Tuesday, February 7, 2012

Cisco ICND1 Flashcard: CDP Cisco Discovery Protocol

CDP is very useful for troubleshooting or verifying connectivity to directly connected devices. The physical media must support SNAP (Subnetwork Access Protocol). When you issue the cdp commands, the output gives a summary of the protocol and address information for the neighbouring Cisco devices, as well as their hardware and software information.

CDP is a Cisco proprietary, layer 2 only protocol for Ethernet and serial links.
Question: Note to self, what does this really mean? Devices connected on the Fast Ethernet and serial ports!
Answer: This means that it does not need a configured IP address (layer 3) to function.

usage: show cdp
This displays the global CDP settings such as the timers, which is perhaps not quite what you want.

Fields in the show cdp neighbors output
usage: show cdp neighbors
Device ID: the hostname of the directly attached device
Local interface: the local port on which the neighbor is directly connected
Hold time: how long the device will keep the CDP information before discarding it
Capability: identifies the neighbor as a router, switch, hub, repeater, etc.
Hardware platform: the Cisco series of the neighbor
Port ID: the port on the remote device that this device is attached to

The following commands give additional, more complete information about a neighbor; both display the same output.
usage: show cdp neighbors detail
usage: show cdp entry hostname

Issue the commands in Global Configuration mode
usage: show cdp ?
entry - gives information about a specific device
interface - displays the interfaces with CDP enabled and other parameters such as encapsulation, status and configuration
neighbors - CDP neighbor entries
traffic - CDP statistics

Configuring CDP with Security in Mind
usage: no cdp run - issue in global configuration mode to turn off CDP globally; prevents other CDP-capable devices from learning information about this device
usage: no cdp enable - disables CDP on a particular interface; it is recommended to turn off CDP on the interface facing the WAN side
usage: cdp enable - enables CDP on the interface
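As an added example (not from the original flashcard, and not a Cisco tool), the following Python script audits a constructed show running-config excerpt for the settings above. It treats CDP as advertising on an interface unless no cdp run appears globally or no cdp enable appears under that interface, and it lists the WAN-facing interfaces that still advertise. Identifying WAN-facing interfaces by the word WAN in their description is an assumption of this script, not something the device does.

```python
"""Audit a Cisco IOS running-config excerpt for CDP exposure.

Added example, not from the original flashcard. It parses a constructed
``show running-config`` excerpt and reports, per interface, whether CDP
is still advertising, following the flashcard's rules: ``no cdp run``
turns CDP off globally, ``no cdp enable`` turns it off on one interface.
"""
import re

# Constructed sample config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname RouterX
!
interface FastEthernet0/0
 description LAN - users
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0/0/0
 description WAN - link to ISP
 ip address 198.51.100.2 255.255.255.252
 encapsulation hdlc
!
interface Serial0/0/1
 description WAN - backup link
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
!
end
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")


def parse_interfaces(config_text):
    """Return {interface_name: [indented config lines]} from a running-config."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # left the interface block ('!', 'end', ...)
    return interfaces


def cdp_globally_enabled(config_text):
    """CDP runs globally unless 'no cdp run' appears at the top level."""
    return not any(l.strip() == "no cdp run" and not l.startswith(" ")
                   for l in config_text.splitlines())


def cdp_state(config_text):
    """Return {interface: True if CDP is still advertising on it}."""
    global_on = cdp_globally_enabled(config_text)
    return {
        name: global_on and "no cdp enable" not in lines
        for name, lines in parse_interfaces(config_text).items()
    }


def wan_interfaces_with_cdp(config_text):
    """Interfaces whose description mentions WAN (assumed convention) and still advertise CDP."""
    ifaces = parse_interfaces(config_text)
    state = cdp_state(config_text)
    return sorted(
        name for name, lines in ifaces.items()
        if state[name]
        and any(l.lower().startswith("description") and "wan" in l.lower()
                for l in lines)
    )


if __name__ == "__main__":
    for name, on in cdp_state(SAMPLE_CONFIG).items():
        print(f"{name:20} CDP {'ON' if on else 'off'}")
    print("WAN-facing interfaces still advertising CDP:",
          wan_interfaces_with_cdp(SAMPLE_CONFIG))
```

Run against the constructed config, Serial0/0/0 is reported as a WAN-facing interface still advertising CDP, while Serial0/0/1 (which has no cdp enable) is not; prepending a global no cdp run empties the report.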

Monday, February 6, 2012

IP Sec Basics and Encryption Algorithms

This article is created from my CCNA Bootcamp notes but the course outline indicates that this material may not be part of the ICND1 Exam. It's good background information nonetheless!

Cisco IP Security

IPsec is used for authentication and encryption of IP traffic. It is a tunnelling protocol that runs in transport mode, like a traditional VPN, or in tunnel mode as a secure hop between gateways. It works by using IKE (Internet Key Exchange) to agree on session parameters (encryption type, mode). Upon agreement, the tunnel is established and secure traffic can flow.

The Cisco IPsec feature operates at layer 3, the network layer. It is a framework of open standards for secure communications, protecting and authenticating IP packets between IPsec peers. IPsec can protect all application traffic because the protection covers layers 4 to 7 while the layer 3 header stays in plaintext. It works over all layer 2 protocols, such as Ethernet, ATM, Frame Relay, Synchronous Data Link Control (SDLC) and High-Level Data Link Control (HDLC).

IP Sec services include
  • Confidentiality by encryption
  • Data integrity
  • Authentication using preshared keys (PSK), digital certificates, Internet Key Exchange (IKE)
  • Anti-replay protection

NAT Traversal allows IP packets protected by IPsec to pass through a NAT. However, there is a known problem using NAT with VPN on Windows XP.



Summary of Encryption Standards
IPsec has three phases, each using different encryption standards:
  1. Setup
  2. Authentication of device/user
  3. Authentication of payload

Data Encryption Standard (DES) algorithm
- created by IBM
- based on a 56-bit key
- symmetric

Triple DES (3DES) algorithm
- variant of DES
- data is broken into three 64-bit blocks
- processes each block three times with a separate 56-bit key
- symmetric

Advanced Encryption Standard (AES)
- NIST has adopted AES to replace DES in cryptographic devices
- stronger than DES and computationally more efficient than 3DES
- three key lengths available: 128, 192 and 256-bit keys

Rivest, Shamir and Adleman (RSA)
- asymmetric
- uses key lengths of 512, 768, 1024 bits and larger
- not used in IPsec

MD5
- Message Digest 5 (MD5)
- a 128-bit shared key is combined with the message and run through the HMAC-MD5 hash
- outputs a 128-bit hash that is appended to the original message and forwarded on

Secure Hash Algorithm 1 (SHA-1)
- uses a 160-bit shared key
- takes a variable-length message and the 160-bit shared key, runs them through the HMAC-SHA1 hash algorithm to get a 160-bit hash
- appends the hash to the original message and forwards it to the remote end
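The HMAC-MD5 and HMAC-SHA1 steps above (combine the shared key with the message, append the resulting hash, recompute and compare at the remote end), as an added Python example that is not part of the original notes. The shared keys and payload are constructed sample values; the sender/receiver functions are illustrative, not an IPsec implementation.

```python
"""HMAC-MD5 / HMAC-SHA1 integrity tag as described for IPsec.

Added example, not from the original notes. The sender appends
HMAC(shared_key, message) to the message; the receiver recomputes the
tag with the same shared key and rejects anything that does not match,
which is what gives data integrity and origin authentication.
"""
import hashlib
import hmac

# Digest sizes: MD5 gives 128 bits, SHA-1 gives 160 bits.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def protect(message: bytes, shared_key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: return message || HMAC tag, ready to forward."""
    tag = hmac.new(shared_key, message, ALGORITHMS[algo]).digest()
    return message + tag


def verify(packet: bytes, shared_key: bytes, algo: str = "sha1"):
    """Receiver side: split packet into (message, ok); ok is False on any tampering."""
    tag_len = ALGORITHMS[algo]().digest_size
    if len(packet) < tag_len:
        return b"", False
    message, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(shared_key, message, ALGORITHMS[algo]).digest()
    # compare_digest avoids leaking where the comparison failed via timing
    return message, hmac.compare_digest(tag, expected)


def tag_bits(algo: str) -> int:
    """Length of the appended hash in bits (128 for MD5, 160 for SHA-1)."""
    return ALGORITHMS[algo]().digest_size * 8


if __name__ == "__main__":
    key = b"0123456789abcdef"            # constructed 128-bit shared key
    pkt = protect(b"ip payload: GET /status", key, "md5")
    print("untouched packet:", verify(pkt, key, "md5"))
    tampered = bytearray(pkt)
    tampered[3] ^= 0x01                  # flip one bit in the payload
    print("tampered packet: ", verify(bytes(tampered), key, "md5"))
```

Flipping a single payload bit, or using a different key on the receiving side, makes the recomputed tag differ and the packet is rejected, while the payload itself is still sent in the clear (this is integrity, not confidentiality, which is the AH case described below).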




Symmetric Encryption - the same key is used for encryption and decryption; the same key is configured on both computers (sender and receiver)
Asymmetric Encryption - one key to encrypt, another key to decrypt

Public key encryption
- a variant of asymmetric encryption
- the recipient gives their public key to the sender
- the sender uses their private key and the recipient's public key to encrypt the message
- the sender shares their public key with the recipient
- to decrypt the message, the recipient uses the sender's public key and their own private key

There are two main IPsec frameworks:
Authentication Header (AH)
- provides data authentication and integrity for IP packets
- used when confidentiality is not required or not possible
- text is transmitted in the clear
Encapsulating Security Payload (ESP)
- provides confidentiality and authentication by encrypting the IP packet, concealing the data and the source/destination
- ESP authenticates the inner IP packet and the ESP header

Sunday, February 5, 2012

Cisco ICND1 Flashcard: Static Routing

Use of Static Routes
When the network is small and there are few routers, a network administrator can program static routes to set the path from one LAN to another. In a small network this also gives more security, because routing table updates don't have to be sent over the network periodically; things won't change!

usage: ip route destination-network-address remote-network-subnet-mask {next-hop-router-ip-address | exit-interface}

Default Static Route
A default static route allows a stub network to reach all known networks beyond the next-hop router. It is useful when the route from source to destination is not known or there are just too many routers to name. This is the perfect setting for the edge router of a company reaching out to the ISP network.
conf t
usage: ip route 0.0.0.0 0.0.0.0 {next-hop-ip-address | exit-interface}
This can be thought of as the gateway of last resort.

Dynamic Routes
Dynamic routing uses routes that a routing protocol adjusts automatically for topology or traffic changes. The protocols include IGRP, RIP, EIGRP, OSPF and EGP, to name a few.
Confirm, but I believe you use the command router rip to configure the routing protocol, just like that.

Verify the Routes
usage: show ip route
The output lists the path to each network the router knows, identifying a static route with S together with its exit interface, or a directly connected network with C. The reason it lists the exit interface rather than the next-hop router IP address is to supply the maximum information in a single lookup.

Cisco ICND1 Flashcard: WAN Protocols and Serial Encapsulation, PPP, HDLC

The Usual Scenario that describes most WANs
Use serial point to point connection to connect the LAN to service provider WAN
Have serial point to point connections within the LAN
Use Circuit Switching technology (ICND1 Topic)

ICND2: Packet Switching in Frame Relay and ATM

The telco provides clocking for the CSU/DSU. The DCE provides clocking (set the clock rate command there), while the receiving device, say the customer's router, is a DTE.

What is a T1
T1: 24 DS0s, each 64 kbps
1 DS0 is the bandwidth required for an uncompressed, digitized phone call
A point-to-point leased line's bandwidth is specified by a DS number (DS0, DS1, etc.)

T1: 1.544 Mbps, 24 DS0s at 64 kbps each, plus 8 kbps overhead
E1: 2.048 Mbps, 32 DS0 channels of 64 kbps

Circuit Switching
A dedicated path is established, maintained and terminated through a carrier network for each session.
Circuit switching therefore creates a dedicated physical connection running PPP or HDLC at layer 2. Most likely this will be a leased line of fixed capacity, dedicated to the WAN connection. The point-to-point serial line forms a pre-established WAN communications path.

HOW TO Configure a Serial Interface
The serial interface connects the router across the WAN to routers at a remote site.

conf t
interface serial 0/0/0
bandwidth 64
clock rate 64000
encapsulation hdlc
no shutdown

Notes: by default Cisco devices are DTE devices but may be configured as DCE
bandwidth: the metric used by the IGRP routing protocol
clock rate: sets the clock rate on DCE interfaces in bps; possible values include 1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000, 125000, to name a few, and 4000000


To configure the clock rate for the hardware connections on serial interfaces, use the clock rate interface configuration command. Use the no form to remove the clock rate if you change the interface from a DCE to a DTE device. Using the no form of this command on a DCE interface sets the clock rate to the hardware-dependent default value.

clock rate bps
no clock rate

The default value could be no clock rate configured, or on a serial interface card I plugged in, it was 2000000 bps.

Clock rate vs Bandwidth
My summary taken from cisco discussion pages on this subject.

Take the example of a simple serial PPP link: on the DCE side of the circuit (that would be the internal part connecting to the CPE of the service provider) put "clock rate 64000". Depending on the IOS version, on the DTE side you may be able to see this with "show controllers (intf) | include clock", which reveals the actual tx/rx clock. The clock rate is required to match the clocks of the receiver and transmitter on the remote and local routers: the two routers need to sync up their clocks in order to decode the packets arriving on their interfaces.

Then on the DTE side, look at "show interface (intf) | include BW": the regular serial link shows 1544K even though it is only physically possible to send 64K. By default, routers have no mechanism to detect the actual bandwidth of a serial line and it is set to a default value of 1.544 Mbps. If there is one 64K serial line and another T1 line on the same router and the bandwidth value on the 64K serial line is not changed, the router will treat both as T1 lines. The bandwidth command is a way to tell the router that it is a slower link so that routing metrics are computed accurately.

This bandwidth command tells IOS how to perceive the speed of any particular interface in order to manipulate routing metrics (EIGRP, OSPF); note that the bandwidth command doesn't physically change the speed of an interface like the clock rate command does.

Other commands
show controller serial 1/0, displays information about the physical interface, including clock rate
show interface

HDLC - High Level Data Link Control protocol
HDLC is one of the two major data-link protocols and is the encapsulation method for data on synchronous serial links. Error checking is built in: it enables flow control and error checking using acknowledgements, control characters and a checksum. However, HDLC is not compatible between different vendors. Remember, it uses a frame delimiter to mark the start and end of each frame.

HDLC has a type field that may not be compatible with equipment from other vendors.

Cisco HDLC
Cisco HDLC is a data-link protocol for point-to-point WAN connections and the default encapsulation for serial lines. There is no windowing and no flow control; it is point-to-point only. Some Cisco extensions allowed multiprotocol support before PPP was specified.
* will not interoperate with other HDLC implementations
* use PPP when interoperability is required, for example if a Nortel device and a Cisco device were connecting

ISDN
Different ISDN services, voice and data, can run over existing telephone lines. The BRI (Basic Rate Interface) uses two B channels (64 kbps each, which may be combined) and one D channel (16 kbps). B stands for bearer, carrying voice and data; the D channel carries call signalling or clocking.

An ISDN interface can run these protocols:
E protocols for ISDN on existing telephone network.
I protocols for concepts, terminology and services.
Q protocols refer to switching and signaling.

A Service Provider may use Signaling System 7 (SS7) between the two switches—the same protocol used inside phone company networks to set up circuits for phone calls.  ISDN PRI in North America is like a digital T1 circuit

ISDN BRI and PRI Reference Point Diagrams

PPP
Point to Point protocol is a data-link protocol, provides router to router and host to network connections over both synchronous and asynchronous circuits. So, it transports Layer 3 packets across the data-link layer. PPP can be applied to these physical interfaces:
1) asynchronous connection - think of a dial up connection
2) synchronous connection - think of a leased line, like ISDN media
3) High Speed Serial Interface HSSI

Features not available in HDLC but found in PPP:
1) a link quality management feature to monitor the quality of the link; if too many errors are detected, PPP takes down the link
2) support for Password Authentication Protocol (PAP) and CHAP (a three-way handshake using a hash)

Three phases of PPP
PPP is a method for encapsulating multiprotocol datagrams. Its phases:
* Link establishment phase - LCP, the extensible Link Control Protocol, establishes, configures and tests the WAN link
* Authentication phase - optional (choose PAP or CHAP)
* Network layer protocol phase - NCP, the Network Control Protocol, establishes and configures different network layer protocols, for example IPCP, AppleTalk Control Protocol, Novell IPX Control Protocol, Cisco Systems CP, Systems Network Architecture (SNA) CP, Compression CP

Main components:
EIA/TIA-232-C - the connector, a physical layer standard for serial communications
HDLC - High-Level Data Link Control, for encapsulating datagrams over serial links
LCP - negotiates, maintains and terminates the link
NCP - encapsulates traffic for multiple network layer protocols

LCP configuration options
Authentication - identifying the sender, PAP or CHAP
Compression - Cisco uses Stacker and Predictor compression methods
Error Detection - Quality and Magic Numbers
Multilink - splits the load over two or more parallel circuits, or a bundle

PAP
- Password Authentication Protocol; passwords are sent in cleartext, and PAP authenticates only at initial link establishment

CHAP
- Challenge Handshake Authentication Protocol; used at the initial startup of the link and at periodic check-up times to make sure the router is still communicating with the same host. The router sends a challenge to the remote device and expects a value calculated with the one-way hash function MD5. If the values don't match, the link is terminated.
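The CHAP exchange described above, as an added Python example that is not part of the original flashcard and does not model IOS itself: the router (authenticator) sends a random challenge, the remote device answers with an MD5 value computed over the shared secret, and the router recomputes and compares. The response formula, MD5 over identifier, secret and challenge, is the one in RFC 1994; the router names and the secret B007! are the page's sample values, and the class names are this example's own.

```python
"""CHAP three-way handshake: challenge, response, success/failure.

Added example, not from the original notes. Both sides are modelled in
one process. The shared secret never crosses the link; only the random
challenge and the MD5 value do, which is why CHAP is preferred over PAP
(whose password travels in cleartext). Per RFC 1994 the response value is
MD5(identifier || secret || challenge).
"""
import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value field of a CHAP Response packet (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router holding 'username <peer> password <secret>' entries."""

    def __init__(self, user_db: dict):
        self.user_db = user_db          # peer name -> shared secret
        self.identifier = 0
        self.current = b""              # challenge currently outstanding

    def challenge(self):
        """Step 1: send (identifier, random challenge) to the peer."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.current = secrets.token_bytes(16)
        return self.identifier, self.current

    def check(self, identifier: int, name: bytes, value: bytes) -> bool:
        """Step 3: Success only if the peer's value matches our own computation
        for the challenge that is currently outstanding (a replayed response
        against an old challenge therefore fails)."""
        if identifier != self.identifier or name not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[name], self.current)
        return secrets.compare_digest(value, expected)


class Peer:
    """The remote router answering challenges with its configured secret."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: reply with (identifier, name, MD5 value)."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """Drive one complete challenge/response/verify round; True on success."""
    ident, chal = auth.challenge()
    return auth.check(*peer.respond(ident, chal))


if __name__ == "__main__":
    router_x = Authenticator({b"RouterY": b"B007!"})
    print("matching secret:", run_handshake(router_x, Peer(b"RouterY", b"B007!")))
    print("wrong secret:   ", run_handshake(router_x, Peer(b"RouterY", b"wrong")))
```

Because every round uses a fresh random challenge, a captured response is useless against the next challenge, which is also what lets the router re-authenticate periodically as the flashcard says.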

Configuring PPP and authentication
* hostname RouterX, assign a hostname to the local router
* username RouterY password B007!, identify the username (RouterY) and password of the remote router
* conf t, then go to the serial interface in question
* encapsulation ppp, enable PPP encapsulation
* ppp authentication chap, enable CHAP authentication (or use pap instead)

Sample configuration
conf t
int s0
encapsulation ppp

conf t
hostname routerX
username routerY password B007!!
int s0
encapsulation ppp
ppp authentication chap
(or ppp authentication pap)

The username entry uses the password form rather than secret because CHAP needs the router to compute the MD5 hash over the shared secret itself, and the same password must be configured on routerY for routerX.

Verify
debug ppp authentication
show interfaces
show interface serial
show interface s0