ieMentor CCIE™ Service Provider Workbook v1.0 | Lab20 Solutions: Security
Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks against ASBR1 from SP1.
Task 20.2: Configure an access-list to block all network addresses that are commonly used to attack SP networks.
Task 20.3: Limit the ICMP rate to 500 kbps on Serial 0/0 of ASBR1.
interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip router isis
 ip access-group 111 in
 rate-limit input access-group 110 496000 9216 9216 conform-action transmit exceed-action drop
 encapsulation frame-relay
 no keepalive
!
access-list 110 permit icmp any any echo log
access-list 110 permit icmp any any echo-reply log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
ASBR1-RACK1#sho interfaces serial 0/2 rate-limit
Serial0/2 to PE1-RACK1 ISIS
  Input
    matches: access-group 110
      params:  496000 bps, 9216 limit, 9216 extended limit
      conformed 64 packets, 267457 bytes; action: transmit
      exceeded 14 packets, 105940 bytes; action: drop
      last packet: 828013ms ago, current burst: 0 bytes
      last cleared 00:19:25 ago, conformed 1000 bps, exceeded 0 bps
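To see how the CAR parameters above translate into the conformed/exceeded counters, here is a token-bucket model written for this edit; it is not part of the workbook. The bucket holds at most the normal burst (9216 bytes), refills at 496000 bps, and a packet conforms when the bucket holds at least its size. Because the normal and extended bursts are equal, there is no extended-burst borrowing, so a plain token bucket is enough; real CAR also tracks compounding debt, which this model omits. The ICMP packet stream is constructed.

```python
"""Token-bucket model of the CAR policy in Task 20.3 (constructed example,
not the workbook's code):

  rate-limit input access-group 110 496000 9216 9216 conform-action transmit
  exceed-action drop

Tokens are bytes. They refill at rate_bps / 8 bytes per second up to the
normal burst, and a packet conforms when the bucket holds at least its size.
With normal burst == extended burst there is no extended-burst borrowing.
"""
from dataclasses import dataclass, field


@dataclass
class CarPolicer:
    rate_bps: int
    normal_burst: int                       # bytes
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)
    conformed: list = field(default_factory=list)
    exceeded: list = field(default_factory=list)

    def __post_init__(self):
        self.tokens = float(self.normal_burst)   # bucket starts full

    def offer(self, t: float, size: int) -> str:
        """Offer one packet of `size` bytes at time `t` (seconds)."""
        refill = (t - self.last_t) * self.rate_bps / 8
        self.tokens = min(self.normal_burst, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed.append(size)
            return "transmit"
        self.exceeded.append(size)
        return "drop"

    def counters(self) -> dict:
        """The four counters that 'show interfaces rate-limit' reports."""
        return {
            "conformed_packets": len(self.conformed),
            "conformed_bytes": sum(self.conformed),
            "exceeded_packets": len(self.exceeded),
            "exceeded_bytes": sum(self.exceeded),
        }


def simulate_icmp_burst() -> dict:
    """Constructed traffic: ten 1500-byte echo requests 1 ms apart (a flood),
    then one 64-byte ping two seconds later, after the bucket has refilled.
    The first six floods packets fit in the 9216-byte burst; the next four
    arrive faster than the 62 bytes/ms refill and are dropped."""
    car = CarPolicer(rate_bps=496000, normal_burst=9216)
    for i in range(10):
        car.offer(i * 0.001, 1500)
    car.offer(2.0, 64)
    return car.counters()


if __name__ == "__main__":
    print(simulate_icmp_burst())
```

The model shows why a burst limit matters as much as the rate: a 1500-byte flood is cut off after six packets, while a lone ping after a quiet period always conforms because the bucket has refilled to its 9216-byte cap.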
Task 20.4: Guarantee all secure web traffic a bandwidth of 300K going out of ASBR1.

rate-limit output 296000 9216 9216 conform-action transmit exceed-action drop
access-list 112 permit tcp any eq 443 any log
Task 20.5: Configure CE8 to deny HTTP traffic Monday through Friday between the hours of 8:00 am and 6:00 pm. Allow UDP traffic on Saturday and Sunday from noon to 8:00 pm only.

CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (inactive)

CE8-RACK1#clock set 12:00:00 Jan 6 2006
CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (active)

CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (active)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (inactive)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry

interface FastEthernet0/0.82
 description to PE2 - VLAN 82
 encapsulation dot1Q 82
 ip address 10.82.1.1 255.255.255.0
 ip access-group task20.5 in
!
ip access-list extended task20.5
 deny tcp any any eq www log time-range nohttp_mon_fri
 permit ip any any log time-range nohttp_mon_fri
 permit udp any any log time-range allow_udp_sat_sun
!
time-range allow_udp_sat_sun
 periodic weekend 12:00 to 20:00
!
time-range nohttp_mon_fri
 periodic weekdays 8:00 to 18:00

CE8-RACK1#clock set 12:00:00 Jan 5 2006

CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (inactive)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (active)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry
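A small evaluator, added for this edit and not taken from the workbook, that reproduces the active/inactive behaviour of the task20.5 ACL from the clock: an ACE whose time-range is inactive is skipped as if it were absent, the remaining entries are matched in order, and anything left falls to the implicit deny. The ranges and entries are the ones configured on CE8; the timestamps are the Thursday set above plus a constructed Saturday and a weekday evening. Treating the range end as exclusive is an assumption of the model.

```python
"""Evaluator for the time-based ACL in Task 20.5 (constructed example, not the
workbook's code). IOS skips an ACE whose time-range is inactive, so the verdict
depends on the clock; this reproduces the (active)/(inactive) flags of
'show access-lists' for a given date and time. Assumption: a periodic range is
treated as the half-open interval [start, end)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

PERIODIC_DAYS = {                       # datetime.weekday(): Monday == 0
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "daily": set(range(7)),
}


@dataclass(frozen=True)
class TimeRange:
    name: str
    days: str            # IOS 'periodic' keyword
    start: time
    end: time

    def is_active(self, now: datetime) -> bool:
        return (now.weekday() in PERIODIC_DAYS[self.days]
                and self.start <= now.time() < self.end)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str          # "permit" | "deny"
    proto: str           # "ip", "tcp" or "udp"
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None


# The two ranges and the ACL exactly as configured on CE8.
ALLOW_UDP = TimeRange("allow_udp_sat_sun", "weekend", time(12, 0), time(20, 0))
NO_HTTP = TimeRange("nohttp_mon_fri", "weekdays", time(8, 0), time(18, 0))
ACL_TASK20_5 = [
    Ace(10, "deny", "tcp", 80, NO_HTTP),
    Ace(20, "permit", "ip", None, NO_HTTP),
    Ace(30, "permit", "udp", None, ALLOW_UDP),
]


def active_ranges(when: str) -> set:
    """Names of the ranges active at an ISO timestamp such as '2006-01-05T12:00'."""
    now = datetime.fromisoformat(when)
    return {r.name for r in (ALLOW_UDP, NO_HTTP) if r.is_active(now)}


def evaluate(when: str, proto: str, dport: Optional[int] = None) -> str:
    """First matching active ACE wins; everything else hits the implicit deny."""
    now = datetime.fromisoformat(when)
    for ace in ACL_TASK20_5:
        if ace.time_range is not None and not ace.time_range.is_active(now):
            continue                      # inactive ACE: treated as absent
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    # Outside both ranges (a weekday evening, a weekend morning) no ACE is
    # active, so the implicit deny drops all traffic on this interface.
    return "deny"


if __name__ == "__main__":
    for when in ("2006-01-05T12:00", "2006-01-07T13:00", "2006-01-05T19:00"):
        print(when, active_ranges(when), evaluate(when, "tcp", 80), evaluate(when, "udp", 53))
```

Running it for the weekday evening case makes the side effect of this ACL visible: once nohttp_mon_fri goes inactive at 18:00 on a weekday, no entry is active at all and the implicit deny blocks everything, not just HTTP.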

Task 20.6: Configure ASBR1 to enforce RFC 2827 filtering on traffic from SP1, based on RFC 1918 source addresses.

interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip access-group 115 in
 ip access-group 116 out
 ip verify unicast reverse-path
!
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip 172.16.113.0 0.0.0.255 any
access-list 115 deny ip 172.16.114.0 0.0.0.255 any
access-list 116 permit ip 172.16.113.0 0.0.0.255 any
access-list 116 permit ip 172.16.114.0 0.0.0.255 any
access-list 116 deny ip any any

Task 20.7: Configure ASBR1 to trace a SYN flood from 10.1.1.230.

access-list 118 permit tcp any any established
access-list 118 permit tcp any host 10.1.1.230 log-input
access-list 118 permit ip any any
!
interface Serial0/2
 ip access-group 118 in

Task 20.8: ASBR1 should “black hole” all RFC 1918 networks from SP1 for IPv4 unicast traffic only.

To test this task, you are required to enable IPv4 peering. Reconfigure the PEs to receive IPv4 unicast.

interface Null0
 no ip unreachables
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.255.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
router bgp 100
 bgp router-id 10.1.1.100
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 ebgp-multihop 2
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 172.16.113.2 remote-as 200
 neighbor 172.16.114.2 remote-as 200

 

 !
 address-family ipv4
  redistribute static metric 10
  neighbor 10.1.1.1 activate
  no neighbor 172.16.113.2 activate
  no neighbor 172.16.114.2 activate
  no auto-summary
  no synchronization
 exit-address-family

Task 20.9: Use BGP to trigger “black-holing.”

ASBR1-RACK1(config)#route-map hole permit 10
ASBR1-RACK1(config-route-map)# match tag 6727
ASBR1-RACK1(config-route-map)# set ip next-hop 10.1.2.1
ASBR1-RACK1(config-route-map)# set local-preference 221
ASBR1-RACK1(config-route-map)# set origin igp
ASBR1-RACK1(config-route-map)# set community no-export
ASBR1-RACK1(config)#route-map hole deny 20
ASBR1-RACK1(config-route-map)#ip route 10.1.2.1 255.255.255.255 Null0
ASBR1-RACK1(config-router)#redistribute static route-map hole
ASBR1-RACK1(config-router)#neighbor 10.1.1.1 send-community
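The trigger mechanism above, modelled in Python as an added example (not the workbook's code): a static route carrying tag 6727 is what fires the black hole, route-map hole rewrites its next hop to 10.1.2.1 and marks it no-export with local preference 221, and because 10.1.2.1/32 points to Null0, any router that installs the update resolves the victim prefix to Null0. The page does not show the tagged trigger route itself, so the victim host 10.77.77.77/32 and the untagged customer route 10.77.0.0/16 are constructed for the demo.

```python
"""Model of the BGP-triggered black hole in Task 20.9 (constructed example, not
the workbook's code). A static route tagged 6727 is the trigger; route-map
'hole' sets its next hop to 10.1.2.1, and 10.1.2.1/32 is routed to Null0, so
every router accepting the update forwards the victim's traffic into Null0.
The victim prefix and the untagged customer route are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

TRIGGER_TAG = 6727
BLACKHOLE_NEXT_HOP = "10.1.2.1"


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                  # e.g. "10.1.2.1/32"
    next_hop: str                # IP address or interface name
    tag: Optional[int] = None


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    local_pref: int = 100
    origin: str = "incomplete"   # redistributed routes default to origin incomplete
    communities: set = field(default_factory=set)


def route_map_hole(route: StaticRoute) -> Optional[BgpRoute]:
    """route-map hole: permit 10 matches tag 6727 and rewrites the attributes;
    deny 20 drops everything else from redistribution."""
    if route.tag == TRIGGER_TAG:
        return BgpRoute(route.prefix, BLACKHOLE_NEXT_HOP, local_pref=221,
                        origin="igp", communities={"no-export"})
    return None


def redistribute_static(statics):
    """'redistribute static route-map hole': only tagged trigger routes reach BGP."""
    return [r for r in map(route_map_hole, statics) if r is not None]


def fib_lookup(statics, ip: str) -> Optional[str]:
    """Longest-prefix match over the static table; returns next hop or interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in statics:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.next_hop)
    return best[1] if best else None


# Static table on ASBR1: the Null0 route from the page plus two constructed entries.
STATICS = [
    StaticRoute("10.1.2.1/32", "Null0"),                      # from the page
    StaticRoute("10.77.77.77/32", "Null0", tag=TRIGGER_TAG),  # constructed victim host (trigger)
    StaticRoute("10.77.0.0/16", "172.16.113.2"),              # constructed customer route, untagged
]


def forwarding_interface_for(statics, dst_ip: str) -> Optional[str]:
    """What a router that installed the advertised update does with a packet:
    the victim prefix resolves via next hop 10.1.2.1, and 10.1.2.1 via Null0."""
    advertised = {r.prefix: r.next_hop for r in redistribute_static(statics)}
    for prefix, nh in advertised.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
            return fib_lookup(statics, nh)        # recursive lookup on the next hop
    return fib_lookup(statics, dst_ip)


if __name__ == "__main__":
    for r in redistribute_static(STATICS):
        print(r)
    print(forwarding_interface_for(STATICS, "10.77.77.77"))
    print(forwarding_interface_for(STATICS, "10.77.1.1"))
```

The no-export community only reaches the peer because of `neighbor 10.1.1.1 send-community`; without it the receiving AS could re-advertise the /32 beyond the intended scope.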

Task 20.10: Configure ASBR1 so that, in the event of a core dump, it sends everything via FTP to 10.1.1.222.

ASBR1-RACK1(config)#ip ftp source-interface Loopback0
ASBR1-RACK1(config)#ip ftp username cisco
ASBR1-RACK1(config)#ip ftp password 7 045802150C2E
ASBR1-RACK1(config)#exception protocol ftp
ASBR1-RACK1(config)#exception dump 10.1.1.222

Task 20.11: Configure the CE8 LAN interface to collect IP accounting by precedence.

CE8-RACK1(config-subif)#ip accounting precedence output
CE8-RACK1(config-subif)#ip accounting precedence input

Task 20.12: Disable proxy ARP on S0/0 of ASBR1.

ASBR1-RACK1(config)#int ser 0/0
ASBR1-RACK1(config-if)#no ip proxy-arp

Task 20.13: Configure PE1 for a secure Telnet session.

PE1-RACK1(config)#ip domain-name iementor.com
PE1-RACK1(config)#username admin privilege 15 password iementor
PE1-RACK1(config)#crypto key generate rsa
The name for the keys will be: PE1-RACK1.iementor.com

Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating 512 bit RSA keys
[OK]

PE1-RACK1(config)#
Mar  7 18:53:29.507: %SSH-5-ENABLED: SSH 1.5 has been enabled
PE1-RACK1(config)#ip ssh authentication-retries 5
PE1-RACK1(config)#ip ssh time-out 60
PE1-RACK1(config)#line vty 0 4
PE1-RACK1(config-line)#transport input ssh
PE1-RACK1(config-line)#login local

 

Task 20.14: Configure ingress filtering on ASBR1 for protection from possible attacks involving hosts’ loopback addresses.

access-list 127 deny ip any any

Task 20.15: Configure ingress filtering on ASBR2 from SP2. Filter all RFC 1918 and common DoS attack sources. Routing should remain stable.

access-list 111 permit ip 172.16.240.0 0.0.0.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 10.0.0.0 0.0.0.255 any log
access-list 111 permit ip host 10.1.1.4 any log
!
interface Ethernet0/0
 description TO PE4 - VLAN 240
 ip address 172.16.240.1 255.255.255.0
 ip access-group 111 in
 ip verify unicast reverse-path

ASBR2-RACK1#sho cef interface ethernet 0/0
Ethernet0/0 is up (if_number 2)
  Corresponding hwidb fast_if_number 2
  Corresponding hwidb firstsw->if_number 2
  Internet address is 172.16.240.1/24
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is 111
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled

  Hardware idb is Ethernet0/0
  Fast switching type 1, interface type 61
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x4001, Output fast flags 0x0
  ifindex 1(1)
  Slot 0 Slot unit 0 Unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
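The ACL-plus-uRPF pair that the show cef output confirms on Ethernet0/0 (and the RFC 1918 filters of Tasks 20.2 and 20.6), modelled in Python as an added example that is not the workbook's code. It implements IOS wildcard-mask matching and strict unicast RPF over a constructed FIB, and it also checks a point worth noticing in ACL 111 as printed: the entry 10.0.0.0 0.0.0.255 covers only 10.0.0.0/24, so the rest of 10/8 is dropped by the unlogged implicit deny instead of the logged entry, and widening it to 0.255.255.255 requires moving the permit for host 10.1.1.4 above it or the peer is filtered too. The FIB entries, the 172.16.240.200/32 host route and the packet sources are constructed, and the order in which the ACL and uRPF are applied is a modelling choice, not a statement about IOS internals.

```python
"""Ingress-filter model for Tasks 20.2, 20.6 and 20.15: an IOS-style wildcard-mask
ACL followed by strict unicast RPF, as on ASBR2 Ethernet0/0. Constructed example,
not the workbook's code; the FIB and packet sources are made up for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask 1 bits are don't-care bits; the 0 bits must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32
    return (a & care) == (b & care)


def wildcard_size(wildcard: str) -> int:
    """Addresses covered by a wildcard: 2 ** (count of 1 bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str          # "permit" | "deny"
    src: str
    wildcard: str
    log: bool = False


def acl_lookup(acl, src: str) -> Tuple[str, Optional[int], bool]:
    """First match wins; returns (action, sequence, logged). The implicit deny
    at the end has no sequence number and is never logged."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.wildcard):
            return ace.action, ace.seq, ace.log
    return "deny", None, False


# ACL 111 as printed in Task 20.15 (sequence numbers are the entry order).
# 10.0.0.0 0.0.0.255 covers only 10.0.0.0/24; the rest of 10/8 falls through
# to the unlogged implicit deny.
ACL_111_AS_PRINTED = [
    Ace(10, "permit", "172.16.240.0", "0.0.0.255", log=True),
    Ace(20, "deny", "172.16.0.0", "0.15.255.255", log=True),
    Ace(30, "deny", "192.168.0.0", "0.0.255.255", log=True),
    Ace(40, "deny", "10.0.0.0", "0.0.0.255", log=True),
    Ace(50, "permit", "10.1.1.4", "0.0.0.0", log=True),
]

# Same policy with all of 10/8 denied and logged; the host permit for 10.1.1.4
# then has to sit above the 10/8 deny, or the peer is filtered too.
ACL_111_FULL_RFC1918 = [
    Ace(10, "permit", "172.16.240.0", "0.0.0.255", log=True),
    Ace(20, "permit", "10.1.1.4", "0.0.0.0", log=True),
    Ace(30, "deny", "172.16.0.0", "0.15.255.255", log=True),
    Ace(40, "deny", "192.168.0.0", "0.0.255.255", log=True),
    Ace(50, "deny", "10.0.0.0", "0.255.255.255", log=True),
]

# Constructed FIB for ASBR2: (prefix, egress interface).
FIB = [
    ("172.16.240.0/24", "Ethernet0/0"),   # connected, from the interface config
    ("10.1.1.4/32", "Ethernet0/0"),       # PE4 reached across the peering LAN
    ("172.16.240.200/32", "Serial0/0"),   # constructed: a more specific host route elsewhere
]


def fib_egress(src: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_ok(src: str, ingress: str) -> bool:
    """Strict uRPF: the best route back to the source must point out the
    interface the packet came in on, and must not be Null0."""
    egress = fib_egress(src)
    return egress is not None and egress == ingress and egress != "Null0"


def ingress_verdict(acl, src: str, ingress: str = "Ethernet0/0") -> str:
    """ACL first, then uRPF (the order is a modelling choice, not IOS internals)."""
    action, _seq, _logged = acl_lookup(acl, src)
    if action == "deny":
        return "drop:acl"
    if not urpf_strict_ok(src, ingress):
        return "drop:urpf"
    return "forward"
```

The 172.16.240.200 case is the one the ACL alone cannot catch: the source is inside the permitted peering subnet, so only the reverse-path check notices that the best route back to it does not leave via Ethernet0/0.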

This product is individually licensed. Copyright © 2005 ieMentor http://www.iementor.com.