
Friday, June 20, 2008

Display BGP routes originated in the local AS

The easiest way to display BGP routes originating in the local autonomous system is to use the regular expression ^$ (empty AS-path) in the show ip bgp regexp command, for example:

PE-A#show ip bgp regexp ^$
BGP table version is 10, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.1/32      0.0.0.0                  0         32768 i
r>i10.0.1.2/32      10.0.1.2                 0    100      0 i

If you want to apply a show filter to the printout of this command, you have to use the quote-regexp variant; otherwise the rest of the line is interpreted as regular expression. To skip the header explaining the BGP status code (we know them by heart by now, don’t we?), use …

PE-A#show ip bgp quote-regexp "^$" | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.1/32      0.0.0.0                  0         32768 i
r>i10.0.1.2/32      10.0.1.2                 0    100      0 i

… and end with the eye candy – define this command as an alias: alias exec localbgp show ip bgp quote-regexp "^$" | begin Network.
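As an added illustration (not code from the post), the following Python script parses a constructed "show ip bgp" printout and applies an AS-path regular expression to it the way the regexp keyword does. It shows why ^$ selects exactly the locally originated routes (their AS path is empty) and why forgetting quote-regexp breaks the command: the unquoted pattern "^$ | begin Network" is itself a valid regular expression that matches no AS path at all. The sample table reuses the two routes from the printout above plus two constructed routes with non-empty AS paths; note that IOS AS-path regexps add the "_" delimiter wildcard, which Python lacks, but ^$ means the same thing in both dialects.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show ip bgp" output. The first two routes mirror the
# printout in the post; the last two are constructed routes with a non-empty
# AS path so that the regexp has something to exclude.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 10, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.1/32      0.0.0.0                  0         32768 i
r>i10.0.1.2/32      10.0.1.2                 0    100      0 i
*> 192.0.2.0/24     10.0.1.9                 0             0 65010 65020 i
*>i198.51.100.0/24  10.0.1.5                 0    100      0 65030 ?
"""


@dataclass
class BgpEntry:
    status: str     # e.g. "*>" (valid, best) or "r>i" (RIB failure, best, internal)
    network: str
    next_hop: str
    as_path: str    # AS numbers only, e.g. "65010 65020"; "" for locally originated routes
    origin: str     # i, e or ?


def parse_show_ip_bgp(text):
    """Parse the route lines of 'show ip bgp'. The Path column starts at a fixed
    offset, so it is located from the header line rather than by splitting on
    spaces: Metric, LocPrf and Weight are digits too and would be mistaken for
    AS numbers."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.strip().startswith("Network"))
    path_col = lines[hdr].index("Path")
    entries = []
    for line in lines[hdr + 1:]:
        if not line.strip():
            continue
        status = line[:3].strip()                    # three-character status column
        network, next_hop = line[3:path_col].split()[:2]
        *as_path, origin = line[path_col:].split()   # last token is the origin code
        entries.append(BgpEntry(status, network, next_hop, " ".join(as_path), origin))
    return entries


def show_ip_bgp_regexp(entries, pattern):
    """Model of 'show ip bgp regexp <pattern>': keep routes whose AS path matches."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e.as_path)]


def locally_originated(entries):
    # ^$ matches only the empty AS path, i.e. routes injected by this AS.
    return show_ip_bgp_regexp(entries, "^$")


if __name__ == "__main__":
    table = parse_show_ip_bgp(SAMPLE_SHOW_IP_BGP)
    for e in locally_originated(table):
        print(e.status, e.network, e.next_hop)
    # The unquoted filter is swallowed into the regexp and matches nothing:
    print(show_ip_bgp_regexp(table, "^$ | begin Network"))
```

Run it as a script and it prints the two local routes, then an empty list for the unquoted variant; with quote-regexp the pattern stays "^$" and the "| begin Network" part is handled by the show filter instead.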

Use the explicit "address-family ipv4" in BGP configurations

If you use multiprotocol BGP (MP-BGP) in your network to support MPLS VPN, IPv6 or IP Multicast over BGP, it's best if you go all the way and configure an explicit ipv4 address family; the resulting BGP configuration is significantly easier to read and understand as the session-specific parameters are clearly separated from the routing-specific parameters and the IPv4 settings are nicely grouped in an explicit section.
To change the format of the BGP configuration, configure the IPv4 address family with the address-family ipv4 unicast router configuration command (the neighbor statements and other configuration settings pertinent to IPv4 are automatically moved into the new address family) or manually activate a BGP neighbor for IPv4 route exchange with the neighbor activate router configuration command.

To illustrate the differences between the traditional BGP configuration and the per-address-family configuration, consider a simple MPLS VPN+Internet setup. First the traditional approach:

router bgp 65000
 template peer-policy Internal
  send-community both
 exit-peer-policy
 !
 template peer-session Internal
  remote-as 65000
  update-source Loopback0
 exit-peer-session
 !
 no synchronization
 bgp log-neighbor-changes
 network 10.0.1.1 mask 255.255.255.255
 neighbor 10.0.1.5 inherit peer-session Internal
 neighbor 10.0.1.5 description PE-C(RR)
 neighbor 10.0.1.5 inherit peer-policy Internal
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.0.1.5 activate
  neighbor 10.0.1.5 send-community extended
 exit-address-family

... and the changed configuration after the address-family ipv4 command has been entered:

router bgp 65000
 template peer-policy Internal
  send-community both
 exit-peer-policy
 !
 template peer-policy InternalV6
  send-label
  inherit peer-policy Internal 1
 exit-peer-policy
 !
 template peer-session Internal
  remote-as 65000
  update-source Loopback0
 exit-peer-session
 !
 bgp log-neighbor-changes
 neighbor 10.0.1.5 inherit peer-session Internal
 neighbor 10.0.1.5 description PE-C(RR)
 !
 address-family ipv4
  no synchronization
  network 10.0.1.1 mask 255.255.255.255
  neighbor 10.0.1.5 activate
  neighbor 10.0.1.5 inherit peer-policy Internal
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.1.5 activate
  neighbor 10.0.1.5 send-community extended
 exit-address-family

Monday, November 19, 2007

Totally Stealthy Router

In response to the post detailing router response to port scans, one of my readers asked an interesting question:

“I was wondering if there was a way to prevent the router from sending those TCP RST packets and administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”
Here's how you do it:
  • No TCP RST packets should be sent in response to port scans. An inbound access list dropping all IP packets achieves that.
  • Outbound traffic, both from the protected LAN and from the router itself (ping, telnet, DNS, NTP ...), should be allowed. Configure ip inspect with the router-traffic option.
  • Disable generation of ICMP unreachables with the no ip unreachables interface configuration command.
The relevant parts of the router configuration are included below:

ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
!
interface FastEthernet0/0
 ip address a.b.c.d x.y.z.w
 ip access-group Internet in
 no ip unreachables
 ip inspect Internet out
!
ip access-list extended Internet
 deny ip any any

Note: This article is part of the You've asked for it series.
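To make the interplay of the three settings concrete, here is an added toy model in Python (not IOS code and not part of the post): a session table that stands in for ip inspect, an inbound deny-all in front of it, and a switch for ip unreachables. It shows that replies to sessions started from the inside (or by the router itself, the router-traffic case) get back in, while unsolicited probes are dropped before the router's own TCP/UDP stack could answer, so the only response left to suppress is the ACL's ICMP administratively-prohibited message. The traffic and addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StealthEdge:
    """Toy model of the three settings in the post (assumed to behave as the post
    describes; this is not IOS code):
      - 'ip access-group Internet in' with 'deny ip any any' on the outside interface
      - 'ip inspect Internet out' (tcp/udp/icmp, router-traffic) recording sessions
        started from inside or by the router itself, so their replies can come back in
      - 'no ip unreachables' silencing the ICMP message an ACL deny would otherwise send
    """

    def __init__(self, ip_unreachables=False):
        self.ip_unreachables = ip_unreachables
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        # CBAC inspects traffic leaving the outside interface and opens a
        # matching hole in the inbound ACL for the reply.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forwarded"

    def inbound(self, pkt):
        # A reply carries the inside endpoint as its destination.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "forwarded"
        # Anything else is dropped by the ACL before the router's own TCP/UDP
        # stack sees it, so no RST or port-unreachable is ever produced. The only
        # remaining tell is the ACL-generated ICMP administratively-prohibited
        # message, which 'no ip unreachables' removes.
        return "icmp-admin-prohibited" if self.ip_unreachables else "silent-drop"


def run_scenario(ip_unreachables=False):
    """Constructed traffic: a DNS query from a LAN host, an NTP query sent by the
    router itself, then a TCP and a UDP probe from an outside scanner aimed at
    the router's outside address (192.0.2.1, a documentation address)."""
    edge = StealthEdge(ip_unreachables)
    edge.outbound(Packet("udp", "10.1.1.10", 40000, "198.51.100.53", 53))
    edge.outbound(Packet("udp", "192.0.2.1", 123, "198.51.100.123", 123))   # router-traffic
    return {
        "dns reply": edge.inbound(Packet("udp", "198.51.100.53", 53, "10.1.1.10", 40000)),
        "ntp reply": edge.inbound(Packet("udp", "198.51.100.123", 123, "192.0.2.1", 123)),
        "tcp probe": edge.inbound(Packet("tcp", "203.0.113.7", 55555, "192.0.2.1", 23)),
        "udp probe": edge.inbound(Packet("udp", "203.0.113.7", 55555, "192.0.2.1", 161)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:10} {verdict}")
    print("probe with ip unreachables left on:",
          run_scenario(ip_unreachables=True)["tcp probe"])
```

The model deliberately ignores timeouts and ICMP inspection details; the point is the direction of the session table and the fact that the inbound deny happens before any protocol stack can react.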

Sunday, November 18, 2007

Secure IOS Template v5.1 - 29 OCT 2007


The commands are in BOLD text so that they stand out from the surrounding comments.

! Secure router configuration template.
! Version 3.1
! @(#)Secure IOS template v3.1 17 NOV 2003 Rob Thomas robt@cymru.com
! @(#)http://www.cymru.com/Documents/secure-ios-template.html
!
! This configuration assumes the following topology:
!
!          Upstream/Internet
!            5.5.5.1/24
!                |
!        5.5.5.254/24 (Ethernet 2/0)
!             THIS ROUTER
!        6.6.6.254/24 (Ethernet 2/1)
!                |
!            6.6.6.1/24
!             Firewall
!            7.7.7.1/24
!                |
!            7.7.7.0/24
!             Intranet
!
! In this case, 7.7.7.5 is the loghost, FTP server, etc.
! for the router. It could also be the firewall if
! circumstances dictate.
!
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
! Show copious timestamps in our logs
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
service password-encryption
no service dhcp
!
hostname secure-router01
!
boot system flash slot0:rsp-pv-mz.121-5a.bin
logging buffered 16384 debugging
no logging console
enable secret <PASSWORD>
no enable password
!
! Use TACACS+ for AAA. Ensure that the local account is
! case-sensitive, thus making brute-force attacks less
! effective.
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 7.7.7.5
tacacs-server key cheezit
!
! In the event that TACACS+ fails, use case-sensitive local
! authentication instead. Keeps the hackers guessing, and
! the router more secure.
username <USERNAME> secret <PASSWORD>
!
! Logging the commands run while at enable level access is
! a great way to track mistakes, security issues, etc.
archive
 log config
  logging enable
  logging size 500
  notify syslog
  hidekeys
!
! Disable TCL, where available. This won't show up in the
! config. It will break your router-based TCL scripts if
! you use such, so use with care!
no scripting tcl init
no scripting tcl encdir
!
! Enable the netflow top talkers feature.
! You can see the top N talkers (50 in this example) with the
! show ip flow top-talkers command. This is a handy
! utility to use during DDoS attacks and traffic issues. You
! can sort-by either packets or bytes, as you prefer.
ip flow-top-talkers
 top 50
 sort-by packets
!
! Don't run the HTTP server.
no ip http server
no ip http secure-server
!
! Allow us to use the low subnet and go classless
ip subnet-zero
ip classless
!
! Disable noxious services
no service pad
no ip source-route
no ip finger
no ip bootp server
no ip domain-lookup
!
! Catch crash dumps; very important with a "security router."
ip ftp username rooter
ip ftp password <PASSWORD>
! Give our core dump files a unique name.
exception core-file secure-router01-core
exception protocol ftp
exception dump 7.7.7.5
! Fire up CEF for both performance and security.
ip cef
! Set the timezone properly. It is best to standardize on one
! timezone for all routers, thus making problem tracking easier.
clock timezone GMT 0
! Synchronize our clocks with a local (trusted and authenticated)
! NTP server. The SECRETKEY must be the same on both the router
! and the NTP server.
ntp authentication-key 6767 md5 <SECRETKEY>
ntp authenticate
ntp update-calendar
ntp server 7.7.7.5
!
! Configure the loopback0 interface as the source of our log
! messages. This is often used for routing protocols as well.
! Select an IP address that uniquely identifies this router.
! One trick is to allocate a netblock for use as the router
! loopback netblock.
int loopback0
 ip address 10.10.10.10 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Configure null0 as a place to send naughty packets. This
! becomes the "roach motel" for packets -- they can route in,
! but they can't route out.
interface null0
 no ip unreachables
!
interface Ethernet2/0
 description Unprotected interface, facing towards Internet
 ip address 5.5.5.254 255.255.255.0
 ! Do we run CEF verify? Yes if the data path is symmetric. No
 ! if the data path is asymmetric.
 ip verify unicast reverse-path
 ! Apply our template ACL
 ip access-group 2010 in
 ! Allow UDP to occupy no more than 2 Mb/s of the pipe.
 rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
 ! Allow ICMP to occupy no more than 500 Kb/s of the pipe.
 rate-limit input access-group 160 500000 62500 62500 conform-action transmit exceed-action drop
 ! Allow multicast to occupy no more than 5 Mb/s of the pipe.
 rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
 ! Don't send redirects.
 no ip redirects
 ! Don't send unreachables.
 ! NOTE WELL that this may break PMTU discovery.
 ! For example, if this router is edge for a VPN of any sort, you might need
 ! to enable ip unreachables
 ! A typical symptom is ping working but a larger transmission doesn't.
 no ip unreachables
 ! Don't propagate smurf attacks.
 no ip directed-broadcast
 ! Don't pretend to be something you're not. :-)
 no ip proxy-arp
 ! Do not reveal our netmask
 no ip mask-reply
 ! Log all naughty business.
 ip accounting access-violations
 ! If you allow multicast in your network or participate in the
 ! MBONE, the following multicast filtering steps will help to
 ! ensure a secure multicast environment. These must be applied
 ! per interface.
 ip multicast boundary 30
 !
 ! Keep flow data for analysis. If possible, export it to a
 ! cflowd server.
 ip route-cache flow
!
interface Ethernet2/1
 description Protected interface, facing towards DMZ
 ip address 6.6.6.254 255.255.255.0
 ! Do we run CEF verify? Yes if the data path is symmetric. No
 ! if the data path is asymmetric.
 ip verify unicast reverse-path
 ! If we are using RPF, comment out the ACL below.
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting access-violations
 ip multicast boundary 30
 no ip mask-reply
 ip route-cache flow
!
! Default route to the Internet (could be a routing
! protocol instead)
ip route 0.0.0.0 0.0.0.0 5.5.5.1
! Route to network on the other side of the firewall
ip route 7.7.7.0 255.255.255.0 6.6.6.1
! Black hole routes. Do not combine this with TCP Intercept;
! in fact, don't use TCP Intercept at all.
ip route 1.0.0.0 255.0.0.0 null0
ip route 2.0.0.0 255.0.0.0 null0
ip route 5.0.0.0 255.0.0.0 null0
ip route 10.0.0.0 255.0.0.0 null0
ip route 23.0.0.0 255.0.0.0 null0
ip route 27.0.0.0 255.0.0.0 null0
ip route 31.0.0.0 255.0.0.0 null0
ip route 36.0.0.0 255.0.0.0 null0
ip route 37.0.0.0 255.0.0.0 null0
ip route 39.0.0.0 255.0.0.0 null0
ip route 42.0.0.0 255.0.0.0 null0
ip route 46.0.0.0 255.0.0.0 null0
ip route 49.0.0.0 255.0.0.0 null0
ip route 50.0.0.0 255.0.0.0 null0
ip route 100.0.0.0 255.0.0.0 null0
ip route 101.0.0.0 255.0.0.0 null0
ip route 102.0.0.0 255.0.0.0 null0
ip route 103.0.0.0 255.0.0.0 null0
ip route 104.0.0.0 255.0.0.0 null0
ip route 105.0.0.0 255.0.0.0 null0
ip route 106.0.0.0 255.0.0.0 null0
ip route 107.0.0.0 255.0.0.0 null0
ip route 108.0.0.0 255.0.0.0 null0
ip route 109.0.0.0 255.0.0.0 null0
ip route 110.0.0.0 255.0.0.0 null0
ip route 111.0.0.0 255.0.0.0 null0
ip route 112.0.0.0 255.0.0.0 null0
ip route 113.0.0.0 255.0.0.0 null0
ip route 127.0.0.0 255.0.0.0 null0
ip route 169.254.0.0 255.255.0.0 null0
ip route 172.16.0.0 255.240.0.0 null0
ip route 173.0.0.0 255.0.0.0 null0
ip route 174.0.0.0 255.0.0.0 null0
ip route 175.0.0.0 255.0.0.0 null0
ip route 176.0.0.0 255.0.0.0 null0
ip route 177.0.0.0 255.0.0.0 null0
ip route 178.0.0.0 255.0.0.0 null0
ip route 179.0.0.0 255.0.0.0 null0
ip route 180.0.0.0 255.0.0.0 null0
ip route 181.0.0.0 255.0.0.0 null0
ip route 182.0.0.0 255.0.0.0 null0
ip route 183.0.0.0 255.0.0.0 null0
ip route 184.0.0.0 255.0.0.0 null0
ip route 185.0.0.0 255.0.0.0 null0
ip route 192.0.2.0 255.255.255.0 null0
ip route 192.168.0.0 255.255.0.0 null0
ip route 197.0.0.0 255.0.0.0 null0
ip route 223.0.0.0 255.0.0.0 null0
!
! Export our NetFlow data to our NetFlow server, 7.7.7.5. NetFlow
! provides some statistics that can be of use when tracing the true
! source of a spoofed attack.
ip flow-export source loopback0
ip flow-export destination 7.7.7.5 2055
ip flow-export version 5 origin-as
!
! Log anything interesting to the loghost. Capture all of
! the logging output with FACILITY LOCAL5.
logging trap debugging
logging facility local5
logging source-interface loopback0
logging 7.7.7.5
!
! With the ACLs, it is important to log the naughty folks.
! Thus, the implicit drop all ACL is replaced (augmented,
! actually) with an explicit drop all that logs the attempt.
! You may wish to keep a second list (e.g. 2011) that does not
! log. During an attack, the additional logging can impact the
! performance of the router. Simply copy and paste access-list 2010,
! remove the log-input keyword, and name it access-list 2011. Then
! when an attack rages, you can replace access-list 2010 on the
! Internet-facing interface with access-list 2011.
!
! Block SNMP access to all but the loghost
access-list 20 remark SNMP ACL
access-list 20 permit 7.7.7.5
access-list 20 deny any log
!
! Multicast - filter out obviously naughty or needless traffic
access-list 30 remark Multicast filtering ACL
! Link local
access-list 30 deny 224.0.0.0 0.0.0.255 log
! Locally scoped
access-list 30 deny 239.0.0.0 0.255.255.255 log
! sgi-dogfight
access-list 30 deny host 224.0.1.2 log
! rwhod
access-list 30 deny host 224.0.1.3 log
! ms-srvloc
access-list 30 deny host 224.0.1.22 log
! ms-ds
access-list 30 deny host 224.0.1.24 log
! ms-servloc-da
access-list 30 deny host 224.0.1.35 log
! hp-device-disc
access-list 30 deny host 224.0.1.60 log
! Permit all other multicast traffic
access-list 30 permit 224.0.0.0 15.255.255.255 log
!
! Block access to all but the loghost and the firewall, and log any
! denied access attempts. This also serves to create an audit trail
! of all access to the router. Extended ACLs are used to log some
! additional data.
access-list 100 remark VTY Access ACL
access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range 22 23 log-input
access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range 22 23 log-input
access-list 100 deny ip any any log-input
!
! Leave one VTY safe for access, just in case. The host
! 7.7.7.8 is a secure host in the NOC. If all the VTYs are
! occupied, this leaves one VTY available.
access-list 105 remark VTY Access ACL
access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
access-list 105 deny ip any any log-input
!
! Configure an ACL that prevents spoofing from within our network.
! This ACL assumes that we need to access the Internet only from the
! 7.7.7.0/24 network. If you have additional networks behind
! 7.7.7.0/24, then add them into this ACL.
access-list 115 remark Anti-spoofing ACL
! First, allow our intranet to access the Internet.
access-list 115 permit ip 7.7.7.0 0.0.0.255 any
! Second, allow our firewall to access the Internet. This is useful
! for testing.
access-list 115 permit ip host 6.6.6.1 any
! Now log all other such attempts.
access-list 115 deny ip any any log-input
!
! Rate limit (CAR) ACLs for UDP, ICMP, and multicast.
access-list 150 remark CAR-UDP ACL
access-list 150 permit udp any any
access-list 160 remark CAR-ICMP ACL
access-list 160 permit icmp any any
access-list 170 remark CAR-Multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
!
! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.
access-list 2010 remark Anti-bogon ACL
! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
! access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
! access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
! Bogons
access-list 2010 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 2.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 5.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 23.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 27.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 31.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 36.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 37.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 39.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 42.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 46.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 49.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 50.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 100.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 101.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 102.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 103.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 104.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 105.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 106.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 107.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 108.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 109.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 110.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 111.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 112.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 113.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 173.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 174.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 175.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 176.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 177.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 178.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 179.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 180.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 181.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 182.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 183.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 184.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 185.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 197.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 223.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 224.0.0.0 31.255.255.255 any log-input
! Drop all ICMP fragments
access-list 2010 deny icmp any any fragments log-input
! Allow IP access to the intranet (firewall filters specific ports)
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
! Allow multicast to enter. See also access-list 30 for more
! specific multicast rules.
access-list 2010 permit ip any 224.0.0.0 15.255.255.255
! Our explicit (read: logged) drop all rule
access-list 2010 deny ip any any log-input
!
! Do not share CDP information, which contains key bits about our
! configuration, etc. This command disables CDP globally. If you
! require CDP on an interface, use cdp run and disable cdp
! (no cdp enable) on the Internet-facing interface.
no cdp run
! SNMP is VERY important, particularly with MRTG.
! Treat the COMMUNITY string as a password - keep it difficult to guess.
snmp-server community <COMMUNITY> RO 20
!
! Introduce ourselves with an appropriately stern banner.
banner motd %
Router foo. Access to this device or the attached
networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil
and criminal law.

We don't like you. Go away.

%
!
line con 0
 exec-timeout 15 0
 transport input none
line aux 0
 exec-timeout 15 0
line vty 0 3
 access-class 100 in
 exec-timeout 15 0
! Enable SSH connectivity. This is much more secure than telnet.
! Obviously, you must have an IOS image that supports SSH, and don't
! forget to generate the key with crypto key generate rsa.
 transport input telnet ssh
line vty 4
 access-class 105 in
 exec-timeout 15 0
 transport input telnet ssh
!
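The template keeps two parallel bogon lists: the null0 routes (which also make uRPF drop spoofed sources) and the explicit deny lines in access-list 2010. They drift apart easily when edited by hand, and the list itself ages: the header dates it 17 NOV 2003, and nearly every one of the /8s it names has since been allocated by IANA, so deploying it unchanged would black-hole legitimate traffic. The following Python script is an added consistency check, not part of the template; it parses a constructed excerpt of the two lists from the configuration above, converts both netmask and wildcard-mask notation with the standard ipaddress module, reports prefixes present in only one list, and flags entries that no longer fall inside the IANA special-purpose address registry (RFC 6890 plus the shared address space of RFC 6598). The IANA list embedded here is current as of this writing and should be refreshed from the registry before use.

```python
import ipaddress
import re

# Constructed excerpt of the template: a handful of its null0 routes and the
# matching ACL 2010 entries. The real template lists many more /8s; the check
# works the same way on the full configuration.
CONFIG_EXCERPT = """\
ip route 1.0.0.0 255.0.0.0 null0
ip route 5.0.0.0 255.0.0.0 null0
ip route 10.0.0.0 255.0.0.0 null0
ip route 127.0.0.0 255.0.0.0 null0
ip route 169.254.0.0 255.255.0.0 null0
ip route 172.16.0.0 255.240.0.0 null0
ip route 192.0.2.0 255.255.255.0 null0
ip route 192.168.0.0 255.255.0.0 null0
access-list 2010 remark Anti-bogon ACL
access-list 2010 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 5.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 2010 deny icmp any any fragments log-input
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
access-list 2010 deny ip any any log-input
"""

# IPv4 special-purpose space (RFC 6890 registry plus RFC 6598 shared space).
IANA_SPECIAL_PURPOSE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]

NULL_ROUTE_RE = re.compile(r"^ip route (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) null0$", re.M | re.I)
ACL_DENY_SRC_RE = re.compile(
    r"^access-list (\d+) deny ip (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) any", re.M)


def wildcard_to_network(address, mask):
    """Accepts either an IOS netmask (ip route) or a wildcard mask (access-list):
    ipaddress recognises a host mask and inverts it for us."""
    return ipaddress.ip_network(f"{address}/{mask}")


def null_routed_prefixes(config):
    return {wildcard_to_network(net, mask) for net, mask in NULL_ROUTE_RE.findall(config)}


def acl_denied_sources(config, acl="2010"):
    return {wildcard_to_network(net, wild)
            for num, net, wild in ACL_DENY_SRC_RE.findall(config) if num == acl}


def audit_bogon_filters(config):
    """Cross-check the two lists and flag entries that are no longer reserved."""
    routes = null_routed_prefixes(config)
    acl = acl_denied_sources(config)
    # Merge adjacent reserved blocks (224/4 + 240/4 become 224/3) before testing coverage.
    reserved = list(ipaddress.collapse_addresses(IANA_SPECIAL_PURPOSE))
    still_reserved = lambda n: any(n.subnet_of(r) for r in reserved)
    return {
        "acl_only": sorted(str(n) for n in acl - routes),
        "route_only": sorted(str(n) for n in routes - acl),
        "allocated_since": sorted(str(n) for n in acl if not still_reserved(n)),
    }


if __name__ == "__main__":
    for key, prefixes in audit_bogon_filters(CONFIG_EXCERPT).items():
        print(f"{key:16} {prefixes}")
```

On the excerpt the only one-sided entries are 0.0.0.0/8 and 224.0.0.0/3 (denied in the ACL, never null-routed, which is expected since neither can be a useful destination), and 1.0.0.0/8 and 5.0.0.0/8 come back as allocated space that the template would wrongly drop.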

Friday, November 16, 2007

Cisco IOS: Cisco Tips and Tricks paper


I ran across this paper by Global Knowledge. It's good reading for "newbies" to the Cisco realm - it talks about many of the ways to make your router more efficient. I learned a couple new things from it myself.

Click here to check it out (PDF format)

Cisco IOS: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM


Network Diagram

This document uses this network setup:

[Network diagram IOSthinclient-1.gif not reproduced]

Configure the Thin-Client SSL VPN


Building configuration...

Current configuration : 4343 bytes
!
! Last configuration change at 15:55:38 UTC Thu Jul 27 2006 by ausnml
! NVRAM config last updated at 21:30:03 UTC Wed Jul 26 2006 by ausnml
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ausnml-3825-01
!
boot-start-marker
boot system flash c3825-adventerprisek9-mz.124-9.T.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$KbIu$5o8qKYAVpWvyv9rYbrJLi/
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
ip domain name cisco.com
!
voice-card 0
no dspfarm

!--- Self-Signed Certificate Information

crypto pki trustpoint ausnml-3825-01_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair ausnml-3825-01_Certificate_RSAKey 1024
!
crypto pki certificate chain ausnml-3825-01_Certificate
certificate self-signed 02
30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
!---------------------
!--- cut for brevity

quit
!
username ausnml privilege 15 password 7 15071F5A5D292421
username fallback privilege 15 password 7 08345818501A0A12
username austin privilege 15 secret 5 $1$3xFv$W0YUsKDx1adDc.cVQF2Ei0
username sales_user1 privilege 5 secret 5 $1$2/SX$ep4fsCpodeyKaRji2mJkX/
username admin0321 privilege 15 secret 5 $1$FxzG$cQUJeUpBWgZ.scSzOt8Ro1
!
interface GigabitEthernet0/0
ip address 192.168.0.37 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 172.22.1.151 255.255.255.0
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 172.22.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 100
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 40 0
privilege level 15
password 7 071A351A170A1600
transport input telnet ssh
line vty 5 15
exec-timeout 40 0
password 7 001107505D580403
transport input telnet ssh
!
scheduler allocate 20000 1000

!--- the WebVPN Gateway

webvpn gateway gateway_1
ip address 192.168.0.37 port 443
http-redirect port 80
ssl trustpoint ausnml-3825-01_Certificate
inservice

!--- the WebVPN Context

webvpn context webvpn
title-color #CCCC66
secondary-color white
text-color black
ssl authenticate verify all

!--- resources available to the thin-client

port-forward "portforward_list_1"
local-port 3002 remote-server "172.22.1.20" remote-port 110 description "Pop3 Email"
local-port 3001 remote-server "172.22.1.30" remote-port 23 description "Router1"
local-port 3000 remote-server "172.22.1.50" remote-port 25 description "Email"
local-port 3003 remote-server "172.22.1.10" remote-port 22 description "Router2 SSH"

!--- the group policy

policy group policy_1
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_2
gateway gateway_1 domain webvpn
max-users 2
inservice
!
end



Verify Your Configuration

Use this section to confirm that your configuration works properly.

  1. Use a client computer to access the WebVPN gateway at https://gateway_ip_address. Remember to include the WebVPN domain name if you create unique WebVPN contexts. For example, if you have created a domain called sales, enter https://gateway_ip_address/sales.

     [Screenshot IOSthinclient-16.gif not reproduced]

  2. Login and accept the certificate offered by the WebVPN gateway. Click Start Application Access.

     [Screenshot IOSthinclient-17.gif not reproduced]

  3. An Application Access screen displays. You can access an application with the local port number and your local loopback IP address. For example, to Telnet to Router 1, enter telnet 127.0.0.1 3001. The small Java applet sends this information to the WebVPN gateway, which then ties the two ends of the session together in a secure fashion. Successful connections can cause the Bytes Out and Bytes In columns to increase.

     [Screenshot IOSthinclient-18.gif not reproduced]

Commands

Several show commands are associated with WebVPN. You can execute these commands at the command-line interface (CLI) to show statistics and other information. To see the use of show commands in detail, refer to Verifying WebVPN Configuration.

Cisco IOS: Blocking Peer-to-Peer and Other Traffic of Interest


I don't even want it on my corporate network. It serves no business purpose, so why allow it? What am I talking about? Peer-to-peer file sharing applications and other traffic of interest that may compromise my security policy. Allowing P2P could very well be the fastest way to complete Network Death!

Using Cisco's NBAR you can snip off this traffic pattern easily, as well as things like jill.c, double-byte decode, SIPP attacks, Traversals and worms like Code-Red and Nimda, without breaking a sweat on your router.

Start by downloading the latest PDLMs from the Cisco website for maximum support of the latest P2P software and add them to your flash: file system.  Then declare them in your config: (note:  Not a complete list)

!
ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm
!

Next, enable both a Class Map to declare the traffic and a Policy map to drop the traffic.  Then finish by assigning the Service Policy to the interface.

!
class-map match-any nbar-discovery
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol printer
 match protocol http url "*cmd.exe*"
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent
!
policy-map ip-prec-marked
 class nbar-discovery
  drop
!
interface Serial0/1
 ip nbar protocol-discovery
 service-policy input ip-prec-marked

Done.

Cisco CAT: Speed Up Your Cisco Layer 2 Switch Configs


Everyone needs shortcuts, especially when there is a lot of work to do. Setting up your access-layer switches doesn't have to take more than a few commands to make the switch do just what you want it to do without sacrificing functionality or security. In an enterprise campus, there can be literally hundreds of access-layer switches functioning at layer 2 with VLANS and trunking and so on...so here are some shortcuts to speed up the time you take at each switch, and speed up the switch at the same time:

Scenario: Each access switch has already been set up with two trunk ports and one VLAN (we'll use VLAN 10 in our example for this specific switch). We need to assign all of the 10/100/1000 ports 1 - 48 to this VLAN and optimize the switch functionality at the same time with rapid spanning tree, optimal memory buffers and BPDU Guard or Filter for protection...so here goes:

AccessSW1(config)# spanning-tree mode rapid-pvst (enables rapid spanning tree, 802.1w)
AccessSW1(config)# spanning-tree portfast default (will enable portfast on all access ports only, trunks are unaffected)
AccessSW1(config)# spanning-tree bpduguard default (enables bpduguard as the default for all portfast ports)
AccessSW1(config)# sdm prefer vlan (optimizes memory buffers for layer 2 switching only)
AccessSW1(config)# interface range gigabitEthernet 0/1 - 48 (enters interface config mode on all 48 ports simultaneously)
AccessSW1(config-if-range)# switchport host (automatically sets the port as an access port, disables Etherchannel channeling and enables portfast, pretty cool shortcut command here...)
AccessSW1(config-if-range)# switchport access vlan 10 (assigns the 48 ports to the VLAN)

Of course this could easily be put into a text file and pasted into each switch as well. Save your configuration and you are all done. Simple shortcuts to save lots of time. :-)

Cisco IOS: Implementing Private VLANs - How They REALLY Work!


Tuesday, November 14, 2006 at 02:02PM
Mike Storm

One very functional layer 2 security mechanism that hardly anyone seems to understand is the use of Private VLANs. While simple in concept, the implementation of PVLANs can be difficult to grasp, especially in large, complex environments. The difficulty lies more in understanding how the components of PVLANs work together and in applying your scenario to the PVLAN configuration. This example presents a common scenario where PVLANs are applicable and puts to rest some of the confusion involved in configuring them accordingly.

In our example, our intention is to use PVLANs to help protect our DMZ Network from unauthorized traffic pairs and still allow public services to operate correctly.  A goal of the PVLAN is to reduce the possibility of trust exploitation, VLAN hopping, and double tagging attacks. One thing to remember is that PVLANs have been fully supported only on Cisco 4000 and 6000 series switches for a long time and most of the configuration documentation on Cisco's website is based on these two platforms. Today the full feature set is supported on 3560 and 3750 switches as well (Important for CCIE Security Lab). Other switch platforms, such as the 3550 series, will not carry a full feature set for PVLAN deployment.

PVLAN Background:
PVLANs provide layer 2 isolation between ports within the same broadcast domain. They can be configured on a Layer 2 or Layer 3 switch. PVLANs include three types of ports:
- Promiscuous ports can communicate with all interfaces.
- Isolated ports have complete Layer 2 separation from the other ports within the same PVLAN. Isolated ports can communicate only with promiscuous ports.
- Community ports communicate among themselves and with their promiscuous ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure.
A private VLAN uses VLANs in three ways:
- The primary VLAN carries traffic from promiscuous ports to isolated, community, and other promiscuous ports.
- An isolated VLAN carries traffic from isolated ports to promiscuous ports.
- A community VLAN carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a private VLAN.

The diagram below identifies how our scenario is set up, with a PIX/ASA device being used as the firewall (any stateful firewall can be used) creating a protected DMZ network, where our public access servers (bastion hosts) reside.

pvlan1.jpg

Goals of the Solution:

- 2 DNS servers must communicate with the Internet and each other for zone transfer
- 1 Web Server must communicate with the Internet and the SQL Server for content
- 1 SQL Server must communicate only with the Web server and an internal SQL source (protected by firewall rules)
- 1 SMTP Relay must communicate only with the Internet and the internal email stop
- 1 FTP Server must communicate only with the Internet

The first thing you must do is create the primary VLAN that will be used in the PVLAN scenario, together with the community and isolated VLANs, and then associate the secondary VLANs with the primary. VLAN 1 is not eligible as a primary VLAN. Note also that on a switch running VTP version 1 or 2 the switch must be in VTP transparent mode before the vlan commands below will accept the private-vlan keywords (VTP version 3 can carry private VLANs). The diagrams that follow show each step.

Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config-vlan)#exit

The diagram below shows the implementation of the Primary VLAN

pvlan2.jpg

The next step is to assign the PIX/ASA port to the primary VLAN as a promiscuous port and map it to every secondary VLAN. A secondary VLAN left out of the mapping cannot reach the firewall at all, so the mapping list must match the association list from the previous step.

Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86

The diagram below shows the implementation of the assignment.

pvlan3.jpg

The diagram below shows the implementation of Community VLAN 100 and the (additional) configuration that assigns the ports to the community VLAN. The ports must be placed in private-VLAN host mode, otherwise the host association is stored but never takes effect:
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

pvlan4.jpg

The diagram below shows the implementation of Community VLAN 200 and the (additional) configuration that assigns the ports to Community VLAN 200.
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

pvlan5.jpg

The diagram below shows the implementation of Isolated VLAN 86 and the related port assignment.
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86

pvlan6.jpg

After all of this has been implemented, your traffic pairs are controlled within the PVLAN environment: the two DNS servers share community VLAN 100, the Web and SQL servers share community VLAN 200, the SMTP relay and FTP server sit in isolated VLAN 86 and cannot reach each other, and every host can still reach the firewall on the promiscuous port. Verify the associations with show vlan private-vlan and show interfaces gig2/2 switchport before trusting the layout. The diagram below shows the final allowed traffic pairs.

pvlan7.jpg
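As an added example (not part of the original post), the following Python encodes the PVLAN forwarding rules described above and derives the allowed traffic pairs for this DMZ, so the result can be checked against the goals list without the diagram. The mapping of servers to ports (DNS on Gig2/2-3, Web and SQL on Gig2/4-5, SMTP relay and FTP on Gig2/6-7) is an assumption drawn from the goals, and the firewall is assumed to be the only promiscuous port.

```python
"""Private VLAN reachability model (added example, not the original post's code).

Encodes the layer 2 forwarding rules of Cisco private VLANs and applies them
to the DMZ above. Port roles follow the post; which server sits on which port
is an assumption taken from the goals list.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    interface: str
    mode: str                          # "promiscuous", "community" or "isolated"
    secondary: Optional[int] = None    # secondary VLAN for host ports


def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports of the same primary VLAN."""
    if "promiscuous" in (a.mode, b.mode):
        # The primary VLAN carries promiscuous traffic to every port,
        # and every host port may answer a promiscuous port.
        return True
    if a.mode == "community" and b.mode == "community":
        # Community ports reach each other only inside the same community VLAN.
        return a.secondary == b.secondary
    # Isolated ports never reach other host ports (not even each other).
    return False


# Assumed server-to-port mapping for the scenario (primary VLAN 10).
DMZ_PORTS: Dict[str, Port] = {
    "firewall": Port("Gig2/1", "promiscuous"),
    "dns1": Port("Gig2/2", "community", 100),
    "dns2": Port("Gig2/3", "community", 100),
    "web": Port("Gig2/4", "community", 200),
    "sql": Port("Gig2/5", "community", 200),
    "smtp": Port("Gig2/6", "isolated", 86),
    "ftp": Port("Gig2/7", "isolated", 86),
}

# The goals from the post as host-to-host pairs. Every host must also reach
# the firewall; any host pair not listed here is expected to be blocked.
MUST_TALK: List[Tuple[str, str]] = [("dns1", "dns2"), ("web", "sql")]


def allowed_pairs(ports: Dict[str, Port]) -> List[Tuple[str, str]]:
    """All unordered port pairs that can exchange frames."""
    return sorted((x, y) for x, y in combinations(sorted(ports), 2)
                  if can_talk(ports[x], ports[y]))


def check_goals(ports: Dict[str, Port], firewall: str = "firewall") -> List[str]:
    """Return the goal statements this layout violates (empty means it passes)."""
    problems = []
    hosts = [h for h in ports if h != firewall]
    for h in hosts:
        if not can_talk(ports[h], ports[firewall]):
            problems.append(f"{h}<->{firewall} should be allowed")
    for x, y in MUST_TALK:
        if not can_talk(ports[x], ports[y]):
            problems.append(f"{x}<->{y} should be allowed")
    for x, y in combinations(hosts, 2):
        expected = (x, y) in MUST_TALK or (y, x) in MUST_TALK
        if not expected and can_talk(ports[x], ports[y]):
            problems.append(f"{x}<->{y} should be blocked")
    return problems


if __name__ == "__main__":
    for pair in allowed_pairs(DMZ_PORTS):
        print("allowed:", *pair)
    print("violations:", check_goals(DMZ_PORTS) or "none")
```

Changing a single port's role in DMZ_PORTS (for instance moving the SQL server into the isolated VLAN) and re-running check_goals shows which stated goal the new layout breaks, which is the same question the final diagram answers.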

Cisco IOS: Throttling Bandwidth for Certain Internet Sites

Cisco Blog: Throttling Bandwidth for Certain Internet Sites

I was teaching a Quality of Service (QoS) course at Interface a few weeks back. One of my students asked an interesting question: Is it possible to use QoS to throttle bandwidth for just a few, a-typical "bandwidth hog" websites using only Cisco gear... You bet it is! ...and what a cool idea! We worked through the configuration on the whiteboard, and Mike Storm (a fellow instructor & friend) documented the process...here's what we came up with:

For the sake of all that is sacred....save us from the bandwidth thieves! YouTube, Google Video, MySpace....and others. All of them are to thank for our latest level of Internet bandwidth saturation. If it bothers you like it does me, why not do something about it. Save the Internet bandwidth for your business!! On a Cisco router, it is easy to recognize and limit this type of traffic by using Cisco Quality of Service, specifically NBAR and traffic policing components.

In my scenario I will be policing standard web traffic to 11 Mbps of our DS3 and the offending traffic (mentioned above) to just 64 kbps. Offending traffic will still flow (to save you from a freedom of speech lawsuit... yep, you heard me right), but it WILL be SLOOOOW...

Here is a sample config:

Start by creating your traffic classes. The class maps use NBAR (match protocol), so ip cef must be enabled, and the http url matches only see unencrypted HTTP; add any other non-offending protocols to the web-traffic class as needed.

!
class-map match-any web-traffic
 match protocol http
 match protocol secure-http
 match protocol ipsec
 match protocol dns
!
class-map match-any scum
 match protocol http url "*youtube*"
 match protocol http url "*video.google*"
 match protocol http url "*myspace*"
!

Next, create your policy maps to define the traffic parameters. Note the embedded (child) policy map for the scum traffic: it is nested inside the web-traffic class, so it must be defined before the parent policy references it. Queuing actions such as bandwidth are only accepted in output policies, so on this input policy the policers do all the work.

policy-map die-scum
 class scum
  police cir 56000 pir 64000 conform-action set-prec-transmit 0 exceed-action drop
!
policy-map inbound-internet
 class web-traffic
  police cir 10000000 pir 11000000 conform-action transmit exceed-action set-prec-transmit 0 violate-action drop
  service-policy die-scum
!

Finally, assign the service policy to your inbound interface:

interface serial1/0
 service-policy input inbound-internet

Bear in mind that an inbound policer drops packets after they have already crossed the DS3; the offending flows slow down because TCP backs off when it sees loss, not because the bits never arrived.
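To make the police lines concrete, here is an added example (not from the original post) that implements the two-rate, three-colour token-bucket marker behind police cir ... pir ... (RFC 2698, colour-blind mode) and runs the scum policer's parameters against a constructed packet stream. The burst sizes bc and be are parameters of the model; the 3000-byte values used below are assumptions, not IOS defaults.

```python
"""Two-rate three-colour policer (added example, not the original post's code).

Implements the RFC 2698 colour-blind marker that `police cir ... pir ...`
applies per packet: rates are bit/s and bursts are bytes, as on IOS.
Time is kept in integer milliseconds so the token arithmetic stays exact.
"""
from collections import Counter
from typing import Dict, List, Tuple


class TwoRatePolicer:
    def __init__(self, cir_bps: int, pir_bps: int, bc_bytes: int, be_bytes: int):
        self.cir = cir_bps / 8              # committed rate in bytes per second
        self.pir = pir_bps / 8              # peak rate in bytes per second
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.tp = float(bc_bytes), float(be_bytes)   # buckets start full
        self.last_ms = 0

    def police(self, size: int, now_ms: int) -> str:
        """Colour one packet of `size` bytes arriving at `now_ms`."""
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        # Refill both buckets for the time that passed, capped at their depth.
        self.tc = min(self.bc, self.tc + elapsed_ms * self.cir / 1000)
        self.tp = min(self.be, self.tp + elapsed_ms * self.pir / 1000)
        if size > self.tp:                  # over the peak rate
            return "violate"
        if size > self.tc:                  # within pir but over cir
            self.tp -= size
            return "exceed"
        self.tc -= size                     # within cir: charge both buckets
        self.tp -= size
        return "conform"


# Actions from the die-scum policy map above. The page sets no violate-action;
# since the exceed action is already drop, violating packets drop either way.
SCUM_ACTIONS = {"conform": "set-prec-transmit 0", "exceed": "drop", "violate": "drop"}


def simulate(policer: TwoRatePolicer, size: int, interval_ms: int, count: int,
             actions: Dict[str, str] = SCUM_ACTIONS) -> Tuple[Dict[str, int], List[str]]:
    """Offer `count` packets of `size` bytes every `interval_ms`; return the
    colour counts and the per-packet action the policy map would apply."""
    colours: Counter = Counter()
    applied: List[str] = []
    for i in range(count):
        colour = policer.police(size, i * interval_ms)
        colours[colour] += 1
        applied.append(actions[colour])
    return dict(colours), applied


if __name__ == "__main__":
    # 1000-byte packets every 100 ms = 80 kbit/s offered, above the 64 kbit/s pir.
    scum = TwoRatePolicer(cir_bps=56000, pir_bps=64000, bc_bytes=3000, be_bytes=3000)
    counts, actions = simulate(scum, size=1000, interval_ms=100, count=20)
    print(counts, actions.count("drop"), "dropped")
```

With the offered rate above pir, the model shows the committed bucket draining first (exceed), then the peak bucket (violate), and both recovering between bursts; lowering the offered rate below cir makes every packet conform, which is the behaviour the policer's "still flows, but slowly" promise relies on.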

Save the Bandwidth! =)

(originally posted on Mike Storm's blog at Interface)

Cisco IOS: Configuration Change Tracking...Built in?!?

Cisco Blog: Configuration Change Tracking...Built in?!?

For years, I have been relying on outside tools to track changes in running configurations on Cisco devices. One of my favorite (cheaper) tools has been Kiwi CatTools. However, recently someone turned me on to the fact that this functionality is BUILT-IN to the Cisco IOS! Here are the basics:

The feature is called Configuration Change Notification and Logging. It has been available since IOS 12.3(4)T/12.2(25)S (it has really gone mainstream in 12.4).

For each configuration command that is executed, the following information will be logged:

• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command

Pretty nice - and you can have this information stored in a local buffer or sent to a syslog server. Here's a configuration that will get you going:

Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (keeps the last 500 commands; the default is 100)
Router(config-archive-log-config)# hidekeys (masks passwords and keys in the log)
Router(config-archive-log-config)# notify syslog (optional - exports changes to your syslog server)

Because the local buffer is circular and is lost on reload, use notify syslog anywhere you care about the history. The change messages are emitted at severity 5 (notifications), so logging trap must be set to notifications or a more verbose level for them to reach the server, and hidekeys should be on before you forward anything.

Watch this: this is an example of what the logging looks like in action:

CH_NAME_RTR# show archive log config all
 idx   sess           user@line      Logged command
   1     1         jeremy@vty0     |  logging enable
   2     1         jeremy@vty0     |  logging size 200
   3     2         jeremy@vty0     |hostname CH_NAME_RTR
   4     2         jeremy@vty0     |enable secret *****
   5     2         jeremy@vty0     |interface FastEthernet0/0
   6     2         jeremy@vty0     | bandwidth 100000

The enable secret on entry 4 is masked because of the hidekeys command; the indentation on entries 1, 2 and 6 shows the submode the command was entered in.
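As an added example (not part of the original post), the Python below parses the output of show archive log config all, recovers which submode each indented command belongs to, and flags the kinds of change an operator would want paged about. The log text is constructed to look like the output above; the contractor session, the host 10.1.1.5 and the rule list are assumptions.

```python
"""Triage for `show archive log config all` output (added example, not the post's code).

Parses each logged entry, tracks the enclosing submode for indented commands,
and flags changes that weaken security. The sample log text is constructed to
mirror the format shown on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first six entries mirror the page, the rest are assumed.
SAMPLE_LOG = """\
CH_NAME_RTR# show archive log config all
 idx   sess           user@line      Logged command
   1     1         jeremy@vty0     |  logging enable
   2     1         jeremy@vty0     |  logging size 200
   3     2         jeremy@vty0     |hostname CH_NAME_RTR
   4     2         jeremy@vty0     |enable secret *****
   5     2         jeremy@vty0     |interface FastEthernet0/0
   6     2         jeremy@vty0     | bandwidth 100000
   7     3     contractor@vty1     |snmp-server community public RW
   8     3     contractor@vty1     |line vty 0 4
   9     3     contractor@vty1     | transport input telnet
  10     3     contractor@vty1     |no logging host 10.1.1.5
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+\|(.*)$")


@dataclass
class Entry:
    idx: int
    session: int
    user: str
    line: str
    command: str
    context: Optional[str]   # enclosing global command for submode entries


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_cfglog(text: str) -> List[Entry]:
    entries: List[Entry] = []
    parent: Optional[str] = None
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue                        # prompt, header or blank line
        body = m.group(5)
        command = body.strip()
        if body.startswith(" "):            # indented: entered inside a submode
            context = parent
        else:                               # global configuration mode
            context, parent = None, command
        entries.append(Entry(int(m.group(1)), int(m.group(2)), m.group(3),
                             m.group(4), command, context))
    return entries


# Patterns an operator would want to be alerted on (an assumed starter list).
RISKY = [
    (re.compile(r"^(enable (secret|password)|username )"), "credential changed"),
    (re.compile(r"^snmp-server community \S+.*\bRW\b"), "SNMP write community set"),
    (re.compile(r"^transport input .*\b(telnet|all)\b"), "cleartext management access enabled"),
    (re.compile(r"^no (logging|aaa |ip access-group|access-list|ip access-list)"),
     "logging or access control removed"),
]


def triage_cfglog(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for entry in parse_cfglog(text):
        for pattern, reason in RISKY:
            if pattern.search(entry.command):
                findings.append(Finding(entry, reason))
                break
    return findings


if __name__ == "__main__":
    for f in triage_cfglog(SAMPLE_LOG):
        where = f" (under '{f.entry.context}')" if f.entry.context else ""
        print(f"#{f.entry.idx} {f.entry.user}@{f.entry.line}: "
              f"{f.entry.command}{where} -> {f.reason}")
```

The submode tracking matters for the vty finding: "transport input telnet" is only interesting because it was entered under "line vty 0 4", and the user@line column tells you which session to go and look at.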

Cisco IOS: ZBF - Zone-Based Policy Firewall Design Guide

Zone-Based Policy Firewall Design Guide - Cisco Systems

Zone-Based Policy Firewall Design Guide

Cisco IOS Software Release 12.4(6)T introduced a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall zones until an explicit policy is applied to allow desirable traffic.

Nearly all firewall features implemented prior to Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface; supported features are as follows:

• Stateful packet inspection
• Application inspection
  - HTTP
  - Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)
  - Sun RPC
• VRF-aware Cisco IOS Firewall
• URL filtering
• Denial-of-service (DoS) mitigation

Zone-based policy firewall generally improves Cisco IOS performance for most firewall inspection activities.

The only Cisco IOS Firewall features that are not supported in zone-based policy firewall in Cisco IOS Software Release 12.4(6)T are as follows:

• Authentication proxy
• Stateful firewall failover
• Unified firewall MIB



Thursday, November 15, 2007

Cisco IOS: Base Security Config


Base Security Config


Ever wanted a config you could paste into your router that meets most of your security needs, disables the services you need disabled and enables most of the services you need enabled? I keep a base config in a .txt file that I copy and paste into a newly booted router so that I don't have to retype all that stuff over and over again. I will post it here so that you can do the same. Please note that this is not an all-encompassing config; there are other services you may need to enable depending on the functions the router is providing and the area of the network the router is being deployed in. For instance, if it's an Internet-facing router, I would recommend in most cases that you enable ZBF on the router. Two things to adjust before pasting: the enable secret line needs your own hash, and the vty lines below still accept telnet alongside SSH, so once you have generated an RSA key pair and enabled SSH, change transport input to ssh only. Use this config as a starting point.


no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
ip cef
ip tcp synwait-time 5
ip spd mode aggressive
login block-for 300 attempts 3 within 60
login delay 5
login on-failure log every 5
login on-success log every 5
no cdp run
no ip bootp server
no ip http server
no ip finger
clock timezone CST -6
clock summer-time CDT recurring
no ip source-route
no ip gratuitous-arps
no ip identd
no ip domain-lookup
logging facility local2
logging trap debugging
logging console critical
logging buffered 4096
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5
!
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
int FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
load-interval 30
carrier-delay msec 0
!
banner motd #
***********************************************************************************
You have entered $(hostname).$(domain) on line $(line).This host is the property of ABC Company, and is for authorized use only.Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Use of this system constitutes consent to monitoring, recording, auditing, inspection, and disclosure at the discretion of <name>
***********************************************************************************
!
line con 0
session-timeout 15
exec-timeout 30 0
logging synchronous
transport output telnet
!
line aux 0
no exec
!
line vty 0 4
session-timeout 15
exec-timeout 30 0
logging synchronous
transport input telnet ssh
transport output none
session-disconnect-warning 180
exec prompt timestamp
!
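As an added example (not part of the original post), the following Python audits a pasted config against a checklist drawn from the template above. It reports required hardening lines that are missing, global lines that silently override an earlier one (IOS applies commands in order, so a later ip http server cancels an earlier no ip http server) and vty lines that still accept telnet. The checklist is a short assumed subset of the template, and the sample config is constructed to contain each kind of problem.

```python
"""Baseline audit for a pasted IOS config (added example, not the post's own code).

Checks three things a practitioner wants before pasting a template:
required hardening lines present, no later global line undoing an earlier
one, and no vty line still accepting telnet. The checklist is an assumed
subset of the page's template; the sample config is constructed.
"""
from typing import Dict, List, Tuple

# Assumed checklist: a line passes if it matches exactly or with arguments.
REQUIRED = [
    "no service pad",
    "no ip bootp server",
    "service tcp-keepalives-in",
    "service password-encryption",
    "no ip source-route",
    "no cdp run",
    "ip http secure-server",
    "login block-for",
]

# Constructed sample: two checklist lines missing, one override, telnet on vty.
SAMPLE_CONFIG = """\
no service pad
service password-encryption
no ip http server
no cdp run
no ip source-route
login block-for 300 attempts 3 within 60
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 30 0
"""


def _present(line: str, required: str) -> bool:
    return line == required or line.startswith(required + " ")


def _key(line: str) -> Tuple[str, bool]:
    """Normalise a global line to (feature, enabled) so `no X` and `X` collide."""
    if line.startswith("no "):
        return line[3:], False
    return line, True


def audit(config: str, required: List[str] = REQUIRED) -> Dict[str, list]:
    lines = config.splitlines()
    # Global-mode lines only: submode lines are indented, "!" is a separator.
    global_lines = [(n, l) for n, l in enumerate(lines, 1)
                    if l.strip() and not l.startswith((" ", "!"))]

    missing = [req for req in required
               if not any(_present(l, req) for _, l in global_lines)]

    overrides = []   # (later_no, later_line, earlier_no, earlier_line)
    seen: Dict[str, Tuple[int, str, bool]] = {}
    for n, l in global_lines:
        feature, enabled = _key(l)
        if feature in seen and seen[feature][2] != enabled:
            overrides.append((n, l, seen[feature][0], seen[feature][1]))
        seen[feature] = (n, l, enabled)

    telnet_vty = []
    in_vty = False
    for n, l in enumerate(lines, 1):
        if not l.startswith(" "):
            in_vty = l.startswith("line vty")
            continue
        words = l.split()
        if (in_vty and words[:2] == ["transport", "input"]
                and {"telnet", "all"} & set(words[2:])):
            telnet_vty.append((n, l.strip()))

    return {"missing": missing, "overrides": overrides, "telnet_vty": telnet_vty}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(kind, item)
```

Run it over the running-config after pasting (show running-config copied into a file) rather than over the template alone: the override check is most useful when the template meets lines that were already on the box.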


********
As a follow-up I received an email from Kevin Downes, CCIE# 1987, and Kevin provided a MOTD banner that he typically uses and that I really like, so I thought I would post it here:


**********Warning**********
You have accessed a private computer system. This system is for authorized use only and user activities are monitored and recorded by company personnel. Unauthorized access to or use of this system is strictly prohibited and Constitutes a violation of federal, state criminal, and civil laws, including Title 18, Section 1030 of the United States Code and applicable international laws. Violators will be prosecuted to the fullest extent of the law.By logging on you certify that you have read and understood these terms and that you are authorized to access and use this system.


Cisco IOS: Measuring Latency on IOS Routers


Measuring Latency on IOS Routers


Have you ever needed to measure the throughput between two routers on your network and needed a tool that could give you the statistics? Look no further than your very own IOS router. Since IOS 11.2, Cisco routers have carried a built-in Test TCP utility (the ttcp exec command, which is hidden from the command-line help and not officially supported) that lets you measure TCP throughput across an IP path. Despite this post's title, it measures throughput rather than latency, although a long round-trip time shows up as lower throughput for a given window size. To use it, start the receiver on one side of the path, then start the transmitter on the other side. The transmitting side sends a specified number of TCP buffers to the receiving side. At the end of the test, the two sides display the number of bytes transmitted and the time elapsed, and from those figures you calculate the actual throughput of the path. Because the router generates and sinks the traffic itself, the test loads its CPU and reflects the router's own TCP stack rather than a host's, so run it outside production hours. A detailed sample usage guide can be found at the following location:


http://www.cisco.com/warp/public/471/ttcp.html


Cisco IOS: IP SLA monitor to monitor DMVPN


Can I use IP SLA to monitor DMVPN


This may be a very useful tool for troubleshooting general VPN issues where the underlying IP transport may be unreliable. The router sends periodic IP SLA probes, in this case UDP echo packets, which are less likely to be dropped than pings, to the peer (the DMVPN hub, for example) outside of the tunnel, giving you any-to-any IP keepalives. The probes are tied to EEM either through a track object or by polling the IP SLA SNMP MIB, and EEM writes notification messages to syslog, so you would see something like this:


Jul 12 14:21:02.159: %HA_EM-6-LOG: ipsladown: IP SLA probe failed!
Jul 12 14:22:27.159: %HA_EM-6-LOG: ipslaup: IP SLA probe came up!


The configurations follow, in three variants: 12.4 and 12.4T syntax with EEM polling the SNMP MIB, and 12.4T with a track object. The SNMP-polling variants depend on the snmp-server community line; "public" there is a placeholder, so pick a non-default string and restrict it with an access list, or use the track-object variant, which needs no SNMP at all.





12.4 using EEM triggered on SNMP MIB
====================================

initiator
---------
ip sla monitor 10
type udpEcho dest-ipaddr 14.1.23.46 dest-port 1501 source-ipaddr 14.1.21.146 source-port 1501 control disable
timeout 1000
frequency 5
ip sla monitor schedule 10 life forever start-time now
!
snmp-server community public RO
!
event manager applet ipsladown
event snmp oid rttMonCtrlOperTimeoutOccurred.10 get-type exact entry-op eq entry-val 1 exit-op eq exit-val 2 poll-interval 5
action 1.0 syslog msg "IP SLA probe failed!"
event manager applet ipslaup
event snmp oid rttMonCtrlOperTimeoutOccurred.10 get-type exact entry-op eq entry-val 2 exit-op eq exit-val 1 poll-interval 5
action 1.0 syslog msg "IP SLA probe came up!"
!


responder
---------
ip sla monitor responder
ip sla monitor responder type udpEcho ipaddress 14.1.23.46 port 1501


12.4T using EEM triggered on SNMP MIB
=====================================

initiator
---------
ip sla 10
udp-echo 14.1.23.46 1501 control disable
timeout 1000
frequency 5
ip sla schedule 10 life forever start-time now
snmp-server community public RO
!
event manager applet ipsladown
event snmp oid rttMonCtrlOperTimeoutOccurred.10 get-type exact entry-op eq entry-val 1 exit-op eq exit-val 2 poll-interval 5
action 1.0 syslog msg "IP SLA probe failed!"
event manager applet ipslaup
event snmp oid rttMonCtrlOperTimeoutOccurred.10 get-type exact entry-op eq entry-val 2 exit-op eq exit-val 1 poll-interval 5
action 1.0 syslog msg "IP SLA probe came up!"
!

responder
---------
ip sla responder
ip sla responder udp-echo ipaddress 14.1.23.46 port 1501


12.4T using track object
========================

initiator
---------
track 1 rtr 10
!
ip sla 10
udp-echo 14.1.23.46 1501 source-ip 14.1.21.146 source-port 1501 control disable
timeout 1000
frequency 5
ip sla schedule 10 life forever start-time now
!
event manager applet ipsladown
event track 1 state down
action 1.0 syslog msg "IP SLA probe failed!"
event manager applet ipslaup
event track 1 state up
action 1.0 syslog msg "IP SLA probe came up!"


responder
---------
ip sla responder
ip sla responder udp-echo ipaddress 14.1.23.46 port 1501





Cisco IOS: Log the NTP events


Cisco IOS hints and tricks: Log the NTP events



Log the NTP events

I almost started writing an EEM applet that would detect and log the changes in the router's system time caused by NTP synchronizations, but then I decided to check the IOS documentation first ... and found the ntp logging command, available from IOS release 12.3(7)T.


For example, if you configure ...



rtr(config)#ntp logging
rtr(config)#ntp server 172.16.0.12

... the router will generate the following syslog messages when it synchronizes its time with the NTP server:
%NTP-6-RESTART: NTP process starts
%SYS-6-CLOCKUPDATE: System clock has been updated from 17:06:03 UTC Fri Mar 30 2007 to 17:04:07 UTC Fri Mar 30 2007, configured from NTP by 172.16.0.12.
%NTP-5-PEERSYNC: NTP synced to peer 172.16.0.12

Cisco IOS 12.4 T Feature Guides


Cisco IOS Software Releases 12.4 T Feature Guides - Cisco Systems