Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.



Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.
Task 20.2: Configure an access-list to block all network addresses that are commonly used to hack SP networks.
Task 20.3: Limit the ICMP rate to 500 kbps on Serial 0/0 of ASBR1.

interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip router isis
 ip access-group 111 in
 rate-limit input access-group 110 496000 9216 9216 conform-action transmit exceed-action drop
 encapsulation frame-relay
 no keepalive

access-list 110 permit icmp any any echo log
access-list 110 permit icmp any any echo-reply log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any

ASBR1-RACK1#sho interfaces serial 0/2 rate-limit
Serial0/2 to PE1-RACK1 ISIS
  Input
    matches: access-group 110
      params:  496000 bps, 9216 limit, 9216 extended limit
      conformed 64 packets, 267457 bytes; action: transmit
      exceeded 14 packets, 105940 bytes; action: drop
      last packet: 828013ms ago, current burst: 0 bytes
      last cleared 00:19:25 ago, conformed 1000 bps, exceeded 0 bps

Task 20.4: Guarantee all secure web traffic a bandwidth of 300K going out of ASBR1.

rate-limit output access-group 112 296000 9216 9216 conform-action transmit exceed-action drop

access-list 112 permit tcp any eq 443 any log

Task 20.5: Configure CE8 to deny HTTP traffic Monday through Friday between the hours of 8:00 am and 6:00 pm. Allow UDP traffic on Saturday and Sunday from noon to 8:00 pm only.

CE8-RACK1#sho access-lists

This product is individually licensed.

Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (inactive)

CE8-RACK1#clock set 12:00:00 Jan 6 2006
CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (active)

CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (active)
   periodic weekend 12:00 to 20:00
time-range entry: nohttp_mon_fri (inactive)
   periodic weekdays 8:00 to 18:00

interface FastEthernet0/0.82
 description to PE2 - VLAN 82
 encapsulation dot1q 82
 ip address 10.82.1.1 255.255.255.0
 ip access-group task20.5 in

ip access-list extended task20.5
 deny tcp any any eq www log time-range nohttp_mon_fri
 permit ip any any log time-range nohttp_mon_fri
 permit udp any any log time-range allow_udp_sat_sun

time-range allow_udp_sat_sun
 periodic weekend 12:00 to 20:00

time-range nohttp_mon_fri
 periodic weekdays 8:00 to 18:00

CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (inactive)
   periodic weekend 12:00 to 20:00
time-range entry: nohttp_mon_fri (active)
   periodic weekdays 8:00 to 18:00

CE8-RACK1#clock set 12:00:00 Jan 5 2006
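The CAR statement in Task 20.1/20.3 above (496000 bps, normal and extended burst both 9216 bytes) is a single token bucket, and the conformed/exceeded counters in "show interfaces rate-limit" are its two outcomes. The following Python model is an added example, not the workbook's code; the packet sizes and arrival times it feeds in are constructed. It also shows why the burst must be at least one maximum-size packet: with a bucket smaller than the packet, nothing ever conforms.

```python
"""Token-bucket model of a Cisco CAR `rate-limit` statement.

Added example, not from the workbook. It models
`rate-limit input access-group 110 496000 9216 9216 ...` (Task 20.1/20.3):
with normal burst == extended burst there is no extended-burst phase, so a
single bucket of `burst_bytes` tokens, refilled at `rate_bps`, decides
transmit vs drop. Packet sizes and arrival times below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CarPolicer:
    rate_bps: int                 # committed rate in bits per second
    burst_bytes: int              # normal burst = bucket depth in bytes
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)
    conformed: int = 0            # packets that fit in the bucket (action: transmit)
    exceeded: int = 0             # packets that did not fit (action: drop)
    conformed_bytes: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, now_ms: int, size: int) -> str:
        """Return "transmit" or "drop" for a packet of `size` bytes arriving at `now_ms`."""
        # Refill for the time elapsed since the previous packet; bits/s -> bytes/ms.
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8000)
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            self.conformed_bytes += size
            return "transmit"
        # Exceeding packets do not consume tokens, so the bucket keeps refilling.
        self.exceeded += 1
        self.exceeded_bytes += size
        return "drop"


def simulate_icmp_burst(count: int, pkt_bytes: int = 1500,
                        rate_bps: int = 496000, burst: int = 9216,
                        interval_ms: int = 1) -> Tuple[CarPolicer, List[str]]:
    """Constructed flood: `count` packets of `pkt_bytes`, `interval_ms` apart."""
    policer = CarPolicer(rate_bps, burst)
    verdicts = [policer.offer(i * interval_ms, pkt_bytes) for i in range(count)]
    return policer, verdicts


if __name__ == "__main__":
    p, v = simulate_icmp_burst(20)
    # At 496 kbps the bucket refills 62 bytes/ms, far below the 1500 bytes/ms offered:
    # the first six packets drain the 9216-byte burst, the rest are dropped.
    print(f"conformed {p.conformed} packets, {p.conformed_bytes} bytes; "
          f"exceeded {p.exceeded} packets, {p.exceeded_bytes} bytes")
```

Over a longer run the policer converges on the committed rate: 1000 ms of the same flood lets through 47 packets, which is the initial 9216-byte burst plus 62 bytes per millisecond of refill. A burst of 1000 bytes against 1500-byte packets drops every packet, which is why the interface MTU of 9216 and the burst of 9216 on this lab router go together.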
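The three entries of the task20.5 ACL above are evaluated in order, and an entry bound to a time-range that is inactive at the router's clock is skipped, which is what the (active)/(inactive) markers in the show output report. The following Python evaluator is an added example, not the workbook's code; the clock values and packets it feeds in are constructed, while the entries and time-ranges mirror the CE8 configuration.

```python
"""Time-range ACL evaluation, as CE8 does for `ip access-list extended task20.5`.

Added example, not from the workbook. An entry bound to an inactive time-range
is skipped (IOS prints it as "(inactive)"), entries are tried in order, the
first match wins, and no match means the implicit deny. Clock values and
packets below are constructed; the ACL and time-ranges mirror the CE8 config.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # datetime.weekday(): Monday=0 .. Friday=4
WEEKEND = frozenset({5, 6})             # Saturday, Sunday


@dataclass(frozen=True)
class TimeRange:
    days: frozenset
    start: str    # "HH:MM", 24-hour, zero-padded so string comparison works
    end: str

    def active(self, now: datetime) -> bool:
        """IOS `periodic` ranges are inclusive of the start and end minute."""
        hhmm = now.strftime("%H:%M")
        return now.weekday() in self.days and self.start <= hhmm <= self.end


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"; "ip" matches any protocol
    dst_port: Optional[int] = None    # None = any port
    time_range: Optional[str] = None  # None = always active


TIME_RANGES = {
    "nohttp_mon_fri": TimeRange(WEEKDAYS, "08:00", "18:00"),
    "allow_udp_sat_sun": TimeRange(WEEKEND, "12:00", "20:00"),
}

# Same order and semantics as the three lines of `ip access-list extended task20.5`.
ACL_TASK20_5: List[Ace] = [
    Ace("deny", "tcp", 80, "nohttp_mon_fri"),
    Ace("permit", "ip", None, "nohttp_mon_fri"),
    Ace("permit", "udp", None, "allow_udp_sat_sun"),
]

# Constructed clock values. 5 Jan 2006 is a Thursday (the workbook's `clock set`
# date), 7 Jan 2006 a Saturday.
THURSDAY_NOON = datetime(2006, 1, 5, 12, 0)
SATURDAY_1PM = datetime(2006, 1, 7, 13, 0)
THURSDAY_7PM = datetime(2006, 1, 5, 19, 0)     # outside both ranges


def entry_active(ace: Ace, now: datetime) -> bool:
    return ace.time_range is None or TIME_RANGES[ace.time_range].active(now)


def evaluate(acl: List[Ace], now: datetime, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means implicit deny."""
    for i, ace in enumerate(acl):
        if not entry_active(ace, now):
            continue
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, i
    return "deny", None


def active_flags(acl: List[Ace], now: datetime) -> List[bool]:
    """What `show access-lists` would print as (active)/(inactive) per entry."""
    return [entry_active(ace, now) for ace in acl]


if __name__ == "__main__":
    for when in (THURSDAY_NOON, SATURDAY_1PM, THURSDAY_7PM):
        print(when, active_flags(ACL_TASK20_5, when),
              evaluate(ACL_TASK20_5, when, "tcp", 80),
              evaluate(ACL_TASK20_5, when, "udp", 53))
```

Because the "permit ip any any" entry is itself tied to nohttp_mon_fri, the evaluator reports that outside 08:00 to 18:00 on weekdays and outside 12:00 to 20:00 at the weekend every packet, UDP included, falls to the implicit deny. If the subinterface is meant to pass other traffic at those times, the second entry needs no time-range.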

Task 20.6: Configure ASBR1 to enforce RFC 2827 filtering on traffic from SP1, based on the RFC 1918 source addresses.

interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip access-group 115 in
 ip access-group 116 out
 ip verify unicast reverse-path

access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip 172.16.113.0 0.0.0.255 any
access-list 115 deny ip 172.16.114.0 0.0.0.255 any
access-list 116 permit ip 172.16.113.0 0.0.0.255 any
access-list 116 permit ip 172.16.114.0 0.0.0.255 any
access-list 116 deny ip any any

Task 20.7: Configure ASBR1 to trace a SYN flood from 10.1.1.230.

access-list 118 permit tcp any any established
access-list 118 permit tcp any host 10.1.1.230 log-input
access-list 118 permit ip any any

interface Serial0/2
 ip access-group 118 in

Task 20.8: ASBR1 should black-hole all RFC 1918 networks from SP1, for IPv4 unicast traffic only. To test this task, you are required to enable IPv4 peering. Reconfigure the PEs to receive IPv4 unicast.

interface Null0
 no ip unreachables

ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

router bgp 100
 bgp router-id 10.1.1.100
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 ebgp-multihop 2
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 172.16.113.2 remote-as 200
 neighbor 172.16.114.2 remote-as 200

 address-family ipv4
  redistribute static metric 10
  neighbor 10.1.1.1 activate
  no neighbor 172.16.113.2 activate
  no neighbor 172.16.114.2 activate
  no auto-summary
  no synchronization
 exit-address-family

Task 20.9: Use BGP to trigger black-holing.

ASBR1-RACK1(config)#route-map hole permit 10
ASBR1-RACK1(config-route-map)# match tag 6727
ASBR1-RACK1(config-route-map)# set ip next-hop 10.1.2.1
ASBR1-RACK1(config-route-map)# set local-preference 221
ASBR1-RACK1(config-route-map)# set origin igp
ASBR1-RACK1(config-route-map)# set community no-export
ASBR1-RACK1(config)#route-map hole deny 20
ASBR1-RACK1(config-route-map)#ip route 10.1.2.1 255.255.255.255 Null0
ASBR1-RACK1(config-router)#redistribute static route-map hole
ASBR1-RACK1(config-router)#neighbor 10.1.1.1 send-community

Task 20.10: Configure ASBR1 such that, in the event of a core dump, it sends everything via FTP to 10.1.1.222.

ASBR1-RACK1(config)#ip ftp source-interface Loopback0
ASBR1-RACK1(config)#ip ftp username cisco
ASBR1-RACK1(config)#ip ftp password 7 045802150C2E
ASBR1-RACK1(config)#exception protocol ftp
ASBR1-RACK1(config)#exception dump 10.1.1.222

Task 20.11: Configure the CE8 LAN interface to collect IP precedence accounting.

CE8-RACK1(config-subif)#ip accounting precedence output
CE8-RACK1(config-subif)#ip accounting precedence input

Task 20.12: Disable proxy ARP on S0/0 of ASBR1.

ASBR1-RACK1(config)#int ser 0/0
ASBR1-RACK1(config-if)#no ip proxy-arp

Task 20.13: Configure PE1 for a secure Telnet session.

PE1-RACK1(config)#ip domain-name iementor.com
PE1-RACK1(config)#username admin privilege 15 password iementor
PE1-RACK1(config)#crypto key generate rsa
The name for the keys will be: PE1-RACK1.iementor.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Generating 512 bit RSA keys...[ok]
PE1-RACK1(config)#
Mar 7 18:53:29.507: %SSH-5-ENABLED: SSH 1.5 has been enabled
PE1-RACK1(config)#ip ssh authentication-retries 5
PE1-RACK1(config)#ip ssh time-out 60
PE1-RACK1(config)#line vty 0 4
PE1-RACK1(config-line)#transport input ssh
PE1-RACK1(config-line)#login local

Note that a 512-bit RSA modulus and SSH protocol version 1 (the "SSH 1.5" reported above) are no longer considered secure; on current IOS, generate a 2048-bit key and restrict the server to version 2 with ip ssh version 2.

Task 20.14: Configure ingress filtering on ASBR1 for protection from possible host loopback attacks.

access-list 127 deny ip any any

Task 20.15: Configure ingress filtering on ASBR2 from SP2. Filter all RFC 1918 and common DoS attack sources. Routing should remain stable.

access-list 111 permit ip 172.16.240.0 0.0.0.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 permit ip host 10.1.1.4 any log

interface Ethernet0/0
 description TO PE4 - VLAN 240
 ip address 172.16.240.1 255.255.255.0
 ip access-group 111 in
 ip verify unicast reverse-path

ASBR2-RACK1#sho cef interface ethernet 0/0
Ethernet0/0 is up (if_number 2)
  Corresponding hwidb fast_if_number 2
  Corresponding hwidb firstsw->if_number 2
  Internet address is 172.16.240.1/24
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is 111
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled

  Hardware idb is Ethernet0/0
  Fast switching type 1, interface type 61
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x4001, Output fast flags 0x0
  ifindex 1(1)
  Slot 0 Slot unit 0 Unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
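Tasks 20.6 and 20.15 above rely on two things: that the wildcard masks in the ingress ACL really cover each RFC 1918 block under first-match evaluation, and that strict uRPF (ip verify unicast reverse-path) only accepts sources whose best route points back out the receiving interface. The following Python checks are an added example, not the workbook's code. The ACL text is constructed (modelled on the Task 20.15 list, keeping the peer-subnet and peer-host exceptions but with a deliberately narrow wildcard on the 10.0.0.0 entry so the check finds something), and the FIB and packet sources are constructed as well.

```python
"""Ingress-filter checks for an SP-facing edge interface (Tasks 20.6 and 20.15).

Added example, not the workbook's code. Two checks a reviewer would run
before trusting such a filter:
  1. Does the ACL, under first-match semantics, really deny each RFC 1918
     block, given how IOS wildcard masks are written?
  2. Would strict unicast RPF (`ip verify unicast reverse-path`) accept a
     given source address on a given interface?
The ACL text, FIB and packets below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Network = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only `access-list N {permit|deny} ip SRC [WILDCARD] any ...` lines are parsed.
ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)(?:\s+(\S+))?\s+any\b")

# Constructed ACL modelled on Task 20.15: the peer-subnet and peer-host permits
# are kept, and the 10.0.0.0 entry carries a deliberately narrow wildcard
# (0.0.0.255 = /24 rather than 0.255.255.255 = /8) so the check has something to find.
SAMPLE_ACL = """
access-list 111 permit ip 172.16.240.0 0.0.0.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 10.0.0.0 0.0.0.255 any log
access-list 111 permit ip host 10.1.1.4 any log
"""

# Constructed FIB: (prefix, outgoing interface).
SAMPLE_FIB = [
    ("172.16.240.0/24", "Ethernet0/0"),
    ("10.1.1.4/32", "Ethernet0/0"),
    ("10.1.1.0/24", "Serial0/0"),
    ("0.0.0.0/0", "Serial0/0"),
]


def wildcard_to_network(addr: str, wildcard: str) -> Network:
    """An IOS wildcard is an inverted netmask: 0.15.255.255 -> 255.240.0.0 -> /12.
    Non-contiguous wildcards are not CIDR blocks; ipaddress raises ValueError for them."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_source_aces(config_text: str, acl_number: str) -> List[Tuple[str, Network]]:
    """Return [(action, source network)] for one numbered ACL, in configured order."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_number:
            continue
        _, action, src, wild = m.groups()
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src == "host":
            net = ipaddress.ip_network(f"{wild}/32")
        else:
            net = wildcard_to_network(src, wild or "0.0.0.0")
        aces.append((action, net))
    return aces


def classify_sources(aces: List[Tuple[str, Network]], prefix: Network) -> Dict[str, int]:
    """Split `prefix` by first-match semantics and count the addresses that end up
    explicitly permitted, explicitly denied, or left to the implicit deny."""
    counts = {"permit": 0, "deny": 0, "implicit": 0}
    undecided = [prefix]
    for action, net in aces:
        remaining = []
        for piece in undecided:
            if not piece.overlaps(net):
                remaining.append(piece)
            elif piece.subnet_of(net):
                counts[action] += piece.num_addresses          # entry decides the whole piece
            else:                                               # net lies strictly inside piece
                counts[action] += net.num_addresses
                remaining.extend(piece.address_exclude(net))    # the rest is still undecided
        undecided = remaining
    counts["implicit"] = sum(p.num_addresses for p in undecided)
    return counts


def rfc1918_report(config_text: str, acl_number: str) -> Dict[str, Dict[str, int]]:
    aces = parse_source_aces(config_text, acl_number)
    return {str(p): classify_sources(aces, p) for p in RFC1918}


def urpf_strict_ok(fib: List[Tuple[str, str]], src_ip: str, ingress: str,
                   allow_default: bool = False) -> bool:
    """Strict uRPF: the longest-prefix match for the source must point back out the
    ingress interface. A match on the default route only counts with allow_default
    (IOS keyword allow-default); otherwise every source would pass on the
    interface that carries the default route."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return False
    return best[1] == ingress


if __name__ == "__main__":
    for prefix, counts in rfc1918_report(SAMPLE_ACL, "111").items():
        print(prefix, counts)
    print(urpf_strict_ok(SAMPLE_FIB, "10.1.1.9", "Ethernet0/0"))   # spoofed: route points elsewhere
```

The report shows 172.16.240.0/24 permitted ahead of the 172.16.0.0/12 deny, which is the intended exception that keeps the peering subnet reachable, and only 256 addresses of 10.0.0.0/8 explicitly denied, which is the wildcard mistake. In this deny-only list the rest of 10.0.0.0/8 still hits the implicit deny, but an ACL that ends in permit ip any any would admit all of it. On the uRPF side, strict mode assumes symmetric routing; a source whose best route is the default on another interface fails, and a source arriving on the default-route interface only passes with allow-default, so on a multihomed edge the check needs the peer's prefixes in the FIB before it is switched on.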