Sikandar Shaik CCIEx3 (RS/SP/SEC)
WhatsApp - +91 9985048840, +91 7036826345

Table of Contents
About the Author
Network Security Concepts
Common Network Security Attacks - Mitigation
Malicious Codes - Virus, Worms
Hacking - Hackers
Threat Defense Technologies
Network Infrastructure Protection
Management Plane Security
LAB: Securing the Router for Administrative Access
Telnet vs SSH
LAB: Secure Shell (SSH)
Network & Device Logging
Logging on Cisco Routers
Network Time Protocol
LAB: Network Time Protocol
Control Plane Security
LAB: RIPv2 Authentication
LAB: EIGRP Authentication
LAB: OSPF Authentication (Interface level)
Control Plane Policing
LAB: Control Plane Policing

About the Author
Sikandar Shaik, a Triple CCIE (RS/SP/SEC # 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 15 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications. Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.
Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad, in countries like China, Kenya and UAE. He has also worked as a Freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment
First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you. Secondly I would like to thank my family for understanding my long nights at the computer. I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement. I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.
Shaik Gouse Moinuddin Sikandar CCIE x 3 (RS/SP/SEC)

Feedback
Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions at info@noasolutions.com

Network Security Concepts
Sikandar Shaik CCIEx3 (RS/SP/SEC # 35012), Senior Technical Instructor
https://www.facebook.com/sikandar35012/
https://www.youtube.com/sikandarshaik
https://twitter.com/sikandarccie
https://www.linkedin.com/in/sikandarshaik/

Enterprise Network
» An enterprise will probably want to connect itself to the public Internet and perhaps to some corporate partners.
» Allow its workers to be mobile and carry laptops, tablets, and smartphones in and out.
» Offer wireless connectivity to its employees (and guests).
» Provide network access to guests who visit.
(Figure: enterprise as a closed system vs. an enterprise that extends beyond its own boundary)

Enterprise Network - Security
» The process of taking preventative measures to protect the networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure.
» Security is important.
» Lack of security puts the company at risk of financial, legal, political and data loss.

Security Terminology
ASSET
» Anything that is valuable to the organization (that is to be protected).
  ○ Will vary between organizations.
» Can include property, people, and information/data that have value to the company: proprietary information or trade secrets and the reputation of the company.
» Company records, client information, proprietary software, and so on.
VULNERABILITY
» A weakness which allows an attacker to reduce the security assurance.
» Vulnerabilities can be found in:
  ○ Protocols
  ○ Operating systems
  ○ Applications
  ○ System design

Security Terminology (Cont.)
THREAT
» Potential danger to your assets.
» Physical (fire, water, earthquake).
» Malicious code (Trojans, viruses, adware, malware, hackers).
» Potential for unauthorized access to an asset, compromise of an asset, destruction/damage of an asset.
COUNTERMEASURE
» A safeguard that somehow mitigates a potential threat/risk.
» Reduces or eliminates the vulnerability or potential threat/risk.

Primary Goal of Network Security - CIA
Network security objectives usually involve three basic concepts:
» Confidentiality
» Integrity
» Availability
» Also known as the CIA triad, a model designed to guide policies for information security within an organization.

Goals of Security - Confidentiality
» Only authorized individuals/systems can view sensitive or classified information. Unauthorized individuals should not have any type of access to the data.
» One way to protect that data is to encrypt it before sending it.
» Securing web pages (https://), VPN traffic.
Goals of Security - Integrity
» Ensuring that data is not modified by anyone in transit.
  ○ Corruption of data is a failure to maintain data integrity.
» Changes made to data are done only by authorized individuals/systems.
» Controls include file permissions and user access controls.

Goals of Security - Availability
» If the network or its data is not available to authorized users
  ○ because of a network issue or a Denial-of-Service (DoS) attack,
» the impact may be significant to companies and users who rely on that network as a business tool.
» The failure of a system, to include data, applications, devices, and networks, generally equates to loss of revenue.
(Figure: Availability - network failure and DoS attack)

Motivations behind network attacks
Financial
» Attackers can make financial gains through their malicious actions, e.g. obtaining millions of credit/debit cards, which can subsequently be sold on the online black market.
Disruption
» Many individuals and groups exist solely to cause disruption to the core business of many organizations and institutions.
» Competitors (attacking servers)
» To protest the actions, decisions, or behaviors of an enterprise
» To gain media attention for the actions of the malicious group or individual

Motivations behind network attacks (Cont.)
Geopolitical
» Certain nation states leverage the Internet to engage in cyber warfare.
» Use the Internet to launch attacks against countries.
(Headline shown: "USPS Hacked: Postal Service Hit By Cyberattack")
Common Network Security Attacks - Mitigation

Types of Attacks
» Social Engineering Attacks
» Phishing Attacks
» DoS & DDoS Attacks
» Spoofing Attacks
» Reflection Attacks
» Amplification Attacks
» Password Attacks
» Reconnaissance Attacks
» Buffer Overflow Attacks
» Man-in-the-Middle Attacks

Social Engineering Attack
» Manipulation of people into performing actions or divulging confidential information (information gathering, fraud, or system access).
» Tricking people into breaking normal security procedures.
  ○ Shoulder watching: the attacker watches as you type credentials (PIN or password).
  ○ Fake phone calls asking for sensitive information (spoofing identity).
  ○ Phishing via email: spoofed emails from banks asking for credentials.
  ○ USB memory "lost" on purpose (a hidden partition installs malicious software).
(Figure: phishing emails are often sent from addresses that look official; notice that the URL does not direct you to an official IRS website.)

Phishing Attacks
Attacks against the human, making them leak information.
» Email phishing
» Pharming (based on DNS)
» Phone calls (vishing)
» SMS messages (smishing)
(Figure: a smishing SMS claiming a card has been deactivated; clicking on the link would take you to a fraudulent website with a form to enter your personal information.)

Social Engineering & Phishing Mitigation
» Provide awareness to users through training, policies & live simulations.
» Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information; verify his or her identity directly with the company.
» Do not provide personal information or information about your organization, including its structure or networks.
» Do not reveal personal or financial information in email.
» Do not respond to email solicitations.
» Pay attention to the URL of a web site (.com vs .net).
» Install and maintain anti-virus software, firewalls, and email filters to reduce these types of emails.
» Web & email security solutions (Cisco WSA & ESA).
» Endpoint security to restrict user access (antivirus programs).
» Network-level security to restrict user access (firewalls, IPS).

Denial of Service (DoS) Attack
» Prevents users from accessing targeted computer systems, devices or other network resources.
» Floods servers, systems or networks with traffic in order to overload the victim's resources and make it difficult or impossible for legitimate users to use them.
» Generally sourced from a single system.
» Eg: Ping of Death & TCP SYN flood attacks (less common nowadays).

DoS Attack - TCP SYN Flood
» The connection establishment is successfully completed when the 3-way handshake is performed.
» The attacker could flood the server with TCP SYN segments without ever sending an acknowledgement back for the server's SYN response.
» The server's session table is filled up with ongoing session requests.
» Valid users are unable to have legitimate connection requests accepted until the TCP inactivity timer is reached, at which point the server starts dropping incomplete sessions.
» Usually originated from a spoofed source IP address, making it harder to track down the attacker.

Ping of Death
» A ping packet can have up to 65536 bytes.
» An ICMP echo request with more than 65,507 (65,535-20-8) bytes of data could cause a remote system to crash while reassembling the packet fragments.
» Exploited bugs in UNIX, Windows, MacOS.
» OS patches fix this problem (no longer an issue).
(Figure: Ping of Death attack - original packet before fragmentation)

DDoS Attack (Distributed Denial of Service)
» Multiple compromised computer systems attack a target, such as a server, website or other network resource.
» Forces the target system to slow down or even crash and shuts down the server or website.
» Thereby denying service to legitimate users or systems.
» Always sourced from a large number of sources (botnets).

DDoS Attack - How it works
» The attacker installs malicious code on different computers on the Internet.
» Allows the attacker to send instructions or commands to the endpoints at a specific time.
» All endpoints initiate malicious traffic towards the victim at the same time.
» Infected endpoints are referred to as botnets.
» Results in resource unavailability or increased bandwidth utilization.

DDoS Attack - Mitigations
» Harden network devices.
» Implement both network & application level firewalls.
» Restrict resource access from the Internet by location of source.
» Implement intelligence into the network that learns network behavior.
» Sometimes it takes a longer time to stop a DDoS attack.

Spoofing Attacks
» The attacker fakes the identity of another user or device.
MAC Spoofing
» If the attacker is connected on the same LAN or network.
IP Address Spoofing
» Mostly happens on the Internet or LAN.
» The attacker can be on the outside network or in the LAN.
Application Spoofing (L2/L3/L4)
» The attacker can be on the outside network or in the LAN.
» From the inside network: ARP spoofing, DHCP spoofing.
» From the outside network: DNS, SMTP, HTTP spoofing.

Spoofing Attacks - Mitigation
Infrastructure ACLs
» Ingress filtering to deny IP source spoofing (RFC 2827, RFC 1918).
» Deny traffic sourced from private IP addresses from the Internet.
uRPF
» Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.
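To make the infrastructure ACL and uRPF checks concrete, here is an added Python model of the per-packet decision a router makes; it is not from the workbook and is not Cisco code. The routing table, interface names and packet sources are constructed for the example. Strict mode requires the best route back to the source to point out the interface the packet arrived on, loose mode only requires that some route to the source exists, and, as on Cisco IOS, a default route is not used for the check unless `allow_default` is set (the IOS `allow-default` keyword).

```python
import ipaddress

# Constructed routing table for the example (not from the workbook): (prefix, egress interface).
SAMPLE_RIB = [
    ("0.0.0.0/0", "Gi0/1"),       # default route towards the Internet
    ("192.168.1.0/24", "Gi0/0"),  # inside LAN
    ("10.0.0.0/8", "Gi0/2"),      # corporate WAN
]

# RFC 1918 space: an infrastructure ACL denies these as *sources* on the Internet-facing interface.
PRIVATE_SOURCES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_rib(entries):
    """Sort routes longest-prefix first so the first match is the best route."""
    rib = [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]
    return sorted(rib, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(rib, addr):
    """Longest-prefix match; returns (network, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, iface in rib:
        if ip in net:
            return net, iface
    return None


def urpf_check(rib, src, ingress, mode="strict", allow_default=False):
    """Unicast RPF decision for one packet.

    strict: the best route back to src must point out the interface the packet arrived on.
    loose : any route back to src is enough (useful on asymmetric paths).
    A default route only counts when allow_default is True (IOS 'allow-default').
    """
    hit = lookup(rib, src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return egress == ingress


def ingress_filter(rib, src, ingress, internet_iface="Gi0/1"):
    """Infrastructure ACL followed by strict uRPF; returns 'permit' or the drop reason."""
    ip = ipaddress.ip_address(src)
    if ingress == internet_iface and any(ip in net for net in PRIVATE_SOURCES):
        return "drop: private source address on the Internet-facing interface (iACL)"
    if not urpf_check(rib, src, ingress, mode="strict", allow_default=True):
        return "drop: source not reachable via the arrival interface (uRPF strict)"
    return "permit"


if __name__ == "__main__":
    rib = build_rib(SAMPLE_RIB)
    # Constructed sample packets: (source address, arrival interface)
    for src, ingress in [("192.168.1.50", "Gi0/0"), ("192.168.1.50", "Gi0/1"),
                         ("10.1.2.3", "Gi0/1"), ("203.0.113.9", "Gi0/0"), ("203.0.113.9", "Gi0/1")]:
        print(f"{src:>14} in {ingress}: {ingress_filter(rib, src, ingress)}")
```

Note the last two sample packets: a public source arriving on the LAN interface is dropped by strict uRPF because the route back to it points to the Internet interface, which is exactly the inside-host spoofing case; the same source on the Internet interface is permitted. On IOS the two modes correspond to `ip verify unicast source reachable-via rx` (strict) and `... reachable-via any` (loose) on the interface.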
» When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.
(Figure: a legitimate user and spoofed traffic from the Internet being checked by uRPF at the router)

Spoofing Attacks - Mitigation
» Port Security, Layer 2 (MAC spoofing attack)
» ARP Inspection (ARP spoofing attack)
» DHCP Snooping (DHCP spoofing attack)
» IP Source Guard (IP spoofing attack)
» Routing protocol authentication
» BGP TTL security
» IP options checking (source routing)
» IPsec VPN
(Figure: a rogue DHCP server offering valid IP addresses)

Man in the Middle Attacks (MiTM)
» The attacker secretly relays and possibly alters the communication between two parties.
» Both parties believe that they are directly communicating with each other.
» Eg: eavesdropping.
» Has different variations depending on the method being used: ARP spoofing, IP spoofing, DHCP spoofing, DNS spoofing.

Password Attacks
» Aimed at identifying a user's password for various platforms (Windows, social media, email).
» To gain access to user information like a client database, credit card information, and more.
Guessing passwords
» Attackers can guess passwords locally or remotely using either a manual or automated approach.
» Many tools can automate the process of typing password after password, for guessing all sorts of passwords, including HTTP, Telnet, and Windows logons.
» Attackers exploit the weak passwords used (date of birth, pet name).

Password Attacks
Dictionary attack
» A hacker uses a program or script to try to log in by cycling through combinations of common words.
» Tries only those possibilities which are most likely to succeed: common passwords or common password algorithms.
Keylogger
» A hacker uses a program to track all of a user's keystrokes.
» So at the end of the day, everything the user has typed, including their login IDs and passwords, has been recorded.
» The key logging program used is malware (or a full-blown virus) that must first make it onto the user's device (often the user is tricked into downloading it by clicking on a link in an email).
(Figure: a keylogger stealing VPN credentials)

Password Attacks - Mitigation: Best practices
» An acceptable password length is 10 or more characters.
» Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces.
» Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information.
» Deliberately misspell a password.
» Change passwords often.
» Do not write passwords down and leave them in obvious places.

Password Attacks - Mitigation
» Do not store passwords in clear text (in user databases or configuration files).
» Force users to create strong passwords through security policies.
» Train users not to leave passwords written on paper or elsewhere.
» Implement multi-factor authentication systems (digital signatures & username/passwords).
» Implement one-time password (OTP) systems.
  ○ Complex passwords are generated by tokens.
  ○ Valid for specific time intervals (time based).
  ○ Valid for specific events (event based).
» Disallow the use of a single password over multiple systems.
» Disable accounts after a certain number of unsuccessful login attempts have been made.
» Discourage the use of plaintext passwords.
» Encourage the use of "strong" passwords (use "mYs!Rthdsy" rather than "mybirthday").

Reflector - Reflective Attacks
» The attacker spoofs the victim's IP address and sends requests to vulnerable DNS servers.
» Initiates a large number of requests to the server with the victim's spoofed IP.
» The servers send replies to the victim, flooding it, causing a DoS attack.
(Figure: victim, attacker and DNS servers in a reflection attack)

Amplification attacks
» Similar to reflection attacks but sourced from multiple devices (botnets).
» The attacker spoofs the victim's IP address from multiple sources.
» Initiates a large number of small request packets to the server with the victim's spoofed IP.
» The server sends replies to the victim, flooding it, causing a bandwidth DDoS.

Reconnaissance Attacks
» Learning information about target networks using some tools to gain information & access to the network (OS, services, IP addresses, vulnerabilities).
» Used as an intermediate step to plan future attacks.
  ○ CDP, LLDP
  ○ Ping sweeps (ICMP echo-reply, unreachable, reply, redirect)
  ○ Packet sniffers
  ○ Port scans
  ○ Internet information queries

Reconnaissance Attacks - Ping Sweeps & Internet information queries
(Figure: a ping sweep tool listing echo requests and replies per host, and a sample IP address query.)
» Attackers can use Internet information query tools such as whois as a weapon.

Reconnaissance Attacks - Mitigation
» Disable un-needed services.
» Deploy application & network firewalls as proxies (firewall, IPS).
» Use authentication for the proper process.
» Use encryption technologies (cryptography).
» Anti-sniffer tools to detect packet sniffer attacks.
(Figure: Internet - border router - firewall/IPS)

Buffer overflow Attacks
» Caused when more data is given to a program than it can handle.
» The extra data contains some malicious code.
» It overwrites system memory, and the code could execute easily (Eg: Nimda, Code Red II).
» Solution: protect the stack buffer.
» http://www.computerweekly.com/news/2240042574/Cisco-network-products-are-hit-by-buffer-overflow-in-wake-of-Nimda
(Figure: instruction buffer before and after the overflow)

Evolution of Malicious Codes - VIRUS
» A program or code that is loaded on a computer without your knowledge.
» When executed, replicates itself by modifying its own code.
» Eg: a downloaded file that, when we try to open it, causes the computer to freeze.
» Infected computer programs can include data files, the boot sector, the hard drive.
» Can cause system failure, wasting of computer resources, corrupting data, increasing maintenance costs, etc.
» Can make multiple copies of itself & spread across networks.
» Needs a host program to run (cannot run on its own).

Evolution of Malicious Codes - WORMS
» Introduced after antivirus programs were introduced.
» Similar to a virus but it can run on its own (no host program needed).
» Doesn't get attached to files like a virus.
» Identifies the victims & spreads on its own.

Evolution of Malicious Codes - TROJAN HORSES
» Programs which appear attractive and genuine, but have malicious code embedded inside them.
» Named after the Trojan war, where soldiers hid inside the statue of a horse and won over the city of Troy.
» Eg: games, software upgrades. This code could be either a virus, a worm or both of these.

Hacking - Hackers
Advanced Persistent Threats - Hacking
» An unauthorized person gains access to a network and stays there undetected for a long period of time.
» Steals data rather than causing damage to the network or organization.
» Targets organizations in sectors with high-value information such as national defense, manufacturing and the financial industry.
» Tries to get in and out as quickly as possible in order to avoid detection.
Script kiddies
» A person who uses existing computer scripts or code to hack into computers.
» Lacks the expertise to write scripts on their own.
» The Internet is full of free hacking tools.
» Kali: a Linux distribution with built-in hacking tools; http://sectools.org
Hackers
» Anyone can be a hacker (think twice though).
» Hackers may use paid network scanning tools, e.g. https://metasploit.com
Malware as a Service
» Provides paid tools & support for introducing attacks.
» Sends proper hacking tools to launch a successful attack (need to tell the target and the data of interest).
» Even provides support for this cause (if not successful).
» Need to know how to connect with them.

Threat Defense Technologies & Devices
» Common Threat Defense Technologies & Devices
» What Is a Firewall?
» Next Generation Firewalls
» Content Security - Web & Email Security
» IPS overview
» VPN
» AAA Concepts

Common Threat Defense Technologies
Network level
» Firewall, IPS, VPN, logging & monitoring
Endpoint level
» Antivirus programs, logging & monitoring

Common Threat Defense Technologies & Devices
» Firewall (NGFW)
» Content Security Firewalls
» IPS
» VPN
» Logging and Monitoring
» ACS (Access Control Server)
» ISE (Cisco ISE)
» WSA (Web Security)
» ESA (Email Security)
(Figure: ACS/ISE with Active Directory, a certificate authority and the switching core)

What Is a Firewall?
» A firewall is a system or group of systems that manages access between two or more networks (e.g. Outside network, Inside network, DMZ network).
» Can be a software or hardware firewall.

Next Generation Firewalls
Added features to stateful firewalls.
Identity based access control
» Firewall rules based on username/password or security tags.
URL Filtering
» Which users can access what websites.
Application Visibility & Control
» What applications are you using while browsing (Facebook: chat, video, audio).
Next Generation IPS (NGIPS)
Advanced Malware Protection
» Scans content to defend against known & unknown malware.

Next Generation Firewall - Content Security Firewalls
Allows security based on the complete context of the situation:
» Who: the identity of the users
» What: the application or website the user is trying to access
» Where: where the user is located, source IP and so on
» How: the device used for access (iPad, laptop, Android)
» When

Content Security - Web & Email Security
» Internet connections rely heavily on the HTTP/HTTPS & SMTP protocols.
» Web firewall for HTTP/HTTPS (web proxy / web filtering) - Cisco WSA
» Email firewall for SMTP (SMTP gateway) - Cisco ESA
(Figure: Cisco WSA blocking a malicious website ("Access to this web page is restricted at this time"); Cisco ESA delivering known-good email and blocking bad, "gray" or unknown email.)

What is Intrusion?
» Anybody trying to gain unauthorized access to the network.
» Viruses, Trojans and worms replicating in the network.
» Attacks that would make the services unresponsive even for legitimate users.
» Sending specially crafted packets to exploit any specific vulnerability.
Types of intrusion/attacks
» Web based attacks: SQL injection, web shells, LFI, RFI, XSS attacks.
» Network based attacks: unauthorized login, DoS attacks, scanning ports & services.
  ○ Replication of worms, Trojans, viruses.
  ○ Spoofing attacks (ARP, DNS).
» Triggering vulnerabilities (exploiting buffer overflow attacks).
» Zero day attacks (unknown attacks).

IPS - Overview
» Technology that examines network traffic flows to detect and prevent vulnerability exploits.
» Deep-packet inspection feature that effectively mitigates a wide range of network attacks.
» Stops the spread of attacks, worms and viruses.
» Provides your network with the intelligence to accurately identify, classify, and stop or block malicious traffic in real time.
» Actively analyzes and takes automated actions on all traffic flows that enter the network:
  ○ Sending an alarm to the administrator.
  ○ Dropping the malicious packets.
  ○ Blocking traffic from the source address.
  ○ Resetting the connection.
(Figure: IPS between the Internet and the company systems/employees)

Virtual Private Network
» VPNs replace dedicated point-to-point links with emulated point-to-point links that share common infrastructure.
» Customers use VPNs primarily to reduce their operational costs.
» Example: X.25, Frame Relay, ATM, GRE, DMVPN, IPsec, MPLS, L2TPv3.
» VPN doesn't mean encryption.
(Figure: Internet VPN between a headquarters, branch sites and remote roaming users)

AAA - Authentication
Provides identification of who you are.
» Username / passwords, certificates.
» A user or machine gets authenticated with identification.
» Device access / network access.
AAA - Authorization
Defines what you are allowed to do.
» Device access - privilege levels allow commands.
» Network access - dynamic VLAN, ACL, encryption, Security Group Tag.
AAA - Accounting
Provides evidence of what you have done.
» Device access (commands used).
» Network access: session statistics for billing.
  ○ Session identification (MAC, IP, username)
  ○ Session state (connected or disconnected)

Cisco Traffic Telemetry Methods
» The word is derived from Greek roots: tele = remote, and metron = measure.
» A network admin needs to detect and monitor the kind of traffic, unusual network traffic, device failures.
  ○ Date & time between devices should be accurate and in sync (using NTP).
  ○ Notification about network device status using logging or SNMP traps (high CPU or low memory, interface overload).
  ○ Notification about unusual network activity using logging.
  ○ Exporting network traffic flows using NetFlow.
(Figure: time synchronization with an NTP server)

Network Infrastructure Protection
» Management plane
» Control plane
» Data plane

Network Infrastructure
» Network infrastructure primarily consists of routers and switches and their interconnecting cables.
» Enterprise businesses rely heavily on the network infrastructure, which can be exposed to threats.
» The infrastructure has to be healthy and functional if we want to be able to deliver network services reliably.
» Application systems: workstations, servers, laptops, smartphones, tablets.
» Network infrastructure: routers, switches, telephony components, firewalls.
» Data: transferred over the network.

Network Infrastructure Protection
» Enterprise business processes rely heavily on the network infrastructure, which is exposed to a large group of threats:
  ○ DoS, DDoS, unauthorized access, session hijacking, man-in-the-middle attacks, privilege escalation, intrusions, botnets, routing protocol attacks, spanning-tree attacks, layer 2 attacks.
» Network infrastructure protection sets the baseline for protecting network devices.
» The key areas are:
  ○ Securing infrastructure devices
  ○ Securing routing infrastructure
  ○ Securing switching infrastructure
  ○ Network telemetry
  ○ Device resiliency & survivability

Identify Network Device Planes
The functionality of a network device is segmented into three separate contexts called planes:
» Control plane
» Data plane
» Management plane

Control plane - Overview
» Refers to any action that controls the data plane.
» Learns the information required for packet forwarding (data plane):
  ○ IP routing table, IP Address Resolution Protocol (ARP) table, switch MAC address table, and so on.
  ○ Control plane information has to be built (where or how to forward packets).
» Traffic destined to the network device or sourced from the network device.
» Traffic is always process switched (CPU switched).
» Traffic can be IP or non-IP:
  ○ Routing protocols (OSPF, EIGRP, RIP, BGP)
  ○ IPv4 ARP, STP, VTP, switch MAC learning
  ○ IGMP, PIM, NHRP, LDP, ICMPv6
  ○ IPv6 Neighbor Discovery Protocol (NDP)

Management Plane - Overview
» Traffic destined to the network device or sourced from the network device.
» Traffic is always process switched (CPU switched).
» Traffic can be IP only:
  ○ AAA (TACACS+, RADIUS)
  ○ Telnet, SSH, HTTPS
  ○ NTP, Syslog, SNMP, NetFlow

Data Plane - Overview
» Traffic transiting the router (not destined to the router).
» Used for packet forwarding between the device interfaces (user traffic).
» The control plane should be functional for the data plane to work.
» Can work without the management plane being functional.
» Traffic is generally CEF switched.
» Traffic will in general be IP (non-IP can also work using encapsulations).

Deploying Cisco IOS Management Plane Security Controls
» Secure management access (SSH, HTTPS)
» Out-of-band access

Identify Network Device Planes
The functionality of a network device is segmented into three separate contexts called planes.

Management Plane - Overview
» Traffic destined to the network device or sourced from the network device.
» Traffic is always process switched (CPU switched).
» Traffic can be IP only:
  ○ AAA (TACACS+, RADIUS)
  ○ Telnet, SSH, HTTPS
  ○ NTP, Syslog, SNMP, NetFlow
(Figure: AAA server (RADIUS/TACACS), SNMP/Syslog management host, and HTTPS/SSH from the network administrator to the network device)

Network Device Management - In-band (vs) Out-of-band
In-band management
» Uses the same transport path as user traffic (data plane & management plane).
» Normal LAN & WAN interfaces (Fa0/0, Gi0/0, S0/0, Loopback).
Out-of-band management
» Network traffic is isolated from management traffic.
» Console, AUX and dedicated out-of-band management ports (the ASA supports a dedicated MGMT interface).

Network Device Management - In-band
Non-secure device management
» Sessions are authenticated.
» Management traffic is in clear text.
» Telnet, HTTP, SNMPv2c
Secure device management
» Sessions are authenticated.
» Management traffic is encrypted.
» SSH, HTTPS, SNMPv3

Access port passwords
» Console
» Auxiliary
» VTY line (Telnet/SSH)
(Figure: inside LAN 192.168.1.0/24 with management hosts connecting to the router's console, AUX and VTY lines)

Access Port Passwords
Commands to establish a login password on incoming Telnet sessions:
  R1(config)# line vty 0 4
  R1(config-line)# password cisco
  R1(config-line)# login
Commands to establish a login password for dial-up modem connections:
  R1(config)# line aux 0
  R1(config-line)# password cisco
  R1(config-line)# login
Commands to establish a login password on the console line:
  R1(config)# line con 0
  R1(config-line)# password cisco
  R1(config-line)# login
Command to restrict access to privileged EXEC mode:
  R1(config)# enable secret cisco

Access Port Passwords with username
» Tells the router to use the local username/password database when logging into the line.
» Note that if there is no username/password set in the line, you will be locked out of the router.
Access Port Passwords: login local
[slide diagram: PC with terminal emulation software managing R1 at 192.168.1.100]
R1(config)# username admin password noa123
R1(config)# line vty 0 4
R1(config-line)# login local

Router# telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification
Username: admin
Password:

Drawbacks of local user authentication
» Not scalable: every account has to be created and maintained on every device.

Using external server-based authentication
» Usernames and passwords are stored on a remote (AAA) server.
» Allows centralized authentication.
» Reduces the administrative task.
» Scalable.

Encrypting Passwords
» Protocol analyzers can examine packets (and read passwords).
» Access security is increased by configuring Cisco IOS to encrypt the passwords stored in the configuration.
» Encryption prevents the password from being readable in the configuration file.
» All passwords in the configuration file should be encrypted.
Router(config)# service password-encryption
[slide: show running-config before the command shows "line con 0 / password cisco" in clear text; after it the same line reads "password 7 ..."]
Caveat: service password-encryption produces type 7 strings, a fixed-key XOR obfuscation that is trivially reversible with freely available tools. It protects against shoulder surfing only, not against anyone who obtains a copy of the configuration (backups, TFTP transfers, show running-config output pasted into tickets). Use enable secret (a one-way type 5 hash, or type 8/9 on IOS releases that support enable algorithm-type) for the privileged password and username <name> secret <password> for local accounts, and keep service password-encryption only as a last resort for the line passwords that cannot be hashed.

Unattended connections should be disabled
» Log out sessions on VTY or TTY lines that are left idle.
» By default, sessions are disconnected after ten minutes of inactivity.
(config)# line con 0
(config-line)# exec-timeout <minutes> [seconds]
(config)# line vty 0 4
(config-line)# exec-timeout <minutes> [seconds]
(exec-timeout 0 0 disables the timeout altogether; avoid it on lines reachable over the network.)

Minimum Password Length
» By default there is no limitation on the password length on a Cisco device.
» This can lead to a security risk.
(config)# security passwords min-length 8
(config)# enable secret cisco
% Password too short - must be at least 8 characters.
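The "Encrypting Passwords" slide above deserves a concrete check. The following Python script is an added example, not code from this workbook or from Cisco: it implements the publicly known type 7 algorithm (a fixed-key XOR; the 53-byte key is the well-known constant every IOS uses) and audits a running-config for every `password 7` string. The sample configuration embedded in it is constructed to mirror the one the lab on this page produces after `service password-encryption`, so the three recovered passwords are the lab's own cisco123, telnet123 and enable123. Type 5 `enable secret` hashes are deliberately left alone because they are not reversible.

```python
"""Decode Cisco IOS type 7 strings and audit a running-config for them.

Type 7 is what 'service password-encryption' produces. It is a fixed-key
XOR (Vigenere-style) scheme: two decimal digits give a starting offset
into a constant key, then each hex byte is the password character XORed
with the key byte at (offset + position) mod len(key). Anyone holding
the configuration can reverse it, which is why 'enable secret' (type 5
hash, or type 8/9 on newer IOS) must be used for anything that matters.
"""
from __future__ import annotations

import re
from typing import List, Tuple

# The well-known constant key used by IOS for type 7.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the clear-text password for a type 7 string such as 0822455D0A16."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is 2 offset digits plus an even number of hex digits")
    offset = int(encoded[:2], 10)          # IOS picks 0-15; anything below len(key) decodes
    if offset >= len(TYPE7_KEY):
        raise ValueError("invalid offset")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def encode_type7(plain: str, offset: int = 8) -> str:
    """Inverse of decode_type7; IOS itself varies the offset from password to password."""
    data = plain.encode("ascii")
    out = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return "%02d%s" % (offset, out.hex().upper())


# Matches ' password 7 <hex>' inside a line stanza and 'enable password 7 <hex>'.
TYPE7_LINE_RE = re.compile(r"^\s*(enable )?password 7 ([0-9A-Fa-f]+)\s*$")
STANZA_RE = re.compile(r"^line \S+(?: \d+)*$")


def audit_config(config_text: str) -> List[Tuple[str, str]]:
    """Recover every type 7 password in a running-config.

    Returns (context, cleartext) pairs, where context is the enclosing
    'line ...' stanza, or 'enable password' for the global one. Type 5
    'enable secret' hashes are not reversible and are skipped.
    """
    findings: List[Tuple[str, str]] = []
    context = "global"
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if STANZA_RE.match(stripped):
            context = stripped
        m = TYPE7_LINE_RE.match(raw)
        if m:
            where = "enable password" if m.group(1) else context
            findings.append((where, decode_type7(m.group(2))))
    return findings


# Constructed to mirror the lab's 'show running-config' after
# 'service password-encryption'; not a capture from a real device.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$5.06P4JqbNIMXO/usika/
enable password 7 0824424F0B1500464058
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A16544541
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 08354942071C11464058
 login
"""

if __name__ == "__main__":
    for where, secret in audit_config(SAMPLE_CONFIG):
        print(f"{where:16s} -> {secret}")
```

Run it against any saved configuration to see how little `service password-encryption` buys; every `password 7` entry comes back in clear text in a fraction of a second, while the `enable secret 5` line would need a dictionary or brute-force attack.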
[slide diagram: LAN 192.168.1.0/24, password configuration fails because it is shorter than the minimum length]

Login block-for command
» Prevents brute-force login attempts over virtual connections such as Telnet, SSH or HTTP.
» Blocks all Telnet and SSH connections to the router if incorrect credentials are entered a specified number of times within a given window.
(config)# login block-for 60 attempts 2 within 10
Block all connections to the router for 60 seconds if the credentials are entered incorrectly 2 times within a span of 10 seconds.
Router# show login failures
Total failed logins: 2
Detailed information about last 50 failures
Username   SourceIPAddr   lPort   Count   TimeStamp
user       10.0.0.4       22      2       17:01:34 UTC Thu Sep 22 2016
Caveat: during the quiet period the router refuses every login on those lines, including legitimate ones, so an attacker who can reach port 22 can keep administrators locked out by sending two bad passwords every minute. Exempt the management hosts with login quiet-mode access-class <acl> so that they can still get in while the quiet period is active, and keep console access available out of band.

LAB: Securing the Router for Administrative Access
[topology: LAN 192.168.1.0/24, PC 192.168.1.1 to R1 Gi0/0 192.168.1.100]
TASK:
» Connect to any one router's CLI.
» Configure a minimum password length of 8 on R1 and verify.
» Configure and verify line console/vty passwords with an exec-timeout of 5 minutes.
» Assign IP addressing as per the diagram.
R-1(config)# security passwords min-length 8
R-1(config)# enable password cisco
% Password too short - must be at least 8 characters. Password not configured.
R-1(config)# line con 0
R-1(config-line)# password cisco
% Password too short - must be at least 8 characters. Password not configured.
R-1(config-line)# password cisco123
R-1(config-line)# login
R-1(config-line)# exec-timeout ?
  <0-35791>  Timeout in minutes
R-1(config-line)# exec-timeout 5
R-1(config-line)# exit
R-1(config)# line vty 0 4
R-1(config-line)# password telnet123
R-1(config-line)# login
R-1(config-line)# exec-timeout 5
R-1(config-line)# exit
R-1(config)# exit
R-1 con0 is now available
Press RETURN to get started.
User Access Verification
Password:
R-1> enable
R-1# conf t
R-1(config)# int g0/0
R-1(config-if)# ip address 192.168.1.100 255.255.255.0
R-1(config-if)# no shutdown

Verify Telnet from the PC (192.168.1.1) in the LAN:
PC> ipconfig
FastEthernet0 Connection:(default port)
  IP Address......................: 192.168.1.1
  Subnet Mask.....................: 255.255.255.0
  Default Gateway.................:
    192.168.1.100
PC> ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=1ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC> telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification
Password:
R-1> enable
% No password set.
R-1> exit
[Connection to 192.168.1.100 closed by foreign host]
PC>

Configure the enable password on R1 (either form):
R-1(config)# enable password enable123
  OR
R-1(config)# enable secret cisco123
R-1(config)# end
R-1# show running-config
Building configuration...
Current configuration : 746 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
security passwords min-length 8
!
hostname R-1
!
enable password enable123
!
R-1# exit
R-1> exit
User Access Verification
Password:
R-1> enable
Password:
Note: enable password stores the string in clear text (or, after service password-encryption, as reversible type 7), whereas enable secret stores a salted MD5 hash (type 5). When both are configured, enable secret is the one that is used; configure enable secret only, and on releases that support it prefer enable algorithm-type scrypt secret <password> (type 9).

TASK: ensure that all passwords shown in the running-config are stored in encrypted form:
R-1(config)# service password-encryption
R-1# show running-config
Building configuration...
Current configuration : 977 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
security passwords min-length 8
!
hostname R-1
!
enable secret 5 $1$mERr$5.06P4JqbNIMXO/usika/
enable password 7 0824424F0B1500464058
!
license udi pid CISCO1941/K9 sn FTX15245FRS
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A16544541
 login
!
line aux 0
!
line vty 0 4
 exec-timeout 5 0
 password 7 08354942071C11464058
 login
!
end
Note the two different forms in this output: the entries tagged 7 are type 7 (reversible obfuscation), the entry tagged 5 is a one-way hash. Only the latter is safe to leave in a configuration that others can read.

TASK: Configure Login Banner
In a production network it is common to place banners on Cisco devices that carry legal information and other warnings for unauthorized individuals attempting to establish an EXEC session with your device(s).
» Login banners are displayed while an EXEC session is being established, before the authentication prompt.
» MOTD banners are shown before the login banner and before user authentication.
» EXEC banners are shown once a user has started an EXEC session with the device.
TASK: Configure a login banner to inform incoming sessions of the legal and privacy terms.
» When configuring a banner you need to use a delimiting character, which is a character that appears only at the beginning and the end of the banner text.
» The ^ is commonly used.
» To set a banner, use the banner command followed by the type of banner (login, exec or motd) and the delimiting character.
» A basic login banner is configured below, and the configuration is verified by ending and re-establishing an EXEC session with the device.
Router(config)# banner login ^
Enter TEXT message.  End with the character '^'.
########################################
# This is a Login banner used to show  #
# legal and privacy information.       #
#                                      #
# Unauthorized users prohibited        #
########################################
^
Router(config)# end
Router# exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>

TASK: Configure an EXEC banner so that any authenticated EXEC session is shown the device hostname and the line the session is established on.
» To configure this type of banner you need to know what banner tokens are.
» Banner tokens are variables placed in the banner text; when the banner is displayed, the device replaces each token with the corresponding piece of information.
» The banner tokens used in this task are $(hostname) and $(line), which display the hostname and the line number.
» To configure the EXEC banner as required, use the following text: Session established to $(hostname) on line $(line)
» As with the login banner you configured earlier, the command is executed in global configuration mode, but with banner exec instead of banner login.
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# banner exec ^
Enter TEXT message.  End with the character '^'.
Session established to $(hostname) on line $(line)
^
Router(config)#
» After the EXEC banner is configured, verify the configuration by terminating your EXEC session and re-establishing it:
Router(config)# end
Router# exit
Router con0 is now available
Press RETURN to get started.
########################################
# This is a Login banner used to show  #
# legal and privacy information.       #
#                                      #
# Unauthorized users prohibited        #
########################################
User Access Verification
Password:
Router>

TASK: Configure a Message of the Day banner, which is commonly used to display maintenance information on the Cisco device, such as "This router will undergo routine maintenance on 01/01/10 from 12:00AM to 2:00AM".
» The MOTD banner is displayed before the login banner on a Cisco router or switch and is configured the same way as any other banner: execute the banner command followed by the type of banner and the delimiting character in global configuration mode.
» An example MOTD banner configuration and verification:
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# banner motd ^
Enter TEXT message.
End with the character '^'.
This router will undergo routine maintenance on 01/01/10 from 12:00AM to 2:00AM
^
Router(config)#
» To verify the MOTD banner configuration, exit and re-establish an EXEC session to the device:
Router(config)# end
Router# exit
Router con0 is now available
Press RETURN to get started.
########################################
# This is a Login banner used to show  #
# legal and privacy information.       #
#                                      #
# Unauthorized users prohibited        #
########################################
User Access Verification
Password:
Session established to Router on line 0
Router>

Telnet vs SSH

Remote Access using Telnet
» Allows the user to access a remote device's CLI.
» Telnet uses TCP port 23 by default.
» Unsecured: anyone on the path between the network technician and the device (the "hacker" in the slide's diagram) can read the whole session.

Drawbacks of Telnet
» All text is transmitted in the clear (unencrypted).
» An attacker can view the information contained in those packets, such as a client's username and password.
» Supports password-only and username/password authentication.
[slide: Telnet packet capture, with the username and password visible in clear text]

SSH - Secure Shell
» A protocol that provides a secure remote access connection to network devices.
» The standard alternative to the Telnet protocol for remote access.
» Communication between the client and the server is encrypted in both SSH version 1 and SSH version 2.
» SSH version 2 uses stronger integrity protection and key exchange; version 1 has known protocol weaknesses and should not be used.
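To make the "Telnet packet captures in clear text" point concrete, here is an added Python example (not from the workbook) that does by hand what Wireshark's Follow TCP Stream does: it strips the Telnet option negotiation (IAC sequences, RFC 854) from the TCP payload of each direction and pairs the router's Username:/Password: prompts with the lines the client typed. The two byte strings are constructed to look like an IOS login local session for the admin account from the slides; they are not a real capture. Recovering the keystrokes needs the client-to-server direction of the capture, and the same bytes on an SSH session would be ciphertext.

```python
"""Recover credentials from the TCP payload of a Telnet session.

Telnet (TCP/23) carries keystrokes as plain bytes; the only non-text
content is option negotiation: IAC (0xFF) followed by a command byte
and, for WILL/WONT/DO/DONT, an option byte, or a subnegotiation that
runs from IAC SB to IAC SE. Strip that, and what remains is exactly
what the user typed, password included.
"""
import re
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_iac(payload: bytes) -> bytes:
    """Remove Telnet option negotiation and return the application text."""
    out = bytearray()
    i = 0
    n = len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                                   # truncated: lone IAC at the end
        elif payload[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC escapes a literal 0xFF
            i += 2
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        elif payload[i + 1] == SB:
            end = payload.find(bytes((IAC, SE)), i + 2)
            i = n if end < 0 else end + 2           # skip IAC SB ... IAC SE
        else:
            i += 2                                  # IAC NOP/GA/... (no option byte)
    return bytes(out)


PROMPT_RE = re.compile(rb"(Username|Password):")
LINE_END_RE = re.compile(rb"\r\x00|\r\n|\n|\r")     # Telnet clients send CR NUL for Enter


def extract_credentials(client_to_server: bytes, server_to_client: bytes) -> List[Tuple[str, str]]:
    """Pair each login prompt the router sent with the next line the client typed.

    Works for 'login' (password only) and 'login local' (username and
    password). A longer session with an 'enable' prompt would need
    per-packet ordering between the two directions, which two separately
    reassembled streams do not preserve.
    """
    prompts = [m.group(1).decode() for m in PROMPT_RE.finditer(strip_iac(server_to_client))]
    typed = [t.decode("ascii", "replace") for t in LINE_END_RE.split(strip_iac(client_to_server)) if t]
    return list(zip(prompts, typed))


# Constructed sample laid out like a 'login local' session on an IOS router
# (option negotiation, the IOS prompts, the typed lines). Not a real capture.
SERVER_STREAM = (
    b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"            # WILL ECHO, WILL SGA, DO TERMINAL-TYPE
    b"\r\n\r\nUser Access Verification\r\n\r\nUsername: "
    b"admin\r\n"                                        # echoed by the router; the password is not
    b"Password: "
    b"\r\nR1>"
)
CLIENT_STREAM = (
    b"\xff\xfd\x01\xff\xfd\x03\xff\xfb\x18"            # DO ECHO, DO SGA, WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00VT100\xff\xf0"                    # SB TERMINAL-TYPE IS "VT100" SE
    b"admin\r\x00"
    b"noa123\r\x00"
)

if __name__ == "__main__":
    for prompt, value in extract_credentials(CLIENT_STREAM, SERVER_STREAM):
        print(f"{prompt}: {value}")
```

Fed with the two directions of a real Telnet session (for example the output of tshark's follow,tcp,raw), it prints the username and the password the administrator typed, which is the whole argument for replacing Telnet with SSH on the VTY lines.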
SSH Connection Phases
Once the TCP connection is established, SSH goes through three phases:
1. Secure tunnel negotiation (version, hashing and encryption algorithms, key exchange).
2. Client authentication (exchange of authentication credentials).
3. Secure transmission of data over the tunnel (management traffic).

SSH Configuration - IOS
» Generate an RSA private/public key pair.
» Configure user credentials (username / password).
» Configure the VTY lines to use local authentication and allow SSH.
» Optionally configure other SSH parameters (version, timeout, retries).

SSH Configuration - IOS (example, R1 at 192.168.1.100)
R-1(config)# username admin password noa123
R-1(config)# enable secret cisco123
R-1(config)# ip domain name www.noasolutions.com
R-1(config)# crypto key generate rsa general-keys modulus 1024
R-1(config)# line vty 0 15
R-1(config-line)# login local
R-1(config-line)# transport input ssh telnet
R-1(config-line)# exit

LAB: Secure Shell (SSH)
» Most IT professionals know that using Telnet to manage routers, switches and firewalls is not exactly a security best practice. The accepted alternative to Telnet's lack of security is Secure Shell (SSH).
» To set up SSH access to a Cisco switch or router, you need a user account created on the device.

SSH versions
» There are two versions of SSH. SSH version 2 is an IETF standard that is more secure than version 1.
» Version 1 is more vulnerable to man-in-the-middle attacks.
» Cisco devices support both versions, but you can specify which version to use. show ip ssh reports "version 1.99" when the device still accepts both; configure ip ssh version 2 so that only version 2 is offered.

Steps to configure SSH
Telnet is enabled by default, but configuring even a basic SSH server requires several steps:
1. Ensure that your IOS image supports SSH (a crypto/K9 image).
2. Configure a hostname, unless this was done previously.
3. Configure a domain name, unless this was done previously.
4. Configure a client authentication method.
5. Tell the router or switch to generate the Rivest, Shamir and Adleman (RSA) keys that will be used to secure the session.
6. Specify the SSH version, if you want to use version 2.
7. Disable Telnet on the VTY lines.
8. Enable SSH on the VTY lines.
Even once SSH is activated (it is not by default), it will still not work unless username/password-based authentication is in place. So either AAA has to be configured, or the VTY lines have to authenticate against the local username database, which is enabled with the VTY line command login local.

[topology: PC 192.168.1.1 to R1 192.168.1.100]
TASK:
» Configure basic connectivity and IP addressing as per the diagram.
» Configure R1 to enable SSH using the following parameters:
  hostname       R-1
  domain name    noasolutions.com
  version        SSH version 2
  username       sikandar
  password       cisco123
ROUTER(config)# int g0/0
ROUTER(config-if)# ip address 192.168.1.100 255.255.255.0
ROUTER(config-if)# no shutdown
ROUTER(config-if)# end
ROUTER# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
ROUTER(config)# hostname R-1
R-1(config)# ip domain name noasolutions.com
R-1(config)# exit
NOTE: both the hostname and the domain name are required, because the RSA key pair is named after them.
R-1(config)# username sikandar password cisco123
R-1(config)# enable secret cisco
R-1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R-1.noasolutions.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
Note: a 1024-bit modulus is used here to keep the lab quick; for production use modulus 2048 (or larger), which is what current guidance recommends, and regenerate the pair if the hostname or domain name later changes.
[OK]
R-1# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
R-1(config)# ip ssh version 2
R-1(config)# end
R-1# sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
R-1(config)# ip ssh time-out 60
R-1(config)# ip ssh authentication-retries 3
R-1(config)# line vty 0 871
R-1(config-line)# login local
R-1(config-line)# transport input ssh telnet
R-1(config-line)# exit
Check: the lab leaves transport input ssh telnet, so Telnet still works on the VTY lines and step 7 of the procedure is not actually complete. Use transport input ssh to refuse Telnet altogether, and consider restricting the VTY lines to the management hosts with access-class <acl> in.

Verification
To verify SSH, use PuTTY or SecureCRT from the PC: host name 192.168.1.100, port 22, connection type SSH, then log in as sikandar with the password cisco123.

NETWORK & DEVICE LOGGING

Device & Network Events Logging
Network devices generate log messages that can be used to keep track of events:
» Monitoring: device failure notifications (interface status and routing issues)
» Auditing (ACL logging)
» Troubleshooting (debugging level)
» Forensic analysis (incident investigation)
R1(config)# int s1/0
R1(config-if)# shutdown
[slide: the resulting %LINK and %LINEPROTO messages appearing on the console]

Logging Options
Routers can be configured to send log messages to:
» Console line (console logging)
» VTY line (terminal logging)
» Local buffer (buffered logging)
» External syslog servers (syslog)
R1(config)# int s1/0
R1(config-if)# shutdown
[slide: screenshot of the same messages as seen on the console and on a syslog server; not recoverable from the source]

CONSOLE LOGGING
» By default, routers and switches send all log messages to the console port.
» Hence only users physically connected to the router's console port can view these messages.
R1(config)# int s1/0
R1(config-if)# shutdown
R1# debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1(config)# router eigrp 100
R1(config-router)# network 1.0.0.0
[topology: LAN 192.168.1.0/24]

Disable console logging
» A large amount of logging output (most often produced while debugging) sent to a router's console
» can significantly increase the router's CPU load,
» and can even stop the box from forwarding packets or make it lose routing adjacencies.
» The console interrupt is one of the highest-priority interrupts on the router.
» To stop console logging, use the no logging console global configuration command.

Buffered logging
» This type of logging uses the router's RAM for storing log messages.
» The buffer has a fixed size to ensure that the log does not deplete valuable system memory.
» The router accomplishes this by deleting old messages from the buffer as new messages are added.
Router(config)# logging buffered 16384
Router# show logging

Syslog server logging
» The router can use syslog to forward log messages to external syslog servers for storage.
» This type of logging is not enabled by default.
Router(config)# logging host 10.1.1.10
[topology: R1 Fa0/0 10.1.1.1 with the syslog server at 10.1.1.10, Se1/0 towards R2 Fa0/0 20.1.1.1]
Note: syslog over UDP/514 is unauthenticated clear text and messages can be spoofed or dropped silently; keep the server on the management network, and set the clock (ideally with NTP) before enabling it so that the timestamps can be correlated across devices.

Terminal logging
» Similar to console logging, but it displays log messages on the router's VTY lines instead.
» This is not enabled by default.
R1# terminal monitor
R1(config)# int f0/0
R1(config-if)# shutdown

Logging - Levels
» Log messages have different severity levels.
» Level 7 provides the most output.
  0 - emergencies
  1 - alerts
  2 - critical
  3 - errors
  4 - warnings
  5 - notifications
  6 - informational
  7 - debugging
» The default level for console, monitor and buffer logging is debugging; trap (syslog) logging defaults to informational.
» A level always includes the numerically lower (more severe) levels, so by default the router logs everything from debugging (7) down to emergencies (0).

LOGGING ON CISCO ROUTERS
[topology: R1 Fa0/0 10.1.1.1, Se1/0 link to R2, R2 Fa0/0 20.1.1.1]
Knowing how to properly use logging is a necessary skill for any network administrator. It is vital that you know how to use logging when it comes time to start troubleshooting. Cisco IOS offers a great many options for logging. To help bring you up to speed, let's discuss how to configure logging, examine how to view the log and its status, and look at three common errors when it comes to logging. The logging command in global configuration mode and the show logging command in privileged mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.

TASK:
» Connect to the router's console port.
» Verify console logging messages by making changes on the router.
R1(config)# int s1/0
R1(config-if)# shutdown
R1(config-if)# exit
R1(config)# int s1/0
R1(config-if)# no shutdown
R1(config-if)# end
R1# debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1(config)# router eigrp 100
R1(config-router)# network 1.0.0.0
R1(config-router)# network 10.0.0.0
R1(config-router)# end
*Mar 31 11:53:33.699: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:33.699:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:35.155: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar 31 11:53:35.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1#
*Mar 31 11:53:38.119: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:38.119:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:38.935: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 11:53:38.935:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
R1# undebug all
All possible debugging has been turned off
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 86 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 86 messages logged, xml disabled, filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 41 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):
*Mar 31 11:49:18.047: %SYS-5-CONFIG_I: Configured from console by console
*Mar 31 11:52:50.255: %SYS-5-CONFIG_I: Configured from console by console
*Mar 31 11:53:01.279: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:01.279:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:05.855: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:05.859:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:10.827: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:10.827:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:15.479: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:15.479:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:19.127: %SYS-5-CONFIG_I: Configured from console by console
*Mar 31 11:53:19.859: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:19.863:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:24.575: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:24.575:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:29.219: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:29.219:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:33.699: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:33.699:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:35.155: %SYS-5-CONFIG_I: Configured from console by console
*Mar 31 11:53:35.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
*Mar 31 11:53:38.119: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:38.119:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:38.935: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 11:53:38.935:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:42.547: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:42.547:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:43.771: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 11:53:43.771:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:47.051: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:47.051:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:48.747: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 11:53:48.747:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:51.763: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 11:53:51.763:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 11:53:53.147: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 11:53:53.147:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
R1# clear logging
Clear logging buffer [confirm]
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 86 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 86 messages logged, xml disabled, filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 41 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):
R1#
(clear logging empties the buffer but does not reset the message counters, which is why 86 is still reported.)

TASK:
» Configure the router to keep a buffered log of its events in memory.
» Change the buffer size for logging to 16384 bytes.
You can configure the router to send buffered logging of its events to memory. Rebooting the router loses all events stored in the buffered log, and so does changing the buffer size, which is why only the newest message is present below.
R1(config)# logging buffered 16384
R1(config)# end
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.
    Console logging: level debugging, 87 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 1 messages logged, xml disabled, filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 42 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (16384 bytes):
*Mar 31 11:59:52.663: %SYS-5-CONFIG_I: Configured from console by console
R1#

TASK:
» Configure VTY and enable passwords on R1 for Telnet access.
» Telnet to R1 from R2.
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# enable secret cisco
R1(config)# exit
R2# telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
R1> enable
Password:

TASK: Configure R1 to enable terminal monitor so that the messages appear on the Telnet CLI session whenever changes are made on the router.
R1(config)# int f0/0
R1(config-if)# shutdown
R1(config-if)# exit
R1(config)# do sh ip int brief
Interface          IP-Address   OK? Method Status                Protocol
FastEthernet0/0    10.1.1.1     YES NVRAM  administratively down down
Serial1/0          10.1.1.1     YES NVRAM  up                    up
Serial1/1          4.4.4.2      YES NVRAM  up                    down
Serial1/2          unassigned   YES NVRAM  administratively down down
Serial1/3          unassigned   YES NVRAM  administratively down down
Loopback0          1.0.0.1      YES NVRAM  up                    up
Loopback1          1.0.1.1      YES NVRAM  up                    up
Loopback2          1.0.2.1      YES NVRAM  up                    up
Loopback3          1.0.3.1      YES NVRAM  up                    up
R1(config)# int f0/0
R1(config-if)# no shutdown
R1(config-if)# end
» By default Cisco IOS does not send log messages to a terminal session over IP (i.e. Telnet or SSH connections). If you want logging messages from IOS to appear on your terminal, use the terminal monitor command.
» Logging to your terminal then occurs for the rest of that session only; the command is per session and is not saved in the configuration.
Of course, a message has to be generated for anything to appear, so let's make IOS tell us that we have configured it.
R1# terminal monitor
R1(config)# int f0/0
R1(config-if)# shutdown
R1(config-if)# no shutdown
R1(config-if)# end
R1# debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
*Mar 31 12:18:53.095: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 12:18:53.095:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 12:18:53.515: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 12:18:53.515:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1# undebug all
All possible debugging has been turned off
R1# exit
[Connection to 10.1.1.1 closed by foreign host]
R2#

TASK:
» Connect the PC to R1 and assign IP addressing as per the diagram (R1 Fa0/0 10.1.1.1, syslog server 10.1.1.10).
» Configure R1 to send all log messages to the external syslog server.
» Use a free syslog server tool on the PC to verify.
Syslog: use the UNIX-style syslog protocol to send messages to an external device for storage. The storage size does not depend on the router's resources and is limited only by the available disk space on the external syslog server. This option is not enabled by default.
» Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time and time zone. Syslog data is useless for troubleshooting if it shows the wrong date and time. Configure all network devices to use NTP; NTP ensures a correct and synchronized system clock on all devices within the network, and accurate time is what makes event correlation across devices possible.
» To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices. Cisco devices use the severity levels from warnings up to emergencies to generate error messages about software or hardware malfunctions.
The debugging level displays the output of debug commands. The notifications level displays interface up or down transitions and system restart messages. The informational level covers reload requests and low-process stack messages.
[slide: syslog server window on the PC listing the messages received from R1]
R1(config)# int s1/0
R1(config-if)# shutdown
R1(config-if)# no shutdown
*Mar 31 12:47:53.099: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar 31 12:47:54.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R1(config-if)# end

TASK:
» Enable debug eigrp packets on R1.
» Configure EIGRP on both routers and verify the syslog messages on the PC.
R1# debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1(config)# no router eigrp 100
R1(config)# router eigrp 100
R1(config-router)# network 1.0.0.0
R1(config-router)# network 10.0.0.0
R1(config-router)# exit
R1(config)# logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed            (severity=1)
  critical       Critical conditions                (severity=2)
  debugging      Debugging messages                 (severity=7)
  emergencies    System is unusable                 (severity=0)
  errors         Error conditions                   (severity=3)
  informational  Informational messages             (severity=6)
  notifications  Normal but significant conditions  (severity=5)
  warnings       Warning conditions                 (severity=4)
  <cr>
R1(config)# logging trap debugging
» By default, syslog servers receive informational messages and those of numerically lower (more severe) levels.
» Use the debugging level with caution, because it can generate a large amount of syslog traffic in a busy network.
» When a level is specified in the logging trap <level> command, the router also sends all messages of the more severe levels. For example, logging trap warnings configures the router to send all messages with severity warnings, errors, critical, alerts and emergencies.
» Similarly, logging trap debugging causes the router to send every message to the syslog server.
» Exercise caution when enabling the debugging level: the debug process is assigned a high CPU priority, and in a busy network it can overload and even crash the router.
R2(config)# router eigrp 100
R2(config-router)# network 20.0.0.0
R2(config-router)# network 1.0.0.0
R2(config-router)# end
*Mar 31 13:22:00.631: %SYS-5-CONFIG_I: Configured from console by console
R1# undebug all
All possible debugging has been turned off
R1#

TASK:
» Configure R2 to send logging to host 10.1.1.10.
» R2's source should be its Loopback0 interface.
R2# ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/75/148 ms
R2(config)# logging host 10.1.1.10
R2(config)# logging source-interface loopback 0
R2(config)# end
*Mar 31 13:25:24.251: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated
(Sourcing syslog from a loopback gives the server one stable source address per router, whichever physical link the messages leave on; that is what you want when the collector filters or correlates by source.)

Remove the logging host command on both routers and change back to local logging:
R1(config)# no logging host 10.1.1.10
R1(config)# logging on
R1(config)# exit

TASK:
» R1 should insert uptime-based timestamps in log and debug messages.
Timestamps record what the time was when the log or debug output was produced.
R1(config)# service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
R1(config)# service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
R1(config)# service timestamps log uptime
R1(config)# service timestamps debug uptime
R1(config)# exit
R1#
<uptime hh:mm:ss>: %SYS-5-CONFIG_I: Configured from console by console
R1# debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
EIGRP: Sending HELLO on Fa0/0 - paklen 20
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#undebug all
All possible debugging has been turned off

TASK:
* R2 should insert datetime timestamps with time zone and year in log and debug messages.
R2(config)#service timestamps log datetime localtime show-timezone year
R2(config)#service timestamps debug datetime localtime show-timezone year
R2(config)#exit
*Mar 31 2015 14:02:30 UTC: %SYS-5-CONFIG_I: Configured from console by console
R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
*Mar 31 2015 14:02:46 UTC: EIGRP: Received HELLO on Se1/0 - paklen 20 nbr 10.1.1.1
*Mar 31 2015 14:02:46 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 31 2015 14:02:46 UTC: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 2015 14:02:46 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 31 2015 14:02:48 UTC: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 2015 14:02:48 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 31 2015 14:02:50 UTC: EIGRP: Received HELLO on Se1/0 - paklen 20 nbr 10.1.1.1
*Mar 31 2015 14:02:50 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar 31 2015 14:02:51 UTC: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 2015 14:02:51 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#
*Mar 31 2015 14:02:52 UTC: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 2015 14:02:52 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#undebug all
*Mar 31 2015 14:02:55 UTC: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 31 2015 14:02:55 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 31 2015 14:02:55 UTC: EIGRP: Received HELLO on Se1/0 - paklen 20 nbr 10.1.1.1
*Mar 31 2015 14:02:55 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
All possible debugging has been turned off
R2#
*Mar 31 2015 14:02:56 UTC: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 31 2015 14:02:56 UTC:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#

NETWORK TIME PROTOCOL (NTP)
» Protocol that allows network devices to synchronize their date and clock with the current time.
» Uses UDP port 123.
» Accurate clock settings are required for:
  - Logging with accurate timestamps
  - Time-based ACL restrictions
  - Digital certificate validation
  - SSO (Single Sign-on) authentication mechanisms
» An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server.
» NTP then distributes this time across the network.

NTP Stratum
NTP uses a stratum to describe the distance between a network device and an authoritative time source:
» Stratum 1 are always servers which do not run NTP (time servers on the Internet).
» A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.
» Stratum 2 in turn provides NTP service to stratum 3, and so on.
(Figure: stratum hierarchy below an external reference clock (UTC).)

IOS - NTP Configuration
» Configure time zone and NTP clock synchronization.
» Configure authenticated NTP (optional).
R1(config)# ntp server 12.0.0.1
R3(config)# ntp server 12.0.0.1
Rx# sh ntp status
Rx# sh ntp associations

IOS - NTP Authentication (Optional)
NTP server (R2):
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 1 md5 noa123
R2(config)# ntp trusted-key 1
NTP clients (R1/R3):
Rx(config)# ntp authenticate
Rx(config)# ntp authentication-key 1 md5 noa123
Rx(config)# ntp trusted-key 1
Rx(config)# ntp server 12.0.0.1 key 1
Rx(config)# end

LAB: NETWORK TIME PROTOCOL
TASK:
* Change the time on R2 to 10:10:10, 10 January 2015.
* Configure R2 as NTP server and R1/R3 as NTP clients.
* Ensure that R1/R3 change their time as per R2 (NTP server).

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 11.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 12.0.0.0 0.255.255.255 area 0
R2(config-router)#end
R3(config)#router ospf 1
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#network 13.0.0.0 0.255.255.255 area 0
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State       Dead Time   Address     Interface
11.0.3.1          0   FULL/  -    00:00:34    10.1.1.1    Serial1/0
13.0.3.1          0   FULL/  -    00:00:32    2.2.2.2     Serial1/1

R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     10.0.0.0/8 [110/65] via 10.1.1.1, 00:00:36, Serial1/0
      11.0.0.0/32 is subnetted, 4 subnets
O        11.0.0.1 [110/65] via 10.1.1.1, 00:00:36, Serial1/0
O        11.0.1.1 [110/65] via 10.1.1.1, 00:00:36, Serial1/0
O        11.0.2.1 [110/65] via 10.1.1.1, 00:00:36, Serial1/0
O        11.0.3.1 [110/65] via 10.1.1.1, 00:00:36, Serial1/0
      13.0.0.0/32 is subnetted, 4 subnets
O        13.0.0.1 [110/65] via 2.2.2.2, 00:00:13, Serial1/1
O        13.0.1.1 [110/65] via 2.2.2.2, 00:00:13, Serial1/1
O        13.0.2.1 [110/65] via 2.2.2.2, 00:00:13, Serial1/1
O        13.0.3.1 [110/65] via 2.2.2.2, 00:00:13, Serial1/1
O     30.0.0.0/8 [110/65] via 2.2.2.2, 00:00:13, Serial1/1

R2#clock set 10:10:10 10 january 2015
R2#sh clock
R2(config)#ntp master 2
R2(config)#end
R2#sh ntp status
Clock is synchronized, stratum 2, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 1700 (1/100 of seconds), resolution is 4000
reference time is D85B7952.94A33984 (10:11:30.604 UTC Sat Jan 10 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 3937.56 msec, peer dispersion is 3937.56 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 1 sec ago.
R2#sh ntp associations
  address         ref clock       st   when   poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.           1     12     16     3  0.000   0.000  3937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R1#ping 12.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/117/156 ms
R1(config)#ntp server 12.0.0.1
R1(config)#exit

R3#ping 12.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/111/152 ms
R3(config)#ntp server 12.0.0.1
R3(config)#end

NOTE: The update of the time on the client is done incrementally (not at once). It takes more time, depending on the time difference between client and server.

R3#sh ntp associations
  address         ref clock       st   when   poll reach   delay   offset    disp
*~12.0.0.1        127.127.1.1      2      0     64     1  143.93  108.054  1937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R3#sh clock
R1#sh clock
R1#sh ntp associations
  address         ref clock       st   when   poll reach   delay   offset    disp
*~12.0.0.1        127.127.1.1      2     39     64     1  103.92  -22.228  187.62
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#sh ntp status
Clock is synchronized, stratum 3, reference is 12.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 6100 (1/100 of seconds), resolution is 4000
reference time is D85879F9.59A974A1 (10:14:17.350 UTC Sat Jan 10 2015)
clock offset is -22.2285 msec, root delay is 103.92 msec
root dispersion is 4098.93 msec, peer dispersion is 187.62 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 56 sec ago.
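To make the show ntp status and show ntp associations fields above concrete, this added Python example (not from the workbook) decodes the hexadecimal reference timestamp the way IOS prints it and works the offset and delay columns out of the four timestamps of one NTP exchange. The seconds word D85B7952 is taken from R2's output above (the fractional digits were read from the scan and are not relied on); the four-timestamp exchange is constructed so that it lands near R1's measured -22 ms offset and 104 ms delay.

```python
from datetime import datetime, timedelta, timezone

# NTP counts seconds from 1900-01-01 (Unix from 1970-01-01). IOS prints the 64-bit
# reference timestamp as two 32-bit hex words: SECONDS.FRACTION.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def ntp_ts_to_datetime(ios_hex_ts: str) -> datetime:
    """Decode a timestamp as shown by 'show ntp status' (e.g. 'D85B7952.94A33984')."""
    sec_hex, frac_hex = ios_hex_ts.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2**32          # fixed-point fraction of one second
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1e6))

def clock_offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """Client-side arithmetic behind the 'offset' and 'delay' columns of
    'show ntp associations' (RFC 5905 on-wire protocol; all times in seconds).

    t1 = client transmit, t2 = server receive, t3 = server transmit, t4 = client receive.
    A negative offset means the client clock is ahead of the server, as on R1 above.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2          # estimated client clock error
    delay = (t4 - t1) - (t3 - t2)                 # round trip minus the server's own dwell time
    return offset, delay

def client_stratum(server_stratum: int) -> int:
    """A client synchronised to a server is one stratum further from the reference
    (R2 runs 'ntp master 2', so R1/R3 report stratum 3)."""
    if not 1 <= server_stratum <= 15:
        raise ValueError("server is not a usable time source")
    return server_stratum + 1

# Reference time word from R2's 'show ntp status' in the lab above.
R2_REFERENCE_TIME = "D85B7952.94A33984"

# Constructed exchange, seconds on a common scale: client sends at 100.000, the
# server stamps receive 100.030 / transmit 100.031, the reply arrives at 100.105.
SAMPLE_EXCHANGE = (100.000, 100.030, 100.031, 100.105)

if __name__ == "__main__":
    print("R2 reference time:", ntp_ts_to_datetime(R2_REFERENCE_TIME).isoformat())
    off, dly = clock_offset_and_delay(*SAMPLE_EXCHANGE)
    print(f"offset {off * 1000:.3f} ms, delay {dly * 1000:.2f} ms, "
          f"client stratum {client_stratum(2)}")
```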
TASK: Configure NTP authentication on both server and clients.
R1/R3 (clients):
Rx(config)# ntp authentication-key 1 md5 noa123
Rx(config)# ntp authenticate
Rx(config)# ntp trusted-key 1
Rx(config)# ntp server 12.0.0.1 key 1
Rx(config)# end
R2 (server):
R2(config)# ntp authentication-key 1 md5 noa123
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1

CONTROL PLANE SECURITY

Control Plane - Overview
» Traffic destined to the network device or sourced from the network device.
» Builds the routing table and forwarding tables for the data plane (packet forwarding).
» Control plane information has to be built (where or how to forward packets).
» Traffic is always process switched (CPU switched).
» Traffic can be IP or non-IP:
  - Routing protocols (OSPF, BGP)
  - IGMP, PIM, NHRP, LDP, ICMPv6
  - ARP, STP, VTP

Control Plane - Possible Threats
» Denial of Service: attackers can send a high rate of packets to the CPU to disable these functions.
» Excessive traffic in any one of the planes can overwhelm the entire CPU and affect the other planes.
» DoS attacks against the management services (HTTPS, SSH) the device is configured to accept.
» Router sending ICMP unreachable reply messages to unknown packets.
» Attacker spoofing with a valid source address.
» False routing updates (routing protocol spoofing).

Routing Protocol Authentication
» A router authenticates the source of each routing update packet that it receives.
» Most routing protocols support authentication (EIGRP, RIPv2, BGP, OSPF, IS-IS).
» Prevents spoofed neighbor relationships and updates.
» Does not prevent malicious updates from authenticated peers.
» Clear-text or MD5 passwords are supported.

Simple Password vs. MD5 Authentication
Simple password authentication:
» Router sends the packet and the key.
» Neighbor checks whether the key matches its key.
» Process not secure.
» OSPF, RIPv2

MD5 authentication:
» Configure a key (password) and key ID; the router generates a message digest, or hash, of the key, key ID and message.
» The message digest is sent with the packet; the key is not sent.
» Process more secure.
» OSPF, RIPv2, EIGRP

RIPv2 Authentication - Configuration
Router(config)# key chain <name-of-chain>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# exit
Router(config)# interface serial 1/0
Router(config-if)# ip rip authentication mode {text | md5}
Router(config-if)# ip rip authentication key-chain <name-of-chain>
R1#debug ip rip events
R1#clear ip route *
R1#show key chain
» Key number and key string have to match on both sides.

EIGRP Authentication
» Supports only MD5.
» Define the key chain globally.
» Key number and key string must match.
» White space can also be a character.
» Applied on the interface.
» Key number and string have to match on both sides.
(config)# key chain <name-of-chain>
(config-keychain)# key <number>
(config-keychain-key)# key-string <string>
(config-keychain-key)# exit
(config)# interface serial 1/0
(config-if)# ip authentication mode eigrp 100 md5
(config-if)# ip authentication key-chain eigrp 100 <name-of-chain>

OSPF Authentication
Three types of authentication:
» Type 0 - Null
» Type 1 - Simple password
» Type 2 - Cryptographic (MD5/SHA)

OSPF clear-text authentication:
(config)# int s1/0
(config-if)# ip ospf authentication
(config-if)# ip ospf authentication-key cisco123

OSPF MD5 authentication:
(config)# int s1/0
(config-if)# ip ospf authentication message-digest
(config-if)# ip ospf message-digest-key 1 md5 cisco123

LAB: RIPv2 AUTHENTICATION
TASK: Advertise the interfaces as per the diagram.
R1(config)#router rip
R1(config-router)# ver 2
R1(config-router)# no auto-summary
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#exit
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R1#sh ip route rip
R    20.0.0.0/8 [120/1] via 1.1.1.2, 00:00:04, Serial1/0
R2#sh ip route rip
R    10.0.0.0/8 [120/1] via 10.1.1.1, 00:00:15, Serial1/0

TASK:
* Configure R1 and R2 to exchange the routes only after successful authentication.
R1(config)#key chain CHAINR1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string SHEB123
R1(config-keychain-key)#int s1/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# ip rip authentication key-chain CHAINR1
R2(config)#key chain CHAINR2
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string EBES
R2(config-keychain-key)#int s1/0
R2(config-if)# ip rip authentication mode md5
R2(config-if)# ip rip authentication key-chain CHAINR2
R2(config-if)#end

NOTE:
* The key number and the key string should be the same on both routers, but the above configuration has a mismatch of passwords.

R1#debug ip rip events
RIP event debugging is on
R1#clear ip route *
*Mar 1 00:24:24.755: RIP: sending request on FastEthernet0/0 to 224.0.0.9
*Mar 1 00:24:24.763: rip_route_adjust for Serial1/0 coming up
*Mar 1 00:24:24.767: RIP: sending request on Serial1/0 to 224.0.0.9
*Mar 1 00:24:24.819: RIP: add FastEthernet0/0 to RIP idb list
*Mar 1 00:24:26.795: RIP: sending v2 flash update to 224.0.0.9 via Serial1/0 (10.1.1.1)
*Mar 1 00:24:26.795: RIP: Update contains 1 routes
*Mar 1 00:24:26.799: RIP: Update queued
*Mar 1 00:24:26.803: RIP: sending v2 flash update to 224.0.0.9 via FastEthernet0/0 (1.1.1.1)
*Mar 1 00:24:26.811: RIP: Update sent via Serial1/0
*Mar 1 00:24:26.815: RIP: Update sent via FastEthernet0/0
*Mar 1 00:24:38.775: RIP: ignored v2 packet from 1.1.1.2 (invalid authentication)
R1#undebug all
All possible debugging has been turned off
R1#sh key chain
Key-chain CHAINR1:
    key 1 -- text "SHEB123"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R2#sh key chain
Key-chain CHAINR2:
    key 1 -- text "EBES"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
The above output shows that there is a mismatch of the key string on the two routers.
R2(config)#key chain CHAINR2
R2(config-keychain)#key 1
R2(config-keychain-key)#no key-string EBES
R2(config-keychain-key)#key-string SHEB123
R1#sh ip route rip
R    20.0.0.0/8 [120/1] via 1.1.1.2, 00:00:04, Serial1/0
R2#sh ip route rip
R    10.0.0.0/8 [120/1] via 10.1.1.1, 00:00:18, Serial1/0

LAB: EIGRP AUTHENTICATION
TASK: Advertise the interfaces as per the diagram.
R1(config)#router eigrp 100
R1(config-router)# no auto-summary
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#exit
R2(config)#router eigrp 100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   1.1.1.2         Se1/0         12 00:00:11    95   570  0  3
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   10.1.1.1        Se1/0         11 00:00:22    80   720  0  3

TASK:
* Configure R1 and R2 to form a neighborship and exchange the routes only after successful authentication.
R1(config)#key chain CHAINR1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CBEOTZS
R1(config)#int s1/0
R1(config-if)# ip authentication mode eigrp 100 md5
R1(config-if)# ip authentication key-chain eigrp 100 CHAINR1
R2(config)#key chain CHAINR2
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string EES
R2(config-keychain-key)#int s1/0
R2(config-if)# ip authentication mode eigrp 100 md5
R2(config-if)# ip authentication key-chain eigrp 100 CHAINR2
R2(config-if)#end
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100

NOTE:
* Once we implement authentication, the neighborship between R1 and R2 goes down.
* In order to have a successful neighborship, the key number and the key string should be the same on both routers.
* But the above configuration has a mismatch of passwords.

R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Mar 1 00:44:49.747: EIGRP: Sending HELLO on Serial1/0
*Mar 1 00:44:49.751:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:44:51.415: EIGRP: Serial1/0: opcode = 5 (invalid authentication)
*Mar 1 00:44:53.215: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:44:53.219:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:44:54.351: EIGRP: Sending HELLO on Serial1/0
*Mar 1 00:44:54.351:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:44:55.919: EIGRP: Serial1/0: opcode = 5 (invalid authentication)
R1#undebug all
All possible debugging has been turned off
R1#sh key chain
Key-chain CHAINR1:
    key 1 -- text "CBEOTZS"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R2#sh key chain
Key-chain CHAINR2:
    key 1 -- text "EES"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
The above output shows that there is a mismatch of the key string on the two routers.
R2(config)#key chain CHAINR2
R2(config-keychain)#key 1
R2(config-keychain-key)#no key-string EES
R2(config-keychain-key)#key-string CBEOTZS
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
R1#sh ip route eigrp
D    20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:00:41, Serial1/0
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   10.1.1.1        Se1/0         12 00:00:06    64   384  0  8
R2#sh ip route eigrp
D    10.0.0.0/8 [90/2172416] via 10.1.1.1, 00:00:49, Serial1/0
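The simple-password versus MD5 comparison and the two labs above all turn on the same check, so this added Python model (not from the workbook, and not the RIPv2 or OSPF wire format; RFC 2082 and RFC 2328 Appendix D lay out the hashed buffer differently) shows why the "invalid authentication" debug line appears when key strings differ, why the key ID must match too, and why a clear-text key is readable in the packet. Key chain names follow the lab; the key strings, the update payload and the helper names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class KeyChain:
    """Model of 'key chain <name>' holding 'key <id>' / 'key-string <string>' entries."""
    name: str
    keys: dict = field(default_factory=dict)          # key id -> key string

    def key_string(self, key_id: int, value: str) -> "KeyChain":
        self.keys[key_id] = value
        return self

def simple_password_trailer(key: str) -> dict:
    """Type 1 (clear text): the key itself travels in the packet."""
    return {"auth_type": 1, "key": key}

def keyed_digest(key_id: int, key: str, update: bytes) -> bytes:
    """Digest over key ID, the message and the key, as the workbook describes MD5 mode.
    Only a peer holding the same key string can produce a matching value."""
    return hashlib.md5(key_id.to_bytes(4, "big") + update + key.encode()).digest()

def md5_trailer(chain: KeyChain, key_id: int, update: bytes) -> dict:
    """Type 2: key ID and digest are sent; the key string itself is not."""
    return {"auth_type": 2, "key_id": key_id,
            "digest": keyed_digest(key_id, chain.keys[key_id], update)}

def verify_update(chain: KeyChain, update: bytes, trailer: dict) -> str:
    """Receiving router's check; returns 'accepted' or the reason the update is ignored."""
    if trailer["auth_type"] == 1:
        ok = trailer["key"] in chain.keys.values()
        return "accepted" if ok else "invalid authentication"
    key = chain.keys.get(trailer["key_id"])
    if key is None:
        return "unknown key id"                       # key number must match on both sides
    expected = keyed_digest(trailer["key_id"], key, update)
    if not hmac.compare_digest(expected, trailer["digest"]):
        return "invalid authentication"               # key string mismatch, as in the labs
    return "accepted"

# Constructed key strings: the first pair mirrors the mismatched lab state.
R1 = KeyChain("CHAINR1").key_string(1, "r1-secret")
R2_WRONG = KeyChain("CHAINR2").key_string(1, "r2-secret")
R2_FIXED = KeyChain("CHAINR2").key_string(1, "r1-secret")   # after correcting key-string
UPDATE = b"RIPv2 response: 20.0.0.0/8 metric 1"             # constructed update payload
BOGUS = b"RIPv2 response: 0.0.0.0/0 metric 1"               # constructed route from a trusted peer

def lab_walkthrough() -> dict:
    """Each entry is what R1 decides about an update built by R2 in the named situation."""
    return {
        "mismatch": verify_update(R1, UPDATE, md5_trailer(R2_WRONG, 1, UPDATE)),
        "fixed": verify_update(R1, UPDATE, md5_trailer(R2_FIXED, 1, UPDATE)),
        "wrong_key_id": verify_update(
            R1, UPDATE, md5_trailer(KeyChain("X").key_string(2, "r1-secret"), 2, UPDATE)),
        "tampered": verify_update(R1, UPDATE + b" metric 16", md5_trailer(R2_FIXED, 1, UPDATE)),
        "clear_text_exposes_key": "key" in simple_password_trailer("r1-secret"),
        # authentication proves who sent the update, not that its contents are sane
        "bogus_from_trusted_peer": verify_update(R1, BOGUS, md5_trailer(R2_FIXED, 1, BOGUS)),
    }

if __name__ == "__main__":
    for case, result in lab_walkthrough().items():
        print(f"{case:<24} {result}")
```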
