CCNA-SEC Lec#7 | All about IPSec

What is IPsec?
The IPsec (Internet Protocol Security) protocol suite is a set of network security protocols developed to secure network traffic by establishing encrypted tunnels between two or more endpoints across a public network.
IPsec provides the core benefits of confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or a pre-shared key (PSK).
IPsec Goals
The goals can be described as follows:
Confidentiality: provided through encryption, which turns clear text into cipher text.
Data integrity: provided through hashing and/or a Hashed Message Authentication Code (HMAC) to verify that data has not been manipulated during its transit across the network.
Authentication: provided by authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to the two ends of the VPN.
Antireplay protection: when VPNs are established, the peers can sequentially number the packets; if a packet is replayed (perhaps by an attacker), it is not accepted, because the VPN device knows it has already processed that packet.
Internet Key Exchange (IKE) Protocol

IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access VPN tunnels.
Internet Key Exchange (IKE) is the protocol used to set up IPsec Security Associations (SAs) by defining security attributes such as the encryption key, the encryption algorithm and the mode between IPsec peers.
A Security Association (SA) is a one-way virtual tunnel between the two endpoint peers. Thus, for full communication to occur, two SAs must be established, one for each direction.

The establishment of an IPsec connection takes place in two phases, called IKE phases:
■ IKE Phase 1: The two endpoints authenticate one another and negotiate keying material. This results in an encrypted tunnel used by Phase 2 for negotiating the ESP security associations.
■ IKE Phase 2: The two endpoints use the secure tunnel created in Phase 1 to establish the IPsec tunnel (IPsec SA), which is used to secure the actual user data passed between the two endpoints.
IKE relies on ISAKMP to establish an initial secure channel over which the IPsec tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP session (typically called an IKE SA), including the encryption type and hashing methods.
At IKE Phase 1, five basic items need to be agreed upon between the two VPN endpoint peers:
■ Encryption algorithm: this could be AES, DES or 3DES.
■ Hash algorithm: this could be MD5 or SHA.
■ Diffie-Hellman (DH) group to use: for creating and sharing keys.
■ Authentication method: this could be a pre-shared key (PSK) or RSA signatures.
■ SA lifetime: how long until this IKE Phase 1 tunnel should be torn down.
IKE Phase 1 negotiation can happen in two modes: Main Mode, which is slower but more secure, or Aggressive Mode, which is faster but less secure.
There are two primary methods for implementing the encapsulation of the IPsec header:
■ Authentication Header (AH)
■ Encapsulating Security Payload (ESP)
Authentication Header (AH)
– IPsec uses the Authentication Header (AH) to provide data integrity, authentication and anti-replay functions for an IPsec VPN. AH does NOT provide any data encryption at all.
– AH uses a hash algorithm to compute a hash value over both the payload and the header of a packet. This makes AH incompatible with NAT: NAT changes the IP header of a packet during translation, so the receiving device believes the packet has been altered in transit and rejects it.
Encapsulation Security Payload (ESP)
– IPsec uses ESP (Encapsulating Security Payload) to provide data integrity, encryption, authentication and anti-replay functions for an IPsec VPN.
– ESP uses a hash algorithm to compute a hash value over the payload only, not including the IP header of the packet, which makes it compatible with NAT.

ESP is more widely deployed than AH, because ESP provides all the benefits of IPsec: confidentiality, integrity, authentication and replay-attack protection.
IPsec Modes
IPsec uses two modes of encapsulation: tunnel mode and transport mode.
– If IPsec tunnel mode is used, both the original IP header and the payload are encrypted, and a new IP header is added.
– When transport mode is used, only the packet payload is encrypted and the original IP header is left intact.
First, let's have a look at AH and ESP and how they treat the original IP packet.
And now about how those IP protocols fit in the two modes.

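As an added example (not part of the lecture), the five Phase 1 attributes, the pre-shared key and a Phase 2 ESP tunnel-mode transform set described above, written as a Cisco IOS site-to-site configuration for one peer. Addresses, object names and the PSK are assumed placeholders, and the example assumes an IOS 15.x release that supports AES-256, SHA-256 and DH group 14.

```cisco
! Added example (not from the lecture): site-to-site IPsec on router R1.
! Assumed addressing: R1 outside 198.51.100.1, peer R2 outside 203.0.113.2,
! protected LANs 10.1.1.0/24 (behind R1) and 10.2.2.0/24 (behind R2).
!
! --- IKE Phase 1 (ISAKMP policy): the five attributes negotiated with the peer
! encryption algorithm, hash algorithm, authentication method, DH group, SA lifetime (seconds)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the peer address. "0" means the key is entered in clear text.
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! --- IKE Phase 2 (IPsec SA): ESP gives encryption plus integrity/authentication.
! Unlike AH it survives NAT, because the outer IP header is not covered by the hash.
! Tunnel mode: the original IP header is encrypted and a new header is added.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector: only traffic between the two LANs is sent through the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties peer, transform set and traffic selector together;
! "set pfs" forces a fresh DH exchange for the Phase 2 keys.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
!
! Verification after sending traffic between the LANs:
!   show crypto isakmp sa    -> the Phase 1 SA in state QM_IDLE
!   show crypto ipsec sa     -> the Phase 2 SAs (one per direction) with encaps/decaps counters
```

The peer needs the mirror image: the same ISAKMP policy, the same PSK bound to 198.51.100.1, and a traffic selector with source and destination LANs swapped; if only Phase 1 comes up, the mismatch is almost always in the transform set or the ACLs.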

In the next lecture we will go deeper into IPsec configuration and troubleshooting. See you!
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#6 | Fundamentals of VPN and Cryptography “Part-2”

Following what we started in the previous lecture about the main guidelines of cryptography, we are about to discuss hashing and authentication techniques and algorithms.
Let's start.
Hashing Algorithms
As mentioned before, hashing is a function used to achieve data integrity, which can be defined as ensuring that data is not tampered with or altered during transmission.
The main idea of hashing is a process that takes a block of data, runs a defined algorithm on it to create a small fixed-size hash value, then attaches that value to the block of data and transmits it.
This means that if two different computers (transmitter and receiver) take the same data and run the same hash function, they should get the same fixed-size hash value.
Using a hash to verify integrity means the sender runs a hash algorithm on each packet and attaches that hash to the packet. The receiver runs the same hash against the packet and compares its result against the result the sender had (which was attached to the packet as well). If the hash generated matches the hash that was sent, we know that the entire packet is intact. If a single bit of the hashed portion of the packet is modified, the hash calculated by the receiver will not match, and the receiver will know that the packet had a problem, specifically with its integrity.
The three most popular types of hashes are as follows:
■ Message Digest 5 (MD5): creates a 128-bit digest.
■ Secure Hash Algorithm 1 (SHA-1): creates a 160-bit digest.
■ Secure Hash Algorithm 2 (SHA-2): options include digests between 224 bits and 512 bits.

Hashed Message Authentication Code (HMAC)
Hashed Message Authentication Code (HMAC) uses the hashing mechanism, but instead of using a hash that anyone can calculate, it includes a secret key in the calculation. Only the other party who also knows the secret key can calculate the resulting hash and therefore verify it. When this mechanism is used, an attacker who is eavesdropping and intercepting packets cannot inject or remove data from those packets without being noticed, because he cannot recalculate the correct hash for the modified packet without the key or keys used for the calculation.
Authentication Algorithms
It is about how to confirm the identity of the host sending data, using pre-shared keys or RSA digital signatures to authenticate the peer at the other end of the VPN tunnel.

■ Pre-shared key
A pre-shared key is a character string agreed in advance between both parties and used as the authentication key of the session. A pre-shared key is an example of symmetric cryptography, as the key is the same on both sides.


The 0 before the pre-shared key specifies that the key is entered, and stored, in clear text rather than encrypted.
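As an added example (not from the lecture), the clear-text key line referred to above next to the IOS commands that make the stored key unreadable in the configuration. The peer address and key strings are assumed placeholders; type 6 encryption assumes an IOS release that supports `password encryption aes`.

```cisco
! Added example (not from the lecture). Assumed peer 203.0.113.2; keys are placeholders.
!
! "0" = the key is typed in clear text. Without further steps it is also stored
! in clear text, so "show running-config" and every backup of it reveal the PSK.
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Type 6 (AES) key encryption: define a master key (kept in private NVRAM, not in
! the configuration), then turn on AES encryption of the configured keys.
key config-key password-encrypt REPLACE-WITH-MASTER-KEY
password encryption aes
!
! From now on the running configuration shows the PSK as type 6 ciphertext, e.g.
!   crypto isakmp key 6 <ciphertext> address 203.0.113.2
! Losing the master key makes all type 6 keys unrecoverable, so keep it in a vault.
```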

■ RSA Digital Signatures
A signature scheme consists of three related operations:
• Key pair generation produces a public/private key pair.
• Signature operation produces a signature for a message with a private key.
• Verification operation checks a signature with a public key.

Key Management
As made clear in our long discussion about the world of cryptography, the key is one of the most important players here. We have symmetric keys that can be used with symmetric algorithms such as hashing and encryption, and we have asymmetric keys, such as public/private key pairs, that can be used with asymmetric algorithms such as digital signatures, among other things.

A key pair is a set of two keys that work in combination with each other as a team. In a typical key pair, you have one public key and one private key. The public key may be shared with everyone, and the private key is not shared with anyone.

For example, if we use the public key to encrypt data with an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
Diffie-Hellman (DH)

Diffie-Hellman key exchange is a cryptographic protocol for securely establishing encryption keys over an insecure communications channel; it can be used to dynamically generate symmetric keys to be used by symmetric algorithms.
Diffie-Hellman groups determine the strength of the key used in the Diffie-Hellman key exchange process. Higher Diffie-Hellman group numbers are more secure, but higher groups require additional processing resources to compute the key. Below are some examples of DH groups:
Group 1 – 768 bits
Group 2 – 1024 bits
Group 5 – 1536 bits
Group 14 – 2048 bits
Group 16 – 4096 bits
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#5 | Fundamentals of VPN and Cryptography

As mentioned in our previous lectures, the main objective of any security model is to achieve the three essential targets of confidentiality, data integrity and authentication.
So, a virtual private network (VPN) is considered a security deployment framework.
What is a VPN?
A VPN allows a logical connection between two devices over a wide-area network (WAN), using the Internet as a transport mechanism.
Types of VPNs:
There are two major categories into which VPNs can be placed:
■ Remote-access VPNs: some users might need to build a VPN connection from their individual computer to the corporate headquarters. Remote-access VPNs can use IPsec or Secure Sockets Layer (SSL) technologies.
■ Site-to-site VPNs: the other main VPN implementation is used by companies that have two or more sites that they want to connect securely, so that each site can communicate with the other site or sites. This implementation is called a site-to-site VPN. Site-to-site VPNs traditionally use the collection of VPN technologies called IPsec.
There are two technology types for implementing a VPN with its security features:
■ IPsec: implements security of IP packets at Layer 3 of the OSI model, and can be used for site-to-site VPNs and remote-access VPNs.

■ SSL: Secure Sockets Layer implements security of TCP sessions over encrypted SSL tunnels, and it can be used for remote-access VPNs (as well as for securely visiting a web server that supports it via HTTPS).
Cryptography Basic Components

Before discussing the cryptography components, let's have a look at the three essential targets of any security model: confidentiality, data integrity and authentication.

■ Confidentiality
It means that only the intended parties can understand the data that is sent; encryption algorithms are used to prevent the theft of data.
■ Data Integrity
It is about ensuring that data is not tampered with or altered during transmission, using a hashing algorithm to make sure the data sent is accurate from end to end.
■ Authentication
It confirms the identity of the host sending data, using either pre-shared keys or RSA digital signatures to authenticate the peer at the other end of the VPN tunnel.

All of us now know that confidentiality is a function of encryption, data integrity is a function of hashing, and authentication is the process of proving the identity of the other side of the tunnel. Now it is time to take a look at how those methods are implemented and the choices you have for each.

Encryption Algorithms
Encryption is the process of converting a plain-text message into cipher text, which can be decoded back into the original message. An encryption algorithm along with a key is used in the encryption and decryption of data.
The type and length of the keys depend upon the encryption algorithm and the amount of security needed. In symmetric encryption, a single key is used to both encrypt and decrypt the data.
In asymmetric encryption, the encryption key and the decryption key are different: one is a public key with which the sender can encrypt the message, and the other is a private key with which the recipient can decrypt the message.
Symmetric encryption Algorithms
Symmetric encryption algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers) and encrypt them as a single unit.
Common examples of symmetric encryption algorithms include the following:
Advanced Encryption Standard (AES): it is also known as Rijndael, and it is a block cipher.

Digital Encryption Standard (DES): a block cipher with a 64-bit block size that uses a 56-bit key.
Triple Digital Encryption Standard (3DES): it uses a 64-bit key; the idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys.
Blowfish: Blowfish has a 64-bit block size and a variable key length, from 32 bits to 448 bits.
International Data Encryption Algorithm (IDEA): it uses a 128-bit key. This key length makes it impossible to break by simply trying every key.
Asymmetric encryption Algorithms
Asymmetric algorithms (public key algorithms) use different keys for encryption and decryption. Instead of using the same key for both operations, we use two different keys that mathematically work together as a pair; let's call these the public key and the private key.
Examples of asymmetrical algorithms include the following:

• RSA (Rivest-Shamir-Adleman): the most commonly used public key encryption algorithm. The key length may be from 512 to 2048 bits, and a minimum size for good security is at least 1024 bits.
• Diffie-Hellman (DH): DH is an asymmetric algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network. The interesting thing about DH is that although the algorithm itself is asymmetric, the keys generated by the exchange are symmetric keys that can then be used with symmetric algorithms.

• Digital Signature Algorithm (DSA)

Finally, asymmetric algorithms require more CPU processing power than symmetric algorithms, while asymmetric algorithms are more secure than symmetric ones.
In our next lecture we will continue with the rest of the cryptography basic components, such as hashing algorithms and the techniques used to achieve authentication.
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#4 | Securing Data Plane

After finishing the discussion of securing the management plane and the control plane in the two previous lectures, we are about to discuss how to protect the data plane, completing our coverage of the Network Foundation Protection (NFP) framework.
What is the data plane?

The data plane is the part of a router/switch responsible for handling traffic that is being forwarded through the network (sometimes called transit traffic), so the data plane is sometimes called the forwarding plane.
The data plane is in charge of forwarding traffic to the next hop along the path to the selected destination network, according to the control plane's logic.
Actually, the routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets.
A failure of some component in the data plane results in the customer's traffic not being forwarded. At other times, based on policy, you might want to deny specific types of traffic traversing the data plane.


Securing the Data plane
Now we are about to cover the methods available for implementing policy related to traffic allowed through network devices (transit traffic).
As mentioned, for the data plane this discussion concerns traffic that is going through your network device.
There are several ways to control and protect the data plane:

■ Access control lists (ACLs) used for filtering
ACLs are used to secure the data plane in a variety of ways, such as blocking unwanted traffic or users, reducing the chance of DoS attacks, mitigating spoofing attacks and providing bandwidth control.

■ Antispoofing
IP spoofing is a technique of generating IP packets with a source address that belongs to someone else.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
■ Port security
Port security prevents MAC address spoofing and MAC address flooding attacks. Flooding occurs when a switch has no more room in its tables for dynamically learned MAC addresses; the switch may then not know the destination Layer 2 address (for the user's frames) and forwards the frame to all devices in the same VLAN, which might give the attacker the opportunity to eavesdrop.
■ DHCP Snooping
DHCP snooping enables the switch to listen in on DHCP traffic and stop any malicious DHCP packets. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks.
For more information about this feature and how to implement it, you can refer to the link below.
■ Dynamic ARP inspection (DAI)
It can protect against Address Resolution Protocol (ARP ) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC address mapping information), and resulting Layer 2 man-in-the-middle attacks.
DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database “DHCP snooping binding database”.

■ IP source Guard
This feature helps to prevent IP spoofing, which is when an attacker claims the IP address of a server or device on your network. By pretending to be that device, the attacker could potentially direct sensitive data towards the port he is connected to.
IP Source Guard relies on the switch's knowledge of DHCP-assigned host addresses (the DHCP snooping binding database) in order to validate and restrict spoofed source addresses.
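As an added example (not from the lecture), the data-plane controls listed above combined on an access switch and an edge router: DHCP snooping feeding DAI and IP Source Guard, port security on the user ports, and an antispoofing ACL with uRPF on the Internet-facing interface. VLAN, port and address assignments are assumed placeholders.

```cisco
! Added example (not from the lecture). Assumed topology: user VLAN 10; Gi0/1 is
! the uplink toward the legitimate DHCP server; Gi0/2-24 are user access ports;
! on router R1, Gi0/0 faces the Internet and 10.0.0.0/8 is the internal range.
!
! ===== Access switch: DHCP snooping, DAI, IP Source Guard, port security =====
ip dhcp snooping
ip dhcp snooping vlan 10
! DAI validates ARP against the binding table that DHCP snooping builds,
! and additionally checks that the MAC addresses inside ARP match the frame.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink toward the DHCP server (trusted: snooping and DAI are not applied)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 description User access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip verify source
!
! Notes on the access-port lines:
! - limit rate (pps): exceeding it err-disables the port, stopping DHCP/ARP floods.
! - port-security maximum 2 / violation restrict: a third MAC is dropped and counted
!   instead of shutting the port down (a phone + PC chain keeps working).
! - ip verify source: IP Source Guard drops packets whose source IP does not match the
!   DHCP snooping binding for that port; "ip verify source port-security" adds a MAC check.
!
! ===== Edge router: antispoofing ACL and uRPF on the Internet-facing interface =====
ip access-list extended ANTISPOOF-IN
 remark packets from the Internet must not claim internal or reserved source addresses
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip access-group ANTISPOOF-IN in
 ip verify unicast source reachable-via rx
!
! Strict uRPF (reachable-via rx) drops a packet when the best route back to its
! source is not through this interface; on links with asymmetric routing use
! "reachable-via any" (loose mode) instead, or legitimate traffic is dropped.
!
! Verification:
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
!   show ip verify source
!   show port-security interface GigabitEthernet0/2
!   show ip interface GigabitEthernet0/0 | include verify
```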
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#3 | Securing Control Plane

In this lecture we will discuss how to secure the control plane, after finishing "Securing the Management Plane" in the previous lecture.
Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself.
From the perspective of the network device,control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP).
So, the crucial issue in protecting the control plane is minimizing the CPU load as much as we can.
Some of the packets and traffic handled by the CPU:
■ Receive adjacency traffic: this covers any IP address that requires direct handling by the Cisco device CPU, which is referred to by the term receive in the show ip cef command-line interface (CLI) output.

■ Access control list (ACL) logging:
The log and log-input options apply to ACL entries and cause packets that match the ACL entry to be logged.

■ Unicast Reverse Path Forwarding (URPF):
A security feature that works by enabling a router to verify the reachability of the source address in packets being forwarded.

■ IP options:
Any IP packets with options included must be processed by the CPU.

■ Fragmentation:
Any IP packet that requires fragmentation must be passed to the CPU for processing.

■ Time-To-Live (TTL) expiry:
Packets that have a TTL value less than or equal to 1.

■ Traffic requiring an ARP request:
Destinations for which an ARP entry does not exist require processing by the CPU.

■ Non-IP traffic:
All non-IP traffic is processed by the CPU.

Through the use of control plane policing (CoPP) and control plane protection (CPPr) we can secure the control plane.
Control Plane Policing (CoPP):
It's a feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices.
Control plane policing is performed through the use of granular classification ACLs, and the show policy-map control-plane command displays the applied policy.
Benefits of Control Plane Policing
Configuring the Control Plane Policing feature on your Cisco router or switch provides the following benefits:
• Protection against DoS attacks at infrastructure routers and switches.
• QoS control for packets that are destined to the control plane of Cisco routers or switches.
• Ease of configuration for control plane policies.
• Better platform reliability and availability.
In the example below, only BGP and OSPF are permitted to reach the Cisco device CPU, and any IP packet with a TTL less than 2 is discarded.
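The lecture's configuration image is not on this page; the following is an added example of a CoPP policy with that intent, not the author's own configuration. It assumes BGP and OSPF are the routing protocols in use, and it deliberately rate-limits class-default instead of dropping it, so that SSH, SNMP and ICMP to the device keep working.

```cisco
! Added example (not the lecture's own configuration).
!
! Classification ACLs. In CoPP a "permit" entry means "this packet belongs to
! the class"; whether it is transmitted or dropped is decided in the policy-map.
ip access-list extended COPP-ROUTING
 remark BGP (either side may open the TCP session) and OSPF
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
ip access-list extended COPP-TTL-EXPIRY
 remark packets whose TTL is about to expire are punted to the CPU
 permit ip any any ttl lt 2
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-TTL-CLASS
 match access-group name COPP-TTL-EXPIRY
!
! Policy: TTL-expiry traffic is dropped outright; routing protocols are policed
! but never dropped (exceed-action transmit), so the policer only counts and
! a rate can be tuned once the baseline is known; everything else shares a
! small budget (bps) and is dropped above it.
policy-map COPP-POLICY
 class COPP-TTL-CLASS
  drop
 class COPP-ROUTING-CLASS
  police 512000 conform-action transmit exceed-action transmit
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! Apply to the aggregate control-plane interface
control-plane
 service-policy input COPP-POLICY
!
! Caveat: dropping TTL-expiry packets also stops the router from sending ICMP
! time-exceeded replies, so traceroute through it shows this hop as "* * *".
!
! Verification: per-class packet counters show what actually reaches the CPU
!   show policy-map control-plane
```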
Control Plane Protection (CPPr):
The Control Plane Protection feature is an extension of the policing functionality provided by the existing Control-plane Policing feature. The Control-plane Policing feature allows Quality of Service (QoS) policing of aggregate control-plane traffic destined to the route processor.

Additionally , the CPPr feature provides the following:

• Port-filtering feature: enables the policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
• Queue-thresholding feature: limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.
For more details about this technique, you can refer to below link.

By: Hatem Farag | CCIE#54446


CCNA-SEC Lec#2 | Securing Management Plane

In this lecture we will discuss NFP in more detail and how to secure the three planes: the management plane, control plane and data plane.
As discussed in the previous lecture, Cisco NFP (Network Foundation Protection) is a framework that provides the technologies and tools to protect different types of network traffic; Cisco has classified the different types of network traffic as different planes of communication. Cisco NFP defines three planes: the management plane, control plane and data plane.

Securing Management Plane

The management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network.
Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical.
A device can be managed through several lines and ports (VTY, AUX and console), and you should do your best to keep access through them as secure as you can, using procedures such as:
Strong passwords
Make passwords very difficult to break; an attacker can break a password in several ways, including dictionary and brute-force attacks. In addition, you should use the hashed password (enable secret) instead of the plain-text password (enable password); enable secrets are hashed using the MD5 algorithm. Also, enforce a password policy, including features such as a maximum number of login attempts and a minimum password length.
Encrypted management protocols
Undoubtedly, accessing devices through Telnet or HTTP is no longer secure, as the password is sent in plain text, so encrypted protocols should be used instead, such as Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS).
User authentication and AAA
AAA stands for Authentication, Authorization and Accounting.
In large networks it is not practical to depend on the local user database for authenticating users.
The goal of AAA is to identify who users are before giving them any kind of access to the network, and once they are identified, only give them access to the part they are authorized to use, see, or manage.
Cisco provides many ways to implement AAA services for Cisco devices, such as an ACS server, TACACS server or RADIUS server; we will cover this point in more detail in our next sessions.

Role-based access control (RBAC)

With RBAC, we can create a role (like a group) and assign that role to the users who will be acting in that role. With the role come the permissions and access. Ways to implement RBAC include using the Access Control Server (ACS) and CLI parser views.
Logging
Logging is a way to create an audit trail. Logging may be done in many different ways, and it includes not only what administrators have changed or done, but also system events generated by the router or switch because of some problem that has occurred or some threshold that has been reached. This logging information may be sent to a syslog server. SNMP, one of the most important protocols, can also be used here.
Network Time Protocol (NTP)
NTP is a protocol widely used in the networking industry to synchronize the clocks of network infrastructure devices (servers, routers, switches, computers) over a network. This becomes very important for correlating logs between devices in case there is ever a breach and you need to reconstruct (or prove in a court of law) what occurred.
Now, we are about to discuss some practical issues:
1- How to enable SSH to access a router or switch
To enable SSH on a router or switch, the following items need to be in place:
Hostname other than the default name of router.
Domain name.
Generating a public/private key pair, used behind the scenes by SSH.
Requiring user login via the vty lines, instead of just a password. Local authentication or authentication using an ACS server are both options.
Having at least one user account to log in with, either locally on the router or on an ACS.
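As an added example (not from the lecture), the five items above as IOS commands, together with the password-policy settings from the "Strong passwords" section. Hostname, domain name, user name and all secrets are placeholders; it assumes local authentication (the ACS option is covered under AAA below).

```cisco
! Added example (not from the lecture). Names and secrets are placeholders.
!
! 1) a hostname other than the default and 2) a domain name: both are needed,
!    because SSH derives the RSA key pair's name from <hostname>.<domain>.
hostname R1
ip domain-name example.com
!
! 3) RSA key pair used by the SSH server. 2048 bits; the small default size
!    is not acceptable for new deployments.
crypto key generate rsa modulus 2048
! Accept only SSH version 2, and limit idle negotiation time and bad attempts.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Password policy from the "Strong passwords" section: hashed enable secret,
! minimum length, and a 120-second quiet period after 3 failures within 60 s.
enable secret REPLACE-WITH-ENABLE-SECRET
security passwords min-length 10
login block-for 120 attempts 3 within 60
!
! 5) at least one account to log in with (here in the local database)
username admin privilege 15 secret REPLACE-WITH-USER-PASSWORD
!
! 4) require username + password on the vty lines and disable Telnet entirely
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! Verification:
!   show ip ssh      -> "SSH Enabled - version 2.0"
!   show ssh         -> currently connected SSH sessions
```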


2- User Authentication with AAA
There are two models for implementing AAA:
Self-Contained AAA

In this model, AAA services are self-contained in the router. It is also known as local authentication.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
Sample of the configuration
Server-Based AAA
Uses an external database server to authenticate the username and password.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
There are many names and access methods associated with the central server, including calling it an authentication server, AAA server,ACS server, TACACS server, or RADIUS server.
The following list describes a few of these centralized server types:
Cisco Secure ACS Solution Engine: a server appliance with the Access Control Server (ACS) software preinstalled. Cisco ACS uses two distinct protocols for AAA services: RADIUS and TACACS+.
Cisco Secure ACS for Windows Server: this software package may be used for user and administrator authentication; AAA services on the router contact an external Cisco Secure ACS (running on a Microsoft Windows system).
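As an added example (not the lecture's own configuration sample), the two AAA models above on one router: the self-contained model as the default method lists, and the server-based model as named lists applied to the vty lines, using TACACS+ toward an ACS with local fallback. Server address, group and list names and keys are placeholders; it assumes IOS 15.x "tacacs server" syntax.

```cisco
! Added example (not from the lecture). Addresses, names and keys are placeholders.
!
! ===== Model 1: self-contained (local) AAA =====
! Once aaa new-model is on, "login local" on the lines is replaced by method lists;
! the "default" lists apply to every line (console included).
aaa new-model
username admin privilege 15 secret REPLACE-WITH-USER-PASSWORD
aaa authentication login default local
aaa authorization exec default local
!
! ===== Model 2: server-based AAA (TACACS+) with local fallback =====
tacacs server ACS-1
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-TACACS-KEY
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
!
! Named method lists: ask the ACS group first; "local" is used only when no
! server answers, not when a server rejects the credentials. Accounting sends
! session start/stop and every privilege-15 command to the server (audit trail).
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authorization exec VTY-AUTH group ACS-GROUP local
aaa accounting exec VTY-AUTH start-stop group ACS-GROUP
aaa accounting commands 15 VTY-AUTH start-stop group ACS-GROUP
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 accounting exec VTY-AUTH
 accounting commands 15 VTY-AUTH
 transport input ssh
!
! Verification (keep the current session open until a second login succeeds,
! so a mistake cannot lock you out):
!   test aaa group ACS-GROUP admin <password> legacy
!   show tacacs
```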
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#1 | Types of Network Attacks

Why Network Security?

By increasing network security, you decrease the chance of unauthorized access, data theft, network misuse, waste of assets and so on.

Goals of an Information Security Program:

The prevention of disclosure of sensitive information to unauthorized people or attackers.
The protection of system information or processes from intentional or accidental modification.
The assurance that systems, data or resources are accessible by authorized users when needed.

Risk Management Terms “Key Definitions”:

  • Vulnerability: A system, network or device weakness.
  • Threat: potential danger posed by a vulnerability.
  • Threat Agent: the entity that identifies a vulnerability and uses it to attack the victim.
  • Risk: likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
  • Exposure: potential to experience losses from a threat agent.
  • Countermeasure: put into place to mitigate the potential risk.

Specific Network Attacks:

ARP Attack “Spoofing”:
ARP spoofing is a type of attack in which a malicious actor sends fake ARP (Address Resolution Protocol) messages over a local area network, which results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.
Brute Force Attack:
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
Spoofing Attack:
A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts. There are several different types of spoofing attacks, such as:
Protocol (IP) Spoofing
MAC Spoofing
DNS Spoofing
Sniffer Attack:
A sniffer is an application that can capture network packets; it is used by attackers to capture packets, and if the traffic is not encrypted, it can be read using the sniffer.
Distributed Denial of Service (DDoS) attack:
The idea of a DoS attack is to reduce the availability of a certain network device by crashing it with a heavy workload; it is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
Man-In-The-Middle attack:
Attackers intrude into an existing communication between two hosts to monitor, capture and manipulate the traffic.

How to secure a device?

NFP (Network Foundation Protection) is a framework used to break the infrastructure down into smaller components and then systematically focus on how to secure each of those components.
NFP is broken down into three basic planes/sections:
The Cisco NFP (Network Foundation Protection) framework provides the technologies and tools required to secure the management plane, control plane and data plane.
Management plane: the management plane includes traffic that a network administrator uses to configure network devices. Management plane traffic usually consists of protocol traffic like Telnet (in an insecure network), SSH or SNMP.
Control plane: control plane traffic includes the traffic that the network devices send between each other for automatic network discovery and configuration. Examples of control plane traffic are routing protocol updates and Address Resolution Protocol (ARP) traffic.
Data plane: data plane traffic is the real end-user traffic on the network. An example of data plane traffic is the traffic generated by a user sitting inside the company network and browsing a website.
By: Hatem Farag | CCIE#54446

Introduction to Carrier Supporting Carrier (CSC)

Today I am going to discuss Carrier Supporting Carrier (CSC). In the previous post we talked about how to connect a VPN between two locations served by two different service providers, with a clarification of the different inter-AS options.
The Carrier Supporting Carrier solution enables small service providers to use the cloud of another, larger service provider in order to connect parts of their own networks. In effect, CSC takes inter-AS L3 VPN to the next level.

Carrier Supporting Carrier

CSC is a technology used to expand the reach of an SP by using another SP as transport. The service provider that provides connectivity over its cloud to other providers is called the backbone carrier, and the service provider that uses that cloud is called the customer carrier.

The backbone carrier gives service to another carrier, which is called the customer carrier.

The customer carrier might be a provider or an enterprise company that has its own VPNs.


The CSC-CE is the device located in the customer carrier's network, connecting to the backbone carrier. The CSC-PE is the device located in the backbone carrier's network, connecting to the customer carrier.

The backbone carrier routers (CSC-PEs) should not do any IP routing lookup for customer carrier traffic; that lookup is replaced by label switching.

The backbone carrier carries the internal addresses of the customer carrier. These addresses are the loopback addresses of its PEs and RRs; the backbone carrier is not aware of the customer carrier's own customer prefixes.

MPLS is always enabled in the CSC case, but LDP is not a must for assigning labels.

If an IGP runs between the customer carrier and the backbone carrier, LDP is used. The rule is: "If a prefix is learned from an IGP, its label should be assigned by LDP."

If BGP runs between the customer carrier and the backbone carrier, the configuration is like a normal MPLS VPN PE-CE eBGP session under address-family ipv4 vrf on the CSC-PE side, with the addition of the neighbor x.x.x.x send-label command, plus the mpls bgp forwarding interface command on both sides. When eBGP is used for label exchange with the send-label option, mpls bgp forwarding is automatically configured under the interface.

Using BGP for CSC is the recommended solution, due to the following facts:

BGP takes the place of both an IGP and LDP, since BGP can distribute routes together with their MPLS labels; using a single protocol instead of two certainly speeds up configuration and troubleshooting.

BGP is the preferred routing protocol for connecting two ISPs, mainly because of its rich routing policies and its ability to scale.
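The following is an added example of the BGP-based CSC setup described above; it is not a configuration from the original post, and the VRF name, AS numbers and addresses are constructed for illustration.

```text
! Added example (not from the original post): CSC using eBGP + send-label.
! AS numbers, addresses and the VRF name are constructed for illustration.
!
! ===== CSC-PE (backbone carrier, AS 100) =====
ip vrf CUSTOMER-CARRIER
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface GigabitEthernet0/1
 description Link to CSC-CE
 ip vrf forwarding CUSTOMER-CARRIER
 ip address 10.0.0.1 255.255.255.252
 ! IOS adds this line automatically once send-label is configured.
 mpls bgp forwarding
!
router bgp 100
 address-family ipv4 vrf CUSTOMER-CARRIER
  neighbor 10.0.0.2 remote-as 200
  neighbor 10.0.0.2 activate
  ! send-label: advertise an MPLS label together with each IPv4 prefix,
  ! so no IGP or LDP is needed on the CSC-PE/CSC-CE link.
  neighbor 10.0.0.2 send-label
 exit-address-family
!
! ===== CSC-CE (customer carrier, AS 200) =====
interface GigabitEthernet0/1
 description Link to CSC-PE
 ip address 10.0.0.2 255.255.255.252
 mpls bgp forwarding
!
router bgp 200
 neighbor 10.0.0.1 remote-as 100
 address-family ipv4
  ! Only the customer carrier's internal addresses (PE and RR loopbacks)
  ! are advertised to the backbone carrier; the customer carrier's own
  ! customer VPN prefixes never reach the backbone carrier.
  network 192.168.255.1 mask 255.255.255.255
  network 192.168.255.2 mask 255.255.255.255
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-label
 exit-address-family
```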



Inter-AS MPLS Options

Sometimes a customer needs an L3 VPN between two locations that are served by two different service providers, on a national or international basis.


To maintain the connectivity of VPN services across multiple service providers, the IETF described three options (A, B and C) for Inter-AS or Inter-Provider MPLS VPN solutions, while Cisco implemented three options (1, 2 and 3) to describe how each of the two ISPs deals with the other.

Inter-AS Option A “Back-to-Back VRF”

It is the simplest of the options for interconnecting two ISPs (ASBRs).

  • One logical interface per customer (VRF) is needed on the physical link between the two ASBRs.
  • Each ASBR treats the other as a CE.
  • The link may use any supported PE-CE protocol.
  • Packets are sent unlabeled between the ASBRs.
  • RD and RT values are separated at the AS border.
  • Does not scale well for a large number of customers.


Inter-AS Option B “EBGP redistribution of labeled VPN-IPv4 routes”

It is a more scalable solution than Option A. It does not require any VRFs on the ASBRs.

  • A single interface connects the ASBRs and carries the traffic of all customers (VRFs).
  • Packets are sent labelled between the ASBRs.
  • No need for VRFs on the ASBR.
  • RD and RT values require agreement and coordination between the two ISPs.
  • Scales better than Option A for a large number of customers.
  • Both RRs will be visible to the other AS.
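As an added example (not from the original post), this is what the Option B ASBR side looks like: one VPNv4 eBGP session to the peer ASBR, no VRFs, labelled routes over a single link. AS numbers and addresses are constructed for illustration.

```text
! Added example (not from the original post): Inter-AS Option B ASBR.
! AS numbers and addresses are constructed for illustration.
!
! ===== ASBR in ISP-1 (AS 100) =====
interface GigabitEthernet0/2
 description Inter-AS link to the ISP-2 ASBR (single link for all VRFs)
 ip address 172.16.0.1 255.255.255.252
 ! Labelled VPN-IPv4 packets are exchanged on this interface.
 mpls bgp forwarding
!
router bgp 100
 ! The ASBR holds no VRFs. By default IOS drops VPNv4 routes whose RTs
 ! are not imported locally, so that filter must be disabled here.
 no bgp default route-target filter
 ! eBGP to the peer ASBR in ISP-2
 neighbor 172.16.0.2 remote-as 200
 ! iBGP to the local route reflector
 neighbor 10.255.0.1 remote-as 100
 neighbor 10.255.0.1 update-source Loopback0
 !
 address-family vpnv4
  ! eBGP VPNv4: labelled VPN-IPv4 routes for every customer over one link.
  ! Extended communities carry the RT values agreed between the two ISPs.
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 send-community extended
  ! iBGP VPNv4 toward the RR, with next-hop-self so the local PEs
  ! label-switch toward this ASBR rather than toward the peer's link address.
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
  neighbor 10.255.0.1 next-hop-self
 exit-address-family
```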


Inter-AS Option C “Multihop EBGP redistribution of labeled VPN-IPv4 routes”

Like Option B, it does not require any VRFs on the ASBRs, and packets are sent labelled between the ASBRs; the essential difference is that the eBGP VPNv4 session is between the PEs, or more likely the RRs, of the two ISPs.

  • End-to-end LSP.
  • No need for eBGP VPNv4 between the ASBRs; eBGP IPv4 is enough.
  • RD and RT values require agreement and coordination between the two ISPs.
  • All PEs that carry the same VRF, and the RRs, will be visible to the other AS.

