Calin | IPNET - Part 34

Cisco announced multiple security advisories

Last week, Cisco announced more security advisories regarding multiple possible vulnerabilities for range of it’s product. I will post here just a short summary about this advisories and provide you with the links to the full descriptions of the possible problems:

October 14, 2009 – Cisco Unified Presence Denial of Service Vulnerabilities

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Cisco has released free software updates that address these vulnerabilities.

October 15, 2009 – Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:

Malformed HTTP or HTTPS authentication response denial of service vulnerability
SSH connections denial of service vulnerability
Crafted HTTP or HTTPS request denial of service vulnerability
Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
Cisco has released free software updates that address these vulnerabilities.

October 19, 2009 – Cisco IOS Software Tunnels Vulnerability

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

October 15, 2009 – Cisco IOS Software Authentication Proxy Vulnerability

Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

Cisco has released free software updates that address this vulnerability.

There are no workarounds that mitigate this vulnerability.

October 19, 2009 – Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability

Cisco IOS® devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.

Cisco has released free software updates that address this vulnerability.

Cisco SRW2008P 8-port Gigabit Switch Video Data Sheet

CCIE Routing and Switching Exam Certification Guide, 4th Edition

I just received the news that Cisco Press will release on 19th of November 2009, the 4th edition of CCIE Routing and Switching Exam Certification Guide by Wendell Odom, Rus Healy and Denise Donohue.

A brief description from the Cisco Press site:

“The CCIE Routing and Switching certification is the most respected certification in the industry. The successful CCIE candidate must understand a broad range of network technologies that includes OSI model, bridging, LAN switching, IP and IP Routing protocols, multicast, WAN technologies, and performance management. The exam is notoriously difficult and CCIE candidates must first pass a qualifying written exam. The CCIE Routing and Switching Exam Certification Guide, Fourth Ed., covers all of the topics of the 4.0 written exam. In this updated edition there are content and alignment changes based on the revised v4.0 exam. The newest edition includes 300 pages of new content covering the following topics:

Network optimization

Troubleshooting

BGP routing policies

Expanded QoS coverage

Expanded WAN coverage

Expanded multicast coverage

Expanded MPLS coverage

IPv6 redistribution”

Currently you can pre-order the book and it will be delivered when published. If you are lucky enough to live in U.S. you can have it shipped for free.

Price and full details about this product can be found on the Cisco Press site.

Cisco acquire TANDBERG (for $3 billion)

Cisco today announced a definitive agreement for Cisco to launch a recommended voluntary cash offer to acquire TANDBERG (OSLO: TAA.OL). TANDBERG, based in Oslo, Norway, and New York, is a global leader in video communications, including a broad range of world-class video endpoint and network infrastructure solutions with intercompany and multi-vendor interoperability. With this proposed acquisition, Cisco will expand its collaboration portfolio to offer more solutions to a greater number of customers, further accelerating market adoption globally.

Under the terms of the agreement, Cisco will commence a cash tender offer to purchase all the outstanding shares of TANDBERG for 153.5 Norwegian Kroner per share for an aggregate purchase price of approximately $3.0 billion. This represents an 11.0% premium to the previous day closing price of TANDBERG’s stock, and a 25.2% premium to the 3-month volume weighted average closing price for TANDBERG’s stock. The proposal was recommended unanimously by TANDBERG’s board of directors.

Source: Cisco.com

Cisco: How to configure HSRP

In this post I proposed to discuss a little bit about Hot Standby Router Protocol and how it can be configured on a Cisco device. For this I have chosen the following topology:

I had in mind this scenario due to the fact that the traffic can take multiple paths in case of link being down and this give us the possibility to have a little bit of conversation on HSRP topic.
HSRP is defined in the document RFC2281 and according to the definition in this document: “The Hot Standby Router Protocol, HSRP, provides a mechanism which is designed to support non-disruptive failover of IP traffic in certain circumstances.” If you want to read more about the details how HSRP is working, please the RFC2281. I think there is not point in reproducing here what is already written there.
Regarding our topology, what you should know is that after configuring HSRP on R1 and R2 we will achieve a failover mechanism for the traffic from the Client (192.168.0.10) to the Server(10.10.10.10). From the beginning we will assume that R1 and R2 have the proper routing already configured to reach this destinations.

In the below presentation, you will see how the failover is achieved and what’s happening when you have a proper HSRP configuration in case that the link SC – R1 is broken:

So, how to achieve this behavior? From the topology you notice that proper configuration of HSRP involves 3 IP addresses from the same subnet (in our case this is 192.168.0.0 /24). One of the IP is configured on R1 the second one on R2 and the third one is HSRP IP address, which will be announced to the Client as gateway.

Configuration is straight forward on R1:

configure terminal
interface fa0/0
ip address 192.168.0.1 255.255.255.0
standby 1 ip 192.168.0.254
standby 1 priority 110

and on R2:

configure terminal
interface fa0/0
ip address 192.168.0.2 255.255.255.0
standby 1 ip 192.168.0.254

First we configure an IP address on the interface. Then we configure HSRP by typing the command “standby” followed by HSRP group (in our case group 1) and then the IP address. HSRP default priority is 100, and the principle is the higher the better. To force the path R1-SC to be the preferred one, we increse the priority to 110, making R1 to be the “Active” one. The other router, in our case R2, will have the HSRP status “Standby“. Maybe you are wondering what happens if you don’t configure the priority and both routers are having the same value 100. In this case HSRP has a mechanism that help it to chose the active router by comparing the IP addresses and chosing the one with the higher value. In our case this would be R2 (192.168.0.2 > 192.168.0.1).
Another useful feature that I recommend to configure for HSRP is “preemption“. The HSRP preemption feature enables the router with highest priority to immediately become the Active router. The configuration is also very simple and inquire only one additional line to the above ones:

standby 1 preempt

Also recommended is to configure “authentication“ between the HSRP participants:

standby 1 authentication somepassword

where “somepassword” can be what ever you want.

Going back to the topology, another scenario can take place. What if the link R1 – SC remains active, and instead the R1 – SS goes down. Since the R1 – SC is UP, the router R1 has no intention to cease the HSRP Active status. If you are having some kind of dynamic routing between R1 and R2, then you are on the safe side as the traffic will flow like in the scenario below (I’m assuming R1 to be the Active one for both R1-SC and R1-SS):

Remember that if do not have some routing between R1 and R2, the packets will be dropped on R1 as they will not have any path to the Server IP address 10.10.10.10.

This situation can be avoid with another HSRP feature, that will force the R1 to change it’s status from Active to Standby by monitoring the interface from R1 to SS. This feature is called “interface tracking“. This HSRP feature you have to configure at least on the router which is usual in Active mode:

standby 1 track FastEthernet1/0 30

In this scenario I assume that interface Fa1/0 is the connection to SS switch. This tracking command is watching for the status on the interface Fa1/0. When it’s status changes to “down” the “priority” value (110 in this example) is decremented with 30 (or whatever you will configure in the command line). After decremental, the “priority”
will have a value of 80 which is lower than the default one (100), forcing R2 to become the Active router and changing the R1 status to Standby.

Checking the status of an HSRP participant is very easy, and you can see this in the output below:

R1#show standby brief
P indicates configured to preempt.
|
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   110 P Active   local           192.168.0.2 192.168.0.254

R2#show standby brief
P indicates configured to preempt.
|
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   100 P Standby 192.168.0.1     local   192.168.0.254

All the HSRP configuration from this article can be fine tuned or extended according to your needs. I have presented here only the basics about the HSRP configuration. If you want don’t be afraid to explore and to “play” with the commands. Of course I would recommend to do that in test environment first.