
  • CCIEIX.fm Page 1048 Tuesday, June 10, 2003 8:11 AM

    INDEX

    Numerics

    3DES (Triple DES) 432, 636
    802.1Q tunneling 881

    A

    AAA 428, 436, 448–449
      configuring on PIX Firewall 581, 583, 585–593
      configuring with RADIUS 569–581
      user account verification 449–451
      VPDN configuration 752–761
    access attacks 436
    access control lists. See ACLs
    access-list command 756
    accounting, Tripwire 967
    accounts
      locking 965
      root account, modifying 964
    ACEs (access control entries) 477
      applying to interfaces 496–497
      entry order 496
      implicit deny statement 495
    ACLs (access control lists) 428, 443, 477, 480–483. See also advanced ACLs
      ACEs 477
        entry order 496
        implicit deny statement 495
      applying to interfaces 496, 497, 501
      assigning to vtys 445
      Cisco PIX Firewall configuration 824–826
      configuring 498
      crypto 477
        functions of 477
        implementing 478–479
      defining 495
      defining criteria 498–500
      displaying information 514–515
      IP, testing Layer 4 information 493
      lock-and-key 506–507
        configuring 484–487
      logging 494–495, 511–512
      named extended IP ACLs
        configuring 482
        creating 503
        time range function 483–484
      named MAC extended IP ACLs, configuring 482
      named standard IP ACLs
        configuring 482
        creating 503
      numbered extended IP ACLs
        configuring 481
        creating 502, 503
      numbered standard IP ACLs
        configuring 481
        creating 502
      port, configuring 490, 491
      reflexive 507–511
        configuring 488–489
      router configuration 490
      size limitations 517–518
      time range function
        implementing 504–506
      troubleshooting 516–517
      TurboACL, configuring on PIX Firewall 6.2 850
      unsupported features on Catalyst 3550 switch 518
      VLAN map entries
        creating 513
        removing 514
    ACS, password recovery 1011
    active routers (HSRP) 527
    active state (EIGRP) 250
    ActiveX objects, filtering 827
    address mapping, configuring on Frame Relay 105–108
    address translation, xlates 814
    addressing, IS-IS 333
      NSAP format 333–334
      requirements 334–335
    adjacencies 328
      configuring on IS-IS 324–325
    adjusting MTU packet size 526
    administrative distance 398
      configuring on OSPF networks 300–301
    advanced ACLs 482–483
      defining 495
      lock-and-key, configuring 484–487, 506–507
      logging 494–495
      port ACLs, configuring 490–491


      reflexive, configuring 488–489, 507–511
      router ACLs
        configuring 490
        VLAN maps 491–492
      size limitations 517–518
    advanced RIP configuration 233–235
    advanced security features, practice lab 926–931
    advanced VPN configuration 718–719
      EIGRP 720–724
      GRE tunnels 720
      loopback interfaces 720
    advanced VPN implementation 715
      DMVPN 732–735
        configuring on hub router 736–738
        configuring on spokes 739–740
        IPSec profiles, configuring 735–736
        verifying configuration 741–745
      IPSec VPNs 715
        DMVPNs 716–718
        GREs 716
    advertising, default routes 209
    AES (Advanced Encryption Standard) 637
    aggressive mode (IKE phase 1) 642
    AH (authentication header) 428, 634
    application inspection, configuring on PIX Firewall 835–836
    applying
      ACLs to interfaces 496–497, 501
      patches to Windows 975
    applying patches to Solaris 958
    area authentication, IS-IS configuration 342
    areas
      configuring on OSPF networks 290–292
      NSSA, configuring on OSPF networks 292
    assigning
      dialer lists to interface 145
      IP address to PIX Firewall 817–818
      IS-IS to an interface 325–327
      privilege levels to Cisco IOS user accounts 447–448
    ATM (asynchronous transfer mode)
      cell headers 183–184
      multiprotocol encapsulation over AAL5, configuring 185–191
      RFC 2225 implementation
        classical IP with PVC 192–193
        classical IP with SVCs 193–194
        configuring 191–193
    attacks 436
      DoS
        preventing with CAR 879–880
        preventing with RPF 880, 886
      IP spoofing 831
    audit trails 428
    auditing, enabling in Windows 976
    authentication 428
      AH 634
      EIGRP routing updates 263–264
      IKE phase 1 641–642
      IKE phase 2 642–643
      IS-IS
        configuring 340–345
        troubleshooting 345
      PPP authentication, ISDN configuration 161–164
      PPP multilink, ISDN configuration 165–166
      RIP 216–218
      unidirectional PPP authentication, ISDN configuration 164
    authentication proxy on TACACS+ 610–615
      configuring 615–617
    authorization 429
    Auto Update support, configuring on PIX Firewall 6.2 852–853
    automatic metric translations 398
    autonomous systems 351
      confederations, configuring 372–377
      configuring BGP through a firewall with prepend 386–393
      private, configuring 377–385
      single-homed, configuring 354–363
      transit, configuring 363–372
    autosense feature (LMI) 95
    availability 428

    B

    B channel 134
    backup interfaces, ISDN configuration 158–159
    banners (motd), changing 965
    basic ACLs 480
      extended IP ACLs, configuring 481
      named extended ACLs, configuring 482
      named MAC extended ACLs, configuring 482
      named standard ACLs, configuring 482


      numbered standard IP ACLs, configuring 481
    basic OSPF configuration, case study 279–281
      administrative distance 300–301
      area configuration 290–292
      blocking LSA flooding 304–305
      configuring interface parameters 282–283
      creating virtual links 295–297
      demand circuits 302
      DNS lookup 298
      generating default routes 298
      ignoring MOSPF LSAs 305
      logging neighbor adjacency changes 303
      loopback interfaces 298
      nonbroadcast network configuration 288–289
      NSSA configuration 292
      point-to-multipoint broadcast configuration 287–288
      point-to-multipoint nonbroadcast 284–285
      route calculation timers 301
      route summarization 294–295
      simplex interfaces 301
      VLSM support 285
    Bc (committed burst) 96
    Be (excess burst) 96
    BECN (backward explicit congestion notification) 97
    BGP (Border Gateway Protocol) 352
      autonomous systems 351
      configuring 353
      configuring through a firewall with AS prepend 386–393
      path determination 352
      updates 353
    bgp log-neighbor changes command 357
    bidirectional end-to-end keepalives 101
    Bidirectional NAT, configuring on PIX Firewall 6.2 846–847
    bits 97
    black hats 432
    blocking
      LSA flooding 304–305
      LSP flooding on interfaces 335
      RIP updates on interfaces 207
    BOOTP server, disabling 453
    break sequences, simulating 1013
    BRI (basic rate interface) 134
      PPP, configuring 160–161
    broadcast queues, configuring on Frame Relay 119
    buffer overflow 963

    C

    C2 security policy, Windows compliance 969
    calculating
      EIGRP composite metric 247
      Frame Relay MaxR 97
    call setup and teardown, ISDN 138
    CAR (committed access rate)
      configuring 882–883
      policies, configuring 884–885
      preventing DoS attacks 879–880
    CAs (certificate authorities) 639, 429
      configuring 695–696
        on PIX-to-PIX VPNs 703–710
        IKE phase 1 696–703
    Catalyst 3550 switches 467
      802.1Q tunneling 881
      port blocking, configuring 468
      port security, configuring 469–470
      port-based traffic control, verifying 470–472
      protected ports, configuring 468
      storm control, configuring 467
      unsupported IOS ACL-related features 518
    CatOS 434–435
    CBAC (content-based access control)
      configuring 786–798
      configuring on two interfaces 803–805
      debugging 798–799
      disabling 802
      DoS attack detection error messages 800
      FTP error messages 801
      functionality 784–785
      intrusion detection 783
      Java-blocking error messages 801
      limitations of 783–784
      PAM 806–808
        configuring 808–810
      SMTP attack detection error messages 800–801
      syslog messages, interpreting 799
      traffic filtering 781–782
      traffic inspection 782
      with IPSec 791
    CC (Common Criteria) certification, Windows 2000 969


    CCIE exam 5–6
      developing good study habits 15–18
      lab exam 9–10
      lab experience versus real-world experience 18–19
      preparing for 13–14
      topics covered 6–9
    CDP, disabling 452
    CEF (Cisco Express Forwarding), enabling 886
    cell headers, ATM 183–184
    certifications, CCIE Security exam 5, 6
      lab exam 9–10
      topics covered 6–9
    CHAP (Challenge Handshake Authentication Protocol) 161
    cipher 429
    CIR (committed information rate) 96
    Cisco IDS 859–860
      configuring 867–870
      sensors, password recovery 1008–1009
    Cisco IOS Firewall
      firewalls, creating 776
      PAM 806–808
        configuring 808–810
    Cisco IOS Software 433
      access lists 443
      FTP administration 449
      HTTP administration 442
      limiting connection time 445
      MNLB Forwarding Agent, configuring 535–537
      NTP 441
        configuring 458–463
      password management 442
        assigning privileges 447–448
        creating user accounts 446–447
        enable password 442
        line passwords 443
        privilege levels 442
      remote access, configuring 446
      services
        BOOTP server 453
        CDP 452
        finger server 453
        ICMP messaging 454–455
        IP source routing 454
        IP-directed broadcast 454
        NTP 453
        Proxy ARP 453
        router name and DNS resolution 451
        TCP and UDP small servers 452
        verifying deactivation 455–456
      software configuration register, password recovery 995–1003
      SSH 443
        configuring 464–466
      TCP intercept
        configuring 776–781
      Telnet addresses, hiding 449
      user accounts, verifying with AAA 449–451
      vtys, configuring 445–446
    Cisco PIX Firewalls 860–861
      ACLs, configuring 824–826
      ActiveX objects, filtering 827
      application inspection, configuring 835–836
      Auto Update support, configuring 852–853
      Bidirectional NAT, configuring 846–847
      Configurable Proxy Pinging 834
      configuring 815, 870–874
      DHCP server configuration 844–846
      Flood Guard 832
      idle timers, configuring 836–837
      IDS signatures 861–867
        configuring 842–844
      inbound connections, resetting 832–833
      interface MTU, configuring 816–817
      IP address, configuring 817–818
      IP spoofing attacks, preventing 831–832
      Java applets, filtering 828
      logging, configuring 838–840
      NAT, configuring 818–819
      NTP, configuring 851
      options, configuring 837–838
      password recovery 1010–1011
      security levels 813
        configuring 815
      SMR, configuring 847–850
      SNMP functions, configuring 841–842
      static NAT, configuring 820–822
      static routes, configuring 822–823
      TurboACL, configuring 850
      URLs, filtering 828–831
      xlates 814
    classful routing protocols 398
    classical IP, implementing
      with PVCs 192–193
      with SVCs 193–194
    clearing IP accounting database 557


    combining share permissions and NTFS permissions 980
    commands
      access-list 756
      bgp log-neighbor changes 357
      debug dialer events 174
      debug frame-relay lmi 125–126
      debug isdn events 174–175
      debug isdn q931 177–178
      debug ppp authentication 176–177
      debug ppp multilink 175–176
      debug vtemplate 760
      service resetinbound 833
      show dialer 172–173
      show frame-relay map 125
      show frame-relay pvc 123–125
      show interfaces bri 0/0 169–171
      show ip accounting 548
      show ip nhrp 745
      show isdn active 173
      show isdn status 171–172
      show ppp multilink 173
      show route 823
      show vpdn tunnel 760
      sysopt connection 837
      username password 756
      virtual template 764
      vpdn-template 769
    commenting out network services 959–960
    conditions 545
    confederations, BGP configuration 372–377
    confidentiality 428–429
    config-register command, password recovery 999–1002
    Configurable Proxy Pinging 834
    configuration files, renaming 1003–1004
    configuring
      AAA 448–449, 569–581
        on PIX Firewall 581–593
      ACLs 498–501
        logging 494–495, 511–512
        time range function 483–484
      advanced security features, practice lab 926–931
      advanced VPNs 718–719
        EIGRP 720–724
        GRE tunnels 720
        loopback interfaces 720
      ATM
        multiprotocol encapsulation over AAL5 185–191
        RFC 2225 191–194
      authentication proxy 615–617
      basic security, practice lab 917–920
      BGP 353
        confederations 372–377
        private autonomous systems 377–385
        single-homed autonomous systems 354–363
        through a firewall with AS prepend 386–393
        transit autonomous systems 363–372
      CAs 695–696
      Catalyst 3550 switches
        port blocking 468
        port security 469–470
        protected ports 468
        storm control 467
      CBAC 786–798
        on two interfaces 803–805
      Cisco IDS 867–870
      Cisco PIX Firewall 815, 870–874
        ACLs 824–826
        ActiveX object filters 827
        as DHCP server 844–846
        Flood Guard 832
        idle timers 836–837
        IDS signatures 842–844
        interface MTU 816–817
        IP address 817–818
        IP spoofing prevention 831–832
        Java applet filters 828
        logging 838–840
        NAT 818–819
        options 837–838
        resetting inbound connections 832–833
        security levels 815
        SNMP functions 841–842
        static NAT 820–822
        static routes 822–823
        URL filters 828–831
      Cisco PIX Firewall 6.2
        Auto Update support 852–853
        Bidirectional NAT 846–847
        NTP 851
        SMR 847–850


        TurboACL 850
      DDR 144
        assigning dialer-list to interface 145
        dialer profiles 147–149
        legacy DDR 146–147
        specifying interesting traffic 144
      dial backup, practice lab 915–917
      DMVPN 732–735
        IPSec profiles 735–736
        on hub router 736–738
        on spokes 739–740
        verifying configuration 741–745
      DRP Server Agent 540–541
      EIGRP 241–243, 253
        default routing 259–261
        distribute lists 261–262
        manual route summarization 258–259
        over GRE tunnels 266–269
        route authentication 263–264
        stub routing 264–265
        WAN connections 254–255
      extended ACLs 481
      Frame Relay 102
        address mapping 105–108
        broadcast queues 119
        encapsulation 103–105
        LMI 108–109
        SVCs 109–113
        TCP/IP header compression 121–122
        traffic shaping 114–119
      Frame Relay switch, practice lab 904–905
      HSRP 541, 542–547
      HTTP servers 456–457
      ICMP redirects 539
      IOS-to-IOS VPNs with IKE phase 1 using CA 696–703
      IP accounting 548
      IPSec VPNs 724, 725, 726, 727
        between two IOS routers 644–662
        between two PIX firewalls 671–693
        verifying configuration 728–732
      ISDN 142
        backup interfaces 158–159
        encapsulation 160
        floating static routes 152–154
        interfaces 158
        ISDN callback 166–168
        OSPF demand circuits 155–157
        passive interfaces 151–152
        PPP authentication 161–164
        PPP multilink 165–166
        SPIDs 143–144
        static routing 149–151
        switch type 142–143
        unidirectional PPP authentication 164
      IS-IS
        authentication 340–345
        default routes 337
        hello timer 339
        IP 322–327
        retransmission interval 339
        route redistribution 337–338
      ISP services
        rate limiting 882–885
        RPF 886
      L2VPN
        on router 887
        on switches 889–890
        trunk ports 890–891
        verifying configuration 891–894
      lock-and-key ACLs 484–487, 506–507
      MAC address accounting 530
      mesh groups 336
      named extended ACLs 482
      named extended IP ACLs 503
      named MAC extended ACLs 482, 512–513
      named standard ACLs 482
      named standard IP ACLs 503
      NAT 549–550, 554–555
        dynamic translation 550–551
        overlapping addresses 552–553
        overloading 551
        TCP load distribution 553–554
      NTP 458–459, 460–463
      numbered extended IP ACLs 502–503
      numbered standard IP ACLs 502
      OSPF 278–281
        ABR Type 3 LSA filtering 310–311
        ABR Type 3 LSAs 310–311
        administrative distance 300–301
        areas 290–292
        default routes 298
        DNS lookup 298
        external route summarization 308
        GRE tunnels 312–314
        inter-area route summarization 306–308


        interface parameters 282–283
        loopback interfaces 298
        LSA flood blocking 304–305
        nonbroadcast networks 288–289
        NSSAs 292
        on simplex interfaces 301
        over demand circuits 302
        point-to-multipoint broadcast 287–288
        point-to-multipoint nonbroadcast 284–285
        route calculation timers 301
        route summarization 294–295, 306
        virtual links 295–297
        VLSM support 285
      PAM 808–810
      passwords 444
      PIX Firewall, remote-access VPNs 593–608
      PIX2, PPTP 766–768
      PIX-to-PIX VPNs with IKE phase 1 using CA 703–710
      port ACLs 490
        VLAN maps 491
      PPP 160–161
      precedence accounting 531
      redistribution 399–401
        between directly connected networks 413–415
        between EIGRP and IGRP autonomous systems 409–412
        between EIGRP autonomous systems 408–409
        between OSPF and RIPv1 407–408
        between static routes into EIGRP 412–413
        into OSPF 402
        NSSAs into BGP 405–407
        OSPF into BGP 402–405
        practice lab 915–917
      reflexive ACLs 488–489, 507–511
      remote access on Cisco IOS Software 446
      remote FTP administration 449
      RIP 203
        advanced techniques 233–235
        authentication 216–218
        blocking RIP updates on interfaces 207
        default route advertisement 209
        initial setup 204–206
        over router to PIX 5.2 connection 221–225
        over router to PIX 6.2 connection with authentication 225–231
        route filtering 208
        route summarization 212–215
        specifying version 210–211
        troubleshooting 218–220
      router ACLs 490
      SSH 464–466
      standard ACLs 481
      TACACS+
        PPP callback 621–627
        privilege levels 617–621
      TCP intercept 776–781
      TCP performance parameters 531
        connection attempt time 533
        header compression 532
        maximum read size 534
        maximum window 535
        Path MTU Discovery 533
        selective acknowledgment 534
        time stamps 534
      VPDNs 752
        default group template 768–769
        TACACS+ 761–765
        with local AAA 752–761
      vtys 445–446
    confreg command, password recovery 999–1002
    congestion control mechanisms, Frame Relay 96–97
      DE 98
      DLCI priority levels 98
      end-to-end keepalives 100–101
      error checking 99
      ForeSight 99–100
      notification methods 100
    connected networks, redistribution into OSPF 402
    connection time (Cisco IOS), limiting 445
    controlling EIGRP routes 261–262
    CPE (customer premises equipment) 134–135
    creating
      Cisco IOS user accounts 446–447
      customized firewalls 776
      VLAN map entries 513
    creating baseline security level in Windows operating systems 972–975
    crypto access lists 477
      functions of 477
      implementing 478–479
    cryptography 429


    D

    D channel 134
    DAC (Discretionary Access Control) 969
    data link layer (OSI), ISDN operation 137
    DCEs (data circuit-terminating equipment) 85
    DDR (Dial On-Demand Routing) 141
      configuring 144
      dialer lists 141
        assigning to interface 145
      dialer profiles, configuring 146–149
      interesting traffic, configuring 144
      legacy DDR, configuring 142, 146–147
    DE (discard eligibility) bit 96–98
    debug dialer events command 174
    debug frame-relay lmi command 125–126
    debug isdn events command 174–175
    debug isdn q931 command 177–178
    debug ppp authentication command 176–177
    debug ppp multilink command 175–176
    debug vtemplate command 760
    debugging
      CBAC 798–799
      EIGRP in production environment 271
      IS-IS 346–348
    decision process, IS-IS state machine 331
    default group templates, VPDN configuration 768–769
    default routes 203
      advertising 209
      configuring 337
      EIGRP 259–261
      generating on OSPF networks 298
    default umask setting, modifying 964
    defining ACLs 495
      ACE entry order 496
      implicit deny statement 495
    deleting VLAN map entries 514
    DES (Data Encryption Standard) 429, 636
    desktop operating systems, Windows 969
    devices
      CPE 134, 135
      Frame Relay
        DTEs 85
        FRADs, handshake sequence 92
      required equipment for home-based study labs 24–25
      resetting for password recovery 1005–1006
    DH (Diffie-Hellman) 429, 638
    DHCP servers, configuring on PIX Firewall 844–846
    dial backup practice lab 915–917
    dialer lists 141
      assigning to interface 145
      dialer-group-number 145
    dialer maps, configuring legacy DDR 146
    dialer profiles, configuring 146–149
    dialer-group-number 145
    dialup, VPDNs 749–751
      configuring 752–765
      default group templates, configuring 768–769
    digital certificates 430, 639
    digital channels (ISDN) 134
    digital signatures 430
    directly connected networks, redistribution between 413–415
    DIS (Designated IS) 327
      election process 331–332
    disabling
      CBAC 802
      EIGRP route summarization 256–258
      EIGRP split horizon 269
      IDENT services 832–833
      routing on Solaris systems 965
      services
        BOOTP server 453
        CDP 452
        finger server 453
        ICMP messaging 454–455
        IP source routing 454
        IP-directed broadcast 454
        NTP 453
        Proxy ARP 453
        router name and DNS resolution 451
        TCP and UDP small servers 452
      startup scripts 961
      Stop-A abort sequence 965
    displaying
      ACL information 514–515
        resource usage 515
      active accounting database 548
      EIGRP topology table information 248–249
      IP statistics 556–557
      OSPF routing process information 315
      OSPF statistics 315–316


      OSPF update packet pacing 317
    distribute lists, controlling EIGRP routes 261–262
    DLCI (Data-Link Connection Identifier) 84
      priority levels 98
    DMVPNs 716–718
      configuring 732–735
        IPSec profiles 735–736
        on hub router 736–738
        on spokes 739–740
      verifying configuration 741–745
    DNS lookup, configuring on OSPF networks 298
    domain authentication, IS-IS configuration 343–344
    “don't care” masks 481
    DoS attacks 436
      half-open sessions 788
      preventing
        with CAR 879–885
        with RPF 880, 886
    DRP (Director Response Protocol) Server Agents 527
      configuring 540–541
    DTEs (data terminal equipment) 85
    DUAL 240, 251–252
    Dynamic NHRP 717
    dynamic PVCs, configuring 189–190
    dynamic routing
      ISDN 152–154
      over IPSec VPNs 718–724
        configuring IPSec parameters 724–727
        verifying configuration 728–732

    E

    EBGP (external BGP) 352
    EEPROM, passwords 966
    egress filtering 831
    EIGRP (Enhanced IGRP) 240
      composite metric, calculating 247
      configuring 241–243, 253, 720–724
      controlling routes 261–262
      default routing, configuring 259–261
      DUAL 251–252
      feasible successors 250
      features 240
      IGRP interoperability 251
      manual route summarization, configuring 258–259
      neighbor table 244–246
        adjacencies, logging 255
      “not on common subnet” error message 245
      over GRE tunnels, configuring 266–269
      packet format 243
      redistribution
        between autonomous systems 408–409
        into IGRP autonomous system 409–412
        into static routes 412–413
      route authentication, configuring 263–264
      route states 250
      route summarization, disabling 256–258
      route tagging 251
      split horizon, disabling 269
      stub routing, configuring 264–265
      topology table 246–247
        displaying information 248–249
      troubleshooting 270–272
      WAN connections, configuring 254–255
    election process of DIS 331–332
    enable password 442
    enabling
      logging 962
      OSPF 280–281
    encapsulation
      configuring on Frame Relay 103–105
      ISDN options 160
    encryption
      AES 637
      DH 638
      RSA 639
    end-to-end keepalives 100–101
    enhanced distance vector protocols, BGP 352
      configuring 353
      path determination 352
      updates 353
    entry order (ACEs) 496
    equipment list for routing practice lab 911
    error checking, CRC 99
    error codes, ISDN 983–992
    ESP (Encapsulating Security Payload) 430, 635–636
    Ethernet, simplex interfaces 527
    event logs, enabling in Windows 976
    event window 100
    exacting 643
    exploits, buffer overflow 963


    extended ACLs
      configuring 481
      named MAC extended, configuring 512–513
    extensions for LMI 92
    external route tags, EIGRP 251
    external routes
      OSPF 278
      summarization, configuring 308
    extranet VPNs 435

    F

    FAT 977
    FAT32 977
    feasible successors (EIGRP) 250
    features of EIGRP 240
    FECN (forward explicit congestion notification) 97
    fields
      of EIGRP neighbor table 245
      of Frame Relay frames 84
      of Frame Relay LMI frames 92–93
    file and directory auditing, enabling in Windows 976
    file systems
      FAT 977
      FAT32 977
      NTFS 977–978
        permissions 978–980
        share-level security 980
    files, world-writeable 966
    filtering
      ActiveX objects 827
      Java applets 828
      OSPF ABR Type 3 LSA filtering, verifying 316
      OSPF ABR Type 3 LSAs 310–311
      routing information 416–421
      to OSPF neighbors, configuring 311
      URLs 828–831
    finger server, disabling 453
    firewalls
      Cisco PIX Firewall IDS 860–861
        configuring 870–874
        signatures 861–867
      creating with Cisco IOS Firewall feature set 776
      PIX Firewall
        application inspection 835–836
        Auto Update support 852–853
        Bidirectional NAT 846–847
        Configurable Proxy Pinging 834
        configuring 815–826
        DHCP server configuration 844–846
        filtering ActiveX objects 827
        filtering Java Applets 828
        filtering URLs 828–831
        Flood Guard 832
        idle timers 836–837
        IDS signatures, configuring 842–844
        IP spoofing attacks, preventing 831–832
        logging, configuring 838–840
        NTP 851
        options, configuring 837–838
        resetting inbound connections 832–833
        security levels 813
        SMR 847–850
        SNMP, configuring 841–842
        TurboACL 850
        xlates 814
    fixup, configuring on PIX Firewall 835–836
    flapping routes, resolving 157
    floating static routes, ISDN 152–154
    Flood Guard 832
    flooding 328
      blocking on IS-IS interfaces 335
      mesh groups, configuring 336
    ForeSight 99–100
    format
      of EIGRP packets 243
      of NSAP addresses 333–334
      of practice labs 901–902
    forward process, IS-IS state machine 331
    FRADs, handshake sequence 92
    fragmentation, IP Path MTU Discovery 525
    Frame Relay
      address mapping 105–108
      broadcast queues, configuring 119
      configuring 102
      congestion control mechanisms 96–97
        DE 98
        DLCI priority levels 98
        end-to-end keepalives 100–101
        error checking 99
        ForeSight 99–100
        notification methods 100
      connectivity, troubleshooting 122–126
      DCEs 85
      DTEs 85


      encapsulation, configuring 103–105
      frame fields 84
      fully meshed topologies 87
      LMI 91
        autosense feature 95
        configuring 108–109
        frame format 92–93
        timers 94–95
      NNI 95–96
      partially meshed topologies 87
        subinterfaces 88–89
      PVCs 91
      signaling 91–92
      star topologies 86
      SVCs 90
        configuring 109–113
      TCP/IP header compression 121–122
      traffic shaping, configuring 114–119
    FTP (file transfer protocol)
      remote administration 449
      services 960
    fully meshed topologies, Frame Relay 87
    functional groups 134–135
      reference points 135
    functionality
      of CBAC 784–785
      of IPSec 640

    G

    gray hats 432
    GRE (generic routing encapsulation) 716
      configuring between OSPF and non-IP networks 312–314
      implementing on EIGRP 266–269
      tunnels, configuring 720
    group pacing 303–304

    H

    half-open sessions 788
    handshake sequence on FRADs 92
    hello interval (IS-IS), configuring 339
    hello packets, EIGRP 243
    Hfnetchk 971
    hiding Telnet addresses 449
    HMAC (Hash-based Message Authentication Code) 430
    home-based study labs 22
      planning 23–25
    hop count 202
    hot fixes, Windows resources 971
    HSRP (Hot Standby Router Protocol) 527
      and ICMP redirects 528–530
      configuring 541–547
      verifying support for MPLS VPNs 556
    HTTP administration 442
      server configuration 456–457
    Hybrid CatOS 434

    I

    IBGP (interior BGP) 352
    ICMP (Internet Control Message Protocol)
      disabling 454–455
      mask reply messages 525
      redirects 524
        and HSRP 528–530
        configuring 539
      unreachables 524
    IDENT services, disabling 832–833
    idle timers, configuring on PIX Firewall 836–837
    IDSs (intrusion detection systems) 436
      signatures 842
        configuring on PIX Firewall 842, 843, 844
    IEEE 802.1Q tunneling 881
    ignoring MOSPF LSAs 305
    IGRP (Interior Gateway Routing Protocol), EIGRP interoperability 251
    IIS Lockdown Wizard 971
    IIS logs, enabling in Windows 976
    IKE (Internet Key Exchange) 430, 637, 638
      aggressive mode 642
      phase 1 using CA
        configuring on IOS-to-IOS VPNs 696–703
        configuring on PIX-to-PIX VPNs 703–710
      phase 2 642–643
    implementing
      access lists 478–479
      advanced VPNs
        DMVPNs 716–718
        GREs 716


        IPSec VPNs 715
      GRE tunnels on EIGRP 266–269
      NAT 538
      physical security 967
      time range function on ACLs 504–506
    implicit deny statement (ACEs) 495
    inbound connections, resetting through Cisco PIX Firewall 832–833
    information 742
    information security policies 430
    ingress filtering 831
    inside address, identifying on Cisco PIX Firewall with NAT 818
    installing
      Solaris 958
      Windows 970
    integrity 427, 430
    inter-area route summarization, configuring 306–308
    interesting traffic 141
      defining 641
      dialer lists 141
      specifying for DDR configuration 144
    interfaces
      Cisco PIX Firewall, security levels 813
      ISDN configuration 158
    internal OSPF routing table entries, displaying 315
    interoperability of EIGRP and IGRP 251
    interpreting CBAC syslog messages 799
    intranet VPNs 435
    intrusion detection
      CBAC 783
      Cisco IDS, configuring 867–870
      Cisco IOS software IDS 859–860
      Cisco PIX Firewall IDS 860–861
        configuring 870–874
        signatures 861–867
    IOS. See Cisco IOS Software
    IOS-to-IOS VPNs, IKE phase 1 using CA 696–703
    IP, IS-IS configuration 322, 324
      interface assignment 325–327
      levels 324–325
    IP accounting
      clearing database 557
      configuring 548
      MAC accounting 530
      precedence accounting 531
    IP addresses, configuring on PIX Firewall interfaces 817–818
    IP Path MTU Discovery 525
    IP source routing 526
      disabling 454
    IP spoofing attacks 831
    IP-directed broadcast, disabling 454
    IPSec 431
      3DES 636
      AES 637
      AH 634
      CAs, configuring 695–696
      defining interesting traffic 641
      DES 636
      DH 638
      encrypted tunnels 643
      ESP 635, 636
      functionality 640
      IKE 637, 638
      IKE phase 1 641–642
      IKE phase 2 642–643
      MD5 638
      preshared keys 638
      RSA signatures 638
      SHA-1 638
      transport mode 640
      tunnel mode 640
      tunnel termination 643
      VPNs 718–724
        configuring between IOS routers 644–662, 696–703
        configuring between two PIX firewalls 671–693, 703–710
        DMVPNs 716–718
        GREs 716
        implementing 715
        parameters, configuring 724–727
        PIX-to-PIX, troubleshooting 687–695
        troubleshooting 662–670
        verifying configuration 728–732
      with CBAC 791
    ISDN
      backup interface configuration 158–159
      call stages 138
      configuring 142
      CPE 134–135
      data link layer 137
      DDR, configuring 144–149


      digital channels 134
      encapsulation options 160
      error codes 983–992
      interface configuration 158
      ISDN callback, configuring 166–168
      network layer 138
      physical layer 136
      PPP 139
        authentication 161–164
        configuring 160–161
        LCP 139–140
        NCP 140
        PPP multilink 165–166
      reference points 135
      routing
        floating static routes 152–154
        OSPF demand circuits 155–157
        passive interface 151–152
        static routes 149–151
      SPIDs, configuring 143–144
      standards support 133–134
      switch type, configuring 142–143
      troubleshooting 169–177
    IS-IS
      addressing 333
        NSAP format 333–334
        requirements 334–335
      authentication
        configuring 340–345
        troubleshooting 345
      debugging 346, 348
      default routes, configuring 337
      DIS 327
      hello timer, adjusting 339
      IP configuration 322–324
        interface assignment 325–327
        levels 324–325
      LSPs 328–330
        blocking flooding on interfaces 335
        mesh groups, configuring 336
      monitoring 346
      PSNs 331–332
      retransmission interval, adjusting 339
      route redistribution, configuring 337–338
      state machine 330–331
    ISOs (information security officers) 432
    ISP services
      rate limiting 882–885
      RPF 886

    J

    Java applets, filtering 828
    jumper settings
      changing with software 1007–1008
      manually shorting 1006

    K-L

    keepalives, event window 100
    L2 tunneling protocols, PPTP 751
    L2F (Layer 2 Forwarding) 749
    L2TP (Layer 2 Tunneling Protocol), LNS 749
    L2VPNs
      802.1Q 881
      configuring 887–891
      verifying configuration 891–894
    LAN storms 467
    LAPD (Link Access Procedure on the D channel) 137
    Layer 2 protocol tunneling 881
    Layer 4, matching rules for IP ACLs 493
    LCP (Link Control Protocol) 139–140
    legacy DDR 142
      configuring 146–147
    levels, configuring for IS-IS 324, 325
    limitations
      of ACL size 517–518
      of CBAC 783–784
    limiting Cisco IOS connection time 445
    line passwords, Cisco IOS password management 443
    link flapping, resolving 157
    link-state protocols
      IS-IS
        addressing 333–335
        authentication 340–345
        debugging 346–348
        default routes, configuring 337
        DIS 327
        hello timer, adjusting 339
        IP configuration 322–327
        LSPs 328–330, 335–336


    monitoring 346PSNs 331–332retransmission interval, adjusting 339route redistribution, configuring 337–338state machine 330–331

    OSPFadministrative distance, configuring

    300–301areas, configuring 290–292blocking LSA flooding 304–305configuring 278–281configuring on simplex interfaces 301creating virtual links 295–297default route generation 298demand circuits 302DNS lookup 298ignoring MOSPF LSAs 305interface parameters, configuring 282–283logging neighbor adjacency changes 303loopback interfaces 298nonbroadcast configuration 288–289NSSA configuration 292point-to-multipoint broadcast

    configuration 287–288point-to-multipoint nonbroadcast

    configuration 284–285route calculation timers 301route summarization 294–295, 306–308VLSM support 285

LMI (Local Management Interface) 91–92
    autosense feature 95
    configuring on Frame Relay 108–109
    frame format 92–93
    timers 94–95
LNS (L2TP network server) 749
lock-and-key ACLs
    configuring 484–487, 506–507
    source-address spoofing 485
locking user accounts 965
logging
    ACLs 494–495, 511–512
    configuring on PIX Firewall 838–840
    EIGRP neighbor adjacency changes 255
    enabling 962
        on Windows 976
    OSPF neighbor adjacency changes 303
loopback interfaces, configuring 720
    on OSPF networks 298
lost passwords, recovering 995–1008
LSAs
    flood blocking 304–305
    group pacing, configuring 303–304
    OSPF
        ABR Type 3, configuring 311
        type codes 278
    packet pacing, displaying 317
LSPs 328–330
    blocking flooding on interfaces 335
    flooding 328
    mesh groups 336

M

MAC address accounting 530
manual route summarization, EIGRP configuration 258–259
manually shorting jumper settings 1006
mask reply messages (ICMP) 525
masquerading 431
master lab 933
    prestaging 934–940
    timed portion 942–951
    versus CCIE Security Lab exam 902–903
matching rules for testing Layer 4 information on IP ACLs 493
MaxR, calculating 97
MBSA (Microsoft Baseline Security Analyzer) 971
MD5 (Message Digest 5) 431, 638
mesh groups, configuring 336
messages (ICMP)
    mask reply 525
    redirects 524
    unreachables 524
metrics 397
    EIGRP composite metric, calculating 247
    RIP 202
MLP (Multilink PPP), configuring 165–166
MNLB (MultiNode Load Balancing) Forwarding Agent
    configuring 535–537
    monitoring 558
modifying
    default umask setting 964
    motd file 965
monitoring
    ISDN 169–177
    IS-IS 346
    MNLB Forwarding Agent 558
    NAT 559
    PVCs 190–191
motd file, modifying 965
MPLS VPNs, verifying HSRP support 556
MTU packet size
    adjusting 526
    configuring on PIX Firewall interfaces 816–817
multihomed autonomous systems 351
multipoint subinterfaces 89
multiprotocol encapsulation over AAL5, ATM configuration 185–191

N

named extended ACLs
    configuring 482
    time range function 483–484
named extended IP ACLs, creating 503
named MAC extended ACLs, configuring 482, 512–513
named standard ACLs, configuring 482
named standard IP ACLs, creating 503
NAS (network access server) 749
NAT (Network Address Translation) 537
    Cisco PIX Firewall configuration 818–819
    configuring 549–555
    dynamic translation, configuring 550–551
    implementing 538
    monitoring 559
    overlapping addresses, configuring 552–553
    overloading, configuring 551
    TCP load distribution, configuring 553–554
Native CatOS 434
NCP (Network Control Protocol) 139–140
NCSC (National Computer Security Center) C2 rating, Windows compliance 969
neighbor adjacency changes, logging
    EIGRP 255
    OSPF 303
neighbor table (EIGRP) 244–246
    logging neighbor adjacency changes 255
NETs (network entity titles) 323
network layer (OSI), ISDN operation 138
network services
    FTP 960
    NFS 961
    rlogin 960
    RPC 961
    stopping 959–960
NFS services 961
NHRP 717
NNI (Network-to-Network Interface) 95
    cell headers 183–184
nonbroadcast OSPF configuration 288–290
nonrepudiation 431
“not on common subnet” error message 245
notification methods for Frame Relay congestion control 100
NSAP (network service access point) addresses 333
    format 333–334
NSSAs (not-so-stubby areas)
    OSPF configuration 292
    redistribution into BGP 405–407
NT1 (Network Termination 1) 135
NT2 (Network Termination 2) 135
NTFS 977–978
    permissions 978–980
    share-level security 980
NTP (Network Time Protocol) 441
    configuring 458–463
    configuring on PIX Firewall 6.2 851
    disabling 453
numbered extended ACLs, time range function 483–484
numbered extended IP ACLs, creating 502–503
numbered standard ACLs, configuring 481
numbered standard IP ACLs, creating 502

O

o/r command, password recovery 1002–1003
obtaining equipment for home-based labs 24–25
on-demand circuits, OSPF configuration 302
options, configuring on PIX Firewall 837–838
OSI (Open Systems Interconnection) model, ISDN operation
    data link layer 137
    network layer 138
    physical layer 136
OSPF (Open Shortest Path First)
    ABR Type 3 filtering, configuring 310–311
    administrative distance, configuring 300–301
    areas, configuring 290–292
    configuring 278–281
    default routes, generating 298
    demand circuits, ISDN configuration 155–157
    DNS lookup, configuring 298
    external routes 278
    GRE, configuring for non-IP traffic 312–314
    interface parameters, configuring 282–283
    loopback interfaces, configuring 298
    LSA flood blocking, configuring 304–305
    LSAs
        group pacing 303–304
        type codes 278
    MOSPF LSAs, ignoring 305
    neighbor adjacency changes, logging 303
    nonbroadcast networks, configuring 288–289
    NSSAs
        configuring 292
        redistribution into BGP 405–407
    over demand circuits, configuring 302
    point-to-multipoint broadcast, configuring 287–288
    point-to-multipoint nonbroadcast, configuring 284–285
    redistribution
        into BGP 402–405
        into RIPv1 407–408
    route calculation timers, configuring 301
    route summarization 306
        configuring 294–295
        external 308
        inter-area 306–308
    routing processes, displaying information 315
    simplex interfaces, configuring 301
    statistics, displaying 315–316
    virtual links, creating 295–297
    VLSM support, configuring 285

P

PAC (PPTP access concentrator) 751
packet filtering
    ACLs 477, 480–483
        ACE entry order 496
        ACEs 477
        applying to interfaces 496–497, 501
        configuring 498
        crypto 477
        defining criteria 498–500
        displaying information 514–515
        extended ACLs 481
        implementing 478–479
        implicit deny statement 495
        lock-and-key 484–487, 506–507
        logging 494–495, 511–512
        named extended ACLs 482
        named MAC extended ACLs 482, 512–513
        named standard ACLs 482
        numbered standard IP ACLs 481
        port 490–491
        reflexive 488–489, 507–511
        router 490
        size limitations 517–518
        time range function 483–484
        time range function, implementing 504–506
        troubleshooting 516–517
        VLAN map entries, creating 513
    unsupported features on Catalyst 3550 switch 518
packet pacing, displaying information 317
packets
    EIGRP, format 243
    IS-IS LSPs 328–330
    LSAs, OSPF 278
    NSAPs 333
        format 333–334
PAM (Port-to-Application Mapping) 806–808
    configuring 808–810
PAP 161
partially meshed topologies, Frame Relay 87
    subinterfaces 88–89
passive routing, ISDN 151–152
passive state (EIGRP) 250
passive-reply end-to-end keepalives 101
password management (Cisco IOS) 442
    enable password 442
    line passwords 443
    privilege levels 442
password recovery 995–997
    break sequence 997–1002
    changing jumper settings with software 1007–1008
    manually shorting jumper settings 1006
    o/r command 1002–1003
    on ACS running Solaris 1011
    on Cisco IDS sensors 1008–1009
    on Cisco PIX Firewall 1010–1011
    on VPN concentrators 1012–1013
    renaming software 1003–1004
    replacing software 1005
    resetting devices 1005–1006
passwords
    configuring 444
    EEPROM, configuring 966
patches
    applying to Solaris 958
    applying to Windows 975
path determination, BGP 352
performance, TCP configuration 531–535
permissions, NTFS 978–980
physical layer (OSI), ISDN operation 136
physical security, implementing 967
PIX Firewall. See also PIX Firewall 6.2
    AAA configuration 581–593
    ACLs, configuring 824–826
    ActiveX objects, filtering 827
    application inspection, configuring 835–836
    Configurable Proxy Pinging 834
    configuring PIX-to-PIX IPSec VPNs 671–693, 815
    DHCP server configuration 844–846
    Flood Guard 832
    idle timers, configuring 836–837
    IDS signatures, configuring 842–844
    inbound connections, resetting 832–833
    interface MTU, configuring 816–817
    IP address, configuring 817–818
    IP spoofing attacks, preventing 831–832
    Java applets, filtering 828
    logging 838–840
    NAT, configuring 818–819
    options, configuring 837–838
    PPTP, configuring 766–768
    remote-access VPNs, configuring 593–608
    security levels 813–815
    SNMP functions, configuring 841–842
    static NAT, configuring 820–822
    static routes, configuring 822–823
    troubleshooting PIX-to-PIX IPSec VPNs 687–695
    URLs, filtering 828–831
    xlates 814
PIX Firewall 6.2
    Auto Update support, configuring 852–853
    Bidirectional NAT, configuring 846–847
    NTP, configuring 851
    SMR, configuring 847–850
    TurboACL, configuring 850
PIX-to-PIX VPNs, IKE phase 1 using CA 703–710
PKI (Public Key Infrastructure) 431
planning home-based labs 23–25
point-to-multipoint broadcast OSPF configuration 287–288
point-to-multipoint nonbroadcast OSPF configuration 284–285
point-to-point subinterfaces 89
port ACLs
    configuring 490
    VLAN maps, configuring 491
port blocking, configuring on Catalyst 3550 switches 468
port security, configuring on Catalyst 3550 switches 469–470
port-based traffic control, verifying on Catalyst 3550 switches 470–472
PPP (Point-to-Point Protocol) 139
    configuring 160–161
    LCP 139–140
    NCP 140
PPP authentication
    ISDN configuration 161–164
    unidirectional, ISDN configuration 164
PPP callback, configuring with TACACS+ 621–627
PPP multilink, configuring 165–166
PPTP (Point-to-Point Tunneling Protocol) 751
    configuring on PIX Firewall 766–768
practice labs
    building layer 2
        equipment list 903
        prestaging 904–909
        timed lab portion 909–911
    configuring security
        advanced features 926–931
        basic features 917–920
    dial and application security 921–925
    format 901–902
    master lab 933
        prestaging 934–940
        timed portion 942–951
    protocol redistribution and dial backup configuration 915–917
    routing 911
        timed portion 913–914
    service provider 931–932
precedence accounting 531
preparing for CCIE exam 13–14
    developing good study habits 15–18
    lab experience versus real-world experience 18–19
preparing for lab exam
    home-based study labs 22
        planning 23–25
    remote study labs 23
    work-based study labs 22
preshared keys 638
prestaging (practice labs), building layer 2 905–909
preventing IP spoofing attacks 831–832
PRI (primary rate interface) 134
priority classes of CAR 879
private autonomous systems
    BGP configuration 377–385
    numbering 351
private IP addressing, NAT 537–538
    configuring 549–555
    monitoring 559
privilege levels
    assigning to Cisco IOS user accounts 447–448
    Cisco IOS password management 442
    configuring on TACACS+ 617–621
protected ports, configuring on Catalyst 3550 switches 468
Proxy ARP, disabling 453
PSNs (pseudonodes) 331–332
public-key encryption 638
PVCs 91
    dynamic, configuring 189–190
    static, configuring 186–189
    troubleshooting 190–191

Q-R

Q series protocols (ISDN) 134
query packets, EIGRP 243
RA (registration authority) 431
RADIUS
    AAA configuration 569–581
    packet encryption 568
    router management 568
    versus TACACS+ 567
rate limiting
    CAR 879–885
    configuring 882
receive process, IS-IS state machine 330
reconnaissance attacks 436
recovering passwords 995–997
    break sequence 997–1002
    changing jumper settings with software 1007–1008
    manually shorting jumper settings 1006
    o/r command 1002–1003
    on ACS running Solaris 1011
    on Cisco IDS sensors 1008–1009
    on Cisco PIX Firewall 1010–1011
    on VPN concentrators 1012–1013
    renaming software 1003–1004
    replacing software 1005
    resetting devices 1005–1006
redirects
    and HSRP 528–530
    configuring 539
    ICMP 524
    MNLB Forwarding Agent, configuring 535–537
redistribution 399–401
    between directly connected networks 413–415
    between EIGRP and IGRP autonomous systems 409–412
    between EIGRP and static routes 412–413
    between EIGRP autonomous systems 408–409
    between OSPF and RIPv1 407–408
    connected networks into OSPF 402
    filtering routing information 416–421
    metrics 397
    OSPF into BGP
        configuring 402–405
        NSSAs into BGP 405–407
    practice lab 915–917
    troubleshooting 399
redundancy, HSRP 527
    and ICMP redirects 528–530
    configuring 541–547
reference points 135
reflexive ACLs, configuring 488–489, 507–511
reinitializing EIGRP routing process 270
remote access, configuring on Cisco IOS 446
remote FTP administration 449
remote study labs 23
remote-access VPNs 435, 633
    configuring on PIX Firewall 593–608
removing VLAN map entries 514
renaming configuration files 1003–1004
replacing software, password recovery 1005
reply end-to-end keepalives 101
reply packets, EIGRP 243
request end-to-end keepalives 101
request packets, EIGRP 243
required equipment for home-based study labs 24–25
requirements of IS-IS addressing 334–335
resetting devices, password recovery 1005–1006
resource usage for ACLs, displaying 515
retransmission interval, IS-IS 339
RFC 2225 ATM configuration 191–193
    classical IP with PVC 192–193
    classical IP with SVCs 193–194
RIB (Routing Information Base) 330
RIP (Routing Information Protocol)
    advanced configuration 233–235
    configuring 203–220
        over router to PIX 5.2 connection 221–225
        over router to PIX 6.2 connection with authentication 225–231
    redistribution into OSPF 407–408
    structure 201
        default routes 203
        metric 202
        routing updates and timers 201–202
        split horizon 202
risk assessment 431
rlogin services 960
root account, modifying 964
route authentication, EIGRP configuration 263–264
route calculation timers, OSPF configuration 301
route filtering 208
route redistribution, configuring 337–338
route states (EIGRP) 250
route summarization
    configuring on EIGRP 258–259
    configuring on OSPF networks 294–295
    disabling on EIGRP 256–258
route tagging (EIGRP) 251
router ACLs
    configuring 490
    VLAN maps, configuring 491–492
routing
    ISDN
        floating static routes 152–154
        OSPF demand circuits 155–157
        passive interfaces 151–152
        static routes 149–151
    practice lab 911
        timed portion 913–914
routing protocols
    classful 398
    classless 398
    ships in the night 321
RPC services 961
RPF (Reverse Path Forwarding)
    configuring 886
    preventing attacks
        DoS attacks 880
        IP spoofing attacks 831
RSA (Rivest, Shamir, and Adleman) 432
RSA signatures 638

S

SAs (security associations) 637
SCEP (Simple Certificate Enrollment Protocol), CA server 695
Security Notifications Bulletin 975
Security Rollup Packages 975
selective acknowledgment (TCP) 534
username password command 756
server operating systems, Windows 969
service packs, Windows resources 971
service resetinbound command 833
services
    BOOTP server 453
    CDP 452
    finger server 453
    FTP 960
    HTTP servers, configuring 456–457
    ICMP messaging 454–455
    IP source routing 454
    IP-directed broadcast 454
    NFS 961
    NTP 453
        configuring 458–463
    Proxy ARP 453
    rlogin 960
    router name and DNS resolution 451
    RPC 961
    startup scripts, disabling 961
    TCP and UDP small servers 452
    verifying deactivation 455–456
SHA-1 (Secure Hash Algorithm) 432, 638
share-level security, NTFS 980
ships in the night 321
show dialer command 172–173
show frame-relay map command 125
show frame-relay pvc command 123–125
show interfaces bri 0/0 command 169–171
show ip accounting command 548
show ip nhrp command 745
show isdn active command 173
show isdn status command 171–172
show ppp multilink command 173
show route command 823
show vpdn tunnel command 760
signaling, Frame Relay 91–92
    LMI autosense feature 95
    LMI frame format 92–93
    LMI timers 94–95
signatures 842
signatures (IDS) 861–867
simplex interfaces 527
    OSPF configuration 301
simulating break sequences 1013
single-homed autonomous systems 351
    BGP configuration 354–363
site-to-site VPNs 631–632
SMR (Stub Multicast Routing), configuring on PIX Firewall 6.2 847–850
smurf attacks 454
SNMP (Simple Network Management Protocol), configuring on PIX Firewall 841–842
software configuration register, password recovery 995–998
    config-register command 999–1002
    o/r command 1002–1003
Solaris
    applying patches 958
    default umask setting, changing 964
    disabling routing 965
    installing 958
    network services, stopping 959–960
    SSH, implementing 967
    user accounts, locking 965
source routing 526
source-address spoofing on lock-and-key ACLs 485
specifying RIP version 210–211
SPIDs (service profile identifiers), ISDN configuration 143–144
split horizon 88, 202
    disabling on EIGRP 269
split tunneling 600
SSH (Secure Shell) 443
    configuring 464–466
    implementing on Solaris systems 967
stack-based buffer overflow, preventing 963
standards, ISDN-related protocols 133–134
standby routers (HSRP) 527
star topologies, Frame Relay 86
startup scripts, disabling 961
state machine (IS-IS) 330–331
static NAT, Cisco PIX Firewall configuration 820–822
static PVCs, configuring 186–189
static routes
    Cisco PIX Firewall configuration 822–823
    ISDN 149–151
    redistribution to EIGRP interfaces 412–413
Stop-A abort sequence, disabling 965
stopping network services 959–960
storm control, configuring on Catalyst 3550 switches 467
structure of RIP 201
    default routes 203
    metric 202
    routing updates and timers 201–202
    split horizon 202
stub routing, EIGRP configuration 264–265
study labs
    home-based 22
    planning 23–25
    remote 23
    required equipment 24–25
    work-based 22
studying for CCIE exam, developing good habits 15–18
summarization
    OSPF 306
        external 308
        inter-area 306–308
    RIP routes 212–215
SVCs 90
    configuring on Frame Relay 109–113
switch type, ISDN configuration 142–143
switches
    Catalyst 3550, unsupported IOS ACL-related features 518
    CatOS 434
sysopt connection command 837

T

TA (terminal adapter) 134
TACACS+
    authentication proxy 610–615
        configuring 615–617
    packet encryption 568
    PPP callback, configuring 621–627
    privilege levels, configuring 617–621
    router management 568
    versus RADIUS 567
    VPDN configuration 761–765
TCP 814
    performance parameters, configuring 531–535
    settings, securing 964
    small servers, disabling 452
TCP intercept, configuring 776–781
TCP/IP header compression, configuring on Frame Relay 121–122
TE1 (terminal equipment 1) 134
TE2 (terminal equipment 2) 134
TEI (terminal endpoint identifier) 137
Telnet addresses, hiding 449
terminal equipment (ISDN) 134–135
time range function
    configuring on ACLs 483–484
    implementing on ACLs 504–506
timed portion (practice lab)
    configuring advanced security features 927–931
    configuring basic security 919–920
    building layer 2 909–911
    master lab 942–951
    redistribution and dial backup configuration 916–917
    routing 913–914
    service provider 932
timers
    LMI, tuning 94–95
    RIP 201–202
topics covered on CCIE Security exam 6–9
topologies, partially meshed 87
    subinterfaces 88–89
topology table, EIGRP 246–247
    displaying information 248–249
    DUAL 251–252
ToS classes, CAR rate limiting 879
traffic filtering
    ACLs 477–483
        ACE entry order 496
        ACEs 477
        applying to interfaces 496–497, 501
        configuring 498
        crypto 477
        defining 495
        defining criteria 498–500
        displaying information 514–515
        extended ACLs 481
        implementing 478–479
        implicit deny statement 495
        lock-and-key 484–487, 506–507
        logging 494–495, 511–512
        named extended ACLs 482
        named MAC extended 482, 512–513
        named standard ACLs 482
        numbered standard IP ACLs 481
        port 490–491
        reflexive 488–489, 507–511
        router 490
        size limitations 517–518
        time range function 483–484
        time range function, implementing 504–506
        troubleshooting 516–517
        unsupported features on Catalyst 3550 switch 518
        VLAN map entries, creating 513
    CBAC 781–782
traffic inspection, CBAC 782
traffic shaping, configuring on Frame Relay 114–119
transform sets 651
transit autonomous systems 351
    BGP configuration 363–372
transitivity 88
transparent bridging, split horizon 88
transport mode (IPSec) 640
Tripwire 967
troubleshooting
    ACLs 516–517
    EIGRP 270–272
    flapping routes 157
    Frame Relay connectivity 122–126
    IPSec VPNs 662–670
        PIX-to-PIX 687–695
    ISDN 169–177
    IS-IS authentication 345
    PVCs 190–191
    redistribution 399
    RIP 218–220
tuning LMI timers 94–95
tunnel mode (IPSec) 640
tunnel ports 881
tunneling
    802.1Q 881
    L2F 749
    L2VPN
        configuring 887–891
        verifying configuration 891–894
    Layer 2 protocol tunneling 881
    PPTP 751
        PIX Firewall configuration 766–768
TurboACL, configuring on PIX Firewall 6.2 850
turning off CBAC 802

U

UDP 814
    small servers, disabling 452
umask setting, modifying 964
UNI (User-Network Interface) 96
    cell headers 183–184
unidirectional PPP authentication, configuring 164
uninteresting traffic 141
UNIX
    ACS running Solaris, password recovery 1011
    EEPROM passwords, configuring 966
    Solaris
        applying patches 958
        installing 958
unreachables (ICMP) 524
update packets
    BGP 353
    EIGRP 243
    RIP 201–202
        blocking on interfaces 207
update process, IS-IS state machine 331
URLs, filtering 828–831
UrlScan 971
user accounts
    AAA verification 449–451
    locking 965
    Windows 970
user accounts (Cisco IOS)
    assigning privilege levels 447–448
    creating 446–447

V

VCs
    PVCs 91
    SVCs 90
        configuring 109–113
verifying
    DMVPN configuration 741–745
    HSRP support for MPLS VPNs 556
    installation information 963–964
    IPSec VPN configuration 728–732
    L2VPN configuration 891–894
    OSPF ABR Type 3 LSA filtering 316
    port-based traffic control on Catalyst 3550 switches 470–472
    user accounts with AAA 449–451
verifying service deactivation 455–456
virtual links, creating on OSPF networks 295–297
virtual templates, creating 759
virtual-template command 764
VLAN maps
    configuring on port ACLs 491
    configuring on router ACLs 491–492
    entries
        creating 513
        removing 514
VLSM, OSPF configuration 285
VPDNs 749–751
    configuring 752
    default group templates, configuring 768–769
    local AAA, configuring 752–761
    TACACS+, configuring 761–765
vpdn-template command 769
VPN concentrators, password recovery 1012–1013
VPNs (Virtual Private Networks) 432
    advanced configuration 718–719
        EIGRP 720–724
        GRE tunnels 720
        IPSec VPNs 715–718
        loopback interfaces 720
    IOS-to-IOS, IKE phase 1 using CA 696–703
    IPSec 718–724
        configuring between two IOS routers 644–662
        configuring between two PIX firewalls 671–693
        parameters, configuring 724–727
        troubleshooting 662–670, 687–695
        verifying configuration 728–732
    L2VPN
        802.1Q tunneling 881
        configuring 887–891
        verifying configuration 891–894
    PIX-to-PIX, IKE phase 1 using CA 703–710
    remote-access 633
    site-to-site 631–632
vtys, configuring 445–446

W-X-Y-Z

WANs
    connections, configuring on EIGRP 254–255
    Frame Relay
        configuring 102–122
        congestion control mechanisms 96–101
        error checking 99
        fully meshed topologies 87
        NNI 95
        partially meshed topologies 87–89
        PVC 91
        signaling 91–92
        star topology 86
        SVCs 90
        troubleshooting connectivity 122–126
        UNI 96
white hats 432
Windows operating system
    auditing, enabling 976
    file systems
        FAT 977
        FAT32 977
        NTFS 977–980
    installing 970
    logging, enabling 976
    MBSA 971
    patches, applying 975
    user accounts 970
Windows 2000, creating baseline security level 972–975
Windows NT 4 Server, creating baseline security level 972–975
work-based study labs 22
world-writeable files, checking for 966
xlates 814