Category: Router Config

Juniper Control Plane Protection

I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.

A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.

Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.

More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.

CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).

CoPP Best Practices

The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.

| Continue Reading.. |

Control Plane Protection in Cisco IOS

CoPP – Control Plane Protection or better Control Plain Policing. It is the only option to make some sort of flood protection or QoS for traffic going to control plane.

In the router normal operation the most important traffic is control plain traffic. Control plane traffic is traffic originated on router itself by protocol services running on it, destined to other router device on the network. In order to run properly, routers need to speak with each other. They speak with each other by rules defined in protocols and protocols are running in shape of router services.

Examples for this kind of protocols are routing protocols like BGP, EIGRP, OSPF or some other non-routing protocols like CDP etc..

CoPP

Control Plane Policing is QoS applied on ingress sub-interfacess towards Route Processor

When router is making BGP neighbour adjacency with the neighbouring router, it means that both routers are running BGP protocol service on them. BGP service is generating control plane traffic, sending that traffic to BGP neighbour and receiving control plane traffic back from the neighbour.

Usage of Control Plane Protection is important on routers receiving heavy traffic of which to many packets are forwarded to Control Plane. In that case, we can filter traffic based on predefined priority classes that we are free to define based on our specific traffic pattern.

| Continue Reading.. |

Mitigate DoS Attack using TCP Intercept on Cisco Router

This is really cool feature on Cisco router not usually mentioned until you dig a little deeper inside Cisco IOS. But first a bit of theory…

What is TCP SYN flood attack

TCP 3-way handshake

SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets usually with fake source IP.

This attack uses TCP 3-way handshake to reserve all server available resources with fake SYN requests not allowing legitimate users to establish connection to the server. SYN packet is the first step in TCP 3-way handshake. This is the step where client sends connection synchronization request to the server. Server receives TCP SYN from client, the server replies back with SYN ACK. SYN ACK acknowledges synchronization request.

In that moment server is waiting the client to complete the handshake by sending an ACK back to server to acknowledge the SYN ACK. With this third step, TCP session is successfully established and communication between server and client begins.

If the ACK is not received from the client side, server will wait for it for some time and then the session will timeout and get dropped. When the server deletes the session, his resources will be released.

TCP SYN flood attack

TCP SYN flood attack sends first packet of 3-way handshake SYN packet to server many times to cause the server to allocate resources for sessions that will never become established. It means that client who is attacking will never respond to server SYN ACK and the session will remain on the second step of 3-way.

| Continue Reading.. |

Saving Router Configuration to Server

VoIP protocols functionalityIf you want to store a backup copy of your router’s configuration on a TFTP server we have a simple solution for you. This article will explain all the commands needed to save backup configuration of a device to TFTP server. All this for Cisco and also for Juniper device.

CISCO

You need to make regular backups of your router configuration files and keep copies in a safe place. If you have a serious failure that damages a router’s hardware or software, the configuration will be destroyed. And anybody who has had to reconstruct a complex router configuration file from memory will tell you how difficult and stressful this task is. But if you have a backup of the last working configuration file, you can usually get a router working again within minutes of fixing any hardware problems.

| Continue Reading.. |

Use TFTP to configure a Router

If we want to send previously prepared configs commands to Router via TFTP we can do this in very simple way and in this article we will se how to do it on Cisco and Juniper device.

CISCO

When we use TFTP to download configuration commands to the router, he is not making an echo of each command which reduces overall time consumption, CPU consumption and increases speed.

In this example, we will configure this router by making it receive the file named RConfig from the server at 20.20.1.1 by using the Trivial File Transfer Protocol – TFTP. The router will use the whole file received via TFTP before entering all the commands into the running configuration. This is particularly good because some commands in the configuration process could prevent your access to the router by locking you out or disconnecting you from the network, but the rest of the commands might fix the issue. If you enter the same configurations manually using telnet or “configure t”, you would simply lock yourself out of the router and not be able to continue with your work. A usual example of this issue happens when you change an active access-list. When you enter the first line, the router puts an implicit deny at the end, which will break your connection. Entering commands by using TFTP avoids any of this kind of problem.

| Continue Reading.. |