Inspection of router-generated traffic does not recognize DHCP client traffic
Once you start thinking about what's really going on, it all becomes obvious: as the router has no IP address when it sends the DHCP request, and it sends the DHCP request to a broadcast address (as it doesn't know the IP address of the upstream DHCP server), there is no session that could be entered into the CBAC session table. So you still have to allow all DHCP traffic to your router with an access-list similar to this one:
ip access-list extended Internet
permit udp any eq bootps any eq bootpc
deny ip any any
Note: Replace the first any keyword (the packet source) with the actual DHCP server's IP address if you have it available and you want to have an even more secure IP access-list.
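The effect of that note, as an added example that is not part of the original post: a small first-match evaluator run over the access-list above and over a variant with the server address filled in. The addresses (192.0.2.1 as the DHCP server, 198.51.100.7, 203.0.113.5) and the packets are constructed placeholders, and the evaluator only models the fields this access-list uses.

```python
import ipaddress

BOOTPS, BOOTPC = 67, 68          # UDP ports of the DHCP/BOOTP server and client
DHCP_SERVER = "192.0.2.1"        # constructed placeholder, not from the post

def addr_ok(spec, ip):
    """spec is the keyword 'any' or a single host address."""
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(ip)

def evaluate(acl, pkt):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])):
            continue
        if sport is not None and sport != pkt["sport"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

# permit udp any eq bootps any eq bootpc / deny ip any any
ACL_ANY = [("permit", "udp", "any", BOOTPS, "any", BOOTPC),
           ("deny", "ip", "any", None, "any", None)]
# Same list with the source pinned to the known DHCP server
ACL_PINNED = [("permit", "udp", DHCP_SERVER, BOOTPS, "any", BOOTPC),
              ("deny", "ip", "any", None, "any", None)]

# Constructed inbound packets on the outside interface
PACKETS = {
    "reply from known server": {"proto": "udp", "src": DHCP_SERVER, "sport": 67,
                                "dst": "255.255.255.255", "dport": 68},
    "reply from other host": {"proto": "udp", "src": "198.51.100.7", "sport": 67,
                              "dst": "255.255.255.255", "dport": 68},
    "telnet to router": {"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
                         "dst": "203.0.113.5", "dport": 23},
}

def verdicts(acl):
    """Map each sample packet name to the action the access-list takes."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("any", ACL_ANY), ("pinned", ACL_PINNED)):
        print(label, verdicts(acl))
```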
DHCP and BOOTP coexistence
However, IOS has an interesting feature when you use a router as a DHCP server: you can tell it to ignore the BOOTP requests with the ip dhcp bootp ignore global configuration command (introduced in 12.2T and 12.3). Even more, the router can respond to DHCP requests and forward BOOTP requests to a non-local BOOTP server configured with the ip helper-address interface configuration command.
Totally Stealthy Router
In response to the post detailing router response to port scans, one of my readers asked an interesting question:
“I was wondering if there was a way to prevent the router from sending those TCP RST packets and administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”
Here's how you do it:
Be Smart When Using the OSPF Network Statement
For whatever reason, a lot of people have the impression that the wildcard bits in the OSPF network statement have to be the inverse of the interface subnet mask. For example, if you have configured ip address 192.168.1.2 255.255.255.240 on an interface, they would enter network 192.168.1.2 0.0.0.15 in the OSPF configuration (and use one network statement per interface).
In reality, the network statements work like a simple IP access-list: whenever an interface IP address matches the network statement, the interface is put into the selected area. The Cisco IOS CLI got better over the years: the network statements are automatically sorted from most-specific to least-specific and (like with the access lists) the first match stops the search.
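The matching rule described above, as an added example that is not part of the original post: interface addresses are tested against wildcard-style network statements, most specific first, and the first match selects the area. The statements and interface addresses are constructed, and ordering by the number of wildcard bits is an assumption standing in for the IOS sort.

```python
import ipaddress

def parse_network(stmt):
    """Parse 'network <addr> <wildcard> area <id>' into (addr, wildcard, area)."""
    words = stmt.split()
    if len(words) != 5 or words[0] != "network" or words[3] != "area":
        raise ValueError(f"not an OSPF network statement: {stmt!r}")
    addr = int(ipaddress.IPv4Address(words[1]))
    wildcard = int(ipaddress.IPv4Address(words[2]))
    return addr, wildcard, words[4]

def matches(ip, addr, wildcard):
    """Access-list style match: bits set in the wildcard are 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)

def assign_areas(statements, interfaces):
    """Return {interface: area or None}; most specific statement first, first match wins."""
    parsed = [parse_network(s) for s in statements]
    # Assumption: fewer wildcard bits means more specific. The sort is
    # stable, so equally specific statements keep their configured order.
    parsed.sort(key=lambda p: bin(p[1]).count("1"))
    result = {}
    for name, ip_text in interfaces.items():
        ip = int(ipaddress.IPv4Address(ip_text))
        result[name] = next(
            (area for addr, wc, area in parsed if matches(ip, addr, wc)), None)
    return result

# Constructed sample configuration: three statements cover four interfaces,
# and none of the wildcards is the inverse of an interface subnet mask.
STATEMENTS = [
    "network 0.0.0.0 255.255.255.255 area 0",   # catch-all
    "network 192.168.1.0 0.0.0.255 area 1",     # every 192.168.1.x interface
    "network 10.0.0.1 0.0.0.0 area 2",          # exactly one address
]
INTERFACES = {
    "FastEthernet0/0": "192.168.1.2",    # the /28 interface from the text
    "FastEthernet0/1": "192.168.1.130",
    "Loopback0": "10.0.0.1",
    "Serial0/0": "172.16.0.1",
}

if __name__ == "__main__":
    for name, area in assign_areas(STATEMENTS, INTERFACES).items():
        print(f"{name}: area {area}")
```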
Update: Inspect router-generated traffic
Furthermore, if you use any protocols that have separate control and data sessions (for example, FTP, H.323 or SIP), you have to list them before tcp or udp keywords, otherwise their control streams will not be inspected and there will be no provision for data sessions.
ip inspect name Internet ftp
ip inspect name Internet h.323 router-traffic
ip inspect name Internet sip router-traffic
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
interface FastEthernet0/0
ip access-group Internet in
ip inspect Internet out
!
ip access-list extended Internet
deny ip any any
Redundant DHCP server
If the address space assigned to a LAN is at least twice as large as the number of LAN-attached devices, you can use the ip dhcp excluded-address command to exclude half of the address pool on each router, for example:
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
!
! Exclude router addresses
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
! Exclude half of the pool
ip dhcp excluded-address 192.168.0.128 192.168.0.255
Alternatively, you can rely on the ip dhcp ping packets command; the router will ping an IP address to check whether it's live before assigning it (by default, the router sends two pings with a 500 millisecond timeout).
Note: You can also inspect the conflicting IP addresses the router found with the show ip dhcp conflict command.
Network Statements Are No Longer Needed in OSPF Configuration
If you’ve ever had to configure OSPF on a Cisco router, you’re well familiar with the venerable network statement, which effectively assigns interfaces into OSPF areas based on their IP addresses. Although our life became simpler when the network statements stopped being order-dependent (the order dependency allowed for a few nasty surprises in the troubleshooting part of the CCIE lab when the CCIE title still implied you had to be able to fix other people’s mistakes :), it was still an awkward way of configuring what belongs where.
Using MPLS VPN Books to Study for the CCIP Exam
Every now and then I'm getting questions from my readers regarding the suitability of my MPLS books for the CCIP exam, for example:
I'm pursuing my CCIP and have a hard time finding the right MPLS study guide. I know you have the CCIP edition that was written in 2002, but I think the exam topics have changed. Can you recommend what book or books are best for the CCIP MPLS exam?
Are MPLS VPN Architectures Volume 1 & 2 two completely separate books or is Volume 2 a newer release? I was thinking of going for the CCIP and wanted to know if I should get both books or just the more recent one.
OSPF Default Route: Design Scenarios
Here’s an interesting OSPF-related question I got:
“Which one is better: default-information originate or default-information originate always?”
As always, the answer is it depends. If your OSPF edge routers have external default routes (for example, static default routes toward the Internet, see the next diagram), you'd want them to announce the default route only when they have a default themselves (otherwise, they would attract the traffic and then blackhole it). In this case, you’d use default-information originate.
Inserting Default Route Into OSPF
Another Cisco IOS OSPF implementation trivia: if you’re redistributing a default route into OSPF (for example, you have a static default route configured with ip route 0.0.0.0 0.0.0.0 … and you use redistribute static subnets within the OSPF process), the default route will not be entered into the OSPF database unless you configure default-information originate within the router ospf configuration.
Similarly, if you configure default-information originate always, the router will inject the type 5 LSA for the default route into the OSPF topology database even if the router itself does not have a default route (or gateway of last resort).
Display per-process memory usage
router#show processes memory sorted
Total: 13734272, Used: 6372068, Free: 7362204
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 135340 1864 4734916 0 0 *Init*
55 0 242388 188 249076 0 0 URL filter proc
69 0 317996 143308 182184 0 0 IPSEC key engine
62 2 277048 124752 165172 0 0 Virtual Exec
68 0 762828 657056 109896 0 0 Crypto IKMP
80 0 74556 1100 73772 0 0 CEF process
91 0 25704 188 28776 0 0 NTP
67 0 3116 51368 27904 0 0 Crypto ACL
83 0 184 0 25060 0 0 traffic_shape
30 0 89900 0 24700 0 0 IP Input
46 0 32248 1776 23596 0 0 DHCPD Receive
35 0 10236 540 16572 0 0 PPPOE discovery
48 0 95344 51488 14724 0 0 HTTP CORE
Usually the top entry is the *Init* process, which allocates all shared buffers, but routing processes could also exhibit significant memory utilization in large networks.
The “show ip interface” command I've always wanted to have
To use it, download it and store it into the flash memory of your router. Configure alias exec ipconfig tclsh flash:ipInterfaces.tcl and you can use ipconfig or ipconfig active to display interface IP addresses.
MPLS Ping and Traceroute
One of the hardest troubleshooting problems within an MPLS VPN network has always been finding a broken LSP. While you could (in theory) use the IP ping or traceroute (assuming all hops support ICMP extensions for MPLS), the results are not always reliable… and interpreting them is not so easy. For example, after I've disabled LDP on an interface with the no mpls ip configuration command, the routers in the LSP path still reported outgoing MPLS labels in ICMP replies for a few seconds (until the LDP holddown timer expired on both ends of the link).
As a side note, would you deduce from the printout that the break in the LSP path happened on the router with the IP address 192.168.201.1?
Closed versus Filtered ports
Sometimes (it depends on the application you're protecting) you can configure application-layer protection in Cisco IOS. For example, you can protect the HTTP server with the ip http access-class global configuration command or the Telnet server with the access-class in line configuration command (and BGP will not accept incoming TCP SYN packets unless you've configured a BGP neighbor). The access-class configuration causes the incoming request to be rejected within the application (in the control plane, after the TCP stack), resulting in a TCP RST packet being sent back. The port scanner thus reports the protected TCP port as closed.