Cisco Tips & Tricks

June 26, 2006

Configuring a Cisco router as a terminal server

Filed under: Router — ciscotips @ 2:34 pm

When you have a home lab you want console connectivity to all your routers at the same time. A terminal server (a router from the 2509-2512 range) accomplishes this.

A terminal server needs a 2509/2510 (8 async lines) or 2511/2512 (16 async lines) router and one or two octal cables.
First create a loopback interface that will be the target address of the reverse telnet sessions to the other devices.
Router(config)#interface loopback0
Router(config-if)#ip address 172.16.1.1 255.255.255.255

Now add the devices connected to this router (one lead of the octal cable to each console port):
Router(config)#ip host hostname 2001 172.16.1.1
Router(config)#ip host hostname2 2002 172.16.1.1

These commands let you use a device's hostname to reach its console port. The port number is 200x, where x is the number of the octal cable lead going to that device. Depending on the router model used as terminal server you can have 8 or 16 devices hanging off it. Keep in mind that anyone who can reach 172.16.1.1 on TCP ports 2001-2016 gets the console of the attached device, so restrict which hosts can reach the terminal server and require a login on the async lines.

Now that the router is configured, use the following commands to navigate.
– to access a device
telnet 172.16.1.1 2001
(or simply telnet hostname, using the ip host entry created above)

– to switch between active sessions
Ctrl-Shift-6 followed by x brings you back to the terminal server
show sessions displays the active sessions
entering the number of a session resumes that session

– to disconnect a session
use the disconnect command; if a line is stuck and refuses new connections, clear line <n> on the terminal server frees it
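The steps above assembled into one configuration, as an added example that is not part of the original post. It assumes a 2511 (16 async lines), a management LAN of 10.0.0.0/24 that is the only network allowed to open reverse telnet sessions, and placeholder hostnames and credentials; the access-class on the async lines filters the incoming reverse telnet connections, and no exec stops garbage from an attached console spawning an EXEC on the terminal server.

```cisco
! Added example (not from the original post): a 2511 as lab terminal server.
! Hostnames, the management subnet 10.0.0.0/24 and the credentials are assumed.
hostname TS
!
username lab secret 0 ChangeMe123
!
! Only the management LAN may open reverse telnet sessions to the lines
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
! TCP port = 2000 + async line number (2001-2016 on a 2511)
ip host R1  2001 172.16.1.1
ip host R2  2002 172.16.1.1
ip host SW1 2003 172.16.1.1
!
line 1 16
 ! never start an EXEC on these lines; they only carry reverse telnet
 no exec
 ! reverse telnet requires telnet inbound on the async lines
 transport input telnet
 ! ask for a local username/password before handing out the console
 login local
 ! restrict who may connect to the consoles
 access-class 10 in
!
! the terminal server's own VTYs get the same restriction
line vty 0 4
 access-class 10 in
 login local
 transport input telnet ssh
```

After this, telnet R1 from the terminal server (or telnet 172.16.1.1 2001 from a host in 10.0.0.0/24) prompts for the lab credentials and then drops you on R1's console.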


June 16, 2006

WiFi Security Standards & Best Practices

Filed under: Router, security, wifi — ciscotips @ 2:20 pm

Ramneek Khurana sent me following post for Wifi Best practices.

Latest Wi-Fi security standard: WPA2

In 2004, the Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2™), the second generation of WPA security. Like WPA, WPA2 provides enterprise and home Wi-Fi users with a high level of assurance that their data will remain protected and that only authorized users can access their wireless networks. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard, ratified in June 2004. WPA2 uses the Advanced Encryption Standard (AES) for data encryption and is eligible for FIPS (Federal Information Processing Standards) 140-2 compliance. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology. It also includes a new advanced encryption mechanism using the Counter-Mode/CBC-MAC Protocol (CCMP) called the Advanced Encryption Standard (AES).

WPA2 Security Advantage

When compared with the IEEE 802.11 security standard using 40-bit WEP with no dynamic keying, TKIP and AES make it far more difficult, if not impossible, for a would-be intruder to break into a Wi-Fi network. By greatly expanding the size of keys and the number of keys in use, creating an integrity checking mechanism, using a strong encryption cipher, and imposing replay protection, AES and TKIP greatly increase the strength and complexity of wireless encryption. Together with the IEEE 802.1X/EAP mutual authentication framework, TKIP and AES magnify the complexity and difficulty involved in decoding data on a Wi-Fi network, making the Wi-Fi network secure.

AP-side configuration for WPA2

!
interface Dot11Radio0
 !
 encryption mode ciphers aes-ccm

Wi-Fi AP management security best practices

1.) Disable Wi-Fi management via the radio interfaces; management should be allowed only via the Ethernet interface of the AP.

2.) Apply VTY filters to make sure the management interfaces are accessible only from the management VLANs.

3.) Disable the HTTP/HTTPS service on the AP.
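An added example, not part of Ramneek's post, that puts the encryption mode ciphers aes-ccm line in context: a complete WPA2 (AES-CCMP) SSID on an Aironet IOS access point using 802.1X/EAP against RADIUS, with the management restrictions from the list above. The SSID name, the RADIUS server 10.10.10.5, the management subnet 10.10.10.0/24 and all secrets are assumed placeholders; the version 2 keyword on authentication key-management wpa needs an AP image that supports it (older images accept only authentication key-management wpa), and transport input ssh needs a crypto image.

```cisco
! Added example (not from the original post): WPA2/AES-CCMP with 802.1X/EAP
! on an Aironet IOS AP. Server address, subnet, SSID and secrets are assumed.
aaa new-model
aaa authentication login default local
aaa group server radius rad_eap
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
username admin secret 0 ChangeMe123
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key 0 RadiusSecret
!
dot11 ssid CORP
 ! 802.1X/EAP authentication, WPA2 key management, no PSK
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
! For a lab SSID without RADIUS, use instead:
!  authentication open
!  authentication key-management wpa version 2
!  wpa-psk ascii 0 <long random passphrase>
!
interface Dot11Radio0
 ! AES-CCMP only: no TKIP fallback, so no WPA1 clients
 encryption mode ciphers aes-ccm
 ssid CORP
 no shutdown
!
! Management only from the wired management VLAN, and no web UI at all
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 transport input ssh
!
no ip http server
no ip http secure-server
```

Verify with show dot11 associations, which lists each client with its key management (WPAv2) and cipher (AES-CCMP); a client showing TKIP means a VLAN or SSID still carries the weaker cipher.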

June 12, 2006

IANA Private Ip Address range & Auditing Router Modules in one shot

Filed under: Router — ciscotips @ 3:29 pm

This week I am incorporating two posts sent to me by Virinder S Jamnal; we could also call this Mr Jamnal's column.
Here it goes:

1) I am starting with the very basics: can you please post the list of IANA private IP address ranges, if it is not there already.

The Internet Assigned Numbers Authority (IANA) reserved the following address space for private networks:

10.0.0.0 through 10.255.255.255: 16,777,214 hosts

172.16.0.0 through 172.31.255.255: 1,048,574 hosts

192.168.0.0 through 192.168.255.255: 65,534 hosts

2) There is a similar post about auditing router interfaces, but this one is more specific about auditing all router modules in one shot. I got it from packet.

router#show diag | include IC|NM-|Serial|FRU
PCB Serial Number : FOC09162SSN
Chassis Serial Number : FTX0926A00R
Product (FRU) Number : CISCO3845
PCB Serial Number : FOC09182ET4
Product (FRU) Number : CISCO3845-MB
Chassis Serial Number : FTX0926A00R
WIC Slot 0:
VIC2 - BRI-NT/TE Voice daughter card (2 port)
PCB Serial Number : FOC091537HG
Product (FRU) Number : VIC2-2BRI-NT/TE=
WIC Slot 1:
VIC2 - BRI-NT/TE Voice daughter card (2 port)
PCB Serial Number : FOC0910103X
Product (FRU) Number : VIC2-2BRI-NT/TE=
WIC Slot 2:
PCB Serial Number : FOC092150QX
Product (FRU) Number : HWIC-4ESW
NM-1T3/E3 (clear/subrate) Port adapter, 1 port
PCB Serial Number : FOC09140Y4S
Product (FRU) Number : NM-1T3/E3=

June 7, 2006

How to block skype

Filed under: Access-lists, QOS, Router, security — ciscotips @ 4:36 am

On April 4th 2006, Cisco released IOS version 12.4(4)T, which added the long-awaited Skype classification to NBAR. With a simple policy you can now block Skype the same way Kazaa, LimeWire and other P2P applications are blocked. NBAR identifies Skype heuristically (the traffic is encrypted and does not use fixed ports), so check the class counters with show policy-map interface before assuming the policy catches it.

Example: NBAR configuration to drop Skype packets

class-map match-any p2p
 match protocol skype

policy-map block-p2p
 class p2p
  drop

interface FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p

If you are unsure which bandwidth-hungry applications are in use in your organisation, go to the interface connected to the Internet and configure the following command:

ip nbar protocol-discovery

This enables NBAR protocol discovery on that interface.

Then use:

show ip nbar protocol-discovery stats bit-rate top-n 10

It shows the top 10 protocols by bit rate on that interface, after which you can block or restrict them with an appropriate QoS policy.

You can also use the ip nbar port-map command to make NBAR look for a protocol on port numbers other than the well-known IANA-assigned ones.

Syntax, as documented by Cisco:
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command, and port numbers can range from 0 to 65535. The list you give replaces the default port list for that protocol, so include the standard port too if you still want traffic on it classified.
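An added example, not from the original post, that goes one step beyond the drop policy above: Skype is still dropped, but the other P2P protocols are rate-limited instead of hard-blocked, NBAR is taught a non-standard HTTP port, and protocol discovery is enabled on the same interface so the top-n command has data to show. FastEthernet0, the 64 kbit/s rate and port 8080 are assumed values.

```cisco
! Added example (not from the original post): NBAR-based P2P control on the
! Internet-facing interface. Interface, rate and the extra port are assumed.
!
! Step 1: discover first, so the policy is based on what actually flows
interface FastEthernet0
 description Internet-facing interface
 ip nbar protocol-discovery
!
! Step 2: HTTP also runs on 8080 here; keep 80, or NBAR would forget it
ip nbar port-map http tcp 80 8080
!
! Step 3: classify Skype separately from the rest of the P2P family
class-map match-any skype
 match protocol skype
class-map match-any p2p
 match protocol kazaa2
 match protocol gnutella
 match protocol bittorrent
 match protocol edonkey
!
! Step 4: drop Skype outright, squeeze the rest to 64 kbit/s (8 kB burst)
policy-map control-p2p
 class skype
  drop
 class p2p
  police 64000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0
 service-policy input control-p2p
```

Verify with show ip nbar protocol-discovery stats bit-rate top-n 10 (what is flowing) and show policy-map interface FastEthernet0 (what each class actually matched and dropped); a skype class with zero matches while users still make calls means the heuristic signature is not catching that client version.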

June 4, 2006

Anti-spoofing rules for Internet routers

Filed under: Access-lists, Router, security, Technology and Software — ciscotips @ 12:41 am

In my experience you should always use separate Internet routers for Internet services and keep the intranet routers for intranet traffic. There are exceptions, but a single router carrying both Internet and intranet traffic is a bad design. Assuming a separate Internet router, here are some anti-spoofing tips.

1) Always create an access-list that denies traffic arriving from the Internet with a source in your company's private (RFC 1918) address space or in the loopback range:

Example
ip access-list extended antispoofing
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any

Watch the wildcard masks: they are inverted masks, so 172.16.0.0/12 is 0.15.255.255 and 127.0.0.0/8 is 0.255.255.255. A wildcard of 255.255.255.255 ignores every bit and matches any address, so a line like deny ip 127.0.0.0 255.255.255.255 any would silently drop all inbound traffic.

2) Create an anti-spoofing rule for the public IP block assigned to this Internet connection; a packet arriving from the Internet must never carry one of your own addresses as its source.

Example, continuing the anti-spoofing access-list:
 deny ip x.x.x.x 0.0.0.255 any

3) Deny all traffic addressed to the router's external/serial interface itself.

Example, continuing the anti-spoofing access-list:
 deny ip any host x.x.x.x

This also drops anything the router must accept on that address, such as a BGP session with the ISP, so permit those peers explicitly before this line.

4) Deny ICMP echo, and don't forget the permit statement at the end of the anti-spoofing access-list: an IOS ACL ends with an implicit deny, so without it everything not matched above is dropped.

Example, continuing the anti-spoofing access-list:
 deny icmp any any echo
 permit ip any any

5) Apply the anti-spoofing access-list inbound on the public interface (where your Internet connection terminates).

Example:

interface Serial0
 ip access-group antispoofing in

After applying the anti-spoofing rules, make sure logging is enabled and disable all unneeded services as follows:

logging buffered informational
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no ip unreachables
no cdp run
no ip source-route
no ip finger
ip subnet-zero
no ip http server

Secure SNMP and Telnet access with access-lists: allow Telnet/SNMP only from one or two trusted management hosts, and prefer SSH over Telnet where your IOS image supports it.
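The five steps above assembled into one configuration, as an added example that is not part of the original post. It extends the post's list with log keywords on the deny entries, the BGP exception needed before step 3, an egress filter so the site cannot be used to spoof others, strict unicast RPF, and the SNMP/VTY restrictions from the last paragraph. The public block 203.0.113.0/24, the serial link 198.51.100.0/30 (router 198.51.100.2, ISP BGP peer 198.51.100.1), the management hosts 10.1.1.10 and 10.1.1.11 and the SNMP community are assumed placeholders; adjust them to your own addressing.

```cisco
! Added example (not from the original post): inbound and outbound
! anti-spoofing on a stand-alone Internet router. All addresses are assumed.
ip cef
!
ip access-list extended antispoofing-in
 ! RFC 1918, loopback and 0.0.0.0/8 must never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 ! our own public block can never be a legitimate source from outside
 deny   ip 203.0.113.0 0.0.0.255 any log
 ! the ISP BGP session must be allowed before the router address is closed
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 deny   ip any host 198.51.100.2 log
 deny   icmp any any echo
 permit ip any any
!
! Egress: only packets from our own block may leave (BCP 38)
ip access-list extended antispoofing-out
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group antispoofing-in in
 ip access-group antispoofing-out out
 ! strict uRPF: a source that is routed to an inside interface (one of our
 ! own prefixes) is dropped here; allow-default keeps real Internet sources,
 ! which only match the default route, flowing
 ip verify unicast source reachable-via rx allow-default
!
! Telnet/SSH and SNMP only from two trusted management hosts
access-list 20 permit host 10.1.1.10
access-list 20 permit host 10.1.1.11
access-list 20 deny   any log
snmp-server community NotPublic RO 20
line vty 0 4
 access-class 20 in
 login local
 transport input ssh
```

Check the work with show ip access-lists antispoofing-in (hit counters on the deny entries tell you whether spoofed packets are actually arriving) and show ip interface Serial0, which reports the uRPF drop count; the egress deny any any log entry firing means an inside host is sending traffic with a foreign source address and deserves a look.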
