Anthony,
How the heck are you, man? Good example.
On Wed, Oct 31, 2012 at 4:42 PM, Anthony Sequeira
<terry.francona_at_gmail.com> wrote:
> Since this maps to so many certs, I thought I might share my work on this
> one with GS. Hope you enjoy.
>
>
>
> Relevant Certifications:
>
> CCNA Security, CCNP Security, CCIE R&S, CCIE Security
>
>
>
> Documentation Path Used:
>
> Cisco.com - Support - All Products - IOS and NX-OS - Cisco IOS - 15S -
> 15.2S
> - Configuration Guides - Quality of Service Solutions Configuration Guide -
> QoS: Policing and Shaping Configuration Guide, Cisco IOS Release 15.2S -
> Control Plane Policing
>
>
>
> The Feature:
>
> Control Plane Policing (CoPP) permits the use of a QoS filter to manage the
> flow of control plane packets in order to help protect routers and switches
> from potentially devastating denial-of-service attacks. CoPP uses the MQC
> approach to configuration. With this feature, the control plane (CP) is
> treated as a separate entity with its own ingress and egress ports. You can
> think of these like input and output ports on a router.
>
>
>
> My Practice Task:
>
> 7.1 Control Plane Security
>
> R6-S0/2/0----------S0/2/0-R9
>
>
>
> Ensure that ICMP ping traffic sourced from R9's Lo0 interface is limited to
> 64 Kbps. All other ping traffic should be dropped. Ensure that all ICMP
> port-unreachables are dropped by R6 should these messages be sourced from
> any interface other than S0/2/0. Permitted port-unreachables should be
> limited to 12 Kbps.
>
>
>
> 3 points
>
>
>
> Initial Configurations:
>
> R6:
>
> hostname R6
>
> !
>
> interface Loopback0
>
> ip address 192.168.6.6 255.255.255.0
>
> !
>
> interface Serial0/2/0
>
> ip address 48.48.106.6 255.255.255.0
>
> shutdown
>
> clock rate 2000000
>
> !
>
> router eigrp 100
>
> network 48.0.0.0
>
> network 192.168.9.0
>
> no auto-summary
>
> !
>
> end
>
>
>
> R9:
>
> hostname R9
>
> !
>
> interface Loopback0
>
> ip address 192.168.9.9 255.255.255.0
>
> !
>
> interface Serial0/2/0
>
> ip address 48.48.106.9 255.255.255.0
>
> !
>
> router eigrp 100
>
> network 48.0.0.0
>
> network 192.168.9.0
>
> no auto-summary
>
> end
>
>
>
> My Solution:
>
> First, I want to ensure reachability between these devices. Specifically, I
> need to ensure that pings sourced from the loopback 0 interface of R9 can
> reach R6.
>
>
>
> INITIAL VERIFICATIONS
>
>
>
> R9#ping 48.48.106.6 source lo0
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
>
> Packet sent with a source address of 192.168.9.9
>
> .....
>
> Success rate is 0 percent (0/5)
>
> R9#
>
>
>
> Darn. Well, no real surprise there. The troubleshooting steps below reveal
> the issue. R6 possesses an interface in the shutdown state, and an incorrect
> network statement in EIGRP.
>
>
>
> R9#show ip prot
>
> Routing Protocol is "eigrp 100"
>
> ...
>
> R9#show ip int brief
>
> Interface                  IP-Address      OK? Method Status                Protocol
>
> FastEthernet0/0            unassigned      YES unset  administratively down down
>
> FastEthernet0/1            unassigned      YES unset  administratively down down
>
> Serial0/2/0                48.48.106.9     YES manual down                  down
>
> Serial0/2/1                unassigned      YES unset  administratively down down
>
> Loopback0                  192.168.9.9     YES manual up                    up
>
> R9#
>
> R9#show run | section eigrp
>
> router eigrp 100
>
> network 48.0.0.0
>
> network 192.168.9.0
>
> no auto-summary
>
> R9#
>
>
>
> R6#show ip prot
>
> Routing Protocol is "eigrp 100"
>
> ...
>
> R6#show ip int brief
>
> Interface                  IP-Address      OK? Method Status                Protocol
>
> FastEthernet0/0            unassigned      YES unset  administratively down down
>
> FastEthernet0/1            unassigned      YES unset  administratively down down
>
> Serial0/1/0                unassigned      YES unset  administratively down down
>
> Serial0/2/0                48.48.106.6     YES manual administratively down down
>
> Serial0/2/1                unassigned      YES unset  administratively down down
>
> Loopback0                  192.168.6.6     YES manual up                    up
>
>
> R6#
>
> R6#show run | section eigrp
>
> router eigrp 100
>
> network 48.0.0.0
>
> network 192.168.9.0
>
> no auto-summary
>
> R6#
>
>
>
> INITIAL TROUBLESHOOTING REPAIR
>
>
>
> R6(config)#int s0/2/0
>
> R6(config-if)#no shut
>
> R6(config-if)#
>
> *Nov 1 02:42:59.133: %LINK-3-UPDOWN: Interface Serial0/2/0, changed state
> to up
>
> R6(config-if)#
>
> *Nov 1 02:42:59.909: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
> 48.48.106.9 (Serial0/2/0) is up: new adjacency
>
> *Nov 1 02:43:00.137: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Serial0/2/0, changed state to up
>
> R6(config-if)#router eigrp 100
>
> R6(config-router)#no net 192.168.9.0
>
> R6(config-router)#net 192.168.6.0
>
> R6(config-router)#end
>
> R6#
>
> *Nov 1 02:43:26.453: %SYS-5-CONFIG_I: Configured from console by console
>
> R6#
>
>
>
> INITIAL VERIFICATIONS 2
>
> R9#ping 48.48.106.6 source lo0
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
>
> Packet sent with a source address of 192.168.9.9
>
> !!!!!
>
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>
> R9#
>
>
>
> SOLUTION CONFIGURATION
>
> R6#conf t
>
> Enter configuration commands, one per line. End with CNTL/Z.
>
> R6(config)#ip access-list extended AL-PING
>
> R6(config-ext-nacl)#permit icmp any any echo
>
> R6(config-ext-nacl)#permit icmp any any echo-reply
>
> R6(config-ext-nacl)#exit
>
> R6(config)#ip access-list extended AL-PING-LOOP
>
> R6(config-ext-nacl)#permit icmp host 192.168.9.9 any echo
>
> R6(config-ext-nacl)#permit icmp host 192.168.9.9 any echo-reply
>
> R6(config-ext-nacl)#exit
>
> R6(config)#ip access-list extended AL-UNREACHABLE
>
> R6(config-ext-nacl)#permit icmp any any port-unreachable
>
> R6(config-ext-nacl)#exit
>
> R6(config)#ip access-list extended AL-UNREACH-R9
>
> R6(config-ext-nacl)#permit icmp host 48.48.106.9 any port-unreachable
>
> R6(config-ext-nacl)#exit
>
> R6(config)#class-map CM-PING
>
> R6(config-cmap)#match access-group name AL-PING
>
> R6(config-cmap)#exit
>
> R6(config)#class-map CM-PING-LOOP
>
> R6(config-cmap)#match access-group name AL-PING-LOOP
>
> R6(config-cmap)#exit
>
> R6(config)#class-map CM-UNREACHABLE
>
> R6(config-cmap)#match access-group name AL-UNREACHABLE
>
> R6(config-cmap)#exit
>
> R6(config)#class-map CM-UNREACH-R9
>
> R6(config-cmap)#match access-group name AL-UNREACH-R9
>
> R6(config-cmap)#exit
>
> R6(config)#policy-map PM-COPP
>
> R6(config-pmap)#class CM-PING-LOOP
>
> R6(config-pmap-c)#police 64000
>
> R6(config-pmap-c-police)#exit
>
> R6(config-pmap-c)#exit
>
> R6(config-pmap)#class CM-PING
>
> R6(config-pmap-c)#drop
>
> R6(config-pmap-c)#exit
>
> R6(config-pmap)#class CM-UNREACH-R9
>
> R6(config-pmap-c)#police 12000
>
> R6(config-pmap-c-police)#exit
>
> R6(config-pmap-c)#exit
>
> R6(config-pmap)#class CM-UNREACHABLE
>
> R6(config-pmap-c)#drop
>
> R6(config-pmap-c)#exit
>
> R6(config-pmap)#exit
>
> R6(config)#control-plane
>
> R6(config-cp)#service-policy input PM-COPP
>
> R6(config-cp)#end
>
> R6#
>
> *Nov 1 03:12:01.036: %CP-5-FEATURE: Control-plane Policing feature enabled
> on Control plane aggregate path
>
> R6#
>
> *Nov 1 03:12:02.168: %SYS-5-CONFIG_I: Configured from console by console
>
> R6#
>
>
>
> FINAL VERIFICATION
>
> R9#ping 48.48.106.6 source lo0
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
>
> Packet sent with a source address of 192.168.9.9
>
> !!!!!
>
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>
> R9#ping 48.48.106.6
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
>
> .....
>
> Success rate is 0 percent (0/5)
>
> R9#ping 48.48.106.6 source lo0 size 1500
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 1500-byte ICMP Echos to 48.48.106.6, timeout is 2 seconds:
>
> Packet sent with a source address of 192.168.9.9
>
> !.!.!
>
> Success rate is 60 percent (3/5), round-trip min/avg/max = 12/13/16 ms
>
> R9#
>
>
>
> R6#show policy-map control-plane
>
> Control Plane
>
>
>
> Service-policy input: PM-COPP
>
>
>
> Class-map: CM-PING-LOOP (match-all)
>
> 20 packets, 16080 bytes
>
> 5 minute offered rate 0 bps, drop rate 0 bps
>
> Match: access-group name AL-PING-LOOP
>
> police:
>
> cir 64000 bps, bc 2000 bytes
>
> conformed 16 packets, 10064 bytes; actions:
>
> transmit
>
> exceeded 4 packets, 6016 bytes; actions:
>
> drop
>
> conformed 0 bps, exceed 0 bps
>
> ...
>
>
>
> CCIE Security Practice Lab Sample Task and Solution:
>
> 6.1: Control plane protection
>
> Configure Control Plane Policing (CoPP) on R2, meeting all the following
> requirements:
>
> - Configure CoPP protection on R2, allowing ICMP pings sourced from the RFC
> 1918 address space only. Any ICMP packets sourced from nonprivate address
> space to R2 should be dropped.
>
> - Do not configure any parameters under the default class that matches any
> packet.
>
> - You are allowed to configure only one class-map and one policy-map to
> complete this task.
>
>
>
> 4 points
>
>
>
> SOLUTION:
>
> R2# show policy-map control-plane
>
> Control Plane
>
> Service-policy input: copp
>
>
>
> Class-map: copp (match-all)
>
> 0 packets, 0 bytes
>
> 5 minute offered rate 0 bps, drop rate 0 bps
>
> Match: access-group 101
>
> Match: not access-group 102
>
> drop
>
> Class-map: class-default (match-any)
>
> 877 packets, 113617 bytes
>
> 5 minute offered rate 0 bps, drop rate 0 bps
>
> Match: any
>
>
>
> R2# show ip access-lists
>
> Extended IP access list 101
>
> 10 permit icmp any any (274 matches)
>
> Extended IP access list 102
>
> 10 permit icmp 10.0.0.0 0.255.255.255 any (96 matches)
>
> 20 permit icmp 172.16.0.0 0.15.255.255 any (33 matches)
>
> 30 permit icmp 192.168.0.0 0.0.255.255 any (110 matches)
>
>
>
> Anthony Sequeira, CCIE, CCSI, VCP
>
> http://www.stormwind.com
>
> Twitter: @compsolv
>
> Facebook: http://www.facebook.com/compsolv
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com <http://www.micronicstraining.com/>
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
A Cisco Learning Partner

Blogs and organic groups at http://www.ccie.net

Received on Wed Oct 31 2012 - 18:08:35 ART
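The two policies in Anthony's post, modelled as an added Python example (not code from the post, from Cisco, or from IOS): ordered first-match class-maps, the single-rate token-bucket policer behind `police <cir>`, and the conform/exceed counters that `show policy-map control-plane` prints. The point it makes that the post only shows as output is why the 1500-byte pings came back `!.!.!`: the bucket depth (bc 2000 bytes, from the post's show output), not the 64 kbps rate, decides the fate of each echo. Assumptions, all labelled in comments: each echo is charged its IP length plus a 4-byte HDLC header (the exceeded counter on the page reads 6016 bytes for 4 packets, i.e. 1504 each); the reply RTT is the 13 ms the post reports; bc for the 12 kbps class is taken as 1500 bytes because the post does not show it; class-default transmits. Every packet below is constructed for the example.

```python
"""Toy model of IOS MQC Control Plane Policing (added example, constructed
traffic): ordered first-match classes, a single-rate token-bucket policer and
the conform/exceed counters that `show policy-map control-plane` reports."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str          # source IPv4 address
    proto: str        # "icmp" or anything else
    icmp_type: str    # "echo", "echo-reply", "port-unreachable", ...
    size: int         # bytes the policer charges (IP length + 4-byte HDLC header, assumed)
    t: float          # arrival time in seconds on one shared clock


@dataclass
class Ace:
    """One permit line of an extended ACL; icmp_type None means any ICMP type."""
    proto: str
    src_net: str
    icmp_type: str | None = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and self.icmp_type in (None, p.icmp_type)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net))


def acl_permits(acl: list[Ace], p: Packet) -> bool:
    """Extended ACL: any matching permit wins, implicit deny otherwise."""
    return any(ace.matches(p) for ace in acl)


@dataclass
class ClassMap:
    """terms are (acl, negate) pairs; negate models `match not access-group`."""
    name: str
    terms: list
    match_all: bool = True           # match-all ANDs the terms, match-any ORs them

    def matches(self, p: Packet) -> bool:
        hits = [acl_permits(acl, p) != negate for acl, negate in self.terms]
        return all(hits) if self.match_all else any(hits)


@dataclass
class Policer:
    """`police <cir>` with IOS defaults: conform transmit, exceed drop."""
    cir: int                                   # bits per second
    bc: int                                    # bucket depth in bytes (2000 for cir 64000 per the post)
    conformed: int = 0
    exceeded: int = 0
    tokens: float = field(init=False, default=0.0)
    last: float | None = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc)           # bucket starts full

    def process(self, p: Packet) -> str:
        if self.last is not None:              # refill cir/8 bytes per second, capped at bc
            self.tokens = min(self.bc, self.tokens + (p.t - self.last) * self.cir / 8)
        self.last = p.t
        if p.size <= self.tokens:
            self.tokens -= p.size
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"


class PolicyMap:
    """Ordered (ClassMap, action): the first matching class decides, as in MQC,
    so CM-PING-LOOP must precede CM-PING.  class-default transmits (assumed)."""
    def __init__(self, classes: list) -> None:
        self.classes = classes                 # action is "drop" or a Policer

    def process(self, p: Packet) -> str:
        for cmap, action in self.classes:
            if cmap.matches(p):
                return action.process(p) if isinstance(action, Policer) else action
        return "transmit"


def build_r6_copp() -> PolicyMap:
    """PM-COPP from the post, class order preserved; bc 1500 for 12 kbps is assumed."""
    any4, lo0, s020 = "0.0.0.0/0", "192.168.9.9/32", "48.48.106.9/32"
    return PolicyMap([
        (ClassMap("CM-PING-LOOP", [([Ace("icmp", lo0, "echo"), Ace("icmp", lo0, "echo-reply")], False)]),
         Policer(64000, 2000)),
        (ClassMap("CM-PING", [([Ace("icmp", any4, "echo"), Ace("icmp", any4, "echo-reply")], False)]), "drop"),
        (ClassMap("CM-UNREACH-R9", [([Ace("icmp", s020, "port-unreachable")], False)]), Policer(12000, 1500)),
        (ClassMap("CM-UNREACHABLE", [([Ace("icmp", any4, "port-unreachable")], False)]), "drop"),
    ])


def build_r2_copp() -> PolicyMap:
    """CCIE Security sample: one match-all class, ACL 101 AND NOT ACL 102, action drop."""
    acl101 = [Ace("icmp", "0.0.0.0/0")]
    acl102 = [Ace("icmp", n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    return PolicyMap([(ClassMap("copp", [(acl101, False), (acl102, True)]), "drop")])


def ios_ping(policy: PolicyMap, src: str, size: int, start: float, rtt: float = 0.013) -> str:
    """Replay IOS `ping`: the next echo leaves when the reply returns (rtt, the
    post's 13 ms) or after the 2 s timeout; returns the '!'/'.' line the router
    prints.  start places this run on the shared clock of the policers."""
    out, t = "", start
    for _ in range(5):
        ok = policy.process(Packet(src, "icmp", "echo", size + 4, t)) == "transmit"
        out += "!" if ok else "."
        t += rtt if ok else 2.0
    return out
```

Running `ios_ping(build_r6_copp(), "192.168.9.9", 1500, 0.0)` reproduces the post's `!.!.!`: the first 1504-byte echo drains the 2000-byte bucket to 496, 13 ms of refill at 64 kbps adds only 104 bytes, so the second echo exceeds and is dropped; the 2-second timeout refills the bucket completely and the third conforms again. The 100-byte pings from Lo0 never come close to the bucket depth, and pings from the serial address fall through CM-PING-LOOP into CM-PING and are dropped regardless of rate. For R2, the same classifier shows the match-all trick: an RFC 1918 ICMP source fails the negated ACL 102 term, so it never enters the drop class and reaches class-default with no parameters configured there.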
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:34 ART