Monday, October 19, 2009

10.04 IP Traffic Export (RITE)

Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4
User Security Configuration

- The MAC address of the device receiving the exported traffic must be on the same LAN segment as the export interface.
- The outgoing (export) interface must be a 10/100/1000 Ethernet interface.
- Copied packets can be filtered with an ACL before they are exported.
- Default is incoming traffic only; bidirectional export can be configured.
- Packet exporting is performed before packet switching or filtering.

Configuration
Router> enable
Router# configure terminal
Router(config)# ip traffic-export profile profile-name
Router(config-rite)# interface FastEthernet 0/1 //to IDS
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
Router(config-rite)# outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
Router(config-rite)# exit

Router(config)# interface FastEthernet0/0 //monitor traffic
Router(config-if)# ip traffic-export apply profile-name

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_ip_traff_export_ps6350_TSD_Products_Configuration_Guide_Chapter.html
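To make the notes above concrete, here is an added Python model (not Cisco code, and not from the Doc CD) of which packets a RITE profile copies to the monitoring device. It follows the behaviour listed above: incoming only by default, optional bidirectional export, optional export ACL, optional one-in-every-N sampling, and export performed before the interface's own filtering. The packets, the ACL entries, the simplified source-address-only ACL match and the per-direction sampling counter are all constructed assumptions for the illustration.

```python
"""Model of which packets an IP Traffic Export (RITE) profile copies to the
monitoring device. Added illustration, not Cisco code: it follows the
behaviour described in the notes (incoming only by default, optional
bidirectional, optional export ACL, optional one-in-every-N sampling, and
export performed before the interface's own filtering). ACL matching, the
per-direction sampling counter and the packets are simplified/constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out" relative to the monitored interface


@dataclass
class RiteProfile:
    bidirectional: bool = False
    # Export ACL: (action, source prefix) entries, first match wins,
    # implicit deny at the end. Empty list means no ACL: export everything.
    export_acl: list = field(default_factory=list)
    sample_one_in_every: int = 1  # 1 = copy every matching packet


def acl_permits(acl, pkt):
    """Simplified standard-ACL match on the packet's source address."""
    if not acl:
        return True
    for action, prefix in acl:
        if ip_address(pkt.src) in ip_network(prefix):
            return action == "permit"
    return False


def exported_packets(profile, packets):
    """Return the packets the profile hands to the export interface.

    The monitored interface's own inbound ACL is deliberately not consulted:
    exporting happens before switching or filtering, so the IDS also sees
    packets the router drops afterwards."""
    if profile.sample_one_in_every < 1:
        raise ValueError("sample one-in-every needs a count of 1 or more")
    seen = {"in": 0, "out": 0}  # assumption: sampling counts per direction
    exported = []
    for pkt in packets:
        if pkt.direction == "out" and not profile.bidirectional:
            continue
        if not acl_permits(profile.export_acl, pkt):
            continue
        seen[pkt.direction] += 1
        # Keep the 1st, (N+1)th, (2N+1)th ... matching packet.
        if (seen[pkt.direction] - 1) % profile.sample_one_in_every == 0:
            exported.append(pkt)
    return exported


def dropped_by_interface_acl(packets, interface_acl):
    """Inbound packets the router itself discards on the monitored interface
    (evaluated after export, so independent of exported_packets)."""
    return [p for p in packets
            if p.direction == "in" and not acl_permits(interface_acl, p)]


# Constructed traffic: seven inbound packets (one from a prefix an interface
# ACL will deny) and two outbound replies.
SAMPLE_PACKETS = [
    Packet("10.1.1.1", "192.0.2.10", "in"),
    Packet("10.1.1.2", "192.0.2.10", "in"),
    Packet("10.1.1.3", "192.0.2.10", "in"),
    Packet("192.168.1.5", "192.0.2.10", "in"),
    Packet("10.1.1.4", "192.0.2.10", "in"),
    Packet("10.1.1.5", "192.0.2.10", "in"),
    Packet("10.1.1.6", "192.0.2.10", "in"),
    Packet("192.0.2.10", "10.1.1.1", "out"),
    Packet("192.0.2.10", "10.1.1.2", "out"),
]

if __name__ == "__main__":
    profile = RiteProfile(export_acl=[("permit", "10.0.0.0/8")],
                          sample_one_in_every=3)
    for p in exported_packets(profile, SAMPLE_PACKETS):
        print("exported:", p.direction, p.src, "->", p.dst)
    iface_acl = [("deny", "192.168.1.0/24"), ("permit", "0.0.0.0/0")]
    for p in dropped_by_interface_acl(SAMPLE_PACKETS, iface_acl):
        print("dropped after export:", p.src, "->", p.dst)
```

The last two assertions in the test below are the point a defender cares about: a packet the interface ACL denies is still exported (the IDS sees attempts the router blocks), while sampling at one-in-every-3 means the IDS sees only a third of the matching flows.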

Monday, October 12, 2009

7.60 WCCP

Cisco IOS IP Application Services http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

- WCCP works only with IPv4 networks.
- Up to 32 content engines can be clustered.
- WCCPv1 supports only HTTP.
- WCCPv1: the router and content engine communicate over a control channel on UDP port 2048.
- WCCPv2: unicast or multicast IP is used for communication between all routers in the service group and the content engines (multicast group address 224.0.0.100).
- WCCPv2 supports up to 32 routers per service group; maximum of 256 service groups.
- WCCPv2 load distribution:
hot spot handling
load balancing
load shedding

Configuring a General WCCPv2 Session: Example
configure terminal
ip wccp web-cache group-address 224.1.1.100 password password1
interface ethernet0
ip wccp web-cache redirect out
exit
ip wccp check services all ! Configures a check of all WCCP services.

ip wccp
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode.

ip wccp check acl outbound
To check the outbound access control list (ACL) for Web Cache Communication Protocol (WCCP), use the ip wccp check acl outbound command in global configuration mode.

ip wccp check services all
To enable all Web Cache Communication Protocol (WCCP) services, use the ip wccp check services all command in global configuration mode.

ip wccp group-listen
To configure an interface on a router to enable or disable the reception of IP multicast packets for Web Cache Communication Protocol (WCCP), use the ip wccp group-listen command in interface configuration mode.

Router# configure terminal
Router(config)# ip multicast-routing
Router(config)# ip wccp web-cache group-address 224.1.1.100
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache group-listen

ip wccp redirect
To enable packet redirection on an outbound or inbound interface using Web Cache Communication Protocol (WCCP), use the ip wccp redirect command in interface configuration mode.

The following example shows how to configure a session in which HTTP traffic arriving on Ethernet interface 0/1 is redirected to a Cisco Cache Engine:
Router(config)# ip wccp web-cache
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp web-cache redirect in

ip wccp redirect exclude in
To configure an interface to exclude packets received on an interface from being checked for redirection, use the ip wccp redirect exclude in command in interface configuration mode.

ip wccp version
To specify the version of Web Cache Communication Protocol (WCCP), use the ip wccp version command in global configuration mode.
ip wccp version {1 | 2}

ip wccp web-cache accelerated
To enable the hardware acceleration for WCCP version 1, use the ip wccp web-cache accelerated command in global configuration mode.

Sunday, October 11, 2009

7.40 Implement Network Time Protocol

While reading about NTP for exam preparation, I got the idea of putting up short notes from the Cisco Doc CD.
Doc CD path: Cisco IOS Network Management Configuration Guide, Release 12.4
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6350_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html

ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode.
Router(config)# ntp access-group peer 99
Router(config)# ntp access-group serve-only 42

ntp authenticate
To enable Network Time Protocol (NTP) authentication, use the ntp authenticate command in global configuration mode.
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42

ntp authentication-key
To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key command in global configuration mode. Only MD5 is supported.

ntp broadcast
To configure the options for broadcasting Network Time Protocol (NTP) traffic, use the ntp broadcast command in interface configuration mode.
Router(config)# interface ethernet 0
Router(config-if)# ntp broadcast version 2

ntp broadcast client
To configure a device to receive Network Time Protocol (NTP) broadcast messages on a specified interface, use the ntp broadcast client command in interface configuration mode.
Router(config)# interface ethernet 1
Router(config-if)# ntp broadcast client

ntp broadcastdelay
To set the estimated round-trip delay between the Cisco IOS software and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay command in global configuration mode.
Command default: 3000 microseconds. Use this command when the router is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds.

ntp clock-period
Information Only. Do not manually set a value for the NTP clock-period. The system automatically generates this command as Network Time Protocol (NTP) determines the clock error and compensates.

ntp disable
To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable command in interface configuration mode.
Router(config)# interface ethernet 0
Router(config-if)# ntp disable

ntp logging
To enable Network Time Protocol (NTP) message logging, use the ntp logging command in global configuration mode.
Router(config)# ntp logging

ntp master
To configure the Cisco IOS software as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master command in global configuration mode.
Router(config)# ntp master 10

ntp max-associations
To configure the maximum number of Network Time Protocol (NTP) peers and clients for a routing device, use the ntp max-associations command in global configuration mode. Specifies the number of NTP associations. The range is 0 to 4294967295. The default is 100.
Router(config)# ntp max-associations 200

ntp multicast
To configure a system to send Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast command in interface configuration mode.
Default group address: IPv4 224.0.1.1, IPv6 FF02::1. Default TTL: 16, range 1-255 (limits the scope of the multicast audience).
Router(config)# interface ethernet 0
Router(config-if)# ntp multicast version 2

ntp multicast client
To configure the system to receive Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast client interface configuration command.
Router(config)# interface ethernet 1
Router(config-if)# ntp multicast client
Default group address: 224.0.1.1

ntp peer
To configure the software clock to synchronize a peer or to be synchronized by a peer, use the ntp peer command in global configuration mode. The default maxpoll number is 10 seconds. The default minpoll number is 6 seconds.
When a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IPv4 or IPv6 address is taken from the outgoing interface.
To achieve faster NTP synchronization, enable the burst or iburst modes by using the burst or iburst keywords.
Router(config)# ntp peer 192.168.22.33 version 2 source ethernet 0
Router(config)# ntp peer 2001:0DB8:0:0:8:800:200C:417A version 4

ntp refclock
To configure an external clock source for use with Network Time Protocol (NTP) services, use the ntp refclock command in line configuration mode (auxiliary 0 only).
Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock trimble pps none

ntp server
To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server command in global configuration mode. Use this command if you want to allow the system to synchronize with the specified server. The server will not synchronize to this machine.
Router(config)# ntp server 172.16.22.44
Router(config)# ntp server 2001:0DB8:0:0:8:800:200C:417A version 4

ntp source
To use a particular source address in Network Time Protocol (NTP) packets, use the ntp source command in global configuration mode. By default the source address is taken from the outgoing interface.
This command is useful if the address on an interface cannot be used as the destination for reply packets.
Router(config)# ntp source ethernet 0

ntp trusted-key
To authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize, use the ntp trusted-key command in global configuration mode.
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42

ntp update-calendar
To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode.
Router(config)# ntp update-calendar
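Tying the NTP commands above (ntp authenticate, ntp authentication-key, ntp trusted-key, ntp access-group, ntp server/peer ... key) together with the WCCP service-group commands from the earlier post (ip wccp ... group-address ... password, ip multicast-routing), here is an added Python audit script. It is not Cisco code and not from the Doc CD: it parses a constructed running-config excerpt and reports associations whose key is undefined or untrusted, missing authentication or access-groups, WCCP services with a non-multicast group-address or no password, and a group-address without ip multicast-routing. The checks encode hardening assumptions for these notes, not Cisco requirements; the parser handles only the line shapes shown on this page.

```python
"""Audit an IOS running-config excerpt for the NTP and WCCP settings covered
in these notes. Added example, not Cisco code; the config text is constructed
and the checks encode hardening assumptions, not Cisco requirements:
  - NTP: 'ntp authenticate' present when servers/peers exist, every server or
    peer carries a key that is both defined (ntp authentication-key) and
    trusted (ntp trusted-key), and an 'ntp access-group' restricts clients.
  - WCCP: a service using group-address points at a multicast address, has
    'ip multicast-routing' enabled, and every service carries a password."""
from ipaddress import ip_address


def parse_config(text):
    """Return (interface_or_None, tokens) per config line; comment and blank
    lines are dropped, indented lines belong to the current interface."""
    entries, iface = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            iface = None
        toks = raw.split()
        if toks[0] == "interface" and len(toks) > 1:
            iface = toks[1]
            continue
        entries.append((iface, toks))
    return entries


def audit_ntp(glob):
    findings = []
    assoc = [t for t in glob
             if len(t) > 2 and t[0] == "ntp" and t[1] in ("server", "peer")]
    if not assoc:
        return findings
    if ["ntp", "authenticate"] not in glob:
        findings.append("NTP: 'ntp authenticate' missing, time sources are unauthenticated")
    defined = {t[2] for t in glob if t[:2] == ["ntp", "authentication-key"]}
    trusted = {t[2] for t in glob if t[:2] == ["ntp", "trusted-key"]}
    for t in assoc:
        if "key" not in t:
            findings.append(f"NTP: {t[1]} {t[2]} has no authentication key")
            continue
        key = t[t.index("key") + 1]
        if key not in defined:
            findings.append(f"NTP: {t[1]} {t[2]} uses undefined key {key}")
        elif key not in trusted:
            findings.append(f"NTP: key {key} for {t[1]} {t[2]} is not trusted")
    if not any(t[:2] == ["ntp", "access-group"] for t in glob):
        findings.append("NTP: no 'ntp access-group', any host may query or peer")
    return findings


def audit_wccp(glob):
    findings = []
    has_mroute = any(t[:2] == ["ip", "multicast-routing"] for t in glob)
    for t in glob:
        if len(t) < 3 or t[:2] != ["ip", "wccp"]:
            continue
        if t[2] in ("version", "check") or "accelerated" in t:
            continue  # global knobs, not service-group definitions
        service = t[2]
        if "group-address" in t:
            addr = t[t.index("group-address") + 1]
            try:
                is_mcast = ip_address(addr).is_multicast
            except ValueError:
                is_mcast = False
            if not is_mcast:
                findings.append(f"WCCP {service}: group-address {addr} is not a multicast address")
            if not has_mroute:
                findings.append(f"WCCP {service}: group-address set but 'ip multicast-routing' missing")
        if "password" not in t:
            findings.append(f"WCCP {service}: no password, service-group messages are unauthenticated")
    return findings


def audit(text):
    """All findings for a config excerpt, NTP first then WCCP."""
    glob = [t for iface, t in parse_config(text) if iface is None]
    return audit_ntp(glob) + audit_wccp(glob)


# Constructed excerpt: one NTP peer with an undefined key and one WCCP
# service with a unicast group-address and no password.
SAMPLE_CONFIG = """\
!
ip multicast-routing
ntp authenticate
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp access-group peer 99
ntp server 172.16.22.44 key 42
ntp peer 192.168.22.33 key 7
ip wccp version 2
ip wccp web-cache group-address 224.1.1.100 password password1
ip wccp 90 group-address 10.1.1.100
!
interface FastEthernet0/0
 ip wccp web-cache redirect in
 ntp disable
!
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against SAMPLE_CONFIG it reports three findings (undefined NTP key 7, the non-multicast WCCP group-address, and the missing WCCP password); fixing those three lines in the excerpt yields an empty report, which is what the test checks.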

Other time-setting command reference:
Manually Setting the Software Clock
Router# clock set hh:mm:ss date month year

Setting the Hardware Clock
Router# calendar set hh:mm:ss day month year

Setting the Software Clock from the Hardware Clock
Router# clock read-calendar

Setting the Hardware Clock from the Software Clock
Router# clock update-calendar

Monitoring Time and Calendar Services
Router# show calendar
Displays the current hardware clock time.

Router# show clock [detail]
Displays the current software clock time.

Router# show ntp associations [detail]
Displays the status of NTP associations.

Router# show ntp status
Displays the status of NTP.

Router# show sntp
Displays information about SNTP (Cisco 1003, Cisco 1004, Cisco 1005, Cisco 1600, Cisco 1720, or Cisco 1750 routers only).