Protocol Numbers
Port Numbers
Repeater
Hub
L2 Switch
L3 Switch
Router
Differences Between
Switching Modes
VLAN
Management VLAN
DTP
VTP
Etherchannel
STP
FHRP
RIP v1 & v2
EIGRP
OSPF
BGP
ACL
NAT
DHCP
DNS
FTP
SMTP
Syslog
HTTP
Telnet
SSH
Ping Process
Trace route Process
Router Password Recovery
Switch Password Recovery
TCP
UDP
ASA
Checkpoint
Palo Alto
F5
Layer 7 – Application layer
- This is the closest layer to the end user.
- It provides the interface between the user application and the network.
- Web browsers such as IE, Firefox or Opera are user applications; they use
Application layer protocols but are not themselves part of the Application layer.
- The protocols that users interact with directly reside in the Application layer.
- Telnet, FTP, HTTP and SMTP are examples of Application layer protocols.
Port Numbers
TCP: FTP 20/21, SSH 22, Telnet 23, SMTP 25, HTTP 80, POP3 110, BGP 179, HTTPS 443
UDP: DHCP 67/68, TFTP 69, NTP 123, RIP 520
TCP and UDP: DNS 53, SNMP 161/162, LDAP 389
Layer 3 – Network layer
This layer provides the logical addresses that routers use to determine the path
to the destination.
- Logical addressing – provides a unique address that identifies both the
host and the network that host exists on.
- Routing – determines the best path to a particular destination network,
and then routes data accordingly.
Layer 2 – Data Link layer
It packages the higher-layer data into frames, so that the data can be put onto the
physical wire. This packaging process is referred to as framing or encapsulation.
- Ethernet – the most common LAN data-link technology
Collision Domain
- It is the part of a network where frame collisions can occur.
- In a half-duplex Ethernet network, a collision occurs when two devices
transmit at the same time.
- Collisions are common in a hub environment, because every port on a hub is in
the same collision domain.
Broadcast Domain
- A broadcast domain is the set of devices to which a broadcast frame is forwarded.
- It contains all devices that can reach each other at the Data Link layer
(OSI Layer 2) by using a broadcast.
- All ports on a hub or a switch are by default in the same broadcast domain.
Each port on a router is in a different broadcast domain, and routers do not
forward broadcasts from one broadcast domain to another.
Repeater
- It is used to regenerate the signal.
- When a signal travels over a long distance its clarity degrades, so a repeater
regenerates the signal and lets it travel a longer distance.
- No memory.
- Only 2 ports are available.
Hub
- It is a Physical layer (Layer 1) device of the OSI model.
- It is used to connect network devices in a LAN.
- Half-duplex device.
- When a frame is received it is repeated out of all other ports.
- It does not inspect the frame before forwarding.
- 1 collision domain and 1 broadcast domain.
Bridge
- It is a Layer 2 device.
- Half-duplex device.
- Frames are forwarded based on the destination Layer 2 MAC address.
- Frame forwarding method is store-and-forward.
- Multiple collision domains and 1 broadcast domain.
Switch
- It is a Layer 2 device.
- It is used to connect devices in the same LAN.
- Full-duplex device.
- MAC address learning and frame forwarding are done in hardware (ASIC).
- Frames are forwarded based on the destination Layer 2 MAC address.
- It uses a CAM/MAC address table to forward frames; a frame for an unknown
destination is flooded out of every other port in the VLAN.
- Frame forwarding methods are store-and-forward, cut-through and fragment-free.
- Multiple collision domains and 1 broadcast domain (one per VLAN when VLANs
are configured).
Router
- It is a Layer 3 device.
- It connects 2 or more different networks and forwards packets from one
network to another.
- Full duplex.
- Packets are forwarded based on the destination Layer 3 IP address.
- It does not forward broadcasts.
- Multiple collision domains and multiple broadcast domains.
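As an added example (not part of the original notes), the rules above can be checked mechanically: a small union-find joins the two ends of every cable, then a hub merges all of its ports into one collision domain, a hub or switch merges all of its ports into one broadcast domain, and a router merges nothing. The topology in `example_topology` (hub, switch, router and four hosts) is constructed here.

```python
"""Count collision and broadcast domains in a small LAN topology.

Added example, not from the original notes. The topology below is
constructed to exercise the rules: every hub port shares one collision
domain, each switch and router port is its own collision domain, and only
routers split broadcast domains.
"""
from collections import defaultdict

HUB, SWITCH, ROUTER, HOST = "hub", "switch", "router", "host"


class DisjointSet:
    """Union-find over port identifiers (device_name, port_number)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def count_domains(devices, links):
    """devices: {name: kind}; links: [((dev, port), (dev, port)), ...].

    Returns (collision_domains, broadcast_domains) for the cabled ports.
    """
    collision, broadcast = DisjointSet(), DisjointSet()
    ports = defaultdict(list)
    for (d1, p1), (d2, p2) in links:
        ports[d1].append(p1)
        ports[d2].append(p2)
        # A cable puts its two ends in the same collision and broadcast
        # domain; the devices then decide how far each domain extends.
        collision.union((d1, p1), (d2, p2))
        broadcast.union((d1, p1), (d2, p2))
    for dev, kind in devices.items():
        first, *rest = ports[dev] or [None]
        for p in rest:
            if kind == HUB:
                # A hub repeats bits out of every port: one collision domain.
                collision.union((dev, first), (dev, p))
            if kind in (HUB, SWITCH):
                # Hubs and switches flood broadcasts out of every port.
                broadcast.union((dev, first), (dev, p))
            # A router does neither: each interface is its own collision
            # and broadcast domain. Hosts have only one port.
    cabled = {end for link in links for end in link}
    n_coll = len({collision.find(end) for end in cabled})
    n_bcast = len({broadcast.find(end) for end in cabled})
    return n_coll, n_bcast


def example_topology():
    """Constructed topology: h1 and h2 on a hub, the hub and h3 on a switch,
    the switch uplinked to a router, and h4 on the router's other interface."""
    devices = {"hub1": HUB, "sw1": SWITCH, "r1": ROUTER,
               "h1": HOST, "h2": HOST, "h3": HOST, "h4": HOST}
    links = [
        (("h1", 0), ("hub1", 0)),
        (("h2", 0), ("hub1", 1)),
        (("hub1", 2), ("sw1", 0)),
        (("h3", 0), ("sw1", 1)),
        (("sw1", 2), ("r1", 0)),
        (("r1", 1), ("h4", 0)),
    ]
    return count_domains(devices, links)


if __name__ == "__main__":
    print("collision domains, broadcast domains:", example_topology())
```

For the constructed topology the result is 4 collision domains (the hub segment, the h3 port, the switch-router link and the router-h4 link) and 2 broadcast domains (everything on the switch side of the router, and the h4 side).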
ASIC
Application Specific Integrated Circuit
A switch is a Layer 2 device that makes its decision based on the Layer 2 destination
MAC address. As the number of switch ports increases, a general-purpose CPU
running a software forwarding path can't keep up. The ASIC is a processor built
only for making switching decisions very quickly, rather than a general-purpose
CPU. This is similar to a high-end graphics card, which has a processor specialized
for graphics that would not be good for general applications.
How does a router build the routing table for the first time?
The router first installs its directly connected networks: every interface that has
an IP address and is up/up contributes a connected route.
Static Route: a route that is manually configured in the routing table by the
administrator.
Default Route: used when the router has no more specific route for the destination IP
address; if nothing else matches, this route is used. It is also called the
Gateway of last resort.
MAC Address
- It allows devices to uniquely identify themselves on a network.
- The first 24 bits (3 bytes) of a MAC address are the OUI (Organizationally Unique
Identifier) assigned to the vendor; the remaining 24 bits are assigned by the vendor.
System Communication
- Simplex
- Half-Duplex
- Full-Duplex
Simplex
- One-way communication: one device can only send and the other can only receive.
Ex: Radio, Pager
Half-Duplex
- Two-way communication, but not at the same time.
- At any moment only one device can send; the other receives.
- Collisions can happen.
Ex: Hub, Walkie-talkie
Full-Duplex
- Two-way communication at the same time.
- Both devices can send and receive data simultaneously.
Ex: Telephone
HTTP vs HTTPS
HTTP: uses port 80; unsecured; there is no encryption; no certificate is required.
HTTPS: uses port 443; secured; the session is encrypted (HTTP over TLS/SSL); a
server certificate is required.
RIPv1 vs RIPv2
RIPv1: supports only classful networks; works only on contiguous networks; does not
support triggered updates; forwards updates as broadcast to 255.255.255.255; does
not support VLSM; no authentication.
RIPv2: classless (the subnet mask is carried in updates, so VLSM is supported);
works on discontiguous networks; supports triggered updates; forwards updates as
multicast to 224.0.0.9; supports plaintext and MD5 authentication.
Version compatibility on Cisco routers:
- Default (no version command): sends RIPv1 updates but accepts both v1 and v2 updates.
- version 1 configured: sends and receives only v1 updates.
- version 2 configured: sends and receives only v2 updates.
OSPF vs EIGRP
OSPF: Open Shortest Path First. A pure link-state protocol. Load balances only
across equal-cost paths. Calculates the metric using cost, which is derived from
bandwidth. An open standard, widely deployed in multi-vendor networks; it scales to
large networks when they are split into areas.
EIGRP: Enhanced Interior Gateway Routing Protocol. Shows characteristics of both
link-state and distance-vector protocols (an advanced distance-vector, or hybrid,
protocol). Can load balance across unequal-cost paths (variance). Uses bandwidth,
delay and optionally load and reliability to calculate the metric. Maximum hop
count is 255. Mostly found in Cisco-only environments, so less widely used.
Converges very quickly when a feasible successor exists; both protocols converge
far faster than RIP.
IPSec vs SSL
IPSec: works at Layer 3 (Network layer) of the OSI model, so it secures all IP
traffic between the two endpoints regardless of the application. It defines how
to provide data integrity, authenticity and confidentiality over an insecure
network like the Internet, and achieves this through tunneling, encryption and
authentication.
SSL/TLS: works above the Transport layer (commonly described as Layer 5-7 of the
OSI model) and is used to secure application sessions, typically between a web
server and a user's browser. It uses encryption and authentication to keep
communications private between the two devices. Like IPSec, it offers
configurable levels of security; unlike IPSec, it secures one application
session at a time, and each application is typically accessed through the web
browser.
TCP vs UDP
TCP: connection-oriented; uses a 3-way handshake (SYN, SYN+ACK, ACK) to establish
the connection; reliable delivery with sequencing and acknowledgements.
UDP: connectionless; no 3-way handshake; no delivery guarantee.
VLAN vs VPN
VLAN: a group of hosts placed in the same broadcast domain on a switch, so the
hosts in that VLAN can talk directly to each other at Layer 2. It is used when a
set of hosts must be kept separate from the rest of the network; traffic from
outside the VLAN has to be routed in and is normally controlled with an ACL
(access control list). A VLAN also lets workstations that are not in the same
physical location share one broadcast domain. It is a Layer 2 segmentation
mechanism and provides no encryption.
VPN: a Virtual Private Network is a secured means of connecting to a private
network through a public network that is not trusted. It is generally used for
remote access to a company network, creates an encrypted path for safe data
transmission, and allows communication in a secured manner over an unsecured
environment.
Switching Modes
1. Store and Forward Switching
2. Cut-through Switching
3. Fragment-Free Switching
1. Store and Forward Switching
The switch receives the entire frame and verifies the FCS (CRC) before forwarding
it, so corrupted frames and runts are dropped. This is the most reliable mode and
has the highest latency.
2. Cut-through Switching
The switch reads only the destination MAC address (the first 6 bytes of the
frame) into memory before making a switching decision. It reduces delay because
the switch starts to forward the frame as soon as it has read the destination
MAC address and determined the outgoing switch port. Because the FCS is never
checked, the switch may forward bad frames.
3. Fragment-Free Switching
A switch operating in fragment-free mode reads at least the first 64 bytes of the
Ethernet frame before switching it, to avoid forwarding Ethernet runt frames
(frames smaller than 64 bytes, usually the product of a collision). Frames
corrupted after the first 64 bytes are still forwarded.
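The three modes differ only in how much of the frame is examined before the forwarding decision. The added example below (not from the original notes) builds three constructed frames, a valid 64-byte frame, the same frame with a corrupted payload byte, and a 28-byte runt, and applies each mode's rule to them; the FCS is a CRC-32 over the rest of the frame as in real Ethernet.

```python
"""Decide whether a frame is forwarded under store-and-forward, cut-through
and fragment-free switching.

Added example, not from the original notes. The frames are constructed
inline; the FCS is a CRC-32 over the rest of the frame, as in Ethernet.
"""
import zlib

MIN_FRAME = 64          # minimum Ethernet frame length including the FCS
MODES = ("store-and-forward", "cut-through", "fragment-free")


def build_frame(dst, src, payload, ethertype=0x0800):
    """Header + payload + 4-byte FCS (CRC-32, least-significant byte first)."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame):
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


def forward_decision(frame, mode):
    """Return (forwarded, reason) for one frame under one switching mode."""
    if mode == "store-and-forward":
        # The whole frame is buffered, so both runts and CRC errors are caught.
        if len(frame) < MIN_FRAME:
            return False, "runt dropped after full receive"
        if not fcs_ok(frame):
            return False, "bad FCS dropped"
        return True, "verified frame forwarded"
    if mode == "cut-through":
        # Only the first 6 bytes (destination MAC) are read before the frame
        # starts leaving the egress port; errors behind them are never seen.
        return True, "forwarded after dst " + frame[:6].hex(":")
    if mode == "fragment-free":
        # 64 bytes are buffered: collision fragments are caught, CRC errors not.
        if len(frame) < MIN_FRAME:
            return False, "runt dropped (fewer than 64 bytes received)"
        return True, "forwarded after 64 bytes; FCS not checked"
    raise ValueError(f"unknown mode {mode!r}")


def sample_frames():
    """Constructed frames: a valid 64-byte frame, the same frame with a
    corrupted payload byte, and a 28-byte runt."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    good = build_frame(dst, src, b"A" * 46)          # 14 + 46 + 4 = 64 bytes
    corrupted = good[:20] + bytes([good[20] ^ 0xFF]) + good[21:]
    runt = build_frame(dst, src, b"B" * 10)          # 14 + 10 + 4 = 28 bytes
    return {"good": good, "corrupted": corrupted, "runt": runt}


def run_all():
    """{mode: {frame_name: forwarded}} for the sample frames."""
    frames = sample_frames()
    return {mode: {name: forward_decision(f, mode)[0] for name, f in frames.items()}
            for mode in MODES}


if __name__ == "__main__":
    for mode, result in run_all().items():
        print(f"{mode:18} {result}")
```

Store-and-forward is the only mode that drops the corrupted frame; cut-through forwards even the runt, which is exactly the gap fragment-free was introduced to close.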
Switching Functions
1. Learning
2. Aging
3. Flooding
4. Filtering
5. Forwarding
VLAN
- It is used to divide a single broadcast domain into multiple broadcast domains.
- By default all ports of the switch are in VLAN 1.
- It provides Layer 2 segmentation (a form of Layer 2 security).
Dynamic VLAN
- The switch automatically assigns a port to a VLAN based on the source MAC
address of the connected host, so the VLAN follows the host rather than the port.
- A VMPS (VLAN Membership Policy Server) is needed to hold the MAC-to-VLAN mapping.
Advantages of VLAN
- Broadcast control: flooding of a frame is limited to the switch ports that
belong to the VLAN.
- Smaller broadcast domains: VLANs increase the number of broadcast domains
while reducing their size.
- Layer 2 security: VLANs give control over each port and its users, so users
can be prevented from gaining unwanted access to resources in other VLANs.
- Cost: dividing a large LAN into smaller VLANs is cheaper than building a
routed network with routers, because routers are normally costlier than switches.
Native VLAN
- It is the untagged VLAN on an 802.1Q trunked switchport.
- If a switch receives an untagged frame on a trunk, the frame is placed in the
native VLAN.
- By default the native VLAN is 1.
- Both sides of a trunk link must be configured with the same native VLAN; a
mismatch leaks frames between two VLANs and is reported by CDP.
- Security caveat: leaving the native VLAN as VLAN 1, the same VLAN the access
ports use, makes double-tagging VLAN-hopping possible. Use an unused VLAN as the
native VLAN on trunks and keep it different from every access VLAN.
Switch-Port Security
- Port security adds an additional layer of security in a LAN.
- It is used to secure the switch port by limiting which, and how many, MAC
addresses may send traffic through it.
- It is necessary because otherwise anyone can reach network resources by
simply plugging a host into one of the available switch ports.
Port security must first be enabled on the interface (the "switchport
port-security" interface command). The following command then makes the port
learn MAC addresses dynamically and automatically store each learned address in
the running configuration as a static secure MAC address associated with the port:
# switchport port-security mac-address sticky
Caveat: sticky addresses survive a reload only if the running configuration is
saved, and the violation mode (shutdown, restrict or protect) decides what
happens when an unknown MAC address appears on the port.
DTP
- Dynamic Trunking Protocol
- It is a Layer 2 protocol.
- It is a Cisco proprietary trunking protocol, used to automatically negotiate
trunks between Cisco switches.
- It can be used to negotiate and form a trunk connection between Cisco
switches dynamically.
- It is enabled on every switchport by default (dynamic auto on current
Catalyst switches), so any port left at its default can be talked into
becoming a trunk by whatever is plugged into it.
Switchport Modes
Access - Always forces the port to be an access port with no VLAN tagging
allowed EXCEPT for the voice VLAN. A trunk will never be formed, although DTP
frames are still transmitted unless nonegotiate is also configured.
#switchport mode access
#switchport access vlan 10
Trunk: This interface will always be a trunk no matter what happens on the other
side. It also uses DTP to negotiate a neighboring interface that is set to
dynamic desirable or dynamic auto into a trunk.
#switchport trunk encapsulation dot1q
#switchport mode trunk
Dynamic desirable - the port actively sends DTP negotiation; if the other side
is set to trunk, desirable or auto, the interface becomes a trunk. Otherwise the
port becomes an access port.
Dynamic auto - the port listens passively and negotiates a trunk if the other
side is set to trunk or desirable. Otherwise it becomes an access port. Two
dynamic auto ports never form a trunk.
Nonegotiate - turns off DTP on a port that is already statically set to access
or trunk mode; no DTP frames are sent or processed. It does not by itself make
the port a trunk. Use it together with access mode on user-facing ports so that
an attacker cannot negotiate a trunk and hop between VLANs.
VTP
- VLAN Trunking Protocol
- It is a Cisco proprietary protocol that propagates the VLAN configuration to
other switches in the VTP domain over trunk links.
1. Server Mode:
This is the default mode.
When you make a change to the VLAN configuration on a VTP server, the change
is propagated to all switches in the VTP domain.
VTP messages are transmitted out of all the trunk connections.
In server mode we can create, modify and delete VLANs.
2. Client Mode
In this mode switches are only allowed to receive and forward updates from the
server switch. A client cannot make changes to the VLAN configuration; however,
a VTP client can send any VLANs currently listed in its database to other VTP
switches, and it forwards VTP advertisements (but cannot originate them).
3. Transparent Mode
In this mode a switch maintains its own VLAN database and never learns any VTP
information from other switches (even from the switch in VTP server mode). It
still forwards VTP advertisements from the server to other switches. It can add,
delete and modify its VLAN database locally.
Caveat: servers and clients accept the advertisement with the highest
configuration revision number in the same domain. A switch (even a client)
connected with a higher revision number can overwrite the VLAN database of the
whole domain and delete production VLANs. Reset the revision number (change the
domain name or set transparent mode) before connecting a switch, and configure a
VTP password.
VTP Advertisement Types
2. Summary advertisement:
Summary advertisements are sent out every 300 seconds (5 minutes) by default
or when a configuration change occurs; they carry the summarized VLAN
information (domain name and configuration revision number).
3. Subset advertisement:
Subset advertisements are sent when a configuration change takes place on the
server switch. Subset advertisements are VLAN specific and contain details about
each VLAN.
VTP Versions
1. VTPv1
It is the default on Catalyst switches.
It supports the standard VLAN range 1-1005.
A transparent switch using VTP version 1 checks the domain name and version
before it forwards the frame.
2. VTPv2
If a switch is in transparent mode, it forwards the message without checking
the version information. Adds support for Token Ring VLANs.
3. VTPv3
Support for extended VLANs (up to 4094).
Support for the creation and advertising of private VLANs.
Interaction with VTP version 1 and VTP version 2.
Provides the ability to be configured on a per-port basis.
Introduces a primary server: only the primary server can update the domain,
which prevents a newly connected switch from overwriting the VLAN database.
VTP Pruning
- It cuts down unnecessary VLAN traffic on trunk ports: a VLAN's broadcasts are
not sent to a switch that has no active ports in that VLAN.
- VTP pruning is disabled by default on Cisco switches.
- By default, VLANs 2 - 1001 are pruning eligible.
- VLAN 1 can't be pruned because it is an administrative VLAN.
- Both VTP versions 1 and 2 support pruning.
VLAN Port Types
1. Access ports
2. Trunk ports
Access link: An access link is a link that belongs to only one VLAN, and normally
access links are for end devices.
Trunk link: A trunk link can carry traffic for multiple VLANs, and normally a
trunk link is used to connect switches to other switches or to routers.
IEEE 802.1Q
- It is an open standard.
- It inserts a 4-byte VLAN tag directly into the Layer 2 frame header, after the
source MAC address (TPID 0x8100, then a 3-bit priority, a 1-bit DEI/CFI and the
VLAN ID).
- The VLAN tag includes a 12-bit VLAN ID.
- The tag increases the maximum frame size from 1518 to 1522 bytes (1514 to 1518
bytes if the 4-byte FCS is not counted).
- The 12-bit field gives 4096 values; VLAN 0 and 4095 are reserved, so 4094 VLANs
can be carried on a trunk port.
- It supports a native (untagged) VLAN on trunk ports.
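The tag layout and the native-VLAN rule together explain the double-tagging attack. The added example below (not from the original notes) builds and parses 802.1Q tags, models trunk egress (native VLAN sent untagged) and trunk ingress (untagged frames assigned to the native VLAN), and replays a double-tagged frame through both. MAC addresses, payload and VLAN numbers are constructed; the attacker's outer tag stands in for the VLAN the access switch would assign to the attacker's port.

```python
"""Build and parse IEEE 802.1Q tags and replay the double-tagging
(VLAN hopping) case that an untagged native VLAN allows.

Added example, not from the original notes. MAC addresses, payload and
VLAN numbers are constructed.
"""
import struct

TPID_8021Q = 0x8100


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert a 4-byte tag after the source MAC (byte offset 12)."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN IDs 0 and 4095 are reserved; 1-4094 are usable")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tags(frame):
    """Return ([(pcp, dei, vid), ...] outermost first, ethertype, payload)."""
    offset, tags = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return tags, ethertype, frame[offset + 2:]


def trunk_egress(frame, native_vlan):
    """Trunk egress: the native VLAN leaves untagged, everything else tagged."""
    tags, _, _ = parse_tags(frame)
    if tags and tags[0][2] == native_vlan:
        return frame[:12] + frame[16:]          # strip the outer 4-byte tag
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Trunk ingress: untagged frames land in the native VLAN."""
    tags, _, _ = parse_tags(frame)
    return tags[0][2] if tags else native_vlan


def double_tag_attack(attacker_vlan, native_vlan, victim_vlan):
    """Attacker (in attacker_vlan) sends a frame tagged [attacker][victim].
    The first switch forwards it over the trunk; if attacker_vlan is the
    trunk's native VLAN the outer tag is stripped and the next switch
    assigns the frame to the inner (victim) VLAN. Returns that VLAN."""
    base = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + b"X" * 46)            # constructed
    crafted = add_tag(add_tag(base, victim_vlan), attacker_vlan)
    on_wire = trunk_egress(crafted, native_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1 in use   ->", double_tag_attack(1, 1, 10))   # 10: hopped
    print("unused native VLAN 999 ->", double_tag_attack(1, 999, 10)) # 1: contained
```

With the native VLAN left at 1 the crafted frame ends up in VLAN 10; with an unused native VLAN (999) the outer tag survives and the frame stays in VLAN 1. On Catalyst switches the global command `vlan dot1q tag native` closes the same hole by tagging the native VLAN as well.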
Etherchannel
The issue with using only a single physical port is a single point of failure. If
the port goes down, the trunk connection is lost.
Etherchannel is a technology that lets you bundle multiple physical links into a
single logical link. If we simply connect 2 or more cables between two switches
there is a chance of a loop; STP runs, blocks all but one port, and the extra
links give neither redundancy nor additional bandwidth.
Spanning tree sees the Etherchannel as one logical link, so there are no loops.
Etherchannel load balances among the member links and also takes care of
redundancy. A maximum of 8 active ports are supported in a single Etherchannel.
Etherchannel Load-Balancing
Frames are distributed per flow by hashing fields such as the source/destination
MAC or IP address, so a single flow always uses the same member link.
Manual Configuration
#interface range f0/22 - 24
#channel-group 1 mode on
Dynamic Configuration
Cisco switches support two dynamic aggregation protocols:
- PAgP (Port Aggregation Protocol) – Cisco proprietary aggregation protocol.
- LACP (Link Aggregation Control Protocol) – IEEE standardized aggregation
protocol, originally defined in 802.3ad.
PAgP and LACP are not compatible – both sides of an Etherchannel must use the
same aggregation protocol.
EtherChannel - PAgP
It supports 2 modes:
- Desirable – actively attempts to form a channel
- Auto – waits for the remote switch to initiate the channel
EtherChannel - LACP
It has 2 modes:
- Active – actively attempts to form a channel
- Passive – waits for the remote switch to initiate the channel
Broadcast Storms
Without any loop-removal mechanism, switches will flood broadcasts endlessly
throughout a looped network. This is known as a broadcast storm.
STP Root Bridge Election
The default bridge priority is 32,768, and the lowest Bridge ID wins. If there is
a tie in priority, the lowest MAC address is used as the tie-breaker.
The sys-id-ext value that you see is the VLAN number. The priority is 32768 but
spanning tree adds the VLAN number, so for VLAN 1 the effective priority is
32769 (32768 + 1) and for VLAN 10 it is 32778 (32768 + 10).
Note: The root port is the port that forwards traffic toward the root bridge.
Each non-root switch has exactly one root port, and the root bridge has no root
port.
Caveat: any device that sends BPDUs with a lower Bridge ID becomes root and can
pull all inter-switch traffic through itself; Root Guard and BPDU Guard exist to
stop that.
STP Port Cost by Bandwidth
Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
45 Mbps     39
100 Mbps    19
155 Mbps    14
1 Gbps      4
10 Gbps     2
3. Designated Ports are identified
A single designated port is identified for each network segment, and it is
responsible for forwarding BPDUs and frames onto that segment. It is the port
with the lowest path cost leading to the root bridge. This port will not be
placed in a blocking state.
Port ID
When electing root and designated ports, it is possible to have a tie in both
path cost and Bridge ID.
If the bandwidth of both links is equal, then both of Switch 2's interfaces have
an equal path cost to the root bridge. The tiebreaker would normally be the
lowest Bridge ID, but both links lead to the same upstream bridge, so it cannot
decide in this circumstance.
Port ID is used as the final tiebreaker, and consists of two components:
- 4-bit port priority (default 128)
- 12-bit port number, derived from the physical port number
STP decides root and designated ports in this order:
- Lowest path cost to the root bridge
- Lowest (sender) Bridge ID
- Lowest (sender) Port ID
Port States (802.1D)
- Disabled
- Blocking
- Listening
- Learning
- Forwarding
Timers
- Hello Timer
- Forward delay Timer
- Max-age Timer
Hello Timer: how often switches send BPDUs; by default every 2 seconds.
Forward delay Timer: how long a port must spend in each of the listening and
learning states; by default 15 seconds each.
Max-age Timer: how long a switch retains BPDU information from a neighbor
switch before discarding it; by default 20 seconds.
PortFast
UplinkFast
BackboneFast
Protecting STP
- Root Guard
- BPDU Guard
- BPDU Filtering
- Unidirectional Link Detection (UDLD)
- Loop Guard
Root Guard
BPDU Guard
BPDU Filtering
UDLD
Loop Guard
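The port-security, DTP/switchport-mode, native-VLAN and STP-protection points above are all things that can be checked from a running configuration. The added example below (not from the original notes, and not a Cisco tool) parses a constructed Catalyst config excerpt and reports ports left negotiating DTP, access ports without port security or BPDU Guard, and trunks that still use native VLAN 1 or allow every VLAN; the weak config and the hardened config that passes the audit are both constructed, using standard IOS command syntax.

```python
"""Audit a Catalyst running-config excerpt for the Layer 2 weaknesses
covered above: DTP left negotiating, access ports without port security
or BPDU Guard, and trunks that keep native VLAN 1 or still talk DTP.

Added example, not from the original notes. Both config texts are
constructed; the commands checked are standard Cisco IOS syntax.
"""

WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 description user port left at the default
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """{interface name: [indented commands]} from a running-config."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None            # "!" or any top-level line ends the block
    return ifaces


def _has(cmds, prefix):
    return any(c.startswith(prefix) for c in cmds)


def audit(config):
    """Return [(interface, finding), ...]; an empty list means clean."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        # No "switchport mode" line means the Catalyst default: dynamic auto.
        mode = next((c.split()[2] for c in cmds
                     if c.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic":
            findings.append((name, "DTP negotiation possible: set 'switchport "
                                   "mode access' and 'switchport nonegotiate'"))
            continue
        if not _has(cmds, "switchport nonegotiate"):
            findings.append((name, "DTP frames still sent: add 'switchport nonegotiate'"))
        if mode == "access":
            if not _has(cmds, "switchport port-security"):
                findings.append((name, "no port security: add 'switchport port-security'"))
            if not _has(cmds, "spanning-tree bpduguard enable"):
                findings.append((name, "no BPDU Guard: add 'spanning-tree bpduguard enable'"))
        elif mode == "trunk":
            native = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append((name, "native VLAN is 1: use an unused VLAN "
                                       "('switchport trunk native vlan <id>')"))
            if not _has(cmds, "switchport trunk allowed vlan "):
                findings.append((name, "all VLANs allowed on trunk: prune with "
                                       "'switchport trunk allowed vlan <list>'"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(WEAK_CONFIG):
        print(f"{iface}: {finding}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak config yields seven findings (three on each statically configured port and one for the port left at its default), the hardened one none. The check treats a missing `switchport mode` line as the dangerous case on purpose: that is the state a freshly unboxed Catalyst port is in.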
Port States (RSTP)
Discarding State:
A discarding port will not forward frames or learn MAC addresses.
A discarding port will listen for BPDUs.
Alternate and backup ports remain in the discarding state.
Learning State:
A learning port begins to add MAC addresses to the CAM table.
It cannot forward frames quite yet.
Forwarding State:
A forwarding port is fully functional – it sends and listens for BPDUs, learns
MAC addresses, and forwards frames.
Root and designated ports eventually transition to the forwarding state.
Compared with STP, RSTP adds the alternate and backup port roles. These ports
are pre-computed backups, so when the root port or a designated port fails they
can move to forwarding immediately instead of waiting for the STP timers to
expire.
Port Roles:
Root port – A forwarding port that is the closest to the root bridge in terms of
path cost.
Designated port – A forwarding port for every LAN segment.
Alternate port – The best alternate path to the root bridge. This path is
different from the one through the root port. The alternate port moves to the
forwarding state if the root port fails.
Backup port – A backup/redundant path to a segment where another port of the
same bridge already connects. The backup port applies only when a single switch
has two links to the same segment (collision domain). To have two links to the
same collision domain, the switch must be attached to a hub.
Disabled port – Not strictly part of STP; a network administrator can manually
disable a port.
Suppose all the switches have the same bridge priority, so the switch with the
lowest MAC address becomes the root bridge -> Sw1 is the root bridge and
therefore all of its ports are designated ports (forwarding).
The two ports fa0/0 on Sw2 and Sw3 are closest to the root bridge (in terms of
path cost), so they become root ports.
On the segment between Sw2 and Sw3, because Sw2 has a lower MAC than Sw3 it
advertises the better BPDU on this segment -> fa0/1 of Sw2 is the designated
port and fa0/1 of Sw3 is the alternate port.
Now for the two ports connecting to the hub, we know that there is only one
designated port for each segment (notice that the two ports fa0/2 and fa0/3 of
Sw2 are on the same segment, as they are connected to a hub). The other port is
the backup port according to the definition of backup port above. But how does
Sw2 select its designated and backup port? The decision process compares the
following parameters carried inside the BPDU, in order: lowest path cost to the
root, lowest sender Bridge ID, lowest sender Port ID.
Both fa0/2 and fa0/3 of Sw2 have the same "path cost to the root" and "sender
Bridge ID", so the third parameter, "lowest Port ID", is used. Because fa0/2 has
the lower Port ID, Sw2 selects fa0/2 as its designated port and fa0/3 becomes
the backup port.
Note: Alternate and backup ports are in the discarding state.
* Discarding – the port does not forward frames, process received frames, or
learn MAC addresses, but it does listen for BPDUs (like the STP blocking state).
* Learning – receives and transmits BPDUs and learns MAC addresses but does
not yet forward frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC addresses,
receives and transmits BPDUs (same as STP).
Although the learning state is also used in RSTP, it only lasts a short time
compared with STP. RSTP converges with every port either in the forwarding
state or in the discarding state.
Note: RSTP is backward compatible with legacy STP 802.1D. If an RSTP-enabled
port receives a (legacy) 802.1D BPDU, it automatically configures itself to
behave like a legacy port and sends and receives 802.1D BPDUs only.
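The root-bridge election and tie-breaking rules from the STP section, and the root/designated/alternate/backup walkthrough just above, can be reproduced in a few dozen lines. The added example below (not from the original notes) elects the root from the extended-system-ID Bridge IDs, relaxes root path costs the way propagating BPDUs would, and assigns port roles per segment using the path cost, sender Bridge ID and Port ID tiebreakers. The switch MACs, port numbers and the hub segment are constructed to match the walkthrough; `with_rogue` adds an attacker bridge with priority 0 to show why Root Guard and BPDU Guard matter.

```python
"""Elect the STP/RSTP root bridge and assign port roles (root, designated,
alternate, backup) for the three-switch-plus-hub topology walked through
above, then show what a rogue bridge with priority 0 does to it.

Added example, not from the original notes. MAC addresses, port numbers
and the hub segment are constructed; the tie-breakers are path cost, then
sender Bridge ID, then sender Port ID.
"""
INF = float("inf")
PORT_PRIORITY = 128                      # default port priority
COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 1000: 4, 10000: 2}


def bridge_id(switch, vlan):
    """(priority + extended system ID, MAC): lower wins."""
    return (switch["priority"] + vlan, switch["mac"])


def port_id(port_num):
    return (PORT_PRIORITY, port_num)


def run_stp(switches, segments, vlan=1):
    """switches: {name: {"priority": int, "mac": str}}
    segments:  [{"mbps": int, "ports": [(switch, port_num), ...]}, ...]
    Returns (root, root path cost per switch, role per (switch, port))."""
    bid = {n: bridge_id(s, vlan) for n, s in switches.items()}
    root = min(bid, key=bid.get)
    rpc = {n: (0 if n == root else INF) for n in switches}
    root_port, best = {}, {}
    changed = True
    while changed:                        # iterate like BPDUs propagating
        changed = False
        for me in switches:
            if me == root:
                continue
            cands = []
            for seg in segments:
                mine = [p for s, p in seg["ports"] if s == me]
                others = [(s, p) for s, p in seg["ports"] if s != me and rpc[s] < INF]
                for s, p in others:
                    for my in mine:
                        # cost via this sender, sender BID, sender port, my port
                        cands.append((rpc[s] + COST[seg["mbps"]], bid[s],
                                      port_id(p), port_id(my), my))
            if cands and min(cands)[:4] != best.get(me):
                c = min(cands)
                best[me], rpc[me], root_port[me] = c[:4], c[0], c[4]
                changed = True
    roles = {}
    for seg in segments:
        designated = min(seg["ports"],
                         key=lambda sp: (rpc[sp[0]], bid[sp[0]], port_id(sp[1])))
        for s, p in seg["ports"]:
            if (s, p) == designated:
                roles[(s, p)] = "designated"
            elif root_port.get(s) == p:
                roles[(s, p)] = "root"
            elif designated[0] == s:
                roles[(s, p)] = "backup"      # my other port already serves it
            else:
                roles[(s, p)] = "alternate"   # another bridge serves it
    return root, rpc, roles


SWITCHES = {"Sw1": {"priority": 32768, "mac": "0000.0000.0001"},
            "Sw2": {"priority": 32768, "mac": "0000.0000.0002"},
            "Sw3": {"priority": 32768, "mac": "0000.0000.0003"}}
SEGMENTS = [{"mbps": 100, "ports": [("Sw1", 1), ("Sw2", 0)]},
            {"mbps": 100, "ports": [("Sw1", 2), ("Sw3", 0)]},
            {"mbps": 100, "ports": [("Sw2", 1), ("Sw3", 1)]},
            {"mbps": 100, "ports": [("Sw2", 2), ("Sw2", 3)]}]   # hub segment


def with_rogue():
    """Same topology plus an attacker bridge (priority 0) on Sw3 port 2."""
    switches = dict(SWITCHES, Rogue={"priority": 0, "mac": "0000.0000.00ff"})
    segments = SEGMENTS + [{"mbps": 100, "ports": [("Sw3", 2), ("Rogue", 0)]}]
    return run_stp(switches, segments)


if __name__ == "__main__":
    root, rpc, roles = run_stp(SWITCHES, SEGMENTS)
    print("root:", root, "path costs:", rpc)
    for port, role in sorted(roles.items()):
        print(f"  {port[0]} fa0/{port[1]}: {role}")
    print("with rogue bridge, root is:", with_rogue()[0])
```

For the constructed topology Sw1 is root, Sw2 and Sw3 reach it at cost 19 through fa0/0, Sw3 fa0/1 is alternate, and on the hub segment Sw2 fa0/2 is designated while fa0/3 is backup. Adding the priority-0 rogue makes it root immediately, which is exactly the takeover Root Guard (on designated ports) and BPDU Guard (on access ports) are meant to block.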
EIGRP
- Originally Cisco proprietary; the basic protocol was later published as an
informational RFC (RFC 7868), but it is still mainly found on Cisco equipment.
- Maximum hop count is 255 (100 by default).
- It is a classless protocol.
- EIGRP internal routes have an administrative distance of 90 and external
(redistributed) routes 170.
- An EIGRP summary route has an AD of 5.
- EIGRP routing information is exchanged between neighbors via multicast to
224.0.0.10 (unicast is used for retransmissions).
- Hello packets are sent every 5 seconds (60 seconds on low-speed NBMA links).
- Supports equal-cost and unequal-cost load balancing.
- K-values are used for calculating the metric. By default EIGRP uses only K1
(bandwidth) and K3 (delay).
- Auto-summarization at classful network boundaries was enabled by default on
older IOS releases, which made EIGRP behave like a classful protocol; the "no
auto-summary" command disables it. On current IOS releases it is disabled by
default.
- The "variance" command is used to configure unequal-cost load balancing. By
default EIGRP installs up to 4 equal-cost paths; the limit can be raised with
"maximum-paths" (up to 6 on older IOS, higher on newer platforms).
Successor
- The best path from the topology table is copied into the routing table.
- It is the best route used to forward packets to the destination network.
- Present in both the routing table and the topology table.
- The metric of the successor path is called the Feasible Distance (FD).
Feasible Successor
- A feasible successor is the second-best route to a destination network.
- It gives redundancy.
- It is considered a backup route.
- Present in the topology table only.
- Used immediately when the primary route (successor) goes down, without a query.
- A path qualifies as a feasible successor only if it meets the feasibility
condition: its Reported Distance (RD), also called Advertised Distance (AD),
must be lower than the successor's Feasible Distance. This guarantees the path
is loop-free.
Advertised distance: how far the destination is from your neighbor (the
neighbor's own metric to it).
Feasible distance: the total distance to the destination (advertised distance
plus the cost of the link to that neighbor).
Successor: the best path to the destination.
A Passive state indicates that a route is reachable and that EIGRP is fully
converged. A stable EIGRP network has all routes in the Passive state.
A route is placed in the Active state when the successor fails and no feasible
successor exists, forcing EIGRP to send out Query packets and re-converge.
Multiple routes in the Active state indicate an unstable EIGRP network. If a
feasible successor exists, a route should never enter the Active state.
Example (R1 to R5 across four hops with link costs 10, 20, 30 and 40):
Feasible Distance = 100 (10 + 20 + 30 + 40);
Advertised Distance = 90 (20 + 30 + 40), i.e. the distance reported by the next hop.
Verification
#show ip eigrp topology
Each path is shown as (FD/RD): the feasible distance via that neighbor and the
distance the neighbor reported.
By default EIGRP provides equal-cost load balancing across up to 4 paths.
The limit can be raised so that EIGRP load-balances across more paths (equal or
unequal cost), for example 6:
Command
#router eigrp 10
#maximum-paths 6
Equal-cost load balancing happens between routes that have the same metric;
RIPv2, OSPF and EIGRP all support this. Unequal-cost load balancing (for
example metrics 1000 and 1500) is only possible in EIGRP and must be enabled
manually with the "variance" command. The least-cost route (1000) is the
successor; a second path is used as well when its FD is less than variance
times the successor's FD and it satisfies the feasibility condition, so with
variance 2 both the 1000 and 1500 routes are installed and EIGRP
load-balances between them.
EIGRP Metrics
EIGRP can use 5 separate components to determine the best route to a destination:
1. Bandwidth (K1)
2. Load (K2)
3. Delay of the line (K3)
4. Reliability (K4)
5. MTU (K5)
K1 = Bandwidth: the lowest bandwidth along the path, in kbps.
K3 = Delay: the amount of time it takes to forward traffic, summed along the
path (default interface delays: Serial 20,000 microseconds, FastEthernet 100
microseconds, GigabitEthernet 10 microseconds).
K4 = Reliability: calculated from the status of the link, expressed between
1 and 255; 1 is least reliable, 255 is most reliable (default).
MTU is carried in updates but does not enter the metric calculation.
By default only bandwidth and delay (K1 and K3) are used for the metric
calculation, because reliability and load are variables that may change every
second, whereas bandwidth and delay are fixed values (once configured on the
interface they do not change).
With the default K values the metric is
256 * (10^7 / minimum bandwidth in kbps + sum of delays in tens of microseconds).
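The successor/feasible-successor rules and the metric formula above are easiest to trust once computed by hand. The added example below (not from the original notes) implements the composite metric with the K values, derives the (FD/RD) topology entries for three constructed paths, picks the successor and feasible successors with the feasibility condition, and shows which paths `variance` actually installs. The per-path bandwidth (kbps) and delay (microseconds) figures are constructed.

```python
"""EIGRP composite metric, successor / feasible successor selection and
variance-based unequal-cost load balancing, as described above.

Added example, not from the original notes. The three candidate paths
(bandwidth in kbps, delay in microseconds) are constructed.
"""
DEFAULT_K = (1, 0, 1, 0, 0)          # K1..K5: bandwidth and delay only


def composite_metric(min_bw_kbps, total_delay_us, load=1, reliability=255,
                     k=DEFAULT_K):
    """Classic EIGRP metric, integer arithmetic as IOS does it."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps                 # scaled inverse bandwidth
    delay = total_delay_us // 10              # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                               # reliability term only if K5 set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def topology_entries(paths):
    """For each path compute RD (what the neighbor reports) and FD (our
    total). paths: [{"via", "link_bw", "link_delay", "nbr_bw", "nbr_delay"}]."""
    entries = []
    for p in paths:
        rd = composite_metric(p["nbr_bw"], p["nbr_delay"])
        fd = composite_metric(min(p["link_bw"], p["nbr_bw"]),
                              p["link_delay"] + p["nbr_delay"])
        entries.append({"via": p["via"], "rd": rd, "fd": fd})
    return entries


def select(entries):
    """Successor = lowest FD. Feasible successors = other paths whose RD is
    lower than the successor's FD (feasibility condition, loop-free)."""
    successor = min(entries, key=lambda e: e["fd"])
    feasible = [e for e in entries
                if e is not successor and e["rd"] < successor["fd"]]
    return successor, feasible


def load_balance(entries, variance=1):
    """Paths installed with 'variance N': the successor plus every feasible
    successor whose FD is below N times the successor's FD."""
    successor, feasible = select(entries)
    limit = variance * successor["fd"]
    return [successor["via"]] + [e["via"] for e in feasible if e["fd"] < limit]


# Constructed: R1 reaches 10.0.0.0/24 via R2 (over a T1), via R3 and via R4.
PATHS = [
    {"via": "R2", "link_bw": 1544,   "link_delay": 20000, "nbr_bw": 100000, "nbr_delay": 100},
    {"via": "R3", "link_bw": 100000, "link_delay": 100,   "nbr_bw": 10000,  "nbr_delay": 1000},
    {"via": "R4", "link_bw": 100000, "link_delay": 100,   "nbr_bw": 5000,   "nbr_delay": 500},
]


def example():
    entries = topology_entries(PATHS)
    successor, feasible = select(entries)
    return {
        "entries": {e["via"]: (e["fd"], e["rd"]) for e in entries},   # as (FD/RD)
        "successor": successor["via"],
        "feasible_successors": [e["via"] for e in feasible],
        "variance_2": load_balance(entries, 2),
        "variance_8": load_balance(entries, 8),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The path via R3 wins (FD 284160). R2 is a feasible successor because its RD (28160) is below that FD even though its own FD (2172416) is far worse, so `variance 8` installs it; R4 is never installed, whatever the variance, because its RD (524800) fails the feasibility condition.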
OSPF
- Open Shortest Path First is a link-state routing protocol designed for larger
networks.
- OSPF forms neighbor relationships with adjacent routers in the same area.
- It advertises the status of directly connected links using Link-State
Advertisements (LSAs).
- LSAs are additionally refreshed every 30 minutes.
- OSPF traffic is multicast either to address 224.0.0.5 (all OSPF routers) or
224.0.0.6 (all designated routers).
- Uses the Dijkstra Shortest Path First algorithm to determine the shortest
path.
- OSPF routes have an administrative distance of 110.
- OSPF uses cost as its metric, which is computed from the bandwidth of the link.
- OSPF cost = reference bandwidth / link bandwidth. The reference bandwidth is
100 Mbps by default, so every link of 100 Mbps or faster gets cost 1 unless the
reference bandwidth is raised (auto-cost reference-bandwidth) consistently on
all routers.
Router ID
- It is used to provide a unique identity to the OSPF router.
- It can be set statically with the router-id command.
- If no OSPF router ID is configured, the highest IP address among the loopback
interfaces is selected.
- If there is no loopback, the highest IP address among the active physical
interfaces is selected.
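The added example below (not from the original notes) puts the three OSPF rules just described into code: router-ID selection in the stated order of precedence, the cost formula with its reference bandwidth, and a Dijkstra SPF run over a small link-state database built from constructed links. The topology is chosen so that the default 100 Mbps reference bandwidth prefers a two-hop FastEthernet path over a three-hop GigabitEthernet path, and raising the reference to 10 Gbps reverses that choice; router names, addresses and link speeds are constructed.

```python
"""OSPF router-ID selection, interface cost from the reference bandwidth,
and an SPF (Dijkstra) run over a small link-state database.

Added example, not from the original notes. Router names, interface
addresses and link speeds are constructed.
"""
import heapq


def router_id(configured=None, loopbacks=(), physical=()):
    """router-id command first, else highest loopback IP, else highest
    IP on an active physical interface."""
    def as_tuple(ip):
        return tuple(int(octet) for octet in ip.split("."))
    if configured:
        return configured
    for candidates in (loopbacks, physical):
        if candidates:
            return max(candidates, key=as_tuple)
    raise ValueError("no IP address available for the OSPF router ID")


def ospf_cost(link_bps, reference_bps=100_000_000):
    """cost = reference bandwidth / link bandwidth (integer, minimum 1).
    With the 100 Mbps default, FastEthernet and 10 GigE cost the same."""
    return max(1, reference_bps // link_bps)


def build_lsdb(links, reference_bps=100_000_000):
    """{router: [(neighbor, cost), ...]} from bidirectional links
    (a, b, bandwidth in bps): the type 1 LSA view of one area."""
    lsdb = {}
    for a, b, bps in links:
        cost = ospf_cost(bps, reference_bps)
        lsdb.setdefault(a, []).append((b, cost))
        lsdb.setdefault(b, []).append((a, cost))
    return lsdb


def spf(lsdb, source):
    """Dijkstra from `source`; returns {router: (total cost, path)}."""
    dist = {source: (0, [source])}
    heap = [(0, source)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, dist[node][1] + [nbr])
                heapq.heappush(heap, (new_cost, nbr))
    return dist


GIG, FAST = 1_000_000_000, 100_000_000
# Constructed area: a three-hop GigabitEthernet path and a two-hop
# FastEthernet path between R1 and R5.
LINKS = [("R1", "R2", GIG), ("R2", "R6", GIG), ("R6", "R5", GIG),
         ("R1", "R3", FAST), ("R3", "R5", FAST)]


def best_path_r1_r5(reference_bps):
    return spf(build_lsdb(LINKS, reference_bps), "R1")["R5"]


if __name__ == "__main__":
    print("router-id:", router_id(loopbacks=["10.255.0.9", "10.255.0.10"],
                                  physical=["192.168.1.1"]))
    print("default reference (100M):", best_path_r1_r5(100_000_000))
    print("reference 10G:           ", best_path_r1_r5(10_000_000_000))
```

With the default reference bandwidth the slower FastEthernet path wins at cost 2 (every link costs 1); with `auto-cost reference-bandwidth 10000` the Gigabit path costs 30 against 200 and is chosen, which is why the reference bandwidth must be changed on every router in the domain at once.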
AREA
An area is a logical grouping of routers.
Areas are needed once the organization has a large number of networks (200+ is
a common rule of thumb).
The problem in a single-area OSPF design is that all routers must maintain the
same link-state database. With a large common database, small routers (1800,
2500 series) do not have enough memory and CPU to hold the database and run SPF,
and there is a rule in OSPF that every router in an area must have an identical
database.
Tables
- Neighbor table – contains a list of all neighboring routers.
- Topology table (LSDB) – contains a list of all possible routes within an area.
- Routing table – contains the best route for each known network.
Types of Routers
Internal router (IR) – all OSPF interfaces belong to the same OSPF area.
Backbone router – at least one OSPF interface belongs to area 0 (the backbone area).
Area Border Router (ABR) – at least one OSPF interface belongs to area 0
(backbone area) and at least one OSPF interface belongs to a non-backbone
(non-area 0) area.
Autonomous System Boundary Router (ASBR) – an OSPF router that performs
route injection (redistribution) from another route source (RIP, EIGRP, IS-IS,
BGP, another OSPF process, etc.).
Packet Types
Hello – discovers neighbors and works as a keepalive.
Database Description (DBD) – contains a summary of the LSDB, including RIDs and
sequence numbers.
Link State Request (LSR) – requests a Link State Update (LSU) for specific LSAs.
Link State Update (LSU) – contains one or more complete LSAs.
Link State Acknowledgement (LSAck) – acknowledges all other OSPF packets
(except hellos).
States
There are 8 different OSPF states when forming neighbor relationships.
1. Down State: the first OSPF neighbor state. The OSPF process has started but
there is no communication yet; no hellos have been received.
2. Attempt State: only on non-broadcast (NBMA) networks; hellos are being sent
to a manually configured neighbor but none has been received yet.
3. Init State: a hello has been received from the neighbor, but it did not yet
list this router's Router ID in its neighbor field.
4. Two-way State
A hello is received from another router with this router's own RID in the
neighbor field. All other required elements match and the routers become
neighbors. On broadcast networks the DR/BDR election happens here.
5. Exstart State
The router and its neighbor establish a master/slave relationship and
determine the initial DBD sequence number for the exchange of database
description packets. The router with the highest Router ID becomes the master.
6. Exchange State
Routers exchange DBDs that describe their entire link-state database; a router
may also send link state request packets to ask for more recent LSAs.
7. Loading State
Routers compare the DBD to their LSDB. LSRs are sent out for missing or
outdated LSAs. Each router then responds to the LSRs with a Link State Update.
Finally, the LSUs are acknowledged.
8. Full State
The LSDB is completely synchronized with the OSPF neighbor. The routers are
fully adjacent. The adjacency appears in router LSAs and network LSAs.
LSDB Overload
In large OSPF networks, if major network changes occur, a flood of LSAs
immediately hits the entire network. The number of incoming LSAs at each router
can be substantial and bring its CPU and memory to their knees.
To mitigate that scenario, Cisco offers what it refers to as Link State Database
Overload Protection. Once enabled, if the defined threshold is exceeded over a
one-minute period, the router enters the ignore state – dropping all
adjacencies and clearing the OSPF database (configured under the OSPF process
with # max-lsa number).
OSPF Authentication
- Simple authentication (plaintext keys): the key travels in clear text in every
packet, so it only protects against accidental adjacencies, not against an
attacker on the segment.
- MD5 authentication: a keyed hash of each packet; prefer it over plaintext
(newer IOS releases also support HMAC-SHA through key chains).
Each OSPF router is identified by a unique Router ID, determined in one of
three ways: the configured router-id, otherwise the highest loopback address,
otherwise the highest active physical interface address.
Area Types
- Standard area
- Backbone area (area 0)
- Stub area
- Totally stubby area
- Not-so-stubby area (NSSA)
- Totally NSSA
- Standard areas can contain LSAs of type 1, 2, 3, 4 and 5, and may contain
an ASBR. The backbone is considered a standard area.
- Stub areas can contain type 1, 2 and 3 LSAs. A default route is substituted
for external routes.
- Totally stubby areas can only contain type 1 and 2 LSAs, and a single type 3
LSA. The type 3 LSA describes a default route, substituted for all external
and inter-area routes.
- Not-so-stubby areas implement stub or totally stubby functionality yet
contain an ASBR. Type 7 LSAs generated by the ASBR are converted to type
5 by ABRs to be flooded to the rest of the OSPF domain.
Network Types
- An OSPF router maintains a data structure for each OSPF-enabled interface.
- If the network type is changed, the hello and dead timers will be adjusted
accordingly.
- OSPF defines six network types
Broadcast Network
The default network type on Ethernet interfaces.
Will elect a DR and a BDR.
Uses the multicast MAC 224.0.0.5 (0100.5E00.0005) for All SPFRouters and
224.0.0.6 (0100.5E00.0006) for
All DRouters.
There is NO next-hop modification. The next-hop IP remains that of the
originating router.
Layer3 to layer2 resolution is required.
Broadcast networks can't have unicast neighbours configured.
10 hello / 40 dead-interval.
Non-Broadcast Network
Can connect more than two routers but has no native broadcast capability.
Non-Broadcast is the default network type on multipoint frame-relay interfaces,
e.g. a main interface.
OSPF routers on NBMA networks elect a DR and BDR, but all OSPF packets are
unicast between each manually specified neighbour with the "neighbour"
command.
The next-hop IP is not changed and remains the IP address of the originating
router.
The default priority is 1, and should be disabled (=0) on ALL SPOKES, to prevent a
spoke from becoming a blackhole DR/BDR.
30 hello / 120 dead-interval.
Point-to-Point Network
Default on T1, DS-3 and SONET links and on point-to-point sub-interfaces on
frame-relay.
Has no DR/BDR election; OSPF is configured as normal.
Uses the multicast destination to AllSPFRouters (224.0.0.5), except for
retransmitted LSAs, which are unicast.
The next-hop IP is that of the advertising router.
OSPF ignores subnet mask mismatch on point-to-point links.
10 hello / 40 dead-interval
Points to Remember:
R2 belongs to both Area 0 and Area 1. R5 belongs to both Area 0 and Area 2.
These routers are known as Area Border Routers (ABRs).
Area 0 is known as the Backbone Area. Every router which has an interface in Area 0
can be considered a Backbone Router. All other areas must have a connection to
Area 0 (directly, or via a virtual link). Without Area 0, routers can only function within
their own area.
OSPF has 11 LSA types (1 to 11), but some of them are not used, like Type 6
(Multicast LSA), Type 8 (used for BGP) and Types 9, 10 and 11 (Opaque LSAs).
Router link LSA (Type 1) – Each router generates a Type 1 LSA that lists its active
interfaces, IP addresses, neighbors and the cost to each. LSA Type 1 is only
flooded inside the router’s area, it does not cross ABR.
Network link LSA (Type 2) – is sent out by the designated router (DR) and lists all
the routers on the segment it is adjacent to. Type 2 LSAs are flooded within their
area only; they do not cross the ABR. Type 1 and type 2 are the basis of SPF path selection.
Summary link LSA (Type 3) – ABRs generate this LSA to send between areas (so
type 3 is called the inter-area link LSA). The ABR gathers the information it has
learned from one of its attached areas and summarizes it before sending it into
another area. Type 3 LSAs are injected by the ABR from the backbone area into
other areas and from other areas into the backbone area.
R3#
router ospf 1
redistribute eigrp 100 subnets
LSA Type 4 is used so routers in other areas can find the ASBR, since R1 and R2 are
in the same area (R1 already knows the router ID of R2 btw) there is no need to
install LSA type 4 in the LSDB of R1.
Multicast LSAs (Type 6) are specialized LSAs used in multicast OSPF
applications. Cisco does not support them.
NSSA External LSA (Type 7) – Generated by an ASBR inside a Not-So-Stubby Area
(NSSA) to describe routes redistributed into the NSSA; LSA 7 is translated into LSA
5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table
inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost
that includes the cost up to the ASBR.
LSA Type 8 (External attributes LSA for Border Gateway Protocol (BGP))
Used to work with BGP
Features:
∑ It is Open Standard
∑ Exterior Gateway Protocol
∑ It is the routing protocol we use to route between autonomous systems.
∑ It guarantees loop-free routing information.
∑ It avoids loops by being a path-vector routing protocol (BGP records the path
a route has taken as it enters each AS).
∑ It doesn't use metrics but a rich set of BGP attributes.
∑ It uses TCP port 179
∑ Administrative distance of EBGP is 20
∑ Administrative distance of IBGP is 200
∑ Authentication used in BGP is MD5
∑ Currently using BGP v4
∑ BGP saves paths to all destinations in a table called the forwarding table. The best
path from the forwarding table is saved in the routing table.
∑ Routers running BGP are termed BGP speakers.
∑ Its neighbors are called peers. Peers must be configured statically.
∑ It was built for reliability and control, not for speed.
∑ Once BGP peers form a neighbor relationship, they share their full routing
table. Afterwards, only changes to the routing table are forwarded to peers.
ASA
(ADAPTIVE SECURITY APPLIANCE)
Firewall & types of firewall
A firewall is a network security device used to secure the network. It permits
or denies traffic between an untrusted zone (the Internet) and a trusted zone (a
private or corporate network). By default all traffic is blocked by the firewall.
Type of Firewall
Packet Filtering Firewall
Application Gateway Firewall
Stateful Inspection
Context Types
System Context
Admin Context
User-defined Context
Active / Active for groups of context: Not supported in single context mode. Only
available in multiple context mode; Both ASAs forward at the same time by
splitting the context into logical failover groups.
Active-Active failover
Available in multiple context mode; both security appliances can pass network
traffic.
Configuration:
mac-address auto
Redundant Interface
interface redundant 1
member-interface g0/1
member-interface g0/2
nameif inside
no shut
ip address 10.1.1.1 255.255.255.0
Route tracking (SLA monitor) works by sending ICMP echoes to the ISP router, which
keeps replying to them. If the ISP router fails, it stops sending replies.
As a backup, we need to have ISP2 configured, and the ASA will automatically update
its routing table to use ISP2.
Syntax:
sla monitor <Number>
type echo protocol ipIcmpEcho <IP address> interface <interface name>
timeout <0-604800000> (in milliseconds)
frequency <1-604800> (in seconds)
sla monitor schedule <Number> start-time now life <Life seconds|forever>
track <1-500 Tracked object> rtr <Number> reachability
Configuration:
sla monitor 100
type echo protocol ipIcmpEcho 7.7.6.6 interface outside
timeout 100
frequency 1
sla monitor schedule 100 start-time now life forever
track 1 rtr 100 reachability
SSH:
ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# ssh <IP Address> <subnet mask> <Interface Name>
ASA(config)# username cisco password cisco
ASA(config)# aaa authentication ssh console LOCAL
HTTP:
ASA(config)# http server enable
ASA(config)# http <IP Address> <subnet mask> <Interface Name>
ASA(config)# aaa authentication http console LOCAL
Static Route
ASA(config)# route <Interface Name> <Dest Network> <Net Mask> <Next Hop Ip>
Default Route
ASA(config)# route <Interface-Name> 0.0.0.0 0.0.0.0 <Next Hop Ip>
EIGRP
router eigrp <AS>
network <____________> <Subnet Mask>
no auto-summary
OSPF
router ospf <process No.>
network <_________> <Subnet Mask>
EIGRP
authentication mode eigrp 100 md5
authentication key eigrp 100 cisco key-id 1
Bypass traffic through SAME SECURITY LEVEL
same-security-traffic permit inter-interface
Stateful Failover
∑ When a stateful failover is enabled, the active unit will continuously pass
per connection state information to the standby unit.
∑ When a failover occurs, the same connection information would be
available at the new active unit thus the failover happens seamlessly.
∑ Supported end user applications are not required to reconnect to keep the
same communication sessions
Failover Requirements
∑ Both ASA pairs should be the same model
∑ Both ASA should have the same number and type of interfaces
∑ Both ASA should have the same amount of RAM
∑ Should be in the same operating mode (Transparent/Router &
Single/Multiple)
∑ Major and Minor version of the OS should be same but patch no. can be
different
Failover Link
∑ Failover link is a link connecting between the ASA unit in failover pair.
∑ They constantly communicate over the failover link to determine the
operating state of each unit.
∑ They are NEVER a data link and will never participate in data traffic!
∑ Cisco recommends using a Switch between a failover link, to find out which
side is faulty if the failover connection is down.
Health Monitoring
Unit Monitoring: The failover link determines the health of the overall unit.
HELLO packets are sent over the failover link. Lack of three consecutive
HELLOs causes the ASA to send an additional HELLO packet out ALL data interfaces,
including the failover link.
Step 3 Copy the software to the standby unit. Use the same path as the active
unit
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asa901-smp-k8.bin disk0:/asa901-smp-k8.bin
Step 4 Copy ASDM image to the active ASA unit’s flash memory
ASA# copy tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin
Step 5 Copy ASDM image to the standby ASA unit; Use the same path as the
active unit
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin
Step 7 Verify current boot images configured. ASA uses these images in order.
To make the ASA boot to the new image, remove the existing entries and enter
the image URLs in the order desired.
asa(config)#show running-config boot system
Step 9 Set the ASA image to boot. Repeat command for backup images.
asa(config)#boot system disk0:/asa901-smp-k8.bin
asa(config)#boot system disk0:/asa861-smp-k8.bin
Step 10 Set the ASDM image to use. Only one can be configured.
asa(config)#asdm image disk0:/asdm-711.bin
Step 13 Force the active unit to fail over to the standby unit.
ASA# no failover active
Step 14 Reload the former active unit. Log into active unit
ASA# reload
Short:
∑ Load the image on both units' disk0:
∑ Change the boot variable
∑ Save the config with that change
∑ From the active unit, "failover reload-standby"
∑ Wait for successful reload and verify configuration is synced OK. You should
expect a message that mate software version is different.
∑ "no failover active" on active unit
∑ Log into newly active unit and "failover reload-standby"
∑ Wait for successful reload and verify configuration is synced OK. Both units
are now on 9.1(1)
How does a switch divert traffic to the standby ASA when the link to the active ASA is
down?
Switches only forward frames based on MAC address. The secondary ASA takes over
the MAC address of the failed ASA.
ASA 5505
Maximum throughput 150 Mbps
Maximum connections 10,000 (Security Plus -25,000)
Maximum connections/sec 4,000
Maximum 3DES/AES (VPN) throughput 100 Mbps
Maximum VPN sessions 10 (Security Plus -25)
Maximum SSL VPN sessions 25
Interface 8 Ethernet
ASA 5510
Maximum throughput 300 Mbps
Maximum connections 50,000 (Security Plus -130,000)
Maximum connections/sec 9,000
Maximum 3DES/AES (VPN) throughput 170 Mbps
Maximum VPN sessions 250
Maximum SSL VPN sessions 250
Interface 5 FastEthernet (2 Gigabit Ethernet + 3 Fast Ethernet)
ASA 5520
Maximum throughput 450 Mbps
Maximum connections 280,000
Maximum connections/sec 12,000
Maximum 3DES/AES (VPN) throughput 225 Mbps
Maximum VPN sessions 750
Maximum SSL VPN sessions 750
Interface 4 Gigabit Ethernet + 1 Fast Ethernet
ASA 5540
Maximum throughput 650 Mbps
Maximum connections 400,000
Maximum connections/sec 25,000
Maximum 3DES/AES (VPN) throughput 325 Mbps
Maximum VPN sessions 5,000
Maximum SSL VPN sessions 2,500
Interface 4 Gigabit Ethernet + 1 Fast Ethernet
ASA 5550
Maximum throughput 1.2 Gbps
Maximum connections 650,000
Maximum connections/sec 36,000
Maximum 3DES/AES throughput 425 Mbps
Maximum VPN sessions 5,000
Maximum SSL VPN sessions 5,000
Interface 8 Gigabit Ethernet + 1 Fast Ethernet
ASA 5580
Maximum throughput 10 Gbps
Maximum connections 2,000,000
Maximum connections/sec 150,000
Maximum 3DES/AES throughput 1 Gbps
Maximum VPN sessions 10,000
Maximum SSL VPN sessions 10,000
NAT ASA
Static NAT
Static PAT
Dynamic NAT
Dynamic PAT
Bypass NAT
- Identity NAT (nat 0)
- Static Identity NAT
- NAT Exemption
Policy NAT
- Static policy NAT
- Dynamic Policy NAT
Static NAT
static (inside,outside) <Mapped IP> <Real IP> netmask <Subnet Mask>
static (inside,outside) 5.5.5.5 10.1.1.1 netmask 255.255.255.255
Static PAT
static (inside,outside) <tcp|udp> <Mapped_IP> <Map_port> <real_IP> <real_port> netmask <mask>
static (inside,outside) tcp 5.5.5.5 telnet 10.1.1.1 telnet netmask 255.255.255.255
DYNAMIC NAT
nat (interface) <nat_id> <Network ID> <Subnet Mask>
global (interface) <nat_id> <StartIP>-<EndIP> netmask <Subnet Mask>
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 5.5.5.1-5.5.5.3 netmask 255.255.255.0
Dynamic PAT
nat (inside) 1 2.2.2.0 255.255.255.0
global (outside) 1 interface
(or, to PAT onto a specific address instead of the interface address:)
global (outside) 1 20.1.1.1
NAT BYPASS
Identity NAT
nat (interface) 0 <network> <mask>
nat (inside) 0 1.1.1.0 255.255.255.0
Step 1: enable
crypto isakmp enable outside
Types of Attack
∑ Cryptographic Attacks
∑ Injection Attacks
∑ Privilege escalation
∑ Phishing
∑ DoS
∑ Spoofing
∑ Malwares
Dictionary attack
This type of attack uses a dictionary of common words to find out the password of
a user. It can also use common words in either upper or lower case to find a
password. There are many programs available on the Internet to automate and
execute dictionary attacks.
Man in the middle attack
Occurs when an attacker successfully inserts intermediary software or a program
between two communicating systems.
Phishing
ó Phishing is a type of deception designed to steal your valuable personal
data, such as credit card numbers, passwords, account data, or other
information.
ó Con artists might send millions of fraudulent e-mail messages that appear
to come from Web sites you trust, like your bank or credit card Company,
and request that you provide personal information.
DoS attack
ó It is also known as “network saturation attack” or “bandwidth consumption
attack”.
ó Attackers make Denial-of-Service attacks by sending a large number of
protocol packets to a network.
PING flood
ó It relies on the ICMP echo request, more popularly known as ping.
ó In legitimate situations the ping command is used by network
administrators to test connectivity between two computers.
ó In a ping flood attack, it is used to send large numbers of packets to
the victim's computer in an attempt to overload it.
Ping of death
ó The maximum size of an IP packet is 65,535 bytes. If a packet larger than that is
sent, the receiving computer may ultimately crash while trying to handle it.
ó Sending a ping of this size is against the rules of the TCP/IP protocol, but
attackers can get around this by sending the packet in fragments. When
the fragments are reassembled on the receiving computer, the overall packet
size is too great. This causes a buffer overflow and crashes the device.
Teardrop attack
ó Teardrop attacks exploit the reassembly of fragmented IP packets.
Fragment offset indicates the starting position of the data contained in a
fragmented packet relative to the data of the original unfragmented
packet.
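A defender-side check for the two fragment abuses just described (ping of death and teardrop), added here as an example and not part of the original notes: given the fragments of one datagram, it flags a reassembly that would exceed 65,535 bytes and fragments whose offsets overlap. The fragment sets are constructed inline.

```python
"""Fragment reassembly sanity check (added example, not from the original notes).

Models the two abuses described above: a 'ping of death' whose fragments
reassemble to more than 65,535 bytes, and a 'teardrop' whose fragment offsets
overlap. Offsets are in 8-byte units, as in the IPv4 header.
"""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # maximum total length of an IPv4 datagram in bytes


@dataclass(frozen=True)
class Fragment:
    offset: int      # fragment offset field, in units of 8 bytes
    length: int      # payload bytes carried by this fragment
    more: bool       # "more fragments" (MF) flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def check_fragments(frags, header_len=20):
    """Return a list of problem strings for one fragmented datagram.

    An empty list means the fragment set looks sane. Checks performed:
    - oversize:   IP header + reassembled payload would exceed 65,535 bytes
    - overlap:    a fragment re-covers bytes already claimed by an earlier one
    - incomplete: the last fragment still has the MF flag set
    """
    if not frags:
        return ["no fragments"]
    problems = []
    ordered = sorted(frags, key=lambda f: f.start)
    # The furthest byte any fragment reaches is the reassembled payload length.
    total = max(f.end for f in ordered) + header_len
    if total > MAX_IP_DATAGRAM:
        problems.append(f"oversize: reassembled {total} bytes > {MAX_IP_DATAGRAM}")
    # Each fragment must begin at or after the point already covered.
    covered_to = 0
    for f in ordered:
        if f.start < covered_to:
            problems.append(f"overlap: fragment at {f.start} overlaps up to {covered_to}")
        covered_to = max(covered_to, f.end)
    if ordered[-1].more:
        problems.append("incomplete: last fragment has MF set")
    return problems


# Constructed sample fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
# Ping of death: last fragment at offset 8189 (byte 65,512) carrying 100 more bytes.
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8189, 100, False)]
# Teardrop: the second fragment claims to start inside the first one.
TEARDROP = [Fragment(0, 400, True), Fragment(20, 400, False)]
```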
Smurf attack
ó The attacker sends a large amount of ICMP traffic to a broadcast address
and uses a victim’s IP address as the source IP so the replies from all the
devices that respond to the broadcast address will flood the victim.
Spoofing
ó Spoofing is a technique that makes a transmission appear to have come
from an authentic source by forging the IP address.
ó In IP spoofing, a hacker modifies packet headers to use someone else's IP
address in order to hide his identity.
VPN
VPN:
A VPN connection is the extension of a private network that includes links across shared
or public networks, such as the Internet. VPN connections (VPNs) enable organizations to send
data between two computers across the Internet in a manner that emulates the properties of a
point-to-point private link.
Types of VPN
1. Site-To-Site VPN- Between two Branches
2. Remote-Access VPN- Accessing or forming VPN from Remote Locations.
-> 5th: SSK (Shared Secret Key) is generated; the Pre-Shared Key (PSK) is encrypted with
the SSK
<- 6th: Pre-Shared Key (PSK)
Main Mode
MM_NO_STATE There is an ISAKMP SA, but none of the parameters have been
negotiated yet.
MM_SA_SETUP The devices have negotiated a set of parameters for the SA, but
have not yet exchanged any key information.
Aggressive Mode
AG_NO_STATE There is an ISAKMP SA, but none of the parameters have been
negotiated yet.
Quick Mode
QM_IDLE The SA is authenticated and ready for use.
Troubleshooting
MM_NO_STATE - Policy mismatch
MM_KEY_EXCH - DH-Key Mismatch
QM_Idle but Phase 2 tunnel not formed - Policy mismatch in Phase 2 (Transform-
set)
SSL is more widely used than IPsec because it is easy to implement, but it is less secure
than IPsec. It is widely supported, being openly supported by a lot of vendors.
IPsec is a L3 VPN, because it protects the packet from Layer 3 (IP
address) onwards.
SSL VPN
SSL VPN is a L7 VPN, because encryption happens at Layer 7;
TCP port 443 (HTTPS).
SSL Handshake
In a remote access VPN the client always initiates the connection;
1. Client Hello
2. Server Hello
3. PKI Certificate
4. Server Hello Done
5. Pre_Master Key
6. Change CIPHER Suite
7. Client handshake Done
8. Change CIPHER Suite
9. Server Handshake Done
Quick Overview:
The 1st packet originates from the client: a Client Hello with all the policies.
2nd packet: the server replies with its own Hello, the Server Hello.
3rd packet: the server sends its certificate (public key); sometimes it may also ask for a
certificate from the client.
Clientless: a way to configure the VPN where the client doesn't have to do
anything; all the client requires to connect to the VPN gateway is a
browser. It doesn't support all protocols, so it won't give the flexibility of an IPsec
VPN, but it is easier on the client, and we can send traffic like HTTP and FTP through
that SSL VPN (HTTPS, FTPS). L4-L7
Thin Client: a Java-based application with which we can extend the scope of
supported protocols. Telnet, SMTP, and all the protocols that use a well-known port
can be used. It gives very good flexibility. L4-L7
Thick Client: gives complete control, just like an IPsec VPN. It protects from
Layer 3 onwards and gives full control over private IPs, public IPs, etc.
Domain name: on a router, every domain has a different SSL VPN
page; admin, sales and marketing each have a separate page, and the users
are different too.
Username and password will be stored in Lightweight Directory Access Protocol
(LDAP) AAA server;
Handshake is done when we open the page.
1.
webvpn gateway ROB
ip address 150.1.20.2 port 443
inservice
2.
username Gdwn@Admin password cisco
username Rob@Sales password cisco
aaa new-model
aaa authentication login Paris local
3.
webvpn context Admin-context
!
policy group Admin-Policy
functions file-access
functions file-browse
default-group-policy Admin-Policy
aaa authentication list Paris
aaa authentication domain @Admin
gateway ROB domain Admin
inservice
Backup of Configs
∑ #copy startup-config TFTP
Restore Configs
∑ # copy TFTP running-config
With the show version or show flash command we can see the router's IOS file.
R1#show version
R1#show flash
Then copy the startup-config file to tftp server machine so that we can get it
back from there whenever we need.
R1#copy startup-config tftp
Address or name of remote host []? 1.0.0.2
Destination filename [R1-confg]? R1-config
R1#reload
Router(config)#int fa0/0
Router(config-if)#ip address 1.0.0.1 255.0.0.0
Router(config-if)#no shut
Now the router boots without any password and enters setup mode.
Router>enable
Router#copy startup-config running-config
(very important if we don't want to lose the configuration stored in NVRAM)
Router(config)#config-register 0x2102
Router#write
Router#reload
First Hop Redundancy Protocols (Gateway Redundancy Protocol: HSRP, VRRP,
GLBP)
Feature        | HSRP                          | VRRP                          | GLBP
Scope          | Cisco proprietary             | IEEE standard                 | Cisco proprietary
Load Balancing | No                            | No                            | Yes
Multicast      | 224.0.0.2                     | 224.0.0.18                    | 224.0.0.102
Port Number    | UDP 1985                      | UDP 112                       | UDP 3222
Timers         | Hello 3 sec, Hold 10 sec      | Advertisement 1 sec,          | Hello 3 sec, Hold 10 sec
               |                               | Downtime 3 x Advertisement    |
Election       | Active router:                | Master router:                | Active Virtual Gateway:
               | 1. Highest priority           | 1. Highest priority           | 1. Highest priority
               | 2. Highest IP address         | 2. Highest IP address         | 2. Highest IP address
Router Roles   | Active, Standby, Listening    | Master, Backup                | Active Virtual Forwarder (AVF),
               |                               |                               | Secondary Virtual Forwarder (SVF)
States         | Disabled, Initial, Learn,     |                               |
               | Listen, Speak, Standby, Active|                               |
Preempt        | Disabled by default           | Enabled by default            | Disabled by default
Virtual MAC    | 0000.0c07.acxx                | 0000.5e00.01xx                | 0007.b4xx.xxxx

Preempt in detail:
HSRP: preempt is disabled by default. If the Active router (highest priority) goes down
and comes up again, preempt must be configured for it to become the Active router again.
VRRP: preempt is ON by default. If the Master router goes down and comes up again, it
automatically becomes the Master router again.
GLBP: preempt is disabled by default. If the Active router (highest priority) goes down
and comes up again, preempt must be configured for it to become the Active router again.
Configuration
SSL VPN
SSL (Secure Sockets Layer) is a standard security technology for establishing an
encrypted link between a server and a client—typically a web server (website)
and a browser
How does it work?
A consumer's browser begins the SSL handshake process by requesting a secure
Web page using the HTTPS protocol (port 443).
2. Server Hello
The server accepts the Client Hello and chooses the highest version it supports among
those the client supports: if the client supports 1.0 and 1.2 and the server only
has 1.0, they both go down to 1.0; they choose whichever is the highest version
compatible between them. The server replies with e.g. [3DES, SHA], [TLS v1.0].
Brief
1. Client Hello
This initiates a secure session with the website by sending a Client Hello message
to the Web server. The Client Hello message contains information about which
encryption and compression algorithms the browser supports;
2. Server Hello
The Web server responds with a Server Hello message, which also includes
information about supported algorithms; The Web server chooses the strongest
cipher that both the browser and server support.
3. The Web server then sends a Server Hello Done message indicating that it is
finished and awaiting a response from the browser.
Once the browser receives the server's message, it checks the certificate against a
list of known Certificate Authorities to ensure the certificate is valid. The server's
certificate contains its public key and the name of the server, which must match
the name of the server the browser requested. For example, if the user typed the
URL "https://www.secureserver.com" in the browser, the certificate should
contain a subject name of "www.secureserver.com" or "*.secureserver.com."
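The name check described above, written out as an added example that is not part of the original notes: a certificate name such as "www.secureserver.com" or "*.secureserver.com" is matched against the host the browser requested. It assumes a conservative reading of the RFC 6125 rules (case-insensitive comparison, a wildcard only as the whole left-most label covering exactly one label, never the bare domain); the certificate names are constructed for the example.

```python
"""Certificate name vs. requested host name (added example, not the notes' code).

The browser requested https://www.secureserver.com, so the certificate must
carry "www.secureserver.com" or the wildcard "*.secureserver.com". Rules applied
(a conservative reading of RFC 6125): case-insensitive comparison, a wildcard
only as the entire left-most label, matching exactly one label, and never the
bare domain itself.
"""


def hostname_matches(cert_name: str, requested: str) -> bool:
    """Return True if a single certificate name covers the requested host."""
    cert_name = cert_name.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == requested
    cert_labels = cert_name.split(".")
    host_labels = requested.split(".")
    # Wildcard only as the whole left-most label, with at least two labels
    # after it (so "*.com" is rejected) and no further wildcards.
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    if len(host_labels) != len(cert_labels):
        return False          # "*" covers exactly one label, not zero or several
    return cert_labels[1:] == host_labels[1:]


def certificate_covers(requested: str, names) -> bool:
    """True if any of a certificate's names (CN plus subjectAltName DNS
    entries) matches the requested host."""
    return any(hostname_matches(n, requested) for n in names)


# Constructed certificate names for the example in the text.
SECURESERVER_NAMES = ["www.secureserver.com", "*.secureserver.com"]
```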
The SSL handshake process securely exchanges data that is then used by both the
client and the server to calculate a Master Secret key. Because both the server
and the client can calculate the Master Secret key, it does not need to be
exchanged. The server can now respond to the browser with a request to begin
communicating using the established keys and parameters. Thus, by combining
SSL with a Web server's digital certificate, a consumer can establish a secure
connection to a website without having to pass secret encryption keys in the
clear.
CP
(CHECKPOINT FIREWALL)
Check Point Firewall
This is a software firewall and one of the earliest firewalls to use Stateful
inspection.
Firewall Models
∑ Single Gateway product
∑ Enterprise Gateway product (Distributed Setup)
Rules
∑ Stealth Rule
∑ Cleanup Rule
Stealth Rule
Cleanup Rule
NAT
∑ Hide NAT
∑ Static NAT
NAT
Hide NAT
LAN_Network Object is created
Add 2 Rules
Name | Source      | Dst | VPN         | Service  | Action | Track | Install On | Time
Hide | LAN_Network | Any | Any Traffic | Any      | Accept | Log   | Gateway    |
Hide | Any         | Any | Any Traffic | TCP http | Accept | Log   | Gateway    |
Policy
∑ Install
Static NAT
Two nodes
1. Available public IP Address
2. Internal private IP of the Server
1. Network Objects
∑ Nodes
Node
Host
2. Network Objects
∑ Nodes
Node
Host
Add 2 Rules
Name   | Source            | Dst              | VPN | Service | Action | Track | Install On
Static | Private_Server_IP | Any              | Any | Any     | Accept | Log   | Gateway
Static | Any               | Public_Server_IP | Any | Any     | Accept | Log   | Gateway
User Authentication
1. Checkpoint Password
2. OS password
3. RADIUS
4. TACACS
5. SecurID
Types of Clusters
∑ HIGH AVAILABILITY
∑ LOAD BALANCING
Checkpoint
∑ Installation
∑ Install Secure Platform on the Branch Gateway
∑ Perform Backup and restore
∑ Configuring DMZ
∑ Configuring NAT
∑ Monitoring with Smartview Tracker
∑ Client Authentication
∑ Identity Awareness
∑ Site-to-Site VPN between Corporate and Branch Office
SIC Reset
cpfw[admin]# cpconfig
Snapshot
[Expert@cpModule]# snapshot
[Expert@cpModule]# revert
CPBackup
[Expert@cpModule]# backup
[Expert@cpModule]# restore
Upgrade_Tools
cd $FWDIR/bin/upgrade_tools
Processes
CPD – CPD is high in the hierarchical chain and helps to execute many services,
such as Secure Internal Communication (SIC), licensing and status reporting.
FWM – The FWM process is responsible for the execution of the database
activities of the SmartCenter server. It is, therefore, responsible for Policy
installation, Management High Availability (HA) synchronization, saving the
Policy, database read/write actions, log display, etc.
cpstart/cpstop utilities : Allow you to stop and start Check Point component
services.
Check Point registry : Common cross-platform registry for Check Point and
OPSEC products.
Check Point daemon (cpd): Cross-platform manager for all Check Point internal
communications.
OPSEC
OPSEC stands for Open Platform for Security, which is designed to extend the SVN
framework to include third-party products and services
AntiSpoofing
Anti-spoofing is a security feature that enables a firewall to determine whether
traffic is legitimate or if it is being used for malicious purposes.
EX: If the firewall is configured that the 192.168.1.1 address is an internal network
address, the firewall can drop the traffic, because there is no legitimate reason
why any traffic received on the Internet interface should contain a source IP
address of an internal system. Any traffic containing a source IP address of an
internal system should only ever be received on the internal interface.
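The anti-spoofing decision described above, as an added example (not Check Point code): each interface's topology lists the source networks that may legitimately arrive on it, and a packet claiming an internal source such as 192.168.1.1 but arriving on the Internet interface is dropped. The same check covers the spoofed-source case of the Smurf and IP-spoofing sections earlier. Interface names and the topology are constructed for the example.

```python
"""Check Point-style anti-spoofing check (added example, not Check Point code).

An interface's topology declares which source networks may legitimately arrive
on it. A packet whose source belongs to the internal network but arrives on the
Internet-facing interface is spoofed and is dropped, as the notes describe for
192.168.1.1. Interface names and networks below are constructed.
"""
import ipaddress

# Constructed topology: interface -> networks allowed as *source* behind it.
# The external interface carries everything not claimed by another interface.
TOPOLOGY = {
    "eth1_internal": [ipaddress.ip_network("192.168.1.0/24")],
    "eth2_dmz": [ipaddress.ip_network("10.10.10.0/24")],
    "eth0_external": "any_other",
}


def _claimed_networks(topology):
    """(interface, network) pairs for every non-external interface."""
    pairs = []
    for iface, scope in topology.items():
        if scope != "any_other":
            pairs.extend((iface, net) for net in scope)
    return pairs


def antispoof_verdict(ingress_iface, src_ip, topology=TOPOLOGY):
    """Return ('accept', reason) or ('drop', reason) for one inbound packet."""
    src = ipaddress.ip_address(src_ip)
    if ingress_iface not in topology:
        return ("drop", f"unknown interface {ingress_iface}")
    scope = topology[ingress_iface]
    # Interfaces that legitimately own this source address, if any.
    owners = [iface for iface, net in _claimed_networks(topology) if src in net]
    if scope == "any_other":
        # External interface: any source is fine unless it belongs to an
        # internal or DMZ network, which can never arrive from the Internet.
        if owners:
            return ("drop", f"{src} belongs to {owners[0]} but arrived on {ingress_iface}")
        return ("accept", "external source on external interface")
    # Internal/DMZ interface: the source must lie inside that interface's networks.
    if any(src in net for net in scope):
        return ("accept", f"{src} is behind {ingress_iface}")
    return ("drop", f"{src} is not behind {ingress_iface}")
```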
cpstart The cpstart CLI utility starts all the Check Point applications installed on a
machine, excluding the cprid daemon, which is started separately during machine
boot up. In a VPN-1/FireWall-1 installation, this starts the VPN-1/ FireWall-1
components, as well as the SVN foundation.
fwstart The fwstart CLI utility starts all VPN-1/FireWall-1 components installed on
a machine. VPN-1/FireWall-1 components including the enforcement module
(fwd), the SmartCenter server (fwm), the VPN-1/FireWall-1 NG SNMP daemon
(snmpd), and authentication daemons (such as in.httpd, which is used to provide
an HTTP application-layer gateway daemon for authenticating HTTP access).
cplic print The cplic print CLI utility prints information about Check Point product
licenses.
fwm load The fwm load CLI utility instructs a SmartCenter server to install the
current security policy to one or more enforcement modules. This command has
the following syntax: fwm load [filter-file | rule-base] targets
fwm unload The fwm unload CLI utility instructs a SmartCenter server to uninstall
the current security policy from one or more enforcement modules. This
command has the following syntax: fwm unload targets
What is a Default rule?
The default (implicit) rule is "any, drop, do not log": traffic that matches no
explicit rule is dropped without being logged.
Firewall Clustering
A cluster is a group of devices and other resources that act like a single device and
enable high availability and load balancing.
High Availability
Active-Standby
It gives us the Redundancy, if one device fails other device comes up.
Load Balancing
Active-Active
Both the devices up and they will share the data
Site-to-Site
∑ VPN Domain
∑ VPN Community
∑ Creating VPN Rule
∑ Troubleshooting a VPN
4 Steps
1. Create objects for the network or gateway
2. Configure the VPN Community
3. Defining VPN Domains
4. Finishing the VPN Configuration
1. Create 2 Objects
1. Local LAN 2. Remote LAN
Name: Local_LAN Name: Remote_LAN
IPV4 Address: 10.10.1.0 IPV4 Address: 10.10.2.0
Net Mask: 255.255.255.0 Net Mask: 255.255.255.0
Network Objects
Others
Externally Managed VPN Gateway
Local LAN Remote LAN
General Properties General Properties
Name: Local_Firewall Name: Remote_Firewall
IP Address: 192.168.0.10 IP AddresS: 192.168.0.11
Platform: Gaia Platform: Gaia
OK OK
VPN Community
∑ Meshed
General
∑ Name: Site-to-Site
Participating Gateways
∑ Add
Encryption
∑ Encryption Method
∑ IKEv1 Only
Encryption Suite
∑ Custom
Phase 1 Properties
∑ Encryption AES-256
∑ Data integrity: SHA1
Phase 2 Properties
∑ Encryption: AES-128
∑ Data integrity: SHA1
Tunnel Management
∑ On all Tunnels in the community
∑ VPN Tunnel Sharing
∑ One VPN tunnel per subnet pair
Shared Secret
∑ Enter Secret: Checkpoint
IPSec Phase 2
∑ Regenerate IPSec security association 3600 Seconds
NAT
∑ Disable NAT inside the VPN community
OK
Rule Tab
∑ Add Rule
∑ Top
Clustering on the SPLAT Firewall Modules can be enabled by two ways as shown
below,
At the Initial Setup in CLI wizard
Login to Firewall SPLAT CLI, run the command cpconfig. Under the menu options,
select option 6
[FW-2]# cpconfig
(6) Enable cluster membership for this gateway
To proceed with Configuration, connect to the Management Server (Smartcenter
Server) as an Administrator
Once done with the above wizard setup, both the firewalls will be listed under
the Cluster object container. Right click on the cluster object and click on edit
Make sure that clusterXL is enabled, and in this example we also uncheck IPSec
VPN and IPS software blades
Cluster Members option will list the existing members of the cluster. The
priority of a member can be increased or decreased if required
Under the Topology container, click on Edit Topology and add interfaces for
the Cluster object. One internal and one external interface have to be added for
the cluster object. Their IPs are referred to as the Internal VIP and External VIP.
Specify the Internal VIP details
Write the Firewall rules by specifying the cluster object as shown below
Make sure the Gateway for the LAN Network machines is the Internal VIP of the
Cluster.
Once the setup is complete, you should be able to ping out to router’s interface
through Firewall Cluster
Firewall clustering can also be setup in the Load sharing mode wherein both the
Firewalls will be in Active state.
Login to Smartview Monitor to verify the Cluster Configuration
COMMAND FOR CLI R76 and R75
1. comp_init_policy : this command generates and loads, or removes, the initial
policy. The initial policy offers protection to the gateway before the
administrator has installed a policy on the gateway.
$FWDIR/bin/comp_init_policy [-u] [-g]
comp_init_policy -g
-u : removes the current initial policy and ensures that it will not be
generated in future when cpconfig is run.
-g : generates the initial policy; can be used if there is no initial policy. If there
is one, run it only after removing the existing policy.
2. cp_admin_convert : automatically exports the administrator definitions
that are configured in SmartDashboard.
3. cpca_client : this command executes operations on the ICA (Internal Certificate
Authority). E.g.: cpca_client revoke_cert, cpca_client iscert.
cp_conf admin : manage Check Point system administrators for the Security
Management Server.
cp_conf admin get # Get the list of administrators.
cp_conf admin add <user> <pass> {a|w|r}
cp_conf admin del
cp_conf lic: shows the installed licenses and lets you manually add new ones.
> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>
cp_conf client: manage the GUI clients that can use SmartConsoles to connect to
the Security Management Server.
cpinfo: a utility that collects data about the machine at the time it is run.
The cpinfo output file lets Check Point support engineers analyze a setup from
a remote location: they can open the cpinfo file in demo mode and view the
real Security Policies and objects, which allows in-depth analysis of all
configuration options and environment settings.
cpridrestart: stops and starts the Check Point Remote Installation Daemon.
cpridstart: starts the Check Point Remote Installation Daemon. This is the
service that allows remote upgrade and installation of products.
cpridstop: stops the Check Point Remote Installation Daemon.
cprinstall: performs remote installation of product packages and associated
operations.
On the remote Check Point gateways the following are required:
Trust must be established between the Security Management server and the
Check Point gateway.
cpd must run.
cprid remote installation daemon must run.
cpstart: starts all Check Point processes and applications running on an
appliance or server.
cpstat: displays the status of Check Point applications, either on the local
or on another appliance or server, in various formats.
cpstop: terminates all Check Point processes and applications running on an
appliance or server.
cpwd_admin: cpwd (also known as WatchDog) is a process that invokes and
monitors critical processes such as the Check Point daemons on the local
machine, and attempts to restart them if they fail. Among the processes
monitored by WatchDog are cpd, fwd and fwm.
fwd does not run on a Security Management Only machine. To work with fwd on
a Security Management Only machine, add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In
addition, monitoring information is written to the console on UNIX platforms
and to the Windows Event Viewer. The cpwd_admin utility shows the status of
processes and configures cpwd.
cpwd_admin start: start a new process under cpwd.
cpwd_admin stop: stop a process that is being monitored by cpwd.
cpwd_admin list: print the status of the processes being monitored by cpwd.
disconnect_client: SmartDashboard can connect to a Security Management
Server in one of these modes:
Read/Write - administrators have full permissions to create or change all
objects, settings and policies.
Read Only - administrators can see all objects, settings and policies, but
cannot add, change or delete them.
Only one administrator at a time can use SmartDashboard to connect to a
Security Management Server in Read/Write mode. While an administrator is
connected in Read/Write mode, other administrators cannot:
Connect to the same management server in Read/Write mode
Create or change objects, settings and policies
Back up the management server database
Install a Security Policy
disconnect_client is the command line utility used to disconnect another
SmartDashboard client that is open in Read/Write mode.
dbedit: edits the objects file on the Security Management Server. Editing the
objects.C file on the gateway is neither required nor desirable, since it is
overwritten the next time a policy is installed.
dbver: the dbver utility exports and imports different revisions of the
database. The properties of the revisions (time created, administrator
responsible, etc.) can be reviewed. The utility is in $FWDIR/bin; run these
commands from Expert mode.
dbver create: create a revision from the current state of $FWDIR/conf,
including current objects, rule bases, and so on.
Syntax
dbver> create <version_name> <version_comment>
dbver export: archive the revision as an archive file in the revisions
repository, $FWDIR/conf/db_versions/export.
Syntax
dbver> export <version_numbers> <delete|keep>
dbver print_all: print the properties of all revisions found on the server
side, $FWDIR/conf/db_versions.
Syntax
dbver> print_all
fw: All fw commands are executed on the Check Point Security Gateway. Typing
fw at the command prompt sends a list of available fw commands to the standard
output.
Syntax
> fw
fw -i: generally, when Security Gateway commands are executed on a gateway
they relate to the gateway as a whole rather than to an individual CoreXL
kernel instance. For example, fw tab views or edits a single table of
information aggregated for all kernel instances. Adding -i <kern> directly
after fw, where <kern> is the kernel instance number, makes the command apply
to that individual kernel instance.
fw ctl Description The fw ctl command controls the Firewall kernel module.
Syntax
fw ctl {install|uninstall}
fw ctl debug [-m <module>] [+|-] {options | all | 0}
fw ctl debug -buf [buffer size]
fw ctl kdebug
fw ctl pstat [-h][-k][-s][-n][-l]
fw ctl iflist
fw ctl arp [-n]
fw ctl block {on|off}
fw ctl chain
fw ctl conn
fw ctl debug
Description: generate debug messages to a buffer.
Syntax: a number of debug options are available:
fw ctl debug -buf [buffer size]: allocates a buffer of <buffer size> KB
(default 128) and starts collecting messages there.
fw ctl debug [-m <module>] [+ | -] {options|all|0}: specifies the Security
Gateway module to debug and the flags to turn on (+) or off (-).
fw ctl debug 0: returns all flags in all modules to their default values and
releases the debug buffer (if there was one).
fw ctl debug [-d <comma separated list of strings>]: only lines containing
these strings are included in the output.
fw ctl debug [-d <comma separated list of ^strings>]: lines containing these
strings are omitted from the output.
fw ctl debug [-s <string>]
fw ctl debug -h
fw ctl debug –x
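The fw ctl debug options above are normally run as one sequence: clear any stale flags, size the buffer, turn on the flags for one module, read the buffer out with fw ctl kdebug, and, above all, turn the debug off again, because a kernel debug left running costs CPU on every packet the gateway inspects. The wrapper below is an added example written for this page, not a Check Point tool; it assumes the command names and flags shown above (fw ctl debug -buf, fw ctl debug -m <module> + <flags>, fw ctl debug 0, fw ctl kdebug -T -f) and uses an FW variable so the sequence can be dry-run with FW=echo on a machine without Check Point software.

```shell
#!/bin/sh
# fw_debug_capture: run a timed Check Point kernel debug session and always
# switch the debug off afterwards. Added example, not a Check Point utility.
#
#   fw_debug_capture <seconds> <outfile> <module> <flag>...
#   e.g. fw_debug_capture 30 /var/log/fw_kdebug.txt fw drop conn
#
# FW names the command to run; set FW=echo to dry-run the sequence and see
# exactly which commands would be issued (used at the bottom of this block).
fw_debug_capture() (
    secs=$1; out=$2; mod=$3; shift 3
    FW=${FW:-fw}

    # The body runs in a subshell so the EXIT trap is scoped to this call:
    # whatever happens (error, Ctrl-C), the debug flags go back to defaults.
    trap '$FW ctl debug 0' EXIT
    trap 'exit 130' INT TERM

    $FW ctl debug 0 || exit 1                 # clean slate: drop flags left by others
    $FW ctl debug -buf 32000 || exit 1        # 32000 KB kernel debug buffer
    $FW ctl debug -m "$mod" + "$@" || exit 1  # e.g. module fw, flags drop conn

    # Read the buffer continuously into the output file, with timestamps,
    # for the requested number of seconds, then stop the reader.
    $FW ctl kdebug -T -f > "$out" 2>&1 &
    kpid=$!
    sleep "$secs"
    kill "$kpid" 2>/dev/null || true
    wait "$kpid" 2>/dev/null || true
    # the EXIT trap now runs: fw ctl debug 0
)

# Dry run in a subshell so the block is safe to execute anywhere: it prints
# the four commands the function would issue instead of touching the kernel.
(FW=echo; fw_debug_capture 0 /dev/null fw drop conn)
```

Run it with a real FW (the default, fw) only on the gateway under investigation, and keep the window short: the kdebug reader writes fast on a busy gateway, and the EXIT trap is what guarantees the flags are cleared even if you interrupt it.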
fw ctl affinity: sets CoreXL affinities (kernel instance, daemon and interface
affinities) when using multiple processors.
The fw ctl affinity command differs between a VSX Gateway and a Security
Gateway: on a VSX Gateway, use the -d parameter to save the CoreXL affinity
settings across a reboot; on a Security Gateway, the CoreXL affinity settings
set with this command are not saved across a reboot.
Syntax
> fw ctl affinity -s <proc_selection> <cpuid>
fw ctl affinity -l: lists the existing CoreXL affinities when using multiple
processors.
Syntax
> fw ctl affinity -l [<proc_selection>] [<listtype>]
fw fetch : Fetches the Inspection Code from the specified host and installs it to
the kernel.
Syntax
> fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...
fw fetchlogs; fw fetchlogs fetches Log Files from a remote machine. You can use
the fw fetchlogs command to transfer Log Files to the machine on which the fw
fetchlogs command is executed. The Log Files are read from and written to the
directory $FWDIR/log.
fw hastat The fw hastat command displays information about High Availability
machines and their states.
Syntax
> fw hastat [<target>]
fw kill: Prompts the kernel to shut down all firewall daemon processes. The
command is located in the $FWDIR/bin directory on the Security Management
server or gateway machine.
The firewall daemons and Security servers write their pids to files in the
$FWDIR/tmp directory upon startup. These files are named
$FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the
firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.
Syntax
> fw kill [-t <sig_no>] <proc-name>
fw lichosts: print a list of hosts protected by Security Gateway products. The
list of hosts is in the file $FWDIR/database/fwd.h
Syntax
> fw lichosts [-x] [-l]
fw log: display the content of Log Files. Options:
-f [-t]: keep following the Log File as records are added; the -t parameter
indicates that the display is to begin at the end of the file.
-n: do not perform DNS resolution of the IP addresses in the Log File.
-l: display both the date and the time for each log record.
-o: show detailed log chains (all the log segments a log record consists of).
-c <action>: display only events whose action is <action>, that is, accept,
drop, reject, authorize, deauthorize, encrypt or decrypt.
-h <host>: display only log records whose origin is the specified IP address
or name.
<logfile>: use <logfile> instead of the default Log File. The default Log File
is $FWDIR/log/fw.log.
fw logswitch: creates a new active Log File. The current active Log File is
closed and renamed, by default to $FWDIR/log/<current_time_stamp>.log, unless
you define an alternative unique name. A Security Management Server can use
fw logswitch to switch the Log File on a remote machine and transfer the Log
File to the Security Management Server. The Log Files on a remote machine can
be listed with fw lslogs.
fw monitor: Syntax
> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l
<len>] [-m <mask>]
[-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO
<pos>] | -p all]] [-a]
[-ci <count>] [-co <count>] [-h] -T
fw lslogs: Display a list of Log Files residing on a remote or local machine. You
must initialize SIC between the Security Management server and the remote
machine.
Syntax
> fw lslogs [[-f <filename>] ...] [-e] [-s{<name>|<size>|<stime>|<etime>}] [-r]
[<machine
fw putkey: Syntax
> fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p
<pswd>] <host>...
fw repairlog: fw repairlog rebuilds a Log file's pointer files. The three files:
name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from
data in the specified Log file. The Log file itself is modified only if the -u flag is
specified.
Syntax
fw repairlog [-u] <logfile>
fw stat: Use fw stat to view the policy installed on the gateway, and which
interfaces are being protected.
Note - The cpstat command is an enhanced version of fw stat
Syntax
> fw stat -l
> fw stat –s
fw tab: the fw tab command shows data from the kernel tables and lets you
change the content of dynamic kernel tables. You cannot change the content of
static kernel tables.
Kernel tables (also known as state tables) store the data that the Firewall
and other modules in the Security Gateway use to inspect packets. These kernel
tables are the "memory" of the virtual computer in the kernel and are a
critical component of Stateful Inspection. The kernel tables are dynamic hash
tables in kernel memory.
Syntax
fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-
a|-x} -e <entry>] [-y] [<hostname>]
-t <table>: specifies the table for the command (for example, connections).
-s: shows a short summary of the table(s) data.
-c: shows formatted table information in common format.
-f: shows a formatted version of the table data. Each table can use a
different style.
-o <filename>: writes the output to the file <filename>.
-r: resolves IP addresses in formatted output.
-u: shows an unlimited number of table entries.
-m <maxval>: sets the maximum number of table entries shown to <maxval>.
-a|-x: adds (-a) or removes (-x) an entry from the specified table.
-e <entry>: one or more entries to add or remove from the table.
-y: do not prompt the user before running the command.
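The unformatted connections table (fw tab -t connections -u) prints each entry as a tuple of hex words, which is slow to read when you are chasing one flow through a gateway. The script below is an added example written for this page, not a Check Point tool; it assumes the key layout of R75/R76 connection entries (direction, source IP, source port, destination IP, destination port, protocol, followed by the value words and finally remaining/total timeout), and the sample lines are constructed, so confirm the layout against fw tab -t connections -f on your own gateway before trusting the field names.

```shell
#!/bin/sh
# decode_conns: make `fw tab -t connections -u` output readable.
# Added example, not a Check Point utility. Assumed entry layout:
#   <dir, src, sport, dst, dport, proto; value words...; remaining/total>
# Usage on a gateway:  fw tab -t connections -u | decode_conns
decode_conns() {
    awk '
    # Plain (POSIX) awk has no strtonum(), so parse the hex words by hand.
    function hex(s,    i, v, c) {
        s = tolower(s); gsub(/[^0-9a-f]/, "", s)
        v = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            v = v * 16 + index("0123456789abcdef", c) - 1
        }
        return v
    }
    # 32-bit word -> dotted quad, e.g. c0a80105 -> 192.168.1.5
    function ip(h,    n) {
        n = hex(h)
        return int(n / 16777216) "." int((n % 16777216) / 65536) "." int((n % 65536) / 256) "." (n % 256)
    }
    function proto(p) {
        return p == 6 ? "tcp" : p == 17 ? "udp" : p == 1 ? "icmp" : "proto" p
    }
    # Table entries start with "<"; header lines ("dynamic, id ...") do not.
    /^</ {
        line = $0
        sub(/^</, "", line); sub(/>$/, "", line)
        n = split(line, part, ";")               # part[1] is the key tuple
        if (split(part[1], k, /, */) < 6) next   # not a 5-tuple key we understand
        ttl = "-"
        if (n > 1 && part[n] ~ /\//) { ttl = part[n]; gsub(/ /, "", ttl) }
        printf "dir=%d %s %s:%d -> %s:%d ttl=%s\n",
               hex(k[1]), proto(hex(k[6])), ip(k[2]), hex(k[3]), ip(k[4]), hex(k[5]), ttl
    }'
}

# Constructed sample output (not captured from a real gateway).
SAMPLE_FW_TAB='localhost:
-------- connections --------
dynamic, id 8158, num ents 2, load factor 0.0, attributes: keep, sync, expires 25, refresh, hashsize 32768, unlimited
<00000000, c0a80105, 0000c350, 0a000001, 00000050, 00000006; 00010002, 00000000; 3598/3600>
<00000001, 0a000001, 00000035, c0a80105, 00008707, 00000011; 00000000, 00000000; 38/40>'

printf '%s\n' "$SAMPLE_FW_TAB" | decode_conns
```

The ttl column is the entry's remaining/total timeout; an entry whose remaining value keeps resetting is one the gateway still sees traffic for, which is the first thing to check when a "dropped" connection turns out to be a stale state entry rather than a rule problem.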
fw ver: Display the Security Gateway major and minor version number and build
number.
Syntax
> fw ver [-k][-f <filename>]
fwm: performs management operations on the Security Management Server. It
controls fwd and all Check Point daemons.
Syntax
> fwm
fwm dbimport: imports users into the Check Point User Database from an
external file. You can create this file yourself, or use a file generated by
fwm dbexport.
Syntax
> fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <delim>]
-m: if an existing user is encountered in the import file, the user's default
values are replaced by the values in the template.
-s: suppress the warning messages issued when an existing user's values are
changed by values in the import file.
-v: verbose mode.
-r: delete all existing users in the database before importing.
-k <errors>: continue processing until <errors> errors are encountered. The
line count in the error messages starts from 1, including the attributes line
and counting empty or commented-out lines.
-f <file>: the name of the import file. The default import file is
$FWDIR/conf/user_def_file.
-d <delim>: specifies a delimiter different from the default value (;).
fwm expdate: modify the expiration date of all users and administrators.
Syntax
> fwm expdate <dd-mmm-yyyy>
fwm dbexport: Export the Check Point User Database to a file. The file may be in
one of the following
formats:
The same syntax as the import file for fwm dbimport
LDIF format, which can be imported into an LDAP server using ldapmodify
To export the User Database to a file that can be used with fwm dbimport:
> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ]
[-f file] ]
To export the User Database as an LDIF file:
> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]
fwm dbload : Download the user database and network objects information to
selected targets. If no target is specified, then the database is downloaded to
localhost.
Syntax
> fwm dbload {-all|-conf <conffile>} [<targets>]
fwm load: compile and install a Security Policy, or a specific version of the
Security Policy, on the target Security Gateways. This is done in one of two
ways:
fwm load compiles and installs an Inspection Script (*.pf) file on the
designated Security Gateways.
fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection
Script (*.pf) file and then installs it on the designated Security Gateways.
Syntax > fwm load [-p <plug-in>] [-S] <rulebase> <targets>
-S: the targets are UTM-1 Edge gateways.
-p <plug-in>: specifies the product name, if applicable.
<rulebase>: a Rule Base created by the GUI. Specify the name of the rule base,
such as Standard (case sensitive).
fwm logexport: fwm logexport exports the Log file to an ASCII file.
Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n]
[-p]
[-f] [-m {initial|semi|raw}] [-a]
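Once fwm logexport has turned the binary Log File into delimited text, ordinary Unix tools answer the questions an analyst asks first: which sources are being dropped most, and which of them are touching many different services (the signature of a port scan). The script below is an added example written for this page, not part of the Check Point product; the sample export is constructed with a subset of the real columns, and the functions locate columns by the header names action, src and service rather than by position, which is an assumption about the header line that you should confirm against your own export.

```shell
#!/bin/sh
# Analyse a semicolon-delimited export produced by
#   fwm logexport -d ';' -i fw.log -o fw.csv
# Added example, not a Check Point utility. Columns are found by header name,
# so the export's column order does not matter; assumed names: action, src,
# service.

# top_dropped_sources <min_count>   (reads the export on stdin)
# Prints "src count" for every source with at least <min_count> drop/reject
# records, most frequent first.
top_dropped_sources() {
    awk -F';' -v min="${1:-1}" '
    NR == 1 {
        for (i = 1; i <= NF; i++) col[$i] = i
        if (!("src" in col) || !("action" in col)) {
            print "export is missing the src or action column" > "/dev/stderr"
            exit 2
        }
        next
    }
    $col["action"] == "drop" || $col["action"] == "reject" { n[$col["src"]]++ }
    END { for (s in n) if (n[s] >= min) printf "%s %d\n", s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# scan_candidates <min_services>   (reads the export on stdin)
# Prints "src distinct_services" for sources whose dropped connections hit at
# least <min_services> different services: one host probing many ports.
scan_candidates() {
    awk -F';' -v min="${1:-5}" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["action"] == "drop" { seen[$col["src"] SUBSEP $col["service"]] = 1 }
    END {
        for (key in seen) { split(key, p, SUBSEP); n[p[1]]++ }
        for (s in n) if (n[s] >= min) printf "%s %d\n", s, n[s]
    }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample export (subset of the real columns; not a real log).
SAMPLE_EXPORT='num;date;time;orig;type;action;i/f_name;i/f_dir;src;dst;proto;rule;service;s_port
1;8Jan2015;10:00:01;gw-1;log;accept;eth1;inbound;10.1.1.20;203.0.113.10;tcp;5;http;51000
2;8Jan2015;10:00:02;gw-1;log;drop;eth0;inbound;198.51.100.7;10.1.1.20;tcp;15;telnet;40001
3;8Jan2015;10:00:02;gw-1;log;drop;eth0;inbound;198.51.100.7;10.1.1.20;tcp;15;ssh;40002
4;8Jan2015;10:00:03;gw-1;log;drop;eth0;inbound;198.51.100.7;10.1.1.21;tcp;15;microsoft-ds;40003
5;8Jan2015;10:00:04;gw-1;log;reject;eth0;inbound;198.51.100.9;10.1.1.20;tcp;15;http;40004
6;8Jan2015;10:00:05;gw-1;log;accept;eth1;inbound;10.1.1.21;203.0.113.10;udp;6;domain-udp;51001'

printf '%s\n' "$SAMPLE_EXPORT" | top_dropped_sources 1
printf '%s\n' "$SAMPLE_EXPORT" | scan_candidates 3
```

On a real export, run fwm logexport with -n so src stays an IP address rather than a resolved name, and pipe the file in: `top_dropped_sources 50 < fw.csv` gives the noisy sources, `scan_candidates 10 < fw.csv` the ones worth a SAM rule or a block at the edge.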
fwm sic_reset: reset the Internal CA: delete all the certificates issued by
the Internal CA and the Internal CA itself. After running sic_reset, the ICA
must be initialized again through cpconfig. If this command is run, all the
IKE certificates issued by the Internal CA should be removed (using
SmartConsole).
Syntax > fwm sic_reset
fwm unload <targets>: Uninstall the currently loaded Inspection Code from
selected targets.
Syntax > fwm unload <targets> [-all|-c <conffile>]
ldapcmd (logging): view the alert and warning log regarding debug.
Syntax
# ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]
sam_alert: this tool executes FW-1 SAM (Suspicious Activity Monitoring)
actions according to information received through standard input. It is
intended for executing SAM actions from the FW-1 User Defined Alerts
mechanism.
Syntax
sam_alert [-o] [-v] [-s <sam_server>] [-t <timeout>] [-f <fw_host1>
<fw_host2>...]
[-C] [-n|-i|-I -src|-dst|-any|-srv]
VPN Commands
vpn crl_zap: Erase all Certificate Revocation Lists (CRLs) from the cache.
Usage vpn crl_zap
Return Value 0 for success; any other value equals failure.
vpn crlview: retrieve the Certificate Revocation List (CRL) from various
distribution points and display it for the user. The command comes in three
flavors:
vpn crlview -obj <MyCA> -cert <MyCert>: the VPN daemon contacts the
Certificate Authority called MyCA and locates the certificate called MyCert.
The VPN daemon extracts the CRL distribution point from the certificate, then
goes to the distribution point, which might be an LDAP or HTTP server. From
the distribution point, the VPN daemon retrieves the CRL and displays it on
standard output.
vpn crlview -f d:\temp\MyCert: the VPN daemon reads the certificate from the
specified file, extracts the CRL distribution point from the certificate, goes
to the distribution point, retrieves the CRL, and displays the CRL on standard
output.
vpn crlview -view <latest_CRL>: if the CRL has already been retrieved, this
command instructs the VPN daemon to display its contents on standard output.
Usage vpn crlview -obj <object name> -cert <certificate name>
vpn crlview -f <filename>
vpn crlview -view
vpn debug: instruct the VPN daemon to write debug messages to the VPN log
file. To debug all available topics, use ALL as the debug topic.
IKE traffic can also be logged. IKE traffic is logged to $FWDIR/log/IKE.elg
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon | ikeoff | trunc |
timeon <SECONDS> | timeoff >
vpn debug on [DEBUG_TOPIC=level] | off [timeon <SECONDS>] | timeoff
vpn debug ikeon | ikeoff [timeon | timeoff]
vpn debug trunc
vpn drv: Install the VPN kernel (vpnk) and connects to the firewall kernel (fwk),
attaching the VPN driver to the Firewall driver.
Usage vpn drv on|off
vpn drv stat
vpn tu: Launch the TunnelUtil tool which is used to control VPN tunnels.
Usage vpn tu
vpn tunnelutil
Output
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
vpn ver: display the VPN major version number and build number.
Usage vpn ver [-k] [-f <filename>]
rtm drv: Start, stop or check the status of the SmartView Monitor kernel driver.
Usage rtm drv <on | off | stat>
rtm rtmd: start the SmartView Monitor daemon manually. This also happens
automatically when rtmstart is run.
Usage rtm rtmd
rtm stat: display the general SmartView Monitor status: the status of the
daemon, driver, opened views and active virtual links.
Usage rtm stat [flavor(s)] [-h] [-v[v][v]]
rtmstart: load the SmartView Monitor kernel module and start the SmartView
Monitor daemon.
Usage rtmstart
rtmstop: kill the SmartView Monitor daemon and unload the SmartView Monitor
kernel module.
Usage rtmstop
ClusterXL Commands
cphaprob: the cphaprob command verifies that the cluster and the cluster
members are working properly.
cphastop: cphastop on a cluster member stops that member from passing
traffic. State synchronization also stops. It is still possible to open
connections directly to the cluster member. In High Availability Legacy mode,
running cphastop may cause the entire cluster to stop functioning.
pdp debug Activates and deactivates the debug logs of the PDP daemon.
Syntax # pdp debug <parameter> <option>
pdp tracker Adds the TRACKER topic to the PDP logs (on by default). This is very
useful when monitoring the PDP-PEP identity sharing and other communication
on distributed environments. This can be set manually by adding the TRACKER
topic to the debug logs.
Syntax # pdp tracker <parameter>(on/off)
pdp update Initiates a recalculation of group membership for all users and
computers. Note that deleted accounts will not be updated.
Syntax # pdp update <parameter>
pdp ad associate For AD Query, adds an identity to the Identity Awareness
database on the Security Gateway. The group data must be in the AD.
Syntax # pdp ad associate ip <ip> u <username> d <domain> [m <machine>] [t
<timeout>] [s]
pdp ad disassociate Removes the identity from the Identity Awareness database
on the Security Gateway. Identity Awareness does not authenticate a user that is
removed.
Syntax # pdp ad disassociate ip <ip> {u <username>|m <machine>} [r
{probed|override|timeout}]
pep: provides commands to control and monitor the PEP process.
Syntax # pep [command]... <argument>
Parameters:
tracker: tracker options.
show: display PEP information.
pep show: displays information regarding PEP status.
Syntax # pep show <parameter> <option>
pep show user: monitors the status of the sessions known to the PEP. You can
perform varied queries according to the usage below to get the output you are
interested in.
Syntax # pep show user all
pep show stat Shows the last time the daemon was started and the last time a
policy was received. Important - Each time the daemon starts, it loads the policy
and the two timers (Daemon start time and Policy fetched at) will be very close.
Syntax # pep show stat
IPS Commands:
ips bypass: turns IPS bypass under load on or off. When CPU or memory usage
goes above the high threshold, IPS enters bypass mode and is automatically
disabled. When CPU or memory usage goes below the low threshold, IPS exits
bypass mode and is automatically enabled.
Usage - ips bypass {on|off}
ips bypass set Configures the thresholds for the ips bypass command.
Usage - ips bypass set {cpu|mem} {low|high} <th>
Cpu :Configure the CPU threshold
Mem :Configure the memory threshold.
Low :Configure the lower threshold to exit bypass mode.
High :Configure the higher threshold to enter bypass mode.
<th> :The CPU or memory threshold value.
ips debug Shows the IPS debug information.
Usage - ips debug [-e <filter>] -o <outfile>
INTERVIEW QUESTIONS
KPIT HP
1. What is vlan?
2. How to configure vlan in L2 switch?
3. What is Layer 3 vlan?
4. How many tcp flags? Name them.
5. What is Window size?
6. What is fragmentation?
7. OSPF LSA types.
8. Explain LSA 5.
9. Both HSRP routers become active during bootup. How will you
troubleshoot?
10.What are the changes that occur in a packet when it goes from a host to
another host traversing a switch and two routers?
11.What is NAT and PAT? Explain with example.
12.Why do we apply an ACL from inside to outside for ICMP even though traffic
from inside to outside is allowed by default on the ASA?
13.How will a switch connected to failover firewalls know when FW1 fails and
FW2 becomes active?
14.VPN 9 packet negotiation
15.IPSEC parameters.
16.What is a firewall? What is a stateful firewall?
17.NAT definition: Static NAT, Dynamic NAT, Identity NAT, NAT exemption,
NAT-Control
18.Mechanism of NAT and how NAT works
19.NAT order
20.How does packet flow work? If a packet from inside is dropped while going
outside, how will you trace it?
21.Active FTP and passive FTP concept in ASA
22.What is inspection and MPF?
23.How can we know whether our inspection is working on NAT? Tell the command.
24.IPSEC: i. phases and modes
a. ii. Troubleshooting when the tunnel is down (phase I is up)
b. iii. Aggressive mode
25.SSL VPN.
26.Same security level ping will happen or not?
Same-security-traffic permit intra-interface (to allow U-turning traffic)
Same-security-traffic permit inter-interface (for communication between
DMZ and DMZ-2 having same security level)
27.IP spoofing
28.DNS Doctoring.
29.Site-to-Site vpn configuration on ASA
30.On which port SSL VPN works.
31.Difference between SSL VPN and WEB VPN
32.Stateful firewall
33.What is packet tracer?
34.What is an IP address? Private IP addresses
35.Does a switch work on MAC addresses or IP addresses?
36.10.1.1.0/24: which class does it belong to?
37.FWSM (ASA Firewall Services Module)
NET-APP
Q1. Transparent firewall
Q2. Same security level; how they can communicate with each other.
Q3. IPSEC/ SSLVPN
Q4. Types of NAT (Order of NAT), STATIC NAT configuration
Q5. IPSEC troubleshoot phase I and II.
Q6. An external client wants to communicate with a web server situated inside
the company.
Q7. Frame (preamble).
Q8 Tell us about your company project.
Q9 DNS
IBM
Q1. What is VLAN?
Q2. Function of HSRP
Q3. Stuck in Active
Q4. AD of OSPF
Q5. A.D. and F.D. of EIGRP
Q6. Role of area 0
Q7. In this scenario, a host should communicate with a server. What will the
routing be?
Q8. Downtime zero, in ASA firewall
Q9. Site –to – site VPN (Modes and 9 packet negotiation)
Q10. SSL VPN packets transfer.
Q11. In the scenario below, a PC wants to ping the internet but the packets are
dropping. How will you troubleshoot?
CSS CORP
Q1. TCP Windowing
Q2. MTU and MSS
Q3. DHCP DORA
Q4. TCP sequence number
Q5. VPN 9 packets
Q6. DORA Packets type
Q7. Does UDP packet have sequence number?
Q8. After windowing. If one segment gets dropped from the receiver end then
what does the receiver send to the sender so as to get the dropped packet.
Q9. In this scenario PC-3 getting APIPA address. What will be tshoot
Q10. Difference between NACK and ACK
Q11. Difference between Main Mode and Aggressive Mode
Q12. SSL Handshake
Q13. Why do we use VPN?
Q14. In this scenario, how does C come to know whether each fragment has been
received, and how does C know which fragment is the first and which is the last?
IBM
Q1. Tell me about yourself and day by day job responsibility.
Q2. What is the difficult troubleshoot u faced in previous company.
Q3. One site is in India and the other site is in the USA. Create a site-to-site
tunnel and tell us the configuration part.
Q4. Which command checks that the tunnel is up?
Q5. VPN: show the connected VPN sessions.
Q6. In the firewall, how do you check the configuration of the cluster, i.e. the
context?
Q7. There are two firewalls, an ASA 5520 and an ASA 5510. We are trying to
cluster them but it is not working. How will you troubleshoot?
Q8. Why are you leaving this job?
Q9. Difference between the 5505 and 5510 firewalls
ACCENTURE
Q1. In this scenario, I was previously able to work with the printer. I updated
the printer's firmware, and now I am not able to work with the printer, although
I am still able to ping the printer's IP address.
Q2. What is packet capture command?
Q3. What is Hair pinning.
Q4. In this scenario, my IPs 10.10.10.1 and 20.20.20.1 are NATed, and I want to
communicate with destination IPs 30.30.30.1 and 40.40.40.1. What type of NAT
will I use?
CGI
Q1. EIGRP, OSPF, STP, VLAN, RSTP.
Q2. Firewall hardening
Q3. Difference between L3 and L2 switch
Q4. Difference between MPLS and L2
Q5. Site to Site VPN and IPSEC VPN
Q6. Failover is running between two firewalls that are connected to a switch.
How will the switch find out which firewall is active and which is standby?
Q7. 3 tier architecture of checkpoint
Q8. How to add policy in checkpoint
Q9. Packet flow of checkpoint
WIPRO
Q1. Day to day job responsibilities
Q2. Cisco ASA:- Difference (8.2,8.4,8.6)
Q3. Checkpoint version
Q4. What is SIC? Why do we need SIC? Where do we configure SIC in Checkpoint?
How many SICs can be formed?
Q5. Difference between OSI model s vs TCP/IP models
Q6. TCP flags and 3 way handshake
Q7. What is proxy server
Q8. What is forward proxy and reverse proxy.
Q9 What is DNS and how does it work.
Q10 Password recover on router.
Q11. Chassis of a Nexus switch.
UNKNOWN
Q1. Packet flow between a PC and the Internet
Q2. Packet flow in checkpoint firewall
Q3. Packet flow in cisco ASA
Q4. TCP states
Q5. Example of session layer
Q6. Which OSI layer decides whether a packet moves outside or remains inside?
Q7. How will you troubleshoot if your PC cannot connect to the internet?
TEK SYSTEMS
Q1. Tell me about yourself and your day-to-day job responsibilities.
Q2. In 8.2 we want to upgrade to 9.0 with zero downtime.
Q3. Difference between site-to-site VPN and IPsec VPN
Q4. How does phase 1 work?
Q5. What will you troubleshoot when we get MM_MO_ACTIVE in VPN?
Q6. Is it necessary to create phase 1 for phase 2?
Q7. In my network, a duplicate IP address is being detected. How will you
troubleshoot it?
Q8. When did you feel offended in your previous organization?
Q9. How does the network know that a router is stuck in active?
Q10. LSA 7
Q11. In our network BPDU Guard is enabled. If we add a new switch to the
network, what type of message is displayed on the switch?
Q12. In this scenario, one hour ago my PC was able to reach the internet. Now
the PC is not able to access yahoo.com. How will you troubleshoot?
HP (KPIT)
Q1. Failover is running between two firewalls that are connected to a switch.
How will the switch find out which firewall is active and which is standby?
Q2. Packet flow of Checkpoint
Q3. In automatic NAT, how many rules will be created?
Q4. How will we make a backup using the CLI?
Q5. When a packet enters a router, how does the router process the packet?
BAR
Q1. TCP 3 way handshake
Q2. Packet level – which bit is getting set
Q3. Difference between push and urgent
Q4. Packet flow between two PCs
Q5. Arp header size
Q6. DHCP
Q7. Ipsec packet level
Q8. Difference between ASA and router
Q9. SSL how SSL VPN works in application layer
Q10. Proxy arp.
Q11. NAT-ASA
Q12. DNS Doctoring
Q13. FTP
Q14. Where will we implement active FTP and passive FTP in the firewall, and
what are the problems?
Q15. IP fragmentation
Q16. IP header: identification and offset fields.
Q17. CSR- SSL vpn
Q18. HTTP
Q19. DHCP relay agent
Q20. Configuration parameters of DHCP
Q21. What will indicate a phase I failure on an IOS device?
Q22. What can be the various reasons for IPSEC negotiation?
Q23. What is NAT-T?
FNF
Q1. How to change or reset the password on Cisco switches.
Q2. How to troubleshoot from the CLI when SmartView Tracker is not showing logs.
Q3. How to make a backup from the Checkpoint CLI.
Q4. Where are logs stored?
Q5. Where will the backup file be stored?
Q6. What is HSRP (All Discuss?)
Q7. What is the Etherchannel, why we need Etherchannel?
Q8. What are protocols of Etherchannel?
Q9. How can we configure Etherchannel?
Q10. Command for port-security
Q11. What is AD value of Eigrp and OSPF?
Q12. What are values of AD in EIGRP?
Q13. What is OSPF?
Q14. What is difference between OSPF and EIGRP?
Q15. What is different between ABR and ASBR?
Q16. What are the states of OSPF? Explain.
Q17. What is multicast ip address of OSPF?
Q18. What is ACL?
Q19. Difference between Standard and extended acl.
Q20. What are types of ACL?
Q21. Configuration of Switch ACL
TTNI
Q1. What is the difference between Cisco ASA and Checkpoint?
Q2. What is SIC? What is its purpose?
Q3. Process for backup
Q4. Difference between snapshot and backup
Q5. What is the stealth rule and what is its purpose?
Q6. What is the cleanup rule and what is its purpose?
Q7. What is FWM?
Q8. What is PDP?
Q9. What is RTM
Q10. What is tcpdump.
Q11. How can we check the log between two gateways.
Q12. What is mode of firewall.
Q13. What is context.
Q14. How we create context.
Q15. Where we create context in routed firewall or transparent firewall?
Q16. What is transparent firewall?
Q17. What is difference between switch and transparent firewall?
Q18. Can we create context in routed mode.
Q19. What is ipsec.
Q20. By default which mode is available in IPSec
MIND TREE
Q1. Suppose a switch is connected to a router and two PCs are connected to the
switch. How will PC A and PC B communicate? Here is the scenario
Q2. Suppose four PCs (A, B, C, D) are connected to switch 1 and four PCs (E, F,
G, H) are connected to switch 2. In this scenario I want PC A to communicate
with PC E. What will the steps be for this task?
Q3. In this scenario routers R1 and R2 are connected to SW1 and SW2. PC1 and
PC2 are connected to SW1 and SW2. PC1 and PC2 want to communicate with each
other. What will the steps be? Scenario is below.
Q4. What is dynamic configuration of Vlan?
Q5. What is ipv4 and discuss in detail.
Q6. What is tcp flags?
Q7. What is reset flag and what is purpose of Reset flag.
Q8. What is three way handshake?
Q9. What is four way handshake?
Q10. What is NAT?
Q11. What is the order of NAT?
Q12. What is dynamic NAT and dynamic PAT, and the syntax?
Q13. What is the packet-tracer command? How does it check the packet?
Q14. What are the security parameters of IPsec phase 1?
Q15. By default, which mode is available in phase 1?
Q16. Phase 1 and phase 2 are active; data is being encrypted but not
decrypted. What is the troubleshooting for that?
CAPGEMINI
Q1. In the network there are two routers. On router R1 EIGRP is running and on
router R2 OSPF is running. PCs are connected to routers R1 and R2. PC1 and PC2
want to communicate with the internet. Which protocol will the PCs prefer?
Scenario is below
Q2. Now in this scenario the network of R1 is 192.1.1.0/24 and the network of
R2 is 192.1.1.0/28. Now which protocol will the PC prefer?
Q3. In this scenario PC1 is connected to SW1 in VLAN 10 and PC2 is connected
to SW2 in VLAN 20. How will these PCs communicate?
HR Interview Questions
How long would you expect to work for us if hired?
As far as I can tell, this company has everything I’m looking for. I enjoy this type of
work and the benefits at this company are great. I am looking for a long term
position and if there are opportunities for advancement and growth here, then I
want to stay for a long time.
Because of weak points, only our good points can be recognized. My boss is
leading a team of talented people; he is an expert in handling pressure in
tricky situations, energetic, and he always took part in extracurricular
activities with his team, either organizing team fun or holidays outside town.
I never noticed his weak points. He is very helpful at every step of the work
whenever anyone needs it.
Why should I hire you from the outside when I could promote someone from
within?
From my own point of view, a new employee is someone who can bring fresh ideas
that can improve the company, which I think every company needs, so I think
your company deserves more interesting and new ideas, and I think I am the
person best suited to it.
WEAKNESS:
1. I can't easily say no to a task, no matter what the task is!
Overconfidence is trusting yourself beyond your ability and capability, i.e.
believing you will do it in every condition.
If someone says, "I have the ability to complete this job", that is confidence,
while if someone says, "I'm the only person who can complete this job and
nobody else dares to", that is overconfidence.
What is the difference between hard work and smart work?
For example, teacher ask two students they are,
1. Hard work
2. Smart work
Nobody wants to work at night and on weekends. But if the company gives growth
and provides full facilities, then everyone wants to work at night and on
weekends according to the company's needs. And I am one of them.