Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

Task 20.2: Configure an access-list to block all network addresses that are commonly used to hack SP networks.

Task 20.3: Limit ICMP rate to 500kbs on Serial 0/0 of ASBR1.
interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip router isis
 ip access-group 111 in
 rate-limit input access-group 110 496000 9216 9216 conform-action transmit exceed-action drop
 encapsulation frame-relay
 no keepalive
!
access-list 110 permit icmp any any echo log
access-list 110 permit icmp any any echo-reply log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any

ASBR1-RACK1#sho interfaces serial 0/2 rate-limit
Serial0/2 to PE1-RACK1 ISIS
  Input
    matches: access-group 110
      params:  496000 bps, 9216 limit, 9216 extended limit
      conformed 64 packets, 267457 bytes; action: transmit
      exceeded 14 packets, 105940 bytes; action: drop
      last packet: 828013ms ago, current burst: 0 bytes
      last cleared 00:19:25 ago, conformed 1000 bps, exceeded 0 bps
Task 20.4: Guarantee all secure web traffic a bandwidth of 300K going out of ASBR1.
 rate-limit output 296000 9216 9216 conform-action transmit exceed-action drop
!
access-list 112 permit tcp any eq 443 any log
Task 20.5: Configure CE8 to deny HTTP traffic Monday through Friday between the hours of 8:00 am and 6:00 pm. Allow UDP traffic on Saturday and Sunday from noon to 8:00 pm only.
CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (inactive)
CE8-RACK1#clock set 12:00:00 Jan 6 2006
CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (active)
CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (active)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (inactive)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry

interface FastEthernet0/0.82
 description to PE2 - VLAN 82
 encapsulation dot1Q 82
 ip address 10.82.1.1 255.255.255.0
 ip access-group task20.5 in
!
ip access-list extended task20.5
 deny tcp any any eq www log time-range nohttp_mon_fri
 permit ip any any log time-range nohttp_mon_fri
 permit udp any any log time-range allow_udp_sat_sun
!
time-range allow_udp_sat_sun
 periodic weekend 12:00 to 20:00
!
time-range nohttp_mon_fri
 periodic weekdays 8:00 to 18:00

CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (inactive)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (active)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry
CE8-RACK1#clock set 12:00:00 Jan 5 2006
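The "(active)" / "(inactive)" flags above decide which entries of task20.5 are consulted at a given moment. The following is an added Python model of that evaluation (not part of the lab answer or of IOS): it encodes the two periodic time-ranges and the three ACL entries from the page, walks the list first-match, and falls through to the implicit deny. The assumption that a range is active through its end minute inclusive is mine.

```python
from datetime import datetime

# Time-ranges copied from the CE8 configuration: name -> (days, start, end).
TIME_RANGES = {
    "nohttp_mon_fri": ("weekdays", "8:00", "18:00"),
    "allow_udp_sat_sun": ("weekend", "12:00", "20:00"),
}

# ACL task20.5 in order: (action, protocol, destination port or None, time-range).
# 'www' in IOS is TCP port 80.
ACL_TASK205 = [
    ("deny", "tcp", 80, "nohttp_mon_fri"),
    ("permit", "ip", None, "nohttp_mon_fri"),
    ("permit", "udp", None, "allow_udp_sat_sun"),
]


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def time_range_active(name, when):
    """True if the periodic time-range covers the given datetime (Monday == weekday 0)."""
    days, start, end = TIME_RANGES[name]
    on_weekday = when.weekday() < 5
    day_ok = on_weekday if days == "weekdays" else not on_weekday
    now = when.hour * 60 + when.minute
    # Assumption: the end minute is inclusive, matching "23:59" being used as end-of-day in IOS.
    return day_ok and _minutes(start) <= now <= _minutes(end)


def evaluate(proto, dst_port, when):
    """First-match evaluation; entries whose time-range is inactive are skipped."""
    for action, entry_proto, entry_port, trange in ACL_TASK205:
        if not time_range_active(trange, when):
            continue
        if entry_proto != "ip" and entry_proto != proto:
            continue
        if entry_port is not None and entry_port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

Outside both windows (for instance a weekday evening) no entry is active, so the implicit deny drops everything, not only HTTP.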
Task 20.6: Configure ASBR1 to enforce RFC 2827 ingress filtering on traffic from SP1 based on the RFC1918 sources.

interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip access-group 115 in
 ip access-group 116 out
 ip verify unicast reverse-path
!
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip 172.16.113.0 0.0.0.255 any
access-list 115 deny ip 172.16.114.0 0.0.0.255 any
access-list 116 permit ip 172.16.113.0 0.0.0.255 any
access-list 116 permit ip 172.16.114.0 0.0.0.255 any
access-list 116 deny ip any any
Task 20.8: ASBR1 should black hole all RFC1918 networks from SP1 IPv4 unicast traffic only.
To test this task, you are required to enable IPv4 peering. Reconfigure the PEs to receive IPv4 unicast.
interface Null0
 no ip unreachables
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.255.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
router bgp 100
 bgp router-id 10.1.1.100
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 ebgp-multihop 2
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 172.16.113.2 remote-as 200
 neighbor 172.16.114.2 remote-as 200
 !
 address-family ipv4
  redistribute static metric 10
  neighbor 10.1.1.1 activate
  no neighbor 172.16.113.2 activate
  no neighbor 172.16.114.2 activate
  no auto-summary
  no synchronization
 exit-address-family
Task 20.10: Configure ASBR1 such that, in the event of a core dump, everything is sent via FTP to 10.1.1.222.

ASBR1-RACK1(config)#ip ftp source-interface Loopback0
ASBR1-RACK1(config)#ip ftp username cisco
ASBR1-RACK1(config)#ip ftp password 7 045802150C2E
ASBR1-RACK1(config)#exception protocol ftp
ASBR1-RACK1(config)#exception dump 10.1.1.222
choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating 512 bit RSA keys ...[OK]

PE1-RACK1(config)#
Mar  7 18:53:29.507: %SSH-5-ENABLED: SSH 1.5 has been enabled
PE1-RACK1(config)#ip ssh authentication-retries 5
PE1-RACK1(config)#ip ssh time-out 60
PE1-RACK1(config)#line vty 0 4
PE1-RACK1(config-line)#transport input ssh
PE1-RACK1(config-line)#login local
Task 20.14: Configure ingress filtering on ASBR1 for protection from possible attacks against host loopback addresses.
access-list 127 deny ip any any
Task 20.15: Configure ingress filtering on ASBR2 from SP2. Filter all RFC1918 and common DoS attack sources. Routing should remain stable.

access-list 111 permit ip 172.16.240.0 0.0.0.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 10.0.0.0 0.0.0.255 any log
access-list 111 permit ip host 10.1.1.4 any log
!
interface Ethernet0/0
 description TO PE4 - VLAN 240
 ip address 172.16.240.1 255.255.255.0
 ip access-group 111 in
 ip verify unicast reverse-path

ASBR2-RACK1#sho cef interface ethernet 0/0
Ethernet0/0 is up (if_number 2)
  Corresponding hwidb fast_if_number 2
  Corresponding hwidb firstsw->if_number 2
  Internet address is 172.16.240.1/24
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is 111
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled
  Hardware idb is Ethernet0/0
  Fast switching type 1, interface type 61
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x4001, Output fast flags 0x0
  ifindex 1(1)
  Slot 0 Slot unit 0 Unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500
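Because IOS evaluates a numbered ACL top to bottom and stops at the first match, the order of the task 20.15 entries is what keeps routing stable: the directly connected 172.16.240.0/24 and the BGP peer 10.1.1.4 are permitted before or around the RFC1918 denies. The following is an added Python model of that first-match, wildcard-mask evaluation (not part of the lab answer or of IOS), loaded with the five ACL 111 entries from the page; it also shows which sources fall through to the implicit deny, for example that wildcard 0.0.0.255 on 10.0.0.0 only covers 10.0.0.0/24.

```python
import ipaddress

# ACL 111 from Task 20.15, copied entry by entry from the page ('log' keyword omitted).
ACL_111 = [
    "permit ip 172.16.240.0 0.0.0.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 10.0.0.0 0.0.0.255 any",
    "permit ip host 10.1.1.4 any",
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line):
    """Split 'ACTION PROTO SRC DST' into its parts (only the 'ip' protocol form is modelled)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, tokens = _take_addr(tokens[2:])
    dst, tokens = _take_addr(tokens)
    return action, proto, src, dst


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; returns (action, matching entry) or the implicit deny."""
    for line in acl:
        action, proto, src, dst = parse_entry(line)
        if proto == "ip" and wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst):
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    for source in ("172.16.240.7", "172.16.113.2", "10.1.1.4", "10.0.0.9", "10.5.0.1"):
        print(source, "->", evaluate(ACL_111, source, "172.16.240.1"))
```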