Cisco to support flow spec

Looks like 5.2.0 has been available since July.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/general/release/notes/reln_520a9k.html
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html

7.3, last I heard.

Also, is this RFC 5575-compliant flowspec?

Yes, with some recent enhancements to the specs (v6 support, relaxed origin check, extra redirect options, and a few more).

Search in project Un1c0rn

Project Un1c0rn is a search engine exposing open, vulnerable and weak services since May 2014 ... Leaking mysql/mongo and heartbleed services worldwide ... Disclosure is the solution ... Un1c0rn won't die ... We don't ask, we host ... Back online, uptime should now be good, DB migration coming later. Leakhorn

Disabling Windows tunnel interfaces

https://www.asmus-consulting.com/en/blog-category-active-directory-and-windows-server/item/41-disable-ipv6-tunnel-adapter

Use these three commands to disable the tunnel adapters with netsh:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled

You can also disable the tunnel adapters by GPO:
– open Group Policy Management Editor
– select an existing GPO or create a new one
– go to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies

Configure all of the settings below: enable each setting, but select “disable” within it.
– “Set 6to4 State”
– “Set ISATAP State”
– “Set Teredo State”

That's it.

Cisco CoPP

Cisco CoPP Best practices

Cisco CoPP Cat6k

http://events.cisco.hu/2014/techtorial/doc/lavarga_v1.0.pdf

Hi All,

Thanks for all the valuable input!

I wrote up a CoPP policy, deployed it in a non-limiting fashion and monitored it for a while. Once happy, we enabled the policers and it's working fine; however, the software counters are going up, and it's not clear to me why that is.

Further down is the config; immediately below is partial output from an example 7600 (as the CoPP policy is quite long):

abr1#show policy-map control-plane input

Control Plane

  Service-policy input: Control-Plane-Filter-In

  Hardware Counters:

    class-map: CoPP-Limit-and-Permit-Critical (match-any)
      Match: access-group name CoPP-Limit-and-Permit-BGP
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
      Match: access-group name CoPP-Limit-and-Permit-RSVP
      Match: access-group name CoPP-Limit-and-Permit-LDP
      Match: access-group name CoPP-Limit-and-Permit-OSPF
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
      Match: access-group name CoPP-Limit-and-Permit-HSRP
      Match: access-group name CoPP-Limit-and-Permit-BFD
      police :
        10000000 bps 312000 limit 312000 extended limit
      Earl in slot 6 :
        631028621 bytes
        5 minute offered rate 86968 bps
        aggregate-forwarded 631028621 bytes action: transmit
        exceeded 0 bytes action: transmit
        aggregate-forward 79648 bps exceed 0 bps

  Software Counters:

    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
      4646556 packets, 411683229 bytes
      5 minute offered rate 54000 bps, drop rate 0000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGP
        4035626 packets, 367873184 bytes
        5 minute rate 48000 bps
      Match: access-group name CoPP-Limit-and-Permit-BGPv6
        2101 packets, 174550 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-RSVP
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-LDP
        173745 packets, 13108073 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPF
        77045 packets, 8382206 bytes
        5 minute rate 1000 bps
      Match: access-group name CoPP-Limit-and-Permit-OSPFv3
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name CoPP-Limit-and-Permit-HSRP
        358039 packets, 22145216 bytes
        5 minute rate 2000 bps
      Match: access-group name CoPP-Limit-and-Permit-BFD
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 10000000 bps, bc 312500 bytes, be 312500 bytes
        conformed 4646556 packets, 411683229 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 54000 bps, exceeded 0000 bps, violated 0000 bps

I'm not sure why traffic like BGP would match into both the hardware and software policers, when it's such a simple match statement (I am assuming that, because the packet count under the software counters is much lower than the ACL match, the rest were policed by hardware?).
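To watch both policer paths over time without reading the whole show output by hand, here is an added Python example (my code, not from the post or from Cisco) that parses the per-class hardware (PFC) and software (RP) counters of `show policy-map control-plane input` and lists the classes where either policer is discarding traffic; the sample text, the second class `CoPP-Limit-Unimportant` and its numbers are constructed to exercise the drop case.

```python
import re

# Constructed excerpt in the layout of "show policy-map control-plane input" on a 7600;
# the second class and its numbers are made up so the drop-reporting path is exercised.
SAMPLE = """\
  Hardware Counters:
    class-map: CoPP-Limit-and-Permit-Critical (match-any)
        aggregate-forwarded 631028621 bytes action: transmit
        exceeded 0 bytes action: transmit
    class-map: CoPP-Limit-Unimportant (match-any)
        aggregate-forwarded 90000 bytes action: transmit
        exceeded 12000 bytes action: drop
  Software Counters:
    Class-map: CoPP-Limit-and-Permit-Critical (match-any)
        conformed 4646556 packets, 411683229 bytes; actions:
        violated 0 packets, 0 bytes; actions:
    Class-map: CoPP-Limit-Unimportant (match-any)
        conformed 800 packets, 90000 bytes; actions:
        violated 15 packets, 1200 bytes; actions:
"""
CLASS_RE = re.compile(r"^\s*[Cc]lass-map:\s+(\S+)")
HW_RE = re.compile(r"^\s*(aggregate-forwarded|exceeded)\s+(\d+)\s+bytes\s+action:\s+(\w+)")
SW_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;")

def parse_copp(text):
    """Per-class counters: hw_* from the PFC policer (summed over Earls), sw_* from the RP policer."""
    stats, section, cls = {}, None, None
    for line in text.splitlines():
        head = CLASS_RE.match(line)
        if line.strip() in ("Hardware Counters:", "Software Counters:"):
            section = "hw" if "Hardware" in line else "sw"
        elif head:
            cls = head.group(1)
            stats.setdefault(cls, {})
        elif section == "hw" and (m := HW_RE.match(line)):
            s = stats[cls]
            key = "hw_fwd_bytes" if m.group(1) == "aggregate-forwarded" else "hw_exc_bytes"
            s[key] = s.get(key, 0) + int(m.group(2))   # one line per Earl/DFC slot, so sum them
            if m.group(1) == "exceeded":
                s["hw_exc_action"] = m.group(3)
        elif section == "sw" and (m := SW_RE.match(line)):
            stats[cls]["sw_%s_pkts" % m.group(1)] = int(m.group(2))
            stats[cls]["sw_%s_bytes" % m.group(1)] = int(m.group(3))
    return stats

def dropping_classes(stats):
    """Classes whose hardware exceed action is drop with a non-zero count, or whose RP policer violated."""
    return [c for c, s in stats.items()
            if (s.get("hw_exc_bytes", 0) > 0 and s.get("hw_exc_action") == "drop")
            or s.get("sw_violated_pkts", 0) > 0]
```

Feed it the real output of the command instead of `SAMPLE` and diff `parse_copp` results between polls to see which class the drops land in.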

> I am trying to write a CoPP template for some 7600s running as PEs. It
> would be handy if they were running a similar CoPP configuration to
> that on our Juniper PEs we are going to be connecting these 7600's to,
> so we have consistent CoPP across that domain of equally exposed

It's not going to be consistent. CoPP does work, but it can't really compete with Trio kit that is over a decade newer.

> CoPP on 7600's can't police ARP but one can use the MLS HWRL for that.
> The HWRLs can also handle other protocols like HSRP and CoPP can't
> police multicast in hardware, so do people usually police ARP and HSRP
> using the MLS HWRLs instead of CoPP?

Pretty sure HSRP works just fine. For multicast, you just need to allow all multicast in CoPP (otherwise it's processed by software CoPP, which you don't want) and then limit it in mls rate-limit.

> The HWRLs support other protocols too that ARE supported in CoPP in
> hardware, so are there any other protocols that people prefer to
> police using the HWRLs?

Example please, I cannot recall any overlap.

> With regards to ACLs, do people really have giant access lists of
> peers they allow BGP to/from? The 7600 I am piloting this on has over

Yes. Two: one low-rate for SYN and one for other BGP, alas. However, if your master configuration data is not the network but a database, then it does not really matter how complex or simple the network configuration is, as it's generated automatically from the database.

If it's a pure CLI-jockey network, it can be a challenge.

But even this isn't as good as it should be, as each neighbour would need to have its own policer, like Cisco LPTS or Juniper ddos-protection can do.

But this is one of those things where you'd rather carry a risk than overcomplicate the configuration.

> any any eq 179" as above then I feel I need to police, unless I can
> guarantee at the edge I have filtered out traffic on TCP 179 from
> everywhere it shouldn't be coming from. What approach do others take
> here? Why?

I have opted for simplicity: I have a CoPP class for internal signalling stuff, which is critical, another for important customer/peer stuff like BGP, and another for unimportant stuff (ping, UDP traceroute, ...).

> What do people do with unusual traffic like IP fragments? I am
> discarding them. Thoughts?

If you can get away with discarding fragments hitting the control plane, do it. If not, police them.

> What about packets with IP options set? I am allowing record-route
> only and dropping the rest. Thoughts?

No one expects IP options to work in the Internet. There is an mls command to police them; I would do that, even for transit.

> ICMP, I'm just proposing to allow the following:
> ip access-list extended CoPP-Limit-and-Permit-ICMP
>  permit icmp any any echo
>  permit icmp any any echo-request
>  permit icmp any any unreachable
>  permit icmp any any ttl-exceeded
>  permit icmp any any packet-too-big
>  deny icmp any any
>
> Again, any thoughts there?

Never use 'deny' in PFC3 CoPP ACLs. It's not needed, it may not be supported, and it may cause a negative match and a stop of evaluation (i.e. it won't fall through to the next class).

Netflow viewers

FlowViewer / SiLK handles IPv6.

Web-based, graphical tracking and analysis. Free.

http://sourceforge.net/projects/flowviewer/

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html#reference_A9019899140647F2B3F87ABABCFC170D

http://qosient.com/argus/

Cisco IOS sup-720 SNMP

To keep the same interface indexes after a supervisor swap, the only way to achieve that easily is to move nvram:ifIndex-table from the old SUP to the new SUP.

This document says that the file can be downloaded and viewed:

http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/28420-ifIndex-Persistence.html

 

Procedure:

Old SUP:
#copy nvram:ifIndex-table disk0:

New SUP:
#delete nvram:ifIndex-table
#copy disk0:ifIndex-table nvram:
#reload

IPv6 security

MAC bindings

In the IPv4 world, the DHCP server allocates IPv4 addresses and thereby stores the MAC addresses of the clients. In the IPv6 world, if SLAAC (autoconfiguration) is used, no network or security device per se stores the binding between the MAC (layer 2) and the IPv6 (layer 3) addresses from the clients. That is, a subsequent analysis of network behaviour corresponding to concrete IPv6 addresses and their client machines is not possible anymore.

6MoN

is network monitoring software developed to detect the behaviour of hosts on big LANs. By its nature it can be an aid for the network administrator in identifying anomalies on a LAN. The tool is able to identify the presence of a node, indicating the association between MAC, IPv4 and IPv6 address, and maintains a history of network access and of any changes in the presence of mechanisms for automatic address assignment (DHCP, SLAAC).

ipv6mon

is a tool meant for monitoring IPv6 address usage on a local network. It is meant to be particularly useful in networks that employ IPv6 Stateless Address Auto-Configuration (as opposed to DHCPv6), where address assignment is decentralized and there is no central server that records which IPv6 addresses have been assigned to which nodes during which period of time.

ipv6mon employs active probing to discover IPv6 addresses in use, and determine whether such addresses remain active.

NAV

is an acronym for Network Administration Visualized. It is an advanced software suite to monitor large computer networks. It automatically discovers network topology, monitors network load and outages, and can send alerts on network events by e-mail and SMS, allowing for flexible configuration of alert profiles.

NDPmon

is a diagnostic software application used by Internet Protocol version 6 network administrators for monitoring ICMPv6 packets. NDPMon observes the local network for anomalies in the function of nodes using Neighbor Discovery Protocol (NDP) messages, especially during Stateless Address Autoconfiguration. When an NDP message is flagged, it notifies the administrator by writing to syslog or by sending an email report. It may also execute a user-defined script. For IPv6, NDPMon is the equivalent of Arpwatch for IPv4, and has similar basic features with added attack detection.
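The core of what the MAC bindings section asks for, and what NDPmon and Arpwatch do for a switch's neighbour cache, is just periodic snapshots of the address-to-MAC table with change detection. This added Python example (my code, not part of any of the tools above) does that over the output of Linux `ip -6 neigh show`, which it assumes as input format; both polls are constructed and embedded.

```python
import ipaddress
import re

# Constructed "ip -6 neigh show" output (Linux) for two successive polls of one LAN;
# in the second poll one station has changed MAC and one station is new.
POLL_1 = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::a dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::b dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
2001:db8:1::c dev eth0  FAILED
"""
POLL_2 = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::a dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::b dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
2001:db8:1::d dev eth0 lladdr aa:bb:cc:dd:ee:03 DELAY
"""
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)(?: router)? (\w+)$")

def parse_neigh(text):
    """Map normalised IPv6 address -> (iface, mac); entries without a resolved MAC are skipped."""
    bindings = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(4) not in ("FAILED", "INCOMPLETE"):
            ip = ipaddress.IPv6Address(m.group(1)).compressed
            bindings[ip] = (m.group(2), m.group(3).lower())
    return bindings

def diff_bindings(old, new):
    """Arpwatch-style events between two polls: new station, changed MAC, address gone."""
    events = []
    for ip, (iface, mac) in new.items():
        if ip not in old:
            events.append(("new_station", ip, iface, mac))
        elif old[ip][1] != mac:          # same address now answered by another MAC
            events.append(("changed_mac", ip, old[ip][1], mac))
    for ip in old.keys() - new.keys():
        events.append(("gone", ip, old[ip][0], old[ip][1]))
    return events

def addresses_by_mac(bindings):
    """Group addresses per station; a SLAAC host normally holds several (link-local, global, temporary)."""
    grouped = {}
    for ip, (_iface, mac) in bindings.items():
        grouped.setdefault(mac, []).append(ip)
    return grouped
```

Keeping the events with a timestamp gives the per-address history that the SLAAC network otherwise never records.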

Cisco IPv6 IOS firewall

ipv6 inspect routing-header
ipv6 inspect max-incomplete low 100
ipv6 inspect max-incomplete high 300
ipv6 inspect one-minute low 100
ipv6 inspect one-minute high 300
ipv6 inspect udp idle-time 60
ipv6 inspect tcp idle-time 1200
ipv6 inspect tcp finwait-time 8
ipv6 inspect tcp synwait-time 60
ipv6 inspect tcp max-incomplete host 100 block-time 1
!
ipv6 inspect name ipv6-FireWall tcp alert on timeout 120
ipv6 inspect name ipv6-FireWall udp alert on timeout 60
ipv6 inspect name ipv6-FireWall icmp alert on audit-trail on timeout 5
ipv6 inspect name ipv6-FireWall ftp timeout 3600
!
interface dialer X
 ipv6 verify unicast source reachable-via any allow-default
 ipv6 inspect ipv6-FireWall in
 ipv6 inspect ipv6-FireWall out
 ipv6 traffic-filter ipv6-inet-in in
!
ipv6 access-list ipv6-inet-in
 remark block site local
 deny ipv6 any FEC0::/10
 remark permit mcast link local (before the FF00::/8 deny: the list is first-match)
 permit ipv6 any FF02::/16
 remark permit mcast global scope
 permit ipv6 any FF0E::/16
 remark block all other mcast
 deny ipv6 any FF00::/8
 remark permit minimal icmp messages
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo-request
 permit icmp any any packet-too-big
 permit icmp any any parameter-problem
 permit icmp any any mld-query
 permit icmp any any mld-report
 permit icmp any any mld-reduction
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 remark permit allowed traffic
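IOS access lists are evaluated top-down, first match wins, so a broad `deny` placed ahead of a narrower `permit` silently makes the permit dead and, here, would drop the router advertisements and MLD traffic the ICMP permits are meant to let in. The following added Python example (my code, not Cisco's or the page's) checks an IPv6 ACL for exactly that; the sample list is constructed in the style of ipv6-inet-in with the multicast deny ahead of the FF02::/16 and FF0E::/16 permits, and the model ignores ICMP message types and L4 ports.

```python
import ipaddress

# Constructed ACL in the style of ipv6-inet-in: a broad multicast deny sits ahead of
# the narrower link-local and global-scope permits, which first-match evaluation kills.
SAMPLE_ACL = """\
ipv6 access-list ipv6-inet-in
 remark block site local
 deny ipv6 any FEC0::/10
 remark block mcast
 deny ipv6 any FF00::/8
 remark permit mcast link local
 permit ipv6 any FF02::/16
 remark permit mcast global scope
 permit ipv6 any FF0E::/16
 permit icmp any any echo-request
"""

def to_net(token):
    """'any' or a prefix token -> IPv6Network (host and wildcard forms are not modelled)."""
    return ipaddress.IPv6Network("::/0" if token == "any" else token, strict=False)

def parse_acl(text):
    """(line_no, action, proto, src, dst) per ACE; header and remarks are skipped.
    ICMP message types and port qualifiers after the addresses are ignored on purpose."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("permit", "deny"):
            entries.append((n, parts[0], parts[1], to_net(parts[2]), to_net(parts[3])))
    return entries

def shadowed(entries):
    """First-match rule: an ACE is dead when an earlier ACE covers its protocol and both
    address ranges. Returns (dead_line, covering_line, covering_action) tuples."""
    dead = []
    for i, (n, _act, proto, src, dst) in enumerate(entries):
        for pn, pact, pproto, psrc, pdst in entries[:i]:
            if pproto in ("ipv6", proto) and src.subnet_of(psrc) and dst.subnet_of(pdst):
                dead.append((n, pn, pact))
                break
    return dead
```

A dead permit covered by a deny is the case to fix; a dead permit covered by another permit is merely redundant.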

 
