IPv6 EIGRP


IPv6 EIGRP and IPv4 EIGRP are very similar in concept, apart from the following differences:

  • IPv6 EIGRP is configured on an interface basis (like OSPFv3 and RIPng), and networks are advertised through the interface command.
  • When configured on an interface, IPv6 EIGRP is initially placed in the "shutdown" state.
  • As with OSPFv3, IPv6 EIGRP requires a router-id in IPv4 format.
  • Passive interfaces can only be configured in routing process mode.
  • It needs extra memory resources and is supported in IOS 12.4(6)T and later:
R1#sh ver | i Version
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
6 slot VXR midplane, Version 2.1
R1#

  • No split horizon in IPv6, because it is possible to get multiple prefixes per interface.
  • No concept of classful routing in IPv6 EIGRP, and consequently no automatic summarization.

Figure 1 depicts the lab topology used for the IPv6 EIGRP deployment: R1, R2 and R3 are connected to each other through a Frame Relay cloud, and R2, R3 and R4 are connected to each other through a LAN.

Each router protects its own set of local networks.

This lab covers the following topics related to the deployment of IPv6 EIGRP:

  • IPv6 addressing
  • Frame Relay configuration
  • IPv6 routing configuration
  • IPv6 route manipulation

Figure 1: IPv6 EIGRP topology


I) DEPLOYMENT

  1. IPv6 addressing:

First, the unicast IPv6 and link-local addresses are configured.

Link-local addresses are statically configured to make them easier to work with.

R1(config)#int s1/0
R1(config-if)#ipv6 address 2001:1:1:210::1/60
R1(config-if)#ipv6 address FE80::210:1 link-local
R1(config-if)#no sh

R2(config-if)#int s1/0
R2(config-if)#ipv6 address 2001:1:1:210::2/60
R2(config-if)#ipv6 address FE80::210:2 link-local
R2(config-if)#no sh

R2(config)#int fa 0/0
R2(config-if)#ipv6 address 2001:1:1:410::2/60
R2(config-if)#ipv6 address FE80::410:2 link-local
R2(config-if)#no sh

R3(config-if)#int s1/0
R3(config-if)#ipv6 address 2001:1:1:210::3/60
R3(config-if)#ipv6 address FE80::210:3 link-local
R3(config-if)#no sh

R3(config-if)#int fa 0/0
R3(config-if)#ipv6 address 2001:1:1:410::3/60
R3(config-if)#ipv6 address FE80::410:3 link-local
R3(config-if)#no sh

R4(config-if)#int fa 0/0
R4(config-if)#ipv6 address 2001:1:1:410::4/60
R4(config-if)#ipv6 address FE80::410:4 link-local
R4(config-if)#no sh

  2. Frame Relay configuration:

For each interface connected to the Frame Relay cloud, Frame Relay encapsulation is set, Inverse ARP is disabled and static mappings are configured for both the next-hop unicast IPv6 address and the next-hop link-local IPv6 address.

R1(config-if)#int s1/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ipv6 2001:1:1:210::2 102 broadcast
R1(config-if)#frame-relay map ipv6 FE80::210:2 102
R1(config-if)#frame-relay map ipv6 2001:1:1:210::3 103 broadcast
R1(config-if)#frame-relay map ipv6 FE80::210:3 103

R2(config)#int s1/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#frame-relay map ipv6 2001:1:1:210::1 201 broadcast
R2(config-if)#frame-relay map ipv6 FE80::210:1 201
R2(config-if)#frame-relay map ipv6 2001:1:1:210::3 203 broadcast
R2(config-if)#frame-relay map ipv6 FE80::210:3 203

R3(config)#int s1/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#frame-relay map ipv6 2001:1:1:210::1 301 broadcast
R3(config-if)#frame-relay map ipv6 FE80::210:1 301
R3(config-if)#frame-relay map ipv6 2001:1:1:210::2 302 broadcast
R3(config-if)#frame-relay map ipv6 FE80::210:2 302

Before continuing further, it is recommended to check connectivity:

Frame Relay cloud:

Unicast:

R1#ping ipv6 2001:1:1:210::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:210::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/73/88 ms

R1#ping ipv6 2001:1:1:210::3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:210::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/73/88 ms
R1#

Link-local:

R1#ping ipv6 FE80::210:2
Output Interface: Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::210:2, timeout is 2 seconds:
Packet sent with a source address of FE80::210:1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/60/80 ms
R1#

R1#ping ipv6 FE80::210:3
Output Interface: Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::210:3, timeout is 2 seconds:
Packet sent with a source address of FE80::210:1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/54/92 ms
R1#

Ethernet:

Unicast:

R2#ping ipv6 2001:1:1:410::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:410::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/79/116 ms

R2#ping ipv6 2001:1:1:410::4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:410::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/96 ms
R2#

Link-local:

R2#ping ipv6 FE80::410:3
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::410:3, timeout is 2 seconds:
Packet sent with a source address of FE80::410:2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/76/92 ms

R2#ping ipv6 FE80::410:4
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::410:4, timeout is 2 seconds:
Packet sent with a source address of FE80::410:2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/71/96 ms
R2#

Routing configuration:

Now let's proceed with IPv6 EIGRP. Steps:

  • Enable IPv6 unicast routing globally.
  • Enable IPv6 on the Frame Relay interface.
  • Enable IPv6 EIGRP on a per-interface basis.
  • Manually set the IPv6 EIGRP router-id in IPv4 format.
  • Bring the EIGRP process out of shutdown (no shutdown).

R1(config)#ipv6 unicast-routing
R1(config)#int s1/0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 eigrp 10
R1(config-if)#exit
R1(config)#ipv6 router eigrp 10
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#no sh

Verify the IPv6 EIGRP protocol:

R1(config)#do sh ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "eigrp 10"
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Interfaces:
    Serial1/0
  Redistribution:
    None
  Maximum path: 16
  Distance: internal 90 external 170

R1(config)#

Repeat the previous steps on the other routers (R2, R3 and R4) and make sure that the IPv6 EIGRP process IDs match.

R2(config)#ipv6 unicast-routing
R2(config)#int s1/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 eigrp 10
R2(config-if)#exit
R2(config)#ipv6 router eigrp 10
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#no sh

R2(config-rtr)#int fa 0/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 eigrp 10
R2(config-if)#exit
R2(config)#

R3(config)#ipv6 unicast-routing
R3(config-if)#int s1/0
R3(config-if)#ipv6 enable
R3(config-if)#ipv6 eigrp 10
R3(config-if)#exit
R3(config)#ipv6 router eigrp 10
R3(config-rtr)#router-id 3.3.3.3
R3(config-rtr)#no sh

R3(config-rtr)#int fa 0/0
R3(config-if)#ipv6 enable
R3(config-if)#ipv6 eigrp 10
R3(config-if)#exit
R3(config)#

R4(config)#ipv6 unicast-routing
R4(config-rtr)#int fa 0/0
R4(config-if)#ipv6 enable
R4(config-if)#ipv6 eigrp 10
R4(config-if)#exit
R4(config)#

Let's check the neighbor relationships and the IPv6 routing table on R1, for example:

R1(config)#do sh ipv6 eigrp neigh
IPv6-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
1   Link-local address:     Se1/0        154 00:01:16   32   200  0  5
    FE80::210:3
0   Link-local address:     Se1/0        163 00:04:56   48   288  0  3
    FE80::210:2

R1(config)#do sh ipv6 eigrp interfaces
IPv6-EIGRP interfaces for process 10

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se1/0              2        0/0        40       0/15          175          0
R1(config)#

Note that, as in OSPFv3, IPv6 EIGRP uses link-local addresses to establish relationships with its neighbors.

R1(config)#do sh ipv6 route eigrp
IPv6 Routing Table - 35 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2001:1:1:410::/60 [90/2172416]
     via FE80::210:2, Serial1/0
     via FE80::210:3, Serial1/0
R1(config)#

R1 has learnt the LAN network 2001:1:1:410::/60 from both R2 and R3, and it is reachable:

R1(config)#do ping ipv6 2001:1:1:410::4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:410::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/136/164 ms
R1(config)#

R1#traceroute ipv6 2001:1:1:410::4
Type escape sequence to abort.
Tracing the route to 2001:1:1:410::4

  1 2001:1:1:210::2 80 msec
    2001:1:1:210::3 120 msec
    2001:1:1:210::2 68 msec
  2 2001:1:1:410::4 144 msec 120 msec 144 msec
R1#

R1 load-balances the ICMP packets between the two paths, through R2 and through R3.

  3. Route manipulation:

To practice IPv6 route summarization, loopback interfaces are created to simulate local networks on each router (Figure 1) and IPv6 EIGRP is enabled on each of them. The result is as follows:

R4:

R4# sh ipv6 route eigrp
IPv6 Routing Table - 22 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2001:1:1:110::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:120::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:130::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:140::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:150::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:160::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:170::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:180::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:190::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1A0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1B0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1C0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1D0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1E0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:1F0::/60 [90/2300416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
D   2001:1:1:210::/60 [90/2172416]
     via FE80::410:3, FastEthernet0/0
     via FE80::410:2, FastEthernet0/0
R4#

22 entries, with only the routes to the Frame Relay network and R1's fifteen local networks; imagine adding R2's and R3's local networks, or, worse, a production network with hundreds of sites and thousands of routes!

This is where summarization comes in, to lessen the complexity of handling routes individually.

As in IPv4 EIGRP, after the summarization command is configured the router drops its IPv6 EIGRP neighbor relationships and re-establishes them; this generates new input events and makes the neighbors rebuild their topology tables and run the DUAL local computation again, using the new advertisements from the router on which summarization was reconfigured.

The summarization command is applied per interface, so make sure it is executed on all EIGRP interfaces through which you want to advertise the summary route.

R1:

R1(config-if)#int s1/0
R1(config-if)#ipv6 summary-address eigrp 10 2001:1:1:100::/56
*Jun 13 10:36:44.871: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:3 (Serial1/0) is down: summary configured
*Jun 13 10:36:44.927: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:2 (Serial1/0) is down: summary configured
R1(config-if)#
*Jun 13 10:37:01.919: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:3 (Serial1/0) is up: new adjacency
*Jun 13 10:37:02.019: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::210:2 (Serial1/0) is up: new adjacency
R1(config-if)#

Now let's take a look at R4's routing table:

R4# sh ipv6 route eigrp
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
D   2001:1:1:100::/56 [90/2300416]
     via FE80::410:2, FastEthernet0/0
     via FE80::410:3, FastEthernet0/0
D   2001:1:1:210::/60 [90/2172416]
     via FE80::410:2, FastEthernet0/0
     via FE80::410:3, FastEthernet0/0
D   2001:1:1:300::/56 [90/156160]
     via FE80::410:3, FastEthernet0/0
D   2001:1:1:600::/56 [90/156160]
     via FE80::410:2, FastEthernet0/0
R4#

The routing table is reduced to 10 entries, with only the summary routes to the R1, R2 and R3 local networks.
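As an added example (not part of the original lab), the following Python script uses only the standard library to compute the smallest summary that covers R1's fifteen loopback /60s (the prefixes listed in R4's table above), to show what happens to a summary typed with non-zero host bits (for instance 2001:1:1:1::/56 is installed as 2001:1:1::/56 and covers none of them), and to list the address space the summary advertises that no loopback actually uses.

```python
# Added example, not part of the original lab: check an EIGRP IPv6 summary
# against the networks it is meant to cover. Standard library only.
import ipaddress

# The fifteen /60 prefixes R4 learnt from R1 before summarization (from the lab):
# 2001:1:1:110::/60, 2001:1:1:120::/60, ... 2001:1:1:1F0::/60
R1_LOOPBACK_PREFIXES = [f"2001:1:1:1{x:X}0::/60" for x in range(1, 16)]


def covering_summary(prefixes):
    """Return the longest prefix that contains every network in `prefixes`.

    Starting from the shortest input length, shorten the prefix one bit at a
    time until a single supernet contains all of them. That is the tightest
    summary: anything longer leaves at least one network out.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    length = min(n.prefixlen for n in nets)
    while length >= 0:
        candidate = nets[0].supernet(new_prefix=length)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
        length -= 1
    raise ValueError("no common prefix")


def normalize(prefix_text):
    """What the router does with a summary whose host bits are not zero:
    the bits beyond the prefix length are cleared, so the summary actually
    installed can differ from what was typed."""
    return ipaddress.ip_network(prefix_text, strict=False)


def check_summary(prefix_text, prefixes):
    """Return (installed summary, list of networks it does NOT cover)."""
    summary = normalize(prefix_text)
    missed = [p for p in prefixes if not ipaddress.ip_network(p).subnet_of(summary)]
    return summary, missed


def unused_in_summary(summary, prefixes, sub_len=60):
    """Sub-prefixes of `summary` (at length sub_len) that match no input
    network: address space the summary advertises although nobody owns it.
    EIGRP installs a discard (Null0) route for the summary, so traffic to
    this space is dropped at the summarizing router rather than looped."""
    nets = {ipaddress.ip_network(p) for p in prefixes}
    return [str(s) for s in summary.subnets(new_prefix=sub_len) if s not in nets]


if __name__ == "__main__":
    best = covering_summary(R1_LOOPBACK_PREFIXES)
    print("tightest summary:", best)
    for typed in ("2001:1:1:100::/56", "2001:1:1:1::/56"):
        installed, missed = check_summary(typed, R1_LOOPBACK_PREFIXES)
        print(f"typed {typed} -> installed {installed}, uncovered: {len(missed)}")
    print("advertised but unused:", unused_in_summary(best, R1_LOOPBACK_PREFIXES))
```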

II) CONCLUSION

As with the other IPv6 routing protocols, there is practically nothing new to learn once you grasp the concepts of the IPv4 version of the protocol and IPv6 addressing.


CBAC Context-Based Access Control


CBAC is a Cisco router security feature that provides a more sophisticated form of perimeter security than simple access control lists to mitigate threats from unprotected networks; it dynamically inspects specific traffic as it traverses the IOS firewall.

This lab provides basic configuration guidelines and general recommendations for CBAC deployment, and shows how it can prevent some attacks, such as a SYN flood.

 

Figure 1: CBAC lab topology

I) CBAC configuration guideline:

  1. Select the interfaces controlled by CBAC:

CBAC router:

Remember that the inspection rule is applied to a particular interface in a particular direction; CBAC therefore controls, by dynamically allowing or denying it, the traffic entering the interfaces in the direction opposite to the inspection rule.

Fa0/0: internal interface, from which sessions can be originated to any destination. CBAC decides whether to allow traffic entering Fa1/0 and Fa2/0 (which would normally be blocked) when it is the return traffic of a session originated from Fa0/0 (which would normally be allowed by the ACL).

Fa1/0: DMZ interface. Traffic generated from other areas toward the DMZ servers should be inspected at a single point, Fa1/0. Only servers are supposed to reside in the DMZ, not hosts.

CBAC decides whether to allow return traffic from the DMZ (which would normally be blocked).

 

  2. Configure access control lists:
  • Identify the applications that need to be inspected and make sure that outgoing traffic from the protected zone is not blocked by any ACL.
  • Set ACLs to block traffic from the unprotected interfaces; CBAC takes care of dynamically opening holes in the ACL to permit legitimate return traffic.
  • Packets entering the IOS firewall are inspected by CBAC only if they first pass the inbound ACL on the interface.
  • One blocking ACL should be bound inbound to the outside interface Fa2/0 and another inbound to the DMZ interface, thereby blocking illegitimate traffic before it enters the IOS firewall.
  • In a production environment you also have to take address-space filtering according to RFC 2827 into account, in other words blocking private addresses coming from the outside, broadcast, bogon and spoofed source addresses, etc.
  • Don't forget the implicit "deny ip any any" at the end of every ACL.

 

Table1 : Access control lists

ACL name      Permit/deny  Protocol  Source IP      Src mask  Src port  Destination IP  Dst mask  Dst port
FROM_DMZ      deny         ip        any            -         -         any             -         -
FROM_INSIDE   permit       ip        192.168.11.0   24        -         any             -         -
FROM_OUTSIDE  permit       tcp       any            -         -         10.10.10.1      32        www
              permit       tcp       any            -         -         10.10.10.1      32        telnet
              permit       tcp       any            -         -         10.10.10.1      32        ssh
              permit       tcp       any            -         -         10.10.10.1      32        smtp
              permit       tcp       any            -         -         10.10.10.1      32        ftp
              permit       icmp      any            -         -         10.10.10.1      32        echo*
              permit       icmp      any            -         -         192.168.11.0    24        echo*
              permit       icmp      any            -         -         192.168.11.0    24        time-exceeded*
              permit       icmp      any            -         -         192.168.11.0    24        unreachable*
              deny         ip        any            -         -         any             -         -

*For ICMP traffic the ICMP type is given in the "Dst port" column.

ip access-list extended FROM_DMZ
 deny ip any any
ip access-list extended FROM_INSIDE
 permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.10.10.1 eq www
 permit tcp any host 10.10.10.1 eq 22
 permit tcp any host 10.10.10.1 eq telnet
 permit tcp any host 10.10.10.1 eq smtp
 deny ip any any

 

  3. Set global timeouts and thresholds:

Table3 : Generic protocol timeouts and thresholds (default values)

Protocol  Timeout / threshold          Value
TCP       One-minute                   Low: 400 half-open sessions
                                       High: 500 half-open sessions
          Max-incomplete               Low: 400 half-open sessions
                                       High: 500 half-open sessions
          Per-host half-open sessions  50
          Block-time                   0 min
          Synwait-time                 30 s
          Finwait-time                 5 s
          Idle-time                    3600 s
UDP       Idle-time                    30 s


  4. Define the inspection rule:

For the purpose of this lab, a standard inspection rule is defined for generic TCP and UDP applications.

Each protected zone has its own inspection rule.

ip inspect name MyGENERIC_inside tcp
ip inspect name MyGENERIC_inside udp
ip inspect name MyGENERIC_inside http
ip inspect name MyGENERIC_inside icmp
ip inspect name MyGENERIC_inside ftp

ip inspect name MyGENERIC_dmz tcp
ip inspect name MyGENERIC_dmz udp

 

  5. Apply inspection rules to interfaces:

The inspection rule is applied to the interfaces where the traffic should be inspected:

MyGENERIC_inside applied to Fa0/0 inbound
MyGENERIC_dmz applied to Fa1/0 outbound

interface FastEthernet0/0
 ip access-group FROM_INSIDE in
 ip inspect MyGENERIC_inside in

interface FastEthernet1/0
 ip access-group FROM_DMZ in
 ip inspect MyGENERIC_dmz out

interface FastEthernet2/0
 ip access-group FROM_OUTSIDE in

 

Connectivity check:

To reduce the clutter when troubleshooting CBAC, it is highly recommended to check connectivity between all devices before applying the inspection rules and access lists.

From the DMZ, after applying CBAC and the associated ACL:

DMZ hosts cannot initiate any connection to either the outside or the inside.

DMZ#192.168.40.105
Trying 192.168.40.105 ...
% Destination unreachable; gateway or host down

DMZ#192.168.11.105
Trying 192.168.11.105 ...
% Destination unreachable; gateway or host down
DMZ#

From the outside, after applying CBAC and the associated ACL:

The outside can initiate connections only to the DMZ services predefined in the inspection rules and allowed by the ACL, not to inside hosts.

outside#192.168.11.105
Trying 192.168.11.105 ...
% Destination unreachable; gateway or host down

outside#10.10.10.1
Trying 10.10.10.1 ... Open

User Access Verification

Username:
Password:

DMZ#

 

Monitoring from the CBAC router:

  • The following is a summary of the CBAC configuration, from the output of "show ip inspect all":

CBAC(config-if)#do sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name MyGENERIC_inside
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    http alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
 Inspection name MyGENERIC_dmz
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30

Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is MyGENERIC_inside
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    http alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is FROM_INSIDE
  Outgoing access list is not set
 Interface FastEthernet1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is MyGENERIC_dmz
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Inbound access list is FROM_DMZ
  Outgoing access list is not set

Established Sessions
 Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN
 Session 6509A230 (192.168.40.105:4916)=>(10.10.10.1:23) tcp SIS_OPEN
CBAC(config-if)#

CBAC#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [3:181]
Interfaces configured for inspection 2
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [2:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:01:31
Last statistic reset never
Last session creation rate 0
Last half-open session total 0

CBAC#

 

  • Telnet connections from the inside to the DMZ zone:

CBAC#debug ip inspect detailed
INSPECT Detailed Debug debugging is on
CBAC#
*Mar 1 02:18:23.023: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:24819, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
CBAC#

  • Telnet from the inside to the outside:

inside#192.168.40.105
Trying 192.168.40.105 ... Open

Welcome to Microsoft Telnet Service

login: <adminlogin>
password:

*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\<adminlogin>.MNGMNT.001>

CBAC#
*Mar 1 02:22:52.315: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:29067, dst_tableid:0, dst_addr:192.168.40.105, dst_port:23
CBAC#

  • The IOS firewall router can detect and refuse replayed packets according to the records in its inspection table:

CBAC#
*Mar 1 02:35:03.503: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:13.547: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:23.567: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23

CBAC#sh ip inspect sessions
Established Sessions
Session 65099FB8 (192.168.10.2:29067)=>(192.168.40.105:23) tcp SIS_OPEN
Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN
CBAC#clear

 

  • The IOS router reacts as expected to a SYN flood attack (100 packets every 10 ms) by blocking the half-open sessions that exceed the configured value.

CBAC#
*Mar 1 04:11:43.562: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.10.10.1.
CBAC#
CBAC#sh ip inspect stat
Packet inspection statistics [process switch:fast switch]
tcp packets: [2884:12563]
Interfaces configured for inspection 2
Session creations since subsystem startup or last reset 409
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [3:51:1]
Last session created 00:00:50
Last statistic reset never
Last session creation rate 76
Last half-open session total 0
CBAC#

  • With a more aggressive attack (more than 500 half-open sessions per minute), the IOS firewall reacts by dropping sessions.

*Mar 1 04:14:44.530: %FW-4-ALERT_ON: getting aggressive, count (51/500) current 1-min rate: 501
CBAC#

  • As soon as the number of half-open sessions drops below the low threshold of 400 sessions per minute, the IOS firewall stops dropping sessions.

CBAC#
*Mar 1 04:16:38.294: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
CBAC#

  • This can cause a denial of service of the router itself in a production environment if there is no protection against this type of attack.

CBAC#sh proc cpu
CPU utilization for five seconds: 3%/0%; one minute: 3%; five minutes: 8%

CBAC#sh proc cpu
CPU utilization for five seconds: 41%/56%; one minute: 6%; five minutes: 8%

CBAC#sh proc cpu
CPU utilization for five seconds: 18%/100%; one minute: 9%; five minutes: 9%

CBAC#sh proc cpu
CPU utilization for five seconds: 17%/100%; one minute: 15%; five minutes: 11%
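As an added example (not part of the original lab), the Python script below parses the %FW-4 syslog messages the IOS firewall emits during the SYN-flood test into structured events and replays them into a simple alert state, the way a log pipeline or SIEM rule would; the sample log is constructed from the messages shown above, with one unrelated syslog line mixed in.

```python
# Added example, not part of the original lab: turn IOS firewall %FW-4 alerts
# into structured events and derive the current alert state from them.
import re

# Constructed sample log, modelled on the messages shown in the lab output,
# with one unrelated line mixed in to show that it is ignored.
SAMPLE_LOG = """\
*Mar 1 04:11:43.562: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.10.10.1.
*Mar 1 04:12:10.001: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 04:14:44.530: %FW-4-ALERT_ON: getting aggressive, count (51/500) current 1-min rate: 501
*Mar 1 04:16:38.294: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
"""

TIMESTAMP = re.compile(r"^\*?(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d+):")
# Per-host cap: "Max tcp half-open connections (50) exceeded for host 10.10.10.1."
HOST_ALERT = re.compile(
    r"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections \((\d+)\) "
    r"exceeded for host (\S+?)\.?$"
)
# Global one-minute thresholds: ALERT_ON when the rate crosses the high
# water mark (500), ALERT_OFF once it is back under the low one (400).
GLOBAL_ALERT = re.compile(
    r"%FW-4-(ALERT_ON|ALERT_OFF): .*?count \((\d+)/(\d+)\) current 1-min rate: (\d+)"
)


def parse_fw_events(log_text):
    """Return one dict per recognised %FW-4 line; other lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        ts = TIMESTAMP.match(line)
        stamp = ts.group(1) if ts else None
        m = HOST_ALERT.search(line)
        if m:
            events.append({"time": stamp, "kind": "host_limit",
                           "host": m.group(2), "limit": int(m.group(1))})
            continue
        m = GLOBAL_ALERT.search(line)
        if m:
            events.append({"time": stamp,
                           "kind": "aggressive" if m.group(1) == "ALERT_ON" else "calm",
                           "count": int(m.group(2)), "threshold": int(m.group(3)),
                           "rate": int(m.group(4))})
    return events


def summarize(events):
    """Replay the events in order: is the firewall still in aggressive mode,
    which hosts tripped the per-host cap, and the peak 1-minute rate seen."""
    aggressive = False
    hosts = set()
    peak = 0
    for e in events:
        if e["kind"] == "aggressive":
            aggressive = True
        elif e["kind"] == "calm":
            aggressive = False
        else:
            hosts.add(e["host"])
        peak = max(peak, e.get("rate", 0))
    return {"aggressive": aggressive, "hosts_over_limit": sorted(hosts), "peak_rate": peak}


if __name__ == "__main__":
    evs = parse_fw_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(summarize(evs))
```

A hosts_over_limit entry is the DMZ server being targeted, not the attacker: the %FW-4 messages only name the destination, so source attribution needs the inspection session table or a flow record.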

II) Conclusion:

A successful deployment of CBAC relies on understanding the application traffic that traverses the IOS firewall, knowing where to apply the ACLs and inspection rules and, above all, making sure that everything works before applying CBAC.

 

 
