
CISCO INITIAL SETUP
put some name
create a vlan interface 1
assign an IP and default gateway
show version command
mode
global config

SECURITY
telnet is bad
line console 0 configuration
"enable password cisco" -- bad
"enable secret cisco1" -- good
"line console 0"
"login"
"line vty 0 4" - telnet
"login"
"password cisco2"
"service password-encryption"
login banners
"banner motd ( do not log on ("
insert username
"username faambito password faambito"
insert domain
"ip domain-name kiko.com"
encryption
"crypto key generate rsa"
"1024"
"ip ssh version 2"
"line vty 0 4"
"transport input telnet ssh"

"sh port-security" - show all status

LAN OPTIMIZING AND TROUBLESHOOTING
Configuration of speed and duplex
"conf t"
"int fa0/2"
"duplex half"
"speed 10"
"logging synchronous" - cleaner typing of commands
"exec-timeout 30 0" - 30 mins idle timer
"no ip domain-lookup" - no domain lookup, saves time
"sh ip int brief" - long, but we can create aliases
"alias exec s show ip int brief"
"alias exec save copy run start"

SPANNING TREE PROTOCOL
turn the redundancy on/off when needed
broadcast storm

3 IMPORTANT COMMANDS
sh ip int brief
sh int
sh run

sh ip int brief / sh int - what to look at:
reliability 255/255 - good
input / output rate - # of activity sent
broadcasts received
runts - small packets, giants - big packets
throttles - bad things
CRC - interference
collisions
late collisions - more than 100 m cable
PORT SECURITY
"sh ip int brief"
"terminal monitor"
"sh mac address-table"
setting one mac address to one port:
"conf t"
"int fa0/5"
"switchport mode access" - enable port access
"switchport port-security maximum 1"
"switchport port-security violation ?"
  restrict - ignore and log
  protect - ignore
  shutdown - good, turns the port off
"switchport port-security mac-address <mac address>"
sticky - copy the last mac address
"do sh run int fa0/5" - any mode
"sh port-security int fa0/5" - show the status

WIRELESS
CSMA/CA - collision avoidance
unlicensed frequencies
900-928 MHz range - 902-928
2.4 GHz: 2.400-2.483
5 GHz: 5.150 to 5.350
802.11 lineup
802.11b - 3 clean channels, 11 Mbps
802.11g - 3 clean channels, 54 Mbps, compatible with B
802.11a - not compatible with 802.11b, 54 Mbps, 12 to 23 clean channels
not compatible with A
802.11n - MIMO, multiple input multiple output
channels - range of frequency
ITU-R - International Telecommunication Union - Radiocommunication Sector
IEEE - Institute of Electrical and Electronics Engineers
Wi-Fi Alliance - certified interoperability
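The three violation modes above are easy to mix up. The following Python model is an added example, not part of these notes and not Cisco code: it assumes one port configured with maximum 1 and sticky learning, replays four constructed frames against each mode, and shows what a frame from a second MAC gets (silently dropped, dropped and logged, or the whole port err-disabled). Port, MAC and log text are constructed for the demo, not real IOS output.

```python
"""Port-security violation modes (added example, not from the notes).

Models the behaviour described above for one access port:
  switchport port-security maximum N           -> `maximum`
  switchport port-security mac-address <mac>   -> add_static()
  switchport port-security mac-address sticky  -> `sticky` flag on learned MACs
  switchport port-security violation protect|restrict|shutdown
All MACs, frames and log lines are constructed for the demo.
"""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = False
    allowed: set = field(default_factory=set)   # static + learned source MACs
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def add_static(self, mac):
        self.allowed.add(mac.lower())

    def receive(self, src_mac):
        """Handle one ingress frame: 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"          # port stays down until it is reset
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)      # dynamic learning; sticky would also write it to running-config
            self.log.append(f"{self.name}: learned {src_mac}" + (" (sticky)" if self.sticky else ""))
            return "forward"
        # Unknown MAC and the table is full: a violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                  # silently ignore
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation from {src_mac} (counted and logged)")
            return "drop"
        self.err_disabled = True           # shutdown: port goes err-disabled
        self.log.append(f"{self.name}: err-disabled after violation from {src_mac}")
        return "err-disabled"

def run_scenario(mode):
    """Same four constructed frames against one mode; returns (verdicts, port)."""
    port = SecurePort("Fa0/5", maximum=1, violation=mode, sticky=True)
    frames = ["00aa.bb00.0001", "00aa.bb00.0001", "00aa.bb00.0002", "00aa.bb00.0001"]
    return [port.receive(m) for m in frames], port

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        verdicts, port = run_scenario(mode)
        print(f"{mode:8} {verdicts}  violations={port.violations}")
        for line in port.log:
            print("   ", line)
```

Note that in protect and restrict mode the first, legitimate MAC keeps forwarding after the violation; only shutdown takes the port (and that host) offline, which is why the notes call it "good" for a port that should never see a second device.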
SECURITY THREATS
wardriving
hackers
employees

SECURITY TYPES
authentication
encryption
intrusion prevention system
pre-shared key - WEP
pre-shared key - WPA - TKIP
WPA and 802.1x authentication
WPA2 - 802.11i - AES, new hardware
SSID - Service Set Identifier
WAP - repeater
BSS - single service set
ESS - extended service set, 2 or more

default route (internet)
#ip route 0.0.0.0 0.0.0.0 68.110.171.97
#ip name-server 4.2.2.2 - get them

TYPES OF ROUTING PROTOCOLS
Distance Vector
  easy to configure
  not many features
  RIP, IGRP
Link State
  difficult to configure
  feature-riffic
  OSPF, IS-IS
Hybrid
  "the best of both worlds"
  proprietary
  EIGRP
ROUTER
WORKING WITH BINARY -- done
SUBNETTING -- done

SDM - Security Device Manager
Steps:
1. Generate encryption keys (SSH and HTTPS)
   #ip domain-name kiko.com
   #crypto key generate rsa general-keys
2. Turn on the HTTP/HTTPS servers for your router
   #ip http server
   #ip http secure-server
3. Create a privilege level 15 user account
   #username Jeremy privilege 15 password cisco
   #username Jeremy privilege 15 secret cisco
4. Configure your VTY and HTTP access ports for privilege level 15 and to use the local DB
   #ip http authentication local
   #line vty 0 4
   #transport input telnet ssh
   #transport input all
   #login local
5. Install Java on the PC and access the router using a web browser.
#ip dhcp binding

RIP - 1969
RIP v1
  classful - advertises the network but not the mask
  does not support VLSM
  no authentication
  uses broadcast
RIP v2
  classless (supports VLSM)
  adds authentication
  uses multicast
A. Turn on RIP (global configuration)
B. Change version
C. Enter the network statement
#router rip
#version 2
#network 192.168.1.0 - tells RIP what network to advertise
#no auto-summary

NAT
PAT - Port Address Translation
NAT - Network Address Translation
Static NAT - email
SDM NAT - NAT overload

WAN
HDLC - Layer 2 - High-level Data Link Control
PPP - Point-to-Point Protocol
#encapsulation hdlc
ROUTING
Static route
#ip route 192.168.3.0 255.255.255.0 192.168.2.2

STYLES OF WAN CONNECTION
Leased lines: dedicated bandwidth
  -T1, CAS
  -E1, CAS
Circuit switched: on-demand bandwidth between locations
  -Dial-up modems
  -ISDN
Packet switched: shared, but guaranteed, bandwidth between locations
  -Frame Relay
  -ATM
Physical connection
  WIC - WAN interface card
  Serial V.35
  CSU/DSU
  or T1 card WIC-T1-DSU
  DTE and DCE cable - simulates a T1 link
  #sh controllers s0/1/0 - shows the clock rate (speed)

VTP MODES
SERVER - default; saves vlan info; sends and receives updates; power to change vlan config
CLIENT - cannot change vlan info; sends and receives updates; does not have vlan config
TRANSPARENT - power to change vlan info; forwards (passes through); does not listen to VTP advertisements; saves vlan configurations

CONFIGURATION OF TRUNKS (802.1Q trunking)
#show running-config int fa0/11
switchport mode dynamic desirable
#switchport mode access -- for PCs
#switchport mode trunk -- for trunking
- has error
#switchport trunk encapsulation dot1q - eliminates the error

MANAGEMENT AND SECURITY
telnet and ssh sessions
Ctrl+Shift+6, X - suspend the telnet or SSH session to go to many routers
show sessions
show session
resume 1
enter key - go to the most recent session
disconnect
disconnect session
clear line (x)
clear line 66 - disconnects users

CONFIGURATION OF VTP
#sh vtp status
  -running version
  -revision
  -domain
  -vlans supported
  -pruning
#vtp domain NUGGETWORLD - case sensitive
#vtp mode
  server
  client
  transparent
CDP - Cisco Discovery Protocol
#sh cdp neighbors
#sh cdp entry R3 or #sh cdp entry *
#sh cdp neighbors detail
#no cdp enable - disable cdp on the interface - for internet
#no cdp run - no cdp on all interfaces

BACKUP FILE USING TFTP
#copy tftp start - copying file to NVRAM
  ip address
  file name
#copy running-config tftp
  host
  r2-config (name)
#copy flash tftp
or
#copy flash:name.bin tftp://192.168.1.1/name
#boot system tftp://192.168.1.1/name.bin - booting from tftp

VTP and VLAN

CONFIGURATION OF VLAN
#vlan 10
#name SALES
#switchport mode access
#switchport access vlan 10

ROUTING IN VLAN
1. Separate port to each vlan
2. Router on a stick - uses a trunk - uses sub-interfaces, using a regular switch
   #int fa0/0.20
   #encapsulation dot1q 20
   #ip address 192.168.20.1 255.255.255.0
3. Layer 3 switching
   #int vlan 20
   #ip address 192.168.20.1 255.255.255.0
   #ip routing - routing capabilities turned on
   put a static route:
   #ip route 192.168.20.0 255.255.255.0 192.168.1.2
#spanning-tree mode rapid-pvst - open to all switches
STP
Spanning Tree Protocol - 802.1D - prevents loops
Layered approach - best for growth, redundancy
BPDU - sends a probe to elect the root bridge
Three port types
  Root port: used to reach the root bridge
  Designated port: forwarding port, one per link
  Blocking / non-designated port: where the tree falls.
32768 - all have this priority
lower is better - elected as root bridge
breaking the tie using the MAC address

How STP finds the best path
Step 1: Elect the root
Step 2: Switches find the lowest cost path to the root
Link bandwidth - cost
  10 Mbps   100
  100 Mbps  19
  1 Gbps    4
  10 Gbps   2

Configurations
#spanning-tree vlan 1 root primary
or
#spanning-tree vlan 1 root secondary
or
#spanning-tree vlan 1 priority 0 (or in steps of + 4096)
30 seconds of downtime (listening - learning)

STP ENHANCEMENTS
PORTFAST
#spanning-tree portfast - disables the STP port transitioning process on a specific port, but can cause loops, use with caution
LISTENING mode - 15 secs, BPDUs
LEARNING mode - 15 secs, learning MAC addresses
FORWARDING
BLOCKING - 20 seconds
50 seconds downtime
Initial enhancement: PVST+
  runs an instance of STP per vlan
  allows different root bridges per vlan
  #spanning-tree vlan 1,10,20,30 root primary

TROUBLESHOOTING
1. Get familiar with the network
2. Have an accurate network diagram
3. Work logically from the bottom up (OSI)
COMMON ISSUES
Port issues
  cabling
  duplex - half or full
  vlan
STP
  root bridge
  rstp
  links reflected in the network diagram
  disconnect redundant links
Vlan and trunking
  native vlan mismatch
  hard-code the trunk port to on
  ip address assignment in a vlan
  ping and traceroute
VTP
  verify trunks
  verify VTP information: name, password, version, modes
  last resort: delete flash:vlan.dat and reconfigure

SWITCH SECURITY IS ESSENTIAL
Most security focus is around the network perimeter
Switch security checklist
  physical security
  password and logon password
  disable the web features
    #no ip http server
  limit remote access subnets (access list)
  use SSH whenever possible
  configure logging
    #logging buffered 6400
    #sh log
  limit CDP reach
    #no cdp run
    #no cdp enable -- per port
  use BPDU Guard on portfast ports
    #spanning-tree bpduguard enable
    #spanning-tree bpdufilter enable -- dangerous, turns off BPDUs
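As an added example (not from the notes and not Cisco code), the election and path-cost rules above can be checked in Python: three constructed switches at the default priority 32768, the 802.1D cost table the notes list, and the effect of spanning-tree vlan 1 root primary modelled as lowering one switch's priority (24576 is the value assumed here for that command when the current root sits at the default). Switch names, MACs and links are constructed.

```python
"""STP root election and root path cost (added example, not from the notes).

Rules used, as in the notes: every switch starts at priority 32768, the lowest
bridge ID (priority first, MAC as the tie-breaker) becomes root, and each
switch takes the lowest-cost path to the root with the 802.1D port costs
10 Mbps=100, 100 Mbps=19, 1 Gbps=4, 10 Gbps=2. Topology is constructed.
"""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> cost

def bridge_id(priority, mac):
    """Bridge ID compares priority first, then MAC; lower wins."""
    return (priority, mac.lower())

def elect_root(switches):
    """switches: {name: (priority, mac)}; returns the name with the lowest bridge ID."""
    return min(switches, key=lambda s: bridge_id(*switches[s]))

def root_path_costs(root, links):
    """Dijkstra over link costs. links: [(switch_a, switch_b, speed_mbps), ...].
    Returns {switch: cost of its best path to the root}."""
    graph = {}
    for a, b, speed in links:
        cost = PORT_COST[speed]
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                       # stale entry
        for nxt, c in graph.get(node, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (best[nxt], nxt))
    return best

def with_root_primary(switches, name, priority=24576):
    """Model 'spanning-tree vlan 1 root primary': lower one switch's priority (24576 assumed)."""
    out = dict(switches)
    out[name] = (priority, switches[name][1])
    return out

# Constructed topology: three switches, default priority, one redundant link.
SWITCHES = {
    "SW1": (32768, "0011.2233.4455"),
    "SW2": (32768, "0011.2233.0001"),   # lowest MAC: wins the tie at default priority
    "SW3": (32768, "0011.2233.9999"),
}
LINKS = [("SW1", "SW2", 100), ("SW2", "SW3", 100), ("SW1", "SW3", 1000)]

if __name__ == "__main__":
    root = elect_root(SWITCHES)
    print("root by MAC tie-break:", root, root_path_costs(root, LINKS))
    forced = with_root_primary(SWITCHES, "SW1")
    root = elect_root(forced)
    print("after root primary on SW1:", root, root_path_costs(root, LINKS))
```

With everything at the default priority the oldest (lowest-MAC) switch wins, which is usually not the switch you want at the top of the tree; forcing SW1 as root also changes which links carry traffic, because SW3 now prefers its 1 Gbps link (cost 4) over the two 100 Mbps hops (cost 38).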
Ultimate enhancement - RSTP - R = rapid
802.1w
proactive system
redefined port roles
many STP similarities

VLSM - Variable Length Subnet Mask
Change the subnet mask whenever, wherever in the network
most efficient addressing possible
20 users  192.168.1.96-127  /27
20 users  192.168.1.64-95   /27
60 users  192.168.1.0-63    /26
links     192.168.1.128-131 /30
          192.168.1.132-135 /30
          192.168.1.136-139 /30
192.168.0.0 /20 is the summary
Uses classless protocols: RIP v2, EIGRP, OSPF, IS-IS
don't use RIP v1, IGRP

TERMS AND NETWORK DESIGN
All areas must connect to Area 0
All routers in an area have the same topology table
Goal: localize updates within the area
Requires a hierarchical design
DISTANCE VECTOR vs LINK STATE
Distance vector routing protocols
Distance vector loop prevention mechanisms
Understanding link state routing protocols

DISTANCE VECTOR
Have looping issues - routing to infinity
broadcast every 30 secs
LOOP PREVENTION MECHANISMS
1. Maximum distance
2. Route poisoning
3. Triggered updates
4. Split horizon
5. Hold-down timers

LINK STATE ROUTING PROTOCOLS
only the neighbors know, rather than broadcast
send only small, event-based updates
currently two LS protocols
- OSPF
- IS-IS
Advantages - faster to converge / solve problems
  no routing loops
  design your network correctly
Disadvantages
  demand router resources
  solid network design
  technical complexity

AREA - specific group of routers (ABR - area border routers)
Forming neighbors
  Hello messages sent only on chosen interfaces
  every 10 seconds on broadcast / point-to-point networks
  once every 30 seconds on NBMA networks
  Contains all information:
    Router ID
    Hello and dead timers
    Network mask
    Area ID
    Neighbors
    Router priority
    DR/BDR IP address
    Authentication password
General syntax
R1
#sh ip protocols
#router ospf 1 (process ID)
#default-information originate - R2 accesses the internet
#network 192.168.1.0 0.0.0.255 area 0 (wildcard bits)
or
#network 192.168.1.1 0.0.0.0 area 0
#sh ip ospf neighbor
OSPF
Optimization at its best: route summarization
OSPF - terms and network design
OSPF - hello packet

R2
#router ospf 1
#network 192.168.0.0 0.0.255.255 area 0
#show ip ospf neighbor
R3
#router ospf 1
#network 192.168.0.0 0.0.255.255 area 0

ROUTE SUMMARIZATION
Larger routing tables - slower router
192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168....
192.168.15.0 /24

192.168.00000000.00000000 - 0
192.168.00000001.00000000 - 1
192.168.00000010.00000000 - 2
192.168.00000011.00000000 - 3
...
192.168.00001111.00000000 - 15

R3 Area 1
172.30.0.0
172.30.1.0
172.30.2.0
...
172.30.7.0
255.255.255.255
summary is 172.30.0.0 255.255.248.0
wildcard bits are 172.30.0.0 0.0.7.255
ABR
#router ospf 1
#network 172.30.0.0 0.0.7.255 area 1
#area 1 range 172.30.0.0 255.255.248.0
#sh ip route
172.30.0.0 255.255.248.0
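Both calculations in these notes, the VLSM carve-up of 192.168.1.0/24 (60, 20, 20 users plus three /30 links) and the summarization of 172.30.0.0 - 172.30.7.0 (and of 192.168.0.0 - 192.168.15.0 to a /20), can be reproduced with Python's standard ipaddress module. This block is an added example, not from the notes; vlsm_allocate, summarize, wildcard and binary_third_octet are names chosen here, and the functions generalize the notes' two cases to any block, host list or set of networks.

```python
"""VLSM allocation and route summarization (added example, not from the notes).

Standard-library reproduction of the two worked calculations in the notes,
generalized to any block / host counts / network list:
  - VLSM: carve 192.168.1.0/24 for 60, 20, 20 users plus three /30 links
  - summary: 172.30.0.0 .. 172.30.7.0  -> 172.30.0.0 255.255.248.0 (wildcard 0.0.7.255)
             192.168.0.0 .. 192.168.15.0 -> 192.168.0.0/20
"""
import ipaddress

def vlsm_allocate(block, host_counts, link_count):
    """Largest subnets first, each taken from the next free address of `block`.
    Returns [(label, IPv4Network), ...]; raises ValueError if the block runs out."""
    net = ipaddress.ip_network(block)
    wants = [(f"{n} users", n + 2) for n in sorted(host_counts, reverse=True)]  # +2: network + broadcast
    wants += [("link", 4)] * link_count                                           # /30 = 2 usable hosts
    cursor = int(net.network_address)
    result = []
    for label, size in wants:
        prefix = 32 - (size - 1).bit_length()      # smallest prefix whose block holds `size` addresses
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(net):
            raise ValueError(f"{block} exhausted at {label}")
        result.append((label, subnet))
        cursor += subnet.num_addresses
    return result

def summarize(networks):
    """Smallest single prefix that contains every network given (the route summary)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()           # widen by one bit until everything fits
    return summary

def wildcard(network):
    """OSPF 'network' statement / ACL wildcard: the inverse of the subnet mask."""
    return str(network.hostmask)

def binary_third_octet(networks):
    """The notes' binary view: third octet of each /24, to see which bits stay fixed."""
    return [format((int(ipaddress.ip_network(n).network_address) >> 8) & 0xFF, "08b") for n in networks]

if __name__ == "__main__":
    for label, subnet in vlsm_allocate("192.168.1.0/24", [60, 20, 20], 3):
        print(f"{label:9} {subnet}  usable hosts: {subnet.num_addresses - 2}")
    area1 = [f"172.30.{i}.0/24" for i in range(8)]
    s = summarize(area1)
    print("area 1 range", s.network_address, s.netmask, "wildcard", wildcard(s))
    print("third octets:", binary_third_octet(area1))
    print("summary of 192.168.0.0-15.0:", summarize([f"192.168.{i}.0/24" for i in range(16)]))
```

The binary view shows why the summary mask is 255.255.248.0: the third octets 00000000 through 00000111 share their top five bits, so 16 + 5 = 21 bits are fixed and the ABR advertises one /21 instead of eight /24s.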
ROUTER ID
Identifies the router to OSPF neighbors
Highest physical interface at start up
Loopback interfaces beat physical
New router-id command beats all
R3
#router ospf 1
#router-id 3.3.3.3 - router ID command
#clear ip ospf process - restart of the OSPF process

Troubleshooting
#sh ip protocols
#sh ip ospf neighbor
#debug ip ospf adj

Null 0 - means no packet received, throw it away

EIGRP - Configuration and verification
#sh ip eigrp neighbors
R1
#router eigrp 10
#network 192.168.1.0 0.0.0.255
R2
#router eigrp 10
#network 192.168.0.0 0.0.255.255
R3
#router eigrp 10
#network 192.168.0.0 0.0.255.255
#network 172.30.0.0 0.0.255.255
Check for (OSPF neighbors)
  Hello and dead timers
  Network mask
  Area ID
  Authentication password

EIGRP
The good, the bad and the proprietary
  Backup routes (fast convergence / DUAL)
  Simple configuration
  Flexibility in summarization
  Unequal cost load balancing
  Combines the best of distance vector and link state
  Supports multiple network protocols
Tables and terminology
A router running EIGRP maintains three tables:
  Neighbor table
  Topology table
  Routing table

ACCESS LIST
Permit and deny
  specific host
  network
  TCP port
Can be used for:
  access control
  NAT
  quality of service
  demand dial routing
  policy routing
  route filtering
Adding access list capabilities
Standard
  matches based on source address
  lower processor utilization
  effect depends on application
Extended
  matches based on source/destination address, protocol, source/destination port number
  higher processor utilization
  syntax takes time to learn
Understanding the EIGRP auto summary
Command line for terminating auto summarization
#router eigrp 10
#no auto-summary
Manual summary
#conf t
#int s0/0
#ip summary-address eigrp 10 <summary address> <mask>

Dynamic
Established (reflexive) - allows return traffic for internal requests
Time-based
Context-based access control

Configuration - Standard (0-99)
#access-list 1 deny 192.168.5.100 0.0.255.255
#access-list 1 permit 192.168.5.0 0.0.0.255
#do sho access-list
#int s0/0
#ip access-group 1 in

Samples - VTY (100-199)
R1
#access-list 70 remark THIS WILL DENY HOST A TO TELNET R1
#access-list 70 deny 192.168.10.50 0.0.0.0
#access-list 70 permit any
#sho run | include access-list 70
Applying
#line vty 0 4
#access-class 70 in

Extended access list - ip, tcp, udp, icmp
#access-list 150 deny ip 192.168.10.50 0.0.0.0 192.168.3.50 0.0.0.0
"or"
#access-list 150 deny ip host 192.168.10.50 host 192.168.3.50
"or"
#access-list 150 deny tcp 192.168.10.50 0.0.0.0 any eq 80 (port number)
R2 - prevent access in a link
#access-list 100 deny ip host 192.168.10.50 192.168.2.0 0.0.0.255
Permit
#access-list 100 permit ip any any
Applying
#int fa0/0.10
#ip access-group 100 in

One to one translation
Does not work with IP address
#ip nat pool PUBLIC_ADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
#ip nat inside source list NAT_ADDRESSES pool PUBLIC_ADDRESSES overload

NAT Overload or (Microsoft) Port Address Translation
All devices share 1 ip address
R1
#int e0/0
#ip nat inside
#int e0/1
#ip nat outside
#exit
#ip access-list standard NAT_ADDRESSES
#deny 192.168.0.0 0.0.0.255
#permit 192.168.0.0 0.0.255.255
#exit
#ip nat inside source list NAT_ADDRESSES interface Ethernet0/1 overload
#sho ip nat translations

Static NAT
Hosting a server in the network
Done in 2 ways
  static ip address
  uses port numbers
R1
#ip nat inside source static 192.168.10.50 68.110.171.99

Accessing homepages
#access-list 100 deny tcp any host 128.242.116.211 eq 80

Modern (named)
#ip access-list extended (or standard) denyhostA - word or number
#permit ip host 192.168.10.50 host 4.2.2.2
#permit tcp host 192.168.10.50 host 4.2.2.2
#permit icmp host 192.168.10.50 host 4.2.2.2
Adding a sequence number
#15 permit tcp host 192.168.10.50 host 4.2.2.4
Deleting by sequence number
#no 20
Internet
#ip access-list extended filter_internet
#permit tcp any any established
#int e0/1
#ip access-group filter_internet in

VPN - Virtual Private Network
Remote access
  SSL VPN
  Web VPN
IPsec - VPN security protocol
Negotiation protocol
  AH
  ESP
  ESP+AH
Encryption
  DES
  3DES
  AES
Authentication
  MD5
  SHA-1
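To see how a router walks an access list, here is an added Python model (not from the notes, not Cisco code) of the matching rules: wildcard-mask comparison, top-down first match, the implicit deny at the end, and the established keyword. It replays constructed packets through mirrors of the ACL 100 and filter_internet entries above, and also through the standard ACL 1 entry deny 192.168.5.100 0.0.255.255 from the configuration section, which shows that a 0.0.255.255 wildcard covers all of 192.168.0.0/16, not a single host. Packet and Entry are names chosen here.

```python
"""IOS-style access-list evaluation (added example, not from the notes).

Models: wildcard-mask matching, top-down first match, the implicit 'deny'
at the end of every list, and 'established' (matches TCP only when ACK or
RST is set, i.e. return traffic). Entries and packets are constructed to
mirror the ACL examples in the notes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set (a reply to a connection we opened)

@dataclass
class Entry:
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str = "any"               # standard ACLs only look at the source
    eq: Optional[int] = None       # destination port, e.g. eq 80
    established: bool = False

def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard: 0 bit = must match, 1 bit = don't care (inverse of a netmask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(e.src, p.src) and wildcard_match(e.dst, p.dst)):
        return False
    if e.eq is not None and p.dport != e.eq:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; index None means the implicit deny fired."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None

# Mirrors of the lists in the notes (constructed objects, same addresses).
ACL_1 = [Entry("deny", "ip", "192.168.5.100 0.0.255.255"),
         Entry("permit", "ip", "192.168.5.0 0.0.0.255")]
ACL_100 = [Entry("deny", "ip", "host 192.168.10.50", "192.168.2.0 0.0.0.255"),
           Entry("permit", "ip", "any", "any")]
FILTER_INTERNET = [Entry("permit", "tcp", "any", "any", established=True)]

if __name__ == "__main__":
    samples = [
        ("ACL 1, host in another /24 of 192.168.0.0/16", ACL_1, Packet("tcp", "192.168.77.3", "10.0.0.1")),
        ("ACL 100, host A to 192.168.2.0/24", ACL_100, Packet("tcp", "192.168.10.50", "192.168.2.7", 80)),
        ("ACL 100, host A elsewhere", ACL_100, Packet("tcp", "192.168.10.50", "192.168.3.50", 80)),
        ("filter_internet, inbound new SYN", FILTER_INTERNET, Packet("tcp", "4.2.2.2", "192.168.10.50", 80)),
        ("filter_internet, reply to our request", FILTER_INTERNET, Packet("tcp", "4.2.2.2", "192.168.10.50", 51000, ack=True)),
        ("filter_internet, inbound UDP", FILTER_INTERNET, Packet("udp", "4.2.2.2", "192.168.10.50", 53)),
    ]
    for label, acl, pkt in samples:
        print(f"{label}: {evaluate(acl, pkt)}")
```

Two things worth checking on a real box follow from the model: the wildcard in ACL 1 is almost certainly wider than intended (0.0.255.255 makes the first entry deny every 192.168.x.x source, so the permit on line two never matches), and established only looks at TCP flags, so it blocks inbound UDP and ICMP replies as well as new connections.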
NAT - Network Address Translation
Dynamic NAT

VPN Encryption
Symmetric - fast (DES, AES)

Protection
DH1 (Diffie-Hellman)
DH2
DH5
DH7

PPP - Point-to-Point Protocol
Physical connections
WIC slot - WAN Interface Card
WIC 1T
WIC 2T
Built-in T1 CSU/DSU
DB-60
V.35 connector
CSU/DSU
DEMARC

FRAME RELAY TERMS
CIR - Committed Information Rate - bandwidth
LAR - Local Access Rate
LMI - Local Management Interface
DLCI - Data Link Connection Identifier - locally significant
PVC - Permanent Virtual Circuit
PVC DESIGN
  Hub and spoke (no redundancy)
  Full mesh (redundant but costly)
  Partial mesh (rightly)
MULTIPOINT DESIGN
  All routers on the same subnet
  Multiple DLCI numbers mapped to the interface
  Causes problems with split horizon
POINT TO POINT DESIGN
  All routers on different subnets
  Sub-interface created for each point-to-point
  No problems with split horizon

WAN WORLD
Frame Relay, ATM - VPI and VCI, PPP, HDLC
HDLC - High-level Data Link Control
  Cisco proprietary
  Extremely low overhead
  No features
PPP
  Industry standard
  Moderate overhead
  Feature-riffic
  -Authentication
  -Compression
  -Callback
  -Multilink
#int s0/1/0
#encapsulation ppp
or
#encapsulation hdlc
Authentication
  PAP - not used anymore
  CHAP - hash - MD5 hash
#int s0/0
#ppp authentication chap
Create user accounts
#username R2 password cisco
#username R3 password cisco
#debug ppp authentication

FRAME RELAY CONFIGURATIONS
Multipoint
R1
#ip address 192.168.1.1 /24
#encapsulation frame-relay
#frame-relay lmi-type <ansi | cisco | q933a>
#show frame-relay lmi
#frame-relay map ip 192.168.1.2 102 broadcast
#frame-relay map ip 192.168.1.3 103 broadcast
R2
#ip address 192.168.1.2 /24
#encapsulation frame-relay
#frame-relay lmi-type <ansi | cisco | q933a>
#frame-relay map ip 192.168.1.1 102 broadcast
#frame-relay map ip 192.168.1.3 301 broadcast
Verification
#sh frame-relay map
#sh frame-relay lmi
#sh frame-relay pvc

Point to point config
R1
#encapsulation frame-relay
#int s0/1/0.102 point-to-point
#ip address 192.168.1.1 /24
#frame-relay interface-dlci 102
create another subnet
#int s0/1/0.103 point-to-point
#ip address 192.168.2.1 /24
#frame-relay interface-dlci 103

R2
#int s0/0
#encapsulation frame-relay
#int s0/0.201 point-to-point
#ip address 192.168.1.2 /24
#frame-relay interface-dlci 201

R3
#int s0
#encapsulation frame-relay
#int s0.301 point-to-point
#ip address 192.168.2.2 /24
#frame-relay interface-dlci 301
#exit

IPv6
