Welcome to our version of the CCNA (Cisco Certified Network Associate)


1 Welcome to our version of the CCNA: Cisco Certified Network Associate
Copyright Course Outsource. All Rights Reserved.

Welcome to our Cisco CCNA training course. This course will help you better understand how networking is defined, implemented and supported in the real world. More precisely, it gives you a Cisco-specific network perspective.

CCIP, CCIE, CCDA, CCDP, CCENT, CCNP, CCNA, CCVO, VLANDirector, TrafficDirector, CiscoWorks 2000, ONS Secure PIX Firewall, Secure Virtual Private Networks, Cisco, Cisco Systems, Cisco Systems Logo, Catalyst, EtherChannel, IOS and LightStream are registered trademarks of Cisco Systems, Inc. or its affiliates in the US and certain other countries.

2 Introduction

This is a 5-day hands-on course which covers the exam objectives for CCNA 3.0. Another exam option this course covers: ICND1 and ICND2.

This course was written to help you understand the objectives for the CCNA exam; however, the ICND and Intro exams are also covered. We do not suggest that you take the two-test option, as it is not easier than the one-test method. Of course, that is up to you, and we are confident this course will prepare you whichever way you decide to go.

Now, let's start with this course book itself. Each page of this course book consists of a slide from the instructor's slide deck and the accompanying information that explains the content of the slide. Some slides are markers (i.e. chapter headings, outlines, intros, etc.) and require no additional information; in that case the next corresponding slide follows immediately. For example, look at the next few pages, which outline the class and the exam.

3 CCNA Exam
- The number of items and the passing score vary from exam to exam; roughly 850 out of 1000 to pass
- About 90 minutes
- You cannot return to earlier questions
- Simulated, testlet, multiple choice, fill-in-the-blank and drag-and-drop questions

4 CCNA Course Outline
Chapter 1: The Cisco Router and Switch Interface
- Cisco IOS
- Cisco CLI
- Administrative Functions
- Configuring Interfaces
- Introduction to Cisco Catalyst Switches

5 CCNA Course Outline
Chapter 2: Managing a Cisco Internetwork
- Copying and saving the IOS and configuration
- Troubleshooting Cisco networks
Chapter 3: TCP/IP Addressing and Subnetting
- IP Addressing
- Class C Subnetting

6 CCNA Course Outline
Chapter 4: IP Routing
- Basic IP routing
- Static Routing
- RIPv1 and RIPv2
- EIGRP
- OSPF

7 CCNA Course Outline
Chapter 5: Advanced TCP/IP
- Class C subnetting review
- Class B subnetting
- VLSM design and implementation
- Discontiguous networks
- Summarization
Chapter 6: Security
- Introduction to Security
- Standard Access Lists
- Extended Access Lists
- Named Access Lists

8 CCNA Course Outline
Chapter 7: Network Address Translation
- Static NAT
- Dynamic NAT Pools
- Port Address Translation (PAT)
Chapter 8: Switching
- Virtual LANs (VLANs)
- Spanning Tree Protocol (STP)

9 CCNA Course Outline
Chapter 9: Wireless LANs
- Basic Service Sets (BSS)
Chapter 10: Introduction to IPv6
- IPv6 Addressing
- Implementing IPv6

10 CCNA Course Outline
Chapter 11: Cisco WAN Support
- Basic WAN
- HDLC
- PPP
- Frame Relay

11 Preface: Course Conventions

12 Local-Area and Wide-Area Network Symbols
(figure: key to the icons used on the slides: Router, Bridge, ATM Switch, Ethernet Switch, Hub, Concentrator, MAU, Server, Comm Server, WAN Cloud, CSU/DSU, Ethernet, Serial Line)

13 Syntax Conventions
Router prompts are shown in BLACK, as follows: R1#
Router commands to be entered by the user are shown in GREEN, as follows:
    R1(config)# interface serial 0
    R1(config-if)# shutdown

14 The Cisco Router and Switch Interface (Chapter 1)

In this chapter we will discuss the basics and glance over a few advanced topics with regard to interfaces, configurations, the configuration register and the like. We will review switch interfaces at the end of the chapter.

15 Router Power-On/Bootup Sequence
1. Perform the Power-On Self Test (POST)
2. Load and run the bootstrap code
3. Look in NVRAM for the config-register setting
4. Load the Cisco IOS software
5. Find the configuration (if none, run Setup)
6. If found, load the configuration into RAM

When you first bring up a Cisco router, it runs a Power-On Self-Test (POST), and if that passes, it looks for and loads the Cisco IOS from flash memory if an image file is present. In case you don't know, flash memory is an electrically erasable programmable read-only memory, an EEPROM. The IOS then loads and looks for a valid configuration, the startup-config, which is stored by default in nonvolatile RAM (NVRAM).

ROM: contains the microcode for basic functions; runs POST; loads the bootstrap; holds the mini-IOS; provides ROM Monitor mode.

16 Router Interfaces

Router interfaces can be GigabitEthernet, FastEthernet, Ethernet, Token Ring and various other LAN physical technologies, like FDDI. The serial ports can be used for a WAN: a T1, for example, or PPP or Frame Relay. Miscellaneous ports can include a BRI for ISDN. The console port is a serial connection that gives out-of-band access to the device. The aux port is a second console-style port that accepts modem commands, so you can dial into the router out-of-band if a remote router goes down and you need to configure it through that connection. Because console and aux access sit outside the normal network login path, physical access to these ports should be controlled and the lines must be password-protected, as shown later in this chapter.

17 Cisco IOS Software EXEC Modes
User mode: limited examination of the switch or router. Command prompt on the device: Router>
Privileged (or enable) mode: detailed examination of the switch or router; enables configuration and debugging; prerequisite for the other configuration modes. Command prompt on the device: Router#

18 Logging into the Router
    Router con0 is now available
    Press RETURN to get started.
    Router>              (user mode prompt)
    Router> enable
    Router#              (privileged mode prompt)
    Router# disable
    Router> quit

After the interface status messages appear and you press Enter, the Router> prompt appears. This is called user mode and is mostly used to view statistics. There are two primary EXEC modes for entering commands on a Cisco router: user mode and privileged mode. User mode is used to verify status and run basic show commands. You can only view and change the configuration of a Cisco router in privileged mode, which you enter with the enable command.

19 Router Context-Sensitive Help
    Router# clok
    Translating "CLOK"
    % Unknown command or computer name, or unable to find computer address
    Router# cl?
    clear  clock
    Router# clock
    % Incomplete command.
    Router# clock ?
      set  Set the time and date
    Router# clock set 19:56:
                             ^
    % Invalid input detected at the '^' marker.

Note: the help command only describes how the help system works; it does not give help on a specific command. You can use the Cisco advanced editing features to help you configure your router. If you type a question mark (?) at any prompt, you are given the list of all the commands available from that prompt. You can press the spacebar to get another page of information, or press Enter to advance one line at a time. Once you have typed enough characters for a non-ambiguous command, you can press the Tab key to complete the syntax and then enter ? to obtain additional help if needed. If a command is ambiguous, you will need to enter more characters or ? to determine the specific syntax for the command you want. The ^ character marks where the syntax error or invalid input was detected.

20 Using Enhanced Editing
<Ctrl-A>: move to the beginning of the command line
<Ctrl-E>: move to the end of the command line
<Esc-B>: move back one word
<Ctrl-F>: move forward one character
<Ctrl-B>: move back one character
<Esc-F>: move forward one word
<Ctrl-D>: delete a single character
Tab: finishes typing a command for you
Up/down arrows: display the previous/next command from the history buffer
Automatic scrolling of long lines shows a $ and moves your text ten spaces to the left

This slide shows the list of enhanced editing commands available on a Cisco router. The most commonly used enhanced editing features are the up/down arrows. On some terminal emulators you may need to use <Ctrl-P> or <Ctrl-N> if the up/down arrows do not function.

21 Router Command History
Ctrl-P or Up arrow: recall the last (previous) command
Ctrl-N or Down arrow: recall the more recent command
Router> show history: show the command buffer contents
Router> terminal history size <lines>: set the session command buffer size

You can review the router command history with the commands shown in this slide. This is very helpful and saves you from re-typing things over and over.

22 Break Sequences
<Ctrl>+z: leave configuration mode and return to privileged EXEC
<Ctrl>+c: abort the current command or dialog
<Ctrl>+<Shift>+6 then X: break out of a running command, or suspend a Telnet session
<Ctrl>+Break, or <Ctrl>+<Shift>+6 then B, during the router boot cycle: enter ROM Monitor mode. One purpose is to perform password recovery.

This slide shows some basic break sequences you can use on a Cisco router. <Ctrl>+<Shift>+6 then X is used to break out of a command. This is especially helpful with traceroute when the destination is a network not in the routing table: by default the command continues for 30 hops, with each probe waiting for its timeout, so breaking out saves a lot of time. <Ctrl>+<Shift>+6 then B is very helpful if you are performing a password recovery and your PC's terminal emulator has no Break key, or if <Ctrl>+[Break] is not stopping the boot cycle. Keep in mind that anyone with console access during boot can do exactly the same, which is why password recovery is only as strong as physical control of the device.

23 Router Components
RAM: running-config, routing table, ARP cache, packet buffers (show running-config, show process cpu, show protocols, show mem, show ip route)
NVRAM: startup-config, config-register (show startup-config)
Flash: IOS image (show flash)
ROM: POST, bootstrap, skeleton (mini) IOS (show version)
Console, auxiliary and interfaces (show line, show interfaces)

show flash: shows all files in flash.
show startup-config: shows the backup configuration stored in NVRAM.
show running-config: shows the configuration the router is using at the moment.
show interfaces: shows the status of all interfaces. You can type show interface s0 to see just the statistics of serial 0.
show line: shows all the lines that can be configured on a router. The default lines are aux, console and vty.
show version: covered in the next slide.

24 show version Command
Displays the system hardware configuration, the software version, and the names and sources of the configuration files and boot images on a router.
    Router# show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2600 Software (C2600-JS-L), Version 12.0(8), RELEASE SOFTWARE (fc1)
    Copyright (c) by cisco Systems, Inc.
    Compiled Mon 08-Feb-99 18:18 by phanguye
    Image text-base: 0x03050C84, data-base: 0x
    ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
    BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
    R1 uptime is 22 minutes
    System restarted by reload
    System image file is "flash:c2600-js-l_120-8.bin"
    (output cut)

The show version command provides the basic configuration of the system hardware as well as the software version, the names and sources of the configuration files, and the boot images. The last information given by this command is the value of the configuration register; in this example the value is 0x2102, the default setting. A configuration register of 0x2102 tells the router to look in NVRAM for the boot sequence. By manipulating the configuration register you can perform actions such as password recovery, or determine the boot sequence and where to boot from.

25 show version Command (continued)
    cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
    Processor board ID JAB032008NM ( )
    M860 processor: part number 0, mask 49
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    TN3270 Emulation software.
    1 Ethernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
Note: the router above has 48 MB of RAM and 16 MB of system flash.

The router above has 48 MB of RAM (45056K + 4096K), 32K of NVRAM and 16 MB of flash memory. The IOS image for this router is therefore limited to a maximum size of 16 MB. The last line is the configuration register, here 0x2102, the default setting, which tells the router to look in NVRAM for the boot sequence.

26 Configuration Register
0x2102 = load the IOS from flash and then the configuration from NVRAM (the router looks in NVRAM for boot system commands)
0x2100 = stay in ROM Monitor mode
0x2101 = load the mini-IOS from ROM
0x2142 = load the IOS from flash and do not load the startup-config
    Router# config t
    Router(config)# config-register 0x2102

All Cisco routers have a 16-bit software register that is written into NVRAM. By default the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. You can change the configuration register with the config-register command:
    Router# config t
    Router(config)# config-register 0x2102
On newer routers this can also be done from ROMMON mode with the confreg command. Because ROMMON is reached from the console during boot, changing the register is the classic password-recovery path: set 0x2142, reload, change the passwords without the old ones, then set the register back to 0x2102. Check show version after any recovery to make sure the register was returned to 0x2102.

27 When this router is rebooted, why does it lose its configuration?
    cisco 2610 (MPC860) processor (revision 0x202) with 16384/2084k bytes of memory.
    Processor board ID JAB03040BPS ( )
    M860 processor: part number 0, mask 49
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    TN3270 Emulation software.
    1 Ethernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2142

It doesn't lose the configuration; it just never loads the configuration from NVRAM, because the configuration register is set to bypass the startup-config (bit 6, value 0x0040, is set). The configuration register should be 0x2102. A register of 0x2142 is what a password recovery leaves behind if the last step is forgotten; if you did not put it there yourself, treat it as a sign that someone with console access has performed a recovery, and reset it with config-register 0x2102 before the next reload.
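The two slides above describe the configuration register bit by bit (0x2102 versus 0x2142, the boot field values 0x0 and 0x1). The following is an added example, not part of the course material or of Cisco IOS: a small Python decoder that maps a 16-bit register value, as printed by show version, to the settings discussed (boot field, bit 6 "ignore NVRAM", bit 8 "Break disabled", console speed, bit 13 ROM fallback) and flags the values a reviewer would want to see explained. The field layout is the documented Cisco one; the finding texts are this example's own.

```python
"""Decode a Cisco configuration-register value as shown by 'show version'.

Added example for the CCNA slides on the configuration register; it is not
course code or Cisco code.  It exists so a reviewer can see at a glance why
0x2142 boots without the startup-config while 0x2102 loads it.
"""

BOOT_FIELD = {
    0x0: "stay in ROM monitor (rommon)",
    0x1: "boot the mini-IOS from ROM",
}
CONSOLE_BAUD = {0b00: 9600, 0b01: 4800, 0b10: 1200, 0b11: 2400}

IGNORE_NVRAM = 0x0040    # bit 6: bypass startup-config (password recovery)
BREAK_DISABLED = 0x0100  # bit 8: ignore the Break key once the IOS is running
ROM_FALLBACK = 0x2000    # bit 13: fall back to the ROM image if a network boot fails
DEFAULT_REGISTER = 0x2102


def decode_confreg(value: int) -> dict:
    """Return the meaning of each field of a 16-bit configuration register."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot = value & 0x000F  # bits 0-3: the boot field
    return {
        "boot": BOOT_FIELD.get(
            boot, "boot IOS from flash (boot system commands in NVRAM, else first image)"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0b11],  # bits 11-12
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def loads_startup_config(value: int) -> bool:
    """True when the router will load startup-config from NVRAM at boot."""
    fields = decode_confreg(value)
    return fields["boot"].startswith("boot IOS from flash") and not fields["ignore_nvram"]


def password_recovery_register(value: int = DEFAULT_REGISTER) -> int:
    """The value 'confreg' is set to in ROMMON to skip NVRAM (0x2102 -> 0x2142)."""
    return value | IGNORE_NVRAM


def restored_register(value: int) -> int:
    """Clear bit 6 again once the passwords have been reset (0x2142 -> 0x2102)."""
    return value & ~IGNORE_NVRAM & 0xFFFF


def audit_register(value: int) -> list:
    """Findings a reviewer would raise about a register seen in 'show version'."""
    findings = []
    fields = decode_confreg(value)
    if fields["ignore_nvram"]:
        findings.append(f"0x{value:04X}: bit 6 set, startup-config is ignored on reload")
    if not fields["break_disabled"]:
        findings.append(f"0x{value:04X}: Break enabled, console can drop to rommon at any time")
    if fields["boot"].startswith("stay") or fields["boot"].startswith("boot the mini"):
        findings.append(f"0x{value:04X}: boot field does not load the IOS from flash")
    return findings


if __name__ == "__main__":
    for reg in (0x2102, 0x2142, 0x2100, 0x2101):
        print(f"0x{reg:04X}", decode_confreg(reg), audit_register(reg))
```

Run it directly to see the four values from the slide decoded side by side; audit_register(0x2102) returns nothing, while 0x2142 is flagged for bit 6, which is exactly the router on the "why does it lose its configuration" slide.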

28 Viewing the Configuration
show running-config: displays the active configuration (RAM)
show startup-config: displays the backup configuration (NVRAM)

You can view the configuration files on a router by typing show running-config or show startup-config from privileged mode. The main difference is that the running-config is what is actually active on the router, whereas the startup-config is what is saved in NVRAM. Performing copy running-config startup-config saves the running-config into NVRAM. A best practice commonly used in various industries is to keep several versions of the router's configuration on a TFTP server, and to save the running-config regularly after changes are made and successfully tested. This provides an audit trail of when changes were introduced and aids in troubleshooting problems brought on by those changes. Bear in mind that TFTP is unauthenticated and unencrypted, and that saved configurations contain passwords, so the server holding them must be locked down as tightly as the routers themselves.

29 Setup Mode
- When you erase the configuration on a router and reboot, you will be in setup mode
- You can type setup from privileged mode to enter setup mode
- Square brackets indicate default or current settings
- The enable password and enable secret password are configured during setup mode
- The enable secret password cannot be seen as clear text when viewing the configuration
- If both the enable password and enable secret are set, the router uses the enable secret, as it is more secure

Once the IOS is loaded and running, a valid configuration is loaded from NVRAM. However, if there is no configuration stored in NVRAM, the router goes into setup mode, a step-by-step dialog to help you configure the router. You can also enter setup mode at any time from the command line by typing setup from privileged mode. The enable password and enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration. For this reason it should be used wherever possible, because it protects against someone using a copy of the router configuration to gain unauthorized access to the routers. It is stored in the configuration as a salted MD5 hash (type 5; current IOS releases also offer the stronger type 8 and type 9 hashes), and in many cases it serves as the last-resort password if TACACS+ or RADIUS fails.

30 Configuring the Router
    Router# configure
    Configuring from terminal, memory, or network [terminal]?
Terminal: configures information into RAM (changes the running-config)
Memory: merges the configuration from NVRAM into the running-config
Network: merges a configuration file stored on a TFTP host into the running-config

To configure from the CLI, you can make global changes to the router by typing configure terminal (or config t for short), which puts you in global configuration mode and changes what is known as the running-config. A global command (a command run from global config) is one that is set once and affects the entire router. You can type config at the privileged-mode prompt and just press <Enter> to take the default of terminal. You would use the memory or network option to load a configuration file from NVRAM or from a TFTP server on the network. In many cases this is used to pre-stage changes or migrations, or to facilitate review processes. A file pulled over the network is applied to the running-config just as if the commands had been typed, so the TFTP server and the path to it need the same protection as the router itself.

31 Router Modes
User EXEC mode: limited to basic monitoring commands
Privileged EXEC mode: provides access to all other router commands
Global configuration mode: commands that affect the entire system
Specific configuration modes: commands that affect interfaces/processes only
Setup mode: interactive configuration dialog

This slide summarizes the various modes used on a router.

32 Router Modes Example
    Router> enable                 (user EXEC mode)
    Router# configure terminal     (privileged EXEC mode)
    Router(config)#                (global configuration mode)
    <Ctrl>-z (or end) returns to privileged EXEC mode
Configuration mode prompts:
    Interface:     Router(config-if)#
    Subinterface:  Router(config-subif)#
    Line:          Router(config-line)#
    Router:        Router(config-router)#

It is really important that you understand the different prompts you can find when configuring a router. Knowing these well will help you navigate and recognize where you are at any time within configuration mode.

33 Saving Configurations
Copy the current configuration to NVRAM:
    Router# copy running-config startup-config
    Destination filename [startup-config]? <enter>
    Building configuration...

You can manually save the file from DRAM to NVRAM with the copy running-config startup-config command; the shortcut copy run start also works. You can also save to other files in NVRAM or to a TFTP server in addition to the startup-config.

34 Restoring Configurations
Copy the saved configuration to DRAM:
    Router# copy startup-config running-config
    Destination filename [running-config]? <enter>
    Building configuration...
This configures information into RAM on the router, retrieving the router's configuration file from NVRAM.

copy startup-config running-config merges the startup-config into the running-config: it adds or overwrites the commands present in the saved file, but it does not remove commands that were added to the running-config since. It is therefore only a partial way of backing out of changes that were not successful. To return fully to the saved configuration, reload the router (or, on IOS releases that support it, use configure replace, which does compute and apply the difference).

35 Administrative Functions
Administrative functions help you administer your internetwork. They include:
- Hostnames
- Banners
- Interface descriptions
- Passwords

This next section will teach you how to configure administrative functions on a router.

36 Configuring Router Identification
Router name:
    Router(config)# hostname R1
    R1(config)#
Message of the Day banner:
    R1(config)# banner motd # MIS meeting at 13:00. Everyone that has attended this class gets a 50% raise #

You can set the identity of the router with the hostname command. This is only locally significant, which means it has no bearing on how the router performs name lookups, but it is used by Cisco MIBs to identify the router. A good naming standard should provide some functional and geographical information. Unique naming is an important best practice, as it aids troubleshooting and prevents confusion over duplicate names.

A good reason for having a banner is to add a security notice for users remotely accessing your internetwork. You can set a banner on a Cisco router so that when a user logs into the router or an administrator telnets into it, the banner gives them the information you want them to have. As another best practice, the banner can identify the revision of the standard configuration template in use, but it should not contain proprietary or confidential information, since it is shown before authentication. For the same reason the text should be an authorized-use notice rather than a "welcome".

37 Configuring Interface Descriptions
    R1(config)# interface fastethernet 0/1
    R1(config-if)# description Finance LAN
    R1(config-if)# interface serial 0/0
    R1(config-if)# description WAN to Miami
View descriptions with the following commands:
    R1# show running-config
    R1# show interface

Setting descriptions on an interface is helpful to the administrator and support staff. It is a useful command because you can use it to keep track of circuit numbers, for example. If configurations are stored offline, this information can be used to create circuit databases or to assist in creating port maps and network diagrams. Standardizing the format makes it possible to write a script that pulls the information together into a database, spreadsheet or network drawing.

38 Do the do
On newer routers running IOS 12.3 and above, you can run show commands from within configuration mode by prefixing them with do:
    R1(config)# do show run
    R1(config-if)# do show interface

39 Console/Aux Password Configuration
    R1(config)# line console 0
    R1(config-line)# password todd
    R1(config-line)# login
    R1(config-line)# line aux 0
    R1(config-line)# password lammle
    R1(config-line)# login
(Console connection without the password: No Access!)

To set the console password, use the line console 0 command; the same applies to the aux port. You need to enter the login command, or the router will not prompt for the password. Use caution if line passwords are the same as the enable secret: a line password is stored in clear text in the router configuration unless the service password-encryption command is used, and even then it is only reversibly obfuscated, so reusing the enable secret here exposes it.

40 Other Console Line Commands
Prevent console session timeout:
    R1(config)# line console 0
    R1(config-line)# exec-timeout 0 0
Redisplay interrupted console input:
    R1(config)# line console 0
    R1(config-line)# logging synchronous

The exec-timeout 0 0 command sets the idle timeout for the console EXEC session to zero, which means it never times out. That is convenient in a classroom; on a production router it means an unattended console session stays logged in indefinitely, so set a real timeout there (exec-timeout minutes seconds). logging synchronous is a very cool command and should be a default, but it is not: it stops console messages from popping up in the middle of the input you are trying to type.

41 Telnet VTY Password
    R1(config)# line vty 0 4
    R1(config-line)# password todd
    R1(config-line)# login   (or no login)
NOTE: no vty password, no Telnet access. Cisco supports 5 simultaneous Telnet sessions by default (vty 0-4), although your router may support more.

To set the user-mode password for Telnet access into the router, use the line vty command. Routers that are not running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4; with the Enterprise edition you have significantly more. The best way to find out how many lines you have is to use the question mark:
    Router(config-line)# line vty 0 ?
      <1-4>  Last Line Number
      <cr>
You can use the no login option so that you can telnet into a router and not be prompted for a password (not recommended!). An access-class can be applied to the VTY lines to restrict which source addresses may connect at all, and is worth configuring even when a password is set.
Note: if the password is not set, and TACACS+ or RADIUS is not configured, you get "Password required, but none set" when attempting to telnet to the router, and the session is closed.

42 Telnet versus SSH Access
Telnet: most common access method; insecure (everything, including passwords, crosses the network in clear text)
SSH: encrypted; an IP domain name must be defined and an RSA key must be generated
    !--- The username command creates the username and password for the SSH session
    username cisco password 0 cisco
    ip domain-name mydomain.com
    crypto key generate rsa
    ip ssh version 2
    line vty 0 4
     login local
     transport input ssh

SSH Server: the SSH Server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used together with the Cisco IOS software authentication. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.

SSH Integrated Client: the SSH Integrated Client feature is an application running over the SSH protocol that provides device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running an SSH server. This connection provides functionality similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, the SSH client allows secure communication over an insecure network. The SSH client in the Cisco IOS software works with publicly and commercially available SSH servers. The SSH client in the release this course was written for supports the DES and Triple DES (3DES) ciphers and password authentication; DES is no longer considered secure, and current IOS releases support AES and let you restrict the permitted algorithms with the ip ssh server algorithm commands. User authentication is performed as for a Telnet session to the router: the mechanisms supported for SSH are RADIUS, TACACS+ and locally stored usernames and passwords. Note that username ... password 0 stores the password in clear text in the configuration; username ... secret stores a hash instead and is the better choice.

43 Secure Shell
Here are the minimum commands needed to configure SSH on your router or switch:
    R1# config t
    R1(config)# username Todd password Lammle
    R1(config)# ip domain-name lammle.com
    R1(config)# crypto key generate rsa
    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# transport input ssh
(Optional: transport input ssh telnet)

You must remember the command transport input ssh; this enables SSH, and only SSH, under the VTY lines. The RSA key is named after the hostname and domain name, so both must be set before crypto key generate rsa, which prompts for a modulus size; choose 2048 bits or larger. The optional transport input ssh telnet form keeps Telnet open alongside SSH, which defeats the purpose on anything but a lab router.
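Slides 39 through 43 together describe what a reviewer looks for in the line and remote-access part of a configuration: line passwords without service password-encryption, VTY lines with no login, Telnet still accepted, a missing enable secret, no access-class, SSH not pinned to version 2. The following is an added example, not course material and not a Cisco tool: a Python audit that reads the plain text produced by show running-config and reports those findings. Both configurations embedded in it are constructed for the demonstration (the type 5 hashes are placeholders, not real digests), and the finding texts and check names are this example's own.

```python
"""Review an IOS running-config for the remote-access weaknesses covered in
the line-password, VTY and SSH slides of this chapter.

Added example; it is neither course code nor Cisco code.  It parses the
text of 'show running-config' with the indentation rules IOS uses (a 'line'
block is followed by its sub-commands indented by one space).
"""
import re

# Constructed sample: the "lab" configuration built up on the slides.
WEAK_CONFIG = """\
hostname R1
!
enable password lammle
!
username cisco password 0 cisco
!
line con 0
 password todd
 login
line aux 0
 password lammle
 login
line vty 0 4
 password todd
 no login
 transport input telnet
 exec-timeout 0 0
!
end
"""

# Constructed sample: the same router after the fixes the slides recommend.
# The $1$ strings are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname R1
!
service password-encryption
enable secret 5 $1$placeholder$hash
username admin secret 5 $1$placeholder$hash
ip domain-name lammle.com
ip ssh version 2
!
line con 0
 login local
 exec-timeout 5 0
line aux 0
 no exec
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
!
end
"""


def parse_line_blocks(config: str) -> dict:
    """Map each 'line <name>' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_config(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]

    def has(prefix):
        return any(l.startswith(prefix) for l in top)

    if not has("enable secret"):
        findings.append("no enable secret configured")
    if has("enable password"):
        findings.append("enable password present (clear text or type 7); use enable secret")
    if not has("service password-encryption"):
        findings.append("service password-encryption is off; line passwords are stored in clear text")
    if not has("ip ssh version 2"):
        findings.append("ip ssh version 2 not set; SSH version 1 may be negotiated")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"username {m.group(1)}: 'password' keyword used; use 'secret'")

    for name, cmds in parse_line_blocks(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"line {name}: no login, connections get a prompt without a password")
        elif "login" in cmds and not has_password:
            findings.append(f"line {name}: login without a password, connections will be refused")
        if not name.startswith("vty"):
            continue  # the remaining checks only make sense for network-reachable lines
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if not transport or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"line {name}: Telnet not excluded ({transport or 'transport input not set'})")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"line {name}: exec-timeout 0 0, idle sessions never expire")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"line {name}: no access-class restricting source addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Point audit_config at the text of any saved configuration; the checks are deliberately prefix-based so that abbreviations IOS expands on save do not matter. The "Telnet not excluded" check treats an absent transport input as a finding because the default differs between IOS releases and an explicit transport input ssh is what the slide asks you to remember.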

44 Verifying SSH
To verify that the SSH server is enabled and view the version and configuration data for your SSH connection:
    R1# show ip ssh
To verify the status of your SSH server connections:
    R1# show ssh

45 Enable Passwords
Enable password:
    Router(config)# enable password lammle
Enable secret password:
    Router(config)# enable secret fido
The enable secret is hashed by default and supersedes the enable password if both are set.

Setting the enable password makes the router prompt for a password when you enter the enable command. The enable secret is hashed by default and supersedes the enable password. As a best practice, use the enable secret, since it is stored in the configuration as an MD5 hash (type 5). The other means of hiding passwords in the configuration (type 7, produced by service password-encryption) is a reversible encoding that can be decoded instantly with freely available tools, which matters most if configuration files are copied or leaked. Use of the enable secret is therefore recommended.

46 Encrypting your Passwords
Obfuscates your enable password and line passwords:
    Router(config)# service password-encryption
    Router(config)# exit
    Router# show running-config
    Router# config t
    Router(config)# no service password-encryption
service password-encryption rewrites the passwords in the configuration file as type 7 strings, including passwords that were configured before the service was enabled; run show running-config to see the result. Turning the service off again does not decode passwords that are already stored in type 7 form.

Remember that you can see all the passwords except the enable secret when performing a show running-config on a router. To hide them, use the service password-encryption global configuration command. Keep in mind that type 7 is not real encryption: it prevents casual over-the-shoulder reading and nothing more, so never rely on it for a configuration that leaves the router (backups, TFTP copies, attachments to tickets).
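The two slides above say that type 7 passwords "can be easily cracked" while the enable secret is a real hash. The following is an added example, not course material and not Cisco code, that shows concretely why: it implements the type 7 scheme, a fixed-key XOR whose key has been public for decades, in both directions and recovers every password 7 line from a configuration. The sample configuration fragment embedded in it is constructed for the demonstration; the two encoded values are the well-known encodings of "cisco" and are used here as test vectors.

```python
"""Encode and decode Cisco IOS type 7 passwords (the output of
'service password-encryption').

Added example for the CCNA password slides; it is neither course code nor
Cisco code.  Type 7 is a fixed-key XOR, so any 'password 7 <hex>' string
taken from a leaked configuration yields the clear-text password at once.
"""
import re

# The fixed key IOS uses for type 7; it has been public since the 1990s.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Turn the hex string after 'password 7' back into the clear-text password."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)       # first two digits: start position in the key
    body = bytes.fromhex(encoded[2:])   # the rest: one XORed byte per character
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def type7_encode(plain: str, offset: int = 8) -> str:
    """Produce a type 7 string as IOS would; IOS picks the 0-15 key offset at random."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be between 0 and 15")
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


def recover_type7(config: str) -> dict:
    """Map every 'password 7 ...' line in a configuration to its clear-text value."""
    return {m.group(0).strip(): type7_decode(m.group(1))
            for m in re.finditer(r"^\s*password 7 ([0-9A-Fa-f]+)\s*$", config, re.M)}


# Constructed sample: two lines as 'show running-config' prints them after
# service password-encryption has been enabled.
SAMPLE_CONFIG = """\
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 104D000A0618
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7(SAMPLE_CONFIG).items():
        print(f"{line:32} -> {clear}")
```

Running it prints "cisco" for both lines even though the two encoded strings look unrelated; only the two-digit offset differs. That is the whole reason the enable secret, and username ... secret, are preferred: they are one-way hashes, not an encoding with a known key.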

47 Exercise: draw a line from each item on the left to the matching answer on the right.

48 Chapter 1 Lab: Hands-on Lab 1.1

Open your lab books and complete hands-on lab 2.3.

49 Chapter 1 Continued: Configuring Router Interfaces

50 Configuring an Interface
Choosing an interface:
    R1(config)# interface type number        (fixed-configuration router)
    R2(config)# interface type slot/port     (modular router)
Examples:
    R1(config)# interface ethernet 0
    R2(config)# interface fastethernet 0/1
(figure: R1 with fixed interfaces e0 and fa0; R2 with modular interfaces e0/0 and fa0/1)

Some of the settings used to configure an interface are network layer addresses, media type, bandwidth and other administrator commands. Different routers use different methods to identify their interfaces. Most of today's routers are modular, so the syntax is interface type slot/port.

51 Adding IP Addresses continued

Interfaces on fixed series routers:
R1# config t
R1(config)# interface serial 0
R1(config-if)# ip address
R1(config-if)# interface e0
R1(config-if)# ip address

Even though you don't have to use IP on your routers, it's most often what people use. To configure IP addresses on an interface, use the ip address command from interface configuration mode. Note: the command ip address address mask starts IP processing on the interface.

52 Adding IP Addresses continued

Interfaces on modular series routers:
R1# config t
R1(config)# interface serial 0/0
R1(config-if)# ip address
R1(config-if)# int fa0/0
R1(config-if)# ip address

This slide demonstrates how to configure an IP address on 2600 router interfaces. Notice that the syntax for both of the different interfaces (serial and ethernet) is the same, though the commands used to access the interfaces are different. Don't forget which interface you are programming.

53 Adding IP Addresses continued

Interfaces on ISR series routers:
R1# config t
R1(config)# interface serial 0/0/0
R1(config-if)# ip address
R1(config-if)# int fa0/0
R1(config-if)# ip address

This slide demonstrates how to configure an IP address on ISR series router interfaces. Notice that the syntax for both of the different interfaces (serial and ethernet) is the same, though the commands used to access the interfaces are different. Don't forget which interface you are programming.

54 Adding IP Addresses continued

Secondary Addresses (not advised):
R1# config t
R1(config)# interface Ethernet 0
R1(config-if)# ip address
R1(config-if)# ip address secondary

(Figure: E0 carrying two subnets. Note: different subnets/broadcast domains on the same interface)

This slide shows how two hosts on the same LAN would need to go through a router to communicate, because the hosts think they are on different subnets! If you type another IP address and press Enter on a router interface, it will replace the existing IP address and mask. This is definitely a most excellent feature of the Cisco IOS. However, if you want to add a second subnet address to an interface, you have to use the secondary keyword. I really wouldn't recommend having multiple IP addresses on an interface because it's inefficient.

55 Serial Interface Clocking

(Figure: DTE router - CSU/DSU - DCE network - CSU/DSU - DTE router)
Clocking is typically provided by the DCE network to the routers.
In non-production environments, a DCE network is not always present.

Serial interfaces will usually be attached to a CSU/DSU type of device that provides clocking for the line. But if you have a back-to-back configuration (for example, one that's used in a lab/classroom environment), the data communication equipment (DCE) end of the cable must provide clocking. The type of cable plugged into the serial interface can be verified with the show controllers command. The clock present corresponds to the cable plugged in (DTE or DCE). If it's DCE, the clock rate command will be needed in a back-to-back configuration.

56 Configuring a Serial Interface

Set clock rate if needed:
R1# config t
R1(config)# interface serial 0
R1(config-if)# clock rate

Set interface bandwidth:
R1(config-if)# bandwidth 64
R1(config-if)# exit
R1(config)# exit

(Figure: DTE and DCE ends of the cable. The DCE side is determined by the cable; add clocking to the DCE side only.)
Note: show controllers will show the cable connection type. ISR routers auto-detect the cable type and set the clock rate to 2,000,000 by default.

By default, Cisco routers are all data terminal equipment (DTE) devices, so you must tell an interface to provide clocking if you need it to act like a DCE device. You configure a DCE serial interface with the clock rate command. The show controllers command displays information about the physical interface itself. It'll also give you the type of serial cable plugged into a serial port. Usually, this will only be a DTE cable that plugs into a type of data service unit (DSU).

R1# show controllers serial 0
Hd unit 0, idb = 0x121c04, driver structure at 0x
Buffer size 1524, hd unit 0, v35 DCE cable

The bandwidth and delay of an interface are used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost (path) to a remote network. So if you're using RIP routing, the bandwidth or delay setting of an interface is irrelevant, since RIP uses only hop count to determine that.

57 Disabling or Enabling an Interface

Disable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

Enable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

You can turn an interface off with the interface shutdown command, and turn it on with the no shutdown command. If an interface is shut down, it will display administratively down when using the show interface command. REMEMBER TO DO A NO SHUTDOWN COMMAND WHEN YOU HAVE CONFIGURED A DEVICE. THIS TRIPS UP MANY STUDENTS ON THE SIMULATION PORTION OF THE EXAM.

58 Verifying Your Changes

R1# show interface serial 0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 11112/24
  MTU 1500 bytes, BW 64 Kbit, DLY usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:09, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  (output cut)

(Slide callouts: "100% Reliable" points at rely 255/255; "No Load" points at load 1/255)

The show interface command reveals the hardware address (if a LAN interface), the logical address, and the encapsulation method, as well as statistics. Maximum Transmission Unit (MTU) shows how many bytes of data can be sent in each encapsulated packet. BW is 1544 kbps by default on serial interfaces; delay is 20,000 microseconds. If the link is 100% reliable, rely 255/255 will be shown. If the link is basically at no load, load 1/255 will be displayed. The encapsulation on a serial interface is HDLC by default. The loopback can be set to test the link, and the keepalive is 10 seconds by default. This is a Data Link layer keepalive that is sent between routers. If the timers are not exactly the same, the Data Link layer will not come up.

59 Interpreting Interface Status

R1# show interfaces serial 1
Serial1 is up, line protocol is up
(The first "up" is Carrier Detect (Physical); the second is Keepalives (Data Link))

Operational: Serial1 is up, line protocol is up
Connection problem: Serial1 is up, line protocol is down
Interface problem: Serial1 is down, line protocol is down
Disabled: Serial1 is administratively down, line protocol is down

The most important statistic of the show interface command is the output of the line and data-link protocol status. If the output reveals that serial 1 is up and the line protocol is up, then the interface is up and running. The first "up" in this example shows carrier detect from the CSU/DSU. The second "up" shows keepalives from the remote router. Another thing to confirm is the state of the signals. This is shown at the bottom of the output, and on most serial interfaces can also be seen on the router's serial interface as a series of green lights. Usually, when the router interface is up and normal, all of the signals will show as up.

60 Show ip interface brief

R1# show ip interface brief
Interface     IP-Address   OK?  Method  Status                 Protocol
FastEthernet0/             YES  manual  up                     up
FastEthernet0/             YES  DHCP    up                     up
Serial0/0/                 YES  manual  up                     up
Serial0/0/1   unassigned   YES  unset   administratively down  down

This command is used to get a quick view of the status of all interfaces configured on the router. The Status and Protocol fields are quick indicators of the state of the interface. When you are troubleshooting, if you see the status as administratively down, you need to perform a no shutdown on the interface to bring it administratively up.

61 Which issue on the left corresponds to the router output on the right?

Issues:
Layer 1 problem
Layer 2 problem
Layer 3 problem
Port operational
Port disabled

Router output:
Serial 0/1 is up, line protocol is up
Serial 0/1 is up, line protocol is down
Serial 0/1 is down, line protocol is down
Serial 0/1 is administratively down, line protocol is down
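The status-line readings on the last three slides can be checked mechanically. This is an added example, not course material: it classifies the first line of show interfaces output into the slides' categories and then runs the same logic over a constructed show ip interface brief table (addresses and interface names are made up). A Layer 3 problem is not visible in these fields, so an up/up interface is reported as operational even if its addressing is wrong.

```python
"""Classify Cisco interface status the way the slides do.

Added example, not from the course. Sample output below is constructed.
"""
import re

# First line of 'show interfaces': "<name> is <status>, line protocol is <proto>"
STATUS_RE = re.compile(
    r"^(?P<name>\S+(?: \S+)?) is (?P<status>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)$"
)


def classify_status(line: str) -> str:
    """Return the troubleshooting verdict for one status line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised status line: {line!r}")
    status, proto = m.group("status"), m.group("proto")
    if status == "administratively down":
        return "Port disabled (needs no shutdown)"
    if status == "down":
        # No carrier detect from the CSU/DSU: cable, DSU or remote end.
        return "Layer 1 problem (no carrier detect)"
    if proto == "down":
        # Carrier is present but keepalives are not being exchanged.
        return "Layer 2 problem (no keepalives: encapsulation or clocking)"
    return "Port operational"


# Constructed 'show ip interface brief' output (addresses are made up).
SAMPLE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.0.2.1       YES manual up                    up
FastEthernet0/1        192.0.2.129     YES DHCP   up                    up
Serial0/0/0            198.51.100.1    YES manual up                    down
Serial0/0/1            unassigned      YES unset  administratively down down
"""

BRIEF_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)


def brief_problems(output: str) -> dict:
    """Map every non-operational interface in the table to its verdict."""
    problems = {}
    for row in output.splitlines()[1:]:   # skip the header row
        m = BRIEF_RE.match(row)
        if not m:
            continue
        line = f"{m['name']} is {m['status']}, line protocol is {m['proto']}"
        verdict = classify_status(line)
        if verdict != "Port operational":
            problems[m["name"]] = verdict
    return problems


if __name__ == "__main__":
    for name, verdict in brief_problems(SAMPLE_BRIEF).items():
        print(f"{name}: {verdict}")
```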

62 Erasing NVRAM on a Router

Erasing a router configuration:
R1(config)# exit
R1# erase startup-config
Erasing the nvram will remove all the files! Continue?
OK
Erase of nvram complete

You can delete the startup-config file by using the erase startup-config command. This command is recommended if the router is being re-deployed or decommissioned and you want to make sure none of the old configuration elements are present when it either comes back online or is decommissioned. Once the configuration is erased, the user will be prompted to enter setup commands as if the router had come from the factory. The write erase command is another command that performs the same function.

63 Draw a line from the left to the answer on the right

Commands:
# configure term
(config-if)# ip address /24
(config-if)# ip address
(config)# ip address
(config)# interface fa0/0
(config-if)# no shutdown
(config-if)# enable interface
# enable
> enable

Actions:
Enter privileged EXEC mode
Enter global config mode
Enter interface config mode
Configure the interface IP address
Enable the interface

64 Chapter 1 Lab

Hands-on Lab 12

Open your lab book and complete hands-on lab 24.

65 Introduction to Cisco Catalyst Switches (Chapter 1 Continued)

This section will introduce you to Cisco Catalyst IOS switches and how to set an IP address on the switch so it can be managed in-band. When Cisco talks about switching, they really mean layer-2 switching unless they say otherwise. Layer-2 switching is the process of using the hardware addresses of devices on a LAN to segment a network. Switching will be explained in detail in a later chapter.

66 Catalyst Switches

If POST completes successfully, the system LED turns green.
If POST fails, the system LED turns amber. This is typically fatal.

The 2950 comes in a bunch of flavors, and runs 10 Mbps all the way up to 1 Gbps switched ports, with either twisted-pair or fiber. It can be a layer 3 switch, and runs what is known as Catalyst IOS. This operating system is very similar to Cisco IOS running on a router, and all ports are treated as interfaces. The 3550 and 3750 switches can provide layer 3 services; the 2950 cannot.

67 Hubs (Physical)

(Figure: hosts A, B, C and D connected to one hub)
All devices are in the same collision domain.
All devices are in the same broadcast domain.
Devices share the same bandwidth.

Hubs just connect network segments together.

68 Switches/Bridges (Layer 2)

(Figure: hosts attached to a switch with straight-through cables; switch-to-switch link with a crossover cable)
Each segment has its own collision domain.
All segments are in the same broadcast domain.
Dedicated bandwidth when only one host is connected to a switch port.

Switches/bridges break up collision domains, but create one large broadcast domain by default.

69 Switches Supersede Bridges

(Figure: a hub on Segment 1 and a hub on Segment 2, connected through a switch to the Internet)
Operate at Layer 2 of the OSI model.
Forward, filter, or flood frames.
Have many ports.
Bridges/switches learn MAC addresses by examining the source MAC address of each frame received.

Layer-2 switching is hardware based, which means it uses the MAC address from the host's NIC to filter the network. Unlike bridges, which use software to create and manage a filter table, switches use application-specific integrated circuits (ASICs) to build and maintain their filter tables. But it's still okay to think of a layer-2 switch as a multiport bridge, because their basic reason for being is the same: to break up collision domains. Layer-2 switches and bridges are faster than routers because they don't take time looking at the Network layer header information. Instead, they look at the frame's hardware addresses before deciding to either forward the frame or drop it. Switches create private dedicated domains and don't share bandwidth like a hub would.

70 LAN Switch Features

Dedicated communication between devices.
Multiple simultaneous conversations.
Full-duplex communication.
Media-rate adaptation (figure: a 100 Mb port and a 10 Mb port on the same switch).

LAN switches provide many features, including dedicated connections between an end node and the switch, allowing for a much smaller collision domain and the capability to run at full duplex.

71 Three Switch Functions

Address learning
Forward/filter decision
Loop avoidance

There are three distinct functions of layer-2 switching: address learning, forward/filter decisions, and loop avoidance.

72 Learning Host Locations

(Figure: hosts A, B, C and D, with MAC addresses beginning 02608c, attached to switch ports E0, E1, E2 and E3; the initial MAC address table is empty)

When a switch is first powered on, the MAC forward/filter table is empty. When a device transmits and an interface receives a frame, the switch places the frame's source address in the MAC forward/filter table, allowing it to remember which interface the sending device is located on. The switch then has no choice but to flood the network with this frame, because it has no idea where the destination device is actually located.

73 How Switches Filter Frames

(Figure: MAC address table with entries for E0, E1, E2 and E3 (addresses beginning 02608c); station A on E0 sends a frame to station C on E2; ports E1 and E3 are marked X)
Station A sends a frame to station C.
The destination is known, so the frame is not flooded.

When the switch is powered on, it has nothing in its MAC address forward/filter table. But when the hosts start communicating, the switch places the source hardware address of each frame in the table along with the port that the address corresponds to.

74 Broadcast and Multicast Frames

(Figure: MAC address table with entries for E0, E1, E2 and E3 (addresses beginning 02608c); station D on E3 sends a broadcast or multicast frame)
Station D sends a broadcast or multicast frame.
Broadcast and multicast frames are flooded to all ports other than the originating port.

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface. The switch doesn't transmit the frame out any interface except the destination interface. This preserves bandwidth on the other network segments and is called frame filtering. But if the destination hardware address isn't listed in the MAC database, then the frame is flooded out all active interfaces except the interface the frame was received on. If a device answers, the MAC database is updated with the device's location (interface). If a host or server sends a broadcast on the LAN, the switch will forward the frame out all active ports by default. Remember, the switch only creates smaller collision domains; it's still one large broadcast domain by default.
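Slides 72 through 74 describe one process: learn the source, forward known unicasts out a single port, filter frames that would go back out the ingress port, and flood everything else. The simulation below is an added example, not course code; the port names and MAC addresses are constructed, and the hub on E1 (two hosts sharing one port) is added to show filtering.

```python
"""Simulate layer-2 switch learning, forwarding, filtering and flooding.

Added example, not part of the course. Ports and MACs are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast: the I/G bit (LSB of octet 1) is set."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class Switch:
    ports: list
    mac_table: dict = field(default_factory=dict)   # MAC -> port learned on

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Process one frame and return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # 1. Address learning: the source tells us where the sender lives.
        if not is_group_address(src):
            self.mac_table[src] = in_port
        # 2. Forward/filter: a known unicast leaves by exactly one port;
        #    if that port is the ingress port the frame is filtered (dropped).
        if not is_group_address(dst) and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        # 3. Unknown unicast, broadcast and multicast are flooded out every
        #    active port except the one the frame arrived on.
        return [p for p in self.ports if p != in_port]


def demo() -> dict:
    """Replay the slide scenario; returns each step's egress ports."""
    sw = Switch(ports=["E0", "E1", "E2", "E3"])
    a, b, c, d = "0260.8c01.1111", "0260.8c02.2222", "0260.8c03.3333", "0260.8c04.4444"
    b2 = "0260.8c02.9999"     # second host on the hub behind E1
    steps = {}
    steps["A->C unknown"] = sw.receive("E0", a, c)          # C unknown: flooded
    steps["C->A reply"] = sw.receive("E2", c, a)            # A known: E0 only
    steps["A->C known"] = sw.receive("E0", a, c)            # C now known: E2 only
    steps["D broadcast"] = sw.receive("E3", d, BROADCAST)   # flood except E3
    steps["B2->B unknown"] = sw.receive("E1", b2, b)        # B unknown: flooded
    steps["B->B2 same segment"] = sw.receive("E1", b, b2)   # B2 is on E1: filtered
    return steps


if __name__ == "__main__":
    for step, egress in demo().items():
        print(f"{step:22s} -> {egress or 'filtered'}")
```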

75 show mac-address-table

Switch-1# show mac address-table
Dynamic Addresses Count: 3
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total Mac Addresses: 50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
00100de0e289         Dynamic       1     FastEthernet0/
b                    Dynamic       2     FastEthernet0/
b                    Dynamic       2     FastEthernet0/2

S1 needs to forward a frame with an address of 00b0d056efa4. What will the switch do with this frame?

What would the switch do if it received a frame whose source address was 00b0d056efa4? It would place the address in the MAC address table, with the destination port being the port the frame was received on.

76 Connecting Switches together

(Figure: two switches joined by a crossover cable)
When connecting a cable into a switch, at first the link lights are orange, then they turn green, indicating normal operation. Why?

You would use a crossover cable to connect switches together. A crossover cable has the following pins crossed:
1 to 3
2 to 6
3 to 1
6 to 2
The lights turn orange for 50 seconds because of the Spanning-Tree Protocol (STP), which is covered later in this course. This behavior does depend on the type of switches being interconnected, their speed and duplex settings, and their spanning tree configuration. Care and caution should be exercised when interconnecting switches so as not to introduce loops in the network topology, to limit the broadcast domain, and not to substantially oversubscribe the uplink ports. STP is covered in detail later in the course.

77 Do switches need an IP Address?

(Figure: two switches joined by a crossover cable, with three hubs connected to a switch)
Which type of Ethernet cable is used to connect the hubs to the switch?

No, switches do not need an IP address. We would add an IP address to a switch only for management purposes, and it is configured under the VLAN 1 interface (or the management VLAN), NOT on a physical interface. This can also take the form of an sc0 interface in the case of switches running Catalyst OS. To connect a hub to a switch, you would use a crossover cable. Why not a straight-through?

78 What is the default gateway address for the hosts?

(Figure: hosts on a switch, with the router's E0 interface as the exit from the LAN; E0's address is the gateway)
Both the hosts and the switch would use the router's E0 address as their default gateway.

The default gateway address of the hosts (which allows them to send packets out of the local network) is always set to a router or layer 3 network address. The layer 2 switch usually does not perform any routing functions, and would not be able to route the packet if it were directed to its IP address. The switch, when sending packets out of the local network for management purposes only, needs a default gateway address set to the router as well, just like a host would. Remember, the IP address and default gateway set on the switch have nothing to do with a host sending packets out of the local network. Think of the switch's configuration in the same way as any host that does not route traffic. The switch simply breaks up collision domains for the local network, and the router is used to connect networks together.

79 Configuring the Switch IP Address

Configures an IP address and subnet mask for the switch:
Switch(config)# interface vlan 1
Switch(config-if)# ip address
Switch(config-if)# no shutdown
Switch(config-if)# exit

Configures the default gateway for the switch:
Switch(config)# ip default-gateway

The rest of the commands are similar to a router's IOS, i.e. copy run start, erase start, show run, passwords, etc.

The IP address is configured differently on the Catalyst switches than it is on any router: you actually configure it under the VLAN 1 interface. Remember that every port on every switch is a member of VLAN 1 by default. This really confuses a lot of people; you'd think that you would set an IP address under a switch interface, but no, that's not where it goes! Remember that you set an IP address for the switch so you can manage the switch in-band (through the network). You set the ip default-gateway command so that you can manage the switch from outside the local network. Remember to also perform a no shut under the VLAN interface.

80 Testing your understanding

As is true on routers, both the 2950's and 3550's configurations are stored in NVRAM. You save the configuration with the copy running-config startup-config command, and you can erase the contents of NVRAM with the erase startup-config command. On a Catalyst OS switch:
Switch (enable)>clear config all
Switch (enable)>reset

81 show running-config

Switch# sh running-config
Building configuration
[output cut]
!
interface Vlan1
 ip address
!
ip default-gateway
!

The show running-config command displays the active configuration.

82 Chapter 1 Lab

Hands-On Lab 13 & 14

Open your lab books and complete labs 25 and 26.

83 Chapter 1 Summary

Cisco routers provide a command line interface (CLI).
There are two modes: User EXEC and Privileged EXEC.
The enable command is used to enter Privileged EXEC mode from User EXEC mode.
Routers contain four types of memory:
  RAM (Random Access Memory)
  ROM (Read Only Memory)
  Flash
  NVRAM (Non-Volatile RAM)
Learned CTRL and ESC sequences to manipulate the command line.
Learned the startup sequence of the router.

84 Chapter 1 Summary (cont)

Learned how to manipulate / store / restore the router configuration file.
There are several passwords on a Cisco router that control access. Examples are as follows:
  enable
  enable secret
  line VTY # (telnet access)
  console
  auxiliary
Unencrypted passwords can be encrypted in the configuration file so they are not seen as clear text.
Banners can be used to display messages.
The default configuration register setting is 0x2102 (0x2142 is used for password recovery).

85 Security: Chapter 6

The proper use and configuration of access lists is a vital part of router configuration, because access lists are such versatile networking accessories. Contributing mightily to the efficiency and operation of your network, access lists give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, managers can gather basic statistics on packet flow, and security policies can be implemented. Sensitive devices can also be protected from unauthorized access.

86 Common Threats to Physical Installations

Hardware threats
Environmental threats
Electrical threats
Maintenance threats

What should be part of a comprehensive network security plan?
*Physically secure network equipment from potential access by unauthorized individuals.

87 Common Attacks

Denial of Service (DoS): a flood of packets that are requesting a TCP connection to a server.
(Figure: a "Bad Guy" on the Internet sends SYN packets to the lammle.com server 65,000 times; the server answers with ACKs and crashes)

88 Security Appliances

IDS: An intrusion detection system is used to detect several types of malicious behavior that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms).

IPS: An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.

89 Why Use ACLs?

Filtering: Manage IP traffic by filtering packets passing through a router.
Classification: Identify traffic for special handling.

An access list is a mechanism for identifying particular traffic. One application of an access list is filtering traffic into or out of a router interface.

90 ACL Applications: Filtering

Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.

This figure illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols. An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.

91 Types of IP ACLs

Standard ACL:
  Checks the source address.
  Generally permits or denies the entire protocol suite.
Extended ACL:
  Checks source and destination addresses.
  Generally permits or denies specific protocols and applications.

Two methods are used to identify standard and extended ACLs:
  Numbered ACLs use a number for identification.
  Named ACLs use a descriptive name or number for identification.

92 How to Identify ACLs

Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range ( ).
Numbered extended IPv4 lists ( ) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range ( ).
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

With Cisco IOS 12.0, the IP access-list range has been expanded to also include:
< > IP standard access list (expanded range)
< > IP extended access list (expanded range)

93 IP Access List Entry Sequence Numbering

Requires Cisco IOS Release 12.3.
Allows you to edit the order of ACL statements using sequence numbers. In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, and the statements are then copied into the router in the correct order.
Allows you to remove a single ACL statement from the list using a sequence number. With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement. With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.

94 ACL Configuration Guidelines

Standard or extended indicates what can be filtered.
Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
When placing ACLs in the network:
  Place extended ACLs close to the source.
  Place standard ACLs close to the destination.

95 Dynamic ACLs

(Figure: 1. Use Telnet to connect to the router and authenticate. 2. Use FTP, HTTP, etc. to connect to the server.)
Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

96 Reflexive ACLs

(Figure: on S0, inbound traffic initiated outside is blocked; inbound traffic in response to sessions initiated inside is allowed)
Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.

97 Time-Based ACLs

Time-based ACLs: Allow for access control based on the time of day and week.

98 Access List Applications

Typical uses for access lists:
  Permit or deny packets moving through the router.
  Permit or deny vty access to or from the router.
  Stop basic user data.
  Without access lists, all packets could be transmitted onto all parts of your network.
Advanced uses for access lists:
  Priority and custom queuing
  Dial-on-Demand Routing (DDR)
  Route table filtering
  Classify network traffic

This figure illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols. An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions. Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet (VTY) access to or from a router, and define the dial-on-demand "interesting traffic" that triggers dialing to a remote location.

99 Wildcards Review

(Figure: a router with interfaces E0 and S0, an incoming and an outgoing packet, and two wildcard examples: one that specifies this host and one that specifies this network)
You must remember your block sizes: 128, 64, 32, 16, 8 and 4.

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; block sizes are used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.

100 Wildcard Masks
The wildcard is always one less than the block size: in the octet where the mask boundary falls, a block size of 64 gives a wildcard value of 63, a block size of 4 gives 3, and so on.
[Table: subnet mask, prefix length and matching wildcard mask for each block size]

This is a review of wildcard masks, as first discussed when configuring OSPF. You really need to know these!!

101 Access List Command Overview
Standard IP access list commands:
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Router(config-if)# {protocol} access-group access-list-number {in | out}

Example standard IP access list commands:
Router(config)# access-list 10 permit host
Router(config)# access-list 10 permit
Router(config)# access-list 10 permit
Router(config)# int e0
Router(config-if)# ip access-group 10 in

This slide demonstrates a basic standard access list. Each of the three test statements says the same thing; the slide shows three different ways to specify a single host (the host keyword, the address followed by a 0.0.0.0 wildcard, and the bare address, which a standard list treats as having a 0.0.0.0 wildcard).

102 Wildcard Example 1
[Figure: Internet on S0; E0 and E1 LAN segments, both /24]
access-list 10 deny
access-list 10 permit any
int e1
ip access-group 10 out

This example denies every host on the network named in the deny statement from exiting interface E1.

103 Wildcard Example 2
[Figure: Internet on S0; E0 and E1 LAN segments, both /24]
access-list 10 deny
access-list 10 permit any
int e1
ip access-group 10 out

This example stops only the single host named in the deny statement from exiting interface E1.

104 Wildcard Example 3
[Figure: Internet on S0; E0 and E1 LAN segments, one /24 and one /26]
access-list 10 deny
access-list 10 permit any
int e1
ip access-group 10 out

This example denies every host on the /26 subnet named in the deny statement from exiting interface E1.

105 Wildcard Question
You have the following four test statements:
access-list 10 permit
access-list 10 permit
access-list 10 permit
access-list 10 permit
What one statement can replace these four?

Answer: access-list 10 permit
A single statement can replace them only because the four networks are contiguous and start on a block-size boundary, so one base address and one wildcard cover exactly those networks and nothing more.
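An added example, not part of the course book, that makes the block-size rule and the summarization question concrete: it derives the wildcard for a prefix length, applies the router's wildcard test to an address, and checks whether four statements collapse into one. The networks are constructed for the illustration (the slide's own addresses are not reproduced here), and it also covers the case the slide does not show, four contiguous networks that are not aligned and therefore cannot be expressed as one statement.

```python
import ipaddress
from typing import List, Optional


def block_size(prefix_len: int) -> int:
    """Block size in the octet where the mask boundary falls.

    /26 -> 64, /27 -> 32, /30 -> 4.  A prefix that ends on an octet
    boundary (/24) gives 256: the whole next octet is "don't care".
    """
    return 2 ** (8 - prefix_len % 8)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: the bitwise inverse of the
    subnet mask, so the interesting octet holds block size minus one."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """The router's test: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that bit of the packet address must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def to_statement(net: ipaddress.IPv4Network) -> str:
    """Render a CIDR network as the 'base wildcard' pair an ACL line uses."""
    return f"{net.network_address} {net.hostmask}"


def summarize(cidrs: List[str]) -> Optional[str]:
    """Return one 'base wildcard' pair that covers exactly the given
    networks, or None if no single statement can.

    A wildcard can only express an aligned power-of-two block, so four
    /24s collapse into one line only when they start on a /22 boundary.
    """
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) != 1:
        return None
    return to_statement(collapsed[0])


# Constructed networks for the illustration (not the slide's addresses).
ALIGNED = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
MISALIGNED = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24", "172.16.4.0/24"]

if __name__ == "__main__":
    for plen in (25, 26, 27, 28, 29, 30):
        print(f"/{plen}: block {block_size(plen):3d}, wildcard {wildcard_for_prefix(plen)}")
    print("aligned    ->", summarize(ALIGNED))     # one statement covers all four
    print("misaligned ->", summarize(MISALIGNED))  # None: needs more than one line
    print(matches("172.16.1.77", "172.16.1.64", "0.0.0.63"))
```

The misaligned case is the one to remember when "summarizing" a list by hand: a wildcard that looks like it covers four networks may silently cover eight, so check the result with the matching test rather than by eye.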

106 Applying Access Lists to a VTY Line
[Figure: router with physical port e0 and virtual ports (Telnet), typically vty 0 through 4]
Set up an IP address filter with a standard access list statement.
Use line configuration mode to filter access with the access-class command.
You should set identical restrictions on all vty lines: any vty line left without the access-class is reachable from anywhere, so apply it to the full range (line vty 0 4, or 0 15 where the platform has more lines).

When you apply an access list to the VTY lines, you don't need to specify the Telnet protocol, since access to the VTY implies terminal access. You also don't need to specify a destination address, since it really doesn't matter which interface address the user used as a target for the Telnet session. You really only need to control where the user is coming from: their source IP address. Nice!

107 Virtual Terminal Access Example
Create the access list:
Router(config)# access-list 10 permit
Apply it to all VTY lines:
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in

The above example permits only hosts in the listed network to connect to the router's VTY lines; every other source is dropped by the implicit deny at the end of the list.

108 Chapter 6 Lab
Hands-on Labs 6.1 and 6.2

Open your lab books and complete labs 6.1 and 6.2.

109 Standard versus Extended Access Lists
Standard:
- Filters based on source address
- Permits or denies the entire TCP/IP protocol suite
- Range is 1-99 and 1300-1999
Extended:
- Filters based on source and destination address
- Specifies a specific IP protocol and port number
- Range is 100-199 and 2000-2699

Standard access lists use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols; they don't distinguish between any of the many types of IP traffic such as WWW, Telnet, UDP, etc.
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet: the IP source address, the IP destination address, the protocol field in the network-layer packet, and the port number in the transport-layer segment.

110 Extended Access List Example
[Figure: router with E0, S0 and E1; source and destination subnets]
access-list 101 deny tcp eq 21
access-list 101 deny tcp eq 20

This slide shows an example of an extended IP access list. It denies FTP (port 21 is FTP control and port 20 is FTP data) from one subnet to the other. Actually, since there is an implicit deny at the end of every access list, this access list denies all packets, because there is NO permit statement.
Note: if access list 101 were applied to an interface, all traffic, either inbound or outbound (depending on how the ACL was applied), would be denied.
Denying destination port 20 adds little in practice: in active FTP the server opens the data connection itself from source port 20, and in passive FTP the data channel uses a negotiated high port, so the deny on port 21 is what actually stops the sessions.

111 Extended Access List Example
[Figure: router with E0, S0 and E1; source and destination subnets]
access-list 101 deny tcp eq 21
access-list 101 deny tcp eq 20
access-list 101 permit ip any any
(access-list 101 deny ip any any)

Don't forget to include the permit statement to permit all other IP traffic. The parenthesized line is the implicit deny that ends every list; it is never shown in the configuration. Access list 101 could be applied inbound to interface E1 or outbound to interface E0.

112 Extended Access List Example
[Figure: router with E0, S0 and E1; source and destination subnets]
access-list 101 deny tcp eq 21
access-list 101 deny tcp eq 20
access-list 101 permit ip any any
interface ethernet 1
ip access-group 101 in

113 Extended Access List Example
[Figure: router with E0, S0 and E1]
access-list 101 deny tcp host eq 23
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in

This slide demonstrates an extended access list that stops anyone on the listed network from telnetting to the named host.

114 Extended Access List Example
[Figure: router with E0, S0 and E1]
access-list 101 deny tcp any eq www log
access-list 101 permit ip any
interface ethernet 0
ip access-group 101 in

This slide demonstrates an extended access list that stops anyone on the listed network from using HTTP to any destination. The log keyword makes the router log each packet that matches the deny, so blocked attempts are visible rather than silently dropped.

115 Extended Access List Example
[Figure: LAN_A router (E0, S0 as DCE) linked over serial to LAN_B router (S1, E0); Sales LAN and Marketing LAN, both /24, with hosts C, D, E and F]
You want to stop users from the Sales LAN entering the Marketing LAN. What access list would you create, and to what interface would you apply it?

Extended, on the LAN_A router:
access-list 110 deny ip
access-list 110 permit ip any any
int e0
ip access-group 110 in
OR
Standard, on the LAN_B router:
access-list 10 deny
access-list 10 permit any
int e0
ip access-group 10 out

The two placements follow the usual rule: an extended list can name both source and destination, so it can sit close to the source and drop the traffic before it crosses the WAN; a standard list matches only the source, so it must sit as close to the destination as possible or it will cut Sales off from everything, not just Marketing.

116 Access List Configuration Guidelines
The order of ACL statements is crucial.
Recommended: use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
Top-down processing is important: place the more specific test statements first.
Statements cannot be rearranged or removed; use the no access-list number command to remove the entire ACL. Exception: named ACLs permit removal of individual statements.
The implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.

Guidelines:
- Access list numbers indicate which protocol is filtered.
- One access list per interface, per protocol, per direction is allowed.
- The order of access list statements controls testing; place the most restrictive statements at the top of the list.
- There is an implicit deny any statement as the last access list test.
- Every list needs at least one permit statement.
- Create access lists before applying them to interfaces.
- Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Be careful with the delete-and-repaste method: while a numbered list is deleted, the interface still references it, and an access group that points at a list with no entries permits everything. Remove the list from the interface first, or edit a named list in place.
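An added example (mine, not the course book's or Cisco's) that models what the router does with the lists on the preceding slides: it parses numbered standard and extended statements, applies them top-down with first match wins and the implicit deny, and counts matches per line. It illustrates the deny-only list from slide 110, which drops everything because nothing permits, and the ordering rule on this slide, where a permit ip any any placed first makes every later deny unreachable. The addresses are constructed for the illustration; the standard-list path is also the test that access-class applies to a VTY session's source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords accepted after "eq" (the ones used on these slides).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol; otherwise "tcp", "udp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]  # destination port after "eq"; None means any port
    hits: int = 0         # the "(N matches)" counter that show access-lists prints


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _is_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _addr_spec(t: List[str], i: int):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare 'A'
    (which a standard list treats as 'A 0.0.0.0').  Returns (base, wc, next)."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1


def parse_statement(line: str) -> Entry:
    """Parse one numbered 'access-list N ...' line, standard or extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:    # standard: source only
        src, src_wc, _ = _addr_spec(t, 3)
        return Entry(action, "ip", src, src_wc, ANY[0], ANY[1], None)
    proto = t[3]                                     # extended: proto, src, dst, port
    src, src_wc, i = _addr_spec(t, 4)
    dst, dst_wc, i = _addr_spec(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, dport)  # trailing "log" ignored


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; a packet matching no line hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wc_match(pkt.src, e.src, e.src_wc) or not wc_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        e.hits += 1
        return e.action
    return "deny"  # implicit deny ip any any, never shown in the configuration


def build(lines: List[str]) -> List[Entry]:
    return [parse_statement(line) for line in lines]


# Constructed addresses for the illustration (not the slides' own).
DENY_ONLY = [
    "access-list 101 deny tcp 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255 eq 20",
]
WITH_PERMIT = DENY_ONLY + ["access-list 101 permit ip any any"]
SHADOWED = ["access-list 101 permit ip any any"] + DENY_ONLY  # permit first: denies never fire

if __name__ == "__main__":
    ftp = Packet("tcp", "172.16.10.7", "172.16.20.5", 21)
    web = Packet("tcp", "172.16.10.7", "172.16.20.5", 80)
    print(evaluate(build(DENY_ONLY), web))                                    # deny
    print(evaluate(build(WITH_PERMIT), ftp), evaluate(build(WITH_PERMIT), web))  # deny permit
    print(evaluate(build(SHADOWED), ftp))                                     # permit
```

Running the same packet through WITH_PERMIT and SHADOWED is the quickest way to see why "more specific first" matters: the statements are identical, only their order differs, and the FTP packet flips from deny to permit. The hits counter on each Entry mirrors the match count in show access-lists, so a deny line whose counter stays at zero while the traffic is known to flow is the same signal on a real router.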

117 Named Access Lists
Instead of using numbers, you can use names to configure your access lists. Here is an example:
ip access-list standard Lammle
permit host 1.1.1.1
interface ethernet 0
ip access-group Lammle in

Named access lists are just another way to create standard and extended access lists. In medium to large enterprises, management of access lists can become, well, a real hassle over time. For example, when you need to make a change to an access list, a frequent practice is to copy the access list to a text editor, change the number, edit the list, then paste the new list back into the router. Named access lists allow you to use names to both create and apply either standard or extended access lists. There is nothing new or different about these access lists aside from being able to refer to them in a way that makes sense to humans. However, you do not need to delete a named access list in order to make changes; this is one of the best benefits of named access lists.

118 Named Standard ACL Example
RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host
RouterX(config-std-nacl)# permit
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out
Deny a specific host

The single host named in the deny statement is blocked from going out on E0 to the attached subnet, while the rest of its subnet is permitted by the second statement. The arrow in the figure indicates that the list is applied as an outbound access list.

119 Named Extended ACL Example
RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out
Deny Telnet from a specific subnet

Telnet requests (TCP port 23) initiated by hosts on the listed subnet are blocked going out on E0 to any destination; all other IP traffic is permitted. The arrow in the figure indicates that the list is applied as an outbound access list.

120 Commenting ACL Statements
RouterX(config)# ip access-list {standard | extended} name
Creates a named ACL
RouterX(config-{std- | ext-}nacl)# remark remark
Creates a named ACL comment
Or
RouterX(config)# access-list access-list-number remark remark
Creates a numbered ACL comment

121 Monitoring ACL Statements
RouterX# show access-lists {access-list-number | name}
RouterX# show access-lists
Standard IP access list SALES
 10 deny 10110, wildcard bits
 permit
 permit
 permit
Extended IP access list ENG
 10 permit tcp host any eq telnet (25 matches)
 20 permit tcp host any eq ftp
 30 permit tcp host any eq ftp-data
Displays all access lists

This is the most consolidated method for seeing several access lists. The implicit deny all statement is not displayed unless it is explicitly entered in the access list. The match counters in parentheses are the quickest check that a list is actually seeing traffic; a deny line that never accumulates matches while the traffic is known to flow is worth a second look at placement and direction.

122 Verifying Access Lists
Todd# show ip int e0
Ethernet0 is up, line protocol is up
 Internet address is /24
 Broadcast address is
 Address determined by setup command
 MTU is 1500 bytes
 Helper address is not set
 Directed broadcast forwarding is disabled
 Outgoing access list is not set
 Inbound access list is 1
 Proxy ARP is enabled
 Security level is default
 Split horizon is enabled
 ICMP redirects are always sent
 ICMP unreachables are always sent
 ICMP mask replies are never sent
 IP fast switching is enabled
 <output cut>
Lists IP interface information and indicates whether outgoing and/or inbound access lists are set.

Review the output of the show ip interface command. The highlighted text shows the access list settings in the show command output.

123 Monitoring Access List Statements
Todd# show {protocol} access-list {access-list-number}
Todd# show access-lists {access-list-number}
Todd# show access-lists
Standard IP access list 1
 permit
 permit
 permit
 permit
Extended IP access list 101
 permit tcp host any eq telnet
 permit tcp host any eq ftp
 permit tcp host any eq ftp-data

show access-list: displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110: shows only the parameters for access list 110. This command does not show you the interface the list is set on.
show ip access-list: shows only the IP access lists configured on the router.
show ip interface: shows which interfaces have access lists set.
show running-config: shows the access lists and which interfaces have access lists set.

124 Remember!
To view the contents of all access lists, use the command: show access-lists
To see which interface has an access list set (the placement and direction of an IP access list on a router), use: show ip interface
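An added example (not from the course book) that turns the verification advice above into a check: it parses show ip interface output and reports which interfaces have a list applied in which direction, which up interfaces have none at all, and where a given list is applied. The output block is a constructed sample in the IOS layout, not a capture from a real router.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "show ip interface" output (not from the course book);
# the layout follows IOS, including the two spaces in "Inbound  access list".
SAMPLE = """\
Ethernet0 is up, line protocol is up
  Internet address is 172.16.10.1/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is enabled
Serial0 is up, line protocol is up
  Internet address is 10.1.1.1/30
  Outgoing access list is not set
  Inbound  access list is not set
Ethernet1 is administratively down, line protocol is down
  Internet address is 172.16.20.1/24
  Outgoing access list is 10
  Inbound  access list is not set
"""

_IFACE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (\S+)")
_ACL = re.compile(r"^\s*(Inbound|Outgoing)\s+access list is (.+?)\s*$")


def parse_show_ip_interface(text: str) -> Dict[str, dict]:
    """Map each interface to its status and the ACL applied in each direction
    (None where the router prints 'not set')."""
    result: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "inbound": None, "outbound": None}
            continue
        m = _ACL.match(line)
        if m and current is not None:
            direction = "inbound" if m.group(1) == "Inbound" else "outbound"
            value = m.group(2)
            result[current][direction] = None if value == "not set" else value
    return result


def unfiltered_interfaces(parsed: Dict[str, dict]) -> List[str]:
    """Interfaces that are up and carry no ACL in either direction: the first
    thing to check when a list 'isn't working', since a list that exists in
    the configuration but is applied nowhere filters nothing."""
    return [name for name, info in parsed.items()
            if info["status"] == "up" and info["inbound"] is None and info["outbound"] is None]


def interfaces_using(parsed: Dict[str, dict], acl: str) -> List[str]:
    """Each 'interface direction' where the given list is applied; empty if nowhere."""
    return [f"{name} {d}" for name, info in parsed.items()
            for d in ("inbound", "outbound") if info[d] == acl]


if __name__ == "__main__":
    parsed = parse_show_ip_interface(SAMPLE)
    for name, info in parsed.items():
        print(f"{name:10} {info['status']:22} in={info['inbound']} out={info['outbound']}")
    print("no ACL at all:", unfiltered_interfaces(parsed))
    print("ACL 101 on:", interfaces_using(parsed, "101"))
```

Paste a real show ip interface capture in place of SAMPLE to audit a router; combining this with show access-lists (which lists the ACLs but not their placement) gives the two facts the slide says you need, what each list contains and where it actually sits.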

125 Match the following:

126 Access List Question
The access control list shown in the figure has been applied to the Ethernet interface of R1 using the ip access-group 101 in command. Which Telnet sessions will be blocked by this ACL?

Answer: any host with an address between 5118 and on R1 will not be able to telnet to network 5130.


More information

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Exploration:

More information

CCENT Study Guide. Chapter 7 Managing a Cisco Internetwork

CCENT Study Guide. Chapter 7 Managing a Cisco Internetwork CCENT Study Guide Chapter 7 Managing a Cisco Internetwork Chapter 7 Objectives The CCENT Topics Covered in this chapter include: 2.0 LAN Switching Technologies 2.6 Configure and verify Layer 2 protocols.

More information

Lab Managing IOS Images with TFTP Instructor Version 2500

Lab Managing IOS Images with TFTP Instructor Version 2500 Lab 5.2.5 Managing IOS Images with TFTP Instructor Version 2500 Objective Backup a copy of a router IOS from flash to a TFTP server. Reload the backup IOS software image from a TFTP server into flash on

More information

Using Cisco IOS Software

Using Cisco IOS Software APPENDIX A This appendix describes the basics about using the Cisco IOS software that is installed on every Cisco ubr905 and Cisco ubr925 cable access routers: Accessing the Command-Line Interface, page

More information

Basic IOS Configuration and Basic Serial WAN Connectivity

Basic IOS Configuration and Basic Serial WAN Connectivity 3............................................. Basic IOS Configuration and Basic Serial WAN Connectivity 1. In which of the following modes in Cisco s IOS can you issue show commands? (Choose two.) A.

More information

Initial Configuration on ML-Series Card

Initial Configuration on ML-Series Card CHAPTER 3 This chapter describes the initial configuration of the ML-Series card and contains the following major sections: Hardware Installation, page 3-1 Cisco IOS on the ML-Series Card, page 3-2 Startup

More information

2. What flavor of Network Address Translation can be used to have one IP address allow many users to connect to the global Internet? A. NAT B.

2. What flavor of Network Address Translation can be used to have one IP address allow many users to connect to the global Internet? A. NAT B. How long is an IPv6 address? A. 32 bits B. 128 bytes C. 64 bits D. 128 bits Answer: Option D An IPv6 address is 128 bits long. 2. What flavor of Network Address Translation can be used to have one IP address

More information

Lab 15d. PPPoE Troubleshooting

Lab 15d. PPPoE Troubleshooting MAC: 0:00:00:00:00:0 MAC: 0:00:00:00:00:0 Rev. 0808.88 Lab d. PPPoE Troubleshooting cc na c ookb ook.com T O P O L O G Y & G O A L Client Pool: 0.0.0. 0.0.0. Create a PPPoE connection from an edge router

More information

2. Which two functions of the OSI model occur at layer two? (Choose two.) physical addressing encoding routing cabling media access control

2. Which two functions of the OSI model occur at layer two? (Choose two.) physical addressing encoding routing cabling media access control 1. Which of the following are the address ranges of the private IP addresses? (Choose three.) 10.0.0.0 to 10.255.255.255 200.100.50.0 to 200.100.25.255 150.150.0.0 to 150.150.255.255 172.16.0.0 to 172.31.255.255

More information

Chapter 2. Switch Concepts and Configuration. Part I

Chapter 2. Switch Concepts and Configuration. Part I Chapter 2 Switch Concepts and Configuration Part I CCNA3-1 Chapter 2-1 Note for Instructors These presentations are the result of a collaboration among the instructors at St. Clair College in Windsor,

More information

Lab Designing and Implementing a VLSM Addressing Scheme. Topology. Objectives. Background / Scenario

Lab Designing and Implementing a VLSM Addressing Scheme. Topology. Objectives. Background / Scenario CSNB214 Packet Tracer Lab Designing and Implementing a VLSM Addressing Scheme Topology Objectives Part 1: Examine Network Requirements Part 2: Design the VLSM Address Scheme Part 3: Cable and Configure

More information

Configuring Virtual Interfaces

Configuring Virtual Interfaces Configuring Virtual Interfaces Virtual interfaces are software-based interfaces that you create in the memory of the networking device using Cisco IOS commands. Virtual interfaces do not have a hardware

More information

Basic IOS Command Structure. Router#disable Router>

Basic IOS Command Structure. Router#disable Router> Router#disable Router> Basic IOS Command Structure Each IOS command has specific format or syntax and is executed at the appropriate prompt. The general syntax for a command is the command followed by

More information

CISCO SYSTEM ADMINISTRATION (41)

CISCO SYSTEM ADMINISTRATION (41) CISCO SYSTEM ADMININSTRATION PAGE 1 OF 11 CONTESTANT ID# Time Rank CISCO SYSTEM ADMINISTRATION (41) Regional 2012 TOTAL POINTS (500) Failure to adhere to any of the following rules will result in disqualification:

More information

Configuring a Terminal/Comm Server

Configuring a Terminal/Comm Server Configuring a Terminal/Comm Server Document ID: 5466 Introduction Prerequisites Requirements Components Used Conventions Cabling Design Strategy Configure Network Diagram Configurations Command Summary

More information

Lab Configuring Dynamic and Static NAT (Solution)

Lab Configuring Dynamic and Static NAT (Solution) (Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway Gateway G0/1 192.168.1.1 255.255.255.0 N/A S0/0/1 209.165.201.18 255.255.255.252 N/A ISP S0/0/0 (DCE)

More information

Lab Configuring Static Routes Instructor Version 2500

Lab Configuring Static Routes Instructor Version 2500 Lab 6.1.6 Configuring Static Routes Instructor Version 2500 Objective Configure static routes between routers to allow data transfer between routers without the use of dynamic routing protocols. Background/Preparation

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Lab - Configuring Basic DHCPv4 on a Router (Solution)

Lab - Configuring Basic DHCPv4 on a Router (Solution) (Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/0 192.168.0.1 255.255.255.0 N/A G0/1 192.168.1.1 255.255.255.0 N/A S0/0/0 (DCE) 192.168.2.253

More information

Password Recovery Procedure for the Catalyst 5500 Supervi

Password Recovery Procedure for the Catalyst 5500 Supervi Password Recovery Procedure for the Catalyst 5500 Supervi Table of Contents Password Recovery Procedure...1 for the Catalyst 5500 Supervisor RSFC...1 Introduction...1 Before You Begin...1 Conventions...1

More information

Lab - Troubleshooting VLAN Configurations (Instructor Version Optional Lab)

Lab - Troubleshooting VLAN Configurations (Instructor Version Optional Lab) (Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or

More information

Lab Troubleshooting Basic PPP with Authentication Topology

Lab Troubleshooting Basic PPP with Authentication Topology Topology 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1

More information

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles Building the Routing Table Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles Introducing the Routing Table R1# show ip route Codes: C - connected,

More information

Cisco Certified Network Associate CCNA Part One Course Guide

Cisco Certified Network Associate CCNA Part One Course Guide Cisco Certified Network Associate CCNA Part One Course Guide VoIP NP 2.0 11-1-07 1 2 Cisco Certified Network Associate CCNA Part One Course Guide Exclusive Distributor: The Sage Group, LLC 5300 Maryland

More information

CCNA 1 Final Exam Answers UPDATE 2012 eg.1

CCNA 1 Final Exam Answers UPDATE 2012 eg.1 CCNA 1 Final Exam Answers UPDATE 2012 eg.1 January 12th, 2012AdminLeave a commentgo to comments Which of the following are the address ranges of the private IP addresses? (Choose three.) 10.0.0.0 to 10.255.255.255

More information

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab) (Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or

More information

Cisco Press CCIE Practical Studies CCIE Practice Lab: Enchilada Solutions

Cisco Press CCIE Practical Studies CCIE Practice Lab: Enchilada Solutions Cisco Press CCIE Practical Studies CCIE Practice Lab: Solutions Cisco Press CCIE Practical Studies CCIE Practice Lab: LAB Book Chapter Book Page The 18 1161 Overview... 3 Technical Details... 3 Table 54-1:

More information

Initial Configuration

Initial Configuration 3 CHAPTER This chapter describes the initial configuration of the ML-Series card and contains the following major sections: Hardware Installation, page 3-1 Cisco IOS on the ML-Series Card, page 3-2 Startup

More information

Configuring Interfaces on the ML-Series Card

Configuring Interfaces on the ML-Series Card 5 CHAPTER This chapter describes basic interface configuration for the ML-Series card to help you get your ML-Series card up and running. Advanced packet-over-sonet (POS) interface configuration is covered

More information

Router Startup and Configuration

Router Startup and Configuration Router Startup and Configuration Router Startup In general, the boot process follows these steps: Test hardware (POST) Load the bootstrap program Locate and load the Cisco IOS Locate and load the router

More information

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D

CCNA Practice test. 2. Which protocol can cause high CPU usage? A. NTP B. WCCP C. Telnet D. SNMP Answer: D 1. Which network would support at least 30 hosts? A. 10.0.0.0 255.255.255.252 B. 10.0.0.0 255.255.255.240 C. 10.0.0.0 255.255.255.224 D. 10.0.0.0 255.255.255.248 2. Which protocol can cause high CPU usage?

More information

Section 1. General Networking Theory

Section 1. General Networking Theory Section 1 General Networking Theory This chapter ensures you are prepared for questions in the Cisco Certified Internetwork Expert (CCIE) written exam that deal with general networking theories. General

More information

Lab - Configuring VLANs and Trunking (Solution)

Lab - Configuring VLANs and Trunking (Solution) (Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway S1 VLAN 1 192.168.1.11 255.255.255.0 N/A S2 VLAN 1 192.168.1.12 255.255.255.0 N/A PC-A NIC 192.168.10.3

More information

Lab Troubleshooting WAN Connectivity

Lab Troubleshooting WAN Connectivity Lab 9.2.5 Troubleshooting WAN Connectivity Device Host Name Interface IP Address Subnet Mask Default Gateway R1 R1 Fast Ethernet 0/0 192.168.1.1 255.255.255.0 N/A Serial 0/0/0 (DCE) 192.168.3.1 255.255.255.252

More information

Lab - Examining Telnet and SSH in Wireshark

Lab - Examining Telnet and SSH in Wireshark Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 Part 1: Configure the Devices

More information

Basic Router Configuration

Basic Router Configuration This section includes information about some basic router configuration, and contains the following sections: Default Configuration, on page 1 Configuring Global Parameters, on page 2 Configuring Gigabit

More information

Using the Setup Script

Using the Setup Script APPENDIX A Using the Setup Script The information herein applies to the Cisco AS5350, Cisco AS5400, and Cisco AS5400HPX universal gateways that the latter requires use of Cisco IOS release 122(2)XB or

More information

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Exploration:

More information

Hochschule Bremen Networking Lab

Hochschule Bremen Networking Lab Hochschule Bremen Networking Lab User Manual Welcome to the Hochschule Bremen networking lab. This manual will give you a brief introduction on how to use the PCs and networking hardware in the lab. The

More information

CS IT ports switch basic configuration. Lecture (01) Introduction to 24 ports managed switches By: Dr. Ahmed ElShafee.

CS IT ports switch basic configuration. Lecture (01) Introduction to 24 ports managed switches By: Dr. Ahmed ElShafee. Lecture (01) Introduction to 24 ports managed switches By: Dr. Ahmed ElShafee CS IT Agenda 24 ports switch basic configuration Switch remote configuration peer2peer star network clients/server star network

More information