ip default-network 10.0.0.0
To show only the routing table entries that are associated with EIGRP, issue this command
This command lists the interfaces participating in EIGRP and any neighbors discovered out those interfaces
This command will show the number and types of EIGRP messages across the wire
If the default K values are used, the EIGRP path calculation amounts to
the successor
If a successor path is lost and no feasible successor exists, the router sends out queries on all interfaces in an attempt to identify an alternate router. This route is in this state
active
In EIGRP, if a query goes unanswered for 3 minutes, the route goes into this state and the neighbor relation is reset
stuck in active
These are used as plug-ins for IP, IPX, and AppleTalk for use with EIGRP
The neighbor table, the topology table, and the common routing table
topology table
In EIGRP, this table is built from EIGRP hellos and used for reliable delivery
Neighbor Table
This EIGRP packet type identifies neighbors and serves as a keepalive
hello packet
Update Packets
Reply packets
These are the five steps to EIGRP Neighbor Discovery and route exchange
1. Router A sends a hello; 2. Router B sends back a hello and a routing update; 3. Router A acknowledges the update; 4. Router A sends its update; 5. Router B acknowledges the update
debug ip eigrp
This EIGRP K value represents the choke point along the path to the network
bandwidth
This EIGRP route value represents the metric from the neighbor to the network
Administrative distance
This EIGRP route value is the metric from THIS router, through the network, to the destination
Feasible distance
bandwidth
IP protocol 50
loading
K4 and K5
UDP 4500
K3
On a router, you can see the EIGRP routes that are not feasible successors using this command
WEBVPN
To change the SSL listening port for clientless SSL VPN, use this command in config-webvpn mode
hostname(config-webvpn)# port
IP protocol 51
To change the listening port for ASDM, use this value with the http server enable command to move it to another port, 444 for example
To configure the security appliance to use an external proxy server to handle HTTP and HTTPS requests, use these commands
http-proxy and https-proxy
32768
This example shows how to configure use of an HTTP proxy server with an IP address of 209.165.201.1 using the default port, and send a username and password with each HTTP request
The basic concept of this type of routing protocol is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes
link state
Successor routes
When a clientless SSL VPN user clicks on a link on the web portal home page, a new window opens that prompts the user to log in. What setting will prevent this from happening
You can configure the security appliance to warn end users when their passwords are about to expire with this command
Port 636
This example shows how to set the days before password expiration to begin warning the user of the pending expiration to 90 for the connection profile named testgroup
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# password-management password-expire-in-days 90
In EIGRP, this is the best metric along a path to a destination network, including the metric to the neighbor advertising that path
feasible distance
This command configures the security appliance to automatically pass clientless SSL VPN user login credentials on to the internal servers
auto-signon command, to configure auto-signon for all users of clientless SSL VPN to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using NTLM authentication
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
This command sets the switch to become root for a given VLAN. It works by lowering the priority of the switch until it becomes root. Once the switch is root, it will not prevent any other switch from becoming root
Switch(config)# spanning-tree vlan <vlan range> root primary
Example of configuring auto-signon for all users of clientless SSL VPN, using basic HTTP authentication, to servers defined by the URI mask https://*.example.com/*
hostname(config)# webvpn
hostname(config-webvpn)#
This connection profile attribute for clientless SSL VPN identifies one or more URLs
Group-url
In EIGRP, this is the total metric along a path to a destination network as advertised by an upstream neighbor
reported distance
If you configure this connection profile attribute for clientless SSL VPN, users coming in on a specified URL need not select a group at login
Group-url
802.1d
This connection profile attribute identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values
Dns-group
This clientless SSL VPN attribute specifies the message delivered to a remote user who logs into the clientless VPN successfully but has no VPN privileges
Deny-message
This clientless SSL VPN attribute enables CIFS browsing for file servers and shares
File-browsing
This connection profile attribute for clientless SSL VPN allows users to enter file server names to access
File-entry
This connection profile attribute for clientless SSL VPN sets the name of the webtype access list
filter
This connection profile attribute for clientless SSL VPN controls the visibility of hidden shares for CIFS files
Hidden-shares
If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. Lower is better; this is configured with this command
This connection profile attribute for clientless SSL VPN sets the URL of the web page that displays as the login home page
This connection profile attribute for clientless SSL VPN applies a list of servers and URLs that the clientless SSL VPN page displays for end user access
Url-list
The security appliance stores browser plug-ins in this directory on the flash device
Csco-config/97/plugin
This value is sent with each EIGRP update but is NOT used to calculate the metric
MTU
Enter this command to list the Java-based client applications available to users of clientless SSL VPN
This command, used in group-policy webvpn or username webvpn mode, starts smart tunnel access automatically upon user login
This command enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually
To view the smart tunnel list entries in the SSL VPN configuration, enter this command
The default value for the number of outstanding non-authenticated sessions for e-mail proxy users over clientless SSL VPN
20 non-authenticated sessions
802.1w
When applying a standard access list, apply the filter closest to this device
destination router
When applying an extended ACL, apply the filter closest to this device
source device
Use this command to apply an access list to an interface in the inbound direction
This keyword in a TCP extended ACL validates that a packet belongs to an existing connection from an ongoing TCP session
Established
RFC 1918
This keyword in a TCP extended ACL validates that a TCP datagram has the acknowledgement or reset bit set
Established
Use this command to apply an access list to an interface in the outbound direction
When used with the debug ip packet command, this keyword restricts output to traffic between devices that are outlined in an ACL
Type 7 Passwords
This command, in global configuration mode, is used to encrypt passwords in the configuration
service password-encryption
Type 5
Passwords entered before using the SERVICE PASSWORD-ENCRYPTION command will be (encrypted or unencrypted) in the configuration file
unencrypted
This IOS command is used to set the minimum character length for all passwords
min-length
NO CDP RUN
This feature prevents the completion of the break sequence and the entering of rommon mode for password recovery
NO SERVICE PASSWORD-RECOVERY
port 123
This feature prevents changes to the configuration register values and access to NVRAM
NO SERVICE PASSWORD-RECOVERY
NO CDP ENABLE
CDP run
67
Displays the status of configuration resilience and the primary bootset filename
This command can be used to show all configuration changes that have been added by the AutoSecure process
To take a snapshot of the router running configuration and securely archive it in persistent storage, use this command
Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled
storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}
In routed mode, the ASA can be configured for how many active vlans with a base license
This command will disable any switch port that a superior BPDU is received on. This is done to ensure a switch will remain root at all times
DEBUG IP SSH
The default is to filter out the traffic and to not send traps.
When a secure port is in the error-disabled state, you can bring it out of this state by entering this global configuration command
errdisable recovery cause psecure-violation, or you can manually re-enable it by entering shutdown followed by no shutdown on the interface
SHOW SSH
Verify the storm control suppression levels set on the interface for the specified traffic type
When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred
PROTECT mode
Take this step first when performing loopback tests on a frame relay connection
When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments
If you set the storm control threshold to this value, no limit is placed on the traffic
threshold of 100 percent
When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments
Displays the maximum allowed number of secure MAC addresses for each VLAN and the number of secure MAC addresses on the VLAN
show port-security [interface interface-id] vlan
Setting the storm-control threshold to this level will block all broadcast, multicast, and unicast traffic on that port
threshold of 0
Delete the RSA key pair. After the RSA key pair is deleted, the SSH server is automatically disabled
In transparent firewall mode, how many active vlans can be configured with the base license
These are manually configured by using this interface configuration command, stored in the address table, and added to the switch running configuration
This is the file name on the internal flash that houses the admin context
admin.cfg
switchport port-security mac-address sticky
Displays all secure MAC addresses configured on all switch interfaces or on a specified interface, with aging information for each address
show port-security [interface interface-id] address
These protocols require Layer 7 inspection because they utilize multiple channels: one well-known port for data and one dynamic port for control
To restore the firewall or ASA to the default configuration, enter this command
The IP address in the following command is used for ____: hostname(config)# configure factory-default {ip address mask}
To set the IP address for the inside or management interface as well as the DHCP scope
This command tells the ASA to boot from a specific image, including an image on a flash device
boot system
Enter this command to change the ASA from transparent to routed mode
To save all context configurations at the same time, enter this command in the system execution space
Use this command to load the startup configuration and discard the running configuration without requiring a reboot
To set the mode to single mode, enter this command in the system execution space
On the ASA 5505, trunk mode is available only with this license
Security Plus
CDP enable
In this mode, the ASA uses the same MAC address for all VLANs
routed mode
To make a port on the ASA 5505 a trunk port, issue this command
In routed mode, the ASA 5505 can be configured for how many active VLANs with a Security Plus license
Enter this command to change the ASA from routed (default) to transparent mode
This command shows the installed licenses, including information about temp licenses
This command allows return connections from a lower security host to a higher security host if there is already a connection from the higher level host to the lower level host
established
This command prevents a RIP-enabled router from sending broadcast and multicast RIP updates out of a specific interface, a set of interfaces, or all router interfaces
This RIP timer determines the amount of time that the router should wait before accepting new routing information about an unreachable route
To prevent a switchport on the ASA from communicating with other protected switchports on the same VLAN, enter this command
To enable interfaces on the same security level so that they can communicate with each other, enter this command
To change the default values for the RIP update, invalid, holddown, and flush timers, use this command
timers basic, for example: timers basic <update> <invalid> <holddown> <flush>
To make a trunk port an access port on an ASA 5505, enter this command
802.1q
On the ASA, all auto-generated MAC addresses start with these characters
A2 T
This TCP option must be explicitly allowed when using BGP authentication through a firewall
TCP 19
Distance vector protocols will update their routing table based on what
The default values for the update, invalid, holddown, and flush parameters are
This frame relay encapsulation type is used to connect a Cisco router to a non cisco device
minimum guaranteed data transfer rate agreed to by the Frame Relay switch
Enter this command to allow an interface on the ASA to get its IP address from a DHCP server
logging timestamp
To allow a specific IP or network access to the HTTP server, use this command
http <ip address and mask> <interface>, where the IP address is the IP and subnet mask of the allowed host and the interface is the interface by which the allowed host can be reached
The PVC is not present and no LMI information is being received from the Frame Relay switch
What are the three LMI types that are supported on a Cisco router
RIP: ignored v2 packet from 172.12.23.2 (illegal version) in the debug ip rip command indicates
that the routers are not running the same versions of RIP
Define how many hits there have to be on your access list before a router will display a log message
The PVC is configured correctly on the local switch, but there is a problem on the remote end of the PVC
IP address
All traffic that exceeds the CIR on a Frame Relay interface is marked as
discard eligible
Cisco encapsulation
Before enabling SSH you need to generate keys. This is done with this command
crypto key generate rsa modulus <modulus size>, for example: ASA1(config)# crypto key generate rsa modulus 1024
The RIP version is usually changed globally, but it can be changed at the interface level with these two interface-level commands
ASA1(config-if)# management-only
100
Logging to a syslog server is configured with this command, where the interface is the interface used to reach the host
The date and time are set manually with this command
On the ASA, verify that interfaces are up and have the correct IP with this command
In this VTP mode, a switch will forward received VTP updates to other switches but will not participate in the VTP database
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
EIGRP on the ASA is configured much the same as on a router. Use this command
Using the interface name outside will automatically set the security-level to
client mode
Set up a default route so that traffic not matching any other routes will be sent to the next hop of 24.234.0.1
Trunk ports
What does the keyword broadcast in the following command do: frame-relay map ip 10.121.16.8 102 broadcast
The broadcast option allows packets, such as RIP updates, to be forwarded across the PVC
Use this keyword to make sure that the networks are not summarized when redistributing EIGRP into OSPF
Allowing specific hosts or networks to connect via SSH works much the same as with HTTP. Use this command
Configure logging so that informational level and above messages are sent to the local buffer
When issuing the show ip route command, the second number in the brackets represents the
the second number is the metric for the route
The networks that will be participating in the routing protocol are added with this command
network command. Notice that we use a regular subnet mask to identify the network instead of the wildcard mask that would be used on a router
On the ASA, we can verify the OSPF neighbor relationship by using this command
30 seconds
route command. The order of the command is: route -> interface the traffic will be routed to -> IP and subnet of the traffic to be routed -> next hop address
Allow 192.168.2.11 to send traffic to the outside without changing its IP address even with NAT control enabled
ASA1(config)# nat (inside) 0 192.168.2.11 255.255.255.255
A D in the show route output indicates the route came from
EIGRP
We use this keyword in the static command to set TCP-specific parameters, and 100 for the total TCP connections allowed. The second number is the total number of embryonic TCP connections allowed per host
Configure NAT so that hosts on the outside who telnet to 24.234.0.4 on port 2323 are able to reach 192.168.2.4 on port 23
The static command follows the same basic format, but we use tcp before the IP is entered and the TCP ports after the IP addresses, for example: ASA1(config)# static (inside,outside) tcp 24.234.0.4 2323 192.168.2.4 23
Verify that the ASA has become an EIGRP neighbor by using this command
policy NAT: an ACL is used to identify the specific traffic, then that ACL is tied to a NAT ID
nat-control
Technique by which dynamic mappings are constructed in a network, allowing a device such as a router to locate the logical network address and associate it with a permanent virtual circuit
Inverse Arp
In order for routing updates to be propagated across a Frame Relay PVC, use this keyword in the frame-relay map command
broadcast
The default administrative distance for External Border Gateway Protocol (BGP) is
20
Configuring EIGRP to propagate the default route is done with route redistribution. First we will redistribute the default route into EIGRP 1 using these commands
a policy NAT
Configure dynamic address translation so that any outbound traffic from the 192.168.0.0/16 network is translated to the outside interface's IP address
ASA1(config)# nat (inside) 1 192.168.0.0 255.255.0.0
ASA1(config)# global (outside) 1 interface
nonbroadcast multiaccess
timerange command
Nat-control requires a translation, but we can get around this requirement by using this feature
identity NAT, also known as NAT 0. Notice that the NAT ID is set to 0, for example: ASA1(config)# nat (inside) 0 192.168.2.11 255.255.255.255
What does the keyword dynamic status mean in the show frame-relay map command
a static translation
How should a router that is being used in a Frame Relay network be configured to avoid split horizon issues from preventing routing updates
Configure a separate sub-interface for each PVC with a unique DLCI and subnet assigned to the subinterface
What triggers a routing update within the distance vector routing protocol
120
90
Use this command to verify that the VLANs exist in the VLAN database
show vlan
This command is used to specify the default gateway when routing is not enabled
ip default-gateway
110
170
When issuing the show ip route command, the first number in the brackets represents the
This value in the show ip route field description indicates a route that is owned by RIP
This value in the show ip route field description indicates a route that is owned by OSPF
O
This value in the show ip route field description indicates that a route is owned by EIGRP
An E1 in the show ip route command output indicates an OSPF external type 1 route
Area 0
All routers in the same OSPF area must have this identical value if they are to exchange routing information
same process ID
When a route fails and has no feasible successor, EIGRP uses this algorithm to discover a replacement for a failed route
a distributed algorithm called the Diffusing Update Algorithm (DUAL)
The cost from the EIGRP neighbor to the destination
Advertised distance
In EIGRP, the sum of the AD plus the cost between the local router and the next-hop router is called
Feasible distance
In EIGRP, the primary route used to reach a destination; this route is kept in the routing table
successor
Feasible successor
Delivery and reception of EIGRP packets is done with this protocol
This type of EIGRP packet is sent in response to query packets to instruct the originator not to recompute the route because feasible successors exist
REPLY
This type of EIGRP packet is used to find alternate paths when all paths to a destination have failed
Query
This type of EIGRP packet is used to advertise routes; only sent as multicasts when something has changed
Update
This table lists directly connected routers running EIGRP with which this router has an adjacency
Neighbor table
This table lists all routes learned from each EIGRP neighbor
Topology table
This table lists all best routes from the EIGRP topology table and other routing processes
routing table
This EIGRP table value represents the average time in milliseconds between the transmission of a packet to a neighbor and the receipt of an acknowledgement
When a DHCP client boots up for the first time, it broadcasts this layer 3 message
If you want to use the DHCP server from another network, you can use this command, which will make the router forward UDP broadcasts
ip helper-address command
This STP status indicates that STP is populating the MAC address table but not forwarding data frames
Learning
This STP status indicates that STP is sending and receiving data frames
Forwarding
This status indicates that STP is preparing to forward data frames without populating the MAC address table
Listening
This indicates that a STP port is preventing the use of looped paths
Blocking
The first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination
Administrative distance
This trunking protocol is an open standard and is thus compatible between most vendors' equipment
802.1q
This error will be reported by CDP if there is a native VLAN mismatch on an 802.1Q link
On a Cisco switch, VLANs within this range are automatically created and cannot be deleted
VLANs 1002 through 1005 are automatically created and cannot be deleted
straight through
This Switch feature automatically disables an operational PortFast port upon receipt of a BPDU
BPDU Guard
This type of cable is used to connect the COM port of a PC to the COM port of a router or switch
Rolled Cable
This VTP mode is capable of creating only local VLANs and does not synchronize with other switches in the VTP domain
transparent
Switches set to this VTP mode behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client
Client mode
In this VTP mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain
VTP server
A switch set to this VTP mode does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but it does forward VTP advertisements that it receives out its trunk ports in VTP version 2
VTP transparent
A port in this RSTP state does not forward frames, process received frames, or learn MAC addresses but it does listen for BPDUs (like the STP blocking state)
Discarding
A port in this RSTP state receives and transmits BPDUs and learns MAC addresses but does not yet forward frames (same as STP)
Learning
A port in this RSTP state receives and sends data, normal operation, learns MAC address, receives and transmits BPDUs (same as STP)
Forwarding
192.168.1.245
RSTP uses these three parameters in the BPDU frame to determine the designated and backup port
Lowest path cost to the Root and Lowest Sender Bridge ID (BID) and Lowest Port ID
An RSTP port in this role is a forwarding port for every LAN segment
designated
An RSTP forwarding port that is the closest to the root bridge in terms of path cost
Root Port
These two states are the port states when RSTP has converged
data link
Spanning Tree
100
19
All interfaces on the root bridge are put in this STP state
forwarding state
For other bridges that are not the root bridge, the port that is closest to the root bridge is put in this STP state
forwarding state
The bridge with the lowest administrative distance to the root bridge is called
This IEEE standard is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network
IEEE 802.1Q
16
multiple
loopback address
a platform independent tunneling protocol designed to provide IPv6 (Internet Protocol version 6) connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets
Teredo tunneling
3544
an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network
This mechanism tunnels IPv6 datagrams within IPv4 UDP datagrams, allowing private IPv4 address and IPv4 NAT traversal to be used
Teredo tunneling
2000::/3
FE80::/10
FEC0::/10
FF00::/8
::1
The 802.11b standard defines this spread spectrum technology for its operation
DSSS
EIGRP
The key values of WPA keys can change dynamically while the system is used
This infrastructure mode service set uses more than one AP to create a WLAN, and allows roaming in a larger area than a single AP
11 Mbps
What two features did WPAv1 add to address the inherent weaknesses found in WEP
54 Mbps
An EIGRP path whose reported distance is less than the feasible distance (current best path)
feasible successor
Displays a list of the currently configured object groups. If you enter the command without any parameters, the system displays all configured object groups
On a Cisco firewall, displays the current object groups by their group type
This F5 component provides wide-area traffic management and high availability of IP applications and services running across multiple data centers
config
Enter this command to access the secondary operating system (AON/SCCP) menu on an F5 appliance
Esc (