CE and IP Spoofing

Similar Messages

• Spoofing IP and this scenario with standard ACL

  I have got Router R1 with two Fast Ethernets (e0 and e1),,,,network 172.168.2.0 connected to e0, network 172.168.1.0 connected to e1.
  If I want to black all IP spoofing attacks, that originating on the 172.168.1.0 network using a spoofed address outside the 172.168.1.0 range from being sent into the 172.168.2.0 network.
  However, all other traffic must be permitted.
  The access that has been applied to e1 as input filter is :
  Access-list 1 permit 172.168.1.0 0.0.0.255
  How does the access-list 1 can distinguish between the real ip address (belong to network 172.168.1.0) from the spoofing one,,,,because as we know that the spoofing ip, impersonate the real ip address

  You are correct; the router cannot distinguish between a genuine packet sourced from 172.168.1.x and a spoofed one.
  However, spoofing like this limits the options of the spoofers to merely a DoS attack as the return path will not be reachable. They cannot make a connection to your destination network.
  You could take a look at the Cisco Security Products (IPS) if you need more extensive filtering of packets.
  Regards,
  Leo

• 50L2400U and HDMI Switch Problem

  I just purchased a 50L2400U LED TV and am having a problem, First there is only two HDMI ports and I have three HDMI devices, I have a HDMI switch the same one I used on my other HD TV when I hook up the switch nothing happens the LED lights up on the switch but cant switch between the Roku and the DVD player. Anyone have any idea what the problem could be ???

  Gefen makes a product called the DVI Detective that is made just for such situations. You insert it between the mini and the receiver and it spoofs the mini into thinking the TV is always attached, even when the receiver is switched to something else.
  Of course the downside is you are adding more hardware and it isn't cheap, but I don't know of any other workaround that will succeed, and this definitely will.
  http://www.gefen.com/kvm/product.jsp?prod_id=1378

• ISE - how-to prevent mac spoofing

  I've built an ISE lab (1.1.3.124) and have an authorization policy which permits access to profiled Cisco-Access-Points. For the purpose of the lab, these devices have full access.
  Profiling is working correctly. I have a 1231 AP which is correctly profiled and placed in an endpoint group, Cisco-Access-Point.
  From a Linux laptop, using macchanger, I can successfully spoof the mac of the AP and gain full access - for some reason ISE isn't profile checking the laptop and I'm not sure why. The laptop obtains an IP using DHCP. I have the following profile checks enabled: NetFlow, DHCP, RADIUS, DNS, SNMP.
  When I check Live Authentications, apart from the session IDs, there is no difference when comparing the authz between the AP and the spoofed laptop.
  I was hoping that ISE would recognise the spoofed attempt and let it fall through to the deny policy.
  I'm happy to attach any screenshots if required.
  Thanks.

  This may or may not be already known, so I'm going to describe how I would expect ISE to work.
  Authentications based on profiling The first time a device comes through ISE, it could get the wrong result you would expect the device to get. This is due to the fact that ISE has a bit of a challenge - to identify and authorize new users to its system before the probes can learn anything about these endpoints.
  For example, DHCP and HTTP are fairly useless until after the port becomes authorized since no client traffic can flow before an authentication occurs. ISE might apply the catch-all CWA result allowing it on the network, but then the DHCP class identifier could say 'Cisco AP'.
  ISE knows that any new profiled information could result in a different AuthZ policy, so it issues a CoA to inform the NAD to re-authenticate that particular session.
  The same authentication occurs now, but ISE now already knows the device appears to act like a Cisco AP and hands back the WAP result this time instead of CWA.
  Any future authentications that occur for this Cisco AP, we pass back the Cisco AP result since we know he was previously an AP. Our probes would still learn as much as they can about the 'new' authentication, but no data would change from our end since the probes learn redundant information for this legit Cisco AP.
  So, what you're describing is you're performing MAB and swapping out the profiled Cisco AP with another device that is spoofing the MAC address. MAB literally stands for 'MAC Address Bypass', so when ISE is presented with the MAC address it checks its internal host store and finds out he does in fact know 'AA-BB-CC-DD-EE-FF'. The spoofed device was previously known to be a Cisco AP, so ISE will hand out the Cisco AP result allowing it on the network infrastructure VLAN with a special DACL if you're getting fancy.
  Your point here is that the spoofed PC is allowed on the network, when in fact it isn't a Cisco AP. What should happen at this point is the probes start doing their magic. The only way a device becomes a 'Cisco-Access-Point' is if the CDP entry in the switch contains 'AIR' or the dhcp-class-identifier includes 'Cisco AP'. So what I would expect happen is if you have SNMP Query/Trap probes setup and working, as soon as the linux laptop plugs in with the spoofed MAC the switch would inform ISE that a link came up/up. ISE sends back an SNMP Query asking for more information, which the switch then provides. ISE would then realize that there's no CDP information there (unless your linux test box is utilizing CDP, then this is a mute point anyways) and update the session endpoint in its internal hosts either during or before the actual authentication occurs. If it's during, ISE would trigger a CoA, which would cause the endpoint to reauthenticate then fall into (probably) the Cisco-Devices group based of the OUI of the MAC.
  The other way to become a Cisco-Access-Point by default is through the dhcp class identifier. So lets say your linux box authenticates, ISE passes back the AP result, and you're allowed on the network. Once you issue a DHCP Discover from your box, ISE should recieve it and learn that the DHCP class identifier has changed from what it expected ('Cisco AP') to something different and issue a CoA. The linux box will reauthenticate, and get passed back the generic CWA profile.
  Ultimately the entire job relies on either the DHCP probe, SNMP Trap/Query Probes, and CoA...unless you've modified the profiling settings from the default. Since you mentioned deleting the MAC address from the internal hosts section forces ISE to send back CWA, i'm thinking that your switch config might be missing the CoA portion.
  1. What probes do you have enabled. This by default requires DHCP, DHCP Span, or SNMP Query/Trap.
  2. Can you see the successful CoA from the switch?
  3. If you wait ~5 minutes after the linux box with the spoofed address authenticates and check the internal host, what does ISE know about that device? If my CoA theory is right I would expect after even a couple minutes we would recognize that the device isn't a Cisco WAP.

• App Store and dock not letting go

  Hi all,
  Each time that I boot up, the app store appears in the dock even though I remove it each time by dragging and letting go and the "spoof". What do I do if I don't wanna see it in the dock each time?

  Hi ...
  Apps that run on the Mac OS X cannot run on an iOS based device for apps purchased from iTunes Store and vice versa. Two different operating systems. 

• WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

  Greeting's, I would like to start by apologizing as I would require hand-holding, given my lack of experience in Cisco (or any other switches). I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and WS-C2960X-24TS-L switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures
  I wanted step-by-step guidance of:
  1. Locking down ports by MAC address.
  2. DDoS protection.
  3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
  4. Shutting down any services on the switch.
  5. Shutting down password recovery.
  6. Enabling highest supported encryption for sensitive (passwords). While I'm posting this I've just read that level 7 encryption can be cracked.
  Any other recommended security steps to secure the switch.
  Thanking in advance,
  Parth

  Hello, Parth Maniar.
  1. look at the command "switchport port-security" inside interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).
  2. There is not much you can do for DDoS protection. Also it depend on IOS version (is your IOS lite or base). You can use a command from 1 point, also use a commands of "storm-control" (inside interface), "switchport block [type]" (inside interface), and if your IOS is not lite you can also use arp-spoofing protection and dhcp-spoofing protection.
  3. To turn off ssh and telnet:
  line vty 0 4
   transport input none
  exit
  line vty 5 15
   transport input none
  exit
  For turning off http access: no ip http server
  To limit access only from 1 IP address to HTTPS server:
  access-list 1 remark ------- ACL for HTTPS access ------------------------
  access-list 1 permit [permited IP]
  access-list 1 deny any log
  access-list 1 remark ------- END of ACL for HTTPS access -----------------
  ip http access-class 1
  And for configuration HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf
  4. Use the command "service ?" to see all possible services for your swith. And with "no" before the command you can turn off all service that is no need for you (for example "no service dhcp").
  5. You can't shut it down because you can recover password only by rebooting switch and pushing "mode" button after this. Here is procedure for recovery password: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
  After reading it you can undenstand why you can't turn it off.
  6. Yes, level 7 encryption can be cracked. So you can store your passwords as md5. You can use commands:
  enable secret [password]
  username [name] secret [password]
  After this cisco will encrypt your password by md5 hash and at configuration you'll see it as "username [name] secret 5 [md5 hash]"
  What else you can use for securety matters:
  - logging (command "login on-failure log every [numbers of fails]" must be!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
  Also you can use a configuration bellow to log all changes at configuration:
  archive
    log config
   exit
  exit
  - turn off lldp and cdp protocols to the end users sides (you can google it).
  - use SNMP for getting status of the switch and ports and analyse it for anomalies.
  - use a command inside interfaces: "spanning-tree guard root" (don't use this connamd at the ports where is connected your another switches) and "spanning-tree bpduguard enable" (use a second command if you are not planing to connect another switch to this port).
  - use a command " switchport nonegotiate" at the all ports.
  - also you can use this commands:
  no ip source-route
  ip arp proxy disable
  no ip icmp redirect

• Ip Spoofing in Cisco Cache

  Is there any way to enable ip spoofing in CIsco Cache Engine.We are Using Cisco Cache Engine with 3640 router???

  This question does not specify which IP address should be spoofed. Perhaps an explanation of WCCP and caching
  will answer the question.
  With WCCP enabled, the traffic passing through the 3640 router will be redirected to the CacheEngine. The CacheEngine
  will then check to see if it has the objects being requested. If so it will "spoof" the web-servers address, and
  respond to the client. In this way the client thinks it is getting a response from the web-server.
  If the CacheEngine does not have the object requested in its cache, then it will retrieve this content from the web-server and
  then "spoof" the web-servers address and response to the client. The connection from the CacheEngine to the web-server
  will use the IP address of the CacheEngine and NOT the address of the original client making the request. The result
  of this is that the web-server will only see requests from one ip address for the entire organization using that CacheEngine.

• 1st Gen Time Capsule thrashing modem

  Hi,
  I've got a 1st Generation Time Capsule with version 7.6 software, which was a replacement for one of the faulty ones a year or so back.  This one work fine for about a week, then appears to start polling (thrashing?) the modem, where the modem seems to show constant activity and the Time Capsule gives no internet connection.  After resetting the Time Capsule I get the internet connection back.  Anyone got any ideas what might be causing this?
  I know the Time Capsule is the problem; I ran an AirPort Express for a month with no problems.  The issue came back when using the Time Capsule again.
  The ADSL modem is connected directly to the Time Capsule.  The Time Capsule generates a hidden network with WPA2 Personal security and MAC address matching.
  Thanks for any help,
  Sam

  7.6 firmware is causing issues as well on my gen 1 TC.. and I am going back to 7.5.2 as it is simply more stable.
  A lot of apple refubished TC were very poor.. they lasted less time than the original. Did not make people happy.
  Is your modem bridged and you are using pppoe client in the TC??
  Or the other way around. Router in the modem on and TC bridged.. do not use two routers.
  Hidden SSID (wireless name) is a useless exercise and actually breaks the wireless IEEE standard. It causes multiple issues.. but the real joke is, on a utiity like inssider it is not hidden at all. As soon as it transmits it is visible to everybody with nasty intents. MAC filtering also useless. WPA2 with a decent passkey.. that is all you need. Anyone who breaks that already has access and can spoof a MAC address in less time than you can type it in.
  As yet there is no method to break WPA2.. and the idea of an extra layer of security is meaningless.

• $20 to anyone who can help: (I think) how to send the right cookie info

  Yes, we're so befuddled and stumped that we are willing to pay $25 by Paypal or any other method (check, money order) to the first person who provides us with a concrete solution that allows us to read this page through a Java application:
  http://s1.amazon.com/exec/varzea/subst/your-account/your-open-marketplace-items.html/104-3907538-7794313
  The problem (we think) seems relatively simple: how can we pass the correct cookie to a server? We want to search our merchant web pages on amazon.com (and perform other operations, but for the purposes of this problem, just assume we want to read the above web page). We wrote a variation of a webcrawler which works fine on most web pages. However, the Amazon web pages we want to crawl (i.e., http://s1.amazon.com/exec/varzea/subst/your-account/your-open-marketplace-items.html/104-3907538-7794313) require you to sign in first (otherwise you get redirected to http://s1.amazon.com/exec/varzea/subst/your-account/your-won-zshop-items.html/104-0793551-2976761). So we thought that this meant we had to figure out how to get our webcrawler to login first (we implemented the Java Almanac example for accessing password-protected URLs: http://javaalmanac.com/egs/java.net/Auth.html?l=rel). During the course of testing this out (the code seemed to work, though we still got redirected), we realized that the Amazon web page is not actually performing basic authentication (not asking for username/password), but instead seems (that is, seems to inexperienced us) to be looking for a cookie. We believe this because after we sign in to Amazon, we can access all our merchant web pages just fine without ever needing to log in, even if we turn off the browser (or computer). Also, if we try to access the web page after deleting all cookies, we again get redirected to the page requesting that we sign in.
  So we took a look at the Amazon cookie that was created after we signed in to Amazon (printed below), and then implemented the cookie-passing code from the Java Almanac (http://javaalmanac.com/egs/java.net/SendCookie.html). This seemed to have no effect:we still got redirected. We hunted around for other Cookie examples and found achase1's example from a previous forum question (http://forum.java.sun.com/thread.jsp?forum=54&thread=375956), which seemed to add a few HTTPUrlConnection.set's, but this also had no effect--our Java crawler still gets redirected to the page that requests that we sign in first.
  So we think that either we are somehow passing the wrong cookie information, or are just missing some critical HttpURLConnection setting or parameter.
  So, if you can tell us how to read the Amazon page that seems to require a cookie, and your explanation actually works (that is, we can read the page), we will send you $25 immediately--like so many others on the forum, we're frustrated and lost and need an answer that works!
  Here is the Amazon account information (naturally, this is a working dummy account on Amazon, not our actual account, in case you want to test your solution before posting it):
  username: [email protected]
  password: melville
  Here is the cookie that is generated:
  session-id
  104-3907538-7794313
  amazon.com/
  1536
  3382951936
  29569409
  1475475408
  29568127
  session-id-time
  1055491200
  amazon.com/
  1536
  3382951936
  29569409
  1475575408
  29568127
  ubid-main
  430-1017936-7312154
  amazon.com/
  1536
  2916341376
  31961269
  1482485408
  29568127
  x-main
  Z3yciaQAfpzN?CPFkzeRd8z1U2lWcoap
  amazon.com/
  1536
  2916341376
  31961269
  2005235408
  29568127
  Here is the extra-simplified version of our webcrawler, which simply tries to read (and print out) the web page:
  import java.net.*;
  import java.io.*;
  public class PasswordReader {
  public static void main(String[] args) throws Exception {
  // Try to access the page
  try {
       HttpURLConnection m_urlConn;
       URL url = new URL(args[0]);
  // Cookie passing code
       m_urlConn=(HttpURLConnection)url.openConnection();
       m_urlConn.setDoOutput(true);
       m_urlConn.setDoInput(true);
       m_urlConn.setUseCaches(false);
       m_urlConn.setRequestMethod("POST");
       // optrional
       m_urlConn.setRequestProperty("User-Agent","Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818)");
       m_urlConn.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
       m_urlConn.setRequestProperty("Cookie" , "session-id=104-3907538-7794313;session-id-time=1055491200;ubid-main=430-1017936-7312154;x-main=Z3yciaQAfpzN?CPFkzeRd8z1U2lWcoap");
       m_urlConn.connect();
  // end cookie code
       BufferedReader in = new BufferedReader(
                      new InputStreamReader(
                      url.openStream()));
       String inputLine;
  // Read and print out the web page
       while ((inputLine = in.readLine()) != null)
       System.out.println(inputLine);
       in.close();
  } catch (MalformedURLException e) {
  } catch (IOException e) {
  Thank so much to anyone who even tries to help us!! We've been poring through the Sun forums, almanacs, and sample code all week without much evident progress. You'd really be making us very, very happy.
  Thank you,
  Ogi Ogas
  [email protected]

  "{[VERSION="0" ; NAME="session_id" ; VALUE="@@33f84622845133891a68ec0dffe9f620" ; DOMAIN="my.asu.edu" ; PATH="/" ; SECURE="false" ; EXPIRES="null"]}"
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~The Cookie!
  <HTML><HEAD><!--set cookie-->
  <SCRIPT language='JavaScript'><!--
  document.cookie = "session_id=@@33f84622845133891a68ec0dffe9f620; path=/;";
  // Begin JavaScript
  if(!document.cookie) {
  var agt=navigator.userAgent.toLowerCase();
  var is_major = parseInt(navigator.appVersion);
  var is_minor = parseFloat(navigator.appVersion);
  // Note: Opera and WebTV spoof Navigator.
  var is_nav = ((agt.indexOf('mozilla')!=-1) && (agt.indexOf('spoofer')==-1)
  && (agt.indexOf('compatible') == -1) && (agt.indexOf('opera')==-1)
  && (agt.indexOf('webtv')==-1));
  var is_nav2 = (is_nav && (is_major == 2));
  var is_nav3 = (is_nav && (is_major == 3));
  var is_nav4 = (is_nav && (is_major == 4));
  var is_nav4up = (is_nav && (is_major >= 4));
  var is_navonly = (is_nav && ((agt.indexOf(";nav") != -1) ||
  (agt.indexOf("; nav") != -1)) );
  var is_nav5 = (is_nav && (is_major == 5));
  var is_nav5up = (is_nav && (is_major >= 5));
  var is_ie = (agt.indexOf("msie") != -1);
  var is_ie3 = (is_ie && (is_major < 4));
  var is_ie4 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")==-1) );
  var is_ie4up = (is_ie && (is_major >= 4));
  var is_ie5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")!=-1) );
  var is_ie5up = (is_ie && !is_ie3 && !is_ie4);
  // KNOWN BUG: On AOL4, returns false if IE3 is embedded browser
  // or if this is the first browser window opened. Thus the
  // variables is_aol, is_aol3, and is_aol4 aren't 100% reliable.
  var is_aol = (agt.indexOf("aol") != -1);
  var is_aol3 = (is_aol && is_ie3);
  var is_aol4 = (is_aol && is_ie4);
  var is_opera = (agt.indexOf("opera") != -1);
  var is_webtv = (agt.indexOf("webtv") != -1);
  var intro_dir = "This installation of Blackboard 5 requires the acceptance of a cookie by your browser software. ";
  intro_dir += "The cookie is used to ensure that you <I>and only you</I> are able to access information in the courses, assessments, gradebooks and other features which are appropriate for you. <P>";
  intro_dir += "The system has been unable to place the cookie. This may be because cookies are disabled in your browser.<P> To enable cookies in your browser:<ol>";
  var nn4dir = "<LI>Select <I>Preferences</I> from your browser's Edit Menu. <LI>Select <I>Advanced</I> from the list in the left-hand pane of the dialog box. ";
  nn4dir += "<LI>Under the <I>Cookies</I> box, select either of the first two options ('Accept all cookies' or 'Accept only cookies that get sent back to ";
  nn4dir += "the originating server')<LI>Click 'Ok' to close the dialog box. ";
  var ie5dir = "<LI>Select <I>Internet Options</I> from your browser's Tools Menu <LI>Select the <I>Security</I> Tab, and click on the 'Custom Level' button. ";
  ie5dir += "<LI>Scroll down to the 'Cookies' Section, and select either of the last two options under 'Allow Per-Session Cookies (not stored)' - either 'Enable' or 'Prompt'. ";
  ie5dir += "<LI>Click 'Ok' to Close the Security Settings dialog box. ";
  ie5dir += "<P><B>NOTE</B> Depending on your institution's set-up of Blackboard 5, you may need to repeat steps 3 & 4 for more than one 'Security Zone'. ";
  ie5dir += "<BR>For example, if you are connecting from a computer inside the same firewall or network as the Blackboard 5 machine, you would select the 'Local Intranet Zone'. ";
  ie5dir += "<BR>If you are making a connection across the internet from another location, you would select the 'Internet Zone'. <BR>In some cases, you may need to do both.<P>";
  ie5dir += "<LI>Click 'Apply' and 'Ok' to close the Internet Options dialog box.";
  var ie4dir = "<LI>Select <I>Internet Options</I> from your browser's Tools Menu <LI>Select the <I>Advanced</I> Tab. ";
  ie4dir += "<LI>Scroll down to the 'Cookies' Section under 'Security', and select either the first or last option - either 'Prompt before Accepting Cookies' or 'Always Accept Cookies'. ";
  ie4dir += "<LI>Click 'Apply' and 'Ok' to close the Internet Options dialog box.";
  var browser_dir = "<LI>Please follow your browser's Help instructions for enabling Session (non-stored) cookies that are sent back to the originating server.";
  if (is_nav) { browser_dir = nn4dir; }
  if (is_ie5up) { browser_dir = ie5dir; }
  if (is_ie4) { browser_dir = ie4dir; }
  browser_dir += "<LI>Click 'Ok' on this page to return to Blackboard 5.";
  document.write("<table border='0' width='100%' cellpadding='0' cellspacing='0'><tr><td align='left' width='40'> </td>");
  document.write("<td align='left' width='100%'><b><font face='Arial, Helvetica, sans-serif' size='4'>Browser Cookies Disabled</font></b><hr size=5 noshade></td></tr></table>");
  document.write("<table border='0' cellpadding='5' cellspacing='0' width='100%'><tr><td width='20' valign='top'> </td><td width='100%' valign='top'>");
  document.write("<font face='Arial, Helvetica, sans-serif' size='2'><b>Browser Cookies Disabled</b></font><br>");
  document.write("<font size='2' face='Arial, Helvetica, sans-serif'>"+intro_dir);
  document.write(browser_dir);
  document.write("</font><br></td></tr><tr><td colspan='6' align='center'><form><input type=button value='Ok' onclick='javascript:history.go(-1)'></td></tr></table></form>");
  } else {
  var href = document.location.href;
  href = href + "?bbatt=Y";
  document.location.href = href;
  //END JavaScript
  //--></SCRIPT>
  </HEAD><BODY BGCOLOR='FFFFFF'>
  </BODY><HTML>

• How do you promote a static route over a directly connected?

  Hi all,
  I have a need for a static route to be used instead of a directly connected route. (Long story - involving firewalls and anti-spoofing.. but can go further if required)
  I am using a Cisco 3750 switch. I notice directly connected routes have a metric of 0, and the highest metric I can give a static route is 1.
  Therefore, how is it possible for me to make the switch use the static route and not the directly connected?
  Any help would be appreciated!
  Cheers,
  Ben

  Hi Rick,
  Thanks for your patience.
  Maybe I should start again.
  Initially we had 16 VLANs within the 10.0/16 address space. We have some Cisco 3750's connected by dark fibre accross a couple of kms and then lower access switches all hanging of these by some means. The network is flat.
  We have a checkpoint firewall hanging off one of the 3750s connected using a TRUNK port. The firewall has an IP address on all VLANs and is used to route traffic between VLANs based on its ruleset.
  So if I have a user in VLAN 10 who wants to talk to VLAN 20, they travel to the firewall, if a rule permits the access, the firewall routes the packet on to VLAN 2 and the switches deliver at Layer 2.
  The switches all have their default VLAN 1 disabled, and have an IP address on our management VLAN to allow us to manage the switches.
  Its quite important that this IP is on a secured management VLAN as we don't want just anyone being able to snoop switch logins etc..
  If we need to login to a switch, the firewall routes our traffic from whatever VLAN we are on to the Management VLAN.
  One of our VLANs (the Desktop VLAN) is quite large (approx 1300 hosts) and suffers a great deal from too much arp broadcast traffic.
  As we have a flat switched network across several kms, the cost of putting in routers to subnet this large VLAN is excessive.
  However, the 3750's we have are perfectly capable of routing between VLANs, so we decide to create a load of new VLANs instead of subnetting our large VLAN. We don't want to use the firewall to route between these new VLANs as thats just giving the firewall more to do, and previously all these hosts were on a single subnet, so we have no need for any strict security - at most we can use ACLs on the switches if we even need that!
  So far so good.
  With 1300 hosts, we obviously can't make sudden topology changes. Therefore we need to be able to route between the Desktop VLAN and the new VLANs.
  We therefore introduce the static routes between the firewall and the switches.
  So the firewall says:
  route 10.1.0.0/16 via Multilayer switch IP on 10.1.0.0/16
  The multilayer switch says:
  route 10.0.0.0/16 via Firewall IP on 10.1.0.0/16
  This allows routing perfectly between the Desktop VLAN and the new VLANs.
  However the moment we enable ip routing on the switches we break access between the desktop VLAN and the Management VLAN.
  A packet leaves the desktop VLAN through the default gateway on the firewall. This is then routed to the Management VLAN. The return packet doesn't use the Management VLAN default gateway (firewall), it follows the static route on the switch and ends up at the firewall on 10.1.0.0/16. This is subsequently dropped as the firewall knows the packet hasn't come from the 10.1.0.0/16 network, it originally came from the desktop VLAN on 10.0.0.0/16.
  It might seem we can define a route on the switch to say:
  route 10.0.50.0/24 (management VLAN) via 10.0.50.254 (firewall). However, this would result in all packets from 10.1.0.0/16 being dropped by the firewall.
  The other problem is that if we are on a new VLAN and want to talk to the management VLAN. The packet goes to its default gateway on the switch. The switch says - "I have an IP on the management VLAN, its directly connected" - therefore it ignores the static route, and passes the packet on its way. We have now bypassed the firewall, which is bad.
  Incidentally the return packets get routed through the firewall and dropped, as the original packet didn't come through the firewall, there is no entry in the state table for its return.
  I think if we turned off the management interface on the switch and managed it through the interface on 10.1.0.0/16, I assume everything would work. However, we don't want to do this for a whole load of other reasons I wont go into.
  Im sure there must be a fairly simple solution - I just don't have enough experience!
  Cheers,
  Ben

• 1000's of Returned Mail messages every day!

  Hi All,
  I am receiving thousands of Returned Mail and Undeliverable Mail messages every day in my Mail application.
  Here is the problem description:
  I used to have a MobileMe (.mac) account and a corresponding email address.  I did not renew my MobileMe account this year.  Now, whenever Mail receives any valid message to my existing RoadRunner email address, that same message is being automatically resent to the defunct .mac email address and since it is no longer a valid address, it is being returned to my inbox as Undeliverable or Returned.  The same message is being resent apparently many many times for each valid message I receive in my inbox.  The result is literally thousands of undeliverable email messages clogging my account.  Each time it is resent, it copies all the headers and the original message so by the time the same message is received over and over again the message sizes are well over 2 MB in size!  It is an endless repeating cycle.
  What I have done so far:
  Called RoadRunner - they said to delete and reinstall Mail
  Deleted Mail and reinstalled
  Deleted Mail preferences
  Turned off all iSync functions
  Searched for and deleted all references to the invalid .mac email address on my computer
  Turned off all notifications from iCal
  Upgraded OS from 10.5.x to 10.6.7
  None of this has stopped the torrents of messages…PLEASE HELP.
  Would not like to have to erase the hard drive and reinstall the OS from scratch if possible.
  Here is what a typical returned message header looks like (Email address blocked out by me):
  This message was created automatically by the mail system (ecelerity).
  A message that you sent could not be delivered to one or more of its
  recipients. This is a permanent error. The following address(es) failed:
  [email protected] (after RCPT TO): 550 5.1.1 unknown or illegal alias: [email protected]
  Reporting-MTA: dns; hrndva-oedge04.mail.rr.com
  Arrival-Date: Thu, 28 Apr 2011 13:25:39 +0000
  Remote-MTA: dns; nk11b01-smtp-mx006.mac.com
  Diagnostic-Code: smtp; 550 5.1.1 unknown or illegal alias: [email protected]
  Last-Attempt-Date: Thu, 28 Apr 2011 13:25:39 +0000
  Action: failed
  Final-Recipient: rfc822; [email protected]
  Status: 5.1.1
  ------ This is a copy of the original message, including all headers. ------
  Return-Path: <[email protected]>
  X-Authority-Analysis: v=1.1 cv=pN6kzQkhXdmdOr6Akjoh3kGBD/S3UyPMKQp53EJY+ro= c=1 sm=0 a=9Xqw66NJkoB9GertGQDpPQ==:17 a=n-kJSqksAAAA:8 a=nz4EaHi66Edgnas9-7sA:9 a=98jSFH7WqmUA:10 a=ayC55rCoAAAA:8 a=qyzg_sS0DHm6ZXvf9RAA:9 a=udDd3TAlAAAA:8 a=A-Ay9Xv3AAAA:8 a=13-m3CVyAAAA:8 a=Nq7WNfEEaPaVeQek9H8A:9 a=nCRpLGje-JdQZUhY4UwA:7 a=xKgkma0IJD8A:10 a=pdFTHh6Ffp0A:10 a=uqRLPZCTzCUA:10 a=60GRva4_FlB0_GV7:21 a=0a-loXuVl3_jPVwJ:21 a=9Xqw66NJkoB9GertGQDpPQ==:117
  X-Cloudmark-Score: 0
  X-Originating-IP: 50.90.215.242
  From: <[email protected]>
  Received: from [50.90.215.242] ([50.90.215.242:47870] helo=[10.0.1.4])
      by hrndva-oedge04.mail.rr.com (envelope-from <[email protected]>)
      (ecelerity 2.2.3.46 r()) with ESMTP
      id 73/88-28036-3CA69BD4; Thu, 28 Apr 2011 13:25:24 +0000
  Content-Type: multipart/report; report-type=delivery-status; boundary="lvFcVbMq4Bmrb7Nos44Q+yDizFUn+uvxvchPCg=="
  X-Mailer: Apple Mail (2.1084)
  Date: Thu, 28 Apr 2011 13:24:24 +0000
  Subject: Mail Delivery Failure
  Resent-Date: Thu, 28 Apr 2011 09:25:23 -0400
  Resent-From: Joe Blow <[email protected]>
  To: [email protected]
  Resent-To: [email protected]
  Message-Id: <[email protected]>
  --lvFcVbMq4Bmrb7Nos44Q+yDizFUn+uvxvchPCg==
  Content-Type: text/plain
  This message was created automatically by the mail system (ecelerity).
  A message that you sent could not be delivered to one or more of its
  recipients. This is a permanent error. The following address(es) failed:
  [email protected] (after RCPT TO): 550 5.1.1 unknown or illegal alias: [email protected]
  THANK YOU FOR READING AND HELPING IF YOU CAN.
  Bern

  Are the returned messages showing all different recipients? If so, it's possible someone has hacked into your MobileMe account and is using it to send out spam.
  A brute force spamming will result in thousands of failed return messages. That happens when a spammer sends out mail to a know mail server, such as Hot Mail. They'll send the same message to [email protected], [email protected], etc. Do this for thousands of addresses and many will be returned by the receiving server as undeliverable because there is no user on their system by [email protected], and any other address with no match.
  Or, your address is simply being spoofed by a prolific spammer. They picked up your email address as a valid address and are spoofing it in the From field. Doesn't matter that the thousands of emails that went out from them with your name as the sender didn't come from you, the receiving server just assumes it did and you get the bounce messages.
  For the first, go in and change your password and see if that stops the flow. For the latter, there's really nothing you can do. Spammers will only use someone's address for a short while. Otherwise, the "from" address gets blacklisted automatically by mail servers, which would cut off the spammer's ability to send out more crap in your name. Then it's someone else who has to put up with it for a few days.

• Optimal settings for Roku?

  Just got a Roku box for the holidays.  I have the FiOS Actiontec 1424 (that model number might not be exact; I'm not in front of my router at the moment, but it's the common one listed in these forums). Anyway, looking for what everyone else sets up for settings, including (but not limited to):
  channel configuration (automatic; 1; 11; something else)
  encryption method (WEP [weak, but the default]; WPA, WPA2 [strongest, but does it slow anything down?])
  firewall (min,medium [default], max)
  Also, do you all let everything in that can see the SSID and know the network password?  Or do any of you explicitly use MAC address filtering?  
  Do you put any device in the DMZ to give it free and clear access to the Internet?
  Any other tips/tricks for getting the most out of your FiOS signal from your wireless router and your streaming device?

  abelniak wrote:
  Just got a Roku box for the holidays.  I have the FiOS Actiontec 1424 (that model number might not be exact; I'm not in front of my router at the moment, but it's the common one listed in these forums). Anyway, looking for what everyone else sets up for settings, including (but not limited to):
  channel configuration (automatic; 1; 11; something else)
  encryption method (WEP [weak, but the default]; WPA, WPA2 [strongest, but does it slow anything down?])
  firewall (min,medium [default], max)
  Also, do you all let everything in that can see the SSID and know the network password?  Or do any of you explicitly use MAC address filtering?  
  Do you put any device in the DMZ to give it free and clear access to the Internet?
  Any other tips/tricks for getting the most out of your FiOS signal from your wireless router and your streaming device?
  Hey there. 
  Wired is always better than wireless, so if you can - think about wiring the roku to the router with an ethernet cable.  If it's too far, then think about getting a MOCA bridge.  the HME2200 and EB2200 are good models, plug and play and will give you pretty much flawless playback. 
  If you go wireless, then you'll want to experiment with the channels.  Leave it on auto at first and if it plays fine, then don't worry about it.  Keep it in mind, though, that if any problems come up with streaming - then you'll want to revisit this topic. 
  Generally speaking channels, 1, 6 and 11 are meant for North america, the other channels for wireless are non standard, and not recommended.      This portion here is not a fixed answer.  Some people have real good luck with channel 11, and some people can't get a good signal on channel 11 if their lives depended on it.  So you'll have to try 1, 6 and 11 individually to see which gives you the best performance.    
  If you're wireless - then check out page 2 of actiontec's wireless guide, there are some general things to know about the router and it's physical set up to get the best wireless signal you can get.
  With regards to Security -  Double check with the roku forums to see if there are any preferred methods.  WPA2 is the preferred, and you should not notice a difference in speed or performance when using it.
   Firewall is a personal choice, I always leave it on medium, and I recommend only advanced users set it to anything higher.    you have to have a certain level of knowledge about your own in home network to use a higher firewall setting without running the risk of locking up a program or resource for access to the net. 
  Mac Filtering has been proven to be not very effective a security measure, so I wouldn't worry about using it all.  It's rather easy find out and to spoof a mac address for a determined user.  
  I very rarely put anything in the dmz.    I only use the DMZ for testing, if I need access to anything, then I'll use port forwarding.   
  For tips - I would recommend those moca bridges over wireless, and if you have to go wireless, then take a look at some of the basics on that actiontec wireless guide.  a lot of people have their routers positioned in the house in a way that doesn't satisfy their wireless needs.
  merry christmas, happy new year and enjoy the new toy!

• Arp broadcasts & dhcpv6 sollicits & neighbour advertisements visible

  We have a setup with 5500 controller with a couple of SSID (2 WPA2 , 1 Open).
  The 'Controller - General - Broadcast Forwarding' option is set on disabled.
  DHCP proxy is enabled.
  Multicast is also disabled.
  P2P Blocking action is Drop.
  Issue1: Arp broadcasts
  When sniffing on the encrypted SSIDs we see ARP requests for the default gateway (received by DHCP) of the clients.
  The ARP requests are coming from clients located on different accesspoints.
  When we do this on the open SSID not a single ARP request is visible. Which is as far as I understand the way it should work because proxy arp is enabled by default.
  'The WLC acts as an ARP proxy for WLAN clients by maintaining the MAC address-IP address associations. This allows the WLC to block duplicate IP address and ARP spoofing attacks. The WLC does not allow direct ARP communication between WLAN clients. This also prevents ARP spoofing attacks directed at WLAN client devices.' from http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch4_2_SPMb.html#wp1307340
  Is this a bug or just something about WPA2 that I don't understand ?
  Issue2: Dhcpv6 sollicits & Neighbour Advertisements
  The same issue as the Arp broadcasts is also popping up with Dhcpv6 sollicits & Neighbour Advertisements, although this is the same for the WPA2 as for the Open SSID.
  We're seeing DHCPv6 sollicits (to ff02::1:2) from clients on different AP's when sniffing.
  We're seeing Neighbour Advertisements (icmpv6 to ff02::1) from clients on different AP's when sniffing.
  Why is this forwarded ? Shouldn't this be blocked by the controller ? Also a bug ?
  Thanks,
  Wim

  I'm not a fan of "me too" posts but I'll chime in with "me too" here anyway. Thanks for this thread: for the longest time I thought I was the only one seeing this issue! Before I found this I did a lot of searching and packet capture analysis and in an effort to help anyone else dealing with it, my findings are below.
  CSCub65575 seems to still be present in 7.2.111.3 based on packet captures I did yesterday. On another WiSM2 running 7.4.100.0 I noticed that gratuitous ARP traffic is still forwarded downstream to wireless clients. That is listed as a fixed version on CSCub65575 and I'm not sure if this is intentional or not but I figured it was worth mentioning.

• OpenVZ based Arch Linux VPS's off-line at several hosting providers

  Hello all,
  I have a number of Arch Linux OpenVZ based VPS's with a good number of hosting providers. For the last year+ I have done a regular weekly update (pacman -Syu cron job) on all my VPS's. The last update round rendered all my VPS's unbootable on every host. It looks like the package update "linux-api-headers 2.6.36.2-1" does not play well with the kernels that have OpenVZ support baked in. Currently I have VPS's offline with Virpus and ZoomVPS/BoostHosting amongst others. Virpus and Zoom have booth been rather unresponsive for a number of days now. I have to think other Arch VPS users are feeling this because at lest one VM was nearly a brand new vanilla install and was impact just like the others. Are there any other Arch users out there effect by this? Have any hosting providers found a fix? Any info would be great.

  My hosts would not upgrade and or spoof their kernel on my node so to solve my situation I restored an older backup and followed these directions (http://irony.at/archlinux-openvz-glib) ignoring upgrades to glibe (IgnorePkg), installing a custom build of glib and then applying regular updates. My systems back online and I have learned my lesson about pacman -Syu cron jobs. Sure does make you think that Xen-HVM hosting might be worth the minimal additional cost.

• Working methods with Mail

  My preferred working methods with email is to use everal secondary email addresses courtesy of my ISP. My old ISP and Thunderbird worked fine and did exactly what i wanted of them namely: multiple email addresses that can be accessed in a single application and those multiple email addresses to contain Sent, Inbox and Trash folders relevant to that email address (eg: 5 email addresses = 5 sets of folders).
  Background
  The above working method is worth my offort as it keeps the primary email address tucked away and scarcely used. Should a secondary email address become compromised all it is is a matter of ditching that email address and setting up a replacement for it. The above working method seems to solve spam or compromised address easily and in a timely manner.
  For why?
  Well I guess we've all received those group emails from someone with a less than acute sense of security. In other words there is a good chance your email address may be compromised because of the skills or lack of them in someone sending a message to you and 20 or 30 other senders. (I think the maximum number of email addresses I found in a body of a message covered some 100 - 150 people at various organisations).
  So, I'd like to make an enhancement request for Mail to support multiple email addresses (note: not aliases) which act independently of each other.
  Is it doable in Mail?

  An example to elaborate
  primary email address with ISP follows convention: [email protected] (never declare this and avoid using it)
  secondary email address #1 for use with online banks and financial institutions:
  [email protected]
  secondary email address #2 for use with online purchases:
  [email protected]
  secondary email address #3 for use with people with unknown skills levels and/or doubtful security practices:
  [email protected]
  Now imagine that for some reason or other email address #3 has been compromised and starts to receive floods of viagra, ***** enlargement, sex online, spam, online bank spams and/or spoofs.
  One could try to invoke all manner of filters (dodgy, well-dodgy) or simply manage the ISP accounts to ditch [email protected] and set up a replacement account of [email protected]
  The second method seems (according to my own experience) work a treat.