Archive for the ‘Cisco Security – IOS’ Category

Just a brief overview of setting up an ICMP IP SLA on Cisco routers. The idea is to have a primary connectivity line (via MPLS) and a backup line in case the primary goes down. The backup line takes the traffic load until the primary line is back online, and the switch back to the primary line should happen automatically, with no user intervention. If you need more information about IP SLA features, see Cisco's IP SLA documentation.

Here is connectivity diagram:

[diagram: ipsla]

The idea is to have constant communication between RTR 4331 and RTR2's loopback interface Lo1 (IP address 4.4.4.4). This simulates connectivity to, let's say, an Exchange server located in the main office, even though these days most Exchange servers are in the cloud already, but you get the point.

Let's get to the bread and butter:

The router configuration related to IP SLA is listed below. The router otherwise has a default configuration, no fancy stuff; IP addresses were assigned to the interfaces as per the diagram above.
ip sla 10
 icmp-echo 4.4.4.4 source-interface GigabitEthernet0/0/0
 frequency 5000
 threshold 2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now

ip route 0.0.0.0 0.0.0.0 10.238.254.134 track 10
ip route 0.0.0.0 0.0.0.0 1.1.1.2 10

Two things to keep in mind about the values above. The frequency is in seconds, not milliseconds, so 5000 runs the probe roughly every 83 minutes; the statistics output further down shows a single success although the operation had been running for more than five minutes, which is a consequence of that. For a failover probe, a frequency of a few seconds is what you want. The timeout and threshold are in milliseconds, and with reachability tracking a probe that comes back over threshold still counts as reachable, so "threshold 2" has no influence on the failover; only a failed probe (a timeout, for instance) brings the track down. Note also that pulling the cable takes GigabitEthernet0/0/0 down, and with it the next hop 10.238.254.134 is no longer on a connected subnet, so the MPLS default route stops being usable track or no track. The track earns its keep when the local link stays up but the far side is unreachable, so test that case as well, for instance by blocking the echo replies somewhere on the MPLS path.

Cool. Let's test this.

FEI-R-4331-1#sh ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending

ID           Type        Destination       Stats       Return      Last
                                           (ms)        Code        Run
-----------------------------------------------------------------------
*10          icmp-echo   4.4.4.4           RTT=1       OK          5 minutes, 42 seconds ago

FEI-R-4331-1#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.238.254.134 1 msec 1 msec 0 msec
2 20.20.20.22 0 msec *  1 msec

FEI-R-4331-1#

FEI-R-4331-1#sh ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: 1 milliseconds
Latest operation start time: 09:22:57 pdt Fri Mar 24 2017
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: Forever

Let's start a constant ping to 4.4.4.4, then disconnect the cable on the MPLS line, and run a traceroute to 4.4.4.4:
FEI-R-4331-1#ping 4.4.4.4 repeat 6000
Type escape sequence to abort.
Sending 6000, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
… deleted for clarity
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   <-- two pings lost while the route failed over (5998/6000 below)
… deleted for clarity

Success rate is 99 percent (5998/6000), round-trip min/avg/max = 1/1/7 ms

FEI-R-4331-1#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.2 1 msec 1 msec 1 msec
  2 30.30.30.32 1 msec *  1 msec   <-- traffic now goes over the backup line

FEI-R-4331-1#

Reconnecting the MPLS line:
FEI-R-4331-1#ping 4.4.4.4 repeat 6000
Type escape sequence to abort.
Sending 6000, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   <-- one ping lost while the MPLS interface came back up
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (5999/6000), round-trip min/avg/max = 1/1/6 ms
FEI-R-4331-1#

FEI-R-4331-1#traceroute 4.4.4.4   <-- the route has switched back automatically to the preferred (MPLS) one
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.238.254.134 1 msec 1 msec 0 msec
2 20.20.20.22 0 msec *  1 msec

FEI-R-4331-1#

Here it goes. A very useful feature that has saved valuable time for most of my customer base.
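As an added example, not part of the original post, here is the same failover design with the probe timers corrected and two pitfalls handled: the probe target is pinned to the MPLS path so the probe cannot be answered over the backup line (which would bring the track back up, reinstall the MPLS route, fail the next probe and flap the routes), and the track is dampened with a delay so a single lost probe does not flip the default route. The addressing is assumed to follow the diagram above; the show commands at the end are standard IOS. Keep in mind that the probe is a plain, unauthenticated ICMP echo: whatever answers for 4.4.4.4 on the MPLS side keeps the primary route installed, and whoever can suppress those replies moves all traffic onto the backup line, so the backup circuit needs the same filtering and encryption as the primary, and the probe target should be an address you control rather than a public one.

```cisco
! Added example (not the original post's configuration): hardened IP SLA failover.
! Assumed addressing per the diagram: 10.238.254.134 = MPLS next hop,
! 1.1.1.2 = backup next hop, 4.4.4.4 = probe target on the MPLS side.
!
ip sla 10
 icmp-echo 4.4.4.4 source-interface GigabitEthernet0/0/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! Pin the probe target to the MPLS interface and next hop. Without this the probe
! follows the default route: after a failover it is answered over the backup line,
! the track comes back up, the MPLS route is reinstalled, the next probe fails,
! and the default route flaps. Consequence: 4.4.4.4 is reachable only via MPLS,
! so probe an address that exists only for this purpose (the provider PE, a
! dedicated loopback), never a production server your users need on the backup path.
ip route 4.4.4.4 255.255.255.255 GigabitEthernet0/0/0 10.238.254.134
!
! Hold the track state before flipping it: 15 s of failures before going down,
! 30 s of successes before coming back up, so a brief loss does not swing traffic.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
ip route 0.0.0.0 0.0.0.0 10.238.254.134 track 10
ip route 0.0.0.0 0.0.0.0 1.1.1.2 10
!
! Verification (track state changes are also logged as %TRACK-6-STATE messages):
!  show track 10
!  show ip sla statistics 10
!  show ip route static
```

The timer values are a starting point: the timeout must not exceed the frequency, the threshold must not exceed the timeout, and the delays should be longer than the carrier's own convergence time so the router does not fail over during a reroute inside the MPLS cloud.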

 

Commands are listed here:
ip access-list extended UDP-FLOOD
 permit udp any any
!
class-map match-all UDP-CLASS
 match access-group name UDP-FLOOD
!
policy-map POLICE-UDP
 class UDP-CLASS
  police 16000
!
control-plane
 service-policy input POLICE-UDP

A few notes on what this does. "police 16000" is 16 kbit/s, and since no actions are given the defaults apply: conform-action transmit, exceed-action drop. Inside a class-map the ACL is only a classifier, so "permit udp any any" means "match every UDP packet that reaches the control plane", not "allow"; that includes the UDP the router itself depends on (SNMP, NTP, DHCP, RIP, IKE on 500/4500), which gets dropped together with the flood once the 16 kbit/s bucket is exhausted. Carve that traffic out into its own classes ahead of the catch-all before putting this on a production router.

### Theory ###

Router3(config)#ip access-list extended UDP-FLOOD   !-- define the interesting traffic (a classifier only; it permits or denies nothing by itself)
Router3(config-ext-nacl)#permit udp any any

Router3(config)#class-map ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap
  type       type of the class-map

Router3(config)#class-map match-all ?
  WORD  class-map name

Router3(config)#class-map match-all UDP-CLASS
Router3(config-cmap)#

Router3(config)#policy-map POLICE-UDP
Router3(config-pmap)#?
Policy-map configuration commands:
  class        policy criteria
  description  Policy-Map description
  exit         Exit from policy-map configuration mode
  no           Negate or set default values of a command
  rename       Rename this policy-map

Router3(config-pmap)#class ?
  WORD           class-map name
  class-default  System default class matching otherwise unclassified packets

Router3(config-pmap)#class UDP-CLASS
Router3(config-pmap-c)#?
Policy-map class configuration commands:
  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  exit             Exit from class action configuration mode
  fair-queue       Enable Flow-based Fair Queuing in this Class
  log              Log IPv4 and ARP packets
  measure          Measure
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping

Router3(config-pmap-c)#police ?
  <8000-2000000000>  Bits per second
  cir                Committed information rate
  rate               Specify police rate

Router3(config-pmap-c)#police 16000
Router3(config-pmap-c-police)#exit

Router3(config)#control-plane
Router3(config-cp)#?
Control Plane configuration commands:
  exit            Exit from control-plane configuration mode
  fpm             Attach fpm package group to the console port
  no              Negate or set default values of a command
  service-policy  Configure QOS Service Policy

Router3(config-cp)#service-policy ?
  input   Assign policy-map to the input of an interface
  output  Assign policy-map to the output of an interface
  type    type of the policy-map

Router3(config-cp)#service-policy input POLICE-UDP
Router3(config-cp)#exit
Router3#
###############################################################################