Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

IRR/RIPE database documentation

Written by Arnaud no comments

get help to query RIPE Database :

telnet 43

Documentation page :

Query flags cheatsheet :

some aliases I use in my bashrc :

alias cymru='whois -h -v'
alias ripe='whois -h -r'
alias ntt='whois -h -r'
alias radb='whois -h -r'
Classified in : MISC Tags : none

L2 ACL / MAC ACL vs Port Security

Written by Arnaud no comments

Cisco devices can filter mac addesses inbund with port-security or ACL, but remember ACL are checked on hardware with ASICS on the ports, and Port Security is checked in soft (and can cause big trubble when used in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

in the example we allow 100 mac addresses on this trunk port, but only 2 specific mac on the vlan 4 (interface conf mode): 

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4
But default, if the maximum mac addresses is reached, the port will be shutdown, you can auto-reenable the port after an amount of time with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions if a port violation occurs (interface conf mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown :Shuts down the port if there is a security violation.
---MAC ACL on Cat6500---
We have to specify the mac ACL first, as you can see, we can specify by VLAN (global config mode) :

mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any 
NB : You can apply mac filtering on a lot of protocols/options
And apply on the interface :
 mac access-group MY-ACL in
Classified in : cisco Tags : none

Enable SSH && disable telnet

Written by Arnaud no comments

Telnet is "bad", this is how to enable ssh and disable telnet login, and BTW we only want ssh v2 as v1 is vulnerable to several attacks:
When asked choose a least 1024bits for the key

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add ACL, this is always a good thing

access-list 99 permit
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any

line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in

when you create your ACL, remember it's even better to only accept login from your network

Source and nice explanation of the banners :

OH! BTW if you use clogin/rancid to log into your equipments, make sure your MOTD does not have any # or the auto-enable won't work...
I told you : MOTD (with #) + SSH + clogin = no auto enable

Classified in : cisco Tags : none

BGP references

Written by Arnaud no comments
I have put here lots of links I use for my presentations, and that could be interresting for anyone :
PDF Slides of my BGP workshops (in French)
What is Peering?
BGP Convergence explained (very nice post)
Wonderful cheat sheet (not only BGP!)
BGP Best Path Selection Algorithm
Examples conf BGP
BGP syntaxe and attributs
Sample BGP Commands for Cisco Systems
Performances routing cisco
Cisco Feature Navigator
Stats transits AS
peering DB
simulator router cisco
looking glass
ANSSI  (French):
PEVAL  :"peval as199422" or "peval afi ipv6 AS199422"
BGP well-known communities RFC 1997 &3765:
65535:65281 NO_EXPORT
65535:65282 NO_ADVERTISE
65535:65284 NOPEER
IANA ASN allocation :
Lolz :
Video IPv6
The IT Crowd
Classified in : BGP Tags : none

Vlan Shaping

Written by Arnaud no comments
conf t
  mls qos

  class-map match-any vlan123
   match vlan 123

  policy-map ratelimit
   class vlan123
   police cir 1000000000
   confirm-action transmit
   exceed-action drop

  int gi0/1
    service-policy input ratelimit
Classified in : cisco Tags : none

Limit user access (views)

Written by Arnaud no comments

limit commands to admin 15 :

privilege exec level 15 ssh
privilege exec level 15 telnet

Create a view for a user :

enable view
conf t
  parser view readonly
    secret 5 ???
    commands exec include show vlan
    commands exec include show
  username test view readonly password 0 ????

sources :

Classified in : cisco Tags : none

Configuring Netflow

Written by Arnaud no comments

Old style :

interface Gi0/1
   ip flow ingress

 ip flow-export source Gi0/2
 ip flow-export destination 2055
New Style :
interface Gi0/1
  ip route-cache flow sampled
  ip route-cache distributed
ip flow-export version 5
ip flow-export destination 2055
ip flow-sampling-mode packet-interval 100
Or even :
flow-sampler-map SAMPLER
 mode random one-out-of 100

ip flow-export version 5
ip flow-export destination 2055

interface Gi0/1
 flow-sampler SAMPLER
Debug :
show ip flow sampling
sh ip flow export


Classified in : cisco Tags : none


Written by Arnaud no comments

you can check your log in buffer :

#show logging

By default the buffer is 4k (aprox 60 lines), you can change it with :

(config)#logging buffered 23456

Remove logging to console :

(config)#no logging console

Disable specific logging in the buffer :

(config)#logging discriminator nologthr msg-body drops string_or_regexp_to_match 
(config)#logging buffered discriminator nologthr

To only have notifications (level 5) and more important logs :

(config)#logging buffered 40960 notifications

Add proper time format to your logs :
(config)#service timestamps log datetime localtime show-timezone

Log when someone fail (or success) to log in :

(config)#login on-failure log
(config)#login on-success log
Classified in : cisco Tags : none
Rss feed of the articles