Anti spoof acl and cisco 7606

Similar Messages

• Cisco 1921 - Anti Spoofing?

  Hello there.
  I have a customer who has a service from "sharedband" which basically bonds two adsl lines. The DSL lines terminate to two netgear routers that talk to each other using the sharedband service. The two netgears present a single ip address to the LAN, which i have placed a router in the way to provide firewall services.
  I have configured s2s VPN, CBAC, ACLs and locked down the router pretty well. But havent configured any sort of anti spoofing.
  The support guy from sharedband say i need to "turn off" anti spoofing on the Cisco router. But i HAVENT configured it and am not aware its on by default. As you can imagine, when both netgears are switched on, packets get lost and the service goes really slow. When only one router is operational, it works like a dream albeit slow due to the line speed.
  Is their anything on by default, or can i configure anything to allow 2 mac addresses to be accepted for the same IP address. Its not like HSRP where it provides a virtual MAC address. IP CEF is switched ON, its running IOS version 15.0.
  The folks at shareband pointed my in the direction of a document they provide that states how to switch anti spoofing off, but thats on a draytek which we arnt using.
  Here is that link http://support.sharedband.com/index.php?act=article&code=view&id=3.
  Anyone know how to do this in IOS?

  Hi,
  I found this post Googling after problems with 1921 on Sharedband.  opened TAC case - no luck so far.
  However adding secondary IP in subnet of Sharedband physical IPs enables 1921 to "see" all the Sharedband routers and improves performance - same result as Sharedband "20 milliseconds of resequencing" workround
  ip address 192.168.3.254 255.255.255.0 secondary
  1921-BRSA-2CAMB#sh ip arp g0/1
  Protocol  Address          Age (min)  Hardware Addr   Type   Interface
  Internet  91.108.165.74           -   588d.0978.3f21  ARPA   GigabitEthernet0/1
  Internet  192.168.3.254           -   588d.0978.3f21  ARPA   GigabitEthernet0/1
  Internet  91.108.165.73           0   e894.f667.eff8  ARPA   GigabitEthernet0/1
  Internet  192.168.3.4             0   e894.f6bb.b990  ARPA   GigabitEthernet0/1
  Internet  192.168.3.1           137   e894.f667.eff8  ARPA   GigabitEthernet0/1
  Internet  192.168.3.2            94   e894.f6bb.bc76  ARPA   GigabitEthernet0/1
  Internet  192.168.3.3           113   e894.f6bb.b8f8  ARPA   GigabitEthernet0/1

• Cisco 7606 and out of band remote management

  Hi
  I have been trying to look for a document to confirm that Cisco 7606 support out of band remote management via Aux port. Can anyone please confirm whether 7606 support out of band remote management.
  Regards

  The 7606 with a sup will only have a console port and no aux port.
  Yes the console port supports OOB management using an external modem.
  Thanks, Mak

• Increasing anti-spoofing rules

  What options are available on the C370's for implementing anti-spoofing controls in order to protect our company from the increasing number of phishing emails using spoofed addresses?  
  We already have an inbound rule to check the mailfrom: field and reject all messages that contain our domains

  Hello Anne,
  I hope that this tech-note may help:
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html
  This is a technote to assist with tagging possibly spoofed emails.
  You can change the action to another action if you want it to be dropped or actions in some other manner.
  Regards,
  Matthew

• Anti Spoofing

  I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.
  I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.
  If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.

  Carlos,
  It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.
  https://supportforums.cisco.com/docs/DOC-11874
  Thank you,
  Blayne Dreier
  Cisco TAC IDS Team
  **Please check out our Podcast**
  TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

• CWLMS 3.1 : CiscoView of Cisco 7606-S Router

  Hi Friend,
  I am facing some issue with CiscoView of 7606-S router.
  Please find the attachment for more details.
  In figure, The RED Marked LAN port appears GREEN when viewed through CiscoWorks but physically on Cisco 7606-S router, no such port exists at all.
  Also besides this, we have 3 fiber ports and 2 RJ-45 port on Cisco router visible through CiscoView, but physically on Cisco router 2 Fiber and 2 RJ-45 port are present.
  first fiber port is up and connected whereas when seen through CiscoWorks, it shows 3rd fiber port as green.

  you can not display your 7600 in ciscoview, the most probably reason is that a device package is needed to do this. do the following:
  1. Download the device package from the link (Cat6000IOS.cv50.v29-1.zip, Cat6000IOS.cv50.v29-1.readme)
  http://www.cisco.com/cgi-bin/apps/vwplan/cvresult.cgi?product_class=Routers&product=Internet+Router+7600+IOS&application=All+Versions
  2. Go to Common Services > Software Center > Device Update, then select CiscoView > click on 'Check for updates' > select 'Enter Server Path' and enter the path where you downloaded the files > continue the instructions to
  install it.
  This will probably need to restart ciscoworks to apply the changes.

• How to create anti-spoof rules with exception

  Hello all,
  I'm a beginner with Ironport and I need to create rules for specific cases.
  I manage many mail domains and I want to create an anti-spoof rule with message filter. Easy to do with a dictionnary containing all my mail domains.
  But I have some mail addresses with external applications that need to be send with my mail domains.
  For example, I receive acknowledge mails sent with [email protected] address and example.com is an domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external [email protected] mail will be dropped.
  For example I tried this rule with no success :
  Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)){
  drop();
  I tried this rule too :
  Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from !="^[email protected]$") OR (mail-from !="^[email protected]$") OR (mail-from !="@ack.mydomain.com$")){
  drop();
  Have you got any tips or advice to answer my funny case ?

  Hello,
  We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
  Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
  insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
  The one drawback is that we need to maintain the Dictionary "dict_internaldomains". If we forget to add a new domain to this list it will never be detected as spam.
  A good new message filter functionality would be to be able to do a "mail-from-rat-match" which would allow you to use the RAT tables(s) as dictionary.
  We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D
  Good luck,
  Steven

• Macbook wireless and Cisco base station causes kernel panics

  So my company uses Macbooks and Cisco wireless base stations. For some reason, when they use bother ethernet, and the wireless, the Macbook will kernel panic for no apparent reason. So since we have a fast wired network, I have been advising those Macbook users to turn off wireless and use the wired network. Wouldn't you know, the kernel panics go away. Is anyone aware of an issue with the wireless chipset in the Macbooks and the wireless chipsets in the Ciscos not liking to play with one another? I know it's the wireless in the Macbooks as if I use any other wireless base station from Apple or Linksys, the issue is not there. I should also mention that when people use those Macbooks on the wireless every once in a while, they get an access control list error. We do not have ACLs for our wireless. Our PowerBooks and iBooks do not exhibit any of these issues on the same network, so we know it is an issue with Intel based Macs. Any ideas?

  I'm having a similar problem at college (they use Cisco equipment). On most of the campus everything is fine, but in the area near my classes (typically), wireless causes the mac to panic.
  I asked at IT, and came back more confused (apparently, they use the same model WAPs throughout the college, so they couldn't see why one particular WAP would cause this. They guessed it was to do with the huge amount of traffic that particular WAP gets, with it being in the Computing department and all).

• Cisco 7606 FIB Protocol Allocation mismatch after mls cef maximum-routes command

  Hi,
  we are trying to fine tune the mls cef maximum-routes without success for ipv4 on our Cisco 7606 router equiped like this:
  Mod Ports Card Type                              Model              Serial No.
    2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL09169CP0
    6    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL10370YH7
  Mod MAC addresses                       Hw    Fw           Sw           Status
    2  0013.c38b.ed9c to 0013.c38b.edb3   2.2   12.2(14r)S5  12.2(33)SRC1 Ok
    6  0017.9441.b750 to 0017.9441.b753   5.2   8.4(2)       12.2(33)SRC1 Ok
  Mod  Sub-Module                  Model              Serial       Hw     Status 
    2  Centralized Forwarding Card WS-F6700-CFC       SAL09159C8T  2.0    Ok
    6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL10360CJ0  1.8    Ok
    6  MSFC3 Daughterboard         WS-SUP720          SAL10360GNX  2.5    Ok
  the show version is like this:
  System image file is "bootdisk:c7600s72033-adventerprisek9-mz.122-33.SRC1.bin"
  We tryied to set the value of the ipv4 FIB TCAM to 720k with this command:
  mls cef maximum-routes ip 720
  and then to save the configuration we used the "write" command. This was the output after we wrote the configuration:
  FIB TCAM maximum routes :
  =======================
  Current :-
   IPv4 + MPLS         - 512k (default)
   IPv6 + IP Multicast - 256k (default)
  User configured :-
   IPv4                - 720k
   MPLS                - 16k (default)
   IPv6 + IP Multicast - 144k (default)
  Upon reboot :-
   IPv4                - 720k
   MPLS                - 16k (default)
   IPv6 + IP Multicast - 144k (default)
  so we reloaded the router to get the new value.
  when the router was up again it start to reload each 4 minutes. The FIB TCAM value was:
  show mls cef maximum-routes
  Reload scheduled for 13:50:09 DST Wed Aug 13 2014 (in 2 minutes and 51 seconds)
  Reload reason: FIB Protocol Allocation mismatchFIB TCAM maximum routes :
  =======================
  Current :-
   IPv4 + MPLS         - 512k (default)
   IPv6 + IP Multicast - 256k (default)
  User configured :-
   IPv4 + MPLS         - 512k (default)
   IPv6 + IP Multicast - 256k (default)
  Upon reboot :-
   IPv4 + MPLS         - 512k (default)
   IPv6 + IP Multicast - 256k (default)
  We know that our cisco is able to handle up to 1M of ipv4 routes inside the TCAM but we cannot set more than 512k ipv4 routes.
  Why the router doesn't accept the new value?
  Thanks
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/116132-problem-catalyst6500-00.html
  https://supportforums.cisco.com/discussion/12250356/recommended-value-7600-ipv4-fib-tcam

  Hi Paolo,
  #sho ver
  Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI13, RELEASE SOFTWARE (fc3)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2014 by Cisco Systems, Inc.
  Compiled Tue 11-Mar-14 04:53 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
   punk.gs2 uptime is 17 hours, 55 minutes
  Uptime for this control processor is 17 hours, 55 minutes
  Time since punk.gs2 switched to active is 17 hours, 54 minutes
  System returned to ROM by reload at 22:32:30 BST Mon Sep 1 2014 (SP by reload)
  System restarted at 22:35:24 BST Mon Sep 1 2014
  System image file is "disk0:s72033-adventerprisek9_wan-mz.122-33.SXI13.bin"
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco WS-C6504-E (R7000) processor (revision 2.0) with 983008K/65536K bytes of memory.
  Processor board ID FOX11270F1B
  SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
  Last reset from power-on
  11 Virtual Ethernet interfaces
  50 Gigabit Ethernet interfaces
  1917K bytes of non-volatile configuration memory.
  8192K bytes of packet buffer memory.
  65536K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x2102
  #remote command switch show version
  Cisco IOS Software, s72033_sp Software (s72033_sp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI13, RELEASE SOFTWARE (fc3)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2014 by Cisco Systems, Inc.
  Compiled Tue 11-Mar-14 05:09 by prod_rel_team
  ROM: System Bootstrap, Version 8.5(4)
   punk.gs2 uptime is 17 hours, 55 minutes
  Time since punk.gs2 switched to active is 17 hours, 55 minutes
  System returned to ROM by reload at 22:32:30 BST Mon Sep 1 2014
  System restarted at 22:34:17 BST Mon Sep 1 2014
  System image file is "disk0:s72033-adventerprisek9_wan-mz.122-33.SXI13.bin"
  Last reload reason: Reload Command
  cisco Catalyst 6000 (R7000) processor with 983008K/65536K bytes of memory.
  Processor board ID FOX11270F1B
  SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
  Last reset from s/w reset
  50 Gigabit Ethernet interfaces
  1917K bytes of non-volatile configuration memory.
  8192K bytes of packet buffer memory.
  500472K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
  65536K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x2102
  Hope that helps.

• Anti Virus 2008 and 2009

  I have been researching anti virus 2008 and 2009 malware. I have found little discussing how to prevent the malware. Mostly I find how to get rid of it. Any ideas on how to prevent the infection? Maybe using a network IPS.

  "IPS will not be suitable for Anti-Virus or Anti-Malware protection"
  right on.
  "The CSC-SSM can prevent virtually all known malicious code from entering and propagating across the network"
  Absolute, complete and utter BS. I know you're just regurgitating what Cisco says (shame on Cisco), but this is absolute fantasy. You simply CAN'T do this that effectively at a gateway, you don't have the required context. Even the best products in this space (which Cisco is far from being) aren't that effective.
  If you're starting from scratch, I would recommend looking at client solutions first. Once you have that in place, it might make some sense to look at gateway solutions. If you want "best of breed", take a look at Webwasher, Finjan and BlueCoat. Ironports might be worth checking out too, if it's anywhere near as good as their SMTP product. If those are just to expensive, then you might also take a look at the Cisco ASA-CSC solution.

• Extended ACL and FTP

  We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
  permit tcp any any established

  Maybe this link should help.
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
  Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
  So instead you use
  access-list 100 permit tcp any host 192.168.1.100 gt 1023
  You should use
  access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
  But, in my opinion, from the server's view, active FTP is more secure than passive.
  Hope this helps

• Anti-spoofing rule

  I am trying to create a antispoofing rule using message filter feature.
  It is like
  if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }
  But the rough part is to be able to whitelist certain hosts, e.g., our partners.
  For example:
  AND ( header("Received") != "whitelist1|whitelist2...." )
  Is there a better way to do this? My concern is that this will get very long and error prone over time.
  Thanks,
  Jack

  What if you add all your partner ip addresses/domains to a sendergroup called 'partner_whitelist'.
  Next, you can modify your existing filter to bypass spoofing checks from partner domains:
  if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
  { apply anti-spoofing rules here; }

• Cisco 7606-s oid

  image :c7600rsp72043-ipservicesk9-mz.122-33.SRE2.bin
  i want monitor cisco 7606 information .but i only found some mib from cisco site .
  i want to oid for cisco 7606-s so that i can monitor cpu memory and temperature.
  thanks!

  Hi Winm,
  http://tools.cisco.com/ITDIT/MIBS/MainServlet?IMAGE_NAME=c7600rsp72043-ipservicesk9-mz.122-33.SRE2.bin
  ...show you which OIDs are supported by your software version.
  Try the following:
  CPU under:
  OLD-CISCO-CPU-MID
  eg: 1.3.6.1.4.1.9.2.1.58
  Memory under :
  CISCO-MEMORY-POOL-MIB
  eg: 1.3.6.1.4.1.9.9.48
  Temperature:
  CISCO-ENVMON-MIB
  eg: 1.3.6.1.4.1.9.9.13.1.3.1.3
  cheers,
  Seb.

• Cisco 7606 stacked VLAN support

  Hi All,
  Does Cisco 7606 GigabitEthernet modules support stacked VLAN (two VLAN tags)?
  If yes, how do I configure it?
  Thanks in advance.
  Regards,
  Sarah

  Hi Sean,
  Yes, it is QinQ tunneling. I am using Cat6k-Sup720.
  Cisco7606(config-vlan)#?
  VLAN configuration commands:
  are Maximum number of All Route Explorer hops for this VLAN (or
  zero if none specified)
  backupcrf Backup CRF mode of the VLAN
  bridge Bridging characteristics of the VLAN
  exit Apply changes, bump revision number, and exit mode
  media Media type of the VLAN
  mtu VLAN Maximum Transmission Unit
  name Ascii name of the VLAN
  no Negate a command or set its defaults
  parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan Configure a private VLAN
  remote-span Configure as Remote SPAN VLAN
  ring Ring number of FDDI or Token Ring type VLANs
  said IEEE 802.10 SAID
  shutdown Shutdown VLAN switching
  state Operational state of the VLAN
  ste Maximum number of Spanning Tree Explorer hops for this VLAN (or
  zero if none specified)
  stp Spanning tree characteristics of the VLAN
  tb-vlan1 ID number of the first translational VLAN for this VLAN (or
  zero if none)
  tb-vlan2 ID number of the second translational VLAN for this VLAN (or
  zero if none)
  Regards,
  Sarah

• Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

  We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
  We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

  Hi,
  So you have N7k acting as L3 with servers connected to 4510?.
  Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
  This will help narrow down if issue is between server to 4510 or 4510 to N7k.
  Thanks,
  Nagendra