Let’s talk a bit about network management. Perhaps not the most exciting topic, but I’m going to show you how you can use CDP (Cisco Discovery Protocol) to help you build network maps, and what other information it reveals about your devices.
LLDP (Link Layer Discovery Protocol) is a layer two discovery protocol, similar to Cisco’s CDP. The big difference between the two is that LLDP is an open standard while CDP is a Cisco proprietary protocol.
Cisco devices support the IEEE 802.1AB version of LLDP. This allows non-Cisco devices to advertise information about themselves to our network devices, and our devices to advertise themselves to them.
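As an added example (not from the original post; interface names are assumptions for a lab switch), here is how to look at what CDP and LLDP reveal, and how to keep that information off ports that face untrusted hosts. A single neighbour advertisement gives away the platform, software version, management address, native VLAN and port name, which is exactly what someone on a user port wants for the first step of reconnaissance:

```cisco
! Added lab example: CDP/LLDP discovery and where to switch it off.
! Interface names are assumptions.
!
! (exec mode) What a neighbour learns from us. The "detail" output lists platform,
! software version, management IP address, native VLAN, duplex and port-id.
! show cdp neighbors detail
! show lldp neighbors detail
!
! (global configuration) Enable LLDP so non-Cisco devices (IP phones, servers,
! other vendors' switches) can be discovered. CDP is on by default on most IOS
! platforms, so it needs no global command.
lldp run
!
! Uplink to another switch: keep both protocols, this is where the map is built.
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE
 cdp enable
 lldp transmit
 lldp receive
!
! Access port for an untrusted host: stop advertising ourselves. We still receive
! LLDP so that a phone or workstation can be identified, but we do not transmit.
interface GigabitEthernet1/0/1
 description USER-PORT
 no cdp enable
 no lldp transmit
 lldp receive
!
! If nothing on the network needs discovery at all, disable both globally instead:
! no cdp run
! no lldp run
```

One caveat before copying the user-port part onto every access port: Cisco IP phones learn their voice VLAN through CDP (or LLDP-MED), so on phone ports you either keep CDP enabled or make sure the phones support LLDP-MED and keep `lldp transmit` on. Check the result with `show cdp interface` and `show lldp interface`, which list per-port state.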
In this blog we’ll cover the standard access-list. Here’s the topology:
In this blog, we’ll take a look at the extended access-list. This is the topology we’ll use:
Sometimes it might be useful to block certain traffic on specific days or during business hours. For example, maybe you want to block all Facebook traffic from Monday to Friday between 9:00 and 17:00.
We can achieve this with time ranges in our access-lists. When you attach a time range to a statement, that statement is only active during the period you specified; outside it, the statement is skipped as if it were not there. Keep in mind that this relies on the router’s own clock being correct. Let’s take a look at an example!
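Here is what that looks like in IOS, as an added example that is not part of the original post. The Facebook scenario is the post’s; the addresses and interface below are assumptions: 192.168.1.0/24 is the user LAN behind GigabitEthernet0/1 and 203.0.113.0/24 stands in for the destination you want to block. It also shows the extended access-list form, since matching on destination and port needs an extended list rather than a standard one:

```cisco
! Added lab example. Addresses are documentation ranges, not real Facebook prefixes.
! Real web-service ranges change constantly and belong in an object group or a
! URL filter, not in a hand-maintained ACL.
!
time-range BUSINESS-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended USERS-IN
 remark The two deny lines are only evaluated while BUSINESS-HOURS is active
 deny   tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443 time-range BUSINESS-HOURS
 deny   tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80 time-range BUSINESS-HOURS
 remark Outside the range they are skipped and traffic falls through to this permit.
 remark Matching on the LAN prefix (not "any") also stops spoofed sources leaving the LAN.
 permit ip 192.168.1.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 description USER-LAN
 ip access-group USERS-IN in
!
! Verify (exec mode). The time range and the ACL entries both show (active) or
! (inactive), so a wrong clock or timezone is visible immediately:
! show clock
! show time-range BUSINESS-HOURS
! show access-lists USERS-IN
```

Everything here depends on the router’s clock: set `clock timezone` correctly and synchronise with NTP, because a router whose clock is wrong evaluates the range against the wrong day and time and will either block or permit at the wrong moments. For a one-off window (a maintenance night, for instance) use `absolute start ... end ...` inside the time-range instead of `periodic`.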
As we discussed in the previous blog about the router security policy, routers are often used at the edge of our network where they are exposed to attacks. Because of this, you should have an access-list that blocks some of the most common attacks and only permits the traffic that is really required.
What your access-list will look like really depends on the role of your router. Do you use it for NAT/PAT with some users behind it for Internet access, or is it a transit router on the Internet? Do you use any VPNs or BGP? What kind of traffic flows through your router? These are all questions you need to answer before you create an infrastructure access-list.
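As an added example (not from the original post), here is an infrastructure access-list for one of the roles above: an Internet edge router with a single eBGP peer and customers behind it. Every prefix is an assumption drawn from the documentation ranges, so replace them with your own: 198.51.100.0/30 is the peering link (198.51.100.1 the ISP, 198.51.100.2 our side), 203.0.113.0/24 our infrastructure addresses (loopbacks and links) and 192.0.2.0/24 the customer space that transits the router.

```cisco
! Added example for an Internet edge router with one eBGP peer. All prefixes are
! assumptions (documentation ranges); adapt them to your own addressing.
!
ip access-list extended INFRA-ACL-IN
 remark --- Anti-spoofing: nothing on the Internet legitimately sources from these
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark --- ...nor from our own infrastructure, customer space or peering address
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip host 198.51.100.2 any
 remark --- Non-initial fragments carry no port numbers and would otherwise match the
 remark --- BGP permit below; drop them before anything aimed at our own addresses
 deny   ip any 198.51.100.0 0.0.0.3 fragments
 deny   ip any 203.0.113.0 0.0.0.255 fragments
 remark --- Control plane: only the known peer may talk BGP, and only to the peering address
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark --- ICMP the Internet must be able to send us (PMTUD, traceroute, ping replies)
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any host 198.51.100.2 unreachable
 permit icmp any host 198.51.100.2 echo-reply
 remark --- Everything else aimed at infrastructure addresses is dropped: no SSH, SNMP
 remark --- or NTP from the Internet, management comes from the inside
 deny   ip any 198.51.100.0 0.0.0.3
 deny   ip any 203.0.113.0 0.0.0.255
 remark --- Transit traffic to customers is forwarded; their own firewalls do the rest.
 remark --- The implicit deny drops anything not destined to space we actually own.
 permit ip any 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 description TO-ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group INFRA-ACL-IN in
```

Two things to check after applying it: `show access-lists INFRA-ACL-IN` should show hits on the two BGP lines and `show ip bgp summary` should still show the session established; if the ISP monitors you with ping, the `echo-reply` line is not enough and you need an explicit `permit icmp host 198.51.100.1 host 198.51.100.2 echo` above the final denies. Keep `log` off these entries in production, the logging path is process-switched and an attacker can use it to load the CPU.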
Normally, when your router receives a unicast IP packet, it only cares about one thing:
- What is the destination IP address of this IP packet so I can forward it?
If the IP packet has to be routed, the router looks up the destination IP address in the routing table, selects the outgoing interface and forwards the packet. It really doesn’t care about the source IP address, because the source plays no part in the forwarding decision, which also means a packet with a spoofed source address is forwarded just like any other.
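One way to make the router care about the source address, as an added example that is not from the original post, is Unicast Reverse Path Forwarding (uRPF). Interface roles are assumptions: GigabitEthernet0/1 faces a customer LAN with symmetric routing, GigabitEthernet0/0 faces the Internet where return paths may differ.

```cisco
! Added example: Unicast RPF makes the router look up the SOURCE address as well.
! Interface roles are assumptions.
!
! uRPF is a CEF feature; CEF is on by default on most platforms, but make sure.
ip cef
!
! Optional ACL that is evaluated only when the uRPF check fails: a permit lets the
! packet through as an exception, a deny drops it and, with "log", records the
! spoofed source address.
ip access-list extended URPF-FAIL
 deny ip any any log
!
! Strict mode: accept a packet only if the best route back to its source points out
! the interface it arrived on. A packet from the customer LAN carrying a source that
! does not belong there fails the check and is dropped.
interface GigabitEthernet0/1
 description CUSTOMER-LAN
 ip verify unicast source reachable-via rx URPF-FAIL
!
! Loose mode: accept if ANY route to the source exists. This still drops packets from
! unrouted or null-routed sources (bogons, blackholed prefixes) without breaking
! asymmetric paths. A default route does not satisfy the check unless you add the
! allow-default keyword.
interface GigabitEthernet0/0
 description TO-ISP
 ip verify unicast source reachable-via any
!
! Verification (exec mode): per-interface state and drop counters, and a global total
! show ip interface GigabitEthernet0/1 | include verif|drops
! show ip traffic | include RPF
```

Strict mode on an interface whose only route to some sources is the default route silently drops that traffic, so on such interfaces use either loose mode or `reachable-via rx allow-default`. Watch the drop counters for a few days before trusting the setup; legitimate asymmetric routing shows up there first.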
When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example of why you might want this for your switches:
TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate administrators of network devices like routers and switches against a central server. Instead of using the local database on a router or switch, we can use the credentials that are stored on the TACACS+ server. Whenever you try to log on to a network device, the credentials you supply are forwarded to the TACACS+ server. Besides authentication, TACACS+ also allows us to configure authorization and accounting. Authorization lets us define which commands a user is allowed to use on the router or switch, and accounting lets us log the commands the user types.
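The configuration for the description above, as an added example that is not from the original post. Server address, shared key, loopback and the local account are assumptions; the layout (remote server first, local database only as a fallback, console kept local) is the part that matters.

```cisco
! Added example: device administration through TACACS+ with local fallback.
! Server address, key, interface and usernames are assumptions.
aaa new-model
!
! Break-glass local account, used only when no TACACS+ server answers
username admin privilege 15 secret S0me-Long-Local-Secret
!
tacacs server TAC-1
 address ipv4 192.0.2.10
 key Sh4red-TACACS-Key
 timeout 5
!
aaa group server tacacs+ TAC-GROUP
 server name TAC-1
!
! Fixed source address so the server's client list and the ACLs stay stable
ip tacacs source-interface Loopback0
!
! Authentication: ask the server first, use the local database only if no server
! responds. A login the server rejects does NOT fall back to local.
aaa authentication login default group TAC-GROUP local
! Authorization: who gets a shell and at what privilege, then every command is checked
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 1 default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa authorization config-commands
! Accounting: every session and every typed command is reported to the server
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 1 default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! The console keeps local authentication so a dead server never locks you out of the
! physical device
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
! Test from exec mode before closing your existing session:
! test aaa group TAC-GROUP <user> <password> new-code
```

Two caveats a practitioner will want. First, TACACS+ only obfuscates the packet body with a keystream derived from the shared key (an MD5 construction, not modern encryption), so the server conversation belongs on a management network or VRF, never across untrusted links. Second, always apply this with a second session open and run the `test aaa` command before logging out, because a typo in the key or the group name means the next login goes to a server that never answers. 802.1X for end hosts, mentioned above, uses RADIUS rather than TACACS+ and is not shown here.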
Besides syslog there is another way to get information from a device to an external server. SNMP (Simple Network Management Protocol) can be used to collect statistics from network devices, including Cisco routers and switches, and to have the device send a notification (a trap) when something happens.
SNMP consists of 2 items:
SNMPv3 offers the same operations as SNMPv1 and SNMPv2c but has a completely different security model. SNMPv1 and SNMPv2c use a community string that is sent in clear text and acts as the only password: there is no real authentication, no integrity protection and no encryption, so anyone who captures a single packet has the community string and, with a read-write community, control of the device.
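As an added example (not from the original post), the weak community-string configuration next to its SNMPv3 replacement. 192.0.2.10 is an assumed NMS address and the passphrases are placeholders; the `priv` option needs a crypto-capable (k9) image.

```cisco
! Added example: SNMPv1/v2c community strings versus SNMPv3 authPriv.
! NMS address and passphrases are assumptions.
!
! --- Weak: what many devices still run. One cleartext string is both the password
! --- and the authorization, it is accepted from any source, and "private" allows writes.
snmp-server community public RO
snmp-server community private RW
!
! --- Corrected: SNMPv3 with authentication and privacy, limited to the NMS.
ip access-list standard SNMP-NMS
 permit host 192.0.2.10
!
! Limit what the group can see: the whole MIB tree here, but read-only
snmp-server view RO-VIEW iso included
! The group only admits authPriv users and is tied to the source ACL
snmp-server group MONITOR v3 priv read RO-VIEW access SNMP-NMS
! User with SHA for authentication and AES-128 for privacy
snmp-server user nms-poller MONITOR v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-1
! Traps leave as v3 authPriv under the same user, from a fixed source address
snmp-server host 192.0.2.10 version 3 priv nms-poller
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! Remove the v1/v2c communities once the NMS has been migrated; until you do, they
! remain valid next to the v3 user and the whole exercise is pointless
no snmp-server community public
no snmp-server community private
```

Note that `snmp-server user` lines do not appear in the running configuration (the keys are stored localized), so `show snmp user` and `show snmp group` are the commands to verify with, and the user has to be recreated if you ever rebuild the device from a saved config. Keep the ACL even with v3: it turns a leaked passphrase into a problem only for a host that can also spoof or reach the NMS address.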
Even if you have never heard of syslog before, you have probably seen it when working on a router or switch. Take a look at the following lines:
NTP (Network Time Protocol) is used to let network devices synchronize their clocks with a central source clock. For network devices like routers, switches or firewalls this is very important because we want to make sure that logging information and timestamps carry the accurate time and date. If you ever have network issues or get compromised, you want to know exactly what happened and when it happened.
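As an added example that is not from the original post, here is the combination of the two topics above: authenticated NTP so that the clock can be trusted, and logging configured so that every entry carries a usable timestamp and the security-relevant events are actually logged. 192.0.2.20 (syslog collector), 192.0.2.30 (NTP server), the loopback and the key value are assumptions.

```cisco
! Added example: trustworthy time plus useful logging. Addresses and key are assumptions.
!
! --- Time first: a timestamp is only evidence if the clock is right and nobody could
! --- have moved it. Authenticate the NTP source so a rogue server cannot skew the clock.
clock timezone UTC 0
ntp authentication-key 1 md5 Ntp-Key-Placeholder
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 192.0.2.30 key 1 prefer
! Once any ntp access-group is configured, sources that match none are refused, so
! this both allows our server and stops the device serving time or answering queries
! from anyone else.
ip access-list standard NTP-SOURCES
 permit host 192.0.2.30
ntp access-group peer NTP-SOURCES
!
! --- Logging: keep devices in UTC and stamp with milliseconds, timezone and year so
! --- events can be correlated across devices and with packet captures.
service timestamps log datetime msec localtime show-timezone year
service timestamps debug datetime msec localtime show-timezone year
service sequence-numbers
logging buffered 65536 informational
no logging console
logging origin-id hostname
logging source-interface Loopback0
logging trap informational
logging host 192.0.2.20
!
! --- Security-relevant events that are not logged by default
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
! Verify (exec mode): "show ntp status" must report synchronized before any timestamp
! is worth anything
! show ntp status
! show ntp associations detail
! show logging
```

Syslog as configured here runs over UDP 514 without authentication or encryption: messages can be lost, forged or read on the wire, so the collector should sit on the management network and the buffered log on the device stays as a cross-check. Prefer a stronger digest than MD5 for NTP authentication if your IOS release offers one; the rest of the configuration is unchanged.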
Network management protocols like SNMP allow us to monitor our network. We can check things like CPU load, memory usage, interface status and even the load on an interface. Other tools like NBAR allow us to see which protocols are in use.