Control Plane Protection – CPPr (CCIE Notes)

CPPr can restrict or police traffic with more granularity than CoPP. CoPP applies a single global policy to all control-plane traffic (a more accurate term for that is an 'aggregate' policy), whereas CPPr has three different classification models, each of which applies to a different type of traffic.

Note that CoPP takes precedence over CPPr: traffic passes through the CoPP policy first and only then reaches any CPPr policy.


Routing Protocol Authentication – RIP, OSPF, EIGRP and BGP (CCIE Notes)

RIPv2:

  • Define a key chain > key > key-string.
  • Reference the key chain under the interface configuration and select the authentication mode.

Configuration:

key chain RIPkey
 key 0
 key-string cisco123
!
interface fa0/0
 ip rip authentication key-chain RIPkey
 ip rip authentication mode [md5 | text]


Cisco IOS Unicast Reverse Path Forwarding (uRPF) | (CCIE Notes)

Unicast Reverse Path Forwarding (uRPF)

  • Checks the IP source address of packets arriving on an interface in order to detect source address spoofing.
  • uRPF is available only when CEF is enabled, because uRPF relies on the FIB, which is populated by CEF.
  • uRPF does a reverse lookup of the source address in the CEF table (show ip cef).

uRPF Enhancements:

ACLs and Logging:

  • An ACL can be used in conjunction with uRPF.
  • Permit statement in the ACL: a packet that fails the uRPF check is forwarded anyway.
  • Deny statement in the ACL: a packet that fails the uRPF check is dropped, and it can be logged if logging is configured on the deny entry.
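As an added illustration (not part of the original notes), the following Python model shows how the ACL permit/deny/log behaviour above interacts with a strict-mode uRPF check. The FIB, interface names and ACL entries are constructed sample data; the allow_default switch mirrors IOS's allow-default option, under which a source reachable only via the default route would otherwise fail the check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample FIB: prefix -> outgoing interface, as "show ip cef" would list it.
FIB = {
    "10.1.1.0/24": "Fa0/0",
    "10.2.2.0/24": "Fa0/1",
    "0.0.0.0/0": "Fa0/1",  # default route: ignored by strict uRPF unless allow_default is set
}


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    network: str       # source prefix this entry matches
    log: bool = False  # the "log" keyword on a deny entry


# Constructed sample ACL applied to the uRPF check: one known asymmetric-path
# source is exempted from the drop; everything else is dropped and logged.
ACL = (
    AclEntry("permit", "192.0.2.0/24"),
    AclEntry("deny", "0.0.0.0/0", log=True),
)


def fib_lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, ingress, acl=(), fib=FIB, allow_default=False):
    """Strict uRPF: return (verdict, logged), where verdict is "forward" or "drop"."""
    match = fib_lookup(fib, src)
    reachable_via_rx = (
        match is not None
        and (match[0].prefixlen > 0 or allow_default)  # default route only counts if allowed
        and match[1] == ingress                        # best path back must be the ingress interface
    )
    if reachable_via_rx:
        return "forward", False
    # uRPF failed: the ACL decides whether to forward anyway (permit) or drop (deny, maybe logged).
    ip = ipaddress.ip_address(src)
    for entry in acl:
        if ip in ipaddress.ip_network(entry.network):
            return ("forward", False) if entry.action == "permit" else ("drop", entry.log)
    return "drop", False  # implicit deny at the end of the ACL: dropped, not logged
```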


Cisco IOS Firewall Stateful Failover (CCIE Notes)

Stateful failover for the Cisco IOS firewall enables a router to continue processing and forwarding firewall session packets after a planned or unplanned outage occurs.

Stateful failover for the Cisco IOS firewall is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP).

Prerequisites:

  • The Cisco IOS firewall configuration on the active device must be duplicated on the standby device. The configuration is NOT automatically transferred between the active and standby devices; the user is responsible for ensuring that the configuration matches on both.
  • The devices must be running the same Cisco IOS software.
  • Both routers must be the same type of device, with the same CPU and memory.


Port to Application mapping (PAM) | (CCIE Notes)

Port to Application Mapping (PAM)

  • PAM allows CBAC-supported applications to run on non-standard ports.
  • PAM supports host- or subnet-specific port mapping, which lets you apply PAM to a single host or subnet using a standard ACL, thereby overriding the default port mappings.
  • Three types of mapping:
    • System-defined port mapping
      • A table/database of system-defined mapping entries based on the well-known port assignments. It is set up at system start-up and cannot be deleted or modified, but it can be overridden using host-specific port mapping.
    • User-defined port mapping
      • Network services or applications that use non-standard ports require user-defined entries in the PAM table.
      • You can also specify a range of ports for an application by establishing a separate entry in the PAM table for each port number in the range.
    • Host-specific port mapping
      • Establishes port mapping information for specific hosts or subnets.
      • The same port number can be used for different services on different hosts.
      • Examples:
        • Map port 8000 to HTTP for one host, while mapping port 8000 to Telnet for another host.
        • Hosts in subnet 192.168.21.0 might run HTTP services on non-standard port 8000, while other traffic through the firewall uses the default port for HTTP.
