Once upon a time, reading some CCIE paper at work, I asked myself a question: “Why would someone bother to invent ttl-security and even write an RFC (http://tools.ietf.org/html/rfc5082) on it when the multi-hop EBGP feature provides the same end result?”
The results of my busy/doing-nothing activity I present here. First some background. For some (unknown to [...]
26
2010
Difference between ebgp-multihop and ttl-security.
1
2010
Capture packets at IOS Cisco router or finally we have a sniffer
Finally it is here – a built-in sniffer on the Cisco IOS platform! Starting with the IOS 12.4(20) release, Cisco introduces a brand new feature
called Embedded Packet Capture (EPC) that allows us to capture raw packets on the Cisco router and then analyze them offline.
It can capture any traffic passing through the router, destined to it, [...]
23
2010
IP Options are evil – drop them, drop them on Cisco ASA/IOS, Microsoft ISA, Juniper or Checkpoint
As you probably noticed, the IP header has a variable-length placeholder for the IP Options field. It has been there since the beginning; once a good idea for debugging, it has now turned into trouble. RFC 791 states that hosts/routers supporting the IP protocol must implement the IP Options field. It is up to the vendor to decide [...]
21
2010
Cisco log: Missing cef table for tableid 65535 during CEF samecable event
Today I’ve noticed a strange error on my Cisco 1841 router:
%FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event
After searching the net, I’ve found a Cisco bug that describes this.
“FIB-4-FIBCBLK errors with dns view
Symptoms
Message “%FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event” displayed on the console logs.
Conditions
The message [...]
18
2010
Cisco ASA privilege separation for a local user or read only user on ASA
Today I had the need to create a user in ASA that would have read-only permissions and could also issue
only 2 commands: show run and show conn. Here is how to do it.
We talk here about a user with local authentication (with TACACS it is much easier).
Just as on Cisco routers, you assign a specific command to [...]
20
2009
copy http flash – download from HTTP server to the Cisco router
The feature to download anything (mostly used to download IOS images) from a remote HTTP server to the Cisco router has
been with us for years, yet there are a few caveats to be aware of before using it.
The command itself is pretty simple:
Router# copy http[:full URI specification] flash[: local path to save the file]
The facts you should [...]
28
2009
Tracking the source of DOS attack with Cisco IOS
Problem: the enterprise is under a Denial of Service attack that brings down key elements of the business or even the whole network.
Tracking the attacker is the first step in handling the attack, and unless the flood is coming from inside (most probably not, in a well managed LAN) you will need the help of [...]
17
2009
Cisco ip accounting to begin with
First of all, Happy New Year to all!
As I promised before (last year), I’ll look at ip accounting in the Cisco world. I’ll say it at the start already – accounting, with us since IOS 10.0, is nowadays getting pushed aside by the powerful Netflow feature. And while it is nowhere near being deprecated/end-of-lifed [...]
6
2008
Finding the station/IP using/abusing most of the bandwidth – PIX/ASA
Here is a short how-to I wrote some (well, long) time ago for the newcomers to our department. It was written for the PIX, but applies to the ASA as well in most cases; see the ASA notes for differences.
Usually it starts with a client complaining about slow internet, or users that already work in the net are [...]
10
2008
Guarding against brute force attack on VTY in Cisco IOS
Starting with IOS 12.3, Cisco introduced a simple but powerful feature to guard against brute force password guessing attacks on remote access. The usual template followed when configuring VTY access is:
1) Configure ACL containing management IPs to be allowed to access the router through VTY
2) (Optional) Restrict VTY access protocol to ssh only (transport input ssh)
3) [...]