Re: [c-nsp] L3VPN VPNv4 NLRI - Route Reflector Scaling
Mark Tinka wrote on Monday, March 24, 2008 2:48 AM:

> Hello all. (posted to NANOG too; please excuse the length of the message)
>
> Considering the scaling techniques currently available for VPNv4/L3VPN deployments as regards MP-BGP route reflectors, what do folk think is currently the most elegant way to deploy this that provides an even compromise on manageability, cost and scale (see RFC 1925, section 2, part 7, :-))?
>
> [...]
>
> How are folk handling these issues today?

Well, most of the L3VPN deployments I'm aware of (which includes some very large SPs) still use a single iBGP mesh of dedicated VPNv4 RRs, some flat, some using hierarchical RR structure. RR partitioning via rr-group or using other means is rarely done as the scalability requirements are still able to be handled by the simpler design. I guess once you reach 500.000 vpnv4 prefixes or more, RR partitioning comes into play, with the caveats you've mentioned.

What are your requirements?

oli

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Hi,

On Sun, Mar 23, 2008 at 08:29:59PM -0700, Joseph Jackson wrote:

> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>
> GLOBAL CONFIG
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps

some other candidates to add here (may depend on platform/image and only to be applied after careful reconsideration ;-):

no service config
no ip http-secure
no service dhcp
no boot network
no boot host
no mop enabled
no ip host-routing

> as for the interface stuff...
>
> Per Interface Config
> no ip redirects
> no ip unreachables

personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

and, depending on the environment (e.g. in some IXs this can be found), you might want to add this one:

no keepalive

be aware this can lead to serious problems (e.g. on Gig-Ifs) when applied inappropriately ;-))

thanks,

Enno

--
Enno Rey
Check out www.troopers08.org!
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
Re: [c-nsp] Proxy ARP -- To disable, or not to disable..
> There's reasons for both, but as a service provider there's no reason to have proxy-arp enabled on customer facing interfaces.

*No* reason?

If the customers are residential and your access network is Layer 2, you're very likely to run Private VLANs. Private VLANs require Local Proxy ARP. Local Proxy ARP requires Proxy ARP.

There's one.

-A
Re: [c-nsp] L3VPN VPNv4 NLRI - Route Reflector Scaling
On Monday 24 March 2008, Oliver Boehmer (oboehmer) wrote:

> Well, most of the L3VPN deployments I'm aware of (which includes some very large SPs) still use a single iBGP mesh of dedicated VPNv4 RRs, some flat, some using hierarchical RR structure. RR partitioning via rr-group or using other means is rarely done as the scalability requirements are still able to be handled by the simpler design. I guess once you reach 500.000 vpnv4 prefixes or more, RR partitioning comes into play, with the caveats you've mentioned.
>
> What are your requirements?

We would like to build scalability into the network for VPNv4 route reflected NLRI early on so that there is little to change when we start seeing that number of prefixes.

At this time, we see simple route reflectors handling all address families as the way to start. As the network scales, doing the same on dedicated VPNv4 route reflectors seems logical. Beyond that is what we are thinking about.

We might be able to live with additional routing information at the PE routers initially, but it would be an area of concern at scale.

Cheers,

Mark.
[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
> as for the interface stuff...
>
> Per Interface Config
> no ip redirects
> no ip unreachables
>
> personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

[Leonardo Gama Souza] Personally I think it's much better to rate-limit 'ip unreachables' than to block them. Probably Cisco doesn't change these silly defaults because they won't have selling points for tools such as SDM. :)
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8. I haven't looked lately, so hopefully that behavior has changed.

-David Barak

Justin Shore wrote:

> hostname host
> ip domain-name domain.tld
> crypto key generate rsa modulus 2048
> !
> ip ssh time-out 60
> ip ssh version 2
> ip ssh authentication-retries 3
> !
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> service sequence-numbers
> ip icmp rate-limit unreachable DF 2000
> !
> no ip http server
> no ip http secure-server
>
> There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.
>
> http://www.cymru.com/Documents/secure-ios-template.html
>
> Justin
>
> Joseph Jackson wrote:
>
> > After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
> >
> > GLOBAL CONFIG
> > no service finger
> > no service pad
> > no service udp-small-servers
> > no service tcp-small-servers
> > service password-encryption
> > service tcp-keepalives-in
> > service tcp-keepalives-out
> > no cdp run
> > no ip bootp server
> > no ip http server
> > no ip finger
> > no ip source-route
> > no ip gratuitous-arps
> > END GLOBAL CONFIG
> >
> > Per Interface Config
> > no ip redirects
> > no ip proxy-arp
> > no ip unreachables
> > no ip directed-broadcast
> > no ip mask-reply
> > ip cef
> > END Per Interface Config
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
> > Sent: Friday, March 21, 2008 2:13 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
> >
> > A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems.
> >
> > Any feedback would be appreciated.
> >
> > --
> > Eric Cables
Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
Both redirects and unreachables can be used to implement a Denial of Service attack. We allow internally for troubleshooting but disallow both transmission to and reception from the global internet. Both to prevent DDoS from compromised hosts and from external hosts with hostile intent.

I really want to go back to the days when it was safe and acceptable to run a completely open network. Right now the internet is becoming more and more like a no-man's land.

Leonardo Gama Souza wrote:

> > as for the interface stuff...
> >
> > Per Interface Config
> > no ip redirects
> > no ip unreachables
> >
> > personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).
>
> [Leonardo Gama Souza] Personally I think it's much better to rate-limit 'ip unreachables' than to block them. Probably Cisco doesn't change these silly defaults because they won't have selling points for tools such as SDM. :)
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Good info. It's always risky when people add config without knowing what it does. I usually tell people to compare a before and after diff of the config of a lab router to see what exactly autosecure did. Then I point them to the online docs to figure out what the reason was behind each of the changes. It's a good way for folks to learn. It doesn't get much easier than go research this command to learn what it does. Then they can decide what will or will not work on their network. Everyone should have a lab, even if work won't provide one.

Justin

David Barak wrote:

> Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8. I haven't looked lately, so hopefully that behavior has changed.
>
> -David Barak
>
> [...]
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands are implemented, and if they don't, research them and make sure they know of any caveats.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Monday, March 24, 2008 9:21 AM
To: David Barak
Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

> Good info. It's always risky when people add config without knowing what it does. I usually tell people to compare a before and after diff of the config of a lab router to see what exactly autosecure did. Then I point them to the online docs to figure out what the reason was behind each of the changes. It's a good way for folks to learn. It doesn't get much easier than go research this command to learn what it does. Then they can decide what will or will not work on their network. Everyone should have a lab, even if work won't provide one.
>
> Justin
>
> [...]
Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
Have you looked into implementing control plane policing, or for the 6500 SUP720 platform the hardware rate-limiters, to allow some control traffic, but limit the bandwidth?

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath
Sent: Monday, March 24, 2008 9:14 AM
To: Leonardo Gama Souza
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)

> Both redirects and unreachables can be used to implement a Denial of Service attack. We allow internally for troubleshooting but disallow both transmission to and reception from the global internet. Both to prevent DDoS from compromised hosts and from external hosts with hostile intent.
>
> I really want to go back to the days when it was safe and acceptable to run a completely open network. Right now the internet is becoming more and more like a no-man's land.
>
> [...]
Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
We have - trouble is, as a university with really big pipes to the 'net we are a target, and the CoPP and other anti-DoS mechanisms get overwhelmed and become in themselves DoS amplifiers, so in the end the KISS principle wins again until someone comes up with a really effective packet sink for DDoS.

We are looking at the Cisco Guard products along these lines but so far nothing works quite as well as a simple ACL deny icmp any any as this drops in hardware on the 3BXL with the no unreach/redir so it can handle these packets at line rate. Recall that even now the control plane of a 65xx is still only 1 mbit so it's possible to swamp the box fairly easily.

Fred Reimer wrote:

> Have you looked into implementing control plane policing, or for the 6500 SUP720 platform the hardware rate-limiters, to allow some control traffic, but limit the bandwidth?
>
> Thanks,
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> [...]
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Enno Rey wrote:

> Hi,
>
> > Per Interface Config
> > no ip redirects
> > no ip unreachables
>
> personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

To more explicitly say what everyone was dancing around, ICMPs are classified as receive packets which can only be process switched. This leaves a wide open avenue for resource exhaustion attacks.

ICMP can be very useful for troubleshooting and diagnostics. It is also an extremely easy and effective method with which to DoS SPs. I don't agree with blocking it outright, even at the Internet borders, but I do agree that much of it can be used maliciously and that it should be controlled. Deny ICMP frags explicitly (otherwise you'll endure 2 CPU interrupts). Permit echo requests and replies to your access edges. Permit packet-too-big (for PMTU) and time-exceeded (traceroutes). Then rate-limit it down to a reasonable number. On your routing devices disable/prevent all unnecessary ICMP services and responses. Rate-limit all necessary responses to a reasonable level.

Good info on how to accomplish all of this can be had in the Router Security Strategies Cisco Press book and many other resources.

Justin
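Justin's ICMP edge policy above as a runnable model, added here and not part of the thread or of any vendor feature: each constructed packet is classified in the order he gives (fragments denied, echo permitted only when one end is in an assumed access-edge prefix, packet-too-big and time-exceeded permitted, everything else denied) and the permitted set is then put through a token bucket. The prefix 203.0.113.0/24, the bucket rate and the packet list are assumptions made for the demonstration.

```python
"""Model of the ICMP edge policy Justin lays out in this thread: deny
fragments, permit echo to/from the access edge, permit packet-too-big and
time-exceeded, then rate-limit what is left.  Added example, not a vendor
implementation; the edge prefix and the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCESS_EDGE = [ip_network("203.0.113.0/24")]     # assumed customer range


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int = 0
    more_fragments: bool = False   # IP header MF flag
    frag_offset: int = 0           # IP fragment offset; non-zero = later piece
    ts_ms: int = 0                 # arrival time in milliseconds

    def is_fragment(self) -> bool:
        return self.more_fragments or self.frag_offset > 0


class TokenBucket:
    """Aggregate limiter for the ICMP the policy lets through
    ('rate-limit it down to a reasonable number')."""
    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last_ms = float(burst), 0

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpEdgePolicy:
    def __init__(self, edge_nets=ACCESS_EDGE, rate_pps: float = 10.0, burst: int = 2):
        self.edge_nets = edge_nets
        self.limiter = TokenBucket(rate_pps, burst)

    def _at_edge(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in net for net in self.edge_nets)

    def classify(self, pkt: IcmpPacket) -> str:
        """Static part of the policy, evaluated before any rate limiting."""
        # Fragments first: a fragmented ICMP datagram costs the router the
        # "2 CPU interrupts" Justin mentions, so it is dropped outright.
        if pkt.is_fragment():
            return "deny:fragment"
        if pkt.icmp_type in (0, 8):                    # echo reply / request
            if self._at_edge(pkt.src) or self._at_edge(pkt.dst):
                return "permit:echo"
            return "deny:echo-not-edge"
        if (pkt.icmp_type, pkt.icmp_code) == (3, 4):   # packet-too-big (PMTUD)
            return "permit:packet-too-big"
        if pkt.icmp_type == 11:                        # time-exceeded (traceroute)
            return "permit:time-exceeded"
        return "deny:other"          # redirects, other unreachables, ...

    def decide(self, pkt: IcmpPacket) -> str:
        verdict = self.classify(pkt)
        if verdict.startswith("permit") and not self.limiter.allow(pkt.ts_ms):
            return "deny:rate-limit"
        return verdict


def run_policy(packets: List[IcmpPacket],
               policy: Optional[IcmpEdgePolicy] = None) -> List[str]:
    """Apply the policy to a packet sequence (assumed sorted by ts_ms)."""
    policy = policy or IcmpEdgePolicy()
    return [policy.decide(p) for p in packets]


# Constructed sample: two bursts one second apart (bucket: 10 pps, burst 2).
SAMPLE_PACKETS = [
    IcmpPacket("198.51.100.7", "203.0.113.5", 8, ts_ms=0),      # echo to edge
    IcmpPacket("203.0.113.5", "198.51.100.7", 0, ts_ms=0),      # reply from edge
    IcmpPacket("198.51.100.7", "203.0.113.9", 8, ts_ms=0),      # third in burst
    IcmpPacket("198.51.100.7", "203.0.113.5", 8, more_fragments=True, ts_ms=1000),
    IcmpPacket("192.0.2.1", "203.0.113.5", 3, 4, ts_ms=1000),   # packet-too-big
    IcmpPacket("192.0.2.1", "203.0.113.5", 11, ts_ms=1000),     # time-exceeded
    IcmpPacket("192.0.2.1", "203.0.113.5", 3, 1, ts_ms=1000),   # host unreachable
    IcmpPacket("198.51.100.7", "192.0.2.1", 8, ts_ms=1000),     # echo, no edge side
    IcmpPacket("192.0.2.1", "203.0.113.5", 5, ts_ms=1000),      # redirect
]
```

`run_policy(SAMPLE_PACKETS)` shows the third echo of the first burst dropped by the bucket while the fragment and the redirect are dropped before the bucket is consulted.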
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Fred Reimer wrote:

> Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands are implemented, and if they don't, research them and make sure they know of any caveats.

Is there anything similar that will allow me to take a router configuration file and interactively process it on an external system to increase security on my router? I don't think autosecure exists on my platform. (7500 RSP4+)

Peace...

Sridhar
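An offline check of the kind Sridhar asks about, added here as an example and not a Cisco tool or anything from the thread: a Python script that parses a saved IOS running-config on an external system and reports which of the hardening commands posted earlier in the thread are absent, and which control on ICMP unreachables (Joseph's per-interface suppression or Justin's global rate limit) each L3 interface ends up with. The sample config is constructed; the command lists are taken from the thread and are meant to be edited to local policy.

```python
"""Offline hardening audit of a saved Cisco IOS running-config.
Added example for this thread, not a Cisco tool and not autosecure: it parses
a config file on an external system and reports which of the global and
per-interface commands posted in the thread are absent.  Sample config is
constructed."""
from typing import Dict, List, Tuple

EXPECTED_GLOBAL = [  # Joseph Jackson's GLOBAL CONFIG list plus Justin's SSH line
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip finger",
    "no ip source-route", "no ip gratuitous-arps", "ip ssh version 2",
]
# Checked on every interface with an IP address.  Whether 'no ip unreachables'
# belongs here is what the thread argues about; edit to your own policy.
EXPECTED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply"]


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and per-interface blocks.
    IOS indents sub-commands by one space and separates sections with '!'."""
    top_level: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    block: List[str] = []            # indented lines of the current section
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            block = []
            continue
        if raw[0] in " \t":           # sub-command of the current section
            block.append(raw.strip())
            continue
        line = raw.strip()
        top_level.append(line)
        if line.startswith("interface "):
            block = interfaces.setdefault(line.split(None, 1)[1], [])
        else:
            block = []                # line vty, router ... are not audited here
    return top_level, interfaces


def unreachable_policy(top_level: List[str], iface_lines: List[str]) -> str:
    """Control on ICMP unreachables for one interface: 'suppressed' (Joseph's
    'no ip unreachables'), 'rate-limited' (Justin's global 'ip icmp rate-limit
    unreachable ...'; with 'DF' it covers only code-4 messages), or 'default'
    (neither, so only the IOS default interval applies)."""
    if "no ip unreachables" in iface_lines:
        return "suppressed"
    if any(l.startswith("ip icmp rate-limit unreachable") for l in top_level):
        return "rate-limited"
    return "default"


def audit(text: str) -> dict:
    """Report hardening lines absent from the config.  Caveat: absence only
    means 'not explicitly configured'; many IOS releases omit settings already
    at their secure default (e.g. small-servers, directed-broadcast) from the
    running-config, so check the platform default before calling it a finding."""
    top_level, interfaces = parse_ios_config(text)
    present = set(top_level)
    report = {"global_missing": [c for c in EXPECTED_GLOBAL if c not in present],
              "interface_missing": {}, "unreachables": {}}
    for name, lines in interfaces.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue                  # no IP address: nothing to harden here
        missing = [c for c in EXPECTED_INTERFACE if c not in lines]
        if missing:
            report["interface_missing"][name] = missing
        report["unreachables"][name] = unreachable_policy(top_level, lines)
    return report


SAMPLE_CONFIG = """\
service password-encryption
no service pad
ip ssh version 2
ip icmp rate-limit unreachable DF 2000
no ip source-route
no ip bootp server
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
!
no ip http server
no cdp run
end
"""
```

Run `audit(open("router.cfg").read())` on a config pulled with `show running-config`; on the constructed sample it flags GigabitEthernet0/1 for four of the five interface lines and reports it as rate-limited rather than suppressed.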
[c-nsp] PF to IOS FW Translation
Does anyone know of any resources available on the 'net for learning how to translate pf firewall rulesets into IOS Firewall rulesets?

Peace...

Sridhar
[c-nsp] External Firewall
I'm interested in adding a firewall to a network I admin at work. The gateway router on the network is a 7200 NPE-G1. What I want to know is whether I have to route all of my packets through my external firewall, or is there a way to have the firewall set state in the router to enable it to route packets in a session without the further involvement of the firewall?

Peace...

Sridhar
Re: [c-nsp] External Firewall
Normally people would put it like shown below..

WAN-Router-Firewall--LAN-Switch

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 9:55 PM
To: Cisco NSPs
Subject: [c-nsp] External Firewall

> I'm interested in adding a firewall to a network I admin at work. The gateway router on the network is a 7200 NPE-G1. What I want to know is whether I have to route all of my packets through my external firewall, or is there a way to have the firewall set state in the router to enable it to route packets in a session without the further involvement of the firewall?
>
> Peace...
>
> Sridhar
Re: [c-nsp] External Firewall
Masood Ahmad Shah wrote:

> Normally people would put it like shown below..
>
> WAN-Router-Firewall--LAN-Switch

That's what I was hoping to avoid.

Peace...

Sridhar
Re: [c-nsp] External Firewall
Why would anybody want to secure their lan from their wan? :)

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-------------- Original message --------------
From: Sridhar Ayengar [EMAIL PROTECTED]

> Masood Ahmad Shah wrote:
>
> > Normally people would put it like shown below..
> >
> > WAN-Router-Firewall--LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace...
>
> Sridhar
Re: [c-nsp] External Firewall
because they do not trust their field offices not to install the latest 'screen saver'...

[EMAIL PROTECTED] wrote:

> Why would anybody want to secure their lan from their wan? :)
>
> --
> Regards,
> Jason Plank
> CCIE #16560
> e: [EMAIL PROTECTED]
>
> [...]
Re: [c-nsp] External Firewall
Why, exactly? Performance of the firewall?

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 1:31 PM
To: Masood Ahmad Shah
Cc: 'Cisco NSPs'
Subject: Re: [c-nsp] External Firewall

> Masood Ahmad Shah wrote:
>
> > Normally people would put it like shown below..
> >
> > WAN-Router-Firewall--LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace...
>
> Sridhar
Re: [c-nsp] External Firewall
Fred Reimer wrote:

> Why, exactly? Performance of the firewall?

Yes. I have two identical networks set up for one company in two different locations. One has a Cisco router (said 7200) talking upstream to a big WAN pipe and downstream to two gigabit ethernet networks. The second location has the same WAN and LAN configuration, WAN line distance and quality measurement numbers, etc. The only difference is that it is a BSD PC. The Cisco performs noticeably and measurably better in latency and throughput. Neither is running firewall code. Now, the BSD PC has gobs more processor horsepower, memory- and bus-bandwidth. Why should the Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab.

(1) I wanted to try setting up the firewall between the internal gigabit network and the 7200.

(2) I then wanted to set up the firewall between the WAN interface and the router to see how that performs.

(3) I wanted to set up what I described in my original message, with the firewall performing only stateful inspection functions, and allowing the router to perform packet switching functions without interference from the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the external gigabit LAN wouldn't come across the firewall PC. However, the disadvantage would be that traffic between the two LANs would have to pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the internal and external LANs wouldn't come near the firewall PC. Also, the WAN pipe may not require the throughput advantage of the Cisco. (It may indeed, but it might not be as sensitive.) However, this does add a couple dozen ms to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for the life of me, can't figure out if there's a way to set a network up like that.

Any ideas?

Peace...

Sridhar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 1:31 PM
To: Masood Ahmad Shah
Cc: 'Cisco NSPs'
Subject: Re: [c-nsp] External Firewall

> Masood Ahmad Shah wrote:
>
> > Normally people would put it like shown below..
> >
> > WAN-Router-Firewall--LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace...
>
> Sridhar
Re: [c-nsp] External Firewall
So the root question is why a Cisco 7200 router would perform better than
a PC running BSD, beefy as that PC may be? Without questioning the merits
behind spending time on this I'm not sure what benefit a firewall would
provide. Exactly what are you looking for the firewall to do? You wanted
to see how it performs with the firewall in various locations. Doing what?

Sorry I can't be of more help. I understand what you are trying to find
out, but not what a firewall has to do with it. You could possibly put a
firewall before and/or after in transparent mode.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Sridhar Ayengar [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2008 3:12 PM
To: Fred Reimer
Cc: Masood Ahmad Shah; Cisco NSPs
Subject: Re: [c-nsp] External Firewall

Fred Reimer wrote:
> Why, exactly? Performance of the firewall?

Yes. I have two identical networks set up for one company in two
different locations. One has a Cisco router (said 7200) talking upstream
to a big WAN pipe and downstream to two gigabit ethernet networks. The
second location has the same WAN and LAN configuration, WAN line distance
and quality measurement numbers, etc. The only difference is that it is a
BSD PC.

The Cisco performs noticeably and measurably better in latency and
throughput. Neither is running firewall code. Now, the BSD PC has gobs
more processor horsepower, memory- and bus-bandwidth. Why should the
Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab.

(1) I wanted to try setting up the firewall between the internal gigabit
network and the 7200.

(2) I then wanted to set up the firewall between the WAN interface and
the router to see how that performs.

(3) I wanted to set up what I described in my original message, with the
firewall performing only stateful inspection functions, and allowing the
router to perform packet switching functions without interference from
the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the
external gigabit LAN wouldn't come across the firewall PC. However, the
disadvantage would be that traffic between the two LANs would have to
pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the internal and
external LANs wouldn't come near the firewall PC. Also, the WAN pipe may
not require the throughput advantage of the Cisco. (It may indeed, but
it might not be as sensitive.) However, this does add a couple dozen ms
to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for
the life of me, can't figure out if there's a way to set a network up
like that.

Any ideas?

Peace... Sridhar

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
> Sent: Monday, March 24, 2008 1:31 PM
> To: Masood Ahmad Shah
> Cc: 'Cisco NSPs'
> Subject: Re: [c-nsp] External Firewall
>
> Masood Ahmad Shah wrote:
>> Normally people would put like show below..
>> WAN-Router-Firewall--LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace... Sridhar
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Sridhar Ayengar wrote:
> Fred Reimer wrote:
>> Exactly, autosecure is just a macro. It is always advisable to check
>> the actual router configuration after it is completed. The engineer
>> should make sure they understand how all of the commands implemented,
>> and if they don't research them and make sure they know of any caveats.
>
> Is there anything similar that will allow me to take a router
> configuration file and interactively process it on an external system
> to increase security on my router?

Yes. You can use RAT (Router Audit Tool).

http://www.cisecurity.org/

However that still doesn't exempt the admin from knowing exactly what
each and every suggested command does. RAT bitches and moans about my
configs because I don't ever set VTY passwords. RAT doesn't have the
ability to recognize that they are not needed in my scenario because I
utilize full AAA. RAT is programmed to look for certain things and give
the pre-determined output. It's still a good tool but you have to
understand what it's telling you to figure out if in fact there is a
problem to be addressed.

As always with security, there is no silver bullet.

Justin
[c-nsp] VPLS, spanning tree and redundancy
Hi,

It looks like one of our customers would like to have redundant L2
access. We have two PEs in both locations so in theory that should work.
However, I wonder what your ideas are about preventing L2 loops in such
network. The customer envisaged something like this (variable-width font):

    CSW1---CSW2
     |       |
    PE1     PE2
      MPLS cloud
    PE3     PE4
     |       |
    CSW3---CSW4

where CSW is the customer's switch. Currently they only have one half of
that solution (CSW1, PE1, PE3 and CSW3) with a single VPLS between PE1
and PE3.

The solution we came up with is to run a single VPLS1 between PE1 and
PE3 (the way it is now) and then add VPLS2 between PE2 and PE4. This way
the customer can run spanning tree (bearing in mind that if they set the
cost incorrectly they will get CSW3 talking to CSW4 through CSW1 and
CSW2).

I know that we might have scaling issues in future (twice the number of
VPLSes), but are there any other issues that you're aware of?

kind regards
Pshem
Re: [c-nsp] External Firewall
Sridhar,

The Cisco is faster because it's designed from the ground up to route
traffic. Not so with the BSD box. You could probably spend months looking
at drivers, tuning the kernel, etc to improve it, but still not match the
7200. It's more than just CPU power.

Depending on the platform, you might be able to policy route TCP syn/syn
acks to the FW, and once it's established (assuming FW lets it), it can
resume through the Cisco only. You're losing the benefit of a stateful
firewall at this point though, since the state isn't being monitored
anymore.

Seems like a couple firewalls with throughput to match your WAN should be
enough. If you're willing to lose the stateful firewall capability, a
simple packet filtering switch would do, and at line rate.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 3:12 PM
To: Fred Reimer
Cc: Cisco NSPs
Subject: Re: [c-nsp] External Firewall

Fred Reimer wrote:
> Why, exactly? Performance of the firewall?

Yes. I have two identical networks set up for one company in two
different locations. One has a Cisco router (said 7200) talking upstream
to a big WAN pipe and downstream to two gigabit ethernet networks. The
second location has the same WAN and LAN configuration, WAN line distance
and quality measurement numbers, etc. The only difference is that it is a
BSD PC.

The Cisco performs noticeably and measurably better in latency and
throughput. Neither is running firewall code. Now, the BSD PC has gobs
more processor horsepower, memory- and bus-bandwidth. Why should the
Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab.

(1) I wanted to try setting up the firewall between the internal gigabit
network and the 7200.

(2) I then wanted to set up the firewall between the WAN interface and
the router to see how that performs.

(3) I wanted to set up what I described in my original message, with the
firewall performing only stateful inspection functions, and allowing the
router to perform packet switching functions without interference from
the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the
external gigabit LAN wouldn't come across the firewall PC. However, the
disadvantage would be that traffic between the two LANs would have to
pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the internal and
external LANs wouldn't come near the firewall PC. Also, the WAN pipe may
not require the throughput advantage of the Cisco. (It may indeed, but
it might not be as sensitive.) However, this does add a couple dozen ms
to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for
the life of me, can't figure out if there's a way to set a network up
like that.

Any ideas?

Peace... Sridhar

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
> Sent: Monday, March 24, 2008 1:31 PM
> To: Masood Ahmad Shah
> Cc: 'Cisco NSPs'
> Subject: Re: [c-nsp] External Firewall
>
> Masood Ahmad Shah wrote:
>> Normally people would put like show below..
>> WAN-Router-Firewall--LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace... Sridhar
Re: [c-nsp] External Firewall
> What I want to know is whether I have to route all of my packets through
> my external firewall, or is there a way to have the firewall set state
> in the router to enable it to route packets in a session without the
> further involvement of the firewall?

Something like that should be possible in the not-too-distant future,
though not with the 7200.

However, one of the larger ASAs should be able to keep up with the 7200.
Or you could go for the new ASR, which should be able to do both tasks
at the same time even faster than the 7200.

-A
Re: [c-nsp] External Firewall
Hi Sridhar,

I'm afraid I haven't understood the significance of the firewall in your
performance comparison tests between the cisco router and a BSD PC. Is
the BSD PC the firewall you are referring to? Is your main aim to
discover the reason why existing performance differs between the cisco
and a BSD PC/router, or to test topology difference in two sites (only
one of which has a firewall)?

Perhaps the cisco outperforms a powerful PC because of the hardware
assisted switching. The cisco router will use fast switching methods
(e.g. CEF) to reduce the number of lookups and overall processing
required by the main CPU.

If I understand option (3) correctly, you wish to perform Multilayer
Switching between a router and a stateful firewall. One difficulty I see
with this is that in order for the firewall to perform stateful
inspection, you will need to provide it with the traffic necessary to
monitor the state of flows. Shifting a flow over to a path which cuts
out the firewall will then deprive it of this information. This will
limit its ability to function, for instance the firewall would not be
able to detect when ports are negotiated within a session, or when a
session ended. Consequently I think the only inspection that you would
be able to achieve with that approach would be basic ACL style
filtering; which is something you could do on the router in any case.

Shifting the firewall so that it is not in the main transit path will
also expose the edge router and the infrastructure behind it.

Paul.

Sridhar Ayengar wrote:
> Fred Reimer wrote:
>> Why, exactly? Performance of the firewall?
>
> Yes. I have two identical networks set up for one company in two
> different locations. One has a Cisco router (said 7200) talking upstream
> to a big WAN pipe and downstream to two gigabit ethernet networks. The
> second location has the same WAN and LAN configuration, WAN line
> distance and quality measurement numbers, etc. The only difference is
> that it is a BSD PC.
>
> The Cisco performs noticeably and measurably better in latency and
> throughput. Neither is running firewall code. Now, the BSD PC has gobs
> more processor horsepower, memory- and bus-bandwidth. Why should the
> Cisco outperform it?
>
> To find out, I wanted to set up a selection of scenarios in the lab.
>
> (1) I wanted to try setting up the firewall between the internal gigabit
> network and the 7200.
>
> (2) I then wanted to set up the firewall between the WAN interface and
> the router to see how that performs.
>
> (3) I wanted to set up what I described in my original message, with
> the firewall performing only stateful inspection functions, and allowing
> the router to perform packet switching functions without interference
> from the firewall once the session is operating.
>
> As far as I can see, the advantage of (1) is that traffic heading to the
> external gigabit LAN wouldn't come across the firewall PC. However, the
> disadvantage would be that traffic between the two LANs would have to
> pass through it. That might be unacceptable.
>
> The advantage of (2) might be that traffic between the internal and
> external LANs wouldn't come near the firewall PC. Also, the WAN pipe may
> not require the throughput advantage of the Cisco. (It may indeed, but
> it might not be as sensitive.) However, this does add a couple dozen ms
> to the latency of the upstream connection.
>
> As far as I can tell, (3) would be the best of both worlds, but I, for
> the life of me, can't figure out if there's a way to set a network up
> like that.
>
> Any ideas?
>
> Peace... Sridhar
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
>> Sent: Monday, March 24, 2008 1:31 PM
>> To: Masood Ahmad Shah
>> Cc: 'Cisco NSPs'
>> Subject: Re: [c-nsp] External Firewall
>>
>> Masood Ahmad Shah wrote:
>>> Normally people would put like show below..
>>> WAN-Router-Firewall--LAN-Switch
>>
>> That's what I was hoping to avoid.
>>
>> Peace... Sridhar
Re: [c-nsp] External Firewall
> (3) I wanted to set up what I described in my original message, with
> the firewall performing only stateful inspection functions, and allowing
> the router to perform packet switching functions without interference
> from the firewall once the session is operating.

By definition stateful inspection requires the firewall to see all the
packets... to verify that they are indeed part of an agreed connection
etc... So scenario 3 is a nonsense. If you could offload the connection
once it was setup (in a sort of MLS style way) - it would no longer be
stateful inspection. As the packet forwarder is no longer verifying the
state at all.

The 7200 can do stateful inspection (via CBAC / Firewall IOS) but you'd
need to give more info about the Processor (NPE), Throughput (inc Pkt
sizes, protocols etc) and any other features you have running for a view
on whether it would cope. (and that would only be an opinion then)

Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: 24 March 2008 19:12
To: Fred Reimer
Cc: Cisco NSPs
Subject: Re: [c-nsp] External Firewall

Fred Reimer wrote:
> Why, exactly? Performance of the firewall?

Yes. I have two identical networks set up for one company in two
different locations. One has a Cisco router (said 7200) talking upstream
to a big WAN pipe and downstream to two gigabit ethernet networks. The
second location has the same WAN and LAN configuration, WAN line distance
and quality measurement numbers, etc. The only difference is that it is a
BSD PC.

The Cisco performs noticeably and measurably better in latency and
throughput. Neither is running firewall code. Now, the BSD PC has gobs
more processor horsepower, memory- and bus-bandwidth. Why should the
Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab.

(1) I wanted to try setting up the firewall between the internal gigabit
network and the 7200.

(2) I then wanted to set up the firewall between the WAN interface and
the router to see how that performs.

(3) I wanted to set up what I described in my original message, with the
firewall performing only stateful inspection functions, and allowing the
router to perform packet switching functions without interference from
the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the
external gigabit LAN wouldn't come across the firewall PC. However, the
disadvantage would be that traffic between the two LANs would have to
pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the internal and
external LANs wouldn't come near the firewall PC. Also, the WAN pipe may
not require the throughput advantage of the Cisco. (It may indeed, but
it might not be as sensitive.) However, this does add a couple dozen ms
to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for
the life of me, can't figure out if there's a way to set a network up
like that.

Any ideas?

Peace... Sridhar
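Paul's and Dean's objection can be made concrete with a small simulation. This is an added example for this thread, not code from any product mentioned in it; the addresses, ports and sequence numbers are constructed, and the firewall is a toy TCP tracker (handshake state plus a sequence-number window, with the assumed policy that only 10/8 hosts may open connections). It replays the same segments through an inline firewall and through a router that stops consulting the firewall once the flow is established, which is what scenario (3) amounts to:

```python
"""Toy stateful firewall vs. a router that offloads established flows.
Added example for this thread, not code from any product named in it;
addresses, ports and sequence numbers are constructed."""
from dataclasses import dataclass

WINDOW = 65535          # accepted distance from the expected sequence number
INSIDE_PREFIX = "10."   # assumed policy: only inside hosts may open connections


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    length: int = 0


def flow_key(seg):
    """Direction-independent 5-tuple so both halves of a flow share one entry."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (min(a, b), max(a, b))


class StatefulFirewall:
    """Permits a segment only if it fits the tracked state of its connection."""

    def __init__(self):
        self.table = {}  # flow_key -> {"state": str, "next_seq": {endpoint: int}}

    def inspect(self, seg):
        key, sender = flow_key(seg), (seg.src, seg.sport)
        conn = self.table.get(key)
        if conn is None:  # only a bare SYN from the inside may create state
            if seg.flags == {"SYN"} and seg.src.startswith(INSIDE_PREFIX):
                self.table[key] = {"state": "SYN_SENT", "next_seq": {sender: seg.seq + 1}}
                return True
            return False
        if conn["state"] == "SYN_SENT":
            if seg.flags == {"SYN", "ACK"} and sender not in conn["next_seq"]:
                conn["next_seq"][sender] = seg.seq + 1    # peer's ISN learned
                return True
            if seg.flags == {"ACK"} and len(conn["next_seq"]) == 2:
                conn["state"] = "ESTABLISHED"             # handshake complete
                return True
            return False
        # ESTABLISHED / CLOSING: the sequence number must fall inside the window,
        # which is what defeats blind data or RST injection.
        expected = conn["next_seq"].get(sender)
        if expected is None or not expected <= seg.seq < expected + WINDOW:
            return False
        if "RST" in seg.flags:
            del self.table[key]
            return True
        conn["next_seq"][sender] = seg.seq + seg.length + ("FIN" in seg.flags)
        if "FIN" in seg.flags:
            if conn["state"] == "CLOSING":
                del self.table[key]                       # both sides have closed
            else:
                conn["state"] = "CLOSING"
        return True


class Router:
    """With offload=True the firewall is consulted only until the flow is
    ESTABLISHED; after that the router forwards on the 5-tuple alone."""

    def __init__(self, firewall, offload):
        self.fw, self.offload, self.fast_path = firewall, offload, set()

    def forward(self, seg):
        key = flow_key(seg)
        if self.offload and key in self.fast_path:
            return True                                   # firewall never sees it
        permitted = self.fw.inspect(seg)
        conn = self.fw.table.get(key)
        if permitted and self.offload and conn and conn["state"] == "ESTABLISHED":
            self.fast_path.add(key)
        return permitted


CLIENT, SERVER = ("10.1.1.10", 40000), ("198.51.100.20", 80)   # constructed


def c2s(flags, seq, length=0):
    return Segment(*CLIENT, *SERVER, frozenset(flags), seq, length)


def s2c(flags, seq, length=0):
    return Segment(*SERVER, *CLIENT, frozenset(flags), seq, length)


def run(offload):
    """Replay one session and report whether a blind injection got through
    and whether the firewall still holds state after the session closed."""
    fw = StatefulFirewall()
    rtr = Router(fw, offload)
    for seg in (c2s({"SYN"}, 1000), s2c({"SYN", "ACK"}, 5000), c2s({"ACK"}, 1001)):
        rtr.forward(seg)                                  # three-way handshake
    rtr.forward(c2s({"ACK"}, 1001, length=100))           # request
    rtr.forward(s2c({"ACK"}, 5001, length=300))           # reply
    # Blind injection: spoofed server address, correct ports, bogus sequence number.
    injected = rtr.forward(s2c({"ACK"}, 9_000_000, length=40))
    rtr.forward(c2s({"FIN", "ACK"}, 1101))                # orderly close
    rtr.forward(s2c({"FIN", "ACK"}, 5301))
    return {"injected_forwarded": injected,
            "firewall_still_has_state": flow_key(c2s({"SYN"}, 0)) in fw.table}


if __name__ == "__main__":
    print("inline firewall:", run(offload=False))
    print("offloaded flow: ", run(offload=True))
```

In the inline run the spoofed segment with an out-of-window sequence number is dropped and the entry disappears after both FINs; in the offloaded run the router forwards the spoofed segment and the firewall is left holding an ESTABLISHED entry for a session that no longer exists. A real product tracks far more (window scaling, TIME_WAIT, per-direction ACK checks), but no amount of tracking helps with segments the firewall never sees.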
Re: [c-nsp] External Firewall
Don't be giving out any NDA materials now...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Asbjorn Hojmark - Lists
Sent: Monday, March 24, 2008 5:07 PM
To: 'Sridhar Ayengar'
Cc: 'Cisco NSPs'
Subject: Re: [c-nsp] External Firewall

> What I want to know is whether I have to route all of my packets through
> my external firewall, or is there a way to have the firewall set state
> in the router to enable it to route packets in a session without the
> further involvement of the firewall?

Something like that should be possible in the not-too-distant future,
though not with the 7200.

However, one of the larger ASAs should be able to keep up with the 7200.
Or you could go for the new ASR, which should be able to do both tasks
at the same time even faster than the 7200.

-A
Re: [c-nsp] VPLS, spanning tree and redundancy
Hi,

just a question in advance: do you know for sure that STP BPDUs are
forwarded across the cloud? [this may or may not be the case, depending
on the gear used and the configuration/carrier (you?) providing the VPLS
links]

On Tue, Mar 25, 2008 at 09:47:16AM +1300, Pshem Kowalczyk wrote:
> Hi,
>
> It looks like one of our customers would like to have redundant L2
> access. We have two PEs in both locations so in theory that should work.
> However, I wonder what your ideas are about preventing L2 loops in such
> network. The customer envisaged something like this (variable-width
> font):
>
>     CSW1---CSW2
>      |       |
>     PE1     PE2
>       MPLS cloud
>     PE3     PE4
>      |       |
>     CSW3---CSW4
>
> where CSW is the customer's switch. Currently they only have one half of
> that solution (CSW1, PE1, PE3 and CSW3) with a single VPLS between PE1
> and PE3.
>
> The solution we came up with is to run a single VPLS1 between PE1 and
> PE3 (the way it is now) and then add VPLS2 between PE2 and PE4. This
> way the customer can run spanning tree

if I understood you correctly there will be two different VPLS clouds
between both pairs of CSW/PE links? why run STP at all, then?

> (bearing in mind that if they set the cost incorrectly they will get
> CSW3 talking to CSW4 through CSW1 and CSW2).

again: given two different clouds this shouldn't happen.

furthermore I seem to recall a Cisco white paper discussing ways (though
impractical ones, from my perspective) to avoid loops in VPLS scenarios:

http://www.cisco.com/en/US/tech/tk436/tk891/technologies_white_paper09186a00801f6084.shtml

thanks,

Enno

--
Enno Rey

Check out www.troopers08.org!

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
Re: [c-nsp] External Firewall
* [EMAIL PROTECTED] (Fred Reimer) [Mon 24 Mar 2008, 22:28 CET]:
> Don't be giving out any NDA materials now...

The ASR and its featureset have been announced and thus are public
knowledge.

-- Niels.

--
Re: [c-nsp] VPLS, spanning tree and redundancy
On 25/03/2008, Enno Rey [EMAIL PROTECTED] wrote:
> Hi,
>
> just a question in advance: do you know for sure that STP BPDUs are
> forwarded across the cloud? [this may or may not be the case, depending
> on the gear used and the configuration/carrier (you?) providing the VPLS
> links]

We're providing the VPLS links and the BPDUs are definitely forwarded
(we have some customers with 'hub and spoke' design that wanted all
their traffic to go through a central point and STP solved that problem
for them).

> if I understood you correctly there will be two different VPLS clouds
> between both pairs of CSW/PE links? why run STP at all, then?

Yes, the idea is to run two VPLS clouds, we wouldn't run the STP, but the
customer will.

> again: given two different clouds this shouldn't happen.

Unless you use spanning tree and the cost of going directly between
switches is higher than going all the way around. We don't have control
over the CSW - so it's up to the customer to figure that out :-)

> furthermore I seem to recall a Cisco white paper discussing ways (though
> impractical ones, from my perspective) to avoid loops in VPLS scenarios:
>
> http://www.cisco.com/en/US/tech/tk436/tk891/technologies_white_paper09186a00801f6084.shtml

Thx for the link, will have a look.

kind regards
Pshem
Re: [c-nsp] [cisco-voip] Cisco VPN Client for 64-bit????
Yep... that's what I ended up doing...

Jonathan

On Mon, Mar 24, 2008 at 5:33 PM, Scott Voll [EMAIL PROTECTED] wrote:
> So is what I gather from this.. I must run a VM of XP 32bit in my Vista
> 64-bit OS in order to get a VPN connection back to my office?
>
> Scott
>
> PS Admin is not going to like this.
>
> On Wed, Feb 13, 2008 at 9:15 PM, Jason Aarons (US) [EMAIL PROTECTED] wrote:
>> I run the Virtual PC 2007 (free) with XP 32bit (not free) on my Vista
>> 64-Bit box. You can then mount your Vista c:\ drive in the VM. I find
>> I sometimes need a XP test box, etc.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Charles
>> Sent: Wednesday, February 13, 2008 10:54 PM
>> To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
>> Subject: Re: [cisco-voip] Cisco VPN Client for 64-bit
>>
>> Oh, and not that stupid AnyConnect crapfest, I need to be able to
>> connect to an IPSec VPN on a PIX or an older VPN Concentrator...
>>
>> Jonathan
>>
>> On Feb 13, 2008 9:29 PM, Jonathan Charles [EMAIL PROTECTED] wrote:
>>> I have a lot of users using Dell Precision Workstations with upwards
>>> of 8GB of RAM and are running 64-bit XP and Vista, and they can't get
>>> the Cisco VPN client to work...
>>>
>>> Does Cisco have any intention of supporting 64-bit for the VPN Client?
>>>
>>> Jonathan
Re: [c-nsp] Cisco 10k?
On Thu, Mar 13, 2008 at 04:39:24PM -0400, Matthew Crocker wrote:
> Isn't Cisco doing away with all the routers based off the FPGA code?
> NSE-100, 7301, NSE-1

*very* fast when the packets can be handled in PXF, not so good when
they can't.

i'd be interested in any documentation or discussion that would point to
cisco distancing themselves from the 7301.

--
bill
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Thanks to everyone for all the great info!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Rikard Skjelsvik
Sent: Monday, March 24, 2008 4:42 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore wrote:
> Sridhar Ayengar wrote:
>> Fred Reimer wrote:
>>> Exactly, autosecure is just a macro. It is always advisable to check
>>> the actual router configuration after it is completed. The engineer
>>> should make sure they understand how all of the commands implemented,
>>> and if they don't research them and make sure they know of any
>>> caveats.
>>
>> Is there anything similar that will allow me to take a router
>> configuration file and interactively process it on an external system
>> to increase security on my router?
>
> Yes. You can use RAT (Router Audit Tool).
>
> http://www.cisecurity.org/
>
> However that still doesn't exempt the admin from knowing exactly what
> each and every suggested command does. RAT bitches and moans about my
> configs because I don't ever set VTY passwords. RAT doesn't have the
> ability to recognize that they are not needed in my scenario because I
> utilize full AAA. RAT is programmed to look for certain things and give
> the pre-determined output. It's still a good tool but you have to
> understand what it's telling you to figure out if in fact there is a
> problem to be addressed.
>
> As always with security, there is no silver bullet.
>
> Justin

Or you could use nipper

http://sourceforge.net/projects/nipper
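The RAT false positive Justin describes (a VTY line with no password being fine because AAA authenticates it) is exactly the kind of context a config checker has to carry. As an added illustration for this thread, not RAT's or nipper's code, here is a small Python auditor that reads an IOS-style configuration, checks a handful of global hardening commands, and only complains about a VTY line when neither a line password, login local, nor an AAA login list covers it. The two configurations are constructed, the command list is a small subset rather than a benchmark, and whether a default shows up in the running config depends on the IOS image, so a "not set" finding means "not explicitly set" and nothing more:

```python
"""Minimal Cisco IOS config auditor in the spirit of RAT and nipper.
Added example for this thread, not RAT's or nipper's code; the configs
below are constructed and the command list is a small subset, not a benchmark."""
from dataclasses import dataclass

# Global commands expected verbatim in the running config.  Whether an IOS
# default appears in "show run" depends on the image, so "not set" means
# "not explicitly set" and nothing more.
EXPECTED_GLOBALS = (
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip source-route",
    "no ip http server",
    "no cdp run",
    "service password-encryption",
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def parse_sections(config):
    """Split an IOS config into top-level lines and their indented bodies.
    IOS nests sub-commands by one leading space and separates blocks with '!'.
    Returns (top_level_lines, {header_line: [sub_commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
            top.append(line)
    return top, sections


def audit_config(config):
    """Return a list of Finding for one IOS configuration text."""
    top, sections = parse_sections(config)
    present = set(top)
    findings = []
    for cmd in EXPECTED_GLOBALS:
        if cmd not in present:
            findings.append(Finding("medium", f"not set: {cmd}"))
    if any(ln.startswith("enable password") for ln in top) and not any(
            ln.startswith("enable secret") for ln in top):
        findings.append(Finding("high", "enable password used without enable secret"))
    # VTY authentication.  A checker that only looks for "password" under the
    # line produces the false positive Justin describes: with "aaa new-model"
    # and a login list the line needs no password at all.
    aaa = "aaa new-model" in present
    default_list = any(ln.startswith("aaa authentication login default") for ln in top)
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        line_password = any(ln.startswith("password ") for ln in body)
        login_local = "login local" in body
        named_list = any(ln.startswith("login authentication ") for ln in body)
        if not (line_password or login_local or (aaa and (default_list or named_list))):
            findings.append(Finding("high", f"{header}: no authentication configured"))
        transport = [ln for ln in body if ln.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(Finding("low", f"{header}: transport input is not ssh-only"))
    return findings


AAA_CONFIG = """\
! constructed sample, not a real device
service password-encryption
no service tcp-small-servers
no service udp-small-servers
aaa new-model
aaa authentication login default group tacacs+ local
username admin secret 0 Lab-Only-Password
enable secret 0 Lab-Only-Enable
no ip source-route
no cdp run
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
no ip http server
!
line vty 0 4
 transport input ssh
!
"""

WEAK_CONFIG = """\
! constructed sample, not a real device
enable password Lab-Only-Enable
!
line vty 0 4
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("AAA_CONFIG", AAA_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(name)
        for f in audit_config(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run against the first config the auditor is silent, because the AAA default list covers the VTY line; against the second it reports the missing global commands, the cleartext enable password, the unauthenticated VTY line and the telnet transport. The point is the same one Justin makes: the tool is only as good as the context you teach it, and every finding still needs a human who knows what the command does on that platform.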
Re: [c-nsp] L3VPN VPNv4 NLRI - Route Reflector Scaling
On Monday 24 March 2008, Mark Tinka wrote:
> Beyond that is what we are thinking about. We might be able to live with
> additional routing information at the PE routers initially, but it would
> be an area of concern at scale.

Perhaps to add, the implementation of RFC 4684 (Route Target Constraints)
in IOS would be the ultimate solution. From what I can see, IOS currently
does not support this feature.

Is there any chance it would be supported in the near future?

Cheers,

Mark.
Re: [c-nsp] External Firewall
What are you talking about then?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Fred Reimer
Sent: Monday, March 24, 2008 5:03 PM
To: Niels Bakker; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] External Firewall

I'm not talking about the ASR...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niels Bakker
Sent: Monday, March 24, 2008 5:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] External Firewall

* [EMAIL PROTECTED] (Fred Reimer) [Mon 24 Mar 2008, 22:28 CET]:
> Don't be giving out any NDA materials now...

The ASR and its featureset have been announced and thus are public
knowledge.

-- Niels.

--
Re: [c-nsp] L3 to access layer
On Mon, Mar 24, 2008, Mike Johnson wrote:
> This thread has gone a little off course, I am really interested in L3
> to the access. In addition, are there any reasons for not doing it or
> good reasons to do it?

Probably because edge to us can mean lots of different things.

current Cisco and Juniper CAN designs tend to recommend L2 to the access.
Dial is L3, DSL is L3 (sort of, sometimes!); hosting may be L2 but it may
be private VLAN/subif type L2 which is L3 + proxy ARP to pretend to be L2.

More information, perhaps?

Adrian