Control Plane Protection
|
|
- Bertina Walters
- 6 years ago
- Views:
Transcription
1 Control Plane Protection Preventing accidentally on purpose We really talking about making sure routers do what we expect. Making sure the route decision stays under our control.
2 Layer 2 Attacks ARP injections MAC address flooding
3 ARP Injection What is ARP injection? How can it be used? The only protection is to protect your communications, unless you control the switch. Perhaps add in what is arp?
4 What is ARP injection? ARP injection is where a on a shared layer 2 an attacker modifies the ARP table on one or more routers.
5 How does it work?
6 How does it work?
7 How does it work?
8 How does it work?
9 ARP injection What can it be used for? Switch flooding. Allows for traffic interception. Disrupting traffic flows.
10 Defenses? Dynamic ARP Inspection. Your whole layer two domain is on DHCP right? Other wise ARP ACL s :(
11 MAC address flooding What is it? How can it be used? Mac address limits on switch ports
12 What is MAC address flooding? Switches have a maximum number of ARP address they can store (in the tens of thousands normally) So you send more than it can handle. The switch turns into a hub and floods all traffic to all ports.
13 Network Flooding
14 Network Flooding
15 Success. Network Flooding
16 Switches STP VTP VLAN Hopping Native VLAN
17 STP What is STP? Potential attacks.
18 What is STP Allows a network of switches to automatically remove loops from a layer two network. It assists in directing traffic through the network So it could be used for intercepting traffic or disrupting traffic flow. Also sending a lot can cause STP to not converge.
19 VTP Cisco proprietary protocol for distributing vlan configuration. Never allow it to the outside world. Just disable it.
20 VLAN hopping Gaining access to a VLAN that was unintended. Harder than some people think. Potential to exploit DTP switchport nonegotiate switchport mode access
21 Native VLAN What is a native VLAN? When a port is a trunk, the native VLAN defines the behaviour of untagged packets. Don t run management or customer traffic over vlan 1. Force the native VLAN to use tagged packets, Also change it. switchport trunk native vlan tag switchport trunk native vlan 999 On unused ports change the default vlan to something else switchport access vlan 2
22 Layer 3 Protection ICMP Open Protocols
23 ICMP source-route redirects router advertisments unreachables proxy-arp gratuitous-arps mask-reply
24 Source routing Source routing allows the sender of the packet to choose the next hop. Don t allow random packets to choose their routing and ignore our policy.
25 Redirects Router won t accept them anyway, this disables sending. But don t send them as it s a leak of information.
26 Router Advertisements Used for advertising routers to a local subnet. For IPv4 abandoned, perhaps if you have a large layer two domain filter on the edges. For IPv6 it s enable automatically :( ipv6 nd ra suppress all
27 Unreachables no ip unreachables Rate limiting is now the default.
28 proxy-arp Please tell me no one is still using this!
29 ip arp gratuitous none Disable accepting ARP packets we didn t ask for. This disables the acceptance of unsolicited ARP packets. ip arp gratuitous none <- global C730F25E-343A-4C4A-9E8C-2662B09EA5C4 A9F7-1F8552D3CFED
30 mask-reply Disables replying to ICMP packets that request the subnet.
31 Echo Reply Request Don t disable it.
32 OSPF Make sure it s passive by default. Only enable it on internal networks. Always use MD5 authentication.
33 ebgp Security MD5 authentication TTL hack Prefix filters for inbound routes. Prefix filters for outbound routes.
34 MD5 Passwords Without means you trust everyone Prevents making connections without authentication. Also means corrupted packets will be dropped. But the MD5 sum needs to be verified for every packet.
35 TTL Protection Has anyone heard of this? It s pretty neat.
36 TTL Protection Most BGP connections are on directly connected routers. So the TTL should never be decremented. So if we set the TTL to one on our packets should never get back to an attacker.
37 TTL Protection But that doesn t save us from accepting those initial SYN packets. And calculating the MD5 sum for the packet :(
38 TTL Protection So instead set the TTL to 255. :) Must be hard to configure! If the TTL is less than 254, drop it.
39 TTL Protection! Configuration. bgp router AS neighbor <neighbour> ttl-security hops 1!! obviously needs to be done at both ends.! Only on ebgp!! check with show ip bgp neighbors <neighbour>! Look for;! Mininum incoming TTL 254, Outgoing TTL 255!
40 Prefix Filters They really need some thinking about before applying them. Policy needs to be thought about before creating.
41 Prefix Filters RFC 1918 address space? RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598? /8, /4 Loopback Address /8, /12, /16 Private Space /15 Network interconnection device testing /24 6to4 relay Anycast /16 Local link v /24, /24, /24 Test networks / / /24 IETF protocol assignments.
42 Prefix Filters Bogon Filtering
43 Prefix Filters Your own prefixes? For downstream customer, only accept their prefix. For upstream vendors you ll need to accept routes for customers that are multihoming.
44 Prefix Filters Customer filtering. Accept only what s assigned. Peer filtering. Get a prefix list from them, but still block bogons and your space. Provider filtering. Unlikely they would give you a prefix list, it would be too long anyway, still filter bogons and your space. Note that for peers, they may advertise other peers thus providing a limited form of transit as well. So check what your peers advertise. ftp://ftp-eng.cisco.com/cons/isp/security/ingress-prefix-filter-templates/t-ip-prefix-filter-ingress-loose-check-vcurrent.txt
45 Max Prefixes Should you accept 1,000,000 routes from everyone? Even customers? Is there one good number?
46 Communities + Route maps Settings communities on BGP routes is a great policy enforcement tool. Reduces the need to statically configure prefix lists at every peering point. Makes out bound prefix selection a breeze. If it s fast and easy it will be better maintained. Use route maps to apply policy to incoming and outgoing routes.
47 Internet Exchange Security Layer 2 issues. ARP injection MAC attacks (flooding) Layer 3 issues Non-Policy Routing. data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_ pdf
48 Layer 2 Issues We ve talked about this already, but this is where you are most in danger of it happening. I ve never heard about anyone being attacked, so don t be too nervous.
49 Non-Policy Routing? What s that? When another organisation ignores advertised routing policy and makes up their own. Examples?
50 Free outbound transit Easy, just add a static route for a destination and send it to a router on the exchange. This isn t a how-to Of course you ll want to test it before put the route in.
51 Lay out, two AS both connected to the same exchange. Free outbound
52 AS10 notices that it s outbound traffic to it s upstream is busy. Doesn t want to pay for more bandwidth! Free outbound
53 They noticed that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20. Free outbound
54 Free outbound So a less than ethical admin adds a route for /16 to send traffic via AS20 s router that is attached to the exchange.
55 Free outbound Now their traffic bound for AS30 goes via AS20 over their hopefully well provisioned exchange port. Now the link between and AS20 and AS30 is busy who pays for the upgrade?, or perhaps AS20 s exchange port gets busy, so they pay for an upgrade.
56 Free inbound transit Bit more difficult to do. Again this isn t a how to
57 Free inbound
58 Free inbound So advertise more specifics via a lower cost path. Perhaps you wouldn t want to advertise your whole address space de-aggregated.
59 Is this the only way to do it? Nope, you could just advertise subnet, or use appending ASs to your path. You could use this on peers as well. Free inbound
60 Free symmetric traffic. This is the most valuable type of stealing bandwidth. So the most specific and difficult. Still this is not a how to
61 So here we have AS10 is connected to two exchanges, along with AS20. Free symmetric transit
62 Free symmetric transit So AS10 has an expensive transit services between it s two POPs. But it s getting too busy, what to do? So an unethical admin notices that AS20 is connected to both exchanges as well.
63 Free symmetric transit So after a bit of testing adds static route for two subnets to send traffic via AS20.
64 Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets? Free symmetric transit
65 Defences? Prefixes lists. ACLs. Separate exchange router, recommended. Separate VRF.
66 The null0 route drops all the traffic for which there is no known routes. Exchange Router
67 VRF Lite Combined with urpf is a way to secure your peering interface. Creates a separate forwarding instance that allows you to select what routes are accessible from the exchange interface. Be warned it makes configurations difficult
68 Mike Jager Exchange security testing
69 v4 vs v6 Security Is there a difference in the control plane?
70 v4 vs v6 Security Actually there are some slight differences.
71 What s different? There s no ARP any more. Now there s multicast for neighbour discovery.
72 What s different? They insist on making our lives easier SLAAC via RD and RA s Source routing still available. Source routing is disabled by default in Cisco boxes, yay.
73 What s different? I can t heard wh..<bzzt> No more fragmentation on routers.
74 What s different? But that means ICMPv6 is important now. Neighbour discovery (v6 ARP) SLAAC Packet too big ICMP messages Also by the way, TTL has been renamed to Hop Limit, but also changing the function instead of being related to time spent in transit it refers to hop limit. Which everyone did anyway.
75 What s different? The max packet size allowable is now, 32**2-1 (That s over 4Gig in size) Can t wait to see what some operating systems make of that.
76 What s different? Privacy is harder to find with SLAAC But minimum allocations are /64 so the OS can use temporary addresses.
77 What s different? The addresses are HEAPS longer. Making management harder.
78 What s different? Tunneling? We got tunneling. 6to4 (automatic) Teredo (automatic) 6in4 (configured) All run over protocol 41, but can fallback to UDP. Perhaps a user installs some torrenting software, and they are now firewall free, inside your organisation.
79 What s different? Implementations are new, so there will be new bugs. Juniper was forwarding traffic to linklocal addresses?!
Data Plane Protection. The googles they do nothing.
Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.
More informationService Provider Multihoming
BGP Traffic Engineering Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic? Transit ISPs strive to balance traffic flows in both directions
More informationService Provider Multihoming
Service Provider Multihoming BGP Traffic Engineering 1 Service Provider Multihoming Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic?
More information2016/01/17 04:05 1/19 Basic BGP Lab
2016/01/17 04:05 1/19 Basic BGP Lab Basic BGP Lab Introduction The purpose of this exercise is to: Understand the routing implications of connecting to multiple external domains Learn to configure basic
More informationMultihoming Complex Cases & Caveats
Multihoming Complex Cases & Caveats ISP Workshops Last updated 6 October 2011 Complex Cases & Caveats p Complex Cases n Multiple Transits n Multi-exit backbone n Disconnected Backbone n IDC Multihoming
More informationModule 16 An Internet Exchange Point
ISP Workshop Lab Module 16 An Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 12 and 13, and the Exchange Points Presentation
More informationQuestion: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)
Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.
More informationIPv6 Security Safe, Secure, and Supported.
IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently
More informationInternetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview
Internetwork Expert s CCNA Security Bootcamp Mitigating Layer 2 Attacks http:// Layer 2 Mitigation Overview The network is only as secure as its weakest link If layer 2 is compromised, all layers above
More informationRemember Extension Headers?
IPv6 Security 1 Remember Extension Headers? IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header Allows adding new features to IPv6 protocol without major re-engineering
More informationBraindumpsQA. IT Exam Study materials / Braindumps
BraindumpsQA http://www.braindumpsqa.com IT Exam Study materials / Braindumps Exam : 400-101 Title : CCIE Routing and Switching Written Exam v5.1 Vendor : Cisco Version : DEMO Get Latest & Valid 400-101
More informationICS 451: Today's plan
ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network
More informationImplementing Cisco IP Routing
300-101 Implementing Cisco IP Routing NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 300-101 Exam on Implementing Cisco IP Routing...
More informationCCNP (Routing & Switching and T.SHOOT)
CCNP (Routing & Switching and T.SHOOT) Course Content Module -300-101 ROUTE 1.0 Network Principles 1.1 Identify Cisco Express Forwarding concepts 1.1.a FIB 1.1.b Adjacency table 1.2 Explain general network
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationIPv6 Module 16 An IPv6 Internet Exchange Point
IPv6 Module 16 An IPv6 Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 12, 14 and 15, and the Exchange Points Presentation
More informationIntroduction. Keith Barker, CCIE #6783. YouTube - Keith6783.
Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -
More informationTSIN02 - Internetworking
Lecture 2: The Internet Protocol Literature: Forouzan: ch 4-9 and ch 27 2004 Image Coding Group, Linköpings Universitet Outline About the network layer Tasks Addressing Routing Protocols 2 Tasks of the
More informationIPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something
More informationCCNP Switch Questions/Answers Securing Campus Infrastructure
What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination
More informationInterconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview
Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview This course will teach students about building a simple network, establishing internet connectivity, managing network device security,
More informationFinding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8
This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: Finding Feature Information, page 2 Information
More informationContents. EVPN overview 1
Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote
More informationLARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF
LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 07 - MPLS BASED LAYER 2 SERVICES 1 by Xantaro MPLS BASED LAYER 2 VPNS USING MPLS FOR POINT-TO-POINT LAYER 2 SERVICES 2 by Xantaro Why are Layer-2
More informationConfiguring IPv4. Finding Feature Information. This chapter contains the following sections:
This chapter contains the following sections: Finding Feature Information, page 1 Information About IPv4, page 2 Virtualization Support for IPv4, page 6 Licensing Requirements for IPv4, page 6 Prerequisites
More informationMonitoring BGP. Configuring the Router
You have to be extra careful if the prefix you want to announce over BGP is already present in the global routing table. This happens in the situation where your ISP announced your address block but you
More informationSession Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs
Session Overview! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs! RIP, IGRP, EIGRP and OSPF! Attacking tunnels! GRE intrusion
More informationIPv6 Neighbor Discovery (ND) Problems with Layer-2 Multicast State
DRAFT IPv6 Neighbor Discovery (ND) Problems with Layer-2 Multicast State Jeff Wheeler jsw@inconcepts.biz The Problem MLD-snooping is much like IGMP-snooping but for IPv6 It keeps unnecessary multicast
More informationImplementing Cisco IP Routing ( )
Implementing Cisco IP Routing (300-101) Implementing Cisco IP Routing (ROUTE 300-101) is a 120-minute qualifying exam with 50 60 questions for the Cisco CCNP and CCDP certifications. The ROUTE 300-101
More informationCSCI-1680 Network Layer:
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca Based partly on lecture notes by Jennifer Rexford, Rob Sherwood, David Mazières, Phil Levis, John JannoA Administrivia Homework 2 is due tomorrow So we can
More informationCCNA Routing and Switching (NI )
CCNA Routing and Switching (NI400+401) 150 Hours ` Outline The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that is
More informationTEXTBOOK MAPPING CISCO COMPANION GUIDES
TestOut Routing and Switching Pro - English 6.0.x TEXTBOOK MAPPING CISCO COMPANION GUIDES Modified 2018-08-20 Objective Mapping: Cisco 100-105 ICND1 Objective to LabSim Section # Exam Objective TestOut
More informationMPLS VPN--Inter-AS Option AB
The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider
More informationTCP/IP Protocol Suite
TCP/IP Protocol Suite Computer Networks Lecture 5 http://goo.gl/pze5o8 TCP/IP Network protocols used in the Internet also used in today's intranets TCP layer 4 protocol Together with UDP IP - layer 3 protocol
More informationSecurizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP
More informationInternet Control Message Protocol
Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.
More informationInterconnecting Cisco Networking Devices Part 2 (ICND2 v3.0)
Interconnecting Cisco Networking Devices Part 2 (ICND2 v3.0) Cisco 200-105 Dumps Available Here at: /cisco-exam/200-105-dumps.html Enrolling now you will get access to 170 questions in a unique set of
More informationInsights on IPv6 Security
Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CISA, CCSP Senior Information & Network Security Consultant NXme FZ-LLC Information Security Researcher, PhD Candidate Stockholm University bilal@nxme.net
More informationService Provider Multihoming
Service Provider Multihoming ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last
More informationHPE FlexFabric 5940 Switch Series
HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett
More informationCisco Certified Network Associate ( )
Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that
More informationBGP Multihoming Techniques
BGP Multihoming Techniques Philip Smith , Kitakyushu, Japan 2001, Cisco Systems, Inc. All rights reserved. 1 Presentation Slides Available at www.apnic.net/meetings/14/programme/docs/bgp-tutslides-pfs.pdf
More informationPeering THINK. A Guide
Peering THINK A Guide Purpose of This Guide To demonstrate the features and benefits of Peering as a resource, and how it helps businesses connect faster, operate more efficiently and lower costs. Contents
More informationAdvanced Multihoming. BGP Traffic Engineering
Advanced Multihoming BGP Traffic Engineering 1 Service Provider Multihoming Previous examples dealt with loadsharing inbound traffic Of primary concern at Internet edge What about outbound traffic? Transit
More informationRouting Basics. Campus Network Design & Operations Workshop
Routing Basics Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationCCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,
CCNA Cisco Certified Network Associate (200-125) Exam DescrIPtion: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment
More informationIPv6 Neighbor Discovery
IPv6 Neighbor Discovery Last Updated: September 19, 2012 The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the
More informationMultihoming with BGP and NAT
Eliminating ISP as a single point of failure www.noction.com Table of Contents Introduction 1. R-NAT Configuration 1.1 NAT Configuration 5. ISPs Routers Configuration 3 15 7 7 5.1 ISP-A Configuration 5.2
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationIPv6 Technical Challenges
IPv6 Technical Challenges Peter Palúch, CCIE #23527, CCIP University of Zilina, Slovakia Academy Salute, April 15 th 16 th, Bucharest IPv6 technical challenges What challenges do I meet if I decide to
More informationConfiguration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38
This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: About DHCP Snooping About DHCP Snooping, on
More informationJuniper Netscreen Security Device. How to Enable IPv6 Page-51
Juniper Netscreen Security Device Page-51 Netscreen Firewall - Interfaces Below is a screen shot for a Netscreen Firewall interface. All interfaces have an IPv6 address except ethernet0/0. We will step
More informationBGP Multihoming Techniques
BGP Multihoming Techniques Philip Smith , Oakland 2001, Cisco Systems, Inc. All rights reserved. 1 Presentation Slides Available on NANOG Web site www.nanog.org/mtg-0110/smith.html Available
More informationR&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell
R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview
More informationIPv6 Neighbor Discovery
The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local
More informationComputer Networks ICS 651. IP Routing RIP OSPF BGP MPLS Internet Control Message Protocol IP Path MTU Discovery
Computer Networks ICS 651 IP Routing RIP OSPF BGP MPLS Internet Control Message Protocol IP Path MTU Discovery Routing Information Protocol DV modified with split horizon and poisoned reverse distance
More informationConfiguring IP Unicast Routing
CHAPTER 40 This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E
More informationConfiguring IP Unicast Routing
CHAPTER 39 This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. A switch
More informationIntroducing Cisco Data Center Networking [AT]
Introducing Cisco Data Center Networking [AT] Number: 640-911 Passing Score: 825 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Cisco 640-911 Introducing Cisco Data Center Networking
More informationMPLS VPN Inter-AS Option AB
First Published: December 17, 2007 Last Updated: September 21, 2011 The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol
More informationConfiguring IPv6 for Gigabit Ethernet Interfaces
CHAPTER 46 IP version 6 (IPv6) provides extended addressing capability beyond those provided in IP version 4 (IPv4) in Cisco MDS SAN-OS. The architecture of IPv6 has been designed to allow existing IPv4
More informationMultihoming Techniques. bdnog8 May 4 8, 2018 Jashore, Bangladesh.
Multihoming Techniques bdnog8 May 4 8, 2018 Jashore, Bangladesh. 2 ISP Hierarchy Default free zone Internet Routers that have explicit routes to every network on the Internet Regional /Access Providers
More informationBGP and the Internet
BGP and the Internet Transit and Internet Exchange Points 1 Definitions Transit carrying traffic across a network, usually for a fee traffic and prefixes originating from one AS are carried across an intermediate
More informationAccess Rules. Controlling Network Access
This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent
More informationIPv6 Client IP Address Learning
Prerequisites for IPv6 Client Address Learning, on page 1 Information About IPv6 Client Address Learning, on page 1 Configuring IPv6 Unicast, on page 6 Configuring RA Guard Policy, on page 7 Applying RA
More informationLecture Computer Networks
Prof. Dr. Hans Peter Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Lecture Computer Networks Internet Protocol
More informationNetwork Infrastructure Filtering at the border. stole slides from Fakrul Alam
Network Infrastructure Filtering at the border maz@iij.ad.jp stole slides from Fakrul Alam fakrul@bdhbu.com Acknowledgement Original slides prepared by Merike Kaeo What we have in network? Router Switch
More informationService Provider Multihoming
Service Provider Multihoming ISP Workshops Last updated 18 September 2013 1 Service Provider Multihoming p Previous examples dealt with loadsharing inbound traffic n Of primary concern at Internet edge
More informationVendor: Cisco. Exam Code: Exam Name: CCIE Routing and Switching Written v5.0. Version: Demo
Vendor: Cisco Exam Code: 400-101 Exam Name: CCIE Routing and Switching Written v5.0 Version: Demo DEMO QUESTION 1 Which two options are effects of the given configuration? (Choose two) A. It enables Cisco
More informationConfiguring IP Unicast Routing
Finding Feature Information, page 2 Information About, page 2 Information About IP Routing, page 2 How to Configure IP Routing, page 9 How to Configure IP Addressing, page 10 Monitoring and Maintaining
More informationDeploying LISP Host Mobility with an Extended Subnet
CHAPTER 4 Deploying LISP Host Mobility with an Extended Subnet Figure 4-1 shows the Enterprise datacenter deployment topology where the 10.17.1.0/24 subnet in VLAN 1301 is extended between the West and
More informationMPLS VPN. 5 ian 2010
MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process
More informationInsights on IPv6 Security
Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CCSP Senior Information & Network Security Consultant - NXme Information Security Researcher Stockholm University 10/9/10 NXme FZ-LLC 1 NIXU Middle
More informationCCIE Routing and Switching (v5.0)
400-101 - CCIE Routing and Switching (v5.0) 1. Which two statements about MAC ACLs are true? (Choose two.) A. They support only inbound filtering. B. They support both inbound and outbound filtering. C.
More informationH3C S6800 Switch Series
H3C S6800 Switch Series Layer 3 IP Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2609 and later Document version: 6W103-20190104 Copyright 2019,
More informationConfiguring Virtual Private LAN Services
Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS
More information2015/07/23 23:32 1/8 More ibgp and Basic ebgp
2015/07/23 23:32 1/8 More ibgp and Basic ebgp More ibgp and Basic ebgp Objective: Connect your ISP to a Transit provider and the Internet Exchange Point using a combination of ISIS, internal BGP, and external
More informationIP Routing Volume Organization
IP Routing Volume Organization Manual Version 20091105-C-1.03 Product Version Release 6300 series Organization The IP Routing Volume is organized as follows: Features IP Routing Overview Static Routing
More information2016/09/07 08:37 1/5 Internal BGP Lab. Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within the AS.
2016/09/07 08:37 1/5 Internal BGP Lab Internal BGP Lab Introduction The purpose of this exercise is to: Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within
More informationRouting Basics. ISP Workshops. Last updated 10 th December 2015
Routing Basics ISP Workshops Last updated 10 th December 2015 1 Routing Concepts p IPv4 & IPv6 p Routing p Forwarding p Some definitions p Policy options p Routing Protocols 2 IPv4 p Internet still uses
More informationIntelligent WAN Multiple VRFs Deployment Guide
Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...
More informationUnit 3: Dynamic Routing
Unit 3: Dynamic Routing Basic Routing The term routing refers to taking a packet from one device and sending it through the network to another device on a different network. Routers don t really care about
More informationBGP for Internet Service Providers
BGP for Internet Service Providers Philip Smith Seoul KIOW 2002 1 BGP current status RFC1771 is quite old, and no longer reflects current operational practice nor vendor implementations
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo
Vendor: Cisco Exam Code: 300-101 Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo DEMO QUESTION 1 Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP
More informationConfiguring IP Unicast Routing
28 CHAPTER This chapter describes how to configure IP unicast routing on the Catalyst 3750 Metro switch. Note For more detailed IP unicast configuration information, refer to the Cisco IOS IP and IP Routing
More informationRouting Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols
Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0
More informationSECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann
SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper
More informationLARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF
LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 05 MULTIPROTOCOL LABEL SWITCHING (MPLS) AND LABEL DISTRIBUTION PROTOCOL (LDP) 1 by Xantaro IP Routing In IP networks, each router makes an independent
More informationIndex. Numerics. Index 1
Index Numerics 802.1p priority (QoS) definition 8-6 802.1q VLAN in mesh 7-23 802.1Q VLAN standard 6-6 802.1w as a region 6-54 802.1x, mesh, not supported 7-5 A ABC enabled on edge switch 7-26 in mesh domain
More informationTable of Contents Chapter 1 Tunneling Configuration
Table of Contents Table of Contents... 1-1 1.1 Introduction to Tunneling... 1-1 1.1.1 IPv6 over IPv4 Tunnel... 1-2 1.1.2 IPv4 over IPv4 Tunnel... 1-7 1.2 Tunneling Configuration Task List... 1-8 1.3 Configuring
More informationBGP Configuration for a Transit ISP
BGP Configuration for a Transit ISP ISP Workshops Last updated 24 April 2013 1 Definitions p Transit carrying traffic across a network, usually for a fee n traffic and prefixes originating from one AS
More informationECE 435 Network Engineering Lecture 14
ECE 435 Network Engineering Lecture 14 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 October 2018 Announcements HW#6 was due HW#7 will be posted 1 IPv4 Catastrophe 2 Out of
More informationConfiguring IPv6 First-Hop Security
This chapter describes the IPv6 First-Hop Security features. This chapter includes the following sections: Finding Feature Information, on page 1 Introduction to First-Hop Security, on page 1 RA Guard,
More informationConfiguring VRF-lite CHAPTER
CHAPTER 36 Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer
More informationExam Topics Cross Reference
Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes
More informationReal4Test. Real IT Certification Exam Study materials/braindumps
Real4Test http://www.real4test.com Real IT Certification Exam Study materials/braindumps Exam : HP0-Y37 Title : Migrating &Troubleshooting Enterprise Networks Vendors : HP Version : DEMO Get Latest & Valid
More informationMPLS MULTI PROTOCOL LABEL SWITCHING OVERVIEW OF MPLS, A TECHNOLOGY THAT COMBINES LAYER 3 ROUTING WITH LAYER 2 SWITCHING FOR OPTIMIZED NETWORK USAGE
MPLS Multiprotocol MPLS Label Switching MULTI PROTOCOL LABEL SWITCHING OVERVIEW OF MPLS, A TECHNOLOGY THAT COMBINES LAYER 3 ROUTING WITH LAYER 2 SWITCHING FOR OPTIMIZED NETWORK USAGE Peter R. Egli 1/21
More informationRealCiscoLAB.com. Inter-VLAN Routing with an Internal Route Processor and Monitoring CEF Functions
RealCiscoLAB.com CCNPv6 SWITCH Inter-VLAN Routing with an Internal Route Processor and Monitoring CEF Functions Topology Objective Background Route between VLANs using a 3560 switch with an internal route
More informationConfiguring Private VLANs
Finding Feature Information, on page 1 Prerequisites for Private VLANs, on page 1 Restrictions for Private VLANs, on page 1 Information About Private VLANs, on page 2 How to Configure Private VLANs, on
More informationRouting Basics. ISP Workshops
Routing Basics ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated 26
More information