Re: [c-nsp] Serious Bug in Cisco's 6500 & 6800 Platforms

2024-04-09 Thread Gert Doering via cisco-nsp
hi,

On Tue, Apr 09, 2024 at 03:20:15PM +0200, Mark Tinka via cisco-nsp wrote:
> https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dos-Hq4d3tZG

I'm so glad our single box with SUP-2T was retired many years ago...

(We still do have one (1) Sup720-10G 6500 running, but that is being
migrated away from right now)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Dec 06, 2023 at 09:00:58AM +, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp 
>  wrote:
> 
> > deny ipv4 any any fragments
> 
> This approach is generally contraindicated, as it tends to break EDNS0, & 
> DNSSEC along with it.

I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
works just fine to avoid fragments...

http://www.dnsflagday.net/2020/

... but of course you are right that unconditionally dropping all fragments
is not a recommended approach unless acutely under attack.

What we do here is exactly what you recommend - rate-limit fragments to
some 200Mbit/s per network ingress, which is ~50x the normal peak rate
of fragments seen, and closely monitor drop counts.

gert


Re: [c-nsp] ACL to block udp/0?

2023-12-05 Thread Gert Doering via cisco-nsp
Hi,

On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange.  We run IOS-XR 7.5.2 on ASR9K platform.
> 
> Had a user under udp/0 attack.  Tried to block it via standard ACL:
> 
> 
> ipv4 access-list block-zero
>  20 deny udp any any eq 0
>  30 deny tcp any any eq 0
>  40 permit ipv4 any any

D'Wayne Saunders already pointed at this most likely being fragments -
large packet reflections, and all non-initial fragments being reported by
IOS* as "port 0" (so you should see 1500 byte regular UDP as well, with
a non-0 port number)

IOS XR syntax for fragment blocking is
 
  deny ipv4 any any fragments

gert
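The reason the port-0 entries do not catch the attack traffic is that a non-initial fragment carries no UDP header at all, so there is no port for `eq 0` to compare against; only the `fragments` keyword matches such packets. The following is an added example (not code from the post or from Cisco) that builds two constructed IPv4 fragments, shows what a forwarding engine can actually see in each, and runs both through a simplified first-match model of the two ACLs discussed. The model's handling of port entries and of the `fragments` keyword is an assumption based on Cisco's documented behaviour, not an emulation of IOS XR.

```python
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
PROTO_NUM = {"ipv4": None, "tcp": IP_PROTO_TCP, "udp": IP_PROTO_UDP}


def build_ipv4(payload: bytes, frag_offset_units: int, more_fragments: bool,
               src: str = "192.0.2.1", dst: str = "198.51.100.7",
               proto: int = IP_PROTO_UDP) -> bytes:
    """Prepend a 20-byte IPv4 header (no options, checksum left 0) to payload.
    frag_offset_units is the fragment offset in 8-byte units, as on the wire."""
    flags_off = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload),
                         0x1234, flags_off, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> dict:
    """What a forwarding/ACL engine can see: protocol, fragment offset, and
    the ports only when the transport header is actually present."""
    ver_ihl, _, _, _, flags_off, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_off & 0x1FFF
    info = {"proto": proto, "offset": offset,
            "more_fragments": bool(flags_off & (1 << 13)),
            "non_initial_fragment": offset != 0}
    if offset == 0 and proto in (IP_PROTO_UDP, IP_PROTO_TCP) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        # Non-initial fragment: no L4 header, which is why a flow record shows port 0.
        info["sport"], info["dport"] = 0, 0
    return info


def evaluate_acl(packet: bytes, acl: list) -> str:
    """First-match ACL evaluation. Assumption: a simplified model of Cisco's
    documented fragment handling -- an entry that names a port cannot match a
    packet without an L4 header, and an entry carrying the `fragments`
    keyword matches only non-initial fragments. Implicit deny at the end."""
    info = classify(packet)
    for entry in acl:
        wanted = PROTO_NUM[entry["proto"]]
        if wanted is not None and wanted != info["proto"]:
            continue
        if entry.get("fragments") and not info["non_initial_fragment"]:
            continue
        if "dport" in entry:
            if info["non_initial_fragment"]:
                continue  # nothing to compare the port against
            if info["dport"] != entry["dport"]:
                continue
        return entry["action"]
    return "deny"


# The ACL from Hank's post, and the same ACL with the fragment entry Gert suggests.
ACL_BLOCK_ZERO = [
    {"action": "deny", "proto": "udp", "dport": 0},
    {"action": "deny", "proto": "tcp", "dport": 0},
    {"action": "permit", "proto": "ipv4"},
]
ACL_WITH_FRAGMENTS = [{"action": "deny", "proto": "ipv4", "fragments": True}] + ACL_BLOCK_ZERO

# Constructed sample packets (not captured traffic): the first fragment of a
# large UDP reply carries the UDP header; the second fragment carries only data.
INITIAL_FRAGMENT = build_ipv4(build_udp(53, 40000, b"A" * 1472), 0, True)
NON_INITIAL_FRAGMENT = build_ipv4(b"B" * 200, 185, False)  # offset 185*8 = 1480 bytes


def verdicts() -> dict:
    """Verdict of each ACL for each sample packet."""
    return {
        "initial/block-zero": evaluate_acl(INITIAL_FRAGMENT, ACL_BLOCK_ZERO),
        "non-initial/block-zero": evaluate_acl(NON_INITIAL_FRAGMENT, ACL_BLOCK_ZERO),
        "initial/with-fragments": evaluate_acl(INITIAL_FRAGMENT, ACL_WITH_FRAGMENTS),
        "non-initial/with-fragments": evaluate_acl(NON_INITIAL_FRAGMENT, ACL_WITH_FRAGMENTS),
    }


if __name__ == "__main__":
    for name, pkt in (("initial", INITIAL_FRAGMENT), ("non-initial", NON_INITIAL_FRAGMENT)):
        print(name, classify(pkt))
    print(verdicts())
```

Under the port-based list the non-initial fragment falls through to the final `permit`, which is the behaviour Hank observed; the `fragments` entry catches it while leaving the initial fragment, which still carries its ports, to the port-based entries.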


Re: [c-nsp] Netflow vs SNMP

2023-10-02 Thread Gert Doering via cisco-nsp
Hi,

On Mon, Oct 02, 2023 at 09:13:55AM +0300, Hank Nussbacher via cisco-nsp wrote:
> When comparing traffic stats with SNMP, Netflow stats always appear too low
> (see attachment).
> 
> Opened a TAC case and their recommendation is to do 1:1 and I quote:
> 
> "Irrespective of the rate at which the NP punts the records to CPU, exporter
> picks up a maximum of 2000 records at a time from the cache that are
> eligible for export (timers, network/TCP session events, etc). This is
> basically to avoid NetIO dropping the packets due to lack of b/w. When the
> exporter wakes up again, it repeats the same."

I fail to see why it would make sense to increase the number of flow
exports if their reasoning is "$machinery is busy, so, flow exports are
exported slowly"...

I do like 1:1 netflow, but the ASR9k (at least the linecards we have)
are not suitable to do that, alas - flow cache does not go high enough,
and NPU PPS is limited.

We currently do 1:10, which mostly works OK for our load, but we still
see a few

LC/0/0/CPU0:Oct  2 08:14:24.825 MEDST: nfsvr[280]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 100 for monitor v4mon has been exceeded

every day...  (from what I understand, there should be enough LC memory
to go higher with that cache, but it cannot be configured).

gert


Re: [c-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-27 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Sep 27, 2023 at 08:48:44AM +0800, Barry Greene via cisco-nsp wrote:
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP 
> peering Sessions?

Not me.  Not sure if my vendors do support it (IOS XR and Arista EOS),
but I do not see significant benefit.

TBH, most of our (non-multihop) eBGP sessions do not even deploy MD5, as
the whole password management thing adds another source of operational
friction.

gert


Re: [c-nsp] "next-table" Equivalent for IOS XR - Default Route into Global Routing Table

2023-08-29 Thread Gert Doering via cisco-nsp
Hi,

On Tue, Aug 29, 2023 at 02:28:53PM +0200, Mark Tinka via cisco-nsp wrote:
> So yes, our default routes point to Null0. I changed that to something
> useful and it still didn't work. It's almost as if the traffic exiting the
> VRF toward the global table wanted to follow a label switched path, and not
> an IP-based path. Not sure whether "label mode per-vrf" would have helped to
> obfuscate the fact that the global table default routes pointed to Null0,
> but it's too late to test now. The box has been swapped out.

My guess after staring long and hard at IOS XR and VRF leaking is that
the CEF structures are getting in the way here - on ingress forward lookup,
as far as I understand, the system expects to find complete egress
information, as in "output line card, output interface, encapsulation,
destination MAC".

When you create a route to another VRF "with an egress interface", this
information can then be populated properly.  Asking for "go to the other
VRF and do a routing table lookup over there" needs packet recirculation,
and (again, guessing from how I understand the architecture) this is just
not possible.

... unless you add a loop cable somewhere.

... maybe they could have made a virtual loop cable (LT-), but maybe not...


So, yes, I would be interested what exactly happens inside the box, and
why it does not work / how hard it would be with existing ASR9k NPUs to
make it work (technically) but I expect there will be no answer on this.

gert



Re: [c-nsp] BGP Routes

2023-03-12 Thread Gert Doering via cisco-nsp
Hi,

On Sun, Mar 12, 2023 at 08:51:36PM +0200, Saku Ytti via cisco-nsp wrote:
> You might want add-path or best-external for predictability and
> improved convergence time.

Last time we did best-external with ASR9k it only worked in a useful
way if you are using labeled-unicast.  That was many years ago, so
it might have been fixed, but "test and expect surprises".

In our case, the effect was that the local router that exported
best-external to its peers was also installing the best-external
path into its local FIB, as a load-shared path(!).

So we had packets come in from uplink, the "good" path was "send
internal over our network", but half the packets got balanced 
via the "best-external" path.  Interesting issues ensued.

To me this never made sense but TAC claimed "this is the way it is,
we're not considering this a bug, use labeled-unicast, then it will
work fine".  As we didn't use LU, I could not verify this.

gert


Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)

2023-02-28 Thread Gert Doering via cisco-nsp
Hi,

On Tue, Feb 28, 2023 at 08:33:47AM -0800, William McCall via cisco-nsp wrote:
> My long-term solution to this problem is to install with iPXE. That lets
> you do it via HTTP and without all the nonsense :)

This sounds like a fairly long downtime to do upgrades... not exactly
what I want either.

gert


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-26 Thread Gert Doering via cisco-nsp
Hi,

On Sun, Feb 26, 2023 at 08:21:01PM +, Phil Bedard wrote:
> The newer software is packaged that way already, if you don't need SMUs.  If 
> you want to customize it with SMUs and whatnot it takes a few minutes, 
> depends on your processor and storage speed of course.

The question was not so much "how long does it create the iso" but
"how long will the platform take to do 'install replace myiso.iso'",
given the abysmal filesystem performance of IOS XR.

While I generally really like XR more than XE, the "copy one image
to flash, and then reload, pointing to that image" is just much
more convenient than "have the box extract the image into a full
filesystem, waiting for that to succeed, eternities later".

(The latter is also something JunOS on EX switches really *cough*
excels at, mounting flash read-write that should be read-only, and
destroying filesystems on power-outage reloads...)

gert


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-26 Thread Gert Doering via cisco-nsp
Hi,

On Sun, Feb 26, 2023 at 02:29:13PM +, Phil Bedard wrote:
> XR for a number of years now has had the concept of a "golden ISO".  It's a 
> single image either built by Cisco or customers can build their own that 
> include the base software and the SMUs in a single image.  You just issue a 
> single "install replace myiso.iso" and that's it.

And that takes how many hours to complete?

(But yes, that sounds like progress has been made in XR64 land)

gert


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-24 Thread Gert Doering via cisco-nsp
Hi,

On Fri, Feb 24, 2023 at 05:00:52AM +0200, Mark Tinka via cisco-nsp wrote:
> For IOS XR, it's just too heavy for that sort of thing. Okay in the data 
> centre where we are aggregating a ton of customers and/or Metro-E rings, 
> but not out in the Metro. The Metro calls for a more agile OS. There are 
> simply way too many devices to be dealing with the issue you mention, 
> updating SMU's, rebooting, etc., just to get a functionality and/or a 
> bug fix from IOS XR.

I really do like XR, but the update hassles...  so having an "image based"
XR ("scp $new_xr.bin router:", "boot system flash $new_xr.bin", "reload")
would have been really nice.

Now, SMUs and "restart only the affected service" is a great promise, but
in all our time with the ASR9001, all we've seen is "reboot required"
or "the SMU is not compatible with using service packs".  So, "just upload
a new image, and then reload" would have had the same effect, with less
arguing with the box.

Not sure XR64 is better in that regard, no experience - we lost trust in
Cisco before the question of "successor to the 9001?  something with XR64?"
arose.

gert


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-23 Thread Gert Doering via cisco-nsp
Hi,

On Thu, Feb 23, 2023 at 09:40:26AM +0200, Mark Tinka via cisco-nsp wrote:
> The issue they face is Ethernet-centric platforms are much more 
> optimized for today's Internet, and platforms like the ASR1000 simply 
> don't make sense anymore. Why pay all that to get some Ethernet on an 
> ASR1000 when an MX240 or an ASR9000 is around?

Basically they have "fixed" that by making the ASR9901/9902/9903 even
more expensive.

gert


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-22 Thread Gert Doering via cisco-nsp
hi,

On Wed, Feb 22, 2023 at 06:29:00PM +, Eric Louie via cisco-nsp wrote:
> We tried an NCS-5501 and it was a disaster, in a word.  The 10G interface, 
> uRPF, source-based blackholing, and routing table depth with Cisco is a 
> limiting factor in their product line.

Do not forget the licensing... "extra added value", and the bazaar style
price negotiations.

gert


Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll never use it?

2023-01-04 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Jan 04, 2023 at 03:45:51PM +, Drew Weaver via cisco-nsp wrote:
> I'm trying to put together an order for some Cisco switches. 

Cisco licensing shit has made us decide that we're just not going to
buy any new Cisco products.  Period.

Yes, these really look nice, and the base price is quite attractive
(guess why)...

gert


Re: [c-nsp] NTP network design considerations

2022-10-14 Thread Gert Doering via cisco-nsp
Hi,

On Fri, Oct 14, 2022 at 03:07:47PM -0400, Aaron wrote:
> You can setup a raspberry pi as a server and do GPS. Not sure on the
> scalability (how many devices it can handle) of that but it does work.

For a true time geek, the time the rPIs provide is just not good
enough (fluctuates +/- 20 usec if the rPI has work to do and gets
warm) :-)

  http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

... but for "I want my own Stratum 1 device and it should not cost
a fortune" it's definitely good enough...  (I have one with a DCF77
antenna lying around somewhere here, for my network @ home)

gert



Re: [c-nsp] NTP network design considerations

2022-10-14 Thread Gert Doering via cisco-nsp
Hi,

On Fri, Oct 14, 2022 at 02:41:45PM -0400, harbor235 wrote:
> I hear what you're saying but NTP is an active attack vector, I don't trust
> outside resources implicitly and traffic segmentation is a prudent measure
> especially if you are getting internet time. Now if you have your own
> stratum1 then I understand your point more.

The Meinberg boxes have GPS receivers, so they provide Stratum 1 directly.

The FreeBSD boxes run standard NTP time, and sync to a variety of 
official sources (like ntp.se) that are hard to manipulate all at
the same time.

Now what I'd really like is to use one of those...

https://www.oscilloquartz.com/de-de/products-and-services/ptp-grandmaster-clocks/sfp-pluggable-ptp-grandmasters/osa-5401-series

... plug it directly into one of our Aristas, *and* have the router 
use the PTP time source to feed its own NTP service, as stratum 1...

"Less boxes"

gert


Re: [c-nsp] NTP network design considerations

2022-10-14 Thread Gert Doering via cisco-nsp
Hi,

On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> How are you integrating NTP into your infrastructures? Is it part of your
> management network(s)?

NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
are just sitting "on the Internet" and our machines sync to them, and
monitor their relative times (= so if one is misbehaving, NTP will 
do the right thing on its own, and monitoring will tell us so we can
fix it).

The machines protect themselves by local iptables rules for SSH/https,
and in-band by NTP access rules ("serve time to everyone, serve larger
responses only to management systems, do not believe anyone").

I've never understood this obsession on filtering things that are intended
to be put out in the wild.

gert



Re: [c-nsp] How to disable ILMI/SNMP CSCvs33325

2022-09-21 Thread Gert Doering via cisco-nsp
Hi,

so, more on this...

- on ASR9k, SNMPv3 is subject to regular control plane ACLs, so
  unless a SNMPv3 sender shows up in

control-plane
 management-plane
  inband
   interface all
allow all peer
 address ipv4 1.2.3.4/32
!
allow SNMP peer
 address ipv4 3.4.5.6/32

  the ASR9k will not reply (I assume that's generic IOS XR).  Good.

- on IOS XE, I found something that "seems to do the right thing", as
  in, block all SNMPv3 packets, including discovery, while still permitting
  SNMPv2

asr920(config)#access-list 99 deny any log
asr920(config)#snmp-server drop report  access 99 
asr920(config)#do term mon
asr920(config)#
Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet 
Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet 
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets 
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets 

  (these are the two test hosts that could do SNMP v3 discovery before)

  - since we're not using SNMPv3 anywhere, that is good enough for us.

  This is on IOS XE 16.06.10.

  Older IOS XE and IOS versions have "snmp-server drop unknown-user", but
  that still permits discovery.


So maybe the "snmp-server drop report" will at least help Hank... :-)

gert

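With `access-list 99 deny any log` behind `snmp-server drop report`, the %SEC-6-IPACCESSLOGS lines above become a running inventory of which hosts are still attempting SNMPv3 engine discovery against the box. The following is an added example, not code from the post: it parses those log lines (copied from the message above, plus one unrelated syslog line to show that other messages are ignored) and totals the denied packets per source, so the log can be turned into a monitoring check. The threshold in `sources_over` is an assumed operator value.

```python
import re
from collections import defaultdict

# Constructed sample: the lines shown in the post, plus an unrelated message.
# IOS access-list logging summarises repeated hits per source, hence "5 packets".
SAMPLE_LOG = """\
Sep 21 12:25:07: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 1 packet
Sep 21 12:25:11: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 1 packet
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.27.20 5 packets
Sep 21 12:31:03: %SEC-6-IPACCESSLOGS: list 99 denied 1.1.0.18 5 packets
Sep 21 12:31:05: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGS: "
    r"list (?P<acl>\S+) denied (?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?$"
)


def parse_acl_log(text: str) -> list:
    """One dict per %SEC-6-IPACCESSLOGS line; every other message is skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hits.append({"ts": m["ts"], "acl": m["acl"],
                         "src": m["src"], "count": int(m["count"])})
    return hits


def denied_per_source(text: str, acl: str = "99") -> dict:
    """Total denied packets per source address for the given access list."""
    totals = defaultdict(int)
    for hit in parse_acl_log(text):
        if hit["acl"] == acl:
            totals[hit["src"]] += hit["count"]
    return dict(totals)


def sources_over(text: str, threshold: int, acl: str = "99") -> list:
    """Sources whose denied-packet total exceeds threshold, busiest first.
    The threshold is an assumed operator setting, not a value from the post."""
    totals = denied_per_source(text, acl)
    return sorted((s for s, n in totals.items() if n > threshold),
                  key=lambda s: -totals[s])


if __name__ == "__main__":
    for src, total in denied_per_source(SAMPLE_LOG).items():
        print(f"{src:16} {total} packets denied")
    print("over threshold:", sources_over(SAMPLE_LOG, 5))
```

Because the list is named per line, the same parser serves more than one logged ACL; pass the list number to `denied_per_source` to separate the SNMP drop list from other logging ACLs on the same box.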


Re: [c-nsp] How to disable ILMI/SNMP CSCvs33325

2022-09-21 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Sep 21, 2022 at 08:14:30AM +0300, Hank Nussbacher wrote:
> Indeed the SNMP leaks appear to be exactly CSCtw74132 which we did not 
> know about nor did Cisco TAC :-(

The more I dive into this, the more I want to return to my bed and
pull the blanket over my head...

So, the Cisco bug ID claims "this has been fixed in some versions",
but none of those are "ASR920 IOS trains" (except 03.9(00)E, which
is sort of weird).

The bug also claims "CVE ID CVE-2012-5719 has been assigned", but 
MITRE says "** RESERVED ** This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem", so it got never published...


That said, I then went to test our Junipers and Aristas, and they
all do the same silly shit - no SNMPv3 configured, strict ACLs for
all configured SNMP communities, and *still* SNMP engine discovery
works from arbitrary sources out there.  On the switches it's not
that annoying (management interface is in a well-isolated network
segment) but on the routers, customer-facing IPs are reachable
"from the world".

Sounds like a nice reflection attack in the coming...

*grumble*

gert


Re: [c-nsp] How to disable ILMI/SNMP CSCvs33325

2022-09-19 Thread Gert Doering via cisco-nsp
Hi,

On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
> On 19/09/2022 15:40, Gert Doering wrote:
> > On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp 
> > wrote:
> >> Recently Shodan has been showing how it probes all our IOS-XE routers
> >> via SNMP even though we have an ACL on all our SNMP.  We then found that
> >> there is a bugid on the issue (ILMI can't be blocked by ACL):
> >> CSCvs33325
> > 
> > Is that still a thing?  Insane.
> Indeed.

Just for reference, here's the 2001 bug.  With full PSIRT "get free
software upgrade" parts...

https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html

[..]
> > That said, I tried to reproduce it on our boxes, and neither the ASR920
> > nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
> > "ILMI", with nothing in the config to block it (same source host can
> > query with one of the configured SNMP communities).  This is on IOS XE
> > 16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.
> 
> It is V3.  Here is a Shodan snippet from one of dozens of alerts we get 
> per day:

Good to know.  Looking at shodan, I see that both types of devices here
are listed as well (ewww!).

So, need to figure out what the magic -v3 incantation of snmpget is
to make this work... (every time I tried v3 so far has led to 
"more grey hair").

thanks for the heads up

gert




Re: [c-nsp] How to disable ILMI/SNMP CSCvs33325

2022-09-19 Thread Gert Doering via cisco-nsp
Hi,

On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
> Recently Shodan has been showing how it probes all our IOS-XE routers 
> via SNMP even though we have an ACL on all our SNMP.  We then found that 
> there is a bugid on the issue (ILMI can't be blocked by ACL):
> CSCvs33325

Is that still a thing?  Insane.

It used to be an issue on IOS 15+ years ago...  (on IOS, the issue was 
"ILMI is a predefined community which cannot be deleted" - but you
*could* expose it, make it explicit, and then put an ACL on it).


That bug is amazing anyway.  My suggestion would have been "escalate via
PSIRT", but the bug says "The Cisco PSIRT has evaluated this issue and 
determined it does not meet the criteria for PSIRT ownership or involvement.
This issue will be addressed via normal resolution channels."

WAT?!


That said, I tried to reproduce it on our boxes, and neither the ASR920
nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
"ILMI", with nothing in the config to block it (same source host can
query with one of the configured SNMP communities).  This is on IOS XE
16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.

gert


Re: [c-nsp] storm-control errdisable with no traffic or vlan

2022-08-04 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Aug 03, 2022 at 07:05:59PM -0400, Joe Maimon via cisco-nsp wrote:
> Even with switchport mode trunk and switchport allowed vlan none, with 
> input counters in single digits, storm control immediately takes the 
> port down after link up. There was negligible traffic on the link before 
> or after the attempt.
> 
> Vendor's best idea is to turn off storm control, which I am only going 
> to do with an isolated switch on site, anyone seen anything like this or 
> have any other ideas?

Make the port a routed port (= ingress packets go nowhere), set up
a SPAN session, find out what sort of packets are coming in (broadcast,
multicast, unknown-unicast) and how many of them.  Adjust limits,
as ytti said.

While I agree to "have storm-control anywhere" - if this is intended
to be a routed link, limits can be fairly high (the only reason why
you want storm-control is to protect the 4900M's CPU, not anything
else in the network).

OTOH, a 4900M?  really?

gert

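The diagnosis Gert suggests (SPAN the port, count what arrives by class, then set the limits accordingly) is easy to script against a capture. The following is an added example, not code from the post or from the vendor: it classifies constructed Ethernet frames by destination MAC into broadcast, multicast, known unicast and unknown unicast, computes the per-class packet rate over a window, and reports which classes would exceed a set of storm-control thresholds. The MAC addresses, the one-second window and the pps limits are all constructed for the example.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text: str) -> bytes:
    """'01:80:c2:00:00:0e' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Minimal untagged Ethernet frame (constructed, no FCS)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload


def classify_frame(frame: bytes, known_unicast: set) -> str:
    """Class a switch would count this frame under for storm control."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group address
        return "multicast"
    if dst in known_unicast:
        return "known-unicast"   # forwarded to one port, not flooded
    return "unknown-unicast"     # flooded like broadcast, and rate-limited as such


def rates_per_class(frames, known_unicast: set, window_seconds: float) -> dict:
    """Packets per second seen in each class over the capture window."""
    counts = Counter(classify_frame(f, known_unicast) for f in frames)
    return {cls: n / window_seconds for cls, n in counts.items()}


def classes_exceeding(rates: dict, limits_pps: dict) -> list:
    """Classes whose observed rate is above the configured pps threshold."""
    return sorted(cls for cls, r in rates.items()
                  if cls in limits_pps and r > limits_pps[cls])


# Constructed one-second capture from a SPAN session on a routed link:
# ARP broadcasts, an LLDP and an OSPF multicast, one unknown unicast, and
# four frames to the router's own MAC (the only address it knows).
ROUTER_MAC = "00:11:22:33:44:55"
KNOWN_MACS = {mac(ROUTER_MAC)}
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806),
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:02", 0x0806),
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:03", 0x0806),
    build_frame("01:80:c2:00:00:0e", "00:aa:bb:cc:dd:01", 0x88cc),
    build_frame("01:00:5e:00:00:05", "00:aa:bb:cc:dd:04"),
    build_frame("00:de:ad:be:ef:00", "00:aa:bb:cc:dd:05"),
] + [build_frame(ROUTER_MAC, "00:aa:bb:cc:dd:06") for _ in range(4)]
WINDOW_SECONDS = 1.0

# Assumed storm-control thresholds in packets per second (constructed values).
LIMITS_PPS = {"broadcast": 2, "multicast": 2, "unknown-unicast": 2}


def analyze() -> tuple:
    """Per-class rates for the sample capture and the classes over the limits."""
    rates = rates_per_class(SAMPLE_FRAMES, KNOWN_MACS, WINDOW_SECONDS)
    return rates, classes_exceeding(rates, LIMITS_PPS)


if __name__ == "__main__":
    rates, over = analyze()
    for cls, pps in sorted(rates.items()):
        print(f"{cls:16} {pps:6.1f} pps")
    print("would trip storm-control:", over)
```

Known unicast is never subject to the thresholds, which is why a routed link can carry a high unicast rate with tight storm-control limits; the classes to tune are the three that a switch floods.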