Cisco IOS DNS auth/recursive

ip dns view Event-Wifi
domain timeout 5
dns forwarder 208.67.222.222
dns forwarder 208.67.220.220
ip dns view-list Event-Wifi
view Event-Wifi 100
restrict source access-group 2
!
ip dns server view-group Event-Wifi
ip dns server
ip dns primary event.wifi soa ns.event.wifi postmaaster.event.wifi 21600 900 7776000 86400

Cisco IOS reflective ACL

interface Cellular0
ip access-group public-inbound-packet-catcher in
ip access-group public-outbound-packet-listener out
!
ip access-list extended public-inbound-packet-catcher
remark -= icmp permit’s and deny’s =-
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
permit tcp any any eq 1723
permit gre any any
permit udp any eq isakmp any eq isakmp
permit esp any any
remark -= allow ssh and dns =-
permit tcp any any eq 22 log
permit tcp any any eq www log
permit udp any eq domain any
remark -= returning traffic =-
evaluate outside-access-in-reflexive-temporary-list
deny ip any any log-input
ip access-list extended public-outbound-packet-listener
permit tcp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
permit udp any any reflect outside-access-in-reflexive-temporary-list timeout 3600

 

Basic IOS config (o.a. VTP en NTP)

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
!
aaa new-model
aaa authentication login local local
!
vtp mode transparent
!
username outeradmin secret PASSWORD
!
enable secret PASSWORD
!
no ip domain-lookup
!
ip domain-name routit.net
!
spanning-tree mode rapid-pvst
!
no ip http server
no ip http secure-server
!
banner exec ^

Organisatie : winfred.nl
Lokatie         : site
Beheer          : iemand @ winfred . nl
Installatie    : iemand @ winfred . nl

^
banner motd ^
Waarschuwing !!!
Toegang tot dit systeem en informatie verkregen door middel van
deze systemen is strikt vertrouwelijk en in eigendom van

MOI

Toegang tot deze systemen en informatie is alleen met uitdrukkelijke
toestemming van de eigenaar geoorloofd, elke andere vorm van toegang
is niet toegestaan en kan juridische gevolgen hebben.
^
!
! NMS station SNMP
access-list 1 permit 172.31.180.10
!
! NMS station SSH
access-list 23 permit 10.35.0.0 0.0.255.255
!
line con 0
line vty 0 15
session-timeout 5
access-class 23 in
login authentication local
transport input ssh
!
snmp-server community 754d7066ab385bb0d44b6361d78faef1 RO 1
snmp-server ifindex persist
snmp-server location site
snmp-server contact iemand @ winfred . nl
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
!
! ntp update-calendar
! ntp0.nl.uu.net
ntp server 193.67.79.202
! ntp.pool.tu.nl
ntp server 193.79.237.14 prefer

 

Achtergrond:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html

ASA basic | fail-over

Controle context mode:

ASA-lab# sh mode
Security context mode: multiple

Verwijderen call-home config

ASA-lab(config)# clear config call-home
ASA-lab(config)# no service call-home

Aanmaken Admin context:

ASA-lab(config)# admin-context admin
Creating context 'admin'... Done. (1)

Aanmaken interfaces:

interface GigabitEthernet0/0
 channel-group 1 mode active
 speed 1000
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 speed 1000
!
interface GigabitEthernet0/2
 description FailOver HA
 speed 1000
!
interface GigabitEthernet0/3
 description FailOver FT
 speed 1000
!
interface Port-channel1
!
interface Port-channel1.300
 description ASA-Lab HA
 vlan 300
!
interface Port-channel1.301
 description ASA-Lab FT
 vlan 301
!
interface Port-channel1.302
 description ASA-Lab Admin
 vlan 302

Instellen Admin context:

ASA-lab(config)# context admin
ASA-lab(config-ctx)# description Admin-context
ASA-lab(config-ctx)# config-url disk0:/admin-beheer.cfg

WARNING: Could not fetch the URL disk0:/admin-beheer.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

ASA-lab(config-ctx)# allocate-interface interface Port-channel1.302 Beheer

Instellen FO:

interface Redundant1
 member-interface GigabitEthernet0/2

Primary UNIT:

failover 
failover lan unit primary
failover lan interface LAN Redundant1
failover key wachtwoord
failover replication http
failover link LAN Redundant1
failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover group 1
 replication http
 
Secondary UNIT:
 
failover 
failover lan unit secondary
failover lan interface LAN Redundant1
failover key wachtwoord
failover replication http 
failover link LAN Redundant1 
failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2 
failover group 1 
 replication http

Instellen admin context:

ASA-lab# changeto context admin

interface Beheer
 nameif Beheer
 security-level 100
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
http server enable
http 192.0.2.0 255.255.255.0 Beheer
!
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication secure-http-client

 

 

 

 

 

 

DH group X ; The Logjam Attack

https://weakdh.org/

 

Highlight:

“We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break”.

 

 

Dit zijn de encryptie sterkte van de DH groepen:

  • DH Group 1: 768-bit group
  • DH Group 2: 1024-bit group
  • DH Group 5: 1536-bit group
  • DH Group 14: 2048-bit group
  • DH Group 15: 3072-bit group
  • DH Group 19: 256-bit elliptic curve group
  • DH Group 20: 384-bit elliptic curve group

ISG ; login based on IP/MAC

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-auto-sub-logon.html/index.html#GUID-6C9CCCB3-8EB2-4CEE-A8AA-578A883EA6DE

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-netwk-acess-pol.html

https://cisco-images.test.edgekey.net/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-xe-3s-book.pdf

http://www.postseek.com/meta/c89669f50ef996712b544922d4d6ff80

Internet in VRF

 

>

> Nice that’s clever.

> And since you are using CSR1000v you don’t need to worry about the

> cost of HW for RRs.

 

Yes, the CSR1000v’s are workhorses.

 

 

> I see, so RRs do the routing decision on behalf of the PE routers in a

> particular PoP.

 

Correct, but in some cases, the routing decision is done in a completely different country/continent/cluster, before that final decision is pushed down to the RR which has the target edge router. Either way, the result is always the same, since the destination traffic was headed toward that different country/continent anyway.

 

 

> Since RR cluster is local to the PoP the AS-exit proximity is

> accurate, in other words what is good for the RR has to be good for

> the PEs within the PoP.

 

Yes, and this is a very important point that you note. Having iBGP sessions to RR’s not in the same physical PoP can lead to sub-optimal routing for devices in that PoP, as by default, RR’s base best-path selection for IGP metrics on the local IGP metric, while the iBGP neighbor would be remote.

 

BGP-ORR, covered in “draft-ietf-idr-bgp-optimal-route-reflection-09”, is trying to fix this. But I don’t know of anyone shipping code yet.

 

 

> But still you’d have to use add-path to advertise backup paths from

> RRs to PEs in a local PoP whereas with MP-BGP you’d just use unique RDs.

 

You might find it strange but I do neither :-).

 

Each cluster has 2x RR’s. Each iBGP client has 2x sessions to each RR for all address families.

 

Based on our hardware, we’ve modeled convergence performance for BGP routing and found it to be reasonably quick across the network.

Considering the additonal overhead Add-Paths and such would bring, it has been a calculated decision to keep things simple, and rely on Next-Hop Address Tracking tech. in Cisco and Juniper to speed up convergence. BFD for IS-IS has also been very helpful, as we’ve found BGP to be a lot more stable in a steady-state.

 

We are still watching this, and will decide if physically installing additional paths is a good idea. For now, it’s not hurting overall network performance.

 

>

>

> I see it as more of a good practice not to hold default route or full

> inet table on a peering box but as I said before peer pointing a

> default at you is rather a corner case I guess.

 

Hehe, depends. Some folk point default toward you at peering points because they don’t know better. Others do because they are chancers.

Either way, avoid the risk.

 

We have dedicated peering routers in each PoP. We carry neither a full table nor a default route on those. In fact, we null-route default routes on every peering box.

 

 

>

>

> Yeah been doing EoMPLS PW to provide full internet feed to customers

> behind MEs didn’t have the confidence to use the table-map/SRD 🙂

 

You should try BGP-SD, works great over here :-).

 

Tunnels or eBGP-Multihop is too much for me for passing full feeds to customers :-).

 

1 10 11 12 13 14 21