Acknowledgements: HRD Division, Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India

ROUTER AUDITING

TABLE OF CONTENTS

SL.NO.  POLICY
1.  LATEST STABLE SOFTWARE VERSION SHALL BE SELECTED.
2.  HOSTNAME SHALL NOT REVEAL MAKE / MODEL OF THE DEVICE.
3.  EACH USER SHALL BE ALLOCATED A SEPARATE LOGIN ACCOUNT.
4.  SEPARATE LOGIN ACCOUNT SHALL BE USED FOR OPERATING AT DIFFERENT PRIVILEGE LEVELS, AND NETWORK SECURITY DEVICES SHOULD HAVE AT LEAST TWO ADMINISTRATORS.
5.  PASSWORD SHALL BE MANAGED AS PER THE PASSWORD MANAGEMENT GUIDELINES, AND ALSO PASSWORD SHALL BE STORED IN ENCRYPTED FORM.
6.  NETWORK TIME PROTOCOL (NTP) SHALL BE CONFIGURED ON THE DEVICES. (REFER: TIME SYNCHRONIZATION GUIDELINES)
7.  FOR CHECKING THE TIME SETTINGS IN THE ROUTER.
8.  BANNER MESSAGE: A WARNING MESSAGE SHOULD BE DISPLAYED BEFORE LOGIN AS A CAUTION.
9.  PROTOCOLS / SERVICES USING AN ENCRYPTED CHANNEL (SUCH AS SSH, SSL, IPSEC, RDP) SHALL BE USED FOR REMOTE ADMINISTRATION.
10. FOR CHECKING THAT UNUSED NETWORK INTERFACES ARE DISABLED.
11. AUTHENTICATION SHOULD BE USED FOR DYNAMIC ROUTING PROTOCOLS.
12. INGRESS AND EGRESS FILTERING SHALL BE CONFIGURED.
13. UNUSED ADDRESS SPACE SHOULD BE ROUTED TO THE NULL INTERFACE.
14. ANTI-SPOOFING SHOULD BE CONFIGURED ON ALL INTERFACES.
15. BACK UP OF THE DEVICE.
16. LOG MAINTENANCE.
17. FOR CHECKING CONSOLE AND OTHER DIRECT ACCESS PORT CONNECTIONS OF THE ROUTER.
18. FOR CHECKING WHAT ARE THE VARIOUS NETWORKS ALLOWED IN THE ROUTER.
19. FOR CHECKING THE ROUTER NETWORK TRAFFIC FLOW AND LOOPBACK INTERFACE.
20. FOR CHECKING THE ROUTER TIMEOUT OPTION.
21. FOR CHECKING FOR ANY VIRTUAL TERMINAL UNITS (VTYS) ENABLED ON THE DEVICE.
22. FOR CHECKING THE ROUTER REMOTE ADMINISTRATION ACCESS PROCESS.
23. FOR CHECKING ACL WRITTEN WITH RESPECT TO ACCESS TO VTY OR REMOTE ADMINISTRATION MECHANISM FOR THE ROUTER.
24. FOR CHECKING ANY PRIVILEGED EXEC MODE IN ROUTER SETTINGS.
25. FOR CHECKING WHETHER THE ROUTER IS CONFIGURED WITH LOCAL OR AAA ENCRYPTION MECHANISM.
26. FOR CHECKING THE STATIC AND DYNAMIC ROUTING.
27. FOR CHECKING RADIUS & TACACS+ METHODS IN THE ROUTER.

1. Latest stable software version shall be selected.

   CDAC-R09R06-C01-R-2#show version

2. Hostname shall not reveal make / model of the device.

   CDAC-R09R06-C01-R-2#show run | i hostname

3. Each user shall be allocated a separate login account.

   CDAC-R09R06-C01-R-2#show user all
   CDAC-R09R06-C01-R-2#show users

   Note: All the users who are authenticated can be viewed only by logging in through the TACACS server.

4. Separate login account shall be used for operating at different privilege levels, and network security devices should have at least two administrators.

   CDAC-R09R06-C01-R-2#show run | b user

   Note: All the users/admins who are authenticated can be viewed only by logging in through the TACACS server, and the different privilege levels can also be seen using the same TACACS server.

5. Password shall be managed as per the Password Management Guidelines, and also password shall be stored in encrypted form.

   CDAC-R09R06-C01-R-2#show run | i password

   Note: All user/admin passwords shall be managed as per the Password Management Guidelines only by logging in through the TACACS server, and the different privilege levels can also be seen using the same TACACS server.

6. Network Time Protocol (NTP) shall be configured on the devices. (Refer: Cyber Security Policies for NICNET Information Infrastructure - Time Synchronization Guidelines)

   CDAC-R09R06-C01-R-2#show ntp status
   CDAC-R09R06-C01-R-2#show ntp associations

7. For checking the time settings in the router.

   CDAC-R09R06-C01-R-2#show clock

8. Banner message: a warning message should be displayed before login as a caution. A sample banner message follows:

   W A R N I N G
   Unauthorized access is prohibited. Disconnect IMMEDIATELY if you are not an authorized user!!! All activities are being monitored. Any unauthorized access may subject the user to disciplinary / legal action.

   CDAC-R09R06-C01-R-2#show run | b banner

9. Protocols / services using an encrypted channel (such as SSH, SSL, IPSec, RDP) shall be used for remote administration.

   CDAC-R09R06-C01-R-2#show run | i line

10. For checking that unused network interfaces are disabled.

   CDAC-R09R06-C01-R-2#show interface description | include Gi

11. Authentication should be used for dynamic routing protocols.

   SUMMARY STEPS (OSPF authentication on Cisco IOS XR)

   1.  configure
   2.  router ospf process-name
   3.  router-id {router-id}
   4.  authentication [message-digest [keychain keychain] | null]
   5.  message-digest-key key-id md5 {key | clear key | encrypted key}
   6.  area area-id
   7.  interface type instance
   8.  Repeat Step 7 for each interface that must communicate, using the same authentication.
   9.  exit
   10. area area-id
   11. authentication [message-digest [keychain keychain] | null]
   12. interface type instance
   13. Repeat Step 12 for each interface that must communicate, using the same authentication.
   14. interface type instance
   15. authentication [message-digest [keychain keychain] | null]
   16. end or commit

   DETAILED STEPS

   Step 1: configure
      RP/0/RSP0/CPU0:router# configure
      Purpose: Enters global configuration mode.

   Step 2: router ospf process-name
      RP/0/RSP0/CPU0:router(config)# router ospf 1
      Purpose: Enables OSPF routing for the specified routing process and places the router in router configuration mode.
      Note: The process-name argument is any alphanumeric string no longer than 40 characters.

   Step 3: router-id {router-id}
      RP/0/RSP0/CPU0:router(config-ospf)# router-id
      Purpose: Configures a router ID for the OSPF process.

   Step 4: authentication [message-digest [keychain keychain] | null]
      RP/0/RSP0/CPU0:router(config-ospf)# authentication message-digest
      Purpose: Enables MD5 authentication for the OSPF process. This authentication type applies to the entire router process unless overridden by a lower hierarchical level such as the area or interface.

   Step 5: message-digest-key key-id md5 {key | clear key | encrypted key}
      RP/0/RSP0/CPU0:router(config-ospf)# message-digest-key 4 md5 yourkey
      Purpose: Specifies the MD5 authentication key for the OSPF process. The neighbor routers must have the same key identifier.

   Step 6: area area-id
      RP/0/RSP0/CPU0:router(config-ospf)# area 0
      Purpose: Enters area configuration mode and configures a backbone area for the OSPF process.

   Step 7: interface type instance
      RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/3
      Purpose: Enters interface configuration mode and associates one or more interfaces to the backbone area. All interfaces inherit the authentication parameter values specified for the OSPF process (Step 4, Step 5, and Step 6).

   Step 8: Repeat Step 7 for each interface that must communicate, using the same authentication.

   Step 9: exit
      RP/0/RSP0/CPU0:router(config-ospf-ar)# exit
      Purpose: Enters area OSPF configuration mode.

   Step 10: area area-id
      RP/0/RSP0/CPU0:router(config-ospf)# area 1
      Purpose: Enters area configuration mode and configures a nonbackbone area 1 for the OSPF process. The area-id argument can be entered in dotted-decimal or IPv4 address notation, such as area 1000 or its IPv4-address-notation equivalent. However, you must choose one form or the other for an area. We recommend using the IPv4 address notation.

   Step 11: authentication [message-digest [keychain keychain] | null]
      RP/0/RSP0/CPU0:router(config-ospf-ar)# authentication
      Purpose: Enables Type 1 (plain text) authentication, which provides no security. The example specifies plain text authentication (by not specifying a keyword). Use the authentication-key command in interface configuration mode to specify the plain text password.

   Step 12: interface type instance
      RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/0
      Purpose: Enters interface configuration mode and associates one or more interfaces to the nonbackbone area 1 specified in Step 10. All interfaces configured inherit the authentication parameter values configured for area 1.

   Step 13: Repeat Step 12 for each interface that must communicate using the same authentication.

   Step 14: interface type instance
      RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/3/0/0
      Purpose: Enters interface configuration mode and associates one or more interfaces to a different authentication type.

   Step 15: authentication [message-digest [keychain keychain] | null]
      RP/0/RSP0/CPU0:router(config-ospf-ar-if)# authentication null
      Purpose: Specifies no authentication on GigabitEthernet interface 0/3/0/0, overriding the plain text authentication specified for area 1. By default, all of the interfaces configured in the same area inherit the same authentication parameter values of the area.

   Step 16: end or commit
      RP/0/RSP0/CPU0:router(config-ospf-ar-if)# end
      or
      RP/0/RSP0/CPU0:router(config-ospf-ar-if)# commit
      Purpose: Saves configuration changes. When you issue the end command, the system prompts you to commit changes:
         Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
      Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

   CDAC-R09R06-C01-R-2#show run | b router ospf

12. Ingress and egress filtering shall be configured.

   SUMMARY STEPS (Ethernet egress filtering on Cisco IOS XR)

   1. configure
   2. ethernet egress-filter strict
   3. interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface
   4. ethernet egress-filter {strict | disabled}
   5. exit

   DETAILED STEPS

   Step 1: configure
      RP/0/RSP0/CPU0:PE44_ASR-9010# config
      Thu Jun 4 07:50: PST
      RP/0/RSP0/CPU0:PE44_ASR-9010(config)#
      Purpose: Enters global configuration mode.

   Step 2: ethernet egress-filter strict
      RP/0/RSP0/CPU0:PE44_ASR-9010(config)# ethernet egress-filter strict
      Purpose: Enables strict egress filtering on all subinterfaces on the device by default.

   Step 3: interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface
      RP/0/RSP0/CPU0:PE44_ASR-9010(config)# interface GigabitEthernet 0/1/0/1.1
      Purpose: Creates an L2 subinterface.

   Step 4: ethernet egress-filter {strict | disabled}
      RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# ethernet egress-filter strict
      Purpose: Allows egress filtering to be explicitly enabled or disabled on any L2 subinterface. It can also be used to override the global setting.

   Step 5: exit
      RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# exit
      RP/0/RSP0/CPU0:PE44_ASR-9010(config)# exit
      Purpose: Exits from the configuration mode.

   CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP pfilter location all
   CDAC-R09R06-C01-R-2#show run | include ingress
   CDAC-R09R06-C01-R-2#show run | include egress

13. Unused address space should be routed to the null interface.

   For example:
   R2# conf t
   Enter configuration commands, one per line. End with CNTL/Z.
   R2(config)# ip route Null0
   R2(config)# end

   CDAC-R09R06-C01-R-2#show run | i Null

14. Anti-spoofing should be configured on all interfaces.

   To configure Unicast RPF loose mode, perform the following steps.

   SUMMARY STEPS

   1. enable
   2. configure terminal
   3. ip cef
   4. interface type slot/port-adapter/port
   5. ip verify unicast source reachable-via any

   DETAILED STEPS

   Step 1: enable
      Router> enable
      Purpose: Enables privileged EXEC mode. Enter your password if prompted.

   Step 2: configure terminal
      Router# configure terminal
      Purpose: Enters global configuration mode.

   Step 3: ip cef
      Router(config)# ip cef
      Purpose: Enables CEF on the route processor card.

   Step 4: interface type slot/port-adapter/port
      Router(config)# interface serial5/0/0
      Purpose: Configures an interface type and enters interface configuration mode.

   Step 5: ip verify unicast source reachable-via any
      Router(config-if)# ip verify unicast source reachable-via any
      Purpose: Enables Unicast RPF using loose mode.

   Note: The anti-spoofing feature is not configured, which is why no screenshot is attached.

15. Back up of the current operating system and the running configuration shall be taken prior to upgrade. For the SNMP protocol, check the following:

   - Enable SNMP if required, and check that SNMPv3 or higher is used.
     CDAC-R09R06-C01-R-2#show snmp host
   - Default community strings (for example, "public") shall not be used.
   - Community string security shall be treated on par with administrator account passwords.
   - Community strings should be set for read-only mode.
   - SNMP access should be permitted only from specific IP addresses of trusted networks.
   - The same or similar community strings should not be used across devices.
     CDAC-R09R06-C01-R-2#show run | i snmp

16. Log maintenance.

   Logs should be sent to a centralized log server.
   CDAC-R09R06-C01-R-2#show log

   Logs should be archived in read-only format.
   CDAC-R09R06-C01-R-2#show log location
   CDAC-R09R06-C01-R-2#show run | i log

17. For checking console and other direct access port connections of the router.
   CDAC-R09R06-C01-R-2#show run | b line

18. For checking what are the various networks allowed in the router.
   CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP usage pfilter location all

19. For checking the router network traffic flow and loopback interface.
   CDAC-R09R06-C01-R-2#show monitor-session counters

20. For checking the router timeout option.
   CDAC-R09R06-C01-R-2#show run | i timeout

21. For checking for any virtual terminal units (VTYs) enabled on the device.
   CDAC-R09R06-C01-R-2#show run | b vty

22. For checking the router remote administration access process.
   CDAC-R09R06-C01-R-2#show run | i line

23. For checking ACL written with respect to access to VTY or remote administration mechanism for the router.
   CDAC-R09R06-C01-R-2#show access-lists MANAGEMENT

24. For checking any privileged exec mode in router settings.
   CDAC-R09R06-C01-R-2#show run | i exec

25. For checking whether the router is configured with local or AAA encryption mechanism.
   CDAC-R09R06-C01-R-2#show tacacs
   Note: The AAA encryption mechanism is managed as per the Cyber Security Policies for NICNET Information Infrastructure only by logging in through the TACACS server, and the different privilege levels can also be seen using the same TACACS server. The above command shows the information about the TACACS server.

26. For checking the static and dynamic routing.
   For checking the routing and routed protocols:
   CDAC-R09R06-C01-R-2#show protocols bgp
   CDAC-R09R06-C01-R-2#show protocols ospf
   CDAC-R09R06-C01-R-2#show route static
   For checking the BGP summary:
   CDAC-R09R06-C01-R-2#show bgp summary
   For checking the OSPF neighbors:
   CDAC-R09R06-C01-R-2#show ospf neighbor
   For checking OSPF routes:
   CDAC-R09R06-C01-R-2#show route ospf
   For checking RIP and EIGRP:
   Note: The organization is not using RIP and EIGRP routing.

27. For checking RADIUS & TACACS+ methods in the router.
   CDAC-R09R06-C01-R-2#show tacacs
   CDAC-R09R06-C01-R-2#show run | i tacacs

CONTRIBUTED BY:
1. Mr Ch A.S Murty
2. Mr Tyeb Naushad
3. Mr Devi Satish
4. Mr Shrinath Rusia
5. Ms Vertika Singh
6. Mr Vinay Kumar
C-DAC, Hyderabad
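As an added example (not part of the CDAC document or its tooling), the following Python script runs several of the checklist items above (2, 5, 6, 8, 9, 10, 14, 15, 20 and 23, the last being the VTY access-class check) offline against a saved "show running-config" output, so a reviewer can audit exported configs in bulk instead of reading each "show run | i ..." by hand. The sample config, the make/model word list and the finding wording are constructed assumptions.

```python
"""Offline audit of an IOS-style running-config against the checklist items
above. Added example, not CDAC's own tool; all sample data is constructed."""
import re

# Constructed sample running-config with several deliberate policy gaps.
SAMPLE_CONFIG = """\
hostname cisco-asr9k-core
enable password letmein
username admin privilege 15 password 0 Admin123
ntp server 10.0.0.5
!
interface GigabitEthernet0/0/0/0
 description Uplink to WAN
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/0/0/1
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via any
interface GigabitEthernet0/0/0/2
snmp-server community public RO
snmp-server community netops RW 10
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
end
"""

# Assumed heuristic word list for item 2; extend with your own vendors/models.
MAKE_MODEL_WORDS = ("cisco", "asr", "isr", "catalyst", "juniper", "huawei")
DEFAULT_COMMUNITIES = ("public", "private")


def parse_config(text):
    """Split a config into its top-level lines and a dict of indented blocks
    keyed by the header line that opens them (interface ..., line vty ...)."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
            top.append(current)
    return top, blocks


def audit(text):
    """Return (checklist item number, finding) tuples for the policies checked."""
    top, blocks = parse_config(text)
    findings = []
    for line in top:
        if line.startswith("hostname "):  # item 2
            name = line.split(None, 1)[1]
            if any(w in name.lower() for w in MAKE_MODEL_WORDS):
                findings.append((2, f"hostname '{name}' reveals make/model"))
        # item 5: no 'enable password', no type-0 (plaintext) user passwords
        if line.startswith("enable password "):
            findings.append((5, "enable password used instead of enable secret"))
        if line.startswith("username ") and re.search(r" password (0 )?\S+$", line):
            findings.append((5, f"plaintext password on account '{line.split()[1]}'"))
    if not any(l.startswith("ntp server ") for l in top):
        findings.append((6, "no NTP server configured"))
    if not any(l.startswith("banner ") for l in top):
        findings.append((8, "no login banner configured"))
    for hdr, body in blocks.items():
        if hdr.startswith("line vty"):  # items 9, 20, 23
            for b in body:
                if b.startswith("transport input") and "telnet" in b:
                    findings.append((9, f"{hdr}: telnet allowed for remote administration"))
                if re.fullmatch(r"exec-timeout 0( 0)?", b):
                    findings.append((20, f"{hdr}: exec-timeout disabled"))
            if not any(b.startswith("access-class") for b in body):
                findings.append((23, f"{hdr}: no access-class ACL on remote administration"))
        if hdr.startswith("interface "):  # items 10, 14
            has_ip = any(b.startswith("ip address") for b in body)
            if not has_ip and "shutdown" not in body:
                findings.append((10, f"{hdr}: unused interface not shut down"))
            if has_ip and not any(b.startswith("ip verify unicast") for b in body):
                findings.append((14, f"{hdr}: no anti-spoofing (uRPF) configured"))
    for line in top:  # item 15: simple 'snmp-server community NAME [RO|RW] [ACL]' form only
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((15, f"default SNMP community '{community}' in use"))
            if mode == "RW":
                findings.append((15, f"SNMP community '{community}' is read-write"))
            if acl is None:
                findings.append((15, f"SNMP community '{community}' not restricted by ACL"))
    return findings


if __name__ == "__main__":
    for item, msg in audit(SAMPLE_CONFIG):
        print(f"[item {item:2d}] {msg}")
```

The parser only understands the flat IOS/IOS XR text form (one level of indentation); a clean config yields an empty list, which is the condition an auditor wants to reach before signing off.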



More information

Console Port, Telnet, and SSH Handling

Console Port, Telnet, and SSH Handling Console Port Overview, on page 1 Connecting Console Cables, on page 1 Installing USB Device Drivers, on page 1 Console Port Handling Overview, on page 2 Telnet and SSH Overview, on page 2 Persistent Telnet,

More information

Lab Configuring Dynamic and Static NAT (Solution)

Lab Configuring Dynamic and Static NAT (Solution) (Solution) Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway Gateway G0/1 192.168.1.1 255.255.255.0 N/A S0/0/1 209.165.201.18 255.255.255.252 N/A ISP S0/0/0 (DCE)

More information

Lab Configuring and Verifying Extended ACLs Topology

Lab Configuring and Verifying Extended ACLs Topology Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1

More information

Traffic Mirroring Commands on Cisco ASR 9000 Series Router

Traffic Mirroring Commands on Cisco ASR 9000 Series Router Traffic Mirroring Commands on Cisco ASR 9000 Series Router This module describes the commands used to configure and monitor traffic mirroring. Command Reference HR-1061 acl Traffic Mirroring Commands on

More information

Using the Management Ethernet Interface

Using the Management Ethernet Interface The Cisco ASR 920 Series Router has one Gigabit Ethernet Management Ethernet interface on each Route Switch Processor. The purpose of this interface is to allow users to perform management tasks on the

More information

Lab Configuring Switch Security Features Topology

Lab Configuring Switch Security Features Topology Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 172.16.99.1 255.255.255.0 N/A S1 VLAN 99 172.16.99.11 255.255.255.0 172.16.99.1 PC-A NIC 172.16.99.3

More information

Flexible NetFlow IPv6 Unicast Flows

Flexible NetFlow IPv6 Unicast Flows The feature enables Flexible NetFlow to monitor IPv6 traffic. Finding Feature Information, page 1 Information About Flexible NetFlow IPv6 Unicast Flows, page 1 How to Configure Flexible NetFlow IPv6 Unicast

More information

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam Network Infrastructure Filtering at the border maz@iij.ad.jp stole slides from Fakrul Alam fakrul@bdhbu.com Acknowledgement Original slides prepared by Merike Kaeo What we have in network? Router Switch

More information

26 CHAPTER Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer

More information

Implementing Management Plane Protection on Cisco IOS XR Software

Implementing Management Plane Protection on Cisco IOS XR Software Implementing Management Plane Protection on Cisco IOS XR Software The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network

More information

Configuring FlexVPN Spoke to Spoke

Configuring FlexVPN Spoke to Spoke Last Published Date: March 28, 2014 The FlexVPN Spoke to Spoke feature enables a FlexVPN client to establish a direct crypto tunnel with another FlexVPN client leveraging virtual tunnel interfaces (VTI),

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab) (Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or

More information

Skills Assessment Student Training

Skills Assessment Student Training Skills Assessment Student Training Topology Assessment Objectives Part 1: Initialize Devices (6 points, 5 minutes) Part 2: Configure Device Basic Settings (33 points, 20 minutes) Part 3: Configure Switch

More information

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview This course will teach students about building a simple network, establishing internet connectivity, managing network device security,

More information

Configuring Traffic Mirroring

Configuring Traffic Mirroring This module describes the configuration of the traffic mirroring feature. Traffic mirroring is sometimes called port mirroring, or switched port analyzer (SPAN). Feature History for Traffic Mirroring Release

More information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby

More information

Configuring CRS-1 Series Virtual Interfaces

Configuring CRS-1 Series Virtual Interfaces Configuring CRS-1 Series Virtual Interfaces A virtual interface is defined as representing a logical packet switching entity within the Cisco CRS-1 Series router. Virtual Interfaces have a global scope

More information

PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC. PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC. Configuration Corrupt Config Database RADB Intercept Configuration Transport Transport Attacks Trojan Horses in Code 2-4-2 Network Infrastructure

More information

RIP Commands. output-delay, page 32 passive-interface (RIP), page 33 poison-reverse, page 35 receive version, page 37 redistribute (RIP), page 39

RIP Commands. output-delay, page 32 passive-interface (RIP), page 33 poison-reverse, page 35 receive version, page 37 redistribute (RIP), page 39 RIP Commands This module describes the commands used to configure and monitor the Routing Information Protocol (RIP). For detailed information about RIP concepts, configuration tasks, and examples, see

More information

Chapter 4: Routing Concepts. Routing & Switching

Chapter 4: Routing Concepts. Routing & Switching Chapter 4: Routing Concepts Routing & Switching Routers are Computers Routers are specialized computers containing the following required components to operate: Central processing unit (CPU) Operating

More information

Flexible NetFlow IPv6 Unicast Flows

Flexible NetFlow IPv6 Unicast Flows The feature enables Flexible NetFlow to monitor IPv6 traffic. Finding Feature Information, on page 1 Information About Flexible NetFlow IPv6 Unicast Flows, on page 1 How to Configure Flexible NetFlow IPv6

More information

Unicast Reverse Path Forwarding Loose Mode

Unicast Reverse Path Forwarding Loose Mode The feature creates a new option for Unicast Reverse Path Forwarding (Unicast RPF), providing a scalable anti-spoofing mechanism suitable for use in multihome network scenarios. This mechanism is especially

More information

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 13, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

RSVP Message Authentication

RSVP Message Authentication RSVP Message Authentication First Published: March 17, 2003 Last Updated: August 6, 2007 The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality

More information

Configuring Local Authentication

Configuring Local Authentication This chapter describes local authentication. This chapter also describes procedures to configure local authentication and privilege levels. This chapter includes the following topics: Understanding Authentication,

More information

Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client Topology IP Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 FA0/1 192.168.1.1 255.255.255.0 N/A

More information

Configuring Cisco Prime NAM

Configuring Cisco Prime NAM Cisco SRE NAM has an internal Gigabit Ethernet interface and an external interface. You can use either interface for Prime NAM management traffic such as the NAM web GUI, telnet or ssh, but not both. You

More information

MLDP In-Band Signaling/Transit Mode

MLDP In-Band Signaling/Transit Mode This module contains information for configuring Multicast Label Distribution Protocol (MLDP) in-band signaling to enable the MLDP core to create (S,G) or (*,G) state without using out-of-band signaling

More information

Implementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers

Implementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers Implementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers An access control list (ACL) consists of one me access control entries (ACE) that collectively define the netwk traffic profile.

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

OSPF Exercises. All participants will work within a group as a team. Each group has three routers and four switches to work with.

OSPF Exercises. All participants will work within a group as a team. Each group has three routers and four switches to work with. OSPF Exercises All participants will work within a group as a team. Each group has three routers and four switches to work with. These exercises are divided into several components: 1. Basic Router Configuration

More information

Passwords and Privileges Commands

Passwords and Privileges Commands Passwords and Privileges Commands This chapter describes the commands used to establish password protection and configure privilege levels. Password protection lets you restrict access to a network or

More information

Configuring Switch-Based Authentication

Configuring Switch-Based Authentication CHAPTER 7 This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists

More information

Configuring TACACS+ About TACACS+

Configuring TACACS+ About TACACS+ This chapter describes how to configure the Terminal Access Controller Access Control System Plus (TACACS+) protocol on Cisco NX-OS devices. This chapter includes the following sections: About TACACS+,

More information

Lab 8.5.2: Troubleshooting Enterprise Networks 2

Lab 8.5.2: Troubleshooting Enterprise Networks 2 Lab 8.5.2: Troubleshooting Enterprise Networks 2 Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Fa0/0 192.168.10.1 255.255.255.0 N/A R1 Fa0/1 192.168.11.1 255.255.255.0

More information

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps Security Hardening Checklist for Cisco Routers/Switches in 10 Steps Network infrastructure devices (routers, switches, load balancers, firewalls etc) are among the assets of an enterprise that play an

More information

Configuring DHCP Services for Accounting and Security

Configuring DHCP Services for Accounting and Security Configuring DHCP Services for Accounting and Security Cisco IOS XE software supports several capabilities that enhance DHCP security, reliability, and accounting in Public Wireless LANs (PWLANs). This

More information

MPLS Label Distribution Protocol (LDP)

MPLS Label Distribution Protocol (LDP) MPLS Label Distribution Protocol (LDP) Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) enables peer label switch routers (LSRs) in an MPLS network to exchange label binding information

More information

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+ Finding Feature Information, page 1 Prerequisites for TACACS+, page 1 Information About TACACS+, page 3 How to Configure TACACS+, page 7 Monitoring TACACS+, page 16 Finding Feature Information Your software

More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji Network Infrastructure Filtering at the border PacNOG19 28th November - 2nd December 2016 Nadi, Fiji Issue Date: [Date] Revision: [XX] What we have in network? Router Switch CPE (ADSL Router / WiFi Router)

More information

Configuring Network Access to the GGSN

Configuring Network Access to the GGSN CHAPTER 7 This chapter describes how to configure access from the gateway GPRS support node (GGSN) to a serving GPRS support node (SGSN), public data network (PDN), and optionally to a Virtual Private

More information