Routers and switches make up the bulk of network infrastructure and are themselves targets. We hear about mass Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against servers, but the network is just as big a risk: if it is taken out, there is no path for the data to flow. Firewalls and Intrusion Prevention Systems (IPS) protect the hosts behind them, but we also need to protect the networking devices themselves from attack; this protection is known as hardening, and there are additional steps we can take on the routers and switches within our network.
BPDU Guard: Prevents accidental connection of switching devices to PortFast-enabled ports. If a BPDU is received on a port with BPDU Guard enabled, the port is put into the err-disabled state; without it, a switch plugged into a PortFast port can cause Layer 2 loops or topology changes.
BPDU Filtering: Stops the switch from sending BPDUs out PortFast-enabled access ports where no switch should be attached. Enabled globally, it applies only to PortFast ports and a received BPDU still removes PortFast and the filter; enabled per interface, it also discards received BPDUs, which effectively disables STP on that port, so BPDU Guard is normally the safer choice.
Root Guard: Prevents a switch connected to a Root Guard-enabled port from becoming the root bridge. If a superior BPDU arrives on that port, the port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop. Apply it on designated ports facing switches that must never become root (access-layer or customer switches), never on the ports facing the real root.
Loop Guard: Improves the stability of Layer 2 networks by preventing bridging loops caused by a unidirectional link. If a non-designated (root or alternate) port stops receiving BPDUs, Loop Guard moves it to the loop-inconsistent state instead of letting it transition to forwarding.
UDLD: Unidirectional Link Detection exchanges its own protocol messages with the neighbor on each link to detect a unidirectional link (typically a fibre with one failed strand) and err-disables the port when it finds one. Loop Guard and UDLD overlap and are commonly deployed together.
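A Cisco IOS configuration applying these STP protections, added here as an example (it is not from the original notes). Interface numbers, the VLAN topology and the err-disable recovery timer are assumptions; adjust them to the switch in front of you.

```cisco
! Global: BPDU Guard on every PortFast port, Loop Guard on all
! non-designated ports, aggressive UDLD, and automatic recovery so a
! tripped port comes back after 300 s without a manual shut/no shut.
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! Access ports facing end hosts (assumed Gi0/1-22): PortFast plus an
! explicit BPDU Guard. Any BPDU received here err-disables the port.
interface range GigabitEthernet0/1 - 22
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port facing a downstream switch that must never become root (assumed
! Gi0/23). A superior BPDU puts the port into root-inconsistent state.
interface GigabitEthernet0/23
 switchport mode trunk
 spanning-tree guard root
!
! Uplink toward the real root bridge (assumed Gi0/24): Loop Guard and
! per-port aggressive UDLD only. Never put Root Guard here, or the switch
! blocks its own path to the root.
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! Weak alternative, shown for contrast and left commented out:
! interface-level BPDU filter drops received BPDUs and disables STP on
! the port, so a looped cable or a rogue switch there is invisible.
! interface GigabitEthernet0/5
!  spanning-tree bpdufilter enable
```

Verify with `show spanning-tree summary` (which features are enabled and on how many ports), `show spanning-tree inconsistentports` (Root Guard and Loop Guard hits), `show udld neighbors` and `show interfaces status err-disabled`.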
Interface Commands (show interfaces – show interfaces vg-anylan)
Cisco NX-OS/IOS Interface Comparison
Differences between IOS and IOS XE
- IOS is monolithic and tightly bound to the hardware; it provides no isolation between "processes", neither for CPU nor for memory.
- One virtual memory space is shared by all IOS processes: there is no memory protection, so a buffer overflow in one process can corrupt memory belonging to another process or to the kernel and crash the whole device.
- The scheduler is non-preemptive (run to completion): if the SNMP process keeps the CPU busy, other processes (BGP, OSPF, ...) cannot run until it yields.
- You cannot upgrade IOS (or parts of it) without disruption unless you are running expensive dual-supervisor hardware that supports in-service software upgrade.
- IOS XE, by contrast, runs IOS as a daemon (IOSd) on top of a Linux kernel, so processes get their own memory space and a preemptive scheduler, and a fault in one process is far less likely to take the whole platform down.
RIB Vs FIB
The RIB (routing table) and the FIB (forwarding table) are two different tables within an IP networking platform. They share common information but serve two distinct purposes: the RIB is built by the routing protocols and static routes, holds all candidate routes and selects the best one per prefix by administrative distance and metric; the FIB is derived from the RIB (by CEF on Cisco platforms) and holds only the selected next hop for each prefix together with its adjacency (Layer 2 rewrite) information, laid out for fast lookup. They also have different resource profiles: the RIB lives in the control plane (CPU and RAM), while the FIB lives in the data plane, often in ASIC or TCAM memory, which is why a route appearing in `show ip route` but missing from `show ip cef` indicates a control-plane to data-plane sync problem.
DMVPN is a combination of four things:
- Multipoint GRE (mGRE) tunnels, so one tunnel interface on the hub serves every spoke.
- Next Hop Resolution Protocol (NHRP), which maps spoke tunnel addresses to their public (NBMA) addresses.
- Crypto IPsec, applied as a profile to the tunnel interface to encrypt the GRE traffic.
- A dynamic routing protocol (EIGRP, OSPF or BGP) running over the tunnel network.
Overview of attacks & countermeasures
- IP spoofing – IP Source Guard (checks source IP, and optionally MAC, against the DHCP snooping binding table), port ACLs (PACL)
- STP spoofing – BPDU Guard, Root Guard
- MAC spoofing – port security, static CAM table entries for fixed hosts
- DHCP server spoofing – DHCP snooping (only the uplink is a trusted port)
- ARP spoofing – Dynamic ARP Inspection on the switch, built on the DHCP snooping binding table; ARP inspection on the ASA (transparent mode) or an IPS can also catch it
- VLAN hopping – disable DTP negotiation (explicit access or trunk mode plus `switchport nonegotiate`); against double tagging, set the trunk native VLAN to an unused VLAN and prune the allowed VLAN list
- CAM flooding – port security (MAC limit per port), 802.1X
- DHCP starvation – DHCP rate limiting on access ports, plus port security since each request spoofs a new client MAC
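A Cisco IOS access-switch configuration that applies the non-STP rows of this table (the STP rows are the BPDU Guard and Root Guard features described earlier in these notes), added here as an example rather than taken from the original. VLAN 10, the native VLAN 999, the interface numbers, the rate limit, the MAC limit and the static MAC address are assumptions; 802.1X is left out because it also needs a RADIUS server.

```cisco
! Global: DHCP snooping and Dynamic ARP Inspection on the user VLAN. Drop
! option 82 insertion so upstream servers do not reject relayed requests.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Access ports (assumed Gi0/1-22): fixed mode and nonegotiate kill DTP
! (VLAN hopping by switch spoofing); port security caps MACs per port (CAM
! flooding, MAC spoofing, and the fake MACs of DHCP starvation); IP Source
! Guard ties source IPs to the snooping table (IP spoofing); the rate limit
! throttles DHCP starvation outright.
interface range GigabitEthernet0/1 - 22
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ip dhcp snooping limit rate 15
 ip verify source
!
! A fixed server (assumed Gi0/3, MAC 0011.2233.4455): pin the CAM entry so a
! spoofed frame from another port cannot move it.
mac address-table static 0011.2233.4455 vlan 10 interface GigabitEthernet0/3
!
! Uplink trunk (assumed Gi0/24): trusted for DHCP and ARP, unused native
! VLAN and a pruned allowed list so a double-tagged frame has no VLAN 1 to
! ride on.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Weak configuration that the above replaces, left commented out: DTP at
! its default lets a host that speaks DTP negotiate itself into a trunk
! carrying every VLAN, and with no port security or snooping any host can
! flood the CAM table or answer DHCP first.
! interface GigabitEthernet0/5
!  switchport mode dynamic desirable
```

Check the result with `show ip dhcp snooping binding` (the table IP Source Guard and DAI depend on), `show ip arp inspection statistics`, `show port-security interface GigabitEthernet0/1` and `show interfaces trunk`; a trunk that appears on a port you meant to be access-only is the VLAN hopping symptom these settings are meant to prevent.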