Cisco Docs: Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address
Configure the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify if the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
any Source is reachable via any interface
rx Source is reachable via interface on which packet was received <-EXACT INTERFACE
#sh ip int s1/0.21 | b verify
IP verify source reachable-via RX
0 verification drops
0 suppressed verification drops
0 verification drop-rate
!!!If the check fails, and this is NOT the best interface to reach the IP from which the incoming packed was sourced the packed it DROPPED.
Zone Based Firewall
Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html
To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.
STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#drop
STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
WORD Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection
<cr>
(config-pmap-c)#inspect
STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ
(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE
STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY
#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
Zone-pair: OUT-to-DMZ
Service-policy inspect : OUTSIDE_POLICY
Class-map: INSIDE (match-any)
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html
To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.
STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#drop
STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
WORD Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection
<cr>
(config-pmap-c)#inspect
STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ
(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE
STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY
#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
Zone-pair: OUT-to-DMZ
Service-policy inspect : OUTSIDE_POLICY
Class-map: INSIDE (match-any)
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION
Subscribe to:
Posts (Atom)
Most Popular Posts
-
Before we start, lets once again make sure we fully understand what Bridge Domain is. The bridge domain can be compared to a giant distribut...
-
Ever since Cisco bought Insieme and created Cisco ACI, and VMware bought Nicira and created NSX, I've been intensively deep-diving and b...
-
[In collaboration with the guest blogger, Marc Espinosa ] Let's start with the messaging protocols, MQTT and CoAP, and consider which ...
-
By know you should know the following facts about ACI: Cisco Nexus 9k Switches make the ACI Fabric, which is the Control and the Data pla...
-
Get ready to have your mind blown. One of the easiest procedures I've encountered. You just need to follow these 3 steps, to migrate the...
-
The VM-Series firewall for VMware NSX is jointly developed by Palo Alto Networks and VMware. NetX APIs are used to integrate the Palo Alto N...
-
Google has made their Cloud Platform (GCP) so that you can host your application any way your business requires. When we talk about the ...
-
First time we “unpack” ACI, we will find a certain number of potential Spine and potential Leaf switches, and hopefully 3 (or 5) APIC Contro...
-
Narbik Topology for web-iou Disclaimer: I DON’T OWN NOR HAVE AN ACCESS TO THE TOPOLOGY, INITIAL CONFIGS, IOU/IOL BINARIES OR ANY OTHER ...
-
Before I get into the Python for NX-OS, let me explain a few concepts that I've seen Network Engineers have been struggling with. Dev...