Secure the control plane with QoS

Tue, 03 Feb 2015 17:52:04 +0000 | http://packetpros.com/?p=384 | Packetpros | Copyright packetpros.com

I was playing around with different ways to secure a device that does not support Control Plane Protection yet. I thought QoS might be a good way, and it’s not too bad. What I want to accomplish is no management or services on the SVI/router interfaces. Management should go to a loopback only, and only from a trusted subnet. In this example, I only want 192.168.1.1 to be able to access 172.16.1.1. There should be no management/services allowed on the physical interfaces.

Here’s the config from the 172.16.1.1 router. We are allowing everything from 192.168.1.1 to 172.16.1.1 and blocking the rest.

object-group service UNUSED_PROTOCOLS
ahp
igmp
ipinip
nos
ospf
pcp
pim
!
class-map match-any FILTER
match access-group 100
!
policy-map DROP
 class FILTER
  DROP
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
!
!
router eigrp 1
network 10.0.0.0
redistribute connected
!
access-list 100 remark Allow loopback to loopback
access-list 100 deny ip host 192.168.1.1 host 172.16.1.1
access-list 100 remark Block Telnet
access-list 100 permit tcp any any eq 23
access-list 100 remark Block SSH
access-list 100 permit tcp any any eq 22
access-list 100 remark Block FTP
access-list 100 permit tcp any any eq 21
access-list 100 remark Block TFTP
access-list 100 permit udp any any eq 69
access-list 100 remark Block all other protocols not in use
access-list 100 permit object-group UNUSED_PROTOCOLS any any
!
control-plane
 service-policy input DROP

In reality it’s just as easy to create an ACL and apply it to each interface, but that is what I was trying to avoid. Since most good security policies want login attempts logged, you would again want a different technique for that. But this config is proving a point: you can secure the control plane with just QoS!
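To make the inverted ACL logic concrete, here is an added Python simulator of the policy above; it is not the post's own code or anything from Cisco, and the packet samples are constructed. It walks ACL 100 first-match, then applies the policy-map's drop to whatever class FILTER matches:

```python
# Added example: simulator of the control-plane policy in the post (not the
# author's code, not Cisco's). Because policy-map DROP drops class FILTER, a
# "deny" entry in ACL 100 exempts traffic from the class (it is allowed) and a
# "permit" entry puts traffic in the class (it is dropped). ACL evaluation is
# first-match with an implicit deny at the end.
from dataclasses import dataclass
from typing import Optional

# IP protocol names from object-group UNUSED_PROTOCOLS on the page.
UNUSED_PROTOCOLS = {"ahp", "igmp", "ipinip", "nos", "ospf", "pcp", "pim"}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "eigrp", "ospf", ...
    src: str
    dst: str
    dport: Optional[int] = None


# ACL 100 as (action, match-function) entries, in the order they appear on the page.
ACL_100 = [
    ("deny",   lambda p: p.src == "192.168.1.1" and p.dst == "172.16.1.1"),  # trusted host to loopback
    ("permit", lambda p: p.proto == "tcp" and p.dport == 23),                # Telnet
    ("permit", lambda p: p.proto == "tcp" and p.dport == 22),                # SSH
    ("permit", lambda p: p.proto == "tcp" and p.dport == 21),                # FTP
    ("permit", lambda p: p.proto == "udp" and p.dport == 69),                # TFTP
    ("permit", lambda p: p.proto in UNUSED_PROTOCOLS),                       # unused IP protocols
]


def acl_action(pkt: Packet) -> str:
    """First-match evaluation of ACL 100; implicit deny when nothing matches."""
    for action, match in ACL_100:
        if match(pkt):
            return action
    return "deny"


def control_plane_verdict(pkt: Packet) -> str:
    """class FILTER matches what ACL 100 permits; policy-map DROP drops that class."""
    return "drop" if acl_action(pkt) == "permit" else "allow"


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("tcp", "192.168.1.1", "172.16.1.1", 22),   # trusted host, SSH to loopback
        Packet("tcp", "10.0.0.2", "172.16.1.1", 22),      # untrusted host, SSH to loopback
        Packet("tcp", "192.168.1.1", "10.0.0.1", 22),     # trusted host, SSH to physical interface
        Packet("eigrp", "10.0.0.2", "224.0.0.10"),        # routing protocol in use
        Packet("ospf", "10.0.0.2", "224.0.0.5"),          # unused routing protocol
        Packet("tcp", "10.0.0.2", "10.0.0.1", 80),        # service not named in ACL 100
    ]
    for pkt in samples:
        print(f"{pkt.proto:5} {pkt.src:>12} -> {pkt.dst:<12} {pkt.dport or '':>4}  {control_plane_verdict(pkt)}")
```

Note that a flow not named in ACL 100 at all (the TCP/80 sample to the physical interface) falls through to the implicit deny and is therefore allowed by this policy, so any service not listed still reaches the control plane.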
