Archive for the 'Cisco Routers' Category
One of the main elements to configure on a Cisco router is its interfaces. The router is usually equipped with Ethernet interfaces (for LAN connectivity) or Serial/ATM/T1/E1 interfaces for WAN connectivity. Below you will find three typical router interface configuration scenarios to get an idea about this important setup.
Configuring Ethernet or Fast Ethernet Interfaces
Router> enable
Router# config terminal
! enter the interface configuration submode
Router(config)# interface fastethernet 0/0
! IP address configured on the interface
Router(config-if)# ip address 10.1.10.1 255.255.255.0
! bring the interface up
Router(config-if)# no shutdown
! assign a name to the interface
Router(config-if)# description lan
Router(config-if)# exit
Router(config)#
* Note that the interface naming can differ. Examples are FastEthernet, Ethernet, GigabitEthernet, etc. The interface numbering also varies from router to router, such as 0, 1, 0/0, 0/1, etc.
Configuring DTE Serial Interfaces
Note that DTE serial interfaces receive clock from the Serial WAN modem.
Router> enable
Router# config terminal
! enter the interface configuration submode
Router(config)# interface serial 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.252
Router(config-if)# no shutdown
! assign a name to the interface
Router(config-if)# description WAN Network
Router(config-if)# exit
Router(config)#
* Note that the interface numbering can be 0, 1, 0/0, 0/1, etc. This varies by router.
Configuring DCE Serial Interfaces
Note that DCE serial interfaces provide clock to the connected device on the interface.
Router> enable
Router# config terminal
Router(config)# interface serial 0/1
Router(config-if)# ip address 10.1.1.1 255.255.255.0
! configure the clock rate that will be provided by the router
Router(config-if)# clock rate 128000
Router(config-if)# no shutdown
! assign a name to the interface
Router(config-if)# description WAN Network
Router(config-if)# exit
Router(config)#
* Note that the interface number can be 0, 1, 0/0, 0/1, etc. This varies by router model.
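The three scenarios above all end with the same handful of settings on each interface (an address and mask, no shutdown, a description, and a clock rate only where the router is the DCE). As an added example that is not part of the original post, the following Python script parses running-config style interface stanzas and reports interfaces that are up but missing one of those settings, or that provide clock and therefore act as DCE. The sample configuration is constructed here and modelled on the three examples; it assumes the running-config convention that an interface without a shutdown line is administratively up.

```python
"""Audit Cisco IOS interface stanzas for the settings walked through above.

Added example, not code from the original post. Parses running-config
style 'interface ...' stanzas and flags interfaces that are up without an
IP address or description, have an invalid address/mask pair, or carry a
'clock rate' (i.e. act as DCE) so the operator can confirm that is intended.
"""
import ipaddress
import re

# Constructed sample running-config, modelled on the post's three scenarios.
# In a running-config an interface that is administratively up simply has no
# 'shutdown' line (assumption used by the audit below).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description lan
 ip address 10.1.10.1 255.255.255.0
!
interface Serial0/0
 description WAN Network
 ip address 172.16.1.1 255.255.255.252
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.0
 clock rate 128000
!
interface FastEthernet0/1
 shutdown
!
interface Serial0/2
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: settings dict} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment/separator
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = {"description": None, "ip": None, "mask": None,
                       "shutdown": False, "clock_rate": None}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # a top-level command: we left the interface stanza
            continue
        parts = line.split()
        if parts[0] == "description":
            current["description"] = " ".join(parts[1:])
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            current["ip"], current["mask"] = parts[2], parts[3]
        elif parts == ["shutdown"]:
            current["shutdown"] = True
        elif parts[:2] == ["clock", "rate"] and len(parts) >= 3:
            current["clock_rate"] = int(parts[2])
    return interfaces


def audit(interfaces: dict) -> list:
    """Return a list of (interface, finding) tuples for interfaces that are up."""
    findings = []
    for name, cfg in interfaces.items():
        if cfg["shutdown"]:
            continue  # administratively down: nothing to check
        if cfg["ip"] is None:
            findings.append((name, "up but has no IP address"))
        else:
            try:
                ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")
            except ValueError:
                findings.append((name, "invalid IP address or mask"))
        if cfg["description"] is None:
            findings.append((name, "up but has no description"))
        if cfg["clock_rate"] is not None:
            findings.append((name, f"provides clock ({cfg['clock_rate']} bps): acting as DCE, confirm this is intended"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Run against the sample, the audit is silent for FastEthernet0/0 and Serial0/0, skips the shut down FastEthernet0/1, notes that Serial0/1 has no description and provides clock, and reports Serial0/2 as up with neither an address nor a description.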
The most common attack against Service Provider IP networks is Denial of Service. These attacks usually take the form of “Many-to-One Attacks”, where multiple attacking sources send flooding traffic towards a single destination; they are then called Distributed Denial of Service (DDoS). The attacking hosts are usually “zombie” computers that have been compromised by hackers and belong to a BotNet. The attacks are typically directed at a critical node of the ISP network (a Border Router, a public Server, etc).
If the attack consists of thousands of non-legitimate connection requests (TCP SYN packets) towards a single host, the target host becomes overloaded with requested connections because the three-way TCP handshake never completes: the SYN packets carry unreachable return addresses, so the connections cannot be established. The resulting volume of unresolved half-open connections eventually overwhelms the server and can cause it to deny service to valid requests. This attack is also called a SYN attack.

TCP Intercept is a feature on routers used to prevent and mitigate TCP SYN-flooding attacks by monitoring the rate of SYN packets and intervening inside the TCP communication whenever necessary in order to reduce the number of incomplete TCP connections.
There are two modes for TCP Intercept: “Intercept Mode” and “Watch Mode”.
Intercept Mode
The most “invasive” mode is “Intercept Mode”. The router establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. This means that if the connection is legitimate, it will reach the server with no problem. If the connection is from a non-legitimate client, the half-open connection will be dropped by the router. This mode consumes a lot of memory and CPU on the router.
Watch Mode
We recommend using “Watch Mode” instead of “Intercept Mode”. In Watch Mode, the router passively watches the connection requests flowing through it. If a connection fails to get established within a configurable interval, the router intervenes and terminates the connection attempt.
Configuration of TCP Intercept
On the router connecting to the host under attack, configure the following (assume the target host under attack is 1.1.1.1):
Router(config)# access-list 101 permit tcp any host 1.1.1.1
Router(config)# ip tcp intercept mode watch
Router(config)# ip tcp intercept list 101
The above configuration will watch the TCP SYN packets towards host 1.1.1.1. If the SYN packets exceed a certain default value, the router starts to close incomplete TCP connections. Specifically, if the number of incomplete connections exceeds 1,100, or the number of connections arriving in the last one-minute period exceeds 1,100, each new arriving connection causes the oldest partial connection (or a random connection) to be deleted. These are the default values, which can be altered.
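To make the Watch Mode behaviour concrete, the following Python simulation (an added example, not code from the original post or from Cisco) replays a constructed stream of SYN and handshake-completion events through the two rules described above: half-open attempts that do not complete within the watch interval are torn down, and once more than 1,100 connections are incomplete or more than 1,100 SYNs arrived in the last minute, each new SYN causes the oldest half-open entry to be dropped. The 1,100 thresholds are the defaults quoted in the text; the 30 second watch interval is assumed (the text only says it is configurable).

```python
"""Simulate TCP Intercept 'watch mode' over a constructed SYN flood.

Added example, not code from the original post. It models the two
mechanisms the post describes: a watch timeout for half-open attempts and
an aggressive mode that drops the oldest half-open entry per new SYN once
the default 1,100 thresholds are exceeded.
"""
from collections import deque

HIGH_WATER = 1100      # IOS defaults quoted in the post (incomplete count / one-minute rate)
WATCH_TIMEOUT = 30.0   # seconds; assumed value for the configurable watch interval
ONE_MINUTE = 60.0


def simulate_watch_mode(events, high_water=HIGH_WATER, watch_timeout=WATCH_TIMEOUT):
    """events: iterable of (time_s, kind, flow_id) sorted by time.

    kind is 'syn' (client SYN seen) or 'established' (handshake completed).
    Returns counters describing what the router would have done.
    """
    half_open = {}        # flow_id -> time its SYN was seen, oldest first
    recent_syns = deque()  # SYN timestamps within the last minute
    stats = {"established": 0, "timed_out": 0, "aggressive_drops": 0, "peak_half_open": 0}

    for t, kind, flow in events:
        # Rule 1: attempts that never completed within the watch interval are reset.
        for f, t0 in list(half_open.items()):
            if t - t0 > watch_timeout:
                del half_open[f]
                stats["timed_out"] += 1
            else:
                break  # entries are in arrival order, so the rest are newer
        while recent_syns and t - recent_syns[0] > ONE_MINUTE:
            recent_syns.popleft()

        if kind == "syn":
            recent_syns.append(t)
            # Rule 2: aggressive mode -> each new SYN evicts the oldest half-open entry.
            if half_open and (len(half_open) > high_water or len(recent_syns) > high_water):
                oldest = next(iter(half_open))
                del half_open[oldest]
                stats["aggressive_drops"] += 1
            half_open.pop(flow, None)  # a retransmitted SYN restarts the timer
            half_open[flow] = t
            stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
        elif kind == "established":
            if half_open.pop(flow, None) is not None:
                stats["established"] += 1
    return stats


def build_flood(n_spoofed=1500, legit=5):
    """Constructed scenario: 100 spoofed SYNs/s that never complete, plus a few
    legitimate clients that finish their handshake 0.2 s after their SYN."""
    events = [(i / 100.0, "syn", f"spoof-{i}") for i in range(n_spoofed)]
    for j in range(legit):
        events.append((1.0 + j, "syn", f"client-{j}"))
        events.append((1.2 + j, "established", f"client-{j}"))
    # One more legitimate client well after the flood, so the watch timeout fires.
    events.append((60.0, "syn", "late-client"))
    events.append((60.2, "established", "late-client"))
    events.sort(key=lambda e: e[0])  # stable sort keeps spoofed SYNs first on ties
    return events


if __name__ == "__main__":
    print(simulate_watch_mode(build_flood()))
```

In this scenario the legitimate clients all complete, because watch mode never blocks a new SYN; the aggressive threshold is crossed on the one-minute SYN rate once 1,101 SYNs have been seen, after which every further spoofed SYN evicts the oldest half-open entry, and the remaining 1,095 abandoned attempts are reset by the watch timeout once the flood stops.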
In order for two Layer 3 devices (routers or Layer 3 switches) to exchange routing information, they must use the same routing protocol, such as RIP, EIGRP, OSPF, BGP, etc. Different routing protocols, or the same protocol configured differently (e.g. different EIGRP autonomous systems), do not exchange information.
However, when a device learns routing information from different sources (e.g. static routes or different protocols), Cisco IOS allows the information learned from one source to be advertised to other devices using a different protocol. For example, a route learned through RIP can be advertised to other devices using OSPF. This is what is called “redistribution” of routes: using a routing protocol to advertise routes that were learned through other means (another protocol, static routes or directly connected networks). To configure route redistribution, some rules must be in place:
- The redistributed route must be present in the routing table.
- The redistributed route will be received by the neighbouring device with a new metric as configured by the redistributing router.
What is it used for?
In principle it is desirable that a network should use a single routing protocol. However, in some cases we may require the use of redistribution: two companies merged, different departments of a company managed by different teams, multi-vendor environments, migration, etc. When addressing a redistribution of routes scenario we should take into account particular aspects of routing: different metrics, administrative distance of each protocol, the capabilities of classful and classless routing, and network topology.
Metrics
Each routing protocol uses a different metric. As a result, redistributed routes lose the original metric of the source protocol and the metric is redefined in terms of the new protocol. For example, an OSPF route with a cost of 1642 cannot carry that value into RIP, because the RIP metric is a hop count (between 1 and 15); the metric must be changed before redistributing into RIP.
The metric with which a protocol receives the routes learned by another protocol is called the seed metric.
Each protocol uses a default seed metric:
RIP – default seed metric: infinity.
EIGRP – default seed metric: infinity.
OSPF – default seed metric: 20.
The default seed metric can also be modified using the “default-metric” command.
The basic commands
When you configure redistribution between protocols, you indicate which routing information to redistribute and which metric the routes should carry when they are redistributed. If no metric is given, the routes are redistributed with the default metric.
Router(config)# router rip
Router(config-router)# network 129.100.0.0
Router(config-router)# redistribute ospf 1 metric 2
In this example we tell the router to redistribute routing information into RIP when learned through the OSPF process 1 which is in the routing table, with a metric of 2 hops.
Redistribution in EIGRP
To redistribute routing information into EIGRP, it should be noted that the default metric is infinite. Therefore, if you do not specify metric for redistributed routes, they will not appear in the routing table of the neighbouring device.
Furthermore, when defining the metric, note that EIGRP uses five components: bandwidth, delay, reliability, load and MTU.
An example:
Router(config)# router eigrp 100
Router(config-router)# redistribute static
Router(config-router)# redistribute rip
Router(config-router)# default-metric 10000 100 255 1 1500
Redistribution in OSPF
The default metric used by OSPF is 20, so we are not required to specify a metric for the routes to be accepted by the adjacent devices. However, when there are multiple subnets of the same classful network and you want to advertise a route for each subnet, you must add the subnets keyword (as in the example below); otherwise OSPF will summarize all subnets at the class boundary and advertise a single route.
An example:
Router(config)# router ospf 1
Router(config-router)# redistribute static metric 200 subnets
Router(config-router)# redistribute eigrp 100 metric 500 subnets
RIP redistribution
Like EIGRP, RIP redistributes the protocols using a default metric of infinity, so it is necessary to specify a different metric in order for the neighbour router to incorporate the routing information in its table.
An example:
Router(config)# router rip
Router(config-router)# redistribute static metric 1
Router(config-router)# redistribute ospf 1 metric 2
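The seed metric rules above decide whether a redistributed route is ever installed by the neighbour, and the three protocol sections each show one case. As an added example that is not part of the original post, the following Python checker applies those rules to a planned redistribution: the metric on the redistribute command wins, then default-metric, then the protocol's default (infinity for RIP and EIGRP, 20 for OSPF), after which the metric is validated against the target protocol (a 1 to 15 hop count for RIP, five positive components for EIGRP, and the subnets keyword for OSPF). The configurations it evaluates are the ones shown in this post plus the 1642 case from the Metrics section; the function and argument names are this example's own.

```python
"""Check whether a planned route redistribution will actually be accepted.

Added example, not code from the original post. Encodes the seed metric
rules described in the post: redistribute ... metric X, then default-metric,
then the protocol default (RIP/EIGRP infinity, OSPF 20), and validates the
result against the target protocol's metric format.
"""
INFINITY = float("inf")
DEFAULT_SEED = {"rip": INFINITY, "eigrp": INFINITY, "ospf": 20}
RIP_MAX_HOPS = 15


def effective_seed_metric(target, redistribute_metric=None, default_metric=None):
    """Metric the route carries into `target`: explicit metric, then default-metric, then protocol default."""
    if redistribute_metric is not None:
        return redistribute_metric
    if default_metric is not None:
        return default_metric
    return DEFAULT_SEED[target.lower()]


def check_redistribution(target, source, redistribute_metric=None, default_metric=None, subnets=False):
    """Return (accepted, reason). EIGRP metrics are 5-tuples (bw, delay, reliability, load, mtu)."""
    target = target.lower()
    metric = effective_seed_metric(target, redistribute_metric, default_metric)
    if metric == INFINITY:
        return False, f"{source} routes enter {target.upper()} with metric infinity and will not appear in the neighbour's routing table"
    if target == "rip":
        if not (isinstance(metric, int) and 1 <= metric <= RIP_MAX_HOPS):
            return False, f"RIP metric must be a hop count between 1 and {RIP_MAX_HOPS}, got {metric}"
    elif target == "eigrp":
        if not (isinstance(metric, tuple) and len(metric) == 5 and all(isinstance(m, int) and m > 0 for m in metric)):
            return False, "EIGRP needs five positive components: bandwidth delay reliability load mtu"
    elif target == "ospf" and not subnets:
        # Accepted, but individual subnets are not carried without the subnets keyword.
        return True, f"installed with metric {metric}; add the subnets keyword to advertise each subnet of a classful network"
    return True, f"installed with metric {metric}"


# The post's own redistribution examples, plus the 1642 case from the Metrics section.
PLANNED = [
    ("router rip / redistribute ospf 1 metric 2", "rip", "ospf", 2, None, False),
    ("router eigrp 100 / redistribute rip (no metric)", "eigrp", "rip", None, None, False),
    ("router eigrp 100 / redistribute rip + default-metric 10000 100 255 1 1500",
     "eigrp", "rip", None, (10000, 100, 255, 1, 1500), False),
    ("router ospf 1 / redistribute static metric 200 subnets", "ospf", "static", 200, None, True),
    ("router ospf 1 / redistribute eigrp 100 (defaults)", "ospf", "eigrp", None, None, False),
    ("router rip / redistribute ospf 1 metric 1642", "rip", "ospf", 1642, None, False),
]


def review_all(planned=PLANNED):
    """Evaluate every planned redistribution; returns {description: (accepted, reason)}."""
    return {desc: check_redistribution(tgt, src, m, dm, subnets)
            for desc, tgt, src, m, dm, subnets in planned}


if __name__ == "__main__":
    for desc, (ok, reason) in review_all().items():
        print(f"{'OK  ' if ok else 'FAIL'} {desc}: {reason}")
```

The two EIGRP entries show the point made in the EIGRP section: the same redistribute rip command is rejected on its own and accepted once default-metric supplies the five components.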
The Cisco 7600 router is in my opinion one of the most versatile High End routing machines on the planet!! It is one of my favorite networking devices. If you take a look at the Cisco website under the Routers product category, you will notice that the 7600 can be used in Data Centers, in Service Provider networks, in WAN aggregation or as an Internet Edge router. In Service Provider networks it can be used as a Provider Edge (PE) router in IP MPLS networks, aggregating many Customer Edge (CE) devices. Its modularity and high port capacity allow the 7600 to work both as a Layer 2 aggregation device and as a high performance Layer 3 router.
In Service Provider networks, one of the main concerns of network administrators is protecting the network infrastructure from Denial of Service attacks. These DoS attacks are the most serious and most common security threat against Service Providers, and botnets are frequently their main source. ICMP flooding, UDP flooding, spoofed-address DoS, SYN attacks, etc are a few examples of DoS or DDoS (Distributed Denial of Service) attacks. Fortunately the Cisco 7600 router has many robust features and mechanisms to protect itself from such attacks.
In the company that I work for (a Service Provider) we have already implemented several security protection features on the 7600 which are really effective against DoS attacks. A summary of the DoS protection mechanisms on the 7600 follows below:
- Security Access Control Lists (ACL): Applied on interfaces to block traffic at Layer 3/4.
- QoS Rate Limiting: Using class-maps and policy-maps you can apply rate limiting to specific types of traffic (e.g. ICMP).
- uRPF (unicast Reverse Path Forwarding): Protects against spoofing attacks.
- Traffic Storm Control: Protects against broadcast storm attacks.
- TCP Intercept: Protects against SYN attacks.
- Hardware-Based Rate Limiters: Work on PFC3 engines. These rate limiters protect the MSFC routing engine from various packet types that can overload its CPU (configured with the mls rate-limit command).
- Control Plane Policing (CoPP): Again used for protection of the MSFC routing engine, by applying rate limiting to packets that flow from the data plane to the control plane.
Of course, in addition to the above you must not forget other important security mechanisms such as a strong password policy, proper Authentication and Accounting, logging, SNMP security, and routing protocol security (MD5 authentication in OSPF, BGP, etc). All of these technical measures must be based on a thorough and carefully written security policy.