Easy & Pinpoint Cisco Routers and Switch Configurations! The Ultimate Resource: June 2010

Jun 21, 2010

Capture a Port on Cisco Switches using SPAN

SPANs on Cisco Switches

Believe me, Cisco’s SPAN may be something you were looking for. So lets see what it is.

The switched port analyzer (SPAN) is a mechanism on Cisco switches that allows you to take traffic on one port and copy it to another. It’s generally used to get traffic to a sniffer or IDS for analysis, but it’s a great tool to use to sample traffic from a host for troubleshooting.

Let’s use a real-world example. You suspect that somebody is downloading songs or some other restricted content from your office’s internet, and you just want to CONFIRM that he is really downloading that stuff before taking some appropriate actions. This is an example scenarion whare SPAN can help you. You can use a SPAN to copy his traffic to another switch interface (may be your own PC’s port in that Cisco switch) whare you have already installed a Sniffer software.

Let’s say you have a 2950, and that suspecious person is on port F0/1 of your switch. You have your own PC plugged into F0/24 ready to capture the traffic. Here’s what you do. In global config mode, write ;

Switch(config)#monitor session 1 source interface F0/1 both

Switch(config)#monitor session 1 destination interface F0/24

This will create a new monitor session (that is, a SPAN session) that copies traffic from port F0/1 in both directions (simply saying, downloads and uploads) to port F0/24. Now, when you run tcpdump on your Linux box or some nice sniffer (easily available on the web) on your PC, you see all the traffic coming in and going out of that person’s port.

That’s pretty easy, right? You can have multiple sources ports by just adding more source lines or using ranges of ports. You can also just copy received or transmitted traffic from a source. Check out the contextual help for a little more info.

To see what’s going on, you can do a show monitor or a show monitor session 1 (depending on the IOS version). You’ll see something like this.

switch#sh monitor

Session 1

---------

Type              : Local Session

Source Ports      :

Both          : Fa0/1

Destination Ports : Fa0/24

Encapsulation : Native

Ingress : Disabled

If you take a look at the destination port when the SPAN is running, you’ll see it’s in a state of up/down (monitoring). I think you can figure out that this means we’re monitoring some traffic to this port. Here’s what you’ll see if you look at the port.

switch#sh int f0/24

FastEthernet0/24 is up, line protocol is down (monitoring)

...

There are two big things to keep in mind when doing SPANs. The first is that monitoring a port can drive CPU utilization way up (depending on the platform and traffic volume), so you may run into problems if you have a bunch of SPANs going at the same time. Related to this is the fact that, if your switch has to decide between switching and copying traffic, it will stop copying until there’s enough CPU headroom to do that safely, and you’ll lose packets in the meantime. It’s a switch — not a copier.

The second thing to keep in mind involves those little voices in your head called ethics. What if you see a VOIP phone call from your boss to the HR department? How about if you find someone in upper management copying a spreadsheet of people to be fired tomorrow? How about if you find an engineer’s telnet password to a key system? These are things that you probably shouldn’t see, so be careful when looking at the packets. I would suggest you tell someone in your security when you’re going to do a packet capture to make sure someone knows you’re not up to no good.

Jun 18, 2010

Easy Pinpoint method to Protect your router from a dictionary DoS attack

You may not realize it, but a dictionary denial of service (DoS) attack on Telnet, SSH, or HTTP ports could hit your Cisco router. In fact, I bet most network administrators have at least one, if not more, of these ports open for router management.

Of course, having these ports open to a public network is much more dangerous than leaving them open on a private network. But either way, you need to do whatever you can to protect your routers from a dictionary DoS attack, which attackers could use to gain access to your router or simply create a service outage on your network.

Thanks to login enhancements in IOS 12.3(4)T and later, you can provide your routers with additional protection. These new login enhancements offer the following benefits:

Create delays between successive login attempts.
Disallow login if there are too many failed login attempts.
Create messages in the system log or send SNMP traps that alert/record additional information about the failed and disallowed logins.

How do you know if your router contains the appropriate code? The simplest way to find out is to go to Global Configuration Mode and enter login ? This command returns a list of choices, as shown below:

block-for Set quiet-mode active time period

delay Set delay between successive fail login

on-failure Set options for failed login attempt

on-success Set options for successful login attempt

quiet-mode Set quiet-mode options

If you don't have this code in your IOS, it will return an "Unrecognized command" error.

If you don't have the feature, use the Cisco IOS Feature Navigator to find the code for your router that has this feature. (Look for Cisco IOS Login Enhancements.) You can also use this tool to search for other features that you need. Keep in mind that a Cisco maintenance contract is necessary to download IOS code and access the Feature Navigator.

The only command required to configure the most basic form of these features is the login block-for command. Once you've enabled this command, there's a default login delay of one second. The system will deny all logins for a specified number of seconds if the maximum number of tries occurs within the time you indicate.

In global configuration mode, execute the following:

Here's an example:

This command configures the system to deny all logins to the router if there are five failed login attempts within 60 seconds. Then, if you enter show login, you'll receive the following output:

A default login delay of 1 second is applied.

No Quiet-Mode access list has been configured.

Router enabled to watch for login attacks.

If more than 5 login failures occur in 60 seconds or less,

logins will be disabled for 120 seconds.

Router presently in Normal-Mode.

Current Watch Window remaining time 54 seconds.

Present login failure count 0.

This shows you the setting you've configured, including the default login delay of one second, along with additional information. It also tells you that the router is in Normal Mode, which means that the router is currently allowing logins.

The router goes into Quiet Mode when it believes something has attacked it, and it begins denying all logins. You can also configure an ACL that will serve as an exclusion list of hosts/networks that the router will allow, regardless of whether it's in Quiet Mode.

Here are some options to configure some of these other commands:

login delay : Add the number of seconds of delay between failed logins. You can choose one to 10 seconds.
login on-failure and login on-success: This allows you to choose the type of logging/SNMP alerts when there are failed and successful logins.
login quiet-mode access-class : Add the ACL number, and this allows you to enter an exclusion list of hosts/networks allowed to log in to the router, regardless of whether the router is in Quiet or Normal Mode.

In general, I suggest enabling login block-for on all routers for security purposes. These new features will help better secure your routers.

And while you're at it--if you haven't already--consider enabling only SSH on your routers and only allowing access to that from the internal network. SSH encrypts all traffic between a PC and a router (including usernames and passwords).

For the complete command reference on these new features, check out the Cisco IOS Login Enhancements Documentation.