Monday, October 19, 2009

10.04 IP Traffic Export (RITE)

Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4
User Security Configuration

- The device receiving the exported traffic is identified by its MAC address and must be on the same LAN as the exporting interface.
- The outgoing interface must be 10/100/1000 Ethernet only.
- The copied packets can be filtered with an ACL before they are exported.
- The default is to export incoming traffic only; bidirectional export can be configured.
- Packet exporting is performed before packet switching or filtering.

Configuration
Router> enable
Router# configure terminal
Router(config)# ip traffic-export profile profile-name
Router(config-rite)# interface FastEthernet 0/1        ! outgoing interface toward the IDS
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
Router(config-rite)# outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
Router(config-rite)# exit

Router(config)# interface FastEthernet0/0              ! interface whose traffic is monitored
Router(config-if)# ip traffic-export apply profile-name

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_ip_traff_export_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Monday, October 12, 2009

7.60 WCCP

Cisco IOS IP Application Services http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

- WCCP works only with IPv4 networks.
- Up to 32 content engines can be clustered.
- WCCPv1 supports HTTP only.
- WCCPv1: the router and the content engine communicate over a control channel on UDP port 2048.
- WCCPv2: unicast IP or multicast (224.0.0.100) is used to communicate between all routers in the service group and the content engines.
- WCCPv2 supports up to 32 routers per service group, and up to 256 service groups.
- WCCPv2 load distribution: hot spot handling, load balancing, load shedding.

Configuring a General WCCPv2 Session: Example
configure terminal
ip wccp web-cache group-address 224.1.1.100 password password1
interface ethernet0
ip wccp web-cache redirect out
exit
ip wccp check services all    ! Configures a check of all WCCP services.

ip wccp
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode.

ip wccp check acl outbound
To check the outbound access control list (ACL) for Web Cache Communication Protocol (WCCP), use the ip wccp check acl outbound command in global configuration mode.

ip wccp check services all
To enable all Web Cache Communication Protocol (WCCP) services, use the ip wccp check services all command in global configuration mode.

ip wccp group-listen
To configure an interface on a router to enable or disable the reception of IP multicast packets for Web Cache Communication Protocol (WCCP), use the ip wccp group-listen command in interface configuration mode.

Router# configure terminal
Router(config)# ip multicast-routing
Router(config)# ip wccp web-cache group-address 224.1.1.100
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache group-listen

ip wccp redirect
To enable packet redirection on an outbound or inbound interface using Web Cache Communication Protocol (WCCP), use the ip wccp redirect command in interface configuration mode.

The following example shows how to configure a session in which HTTP traffic arriving on Ethernet interface 0/1 is redirected to a Cisco Cache Engine:
Router(config)# ip wccp web-cache
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp web-cache redirect in

ip wccp redirect exclude in
To configure an interface to exclude packets received on an interface from being checked for redirection, use the ip wccp redirect exclude in command in interface configuration mode.

ip wccp version
To specify the version of Web Cache Communication Protocol (WCCP), use the ip wccp version command in global configuration mode.
ip wccp version {1 | 2}

ip wccp web-cache accelerated
To enable the hardware acceleration for WCCP version 1, use the ip wccp web-cache accelerated command in global configuration mode.

Sunday, October 11, 2009

7.40 Implement Network Time Protocol

While reading about NTP for exam preparation, I got an idea to put short notes from Cisco Doc CD.
Doc CD path : Cisco IOS Network Management Configuration Guide, Release 12.4
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6350_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html

ntp access-group
To control access to the Network Time Protocol (NTP) services on the system
Router(config)# ntp access-group peer 99
Router(config)# ntp access-group serve-only 42

ntp authenticate
To enable Network Time Protocol (NTP) authentication, use the ntp authenticate command in global configuration mode.
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42

ntp authentication-key
To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key command in global configuration mode. Only MD5 is supported.

ntp broadcast
To configure the options for broadcasting Network Time Protocol (NTP) traffic, use the ntp broadcast command in interface configuration mode.
Router(config)# interface ethernet 0
Router(config-if)# ntp broadcast version 2

ntp broadcast client
To configure a device to receive Network Time Protocol (NTP) broadcast messages on a specified interface, use the ntp broadcast client command in interface configuration mode.
Router(config)# interface ethernet 1
Router(config-if)# ntp broadcast client

ntp broadcastdelay
To set the estimated round-trip delay between the Cisco IOS software and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay command in global configuration mode.
Command default: 3000 microseconds. Use this command when the router is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds.

ntp clock-period
Information Only. Do not manually set a value for the NTP clock-period. The system automatically generates this command as Network Time Protocol (NTP) determines the clock error and compensates.

ntp disable
To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable command in interface configuration mode.
Router(config)# interface ethernet 0
Router(config-if)# ntp disable

ntp logging
To enable Network Time Protocol (NTP) message logging, use the ntp logging command in global configuration mode.
Router(config)# ntp logging

ntp master
To configure the Cisco IOS software as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master command in global configuration mode.
Router(config)# ntp master 10

ntp max-associations
To configure the maximum number of Network Time Protocol (NTP) peers and clients for a routing device, use the ntp max-associations command in global configuration mode. Specifies the number of NTP associations. The range is 0 to 4294967295. The default is 100.
Router(config)# ntp max-associations 200

ntp multicast
To configure a system to send Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast interface configuration command. Default addresses: IPv4 224.0.1.1, IPv6 FF02::1. Default TTL: 16, range 1-255 (limits the scope of the multicast audience).
Router(config)# interface ethernet 0
Router(config-if)# ntp multicast version 2

ntp multicast client
To configure the system to receive Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast client interface configuration command.
Router(config)# interface ethernet 1
Router(config-if)# ntp multicast client
Default - 224.0.1.1

ntp peer
To configure the software clock to synchronize a peer or to be synchronized by a peer, use the ntp peer command in global configuration mode. The default maxpoll number is 10 seconds. The default minpoll number is 6 seconds.
When a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IPv4 or IPv6 address is taken from the outgoing interface.
To achieve faster NTP synchronization, enable the burst or iburst modes by using the burst or iburst keywords.
Router(config)# ntp peer 192.168.22.33 version 2 source ethernet 0
Router(config)# ntp peer 2001:0DB8:0:0:8:800:200C:417A version 4

ntp refclock
To configure an external clock source for use with Network Time Protocol (NTP) services, use the ntp refclock command in line configuration mode (for auxiliary 0 only).
Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock trimble pps none

ntp server
To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server command in global configuration mode. Use this command if you want to allow the system to synchronize with the specified server. The server will not synchronize to this machine.
Router(config)# ntp server 172.16.22.44
Router(config)# ntp server 2001:0DB8:0:0:8:800:200C:417A version 4

ntp source
To use a particular source address in Network Time Protocol (NTP) packets, use the ntp source command in global configuration mode. By default the source address is that of the outgoing interface.
This command is useful if the address on an interface cannot be used as the destination for reply packets.
Router(config)# ntp source ethernet 0
ntp trusted-key
To authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize, use the ntp trusted-key command in global configuration mode.
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
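As an added illustration of what the three commands above (ntp authenticate, ntp authentication-key 42 md5 aNiceKey, ntp trusted-key 42) do on the wire, the Python below is not from the Cisco document or this post. It builds a 48-byte NTP header, appends the key identifier plus MD5(key || header) MAC that IOS 12.4 and ntpd use for MD5 keys, and then verifies it the way a receiver with those commands would: a packet signed with a key id that is not in the trusted-key set, with the wrong key, with a header modified after signing, or with no MAC at all is rejected. Key id 42 / aNiceKey comes from the page; key id 7 / OtherKey and the transmit timestamp are constructed values.

```python
"""Wire-level view of Cisco-style NTP MD5 authentication (constructed example)."""
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48            # fixed NTPv3/NTPv4 header
NTP_MAC_LEN = 4 + 16           # 32-bit key identifier + 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Constructed key table, equivalent to:
#   ntp authentication-key 42 md5 aNiceKey     (from the page)
#   ntp authentication-key 7  md5 OtherKey     (constructed, deliberately NOT trusted)
#   ntp trusted-key 42
KEYS = {42: b"aNiceKey", 7: b"OtherKey"}
TRUSTED_KEYS = {42}


def build_ntp_header(version=3, mode=3, transmit_time=None):
    """Build a 48-byte NTP header (client request, mode 3, by default)."""
    if transmit_time is None:
        transmit_time = time.time()
    whole = int(transmit_time)
    seconds = whole + NTP_EPOCH_OFFSET
    fraction = int((transmit_time - whole) * (1 << 32))
    li_vn_mode = (0 << 6) | (version << 3) | mode   # leap indicator 0
    # stratum 0, poll 6 (2^6 s), precision -20; root delay, root dispersion,
    # reference id and the reference/origin/receive timestamps are left zero;
    # the transmit timestamp is the last two 32-bit words.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       *([0] * 9), seconds, fraction)


def sign_ntp_packet(header, key_id, key):
    """Append the MAC: key id followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp_packet(packet, keys=KEYS, trusted_keys=TRUSTED_KEYS):
    """Receiver-side check; returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet (no MAC) rejected"
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False, "unexpected packet length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:            # ntp trusted-key gate
        return False, f"key id {key_id} is not a trusted key"
    key = keys.get(key_id)                    # ntp authentication-key lookup
    if key is None:
        return False, f"key id {key_id} has no configured key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (wrong key or tampered header)"
    return True, "authenticated"


def demo():
    """Exercise the accept and reject paths; returns (accepted, reason) per case."""
    header = build_ntp_header(transmit_time=1255219200.0)   # constructed timestamp
    good = sign_ntp_packet(header, 42, KEYS[42])
    untrusted = sign_ntp_packet(header, 7, KEYS[7])
    wrong_key = sign_ntp_packet(header, 42, b"WrongKey")
    tampered = bytearray(good)
    tampered[1] = 1              # stratum byte altered after signing
    return {
        "good": verify_ntp_packet(good),
        "untrusted_key": verify_ntp_packet(untrusted),
        "wrong_key": verify_ntp_packet(wrong_key),
        "tampered": verify_ntp_packet(bytes(tampered)),
        "no_mac": verify_ntp_packet(header),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} accepted={ok!s:5s} {reason}")
```

Running the file prints the five cases. The MAC is a keyed-prefix MD5 over the packet rather than an HMAC; that is what ntp authentication-key ... md5 implements on this release, so the shared key must be protected on every peer, and only the key ids that should actually be accepted belong in ntp trusted-key.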

ntp update-calendar
To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode.
Router(config)# ntp update-calendar

Other time-setting command references:
Manually Setting the Software Clock
Router# clock set hh:mm:ss day month year

Setting the Hardware Clock
Router# calendar set hh:mm:ss day month year

Setting the Software Clock from the Hardware Clock
Router# clock read-calendar

Setting the Hardware Clock from the Software Clock
Router# clock update-calendar

Monitoring Time and Calendar Services
Router# show calendar
Displays the current hardware clock time.

Router# show clock [detail]
Displays the current software clock time.

Router# show ntp associations [detail]
Displays the status of NTP associations.

Router# show ntp status
Displays the status of NTP.

Router# show sntp
Displays information about SNTP (Cisco 1003, Cisco 1004, Cisco 1005, Cisco 1600, Cisco 1720, or Cisco 1750 routers only).

Thursday, September 18, 2008

NAT Extendable Notes


"Extendable" static translations:
The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address. Some customers want to use more than one service provider and translate into each provider's address space: for example, two upstream service providers with two public IP addresses but the same local IP address.

Cisco notes.

The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation.

Sample config

ip nat inside source static 192.168.1.1 100.100.100.1 extendable

ip nat inside source static 192.168.1.1 200.200.200.1 extendable


Wednesday, August 27, 2008

Why you should hire a CCIE

  • Maintenance of your network is fundamental to protect assets and to ensure seamless operations. The environment is growing more complex with operations conducted over VPNs, wireless, remote access and the Internet. You need proven experts to choose, implement and maintain the solutions required.

  • Having certified staff can increase the confidence of your customers, investors and business partners, and thereby boost your organization’s credibility, reputation and value.

  • Certified CCIEs are a highly-select group. Less than 3% of all Cisco certified individuals make it to the CCIE level, a tiny fraction of IT professionals worldwide.

  • Passing the exams is not easy. Earning your CCIE requires passing a lab exam in a time-pressured environment. Hands-on experience is the only way to prepare for the lab.

  • CCIEs have invested a lot to expand their knowledge and further their careers. The average candidate spends thousands of their own dollars and at least 18 months pursuing certification. He or she will attempt the lab exam more than once before passing.

  • CCIEs are committed to maintaining their expert skills. Keeping their status active requires passing a recertification exam every two years.
http://www.cisco.com/web/learning/le3/ccie/employers/index.html

Tuesday, August 26, 2008

CCIE labs changing from UniversCD to Cisco Documentation

On Sept 24 2008 CCIE labs will no longer support using the UniversCD documentation for the lab exam.

All labs are migrating to Cisco Documentation only. For those scheduled to take the CCIE lab prior to Sept 24 access will still be available for UniversCD.

The Cisco Documentation pages have the same information that currently resides on UniversCD, please refer to the links on the CCIE web pages to view these pages and become familiar with the new format.

After Sept 24 2008 only the Cisco Documentation web pages will be available for CCIE labs.

http://cisco.com/web/psa/products/tsd_products_support_configure.html

Thursday, August 21, 2008

Cacti, the complete traffic monitoring
I've been using it for almost 2 years and it's a really great tool for traffic monitoring.
I installed it on Fedora Core 6 and after installation, I didn't need to touch any configuration.
Just use the web administration to add/remove devices to monitor.
Compared to MRTG, it has a SQL database inside and can store history data, which is good for reporting.
Because of the PHP frontend, it's slightly slower than viewing simple HTML on MRTG.
With the built-in user management and authentication features, I can easily specify user levels, graph levels and permissions,
which are not so easy to do with MRTG and Apache.
The graph trees are also useful for collecting groups of interfaces/devices under the same link.

The plug-in architecture extends it with lots of features.
I found a forum post that lists all the plug-ins:
http://forums.cacti.net/post-72427.html

You can download them here:
http://cactiusers.org/downloads/

If you don't want to read about installation and just want to use Cacti, CactiEZ is the right thing.
It comes with the OS; just install the OS from the bootable CD. Once complete, you can start to use Cacti.

more details
http://www.cacti.net/

Installation notes/ manual
http://www.cacti.net/documentation.php
http://docs.cacti.net/

Installation notes on Ubuntu
https://help.ubuntu.com/community/Cacti?action=show&redirect=CactiHowTo