Zone Based Firewall Lab Tips

  • Define zones – zone security WORD. This is where you define each zone; think of it as a container for interfaces. Traffic between two zones is dropped unless a zone-pair with a policy exists for that direction, while traffic between interfaces in the same zone is allowed.
zone security IN (unique name)
zone security OUT (unique name)
  • Classify the traffic – class-map type inspect WORD. Uses MQC logic (class maps) to classify the traffic. match-all requires every match line to hit; if you list several match protocol lines use match-any, since one flow is only ever one protocol.
class-map type inspect match-all HTTP (unique name)
 match protocol http
  • Define the inspect policy – policy-map type inspect WORD. Uses an MQC policy map to specify how to treat the classified traffic. Here we treat it as CBAC-style stateful inspection with the inspect keyword, so return traffic is allowed automatically. Other actions are pass (stateless, return traffic needs its own zone-pair) and drop. Anything not matched falls into class-default, which drops by default.
policy-map type inspect OUTBOUND_TRAFFIC (unique name)
 class type inspect HTTP (name of class-map above)
  inspect
  • Create the zone-pair and attach the service-policy – here we say which zones, and in which direction, this ‘security rule’ applies to. A zone-pair is unidirectional: source IN to destination OUT says nothing about traffic initiated from OUT.
zone-pair security OUTBOUND (unique name) source IN (name of Zone above ) destination OUT (name of zone above)
 service-policy type inspect OUTBOUND_TRAFFIC (name of Policy-map above)
  • Associate the interfaces to a zone. Here we specify which interfaces are members of which of the zones we have defined. An interface that is in no zone cannot exchange traffic with an interface that is in a zone.
interface Ethernet1/0
 zone-member security IN

interface Serial1/0
 zone-member security OUT
  • Verification 
show policy-map type inspect zone-pair sessions  This will show what is hitting the policy (active sessions per zone-pair) and what is defined
show class-map type inspect This will show all the class maps defined
show policy-map type inspect This will show the policy map actions against the class maps
show zone-pair security This will show each zone-pair, its direction and the attached service-policy
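The steps above assembled into one complete configuration, as an added example that is not taken from the original page. The extra protocols in the class map, the explicit class-default drop with logging and the interface names are assumptions; the zone, class and policy names are the ones used above.

```cisco
! Zones: inter-zone traffic is dropped unless a zone-pair says otherwise
zone security IN
zone security OUT
!
! match-any: a single flow is only one protocol, so match-all with
! several match protocol lines would never match anything
class-map type inspect match-any OUT_PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect OUTBOUND_TRAFFIC
 class type inspect OUT_PROTOCOLS
  inspect
 ! class-default already drops; "drop log" makes the drops visible in syslog
 class class-default
  drop log
!
! Unidirectional: IN may initiate towards OUT, return traffic is allowed
! by the stateful inspect action, and nothing from OUT may initiate
zone-pair security OUTBOUND source IN destination OUT
 service-policy type inspect OUTBOUND_TRAFFIC
!
interface Ethernet1/0
 description inside (assumed)
 zone-member security IN
!
interface Serial1/0
 description outside (assumed)
 zone-member security OUT
```

Two things to check after applying this: traffic to and from the router itself belongs to the built-in self zone and is still permitted until you create a zone-pair that involves self, so management access from OUT is not blocked by the configuration above; and any interface you forget to put into a zone can no longer talk to the zoned interfaces at all.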

OSPF Sham Links Lab Tips

  • Without sham links – If two CE sites that are in the same OSPF area are, in addition to the MPLS VPN, also connected by another link (e.g. R3 is connected to Area 1 in Site 1 and Area 1 in Site 2), that link is known as the backdoor link.
  • Traffic will prefer the backdoor link, because routes learnt over it appear as intra-area routes, whereas the same routes learnt via MPLS are seen as inter-area or external routes (see below), and OSPF prefers intra-area over both.
  • Even if both CE sites are in the same area, routes via MPLS will still be seen as inter-area routes, because of the redistribution between MP-BGP and OSPF into the VRF on the PE.
  • The domain-id needs to match on both PEs for those routes to be seen as inter-area routes; otherwise they are seen as external routes when redistribution occurs between MP-BGP and OSPF. If no domain-id is configured, the OSPF process ID is used, so the process IDs must match instead.
  • With sham links a ‘virtual link’ is created between the PE routers so that the MPLS path becomes an extension of that area, say area 1. The MPLS routes are now seen as intra-area routes, and all we need to do to prefer the MPLS link is to manipulate the OSPF cost if necessary (depending on link speed).
  • Building the sham link needs a /32 loopback on each PE that is advertised by BGP inside the VRF, not by OSPF. This loopback must always be part of the VRF (ip vrf forwarding VRFNAME).
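A sham-link configuration for one PE, as an added example that is not from the original page; the VRF name, AS number, OSPF process ID, domain-id and loopback addresses are assumptions, and the other PE mirrors it with the two loopback addresses swapped.

```cisco
ip vrf CUST
 rd 65000:1
 route-target both 65000:1
!
! Sham-link endpoint: /32, inside the VRF, advertised by BGP only
interface Loopback100
 ip vrf forwarding CUST
 ip address 10.255.0.1 255.255.255.255
!
router ospf 100 vrf CUST
 ! must match the remote PE so MPLS routes show up as inter-area (or, with the
 ! sham link, intra-area) rather than external
 domain-id 1.1.1.1
 redistribute bgp 65000 subnets
 ! local endpoint first, remote PE's loopback second; cost is optional
 area 1 sham-link 10.255.0.1 10.255.0.2 cost 1
!
router bgp 65000
 address-family ipv4 vrf CUST
  ! the endpoint loopback is carried by MP-BGP, not by OSPF
  network 10.255.0.1 mask 255.255.255.255
  redistribute ospf 100
```

Check it with show ip ospf sham-links; the link should be up with the neighbor in FULL state, and the site prefixes should now appear as intra-area (O) routes on the CE via the PE instead of inter-area (O IA) routes.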

NAT Lab Tips

The Law of NAT

Inside to Outside
  • The router routes first and translates second, so a route to the destination prefix must exist before NAT can occur. Seeing nothing under show ip nat translations is a good indication that the route is missing.
Outside to Inside
  • NAT occurs first (the destination is un-translated) and only then is the routing table checked for the forwarding decision.

BPDU Filter Lab Tips

  • BPDU filter at the interface level (spanning-tree bpdufilter enable) will stop BPDUs from being received on that interface and from being sent out of it. This effectively disables spanning tree on the port, so a loop or a rogue switch behind it will not be detected.
  • BPDU filter at the global level (spanning-tree portfast bpdufilter default) will stop BPDUs from being sent out on all portfast-enabled interfaces (it will send a few initially to detect whether the other device is running spanning tree). It should also be noted that it does not filter a BPDU if one is received on the interface, because if one is received the port loses its portfast status anyway.
  • spanning-tree portfast default and spanning-tree portfast bpdufilter default together at the global level will allow the switch to automatically work out which interfaces should be edge ports by looking at interfaces where BPDUs are not coming in, which in turn means we will not send BPDUs out (BPDU filter). If we do receive a BPDU inbound, we take this port out of portfast and disable the BPDU filter on it. Overall we work out which interfaces should run portfast and which should not, and for the ones running portfast we kick in BPDU filter so that we do not send spanning-tree information down the link (there should be no reason to, as these should be hosts and not switches on the other end). Running these two features together still leaves you open to a layer 2 man-in-the-middle attack: a device that starts sending BPDUs on an edge port is simply admitted into spanning tree, so the attacker can become root and make traffic transit through it to be sniffed. The practitioner's fix is spanning-tree portfast bpduguard default (err-disable the port on any received BPDU) on edge ports and root guard on the uplinks.
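The weak combination described above beside the hardened version, as an added example that is not from the original page. The interface names are assumptions; the global commands are the ones discussed above plus BPDU guard and root guard.

```cisco
! --- Weak: edge ports are discovered automatically and BPDUs withheld,
! --- but a device that does send BPDUs is admitted into STP and can
! --- advertise a better bridge priority and take over as root
spanning-tree portfast default
spanning-tree portfast bpdufilter default
!
! --- Hardened: keep automatic edge-port detection, but err-disable any
! --- portfast port that receives a BPDU instead of letting it join STP
spanning-tree portfast default
no spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
! optional: bring err-disabled ports back automatically after the timeout
errdisable recovery cause bpduguard
!
! Uplinks are never edge ports; root guard stops a superior BPDU from a
! downstream switch (or attacker) from moving the root onto that port
interface GigabitEthernet0/1
 description uplink to distribution (assumed)
 spanning-tree guard root
!
! A known server port can be pinned explicitly rather than auto-detected
interface GigabitEthernet0/10
 description server (assumed)
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Verify with show spanning-tree summary (the BPDU Guard and Portfast Default lines) and show interfaces status err-disabled after plugging a switch into an edge port: with the hardened configuration the port goes to err-disabled instead of the switch becoming root.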

IP Bridging Lab Tips

  • Enable integrated routing and bridging at global configuration with bridge irb.
  • bridge 111 protocol ieee is needed so that spanning tree can function for the bridge-group.
  • Any protocol that needs to be routed, e.g. IP, needs to be specified with bridge 111 route ip; the routed interface for the group is the BVI with the same number.
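The three global commands above together with the interface side that makes IRB actually useful, as an added example that is not from the original page; the interface names and the BVI address are assumptions.

```cisco
bridge irb
bridge 111 protocol ieee
bridge 111 route ip
!
! Two physical ports bridged together at layer 2 in group 111
interface FastEthernet0/0
 no ip address
 bridge-group 111
!
interface FastEthernet0/1
 no ip address
 bridge-group 111
!
! The BVI is the routed interface for the bridge group; its number must
! match the bridge-group number
interface BVI111
 ip address 192.168.111.1 255.255.255.0
```

Check with show bridge 111 (the MAC table for the group) and show interfaces bvi111; hosts on either FastEthernet port should see each other at layer 2 and use 192.168.111.1 as their gateway.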

Catalyst QoS Lab Tips

  • Enable QoS on a switch with mls qos at global config.
  • mls qos vlan-based under physical interfaces will….

EEM Lab Tips

  • Check that no other EEM policy is already registered before configuring, using show event manager policy registered.
  • Create an applet with event manager applet MY_PROCESS.
  • Applets are just IF and THEN statements: the event line is the IF (a match) and the action lines are the THEN.
  • The IF statement: event cli pattern “.*interface loopback.*” sync yes – here we are looking for somebody typing ‘interface loopback’ on the CLI. The [dot/period] means any single character and the [asterisk] means zero or more occurrences of the preceding element, so .* matches anything before and after the text. sync yes runs the applet before the typed command is executed.
  • The THEN statement: perform the following commands to shut down the interface
    • action 1.0 cli command “enable”
    • action 1.1 cli command “configure terminal”
    • action 1.2 cli command “$_cli_msg” ($_cli_msg holds the CLI line that matched, so this re-enters the same interface the operator typed)
    • action 1.3 cli command “shutdown”
  • Verify with debug event manager all, and with show event manager policy registered to confirm the applet is the only one present.
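The applet assembled as one block, as an added example that is not from the original page. The syslog action and the explicit _exit_status setting are additions beyond the page's own lines (the applet works without them; _exit_status 1 simply states that the matched command is still allowed to run, and 0 would suppress it).

```cisco
event manager applet MY_PROCESS
 ! IF: any CLI line containing "interface loopback", run before it executes
 event cli pattern ".*interface loopback.*" sync yes
 ! THEN: re-enter the same interface and shut it down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "$_cli_msg"
 action 1.3 cli command "shutdown"
 action 1.4 cli command "end"
 ! record who triggered it; $_event_pub_time is the built-in event timestamp
 action 1.5 syslog msg "MY_PROCESS shut down after: $_cli_msg at $_event_pub_time"
 ! let the operator's original command proceed (0 would block it)
 action 1.6 set _exit_status 1
```

Because an applet like this runs privileged commands on the operator's behalf whenever a CLI pattern matches, treat registered policies as part of the device's configuration review: an unexpected entry in show event manager policy registered deserves the same attention as an unexpected local user.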