May 2012

BGP Attributes

1. BGP Data Structures 1.1 Neighbor Table The address in the bgp summary table shows the IP used in the peering, not the Router ID. 1.2 BGP Table Lists all prefixes learned from all peers. If no routes towards a destination show the “>” code, you should investigate why no …

BGP 101

1. Starting the Routing Process 1.1 Define the routing process Only one BGP process can run on a router and it can be started using: The AS Number used to be a 16-bit number ranging from 0 to 65535. According to RFC 4893, the AS number can have 32 …

DHCP 101

1. DHCP Server 1.1 DHCP Pools On a router, you have to create one or more pools of DHCP addresses available for lease. When a DHCP server receives a DHCP request, it will know what pool to use based on the IP address of the interface that received it. If the …

NTP 101

1. Software Clock Each router has a software clock that is set at initialization according to the hardware clock. The software clock can be updated manually, or automatically using NTP, SNTP or VINES Time Service. The software clock provides the time for time-based ACLs, logging and debugging messages, and other …

FHRP 101

1. HSRP HSRP provides a virtual MAC address and a virtual IP address that is shared among a group of routers in order to have an HA infrastructure for the default gateway in a subnet. 1.1 Starting HSRP 1.2 Timers Timers are usually learned from the active router. Millisecond timers …

Controlling CLI Access

1. CLI Modes User EXEC Mode, Privileged EXEC Mode, Configuration Mode. To protect access to the Privileged EXEC mode, use: 1.1 Custom Privilege Levels These commands are not compatible with the AAA mode of operation. By default, there are only 3 privilege levels: Level 0 = no rights Level 1 = …

AAA 101

1. Enabling AAA new-model AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process …

Zone Based Firewall

1. Basics A Zone Based Firewall uses the same inspection engine as CBAC, but works with security zones, not with individual interfaces. A zone groups multiple interfaces together. By default, traffic is allowed between interfaces in the same zone, but is not allowed between interfaces in different zones. You can …

More ACLs

1. Time-based ACLs Define the time range: Add the time-range to the ACL: 2. Reflexive ACLs A reflexive ACL is used to permit outgoing traffic that was originated on one side of the connection (inside) and allow the returning packets from the other side (outside), but to deny traffic that …

Cisco IOS Firewall

1. CBAC – Context Based Access Control CBAC allows examination of traffic at the Application Layer, not just Layer 3 or Layer 4 as in ACLs. It can maintain session information and create temporary openings to allow return traffic for permissible sessions. CBAC maintains a state table both for TCP …