network training ppt1
TRANSCRIPT
-
7/28/2019 Network Training Ppt1
1/277
2002, Cisco Systems, Inc. All rights reserved. 1
Wide-Area Networking Review
WAN Overview
WANs connect remote sites.
Connection requirements vary depending on user requirements, cost, and availability.
WAN Connection Types: Layer 1
Interfacing Between WAN Service Providers
Provider assigns connection parameters to subscriber.
Serial Point-to-Point Connections
Typical WAN Encapsulation Protocols: Layer 2
Summary
A WAN makes data connections across a broad geographic area so that information can be exchanged between distant sites.
Some of the WAN connection types available are leased line, circuit-switched, and packet-switched.
Cisco routers support the EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA/TIA-530 standards for serial connections.
To encapsulate data for crossing a WAN link, you can choose from a variety of Layer 2 protocols, including HDLC, PPP, SLIP, X.25/LAPB, Frame Relay, and ATM.
Configuring Serial Point-to-Point Encapsulation
Objectives
Upon completing this lesson, you will be able to:
Use Cisco IOS commands to configure serial interfaces using HDLC and PPP encapsulation for leased-line connections, given a functioning router
Use show commands to identify anomalies in HDLC and PPP encapsulation for leased-line connections, given an operational router
Use debug commands to identify events and anomalies in PPP configuration for leased-line connections, given an operational router
HDLC Frame Format
Standard HDLC supports only single-protocol environments.
Cisco HDLC uses a proprietary data field to support multiprotocol environments.
Configuring HDLC Encapsulation
Router(config-if)#encapsulation hdlc
Enables HDLC encapsulation
HDLC is the default encapsulation on synchronous serial interfaces
An Overview of PPP
PPP can carry packets from several protocol suites using NCP.
PPP controls the setup of several link options using LCP.
Layering PPP Elements
PPP: A data link with network layer services
PPP LCP Configuration Options
PPP Session Establishment
Two PPP authentication protocols: PAP and CHAP
PPP Authentication Protocols
PAP: passwords are sent in clear text
PAP: the peer is in control of the attempts
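As an added example that is not part of the original slides, the Python below models what each protocol puts on the wire: a PAP Authenticate-Request (RFC 1334) carries the password itself, while a CHAP response (RFC 1994) is an MD5 hash of the identifier, the shared secret and a fresh challenge, so the secret never crosses the link and a captured response is useless against a new challenge. The peer name, secret and challenge values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; on real routers the secret comes from the
# "username name password password" entry configured on each side.
SECRET = b"cisco123"
CHALLENGE_A = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Data field of a PAP Authenticate-Request (RFC 1334).

    Peer-ID and Password are length-prefixed byte strings, so the password
    is readable by anyone who can capture the frame.
    """
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value for the MD5 algorithm (RFC 1994).

    MD5 over the one-octet Identifier, the shared secret and the challenge.
    The secret itself never leaves the router.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash and compare in constant time."""
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def compare_protocols() -> dict:
    """Run one PAP request and one CHAP exchange and report what is exposed.

    Also shows why CHAP resists replay: a response captured for one
    challenge is rejected when the authenticator issues a different one.
    """
    pap_data = pap_authenticate_request(b"RouterB", SECRET)

    identifier = 1
    response = chap_response_value(identifier, SECRET, CHALLENGE_A)
    return {
        "pap_password_visible": SECRET in pap_data,
        "chap_secret_visible": SECRET in response,
        "chap_authenticated": chap_verify(identifier, SECRET, CHALLENGE_A, response),
        "chap_wrong_secret": chap_verify(identifier, b"wrong", CHALLENGE_A, response),
        "chap_replay_accepted": chap_verify(identifier, SECRET, CHALLENGE_B, response),
    }


if __name__ == "__main__":
    for name, value in compare_protocols().items():
        print(f"{name}: {value}")
```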
Configuring PPP and Authentication Overview
Configuring PPP
Router(config-if)#encapsulation ppp
Enables PPP encapsulation
Configuring PPP Authentication
Router(config)#hostname name
Assigns a host name to your router
Router(config)#username name password password
Identifies the username and password of the remote router
Configuring PPP Authentication (Cont.)
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}
Enables PAP and/or CHAP authentication
CHAP Configuration Example
Verifying the HDLC and PPP Encapsulation Configuration
Router#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Verifying PPP Authentication
debug ppp authentication shows successful CHAP output.
Summary
HDLC is the Cisco default data-link layer protocol for encapsulating data on synchronous serial data links.
PPP encapsulates network layer protocol information over point-to-point links.
Configurable aspects of PPP include methods of authentication, compression, and error detection, as well as whether or not multilink is supported.
PPP session establishment progresses through three phases: link establishment, authentication, and network layer protocol.
Summary (Cont.)
When configuring PPP authentication, you can select PAP or CHAP. In general, CHAP is the preferred protocol.
You enable PPP with the encapsulation ppp command and PPP authentication with the ppp authentication command.
Use the show interface command to verify proper configuration of PPP encapsulation.
The debug ppp authentication command displays the authentication exchange sequence.
Establishing Frame Relay Connections
Frame Relay Overview
Objectives
Upon completing this lesson, you will be able to:
Describe the features and operation of a Frame Relay network
Define important Frame Relay terms including local access rate, virtual circuit, PVC, SVC, DLCI, CIR, InARP, LMI, FECN, and BECN
Frame Relay Overview
Connections made by virtual circuits
Connection-oriented service
Frame Relay Stack
OSI Reference Model    Frame Relay
Application
Presentation
Session
Transport
Network                IP/IPX/AppleTalk, etc.
Data-Link              Frame Relay
Physical               EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
Frame Relay Terminology
Selecting a Frame Relay Topology
Frame Relay default: nonbroadcast, multiaccess (NBMA)
Reachability Issues with Routing Updates
Problem: Broadcast traffic must be replicated for each active connection.
Split-horizon rule prevents routing updates received on one interface from being forwarded out the same interface.
Resolving Reachability Issues
Split horizon can cause problems in NBMA environments.
Subinterfaces can resolve split horizon issues.
Solution: A single physical interface simulates multiple logical interfaces.
Frame Relay Address Mapping
Use LMI to get the locally significant DLCI from the Frame Relay switch.
Use Inverse ARP to map the local DLCI to the remote router's network layer address.
Frame Relay Signaling
Cisco supports three LMI standards:
Cisco
ANSI T1.617 Annex D
ITU-T Q.933 Annex A
Frame Relay Inverse ARP and LMI Signaling
Stages of Inverse ARP and LMI Operation
How Service Providers Map Frame Relay DLCIs: Service Provider View
How Service Providers Map Frame Relay DLCIs: Enterprise View
Service Provider Frame Relay-to-ATM Interworking
FRF.8 Service Interworking
Summary
Frame Relay is an ITU-T and ANSI standard that defines the process for sending data over a public data network.
The core aspects of Frame Relay function at the lower two layers of the OSI reference model.
Knowing the terms that are used frequently when discussing Frame Relay is important to understanding the operation and configuration of Frame Relay services.
Frame Relay allows you to interconnect your remote sites in a variety of topologies including star, full mesh, and partial mesh.
A Frame Relay NBMA topology may cause routing update reachability issues, which are solved by using subinterfaces.
Summary (Cont.)
A Frame Relay connection requires that, on a VC, the local DLCI be mapped to a destination network layer address such as an IP address.
LMI is a signaling standard between the router and the Frame Relay switch that is responsible for managing the connection and maintaining status between the devices.
Service providers map Frame Relay DLCIs so that DLCIs with local significance appear at each end of a Frame Relay connection.
FRF.5 provides network interworking functionality that allows Frame Relay end users to communicate over an intermediate ATM network that supports FRF.5.
FRF.8 provides service interworking functionality that allows a Frame Relay end user to communicate with an ATM
Configuring Frame Relay
Objectives
Upon completing this lesson, you will be able to:
Use Cisco IOS commands to configure a Frame Relay network, given a functioning router
Use show commands to identify anomalies in the Frame Relay PVCs, given a functioning router and an operational Frame Relay network
Use debug commands to identify events and anomalies in the Frame Relay PVCs, given a functioning router and an operational Frame Relay network
Configuring Basic Frame Relay
Configuring a Static Frame Relay Map
Configuring Subinterfaces
Point-to-point subinterfaces act like leased lines.
Each point-to-point subinterface requires its own subnet.
Point-to-point is applicable to hub and spoke topologies.
Multipoint subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
Multipoint can save address space because it uses a single subnet.
Multipoint is applicable to partial mesh and full mesh topologies.
Configuring Point-to-Point Subinterfaces
Multipoint Subinterfaces Configuration Example
Verifying Frame Relay Operation
Router#clear frame-relay inarp
Clears dynamically created Frame Relay maps (those created by using Inverse ARP)
Router#show interfaces type number
Displays information about Frame Relay DLCIs and the LMI
Router#show frame-relay lmi [type number]
Displays LMI statistics
Router#show frame-relay map
Displays the current Frame Relay map entries
Router#show frame-relay pvc [type number[dlci]]
Displays PVC statistics
Router#show frame-relay traffic
Displays Frame Relay traffic statistics
show interfaces Example
Displays line, protocol, DLCI, and LMI information
Router#show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
show frame-relay lmi Example
Displays LMI information
Router#show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
show frame-relay pvc Example
Displays PVC traffic statistics
Router#show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28 output pkts 10 in bytes 8398
out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47
show frame-relay map Example
Displays the Frame Relay map entries, either static or dynamic
Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,broadcast,, status defined, active
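The two hex values in that map entry, 0x64 and 0x1840, are the same DLCI: 0x64 is 100 in decimal, and 0x1840 is where those ten bits land in the two-octet Q.922 address field once they are split into a six-bit and a four-bit group around the C/R, FECN, BECN, DE and EA bits. The Python below is an added example, not code from the slides: it encodes and decodes that address field, renders the Cisco map notation, and decodes the 0xFCF10309 header that appears in the debug frame-relay lmi output later in this lesson (address 0xFCF1 is LMI DLCI 1023, 0x03 is the unnumbered-information control octet, and NLPID 0x09 is Q.933); the bit positions come from Q.922, not from any Cisco tool.

```python
"""Q.922 address field: the two octets that carry the DLCI on a Frame Relay link.

Added example, not from the slides. Bit layout per ITU-T Q.922 (2-octet form):
  octet 1: DLCI bits 9-4 | C/R | EA=0
  octet 2: DLCI bits 3-0 | FECN | BECN | DE | EA=1
"""


def encode_fr_address(dlci: int, cr: bool = False, fecn: bool = False,
                      becn: bool = False, de: bool = False) -> int:
    """Return the 16-bit address field for a 10-bit DLCI plus flag bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("the 2-octet address field carries a 10-bit DLCI")
    octet1 = (((dlci >> 4) & 0x3F) << 2) | (int(cr) << 1) | 0        # EA=0: more follows
    octet2 = (((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2)
              | (int(de) << 1) | 1)                                   # EA=1: last octet
    return (octet1 << 8) | octet2


def decode_fr_address(field: int) -> dict:
    """Split a 16-bit address field into DLCI and flag bits; reject bad EA bits."""
    octet1, octet2 = (field >> 8) & 0xFF, field & 0xFF
    if (octet1 & 1) or not (octet2 & 1):
        raise ValueError("EA bits do not describe a 2-octet address field")
    return {
        "dlci": (((octet1 >> 2) & 0x3F) << 4) | ((octet2 >> 4) & 0x0F),
        "cr": bool(octet1 & 0x02),
        "fecn": bool(octet2 & 0x08),
        "becn": bool(octet2 & 0x04),
        "de": bool(octet2 & 0x02),
    }


def cisco_map_notation(dlci: int) -> str:
    """Render a DLCI the way 'show frame-relay map' prints it: 100(0x64,0x1840).

    The second value is the DLCI bits in address-field position with every
    flag bit and both EA bits cleared.
    """
    wire = encode_fr_address(dlci) & 0xFCF0      # keep only the DLCI bit positions
    return f"{dlci}(0x{dlci:X},0x{wire:04X})"


def parse_fr_encap(word: int) -> dict:
    """Decode a 'FR encap = 0x...' value from debug frame-relay lmi.

    The 32-bit word is the address field (2 octets), then the Q.922 control
    octet, then the NLPID. Control 0x03 is an unnumbered-information frame and
    NLPID 0x09 is Q.933 signaling, which LMI uses on DLCI 1023.
    """
    info = decode_fr_address((word >> 16) & 0xFFFF)
    info["control"] = (word >> 8) & 0xFF
    info["nlpid"] = word & 0xFF
    return info


if __name__ == "__main__":
    print(cisco_map_notation(100))            # 100(0x64,0x1840)
    print(parse_fr_encap(0xFCF10309))         # dlci 1023, control 0x03, nlpid 0x09
```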
clear frame-relay inarp Example
Clears dynamically created Frame Relay maps
Router#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast,, status defined, active
Router#clear frame-relay inarp
Router#show frame map
Router#
Troubleshooting Basic Frame Relay Operations
Displays LMI debug information
Router#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
Summary
A basic Frame Relay configuration assumes one or more physical interfaces, and LMI and Inverse ARP are running on the remote routers. In this type of environment, the LMI notifies the router about the available DLCIs.
When the remote router does not support Inverse ARP, or when you want to control routed broadcast traffic, you must define the address-to-DLCI table statically.
You can configure Frame Relay subinterfaces in either point-to-point or multipoint mode.
After you configure Frame Relay, you can verify that the connections are active using the available show commands.
Use the debug frame-relay lmi command to verify and troubleshoot a Frame Relay connection.
Configuring ISDN BRI and PRI
Objectives
Upon completing this lesson, you will be able to:
Configure ISDN BRI and ISDN PRI, given a functioning router and a physical ISDN connection
Use show commands to identify the anomalies in the ISDN BRI and PRI configurations, given a functioning router and a physical ISDN connection
Use debug commands to identify the anomalies in the ISDN BRI and PRI configurations, given a functioning remote access router and a physical ISDN connection
What Is ISDN?
Voice, data, video, and special services
ISDN Standards
Standards from the ITU-T (formerly CCITT)
ISDN Access Options
BRI and PRI are used globally for ISDN.
BRI and PRI Call Processing
ISDN Functions and Reference Points
Functions are devices or hardware.
Reference points are demarcations or interfaces.
Cisco ISDN BRI Interfaces
Cisco ISDN PRI Interfaces
ISDN Switch Types
Many providers use many different switch types.
Services vary by region and country.
Configuring ISDN BRI
Step 1: Specify the ISDN switch type.
Router(config)#isdn switch-type switch-type
Router(config-if)#isdn switch-type switch-type
The command specifies the type of ISDN switch with which the router communicates.
Other configuration requirements vary for specific providers.
Configuring ISDN BRI (Cont.)
Step 2: (Optional) Set SPIDs.
Router(config-if)#isdn spid1 spid-number [ldn]
Sets a B channel SPID required by many service providers
Router(config-if)#isdn spid2 spid-number [ldn]
Sets a SPID for the second B channel
Configuring ISDN PRI
Step 1: Specify the ISDN switch type.
Router(config)#isdn switch-type switch-type
Step 2: Select the controller.
Router(config)#controller controller slot/port
Step 3: Establish the interface port to function as PRI.
Router(config-controller)#pri-group timeslots range
ISDN PRI Examples
T1 Sample Configuration
Router(config)#controller T1 3/0
Router(config-controller)#framing esf
Router(config-controller)#linecode b8zs
Router(config-controller)#pri-group timeslots 1-24
Router(config-controller)#interface Serial3/0:23
Router(config-if)#isdn switch-type primary-5ess
Router(config-if)#no cdp enable
E1 Sample Configuration
Router(config)#controller E1 3/0
Router(config-controller)#framing crc4
Router(config-controller)#linecode hdb3
Router(config-controller)#pri-group timeslots 1-31
Router(config-controller)#interface Serial3/0:15
Router(config-if)#isdn switch-type primary-net5
Router(config-if)#no cdp enable
Verifying the ISDN Configuration
Router#show isdn active
Displays current call information
Router#show isdn status
Displays the status of an ISDN connection
Router#show interfaces bri0
Displays statistics for the BRI interface configured on the router
Troubleshooting the ISDN Configuration
Router#debug ppp authentication
Displays the PPP authentication protocol messages
Router#debug ppp negotiation
Displays information on PPP link establishment
Router#debug isdn q921
Shows ISDN Layer 2 messages
Router#debug isdn q931
Shows ISDN call setup and teardown activity (Layer 3)
Router#debug ppp error
Displays protocol errors associated with PPP
Summary
ISDN defines a digital architecture that provides integrated voice and data capability using the public switched network.
ISDN specifies two standard access methods, BRI and PRI.
To establish an ISDN call, the D channel is used between the routers and switches, and SS7 signaling is used between the switches.
ISDN functions are hardware devices while reference points are interfaces between devices.
Cisco devices can be physically configured with different ISDN options, which dictate what additional equipment, if any, is needed to run ISDN.
Summary (Cont.)
You must configure your router to identify the type of switch it will be communicating with, which depends in part on the country the switch is in.
To enable ISDN BRI, you use the isdn switch-type and isdn spid commands.
To enable ISDN PRI, use the pri-group command.
Use show commands to verify that your ISDN configuration is functioning properly.
You can use debug commands to troubleshoot your ISDN configuration.
What is NAT?
Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.
Benefits of NAT
You need to connect to the Internet and your hosts don't have globally unique IP addresses.
You change to a new ISP that requires you to renumber your network.
You need to merge two intranets with duplicate addresses.
Where NAT is typically configured
Basic NAT
Three types of NAT
Static
Dynamic
Overloading
Static NAT
Let's take a look at a simple basic static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
Dynamic NAT
Here is a sample output of a dynamic NAT configuration:
ip nat pool todd 170.168.2.2 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
Port Address Translation
PAT
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
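The three configurations above differ only in how the router builds its translation table. The Python below is an added example, not code from the slides or from Cisco: a small model of that table, fed with the addresses from the static, dynamic and PAT configurations, showing one global address per host (and a drop once the pool is empty) for dynamic NAT, per-port entries on the single address for PAT, and why an unsolicited inbound packet has no entry to match. The port numbers and the hosts used are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, transport port)


class NatRouter:
    """Inside-to-outside translation for one 'ip nat inside source' rule."""

    def __init__(self, inside_acl: str, pool: Optional[Tuple[str, str]] = None,
                 overload: bool = False):
        self.inside_acl = ipaddress.ip_network(inside_acl)     # access-list 1 permit ...
        self.free = []                                         # unused 'ip nat pool' addresses
        if pool:
            first, last = (int(ipaddress.ip_address(a)) for a in pool)
            self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.static: Dict[str, str] = {}           # inside local -> inside global (static)
        self.dynamic: Dict[str, str] = {}          # inside local -> inside global (from pool)
        self.table: Dict[Endpoint, Endpoint] = {}  # PAT: (local ip, port) -> (global ip, port)
        self.next_port = 1024

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """ip nat inside source static <local> <global>"""
        self.static[local_ip] = global_ip

    def translate(self, src: Endpoint) -> Optional[Endpoint]:
        """Return the (global ip, port) used on the outside, src itself when the
        ACL does not match (forwarded untranslated), or None when dropped."""
        ip, port = src
        if ip in self.static:
            return (self.static[ip], port)
        if ipaddress.ip_address(ip) not in self.inside_acl:
            return src
        if self.overload:                          # PAT: one address, many ports
            if src not in self.table:
                self.table[src] = (self.free[0], self._alloc_port(port))
            return self.table[src]
        if ip not in self.dynamic:                 # dynamic NAT: one address per host
            if not self.free:
                return None                        # pool exhausted: packet dropped
            self.dynamic[ip] = self.free.pop(0)
        return (self.dynamic[ip], port)

    def _alloc_port(self, wanted: int) -> int:
        """Keep the inside port when it is free on the global address, else pick a new one."""
        used = set(self.table.values())
        if (self.free[0], wanted) not in used:
            return wanted
        while (self.free[0], self.next_port) in used:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def untranslate(self, dst: Endpoint) -> Optional[Endpoint]:
        """Outside-to-inside lookup for return traffic; None means no entry exists,
        so an unsolicited inbound packet has nowhere to go."""
        for inside, outside in self.table.items():
            if outside == dst:
                return inside
        for local_ip, global_ip in {**self.static, **self.dynamic}.items():
            if global_ip == dst[0]:
                return (local_ip, dst[1])
        return None


def demo() -> dict:
    """Replay the three configurations from the slides above with constructed hosts."""
    static = NatRouter("10.1.1.0/24")
    static.add_static("10.1.1.1", "170.46.2.2")
    dynamic = NatRouter("10.1.1.0/24", ("170.168.2.2", "170.168.2.254"))
    pat = NatRouter("10.1.1.0/24", ("170.168.2.1", "170.168.2.1"), overload=True)
    return {
        "static": static.translate(("10.1.1.1", 40000)),
        "dynamic_host1": dynamic.translate(("10.1.1.1", 40000)),
        "dynamic_host2": dynamic.translate(("10.1.1.2", 40000)),
        "dynamic_outside_acl": dynamic.translate(("10.1.2.5", 40000)),
        "pat_host1": pat.translate(("10.1.1.1", 40000)),
        "pat_host2": pat.translate(("10.1.1.2", 40000)),   # same port in use: gets a new one
        "pat_unsolicited_inbound": pat.untranslate(("170.168.2.1", 5555)),
        "pat_return": pat.untranslate(pat.translate(("10.1.1.2", 40000))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```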
The MPLS Conceptual Model
Basic MPLS Features
MPLS is a switching mechanism in which packets are forwarded based on labels.
Labels usually correspond to IP destination networks (equal to traditional IP forwarding).
Labels can also correspond to other parameters:
Layer 3 VPN destination
Layer 2 circuit
Outgoing interface on the egress router
QoS
Source address
MPLS was designed to support forwarding of non-IP protocols as well.
Basic MPLS Concepts Example
Only edge routers must perform a routing lookup.
Core routers switch packets based on simple label lookups and swap labels.
Router Switching Mechanisms
MPLS Architecture
Major Components of MPLS Architecture
Control plane: Exchanges routing information and labels
Contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP
Exchanges labels, such as LDP, BGP, and RSVP
Data plane: Forwards packets based on labels
Has a simple forwarding engine
Control Plane Components Example
Information from the control plane is sent to the data plane.
MPLS Labels
MPLS Labels
MPLS technology is intended to be used anywhere, regardless of Layer 1 media and Layer 2 protocol.
MPLS uses a 32-bit label field that is inserted between Layer 2 and Layer 3 headers (frame mode MPLS).
MPLS over ATM uses the ATM header as the label (cell mode MPLS).
Label Format
MPLS uses a 32-bit label field that contains this information:
20-bit label
3-bit experimental field
1-bit bottom-of-stack indicator
8-bit TTL field
Label Stack
Protocol ID (PID) in a Layer 2 header specifies that the payload starts with a label (or labels) and is followed by an IP header.
Bottom-of-stack bit indicates whether the next header is another label or a Layer 3 header.
Receiving router uses the top label only.
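As an added example that is not part of the original slides, the Python below packs and unpacks the 32-bit label stack entry from the Label Format and Label Stack slides (RFC 3032 layout) and models the three LSR operations named later in this section: impose at the ingress edge, swap in the core using the top label only, and pop at the egress. It also rejects a stack that runs out of bytes before the bottom-of-stack bit, which is the malformed case a parser must handle. The labels 28 and 100, the LFIB entry and the IP header stub are constructed; 28 matches the tag imposed in the show ip cef detail output shown later.

```python
import struct
from typing import Dict, List, Tuple


def encode_label_entry(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label field is 20 bits")
    if not (0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    word = (label << 12) | (exp << 9) | (int(bos) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_stack(frame: bytes) -> Tuple[List[dict], int]:
    """Read entries until the bottom-of-stack bit is set.

    Returns the entries and the offset where the Layer 3 header begins.
    A stack that runs out of bytes before S=1 is malformed and rejected.
    """
    entries, offset = [], 0
    while True:
        if len(frame) < offset + 4:
            raise ValueError("label stack truncated before bottom-of-stack")
        (word,) = struct.unpack_from("!I", frame, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": bool(word & 0x100), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def impose(ip_packet: bytes, labels: List[int], ttl: int = 255) -> bytes:
    """Ingress edge LSR: push the labels; only the innermost gets S=1."""
    last = len(labels) - 1
    stack = b"".join(encode_label_entry(lbl, bos=(i == last), ttl=ttl)
                     for i, lbl in enumerate(labels))
    return stack + ip_packet


def swap(frame: bytes, lfib: Dict[int, int]) -> bytes:
    """Core LSR: act on the top label only, replace it per the LFIB, decrement TTL."""
    top = decode_label_stack(frame)[0][0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired")
    new_top = encode_label_entry(lfib[top["label"]], top["exp"], top["bos"], top["ttl"] - 1)
    return new_top + frame[4:]        # inner labels and the IP packet are untouched


def pop(frame: bytes) -> Tuple[bytes, bool]:
    """Egress edge LSR: remove the top label; the flag says whether the IP header is next."""
    top = decode_label_stack(frame)[0][0]
    return frame[4:], top["bos"]


if __name__ == "__main__":
    ip = bytes.fromhex("45") + b"\x00" * 19        # constructed IPv4 header stub
    labelled = impose(ip, [28, 100], ttl=64)
    print(decode_label_stack(labelled))            # two entries, IP header at offset 8
    print(decode_label_stack(swap(labelled, {28: 35}))[0][0])   # label 35, ttl 63
```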
Frame Mode MPLS
Label Switch Routers
LSR primarily forwards labeled packets (swap label).
Edge LSR: Labels IP packets (impose label) and forwards them into the MPLS domain
Removes labels (pop label) and forwards IP packets out of the MPLS domain
LSR Component Architecture
Functions of LSRs
Component        Functions
Control plane    Exchanges routing information; exchanges labels
Data plane       Forwards packets (LSRs and edge LSRs)
Component Architecture of LSR
Component Architecture of Edge LSR
Summary
MPLS is a switching mechanism that uses labels to forward packets. The result of using labels is that only edge routers perform a routing lookup; all the core routers simply forward packets based on labels assigned at the edge.
MPLS consists of two major components: control plane and data plane.
MPLS uses a 32-bit label field that contains label, experimental field, bottom-of-stack indicator, and TTL field.
LSR is a device that forwards packets primarily based on labels. Edge LSR is a device that labels packets or removes labels from packets.
Exchanging routing information and exchanging labels are part of the control plane, while forwarding packets is part of the data plane.
The Procedure to Configure MPLS
The Procedure to Configure MPLS
1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Configuring IP CEF
Step 1: Configure CEF
1. Configure CEF: Start CEF switching to create the FIB table
Enable CEF switching on all core interfaces
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Step 1: Configure CEF (Cont.)
Router(config)#ip cef [distributed]
Starts CEF switching and creates the FIB table
The distributed keyword configures distributed CEF (running on VIP or line cards)
All CEF-capable interfaces run CEF switching
Router(config-if)#ip route-cache cef
Enables CEF switching on an interface
Usually not needed
Monitoring IP CEF
Displays a summary of the FIB
Router#show ip cef detail
IP CEF with switching (Table Version 6), flags=0x0
6 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations
0 load sharing elements, 0 bytes, 0 references
2 CEF resets, 0 revisions of existing leaves
refcounts: 543 leaf, 544 node
Adjacency Table has 4 adjacencies
0.0.0.0/32, version 0, receive
192.168.3.1/32, version 3, cached adjacency to Serial0/0.10
0 packets, 0 bytes
tag information set
local tag: 28
fast tag rewrite with Se0/0.10, point2point, tags imposed: {28}
via 192.168.3.10, Serial0/0.10, 0 dependencies
next hop 192.168.3.10, Serial0/0.10
valid cached adjacency
tag rewrite with Se0/0.10, point2point, tags imposed: {28}
Configuring MPLS on a Frame Mode Interface
Step 2: Configure MPLS on a Frame Mode Interface
1. Configure CEF
2. Configure MPLS on a frame mode interface:
Enable label switching on a frame mode interface
Start LDP or TDP label distribution protocol
3. (Optional) Configure the MTU size in label switching
Step 2: Configure MPLS on a Frame Mode Interface (Cont.)
Router(config-if)#mpls ip
Enables label switching on a frame mode interface
Starts LDP on the interface
Router(config-if)#mpls label protocol [tdp | ldp | both]
Starts the selected label distribution protocol on the specified interface
Configuring MPLS on a Frame Mode Interface: Example 1
Configuring MPLS on a Frame Mode Interface: Example 2
Defining MPLS VPN
VPN Taxonomy
VPN Models
VPN services can be offered based on two major models:
Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
Peer-to-peer VPNs, in which the service provider participates in the customer routing
Overlay VPNs: Frame Relay Example
Overlay VPNs: Layer 3 Routing
The service provider infrastructure appears as point-to-point links to customer routers.
Routing protocols run directly between customer routers.
The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.
Peer-to-Peer VPNs
Benefits of VPN Implementations
Overlay VPN: Well-known and easy to implement
Service provider does not participate in customer routing
Customer network and service provider network are well-isolated
Peer-to-peer VPN: Guarantees optimum routing between customer sites
Easier to provision an additional VPN
Only sites are provisioned, not links between them
Drawbacks of VPN Implementations
Overlay VPN: Implementing optimum routing requires a full mesh of VCs.
VCs have to be provisioned manually.
Bandwidth must be provisioned on a site-to-site basis.
Overlay VPNs always incur encapsulation overhead (IPsec or GRE).
Peer-to-peer VPN: The service provider participates in customer routing.
The service provider becomes responsible for customer convergence.
PE routers carry all routes from all customers.
The service provider needs detailed IP routing knowledge.
Drawbacks of Peer-to-Peer VPNs
Shared PE router: All customers share the same (provider-assigned or public) address space.
High maintenance costs are associated with packet filters.
Performance is lower, since each packet has to pass a packet filter.
Dedicated PE router: All customers share the same address space.
Each customer requires a dedicated router at each POP.
MPLS VPN Architecture
An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
Customers can use overlapping addresses.
MPLS VPN Architecture: Terminology
PE Router Architecture
IPsec VPNs
IPsec Components and IPsec VPN Features
IPsec Overview
What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:
Authentication of every IP packet
Verification of data integrity for each packet
Confidentiality of packet payload
Consists of open standards for securing private communications
Scales from small to very large networks
Is available in Cisco IOS software version 11.3(T) and later
Is included in PIX Firewall version 5.0 and later
IPsec Security Features
IPsec is the only standard Layer 3 technology that provides:
Confidentiality
Data integrity
Authentication
Replay detection
IPsec Protocols
IPsec uses three main protocols to create a security framework:
Internet Key Exchange (IKE):
Provides framework for negotiation of security parameters
Establishment of authenticated keys
Encapsulating Security Payload (ESP):
Provides framework for encrypting, authenticating, and
securing of data
Authentication Header (AH):
Provides framework for authenticating and securing of data
IPsec Headers
The IPsec headers provide the following:
Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
Confidentiality (DES, 3DES, or AES) only with ESP
Peer Authentication
Peer authentication methods:
Username and password
OTP (Pin/Tan)
Biometric
Preshared keys
Digital certificates
Internet Key Exchange
IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
Negotiation of SA characteristics
Automatic key
IKE Phases
Phase 1: Authenticate the peers
Negotiate a bidirectional SA
Main mode or aggressive mode
Phase 1.5:
Xauth
Mode config
Phase 2: IPsec SAs/SPIs
Quick mode
IKE Modes
IKE: Other Functions
Dead peer detection (DPD):
Bidirectional
Sent on periodic intervals
Sender must receive a reply or disconnect
IKE keepalives are unidirectional and are sent every 10 seconds.
NAT traversal:
Defined in RFC 3947
Encapsulates IPsec packet in UDP packet
Mode config (Push Config) and Xauth (User Authentication)
IPsec and NAT: The Problem
IPsec NAT Traversal
Need NAT traversal with IPsec over TCP/UDP:
NAT traversal detection
NAT traversal decision
UDP encapsulation of IPsec packets
UDP encapsulated process for software engines
Symmetric vs. Asymmetric Encryption Algorithms
Symmetric algorithm:
Secret key cryptography
Encryption and decryption use the same key
Typically used to encrypt the content of a message
Examples: DES, 3DES, AES
Asymmetric algorithm:
Public key cryptography
Encryption and decryption use different keys
Typically used in digital certification and key management
Example: RSA
Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms
Symmetric Key Length (bits) | Asymmetric Key Length (bits)
80                          | 1024
112                         | 2048
128                         | 3072
192                         | 7680
256                         | 15,360
Comparable key lengths required for asymmetric keys compared to symmetric keys
Security Level of Cryptographic Algorithms
Security Level | Work Factor | Algorithms
Weak           | O(2^40)     | DES, MD5
Legacy         | O(2^64)     | RC4, SHA-1
Baseline       | O(2^80)     | 3DES
Standard       | O(2^128)    | AES-128, SHA-256
High           | O(2^192)    | AES-192, SHA-384
Ultra          | O(2^256)    | AES-256, SHA-512
Symmetric Encryption: DES
Symmetric key encryption algorithm
Block cipher: Works on 64-bit data block, uses 56-bit key (last bit of each byte used for parity)
Mode of operation: Apply DES to encrypt blocks of data
Symmetric Encryption: 3DES
168-bit total key length
Mode of operation decides how to process DES three times
Normally: encrypt, decrypt, encrypt
3DES requires more processing than DES
Symmetric Encryption: AES
Formerly known as Rijndael
Successor to DES and 3DES
Symmetric key block cipher
Strong encryption with long expected life
AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe
Asymmetric Encryption: RSA
Based on Diffie-Hellman key exchange (IKE) principles
Public key to encrypt data, and to verify digital signatures
Private key to decrypt data, and to sign with a digital signature
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange (Cont.)
PKI Environment
Certificate Authority
The trust basis of a PKI system
Verifies user identity, issues certificates by binding identity of a user to a public key with a digital certificate
Revokes certificates and publishes CRL
In-house implementation or outsourcing
X.509 v3 Certificate
PKI Message Exchange
PKI Credentials
How to store PKI credentials (RSA keys and certificates):
NVRAM
eToken: Cisco 871, 1800, 2800, 3800 Series router
Cisco IOS Release 12.3(14)T image
Cisco USB eToken
A k9 image
Summary
IPsec provides a mechanism for secure data transmission over IP networks.
The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.
IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packet, config mode, and Xauth.
The two IP protocols used in the IPsec standard are ESP and AH.
For message authentication and integrity check, an HMAC is used.
The two types of encryption are symmetric encryption and asymmetric encryption.
PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.
IPsec VPNs
Site-to-Site IPsec VPN Operation
Site-to-Site IPsec VPN Operations
Five Steps of IPsec
Step 1: Interesting Traffic
Step 2: IKE Phase 1
IKE Policy
Negotiates matching IKE transform sets to protect IKE exchange
Diffie-Hellman Key Exchange
Authenticate Peer Identity
Peer authentication methods:
Preshared keys
RSA signatures
RSA encrypted nonces
Step 3: IKE Phase 2
Negotiates IPsec security parameters, IPsec transform sets
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally, performs an additional Diffie-
IPsec Transform Sets
A transform set is a combination of algorithms and protocols that enact a
Security Associations
SA database:
Destination IP address
SPI
Protocol (ESP or AH)
Security policy database:
Encryption algorithm
Authentication algorithm
Mode
Key lifetime
SA Lifetime
Data-transmitted-based
Time-based
Step 4: IPsec Session
SAs are exchanged between peers.
The negotiated security services are applied to
the traffic.
Step 5: Tunnel Termination
A tunnel is terminated by one of the following:
By an SA lifetime timeout
If the packet counter is exceeded
IPsec SA is removed
Configuring IPsec
Configuration Steps for Site-to-Site IPsec VPN
1. Establish ISAKMP policy
2. Configure IPsec transform set
3. Configure crypto ACL
4. Configure crypto map
5. Apply crypto map to the interface
6. Configure interface ACL
Site-to-Site IPsec Configuration: Phase 1
Site-to-Site IPsec Configuration: Phase 2
Site-to-Site IPsec Configuration: Apply VPN Configuration
Site-to-Site IPsec Configuration: Interface ACL
When filtering at the edge, there is not much to see:
IKE: UDP port 500
ESP and AH: IP protocol numbers 50 and 51, respectively
NAT transparency enabled:
UDP port 4500
TCP (port number has to be configured)
Site-to-Site IPsec Configuration: Interface ACL (Cont.)
Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
Ensure that protocols 50 and 51 and UDP port 500
traffic is not blocked on interfaces used by IPsec.
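To check an interface ACL like the one above mechanically, here is an added Python example (not from the course material): it parses extended numbered access-list entries in the form shown on the slide and reports which of the listed IPsec flows (ESP, AH, UDP/500, and UDP/4500 when NAT traversal is enabled) from the remote peer to the local peer are not permitted, honouring first-match order. The first ACL is the slide's; the second is constructed, and the IOS port keyword non500-isakmp for UDP/4500 is an assumption added here.

```python
# Added example (not from the course slides): audit an inbound interface ACL
# for the IPsec flows the slide lists. Only 'any', 'host A.B.C.D' and
# 'A.B.C.D WILDCARD' address forms with an optional destination 'eq' port
# are parsed; standard (one-address) ACLs are skipped.
import ipaddress

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS keywords for 500/4500


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _addr_matches(spec, ip):
    """Wildcard-mask comparison: a 1 bit in the mask means 'don't care'."""
    base, wildcard = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(ip)) & ~wildcard) == (base & ~wildcard)


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'; None otherwise."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    ace = {"action": t[2], "proto": t[3], "port": None}
    ace["src"], rest = _addr(t[4:])
    ace["dst"], rest = _addr(rest)
    if len(rest) >= 2 and rest[0] == "eq":
        ace["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ace


def first_match(aces, proto, src, dst, port=None):
    """IOS evaluates entries top-down; the first match decides, else implicit deny."""
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"]
    return "deny"


def blocked_ipsec_flows(acl_text, remote_peer, local_peer, nat_traversal=False):
    """Return the (proto, port) pairs from remote to local that the ACL does not permit."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    flows = [("esp", None), ("ahp", None), ("udp", 500)]
    if nat_traversal:
        flows.append(("udp", 4500))
    return [f for f in flows
            if first_match(aces, f[0], remote_peer, local_peer, f[1]) != "permit"]


# The ACL shown on the slide above
SLIDE_ACL = """\
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
"""
# Constructed: an earlier deny of all UDP shadows the IKE permit that follows it
SHADOWED_ACL = """\
access-list 103 deny udp any any
access-list 103 permit esp host 172.16.172.10 host 172.16.171.20
access-list 103 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
"""

if __name__ == "__main__":
    print("slide ACL, NAT-T on:", blocked_ipsec_flows(SLIDE_ACL, "172.16.172.10", "172.16.171.20", True))
    print("shadowed ACL:", blocked_ipsec_flows(SHADOWED_ACL, "172.16.172.10", "172.16.171.20"))
```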
Summary
IPsec operation includes these steps: Initiation by interesting traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
To configure a site-to-site IPsec VPN: Configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply crypto map, and configure ACL.
To define an IKE policy, use the crypto isakmp policy global configuration command.
To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and IKE protocol (UDP/500).
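To apply the security-level and key-length tables from the cryptography section to the crypto isakmp policy and crypto ipsec transform-set commands named here, the following is an added Python example (not from the course material): it rates each algorithm keyword of a constructed ISAKMP policy block and transform-set line against those tables and reports the weakest link. The DH group modulus sizes are an assumption taken from RFC 2409/3526, not from the slides, and the sha256 ISAKMP hash keyword exists only on later IOS releases than the slides describe.

```python
# Added example (not from the course slides): rate IOS crypto configuration
# against the slides' security-level and key-length tables.

# Security levels from the slide's table: (work-factor exponent, level name)
LEVELS = [(40, "Weak"), (64, "Legacy"), (80, "Baseline"),
          (128, "Standard"), (192, "High"), (256, "Ultra")]

# Work-factor exponent per algorithm from the same table, keyed by IOS spelling
ALG_BITS = {"des": 40, "md5": 40, "sha": 64, "3des": 80, "aes": 128,
            "aes-192": 192, "aes-256": 256,
            "sha256": 128, "sha384": 192, "sha512": 256}

# Comparable key lengths from the slide's table: (symmetric bits, asymmetric bits)
KEY_EQUIV = [(80, 1024), (112, 2048), (128, 3072), (192, 7680), (256, 15360)]

# Modulus size of each IKE DH group (RFC 2409 / RFC 3526); assumption added here
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}


def level_of(bits):
    """Map a symmetric work-factor exponent to the slide's level name."""
    name = "Weak"
    for threshold, label in LEVELS:
        if bits >= threshold:
            name = label
    return name


def dh_strength(group):
    """Symmetric-equivalent bits of a DH group per the key-length table; a
    modulus shorter than the first row (1024 bits) rates 0, i.e. Weak."""
    modulus = DH_GROUP_BITS.get(group, 0)
    return max([sym for sym, asym in KEY_EQUIV if modulus >= asym], default=0)


def rate(alg):
    """Level name for an IOS algorithm keyword, 'Unrated' if the table lacks it."""
    return level_of(ALG_BITS[alg]) if alg in ALG_BITS else "Unrated"


def audit_isakmp_policy(config):
    """Rate the encryption, hash and DH group lines of a 'crypto isakmp policy' block."""
    findings = {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "encryption":             # 'encryption aes 256' -> aes-256
            alg = "-".join(t[1:])
            findings[alg] = rate(alg)
        elif t[0] == "hash":
            findings[t[1]] = rate(t[1])
        elif t[0] == "group":
            findings["group " + t[1]] = level_of(dh_strength(t[1]))
    return findings


def audit_transform_set(line):
    """Rate each transform of a 'crypto ipsec transform-set NAME ...' line."""
    t = line.split()
    if t[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line")
    findings, transforms, i = {}, t[4:], 0
    while i < len(transforms):
        name = transforms[i]
        if name == "esp-aes" and i + 1 < len(transforms) and transforms[i + 1].isdigit():
            name = "esp-aes-" + transforms[i + 1]   # 'esp-aes 256' -> esp-aes-256
            i += 1
        core = name.split("-", 1)[1].replace("-hmac", "")  # esp-sha-hmac -> sha
        findings[name] = rate(core)
        i += 1
    return findings


def weakest(findings):
    """A policy is only as strong as its weakest algorithm."""
    order = ["Unrated"] + [label for _, label in LEVELS]
    return min(findings.values(), key=order.index)


# Constructed sample configurations
LEGACY_POLICY = """crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2"""
CURRENT_POLICY = """crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14"""
LEGACY_TS = "crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac"
CURRENT_TS = "crypto ipsec transform-set CURRENT esp-aes 256 esp-sha-hmac"

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_POLICY), ("current", CURRENT_POLICY)):
        found = audit_isakmp_policy(cfg)
        print(label, found, "->", weakest(found))
    print(audit_transform_set(CURRENT_TS))
```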
IPsec VPNs
Configuring IPsec Site-to-Site VPN
Using SDM
Generic Routing Encapsulation
OSI Layer 3 tunneling protocol:
Uses IP for transport
Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)
Default GRE Characteristics
Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
Stateless (no flow control mechanisms)
No security (no confidentiality, data authentication, or integrity assurance)
24-byte overhead by default (20-byte IP header and 4-byte GRE header)
Optional GRE Extensions
GRE can optionally contain any one or more of these fields:
Tunnel checksum
Tunnel key
Tunnel packet sequence number
GRE keepalives can be used to track tunnel path status.
GRE Configuration Example
GRE tunnel is up and protocol up if:
Tunnel source and destination are configured
Tunnel destination is in routing table
GRE keepalives are received (if used)
GRE is the default tunnel mode.
Introducing Secure GRE Tunnels
GRE is good at tunneling:
Multiprotocol support
Provides virtual point-to-point connectivity, allowing routing protocols to be used
GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)
GRE cannot accommodate typical security requirements:
Confidentiality
Data source authentication
Data integrity
IPsec Characteristics
IPsec provides what GRE lacks:
Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
Data source authentication using HMACs (e.g., MD5 or SHA-1)
Data integrity verification using HMACs
IPsec is not perfect at tunneling:
Older Cisco IOS software versions do not support IP multicast over IPsec
IPsec was designed to tunnel IP only (no multiprotocol support)
Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel
IPsec does not tunnel IP protocols; GRE does
GRE over IPsec
GRE over IPsec is typically used to do the following:
Create a logical hub-and-spoke topology of virtual point-to-point connections
Secure communication over an untrusted transport network (e.g., Internet)
GRE over IPsec Characteristics
GRE encapsulates arbitrary payload.
IPsec encapsulates unicast IP packet (GRE):
Tunnel mode (default): IPsec creates a new tunnel IP packet
Transport mode: IPsec reuses the IP header of the GRE (20 bytes less overhead)
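As an added example (not part of the course material) tying together the optional GRE fields listed under Optional GRE Extensions and the overhead figures on this slide, the following Python encodes and decodes a GRE header with the checksum, key and sequence-number options and totals the overhead for GRE over IPsec in tunnel versus transport mode. The payload is constructed; the field layout follows RFC 2784/2890, and ESP's own overhead, which the slides do not quantify, is left out.

```python
# Added example (not from the course slides): GRE header encode/decode with
# the optional checksum, key and sequence-number fields, plus overhead sums.
import struct

FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800
IPV4_HEADER = 20


def _ones_complement(data):
    """Internet checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, proto=ETHERTYPE_IPV4, checksum=False, key=None, seq=None):
    """4-byte GRE header plus optional 4-byte fields in the order
    checksum/reserved1, key, sequence number; the checksum covers the whole
    GRE header and payload."""
    flags, opt = 0, b""
    if checksum:
        flags |= FLAG_CHECKSUM
        opt += b"\x00\x00\x00\x00"             # checksum placeholder + Reserved1
    if key is not None:
        flags |= FLAG_KEY
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQ
        opt += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto) + opt
    if checksum:
        csum = _ones_complement(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet):
    """Decode a GRE packet into its fields; raises ValueError on a bad checksum."""
    flags, proto = struct.unpack("!HH", packet[:4])
    pos, fields = 4, {"proto": proto}
    if flags & FLAG_CHECKSUM:
        fields["checksum"] = struct.unpack("!H", packet[4:6])[0]
        pos += 4
    if flags & FLAG_KEY:
        fields["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_SEQ:
        fields["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    # A correct checksum makes the one's-complement sum of the packet come out to zero
    if flags & FLAG_CHECKSUM and _ones_complement(packet) != 0:
        raise ValueError("GRE checksum mismatch")
    fields["payload"] = packet[pos:]
    return fields


def gre_overhead(checksum=False, key=None, seq=None):
    """Bytes GRE adds: delivery IP header (20) + GRE header (4) + 4 per
    optional field, i.e. the 24-byte default the slide states."""
    return IPV4_HEADER + 4 + 4 * (bool(checksum) + (key is not None) + (seq is not None))


def gre_over_ipsec_overhead(mode, **gre_opts):
    """Per the slide, transport mode reuses the GRE delivery IP header and so
    costs 20 bytes less than tunnel mode, which adds a new outer IP header."""
    extra = IPV4_HEADER if mode == "tunnel" else 0
    return gre_overhead(**gre_opts) + extra


if __name__ == "__main__":
    pkt = build_gre(b"constructed payload", key=42, seq=7, checksum=True)  # constructed
    print(parse_gre(pkt))
    print("tunnel:", gre_over_ipsec_overhead("tunnel"), "transport:", gre_over_ipsec_overhead("transport"))
```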
High Availability for Cisco IOS IPsec VPNs
Failures
IPsec VPNs can experience any one of a number of different types of failures:
Access link failure
Remote peer failure
Device failure
Path failure
IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.
Redundancy
Common solutions using one or more of these options:
Two access links to mitigate access-link failures
Multiple peers to mitigate peer failure
Two local VPN devices to mitigate device failures
Multiple independent paths to mitigate all path failures
Failure Detection
Native IPsec uses DPD to detect failures in the path and remote peer failure.
Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).
HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.
Dead Peer Detection
IKE keepalives: Keepalives in periodic intervals
DPD: Keepalives in periodic intervals if no data transmitted
On-demand option
IPsec Backup Peer
One HA design option is to use native IPsec and its HA mechanisms:
DPD to detect failures
Backup peers to take over new tunnels when primary peer becomes unavailable
Configuration Example
Router will first try primary peer.
If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.
Hot Standby Routing Protocol
HSRP can be used at:
Headend: Two head-end IPsec devices appear as one to remote peers
Remote site: Two IPsec gateways appear as one to local devices
Active HSRP device uses a virtual IP and MAC address.
Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down.
HSRP for Default Gateway at Remote Site
All remote devices use virtual IP as default gateway.
Backup router is only used when primary router is down.
HSRP for Head-End IPsec Routers
Remote sites peer with virtual IP address (HSRP) of the headend.
RRI or HSRP can be used on inside interface to ensure proper return path.
IPsec Stateful Failover
IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
IPsec stateful failover requires:
Identical hardware and software configuration of IPsec on active and standby device
Exchange of IPsec state between active and standby device (i.e., complete SA information)
IPsec Stateful Failover (Cont.)
IPsec stateful failover works in combination with HSRP and SSO.
SSO is responsible for synchronizing the ISAKMP and IPsec SA database between HSRP active and standby routers.
RRI is optionally used to inject the routes into the internal network.
IPsec Stateful Failover Example
Configure IPC to exchange state information between head-end devices.
Enable stateful redundancy.
Backing Up a WAN Connection with an IPsec VPN
IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.
Switchover options:
Using an IGP (e.g., GRE over IPsec or VTI):
Use IGP metrics to influence primary path selection
Optionally, use HSRP to track PVC status on remote site
Using floating static routes for VPN destinations
IPsec VPN: Example Using GRE over IPsec
IGP used to detect PVC failures
Reroute to GRE over IPsec tunnel
Summary
High availability requires two components:
Redundant devices, links, or paths
High availability mechanisms to detect failures and reroute
Native IPsec can be configured with backup peers in crypto maps in combination with DPD.
HSRP can be used instead of backup peers.
IPsec stateful failover can augment HSRP to minimize downtime upon head-end device failures.
IPsec VPNs can be used as a backup for other types of networks.
IPsec VPNs
Configuring Cisco Easy VPN and Easy
VPN Server Using SDM
Introducing Cisco Easy VPN
Cisco Easy VPN has two main functions:
Simplify client configuration
Centralize client configuration and dynamically push the configuration to clients
How are these two goals achieved?
IKE Mode Config functionality is used to download some configuration parameters to clients.
Clients are preconfigured with a set of IKE policies and IPsec transform sets.
Cisco Easy VPN Components
Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature
Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients
Remote Access Using Cisco Easy VPN
Describe Easy VPN Server and Easy VPN Remote
Cisco Easy VPN Remote Connection Process
1. The VPN client initiates the IKE Phase 1 process.
2. The VPN client establishes an ISAKMP SA.
3. The Easy VPN Server accepts the SA proposal.
4. The Easy VPN Server initiates a username and
password challenge.
5. The mode configuration process is initiated.
6. The RRI process is initiated.
7. IPsec quick mode completes the connection.
Step 1: The VPN Client Initiates the IKE Phase 1 Process
Using pre-shared keys? Initiate aggressive mode.
Using digital certificates? Initiate main mode.
Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by
sending multiple ISAKMP proposals to the Easy VPN Server.
To reduce manual configuration on the VPN client, these ISAKMP proposals
include several combinations of the following:
Encryption and hash algorithms
Authentication methods
Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
The first proposal to match the server list is accepted (highest-priority
match).
The most secure proposals are always listed at the top of the Easy VPN
Server proposal list (highest priority).
The ISAKMP SA is successfully established.
Device authentication ends and user authentication begins.
Step 4: The Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth,
the VPN client waits for a username/password
challenge:
The user enters a username/password combination.
The username/password information is checked
against authentication entities using AAA.
Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
Mode configuration starts.
The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
Step 6: The RRI Process Is Initiated
RRI should be used when the following conditions occur:
More than one VPN server is used
Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)
RRI ensures the creation of static routes.
Redistributing static routes into an IGP allows the server's site routers to find the appropriate Easy VPN Server for return traffic to clients.
Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been
successfully received by the VPN client, IPsec
quick mode is initiated to negotiate IPsec SA
establishment.
After IPsec SA establishment, the VPN
connection is complete.
Configuring NTP Client
Understanding NTP
NTP is used to synchronize the clocks in the entire network.
System clock is set by the battery system calendar during bootup.
System clock can then be modified manually or via NTP.
NTP runs over UDP port 123; current version is 4.
Only NTP up to version 3 has been documented in RFCs.
Stratum describes how many NTP hops away a machine is from authoritative time source.
Configuring NTP Authentication
Router(config)#
ntp authenticate
Enables the authentication feature
Router(config)#
ntp authentication-key number md5 value
Defines the authentication keys
Used for both peer and server associations
Router(config)#
ntp trusted-key key-number
Defines the trusted authentication keys
Required to synchronize to a system (server association)
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1
Configuring NTP Associations
Router(config)#
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
Forms a server association with another system
Router(config-if)#
ntp broadcast client
Receives NTP broadcast packets
R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface Fastethernet 0/1
R1(config-if)#ntp broadcast client
Configuring Additional NTP Options
Router(config)#
ntp access-group {query-only | serve-only | serve | peer} access-list-number
Controls NTP message exchange
Router(config)#
ntp source interface
Modifies the source IP address of NTP packets
R1(config)#access-list 1 permit host 10.1.1.1
R1(config)#ntp access-group peer 1
R1(config)#ntp source loopback 0
Configuring NTP Server
Implementing NTP Server
Cisco IOS routers work as an NTP server by default.
As soon as a router is synchronized to an authoritative time source, it will allow peers with lower stratum to synchronize to that router:
Requires a peer association
You can make a router an authoritative NTP server, even if the system is not synchronized to an outside time source.
Two options to establish a peer association:
Unicast
Configuring NTP Server
Router(config)#
ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
Forms a peer association with another system
Router(config)#
ntp master [stratum]
Makes the system an authoritative NTP server
Router(config-int)#
ntp broadcast [version number] [destination address] [key keyid]
Configures an interface to send NTP broadcast packets
R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface Fastethernet0/0
R2(config-int)#ntp broadcast
NTP Configuration Example
Source(config)#ntp master 5
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0
Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface Fastethernet0/0
Intermediate(config-int)#ntp broadcast
Client(config)#ntp authentication-key 1 md5 secretclient
Client(config)#ntp trusted-key 1
Client(config)#interface Fastethernet0/1
Client(config-int)#ntp broadcast client
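The ntp authentication-key / ntp trusted-key pair used throughout this example is the MD5 symmetric-key scheme of RFC 1305/5905. Here is an added Python example (not from the course material) that signs a constructed NTP packet and applies the receiver's checks, using the key IDs and key strings of the Intermediate router above, which configures two keys but trusts only key 1. The packet contents and timestamp are constructed, and NTP extension fields are not handled.

```python
# Added example (not from the course slides): NTP MD5 symmetric-key
# authentication as configured with 'ntp authentication-key N md5 ...'
# and accepted only for IDs listed with 'ntp trusted-key'.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16            # key ID + MD5 digest


def build_ntp_header(stratum, transmit_ts):
    """Minimal NTPv4 server-mode header (LI=0, VN=4, mode=4); the reference,
    originate and receive timestamps are left zero for brevity."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + b"\x00" * 12                 # root delay, root dispersion, reference ID
            + b"\x00" * 24                 # reference, originate, receive timestamps
            + struct.pack("!Q", transmit_ts))


def ntp_mac(key_id, key, header):
    """RFC 5905 MD5 MAC: the 4-byte key ID followed by MD5(key || header).
    Note this is a keyed hash, not an HMAC; its security rests entirely on
    the key string staying secret."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(header, key_id, key):
    """Append the MAC a router adds when the association names a key."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet, keys, trusted_keys):
    """Mirror the router's checks: a MAC must be present, its key ID must be
    configured (ntp authentication-key) and trusted (ntp trusted-key), and
    the digest must match. Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "key id %d not configured" % key_id
    if key_id not in trusted_keys:
        return False, "key id %d not trusted" % key_id
    if not hmac.compare_digest(ntp_mac(key_id, keys[key_id], header), bytes(mac)):
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id


# Intermediate router from the slide: two keys configured, only key 1 trusted
KEYS = {1: b"secretsource", 2: b"secretclient"}
TRUSTED = {1}
# Constructed packet: stratum 5 with an arbitrary transmit timestamp
HEADER = build_ntp_header(stratum=5, transmit_ts=0xE6C0D0A000000000)

if __name__ == "__main__":
    print(verify_packet(sign_packet(HEADER, 1, KEYS[1]), KEYS, TRUSTED))
    print(verify_packet(sign_packet(HEADER, 2, KEYS[2]), KEYS, TRUSTED))
```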
Summary
Since OOB management provides higher levels of security and performance than in-band, the decision to use an in-band solution must be considered carefully.
Management communications should use SSH rather than Telnet.
Implementing a router logging facility is an important part of any network security policy.
Syslog is implemented on your Cisco router using syslog router commands.
Network management will be greatly enhanced by implementing the security features of SNMPv3 rather than earlier versions.
Cisco IOS SNMPv3 server configuration tasks include configuring SNMP-server engine ID, group names, users, and hosts.
Cisco routers can be configured as NTP servers or clients.
Packet authentication and filtering should be used to protect NTP exchange.
Cisco Device Hardening
Configuring AAA on Cisco Routers
Introduction to AAA
AAA Model
Authentication:
Who are you? I am user student and my password validateme proves it.
Authorization:
What can you do? What can you access?
User student can access host serverXYZ using Telnet.
Assign an IP address and ACL to user student connecting through VPN.
When user student starts an EXEC session, assign privilege level 10.
Accounting:
What did you do? How long and how often did you do it?
User student accessed host serverXYZ using Telnet for 15 minutes.
User student was connected to VPN for 25 minutes.
EXEC session of user student lasted 20 minutes and only show commands were
executed.
Implementing AAA
Administrative access: Console, Telnet, and AUX access
Remote user network access: Dialup or VPN
Router Access Modes
AAA Protocols: RADIUS and TACACS+
RADIUS Authentication and Authorization
The example shows how RADIUS exchange
starts once the NAS is in possession of the
username and password.
The ACS can reply with Access-Accept message,
or Access-Reject if authentication is not
successful.
RADIUS Messages
There are four types of messages:
Access-Request
Access-Challenge, to facilitate challenge-response
authentication protocols
Access-Accept
Access-Reject
RADIUS Attributes
RADIUS messages contain zero or more AV-pairs, for example:
User-Name
User-Password (this is the only encrypted entity in RADIUS)
CHAP-Password
Service-Type
Framed-IP-Address
There are approximately 50 standard-based
attributes (RFC 2865).
RADIUS allows proprietary attributes.
RADIUS Features
Standard protocol (RFC 2865)
Standard attributes can be augmented by proprietary attributes:
Vendor-specific attribute 26 allows any TACACS+
attribute to be used over RADIUS
Uses UDP on standard port numbers (1812 and
1813; Cisco Secure ACS uses 1645 and 1646 by
default)
Includes only two security features:
Encryption of passwords (MD5 encryption)
Authentication of packets (MD5 fingerprinting)
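The two MD5-based features this slide names are specified in RFC 2865: User-Password hiding (section 5.2) and the Response Authenticator (section 3). Here is an added Python example (not from the course material) implementing both, with a constructed shared secret, credentials and packets; it shows that the password hiding is reversible by anyone holding the secret and that only replies, not requests, carry the MD5 fingerprint in the base protocol.

```python
# Added example (not from the course slides): RFC 2865 User-Password hiding
# and Response Authenticator, built and verified on constructed packets.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5_chain(data, secret, request_auth, chain_on_output):
    """Process 16-byte blocks: XOR each with MD5(secret || previous block),
    where 'previous block' is the Request Authenticator for block 1 and the
    previous ciphertext block afterwards (output when hiding, input when revealing)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least one block), then
    XOR with the MD5 key stream. Anyone holding the secret can reverse it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _md5_chain(padded, secret, request_auth, chain_on_output=True)


def reveal_password(hidden, secret, request_auth):
    """Server side: undo the hiding and strip the NUL padding."""
    return _md5_chain(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")


def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret):
    """Access-Request carrying User-Name and the hidden User-Password. The
    16-byte Request Authenticator is random and must not repeat, because the
    password key stream is derived from it."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes
    + Secret), the 'MD5 fingerprint' that lets the NAS check a reply came from
    a server holding the secret and answers this particular request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Access-Accept or Access-Reject as the server builds it."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: recompute the Response Authenticator from the reply's own
    fields plus the Request Authenticator of the outstanding request."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"secretradius"                                 # constructed shared secret
    req = build_access_request(7, b"student", b"validateme", secret)
    resp = build_response(ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    print("reply genuine:", verify_response(resp, req[4:20], secret))
    print("reply with wrong secret:", verify_response(resp, req[4:20], b"wrong"))
```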
TACACS+ Authentication
The example shows how TACACS+ exchange starts before the user is prompted for username and password.
The prompt text can be supplied by the TACACS+ server.
TACACS+ Network Authorization
The example shows the process of network
authorization which starts after successful
authentication.
TACACS+ Command Authorization
The example illustrates the command authorization process, which is repeatedly started for every single command that requires authorization (based on command privilege level).
TACACS+ Attributes and Features
TACACS+ messages also contain AV-pairs, such as these:
ACL
ADDR
CMD
Interface-Config
Priv-Lvl
Route
TACACS+ uses TCP on well-known port number 49.
TACACS+ establishes a dedicated TCP session for every AAA action.
Cisco Secure ACS can use one persistent TCP session for all actions.
Protocol security includes authentication and encryption of all TACACS+
datagrams.
Configuring the AAA Server
TACACS+
RADIUS
Configure AAA Login Authentication on Cisco Routers Using CLI
AAA Authentication Commands
Router(config)#
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
Use this command to configure the authentication process.
Router(config)#aaa authentication login default group tacacs+ local line
Character Mode Login Example
Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
login authentication my_list
Because no authentication list has been specified for line con 0 and aux 0, the default list will be used.
Verifying AAA Login Authentication Commands
aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
login authentication radius_local
Troubleshoot AAA Login Authentication on Cisco Routers
router#
debug aaa authentication
Use this command to help troubleshoot AAA authentication problems.
Troubleshoot AAA Authentication Example
R2#debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
AAA Authorization Commands
router(config)#
aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
Authorization Example
R2#show running-config
...
aaa new-model
!
aaa authentication login default local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
...
username admin password 0 cisco123
Troubleshooting Authorization
router#
debug aaa authorization
Use this command to help troubleshoot AAA authorization problems.
R2#debug aaa authorization
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
AAA Accounting Commands
router(config)#
aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
AAA Accounting Example
R2#show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...
Troubleshooting Accounting
router#
debug aaa accounting
Use this command to help troubleshoot AAA accounting problems.
R2#debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54
elapsed_time=14
Summary
Authentication, authorization, and accounting are used to effectively control network access.
The router access modes for AAA are character and packet.
The most popular AAA protocols are TACACS+ and RADIUS.
AAA can be configured on the router using CLI or SDM.
SDM simplifies the AAA configuration process.
One of the troubleshooting tools for login authentication is the debug aaa authentication command.
The aaa authorization exec command is used for character mode, while the aaa authorization network command is used for packet mode access authorization.
The aaa accounting command provides numerous options for accounting purposes.
Module Summary
Attacks can target various components of modern networks, such as system integrity, confidentiality, and availability.
Disabling unneeded router services and interfaces makes the router less vulnerable to attacks.
Administrative access should be secured using