Sunday 1 October 2023

What is DAI (Dynamic ARP Inspection)? | How to configure Dynamic ARP Inspection DAI? | cyber-attack prevention | ARP Poisoning prevention.

 Dynamic ARP Inspection 

ARP (Address Resolution Protocol) is the protocol network devices use to discover the MAC (media access control) address that belongs to an IPv4 address (the internet-layer address). The IP-to-MAC mapping is learned dynamically and stored in the ARP cache. ARP sits between Layer 2 and Layer 3 of the OSI model, because the MAC address lives on the data link layer and the IP address on the network layer. In other words, ARP is a Layer 2 protocol that maps an IP address (Layer 3) to a MAC address (Layer 2). ARP has no authentication: any host can answer an ARP request, or send an unsolicited reply, claiming any IP address, and that is exactly what ARP poisoning exploits.

DAI (Dynamic ARP Inspection) is a switch security feature that protects against ARP poisoning. DAI validates every ARP packet received on an untrusted interface; by default all interfaces are untrusted, so all of them undergo validation. The switch compares the sender IP address and sender MAC address in each ARP request and reply against the DHCP snooping binding database and any configured ARP access list. If the IP-to-MAC binding matches, the packet is forwarded; if it does not, the packet is dropped and a log message is generated. Because DAI intercepts all ARP requests and replies and verifies the binding before the packet is forwarded, an attacker on an untrusted port cannot poison the ARP cache of other hosts or of the gateway, which is how DAI prevents the ARP-based man-in-the-middle attack. Note that DAI depends on DHCP snooping: without a binding table (or an ARP ACL for statically addressed hosts) every ARP packet on an untrusted port is dropped.

 

An attacker may also send a large number of ARP messages to drive up the switch CPU. To prevent this, DAI rate-limits incoming ARP packets on untrusted interfaces (the default is 15 packets per second, measured over a 1-second burst interval; trusted interfaces are not rate-limited) and puts a port that exceeds the limit into the err-disabled state. After enabling DAI some services may break, such as proxy ARP or hosts with static addresses that have no DHCP snooping binding. The solution is to configure those ports as trusted for DAI, or to bind the static IP-to-MAC pairs with an ARP access list, and to enable errdisable recovery for arp-inspection so a rate-limited port comes back on its own.


Let’s see the configuration to get a better understanding.


Topology: -




  • configure the topology as per the diagram
  • configure VLAN 100, name DAI
  • assign all the active ports to VLAN 100
  • configure PortFast on all the active access ports
  • configure the IP address 192.168.1.1/24 on fa0/0
  • configure a DHCP server for the 192.168.1.0/24 network
  • configure the DNS server IP 192.168.1.80
  • configure Eth 1/0 as trusted for DHCP snooping
  • configure the switch to prevent ARP poisoning attacks on VLAN 100
  • configure DHCP snooping on VLAN 100
  • make sure the PC on Ethernet 0/2 bypasses DAI inspection and can ping the default gateway
  • configure an ARP access list that binds the IP to the MAC for hosts on the untrusted active ports
  • make sure all the untrusted ports undergo the inspection
  • configure the ARP inspection rate limit of 8 packets per second and its burst interval
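Here is a complete router and switch configuration for the goals above, added as an example; it is not the original lab's configuration. Router fa0/0, the trusted uplink Eth1/0 and the bypass PC on Eth0/2 come from the goal list; the other interface names, the pool name DAI_POOL and the statically addressed host on Eth0/3 (192.168.1.50, MAC 0000.1111.2222) are assumptions made for illustration.

```cisco
! Added example; not the original lab's configuration. Interface names other than
! Fa0/0, Eth1/0 and Eth0/2, the pool name and the static host are assumed.
!
! ===== Router: gateway and DHCP server for 192.168.1.0/24 =====
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool DAI_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.80
!
! ===== Switch: VLAN 100, access ports, PortFast =====
vlan 100
 name DAI
interface range Ethernet0/1 - 3
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
interface Ethernet1/0
 description uplink to router (DHCP server)
 switchport mode access
 switchport access vlan 100
!
! DHCP snooping first: DAI validates ARP against the snooping binding table.
! Option 82 insertion is on by default and an IOS DHCP server drops such
! requests, so turn it off in a lab without a relay.
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
interface Ethernet1/0
 ip dhcp snooping trust
!
! Dynamic ARP Inspection on VLAN 100 (every port is untrusted by default)
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
! The uplink never gets a binding of its own, so it must be trusted for DAI too
interface Ethernet1/0
 ip arp inspection trust
! The PC on Eth0/2 bypasses inspection: trust the port
interface Ethernet0/2
 ip arp inspection trust
!
! Static host on Eth0/3 (assumed) has no DHCP binding: bind it with an ARP ACL
arp access-list STATIC_HOSTS
 permit ip host 192.168.1.50 mac host 0000.1111.2222
ip arp inspection filter STATIC_HOSTS vlan 100
!
! Rate-limit ARP on the untrusted access ports: 8 pps over a 1-second burst interval
interface range Ethernet0/1 , Ethernet0/3
 ip arp inspection limit rate 8 burst interval 1
! Bring a port back automatically after the rate limit err-disables it
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
! ===== Verification =====
show ip dhcp snooping binding
show ip arp inspection vlan 100
show ip arp inspection interfaces
show ip arp inspection statistics vlan 100
show ip arp inspection log
```

Two things worth checking when a legitimate host loses connectivity after this: the ARP ACL is evaluated before the binding table, so a packet the ACL explicitly denies is dropped even if a DHCP binding exists, while a packet the ACL does not match falls through to the binding table (adding the static keyword to the filter command turns the ACL's implicit deny into a real deny and stops that fall-through); and the DHCP Drops and ACL Drops counters in show ip arp inspection statistics tell you which of the two checks rejected the packet.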

Tuesday 26 September 2023

What is VTP Pruning? How to configure Cisco VTP pruning?

VTP pruning improves the use of trunk bandwidth by stopping unnecessary flooded traffic (broadcast, multicast, and unknown unicast frames) from being sent over trunks where it is not needed.

By default VTP pruning is disabled. When you enable it, the switch still forwards flooded frames for a VLAN over a trunk, but only if the switch on the other end of that trunk has active ports in that VLAN; if it does not, the VLAN is pruned from the trunk.

When you enable VTP pruning on the VTP server, all clients in the VTP domain enable it automatically. Once pruning is enabled, all VLANs are prune-eligible by default except VLAN 1 (the administrative VLAN), the reserved VLANs 1002 to 1005, and the extended-range VLANs (1006 to 4094); in other words, VLANs 2 through 1001 are eligible for pruning, which is exactly the "Pruning VLANs Enabled: 2-1001" line you see in show interfaces switchport.

How does VTP pruning work? 


As you can see in the topology, we have five switches with VTP pruning enabled. Broadcast traffic is generated on a switch-2 port that is in VLAN 10. Switch-2 forwards it over its trunk; switch-1 receives it and forwards it only toward switch-4, because VLAN 10 has active ports only on switch-4 (and on switch-1 itself). On the trunks to the remaining switches the flooded VLAN 10 traffic is pruned.

let's see the configuration: -

Topology: -




  • configure the topology as per the diagram
  • configure IP addresses on the PCs
  • configure 802.1Q trunks between the switches
  • configure the core switch as VTP server and switch-1 and switch-2 as clients
  • configure VTP version 2 with the password cisco123, and make sure the password is stored hidden
  • configure VLANs 50, 60, 70 and 80 on the VTP server and make sure the clients sync this information
  • configure VTP pruning on the VTP server
  • remove VLAN 80 from the prune-eligible list on the trunk
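The configuration for those goals, added here as an example and not the lab's own config. The domain name internetworks, the VLAN names and the trunk interface GigabitEthernet0/1 are assumptions; the VLAN numbers, password and version come from the goal list.

```cisco
! Added example; not the lab's own configuration. Domain name, VLAN names and
! interface names are assumed.
!
! ===== Core switch: VTP server =====
vtp domain internetworks
vtp version 2
vtp mode server
vtp password cisco123 hidden
vlan 50
 name SALES
vlan 60
 name HR
vlan 70
 name ENG
vlan 80
 name VOICE
! Enabling pruning on the server turns it on for every client in the domain
vtp pruning
interface GigabitEthernet0/1
 description trunk to switch-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
! VLAN 80 must be flooded over this trunk regardless of where its ports are
 switchport trunk pruning vlan remove 80
!
! ===== switch-1 and switch-2: VTP clients =====
vtp domain internetworks
vtp version 2
vtp mode client
vtp password cisco123 hidden
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ===== Verification =====
show vtp status
show vtp password
show vlan brief
show interfaces trunk
show interfaces gigabitEthernet0/1 pruning
```

The "Vlans in spanning tree forwarding state and not pruned" section of show interfaces trunk is where you see pruning take effect. One security caveat that applies to every VTP version below 3: a switch joining the domain with the same domain name and password but a higher configuration revision number, client or server, overwrites the VLAN database on every other switch (the so-called VTP bomb), so always set the password and reset the revision of any switch (change its domain name or set it to transparent mode) before connecting it.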

Sunday 24 September 2023

What is BGP Route Aggregation (R A)? How to configure Route Aggregation?

What is BGP Route Aggregation (R A)? 
What is atomic-aggregate? What is aggregated?



Route aggregation, or BGP route summarization, is used to reduce the size of the routing table. Aggregation is flexible: you can advertise none, all, or a subset of the summary's component subnets alongside the summary from the BGP table. It reduces the size of the global routing table, the workload on routers, and the bandwidth used for updates.

BGP summarization is more complex than IGP summarization. When you use the BGP router sub-command aggregate-address without any parameters, the attributes of the individual component routes are lost, in particular the AS_PATH, which BGP uses for loop prevention. For the aggregate to be generated, at least one of its component subnets must be present in the BGP table.

ATOMIC_AGGREGATE is a well-known discretionary BGP attribute: every BGP router must recognize it, but it does not have to be present in every update. It tells other BGP routers that 192.168.0.0/18 is the result of route aggregation and that some path information may be missing, so the prefix must not be de-aggregated.

The AGGREGATOR attribute (shown as "aggregated by 65300 192.168.33.1") carries the autonomous system number and the BGP router ID of the router that performed the aggregation.

I'm assuming you are familiar with IGP summarization. Let's take a look at the aggregation command.


R2(config-router)#aggregate-address 192.168.8.0 255.255.248.0 ?
  advertise-map  Set condition to advertise attribute
  as-set         Generate AS set path information
  attribute-map  Set attributes of aggregate
  nlri           Nlri aggregate applies to
  route-map      Set parameters of aggregate
  summary-only   Filter more specific routes from updates
  suppress-map   Conditionally filter more specific routes from updates
  <cr>

(When aggregate-address 192.168.8.0 255.255.248.0 is configured without any additional keyword, the router advertises the summary together with the individual prefixes, and the neighbor's BGP table looks like this:)


R3#show ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.8.0/21   2.2.2.1                  0             0 65200 i
*> 192.168.10.0     2.2.2.1                                0 65200 65100 i
*> 192.168.11.0     2.2.2.1                                0 65200 65100 i
*> 192.168.12.0     2.2.2.1                                0 65200 65100 i
*> 192.168.13.0     2.2.2.1                                0 65200 65100 i


(You can suppress these more specific prefixes and tell the router to advertise only the summary, but that needs the additional keyword summary-only. Let's see what it looks like after adding summary-only:)

R2(config)#router bgp 65200
R2(config-router)#aggregate-address 192.168.8.0 255.255.248.0 summary-only
R2(config-router)#end

R3#show ip bgp
BGP table version is 46, local router ID is 192.168.33.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.8.0/21   2.2.2.1                  0             0 65200 i


(Now the individual prefixes are gone, but so is their AS_PATH information: the summary carries only 65200, so it looks like a new prefix that was born in the local AS. This happens when you do not specify the as-set keyword; with as-set the component ASNs are kept in an AS_SET, which is what lets the loop-prevention check still work.)

Let's see the configuration: -


Topology: - 





Goal: -

  • configure the topology as per the diagram 
  • assign the IPs to their respective ports as per the topology 
  • configure E-BGP as per the topology 
  • advertise the loopback route as per the topology
  • configure Router_AS_65300 to aggregate routes 192.168.0.0/18 without any additional command.
  • configure Router_AS_65300 to aggregate routes 192.168.0.0/18 with summary only 
  • configure Router_AS_65200 to aggregate routes 192.168.40.0/18 with summary only 
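The variants below, added here as an example rather than taken from the post, show the ways to control what R2 (AS 65200, the router from the show output above) advertises for 192.168.8.0/21: plain, summary-only, as-set, and partial suppression of a subset of the components. R3's address 2.2.2.2 and AS 65300, and the prefix-list and route-map names, are assumptions; the prefixes and the ASNs 65200/65100 come from the output above.

```cisco
! Added example; not the post's own configuration. Neighbor address/AS and the
! prefix-list and route-map names are assumed; prefixes and ASNs 65200/65100 are
! from the show output above.
router bgp 65200
 neighbor 2.2.2.2 remote-as 65300
!
! 1) Plain aggregate: summary is advertised next to the components; the summary's
!    AS_PATH is just 65200 and ATOMIC_AGGREGATE is set because path detail was lost.
 aggregate-address 192.168.8.0 255.255.248.0
!
! 2) summary-only: components suppressed, still no trace of AS 65100 in the path.
 no aggregate-address 192.168.8.0 255.255.248.0
 aggregate-address 192.168.8.0 255.255.248.0 summary-only
!
! 3) as-set + summary-only: components suppressed, R3 sees AS_PATH "65200 {65100}",
!    so a router in AS 65100 still rejects the summary (loop prevention) and
!    ATOMIC_AGGREGATE is no longer set.
 no aggregate-address 192.168.8.0 255.255.248.0
 aggregate-address 192.168.8.0 255.255.248.0 as-set summary-only
!
! 4) A subset of the components: hide 192.168.10.0/24 and 192.168.11.0/24 only,
!    keep advertising 192.168.12.0/24 and 192.168.13.0/24 next to the summary.
ip prefix-list HIDE seq 5 permit 192.168.10.0/24
ip prefix-list HIDE seq 10 permit 192.168.11.0/24
route-map SUPPRESS_SOME permit 10
 match ip address prefix-list HIDE
router bgp 65200
 no aggregate-address 192.168.8.0 255.255.248.0
 aggregate-address 192.168.8.0 255.255.248.0 as-set suppress-map SUPPRESS_SOME
!
! Verification on R2 (attributes, suppressed entries marked "s") and what R3 receives
show ip bgp 192.168.8.0/21
show ip bgp
show ip bgp neighbors 2.2.2.2 advertised-routes
```

The as-set form has a cost: the AS_SET is rebuilt from the component paths, so when any component's path changes the aggregate is re-advertised, which can cause churn; if the components come from many ASes and flap, the plain summary-only form is quieter but then relies on the atomic-aggregate flag rather than the AS path for loop protection.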




Friday 22 September 2023

How to configure CDP flood attack? | How to prevent CDP attack?

In this blog we will see how to bring an enterprise switch or router to its knees, and how to prevent this DoS attack. We are going to attack CDP (Cisco Discovery Protocol) with the help of Yersinia. The attack is very easy and extremely effective, and it falls under the denial-of-service category. To make the device fail we need a Linux machine and a simulated topology. The protocol we are going to exploit, CDP, is enabled by default on Cisco routers and switches.

Let’s take an overview look at CDP: -

CDP (Cisco Discovery Protocol) is a Cisco proprietary protocol used to collect information about directly connected devices: the hardware platform, the software version, and the addresses and protocols the neighbor runs. This information is very helpful when troubleshooting or documenting the network, and, for the same reason, it is valuable to an attacker who gets a port with CDP enabled.

this is the topology we are going to use for the lab: -



Before starting the lab, here is an overview of what actually happens to the device during the attack. When we log in to a router and run show cdp neighbors, the router displays all directly connected devices that have CDP enabled, like this:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0
switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0

 

We are going to flood the switch with thousands of fake CDP advertisements using Yersinia. Each advertisement with a new device ID creates a new entry in the CDP neighbor table, so the CDP process consumes more and more memory and CPU until the device runs out of memory, as in the log message below. In that state the device can no longer manage itself properly and may stop forwarding or reload.

you will also see a warning:

 


*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17

 

let's see the configuration: -



  • configure the topology as per the diagram
  • configure the IP address on the Kali machine
  • check the CPU utilization before and after the attack
  • launch the attack with Yersinia
  • diagnose the attack and prevent it

Wednesday 20 September 2023

What is Link Layer Discovery Protocol (LLDP)? | How link layer discovery protocol work? | LLDP default configuration? | how to configure LLDP?

  

Link Layer Discovery Protocol

LLDP is a vendor-neutral Layer 2 protocol defined in the open IEEE standard 802.1AB. It is the standards-based alternative to CDP. LLDP runs over the data link layer and collects information about neighboring devices; this information helps with troubleshooting and documentation. LLDP and Cisco CDP work similarly; the big difference is that LLDP is a standard while CDP is Cisco proprietary.

LLDP has capabilities similar to CDP, and there is an extension for voice and other endpoints called LLDP-MED (Media Endpoint Discovery). A port sends either LLDP or LLDP-MED frames, not both at the same time: a Cisco switch sends plain LLDP on a port until it receives LLDP-MED frames from the endpoint.

LLDP carries a defined set of attributes, each encoded as Type, Length and Value (a TLV). TLVs are what neighbors use to discover each other: an LLDP-capable device sends its own TLVs, receives its neighbors' TLVs, and stores the received information in a local table.





How link layer discovery protocol work?

First, you must enable it, because LLDP is disabled by default on Cisco IOS devices, and remember that not all Cisco IOS routers support LLDP. LLDP-enabled devices send LLDP advertisements to their neighbors, and the received information is stored locally in the LLDP MIB, where it can be read with SNMP.

What information is stored?

  • Device name and description
  • Port name
  • IP management address
  • Capabilities
  • MAC address
  • MDI power
  • Link aggregation
  • VLAN

 

LLDP default configuration: -

IOU1(config)#lldp ?
  holdtime    Specify the holdtime (in sec) to be sent in packets
  reinit      Delay (in sec) for LLDP initialization on any interface
  run         Enable LLDP
  timer       Specify the rate at which LLDP packets are sent (in seconds)
  tlv-select  Selection of LLDP TLVs to send


  • LLDP is disabled by default
  • LLDP hold time – 120 seconds
  • LLDP reinitialization delay – 2 seconds
  • LLDP timer (packet update frequency) – 30 seconds
  • LLDP tlv-select – to send and receive all TLVs.

 

Let's see the configuration: -

 Topology; -



 

  • configure the topology as per the diagram
  • configure an 802.1Q trunk
  • enable LLDP in global configuration mode
  • change the hold time to 180 seconds, the reinit delay to 5 seconds, and the timer to 20 seconds
  • clear the LLDP table
  • disable LLDP
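The configuration for the goals above, added as an example and not the lab's own config, plus the hardening step a practitioner would add: keep discovery on infrastructure links only. Interface names and the user-port range are assumptions; the timer values come from the goal list. The lldp tlv-select command is available on Catalyst platforms that let you pick TLVs; check lldp tlv-select ? on your image.

```cisco
! Added example; not the lab's own configuration. Interface names are assumed.
interface GigabitEthernet0/1
 description trunk to the neighbor switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! LLDP is off by default on IOS; enable it and set the lab timers.
! Keep holdtime larger than timer, or neighbors expire between advertisements.
lldp run
lldp holdtime 180
lldp reinit 5
lldp timer 20
!
! Least privilege for discovery: do not advertise the management address at all,
! and neither send nor accept LLDP on user-facing ports
no lldp tlv-select management-address
interface range GigabitEthernet0/2 - 24
 description user ports
 no lldp transmit
 no lldp receive
!
! Verify timers, what we learned, and what we are sending
show lldp
show lldp interface GigabitEthernet0/1
show lldp neighbors
show lldp neighbors detail
show lldp traffic
!
! Flush the table, then disable the protocol again at the end of the lab
clear lldp table
no lldp run
```

show lldp neighbors detail on the neighbor is the quickest way to see exactly what your switch gives away (system name, description with the software version, management address, port VLAN); everything listed there is readable by anyone plugged into a port that still transmits LLDP.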

 

 

 

Monday 18 September 2023

What is Cisco discovery protocol? | How to configure CDP? | CDP



Most networks have several routers, switches and other devices. To make management easier, most admins use CDP and LLDP to find out what kind of devices are present in the network, their IP addresses, how the devices are connected to each other (which interface or port goes where), and which VLAN they belong to.


Cisco discovery protocol

 

CDP (Cisco Discovery Protocol) is a Cisco proprietary protocol used to collect information about directly connected devices: the hardware platform and the protocols and addresses the neighbor uses. This information is very helpful when troubleshooting or documenting the network.

What information do we collect from neighbors?

  • Device ID: the hostname of the neighbor.
  • Local interface: the port on this device on which the CDP packet was received.
  • Hold time: the remaining time, in seconds, for which the router keeps the neighbor's information before discarding it; the entry is discarded if no further CDP packets arrive. (The advertised holdtime can be set from 10 to 255 seconds; the default is 180.)
  • Capability: what the neighbor is, for example a router, a switch, or a repeater.
  • Platform: the type of Cisco device that is directly connected.
  • Port ID: the neighbor's port or interface from which the CDP packet was sent.

 Let's see the configuration and we will see some interesting show commands.


Topology: -



  • configure the topology as per the diagram
  • configure the hostnames
  • assign the IPs to their respective ports as per the topology
  • configure CDP in global configuration mode, or per interface
  • make sure router-1-core collects all the neighbor information
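The configuration below, added as an example and not taken from either post, covers the CDP lab goals above and the "diagnose the attack and prevent it" step of the CDP flood post further up. The interface names, and the assumption that the Kali box sits on GigabitEthernet0/2, are mine; the hostname is from the goal list. The flood itself is launched from Kali with Yersinia's CDP table-flooding attack (from memory of its CLI, yersinia cdp -attack 1 -interface eth0; confirm with yersinia cdp -h on your build).

```cisco
! Added example; not the lab's own configuration. Interface names and the Kali
! port are assumed.
hostname router-1-core
!
! CDP is enabled by default on IOS; make it explicit and set the timers
! (these are also the defaults: advertise every 60 s, expire after 180 s)
cdp run
cdp timer 60
cdp holdtime 180
!
! Per-interface control: keep CDP toward infrastructure, turn it off toward users
interface GigabitEthernet0/0
 description uplink to switch1
 cdp enable
interface GigabitEthernet0/2
 description lab/user port
 no cdp enable
!
! What router-1-core learns from its neighbors
show cdp neighbors
show cdp neighbors detail
show cdp entry *
show cdp interface
!
! Diagnosing a CDP flood: run these before the attack for a baseline. Under attack the
! neighbor table fills with random device IDs, the Input counter in show cdp traffic
! climbs by thousands per second, the CDP Protocol process rises to the top of the
! CPU list and free memory falls until %SYS-2-NOMEMORY appears.
show cdp traffic
show processes cpu sorted | exclude 0.00
show processes memory sorted | include CDP
show memory statistics
!
! Containment: stop listening on the port the flood comes from, then flush the entries
interface GigabitEthernet0/2
 no cdp enable
clear cdp table
!
! Prevention: if nothing depends on CDP (no IP phones, no management tool reading it),
! disable it device-wide and the attack surface disappears with it
no cdp run
```

Keep in mind that no cdp enable on the attacker's port stops the device from processing the advertisements, but the frames are still multicast on the segment; on a switch, the same per-port rule on every access port is what actually removes the exposure.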

Friday 15 September 2023

What is VTP version 3, How to configure VTP version 3?


VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol. As I already said, VTP is used to share the VLAN configuration with other switches and keep it consistent throughout the network; VTP advertisements are exchanged only over trunk links.

if you are not familiar with VTP versions 1 and 2 please click the link

 here https://www.internetworks.in/2018/12/vlan-trunking-protocol-vtp.html




VTP version 3 introduces the primary server role: only the primary server can create, delete, and modify VLANs, while a secondary server can only relay, process, and save the database. Version 3 supports the extended VLAN range (1006 to 4094), and it also propagates private VLANs, RSPAN VLANs, and the MST configuration. Version 3 is compatible with version 2 but not with version 1. It is protected against accidental database overwrites: a switch that joins the domain with a higher configuration revision number cannot overwrite the database unless it is the primary server. It also has stronger password protection, with the password stored either hidden or as a secret instead of in clear text.


let's configure VTP version 3: -  https://youtu.be/D0t29ZdO09I?si=GofAD3lfK61IsiS1

Topology: -




Goal: -
  1. configure the topology as per the diagram
  2. configure dot1q trunks as per the topology
  3. configure the VTP domain name internetworks
  4. configure VTP version 3
  5. configure the password ccie123
  6. hide the password
  7. configure LAYER-3-switch-1 as the primary server for the VLAN database
  8. configure VLANs 10, 20, 30, 40, 50, 60, 70, 80 and 90 on LAYER-3-switch-1 and make sure the rest of the switches in the domain synchronize this data
  9. configure the extended-range VLANs 2000 and 2001 on LAYER-3-switch-1 and make sure the rest of the switches in the domain synchronize this data
  10. configure MSTP on LAYER-3-switch-2 and make sure the rest of the switches synchronize this information
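The configuration for the goals above, added here as an example; it is not the post's own configuration (the video has that). The trunk interface name, the MST region name and revision, and the instance-to-VLAN mapping are assumptions; the domain, password, VLAN numbers and roles come from the goal list.

```cisco
! Added example; not the post's own configuration. Interface names and the MST
! region/instance details are assumed.
!
! ===== LAYER-3-switch-1: primary server for the VLAN database =====
vtp domain internetworks
vtp version 3
vtp mode server vlan
vtp password ccie123 hidden
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
! Promotion is a privileged EXEC command, not a config line; it prompts for the password
vtp primary vlan
! Only the primary may change the database; extended-range VLANs are synced in v3
vlan 10,20,30,40,50,60,70,80,90
vlan 2000,2001
!
! ===== LAYER-3-switch-2: primary server for the MST database =====
vtp domain internetworks
vtp version 3
vtp mode server mst
vtp mode client vlan
vtp password ccie123 hidden
vtp primary mst
spanning-tree mode mst
spanning-tree mst configuration
 name internetworks
 revision 1
 instance 1 vlan 10,20,30,40
 instance 2 vlan 50,60,70,80,90
!
! ===== Remaining switches: clients for both databases =====
vtp domain internetworks
vtp version 3
vtp mode client vlan
vtp mode client mst
vtp password ccie123 hidden
spanning-tree mode mst
!
! ===== Verification =====
show vtp status
show vtp devices
show vtp password
show vlan brief
show spanning-tree mst configuration
```

show vtp devices lists every switch in the domain and marks which one is primary for each database; a switch whose revision is higher than the domain's cannot take over unless someone runs vtp primary on it and enters the password, which is what makes the hidden password in version 3 an actual control rather than a formality.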

Thursday 20 July 2023

What is VLAN Access List? How to configure VACL?

 

VLAN Access List

A VLAN ACL is very useful when we want to filter traffic within a VLAN. When a VACL is configured on the switch, every packet entering the VLAN, whether bridged within it or routed into or out of it, is checked against the VLAN access map. Unlike a router ACL, a VACL has no direction. A VACL can drop a matching packet, forward it, or redirect it to another interface. Notice that the VACL is applied to one or more VLANs as a whole, not to the VLAN's switch virtual interface (SVI).

How to proceed

  1. Configure a standard or extended ACL that matches the traffic of interest for the VACL.
  2. Configure a VLAN access map that matches on that ACL.
  3. Configure the action: forward or drop.
  4. Apply the VACL map to the VLAN.
  5. Verify the VACL map information.

 https://youtube.com/@internetworkss

 Topology: -



  • configure IP addresses on the PCs as per the topology
  • configure the default gateways as per the topology
  • configure inter-VLAN routing with SVIs
  • configure IP address 10.1.1.1 on interface VLAN 10
  • configure IP address 20.1.1.1 on interface VLAN 20
  • at this point make sure all four PCs can ping each other
  • configure ACL 10
  • configure a VACL so that PC1 cannot communicate with any PC in VLAN 20
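The five steps applied to the goal above, added as an example and not the post's own configuration. PC1's address 10.1.1.10 is an assumption; the SVI addresses and ACL number come from the goal list.

```cisco
! Added example; not the post's own configuration. PC1 = 10.1.1.10 is assumed.
ip routing
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
interface Vlan20
 ip address 20.1.1.1 255.255.255.0
!
! Step 1: ACL 10 matches traffic sourced by PC1. Inside a VACL "permit" only means
! "this packet matches the clause"; it allows nothing by itself.
access-list 10 permit host 10.1.1.10
!
! Steps 2 and 3: the access map. Sequence 10 drops what ACL 10 matches; sequence 20
! has no match clause and forwards everything else. Without sequence 20 the implicit
! deny at the end of the map would drop all other traffic in the VLAN.
vlan access-map BLOCK_PC1 10
 match ip address 10
 action drop
vlan access-map BLOCK_PC1 20
 action forward
!
! Step 4: apply it to VLAN 20, not VLAN 10. PC1's packets are routed through the SVI,
! enter VLAN 20 and are dropped there, while PC1 keeps talking to its own VLAN and
! gateway. Applied to VLAN 10, ACL 10 would also match PC1's traffic to its gateway
! and to the other VLAN 10 PC and cut PC1 off completely.
vlan filter BLOCK_PC1 vlan-list 20
!
! Step 5: verify
show vlan access-map BLOCK_PC1
show vlan filter
show access-lists 10
```

After this, ping from PC1 to a VLAN 20 PC fails, ping from PC1 to the other VLAN 10 PC and to 10.1.1.1 still works, and the VLAN 20 PCs can still reach each other; if you need the block in both directions, add a second ACL matching destination 10.1.1.10 to the same map, since the VACL sees the reply packets entering VLAN 20 only when their source is already on the VLAN 20 side.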

Saturday 15 July 2023

What is Private VLAN? How to configure Private VLAN? #PVLAN

By default, traffic moves unrestricted within a VLAN. A unicast frame from one host is delivered only to the destination host, which is the beauty of Layer 2 switching, but a broadcast is heard by every host in the VLAN and each of them may reply to it. We could restrict this with a VACL, or by splitting the hosts into more VLANs (and subnets), but it would be nice to segment traffic within a single VLAN without using multiple VLANs. The solution is the Private VLAN.

Let’s understand private VLAN with an example.





All the devices are on a single subnet in a single VLAN, 100. They can all communicate, but we do not want that. The requirement is that server 1 and server 2 can communicate with each other and with the gateway but not with server 3, and that server 3 can communicate only with the gateway and is otherwise isolated. This can be done with Private VLANs.

A private VLAN always has one primary VLAN. Within the primary VLAN you find the promiscuous port; in the picture above the router is connected to a promiscuous port. All other ports are able to communicate with the promiscuous port. Within the primary VLAN you also have one or more secondary VLANs, of two types:

Community VLAN: all ports in the community can communicate with each other and with the promiscuous port, but not with other communities or with isolated ports.

Isolated VLAN: the ports are isolated, meaning they cannot communicate with each other or with any community port; they can communicate only with the promiscuous port. Note that this isolation is Layer 2 only: a host that addresses a frame to the router's MAC address with another isolated host's IP as the destination still reaches it if the router routes the packet back into the VLAN, so the gateway should also drop packets whose source and destination are both in its connected subnet (an ACL on the router interface does it) to close that hole.


 let's see the configuration: -

Topology:





 

  • configure the topology as per the diagram
  • assign IP addresses from the 192.168.1.0/24 subnet to all the hosts
  • configure 192.168.1.1 on the router's fa0/0 as the default gateway
  • configure primary VLAN 100
  • configure gig 0/0 as the promiscuous port
  • configure community VLAN 101 and assign port gig 0/1
  • configure community VLAN 102 and assign port gig 0/2
  • configure isolated VLAN 103 and assign port gig 0/3
  • verify with show commands


Switch-1-(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
Switch-1-(config)#VLAN 100
Switch-1-(config-vlan)#private-vlan primary
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 101
Switch-1-(config-vlan)#name first_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 102
Switch-1-(config-vlan)#name second_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit

Switch-1-(config)#VLAN 103
Switch-1-(config-vlan)#name isolate_community
Switch-1-(config-vlan)#private-vlan isolated
Switch-1-(config-vlan)#exit

Switch-1-(config)#vlan 100
Switch-1-(config-vlan)#private-vlan association 101,102,103
Switch-1-(config-vlan)#exit


Switch-1-(config)#interface gigabitEthernet 0/1
Switch-1-(config-if)#description this is a first-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 101
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit


Switch-1-(config)#interface gigabitEthernet 0/2
Switch-1-(config-if)#description this is a second-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 102
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit


Switch-1-(config)#interface gigabitEthernet 0/3
Switch-1-(config-if)#description this is a isolate-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 103
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit

switch-1-(config)#interface gigabitEthernet 0/0
switch-1-(config-if)#description this is a prom-port
switch-1-(config-if)#switchport private-vlan mapping 100 101,102,103
switch-1-(config-if)#switchport mode private-vlan promiscuous
switch-1-(config-if)#exit


switch-1-#show interfaces gigabitEthernet 0/0 switch
Name: Gi0/0
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN100) 101 (first_community) 102 (second_community) 103 (isolate_community)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none



switch-1-#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 101 (first_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none


switch-1-#show interfaces gigabitEthernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 102 (second_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none



switch-1-#show interfaces gigabitEthernet 0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 103 (isolate_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Appliance trust: none





switch-1-#show vlan private-vlan type

Vlan Type
---- -----------------
100  normal
101  normal
102  normal
103  normal



switch-1-#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
                                                Gi3/0, Gi3/1, Gi3/2, Gi3/3
100  VLAN100                          active
101  first_community                  active
102  second_community                 active
103  isolate_community                active



Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       non-operational   Gi0/0, Gi0/1
100     102       non-operational   Gi0/0, Gi0/2
100     103       non-operational   Gi0/0, Gi0/3


(In the Type field you see non-operational; this is because I do not have an upgraded switch. On an upgraded switch you will see community, isolated, and promiscuous ports.)


Thursday 29 June 2023

What is Administrative Distance? How to change AD value of OSPF, EIGRP, RIPv2 and BGP?

 

 

Administrative Distances

Administrative distance (AD) rates the trustworthiness of a route source: a route learned from a neighbor through a routing protocol, a static route, or a connected interface. It is an integer from 0 to 255, where 0 is the most trusted and 255 means the source is not trusted at all: a route with AD 255 is never installed in the routing table, so no traffic is ever sent along it.

 




What happens if our router receives two updates for the same remote network?

The first thing the router does is compare the administrative distance (AD). If one of the two has a lower AD than the other, the router installs the route with the lower AD in the routing table.

What happens if both advertised updates have the same AD for the same remote network?

In this case the router compares the routing protocol's metric, such as hop count for RIP or bandwidth and delay for EIGRP, depending on the protocol. The route with the lowest metric wins and is installed in the routing table.

And what if both advertised routes have the same AD and the same metric?

Then the router installs both and load-balances traffic to the remote network across them (equal-cost load balancing).

 

The administrative distance default values

Route source (protocol)                                           Default AD
Connected interface                                               0
Static route                                                      1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route  5
External Border Gateway Protocol (eBGP)                           20
Internal EIGRP                                                    90
IGRP                                                              100
Open Shortest Path First (OSPF)                                   110
Intermediate System-to-Intermediate System (IS-IS)                115
Routing Information Protocol (RIP)                                120
Exterior Gateway Protocol (EGP)                                   140
On-Demand Routing (ODR)                                           160
External EIGRP                                                    170
Internal BGP (iBGP)                                               200
Unknown*                                                          255

Yes, you can change the default administrative distance. Let's set up an experiment: we will advertise the same remote network through five different sources, see which route the router installs, then change the default AD values and watch the router's choice change.

(If you are familiar with Internetworks blogs, you know we come straight to the point and like labs. Please visit our YouTube channel, click here, thank you.)



Topology: -


  • configure the topology as per the diagram
  • assign the IP addresses to the ports as per the topology
  • configure a static route between routers 1-2-7
  • configure EIGRP routing between routers 1-3-7
  • configure OSPF routing between routers 1-4-7
  • configure RIPv2 routing between routers 1-5-7
  • configure iBGP routing between routers 1-6-7
  • advertise the directly connected networks
  • now you will see all the routers (R2, R3, R4, R5 and R6) advertising the same network 20.1.1.0 to router-1 with different administrative distances
  • now ping from PC-1 to PC-2 and see which path router-1 chooses to reach the 20.0.0.0 network
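How the comparison plays out on router-1 and how to move each source's AD, added as an example and not the lab's own config. The next-hop addresses, EIGRP AS 100, OSPF process 1 and BGP AS 65001 are assumptions; the five sources and the prefix 20.1.1.0/24 come from the goal list.

```cisco
! Added example; not the lab's own configuration. Next hops, EIGRP AS 100,
! OSPF process 1 and BGP AS 65001 are assumed.
!
! With defaults router-1 installs the static route (AD 1) and keeps the EIGRP (90),
! OSPF (110), RIP (120) and iBGP (200) copies in their protocol tables only.
show ip route 20.1.1.0 255.255.255.0
show ip eigrp topology 20.1.1.0/24
show ip ospf rib 20.1.1.0 255.255.255.0
show ip rip database 20.1.1.0 255.255.255.0
show ip bgp 20.1.1.0/24
!
! 1) Floating static: AD 95 makes it a backup behind the IGPs configured below
no ip route 20.1.1.0 255.255.255.0 10.1.2.2
ip route 20.1.1.0 255.255.255.0 10.1.2.2 95
!
! 2) EIGRP sets internal and external AD separately (here 100 / 175)
router eigrp 100
 distance eigrp 100 175
!
! 3) OSPF can set a value per route type; intra-area 80 now beats everything
router ospf 1
 distance ospf intra-area 80 inter-area 90 external 170
!
! 4) RIP uses the generic distance command
router rip
 distance 125
!
! 5) BGP: external, internal and locally originated routes (20 / 190 / 200)
router bgp 65001
 distance bgp 20 190 200
!
! Now OSPF (80) wins: static 95, EIGRP 100, RIP 125, iBGP 190
show ip route 20.1.1.0 255.255.255.0
!
! 6) Per-source override, available in any protocol: routes RIP learns from
!    neighbor 10.1.5.2 get AD 50, so the RIP path takes over
router rip
 distance 50 10.1.5.2 0.0.0.0
show ip route 20.1.1.0 255.255.255.0
show ip protocols | include Distance
```

AD is significant only on the router where you set it. If router-1 prefers RIP while router-7 still prefers the static route, the two can forward the same flow over different paths or, with the wrong topology, into a loop, so change distances consistently on every router that has the same set of sources.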

Thursday 22 June 2023

What is Smurf attack DDoS attack? How to configure Smurf attack?

A Smurf attack is a form of DDoS (distributed denial of service) attack that operates at Layer 3. It is named after the DDoS.Smurf malware that automated it, and the malware is named after the cartoon: many small actors working together take down one big target.

A Smurf attack exploits IP source spoofing and ICMP broadcast amplification.

First, the attacker crafts an ICMP echo request whose source address is spoofed to the victim's address and whose destination is the broadcast address of a remote subnet behind a router or firewall; this is called a directed broadcast. If the router forwards it, the request is delivered to every host in that subnet, and every host replies with an ICMP echo reply to the victim. The more hosts in the amplifier network, the more replies for each packet the attacker sends. The victim is overwhelmed by replies and legitimate traffic is denied service.




I am assuming you now understand the DDoS Smurf attack. Let's configure it, and then we will see how to prevent these attacks.


Topology: -


  • configure the topology as per the diagram
  • assign the IP addresses on servers and PCs as per the topology
  • assign the IP address to Kali Linux 2-2 as per the topology
  • configure a trunk and allow all VLANs on the switch
  • configure the PC ports as access ports
  • configure static routing between routers
  • target server-1 from Kali 2-2
  • configure Smurf to attack the victim server with ICMP messages
  • make sure the server chokes up and is almost dead.


{assign the IP addresses on servers and PCs as per the topology}

SERVER-1> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER-192.168.1.20/24      192.168.1.1       00:50:79:66:68:04

SERVER-2> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER-192.168.1.21/24      192.168.1.1       00:50:79:66:68:06

SERVER-3> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
SERVER- 192.168.1.22/24      192.168.1.1       00:50:79:66:68:05


PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC1    192.168.1.10/24      192.168.1.1       00:50:79:66:68:00


PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC2    192.168.1.11/24      192.168.1.1       00:50:79:66:68:01


PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC3    192.168.1.12/24      192.168.1.1       00:50:79:66:68:02


PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC4    192.168.1.13/24      192.168.1.1       00:50:79:66:68:03


{assign the IP address Kali Linux 2-2 as per the topology}





{configure trunk and allowed all VLANs on the switch}


SWITCH-1#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       1,100,200,300


{configure static routing between routers}


R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:30:44.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to up

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:31:13.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 


R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

*Jun 22 12:27:58.131: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up
*Jun 22 12:27:59.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0,
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R1(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.2
R1(config)#ip route 192.168.2.0 255.255.255.0 1.1.1.2

R2(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.1
R2(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.1
R2(config)#exit


R2#show ip route static
S    192.168.1.0/24 [1/0] via 1.1.1.1


R1#show ip route static
S    192.168.2.0/24 [1/0] via 1.1.1.2

(Now we try to ping from the PCs to Kali to make sure the network is working fine)


PC1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=62.669 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=66.405 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=63.907 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=70.719 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=62.990 ms

SERVER-1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=63.265 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=64.596 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=72.530 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=63.830 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=64.962 ms

(AS OF NOW EVERYTHING IS WORKING FINE, NOW WE ARE GOING TO ATTACK OUR VICTIM SERVER-1)






(Now we are going to capture traffic with the help of Wireshark) 




(As you can see from the above output, we are capturing traffic between router-1 and router-2, and router-1 is getting thousands of ICMP requests. Now capture traffic between the server and the switch.)
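A capture like the one described above has two tell-tale patterns: echo requests addressed to a subnet broadcast address, and a burst of echo replies from many different hosts toward a single victim. The detector below is an added example, not code from the blog, that flags both patterns over packet-list lines in a Wireshark-style "time source destination protocol info" format. The capture lines, the monitored subnets, the one-second window and the five-replier threshold are all constructed assumptions modelled on the lab topology; a real export would need its column layout matched in `parse_line`.

```python
"""Added example (not from the blog): a small detector for the two traffic
patterns a Smurf attack leaves in a packet capture.

  1. ICMP echo requests addressed to a subnet broadcast address (the directed
     broadcast the attacker sends with a spoofed source).
  2. A burst of ICMP echo replies toward one host from many different sources
     (the amplified reflection the victim receives).

Capture lines below are constructed in the style of a Wireshark packet-list
export (time, source, destination, protocol, info); they are not the page's
capture. Subnets, thresholds and host addresses are assumptions.
"""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

MONITORED_SUBNETS = [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24")]
REPLY_THRESHOLD = 5      # distinct repliers to one host within one window
WINDOW_SECONDS = 1.0


def parse_line(line):
    """Parse 'time src dst proto info...' into a dict; None for non-ICMP lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5 or parts[3] != "ICMP":
        return None
    t, src, dst, _, info = parts
    return {"t": float(t), "src": src, "dst": dst, "info": info}


def is_broadcast_target(dst):
    """True if dst is the limited broadcast or a monitored subnet's broadcast."""
    addr = IPv4Address(dst)
    return addr == IPv4Address("255.255.255.255") or any(
        addr == n.broadcast_address for n in MONITORED_SUBNETS)


def detect_smurf(lines):
    """Return {'directed_broadcasts': [(t, src, dst), ...],
               'victims': {dst: distinct repliers in the worst window}}."""
    directed = []
    replies = defaultdict(list)          # dst -> [(t, src), ...]
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["info"].startswith("Echo (ping) request") and is_broadcast_target(pkt["dst"]):
            directed.append((pkt["t"], pkt["src"], pkt["dst"]))
        elif pkt["info"].startswith("Echo (ping) reply"):
            replies[pkt["dst"]].append((pkt["t"], pkt["src"]))
    victims = {}
    for dst, events in replies.items():
        events.sort()
        worst = 0
        # sliding window: count distinct sources replying within WINDOW_SECONDS
        for i, (t0, _) in enumerate(events):
            window = {src for t, src in events[i:] if t - t0 <= WINDOW_SECONDS}
            worst = max(worst, len(window))
        if worst >= REPLY_THRESHOLD:
            victims[dst] = worst
    return {"directed_broadcasts": directed, "victims": victims}


# Constructed sample capture, modelled on the lab: SERVER-1 (192.168.1.20) is
# the victim, the attacker sits on the 192.168.2.0/24 side.
SAMPLE_CAPTURE = [
    "0.000 192.168.1.10 192.168.2.25 ICMP Echo (ping) request id=0x1 seq=1",   # normal ping
    "0.063 192.168.2.25 192.168.1.10 ICMP Echo (ping) reply id=0x1 seq=1",
    "1.000 192.168.1.20 192.168.1.255 ICMP Echo (ping) request id=0x2 seq=1",  # spoofed directed broadcast
    "1.001 192.168.1.10 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",     # every LAN host answers the victim
    "1.001 192.168.1.11 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "1.002 192.168.1.12 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "1.002 192.168.1.13 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "1.003 192.168.1.21 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "1.003 192.168.1.22 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "1.004 192.168.1.1 192.168.1.20 ICMP Echo (ping) reply id=0x2 seq=1",
    "2.500 192.168.2.25 192.168.1.10 TCP 443 > 51000 [SYN]",                   # ignored: not ICMP
]

if __name__ == "__main__":
    result = detect_smurf(SAMPLE_CAPTURE)
    for t, src, dst in result["directed_broadcasts"]:
        print(f"t={t:.3f} directed broadcast from {src} to {dst}")
    for dst, n in result["victims"].items():
        print(f"{dst} received echo replies from {n} distinct hosts in {WINDOW_SECONDS}s")
```

On the sample, the one directed broadcast is reported and 192.168.1.20 is flagged as receiving replies from 7 distinct hosts, while the ordinary PC1 ping stays below the threshold.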






(Now you will see router-1 sending ICMP requests and our server going down. Let's look at the server.)

SERVER-1>
SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=25.006 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=5.128 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=10.348 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=7.397 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.493 ms
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full
queue is full

SERVER-1>


(When we try to ping PC1 from the server, the queue is full. Soon our server goes down, choked up.)


(Now the question is how to prevent a SMURF ATTACK)


R1(config)#interface serial 4/0
R1(config-if)#no ip broadcast-address
R1(config-if)#ip verify unicast source reachable-via rx allow-default allow-self-ping
R1(config-if)#ip cef
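The commands above lean on two separate checks: not forwarding a directed broadcast onto the LAN, and unicast reverse-path forwarding (`ip verify unicast source reachable-via rx`, which needs CEF, hence `ip cef`) dropping any packet whose source address is not reachable back through the interface it arrived on. One caveat a practitioner should verify on Cisco IOS: forwarding of directed broadcasts is controlled by the interface command `ip directed-broadcast` (disabled by default on IOS releases since 12.0), so confirm that it is off on the LAN-facing interface as well. The Python model below is an added example, not code from the blog. Its routing table, interface names and sample packets are constructed from the lab topology on the page, and it shows why the spoofed Smurf packet is dropped at R1 while a legitimate ping still passes; the `allow-default` and `allow-self-ping` options are not modelled.

```python
"""Added example (not from the blog): a small model of the two checks the
mitigation relies on, showing why a Smurf packet is dropped at R1.

  * directed-broadcast check: a packet whose destination is the broadcast
    address of a directly connected subnet is not turned into a LAN broadcast.
  * unicast RPF strict mode (`ip verify unicast source reachable-via rx`):
    the best route back to the packet's source must leave via the interface
    the packet arrived on, otherwise the source is treated as spoofed.

Routes, interfaces and packets are constructed to match the lab on the page
(R1: Fa0/0 = 192.168.1.0/24, S4/0 = 1.0.0.0/8 toward R2).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    out_iface: str          # interface the route points out of


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str           # interface the packet arrived on


# Constructed routing table for R1: connected routes plus the static route to
# 192.168.2.0/24 via R2, as configured on the page. No default route.
R1_ROUTES = [
    Route(IPv4Network("192.168.1.0/24"), "Fa0/0"),
    Route(IPv4Network("1.0.0.0/8"), "S4/0"),
    Route(IPv4Network("192.168.2.0/24"), "S4/0"),
]

# Directly connected subnets keyed by interface (constructed).
R1_CONNECTED = {
    "Fa0/0": IPv4Network("192.168.1.0/24"),
    "S4/0": IPv4Network("1.0.0.0/8"),
}


def lookup(routes, addr):
    """Longest-prefix match; returns the Route or None."""
    best = None
    for r in routes:
        if IPv4Address(addr) in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best


def urpf_strict_ok(routes, pkt):
    """Strict uRPF: the best route to the source must leave via in_iface."""
    r = lookup(routes, pkt.src)
    return r is not None and r.out_iface == pkt.in_iface


def is_directed_broadcast(connected, pkt):
    """True if dst is the broadcast address of a directly connected subnet and
    the packet came from somewhere other than that subnet's own interface."""
    for iface, net in connected.items():
        if IPv4Address(pkt.dst) == net.broadcast_address and iface != pkt.in_iface:
            return True
    return False


def forwarding_decision(pkt, routes=R1_ROUTES, connected=R1_CONNECTED,
                        urpf=True, directed_broadcast=False):
    """Return 'forward' or a 'drop: <reason>' string for one packet.

    urpf=False / directed_broadcast=True reproduces the router before the
    mitigation was applied."""
    if urpf and not urpf_strict_ok(routes, pkt):
        return "drop: uRPF failed (source not reachable via ingress interface)"
    if not directed_broadcast and is_directed_broadcast(connected, pkt):
        return "drop: directed broadcast not forwarded"
    if lookup(routes, pkt.dst) is None:
        return "drop: no route"
    return "forward"


# Constructed samples. The Smurf packet spoofs SERVER-1 as its source, aims at
# the 192.168.1.0/24 broadcast address and reaches R1 from R2 on S4/0.
SMURF = Packet(src="192.168.1.20", dst="192.168.1.255", in_iface="S4/0")
# A legitimate ping from PC1 toward Kali, arriving on Fa0/0.
LEGIT = Packet(src="192.168.1.10", dst="192.168.2.25", in_iface="Fa0/0")
# A spoofed packet with a unicast destination: only uRPF catches this one.
SPOOFED_UNICAST = Packet(src="192.168.1.20", dst="192.168.1.10", in_iface="S4/0")

if __name__ == "__main__":
    for name, p in [("smurf", SMURF), ("legit", LEGIT), ("spoofed", SPOOFED_UNICAST)]:
        print(f"{name:8} before: {forwarding_decision(p, urpf=False, directed_broadcast=True)}")
        print(f"{name:8} after:  {forwarding_decision(p)}")
```

Run it and the Smurf packet is forwarded "before" and dropped by uRPF "after"; with only the directed-broadcast check enabled it is still dropped, which is why both settings matter: the broadcast check stops the amplification on this LAN, while uRPF also stops spoofed unicast packets that the broadcast check would never see.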

(Now again we try to ping from server to PC)

SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=13.014 ms
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=6.296 ms
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=6.508 ms
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=9.503 ms
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.806 ms


(As you can see, the server is working fine with no queue-full messages. One more thing: try to capture traffic between the victim and the switch.)







(Now our network is working fine. Thank you so much for reading.)
If you like this blog, please visit our YouTube program.


What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?

 Virtual Router Redundancy Protocol (VRRP) is a gateway redundancy networking protocol used to create a virtual gateway, similar to HSRP. VR...