ASA configuration commands:

ASA03-5510(config)# sla monitor 20
ASA03-5510(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA03-5510(config-sla-monitor-echo)# frequency 3
ASA03-5510(config-sla-monitor-echo)# request-data-size 1392
ASA03-5510(config-sla-monitor-echo)# num-packets 3
ASA03-5510(config-sla-monitor-echo)# timeout 1000
ASA03-5510(config)# sla monitor schedule 20 life forever start-time now
ASA03-5510(config)# track 1 rtr 20 reachability
ASA03-5510(config)# route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
ASA03-5510(config)# route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 110
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1392
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# sh sla monitor operational-state
Entry number: 110
Modification time: 06:56:46.879 UTC Tue Aug 5 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 22
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 06:57:49.881 UTC Tue Aug 5 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 10      RTTMin: 10      RTTMax: 10
NumOfRTT: 3     RTTSum: 30      RTTSum2: 300


ASA2# debug icmp trace
ASA2# debug track
ASA2# un all


ASA03-5510# sh ip address
System IP Addresses:
Interface       Name            IP address   Subnet mask     Method
Ethernet0/0     outside         10.99.99.1   255.255.255.0   manual
Ethernet0/1     outside-backup  10.88.99.1   255.255.255.0   manual
Ethernet0/2     inside          1.1.1.10     255.255.255.0   manual

!-- shut down the main ISP interface
!-- Traceroute shows that traffic is going via the backup link (outside-backup interface)

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup

ASA03-5510# traceroute 10.77.99.3

Type escape sequence to abort.
Tracing the route to 10.77.99.3

1  10.88.99.2 0 msec 0 msec 0 msec   !-- via outside-backup
2  10.77.99.3 0 msec *  0 msec

!-- the main ISP interface was brought up.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:01:23
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

!-- traceroute shows that traffic goes via the main ISP now; the route was put back automatically.
ASA03-5510# traceroute 10.77.99.3
Type escape sequence to abort.
Tracing the route to 10.77.99.3

1  10.99.99.2 0 msec 0 msec 0 msec   !-- via outside interface
2  10.77.99.3 0 msec *  0 msec

ASA03-5510# sh run route   !-- only the SLA-related routes are in the configuration

route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside


!-- SLA-related configuration:

ASA Version 8.4(3)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet0/1
nameif outside-backup
security-level 0
ip address 10.88.99.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!

object network inside-host
subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside-host interface
nat (inside,outside-backup) source dynamic inside-host interface
route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 20 life forever start-time now
!
track 1 rtr 20 reachability

Switch Port Security

Posted: December 4, 2013 in General Security Features

interface FastEthernet1/0/1
switchport voice vlan 100                        !-- VLAN 100 as the voice VLAN
switchport port-security                         !-- Configure SW1 to guard against MAC address flooding attacks
switchport port-security maximum 2               !-- max two MAC entries, one per VLAN
switchport port-security maximum 1 vlan voice    !-- for trunk ports, limit the number of MAC addresses learned simultaneously on a port to one per VLAN
switchport port-security maximum 1 vlan access
switchport port-security violation protect       !-- simply drop the traffic
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security mac-address sticky      !-- Retain the MAC addresses learned on the port in the switch configuration
switchport port-security violation restrict      !-- drop offending packets and generate log records of the violation
switchport port-security aging time 10           !-- Age the learned secure entries after 10 minutes of inactivity
switchport port-security aging type inactivity

interface FastEthernet1/0/3
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan 133
switchport port-security maximum 1 vlan 143
switchport port-security violation shutdown vlan    !-- apply the err-disabled state only to the offending VLAN
switchport port-security aging time 10
switchport port-security aging type inactivity

Global commands:

errdisable recovery cause psecure-violation
errdisable recovery interval 180               !-- global config, automatic recovery after 3 minutes

Port security is a layer 2 feature that enforces a limit on the number of MAC addresses allowed per port. Its two main purposes are to prevent unauthorized connections (from unauthorized or unknown MAC addresses) on a port and to prevent MAC address flooding attacks. A MAC address flooding attack consists of sending a barrage of frames with different source MAC addresses, forcing the switch to overpopulate its MAC address table. Once the table overflows, because the switch has exceeded the maximum number of MAC addresses it can learn, the switch starts behaving like a hub, flooding frames out all ports and all VLANs.

Port security works only on ports configured as static access or static trunk.

On a port configured for port security, the switch keeps a table of secure MAC address entries.

#switchport port-security maximum <number> = the total number of secure entries allowed on the interface

On trunk ports, the above command specifies the maximum number of MAC addresses for all VLANs, the aggregate limit. Note that the switch treats the same MAC address on different VLANs as two different MAC addresses.

#switchport port-security maximum <number> vlan <vlan-number> = on trunk ports, specify the maximum number of MAC addresses per VLAN

#switchport port-security maximum <number> vlan [access|voice] = if the port is an access port configured with both a data and a voice VLAN, impose the limit on either of the two VLANs

When a switch has reached the maximum allowed number of MAC addresses on the port level or VLAN level, and a frame with a new source MAC address arrives on the port, the switch may take any of the following actions:

Shutdown: The port enters the err-disabled state and all frames received on the port are discarded.

Shutdown VLAN: The VLAN enters the err-disabled state, but only on the port where the violation occurred; all frames received on that port for that VLAN are discarded. In this case a syslog message is also generated.

Protect: All offending frames are silently discarded on the VLAN where the violation occurred, for the respective port. Protect mode is not recommended for trunk ports because as soon as any VLAN on the trunk reaches its MAC address limit, the port stops learning MAC addresses on every other VLAN as well. The worst thing about this mode is that the switch does not notify you with a logging message.

Restrict: All frames are discarded for the respective port, but a syslog message and SNMP trap are generated. You must additionally configure the SNMP hosts to send the actual traps.

The default port security violation action, unless otherwise configured, is shutdown. The switch does not allow the same MAC address to appear on more than one secure port at the same time. Thus, if a switch has learned a MAC address on a secure port, it will not allow the same address to appear on other layer 2 ports until the secure entry has expired. The switch ages out secure MAC address entries using a configurable timeout. You can set the timeout and its mode per port using the following two commands:

switchport port-security aging time <minutes>

switchport port-security aging type {absolute|inactivity}

Absolute aging instructs the switch to age out each MAC address entry when the timeout period has elapsed, so it is unconditional.
Inactivity aging instructs the switch to age out each MAC address entry only if it has been inactive for an interval equal to the timeout period, so it is conditional.

If the port security feature has shut down a port, the port can be restored to an operational state using the automatic error-disable recovery procedure, or manually by issuing a shutdown command followed by a no shutdown command on the port.

There are multiple reasons that can cause a port to enter the err-disabled state, so we must specify both the cause for which the port entered the err-disabled state and the interval for keeping it there. The interval is a global value that applies to all err-disable causes:

errdisable recovery cause <cause>

errdisable recovery interval <seconds>

#errdisable recovery cause ?

all                      Enable timer to recover from all error causes
arp-inspection           Enable timer to recover from arp inspection error disable state
bpduguard                Enable timer to recover from BPDU Guard error
channel-misconfig (STP)  Enable timer to recover from channel misconfig error
dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
dtp-flap                 Enable timer to recover from dtp-flap error
gbic-invalid             Enable timer to recover from invalid GBIC error
link-flap                Enable timer to recover from link-flap error
loopback                 Enable timer to recover from loopback error
mac-limit                Enable timer to recover from mac limit disable state
pagp-flap                Enable timer to recover from pagp-flap error
port-mode-failure        Enable timer to recover from port mode change failure
pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limiterror
psecure-violation        Enable timer to recover from psecure violation error
security-violation       Enable timer to recover from 802.1x violation error
sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
small-frame              Enable timer to recover from small frame error
storm-control            Enable timer to recover from storm-control error
udld                     Enable timer to recover from udld error
vmps                     Enable timer to recover from vmps shutdown error

#switchport port-security mac-address <mac-address> = configure static secure MAC address entries. Static entries also count against the maximum number of allowed MAC addresses on the interface.

#switchport port-security aging static = configure a port to age static secure MAC address entries. This may be useful when you need to set up guaranteed access for a specific MAC address for some amount of time.

# switchport port-security mac-address sticky = the port-security feature known as sticky learning. It allows you to transform dynamically learned MAC addresses into static secure MAC addresses. When a switch learns a new MAC address on a port in sticky mode, it generates a configuration line for that MAC address as a secure static entry. This line appears in the running configuration, so you need to save it to make the static entry truly permanent; otherwise, if the switch reloads, the entry is lost. Instead of saving the configuration manually, a kron policy or an EEM script can be used to save the configuration automatically, either periodically or triggered by an event.

# switchport port-security  = enable security feature
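The rules above (per-port and per-VLAN maximums, the four violation actions, absolute versus inactivity aging, sticky entries, the one-MAC-per-secure-port rule and err-disable recovery) can be exercised in a small model. The Python below is an added example, not code from the original post or from any switch; port names, MAC addresses and timings are constructed, and the syslog line is a constructed stand-in for the real message.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN, SHUTDOWN_VLAN = "protect", "restrict", "shutdown", "shutdown vlan"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                                # switchport port-security maximum <n>
    per_vlan: dict = field(default_factory=dict)    # switchport port-security maximum <n> vlan <id>
    violation: str = SHUTDOWN                       # default violation action is shutdown
    aging_time: int = 0                             # minutes; 0 means secure entries never age
    aging_type: str = "absolute"                    # absolute | inactivity
    aging_static: bool = False                      # switchport port-security aging static
    sticky: bool = False                            # switchport port-security mac-address sticky
    err_disabled: bool = False
    disabled_at: int = 0
    err_disabled_vlans: set = field(default_factory=set)
    table: dict = field(default_factory=dict)       # (mac, vlan) -> {"kind", "learned", "seen"}
    syslog: list = field(default_factory=list)


class Switch:
    def __init__(self, recovery_interval=0):
        self.ports, self.now = {}, 0                # clock in seconds, advanced by tick()
        self.recovery_interval = recovery_interval  # errdisable recovery interval <seconds>

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, mac, vlan):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC on this VLAN."""
        p = self.ports[port_name]
        if p.err_disabled or vlan in p.err_disabled_vlans:
            return "drop"
        entry = p.table.get((mac, vlan))
        if entry:
            entry["seen"] = self.now
            return "forward"
        # Same MAC on different VLANs counts twice, but one MAC/VLAN may not be secured on two ports.
        if any(o is not p and (mac, vlan) in o.table for o in self.ports.values()):
            return self._violation(p, vlan, mac)
        in_vlan = sum(1 for (_, v) in p.table if v == vlan)
        if len(p.table) >= p.maximum or in_vlan >= p.per_vlan.get(vlan, p.maximum):
            return self._violation(p, vlan, mac)
        p.table[(mac, vlan)] = {"kind": "sticky" if p.sticky else "dynamic",
                                "learned": self.now, "seen": self.now}
        return "forward"

    def _violation(self, p, vlan, mac):
        if p.violation == PROTECT:                  # silently discarded, nothing is logged
            return "drop"
        p.syslog.append(f"port-security violation on {p.name} vlan {vlan} by {mac}")  # constructed
        if p.violation == SHUTDOWN:
            p.err_disabled, p.disabled_at = True, self.now
        elif p.violation == SHUTDOWN_VLAN:
            p.err_disabled_vlans.add(vlan)
        return "drop"                               # restrict: drop and log, the port stays up

    def tick(self, seconds):
        """Advance the clock, age out secure entries and run err-disable recovery."""
        self.now += seconds
        for p in self.ports.values():
            if p.err_disabled and self.recovery_interval and self.now - p.disabled_at >= self.recovery_interval:
                p.err_disabled = False              # errdisable recovery cause psecure-violation
            if not p.aging_time:
                continue
            for key, e in list(p.table.items()):
                if e["kind"] != "dynamic" and not p.aging_static:   # static/sticky need 'aging static'
                    continue
                ref = e["learned"] if p.aging_type == "absolute" else e["seen"]
                if self.now - ref >= p.aging_time * 60:
                    del p.table[key]


def demo():
    """Replay the situations described in the notes and return what happened."""
    sw = Switch(recovery_interval=180)
    sw.add_port(SecurePort("Fa1/0/1", maximum=2, per_vlan={100: 1, 13: 1}, violation=RESTRICT,
                           aging_time=10, aging_type="inactivity"))
    sw.add_port(SecurePort("Fa1/0/3", maximum=2, per_vlan={133: 1, 143: 1}, violation=SHUTDOWN_VLAN))
    sw.add_port(SecurePort("Fa1/0/5", maximum=1, violation=SHUTDOWN))
    r = {}
    r["first_in_vlan"] = sw.receive("Fa1/0/1", "0000.aaaa.0001", 13)     # learned dynamically
    r["second_in_vlan"] = sw.receive("Fa1/0/1", "0000.aaaa.0002", 13)    # per-VLAN limit reached
    r["voice_ok"] = sw.receive("Fa1/0/1", "0000.aaaa.0003", 100)         # other VLAN still has room
    r["restrict_logged"] = len(sw.ports["Fa1/0/1"].syslog)
    sw.receive("Fa1/0/3", "0000.bbbb.0001", 133)
    sw.receive("Fa1/0/3", "0000.bbbb.0002", 133)                         # err-disables VLAN 133 only
    r["vlan_shutdown"] = sw.receive("Fa1/0/3", "0000.bbbb.0001", 133)
    r["other_vlan_alive"] = sw.receive("Fa1/0/3", "0000.bbbb.0003", 143)
    r["dup_mac"] = sw.receive("Fa1/0/5", "0000.aaaa.0001", 13)           # already secured on Fa1/0/1
    r["port_disabled"] = sw.ports["Fa1/0/5"].err_disabled
    sw.tick(300)
    sw.receive("Fa1/0/1", "0000.aaaa.0001", 13)                          # activity at t = 300 s
    sw.tick(360)                                                         # t = 660 s: idle 360 s < 600 s
    r["still_secured"] = ("0000.aaaa.0001", 13) in sw.ports["Fa1/0/1"].table
    r["recovered"] = not sw.ports["Fa1/0/5"].err_disabled                # 180 s recovery interval passed
    sw.tick(300)                                                         # t = 960 s: idle 660 s >= 600 s
    r["aged_out"] = ("0000.aaaa.0001", 13) not in sw.ports["Fa1/0/1"].table
    return r
```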

#sh spanning-tree vl 13     !-- Determine which interfaces run STP in VLAN 13

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     b4a4.e354.4800
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)
             Address     b4a4.e354.4800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/10              Desg FWD 19        128.10   P2p        !-- trunking port
Fa0/11              Desg FWD 19        128.11   P2p        !-- trunking port
Fa0/38              Desg FWD 19        128.38   P2p Edge   !-- port assigned to vl 13
Fa0/40              Desg FWD 19        128.40   P2p Edge   !-- port assigned to vl 13
Gi0/1               Desg FWD 4         128.49   P2p        !-- trunking port between the two switches


SW1-p25#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     ** R1 et0/0 **     notconnect   11         auto    auto  10/100BaseTX
Fa0/10    *ESX LAN 2 *       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/11    *ESX LAN 1 *       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/38    R3 f0/1            connected    13         a-full  a-100 10/100BaseTX
Fa0/40                       connected    13         a-full  a-100 10/100BaseTX
Gi0/1     ** Trunk DM-CoreSW connected    trunk      a-full a-1000 10/100/1000BaseTX


SW1-p25#sh run int f0/38

interface FastEthernet0/38
description R3 f0/1
switchport access vlan 13
switchport mode access
switchport nonegotiate               !-- this shows in the config that DTP is disabled on the port
spanning-tree portfast

!-- You disabled DTP on the switch port with the switchport mode access command, but to make it more visible you can add one extra line to the port configuration: switchport nonegotiate. If the remote end still runs DTP, as is the case for our trunk ports because DTP is enabled on SW2, you'll see the dropped packets counter increasing, since each DTP message received inbound is dropped.

SW1-p25#sh dtp int f0/38

DTP information for FastEthernet0/38:
TOS/TAS/TNS:                              ACCESS/OFF/ACCESS
TOT/TAT/TNT:                              802.1Q/802.1Q/802.1Q
Neighbor address 1:                       00000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       never/STOPPED                 !-- shows DTP is disabled on the switch port
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S1:OF
# times multi & trunk                     0
Enabled:                                  no
In STP:                                   no

Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
0 packets output (0 good)
0 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
0 link ups
14 link downs, last link down on Mon Dec 02 2013, 09:12:23


On trunk ports:

SW1-p25#sh dtp int f0/10

DTP information for FastEthernet0/10:
TOS/TAS/TNS:                              TRUNK/ON/TRUNK
TOT/TAT/TNT:                              802.1Q/802.1Q/802.1
Neighbor address 1:                       000000000000
Neighbor address 2:                       000000000000
Hello timer expiration (sec/state):       24/RUNNING
Access timer expiration (sec/state):      never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state):   never/STOPPED
FSM state:                                S6:TRUNK
# times multi & trunk                     0
Enabled:                                  yes
In STP:                                   no

Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
51672 packets output (51672 good)
51672 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
1 link ups, last link up on Fri Nov 15 2013, 10:19:26
0 link downs


SW1-p25#sh int f0/38 switchport     !-- A commonly used way to identify the DTP state of an interface is to view its layer 2 port state information

Name: Fa0/38
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    !!!
Access Mode VLAN: 13 (VLAN0013)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

SW1-p25#


##### Theory #####

DTP is the protocol that lets two switches negotiate the interconnecting link as a trunk, as well as the trunking protocol (802.1q or ISL, with ISL having priority over 802.1q), without any required configuration. There are two possible DTP default port states:
     Dynamic Desirable (DTP Active): the port actively sends DTP messages, so it initiates trunk formation.
     Dynamic Auto (DTP Passive): the port waits for DTP messages from the other end in order to respond and negotiate trunk formation.

If you connect two switches whose ports are in Dynamic Auto mode out of the box, no trunk is formed because neither switch initiates the DTP negotiation.
In a common trunk port configuration, at a minimum you specify the trunking protocol and administratively set the port as a trunk, with the following interface-level commands:

     switchport trunk encapsulation dot1q
     switchport mode trunk

In a common access port configuration, at a minimum you specify the VLAN membership and administratively set the port as access, with the following interface-level commands:

     switchport access vlan 13
     switchport mode access

Ports administratively configured as trunks still have DTP enabled, whereas ports administratively configured as access have DTP disabled. Even if you configure a port as a static trunk, you still want DTP enabled because the other end of the link might not yet be configured as a static trunk, and you don't want to break the link. After you have configured a port as static access, you do not want it to become a trunk, so there is no need to leave DTP enabled.

The interface-level command to manually disable DTP is switchport nonegotiate.
You might want to use this command on access ports just to make the setting visible in the configuration, whereas on trunk ports it is the command you must use to disable DTP.
The command that implicitly disables DTP on access ports is switchport mode access.
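The negotiation outcomes described above can be written down as a small decision function. This Python is an added example, not code from the post or from Cisco; it goes beyond the two dynamic defaults in the text and also covers static trunk, static access and switchport nonegotiate, using the standard Cisco DTP behaviour. The assumption that a port with no "switchport mode" line defaults to dynamic auto is marked in the code.

```python
TRUNK, ACCESS, DESIRABLE, AUTO = "trunk", "access", "dynamic desirable", "dynamic auto"
NONEGOTIATE_TRUNK = "trunk nonegotiate"     # switchport mode trunk + switchport nonegotiate


def sends_dtp(mode):
    """'Negotiation of Trunking' in 'sh int switchport': static access (implicitly) and
    'switchport nonegotiate' stop the port from sending DTP frames at all."""
    return mode in (TRUNK, DESIRABLE, AUTO)


def initiates(mode):
    """Only DTP-active ports (static trunk, dynamic desirable) start a negotiation."""
    return mode in (TRUNK, DESIRABLE)


def link_result(local, remote):
    """Return (outcome, reason) for the administrative modes on the two ends of a link:
    'trunk', 'access' or 'mismatch' (one end tags frames while the other does not)."""
    static_trunk = {TRUNK, NONEGOTIATE_TRUNK}
    if local in static_trunk and remote in static_trunk:
        return "trunk", "both ends are statically trunk, no DTP needed"
    if local == ACCESS and remote == ACCESS:
        return "access", "both ends are statically access"
    if {local, remote} & static_trunk and ACCESS in (local, remote):
        return "mismatch", "one end trunks while the other is access"
    # From here on at least one end is dynamic and depends on what it hears.
    for me, peer in ((local, remote), (remote, local)):
        if me in (DESIRABLE, AUTO) and not sends_dtp(peer):
            if peer == NONEGOTIATE_TRUNK:
                return "mismatch", f"{peer} end sends no DTP, so the {me} end stays access"
            return "access", f"{peer} end sends no DTP, so the {me} end stays access"
    if initiates(local) or initiates(remote):
        return "trunk", "a DTP-active end initiated and the peer agreed"
    return "access", "two dynamic auto ends both wait, nobody initiates"


def mode_from_config(lines):
    """Derive the administrative mode from the 'switchport ...' lines of an interface block.
    Assumes the platform default of dynamic auto when no 'switchport mode' line is present."""
    mode, nonegotiate = AUTO, False
    for line in lines:
        line = line.strip()
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line == "switchport nonegotiate":
            nonegotiate = True
    return NONEGOTIATE_TRUNK if (mode == TRUNK and nonegotiate) else mode
```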

During troubleshooting it is often necessary to see what traffic is being passed between two networks or two hosts. Let's use the built-in capture tool. Below are the steps you need to take.
In this case we are troubleshooting traffic between a host with the address 20.20.20.1 and a host with the address 10.10.10.1.

1.) Define the traffic that you would like to check by creating an access list called LB:

#access-list LB extended permit ip host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit ip host 10.10.10.1 host 20.20.20.1
#access-list LB extended permit icmp host 20.20.20.1 host 10.10.10.1
#access-list LB extended permit icmp host 10.10.10.1 host 20.20.20.1

2.) Create and start the packet capture process called LB:

#capture LB access-list LB

3.) Create some traffic between these hosts.
Our ACL matches all traffic between these two hosts, so let's just start pinging:

From the host 20.20.20.1 ping 10.10.10.1
From the host 10.10.10.1 ping 20.20.20.1

4.) Analyze the packet capture.

#show capture LB    !-- This will show all captured traffic.

5.) Turn off the packet capture and remove the ACL:

#no capture LB
#clear configure access-list LB

#clear capture LB                    !-- clear the capture buffer with this command
#show capture LB | inc 20.20.20.1    !-- use the pipe functionality when viewing output

BGP

Posted: November 26, 2013 in Generic IOS, Uncategorized


Router1(config-router)#do sh ip int br
FastEthernet0/0 136.1.13.1
Loopback0 150.1.1.1

Router1(config)#router bgp 11
Router1(config-router)#neighbor 136.1.23.2 remote-as 22
Router1(config-router)#neighbor 136.1.23.2 ttl-security hops 2
Router1(config-router)#network 150.1.1.1 mask 255.255.255.255
Router1(config-router)#exit

router bgp 11
no synchronization
bgp log-neighbor-changes
network 150.1.1.1 mask 255.255.255.255
neighbor 136.1.23.2 remote-as 22
neighbor 136.1.23.2 ttl-security hops 2
no auto-summary
!
Router2(config)#router bgp 22
Router2(config-router)#neighbor 136.1.13.1 remote-as 11
Router2(config-router)#neighbor 136.1.13.1 ttl-security hops 2
Router2(config-router)#network 150.1.2.2 mask 255.255.255.255
Router2(config-router)#exit

router bgp 22
no synchronization
bgp log-neighbor-changes
network 150.1.2.2 mask 255.255.255.255
neighbor 136.1.13.1 remote-as 11
neighbor 136.1.13.1 ttl-security hops 2
no auto-summary

Router2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 136.1.23.2
Loopback0 150.1.2.2

Router2#sh ip bgp summary
BGP router identifier 150.1.2.2, local AS number 22
BGP table version is 2, main routing table version 2
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 296 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4    11       0       0        1    0    0 never    Idle

ip access-list extended TTL
permit ip host 172.16.1.1 any ttl lt 2
!
class-map acl-filter-class
match access-group name TTL
!
policy-map acl-filter
class acl-filter-class
drop
!
control-plane
service-policy input acl-filter

The following example configures a traffic class called acl-filter-class for use in a policy map called acl-filter. An access list permits IP packets from any source having a TTL of 0 or 1. Any packets matching the access list are dropped.
The policy map is attached to the control plane.

!-- Defines an IP access list that filters on a TTL value; it must be an extended access list.
!-- Every access list must have at least one permit statement. This access list sets the conditions for a packet to match the named IP access list.
!-- This example permits packets from source 172.16.1.1 to any destination with a TTL value less than 2. Any packets that match the access list are dropped by the policy. This special access list is separate from any interface access list.
ip access-list extended TTL
permit ip host 172.16.1.1 any ttl lt 2

!-- Creates a class map used to match packets to a specified class.
class-map acl-filter-class
!-- Configures the match criteria for the class map on the basis of the specified access control list.
match access-group name TTL

!-- Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
policy-map acl-filter
!-- Specifies the name of the class whose policy you want to create or change, or the default class (commonly known as class-default), before you configure its policy.
class acl-filter-class
!-- Configures the traffic class to discard packets belonging to it.
drop

!-- Enters control-plane configuration mode, where attributes or parameters associated with the control plane of the device are set.
control-plane
!-- Attaches a policy map to the control plane for aggregate control plane services.
Router(config-cp)# service-policy input acl-filter

Commands are listed here:
ip access-list extended UDP-FLOOD
permit udp any any
!
class-map match-all UDP-CLASS
match access-group name UDP-FLOOD
!
policy-map POLICE-UDP
class UDP-CLASS
police 16000
!
control-plane
service-policy input POLICE-UDP
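To see what these three protections do to individual packets, here is an added Python model (not the author's configuration or any Cisco code) of the control-plane decisions on this page: the GTSM check behind neighbor ... ttl-security hops 2, the TTL access-list class that drops, and the 16000 bps policer for UDP. It treats the two policy maps as two classes of one input service policy, assumes a single-rate policer with a default burst Bc = max(1500, CIR/32) bytes and a GTSM accept threshold of 255 - hops; those two values are assumptions, not from the page. The packets are constructed.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    t: float        # arrival time in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    ttl: int
    length: int     # bytes


def gtsm_accept(pkt, hops):
    """neighbor ... ttl-security hops N: the peer sends TTL 255, so a segment that crossed
    more than N routers arrives with a TTL below the threshold and is discarded before BGP
    ever processes it. The threshold 255 - hops is an assumption of this model."""
    return pkt.ttl >= 255 - hops


class Policer:
    """Single-rate policer like 'police <bps>': a token bucket of Bc bytes refilled at the
    CIR. Bc = max(1500, CIR/32) bytes is an assumed default, not a value from the page."""

    def __init__(self, cir_bps, bc=None):
        self.cir = cir_bps
        self.bc = bc if bc is not None else max(1500, cir_bps // 32)
        self.tokens = self.bc
        self.last = 0.0

    def offer(self, t, length):
        self.tokens = min(self.bc, self.tokens + (t - self.last) * self.cir / 8)
        self.last = t
        if length <= self.tokens:
            self.tokens -= length
            return "conform"                 # default conform-action: transmit
        return "exceed"                      # default exceed-action: drop


def ttl_class_matches(pkt):
    """class-map acl-filter-class -> access list TTL: permit ip host 172.16.1.1 any ttl lt 2."""
    return pkt.src == "172.16.1.1" and pkt.ttl < 2


def udp_class_matches(pkt):
    """class-map match-all UDP-CLASS -> access list UDP-FLOOD: permit udp any any."""
    return pkt.proto == "udp"


def control_plane(packets, policer):
    """Classify each packet the way one service policy with both classes would: the TTL
    class drops, the UDP class is policed, everything else (class-default) is transmitted.
    Returns one action string per packet, in order."""
    actions = []
    for pkt in packets:
        if ttl_class_matches(pkt):
            actions.append("drop(ttl)")
        elif udp_class_matches(pkt):
            verdict = policer.offer(pkt.t, pkt.length)
            actions.append("transmit" if verdict == "conform" else "drop(police)")
        else:
            actions.append("transmit")
    return actions


# Constructed sample: three UDP packets within half a second, then two TCP packets from
# 172.16.1.1, one with TTL 1 and one with a normal TTL.
SAMPLE = [
    Packet(0.0, "10.0.0.9", "10.0.0.1", "udp", 64, 1000),
    Packet(0.0, "10.0.0.9", "10.0.0.1", "udp", 64, 1000),   # only 500 bytes left in the bucket
    Packet(0.5, "10.0.0.9", "10.0.0.1", "udp", 64, 1000),   # 0.5 s at 16000 bps refills 1000 bytes
    Packet(0.6, "172.16.1.1", "10.0.0.1", "tcp", 1, 60),    # ttl lt 2 -> dropped by the TTL class
    Packet(0.6, "172.16.1.1", "10.0.0.1", "tcp", 64, 60),   # normal TTL passes to the control plane
]


def run_sample():
    return control_plane(SAMPLE, Policer(16000))
```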

### Theory ###

Router3(config)#ip access-list extended UDP-FLOOD     !-- define the interesting traffic
Router3(config-ext-nacl)#permit udp any any

Router3(config)#class-map ?
WORD         class-map name
match-all    Logical-AND all matching statements under this classmap
match-any    Logical-OR all matching statements under this classmap
type         type of the class-map

Router3(config)#class-map match-all ?
WORD         class-map name

Router3(config)#class-map match-all UDP-CLASS
Router3(config-cmap)#

Router3(config)#policy-map POLICE-UDP
Router3(config-pmap)#?
Policy-map configuration commands:
class          policy criteria
description    Policy-Map description
exit           Exit from policy-map configuration mode
no             Negate or set default values of a command
rename         Rename this policy-map

Router3(config-pmap)#class ?
WORD             class-map name
class-default    System default class matching otherwise unclassified packets

Router3(config-pmap)#class UDP-CLASS
Router3(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth        Bandwidth
compression      Activate Compression
drop             Drop all packets
exit             Exit from class action configuration mode
fair-queue       Enable Flow-based Fair Queuing in this Class
log              Log IPv4 and ARP packets
measure          Measure
netflow-sampler  NetFlow action
no               Negate or set default values of a command
police           Police
priority         Strict Scheduling Priority for this Class
queue-limit      Queue Max Threshold for Tail Drop
random-detect    Enable Random Early Detection as drop policy
service-policy   Configure QoS Service Policy
set              Set QoS values
shape            Traffic Shaping

Router3(config-pmap-c)#police ?
<8000-2000000000> Bits per second
cir Committed information rate
rate Specify police rate

Router3(config-pmap-c)#police 16000
Router3(config-pmap-c-police)#exit

Router3(config)#control-plane
Router3(config-cp)#?
Control Plane configuration commands:
exit Exit from control-plane configuration mode
fpm Attach fpm package group to the console port
no Negate or set default values of a command
service-policy Configure QOS Service Policy

Router3(config-cp)#service-policy ?
input Assign policy-map to the input of an interface
output Assign policy-map to the output of an interface
type type of the policy-map

Router3(config-cp)#service-policy input POLICE-UDP
Router3(config-cp)#exit
Router3#
###############################################################################

BGP

Posted: October 18, 2013 in Uncategorized
Router1(config)#router bgp 1                              !-- Autonomous system number
!-- Flags a network as local to this autonomous system and enters it in the BGP table. Specify a network to announce via BGP
Router1(config)#network 150.1.1.1 mask 255.255.255.255
!-- Specify a neighbor router
Router1(config)#neighbor 136.1.13.3 remote-as 3
!-- Set a password
Router1(config)#neighbor 136.1.13.3 password PASSWORD
Router3(config)#router bgp 3
Router3(config)#network 150.1.3.3 mask 255.255.255.255
Router3(config)#neighbor 136.1.13.1 remote-as 1
Router3(config)#neighbor 136.1.23.2 remote-as 2
Router3(config)#neighbor 136.1.13.1 password PASSWORD
Router3(config)#neighbor 136.1.23.2 password PASSWORD

Router1(config)#router ?
bgp       Border Gateway Protocol (BGP)
eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
isis      ISO IS-IS
iso-igrp  IGRP for OSI networks
mobile    Mobile routes
odr       On Demand stub Routes
ospf      Open Shortest Path First (OSPF)
rip       Routing Information Protocol (RIP)

*Oct 18 15:24:04.306: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(179) to 136.1.13.1(19226)
*Oct 18 15:24:07.466: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(16117) to 136.1.13.1(179)
*Oct 18 15:24:24.302: %BGP-5-ADJCHANGE: neighbor 136.1.13.3 Up

Router1#sh ip bgp summary
BGP router identifier 150.1.1.1, local AS number 1
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/3 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 936 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.3      4     3       7       5        4    0    0 00:00:50        2

!-- To check the BGP table
Router1#sh ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.1.1/32     0.0.0.0                  0         32768 i
*> 150.1.2.2/32     136.1.13.3                             0 3 2 i
*> 150.1.3.3/32     136.1.13.3               0             0 3 i
Router1#
!– Wrong password entered on Router1 (the peer still uses PASSWORD):
Router1(config)#router bgp 1
Router1(config-router)#neighbor 136.1.13.3 password ee     !– the mismatched password results in:
*Oct 18 15:27:45.802: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:46.974: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:49.318: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to

Router3#sh ip bgp
%BGP-5-ADJCHANGE: neighbor 136.1.13.1 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 616 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4            1       5       5        2    0    0 00:00:02        1
136.1.23.2      4            2       0       0        1    0    0 never    Active

%BGP-5-ADJCHANGE: neighbor 136.1.23.2 Up

Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
…..

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4            1       7       9        4    0    0 00:02:29        1
136.1.23.2      4            2       7       8        4    0    0 00:02:17        1

!– Verify authentication on a per-neighbour basis (look for md5 in the Option Flags of the session):
Router3#sh ip bgp neighbors 136.1.23.2
BGP neighbor is 136.1.23.2,  remote AS 2, external link
BGP version 4, remote router ID 150.1.2.2
BGP state = Established, up for 00:02:26
……
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 12 (out of order: 0), with data: 6, total data bytes: 212
Sent: 10 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 297
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
Router3#sh ip bgp neighbors 136.1.13.1
BGP neighbor is 136.1.13.1,  remote AS 1, external link
BGP version 4, remote router ID 150.1.1.1
BGP state = Established, up for 00:02:50
Last read 00:00:01, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
…….
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6

Datagrams (max data segment is 1460 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 231
Sent: 12 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 7, total data bytes: 316
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
!– Failure in authentication (the two sides are configured with different passwords):
%TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.1(41138) to 136.1.13.3(179)
!– Error logged when MD5 authentication is enabled on one router but not on its peer:
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)

##### Theory #####
BGP runs over TCP, and the neighbor ... password command does not authenticate BGP messages themselves: it enables the TCP MD5 Signature Option (TCP option kind 19, RFC 2385) on the session. Every segment then carries a 16-byte MD5 digest computed over the IP pseudo-header, the fixed TCP header, the segment data and the shared password. A segment that arrives without the option ("No MD5 digest") or with a digest computed from a different password ("Invalid MD5 digest") is discarded by TCP before it reaches the BGP process, so an attacker who does not know the password cannot inject data or reset the session with spoofed segments. The password must be identical on both peers, and changing it on one side first drops the session until the other side matches. MD5 is obsolete as a hash, but here it is used as a keyed MAC; the practical weaknesses are the lack of any key-rollover mechanism and the password sitting in the running configuration (service password-encryption only applies reversible type 7 obfuscation). Where the platform supports it, TCP-AO (RFC 5925) with key chains is the replacement.
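The following Python script, added here as an example and not part of the original lab, builds and checks the RFC 2385 option exactly as described: it signs a constructed TCP segment between the two BGP peers above with the password PASSWORD, then classifies received segments the way the %TCP-6-BADAUTH messages do. The ports, sequence numbers and payload are constructed for the example; the TCP checksum is left at zero because the point is the signature, not delivery.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TCPOLEN_MD5SIG = 18   # kind + length + 16-byte digest


def pseudo_header(src_ip, dst_ip, segment_len):
    """IPv4 pseudo-header in RFC 2385 order: src, dst, zero, protocol 6, TCP length
    (the length covers header, options and data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def tcp_md5_digest(src_ip, dst_ip, segment, password):
    """RFC 2385 digest: pseudo-header, the 20-byte fixed TCP header with the checksum
    zeroed (options are excluded, so the digest can be computed before it is inserted),
    the segment data, and finally the password itself."""
    data_offset = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, len(segment)))
    h.update(bytes(fixed))
    h.update(segment[data_offset:])
    h.update(password)
    return h.digest()


def build_segment(sport, dport, seq, ack, flags, payload, digest=None):
    """TCP header (plus MD5 option padded with two NOPs when a digest is given) followed
    by payload. The TCP checksum is left at zero: this example is about the signature."""
    options = b""
    if digest is not None:
        options = struct.pack("!BB", TCPOPT_MD5SIG, TCPOLEN_MD5SIG) + digest + b"\x01\x01"
    hdr_len = 20 + len(options)
    offset_and_flags = ((hdr_len // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)
    return header + options + payload


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """Build the segment with a placeholder digest, then fill in the real one
    (bytes 22..37: the option starts at byte 20 with kind and length)."""
    seg = bytearray(build_segment(sport, dport, seq, ack, flags, payload, b"\x00" * 16))
    seg[22:38] = tcp_md5_digest(src_ip, dst_ip, bytes(seg), password)
    return bytes(seg)


def find_md5_option(segment):
    """Walk the TCP option list and return the 16-byte digest, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, password):
    """The receiver's decision, named after the IOS %TCP-6-BADAUTH messages above."""
    received = find_md5_option(segment)
    if received is None:
        return "No MD5 digest"
    expected = tcp_md5_digest(src_ip, dst_ip, segment, password)
    if not hmac.compare_digest(received, expected):
        return "Invalid MD5 digest"
    return "OK"


if __name__ == "__main__":
    # Constructed segment from Router3 (136.1.13.3, port 179) to Router1, as in the log.
    seg = sign_segment("136.1.13.3", "136.1.13.1", 179, 19226, 1000, 2000, 0x018,
                       b"constructed BGP payload", b"PASSWORD")
    print(verify_segment("136.1.13.3", "136.1.13.1", seg, b"PASSWORD"))
    print(verify_segment("136.1.13.3", "136.1.13.1", seg, b"ee"))
```

Because the digest covers the pseudo-header, a segment signed for one address pair fails verification if it is replayed towards a different address, and because the data is covered, a single flipped payload byte is rejected as well.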

##############################################################################################################

EIGRP Authentication

Posted: October 16, 2013 in Uncategorized

When the basic EIGRP config is entered, the existing routing (OSPFv3 here) goes down, as the debug output shows (go figure):

Router3#
OSPFv3: Interface FastEthernet0/1 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/1
OSPFv3: DR/BDR election on FastEthernet0/1
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: Interface Loopback0 going Down
OSPFv3: Interface FastEthernet0/0 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: 150.1.2.2 address FE80::21B:53FF:FEE5:9478 on FastEthernet0/0 is dead, state DOWN
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0

Router3#
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none

!– New EIGRP config being entered. Key chain MD5CHAIN is a single static key for the R1-R3 link (f0/1); key chain ROLLOVER rotates from key 1 to key 2 at midnight on Jan 1 2014 on the R2-R3 link (f0/0). The accept-lifetimes overlap by an hour on each side of the rollover, the send-lifetimes do not overlap at all.

Router3(config)#key chain MD5CHAIN
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5STRING
Router3(config)#int f0/1
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 MD5CHAIN

Router3(config)#key chain ROLLOVER
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string KEY1
Router3(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2013 00:00:00 Jan 1 2014
Router3(config-keychain)#key 2
Router3(config-keychain-key)#accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
Router3(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2014 00:00:00 Jan 1 2015
!– Note: no key-string was entered for key 2; show key chain below reports it as "(unset)".

Router3(config)#int f0/0
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 ROLLOVER
Router3(config)#router eigrp 1
Router3(config-router)#network 150.1.0.0
Router3(config-router)#network 136.1.0.0

!– show run output related to EIGRP:

key chain MD5CHAIN
key 1
key-string MD5STRING
key chain ROLLOVER
key 1
key-string KEY1
accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
send-lifetime 00:00:00 Jan 1 2013 00:00:00 Jan 1 2014
key 2
accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
send-lifetime 00:00:00 Jan 1 2014 00:00:00 Jan 1 2015
!
interface FastEthernet0/0
ip address 136.1.23.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 ROLLOVER
duplex auto
speed auto
ipv6 address 2001:136:1:23::3/64

!
interface FastEthernet0/1
mac-address 0005.0006.0007
ip address 136.1.13.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 MD5CHAIN
duplex auto
speed auto
ipv6 address 2001:136:1:13::3/64
!

router eigrp 1
network 136.1.0.0
network 150.1.0.0
!

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Interface PEER-TERMINATION received
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Auth failure

!– Verification. To check whether EIGRP-enabled interfaces have authentication configured and which key chain they use:
Router3# sh ip eigrp interfaces detail f0/0
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              1        0/0         3       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/4  Un/reliable ucasts: 6/8
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 5  Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5,  key-chain is “ROLLOVER”
Router3#

Router3# sh ip eigrp interfaces detail f0/1
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              1        0/0         1       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/5  Un/reliable ucasts: 5/1
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 0  Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5,  key-chain is “MD5CHAIN”

Router3#sh key  chain
Key-chain MD5CHAIN:
key 1 — text “MD5STRING”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]
Key-chain ROLLOVER:
key 1 — text “KEY1”
accept lifetime (00:00:00 UTC Jan 1 2013) – (01:00:00 UTC Jan 1 2014) [valid now]
send lifetime (00:00:00 UTC Jan 1 2013) – (00:00:00 UTC Jan 1 2014) [valid now]
* key 2 — text “(unset)”
accept lifetime (23:00:00 UTC Dec 31 2013) – (01:00:00 UTC Jan 1 2015)
send lifetime (00:00:00 UTC Jan 1 2014) – (00:00:00 UTC Jan 1 2015)

Router3#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
(sec)         (ms)       Cnt Num
1   136.1.23.2              Fa0/0             12 00:04:12    3   200  0  7
0   136.1.13.1              Fa0/1             10 00:23:51    1   200  0  6


##### Theory #####

EIGRP authentication is key-chain based: the interface references a key chain, and each key in the chain has an ID, a key-string and optional accept- and send-lifetimes. Classic-mode EIGRP (as used here) supports only MD5, not clear text; named-mode EIGRP on newer IOS releases adds HMAC-SHA-256 (authentication mode hmac-sha-256 under the address-family interface), which is preferable where available. This example uses a single static key between R1 and R3 (key chain MD5CHAIN on f0/1) and time-based key rotation between R2 and R3 (key chain ROLLOVER on f0/0). The sender uses the lowest-numbered key whose send-lifetime is current and carries that key ID in the packet; the receiver looks the ID up in its own chain and checks the accept-lifetime against its own clock. Note the "(unset)" key-string on key 2 in the show key chain output above: a key without a key-string cannot authenticate anything, so the rollover to key 2 on Jan 1 2014 would fail until a key-string is configured for it.

The potential problem with accept- and send-lifetimes is that if the routers' clocks are not NTP-synchronised, the rollover happens at different moments on each side and the EIGRP adjacency can be lost. To tolerate this, configure the keys so that their accept-lifetimes overlap by more than the expected clock skew (here key 1 is accepted until 01:00 on Jan 1 2014 and key 2 from 23:00 on Dec 31 2013, an hour on either side of the send rollover at midnight), keep the send-lifetimes contiguous so that exactly one send key is valid at any time, and synchronise the routers with NTP.
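As an added example (not from the original post), the Python below encodes the ROLLOVER key chain from the show key chain output above and checks whether the rollover survives a given clock skew between the two routers. It assumes that both routers run the same chain, that IOS sends with the lowest-numbered key whose send-lifetime is current, and that the receiver validates the key ID carried in the packet against its own accept-lifetime and clock; the skew values are constructed inputs.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed from the ROLLOVER key chain in the show key chain output above (UTC).
# Key 2 deliberately has no key-string, exactly as "(unset)" shows.
ROLLOVER = {
    1: {"key_string": "KEY1",
        "accept": ("2013-01-01 00:00", "2014-01-01 01:00"),
        "send":   ("2013-01-01 00:00", "2014-01-01 00:00")},
    2: {"key_string": None,
        "accept": ("2013-12-31 23:00", "2015-01-01 01:00"),
        "send":   ("2014-01-01 00:00", "2015-01-01 00:00")},
}


def _window(key, kind):
    start, end = key[kind]
    return datetime.strptime(start, FMT), datetime.strptime(end, FMT)


def active_send_key(chain, now):
    """IOS sends with the lowest-numbered key whose send-lifetime covers now."""
    for kid in sorted(chain):
        start, end = _window(chain[kid], "send")
        if start <= now < end:
            return kid
    return None


def peer_accepts(chain, kid, peer_now):
    """The receiver looks up the key ID carried in the EIGRP authentication TLV and
    accepts only if that key exists, has a key-string and is inside its accept-lifetime
    according to the receiver's own clock."""
    key = chain.get(kid)
    if key is None or key["key_string"] is None:
        return False
    start, end = _window(key, "accept")
    return start <= peer_now < end


def check_rollover(chain, max_skew_minutes):
    """Check every internal send-lifetime boundary (the rollover instants) with the
    peer's clock up to max_skew_minutes ahead or behind. Returns a list of
    (instant, description) problems; an empty list means the rollover is safe."""
    send_ends = sorted(_window(k, "send")[1] for k in chain.values())
    last_end = send_ends[-1]
    problems = []
    for boundary in send_ends:
        if boundary >= last_end:
            continue  # end of the whole chain, not a rollover between keys
        for t in (boundary - timedelta(minutes=1), boundary):
            kid = active_send_key(chain, t)
            if kid is None:
                problems.append((t.strftime(FMT), "no valid send key"))
                continue
            if chain[kid]["key_string"] is None:
                problems.append((t.strftime(FMT), f"key {kid} has no key-string"))
                continue
            for skew in (-max_skew_minutes, max_skew_minutes):
                if not peer_accepts(chain, kid, t + timedelta(minutes=skew)):
                    problems.append((t.strftime(FMT),
                                     f"peer clock off by {skew:+d} min rejects key {kid}"))
    return problems


if __name__ == "__main__":
    print(check_rollover(ROLLOVER, 30))      # flags the missing key-string on key 2
    fixed = {1: ROLLOVER[1], 2: dict(ROLLOVER[2], key_string="KEY2")}
    print(check_rollover(fixed, 30))         # [] : one-hour overlap covers 30 min skew
    print(check_rollover(fixed, 120))        # two hours of skew exceeds the overlap
```

With the key-string supplied, the one-hour accept overlap on each side of midnight absorbs up to an hour of clock difference; beyond that the checker reports which side would reject which key, which is the symptom that appears on the router as "Auth failure" in the %DUAL-5-NBRCHANGE messages above.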

###########################################################################################################

Topology: R1 – OSPF area 0 – R3 – OSPF area 1 – R2 (R3 is the ABR)

R2:
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip ospf authentication message-digest
Router2(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router2(config-if)#ip ospf 1 area 1

R1:
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ospf authentication
Router1(config-if)#ip ospf authentication-key CLEARTXT
Router1(config-if)#ip ospf 1 area 0

R3 (authentication enabled per area under the OSPF process, keys on the interfaces):
Router3(config)#router ospf 1
Router3(config-router)#log-adjacency-changes
Router3(config-router)#area 0 authentication
Router3(config-router)#area 1 authentication message-digest

Router3(config)#interface Vlan11
Router3(config-if)#ip ospf authentication null    !– interface-level null overrides the area setting, so Vlan11 runs OSPF without authentication

Router3(config)#interface FastEthernet0/0
Router3(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router3(config-if)#ip ospf 1 area 1

Router3(config)#interface FastEthernet0/1
Router3(config-if)#ip ospf authentication-key CLEARTXT
Router3(config-if)#ip ospf 1 area 0

Router1#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.13.1/24, Area 0
Process ID 1, Router ID 150.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Router3#sh ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 136.1.13.3/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Flush timer for old DR LSA due in 00:00:25
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1  (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router3#

Router3#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.3/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router3#

Router2#sh ip ospf  int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.2/24, Area 1
Process ID 1, Router ID 150.1.2.2, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router2#

!– A failure in OSPF authentication shows up as a failure to form or keep an adjacency. The debug output below (debug ip ospf adj on R1) shows a clear-text password mismatch between R1 and R3: R1 rejects every hello from 136.1.13.3 with "Mismatch Authentication Key", the dead timer expires and the neighbour goes to DOWN. At the OSPF packet level the AuType field is 0 for null (no authentication), 1 for simple (clear-text) password and 2 for cryptographic (MD5) authentication.

Router1#
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
OSPF: Neighbor change Event on interface FastEthernet0/0
OSPF: DR/BDR election on FastEthernet0/0
OSPF: Elect BDR 0.0.0.0
OSPF: Elect DR 150.1.1.1
DR: 150.1.1.1 (Id)   BDR: none
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: Build router LSA for area 0, router ID 150.1.1.1, seq 0x80000005, process 1
OSPF: No full nbrs to build NetLSA for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 150.1.1.1

!– A mismatch in authentication type, here R3 sending MD5 (type 2) while R1 is configured for clear text (type 1):

OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1

!– To verify the OSPF neighbours:

Router1#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:36    136.1.13.3      FastEthernet0/0
Router1#

Router3#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.1.1         1   FULL/DR         00:00:32    136.1.13.1      FastEthernet0/1
150.1.2.2         1   FULL/DR         00:00:39    136.1.23.2      FastEthernet0/0

Router2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:38    136.1.23.3      FastEthernet0/0
Router2#

!– Whether authentication has been enabled at the area level (under the OSPF process) can be checked in the per-area section of show ip ospf:

Router3#sh ip ospf | se area
Supports area transit capability
It is an area border router
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Number of areas transit capable is 0
Number of interfaces in this area is 1
Number of interfaces in this area is 3 (1 loopback)
Router3#

##### Theory #####

On R1 and R2 OSPF authentication is enabled at interface level (ip ospf authentication [message-digest]); on R3 it is enabled under the OSPF process per area (area 0 authentication, area 1 authentication message-digest) and the interfaces are simply placed in the corresponding areas. Area-level authentication applies to every interface in that area: all of R3's area 0 interfaces run clear-text (simple password) authentication and all of its area 1 interfaces run MD5. An interface-level ip ospf authentication command overrides the area setting for that interface only, which is how ip ospf authentication null switches authentication off on Vlan11. The key itself (ip ospf authentication-key for clear text, ip ospf message-digest-key <id> md5 for MD5) is always configured on the interface, and both the type and the key must match on every router on the segment, otherwise hellos are dropped with the mismatch messages shown above and no adjacency forms.

Simple password authentication carries the password in the clear in every OSPF packet, so it only protects against accidental adjacencies, not against an attacker with access to the segment. MD5 keys carry a key ID, so a new message-digest-key can be added on all routers before the old one is removed and the rollover does not drop the adjacency; show ip ospf interface reports the "Youngest key id" in use. Newer IOS releases also support HMAC-SHA authentication for OSPFv2 (RFC 5709) via ip ospf authentication key-chain, which should be preferred over MD5 where available.
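The following Python is an added example, not part of the original lab, that builds OSPFv2 packets with AuType 0, 1 and 2 following RFC 2328 Appendix D and applies the receiving router's checks, returning strings modelled on the two debug messages above. The hello body, router IDs and keys (MD5MD5 and CLEARTXT, as in the configs above) are constructed inputs; the outcome strings other than the two quoted from the debug are this example's own wording, not IOS messages.

```python
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2          # OSPFv2 AuType values
# version, type, length, router id, area id, checksum, autype, 8-byte authentication field
OSPF_HDR = struct.Struct("!BBHIIHH8s")
OSPF_HELLO = 1


def rid(dotted):
    """Router ID or area ID as a 32-bit integer."""
    return int.from_bytes(socket.inet_aton(dotted), "big")


def ospf_checksum(pkt):
    """RFC 1071 one's-complement sum over the packet with the 8-byte authentication
    field excluded, as OSPFv2 specifies for AuType 0 and 1. The checksum field in
    pkt must already be zero."""
    buf = pkt[:16] + pkt[24:]
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(router_id, area_id, body, autype, key=b"", key_id=1, seq=1):
    """OSPFv2 hello with the requested authentication.
    AuType 1 puts the password itself (zero padded to 8 bytes) in the authentication field.
    AuType 2 puts key id, digest length and a sequence number there, leaves the checksum
    at zero, and appends MD5(packet || key padded to 16 bytes) after the packet; the
    digest is not counted in the length field (RFC 2328 D.4.3)."""
    length = OSPF_HDR.size + len(body)
    if autype == AUTH_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = OSPF_HDR.pack(2, OSPF_HELLO, length, router_id, area_id, 0, autype, auth) + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    auth = key.ljust(8, b"\x00") if autype == AUTH_SIMPLE else bytes(8)
    pkt = OSPF_HDR.pack(2, OSPF_HELLO, length, router_id, area_id, 0, autype, auth) + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def receive(pkt, local_autype, local_key=b"", local_key_id=1):
    """The receiving interface's checks: authentication type, then key or digest,
    then checksum. The first two return strings mirror the debug output above."""
    _, _, length, _, _, csum, autype, auth = OSPF_HDR.unpack_from(pkt)
    if autype != local_autype:
        return (f"Mismatch Authentication type. Input packet specified type "
                f"{autype}, we use type {local_autype}")
    if autype == AUTH_CRYPTO:
        _, key_id, auth_len, _ = struct.unpack("!HBBI", auth)
        if key_id != local_key_id or auth_len != 16:
            return "Mismatch Authentication Key - unknown key id"
        expected = hashlib.md5(pkt[:length] + local_key.ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(pkt[length:length + 16], expected):
            return "Mismatch Authentication Key - Message Digest"
        return "OK"
    if autype == AUTH_SIMPLE and auth != local_key.ljust(8, b"\x00"):
        return "Mismatch Authentication Key - Clear Text"
    zeroed = pkt[:12] + b"\x00\x00" + pkt[14:]
    if ospf_checksum(zeroed) != csum:
        return "Bad checksum"
    return "OK"


def password_on_the_wire(pkt):
    """What a sniffer on the segment sees for AuType 1: the password, in every hello."""
    _, _, _, _, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    return auth.rstrip(b"\x00") if autype == AUTH_SIMPLE else None


# Constructed hello body: netmask plus zeroed hello fields; enough for the example.
BODY = b"\xff\xff\xff\x00" + bytes(16)

if __name__ == "__main__":
    md5_pkt = build_packet(rid("1.1.1.1"), rid("0.0.0.1"), BODY, AUTH_CRYPTO, b"MD5MD5")
    print(receive(md5_pkt, AUTH_SIMPLE, b"CLEARTXT"))   # the type-2-vs-type-1 message
    clear_pkt = build_packet(rid("150.1.1.1"), rid("0.0.0.0"), BODY, AUTH_SIMPLE, b"CLEARTXT")
    print(receive(clear_pkt, AUTH_SIMPLE, b"ee"))       # the clear-text key mismatch
    print(password_on_the_wire(clear_pkt))              # b'CLEARTXT'
```

The password_on_the_wire helper makes the clear-text caveat concrete: with AuType 1 the authentication field of every hello is the password, which is why the MD5 (or HMAC-SHA) form is the only one worth using on an untrusted segment.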

########################################################################################