Cisco CoPP Best practices
Cisco CoPP Cat6k
http://events.cisco.hu/2014/techtorial/doc/lavarga_v1.0.pdf
Hi All,
Thanks for all the valuable input!
I wrote up a CoPP policy, and deployed it in a non-limiting fashion
and monitored for a while. Once happy we enabled the policers and it's
working fine, however the software counters are going up, and it's not
clear to me why that is.
Further down is the config; immediately below is partial output
from an example 7600 (as the CoPP policy is quite long):
abr1#show policy-map control-plane input

Control Plane

  Service-policy input: Control-Plane-Filter-In

  Hardware Counters:

    class-map: CoPP-Limit-and-Permit-Critical (match-any)
      Match: access-group name CoPP-Limit-and-Permit-BGP
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
      Match: access-group name CoPP-Limit-and-Permit-RSVP
      Match: access-group name CoPP-Limit-and-Permit-LDP
      Match: access-group name CoPP-Limit-and-Permit-OSPF
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
      Match: access-group name CoPP-Limit-and-Permit-HSRP
      Match: access-group name CoPP-Limit-and-Permit-BFD
      police :
        10000000 bps 312000 limit 312000 extended limit
      Earl in slot 6 :
        631028621 bytes
        5 minute offered rate 86968 bps
        aggregate-forwarded 631028621 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 79648 bps exceed 0 bps

  Software Counters:

    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
      4646556 packets, 411683229 bytes
      5 minute offered rate 54000 bps, drop rate 0000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGP
        4035626 packets, 367873184 bytes
        5 minute rate 48000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
        2101 packets, 174550 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-RSVP
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-LDP
        173745 packets, 13108073 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPF
        77045 packets, 8382206 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-HSRP
        358039 packets, 22145216 bytes
        5 minute rate 2000 bps
      Match: access-group name CoPP-Limit-and-Permit-BFD
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 10000000 bps, bc 312500 bytes, be 312500 bytes
        conformed 4646556 packets, 411683229 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 54000 bps, exceeded 0000 bps, violated 0000 bps
I'm not sure why traffic like BGP would match into both the hardware
and software policers, when it's such a simple match statement (I am
assuming that because the packet count under the software counters is
much lower than the ACL match, the rest were policed by
hardware?)
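A small parser for the "show policy-map control-plane input" output above, added here as an example and not code from the thread or from Cisco: it collects the hardware (PFC) and software (RP) counters per class so you can list the classes in which any packets reached the software policer, which is what the question above is about. The sample is constructed from the output quoted above, trimmed to one class with its indentation restored.

```python
import re

# Constructed sample, trimmed from the 'show policy-map control-plane input'
# output quoted above (one class; indentation restored).
SAMPLE = """\
  Hardware Counters:
    class-map: CoPP-Limit-and-Permit-Critical (match-any)
        aggregate-forwarded 631028621 bytes action: transmit
        exceeded 0 bytes action: transmit
  Software Counters:
    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
      4646556 packets, 411683229 bytes
      Match: access-group name CoPP-Limit-and-Permit-BGP
        4035626 packets, 367873184 bytes
      police:
        conformed 4646556 packets, 411683229 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        violated 0 packets, 0 bytes; actions:
"""

CLASS_RE = re.compile(r"^\s*class-map:\s+(\S+)", re.I)
HW_RE = re.compile(r"^\s*(aggregate-forwarded|exceeded)\s+(\d+)\s+bytes\s+action")
SW_TOTAL_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes$")
SW_POLICE_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+)\s+packets,")
FIELDS = ("hw_fwd_bytes", "hw_exceeded_bytes", "sw_packets", "sw_bytes",
          "sw_conformed", "sw_exceeded", "sw_violated")

def parse_copp(text):
    """Per-class hardware (PFC) and software (RP) counters keyed by class name.
    Each regex only matches lines of its own section; the first 'N packets, N
    bytes' line after a software class header is the class total, later ones
    are the per-ACL match counts and are skipped."""
    stats, row, need_total = {}, {}, False
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            row = stats.setdefault(m.group(1), dict.fromkeys(FIELDS, 0))
            need_total = True
        elif m := HW_RE.match(line):
            key = "hw_fwd_bytes" if m.group(1) == "aggregate-forwarded" else "hw_exceeded_bytes"
            row[key] = int(m.group(2))
        elif need_total and (m := SW_TOTAL_RE.match(line)):
            row["sw_packets"], row["sw_bytes"] = int(m.group(1)), int(m.group(2))
            need_total = False
        elif m := SW_POLICE_RE.match(line):
            row["sw_" + m.group(1)] = int(m.group(2))
    return stats

def software_path_classes(stats):
    """Classes where any packet hit the RP policer (the ones worth a closer look)."""
    return sorted(c for c, r in stats.items() if r["sw_packets"] > 0)
```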
> I am trying to write a CoPP template for some 7600s running as PEs. It
> would be handy if they were running a similar CoPP configuration to
> that on our Juniper PEs we are going to be connecting these 7600's to
> so we have consistent CoPP across that domain of equally exposed
It's not going to be consistent; CoPP does work, but it can't really compete with over a decade newer Trio kit.
> CoPP on 7600’s can’t police ARP but one can use the MLS HWRL for that.
> The HWRLs can also handle other protocols like HSRP and CoPP can’t
> police multicast in hardware, so do people usually police ARP and HSRP
> using the MLS HWRLs instead of CoPP?
Pretty sure HSRP works just fine. For multicast, you just need to allow all multicast in CoPP (otherwise it's processed by software CoPP, which you don't want) and then limit in mls rate-limit.
> The HWRLs support other protocols too that ARE supported in CoPP in
> hardware, so are there any other protocols that people prefer to
> police using the HWRLs?
Example please, I cannot recall overlap.
> With regards to ACLs, do people really have giant access lists of
> peers they allow BGP to/from? The 7600 I am piloting this on has over
Yes. Two, one low rate for SYN and one for other BGP, alas. However if your master configuration data is not network, but database, then it does not really matter how complex or simple the network configuration is, as it’s generated automatically from database.
If it’s pure CLI jockey network, it can be a challenge.
But even this isn't as good as it should be, as each neighbour would need to have their own policer, like Cisco LPTS or Juniper ddos-protection can do.
But this is one of those things where you’ll rather carry a risk than overcomplicate the configuration.
> any any eq 179" as above then I feel I need to police, unless I can
> guarantee at the edge I have filtered out traffic on TCP 179 from
> everywhere it shouldn’t be coming from. What approach to others take
> here? Why?
I have opted for simplicity, I have CoPP class for internal signalling stuff, which is critical, another for important customer/peer stuff, like BGP, and another for unimportant stuff (ping, udp traceroute…)
> What do people do with unusual traffic like IP fragments? I am
> discarding them. Thoughts?
If you can get away with discarding fragments hitting the control plane, do it. If not, police them.
> What about packets with IP options set, I am allowing record-route
> only and dropping the rest. Thoughts?
No one expects IP options to work in the Internet; there is an mls command to police them, and I would do that, even for transit.
> ICMP, I'm just proposing to allow the following:
> ip access-list extended CoPP-Limit-and-Permit-ICMP
>  permit icmp any any echo
>  permit icmp any any echo-request
>  permit icmp any any unreachable
>  permit icmp any any ttl-exceeded
>  permit icmp any any packet-too-big
>  deny icmp any any
>
> Again, any thoughts there?
Never use 'deny' in PFC3 CoPP ACLs. It's not needed, it may not be supported, and it may cause a negative match and stop evaluation (i.e. the packet won't fall through to the next class).