Showing posts with label Cisco Configuration Commands.

Monday, February 27, 2012

Cisco Port Security

Use port security to control which source MAC addresses may send traffic into a switch port, whether those addresses are statically configured or dynamically learned. Once the secure MAC addresses of a port are set, the port does not forward frames from any other source MAC address beyond the configured maximum.

A security violation occurs in either of these cases:
1) A frame arrives with a source MAC address that is not one of the port's secure MAC addresses and the port has already reached its maximum number of secure addresses; port security then applies the configured violation mode.
2) A MAC address that is configured or learned as secure on one port shows up on another secure port in the same VLAN. Port security applies the configured violation mode on that port too. It is a move violation!

Possible actions are:
switchport port-security violation {protect | restrict | shutdown}


protect: frames with unknown source addresses are dropped until you remove enough secure MAC addresses to get below the maximum. There is no log message, no SNMP trap and no counter increment, so a violation in this mode is invisible unless you look at the interface.

restrict: the same drop behaviour, but the SecurityViolation counter increments, a syslog message is logged and an SNMP trap is sent. This is the mode to use when you want to detect a violation without taking the port down.

shutdown (the default): puts the interface into the error-disabled state immediately and sends an SNMP trap notification. Everything on that port, legitimate hosts included, loses connectivity until it is recovered.

To bring a secure port out of the error-disabled state automatically, in global configuration mode
usage: errdisable recovery cause psecure-violation (and optionally errdisable recovery interval seconds)
or manually re-enable it with the shutdown and then no shutdown interface configuration commands.

Violating frames in protect and restrict mode are dropped, but a flood of them can still load the CPU; where that is a concern, combine port security with rate limiting of the frames sent to the CPU.
Methods of MAC address configuration
Static
How to statically configure all secure MAC addresses?
Use the switchport port-security mac-address mac_address interface configuration command.

Dynamic
How to dynamically configure secure MAC addresses?
1) Let the port learn the MAC addresses of connected devices as secure addresses, up to the limit set with switchport port-security maximum value. Plain dynamic addresses are forgotten when the link goes down or the switch reloads.

2) Statically configure some of the addresses and let the rest be learned dynamically, optionally as sticky addresses.

Sticky MAC addresses
Enabled with switchport port-security mac-address sticky, these are learned dynamically but converted into static-style entries in the running configuration, so port security retains them across a link-down condition.
Remember to write memory (wr is the shortcut) or copy running-config startup-config; only then are the sticky addresses saved in the startup-config file, and the port does not have to relearn them from ingress traffic after a reboot or restart. Without the save, a reload drops the learned addresses and the port secures whatever plugs in first.
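The behaviour of the three violation modes, the maximum count and the move violation, as an added simulation written for these notes (it is not IOS code and does not come from the original post). Port names, MAC addresses and VLAN 10 are constructed for the demo; the log strings imitate the IOS message names only loosely.

```python
"""Simulation of Cisco port-security semantics described above (added example, not IOS).

Models a secure port with a maximum MAC count, the protect / restrict / shutdown
violation modes, and the move violation across two ports in the same VLAN.
All names, addresses and the VLAN number are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1
    violation: str = "shutdown"              # protect | restrict | shutdown (IOS default)
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0                 # the SecurityViolation counter
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def _violate(self, mac):
        if self.violation == "protect":
            return "dropped"                 # silent: no counter, no syslog, no trap
        if self.violation == "restrict":
            self.violation_count += 1        # counted, logged and trapped; port stays up
            self.log.append(f"PSECURE_VIOLATION {self.name} {mac}")
            return "dropped"
        self.err_disabled = True             # shutdown: the whole port is err-disabled
        self.violation_count += 1
        self.log.append(f"ERR_DISABLE psecure-violation {self.name}")
        return "err-disabled"


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def ingress(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"            # nothing passes until recovered
        # Move violation: a MAC secured on another port in the same VLAN appears here.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and src_mac in other.secure_macs:
                return port._violate(src_mac)
        if src_mac in port.secure_macs:
            return "forwarded"
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)    # dynamically learned (or sticky) secure MAC
            return "forwarded"
        return port._violate(src_mac)


def demo():
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", vlan=10, maximum=1, violation="protect"))
    sw.add_port(SecurePort("Fa0/2", vlan=10, maximum=1, violation="restrict"))
    sw.add_port(SecurePort("Fa0/3", vlan=10, maximum=1, violation="shutdown"))
    r = {}
    r["learn"] = sw.ingress("Fa0/1", "00:11:22:33:44:01")
    r["protect_extra"] = sw.ingress("Fa0/1", "00:11:22:33:44:99")
    r["protect_count"] = sw.ports["Fa0/1"].violation_count
    sw.ingress("Fa0/2", "00:11:22:33:44:02")
    r["restrict_extra"] = sw.ingress("Fa0/2", "00:11:22:33:44:98")
    r["restrict_count"] = sw.ports["Fa0/2"].violation_count
    sw.ingress("Fa0/3", "00:11:22:33:44:03")
    r["shutdown_extra"] = sw.ingress("Fa0/3", "00:11:22:33:44:97")
    r["shutdown_legit_after"] = sw.ingress("Fa0/3", "00:11:22:33:44:03")
    # Move violation: the MAC secured on Fa0/1 shows up on Fa0/2 (same VLAN 10)
    r["move"] = sw.ingress("Fa0/2", "00:11:22:33:44:01")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The point the simulation makes visible: protect gives you no evidence at all, restrict gives evidence while keeping the legitimate host up, and shutdown takes the legitimate host down with the intruder.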

Friday, February 24, 2012

ICND2 Topic: Access Lists, Standard and Extended

A topic for the practical CCNA Exam, but it is only in the ICND2. This will be discussed in greater detail when the article is more complete. For starters,

Setting up an access list on a brand new Cisco router, here are a few key points to remember:
  • There is an implicit deny at the end of every access list; permit your own administrative traffic (for example the vty access) or you will lock yourself out of the router
  • Order matters: the list is processed top down and the first match wins, so place the most specific statements first or they will never get a hit
  • Only one access list per protocol, per direction, per interface
  • Standard access lists filter on source only, so place them closest to the destination to avoid blocking more than intended
  • Extended access lists filter on source, destination, protocol and port, so place them closest to the source to stop undesirable traffic before it crosses the network
REMEMBER: specific statements first, general ones after. Everything not explicitly permitted is denied; if the intent is to block only a few things, finish the list with permit any (permit ip any any for an extended list).

IMPORTANT: Create the ACL before applying it to an interface. Applying a reference to an ACL that does not exist yet (or is empty) permits all traffic.
Access lists match permit or deny rules on source address, destination address, protocol and port numbers. An inbound ACL is checked before the routing decision; an outbound ACL is checked after routing, on the exit interface.

ACLs are also used to classify traffic for other features where special handling is required, for example to identify
  • type of traffic to be encrypted on VPN
  • identify a router
  • route filtering, which route to include in updates
  • policy based routing
  • NAT
Standard Access List
Matches on the source IP address only, for the whole IP protocol suite
Standard IP ACL numbers 1 to 99 and 1300 to 1999

Here is an example from Cisco Tests:
access-list 10 deny 172.16.3.10 0.0.0.0
access-list 10 permit any
access-list 10 remark Stop all traffic whose source IP is Bob


Extended Access List
Checks both source and destination address, protocols and port numbers.
Extended IP ACL 100 to 199 & 2000 to 2699

access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server
access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 110 permit ip any any


Dynamic ACL (lock-and-key): the user first authenticates to the router with Telnet, and a temporary entry is then opened for that user's source address.

Reflexive ACL: allows sessions initiated from the inside and permits only the matching return traffic inbound. Reflexive entries are defined inside a named extended IP ACL, not a numbered one like the standard list.

Time-based ACL: a time-range attached to entries of a standard or extended ACL so that they only apply during the defined periods.

usage:
ip access-list standard TROUBLEMAKER
 permit ....
 deny ....
 remark .... a good idea to explain what the rule is for!

HOW TO Apply the IP Access List to an Interface
int eth 0
 ip access-group TROUBLEMAKER out

show access-lists
no ip access-list extended name (removes the whole named list)
ip access-list resequence name starting-sequence-number increment

Removing the Access List
conf t
int eth 0
no ip access-group # in
exit
no access-list #

In a lab setup, you really have to trust your neighbours not to lock you out.
Use the host keyword when you are specifying a single machine.
host 172.16.10.2 means the same as 172.16.10.2 0.0.0.0
Use the any keyword to specify 0.0.0.0 255.255.255.255 wildcard masking (every bit is don't-care).
Use it when you don't care about the source or destination address because you are filtering on other parameters. A wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits are ignored, so typing a subnet mask where a wildcard belongs permits or denies far more than intended.

me: access-list 1 permit host 10.10.10.8 (remember to permit your own workstation)
buddy1: access-list 1 permit host 10.0.0.101
buddy2: access-list 1 permit host 10.0.0.106
buddy1: access-list 1 permit 30.3.3.0 0.0.0.255
buddy2: access-list 1 permit host 80.8.8.0 255.255.255.255 (rejected by IOS: host takes no mask, and 255.255.255.255 read as a wildcard would match every address)
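Wildcard matching and first-match evaluation over the lists in this post, as an added example written for these notes (not IOS code and not from the original). It parses a subset of the access-list syntax (standard lists, and extended lists with tcp/ip, host, any, a wildcard pair and eq port), and shows the implicit deny, why order matters, and what the mistaken 255.255.255.255 from the lab would do if IOS accepted it as a wildcard. The ACL lines are copied from above; the test packets are constructed.

```python
"""Wildcard-mask matching and first-match ACL evaluation (added example, not IOS).

Parses a subset of IOS access-list syntax and evaluates packets against it
exactly as IOS does: top down, first match wins, implicit deny at the end.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 0 bit must match, a 1 bit is don't-care (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Return the entries in order; remark lines are documentation and are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
            src, _ = _parse_addr(t[3:])
            entries.append(dict(action=action, proto="ip", src=src, dst=None, dport=None))
        else:                                                  # extended: proto, src, dst, [eq port]
            proto = t[3]
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            entries.append(dict(action=action, proto=proto, src=src, dst=dst, dport=dport))
    return entries


def evaluate(entries, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if e["dst"] is not None and not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny (implicit)"


# Lists from the notes above
ACL_10 = ["access-list 10 deny 172.16.3.10 0.0.0.0",
          "access-list 10 permit any",
          "access-list 10 remark Stop all traffic whose source IP is Bob"]
ACL_10_REVERSED = ACL_10[::-1]            # permit any first: the deny is never reached
ACL_110 = ["access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server",
           "access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
           "access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
           "access-list 110 permit ip any any"]
ACL_1_ONLY_ME = ["access-list 1 permit host 10.10.10.8"]
# The lab typo without the host keyword: a wildcard of all ones is the same as 'any'
ACL_1_MASK_MISTAKE = ["access-list 1 permit 80.8.8.0 255.255.255.255"]


if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_10), "172.16.3.10"))                                  # deny
    print(evaluate(parse_acl(ACL_10_REVERSED), "172.16.3.10"))                         # permit
    print(evaluate(parse_acl(ACL_110), "172.16.3.10", "172.16.1.5", "tcp", 21))        # deny
    print(evaluate(parse_acl(ACL_1_ONLY_ME), "10.10.10.9"))                            # deny (implicit)
    print(evaluate(parse_acl(ACL_1_MASK_MISTAKE), "203.0.113.7"))                      # permit
```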

How to apply the access-list to the vty lines (restricts who may Telnet or SSH to the router)
usage: line vty 0 4, then access-class 1 in

How to create an IP named standard access-list?
usage: ip access-list standard name

syntax (extended list; a standard list has only the source field):
access-list [number] [permit or deny] [protocol] [source wildcard] [destination wildcard] [eq port]

Thursday, February 9, 2012

Cisco ICND1 Flashcard: NAT, PAT, Overloading

Network Address Translation

NAT rewrites the IP addresses of packets as they pass through the router. Use it when internal hosts with private addresses must reach another network and you do not want the originating addresses exposed, or when you have only a limited number of public IP addresses to give out. Hiding the internal addressing is a side effect, not an access control: anything the inside initiates is still allowed out.

NAT operates at Layer 3 on a Cisco router and was designed for address simplification and conservation by translating private IP addresses into public ones. Because it rewrites addresses, it breaks protocols that carry or authenticate those addresses: IPsec AH fails outright (it authenticates the IP header), ESP needs NAT traversal (UDP encapsulation), and tunnelling protocols that embed addresses need an application-level gateway or must avoid NAT altogether.

STATIC NAT
A fixed one-to-one mapping between an inside local address and an inside global address, entered by the network administrator one by one. The steps are: define the mapping, then mark the interfaces as NAT inside and NAT outside.


LAB SUMMARY
Configure Static NAT on Router 1, inside and outside interfaces, x = 2 for my Pod 2
usage: conf t
ip nat inside source static 192.168.xx.10 172.16.xx.10
int fa 0/0
ip nat inside
int serial 1/1
ip nat outside
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

Remove Static NAT from Router 1
usage: conf t
no ip nat inside source static 192.168.xx.10 172.16.xx.10

DYNAMIC NAT
Inside hosts are translated on demand to the next free address from a pool of inside global addresses (this has nothing to do with DHCP, which assigns the inside addresses themselves). Create a pool with a name, a range and a netmask, and an ACL that decides which inside addresses may be translated.

Create a standard ACL to permit traffic from the switch network and deny everyone else.
usage: conf t
access-list 3 permit 192.168.xx.0 0.0.0.255
ip nat pool LAN 172.16.xx.65 172.16.xx.126 netmask 255.255.255.192

Enable the translation by tying the access list (3) to the pool (LAN) and leave config mode
ip nat inside source list 3 pool LAN
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

To clear the entire NAT table usage: clear ip nat translations *
To remove Dynamic NAT from router 1 usage: no ip nat inside source list 3 pool LAN
Another day, I'll add more info about PAT.
PAT (Port Address Translation, overloading) is many-to-one dynamic translation: many inside addresses share one inside global address and the router keeps the sessions apart by rewriting the source port. It is enabled with the overload keyword, for example ip nat inside source list 3 interface serial 1/1 overload.

Bonus
NAT between IPv4 and IPv6 is a different mechanism (NAT64 and the older NAT-PT), not the inside/outside source translation above. Newer computers and laptops show an IPv6 address in their network settings alongside IPv4, and the US DoD has mandated IPv6 capability for new systems, so most are. An IPv6 interface identifier can be derived from the MAC address (EUI-64). The address is written in hex, and the leading 2 (or 3) simply means it falls in 2000::/3, the global unicast range IANA currently allocates from, not a code for planet Earth. Still, with 128 bits there is room to spare. To Infinity and Beyond!

Troubleshooting NAT
* Determine if there are enough addresses in the NAT pool
* Verify that the router interfaces are appropriately defined as NAT inside or NAT outside
* Verify that the ACL referenced by the NAT command is permitting the necessary inside local IP addresses
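An inside-source NAT table worked through in code, as an added example for these notes (not IOS code and not from the original post). It models static NAT, dynamic NAT from a pool gated by the ACL, and PAT overload on one address, and reproduces the first troubleshooting bullet: what happens when the pool runs out. The addresses reuse the lab values with xx = 2; the flows are constructed, and the PAT port allocation is simplified (IOS tries to keep the original source port where it can).

```python
"""Inside-source NAT/PAT translation table simulation (added example, not IOS).

Static mappings, a dynamic pool gated by an ACL, and PAT overload on a single
inside-global address. Addresses follow the lab (pod xx = 2); flows are constructed.
"""
import ipaddress


class InsideSourceNat:
    def __init__(self, addresses, permit_net, overload_addr=None):
        self.free_pool = list(addresses)                    # ip nat pool LAN first last netmask ...
        self.permit_net = ipaddress.ip_network(permit_net)  # access-list 3 permit ...
        self.static = {}                                    # inside-local -> inside-global
        self.dynamic = {}                                   # inside-local -> inside-global
        self.overload_addr = overload_addr                  # PAT: the one shared inside-global address
        self.pat = {}                                       # (local, sport) -> (global, gport)
        self.next_pat_port = 1024                           # simplified allocation (IOS keeps the port if free)

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global           # ip nat inside source static L G

    def translate(self, inside_local, sport=None):
        """Translate an inside->outside packet. Returns (inside_global, port) or None if not translated."""
        if inside_local in self.static:
            return self.static[inside_local], sport
        if ipaddress.ip_address(inside_local) not in self.permit_net:
            return None                                     # ACL did not permit: not translated at all
        if self.overload_addr:
            key = (inside_local, sport)
            if key not in self.pat:
                self.pat[key] = (self.overload_addr, self.next_pat_port)
                self.next_pat_port += 1
            return self.pat[key]
        if inside_local not in self.dynamic:
            if not self.free_pool:
                return None                                 # pool exhausted: the translation fails
            self.dynamic[inside_local] = self.free_pool.pop(0)
        return self.dynamic[inside_local], sport

    def clear(self):
        """clear ip nat translations *  (dynamic and PAT entries go, statics stay)."""
        self.free_pool.extend(self.dynamic.values())
        self.dynamic.clear()
        self.pat.clear()


def pool(first, last):
    """Expand 'ip nat pool NAME first last' into the list of inside-global addresses."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


def demo_dynamic():
    # A two-address pool so that exhaustion is reached by the third host
    nat = InsideSourceNat(pool("172.16.2.65", "172.16.2.66"), "192.168.2.0/24")
    nat.add_static("192.168.2.10", "172.16.2.10")
    out = {
        "static": nat.translate("192.168.2.10"),
        "dyn1": nat.translate("192.168.2.50"),
        "dyn2": nat.translate("192.168.2.51"),
        "exhausted": nat.translate("192.168.2.52"),
        "not_permitted": nat.translate("10.9.9.9"),
    }
    nat.clear()
    out["after_clear"] = nat.translate("192.168.2.52")
    return out


def demo_pat():
    # ip nat inside source list 3 interface serial 1/1 overload, interface address 172.16.2.1
    nat = InsideSourceNat([], "192.168.2.0/24", overload_addr="172.16.2.1")
    return [nat.translate("192.168.2.50", 40000),
            nat.translate("192.168.2.51", 40000),      # same source port, different host: new global port
            nat.translate("192.168.2.50", 40000)]      # existing session: same entry returned


if __name__ == "__main__":
    for k, v in demo_dynamic().items():
        print(f"{k:14} {v}")
    print(demo_pat())
```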

Wednesday, February 8, 2012

Cisco ICND1 Flashcard: Router RIP and IGRP

ICND1 Topic: RIP
ICND2 Topics: RIPv2 VLSM, single area OSPF, EIGRP


Routing is taking a packet from one device and sending it over the network to another device on a different network. Routing requires routers. Routers learn about remote networks from neighbour routers (dynamic routes) or from static routes programmed by the administrator. Classful routing behaviour (no ip classless) means a packet destined for an unknown subnet of a major network the router already knows is dropped instead of following the default route; ip classless, the default on current IOS, lets such packets use the default route.

Ways a router learns routes: static, default and dynamic routes
Two types of interior routing protocols: distance vector and link state (plus the hybrid, advanced distance vector)

IP Routing requirements
  • destination address and a source address
  • routing table for destination
  • neighbor
See other article about Static Route vs. Dynamic Routes
On directly connected networks, hosts and routers find the destination MAC address for the destination IP addresses using ARP.

Strategies to prevent routing loops:

Split Horizon Rule: the router will not advertise a route back through the same interface from which the route was learned

Route Poisoning: to poison a route, set the metric to infinite; for RIP that number would be 16 for the maximum number of hops. When used with Split Horizon, this strategy is called Split-Horizon with Poison Reverse.

Holddown: a holddown timer is used during convergence to stop a router from reinstating a route that has just gone down until all routers have had time to age the route out of their tables. It prevents the router from accepting bad or expired routing information about that route.
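The three loop-prevention rules above are easiest to see by running a tiny distance-vector exchange between two routers. The code below is an added example written for these notes, not RIP as implemented in IOS: it keeps only metrics and next hops (no timers, no triggered updates), so holddown is not modelled. Router A's directly connected 10.0.0.0/8 fails, and the same exchange is run with no protection, with split horizon, and with split horizon plus poison reverse. Without protection the two routers count each other up to 16; with either rule the route dies in one update.

```python
"""Count-to-infinity versus split horizon and poison reverse (added example, not IOS).

Two RIP-like routers exchange tables. 'none' reproduces the loop the rules above
prevent; 'split_horizon' and 'poison_reverse' stop it in a single exchange.
"""
INFINITY = 16          # RIP: 15 is the largest usable hop count, 16 means unreachable


class RipRouter:
    def __init__(self, name):
        self.name = name
        self.table = {}    # prefix -> {"metric": hops, "via": neighbour name, or None if connected}

    def connect(self, prefix):
        self.table[prefix] = {"metric": 0, "via": None}

    def update_for(self, neighbour, mode):
        """Build the periodic update sent to `neighbour`. mode: none | split_horizon | poison_reverse."""
        adv = {}
        for prefix, route in self.table.items():
            if route["via"] == neighbour:
                if mode == "split_horizon":
                    continue                        # never advertise a route back where it came from
                if mode == "poison_reverse":
                    adv[prefix] = INFINITY          # advertise it back, but explicitly as unreachable
                    continue
            adv[prefix] = route["metric"]
        return adv

    def receive(self, neighbour, adv):
        """Bellman-Ford step: add one hop, believe the current next hop unconditionally."""
        for prefix, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if new < INFINITY:
                    self.table[prefix] = {"metric": new, "via": neighbour}
            elif cur["via"] == neighbour:
                cur["metric"] = new                 # worse news from the next hop is still accepted
            elif new < cur["metric"]:
                self.table[prefix] = {"metric": new, "via": neighbour}


def simulate(mode, rounds=40):
    """Return [(A's metric, B's metric)] per exchange after A loses 10.0.0.0/8."""
    a, b = RipRouter("A"), RipRouter("B")
    a.connect("10.0.0.0/8")
    b.receive("A", a.update_for("B", mode))         # B learns 10/8 at one hop
    a.receive("B", b.update_for("A", mode))
    a.table["10.0.0.0/8"] = {"metric": INFINITY, "via": None}   # link fails: A poisons the route
    history = []
    for _ in range(rounds):
        ua, ub = a.update_for("B", mode), b.update_for("A", mode)  # periodic updates cross in flight
        b.receive("A", ua)
        a.receive("B", ub)
        ma, mb = a.table["10.0.0.0/8"]["metric"], b.table["10.0.0.0/8"]["metric"]
        history.append((ma, mb))
        if ma >= INFINITY and mb >= INFINITY:
            break
    return history


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        h = simulate(mode)
        print(f"{mode:15} {len(h):2} exchanges to converge: {h}")
```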

Routing Protocols QUIZ

Most common metrics used by routing protocols to determine a network path
hop count
bandwidth - data capacity. Say 10 Mbps is better than 64 kbps leased line
delay
load
reliability - bit error rate of each network link
cost - configurable, by default based on bandwidth
not packet length, distance.
1. What are three types of routing protocols?
a) hop count based
b) link state
c) cost based
d) distance-vector
e) advanced distance-vector (hybrid)
f) bandwidth based
answer 1. b,d,e


Name two IGP (interior gateway protocol) Distance Vector protocols: RIP, IGRP (Cisco proprietary)
  • uses hop count as a metric
  • sends entire routing table to neighbor, called routing by rumour and periodic updates
  • lower CPU overhead than link-state protocols
  • uses split horizon, route poisoning, and holddown to protect from routing loops

RIP - Routing Information Protocol
Configure RIP to run on the router:
conf t usage:
router rip
network 192.5.5.0
network 10.0.0.0
(the RIP network command takes a classful network only, there is no wildcard mask as in EIGRP; each statement enables RIP on every interface in that network and advertises it)
  • RIP v1 and RIP v2 (version 2 in router configuration mode)
  • RIP v1 is classful; v2 carries the subnet mask in its updates
  • RIP v2 supports VLSM (variable length subnet mask) and route authentication
  • distance vector protocol
  • can load balance over up to 6 equal-cost paths (4 by default)
  • uses hop count as the metric. The maximum hop count is 15, therefore 16 is infinite and unreachable
  • sends a periodic update every 30 seconds
  • RIP timers include: update, invalid, holddown, flush (and garbage collection).

A handy command to make an interface learn routes but not advertise them (RIP still listens on it)
In router configuration mode usage: passive-interface interface

IGRP - Cisco Proprietary
Interior Gateway Routing Protocol. All routers within the same autonomous system must use the same AS number, and all routers must be Cisco if IGRP is used. IGRP was created to overcome problems with RIP such as the 15 hop count limit. The maximum hop count for IGRP is 255, though 100 is the default. The IGRP metric (the value used to pick the best route) is a composite metric based by default on the bandwidth and delay of the line; reliability, load and maximum transmission unit (MTU) are carried but only used if enabled. It sends a periodic update every 90 seconds.

usage: conf t
router igrp 10
network 172.16.0.0

IGRP can load balance up to six unequal links to a remote network (RIP networks must have the same hop count to load balance).


Summary 
How does RIP work in the internetwork?
RIP uses hop counts to determine the best route to a network, with an upper hop count limit of 15

Know the RIP commands
router rip
show ip route
show ip route rip

Administrative distance
Rates the trustworthiness of routing information by its source; an integer from 0 to 255, where 0 is the most trusted. A route with distance 255 is not believed and is never installed in the routing table. When two sources offer the same prefix, the lower administrative distance wins regardless of the metrics, because metrics from different protocols are not comparable.
Default Administrative Distances
Route Source, Default Distance
Connected interface = 0
Static route = 1
EIGRP = 90
IGRP = 100
OSPF = 110
RIP = 120
External EIGRP = 170
Unknown = 255 not routable
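How the table above is actually applied, as an added example written for these notes (not IOS code): the routing table keeps, per prefix, the route from the lowest administrative distance (metric only breaks ties within the same protocol, and 255 is never installed), and forwarding then picks the longest matching prefix, so a RIP /24 beats an OSPF /16 for an address inside both. The candidate routes and next hops are constructed.

```python
"""Administrative distance and longest-prefix selection (added example, not IOS).

build_rib() keeps one route per prefix by (AD, metric); lookup() then does the
longest-prefix match the forwarding plane does. Candidates below are constructed.
"""
import ipaddress

AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110,
      "rip": 120, "eigrp external": 170, "unknown": 255}


def build_rib(candidates):
    """candidates: (prefix, source, metric, next_hop). Lowest AD wins per prefix;
    the metric only decides between routes of the same source. AD 255 is dropped."""
    rib = {}
    for prefix, source, metric, next_hop in candidates:
        ad = AD[source]
        if ad == 255:
            continue
        cur = rib.get(prefix)
        if cur is None or (ad, metric) < (cur["ad"], cur["metric"]):
            rib[prefix] = {"source": source, "ad": ad, "metric": metric, "next_hop": next_hop}
    return rib


def lookup(rib, dest):
    """Longest prefix match. Returns (prefix, entry), or None when there is not even a default route."""
    d = ipaddress.ip_address(dest)
    matches = [p for p in rib if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, rib[best]


CANDIDATES = [
    ("10.1.0.0/16", "ospf", 20, "192.0.2.1"),
    ("10.1.1.0/24", "rip", 3, "192.0.2.2"),
    ("10.1.1.0/24", "rip", 5, "192.0.2.3"),          # same protocol, worse metric: loses
    ("10.2.0.0/16", "rip", 2, "192.0.2.2"),
    ("10.2.0.0/16", "ospf", 200, "192.0.2.1"),       # OSPF wins on AD despite the larger metric
    ("172.16.0.0/16", "static", 0, "192.0.2.9"),
    ("198.51.100.0/24", "unknown", 0, "192.0.2.9"),  # AD 255: never installed
    ("0.0.0.0/0", "static", 0, "203.0.113.1"),       # gateway of last resort
]


if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for dest in ("10.1.1.5", "10.1.2.5", "10.2.3.4", "198.51.100.7"):
        print(dest, "->", lookup(rib, dest))
```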
      
What is AS, autonomous system
An AS is a group of routers that share the same routing information.

Know the difference between RIP and IGRP
Describe the metrics used. RIP only uses hop count.
IGRP uses a composite of bandwidth and delay by default (reliability, load and MTU are optional).

Three truths, from a quiz:
Routers evaluate the available paths to a destination
The routing process uses metrics and administrative distances when evaluating network paths
Dynamic routing occurs when information is learned using routing information that is obtained from routing protocols.

Note: show ip route only displays the routing table to the user; it does not change it.
  • The routing table provides an ordered list of known network addresses.
  • Routing tables contain metrics that are used to determine the desirability of the route.
  • Routing table entries tell a router that a destination is either directly connected (C) or reachable via another router (the next-hop router or exit interface) on the way to the final destination.

Link State Routing Protocols
Link state routing protocols respond quickly to network changes
Link state routing protocols send periodic updates (link state refreshes) at long intervals, about once every 30 minutes!
In link state routing protocols, every router builds its own internal map of the network topology

Tuesday, February 7, 2012

Cisco ICND1 Flashcard: CDP Cisco Discovery Protocol

This is a very useful command for troubleshooting or verifying connectivity to directly connected devices. The physical media must support SNAP (Subnetwork Access Protocol). When you issue the cdp commands, the output gives a summary of the protocol and address information for the neighbouring Cisco devices, as well as their hardware and software information.

CDP is a Cisco proprietary Layer 2 protocol that runs over Ethernet, serial and other SNAP-capable media.
Question: Note to self, what does this really mean? Devices connected on the Fast Ethernet and serial ports!
Answer: Layer 2 only means CDP needs no configured IP address (Layer 3) to function; it works between directly connected devices even when the addressing is wrong, which is exactly why it is handy for troubleshooting.

usage: show cdp
This will load information about timers, perhaps not quite what you want.

List of Device Identifiers (Variables)
usage: show cdp neighbor
Device ID: the hostname of the directly attached device
Local interface: the port identifier where the device is directly connected to
Hold time: the amount of time the device will hold the CDP information before discarding
Capability: identified as router, switch, hub, repeater
Hardware platform: Cisco series
Port ID: port on the remote device that this device is attached to

These commands give additional and more complete information about the neighbour; both display the same output
usage: show cdp neighbors detail
usage: show cdp entry hostname

Issue the show commands in privileged EXEC mode (the Router# prompt)
usage: show cdp ?
entry - gives info about specific device
interface - displays interfaces enabled with CDP and other parameters such as encapsulation, status and configuration
neighbors - CDP neighbor entries
traffic - CDP statistics

Configuring CDP with Security in Mind
CDP announces the device's hostname, platform, IOS version and IP addresses to anything listening on the segment, and show cdp neighbors detail on a neighbouring device reads them back. Turn it off wherever the neighbour is not trusted.
usage: no cdp run - issue in global configuration mode to turn off CDP on the whole device; no other CDP-capable device can then learn about it
usage: no cdp enable - disables CDP on a particular interface; recommended on the interface facing the WAN and on user-facing ports
usage: cdp enable - enables CDP on the interface again

Sunday, February 5, 2012

Cisco ICND1 Flashcard: Static Routing

Use of Static Routes
When the network is small and there are few routers, a network administrator can program static routes to set the path from one LAN to another. In a small network this is also more secure: no routing protocol runs, so there are no periodic updates on the wire and nothing for a rogue neighbour to inject routes into, and the paths won't change unless someone logs in and changes them.

usage: ip route network-address-destination subnet-mask-remote-network ip-address of next hop router or exit-interface

Default Static Route
A default static route allows a stub network to reach all known networks beyond the next hop router.   It is useful when the route from source to destination is not known or there are just too many routers to name. This is the perfect setting for the edge router of a company reaching to the ISP network.
 conf t
usage: ip route 0.0.0.0 0.0.0.0 ip-address or the exit-interface
This can be imagined as the gateway of the last resort.

Dynamic Routes
Dynamic routing uses a routing protocol that adjusts the routes automatically for topology or traffic changes. The protocols include RIP, IGRP, EIGRP and OSPF inside an autonomous system, and EGP (long since replaced by BGP) between them.
A routing protocol is configured from global configuration mode with its router command, for example router rip, followed by network statements for the networks it should run on.

Verify the Routes
usage: show ip route
The output lists the path to every network the router knows, marking S for a static route and C for a directly connected network, with the next-hop address or exit interface. A static route pointing at an exit interface can be forwarded in a single lookup; one pointing at a next-hop address needs a second (recursive) lookup to find the interface for that next hop.

Cisco ICND1 Flashcard: WAN Protocols and Serial Encapsulation, PPP, HDLC

The Usual Scenario that describes most WANs
Use serial point to point connection to connect the LAN to service provider WAN
Have serial point to point connections within the LAN
Use Circuit Switching technology (ICND1 Topic)

ICND2: Packet Switching in Frame Relay and ATM

The Telco provides clocking through the CSU/DSU. The DCE side provides the clock, so the clock rate command belongs on the DCE end (in the lab, the router holding the DCE end of the back-to-back cable), while the receiving device, say the customer's router, is the DTE.

What is a T1
T1: 24 DS0s of 64 kbps each
1 DS0 is the bandwidth required for one uncompressed, digitized phone call
a point-to-point leased line has its bandwidth specified by a DS number (DS0, DS1 etc.)

T1: 1.544 Mbps, 24 DS0s of 64 kbps each (1.536 Mbps) plus 8 kbps of framing overhead
E1: 2.048 Mbps, 32 timeslots of 64 kbps (30 carry traffic, 2 carry framing and signalling)

Circuit Switching
A dedicated path is established, maintained, terminated through a carrier network for each session.
Therefore circuit switching creates a dedicated physical connection running PPP, HDLC on Layer 2. Most likely this will be a leased line at fixed capacity, dedicated for the WAN connection.  The Point to Point serial line to form a preestablished WAN communications path

HOW TO Configure a Serial Interface
The serial interface will connect WAN to routers at a remote site

conf t
interface serial 0/0/0
bandwidth 64
clock rate 64000
encapsulation hdlc
no shutdown

Notes: by default Cisco routers are DTE devices but may act as DCE with the right cable
bandwidth: in kbps; only an input to routing metrics (IGRP, EIGRP, OSPF), it does not change the line speed
clock rate: set on DCE interfaces in bps; possible values include 1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000, 125000 and so on, up to 4000000


To configure the clock rate for the hardware connections on serial interfaces, use the clock rate interface configuration command. Use the no form to remove the clock rate if you change the interface from a DCE to a DTE device. Using the no form of this command on a DCE interface sets the clock rate to the hardware-dependent default value.

clock rate bps
no clock rate

The default may be no clock rate configured at all; on a serial interface card I plugged in, it was 2000000 bps.

Clock rate vs Bandwidth
My summary, taken from Cisco discussion pages on this subject.

Take the example of a simple serial PPP link: on the DCE side of the circuit (the end the service provider's equipment presents to the CPE) put clock rate 64000. Depending on the IOS version, on the DTE side you may be able to see this with show controllers (intf) | include clock, which reveals the actual tx/rx clock. The clock rate has to match on the receiver and transmitter of the local and remote router: the two ends need synchronized clocks to decode the bits arriving on their interfaces.

Then on the DTE side, look at show interface (intf) | include BW: a regular serial link shows 1544 Kbit even though it is only physically possible to send 64 kbps. By default, routers have no mechanism to detect the actual bandwidth of a serial line and use a default value of 1.544 Mbps. If there is one 64k serial line and one T1 line on the same router and the bandwidth value on the 64k line is not changed, the router treats both as T1 lines. The bandwidth command is how you tell the router that it is a slower link so that routing metrics are computed accurately.

The bandwidth command tells IOS how to perceive the speed of a particular interface in order to compute routing metrics (EIGRP, OSPF, IGRP); it does not physically change the speed of an interface the way the clock rate command does.
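The metric difference is worth putting in numbers. The calculation below is an added example for these notes, not from the original or from Cisco: it uses the standard OSPF cost formula (reference bandwidth 100 Mbps divided by interface bandwidth) and the classic IGRP/EIGRP composite metric with the default K values (10^7 / bandwidth_kbps + delay_us / 10, times 256 for EIGRP), with the IOS default serial delay of 20000 microseconds. The link is the 64 kbps circuit from the discussion above, first with the 1544 kbps default the router assumes and then with bandwidth 64 configured.

```python
"""Routing metrics depend on `bandwidth`, never on `clock rate` (added example).

OSPF cost and classic IGRP/EIGRP composite metric for one serial link, computed
from the bandwidth value the router believes, not the wire speed.
"""
OSPF_REFERENCE_BW_BPS = 100_000_000      # default reference bandwidth, 100 Mbps
SERIAL_DEFAULT_DELAY_US = 20_000         # IOS default delay for a serial interface
SERIAL_DEFAULT_BW_KBPS = 1544            # IOS default bandwidth for a serial interface (T1)


def ospf_cost(bandwidth_kbps):
    # IOS truncates to an integer and never goes below 1
    return max(1, OSPF_REFERENCE_BW_BPS // (bandwidth_kbps * 1000))


def igrp_metric(bandwidth_kbps, delay_us=SERIAL_DEFAULT_DELAY_US):
    # K1 = K3 = 1, K2 = K4 = K5 = 0: bandwidth term uses the slowest link on the path
    return 10_000_000 // bandwidth_kbps + delay_us // 10


def eigrp_metric(bandwidth_kbps, delay_us=SERIAL_DEFAULT_DELAY_US):
    return 256 * igrp_metric(bandwidth_kbps, delay_us)


def compare(physical_clock_bps=64_000, configured_bandwidth_kbps=None):
    """Metrics the router computes for a link clocked at physical_clock_bps.
    The clock rate never enters the formula; only the bandwidth value does."""
    assumed_kbps = configured_bandwidth_kbps or SERIAL_DEFAULT_BW_KBPS
    return {
        "physical_kbps": physical_clock_bps // 1000,
        "metric_bandwidth_kbps": assumed_kbps,
        "ospf_cost": ospf_cost(assumed_kbps),
        "igrp_metric": igrp_metric(assumed_kbps),
        "eigrp_metric": eigrp_metric(assumed_kbps),
    }


if __name__ == "__main__":
    print("default bandwidth :", compare())
    print("bandwidth 64      :", compare(configured_bandwidth_kbps=64))
```

With the default left in place the 64k circuit gets the same OSPF cost (64) as a real T1, so the router happily prefers it over a faster path; with bandwidth 64 the cost jumps to 1562 and the EIGRP metric by almost twenty times.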

Other commands
show controller serial 1/0, displays information about the physical interface, including clock rate
show interface

HDLC - High-Level Data Link Control protocol
HDLC is one of the two major data-link protocols for synchronous serial links, the encapsulation method for data on those links. It has error detection built in (a frame check sequence) and, in its full form, flow control and acknowledgements using control fields. However, HDLC implementations are not compatible between different vendors. Remember, it uses a flag byte as a frame delimiter to mark the start and end of each frame.

Cisco HDLC adds a proprietary type field (identifying the Layer 3 protocol carried) that is not compatible with equipment from other vendors.

Cisco HDLC
Cisco HDLC is the data-link protocol for point-to-point WAN connections and the default encapsulation on Cisco serial lines. There is no windowing and no flow control; it is point to point only. Its extensions allowed multiprotocol support before PPP was specified.
* will not interoperate with other HDLC implementations
* use PPP when interoperability is required, for example if a Nortel device and a Cisco device are connected

ISDN
ISDN carries voice and data services over existing telephone lines. The BRI (Basic Rate Interface) uses two B channels (64 kbps each, which may be combined) and one D channel (16 kbps). B stands for bearer, carrying voice and data; D stands for delta, carrying the call signalling.

An ISDN interface can run these protocols:
E protocols for ISDN on existing telephone network.
I protocols for concepts, terminology and services.
Q protocols refer to switching and signaling.

A Service Provider may use Signaling System 7 (SS7) between the two switches—the same protocol used inside phone company networks to set up circuits for phone calls.  ISDN PRI in North America is like a digital T1 circuit

ISDN BRI and PRI Reference Point Diagrams

PPP
Point to Point protocol is a data-link protocol, provides router to router and host to network connections over both synchronous and asynchronous circuits. So, it transports Layer 3 packets across the data-link layer. PPP can be applied to these physical interfaces:
1) asynchronous connection - think of a dial up connection
2) synchronous connection - think of a leased line, like ISDN media
3) High Speed Serial Interface HSSI

Features not available in HDLC but found in PPP:
1) link quality management to monitor the quality of the link; if too many errors are detected, PPP takes the link down
2) authentication with the Password Authentication Protocol (PAP, two-way, cleartext) or CHAP (a three-way handshake using an MD5 hash so the secret never crosses the link)

Three phases of PPP
The method for encapsulating multiprotocol datagrams
* Link establishment phase- LCP extensible link control protocol, establish, configure, test the WAN link
* authentication phase of ppp is optional (choose PAP or CHAP)
* Network Layer protocol phase - NCP network control protocol, to establish and configure different network layer protocols, example IPCP, Appletalk Control Protocol, Novell IPX Control Protocol, Cisco Systems CP, Systems Network Architecture (SNA) CP, Compression CP

Main components:
EIA/TIA-232-C - connector, physical layer standard for serial comms
HDLC - High-Level Data Link Control, for encapsulating datagrams over serial links
LCP - Link Control Protocol, negotiates, maintains and terminates the link
NCP - Network Control Protocols, one per network layer protocol carried over the link

LCP configuration options
Authentication - identifying the sender, PAP or CHAP
Compression - Cisco uses Stacker and Predictor compression methods
Error Detection - Quality and Magic Numbers
Multilink - splits the load over two or more parallel circuits, or a bundle

PAP
- Password Authentication Protocol; the username and password are sent in cleartext in a two-way handshake, and only once, at initial link establishment. Anyone who can capture the link has the password.

CHAP
- Challenge Handshake Authentication Protocol; used at link startup and again at periodic intervals to make sure the router is still talking to the same host. The authenticator sends a challenge (an identifier and random bytes) to the remote device and expects back the MD5 hash of the identifier, the shared secret and the challenge. The secret itself is never transmitted, and because the challenge changes every time, a captured response cannot be replayed. If the values don't match, the link is terminated.
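The CHAP computation as RFC 1994 defines it, placed next to what PAP puts on the wire. This is an added example written for these notes (not IOS code and not from the original post); the router names, the secret B007! and the fixed demo challenge are constructed. It also shows why the authenticator has to hold the cleartext secret, which is what the username password line in the configuration below provides.

```python
"""CHAP challenge/response (RFC 1994) next to PAP's cleartext exchange (added example, not IOS).

Response = MD5(Identifier || secret || Challenge). The authenticator keeps the
cleartext secret, issues a fresh identifier and challenge each time, and compares
the peer's response to its own computation in constant time.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: one octet identifier, then the secret, then the challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    def __init__(self, users):
        self.users = users                 # name -> cleartext secret; a one-way hash would not work here
        self.identifier = 0
        self.challenge_value = None

    def challenge(self, value=None):
        """Issue a new challenge; fresh identifier and random value are what defeat replay."""
        self.identifier = (self.identifier + 1) % 256
        self.challenge_value = value if value is not None else os.urandom(16)
        return self.identifier, self.challenge_value

    def verify(self, identifier, name, response):
        secret = self.users.get(name)
        if secret is None or identifier != self.identifier or self.challenge_value is None:
            return False
        expected = chap_response(identifier, secret, self.challenge_value)
        return hmac.compare_digest(expected, response)


def peer_response(identifier, challenge, name, secret):
    """What the peer sends back: its name and the hash, never the secret."""
    return name, chap_response(identifier, secret, challenge)


def pap_authenticate_request(name, password):
    """PAP Authenticate-Request payload: the password travels as-is."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


def demo():
    auth = Authenticator({"RouterY": b"B007!"})            # username RouterY password B007!
    ident, chal = auth.challenge(b"\x5a" * 16)             # fixed value so the demo is reproducible
    name, resp = peer_response(ident, chal, "RouterY", b"B007!")
    good = auth.verify(ident, name, resp)
    wrong_secret = auth.verify(ident, name, chap_response(ident, b"guess", chal))
    auth.challenge()                                       # periodic re-challenge with fresh randomness
    replayed = auth.verify(ident, name, resp)              # the captured response is now worthless
    return {
        "good": good,
        "wrong_secret": wrong_secret,
        "replayed": replayed,
        "secret_on_wire_chap": b"B007!" in resp,
        "secret_on_wire_pap": b"B007!" in pap_authenticate_request("RouterY", b"B007!"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

MD5 is kept here because that is what CHAP specifies; the protection CHAP offers is against sniffing and replay, not against an attacker who can run an offline dictionary attack on a captured challenge/response pair, so the shared secret still needs to be long and random.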

Configuring PPP and authentication
* hostname RouterX, assign a hostname to RouterX (the name CHAP sends to the peer)
* username RouterY password B007!, create the remote router's username with the shared secret. Use password, not secret: CHAP needs the cleartext (or reversible type 7) password to compute the MD5 response, so a one-way hashed secret cannot be used. The same username and password pair must exist on both routers, each naming the other.
* conf t, then go to the serial interface in question
* encapsulation ppp, enable PPP encapsulation
* ppp authentication chap, enable CHAP authentication (or pap instead)

Sample configuration
conf t
hostname RouterX
username RouterY password B007!
int s0
 encapsulation ppp
 ppp authentication chap
 (or ppp authentication pap)

debug ppp authentication
Verify
show interfaces
show interface serial
show interface s0

Tuesday, January 31, 2012

Cisco ICND1 Flashcard: DHCP

The starting point for understanding DHCP for the CCNA Exam or ICND1 and ICND2, is that DHCP is based on a client-server model.

There are three types of IP address allocation by DHCP:
  1. Automatic - assigns a permanent IP address to the client (an infinite lease)
  2. Dynamic - assigns an IP address to the client for a limited time; when the lease expires and is not renewed, the address returns to the pool for reuse
  3. Manual - the network administrator reserves a specific IP address for a specific client (by MAC address or client identifier) and DHCP merely conveys it; the message exchange is the same, only the address selection is fixed.

The Client requests an IP address allocation and initialization parameters from the DHCP Server through the following exchange of messages.

DHCPDISCOVER
When a client boots up without an address, it sends a DHCPDISCOVER broadcast to 255.255.255.255 with a source IP address of 0.0.0.0 (because it doesn't have one yet). The message carries the client's MAC address and a transaction ID (xid) that ties the whole exchange together.

DHCPOFFER
Every DHCP server that receives the discover may reply with a DHCPOFFER proposing an address (yiaddr) and options such as the subnet mask, default gateway (router), lease time, renewal time, DNS servers and NetBIOS name server. The reply is normally sent at Layer 2 to the client's MAC address with the offered address as destination IP; if the client set the broadcast flag, the server broadcasts it instead. Nothing authenticates the server, so a rogue DHCP server on the segment can hand itself out as default gateway or DNS.

DHCPREQUEST
The client picks one offer and replies with a DHCPREQUEST naming the chosen server and address. It is broadcast (Layer 2 and Layer 3) so that every server that made an offer sees which one was accepted and the others can return their offered addresses to their pools.

DHCPACK
The chosen server confirms the lease with a unicast DHCPACK (or refuses with a DHCPNAK), and only then may the client use the address.
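The four messages as bytes, built and parsed, as an added example for these notes (not from the original post and not Cisco code). It uses the pool configured in the CLI section further down (10.10.10.0/24, router 10.10.10.1, DNS 10.10.10.98 and .99, 7-day lease); the client MAC, the xid and the offered address 10.10.10.100 are constructed. The last function is the one check a client has against a stray or rogue reply: the transaction ID and hardware address must match its own discover.

```python
"""The DHCP DORA exchange as bytes (added example, not from the original notes).

BOOTP fixed header, magic cookie, then TLV options; option 53 is the message type.
Addresses follow the CLI pool below; MAC, xid and offered address are constructed.
"""
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=(), broadcast=False):
    """Return the DHCP payload (everything after the UDP header). options: iterable of (code, bytes)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    flags = 0x8000 if broadcast else 0                     # bit 15: client wants a broadcast reply
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, flags,
                         ip4("0.0.0.0"), ip4(yiaddr), ip4("0.0.0.0"), ip4("0.0.0.0"),
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    body = bytes([53, 1, msg_type])                        # option 53: DHCP message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + b"\xff"                 # option 255: end


def parse_dhcp(payload):
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                                # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "msg_type": MSG_TYPES.get(options[53][0]),
        "options": options,
    }


def dora(client_mac="00:0c:29:3e:7f:01", xid=0x3903F326, server="10.10.10.1",
         offered="10.10.10.100", lease_secs=7 * 86400):
    """The four messages, each with the (src, dst) IP addressing it is sent with."""
    server_opts = [(1, ip4("255.255.255.0")), (3, ip4(server)),
                   (6, ip4("10.10.10.98") + ip4("10.10.10.99")),
                   (51, struct.pack("!I", lease_secs)), (54, ip4(server))]
    return [
        ("DISCOVER", "0.0.0.0", "255.255.255.255",
         build_dhcp(BOOTREQUEST, xid, client_mac, 1, options=[(55, bytes([1, 3, 6]))])),
        ("OFFER", server, offered,
         build_dhcp(BOOTREPLY, xid, client_mac, 2, yiaddr=offered, options=server_opts)),
        ("REQUEST", "0.0.0.0", "255.255.255.255",
         build_dhcp(BOOTREQUEST, xid, client_mac, 3, options=[(50, ip4(offered)), (54, ip4(server))])),
        ("ACK", server, offered,
         build_dhcp(BOOTREPLY, xid, client_mac, 5, yiaddr=offered, options=server_opts)),
    ]


def reply_belongs_to(request, reply):
    """A client must only act on an OFFER/ACK whose xid and chaddr match its own request."""
    q, r = parse_dhcp(request), parse_dhcp(reply)
    return r["op"] == BOOTREPLY and r["xid"] == q["xid"] and r["mac"] == q["mac"]


if __name__ == "__main__":
    for name, src, dst, payload in dora():
        p = parse_dhcp(payload)
        print(f"{name:8} {src:>15} -> {dst:<15} yiaddr={p['yiaddr']} options={sorted(p['options'])}")
```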

Setting DHCP Pool Parameters using a Wizard
The DHCP pool may be configured from the Cisco SDM page, according to the parameters below
DHCP Pool Name - Name that clearly identifies the DHCP pool
DHCP Pool Network and Subnet Mask- the assigned IP address is drawn from the pool, specifying a starting and ending IP address in the range.

Hints: the IP address range should be within the private address ranges (RFC 1918)
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Must not use the reserved address in this range specified
The network or subnetwork IP address
The broadcast address on the network

Starting IP
Ending IP
Lease Length - integer number in days
DHCP options
DNS Server 1
DNS Server 2
Domain Name
WINS Server 1
WINS Server 2
Default Router - IP address of router to use as the default gateway
Import all DHCP options into the DHCP Server database

CLI Cisco IOS DHCP server on a router
ip dhcp pool mydhcppool
 network 10.10.10.0 255.255.255.0
 domain-name mydhcpdomain.com
 dns-server 10.10.10.98 10.10.10.99
 default-router 10.10.10.1
 lease 7
 exit
ip dhcp excluded-address 10.10.10.0 10.10.10.99
(the excluded range keeps the router, the DNS servers and anything else statically addressed out of the pool; the network and broadcast addresses are never handed out anyway)

Monday, January 30, 2012

HOW TO Setup TFTP Server on Linux to Transfer IOS

To back up a Cisco IOS image or configuration, or to do a remote Red Hat Linux install, you need a TFTP server.

1. On the Linux computer, first create the target file, for example touch /tftpboot/2514-config
2. Make it writable by the user the TFTP daemon runs as (often tftp or nobody), for example chown tftp 2514-config and chmod 664 2514-config; a world-writable 777 is not needed
3. The TFTP server directory is /tftpboot, off root
4. The files are written there

To back up the Cisco IOS, type the command
copy flash tftp
* The empty file is needed because the classic Unix tftpd only writes to files that already exist and are writable; it will not create new files unless started with a create option (-c on tftpd-hpa). Windows TFTP servers create the file for you, which is why the step seems unnecessary there; TFTP runs from the command window in Windows 7. Keep in mind that TFTP has no authentication or encryption, so copy run tftp puts the whole configuration, password hashes and type 7 strings included, on the wire in the clear. Run the server only on an isolated lab or management network and stop it when done.

To back up the configuration, type the command
copy run tftp

To upgrade a newer copy of an IOS to the router, use the command
show flash
(make sure you have enough memory first. Otherwise you will be prompted to erase the flash. Eeeeeeeeerase!)
copy tftp flash
Follow the prompts for the IP address of the TFTP server.

If you have created a configuration file on an external editor, you can load or copy this running configuration into the router.
copy tftp running-configuration

Very easy. Once the file is loaded, be sure to save it by copying the running-configuration to the startup-config in NVRAM
copy run start

erase startup-config wipes the saved configuration in NVRAM; it is used to return a router to a clean state before reuse or before walking through setup again. Otherwise there is little point in issuing it other than to cause trouble, so use it with caution, especially followed by a reload command.
erase startup-config





Cisco CCNA Exam and ICND Study Notes
Cisco CCNA Exam and ICND Study Notes by hot barbie geek girls who like lululemon, high heels and ulzzang makeup tips.

Cisco Troubleshoot: Password Recovery

If you have encountered the unfortunate tragedy of losing the password for your Cisco router, do the following steps in order. This post also sounds very similar to the other situation requiring the tftpdnld ROMmon command.

  1. Read the entire list of directions first.
  2. Boot the router but send a break signal using the Break key. In this mode halfway between heaven and hell, set the configuration register to 0x2142
  3. Reload the router
  4. The router comes up into the initial setup dialog. Hit Ctrl C, type enable
  5. Copy the startup config into the running config, copy start run (tricky!)
  6. Change the passwords and save the config file. 'wr' is the legacy write (write memory) command that saves the configuration and is the same as copy run start.
  7. Reset the configuration register to the default value, which should be 0x2102
  8. Reload the router.

Cisco Router Configuration: Cheat Sheet for Router IOS Modes and CLI

Here are some basic commands so frequently used they're second nature and you'll only find them in your Study Notes for the CCNA Exam.

Cisco Command Line interface (CLI). I am most familiar with the CLI, however I was warned that with the newer exams it was important to be somewhat familiar with SDM.

Cisco SDM - Security Device Manager, a web based management system for router configuration. How do you know if SDM is already loaded on a router? Use show flash.

Several modes in the various stages of IOS
setup mode: when no valid configuration file is found in NVRAM
user mode: to view statistics and basic information. The prompt Router>
Privileged mode: type enable to view and modify the configuration. The prompt Router#
Global configuration mode: to make global changes; to access this mode from privileged mode, type configure terminal (conf t). The prompt Router(config)#
Interface configuration mode: to make changes to a specific interface; from global configuration mode, type interface followed by the interface name, eg. int fa 0/15. The prompt Router(config-if)#


If both the enable secret and the enable password commands are configured on your router, how do you get to the # prompt?
Enter the enable secret command.


If you try to make the enable and enable secret password the same despite the warning messages, neither will work and then you have to do Password Recovery. This happened to me!

The basic Cisco commands:
enable: puts you in Privileged mode
disable: takes you back to User mode
logout: completely exits the router
exit: exits the current configuration mode
conf t: shortcut for configure terminal, moves you to global configuration mode
int #: puts you in the configuration mode of the specific interface by number, example int fastethernet 0/15
line console 0: a subcommand from global configuration mode, modifications to console access, passwords
line vty 0 4: a subcommand, from global configuration mode, modifications to vty (telnet) access, passwords
line aux 0: a subcommand, from global configuration mode to modify auxiliary (AUX port) access, passwords
Ctrl Z, end: like logout, disable

The quick reference guide for more Cisco commands
router protocol: in global configuration mode, configure that protocol eg. router RIP
show running-config: in privileged mode, show the running configuration in RAM
show startup-config: in privileged mode, show the startup config in NVRAM
show compress: shows compression statistics
show post: run after the system boots, in order to see if any port had failed a POST test
show controllers: view the hardware related info on the router/ switch interfaces. Does not show operational status of the switchport
show interface: shows detailed information regarding interfaces or specify the interface, eg. show int fa 0/15
more precisely, show interfaces fa 0/15 switchport
show history: shows the last ten commands
show version: displays hardware and software versions
show user: see who has telnet sessions to the router
clock set: clock set hh:mm:ss day month yyyy
banner [motd | incoming | login | exec]: sets the Message of the Day banner. Incoming for users using reverse telnet, login on all terminals, exec banner used on line activation like vty.
clock rate rate: in interface configuration mode, setting the device as a DCE. The DCE end of cable must be connected and detected to use the command.
bandwidth rate: does not set the actual interface bandwidth at all, but is used by routing protocols to choose the best path
hostname: in global configuration mode, sets the hostname of the system eg. Router1
username: Example username admin priv 15 password cisco username bob priv 7 password cisco
enable password: in global configuration mode, sets the enable password for the router
enable secret: in global configuration mode, sets the secret password. It's encrypted and overrides the enable password. Cannot be the same as the enable password or it's bad!
no ip domain-lookup: this is a handy command to include so that when you make a typo or incomplete command, the router won't assume you are trying to telnet to a hostname and try to resolve it
ip name-server name-of-DNS-server: the router will use this server for DNS
ip domain-name name: this will append the domain name to the hostname to form the fully qualified domain name

show ip route: will show the contents of the routing table
show ip interface: shows the IP information on interfaces (including access-lists)
encapsulation (hdlc | ppp | frame-relay): choose the encapsulation on a serial interface
ppp authentication (pap | chap): set the authentication method for ppp on the serial interface
show frame-relay pvc: shows permanent virtual circuit information including the status
show frame-relay map: shows layer 3 (IP) to layer 2 (DLCI) mapping of PVCs



Shortcut commands may pop up in the CCNA Exam Questions
Ctrl+ A: move cursor to beginning of line
Ctrl+ E: end
Ctrl+ Z: move back to the EXEC prompt in privileged mode
Tab: complete a partially entered command, autofill
Esc+ F: move forward one word
Esc+ B: move back one word
Ctrl+ F: move forward one character
Ctrl+ B: back
Ctrl+ D: delete a character
Backspace: delete a character
Ctrl+ U: delete everything on a line before the cursor
Ctrl+ W: delete a word
Ctrl+ P: recall the last line
Up and Down arrows: Recall previous older commands or recall more recent commands

Commands related to debug
Before running the debug command, turn on the synchronous logging first.
conf t
line con 0
logging synchronous

Use the debug command sparingly and be very specific about which item you are debugging. Never debug EVERYTHING (debug all) because the output buffer to the screen will fill up very quickly, you will be unable to stop it and the router will certainly crash.
In privileged EXEC mode:
Add a timestamp to debug or log message
usage: service timestamps debug datetime msec
Display CPU usage
usage: show processes
Disable all debug commands
usage: undebug all (shortcut u all)
Display debug output to current vty session
usage: terminal monitor


Fancy stuff to be used only by a super geek:
conf t: configure from terminal (user input command line interface)
conf mem: merge startup configuration in NVRAM with the running config
conf network: merge startup config stored on a TFTP server with the running config
conf overwrite-network: overwrite the startup config stored in NVRAM with a configuration from the TFTP server

Friday, January 27, 2012

HOW TO Setup Cisco SDM on a Router

Cisco Secure Device Manager (SDM)
Router configuration can be done by the command line interface, however the newer routers and IOS support the new Cisco SDM web-based device management control interface. I was told that the ICND1 Exam contains questions about the Cisco SDM interface. It would help to navigate through the menus.

Cisco SDM is supported on Cisco 830 Series, Cisco 1700 Series, Cisco 1800 Series, Cisco 2600XM Series, Cisco 2800 Series, Cisco 3600 Series, Cisco 3700 Series, Cisco 3800 Series, and some Cisco 7200 Series and Cisco 7301 routers.
Cisco SDM Wizards
Simple router configurations or even advanced settings using the Cisco SDM Wizards can be done remotely (obviously) from the web browser.  The commands take effect when you click Submit or OK, much the same way when you press the Enter key in the CLI. Wizards for the following configurations
Interface and connections: WAN interfaces for PPP, Frame Relay, HDLC, and even DHCP
Firewall: firewall settings
Security audit: perform a security audit on the router, or issue a lockdown (scary!)
IPS: Intrusion prevention system
QoS: Quality of Service policy for outgoing traffic on the WAN interfaces and IPSec tunnels

If it is not already setup by default, start with enabling https.

First create a secure password policy. Use the command
> conf t
> service password-encryption
> hostname myrouter1
> banner motd #Authorized use only... Enter your display message between the two hash signs#

Enable https on the router
> conf t
> ip http server
> ip http authentication local
> ip http timeout-policy idle 600 life 86400 requests 1000

Create a user account
> username myusername privilege 15 secret 0 mypassword

Configure the user for access by ssh, telnet, local login
> conf t
> line vty 0 4
> privilege level 15
> login local
> transport input telnet ssh
> exit

Cisco SDM is stored on the router in flash memory. Launch the Cisco SDM from the web browser window using https://routerIPaddress The java applet will load on the PC with a possible security warning about certificates. Accept the certificate. On the top menu bar there is a button "Configure". This brings the user to "global configuration mode" in a GUI format.


Thursday, January 26, 2012

HOW TO Download a Cisco IOS image using tftpdnld ROM mon Command

I used to think ROM mon mode was something bad and scary, like the blue screen of death!  But actually you could interrupt a regular startup sequence and jump into ROM mon mode on purpose, using Ctrl-break during a Hyper Terminal session (or try Ctrl-c or escape).  Anyway, I arrived in ROM mon during a simple Cisco IOS upgrade that went bad.

WHAT WENT WRONG
Hardware: the Cisco 2800 Series

Somewhere along the way, during a routine copy tftp flash, there was an incomplete copy of the new Cisco IOS software, and I ended up in ROM mon mode. There was no valid image in the flash, so the router would never boot beyond ROM mon, so I had to do the tftp transfer by tftpdnld in ROM mon mode.

I found a very useful solution on the Cisco Support website, which I can reference and make some notes for myself:
  • HOW TO Download a Cisco IOS image using tftpdnld ROM mon Command Document ID:12714
  • ROMmon Recovery for the Cisco 2600 Series Router and the VG200 Document ID:15079

Understanding tftpdnld
Use the "set" command to view the ROMmon environment variables.
See Cisco tftpdnld Document 12714 to set the correct environment variables for tftpdnld.
Use TFTPDNLD for extreme disaster recovery only to recover the operating system image software via tftp.

rommon 3> set

Here are the sample settings
IP_ADDRESS: 10.10.10.1 (for your router)
IP_SUBNET_MASK:255.255.255.248
DEFAULT_GATEWAY:10.10.10.6
TFTP_SERVER:10.10.10.2 (the laptop acting as the tftp server)
TFTP_FILE: c2600-is-mz.113-2.0.3.Q

TFTP_CHECKSUM = 0 (If prompted, use this as a workaround for the bug).

rommon 9> sync
Use the "sync" command to save the ROMmon environment variables to NVRAM

rommon 10> tftpdnld -r
Choose the -r option if you don't want to overwrite the flash, load to DRAM only and launch
-u means upgrade the rommon, system will reboot once upgrade is complete.

There is a question, "WARNING: all existing data in all partitions on flash will be lost! Do you wish to continue?" Say no; the file reception will still continue.

rommon 16> reload
Reload reboots the router and you should be back in business!

HOW TO Upgrade the Cisco IOS by TFTP
This is what should've happened... a regular run of the mill Cisco IOS Upgrade of course! The intent was to copy a Cisco IOS from a tftp server to flash.
#show running
#conf  t
(conf)# int eth 0
(conf-int-eth0)# ip address x.x.x.x y.y.y.y
set the IP address to one on the same network as the TFTP Server
#show flash
view the name of the current flash image, and make a copy to a tftp server for safekeeping
#copy flash:flashimage tftp://ipaddress/flashimage
#delete flashimage
copy tftp://ipaddress/flashimage flash:flashimage

However the flash memory was too small, which is normally not a big deal, but I further damaged the flash card by accidentally re-formatting it on Windows and not in the Cisco proprietary format.

Anyway if there are too many Cisco IOS software images on the flash, you'll have to update the following in the configuration file.

conf t
no boot system flash oldflashimagename
boot system flash flashimage
exit

ROMMON IN CONFIGURATION REGISTER
Check the value of configuration register.
The first four bits of the configuration register indicate the boot field, which defines the source of the default Cisco IOS software image (normally the flash). If it is 0 as in the configuration register value of XXX0 then at startup the system enters the ROM monitor mode prompt.

(rommon)>

Use the "confreg" command to verify the value of the configuration register and where it will look for the Cisco IOS software image on startup to boot from.
(rommon) 2 > confreg
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system

Make your choice, say 2, and issue the reset command to the router so the change takes effect.
(rommon) 3> reset
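Both the password recovery steps earlier (0x2142 versus 0x2102) and the confreg discussion here come down to which bits of the 16-bit register are set. The following is an added Python decoder, not from the original post; the bit meanings are the documented Cisco ones and the function names are this example's own.

```python
"""Decode a Cisco configuration register value (added example).

Bit layout used here (documented Cisco meanings): bits 0-3 are the boot
field (0 = ROM monitor, 1 = boot helper image, 2-15 = boot system), bit 6
(0x0040) makes the router ignore the startup config in NVRAM, bit 8
(0x0100) disables the console Break key, bit 13 (0x2000) boots the default
ROM software if a network boot fails.  Function names are this example's own.
"""

IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
BOOT_DEFAULT_ROM = 0x2000


def boot_field(confreg: int) -> int:
    """Return the 4-bit boot field (bits 0-3)."""
    return confreg & 0x000F


def boot_source(confreg: int) -> str:
    """Describe where the router will look for an image at startup."""
    field = boot_field(confreg)
    if field == 0:
        return "ROM monitor (rommon) prompt"
    if field == 1:
        return "boot helper image"
    return "boot system commands in the startup config, then flash"


def decode_confreg(confreg: int) -> dict:
    """Break a register value down into the fields the post talks about."""
    if not 0 <= confreg <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "value": f"0x{confreg:04X}",
        "boot_field": boot_field(confreg),
        "boot_source": boot_source(confreg),
        "ignore_startup_config": bool(confreg & IGNORE_NVRAM),
        "break_disabled": bool(confreg & BREAK_DISABLED),
        "boot_default_rom_on_netboot_failure": bool(confreg & BOOT_DEFAULT_ROM),
    }


def recovery_register(confreg: int) -> int:
    """Register to use for password recovery: the same value with bit 6 set."""
    return confreg | IGNORE_NVRAM


def restore_register(confreg: int) -> int:
    """Clear bit 6 again once the passwords have been changed and saved."""
    return confreg & ~IGNORE_NVRAM & 0xFFFF


if __name__ == "__main__":
    # 0x2102 is the factory default, 0x2142 the recovery value, 0x2100 drops to rommon.
    for value in (0x2102, 0x2142, 0x2100):
        print(decode_confreg(value))
```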

Looking for the Valid Image in Flash
(rommon) 1 > dir flash
(rommon) 2 > boot flash:c2600-i-mz.122-10b.bin

copy run start
wr (does the same thing as copy run start), then reload

Cisco Field Notice
Months after, I needed to decommission this router and do something else with it, so I erased the start-up config and issued the reload command. Remember this is a new 256 MB card (not the 64MB card it came with). It went into ROM MON again, I couldn't see the flash and the confreg was set to something weird. I believe I should've just set the confreg 0x2102 the factory default but I just swapped cards with the other router a 128MB card and it seemed fine. I fragments of a 64 MB error. I'll have to resolve this tomorrow but here's the scoop: http://www.cisco.com/en/US/ts/fn/620/fn62127.html

Cisco Troubleshoot: VLAN mismatch

Hardware: Cisco Catalyst 2960 S Series Switch
Use "show version" to display the hardware configuration, Cisco IOS version, names and sources of configuration files, boot images (and boot sequences).

Symptoms:
The "show logging" displays a large volume of CDP messages potentially bogging down the network with warnings about vlan mismatch.

What is a VLAN?
Diagnosis:
Vlan mismatch could indicate that the switch does not have the VLAN 2 created on it, and is being asked to route traffic from a VLAN that is not advertised on the switch. Usually, only the default native VLAN 1 is configured by factory default, but the attached router is advertising VLAN 2.
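To see how much of "show logging" those CDP warnings account for, and on which ports, here is an added Python example, not from the original post. It assumes the warnings are the standard %CDP-4-NATIVE_VLAN_MISMATCH syslog message; the log lines, hostnames and timestamps below are constructed samples.

```python
"""Summarise CDP native VLAN mismatch warnings from a "show logging" capture.

Added example, not from the original post.  SAMPLE_LOG is constructed to
match the documented %CDP-4-NATIVE_VLAN_MISMATCH message format; the device
names, interfaces and timestamps are made up.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
*Jan 26 10:01:12.335: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with Router1 GigabitEthernet0/0 (2).
*Jan 26 10:02:12.341: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with Router1 GigabitEthernet0/0 (2).
*Jan 26 10:02:40.002: %SYS-5-CONFIG_I: Configured from console by console
*Jan 26 10:03:12.350: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (1), with Switch2 FastEthernet0/1 (10).
"""

# Local port and VLAN, then the CDP neighbour's name, port and VLAN.
MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), "
    r"with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def parse_mismatches(log_text: str) -> list:
    """Return one record per mismatch line; unrelated log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        match = MISMATCH_RE.search(line)
        if match:
            record = match.groupdict()
            record["local_vlan"] = int(record["local_vlan"])
            record["peer_vlan"] = int(record["peer_vlan"])
            records.append(record)
    return records


def summarise(log_text: str) -> dict:
    """Count warnings per local port and collect the native VLAN each
    neighbour reports, so the port(s) needing attention stand out."""
    records = parse_mismatches(log_text)
    per_port = Counter(record["local_if"] for record in records)
    peer_vlans = {}
    for record in records:
        peer_vlans.setdefault(record["local_if"], set()).add(record["peer_vlan"])
    return {"count": len(records), "per_port": dict(per_port),
            "peer_native_vlans": peer_vlans}


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(summary["count"], "mismatch warnings")
    for port, count in summary["per_port"].items():
        print(f"{port}: {count} warnings, neighbour native VLAN(s) "
              f"{sorted(summary['peer_native_vlans'][port])}")
```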

Fix: Add VLAN 2 to the switch
Access: Console Access or Cisco SDM (web GUI)
  • If Console login is not configured by default, user must telnet to the switch to configure the "line con 0"
  • If Telnet is disabled/ not configured by default, it must be enabled first through the Cisco SDM web GUI.
  • Cisco SDM is a web interface to configure the switch as an alternative to the Command Line Interface

HOW TO Use the Cisco SDM
1) Launch the webpage http://ipaddressoftheswitch
2) Login as cisco, cisco; You will be asked to change it after the first login
3) Enable Telnet access to the switch from the Advanced Settings page
4) Use the web menus and configuration tabs, Add VLAN 2 and assign all the switchports to VLAN2

If you cannot open the Cisco SDM webpage because the username login is invalid and cannot be recovered, you can resort to restore the Switch to factory default to use the default login.


Alternatively, you may login as EXEC Privileged, global configuration mode and use the Cisco commands
switch (config)# line con 0
login
password mypassword

switch (config)# line vty 0 4
login
password myTelnetpassword

line vty 0 4 covers the maximum of 5 sessions for telnet (vty 0 through 4).
Additional lines may be specified with line vty 5 15


Verify Telnet and Assign ports to VLAN 2
Before closing the Cisco SDM or the CLI, verify that you can telnet into the switch from another machine on the network.
switch (config)# int range fa 0/1 - 24
switchport mode access
switchport access vlan 2
no shutdown

Do a "show running" on the switch and all the switchports should be assigned to VLAN2.
This command configures ssh (and removes Telnet access. Beware!)
line vty 0 15
login local
transport input ssh

(if you leave that blank after ssh, then there is no longer any telnet access)

Wednesday, January 25, 2012

Cisco Router Configuration: rate-limit and bandwidth monitoring

For the purpose of managing bandwidth usage on peak hours (office hours) and off-peak hours (after work hours), use access lists in the router configuration in conjunction with the Cisco rate-limit command and time related rules, like enable ntp, scheduler, and the time-range commands.

Mitigate Denial of Service Attack
Another application for the rate-limit command is a method to prevent DoS attacks, by controlling the bandwidth rate or limiting the connection rate of incoming traffic. If used properly, this command will reduce the impact of an attack on a vulnerable computer. It is most effectively used in conjunction with an Access Control List (ACL), a firewall, and an intrusion detection system (IDS). However it may be necessary to establish a traffic flow reporting baseline first.

Firewalls are a separate topic beyond the scope of the course, but I saw a practise quiz question ask about Cisco PIX firewalls.  A firewall is useful for infection containment during threat detection in the mitigation process by splitting the network into different security zones.

Configuration
The full description is found on the Cisco website in the set qos-group of commands, and I have the habit of taking a few notes down for myself. The usage:
rate-limit {input | output} [dscp dscp-value] [access-group [rate-limit] access-list] bps burst-normal burst-max conform-action [action you want] exceed-action [action you want]

To remove the command, use no in front of the whole configuration line.

rate-limit output access-group 100 192000 36000 72000 conform-action transmit exceed-action drop
rate-limit output access-group 101 800000 150000 300000 conform-action transmit exceed-action drop

Where access-list 100 is for office hours
access-list 101 is for off peak hours or after work hours

The three numbers indicating bit rates for the rate-limit command are listed in order. The bit rates to use can be calculated from the Excel bit rate calculator link below.
bps - average bit rate in increments of 8 kbps
burst-normal - average burst size in bytes. The minimum value is bps/ 200
burst-max - excess burst size in bytes

Specify a time-range, example if Office Hours were 8am to 4pm Zulu (you'll have to change your numbers to match your real office hours but Cisco uses the time settings in Zulu only. I don't actually work 8am to 4pm Zulu just makes it easy to write this time-range article). The question mark is a symbol that prompts the Cisco IOS to list follow on options you can use.

time-range OFF-PEAK-TIME-RANGE
periodic ?
list days of the week: Monday Tuesday Wednesday Thursday Friday Saturday Sunday
periodic Monday Tuesday Wednesday Thursday Friday ?
specify the time in zulu
periodic Monday Tuesday Wednesday Thursday Friday 16:00 to 23:59
periodic Tuesday Wednesday Thursday 0:00 to 7:59

time-range OFFICE-HOURS-TIME-RANGE
periodic Monday Tuesday Wednesday Thursday Friday  8:00 to 15:59
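The burst values in the rate-limit lines above follow a simple rule, and the time-ranges decide which access list is in force at a given moment. Here is an added Python example, not from the original post, that derives the burst sizes from the bps value and evaluates the post's two time-ranges; it assumes access lists 100 and 101 reference those time-ranges (the post does not show the access-list lines), and the function names are this example's own.

```python
"""Cisco CAR rate-limit sizing and time-range checks (added example).

Not from the original post.  Burst sizing follows the Cisco rule the post's
numbers match: burst-normal is 1.5 seconds of traffic at the configured rate
(bps / 8 * 1.5 bytes) and burst-max is twice that.  The time-range parser
handles only the "periodic <days> hh:mm to hh:mm" entries used in the post.
"""
from datetime import datetime, time
from typing import Optional

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
        "Saturday", "Sunday"]

# The two time-ranges exactly as the post writes them (no weekend entry).
OFF_PEAK = ["periodic Monday Tuesday Wednesday Thursday Friday 16:00 to 23:59",
            "periodic Tuesday Wednesday Thursday 0:00 to 7:59"]
OFFICE_HOURS = ["periodic Monday Tuesday Wednesday Thursday Friday 8:00 to 15:59"]


def car_bursts(bps: int) -> tuple:
    """Return (burst-normal, burst-max) in bytes for a rate in bits per second."""
    if bps <= 0 or bps % 8000:
        raise ValueError("rate-limit bps must be a positive multiple of 8 kbps")
    normal = bps // 8 * 3 // 2          # bytes carried in 1.5 s at this rate
    return normal, 2 * normal


def rate_limit_line(direction: str, acl: int, bps: int, exceed: str = "drop") -> str:
    """Build the rate-limit configuration line for an access-group."""
    normal, maximum = car_bursts(bps)
    return (f"rate-limit {direction} access-group {acl} {bps} {normal} {maximum} "
            f"conform-action transmit exceed-action {exceed}")


def _hhmm(text: str) -> time:
    hour, minute = (int(part) for part in text.split(":"))
    return time(hour, minute)


def parse_periodic(entry: str) -> tuple:
    """Parse 'periodic Day [Day ...] hh:mm to hh:mm' into (days, start, end)."""
    words = entry.split()
    if len(words) < 5 or words[0] != "periodic" or words[-2] != "to":
        raise ValueError(f"unsupported time-range entry: {entry!r}")
    days = set(words[1:-3])
    if not days <= set(DAYS):
        raise ValueError(f"unknown day name in {entry!r}")
    return days, _hhmm(words[-3]), _hhmm(words[-1])


def time_range_active(entries: list, when: datetime) -> bool:
    """True if any periodic entry covers the moment (router clock, i.e. Zulu)."""
    return any(DAYS[when.weekday()] in days and start <= when.time() <= end
               for days, start, end in map(parse_periodic, entries))


def applicable_acl(when: datetime) -> Optional[int]:
    """100 during office hours, 101 off-peak, None when neither range is
    active (assumption: the ACLs reference these time-ranges)."""
    if time_range_active(OFFICE_HOURS, when):
        return 100
    if time_range_active(OFF_PEAK, when):
        return 101
    return None


def acl_for(stamp: str) -> Optional[int]:
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' string."""
    return applicable_acl(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    print(rate_limit_line("output", 100, 192000))
    print(rate_limit_line("output", 101, 800000))
    for stamp in ("2012-01-25 10:00", "2012-01-25 17:30", "2012-01-28 12:00"):
        print(stamp, acl_for(stamp))
```

Weekend timestamps, and Monday or Friday before 08:00, fall outside both ranges as written, so neither access list matches and no rate-limit applies.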

My question is what happens with Saturday and Sunday? I've been just leaving it blank and assuming that goes full throttle. Never seen anything bad happen so I've been assuming it's working out ok.

Download your own Bit Rate Calculator here:
https://learningnetwork.cisco.com/docs/DOC-7874