Friday 20 May 2022

What is BGP Backdoor? How to configure BGP Backdoor?

BGP backdoor is a well-known BGP feature used to raise the administrative distance (AD) of a specific eBGP-learned prefix. By default, external BGP (eBGP) routes have an AD of 20; marking a prefix with the "network ... backdoor" command gives it an AD of 200 instead. When two routing sources offer a route to the same destination, AD is the first criterion a router uses to decide which one to install: the lower the AD, the more trusted the source.

 

Why do we need to change eBGP AD?

Whenever a router learns a prefix both through eBGP and through an IGP such as OSPF, EIGRP or RIP, it installs the eBGP route, because eBGP's AD of 20 is lower than EIGRP internal (90), OSPF (110) or RIP (120). That is the right default when the eBGP peer is the only path, but not when the IGP path is a direct link you actually want to use.

In some scenarios this becomes a problem. Let's see the configuration.


Topology:


Goal:

  • configure the topology as per the diagram
  • assign the IP addresses
  • configure EIGRP 100 on router 1 and router 3
  • advertise the interfaces
  • configure eBGP peering between router 1 and router 2
  • configure eBGP peering between router 2 and router 3
  • make sure router 1 learns the 192.168.30.1 route over the serial 4/2 link via EIGRP
  • configure backdoor so that 192.168.30.1 is reached via the serial 4/2 link from router 3

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface serial 4/2
R1(config-if)#ip address 3.3.3.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

(R1's link towards R2 is addressed 1.1.1.1/8; that interface configuration was not captured here, but R2's neighbor statement and the BGP adjacency messages below depend on it.)

R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.10.1 255.255.255.255
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive

R2(config-if)#exit

R2(config)#interface loopback 0
R2(config-if)#ip address 192.168.20.1 255.255.255.255
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)# no shutdown
R3(config-if)#exit

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit



R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 3.0.0.0
R1(config-router)#exit

*May 20 13:40:19.679: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.1 (Serial4/2) is up: new adjacency

R1(config)#router bgp 6111
R1(config-router)#neighbor 1.1.1.2 remote-as 6100
R1(config-router)#network 192.168.10.1 mask 255.255.255.255
R1(config-router)#network 10.0.0.0
R1(config-router)#exit
R1(config)#end

*May 20 13:43:29.459: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up

R2(config)#router bgp 6100
R2(config-router)#neighbor 1.1.1.1 remote-as 6111
R2(config-router)#network 192.168.20.1 mask 255.255.255.255
R2(config-router)#neighbor 2.2.2.2 remote-as 6333
R2(config-router)#exit

*May 20 13:43:29.531: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R3(config)#router eigrp 100
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.30.0
R3(config-router)#exit

*May 20 13:40:19.663: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R3(config)#router bgp 6333
R3(config-router)#neighbor 2.2.2.1 remote-as 6100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 192.168.30.1 mask 255.255.255.255
R3(config-router)#exit
R3(config)#end

*May 20 13:42:50.559: %BGP-5-ADJCHANGE: neighbor 2.2.2.1 Up

R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
B        192.168.10.1 [20/0] via 2.2.2.1, 00:02:03


(As the output shows, router 3 reaches R1's loopback 192.168.10.1 via the eBGP route from R2 (next hop 2.2.2.1 on serial 4/1) rather than via EIGRP over the direct serial 4/2 link, because eBGP's AD of 20 beats EIGRP's 90.)

Now let's check on router 1 where it learns the 192.168.30.1 network from:


R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
B        192.168.30.1 [20/0] via 1.1.1.2, 00:01:44

(Router 1 likewise installs 192.168.30.1 via the eBGP route from router 2 (next hop 1.1.1.2), again because of eBGP's lower AD.)

We fix this with the BGP backdoor command on both routers:

R1(config)#router bgp 6111
R1(config-router)#network 192.168.30.1 mask 255.255.255.255 backdoor
R1(config-router)#exit

R3(config)#router bgp 6333
R3(config-router)#network 192.168.10.1 mask 255.255.255.255 backdoor



R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
D        192.168.10.1 [90/2297856] via 3.3.3.2, 00:38:02, Serial4/2


(After the backdoor command, the eBGP route for this prefix carries AD 200, so the EIGRP route (AD 90) wins and is installed over the direct serial 4/2 link.)


A backdoor network is treated like a locally sourced network (AD 200), except that it is not advertised to BGP neighbors. The prefix is not removed from the BGP table: if the EIGRP path disappears, the eBGP route at AD 200 is installed again, so the backdoor keeps the BGP path as a fallback rather than discarding it. Note also that the backdoor command only has a visible effect if an IGP route for that exact prefix exists; on its own it does not create a route.

R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
D        192.168.30.1 [90/2297856] via 3.3.3.1, 00:02:17, Serial4/2
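The route arbitration above can be modelled in a few lines. The following is an added example written for this page in Python (it is not Cisco software and does not talk to a router): a toy RIB that keeps every candidate route per prefix, installs the one with the lowest (AD, metric), and applies the backdoor rule of AD 200 to an eBGP prefix. The r1_lab() function replays R1's view of 192.168.30.1/32, including what happens when the EIGRP path is later withdrawn, which the lab output does not show. The AD table and the metric value are taken from the text; everything else is a constructed illustration.

```python
from dataclasses import dataclass

# Default administrative distances on Cisco IOS (from the text above).
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
      "ospf": 110, "rip": 120, "ibgp": 200}
BACKDOOR_AD = 200  # AD IOS gives an eBGP prefix configured with "network ... backdoor"


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str      # key into AD
    next_hop: str
    metric: int = 0  # protocol metric, only meaningful within one source


class Rib:
    """Toy routing table: keeps every candidate and installs the one with the
    lowest (AD, metric), the same arbitration IOS does between protocols."""

    def __init__(self):
        self.candidates = {}   # prefix -> list[Candidate]
        self.backdoor = set()  # prefixes marked backdoor under 'router bgp'

    def learn(self, cand):
        self.candidates.setdefault(cand.prefix, []).append(cand)

    def withdraw(self, prefix, source):
        self.candidates[prefix] = [c for c in self.candidates.get(prefix, [])
                                   if c.source != source]

    def mark_backdoor(self, prefix):
        self.backdoor.add(prefix)

    def distance(self, cand):
        if cand.source == "ebgp" and cand.prefix in self.backdoor:
            return BACKDOOR_AD
        return AD[cand.source]

    def installed(self, prefix):
        """Return (source, next_hop, AD) of the route that wins, or None."""
        cands = self.candidates.get(prefix, [])
        if not cands:
            return None
        best = min(cands, key=lambda c: (self.distance(c), c.metric))
        return best.source, best.next_hop, self.distance(best)


def r1_lab():
    """Replays R1's view of 192.168.30.1/32 from the lab: eBGP from R2,
    EIGRP from R3, then the backdoor command, then loss of the EIGRP path."""
    rib = Rib()
    pfx = "192.168.30.1/32"
    rib.learn(Candidate(pfx, "ebgp", "1.1.1.2"))
    rib.learn(Candidate(pfx, "eigrp", "3.3.3.1", metric=2297856))
    before = rib.installed(pfx)        # eBGP wins at AD 20
    rib.mark_backdoor(pfx)
    after = rib.installed(pfx)         # EIGRP wins: 90 < 200
    rib.withdraw(pfx, "eigrp")
    fallback = rib.installed(pfx)      # eBGP is still there, now at AD 200
    return before, after, fallback


if __name__ == "__main__":
    for label, route in zip(("before backdoor", "after backdoor", "EIGRP lost"), r1_lab()):
        print(f"{label:16} -> {route}")
```

The third step is the point the lab output cannot show: the backdoor does not delete the BGP path, it only demotes it, so the eBGP route via R2 returns automatically if the direct serial link fails.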

Wednesday 4 May 2022

What is ARP (Address Resolution Protocol)? How ARP works?

 What is ARP (Address Resolution Protocol)?

ARP (Address Resolution Protocol) is the protocol networking devices use to discover the MAC (media access control) address associated with an IPv4 address on the local network. The mapping is learned dynamically and stored in the ARP cache. ARP sits between layer 2 and layer 3 of the OSI model, because the MAC address belongs to the data link layer and the IP address to the network layer.


How does ARP work?

When a PC joins a LAN it is assigned an IP address, statically or dynamically, which it uses as its identity for communication. When a packet destined for a host on a particular LAN arrives at the gateway, the gateway needs the MAC address that belongs to the destination IP address. Mappings already learned are kept in a table called the ARP cache. Whenever a host needs the MAC address of another host on the LAN, it first looks in the cache; if the mapping is there, no ARP broadcast is needed. If it is not, the host sends an ARP request for the network address (in effect, "does anybody know this IP address?").

 


The ARP request is broadcast to all hosts on the LAN, asking whoever uses that particular IP address to respond. The host that recognizes the address as its own immediately sends a unicast ARP reply; the requester stores the mapping in its cache and communication can proceed. Note that ARP carries no authentication: a host accepts whatever reply it receives, which is why the cache contents are worth checking when something on the LAN looks wrong.

 

 

What happens if the host (machine) doesn’t know its own IP address?

In this situation the RARP (Reverse ARP) protocol is used for discovery. In the next chapter we will look at proxy ARP and RARP.

 

What is ARP cache?

The ARP cache is the table where the IP-to-MAC mappings are stored. Its size is limited, and entries age out after a few minutes (the exact timeout depends on the operating system) so that stale mappings do not linger and the table does not fill up. An entry is refreshed or replaced when a host is seen using a different address.
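To make the request/reply exchange and the cache concrete, here is an added example written for this page in Python (not code from the original post). It builds and parses real IPv4-over-Ethernet ARP frames with struct, and models two hosts that each keep an ageing cache: a cache miss produces a broadcast request, the owner of the address answers with a unicast reply, and the entry expires after the timeout. The MAC addresses and the 120-second timeout are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826).
    Requests go to the broadcast MAC; replies are unicast to the asker."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpHost:
    """One LAN host: its own address pair plus an ARP cache with ageing."""

    def __init__(self, ip, mac, timeout=120.0):
        self.ip, self.mac, self.timeout = ip, mac, timeout
        self.cache = {}   # ip -> (mac, time learned)

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry and now - entry[1] < self.timeout:
            return entry[0]
        self.cache.pop(ip, None)   # absent or aged out
        return None

    def resolve(self, ip, now):
        """Cache hit -> ('hit', mac); miss -> ('miss', broadcast request frame to send)."""
        mac = self.lookup(ip, now)
        if mac:
            return "hit", mac
        return "miss", build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def handle(self, frame, now):
        """Process a received ARP frame; return a reply frame to send, or None."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["target_ip"] != self.ip:
            return None
        if pkt["op"] == ARP_REQUEST:
            # "that's my IP": remember the asker and answer with a unicast reply
            self.cache[pkt["sender_ip"]] = (pkt["sender_mac"], now)
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY:
            self.cache[pkt["sender_ip"]] = (pkt["sender_mac"], now)
        return None


if __name__ == "__main__":
    pc = ArpHost("10.1.1.2", "00:0b:be:81:0d:d7")   # constructed addresses
    gw = ArpHost("10.1.1.1", "00:1a:2b:3c:4d:5e")
    state, request = pc.resolve("10.1.1.1", now=0.0)
    reply = gw.handle(request, now=0.0)
    pc.handle(reply, now=0.1)
    print(state, pc.resolve("10.1.1.1", now=1.0), pc.resolve("10.1.1.1", now=500.0)[0])
```

The handle() method accepts any reply addressed to the host's own IP, exactly as real stacks do; that is the behaviour the "no authentication" remark above refers to.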

 

 


ARP Commands

The arp -a command displays the ARP table, i.e. all entries currently in the cache.




arp -g: on Windows this is the same as arp -a.

We use arp -d followed by an address to delete a single entry from the ARP table; on Windows, arp -d * clears all entries.

 




 


 


Tuesday 15 February 2022

What is Time-based access-list? How to configure Time-based access-list?


A time-based access-list is an access-list whose entries are active only during a given time period. It is useful when you want to restrict inbound or outbound traffic on particular days or at particular times.

For example, you may want to block particular traffic on specific days or only during business hours.


 

Time-based access-list

A time-based access-list is easy to implement and gives the administrator fine control over traffic, because traffic can be permitted or denied depending on the time. One caveat: the entries are only as accurate as the router's clock, so set the clock correctly (ideally via NTP) before relying on them.

Let's configure a time-based access-list.

Topology:




  • configure the topology as per the diagram
  • configure IP addresses on the ports
  • configure EIGRP AS 65100 for routing
  • make sure the PC can reach loopback 0 (172.16.1.1) before configuring the time-based access-list
  • configure a time-based access-list on router 1 that blocks ICMP from the PC to 172.16.1.1


R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface ethernet 6/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.1     YES manual up                    up
Ethernet6/0            10.1.1.1        YES manual up                    up



R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit



R3(config)#interface serial 4/0
R3(config-if)#ip address 1.1.1.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address 172.16.1.1 255.255.0.0

R3(config-if)#do show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Serial4/0              1.1.1.2         YES manual up                    up
Loopback0              172.16.1.1      YES manual up                    up


{CONFIGURE PC IP ADDRESS WITH DEFAULT GATEWAY}

PC1> ip 10.1.1.2 255.0.0.0 10.1.1.1




R1(config)#router eigrp 65100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

*Feb 15 12:47:49.483: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 192.168.1.2 (FastEthernet0/0) is up: new adjacency




R2(config)#router eigrp 65100
R2(config-router)#network 1.0.0.0
R2(config-router)#network 192.168.1.0
R2(config-router)#no auto-summary

*Feb 15 12:47:13.891: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 192.168.1.1 (FastEthernet0/0) is up: new adjacency

R2(config-router)#no auto-summary
R2(config-router)#exit






R3(config)#router eigrp 65100
R3(config-router)#network 172.16.0.0
R3(config-router)#network 1.0.0.0
R3(config-router)#no auto-summary

*Feb 15 12:48:24.771: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
R3(config-router)#exit



PC1> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=255 time=96.577 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=255 time=35.450 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=255 time=9.170 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=255 time=5.948 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=255 time=5.712 ms

PC1> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=12.731 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=5.809 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=7.586 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=14.573 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=14.912 ms

PC1> ping 1.1.1.1
84 bytes from 1.1.1.1 icmp_seq=1 ttl=254 time=32.289 ms
84 bytes from 1.1.1.1 icmp_seq=2 ttl=254 time=26.462 ms
84 bytes from 1.1.1.1 icmp_seq=3 ttl=254 time=28.834 ms
84 bytes from 1.1.1.1 icmp_seq=4 ttl=254 time=32.267 ms
84 bytes from 1.1.1.1 icmp_seq=5 ttl=254 time=27.565 ms

PC1> ping 172.16.1.1
84 bytes from 172.16.1.1 icmp_seq=1 ttl=253 time=86.535 ms
84 bytes from 172.16.1.1 icmp_seq=2 ttl=253 time=44.981 ms
84 bytes from 172.16.1.1 icmp_seq=3 ttl=253 time=39.510 ms
84 bytes from 172.16.1.1 icmp_seq=4 ttl=253 time=49.432 ms
84 bytes from 172.16.1.1 icmp_seq=5 ttl=253 time=52.414 ms

PC1> ping 172.16.1.1
84 bytes from 172.16.1.1 icmp_seq=1 ttl=253 time=50.518 ms
84 bytes from 172.16.1.1 icmp_seq=2 ttl=253 time=49.394 ms
84 bytes from 172.16.1.1 icmp_seq=3 ttl=253 time=39.684 ms
84 bytes from 172.16.1.1 icmp_seq=4 ttl=253 time=50.800 ms
84 bytes from 172.16.1.1 icmp_seq=5 ttl=253 time=52.605 ms




(The clock is set by hand here so that the test falls inside the time window; on a production router take the time from NTP instead.)

R1#clock set 0:10:0 1 july 2021

*Jul  1 00:10:00.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:01:35 UTC Tue Feb 15 2022 to 00:10:00 UTC Thu Jul 1 2021,


R1(config)#time-range Work_Hours
R1(config-time-range)#absolute start 00:15 1 july 2021
R1(config-time-range)#absolute start 00:15 1 july 2021 end 00:20 1 july 2021
R1(config-time-range)#exit

(A time-range holds only one absolute statement, so the second line replaces the first. This Work_Hours time-range is not referenced by the access-list below, which uses the periodic NO_ICMP range; only the access-list itself is named Work_Hours.)



R1(config)#time-range NO_ICMP
R1(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday

R1(config-time-range)#periodic weekdays 0:15 to 0:20
R1(config-time-range)#exit


R1(config)#ip access-list extended Work_Hours
R1(config-ext-nacl)#$ost 10.1.1.2 host 172.16.1.1 time-range N0_ICMP
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#end

(The terminal scrolled the first entry in the capture, so only its tail is visible; per the lab goal it is the deny entry for ICMP from host 10.1.1.2 to host 172.16.1.1, bound to the time-range. The capture spells the time-range name "N0_ICMP" with a digit zero: the name in the entry must match the configured time-range NO_ICMP exactly. The explicit permit ip any any is required because an access-list ends with an implicit deny.)

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group Work_Hours out
R1(config-if)#exit



PC1> ping 172.16.1.1
*10.1.1.1 icmp_seq=1 ttl=255 time=22.213 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=2 ttl=255 time=12.513 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=3 ttl=255 time=9.375 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=4 ttl=255 time=9.523 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.1.1.1 icmp_seq=5 ttl=255 time=3.403 ms (ICMP type:3, code:13, Communication administratively prohibited)

(R1 itself answers with ICMP type 3 code 13, administratively prohibited, because the access-list on its outbound interface dropped the packet; the clock was set to 00:10 and the pings were sent inside the 00:15 to 00:20 window. Outside the window the deny entry is inactive and the pings succeed again.)
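The evaluation rules at work here (periodic and absolute time-range statements, first-match with inactive entries skipped, the implicit deny) are easy to get wrong when reading a configuration, so the following added example, written for this page in Python and not part of the original post or of IOS, models them. The lab() function rebuilds R1's NO_ICMP range and Work_Hours access-list and probes them at constructed moments: inside the window on a weekday, with a different protocol, from a different host, after the window, and on a Saturday. The inclusive end minute is an assumption noted in the code.

```python
from datetime import datetime

# Day keywords accepted by the IOS 'periodic' statement, as Python weekday() numbers (Monday = 0).
DAY_SETS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


class TimeRange:
    """Mirrors an IOS time-range: at most one absolute window plus any number of
    periodic entries. With both present, periodic entries only count inside the window."""

    def __init__(self, name):
        self.name = name
        self.absolute = None   # (start, end) datetimes; either may be None
        self.periodic = []     # (weekday set, start minute, end minute)

    def set_absolute(self, start=None, end=None):
        self.absolute = (start, end)   # a second call replaces the first, as on IOS

    def add_periodic(self, days, start, end):
        self.periodic.append((DAY_SETS[days], _minutes(start), _minutes(end)))

    def active(self, now):
        if self.absolute:
            start, end = self.absolute
            if (start and now < start) or (end and now > end):
                return False
        if not self.periodic:
            return True
        minute = now.hour * 60 + now.minute
        # End minute treated as inclusive (assumption; 'to 23:59' covers a whole day on IOS).
        return any(now.weekday() in days and s <= minute <= e for days, s, e in self.periodic)


class ExtendedAcl:
    """Named extended ACL: the first matching *active* entry wins; implicit deny at the end."""

    def __init__(self, name, time_ranges):
        self.name = name
        self.time_ranges = time_ranges   # name -> TimeRange
        self.entries = []                # (action, protocol, src, dst, time-range name or None)

    def add(self, action, protocol, src, dst, time_range=None):
        self.entries.append((action, protocol, src, dst, time_range))

    @staticmethod
    def _addr_match(field, addr):
        return field == "any" or field == addr   # 'host x' written as the bare address

    def evaluate(self, protocol, src, dst, now):
        for action, proto, s, d, tr in self.entries:
            if tr is not None:
                # A misspelled name (the capture's N0_ICMP) fails loudly here instead of
                # silently giving the entry the wrong schedule.
                if not self.time_ranges[tr].active(now):
                    continue           # inactive entry is skipped, not treated as a deny
            if proto in ("ip", protocol) and self._addr_match(s, src) and self._addr_match(d, dst):
                return action
        return "deny"                  # the unwritten final 'deny ip any any'


def lab():
    """R1's configuration from this post, probed at constructed moments
    (the router clock was set to Thursday 1 July 2021 in the lab)."""
    no_icmp = TimeRange("NO_ICMP")
    no_icmp.add_periodic("weekdays", "0:15", "0:20")
    acl = ExtendedAcl("Work_Hours", {"NO_ICMP": no_icmp})
    acl.add("deny", "icmp", "10.1.1.2", "172.16.1.1", time_range="NO_ICMP")
    acl.add("permit", "ip", "any", "any")

    def probe(when, protocol="icmp", src="10.1.1.2"):
        return acl.evaluate(protocol, src, "172.16.1.1", when)

    return {
        "thu_00:17_icmp": probe(datetime(2021, 7, 1, 0, 17)),
        "thu_00:17_tcp": probe(datetime(2021, 7, 1, 0, 17), "tcp"),
        "thu_00:17_other_host": probe(datetime(2021, 7, 1, 0, 17), src="10.1.1.3"),
        "thu_00:25_icmp": probe(datetime(2021, 7, 1, 0, 25)),
        "sat_00:17_icmp": probe(datetime(2021, 7, 3, 0, 17)),
    }


if __name__ == "__main__":
    for case, verdict in lab().items():
        print(f"{case:22} {verdict}")
```

Only the first probe is denied; everything else falls through to the permit, which is what the lab's ping failure and the later recovery correspond to.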








Friday 11 February 2022

What is Network time protocol? How to configure NTP on router?

Network Time Protocol provides what its name says: time. It supplies the correct time to all network devices; in other words, NTP synchronizes computer clocks over packet-switched, variable-latency networks. Correct time within the network matters.

Correct time allows events in the network to be placed in the right order. Clock synchronization is critical for correctly interpreting events in syslog data from different devices.

Advantages of NTP:

It keeps the clocks of all devices consistent with each other and, via an upstream reference, with real time.

Consistent timestamps make logs from different devices comparable, which matters for troubleshooting and for incident investigation.

Authentication systems depend on it: Kerberos tickets, certificate validity periods and time-based one-time passwords all fail when clocks drift too far.

NTP itself can be authenticated (on IOS with ntp authentication-key, ntp trusted-key and ntp server ... key), so a device only accepts time from servers it trusts; the lab below leaves this out, so any host that can reach the routers could answer as a time server.


let's see the configuration on the router:

Topology:


Goal:

  • configure the topology as per the diagram above
  • configure the IP addresses on the ports
  • configure routing with EIGRP AS 65100 and advertise all the ports
  • configure NTP on router 3; the server address will be its loopback 0
  • make sure the rest of the routers take their time from our NTP server

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#do show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
Serial4/0              1.1.1.1         YES manual up                    up
Loopback0              192.168.1.1     YES manual up                    up

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface loopback 0

R2(config-if)#ip address 192.168.2.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#do show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        20.1.1.1        YES manual up                    up
Serial4/0              1.1.1.2         YES manual up                    up
Serial4/1              2.2.2.1         YES manual up                    up
Loopback0              192.168.2.2     YES manual up                    up

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit


R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address 192.168.3.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#do show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        30.1.1.1        YES manual up                    up
Serial4/1              2.2.2.2         YES manual up                    up
Serial4/2              3.3.3.2         YES manual up                    up
Loopback0              192.168.3.3     YES manual up                    up


R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.3 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address 192.168.4.4 255.255.255.0
R4(config-if)#exit

R4(config)#do show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        40.1.1.1        YES manual up                    up
Serial4/2              3.3.3.3         YES manual up                    up
Loopback0              192.168.4.4     YES manual up                    up


R1(config)#router eigrp 65100
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exit


R2(config)#router eigrp 65100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#network 2.0.0.0
R2(config-router)#network 192.168.2.0
R2(config-router)#no auto-summary
R2(config-router)#exit

*Feb 11 12:54:25.263: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency


R3(config)#router eigrp 65100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.3.0
R3(config-router)#no auto-summary
R3(config-router)#exit
R3(config)#end

*Feb 11 12:54:58.699: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 2.2.2.1 (Serial4/1) is up: new adjacency 

*Feb 11 12:55:29.027: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.3 (Serial4/2) is up: new adjacency


R4(config)#router eigrp 65100
R4(config-router)#network 40.0.0.0
R4(config-router)#network 3.0.0.0
R4(config-router)#network 192.168.4.0
R4(config-router)#no auto-summary
R4(config-router)#exit
R4(config)#end

*Feb 11 12:55:08.211: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 192.168.1.1
  Topology : 0 (base)
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1


R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:02:52, Serial4/0
D     3.0.0.0/8 [90/3193856] via 1.1.1.2, 00:02:00, Serial4/0
D     20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:19, Serial4/0
D     30.0.0.0/8 [90/2684416] via 1.1.1.2, 00:02:05, Serial4/0
D     40.0.0.0/8 [90/3196416] via 1.1.1.2, 00:01:36, Serial4/0
D     192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:02:47, Serial4/0
D     192.168.3.0/24 [90/2809856] via 1.1.1.2, 00:01:54, Serial4/0
D     192.168.4.0/24 [90/3321856] via 1.1.1.2, 00:01:31, Serial4/0


R2#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 192.168.2.2
  Topology : 0 (base)
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     3.0.0.0/8 [90/2681856] via 2.2.2.2, 00:01:48, Serial4/1
D     10.0.0.0/8 [90/2172416] via 1.1.1.1, 00:02:47, Serial4/0
D     30.0.0.0/8 [90/2172416] via 2.2.2.2, 00:01:53, Serial4/1
D     40.0.0.0/8 [90/2684416] via 2.2.2.2, 00:01:22, Serial4/1
D     192.168.1.0/24 [90/2297856] via 1.1.1.1, 00:02:47, Serial4/0
D     192.168.3.0/24 [90/2297856] via 2.2.2.2, 00:01:43, Serial4/1
D     192.168.4.0/24 [90/2809856] via 2.2.2.2, 00:01:17, Serial4/1

R3#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 192.168.3.3
  Topology : 0 (base)
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R3#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     1.0.0.0/8 [90/2681856] via 2.2.2.1, 00:01:30, Serial4/1
D     10.0.0.0/8 [90/2684416] via 2.2.2.1, 00:01:30, Serial4/1
D     20.0.0.0/8 [90/2172416] via 2.2.2.1, 00:01:30, Serial4/1
D     40.0.0.0/8 [90/2172416] via 3.3.3.3, 00:01:00, Serial4/2
D     192.168.1.0/24 [90/2809856] via 2.2.2.1, 00:01:30, Serial4/1
D     192.168.2.0/24 [90/2297856] via 2.2.2.1, 00:01:30, Serial4/1
D     192.168.4.0/24 [90/2297856] via 3.3.3.3, 00:00:54, Serial4/2



R4#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
  Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  NSF-aware route hold timer is 240
  Router-ID: 192.168.4.4
  Topology : 0 (base)
    Active Timer: 3 min
    Distance: internal 90 external 170
    Maximum path: 4
    Maximum hopcount 100
    Maximum metric variance 1

R4#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     1.0.0.0/8 [90/3193856] via 3.3.3.2, 00:00:39, Serial4/2
D     2.0.0.0/8 [90/2681856] via 3.3.3.2, 00:00:39, Serial4/2
D     10.0.0.0/8 [90/3196416] via 3.3.3.2, 00:00:39, Serial4/2
D     20.0.0.0/8 [90/2684416] via 3.3.3.2, 00:00:39, Serial4/2
D     30.0.0.0/8 [90/2172416] via 3.3.3.2, 00:00:39, Serial4/2
D     192.168.1.0/24 [90/3321856] via 3.3.3.2, 00:00:39, Serial4/2
D     192.168.2.0/24 [90/2809856] via 3.3.3.2, 00:00:39, Serial4/2
D     192.168.3.0/24 [90/2297856] via 3.3.3.2, 00:00:39, Serial4/2


R3#show clock
*13:05:18.351 UTC Fri Feb 11 2022

R3#clock set 15:15:15 25 july 2020

*Jul 25 15:15:15.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:06:12 UTC Fri Feb 11 2022 to 15:15:15 UTC Sat Jul 25 2020, configured from console by console.

R3#show clock

15:15:23.199 UTC Sat Jul 25 2020


R3(config)#ntp master 8
R3(config)#ntp source loopback 0
R3(config)#ntp server 192.168.3.3

(ntp master 8 makes R3 an authoritative server at stratum 8 that uses its own local clock as reference. ntp source loopback 0 makes R3 send NTP from 192.168.3.3, which stays reachable whichever physical link is used. The ntp server 192.168.3.3 line on R3 itself is unnecessary: it only creates an association with the router's own address, which shows up as the .INIT. entry with reach 0 in show ntp associations below.)

R1#show clock
*13:14:36.687 UTC Fri Feb 11 2022

R1(config)#ntp server 192.168.3.3
R1(config)#exit


R1#show clock
*15:23:34.069 UTC Sat Jul 25 2020


R2#show clock
*13:13:01.619 UTC Fri Feb 11 2022

R2(config)#ntp server 192.168.3.3
R2(config)#exit

R2#show clock
*15:24:01.200 UTC Sat Jul 25 2020


R4#show clock
*13:14:40.535 UTC Fri Feb 11 2022

R4(config)#ntp server 192.168.3.3
R4(config)#exit

R4#show clock
15:24:56.677 UTC Sat Jul 25 2020

R3#show ntp packets
Ntp In packets                  :  27
Ntp Out packets                 :  36
Ntp bad version packets         :  0
Ntp protocol error packets      :  0



R3#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 55200 (1/100 of seconds), resolution is 4000
reference time is E2C6CD63.0A3E5987 (15:25:23.040 UTC Sat Jul 25 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.35 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 8 sec ago.


R3#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           7     14     16   377  0.000   0.000  0.235
 ~192.168.3.3     .INIT.          16      -     64     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
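The show ntp status output prints the reference time as a raw 64-bit NTP timestamp (E2C6CD63.0A3E5987) and the client side of the protocol reduces to four timestamps. The following added example, written for this page in Python and not part of the original post or of any NTP implementation, decodes that timestamp format, serialises and parses the 48-byte NTP header (RFC 5905), and computes the clock offset and round-trip delay from a constructed client/server exchange in which the client clock is 5 seconds behind and each direction takes 50 ms. The server reply is built to look like R3's (mode 4, stratum 8, reference 127.127.1.1); the exchange itself is made up.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, ref id, 4 x 64-bit timestamps
HDR = "!BBbbiI4s8I"


def ts_to_datetime(seconds, fraction):
    """NTP 64-bit timestamp (32-bit seconds since 1900, 32-bit fraction) -> UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=seconds,
                                 microseconds=round(fraction * 1_000_000 / 2**32))


def parse_show_ntp_timestamp(text):
    """'E2C6CD63.0A3E5987', as printed by 'show ntp status', -> UTC datetime."""
    sec_hex, frac_hex = text.split(".")
    return ts_to_datetime(int(sec_hex, 16), int(frac_hex, 16))


def ts_from_float(t):
    """Float seconds since the NTP epoch -> (seconds, fraction) pair."""
    sec = int(t)
    return sec, int((t - sec) * 2**32)


def ts_to_float(sec, frac):
    return sec + frac / 2**32


def build_ntp(mode, stratum, ref_id, ref, orig, rx, tx, li=0, vn=4,
              poll=4, precision=-18, root_delay=0.0, root_disp=0.0):
    """Serialise a 48-byte NTP header. Timestamps are floats in NTP-epoch seconds."""
    fields = [(li << 6) | (vn << 3) | mode, stratum, poll, precision,
              int(root_delay * 2**16), int(root_disp * 2**16), ref_id]
    for t in (ref, orig, rx, tx):
        fields.extend(ts_from_float(t))
    return struct.pack(HDR, *fields)


def parse_ntp(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(HDR, data[:48])
    ts = [ts_to_float(f[7 + i], f[8 + i]) for i in range(0, 8, 2)]
    ref_id = f[6]
    return {
        "li": f[0] >> 6, "vn": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / 2**16, "root_dispersion": f[5] / 2**16,
        # stratum 0/1 carry a 4-character code such as LOCL; stratum >= 2 the IPv4 address of the reference
        "ref_id": (ref_id.decode("ascii", "replace").rstrip("\0") if f[1] <= 1
                   else ".".join(str(b) for b in ref_id)),
        "reference": ts[0], "originate": ts[1], "receive": ts[2], "transmit": ts[3],
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 client arithmetic: t1 client send, t2 server receive, t3 server send, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def lab_exchange():
    """Constructed exchange (not captured from the lab): the client's clock is 5 s behind the
    server's and each direction takes 50 ms; the server processes the request in 10 ms."""
    t1 = 3804679523.0            # client sends            (client clock)
    t2 = t1 + 5.0 + 0.05         # server receives         (server clock)
    t3 = t2 + 0.01               # server replies          (server clock)
    t4 = t1 + 0.11               # client receives         (client clock)
    reply = build_ntp(mode=4, stratum=8, ref_id=bytes([127, 127, 1, 1]),
                      ref=t2 - 8, orig=t1, rx=t2, tx=t3)
    pkt = parse_ntp(reply)
    offset, delay = offset_and_delay(pkt["originate"], pkt["receive"], pkt["transmit"], t4)
    return pkt, offset, delay


if __name__ == "__main__":
    print("R3 reference time:", parse_show_ntp_timestamp("E2C6CD63.0A3E5987"))
    pkt, offset, delay = lab_exchange()
    print(f"stratum {pkt['stratum']} ref {pkt['ref_id']} offset {offset:+.3f}s delay {delay:.3f}s")
```

The decoded reference time reproduces the 15:25:23.040 UTC Sat Jul 25 2020 that IOS printed next to the hex value, and the computed offset is the +5 s correction the client would apply; a reply that is unauthenticated, as in this lab, is accepted purely on that arithmetic.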




 


 


Thursday 21 October 2021

What is DHCP Snooping? What is Man in the Middle attack? How to configure DHCP Snooping security?


DHCP (Dynamic Host Configuration Protocol) servers provide the basic information a client needs to operate on the network: an IP address, subnet mask, default gateway, DNS server addresses and more.


Imagine an attacker brings a rogue DHCP server onto the same subnet as the other PCs. When a PC broadcasts a DHCP request, the attacker's server can answer with a DHCP reply that names the attacker's own IP address as the default gateway; it only has to answer before the legitimate server does.





When the client accepts the attacker's reply it uses the spoofed gateway, so all of its off-subnet traffic passes through the attacker's machine first. The attacker may well forward the packets on to the correct destination, but can inspect or alter every packet on the way: a man-in-the-middle attack that the client never notices.





Cisco switches use the DHCP snooping feature to prevent this. With snooping enabled, each switch port is either trusted or untrusted. Only the port leading to the legitimate DHCP server (or the uplink towards it) is configured as trusted; all other ports are untrusted. DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped before they can reach the VLAN, so a rogue server on an access port cannot answer clients. If a DHCP rate limit is configured on an untrusted port, exceeding it puts the port into the err-disabled state. The switch also builds a DHCP snooping binding table (MAC address, IP address, lease, VLAN and port) from the exchanges it forwards; features such as Dynamic ARP Inspection and IP Source Guard rely on that table.
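The switch-side logic described above can be expressed compactly. The following added example, written for this page in Python and not Cisco code, parses a minimal DHCP payload (BOOTP header, magic cookie, options 53 and 54) and models a snooping switch: server messages from untrusted ports are dropped, the source MAC is checked against chaddr (the default MAC verification), an untrusted port that exceeds a rate limit is err-disabled, and forwarded ACKs populate the binding table. The port names, MAC addresses and the replayed scenario (PC on Fa0/2, rogue server on Fa0/3, real router on trusted Gi0/1) are constructed for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSG_TYPES = {OFFER, ACK, NAK}   # only a DHCP server sends these


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", server_id=None, xid=0x1234):
    """BOOTP header (236 bytes) + magic cookie + options; enough for snooping decisions."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ip_bytes(server_id)
    return hdr + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(data):
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                             # 0 = pad
            i += 1
            continue
        tag, ln = data[i], data[i + 1]
        opts[tag] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": data[0], "yiaddr": ip_str(data[16:20]), "chaddr": bytes(data[28:34]),
            "msg_type": opts.get(53, b"\0")[0],
            "server_id": ip_str(opts[54]) if 54 in opts else None}


class DhcpSnoopingSwitch:
    """Per-port trust state, server-message filtering, MAC verification, a per-port
    rate limit that err-disables the port, and the binding table."""

    def __init__(self, trusted_ports, rate_limit_pps=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.recent = {}       # port -> arrival times within the last second
        self.err_disabled = set()
        self.pending = {}      # chaddr -> client port, learned from DISCOVER/REQUEST
        self.bindings = {}     # chaddr -> (ip, client port), learned from forwarded ACKs

    def ingress(self, port, src_mac, payload, t):
        """Decide the fate of one DHCP payload seen on 'port' at time t (seconds)."""
        if port in self.err_disabled:
            return "drop:err-disabled"
        pkt = parse_dhcp(payload)
        if port not in self.trusted:
            if self.rate_limit is not None:
                window = [x for x in self.recent.get(port, []) if t - x < 1.0] + [t]
                self.recent[port] = window
                if len(window) > self.rate_limit:
                    self.err_disabled.add(port)
                    return "drop:rate-limit,err-disabled"
            if pkt["op"] == BOOTREPLY or pkt["msg_type"] in SERVER_MSG_TYPES:
                return "drop:server-message-on-untrusted-port"
            if src_mac != pkt["chaddr"]:      # 'ip dhcp snooping verify mac-address' (on by default)
                return "drop:chaddr-mismatch"
            if pkt["msg_type"] in (DISCOVER, REQUEST):
                self.pending[pkt["chaddr"]] = port
        if pkt["msg_type"] == ACK and pkt["yiaddr"] != "0.0.0.0":
            client_port = self.pending.get(pkt["chaddr"])
            if client_port is not None:
                self.bindings[pkt["chaddr"]] = (pkt["yiaddr"], client_port)
        return "forward"


def lab():
    """Constructed replay: PC on Fa0/2, rogue server on Fa0/3, router on trusted Gi0/1."""
    pc = bytes.fromhex("000bbe810dd7")        # made-up MAC addresses
    rogue = bytes.fromhex("0200deadbeef")
    router = bytes.fromhex("00112233aabb")
    sw = DhcpSnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit_pps=10)
    steps = [
        sw.ingress("Fa0/2", pc, build_dhcp(BOOTREQUEST, DISCOVER, pc), 0.0),
        sw.ingress("Fa0/3", rogue, build_dhcp(BOOTREPLY, OFFER, pc, "10.0.0.50", "10.0.0.66"), 0.1),
        sw.ingress("Gi0/1", router, build_dhcp(BOOTREPLY, OFFER, pc, "10.0.0.2", "10.0.0.1"), 0.1),
        sw.ingress("Fa0/2", pc, build_dhcp(BOOTREQUEST, REQUEST, pc), 0.2),
        sw.ingress("Gi0/1", router, build_dhcp(BOOTREPLY, ACK, pc, "10.0.0.2", "10.0.0.1"), 0.3),
    ]
    # The rogue host then floods DISCOVERs: the 11th within a second trips the limit.
    flood = [sw.ingress("Fa0/3", rogue, build_dhcp(BOOTREQUEST, DISCOVER, rogue), 5.0 + i * 0.01)
             for i in range(12)]
    return steps, flood, dict(sw.bindings), set(sw.err_disabled)


if __name__ == "__main__":
    steps, flood, bindings, err_disabled = lab()
    print(steps, flood[-2:], bindings, err_disabled, sep="\n")
```

The rogue OFFER is the second step: it is dropped at the port, so the PC only ever sees the legitimate OFFER and ACK, and the binding table ends up holding the PC's real lease on its real port.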


Let's see the attack first, and then the DHCP snooping configuration that prevents it.


Topology: (built in Cisco Packet Tracer)

Goal:

  • configure the topology as per the diagram in Cisco Packet Tracer
  • configure an IP address on router 1
  • configure a DHCP server on router 1
  • make sure all clients get the basic information: IP address, subnet mask, default gateway and DNS address
  • configure the attacker machine as a DHCP server
  • switch each client (PC) from static to DHCP again and verify whether its settings have changed (ipconfig /all)
  • configure the switch to stop the attacker with DHCP snooping
  • switch the PCs from static to DHCP once more and confirm they get their settings from the legitimate server again



Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#ip dhcp pool SERVER
Router(dhcp-config)#network 10.0.0.0 255.255.255.0
Router(dhcp-config)#default-router 10.0.0.1
Router(dhcp-config)#dns-server 10.0.0.80
Router(dhcp-config)#exit

Router(config)#ip dhcp excluded-address 10.0.0.1
Router(config)#ip dhcp excluded-address 10.0.0.80
Router(config)#exit



Make sure all clients get the basic information: IP address, subnet mask, default gateway and DNS address.





(FROM PC 1)

Packet Tracer PC Command Line 1.0
C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7

(FROM PC 2)

Packet Tracer PC Command Line 1.0
C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7

(FROM PC 3)

C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 0060.472C.94D8
Link-local IPv6 Address.........: FE80::260:47FF:FE2C:94D8
IP Address......................: 10.0.0.4
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D9-76-38-6D-00-60-47-2C-94-D8

All three PCs report DHCP Servers: 10.0.0.1, i.e. router 1, as expected.




  • configure the attacker machine as a DHCP server

ATTACKER(config)#interface gigabitEthernet 0/0
ATTACKER(config-if)#ip address 192.168.10.1 255.255.255.0
ATTACKER(config-if)#no shutdown
ATTACKER(config-if)#exit

ATTACKER(config)#ip dhcp pool MIB
ATTACKER(dhcp-config)#network 192.168.10.0 255.255.255.0
ATTACKER(dhcp-config)#default-router 192.168.10.1
ATTACKER(dhcp-config)#dns-server 192.168.10.80
ATTACKER(dhcp-config)#exit

ATTACKER(config)#ip dhcp excluded-address 192.168.10.1
ATTACKER(config)#ip dhcp excluded-address 192.168.10.80
ATTACKER(config)#exit



  • switch each client (PC) from static to DHCP again and verify whether its settings have changed (ipconfig /all)

(FROM PC 1)

The attacker's server got PC 1: the PC now holds a lease from the 192.168.10.0/24 pool, with 192.168.10.1 as its default gateway and 192.168.10.80 as its DNS server.

(FROM PC 2)

The attacker's server got PC 2 too.

(FROM PC 3)

The attacker's server got all our PCs. With nothing on the switch filtering DHCP, whichever server answers a client first wins, and the rogue server sits on the same LAN segment as the clients.


  • now configure the switch to stop the attacker with DHCP snooping

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit

FastEthernet 0/1 is the port towards router 1, the legitimate DHCP server, so it is the only port marked trusted; the PC ports and the attacker's port stay untrusted and any DHCP OFFER or ACK the attacker sends is dropped there. No per-port rate limit is set in this lab (the show output further down lists "unlimited"); in production the untrusted ports should get a low rate limit so that a host flooding DHCP requests is err-disabled rather than starving the server.

With snooping on, the switch inserts option 82 (relay agent information) into the client requests it forwards. A Cisco IOS DHCP server discards requests that carry option 82 but have giaddr set to 0 unless it is told to trust them, so router 1 needs the following (the alternative is to stop the switch inserting option 82 at all):

Router(config)#ip dhcp relay information trust-all
Router(config)#exit



  • after configuring DHCP snooping, switch each PC from static to DHCP again

(FROM PC 1)

(FROM PC 2)

(FROM PC 3)

Each PC now gets its lease from router 1 (10.0.0.1) again; the attacker's offers never leave its switch port. The two show commands on the switch confirm the trust state of each port and the leases the switch has learned.

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet1/1            no         unlimited
FastEthernet2/1            no         unlimited
FastEthernet3/1            no         unlimited
FastEthernet0/1            yes        unlimited

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:0B:BE:81:0D:D7   10.0.0.5         86400       dhcp-snooping  1     FastEthernet1/1
00:D0:97:B1:1E:E3   10.0.0.3         86400       dhcp-snooping  1     FastEthernet2/1
00:60:47:2C:94:D8   10.0.0.4         86400       dhcp-snooping  1     FastEthernet3/1
Total number of bindings: 3



 


 



What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?

 Virtual Router Redundancy Protocol (VRRP) is a gateway redundancy networking protocol used to create a virtual gateway similar to HSRP . VR...