Ernie Wilson's Cisco Security Notes

Mitigating CAM Table Overflow attacks on Cisco
conf t int fas 0/23 desc Some user PC switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security violation protect | restrict | shutdown

Mitigating MAC Spoofing attacks on Cisco
conf t int fas 0/23 desc Some user PC switchport port-security mac-address switchport port-security violation protect | restrict | shutdown arp timeout 600

Mitigating DHCP Starvation attacks on Cisco
show ip dhcp snooping show ip dhcp snooping binding conf t ip dhcp snooping ip dhcp snooping vlan 9 int fa 0/24 desc Uplink or DHCP Server port ip dhcp snooping trust int fa 0/24 desc Some user PC no ip dhcp snooping trust ip dhcp snooping limit rate 100

Port Security on Cisco
#Part 1 interface FastEthernet0/1 duplex full speed 100 port security max-mac-count 1 port security action shutdown # Part 2 mac-address-table secure 0013.2163.d031 FastEthernet0/1 vlan 1

HSRP on Cisco
# Router A interface Vlan24 description Prod. User/Front-end Network OSPF Area 17 ip address 10.17.24.2 255.255.248.0 no ip redirects no ip proxy-arp ip ospf message-digest-key 24 md5 7 020B06550A080A35 standby 3 ip 10.17.24.1 standby 3 timers 5 15 standby 3 priority 105 standby 3 preempt delay 300 standby 3 authentication vlan24 # Router B interface Vlan24 description Prod. User/Front-end Network OSPF Area 17 ip address 10.17.24.3 255.255.248.0 no ip redirects ip ospf message-digest-key 24 md5 7 020B06550A080A35 standby 3 ip 10.17.24.1 standby 3 timers 5 15 standby 3 priority 110 standby 3 preempt standby 3 authentication vlan24
Warning: Do not forget about preempt delay!
               standby delay minimum min-delay reload min-delay
               HSRP flapping may result if preempt delay is not used!
               (Verified: Ernie 2004 MBNA)

ATM PVC Manage on Cisco
# Router A ! interface ATM1/0 description Circuit-ID-Here EncryptorA ATMMuxA no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM1/0.1 point-to-point description PVCxyz connected to RouterB bandwidth 256 ip address 10.240.16.5 255.255.255.252 no ip proxy-arp ip split-horizon ip ospf message-digest-key 4 md5 7 0009110805550E12 pvc 206/302 vbr-nrt 512 256 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone # Router B ! interface ATM1/0 description Circuit-ID-Here EncryptorB ATMMuxB no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM1/0.1 point-to-point description PVCxyz connected to RouterA bandwidth 256 ip address 10.240.16.6 255.255.255.252 ip ospf message-digest-key 4 md5 7 09414C07180B1206 pvc 18/301 vbr-nrt 512 256 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone
Warning: Do not forget about oam-pvc manage
The router will fail to mark the route as DOWN in OSPF if the ATM WAN link fails.
(Verified: Ernie 2003 MBNA)

BGP Peering with OSPF Redistribution on Cisco
# Router US ! router bgp 65000 bgp log-neighbor-changes aggregate-address 10.16.0.0 255.255.0.0 summary-only aggregate-address 10.17.0.0 255.255.0.0 summary-only aggregate-address 10.22.0.0 255.255.0.0 summary-only aggregate-address 10.48.0.0 255.248.0.0 summary-only aggregate-address 10.64.0.0 255.248.0.0 summary-only aggregate-address 10.80.0.0 255.248.0.0 summary-only aggregate-address 10.96.0.0 255.248.0.0 summary-only aggregate-address 10.104.0.0 255.255.0.0 summary-only aggregate-address 10.105.0.0 255.255.0.0 summary-only aggregate-address 10.112.0.0 255.248.0.0 summary-only redistribute static redistribute ospf 1 match internal external 1 external 2 route-map deny_Europe_routes neighbor 10.20.56.2 remote-as 65500 neighbor 10.20.56.2 password 7 0309590507012458 neighbor 10.20.56.2 soft-reconfiguration inbound no auto-summary ! ip classless ip route 10.3.0.0 255.255.0.0 10.2.246.65 ip route 10.9.0.0 255.255.0.0 10.2.246.65 ip route 10.15.0.0 255.255.0.0 10.2.246.65 ip route 10.49.0.0 255.255.0.0 10.2.246.65 ip route 164.91.0.0 255.255.0.0 10.2.246.65 ip route 164.126.0.0 255.254.0.0 10.2.246.65 ip route 192.168.17.0 255.255.255.0 10.2.246.65 ip route 192.168.129.0 255.255.255.0 10.2.246.65 ip route 192.168.197.0 255.255.255.0 10.2.246.65 route-map aggregate_uk permit 10 match ip address 75 ! route-map deny_Europe_routes deny 10 match tag 65500 ! route-map deny_Europe_routes permit 20 match ip address 52 ! access-list 52 deny 0.0.0.0 access-list 52 deny 192.168.181.0 0.0.0.255 access-list 52 permit any access-list 75 deny 10.8.0.0 access-list 75 deny 10.0.0.0 access-list 75 deny 10.48.0.0 access-list 75 deny 192.168.181.0 0.0.0.255 access-list 75 permit any # Note OSPF redistribution example: ! router ospf 1 log-adjacency-changes auto-cost reference-bandwidth 1000 area 10.2.0.0 authentication message-digest redistribute bgp 65000 metric-type 1 subnets route-map aggregate_uk passive-interface ATM4/0.1 network 10.2.246.69 0.0.0.0 area 10.2.0.0 network 10.3.255.240 0.0.0.0 area 10.2.0.0 network 10.20.40.0 0.0.0.255 area 10.2.0.0 network 10.20.56.1 0.0.0.0 area 10.2.0.0 ! interface FastEthernet2/0 description Area 10.2.0.0 connected to DXCC4005 port 9/45 VLAN 602 ip address 10.2.246.69 255.255.255.224 ip pim sparse-mode ip ospf message-digest-key 64 md5 7 045609080E2F495A duplex full arp timeout 1200 # Router UK ! router bgp 65500 no synchronization bgp log-neighbor-changes redistribute ospf 1 match internal external 1 external 2 route-map us_route_filter neighbor 10.20.56.1 remote-as 65000 neighbor 10.20.56.1 password 7 020B06550A080A35 neighbor 10.20.56.1 soft-reconfiguration inbound no auto-summary ! route-map set_metric permit 10 match ip address 51 set metric 300 ! route-map set_metric permit 20 match ip address 52 set metric 10 ! route-map us_route_filter deny 10 match tag 65000 ! route-map us_route_filter permit 20 match ip address 53 ! access-list 52 deny 0.0.0.0 access-list 52 permit any access-list 53 permit any ip classless # Note OSPF redistribution example: ! router ospf 1 log-adjacency-changes area 0 authentication area 10.160.10.169 authentication area 10.160.10.169 range 10.160.0.0 255.255.248.0 area 10.160.10.169 range 10.160.8.0 255.255.248.0 area 10.160.10.169 range 10.160.16.0 255.255.248.0 area 10.160.10.169 range 10.160.24.0 255.255.248.0 area 10.160.10.169 range 10.160.32.0 255.255.248.0 area 10.160.10.169 range 10.160.40.0 255.255.248.0 area 10.160.10.169 range 10.160.48.0 255.255.248.0 area 10.160.10.169 range 10.160.56.0 255.255.248.0 area 10.160.10.169 range 10.160.64.0 255.255.248.0 area 10.160.10.169 range 10.160.72.0 255.255.248.0 area 10.160.10.169 range 10.160.80.0 255.255.248.0 area 10.160.10.169 range 10.160.88.0 255.255.248.0 area 10.160.10.169 range 10.160.96.0 255.255.248.0 area 10.160.10.169 range 10.160.104.0 255.255.248.0 area 10.160.10.169 range 10.160.112.0 255.255.248.0 area 10.160.10.169 range 10.160.120.0 255.255.248.0 area 10.160.10.169 range 10.160.232.0 255.255.248.0 area 10.160.10.169 range 10.160.248.0 255.255.248.0 area 10.160.10.169 range 10.161.0.0 255.255.248.0 area 10.160.10.169 range 10.161.8.0 255.255.248.0 area 10.160.10.169 range 10.161.16.0 255.255.248.0 area 10.160.10.169 range 10.161.96.0 255.255.248.0 area 10.160.10.169 range 10.161.184.0 255.255.248.0 area 10.160.10.169 range 10.161.192.0 255.255.248.0 area 10.160.10.169 range 10.161.248.0 255.255.248.0 redistribute bgp 65500 metric-type 1 subnets route-map set_metric passive-interface ATM3/0.1 network 10.20.56.2 0.0.0.0 area 10.160.10.169 network 10.160.0.0 0.0.255.255 area 10.160.10.169 network 10.166.254.54 0.0.0.0 area 0 network 10.166.0.0 0.0.255.255 area 0
Note (although this seems obvious):
Make sure your NOC is aware that "adjacency-changes" are likely to be circuits failing!

Novell IPX on Cisco
access-list 1001 deny FFFFFFFF 30C access-list 1001 deny FFFFFFFF 52C access-list 1001 deny FFFFFFFF 640 access-list 1001 permit FFFFFFFF 0 access-list 1001 permit FFFFFFFF interface ATM3/0 description MCI-Wxxxxxxx VZN-11hfgsxxxxxx.xx CDCC4024 ENCC4026 no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM3/0.1 point-to-point description PVC274917 connected to ROUTERBa4/0.1 bandwidth 10112 ip address 10.240.105.5 255.255.255.252 ip pim sparse-mode ip ospf message-digest-key 4 md5 7 0309590507012458 pvc 206/300 vbr-nrt 15168 10112 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone ! ipx network AF06904 ipx output-sap-filter 1001 interface ATM4/0 description ATT-DNECxxxxxx VZN-s11hfgsxxxxxx.xx CDCC4023 ENCC4024 no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM4/0.1 point-to-point description ATT-DNECxxxxxx connected to ROUTERAa3/0.1 bandwidth 40500 ip address 10.240.112.5 255.255.255.252 ip rip send version 1 ip rip receive version 1 ip pim sparse-mode ip ospf message-digest-key 4 md5 7 0309590507012458 pvc 111/100 vbr-nrt 40704 40500 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone ! ipx network AF07004 ipx output-sap-filter 1001 ! interface FastEthernet2/0 description Connected to XYZ ip address 10.15.128.15 255.255.248.0 duplex full ipx network 1015128 encapsulation SAP
Note: May God have mercy on your soul if you are forced to implement IPX WAN today!

NTP on Cisco
clock timezone EST -5 clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 clock calendar-valid ntp authentication-key 101 md5 0451594C4B24566647 7 ntp authenticate ntp clock-period 17180044 ntp update-calendar ntp server 10.17.17.4 prefer ntp server 10.49.17.4
Note: Adjust recurring as needed to compensate for Daylight Saving Time

Various Examples: RIPv1, RIPv2 and OSPF Route Redistribution Combined on Cisco
! interface FastEthernet0/0 description Area 0 connected to CXCC4002 port 7/1 VLAN 900 ip address 10.240.3.18 255.255.255.240 ip pim sparse-mode ip ospf message-digest-key 16 md5 7 10430B170419171F duplex full ipx network AF00310 encapsulation SAP arp timeout 1200 interface ATM3/0 description MCI-WOFxxxxx VZN-11hfgsxxxxxx.xx CDCC4024 ENCC4026 no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM3/0.1 point-to-point description PVC274917 connected to RTKN1004a3/0.1 bandwidth 10112 ip address 10.240.105.5 255.255.255.252 ip pim sparse-mode ip ospf message-digest-key 4 md5 7 0309590507012458 pvc 206/300 vbr-nrt 15168 10112 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone ! interface ATM3/0.2 point-to-point description PVC8433472 connected to RTSUN001a1/0.1 bandwidth 256 ip address 10.240.16.5 255.255.255.252 no ip proxy-arp ip split-horizon ip ospf message-digest-key 4 md5 7 0009110805550E12 pvc 206/302 vbr-nrt 512 256 2320 oam-pvc manage encapsulation aal5snap ! ! interface ATM4/0 description ATT-DNECxxxxx VZN-s11hfgsxxxxxx.xx CDCC4023 ENCC4024 no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM4/0.1 point-to-point description ATT-DNECxxxxx connected to RTBF1003a3/0.1 bandwidth 40500 ip address 10.240.112.5 255.255.255.252 ip rip send version 1 ip rip receive version 1 ip pim sparse-mode ip ospf message-digest-key 4 md5 7 0309590507012458 pvc 111/100 vbr-nrt 40704 40500 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone ! ipx network AF07004 ipx output-sap-filter 1001 ! ! router ospf 1 log-adjacency-changes auto-cost reference-bandwidth 1000 area 0 authentication message-digest redistribute static metric 10 metric-type 1 subnets route-map limit network 10.13.136.1 0.0.0.0 area 0 network 10.240.8.1 0.0.0.0 area 0 network 10.240.16.5 0.0.0.0 area 0 network 10.240.56.5 0.0.0.0 area 0 network 10.240.80.5 0.0.0.0 area 0 network 10.240.88.1 0.0.0.0 area 0 network 10.240.96.1 0.0.0.0 area 0 network 10.240.105.5 0.0.0.0 area 0 network 10.240.112.5 0.0.0.0 area 0 network 10.240.0.0 0.0.255.255 area 0 default-information originate metric 10 metric-type 1 ! ip classless ip route 0.0.0.0 0.0.0.0 ATM3/0.1 ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 ip route 0.0.0.0 128.0.0.0 Null0 ip route 128.0.0.0 128.0.0.0 Null0 ! interface FastEthernet2/0 description Area 0 connected to FXCC4002h0501 port 4 ip address 10.15.128.15 255.255.248.0 ip rip send version 1 ip rip receive version 1 duplex full ipx network 1015128 encapsulation SAP interface ATM4/0 description ATT-DNECxxxxxx VZN-s11hfgsxxxxxx.xx CDCC4023 ENCC4024 no ip address atm framing cbitplcp no atm ilmi-keepalive ! interface ATM4/0.1 point-to-point description ATT-DNECxxxxxx connected to RTBF1003a3/0.1 bandwidth 40500 ip address 10.240.112.5 255.255.255.252 ip rip send version 1 ip rip receive version 1 ip pim sparse-mode ip ospf message-digest-key 4 md5 7 0309590507012458 pvc 111/100 vbr-nrt 40704 40500 2320 oam-pvc manage encapsulation aal5snap service-policy output Backbone router rip version 2 redistribute static metric 1 route-map limit passive-interface FastEthernet0/0 passive-interface ATM3/0.1 passive-interface ATM4/0.1 passive-interface ATM5/0.1 network 10.0.0.0 default-information originate ip classless ip route 0.0.0.0 0.0.0.0 ATM3/0.1 ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 ip route 0.0.0.0 128.0.0.0 Null0 ip route 128.0.0.0 128.0.0.0 Null0 ! interface FastEthernet1/0 description Area 0 connected to CXCC4001 port 7/3 VLAN 901 ip address 10.240.3.84 255.255.255.240 ip rip send version 2 ip rip receive version 2 ip pim sparse-mode ip ospf message-digest-key 80 md5 7 070223424F071C11 duplex full ipx network AF00350 encapsulation SAP arp timeout 1200 router rip version 2 redistribute static metric 1 route-map limit passive-interface FastEthernet0/0 passive-interface ATM3/0.1 passive-interface ATM4/0.1 passive-interface ATM5/0.1 network 10.0.0.0 default-information originate ip classless ip route 0.0.0.0 0.0.0.0 ATM3/0.1 ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 ip route 0.0.0.0 128.0.0.0 Null0 ip route 128.0.0.0 128.0.0.0 Null0
Note: Obviously avoid RIP if at all possible
Do not exceed RIP Diameter of 15!
(Verified: Ernie 2003 MBNA - RIP diameter hit 16 and various networks were unreachable from remote locations!)

SNMP on Cisco
access-list 10 permit 164.91.30.239 access-list 10 permit 10.161.2.65 access-list 10 deny any log access-list 11 permit 10.49.80.99 access-list 11 permit 10.161.2.66 access-list 11 deny any log ! snmp-server engineID local 0000000902000004DE7A2800 snmp-server community MBNANET RW 10 snmp-server community TTTCID RO 10 snmp-server community TELECOM RO 11 snmp-server packetsize 2048 snmp-server contact Command Center 302-457-4093 snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps tty snmp-server enable traps config snmp-server enable traps entity snmp-server enable traps envmon snmp-server enable traps rtr snmp-server enable traps dlsw snmp-server host 10.161.2.65 MBNANET snmp-server host 164.91.30.239 MBNANET

SSH on Cisco
ip ssh time-out 60 ip ssh authentication-retries 5 OPTIONAL: ip scp server enable AND (For both TELNET and SSH) line vty 0 4 session-timeout 10 exec-timeout 9 0 transport input telnet ssh line vty 5 15 session-timeout 10 exec-timeout 9 0 transport input telnet ssh OR (For just SSH) line vty 0 4 session-timeout 10 exec-timeout 9 0 transport input ssh line vty 5 15 session-timeout 10 exec-timeout 9 0 transport input ssh

TACACS on Cisco
aaa new-model aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization console aaa authorization exec default group tacacs+ local aaa authorization commands 15 default group tacacs+ none aaa accounting exec default start-stop group tacacs+ aaa accounting commands 0 default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 2 default start-stop group tacacs+ aaa accounting commands 3 default start-stop group tacacs+ aaa accounting commands 4 default start-stop group tacacs+ aaa accounting commands 5 default start-stop group tacacs+ aaa accounting commands 6 default start-stop group tacacs+ aaa accounting commands 7 default start-stop group tacacs+ aaa accounting commands 8 default start-stop group tacacs+ aaa accounting commands 9 default start-stop group tacacs+ aaa accounting commands 10 default start-stop group tacacs+ aaa accounting commands 11 default start-stop group tacacs+ aaa accounting commands 12 default start-stop group tacacs+ aaa accounting commands 13 default start-stop group tacacs+ aaa accounting commands 14 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting connection default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ tacacs-server host 10.17.113.207 tacacs-server host 10.49.17.21 tacacs-server directed-request tacacs-server key secretpasswordhere line con 0 exec-timeout 9 0 line aux 0 exec-timeout 9 0 no exec line vty 0 4 exec-timeout 9 0 transport input telnet line vty 5 15 exec-timeout 9 0 transport input telnet