Cisco Tips & Tricks

October 27, 2008

Compute an access-list to match even or odd networks

Filed under: Access-lists, ccie, IP Routing, Router, security, Technology and Software — ciscotips @ 10:16 pm

One of my old students who is preparing for the CCNP asked me how to write an access-list that permits or denies even or odd networks, so I am pasting my email reply to him.

Here is a simple tip for writing an access-list that matches even or odd addresses.

Let's say we are asked to permit all odd, or all even, addresses in 192.168.1.0/24.

The trick is in the last octet, or rather in the least significant bit of the last octet:

-If it is 0, the IP address is even

-If it is 1, the IP address is odd

192.168.1.00000001 = 192.168.1.1 - odd

192.168.1.00000011 = 192.168.1.3 - odd

192.168.1.00000010 = 192.168.1.2 - even

192.168.1.00000100 = 192.168.1.4 - even

For Even Addresses

The IP address will be 192.168.1.0

with the wildcard mask 0.0.0.254

254 = 11111110

A 0 bit in a wildcard mask means "do care": that bit of the packet's address must equal the corresponding bit of the address written in the entry. Here every bit of the first three octets and the last bit of the fourth octet are compared, so the last bit must be ZERO; the other seven bits of the last octet are ignored.

Hence the ACL will be

access-list 1 permit 192.168.1.0 0.0.0.254

For Odd Addresses

The IP address will be 192.168.1.1

with the wildcard mask 0.0.0.254

254 = 11111110

Again the 0 bit means the last bit of the address must match, and this time the address in the entry has that bit set, so it must be ONE.

Hence the ACL will be

access-list 1 permit 192.168.1.1 0.0.0.254

Both entries match odd or even host addresses inside 192.168.1.0/24. If the question is really about odd or even /24 networks (192.168.1.0/24 versus 192.168.2.0/24), apply the same trick to the least significant bit of the third octet instead: address 192.168.1.0 for odd or 192.168.0.0 for even, with the wildcard 0.0.254.255. Whichever you build, check it with show access-lists: the per-entry match counters tell you whether the traffic you expected is actually hitting the entry.
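The wildcard arithmetic above is easy to get wrong by hand, so here is an added example (my own code, not part of the original post) that implements the IOS wildcard-mask comparison, derives the address/wildcard pair for odd or even units of any size, and lists which addresses an entry would match. It goes slightly beyond the post: the same routine produces the host-parity entries shown above and the third-octet entry for odd or even /24 networks. The supernet 192.168.0.0/16 used for that generalisation is an assumption of the example.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means the address bit
    must equal the corresponding bit of base; a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # the bits the entry actually compares
    return ((a ^ b) & care) == 0


def parity_ace(supernet, unit_prefix_len, odd):
    """Base address and wildcard that match every odd (or even) unit inside
    supernet, where a unit is a block of unit_prefix_len bits: 32 for single
    hosts (the post's case), 24 for /24 networks, and so on."""
    net = ipaddress.IPv4Network(supernet)
    bit = 1 << (32 - unit_prefix_len)                 # least significant bit of the unit
    wildcard = int(net.hostmask) & ~bit                # ignore host bits, except that one
    base = int(net.network_address) | (bit if odd else 0)
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def ace_line(number, action, base, wildcard):
    """Render a numbered standard ACL entry in IOS syntax."""
    return f"access-list {number} {action} {base} {wildcard}"


def matching_addresses(base, wildcard, within):
    """Every address in 'within' that the entry (base, wildcard) would match."""
    return [str(h) for h in ipaddress.IPv4Network(within)
            if wildcard_match(str(h), base, wildcard)]


if __name__ == "__main__":
    for odd in (False, True):
        base, wc = parity_ace("192.168.1.0/24", 32, odd)
        print(ace_line(1, "permit", base, wc),
              matching_addresses(base, wc, "192.168.1.0/29"))
    # Generalisation: odd /24 networks inside 192.168.0.0/16 (parity of the third octet)
    base, wc = parity_ace("192.168.0.0/16", 24, odd=True)
    print(ace_line(1, "permit", base, wc))
```

Run it and compare the printed entries with the ones in the post; the third line shows the 0.0.254.255 wildcard that the "odd networks" reading of the question needs.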

November 29, 2006

Access Violations

Filed under: Access-lists, cisco, security — ciscotips @ 10:54 pm

One of the nicer features of access lists is that they can log ACL matches, which lets you characterize the traffic associated with a network attack by recording the suspect packets. Put the log keyword at the end of an entry:

access-list 120 deny ip any any log

This option logs the IP addresses and port numbers of packets matching the entry. Newer IOS versions also provide the log-input keyword, which adds the interface on which the packet was received and the MAC address of the host that sent it. Either option causes an informational syslog message about the matching packet to be sent to the console (by default). The message is generated for the first matching packet and then at 5-minute intervals, reporting the number of packets permitted or denied during the previous 5 minutes.

The logging mechanism drops messages if too many are pending or if more than one would have to be displayed within a second; this protects the router from being overwhelmed by its own logging. The logging facility therefore cannot be treated as an accurate count of how many packets matched an entry (the match counters in show access-lists are accurate, but they are per entry, not per source). Logging also costs CPU, because the packet that triggers a message is process-switched, so log on a few specific deny entries rather than on a broad permit.

A more accurate tracking tool is IP accounting on the interface (interface configuration mode):

ip accounting [access-violations] [output-packets]

To display IP access violations use the following command:

show ip accounting access-violations

which lists, per source and destination pair, the packets that failed an access list and were not forwarded.

June 7, 2006

How to block skype

Filed under: Access-lists, QOS, Router, security — ciscotips @ 4:36 am

On April 4th 2006 Cisco released IOS version 12.4(4)T, which introduced the long-awaited Skype classification in NBAR. A simple policy can now drop Skype, in the same way we already block Kazaa, LimeWire and other P2P applications.

Example:-

NBAR configuration to drop Skype packets

class-map match-any p2p
match protocol skype

policy-map block-p2p
class p2p
drop

int FastEthernet0
description PIX-facing interface
service-policy input block-p2p

Confirm that the class is actually catching traffic with show policy-map interface FastEthernet0. If the drop counters for class p2p stay at zero while Skype calls still work, the NBAR signature is not recognising that client version and the policy is silently doing nothing; a classification miss lets the traffic through.

If you are unsure which bandwidth-hungry applications are in use in your organisation, go to the interface connected to the Internet and configure the following command:

ip nbar protocol-discovery

This enables NBAR protocol discovery on that interface.

Then use the following command:

show ip nbar protocol-discovery stats bit-rate top-n 10

It shows the top 10 bandwidth-consuming applications on the interface. You will then be able to block or restrict that traffic with an appropriate QoS policy.

We can also use the ip nbar port-map command to make NBAR look for a protocol on port numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned ones, for instance when an application has been moved to a non-standard port.

Usage as per Cisco:
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

June 4, 2006

Anti-spoofing rules for Internet routers

Filed under: Access-lists, Router, security, Technology and Software — ciscotips @ 12:41 am

In my experience you should always use separate routers for Internet and intranet traffic. There are exceptions, but using a single router for both is bad design. Assuming a separate Internet router, here are some anti-spoofing tips.

1) Always create an access-list that denies, from the Internet side, packets whose source is one of the private (RFC 1918) ranges or the loopback range. The wildcard masks have to cover the whole range: 172.16.0.0/12 needs 0.15.255.255 (0.0.255.255 covers only 172.16.0.0/16), and the loopback entry needs 0.255.255.255 (a wildcard of 255.255.255.255 means "don't care about any bit", so it matches every source and would deny all traffic).

Example
ip access-list extended antispoofing
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any

2) Create an anti-spoofing rule for the public IP block associated with this Internet connection. A packet arriving from the Internet with a source address in your own block is spoofed (x.x.x.x stands for your block).

Example:
Continuing with the anti-spoofing access-list, add the following:
deny ip x.x.x.x 0.0.0.255 any

3) Deny all traffic addressed to the external/serial interface of the router itself (x.x.x.x is the interface address). If you run a routing protocol such as BGP with the ISP over this link, permit the peer before this entry.

Example:
Continuing with the anti-spoofing access-list, add the following:
deny ip any host x.x.x.x

4) Deny inbound ICMP echo, and don't forget the permit ip any any statement at the end of the anti-spoofing access-list: an ACL ends with an implicit deny, so without it every legitimate inbound packet would be dropped.

Example:
Continuing with the anti-spoofing access-list, add the following:
deny icmp any any echo
permit ip any any

5) Apply the anti-spoofing access-list inbound on the public interface (where your Internet connection terminates). Afterwards check the hit counters with show access-lists antispoofing; the deny entries should be accumulating matches from the Internet side and the permit entry should carry the bulk of the traffic.

Example:

interface Serial0
ip access-group antispoofing in
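To make the ordering and wildcard semantics of steps 1) to 5) concrete, here is an added example (my own code, not from the original post) that parses the anti-spoofing ACL in IOS syntax and evaluates it first-match-wins with the implicit deny at the end, against a handful of constructed packets. It also shows two wildcard mistakes that are easy to make in this list: a wildcard of 255.255.255.255 on the loopback entry (which matches every source, so nothing gets in), and 0.0.255.255 on the 172.16 entry (which leaves 172.17.0.0 to 172.31.255.255 unfiltered). The addresses are assumptions of the example in place of the post's x.x.x.x: public block 198.51.100.0/24, Serial0 address 192.0.2.1, a server at 198.51.100.10 and an Internet client at 203.0.113.10.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    return ((int(addr) ^ int(base)) & (~int(wildcard) & 0xFFFFFFFF)) == 0


def _address_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    A = ipaddress.IPv4Address
    if tokens[0] == "any":
        return A("0.0.0.0"), A("255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return A(tokens[1]), A("0.0.0.0"), tokens[2:]
    return A(tokens[0]), A(tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL; the 'ip access-list
    extended' header and blank lines are ignored."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto = tok[0], tok[1]
        src, src_wc, rest = _address_spec(tok[2:])
        dst, dst_wc, rest = _address_spec(rest)
        qualifier = rest[0] if rest else None        # e.g. 'echo' on an icmp entry
        aces.append((action, proto, src, src_wc, dst, dst_wc, qualifier))
    return aces


def evaluate(aces, proto, src, dst, icmp_type=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, aproto, asrc, swc, adst, dwc, qualifier in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if qualifier is not None and qualifier != icmp_type:
            continue
        if wildcard_match(s, asrc, swc) and wildcard_match(d, adst, dwc):
            return action
    return "deny"


# Assumed addresses in place of the post's x.x.x.x (documentation ranges).
ACL_WITH_WILDCARD_SLIPS = """
ip access-list extended antispoofing
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.0.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 255.255.255.255 any
 deny ip 198.51.100.0 0.0.0.255 any
 deny ip any host 192.0.2.1
 deny icmp any any echo
 permit ip any any
"""
ACL_LOOPBACK_FIXED = ACL_WITH_WILDCARD_SLIPS.replace(
    "127.0.0.0 255.255.255.255", "127.0.0.0 0.255.255.255")
ACL_FIXED = ACL_LOOPBACK_FIXED.replace(
    "172.16.0.0 0.0.255.255", "172.16.0.0 0.15.255.255")

# Constructed test packets arriving inbound on Serial0: (label, proto, src, dst, icmp type)
PACKETS = [
    ("rfc1918 10/8 source",      "ip",   "10.1.2.3",     "198.51.100.10", None),
    ("rfc1918 172.20/16 source", "ip",   "172.20.0.1",   "198.51.100.10", None),
    ("spoofed own block",        "ip",   "198.51.100.5", "198.51.100.10", None),
    ("to router interface",      "ip",   "203.0.113.10", "192.0.2.1",     None),
    ("ping from internet",       "icmp", "203.0.113.10", "198.51.100.10", "echo"),
    ("ping reply from internet", "icmp", "203.0.113.10", "198.51.100.10", "echo-reply"),
    ("legitimate web client",    "ip",   "203.0.113.10", "198.51.100.10", None),
]


def verdicts(acl_text):
    """Map each constructed packet's label to the ACL's verdict."""
    aces = parse_acl(acl_text)
    return {label: evaluate(aces, proto, src, dst, icmp_type)
            for label, proto, src, dst, icmp_type in PACKETS}


if __name__ == "__main__":
    for name, text in (("with both slips", ACL_WITH_WILDCARD_SLIPS),
                       ("loopback fixed", ACL_LOOPBACK_FIXED),
                       ("fully fixed", ACL_FIXED)):
        print(name)
        for label, verdict in verdicts(text).items():
            print(f"  {verdict:6} {label}")
```

With both slips every packet, including the legitimate web client, is denied by the loopback entry; with only the loopback entry fixed, the 172.20.0.1 source slips through; with both fixed, exactly the spoofed, router-directed and echo packets are denied and the rest are permitted.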

After applying the anti-spoofing rules, make sure logging is enabled and disable the unneeded services as follows:

logging buffered informational
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

service password-encryption
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no ip unreachables
no cdp run
no ip source-route
no ip finger
ip subnet-zero
no ip http server

(no ip unreachables is entered under the interface; the rest are global.) Keep in mind that service password-encryption only obscures passwords in the configuration and is not a substitute for enable secret.

Secure your SNMP and Telnet access with an access-list: only allow them from one or two trusted management hosts, and prefer SSH over Telnet where the IOS image supports it.

May 20, 2006

QoS-Rate-Limiting Tip

Filed under: Access-lists, QOS, Router, Switching, Technology and Software — ciscotips @ 7:17 am

The QoS feature that performs rate limiting and packet classification is called CAR, Committed Access Rate.

Here is a quick tip that limits Internet-based traffic
(primarily HTTP and FTP) to 512K, with a nice, fat burst.

First create the access list. The first two entries match requests (destination port 80 or 21); the last two match the replies, which carry the well-known port as the source. Without them the inbound rate-limit would only see the request direction and the downloads, which are the bulk of the traffic, would not be policed at all. FTP data connections (port 20, or a negotiated port in passive mode) are not matched by either entry.

access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any eq ftp any

Then apply the rate-limiting rules to the appropriate interface. The rate is in bits per second; the two burst values (normal and extended) are in bytes:

interface Serial1/0
bandwidth 2048
ip address 172.16.100.2 255.255.255.252
rate-limit input access-group 100 512000 1024000 2048000 conform-action transmit exceed-action drop
rate-limit output access-group 100 512000 1024000 2048000 conform-action transmit exceed-action drop

This limits only HTTP and FTP traffic; corporate web applications running on other ports still get the full E1 bandwidth. Verify with show interfaces Serial1/0 rate-limit, which shows conformed and exceeded counters for each rule.

Warning: if, in a rate-limit rule, you reference an access list that does not exist, the rule will match all traffic. Usually not good.
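What "512K with a fat burst" means in practice is easier to see by simulating the policer, so here is an added example (my own code, not from the original post): a single token bucket with the post's parameters, a rate of 512000 bit/s and a normal burst of 1024000 bytes, fed first with a line-rate burst and then with a sustained 2 Mbit/s flood. It is a simplification: the extended burst (the 2048000 value) and CAR's probabilistic drop between the two burst sizes are not modelled, and the traffic is constructed.

```python
def car_police(packets, rate_bps, burst_normal):
    """Simplified single-bucket CAR policer implementing the post's
    conform-action transmit / exceed-action drop rule.
    Tokens are bytes: the bucket holds burst_normal bytes and refills at
    rate_bps/8 bytes per second (CAR takes the rate in bit/s and the burst
    sizes in bytes). A packet conforms if the bucket holds at least its size.
    packets: list of (timestamp_seconds, size_bytes); returns one action per packet."""
    tokens = float(burst_normal)
    last_t = packets[0][0] if packets else 0.0
    actions = []
    for t, size in packets:
        tokens = min(float(burst_normal), tokens + (t - last_t) * rate_bps / 8.0)
        last_t = t
        if size <= tokens:
            tokens -= size
            actions.append("transmit")
        else:
            actions.append("drop")
    return actions


def transmitted_bytes(packets, actions):
    """Bytes that conformed."""
    return sum(size for (_, size), a in zip(packets, actions) if a == "transmit")


def line_rate_burst(n_packets, size=1500):
    """n packets arriving back to back at t=0 (an idealised burst)."""
    return [(0.0, size)] * n_packets


def sustained_flood(offered_bps, duration_s, size=1500):
    """Packets of 'size' bytes evenly spaced to offer offered_bps for duration_s seconds."""
    interval = size * 8 / offered_bps
    return [(k * interval, size) for k in range(round(duration_s / interval))]


if __name__ == "__main__":
    RATE, BURST = 512000, 1024000                      # the post's rate-limit parameters
    burst = line_rate_burst(683)
    acts = car_police(burst, RATE, BURST)
    print("line-rate burst of 683 x 1500 B:", acts.count("transmit"),
          "transmitted,", acts.count("drop"), "dropped")
    flood = sustained_flood(2_000_000, 60)
    acts = car_police(flood, RATE, BURST)
    got = transmitted_bytes(flood, acts) * 8 / 60 / 1000
    print(f"2 Mbit/s offered for 60 s: {got:.0f} kbit/s got through "
          "(512 kbit/s plus the initial burst amortised over the minute)")
```

The burst passes until the bucket is drained (682 full-size packets fit into 1024000 bytes), after which the policer settles at roughly one conforming packet in four for the 2 Mbit/s flood, i.e. the 512 kbit/s committed rate.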

May 7, 2006

Turning the router in to Packet sniffer

Filed under: Access-lists — ciscotips @ 5:43 am

I see lots of posts on the net about troubleshooting the different applications used on a network. People tend to rely on third-party sniffers to see what is happening, but you can build a small "sniffer" on the router itself that makes troubleshooting a lot easier. Moreover, many applications need access through an access control list (ACL) on a router, and you may not know which ports or protocols the ACL rules have to allow. Simply use an access list and the router's logging function to "sniff" and report what it sees, then take a transparent approach to locking the ACL down to only what is needed. The process takes some time, but it is effective and can be used on virtually any interface ACL.

Follow these steps:

1. Discover: use the router's ability to log ACL matches into its own buffer to catalog the traffic that crosses it. The configuration is the following:

Router(config)# logging buffered 15000

Router(config)# access-list 101 permit tcp any gt 0 any gt 0 log

Router(config)# access-list 101 permit udp any gt 0 any gt 0 log

Router(config)# access-list 101 permit icmp any any

Router(config)# access-list 101 permit ip any any log

Router(config)# interface interface

Router(config-if)# ip access-group 101 in

The logging buffered line creates a buffer large enough to look at locally on the router; alternatively configure the router to send the ACL matches to a syslog server. The last permit ip any any entry is a catch-all. Be aware that logging every permitted packet is expensive: the packet that triggers each message is process-switched, so run the discovery on a link the router can afford to inspect and keep an eye on show processes cpu while the logging entries are in place.

Look at the log by using the show logging command (show log for short) from the exec prompt. You should see source and destination IP addresses along with the TCP or UDP ports used (in parentheses):

Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet

Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) -> 10.2.9.30(15648), 1 packet

Mar 18 20:05:30.757: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50057) -> 10.2.9.30(15648), 1 packet

Mar 18 20:05:40.854: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50060) -> 10.2.9.30(15648), 1 packet

Mar 18 20:05:51.006: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50063) -> 10.2.9.30(15648), 1 packet

Mar 18 20:06:01.115: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50115) -> 10.2.9.30(15648), 1 packet

Mar 18 20:06:10.354: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50118) -> 10.2.9.30(15648), 1 packet

Mar 18 20:06:20.423: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50121) -> 10.2.9.30(15648), 1 packet

With earlier IOS versions you can specify permit ip any any log or permit tcp any any log and still see the port numbers in show log. With later IOS versions those entries log a port of zero (0), which is why I use entries such as permit tcp any gt 0 any gt 0 log: the port qualifier makes IOS record the TCP port numbers. The same goes for UDP.

In this example two IP addresses need to communicate and the destination TCP port is 15648. The source port changes with every connection (it is an ephemeral port), so I cannot pin it in a static ACL. I can create a TCP entry that states:

access-list 101 permit tcp host 192.168.19.137 host 10.2.9.30 eq 15648

This should be sufficient for a tight access list. Using this information, I can create a new access list.

2. Notify: Even though we do not expect any connectivity issues, notify those who could be affected by an error or an unexpected condition during this process.

3. Implement: we do not want to interrupt a production environment to make changes, so I used this sequence:

Router(config)# interface interface

Router(config-if)# no ip access-group 101 in (removes the ACL from active service; with no ACL attached the interface passes everything, which is why step 2 matters)

Router(config-if)# exit (I could use Ctrl+Z here as well)

Router(config)# no access-list 101 (now delete the ACL; on classic IOS a numbered ACL cannot be edited in place, new entries are always appended to the end)

If you use "named" access lists, you can delete individual access-list entries instead. I edit the access list in Microsoft Notepad and paste it into the Telnet/SSH session. Next, I add the new access list:

Router(config)# access-list 101 permit tcp host 192.168.19.137 host 10.2.9.30 eq 15648

Router(config)# access-list 101 permit tcp any gt 0 any gt 0 log

Router(config)# access-list 101 permit udp any gt 0 any gt 0 log

Router(config)# access-list 101 permit icmp any any

Router(config)# access-list 101 permit ip any any log

Router(config)# interface interface

Router(config-if)# ip access-group 101 in

4. Verify: use the show access-lists command and the show log command to verify that the access list is working. As the more specific entries are added, the general ones move down the list and eventually their hit counters stay at zero. Then you can delete the general entries, leaving only the specific rules. The sequence of commands is important in keeping the change transparent to the production environment. Remember that the general logging entries are still permits: the interface stays wide open until they are removed, so do not leave the discovery ACL in place longer than the exercise needs.
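Reading the log by eye works for one flow; for a busy link you want the aggregation done for you. Here is an added example (my own code, not part of the original post) that parses the %SEC-6-IPACCESSLOGP messages described in the "Access Violations" post and in step 1 above, groups them into flows ignoring the ephemeral source port, sums the packet counts (which, as that post explains, are only a lower bound because IOS rate-limits ACL log messages) and emits the specific entries for step 3. The log excerpt is constructed after the format shown above; the %SYS line, the UDP flow and the list 120 denied entry are made up to show the filtering.

```python
import re
from collections import defaultdict

# Messages from tcp/udp entries carrying the 'log' keyword. ICMP and other protocols
# log as %SEC-6-IPACCESSLOGDP / %SEC-6-IPACCESSLOGNP and are not handled here.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) ->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample, modelled on the show log output in the post.
SAMPLE_LOG = """\
Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) ->10.2.9.30(15648), 1 packet
Mar 18 20:05:31.002: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.19.137(50102) -> 10.2.9.53(53), 1 packet
Mar 18 20:06:15.118: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
Mar 18 20:10:10.700: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50057) -> 10.2.9.30(15648), 24 packets
Mar 18 20:10:12.004: %SEC-6-IPACCESSLOGP: list 120 denied tcp 203.0.113.7(44444) -> 10.2.9.30(23), 3 packets
"""


def parse_acl_log(text):
    """One dict per IPACCESSLOGP message; every other line is skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("sport", "dport", "count"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def summarize_flows(rows, acl="101", action="permitted"):
    """Group by (proto, src, dst, dport). Source ports are ephemeral, so they are
    collected for inspection but not used as part of the key. Packet counts are a
    lower bound: the router drops log messages when they come too fast."""
    flows = defaultdict(lambda: {"packets": 0, "sports": set()})
    for r in rows:
        if r["acl"] != acl or r["action"] != action:
            continue
        flow = flows[(r["proto"], r["src"], r["dst"], r["dport"])]
        flow["packets"] += r["count"]
        flow["sports"].add(r["sport"])
    return dict(flows)


def propose_aces(flows, acl_number=101):
    """The specific entries to put at the top of the ACL in the implement step."""
    return [f"access-list {acl_number} permit {proto} host {src} host {dst} eq {dport}"
            for proto, src, dst, dport in sorted(flows)]


if __name__ == "__main__":
    rows = parse_acl_log(SAMPLE_LOG)
    flows = summarize_flows(rows)
    for key, flow in flows.items():
        print(key, flow["packets"], "packets, source ports", sorted(flow["sports"]))
    print("\n".join(propose_aces(flows)))
```

Paste the proposed lines in before the general log entries, as in step 3, then repeat the discovery until the general entries stop accumulating hits.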
