Any Transport Over MPLS (AToM)

Any Transport over MPLS (AToM) will transport layer 2 frames over a MPLS (Multiprotocol Label Switching) network. This will allow service providers to connect layer 2 networks of customers transparently by using their MPLS backbone. AToM can transport the following:

• ATM AAL5
• ATM Cell Relay
• Ethernet
• Frame Relay
• PPP
• HDLC

I will give you an example how to configure AToM to transport Ethernet over the MPLS backbone, we will use the following topology to do this:

Above you see a small MPLS backbone that consists of the PE1, P and PE2 router. This ISP only has one customer that has a HQ and Branch. The customer wants to have the HQ and Branch router to be in the same layer 2 segment.

Cisco IOS NAT on a Stick Configuration Example

NAT (Network Address Translation) is most commonly used to let users on our LAN access the Internet using a single public IP address but it can be used for some more interesting scenarios. Recently I encountered an interesting CCIE R&S task that had the following requirement:

"Make sure that whenever R2 responds to a traceroute it replies with the IP address on the loopback 0 interface"

This sounds easy enough but there’s no such thing as a “traceroute source loopback 0″ command or anything alike. To make this work we have to configure the NAT on a stick feature. In this tutorial I’ll show you this is done. First of all, this is the topology that we will use:

There are only two routers that are directly connected to each other. R2 has a loopback 0 interface with IP address 2.2.2.0 /24. Let’s configure these IP addresses first:

Site-to-Site IPSEC VPN Between Two Cisco ASA – one with Dynamic IP

isco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1 Cisco Adaptive Security Appliance (ASA)

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.
In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. PfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2 and the same has been used in this tutorial.
In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1  Cisco ASA to pfSense IPsec Implementation (Click for Larger Picture)

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Another Java zero-day vulnerability being exploited in the wild

Do you still have Java installed? There is a bad news for you ! FireEye has detected yet another Java zero-day vulnerability being exploited in attacks in the wild.

The vulnerability targets browsers that have the latest version of the Java plugin installed Java v1.6 Update 41 and Java v1.7 Update 15 and FireEye warned that the vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm.

"Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process,"

"After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero."

The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month.

It is not known if this particular Java vulnerability is on Windows only or on Linux and Mac OS X, too. However, McRat is a Windows Trojan so the in-the-wild attacks are specifically targeting Windows users.

If you don't want any chance of being infected, the best thing to do is uninstall Java altogether.

Old School Hackers spying on European governments

Kaspersky Lab's team of experts recently published a new research report that analyzed that Cyber criminals have targeted government officials in more than 20 countries, including Ireland and Romania with a new piece of malware called 'MiniDuke'.

In a recent attack, malware has infected government computers this week in an attempt to steal geopolitical intelligence. The computers were infected via a modified Adobe PDF email attachment, and the perpetrators were operating from servers based in Panama and Turkey.

According to Kaspersky Lab CEO Eugene Kaspersky,"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world."

Last week Adobe released an update that patches the Adobe PDF bug (CVE-2013-6040) used in the attack. Once it was opened, the MiniDuke malware would install itself on a victim's computer. It is not known what information the attackers are targeting.

MiniDuke attacks government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.

The malware also compromised the computers of a prominent research foundation in Hungary, two thinktanks, and an unnamed healthcare provider in the US.

Mpls Vpn review

Hi all, 
I'm completely busy on studying CCIE R&S written but I want to share a mpls vpn lab for reviewing mpls arguments.

Here is the topology:



Task list for this lab is:
-R1-R2-R3-R4-R5-R6-R7 (ISP) cannot elect any DR/BDR to speed up convergence
-Any OSPF area 0.0.0.0 neighbor fault must be detected within 1 second or less (NOTE: if you use dynamips, this requirement can be skipped or "relaxed"..., the high cpu % utilization will bring up/down your adjacency when you perform some operations like enable mpls...)

Mpls Lab #1 : Basic Mpls configuration

Hi all, after a successful BGP exam, now it's time to start with MPLS... nothing better than a basic lab to practice the configurations and show commands.

Here the topology, most of my lab routers doesn't support mpls (2600 series) that's why I used GNS3 with 3600s...

STEP 1: configure all point to point links and use EIGRP with various AS to route all links and loopbacks. Ensure that you can ping every interface from every router.

STEP 2: basic mpls configuration, for each router you must:
-enable ip cef with:

BGPFLAP: a simple tcl script to flap an interface

Hi all,
today I was trying the bgp dampening feature, and I wrote this simple tclsh script to flap an interface during my lab tests:

first, configure an interface with the route to flap:

R3#sh run int lo 10 | beg int
interface Loopback10
 ip address 10.10.10.10 255.255.255.0
end

then configure the network statement for that route under the bgp process: 

R3#sh run | sec router bgp
router bgp 300
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 10.10.10.0 mask 255.255.255.0
 neighbor 192.168.2.1 remote-as 200
 neighbor 192.168.2.1 ebgp-multihop 2
 neighbor 192.168.2.1 update-source Loopback0
 no auto-summary
R3#

and here is the tclsh script, I reccomend a wait time of 40-50 sec with the default bgp timers

VRRP , An Overview and Implementation

VRRP: Virtual Router Redundancy protocol

To reach remote networks we use the following methods to discover the first hop to our remote network:

• Dynamic process
• Static configurations

The problem with dynamic exploration is extra network overhead, and usually static configuration is recommended as it gives the next hop detail in advance thus reducing the extra network overhead. But the problem with static next hop or in simple words default gateway configuration is redundancy as it creates a single point of failure. To overcome this, we use different redundancy configuration techniques, in which we configure a single virtual IP on a group of routers. In case one virtual gateway fails, the load is instantly shifted to the next available router according to priority. VRRP is one of those techniques as are GLBP and HSRP. In VRRP we define a Master Router and a bunch of back up routers; these backup routers are the point of redundancy in case of Master router failure. 

SNMP: Simple Network Management Protocol

SNMP: Simple Network Management Protocol

SNMP is used for monitoring of network devices, collects logs and health statistics of different device nodes. SNMP data can be collected on a centralized NMS (Network Management System), the collected data can be plotted for a better representation of the overall network health. SNMP collects all of its data via SNMP Pooling and SNMP traps. Some famous SNMP supported NMSs are IBM Tivoli, PRTG and MRTG grapher. Many free SNMP based software is also available in the open source community.

Quick Facts about SNMP:

• SNMP Poll uses UDP 161
• SNMP Trap uses UDP 162
• SNMPv3 allows username authentication and packet encryption
• SNMP Inform requires packet acknowledgement, while SNMP Trap does not
• SNMP versions: SNMPv1, SNMPv2c & SNMPv3

SNMP Configuration in GNS3

Suppose, we are setting in a NOC (Network Operations Center). Our network is up and running, our task is to configure an SNMP based NMS to monitor our Core Network Router (R1), which is critical for our network operations. We are using a very popular NMS, known as PRTG (Packet router traffic Grapher). PRTG is a very popular used NMS, very good, efficient and excellent graphical interface, which gives us a very remarkable view of our critical network elements.

The simple flow of the topology is as follows:

A 2691 router is connected to a cloud (in GNS3, Cloud is used to connect the router to our PC physical interface). PRTG NMS has been configured on PC1 (local host). The topology is given below:

Configuring NAT Overload On A Cisco Router

Introduction

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. NAT Overload, also known as PAT (Port Address Translation) is essentially NAT with the added feature of TCP/UDP ports translation.

The main purpose of NAT is to hide the IP address (usually private) of a client in order to reserve the public address space. For example a complete network with 100 hosts can have 100 private IP addresses and still be visible to the outside world (internet) as a single IP address. Other benefits of NAT include security and economical usage of the IP address ranges at hand.

The following steps explain basic Cisco router NAT Overload configuration. NAT overload is the most common operation in most businesses around the world, as it enables the whole network to access the Internet using one single real IP address. If you would like to know more about the NAT theory, be sure to read our popular NAT articles, which explain in great depth the NAT functions and applications in today's networks.