Wednesday, October 28, 2009

New Cisco ISR G2 Routers: The Facts Part 1

Cisco ISR G2 Routers

Who what when where why

You have probably heard the fuss regarding Cisco’s release of the next generation of ISR routers, the ISR G2. The ISR has been the most successful access router EVER, and the ISR G2 looks set to continue that success.

Enough marketing talk, plenty of that on Let’s get down to the details of what exactly we are looking at. Each article will focus on a different area of the G2; today we will be looking at

Software Licensing

The software is where the vast majority of the changes to the way you think about Cisco are occurring.

First of all, no more separate IOS images per feature set: IOS version 15 is a “universal” IOS, which means that the same image is used across all platforms. What is even more interesting is that this “universal” IOS also comes pre-loaded with all the feature sets (security etc.) ready to go: they just need to be licensed.

It is also important to note that the different feature sets have been broken up into much smaller and more easily understood sections. Rather than ADV IP Services, IP Services, IP Plus etc. etc., the model has been significantly simplified:

IP Base is enabled by default, and you can then enable the feature sets that you require (SEC, DATA or UC). These are referred to as Cisco IOS “technology packages”.

Routers that you have pre-purchased for UC etc. will obviously come licensed for that technology package. Just so you know: yes, you can enable multiple technology packages at the same time.

How do you license them? With a PAK file. You order the license and a PAK file with a special key number is provided to you; you go to and enter this PAK number along with the unique ID of the router (the UDI, which is made up of the serial number of the router and the PID).

Once you have done that you are sent a .lic file that you then apply to the router. You’re done!

It is important to note that while this sounds like a pain in the butt, it makes ordering IOS a lot simpler and means you don’t have to worry about downloading a new IOS in order to apply the feature set you want. What’s even cooler is that temporary licenses, which let you try a feature for 60 days, are now supported.
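To make the PAK-to-.lic flow concrete, here is an added walk-through for a hypothetical 2900-series ISR G2 (this is my own example session, not something from the post). It reads the UDI you need for the licensing portal, switches on the built-in 60-day evaluation SEC package so you can test before the paid license arrives, and then installs the .lic file. The hostname, TFTP server, file name and module name are placeholders; the module name must match your chassis family.

```cisco
! Added example (not from the post). Prompts are a hypothetical router.
! Step 1: get the UDI (PID + serial number) that the portal asks for with the PAK
Router# show license udi
!
! Step 2 (optional): enable the 60-day evaluation SEC technology package.
! The module name depends on the chassis (c2900 here, c3900 on a 3900).
Router# configure terminal
Router(config)# license boot module c2900 technology-package securityk9
Router(config)# end
Router# write memory
! technology package changes only take effect after a reload
Router# reload
!
! Step 3: once the portal has e-mailed the .lic file, copy it to flash and install it.
! 192.0.2.10 and EXAMPLE-PAK.lic are placeholders.
Router# copy tftp://192.0.2.10/EXAMPLE-PAK.lic flash:
Router# license install flash:EXAMPLE-PAK.lic
!
! Step 4: confirm which packages and feature licenses are active, and their type
! (permanent, evaluation, or time-limited subscription)
Router# show license feature
Router# show license
```

Keep a copy of the .lic file off the router: it is tied to the UDI, so it is only good for that chassis, but if the flash is ever wiped you will want it again rather than another trip through the portal.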

What about features such as SSL VPN, you say, or CME? These are enabled using a “feature license”, which is basically an add-on to a particular technology package. So, for example, in order to enable the CME feature license you obviously must have the UC technology package license already. There are two types of feature licenses:

Subscription Licenses

Subscription licenses are time-based licenses that require the subscriber to renew periodically, or the license will expire after an agreed-upon time. Some examples of subscription licenses are URL Filtering and IPS signature updates.

Counted Licenses

Feature licenses can be either uncounted or counted. Uncounted licenses have no count and simply enable the feature, unrestricted, on the router when activated. Counted licenses enable a defined number of uses, e.g. CME user licenses.

Thursday, October 15, 2009

SSID Broadcasting on Cisco

Hi Guys,

Very quick update this one: just letting you guys know how to broadcast an SSID on a Cisco wireless device. I know it sounds simple, but it’s such a weird command to enable broadcasting of the SSID that I wanted to document it for those of you who have trouble finding it.

dot11 ssid

Hope this is of help to some of you!
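For reference, here is the full SSID stanza as I would write it on an autonomous (IOS-based) Cisco AP; this is an added example, not the post’s own config. The oddly named command that puts the SSID into the beacons is `guest-mode` under `dot11 ssid`, and only one SSID per radio can be in guest mode. The SSID name, passphrase and radio interface are placeholders, and WPA2-PSK is included because hiding the SSID is not a security control in itself.

```cisco
! Added example (not from the post). Names and passphrase are placeholders.
dot11 ssid EXAMPLE-SSID
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii EXAMPLE-PASSPHRASE
 ! guest-mode = broadcast this SSID in beacons (one SSID per radio may have it)
 guest-mode
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid EXAMPLE-SSID
 no shutdown
```

Remove `guest-mode` again and the SSID stops appearing in beacons but still answers probe requests for its name, which is why hiding it buys no real protection.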

Tuesday, October 13, 2009

IPSEC Redundancy

Hi Guys,

Straight into it: did you know that there are some very nice redundancy features for IPsec? Sure, I always sort of realized you could put two routers in a VRRP or HSRP arrangement, but what if I told you that not only could you do this, you could also get them to exchange state information about the traffic in the IPsec session?

Or what if your routers are in entirely different subnets? Maybe you have an IPsec router on one ISP and a backup IPsec router on the other? That is the topic of this blog.

Let’s first cover off a very basic redundancy option that might fit the bill for you perfectly:

Just add more than one peer in your set peer command!

Monday, October 12, 2009

EBGP Multihop protection

I assume, of course, that if you’re reading this blog you probably know what BGP is :) So I won’t bore you with that, but what I will say is: man, BGP security globally is in a pretty sorry state.

From unauthenticated BGP sessions (no MD5 password) to lax prefix filters, disaster is just a step away with such lax security.

A fairly simple attack that you might fall victim to is BGP spoofing. Take for example: you peer with and you don’t use MD5 authentication because the network engineer at that ISP thinks MD5 is some oddly named rock band.

Further to this, not only does he not know what he is doing from an authentication perspective, he has also failed to implement any sort of IP spoofing protection on his network. One of the customers on his network, Dr Evil, decides to spoof a BGP packet to you with as the source, in which he claims he knows the routes to Google. Since you’re not using MD5 you’re quite stuffed at this point! “But I have prefix list protection,” you say. Okay, fair enough, but what if he just kept sending resets for your BGP session? That could still potentially cause you issues.

"Save me Dr Cisco!" I hear you cry.

Enter BGP TTL-Security check

This funky little feature takes advantage of the fact that all IP packets have a TTL value. If you’re peering with someone directly, the packets arrive with a TTL that has only been decremented once. It is important to note that key word, DIRECTLY: if the other end is sourcing its BGP traffic from a loopback interface, or is peering to YOUR loopback interface, the hop count is going to be slightly different.

So if a packet is spoofed from a customer further away, the TTL will still have to be “marked down” at every hop, and by the time it makes it to your router it will be something like 248 or 249 instead of the 254 or 253 it should be.

The BGP Support for TTL Security Check feature is configured with the neighbor ttl-security command in router configuration mode or address family configuration mode. When this feature is enabled, BGP will establish or maintain a session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. Enabling this feature secures the eBGP session in the incoming direction only and has no effect on outgoing IP packets or the remote router. The hop-count argument is used to configure the maximum number of hops that separate the two peers. The TTL value is determined by the router from the configured hop count. The value for this argument is a number from 1 to 254.
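Here is the check in config form, as an added example of my own rather than anything from the post: a directly connected upstream peer with `ttl-security hops 1`, which makes the router drop any BGP packet arriving with a TTL below 255 - 1 = 254, plus MD5 and the prefix filters the post mentions. A second neighbour shows the loopback-to-loopback case, where the extra router in the path means `hops 2`. ASNs are from the documentation range; addresses, key and prefixes are placeholders.

```cisco
! Added example (not from the post). ASNs 64496/64511 are documentation
! values; addresses, the MD5 key and the prefix lists are placeholders.
ip prefix-list FROM-ISP seq 5 deny 10.0.0.0/8 le 32
ip prefix-list FROM-ISP seq 10 permit 0.0.0.0/0 le 24
ip prefix-list TO-ISP seq 5 permit 203.0.113.0/24
!
router bgp 64496
 ! directly connected peer: one hop, so incoming TTL must be >= 254
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 description Upstream ISP, directly connected
 neighbor 192.0.2.1 ttl-security hops 1
 ! MD5 is authentication of the TCP segments, not encryption
 neighbor 192.0.2.1 password EXAMPLE-MD5-KEY
 neighbor 192.0.2.1 prefix-list FROM-ISP in
 neighbor 192.0.2.1 prefix-list TO-ISP out
 !
 ! loopback-to-loopback peering across one intermediate router: two hops,
 ! so incoming TTL must be >= 253. ttl-security replaces ebgp-multihop here;
 ! IOS will not let you configure both on the same neighbour.
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 update-source Loopback0
 neighbor 198.51.100.1 ttl-security hops 2
 neighbor 198.51.100.1 password EXAMPLE-MD5-KEY
```

One caveat that bites people: both ends must configure `ttl-security`. An unconfigured eBGP peer sends its packets with a TTL of 1, so if only your side has the check enabled the session simply never comes up. `show ip bgp neighbors 192.0.2.1` reports the minimum incoming TTL the router is enforcing, which is the quickest way to confirm the hop count you chose.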

I hope this helps guys!