How to DoS the Cisco Identity Services Engine ¯\_(ツ)_/¯

On the journey to CCNA Security (210-260)

  • Option 1: Try to log in to ISE
  • Option 2: Do not log in for 45 days... because you forgot you had an ISE lab running
  • Double or nothing: Do not log in for 45 days because you forgot the password scribbled somewhere in your lab notes
  • Protip: The admin password can differ between the CLI and the web GUI; however, this can be a double-edged sword – you might also want to change the default password expiry

Lab: Layer 3 Switching Pt.1 – Preparing for v6 requirements

Preparing the Layer 3 Switch for v6

Before setting up the Lab Switches for some basic Layer 3 functions I will upgrade the IOS Images to make sure I can use v6 in the Lab environment as well.

3750-1#show boot
BOOT path-list : flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin

Since the 3750 is currently running an IP-Base image, I will need to upgrade it to an IP-Services image to be able to use advanced Layer 3 functions for v6 routing. In the BASE versions of the 3750, only static v6 and RIPng are available.
So I grabbed the newest 3750 image from the Cisco web page (requires a login account, but a guest account will suffice for the 3750 image). Another benefit of an IOS upgrade will be some improved security, since the current image lacks some crypto functionality. This means no SSH. The lack of HTTPS can be neglected, since we don't enable the http or the secure-server (https) on the device. The K6 tag in an image name refers to crypto features such as SSH, so make sure your production equipment supports it.
Since the flash space was insufficient to store both the IP-BASE and IP-SERVICES images, I will have to delete the current IOS image, which can be done while the switch is running since the running IOS image is held in RAM.
Make sure to back up your current IOS image to a TFTP server just in case.

3750-1#del /force /recursive c3750-ipbase-mz.122-25.SEB4

The /force and /recursive options delete the complete image directory and bypass any confirmation prompts when deleting files. You will want to use them in case you did in fact have the web interface set up, since the switch would otherwise ask for confirmation on a large number of files.

#copy tftp://10.1.1.1:/c3750-ipservicesk9-mz.122-55.SE6.bin flash:/
Loading c3750-ipservicesk9-mz.122-55.SE6.bin from 10.1.1.1 (via Vlan123): !!!!!!!!!!!

Now would be a good time to grab a cup of coffee. Once this is done, we will boot the new image from global config mode:

3750-1(config)#boot system switch all c3750-ipservicesk9-mz.122-55.SE6.bin

and reload from enable mode to boot into the new IOS image.
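TFTP does not authenticate or integrity-check the transfer, and with the old image deleted there is no fallback image in flash, so it is worth checking the new file before the reload. The sequence below is an added example, not part of the original lab notes; it assumes the TFTP server 10.1.1.1 from above is writable for the backup, and `<expected-md5>` is a placeholder for the MD5 published alongside the image on the vendor download page.

```cisco
! --- Before deleting the old image: back it up (path taken from "show boot") ---
3750-1#copy flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin tftp://10.1.1.1/c3750-ipbase-mz.122-25.SEB4.bin

! --- After the TFTP copy: confirm the file is present and check its size ---
3750-1#dir flash:

! --- Compare the image's MD5 with the published value.               ---
! --- <expected-md5> is a placeholder; a mismatch means the file is   ---
! --- corrupt or altered: do NOT reload, copy the image again instead ---
3750-1#verify /md5 flash:c3750-ipservicesk9-mz.122-55.SE6.bin <expected-md5>

! --- After "boot system": confirm the BOOT path-list names the new image ---
3750-1#show boot

! --- Save the configuration, then reload ---
3750-1#copy running-config startup-config
3750-1#reload
```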

In the next part of the lab, I will demonstrate inter-VLAN routing using a trunk connection to a router (Router on a Stick) and Switch Virtual Interfaces (SVIs).