
ieMentor CCIE Service Provider Workbook v1.0

Lab20 Solutions: Security

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks on ASBR1 from SP1.
Task 20.2: Configure an access-list to block all network addresses that are commonly used to attack SP networks.
Task 20.3: Limit the ICMP rate to 500 kbps on Serial 0/0 of ASBR1.
interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip router isis
 ip access-group 111 in
 rate-limit input access-group 110 496000 9216 9216 conform-action transmit exceed-action drop
 encapsulation frame-relay
 no keepalive
!
access-list 110 permit icmp any any echo log
access-list 110 permit icmp any any echo-reply log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any

ASBR1-RACK1#sho interfaces serial 0/2 rate-limit
Serial0/2 to PE1-RACK1 ISIS
  Input
    matches: access-group 110
      params:  496000 bps, 9216 limit, 9216 extended limit
      conformed 64 packets, 267457 bytes; action: transmit
      exceeded 14 packets, 105940 bytes; action: drop
      last packet: 828013ms ago, current burst: 0 bytes
      last cleared 00:19:25 ago, conformed 1000 bps, exceeded 0 bps

Notes. CAR rates are configured in multiples of 8000 bps, so 496000 is the closest value under the 500 kbps limit; the "params:" line of the show output confirms what was accepted, and the "exceeded 14 packets" counter shows echo and echo-reply traffic already being dropped above that rate. Access-list 111 is the answer to Task 20.2: the three RFC 1918 blocks are the classic spoofed sources. Because the list contains only deny entries, its implicit deny also drops every other IP packet arriving on Serial0/2. IS-IS is unaffected, since it runs over CLNS rather than IP, but any IP traffic expected from PE1 needs an explicit permit above the implicit deny, as the solution to Task 20.15 does.

Task 20.4: Guarantee all secure web traffic a bandwidth of 300K going out of ASBR1.

 rate-limit output access-group 112 296000 9216 9216 conform-action transmit exceed-action drop
!
access-list 112 permit tcp any eq 443 any log

The rate-limit command goes under the egress interface. As printed on the page it lacks the "access-group 112" reference, which would police all outbound traffic instead of only what access-list 112 matches. Two further caveats: CAR is a policer, so this caps HTTPS at 296 kbps (the closest multiple of 8000 bps under 300K) and drops the excess, rather than reserving bandwidth for it under congestion as a queueing tool such as CBWFQ "bandwidth" would; and "tcp any eq 443 any" matches packets whose source port is 443, i.e. HTTPS server replies leaving ASBR1, whereas client requests toward a server are "tcp any any eq 443".

Task 20.5: Configure CE8 to deny HTTP traffic Monday through Friday between the hours of 8:00 am and 6:00 pm. Allow UDP traffic on Saturday and Sunday from noon to 8:00 pm only.
interface FastEthernet0/0.82
 description to PE2 - VLAN 82
 encapsulation dot1Q 82
 ip address 10.82.1.1 255.255.255.0
 ip access-group task20.5 in
!
ip access-list extended task20.5
 deny tcp any any eq www log time-range nohttp_mon_fri
 permit ip any any log time-range nohttp_mon_fri
 permit udp any any log time-range allow_udp_sat_sun
!
time-range allow_udp_sat_sun
 periodic weekend 12:00 to 20:00
!
time-range nohttp_mon_fri
 periodic weekdays 8:00 to 18:00

Before the clock is set, neither time range is active:

CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (inactive)

CE8-RACK1#clock set 12:00:00 Jan 5 2006
CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (inactive)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (active)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry

CE8-RACK1#clock set 12:00:00 Jan 6 2006
CE8-RACK1#sho access-lists
Extended IP access list task20.5
    10 deny tcp any any eq www log time-range nohttp_mon_fri (inactive)
    20 permit ip any any log time-range nohttp_mon_fri (inactive)
    30 permit udp any any log time-range allow_udp_sat_sun (active)
CE8-RACK1#sho time-range
time-range entry: allow_udp_sat_sun (active)
   periodic weekend 12:00 to 20:00
   used in: IP ACL entry
time-range entry: nohttp_mon_fri (inactive)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry

Read top-down with the implicit deny in mind: on weekdays between 08:00 and 18:00 entry 10 drops HTTP and entry 20 passes everything else; on weekends between noon and 20:00 only UDP passes (entry 30); at any other time no entry is active, so the implicit deny drops all traffic entering FastEthernet0/0.82. That is stricter than the task wording suggests, and it is exactly what "show access-lists" reports when every entry shows "(inactive)".

This product is individually licensed. Copyright 2005 ieMentor http://www.iementor.com.
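The behaviour described above can be checked without a router. The following is an added example, not part of the workbook: it models an IOS time-range ACL (an entry whose time range is inactive is skipped, the first remaining match wins, and the end of the list is an implicit deny) using the entries and time ranges of task20.5. The clock values are constructed, and the model's assumption that a periodic range includes its end minute is marked in the code.

```python
"""Evaluate the time-range ACL of Task 20.5 at a chosen clock (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = range(0, 5)  # datetime.weekday(): Monday=0 .. Friday=4
WEEKEND = range(5, 7)   # Saturday=5, Sunday=6


@dataclass(frozen=True)
class TimeRange:
    name: str
    days: range
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        # Assumption of this model: the range includes its end minute.
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    dst_port: int | None     # None matches any destination port
    time_range: TimeRange | None

    def matches(self, proto: str, dst_port: int | None, now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False     # an inactive entry behaves as if it were absent
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


NOHTTP_MON_FRI = TimeRange("nohttp_mon_fri", WEEKDAYS, time(8, 0), time(18, 0))
ALLOW_UDP_SAT_SUN = TimeRange("allow_udp_sat_sun", WEEKEND, time(12, 0), time(20, 0))

# ip access-list extended task20.5, in the order CE8 shows it
TASK20_5 = [
    Entry(10, "deny", "tcp", 80, NOHTTP_MON_FRI),        # deny tcp any any eq www
    Entry(20, "permit", "ip", None, NOHTTP_MON_FRI),     # permit ip any any
    Entry(30, "permit", "udp", None, ALLOW_UDP_SAT_SUN), # permit udp any any
]


def at(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a constructed router clock value."""
    return datetime(year, month, day, hour, minute)


def evaluate(acl: list[Entry], proto: str, dst_port: int | None,
             now: datetime) -> tuple[str, int | None]:
    """Return (action, sequence number); sequence None is the implicit deny."""
    for entry in acl:
        if entry.matches(proto, dst_port, now):
            return entry.action, entry.seq
    return "deny", None


def active_ranges(acl: list[Entry], now: datetime) -> list[str]:
    """Names of the time ranges that 'show time-range' would report as active."""
    return sorted({e.time_range.name for e in acl
                   if e.time_range is not None and e.time_range.active(now)})


if __name__ == "__main__":
    # Constructed clocks: a Thursday and a Saturday (Jan 5 and Jan 7, 2006)
    for clock in (at(2006, 1, 5, 12, 0), at(2006, 1, 5, 19, 0),
                  at(2006, 1, 7, 13, 0), at(2006, 1, 7, 21, 0)):
        print(clock, active_ranges(TASK20_5, clock),
              "http:", evaluate(TASK20_5, "tcp", 80, clock),
              "ssh:", evaluate(TASK20_5, "tcp", 22, clock),
              "dns:", evaluate(TASK20_5, "udp", 53, clock))
```

The weekday-evening and weekend-evening clocks return the implicit deny for every protocol, which is the gap a practitioner would want to close with an unconditional permit (or an explicit policy) at the end of the list.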


Task 20.6: Configure ASBR1 to enforce RFC 2827 filtering on traffic from SP1, based on the RFC 1918 sources.

interface Serial0/2
 description to PE1-RACK1 ISIS
 mtu 9216
 ip address 172.16.222.2 255.255.255.0
 ip access-group 115 in
 ip access-group 116 out
 ip verify unicast reverse-path
!
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip 172.16.113.0 0.0.0.255 any
access-list 115 deny ip 172.16.114.0 0.0.0.255 any
access-list 116 permit ip 172.16.113.0 0.0.0.255 any
access-list 116 permit ip 172.16.114.0 0.0.0.255 any
access-list 116 deny ip any any

Notes. The page prints the second entry as "deny ip 10.0.0.0 0.0.0.255 any", which covers only 10.0.0.0/24; the wildcard for the 10.0.0.0/8 block is 0.255.255.255, as corrected above. The 224.0.0.0 31.255.255.255 entry rejects multicast and reserved class E addresses (224.0.0.0 through 255.255.255.255) as sources. The last two deny entries are already covered by the /12 deny but state the intent of RFC 2827 ingress filtering explicitly: packets claiming ASBR1's own downstream subnets must never arrive from SP1. Access-list 116 is the egress half: only packets sourced from 172.16.113.0/24 and 172.16.114.0/24 may leave toward SP1. "ip verify unicast reverse-path" adds strict unicast RPF, which drops any packet whose source address is not reachable through the receiving interface according to the CEF table; on a link with asymmetric routing that will also drop legitimate traffic, so loose mode ("ip verify unicast source reachable-via any") is the usual choice on multihomed edges. Finally, like list 111 in Task 20.2, list 115 has no permit entry, so its implicit deny drops every inbound IP packet; the expected peer sources need permits above the deny lines (Task 20.15 shows the pattern).

Task 20.7: Configure ASBR1 to trace a SYN flood against 10.1.1.230.

access-list 118 permit tcp any any established
access-list 118 permit tcp any host 10.1.1.230 log-input
access-list 118 permit ip any any
!
interface Serial0/2
 ip access-group 118 in

Nothing is blocked here; the list exists only to log. The first entry matches packets with ACK or RST set (established connections), so they pass without logging. Only new connection attempts to 10.1.1.230, i.e. the SYNs of a flood, reach the second entry, and "log-input" records them in %SEC-6-IPACCESSLOGP messages that include the ingress interface (and, on LAN interfaces, the source MAC address), which is what lets the flood be traced back hop by hop. ACL logging is process-switched and rate-limited (the first packet is logged, then a summary count every five minutes by default), so the list should be removed once the sources are known.
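The tracing step the ACL enables is reading those log messages. The following is an added example, not from the workbook: it parses %SEC-6-IPACCESSLOGP lines, the message IOS emits for a logged ACL entry carrying TCP/UDP ports, and sums the packet counts per source for the traced victim, so the five-minute summaries ("N packets") add up to a ranking of sources and the interface each arrived on. The syslog lines below are constructed for the example.

```python
"""Rank the sources behind a SYN flood from the messages logged by ACL 118 (added example)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<ifname>\S+)\s*(?P<l2>[^)]*)\) -> "      # log-input: interface + MAC/encapsulation
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log: two attackers, one unrelated ACL, one non-ACL message
SAMPLE_LOG = """\
Mar  7 19:02:11.213: %SEC-6-IPACCESSLOGP: list 118 permitted tcp 198.51.100.23(3241) (Serial0/2 *HDLC*) -> 10.1.1.230(80), 1 packet
Mar  7 19:02:18.554: %SEC-6-IPACCESSLOGP: list 118 permitted tcp 203.0.113.9(40021) (Serial0/2 *HDLC*) -> 10.1.1.230(80), 1 packet
Mar  7 19:03:40.010: %SEC-6-IPACCESSLOGP: list 111 denied tcp 10.9.9.9(5555) (Serial0/2 *HDLC*) -> 10.1.1.230(80), 1 packet
Mar  7 19:07:11.220: %SEC-6-IPACCESSLOGP: list 118 permitted tcp 198.51.100.23(3241) (Serial0/2 *HDLC*) -> 10.1.1.230(80), 412 packets
Mar  7 19:07:11.221: %SEC-6-IPACCESSLOGP: list 118 permitted tcp 198.51.100.24(1024) (FastEthernet0/0 0000.0c12.3456) -> 10.1.1.230(443), 96 packets
Mar  7 19:07:13.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(text: str):
    """Yield one dict per %SEC-6-IPACCESSLOGP line; other syslog lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def syn_sources(text: str, acl: str = "118", victim: str = "10.1.1.230"):
    """Packets per source toward the victim, from the given list, busiest first.

    Returns a list of (source, packets, ingress interface, layer-2 detail).
    """
    totals = defaultdict(int)
    seen_on = {}
    for rec in parse_acl_log(text):
        if rec["acl"] != acl or rec["dst"] != victim:
            continue
        totals[rec["src"]] += rec["count"]          # first packet + 5-minute summaries
        seen_on[rec["src"]] = (rec["ifname"], rec["l2"])
    return sorted(((src, n, *seen_on[src]) for src, n in totals.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for src, packets, ifname, l2 in syn_sources(SAMPLE_LOG):
        print(f"{src:16} {packets:6d}  via {ifname} {l2}".rstrip())
```

On a real trace the sources are usually spoofed, so the value of the output is the ingress interface column rather than the addresses: it tells you which upstream to repeat the exercise on.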

Task 20.8: ASBR1 should black hole all RFC1918 networks from SP1, for IPv4 unicast traffic only.
To test this task, you are required to enable IPv4 peering. Reconfigure the PEs to receive IPv4 unicast.
interface Null0
 no ip unreachables
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
router bgp 100
 bgp router-id 10.1.1.100
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 ebgp-multihop 2
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 172.16.113.2 remote-as 200
 neighbor 172.16.114.2 remote-as 200
 !
 address-family ipv4
  redistribute static metric 10
  neighbor 10.1.1.1 activate
  no neighbor 172.16.113.2 activate
  no neighbor 172.16.114.2 activate
  no auto-summary
  no synchronization
 exit-address-family

Notes. The page prints the second static as "ip route 172.16.0.0 255.255.0.0 Null0", a /16; the RFC 1918 block is 172.16.0.0/12, mask 255.240.0.0, as corrected above. "no ip unreachables" on Null0 matters: without it the router generates an ICMP unreachable for every discarded packet, which turns the black hole into CPU load and a reflection source. Longest-prefix matching means the lab's own more specific routes (the 10.1.1.x loopbacks, the 172.16.x links) still win; only RFC 1918 destinations with no better route are discarded. "redistribute static metric 10" also advertises the three Null0 summaries to the 10.1.1.1 IPv4 unicast peer.

Task 20.9: Use BGP to trigger black-holing.


ASBR1-RACK1(config)#route-map hole permit 10
ASBR1-RACK1(config-route-map)# match tag 6727
ASBR1-RACK1(config-route-map)# set ip next-hop 10.1.2.1
ASBR1-RACK1(config-route-map)# set local-preference 221
ASBR1-RACK1(config-route-map)# set origin igp
ASBR1-RACK1(config-route-map)# set community no-export
ASBR1-RACK1(config)#route-map hole deny 20
ASBR1-RACK1(config-route-map)#ip route 10.1.2.1 255.255.255.255 Null0
ASBR1-RACK1(config-router)#redistribute static route-map hole
ASBR1-RACK1(config-router)#neighbor 10.1.1.1 send-community

This is remotely triggered black holing. Any static route carrying tag 6727 is redistributed into BGP with its next hop rewritten to 10.1.2.1, an address that is itself routed to Null0; every router that installs the route then discards traffic to that prefix at its own edge, and a high local preference makes sure it wins. The page does not show the trigger itself: it is a static route for the attacked prefix pointing to Null0 with tag 6727, and removing that route withdraws the black hole. "no-export" keeps the route inside the AS, and "send-community" is required because IOS strips communities from updates unless the neighbor is configured to send them. Because the route-map ends in an explicit deny, only tagged statics are redistributed from now on, so the untagged Null0 summaries of Task 20.8 no longer reach BGP. (The "ip route" line typed at the route-map prompt is accepted because IOS falls back to global configuration mode for commands a submode does not recognise.)
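How both kinds of black hole actually discard a packet comes down to longest-prefix lookup with recursive next-hop resolution. The following is an added example, not the workbook's code: a tiny RIB built from the routes on the page for Tasks 20.8 and 20.9, plus two assumptions marked in the code (a route to the 10.1.1.1 loopback learned over the Serial0/2 link, and an attacked prefix 192.0.2.0/24 injected by the route-map with next hop 10.1.2.1). It shows that the Null0 summaries lose to more specific lab routes, and that a prefix whose next hop recurses to Null0 is discarded.

```python
"""Longest-prefix lookup with recursive next-hop resolution (added example)."""
from __future__ import annotations

from ipaddress import AddressValueError, IPv4Address, IPv4Network

NULL0 = "Null0"


class Rib:
    def __init__(self) -> None:
        self.routes: list[tuple[IPv4Network, str]] = []  # (prefix, next hop or interface)

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((IPv4Network(prefix), via))

    def remove(self, prefix: str) -> None:
        self.routes = [(n, v) for n, v in self.routes if n != IPv4Network(prefix)]

    def lookup(self, dst: str):
        """Longest-prefix match; returns (prefix, via) or None."""
        addr = IPv4Address(dst)
        best = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best

    def resolve(self, dst: str, max_depth: int = 8) -> str:
        """Follow next hops until an outgoing interface is found.

        'discard' means the packet ends on Null0, 'unrouted' that nothing matched.
        """
        hop = dst
        for _ in range(max_depth):
            hit = self.lookup(hop)
            if hit is None:
                return "unrouted"
            _, via = hit
            if via == NULL0:
                return "discard"
            try:
                IPv4Address(via)              # a next-hop address: resolve it in turn
            except AddressValueError:
                return f"forward via {via}"   # an interface name
            hop = via
        raise RuntimeError("next-hop recursion too deep")


def build_rib() -> Rib:
    rib = Rib()
    rib.add("172.16.222.0/24", "Serial0/2")   # connected link to PE1 (from the page)
    rib.add("10.1.1.1/32", "172.16.222.1")    # assumed: peer loopback learned over that link
    # Task 20.8: RFC 1918 summaries to Null0 (172.16.0.0/12 corrected from the printed /16)
    rib.add("10.0.0.0/8", NULL0)
    rib.add("172.16.0.0/12", NULL0)
    rib.add("192.168.0.0/16", NULL0)
    # Task 20.9: the black-hole next hop, and an assumed victim prefix pointed at it
    rib.add("10.1.2.1/32", NULL0)
    rib.add("192.0.2.0/24", "10.1.2.1")
    return rib


if __name__ == "__main__":
    rib = build_rib()
    for dst in ("10.1.1.1", "10.55.1.1", "172.16.222.9", "192.0.2.77", "198.51.100.1"):
        print(f"{dst:14} -> {rib.resolve(dst)}")
    rib.remove("192.0.2.0/24")   # withdrawing the tagged static lifts the black hole
    print("after withdraw:", rib.resolve("192.0.2.77"))
```

The 10.1.1.1 lookup is the important one for Task 20.8: it matches the /32 rather than the 10.0.0.0/8 summary, so the BGP session to that loopback survives the null routes.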

Task 20.10: Configure ASBR1 so that, in the event of a core dump, everything is sent via FTP to 10.1.1.222.

ASBR1-RACK1(config)#ip ftp source-interface Loopback0
ASBR1-RACK1(config)#ip ftp username cisco
ASBR1-RACK1(config)#ip ftp password 7 045802150C2E
ASBR1-RACK1(config)#exception protocol ftp
ASBR1-RACK1(config)#exception dump 10.1.1.222

A caveat: "password 7" is Cisco's reversible type-7 obfuscation, not a hash, so anyone who can read the configuration can recover the FTP password, and FTP then carries both the credentials and the dump (a copy of router memory, which can contain keys and passwords) in clear text. This belongs on an isolated management network only.

Task 20.11: Configure the CE8 LAN interface to collect precedence accounting.

CE8-RACK1(config-subif)#ip accounting precedence output
CE8-RACK1(config-subif)#ip accounting precedence input

The resulting per-precedence packet and byte counters for each direction are read with "show interfaces precedence".

Task 20.12: Disable proxy ARP on S0/0 of ASBR1.


ASBR1-RACK1(config)#int ser 0/0
ASBR1-RACK1(config-if)#no ip proxy-arp

Task 20.13: Configure PE1 for a secure Telnet session.


PE1-RACK1(config)#ip domain-name iementor.com
PE1-RACK1(config)#username admin privilege 15 password iementor
PE1-RACK1(config)#crypto key generate rsa
The name for the keys will be: PE1-RACK1.iementor.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating 512 bit RSA keys ...[OK]

PE1-RACK1(config)#
Mar  7 18:53:29.507: %SSH-5-ENABLED: SSH 1.5 has been enabled
PE1-RACK1(config)#ip ssh authentication-retries 5
PE1-RACK1(config)#ip ssh time-out 60
PE1-RACK1(config)#line vty 0 4
PE1-RACK1(config-line)#transport input ssh
PE1-RACK1(config-line)#login local

"Secure Telnet" here means replacing Telnet with SSH: the host name and domain name are needed to name the RSA key pair, generating the key is what enables the SSH server, and "transport input ssh" on the vty lines turns Telnet off. "ip ssh time-out 60" bounds the SSH negotiation phase (the maximum is 120 seconds) and "authentication-retries 5" is the maximum IOS allows. Two settings in this transcript reflect the IOS image of the time and should not be copied today: a 512-bit modulus is far too small (use at least 2048 bits), and "SSH 1.5" means SSH version 1, which has known protocol weaknesses; on any current image add "ip ssh version 2". Likewise, "username ... password" stores the password reversibly; "username admin privilege 15 secret ..." stores a hash.

Task 20.14: Configure ingress filtering on ASBR1 for protection from attacks sourced from host loopback addresses.

access-list 127 deny ip 127.0.0.0 0.255.255.255 any
access-list 127 permit ip any any

The page prints only "access-list 127 deny ip any any", which drops every packet rather than loopback-sourced ones. The filter the task describes denies the 127.0.0.0/8 block, which belongs to a host's own loopback interface and must never appear as a source on the wire, and then permits the rest; it is applied inbound on the SP-facing interface with "ip access-group 127 in".

Task 20.15: Configure ingress filtering on ASBR2 from SP2. Filter all RFC1918 and common DoS attack sources. Routing should remain stable.

access-list 111 permit ip 172.16.240.0 0.0.0.255 any log
access-list 111 permit ip host 10.1.1.4 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
!
interface Ethernet0/0
 description TO PE4 - VLAN 240
 ip address 172.16.240.1 255.255.255.0
 ip access-group 111 in
 ip verify unicast reverse-path

ASBR2-RACK1#sho cef interface ethernet 0/0
Ethernet0/0 is up (if_number 2)
  Corresponding hwidb fast_if_number 2
  Corresponding hwidb firstsw->if_number 2
  Internet address is 172.16.240.1/24
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is 111
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled
  Hardware idb is Ethernet0/0
  Fast switching type 1, interface type 61
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x4001, Output fast flags 0x0
  ifindex 1(1)
  Slot 0 Slot unit 0 Unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

Notes. "Routing should remain stable" is why the list starts with permits: the directly connected link to PE4 (172.16.240.0/24) and the peer loopback 10.1.1.4 are allowed before the RFC 1918 denies, and everything else falls to the implicit deny. The page prints the 10.0.0.0 entry with wildcard 0.0.0.255 (only 10.0.0.0/24) and places "permit ip host 10.1.1.4" after it; with the wildcard corrected to 0.255.255.255 the host permit must move above the deny, as shown, or the peer would be filtered by the earlier entry, since access lists are evaluated top-down and the first match wins. "log" on the permit entries records every packet from the peers and is only useful while verifying the list. Unicast RPF requires CEF; the "show cef interface" output confirms both "IP CEF switching enabled" and "IP unicast RPF check is enabled", and that the inbound list is 111.
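The wildcard-mask and ordering points above apply to every bogon filter in this lab (Tasks 20.2, 20.6, 20.14 and 20.15). The following is an added example, not the workbook's code: it renders deny entries with correct IOS wildcard masks from CIDR prefixes and evaluates "permit|deny ip <source> any" lists top-down with the implicit deny, so the effect of the printed "10.0.0.0 0.0.0.255" mask and of entry ordering can be checked against sample sources. The sample addresses are constructed; the three versions of access-list 111 are the one printed on the page, the mask fixed with the original order, and the corrected list.

```python
"""Source-address ACL evaluator for the RFC 1918 / RFC 2827 filters (added example)."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network

# RFC 1918 space plus the loopback block Task 20.14 asks to filter
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def wildcard(prefix: str) -> str:
    """IOS wildcard = bitwise inverse of the netmask, e.g. /8 -> 0.255.255.255."""
    return str(IPv4Network(prefix).hostmask)


def deny_line(prefix: str) -> str:
    """Render 'deny ip <network> <wildcard> any' for a CIDR prefix."""
    net = IPv4Network(prefix)
    return f"deny ip {net.network_address} {net.hostmask} any"


def _source(tokens: list[str]) -> IPv4Network:
    """Decode an ACL source field: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return IPv4Network(f"{tokens[1]}/32")
    wild = int(IPv4Address(tokens[1]))
    if wild & (wild + 1):        # IOS allows non-contiguous wildcards; this model does not
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    return IPv4Network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False)


class Acl:
    """Ordered numbered ACL; lookup() returns (action, matching entry text)."""

    def __init__(self, number: int, lines: list[str]) -> None:
        self.number = number
        self.entries: list[tuple[str, IPv4Network, str]] = []
        for line in lines:
            action, proto, *rest = line.split()
            if action not in ("permit", "deny") or proto != "ip":
                raise ValueError(f"unsupported entry: {line}")
            self.entries.append((action, _source(rest), line))

    def lookup(self, src: str) -> tuple[str, str]:
        addr = IPv4Address(src)
        for action, net, line in self.entries:
            if addr in net:
                return action, line            # first match wins
        return "deny", "implicit deny"         # end of list


# Task 20.15, access-list 111 exactly as printed on the page
ACL111_PRINTED = Acl(111, [
    "permit ip 172.16.240.0 0.0.0.255 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny ip 10.0.0.0 0.0.0.255 any log",       # only 10.0.0.0/24
    "permit ip host 10.1.1.4 any log",
])

# Mask corrected but the peer permit left below the deny: the peer is filtered
ACL111_WRONG_ORDER = Acl(111, [
    "permit ip 172.16.240.0 0.0.0.255 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny ip 10.0.0.0 0.255.255.255 any log",
    "permit ip host 10.1.1.4 any log",
])

# Corrected: full 10/8 wildcard and the peer loopback permitted before the deny
ACL111_FIXED = Acl(111, [
    "permit ip 172.16.240.0 0.0.0.255 any log",
    "permit ip host 10.1.1.4 any log",
    "deny ip 172.16.0.0 0.15.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny ip 10.0.0.0 0.255.255.255 any log",
])


def verdicts(acl: Acl, sources: list[str]) -> dict[str, str]:
    return {s: acl.lookup(s)[0] for s in sources}


if __name__ == "__main__":
    for prefix in BOGON_SOURCES:
        print(deny_line(prefix))
    samples = ["172.16.240.4", "10.1.1.4", "10.9.9.9", "192.168.1.1", "198.51.100.7"]
    for name, acl in (("printed", ACL111_PRINTED), ("wrong order", ACL111_WRONG_ORDER),
                      ("fixed", ACL111_FIXED)):
        print(name, verdicts(acl, samples))
    # With the printed mask a spoofed 10.x source never hits an explicit entry, so
    # the entry's 'log' keyword never fires; the drop is the silent implicit deny.
    print(ACL111_PRINTED.lookup("10.9.9.9"), ACL111_FIXED.lookup("10.9.9.9"))
```

The verdict for a spoofed 10.9.9.9 is "deny" in all three lists, which is why the printed mask goes unnoticed in a lab: the difference is that only the corrected list matches it explicitly and therefore logs it, and only the corrected ordering keeps the 10.1.1.4 peer reachable.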
