Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About jradke
Stats
Member since
06-05-2006
44
Posts
10
Helpful
0
Solutions
01-18-2019
08:42 AM
So the solution is to place an additional ACL to block SNMP on each port exposed to the Internet to make the SNMP ACL work properly? That isn't sound engineering and I hope that's not Cisco's answer. FYI: I use the OOBM interface for management, syslog, ntp, and SNMP. Unfortunately, Cisco does not export Netflow out the OOBM interface and my netflow analyzer expects to gather SNMP data from the IP that it is receiving netflow from. Regardless, SNMP is still running on the box and not exclusively on the OOBM interface and the ACL should NOT ALLOW connections rather than shut them down AFTER they have connected.
... View more
01-17-2019
02:27 PM
I need to make sure that our Nexus switches are hardened on the Internet and I'm really bothered that the ACL for SNMP works but leaves the port open. The ACL works in that if I attempt this from a host not allowed in the ACL, the Nexus will not accept the credentials and reset the connection. However, having the port open is an exploitable condition on any system. Because the Nexus is listening on this port, disregarding the ACL in this fashion, it could be exploited by overwhelming the system with too many connection attempts. There are two ways to see that the port is open and the system is responding to the socket:
1. Nmap shows that it is open which means botnets scanning the Internet will find this port open when it shouldn't be.
2. If I telnet to any of the public interface IP's on port 161 I get a prompt. If I sniff the tcp/telnet session I get a syn, syn/ack, ack from the Nexus proving the port is open and responding from an invalid hosts attempting to reach the Nexus on the SNMP port.
What I'd expect is that a SNMP tcp syn is received on any public interface and the Nexus should not respond if it is not a valid IP source in the ACL. Instead, the Nexus is entertaining the prospect of the tcp conversation on the snmp port by responding on the port.
How can I fix this problem to adequately harden this system from SNMP requests attempts?
Setup:
Nexus 9318 running 9.2.1
Simple config:
snmp-server community password1111 group network-operator snmp-server community password1111 use-ipv4acl SNMP
IP access list SNMP 10 permit udp 10.x.x.0/24 any eq snmp log 20 permit udp 10.y.x.0/24 any eq snmp log 30 deny ip any any log
... View more
Labels:
12-17-2013
04:18 PM
Success! Using this extended list to specify the multicast works as needed: access-list 104 permit udp any 224.0.0.0 15.255.255.255 different from the ACL I found in a posting earlier which doesn't work: access-list 81 permit 224.0.0.0 15.255.255.255
... View more
12-17-2013
04:08 PM
I found that matching on the destination port number works as well: access-list 104 permit udp any any eq 8208 sho policy-map int g3/9 input GigabitEthernet3/9 Service-policy input: MARK_INBOUND_IPTV class-map: IPTV (match-all) Match: access-group 104 set dscp 32: Earl in slot 5 : 64144752 bytes 30 second offered rate 3980472 bps aggregate-forwarded 64144752 bytes Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: any 0 packets, 0 bytes 30 second rate 0 bps I'd really like to match on all multicast though. The destination IP or MAC makes the most sense but they fail.
... View more
12-17-2013
03:49 PM
Question Summary: How do I set the p-bit (COS value) for multicast traffic ingressing on an interface? Additional details: Although I have had success matching all IP traffic ingressing from the encoder/streamer (multicast source) I want to match only multicast traffic. I see no obvious reason why my attempts with ACL's for multicast are failing to match. Help! I verified failing or work by output of policy-map information, wireshark from port mirror, and remote client receiving the multicast. Traffic Type (Multicast): Source IP: 10.0.0.1 Source Port: 1025 Destination IP: 239.100.0.5 Destination Port: 8208 Destination MAC: 01:00:5e:64:00:05 Here is my configuration: class-map IPTV match access-group <ATTEMPT X> policy-map MARK_INBOUND_IPTV class IPTV set dscp cs4 interface GigabitEthernet3/9 service-policy input MARK_INBOUND_IPTV Individually attempted the following ACL's for the match statement<ATTEMPT X>: FAIL: access-list 81 permit 224.0.0.0 15.255.255.255 access-list 4 permit 239.100.0.5 access-list 700 permit 0100.5e13.05b8 0000.00ff.ffff access-list 700 permit 0100.5e00.0000 0000.00ff.ffff SUCCESS: (inadequate because it is all IP traffic not just multicast) access-list 7 permit any Command output from Fails: sho policy-map int g3/9 detailed GigabitEthernet3/9 Service-policy input: MARK_INBOUND_IPTV class-map: IPTV (match-all) Match: access-group 4 set dscp 32: Earl in slot 5 : Traffic: Total bytes 30-s bytes peak bytes 5-min avg bps peak bps ----------------------------------------------------------------------------------------------------------- Offered 0 0 0 0 0 Agg-fwd 0 0 0 0 0 Exceed 0 0 0 0 0 Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: any 0 packets, 0 bytes 30 second rate 0 bps sho policy-map int g3/9 input GigabitEthernet3/9 Service-policy input: MARK_INBOUND_IPTV class-map: IPTV (match-all) Match: access-group 4 set dscp 32: Earl in slot 5 : 0 bytes 30 second offered rate 0 bps aggregate-forwarded 0 bytes Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: any 0 packets, 0 bytes 30 second rate 0 bps
... View more
Labels:
02-17-2012
08:56 AM
Quick follow-up on my old post. Not seeing the tags was a span bug. The simple fix is to choose a higher session number. For instance I tried the same source/destination ports but as session 3 and it works. This was determined through a TAC case.
... View more
02-16-2012
12:50 PM
Problem: My traffic coming inbound appears to be marked but is not marked when egressing. Setup: Ingress from encoder G3/9->> Egress G8/1 Default DSCP/COS map table (DSCP 24 is COS3) Cos-dscp map: cos: 0 1 2 3 4 5 6 7 ------------------------------------ dscp: 0 8 16 24 32 40 48 56 1. Any reason COS 3 is not marked outbound on this traffic? I'm determining this by doing a wireshark off of interface g8/1. The traffic appears to be marked on the ingress correctly but does not maintain its mark on the egress. I can confirm this with equipment on other Ethernet links in produciton as well as my test port listed in the config below with wireshark. FYI: Unfortunately with my cards in the 6509 I cannot port mirror and see outbound multicast (determined through a TAC case). Because the STB does not understand tagged traffic I setup the native vlan for it to function. To see the multicast with tags I temporarily remove the native command and do the wireshark to see the multicast. It still shows a COS setting of 0. I will try to attach a capture of a multicast packet. interface GigabitEthernet3/9 description Mulicast Encoder switchport switchport access vlan 962 switchport mode access logging event link-status load-interval 30 service-policy input MARK_IP_PREC_3 ! PhatCat#sho policy-map int g3/9 GigabitEthernet3/9 Service-policy input: MARK_IP_PREC_3 class-map: ALL_TRAFFIC (match-all) Match: access-group 47 set dscp 24: Earl in slot 6 : 3268388676 bytes 30 second offered rate 4074264 bps aggregate-forwarded 3268388676 bytes Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: any 0 packets, 0 bytes 30 second rate 0 bps 2. I've continued to try and mark on the egress but have problems with the configuration. I'm ingressing on g3/9 and egressing on 8/1 for my test. Egress Attempt 1: PhatCat(config)#int g8/1 PhatCat(config-if)#service-policy output MARK_OUTBOUND_VIDEO MQC features are not supported in output direction for this interface Egress Attempt 2: PhatCat(config)#int vlan 781 PhatCat(config-if)#service-policy output MARK_OUTBOUND_VIDEO set cos cannot be configured on output direction for this interface Configuration failed! %'set cos cos-inner' for 'class OUT_VIDEO' on Vlan781 is not supported ('set cos cos-inner' is only supported on a class with 'match vlan' or on 'class class-default') Configuration: interface GigabitEthernet8/1 description STB-NET8-TEST switchport switchport access vlan 781 switchport trunk encapsulation dot1q switchport trunk native vlan 781 switchport trunk allowed vlan 781 switchport mode trunk logging event link-status load-interval 30 no cdp enable end interface Vlan781 description NET8 ip address 10.239.56.1 255.255.248.0 ip helper-address 10.100.141.40 ip pim dense-mode end
... View more
Labels:
01-09-2012
08:51 AM
Port security works but I can't use a wildcard mask to filter based on OUI. What solutions are available to me if mac filtering and VACL's are not applicable?
... View more
01-06-2012
02:58 PM
It seems that mac-filtering and PACL's is rather straight forward but its not working on my L2 interface. Port-security works but this is not useful when trying to filter based on OUI. What am I doing wrong in my config? Linux box: Obviously on the same subnet since it has an arp entry, you can also see that it is on a different port since my target box is the only MAC on g1/42. :arp -an | grep 65.182.XYZ.38 ? (65.182.XYZ.38) at 00:11:11:12:1d:62 [ether] on eth0 4948 Switch: 4948-TOP-PRI#sho mac- int g1/42 Unicast Entries vlan mac address type protocols port -------+---------------+--------+---------------------+-------------------- 224 0011.1112.1d62 dynamic ip GigabitEthernet1/42 interface GigabitEthernet1/42 description WATSON-PUBLIC switchport access vlan 224 switchport mode access logging event link-status load-interval 30 mac access-group WATSON in mac access-group WATSON out spanning-tree portfast ! interface Vlan224 description Backbone-Subnet no ip address shutdown end FAILS to block pings: mac access-list extended WATSON permit 0012.1100.0000 0000.00ff.ffff any FAILS to block pings: mac access-list extended WATSON deny 0011.1100.0000 0000.00ff.ffff any FAILS to block pings: mac access-list extended WATSON deny any any ! I may implement this on the VLAN eventually but in simple testing I haven't discovered why this doesn't work on the port level. Ultimately I want to allow this box and deny everything else but I'm testing it by trying to block it first. This is what I should use if the port level mac access-list is working. mac access-list extended WATSON permit 0011.1100.0000 0000.00ff.ffff any
... View more
Labels:
01-06-2012
10:10 AM
FIXED! Oh how refreshing, this fixed my problem! You guys rock! THANK YOU! no logging message 305011 no logging message 305012 no logging message 302020 no logging message 302021 I was using the 'log disable' command at the end of the rule to try to disable the logging which was ineffective: access-list Inside_access_in_2 extended permit icmp any any log disable
... View more
01-06-2012
09:50 AM
Goal: How do I disable these ICMP messages on my ASA? Version 8.0(3)6 Problem: In my log file I have 343520 entries per hour of just ICMP messages! We're installing some new equipment and it does a plentiful amount of ICMP traffic which is used for its HA functions. Unfortunately, its filling up my ASA firewall logs with ICMP build and teardown messages like this: Jan 6 09:44:47 10.55.33.7 %ASA-6-305012: Teardown dynamic ICMP translation from PMETA-MGMT:10.55.30.101/31276 to OUTSIDE-IF:65.182.XYZ.51/33778 duration 0:00:30 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/19511 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/19511 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/28984 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 10.55.30.101/28984 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/29240 gaddr 10.55.30.1/0 laddr 10.55.30.1/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/29240 gaddr 10.55.30.1/0 laddr 10.55.30.1/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-305011: Built dynamic ICMP translation from PMETA-MGMT:10.55.30.101/30008 to OUTSIDE-IF:65.182.XYZ.51/34016 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34016 laddr 10.55.30.101/30008 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34016 laddr 10.55.30.101/30008 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33984 laddr 10.55.30.101/20535 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33984 laddr 10.55.30.101/20535 Jan 6 09:44:47 10.55.33.7 %ASA-6-305012: Teardown dynamic ICMP translation from PMETA-MGMT:10.55.30.101/38956 to OUTSIDE-IF:65.182.XYZ.51/33781 duration 0:00:30 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/21047 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/21047 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/11577 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 10.55.30.101/11577 gaddr 10.55.31.50/0 laddr 10.55.31.50/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/11833 gaddr 10.55.30.1/0 laddr 10.55.30.1/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/11833 gaddr 10.55.30.1/0 laddr 10.55.30.1/0 Jan 6 09:44:47 10.55.33.7 %ASA-6-305011: Built dynamic ICMP translation from PMETA-MGMT:10.55.30.101/12601 to OUTSIDE-IF:65.182.XYZ.51/34020 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34020 laddr 10.55.30.101/12601 Jan 6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34020 laddr 10.55.30.101/12601 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33988 laddr 10.55.30.101/27959 Jan 6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33988 laddr 10.55.30.101/27959 Here's what I've tried: I removed icmp inspect from the global policy I setup rules for ICMP for the different zones I've also disabled logging for the ICMP rules Here's what I've found: Sadly, the new piece of equipment is not using the same ICMP identifier for its continuous pings. This gear is using 4 IP's on the same subnet each pinging 3 other devices once per second (12pps) which results in the lengthy log files. When I sniff the traffic I see that the ICMP identifier BE and LE are unique for each ping even to the same destination IP. Where as a normal ping like from a Linux box uses the same identifier BE/LE for that ping instance for each ICMP request which only results in a 4 log entries for either 1 ping or 55000 at 1pps or 3000pps.
... View more
Labels:
12-27-2011
05:05 PM
Command output below, thanks Paul! 4948-TOP-PRI#sho span sum Switch is in rapid-pvst mode Root bridge for: VLAN0001, VLAN0031-VLAN0033, VLAN0035, VLAN0944 Extended system ID is enabled Portfast Default is enabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled EtherChannel misconfig guard is enabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used is short Name Blocking Listening Learning Forwarding STP Active ---------------------- -------- --------- -------- ---------- ---------- VLAN0001 0 0 0 1 1 VLAN0031 0 0 0 1 1 VLAN0032 0 0 0 1 1 VLAN0033 0 0 0 1 1 VLAN0035 0 0 0 1 1 VLAN0224 0 0 0 3 3 VLAN0944 0 0 0 1 1 ---------------------- -------- --------- -------- ---------- ---------- 7 vlans 0 0 0 9 9 4948-TOP-PRI#sho run int g1/1 Building configuration... Current configuration : 225 bytes ! interface GigabitEthernet1/1 description Web-ster_Uplink switchport access vlan 224 switchport trunk encapsulation dot1q switchport mode access logging event link-status load-interval 30 speed 1000 duplex full end 4948-TOP-PRI#sho int g1/1 switchport Name: Gi1/1 Switchport: Enabled Administrative Mode: static access Operational Mode: static access Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 224 (WEB-STER-CORE) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Unknown unicast blocked: disabled Unknown multicast blocked: disabled Appliance trust: none 4948-TOP-PRI#sho span int g1/1 portfast VLAN0224 disabled
... View more
12-27-2011
02:22 PM
Thanks for the responses and clarifications guys. Peter, since my uplinks are not in trunk mode, what command should I use on my uplink ports to tell the switches that they are not edge ports? If I issue the command "no spann portfast" it does not show up in the config for g1/1.
... View more
12-27-2011
11:04 AM
Looks like RSTP is completely automatic for setting edgeports? If I set a port to portfast I see no entry in the config because the default is portfast. If I try to remove portfast for the uplinks that doesn't apply either (no entry in the config). It seems to be detecting what ports are p2p or p2p-edge based on incoming bpdu's. I was perplexed by this message when enabling portfast default if I'm not supposed to set something on the uplink ports: (config)# spanning-tree portfast default %Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops. I guess it's just hard for me to get comfortable with the protocol that does practically everything itself!
... View more
01-18-2019
So the solution is to place an additional ACL to block SNMP on each port
exposed to the Internet to ...
01-17-2019
I need to make sure that our Nexus switches are hardened on the Internet
and I'm really bothered tha...
12-17-2013
Success! Using this extended list to specify the multicast works as
needed:access-list 104 permit ud...
12-17-2013
I found that matching on the destination port number works as
well:access-list 104 permit udp any an...
12-17-2013
Question Summary:How do I set the p-bit (COS value) for multicast
traffic ingressing on an interface...
02-17-2012
Quick follow-up on my old post. Not seeing the tags was a span bug. The
simple fix is to choose a hi...
02-16-2012
Problem: My traffic coming inbound appears to be marked but is not
marked when egressing.Setup:Ingre...
01-09-2012
Port security works but I can't use a wildcard mask to filter based on
OUI.What solutions are availa...
01-06-2012
It seems that mac-filtering and PACL's is rather straight forward but
its not working on my L2 inter...
01-06-2012
FIXED!Oh how refreshing, this fixed my problem! You guys rock! THANK
YOU!no logging message 305011no...
01-06-2012
Goal:How do I disable these ICMP messages on my ASA? Version 8.0(3)6
Problem:In my log file I have 3...
12-27-2011
Command output below, thanks Paul!4948-TOP-PRI#sho span sumSwitch is in
rapid-pvst modeRoot bridge f...
12-27-2011
Thanks for the responses and clarifications guys.Peter, since my uplinks
are not in trunk mode, what...
Public Statistics
| Date Registered | 06-05-2006 10:45 AM |
| Date Last Visited | 06-19-2019 12:40 AM |
| Total Messages Posted | 44 |
| Total Helpful Votes Received | 10 |
.jpg "VIP Expert"){kind=icon}
