Friday, October 24, 2008

What Happens If All SFCs Are Removed from a GSR

While reading an article on the GSR, I was surprised to learn that a GSR can also work without an SFC (Switch Fabric Card). When the SFCs are removed from the GSR, the Clock Scheduler Card (CSC) comes into the picture. At that point all the line engines stop working except line engine 0, so the CSC works as an SFC.
What I think is that, since all the line engines are stopped at that time, there is no need for the clock, which is why the clock card (CSC) falls back to SFC card mode. It means the GSR can be upgraded without shutting it down.


regards
shivlu

Wednesday, October 22, 2008

DHCP Authentication With Dot1x

How do you secure a LAN so that a rogue laptop/PC does not get an IP address from DHCP? It is a big question mark: it is possible on wireless media, but what about wired media? The same question was asked to me a few days back, and my instant response was that DHCP does not support authentication. But I replied that we can use dot1x for wired media.
So I set up a test lab with one of my colleagues and installed a domain controller with RADIUS. We used the dot1x mechanism to authenticate the PCs/laptops; after 2 days of testing we got positive results.

Advantages
1. Get rid of man-in-the-middle attacks.
2. Dictionary attacks can be stopped with this.
3. Security of the LAN: no one gets an IP address unless he/she has a domain username and password.

I am writing a document on this. If someone needs it on an urgent basis, kindly mail me.

Saturday, October 18, 2008

Hacking ISP With OSPF

It is always recommended not to leak information about the network protocol running in the ISP core. Why is that said? Without any leaked information, can someone still gain information about an ISP?
The answer is yes.
In the attached document I have tested a scenario in which an ISP is using OSPF and one of its esteemed clients, attached to any of the PEs, is able to access the ISP network, with major downtime as a consequence.
That is why it is recommended not to use OSPF, EIGRP, IGRP or RIP with customers. If you do use them, do it in a very secure manner. One mistake may get you kicked out of the organization.


Friday, October 17, 2008

Number Of VRF Supported



Nat Issues with ip virtual-reassembly

I got a question from one of my managers: what are the pros and cons of ip virtual-reassembly?

The answer I got from one of the blogs:

IOS throws that on automatically. Here’s what it does:

A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.

Here’s why it does it:

VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.
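
The three limits described in the quoted answer, modelled as an added Python example (not code from this post, the quoted blog or Cisco). The class name, the limit values and the sample addresses are constructed for illustration only.

```python
class VirtualReassembly:
    """Toy model of the VFR limits quoted above; not Cisco's implementation."""

    def __init__(self, max_reassemblies, max_fragments, timeout):
        self.max_reassemblies = max_reassemblies  # datagrams in reassembly at once
        self.max_fragments = max_fragments        # fragments allowed per datagram
        self.timeout = timeout                    # seconds a datagram may stay incomplete
        self.table = {}                           # (src, dst, proto, ip_id) -> state

    def receive(self, key, offset, length, more_fragments, now):
        """Feed one fragment; return 'held', 'complete' or a 'drop: ...' reason."""
        # Managed timer: expire every datagram that stayed incomplete too long.
        for old in [k for k, s in self.table.items() if now - s["start"] >= self.timeout]:
            del self.table[old]
        state = self.table.get(key)
        if state is None:
            if len(self.table) >= self.max_reassemblies:
                return "drop: max-reassemblies"
            state = self.table[key] = {"start": now, "frags": {}, "total": None}
        if offset not in state["frags"] and len(state["frags"]) >= self.max_fragments:
            del self.table[key]  # the datagram and all of its fragments are dropped
            return "drop: max-fragments"
        state["frags"][offset] = length
        if not more_fragments:
            state["total"] = offset + length
        covered = 0  # bytes contiguously covered from offset 0
        for off in sorted(state["frags"]):
            if off > covered:
                break
            covered = max(covered, off + state["frags"][off])
        if state["total"] is not None and covered >= state["total"]:
            del self.table[key]
            return "complete"
        return "held"


def flood_demo():
    """Constructed traffic: five senders each send only a first fragment."""
    vfr = VirtualReassembly(max_reassemblies=3, max_fragments=4, timeout=3.0)
    flood = [vfr.receive((f"198.51.100.{i}", "192.0.2.1", 17, 1), 0, 8, True, now=0.0)
             for i in range(5)]
    # After the timeout the stale entries are gone and a new datagram is accepted.
    late = vfr.receive(("198.51.100.9", "192.0.2.1", 17, 7), 0, 8, True, now=3.5)
    return flood, late


if __name__ == "__main__":
    print(flood_demo())
```

The incomplete datagrams occupy at most `max_reassemblies` slots, later ones are refused, and the timer frees the slots again, which is how the thresholds bound memory use.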

Tuesday, October 14, 2008

Communication between two different subnets

One of my friends asked whether communication is possible on a point-to-point link with IP addresses from different subnets. I replied to him at once: yes, by adding a static route, and it works fine. But what happens if OSPF or IS-IS is used? Under OSPF the neighborship comes up because OSPF neighborship is formed on the basis of the multicast address, not the IP address. IS-IS works on the basis of the network ID, not IP addresses.
This can be a really good experience, because someone in the network can make this type of mistake and you won't be able to troubleshoot it, since everything works fine. In the next post I will post the document for this.

Monday, October 13, 2008

Recursive Lookup

When a packet is forwarded to its destination address, the next-hop address is checked, and the outgoing interface corresponding to that next hop is selected; that is where the packet actually leaves. Consider what happens when the routing table receives prefixes whose next hop is the loopback address of some router. In this case a route lookup first checks whether the destination prefix is in the routing table; if it is, a further lookup is performed for its next-hop address, because here the next hop is not on a directly connected interface. For the latter it uses a recursive lookup. The algorithm continues until it reaches a directly connected interface. In most cases a recursive lookup takes no more than 2 steps.
Recursive lookup is needed mostly in iBGP scenarios.
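
The lookup described above, written out as an added Python example (not code from this post or from IOS). The routing table, interface name and addresses are constructed; the fourth route is a deliberately broken entry whose next hop only resolves through itself, to show why the recursion needs a bound.

```python
import ipaddress

# Constructed routing table (assumption): (prefix, next hop, outgoing interface).
# Only directly connected routes carry an interface.
ROUTES = [
    ("10.1.12.0/30", None, "Fa0/0"),            # connected link to the IGP neighbor
    ("192.0.2.2/32", "10.1.12.2", None),        # IGP route to the iBGP peer's loopback
    ("203.0.113.0/24", "192.0.2.2", None),      # iBGP prefix, next hop is that loopback
    ("198.51.100.0/24", "198.51.100.1", None),  # broken: next hop resolves via itself
]

def longest_match(table, address):
    """Return the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop, interface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, interface)
    return best

def resolve(table, destination, max_depth=8):
    """Follow next hops until a directly connected route is reached.

    Returns (interface, connected_next_hop, lookups), or None when the
    destination is unroutable or the recursion never reaches an interface.
    """
    target, lookups = destination, 0
    while lookups < max_depth:
        route = longest_match(table, target)
        lookups += 1
        if route is None:
            return None
        _, next_hop, interface = route
        if interface is not None:
            # The address being resolved sits on a connected network,
            # so it is the hop the packet is handed to.
            return interface, target, lookups
        target = next_hop
    return None  # next hop never resolved to a connected interface

if __name__ == "__main__":
    print(resolve(ROUTES, "203.0.113.10"))
```

For the iBGP prefix the result is one initial lookup plus two recursive steps, ending on the connected interface.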

Wednesday, October 8, 2008

Support of 1600 MTU

Previously, Fast Ethernet interfaces did not support an MTU of more than 1500 bytes. That barrier has now been lifted: Cisco has raised the MTU limit to 1600 bytes with the new release 12.4(20)T. So no more problems in the case of MPLS; you can access your applications without fragmentation.

Tuesday, October 7, 2008

MVPN MDT & IGMP

I got a mail from one of my friends with the following words:

"
Thanks a ton for the detail. Well, I was sure of using that to make network management comfortable while configuring multicasting. Just, since I heard that the link can be established without using that, I asked you.

As we had a word about the MDT value that same evening, I believe we are not using it in every configuration, and as you told me, it makes a tunnel. I request you to please explain it to me in a little more detail. My query is: if we are using 2 end-to-end interfaces which will be delicately responsible for the multicasting through an IGMP group and a Rendezvous IP address, then how and when does the MDT value come into play in terms of comfortability?
"

Shivlu Says:-

Regarding the IGMP problem:
You can use multicasting without IGMP, but the problem is that when you do not use IGMP the PC or receiver by default uses a TTL value of 128 or 64. As you know, multicast traffic is CPU oriented. Without IGMP the last-hop router also cannot know which group it has to join, because no one sends the request to the router. In that case it has to manage all the entries in the router. But when you use IGMP it sets TTL=1, which means your laptop sends a request to its nearest gateway with TTL=1 and the packet is not propagated in the network. The router then looks for the group your laptop is requesting and creates the (S,G) entries. In this way routers have full control of join and leave requests.

Regarding the MDT problem:
MPLS does not support multicast, but Rosen (the name of the guy who proposed the solution) proposed a draft in which he described how multicast can be used with the help of a multicast tunnel. For that, every VPN must have a default MDT group, which is mandatory; the MDT data group is optional. When you configure MDT default in one VRF and the same MDT default at the other end of the same VRF, it creates a multicast tunnel. You can check my previous post on MVPN, which explains all the things I am talking about (http://shivlu.blogspot.com/2008/09/case-study-mvpn-part-1.html). After the tunnel is created, all the multicast traffic is flooded over the tunnel.

I hope this answers what you were looking for.

Friday, October 3, 2008

CEF Enhanced Scalability (CSSR)

After a long wait, Cisco has added a new data structure named CSSR to CEF, which is going to enhance the performance of CEF. It is available on the 12.4(20)T platform.

Secret of CSSR: CEF uses the adjacency table for next-hop and MAC address resolution. If you have n entries in the routing table with the same next hop, it has to maintain the adjacency table for every entry, which takes more space. With the new data structure added to CEF, only a single entry is saved in the adjacency table for all the routes that have the same next-hop address.

Thursday, October 2, 2008

CEF Troubleshooting With Ping

A few days back I faced a problem related to CEF. I tried to ping from one router to another but found packet drops. So I started the first step with ping. Using extended ping, I set the Record option and got ping replies.
So what is the difference between ping with the Record option and without it? With the Record option set, ping packets use fast switching; without it they use CEF switching. So I concluded there might be a problem with CEF in the path.

Shivlu_rtr#ping
Protocol [ip]:
Target IP address: 10.10.20.20
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet0/0.50
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
Packet sent with a source address of 71.5.100.69
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>

L2TP Vulnerability


On 24 September 2008 Cisco officially announced the L2TP vulnerability. A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.
This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet.


Workaround
Note: L2TP implementations will need to allow UDP 1701, from trusted addresses to infrastructure addresses. This does not provide for a full mitigation as the source addresses may be spoofed.

Note: L2TPv3 over IP only implementations need to deny all UDP 1701 from anywhere to the infrastructure addresses.

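Create an iACL (wcm = wildcard mask):

! The deny is limited to UDP 1701, as the notes above describe;
! a bare "deny udp any any" would drop every other UDP packet on the interface.
access-list 101 permit udp trusted-address wcm trusted-address wcm eq 1701
access-list 101 deny udp any any eq 1701
access-list 101 permit 115 trusted-address wcm trusted-address wcm
access-list 101 permit ip any any

As shown in the picture, apply the access list to fa0/0 in the direction of Delhi-PE:

int fa0/0
 ip access-group 101 in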

Wednesday, October 1, 2008

MTU Utility

mturoute is a small command line application that uses ICMP pings of various sizes in order to determine the MTU values on the path between itself and the target system. It also includes a "traceroute" like mode where it will attempt to determine the lowest MTU between the local host and each hop in the communication. The utility generates maybe 100 times as much traffic as a normal ping does, so you should exercise restraint when running it on networks you do not administer. During development and testing my ICMP capability was disabled completely several times, although a power cycle on the cable modem restored normal operation.
You can use it for troubleshooting MTU problems.

For more information, visit
http://www.elifulkerson.com/projects/mturoute.php

Cisco IOS MPLS VPN May Leak Information

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

Workarounds

Customers running versions of Cisco IOS that support filtering of extended communities can prevent the corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound BGP sessions.

The following configuration example applied in the ipv4 address family of a PE device removes extended communities from the CE router:

router bgp <local-AS>
 address-family ipv4 vrf one
 neighbor <neighbor-IP> remote-as <remote-AS>
 neighbor <neighbor-IP> activate
 neighbor <neighbor-IP> route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
 set extcomm-list 100 delete
!

The following configuration example applied in the ipv6 address family of a PE device removes extended communities from the CE router:

router bgp <local-AS>
 address-family ipv6 vrf one
 neighbor <neighbor-IP> remote-as <remote-AS>
 neighbor <neighbor-IP> activate
 neighbor <neighbor-IP> route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
 set extcomm-list 100 delete
!

Note: The capability of filtering extended communities is only available in certain 12.0S and 12.2S based Cisco IOS releases.

The BGP session between the PE and the CE needs to be cleared to make this configuration change effective.

Inter-AS Communication-MP-eBGP(Option B)

I have written a document on MP-eBGP (Option B), which is widely used by many service providers for inter-AS communication.

