Wednesday, August 17, 2011

Zone-based policy Firewall

Zone-based policy firewall (ZBF) is a Cisco IOS router feature that lets the router act as a stateful firewall. It works by assigning interfaces to security zones; the firewall policy is then applied to traffic that crosses from one zone to another.

Here is a guideline for configuring the zone-based policy firewall on a Cisco router.
1. Create the security zones.
2. Create a zone pair to pair two zones together. A zone pair is unidirectional, so if you need bi-directional traffic you can either create a second zone pair in the reverse direction or inspect the traffic in the policy so that the return traffic is permitted.
3. Create a policy map to allow / deny the traffic that matches the criteria specified in the class map.

Example


We have R1 - R2 - R3. We will set up a zone-based firewall on R2 that allows only host 1.1.1.1 on R1 to ping host 3.3.3.3 on R3. All other traffic is not allowed.


Configuration Example
R2


class-map type inspect match-all ICMP
 match access-group 100
!
policy-map type inspect R1_R3_RULE
 class type inspect ICMP
  inspect
  ! inspect the outgoing traffic and permit the return of this traffic back to R1
 class class-default
  drop
  ! drop all other traffic
!
zone security INSIDE
 description R1_SIDE
zone security OUTSIDE
 description R3_SIDE
!
zone-pair security R1-R3 source INSIDE destination OUTSIDE
 service-policy type inspect R1_R3_RULE
 ! zone pair in which f0/0 (to R1) is the inside interface and f0/1 (to R3) is the outside interface
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 zone-member security INSIDE
 ! assign the interface to the zone
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
access-list 100 permit icmp host 1.1.1.1 host 3.3.3.3
access-list 100 permit ospf any any


Verification


Ping sourced from the f0/0 address (192.168.1.1), which access-list 100 does not permit:
R1#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#


Ping sourced from the lo0 address (1.1.1.1), which access-list 100 permits:
R1#ping 3.3.3.3 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/76 ms
R1#
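To make the policy evaluation concrete, here is an added example (not from the original post, and not IOS code) that models R2's zone pair, class map and inspect/drop actions in Python and replays the two pings above plus their echo replies. The interface names, zone names and ACL entries are taken from the configuration on this page; the routing decision (which egress interface a packet takes) is passed in directly, and the ACL is reduced to the ICMP entry that the ICMP class is meant to match. Router-originated traffic (the "self" zone) is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of R2's configuration from this page (added example, not IOS code).
# Interface -> zone, as set by the page's "zone-member security" lines.
ZONE_OF_INTERFACE = {"f0/0": "INSIDE", "f0/1": "OUTSIDE"}

# access-list 100, reduced to the ICMP entry that class-map ICMP is meant to match.
ACL_100 = [
    ("icmp", ipaddress.ip_network("1.1.1.1/32"), ipaddress.ip_network("3.3.3.3/32")),
]

# zone-pair security R1-R3 source INSIDE destination OUTSIDE -> service-policy R1_R3_RULE.
# There is deliberately no OUTSIDE -> INSIDE pair, exactly as on the page.
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "R1_R3_RULE"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    ingress: str  # interface the packet arrived on
    egress: str   # interface chosen by the routing lookup


class ZoneFirewall:
    """Evaluates one transit packet the way the page's zone pair and policy map would."""

    def __init__(self):
        # Session table populated by the "inspect" action; keyed (proto, src, dst).
        self.sessions = set()

    @staticmethod
    def _matches_acl(pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(pkt.proto == proto and src in s and dst in d for proto, s, d in ACL_100)

    def forward(self, pkt):
        src_zone = ZONE_OF_INTERFACE[pkt.ingress]
        dst_zone = ZONE_OF_INTERFACE[pkt.egress]
        if src_zone == dst_zone:
            return "pass"  # traffic between interfaces of the same zone is not policed
        # Return traffic of a session created by "inspect" is allowed back even though
        # no OUTSIDE -> INSIDE zone pair exists: that is what "inspect" buys over "pass".
        if (pkt.proto, pkt.dst, pkt.src) in self.sessions:
            return "pass"
        if (src_zone, dst_zone) not in ZONE_PAIRS:
            return "drop"  # no zone pair for this direction: default deny
        # policy-map R1_R3_RULE: class ICMP -> inspect, class-default -> drop
        if self._matches_acl(pkt):
            self.sessions.add((pkt.proto, pkt.src, pkt.dst))
            return "inspect"
        return "drop"


def page_scenario():
    """Replays the page's two pings plus the echo replies; returns the verdicts."""
    fw = ZoneFirewall()
    return {
        # ping 3.3.3.3 sourced from f0/0 (192.168.1.1): not in ACL 100 -> class-default -> drop
        "ping_from_192.168.1.1": fw.forward(Packet("icmp", "192.168.1.1", "3.3.3.3", "f0/0", "f0/1")),
        # ping 3.3.3.3 source lo0 (1.1.1.1): matches ACL 100 -> inspect, session created
        "ping_from_1.1.1.1": fw.forward(Packet("icmp", "1.1.1.1", "3.3.3.3", "f0/0", "f0/1")),
        # echo reply from R3 back to 1.1.1.1: matches the session -> passes with no reverse zone pair
        "reply_to_1.1.1.1": fw.forward(Packet("icmp", "3.3.3.3", "1.1.1.1", "f0/1", "f0/0")),
        # unsolicited packet from R3 toward R1: no session and no OUTSIDE -> INSIDE pair -> drop
        "unsolicited_from_R3": fw.forward(Packet("icmp", "3.3.3.3", "192.168.1.1", "f0/1", "f0/0")),
    }


if __name__ == "__main__":
    for name, verdict in page_scenario().items():
        print(f"{name}: {verdict}")
```

The two things worth noticing are that the reply from R3 passes only because the session table was populated by the inspect action (a "pass" action would have left the reply with no matching zone pair), and that any packet R3 sends toward R1 on its own is dropped because no OUTSIDE to INSIDE zone pair exists.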

Tuesday, August 16, 2011

multicast helper-map

Multicast Helper-map
Broadcast: 255.255.255.255
Multicast: 224.0.0.0 - 239.255.255.255
Broadcast address / subnet.

http://blog.ine.com/2008/05/06/understanding-the-ip-multicast-helper-map-command/


Thursday, August 11, 2011

EIGRP PE-CE

Sample configuration of EIGRP as the PE-CE routing protocol inside a VRF.
R1 (PE) - R2 (CE)


PE (R1)
int f0/0
 ip vrf forwarding VPNA
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 address-family ipv4 vrf VPNA
  network 192.168.1.0 0.0.0.255
  autonomous-system 1
  no auto-summary


CE (R2)
int f0/0
 ip address 192.168.1.2 255.255.255.0
!
router eigrp 1
 network 192.168.1.0 0.0.0.255
 no auto-summary


Tuesday, August 9, 2011

Unicast reverse Path

Unicast Reverse Path Forwarding (uRPF) is used as an ingress filter to protect the network from packets with spoofed source addresses arriving from untrusted networks. When uRPF is enabled on an interface, the router checks whether the source IP address of each incoming packet is reachable via the interface the packet arrived on. If it is not, the router drops the packet.

Note:
uRPF should not be configured if your network has asymmetric routing, because legitimate traffic can then arrive on an interface other than the one the router would use to reach its source and will be dropped.

To see how this feature works, here is one simple example. I have R1 - R2 - R3 connected as in the figure below. They are all in the same OSPF area. However, R2 has a static route to 1.1.1.1 pointing to 192.168.3.2 (the R3 interface) instead of going out via the 192.168.1.0 network toward R1.

R2:   ip route 1.1.1.1 255.255.255.255 192.168.3.2
! force the traffic back to 1.1.1.1/32 through R3 instead of R1 (the static route has a lower administrative distance than the OSPF route, so it is preferred)


We test connectivity by pinging from R1 to R2 with the source IP address 1.1.1.1. If the uRPF check is not enabled on the R2 interface facing R1, the ping is successful.

R1#ping 2.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/35/56 ms
R1#

When we enable the uRPF check on the R2 interface facing R1, the ping fails: the packets from 1.1.1.1 arrive on the interface toward R1, but R2's route to 1.1.1.1 points via R3, so the source is not reachable through the interface the packets came in on. This violates the RPF check.

R2(config-if)#ip verify unicast source reachable-via rx

The ping fails:
R1#ping 2.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
R1#
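The uRPF decision above, and the asymmetric-routing caveat in the note, can be reproduced with a small added example (not from the original post, and not IOS code). It builds a constructed FIB for R2 from the page's topology, does a longest-prefix lookup on the packet's source address, and applies the strict (reachable-via rx) and loose (reachable-via any) rules; the interface names f0/0 (to R1) and f0/1 (to R3) and the OSPF-learned 3.3.3.3/32 entry are assumptions, the 1.1.1.1/32 static route is the one the page configures.

```python
import ipaddress

# Constructed FIB for R2 from the page's topology (added example; not R2's real table).
# Connected networks plus the static route the page adds for 1.1.1.1/32. The /32 entry
# wins the longest-prefix match, which is what sends R2's traffic for 1.1.1.1 via R3.
R2_FIB = [
    (ipaddress.ip_network("192.168.1.0/24"), "f0/0"),  # link to R1 (assumed interface name)
    (ipaddress.ip_network("192.168.3.0/24"), "f0/1"),  # link to R3 (assumed interface name)
    (ipaddress.ip_network("1.1.1.1/32"), "f0/1"),      # ip route 1.1.1.1 255.255.255.255 192.168.3.2
    (ipaddress.ip_network("3.3.3.3/32"), "f0/1"),      # R3 loopback learned via OSPF (assumed)
]

# The same FIB without the static route: 1.1.1.1/32 is learned by OSPF via R1 instead,
# i.e. routing toward R1 is symmetric again.
R2_FIB_SYMMETRIC = [(net, "f0/0" if str(net) == "1.1.1.1/32" else ifname) for net, ifname in R2_FIB]


def lookup_egress(fib, addr):
    """Longest-prefix match; returns the egress interface, or None if there is no route."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, ifname in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_check(fib, src, ingress, mode="rx"):
    """Decide whether a packet with source `src` arriving on `ingress` passes uRPF.

    mode="rx"  -> strict (ip verify unicast source reachable-via rx): the best route to
                  the source must point back out the ingress interface.
    mode="any" -> loose (ip verify unicast source reachable-via any): the source only has
                  to be present in the FIB at all.
    No default route is modelled, so a source with no route fails in both modes.
    """
    egress = lookup_egress(fib, src)
    if egress is None:
        return "drop"
    if mode == "any":
        return "pass"
    return "pass" if egress == ingress else "drop"


def page_scenario():
    """R1 pings R2 sourced from lo0 (1.1.1.1); the packets arrive on R2's f0/0."""
    return {
        # with the static route via R3, strict uRPF on f0/0 drops the packet (the page's result)
        "static_route_strict": urpf_check(R2_FIB, "1.1.1.1", "f0/0"),
        # without the static route, the best path to 1.1.1.1 is back out f0/0, so it passes
        "symmetric_strict": urpf_check(R2_FIB_SYMMETRIC, "1.1.1.1", "f0/0"),
        # loose mode only asks whether 1.1.1.1 is routable at all, so it passes
        "static_route_loose": urpf_check(R2_FIB, "1.1.1.1", "f0/0", mode="any"),
        # a ping sourced from the f0/0 link address (192.168.1.1) passes in strict mode
        "link_address_strict": urpf_check(R2_FIB, "192.168.1.1", "f0/0"),
    }


if __name__ == "__main__":
    for name, verdict in page_scenario().items():
        print(f"{name}: {verdict}")
```

Running it shows the asymmetry is the whole story: the very same packet passes once the route to 1.1.1.1 points back toward R1, and passes under loose mode even with the static route in place, which is why loose mode is the usual choice on interfaces where return paths cannot be guaranteed to match.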






Netflow Configuration

NetFlow lets the router export traffic statistics to a remote collector. We use this data for traffic performance monitoring, traffic control, or accounting at specific locations in the network.

Configure NetFlow

  • Enable NetFlow
    • Interface level: ip route-cache flow
  • Export NetFlow information
    • Global level:
    • ip flow-export destination x.x.x.x <port>
    • ip flow-export source <interface>

Example configuration

interface Serial0/3/0
 description T1 to remote-sites
 bandwidth 1536
 ip address 10.12.255.138 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 rate-limit output access-group 191 256000 32000 48000 conform-action transmit exceed-action drop
 ip route-cache flow
 service-policy output VOIP-LLQ


ip flow-export source Loopback0
ip flow-export destination 10.12.66.82 16384
ip flow-export destination 10.12.64.36 3000


BSR Border

ip pim bsr-border 


Prevents the router from sending or receiving BSR messages on the interface. When this command is used, the BSR domain stops at the interface where it is configured.

R1 ---- R2 -----R3

Before 
R3

R3#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
  RP 1.1.1.1 (?), v2
    Info source: 1.1.1.1 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:00:04, expires: 00:02:21
R3#



After 
R2
int f0/1
 description To R3
 ip pim bsr-border


R3

R3#sh ip pim rp mapping
PIM Group-to-RP Mappings

R3#

From the example above, after we add the command ip pim bsr-border on the R2 interface connecting to R3, we no longer see the RP on R3.