Index

Numerics

10MQC, rate limiting, 173

3DES (Triple DES), 378

802.1Q (IEEE)

double encapsulation attacks, 92

headers, 543–550

A

AAA (authentication, authorization, and accounting), 326–329, 422, 439

IPsec VPN case study, 462

MPLS VPN case study, 479

commands

aaa accounting command, 328

aaa authentication command, 328

aaa authorization command, 328

aaa command, 579

aaa new-model command, 322, 328

aaa new-model configuration, 422, 439

access

case studies, 406

HTTPS, 439

Internet case study, 444–455

intranets, 465

IPsec VPN control, 391–393

MPLS VPNs, 426

passwords, 303–306

remote terminal access security, 309–311

role-based CLI, 320–324

access control entries. See ACEs

access control lists. See ACLs

access mode, 210

access-class {access-list} in command, 309

access-group command, 576

accounting policies, BGP, 331

ACEs (access control entries), 235

ACK flags, 513

acknowledgment numbers, 512

ACLs (access control lists), 558, 563

antispoofing, 419

commands, 558

community strings (SNMP), 307

crypto, 392

filters, 75, 277–279

iACLs, 40, 366

interfaces, 222, 418, 435

CsC, 373

data plane security, 147–156

IKE, 387

IPsec VPN access control, 393

MPLS VPN case study, 481

IP options, filtering, 177

packets, defining classification, 244–247

PACLs, 212

rACLs, 230, 366–367, 563

control plane security, 230–232

deploying, 232–241

IPsec VPN case study, 459

MPLS VPN case study, 475

types of, 148

uRPF, applying, 157

VACLs, 211

aCoPP (aggregate CoPP) deployment, 260–261, 564

activation of rACLs, 233–234

Address Resolution Protocol. See ARP

addresses, 545, 548

attacks, 76

bogon, 161

broadcast, 231

destination, 508

limiting, 239–240

trigger routers, 196

feasible uRPF, 167

loose mode uRPF, 161–163

MAC, 545

dynamically, 208

static, 208

sticky, 208

traffic blocking, 209

Martian, 76, 162

NAT, data plane security, 201–203

networks, 231

next-hop Layer 2, 39

private networks, 76, 162

reflectors, 74

source, 507, 545, 548

limiting, 237–239

strict mode uRPF, 157–161

VRF, 163–166

adjacency tables, 45–46

Advanced Encryption Standard (AES), 378

Advanced Technology Attachment (ATA), 319

advertise passive-only command, 571

advertisements

attacks, 84

BGP

prefix filters, 280–282

prefix limits, 282–283

advertise-passive-only command, 188

AES (Advanced Encryption Standard), 378

AFNOG (African Network Operators’ Group), 605

Agarwal, P., 554

agents

DHCP, 312

SNMP, 306

aggregate CoPP (aCoPP) deployment. See aCoPP

aggressive mode

IKE, 378

SPD, 225

Akyol, B., 554

alerts, Router Alert Label, 371

algorithms, queuing, 170

allow-default keyword, 158, 419, 421

allow-self-ping keyword, 159

alternate reachability, 29

Alvarez, S., 400

analysis of attacks, 602

Andersson, L., 554

Andreasen, F., 400

antispoofing

ACLs, 150, 156, 419

protection, 310, 313, 329, 601

uRPF, 157

Antoine, V., 295

any parameter, 163

APOPS (Asia Pacific Operators Forum), 605

applications, 15, 87

Cisco IOS XR Software, 59

data plane security, 200–207

layers, 13

management, NAT, 203

NBAR, 156

routers, 35

services plane

CE routers, 364–365

deploying QoS, 361–362

Inter-AS, 372–376

IPsec, 376–394

mechanisms (QoS), 351–361

MPLS VPN, 362–363

overview of, 347–350

P routers, 370–372

PE routers, 365–370

QoS, 350–351

SSL VPN, 395–396

video services, 397–398

VoIP, 396–397

applying interface ACLs, 148

APRICOT (Asia Pacific Regional Internet Conference on Operational Technologies), 605

architecture

ACLs, 152

centralized ASIC-based, 52–54

centralized CPU-based, 50–51

distributed ASIC-based, 56–62

distributed CPU-based, 54–56

enterprise networks, 8

in-band, 300–301

IP router types, 50–62

MPLS VPN, 335–341

out-of-band, 300–301

security, enabling, 122

service provider networks, 10

area {area} authentication message-digest command, 572

area authentication message-digest command, 272

area sham-link ttl-security command, 277

area virtual-link ttl-security command, 277

arguments, warn-threshold, 367

Arkin, O., 529

ARP (Address Resolution Protocol), 24, 220

DAI, 288–291

proxy, 220

sticky, 291–292

arp timeout command, 291

AS path limits, 283

ASIC, 52–62

as-path-set command, 568

asymmetric bandwidth, 7

Asynchronous Transfer Mode. See ATM

ATA (Advanced Technology Attachment), 319

ATM (Asynchronous Transfer Mode), 5

attachments, dCoPP policy, 262

attacks

brute force, 520

business data, 103

cyber, 86

defense

breadth and depth, 117–123

core security, 138–141

edge security, 133–138

interfaces, 127–132

IP traffic planes, 123–127

direct, 508

DoS, 66

double 802.1Q encapsulation, 92

double tagging, 92

eBGP, 280

expiry, 101, 150

ICMP, 528–538

incident handling procedures, 597–602

invalid checksums, 516

IP networks, 65–66

control plane, 83–85

malicious network reconnaissance, 88–89

management plane, 85–86

resource exhaustion, 66–75

routing protocol, 81–83

software vulnerability, 87–88

spoofing, 75–76

transport protocol, 76–81

IP Options, 102

IP unreachable, 71

LAND, 512

Layer 2 networks, 89

CAM table overflow, 89–90

MAC spoofing, 90–91

PVLAN, 93–94

STP, 94–95

VLAN hopping, 92–93

VTP, 95

MD5 authentication, 273

MiTM, 75

packet flood, 68

ping of death, 503

PoD, 87

real-time, 102

reconnaissance, 528, 532, 542

reflection, 507–508

RST, 511

SLAs, 102

smurf (ICMP), 528

SNMP, mitigating risk of, 307

spoofing, 519

Stacheldraht v1.666, 502

STP, 292–294

SYN flood, 200–201

TCP, 512

TTL expiry, 71

UDP

Echo/Chargen, 519

Snork, 519

VPN networks, 96

CE, 98–99

Inter-AS, 103–107

IPsec, 108–111

MPLS, 96–98

P, 101–103

PE, 99, 101

WinNuke, 515

authentication, 421

MD5 BGP

IPsec VPN case study, 460

MPLS VPN case study, 477

MD5 OSPF

IPsec VPN case study, 460

MPLS VPN case study, 476

neighbor, 269–270

MD5, 270–273

TTL, 273–277

VTP, 285–286

authentication command, 574

Authentication Header. See AH

authentication key-chain command, 571

authentication mode md5 command, 272

authentication, authorization, and accounting. See AAA

auto secure command, 330

auto trunking, disabling, 210–211

autodiscovery, 311

AutoSecure, 329–330

AUX (auxiliary port), 301

availability, IP networks, 6

B

B channel (bearer channel), 12

backscatter, 533

Baker, F., 215

bandwidth

networks, 68

percent keyword, 358

queuing, 170–171

types of, 7

bandwidth-delay product, 515

banner exec command, 316, 586

banner incoming command, 316–317, 586

banner login command, 317, 586

banner motd command, 317, 586

banner prompt-timeout command, 586

banner slip-ppp command, 318

banners, customizing, 316–318

BCP (best common practice), 597

configuring, 440

IPsec VPN case study, 463

MPLS VPN case study, 480

router security configurations, 424

services, disabling, 220

bearer channel (B channel), 12

BEEP (Blocks Extensible Exchange Protocol), 324

behavior

CoPP, 257

PHB, 502

Behringer, M. H., 400

best common practice. See BCP

between traffic planes, 32

BGP (Border Gateway Protocol), 10, 15

commands, 564

bgp graceful-restart command, 285, 567

bgp log-neighbor-changes command, 331, 582

bgp maxas-limit command, 283, 565

communities

external link protection, 191

trigger router configuration, 197

IPsec VPN case study, 458

MD5, 272

IPsec VPN case study, 460

MPLS VPN case study, 477

MPLS VPN case study, 474

policies

accounting, 331

enforcement using QPPB, 183–187

rACL policies, 237

reachability, 139

security, 279–285, 438

binding tables, DHCP snooping, 287

bits

DF, 504

DSCP, 502

IP headers, 502. See also IP

MF, 504

patterns, 168

black hole filtering, remote triggers, 193–200

black list mode, 163

blocking

traffic, 209

UUFB, 214

blocks, CIDR, 238

Blocks Extensible Exchange Protocol (BEEP), 324

Blue Screen of Death (BSOD), 515

bogon addresses, 76, 161, 507

Bollapragada, V., 400

Bonica, R., 554

boot system flash command, 589

BOOTP (Bootstrap Protocol), 311

Border Gateway Protocol. See BGP

Bottom of Stack (S) field, 553

BPDU (Bridge Protocol Data Unit)

messages, 95

Guard, 292

breadth, principles of defense, 117–118

core security, 138–141

defensive layers, 119–122

edge security, 133–138

interfaces, 127–132

IP traffic planes, 123–127

operational envelope of networks, 122–123

organizational operation, 123

protection, determining need for, 119

Bridge Protocol Data Unit. See BPDU

bridging loops, 213

broadcasts

addresses, 231

CoPP, 265

MPLS VPN case study, 482

storms, 213

brute force attacks, 520

BSOD (Blue Screen of Death), 515

buffers

memory, 512

packets, 68

retransmission, 512

BugToolkit, 602

business data attacks, 103

bypassing

ACL filtering rules, 75

filtering policies, 507

C

CAC (Call Admission Control), 387

caches

CEF, 44–50

fast switching, viewing, 42

Call Admission Control. See CAC

call admission limit command, 387

CAM (content-addressable memory), 89–90

capacity

internal traffic, 9

transit traffic, 9

CapEx (capital expenditure), 6

CAR (committed access rate), 173

Carrier Routing System (CRS-1), 57

Carrier Supporting Carrier. See CsC

carrier-class requirements, 5

case studies

IPsec VPN and Internet access, 406

network topology and requirements, 407–409

router configuration, 409–417

MPLS VPN, 426

network topology and requirements, 426–428

router configuration, 428–441

SP networks, 443–444

IPsec VPN and Internet access, 444–455

MPLS VPN, 463–474

CDP (Cisco Discovery Protocol), 23, 311

CE (Customer Edge) routers

link reachability, 190

security, 364–365

threats, 98–99

CEF (Cisco Express Forwarding), 21, 35, 44–50, 156

dCEF, 58

centralized ASIC-based architectures, 52–54

centralized CPU-based architectures, 50–51

CERT/CC (Computer Emergency Readiness Team/Coordination Center), 604

channels

covert, 503, 516

IP operations, 12

traffic segmentation, 6

checksums

headers, 507

ICMP, 531–541

TCP, 516

UDP headers, 520

Cheng, G., 509

CIA (confidentiality, integrity, and availability), 6

CIDR (classless interdomain routing), 69, 238

Cisco 12000, CoPP implementation, 260–264

Cisco Catalyst 6500/Cisco 7600 CoPP implementation, 264–269

Cisco Discovery Protocol. See CDP

Cisco Express Forwarding. See CEF

Cisco IOS XR Software, 59

Cisco NetFlow. See NetFlow

Cisco Product Security Incident Response Team (PSIRT), 602–604

Cisco Security Center, 603

Cisco Security IntelliShield Alert Manager Service, 603

Cisco Security Vulnerability Policy, 603

Cisco Software Center, 604

Cisco Technical Assistance Center, 602

class of service. See CoS

Class-Based WFQ, 170

classes

maps, defining packet classification MQC, 247

traffic, 170–171, 244

classification

ACLs, 150, 244–247

of attacks, 600

packets, defining MQC class maps, 247

QoS, 171–173, 353

rACLs, 235

SPD, 224. See also SPD

traffic, 148

classless interdomain routing (CIDR), 69, 238

class-map command, 245

class-map construct, 355

clear counters command, 359

clear ip bgp command, 282

CLI (command-line interface), role-based access, 320–324

CLNP (Connectionless Network Protocol), 188

CLNS (Connectionless Network Service), 187

CNNOG (China Network Operators’ Group), 605

Code field (ICMP), 527, 531, 535, 540

codes, ICMP, 522

collateral damage, 66

coloring packets, 171–173

combinations, flags, 514

commands, 273, 315, 558–566, 573, 583, 587

aaa, 579

aaa accounting, 328

aaa authentication, 328

aaa authorization, 328

aaa new-model, 322, 328

access-class {access-list} in, 309

access-group, 576

advertise-passive-only, 188, 571

area {area} authentication message-digest, 572

area authentication message-digest, 272

area sham-link ttl-security, 277

area virtual-link ttl-security, 277

arp timeout, 291

as-path-set, 568

authentication, 574

authentication key-chain, 571

authentication mode md5, 272

auto secure, 330

banner exec, 316, 586

banner incoming, 316–317, 586

banner login, 317, 586

banner motd, 317, 586

banner prompt-timeout, 586

banner slip-ppp, 318

bgp log-neighbor-changes, 582

BGP, 564

bgp graceful-restart, 285, 567

bgp log-neighbor-changes, 331

bgp maxas-limit, 283, 565

boot system flash, 589

call admission limit, 387

clear counters, 359

class-map, 245

clear ip bgp, 282

community-set, 568

control plane security, 562–578

control-plane, 261

control-plane slot {slot-number}, 262

copy, 320

copy running-config startup-config, 208

crypto call admission limit ike sa, 387

crypto ipsec df-bit clear, 391

crypto ipsec fragmentation before-encryption, 391

crypto key generate rsa, 310

data plane security, 558–562

dialer-list, 148

domain lookup disable, 592

drop, 248

ebgp-multihop {hop-count}, 277

enable password, 304, 580

enable secret, 304

enable view, 322

errdisable recovery arp-inspection, 290

errdisable recovery bpduguard, 293

errdisable recovery cause shutdown, 209

errdisable recovery dhcp-rate-limit, 289

event manager, 588

exec-banner, 316

extcommunity, 568

fault manager, 588

file verify auto, 320

flow, 587

ftp, 584

hello-password hmac-md5, 572

hold-queue {length} in, 228

icmp ipv4 rate-limit unreachable, 576

interact, 330

ip access-group, 148

ip address, 231

ip arp inspection filter, 290

ip arp inspection limit rate {pps}, 290

ip arp inspection log-buffer entries {number}, 291

ip arp inspection log-buffer logs {number_of_messages} interval {length_in_seconds}, 291

ip arp inspection trust, 290

ip arp inspection validate dst-mac, 290

ip arp inspection validate dst-mac src-mac, 290

ip arp inspection validate src-mac, 290

ip arp inspection validate ip, 290

ip arp inspection vlan, 289

ip arp inspection vlan {vlan_range} logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}, 291

ip as-path access-list, 568

ip authentication mode eigrp, 572

ip authentication mode eigrp md5, 273

ip bgp-community new-format, 564

ip cef, 46

ip community-list, 568

ip dhcp bootp ignore, 312

ip dhcp snooping, 286

ip dhcp snooping information option allowed-untrusted, 288

ip dhcp snooping information option allow-untrusted, 287

ip dhcp snooping limit rate {rate}, 288

ip dhcp snooping trust, 288

ip dhcp snooping verify mac-address, 287

ip dhcp snooping vlan, 287

ip directed-broadcast, 420

ip domain-name, 310

ip extcommunity-list, 568

ip ftp, 584

ip http access-class, 313

ip http port, 313

ip http secure-server, 311

ip http timeout-policy idle, 315

ip icmp rate-limit unreachable, 179

ip icmp rate-limit unreachables, 576

ip igmp access-group, 278, 576

ip msdp filter-sa-request, 279

ip msdp sa-filter in, 279

ip msdp sa-filter out, 279

ip mtu, 390, 594

ip mtu <value>, 369

ip name-server, 313

ip options, 176

ip options drop, 176–177, 561

ip options ignore, 176

ip ospf message-digest-key key-id encryption-type md5, 572

ip ospf message-digest-key md5, 272

ip ospf ttl-security, 277

ip pim neighbor-filter, 278, 576

ip prefix-list, 282, 567

ip rcmd source-interface, 585

ip receive access-list, 233, 563

ip receive access-list {number}, 233

ip rip authentication key-chain, 272

ip rip authentication mode md5, 272, 573

ip route {prefix} {netmask} Null0, 570

ip route 192.0.2.1 255.255.255.255 Null0, 198

ip route-cache, 40

ip route-cache cef, 46

ip rsvp authentication, 575

ip rsvp authentication challenge, 574

ip rsvp authentication key, 574

ip rsvp authentication type, 574

ip rsvp authentication window-size, 575

ip scp server enable, 320, 584

ip source-track, 332, 588

ip spd mode aggressive, 225, 421

ip spd queue max-threshold, 226

ip spd queue min-threshold, 226

ip ssh, 310

ip ssh port, 310

ip ssh version, 310

ip sticky-arp, 292

ip tcp, 583

ip tcp adjust-mss, 390

ip tcp intercept list, 201

ip tcp intercept mode {intercept | watch}, 201

ip tftp source-interface, 584

ip unreachables, 178

ip verify unicast source reachable-via {rx|any}, 148

ip vrf forwarding, 163

ip vrf select source, 148

ip ssh, 583

ipv4 mtu, 594

ipv4 unreachables disable, 576

key chain, 272, 577

key-source key-chain, 574–575

label accept for {prefix-acl} from {ip-address}, 594

label advertise, 594

life-time, 574–575

line aux 0, 585

line con 0, 585

line console, 585

line default, 585

line template, 585

line vty, 302

line vty 0 4, 585

log-adjacency-changes, 582

logging, 582

logging buffered, 334

logging console disable, 592

logging correlator, 582

logging host, 334

login, 303

lsp-password hmac-md5, 571

mac-address-table static, 209

management plane security, 578–592

management-interface allow, 324

match access-group, 148

match input-interface, 245

match ip address, 148

match protocol arp, 245

match protocol ipv6, 245

maximum prefix, 593

maximum routes, 367, 593

maximum routes {warn-threshold | warn-only}, 367

maximum-prefix, 566

memory free low-watermark processor, 589

message-digest-key, 572

mls qos, 264

mls rate-limit all mtu, 267

mls rate-limit all ttl-failure, 265

mls rate-limit layer2 pdu, 267

mls rate-limit layer2 l2pt, 267

mls rate-limit multicast ipv4, 268

mls rate-limit multicast ipv4 igmp, 267

mls rate-limit multicast ipv6, 268

mls rate-limit unicast acl, 265

mls rate-limit unicast acl vacl-log, 267

mls rate-limit unicast cef glean, 266

mls rate-limit unicast cef receive, 266

mls rate-limit unicast ip features, 266

mls rate-limit unicast ip icmp redirect, 266

mls rate-limit unicast ip icmp unreachable, 265

mls rate-limit unicast ip errors, 267

mls rate-limit unicast ip rpf-failure, 265

mpls ip-ttl-propagate disable, 593

mpls ldp advertise-labels, 278, 594

mpls ldp neighbor {ip-address} password {password}, 574

mpls ldp neighbor labels accept, 278, 594

mpls ldp neighbor password, 272

mpls ldp session protection, 573

mtu, 594

mtu <value>, 369

neighbor {peer address} disable-connected-check, 276

neighbor {peer address} ebgp-multihop 2, 276

neighbor disable-connected-check, 566

neighbor distribute-list, 566

neighbor ebgp-multihop, 276

neighbor password, 272

neighbor password clear, 565

neighbor prefix-list, 282, 566

neighbor remote-as, 237

neighbor route-map, 566

neighbor route-policy, 566

neighbor ttl-security hops, 565

neighbor ttl-security hops {hop-count}, 276

neighbor-filter, 576

neighbor-group ttl-security, 565

neighbor password, 565

neighbor update-source Loopback0, 276

no banner exec, 316

no banner incoming, 317

no banner login, 317

no cdp, 592

no cdp enable, 311

no cdp run, 311, 592

no exec, 313

no exec-banner, 316

no ip bootp server, 312, 592

no ip directed-broadcast, 181, 436, 561

no ip domain lookup, 312

no ip domain-lookup, 313, 592

no ip finger, 313, 424, 440, 591

no ip http server, 311

no ip information-reply, 221, 420, 437, 577

[no] isis advertise prefix, 571

no ip mask-reply, 221, 420, 437, 577

no ip proxy-arp, 220, 422, 438, 577

no ip receive access-list, 233

no ip redirects, 179, 266, 437, 576

no ip source-route, 175, 220, 561

no ip sticky-arp, 292

no ip unreachables, 178–179, 420, 437, 576

no ipv4 directed-broadcast, 561

no ipv4 mask-reply, 577

no ipv4 redirects, 576

no isis advertise prefix, 188

no logging console, 592

no mop enabled, 314, 422

no mpls ip propagate-ttl, 593

no mpls ip propagate-ttl forwarded, 370, 374, 554

no peer neighbor-route, 191

no proxy-arp, 577

no service dhcp, 312

no service finger, 313, 424, 440, 591

no service ipv4 tcp-small-servers, 590

no service pad, 314, 590

no service tcp-small-servers, 314, 590

no service udp-small-servers, 314

no shut down, 209

no shutdown, 289–290, 293

no snmp-server, 309

no spd enable, 229

ntp, 580

ntp disable, 314

parser view, 322

passive, 570

passive-interface, 421, 570–571

password, 303

police, 248

policy-map, 570

policy-map CoPP, 249

prefix-set, 567

privilege, 303, 581

privilege level, 304

process cpu threshold, 589

radius-server, 328

reload, 320

route-map, 569

route-policy, 569

router static, 570

rsvp authentication, 574

rsvp neighbor {IP address} authentication, 575

rsvp interface, 574

scheduler allocate, 589

secret 5, 322

secure boot-config restore (unknown), 319

secure boot-image, 319

secure-boot-config, 319

security authentication failure rate, 305

security passwords min-length, 305

service compress-config, 590

service dhcp com, 312

service password-encryption, 305, 590

service tcp-keepalive, 583

service tcp-keepalives-in, 316

service tcp-keepalives-out, 316

service timestamps debug, 591

service timestamps log datetime msec localtime, 334

services plane security, 592–594

session protection for {acl} duration, 573

set vtp primary, 286

show, 256, 321

show access-list, 254, 256, 264, 358

show adjacency, 45

show auto secure config, 330

show cdp interface, 312

show cef interface policy-statistics, 331

show configuration, 285

show interface, 227

show interface Null0, 194

show interface Null0 accounting, 195

show interface Null0 stats, 195

show ip cef, 45, 231

show ip cef detail, 186

show ip dhcp snooping binding, 287

show ip http server, 313

show ip interface, 161

show ip route, 321

show ip sockets detail, 314

show ip spd, 228–229

show ip ssh, 310

show ip traffic, 161

show line, 302

show logging, 334

show management-interface, 326

show mls qos ip, 264

show policy interface, 155

show policy map control-plane, 255

show policy-map, 252, 359

show policy-map control-plane, 256, 264

show policy-map control-plane input, 253

show port-security, 209

show route-map, 153

show secure bootset, 319

show spd, 228–229

show tcam utilization, 264

show tcp brief all, 315

show version, 319

shutdown, 209, 289–290, 293

snmp-server, 309, 578

snmp-server community, 307

snmp-server packetsize, 308

snmpwalk, 255

spanning-tree bpduguard enable, 293

spanning-tree guard root, 294

spanning-tree portfast bpduguard, 293

spanning-tree portfast bpduguard default, 293

spd extended, 229

spd headroom, 228

ssh, 583

suppressed, 571

switchport, 214

switchport block unicast, 214

switchport port-security, 208

switchport port-security mac-address, 208

switchport port-security mac-address sticky, 208

switchport port-security violation, 209

switchport trunk encapsulation negotiate, 210

tacacs-server, 328, 579

taskgroup, 581

tcp, 583, 585

tftp, 584

transport input, 310

ttl-security all-interfaces, 277

tunnel path-mtu-discovery, 389

usergroup, 581

username, 304, 581

username view, 322

/verify, 320

vtp passwd, 285

window-size, 574–575

write memory, 208

committed access rate (CAR), 173

common pipes, 6, 300–301

communities

ACLs, 307

BGP, 191

triggers, 197–198

community-set command, 568

components, QoS

classification, 353

marking, 353–354

policing, 354

queuing, 354–355

confidentiality, integrity, and availability (CIA), 6

configuration

AAA, 328

ACLs, antispoofing, 156

BGP, 185

AutoSecure, 329–330

BCP, 440

CoPP, 243–260

default routes, 421

DNS, 423, 440

FPM, 169

GRE, 425

IOS BGP prefix filters, 282

IP header precedence, 356–358

IPsec, 425

key chain, 273

management VPN, 337

MD5, 285

MQC, QPPB, 186–187

NetFlow, 333

network exploitation, 497

no ip redirects command, 180

no ip unreachables command, 179

NTP, 423, 440

packet-matching criteria, 168

passwords, 306

PBR ACL modularization, 152–153

QoS

classification, 353

marking, 353–354

policing, 354

queuing, 354–355

rACLs, 234–240

routers

IPsec VPN case study, 448–455

MPLS VPN case study, 467–474

trigger, 195

SNMP, 307, 439

SPD, 225, 229

SSH, 423, 439

strict mode uRPF, 158

syslog, 439

TACACS+, 423, 440

uRPF, VRF, 165

conform drop exceed drop MQC policer actions, 154

conform transmit exceed transmit, 252, 257

conform-action drop exceed-action drop, 257, 259

conform-action transmit exceed-action transmit, 249

congestion, 6

Connectionless Network Protocol (CLNP), 188

Connectionless Network Service (CLNS), 187

connections, RST attacks, 80

console port (CTY), 301

constructs

class-map, 355

policy-map, 355

service-policy, 355

Conta, A., 554

content-addressable memory. See CAM

control packets, 6, 11, 18

control plane, 27–28, 124

ACL filters, 277–279

attacks, 83–85

BGP, 279–285

case study

IPsec VPN and Internet access, 420–422

MPLS VPN, 437–438

CEF, 49

control-plane command, 261

CoPP, 241–242

configuring, 243–260

implementing, 260–269

fast switching, 42

ICMP, 220–222

IPsec VPN case study, 458–460

Layer 2 Ethernet, 285–294

MPLS VPN case study, 474–477

neighbor authentication, 269–270

MD5, 270–273

TTL, 273–277

process switching, 38

rACLs, 230–232

deploying, 232–241

security commands, 562–578

services, disabling, 220

SPD, 222

input queue check, 226

monitoring and tuning, 226–229

state check, 223–226

Control Plane Policing. See CoPP

control-plane slot {slot-number} command, 262

convergence, IS-IS protocols, 188

CoPP (Control Plane Policing), 241–242, 420, 563

configuring, 243–260

CsC, 374

data plane security, 178

IKE, 387

implementing, 260–269

IPsec VPN

access control, 393

case study, 459

MPLS VPN, 437

case study, 476

policies, 367

copy command, 320

copy running-config startup-config command, 208

core routers, rACLs, 234

core security, 138–141

IP, 139–140

MPLS VPN, 140–141

CoS (class of service), 32

counters, 352

hardware, viewing, 264

interfaces, resetting, 359

monitoring, 358

coupling, 538

covert channels, 503, 516

CPE routers, IPsec VPN case study, 446

CPUs

centralized CPU-based architectures, 50–51

distributed CPU-based architectures, 54–56

packet flood attacks, 68

cracking passwords, 86

CRC (cyclic redundancy check), 546

CRS-1 (Carrier Routing System), 57

crypto ACLs, 392

crypto call admission limit ike sa command, 387

crypto ipsec df-bit clear command, 391

crypto ipsec fragmentation before-encryption command, 391

crypto ipsec transform-set configuration, 383

crypto key generate rsa command, 310

crypto map elements, 383

CsC (Carrier Supporting Carrier), 103, 373–374, 551

CTY (console port), 301

CU (currently unused) field, 502

Customer Edge. See CE routers

Custom Queuing, 170

customizing banners, 316–318

cyber attacks, 86

cyclic redundancy check (CRC), 546

D

D channel (delta channel), 12

DA (Destination Address) field, 545, 548

DAI (Dynamic ARP Inspection), 288–291

Data Encryption Standard (DES), 378

Data field (ICMP), 528, 532

data link layer (Layer 2), 14

data offset, 513

data packets, 6, 11

data plane, CEF, 49

data plane, 25–27, 124–125

case study

IPsec VPN and Internet access, 418–420

MPLS VPN, 435–437

CEF, 48

fast switching, 42

IPsec VPN case study, 455–458

MPLS VPN case study, 474

process switching, 37

security

BGP policy enforcement using QPPB, 183–187

commands, 558–562

disabling IP directed broadcasts, 181

FPM, 168–169

ICMP, 178–181

integrity checks, 182

interface ACLs, 147–156

IP layers, 200–207

IP options, 174–178

IP routing, 187–200

Layer 2 Ethernet, 208–214

QoS, 170–174

uRPF, 156–167

Data/Payload field, 550

dCEF (Distributed CEF), 58

dCoPP (distributed CoPP), 262–264, 563

DDR (dial-on-demand routing), 148

de Weger, B., 296

deaggregation, IP prefix, 281

deep packet inspection (DPI), 205–207

Deering, S., 539

default gateways, ICMP Redirects, 179

default routes, 6

configuring, 421

default values, MTU, 369

defense, breadth and depth, 117–118

core security, 138–141

defensive layers, 119–122

determining need for protection, 119

edge security, 133–138

interfaces, 127–132

IP traffic planes, 123–127

operational envelope of networks, 122–123

organizational operation, 123

defining CoPP policies, 243–252

delay, 6–7

Deleskie, J., 295

delta channel (D channel), 12

demilitarized zone. See DMZ

denial-of-service attacks. See DoS attacks

DENOG (German Network Operators Group), 605

deny entry, 245

deny ip any any statement, 151

deny statements, 150, 246, 259

dependencies, 32

deployment

CoPP

defining policies, 243–252

tuning policies, 252–260

QoS, 350, 361–362

rACLs, 232–241

depth, principles of defense, 117–118

core security, 138–141

defensive layers, 119–122

edge security, 133–138

interfaces, 127–132

IP traffic planes, 123–127

operational envelope of networks, 122–123

organizational operation, 123

protection

determining need, 119

DES (Data Encryption Standard), 378

destination, 545, 548

Destination Address (DA) field, 545, 548

destination addresses, 508

limiting, 239–240

trigger routers, 196

destination network reachability, 39

destination ports, 512, 519

Destination Unreachable message (ICMP), 533–543

detection

identification of attacks, 600

IDS, 117

IOS IPS, 205–206

SDFs, 205

devices

adjacency tables, 45–46

services, disabling, 220

DF (Don’t Fragment) bit, 504

DH (Diffie-Hellman), 377

DHCP (Dynamic Host Configuration Protocol)

servers, DoS attacks, 84

snooping, 286–289

DHCPDECLINE messages, 287

DHCPRELEASE messages, 287

diagnostics, ping, 525

dialer-list command, 148

dial-on-demand routing (DDR), 148

Differentiated Services. See DiffServ

Diffie-Hellman (DH), 377

DiffServ (Differentiated Services), 351

direct attacks, 67–70, 508

directed broadcasts

IP, disabling, 181

MPLS VPN case study, 482

disable TTL propagation, MPLS VPN case study, 482

disabling, 175

auto trunking, 210–211

fast switching, 41

HTTP servers, 313

ICMP Redirects, 179

idle user sessions, 315–316

IP

directed broadcasts, 181

DNS-based host name-to-address translation, 312

services, 220

management plane, 311–315

SNMP, 307

SPD, 229

TTL, 370–371

unused services, 422–440

discontiguous network masks, 192–193

discovery, PMTUD, 389

disrupting peering sessions, 83

distributed ASIC-based architectures, 56–62

Distributed CEF (dCEF), 58

distributed CoPP. See dCoPP

distributed CPU-based architectures, 54–56

distribution, labels, 374

DMZ (demilitarized zone), 149

DNS (Domain Name Service), 15

configuring, 423, 440

servers, DoS attacks, 84

Dobbins, R., 606

domain lookup disable command, 592

Domain Name Service. See DNS

Don’t Fragment (DF) bit, 504

Doolan, P., 554

DoS (denial-of-service) attacks, 66–75

direct attacks, 67–70

ICMP, 178–181, 528–538

reflection attacks, 74–75

servers, 84

transit attacks, 70–74

ICMP, 71–72

IP Option, 72–73

multicast, 73–74

TTL expiry attacks, 150

double 802.1Q encapsulation attacks, 92

double tagging attacks, 92

downstream service providers (DSP), 372

DPI (deep packet inspection), 205–207

Drop mode, 176

drops

commands, 248

IP options selective, 175–177

uRPF reports, 161

DSCP bits, 502

DSP (downstream service providers), 372

Dynamic ARP Inspection. See DAI

dynamic auto mode, 210

dynamic desirable mode, 210

Dynamic Host Configuration Protocol. See DHCP

dynamically learned MAC addresses, 208

E

earthquakes, 65

eBGP (external BGP), 437

attacks, 280

peers, external link protection, 190

ebgp-multihop {hop-count} command, 277

Echo Request/Echo Reply query messages (ICMP), 525–529

Eckert, T., 295

edge

recoloring, 561

security, 133–138

Internet, 133–134

MPLS VPN, 136–138

Edge routers

BGP Community-based RTBH Configuration, 198

external link protection, 189–193

IPsec VPN case study, 457

rACLs, 234

EEM (Embedded Event Manager), 331

egress interfaces, 39

EIGRP (Enhanced IGRP)

commands, 572

MD5 authentication, 273

elements, crypto map, 383

Embedded Event Manager (EEM), 331

enable password command, 304, 580

enable secret command, 304

enable view command, 322

enabling

MD5 authentication, 273

password security on lines, 303

rACLs, 234

rate limiters, 268

SCP, 439

security, 122

SPD, 229

uRPF, 156

Encapsulating Security Payload (ESP), 378

encapsulation

adjacency tables, 45–46

double 802.1Q attacks, 92

encryption

AES, 378

layers of defense concept, 117

NULL, 378

tunnels, 31

enterprise networks

case studies

IPsec VPN and Internet access, 406–417

MPLS VPN, 426–441

IP, 7–8

entries

ACEs, 235

deny, 245

permit, 245

EOF (European Operators Forum), 606

ephemeral port numbers, 511

equal-cost best paths, 157

errdisable recovery bpduguard command, 293

errdisable recovery dhcp-rate-limit command, 289

errors, checksums, 516

ESP (Encapsulating Security Payload), 378

Ethernets

control plane security, 285–294

headers, 543–550

port management, 302

threats, 89

CAM table overflow, 89–90

MAC spoofing, 90–91

PVLAN, 93–94

STP, 94–95

VLAN hopping, 92–93

VTP, 95

European Operators Forum (EOF), 606

Evans, J., 215

event manager command, 588

exception packets, 22–24, 178

EXEC banner, 316

EXEC mode, 313

exec-banner command, 316

Experimental Use (EXP) field, 553

expiry attacks, 101

TTL, 71

TTL DoS, 150

exploitation

network configuration, 497

protocols, 525

extcommunity-set command, 568

extended headroom region, SPD, 226, 229

extended translation, 202

external access to web services, 407

external BGP (eBGP), 437

external interfaces, 128–130

interfaces, 409, 428

IPsec VPN case study, 447

MPLS VPN case study, 465

rACLs, 234

external links, 189–193

external to external traffic, 455

external to internal traffic, 418, 455

F

Fabric Interface, 58

Farinacci, D., 554

fast path, 122

fast switching, 35, 39–44

fault manager command, 588

FCS (Frame Check Sequence), 546

feasible uRPF, 167

features, order of operations, 120

FEC (Forwarding Equivalence Class), 552

Fedorkow, G., 554

Feldman, N., 554

Feng, D., 296

Ferguson, P., 215

FIB (Forwarding Information Base), 44–45

CEF receive cases, 266

glean, 266

uRPF, 156

fields, 545

Bottom of Stack (S), 553

Code (ICMP), 527, 531–540

CU, 502

Data (ICMP), 528, 532

Data/Payload, 550

Destination Address (DA), 545, 548

Experimental Use (EXP), 553

Fragment Offset, 503–504

Identification, 503

kind, 516

Label (MPLS), 552

Preamble (PRE), 544, 547

reserved, 513

Start Frame Delimiter (SFD), 544, 548

TTL, 505

Type (ICMP), 526, 530, 534, 540

Type/Length, 550

Unused (ICMP), 531, 541

file system security, 319–320

File Transport Protocol. See FTP

file verify auto command, 320

files

PDHFs, 168

SDFs, 205

Filsfils, C., 215

filters, 235–237

ACLs, 277–279

bypassing, 75

support for IP options, 177

black hole, remote triggers, 193–200

MQC, 154, 241

packets, 148

PBR, 153

policies, bypassing, 507

port numbers, 235–237

prefix, BGP, 280–282

protocols, 235–237

remote traffic, 192–193

RTBH, 157, 458

fin scan mode, 514

finger service, 313

Firestone, S., 400

firewalls, 117

IOS Firewall, 203–205

NAT, 202

FIRST (Forum of Incident Response and Security Teams), 604

flags, 504, 514

ACK, 513

combinations, 514

SYN, 512

URG, 516

Flexible Packet Matching (FPM), 155

data plane security, 168–169

flooding

attacks, 68

packets, SPD, 229

SYN flood attacks, 80

TCP intercepts, 200–201

UUFB, 214

flow, 8, 587

force-multipliers, 7

formatting passwords, 306

forwarding, 35

AutoSecure, 330

CEF, 21

data plane traffic, 26

in-band management interfaces, 301

IP, 18, 35

LFIB, 140

multicast tables, 74

NSF, 284

URPF, data plane security, 156–167

VRF, 31, 136

MPLS VPN case study, 481

uRPF, 163–166

Forwarding Equivalence Class (FEC), 552

Forwarding Information Base. See FIB

Foster, B., 400

FPM (Flexible Packet Matching), 155

data plane security, 168–169

Fragment Offset field, 503–504

fragmentation, 101, 387–389

IP, 236, 246, 368–371

look ahead, 391

offset fragments, 503

packets, 503

Frame Check Sequence (FCS), 546

Frame Relay, 5

frames, jumbo, 546

Fredette, A., 554

Fries, S., 400

FRnOG (FRench Network Operators Group), 605

Fry, S., 400

FTP (File Transport Protocol), 15

ftp command, 584

FULL DROP SPD state, 225

Fuller, V., 295

functions, rACLs, 232. See also commands

G

Gan, D., 554

gateways

default, ICMP Redirects, 179

IGP, 188. See also IGP

Gemberling, B., 606

Generalized TTL Security Mechanism (GTSM), 274–277

Gill, V., 295, 509

global Internet routing, IPsec VPN case study, 446

Gont, F., 539

graceful restart, BGP, 283–285

gratuitous ARP, 220

Greene, B., 606

GTSM (Generalized TTL Security Mechanism), 274–277

H

hackers, 66. See also attacks

hard edge, 10

hardware

counters, viewing, 264

QoS, CoPP, 264

hash processing, MD5, 273

headers

802.1Q, 543–550

AH, 379

checksum, 507

Ethernets, 543–550

ICMP, 521–525

Destination Unreachable message, 533–543

Echo Request/Echo Reply query messages, 525–529

Time to Live Exceeded in Transit error message, 529–533

IP, 16, 497–499

IPv4, 499–510

precedence, 356–358

MPLS, 551–555

PDHFs, 168

ROUTER-ALERT IPv4, 351

TCP, 510–518

UDP, 518, 521

headroom region, SPD, 226–228

Heasley, J., 295, 509

Heffernan, A., 518

hello-password hmac-md5 command, 572

help, 602

hidden keyword, 285

hiding

IP network core infrastructure, 187–188

passwords, VTP, 286

hijacking sessions, 78–80

Hoffman, P., 295

hold-queue {length} in command, 228

hopping attacks, VLAN, 92–93

hops

MPLS, 554

next-hop MTU values, 536

horizontal scans, 508

MSS modification, 389

PMTUD, 389

HSRP (Hot Standby Routing Protocol), 28

HTTP (Hypertext Transfer Protocol), 15, 313

HTTPS (Secure HTTP), 311, 439

hub-and-spoke topology, 407

human errors, 65

hundreds of millions of packets per second (Mpps), 35

hurricanes, 65

Hypertext Transfer Protocol. See HTTP

I

iACLs (infrastructure ACLs), 40, 148, 366

remote traffic, filtering, 192–193

IANA (Internet Assigned Numbers Authority), 231, 506

ICMP (Internet Control Message Protocol)

attacks against TCP, 81

commands, 576

control plane security, 220–222

data plane security, 178–181

headers, 521–525

Destination Unreachable message, 533–543

Echo Request/Echo Reply query messages, 525–529

Time to Live Exceeded in Transit error message, 529–533

IPsec VPN case study, 457

MPLS VPN, 437

case study, 482

Parameter Problem messages, 180

rACL policies, 237

redirects, 266

replies, 69

request packets, 69

Time Exceeded (Type 11) messages, 180, 370

transit attacks, 71–72

unreachable rate limiter, 265

icmp ipv4 rate-limit unreachable command, 576

identification, 235

of attacks, 600

values, 503

Identification field, 503

idle user sessions, disabling, 315–316

IDS (intrusion detection systems), 117

IDSM2 (Intrusion Detection Service Module), 206

IE-NOG (Irish Network Operators Group), 605

IETF OPSEC (Operational Security Capabilities for IP Network Infrastructure), 604

IGMP (Internet Group Management Protocol)

ACL filters, 278

commands, 576

Ignore mode, 176

IGP (Interior Gateway Protocol), 8, 139, 188

MPLS VPN case study, 475

rACL policies, 238

traffic, 420

IPsec VPN case study, 458

IHL (IP Header length), 501

IKE (Internet Key Exchange), 32, 520

IPsec, 377–378

security, 386–387

implementation

CoPP, 260–269

QoS, 355–356

in-band architecture, 300–301

in-band packets, 6

in-band VTY access, 423, 439

incident handling procedures, 597

phases of, 597–602

incoming banners, 317

incoming packets, filtering, 148

industry organizations, 604

industry security organizations, 604

Information Sharing and Analysis Center, 604

infrastructure

DPI, 205–207

enterprise networks, 7–8

IP, 187–188

overview of, 5–7

service provider, 9–11

infrastructure ACLs. See iACLs

ingress packets

SPD, 222

state check, 223–226

initial sequence number (ISN), 512

input queue check, SPD, 226

Integrated Services. See IntServ

integrity checks, IP, 182

intention of attacks, 66

Inter-AS

security, 372–376

threats, 103–107

intercepts, TCP, 200–201

interfaces

ACLs, 222, 418, 435

CsC, 373

data plane security, 147–156

IKE, 387

IPsec VPN access control, 393

IPsec VPN case study, 456

MPLS VPN case study, 481

counters, resetting, 359

CTY, 301

egress, 39

Ethernets, management ports, 302

external

IPsec VPN case study, 447

MPLS VPN case study, 465

rACLs, 234

Fabric Interface, 58

in-band management, 301

internal, 427

IPsec VPN case study, 448

MPLS VPN case study, 465

loopback, 21, 409

IPsec VPN case study, 448

MPLS VPN case study, 466

Loopback0, 422, 439

management plane, 300–303

MPP, 324–326

MTU

modification, 390–391

MPLS VPN case study, 482

Null0, 438

static routes, 421

statistics, 194

receive, 409, 428

IPsec VPN case study, 448

MPLS VPN case study, 466

TCP MSS modification, 390

tunnel, 21, 409

types of, 127–132

logical, 131–132

physical, 128–131

uRPF, 156

Interior Gateway Protocol. See IGP

Intermediate System-to-Intermediate System. See IS-IS

internal interfaces, 130, 427

IPsec VPN case study, 448

MPLS VPN case study, 465

internal Internet access, 407

internal to external traffic, 418, 455

internal to internal traffic, 418, 455

internal traffic capacity, 9

International Telecommunication Union (ITU), 396

Internet

access, 444–455

case studies, 406

router configuration, 409–417

edge, 133–134

peering policy violations, 183

Internet Assigned Numbers Authority (IANA), 231, 506

Internet Control Message Protocol. See ICMP

Internet Group Management Protocol. See IGMP

Internet Key Exchange. See IKE

Internet Printing Protocol (IPP), 520

Internet Protocol. See IP

intranet access, 465

Intrusion Detection Service Module (IDSM2), 206

intrusion detection systems. See IDS

Intrusion Prevention System (IPS), 32, 205–206

IntServ (Integrated Services), 350

invalid flag combinations, 514

IOS

file system security, 319–320

process level, 175

IOS Firewall (IOS FW), 203–205

IOS IPS (IOS Intrusion Prevention System), 205–206

IP (Internet Protocol)

control plane, 219

destination addresses

limiting, 239–240

trigger routers, 196

directed broadcasts, 436

disabling, 181

IPsec VPN case study, 457

enterprise networks, 7–8

errors, 267

forwarding, 18, 35

fragmentation, 101, 368–371

fragments, 236

noninitial, 246

headers, 16, 497–499

IPv4, 499–510

integrity checks, 182

layers, data plane security, 200–207

management plane, 299

MPLS VPN case study, 482

networks

control plane attacks, 83–85

core infrastructure hiding, 187–188

edge router external link protection, 189–193

malicious network reconnaissance, 88–89

management plane attacks, 85–86

resource exhaustion attacks, 66–75

routing protocol attacks, 81–83

software vulnerability attacks, 87–88

spoofing attacks, 75–76

threats against, 65–66

transport protocol attacks, 76–81

operations, 11–19

options

ACL support for filtering, 177

data plane security, 174–178

IPsec VPN case study, 457

MPLS VPN case study, 482

selective drop, 175–177

values, 508

overview of, 5–7

policies, queuing, 170

rACLs, 366–367

reachability, 67, 86

preventing, 184

reassembly, 368–370

routers

architecture types, 50–62

packet processing, 32–50

routing, data plane security, 187–200

security, 6

core, 139–140

service provider networks, 11

service provider networks, 9–11

services plane, 347

source addresses, limiting, 237–239

source guard, 212

source routing, disabling, 175, 220

Source Tracker, 331

spoofing, source guard, 212

static default, IPsec VPN case study, 446

ToS, 236

traffic, 19–24, 123–127

control planes, 27–28

data planes, 25–27

exception/non-IP packets, 22–24

management planes, 29–30

planes, 24–32

receive-adjacency packets, 21–22

services planes, 30–32

transit packets, 20–21

Traffic Export, 332

unreachable attacks, 71

VoIP, 396–397

VPN

CE threats, 98–99

Inter-AS threats, 103–107

IPsec threats, 108–111

MPLS threats, 96–98

P threats, 101–103

PE threats, 99, 101

threats, 96

ip access-group command, 148

ip address command, 231

ip arp inspection filter command, 290

ip arp inspection limit rate {pps} command, 290

ip arp inspection log-buffer entries {number} command, 291

ip arp inspection log-buffer logs {number_of_messages} interval {length_in_seconds} command, 291

ip arp inspection trust command, 290

ip arp inspection validate dst-mac command, 290

ip arp inspection validate dst-mac src-mac command, 290

ip arp inspection validate src-mac command, 290

ip arp inspection vlan {vlan_range} logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}} command, 291

ip arp inspection vlan command, 289

ip as-path access-list command, 568

ip authentication mode eigrp command, 572

ip authentication mode eigrp md5 command, 273

ip bgp-community new-format commands, 564

ip cef command, 46

ip community-list command, 568

ip dhcp bootp ignore command, 312

ip dhcp snooping command, 286

ip dhcp snooping information option allowed-untrusted command, 288

ip dhcp snooping information option allow-untrusted command, 287

ip dhcp snooping trust command, 288

ip dhcp snooping verify mac-address command, 287

ip dhcp snooping vlan command, 287

ip directed-broadcast command, 420

IP DNS-based host name-to-address translation, disabling, 312

ip domain-name command, 310

ip extcommunity-list command, 568

ip ftp command, 584

IP Header Length (IHL), 501

ip http access-class command, 313

ip http port command, 313

ip http secure-server command, 311

ip http timeout-policy idle command, 315

ip icmp rate-limit unreachable command, 179

ip icmp rate-limit unreachables command, 576

ip igmp access-group command, 278, 576

ip msdp filter-sa-request command, 279

ip msdp sa-filter in command, 279

ip msdp sa-filter out command, 279

ip mtu command, 369, 390, 594

ip name-server command, 313

IP network Edge protection, 189–193

IP Options

attacks, 102

transit attacks, 72–73

ip options drop command, 176–177, 561

ip options drop configuration, 419, 436

ip options ignore command, 176, 560

ip ospf message-digest-key key-id encryption-type md5 command, 572

ip ospf message-digest-key md5 command, 272

ip ospf ttl-security command, 277

ip pim neighbor-filter command, 278, 576

ip prefix-list command, 282, 567

ip rcmd source-interface command, 585

ip receive access-list {number} command, 233

ip receive access-list command, 233, 563

ip rip authentication key-chain command, 272

ip rip authentication mode md5 command, 272, 573

ip route {prefix} {netmask} Null0 command, 570

ip route 192.0.2.1 255.255.255.255 Null0 command, 198

ip route-cache cef command, 46

ip route-cache command, 40

ip rsvp authentication challenge command, 574

ip rsvp authentication command, 575

ip rsvp authentication key command, 574

ip rsvp authentication lifetime command, 575

ip rsvp authentication type command, 574

ip rsvp authentication window-size command, 575

ip scp server enable command, 320, 584

ip source-track command, 332, 588

ip spd mode aggressive command, 225, 421

ip spd queue max-threshold command, 226

ip spd queue min-threshold command, 226

ip ssh command, 310, 583

ip ssh port command, 310

ip ssh version command, 310

ip sticky-arp command, 292

ip tcp adjust-mss command, 390

ip tcp command, 583

ip tcp intercept list command, 201

ip tcp intercept mode {intercept | watch} command, 201

ip tftp source-interface command, 584

ip unreachables command, 178

ip verify unicast source reachable-via {rx|any} command, 148

ip vrf forwarding command, 163

ip vrf select source command, 148

IP/Multiprotocol Label Switching. See MPLS

IPP (Internet Printing Protocol), 520

IPS (Intrusion Prevention System), 32, 205–206

Active Update Bulletins, 603

IPsec (IP Security), 425

case studies, 406

network topology and requirements, 407–409

router configuration, 409–417

threats, 108–111

VPNs, 376–394

case study, 444–455

hub-and-spoke topology, 407

IPv4, multicast rate limiters, 267

ipv4 mt command, 594

ipv4 unreachables disable command, 576

IPv6, multicast rate limiters, 268

IS-IS (Intermediate System-to-Intermediate System), 24

advertise-passive-only, 187

MD5 authentication, 272

ISN (initial sequence number), 512

isolation, bandwidth queuing, 170–171

ITU (International Telecommunication Union), 396

Cybersecurity Gateway, 604

J

JANOG (Japan Network Operators’ Group), 605

jitter, 7

Jones, S., 517

jumbo frames, 546

K

Kaeo, M., 606

kamikaze, 515

keepalives, 23, 420, 437

IPsec VPN case study, 459

MPLS VPN case study, 475

keys

chains

commands, 272, 577

configurations, 273

IKE

IPsec, 377–378

security, 386–387

key-source key-chain command, 574–575

keywords

allow-default, 158, 419, 421

allow-self-ping, 159

bandwidth percent, 358

hidden, 285

log, 150

match access-group, 245

match ip dscp, 245

match ip precedence, 245

match mpls experimental, 245

match qos-group, 245

match-all, 247

match-any, 247

priority percent, 358

restart, 283

secret, 286

warning-only, 283

warn-only, 367

Khalid, M., 400

kind values, 516

Kpps (thousands of packets per second), 35

Kuhn, D. R., 400