Nov 6

URL Filtering using IOS

Posted by Radu

Today, while I was trying to keep my students awake during a CCNA1 presentation, I noticed that two of them were looking at 9Gag and they ignored me. Not that I was saying something so deep and meaningful, but it was a little bit frustrating for me. So, as soon as I finished my presentation, I opened a console to the local router (a Cisco 2821) and began to filter 9gag.

Obviously you cannot do that with ACLs when you want to filter a website running on multiple addresses like 9gag. Even if you use a hostname instead of an IP address, that hostname is resolved once using the DNS servers defined in your configuration and that’s it.

So I used a policy and five minutes later those two were the frustrated ones. This is how I did it:

!
class-map match-any URLFILTER
    match protocol http host *9gag.com
!
policy-map DROPURL
    class URLFILTER
      drop
!
!
interface FastEthernet 0/1
    desc Internal
    service-policy input DROPURL
!

And that was it. Next time, Facebook, prepare your URL, I wanna filter you.

Or, using CBAC (Context-Based Access Control):

!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .9gag.com
!
!
interface FastEthernet 0/1
   desc Internal
   ip inspect WEBFILTER in
!

Oh, and if you’re wondering how to do URL filtering with Linux, the answer is “it’s complicated”. You need either a proxy (squid, privoxy) or, if you are shameless, you can do it using DNS hijacking.

Jul 23

Anti-lockout best practice

Posted by Alex Juncu

ACLs are usually configured for firewall configurations, for traffic filtering. When configuring ACLs, careful planning should be done so that at the moment you apply an ACL, things get filtered exactly the way you want. In a lab environment tests can be made and if something doesn’t work right, you can start over. But on a live network router, filtering the wrong traffic could cause network outages.

If you are connected to the router via telnet or ssh (most likely on production routers) it is very easy to lock yourself out of the router by denying the telnet or ssh traffic on an interface between you and that router. This is mostly because of how IOS works. Any commands given in IOS are instantly committed to the live configuration. And, for example, if you make a configuration with an ACL and you forget about the implicit deny any (any) and you also forget to permit the telnet/ssh traffic, you might find yourself with the router not responding to any input after you apply the rules. It might take a while to figure out that you can’t access the router anymore and need to get physically to its location and either reload it or use the console port to remove the ACL from the running-config.

One way of avoiding this is to schedule an automated reload in 10-15 minutes, while you are configuring. From enable mode issue the command:

#reload in MINUTES

This will reload the router after the specified number of minutes. It will ensure that if you lock yourself out, the router will revert back to the working startup-config. If the configuration was applied successfully, you can cancel the scheduled reload with the command:

#reload cancel

http://www.youtube.com/watch?v=SMWi7CLoZ2Q
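
As a complement to the scheduled reload, here is an added example (not part of the original post) that checks offline whether a planned ACL would cut off your own management session, using the same first-match logic and implicit deny described above. It assumes a simplified subset of extended ACL entry syntax with numeric ports; the function names and the sample addresses are hypothetical.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    wildcard = tokens.pop(0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(wildcard)))

def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 mean "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def parse_acl(text):
    """Parse 'permit|deny ip|tcp|udp SRC DST [eq PORT]' entries (simplified subset)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()  # drop IOS '!' comments
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def first_match(rules, src_ip, dst_ip, dport):
    """Return (action, rule_index) for a TCP packet; index None is the implicit deny."""
    for i, (action, proto, src, dst, port) in enumerate(rules):
        if proto in ("ip", "tcp") and _addr_match(src, src_ip) \
           and _addr_match(dst, dst_ip) and (port is None or port == dport):
            return action, i
    return "deny", None  # nothing matched: the implicit deny at the end of every ACL

def would_lock_out(acl_text, admin_ip, router_ip, mgmt_port=22):
    """True if the admin's session (SSH by default, 23 for telnet) would be dropped."""
    return first_match(parse_acl(acl_text), admin_ip, router_ip, mgmt_port)[0] == "deny"

# Constructed sample ACLs (addresses are from the RFC 5737 documentation range).
RISKY = """
permit tcp any any eq 80
permit tcp any any eq 443
"""
SAFE = "permit tcp host 192.0.2.10 host 192.0.2.1 eq 22\n" + RISKY
```

Here would_lock_out(RISKY, "192.0.2.10", "192.0.2.1") is True because the SSH packet falls through to the implicit deny, while SAFE permits it on its first entry.
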
Nov 3

Run remote procedures & GNS3

Posted by Dragos Draghicescu

An interesting and pretty new capability of Cisco IOS is scripting through the TCL language. What is not that well documented is that you can configure a router in some situations and the interesting thing is that you can store the configuration procedure remotely, like on a tftp server for example. What I will present may be useful in lab environments, for simulation purposes. I used it to prepare a huge exercise for the CCNA 2 class.

First of all, I will suppose that you have configured a tftp server somewhere in your LAN. Second thing is you can configure a bridge between your Ethernet interface and a tap interface (a virtual interface, for use with the emulated router). In Linux, you can use bridge-utils and uml-utilities to do that. You can find a tutorial on how to do a bridge <here>.

Now let's get to work! :)

In GNS3 (run as root) you have to link the router with a cloud's tap interface. In the cloud configuration panel, add a tap interface into the NIO tap tab (let's say tap0). Next, configure the router interface IP address like it's part of your LAN. You can ping your gateway to verify that.

It’s all said and done. The script I wrote reads a number of Loopback interfaces to be configured from the user input. The output looks like this:

IOS output

The output is incomplete, but the script configured Loopback 0 to 4 with IP addresses.

I hope some will find what can be done with IOS TCL pretty interesting.

Good luck!

DD