Cisco & Cisco Network Hardware News and Technology


Multiple Vulnerabilities in Cisco Products Could Cause Remote Denial of Service

October 18 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Multiple vulnerabilities have been discovered in several Cisco products, including Cisco Adaptive Security Appliance (ASA) 5500 Series, Cisco Catalyst 6500 Series ASA and Firewall Services Module (FWSM), Cisco 7600 Series Routers ASA and FWSM, Cisco ASA 1000V Cloud Firewall, as well as Cisco 1000 Series Aggregation Services Routers (ASR) running Cisco IOS XE. These products provide firewall, intrusion prevention, remote access, and other services. Successful exploitation of these vulnerabilities could result in denial of service conditions or reboot of the affected device.

SYSTEMS AFFECTED:

Cisco Adaptive Security Appliance (ASA) Software for:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers (ASA module)
  • Cisco ASA 1000V Cloud Firewall

Cisco Firewall Services Module (FWSM) Software for:

  • Cisco Catalyst 6500 Series Switches
  • Cisco 7600 Series Routers

Cisco IOS XE Software for:

  • Cisco 1000 Series Aggregation Services Routers (ASR)

RISK:

Government:

  • Small government entities: High
  • Large and medium government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: N/A

DESCRIPTION:

Multiple Cisco products are vulnerable to a remote Denial of Service condition. The details of each vulnerable Cisco product are provided below.


Cisco Adaptive Security Appliance (ASA) 5500 Series, Cisco Catalyst 6500 Series ASA and Firewall Services Module (FWSM), Cisco 7600 Series Routers ASA and FWSM, Cisco ASA 1000V Cloud Firewall

To exploit these vulnerabilities, an attacker needs to send a specially crafted packet that causes a denial of service condition when the appliance processes it. The affected versions of Cisco ASA and FWSM software vary by vulnerability.

 

The details of the vulnerabilities are as follows:

  • Cisco ASA and Cisco FWSM are prone to a remote denial-of-service vulnerability because they fail to properly process an incoming IKE version 1 message. An attacker can exploit this vulnerability by sending a crafted IKE message, causing a reload of an affected device, denying service to legitimate users. Switching to IKE version 2 will mitigate this vulnerability. This issue is being tracked by Cisco Bug IDs CSCub85692 and CSCud20267 (CVE-2013-1149).
  • Cisco FWSM for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is prone to a denial-of-service vulnerability due to the incorrect processing of URLs. Specifically, this issue occurs when clients make requests through the auth-proxy feature. An attacker can exploit this issue to cause a vulnerable device to reload, triggering a denial-of-service condition. Disabling AAA for network access control and HTTP(S) listening ports to authenticate network users, if feasible, will mitigate this vulnerability. This issue is tracked by Cisco Bug ID CSCtg02624 (CVE-2013-1155).
  • Cisco Adaptive Security Appliance (ASA) is prone to a remote denial-of-service vulnerability. Specifically, this issue occurs in the URL processing code of the authentication proxy feature. An attacker can exploit this vulnerability by sending a crafted URL, causing a reload of an affected device, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCud16590 (CVE-2013-1150).
  • Cisco Adaptive Security Appliance (ASA) is prone to a remote denial-of-service vulnerability due to an implementation error in the code that validates the digital certificates used during authentication. An attacker can exploit this issue by using a crafted certificate to trigger an authentication operation on an affected device, causing a reload of the affected device and denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuc72408 (CVE-2013-1151).
  • Cisco Adaptive Security Appliance (ASA) is prone to a remote denial-of-service vulnerability that occurs in the DNS inspection engine code. Specifically, this issue occurs because of improper processing of certain fields in DNS messages. An attacker can exploit this issue by sending a crafted DNS message, causing a reload of an affected device, denying service to legitimate users. Disabling DNS inspection, if feasible, will mitigate this vulnerability. This issue is being tracked by Cisco Bug ID CSCuc80080 (CVE-2013-1152).
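The mitigations in the list above are per feature, so the first question for an operator is which of those features a given ASA/FWSM actually has enabled. The following script is an added example (not Cisco's tooling and not part of the original bulletin): it scans a running-config for the processing paths the advisory names and maps each enabled one to the CVEs listed above. The config patterns are assumptions about common ASA syntax, and the sample config is constructed.

```python
"""Exposure triage for the ASA/FWSM vulnerabilities listed above.

Scans an ASA running-config for the features whose processing paths the
advisory names (IKEv1, the authentication proxy, DNS inspection) and maps
each enabled feature to the CVEs from the list, so the per-feature
mitigations can be prioritised until the upgrade is done.  The certificate
validation issue (CVE-2013-1151) has no configuration switch, so it is
always reported with "upgrade only" as the mitigation.
"""
import re

# The patterns are assumptions about common ASA/FWSM syntax for enabling each
# feature, not an exhaustive list; the CVEs and mitigations come from the list above.
FEATURE_CHECKS = {
    "ikev1": {
        "cves": ["CVE-2013-1149"],
        "patterns": [r"^crypto ikev1 enable\b", r"^crypto isakmp enable\b"],
        "mitigation": "switch to IKEv2",
    },
    "auth-proxy": {
        "cves": ["CVE-2013-1150", "CVE-2013-1155"],
        "patterns": [r"^aaa authentication listener\b",
                     r"^aaa authentication match\b"],
        "mitigation": "disable AAA network access control / HTTP(S) listeners if feasible",
    },
    "dns-inspection": {
        "cves": ["CVE-2013-1152"],
        "patterns": [r"^\s*inspect dns\b"],
        "mitigation": "disable DNS inspection if feasible",
    },
}


def scan_config(config_text):
    """Return {feature: {"enabled", "cves", "mitigation", "evidence"}} for one config."""
    lines = config_text.splitlines()
    report = {}
    for name, check in FEATURE_CHECKS.items():
        evidence = [line.strip() for line in lines
                    if any(re.search(p, line) for p in check["patterns"])]
        report[name] = {
            "enabled": bool(evidence),
            "cves": check["cves"],
            "mitigation": check["mitigation"],
            "evidence": evidence,
        }
    # No config knob turns certificate validation off; only the upgrade fixes it.
    report["certificate-validation"] = {
        "enabled": True,
        "cves": ["CVE-2013-1151"],
        "mitigation": "upgrade only",
        "evidence": [],
    }
    return report


def applicable_cves(config_text):
    """Sorted list of the advisory's CVEs that still apply to this configuration."""
    cves = set()
    for entry in scan_config(config_text).values():
        if entry["enabled"]:
            cves.update(entry["cves"])
    return sorted(cves)


# Constructed sample running-config fragment, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-lab
crypto ikev1 enable outside
aaa authentication listener http inside port www
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
"""

if __name__ == "__main__":
    for feature, entry in scan_config(SAMPLE_CONFIG).items():
        state = "ENABLED " if entry["enabled"] else "not seen"
        print(f"{feature:24} {state}  {', '.join(entry['cves'])}  -> {entry['mitigation']}")
```

Run it against `show running-config` output saved to a file; a feature reported as "not seen" still needs the upgrade, but its mitigation is not the one to spend change-window time on.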

 

Cisco IOS XE Software for Cisco 1000 Series Aggregation Services Routers (ASR)

To exploit these vulnerabilities, an attacker needs to send a specially crafted packet that causes a denial of service when the software processes it. The affected versions of Cisco IOS XE Software for the 1000 Series ASR vary by vulnerability.

 

The details of the vulnerabilities are as follows:

  • Improper handling of fragmented IPv6 multicast and IPv6 MVPN traffic by Cisco 1000 Series ASR with ASR1000-ESP40 or ASR1000-ESP100 may allow an attacker to cause a reload of the affected devices, denying service to legitimate users. This issue is being tracked by Cisco Bug IDs CSCtz97563 and CSCub34945 (CVE-2013-1164).
  • Improper handling of specific L2TP packets by Cisco 1000 Series ASR may allow an attacker to cause a reload of the affected devices, denying service to legitimate users. Repeated attacks will result in a sustained denial of service. This issue is being tracked by Cisco Bug ID CSCtz23293 (CVE-2013-1165).
  • Improper handling of packets by Cisco 1000 Series ASR configured for bridge domain interface (BDI) may allow an attacker to cause a reload of the affected devices, denying service to legitimate users. Repeated attacks will result in a sustained denial of service. This issue is being tracked by Cisco Bug ID CSCtt11558 (CVE-2013-1167).
  • Improper handling of a large number of SIP packets by Cisco 1000 Series ASR configured for VRF-aware NAT and SIP ALG may allow an attacker to cause a reload of the affected devices, denying service to legitimate users. Repeated attacks will result in a sustained denial of service. This issue is being tracked by Cisco Bug ID CSCuc65609 (CVE-2013-1166).

 

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade vulnerable Cisco products immediately after appropriate testing.
  • Consider migrating from IKE version 1 to IKE version 2.

 

REFERENCES:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-fwsm

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000

 


A Basic ASA Setup for a Native IPv6 Network

September 3 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

IPv6 feature support has been available on the ASA firewall for some time and can be set up quickly. This article focuses on a basic ASA setup for a native IPv6 network. As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.

Here is a quick way to configure your ASA firewall for IPv6 connectivity.

BASIC CONFIGURATION

STEP#1-Enable IPv6 on the interface and configure the global IPv6 address.

interface vlan 2
ipv6 enable
ipv6 address 2001:db8:2:3::1/64

This assigns the global IPv6 address to the interface. When you enter ipv6 enable, a link-local address is generated automatically (derived from the interface MAC address). The ipv6 address command above sets the global address manually; the ASA also supports ipv6 address autoconfig, which derives a stateless address from the prefix carried in router advertisement (RA) messages.

 

For more details, you can review the following reference guide document:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html#wp1897428

 

STEP#2-Verify IPv6 configuration.

show ipv6 interface

Example:

outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
            2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
            ff02::1
            ff02::2
            ff02::1:ff00:1
            ff02::1:ff11:45c
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses

 

STEP#3-Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to "any". The ipv6 route command is functionally similar to the IPv4 route command.

 

STEP#4-Define IPv6 access-lists (optional).

IPv6 access-lists are functionally the same as IPv4 access-lists. They are parsed sequentially and have an implicit deny at the end.

Example:

ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
access-group test in interface outside

The above permits TCP traffic to a specific server, 2001:db8::203:A0FF:FED6:162D.
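The four steps above are easy to type but easy to get subtly wrong (a global address outside the intended prefix, a default-route next hop that neighbor discovery can never resolve). The following script is an added example, not part of the original article and not Cisco tooling: it generates the Step 1 and Step 3 commands after validating the addresses, then parses `show ipv6 interface` output (the Step 2 example, re-typed as sample input) and checks what the walkthrough says should be there, including why the two `ff02::1:ff..` groups appear. The command syntax and output layout assumed are exactly those shown in Steps 1 to 3.

```python
"""Checks for Steps 1-3 of the IPv6 walkthrough (added example).

Assumed: the interface/route syntax of Steps 1 and 3 and the layout of the
`show ipv6 interface` output of Step 2.
"""
import ipaddress
import re


def solicited_node(addr):
    """Solicited-node multicast group for an IPv6 address (RFC 4291):
    ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address.
    This is why ff02::1:ff00:1 and ff02::1:ff11:45c appear in the Step 2 output."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def build_basic_config(vlan, addr_with_prefix, next_hop, nameif="outside"):
    """Emit the Step 1 and Step 3 commands for one VLAN interface.
    Sanity check: the next hop must be link-local or inside the interface's own
    prefix, because the ASA resolves it via neighbor discovery on that interface."""
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    hop = ipaddress.IPv6Address(next_hop)
    if not (hop.is_link_local or hop in iface.network):
        raise ValueError(f"next hop {hop} is neither link-local nor on {iface.network}")
    return [
        f"interface vlan {vlan}",
        "ipv6 enable",
        f"ipv6 address {iface.with_prefixlen}",
        f"ipv6 route {nameif} ::/0 {hop}",
    ]


def parse_show_ipv6_interface(output):
    """Pull the fields we care about out of `show ipv6 interface` output."""
    info = {"name": None, "line_protocol": None, "link_local": None,
            "global": [], "groups": [], "hosts_autoconfig": False}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) is (up|down), line protocol is (up|down)$", line)
        if m:
            info["name"], info["line_protocol"] = m.group(1), m.group(3)
            continue
        m = re.search(r"link-local address is (\S+)", line)
        if m:
            info["link_local"] = m.group(1)
            continue
        m = re.match(r"^([0-9a-fA-F:]+), subnet is (\S+)$", line)
        if m:
            info["global"].append((m.group(1), m.group(2)))
            continue
        if re.match(r"^ff[0-9a-fA-F]{2}:", line):
            info["groups"].append(str(ipaddress.IPv6Address(line)))  # canonical form
        elif line.startswith("Hosts use stateless autoconfig"):
            info["hosts_autoconfig"] = True
    return info


def verify_interface(output, expected_prefix):
    """Return a list of findings; an empty list means the interface matches Step 1."""
    iface = parse_show_ipv6_interface(output)
    net = ipaddress.IPv6Network(expected_prefix)
    groups = set(iface["groups"])
    findings = []
    if iface["line_protocol"] != "up":
        findings.append(f"{iface['name']}: line protocol is not up")
    if not iface["global"]:
        findings.append("no global unicast address configured")
    for addr, _subnet in iface["global"]:
        if ipaddress.IPv6Address(addr) not in net:
            findings.append(f"{addr} is outside the expected prefix {expected_prefix}")
    addrs = [a for a, _ in iface["global"]] + ([iface["link_local"]] if iface["link_local"] else [])
    for addr in addrs:
        sn = str(solicited_node(addr))
        if sn not in groups:
            findings.append(f"solicited-node group {sn} for {addr} not joined")
    if "ff02::2" not in groups:
        findings.append("all-routers group ff02::2 not joined: interface is not in router mode")
    return findings


# The Step 2 example output, re-typed here as the sample input.
SAMPLE_OUTPUT = """\
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
            2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
            ff02::1
            ff02::2
            ff02::1:ff00:1
            ff02::1:ff11:45c
  ND DAD is enabled, number of DAD attempts: 1
  ND router advertisements are sent every 200 seconds
  Hosts use stateless autoconfig for addresses
"""

if __name__ == "__main__":
    print("\n".join(build_basic_config(2, "2001:db8:2:3::1/64", "fe80::1")))
    print("findings:", verify_interface(SAMPLE_OUTPUT, "2001:db8:2:3::/64") or "none")
```

Paste the real `show ipv6 interface` output into `verify_interface` with the prefix you intended to assign; a missing solicited-node group or a missing `ff02::2` is the quickest sign that `ipv6 enable` or the address command did not take effect.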

 

Securing the Firewall:

If you plan to use autoconfig for the ASA's global IPv6 address, restrict the router advertisements (RAs) it accepts to the known routers in your network. This prevents the ASA from being autoconfigured by an unknown router.

ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface vlan2
nameif outside
security-level 0
ipv6 address autoconfig
ipv6 enable

With this access-list applied, the ASA accepts router advertisements (RAs) only from the router specified; all other RAs are denied.

 

If you wish to prevent the ASA from sending router advertisements (RAs) on a specific interface, you can suppress them with the following interface command:

interface vlan2
ipv6 nd suppress-ra

Neighbor discovery remains operational even though RA suppression has been configured.
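The RA filter above has one trap worth automating: RAs are always sourced from a link-local address, so a permit line written with a router's global address never matches and the deny line then drops every RA, leaving the interface with no address. The following is an added example (not from the original article, not Cisco tooling) that builds the access-list for a set of trusted routers, refuses non-link-local sources, and evaluates the list the way the article describes access-lists working (sequentially, first match, implicit deny). It assumes the ACL and access-group syntax shown above; the trusted router address is the one from the example.

```python
"""RA filtering for an autoconfig interface (added example)."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def build_ra_filter(acl_name, trusted_routers, interface="outside"):
    """Permit RAs from each trusted router, then deny all other RAs.
    RFC 4861 requires RA sources to be link-local, so a global address here
    would never match; it is rejected instead of silently producing a
    filter whose only effective line is the deny."""
    lines = []
    seen = set()
    for router in trusted_routers:
        addr = ipaddress.IPv6Address(router)
        if addr not in LINK_LOCAL:
            raise ValueError(f"{addr} is not link-local; RAs are never sourced from it")
        if addr in seen:
            continue
        seen.add(addr)
        lines.append(f"ipv6 access-list {acl_name} permit icmp6 host {addr} any router-advertisement")
    lines.append(f"ipv6 access-list {acl_name} deny icmp6 any any router-advertisement")
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


def ra_accepted(acl_lines, source):
    """First-match evaluation of the RA entries in the ACL for an RA from `source`.
    Falls through to the implicit deny when nothing matches."""
    src = ipaddress.IPv6Address(source)
    for line in acl_lines:
        parts = line.split()
        if parts[:2] != ["ipv6", "access-list"] or parts[-1] != "router-advertisement":
            continue
        action, src_kind = parts[3], parts[5]
        if src_kind == "host":
            matched = ipaddress.IPv6Address(parts[6]) == src
        elif src_kind == "any":
            matched = True
        else:
            raise ValueError(f"unsupported source spec in: {line}")
        if matched:
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = build_ra_filter("outsideACL", ["fe80::21e:7bff:fe10:10c"])
    print("\n".join(acl))
    for src in ("fe80::21e:7bff:fe10:10c", "fe80::1"):
        print(src, "->", "accepted" if ra_accepted(acl, src) else "denied")
```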

 

For further information, please check out the following documentation on cisco.com:

ASA 8.3 IPv6 configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html

ASA 8.3 IPv6 command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html

Reference from https://supportforums.cisco.com/docs/DOC-15973


One Platform Kit (onePK) for Developers

August 6 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Cisco onePK, short for One Platform Kit, is an easy-to-use developer's toolkit for innovation, automation, and service creation. onePK delivers the benefits of network programmability on Cisco routers and switches. onePK allows you to tie your network more effectively to ever-changing application needs, providing improved business agility and decreased opex. onePK allows your network's power to be unleashed in new ways for a faster, more flexible, and intelligent infrastructure.

What Problems Does It Help Solve?

Need for deeper access to information stored within network devices

Need to exercise greater or more precise control over flows and routes

Need to extract particular packets for modification and reinjection

Need to improve quality of service based on custom parameters

Need to add services to the network without making a huge infrastructure investment

Need to allow programmers to augment network operation in response to application-specific business logic

Need to bridge the operational gap between disparate systems

Need to deploy a gateway or network service without adding hardware or constraining functionality based on physical connectivity

 

Applications of onePK for Specific Customer Types

Improve visibility and control over network operations (all market segments)

Reduce hardware footprint for new services or gateway functions (enterprise and service provider)

Automate new service provisioning for customers (cloud service provider)

Deliver more consistent quality of service to multimedia service customers (service provider)

Achieve higher levels of data security when transmitting over untrusted networks (government/defense)

Improve the perceived speed of the application to users of hyperscale data center services (for example, social media websites)

Orchestrate new services or additional resources more quickly and cost-effectively (data centers and service providers)

Modify packets to enhance security, reliability, or performance for customers (data centers and service providers)


One Platform Kit (onePK)

onePK is a flexible development environment that supports C or Java programs. Your source code can be written and compiled using any tools that you want. The onePK infrastructure is built right into the operating system of all Cisco platforms and communicates with the onePK presentation layer, supporting the developer’s C or Java programs.

[Image: onePK-Language-of-Choice.jpg]

This architecture gives users maximum deployment flexibility. onePK, together with Cisco's container support, allows the user to host applications on the device processor board, on a services blade available with some Cisco platforms, or on a separate server that communicates with the onePK infrastructure over a secure communications channel.

Because the API is consistent across all Cisco platforms, the developer can write an application once and have that application deployed on any switch or router.

 

What Are the Benefits of onePK?

Build, automate, improve: Create new or improve existing applications and services, increase productivity

Speed and faster adaptability: Provide flexibility for rapidly changing business needs and reduced operating costs

Extend: Extend the functionality of your network

New Revenue Opportunities: Provide monetization of new applications or services, create services more quickly with code that you can write once and run anywhere

 

Simplicity, integration, and the power of choice

Utilize with your programming language and tools of choice

Run it on any server or right in the network device

 


IPv6 OSPF/v3: Case Study

May 20 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

This document illustrates the stub, totally stubby and NSSA area features in an IPv6 environment. Stub, NSSA and totally stubby areas are supported and configured exactly as for OSPFv2 for IPv4, using the area stub, area nssa, and area stub no-summary commands.

In this document, three routers (R1, R2 and R3) are configured with the OSPFv3 routing protocol, with R1 and R3 in Area 0 and R1/R2 in Area 12. Router R3 has three loopback interfaces that are advertised via OSPFv3; the exception is Loopback 3, which is redistributed into OSPFv3 to make it an external route. This is done deliberately so that the different types of route received by R2 can be distinguished under different circumstances. Under normal conditions, i.e. running OSPFv3 without any of the stub features, all these routes appear at R2 as below.

[Image: IPv6-OSPFv3-Case-Study01.png]

Note: route OE2 is external because it was redistributed on R3 as a connected route. See the configuration of R3.

All configurations are tested on a Cisco 7200 series router running the Cisco IOS 15.1(3)S3 Advanced IP Services image.

Prerequisite

Topology Diagram

IPv6-OSPFv3-Case-Study02.png

Configuration

For complete configuration, see attached files (R1, R2 and R3).

Case Study 1: OSPFv3 Stub Routing

In stub routing, the router receives a default route and the internal OSPF routes; external routes are filtered out. The stub feature is configured with the command "area x stub" under OSPFv3 router configuration mode. It is important to configure both ends with the stub keyword.

[Image: IPv6-OSPFv3-Case-Study03.png]

[Image: IPv6-OSPFv3-Case-Study04.png]

Note: Only a default route ::/0 and the OSPF internal routes are received by stub router R2. Prefix AA3::33 is an external route and is filtered out, even though it is reachable.

Case Study 2: OSPFv3 Totally Stubby Area

In a totally stubby area, the stub router receives only the default route; all other routes (intra-area, inter-area, external) are filtered out. The feature can be configured on any one router with the command "area x stub no-summary".

[Image: IPv6-OSPFv3-Case-Study05-copy-1.png]

[Image: IPv6-OSPFv3-Case-Study06.png]

Note: Stub router R2 receives only the default route ::/0.

Case Study 3: OSPFv3 Not So Stubby Area (NSSA)

The feature is enabled with the command "area x nssa". With NSSA, the router receives only the intra-area and inter-area OSPF routes; all other (external) routes are filtered out. For NSSA, the configuration is done at both ends.

[Image: IPv6-OSPFv3-Case-Study07.png]

[Image: IPv6-OSPFv3-Case-Study08.png]

Note: Stub router R2 receives only the intra-area/inter-area OSPF routes.

References

Implementing OSPF for IPv6

Source: https://supportforums.cisco.com/docs/DOC-25487

OSPF Neighborship Troubleshooting

May 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

When setting up dynamic routing protocols, there are certainly a number of things that need to be configured correctly for everything to end up working as planned. On top of this, each of the different routing protocols has different elements that they expect to be configured first for each of them to operate correctly. This article takes a look at these requirements from the perspective of OSPF and shows the different commands that can be used to ensure proper OSPF neighborship configuration and communications between devices.

 

OSPF Neighborship Requirements

From the perspective of OSPF, there are a number of things that must match for an OSPF neighborship to establish; these include:

  1. The devices must be in the same area
  2. The devices must have the same authentication configuration
  3. The devices must be on the same subnet
  4. The devices' hello and dead intervals must match
  5. The devices must have matching stub flags

OSPF Neighborship Configuration Verification and Troubleshooting

Starting from the top of the list, the interfaces connecting the devices must be in the same area. To display the various commands and what to look for, Figure 1 shows a simple lab that has been set up with two devices connected via an Ethernet link.

[Image: OSPF-Neighborship-Troubleshooting01.jpg]

Figure 1-Simple Lab

 

Mismatched Areas

The first thing that is going to be checked by the OSPF device is whether the remote device is in the same area. No other processing will occur on the device until both devices have been configured with the same area. Figure 2 shows an example of the message given by the debug ip ospf adj command when the remote device is not in the same area.  As can be seen from the figure, the remote device is configured into area 1 (notated as 0.0.0.1) while the local device is configured for area 2 (notated as 0.0.0.2).

[Image: OSPF-Neighborship-Troubleshooting02.jpg]

Figure 2-Mismatched Areas

 

Authentication Mismatch

The second entry on the list was that each device must have matching authentication configuration; before any other information is exchanged between the devices they must agree on an authentication type (if any is configured). If the parameters are not the same on both sides, the neighborship process will never progress. Figure 3 shows the error message that will be displayed (from the debug ip ospf adj command) when an authentication mismatch occurs.

[Image: OSPF-Neighborship-Troubleshooting03.jpg]

Figure 3-Authentication Mismatch

 

Subnet Mismatch

Another valuable command to use when troubleshooting OSPF is debug ip ospf hello. As the name suggests, this command shows debugging information for the hello events between devices. Since a neighborship starts with a hello exchange, this is a valuable command to use.

The third entry on the list was that each device must be in the same subnet. Figure 4 shows an example of a message that tells the engineer a mismatch exists between the devices; on closer inspection it shows that the subnet mask is configured differently on each device. In this case the remote device was configured in the 10.10.10.0/25 subnet while the local (connected) device was configured in the 10.10.10.0/24 subnet.

[Image: OSPF-Neighborship-Troubleshooting04.jpg]

Figure 4-Subnet Mismatch

 

Hello and Dead interval mismatch

The fourth entry on the list is matching hello and dead intervals. When configuring the hello interval on an interface, the device (with Cisco equipment) automatically adjusts the dead interval; Figure 5 shows a case where the remote device was configured with a hello interval of 8 seconds while the local device uses the default setting of 10.

[Image: OSPF-Neighborship-Troubleshooting05.jpg]

Figure 5-OSPF hello and dead interval mismatch

 

Stub Flag Mismatch

The final entry on the list was that the devices must agree on whether the area is a stub or not. Figure 6 shows an example of a message where the devices disagree on whether the area is a stub area.

[Image: OSPF-Neighborship-Troubleshooting06.jpg]

Figure 6-Stub Flag Mismatch

While it is often overlooked, a neighborship is the first thing that must be established before any communication happens between devices. Each routing protocol has its own requirements that must be met before a neighborship will form. This article looked at the elements that must match for OSPF neighborships to establish and the commands to use to find which misconfiguration exists. Hopefully, the information in this article, once committed to memory, will help in future OSPF configuration work.
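The five requirements above can be checked before the debug commands are even needed, if the two interface configurations are known. The following is an added example (not from the original article, not Cisco tooling): it compares the OSPF-relevant settings of two interfaces, reports mismatches in the order the article walks through them, stops where the article says processing stops (area, then authentication), and defaults the dead interval to four times the hello interval, which is the automatic adjustment the article describes. The interface values used are constructed; the area ids are printed in the dotted form the debug output uses.

```python
"""Pre-flight check for the five OSPF neighborship requirements (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OspfInterface:
    area: int
    ip: str                     # interface address with mask, e.g. "10.10.10.1/24"
    auth: str = "none"          # "none", "simple" or "md5"
    hello: int = 10
    dead: Optional[int] = None  # None -> 4 x hello, as the article describes
    stub: bool = False

    def dead_interval(self) -> int:
        return self.dead if self.dead is not None else 4 * self.hello


def area_id(area: int) -> str:
    """Dotted form of the area id, as the debug output notates it (1 -> 0.0.0.1)."""
    return str(ipaddress.IPv4Address(area))


def check_neighborship(local: OspfInterface, remote: OspfInterface) -> List[str]:
    """Return the mismatches, in the order the article checks them."""
    problems = []
    # 1. Area: nothing else is processed until both sides agree on the area.
    if local.area != remote.area:
        problems.append(f"area mismatch: local {area_id(local.area)} vs remote {area_id(remote.area)}")
        return problems
    # 2. Authentication: the exchange never progresses on a mismatch.
    if local.auth != remote.auth:
        problems.append(f"authentication mismatch: local {local.auth} vs remote {remote.auth}")
        return problems
    # 3. Same subnet, which includes the mask (/24 vs /25 is a mismatch).
    lnet = ipaddress.IPv4Interface(local.ip).network
    rnet = ipaddress.IPv4Interface(remote.ip).network
    if lnet != rnet:
        problems.append(f"subnet mismatch: local {lnet} vs remote {rnet}")
    # 4. Hello and dead timers, after the automatic dead-interval adjustment.
    if local.hello != remote.hello or local.dead_interval() != remote.dead_interval():
        problems.append(f"hello/dead mismatch: local {local.hello}/{local.dead_interval()} "
                        f"vs remote {remote.hello}/{remote.dead_interval()}")
    # 5. Stub flag.
    if local.stub != remote.stub:
        problems.append(f"stub flag mismatch: local stub={local.stub} vs remote stub={remote.stub}")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the article's figures: area 2 vs 1, /24 vs /25, hello 10 vs 8.
    local = OspfInterface(area=2, ip="10.10.10.1/24")
    remote = OspfInterface(area=1, ip="10.10.10.2/25", hello=8)
    print(check_neighborship(local, remote))          # only the area mismatch: checking stops there
    print(check_neighborship(OspfInterface(area=1, ip="10.10.10.1/24"), remote))
```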


The Difference between a Layer-3 Switch and a Router

May 2 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In general, a Layer-3 switch (routing switch) is primarily a switch (a Layer-2 device) that has been enhanced or taught some routing (Layer 3) capabilities. A router is a Layer-3 device that simply does routing only. In the case of a switching router, it is primarily a router that may use switching technology (high-speed ASICs) for speed and performance (as well as also supporting Layer-2 bridging functions).

As an illustration, here are some examples:
Layer-2 switches
Cisco: Catalyst 2950, 2960 series

Layer-3 switches or routing switches
Cisco: Catalyst 3550, 3560, 3750, 4500, 6500 series
Juniper: EX series

Routers (with some bridging and/or security features) or switching routers
Cisco: 1800, 1900, 2600, 2800, 2900, 3700, 3800, 3900, 7200, 7600, ASR 1000 series
Juniper: MX series, J series, M series

Several factors have created significant confusion surrounding the subject of Layer-3 switch and Layer-3 switching. Some of this bewilderment arises from the recent merging of several technologies. In the past, switches and routers have been separate and distinct devices. The term switch was reserved for hardware-based platforms that generally functioned at Layer-2. For example, ATM switches perform hardware-based forwarding of fixed-length cells whereas Ethernet switches use MAC addresses to make forwarding decisions. Conversely, the term router has been used to refer to a device that runs routing protocols to discover the Layer-3 topology and makes forwarding decisions based on hierarchical Layer-3 addresses. Because of the complexity of these tasks, routers have traditionally been software-based devices. Routers have also performed a wide variety of "high touch" and value added features such as tunneling, data-link switching (DLSw), protocol translation, access lists, and Dynamic Host Configuration Protocol (DHCP) relay.

To better understand the difference between a switching router and a routing switch, consider the following illustration. Early Cisco switches (e.g. Catalyst 3500 switches) had only basic Layer-2 capabilities such as bridging and switching. Newer models (e.g. Catalyst 3550 or 3560 switches) also have some routing capabilities, such as terminating multiple Layer-3 interfaces and running dynamic routing protocols. In the router world, early Cisco routers (e.g. the 1600 or 2500 models) had only basic Layer-3 capabilities such as running dynamic routing protocols, terminating serial ports, and running non-IP protocols such as IPX and SNA. Newer models (e.g. the 1700, 1800, 2600 or 2800 models) also have some Layer-2 capabilities such as bridging and switching. In addition, WIC (WAN Interface Cards) and NM (Network Modules) with Ethernet ports extend the bridging and switching support of those newer routers even further, such as the WIC-4ESW Ethernet Switching card for the 1700 series, the HWIC-4ESW High-Density Ethernet Switching card for the 1800 and 2800 series, and the NM-16ESW Ethernet Switching module for the 2600 and 2800 series.

As a broad category, routing switches use hardware to create shortcut paths through the middle of the network, bypassing the traditional software-based router. Unlike traditional routers, which use general-purpose CPUs for both control-plane and data-plane functions, Layer-3 switches use high-speed application-specific integrated circuits (ASICs) in the data plane. By removing CPUs from the data-plane forwarding path, wire-speed performance can be obtained, giving a much faster version of the traditional router. In the Cisco world, the Catalyst 6500 switch series is an example of this routing-switch ASIC implementation. Such switches are typically blade- or module-based: you specify which "switch brain" (called a Supervisor Engine in Cisco terminology) and which port modules you want the switch to have.

A switching router is primarily a router that uses switching technology (high-speed ASICs) for speed and performance (while also supporting Layer-2 bridging functions); the Cisco 7600 series and Juniper MX series routers are examples. Such routers are likewise typically blade- or module-based: you specify which "router brain" (also called a Supervisor Engine in Cisco terminology) and which port modules you want the router to have.

Further, the Cisco 7600 series router Supervisor Engine modules are compatible with the Cisco Catalyst 6500 series switch due to identical architecture between the router and the switch. In other words, you could use the same Supervisor Engine model on either Cisco 7600 series router or Catalyst 6500 series switch.

Some network topologies as illustrations
1. Single Router

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router
                                            |
                             LAN 1 with Unmanaged Switch (UM)
                                       10.0.1.0/24


2. Single Router with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router --- LAN 2 with UM 10.0.2.0/24
                                            |
                                      LAN 1 with UM
                                       10.0.1.0/24


3. Single Router with single connection to a switch and with multiple LAN subnets (also known as "Router on A Stick" design)

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                         Router
                                            *
                                            * Single Connection to a Switch using a feature called Trunking
                                            *
                                  Layer-2 Managed Switch
                                    |       |       |
                                    |     LAN 2     |
                                    |    with UM    |
                                    |  10.0.2.0/24  |
                                    |               |
                                  LAN 1           LAN 3
                                 with UM         with UM
                               10.0.1.0/24     10.0.3.0/24


4. Single Router with Layer-3 Switch and with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                     Internet Router
                                            |
                                            | 10.0.0.0/24
                                            |
                                      Layer-3 Switch
                                     |     |       |
                                     |   LAN 2     |
                                     |   with UM   |
                                     | 10.0.2.0/24 |
                                     |             |
                                   LAN 1         LAN 3
                                  with UM       with UM
                                10.0.1.0/24   10.0.3.0/24


5. Multiple Routers with multiple unmanaged (dumb) switches and with multiple LAN subnets

                                        Internet
                                            |
                                            | 1.1.1.0/24
                                            |
                                     Internet Router
                                            |
                                            | 10.0.0.0/24
                                            |
                                   Unmanaged Switch (UM)
                                     |     |       |
                                     |  Router 2   |
                                     |     |       |
                                     |   LAN 2     |
                                     |   with UM   |
                                     | 10.0.2.0/24 |
                                     |             |
                                  Router 1      Router 3
                                     |             |
                                   LAN 1         LAN 3
                                  with UM       with UM
                                10.0.1.0/24   10.0.3.0/24

Of the variety of other switching devices and terminology released by vendors, Layer-4 and Layer-7 switching have received considerable attention. In general, these approaches refer to the capability of a switch to act on Layer 4 (transport layer) information contained in packets. For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers can be used to make decisions affecting issues such as security and Quality of Service (QoS). However, rather than being viewed as a third type of campus switching device, these should be seen as a logical extension and enhancement to the two types of switches already discussed. In fact, both routing switches and switching routers can perform these upper-layer functions.

 

More Related Network Hardware Tips and Guides

Use Layer-3 Switch or Router?

Layer 2 Switches & Layer 3 switches

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

Main Network Hardware’s Difference: Integrated Devices, Router, Network Switch & Firewall


Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) allows you to translate private addresses to public ones.
With the Cisco ASA firewall, you can configure two types of NAT:
- Dynamic NAT (including PAT, port address translation)
- Static NAT

The nat, global and static commands used below are the ASA 8.2 and earlier syntax. From ASA 8.3 onward NAT is configured with network objects (object NAT) and twice NAT, and these commands are no longer available.

NAT example (the web server must send its responses to the client from its public/mapped address):

cisco-nat-NAT-Configuration.jpg

Dynamic NAT translates internal addresses to a predefined set or pool of public addresses that you define. The "nat" command selects which internal hosts are translated, and the "global" command defines the public address range they are translated into. The number "1" is the NAT ID (the number of the NAT rule) and must match on the "nat" and "global" commands. With four addresses in the pool below, only four inside hosts can be translated at the same time; further connections fail unless a PAT address is also added under the same NAT ID as a fallback:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240

 
PAT translates a range of internal addresses to one public address by mapping each connection to a different source port:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 193.222.168.113                 


Instead of an IP address in the global command, you can use the keyword "interface". The internal addresses are then PATed to the address of the outside interface:

 ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0                               

 ASA1(config)#global (outside) 1 interface              

 

Static NAT permanently maps a public IP address and port to an inside one (port forwarding). Cisco also allows 1:1 static NAT, or "mirroring", which translates all ports of a private address to the same ports on a public address (bidirectional). Of course, for traffic to flow from the "outside" to the "inside" interface it must also be permitted by an access control list.

Port forwarding:

nat3-NAT-Configuration.jpg

Port forwarding exposes selected ports of a public address to internal hosts. After configuring NAT, you must apply an access list that permits the traffic from outside to the inside hosts. Finally, to activate the ACL, bind it to the "outside" interface with the "access-group" command. Note that in the 8.2-and-earlier syntax the inbound ACL matches the mapped (public) address, as below; from ASA 8.3 onward interface ACLs match the real (inside) address instead:

ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255

 ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255

 ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255

 

ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http

 ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp

 ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp

 

 ASA1(config)#access-group outside_in_acl in interface outside

 

Static 1:1 NAT (every public port mapped to the same internal port):

ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255        

To allow traffic to flow from the lower-security interface "outside" to the higher-security interface "inside", an access control list must be applied; the static entry alone creates the translation but does not permit the traffic.
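As an added example (my own code, not from the original post or from Cisco), here is a small Python model of how the pre-8.3 ASA handles the configuration above: the PAT rule for 192.168.15.0/24 behind 193.222.168.113, the three static port forwards on 209.165.201.3, and outside_in_acl applied inbound on the outside interface. The addresses are the ones used in the post; the client addresses, the flows pushed through the box and the first mapped port are constructed, and the Asa class is a simplification of the real packet path (connection lookup, then interface ACL against the mapped address, then NAT un-translation).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Asa:
    # nat (inside) 1 192.168.15.0 255.255.255.0  +  global (outside) 1 193.222.168.113
    pat_inside: str = "192.168.15.0/24"
    pat_global: str = "193.222.168.113"
    # static (inside,outside) tcp <mapped> <port> <real> <port>: (mapped, port) -> (real, port)
    statics: dict = field(default_factory=dict)
    # access-list outside_in_acl extended permit tcp any host <mapped> eq <port>
    acl_permit: set = field(default_factory=set)
    xlate: dict = field(default_factory=dict)  # (real ip, real port) -> mapped port
    conn: dict = field(default_factory=dict)   # (mapped ip, mapped port, peer ip, peer port) -> (real ip, real port)
    next_port: int = 1024                      # constructed: first mapped port handed out

    def outbound(self, f: Flow) -> Optional[Flow]:
        """inside -> outside: PAT the source if the nat rule matches, record xlate and conn."""
        if ip_address(f.src) not in ip_network(self.pat_inside):
            return None                        # no nat rule for this host: not translated here
        key = (f.src, f.sport)
        if key not in self.xlate:              # one mapped port per inside ip:port
            self.xlate[key] = self.next_port
            self.next_port += 1
        mport = self.xlate[key]
        self.conn[(self.pat_global, mport, f.dst, f.dport)] = key
        return Flow(self.pat_global, mport, f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> tuple[str, Optional[Flow]]:
        """outside -> inside in the pre-8.3 order: (1) an existing connection is matched
        first; (2) otherwise the inbound ACL is checked against the mapped (public)
        address; (3) only then is a static translation applied."""
        real = self.conn.get((f.dst, f.dport, f.src, f.sport))
        if real is not None:
            return "return-traffic", Flow(f.src, f.sport, real[0], real[1], f.proto)
        if (f.proto, f.dst, f.dport) not in self.acl_permit:
            return "denied-by-acl", None
        target = self.statics.get((f.dst, f.dport))
        if target is None:
            return "no-translation", None      # ACL permits it but nothing maps it inside
        return "static", Flow(f.src, f.sport, target[0], target[1], f.proto)


def build_asa() -> Asa:
    """The port-forwarding configuration from the post: http, ftp and smtp statics plus the ACL."""
    asa = Asa()
    for port, real in ((80, "10.2.2.28"), (21, "10.2.2.27"), (25, "10.2.2.29")):
        asa.statics[("209.165.201.3", port)] = (real, port)
        asa.acl_permit.add(("tcp", "209.165.201.3", port))
    return asa


def demo() -> dict:
    """Constructed flows; 203.0.113.9 and 198.51.100.5 are documentation addresses."""
    asa = build_asa()
    res = {}
    out = asa.outbound(Flow("192.168.15.10", 40000, "198.51.100.5", 443))
    res["outbound"] = (out.src, out.sport)                                # PATed behind the global address
    verdict, back = asa.inbound(Flow("198.51.100.5", 443, out.src, out.sport))
    res["return"] = (verdict, back.dst, back.dport)                       # reply follows the conn back in
    res["unsolicited_pat"] = asa.inbound(Flow("203.0.113.9", 5555, "193.222.168.113", 80))[0]
    verdict, web = asa.inbound(Flow("203.0.113.9", 5555, "209.165.201.3", 80))
    res["web"] = (verdict, web.dst, web.dport)                            # static + ACL: reaches 10.2.2.28
    res["ssh"] = asa.inbound(Flow("203.0.113.9", 5555, "209.165.201.3", 22))[0]
    asa.acl_permit.add(("tcp", "209.165.201.3", 443))                     # permit added, static forgotten
    res["acl_without_static"] = asa.inbound(Flow("203.0.113.9", 5555, "209.165.201.3", 443))[0]
    return res


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The last two cases are the ones that bite in practice: a permit in the ACL with no matching static still drops the packet, and a static with no permit is dropped by the ACL before the translation is ever consulted, so both halves are needed for every exposed port.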

 

More Related Cisco ASA Tips:

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?


Cisco STP(Switching and Spanning Tree Protocol) Basics

March 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Switching is the process of using the physical (MAC) address of devices to make forwarding decisions. Switches use application-specific integrated circuits (ASICs) for their switching function, which is how they reach such high switching speeds. Today I will explain how switches learn the hardware addresses of the hosts attached to them and how they use this information to forward frames. I will focus on the protocol designed to prevent broadcast loops.

 

For those of you who are new to this field, what I am talking about is the Spanning Tree Protocol (STP); I will describe its operation in detail and use examples where necessary, so you can get a clear understanding of how it functions.

 

Switching Benefits

Switches are very important networking devices; they’re used to terminate hosts on the LAN. They consist of multiple Ethernet/Fast Ethernet/Gigabit Ethernet interfaces with adjustable throughput rates.

 

They can be seen as multi-lane highways with a lot of exit points. Each host is assigned its own lane on the highway, so collision domains are separated per switch port. No bandwidth sharing takes place and each host on each port gets independent, dedicated bandwidth. The benefits of all this are:

  • Low latency
  • High speed
  • Low cost

 

Why low cost? Well the answer is quite simple. Imagine having a LAN of fifty hosts. All the hosts need access to the Internet; therefore they should be connected to a router somehow. Having 50 interfaces on a router to terminate client links is inefficient and wasteful.

 

By incorporating a switch in the network, the router needs only a single interface to connect to the switch and all users reach the router’s exit point with the help of the switch’s ASIC electronics. The diagram below shows a typical LAN connection.

 typical-LAN-connection.jpg

Switch Operation

Switches operate at layer 2 (the data-link layer) of the OSI model. They do not need special configuration to operate; they are simple plug-and-play devices. You can expect a new switch out of the box to work as soon as it is powered up. Later on we'll take a look at just how this is accomplished.

 

A layer 2 switch deals with three functions:

  • Address learning — When a switch is first switched on, it learns the MAC address of hosts attached to it and stores the MAC address and interface port association into its MAC table.
  • Forwarding — Based on the MAC address table, the switch is able to forward frames out the appropriate interfaces.
  • Loop prevention — Multiple connections between switches may exist for redundancy purposes. However these multiple connections may lead to network loops without the use of a sophisticated protocol to prevent their existence. STP is the protocol running on the switch ports to eliminate data flooding as a consequence of loops while at the same time maintaining redundancy.

 

How Does the Switch Find Host MACs?

Let’s use the diagram below to help us understand how address learning process takes place.

address-learning-process.jpg

Let’s assume that we have just powered on the switch. It has nothing in its MAC table. We connect the cables from the hosts on the switch interfaces as shown in the diagram. Host A initiates a connection towards Host D, and the following takes place:

  1. Host A (interface fe0/0) sends a frame to Host D (MAC address:0000.43c5.334c).
  2. The switch inspects the Source Address in the frame and notes in its table the MAC address of Host A along with the Interface number from which the frame originated.
  3. The switch inspects the Destination Address in the frame. Since it does not have Host D's MAC address in its table, it floods the frame unchanged out all interfaces except the one it arrived on (unknown-unicast flooding; the switch does not build a broadcast frame).
  4. Host D recognises itself as the intended recipient and responds to Host A. The switch receives the response frame on interface fe0/11 and places its Source Address in the table along with the interface number the frame came from.
  5. From now on, further communication between the two hosts will be switched to the appropriate interfaces based on the MAC tables entries.

 

This process takes place every time a new host is attached on the switch and initiates traffic. The switch tries to keep its MAC table up-to-date, therefore if some hosts do not initiate traffic for a certain amount of time, the switch removes them from its table and reinserts them when they begin sending traffic.

 

Spanning Tree Protocol (STP) Operations

The Spanning Tree Protocol (STP) is responsible for identifying the links in the network and blocking the redundant ones, preventing possible network loops. To do so, all switches in the network exchange BPDU messages to agree upon the root bridge. Once the root bridge is elected, every switch has to determine which of its ports is its root port, the port with the lowest path cost towards the root bridge.

 

On each network segment only one port, the designated port, is allowed to forward, and a port that is neither a root port nor a designated port is placed in the blocking state. Let us see the operation of STP with the use of an example. We will use the topology shown below to help us understand how STP operates.

how-STP-operates-copy-2.jpg

  1. The root bridge needs to be elected. Two fields combined, the Bridge ID, identify each switch: a priority value followed by the MAC address, and the lowest Bridge ID wins. Without manual configuration all switches have the same priority (32768), so it is up to the MAC address to decide: the switch with the lowest MAC address is elected as the root bridge. In the diagram above Switch C is the elected root bridge.
  2. Once the root bridge is elected, each non-root switch identifies a single root port, the port with the lowest path cost to the root bridge. This port will always be in the forwarding state. All ports of the root bridge are designated ports and therefore forwarding. Moreover, one port per segment (the designated port) is allowed to be in the forwarding state; it belongs to the switch with the lowest path cost to the root on that segment, with the lower Bridge ID breaking ties.
  3. In our example we have two ports on switch A and two ports on switch B that belong to the same segment. Two of them need to be blocked to avoid loops. Since the two switches tie on path cost to the root and switch B has the higher MAC address (hence the higher, less preferred, Bridge ID), switch A's ports become the designated ports and switch B's ports are blocked.
  4. The result of all this is that only one active path exists between any two switches. Mission accomplished!
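As an added example (not from the original post), the following Python code runs the election rules from the steps above on a constructed three-switch topology: default priority 32768 everywhere, so the lowest MAC (switch C) becomes root, two parallel links between A and B, and one link from each of them to C. The MAC addresses, port numbers and link costs are made up; the functions compute the root bridge, each switch's root path cost, and the root, designated or blocking role of every port. The last function shows what happens to the election when a device that advertises priority 0 joins the network.

```python
from __future__ import annotations
import heapq

# Constructed inputs: Bridge ID = (priority, MAC). 802.1D cost 19 is a 100 Mbit/s link.
BRIDGES = {"A": (32768, "0000.0c11.1111"),
           "B": (32768, "0000.0c22.2222"),
           "C": (32768, "0000.0c00.0001")}
LINKS = [("A", 1, "B", 1, 19), ("A", 2, "B", 2, 19),    # two parallel links A<->B
         ("A", 3, "C", 1, 19), ("B", 3, "C", 2, 19)]    # (switch, port, switch, port, cost)


def bridge_id(sw: str, bridges: dict = BRIDGES) -> tuple[int, str]:
    """Bridge ID compares priority first, then MAC; lower wins."""
    return bridges[sw]


def elect_root(bridges: dict = BRIDGES) -> str:
    return min(bridges, key=lambda sw: bridge_id(sw, bridges))


def root_path_costs(root: str) -> dict[str, int]:
    """Each switch's lowest cost to the root (Dijkstra over the link costs)."""
    adj: dict[str, list] = {}
    for a, _, b, _, c in LINKS:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist = {root: 0}
    pq = [(0, root)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, 1 << 30):
                dist[v] = d + c
                heapq.heappush(pq, (dist[v], v))
    return dist


def port_roles() -> dict[tuple[str, int], str]:
    root = elect_root()
    cost = root_path_costs(root)
    roles: dict[tuple[str, int], str] = {}
    # Root port: on every non-root switch, the port that hears the best BPDU, i.e. the
    # lowest (neighbour root path cost + link cost, neighbour Bridge ID, neighbour port).
    for sw in BRIDGES:
        if sw == root:
            continue
        best = None
        for a, pa, b, pb, c in LINKS:
            for me, mp, nb, np_ in ((a, pa, b, pb), (b, pb, a, pa)):
                if me == sw:
                    cand = ((cost[nb] + c, bridge_id(nb), np_, mp), (me, mp))
                    if best is None or cand < best:
                        best = cand
        roles[best[1]] = "root"
    # Designated port: on every segment the end with the lower (root path cost,
    # Bridge ID, port) forwards; the other end blocks unless it is a root port.
    for a, pa, b, pb, c in LINKS:
        ends = sorted([((cost[a], bridge_id(a), pa), (a, pa)),
                       ((cost[b], bridge_id(b), pb), (b, pb))])
        roles.setdefault(ends[0][1], "designated")
        roles.setdefault(ends[1][1], "blocking")
    return roles


def root_with_rogue(priority: int = 0, mac: str = "0000.0000.0001") -> str:
    """802.1D has no authentication: whatever sends BPDUs with the lowest Bridge ID
    becomes root. A constructed device with priority 0 wins against every real switch."""
    return elect_root({**BRIDGES, "rogue": (priority, mac)})


if __name__ == "__main__":
    print("root:", elect_root(), "costs:", root_path_costs(elect_root()))
    for port, role in sorted(port_roles().items()):
        print(port, role)
    print("with rogue:", root_with_rogue())
```

The output reproduces the post's reasoning: both A-B links end up with A designated and B blocking because A and B tie on cost and A has the lower Bridge ID, while each switch's link to C becomes its root port.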

 

Things to Keep in Mind about STP

  • The Spanning Tree Protocol is a link management protocol designed to support redundant links while preventing switching loops in the network. It is quite useful and should be left enabled on switch interfaces.
  • STP has a high convergence time; classic 802.1D can take 30 to 50 seconds (the listening and learning states plus the max-age timer) to converge and provide redundancy. A newer development of STP, the Rapid Spanning Tree Protocol (RSTP, 802.1w), retains all the tasks of STP while reducing convergence time to a few seconds.
  • BPDUs are not authenticated. Any device that sends BPDUs with a lower Bridge ID than the current root, whether a rogue switch or a host running bridging software, becomes the root and pulls traffic through itself. On Cisco switches, enable BPDU Guard on access ports (where no BPDU should ever arrive) and Root Guard on ports that must never lead towards the root.

 

More Related Topics:

How to Configure Spanning Tree Protocol (STP) on Catalyst Switches?

Switch Types and LAN Switching

Switchport Security & Configuration


Switchport Security Configuration

March 25 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

The switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit what addresses will be allowed to send traffic on individual switchports within the switched network.

 

Once an organization decides to utilize the switchport security feature on their networks, it is important to carefully plan before any configuration is put in place. While the switchport security feature is very useful if used correctly, it can easily be misconfigured; this misconfiguration can cause service interruption and ongoing headaches for an organization. The planning of the configuration includes determining which violation mode and operation mode to use based on the goals of the organization, as well as determining which switchports should be enabled with the feature. This article takes a look at how the switchport security feature is configured by extending on the concepts that were covered in Switchport Security.

 

Switchport Security Configuration

By default, the switchport security feature is disabled on all switchports and must be enabled. Table 1 shows the steps required to enable the switchport security feature on an interface. (This can cause some confusion, but in Cisco IOS switchport configuration is performed in interface configuration mode; the terms interface and switchport are interchangeable here.) Port security can only be enabled on a static access port or a trunk port; on a port still in the default dynamic (DTP) mode the command is rejected, so set the port mode first.

Enter privileged mode

router>enable

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Make the port a static access port

router(config-if)#switchport mode access

Enable the switchport security feature

router(config-if)#switchport port-security

Without configuring any other parameters, the switchport security feature permits only one MAC address to be learned per switchport (dynamically) and uses the shutdown violation mode; this means that if a second MAC address is seen on the switchport, the port is shut down and put into the err-disabled state. It stays there until an administrator issues shutdown followed by no shutdown on the interface, or until automatic recovery is enabled globally with errdisable recovery cause psecure-violation.

 

Table 2 shows the steps required to alter these default parameters:

Enter privileged mode

router>enable

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Configure the maximum number of MAC addresses allowed on a switchport (default: 1)

router(config-if)#switchport port-security maximum value

Configure the switchport violation mode (default: shutdown)

router(config-if)#switchport port-security violation {protect | restrict | shutdown}

The three violation modes differ in what happens to frames from an address beyond the maximum: protect silently drops them; restrict drops them, increments the violation counter and sends a syslog message and SNMP trap; shutdown drops everything by putting the whole port into the err-disabled state.

 

As stated above, by default MAC addresses are learned on a switchport dynamically and are called dynamic MAC addresses. MAC addresses can also be configured in two other ways: statically and sticky. Static MAC addresses can be configured on a switchport to ensure that only a device with a specific MAC can use it (for example, if the switchport location and the device are publicly accessible and the organization wants to ensure that only the authorized device can access the network). A sticky MAC address is a hybrid between a static and a dynamic MAC address. When it is dynamically learned, the address is automatically written into the running configuration as a sticky secure address; it stays there until a reboot. On reboot the address will be lost; if the network engineer wants to keep it across a reboot, a configuration save is required (copy running-config startup-config). Keep in mind that a MAC address is not a credential: an attacker who learns an allowed address can spoof it, so port security limits what can plug into a port but does not authenticate the device.

Table 3 shows the steps required to configure a static MAC address:

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Configure a static MAC address

router(config-if)#switchport port-security mac-address mac-address

 

Table 4 shows the steps required to enable the use of sticky learning on a switchport:

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Enabling the use of sticky MAC address learning

router(config-if)#switchport port-security mac-address sticky

 

Switchport Security Configuration Example

To wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example.

 

The configuration shown in Table 5 will make ports f0/1 and f0/2 static access ports, enable the switchport security feature on both, statically configure the 0000.1111.2222 MAC address on the f0/1 switchport and enable sticky learning on the f0/2 switchport.

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface f0/1

Make the port a static access port

router(config-if)#switchport mode access

Enabling the switchport security feature

router(config-if)#switchport port-security

Configuring a static MAC address (0000.1111.2222) on the switchport

router(config-if)#switchport port-security mac-address 0000.1111.2222

Enter interface configuration mode

router(config)#interface f0/2

Make the port a static access port

router(config-if)#switchport mode access

Enabling the switchport security feature

router(config-if)#switchport port-security

Configuring the use of sticky MAC address learning

router(config-if)#switchport port-security mac-address sticky

 

While the switchport security feature does not require that many commands to operate properly, it can also be misconfigured just as easily. Take the time to write down and triple-check that the proposed configuration is doing what is expected, and/or test a proposed configuration in a non-production environment. Hopefully the content in this article can be used to get started with the switchport security feature.
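As an added example (not from the original article), here is a Python model of the behaviour described above: a secure port with a maximum address count, the protect, restrict and shutdown violation modes, static and sticky addresses, and the running-config versus startup-config distinction for sticky entries. The port names, MAC addresses and log text are constructed, and the model follows the rules as the article states them rather than reproducing IOS output.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum <n>   (default 1)
    violation: str = "shutdown"       # protect | restrict | shutdown          (default shutdown)
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # switchport port-security mac-address <mac>
    learned: dict = field(default_factory=dict)  # mac -> "dynamic" | "sticky" (running-config only)
    saved_sticky: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | set(self.learned)

    def ingress(self, src_mac: str) -> str:
        """Apply port security to one frame's source MAC and report what the port did."""
        if self.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in self.secure_macs():
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # A new address beyond the maximum: the violation mode decides.
        if self.violation == "protect":
            return "dropped (protect: silent, no counter)"
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"port-security violation on {self.name} by {src_mac}")  # syslog + SNMP trap
            return "dropped (restrict: logged and counted)"
        self.err_disabled = True      # shutdown: the whole port goes err-disabled
        self.log.append(f"{self.name} err-disabled (psecure-violation)")
        return "dropped (shutdown: port err-disabled)"

    def running_config(self) -> list:
        cfg = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.sticky:
            cfg.append(" switchport port-security mac-address sticky")
        cfg += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        cfg += [f" switchport port-security mac-address sticky {m}"
                for m, kind in sorted(self.learned.items()) if kind == "sticky"]
        return cfg

    def write_memory(self) -> None:
        """copy running-config startup-config: only now do sticky addresses survive a reload."""
        self.saved_sticky = {m for m, kind in self.learned.items() if kind == "sticky"}

    def reload(self) -> None:
        self.learned = {m: "sticky" for m in self.saved_sticky}   # dynamic entries are gone
        self.err_disabled = False


def demo() -> dict:
    """Constructed frames against four ports configured the way the article describes."""
    res = {}
    f01 = SecurePort("f0/1", static={"0000.1111.2222"})           # static MAC, default shutdown mode
    res["f01_ok"] = f01.ingress("0000.1111.2222")
    res["f01_intruder"] = f01.ingress("0000.aaaa.bbbb")
    res["f01_after"] = f01.ingress("0000.1111.2222")               # the legitimate host is cut off too
    f02 = SecurePort("f0/2", sticky=True)                           # sticky learning
    res["f02_learn"] = f02.ingress("0000.3333.4444")
    res["f02_in_running_config"] = any(line.endswith("sticky 0000.3333.4444")
                                       for line in f02.running_config())
    f02.reload()                                                    # nobody saved: entry is gone
    res["f02_after_unsaved_reload"] = sorted(f02.secure_macs())
    f02.ingress("0000.3333.4444")
    f02.write_memory()
    f02.reload()
    res["f02_after_saved_reload"] = sorted(f02.secure_macs())
    f03 = SecurePort("f0/3", maximum=2, violation="restrict")
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003"):
        f03.ingress(mac)
    res["f03_restrict"] = (f03.violations, f03.err_disabled, len(f03.log))
    f04 = SecurePort("f0/4", violation="protect")
    f04.ingress("0000.0000.0001")
    res["f04_protect"] = (f04.ingress("0000.0000.0002"), f04.violations)
    return res


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

The f0/1 case is the one to plan for before rolling the feature out: in the default shutdown mode a single foreign frame takes the whole port down, including the authorized device behind it, which is exactly the service interruption the article warns about.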

 

More Related Topics:

What is Switchport Security?

Switchport Security & Configuration

How to Know What Device is on What Port on a Cisco Switch?

Cisco Switch Port Security ---How to Configure Switch Security?

How to Set Port Security on a Cisco Catalyst Switch?


Benefits of Dynamic Routing

February 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

As a network administrator, you must also know dynamic IP routing like the back of your hand. In this article, we'll explore dynamic IP routing and you'll learn the practical information that you need to know about it.

 

Routing in General

To review from the last tip, the router learns the next hop for packets using one of two methods:

  1. Static routing: With static routing, you -- as the administrator -- manually enter the routes and tell the router, for each IP network, what next hop that traffic should be delivered to.
  2. Dynamic routing: With dynamic routing, you -- as the administrator -- configure a routing protocol on your network interfaces. Your routing protocol learns about other routers automatically. Your router and the other routers exchange routes, and each learns about the networks that the other is connected to. When new networks are added or removed, the routers update each other.

 

Static Routing Issues

With static routing, you are telling your router to send traffic for a destination IP network to a next-hop router with an IP address of x.x.x.x. This is handy for a small network with very few routes or for someone who wants absolute control, but it becomes very cumbersome as your network grows. To keep a multi-site wide-area network fully connected (fully meshed) via static routes, you have to create a route on every router for every other router's networks. This means that as you add more sites the number of routes you have to maintain grows roughly with the square of the number of sites, and when sites go down or links perform poorly, any corrections must be entered manually.

 

Benefits of Dynamic Routing

A dynamic routing protocol can resolve these issues for you. Here are some general benefits of using a dynamic routing protocol:

  • More automation: Routing updates are automatically sent to all other routers.
  • Change notification: The dynamic routing protocol may be able to reroute traffic around a link that is down or congested.
  • Greater uptime for users: Because the routing protocol has intelligence and can react faster, the users may see more uptime.
  • Greater network throughput: Because the routing protocol may be able to calculate the most responsive network link to use, the users may see less latency and more performance out of the network.
  • Less work for administrators: As the network grows, the administrator doesn't have to worry about configuring all the other routers on the network. Instead, the administrator configures the dynamic routing protocol on the new router to talk to the other routers and let them know what networks the new router has to offer.

 

Gotchas of Dynamic Routing

Don't think that dynamic routing protocols are perfect, however. Here are some possible gotchas of using dynamic routing protocols:

  • Routers may need more CPU and RAM to hold routing tables and calculate dynamic routes.
  • Dynamic routing protocols aren't perfect and can experience routing loops in some cases.
  • Dynamic routing protocols will introduce complexity to your network. You will need to understand how to configure and troubleshoot the new dynamic routing protocols.

 

Dynamic Routing Protocols

You may be wishing you had some examples of dynamic routing protocols. I'm not going to cover or compare all possible routing protocols, but let's talk about the dynamic routing protocols you need to know.

 

First off, there are the interior gateway protocols (IGPs). These are the protocols you would use within your own network. They are supported by just about every router and by server operating systems (such as Windows Server 2003 and Linux):

  • OSPF (Open Shortest Path First), RFC 2328, is the most widely deployed IGP in use today. It is an open standard, so any router or server operating system can run it. OSPF selects the best route using "cost" as its metric. OSPF is a full-featured link-state protocol and can be complex, but with areas it scales to very large networks.
  • EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco proprietary protocol; only Cisco devices run EIGRP. EIGRP is a full-featured routing protocol, similar to OSPF. EIGRP has some great features, but unless you can guarantee that you will always have an all-Cisco network, I would recommend an open protocol like OSPF instead. EIGRP replaced IGRP, its predecessor. With EIGRP, the metric used to select the best route is a composite that can take into account the bandwidth, delay, reliability and load of the path; by default only bandwidth and delay are used.
  • RIP (Routing Information Protocol) version 2, RFC 2453, is also an open standard. Version 2 of RIP is what you should use today, as it provides support for VLSM (Variable Length Subnet Mask). RIP is the simplest and easiest routing protocol to configure, but it has fewer features than OSPF and is limited to paths of at most 15 hops (a metric of 16 means unreachable). RIP works very well for a small network that doesn't plan on growing large, however. Another great thing about RIP is that it is commonly supported by even small routers and firewalls.

And, in a class by itself, there is Border Gateway Protocol (BGP):

  • BGP (Border Gateway Protocol) is the routing protocol of the Internet. BGP is an Exterior Gateway Protocol (EGP), meaning it is used between autonomous systems by the routers that make routing decisions on the Internet. Just because your home or work router has a connection to the Internet, you don't necessarily need BGP or want to run it. Once your router has more than one dedicated connection to the Internet from business-class providers, you may want to look at running BGP. BGP is a path-vector protocol: it carries the list of autonomous systems a route has passed through (the AS-PATH) and, all else being equal, prefers the route with the shortest AS-PATH, although several other attributes (such as local preference) are compared before path length.

 

Configuring Dynamic Routing

So all this theoretical stuff is great, right? It gives you a good foundation, but you probably want to see how to configure a dynamic routing protocol.

 

Let's say that we have the basic network, shown below:

 

 Configuring-dynamic-routing.jpg

It is our job to configure RIP between these two locations so that each router knows about the other router's networks. Assuming that all normal router IP addressing is configured and the interfaces have been enabled, we need to issue only a few simple commands on each router to accomplish this.

 

Here is the configuration:

Location A
router rip
 version 2
 no auto-summary
 network 10.1.1.0
 network 63.248.129.0

Location B
router rip
 version 2
 no auto-summary
 network 10.2.2.0
 network 63.248.129.0

What this does is:

Enter routing configuration mode on each router.
Enable version 2 of the RIP routing protocol.
Enable RIP routing on both the LAN and the WAN networks. This tells the router both to advertise these networks to other routers and to look for other routers on these networks. Note that the RIP network command is classful: IOS accepts network 10.1.1.0 but stores it as network 10.0.0.0, which enables RIP on every interface whose address falls in 10.0.0.0/8. Turning off auto-summary keeps the subnets from being summarised to their classful boundary when they are advertised across the WAN link.

 

Once completed, here is the routing table and ping output for Location A:

Location-A1.jpg

Location-A2.jpg

Location-A3.jpg

As you can see, each router knows about the other router's LAN networks through RIP (the "R" in the routing table source shows that these routes were learned through RIP). Also, each router can ping other routers' Ethernet interfaces.
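As an added example (not from the original article), here is a distance-vector exchange in the style of RIP, run first on the two-router network from the configuration above and then on a constructed chain of 17 routers to show the 15-hop limit. The router names, the chain and its per-router LANs are made up, and the code models the algorithm (hop count, split horizon with poisoned reverse, metric 16 as unreachable), not the IOS implementation or its timers.

```python
from __future__ import annotations

INFINITY = 16   # RIP: a metric of 16 means unreachable; 15 hops is the longest usable path


class Router:
    def __init__(self, name: str, connected: list[str]) -> None:
        self.name = name
        # prefix -> (metric, next hop); directly connected networks are metric 0 with no next hop
        self.table: dict[str, tuple[int, str | None]] = {n: (0, None) for n in connected}
        self.neighbors: list[Router] = []

    def advertisement(self, to: Router) -> dict[str, int]:
        """Routes sent to one neighbour. Split horizon with poisoned reverse: a route
        learned from that neighbour is sent back to it as unreachable."""
        return {p: (INFINITY if nh == to.name else m) for p, (m, nh) in self.table.items()}

    def receive(self, frm: Router, adv: dict[str, int]) -> bool:
        """Bellman-Ford step: receiver adds one hop; returns True if the table changed."""
        changed = False
        for prefix, m in adv.items():
            metric = min(m + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if metric < INFINITY:                       # never install an unreachable route
                    self.table[prefix] = (metric, frm.name)
                    changed = True
            elif cur[1] == frm.name:                        # same next hop: always accept its view
                if cur[0] != metric:
                    self.table[prefix] = (metric, frm.name)
                    changed = True
            elif metric < cur[0]:                           # a shorter path via another neighbour
                self.table[prefix] = (metric, frm.name)
                changed = True
        return changed


def link(a: Router, b: Router) -> None:
    a.neighbors.append(b)
    b.neighbors.append(a)


def converge(routers: list[Router], max_rounds: int = 50) -> int:
    """Exchange updates until nothing changes; returns the number of rounds used."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            for nb in r.neighbors:
                changed |= nb.receive(r, r.advertisement(nb))
        if not changed:
            return rnd
    return max_rounds


def reachable(r: Router) -> dict[str, tuple[int, str | None]]:
    return {p: v for p, v in r.table.items() if v[0] < INFINITY}


def two_sites() -> dict:
    """The article's network: each site has a LAN and both share the 63.248.129.0/24 WAN."""
    a = Router("LocationA", ["10.1.1.0/24", "63.248.129.0/24"])
    b = Router("LocationB", ["10.2.2.0/24", "63.248.129.0/24"])
    link(a, b)
    converge([a, b])
    return {"A": reachable(a), "B": reachable(b)}


def long_chain(n: int = 17) -> dict:
    """Constructed: n routers in a row, one LAN each. R15's LAN is 15 hops from R0 and
    still reachable; R16's LAN would be 16 hops, which RIP cannot express."""
    rs = [Router(f"R{i}", [f"10.{i}.0.0/24"]) for i in range(n)]
    for i in range(n - 1):
        link(rs[i], rs[i + 1])
    converge(rs, max_rounds=100)
    return {"hops_R0_to_R15": rs[0].table.get("10.15.0.0/24", (INFINITY, None))[0],
            "R16_lan_reachable_from_R0": "10.16.0.0/24" in reachable(rs[0])}


if __name__ == "__main__":
    for site, table in two_sites().items():
        print(site, table)          # the learned routes are the "R" entries in the article's output
    print(long_chain())
```

The two-site tables reproduce what the article's routing-table screenshots show: each router has its own networks as connected routes and the other site's LAN as a one-hop route learned from its neighbour. The chain makes the hop-count ceiling concrete, which is the limitation to weigh before picking RIP for a network that might grow.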

 

We could have accomplished the same connectivity with only one static route on each router. However, as this network grows from two routers to 20 or 200, the time needed to administer static routing would be a horrible administrative burden.

 

As a network administrator, you should have some basic knowledge of the four most popular dynamic routing protocols in use today. If you are new at this, I recommend that you start by learning about RIP and move up to the other protocols from there.

---Resource from http://searchnetworking.techtarget.com/tip/Cisco-IOS-IP-routing-dynamic-routing

More Related Cisco and Network Tips:

Routing Information Protocol & RIP Configuration

Understanding Different Router Numbers

Understanding Cisco IOS Static Multicast Routes

Cisco IOS IP Routing: Static Routes
