Press "Enter" to skip to content

//> A L C A T R O N . N E T //> Posts

Netdisco 1.0 Released

Netdisco 1.0 has been released, probably the best network management tool of all your routers/switches in the enterprise 🙂

This brings many new features including improved Vlan searching, graphical network mapping, and device type discovery including IP phones and wireless clients.

Full VMware image, and Source files availble from http://sourceforge.net/projects/netdisco/files/

More info http://www.netdisco.org/

[ad#googleadd1]

Leave a Comment

Cisco 877 security hardening

I researched some more information how to tighten the 877 against security attacks, and usually on your dialer interface you might have this..

ip access-group 101 in

then a access list for incoming traffic via access-group 101 might look like this..

access-list 101 permit ip any any

However with having this set, means icmp, port attacks, or any other type of probing could be spoofed to gain access to your network. I have implemented the following access list filter to stop that from occuring, by blocking any internal LAN ranges from the wan side coming in via the dialer interface, and other type of bogus attacks.

access-list 101 deny   icmp any any echo                (blocks wan pings)
access-list 101 deny   tcp any any eq 139     (blocks port 139 netbios attacks used for ms fileshares)
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any  (blocks internal lan range)
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any (blocks internal lan range)
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any (blocks internal lan range)
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any  (blocks localhost spoofs)
access-list 101 deny   ip 50.0.0.0 0.255.255.255 any   (blocks unused 50.* address space which attackers may spoof)
access-list 101 deny   ip 100.0.0.0 0.255.255.255 any   (blocks unused 100.* address space which attackers may spoof)
access-list 101 deny   ip 101.0.0.0 0.255.255.255 any (blocks unused 101.* address space which attackers may spoof)
access-list 101 deny   ip host 255.255.255.255 any (blocks spoofing from this address)
access-list 101 deny   ip host 0.0.0.0 any (blocks spoofing from this address)
access-list 101 permit ip any any  (permits all other traffic)

Now once you have this in place, how do you know if you are actually getting hits from any of these rules, and if the 877 is dropping the packets if the acl matches?

There is one nice command to show that data…(need to be in priviliged mode)

cisco877#show access-lists
Extended IP access list 101
10 deny icmp any any echo (30 matches)  <30 hits on blocking wan ping from outside sources
20 deny tcp any any eq 139 log
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 127.0.0.0 0.255.255.255 any
70 deny ip 50.0.0.0 0.255.255.255 any log
80 deny ip 100.0.0.0 0.255.255.255 any log
90 deny ip 101.0.0.0 0.255.255.255 any log
100 deny ip host 255.255.255.255 any
110 deny ip host 0.0.0.0 any
120 permit ip any any (2954091 matches) <<lots of hits being allowed in from other sources not in access list (normal ip traffic flow)

Hopefully this is useful to someone wishing to implement a bit more security to their 877 setup 🙂

Any questions post your comments.

[ad#googleadd1]

3 Comments

CISCO WS-C2960G-8TC-L

Well the new switch just arrived here are some pics. Looks quite nice, little bit bigger than your usual 8 port switch, but it runs nice and quiet 🙂

When it came to configuring individual ports, following website prooved very useful:
http://www.itsyourip.com/cisco/how-to-enable-spanning-tree-portfast-in-cisco-catalyst-switch-ios/

With gigabit connectivity you can enable jumbo ports in global config:

system mtu jumbo 9000

Then by issuing “show system mtu”

System MTU size is 1500 bytes
System Jumbo MTU size is 9000 bytes
Routing MTU size is 1500 bytes

Also note on Port GigabitEthernet 0/6 i decided not to use the portfast/bpduguard since the Cisco 877 is plugged into it, and that has a switch. Portfast is only recommended on single devices etc.

Current config I have running:

Current configuration : 3531 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2960G
!
boot-start-marker
boot-end-marker
!
enable secret yourpasshere
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
switchport mode access
!
interface GigabitEthernet0/7
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!

interface GigabitEthernet0/8
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Vlan1
ip address 10.108.1.9 255.255.255.224
no ip route-cache
control-plane
!
!
line con 0
login

line vty 0 4
access-class 102 in
login
line vty 5 15
no login
!
end

[ad#googleadd1]

11 Comments