Router Virtualization with GNS3

August 14th, 2009 No comments

Today I gave a presentation in my company about virtualizing Cisco routers.
Feel free to read my presentation:

I’ve added some tutorials and topologies in my download area.

If you have any questions just don’t hesitate to ask me.

Fighting with Alix Board + FreeBSD 7.x (update for FreeBSD 8.x)

May 13th, 2009 5 comments

I’m currently installing a new sandbox for our DSL customers.

The idea is quite simple: once a customer is infected with a virus or doing something nasty, put him into a sandbox using some firewall forwarding (IPFW) and Squid magic. I created such a sandbox about 3 years ago, but I have new ideas and some updates I want to bring in. I will probably show how the whole system works in a later post.

But before going live with the new sandbox I just wanted to test the basics and make sure I have a proof of concept that everything is working as planned.
So I took one of my PC Engines Alix boards (alix2d3) and decided to install FreeBSD 7.2 on it.


It sounds easier than it is, but here are the steps I took:

Installing FreeBSD to have a PXEboot Environment using a serial console

Actually, installing FreeBSD over the network is quite simple and consists of the following tasks:

  1. configure a DHCP server
  2. configure a TFTP server
  3. configure an NFS server
  4. prepare the data for the installation
  5. modify some stuff on the NFS host
  6. boot the Alix box and install everything needed
  7. reboot the Alix box and enjoy

But some of it is really tricky…

Read more…

Categories: FreeBSD

Cisco Revises its Popular CCIE R&S Certification

May 5th, 2009 No comments

This morning I got another mail from Cisco with updates to the CCIE certification:

Cisco has revised the certification requirements for CCIE Routing & Switching
(CCIE R&S), the expert level certification for network engineers.

The new certification standards reflect the job skills employers look for
at the expert level and are outlined on the Cisco Learning Network at
CCIE R&S v4.0 written exam topics and CCIE R&S v4.0 lab exam topics.
The revised CCIE R&S v4.0 exams are scheduled for release on October 18, 2009
and will immediately replace the currently available v3.0 exams. 

To support the certification changes, the Cisco 360 Learning Program for
CCIE R&S is being updated with new lessons on MPLS and Troubleshooting,
additions to the instructor-led workshops, new lab exercises for
self-paced practice, and new performance assessments.
The Program is the only authorized expert training currently aligned to
CCIE R&S v4.0. The program is delivered globally by Cisco Learning Partners. 

Save the Date: Two Live CCIE R&S Certification Webinars, May 20, 2009
Cisco will conduct two live webinars on Wednesday, May 20, 2009 covering
enhancements made to the CCIE R&S certification and to the
Cisco 360 Learning Program for CCIE R&S to align with the updates. 
Attendees can choose from calls at 8:00 AM and 7:00 PM PST.
Click here to register.

For more information on the updates, the Cisco 360 Learning Program for
CCIE R&S, and how to locate an authorized Learning Partner, access the
Cisco Learning Network.

After a quick look at the new lab blueprint I noticed the following changes:

  • MPLS needs to be configured (PE, CE)
  • IPv6 increased (Multicast, EIGRP)
  • Security: the zone based firewall and IPS (Intrusion Prevention System)
  • Troubleshooting is a new section

On the written part I noticed that analyzing a network and proposing changes due to e.g. a migration has also been added. Sounds like some CCDE stuff in there… Some IOS versions have been upgraded to the T-train, and some routers (-3725s, +1841s / +3825s) and switches (no more 3550s) have been replaced.

The lab format has also changed: 2 hours of independent troubleshooting followed by a separate 6-hour lab.

I think this new blueprint is closer to what we have in the real world. Troubleshooting is one of the key aspects that was missing in v3: you only had to troubleshoot what you had fucked up yourself. As far as I remember, the old 2-day CCIE lab exams had troubleshooting on the 2nd day. Now part of this has come back. That's great!

I've added the two PDFs from Cisco with the blueprint details to the download section.

[Update]: Petr from Internetwork Experts made a great post about this.

Yet another Internetwork Expert Promo

April 30th, 2009 No comments

I just got this mail from Internetwork Expert, which is quite cool:

Hello Cisco Certified Users:

If you are considering CCIE certification, TODAY is the day to get the CCIE training materials/Bootcamps that you need and save some money at the same time!

25% off all training
Today Only (April 30th, 2009)!

Discount Code: APR30X

http://www.internetworkexpert.com

Training available for: CCIE (R&S, Voice, Security, Service Provider), CCIE R&S Written, CCENT.

Please contact me with any questions.

Best regards,
Stan

Stan Yee
Corporate & Channel Sales Manager
syee@INE.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877.224.8987 x709
Direct/Outside US: +1.775.785.3026
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

Follow us on Twitter for updates, special promotions/offers:
http://twitter.com/inetraining

Just watching the Twitter link gives me the impression that they have some kind of “sale” day every day ;-)

Securing Cisco Devices: Part III – CBAC

April 28th, 2009 2 comments

Cisco developed Context-Based Access Control (CBAC) to intelligently filter TCP and UDP packets based on application-layer protocol information. You can inspect traffic for sessions that originate from either side of the firewall (an internal or an external interface).

Without CBAC your filtering abilities are limited to plain access-lists, which examine packets at the network or transport layer. CBAC, however, also gives you the ability to analyze application-layer protocol information. For example, CBAC can detect the FTP connection details and also open the correct ports for active FTP.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.


You can inspect the traffic at any point of the router:

  • Inbound or outbound traffic on the internal interface
  • Inbound or outbound traffic on the external interface

It is important to note that CBAC operates at the interface level.

Read more…

Securing Cisco Devices: Part II – Reflexive ACLs

April 27th, 2009 No comments

Reflexive access-lists add a kind of stateful logic to your access-list. When using normal access-lists you have to be quite detailed about what you need to open, e.g. for surfing the web:

[Diagram: example topology for the reflexive ACL post]

In this example we would have to place an access-list like:

inACL:

ip access-list extended inACL
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit udp 192.168.1.0 0.0.0.255 any eq 53
   permit tcp 192.168.1.0 0.0.0.255 any eq 53
   deny ip any any

outACL:

ip access-list extended outACL
   permit tcp any eq 80 192.168.1.0 0.0.0.255
   permit udp any eq 53 192.168.1.0 0.0.0.255
   permit tcp any eq 53 192.168.1.0 0.0.0.255
   deny ip any any

Remark: I know this list is not complete enough to surf the internet, but as an example it should do.

But we can easily replace this access-list by adding some stateful features to it…

Read more…

ACL Maths

April 21st, 2009 No comments

Today I thought it would be nice to show the people out there how an ACL can be computed to fit specific requirements.

Cisco explains quite well how to use ACLs:

But do you know how to calculate an access-list which matches 10.20.30.40 and 40.30.20.10?

Read more…
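As an added example (not from the original post), the following Python computes the address/wildcard pair that matches a set of hosts such as 10.20.30.40 and 40.30.20.10, and also enumerates every other address the resulting entry lets through, which is the part you want to check before applying such an ACL.

```python
import ipaddress

def acl_entry(addrs):
    """Return (address, wildcard) strings matching every address in addrs.

    The address keeps the bits all inputs share; every bit position where
    the inputs differ becomes a 1 ("don't care") in the wildcard mask.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    if not ints:
        raise ValueError("need at least one address")
    wildcard = 0
    for x in ints:
        wildcard |= x ^ ints[0]      # bits that differ between inputs
    address = ints[0] & ~wildcard & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(address)),
            str(ipaddress.IPv4Address(wildcard)))

def matches(address, wildcard, candidate):
    """IOS semantics: bits set in the wildcard are ignored when comparing."""
    a, w, c = (int(ipaddress.IPv4Address(x))
               for x in (address, wildcard, candidate))
    return (a & ~w) == (c & ~w)

def collateral(addrs):
    """Addresses the computed entry matches that were NOT requested."""
    wanted = set(addrs)
    address, wildcard = acl_entry(wanted)
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    free_bits = [i for i in range(32) if w >> i & 1]
    extra = []
    for n in range(1 << len(free_bits)):      # each wildcard bit doubles the range
        v = a
        for k, bit in enumerate(free_bits):
            if n >> k & 1:
                v |= 1 << bit
        s = str(ipaddress.IPv4Address(v))
        if s not in wanted:
            extra.append(s)
    return extra

if __name__ == "__main__":
    hosts = ["10.20.30.40", "40.30.20.10"]   # constructed sample input
    address, wildcard = acl_entry(hosts)
    print("access-list 10 permit %s %s" % (address, wildcard))
    print("also matches %d unrequested addresses" % len(collateral(hosts)))
```

For the two hosts above the single entry is `8.20.20.8 34.10.10.34`, and because eight wildcard bits are set it also matches 254 addresses nobody asked for; two separate host entries are usually the safer choice.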

Securing Cisco Devices: Part I – ACLs

April 20th, 2009 3 comments

Some think: I know all about ACLs. Right? Well, let's see.
I will not bother you with standard stuff which can be found on any how-to-use-an-acl-website.

Playing around with Sequence Numbers

You have probably noticed that since some IOS release you see sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

Your problem: you need to put another permit statement at the very beginning of the ACL.
The ACL is attached to an interface, and you should know what happens if you remove the ACL (no access-list 99; access-list 99 permit …) to update it. Yes: you will probably shoot yourself in the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit 1.1.1.1

Router#sh access-lists
Standard IP access list 99
    5 permit 1.1.1.1
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case there are no sequence numbers left where you want to insert something in between, you can renumber (resequence) the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
    100 permit 1.1.1.1
    150 permit 212.90.198.7
    200 permit 192.168.12.0, wildcard bits 0.0.0.255
    250 permit 193.100.0.0, wildcard bits 0.0.0.15
    300 deny   any

In this example 100 is the start number and 50 the increment.

Access list & Interfaces?

If you want to know which access-lists are applied on a specific interface: just ask your device!

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host 1.2.3.4 eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T when you want to filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first example permits all ICMP packets with a TTL less than 20, the second matches any UDP traffic with a DSCP value of AF31, and the last permits TCP traffic with the ACK and FIN bits set but without the PSH bit.
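To make the matching semantics of these three options explicit, here is an added Python model (not from the original post, and not Cisco's code): `ttl lt 20` is a strict comparison, and `match-all +ack +fin -psh` requires every listed flag to be present (+) or absent (-), whereas `match-any` is satisfied by any single term. The ACE and packet dicts are constructed for the example and only cover the fields these three ACEs use.

```python
def ttl_match(op, ttl, low, high=None):
    """IOS TTL operators: lt, gt, eq, neq and range <low> <high>."""
    return {
        "lt": ttl < low,
        "gt": ttl > low,
        "eq": ttl == low,
        "neq": ttl != low,
        "range": low <= ttl <= high if high is not None else False,
    }[op]

def tcp_flags_match(spec, flags):
    """spec like "match-all +ack +fin -psh"; flags: set of flag names in the packet.
    "+x" requires flag x to be set, "-x" requires it to be clear."""
    mode, *terms = spec.split()
    checks = []
    for term in terms:
        want_set, name = term[0] == "+", term[1:]
        checks.append((name in flags) == want_set)
    if mode == "match-all":
        return all(checks)
    if mode == "match-any":
        return any(checks)
    raise ValueError("unknown mode %r" % mode)

def ace_permits(ace, pkt):
    """Evaluate one constructed ACE dict against a constructed packet dict."""
    if ace["proto"] != pkt["proto"]:
        return False
    if "ttl" in ace:
        op, *vals = ace["ttl"]
        if not ttl_match(op, pkt["ttl"], *vals):
            return False
    if "dscp" in ace and ace["dscp"] != pkt.get("dscp"):
        return False
    if "flags" in ace and not tcp_flags_match(ace["flags"], pkt.get("flags", set())):
        return False
    return True

# The three ACEs of T3 from the post, as constructed dicts (src/dst are "any").
T3 = [
    {"proto": "icmp", "ttl": ("lt", 20)},
    {"proto": "udp", "dscp": "af31"},
    {"proto": "tcp", "flags": "match-all +ack +fin -psh"},
]

def first_match(acl, pkt):
    """Index of the first ACE that matches, or None (implicit deny at the end)."""
    for i, ace in enumerate(acl):
        if ace_permits(ace, pkt):
            return i
    return None
```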

Using Objects?

If you're used to object groups: Cisco IOS 12.4(22)T allows you to use them:

Router(config)#object-group network SERVERS
Router(config-network-group)#host 1.1.1.1
Router(config-network-group)#host 2.2.2.2
Router(config-network-group)#exit
Router(config)#ip access-list extended FWPOLICY
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around, there are plenty of tools like FWBuilder or Gareth's Cisco ACL Editor and Simulator which you may use to build an access-list that fits your requirements.

Securing Cisco Devices

April 19th, 2009 No comments

In the past I got quite a few mails from people asking me how creative we can be in filtering traffic and performing some kind of security on a Cisco device.

Probably the most interesting features are:

I will try to highlight some of them in my next posts and show you how to solve standard problems within a service provider network.

If you have special requests just drop me some comments.

Cisco Design Secrets

April 17th, 2009 No comments

About one or two weeks ago we were trashing some Cisco switches because they didn't survive our office move. We opened one of those devices and found that somebody had placed some kind of easter egg on the circuit board of a Cisco 2950 switch:

[Photo: the easter egg on the Cisco 2950 circuit board]

Categories: Humour