Thursday 5 November 2015

Port Based Traffic Control

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swtrafc.html#pgfId-1038501


Security Violations

It is a security violation when one of these situations occurs:
  • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:
  • protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

  • restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands. This is the default mode.
  • shutdown vlan—use this mode to set the security violation mode per VLAN. In this mode, only the VLAN on which the violation occurred is error-disabled, instead of the entire port.


Table 1-1 Security Violation Mode Actions

Violation Mode   Traffic is forwarded (1)   Sends SNMP trap   Sends syslog message   Displays error message (2)   Violation counter increments   Shuts down port
protect          No                         No                No                     No                           No                             No
restrict         No                         Yes               Yes                    No                           Yes                            No
shutdown         No                         No                No                     No                           Yes                            Yes
shutdown vlan    No                         No                Yes                    No                           Yes                            No (3)

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch returns an error message if you manually configure an address that would cause a security violation.
3. Shuts down only the VLAN on which the violation occurred.

-> Port security can be applied to access and trunk ports but not to dynamic ports
-> Secure MAC addresses
      - can belong to only one port
      - static
      - learned (dynamic)
      - sticky
-> Trunk ports
      - support per-VLAN limits
      - the port limit is the aggregate across all VLANs



Wednesday 4 November 2015

IOS Device Access Security

R1(config)#username vamsi password krishna

By default the password is saved in clear text.

Alternatives:
-----------

1) username vamsi secret cisco - encrypts the password with MD5, which is type 5
2) service password-encryption - converts all passwords on the box to type 7 encryption,
   which is reversible

Modes:
=====
exec --- R1#
config --- R1(config)#
interface --- R1(config-if)#

Without aaa:
=========
username vamsi  privilege 5 password 0 cisco
line vty 0 4
login local

when logged in vamsi will have privilege of 5

With aaa:
======
1) aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
line vty 0 4
 password starent
 login authentication LOCAL_DATABASE

By default if vamsi is logged in he will have privilege of 1 at login level and 15 at exec level

2) To change the authorization of commands at different privileges when aaa new-model is enabled:

aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+
aaa authorization commands 1 TACACS_AU group tacacs+
aaa authorization commands 15 TACACS_AU group tacacs+
line vty 0 4
 password starent
 authorization commands 0 TACACS_AU
 authorization commands 1 TACACS_AU
 authorization commands 15 TACACS_AU
 authorization exec EXEC_AUTHOR
 login authentication LOCAL_DATABASE

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification

Username: vamsi
Password:

R1>en
% Authorization failed
R1>show pri
% Authorization failed

To fix the above:

aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
aaa authorization config-commands
aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+ none
aaa authorization commands 1 TACACS_AU group tacacs+ none
aaa authorization commands 15 TACACS_AU group tacacs+ none
line vty 0 4
 password starent
 authorization commands 0 TACACS_AU
 authorization commands 1 TACACS_AU
 authorization commands 15 TACACS_AU
 authorization exec EXEC_AUTHOR
 login authentication LOCAL_DATABASE

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open


User Access Verification

Username: vamsi
Password:

R1>en
Password:
R1#show privilege
Current privilege level is 15
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#end
R1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down  
GigabitEthernet0/0     10.1.1.1        YES manual up                    up    
FastEthernet1/0        unassigned      YES unset  administratively down down  
FastEthernet1/1        unassigned      YES unset  administratively down down  
Ethernet2/0            unassigned      YES unset  administratively down down  
Ethernet2/1            unassigned      YES unset  administratively down down  
Ethernet2/2            unassigned      YES unset  administratively down down  
Ethernet2/3            unassigned      YES unset  administratively down down  
R1#

3) Moving the privileges.

Task: assign vamsi privilege level 5 and allow him to enter global configuration mode and add an IP address to an interface

Normal process:

-->
R3#show running-config | sec vty|user
username pri password 0 cisco
line vty 0 4
 login local

R1#telnet 20.1.1.2
Trying 20.1.1.2 ... Open

User Access Verification

Username: pri
Password:
R3#show run
         ^
% Invalid input detected at '^' marker.
R3#conf t
      ^
% Invalid input detected at '^' marker.
R3#show privilege
Current privilege level is 5

-->
R3(config)#privilege  exec level 5 configure  terminal
Commands added on run-config
privilege exec level 5 configure terminal
privilege exec level 5 configure
On Telnet
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface fa1/0
           ^
% Invalid input detected at '^' marker.

-->
R3(config)#privilege configure level 5 interface
On telnet
R3(config)#interface fa1/0
R3(config-if)#
R3(config-if)#ip address ?      
% Unrecognized command

-->
R3(config)#privilege interface level 5 ip address
Commands added on run-config
privilege interface level 5 ip address
privilege interface level 5 ip
On Telnet
R3(config-if)#ip address  30.1.1.1 255.255.255.0
R3(config-if)#ipv6 address ?
% Unrecognized command
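To make the prefix behaviour visible in the running config above concrete (assigning 'configure terminal' to level 5 also produced 'privilege exec level 5 configure'), here is a small Python model of the IOS privilege table; it is an added example, not code from the page or from Cisco, and its default command levels are a constructed subset of the real table.

```python
"""Model of how 'privilege <mode> level N <command>' changes IOS command authorization.

Added example, not from the page or from Cisco. Each command word in a mode has
a privilege level; 'show' is level 1, most others 15. Assigning a command to a
level also assigns every shorter prefix of it, which is why
'privilege exec level 5 configure terminal' also produced
'privilege exec level 5 configure' in the running config, while sibling
commands such as 'configure memory' stay at 15. A user may run a command when
its longest known prefix is at or below the user's level. DEFAULT_LEVELS is a
constructed subset of the real IOS table.
"""
from __future__ import annotations

DEFAULT_LEVELS = {
    ("exec", ("show",)): 1,
    ("exec", ("show", "running-config")): 15,
    ("exec", ("configure",)): 15,
    ("exec", ("configure", "memory")): 15,
    ("configure", ("interface",)): 15,
    ("interface", ("ip",)): 15,
    ("interface", ("ipv6",)): 15,
}


class PrivilegeTable:
    def __init__(self) -> None:
        self.levels = dict(DEFAULT_LEVELS)

    def privilege(self, mode: str, level: int, command: str) -> None:
        """privilege <mode> level <level> <command>: set the command and all its prefixes."""
        words = tuple(command.split())
        for n in range(1, len(words) + 1):
            self.levels[(mode, words[:n])] = level

    def level_of(self, mode: str, command: str) -> int:
        """Level of the longest known prefix of the typed command (unknown -> 15)."""
        words = tuple(command.split())
        for n in range(len(words), 0, -1):
            if (mode, words[:n]) in self.levels:
                return self.levels[(mode, words[:n])]
        return 15

    def authorized(self, user_level: int, mode: str, command: str) -> bool:
        """True when a user at user_level may run the command in the given mode."""
        return self.level_of(mode, command) <= user_level

    def running_config_lines(self) -> list[str]:
        """Non-default assignments as 'show running-config' would list them."""
        return sorted(
            f"privilege {mode} level {lvl} {' '.join(words)}"
            for (mode, words), lvl in self.levels.items()
            if DEFAULT_LEVELS.get((mode, words)) != lvl
        )


def grant_level5_ip_address(table: PrivilegeTable) -> list[str]:
    """Apply the three privilege commands from the page; return the resulting config lines."""
    table.privilege("exec", 5, "configure terminal")
    table.privilege("configure", 5, "interface")
    table.privilege("interface", 5, "ip address")
    return table.running_config_lines()


if __name__ == "__main__":
    t = PrivilegeTable()
    print(t.authorized(5, "exec", "configure terminal"))   # False before the grant
    print(grant_level5_ip_address(t))
    print(t.authorized(5, "exec", "configure terminal"))   # True afterwards
    print(t.authorized(5, "interface", "ipv6 address"))    # still False
```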

Role-Based CLI Access (logging in using views instead of privilege levels)
--------------------------------------------------------------------------

R2#show run | sec user|vty
aaa authorization exec default local
username infy view view1 password 0 cisco
parser view view1
 secret 5 $1$u2AH$mvoK9aVion/jmSLpUW0B20
 commands router include all network
 commands configure include all router
 commands exec include all show
 commands exec include configure terminal
line vty 0 4

On Telnet:

R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open

User Access Verification

Username: infy
Password:

R2>show parser view
Current view is 'view1'
R2>show privi
Currently in View Context with view 'view1'
R2>show run
Building configuration...

Current configuration : 76 bytes
!
! Last configuration change at 21:05:21 UTC Wed Nov 4 2015
!
!
!
!
!
end
R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down  
GigabitEthernet0/0     10.1.1.2        YES manual up                    up    
FastEthernet1/0        unassigned      YES unset  administratively down down  
FastEthernet1/1        unassigned      YES unset  administratively down down  
Ethernet2/0            unassigned      YES unset  administratively down down  
Ethernet2/1            unassigned      YES unset  administratively down down  
Ethernet2/2            unassigned      YES unset  administratively down down  
Ethernet2/3            unassigned      YES unset  administratively down down  

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)>end
            ^
% Invalid input detected at '^' marker.

R2(config)>exit


Change logging (Archiving):
---------------------------

-->R2#show running-config | sec archive
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

-->On Telnet:

R2>conf t
Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)>exit
R2>conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.

R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>

--> On Console:

R2#show archive log config all    
 idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     1        console@console  |  logging size 100
    3     1        console@console  |  notify syslog
    4     2           infy@vty0     |configure


Login Enhancements-Login Block:
------------------------------

login block-for <seconds> attempts <tries> within <seconds>

R2(config)#login block-for 30 attempts 2 within 10

If the configured number of connection attempts fail within a specified time period, the Cisco IOS device does not accept any additional connections for a “quiet period.” (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)
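A Python model of that counting and quiet-period logic, useful for reasoning about what the command does to a burst of failed logins; this is an added example, not from the page or from Cisco, with constructed timestamps and source addresses, and a permit set standing in for the quiet-mode ACL.

```python
"""Sliding-window model of 'login block-for 30 attempts 2 within 10'.

Added example, not from the page or from Cisco. Failed logins are counted in
a window of 'within' seconds; when 'attempts' failures land in one window the
device enters a quiet period of 'block-for' seconds and refuses new
connections, except from sources permitted by the quiet-mode ACL. Timestamps
and addresses below are constructed.
"""
from __future__ import annotations
from collections import deque


class LoginBlock:
    def __init__(self, block_for: int, attempts: int, within: int,
                 permit: frozenset[str] = frozenset()) -> None:
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.permit = permit                     # sources exempt from the quiet period (the ACL)
        self.failures: deque[float] = deque()    # timestamps of recent failed logins
        self.quiet_until: float | None = None    # end of the current quiet period, if any

    def in_quiet_period(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def connect(self, now: float, src: str) -> bool:
        """Would a new connection from src be accepted at time now?"""
        return not self.in_quiet_period(now) or src in self.permit

    def login_failed(self, now: float) -> bool:
        """Record a failed login; return True if this failure starts a quiet period."""
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()              # slide the 'within' window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return True
        return False


def replay(cfg: LoginBlock, events: list[tuple[float, str, str]]) -> list[str]:
    """Replay (time, source, 'connect'|'fail') events; return one verdict per event."""
    out = []
    for t, src, kind in events:
        if kind == "connect":
            out.append("accept" if cfg.connect(t, src) else "refuse")
        else:
            out.append("quiet-start" if cfg.login_failed(t) else "fail")
    return out


# Constructed event sequence against 'login block-for 30 attempts 2 within 10',
# with 10.1.1.100 permitted by the quiet-mode ACL.
EVENTS = [
    (0.0, "10.1.1.5", "connect"),     # accept: nothing has happened yet
    (1.0, "10.1.1.5", "fail"),        # fail: one failure in the window
    (12.0, "10.1.1.5", "fail"),       # fail: the failure at t=1 has aged out (11 s > 10 s)
    (15.0, "10.1.1.5", "fail"),       # quiet-start: 2 failures within 10 s, quiet until t=45
    (20.0, "10.1.1.5", "connect"),    # refuse: quiet period in force
    (20.0, "10.1.1.100", "connect"),  # accept: permitted by the ACL
    (46.0, "10.1.1.5", "connect"),    # accept: quiet period over
]


def demo() -> list[str]:
    return replay(LoginBlock(30, 2, 10, permit=frozenset({"10.1.1.100"})), EVENTS)


if __name__ == "__main__":
    print(demo())
```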

IOS Resilient Config:
----------------------

Used to prevent the startup config or the IOS image from being deleted
-> hides the config and IOS image on flash/nvram
-> 'secure boot-config' and 'secure boot-image'



LOCAL DATABASE
R1(config)#username CISCO privilege 15 password CISCO123     (sets username and password with privilege level 15 in the LOCAL database)
R1(config)#username ADMIN privilege 7 password ADMIN123      (sets username and password with privilege level 7 in the LOCAL database)
R1(config)#enable password CISCO123                           (sets the unencrypted enable password in the LOCAL database)
R1(config)#enable secret CISCO123                             (sets the encrypted enable password in the LOCAL database)

ENABLE AAA
R1(config)#aaa new-model                                      (enables the AAA new model)

AAA TACACS/RADIUS CONFIG
R1(config)#tacacs-server host 150.100.220.20                  (use the TACACS+ server at IP address 150.100.220.20)
R1(config)#radius-server host 150.100.220.21                  (use the RADIUS server at IP address 150.100.220.21)
R1(config)#tacacs-server key CISCO                            (encrypts communication between R1 and TACACS+ with the key CISCO)
R1(config)#radius-server key CISCO                            (encrypts communication between R1 and RADIUS with the key CISCO)
R1(config)#ip tacacs source-interface loopback 0              (sources TACACS+ packets from the Loopback 0 interface)
R1(config)#ip radius source-interface loopback 0              (sources RADIUS packets from the Loopback 0 interface)

AAA CUSTOMIZATION
R1(config)#aaa authentication password-prompt "Password Required"   (creates a custom password prompt)
R1(config)#aaa authentication username-prompt "Username Required"   (creates a custom username prompt)
R1(config)#aaa authentication banner #                        (creates a custom banner message)
Enter TEXT message.  End with the character '#'.
This system requires authentication#
R1(config)#aaa authentication fail-message #                  (creates a custom authentication-failed message)
Enter TEXT message.  End with the character '#'.
Authentication Failed , try again#

AAA AUTHENTICATION
R1(config)#aaa authentication login CONSOLE local                        (configures the router to use LOCAL database authentication)
R1(config)#aaa authentication login VTY group tacacs+ local              (configures the router to use TACACS+ first and then the local database)
R1(config)#aaa authentication login VTY group tacacs+ local-case         (configures the router to use TACACS+ first and then the local database; same as local but makes the password case sensitive)
R1(config)#aaa authentication login VTY group tacacs+ line               (configures the router to use TACACS+ first and then the line password; make sure a password is set under line vty)
R1(config)#aaa authentication enable default group tacacs+ none          (privilege mode is authenticated first against TACACS+, then falls back to no authentication)
R1(config)#aaa authentication attempts login 3                           (specifies the number of login attempts allowed)
R1(config)#aaa authentication ppp default group tacacs+ group radius local none   (for all PPP authentication requests use TACACS+, then RADIUS, then LOCAL, then NONE)

LINE PORTS
R1(config)#line con 0
R1(config-line)#login authentication CONSOLE                  (login to the console as specified by the aaa CONSOLE statement above)
R1(config)#line vty 0 15
R1(config-line)#login authentication VTY                      (login to the vty lines as specified by the aaa VTY statement above)
R1(config-line)#password CISCO                                (line password used by the aaa VTY statement with the line method, see above)

AAA AUTHORIZATION
R1(config)#aaa authorization console                          (enables console authorization)
R1(config)#aaa authorization exec CONSOLE group tacacs+ local          (the console line authorizes users against TACACS+ and then the LOCAL database)
R1(config)#aaa authorization exec VTY group tacacs+ if-authenticated   (authorizes any authenticated user if the TACACS+ server fails)

DIFFERENCE BETWEEN NONE AND IF-AUTHENTICATED METHODS:
EXAMPLE 1
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default none
R1(config)#line con 0
R1(config-line)#privilege level 15
If the TACACS+ server is not available the router will allow incoming connections.
EXAMPLE 2
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default if-authenticated
R1(config)#line con 0
R1(config-line)#privilege level 15
If the TACACS+ server is not available the router grants access but fails authorization.

LINE PORTS
R1(config)#line con 0
R1(config-line)#authorization exec CONSOLE                    (ensures the console line is authorized, see the aaa config above)
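The "To fix the above" change earlier (appending none to the command-authorization lists) and the NONE vs IF-AUTHENTICATED examples both come down to how an IOS method list falls through, so here is a Python model of that rule; it is an added example, not from the page or from Cisco, with a constructed local user database and server state.

```python
"""IOS AAA method-list fall-through, modelled in Python.

Added example, not from the page or from Cisco. It encodes the rule that a
method list moves to the next method only when the current one returns ERROR
(the server group cannot be reached); an explicit FAIL (server reachable but
rejecting) ends the list. 'none' always passes but does not count as having
authenticated the session, which is what separates EXAMPLE 1 from EXAMPLE 2,
and appending 'none' is why the corrected 'aaa authorization commands ...'
lists succeed while the first attempt returned '% Authorization failed'.
Server state and the local user database are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
LOCAL_DB = {"vamsi": "cisco"}           # constructed local username database


@dataclass
class Session:
    user: str
    password: str
    tacacs_reachable: bool              # can the 'tacacs+' server group be contacted?
    tacacs_accepts: bool = True         # the server's answer when it is reachable
    authenticated: bool = False         # set only by a method that really verified the user


def run_method(method: str, s: Session) -> str:
    """Verdict of one method (simplified: an unknown 'local' user is treated as FAIL)."""
    if method == "group tacacs+":
        if not s.tacacs_reachable:
            return ERROR                # unreachable -> fall through to the next method
        return PASS if s.tacacs_accepts else FAIL
    if method == "local":
        return PASS if LOCAL_DB.get(s.user) == s.password else FAIL
    if method == "none":
        return PASS                     # no check at all
    if method == "if-authenticated":
        return PASS if s.authenticated else FAIL
    raise ValueError(f"unknown method {method!r}")


def evaluate(methods: list[str], s: Session, *, authentication: bool = False) -> tuple[str, str | None]:
    """Walk a method list as IOS does; return (verdict, method that decided it)."""
    for m in methods:
        verdict = run_method(m, s)
        if verdict == ERROR:
            continue                    # only ERROR tries the next method
        if verdict == PASS and authentication and m != "none":
            s.authenticated = True      # 'none' admits the user without authenticating them
        return verdict, m
    return FAIL, None                   # every method errored: the request is denied


def commands_authz(with_none: bool) -> str:
    """'aaa authorization commands 15 TACACS_AU group tacacs+ [none]' while TACACS+ is down."""
    s = Session("vamsi", "cisco", tacacs_reachable=False)
    return evaluate(["group tacacs+"] + (["none"] if with_none else []), s)[0]


def exec_authz_after_none_login(exec_method: str) -> str:
    """EXAMPLE 1 / EXAMPLE 2: login 'group tacacs+ none' with TACACS+ down, then exec authorization."""
    s = Session("admin", "unknown", tacacs_reachable=False)
    evaluate(["group tacacs+", "none"], s, authentication=True)   # admitted by 'none'
    return evaluate([exec_method], s)[0]


def server_rejects_then_local() -> str:
    """TACACS+ reachable and rejecting: FAIL ends the list, 'local' is never consulted."""
    s = Session("vamsi", "cisco", tacacs_reachable=True, tacacs_accepts=False)
    return evaluate(["group tacacs+", "local"], s, authentication=True)[0]
```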

Monday 2 November 2015

DMVPN

http://packetlife.net/blog/2008/jul/23/dynamic-multipoint-vpn-dmvpn/

DMVPN Phase 1:
==============

HUB:

interface Loopback0
 ip address 150.1.1.1 255.255.255.0

interface Loopback 1
 ip address 10.0.1.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
end

SPOKE:

interface Loopback0
 ip address 150.1.2.2 255.255.255.0
!
interface Loopback 1
 ip address 10.0.2.2 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp map multicast 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0.100
 tunnel destination 169.254.100.1
end


DMVPN Phase 2:
==============

HUB:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000

SPOKE:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 169.254.100.1
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000
end

DMVPN Phase 3:
==============

HUB:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp redirect
 ip nhrp network-id 99
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000

SPOKE:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 169.254.100.1
 ip nhrp map 10.0.0.1 169.254.100.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0.100
 tunnel mode gre multipoint
 tunnel key 10000
end

EIGRP:
=====

DMVPN phase 1:
--------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no passive-interface
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
exit-address-family

Spoke:
------

interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel destination 169.254.100.5
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
exit-address-family


DMVPN Phase 2:
---------------------

No change on the spoke; on the hub:

router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 100
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel0
no next-hop-self
no passive-interface
no split-horizon
exit-af-interface
!
topology base
exit-af-topology
network 150.1.0.0
network 155.1.0.0
exit-address-family

OSPF:
====

DMVPN phase 1:
--------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf network point-to-multipoint
ip ospf hello-interval 10
no shutdown
!
router ospf 1
network 150.1.0.0 0.0.255.255 area 0
network 155.1.0.0 0.0.0.255 area 0

Spoke:
------
interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel destination 169.254.100.5
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
no shutdown
!
router ospf 1
network 150.1.0.0 0.0.255.255 area 0
network 155.1.0.0 0.0.0.255 area 0


DMVPN Phase 2:
---------------------

Hub:
-----
interface Tunnel0
ip address 155.1.0.5 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf 1 area 0
ip ospf priority 255
ip ospf network broadcast
no shutdown
!

Spoke:
------
interface Tunnel0
ip address 155.1.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication NHRPAUTH
ip nhrp map 155.1.0.5 169.254.100.5
ip nhrp map multicast 169.254.100.5
ip nhrp network-id 1
ip nhrp nhs 155.1.0.5
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1.100
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN_PROFILE
ip ospf 1 area 0
ip ospf priority 0
ip ospf network broadcast
no shutdown
!