During my CCIE R&S studies (CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1), I have discovered an unexpected behavior of the static port channel: a Layer2 loop! Obviously, in order for that happen, several things must happen. Suppose to have three switches: The Ciscozine-ROOT switch, as the word suggest, is the root bridge (priority 4096); the Ciscozine-ROOT_SEC is the “backup root bridge” (priority 8192), while the Ciscozine-SW has the default priority. Now suppose that: the ports on the Ciscozine-ROOT_SEC switch toward Ciscozine-SW have already been bundled in a Port-channel using mode on (without Pagp or Lacp protocol). the Ciscozine-SW has no yet configured […]![]()
![]()
![]()
![]()
![]()
![]()
Is static port channel a good idea?
↧
↧
Cisco 2015 Midyear Security Report
Like every year, Cisco has released the Midyear Security Report. This paper is written to understand how attackers are evolving their techniques to evade defenses, using stealthy tactics based on agility, speed, adaptation, and even destruction. New threat intelligence and trend analysis reveal how attackers use stealthy tactics based on agility, speed, adaptation, and even destruction. During this year, adversaries continue to innovate as they slip into networks undetected and evade security measures: Exploits of Adobe Flash vulnerabilities are increasing. They are regularly integrated into widely used exploit kits such as Angler and Nuclear. Operators of crimeware, like ransomware, are hiring and funding professional development […]![]()
![]()
![]()
![]()
![]()
![]()
↧
SYNful Knock – backdoor in Cisco devices
Recently, Fireeye researchers have discovered a new type of malware implant in Cisco router that allows attackers to gain and keep access to these devices. The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable […]![]()
![]()
![]()
![]()
![]()
![]()
↧
SecureCRT: How to import sessions via CSV file
In my opinion, one of the best Telnet/Serial/SSH client is SecureCRT, that provides rock-solid terminal emulation for computing professionals, raising productivity with advanced session management and a host of ways to save time and streamline repetitive tasks. I recently had the need to import a hundred devices in SecureCRT, but I didn’t know how to do it. Surfing the web, I found a helpful python script to import it via CSV! Three components are required: SecureCRT (obviously), the script and the CSV file. Step1 Create a CSV file with these fields: session_name: The name that should be used for the session. If this […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Using Cisco ISE API to write web interface
In the last three months, I was involved in a project concerning the migration of the authentication system (dot1x) from Cisco ACS to Cisco ISE (1.4). At the end of this work, the account told me if it is possible to have a web interface with the active sessions, the devices authenticated via Dot1x and the devices authenticated via MAB. Reading the official guide, I found that Cisco ISE has embedded API. Cool! This what I needed! There are two different API: REST API: it allow you to gather session and node-specific information; for instance: session management, troubleshooting, change of authorization (CoA). External […]![]()
![]()
![]()
![]()
![]()
![]()
↧
↧
Interview with Anderson Mota Alves, 7x CCIE
This is the first interview on Ciscozine and it is my pleasure and honor to introduce Anderson Mota Alves. With more 15 years of experience in the network consulting, he is a teacher in San Paulo university and have SEVEN CCIE!!! How do you combine study, work and personal life? During my study process combining these three things were one of the greatest difficulties I had to learn how to manage, because I had to spend so many hours of study after work and still save some time to attend to a few meetings with family and friends along the […]![]()
![]()
![]()
![]()
![]()
![]()
↧
vPC aka Virtual PortChannel
The vPC aka virtual Port Channel is a Cisco technology that presents both Nexus paired devices as a unique Layer 2 logical node to a third device. The third device can be a switch, server, or any other networking device that supports link aggregation technology. From a spanning tree standpoint, vPC eliminates STP blocked ports and uses all available uplink bandwidth. Spanning-Tree is used as a fail safe mechanism and does not dictate L2 path for vPC attached devices. First of all, it is required to understand all vPC components: vPC: The combined port-channel between the vPC peers […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Nexus HSRP/VRRP active/active with vPC
In the article vPC aka Virtual PortChannel, I explained how vPC works and the benefits that it gives. However, there is another important feature using HSRP/VRRP protocols in the context of vPC: the Layer2 dual–active peer devices. What does it mean? HSRP and VRRP operate in active-active mode from data plane standpoint, as opposed to classical active/standby implementation with STP based network. From a control plane standpoint, active-standby mode still applies for HSRP/VRRP in context of vPC. A characteristic of the active HSRP/VRRP peer device is that it is the only one to respond to ARP requests for HSRP/VRRP VIP […]![]()
![]()
![]()
![]()
![]()
![]()
↧
DDNS: How to manage a device with a dynamic public IP
The DDNS aka Dynamic DNS is an old feature that several routers (non only Cisco devices) have implemented and, in some circumstances, it is very useful. DDNS is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. It provides two mechanisms to generate or perform DDNS: the IETF standard as defined by RFC 2136 and a generic HTTP using various DNS services. In a nutshell, when this feature can simplify our lifes? When we haven’t a static IP public […]![]()
![]()
![]()
![]()
![]()
![]()
↧
↧
How to access network devices via Radius server
Suppose you manage hundreds of Cisco devices; how can you connect and secure it against unauthorized access? You can use local username, but it isn’t scalable and granular, or use an AAA Server. In fact, the benefits of AAA are: Increased flexibility and control of access configuration. Scalability. Standardized authentication methods. Multiple backup system. Additionally, AAA provides a modular way of performing the following services: Authentication is the way a user is identified prior to being allowed access to the network and network services. Authorization works by assembling a set of attributes that describe what the user is authorized to […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Cisco 2017 Annual Cybersecurity Report
Cisco published the annual Cybersecurity report that presents the latest security industry advances designed to help organizations and users defend against attacks. The report also highlights major findings from the Cisco 2017 Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness to defend against attacks. The study, conducted across 13 countries with more than 2,900 respondents, reveals that: Organisations impacted by cyberattacks are experiencing loss of business and in some cases, revenue declines of more than 25%. 44% of security alerts are not investigated. More than 50% of organisations have had to […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Cisco will fail after 18 months
Recently, Cisco published a critical advisory concerning a clock signal component problem. Devices that contain the faulty component could potentially fail after 18 months of use; once the component has failed, the system will stop functioning, will not boot, and is not recoverable. Cisco did not release specifics of the faulty clock part, but probably the component affected by this problem is the Intel’s Atom C2000 processor family that effectively bricks devices. There is no workaround for this issue, so the only solution is to replace products under warranty or covered by any valid services contract dated as of November 16, […]![]()
![]()
![]()
![]()
![]()
![]()
↧
How to install Cisco ISE using USB or CIMC interface
In one of my last job activities, the customer has requested to reinstall the Cisco ISE appliance (SNS-3495). The first option, a DVD reader, is not feasible due the large ISO image file; in fact, the Cisco ISE Software Version 2.2.0 full installation iso file requires more or less 8Gb. So, how can we install the software? There are two options: Using an USB pendrive(al least 16Gb) Using the Cisco Integrated Management Interface (CIMC) USB pendrive – the fastest solution. Download Fedora LiveUSB Creator for Windows or Linux to the local system from the following location. Note: it is possible […]![]()
![]()
![]()
![]()
![]()
![]()
↧
↧
The power of prefix lists
Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many route filtering commands. The most notable and important difference is that a prefix-list allows you to filter networks based on their subnet mask. ACLs used in distribute list filter networks only by network addresses but they do not perform matching on subnet mask; in other words, for an ACL used in distribute list, the networks 192.168.100.0/24 and 192.168.100.0/28 are indistinguishable. Moreover, the prefix-list also allows you to specify networks in much more natural format that ACLs. Prefix […]![]()
![]()
![]()
![]()
![]()
![]()
↧
WPA2 is no more secure
WPA2 (Wi-Fi Protected Access 2) is a network security technology commonly used on Wi-Fi wireless networks. It’s an upgrade from the original WPA technology, which was designed as a replacement for the older and much less secure WEP. WPA2 is used on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i technology standard for data encryption. Yesterday, researchers Mathy Vanhoef and Frank Piessens, from the University of Leuven, has officially published a series of vulnerabilities that target the session establishment and management process in WPA(1/2)-PSK and WPA(1/2)-Enterprise. I say “officially” because the first notification by this […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Cisco EIGRP named, a better approach
The Enhanced Interior Gateway Routing Protocol can be configured using either the classic mode or the named mode. The classic mode is the old way of configuring EIGRP. In classic mode, EIGRP configurations are scattered across the router mode and the interface mode. The named mode is the new way of configuring EIGRP; this mode allows EIGRP configurations to be entered in a hierarchical manner under the router mode. Each named mode configuration can have multiple address families and autonomous system number combinations. In the named mode, you can have similar configurations across IPv4 and IPv6. Although Named EIGRP is […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Cisco WebVPN critical bug. Patch it now!
Few days ago, Cisco published a critical advisor with a score of 10/10 about ASA and Firepower devices. The vulnerability known as CVE-2018-0101 and discovered by Cedric Halbronn, Senior Researcher at NCC Group is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. This vulnerability allows the attacker to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely […]![]()
![]()
![]()
![]()
![]()
![]()
↧
↧
Cisco Smart Install Remote Code Execution
At the end of March, Cisco published a stack-based buffer overflow vulnerability in Smart Install Client code. This vulnerability enables an attacker to remotely execute arbitrary code without authentication. So it allows getting full control over a vulnerable network equipment. Cisco Smart Install is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design. A Smart Install network consists […]![]()
![]()
![]()
![]()
![]()
![]()
↧
Understanding Cisco DMVPN
In an old post, dated 2011, I explained various types of VPN technologies. In seven years several things have changed: SHA1 is deprecated, des and 3des are no more used for security issues, but some VPN technologies are still used with protocols more secure (SHA256, AES, …). In this article, I explain how DMVPN works and what are the key components of it. Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users. Key components are: Multipoint GRE (mGRE) tunnel […]![]()
![]()
![]()
![]()
![]()
![]()
↧
DMVPN Phase 3: a complete guide
In a previous article, I explained what is and how it works DMVPN technology. In this article you see how to configure DMVPN phase3. This phase allows spokes to build a spoke-to-spoke tunnel and to overcomes the phase2 restriction using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. The phase3 configuration is based by 4 steps: Define Tunnel interface (mandatory) Define NHRP (mandatory) Define EIGRP Process (mandatory) Define IPSEC Profile (optional) In this example, there are 3 routers: one hub (Ciscozine) and two spokes. The IP address […]![]()
![]()
![]()
![]()
![]()
![]()
↧
More Pages to Explore .....
