How to Secure Cisco Routers and Switches

Routers and switches make up the bulk of network infrastructure and are vulnerable to attack. We hear about mass Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS), but the network itself is as big a risk: if it is taken out, there is no path for the data to flow. Although network infrastructure is vital, we also need to protect the networking devices themselves from attack; this protection is known as hardening. Firewalls will help, along with Intrusion Prevention Systems (IPS), but there are additional steps we can take to harden the routers and switches within our network.

BPDU Guard, BPDU Filter, Root Guard, Loop Guard & UDLD

BPDU Guard: Prevents accidental connection of switching devices to PortFast-enabled ports. Connecting switches to PortFast-enabled ports can cause Layer 2 loops or topology changes.

BPDU filtering: Restricts the switch from sending unnecessary BPDUs out access ports.

Root Guard: Prevents switches connected on ports configured as access ports from becoming the root switch.

Loop Guard: The Loop Guard STP feature improves the stability of Layer 2 networks by preventing bridging loops.

UDLD: Unidirectional Link Detection (UDLD) detects and disables unidirectional links.

CCNP Switch bonus – Troubleshooting Ethernet

Troubleshooting Ethernet
http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1904.html

Interface Commands (show interfaces – show interfaces vg-anylan)
http://www.cisco.com/c/en/us/td/docs/ios/12_2/interface/command/reference/finter_r/irfshoin.html

Cisco NX-OS/IOS Interface Comparison
http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_Interface_Comparison

Differences between IOS and IOS XE

Cisco IOS:

  • IOS is monolithic and tightly coupled to the hardware, and does not provide any kind of isolation between “processes”, neither from a CPU nor a memory point of view.
  • Virtual memory is shared by all IOS processes: nothing prevents buffer overflows.
  • The scheduler is non-preemptive: if the SNMP process decides to keep the CPU busy, it can, and other processes (BGP…) will be prevented from running.
  • You cannot upgrade IOS (or parts of it) without disruption unless you are running expensive dual-supervisor hardware.

RIB vs FIB

The RIB (routing table) and the FIB (forwarding table) are two different tables within an IP networking platform. They share common information but serve two distinctly different purposes, and each is given a different amount of resources to perform its respective role.

Private VLAN’s and PVLAN Edge

Overview of attacks & countermeasures

  • IP Spoofing – IP Source Guard, PACL
  • STP Spoofing – BPDU Guard, Root Guard
  • MAC Spoofing – Port Security, static CAM table entries
  • DHCP Server Spoofing – DHCP Snooping
  • ARP Spoofing – ARP Inspection (ASA + IPS)
  • VLAN Hopping – Disable auto DTP *
  • CAM Floods – Port Security, 802.1X
  • DHCP Starvation – DHCP rate limiting