Showing posts with label ACL. Show all posts
Showing posts with label ACL. Show all posts

Friday, February 5, 2016

Example - How to configure Site-to-site VPN with IOS router



  • Router 1 (Left):

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.20.3
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.20.3
 set transform-set My-Set
 match address R1_TO_R3
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 crypto map MyMap
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
!
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R1_TO_R3
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
  • Router 3 (Right):

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.10.1
!
!
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set My-Set
 match address R3_TO_R1
!
interface FastEthernet0/0
 ip address 172.16.3.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.20.3 255.255.255.0
 crypto map MyMap
!
router ospf 10
 router-id 3.3.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip access-list extended R3_TO_R1
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

  • Validation:


Router3#show  crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: MyMap, local addr 10.10.20.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3242, #pkts encrypt: 3242, #pkts digest: 3242
    #pkts decaps: 3242, #pkts decrypt: 3242, #pkts verify: 3242
    #pkts compressed: 0, #pkts decompressed: 0


Router3#show  crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.1      10.10.20.3      QM_IDLE           1002    0 ACTIVE






Friday, December 11, 2015

Capture traffic on Cisco switch with EPC (both directions)

Embedded Packet Capture is a powerful tool implemented on certain Cisco devices. With this technology, it's no more mandatory to SPAN traffic in order to capture it. You can capture traffic at differents points of your network with some limitations described in the Cisco documentation.
In my case, I would like capture traffic between 2 machines (only these 2 machines) has described in diagram below:

In order to do this, you can use the following configuration:
ip access-list extended HOST-TO-FILTER
 permit ip host 10.10.10.1 host 10.10.20.1
 permit ip host 10.10.20.1.1 10.10.10.1
!
monitor capture MY-CAPTURE file location flash:mycapture.pcap  size 10 int GigabitEthernet1/0/1 both access-list HOST-TO-FILTER

After that, you can start the capture with the command:
monitor capture MY-CAPTURE start

And stop it:
monitor capture MY-CAPTURE stop


This capture can be export and read with wireshark for example.
!! Warning!!
EPC can consumes CPU and memory. Take care to apply a good filter in order to not overload your router or switch.

Wednesday, January 14, 2015

Avoid tromboning effect on extended Datacenter

If we want extend a datacenter between 2 sites, we have to have the same vlan on these 2 sites.
And as a virtual machine can be located on DC A or DC B, we cannot have static path between the client and the server. If we consider the diagram below we are facing a tromboning issue when a User on site B tries to reach a VM located in DC B.
The traffic follows the path:
client in site B -> router on DC B -> VM (vlan directly connected) -> Gateway in DC A -> Router DC B -> client in site B


However the optimal is:
client in site B -> router on DC B -> VM (vlan directly connected) -> Gateway in DC B -> Router DC B -> client in site B

In order to have this path, we have to have 2 actives HSRP routers on the same vlan.

This can obtained by filtering HSRP request between site on the port-channel.
This can easily be done with the following PACL:

ip access-list extended HSRP-FILTER
 10 deny udp any 224.0.0.2 0.0.0.0 eq 1985
 20 deny udp any 224.0.0.102 0.0.0.0 eq 1985
 30 permit ip any any
!
interface port-channel 10
 access-group mode prefer port
 ip access-group HSRP-FILTER in

However, we will have a duplicate IP address and logs messages will be generated.
On a Nexus, we can stop this log with the command below on the bvi:
no ip arp gratuitous hsrp duplicate

In my case, I was using Catalyst to interconnect my DC. 'Gratuitous arp' are the source of my problem! This message are sent by the router to announce their IP and their associated MAC. To filter this message and all ARP coming from the HSRP (other site), you can use the PACL to filter it.
As we know how a MAC is built in HSRP, this ACL filter all arp message coming with an address MAC of a HSRP (v1 and v2) source:

mac access-list extended FILTER-ARP-HSRP
 deny 0000.0c07.ac00 0000.0000.00ff any
 deny 0000.0c9f.f000 0000.0000.0fff any
 permit any any
!
int po 10
 mac access-group FILTER-ARP-HSRP in

Saturday, December 14, 2013

QoS Traffic Policing (drop excess traffic)

Today, I was facing an issue with several users. These users were uploading big files on server (http). Unfortunately, they were using all available bandwidth. It's why, I have decided to police this specific traffic (any users to this server). With the following configuration, the bandwidth for users is limited at 3Mbps (configuration applied on a Layer 3 Switch):



  • If the bandwidth exceeds 3Mbps, following packets are dropped:

access-list 100 permit tcp any 10.10.10.200 0.0.0.0 eq www
!
class-map match-all UserTraffic
match access-group 100
!
policy-map policeTraffic
class UserTraffic
    police 3000000 conform-action transmit  exceed-action drop
!
interface Vlan999
service-policy output policeTraffic

  • Check statistics:
MYSWITCH#show policy-map  interface vlan 999
Vlan999
  Service-policy output: policeTraffic
    Class-map:UserTraffic (match-all)
      558663 packets, 827048161 bytes
      5 minute offered rate 3643000 bps, drop rate 645000 bps
      Match: access-group 100
      police:
          cir 3000000 bps, bc 93750 bytes
        conformed 460702 packets, 679305595 bytes; actions:
          transmit
        exceeded 97962 packets, 147744080 bytes; actions:
          drop
        conformed 2994000 bps, exceed 669000 bps
    Class-map: class-default (match-any)
      1626596 packets, 568490144 bytes
      5 minute offered rate 3555000 bps, drop rate 0 bps
      Match: any

Friday, November 22, 2013

Reflexive ACLs

Introduction:

By default, an ACL is not stateful. When an 'inside' client open a session to an 'outside' host you have to create 2 ACLs:
- Client to Server
- Server to Client
In our case, we would like open everything coming from the client side and going to the server side. We also deny each session coming from server side. With traditional ACLs it will be really difficult to realize this configuration. It's why, we will use reflexive ACLs. This kind of ACL record session open from the client side and open the necessary port and IP source for the traffic coming back from the specific server.

In our case, we are using a simple test infrastructure as can be seen in the following diagram:


The traffic coming from the client side and going to server side is authorized. Only the response to a session open by a client is authorized (handle dynamically by a recursive ACL). Any other traffic coming from the server side is denied.

Configuration:

In a first step, we create an ACL to reflect outgoing packets:

ip access-list extended OUTBOUND
  permit ip any any reflect MIRROR
!
interface FastEthernet0/1
  ip access-group OUTBOUND out

When the client initiates a session, a reflected ACL is created in MIRROR.
Router#show ip access-lists MIRROR
Reflexive IP access list MIRROR
  permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)

In a second step, we create an ACL which uses the MIRROR entry to authorize the traffic.
ip access-list extended INBOUND
  evaluate MIRROR
!
interface FastEthernet0/1
  ip access-group INBOUND in
 
Results:

Connexion coming from the server side are denied:
SERVER#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Destination unreachable; gateway or host down

Connexion coming from the client side are authorized:
client#telnet 10.1.3.10
 Trying 10.1.3.10 ... Open
 User Access Verification
 Password:
 SERVER>en
As you can see below, a 'reflexive' session is authorized from the server to the client:
Router#show ip access-lists
Extended IP access list INBOUND
  10 evaluate Mirror
Reflexive IP access list Mirror
  permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
Extended IP access list OUTBOUND
10 permit ip any any reflect Mirror (27 matches)
 
Remarks:
 
By default the timeout for a reflexive ACL is 300sec.


Tuesday, December 20, 2011

Protect against unwanted Router Advertisements (RA)

RA is used by auto-configuration. What is it auto-configuration ? It's a solution who allows devices to choose their own address.
How it works ?

Autoconfiguration is a two-step process:

- Host has to obtain prefix information to configure its address. To do this, it sends a Router Solicitation (RS). It's a multicast frame (ICMPv6 RS) for each router.
- Router advertisement (RA) is sent back by the router. These RAs are also sent periodically by the router. In our case, it's an instantaneous response.

It's a helpful solution for administrator but it's also a good way for hacker to shunt data flows. A hacker can send a wrong RA to a device. In this case, there are 2 issues, denial of service or man in the middle attack. If the hacker sends his own address (gateway information in the RA) all the flows can pass through him. Another error can occur with a misconfigured device, the host should obtain a wrong prefix. To protect against this kind of attack you can use this simple configuration (Port ACL) to stop untrusted RA. The access-list stop RA on all the untrusted interface. Just keep free interface where the router is plugged:

ipv6 access-list filter_RA
 remark Block Rogue RA
 deny icmp any any router-advertisement
 permit any any
!
interface gigabitethernet 1/0/10
 ipv6 traffic-filter filter_RA in
 
On the Catalyst 6500 and 4500 it's possible to use a macro to configure this kind of PACL:

interface gigabitethernet 1/0/10
 ipv6 nd raguard 

It's also possible to filter DHCPv6 with a PACL and just authorize the interface of the server to send response:
ipv6 access-list filter_DHCP
 remark Block traffic from DHCP to client
 deny udp any eq 547 any eq 546
 permit any any
!
interface gigabitethernet 1/0/10
 ipv6 traffic-filter filter_DHCP in