Role base authorization simplifies the enforcement of security controls when used with IOS devices.
The first step involves the configuration of the IOS device.
parser view ccie
secret 5 $1$pcY4$eqZ1i/dKMOS8cPigSQZbm0
commands configure include all router
commands configure include all interface
commands configure include shutdown
commands configure include all no router
commands configure include all no interface
commands configure include no shutdown
commands configure include no
commands exec include all configure terminal
commands exec include all configure
commands exec exclude show ip route
commands exec include show ip interface
commands exec include show ip
commands exec include show privilege
commands exec include show parser view
commands exec include show parser
commands exec include show
commands exec include logout
!
Then we proceed to configure AAA:
aaa new-model
aaa authentication login default local
aaa authentication login iosvpn local
aaa authentication login RAD group radius
aaa authentication login TACA group tacacs+
aaa authentication login EZvpn local
aaa authorization exec RAD group radius
aaa authorization exec TACA group tacacs+
aaa authorization network iosvpn local
aaa authorization network ezVPN local
aaa session-id common
aaa authentication login TACA group tacacs+
aaa authorization exec TACA group tacacs+
ip tacacs source-interface FastEthernet0/0
tacacs-server host 172.30.3.53 tacacs-server key 7 1511080501
line vty 0 3
session-timeout 30
exec-timeout 30 0
authorization exec TACA
login authentication TACA
Finally we configure the ACS server:
Enable "Display window for each service..." under advanced TACACS+ interface configuration.
Next, for the desired user(s) or group(s) check "Shell (exec)" and under "Custom Attributes" type:
shell:cli-view-name=ccie
When you login as a user (or member of a group) with this feature enabled, you will be placed in the appropriate CLI view.
Wednesday, June 30, 2010
Tuesday, June 29, 2010
DMVPN - hub to spoke issue
DMVPN brings with it tremendous simplicity whilst providing a scalable and secure connectivity solutions. The configuration of the hub is compact and elegant, while the spokes feature mostly uniform and even more concise commands. An IGP such as OSPF of EIGRP, with the latter being more popular, can be easily configured to overlay a network on top of the NBMA mGRE fabric that DMVPN is built on.
While configuring and experimenting with various versions of DMVPN, I ran into a very interesting issue that is really the crux of this blog entry. Spoke-to-spoke connectivity was no problem but I was not able to ping the networks behind the hub, or ping spoke networks from the hub.
The issue was rooted in the control-plane policing policy applied at the hub. The ICMP rate was limited to 1 packet per second (pps). This apparently is not enough when tunnel interfaces come into the picture as is the case here with DMVPN. Increasing the ICMP threshold to 10 or more packets per second and specifying "burst" value fixed this issue.
While configuring and experimenting with various versions of DMVPN, I ran into a very interesting issue that is really the crux of this blog entry. Spoke-to-spoke connectivity was no problem but I was not able to ping the networks behind the hub, or ping spoke networks from the hub.
The issue was rooted in the control-plane policing policy applied at the hub. The ICMP rate was limited to 1 packet per second (pps). This apparently is not enough when tunnel interfaces come into the picture as is the case here with DMVPN. Increasing the ICMP threshold to 10 or more packets per second and specifying "burst" value fixed this issue.
Thursday, June 3, 2010
vPC configuration on Nexus 7000
vPC or Virtual Port Channels allow multiple links between particpating switches to partcipate in traffic forwarding but they are no longer confined to the same switch like in a traditional port channel.
Ensure you are in the correct VDC
Step 1.
feature vpc
Step 2.
vpc domain 1
Step 3.
Configure vPCpKL - peer keep-alive link.
Note: this is done while under "vpc domain"
peer-keepalive destination
Note that it highly recommended that the keep-alive link be configured using a separate VRF such as the mgmt 0 mechanism.
Step 4:
Create the vPCpL - peer-link
Note: this is done under the interfaces on each switch that are going to participate in the domain.
interface port-channel 20
vpc peer-link
Step 5:
Enable vPC on the unlink/downlink interfaces on particpating switches
vpc
Ensure you are in the correct VDC
Step 1.
feature vpc
Step 2.
vpc domain 1
Step 3.
Configure vPCpKL - peer keep-alive link.
Note: this is done while under "vpc domain
peer-keepalive destination
Note that it highly recommended that the keep-alive link be configured using a separate VRF such as the mgmt 0 mechanism.
Step 4:
Create the vPCpL - peer-link
Note: this is done under the interfaces on each switch that are going to participate in the domain.
interface port-channel 20
vpc peer-link
Step 5:
Enable vPC on the unlink/downlink interfaces on particpating switches
vpc
Tuesday, June 1, 2010
GET - Group Encrypted Transport
Secure Connectivity Simplifed.
Cisco's GDOI interpretation for IOS provides a simple and effective way to protect traffic between networks without the overhead of tedious, repetive manual configuration headaches.
The following example illustrates how a central key server can specify traffic to be encrypted.
Key server configuration:
crypto gdoi group myGDOI
identity number 99
server local
rekey algorithm aes 128
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GET-gdoi-key
rekey transport unicast
authorization address ipv4 GET_list
sa ipsec 1
profile gdoi-profile
match address ipv4 GET_traffic
replay counter window-size 64
address ipv4 10.4.1.2
crypto ipsec profile gdoi-profile
set security-association lifetime seconds 900
set transform-set ccie
Extended IP access list getvpn_traffic
10 permit ip 10.9.1.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip 192.168.200.0 0.0.0.255 10.9.1.0 0.0.0.255
Secure Connectivity Simplifed.
Cisco's GDOI interpretation for IOS provides a simple and effective way to protect traffic between networks without the overhead of tedious, repetive manual configuration headaches.
The following example illustrates how a central key server can specify traffic to be encrypted.
Key server configuration:
crypto gdoi group myGDOI
identity number 99
server local
rekey algorithm aes 128
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GET-gdoi-key
rekey transport unicast
authorization address ipv4 GET_list
sa ipsec 1
profile gdoi-profile
match address ipv4 GET_traffic
replay counter window-size 64
address ipv4 10.4.1.2
crypto ipsec profile gdoi-profile
set security-association lifetime seconds 900
set transform-set ccie
Extended IP access list getvpn_traffic
10 permit ip 10.9.1.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip 192.168.200.0 0.0.0.255 10.9.1.0 0.0.0.255
Subscribe to:
Posts (Atom)
