Posts filed under 'ios'
Hello there,
Today a new security alert about VTP (VLAN Trunking Protocol) was disclosed. In a Bisounours (Care Bears) world, people follow security best practices and the security work is done. Sometimes, reality overtakes the best-practices paper.
Please take a chair, sit down and put on some Telemann music.
The vulnerability causes a denial of service on the VTP process, which leads to a reload in most cases. The prerequisites are a trunk port and a switch in VTP client or server mode. The attack works even if the attacker doesn’t know the VTP password.
For the sake of the positive best-practice-deviation god, don’t forget the (config)# vtp mode transparent command on your layer 2 network as soon as VTP is active on at least one switch.
I got it, but what can I do about client/server switches? Education, and best practices: limit the exposure by disabling DTP.
Reminds me of a story about Catalyst 4500s with VTP enabled and static switchport mode trunk on all ports… Yalla!
November 5th, 2008
Should I prepare for the CCIE Security lab? I’ve already passed the written exam, back in May 2008.
If so, what are your recommendations for preparing for it? Habits, blogs, websites, forums, PEC training, which company to use for security rack rental (InternetworkExpert looks nice), and more?
Francois
September 14th, 2008
When a networking geek finds a new feature, he’d love to implement it on his network perimeter (perhaps Benmoon will read my article).
But sometimes the super feature is not applicable to all sorts of production networks.
That’s the case for the L2PT (Layer 2 Protocol Tunneling) feature, which is especially useful for customers of VPLS (virtual LAN services based on Ethernet) service providers. The Cisco documentation on the usage of L2PT is not very clear, but CCIE hackers use it. The feature’s goal is to widen the layer 2 network across multiple geographically remote sites over a WAN. I’ll try to add another dimension to the understanding of this feature.
First thing to know: when you hear L2PT you must think “big switch” or “big trunk” in Cisco terminology.
Second thing to know: L2PT tunnels Spanning Tree, CDP and VLANs (plus PAgP, LACP and UDLD).
Third thing to know: it does nothing except make it possible to extend the layer 2 domain size.
Why do I need a big switch?
Increasing the layer 2 domain size between Paris, London and Sydney:
- Single bridge domain (one VLAN)
- Single subnet
- Single SLA
- MAC address learning and forwarding
To make this work over a WAN, L2PT is mandatory.
Guys, I have a Wacom tablet so I’ll definitely try to use it for this article. Like I used to say to my students, it’s best-effort drawing.
L2PT big picture over an MPLS/VPLS backbone:

A switch as a CE (Customer Edge)?
Just because it’s layer 2 stuff doesn’t mean a switch is absolutely required. You can have a switch and/or a router, i.e. anything that can do 802.1Q tunneling.
Who configures L2PT in IOS?
L2PT is configured on the ISP equipment (commands borrowed from packetlife). These lines need to be typed on the backbone routers where the CDP, STP and VLAN frames will flow until they reach another of the customer’s sites.
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
Limitations of L2PT
Don’t forget the MAC address limits and the VLAN number limit, which will require PBT (Provider Bridging Transport) or H-VPLS (Hierarchical VPLS) in order to work, and which break L2PT. Also, in the good-to-know part, keep in mind that a virtual switch operates like a conventional switch with respect to flooding/forwarding, MAC learning/aging and loop prevention in unicast, broadcast and multicast environments, so always keep an eye on your layer 2 perimeter (not the part owned by the ISP).
L2PT should only be used with small customer implementations.
And security?
One thing is sure: these technologies open massive leaking holes in the network security field. I’ll name the use of redundant multihoming connections (local traffic may be tunneled into the service provider backbone) and VLAN number mismatches: imagine VLAN 10 at the Sydney site is the Wi-Fi hotspot VLAN and VLAN 10 in Paris is the customer database one.
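Both the exposure described in the VTP post above (VTP client/server mode behind trunk-capable ports with DTP still on) and the VLAN-number mismatch just described can be spotted by reading the running-configs. The following Python is an added example, not code from the original posts; it assumes a dict of constructed per-site configs and only the standard IOS lines vtp mode, vlan/name, switchport mode and switchport nonegotiate, and it also covers the dynamic switchport modes, not just static trunks.

```python
SITE_CONFIGS = {  # constructed sample running-configs, not taken from the post
    "paris": """\
vlan 10
 name DB-CUSTOMERS
interface GigabitEthernet0/1
 switchport mode trunk
""",
    "sydney": """\
vtp mode transparent
vlan 10
 name WIFI-HOTSPOT
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
""",
}

def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def vtp_findings(config):
    """Flag trunk-capable ports on a VTP client/server, and trunks still running DTP."""
    blocks = parse_blocks(config)
    mode = next((h.split()[-1] for h, _ in blocks if h.startswith("vtp mode ")), "server")  # IOS default is server
    findings = []
    for header, sub in blocks:
        if header.startswith("interface "):
            port = header.split(None, 1)[1]
            trunk = any(s.startswith("switchport mode trunk") for s in sub)
            dynamic = any(s.startswith("switchport mode dynamic") for s in sub)
            if (trunk or dynamic) and mode in ("client", "server"):
                findings.append(f"{port}: trunk-capable port with vtp mode {mode}")
            if dynamic or (trunk and "switchport nonegotiate" not in sub):
                findings.append(f"{port}: DTP still enabled")
    return findings

def vlan_role_collisions(site_configs):
    """VLAN IDs whose name differs between sites that share one bridge domain."""
    names = {}
    for site, config in site_configs.items():
        for header, sub in parse_blocks(config):
            if header.startswith("vlan ") and header.split()[1].isdigit():
                vname = next((s.split(None, 1)[1] for s in sub if s.startswith("name ")), "")
                names.setdefault(int(header.split()[1]), {})[site] = vname
    return {vid: by_site for vid, by_site in names.items() if len(set(by_site.values())) > 1}
```

Paris has no vtp mode line, so it is reported as a server with a trunk that still negotiates DTP, while Sydney (transparent, nonegotiate) is clean; VLAN 10 is flagged because it carries a different role at each site.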
August 16th, 2008
Strange behavior in the pipe! Welcome!
I was working on a bug PoC thanks to an old-fashioned 2611 router when the problem began: packets can’t reach their destination from and to an Ethernet sub-interface with the physical interface UP and without an IP address.
I ping 192.168.0.23, which is linked to Ethernet0/0 by a crossover cable.
CDP can be exchanged, as it’s layer 2 and uses the physical interface.
I’ve also tested with the 2611 linked to a 2500 router and to a 2900 switch.
Same behavior: I can’t ping from or to the sub-interface (192.168.0.100).
And of course, it works like a charm when I set it up on the physical interface.
Do you know a mystic trick to make this work, other than using other hardware or using Dynamips linked to the host computer’s interface?
Anyway, I really need to use the sub-interface, otherwise my bug PoC won’t be viable.
Show command output:
hacking2600#sh ip int brief
*Mar 1 00:07:43.848: %SYS-5-CONFIG_I: Configured from console by console
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES manual up up
Ethernet0/0.1 192.168.0.100 YES manual up up
sh run
interface Ethernet0/0
no ip address
full-duplex
!
interface Ethernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.100 255.255.0.0
!
When I try to ping, debug ip packet says “encapsulation failed”.
There is nothing special in Wireshark: the PC responds to the ICMP requests, but it looks like the router drops them.
Tried with 2 different versions of IOS.
Don’t get fucked by the network mask.
Debug ip packet detail output:
*Mar 1 00:44:38.907: IP: tableid=0, s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), routed via RIB
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, sending
*Mar 1 00:44:38.907: ICMP type=8, code=0
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, encapsulation failed
*Mar 1 00:44:38.911: ICMP type=8, code=0.
Success rate is 0 percent (0/5)
hacking2600#
*Mar 1 00:44:44.112: IP: s=192.168.0.100 (local), d=224.0.0.5 (Ethernet0/0.1), len 64, sending broad/multicast, proto=89
August 16th, 2008