Tuesday, October 25, 2011

How to BLOCK out going traffic by MAC-Address filter in Cisco ASA

This title may seem odd: a Cisco ASA usually runs in Layer 3 (routed) mode and filters by IP address, so most people never need to filter by a Layer 2 MAC address. If you do need it in some circumstances, you can use the mac-list command together with AAA (the Cut-Through Proxy feature). This example walks through the ASDM configuration steps.

There is no DHCP reservation option in the Cisco ASA, so we cannot tie a MAC address to an IP address for the user's PC in the ASA, and therefore cannot add an access rule based on that IP address.

Since the Cisco ASA runs in Layer 3 mode, filtering access by MAC address is not possible directly. In transparent mode on the ASA it is possible by adding a static MAC address under the inside interface; in that case you should use it together with the command that disables MAC address learning.

Adding a Static MAC Address

hostname(config)#mac-address-table static interface_name mac_address

Disabling MAC Address Learning

hostname(config)#mac-learn interface_name disable

Reference link for transparent mode ASA: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039986

Cut-Through Proxy Feature

  • step 1. Log in to ASDM and navigate to Configuration > Firewall > AAA Rules.
  • step 2. Click on Add and select Add Authentication Rule.
  • step 3. Select the interface where the authentication rule will be applied from the Interface pull-down menu. The inside interface is selected in this example.
  • step 4. Select Authenticate in the Action field to require user authentication.
  • step 5. Select the AAA server group (LOCAL) from the AAA Server Group pull-down menu.
  • step 6. Click on Add User and type your desired username and password in the Add User Account dialog box.
  • step 7. Select No ASDM, SSH, Telnet or Console access under the Access Restriction section and click the OK button.
  • step 8. You must specify a source and a destination for traffic that will require authentication. Click the ellipsis (...) to select an address that has already been configured in ASDM. In this example, the any keyword is entered to require authentication for any source from the inside interface.
  • step 9. Enter the destination IP address, network address, or the any keyword in the Destination field. In this example, the any keyword is entered to require authentication when a host tries to reach any destination.
  • step 10. Enter an IP service name for the destination service in the Service field. In this example, authentication is required for any host trying to access any TCP-based applications.
  • step 11. You can optionally enter a description for the authentication rule in the Description field.
  • step 12. Click OK.
  • step 13. Click Apply to apply the configuration changes.
  • step 14. Click Save to save the configuration in the Cisco ASA.

Exemption MAC Address

  • step 1. Log in to ASDM and navigate to Configuration > Firewall > AAA Rules.
  • step 2. Click on Add and select Add MAC Exempt Rule.
  • step 3. Select MAC Exempt in the Action field.
  • step 5. Type the MAC address (00aa.00bb.00cc) in the MAC Address field; 00aa.00bb.00cc is the example MAC address used here.
  • step 6. The MAC Mask field shows ffff.ffff.ffff; leave it at the default value and click OK.
  • step 7. Click Apply to apply the configuration changes.
  • step 8. Click Save to save the configuration in the Cisco ASA.
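The two ASDM procedures above, expressed as the equivalent ASA CLI. This is an added example and not configuration from the original post; the object names (AUTH_INSIDE, MACEXEMPT), the username and password, and the interface name are placeholders I assumed for illustration, and only the MAC address 00aa.00bb.00cc comes from the post.

```cisco
! Local user that may only authenticate through the cut-through proxy,
! i.e. the ASDM choice "No ASDM, SSH, Telnet or Console access"
! (password is a placeholder; set a real one)
username proxyuser password CHANGE_ME privilege 0
username proxyuser attributes
 service-type remote-access
!
! Steps 8-10 of the authentication rule: any source, any destination, any TCP service
access-list AUTH_INSIDE extended permit tcp any any
!
! Require authentication against the LOCAL user database for traffic
! matching AUTH_INSIDE that enters the inside interface
aaa authentication match AUTH_INSIDE inside LOCAL
!
! MAC exempt rule: this one host bypasses the authentication requirement.
! Mask ffff.ffff.ffff means an exact match on the whole address.
mac-list MACEXEMPT permit 00aa.00bb.00cc ffff.ffff.ffff
aaa mac-exempt match MACEXEMPT
```

Users are prompted to authenticate when they open an HTTP, HTTPS, FTP or Telnet session through the firewall; once authenticated, the other TCP traffic covered by the rule is allowed for that host until the uauth timeout expires (check with `show uauth`). Keep in mind that a MAC exemption trusts a value the client itself presents, so it is a convenience exception for a known device, not a substitute for user authentication.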

Reference link as below:

http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=4

Monday, August 15, 2011

VLAN Access Control Lists (VACLs) Tier 1

In this blog post, we will obtain some good solid Tier 1 level knowledge regarding VLAN Access Control Lists or VACLs. These are often also referred to as VLAN Access Maps or just VLAN Maps, thanks to the syntax that is used in their creation.

When you want to filter traffic that is moving from one VLAN to another, things are real CCNA-like and friendly: we use an Access Control List. In fact, we should elaborate on that term a bit now in light of this discussion. We actually use a Router-based Access Control List or RACL.

But what if we want to filter traffic that is flowing within a VLAN? Oh no, a Router-based Access Control List cannot help us! This is when we turn to the VLAN Access Control List. To help us understand this feature, let us create a topology and a sample scenario. Here is the simple topology:
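As an added example of the intra-VLAN filtering the post is introducing (not configuration from the post or the article it excerpts), the following Catalyst VLAN access map drops Telnet between hosts inside VLAN 10 while forwarding everything else; the VLAN number, subnet and map name are assumed.

```cisco
! Traffic we want to stop inside VLAN 10: Telnet from any host in the
! VLAN to any other host in the same VLAN (subnet is assumed)
ip access-list extended TELNET_IN_VLAN10
 permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
!
! Sequence 10: frames matching the ACL are dropped
vlan access-map VLAN10_FILTER 10
 match ip address TELNET_IN_VLAN10
 action drop
! Sequence 20: no match clause, so everything else is forwarded
vlan access-map VLAN10_FILTER 20
 action forward
!
! Apply the map to VLAN 10; it filters traffic bridged within the VLAN,
! which a router ACL on the SVI never sees
vlan filter VLAN10_FILTER vlan-list 10
```

Unlike a RACL, the map is evaluated for traffic that never leaves the VLAN, so the final forward entry matters: a VLAN access map with no matching sequence drops the frame.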

For full information, please visit the link mentioned:


Thursday, July 21, 2011

My Note (Switching)

Private VLAN (PVLAN)
What a private VLAN does is split a broadcast domain into multiple isolated broadcast subdomains. The simple concept is a VLAN inside a VLAN. A private VLAN is defined as a pairing of a Primary VLAN (a normal VLAN) with a Secondary VLAN (isolated and community VLANs).
Isolated VLAN – The end points on all ports assigned to an isolated private VLAN cannot communicate with one another, nor with host ports in any other private VLAN.
Community VLAN – End points attached to community ports can communicate with one another, but not with ports in other private VLANs.
An access port assigned to a private VLAN operates in one of two modes:
Host – The port inherits its behavior from the type of private VLAN it is assigned to.
Promiscuous – The port can communicate with any other private VLAN port in the same primary VLAN (usually connects to a router).
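A Catalyst configuration that builds the primary/isolated/community pairing just described, added here as an example rather than taken from the note; the VLAN numbers and interface names are assumed.

```cisco
! Private VLANs require VTP transparent mode (VTP v1/v2)
vtp mode transparent
!
! Secondary VLANs first: one isolated, one community
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
!
! Primary VLAN, paired with both secondaries
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Host port in the isolated VLAN: can only reach the promiscuous port
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Host port in the community VLAN: can reach other 202 ports and the promiscuous port
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Promiscuous port towards the router/gateway: talks to every secondary VLAN
interface FastEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
```

`show vlan private-vlan` lists the pairings and port assignments. Note that the isolation is Layer 2 only: two isolated hosts can still reach each other through the router on the promiscuous port unless that router also filters, which is why a local proxy-ARP or ACL check on the gateway usually accompanies this design.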
--------------------------------------------------------------------------
STP

The hello time is 2 seconds. The Max Age timer is 10x the hello timer. This is important: it is not always 20 seconds; it is 20 seconds because the hello timer is 2 seconds.

STP has 4 states: blocking, listening, learning and then forwarding.

Once a port is in the blocking state, it stays there for 20 seconds, then moves on to listening for 15 seconds, then learning for 15 seconds. That's where your 50 seconds comes from.

RSTP
The max age is 3x the hello, so a maximum of 6 seconds. There is no blocking port state in RSTP; it is the discarding state. Discarding replaces blocking and listening, so we only have discarding, learning and forwarding.

The main difference in RSTP is that all bridges can send BPDU, not just the root.

The BPDUs come from all switches with RSTP, whereas with STP they come from the root down to the switches.

So if a switch goes down, any switch that has a link connected to it will notice (as its link has gone down); this switch will then bring up its alternate port and send out a BPDU to the neighbor switches still alive to say it has done so (so no timer needs to time out; this happens almost instantly). This BPDU then travels through the network updating all other switches, resulting in sub-second failover and convergence of the network.
--------------------------------------------------------------------------
Loop Guard

DO NOT enable loop guard on PortFast-enabled or dynamic VLAN ports.
DO NOT enable PortFast on loop guard-enabled ports.
DO NOT enable loop guard if root guard is enabled.
DO NOT enable loop guard on ports that are connected to a shared link.
Note: It is recommended to enable loop guard on root ports and alternate root ports on access switches.

Root Guard
It guards the integrity of the root bridge. In other words, root guard makes sure that the switch you want to be the root bridge in your spanning-tree topology remains the root bridge. (Root guard forces a port to always be a designated port.)
Root guard is generally configured on designated ports and prevents the port from becoming a root port.
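The loop guard and root guard rules above, applied to a two-switch layout as an added example (not from the note): root guard on the root bridge's downstream designated ports, loop guard on the access switch's root and alternate root ports, and PortFast only on host ports where loop guard is deliberately absent. Interface names are assumed.

```cisco
! --- Root (distribution) switch ---
! Designated ports facing access switches: refuse a superior BPDU so no
! downstream switch can take over the root role
interface GigabitEthernet0/1
 description to access switch uplink 1
 spanning-tree guard root
interface GigabitEthernet0/2
 description to access switch uplink 2
 spanning-tree guard root
!
! --- Access switch ---
! Root port and alternate root port: loop guard moves the port to
! loop-inconsistent (blocking) if BPDUs stop arriving instead of forwarding
interface GigabitEthernet0/1
 description uplink 1 (root port)
 spanning-tree guard loop
interface GigabitEthernet0/2
 description uplink 2 (alternate port)
 spanning-tree guard loop
!
! Host-facing access port: PortFast plus BPDU guard, and no loop guard,
! matching the "do not enable loop guard on PortFast ports" rule
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
```

`show spanning-tree inconsistentports` lists any port that root guard or loop guard has placed into an inconsistent state, which is the first thing to check when an uplink unexpectedly stops forwarding after these guards are enabled.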

Good explanation of rootguard is http://astorinonetworks.com/2011/10/28/understanding-stp-rootguard/

Friday, July 15, 2011

Reset password on Riverbed Steelhead

To reset your password on a Steelhead appliance, you must have access to the serial console or monitor and be able to see the entire boot process to perform these steps:

1. Start, or reboot the appliance.

2. Once you see the "Press any key to continue" message, press a key.

3. Immediately press E.

A GNU GRUB menu appears.

For a Steelhead upgraded to 4.0 from 2.0 or 3.0, the menu prompts you to select the Riverbed Steelhead, diagnostics, or a restore/recovery image. Select Riverbed Steelhead and skip to Step 5.

For a Steelhead manufactured with 4.0 (that has not had previous versions), the menu prompts you to select the disk image to use. Continue with Step 4.

For software versions prior to 4.0, the menu displays root and kernel parameters. Skip to Step 6.

4. Press V or ^ to select the disk image to boot.

5. Press E.

Another GRUB menu appears, with options similar to these:

------------------
0: root (hd0,1)
1: kernel /vmlinuz ro root=/dev/sda5 console=tty0 console=ttyS0,9600n8
-----------------

6. Press V or ^ to select the kernel boot parameters entry.

7. Press E to edit the kernel boot parameters.

You should be given a partially filled in line of text.

8. Append " single fastboot" at the end of this line. Note the space before 'single'; it is very important. (And do not enter the quotes.)

9. The line of text will contain TWO "console=" entries. Delete the one containing "tty0" (unless you are using a keyboard/monitor on the Steelhead, in which case delete the one containing "ttyS0").

TIP: Use the arrow keys to access the entire command line.

10. Press Enter.

11. Press the B key to continue booting.

The system starts.

12. Once at the command prompt, type "/sbin/resetpw.sh" and press Enter.

The password will be blank.

13. Type "reboot" and press Enter to reboot the appliance.

Sunday, July 10, 2011

My Note (BGP)

The BGP synchronisation rule:
R1(AS-100)-------R2(AS-200)----------R3(AS-200)-------R4(AS-300)
R3 is also connected to R10 (AS-200).

R1's Lo0 is 1.1.1.1/24, and this is advertised with the BGP network command.
Since R1 and R2 are eBGP neighbors, R1 will send this route to R2.
R2 receives this route and puts it in its BGP table (sh ip bgp) as well as its routing table (sh ip route).
R2 & R3 are iBGP peers.
R3 has synchronisation ON.
Now R2 sends the route (1.1.1.0/24) to R3.
R3 will not use the route, i.e. R3 will keep 1.1.1.0/24 in its BGP table BUT will not mark it '>' (best path), which means that 1.1.1.0/24 will not be installed in the routing table of R3.

So now to the definition of SYNCHRONISATION:
A route learnt via an iBGP peer will not be forwarded to an eBGP peer and NOT put into the routing table (i.e. the route will not be used) until and unless the same route has been learnt via an IGP (e.g. OSPF, RIP etc.).
This is when synchronisation is ON.

If Synchronisation is OFF i.e
R3 #router bgp 200
no sync

Then R3 will put 1.1.1.0/24 in its BGP table marked '>' (best path), which means this route will also go into the routing table.
SPLIT-HORIZON rule in IGP and BGP

In BGP the split horizon rule is different.
It means routes learnt via an iBGP peer will not be sent to another iBGP peer.
eg
R1(As-100)------------R2(AS-100)-------------R3(As-100)
R1 - R2 --------> iBGP
R2 - R3 ---------->iBGP

Routes which R2 learns from R1 will not be sent to R3. It is R1's job to send routes to R3.
This is how split horizon in BGP works.

In IGPs (RIP, EIGRP; OSPF doesn't support split horizon) the definition is: 'What routes I receive on interface1, I will not send back out interface1, but I can send them out any other interface.'
-----------------------------------------------------------------------
ebgp-multihop: In eBGP, neighbor relationships are only formed between directly connected networks. We need the ebgp-multihop keyword on the neighbor statement so that neighbors which are not directly connected can form a relationship with each other. We specify a number with the ebgp-multihop keyword, between 1 and 255; this number represents how many hops away the router is.

The disable-connected-check command is used when you want to establish peering between directly connected routers using the loopback interface (using the loopback as the BGP source is configured with neighbor update-source).

update-source: We need to specify the interface which will be used to source updates to the neighbor in case the routers are not directly connected. Without update-source we will not be able to form the BGP neighbor relationship; the update-source keyword sets the interface that will be used to form the neighbor relationship.

next-hop-self: When a route crosses an eBGP session, the next hop changes to the eBGP peer. iBGP routers that are only connected to other iBGP routers in the same AS will not be able to reach routers outside the AS if they are not directly connected to them. We need the next-hop-self keyword on the iBGP router that is directly connected to the eBGP neighbor so that the other routers in the same AS (iBGP) can use the routes learnt from the eBGP routers.
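The three neighbor options above put together on R2 from the earlier topology (R1 in AS 100, R2 and R3 in AS 200), as an added example that is not from the note. Loopback addresses, the hop count and the assumption that an IGP or static route already provides reachability to the peer loopbacks are mine.

```cisco
! R2 (AS 200): eBGP to R1 (AS 100) and iBGP to R3 (AS 200), both on loopbacks
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
router bgp 200
 no synchronization
 !
 ! eBGP peer R1 via its loopback 10.0.0.1 (assumed): the loopback is one
 ! router away, so allow 2 hops and source the session from our loopback
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 ebgp-multihop 2
 neighbor 10.0.0.1 update-source Loopback0
 ! If R1 were directly connected and we still peered on loopbacks, the
 ! alternative to ebgp-multihop would be:
 ! neighbor 10.0.0.1 disable-connected-check
 !
 ! iBGP peer R3 via its loopback 10.0.0.3 (assumed). next-hop-self rewrites
 ! the next hop of routes learnt from R1 to 10.0.0.2, which R3 can reach
 ! through the IGP, instead of R1's address that R3 has no route to
 neighbor 10.0.0.3 remote-as 200
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.3 next-hop-self
```

`show ip bgp neighbors 10.0.0.1 | include BGP state|multihop` confirms the session source and hop limit, and on R3 `show ip bgp 1.1.1.0` should now show a next hop of 10.0.0.2 rather than R1's address.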


-----------------------------------------------------------------------

Influencing Route Selection

BGP uses different attributes to implement these policies in the route selection process between different autonomous systems. These are the main attributes that BGP uses in the route selection process:

  • Weight
  • Local preference
  • Multi-exit Discriminator or MED
  • Origin
  • AS_Path
  • Next Hop
  • Community

Weight
Higher weights are preferred. Weight is basically a Cisco-proprietary attribute; the default value is 32768 for locally originated networks and 0 for all other networks.
Local Preference
A higher local preference value is preferred over a lower one.
Default local preference is 100.
MED
A lower MED value is preferred over a higher metric value. Default value is 0.
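The three attributes above in use, as an added example that is not from the note: weight to prefer one neighbor on this router only, local preference to make the whole AS prefer one exit, and MED to tell a neighboring AS which of two links into us it should prefer. Neighbor addresses, AS numbers and the values 200 and 50 are assumed.

```cisco
router bgp 200
 ! Weight is local to this router and never advertised: paths from
 ! 10.1.1.1 win over any other path to the same prefix here
 neighbor 10.1.1.1 remote-as 100
 neighbor 10.1.1.1 weight 200
 !
 ! Local preference is carried to all iBGP peers, so every router in
 ! AS 200 prefers the exit through 10.2.2.1 (200 beats the default 100)
 neighbor 10.2.2.1 remote-as 300
 neighbor 10.2.2.1 route-map SET_LP in
 !
 ! MED is sent to the eBGP neighbor: AS 300 sees metric 50 on this link
 ! and 0 on the other, so it prefers the other link to reach us
 neighbor 10.3.3.1 remote-as 300
 neighbor 10.3.3.1 route-map SET_MED out
!
route-map SET_LP permit 10
 set local-preference 200
!
route-map SET_MED permit 10
 set metric 50
```

In `show ip bgp` the three values appear in the Weight, LocPrf and Metric columns; remember that MED is only a suggestion to the neighbor AS, which may ignore it, whereas weight and local preference are decisions you control.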
-----------------------------------------------------------------------
BGP Link Bandwidth (dmzlink-bw command)
The BGP link bandwidth feature is used to advertise the bandwidth of an AS exit link as an extended community.
This feature is configured for links between directly connected eBGP neighbors.
The link bandwidth extended community attribute is propagated to iBGP peers when extended community exchange is enabled.
This feature is used with the multipath feature to configure load balancing over links with unequal bandwidth.
-----------------------------------------------------------------------
bgp deterministic-med command ensures the comparison of the MED variable when choosing routes advertised by different peers in the same autonomous system.
bgp always-compare-med command ensures the comparison of the MED for paths from neighbors in different autonomous systems.
The bgp always-compare-med command is useful when multiple service providers or enterprises agree on a uniform policy for setting MED. Thus, for network X, if Internet Service Provider A (ISP A) sets the MED to 10, and ISP B sets the MED to 20, both ISPs agree that ISP A has the better performing path to X.
-----------------------------------------------------------------------
BGP Backdoor

BGP Backdoor option is assigned to the network that is ADVERTISED to you, therefore, you should reference the network that is advertised to you and NOT the network that your local router is advertising.
# network 150.1.1.0 mask 255.255.255.0           <-- local router is advertising
# network 150.1.2.0 mask 255.255.255.0 backdoor  <-- neighbor router advertised to you
-----------------------------------------------------------------------
BGP Conditional Advertisement 

To implement conditional advertisement of selected prefixes, the following must be used:
- Advertise-map
- Non-exist-map
- Exist-map
# neighbor 10.1.13.3 advertise-map ADV non-exist-map NOT_THERE
-----------------------------------------------------------------------
BGP well known Communities
- Internet - If assigned to a network, that network should be advertised.
- Local-as - If assigned to a network, that network should ONLY be advertised within that AS. Even though it may look like it is doing the same thing as the "No-export" community, they are different: "local-as" works within a confederation, whereas "No-export" does NOT, and the policy will leak into the other sub-ASes within the confederation.
- No-advertise - If assigned to a network, that network should NOT be advertised to ANY BGP neighbor.
- No-export - If assigned to a network, that network should NOT be advertised to an eBGP neighbor.
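Tagging a prefix with one of these communities on the way out, as an added example that is not from the note: the prefix, neighbor addresses, AS numbers and route-map names are assumed. The community only has an effect if the neighbor is configured to receive it, which is the point of the send-community lines.

```cisco
router bgp 200
 ! Prefix we originate (assumed)
 network 192.0.2.0 mask 255.255.255.0
 !
 ! Upstream in AS 100: communities are NOT sent by default on IOS,
 ! so send-community is required for the tag to leave this router
 neighbor 10.1.1.1 remote-as 100
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map TAG_NO_EXPORT out
 !
 ! iBGP peer: also pass communities on so the rest of AS 200 sees them
 neighbor 10.0.0.3 remote-as 200
 neighbor 10.0.0.3 send-community
!
ip prefix-list CUSTOMER_ONLY seq 5 permit 192.0.2.0/24
!
! Sequence 10: tag 192.0.2.0/24 no-export, so AS 100 may use it but must
! not advertise it to its own eBGP neighbors (e.g. a backup-link prefix)
route-map TAG_NO_EXPORT permit 10
 match ip address prefix-list CUSTOMER_ONLY
 set community no-export
! Sequence 20: everything else is sent untagged
route-map TAG_NO_EXPORT permit 20
```

On the receiving side `show ip bgp community no-export` lists the prefixes that arrived with the tag; `ip bgp-community new-format` makes the community column readable as AS:value rather than a single decimal number.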
----------------------------------------------------------------------- 
BGP bestpath med missing-as-worst 
Paths received with no MED are assigned a MED of 0, unless you have enabled bgp bestpath med missing-as-worst .
If you have enabled bgp bestpath med missing-as-worst, the paths are assigned a MED of 4,294,967,294.

----------------------------------------------------------------------- 
BGP always-compare-med 
By default MED is only compared between paths received from the same neighboring AS; this command changes that behavior by enforcing MED comparison between all paths, regardless of the AS from which the paths are received.
bgp bestpath as-path ignore is also needed as part of the solution.

Note: bgp bestpath as-path ignore command is a hidden one.
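The MED-related knobs from the deterministic-med, missing-as-worst and always-compare-med notes above, collected into one router configuration as an added example (not from the note); the AS number is assumed, and the comment on each line states what the note says the command changes.

```cisco
router bgp 200
 ! Group paths by neighboring AS and compare MED within each group, so the
 ! result no longer depends on the order in which the paths were received
 bgp deterministic-med
 !
 ! Compare MED across paths from different ASes too (only sensible when
 ! the neighboring ISPs have agreed on a common MED policy)
 bgp always-compare-med
 !
 ! A path with no MED counts as 4294967294 (worst) instead of 0 (best),
 ! so a neighbor that omits MED cannot win the comparison by accident
 bgp bestpath med missing-as-worst
 !
 ! Hidden command from the note: skip the AS-path length step so that the
 ! MED comparison between the ISPs actually decides the best path
 bgp bestpath as-path ignore
```

Because these commands change best-path selection for every prefix, apply them during a maintenance window and compare `show ip bgp` before and after; `bgp bestpath as-path ignore` in particular can pull traffic onto much longer paths whenever the MED happens to be lower.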

----------------------------------------------------------------------- 
BGP as-path access-list 
To filter prefixes using an "as-path access-list", it should be used with the "filter-list" router command.

----------------------------------------------------------------------- 
BGP Regular Expressions 

+------------------------------------------------------+
| CHAR | USAGE                                         |
+------------------------------------------------------|
|  ^   | Start of string                               |
|------|-----------------------------------------------|
|  $   | End of string                                 |
|------|-----------------------------------------------|
|  []  | Range of characters                           |
|------|-----------------------------------------------|
|  -   | Used to specify range ( i.e. [0-9] )          |
|------|-----------------------------------------------|
|  ( ) | Logical grouping                              |
|------|-----------------------------------------------|
|  .   | Any single character                          |
|------|-----------------------------------------------|
|  *   | Zero or more instances                        |
|------|-----------------------------------------------|
|  +   | One or more instance                          |
|------|-----------------------------------------------|
|  ?   | Zero or one instance                          |
|------|-----------------------------------------------|
|  _   | Comma, open or close brace, open or close     |
|      | parentheses, start or end of string, or space |
+------------------------------------------------------+

+-------------+---------------------------+
| Expression  | Meaning                   |
|-------------+---------------------------|
| .*          | Anything                  |
|-------------+---------------------------|
| ^$          | Locally originated routes |
|-------------+---------------------------|
| ^100_       | Learned from AS 100       |
|-------------+---------------------------|
| _100$       | Originated in AS 100      |
|-------------+---------------------------|
| _100_       | Any instance of AS 100    |
|-------------+---------------------------|
| ^[0-9]+$    | Directly connected ASes   |
+-------------+---------------------------+
Ref link : http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ 

E.g. Configure R2 such that it allows AS-Path prepends from AS 100 ONLY if they have
prepended their own AS number and NOT another AS number.
Configure R1 in AS 100 to ONLY allow prefixes from its existing and future directly
connected ASes; these ASes should be allowed to prepend.
 
# ip as-path access-list 1 permit ^([0-9]+)(_\1)*$ 
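The two tasks above carried through to a working filter on each router, as an added example that is not from the note. The R1 list is the regular expression given above; the R2 list `^100(_100)*$` is my reading of the R2 task (only AS 100, optionally prepended with itself) and is an assumption, as are the neighbor addresses.

```cisco
! --- R1 (AS 100) ---
! Accept a path only if it consists of a single AS number, optionally
! repeated: \1 refers back to the AS captured by ([0-9]+), so 200, 200_200,
! 200_200_200 match but 200_300 does not. Future direct peers need no change.
ip as-path access-list 1 permit ^([0-9]+)(_\1)*$
!
router bgp 100
 neighbor 10.1.12.2 remote-as 200
 neighbor 10.1.12.2 filter-list 1 in
!
! --- R2 (AS 200) ---
! Accept from AS 100 only paths that are 100 alone or 100 prepended with
! 100 (assumed regex): 100 and 100_100 match, 100_300 and 100_100_300 do not
ip as-path access-list 1 permit ^100(_100)*$
!
router bgp 200
 neighbor 10.1.12.1 remote-as 100
 neighbor 10.1.12.1 filter-list 1 in
```

Before applying a filter-list, `show ip bgp regexp ^100(_100)*$` shows exactly which of the currently received paths the expression selects, which is the quickest way to catch an over- or under-matching regex; `show ip bgp neighbors 10.1.12.1 received-routes` (with soft-reconfiguration inbound) shows what the filter has discarded.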
----------------------------------------------------------------------- 
BGP REGEX DETERMINISTIC  

"bgp regex deterministic" disables the recursive algorithm when processing regular expressions.
----------------------------------------------------------------------- 
BGP CONFEDERATION

The "bgp confederation identifier" command is used to configure a single AS number to identify a group of smaller ASes (sub-ASes) as a single confederation. This command MUST be configured on all the routers within the confederation.

The "bgp confederation peers" command is used to identify the DIRECTLY CONNECTED eBGP sub-confederation peers.
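Both confederation commands on one router, as an added example that is not from the note: sub-AS numbers, the confederation identifier and neighbor addresses are assumed.

```cisco
! Router in sub-AS 65001, which together with sub-AS 65002 forms
! confederation AS 200 as seen from the outside
router bgp 65001
 bgp confederation identifier 200
 ! Directly connected sub-AS peers: sessions to these AS numbers are
 ! treated as confederation-internal (local-preference and next hop kept)
 bgp confederation peers 65002
 !
 ! Plain iBGP neighbor inside our own sub-AS
 neighbor 10.0.0.2 remote-as 65001
 !
 ! Confederation eBGP neighbor in the other sub-AS (listed above)
 neighbor 10.1.1.2 remote-as 65002
 !
 ! Real eBGP neighbor outside the confederation: it sees only AS 200 in
 ! the AS path, never 65001 or 65002
 neighbor 10.2.2.2 remote-as 300
```

`show ip bgp summary` on this router reports the local AS as 65001 with the confederation identifier 200; on the external neighbor in AS 300, `show ip bgp` paths learnt from here should show AS 200 only, which is the check that the identifier is configured consistently on every router in the confederation.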