Control Plane Protection


1 Control Plane Protection Preventing accidentally on purpose. We're really talking about making sure routers do what we expect: making sure the route decision stays under our control.

2 Layer 2 Attacks ARP injections MAC address flooding

3 ARP Injection What is ARP injection? How can it be used? The only protection is to protect your communications, unless you control the switch. Perhaps add in what is arp?

4 What is ARP injection? ARP injection is where, on a shared layer 2 segment, an attacker modifies the ARP table on one or more routers.

5 How does it work? (slides 5 to 8 are diagrams of the ARP injection sequence; no text to transcribe)

9 ARP injection What can it be used for? Switch flooding. Allows for traffic interception. Disrupting traffic flows.

10 Defenses? Dynamic ARP Inspection. Your whole layer two domain is on DHCP, right? Otherwise ARP ACLs :(

11 MAC address flooding What is it? How can it be used? MAC address limits on switch ports

12 What is MAC address flooding? Switches have a maximum number of MAC addresses they can store (normally in the tens of thousands), so you send more than it can handle. The switch turns into a hub and floods all traffic to all ports.

13 Network Flooding (slides 13 to 15 are diagrams of the flood; slide 15 is captioned Success.)

16 Switches STP VTP VLAN Hopping Native VLAN

17 STP What is STP? Potential attacks.

18 What is STP? Allows a network of switches to automatically remove loops from a layer two network. It assists in directing traffic through the network, so it could be used for intercepting traffic or disrupting traffic flow. Also, sending a lot can cause STP to not converge.

19 VTP Cisco proprietary protocol for distributing VLAN configuration. Never allow it to the outside world. Just disable it.

20 VLAN hopping Gaining access to a VLAN that was unintended. Harder than some people think. Potential to exploit DTP.
switchport nonegotiate
switchport mode access

21 Native VLAN What is a native VLAN? When a port is a trunk, the native VLAN defines the behaviour of untagged packets. Don't run management or customer traffic over VLAN 1. Force the native VLAN to use tagged packets, and also change it:
switchport trunk native vlan tag
switchport trunk native vlan 999
On unused ports change the default VLAN to something else:
switchport access vlan 2

22 Layer 3 Protection ICMP Open Protocols

23 ICMP source-route redirects router advertisements unreachables proxy-arp gratuitous-arps mask-reply

24 Source routing Source routing allows the sender of the packet to choose the next hop. Don't allow random packets to choose their routing and ignore our policy.

25 Redirects The router won't accept them anyway; this disables sending. But don't send them, as it's a leak of information.

26 Router Advertisements Used for advertising routers to a local subnet. For IPv4 abandoned; perhaps if you have a large layer two domain, filter on the edges. For IPv6 it's enabled automatically :(
ipv6 nd ra suppress all

27 Unreachables
no ip unreachables
Rate limiting is now the default.

28 proxy-arp Please tell me no one is still using this!

29 ip arp gratuitous none Disables accepting ARP packets we didn't ask for, i.e. unsolicited ARP packets.
ip arp gratuitous none <- global

30 mask-reply Disables replying to ICMP packets that request the subnet mask.

31 Echo Request/Reply Don't disable it.

32 OSPF Make sure it's passive by default. Only enable it on internal networks. Always use MD5 authentication.

33 eBGP Security MD5 authentication. TTL hack. Prefix filters for inbound routes. Prefix filters for outbound routes.

34 MD5 Passwords Without them you trust everyone. Prevents making connections without authentication. Also means corrupted packets will be dropped. But the MD5 sum needs to be verified for every packet.

35 TTL Protection Has anyone heard of this? It's pretty neat.

36 TTL Protection Most BGP connections are on directly connected routers, so the TTL should never be decremented. So if we set the TTL to one on our packets, they should never get back to an attacker.

37 TTL Protection But that doesn't save us from accepting those initial SYN packets, and calculating the MD5 sum for the packet :(

38 TTL Protection So instead set the TTL to 255 :) Must be hard to configure! If the TTL is less than 254, drop it.

39 TTL Protection
! Configuration.
router bgp <AS>
 neighbor <neighbour> ttl-security hops 1
!
! obviously needs to be done at both ends.
! Only on ebgp!
! check with show ip bgp neighbors <neighbour>
! Look for;
! Minimum incoming TTL 254, Outgoing TTL 255
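As an added illustration (not from the deck), a small Python model of the GTSM check the TTL Protection slides describe: send at 255, and with hops 1 drop anything that arrives below 254. Peer names, hop counts and packet records are constructed.

```python
"""Model of BGP TTL security (GTSM) as described on the TTL Protection slides.

Added example, not part of the original deck: the peer names, hop counts and
packet records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int  # TTL as it appears in the IP header


def traverse(pkt: Packet, intermediate_routers: int) -> Optional[Packet]:
    """Forward a packet through N intermediate routers; each decrements TTL.

    A directly connected peer has N == 0, so the receiver sees the TTL the
    sender set. Returns None if the packet expires on the way.
    """
    ttl = pkt.ttl
    for _ in range(intermediate_routers):
        ttl -= 1
        if ttl <= 0:
            return None
    return Packet(pkt.src, ttl)


def gtsm_accept(pkt: Packet, hops: int = 1) -> bool:
    """`neighbor <x> ttl-security hops N`: drop unless TTL >= 255 - N.

    With hops 1 the minimum incoming TTL is 254, which is what
    `show ip bgp neighbors` reports as 'Minimum incoming TTL 254'.
    """
    return pkt.ttl >= MAX_TTL - hops


def session_attempt(src: str, sender_ttl: int, intermediate_routers: int,
                    hops: int = 1) -> bool:
    """Does a TCP/179 packet from `src` survive the receiver's GTSM check?"""
    arrived = traverse(Packet(src, sender_ttl), intermediate_routers)
    return arrived is not None and gtsm_accept(arrived, hops)


def demo() -> dict:
    """Constructed senders: the real peer and two remote, non-adjacent hosts."""
    return {
        # Directly connected eBGP peer sending TTL 255 as ttl-security requires.
        "peer": session_attempt("peer", 255, intermediate_routers=0),
        # A host two routers away: even a TTL of 255 arrives as 253 -> dropped.
        # This is the point of the slides: TTL cannot be raised above 255.
        "remote_2_routers": session_attempt("remote", 255, 2),
        # A host one router away arrives at 254 and hops 1 still admits it, so
        # the hop count must be as tight as the real topology allows.
        "remote_1_router": session_attempt("remote", 255, 1),
        # A peer still sending the default TTL 64 fails the check too: the
        # feature has to be configured at both ends.
        "peer_default_ttl": session_attempt("peer", 64, 0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accepted' if ok else 'dropped'}")
```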

40 Prefix Filters They really need some thinking about before applying them. Policy needs to be thought about before creating.

41 Prefix Filters RFC 1918 address space? RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598? /8, /4 Loopback Address /8, /12, /16 Private Space /15 Network interconnection device testing /24 6to4 relay Anycast /16 Local link v /24, /24, /24 Test networks / / /24 IETF protocol assignments.

42 Prefix Filters Bogon Filtering

43 Prefix Filters Your own prefixes? For downstream customers, only accept their prefix. For upstream vendors you'll need to accept routes for customers that are multihoming.

44 Prefix Filters Customer filtering: accept only what's assigned. Peer filtering: get a prefix list from them, but still block bogons and your space. Provider filtering: unlikely they would give you a prefix list, and it would be too long anyway; still filter bogons and your space. Note that for peers, they may advertise other peers, thus providing a limited form of transit as well. So check what your peers advertise. ftp://ftp-eng.cisco.com/cons/isp/security/ingress-prefix-filter-templates/t-ip-prefix-filter-ingress-loose-check-vcurrent.txt

45 Max Prefixes Should you accept 1,000,000 routes from everyone? Even customers? Is there one good number?
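As an added example (not from the deck) covering the Prefix Filters and Max Prefixes slides, this Python evaluates Cisco-style prefix-list entries (permit/deny with ge/le, first match wins, implicit deny) against announced routes and applies a max-prefix limit. The allocations 203.0.113.0/24 (our space) and 198.51.100.0/24 (a customer's assignment) are constructed stand-ins.

```python
"""Cisco-style ip prefix-list evaluation for inbound BGP route filtering.

Added example, not part of the original deck. The allocations are constructed:
203.0.113.0/24 stands in for our own space and 198.51.100.0/24 for a downstream
customer's assignment (in a real filter every RFC 5737 net is itself a bogon).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None   # match only prefix lengths >= ge
    le: Optional[int] = None   # match only prefix lengths <= le

    def matches(self, route: IPv4Network) -> bool:
        """IOS semantics: the route must fall inside `prefix`, and its length
        must be exact when no ge/le is given, otherwise within [ge, le]."""
        if not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def evaluate(plist: List[Entry], route: IPv4Network) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for entry in plist:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def accepts(plist: List[Entry], route: str) -> bool:
    """String-friendly wrapper around evaluate()."""
    return evaluate(plist, ip_network(route))


# Bogons from the RFCs the deck lists (1918, 1122, 3927, 5736, 2544, 6333,
# 3068, 6598) plus multicast and class E. RFC 5737 is left out only because
# its documentation nets play the role of real allocations in this example.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]
OUR_SPACE = ip_network("203.0.113.0/24")        # constructed
CUSTOMER_SPACE = ip_network("198.51.100.0/24")  # constructed


def common_denies() -> List[Entry]:
    """Block bogons and our own space, including any more-specifics (le 32)."""
    denies = [Entry("deny", b, le=32) for b in BOGONS]
    denies.append(Entry("deny", OUR_SPACE, le=32))
    return denies


def customer_inbound() -> List[Entry]:
    """Customer filtering: accept only what is assigned, exact length only."""
    return common_denies() + [Entry("permit", CUSTOMER_SPACE)]


def peer_inbound(peer_prefixes: List[str]) -> List[Entry]:
    """Peer filtering: use the list they gave us, still behind the bogon and
    own-space denies, and cap how far they may de-aggregate (nothing past /24)."""
    return common_denies() + [Entry("permit", ip_network(p), le=24)
                              for p in peer_prefixes]


def filter_announcements(plist: List[Entry], announced: List[str],
                         max_prefix: int) -> dict:
    """Apply the list, then the max-prefix limit from the Max Prefixes slide."""
    accepted, rejected = [], []
    for a in announced:
        (accepted if accepts(plist, a) else rejected).append(a)
    return {"accepted": accepted, "rejected": rejected,
            "over_limit": len(accepted) > max_prefix}


if __name__ == "__main__":
    # Constructed announcements received on a customer session.
    print(filter_announcements(customer_inbound(),
          ["198.51.100.0/24", "198.51.100.0/25", "10.1.0.0/16"], max_prefix=5))
```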

46 Communities + Route maps Setting communities on BGP routes is a great policy enforcement tool. Reduces the need to statically configure prefix lists at every peering point. Makes outbound prefix selection a breeze. If it's fast and easy it will be better maintained. Use route maps to apply policy to incoming and outgoing routes.

47 Internet Exchange Security Layer 2 issues. ARP injection MAC attacks (flooding) Layer 3 issues Non-Policy Routing. data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_ pdf

48 Layer 2 Issues We've talked about this already, but this is where you are most in danger of it happening. I've never heard about anyone being attacked, so don't be too nervous.

49 Non-Policy Routing? What's that? When another organisation ignores advertised routing policy and makes up their own. Examples?

50 Free outbound transit Easy: just add a static route for a destination and send it to a router on the exchange. This isn't a how-to. Of course you'll want to test it before putting the route in.

51 Layout: two ASes, both connected to the same exchange. Free outbound

52 AS10 notices that its outbound traffic to its upstream is busy. Doesn't want to pay for more bandwidth! Free outbound

53 They noticed that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20. Free outbound

54 Free outbound So a less than ethical admin adds a route for /16 to send traffic via AS20's router that is attached to the exchange.

55 Free outbound Now their traffic bound for AS30 goes via AS20 over their hopefully well provisioned exchange port. Now the link between AS20 and AS30 is busy; who pays for the upgrade? Or perhaps AS20's exchange port gets busy, so they pay for an upgrade.

56 Free inbound transit A bit more difficult to do. Again, this isn't a how-to.

57 Free inbound

58 Free inbound So advertise more specifics via a lower cost path. Perhaps you wouldn t want to advertise your whole address space de-aggregated.

59 Is this the only way to do it? Nope, you could just advertise a subnet, or prepend ASes to your path. You could use this on peers as well. Free inbound

60 Free symmetric traffic. This is the most valuable type of stealing bandwidth, so the most specific and difficult. Still, this is not a how-to.

61 So here AS10 is connected to two exchanges, along with AS20. Free symmetric transit

62 Free symmetric transit So AS10 has an expensive transit service between its two POPs. But it's getting too busy; what to do? So an unethical admin notices that AS20 is connected to both exchanges as well.

63 Free symmetric transit So after a bit of testing, adds static routes for two subnets to send traffic via AS20.

64 Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets? Free symmetric transit

65 Defences? Prefix lists. ACLs. Separate exchange router, recommended. Separate VRF.

66 The null0 route drops all the traffic for which there are no known routes. Exchange Router

67 VRF Lite Combined with uRPF is a way to secure your peering interface. Creates a separate forwarding instance that allows you to select what routes are accessible from the exchange interface. Be warned, it makes configurations difficult.

68 Mike Jager Exchange security testing

69 v4 vs v6 Security Is there a difference in the control plane?

70 v4 vs v6 Security Actually there are some slight differences.

71 What's different? There's no ARP any more. Now there's multicast for neighbour discovery.

72 What's different? They insist on making our lives easier: SLAAC via RD and RAs. Source routing still available. Source routing is disabled by default in Cisco boxes, yay.

73 What's different? I can't hear wh..<bzzt> No more fragmentation on routers.

74 What's different? But that means ICMPv6 is important now: Neighbour discovery (v6 ARP), SLAAC, Packet too big ICMP messages. Also, by the way, TTL has been renamed to Hop Limit, and the function changed too: instead of being related to time spent in transit it refers to a hop limit. Which everyone did anyway.

75 What's different? The max packet size allowable is now 2**32-1 (that's over 4Gig in size). Can't wait to see what some operating systems make of that.

76 What's different? Privacy is harder to find with SLAAC. But minimum allocations are /64 so the OS can use temporary addresses.

77 What's different? The addresses are HEAPS longer, making management harder.

78 What's different? Tunneling? We've got tunneling: 6to4 (automatic), Teredo (automatic), 6in4 (configured). All run over protocol 41, but can fall back to UDP. Perhaps a user installs some torrenting software, and they are now firewall free, inside your organisation.

79 What's different? Implementations are new, so there will be new bugs. Juniper was forwarding traffic to link-local addresses?!


More information

Implementing BGP on Cisco ASR 9000 Series Router

Implementing BGP on Cisco ASR 9000 Series Router Implementing BGP on Cisco ASR 9000 Series Router Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) that allows you to create loop-free interdomain routing between autonomous systems.

More information

MPLS Introduction. (C) Herbert Haas 2005/03/11

MPLS Introduction. (C) Herbert Haas 2005/03/11 MPLS Introduction MPLS (C) Herbert Haas 2005/03/11 Terminology LSR LER FEC LSP FIB LIB LFIB TIB PHP LDP TDP RSVP CR-LDP Label Switch Router Label Edge Router Forwarding Equivalent Class Label Switched

More information

COMP211 Chapter 4 Network Layer: The Data Plane

COMP211 Chapter 4 Network Layer: The Data Plane COMP211 Chapter 4 Network Layer: The Data Plane All material copyright 1996-2016 J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith Ross

More information

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS Computer Network Architectures and Multimedia Guy Leduc Chapter 2 MPLS networks Chapter based on Section 5.5 of Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley,

More information

Rocky Mountain ISSA Chapter April 5, IPv6 Security. Scott Hogg. Director of Advanced Technology Services - GTRI CCIE #5133, CISSP #4610

Rocky Mountain ISSA Chapter April 5, IPv6 Security. Scott Hogg. Director of Advanced Technology Services - GTRI CCIE #5133, CISSP #4610 Rocky Mountain ISSA Chapter April 5, 2007 IPv6 Security Scott Hogg Director of Advanced Technology Services - GTRI CCIE #5133, CISSP #4610 Agenda IPv6 Threats Reconnaissance LAN Threats ICMPv6 Threats

More information

Workshop on Scientific Applications for the Internet of Things (IoT) March

Workshop on Scientific Applications for the Internet of Things (IoT) March Workshop on Scientific Applications for the Internet of Things (IoT) March 16-27 2015 IP Networks: From IPv4 to IPv6 Alvaro Vives - alvaro@nsrc.org Contents 1 Digital Data Transmission 2 Switched Packet

More information

VRF, MPLS and MP-BGP Fundamentals

VRF, MPLS and MP-BGP Fundamentals VRF, MPLS and MP-BGP Fundamentals Jason Gooley, CCIEx2 (RS, SP) #38759 Twitter: @ccie38759 LinkedIn: http://www.linkedin.com/in/jgooley Agenda Introduction to Virtualization VRF-Lite MPLS & BGP Free Core

More information

Copyright Link Technologies, Inc.

Copyright Link Technologies, Inc. 3/15/2011 Mikrotik Certified Trainer / Engineer MikroTik Certified Dude Consultant Consulting Since 1997 Enterprise Class Networks WAN Connectivity Certifications Cisco, Microsoft, MikroTik BGP/OSPF Experience

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Connecting to a Service Provider Using External BGP

Connecting to a Service Provider Using External BGP Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)

More information

For information about configuring these settings from Cluster Management Suite (CMS), refer to the online help.

For information about configuring these settings from Cluster Management Suite (CMS), refer to the online help. Configuring VLANs This chapter provides information about configuring virtual LANs (VLANs). It includes command-line interface (CLI) procedures for using commands that have been specifically created or

More information

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis Session 8. TCP/IP Dongsoo S. Kim (dskim@iupui.edu) Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis IP Packet 0 4 8 16 19 31 Version IHL Type of Service Total Length Identification

More information

MPLS VPN C H A P T E R S U P P L E M E N T. BGP Advertising IPv4 Prefixes with a Label

MPLS VPN C H A P T E R S U P P L E M E N T. BGP Advertising IPv4 Prefixes with a Label 7 C H A P T E R S U P P L E M E N T This online supplement of Chapter 7 focuses on two important developments. The first one is Inter-Autonomous. Inter-Autonomous is a concept whereby two service provider

More information

Configuring Interfaces (Transparent Mode)

Configuring Interfaces (Transparent Mode) 8 CHAPTER This chapter includes tasks to complete the interface configuration in transparent firewall mode. This chapter includes the following sections: Information About Completing Interface Configuration

More information

Networking: Network layer

Networking: Network layer control Networking: Network layer Comp Sci 3600 Security Outline control 1 2 control 3 4 5 Network layer control Outline control 1 2 control 3 4 5 Network layer purpose: control Role of the network layer

More information

MikroTik RouterOS Training. Routing. Schedule. Instructors. Housekeeping. Introduce Yourself. Course Objective 7/4/ :00 10:30 Morning Session I

MikroTik RouterOS Training. Routing. Schedule. Instructors. Housekeeping. Introduce Yourself. Course Objective 7/4/ :00 10:30 Morning Session I MikroTik RouterOS Training Routing Schedule 09:00 10:30 Morning Session I 10:30 11:00 Morning Break 11:00 12:30 Morning Session II 12:30 13:30 Lunch Break 13:30 15:00 Afternoon Session I 15:00 15:30 Afternoon

More information

BGP Best Current Practices

BGP Best Current Practices BGP Best Current Practices ISP Workshops Last updated 10 th July 2015 1 Configuring BGP Where do we start? 2 IOS Good Practices p ISPs should start off with the following BGP commands as a basic template:

More information

Configuring Access and Trunk Interfaces

Configuring Access and Trunk Interfaces Configuring Access and Trunk Interfaces Ethernet interfaces can be configured either as access ports or trunk ports. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend

More information

Configuring Q-in-Q VLAN Tunnels

Configuring Q-in-Q VLAN Tunnels Information About Q-in-Q Tunnels, page 1 Licensing Requirements for Interfaces, page 7 Guidelines and Limitations, page 7 Configuring Q-in-Q Tunnels and Layer 2 Protocol Tunneling, page 8 Configuring Q-in-Q

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture #4 preview ICMP ARP DHCP NAT

More information

Troubleshooting and Maintaining Cisco IP Networks v2 ( )

Troubleshooting and Maintaining Cisco IP Networks v2 ( ) Troubleshooting and Maintaining Cisco IP Networks v2 (300-135) Exam Description: Troubleshooting and Maintaining Cisco IP Networks v2 (TSHOOT 300-135) is a 120- minute qualifying exam with 15 25 questions

More information

Introduction to routing in the Internet

Introduction to routing in the Internet Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 2 3 in Huitema) Internet-1 Internet Architecture Principles End-to-end principle by

More information

Introduction to IPv6 - II

Introduction to IPv6 - II Introduction to IPv6 - II Building your IPv6 network Alvaro Vives 27 June 2017 Workshop on Open Source Solutions for the IoT Contents IPv6 Protocols and Autoconfiguration - ICMPv6 - Path MTU Discovery

More information

Service Graph Design with Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...

More information

ITBraindumps. Latest IT Braindumps study guide

ITBraindumps.  Latest IT Braindumps study guide ITBraindumps http://www.itbraindumps.com Latest IT Braindumps study guide Exam : 300-101 Title : Implementing Cisco IP Routing Vendor : Cisco Version : DEMO Get Latest & Valid 300-101 Exam's Question and

More information

Unit A - Connecting to the Network

Unit A - Connecting to the Network Unit A - Connecting to the Network 1 What is a network? The ability to connect people and equipment no matter where they are in the world. telephone computers television How does your body work as a network?

More information

HPE FlexNetwork 5510 HI Switch Series

HPE FlexNetwork 5510 HI Switch Series HPE FlexNetwork 5510 HI Switch Series Layer 3 IP Services Command Reference Part number: 5200-3837 Software version: Release 13xx Document version: 6W100-20170315 Copyright 2015, 2017 Hewlett Packard Enterprise

More information

Intelligent WAN Deployment Guide

Intelligent WAN Deployment Guide Cisco Validated design Intelligent WAN Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deployment Details...1 Configuring DMVPN Hub Router...2

More information

Mobile IP. Mobile Computing. Mobility versus Portability

Mobile IP. Mobile Computing. Mobility versus Portability Mobile IP Mobile Computing Introduction Amount of mobile/nomadic computing expected to increase dramatically in near future. By looking at the great acceptance of mobile telephony, one can foresee a similar

More information

TBGP: A more scalable and functional BGP. Paul Francis Jan. 2004

TBGP: A more scalable and functional BGP. Paul Francis Jan. 2004 TBGP: A more scalable and functional BGP Paul Francis Jan. 2004 BGP: Border Gateway Protocol BGP is the top-level routing protocol in the Internet It holds the Internet together BGP allows routers to tell

More information