Dynamic Multipoint VPN (CCIE Notes)

Disclaimer: These are my rough cut notes for CCIE Security studies! Not a detailed explanation of DMVPN.

Three components that make up DMVPN:

1. Multipoint GRE (mGRE)

  • A tunnel interface with multiple tunnel destinations, unlike a point-to-point GRE tunnel, which has a single tunnel destination.

2. Next-Hop Resolution Protocol (NHRP)

  • Each router in an NHRP topology acts as either a Next-Hop Client (NHC) or a Next-Hop Server (NHS).
  • mGRE uses NHRP to map logical (tunnel) IP addresses to physical (NBMA/real) IP addresses.
  • An NHC registers its tunnel-to-physical IP mapping with the NHS; the NHS acts as a database that stores all registered mappings and replies to NHC queries.
  • If an NHS does not have a requested entry in its database, it can forward the request to another NHS to see whether that server has the requested mapping.

3. Cisco Express Forwarding (CEF)

  • Cisco Express Forwarding (CEF) is a packet-switching technique that switches packets through a device quickly and efficiently while keeping the load on the router's processor low.
  • CEF is made up of two main components: the Forwarding Information Base (FIB) and the CEF adjacency table.
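As an added example (not part of the original notes), here is a minimal hub-and-spoke DMVPN configuration that ties the three components together: mGRE on the tunnel interface, NHRP for the spoke registration, and IPsec tunnel protection so that neither the GRE payload nor the NHRP authentication string (which is carried in cleartext) crosses the Internet unprotected. All addresses, interface names, key strings and profile names are assumptions for illustration.

```cisco
! ======== Hub (assumed public/NBMA address 192.0.2.1 on Gi0/0) ========
! IKEv1 phase 1: PSK is shared by every spoke here, so rotate it and
! prefer per-spoke keys or certificates in production.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key DMVPN-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
! Transport mode is enough because GRE already supplies the outer header.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ! NHRP auth string is sent in cleartext: it only separates NHRP domains,
 ! it is not a secret. IPsec below is what actually protects the traffic.
 ip nhrp authentication nhrp-pw
 ! Hub learns spoke NBMA addresses dynamically from their registrations.
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

! ======== Spoke (same crypto policy, transform set and profile) ========
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication nhrp-pw
 ! Static mapping of the hub's tunnel address to its NBMA address,
 ! plus the hub as the NHS the spoke registers with.
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

! ======== Verification ========
! show dmvpn                 : tunnel state per peer (should reach "UP")
! show ip nhrp               : registered tunnel-to-NBMA mappings
! show crypto ipsec sa       : confirms the SA exists and packets are encrypted
```

The check worth doing after the tunnel comes up is `show ip nhrp` on the hub: every spoke should appear as a dynamic, registered mapping, and a spoke that registers with an NBMA address you do not recognise is the first thing to investigate.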



TCP Intercept for DoS Attack Prevention (CCIE Notes)

TCP Intercept

  • It protects a TCP server from TCP SYN-flooding (DoS) attacks.
  • It intercepts and validates TCP connection requests.
  • It establishes the connection with the client on behalf of the destination server and, if that succeeds, establishes a connection with the server on behalf of the client, then knits the two half connections together transparently.
  • Either all requests can be intercepted, or only those coming from specific networks or destined for specific servers (selected with an extended access list).

Modes of Operation:

Intercept Mode

  • This is the default mode.
  • The router performs the three-way handshake with the client; if that succeeds, it sends the original SYN packet to the destination server and performs a three-way handshake with the server.
  • When this is completed, the two half connections are joined.

Watch mode

  • Connection requests are allowed to pass through the router to the server but are watched until they become established.
  • If a request fails to establish within 30 seconds (the default watch timeout), the software sends a reset to the server to clear its half-open state.
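As an added example (not from the original notes), the following IOS configuration enables TCP Intercept for one server subnet, sets the mode explicitly, and shows the aggressive-mode thresholds that decide when the router starts dropping half-open connections. The access list number, server subnet and threshold values are assumptions; the thresholds shown equal the IOS defaults so that the reader can see what is being tuned.

```cisco
! Extended ACL selecting what to intercept: any client to the protected
! servers in 192.0.2.0/24 (assumed). Only traffic matching this list is
! intercepted; everything else is forwarded untouched.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
!
ip tcp intercept list 101
!
! "intercept" (default) proxies the handshake; "watch" only observes it.
ip tcp intercept mode intercept
!
! Watch mode: seconds an embryonic connection may stay unestablished
! before the router sends a RST to the server (default 30).
ip tcp intercept watch-timeout 30
!
! How long an established, idle connection is managed (default 86400 s);
! lowered here so the intercept table does not fill with stale entries.
ip tcp intercept connection-timeout 3600
!
! Aggressive mode starts when EITHER threshold's "high" value is crossed
! and stops when the count falls back below "low":
!   max-incomplete : total half-open connections at any moment
!   one-minute     : connection attempts in the last 60 seconds
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! In aggressive mode the router drops half-open connections: "oldest"
! (default) is predictable, "random" is harder for an attacker to game.
ip tcp intercept drop-mode random
!
! Verification:
!   show tcp intercept connections   : half-open and established entries
!   show tcp intercept statistics    : counts, plus whether aggressive mode is active
```

One caveat a practitioner should keep in mind: in intercept mode the router answers the SYN itself, so a server that depends on seeing the client's TCP options (or on the client's real source before the proxied connection is stitched) will behave differently than it would with watch mode.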


OSPF neighbor relationship process

1. Determine the Router ID

  • It is the router's name in the OSPF process. It is always advisable to hard code the router-id.
  • Selection order: configured router-id > highest IP address on an up loopback interface > highest IP address on an active physical interface.

2. Enable OSPF on interfaces (and add their networks to the link-state database), done by the network command

3. Send a Hello message on chosen interfaces

  • Hello message timer (defaults):
    ◦ Broadcast and point-to-point networks: every 10 seconds
    ◦ Non-broadcast multi-access (NBMA) networks: every 30 seconds
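As an added example (not from the original notes), the configuration below walks the three steps in order on one router: a hard-coded router ID, the network statements that bring interfaces into the process, and the hello/dead timers on each interface type. Interface names, addresses, the process number and the key string are assumptions. The MD5 authentication lines are an addition a security engineer would want here: a mismatched key or timer is one of the most common reasons a neighbor never gets past the Hello stage.

```cisco
router ospf 1
 ! Step 1: hard-code the router ID so it does not depend on which
 ! loopback or physical address happens to be up at boot.
 router-id 1.1.1.1
 ! Step 2: the network statements enable OSPF on any interface whose
 ! address matches; the wildcard mask is the inverse of the subnet mask.
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
 ! Require MD5-authenticated Hellos from every neighbor in area 0.
 area 0 authentication message-digest
!
! Step 3: broadcast segment, default 10 s hello / 40 s dead timers
! written out explicitly so the dependency (dead = 4 x hello) is visible.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf message-digest-key 1 md5 OSPF-KEY-CHANGE-ME
!
! NBMA segment: 30 s hello / 120 s dead by default. On NBMA the router
! cannot multicast Hellos, so each neighbor must be listed statically.
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip ospf network non-broadcast
 ip ospf hello-interval 30
 ip ospf dead-interval 120
 ip ospf message-digest-key 1 md5 OSPF-KEY-CHANGE-ME
!
router ospf 1
 neighbor 192.168.100.2
!
! Verification:
!   show ip ospf                  : confirms the router ID in use
!   show ip ospf interface brief  : which interfaces are in the process, in which area
!   show ip ospf interface Gi0/0  : hello/dead timers and authentication type
!   show ip ospf neighbor         : neighbor state (FULL is the goal)
!   debug ip ospf adj             : shows timer/area/auth mismatches during Hello exchange
```

Note that changing `router-id` on a running process does not take effect until the process is restarted (`clear ip ospf process`), which drops every adjacency on that router; plan it for a maintenance window.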


Transferring licenses after RMA (Cisco)

Our ASR 1001 had a hardware failure with the SPA Interface Processor and we had to file an RMA for it. Once we got the device to the data center and started loading the config, we realized it required the 'advipservices' and 'ipsecurity' licenses which were being used on the old router. After speaking to the licensing support team, they explained to us that we can get a license transfer in this case as this is a replacement device. We gave the serial number of the old router and the new router with the RMA and SR number that was raised with them, and the support engineer sent us a .lic file that can be loaded on the new ASR router.

If you have been looking for this, here's another way to get this done (a phone call to Cisco is definitely a better option, with the below information handy):


Monitoring Site-to-Site VPNs in ASA/PIX (Syslog)

Recently I got the task of monitoring our site-to-site VPNs on some PIX firewalls (yeah, I know, we still use them in some locations). After a lot of research I found a working and quite decent solution for now. Monitoring specific syslog IDs for VPN disconnections looks like the way to go.

I’m going to start off with PIX and will add the ASA config when I lab it up.

Note: You do not need to set up logging lists if you already send warning-level (4) messages and above to your syslog server, because the message ID we explicitly want to log for VPN monitoring is a warning-level message. My logging list exists because we only ship critical (level 2) and above, so the VPN message is not covered by that level on its own.
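As an added example (not the author's configuration), here is the shape of a PIX/ASA logging list that keeps the existing "critical and above" feed and adds a specific VPN message ID on top of it, so that a warning-level message reaches the syslog collector without opening the floodgates to every warning. The post does not name the message ID it monitors, so 713050 (an IKE "connection terminated for peer" message) is used here only as a stand-in; substitute the ID you see in your own logs when a tunnel drops. The list name, syslog host and interface name are also assumptions.

```cisco
logging enable
logging timestamp
!
! One list carries both the baseline and the VPN-specific messages, because
! "logging trap" accepts a single severity OR a single list, not both.
logging list VPN-MON level critical
! Add the individual VPN message ID(s) regardless of their own severity.
! 713050 is a stand-in; replace it with the ID your PIX emits on disconnect.
logging list VPN-MON message 713050
!
! Send exactly that list to the syslog collector (assumed 10.1.1.50, inside).
logging trap VPN-MON
logging host inside 10.1.1.50
!
! Alternative if you would rather not maintain a list: re-level the one
! message so it falls inside the severity you already ship.
! logging message 713050 level critical
!
! Verification:
!   show logging             : confirms the trap list and the syslog host
!   show logging list VPN-MON: prints the effective contents of the list
!   show run logging         : the complete logging configuration
```

Two caveats when testing this: clearing a tunnel with `clear crypto isakmp sa` produces the tear-down message locally, which is a quick way to confirm the collector receives it, and the same ID fires for an administrative clear as for a real outage, so the alert on the collector side should look at frequency and peer, not just presence.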
