Professional Documents
Culture Documents
• Will be available on
ftp://ftp-eng.cisco.com/pfs/seminars
• Feel free to ask questions any time
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 2
Background
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 3
Cisco ISP Essentials
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 4
IOS Software and Router
Management
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 5
Which IOS?
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 6
Which IOS?
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 7
Which IOS?
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 8
12.0 IOS release images
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 9
12.1 IOS release images
http://www.cisco.com/warp/public/620/roadmap.shtml
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 13
Cisco IOS Roadmap
http://www.cisco.com/warp/public/620/roadmap_b.shtml
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 14
Which IOS?
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 15
IOS Software Management
Flash Memory
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 16
IOS Software Management
Flash Memory
Which means:
Boot quoted image from slot0:. If it isn’t there, boot
the quoted image in slot1:. If that isn’t there, try the
first image available in flash
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 17
IOS Software Management
System Memory
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 18
IOS Software Management
When to Upgrade
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 19
(Digression)
Loopback Interface
interface loopback 0
description Loopback Interface of CORE-GW3
ip address 215.18.3.34 255.255.255.255
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 20
(Digression)
Loopback Interface
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 21
(Digression)
Loopback Interface
TCP
Wrapper
ACLs
Router
w/Loopback TFTP
TFTP
Exporting SYSLOG
SYSLOG
Information
Backbone
Backbone NOC Services
TACACS+
TACACS+
SNMP
SNMP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 23
Configuration Management
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 24
Configuration Management
TFTP
• Secure the TFTP server Source
Loopback 0
TFTP source interface
Loopback 0 on Router
Firewall/ACL
Wrapper on TFTP Server
Firewall
which only allows the or ACL
router’s loopback
address
TCP
Wrapper or
ip other tool
ip tftp
tftp source-interface
source-interface Loopback0
Loopback0 TFTP
server
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 25
FTP Client Support
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 26
FTP Client Support
Loading /cisco/ios/12.0/12.0.21S7/7200/c7200-k4p-mz.120-
21.S7.bin
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 27
Larger Configurations
• Compress Configuration
Used when configuration required is larger
than configuration memory (NVRAM) available.
service compress-config
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 28
Command Line Interface Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 29
Command Line Interface Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 30
Command Line Interface Features
• Example:
Show running configuration from the point where BGP
is configured
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 32
System Logs:
Topologies Used
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 33
Network Time Protocol
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 34
Network Time Protocol
• Set timezone
clock timezone <name> [+/-hours [mins]]
• Router as source
ntp master 1
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 35
Network Time Protocol
• Example Configuration:
clock timezone SST 8
ntp update-calendar
ntp source loopback0
ntp server <other time source>
ntp peer <other time source>
ntp peer <other time source>
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 36
Network Time Protocol
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 37
SNMP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 38
HTTP Server
• Example configuration:
ip ftp username cisco
ip ftp password 7 045802150C2E
ip ftp source-interface loopback 0
exception protocol ftp
exception dump 169.223.32.1
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 41
Cisco ISP Essentials
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 42
General Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 43
Interface Configuration
• “ip unnumbered”
no need for an IP address on point-to-point links
keeps IGP small
• “description”
customer name, circuit id, cable number, etc
on-line documentation!
• “bandwidth”
used by IGP
documentation!
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 44
Interface Configuration – Example
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 45
Interface Status Checking
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 46
More Interface Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 47
NetFlow
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 48
NetFlow – Capacity Planning
Public Routers 1 , 2, 3 Month of September Outbound Traffic
1% 1% 1% 1% 1% 1%
1% 1%1%
1% 2%
4%
32%
6%
8%
8%
20% 10%
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 49
NetFlow
• Configuration example:
interface serial 5/0
ip route-cache flow
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 50
NetFlow
• Information export:
router to collector system
ip flow-export version 5 [origin-as|peer-as]
ip flow-export destination x.x.x.x <udp-port>
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 51
NetFlow
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 53
Cisco ISP Essentials
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 54
Routing
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 55
Routing Tables Feed the
Forwarding Table
Static Routes
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 56
HSRP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 57
CIDR Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 60
Path MTU Discovery
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 61
OSPF – configuration hot tips
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 62
OSPF – Router ID
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 63
OSPF – Adding Networks
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 64
OSPF – Adding Networks
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 65
OSPF – Logging Neighbour Changes
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 66
OSPF – Cost & Reference Bandwidth
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 67
OSPF – Cost: Example Strategy
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 70
BGP – useful features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 71
BGP Synchronization
no synchronization
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 72
BGP Auto Summarisation
no auto-summary
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 73
iBGP configuration
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 74
BGP Community Format
ip bgp-community new-format
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 75
Route Refresh Capability
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 76
Dynamic Reconfiguration
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 77
Soft Reconfiguration
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 79
BGP Neighbour Shutdown
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 80
BGP Damping
Suppress limit
3000
Penalty
2000
Reuse limit
1000
0
0 1 2 3 4 5 6 7 8 9 10111213 1415 161718 19202122232425
Time
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 81
BGP Damping
bgp dampening
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 82
Deterministic MED
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 83
Deterministic MED—Operation
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 84
Next-hop-self
iBGP versus IGP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 85
Next-hop-self
“Scaling IGP”
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 86
Default Administrative Distances
Route Source Default Distance
Connected Interface 0
Static Route 1
Enhanced IGRP Summary Route 5
External BGP 20
Internal Enhanced IGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EGP 140
External Enhanced IGRP 170
Internal BGP 200
Unknown 255
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 87
BGP Distance
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 88
Private-AS Removal
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 89
local-AS
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 90
local-AS – Example
AS 100
B A
A
• Router A is in AS100 .1
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 91
local-AS – Example
AS 100
B A
A
• Router A sees the old AS300 in .1
the path 10.0.0.0/24
neighbor 10.0.0.2 local-as 300
If this is not desired, the [no-prepend]
option can be used
router bgp 100 .2
neigh 10.0.0.2 local-as 300 no-prepend
C
• routes received now appear as AS 200
though they come directly from
AS200 and not through AS300
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 92
BGP Neighbour Authentication
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 93
BGP Maximum Prefix Tracking
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 94
BGP Maximum Prefix Tracking
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 95
Limiting AS Path Length in BGP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 96
Limiting AS Path Length in BGP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 98
Reason for Last Peer Reset
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 99
BGP Peering
no bgp fast-external-fallover
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 100
BGP peer groups
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 101
Prefix Lists
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 102
Prefix-list Command
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 103
Prefix Lists – Examples
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 104
Prefix Lists in BGP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 105
Prefix-list route-map command
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 106
Prefix-List ORF
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 107
BGP Policy
Configuration and Maintenance
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 108
BGP Policy
Route-map Features
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 109
BGP Policy
Route-map Features
ip policy-list foo
match as-path 10
match ip address 100
!
route-map bar permit 10
match ip policy-list foo
set community 100:200
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 111
BGP Policy
Configuration and Maintenance
route-map continue
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 112
BGP Policy
Configuration and Maintenance
route-map continue
route-map local-policy-map
set community 10:10
!
route-map foo-out permit 10
• Provides the ability to jump match ip address 1
to a specific step within the match metric 10
current route-map or to continue 30
!
jump to the beginning of
route-map foo-out permit 20
a different route-map match ip address 2
All the ‘match’ statements are match metric 20
evaluated against the original set as-path prepend 10 10
set of attributes !
route-map foo-out permit 30
match community 10:1
set local-preference 104
continue local-policy-map
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 113
BGP Policy
Configuration and Maintenance
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 114
BGP Policy
Configuration and Maintenance
peer-templates
• Used to group common configurations
Uses peer-group-like syntax
No associated UPDATE replication assistance
• Hierarchical policy configuration mechanism
A peer-template may be used to provide policy
configurations to an individual neighbor, a
peer-group or another peer-template
The more specific user takes precedence if
policy overlaps
individual neighbor > peer-group > peer-template
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 115
BGP Policy
Configuration and Maintenance
peer-templates Example
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 118
iBGP Multipath
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 120
BGP Templates
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 121
BGP Template – iBGP peers
• Use peer-groups
• iBGP between loopbacks!
• Next-hop-self
Keep DMZ and point-to-point out of IGP
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 126
Securing the Router
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 127
ISP Security
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 128
ISP Security
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 129
Global Services You Turn OFF
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 131
Cisco Discovery Protocol
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 132
Cisco Discovery Protocol
Example
Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(5)T9, RELEASE
SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 23-Jun-01 20:13 by cmong
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 133
Login Banner
banner login ^
Authorised access only
This system is the property of Galactic Internet
Disconnect IMMEDIATELY if you are not an authorised user!
Contact noc@net.galaxy +99 876 543210 for help.
^
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 134
Exec Banner
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 135
Use Enable Secret
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 136
Turn on Nagle
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 137
ident Feature
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 138
What Ports Are Open on the Router?
7206-UUNET-SJ#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 192.190.224.195 162 204.178.123.178 2168 0 0 0 0
17 --listen-- 204.178.123.178 67 0 0 9 0
17 0.0.0.0 123 204.178.123.178 123 0 0 1 0
17 0.0.0.0 0 204.178.123.178 161 0 0 1 0
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 139
Ratelimiting connections to router
ICMP echo/echo-reply
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 140
Ratelimiting connections to router
TCP connections
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 141
Compiled Access-Lists
access-list compiled
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 142
ASIC Access-lists
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 143
Black Hole Routing
Forwarding to Null0
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 144
Black Hole Routing
Ratelimiting ICMP unreachables
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 145
VTY and Console port timeouts
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 146
VTY Security
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 147
VTY Access and SSHv1
SSHv1 Server
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 148
VTY Access and SSHv1
SSHv1 Client
ssh [-l <userid>] [-c <des|3des>] [-o num-attempts <n>] [-p <port>]
<ipaddr|hostname> [<IOS command>]
where
-l <userid> is the user to login as on the remote machine. Default is the current user
id.
-c <des|3des> specifies the cipher to use for encrypting the session. Triple des is
encrypt-decrypt-encrypt with three different keys. The default is 3des if this algorithm
is included in the image, else the default is des.
-o specifies the options which is currently one only num-attempts <n> specifies the
number of password prompts before ending the attempted session. The server also
limits the number of attempts to 5 so it is useless to set this value larger than 5.
Therefore the range is set at 1-5 and the default is 3 which is also the IOS server
default.
-p <port> Port to connect to on the remote host. Default is 22.
<ipaddr|hostname> is the remote machine ip address or hostname
<IOS command> is an IOS exec command enclosed in quotes (ie "). This will be
executed on connection and then the connection will be terminated when the
command has completed.
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 149
User Authentication – take 1
aaa new-model
aaa authentication login neteng local
username joe password 7 1104181051B1
username jim password 7 0317B21895FE
line vty 0 4
login neteng
access-class 3 in
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 150
User Authentication – take 2
aaa new-model
aaa authentication login neteng local
username joe secret 5 $1$j6Ac$3KarJszBV3VMaL/2Nio3E.
username jim secret 5 $1$LPV2$Q04NwAudy0/4AHHHQHvWj0
line vty 0 4
login neteng
access-class 3 in
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 151
User Authentication
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
tacacs-server host 215.17.5.35
tacacs-server key CKr3t#
line vty 0 4
access-class 3 in
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 152
User Authentication
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 153
Cisco ISP Essentials
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 154
Securing the Network
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 155
Ingress and Egress Route Filtering
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 156
Ingress and Egress Route Filtering
BGP Configuration
router bgp 200
no synchronization
bgp dampening
neighbor 220.220.4.1 remote-as 210
neighbor 220.220.4.1 version 4
neighbor 220.220.4.1 prefix-list bogons in
neighbor 220.220.4.1 prefix-list bogons out
neighbor 222.222.8.1 remote-as 220
neighbor 222.222.8.1 version 4
neighbor 222.222.8.1 prefix-list bogons in
neighbor 222.222.8.1 prefix-list bogons out
no auto-summary
!
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 157
Ingress and Egress Route Filtering
Prefix List
ip prefix-list bogons deny 0.0.0.0/8 le 32
ip prefix-list bogons deny 10.0.0.0/8 le 32
ip prefix-list bogons deny 127.0.0.0/8 le 32
ip prefix-list bogons deny 169.254.0.0/16 le 32
ip prefix-list bogons deny 172.16.0.0/12 le 32
ip prefix-list bogons deny 192.0.2.0.0/24 le 32
ip prefix-list bogons deny 192.168.0.0/16 le 32
ip prefix-list bogons deny 224.0.0.0/3 le 32
ip prefix-list bogons permit 0.0.0.0/0 le 32
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 158
Ingress and Egress Packet Filtering
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 159
Ingress and Egress Packet Filtering
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 160
Packet Filtering
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 161
Outbound Packet Filtering
ISP
Internet 165.21.0.0/16
Serial 0/1
Outbound Filter
applied to ISP’s
border router Block source address from all other networks
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 162
Inbound Packet Filtering
ISP
Internet 165.21.0.0/16
Serial 0/1
Inbound Filter
applied to ISP’s
Block source address from all other networks
border router
Ex. IP addresses with a source of 10.1.1.1 would
be blocked
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 163
Dynamic ACLs with AAA Virtual
Profiles
AAA Server
User X
Check
Remote LAN 1
Bridge/Router
Authentication Get User Virtual
OK Config Info
2 6 Template
User Y ISDN User config 5 Interface
Physical Info Delivered Virtual Access
4 Interface Cloned
Interface from Virtual
Single User Client Analog 3 Template Interface
with ISDN Card
Create Virtual
Access Interface Virtual
User Z Network Access
Access Server Interface
Single User Client with
ISDN BRI T/A or Modem
• Logical extension of Dialer Profile functionality
• ACLs stored in the Central AAA Server
• Supports both Radius and Tacacs+
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 164
Reverse Path Forward Check
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 165
Reverse Path Forward Check
• IOS Command
interface serial 1/0
ip verify unicast reverse-path <acl>
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 166
CEF Unicast RPF
Routing Table:
210.210.0.0 via 172.19.66.7
172.19.0.0 is directly connected, Fddi 2/0/0
CEF Table: If OK, RPF passed
210.210.0.0 172.19.66.7 Fddi 2/0/0 the packet to be
172.19.0.0 attached Fddi 2/0/0
Adjacency Table:
forwarded by CEF.
Fddi 2/0/0 172.19.66.7 50000603E…AAAA03000800
FDDI 2/0/0
172.19.0.0/16
Unicast
Data IP Header Data IP Header
RPF
In Out
Routing Table:
210.210.0.0 via 172.19.66.7
172.19.0.0 is directly connected, Fddi 2/0/0
CEF Table:
210.210.0.0 172.19.66.7 Fddi 2/0/0
172.19.0.0 attached Fddi 2/0/0
Adjacency Table:
Fddi 2/0/0 172.19.66.7 50000603E…AAAA03000800
FDDI 2/0/0
172.19.0.0/16
Unicast
Data IP Header
RPF
In Out
no ip proxy-arp
Enterprise Upstream ISP
! Network
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 170
Unicast RPF – ACL
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 171
Unicast RPF – ACL
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 172
Unicast RPF – ACL
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 173
Description of “Smurfing”
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 174
Description of “Smurfing”
Internet
Perpetrator
Victim
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 175
Multiplied Bandwidth – Example
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 176
Multiplied Bandwidth – Consequences
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 177
Profiles of Participants
• Typical Perpetrators
Cracked superuser account on well-connected enterprise network
Superuser account on university residence hall network (Ethernet)
Typical PPP dial-up account (for smaller targets)
• Typical Victims
IRC Users, Operators, and Servers
Providers who eliminate troublesome users’ accounts
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 178
Prevention Techniques
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 179
Prevention Techniques
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 181
DDoS Links
• http://www.denialinfo.com/
• http://www.staff.washington.edu/dittrich
• http://www.sans.org/y2k/DDoS.htm
• http://www.nanog.org/mtg-9910/robert.html
• http://cve.mitre.org/
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 182
Cisco ISP Essentials
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 183
More Information?
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 184
Where to get more information
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 185
For Further Reference…
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 186
For Further Reference…
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 187
ISP Essentials
Essential IOS Features every ISP should Consider
End of Tutorial
IOS Essentials 3.0 © 2003, Cisco Systems, Inc. All rights reserved. 188