Cisco Catalyst Switch MVR

Multicast VLAN Registration (MVR) is designed for applications using
wide-scale deployment of multicast traffic across an Ethernet ring-based
service provider network (for example, the broadcast of multiple
television channels over a service-provider network). MVR allows a
subscriber on a port to subscribe and unsubscribe to a multicast stream
on the network-wide multicast VLAN. It allows the single multicast VLAN
to be shared in the network while subscribers remain in separate VLANs.
MVR provides the ability to continuously send multicast streams in the
multicast VLAN, but to isolate the streams from the subscriber VLANs for
bandwidth and security reasons.

MVR assumes that subscriber ports subscribe and unsubscribe (join and
leave) these multicast streams by sending out IGMP join and leave
messages. These messages can originate from an IGMP version-2-compatible
host with an Ethernet connection. Although MVR operates on the
underlying mechanism of IGMP snooping, the two features operate
independently of each other. One can be enabled or disabled without
affecting the behavior of the other feature. However, if IGMP snooping
and MVR are both enabled, MVR reacts only to join and leave messages
from multicast groups configured under MVR. Join and leave messages from
all other multicast groups are managed by IGMP snooping.

The switch CPU identifies the MVR IP multicast streams and their
associated MAC addresses in the switch forwarding table, intercepts the
IGMP messages, and modifies the forwarding table to include or remove
the subscriber as a receiver of the multicast stream, even though the
receivers might be in a different VLAN from the source. This forwarding
behavior selectively allows traffic to cross between different VLANs.

The switch has these modes of MVR operation: dynamic and compatible.

When operating in MVR dynamic mode, the
switch performs standard IGMP snooping. IGMP information packets are
sent to the switch CPU, but multicast data packets are not sent to the
CPU. Dynamic mode allows the multicast router to run normally because
the switch sends the IGMP join messages to the router, and the router
forwards multicast streams for a particular group to an interface only
if it has received a join message from the interface for the group.
Receiver ports are treated as members of the multicast VLAN for MVR
multicast control and data traffic. IGMP reports for MVR groups are sent
out source ports in the multicast VLAN.

When in MVR compatible mode, MVR on the
Catalyst 3550 switch interoperates with MVR on Catalyst 3500 XL and
Catalyst 2900 XL switches. It works the same as dynamic mode for all
multicast data packets and IGMP query and leave packets. However,
received IGMP report packets for MVR groups are not sent out on the
multicast VLAN source ports. In contrast to dynamic mode, the switch
does not send join messages to the router. The router must be statically
configured for the interface to receive the multicast stream.
Therefore, in this mode, MVR does not support dynamic membership joins
on source ports.
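To make the two modes concrete, here is an added model (not Cisco code) of the forwarding behaviour described above: joins for MVR groups on receiver ports pull traffic from the multicast VLAN into subscriber VLANs, joins for other groups are left to plain IGMP snooping, and only dynamic mode relays the IGMP report out the source ports. Port names, subscriber VLAN 10 and the group 239.1.1.1 are constructed sample values; VLAN 22 and 228.1.23.4 mirror the configuration example that follows.

```python
class MvrSwitch:
    """Minimal model of MVR join/leave handling in dynamic vs compatible mode."""
    def __init__(self, mvr_vlan, groups, mode="dynamic"):
        assert mode in ("dynamic", "compatible")
        self.mvr_vlan, self.groups, self.mode = mvr_vlan, set(groups), mode
        self.source_ports = set()        # uplinks carrying the multicast VLAN
        self.receiver_ports = {}         # port -> subscriber VLAN
        self.members = {}                # group -> receiver ports forwarding it
        self.snooping = {}               # non-MVR groups, left to ordinary IGMP snooping
        self.sent_to_router = []         # IGMP reports relayed out source ports

    def add_port(self, port, kind, vlan=None):
        if kind == "source":
            self.source_ports.add(port)
        else:
            self.receiver_ports[port] = vlan

    def igmp_report(self, port, group):
        """Join: MVR reacts only to its own groups; others stay with IGMP snooping."""
        if group not in self.groups:
            self.snooping.setdefault(group, set()).add(port)
            return "snooping"
        if port not in self.receiver_ports:
            return "ignored"             # MVR accepts dynamic joins on receiver ports only
        self.members.setdefault(group, set()).add(port)
        if self.mode == "dynamic":       # compatible mode never relays reports upstream
            self.sent_to_router += [(sp, self.mvr_vlan, group) for sp in self.source_ports]
        return "mvr"

    def igmp_leave(self, port, group):
        self.members.get(group, set()).discard(port)

    def egress(self, group, ingress_vlan):
        """Receiver ports that get a stream for `group` arriving on `ingress_vlan`."""
        if group in self.groups and ingress_vlan == self.mvr_vlan:
            # cross-VLAN delivery: the stream stays in VLAN 22, receivers sit in other VLANs
            return set(self.members.get(group, set()))
        return set()

def demo(mode):
    sw = MvrSwitch(22, {"228.1.23.4"}, mode)
    sw.add_port("Fa0/1", "source")
    sw.add_port("Gi0/2", "receiver", vlan=10)
    sw.igmp_report("Gi0/2", "228.1.23.4")   # MVR group: forwarded from VLAN 22
    sw.igmp_report("Gi0/2", "239.1.1.1")    # constructed non-MVR group: snooping only
    return sw
```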


Cisco Catalyst 3550/3560/3750 Switch MVR Config Example:

This can be done in two ways: globally or per interface.

Global:

Switch(config)# mvr
Switch(config)# mvr group 228.1.23.4
Switch(config)# mvr querytime 10
Switch(config)# mvr vlan 22
Switch(config)# mvr mode dynamic
Switch(config)# end
Switch# show mvr
MVR Running: TRUE
MVR multicast vlan: 22
MVR Max Multicast Groups: 256
MVR Current multicast groups: 1
MVR Global query response time: 10 (tenths of sec)
MVR Mode: dynamic

Interface:
Switch(config)# mvr
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr vlan 22 group 228.1.23.4
Switch(config-if)# mvr immediate
Switch(config-if)# end
Switch# show mvr interface gigabitethernet0/2

Type: RECEIVER Status: ACTIVE Immediate Leave: ENABLED

Switch# show mvr interface

Port Type Status Immediate Leave
---- ---- ------- ---------------
Fa0/1 SOURCE ACTIVE/UP DISABLED
Fa0/2 SOURCE ACTIVE/UP DISABLED
Fa0/3 SOURCE ACTIVE/DOWN DISABLED
Fa0/5 SOURCE ACTIVE/DOWN DISABLED

This is an example of output from the show mvr interface privileged EXEC command for a specified interface:

Switch# show mvr interface fastethernet0/2
224.0.1.1 DYNAMIC ACTIVE
This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included:

Switch# show mvr interface gigabitethernet0/6 members
239.255.0.0 DYNAMIC ACTIVE
239.255.0.1 DYNAMIC ACTIVE
239.255.0.2 DYNAMIC ACTIVE
239.255.0.3 DYNAMIC ACTIVE
239.255.0.4 DYNAMIC ACTIVE
239.255.0.5 DYNAMIC ACTIVE
239.255.0.6 DYNAMIC ACTIVE
239.255.0.7 DYNAMIC ACTIVE
239.255.0.8 DYNAMIC ACTIVE
239.255.0.9 DYNAMIC ACTIVE

This is an example of output from the show mvr members privileged EXEC command:

Switch# show mvr members

MVR Group IP Status Members
------------ ------ -------
224.0.1.1 ACTIVE Fa0/1(s), Fa0/2(d)
224.0.1.2 ACTIVE Fa0/1(s)
224.0.1.3 ACTIVE Fa0/1(s)
224.0.1.4 ACTIVE Fa0/1(s)
224.0.1.5 ACTIVE Fa0/1(s)
<output truncated>



Juniper SRX Route-Based IPsec VPN

Configuring a route-based IPsec VPN
1. Create the st0 tunnel interface
SRX# edit interfaces
SRX# set st0 unit 0 family inet address 192.168.100.2
SRX# top set security zones security-zone untrust interface st0.0

2. Create the IKE proposal (IPsec Phase 1)
SRX# top edit security ike
SRX# set proposal phase1 authentication-method pre-shared-keys
SRX# set proposal phase1 dh-group group2
SRX# set proposal phase1 authentication-algorithm md5
SRX# set proposal phase1 encryption-algorithm 3des-cbc
SRX# set proposal phase1 lifetime-seconds 600

3. Create the IKE (Phase 1) policy
SRX# set policy phase1-policy mode main
SRX# set policy phase1-policy proposals phase1
SRX# set policy phase1-policy pre-shared-key ascii-text juniper

4. Create IKE gateway
SRX# set gateway phase1-gateway ike-policy phase1-policy
SRX# set gateway phase1-gateway address 172.18.1.2
SRX# set gateway phase1-gateway dead-peer-detection interval 20
SRX# set gateway phase1-gateway dead-peer-detection threshold 5
SRX# set gateway phase1-gateway external-interface ge-0/0/3.0

5. Create the IPsec proposal (Phase 2)
SRX# up
SRX# edit ipsec
SRX# set proposal phase2 protocol esp
SRX# set proposal phase2 authentication-algorithm hmac-md5-96
SRX# set proposal phase2 encryption-algorithm 3des-cbc
SRX# set proposal phase2 lifetime-seconds 3200

6. Create the IPsec (Phase 2) policy
SRX# set policy phase2-policy perfect-forward-secrecy keys group2
SRX# set policy phase2-policy proposals phase2

7. Add a VPN Tunnel
SRX# set vpn to-host1 bind-interface st0.0
SRX# set vpn to-host1 ike gateway phase1-gateway
SRX# set vpn to-host1 ike ipsec-policy phase2-policy
SRX# set vpn to-host1 establish-tunnels immediately

8. Add a static route through the tunnel
SRX# top edit routing-options
SRX# set static route 172.20.204.0/24 next-hop st0.0

9. Add the security policy
SRX# top edit security policies
SRX# edit from-zone untrust to-zone it
SRX# set policy ipsec match source-address vr204
SRX# set policy ipsec match destination-address any
SRX# set policy ipsec match application any
SRX# set policy ipsec then permit
SRX# commit

Check commands:
SRX# run show interfaces st0 terse
SRX# run show security ike security-associations
SRX# run show security ipsec security-associations
SRX# run show security ipsec security-associations index x
SRX# run clear security ipsec statistics
SRX# run show security ipsec statistics
SRX# run show security flow session
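A practitioner reviewing the nine steps above usually wants two things checked before committing: that every object references one that exists (policy to proposal, gateway to policy, VPN to gateway, IPsec policy and st0 interface, static route to st0), and which algorithms in the proposals fall below current guidance. The added checker below (not Juniper code) does both over the configuration from the steps above, written as flat `set` statements with the `edit`/`up` navigation already resolved.

```python
import re

CONFIG = """
set security ike proposal phase1 dh-group group2
set security ike proposal phase1 authentication-algorithm md5
set security ike proposal phase1 encryption-algorithm 3des-cbc
set security ike policy phase1-policy proposals phase1
set security ike gateway phase1-gateway ike-policy phase1-policy
set security ipsec proposal phase2 authentication-algorithm hmac-md5-96
set security ipsec proposal phase2 encryption-algorithm 3des-cbc
set security ipsec policy phase2-policy proposals phase2
set security ipsec vpn to-host1 bind-interface st0.0
set security ipsec vpn to-host1 ike gateway phase1-gateway
set security ipsec vpn to-host1 ike ipsec-policy phase2-policy
set routing-options static route 172.20.204.0/24 next-hop st0.0
""".strip().splitlines()

WEAK = {"md5", "hmac-md5-96", "3des-cbc", "group2"}   # values flagged as weak
# which attribute of each object kind must name an object of which other kind
REFS = {"ike policy": [("proposals", "ike proposal")],
        "ike gateway": [("ike-policy", "ike policy")],
        "ipsec policy": [("proposals", "ipsec proposal")],
        "ipsec vpn": [("ike gateway", "ike gateway"), ("ike ipsec-policy", "ipsec policy")]}

def parse(lines):
    """Return {(kind, name): {attribute: value}} and the set of static-route next-hops."""
    objs, routes = {}, set()
    for line in lines:
        m = re.match(r"set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+) (.+) (\S+)$", line)
        if m:
            objs.setdefault((f"{m[1]} {m[2]}", m[3]), {})[m[4]] = m[5]
        m = re.match(r"set routing-options static route \S+ next-hop (\S+)", line)
        if m:
            routes.add(m[1])
    return objs, routes

def check(lines):
    """List dangling references, weak algorithms and a VPN interface no route uses."""
    objs, routes = parse(lines)
    findings = []
    for (kind, name), attrs in objs.items():
        for attr, ref_kind in REFS.get(kind, []):
            if (ref_kind, attrs.get(attr)) not in objs:
                findings.append(f"{kind} {name}: {attr} '{attrs.get(attr)}' does not resolve")
        findings += [f"{kind} {name}: weak {a} {v}" for a, v in attrs.items() if v in WEAK]
        if kind == "ipsec vpn" and attrs.get("bind-interface") not in routes:
            findings.append(f"ipsec vpn {name}: no static route points at {attrs.get('bind-interface')}")
    return findings
```

Run against the configuration above it reports no dangling references but five weak settings (DH group 2, MD5 and 3DES in Phase 1, HMAC-MD5-96 and 3DES in Phase 2).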

Juniper SRX Network Address Translation

Interface-Based Source NAT
Only traffic from VLAN 105 and VLAN 205 to the host 172.31.15.1 (untrust) is translated, using the egress interface IP as the source address.

SRX# edit security nat source
SRX# set rule-set internet-bound from interface ge-0/0/4.105
SRX# set rule-set internet-bound from interface ge-0/0/4.205
SRX# set rule-set internet-bound to zone untrust

SRX# edit rule-set internet-bound
SRX#  set rule 1 match destination-address 172.31.15.1/32
SRX#  set rule 1 then source-nat interface
SRX#  commit

Pool-Based Destination NAT
Publish the internal web server to the outside through NAT, and at the same time restrict which subnet may reach it.

SRX# edit security nat destination
SRX# set pool webserver address 172.20.205.10/32
SRX# set rule-set from-internet from zone untrust

SRX# edit rule-set from-internet rule 1
SRX#  set match source-address 172.18.1.0/30
SRX#  set match destination-address 192.168.2.1
SRX#  set then destination-nat pool webserver

SRX#  top edit security policies from-zone untrust to-zone it
SRX#  set policy webserver match source-address host1-c
SRX#  set policy webserver match destination-address vr205
SRX#  set policy webserver match application junos-telnet
SRX#  set policy webserver match application junos-http
SRX#  set policy webserver then permit
SRX#  commit

Pool-Based Source NAT with Overflow Pool
SRX# edit security nat source
SRX# set pool vr105 port no-translation
SRX# set pool vr105 overflow-pool interface
SRX# set pool vr105 address 172.20.205.2 to 172.20.205.9
SRX# set pool vr205 port no-translation
SRX# set pool vr205 overflow-pool interface
SRX# set pool vr205 address 172.20.105.2 to 172.20.105.9

SRX# set rule-set vr105 from zone dc
SRX# set rule-set vr105 to zone it
SRX# set rule-set vr205 from zone it
SRX# set rule-set vr205 to zone dc

SRX# edit rule-set vr105
SRX# set rule vr105-to-vr205 match source-address 172.20.105.0/24
SRX# set rule vr105-to-vr205 then source-nat pool vr105
SRX# up
SRX# edit rule-set vr205
SRX# set rule vr205-to-vr105 match source-address 172.20.205.0/24
SRX# set rule vr205-to-vr105 then source-nat pool vr205

SRX# top edit security policies
SRX# edit from-zone dc to-zone it policy vr105-to-vr205
SRX# set match source-address vr105
SRX# set match application internal-apps
SRX# set then permit
SRX# up 2
SRX# edit from-zone it to-zone dc policy vr205-to-vr105
SRX# set match source-address vr205
SRX# set match application internal-apps
SRX# set then permit
SRX# commit

Proxy-ARP:
SRX# edit security nat proxy-arp
SRX# edit interface ge-0/0/4.105
SRX# set address 172.20.105.2 to 172.20.105.9
SRX# up
SRX# edit interface ge-0/0/4.205
SRX# set address 172.20.205.2 to 172.20.205.9
SRX# up
SRX# commit
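The point of `port no-translation` plus `overflow-pool interface` is easy to get wrong in capacity planning: each internal host consumes one pool address outright, and only once the eight addresses are gone does traffic fall back to the interface address with port translation. The added model below (not Juniper code) walks the vr105 rule-set above through nine hosts; the pool range and match prefix come from the configuration, while the interface address 172.20.205.1 and the client flows are constructed assumptions.

```python
import ipaddress
from itertools import count

class NoPatPool:
    """Source NAT pool with port no-translation and an interface overflow pool."""
    def __init__(self, first, last, interface_ip):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.bindings = {}                   # internal host -> dedicated pool address
        self.interface_ip = interface_ip     # assumed egress interface address
        self._pat_ports = count(1024)        # ports are rewritten only on the overflow interface

    def translate(self, src_ip, src_port):
        """Return (translated_ip, translated_port, origin) for a new session."""
        if src_ip not in self.bindings and self.free:
            self.bindings[src_ip] = self.free.pop(0)
        if src_ip in self.bindings:
            return self.bindings[src_ip], src_port, "pool"      # address changed, port kept
        return self.interface_ip, next(self._pat_ports), "overflow"   # pool exhausted: PAT

def apply_rule_set(pool, match_prefix, flows):
    """Apply the single 'match source-address <prefix>' rule to (src_ip, src_port) flows."""
    net = ipaddress.ip_network(match_prefix)
    out = []
    for src_ip, src_port in flows:
        if ipaddress.ip_address(src_ip) in net:
            out.append(pool.translate(src_ip, src_port))
        else:
            out.append((src_ip, src_port, "no-nat"))   # rule does not match: no translation
    return out

def demo():
    pool = NoPatPool("172.20.205.2", "172.20.205.9", "172.20.205.1")   # 8 pool addresses
    flows = [(f"172.20.105.{h}", 40000 + h) for h in range(10, 19)]    # 9 constructed hosts
    flows.append(("172.20.205.50", 5555))                              # outside the match prefix
    return apply_rule_set(pool, "172.20.105.0/24", flows)
```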

Check command:
SRX#  run show security flow session
SRX#  run show security nat destination pool all

Juniper SRX Screen Function

SRX# edit security screen
SRX# set ids-option internet-protect icmp large
SRX# set ids-option internet-protect icmp fragment
SRX# set ids-option internet-protect ip record-route-option
SRX# set ids-option internet-protect limit-session destination-ip-based 1
SRX# commit
The above blocks ping of death and limits the number of sessions.

SRX# edit security zones security-zone untrust
SRX# set screen internet-protect
SRX# commit
The above applies the internet-protect screen to the untrust zone.

What is a Smurf attack

The Smurf attack is named after Smurf, the program first used to launch it. The method combines IP spoofing with ICMP replies to flood the target system with network traffic, so that the target can no longer serve legitimate systems.

The attack proceeds as follows: Woodlly Attacker sends a spoofed ping packet (echo request) to the broadcast address of a network that has many hosts and an Internet connection. This network is called the bounce site, and the source address of the spoofed ping packet is that of the system Woolly wants to attack.

The attack relies on the router, upon receiving a packet addressed to the IP broadcast address (for example 206.121.73.255), treating it as a broadcast packet and mapping it to the Ethernet broadcast address FF:FF:FF:FF:FF:FF. When the router receives such a packet from the Internet, it therefore broadcasts it to every host on the local segment.

The reader can surely guess what happens next. Every host on the segment sends an echo reply to the IP address in the spoofed packet. If this is a large Ethernet segment, more than 500 hosts may reply to the echo request they received.

Because most systems process ICMP traffic as quickly as they can, and Woodlly Attacker set the packet's source address to the target system, the target is very quickly swamped by the flood of echo replies. This easily prevents it from handling any other network traffic and so denies service to legitimate systems.

The attack affects not only the target system but also the target company's Internet connection. If the bounce site has a T3 connection (45 Mbps) and the target system's company uses a leased line (56 Kbps), all traffic in and out of that company comes to a halt.
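From the defender's side, the tell-tale event in the description above is an ICMP echo request arriving for the directed-broadcast address of a locally attached segment; a router that forwards it turns every host on that segment into a reflector. The added example below (not part of the original post) flags such packets in constructed packet records and estimates the reflected volume per spoofed source from the segment's host count; the 206.121.73.255 address comes from the text, and the /24 segment with 500 live hosts is a constructed assumption.

```python
import ipaddress
from collections import defaultdict

# constructed: attached subnet -> number of live hosts that would answer an echo request
LOCAL_SEGMENTS = {ipaddress.ip_network("206.121.73.0/24"): 500}

def is_directed_broadcast(dst):
    """Return the attached segment whose broadcast address is `dst`, else None."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_SEGMENTS:
        if addr == net.broadcast_address:
            return net
    return None

def analyse(packets):
    """packets: dicts with proto, type, src, dst, length (bytes).
    Returns {spoofed_source: estimated reflected bytes} for echo requests to a
    directed-broadcast address; those spoofed sources are the likely victims."""
    reflected = defaultdict(int)
    for p in packets:
        if p["proto"] != "icmp" or p["type"] != "echo-request":
            continue
        net = is_directed_broadcast(p["dst"])
        if net is None:
            continue                     # ordinary unicast ping, no amplification
        reflected[p["src"]] += LOCAL_SEGMENTS[net] * p["length"]
    return dict(reflected)

SAMPLE = [   # constructed packet records
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.5", "dst": "206.121.73.255", "length": 84},
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.9", "dst": "206.121.73.7", "length": 84},
    {"proto": "tcp", "type": None, "src": "10.0.0.5", "dst": "206.121.73.255", "length": 60},
]
```

The usual mitigation on the bounce site is to stop forwarding directed broadcasts on the router (`no ip directed-broadcast` on Cisco IOS), which removes the amplification entirely.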

Juniper SRX local-user for normal user access (Pass-Through SRX)

SRX# edit access profile ftp-users
SRX# set client john firewall-user password ibm123
SRX# set client mary firewall-user password ibm456
SRX# set session-options client-group ftp-group
SRX# top edit access firewall-authentication
SRX# set pass-through default-profile ftp-users
SRX# set pass-through ftp banner login " JUNOS ROCKS!!"
SRX# top edit security policies
SRX# edit from-zone hr to-zone untrust policy outbound-ftp-auth
SRX# set match source-address dc
SRX# set match destination-address untrust-ftp
SRX# set match application junos-ftp
SRX# set then permit firewall-authentication pass-through access-profile ftp-users