When examining inbound traffic at your Internet edge, there are quite a few source networks that should be automatically discarded. RFC 3330 (Special-Use IPv4 Addresses) specifies many of these.
Local Networks
In most sane networks, you should never see inbound traffic from your own address space. Thus, if you have 12.3.45.0/24 as your public address space, your inbound ACL should block traffic appearing to be sourced from this network.
RFC 1918
10.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16
An easy way to remember the CIDR value for these (found on GroupStudy): each is 4 greater than the last.
Local-only Networks
0.0.0.0 /8
127.0.0.0 /8 – note: not just 127.0.0.1!
169.254.0.0 /16
These are (respectively) the “this network” range, the localhost address space, and the Microsoft AutoNet network (also called APIPA, for Automated Private IP Addressing).
Reserved Networks
192.0.2.0 /24 – TEST-NET, e.g. example.com
198.18.0.0 /15 – Benchmark networks
240.0.0.0 /4 – Class E
Multicast
224.0.0.0 /4
The multicast address space will never appear as a source address in legitimate traffic. A multicast IP is always a destination.
Unassigned Address Space
Many experts recommend filtering all unallocated address space (networks that have not been assigned to users or ISPs by the various numbering authorities, such as ARIN or APNIC). This requires diligence on the part of network administrators to track new address allocations and keep ACLs up-to-date, to avoid blackholing legitimate traffic from newly-assigned networks. For more information, see the Bogon Reference at Cymru.
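As an added illustration (not code from the original post), the following Python builds the deny list from the ranges above plus a site's own public prefix, classifies sample source addresses against it, and renders the result as IOS-style ACL lines. The site prefix 12.3.45.0/24 is the post's own example; the ACL name EDGE_IN and the test addresses are constructed for this snippet.

```python
import ipaddress

# Special-use ranges listed above (RFC 1918, RFC 3330 local-only and reserved
# space, multicast and Class E). None of these should appear as a source
# address on inbound traffic at the Internet edge.
BOGON_PREFIXES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",        # local-only
    "192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4",       # reserved
    "224.0.0.0/4",                                        # multicast
]


def build_deny_list(local_prefixes):
    """Return all networks to discard: the site's own public space first
    (the post's 'Local Networks' rule), then the fixed bogon ranges."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    nets += [ipaddress.ip_network(p) for p in BOGON_PREFIXES]
    return nets


def classify_source(src_ip, deny_list):
    """Return the matching deny prefix as a string, or None when the
    source address is not in any filtered range."""
    addr = ipaddress.ip_address(src_ip)
    for net in deny_list:
        if addr in net:
            return str(net)
    return None


def to_ios_acl(name, deny_list):
    """Render the deny list as an extended IOS ACL body: one 'deny ip' per
    prefix in wildcard-mask form, followed by 'permit ip any any'."""
    lines = [f"ip access-list extended {name}"]
    for net in deny_list:
        # hostmask is the inverted netmask, i.e. the IOS wildcard mask
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    deny = build_deny_list(["12.3.45.0/24"])  # constructed site prefix
    for ip in ["12.3.45.7", "10.9.8.7", "224.0.0.9", "8.8.8.8"]:
        print(ip, "->", classify_source(ip, deny) or "permit")
    print(to_ios_acl("EDGE_IN", deny))
```

The ACL is deliberately ordered with the site's own prefix first so that spoofed traffic claiming to come from inside is dropped before any other comparison.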
Posted in CCIE Security.
By blanders
– January 24, 2009
A very simple example for when you want to very quickly get a network (for example, a branch office) online behind a DSL line or similar. This PATs all private network traffic behind the outside interface’s public IP.
interface FastEthernet0/0
description TO_ISP
ip nat outside
!
interface FastEthernet0/1
description TO_LAN
ip nat inside
!
ip access-list standard NAT_SOURCE
permit 10.1.1.0 0.0.0.255
!
ip nat inside source list NAT_SOURCE interface FastEthernet0/0 overload
Posted in CCIE Security.
Tagged with IOS, NAT, PAT, Security.
By blanders
– January 21, 2009

A more detailed post to come…
Posted in CCIE.
By blanders
– January 8, 2009
Getting down to the wire for my lab attempt (22 days to go!). I’ve been horrible about blogging my progress, but I’m going to try to be more consistent in the home stretch. Overall I think I’m in good shape, but I really need to focus over the next 3 weeks to be completely ready.
Plans for this week:
- IE just released their first v.5 full labs (lab 1 and lab 10). I’ll probably skip Lab 1, since it’s only a level 5 and I’ve already watched the live Lab Meetup, but I’ll definitely be hitting lab 10 since it’s an 8.
- I have IE rack rentals Tue-Thu. My goal is to hit two full IE labs (v.5 lab 10 and probably v.4 lab 7)
- IPexpert rack rentals Fri, Sat, Sun, Mon. I want to get some solid lab hours in before the Christmas break. Haven’t picked a set of labs yet, but at least book 3, labs 9 and 10.
- I may try to pay for another IE mock lab during my current Christmas break. My lab 4 attempt went pretty well (77, with a couple of sections I disagreed with the proctor on).
- Reading:
  - Finish the QoS self-study book
  - Start the Cisco Press multicast and IPv6 books
  - IE workbook 1 v.5 solution guides. These are terrific for individual technology focus.
Posted in CCIE.
By blanders
– December 15, 2008
Switching
- beware of pruning issues when some switches are transparent and some aren’t. If not otherwise specified, make all switches transparent if one is.
IP Telephony
- ‘macro apply cisco-phone $access_vlan 5 $voice_vlan 4’ sets most things properly
- To change the CoS applied to traffic coming from the PC connected to a phone: ‘switchport priority extend cos 1’
- Don’t forget to enable ‘mls qos’ globally or nothing will work
PPP
- as a general rule, use ‘no peer neighbor-route’ on all PPP interfaces to avoid random /32 routes showing up in IGPs and redistributions. They’re only needed if you have different subnets at each end of the link.
IGPs — RIP
- use the ‘distribute-list gateway’ option along with a prefix-list to specify the routers from which we will accept routes.
- don’t forget the ‘prefix’ option (e.g. ‘distribute-list prefix FOO’, not ‘distribute-list FOO’) when filtering routing updates
- remember, though, that a ‘distribute-list’ doesn’t have to use a prefix-list. It also works just fine with a regular ACL (useful for permit any or deny any).
Posted in CCIE.
By blanders
– December 7, 2008
What I’ve been up to:
- IPExpert’s one week R&S bootcamp in San Jose
- IPExpert’s one week mock lab workshop in San Jose
- InternetworkExpert’s “Open Lecture” multicast troubleshooting (in progress)
- InternetworkExpert’s 5-day lab bootcamp CoD (in progress)
- InternetworkExpert’s Adv. Technology CoD on redistribution (in progress)
- Working through IEWB3 to get better at core technology, especially redistribution
Posted in Uncategorized.
By blanders
– November 26, 2008
Sources:
- IPexpert BLS class-on-demand
- IPexpert v.10 Workbook 2
- InternetworkExpert ATS CoD v4.5
Notes — PPP General:
- By default, PPP will inject a directly-connected /32 route for the remote end into each device’s routing table. It can safely be disabled as long as both ends of the link are on the same logical IP subnet (it is needed when one side or both sides use ‘ip unnumbered’). To disable, use the ‘no peer neighbor-route’ interface-level command.
- The ‘ppp quality’ interface-level command enables Link Quality Monitoring (LQM), which will bring down the interface if the ratio of bytes received to bytes transmitted over the link falls below a given percentage.
- The ‘ppp reliable-link’ command enables LAPB numbered mode to negotiate a reliable link.
Notes — PPP Multilink:
- The ‘ppp multilink links minimum’ interface option (under the Multilink interface) specifies how many physical circuits must be up before the bundle comes up. The ‘mandatory’ option brings the bundle down if the number of active links falls below the minimum.
Notes — PPP Authentication:
- The ‘ppp authentication <protocol>’ command is only required on the side of the link that is issuing the challenge (the “server” side). This may also be referred to as the side that’s “doing authentication” or that is “authenticating <OtherRouter>”.
- CHAP (and EAP) will use the hostname of the router as the username by default. PAP requires the username to be explicitly specified with the ‘ppp pap sent-username’ command. If you need to use a different username, you can specify it using the ‘ppp chap hostname’ or ‘ppp eap identity’ commands.
- For CHAP, if you don’t want to specify the global username/password combo on the client (or you don’t know the server’s hostname), you can specify just the password to be sent in response to any remote authentication challenge with the ‘ppp chap password’ command at the interface level.
- If you want to use the same username in both directions with CHAP, use the ‘no ppp chap ignoreus’ interface-level command, since by default CHAP will refuse to authenticate with “ourself” if the hostname matches.
- EAP is an additional “secure” protocol distinct from CHAP. MS-CHAP and MS-CHAPv2 probably aren’t “different enough” from CHAP to satisfy a lab requirement of two different secure protocols.
- You must specify ‘ppp eap local’ for EAP to work unless you have a RADIUS server available.
- EAP doesn’t use the shared password from the ‘username’ statement when responding to a challenge. You need to specify the password using ‘ppp eap password <pass>’.
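To make the CHAP notes concrete, here is an added Python model of the exchange (not IOS code and not from the original post): the authenticator sends a challenge carrying its name, the peer picks a secret by that name (or falls back to its ‘ppp chap password’ value), computes the RFC 1994 response value MD5(id || secret || challenge), and the authenticator verifies it with the secret stored for the peer's name. The PppPeer class, its attribute names, the router names and the passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import os


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 CHAP: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PppPeer:
    """Hypothetical model of one router's CHAP-relevant configuration (not IOS code):
      hostname        - router hostname, the default CHAP name
      usernames       - the 'username <name> password <pass>' table
      chap_password   - 'ppp chap password' fallback for unknown challengers
      ignore_ourself  - True by default; 'no ppp chap ignoreus' sets it False
      chap_hostname   - 'ppp chap hostname' override of the name we send
    """

    def __init__(self, hostname, usernames, chap_password=None,
                 ignore_ourself=True, chap_hostname=None):
        self.usernames = usernames
        self.chap_password = chap_password
        self.ignore_ourself = ignore_ourself
        self.chap_name = chap_hostname or hostname

    def build_challenge(self, identifier):
        # Authenticator ('ppp authentication chap' side): random value plus our name
        return {"id": identifier, "value": os.urandom(16), "name": self.chap_name}

    def answer_challenge(self, challenge):
        # Peer side: look the secret up by the challenger's name; if that name is
        # unknown fall back to 'ppp chap password'. Returns None when we cannot
        # (or refuse to) answer.
        if self.ignore_ourself and challenge["name"] == self.chap_name:
            return None                      # default 'ppp chap ignoreus' behaviour
        secret = self.usernames.get(challenge["name"], self.chap_password)
        if secret is None:
            return None                      # no password known for this challenger
        value = chap_response_value(challenge["id"], secret.encode(), challenge["value"])
        return {"id": challenge["id"], "value": value, "name": self.chap_name}

    def verify_response(self, challenge, response):
        # Authenticator: recompute with the secret stored for the peer's name and
        # compare in constant time
        secret = self.usernames.get(response["name"])
        if secret is None or response["id"] != challenge["id"]:
            return False
        expected = chap_response_value(challenge["id"], secret.encode(), challenge["value"])
        return hmac.compare_digest(expected, response["value"])


def run_chap(authenticator, peer, identifier=1):
    """One-way CHAP: authenticator challenges, peer answers, authenticator verifies.
    Returns 'success', 'failure' (authenticator rejected the response) or
    'no-response' (peer could not or would not answer)."""
    challenge = authenticator.build_challenge(identifier)
    response = peer.answer_challenge(challenge)
    if response is None:
        return "no-response"
    return "success" if authenticator.verify_response(challenge, response) else "failure"


if __name__ == "__main__":
    r1 = PppPeer("R1", {"R2": "cisco"})      # constructed router names and secrets
    r2 = PppPeer("R2", {"R1": "cisco"})
    print("R1 authenticating R2:", run_chap(r1, r2))
```

Because the peer chooses its secret by the name in the challenge, a router that does not know the server's hostname can only answer via the ‘ppp chap password’ fallback, and two routers sharing a hostname will not answer each other unless ‘no ppp chap ignoreus’ is configured.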
Posted in CCIE.
Tagged with authentication, CCIE, CHAP, EAP, multilink, PAP, PPP.
By blanders
– November 15, 2008
I’m in San Jose, CA for IPExpert’s two-week End-to-End route/switch bootcamp. I was very lucky to win this training at Cisco Networkers this year and am definitely looking forward to it. The flight out was a bit annoying (flew Airtran instead of Delta and you could really notice the little differences). Just got back from dinner at Chipotle’s and am planning to take an early night and hopefully get my internal clock synced up.
Posted in CCIE.
By blanders
– November 9, 2008
Timers
- Hello and hold (dead) interval timers are set on a per-interface basis with ‘ip hello-interval eigrp <AS> <seconds>’ and ‘ip hold-time eigrp <AS> <seconds>’
- The stuck-in-active (SIA) timer is configured with the router-level command ‘timers active-time <seconds|disabled>’
Metrics
Bandwidth Used for EIGRP
- EIGRP uses 50% of the interface bandwidth by default
- Can be changed using the interface-level command ‘ip bandwidth-percent eigrp <AS> <percent>’
Stubs
- A stub can be configured to only receive (not send) routes using the router-level command ‘eigrp stub receive-only’
Logging
- ‘no eigrp log-neighbor-changes’ turns off logging of neighbor up/down events
- ‘eigrp log-neighbor-warnings <interval>’ will log updates that are received from an IP not in the subnet of the receiving interface.
Summary Addresses
- The ‘leak-map’ option to ‘ip summary-address eigrp’ references a route-map that defines which component routes of a summary supernet are also injected alongside the summary. It is only available on physical and Virtual-Template interfaces (not on subinterfaces).
Load Balancing
- For unequal-cost load balancing, the AD of the worst route must be less than the FD
- Take the AD of the worst route and divide by the AD of the best route (rounding up) to get the variance.
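An added worked example in Python (not from the original post) of the feasibility condition and variance calculation above, using a constructed set of paths to one destination. It applies the check as the note states it (each alternate path's advertised distance must be below the successor's FD), then divides the worst feasible path's total metric through that neighbor by the best metric, rounding up, to get the variance; the total metric through the path, rather than the reported distance, is what gets compared against variance × best metric. The router names and metric values are made up.

```python
import math

# Constructed sample: paths to one destination as seen on a router, keyed by
# next-hop. 'ad' is the neighbor's advertised (reported) distance, 'fd' the
# total metric through that neighbor. Values are invented for the example.
SAMPLE_PATHS = {
    "R2": {"ad": 28160, "fd": 30720},   # successor (lowest total metric)
    "R3": {"ad": 28160, "fd": 46080},   # feasible successor with a worse metric
    "R4": {"ad": 35000, "fd": 40000},   # fails the feasibility condition
}


def successor(paths):
    """The next-hop with the lowest total metric (its 'fd' is the route's FD)."""
    return min(paths, key=lambda n: paths[n]["fd"])


def feasible(paths):
    """Feasibility condition: a path is usable only if its advertised distance
    is strictly less than the successor's feasible distance (loop-freedom)."""
    best_fd = paths[successor(paths)]["fd"]
    return {n: p for n, p in paths.items() if p["ad"] < best_fd}


def required_variance(paths):
    """Smallest integer variance that brings every feasible path into use:
    worst feasible total metric divided by the best metric, rounded up."""
    best_fd = paths[successor(paths)]["fd"]
    worst_fd = max(p["fd"] for p in feasible(paths).values())
    return math.ceil(worst_fd / best_fd)


def paths_in_use(paths, variance):
    """Paths installed for unequal-cost load balancing at a given variance:
    feasible, and total metric <= variance * best metric."""
    best_fd = paths[successor(paths)]["fd"]
    return sorted(n for n, p in feasible(paths).items()
                  if p["fd"] <= variance * best_fd)


if __name__ == "__main__":
    print("successor:", successor(SAMPLE_PATHS))
    print("feasible:", sorted(feasible(SAMPLE_PATHS)))
    v = required_variance(SAMPLE_PATHS)
    print("variance needed:", v, "->", paths_in_use(SAMPLE_PATHS, v))
```

Note that raising the variance never brings R4 into use: no variance value can override the feasibility condition, which is what keeps the alternate path loop-free.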
Authentication
- same as RIP, but configured on a per-interface and per-AS basis: ‘ip authentication mode eigrp 300 md5’
Posted in CCIE.
Tagged with CCIE, EIGRP, routing.
By blanders
– September 13, 2008
General Notes
- ‘passive-interface default’ is recommended, due to the network statement being classful
- don’t forget to consider switch-based solutions like vlan access-maps and port access-lists (blocking udp/520) to prevent updates from propagating between routers if the task restricts your configuration options on the routers themselves.
- CCIE Links page updated with RIPv2 links
Timers
- default basic timers are 30/120/120/240 (update, invalid, hold down, flush)
- periodic updates can be delayed after a triggered update with the sleep parameter at the end of the ‘timers basic’ router command.
- the “hold down” timer is Cisco-proprietary. Set it to 0 if you need to retain full compatibility with RFC 2453.
Distribute Lists
- ‘distribute-list’ uses separate ip prefix-lists for defining the gateway and the routes
Default Originate
- the ‘route-map’ option to ‘default-information originate’ causes the 0/0 route to only be injected into RIP if the route-map is satisfied (e.g. if a route exists)
Multicast / Broadcast / Unicast
- RIPv2 defaults to sending updates via multicast (224.0.0.9)
- The ‘passive-interface’ and ‘neighbor’ router commands change it to unicast
- The ‘ip rip v2-broadcast’ interface command changes it to broadcast
- A very tricky way to force unicast updates without using the neighbor command:
  ip nat outside udp X.X.X.X 520 224.0.0.9 520
  int se0/0/0
  ip nat outside
  This converts the inbound multicast updates to unicast, which will create a NAT table entry and translate all outbound RIP updates to unicast as well (NAT is bidirectional).
Authentication
- IOS 12.4 supposedly requires a valid ‘send-lifetime’ configured for a key before it will work.
- RIP will always use the first valid key when sending updates out an interface.
Route Filtering
- The three methods to kill a route:
  - ‘distribute-list’ with an ACL
  - ‘offset-list’ pushing the metric beyond 16
  - ‘distance’ command setting the AD to 255
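An added Python example (not from the original post) that builds and parses a RIPv2 response as it appears on the wire, tying several of the notes together: the udp/520 port and 224.0.0.9 group, the authentication entry (address family 0xFFFF) that a configured key produces, and metric 16 as the unreachable value that an offset-list pushes a route to. The sample update, its prefixes and its password are constructed for the example; an MD5 authentication entry is only identified, not verified.

```python
import ipaddress
import struct

RIP_UDP_PORT = 520             # RIP runs over udp/520 (the port the post blocks on switches)
RIPV2_MULTICAST = "224.0.0.9"  # default RIPv2 update destination
RIP_INFINITY = 16              # metric 16 means unreachable

ENTRY_FMT = "!HH4s4s4sI"       # AFI, route tag, address, mask, next hop, metric
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 20 bytes per RIPv2 entry


def build_route_entry(prefix, metric, tag=0, next_hop="0.0.0.0"):
    """Encode one RIPv2 route entry (AFI 2 = IP)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack(ENTRY_FMT, 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_simple_auth_entry(password):
    """Encode a simple-password authentication entry: AFI 0xFFFF, type 2,
    password padded to 16 bytes (constructed sample key, not a real one)."""
    return struct.pack("!HH16s", 0xFFFF, 2, password.encode().ljust(16, b"\x00"))


def build_response(entries):
    """RIP header: command 2 (response), version 2, two zero bytes."""
    return struct.pack("!BBH", 2, 2, 0) + b"".join(entries)


def parse_rip_packet(packet):
    """Parse a RIP packet into its header, optional auth entry and routes.
    Routes whose metric reaches 16 are flagged unreachable (poisoned)."""
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet length")
    command, version, _ = struct.unpack("!BBH", packet[:4])
    result = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(4, len(packet), ENTRY_LEN):
        entry = packet[off:off + ENTRY_LEN]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == 0xFFFF:                                  # authentication entry
            auth_type = struct.unpack("!H", entry[2:4])[0]
            if auth_type == 2:
                result["auth"] = {"type": "simple",
                                  "password": entry[4:].rstrip(b"\x00").decode()}
            else:
                result["auth"] = {"type": "md5" if auth_type == 3 else f"unknown({auth_type})"}
            continue
        _, tag, ip, mask, nh, metric = struct.unpack(ENTRY_FMT, entry)
        prefix = ipaddress.ip_network(
            f"{ipaddress.ip_address(ip)}/{ipaddress.ip_address(mask)}", strict=False)
        result["routes"].append({
            "prefix": str(prefix),
            "tag": tag,
            "next_hop": str(ipaddress.ip_address(nh)),
            "metric": metric,
            "unreachable": metric >= RIP_INFINITY,
        })
    return result


def apply_offset(metric, offset):
    """Model of what an 'offset-list' does to a metric: add the offset,
    capped at infinity (16), at which point the route is unusable."""
    return min(metric + offset, RIP_INFINITY)


# Constructed sample update: a simple-password auth entry, one good route and
# one route advertised with metric 16.
SAMPLE_UPDATE = build_response([
    build_simple_auth_entry("cisco"),
    build_route_entry("10.1.1.0/24", 1),
    build_route_entry("10.2.2.0/24", RIP_INFINITY),
])

if __name__ == "__main__":
    parsed = parse_rip_packet(SAMPLE_UPDATE)
    print(f"to {RIPV2_MULTICAST}:{RIP_UDP_PORT} auth={parsed['auth']}")
    for r in parsed["routes"]:
        print(r["prefix"], "metric", r["metric"], "(unreachable)" if r["unreachable"] else "")
```

The simple-password entry carries the key in clear text in every update, which is why it is worth seeing on the wire: anyone who can capture udp/520 on the segment reads it directly, whereas MD5 authentication only exposes a digest.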
Posted in CCIE.
Tagged with CCIE, notes, RIP, RIPv2, routing.
By blanders
– September 13, 2008