CCNAX | Interconnecting Cisco Networking Devices: Accelerated
Student Guide, Volume 3
Version 3.0
Part Number: 97-3838-03

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

© 2017 Cisco Systems, Inc.

Table of Contents
(Page numbers are not legible in the extracted copy and are omitted.)

Module 6: Troubleshooting Basic Connectivity
  Lesson 1: Troubleshooting IPv4 Network Connectivity
    Troubleshooting Guidelines
    Discovery 30: Use Troubleshooting Tools
    Troubleshooting Physical Connectivity Issue
    Identification of Current and Desired Path
    Using SPAN for Troubleshooting
    Configuring SPAN
    Troubleshooting Default Gateway Issues
    Troubleshooting Name Resolution Issues
    Discovery 31: Configure and Verify IPv4 Extended Access Lists
    Troubleshooting ACL Issues
    Discovery 32: Troubleshoot IPv4 Network Connectivity
    Challenge
    Answer Key
  Lesson 2: Troubleshooting IPv6 Network Connectivity
    IPv6 Unicast Addresses
    Troubleshooting End-to-End IPv6 Connectivity
    Verification of End-to-End IPv6 Connectivity
    Identification of Current and Desired IPv6 Path
    Troubleshooting Default Gateway Issues in IPv6
    Troubleshooting Name Resolution Issues in IPv6
    Discovery 33: Configure and Verify IPv6 Extended Access Lists
    Troubleshooting ACL Issues in IPv6
    Discovery 34: Troubleshoot IPv6 Network Connectivity
    Challenge
Module 7: (module title not legible in source)
  Lesson 1: Securing Administrative Access
    Network Device Security Overview
    Securing Access to Privileged EXEC Mode
    Securing Console Access
    Securing Remote Access
    Discovery 35: Enhance Security of Initial Configuration
    Limiting Remote Access with ACLs
    Configuring the Login Banner
    Discovery 36: Limit Remote Access Connectivity
    Challenge
    Answer Key
  Lesson 2: Implementing Device Hardening
    Securing Unused Ports
    Port Security
    Configuring Port Security
    Verifying Port Security
    Discovery 37: Configure and Verify Port Security
    Disabling Unused Services
    Network Time Protocol
    Configuring NTP
    Verifying NTP
    Discovery 38: Configure and Verify NTP
    Challenge
    Answer Key
  Lesson 3: Implementing Advanced Security
    Mitigating Threats at the Access Layer
    External Authentication Options
    Discovery 39: Configure External Authentication Using RADIUS and TACACS+
    Challenge
    Answer Key
Module 8: Implementing an EIGRP-Based Solution
  Lesson 1: Implementing EIGRP
    Dynamic Routing Protocols
    Administrative Distance
    EIGRP Features
    EIGRP Path Selection
    EIGRP Metric
    Discovery 40: Configure and Verify EIGRP
    EIGRP Load Balancing
    Challenge
    Answer Key
  Lesson 2: Implementing EIGRP for IPv6
    EIGRP for IPv6
    Discovery 41: Configure and Verify EIGRP for IPv6
    Challenge
    Answer Key
  Lesson 3: Troubleshooting EIGRP
    Troubleshooting EIGRP Issues
    Troubleshooting EIGRP Neighbor Issues
    Troubleshooting EIGRP Routing Table Issues
    Troubleshooting EIGRP for IPv6 Issues
    Discovery 42: Troubleshoot EIGRP Issues
    Challenge
    Answer Key
Module 9: Summary Challenge
  Lesson 1: Troubleshooting a Medium-Sized Network
    Challenge
    Answer Key
  Lesson 2: Troubleshooting Scalable Medium-Sized Network
    Challenge
    Answer Key
Module 10: Implementing a Scalable OSPF-Based Solution
  Lesson 1: Understanding OSPF
    Link-State Routing Protocol
    Link-State Routing Protocol Data Structures
    (the table of contents continues beyond the extracted text)

Module 6: Troubleshooting Basic Connectivity

Introduction
Here you will learn how to troubleshoot end-to-end connectivity in an IPv4 network and connectivity in an IPv6 network.

Lesson 1: Troubleshooting IPv4 Network Connectivity

Introduction
Various customers have called CCS with complaints involving network connectivity problems, and several trouble tickets have been created. Bob has assigned all the network connectivity trouble tickets to you.

Troubleshooting Guidelines
It is impossible to write a set of troubleshooting procedures that will solve any IP connectivity problem.
The troubleshooting process can be guided by structured methods, but the exact steps that are taken at each point along the way cannot be prescribed because they depend on many different factors. Each network is different, each problem is different, and the skill set and experience of each engineer who is involved in a troubleshooting process is different. When end-to-end connectivity is not operational, the user will inform the network administrator. The administrator will start the troubleshooting process, as shown in the figure.

[Figure: Troubleshooting Guidelines flowchart. The checks, in order: cabling and interfaces, current and desired path, default gateway, name resolution, and whether an ACL is blocking traffic.]

You should investigate the following when there is no end-to-end connectivity:
+ Check the cables to determine whether there is a faulty cable or interface. This is a link-by-link test. You may need to check each cable that lies in the packet path (the path between the source and destination devices that are experiencing connectivity problems).
+ Make sure that the devices are determining the correct path from the source to the destination. Manipulate the routing information, if needed.
+ Verify that the default gateway is correct.
+ Verify that the name resolution settings are correct.
+ Verify that there are no ACLs that are blocking traffic.

After every failed troubleshooting step, you should provide a solution to make the step successful. The outcome of this process is operational end-to-end connectivity.

Discovery 30: Use Troubleshooting Tools

Introduction
In this discovery, you will learn how to use some basic commands for verifying end-to-end connectivity in an IP network. The live virtual lab is prepared with the devices that are represented in the topology diagram and the connectivity table. All devices have their basic configurations in place, including hostnames and IP addresses.
RIP is configured on the routers. There are no issues to troubleshoot with the network. The goal of this discovery is to become familiar with some basic troubleshooting tools, not to complete troubleshooting tasks.

Topology
[Figure: lab topology. PC1 connects through SW1 to R1; R1 connects to R2; SRV1 connects to R2.]

Job Aids
The configuration is as follows:
+ All devices have their basic configurations in place, including hostnames and IP addresses.
+ RIP is configured on R1 and R2.

Device Details
Device | Interface | Neighbor | IP Address
PC1 | Ethernet0/0 | SW1 | 10.10.1.10/24
SRV1 | Ethernet0/0 | R2 | 10.10.3.30/24
SW1 | VLAN 1 | - | (not legible in source)
SW1 | Ethernet0/0 | PC1 | -
SW1 | Ethernet1/1 | R1 | -
R1 | Ethernet1/1 | SW1 | 10.10.1.1/24
R1 | Ethernet0/0 | R2 | (not legible in source)
R2 | Ethernet0/0 | R1 | (not legible in source)
R2 | Ethernet0/1 | SRV1 | 10.10.3.1/24

Note: The PC and SRV in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Use Troubleshooting Tools

Activity
Complete the following steps:

Step 1 Access the console of PC1.

Step 2 Ping SRV1 by its IP address. The IP address of SRV1 is 10.10.3.30. You can verify this information in the Job Aids section.

    PC1# ping 10.10.3.30
    <... output omitted ...>
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms

It is common for the first one or two probes of a ping attempt to time out if there are devices in the path that do not currently have ARP cache entries for their peers. When all ARP caches are properly populated, the ping attempts should be consistently successful.

Step 3 Attempt to ping the address 10.10.3.40. This address is on a valid subnet, but there is no host that is using the address. Remember to take advantage of the IOS command history feature. It is easier to press the Page Up key and edit the previous command than to type this command again.

    PC1# ping 10.10.3.40
    <... output omitted ...>

If there is no response to the ICMP echo request within the timeout interval, the IOS ping displays the period (.) character.
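When many hosts have to be checked, it helps to classify ping results automatically rather than by eye. The following parser is an added example and is not part of the original lab: it reads the probe line that IOS prints and distinguishes replies (!), timeouts (.) and the unreachable (U) response that the next ping in this step produces. The three transcripts embedded in it are constructed to resemble the lab output; they were not captured from the lab.

```python
import re
from dataclasses import dataclass

# Response characters that the IOS ping command prints, as the lab text describes them.
PING_CHARS = {
    "!": "reply",          # echo reply received
    ".": "timeout",        # no reply within the timeout interval
    "U": "unreachable",    # a router answered with ICMP destination unreachable
}


@dataclass
class PingSummary:
    target: str
    sent: int
    replies: int
    timeouts: int
    unreachable: int
    verdict: str


def parse_ios_ping(output: str) -> PingSummary:
    """Parse the transcript of an IOS 'ping' and classify the result.

    The probe line ("!!!!!", ".....", "U.U.U", ...) carries the per-probe
    outcome; the "Success rate" line is only a summary of it.
    """
    target = None
    probe_line = ""
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Sending \d+, \d+-byte ICMP Echos to (\S+),", line)
        if m:
            target = m.group(1)
            continue
        # A line made only of response characters is the probe-result line.
        if line and set(line) <= set(PING_CHARS):
            probe_line = line
    if target is None or not probe_line:
        raise ValueError("not a recognisable IOS ping transcript")

    replies = probe_line.count("!")
    timeouts = probe_line.count(".")
    unreachable = probe_line.count("U")

    if unreachable:
        # A router in the path had no route: look at routing tables, not cabling.
        verdict = "unreachable"
    elif replies == 0:
        # Silence: host down, traffic filtered by an ACL, or no return path.
        verdict = "timeout"
    elif probe_line[0] == "." and set(probe_line[1:]) == {"!"}:
        # Leading timeouts followed by replies: ARP caches were being populated.
        verdict = "reachable-after-arp"
    elif timeouts:
        verdict = "lossy"
    else:
        verdict = "reachable"
    return PingSummary(target, len(probe_line), replies, timeouts, unreachable, verdict)


# Constructed transcripts modelled on the lab output (not captured from it).
PING_OK = """\
PC1# ping 10.10.3.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.30, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
"""

PING_NO_HOST = """\
PC1# ping 10.10.3.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.40, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""

PING_NO_ROUTE = """\
PC1# ping 10.10.4.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.40, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
"""

if __name__ == "__main__":
    for text in (PING_OK, PING_NO_HOST, PING_NO_ROUTE):
        print(parse_ios_ping(text))
```

The verdict separates the two silent cases that look identical in the success rate: a "timeout" points at the host, an ACL or the return path, while "unreachable" points at a missing route on a router in the path.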
Attempt to ping the address 10.10.4.40. This address is on a nonexistent subnet.

    PC1# ping 10.10.4.40
    Type escape sequence to abort.
    <... output omitted ...>
    Success rate is 0 percent (0/5)

In this case, because the network did not exist in the routing table of R1, R1 returned an ICMP unreachable error message to PC1. As a result, the ping command displays the "U" character. The difference between a timeout and an explicit unreachable message can be significant for troubleshooting.

Use IP SLA for Troubleshooting
IP SLA can use ICMP Echo Request and Reply packets to test availability.

[Figure: example IP SLA ICMP Echo test. The router sends an ICMP Echo Request to the target and expects an ICMP Echo Reply.]

There are several common functions for the IP SLA measurements:
+ Edge-to-edge network availability monitoring: for example, packet loss statistics.
+ Network performance monitoring and network performance visibility: for example, network latency and response time.
+ Troubleshooting of network operation: for example, end-to-end network connectivity.

The ICMP Echo is only one of the available IP SLA tests. You can have multiple IP SLA operations (measurements) running in a network at any given time.

Use IP SLA for Troubleshooting (Cont.)
To configure the IP SLA ICMP Echo test, perform the following steps:
1. Create an IP SLA operation.
2. Configure the IP SLA ICMP Echo test to perform.
3. Schedule an IP SLA test.

The following table describes the commands that you can use to configure an IP SLA ICMP Echo test.

Command | Description
ip sla operation-number | Creates an IP SLAs operation and enters the IP SLAs configuration mode.
icmp-echo destination-ip-address | Configures an ICMP Echo test for the specified destination.
frequency seconds (optional) | Sets the rate at which a specified IP SLAs operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.
ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] | Configures the scheduling parameters for an individual IP SLAs operation. With the life keyword, you set how long the IP SLA test will run; if you specify forever, the test will run until you manually remove it. By default, the IP SLA test will run for 1 hour. With the start-time keyword, you set when the IP SLA test should start; you can start the test right away by issuing the now keyword, or you can configure a delayed start. With the ageout keyword, you can configure how long the collected data is kept. With the recurring keyword, you can schedule a test to run periodically, for example, at the same time each day.

Note: After an IP SLA test is scheduled to run, you will not be able to modify it.

Step 4 Access the console of R1 and configure an IP SLA ICMP Echo test to the SRV1 IP address (10.10.3.30). Define the IP SLA with the number 1 and set the frequency to 10 seconds.

    R1# configure terminal
    R1(config)# ip sla 1
    R1(config-ip-sla)# icmp-echo 10.10.3.30
    R1(config-ip-sla-echo)# frequency 10
    R1(config-ip-sla-echo)# exit

Step 5 Schedule IP SLA 1 on R1 to perform an ICMP Echo test forever and to start running now.

    R1(config)# ip sla schedule 1 life forever start-time now
    R1(config)# exit

Verify IP SLA Operation
To verify the IP SLA operation, perform the following actions:
+ Verify the IP SLA configuration on a device.
+ Verify the IP SLA statistics.

Use the show ip sla configuration command to verify the configured parameters. Use the show ip sla statistics command to investigate the results of the test.

Step 6 On R1, verify the IP SLA configuration. R1 should have an ICMP Echo test configured to the SRV1 IP address.
The test should run every 10 seconds and should be scheduled to run indefinitely.

    R1# show ip sla configuration
    <... output omitted ...>
    Status of entry (SNMP RowStatus): <... output omitted ...>

Step 7 On R1, verify the IP SLA statistics to verify that SRV1 is reachable.

    R1# show ip sla statistics
    <... output omitted ...>

The IP SLA 1 test on R1 has been successfully performed 91 times and the test never failed. Note that these numbers may differ in your output.

Step 8 Execute a traceroute command that targets the SRV1 IP address.

    PC1# traceroute 10.10.3.30
    Type escape sequence to abort.
    Tracing the route to SRV1 (10.10.3.30)
    VRF info: (vrf in name/id, vrf out name/id)
    <... output omitted ...>
      3 SRV1 (10.10.3.30) 0 msec <... output omitted ...>

The traceroute displays the "near-side" IP address of every router in the path to the destination IP address. The traceroute attempts to display both the DNS hostname and the IP address of each hop in the path. This information is evident in the last line in the example output. There is no DNS service in the virtual lab environment, but a static IP host entry for SRV1 has been set in the PC1 configuration.

Note: In the emulated virtual lab environment, it is normal for the middle probe to the final destination to time out.

Step 9 Attempt a traceroute to the nonexistent address 10.10.3.40. Because the destination cannot be reached, the traceroute will continue to send probes with consistently higher TTL values. The traceroute will terminate after 30 hops. However, you can interrupt it at any time by pressing the Ctrl-Shift-6 keys simultaneously.

    PC1# traceroute 10.10.3.40
    Type escape sequence to abort.
    <... output omitted ...>

A traceroute sends a series of IP probe packets. It first sends three probes with a TTL = 1. The probes will reach the first hop, which will decrement the TTL to 0. Because the first hop is not allowed to forward a packet with an expired TTL, it returns ICMP unreachable messages, which the traceroute program processes. The traceroute will then send three probes with a TTL = 2, which will make it to the second hop.
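The TTL stepping described in this step can be made concrete with a simulator. The following is an added example and is not part of the original lab: it models R1 and R2 as routers with small constructed routing tables (the R1-R2 link address 10.10.2.2 is a placeholder, since the Job Aids table is not legible for that link), decrements the TTL at every hop, and reproduces the three outcomes seen in this discovery: a reachable host, a nonexistent host on a valid subnet (probes time out until the 30-hop limit), and a nonexistent subnet (ICMP unreachable from R1).

```python
import ipaddress
from dataclasses import dataclass

MAX_HOPS = 30        # IOS traceroute stops after 30 hops, as the step above notes


@dataclass(frozen=True)
class Router:
    near_side: str      # address the router answers from (what traceroute prints)
    routes: frozenset   # prefixes it can forward to (constructed routing table)

    def has_route(self, destination: str) -> bool:
        dst = ipaddress.ip_address(destination)
        return any(dst in ipaddress.ip_network(p) for p in self.routes)


def simulate_traceroute(path, destination, live_hosts, max_hops=MAX_HOPS):
    """Step the TTL from 1 upward the way the text describes.

    path:       routers between the source and the destination LAN, in order
    live_hosts: addresses that answer a probe when it reaches them
    Returns [(ttl, responder)]: responder is the near-side address of the router
    that expired the TTL, the destination itself, "<router> !H" for an ICMP
    unreachable from a router without a route, or "*" for a timeout.
    """
    results = []
    for ttl in range(1, max_hops + 1):
        responder = "*"
        remaining = ttl
        for router in path:
            remaining -= 1                          # each hop decrements the TTL
            if remaining == 0:
                responder = router.near_side        # TTL expired: ICMP time exceeded
                break
            if not router.has_route(destination):
                responder = f"{router.near_side} !H"   # no route: ICMP unreachable
                break
        else:
            if destination in live_hosts:           # probe survived every router
                responder = destination
        results.append((ttl, responder))
        if responder == destination or responder.endswith("!H"):
            break                                   # nothing further to learn
    return results


# Constructed model of the lab path PC1 -> R1 -> R2 -> SRV1. Addresses come from the
# Job Aids table where legible; 10.10.2.2 for the R1-R2 link is a placeholder.
LAB_PATH = (
    Router("10.10.1.1", frozenset({"10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"})),
    Router("10.10.2.2", frozenset({"10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"})),
)
LAB_HOSTS = {"10.10.3.30"}

if __name__ == "__main__":
    for target in ("10.10.3.30", "10.10.3.40", "10.10.4.40"):
        print(target, simulate_traceroute(LAB_PATH, target, LAB_HOSTS))
```

Running it for 10.10.3.40 yields two router hops followed by 28 rows of "*", which is exactly why the real command has to be interrupted or left to exhaust its 30 hops; for 10.10.4.40 the second TTL already produces the unreachable from R1, matching the "U" the ping showed earlier.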
It continues to increase the TTL until the final destination responds.

Step 10 Verify Telnet reachability for SRV1. Verify that the prompt shows SRV1, then terminate the Telnet session with the exit command. Log in with the password Cisco123.

    PC1# telnet 10.10.3.30
    <... output omitted ...>
    SRV1> exit
    [Connection to 10.10.3.30 closed by foreign host]
    PC1#

Step 11 Verify that SRV1 is running an HTTP service on TCP port 80 by using the telnet command. Because you cannot mimic the behavior of a web browser from the Telnet CLI, enter a few random characters and press Enter. SRV1 returns an error message and terminates the connection.

    PC1# telnet 10.10.3.30 80
    Trying 10.10.3.30, 80 ... Open
    <... output omitted; the server answers with a "Bad Request" error and closes the connection ...>

Remember that Telnet uses TCP to test connectivity. By default, it will connect to port 23, but you can also specify other ports.

Step 12 Demonstrate that SRV1 is not running an FTP service on TCP port 21 by using the telnet command.

    PC1# telnet 10.10.3.30 21
    <... output omitted ...>
    PC1#

Step 13 Display the ARP cache on PC1, verifying that it has an entry that associates the IP address and MAC address of its default gateway. The default gateway is the IP address of the Ethernet1/1 interface (10.10.1.1) of R1.

    PC1# show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.10.1.10               -  <... omitted ...> ARPA   Ethernet0/0
    <... output omitted ...>

Note: The MAC addresses might differ in your output.

Step 14 Display the ARP cache on R1, verifying that it has an entry that associates the IP address and MAC address of PC1.

    R1# show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    <... output omitted ...>

Note: The MAC addresses might differ in your output.

Step 15 Access the console of SW1 and display its MAC address table. Observe the switch ports that are associated with the MAC addresses of PC1 and R1.

    SW1# show mac address-table
    <... output omitted ...>
    Total Mac Addresses for this criterion: 2

Note: The MAC addresses might differ in your output.

This is the end of the discovery lab.

Troubleshooting Physical Connectivity Issue
Inevitably, troubleshooting processes involve a component of hardware troubleshooting.
There are three categories of issues that could be the cause of a failure on the network: hardware failures, software failures (bugs), and configuration errors. A fourth category might be performance problems, but performance problems are a symptom, not the cause of a problem.

After you have used the ping and traceroute utilities to determine that a network connectivity problem exists and where it exists, check to see if there are physical connectivity issues before you get involved in more complex troubleshooting. You could spend hours troubleshooting a situation only to find that a network cable is loose or malfunctioning.

If you have physical access to devices that you suspect are causing network problems, you can save troubleshooting time by looking at the port LEDs. The port LEDs show the link status and can indicate an error condition. If a link light for a port is not on, make sure that both ends of the cable are plugged into the correct ports.

The interfaces that the traffic passes through are another component that is always worth verifying when you are troubleshooting performance-related issues and you suspect the hardware to be at fault. The interfaces are usually one of the first things that you would verify while tracing the path between devices. The output of the show interfaces command lists important statistics that should be checked. The first line of the output from this command tells you whether an interface is up or down.

Troubleshooting Physical Connectivity Issue (Cont.)
To verify the interface status, use the show interfaces command. You might need to perform the following:
+ Make sure that you have the correct cable for the type of connection that you are making.
+ Try replacing a suspect cable with a known good cable.
+ Enable the interface.

[Figure: show interfaces output; the first line reports whether the interface is up and whether the line protocol is up.]

Troubleshooting Physical Connectivity Issue (Cont.)
The output of the show interfaces command also displays the following important statistics:
+ Input queue drops: Input queue drops (and the related ignored and throttle counters) signify that at some point more traffic was delivered to the router than it could process. This situation does not necessarily indicate a problem because it could be normal during traffic peaks. However, it could be an indication that the CPU cannot process packets in time. So if this number is consistently high, you should try to determine at which moments these counters are increasing and how this increase relates to the CPU usage.
+ Output queue drops: Output queue drops indicate that packets were dropped due to congestion on the interface. Seeing output drops is normal at any point where the aggregate input traffic is higher than the output traffic. During traffic peaks, packets are dropped if traffic is delivered to the interface faster than the interface can send it out. However, although this is considered normal behavior, it leads to packet drops and queuing delays, so applications that are sensitive to packet drops and queuing delays, such as VoIP, might suffer from performance issues. Consistent output drops might indicate that you need to implement an advanced queuing mechanism to provide good QoS to each application.
+ Input errors: Input errors indicate errors that are experienced during the reception of the frame, such as CRC errors. High numbers of CRC errors could indicate cabling problems, interface hardware problems, or, in an Ethernet-based network, duplex mismatches.
+ Output errors: Output errors indicate errors, such as collisions, during the transmission of a frame. In most Ethernet-based networks, full-duplex transmission is the norm and half-duplex transmission is the exception. In full-duplex operation, collisions cannot occur.
Therefore, collisions, especially late collisions, often indicate duplex mismatches.

A common cause of interface errors is mismatched duplex settings between two ends of an Ethernet link. Most Ethernet links today operate in full-duplex mode, and point-to-point Ethernet links should always run in full-duplex mode. While collisions were formerly seen as normal occurrences for an Ethernet link, collisions today often indicate that duplex negotiation has failed and that the link is not operating in the correct duplex mode. Half-duplex mode is relatively rare today, and you typically see it in environments that use hubs. However, half duplex on both ends of a connection still performs better than a duplex mismatch.

Troubleshooting Physical Connectivity Issue (Cont.)
A common cause of performance problems in Ethernet-based networks is a duplex or speed mismatch between two ends of a link.
+ Duplex configuration guidelines:
  - Point-to-point Ethernet links should always run in full-duplex mode. Half duplex is not common anymore; you can encounter it where hubs are used.
  - Autonegotiation of speed and duplex is recommended on ports that are connected to noncritical endpoints.
  - Manually set the speed and duplex on links between networking devices and on ports connected to critical endpoints.
+ Verify duplex and speed settings on an interface.

Troubleshooting Physical Connectivity Issue (Cont.)
[Figure: show interfaces output showing the negotiated duplex and speed of an interface.]

The IEEE 802.3ab Gigabit Ethernet standard mandates the use of autonegotiation for speed and duplex. Also, although autonegotiation is not mandatory, practically all Fast Ethernet NICs also use it by default. The use of autonegotiation for speed and duplex is the current recommended practice for ports that are connected to noncritical endpoints. You should manually set the speed and duplex on links between networking devices and ports that are connected to critical endpoints, such as servers.
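The counters described above are easiest to act on when they are read programmatically, for instance across every interface on a path. The following example is added here and is not part of the original course: it parses a constructed show interfaces excerpt (laid out like IOS output, not captured from a device) and turns the queue drop, CRC, collision and duplex fields into the findings that the text associates with them.

```python
import re

# Constructed 'show interfaces' excerpt laid out like IOS output; not captured from the lab.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Half-duplex, 100Mb/s
  Input queue: 0/75/12/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 3000 bits/sec, 4 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     10452 packets input, 1338856 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     312 input errors, 312 CRC, 0 frame, 0 overrun, 0 ignored
     8821 packets output, 994012 bytes, 0 underruns
     0 output errors, 40 collisions, 1 interface resets
     0 babbles, 27 late collision, 0 deferred
"""


def _counter(text: str, label: str) -> int:
    """Read the number printed immediately before a counter label."""
    m = re.search(r"(\d+)\s+" + re.escape(label) + r"\b", text)
    return int(m.group(1)) if m else 0


def analyze_interface(text: str):
    """Return (status, metrics, findings) for one 'show interfaces' block."""
    first = text.strip().splitlines()[0]
    m = re.match(r"(\S+) is (.+?), line protocol is (\S+)", first)
    if not m:
        raise ValueError("first line does not look like 'show interfaces' output")
    status = {"name": m.group(1), "admin": m.group(2), "protocol": m.group(3)}

    duplex = re.search(r"(Full|Half)-duplex", text)
    queue = re.search(r"Input queue: \d+/\d+/(\d+)/\d+.*?Total output drops: (\d+)", text)
    metrics = {
        "duplex": duplex.group(1).lower() if duplex else "unknown",
        "input_queue_drops": int(queue.group(1)) if queue else 0,
        "output_drops": int(queue.group(2)) if queue else 0,
        "input_errors": _counter(text, "input errors"),
        "crc": _counter(text, "CRC"),
        "collisions": _counter(text, "collisions"),
        "late_collisions": _counter(text, "late collision"),
    }

    # Map each counter to the interpretation the text gives it.
    findings = []
    if status["admin"] != "up" or status["protocol"] != "up":
        findings.append("link down: check the cable, the far end, and whether the interface is shut down")
    if metrics["late_collisions"]:
        findings.append("late collisions: duplex mismatch is the usual cause")
    if metrics["crc"]:
        findings.append("CRC errors: faulty cable, interface hardware, or a duplex mismatch")
    if metrics["duplex"] == "half":
        findings.append("half duplex: verify the far end; point-to-point links should run full duplex")
    if metrics["input_queue_drops"]:
        findings.append("input queue drops: more traffic arrived than the device could process; correlate with CPU usage")
    if metrics["output_drops"]:
        findings.append("output drops: congestion on the interface; drop-sensitive traffic such as VoIP may suffer")
    return status, metrics, findings


if __name__ == "__main__":
    for finding in analyze_interface(SAMPLE_SHOW_INTERFACES)[2]:
        print("-", finding)
```

Late collisions together with CRC errors on a half-duplex port is the classic duplex-mismatch signature; the input queue drops in the sample are reported separately because they point at the device's processing capacity rather than at the link.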
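The speed and duplex table that follows enumerates combinations one by one. The example below, added here and not part of the original course, encodes the rules behind those rows in a single function (parallel detection when one end is fixed, half-duplex fallback at 10/100 Mbps, full duplex only at 1000 Mbps, no link on a speed mismatch), so that every row can be derived rather than memorised. Like the table, it assumes that both ends are capable of 1000 Mbps full duplex.

```python
# Assumption carried over from the table: both ends can do 1000 Mbps full duplex.
MAX_CAPABILITY = (1000, "full")

MISMATCH = "duplex mismatch: performance issues, intermittent connectivity, loss of communication"


def _fallback_duplex(speed: int) -> str:
    """Duplex a port assumes when it detects the speed but learns nothing about duplex."""
    return "full" if speed == 1000 else "half"   # gigabit is full duplex only


def _no_negotiation_comment(result, who: str) -> str:
    speed, duplex = result
    return (f"link established, but the {who} sees no autonegotiation information "
            f"and defaults to {speed} Mbps {duplex} duplex")


def link_outcome(nic, switch):
    """Predict (nic_result, switch_result, comment) for one NIC/switch setting pair.

    A setting is the string "auto" or a tuple (speed_mbps, "full" | "half").
    Results are tuples of the same shape, or None when no link comes up.
    """
    if nic == "auto" and switch == "auto":
        return MAX_CAPABILITY, MAX_CAPABILITY, "both ends autonegotiate the best common mode"

    if nic == "auto" or switch == "auto":
        # The fixed end sends no autonegotiation frames (no FLP), so the auto end
        # uses parallel detection: it learns the speed only and falls back on duplex.
        fixed = switch if nic == "auto" else nic
        learned = (fixed[0], _fallback_duplex(fixed[0]))
        nic_result, switch_result = (learned, fixed) if nic == "auto" else (fixed, learned)
        who = "NIC" if nic == "auto" else "switch"
        if learned[1] != fixed[1]:
            return nic_result, switch_result, MISMATCH
        return nic_result, switch_result, _no_negotiation_comment(learned, who)

    # Both ends fixed: speed must agree, and nothing checks the duplex for you.
    if nic[0] != switch[0]:
        return None, None, "no link: neither side establishes a link due to speed mismatch"
    if nic[1] != switch[1]:
        return nic, switch, MISMATCH
    return nic, switch, "correct manual configuration"


def outcome_table(pairs):
    """Evaluate many (nic, switch) pairs at once, e.g. to regenerate the whole table."""
    return [(nic, sw, *link_outcome(nic, sw)) for nic, sw in pairs]


if __name__ == "__main__":
    for row in outcome_table([("auto", "auto"), ((100, "full"), "auto"), ((100, "full"), (1000, "full"))]):
        print(row)
```

The two rows that bite in practice are the ones where a fixed full-duplex end meets an autonegotiating end: the link comes up, so nothing looks broken, yet one side runs half duplex and the late-collision counter climbs.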
However, if duplex negotiation fails for some reason, you might have to set the speed and duplex manually on both ends. Typically, it would mean setting the duplex mode to full duplex on both ends of the connection.

The table summarizes possible settings of speed and duplex for a connection between a switch port and an end-device NIC. The table gives just a general idea about speed and duplex misconfiguration combinations.

Speed and Duplex Settings for End-Device NIC and Switch Connections

Configuration NIC (Speed, Duplex) | Configuration Switch (Speed, Duplex) | Resulting NIC (Speed, Duplex) | Resulting Switch (Speed, Duplex) | Comments
AUTO | AUTO | 1000 Mbps, full duplex | 1000 Mbps, full duplex | Assuming that the maximum capability of the Cisco Catalyst switch and NIC is 1000 Mbps, full duplex.
1000 Mbps, full duplex | AUTO | 1000 Mbps, full duplex | 1000 Mbps, full duplex | A link is established, but the switch does not see any autonegotiation information from the NIC. Because Cisco Catalyst switches support only full-duplex operation with 1000 Mbps, they default to full duplex. This change happens only when operating at 1000 Mbps.
AUTO | 1000 Mbps, full duplex | 1000 Mbps, full duplex | 1000 Mbps, full duplex | Assuming that the maximum capability of the NIC is 1000 Mbps, full duplex.
1000 Mbps, full duplex | 1000 Mbps, full duplex | 1000 Mbps, full duplex | 1000 Mbps, full duplex | Correct manual configuration.
100 Mbps, full duplex | 1000 Mbps, full duplex | No link | No link | Neither side establishes a link due to a speed mismatch.
100 Mbps, full duplex | AUTO | 100 Mbps, full duplex | 100 Mbps, half duplex | A duplex mismatch can result in performance issues, intermittent connectivity, and loss of communication.
AUTO | 100 Mbps, full duplex | 100 Mbps, half duplex | 100 Mbps, full duplex | A duplex mismatch can result in performance issues, intermittent connectivity, and loss of communication.
100 Mbps, full duplex | 100 Mbps, full duplex | 100 Mbps, full duplex | 100 Mbps, full duplex | Correct manual configuration.
100 Mbps, half duplex | AUTO | 100 Mbps, half duplex | 100 Mbps, half duplex | A link is established, but the switch does not see any autonegotiation information from the NIC and defaults to half duplex when operating at 10/100 Mbps.
10 Mbps, half duplex | AUTO | 10 Mbps, half duplex | 10 Mbps, half duplex | A link is established, but the switch does not see FLP; it defaults to 10 Mbps, half duplex.
10 Mbps, half duplex | 100 Mbps, half duplex | No link | No link | Neither side establishes a link due to a speed mismatch.
AUTO | 100 Mbps, half duplex | 100 Mbps, half duplex | 100 Mbps, half duplex | A link is established, but the NIC does not see any autonegotiation information; it defaults to 100 Mbps, half duplex.
AUTO | 10 Mbps, half duplex | 10 Mbps, half duplex | 10 Mbps, half duplex | A link is established, but the NIC does not see FLP; it defaults to 10 Mbps, half duplex.

Identification of Current and Desired Path
When you are sure that you have eliminated any physical connectivity issues, you can move on to more in-depth troubleshooting, such as troubleshooting routing and switching issues.

To troubleshoot Layer 3 connectivity, you need a good understanding of the processes that are involved in routing a packet from a host across multiple routers to the final destination. Consider the scenario in which you are unable to send an email through the SMTP server at 172.16.1.100.

Identification of Current and Desired Path (Cont.)
[Figure: PC1 connects to the Branch router, which connects to the Headquarters router and on to the Server at 172.16.1.100. Display the routing table on the Branch router.]

As you study the network that the figure shows, you should ask yourself these questions:
+ Which decisions will PC1 make, what information does it need, and which actions will it perform to successfully send a packet that is destined for the Server to the first-hop router Branch?
+ Which decisions will the router Branch make, what information does it need, and which actions will it perform to successfully send the packet from PC1 that is destined for the Server to the router Headquarters?

On the router, use the show ip route command to examine the routing table. In the example, the problem is that the routing table on the Branch router does not have the route to the Server (172.16.1.100).

Routing Table
[Figure: sources of routing table entries. Directly connected: the router attaches to this network. Local host routes: the local IP address on the router interface. Static routing: a system administrator enters routes manually. Dynamic routing: the router learns routes by exchanging routing information. Default route: used when no explicit route to the network is known. The figure also lists the routing table codes.]

The routing tables can be populated by these methods:
+ Directly connected networks: This entry comes from having router interfaces that are directly attached to network segments. This method is the most certain method of populating a routing table. If the interface fails or is administratively shut down, the device will remove the entry for this network from the routing table. The administrative distance is 0 and will therefore pre-empt all other entries for this destination network. Entries with the lowest administrative distance are the best, most-trusted sources.
+ Local host routes: This entry comes from the local IP address on the router interface. The subnet mask represents the host route.
+ Static routes: A system administrator manually enters static routes directly into the configuration of a router. The default administrative distance for a static route is 1. Therefore, the static routes will be included in the routing table, unless there is a direct connection to this network.
Static routes can be an effective method for small, simple networks that do not change frequently. For larger and unstable networks, a solution with static routes does not scale.
+ Dynamic routes: The router learns dynamic routes automatically when you configure the routing protocol and a neighbor relationship to other routers is established. The information is responsive to changes in the network and updates constantly. There is, however, always a lag between the time that a network changes and when all the routers become aware of the change. The time delay for a router to match a network change is called the convergence time. A shorter convergence time is better for users of the network. Different routing protocols perform differently in this regard. Larger networks require the dynamic routing method because there are usually many addresses and constant changes. These changes require updates to routing tables across all routers in the network, or connectivity is lost.
+ Default routes: A default route is an optional entry that is used when no explicit path to a destination is found in the routing table. You can manually insert the default route, or it can be populated from a dynamic routing protocol.

The show ip route command displays the routing table in a router. The first part of the output explains the codes, presenting the letters and the associated sources of the entries in the routing table.
+ L: Reserved for the local host route.
+ C: Reserved for directly connected networks.
+ S: Reserved for static routes.
+ R: Reserved for RIP.
+ O: Reserved for the OSPF routing protocol.
+ D: Reserved for EIGRP. The letter "D" stands for DUAL, which is the update algorithm that EIGRP uses.

These scenarios show the different actions that a router takes if the destination address in a packet matches or does not match a routing table entry:
+ If the destination address in a packet does not match an entry in the routing table, then the device uses the default route.
  If no default route is configured on the router, the device discards the packet.
+ If the destination address in a packet matches a single entry in the routing table, the router forwards the packet through the interface that is defined in this route.
+ If the destination address in a packet matches more than one entry in the routing table and the routing entries have the same prefix (network mask), the router can distribute the packets for this destination among the routes that are defined in the routing table.
+ If the destination address in a packet matches more than one entry in the routing table and the routing entries have different prefixes (network masks), the router forwards the packets for this destination out of the interface that is associated with the route that has the longer prefix match.

Using SPAN for Troubleshooting
A traffic sniffer can be a valuable tool for monitoring and troubleshooting a network. Properly placing a traffic sniffer to capture a traffic flow but not interrupt it can be challenging.

When local area networks were based on hubs, connecting a traffic sniffer was simple. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except the port on which it was received. Therefore, a traffic sniffer that is connected to a hub port could receive all traffic in the network.

Modern local networks are essentially switched networks. After a switch boots, it starts to build up a Layer 2 forwarding table based on the source MAC addresses of the different packets that the switch receives. After the switch builds this forwarding table, it then forwards traffic that is destined for a MAC address directly to the corresponding port. This way, it prevents a traffic sniffer that is connected to another port from receiving the unicast traffic.
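Before moving on to SPAN, the routing-table decision rules listed above (longest prefix match, the default route as a fallback, discarding when nothing matches, and administrative distance between sources for the same prefix) fit in a few lines of code. The example below is added here and is not the course's code; the Branch router tables in it are constructed rather than taken from the figure, and the RIP, OSPF and EIGRP administrative distances are the standard IOS defaults, of which the text itself states only the connected (0) and static (1) values.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances: connected (0) and static (1) are stated in the text;
# the RIP, OSPF and EIGRP values are the standard IOS defaults.
ADMIN_DISTANCE = {"C": 0, "L": 0, "S": 1, "D": 90, "O": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    code: str       # routing-table code from the list above: L, C, S, R, O, D
    prefix: str     # network/length; "0.0.0.0/0" is the default route
    next_hop: str   # next-hop address or exit interface


def lookup(table, destination):
    """Return the route(s) the router would use for destination, or [] to discard.

    Longest prefix wins.  Among equal prefixes the lowest administrative
    distance wins (IOS installs only that source in the table, so this also
    models which candidate gets installed).  Remaining ties are equal-cost
    routes the router may share traffic across.  A default route (/0) matches
    every address and therefore loses to any more specific entry.
    """
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []                                   # no route, no default: discard
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    best = [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]
    lowest_ad = min(ADMIN_DISTANCE[r.code] for r in best)
    return [r for r in best if ADMIN_DISTANCE[r.code] == lowest_ad]


def next_hops(table, destination):
    """Sorted next hops for destination; empty when the packet would be discarded."""
    return sorted(r.next_hop for r in lookup(table, destination))


# Constructed tables for the Branch router of the scenario above (not the figure's output).
BRANCH_BEFORE = [
    Route("C", "10.1.1.0/24", "Ethernet0/0"),
    Route("L", "10.1.1.1/32", "Ethernet0/0"),
    Route("C", "192.168.12.0/30", "Serial0/0"),
    Route("L", "192.168.12.1/32", "Serial0/0"),
]
BRANCH_AFTER = BRANCH_BEFORE + [
    Route("S", "0.0.0.0/0", "192.168.12.2"),      # default toward Headquarters
    Route("S", "172.16.0.0/16", "192.168.12.2"),  # static summary
    Route("R", "172.16.0.0/16", "192.168.12.6"),  # same prefix via RIP: loses on AD
    Route("R", "172.16.1.0/24", "192.168.12.2"),  # two equal-cost RIP routes to the
    Route("R", "172.16.1.0/24", "192.168.12.6"),  # server subnet: traffic is shared
]

if __name__ == "__main__":
    for dst in ("172.16.1.100", "172.16.5.1", "8.8.8.8"):
        print(dst, "before:", next_hops(BRANCH_BEFORE, dst), "after:", next_hops(BRANCH_AFTER, dst))
```

With BRANCH_BEFORE the server address matches nothing and the packet is discarded, which is the failure in the scenario; with BRANCH_AFTER the /24 beats both the /16 and the default, and the two RIP entries for it are returned together because they are equal-cost paths.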
The SPAN (Switched Port Analyzer) feature was therefore introduced on switches. SPAN allows you to instruct a switch to send copies of the packets that it sees on one port to another port on the same switch, to which a network analyzer or other monitoring device is connected. SPAN copies the traffic that the switch receives and/or sends on the source ports to a destination port for analysis. SPAN does not affect the switching of traffic on the source ports.

If you want to analyze the traffic flowing from PC1 to PC2 in the figure, you first specify a source port: either interface Ethernet0/1, to capture the ingress traffic, or interface Ethernet0/2, to capture the egress traffic. Second, specify interface Ethernet0/3 as the destination port. The traffic flowing from PC1 to PC2 is then copied to that interface, where you can analyze it with a traffic sniffer.

Configuring SPAN
With SPAN, the switch is instructed to copy all the traffic that it sends and receives on a source port to a destination port by configuring a SPAN session:
1. Associate a SPAN session number with the source ports or VLAN.
2. Associate the SPAN session number with the destination port.
3. Verify that the SPAN session has been configured correctly.

The SPAN session is identified by a session number. The first step is to associate a SPAN session with source ports by using the monitor session number source interface interface command. You can optionally specify which traffic you want to monitor on the source interface: to monitor only received traffic, use the rx keyword; to monitor only transmitted traffic, use the tx keyword; to monitor both received and transmitted traffic, use the both keyword.
If you do not specify a direction, both received and transmitted traffic is captured on the interface. Similarly, you associate a destination port with the SPAN session number by using the monitor session number destination interface interface command. Finally, verify that you specified the correct source and destination ports by using the show monitor command.

When configuring SPAN, take note of the following:
+ A destination port cannot be a source port, or vice versa.
+ The destination port is no longer a normal switch port; only monitored traffic passes through that port.

In the example shown in the figure, the objective is to capture all the traffic that is sent between PC1 and PC2, both of which are connected to SW1. A packet sniffer is connected to port FastEthernet0/0. The switch is instructed to copy all the traffic that it sends and receives on port FastEthernet0/2 to port FastEthernet0/0 by configuring a SPAN session.

Troubleshooting Default Gateway Issues
In the absence of a detailed route on the router, or with an incorrect default gateway on the host, communication between two endpoints in different networks will not work.

The show ip interface command also reveals whether an access list is applied to an interface in either direction:

R1# show ip interface Ethernet0/1
<... output omitted ...>
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
<... output omitted ...>

In the discovery lab, the IP access list is applied in the outbound direction to the Ethernet0/1 interface, the one connecting to SRV2. Solve the problem either by removing the statement or by changing it from "deny" to "permit". The example shows the second option.

R1# configure terminal
R1(config)# ip access-list extended Server
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 20 permit tcp any any eq 23
R1(config-ext-nacl)# end

PC1 should now be able to connect to SRV2 using Telnet with the username admin and the password Cisco123.

PC1# telnet 10.10.4.40
Trying 10.10.4.40 ... Open
<... output omitted ...>
[Connection to 10.10.4.40 closed by foreign host]

Note: The traceroute will still not work, because the ACL denies UDP, which Cisco IOS traceroute uses for its probes. (The Windows tracert utility sends ICMP echo requests instead, so on a real Windows host the result would depend on the ICMP entries in the ACL.)

This is the end of the discovery lab.

Challenge
1. Which command would you use to determine whether there are any input or output errors on a GigabitEthernet 0/0 interface?
A. show ip route GigabitEthernet 0/0
B. show ip interfaces GigabitEthernet 0/0
C. show interfaces GigabitEthernet 0/0
D. show mac-address-table
2. Which command would you use to identify the current path to a given destination on a router?
A. show ip route
B. route print
C. show ip interfaces brief
D. show arp
3. Which Cisco IOS command will enable you to see the path that packets are taking on a hop-by-hop basis?
A. path
B. traceroute
C. ping
D. show route
4. Which two statements related to configuring SPAN are true? (Choose two.)
A. The destination port cannot be a source port, or vice versa.
B. The destination port can be the same as the source port.
C. The destination port is no longer a normal switch port; only monitored traffic passes through that port.
D. The source port is no longer a normal switch port; only monitored traffic passes through that port.
5. Which command would show you whether an ACL is applied to the interface GigabitEthernet 0/1?
A. show access lists GigabitEthernet 0/1
B. show access lists
C. show ip interface GigabitEthernet 0/1
D. show interface brief
6. Which command would you use to deny Telnet access from IP address 10.1.1.1 into 10.1.1.2?
A. access list 90 deny tcp 10...
B.
C.
D. access list 101 deny tcp 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0 eq 23
7. Where should extended ACLs be placed in a network?
A. As close to the packet's destination as possible
B. As close to the default gateway as possible
C. As close to the source of the packet as possible
D. As close to a border gateway router as possible

Answer Key
Challenge
1. C
2. A
3. B
4. A, C
5. C
6. D
7. C

Lesson 2: Troubleshooting IPv6 Network Connectivity
Introduction
A customer has called CCS with a complaint involving IPv6 network connectivity problems. A trouble ticket has been issued. After reviewing the trouble ticket, decide whether you are ready to go and resolve the problem or whether you first need to research troubleshooting IPv6 network connectivity.

IPv6 Unicast Addresses
IPv6 unicast addresses are assigned to each node (interface). Their uses are discussed in RFC 4291. The types of unicast addresses are listed below.

Type | Range | Description
Global unicast | 2000::/3 | Assigned by the IANA and used on public networks. They are the equivalent of IPv4 global (public) addresses. ISPs summarize these to provide scalability in the Internet.
Unique local | FC00::/7 | Analogous to IPv4 private addresses. They are used for local communications; the scope is an entire site or organization.
Link-local | FE80::/10 | Automatically configured on every IPv6 interface; the scope is only the physical link. The first 10 bits are 1111 1110 10, so the first hextet can range from FE80 to FEBF.
Anycast | taken from unicast space | Used for specific types of anycast address, such as the subnet-router anycast address.
Reserved | various | 1/256th of the IPv6 address space is reserved for present and future uses.
Loopback | ::1 | Like the 127.0.0.1 address in IPv4, 0:0:0:0:0:0:0:1 (written ::1) is used for internal testing on a device. Unlike IPv4, which dedicates a whole block, IPv6 uses only this single address.
Unspecified | :: | Means "unknown address". In IPv6 this address is represented by 0:0:0:0:0:0:0:0 (written ::) and is typically used in the source address field of a packet when an interface does not yet have an address and is trying to acquire one.

Global Addresses
RFC 4291 specifies the 2000::/3 prefix as the global unicast address space that the IANA may allocate to the RIRs. A global unicast address is an IPv6 address that is created from the global unicast prefix.
The structure of global unicast addresses enables the aggregation of routing prefixes, which limits the number of entries in the global routing table. Global unicast addresses that are used on links are aggregated upward through organizations and eventually to the ISPs.

The IANA assigns global addresses. A global address starts with 2000::/3. The /3 prefix length means that only the first 3 bits are significant in matching the prefix 2000::. The first 3 bits of the first hexadecimal digit, 2, are 001x; the fourth bit, x, is not significant and can be either 0 or 1, so the first hexadecimal digit is a 2 (0010) or a 3 (0011). The other 13 bits of the first hextet (16-bit segment) can each be 0 or 1.

The figure shows how address space can be allocated to RIRs and ISPs. These values are minimum allocations: an RIR receives a /23 or shorter, an ISP a /32 or shorter, and a site a /48 or shorter. A shorter prefix length means more available address space; for example, a site could get a /40 instead of a /48, giving it more addresses, if it can justify it to its ISP. The figure shows a provider-aggregatable model, where the end customer obtains its IPv6 address from the ISP. The end customer can also choose provider-independent address space by going straight to the RIR. In this case, it is not

[Figure: Global unicast address format. Global addresses start with 2000::/3 and are assigned by IANA. Fields: Global Routing Prefix | Subnet ID | Interface ID. The /23 (RIR), /32 (ISP) and /48 (site) sizes shown are minimum allocations; the prefix may be shorter.]

Note: ICANN, the operator of the IANA, allocates IPv6 address blocks to the five RIRs. The current global unicast address assignment from the IANA begins with the binary value 001, or the prefix 2000::/3.
This allocation results in a range of global unicast addresses from 2000:: through 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.

Local Addresses
A block of IPv6 addresses is set aside for local addresses, just as is done with private addresses in IPv4. These local addresses are local only to a particular link or site; therefore, they are never routed outside a particular company network. There are two kinds of local addresses:
+ Unique local addresses: These addresses are similar to the RFC 1918 (Address Allocation for Private Internets) addresses in IPv4 today. Their scope is an entire site or organization. They allow addressing within an organization without the need for a public prefix. Routers forward datagrams using these addresses within the site, but not outside the site to the public Internet. Unique local addresses begin with FC00::/7 (RFC 4193; in practice the locally assigned FD00::/8 half). The older site-local addresses, which in hexadecimal begin with FE followed by C, D, E or F (FEC0::/10), were deprecated by RFC 3879 and should not be used in new deployments.
+ Link-local addresses: The concept of the link-local scope is new to IPv6. These addresses have a smaller scope than site-local addresses; they refer only to a particular physical link (physical network). Routers do not forward datagrams using link-local addresses, not even within the organization; they are only for local communication on a particular physical network segment. These addresses are used for link operations such as automatic address configuration, neighbor discovery, and router discovery. Many IPv6 routing protocols also use link-local addresses. A link-local address begins with FE80::/10.

Note: Technically speaking, any address within the prefix FE80::/10 is a link-local address. This scope includes addresses beginning with FE80:: through FEBF::; the last of these butts up against the FEC0::/10 range assigned to the deprecated site-local scope. In common practice, though, link-local addresses begin with FE80.
IPv6 Unicast Addresses (Cont.)
+ Loopback: ::1
+ Unspecified: ::
+ Reserved: set aside by the IETF
+ Link-local: starts with FE80::/10
+ Unique local: starts with FC00::/7

Loopback Addresses
Just as with IPv4, a provision has been made for a special loopback IPv6 address for testing. Datagrams that are sent to this address loop back to the sending device. In IPv6, however, there is just one address, not a whole block, for this function. The loopback address is 0:0:0:0:0:0:0:1, which is normally written as ::1.

Unspecified Addresses
In IPv4, an IP address containing all zeros has a special meaning: it refers to the host itself and is used when a device does not know its own address. In IPv6, this concept has been formalized, and the all-zeros address is named the unspecified address. It is typically used in the source field of a datagram sent by a device that is seeking to have its IP address configured. With address compression, the all-zeros address becomes just ::.

Reserved Addresses
The IETF reserved a portion of the IPv6 address space for various uses, both present and future. Reserved addresses represent 1/256th of the total IPv6 address space. The lowest address within each subnet prefix (the interface identifier set to all zeros) is reserved as the subnet-router anycast address. The 128 highest addresses within each /64 subnet prefix are reserved for use as anycast addresses.

Assigning IPv6 Addresses
Interface identifiers in IPv6 addresses are used to identify interfaces on a link. They can also be thought of as the "host portion" of an IPv6 address. Interface identifiers must be unique on a specific link. They are 64 bits long and can be dynamically derived from the Layer 2 media and encapsulation.
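The address types above, and the derivation of the interface identifier from the Layer 2 address (the EUI-64 format explained under "Use of EUI-64 Format in IPv6 Addresses" below), can be checked with a few lines of Python. This example is added here and is not from the Cisco guide; the sample addresses and the MAC address aabb.cc00.1800 are constructed for the example. The mac_from_eui64 function is the part a security engineer should notice: an EUI-64 interface ID carries the hardware address (and therefore the vendor OUI) of the host in every packet, which is why privacy extensions (RFC 4941) exist.

```python
import ipaddress


def classify_unicast(addr):
    """Name the address type by the prefixes given in the text above."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast (not unicast)"
    if a in ipaddress.IPv6Network("fe80::/10"):          # FE80:: through FEBF::
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):          # FEC0:: through FEFF::
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):           # first hex digit 2 or 3
        return "global-unicast"
    return "reserved/other"


def is_subnet_router_anycast(addr, prefixlen=64):
    """The lowest address of a subnet (interface ID all zeros) is reserved as
    the subnet-router anycast address and must not be given to a host."""
    a = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network((int(a), prefixlen), strict=False)
    return a == net.network_address


def _mac_bytes(mac):
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError("a 48-bit MAC address is required")
    return octets


def eui64_interface_id(mac):
    """Stretch a 48-bit MAC to a modified EUI-64 interface ID: insert FFFE
    between the OUI (upper 3 bytes) and the serial number (lower 3 bytes),
    and invert the universal/local bit (0x02 of the first byte)."""
    o = _mac_bytes(mac)
    return bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:6]


def eui64_address(prefix, mac):
    """Combine a /64 prefix (manual, or learned from a router advertisement)
    with the EUI-64 interface ID, as 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr):
    """Inverse: if the interface ID carries the FFFE marker, recover the MAC.
    Returns None for identifiers that were not built with EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    for a in ("2001:db8:172:16::100", "fe80::1", "fd00:1::1", "fec0::1", "::1", "::"):
        print(a, "->", classify_unicast(a))
    auto = eui64_address("2001:db8:0:10::/64", "aabb.cc00.1800")
    print("EUI-64 address:", auto, "recovered MAC:", mac_from_eui64(auto))
```

The address produced for aabb.cc00.1800 is the same form as the PC2 address that appears in the IPv6 ACL lab later in this lesson, which is how you can tell from a show ipv6 access-list hit that the host used EUI-64 rather than a manual or randomized interface ID.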
There are several ways to assign an IPv6 address to a device:
+ Static assignment using a manual interface ID
+ Static assignment using an EUI-64 interface ID
+ Stateless autoconfiguration
+ DHCP for IPv6 (DHCPv6)

+ Static assignment using a manual interface ID: One way to statically assign an IPv6 address to a device is to manually assign both the prefix (network) and interface ID (host) portions of the IPv6 address. To configure an IPv6 address on a Cisco router interface and enable IPv6 processing on that interface, use the ipv6 address ipv6-address/prefix-length command in interface configuration mode.
+ Static assignment using an EUI-64 interface ID: Another way to statically assign an IPv6 address is to configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID. To configure an IPv6 address for an interface and enable IPv6 processing on the interface using an EUI-64 interface ID in the low-order 64 bits of the address (host), use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode.
+ Stateless autoconfiguration: As the name implies, autoconfiguration is a mechanism that automatically configures the IPv6 address of a node. In IPv6, it is assumed that non-PC devices, as well as computer terminals, will be connected to the network. The autoconfiguration mechanism was introduced to enable plug-and-play networking of these devices and to help reduce administration overhead.
+ DHCPv6: DHCP for IPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility.
This protocol is the stateful counterpart to IPv6 stateless address autoconfiguration (RFC 2462). Devices can use it separately from, or together with, IPv6 stateless address autoconfiguration to obtain configuration parameters.

Use of EUI-64 Format in IPv6 Addresses
The 64-bit interface identifier in an IPv6 address identifies a unique interface on a link. A link is a network medium over which network nodes communicate using the link layer. The interface identifier can also be unique over a broader scope. Often, an interface identifier is the same as, or is based on, the link-layer (MAC) address of an interface. As in IPv4, a subnet prefix in IPv6 is associated with one link.

The EUI-64 standard explains how to stretch IEEE 802 MAC addresses from 48 to 64 bits. The following figure illustrates this process.

[Figure: EUI-64 interface ID derived from a 48-bit MAC address; FFFE is inserted in the middle and the U/L bit of the first byte is set to 1, meaning universally unique.]

Interface identifiers in global unicast and other IPv6 address types must be 64 bits long and can be constructed in the 64-bit EUI-64 format. The EUI-64 format interface ID is derived from the 48-bit link-layer (MAC) address by inserting the hexadecimal number FFFE between the upper 3 bytes (OUI field) and the lower 3 bytes (serial number) of the link-layer address, and by inverting the universal/local (U/L) bit, the seventh bit of the first byte, so that a universally administered MAC address yields an identifier with this bit set to 1.

Troubleshooting End-to-End IPv6 Connectivity
As with troubleshooting IPv4 connectivity, the troubleshooting process for IPv6 can be guided by structured methods. The overall troubleshooting procedure is the same as for IPv4, with differences that are related to IPv6 specifics. When end-to-end connectivity is not operational, the user will inform the network administrator, who starts the troubleshooting process shown in the figure.

[Figure: Troubleshooting flowchart. Start troubleshooting the connectivity problem; is there a physical connectivity issue?; continue through the checks listed below; stop when end-to-end connectivity is operational.]
When there is no end-to-end connectivity, investigate the following items:
+ If there is an issue with the physical connectivity, solve it by adjusting the configuration or changing the hardware.
+ Make sure that devices determine the correct path from the source to the destination. Manipulate the routing information if needed.
+ Verify that the default gateway is correct.
+ Check that everything about the name resolution settings is correct. There should be a name resolution server that is accessible over IPv4 or IPv6.
+ Verify that there are no ACLs blocking traffic.
After every failed troubleshooting step, a solution should be provided to make the step succeed. The outcome of this process is operational end-to-end connectivity.

Verification of End-to-End IPv6 Connectivity
You can use several verification tools to verify end-to-end IPv6 connectivity:
+ Ping: A successful ping means that the endpoints are able to communicate. This result does not mean that there are no problems; it simply proves that basic IP connectivity is working.
+ Traceroute: The results of traceroute help you determine how far along the path data can successfully travel. Knowing at what point the data fails helps you determine where the issue is.
+ Telnet: Used to test transport layer connectivity to any TCP port over IPv6.
+ Neighbor discovery: Does the same job as ARP in IPv4.

In the following scenario, PC1 wants to access applications on the Server. The figure shows the desired path.

[Figure: Desirable path between PC1 and the Server.]

You can use the ping utility to test end-to-end IPv6 connectivity by providing the IPv6 address as the destination address.
The utility recognizes the IPv6 address when one is provided and uses IPv6 as the protocol to test connectivity. Use the ping utility on the PC to test IPv6 connectivity:

C:\Windows\system32> ping 2001:db8:172:16::100
Pinging 2001:db8:172:16::100 with 32 bytes of data:
<... output omitted ...>
Ping statistics for 2001:db8:172:16::100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
<... output omitted ...>

You can also use the ping utility on the router to test IPv6 connectivity:

Branch# ping 2001:db8:172:16::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:172:16::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

Traceroute is a utility that allows observation of the path between two hosts and supports IPv6. Use the traceroute Cisco IOS command or the tracert Windows command, followed by the IPv6 destination address, to observe the path between two hosts. The trace generates a list of the IPv6 hops that are successfully reached along the path. This list provides important verification and troubleshooting information.
The traceroute utility on the PC allows you to observe the IPv6 path:

C:\Windows\system32> tracert 2001:db8:172:16::100
<... output omitted ...>
Trace complete.

You can also use the traceroute utility on the router to observe the IPv6 path:

Branch# traceroute 2001:db8:172:16::100
Type escape sequence to abort.
Tracing the route to 2001:DB8:172:16::100
<... output omitted ...>

Similar to IPv4, you can use Telnet to test end-to-end transport layer connectivity over IPv6, using the telnet command from a PC, a router, or a switch. When you provide the IPv6 destination address, the protocol stack determines that IPv6 has to be used. If you omit the port number, the client connects to port 23. You can also specify a port number and connect to any TCP port that you want to test: use Telnet to connect to the standard Telnet port 23, or to port 80 to test the availability of the HTTP service. In the example, you can see two connections from a PC to the Server. The first connects to port 23 and tests Telnet over IPv6; the second connects to port 80 and tests HTTP over IPv6. Because this is a plain TCP connection, a failure on one port while another succeeds usually points at an ACL along the path rather than at routing, as the ACL lab later in this lesson shows.

When troubleshooting end-to-end connectivity, it is useful to verify the mappings between destination IP addresses and Layer 2 Ethernet addresses on individual segments. In IPv4, ARP provides this functionality. In IPv6, the neighbor discovery process and ICMPv6 replace ARP. The neighbor discovery table caches IPv6 addresses and their resolved Ethernet physical (MAC) addresses.
As shown in the figure, the netsh interface ipv6 show neighbors Windows command lists all devices that are currently in the neighbor discovery table cache. The information displayed for each device includes the IPv6 address, the physical (MAC) address, and the type of address. From the neighbor discovery table, you can verify that the destination IPv6 addresses map to the correct Ethernet addresses.

[Figure: Neighbor discovery table on a PC (netsh interface ipv6 show neighbors) and on a router (show ipv6 neighbors).]

The figure also shows an example of the neighbor discovery table on a Cisco IOS router, displayed with the show ipv6 neighbors command. The table includes the IPv6 address of the neighbor, the age in minutes since the address was last confirmed reachable, the link-layer address, and the state. The states are explained in the table:

State | Description
INCMP (Incomplete) | Address resolution is being performed on the entry. The source has sent a neighbor solicitation message to the solicited-node multicast address of the target, but it has not received the corresponding neighbor advertisement message.
REACH (Reachable) | The source has received positive confirmation within the last ReachableTime milliseconds that the forward path to the neighbor was functioning correctly. While in the REACH state, the device takes no special action as it sends packets.
STALE | More than ReachableTime milliseconds have elapsed since the device received the last positive confirmation that the forward path was functioning properly. While in the STALE state, the device takes no action until a packet is sent.
DELAY | More than ReachableTime milliseconds have elapsed since the device received the last positive confirmation that the forward path was functioning properly, and a packet was sent within the last DELAY_FIRST_PROBE_TIME seconds. If the device receives no reachability confirmation within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, it sends a neighbor solicitation message and changes the state to PROBE.
PROBE | The device actively seeks a reachability confirmation by resending neighbor solicitation messages every RetransTimer milliseconds until a reachability confirmation is received.

You can also check the following aspects to verify that IPv6 is configured correctly:
+ Is IPv6 routing enabled on the router?
+ Do the interfaces have the IPv6 addresses configured?
+ Which routing protocols are configured for IPv6?

You can use several other commands to verify that IPv6 is configured correctly on routers:
+ Verify that IPv6 routing has been enabled on the router. In the show running-config output, look for the ipv6 unicast-routing command.
+ Verify that the interfaces have been configured with the correct IPv6 addresses. You can use the show ipv6 interface command to display the status and configuration of all IPv6 interfaces.
+ Verify the IPv6 routing protocols that are running on the router using the show ipv6 protocols command.

Identification of Current and Desired IPv6 Path
To verify that the current IPv6 path matches the desired path to a destination, use the show ipv6 route command on a router to examine the routing table. The routing table on the Branch router in the example has a default route configured. The router uses it to route packets to the Server (2001:db8:172:16::100).

Troubleshooting Default Gateway Issues in IPv6
In the absence of a default gateway on a host, communication between two endpoints in different networks will not work.
If a PC needs access to other networks in addition to its directly connected network, a correct configuration of the default gateway is essential. If a PC has to send a packet to a network that is not directly connected, it has to send the packet to the default gateway, which is the first router on the path to the destination. The default gateway then forwards the packet toward the destination.

Note: You will see a percent sign (%), followed by a number, at the end of the IPv6 link-local address and at the end of the default gateway. The number that follows the percent sign is the zone ID, which identifies an interface on the PC; it is not part of the IPv6 address and should be ignored when determining the IPv6 address of the default gateway.

In IPv6, you can configure the default gateway manually or rely on stateless autoconfiguration:
+ With stateless autoconfiguration, the default gateway is advertised to PCs in router advertisements. The IPv6 address that the device advertises inside router advertisements as the default gateway is the link-local IPv6 address of a router interface. Because hosts accept this from unauthenticated router advertisements, any device on the segment that sends router advertisements can make itself the default gateway; if the gateway shown on a host is not the expected router's link-local address, suspect a rogue router advertisement and check the access switch for RA Guard.
+ If you decide to configure the default gateway manually, which is unusual, you can set it either to the global IPv6 address or to the link-local IPv6 address of the router.

Note: A link-local address is intended only for communication within the local network segment or the point-to-point connection that a host is attached to. Link-local IPv6 addresses are assigned from the FE80::/10 prefix.

To verify that a PC has the default gateway set, you can use the ipconfig command on a Windows PC or the ifconfig command on Linux and Mac OS X (on Linux, ip -6 route shows the default route itself). In the example, the PC has its IPv6 default gateway set to the link-local address of the Branch router.
Troubleshooting Name Resolution Issues in IPv6
Because IPv6 addresses are long and difficult to remember, DNS is even more important for IPv6 than for IPv4.

The hosts file serves the function of translating human-friendly host names into the IPv6 addresses that identify and locate a host in an IP network. In some operating systems, the hosts file content is preferred over other methods, such as DNS. Unlike DNS, the hosts file is under the direct control of the local computer administrator. On Windows, the file is located at C:\Windows\System32\drivers\etc\hosts. Other operating systems may have the hosts file in a different location, may use a different file, or may not have it at all. You can open the hosts file in a text editor such as Notepad. Because the hosts file overrides DNS, it is also a common target for tampering; if a name resolves to an unexpected address, inspect the file's contents before suspecting the DNS server.

Troubleshooting Name Resolution Issues in IPv6 (Cont.)
Verify the connectivity to the server using the ping command with the host name as the destination. To verify the static name resolution, verify the connectivity to the Server using the host name Server6 instead of its IPv6 address. The ping should be successful.

Discovery 33: Configure and Verify IPv6 Extended Access Lists
Introduction
This discovery guides you through the configuration of extended IPv6 ACLs. The virtual lab environment is prepared with the devices that are represented in the topology diagram and the connectivity table. All devices have their basic configurations in place, including hostnames and IPv6 addresses. The ACL is configured on R1 and applied inbound on the interface Ethernet0/0, to influence traffic from PC2.
Note: The policy that is defined in the ACL was chosen to demonstrate how ACLs work. The policy does not reflect any real-world application.

Topology
[Figure: PC1 and PC2 connect to SW1; SW1 connects to R1; R1 connects to R2; SRV1 connects to R2.]

The configuration is as follows:
+ All devices have their basic configurations in place, including hostnames, IPv4 addresses, and IPv6 addresses.
+ RIP is configured on R1 and R2 to provide IPv4 routing.
+ Static routes are configured on R1 and R2 to provide IPv6 routing.

Device Details
Device | Interface | Neighbor | IPv4 Address | IPv6 Address
PC1 | Ethernet0/0 | SW1 | 10.10.1.10/24 | 2001:DB8:0:10::/64 (auto)
PC2 | Ethernet0/0 | SW1 | 10.10.1.20/24 | 2001:DB8:0:10::/64 (auto)
SRV1 | Ethernet0/0 | R2 | 10.10.3.30/24 | 2001:DB8:0:3::30/64
SW1 | VLAN 1 | - | 10.10.1.0/24 | 2001:DB8:0:10::/64 (auto)
SW1 | Ethernet0/1 | PC1 | - | -
SW1 | Ethernet0/2 | PC2 | - | -
SW1 | Ethernet0/0 | R1 | - | -
R1 | Ethernet0/0 | SW1 | 10.10.1.1/24 | 2001:DB8:0:10::1/64
R1 | Ethernet0/1 | R2 | 10.1.1.1/30 | 2001:DB8:0:2::1/64
R2 | Ethernet0/1 | R1 | 10.1.1.2/30 | 2001:DB8:0:2::2/64
R2 | Ethernet0/0 | SRV1 | 10.10.3.1/24 | 2001:DB8:0:3::1/64

Note: PCs and SRV1 in the virtual lab environment are simulated as routers, so you use Cisco IOS commands to configure them and to make verifications.

Task 1: Configure and Verify IPv6 Extended Access Lists
To configure an IPv6 extended named ACL, perform the following actions:
1. Create an extended named ACL.
2. Specify the conditions to permit or deny packets.
3. Apply the ACL to an interface.

The examples show the steps to configure an IPv6 ACL. The following table explains the commands that you will use in the configuration.

Command | Description
ipv6 access-list name | Defines an IPv6 access list using a name and enters IPv6 access-list configuration mode.
{permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator port] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator port] | Specifies permit or deny conditions for an IPv6 ACL.
ipv6 traffic-filter name {in | out} | Applies the specified access list to the interface in the inbound or outbound direction.

Note: Each IPv6 ACL has implicit permit rules to enable IPv6 neighbor discovery (permit icmp any any nd-na and permit icmp any any nd-ns); IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. After these implicit permits there is an implicit deny any rule (deny ipv6 any any). Because the implicit permits come after your explicit entries, an explicit deny ipv6 any any (or deny icmp any any) at the end of a list blocks neighbor discovery and breaks IPv6 on the interface unless nd-ns and nd-na are explicitly permitted above it.

Activity
Complete the following steps:

Step 1: Access the console on R1 and configure a named extended IPv6 ACL. The ACL should be named "Example6" and should have the following four statements:
+ The first should deny all UDP traffic.
+ The second should permit TCP from PC2 to any destination, as long as the destination port is 23 (Telnet).
+ The third should deny all other TCP traffic from PC2.
+ The last should explicitly permit all IPv6 traffic.

First, you need to access the console of PC2 and obtain its IPv6 address:

PC2# show ipv6 interface brief
Ethernet0/0            [up/up]
<... output omitted ...>

Note: The IPv6 address in your output may differ, so make sure that you use your IPv6 address, not the one provided in this output.

Now configure the specified ACL on R1.

Step 2: Apply the ACL to the interface Ethernet0/0 in the inbound direction. At the end, leave configuration mode.

R1(config)# interface Ethernet0/0
R1(config-if)# ipv6 traffic-filter Example6 in
R1(config-if)# end

Step 3: Display the configured IPv6 ACL.

R1# show ipv6 access-list Example6
IPv6 access list Example6
<... output omitted ...>

The access list has all four statements in the order in which you configured them. Note that the output does not display the implicit permit statements for neighbor discovery, nor the implicit deny statement that is at the end of every ACL.
The first line of the ACL will block all UDP traffic. SRV1 is configured as the NTP server, but because NTP uses the UDP protocol, the first line in the ACL should block NTP access for PC2. To verify it, access the console of PC2 and configure it to use the SRV1 IPv6 address as an NTP server. Then display the status of NTP on PC2.

PC2# conf t
PC2(config)# ntp server 2001:DB8:0:3::30
PC2(config)# end

Because NTP traffic from PC2 is blocked, you should find that it has not synchronized to SRV1.

PC2# show ntp status
<... output omitted ...>

Step 5
The second line in the ACL explicitly permits Telnet traffic from PC2. Verify that PC2 can successfully use Telnet to the SRV1 IPv6 address. Use the username admin and password Cisco123. At the SRV1 system prompt, use the exit command to terminate the connection.

PC2# telnet 2001:DB8:0:3::30
Trying 2001:DB8:0:3::30 ... Open
Username: admin
Password:
SRV1>exit
[Connection to 2001:DB8:0:3::30 closed by foreign host]

Step 6
The third line in the ACL denies all other TCP traffic from PC2. Verify that PC2 cannot use SSH to reach the SRV1 IPv6 address.

PC2# ssh -l admin 2001:DB8:0:3::30
<... output omitted ...>

Step 7
The fourth line in the ACL, which explicitly permits all IPv6 traffic, should permit any non-UDP traffic from PC2. Verify that PC2 can ping the Server.

PC2# ping 2001:DB8:0:3::30
<... output omitted ...>
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/18 ms

The first three lines do not explicitly specify the ICMP protocol, so any ICMP traffic is permitted by the fourth line in the ACL, which explicitly permits all IPv6 traffic that did not match any of the previous lines.

Step 8
The ACL only applies to traffic coming from PC2. Access the console of PC1 and attempt the same test sequence that you did from PC2. The test uses ICMP and TCP, not UDP. All the tests should succeed.

PC1# telnet 2001:DB8:0:3::30
Trying 2001:DB8:0:3::30 ... Open
<... output omitted ...>
[Connection to 2001:DB8:0:3::30 closed by foreign host]
PC1# ssh -l admin 2001:DB8:0:3::30
<... output omitted ...>
[Connection to 2001:DB8:0:3::30 closed by foreign host]
PC1# ping 2001:DB8:0:3::30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:3::30, timeout is 2 seconds:
Success rate is 100 percent (5/5)

Notice that PC1 can use both Telnet and SSH to the server, whereas PC2 could not, because no ACL is applied toward PC1.

Step 9
Display the ACL again and observe the updated hit counters that are associated with the activity that you just initiated.

R1# show ipv6 access-list Example6
IPv6 access list Example6
    deny udp any any (9 matches) sequence 10
    <... output omitted ...>
    deny tcp host 2001:DB8:0:10:A8BB:CCFF:FE00:1800 any (1 match) sequence 30
    permit ipv6 any any (172 matches) sequence 40

Due to the dynamic nature of the lab environment, the hit counters that you observe are likely to differ from what the example shows.

This is the end of the discovery lab.

Troubleshooting ACL Issues in IPv6

Another cause of an IPv6 network malfunction can be an ACL misconfiguration. In the given scenario, the Telnet connection to the Server is not working and you need to investigate the ACLs that are configured on the router.

[Figure: Troubleshooting ACL Issues in IPv6. Telnet from PC1 to the Server is not working.]

Display IPv6 ACLs that are configured on the router. First, you can verify whether there are any IPv6 ACLs configured on a router. You can use the show ipv6 access-list command. In the example, an ACL that is named Outbound is configured on the router.

Display the placement of the ACL on the interface. Next, verify if an ACL is attached to an interface. Use the show ipv6 interface command. In the example, the ACL that is named Outbound is applied to the GigabitEthernet 0/1 interface in the outbound direction.
Add an ACL entry to allow Telnet. In the example, you verified that an ACL that is named Outbound is configured on the router. The ACL is applied to the GigabitEthernet 0/1 interface in the outbound direction. The ACL permits only the ICMP protocol, which is why ping works. In order to allow Telnet from PC1 to the Server, you need to add an entry in the Outbound ACL to allow the TCP protocol and port 23 for Telnet.

Display the corrected ACLs that are configured on the router. After correcting the ACL, a Telnet connection from PC1 to the Server will be successful.

Discovery 34: Troubleshoot IPv6 Network Connectivity

Introduction
This discovery will give you a chance to do some troubleshooting in an IPv6 environment. The live virtual lab is prepared with the devices that are represented in the topology diagram and the connectivity table. All devices have their basic configurations in place, including hostnames and IP addresses. IPv4 and IPv6 coexist in this network in a dual-stack environment. RIP is configured on the routers to provide IPv4 routing. For IPv6, static routes are configured. Four issues have been introduced on different devices. Your job is to find and fix these issues.

There are only four steps in this discovery. A step describes the complaint that you must address. To get a feeling for troubleshooting activities, try to uncover and resolve the problems before you use the Answer Key for each step. Resolve each issue before moving to the next one. Sometimes, you may have to resolve a previous issue so that the following issues are demonstrated.

Topology
[Topology diagram not reproduced in this extraction.]

Job Aids
All IPv6 addresses start with 2001:db8:0.

The configuration is as follows:
+ All devices have their basic configurations in place, including hostnames, IPv4, and IPv6 addresses.
+ RIP is configured on all four routers to provide IPv4 routing.
+ Static routes are configured on all four routers to provide IPv6 routing.
+ Four issues, related to the PCs' connectivity to the SRVs, exist in the network.

Device Information
[Table of Device, Interface, Neighbor, IPv4 Address, and IPv6 Address for PC1, PC2, SRV1, SRV2, SW1, SW2, and R1 through R4; the values are illegible in this extraction. SRV1 is at 2001:DB8:0:3::30 and SRV2 is at 2001:DB8:0:4::40.]

Note: PCs and SRVs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Troubleshoot IPv6 Network Connectivity

Activity
Complete the following steps:

Step 1
The user at PC1 is complaining of not being able to connect to SRV1. In fact, if the user attempts to ping SRV1, the ping shows that the Server is unreachable.

PC1# ping SRV1
Type escape sequence to abort.
<... output omitted ...>
Success rate is 0 percent (0/5)

The IPv6 address of SRV1 that PC1 is pinging is 2001:DB8:0:4::30. However, this address is not the IPv6 address of the Server. You can verify it by showing the interface status on SRV1 or by comparing the address to the information in the topology diagram and the connectivity table.
SRV1# show ipv6 interface Ethernet0/0
Ethernet0/0 is up, line protocol is up
<... output omitted ...>

If you ping SRV1 using the IPv6 address, you will see that the Server is reachable.

PC1# ping 2001:DB8:0:3::30
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:3::30, timeout is 2 seconds:
Success rate is 100 percent (5/5)

The problem is an incorrect entry for SRV1 in the local host configuration on PC1.

PC1# show running-config | include host
ipv6 host SRV2 2001:DB8:0:4::40
ipv6 host SRV1 2001:DB8:0:4::30

You can resolve the problem by configuring the host entry properly.

PC1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)# ipv6 host SRV1 2001:DB8:0:3::30

When you configure the entry properly, you should be able to ping SRV1 by hostname from PC1.

PC1# ping SRV1
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:3::30, timeout is 2 seconds:
Success rate is 100 percent (5/5)

Step 2
The user on PC2 is having trouble getting to most network resources. In particular, the user needs to access SRV1.

PC2# ping SRV1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:3::30, timeout is 2 seconds:
<... output omitted ...>
Success rate is 0 percent (0/5)

The ping command indicates that there is no route to the destination. That is, PC2 itself does not have a route; it is not the case that its gateway lacks a route.

PC2# show ipv6 route
<... output omitted ...>

The only entry in the IPv6 routing table for PC2 is the multicast route to Null0.

PC2# show ipv6 interface Ethernet0/0
Ethernet0/0 is up, line protocol is up
<... output omitted ...>
  Hosts use stateless autoconfig for addresses.

PC2 is configured for stateless autoconfiguration. It needs to see a router advertisement to properly configure its own IPv6 address and gateway assignment. Why doesn't R2 send the advertisements?

R2# show ipv6 interface Ethernet0/0
Ethernet0/0 is administratively down, line protocol is down
<... output omitted ...>

The cause is that the Ethernet0/0 interface on R2 (the one facing PC2) is administratively down.

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface Ethernet0/0
R2(config-if)# no shutdown
R2(config-if)# end

When you enable the Ethernet0/0 interface, stateless autoconfiguration works properly on PC2. Note that the IPv6 address in your output may be different.

PC2# show ipv6 interface Ethernet0/0
Ethernet0/0 is up, line protocol is up
<... output omitted ...>
  Stateless address autoconfig enabled
<... output omitted ...>

PC2 should now have access to network resources (SRV1 in this case).

PC2# ping SRV1
Type escape sequence to abort.
<... output omitted ...>

Step 3
The user at PC2 is much happier now, being able to access SRV1. However, the user is still having difficulty reaching SRV2. Connectivity is terrible.
When the user attempts to ping SRV2, half of the packets time out.

PC2# ping SRV2
<... output omitted ...>
Success rate is 40 percent (2/5), round-trip min/avg/max = <... output omitted ...>

When the packets consistently alternate between success and timeout, it indicates that there is load balancing going on at a point where one of the paths is valid and the other path is not. Where might this be? You know that the path from PC2 to SRV2 should traverse R2 and R4. Observe R2 to determine if R2 is the point where load balancing occurs.

R2# show ipv6 route
IPv6 Routing Table - default
<... output omitted ...>
S   2001:DB8:0:4::/64 [1/0]
     via 2001:DB8:0:24::2, Ethernet1/1
<... output omitted ...>

There is no load balancing going on for the SRV2 subnet on R2. R2 is directly connected to 2001:DB8:0:2::/64 (the PC2 network), and it forwards all traffic for that network directly from Ethernet0/0. R2 also forwards all traffic that is destined to 2001:DB8:0:4::/64 (the SRV2 network) to R4 via Ethernet1/1. Move to R4 and observe if R4 is the point where load balancing occurs.

R4# show ipv6 route
IPv6 Routing Table - default
<... output omitted ...>
S   2001:DB8:0:2::/64 [1/0]
     via 2001:DB8:0:24::1, Ethernet2/1
C   2001:DB8:0:4::/64 [0/0]
     via Ethernet0/0, directly connected
<... output omitted ...>

The situation is the same on R4. It is directly connected to the SRV2 network, and it forwards all traffic to the PC2 network to R2 via Ethernet2/1.
If the problem is not on the routers, it may be on the endpoints.

SRV2# show ipv6 route
IPv6 Routing Table - default
<... output omitted ...>
C   2001:DB8:0:4::/64 [0/0]
     via Ethernet0/0, directly connected
L   2001:DB8:0:4::40/128 [0/0]
     via Ethernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

Two static default routes are configured on SRV2. One points to R4 and the other points to a nonexistent address. You have to remove the invalid route.

SRV2# conf t
SRV2(config)# no ipv6 route ::/0 2001:DB8:0:4::2
SRV2(config)# end

This should ensure consistent communication between PC2 and SRV2.

PC2# ping SRV2
Type escape sequence to abort.
<... output omitted ...>
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 4
Even though you have successfully solved the problems that the user at PC2 had with access to SRV2, now the user at PC1 is complaining about access to SRV2. SRV2 is running HTTP services on port 80; however, the user is complaining that web access to the Server is not working.

PC1# telnet SRV2 80
Translating "SRV2"...domain server (255.255.255.255)
<... output omitted ...>
PC1# ping SRV2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:4::40, timeout is 2 seconds:
Success rate is 100 percent (5/5)

Remember that Telnet uses TCP to test connectivity. By default, it will connect to port 23, but you can also specify other ports. SRV2 on port 80 is not reachable; however, you can see that ping, which uses ICMP to test connectivity, to SRV2 is successful. SRV2 is reachable, so you have to determine who in the network is blocking the connectivity. Using the traceroute command, you can determine which path PC1 takes to reach SRV2. This action will give you the list of routers to investigate.

PC1# traceroute SRV2
Tracing the route to SRV2 (2001:DB8:0:4::40)
<... output omitted ...>

PC1 takes the path via R1 and R4 to reach SRV2. Investigate if any of these two routers are blocking the web access to SRV2.
R1# show ipv6 access-list
R1#

There is no IPv6 access list configured on R1. What about R4?

R4# show ipv6 access-list
IPv6 access list Outbound
<... output omitted ...>
    permit ipv6 any any (9 matches) sequence 60

R4 has an IPv6 access list configured that is blocking the www access to SRV2. Verify where this access list is applied.

R4# show running-config interface Ethernet0/0
Building configuration...

Current configuration : 189 bytes
!
interface Ethernet0/0
 ip address 10.10.4.1 255.255.255.0
 ipv6 address 2001:DB8:0:4::1/64
 ipv6 traffic-filter Outbound out
end

The IPv6 access list is applied in the outbound direction to the Ethernet0/0 interface, the one connecting to SRV2.

Note: To see if an access list is applied to an interface, you could also use the show ipv6 interface command. However, the output for IPv6 is not the same as for IPv4: the access list part appears only if an access list applies to this interface.

To solve the problem, you have two options. You can either remove the first statement in the access list completely, or you can change it to "permit." The first option is shown here.

R4# conf t
R4(config)# ipv6 access-list Outbound
R4(config-ipv6-acl)# no sequence 10

Note: The command to add or remove a specific rule from the access list is not the same as for IPv4 access lists. You also have to specify the sequence keyword before the sequence number.

PC1 should now be able to connect to SRV2 on port 80; the user should have web access to the Server.

PC1# telnet SRV2 80
Translating "SRV2"...domain server (255.255.255.255)
Trying 2001:DB8:0:4::40, 80 ... Open

This is the end of the discovery lab.

Challenge

1. Which command verifies end-to-end transport layer connectivity for SMTP from a PC over an IPv6 path?
A. ping IPv6_address 25
B. telnet IPv6_address 23
C. telnet IPv6_address 25
D. tracert IPv6_address

2. Based on this output, can this router send a packet to the server at 2001:db8:172:16::100?
[Router output not reproduced in this extraction.]
A. Yes, it can only send to the server at 2001:db8:172:16::100.
B. No, it can only send to the server at 2001:db8:172:16:101:1::1.
C. The router will not be able to send the packet because it does not have a route for this destination.

3. Which three options are valid representations of the IPv6 address 2035:0001:2BC5:0000:0000:087C:0000:000A? (Choose three.)
A. 2035:0001:2BC5::087C:000A
B. 2035:1:2BC5::87C:0:A
C. 2035:0001:2BC5::087C:0000:000A
D. 2035:1:2BC5:0:0:87C:A
E. 2035:1:2BC5:087C:A

4. Which statement is true about the EUI-64 address format of the system ID for stateless autoconfiguration that is used by Cisco?
A. It is the MAC address plus the Site-Level Aggregator.
B. It is the MAC address plus the ISO OUI.
C. It expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits.
D. It does not follow IEEE standards for uniqueness of the address.
E. It is only used by Cisco.

5. Which command will show that the current IPv6 path matches the desired path to reach destinations?
A. show ipv6 address
B. show ipv6 route
C. show ipv6 interface
D. show ipv6 inspect

6. Which type of IPv6 address is advertised inside router advertisements as a default gateway?
A. global unicast
B. loopback
C. reserved
D. link-local

7. Which command verifies whether any IPv6 ACLs are configured on a router?
A. show ipv6 configuration
B. show ipv6 interface
C. show ipv6 access-list
D. show ipv6 route

Answer Key
Challenge
[Answers illegible in this extraction.]

Module 7: Implementing Network Device Security

Introduction
This module describes the steps that are required to secure local and remote access to network devices. It discusses general recommendations on how to improve device hardening. It describes how to configure syslog and how to safely run debugs on Cisco IOS Software.
This module also describes the different stages of the router bootup process, the Cisco IOS File System, and how to manage Cisco IOS images or configuration files. The universality of Cisco IOS images and the idea behind licensing are explained, and students are also shown how to verify the current license and install a new license.

Lesson 1: Securing Administrative Access

Introduction
Your boss sends you to your customer to verify potential security threats. On the customer network devices, you will secure access to a privileged level. The customer may want to know the difference between enabling a password and enabling a secret. The customer may ask you how to secure access to the console line and how to secure remote access by enabling and limiting access to SSH. You will also explain how to protect vty with a standard, numbered ACL.

Network Device Security Overview
Many forms of security threats have emerged because of the rapid growth of the Internet. Viruses, Trojan horse attacks, malicious hackers, and even the employees of an organization are potential security hazards to corporate networks. These threats have the potential to steal and destroy sensitive corporate data, tie up valuable resources, and inflict major damage due to network downtime. This situation may lead to a cost crisis and cripple the company financially. Security breaches are also encountered more frequently in home or private networks.
Everyone has a reason to be concerned.

[Figure: Network Device Security Overview. Network devices are vulnerable to these common threats: remote access threats (unauthorized remote access); local access and physical threats (damage to equipment, password recovery, device theft); environmental threats (extreme temperature, high humidity); electrical threats (insufficient power supply voltage, voltage spikes); maintenance threats (improper handling, poor cabling, inadequate labeling).]

Common threats to network device security and mitigation strategies can be summarized as follows:

+ Remote access threats: Unauthorized remote access is a threat when security is weak in the remote access configuration. Mitigation techniques for this type of threat include configuring strong authentication and encryption for remote access policy and rules, configuration of login banners, use of ACLs, and VPNs.

+ Local access and physical threats: These threats include physical damage to network device hardware, password recovery that is allowed by weak physical security policies, and device theft. Mitigation techniques for this type of threat include locking the wiring closet and allowing access only to authorized personnel. It also includes blocking physical access through a dropped ceiling, raised floor, window, duct work, or other possible point of entry. Use electronic access control and log all entry attempts. Monitor facilities with security cameras.

+ Environmental threats: Temperature extremes (heat or cold) or humidity extremes (too wet or too dry) can present a threat. Mitigation techniques for this type of threat include creating the proper operating environment through temperature control, humidity control, positive air flow, remote environmental alarms, and recording and monitoring.

+ Electrical threats: Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss are potential electrical threats. Mitigation techniques for this type of threat include limiting potential electrical supply problems by installing UPS systems and generator sets, following a preventative maintenance plan, installing redundant power supplies, and using remote alarms and monitoring.

+ Maintenance threats: These threats include improper handling of important electronic components, lack of critical spare parts, poor cabling, and inadequate labeling. Mitigation techniques for this type of threat include using neat cable runs, labeling critical cables and components, stocking critical spares, and controlling access to console ports.

Securing Access to Privileged EXEC Mode
You can secure a router or a switch by using passwords to restrict access. Using passwords and assigning privilege levels is a way to provide terminal access control in a network. It is a form of management plane hardening. You can establish passwords on individual lines, such as the console, and to the privileged EXEC mode. Passwords are case-sensitive.

[Figure: Securing Access to Privileged EXEC Mode. Configure the enable password; configure the enable secret password; verify the configured passwords; encrypt plaintext passwords.]

Note: The passwords that the figure shows are for instructional purposes only. Passwords that are used in an actual implementation should meet the requirements of strong passwords.

The enable password global command restricts access to the privileged EXEC mode. You can assign an encrypted form of the enable password, which is called the enable secret password, by entering the enable secret password command at the global configuration mode prompt with the desired password.
When you configure the enable secret password, it is used instead of the enable password rather than in addition to it.

You can also add a further layer of security, which is particularly useful for passwords that cross the network or are stored on a TFTP server. Cisco provides a feature that allows the use of encrypted passwords. To set password encryption, enter the service password-encryption command in the global configuration mode. Passwords that are displayed or set after you configure the service password-encryption command will be encrypted.

Service password encryption uses type 7 encryption, which is not very secure. There are several tools and web pages available that convert an encrypted password into a plaintext string. On the other hand, the enable secret command uses MD5-type encryption that, to this point, has not been broken. It is recommended that you always use the enable secret password command instead of the enable password command.

Securing Console Access
Use the line console 0 command followed by the password and login subcommands to require login and establish a login password on a console terminal. By default, logging in is not enabled on the console.

[Figure: Securing Console Access. Console password; EXEC timeout.]

Note: Enter the service password-encryption command in the global configuration mode to encrypt the console password. Although this encryption is weak and can be easily decrypted, it is still better than a cleartext password. At least you are protected against exposing the password to casual observers.

The exec-timeout command prevents users from remaining connected to a console port when they leave a station. In the example, when no user input is detected on the console for 5 minutes, the user that is connected to the console port is automatically disconnected.

Securing Remote Access
You can establish an SSH connection to the SSH-enabled device using an SSH client on your PC, such as PuTTY.
When you establish a connection for the first time from a specific computer, you are presented with a security alert window that indicates that the server host key is not cached in the PuTTY cache. By adding the key to the cache, you will avoid seeing this security window every time that you establish an SSH connection from this computer.

[Figure: Securing Remote Access. Virtual terminal password; configuring SSH.]

The line vty 0 15 command, followed by the login and password subcommands, requires login and establishes a login password on incoming Telnet sessions.

You can use the login local command to enable password checking on each user by using the username and secret password that are specified with the username global configuration command. The username command establishes username authentication with encrypted passwords.

The exec-timeout command prevents users from remaining connected to a vty port when they leave a station. In the example, when no user input is detected on a vty line for 5 minutes, the vty session is automatically disconnected.

To configure SSH on a Cisco switch or router, you need to complete the following steps:
1. Use the hostname command to configure the hostname of the device so that it is not Switch (on a Cisco switch) or Router (on a Cisco router).
2. Configure the DNS domain with the ip domain name command. The domain name is required to be able to generate certificate keys.
3. Generate RSA keys that the user will use in authentication. Use the crypto key generate rsa command.
4. Configure the user credentials that the user will use for authentication. By specifying the login local command for vty lines, you are essentially telling the network device to use locally defined credentials for authentication. Configure locally defined credentials using the username username secret password command.
5. (Optional) You can also limit access to a device to users that use SSH and block Telnet with the transport input ssh vty mode command. If you want to support login banners and enhanced security encryption algorithms, force SSH version 2 on your device with the ip ssh version 2 command in the global configuration mode.

[Figure: Securing Remote Access (Cont.). Verify that SSH is enabled; check the SSH connection to the device.]

To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSHv2 is enabled. To check the SSH connection to the device, use the show ssh command.

Discovery 35: Enhance Security of Initial Configuration

Introduction
This discovery lab will guide you through the various aspects of securing administrative access to Cisco IOS devices. You will secure access to the privileged EXEC and see the difference between enable password and enable secret. You will also secure access to the console port. You will enable remote access to the vty lines via Telnet and SSH. You will set SSH as the only acceptable remote access protocol.

The devices are configured as represented in the topology diagram, including their IP addresses. This discovery lab will focus on R1. You will use other devices as sources of remote access connections.

Topology
[Topology diagram not reproduced in this extraction.]

Device Information
[Table of Device, Characteristic, and Value for PC1, PC2, SW1, SW2, and R1 (hostnames, IP addresses, default gateways, and interface descriptions); most values are illegible in this extraction. PC1 is 10.10.1.10/24, PC2 is 10.10.1.20/24, and R1's Ethernet0/0 (10.10.1.1) is the PCs' default gateway.]

Note: PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Secure Access to Privileged EXEC Mode

Activity

Step 1
On R1, access the privileged EXEC with the enable command and the global configuration with the configure terminal command. On R1, enter the following commands:

R1> en
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#

The most commonly used commands are abbreviated in this guided discovery. For example, en for enable and conf t for configure terminal. If there is any confusion, you can attempt tab completion of commands to see the full commands during the discovery execution. For example, en<tab> would expand to enable, and conf<tab> t<tab> would expand to configure terminal.

Step 2
Set the enable password to "Password123" and leave the configuration mode. On R1, enter the following commands:

R1(config)# enable password Password123
R1(config)# end

Step 3
The enable password will now protect access to the privileged EXEC mode. Verify this fact by leaving the privileged EXEC with the disable command, then use enable again, and authenticate with the password "Password123". On R1, enter the following commands:

R1# disable
R1> enable
Password: Password123
R1#

Step 4
View the enable password in the running configuration. On R1, enter the following command:

R1# sh run | inc enable
enable password Password123

By default, the enable password is stored in the configuration as cleartext.

Step 5
Configure an enable secret, setting it to "Secret123."
On R1, enter the following commands:

R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# enable secret Secret123
R1(config)# end

Step 6
When both are present, the enable secret takes precedence over the enable password. Verify that this fact is correct. On R1, enter the following commands:

R1# disable
R1> enable
Password: Password123
Password: Secret123
R1#

The enable password was not accepted to access privileged EXEC mode. The enable secret was required.

Step 7
View the enable password and the enable secret in the configuration. On R1, enter the following command:

R1# sh run | inc enable
<... output omitted ...>

The enable secret is always stored in a protected fashion in the configuration file. Cisco IOS Software on routers supports several encryption types. On production routers, you will most likely find type 8 or type 9. Using type 4 is not recommended due to security risks.

Step 8
Enable the service password-encryption command in the configuration mode. Then revisit how the enable credentials appear in the running configuration. On R1, enter the following commands:

R1# conf t
R1(config)# service password-encryption
R1(config)# end
R1# sh run | inc enable
<... output omitted ...>
enable password 7 <encrypted string>

The enable password command is now protected using the Cisco IOS type 7 encryption algorithm. Understand that type 7 encryption is better than nothing, but it is nowhere near as strong as type 5 MD5. The service password-encryption command will also protect other cleartext passwords that may appear in the configuration file.

Task 2: Secure Console and Remote Access

Activity

Step 1
Enable a password on the R1 console (line console 0) by using the login command with the password command. Set the password to "Console123." Also, set the exec-timeout value to 5 minutes. On R1, enter the following commands:

R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# line con 0
R1(config-line)# login
R1(config-line)# password Console123
R1(config-line)# exec-timeout 5
R1(config-line)# end

The default value for exec-timeout is 10 minutes.
Setting the time longer may be a convenience for the administrator. Setting the time shorter improves security by limiting the time that a session stays up if the administrator physically walks away from the terminal.

Step 2  View the configuration that is now in place on "line con 0."

On R1, enter the following command:

    R1# sh run | section line

Service password-encryption continues to encrypt new passwords as they are defined.

Step 3  Verify the console password by logging out completely from the Cisco IOS CLI session on R1 and then logging back in. Continue by using the enable command to access the privileged EXEC.

On R1, enter the following commands:

    R1# logout

    User Access Verification

    Password: Console123
    R1> en
    Password: Secret123
    R1#

Step 4  In a similar fashion, add a password to the five vty lines (line vty 0 4), setting the credential that is required for remote access to the CLI of R1. Also, for demonstration purposes, set the exec-timeout to the very small value of 0 minutes and 30 seconds.

On R1, enter the following commands:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# line vty 0 4
    R1(config-line)# login
    R1(config-line)# password VtyPass
    R1(config-line)# exec-timeout 0 30
    R1(config-line)# end
    R1#

Step 5  Verify that you can now access the CLI of R1 via Telnet from other systems. Access the PC1 console and connect to 10.10.1.1 via Telnet.

On PC1, enter the following commands:

    PC1# telnet 10.10.1.1
    Trying 10.10.1.1 ... Open

    User Access Verification

    Password: VtyPass
    R1>

The prompt changed from PC1 to R1. You are currently accessing the PC1 console but using PC1 to remotely access the CLI of R1.

Step 6  Verify that you can use this remote connection to access the R1 privileged EXEC with the enable command and the "Secret123" enable secret. Then remain idle for 30 seconds and verify the functioning of the exec-timeout.
On PC1, enter the following commands:

    R1> enable
    Password: Secret123
    R1#
    [Connection to 10.10.1.1 closed by foreign host]
    PC1#

After the exec-timeout expired, the Telnet session was closed. You have returned to the PC1 CLI.

Step 7  Return to the R1 console. If it has been longer than the 5-minute exec-timeout that is set on line con 0, you will have to reauthenticate using "Console123" as the console password and "Secret123" as the enable secret.

Step 8  You will now increase the sophistication of the login process. Instead of using simply a password for remote access, you will require a username and a password. The first step is to define a username in the configuration. Enter the configuration mode and then use the ? to display the options that are available as you configure a username.

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) © 2017 Cisco Systems, Inc.

On R1, enter the following commands:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# username ?
      WORD  User name

The next element of the command line is to specify the username as a freeform WORD. Continue by specifying "admin" as the username, followed by the ? to display the next set of options.

Step 9  On R1, enter the following command:

    R1(config)# username admin ?
      aaa                  AAA directive
      callback-dialstring  Callback dialstring
      callback-line        Associate a specific line with this callback
      nocallback-verify    Do not require authentication after callback
      one-time             Username/password is valid for only one login
      password             Specify the password for the user
      secret               Specify the secret for the user
      (remaining options omitted)

There are several options available, but for this purpose, focus only on "password" and "secret". Understand that the differences regarding the username command are the same as they are with the enable password and the enable secret. Continue by specifying secret as the credential storage option and use the ? to display the next set of options.

Step 10  On R1, enter the following command:

    R1(config)# username admin secret ?
      0  Specifies an UNENCRYPTED secret will follow
      4  Specifies a SHA256 ENCRYPTED secret will follow
      5  Specifies a MD5 ENCRYPTED secret will follow

You can specify a 4 followed by an SHA-256-protected secret or a 5 followed by an MD5-protected secret.
These options allow you to copy the protected secret from one configuration to another. There is also the option to specify a 0 followed by the cleartext secret. Specifying the 0 is optional and generally not used. In this case, you do not have a protected secret to work with. You will simply enter the cleartext secret next.

Step 11  Complete the definition of the username "admin" with the "Cisco123" secret.

On R1, enter the following command:

    R1(config)# username admin secret Cisco123

Step 12  Remain in configuration mode. Use the do command to execute the privileged EXEC show running-config command from within configuration mode. Send the output through the include filter, specifying the "user" string.

On R1, enter the following command:

    R1(config)# do show run | inc user
    username admin secret 4 rweGVdcUZ-RMCynai2USY/Piujen(KFSbe LEGGIAT

The username "admin" is now defined, and its password is stored in the configuration as a Cisco IOS type 4, SHA-256-protected secret.

Step 13  Currently, the vty lines have the login command set without an argument. In this state, authentication is done using the password that is defined on the line itself. If the login command is enhanced with the local argument, then authentication will be accomplished using usernames that are stored in the local running configuration. Enter the vty line configuration mode and configure the login local command. Then leave the configuration mode.

On R1, enter the following commands:

    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# no password
    R1(config-line)# end

Step 14  Remote access authentication should now require a valid username and password. Access the PC1 console and attempt to connect via Telnet to R1 (10.10.1.1) to verify this fact.

On PC1, enter the following commands:

    PC1# telnet 10.10.1.1
    Trying 10.10.1.1 ... Open

    User Access Verification

    Username: admin
    Password: Cisco123
    R1>

Step 15  Recall that the exec-timeout on the vty lines is set to 0 minutes and 30 seconds. Quickly continue to use the remote connection to modify the configuration.
As long as less than 30 seconds pass between keystrokes, the connection should remain open. If you do get logged out, you can return to R1 to enter the configuration changes.

On the PC1 console, while connected via Telnet to R1, enter the following commands:

    R1> enable
    Password: Secret123
    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# line vty 0 4
    R1(config-line)# exec-timeout 10
    R1(config-line)# end
    R1#

You may be accustomed to seeing a "SYS-5-CONFIG_I" syslog message that is displayed when leaving the configuration mode. This message did not appear here. By default, syslog messages are displayed on the console (line con 0) only. In this case, you have a session to a vty line. You can see the syslog message on the R1 console screen.

Changing the configuration via a remote access session is itself a demonstration of the importance of securing administrative access. Without proper security, network attackers could access your network devices and take control of your network.

Step 16  From this remote connection, review the configuration of the vty lines with a filtered show running-config command.

On the PC1 console, while connected via Telnet to R1, enter the following command:

    R1# show run | section line
    line con 0
     exec-timeout 5 0
     password 7 O8024340181E0814
     logging synchronous
     login
    line aux 0
    line vty 0 4
     login local

There is no longer an exec-timeout command on line vty 0 4. Setting the timeout value back to its default value of 10 minutes causes the command to be hidden in the running configuration.

Step 17  Close the remote access connection using either the logout or exit command.

On the PC1 console, while connected via Telnet to R1, enter the following commands:

    R1# logout
    [Connection to 10.10.1.1 closed by foreign host]
    PC1#

From the user or privileged EXEC, you can use the logout and exit commands interchangeably to terminate remote access connections.

Task 3: Enable SSH

Activity

Step 1  On R1, enable SSH. The prerequisite of SSH on Cisco IOS vty lines is having an RSA public-private key pair.
The prerequisite to defining the key pair is to have a hostname and a domain name that are defined. R1 already has a hostname that is configured. Configure "icnd.lab" as the domain name, then generate a 1024-bit RSA public-private key pair.

On R1, enter the following commands:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# ip domain-name icnd.lab
    R1(config)# crypto key generate rsa
    Choose the size of the key modulus in the range of 360 to 4096 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys, keys will be non-exportable...
    [OK] (elapsed time was 0 seconds)

    R1(config)#

Shortly after you generate the RSA key pair, SSH is automatically enabled on the router.

Step 2  There are some security issues that are associated with SSHv1. Limit the options to SSHv2 only, then leave configuration mode.

On R1, enter the following commands:

    R1(config)# ip ssh version 2
    R1(config)# end

Step 3  Both Telnet and SSH should now be options for remote access to R1. Access the PC1 console to verify this fact. First connect via Telnet from PC1 to R1. Disconnect when you are connected.

On PC1, enter the following command:

    PC1# telnet 10.10.1.1
    Trying 10.10.1.1 ... Open
    [Connection to 10.10.1.1 closed by foreign host]

Step 4  Next, test an SSH connection from PC1 to R1.

On PC1, enter the following command:

    PC1# ssh -l admin 10.10.1.1

Note  The "-l" is a dash and a lower-case "L" letter, not a dash with the number 1. Think lower-case "L" for "login."

Step 5  From this remote access connection, examine the vty configuration to understand why both Telnet and SSH are allowed.
It is because "transport input all" is specified on the "line vty 0 4" configuration.

On R1, enter the following command:

    R1# show run | section line
    line con 0
     exec-timeout 5 0
     login
    line aux 0
    line vty 0 4
     login local
     transport input all

Step 6  Because SSH is superior to Telnet from a security perspective, change the transport input option from all to ssh under "line vty 0 4."

On R1, enter the following commands:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# line vty 0 4
    R1(config-line)# transport input ssh
    R1(config-line)# end

Step 7  Terminate this SSH session to return to the local console of PC1.

On R1, enter the following command:

    R1# logout
    [Connection to 10.10.1.1 closed by foreign host]
    PC1#

Step 8  Attempt a Telnet session from PC1 to R1. Because the transport input is now set to SSH only, the Telnet attempt should be rejected.

On PC1, enter the following command:

    PC1# telnet 10.10.1.1
    Trying 10.10.1.1 ...
    % Connection refused by remote host

Step 9  Verify that SSH is still valid for new remote access sessions. Try to connect with SSH one more time from PC1 to R1. Terminate the session after it successfully initiates.

On PC1, enter the following commands:

    PC1# ssh -l admin 10.10.1.1
    Password: Cisco123
    R1> logout
    [Connection to 10.10.1.1 closed by foreign host]
    PC1#

You have explored many options for securing administrative access on Cisco IOS devices during this discovery lab. You used the enable password and the enable secret password to protect the privileged EXEC. You used service password-encryption to provide simple protection to cleartext passwords. You implemented a simple password protection on the console and vty lines. You then went further with the vty lines, requiring a username and password for access and configuring SSH. Feel free to continue exploring these concepts independently within the lab environment. This is the end of the discovery lab.

Limiting Remote Access with ACLs

You can limit access to vty lines to specific IP addresses or subnets in order to control remote administration of network devices.
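The controls from the discovery lab above (enable secret rather than enable password, service password-encryption, login local, SSH-only transport, SSHv2) and the vty source restriction that this section introduces can all be checked off-box by reading the configuration. The following Python script is an added example written for this guide, not Cisco code or lab output: SAMPLE_CONFIG is a constructed excerpt that resembles R1 (the hash fields are placeholders), audit() lists the controls that are missing or weak, and vty_access_report() replays a numbered standard ACL with first-match semantics, the implicit deny and the log flag against sample source addresses taken from the lab topology.

```python
"""Audit admin-access controls in a Cisco IOS running-config excerpt and
simulate the standard ACL that access-class applies to the vty lines.
Added example for this guide, not Cisco code or lab output.  SAMPLE_CONFIG
is constructed to resemble R1 after Discoveries 35 and 36; the hash fields
are placeholders rather than real type 5/7 strings."""
import ipaddress
import re

SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 PLACEHOLDER_MD5_HASH
enable password 7 PLACEHOLDER_TYPE7
ip ssh version 2
access-list 1 permit 10.10.1.10
access-list 1 permit 10.10.1.20
access-list 1 deny   any log
line con 0
 exec-timeout 5 0
 password 7 PLACEHOLDER_TYPE7
 login
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
"""
ACL_RE = re.compile(r"access-list (\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?(?:\s+(log))?\s*$")

def parse_config(text):
    """Split the config into global commands and the children of each 'line' section."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(cmd)
            continue
        current = cmd if cmd.startswith("line ") else None
        if current:
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections

def audit(text):
    """One finding per lesson control that is missing or weak."""
    g, sections = parse_config(text)
    has = lambda prefix, cmds: any(c.startswith(prefix) for c in cmds)
    f = []
    if not has("enable secret", g):
        f.append("global: no enable secret")
    if has("enable password", g):
        f.append("global: enable password still present (type 7 at best); the secret takes precedence")
    if not has("service password-encryption", g):
        f.append("global: service password-encryption off; line passwords stored in cleartext")
    if not has("ip ssh version 2", g):
        f.append("global: SSH not limited to version 2")
    for name, body in sections.items():
        if name.startswith("line vty"):
            if not has("login local", body):
                f.append(f"{name}: login local not set; no per-user credentials")
            if not has("transport input ssh", body):
                f.append(f"{name}: transport input not restricted to SSH")
            if not has("access-class", body):
                f.append(f"{name}: no access-class restricting source addresses")
    return f

def parse_standard_acl(global_cmds, number):
    """Collect the entries of numbered standard ACL `number`, in configuration order."""
    entries = []
    for c in global_cmds:
        m = ACL_RE.match(c)
        if not m or int(m.group(1)) != number:
            continue
        action, src, extra, log = m.group(2), m.group(3), m.group(4), bool(m.group(5))
        if extra == "log":                  # 'deny any log' carries no wildcard field
            extra, log = None, True
        if src == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wildcard = extra, "0.0.0.0"
        else:                               # a bare address means a single host
            base, wildcard = src, extra or "0.0.0.0"
        entries.append({"action": action, "base": base, "wildcard": wildcard, "log": log})
    return entries

def _masked(addr, wildcard):
    """Zero the bits the wildcard marks as 'don't care' (non-contiguous masks work too)."""
    return int(ipaddress.IPv4Address(addr)) & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF

def evaluate(entries, source):
    """First matching entry wins; the implicit deny at the end never logs."""
    for e in entries:
        if _masked(source, e["wildcard"]) == _masked(e["base"], e["wildcard"]):
            return e["action"], e["log"]
    return "deny", False

def vty_access_report(text, sources):
    """Map each candidate source address to (action, logged) under the vty access-class."""
    g, sections = parse_config(text)
    vty = next(body for name, body in sections.items() if name.startswith("line vty"))
    access_class = next(b for b in vty if b.startswith("access-class"))
    entries = parse_standard_acl(g, int(access_class.split()[1]))
    return {s: evaluate(entries, s) for s in sources}
```

Running audit() on SAMPLE_CONFIG reports only the leftover enable password, and vty_access_report() permits the two PC addresses while denying, with a log entry, both SW1 and an address outside the subnet. The report also makes the asymmetry visible that the guide relies on: an explicit "deny any log" matches every rejected source and is logged, whereas the implicit deny at the end of an ACL drops silently.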
Remote administration is commonly run over a Telnet or an SSH connection, where the SSH connection is an encrypted communication channel between the administrator workstation and the device. Usually, there are two steps that you must complete to limit remote access with ACLs:

1. Configure an ACL: The following example shows an ACL being configured with two lines. The first line permits Telnet access from the network addresses in the 10.1.1.0/24 subnet. The second line is not mandatory because there is an implicit deny statement at the end of every ACL. However, creating an explicit deny statement and appending the log keyword allows you to monitor attempts of unauthorized sources trying to access the device.

[Figure: Limiting Remote Access with ACLs. Use an ACL to permit Telnet access from 10.1.1.0/24, but deny and log all other sources:
    Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
    Router(config)# access-list 1 deny any log ]

2. Apply the ACL to the lines: The access-class command applies the ACL on vty lines. Using the in keyword after the name of the ACL tells the router to limit vty connections that are coming into the network device.

Apply the ACL on vty lines:

    Router(config)# line vty 0 15
    Router(config-line)# access-class 1 in

The example uses 16 vty lines (range 0 to 15). In the configuration output, it will appear in two vty line ranges, first from 0 to 4 and second from 5 to 15. If there is no need for more than five vty lines, you may configure only the first range.

Configuring the Login Banner

You can define a customized login banner to be displayed before the username and password login prompts.

[Figure: Configuring the Login Banner. Configure a login banner; a user connecting to the device sees this message.]

To configure a login banner, use the banner login command in global configuration mode. Enclose the banner text in quotation marks or use a delimiter that is different from any character appearing in the banner string.

Note  Use caution when you create the text that is used in the login banner.
Words such as "welcome" may imply that access is not restricted and may allow hackers some legal defense of their actions.

To define and enable an MOTD banner, use the banner motd command in global configuration mode. This MOTD banner is displayed to all terminals that are connected and is useful for sending messages that affect all users (such as impending system shutdowns).

Discovery 36: Limit Remote Access Connectivity

Introduction

This discovery lab will guide you through the remote access limitation by using an ACL. You will implement login and exec banners. The devices are configured as represented in the topology diagram, including IP addresses. This discovery lab will focus on R1. Other devices will be used as sources of remote access connections.

Topology

[Topology diagram: PC1, PC2, SW1, SW2 and R1; not reproduced]

Job Aids

Device Information

Device Information Table

  Device  Characteristic            Value
  PC1     Hostname                  PC1
  PC1     IP address                10.10.1.10/24
  PC1     Default gateway           10.10.1.1
  PC2     Hostname                  PC2
  PC2     IP address                10.10.1.20/24
  PC2     Default gateway           10.10.1.1
  SW1     Hostname                  SW1
  SW1     VLAN 1 IP address         10.10.1.2/24
  SW1     Default gateway           10.10.1.1
  SW1     Ethernet0/0 description   Link to SW2
  SW1     Ethernet0/1 description   Link to PC1
  SW2     Hostname                  SW2
  SW2     VLAN 1 IP address         10.10.1.3/24
  SW2     Default gateway           10.10.1.1
  SW2     Ethernet0/0 description   Link to SW1
  SW2     Ethernet0/1 description   Link to R1
  SW2     Ethernet0/2 description   Link to PC2
  R1      Hostname                  R1
  R1      Ethernet0/0 description   Link to SW2
  R1      Ethernet0/0 IP address    10.10.1.1/24
  R1      Loopback 0 IP address     [illegible in source]
  R1      Enable password           Password123
  R1      Enable secret             Secret123
  R1      Console password          Console123
  R1      Console login mode        line
  R1      vty 0 4 line password     VtyPass
  R1      vty 0 4 login mode        local
  R1      Username / Secret         admin / Cisco123

PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Limit Remote Access with ACLs

Activity

Step 1  Explore the use of ACLs to control the source IP addresses that are allowed to establish remote access sessions to a Cisco IOS device. Before defining new access lists, you should know which access lists exist, to prevent accidental editing of an access list that is already defined. On R1, view the access lists that are in place. To access R1, use the "Console123" console password and the "Secret123" enable secret password.

On R1, enter the following command:

    R1 con0 is now available

    Press RETURN to get started.

    R1# show access-lists
    R1#

On R1, no access lists are configured.

Step 2  Enter the global configuration mode and define a new access list number 1 that permits PC1 (10.10.1.10) and PC2 (10.10.1.20) and explicitly denies all other addresses with the log option enabled.

On R1, enter the following commands:

    R1# conf t
    R1(config)# access-list 1 permit 10.10.1.10
    R1(config)# access-list 1 permit 10.10.1.20
    R1(config)# access-list 1 deny any log

Step 3  Assign access list 1 to the vty lines in the inbound direction using the access-class command, then leave the configuration mode.

On R1, enter the following commands:

    R1(config)# line vty 0 4
    R1(config-line)# access-class 1 in
    R1(config-line)# end
    R1#

Step 4  One at a time, access the PC1, PC2, and SW1 consoles and attempt SSH sessions to R1 (10.10.1.1). The sessions should be successful from PC1 and PC2 but not from SW1.

On PC1, enter the following commands:

    PC1# ssh -l admin 10.10.1.1
    Password: Cisco123
    R1> logout
    [Connection to 10.10.1.1 closed by foreign host]

On PC2, enter the following commands:

    PC2# ssh -l admin 10.10.1.1
    Password: Cisco123
    R1> logout
    [Connection to 10.10.1.1 closed by foreign host]

On SW1, enter the following command:

    SW1# ssh -l admin 10.10.1.1
    % Connection refused by remote host

Step 5  Return to the R1 console. You should find a syslog message that is associated with the access attempt from SW1, which the explicit deny statement at the end of the access list denied. The syslog message is displayed on the R1 console, as follows:

    %SEC-6-IPACCESSLOGNP: list 1 denied 0 10.10.1.2 -> 0.0.0.0, 1 packet

Step 6  On R1, show access list 1 and verify the match counters on each line.

On R1, enter the following command:

    R1# show access-list 1
    Standard IP access list 1
        10 permit 10.10.1.10 (2 matches)
        20 permit 10.10.1.20 (2 matches)
        30 deny   any log (1 match)

When an ACL is applied to the vty lines with the access-class command, each successful connection will increment the match counter on the associated permit statement by two, while each rejected connection will only increment the match counter on the associated deny statement by one.

Task 2: Configure the Login and EXEC Banners

Activity

Step 1  Another access control option that you will explore during this discovery is the use of banner messages. The login banner is displayed before the user logs in, and the EXEC banner is displayed after a successful login. Start by configuring a login banner on R1.

On R1, enter the following commands:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# banner login $ Access for authorized users only. Enter your valid credentials for access: $

Step 2  Also, configure an EXEC banner on R1 and then leave the configuration mode.

On R1, enter the following commands:

    R1(config)# banner exec $ If you are not authorized, LOGOUT IMMEDIATELY $
    R1(config)# end

Step 3  Access the PC1 console and execute an SSH connection to R1. You should see the login banner before entering the password, and you should see the EXEC banner after authentication and before the first user EXEC prompt is displayed.

On PC1, enter the following commands:

    PC1# ssh -l admin 10.10.1.1
    Access for authorized users only. Enter your valid credentials for access:
    Password: Cisco123
    If you are not authorized, LOGOUT IMMEDIATELY
    R1> logout
    [Connection to 10.10.1.1 closed by foreign host]
    PC1#

You have explored how to limit remote access connections during this discovery. You have limited authorized remote access systems with ACLs. You finished with a simple demonstration of the login and EXEC banners. Feel free to continue exploring these concepts independently within the lab environment. This is the end of the discovery lab.

Challenge

1. High levels of humidity posing a danger to devices operating properly can be considered to be which of the following types of threats?
   A. remote access threats
   B. local access and physical threats
   C. environmental threats
   D. electrical threats
   E. maintenance threats

2. Which of the following commands will encrypt plaintext passwords on routers?
   A. password encryption
   B. service password-encryption
   C. service encryption
   D. enable secret

3. Which of the following commands enables you to configure the parameters for console access?
   A. line console 0
   B. line console
   C. login console 0
   D. login console

4. Which of the following is the correct command to generate RSA keys that the user will use during authentication, when connecting over SSH to a router?
   A. crypto key generate rsa
   B. crypto generate key rsa
   C. crypto rsa generate
   D. crypto generate rsa

5. Choose the valid configuration to restrict remote users by applying an ACL to vty lines.
   A. router(config)# line vty 0 15
      router(config-line)# access-group 1 in
   B. router(config)# line vty 0 15
      router(config-line)# access-list 1 in
   C. router(config)# line vty 0 15
      router(config-line)# access-class 1 in
   D. router(config)# line vty 0 15
      router(config-line)# ip access-group 1 in

6. Which of the following banners should be used to show information that should be hidden from unauthorized users?
   A. MOTD
   B. Login
   C. EXEC

7. Ensuring that the cable runs are neat is a mitigation for which kind of threat?
   A. remote access threats
   B. environmental threats
   C. electrical threats
   D. maintenance threats

Answer Key

Challenge

Lesson 2: Implementing Device Hardening

Introduction

Your boss sends you to your customer to secure unused ports. When discussing how to secure ports, you will introduce the interface range command. You will discuss the lack of control over utilized ports and present port security as a possible solution. You will also explain the need to disable unused services. Your customer wants to implement the correct system time, so you will introduce NTP and demonstrate an NTP configuration example.

Securing Unused Ports

Unused ports on a switch can be a security risk. A hacker can plug a switch into an unused port and become part of the network. Therefore, unsecured ports can create a security hole.

[Figure: Securing Unused Ports. Be aware of the following aspects of unused ports: unsecured ports can create a security vulnerability; a device that is plugged into an unused port is added to the network.]

Unused ports can be secured by disabling interfaces (ports).

Disabling an Interface (Port)

A simple method that many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch.

[Figure: Disabling an Interface (Port). To shut down multiple ports, use the interface range command and then the shutdown command.]

[Figure: Disabling an Interface (Port) (Cont.). The Fa0/1 and Fa0/2 interfaces are disabled in the example:
    SwitchX(config)# interface range FastEthernet 0/1 - 2
    SwitchX(config-if-range)# shutdown ]

Imagine, for example, that the Cisco switch has 24 ports.
If there are 3 Fast Ethernet connections in use, then practicing good security demands that you disable the 21 unused ports. It is simple to disable multiple ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command. An alternate way to shut down multiple ports is to use the interface range command. If a port needs to be activated, you can manually enter the no shutdown command on this interface.

The process of enabling and disabling ports can become a tedious task, but the enhanced security on your network is well worth the effort.

To make the configuration more secure, add unused ports into an unused VLAN. Use the vlan command to create a new VLAN, and use the switchport access vlan interface command to add ports into the VLAN.

Port Security

Now that you know about protecting unused ports, you need to learn how to protect the ports that are in use. You can use the port security feature of Cisco IOS Software to restrict access to a switch port based on MAC addresses. A port that is configured with port security accepts frames only from secure MAC addresses. You can configure a device to learn these addresses dynamically, or you can configure them statically.

[Figure: Port Security. Several implementations of port security follow: static learning; dynamic learning; a combination of static and dynamic learning; sticky learning.]

Several implementations of port security follow:

+ Static learning: You can statically configure specific MAC addresses that are permitted to use a port. The source MAC addresses that you do not specifically permit are not allowed to source frames to the port.

+ Dynamic learning: You can specify how many MAC addresses are permitted to use a port at one time. Use the dynamic approach when you care only about how many MAC addresses are permitted to use the port, rather than which MAC addresses are permitted.
  If a port on which dynamic learning is configured has a link-down condition, all dynamically learned addresses are removed. Following a bootup, a reload, or a link-down condition, port security does not populate the address table with dynamically learned MAC addresses until the port receives ingress traffic. Depending on how you configure the device, dynamically learned addresses age out after a certain period and new addresses are learned, up to the maximum that you have defined.

+ A combination of static and dynamic learning: You can specify some of the permitted MAC addresses and let the switch learn the rest of the permitted MAC addresses. For example, you could limit the number of MAC addresses to four and statically configure two of the MAC addresses. The switch would then dynamically learn the next two MAC addresses that it received on this port. The two statically configured addresses would not age out, but the two dynamically learned addresses could age out, depending on your configuration.

+ Sticky learning: When you configure sticky learning on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. This feature adds the dynamically learned addresses to the running configuration as if they were statically configured. If you save the running configuration to NVRAM, port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup configuration file, and the port does not have to learn addresses from ingress traffic after a bootup or a restart. Sticky secure addresses do not age out.

When a frame arrives on a port for which port security is configured, its source MAC address is checked against the secure MAC address table. If the source MAC address matches an entry in the table for this port, the device forwards the frame to be processed.
Otherwise, the device does not forward the frame.

When port security is configured on a port, the following situations are considered security violations:

+ The maximum number of secure MAC addresses has been added to the address table, and a host whose MAC address is not in the address table attempts to access the interface.

+ A host with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN.

[Figure: Port Security (Cont.). When a security violation occurs, you can configure the device to take one of the following actions: protect; restrict; shutdown.]

You can configure the device to take one of the following actions when a security violation occurs:

+ Protect: The protect violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.

+ Restrict: The restrict violation mode also drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. However, it also generates a log message and causes the security violation counter to increment.

+ Shutdown: The shutdown violation mode puts the interface into an error-disabled state immediately. The entire port is shut down. Also, in this mode, the system generates a log message, sends an SNMP trap, and increments the violation counter. To make the interface usable, you must use a manual intervention or the error-disabled recovery. Shutdown is the default violation mode.

When the port security violation mode is set to shutdown, the port with the security violation goes to the error-disabled state. You receive this notification on the device:

    %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
    %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down

To make the interface operational again, you need to disable the interface administratively and then enable it again, as shown here:

    Switch(config)# interface FastEthernet 0/5
    Switch(config-if)# shutdown
    Switch(config-if)# no shutdown
    %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up

You can specify how secure MAC address aging occurs on a port by configuring either absolute or inactivity aging. When you configure absolute aging, all of the dynamically learned secure addresses age out when the aging time expires. When you configure inactivity aging, the aging time defines the period of inactivity after which all of the dynamically learned secure addresses age out. You can also specify the aging time.

You can configure port security only on static access ports or trunk ports. You cannot configure port security on an interface in the default mode (dynamic auto).

Configuring Port Security

To configure port security to limit and identify the MAC addresses of stations that are allowed to access the port, do as follows:

[Figure: Configuring Port Security. 1. Enable port security. 2. Set the MAC address limit. 3. Specify the allowed MAC addresses (optional). 4. Define the violation action.
    SwitchX(config)# interface FastEthernet 0/5
    SwitchX(config-if)# switchport mode access
    SwitchX(config-if)# switchport port-security
    SwitchX(config-if)# switchport port-security maximum 1
    SwitchX(config-if)# switchport port-security mac-address sticky
    SwitchX(config-if)# switchport port-security violation shutdown ]

The figure shows how to enable sticky port security on the FastEthernet0/5 port of SwitchX. Port security limits the number of valid MAC addresses that are allowed on a port.
When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single MAC address to this port, only the workstation with this particular secure MAC address can successfully connect to this switch port. If you configure a port as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a workstation that is attempting to access the port is different from any of the identified secure MAC addresses.

Note  Before port security can be activated, you must set the port mode to "access" or "trunk" using the switchport mode access | trunk command.

Use the switchport port-security interface command without keywords to enable port security on an interface. Use the switchport port-security interface command with keywords to configure a secure MAC address, a maximum number of secure MAC addresses, or the violation mode. Use the no form of this command to disable port security or to set the parameters to their default states.

You can also configure the maximum number of secure MAC addresses. In this figure, you can see the Cisco IOS command syntax that you use to set the maximum number of MAC addresses to one (switchport port-security maximum 1).

You can add secure addresses to the address table after setting the maximum number of secure MAC addresses that are allowed on a port in these ways:

+ Manually configure all of the addresses (switchport port-security mac-address 0008.ceee.ecee).

+ Allow the port to dynamically configure all of the addresses (switchport port-security mac-address sticky).

+ Configure several MAC addresses and allow the rest of the addresses to be dynamically configured.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky learning.
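To make the learning modes and violation modes described above concrete, the following Python class is an added example written for this guide; it is not Cisco code and only approximates IOS behaviour for a single port. It keeps a secure address table with static, dynamic and sticky entries, enforces the configured maximum, applies protect, restrict or shutdown when an unknown source arrives on a full table, converts existing dynamic entries when sticky learning is enabled, and shows which entries survive a link-down event. The MAC addresses in the test calls are constructed samples.

```python
"""Model the secure MAC address table of one switch port: static, dynamic
and sticky learning, the maximum count, the protect / restrict / shutdown
violation modes, and what survives a link-down event.  Added example
written for this guide; it is not Cisco code and only approximates IOS
behaviour on a single port.  MAC addresses used with it are samples."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"       # protect | restrict | shutdown (the default)
    sticky: bool = False
    static: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)   # mac -> "dynamic" | "sticky"
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def secure_addresses(self):
        return self.static | set(self.learned)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>; refused once the table is full."""
        if mac not in self.static and len(self.secure_addresses()) >= self.maximum:
            raise ValueError("maximum number of secure addresses already reached")
        self.static.add(mac)

    def enable_sticky(self):
        """switchport port-security mac-address sticky: existing dynamic entries convert too."""
        self.sticky = True
        self.learned = {mac: "sticky" for mac in self.learned}

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                        # an err-disabled port passes nothing
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Table full and the source is unknown: a security violation.
        if self.violation == "protect":
            return False                        # silent drop: no counter, no log
        self.violations += 1
        self.log.append(f"PSECURE_VIOLATION caused by MAC address {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append("ERR_DISABLE psecure-violation")
        return False

    def link_down(self):
        """Dynamic entries are flushed; static and sticky entries survive."""
        self.learned = {m: k for m, k in self.learned.items() if k == "sticky"}

    def recover(self):
        """shutdown / no shutdown (or errdisable recovery) clears the err-disabled state."""
        self.err_disabled = False

    def running_config(self):
        """Interface lines that port security leaves in the running configuration."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        lines += [f"switchport port-security mac-address sticky {m}"
                  for m, k in sorted(self.learned.items()) if k == "sticky"]
        return lines
```

Two behaviours worth noticing when you exercise the class: in shutdown mode the first violation cuts off the legitimate host as well, because the whole port is err-disabled until it is recovered; and after a link-down event a port with only dynamic entries starts with an empty table, while sticky entries stay and also appear as mac-address sticky lines in running_config().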
To enable sticky learning, enter the switehport port-security mac-address sticky interface configuration command, When you enter this command, the interface converts all ofthe dynamic secure MAC addresses, including the MAC adresses thatthe device dynamically leamed before you enabled sticky learning, to sticky secure MAC adresses. ‘The violation mode is set to shutdown (switchport port-security violation shutdown). This violation mode, which is the default mode, puts the interface into the eror-disabled state immediately and shuts down the entire port, Note As mentioned, the other two viclaton medas are protect and restrict. These modes Grop frames from the ladsress thats nt allowed, but uni the shutdown mod, they do not put the intrface into the eror- disabled sate Note Pott security is cssbled by defauit| (isco Networking Davies: ing Port Security After you have configured port security for your switeh, verify that it has been configured correctly. Verifying Port Security Display the por security settings that are defined for an interface, ow yortecurity intartace erent 0/8 Verifying Port Security (Cont.) Display the port security settings that are defined for the FastEthemet0IS interface. (©2017 Cisco Systems, ne Intrconnectng Cisco Networking Devioes: Accolerated (CCNA) 130 ‘You must check each interface to verify that you have set the port security correctly. You must also verify ‘that you have configured static MAC addresses correctly. Use the show port-securrity interface privileged EXEC command to display the port security settings thet are defined for an interface. ‘The output displays this information (from the top down): + Whether the port security feature is enabled + The violation mode + The maximum allowed mumber of secure MAC addresses for ezch interface + The number of secure MAC adresses on the interface +The number of security violations that have oco@ Verifying Port Security (Cont.) 
Display the port security violation for the FastEthernet0/5 interface:

  Switch1# show port-security interface FastEthernet 0/5

Verify the status of the interface.

When MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. When a port that is configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source addresses that were manually configured or learned on the port. If the MAC address of a device that is attached to the port differs from the list of secure addresses, the port either shuts down until it is administratively re-enabled (the default shutdown mode) or drops incoming frames from the insecure host (the protect and restrict modes). The behavior of the port depends on how it is configured to respond to a security violation.

The output in the figure shows that a security violation has occurred, and the port is in the secure-shutdown state. Because the port security violation mode is set to shutdown, the port with the security violation (a source MAC address outside the group of defined addresses) goes to the error-disabled state. You receive this notification on the switch:

  Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
  Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address <offending address> on port FastEthernet0/5.
  Sep 20 06:44:55.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
  Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down

To verify the status of the interface, use the show interfaces status command; an error-disabled port is listed with the status err-disabled.

To make the interface operational again, you need to disable the interface administratively and then enable it again:

  Switch1(config)# interface FastEthernet 0/5
  Switch1(config-if)# shutdown
  Sep 20 06:57:28.592: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
  Switch1(config-if)# no shutdown
  Sep 20 06:57:42.126: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
  Sep 20 06:57:49.189: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up

Display the secure MAC addresses for all ports:

  Switch1# show port-security address

Use the show port-security address command to display the secure MAC addresses for all ports. Use the show port-security command without keywords to display the port security settings for the switch.

Discovery 37: Configure and Verify Port Security

Introduction

Port security restricts a switch port to a specific set of MAC addresses. You should configure it on all ports that connect to end devices. In this discovery lab, you will configure and verify port security. You will also set up automatic recovery of error-disabled ports.

Topology

Job Device Information

Device Information Table

Device  Characteristic             Value
PC1     Hostname                   PC1
PC1     IP address                 10.10.1.10/24
PC1     Default gateway            10.10.1.1
PC2     Hostname                   PC2
PC2     IP address                 10.10.1.20/24
PC2     Default gateway            10.10.1.1
SW1     Hostname                   SW1
SW1     VLAN 1 IP address          10.10.1.2/24
SW1     Default gateway            10.10.1.1
SW1     Ethernet0/0 description    Link to SW2
SW1     Ethernet0/1 description    Link to PC1
SW2     Hostname                   SW2
SW2     VLAN 1 IP address          10.10.1.3/24
SW2     Default gateway            10.10.1.1
SW2     Ethernet0/0 description    Link to SW1
SW2     Ethernet0/1 description    Link to R1
SW2     Ethernet0/2 description    Link to PC2
R1      Hostname                   R1
R1      Ethernet0/0 description    Link to SW2
R1      Ethernet0/0 IP address     10.10.1.1/24
R1      Loopback0 IP address       (not legible)

PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.
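The behaviour described in the preceding sections, as an added model rather than Cisco code: the Python below imitates a port-security enabled interface (maximum secure addresses, manually configured and sticky addresses, the protect, restrict and shutdown violation modes) and the errdisable recovery timer that the second half of this discovery lab configures. The port names, MAC addresses and the 30-second interval are constructed to mirror the lab; nothing here talks to a real switch.

```python
"""Model of a port-security enabled switch port plus errdisable recovery.

Added example for this lesson; it is not Cisco IOS code. It imitates the
behaviour the text describes so the rules can be exercised on constructed
frames: maximum secure addresses, static and sticky learning, the three
violation modes, and the errdisable recovery timer.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum 1 (default)
    violation: str = SHUTDOWN      # switchport port-security violation (default shutdown)
    sticky: bool = False           # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # manually configured secure MACs
    learned: dict = field(default_factory=dict)  # MAC -> "sticky" or "dynamic"
    violations: int = 0            # Security Violation Count
    err_disabled: bool = False     # Port Status: Secure-shutdown when True
    disabled_for: int = 0          # seconds spent in the err-disabled state
    log: list = field(default_factory=list)

    def secure_addresses(self):
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Process one ingress frame; return True if the switch forwards it."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Maximum reached and the source is not a secure address: violation.
        if self.violation == PROTECT:
            return False           # dropped silently; nothing counted or logged
        self.violations += 1
        if self.violation == RESTRICT:
            self.log.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                            f"occurred, caused by MAC address {src_mac} on port {self.name}")
            return False
        self.err_disabled, self.disabled_for = True, 0
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                        f"{self.name}, putting {self.name} in err-disable state")
        return False

    def shut_no_shut(self):
        """'shutdown' followed by 'no shutdown' clears the err-disabled state."""
        self.err_disabled = False

    def running_config(self):
        """Port-security lines that 'show running-config interface' would show."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        # Only sticky addresses land in the configuration; dynamic ones are lost on reload.
        lines += [f" switchport port-security mac-address sticky {m}"
                  for m, kind in self.learned.items() if kind == "sticky"]
        return lines


@dataclass
class ErrdisableRecovery:
    """errdisable recovery cause psecure-violation / errdisable recovery interval N"""
    enabled: bool = False
    interval: int = 300            # default 300 s; the minimum accepted is 30 s

    def tick(self, port, seconds):
        """Advance the clock; re-enable the port once the interval has elapsed."""
        if not (self.enabled and port.err_disabled):
            return
        port.disabled_for += seconds
        if port.disabled_for >= self.interval:
            port.log.append("%PM-4-ERR_RECOVER: Attempting to recover from "
                            f"psecure-violation err-disable state on {port.name}")
            port.shut_no_shut()


def discovery_scenario():
    """Replays the lab: sticky learning, a spoofed MAC, recovery after 30 s."""
    pc1, spoofed = "aabb.cc00.0200", "eeee.eeee.eeee"   # constructed addresses
    port = SecurePort("Ethernet0/1", sticky=True)
    recovery = ErrdisableRecovery(enabled=True, interval=30)
    first = port.receive(pc1)          # learned as sticky and forwarded
    spoof = port.receive(spoofed)      # violation: port goes err-disabled
    while_down = port.receive(pc1)     # the legitimate host is cut off as well
    recovery.tick(port, 30)            # timer expires and the port comes back
    after = port.receive(pc1)
    return {"first": first, "spoof": spoof, "while_down": while_down, "after": after,
            "violations": port.violations, "config": port.running_config()}


def violation_mode_comparison(mode):
    """Same two frames against a one-address port in the given violation mode."""
    port = SecurePort("Ethernet0/2", violation=mode, static={"0008.eeee.eeee"})
    port.receive("0008.eeee.eeee")
    port.receive("dead.beef.0001")     # constructed intruder address
    return port.violations, port.err_disabled
```

Run discovery_scenario() to see the sequence the lab walks through by hand, and violation_mode_comparison(mode) with each of the three modes to see why protect is the hardest to detect: it is the only mode that leaves the violation counter at zero.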
Task 1: Configure and Verify Port Security

Activity

Step 1  On SW1, configure port security with sticky learning on the Ethernet0/1 interface.

On SW1, enter the following commands:

  SW1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  SW1(config)# interface Ethernet 0/1
  SW1(config-if)# switchport port-security mac-address sticky
  SW1(config-if)# switchport port-security
  SW1(config-if)# end
  SW1# write memory
  Building configuration...
  [OK]

Note: Ethernet0/1 must already be a static access (or trunk) port; on a dynamic port the switchport port-security command is rejected.

When SW1 learns the MAC address of PC1, you have to save the running configuration so that the learned sticky MAC address stays in the configuration even if the switch reboots.

Step 2  On SW1, verify the port security status.

On SW1, enter the following command:

  SW1# show port-security
  Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
  -------------------------------------------------------------------------
        Et0/1              1            1                  0         Shutdown

Step 3  On SW1, verify which MAC address is learned on Ethernet0/1.

On SW1, enter the following command:

  SW1# show port-security interface Ethernet 0/1
  Port Security              : Enabled
  Port Status                : Secure-up
  Violation Mode             : Shutdown
  Aging Time                 : 0 mins
  Aging Type                 : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses      : 1
  Total MAC Addresses        : 1
  Configured MAC Addresses   : 0
  Sticky MAC Addresses       : 1
  Last Source Address:Vlan   : aabb.cc00.0200:1
  Security Violation Count   : 0

The MAC address in your output may be different.

Step 4  Verify that the same MAC address is listed in the configuration of SW1.

  SW1# sh run int e0/1
  Building configuration...
  interface Ethernet0/1
   description Link to PC1
   switchport port-security
   switchport port-security mac-address sticky
   switchport port-security mac-address sticky aabb.cc00.0200
  end

Step 5  On PC1, change the MAC address on Ethernet0/0 to eeee.eeee.eeee.

On PC1, enter the following commands:

  PC1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  PC1(config)# int e 0/0
  PC1(config-if)# mac-address eeee.eeee.eeee

When the MAC address on PC1 changes, SW1 will shut down the port toward PC1. You should see the following log messages on the SW1 console:

  %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/1, putting Et0/1 in err-disable state
  %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address eeee.eeee.eeee on port Ethernet0/1.
  %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
  %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down

Step 6  On SW1, verify the port security status of Ethernet0/1.

On SW1, enter the following command:

  SW1# sh port-security int e 0/1
  Port Security              : Enabled
  Port Status                : Secure-shutdown
  Violation Mode             : Shutdown
  Aging Time                 : 0 mins
  Aging Type                 : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses      : 1
  Total MAC Addresses        : 1
  Configured MAC Addresses   : 0
  Sticky MAC Addresses       : 1
  Last Source Address:Vlan   : eeee.eeee.eeee:1
  Security Violation Count   : 1

Port Ethernet0/1 is disabled by port security.

Step 7  On PC1, delete the MAC address from Ethernet0/0.

On PC1, enter the following commands:

  PC1# conf t
  PC1(config)# int e 0/0
  PC1(config-if)# no mac-address eeee.eeee.eeee

PC1 should use the default MAC address as learned by SW1:

  PC1# sh int e 0/0
  ...
    address is aabb.cc00.0200 (bia aabb.cc00.0200)

The MAC address in your output may be different.

Step 8  On SW1, verify the port security status of Ethernet0/1.

On SW1, enter the following command:

  SW1# show port-security int e0/1
  Port Security              : Enabled
  Port Status                : Secure-shutdown
  Violation Mode             : Shutdown
  ...
  Security Violation Count   : 1

Port Ethernet0/1 is still disabled by port security. Removing the cause of the violation does not clear the error-disabled state.

Step 9  On SW1, enable Ethernet0/1 by shutting it down and then bringing it back up.

On SW1, enter the following commands:

  SW1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  SW1(config)# interface e0/1
  SW1(config-if)# shutdown
  SW1(config-if)# no shutdown
  %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up

On SW1, verify the port security status of Ethernet0/1 again:

  SW1# show port-security int e0/1
  Port Security              : Enabled
  Port Status                : Secure-up
  ...
  Sticky MAC Addresses       : 1

Port Ethernet0/1 is operational now.

Error-Disabled Port Automatic Recovery

An error-disabled port will become operational after you shut it down and then bring it back up. To reduce the administrative overhead, an error-disabled port can be automatically re-enabled after the problem that is causing the error-disabled state is fixed.
Error-Disabled Port Automatic Recovery

Configure autorecovery from the error-disabled state for a specified cause (port security violation) after a specified time period (30 seconds), and verify the autorecovery configuration.

Use the errdisable recovery command to automatically re-enable the port after a specified time. If the problem that caused the port to change into the error-disabled state is not resolved, the port is re-enabled when the timer expires, violates again, and returns to the error-disabled state; autorecovery removes the manual shut/no shut step, it does not remove the need to find the offending host.

  Switch(config)# errdisable recovery cause cause
  Switch(config)# errdisable recovery interval seconds

The default time interval is 300 seconds, and the minimum is 30 seconds.

You can verify where autorecovery is enabled by using the show errdisable recovery command. By default, the autorecovery feature is disabled.

Step 10  On SW1, configure the error-disabled recovery cause to psecure-violation and set the interval timer to 30 seconds.

On SW1, enter the following commands:

  SW1# conf t
  SW1(config)# errdisable recovery cause psecure-violation
  SW1(config)# errdisable recovery interval 30
  SW1(config)# end

Step 11  On PC1, change the MAC address on Ethernet0/0 to eeee.eeee.eeee again.

On PC1, enter the following commands:

  PC1# conf t
  PC1(config)# int e 0/0
  PC1(config-if)# mac-address eeee.eeee.eeee

When the MAC address on PC1 changes, SW1 will shut down the port toward PC1.

Step 12  On PC1, delete the MAC address from Ethernet0/0.

On PC1, enter the following commands:

  PC1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  PC1(config)# int e 0/0
  PC1(config-if)# no mac-address eeee.eeee.eeee

Within 30 seconds you should see the recovery on the SW1 console:

  %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et0/1
  %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up

Step 13  From PC1, ping R1 (10.10.1.1) to verify whether Ethernet0/1 on SW1 is operational.
On PC1, enter the following command:

  PC1# ping 10.10.1.1
  ...
  round-trip min/avg/max = 1/201/1001 ms

Disabling Unused Services

To facilitate deployment, Cisco routers and switches start with a list of services that are turned on and considered to be appropriate for most network environments. However, because not all networks have the same requirements, some of these services may not be needed. Disabling these unnecessary services has two benefits: it helps preserve system resources, and it eliminates the potential for security exploits on the unneeded services.

Identify open ports: display the UDP or TCP ports that the router is listening to.

  Router# show control-plane host open-ports

The general best practice is to identify open ports. Use the show control-plane host open-ports command to see which UDP or TCP ports the router is listening to and to determine which services need to be disabled. In the example, the services that are enabled on the router are SSH, Telnet, TACACS, and DHCP.

Note: As an alternative, Cisco IOS Software provides the AutoSecure function (the auto secure command), which helps disable these unnecessary services while enabling other security services.

The following are some general best practices:
- Disable Cisco Discovery Protocol on interfaces where the service may represent a risk.
- Turn off the HTTP service running on the router (HTTPS can stay on).

Disable Cisco Discovery Protocol on the interfaces where the service may represent a risk. Examples are external interfaces, such as those at the Internet edge, and data-only ports at the campus and branch access. Cisco Discovery Protocol is enabled by default in Cisco IOS Software Release 15.0 and later, and it advertises the device's platform, software version, and addresses to any neighbor that listens, which is why it should not face untrusted segments.
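The open-ports check just described, applied as an added example that is not part of the course material: a small Python audit that parses the output of show control-plane host open-ports, keeps only the LISTEN rows, and reports every listener that is not on an allow-list together with the command for turning it off. The sample output is constructed to resemble the command's format, the allow-list (SSH, TACACS+, NTP) is an assumption, and of the remediations only no ip http server comes from this lesson; transport input ssh and no service dhcp are standard IOS commands not shown on this page.

```python
"""Audit the listeners reported by 'show control-plane host open-ports'.

Added example for this lesson, not part of the course material. The sample
output is constructed to resemble the command's format; the allow-list and the
remediation table are assumptions made for the example.
"""
import re

# Constructed sample: what a router with SSH, Telnet, HTTP, TACACS+, DHCP and
# NTP enabled could report. Only LISTEN rows are listening services.
SAMPLE_OUTPUT = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                      *:0               SSH-Server   LISTEN
 tcp                        *:23                      *:0                   Telnet   LISTEN
 tcp                        *:80                      *:0                HTTP CORE   LISTEN
 tcp                        *:49                      *:0                   TACACS   LISTEN
 udp                        *:67                      *:0            DHCPD Receive   LISTEN
 udp                       *:123                      *:0                      NTP   LISTEN
"""

# proto, local port, service name (may contain spaces), state
ROW = re.compile(r"^\s*(tcp|udp)\s+\S+:(\d+)\s+\S+\s+(.*?)\s+(\S+)\s*$")

# Listeners this network needs (assumption): SSH management, TACACS+, NTP.
ALLOWED = {("tcp", 22), ("tcp", 49), ("udp", 123)}

# What to do about the rest. 'no ip http server' is the command from this
# lesson; the other two are standard IOS commands not shown on this page.
REMEDIATION = {
    ("tcp", 23): "line vty 0 4 / transport input ssh  (Telnet is clear-text management)",
    ("tcp", 80): "no ip http server  (clear-text web management; keep HTTPS if needed)",
    ("udp", 67): "no service dhcp  (only if this router is not meant to be a DHCP server)",
}


def parse_open_ports(text):
    """Return (proto, port, service) for every LISTEN row in the command output."""
    listeners = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(4) == "LISTEN":
            listeners.append((m.group(1), int(m.group(2)), m.group(3).strip()))
    return listeners


def audit(text, allowed=ALLOWED):
    """List every listener that is not on the allow-list, with a suggested action."""
    findings =[]
    for proto, port, service in parse_open_ports(text):
        if (proto, port) in allowed:
            continue
        action = REMEDIATION.get((proto, port), "review: not on the allow-list, no rule")
        findings.append({"proto": proto, "port": port, "service": service, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        print(f"{f['proto']}/{f['port']:<5} {f['service']:<14} -> {f['action']}")
```

Paste real command output in place of SAMPLE_OUTPUT and adjust ALLOWED to the management protocols your site actually uses; anything the audit reports with "no rule" is a service the allow-list did not anticipate and deserves a look before it is disabled.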
You can access Cisco routers via a web page, but it is strongly recommended that you turn off the HTTP service that is running on the router.

There are two options to disable Cisco Discovery Protocol:
- Disable it globally (on all interfaces):
    Router(config)# no cdp run
- Disable it on a specific interface:
    Router(config-if)# no cdp enable

It is recommended that you disable the HTTP service:
    Router(config)# no ip http server

If you prefer not to use the Cisco Discovery Protocol device discovery capability, you can disable it with the no cdp run global configuration command. To re-enable Cisco Discovery Protocol after disabling it, use the cdp run command in global configuration mode.

Cisco Discovery Protocol is enabled by default on all supported interfaces to send and receive Cisco Discovery Protocol information. Cisco Discovery Protocol is not on by default on Frame Relay interfaces. You can disable Cisco Discovery Protocol on an interface that supports it with the no cdp enable interface configuration command. To re-enable Cisco Discovery Protocol on an interface after disabling it, use the cdp enable command in interface configuration mode.

It is strongly recommended that you turn off the HTTP service that is running on the router. You can use the no ip http server global configuration command to disable it. To re-enable the HTTP service after disabling it, use the ip http server command in global configuration mode. If you do not manage the device through a browser at all, disable the HTTPS server (no ip http secure-server) as well, and confirm that SSH access works before you remove the web interface.

Network Time Protocol

Networks use NTP to synchronize the clocks of various devices across a network. Clock synchronization within a network is critical for digital certificates and for the correct interpretation of events within syslog data. A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks that are synchronized to UTC using satellite or radio.
However, if network administrators do not wish to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet.

Correct time within networks is important for the following reasons:
- Correct time allows the tracking of events in the network in the correct order.
- Clock synchronization is critical for the correct interpretation of events within syslog data.
- Clock synchronization is critical for digital certificates.

NTP provides time synchronization between network devices:
- NTP can get the correct time from an internal or external time source: a local master clock, a master clock on the Internet, or a GPS or atomic clock.
- A router can act as an NTP server and client. Other devices (NTP clients) synchronize time with the router (NTP server).

NTP is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows routers on your network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings. You can configure a router as an NTP server, to which other devices (NTP clients) synchronize their time settings.

Configuring NTP

To configure NTP on Cisco devices, use the following commands.

Configure the branch router as an NTP client, which will synchronize its time with the NTP server:

  Branch(config)# ntp server ip-address

Configure the SW1 switch as an NTP client, which will synchronize its time with the branch router:

  SW1(config)# ntp server ip-address

The figure shows an example configuration scenario. Both the branch router and switch SW1 are configured as NTP clients using the ntp server ip-address global configuration command. The IP address of the NTP server (for SW1, the address of the branch router) is the argument.
A Cisco IOS device acting as an NTP client will also respond to received time requests. This enables SW1 to synchronize directly with the branch router and optimizes traffic flows. Alternatively, you could configure switch SW1 to synchronize with an external NTP server as well.

Cisco IOS devices can also act as NTP servers. To configure Cisco IOS Software as an NTP master clock to which peers synchronize themselves, use the ntp master command in global configuration mode:

  Router(config)# ntp master [stratum]

Note: Use this command with caution. You can easily override valid time sources using this command, especially if a low stratum number is configured. Configuring multiple devices in the same network with the ntp master command can cause instability in keeping time if the devices do not agree on the time.

The stratum value is a number from 1 to 15. The lowest stratum value indicates the highest NTP priority. It also indicates the NTP stratum number that the system will claim; if you omit the argument, the device claims stratum 8. Because clients prefer the lowest-stratum source, a router configured with ntp master 1 wins over a real stratum 2 Internet source even though its own clock is free-running.

Verifying NTP

To verify NTP on Cisco devices, use the following commands.

Display the status of NTP associations:

  Router# show ntp associations

Display the status of NTP:

  Router# show ntp status

To display the status of NTP associations, use the show ntp associations command in privileged EXEC mode. The output displays these significant fields:
- *: The peer that this system is synchronized to
- ~: The peer is statically configured
- address: The address of the peer
- st: The stratum setting for the peer

Note: It may take several minutes for an NTP client to synchronize with the NTP server.

To display the status of NTP, use the show ntp status command in user EXEC mode.
The output displays these significant fields:
- synchronized: The system is synchronized to an NTP peer
- stratum: The NTP stratum of this system
- reference: The address of the peer to which the clock is synchronized

Discovery 38: Configure and Verify NTP

Introduction

Network devices generate syslog messages to convey important information about events within the network. Syslog messages have time stamps that are associated with them. For these time stamps to be of value for security analysis, the clocks on all of the network devices must be in sync. NTP is the preferred method to achieve synchronization. This discovery lab will guide you through configuring and verifying NTP services on Cisco IOS routers.

The lab is prepared as depicted in the topology diagram and the connectivity table.

Topology

Job Device Information

Device Information Table

Device  Characteristic             Value
PC1     Hostname                   PC1
PC1     IP address                 10.10.1.10/24
PC1     Default gateway            10.10.1.1
PC2     Hostname                   PC2
PC2     IP address                 10.10.1.20/24
PC2     Default gateway            10.10.1.1
SW1     Hostname                   SW1
SW1     VLAN 1 IP address          10.10.1.2/24
SW1     Default gateway            10.10.1.1
SW1     Ethernet0/0 description    Link to SW2
SW1     Ethernet0/1 description    Link to PC1
SW2     Hostname                   SW2
SW2     VLAN 1 IP address          10.10.1.3/24
SW2     Default gateway            10.10.1.1
SW2     Ethernet0/0 description    Link to SW1
SW2     Ethernet0/1 description    Link to R1
SW2     Ethernet0/2 description    Link to PC2
R1      Hostname                   R1
R1      Ethernet0/0 description    Link to SW2
R1      Ethernet0/0 IP address     10.10.1.1/24
R1      Loopback0 IP address       (not legible)

PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Configure and Verify NTP

Activity

Step 1  Start by reviewing the clocks on SW1, SW2, and R1. You will find that in the emulated lab environment, the clocks are actually synchronized by default.
On SW1, enter the following command:

  SW1# sh clock

On SW2, enter the following command:

  SW2# sh clock

On R1, enter the following command:

  R1# sh clock
  06:12:50.804 PST Tue Nov 24 2015

The difference in time is only the time it took you to switch from one console to the next and enter the show clock command. Of course, the times that this output and the following output examples depict will differ from what you see in the lab environment.

Step 2  Access the R1 console and configure it as an NTP server by enabling the master clock status.

On R1, enter the following commands:

  R1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  R1(config)# ntp master 1
  R1(config)# end

Step 3  Configure SW2 to use R1 (10.10.1.1) as its NTP server.

On SW2, enter the following commands:

  SW2# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  SW2(config)# ntp server 10.10.1.1
  SW2(config)# end

Step 4  Display the current NTP associations and NTP status on SW2.

On SW2, enter the following commands:

  SW2# show ntp associations
    address         ref clock       st   when   poll reach  delay  offset    disp
  *~10.10.1.1       127.127.1.1      1     66     64   377    1.000   0.000     1.2
   * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

  SW2# show ntp status
  Clock is synchronized, stratum 2, reference is 10.10.1.1
  reference time is D9FEA310.74205482 (00:49:20.457 PST Tue Nov 24 2015)
  clock offset is 0.0000 msec, root delay is 1.00 msec
  loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
  system poll interval is 64, last update was 66 sec ago.

Step 5  One at a time, access the SW2 and R1 consoles and display their clocks. They should be synchronized. The difference in time is due to the time that you spend switching between consoles and entering the command.

On SW2, enter the following command:

  SW2# show clock
  00:50:52.427 PST Tue Nov 24 2015

On R1, enter the following command:

  R1# sh clock
  00:54:00.212 PST Tue Nov 24 2015

Step 6  On R1, configure the Central European Time zone.

On R1, enter the following commands:

  R1# conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  R1(config)# clock timezone CET 1
  %SYS-6-CLOCKUPDATE: System clock has been updated from 00:54:57 PST Tue Nov 24 2015 to 09:54:57 CET Tue Nov 24 2015, configured from console by console.
  R1(config)# end

Step 7  Display the current time on R1 and observe that the time zone has changed.

On R1, enter the following command:

  R1# show clock

This is the end of the discovery lab.

Challenge

1. Which command can you use to help disable multiple ports in a switch?
   A. interface range
   B. interface
   C. shutdown range
   D. interface range shutdown

2. Which of the following converts dynamically learned addresses into secure addresses by modifying the running configuration on the fly?
   A. static learning
   B. dynamic learning
   C. combination of static and dynamic learning
   D. sticky learning

3. You want an interface to error-disable if traffic on the interface violates port security parameters. Which of the following would you use?
   A. switchport port-security shutdown
   B. switchport port security violations on
   C. switchport port-security violation err-disabled
   D. switchport port-security violation shutdown

4. Check the following command output. In what state is the port?

     SwitchX# show port-security interface FastEthernet 0/5
     Port Security              : Enabled
     Port Status                : Secure-up
     Violation Mode             : Shutdown
     Aging Time                 : 0 mins
     Aging Type                 : Absolute
     SecureStatic Address Aging : Disabled
     Maximum MAC Addresses      : 1
     Total MAC Addresses        : 1
     Configured MAC Addresses   : 1

   A. forwarding
   B. error-disabled
   C. shutdown
   D. listening

5. Which of the following commands displays the open ports on a router?
   A. show open-ports
   B. show control-plane host
   C. show control-plane host open-ports
   D. show ports open host

6. Why is clock synchronization between network devices important?
   A. to ensure that routing protocols on devices can communicate with each other
   B. to ensure that traffic transiting network devices does not get dropped
   C. to ensure that no security breaches occur due to an exploit called "clock attack"
   D. to ensure the correct interpretation of events within syslog data

7. Which command would you use to configure a device as an NTP client?
   A. ntp client
   B. ntp server
   C. ntp master
   D. ntp source

Answer Key

Challenge
1. A
2. D
3. D
4. A
5. C
6. D
7. B

Lesson 3: Implementing Advanced Security

Introduction

A customer would like some advice on how to mitigate the threats at the access layer of their network. They are also considering implementing RADIUS or TACACS+ servers for authentication to their network devices. The customer also heard that using an NMS in their network can help them quickly determine the operation of different network devices.

Mitigating Threats at the Access Layer

The access layer is the point at which user devices connect to the network. This layer therefore is the connection point between the network and any client device. Protecting the access layer is important for protecting other users, applications, and the network itself from human errors and malicious attacks.

You can mitigate most access layer threats with these features:
- Port security: Restricting a port to a specific set of MAC addresses
- DHCP snooping: Preventing rogue DHCP servers
- DAI: Preventing ARP attacks
- Also, implement identity-based networking to protect network resources and provide user mobility.

Different security features exist to protect the access layer of your network. Port security, DHCP snooping, and Dynamic ARP Inspection, also known as DAI, are only some of them. Besides those features, you can configure identity-based networking, which provides additional security and protection of your network resources even in the case of user mobility.

Note: The configuration of the mentioned techniques is beyond the scope of this course (with the exception of port security, which you are already familiar with).

DHCP Snooping and DAI

DHCP snooping is a Layer 2 security feature that validates DHCP messages. DAI uses the IP-to-MAC bindings that DHCP snooping records from DHCP transactions to protect against ARP poisoning.
DHCP snooping is required to build the MAC-to-IP bindings that DAI validates against.

DHCP snooping is a Layer 2 security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The primary function of DHCP snooping is to prevent rogue DHCP servers in the network. Interfaces on the switches are configured as trusted or untrusted. Trusted interfaces allow all types of DHCP messages, while untrusted interfaces allow only client messages; a DHCPOFFER or DHCPACK arriving on an untrusted port is dropped. Trusted interfaces are interfaces that connect to a DHCP server or are an uplink toward the DHCP server.

With DHCP snooping enabled, a switch also builds a DHCP snooping binding database. Each entry in the database includes the MAC address of the host, the leased IP address, the lease time, the binding type, the VLAN number, and the interface information that is associated with the host. Other security features, such as DAI, also use this DHCP snooping binding database.

DAI intercepts all ARP requests and replies on the untrusted ports. It verifies each intercepted packet for a valid IP-to-MAC binding based on the database that DHCP snooping builds. The switch drops ARP packets with invalid bindings and can log them. This way, it prevents ARP poisoning attacks. Hosts with static IP addresses have no DHCP binding, so they need either a trusted port or a static entry; otherwise DAI drops their ARP traffic as well.

Identity-Based Networking

An identity-based network verifies users when they connect, regardless of their physical location. The IEEE 802.1X standard defines identity-based networking.

Identity-based networking is a concept that unites several authentication, access control, and user policy components with the aim of providing users with the network services that they are entitled to.

Traditional LAN security depends on the physical security of the network ports. To gain access to the accounting VLAN, a user has to walk into the accounting department and plug a device into an Ethernet port.
With user mobility as one of the core requirements of modern enterprise networks, this dependency is no longer practical, and it does not provide sufficient security.

Identity-based networking allows you to verify users when they connect to a switch port. It authenticates users and places them in the right VLAN based on their identity. Should any users fail the authentication process, their access can be rejected, or they can simply be put in a guest VLAN.

The IEEE 802.1X standard allows you to implement identity-based networking based on client-server access control. The standard defines three roles:
- Client: Also known as the supplicant, it is the workstation with 802.1X-compliant client software.
- Authenticator: Usually the switch, which controls physical access to the network; it acts as a proxy between the client and the authentication server.
- Authentication server (RADIUS): The server that authenticates each client that connects to a switch port before making available any services that the switch or the LAN offers.

External Authentication Options

Administrative access to a network device should be secured so that only authenticated users can access the device. In a small network, local authentication is often used. When you have more than a few user accounts in a local device database, managing those user accounts becomes more complex. For example, if you have 100 network devices, adding one user account means that you have to add this user account on all 100 devices in the network. Also, when you add one network device to the network, you have to add all user accounts to the local device database to enable all users to access that device.
Because maintaining the local database on every network device is usually not feasible at that size, you can use an external AAA server that manages all user and administrative access needs for an entire network.

Note: AAA commonly stands for authentication, authorization, and accounting. It refers to a security architecture for distributed systems that enables control over which users are allowed access to which services and how many resources they have used.

External Authentication Options

Using the local database for AAA implementation on network devices does not scale well. The two most popular options for external AAA are as follows:
- RADIUS: RADIUS is an open standard that combines authentication and authorization services as a single process; after users are authenticated, they are also authorized. It uses UDP for the authentication and authorization service. Only the password in a RADIUS packet is obscured with the shared key; the rest of the packet, including the username, is sent in clear text.
- TACACS+: TACACS+ is a Cisco proprietary security mechanism that separates the AAA services. Because the services are separated, you can use TACACS+ only for authorization and accounting while using another method for authentication. It uses TCP for all three services and encrypts the entire packet body with the shared key.

By using RADIUS or TACACS+ authentication, all authentication requests are relayed to the external server, which allows or denies the user according to its user database. The server then instructs the network device to allow or deny access.

The previous figure shows the external authentication process:
1. A host connects to the network. It can use any communication protocol, depending on the host. At this point, the host is prompted for a username and password.
2. The network device passes a RADIUS/TACACS+ access request, along with the user credentials, to the authentication server.
3. The authentication server uses the stored identity to validate the user credentials.
4. The authentication server sends a RADIUS/TACACS+ response (Access-Accept or Access-Reject) to the network device, which applies the decision.

Discovery 39: Configure External Authentication Using RADIUS and TACACS+

Introduction

This discovery will guide you through the configuration of external authentication by using RADIUS and TACACS+. The live virtual lab is prepared with the router, PC, and server that are represented in the topology diagram and the connectivity table. The devices have their basic configurations in place, including hostnames and IP addresses. In the discovery, you will configure console and vty access on the router by using RADIUS and TACACS+ servers.

Topology

Job Device Information

The configuration is as follows:
- All devices have their basic configurations in place, including hostnames and IP addresses.

Device Details

Device  Interface    Neighbor  IP Address
PC1     Ethernet0/0  R1        10.0.0.10/24
R1      Ethernet0/0  PC1       10.0.0.1/24
R1      Ethernet0/1  SRV1      10.1.1.1/24
SRV1    Ethernet0/0  R1        10.1.1.10/24

Note: PC1 and SRV1 in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.

Task 1: Configure RADIUS for Console and vty Access

Prerequisite: Enable AAA services.
Prerequisite: Create a local user for backup.

1. Configure a RADIUS server.
2. Associate the RADIUS server with a server group.
3. Configure login authentication to use the RADIUS group with a fallback to local authentication.
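The request/response exchange in steps 2 to 4 of the external authentication process above, as an added example written for this section (it is not Cisco IOS code and not a RADIUS library): a minimal RFC 2865 Access-Request and Access-Accept/Access-Reject builder that shows what the shared key configured with the key command actually protects. The user database, usernames, passwords and keys are constructed; server_respond stands in for SRV1 and client_check for R1.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), reduced to the
parts that depend on the shared key. Added example for this lesson; it is not
Cisco IOS code or a RADIUS library. Users, passwords and keys are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS attributes: Type, Length, Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        out[t] = data[i + 2:i + ln]
        i += ln
    return out


def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    plain = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out, prev = out + block, block
    return out


def _unhide_password(hidden, secret, authenticator):
    """Inverse of _hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Network device side: Code, ID, Length, random Request Authenticator, attributes."""
    ra = authenticator or os.urandom(16)
    attrs = _attrs([(USER_NAME, username.encode()),
                    (USER_PASSWORD, _hide_password(password.encode(), secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_respond(request, secret, user_db):
    """AAA server side: recover the password with its own key, decide, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = _unhide_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    code = ACCESS_ACCEPT if user_db.get(user, "").encode() == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)      # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + ra + secret).digest()


def client_check(request, reply, secret):
    """Network device side: trust the verdict only if the Response Authenticator
    proves the reply came from a server holding the same key."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "invalid-authenticator"   # IOS treats this as a server failure
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unknown")


def authenticate(username, password, device_key, server_key, user_db):
    """One full round trip; device_key and server_key are the two 'key' settings."""
    request = build_access_request(username, password, device_key.encode())
    reply = server_respond(request, server_key.encode(), user_db)
    return client_check(request, reply, device_key.encode())


USERS = {"admin": "Cisco123"}            # constructed server-side user database

if __name__ == "__main__":
    print(authenticate("admin", "Cisco123", "radiusPassword", "radiusPassword", USERS))
    print(authenticate("admin", "wrong", "radiusPassword", "radiusPassword", USERS))
    print(authenticate("admin", "Cisco123", "radiusPassword", "Typo", USERS))
```

The third call is the case the key-must-match note is about: with different keys the server decodes a wrong password and answers Access-Reject, but the device cannot even validate that reply, so it counts the server as failed and the method list falls through to the next method (local, in this lab). Note also that the username attribute is never encrypted.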
Before starting with the RADIUS configuration, youneed to enable AAA services and configure a local username and password to avoid being locked out. Rowcer (config) # aaa newnodal Router (config)# username weemane parsword password ‘The RADIUS AAA configuration then starts with the configuration of a RADIUS server: (©2017 Cisco Systems, ne Intrconnectng isco Networking Devioes: Accolerated (CCNA) 173 Router (config) radius server configuration-name Router (config-sadiue-server) address ipva hostname [euth-port integer] [ acct-port Router (configrzadice- sex F key steing ‘Youneed to specify the hostname, or the IP address of the server. Optionally. you can specify a custom port number for the UDP communication, if your RADIUS server is listening on nondefault ports, Port numbers for authentication and accounting differ. The key string command specifies the authentication and encryption key that is used between the access device and the RADIUS server. This value must match on both devices ‘Next, youneed to ad the RADIUS server to server group. You can add multiple RADIUS servers toa group, as long as they were previously defined by using the radius server command, Router (config) san group server radius geoup-nene Router (configag-sadiue)# zecvex name configus ‘Then you have to configure the device to actualy use the RADIUS server group for login authentication, Optionally, you cam also specify to fall back to local authentication. Rouex(config)t aaa authentication login [default | ‘The default method list is automatically applied to all interfaces, except those interfaces that have-a named rethod list that is explicitly defined] Note Vou-can also specify mulile authentication method lists, using diferent combinations of server groups and ‘an option for @ local fallback. 
If you decide to use named method lists, you must then also apply the specific list to the console or vty lines.

Activity

Complete the following steps:

Step 1  On R1, configure the local user admin with the password Cisco123.

    R1# conf t
    R1(config)# username admin password Cisco123

You can then use this same locally created user if the external authentication server fails.

Step 2  You need to enable AAA services to unhide all AAA commands. Access the console of R1 and enter the aaa new-model command in global configuration mode.

    R1(config)# aaa new-model

The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line, line con 0). To avoid being locked out of the router, you should define a local username and password before starting the AAA configuration.

Step 3  On R1, configure SRV1 as a RADIUS server. Use radiusPassword as the shared key. The configuration name of the server can be anything, but you have to specify the SRV1 IP address as the IPv4 address of the server.

    R1(config)# radius server myRadiusSRV1
    R1(config-radius-server)# address ipv4 10.1.1.10
    R1(config-radius-server)# key radiusPassword
    R1(config-radius-server)# exit

Step 4  On R1, add this newly created RADIUS server to a group. The configuration name of the group can be anything.

    R1(config)# aaa group server radius MyRadiusGroup
    R1(config-sg-radius)# server name myRadiusSRV1
    R1(config-sg-radius)# exit

Step 5  Now you have to specify that the router uses this RADIUS group for login authentication. On R1, configure this newly created group to be used for AAA login authentication. If the RADIUS server fails, the fallback to local authentication should be set.

    R1(config)# aaa authentication login default group MyRadiusGroup local

Step 6  Access the console of PC1 and try to connect to R1. Use the admin username and the Cisco123 password as the login credentials. Remember that SRV1 is listed as a RADIUS server. Because SRV1 is a virtual server, which is simulated as a router in this example, it does not have actual RADIUS capabilities.
So, when you try to connect to R1, the RADIUS authentication will not work. Authentication will fall back to local authentication, and you will be able to use the local credentials that you created earlier.

    PC1# telnet 10.0.0.1
    Trying 10.0.0.1 ...

Note: Because R1 first tries to authenticate you on the RADIUS server and then falls back to the local database, the authentication process may take a bit longer.

Task 2: Configure TACACS+ for Console and vty Access

Prerequisite: Enable AAA services.
Prerequisite: Create a local user for backup.
1. Configure the TACACS+ server.
2. Associate the TACACS+ server with a server group.
3. Configure login authentication to use the TACACS+ group with a fallback to local authentication.

TACACS+ AAA configuration is nearly identical to the RADIUS configuration. Before starting with the TACACS+ configuration, you need to enable AAA services and configure a local username and password to avoid being locked out.

    Router(config)# aaa new-model
    Router(config)# username username password password

Then you can configure the TACACS+ server.

    Router(config)# tacacs server configuration-name
    Router(config-server-tacacs)# address ipv4 hostname
    Router(config-server-tacacs)# port port-number
    Router(config-server-tacacs)# key string

You need to specify the hostname or the IP address of the server. Optionally, you can specify a custom port number for the TCP communication if your TACACS+ server is listening on a nondefault port. The key string specifies the encryption key that is used for encrypting all traffic between the access device and the TACACS+ server. This value must match on both devices.

Next, you need to add the TACACS+ server to a server group.
You can add multiple TACACS+ servers to a group, as long as they were previously defined by using the tacacs server command.

    Router(config)# aaa group server tacacs+ group-name
    Router(config-sg-tacacs+)# server name configuration-name

Then you have to configure the device to use the TACACS+ server group for login authentication. Optionally, you can also specify a fallback to local authentication.

    Router(config)# aaa authentication login {default | list-name} group group-name [local]

The default method list is automatically applied to all interfaces, except those interfaces that have a named method list that is explicitly defined.

Activity

Complete the following steps:

Step 1  You first need to enable AAA services and create a local user. Because you have already configured this part in the previous procedure, you can proceed to the next step.

Step 2  Access the console of R1 and configure SRV1 as a TACACS+ server. Use tacacsPassword as the shared key. The configuration name of the server can be anything, but you have to specify the SRV1 IP address as the IPv4 address of the server.

    R1# conf t
    R1(config)# tacacs server myTacacsSRV1
    R1(config-server-tacacs)# address ipv4 10.1.1.10
    R1(config-server-tacacs)# key tacacsPassword
    R1(config-server-tacacs)# exit

Step 3  On R1, add this newly created TACACS+ server to a group. The configuration name of the group can be anything.

    R1(config)# aaa group server tacacs+ MyTacacsGroup
    R1(config-sg-tacacs+)# server name myTacacsSRV1
    R1(config-sg-tacacs+)# exit

Step 4  Now you have to specify that the router uses this TACACS+ group for login authentication. On R1, configure this newly created group to be used for AAA login authentication. If the TACACS+ server fails, the fallback to local authentication should be set.

    R1(config)# aaa authentication login default group MyTacacsGroup local
    R1(config)# exit

Note that this configuration will overwrite the previously specified authentication method that uses the RADIUS server, because you can specify only one group (RADIUS or TACACS+) with the default method list.

Step 5  Access the console of PC1 and try to connect to R1. Use the admin and Cisco123 login credentials. Remember that SRV1 is listed as the TACACS+ server.
Because SRV1 is a virtual server, which is simulated as a router in this example, it does not have actual TACACS+ capabilities. So, when you try to connect to R1, the TACACS+ authentication will not work. Authentication will fall back to local authentication, and you will be able to use the local credentials that you created earlier.

    PC1# telnet 10.0.0.1
    Trying 10.0.0.1 ... Open
    [Connection to 10.0.0.1 closed by foreign host]
    PC1#

Note: Because R1 first tries to authenticate you on the TACACS+ server and then falls back to the local database, the authentication process may take a bit longer.

This is the end of the discovery lab.

Challenge

1. Which two options will mitigate access layer threats? (Choose two.)
   A. port security
   B. Layer 3 IP access lists
   C. DAI
   D. AAA

2. Which statement about DHCP snooping is not true?
   A. It validates DHCP messages that are received from untrusted sources and then filters out invalid messages.
   B. It builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
   C. It rate-limits DHCP traffic from trusted and untrusted sources.
   D. It is a Layer 2 security feature that acts like a firewall between hosts.

3. Which command will enable AAA on a router?
   A. aaa enable
   B. enable aaa
   C. new-model aaa
   D. aaa new-model

4. Which two statements about TACACS+ are true? (Choose two.)
   A. It is a Cisco proprietary security mechanism.
   B. It uses UDP.
   C. It combines authentication and authorization services as a single process; after users are authenticated, they are also authorized.
   D. It uses TCP.

5. Which statement about RADIUS is not true?
   A. It is an open standard protocol.
   B. It separates AAA services.
   C. It uses UDP.
   D. It encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.
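Both tasks in this discovery rely on the method list default group <group-name> local, and both work in the lab only because SRV1 never answers. The following Python model, added here as an example and not code from the Cisco guide or from IOS, reproduces the method-list semantics that the lab depends on: a method that does not respond (SRV1, simulated as a router) is skipped and the next method is tried, whereas an explicit reject from a reachable server ends the list, so the local admin user is not a fallback for rejected logins. It also shows that re-entering the default list replaces it (Task 2 overwriting Task 1) and that a named list applies only to the line it is assigned to. The class and method names are mine; the usernames, passwords and group names are the lab's.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"

# Constructed local user database: the backup user created in Step 1 of Task 1.
LOCAL_USERS: Dict[str, str] = {"admin": "Cisco123"}


@dataclass
class ServerGroup:
    """A RADIUS or TACACS+ server group (hypothetical model).

    reachable=False models SRV1 in the lab, which is simulated as a router and
    never answers AAA requests, so the method reports ERROR rather than REJECT.
    """
    name: str
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)

    def __call__(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR  # timeout: the method is unavailable
        return ACCEPT if self.users.get(user) == password else REJECT


def local(user: str, password: str) -> str:
    """The 'local' method: check the router's own username database."""
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT


class Router:
    """Minimal model of 'aaa authentication login' method lists on IOS."""

    def __init__(self) -> None:
        self.lists: Dict[str, List[Callable[[str, str], str]]] = {}
        self.line_lists: Dict[str, str] = {}  # line -> named list

    def aaa_authentication_login(self, list_name: str, *methods) -> None:
        # Re-entering a list name replaces its methods; this is why Task 2's
        # default list overwrites the RADIUS one from Task 1.
        self.lists[list_name] = list(methods)

    def login_authentication(self, line: str, list_name: str) -> None:
        # 'login authentication <name>' under a line; other lines keep default.
        self.line_lists[line] = list_name

    def login(self, line: str, user: str, password: str) -> str:
        methods = self.lists.get(self.line_lists.get(line, "default"))
        if methods is None:
            # aaa new-model with no default list configured: local login applies.
            methods = [local]
        for method in methods:
            result = method(user, password)
            if result != ERROR:
                return result  # ACCEPT or REJECT ends the list; no further fallback
        return REJECT  # every configured method was unavailable


def lab_scenarios() -> Dict[str, str]:
    """Walk through the lab's configuration and one variation with a live server."""
    r1 = Router()
    radius = ServerGroup("MyRadiusGroup", reachable=False)  # SRV1 in Task 1
    r1.aaa_authentication_login("default", radius, local)
    fallback = r1.login("vty 0", "admin", "Cisco123")

    # Variation: a reachable TACACS+ server that knows only user 'alice'.
    live_tacacs = ServerGroup("MyTacacsGroup", users={"alice": "pw"})
    r1.aaa_authentication_login("default", live_tacacs, local)  # replaces the RADIUS list
    rejected = r1.login("vty 0", "admin", "Cisco123")  # rejected by server, local never tried
    accepted = r1.login("vty 0", "alice", "pw")

    # A named list for the console only; vty lines keep using default.
    r1.aaa_authentication_login("CONSOLE", local)
    r1.login_authentication("con 0", "CONSOLE")
    console = r1.login("con 0", "admin", "Cisco123")
    return {
        "unreachable_falls_back": fallback,
        "reject_is_final": rejected,
        "server_accepts": accepted,
        "named_list_console": console,
    }


if __name__ == "__main__":
    print(lab_scenarios())
```

The practical consequence for the lab: once SRV1 is replaced by a real RADIUS or TACACS+ server, the admin/Cisco123 local account stops working over the vty lines unless that server also knows it, and omitting the trailing local keyword leaves no way in at all while the server is down.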
Answer Key

Challenge

1. A, C
2. to 5. (not legible in the source)

Module 8: Implementing an EIGRP-Based Solution

Introduction

EIGRP is an advanced distance vector routing protocol. EIGRP was a Cisco proprietary protocol, so all routers in a network that were running EIGRP had to be Cisco routers. Partial functionality of EIGRP was converted to an open standard in 2013. EIGRP is often considered a hybrid protocol because it also sends link-state updates when link states change. EIGRP is an interior gateway protocol that is suited for many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal network traffic.

In this module, you will learn how to implement basic EIGRP configuration, both for IPv4 and IPv6, and how to verify the operation of this routing protocol. You will also perform basic troubleshooting steps for common EIGRP issues and configuration mistakes.

Lesson 1: Implementing EIGRP

Introduction

A new client calls CCS and reports slow network response. After speaking with the network administrator, Bob decides that the network issues can be resolved by moving this customer from RIP to a more robust routing protocol. Bob explains the benefits of EIGRP to the customer, and they agree to an onsite engagement. You will need to go onsite to the new company, shut down RIP, and configure EIGRP. You should know the technology behind EIGRP before you go onsite so that you can answer any customer inquiries while on the job.

Dynamic Routing Protocols

A routing protocol is a set of processes, algorithms, and messages that are used to exchange routing information. Routing information is used to populate the routing table with the best paths to destinations on the network. As routers learn of changes to network reachability, this information is dynamically passed on to other routers.
A dynamic routing protocol has these purposes:
+ Discovering remote networks
+ Maintaining up-to-date routing information
+ Choosing the best path to destination networks
+ Finding a new best path if the current path is no longer available

All routing protocols have the same purpose: to learn about remote networks and to quickly adapt whenever there is a change in the topology. The method that a routing protocol uses to accomplish this purpose depends on the algorithm that it uses and on the operational characteristics of the protocol. The operations of a dynamic routing protocol vary, depending on the type of routing protocol and on the routing protocol itself.

Although routing protocols provide routers with up-to-date routing tables, there are costs that put additional demands on the memory and processing power of the router. First, the exchange of route information adds overhead that consumes network bandwidth. This overhead can be a problem, particularly for low-bandwidth links between routers. Second, after the router receives the route information, protocols such as EIGRP and OSPF process it extensively to make routing table entries. So, the routers that use these protocols must have sufficient processing capacity to implement the algorithms of the protocol and to perform timely packet routing and forwarding.

Dynamic Routing Protocols (Cont.)

Different protocols behave differently:
+ IGP versus EGP
+ Distance vector versus link state
+ Classless versus classful

An AS, otherwise known as a routing domain, is a collection of routers under a common administration, such as an internal company network or an ISP network. Because the Internet is based on the AS concept, the following two types of routing protocol are required:
+ IGP: The IGP routing protocol is used to exchange routing information within an AS. EIGRP, IS-IS, OSPF, and RIP are examples of IGPs.
+ EGP: The EGP routing protocol is used to route between autonomous systems.
BGP is the EGP of choice in networks today.

Within an AS, most IGP routing can be classified as distance vector or link-state routing:
+ Distance vector: The distance vector routing approach determines the direction (vector) and distance (such as hops) to any link in the internetwork. Some distance vector protocols periodically send complete routing tables to all of the connected neighbors. In large networks, these routing updates can become very large, causing significant traffic on the links. The only information that a router knows about a remote network is the distance or metric to reach this network and which path or interface to use to get there. Distance vector routing protocols do not have an actual map of the network topology. RIP is an example of a distance vector routing protocol, while EIGRP is an advanced distance vector routing protocol.
+ Link state: The link-state approach, which uses the SPF algorithm, creates an abstract of the exact topology of the entire internetwork, or at least of the partition in which the router is situated. A link-state routing protocol is like having a complete map of the network topology. A link-state router uses the link-state information to create a topology map and to select the best path to all destination networks in the topology. The OSPF and IS-IS protocols are examples of link-state routing protocols.

Also, there is classful and classless routing:
+ Classful routing protocol: A classful routing protocol is a consequence of the fact that subnet masks are not advertised in the routing advertisements that most distance vector routing protocols generate. When a classful routing protocol is used, all subnetworks of the same major network (Class A, B, or C) must use the same subnet mask, which is not necessarily a default major class subnet mask.
Routers that are running a classful routing protocol perform automatic route summarization across network boundaries. Classful routing protocols are obsolete in networks today.
+ Classless routing protocol: Classless routing protocols can be considered second-generation protocols because they are designed to address limitations of classful routing protocols such as RIPv1 and IGRP. A prime limitation of classful routing protocols is that the subnet mask is not exchanged during the routing update process. This limitation means that the same subnet mask must be used on all subnetworks within the same major network. When you consider point-to-point serial WAN connections, using a 24-bit network prefix is very wasteful when all that is required is a 30-bit network prefix to accommodate the two endpoints. Another limitation of the classful approach is the need to automatically summarize to the classful network number at all major network boundaries. As an example, using 172.16.0.0/16 as the classful network allows only a single, flat network. If the class B network is subnetted into /24 networks, there are now 255 subnets available. If the company connects to another network, it must advertise the 172.16.0.0/16 summary, because the classful routing protocol does not have the capability to provide subnet-specific routes.

In the classless environment, the summarization process is controlled manually and can usually be invoked at any bit position within the address. Because subnet routes are propagated throughout the routing domain, manual summarization may be required to keep the size of the routing tables manageable. Classless routing protocols include RIPv2, EIGRP, OSPF, and IS-IS.

Administrative Distance

In an enterprise network, it is not common to encounter multiple dynamic routing protocols and static routes configured on Layer 3 devices.
If there are several sources for routing information, such as specific routing protocols, static routes, and even directly connected networks, a method is required to rate the trustworthiness of each routing information source in order to select the best path. Cisco IOS Software uses the concept of administrative distance to select the best path when it learns about the same destination network from two or more routing sources.

Administrative distance ranks the reliability of a routing protocol. Each routing protocol is prioritized in order of most to least reliable (believable) with the help of an administrative distance value. The administrative distance is an integer from 0 to 255. A routing protocol with a lower administrative distance is considered more trustworthy than one with a higher administrative distance.

Administrative Distance
+ Multiple routing protocols and static routes can be used at the same time. Routers choose the routing source with the lowest administrative distance.

(Figure: the router asks "I need to send a packet to network B. Which route is the best?")

As illustrated in the figure, the router has a packet to deliver from network A to network B. The router must choose between the routes advertised by EIGRP and RIP. Given that there are fewer hops to the destination network via RIP, it appears to be the better choice. However, the EIGRP route has a lower administrative distance than RIP, so the router will choose the route that was advertised by EIGRP and install it in the routing table.
If for some reason the path that was advertised by EIGRP goes down, the route that was advertised by RIP will be entered into the routing table.

The table shows the default administrative distance for selected routing information sources.

Note: The default administrative distances can be tuned for each routing protocol.

Route Source           Default Distance
Connected interface    0
Static route           1
EBGP                   20
EIGRP                  90
OSPF                   110
IS-IS                  115
RIP                    120
External EIGRP         170
IBGP                   200
Unreachable            255 (will not be used to pass traffic)

EIGRP Features

EIGRP is a Cisco proprietary routing protocol that combines the advantages of link-state and distance vector routing protocols. EIGRP may act like a link-state routing protocol, because it uses a Hello protocol to discover neighbors and form neighbor relationships, and only partial updates are sent when a change occurs. However, EIGRP is based on the key distance vector routing protocol principle, in which information about

EIGRP features:
+ Rapid convergence
+ Load balancing
+ Loop-free, classless routing protocol
+ Reduced bandwidth usage
  Bounded updates
  No broadcast

Look into the EIGRP features in more detail:
+ Rapid convergence: EIGRP uses DUAL to achieve rapid convergence. As the computational engine that runs EIGRP, DUAL resides at the center of the routing protocol, guaranteeing loop-free paths and backup paths throughout the routing domain. A router that uses EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If the primary route in the routing table fails, the best backup route is immediately added to the routing table. If no appropriate route or backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route.
+ Load balancing: EIGRP supports unequal metric load balancing and equal metric load balancing, which allows administrators to better distribute traffic flow in their networks.
+ Loop-free, classless routing protocol: Because EIGRP is a classless routing protocol, it advertises a routing mask for each destination network. The routing mask feature enables EIGRP to support
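The administrative distance discussion earlier in this lesson (the EIGRP versus RIP figure and the default distance table) can be exercised with the following Python model, added here as an example and not code from the Cisco guide or from IOS. For each prefix it installs the candidate with the lowest administrative distance regardless of metric, since metrics of different protocols are not comparable, uses the metric only to break ties within one source, never installs a candidate with distance 255, and shows the RIP route taking over when the EIGRP route is withdrawn. The distance table is the lesson's; prefixes, next hops, metrics and all names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from the table in this lesson.
DEFAULT_AD: Dict[str, int] = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
    "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}
UNREACHABLE = 255  # a route with this distance is never installed


@dataclass(frozen=True)
class Candidate:
    """One route to a prefix as offered by a single routing source (hypothetical model)."""
    prefix: str
    source: str
    metric: int                      # comparable only among routes of the same source
    next_hop: str
    distance: Optional[int] = None   # None means the source's default AD; set to tune it

    @property
    def ad(self) -> int:
        return DEFAULT_AD[self.source] if self.distance is None else self.distance


def select_best(candidates: List[Candidate]) -> Optional[Candidate]:
    """Choose the candidate to install for one prefix, or None if nothing is usable."""
    usable = [c for c in candidates if c.ad < UNREACHABLE]
    if not usable:
        return None
    lowest_ad = min(c.ad for c in usable)
    # Only among candidates sharing the lowest AD does the metric decide.
    return min((c for c in usable if c.ad == lowest_ad), key=lambda c: c.metric)


def build_routing_table(candidates: List[Candidate]) -> Dict[str, Candidate]:
    """Run the selection independently for every prefix that has a candidate."""
    table: Dict[str, Candidate] = {}
    for prefix in sorted({c.prefix for c in candidates}):
        best = select_best([c for c in candidates if c.prefix == prefix])
        if best is not None:
            table[prefix] = best
    return table


def figure_example() -> Dict[str, object]:
    """Constructed sample matching the figure: network B (10.20.0.0/24) is learned
    from EIGRP and from RIP. RIP offers fewer hops, EIGRP the lower AD. A static
    route to a third prefix is configured with distance 255 and must never appear."""
    candidates = [
        Candidate("10.20.0.0/24", "eigrp", metric=3_000_000, next_hop="10.1.1.2"),
        Candidate("10.20.0.0/24", "rip", metric=2, next_hop="10.2.2.2"),
        Candidate("10.30.0.0/24", "static", metric=0, next_hop="10.3.3.3", distance=255),
    ]
    before = build_routing_table(candidates)
    # The EIGRP path goes down: its candidate is withdrawn and the table rebuilt.
    after = build_routing_table([c for c in candidates if c.source != "eigrp"])
    return {
        "installed_before": before["10.20.0.0/24"].source,
        "installed_after": after["10.20.0.0/24"].source,
        "unreachable_static_installed": "10.30.0.0/24" in before,
    }


if __name__ == "__main__":
    print(figure_example())
```

The same selection explains a floating static route: a static route configured with a distance above the dynamic protocol's value (for example 121 against RIP's 120) stays out of the table while the dynamic route exists and is installed only when that route disappears, which is the behaviour the note about tuning the default distances enables.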
