Routing & Switching Version F.0
Infrastructure Security
www.noasolutions.com

NOA Solutions, N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall, Banjarahills road no 1, Hyderabad, INDIA. +91 40 65890380, +91 7036826345

About the Author

Sikandar Shaik, a dual CCIE (RS/SP# 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 10 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.

Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad in countries like China, Kenya and UAE. He has also worked as a Freelance Cisco Certified Instructor globally for major corporate clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you. Secondly I would like to thank the NOA Solutions team for their continued support, dedication and hard work which helped me in delivering a better product. I would like to thank my family for understanding my long nights at the computer.
I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement. I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 2 (RS/SP)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions to info@noasolutions.com

INDEX

Access-Control List
  Standard ACL ........................................ 5
  LAB: Standard Access-list .......................... 11
  Extended ACL ....................................... 15
  LAB: Extended Access-list .......................... 19
  Named ACL .......................................... 22
  LAB: Restricting Telnet Access ..................... 28
  Routing protocol and ACL ........................... 32
  LAB: Routing protocol and ACL ...................... 34
  LAB: Deny OSPF / EIGRP Traffic ..................... 38
  Time Based ACL
  LAB-2: Time Based ACL
  IPv6 ACL

Device Access Security
  Basic Login passwords .............................. 59
  Login password Enhancements
  LAB: Cisco Login Enhancements
  Cisco IOS Resilient Configuration
  AAA Authentication using external servers
  LAB: AAA Authentication
  User Accounts & Privilege levels ................... 99
  LAB: User accounts and privilege Levels ........... 102
  Role based Access control ......................... 107
  LAB: Role Based Access Control (Views)

Layer 2 Security
  Understanding switch security issues
  Port security
  LAB: Port-Security
  DHCP snooping ..................................... 128
  LAB: DHCP Snooping ................................ 131
  LAB: IP Source Guard
  Dynamic ARP inspection ............................ 144
  LAB: Dynamic ARP inspection ....................... 151
  Storm Control ..................................... 156
  Private VLAN ...................................... 158
  LAB: Private VLAN ................................. 165
  VLAN ACL
  IPv6 First Hop security ........................... 179
  IPv6 RA Guard ..................................... 183
  DHCPv6 Guard ...................................... 186

ACCESS CONTROL LIST (ACL)

» An ACL is a set of rules which will allow or deny specific traffic moving through the router.
» It is a Layer 3 security feature which controls the flow of traffic from one router to another, so it is also called a Packet Filtering Firewall.

Types of Access-list

STANDARD ACCESS LIST
1. The access-list number range is 1 - 99.
2. Can block a Network, Host and Subnet.
3. All services are blocked.
4. Implemented closest to the destination.
5. Filtering is done based only on the source IP address.

EXTENDED ACCESS LIST
1. The access-list number range is 100 - 199.
2. We can allow or deny a Network, Host, Subnet and Service.
3. Selected services can be blocked.
4. Implemented closest to the source.
5. Filtering is done based on source IP, destination IP, protocol and port number.

Lab: standard access-list
TASK: Configure the appropriate router as per the rules given. (The rule list on this slide is illegible in the scanned source; the same rules are given in full in the LAB: STANDARD ACCESS-LIST section.)

NOTE: the above ACL rules should not affect the other communication.

Creation of Standard Access List
Router(config)# access-list <number> <permit|deny> <source address> <wildcard mask>

To write an ACL statement:
1. Decide on which router to implement the ACL.
2. Identify Source & Destination.
3. Decide In/Out.

Ensure that the router on which you are implementing the ACL is the transit router. Think of your router as the destination for incoming traffic and as the source for outgoing traffic.

Wild card mask
Tells the router which portion of the bits to match or ignore.
  0 = must match
  1 = ignore

  Global Subnet Mask   255.255.255.255
  Customized Subnet Mask  - 255.255.255.0
  Wild Card Mask          = 0.0.0.255

» The Wild Card Mask for a Network will be the inverse mask.
» The Wild Card Mask for a Host will always be 0.0.0.0.

Example:
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Understanding IN / OUT
» In: into the router
» Out: out of the router
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

Verification:
R-2# show access-lists
Standard IP access list 15
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

LAB: STANDARD ACCESS-LIST

(Topology diagram: three LANs, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, with hosts 192.168.2.1, 192.168.2.2, 192.168.3.1 and 192.168.3.2 shown.)

Pre-requirement for LAB (check previous labs)
1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in the UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given
  - Deny the host 192.168.1.1 communicating with 192.168.2.0
  - Deny the host 192.168.1.2 communicating with 192.168.2.0
  - Deny the network 192.168.3.0 communicating with 192.168.2.0
  - Permit all the remaining traffic

NOTE: the above ACL rules should not affect the other communication.

NOTE: Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: ...
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ... (4 replies)
PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ... (4 replies)

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ... (4 replies)

ROUTER-2
Creating the ACL rules according to the requirement:
R-2(config)# access-list 15 deny 192.168.1.1 0.0.0.0
R-2(config)# access-list 15 deny host 192.168.1.2
R-2(config)# access-list 15 deny 192.168.3.0 0.0.0.255
R-2(config)# access-list 15 permit any

Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group 15 out

Verification:
R-2# show access-lists
Standard IP access list 15
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=24ms TTL=126

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: ... (4 replies)

Access-list Rules

» Works in sequential order.
» All deny statements have to be given first (preferable in most cases).
» There should be at least one permit statement (mandatory).
» An implicit deny blocks all traffic by default when there is no match (an invisible statement).
» Can have one access-list per interface per direction, i.e. two access-lists per interface, one in the inbound direction and one in the outbound direction.
» Any time a new entry is added to the access list, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested.
» You cannot remove one line from a numbered access list.
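The wildcard-mask and evaluation rules above are easy to get wrong when reading a list by eye, so here is a small Python model of them, written as an added example rather than taken from the workbook. It builds ACL 15 from the standard access-list lab exactly as typed on R-2, evaluates constructed source addresses top-down with first-match semantics and the implicit deny, renders the list the way `show access-lists` does (sequence numbers 10, 20, 30 and a 0.0.0.0 wildcard displayed as `host`), and shows that a list with no permit statement blocks everything. The IOS lines, addresses and sequence numbering are the workbook's; the class and function names are mine.

```python
"""Standard ACL semantics as the workbook describes them: wildcard-mask matching,
sequential first-match evaluation, the implicit deny, and new entries appended at
the bottom.  Added example, not the workbook's own material."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (the inverse mask)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))


def wildcard_match(address: str, entry_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (address, entry_addr, wildcard))
    return ((a ^ e) & (0xFFFFFFFF ^ w)) == 0


@dataclass
class Entry:
    seq: int          # sequence number IOS assigns: 10, 20, 30, ...
    action: str       # "permit" or "deny"
    source: str       # source network or host address
    wildcard: str     # "0.0.0.0" for a host, "255.255.255.255" for any


@dataclass
class StandardACL:
    number: int
    entries: list = field(default_factory=list)

    def add(self, line: str) -> None:
        """Parse 'access-list N permit|deny  any | host A | A W'.
        As on IOS, every new entry goes to the bottom of the list."""
        parts = line.split()
        if parts[0] != "access-list" or int(parts[1]) != self.number:
            raise ValueError(f"not an entry for access-list {self.number}: {line}")
        action = parts[2]
        if parts[3] == "any":
            src, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            src, wc = parts[4], "0.0.0.0"
        else:
            src = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"   # IOS default wildcard
        self.entries.append(Entry(10 * (len(self.entries) + 1), action, src, wc))

    def decide(self, src_ip: str) -> str:
        """Top-down evaluation: the first matching entry wins; no match is the implicit deny."""
        for e in self.entries:
            if wildcard_match(src_ip, e.source, e.wildcard):
                return e.action
        return "deny (implicit)"

    def show(self) -> list:
        """Render like 'show access-lists': a 0.0.0.0 wildcard is displayed as 'host'."""
        out = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            if e.wildcard == "0.0.0.0":
                out.append(f"    {e.seq} {e.action} host {e.source}")
            elif e.wildcard == "255.255.255.255":
                out.append(f"    {e.seq} {e.action} any")
            else:
                out.append(f"    {e.seq} {e.action} {e.source}, wildcard bits {e.wildcard}")
        return out


def build_lab_acl() -> StandardACL:
    """ACL 15 from the standard access-list lab (applied outbound on R-2 Fa0/0)."""
    acl = StandardACL(15)
    for line in (
        "access-list 15 deny 192.168.1.1 0.0.0.0",
        "access-list 15 deny host 192.168.1.2",
        "access-list 15 deny 192.168.3.0 0.0.0.255",
        "access-list 15 permit any",
    ):
        acl.add(line)
    return acl


if __name__ == "__main__":
    acl = build_lab_acl()
    print("\n".join(acl.show()))
    # constructed sample sources: the two blocked hosts, an allowed host on the same
    # LAN, a host inside the blocked subnet and a host on the destination LAN itself
    for ip in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.3.7", "192.168.2.2"):
        print(f"{ip:15} -> {acl.decide(ip)}")
    # a list with only deny entries blocks everything: the implicit deny at the end
    no_permit = StandardACL(16)
    no_permit.add("access-list 16 deny host 192.168.1.1")
    print("192.168.1.3 against ACL 16 ->", no_permit.decide("192.168.1.3"))
```

Because `decide` stops at the first match, the order the workbook prescribes (deny statements first, then `permit any`) is what makes the list work; appending the denies after `permit any` would leave them unreachable.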
Extended Access-list

» The access-list number range is 100 - 199.
» We can allow or deny a Network, Host, Subnet and Service.
» Selected services can be blocked.
» Implemented closest to the source.
» Filtering is done based on source IP, destination IP, protocol and port number.

TASK (extended ACL):
1. Deny the users on LAN 192.168.2.0 from accessing the 192.168.1.3 HTTP service.
2. Deny the users on LAN 192.168.3.0 from accessing the 192.168.1.4 FTP service.
3. Deny the user 192.168.3.1 from accessing the 192.168.1.3 HTTP service.
4. Deny the users on LAN 192.168.2.0 from getting DNS service from the DNS server 192.168.1.4.
5. Deny the hosts 192.168.3.2 and 192.168.1.2 from sending ICMP (ping/trace) messages to each other.
6. Remaining hosts and services should be permitted.

NOTE: the above ACL rules should not affect the other communication.

Operators:
  eq  (equal to)
  neq (not equal to)
  lt  (less than)
  gt  (greater than)

Extended ACL Syntax
Router(config)# access-list <number> <permit|deny> <protocol> <source> <source wildcard mask> <destination> <destination wildcard mask> [<operator> <port>]
Router(config)# interface <interface>
Router(config-if)# ip access-group <number> <in|out>

R1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R1(config)# access-list 145 permit ip any any
Implementation:
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 145 out
OR
R1(config)# interface serial 0/0
R1(config-if)# ip access-group 145 in

LAB: EXTENDED ACCESS-LIST

(Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 behind R1, R2 and R3.)

1) Design the topology (connectivity).
2) Assign the IP addresses according to the diagram.
3) Make sure that the interfaces used are in the UP/UP state.
4) Configure any dynamic routing protocol or static routing.
5) Verify the routing table and reachability between the LANs (using PING and TRACE commands).

TASK: Configure the appropriate router as per the rules given below
1. Deny the users on LAN 192.168.2.0 from accessing the 192.168.1.3 HTTP service.
2. Deny the users on LAN 192.168.3.0 from accessing the 192.168.1.4 FTP service.
3. Deny the user 192.168.3.1 from accessing the 192.168.1.3 HTTP service.
4. Deny the users on LAN 192.168.2.0 from getting DNS service from the DNS server 192.168.1.4.
5. Deny the hosts 192.168.3.2 and 192.168.1.2 from sending ICMP (ping/trace) messages to each other.
6. Remaining hosts and services should be permitted.

NOTE: the above ACL rules should not affect the other communication.

Router-1
R-1(config)# access-list 145 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R-1(config)# access-list 145 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R-1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq ?
  <0-65535>      Port number
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  ...
  isakmp         Internet Security Association and Key Management Protocol (500)
  non500-isakmp  Internet Security Association and Key Management Protocol (4500)
  snmp           Simple Network Management Protocol (161)
  tftp           Trivial File Transfer Protocol (69)

R-1(config)# access-list 145 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R-1(config)# access-list 145 deny icmp host 192.168.3.1 host 192.168.1.1 ?
  <0-256>               type-num
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
  ...

R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo
R-1(config)# access-list 145 deny icmp host 192.168.3.2 host 192.168.1.2 echo-reply
R-1(config)# access-list 145 permit ip any any

Implementation:
R-1(config)# interface fastEthernet 0/0
R-1(config-if)# ip access-group 145 out
OR
R-1(config)# interface serial 0/0
R-1(config-if)# ip access-group 145 in

Verification:
PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Reply from 192.168.1.1: bytes=32 ...
Named ACL

» Access lists are identified using names rather than numbers.
» Names are case-sensitive.
» No limitation of numbers here.
» One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
» IOS version 11.2 or later allows Named ACLs.

Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit|deny> <source> <wildcard mask>

Implementation of Standard Named Access List
Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

LAB: STANDARD NAMED ACL

(Topology diagram: LANs 192.168.2.0/24 and 192.168.3.0/24 with hosts 192.168.2.1, 192.168.2.2, 192.168.3.1 and 192.168.3.2 shown.)

TASK:
  - Configure a Standard Named ACL.
  - Use the same rules as Lab-1.

Before creating the ACL, make sure that the routing configured is correct and all the three LAN devices are able to communicate with each other using the PING command.

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=7ms TTL=126
Reply from 192.168.2.1: bytes=32 time=20ms TTL=126
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=16ms TTL=126
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=23ms TTL=126

Creating an access-list as per the given rules
R-2(config)# ip access-list standard CCNA
R-2(config-std-nacl)# deny 192.168.1.1 0.0.0.0
R-2(config-std-nacl)# deny host 192.168.1.2
R-2(config-std-nacl)# deny 192.168.3.0 0.0.0.255
R-2(config-std-nacl)# permit any
R-2(config-std-nacl)# exit

Implementation:
R-2(config)# interface fastEthernet 0/0
R-2(config-if)# ip access-group CCNA out

R-2# show access-lists
Standard IP access list CCNA
    deny host 192.168.1.1
    deny host 192.168.1.2
    deny 192.168.3.0 0.0.0.255
    permit any

PC>ipconfig
IP Address......: ...
PC>ping 192.168.2.1
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
PC>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 ...
Reply from 192.168.3.1: bytes=32 time=13ms TTL=125

PC>ipconfig
IP Address......: 192.168.1.2
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.
Reply from 10.0.0.2: Destination host unreachable.

SERVER>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
SERVER>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 time=17ms TTL=...
Reply from 192.168.2.1: bytes=32 ...
Reply from 192.168.2.1: bytes=32 ...

PC>ipconfig
IP Address......: 192.168.3.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
Reply from 11.0.0.1: Destination host unreachable.
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 ...

Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit|deny> <protocol> <source> <source wildcard mask> <destination> <destination wildcard mask> [<operator> <port>]
Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

LAB: NAMED EXTENDED ACL

(Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.)

  - Configure an Extended Named ACL.
  - Use the same rules as Lab-2.

R-1(config)# ip access-list extended CCNP
R-1(config-ext-nacl)# deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
R-1(config-ext-nacl)# deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
R-1(config-ext-nacl)# deny tcp host 192.168.3.1 host 192.168.1.3 eq www
R-1(config-ext-nacl)# deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
R-1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo
R-1(config-ext-nacl)# deny icmp host 192.168.3.1 host 192.168.1.1 echo-reply
R-1(config-ext-nacl)# permit ip any any

Implementation:
R-1(config)# interface fastEthernet 0/0
R-1(config-if)# ip access-group CCNP out
OR
R-1(config)# interface serial 0/0
R-1(config-if)# ip access-group CCNP in

R-1# show access-lists
Extended IP access list CCNP
    deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www
    deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp
    deny tcp host 192.168.3.1 host 192.168.1.3 eq www
    deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain
    deny icmp host 192.168.3.1 host 192.168.1.1 echo
    deny icmp host 192.168.3.1 host 192.168.1.1 echo-reply
    permit ip any any

Verification:
PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.3.100
PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=20ms TTL=125

Restricting Telnet Access To The Router to Specified Networks Or Hosts

» Restrict which users can telnet and which cannot.
» Use the access-class command on the VTY lines.
» Only the telnet traffic arriving on the VTY lines is compared against the list.

TASK: Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

R1(config)# access-list 20 permit host 192.168.1.1
R1(config)# access-list 20 permit host 192.168.1.2

Implementation
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# access-class 20 in
R1(config-line)# end
LAB: Restricting Telnet Access to the Router to Specified Networks or Hosts

Should You Secure Your Telnet Lines on a Router?

TASK: You are monitoring your network and notice, using the show users command, that someone has telnetted into your core router. You use the disconnect command and they are disconnected from the router, but you notice they are back in the router a few minutes later. You are thinking about putting an access list on the router interfaces, but you do not want to add a lot of latency on each interface since your router is already pushing a lot of packets.

The access-class command illustrated in this lab is the best way to restrict which users can telnet and which cannot, because it does not use an access list that just sits on an interface looking at every packet that is coming and going; that can cause overhead on the packets trying to be routed. When you put the access-class command on the VTY lines, only packets trying to telnet into the router will be looked at and compared. This provides nice, easy-to-configure security for your router.

(Topology diagram: LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.)

Allow only the hosts 192.168.1.1 and 192.168.1.2 to telnet to R1. Any other host should be denied if they try to telnet to R1.

Creating an ACL which permits only hosts 192.168.1.1 and 192.168.1.2 (the implicit deny blocks all the other hosts):
R-1(config)# access-list 20 permit host 192.168.1.1
R-1(config)# access-list 20 permit host 192.168.1.2

Implementation
R-1(config)# line vty 0 4
R-1(config-line)# password cisco
R-1(config-line)# login
R-1(config-line)# access-class 20 in
R-1(config-line)# end

Verification:
PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification

From both hosts (192.168.1.1 and 192.168.1.2) telnet to R1 is successful (see the outputs above). Telnet from any other user should be denied automatically as per our requirement (verify with the outputs below).

Try Telnet from 192.168.1.3 to R1
PC>ipconfig
IP Address......: 192.168.1.3
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>telnet 192.168.1.100
Trying 192.168.1.100 ...

Try Telnet from 192.168.1.4 to R1
PC>ipconfig
IP Address......: ...
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.1.100
PC>telnet 192.168.1.100
Trying 192.168.1.100 ...
% Connection refused by remote host

Try Telnet from R2 to R1
R-2>enable
R-2# telnet 10.0.0.1

R-1# show access-lists
Standard IP access list 12
    permit host 192.168.1.1 (2 match(es))
    permit host 192.168.1.2 (2 match(es))
    deny any (13 match(es))

R-1# show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:...
    (remaining lines truncated in source; last entry idle 00:00:39)
Routing Protocol & ACL

R2(config)# access-list 12 permit 10.0.0.0 0.255.255.255
R2(config)# int s1/0
R2(config-if)# ip access-group 12 in
R2(config-if)# end

R2(config)# ip access-list extended CCIE
R2(config-ext-nacl)# permit tcp any any eq ftp
R2(config-ext-nacl)# permit tcp any any eq telnet
R2(config-ext-nacl)# exit
R2(config)# line s1/0
R2(config-if)# ip access-group CCIE in

Routing Protocol & ACL

R2(config)# ip access-list extended EIGRP
R2(config-ext-nacl)# deny eigrp any any
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group EIGRP in

Routing Protocol & ACL

R2(config)# ip access-list extended OSPF
(first entry of this list illegible in source)
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# int s1/0
R2(config-if)# ip access-group OSPF in
OR
R2(config)# access-list 151 deny ip any host 224.0.0.5
R2(config)# access-list 151 deny ip any host 224.0.0.6
R2(config)# access-list 151 permit ip any any
R2(config)# int s1/0
R2(config-if)# ip access-group 151 in

LAB: Routing protocol and ACL

(Topology diagram: R1 and R2 connected by a serial link, each with a Fa0/0 LAN interface.)

TASK:
  * Configure EIGRP and OSPF routing on R1/R2 and advertise the interfaces given in the diagram.
R1(config)# router ospf 1
R1(config-router)# network 1.0.0.0 0.255.255.255 area 0
R1(config-router)# network 10.0.0.0 0.255.255.255 area 0
R1(config-router)# exit
R1(config)# router eigrp 100
R1(config-router)# network 1.0.0.0
R1(config-router)# network 10.0.0.0
R1(config-router)# exit

R2(config)# router ospf 1
R2(config-router)# network 1.0.0.0 0.255.255.255 area 0
R2(config-router)# network 20.0.0.0 0.255.255.255 area 0
R2(config-router)# exit
R2(config)# router eigrp 100
R2(config-router)# network 1.0.0.0
R2(config-router)# network 20.0.0.0
R2(config-router)# exit

R2# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:34    1.1.1.1         Serial1/0

R2# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   1.1.1.1                 Se1/0             11 00:04:27 1126  5000  0  12

R2# show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     10.0.0.0/8 [90/2172416] via 1.1.1.1, 00:04:28, Serial1/0

TASK:
  * Configure a standard ACL on R2 s1/0 inbound to permit only traffic sourced from 10.0.0.0 (R1 LAN).
  * Ensure that the ACL does not drop OSPF or EIGRP traffic.
1, 00:04:28, Seriall/O R2(config)#access-list 12 permit 10.0.0.0 0.255.255.255 R2(config)#int s1/0 R2(config-if#ip access-group 12 in Ra(config-iffend After some time you will see both the EIGRP and OSPF neighbors will go down once dead time expires.. the reason is ACL on R2 s1/0 interface which allows traffic from source 10.0.0.0 only. as per the default drop all the remaining traffic ( here OSpf and Elgrp packets) R2#sh ip ospf neighbor R2#sh ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) To permit OSPF and EIGRP traffic we need to permit traffic sourced from RI (host 1.1.1.1) on R2. R2(config)#access-list 12 permit host 1.1.1.1 R2(config)#end R2Ash ip ospf neighbor Neighbor ID Pri_ State Dead Time Address Interface 1.03.1 © FULY- — 00:00:36 LLL.1 _Seriall/0 Raifsh ip elgrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num ol sevo 12 00:00:15 224 1344 0 17 R2fsh access-ists Standard IP access list 12 NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution on’ Page 35 20 permit 1.1.1.1 (20 matches) 10 permit 10.0.0.0, wildcard bits 0.255.255.255 TAS! © Remove the standard ACL on R2 * Configure extended ACL to allow only telnet/FTP traffic between RI and R2 LAN * Configure ACL on RI s1/0 interface. * Ensure that the ACL should not drop OSPF or EIGRP traffic.. R2(config)#int s1/0 R2(config-if#no ip access-group 12 in Ra(config-iNifexit Ra(config)#no access-list 12 R2(config)¥end Ra(config)#ip access-list extended CCIE Ra(config-ext-nacl}#permit tep any any eq ftp R2(config-ext-nacl)#permit tep any any eq telnet Ra(config-ext-nadl} exit, Ra(config)#int s1/O R2(config-i#ip access-group CCIE in Ra(config-i#end + After some © the reason is ACL on R2 51/0 interface which allows traffic for FTP or TELNET. + as per the default drop all the remaining traffic ( here OSpf and Elgrp packets). 
R2#sh ip ospf neighbor Raffsh ip elgrp neighbors e you will see both the EIGRP and OSPF neighbors will go down once dead time expires.. © To ensure that the ACL should not drop OSPF or EIGRP traffic we need to add permit statament which matches OSPF and EIGRP packets. R2(config)#ip access-list extended CCIE R2(config-ext-nacl)#permit ospf any any R2(config-ext-nacl)#permit eigrp any any Ra(config-ext-nacl)#exit R2#sh ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H_ Address Interface Hold Uptime SRTT RTO Q Seq NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolutions. com Page 36 (se) (ms) Cnt Num 0 Wad sevo 11.00:00:12 217 1302 0 21 R2#sh ip ospf neighbor Neighbor ID Pri. State Dead Time Address Interface 1.0.3.1 0 FULIY- — 00:00:36 1.1.1.1 Seriall/0 NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution on’ Page 37 LAB: Deny OSPF / EIGRP Traffic: * Sometimes when we are doing some troubleshooting in the lab exam , the possible issue can also be some ‘ACL which was configured effecting the neighborship in any protocol. + In this lab, we will verify how the ACL can be possibly configured to Deny Routing protocol traffic using, EIGRP and OSPF as our routing protocols. 
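To make the first-match and implicit-deny behaviour behind these labs concrete, here is an added Python model of IOS IPv4 ACL evaluation. It is example code written for this page, not the workbook's or Cisco's, and it assumes the lab addressing shown in the diagrams (R1 s1/0 = 1.1.1.1, R1 LAN 10.0.0.0/8, R2 LAN 20.0.0.0/8); the sample packets, including OSPF and EIGRP hellos addressed to the real multicast groups 224.0.0.5 and 224.0.0.10, are constructed. It evaluates access-list 12 before and after the "permit host 1.1.1.1" fix, the CCIE list before and after the "permit ospf"/"permit eigrp" entries, and the EIGRP and 151 deny lists used in the lab that follows.

```python
"""Model of Cisco IOS IPv4 ACL semantics: first match wins, implicit deny at the
end, wildcard masks (a 1 bit means "don't care"). Added example, not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"telnet": 23, "ftp": 21, "www": 80, "domain": 53}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "ospf", "eigrp"}
ANY = (0, 0xFFFFFFFF)            # network 0.0.0.0, wildcard 255.255.255.255


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "ospf", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                   # (network, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None
    text: str = ""


def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: tuple) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF    # bits that must be equal
    return (ip_int(addr) & care) == (base & care)


def parse_addr(t: list, i: int):
    """Consume 'any', 'host A', 'A WILDCARD', or a lone address (treated as a host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (ip_int(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and "." in t[i + 1]:
        return (ip_int(t[i]), ip_int(t[i + 1])), i + 2
    return (ip_int(t[i]), 0), i + 1


def parse_ace(line: str) -> Ace:
    t = line.split()
    action, i = t[0], 1
    if t[i] in PROTOCOLS:        # extended form: proto src dst [eq port]
        proto, i = t[i], i + 1
        src, i = parse_addr(t, i)
        dst, i = parse_addr(t, i)
    else:                        # standard form: source only
        proto, dst = "ip", ANY
        src, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)


def evaluate(acl: list, pkt: Packet) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


# Constructed sample traffic arriving inbound on R2 s1/0 (lab addressing assumed:
# R1 s1/0 = 1.1.1.1, R1 LAN 10.0.0.0/8, R2 LAN 20.0.0.0/8).
SAMPLE = {
    "ospf_hello": Packet("ospf", "1.1.1.1", "224.0.0.5"),
    "eigrp_hello": Packet("eigrp", "1.1.1.1", "224.0.0.10"),
    "lan_telnet": Packet("tcp", "10.1.1.1", "20.1.1.1", 23),
    "lan_http": Packet("tcp", "10.1.1.1", "20.1.1.1", 80),
    "outsider_telnet": Packet("tcp", "172.16.1.1", "20.1.1.1", 23),
}

STANDARD_12 = ["permit 10.0.0.0 0.255.255.255"]
STANDARD_12_FIXED = STANDARD_12 + ["permit host 1.1.1.1"]
CCIE = ["permit tcp any any eq ftp", "permit tcp any any eq telnet"]
CCIE_FIXED = CCIE + ["permit ospf any any", "permit eigrp any any"]
DENY_EIGRP = ["deny eigrp any any", "permit ip any any"]
ACL_151 = ["deny ip any host 224.0.0.5", "deny ip any host 224.0.0.6", "permit ip any any"]


def run(acl: list) -> dict:
    """Evaluate every sample packet against one ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, acl in [("12", STANDARD_12), ("12+host", STANDARD_12_FIXED), ("CCIE", CCIE),
                      ("CCIE+routing", CCIE_FIXED), ("EIGRP", DENY_EIGRP), ("151", ACL_151)]:
        print(name, run(acl))
```

Running it shows why the neighbors drop: nothing in access-list 12 matches a packet sourced from 1.1.1.1, so the hello falls through to the implicit deny, and the same happens with the CCIE list until the protocol-specific permits are added. It also shows two things the lab output does not spell out: ACL 151 still lets EIGRP hellos (224.0.0.10) through, and "permit tcp any any eq telnet" admits Telnet from an outside source such as 172.16.1.1, not only from the two LANs.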
(Topology diagram: R1 f0/0 on the 10.0.0.0/8 LAN, R1 s1/0 1.1.1.1 connected to R2 s1/0 1.1.1.2, R2 f0/0 20.1.1.1/8; R2 also has Loopback0-3 with 12.0.0.1/24 to 12.0.3.1/24.)

TASK: Configure OSPF on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:36    1.1.1.1         Serial1/0

TASK: Configure EIGRP on all routers and advertise the connected interfaces as per the diagram:

R1(config)#router eigrp 100
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#end

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

By default the router installs the route to 10.0.0.0/8 learned through EIGRP (AD 90) rather than the one learned through OSPF (AD 110); the choice is made on administrative distance.

TASK: Configure an ACL to deny EIGRP packets on R2. Ensure that all the remaining traffic is permitted.

R2(config)#ip access-list extended EIGRP
R2(config-ext-nacl)#deny eigrp any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group EIGRP in

R2#clear ip eigrp neighbors
R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)

R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
*Mar 19 13:39:40.947: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:40.947:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 19 13:39:43.615: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:43.619:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 19 13:39:45.327: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:45.331:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 19 13:39:48.035: EIGRP: Sending HELLO on Se1/0 - paklen 20
*Mar 19 13:39:48.035:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Mar 19 13:39:49.683: EIGRP: Sending HELLO on Fa0/0 - paklen 20
*Mar 19 13:39:49.683:   AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

EIGRP is still sending hello messages on s1/0 but no longer receives any on s1/0, because the ACL drops the incoming EIGRP packets. The outbound hellos are unaffected: an inbound ACL only filters packets arriving on the interface.

R2#sh access-list
Extended IP access list EIGRP
    20 permit ip any any (10 matches)

R2#undebug all
All possible debugging has been turned off

R2#sh ip route
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.0.0.0/8 is directly connected, Serial1/0
L        1.1.1.2/32 is directly connected, Serial1/0
O     10.0.0.0/8 [110/65] via 1.1.1.1, 00:02:07, Serial1/0
      12.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Loopback0
L        12.0.0.1/32 is directly connected, Loopback0
C        12.0.1.0/24 is directly connected, Loopback1
L        12.0.1.1/32 is directly connected, Loopback1
C        12.0.2.0/24 is directly connected, Loopback2
L        12.0.2.1/32 is directly connected, Loopback2
C        12.0.3.0/24 is directly connected, Loopback3
L        12.0.3.1/32 is directly connected, Loopback3
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/8 is directly connected, FastEthernet0/0
L        20.1.1.1/32 is directly connected, FastEthernet0/0

* Now R2 installs the route learned from OSPF, as the EIGRP neighborship with R1 is no longer established on R2.

TASK: Remove the EIGRP ACL from the interface and configure an ACL to deny OSPF.

R2(config)#no ip access-list extended EIGRP
R2(config)#int s1/0
R2(config-if)#no ip access-group EIGRP in

R2(config)#ip access-list extended OSPF
R2(config-ext-nacl)#deny ospf any any
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int s1/0
R2(config-if)#ip access-group OSPF in

OR

R2(config)#access-list 151 deny ip any host 224.0.0.5
R2(config)#access-list 151 deny ip any host 224.0.0.6
R2(config)#access-list 151 permit ip any any
R2(config)#int s1/0
R2(config-if)#ip access-group 151 in
R2(config-if)#end

R2#clear ip ospf process

R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   INIT/  -        00:00:32    1.1.1.2         Serial1/0

R1 still receives R2's hellos (R2's outbound packets are not filtered) but R2 never sees R1 in return, so the adjacency on R1 is stuck in INIT and R2 lists no neighbor at all. The two ACLs are not equivalent: "deny ospf any any" matches every OSPF packet, whereas ACL 151 only matches the two multicast groups (224.0.0.5 AllSPFRouters, 224.0.0.6 AllDRouters). On this point-to-point serial link that is enough, but OSPF neighbors on NBMA or point-to-multipoint networks and virtual links exchange unicast packets, which ACL 151 would let through.

Time Based ACL

» Allows you to restrict or allow resources based on time periods or day of the week.
» The time range relies on the router system clock, so the clock must be set (by hand or via NTP) before the ACL can be expected to behave.

Steps to configure:
1. Define a time range during which the ACL action must take place.
2. Define an ACL and apply the time range to its statements.
3. Apply the access list to the interface you need.

Slide example (deny FTP on weekdays (M-F) between 9 AM and 5 PM, permit Telnet for January 2015, applied inbound on s1/0):
R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end
R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in

Slide example (allow Telnet from Jan 1 to Feb 28 2012 on all weekdays 9.00 am to 5.00 pm; R1 has to telnet to R3 successfully within that time):

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012
R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

LAB : Time Based ACL

(Topology diagram: R1 f0/0 on 10.0.0.0/8, R1 s1/0 1.1.1.1 to R2 s1/0 1.1.1.2, R2 f0/0 on 20.0.0.0/8, R2 s1/1 2.2.2.1 to R3 s1/0 2.2.2.2, R3 f0/0 30.1.1.1/8.)

TASK: Configure OSPF as the routing protocol to provide reachability.

R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#exit

R2(config)#router ospf 1
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R3(config)#router ospf 1
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
R3(config-router)#end

R3#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
12.0.3.1          0   FULL/  -        00:00:36    2.2.2.1         Serial1/0

R3#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     1.0.0.0/8 [110/128] via 2.2.2.1, 00:03:12, Serial1/0
O     10.0.0.0/8 [110/129] via 2.2.2.1, 00:00:05, Serial1/0
O     20.0.0.0/8 [110/65] via 2.2.2.1, 00:03:12, Serial1/0

TASK: Configure a time-based ACL on R2 which:
* Allows Telnet from Jan 1 to Feb 28 2012 on all weekdays, 9.00 am to 5.00 pm.
* R1 has to telnet to R3 successfully within the above time.
* Ensure that OSPF traffic is permitted on the WAN interfaces.

R2(config)#time-range WEEKDAYS
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#absolute start 09:00 1 jan 2012 end 17:00 28 feb 2012

When a time range has both an absolute and a periodic statement, it is active only while the current time is inside the absolute window and also matches a periodic statement.

Configure the ACL and apply it on the interface on R2:

R2(config)#access-list 102 permit tcp any any eq 23 time-range WEEKDAYS
R2(config)#access-list 102 permit ospf any any
R2(config)#int s1/1
R2(config-if)#ip access-group 102 out

Because ACL 102 is applied outbound, the "permit ospf any any" entry has no bearing on the R2-R3 adjacency here: IOS does not apply outbound interface ACLs to packets the router itself originates, and R3's hellos arrive inbound on s1/1, where no ACL is applied. The entry only matters for transit OSPF packets.

Verification:

R2#show time-range
time-range entry: WEEKDAYS (inactive)
   absolute start 09:00 01 January 2012 end 17:00 28 February 2012
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry

R2#show clock
*00:32:01.687 UTC Fri Mar 1 2002

The clock has never been set (it reads 2002, the default after boot), so the range is inactive. Setting it by hand for the test:

R2#clock set 10:00:00 2 Jan 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
R3>

R2#clock set 10:00:00 1 march 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 19:00:00 20 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Destination unreachable; gateway or host down

R2#clock set 12:00:00 14 Feb 2012
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open

The four tests cover the cases: a weekday inside the window (2 Jan 2012, Monday) and a weekday outside the absolute dates (1 March 2012) or outside the daily hours (20 Feb 2012, 19:00), then a weekday back inside both (14 Feb 2012, Tuesday, 12:00).

LAB-2 : Time Based ACL

(Topology diagram: R1 f0/0 on 10.0.0.0/8, R1 s1/0 1.1.1.1 to R2 s1/0 1.1.1.2, R2 f0/0 20.1.1.1.)

TASK:
* Connect R1-R2 as per the diagram.

R1(config)#router ospf 1
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#end

R2(config)#router ospf 1
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#end

R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.0.3.1           0   FULL/  -        00:00:39    1.1.1.1         Serial1/0

R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set
(route entries truncated in the original)

TASK: Configure a time-based ACL as per the given conditions.
* Deny FTP traffic on weekdays (M-F) between 9 AM and 5 PM.
* Permit Telnet traffic January 1 to January 31, 9 AM to 5 PM.
* Ensure that OSPF traffic does not get dropped.
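The clock tests above and the DENY_FTP/TELNET ranges of LAB-2 come down to one rule: an ACE that carries a time-range matches only while that range is active. The following Python model is an added example for this page (not workbook or IOS code) that reproduces the "show time-range" states and the Telnet results for the clock values the labs use. Its semantics are assumptions taken from the documented behaviour: an absolute window bounds the whole range, a periodic statement must also match when one is present, and the end times are inclusive at minute granularity. The calendar facts it relies on are that 2 Jan 2012 and 20 Feb 2012 are Mondays, 14 Feb 2012 a Tuesday, 10 Jan 2015 a Saturday and 19 Mar 2015 a Thursday.

```python
"""Model of IOS time-range evaluation (absolute window plus periodic statements)
and of ACL entries that carry a time-range. Added example, not IOS code."""
from datetime import datetime, time
from typing import Optional

DAYS = {"daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}}


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.absolute = None        # (start, end); either may be None (open-ended)
        self.periodic = []          # [(set of weekdays, start time, end time)]

    def absolute_window(self, start: Optional[datetime] = None,
                        end: Optional[datetime] = None):
        self.absolute = (start, end)
        return self

    def add_periodic(self, days: str, start: time, end: time):
        self.periodic.append((DAYS[days], start, end))
        return self

    def active(self, now: datetime) -> bool:
        """Assumed semantics: the absolute window gates everything; inside it some
        periodic statement must match (a range with none is active all day)."""
        if self.absolute:
            start, end = self.absolute
            if (start and now < start) or (end and now > end):
                return False
        if not self.periodic:
            return True
        t = now.time().replace(second=0, microsecond=0)
        return any(now.weekday() in days and start <= t <= end
                   for days, start, end in self.periodic)


def show_time_range(tr: TimeRange, now: datetime) -> str:
    return "active" if tr.active(now) else "inactive"


def decide(acl: list, service: str, now: datetime) -> str:
    """acl: [(action, service, TimeRange or None)]. First match wins, an ACE whose
    time-range is inactive is skipped, and the list ends in the implicit deny."""
    for action, svc, tr in acl:
        if svc != service:
            continue
        if tr is not None and not tr.active(now):
            continue
        return action
    return "deny (implicit)"


def clock(y: int, m: int, d: int, h: int, mi: int = 0) -> datetime:
    """Stand-in for 'clock set' on R2."""
    return datetime(y, m, d, h, mi)


# Lab 1: Telnet allowed 1 Jan - 28 Feb 2012, weekdays 09:00-17:00 (ACL 102 on R2)
WEEKD = (TimeRange("WEEKDAYS")
         .absolute_window(clock(2012, 1, 1, 9), clock(2012, 2, 28, 17))
         .add_periodic("weekdays", time(9, 0), time(17, 0)))
ACL_102 = [("permit", "telnet", WEEKD), ("permit", "ospf", None)]

# Lab 2: deny FTP on weekdays 09:00-17:00, permit Telnet during January 2015 (ACL 115)
DENY_FTP = TimeRange("DENY_FTP").add_periodic("weekdays", time(9, 0), time(17, 0))
TELNET = TimeRange("TELNET").absolute_window(clock(2015, 1, 1, 9), clock(2015, 1, 31, 17))
ACL_115 = [("deny", "ftp", DENY_FTP), ("permit", "telnet", TELNET), ("permit", "ospf", None)]


if __name__ == "__main__":
    for now in [clock(2012, 1, 2, 10), clock(2012, 3, 1, 10),
                clock(2012, 2, 20, 19), clock(2012, 2, 14, 12)]:
        print(now, "WEEKDAYS", show_time_range(WEEKD, now),
              "telnet ->", decide(ACL_102, "telnet", now))
    for now in [clock(2015, 3, 19, 13), clock(2015, 1, 10, 10, 10)]:
        print(now, "DENY_FTP", show_time_range(DENY_FTP, now), "TELNET",
              show_time_range(TELNET, now), "ftp ->", decide(ACL_115, "ftp", now),
              "telnet ->", decide(ACL_115, "telnet", now))
```

Two things the model makes visible: on 10 January 2015 DENY_FTP is inactive because that date is a Saturday, not because of the time of day, and ACL 115 never permits FTP at any time, since nothing after the deny entry matches it and the list ends in the implicit deny. The DENY_FTP entry therefore only changes which counter increments; a "permit ip any any" at the end would be needed for the time-based deny to make a difference.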
R2#sh clock
R2(config)#time-range DENY_FTP
R2(config-time-range)#periodic weekdays 09:00 to 17:00
R2(config-time-range)#exit
R2(config)#time-range TELNET
R2(config-time-range)#absolute start 09:00 1 january 2015 end 17:00 31 january 2015
R2(config-time-range)#end

R2#sh time-range
time-range entry: DENY_FTP (active)
   periodic weekdays 9:00 to 17:00
time-range entry: TELNET (inactive)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015

R2(config)#access-list 115 deny tcp any any eq ftp time-range DENY_FTP
R2(config)#access-list 115 permit tcp any any eq telnet time-range TELNET
R2(config)#access-list 115 permit ospf any any
R2(config)#int s1/0
R2(config-if)#ip access-group 115 in
R2(config-if)#end

R2#sh clock
R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (active)
    20 permit tcp any any eq telnet time-range TELNET (inactive)
    30 permit ospf any any (11 matches)

R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login
R2(config-line)#exit

R1#telnet 1.1.1.2
R1#sh clock

If we try to telnet to R2 now we cannot: the time range that allows Telnet covers only the month of January, while the router clock reads March 19, 2015 (a Thursday inside the DENY_FTP hours, hence DENY_FTP active and TELNET inactive).

TASK:
* Change the time and date on R2 to match the ACL time range.
* Ensure that you are allowed to telnet to R2.

R2#sh clock
R2#clock set 10:10:10 jan 10 2015
R2#sh clock
R2#sh time-range
time-range entry: DENY_FTP (inactive)
   periodic weekdays 9:00 to 17:00
   used in: IP ACL entry
time-range entry: TELNET (active)
   absolute start 09:00 01 January 2015 end 17:00 31 January 2015
   used in: IP ACL entry

R1#telnet 1.1.1.2
Trying 1.1.1.2 ... Open

User Access Verification

Password:
R2>exit

R2#sh access-lists
Extended IP access list 115
    10 deny tcp any any eq ftp time-range DENY_FTP (inactive)
    20 permit tcp any any eq telnet time-range TELNET (active) (48 matches)
    30 permit ospf any any (56 matches)

DENY_FTP shows inactive at this point because 10 January 2015 is a Saturday, not because of the time of day; on a weekday in January both ranges would be active at once.

IPv6 ACL

» An ACL is a set of rules which allow or deny specific traffic moving through the router.
» It is a Layer 3 security feature which controls the flow of traffic from one router to another.
» It is also called a packet-filtering firewall.
» If you've worked with IPv4 access lists (ACLs) on Cisco IOS before, IPv6 ACLs will feel quite familiar to you.

IPv6 ACL (compared to IPv4 ACL)

» IPv6 supports only named, extended access lists.
» IPv6 ACE addresses use CIDR notation (prefix/length) instead of wildcard masks.
» IPv6 ACLs are applied to interfaces using the command ipv6 traffic-filter.
» IPv6 ACLs are applied to lines using the command ipv6 access-class.
» Every IPv6 ACL ends with two implicit entries, permit icmp any any nd-na and permit icmp any any nd-ns, followed by the implicit deny ipv6 any any. An explicit deny ipv6 any any at the end of the list is evaluated before them and therefore also blocks neighbor discovery on that interface.

IPv6 ACL lab

1. Configure an ACL to deny the R1 f0/0 interface communicating with any R3 interface.
2. Configure an ACL to deny the R1 loop 0 interface communicating with R3 loop 0.
3. Configure an ACL so that the R2 f0/0 interface is not able to telnet to R3 f0/0.
4. Configure an ACL so that the R1 loop 1 interface is not able to access the http service on R3 loop 1.
5. Configure an ACL so that the R2 loop 2 interface is not able to access the DNS service on R3 loop 2.
6. Configure an ACL so that the R1 loop 3 interface is not able to ping or trace R3 loop 3.
» Make sure that the above ACL does not affect the other traffic.
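Before the lab configuration, here is an added Python model of IPv6 ACL evaluation (example code for this page, not the workbook's or Cisco's). It uses the host addresses from the lab topology (R1 f0/0 FC00:11::1, R2 f0/0 FC00:22::2, R3 f0/0 FC00:33::3, Loopback0 2001::1/2/3, Loopback1-3 2001:1111::, 2001:2222:: and 2001:3333::1-3) and appends the implicit tail that IOS adds to every IPv6 ACL (two neighbor-discovery permits, then deny). The sample packets, including the neighbor solicitation and the UDP traceroute probe, are constructed; the assumption that IOS traceroute sends UDP probes is the documented default.

```python
"""Model of an IOS IPv6 ACL: named, extended, host/prefix matching, first match
wins, plus the implicit tail (permit nd-na, permit nd-ns, deny). Added example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"telnet": 23, "www": 80, "domain": 53}
ICMP6_TYPES = {"echo-request": 128, "echo-reply": 129, "nd-ns": 135, "nd-na": 136}
ANY6 = ipaddress.IPv6Network("::/0")

# Entries IOS appends to every IPv6 ACL (assumed here from the documented behaviour).
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns",
                 "deny ipv6 any any"]


@dataclass
class Pkt6:
    proto: str                    # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_net(t: list, i: int):
    """Consume 'any', 'host A' or 'PREFIX/LEN' (CIDR form, no wildcard masks)."""
    if t[i] == "any":
        return ANY6, i + 1
    if t[i] == "host":
        return ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(t[i], strict=False), i + 1


def parse_ace6(line: str) -> dict:
    t = line.split()
    src, i = parse_net(t, 2)
    dst, i = parse_net(t, i)
    ace = {"action": t[0], "proto": t[1], "src": src, "dst": dst,
           "dport": None, "icmp_type": None, "text": line}
    if i < len(t):
        if t[i] == "eq":
            ace["dport"] = PORTS.get(t[i + 1]) or int(t[i + 1])
        elif t[1] == "icmp":
            ace["icmp_type"] = ICMP6_TYPES[t[i]]
    return ace


def ace6_matches(ace: dict, pkt: Pkt6) -> bool:
    if ace["proto"] != "ipv6" and ace["proto"] != pkt.proto:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
        return False
    return (ipaddress.IPv6Address(pkt.src) in ace["src"]
            and ipaddress.IPv6Address(pkt.dst) in ace["dst"])


def evaluate6(acl: list, pkt: Pkt6) -> tuple:
    """Return (action, matching line); lines from the implicit tail are marked."""
    for idx, line in enumerate(acl + IMPLICIT_TAIL):
        if ace6_matches(parse_ace6(line), pkt):
            tag = " (implicit)" if idx >= len(acl) else ""
            return line.split()[0], line + tag
    raise AssertionError("unreachable: the implicit tail always matches")


def action(acl: list, pkt: Pkt6) -> str:
    return evaluate6(acl, pkt)[0]


def echo(src: str, dst: str) -> Pkt6:
    return Pkt6("icmp", src, dst, icmp_type=128)


# The lab ACL applied inbound on R3 s1/0 (addresses from the lab diagram).
CCIE = [
    "deny ipv6 host FC00:11::1 any",
    "deny ipv6 host 2001::1 host 2001::3",
    "deny tcp host 2001::2 host FC00:33::3 eq telnet",
    "deny tcp host 2001:1111::1 host 2001:3333::1 eq www",
    "deny udp host 2001:2222::2 host 2001:3333::2 eq domain",
    "deny icmp host 2001:1111::3 host 2001:3333::3 echo-request",
    "deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply",
    "permit ipv6 any any",
]

# A restrictive ACL written two ways: relying on the implicit tail, and with an
# explicit deny that overrides it (constructed to show the neighbor-discovery trap).
TELNET_ONLY = ["permit tcp any host FC00:33::3 eq telnet"]
TELNET_ONLY_EXPLICIT_DENY = TELNET_ONLY + ["deny ipv6 any any"]

# Constructed neighbor solicitation: link-local source, solicited-node multicast dest.
ND_NS = Pkt6("icmp", "fe80::1", "ff02::1:ff00:3", icmp_type=135)
# Constructed IOS-style traceroute probe (UDP, high destination port).
TRACE_PROBE = Pkt6("udp", "2001:1111::3", "2001:3333::3", 33434)

if __name__ == "__main__":
    print(evaluate6(CCIE, echo("FC00:11::1", "FC00:33::3")))
    print(evaluate6(CCIE, Pkt6("tcp", "2001::2", "FC00:33::3", 23)))
    print(evaluate6(CCIE, TRACE_PROBE))
    print(evaluate6(TELNET_ONLY, ND_NS))
    print(evaluate6(TELNET_ONLY_EXPLICIT_DENY, ND_NS))
```

Beyond reproducing the lab's ping and Telnet results, the model points at two gaps a reviewer would raise. Task 3 asks to block R2 f0/0 (FC00:22::2), but the ACE as written matches R2's Loopback0 address 2001::2, so a plain "telnet fc00:33::3" from R2 succeeds and only the /source-interface loopback 0 variant is blocked. Task 6 asks to block ping and trace, but the two ICMP entries only stop echo; an IOS traceroute probe is UDP and still passes, so a "deny ipv6 host 2001:1111::3 host 2001:3333::3" entry would be needed to cover both. The TELNET_ONLY pair shows why an explicit "deny ipv6 any any" at the end of an IPv6 ACL is a mistake: it is evaluated before the implicit neighbor-discovery permits.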
R3(config)#ipv6 access-list CCIE
R3(config-ipv6-acl)#deny ipv6 host FC00:11::1 any
R3(config-ipv6-acl)#deny ipv6 host 2001::1 host 2001::3
R3(config-ipv6-acl)#deny tcp host 2001::2 host FC00:33::3 eq telnet
R3(config-ipv6-acl)#deny tcp host 2001:1111::1 host 2001:3333::1 eq www
R3(config-ipv6-acl)#deny udp host 2001:2222::2 host 2001:3333::2 eq domain
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-request
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int s1/0
R3(config-if)#ipv6 traffic-filter CCIE in
R3(config-if)#exit

LAB : IPv6 ACL

(Topology diagram: R1, R2 and R3 in a chain over serial links; R1 f0/0 FC00:11::1, R2 f0/0 FC00:22::2, R3 f0/0 FC00:33::3; Loopback0 2001::1, 2001::2, 2001::3; Loopback1-3 2001:1111::1-3 on R1, 2001:2222::1-3 on R2, 2001:3333::1-3 on R3, all /128.)

TASK:
* Configure IPv6 addressing as per the diagram.
* Advertise the interfaces using OSPFv3 to provide reachability.

R1#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE01:12FF:FEC0:0
    FC00:11::1
Serial1/0                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1... (global address truncated in the original)
Serial1/1                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1... (truncated in the original)
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001::1
Loopback1                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::1
Loopback2                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::2
Loopback3                  [up/up]
    FE80::CE01:12FF:FEC0:0
    2001:1111::3

R2#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE02:12FF:FEC0:0
    FC00:22::2
Serial1/0                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001... (truncated in the original)
Serial1/1                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:23:... (truncated in the original)
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001::2
Loopback1                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::1
Loopback2                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::2
Loopback3                  [up/up]
    FE80::CE02:12FF:FEC0:0
    2001:2222::3

R3#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::CE03:12FF:FEC0:0
    FC00:33::3
Serial1/0                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:23:... (truncated in the original)
Serial1/1                  [up/down]
    FE80::CE03:12FF:FEC0:0
    2001:34::3
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback0                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001::3
Loopback1                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::1
Loopback2                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::2
Loopback3                  [up/up]
    FE80::CE03:12FF:FEC0:0
    2001:3333::3

TASK: Configure OSPFv3 to provide reachability between the connected and loopback interfaces:

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#exit
R1(config)#int f0/0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 1
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 2
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit
R1(config)#int loop 3
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#exit

R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router ospf 1
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#exit
R2(config)#int f0/0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int s1/0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int s1/1
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 1
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 2
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit
R2(config)#int loop 3
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#exit

R3(config)#ipv6 unicast-routing
R3(config)#ipv6 router ospf 1
R3(config-rtr)#router-id 3.3.3.3
R3(config-rtr)#exit
R3(config)#int f0/0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int s1/0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 1
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 2
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit
R3(config)#int loop 3
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#exit

R2#sh ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   FULL/  -        00:00:32    5               Serial1/1
1.1.1.1           1   FULL/  -        00:00:30    5               Serial1/0

R2#sh ipv6 route ospf
IPv6 Routing Table - 21 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   2001::1/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:1111::1/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:1111::2/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:1111::3/128 [110/64]
     via FE80::CE01:12FF:FEC0:0, Serial1/0
O   2001:3333::1/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:3333::2/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   2001:3333::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1
O   FC00:33::3/128 [110/64]
     via FE80::CE03:12FF:FEC0:0, Serial1/1

TASK:
* Configure an ACL to deny the R1 f0/0 interface communicating with any R3 interface.
* Configure an ACL to deny the R1 loop 0 interface communicating with R3 loop 0.
* Configure an ACL so that the R2 f0/0 interface is not able to telnet to R3 f0/0.
* Configure an ACL so that the R1 loop 1 interface is not able to access the http service on R3 loop 1.
* Configure an ACL so that the R2 loop 2 interface is not able to access the DNS service on R3 loop 2.
* Configure an ACL so that the R1 loop 3 interface is not able to ping or trace R3 loop 3.
* Make sure that the above ACL does not affect the other traffic.

R3(config)#ipv6 access-list CCIE
R3(config-ipv6-acl)#deny ipv6 host FC00:11::1 any
R3(config-ipv6-acl)#deny ipv6 host 2001::1 host 2001::3
R3(config-ipv6-acl)#deny tcp host 2001::2 host FC00:33::3 eq telnet
R3(config-ipv6-acl)#deny tcp host 2001:1111::1 host 2001:3333::1 eq www
R3(config-ipv6-acl)#deny udp host 2001:2222::2 host 2001:3333::2 eq domain
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-request
R3(config-ipv6-acl)#deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply
R3(config-ipv6-acl)#permit ipv6 any any
R3(config)#int s1/0
R3(config-if)#ipv6 traffic-filter CCIE in
R3(config-if)#exit

Note two things about this list before testing it. The Telnet entry matches R2's Loopback0 address (2001::2), not the f0/0 address FC00:22::2 that task 3 names, which is why the test below has to source the Telnet from loopback 0; to implement task 3 literally the source would be host FC00:22::2. And the two ICMP entries stop ping only: IOS traceroute sends UDP probes, so a "deny ipv6 host 2001:1111::3 host 2001:3333::3" entry is what would block both ping and trace for task 6. The echo-reply entry as written matches replies from R1 loop 3 to R3 loop 3, i.e. it only affects R3 pinging R1, which the task did not ask for.

R1#ping fc00:33::3 source fc00:11::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
Packet sent with a source address of FC00:11::1
.....
Success rate is 0 percent (0/5)

R1#ping fc00:33::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/88 ms

R1#ping fc00:33::3 source 2001:1111::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:33::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1111::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/44 ms

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host 2001::1 host 2001::3 sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (17 matches) sequence 80

R1#ping 2001::3 source 2001::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2001::1
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (20 matches) sequence 80

R3(config)#line vty 0 4
R3(config-line)#no login
R3(config-line)#exit

R2#telnet fc00:33::3 /source-interface loopback 0
Trying FC00:33::3 ...
% Destination unreachable; gateway or host down

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet (1 match) sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (51 matches) sequence 80

R2#telnet fc00:33::3
Trying FC00:33::3 ... Open
R3>exit
[Connection to fc00:33::3 closed by foreign host]

R1#ping 2001:3333::3 source 2001:1111::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3333::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1111::3
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 access-list
IPv6 access list CCIE
    deny ipv6 host FC00:11::1 any (10 matches) sequence 10
    deny ipv6 host 2001::1 host 2001::3 (5 matches) sequence 20
    deny tcp host 2001::2 host FC00:33::3 eq telnet (1 match) sequence 30
    deny tcp host 2001:1111::1 host 2001:3333::1 eq www sequence 40
    deny udp host 2001:2222::2 host 2001:3333::2 eq domain sequence 50
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-request (5 matches) sequence 60
    deny icmp host 2001:1111::3 host 2001:3333::3 echo-reply sequence 70
    permit ipv6 any any (73 matches) sequence 80

Configuring Device Names

» Without names, network devices are difficult to identify for configuration purposes.
» Hostnames allow devices to be identified by network administrators over a network or the Internet.

Global configuration mode:
Router# configure terminal
Router(config)#
Router(config)# hostname NOA
NOA(config)#
+91 40 65890380, +91 7036826345 www.noasolution com Page 59 NOAsomon Assigning Passwords Se eee » Console » Auxiliary » VIY line (telnet) NOAsomma Assigning console password: —— Router(config) # line con 0 Router(config-line) # password Router(config-line) # login (line mode) Router(configline) # exit Assigning Auxiliary password: Router(config) # line aux 0 Router(config-line) # password Router(config-line) # login (ine mode) Router(configiine) # exit Assigning Telnet password: Router(config) # line vty 0.4 Router(contig-line) #password Router(configsline) Plogin (line mode) Router(configcline) exit NOA solutions,N.K Arcade, 2nd & 3rd floor,Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution com Page 60 NOAsomon we tat evn Ce eee Enable Password Router> enable Password: s.r Router(config) # enable password ‘The will be password saved in clear text oR Router(config) # enable secret ‘The password will be saved in encrypted text (Solutions! Encrypting Password Display NOAsormn (config)# service password-eneryption NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution com Page 61 NOAsomeon To save the configuration: Saray ae Cc Router # copy running-config. startup-config. (OR) Router # write memory (OR) Router # write Erase all Configurtions NOA # erase startup-config NOA # reload NOAsomean anwar eve Coer cree Banner Messages (config)# banner motd # .. # Limiting Device Access - MOTD Banner oe, | = manne Lp rae to x sear sate. atarond NOA solutions,N.K Arcade, 2nd & 3rd floor,Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. 
To change the hostname of the router:
Router(config)# hostname HYDERABAD
HYDERABAD(config)#

To assign a console password:
HYDERABAD(config)# line console 0
HYDERABAD(config-line)# password cisco123
HYDERABAD(config-line)# login
HYDERABAD(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
HYDERABAD# exit

HYDERABAD con0 is now available
Press RETURN to get started.
User Access Verification
(Enter the console password which was configured)
HYDERABAD>
HYDERABAD> enable
HYDERABAD# conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
HYDERABAD(config)# line vty 0 4
HYDERABAD(config-line)# password ccna123
HYDERABAD(config-line)# login
HYDERABAD(config-line)# exit
HYDERABAD(config)# enable password ccnp123
HYDERABAD(config)# exit
HYDERABAD# exit

HYDERABAD con0 is now available
Press RETURN to get started.
User Access Verification
(Enter the console password which was configured)
HYDERABAD> enable
(Enter the enable password which was configured)
HYDERABAD#
HYDERABAD# show running-config
Building configuration...
Current configuration : 480 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname HYDERABAD
!
!
!
!
HYDERABAD# configure terminal
HYDERABAD(config)# enable secret ccie123
HYDERABAD(config)# exit
HYDERABAD# show running-config
Building configuration...
Current configuration : 527 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname HYDERABAD
!
!
enable secret 5 $1$... (hash not legible in the scan)
enable password ccnp123
!
IOS Device Access Security: AAA, Privilege Levels

Assigning Passwords
» Console
» Auxiliary
» VTY line (telnet)

Access Port Passwords

Command to restrict access to privileged EXEC mode:
R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password for dial-up modem connections:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password on the console line (PC with terminal emulation software):
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login

Unattended connections should be disabled:
R1(config)# line console 0
R1(config-line)# password console123
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login

* For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity.
* The logging synchronous command prevents console messages from interrupting command entry.

All passwords in the configuration file should be encrypted:
R1(config)# service password-encryption
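The slides above list the password controls one at a time; the following added example (written for this page, not code from the workbook or from Cisco) checks a saved running-config for all of them at once, including the security passwords min-length and login block-for settings the next pages introduce. The two configurations it inspects are constructed for the example, modelled on the R1 lab output in this chapter.

```python
import re

MIN_LENGTH = 10  # minimum password length recommended on these pages


def line_blocks(config):
    """Yield (line name, [sub-commands]) per 'line ...' stanza; IOS indents
    members with one space and any unindented line ('!', 'end') closes it."""
    name, members = None, []
    for raw in config.splitlines():
        if raw.startswith("line "):
            if name is not None:
                yield name, members
            name, members = raw[5:].strip(), []
        elif name is not None and raw.startswith(" "):
            members.append(raw.strip())
        elif name is not None:
            yield name, members
            name, members = None, []
    if name is not None:
        yield name, members


def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no enable secret configured")
    if any(l.startswith("enable password") for l in top):
        findings.append("global: clear-text 'enable password' present, use enable secret")
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption off, line passwords in clear text")
    mlen = next((re.match(r"security passwords min-length (\d+)", l) for l in top
                 if l.startswith("security passwords min-length")), None)
    if mlen is None or int(mlen.group(1)) < MIN_LENGTH:
        findings.append(f"global: security passwords min-length below {MIN_LENGTH}")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("global: no login block-for, no quiet mode against login attacks")
    # Every access line must require a login and expire idle sessions.
    for name, members in line_blocks(config):
        if not name.startswith(("con", "aux", "vty")):
            continue
        if not any(m.startswith("login") for m in members):
            findings.append(f"line {name}: no login command, unauthenticated access")
        timeout = next((m for m in members if m.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: no exec-timeout (IOS default is 10 minutes)")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout 0 0 never expires an idle session")
    return findings


# Constructed sample: R1 before the login-enhancement lab.
WEAK_CONFIG = """\
no service password-encryption
hostname R1
!
enable password ccnp123
!
line con 0
 password console123
 login
line aux 0
 password ciscoauxpass
 exec-timeout 0 0
 login
line vty 0 4
 password ciscovtypass
 exec-timeout 5 0
!
end
"""

# Constructed sample: the same router after the slides' recommendations
# (the secret hash and 'password 7' strings are placeholders, not real values).
HARDENED_CONFIG = """\
service password-encryption
hostname R1
!
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER$notarealhash
login block-for 60 attempts 2 within 30
!
line con 0
 exec-timeout 5 0
 password 7 PLACEHOLDER
 login
line aux 0
 exec-timeout 5 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 exec-timeout 5 0
 password 7 PLACEHOLDER
 login
!
end
"""
```

Run audit() over the text of show running-config saved from a device; every finding names the stanza it applies to, so the fix maps directly onto the commands shown on these slides.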
To increase the security of passwords, use additional configuration parameters:
» Minimum password lengths should be enforced
» Unattended connections should be disabled
» All passwords in the configuration file should be encrypted

Password Security
R1(config)# security passwords min-length 10
R1(config)# enable secret cisco
R1(config)# enable secret cisco12345

Router(config)# login block-for <seconds> attempts <tries> within <seconds>
R1(config)# login block-for 60 attempts 2 within 30

* Use the login block-for command to help prevent brute-force login attempts from a virtual connection, such as Telnet, SSH, or HTTP.
* This can help slow down dictionary attacks and help protect the router from a possible DoS attack.

Passwords Best Practices
» An acceptable password length is 10 or more characters.
» Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces.
» Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information.
» Deliberately misspell a password (Security = 5ecur1ty).
» Change passwords often.
» Do not write passwords down and leave them in obvious places.

LAB : Cisco Login Enhancements

TASK:
* Configure a minimum password length for all router passwords.
* Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10
R1(config)# enable secret cisco

TASK: Configure the enable secret encrypted password on both routers.
R1(config)# enable secret cisco12345

TASK: Configure basic console, auxiliary port, and virtual access lines.
Note:
* Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab.
* More complex passwords are recommended in a production network.
* Configure a console password and enable login for routers.
* For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity.
* The logging synchronous command prevents console messages from interrupting command entry.
* To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

R1(config)# line console 0
R1(config-line)# password console123
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous

TASK: Configure a password for the AUX port for router R1.
R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# end

R1# sh running-config
Building configuration...
Current configuration : 1766 bytes
!
! Last configuration change at ...:54 UTC Fri Mar 27 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname R1
!
security passwords min-length 10
enable secret 5 $1$ruu.$/YVTdBnpONm2AOFKNx9fq.
!
line con 0
 exec-timeout 5 0
 password console123
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 5 0
 password ciscoauxpass
 logging synchronous
 login
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login
!
!
end

TASK: Encrypt clear text passwords.
Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption
R1# sh running-config
Building configuration...
Current configuration : 1840 bytes
!
! Last configuration change at 16:10:16 UTC Fri Mar 27 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname R1
!
security passwords min-length 10
enable secret 5 $1$ruu.$/YVTdBnpONm2AOFKNx9fq.
!
line con 0
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login
!
!
end

TASK:
* Create local username admin, password cisco123 on R1.
* Ensure that R1 can be logged into via console or VTY using username and password (login local).

[Diagram: PC 192.168.1.1 connected to R1 f0/0 192.168.1.100]

R1(config)# username admin password cisco
R1(config)# line con 0
R1(config-line)# login local
R1(config-line)# exit
R1(config)# exit
R1# exit

R1 con0 is now available
Press RETURN to get started.
Username: admin
Password:
R1> enable
Password:

To verify Telnet access:
R1(config)# username admin password cisco   (username already created in the previous task)
R1(config)# int f0/0
R1(config-if)# ip address 192.168.1.100 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# exit

Go to the PC command line to verify Telnet:
PC> ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........: FE80::2...:85FF:FEC7:199D
   IP Address......................: 192.168.1.1
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.100

PC> ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=1ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Reply from 192.168.1.100: bytes=32 time=0ms TTL=255
Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC> telnet 192.168.1.100
Trying 192.168.1.100 ...Open
User Access Verification
Username: admin
Password:
R1> enable
Password:

TASK: Enhanced Virtual Login Security on Routers
* PC and Router are preconfigured with IP addressing as per the diagram.
* Configure the router to protect against login attacks.
* Use the login block-for command to configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds.

[Diagram: PC 192.168.1.1 connected to R1 f0/0 192.168.1.100]

* Use the login block-for command to help prevent brute-force login attempts from a virtual connection, such as Telnet, SSH, or HTTP.
* This can help slow down dictionary attacks and help protect the router from a possible DoS attack.
* From the user EXEC or privileged EXEC prompt, issue the show login command to see the current router login attack settings.

R1# show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks

R1(config)# login block-for 60 attempts 2 within 30
R1(config)# exit

R1# show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
Router enabled to watch for login Attacks.
Router presently in Normal-Mode.
Current Watch Window remaining time 26 seconds.
Present login failure count 0.
R1#

* Telnet from the PC, provide wrong login information and see the login blocked.

PC> telnet 192.168.1.100
Trying 192.168.1.100 ... Open
User Access Verification
Username: djfkidt
Password:
Username: dfdkfj
Password:

PC> telnet 192.168.1.100
Trying 192.168.1.100 ...
PC>

Router# show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less, logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window Time remaining: 4 seconds.
Login failures for current window: 0.
Total login failures: 1.

Cisco IOS Resilient Configuration
» Used to prevent IOS configurations from being deleted.
» Hides the IOS configs on flash/NVRAM.

R1(config)# secure boot-image
R1(config)# secure boot-config

[Slide screenshot: dir flash: before secure boot-image lists the IOS image (23587052 bytes, Jan 9 2010 17:51:58 +00:00) with 128237568 bytes total (104544608 bytes free); after R1(config)# secure boot-image the image entry no longer appears in the listing.]
[Slide screenshots: Router# show secure bootset output and the restore procedure (secure boot-config restore, configure replace); the same output is reproduced legibly in the lab below.]

LAB : Cisco IOS Resilient Configuration
* The feature enables a router to secure the running image and maintain a working copy of the configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
* The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.

We're going to examine a related Cisco IOS security feature, dubbed resilient configuration.
This feature enables critical router files, namely the IOS image and configuration, to persist despite destructive events such as deletion of the startup configuration or a format of the Flash filesystem. The feature does not require any external services; all persistent files are stored locally on the router.

Enabling Resilient Configuration
* The binary IOS image used to boot the router is stored on the Flash filesystem, which is a type of memory very similar to that found inside a USB thumbdrive. The startup configuration file is stored on a separate filesystem, NVRAM.
* The contents of both filesystems can be viewed with the dir command.

Router# dir flash:
Directory of flash:/
    1  -rw-    23587052   Jan 9 2010 17:51:58 +00:00  c181x-advipservicesk9-mz.124-24.T.bin
    2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat
128237568 bytes total (104644608 bytes free)

Router# dir nvram:
Directory of nvram:/
  189  -rw-        1396  startup-config
  190  ----          24  private-config
  191  -rw-        1396  underlying-config
    1  -rw-           0  ifindex-table
    2  -rw-         593  IOS-Self-Sig#3401.cer
    3  ----          32  persistent-data
    4  -rw-        2945  cwmp_inventory
   21  -rw-         581  IOS-Self-Sig#1.cer
196600 bytes total (130616 bytes free)

The resilient image and configuration features are enabled with one command each.
Router(config)# secure boot-image
Router(config)# secure boot-config

* The secure boot-image command enables Cisco IOS image resilience, which hides the file from dir and show commands.
* The file cannot be viewed, copied, modified, or removed using EXEC mode commands. (It can be viewed in ROMMON mode.)
* When turned on for the first time, the running image is secured.
* The secure boot-config command takes a snapshot of the router running configuration and securely archives it in persistent storage (flash).
* The combination of the secured IOS image and configuration file is referred to as the bootset.
We can verify the secure configuration with the command show secure bootset.

Router# show secure bootset
IOS resilience router id FHK110913UQ

IOS image resilience version 12.4 activated at 02:00:30 UTC Sun Oct 17 2010
Secure archive flash:c181x-advipservicesk9-mz.124-24.T.bin type is image (elf) []
  file size is 23587052 bytes, run size is 23752654 bytes
  Runnable image, entry point 0x80012000, run from ram

IOS configuration resilience version 12.4 activated at 02:00:41 UTC Sun Oct 17 2010
Secure archive flash:.runcfg-20101017-020040.ar type is config
configuration archive size 1544 bytes

At this point, we notice that our IOS image file on Flash is now hidden.

Router# dir flash:
Directory of flash:/
    2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat
128237568 bytes total (104636416 bytes free)

TASK : Restoring an Archived Configuration
* Now suppose that the router's startup configuration file is erased (accidentally or otherwise) and the router is reloaded.
* Naturally, it boots with a default configuration. The resilient configuration feature will even appear to be disabled.

Router# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router# show startup-config
startup-config is not present
Router# reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload?
[confirm]

Router> enable
Router# show secure bootset

* To restore our original configuration, we simply have to extract it from the secure archive and save it to Flash.
* Next, we can replace the current running configuration with the archived config using the configure replace command.

Router(config)# secure boot-config restore flash:archived-config
ios resilience:configuration successfully restored as flash:archived-config
Router(config)# end
Router# configure replace flash:archived-config
Enter Y if you are sure you want to proceed. ? [no]: Y
Total number of passes: 1
Rollback Done

* This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file, which is assumed to be a complete configuration, not a partial configuration.
* Don't forget to save the running configuration once the restoration is complete (copy run start).

NOTE
* Be aware that the resilient configuration file is not automatically updated along with the startup configuration.
* To update it, you must first delete the existing resilient configuration and issue the secure boot-config command again.
* The secure bootset features can only be disabled from the console line.

Router(config)# no secure boot-config
% You must be logged on the console to apply this command

In fact, attempting to disable either part of the secure bootset generates a handy syslog message to alert administrators:

Router(config)# no secure boot-config
Router(config)# secure boot-config

Restoring an Archived IOS
Here we can see that it persists even when the Flash filesystem appears to have been formatted.

Router# format flash:
Format operation may take a while. Continue?
[confirm]
Format operation will destroy all data in "flash:".  Continue? [confirm]
Writing Monlib sectors...
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 250848
Format: Total bytes in formatted partition: 128434176
Format: Operation completed successfully.
Format of flash: complete

Router# dir
Directory of flash:/
No files in directory
128237568 bytes total (104640512 bytes free)

Router# reload
Proceed with reload? [confirm]
*Oct 17 02:37:37.127: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled

Upgrade ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0
Initializing ATA monitor library...
program load complete, entry point: 0x80012000, size: 0xc0c0
Initializing ATA monitor library...
program load complete, entry point: 0x80012000, size: 0x167e724
Self decompressing the image : ################################################ [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team

Router> enable
Password:
Router# dir
Directory of flash:/
No files in directory
128237568 bytes total (104640512 bytes free)

Router# show version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team

Authentication - Local Database
» Creates individual user account/password on each device
» Provides accountability
» User accounts must be configured locally on each device

R1(config)# username Admin secret noa123
R1(config)# line vty 0 4
R1(config-line)# login local

[Slide screenshot: a Telnet login to the router showing "User Access Verification", a rejected attempt ("Login invalid") and a login as Admin against the local database.]

Authentication - Local Database (contd)
router(config)# username sikandar password noa123
router(config)# line vty 0 4
router(config-line)# login local
router(config-line)# exit
Router# telnet 192.168.1.100
Trying 10.1.1.1 ... Open
User Access Verification
Username: Sikandar
Password:

Authentication - Local Database (contd)
Drawbacks of local user authentication:
» Usernames and passwords are stored locally
» No centralized control
» More administrative tasks
» Not scalable

Using External Server Based Authentication
» Usernames and passwords are stored in a remote server.
» Allows centralized authentication.
» Reduces administrative tasks.
» Scalable.

External Authentication using AAA
» Authentication: Who are you?
» Authorization: Which resources is the user allowed to access and which operations is the user allowed to perform?
» Accounting: What did you spend it on?

Self-Contained AAA Authentication
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
» Used for small networks
» Stores usernames and passwords locally in the Cisco router

Server-Based AAA Authentication
» Both RADIUS and TACACS+ are client/server AAA protocols.
» Authenticate a username/password combination.
» Determine if a user is allowed to connect to the client.
(Cisco Secure ACS for Windows Server, Cisco Secure ACS Express)

Overview of TACACS+ and RADIUS
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
» TACACS+: Terminal Access Controller Access Control System Plus
» RADIUS: Remote Authentication Dial-In User Service
(Cisco Secure ACS for Windows Server, Cisco Secure ACS Express)
Local AAA Authentication Configuration
R1(config)# aaa new-model
R1(config)# username sikandar password noa123
R1(config)# aaa authentication login default local
R1(config)# line console 0        (or: line vty 0 4)
R1(config-line)# login authentication default
R1(config-line)# exit

Server-Based AAA Authentication
» Centrally validate users wishing to gain access to a resource such as a router
» Uses an external database server:
  - Cisco Secure Access Control Server (ACS) for Windows Server
  - Cisco Secure ACS Solution Engine
  - Cisco Secure ACS Express
» More appropriate if there are multiple routers

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.

Local Versus Server-Based Authentication
[Slide diagram: local authentication on the router compared with server-based authentication through a Cisco Secure ACS on a Windows server.]
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

AAA Authentication using TACACS+
R1(config)# no aaa new-model
R1(config)# username sikandar password noa123
R1(config)# tacacs-server host 192.168.1.1
R1(config)# tacacs-server key sikandar123
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+ local
R1(config)# line con 0
R1(config-line)# login authentication default
R1(config-line)# end

AAA Authentication using RADIUS Server
R1(config)# no aaa new-model
R1(config)# username sikandar password noa123
R1(config)# radius-server host 192.168.1.1
R1(config)# radius-server key sikandar123
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# line con 0
R1(config-line)# login authentication default
R1(config-line)# exit
R1(config)# end

LAB: AAA Authentication

[Topology diagram: R-1 f0/0 192.168.1.100 and s0/0/0 10.0.0.1; R-2 s0/0/0 10.0.0.2 and f0/0 192.168.2.100; on the R-1 LAN the TACACS server 192.168.1.1, the RADIUS server 192.168.1.2 and a PC 192.168.1.3; on the R-2 LAN (via SW2) hosts 192.168.2.1 and 192.168.2.2.]

TASK:
* Configure basic IP addressing as per the diagram and ensure that there is reachability between them.

Router(config)# hostname R-1
R-1(config)# int f0/0
R-1(config-if)# ip address 192.168.1.100 255.255.255.0
R-1(config-if)# no shutdown
R-1(config-if)# exit
R-1(config)# int s0/0/0
R-1(config-if)# ip address 10.0.0.1 255.0.0.0
R-1(config-if)# no shutdown
R-1(config-if)# clock rate 64000
R-1(config-if)# end

Router(config)# hostname R-2
R-2(config)# int f0/0
R-2(config-if)# ip address 192.168.2.100 255.255.255.0
R-2(config-if)# no shutdown
R-2(config-if)# exit
R-2(config)# interface serial 0/0/0
R-2(config-if)# ip address 10.0.0.2 255.0.0.0
R-2(config-if)# no sh
R-2(config-if)# clock rate 64000
R-2(config-if)# end

R-2# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 3/12/37 ms
R-2# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms

TASK: Configure Local AAA Authentication for Console Access on R1
R-1(config)# username sikandar password cisco123
R-1(config)# aaa new-model
R-1(config)# aaa authentication ?
  enable  Set authentication lists for enable.
  login   Set authentication lists for logins.
  ppp     Set authentication lists for ppp.
R-1(config)# aaa authentication login default ?
  enable  Use enable password for authentication.
  group   Use Server-group.
  local   Use local username authentication.
  none    NO authentication.
R-1(config)# aaa authentication login default local
R-1(config)# line console 0
R-1(config-line)# login authentication default
R-1(config-line)# exit
R-1(config)# end
R-1# exit

User Access Verification
R-1>
R-1> enable
R-1# exit

TASK:
* Configure Local AAA Authentication for VTY Lines on R1
R-1(config)# line vty 0 15
R-1(config-line)# login authentication default
R-1(config-line)# exit
R-1(config)# enable secret cisco

Verify the AAA authentication method. Verify the Telnet configuration. From the command prompt of the PC (192.168.1.3), Telnet to R1.
On PC:
PC> telnet 192.168.1.100
Trying 192.168.1.100 ...Open
User Access Verification
Username: sikandar
Password:
R-1> enable
Password:
R-1# exit
[Connection to 192.168.1.100 closed by foreign host]

TASK:
* Remove the AAA configs done in the previous tasks.
* Configure Server-Based AAA Authentication using the TACACS+ protocol (192.168.1.1) on R1.
* Fall back to local authentication if the server does not respond.

[Screenshot of the TACACS server (192.168.1.1) AAA service settings: service On, port 1645; Network Configuration: client IP 192.168.1.100, secret sikandar123, server type Tacacs; User Setup: username admin, password cisco123.]

R-1(config)# no aaa new-model
R-1(config)# username sikandar password cisco123
R-1(config)# tacacs-server host 192.168.1.1
R-1(config)# tacacs-server key sikandar123
R-1(config)# aaa new-model
R-1(config)# aaa authentication login default ?
  enable  Use enable password for authentication.
  group   Use Server-group.
  local   Use local username authentication.
  none    NO authentication.
R-1(config)# aaa authentication login default group tacacs+ ?
  enable  Use enable password for authentication.
  group   Use Server-group.
  local   Use local username authentication.
  none    NO authentication.
R-1(config)# aaa authentication login default group tacacs+ local
R-1(config)# line con 0
R-1(config-line)# login authentication default
R-1(config-line)# exit
R-1(config)# end

TASK:
* Configure AAA Authentication for VTY Lines on R1 using the TACACS server.
R-1(config)# line vty 0 4
R-1(config-line)# login authentication default
R-1(config-line)# exit

PC> ipconfig
: 192.168.1.3, 255.255.255.0 192.168.1.100 Pc>telnet 192.168.1.100 Trying 192.168.1.100 ... Open User Access Verification Username: admin Password: R-l>enable Password: Re Relfsh users Line User Host(s) Idle Location Ocon0 admin idle 00:00:44 TASK * Configure R2 to use AAA authentication using external AAA server (192.168.1.2) RADIUS protocol * Fallback to local authentication if server does not respond. * Using EIGRP as routing Protocol to provide connectivity between the two networks Username: admin Password: NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution on’ Page 95 R-l>enable Password: Rel#fconf terminal R-l(config)#router eigrp 100 R-l(config-router)#network 10.0.0.0 R-l(config-router)#network 192.168.1.0 R-l(config-router)#exit R-2(config)#router eigrp 100 R.2(config-router)#network 10.0.0.0 R-2(config-router)#network 192.168.2.0 R.2(config-router)#end R-2#sh ip eigrp neighbors IP-EIGRP neighbors for process 100 H Address Interface. Hold Uptime SRTT RTO Q Seq (se) (ms) Cnt Num ON 1OL0101)/'Se0/0/0 11 00:00:14 40 1000 0 3 R-2#sh ip route eigrp DNISAIE8.110/24 [90/2172416] via 10.0.0.1, 00:00:16, Serial0/0/0 R-2#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: at Success rate is 100 percent (5/5), round-trip min/avg/max = 11/13/16 ms R-2¥ping 192.168.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 5/10/16 ms NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolutions. 
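The method list configured above for R1 ('group tacacs+ local') and the one configured for R2 below ('group radius local') share one rule that the task wording "fall back to local if the server does not respond" relies on: IOS moves to the next method only when the current one does not answer, never when it explicitly rejects the user. The following Python model is an added example, not code from the workbook or from Cisco IOS; the account names, passwords and the reachable/unreachable server state are constructed to mirror the lab.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class LocalMethod:
    """The 'local' keyword: the router's own username database."""
    users: Dict[str, str]          # username -> password (constructed)
    name: str = "local"

    def authenticate(self, user: str, password: str) -> str:
        # The local database always answers, so a wrong password is a
        # definite reject (FAIL), never a "no response" (ERROR).
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class ServerGroupMethod:
    """The 'group tacacs+' or 'group radius' keyword."""
    name: str
    users: Dict[str, str]          # accounts held on the AAA server (constructed)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR           # timeout: no server in the group answered
        return PASS if self.users.get(user) == password else FAIL


def aaa_login(methods: List[object], user: str, password: str) -> Tuple[str, str]:
    """Evaluate a login method list left to right, as IOS does.

    Returns (outcome, method_name). The next method is consulted only when
    the current one returns ERROR; PASS or FAIL ends the evaluation.
    """
    for method in methods:
        result = method.authenticate(user, password)
        if result in (PASS, FAIL):
            return result, method.name
    return FAIL, "no-method-responded"


def lab_scenarios() -> Dict[str, Tuple[str, str]]:
    """'aaa authentication login default group tacacs+ local' with constructed data."""
    local = LocalMethod(users={"sikandar": "cisco123"})
    tacacs = ServerGroupMethod("tacacs+", users={"admin": "cisco123"})
    method_list = [tacacs, local]
    results = {}
    results["server up, server user"] = aaa_login(method_list, "admin", "cisco123")
    # sikandar exists only locally; the reachable server rejects him and
    # IOS does NOT fall back to the local database on a reject.
    results["server up, local-only user"] = aaa_login(method_list, "sikandar", "cisco123")
    tacacs.reachable = False
    results["server down, local user"] = aaa_login(method_list, "sikandar", "cisco123")
    results["server down, server user"] = aaa_login(method_list, "admin", "cisco123")
    return results


if __name__ == "__main__":
    for scenario, (outcome, via) in lab_scenarios().items():
        print(f"{scenario:26s} -> {outcome} via {via}")
```

The second scenario is the one to remember when testing the lab: while the TACACS+ server is reachable, an account that exists only in the local database cannot log in at all, so the local account is a recovery path, not a second set of credentials.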
[Figure: RADIUS server configuration screen at 192.168.1.2. Recoverable settings: service RADIUS on; client R-2 at 10.0.0.2, server type Radius, key sikandar123; User Setup: username (adminR2 in the session below), password cisco123.]

R-2(config)#username sikandar password cisco123
R-2(config)#radius-server host 192.168.1.2
R-2(config)#radius-server key sikandar123
R-2(config)#aaa new-model
R-2(config)#aaa authentication login default group radius ?
  enable  Use enable password for authentication.
  group   Use Server-group.
  local   Use local username authentication.
  none    NO authentication.
R-2(config)#aaa authentication login default group radius local
R-2(config)#line con 0
R-2(config-line)#login authentication default
R-2(config-line)#exit
R-2(config)#exit
R-2#exit

Press RETURN to get started.

User Access Verification
R-2>enable
Password:
R-2#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0     adminR2    idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

TASK: Configure AAA Authentication for VTY Lines on R2 using the RADIUS server.

R-2(config)#line vty 0 4
R-2(config-line)#login authentication default
R-2(config-line)#exit
R-2(config)#

PC>ipconfig
IP Address......: 192.168.2.1
Subnet Mask.....: 255.255.255.0
Default Gateway.: 192.168.2.100

PC>telnet 192.168.2.100
Trying 192.168.2.100 ...Open

User Access Verification
Username: adminR2
Password:
R-2>enable
Password:
R-2#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0     adminR2    idle                 00:00:36
*  67 vty 0    adminR2    idle                 00:00:00 192.168.2.1

  Interface    User               Mode         Idle     Peer Address

Privilege Levels
» Additional levels of access to commands
» Privilege levels are configured locally on the Cisco networking device
» They can also be implemented using AAA with TACACS+ and RADIUS

R-1(config)#username sikandar password noa123

Configuring Privilege Levels

Zero-level access (0) allows only five commands: logout, enable, disable, help, and exit.
User EXEC mode is privilege level 1.
Privileged EXEC mode is privilege level 15.
Levels 2-14 are customized privilege levels.

Router>show privilege
Current privilege level is 1
Router#show privilege
Current privilege level is 15

NOTE: Commands available at lower privilege levels are always executable at higher levels.

Privilege Levels for Users

R1(config)#username user2 privilege 2 password user2
R1(config)#privilege exec level 2 show run
R1(config)#privilege exec level 2 show start
R1(config)#privilege exec level 2 write memory
R1(config)#privilege exec level 2 configure terminal
R1(config)#privilege configure level 2 hostname

R1(config)#username user5 privilege 5 password user5
Router1(config)#privilege configure level 5 ip route
Router1(config)#privilege configure level 5 interface
Router1(config)#privilege interface level 5 ip address
Router1(config)#privilege interface level 5 shutdown
Router1(config)#privilege configure level 5 router
R1(config)#privilege router level 5 network

Privilege Level Limitations
» There is no access control to specific interfaces, ports, logical interfaces, and slots on a router.
» Commands available at lower privilege levels are always executable at higher levels.
» Commands specifically set on a higher privilege level are not available to lower-privileged users.

LAB : User accounts and privilege Levels

R1>show privilege
Current privilege level is 1
R1#show privilege
Current privilege level is 15

R1(config)#username admin password admin123
R1(config)#enable secret cisco123
R1(config)#line con 0
R1(config-line)#login local
R1(config-line)#end
R1#exit

User Access Verification
Username: admin
Password:
R1>
R1>show privilege
Current privilege level is 1
R1>enable
Password:
R1#show privilege
Current privilege level is 15

TASK: User Account Privileges. Create user accounts based on the following:
  Username  : user2
  Privilege : 2
  Password  : user2
* Configure privilege level 2 so that its users can see the running-config and startup-config (show run and show startup-config).

R1(config)#username user2 privilege 2 password user2
R1(config)#privilege exec level 2 show run
R1(config)#privilege exec level 2 show start
R1(config)#exit

* By default, level 2 can still access the level 1 commands of user mode.

R1#exit

User Access Verification
Username: user2
Password:
R1#show privilege
R1#show running-config
R1#sh startup-config

* You should be able to get the output of the above two commands. Let's verify other commands:

R1#conf t
R1#erase startup-config
R1#copy run start

TASK: Configure user2 so that he is able to change the hostname and save the configuration to NVRAM.

R1#exit

User Access Verification
Username: admin
Password:
R1>enable
Password:
R1(config)#privilege exec level 2 write memory
R1(config)#privilege exec level 2 configure terminal
R1(config)#privilege configure level 2 hostname
R1(config)#end
R1#exit

R1#show privilege
R1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0     user2      idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

R1#write memory
R1#conf t
R1(config)#hostname Router1
Router1(config)#end
Router1#write memory

TASK: User Account Privileges. Create user accounts based on the following:
  Username  : user5
  Privilege : 5
  Password  : user5
* Configure privilege level 5 so that its users are able to:
  * run all commands of level 2 configured in the previous task
  * change the hostname, and use the ip address and shutdown commands on an interface
  * modify the static or default routing configured

User Access Verification
Username: admin
Password:
Router1>enable
Password:
Router1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username user5 privilege 5 password user5
Router1(config)#privilege configure level 5 ip route
Router1(config)#privilege configure level 5 interface
Router1(config)#privilege interface level 5 ip address
Router1(config)#privilege interface level 5 shutdown

* Once we assign a higher privilege level, it gets access to the lower-level commands as well (in our lab, level 2 was already configured in the previous task to enter config mode and change the hostname),
* so there is no need to reconfigure the same for privilege 5.

Router1(config)#end
Router1#exit

User Access Verification
Password:
Router1#show privilege
Current privilege level is 5
R1(config)#interface f0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config)#ip route 20.0.0.0 255.0.0.0 1.1.1.2
R1(config)#router rip

TASK: Configure privilege level 5 to allow router-level commands (network commands).

R1(config)#exit
R1#exit

User Access Verification
Username: admin
Password:
R1>enable
Password:
R1(config)#privilege configure level 5 router
R1(config)#privilege router level 5 network
R1(config)#end
R1#exit

User Access Verification
Username: user5
Password:
R1#conf t
R1(config)#router rip
R1(config-router)#<command not assigned to level 5; unreadable in the scan>
% Invalid input detected at '^' marker.
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#auto-summary
% Invalid input detected at '^' marker.
R1(config-router)#end

NOTE:
* Inside router mode we again need to define which set of commands is allowed to that user.

Role-Based Access Control ( Views)
» Replacement for privilege levels
» A newer method of controlling which Cisco IOS commands a user can execute
» More flexible in terms of command allocation
» Restricts user access to the Cisco IOS CLI and configuration information
» A view can define which commands are accepted and what configuration information is visible
» Roles can be switched manually or assigned to users
» RBAC requires AAA to be enabled on the router

To configure any view for the system, the administrator must be in the root view. The root view has all of the access privileges of a user who has level 15 privileges. AAA and an enable password are mandatory.

R1#enable view
R1#show parser view
Current view is 'root'

CLI View
A specific set of commands can be bundled into a "CLI view". Each view must be assigned all commands associated with that view; there is no inheritance of commands from other views. Additionally, commands may be reused within several views.

R1#enable view admin1
Password:
R1#show parser view
Current view is 'admin1'

R1(config)#parser view admin1
R1(config-view)#secret admin1@123
R1(config-view)#commands exec include all show
R1(config-view)#commands exec include all configure terminal
R1(config-view)#commands exec include all debug
R1#enable view admin1
Password:
R1#show parser view
Current view is 'admin1'
R1(config)#parser view admin1
R1(config-view)#commands exec include all copy
R1(config-view)#commands exec include all erase

LAB : Role Based Access Control ( Views)

R1#enable view

To define views, AAA must be enabled and an enable secret must be configured.

R1>enable view
R1(config)#enable secret cisco123
R1(config)#aaa new-model
R1(config)#exit

Use the command enable view to enable the root view.

R1#enable view
R1#show parser view
Current view is 'root'

Now from the root view, where we create all other views, we define the commands that can be included or excluded per view.

TASK: Create the admin1 view, establish a password, and assign privileges.
* The admin1 user is the top-level user below root that is allowed to access this router. It has the most authority. The admin1 user can use all show, config, and debug commands.

R1(config)#parser view admin1
*Mar  1 00:46:06.511: %PARSER-6-VIEW_CREATED: view 'admin1' successfully created.

* Note: To delete a view, use the command no parser view viewname

R1(config)#parser view admin1
R1(config-view)#secret admin1@123
R1(config-view)#commands exec include all show
R1(config-view)#commands exec include all configure terminal
R1(config-view)#commands exec include all debug
R1(config-view)#exit
R1(config)#exit

include : Adds a specified command or a specified interface to the view and allows the same command or interface to be added to other views.
include-exclusive : Adds a specified command or a specified interface to the view and excludes the same command or interface from being added to all other views.
exclude : Denies access to commands in the specified parser mode. Note: This keyword is available only for command-based views.
all : (Optional) A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface within a specified interface, to be part of the view.

R1#enable view admin1
Password:
R1#show parser view
R1#?
Exec commands:
  configure  Enter configuration mode
  debug      Debugging functions (see also 'undebug')
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information

R1#copy run start
% Invalid input detected at '^' marker.
R1#write
% Invalid input detected at '^' marker.
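The privilege-level lab above and the admin1 view just created are two answers to the same question: which typed command is accepted for which user. The Python model below is an added example, not code from the workbook or from Cisco IOS; the user names, levels and command strings are constructed from the lab, and it encodes only the rules the text states: a user may run any command whose level is at or below their own, a command moved to a higher level vanishes for lower levels, a sub-mode command such as 'network' under 'router' must be assigned on its own, a view grants only what it explicitly includes (no inheritance), 'all' is a prefix wildcard, and 'exclude' denies.

```python
from typing import Dict, List, Set, Tuple

# Default level of a command not moved with 'privilege': EXEC 'show'-style
# commands are level 1; privileged EXEC and configuration commands are 15.
PRIVILEGED_EXEC = {"configure", "write", "copy", "erase", "debug", "reload"}


class PrivilegeLevels:
    def __init__(self) -> None:
        self.levels: Dict[Tuple[str, str], int] = {}   # (mode, command) -> level

    def privilege(self, mode: str, level: int, command: str) -> None:
        """privilege <mode> level <n> <command>"""
        self.levels[(mode, command.lower())] = level

    def level_of(self, mode: str, command: str) -> int:
        command = command.lower()
        if (mode, command) in self.levels:
            return self.levels[(mode, command)]
        if mode != "exec":
            return 15                       # unassigned config command
        return 15 if command.split()[0] in PRIVILEGED_EXEC else 1

    def allowed(self, user_level: int, mode: str, command: str) -> bool:
        # Lower-level commands are always executable at higher levels.
        return user_level >= self.level_of(mode, command)


class CliViews:
    def __init__(self) -> None:
        self.included: Dict[str, List[Tuple[str, str, bool]]] = {}
        self.excluded: Dict[str, Set[Tuple[str, str]]] = {}
        self.exclusive: Dict[Tuple[str, str], str] = {}  # command -> owning view

    def commands(self, view: str, mode: str, action: str, command: str,
                 all_: bool = False) -> bool:
        """commands <mode> {include | include-exclusive | exclude} [all] <command>"""
        key = (mode, command.lower())
        if action == "exclude":
            self.excluded.setdefault(view, set()).add(key)
            return True
        owner = self.exclusive.get(key)
        if owner is not None and owner != view:
            return False                    # include-exclusive elsewhere: rejected
        if action == "include-exclusive":
            self.exclusive[key] = view
        self.included.setdefault(view, []).append((mode, key[1], all_))
        return True

    def allowed(self, view: str, mode: str, typed: str) -> bool:
        if view == "root":
            return True                     # root view behaves like level 15
        typed = typed.lower()
        if (mode, typed) in self.excluded.get(view, set()):
            return False
        for m, cmd, all_ in self.included.get(view, []):
            if m == mode and (typed == cmd or (all_ and typed.startswith(cmd + " "))):
                return True
        return False                        # nothing is inherited from other views


def privilege_lab() -> Dict[str, bool]:
    """user2 (level 2) and user5 (level 5) as configured in the lab."""
    p = PrivilegeLevels()
    for cmd in ("show run", "show start", "write memory", "configure terminal"):
        p.privilege("exec", 2, cmd)
    p.privilege("configure", 2, "hostname")
    p.privilege("configure", 5, "router")
    p.privilege("router", 5, "network")
    return {
        "user2 show run": p.allowed(2, "exec", "show run"),
        "user2 show privilege": p.allowed(2, "exec", "show privilege"),
        "user2 erase startup-config": p.allowed(2, "exec", "erase startup-config"),
        "user5 hostname": p.allowed(5, "configure", "hostname"),
        "user5 network": p.allowed(5, "router", "network"),
        "user5 auto-summary": p.allowed(5, "router", "auto-summary"),
    }


def views_lab() -> Dict[str, bool]:
    """admin1 ('include all show') versus engineer ('include show version')."""
    v = CliViews()
    v.commands("admin1", "exec", "include", "show", all_=True)
    v.commands("admin1", "exec", "include", "configure terminal", all_=True)
    v.commands("engineer", "exec", "include", "show version")
    v.commands("engineer", "exec", "include", "show ip interface brief")
    return {
        "admin1 show running-config": v.allowed("admin1", "exec", "show running-config"),
        "admin1 copy run start": v.allowed("admin1", "exec", "copy run start"),
        "engineer show version": v.allowed("engineer", "exec", "show version"),
        "engineer show running-config": v.allowed("engineer", "exec", "show running-config"),
    }
```

The two failing cases reproduce what the lab output shows: user5 is refused 'auto-summary' inside router mode until it is assigned at level 5, and admin1 cannot 'copy run start' because nothing outside the included 'show', 'configure terminal' and 'debug' trees is reachable from a view.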
If we want to use any commands that belong to privileged mode, we need to define them inside the view (in the above example, the copy and erase commands).

TASK: Configure the admin1 view to include the copy and erase commands.

R1#enable view
Password:
R1#show parser view
R1(config)#parser view admin1
R1(config-view)#commands exec include all copy
R1(config-view)#commands exec include all erase
R1(config-view)#exit
R1#enable view admin1
R1#sh parser view
R1#?
Exec commands:
  configure  Enter configuration mode
  copy       Copy from one file to another
  debug      Debugging functions (see also 'undebug')
  do-exec    Mode-independent "do-exec" prefix support
  enable     Turn on privileged commands
  erase      Erase a filesystem
  exit       Exit from the EXEC
  show       Show running system information

TASK:
* Create the admin2 view, establish a password, and assign privileges.
* The admin2 user is a junior administrator in training who is allowed to view all configurations but is not allowed to configure the routers or use debug commands.

R1#enable view
R1(config)#parser view admin2
R1(config-view)#
R1(config-view)#secret admin2@123
R1(config-view)#commands exec include all show
R1(config-view)#end
R1#enable view admin2
Password:
R1#show parser view
R1#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information

TASK:
* Create the Engineer view, establish a password, and assign privileges.
* The tech user typically installs end-user devices and cabling.
* Engineer users are only allowed to use selected show commands.

R1#enable view
Password:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1#sh parser view
R1(config)#parser view engineer
R1(config-view)#secret engineer@123
R1(config-view)#commands exec include show version
R1(config-view)#commands exec include show interface
R1(config-view)#commands exec include show ip interface brief
R1(config-view)#commands exec include show parser view
R1(config-view)#end
R1#enable view engineer
Password:
R1#show parser view
R1#?
Exec commands:
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information
R1#show ?
  flash:      display information about flash: file system
  interfaces  Interface status and configuration
  ip          IP information
  parser      Display parser information
  slot0:      display information about slot0: file system
  slot1:      display information about slot1: file system
  version     System hardware and software status

Understanding Switch Security Issues

[Figure: Overview of Switch Security. Devices: Firewalls, Routers, Switches. Submodules: Edge and DMZ, Core and Distribution, Access.]

Rogue Access Points
Rogue network devices:
+ Wireless hubs
+ Wireless routers
+ Access switches
+ Hubs
These devices are typically connected at access-level switches.

Switch Attack Categories & Solutions
Layer 2 attacks:
+ MAC table overflow attacks
+ VLAN attacks
+ Spoofing attacks (MAC, IP, ARP, DHCP)
Switch security:
+ Port-security
+ DHCP Snooping
+ IP Source Guard
+ Dynamic ARP Inspection
+ Storm Control

MAC Address Table Overflow Attack
[Figure: attacker, switch and servers B and D in VLAN 10.]
1. The attacker floods the CAM table with frames carrying numerous invalid (bogus) source MACs until the CAM table is full. Valid hosts cannot create CAM entries.
2. Normal traffic is flooded out all ports because no CAM entries exist for the valid hosts.
3. The attacker sees the traffic to servers B and D.

Port Security Overview
Allows an administrator to statically specify MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses.

Port Security Configuration
(config)# interface f0/1
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security maximum value
(config-if)# switchport port-security violation {protect | restrict | shutdown}

Note:
+ Port-security works only on ports configured as static access or static trunks (it does not work on dynamic ports).
+ The default violation action is "shutdown".

Port-Security Violation Parameters
(config-if)# switchport port-security violation {protect | restrict | shutdown}

Shutdown
+ The port is immediately put into the err-disable state.
Protect
+ The port is allowed to stay up, as in the restrict mode. When the port reaches its MAC address limit, it stops learning MAC addresses. Although packets from violating addresses are dropped, no record of the violation is kept.
Restrict
+ The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

Verifying Port Security
Displays MAC address table security information:
Switch# show port-security address
[Figure: Secure Mac Address Table output listing SecureConfigured entries.]

MAC Address Spoofing Attack
[Figure: The switch keeps track of the endpoints by maintaining a MAC address table: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly." In MAC spoofing, the attacker poses as another host, in this case AABBcc: "I have changed the MAC address on my computer to match the server." The switch: "The device with MAC address AABBcc has changed location to Port 2. I must adjust my MAC address table accordingly."]

MAC Address Spoofing Attack (solution)
Binding MAC addresses to specific ports: Port Security (Binding MAC addresses)

(config-if)# switchport port-security violation {protect | restrict | shutdown}
Manual binding of MAC addresses:
(config-if)# switchport port-security mac-address mac-address
Sticky learning:
(config-if)# switchport port-security mac-address sticky

View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type        Ports    Remaining Age (mins)
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Verify Port-security
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/1
Port Security              : Enabled
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute

LAB : PORT-SECURITY
[Figure: one switch with PCs 192.168.1.1, 192.168.1.2, 192.168.1.3 and 192.168.1.4.]

TASK:
* Configure port-security on f0/1 with the maximum mac-address limit set to 2.
* Also use the mac-address sticky option to bind the MAC addresses on port f0/1.
* If the limit is exceeded, the default violation rule (shutdown) has to apply.

Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#end
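Before walking through the switch output, the following Python model replays what the configuration above will do on f0/1: learn the first two source MACs as sticky entries, err-disable the port on a third, recover with shutdown / no shutdown, and then behave differently once the violation action is changed. It is an added example, not code from the workbook or from Cisco IOS; the two sticky MAC addresses are the ones the lab output shows being learned, the third MAC is constructed, and the log text is a stand-in for the switch's own syslog message.

```python
from dataclasses import dataclass, field
from typing import Dict, List

FORWARD, DROP, ERR_DISABLED = "forward", "drop", "err-disabled"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # IOS default
    violation: str = "shutdown"      # IOS default action
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)   # stand-in for syslog

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with source MAC src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return ERR_DISABLED               # port is down; nothing passes
        if mac in self.secure_macs:
            return FORWARD
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)      # learned as a secure address
            return FORWARD
        # Address limit reached and this MAC is not secure: a violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.log.append(f"{self.name}: violation by {mac}, port err-disabled")
            return ERR_DISABLED
        if self.violation == "restrict":
            self.violation_count += 1         # counted; trap/syslog-worthy
            self.log.append(f"{self.name}: violation by {mac}, frame dropped")
            return DROP
        return DROP                           # protect: silent drop, no record

    def shut_no_shut(self) -> None:
        """'shutdown' followed by 'no shutdown' recovers an err-disabled port."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """The interface section as 'show running-config' would print it."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}"]
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs]
        return lines


def lab_walkthrough() -> Dict[str, object]:
    """Replay the lab: maximum 2, sticky, then each violation action."""
    pc1, pc3 = "0005.5e88.800b", "00e0.a325.1980"   # learned in the lab output
    pc4 = "0000.0c00.0004"                           # constructed third MAC
    port = SecurePort("FastEthernet0/1", maximum=2, sticky=True)
    out: Dict[str, object] = {}
    out["pc1"] = port.receive(pc1)
    out["pc3"] = port.receive(pc3)
    out["pc4 shutdown"] = port.receive(pc4)          # third MAC: err-disable
    out["pc1 while errdisabled"] = port.receive(pc1) # even PC1 is cut off
    port.shut_no_shut()
    out["pc1 after recovery"] = port.receive(pc1)
    port.violation = "protect"
    out["pc4 protect"] = port.receive(pc4)
    out["count after protect"] = port.violation_count
    port.violation = "restrict"
    out["pc4 restrict"] = port.receive(pc4)
    out["count after restrict"] = port.violation_count
    out["config"] = port.running_config()
    return out
```

The "pc1 while errdisabled" result is the operational cost of the default action: one stray device takes the legitimate host down with it until an administrator bounces the port, which is why the lab later switches the action to protect.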
Switch#sh running-config
Building configuration...
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky

Switch#clear mac-address-table
Switch#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------

TASK:
+ Configure the f0/1 port to use portfast to ensure that it comes to forwarding immediately.
+ Connect the PC (192.168.1.1) on f0/1 and generate traffic by pinging other devices in the LAN.
+ Try connecting another device and generate traffic to test the port-security violation rule.

Switch(config)#int f0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#end

NOTE: Portfast is not mandatory for port-security; we use it here only to speed up access-port convergence while testing and verifying.

PC>ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........:
   IP Address......................: 192.168.1.1
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.100

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Switch#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.9744.5308    DYNAMIC     Fa0/2
   1    0005.5e88.800b    STATIC      Fa0/1

Switch#sh run
Building configuration...
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 spanning-tree portfast

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------

Sticky will automatically bind the MAC address learned on the f0/1 port. The maximum option will not allow more MAC addresses than the configured maximum (two, as configured here) to be learned.

TASK:
+ Remove the PC connected on f0/1, connect another PC (here 192.168.1.3) and generate traffic from the newly connected PC.

Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 switchport port-security mac-address sticky 00E0.A325.1980
 spanning-tree portfast

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------

+ Connect PC4 (192.168.1.4) to the f0/1 port after removing 192.168.1.3.
+ Verify that, as per the configuration, the f0/1 port goes into the err-disable state.

PC>ipconfig
FastEthernet0 Connection:(default port)
   Link-local IPv6 Address.........: FE80::20C:CFFF:FEE2:3946
   IP Address......................: 192.168.1.4
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 0.0.0.0

PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual down                  down

TASK:
* Reconnect PC1 (192.168.1.1) back on the f0/1 port.
* Ensure that the port comes back to the up state and can reach other devices in the LAN.

Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Switch(config)#int f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end

Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol

Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 switchport port-security mac-address sticky 00E0.A325.1980
 spanning-tree portfast

Switch#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.974d.5308    DYNAMIC     Fa0/2

On f0/1, MAC binding is done with the PC1 and PC2 MAC addresses. If any other device is connected on f0/1, it will put the port into the shutdown state.

TASK: Configure the violation rule to protect mode instead of shutdown.

Switch(config)#int f0/1
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#end

Switch#sh running-config
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0005.5E88.800B
 switchport port-security mac-address sticky 00E0.A325.1980
 spanning-tree portfast

To test, connect PC3 to f0/1 and try generating traffic to other devices in the LAN.

Switch#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------

PC>ipconfig
FastEthernet0 Connection:(default port)
PC>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

DHCP Spoofing Attack
+ The attacker activates a DHCP server on the VLAN.
+ The attacker replies to valid client DHCP requests.
+ The attacker assigns IP configuration information that establishes the rogue device as the client's default gateway.
+ The attacker establishes a "man-in-the-middle" attack.

DHCP Process
[Figure: DHCP client and DHCP server exchange: IP address request, IP address selection, IP address acknowledgment.]

DHCP Snooping
+ DHCP snooping allows the configuration of ports as trusted or untrusted.
  = Untrusted ports cannot process DHCP replies.
+ Configure DHCP snooping trust on uplinks to a DHCP server.
  = Do not configure DHCP snooping trust on client ports.

DHCP Snooping Configuration
[Figure: DHCP server reached through the trusted port; clients on untrusted ports.]
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan number [number]
Switch(config)# interface f0/1
Switch(config-if)# ip dhcp snooping trust

Verifying DHCP Snooping
* Verifies the DHCP snooping configuration:
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet2/1            yes        none
FastEthernet2/2            yes        none
FastEthernet3/1            no         20

LAB : DHCP Snooping
[Figure: SW1 with R1 as DHCP server on f0/0, a rogue DHCP server, a DHCP client, and SW1's VLAN 10 interface 192.168.1.50.]

TASK:
* Create VLAN 10 and assign IP address 192.168.1.50 to the VLAN 10 interface.
* Connect devices as per the diagram and configure ports f0/1 - 4 in VLAN 10.
* Enable portfast on these ports for faster convergence (for testing only; not mandatory).

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#int vlan 10
SW1(config-if)#ip address 192.168.1.50 255.255.255.0
SW1(config-if)#exit
SW1(config)#int range f0/1 - 4
SW1(config-if-range)#switchport access vlan 10
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#spanning-tree portfast
SW1(config-if-range)#no shutdown
SW1(config-if-range)#end

TASK:
* Configure R1 to be the DHCP server and verify on R3 (as DHCP client).
* Use the network range 192.168.1.0/24; R1 should be the default gateway (192.168.1.100).
R-l(config)#int f0/0 (config-if}#ip address 192.168.1.100 255.255.255.0 (config-if}#no shutdown (config-if}#exit Ra Ra Ra Rel(config)#ip dhep pool CCIE R-1(dhep-config)#network 192.168.1.0 255.255.255.0, NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolutions. com Page 131 R-l(dhep-config)#default-router 192.168.1.100 R-l(dhep-config)#exit R-l#sh ip dhep pool Pool CCIE: Utilization mark (high/low): 100 /0 Subnet size (first/next) 0/0 Total addresses 254 Leased addresses 20 Pending event none 1 subnet is currently in the pool : Current index IP address range Leased addresses R3-DCHPClient(config)int f0/0 R3-DCHPClient(config-if}#ip address dhcp R3-DCHPClient(config-if}#no shutdown R3-DCHPClient(config-if#end DCHPClient#sh ip int brief Interface IP-Address OK? Method Status FastEthernet0/1 unassigned YES NVRAM up R-ldsh ip dhep binding Bindings from all pools not associated with VRF: IP address Client-ID/ Hardware address/ User name TAS! * Enable DHCP snooping on SW/ for vlan 10 * SWI should store the binding database in flash with the filename DHCP.txt. SWWI(config)#ip dhep snooping SW/(config)#ip dhep snooping vlan 10 Swi(config)ip dhep snooping database flash:DHCP.txt SW(config)#end Protocol down NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolutions. com Page 132 SW/lish ip dhep snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 10 Insertion of option 82 is enabled Option 82 on untrusted port is not allowed Verification of hwaddr field is enabled Interface Trusted — Rate limit (pps) SW1i#debug ip dhep snooping agent SWt#debug ip dhep snooping packet Release IP address on R3 client and verify if client can get IP address from DHCP server. 
DCHPClient#release dhep f0/0 DCHPClient#sh ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES DHCP. up up FastEthernet0/1 unassigned = YES NVRAM up down DCHPClient(config)#int f0/0 DCHPClient(config-if}#shutdown DCHPClient(config-if}#no shutdown, DCHPClient(config-if}#end 00: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10 00:51:19: DHCPSN: DHCP packet being sent to PI snooping process HCP_SNOOPING: received new DHCP packet from input interface (FastEthernet HCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input FaQ/3, MAC da: fF fIF-fTFf, MAC sa: O1C.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0. DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddis 10010] DHCP chaddr: 001¢.5808.f18e 00:51:19: DHCP_SNOOPING: add relay information option. (00:51:19: DHCP_SNOOPING._sW: Encoding opt82 in vian-mod-port format 00:51:19: DHCP_SNOOPING: binary dump of relay info option, length: 20 data: (0x52 OxI2 Ox1 Ox6 OxO Ox44 OxO OxA OxO Ox2 0x2 OX8 OxO Ox6 OxO OxB OxBE OXE2 OxFA OxO 00:51:19: DHCP_SNOOPING_SW bridge packet get invalid mat entry: FFFF.FFFF.FFFF, pac ket is flooded to ingress VLAN: (10) 00:51:19: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Viant0. 00:51:20: %LINK-3-UPDOWN: Interface FastEthemet0/3, changed state to up NOA solutions,N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. +91 40 65890380, +91 7036826345 www.noasolution on’ Page 133 00:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed s tate to up 00:51:23: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10 00:51:23: DHCPSN: DHCP packet being sent to Pl snooping process DCHPClient#sh ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/O unassigned YESDHCP up = up FastEthernet0/1 unassigned YES NVRAM up. 
down * Client is not able to get ip address from DHCP as by default once we enable DHCP snooping all the ports will be treated as untrusted and switch do not allow DHCP offer messanges on untrusted ports. + We need to configure the ports connecting to DHCP as trusted so that | can forward DHCP offer messages SW/I(config)#int f0/1 SWI(config-if}#ip dhep snooping trust SWI(configif}#exit (One more issue that with IOS DHCP servers is the switch inserts the option but leaves the “giaddr” field at zero. Thus, a DHCP Server may assume that option has been formatted incorrectly, because a DHCP Relay is supposed to set the “giaddr” field to its own IP address. An lOS DHCP server will reject by default such DHCP messages. To overcome this issue, you may use one of the following methods: 1. Instruct the IOS DHCP Server to accept DHCP messages with a zero “giaddr” by using the global command ip dhep relay information trust-all or the interface-level command ip dhcp relay information trusted . 2. Configure the DHCP Snooping feature in the switch not to insert Option 82. This is accomplished by using the command no ip dhep-snooping information option.Trust the port where you receive the original DHCP message. The DHCP Snooping feature does not insert any Information Option into the received packets, SW1I(config)#no ip dhep snooping information opt DCHPClientésh ip int brief Interface IP-Address_ OK? Method Status Protocol FastEthernet0/0 192.168.1.1_ YES DHCP up up FastEthernet0/1 unassigned YES NVRAM up, down NOA solutions,N.K Arcade, 2nd & 3rd floor,Opposite to banjara function hall,Banjarahills road no 1 Hyderabad, INDIA. 
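The two snooping behaviours just seen (server replies dropped on an untrusted port, and the IOS DHCP server rejecting an option 82 packet whose giaddr is still 0.0.0.0) are easy to lose track of in debug output. The Python below is an added example, not code from the workbook or from Cisco IOS: it models the switch's forwarding decision, encodes and decodes option 82 in the vlan-mod-port format the debug shows (circuit-id sub-option 1 carrying VLAN/module/port, remote-id sub-option 2 carrying the switch base MAC; the 18-byte value matches the 0x52 0x12 length seen in the dump), and applies the server-side giaddr check with and without trust-all. The client MAC 001c.5808.ff8e, the switch MAC 000b.bee2.fa00 and the port names are taken from the lab; the function names and the switch-mac default are this example's own assumptions.

```python
"""DHCP snooping behaviour from the lab, modelled in Python (added example,
not the workbook's code): server replies dropped on untrusted ports, option 82
inserted in Cisco vlan-mod-port format on untrusted client ports, and the
IOS DHCP server's default rejection of option 82 with giaddr 0.0.0.0.
All MACs, ports and packets below are constructed to mirror the lab."""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE",
                   "DHCPDECLINE", "DHCPINFORM"}


@dataclass
class DhcpPacket:
    msg_type: str
    chaddr: str                 # client MAC in Cisco dotted form
    giaddr: str = "0.0.0.0"     # relay agent address; zero unless relayed
    options: dict = field(default_factory=dict)   # option code -> value bytes


def encode_option82(vlan, module, port, switch_mac):
    """Build the option 82 value in Cisco vlan-mod-port format:
    sub-option 1 (circuit-id): 00 04 <vlan:2> <module:1> <port:1>
    sub-option 2 (remote-id):  00 06 <switch base MAC:6>
    The 0x52 tag and the length byte (0x12 for these 18 bytes) are not part
    of the value; they precede it in the 'binary dump' debug line."""
    circuit = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = bytes([0, 6]) + bytes.fromhex(switch_mac.replace(".", ""))
    return (bytes([1, len(circuit)]) + circuit
            + bytes([2, len(remote)]) + remote)


def decode_option82(value):
    """Walk the sub-option TLVs and recover vlan/module/port and remote-id."""
    out, i = {}, 0
    while i + 2 <= len(value):
        sub, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if sub == 1 and body[:2] == b"\x00\x04" and len(body) == 6:
            out["vlan"] = int.from_bytes(body[2:4], "big")
            out["module"], out["port"] = body[4], body[5]
        elif sub == 2 and body[:2] == b"\x00\x06" and len(body) == 8:
            mac = body[2:].hex()
            out["remote_id"] = ".".join(mac[j:j + 4] for j in range(0, 12, 4))
        i += 2 + length
    return out


def _module_port(interface):
    """'Fa0/3' -> (0, 3); fills the circuit-id sub-option."""
    module, port = interface.split("/")[-2:]
    return int("".join(ch for ch in module if ch.isdigit())), int(port)


def snoop(packet, ingress, vlan, trusted_ports, insert_option82=True,
          switch_mac="000b.bee2.fa00"):
    """Decide what the snooping switch does with a DHCP packet arriving on
    'ingress'. Returns ('forward', packet) or ('drop', reason)."""
    trusted = ingress in trusted_ports
    if packet.msg_type in SERVER_MESSAGES and not trusted:
        # Why the client got no lease before 'ip dhcp snooping trust' on f0/1
        return "drop", f"{packet.msg_type} on untrusted port {ingress}"
    if not trusted and 82 in packet.options:
        return "drop", "option 82 already present on untrusted port"
    if packet.msg_type in CLIENT_MESSAGES and not trusted and insert_option82:
        module, port = _module_port(ingress)
        packet.options[82] = encode_option82(vlan, module, port, switch_mac)
    return "forward", packet


def ios_server_accepts(packet, trust_all=False):
    """Server-side check from the text: option 82 with giaddr 0.0.0.0 is
    rejected unless 'ip dhcp relay information trust-all' (trust_all) is set."""
    if 82 in packet.options and packet.giaddr == "0.0.0.0" and not trust_all:
        return False
    return True


def lab_walkthrough():
    """Replay the lab: untrusted offer, trusted offer, and the option 82 /
    giaddr problem with its two fixes. Returns the observations."""
    client_mac, vlan = "001c.5808.ff8e", 10
    res = {}
    offer = DhcpPacket("DHCPOFFER", client_mac)
    res["offer_untrusted"] = snoop(offer, "Fa0/1", vlan, trusted_ports=set())[0]
    res["offer_trusted"] = snoop(offer, "Fa0/1", vlan, trusted_ports={"Fa0/1"})[0]

    disc = DhcpPacket("DHCPDISCOVER", client_mac)
    _, disc = snoop(disc, "Fa0/3", vlan, trusted_ports={"Fa0/1"})
    res["discover_opt82"] = decode_option82(disc.options[82])
    res["server_default"] = ios_server_accepts(disc)             # rejected
    res["server_trust_all"] = ios_server_accepts(disc, trust_all=True)

    disc2 = DhcpPacket("DHCPDISCOVER", client_mac)
    _, disc2 = snoop(disc2, "Fa0/3", vlan, {"Fa0/1"}, insert_option82=False)
    res["server_no_option"] = ios_server_accepts(disc2)          # accepted
    return res


if __name__ == "__main__":
    for key, value in lab_walkthrough().items():
        print(f"{key}: {value}")
```

Run it as a script to see each step; the decoded circuit-id from the client's DISCOVER on Fa0/3 reads VLAN 10, module 0, port 3, and the remote-id is the switch MAC, which is what the debug's vlan-mod-port encoding carries.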
SW1#
01:00:18: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.1.10)
01:00:37: DHCP_SNOOPING: checking expired snoop binding entries
01:00:38: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
01:00:38: DHCPSN: DHCP packet being sent to PI snooping process
01:00:38: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
01:00:38: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 001c.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:38: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:38: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:38: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:38: DHCPSN: Found ingress pkt on Fa0/1 VLAN 10
01:00:38: DHCPSN: DHCP packet being sent to PI snooping process
01:00:38: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
01:00:38: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa0/1, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa1d.8596, IP da: 255.255.255.255, IP sa: 192.168.1.100, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:42: DHCPSN: Found ingress pkt on Fa0/1 VLAN 10
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
01:00:42: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Fa0/1, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa1d.8596, IP da: 255.255.255.255, IP sa: 192.168.1.100, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/3.
01:00:42: DHCPSN: Found ingress pkt on Fa0/3 VLAN 10
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/3)
01:00:42: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Fa0/3, MAC da: ffff.ffff.ffff, MAC sa: 001c.5808.ff8e, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (10)
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan10.
01:00:42: DHCP_SNOOPING_SW: bridge packet send packet to port: FastEthernet0/1.
01:00:42: DHCPSN: Found ingress pkt on Fa0/1 VLAN 10
01:00:42: DHCPSN: DHCP packet being sent to PI snooping process
01:00:42: DHCP_SNOOPING: received new DHCP packet from input interface (FastEthernet0/1)
01:00:42: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Fa0/1, MAC da: ffff.ffff.ffff, MAC sa: 0019.aa1d.8596, IP da: 255.255.255.255, IP sa: 192.168.1.100, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 192.168.1.1, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 001c.5808.ff8e
01:00:42: DHCP_SNOOPING: add binding on port FastEthernet0/3.
01:00:42: DHCP_SNOOPING: added entry to table (index 82)
01:00:42: DHCP_SNOOPING: dump binding entry: Mac=00:1C:58:08:FF:8E Ip=192.168.1.1 Type=dhcp-snooping Vlan=10 If=FastEthernet0/3
01:00:42: DHCP_SNOOPING: direct forward dhcp reply to output port: FastEthernet0/3.

SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface  Trusted  Rate limit (pps)

SW1#sh ip dhcp snooping binding
MacAddress         IpAddress    Lease(sec)  Type           VLAN  Interface
00:1C:58:08:FF:8E  192.168.1.1  86338       dhcp-snooping  10    FastEthernet0/3
Total number of bindings: 1

SW1#sh ip dhcp snooping database
Agent URL : flash:DHCP.txt
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : 112 (00:01:52)
Abort Timer Expiry : Not Running
Last Succeded Time : 00:30:24 UTC Mon Mar 1 1993
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts       : 1   Startup Failures : 0
Successful Transfers : 1   Failed Transfers : 0
Successful Reads     : 0   Failed Reads     : 0
Successful Writes    : 1   Failed Writes    : 0
Media Failures       : 0

SW1#sh flash:
Directory of flash:/
  2  -rwx      322  Jan 1 1970 00:05:09 +00:00  system_env_vars
  3  -rwx      984  Mar 1 1993 00:01:19 +00:00  vlan.dat
  5  -rwx  6917476  Mar 1 1993 00:22:16 +00:00  c3550-ipservicesk9-mz.122-25.sec2.bin
  7  drwx      128  Mar 1 1993 00:12:36 +00:00  c3550-i9q3l2-mz.121-11.EA1
 20  -rwx     2795  Mar 1 1993 00:50:20 +00:00  config.text
 22  -rwx       13  Jan 1 1970 00:05:09 +00:00  env_vars
 23  -rwx       47  Mar 1 1993 00:30:24 +00:00  DHCP.txt
 26  -rwx       24  Mar 1 1993 00:50:21 +00:00  private-config.text
15998976 bytes total (7676416 bytes free)

SW1#more flash:DHCP.txt
20916015
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.1.1 10 001c.5808.ff8e 2B92B1BA Fa0/3 4d 3955
END

TASK:
* Configure a rogue DHCP server on R2 (connecting on f0/2).
* SW1 f0/2 is an untrusted port by default, and the client should not get an IP address from the rogue DHCP server.

R2-RougeDHCP(config)#int f0/0
R2-RougeDHCP(config-if)#ip address 192.168.1.200 255.255.255.0
R2-RougeDHCP(config-if)#no shutdown
R2-RougeDHCP(config-if)#end
R2-RougeDHCP(config)#ip dhcp pool ROUGE
R2-RougeDHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
R2-RougeDHCP(dhcp-config)#default-router 192.168.1.200
R2-RougeDHCP(dhcp-config)#exit

DCHPClient#release dhcp f0/0
DCHPClient#sh ip int brief
Interface        IP-Address  OK? Method  Status  Protocol
FastEthernet0/1  unassigned  YES NVRAM   up      down
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient(config-if)#end

TASK:
* Shut down the interface f0/1 connecting to the DHCP server.
* Verify again by releasing the IP address on the client.

SW1(config)#int f0/1
SW1(config-if)#shutdown
SW1(config-if)#exit

DCHPClient#release dhcp f0/0
DCHPClient#sh ip int brief
Interface        IP-Address  OK? Method  Status  Protocol
FastEthernet0/0  unassigned  YES DHCP    up      up
FastEthernet0/1  unassigned  YES NVRAM   up      down
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient#sh ip int brief
Interface        IP-Address  OK? Method  Status  Protocol
FastEthernet0/0  unassigned  YES DHCP    up      up
FastEthernet0/1  unassigned  YES NVRAM   up      down

TASK:
* Remove the IP DHCP snooping configuration from the client.

SW1(config)#no ip dhcp snooping
SW1(config)#no ip dhcp snooping vlan 10
SW1(config)#no ip dhcp snooping database flash:
SW1(config)#exit
SW1(config)#int f0/1
SW1(config-if)#no ip dhcp snooping trust
SW1(config-if)#end

DCHPClient#release dhcp f0/0
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient#sh ip int brief
Interface        IP-Address   OK? Method  Status  Protocol
FastEthernet0/0  192.168.1.1  YES DHCP    up      up
FastEthernet0/1  unassigned   YES NVRAM   up      down

* Now the client gets its IP address from the rogue DHCP server, as the valid DHCP server is down and there is no DHCP snooping configured.
* We configured the gateway on the rogue DHCP server as 192.168.1.200. To test and verify, disable IP routing and trace.

DCHPClient(config)#no ip routing
DCHPClient(config)#exit
DCHPClient#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
  1 192.168.1.200 0 msec 0 msec 4 msec

TASK :
* Reconfigure IP DHCP snooping and prevent the client from getting an IP address and gateway from the rogue DHCP server; ensure that the client can reach the valid DHCP server.

SW1(config)#int f0/1
SW1(config-if)#no shutdown
SW1(config-if)#end
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10
SW1(config)# ip dhcp snooping database flash:DHCP.txt
SW1(config)# no ip dhcp snooping information option
SW1(config)#int f0/1
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#end

DCHPClient#release dhcp f0/0
DCHPClient(config)#int f0/0
DCHPClient(config-if)#shutdown
DCHPClient(config-if)#no shutdown
DCHPClient(config-if)#end
DCHPClient#sh ip int brief
Interface        IP-Address  OK? Method  Status  Protocol
FastEthernet0/1  unassigned  YES NVRAM   up      down

DCHPClient#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
  1 192.168.1.100 !H * !H

SW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface        Trusted  Rate limit (pps)
FastEthernet0/1  yes      unlimited

IP Spoofing Attack
[Figure: man-in-the-middle attacker between User 1's computer and User 2's computer; direct network traffic is interrupted, and each computer thinks it is talking to the other]

TCP SYN Flooding Attack
» Attacker floods the server with numerous TCP SYNs with unused IP addresses (IP spoofing).
» Server is busy responding but cannot find the source.
Result:
» Denial of service
» Bandwidth utilization
[Figure: TCP SYN flooding: SYNs with unused source IP addresses sent to the server; a SYN with a valid source IP address is left unanswered]

IP Source Guard
» Prevents IP packet spoofing and TCP SYN flooding attacks in the LAN
» Validates the correct source IP and MAC address
» Accepts the packets with source IP addresses matching bindings created for the port
» For binding, uses DHCP snooping information, or an IP can be bound to a port manually
IP Source Guard is configured on untrusted Layer 2 interfaces.

Configuring IP Source Guard
Switch(config)# interface f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source port-security
Switch(config)# ip source binding 0000.0000.1111 vlan 10 192.168.1.1 interface f0/1
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

LAB : IP Source Guard :
[Figure: lab topology: SW1 (192.168.1.50) with R1 and R2 connected on f0/1 - 2]

TASK:
* Connect the topology and assign IP addressing as per the diagram.
* Create vlan 10 and assign all connecting ports to vlan 10.

SW1(config)# vlan 10
SW1(config)# int range f0/1 - 2
SW1(config-if-range)# ...
SW1(config)#int vlan 10
SW1(config-if)# ip address 192.168.1.50 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#end

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#exit

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TASK:
* Configure SW1 to prevent IP address spoofing on the f0/1 - 2 interfaces.
* Enforce Layer 2 filtering for the MAC addresses corresponding to the secured IP addresses at the same time.

SW1(config)# int range f0/1 - 2
SW1(config-if-range)# ...
SW1(config-if-range)#exit
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#end

* Once you enable IP Source Guard, the switch only permits IP packets that match the DHCP snooping database or static IP-to-MAC address and port bindings.
* The switch also allows ingress DHCP packets so that hosts can obtain IP addresses.
* IP Source Guard relieves you from the need to apply IP ingress filtering on individual ports to prevent IP address spoofing.
* The switch filters packets based on both the source IP and MAC addresses, and the secure MAC address is taken from the DHCP snooping database or a static mapping entry.
* You may enable IP Source Guard on a trunk port as well. In this case, DHCP snooping must be enabled on all trunked VLANs for filtering to work properly.

SW1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms
SW1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms

SW1#sh ip arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.50  -          000b.bee2.fa00  ARPA  Vlan10
Internet  192.168.1.10  0          a4ba.dbbe.d185  ARPA  Vlan10

SW1(config)#ip source binding 0019.aa1d.8596 vlan 10 192.168.1.1 interface f0/1
SW1(config)#ip source binding 0018.73c3.0b20 vlan 10 192.168.1.2 interface f0/2
SW1(config)#end

SW1#sh ip source binding
MacAddress         IpAddress    Lease(sec)  Type    VLAN  Interface
00:19:AA:1D:85:96  192.168.1.1  infinite    static  10    FastEthernet0/1
00:18:73:C3:0B:20  192.168.1.2  infinite    static  10    FastEthernet0/2
Total number of bindings: 2

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

SW1#sh ip verify source
Interface  Filter-type  Filter-mode  IP-address   Mac-address        Vlan
Fa0/1      ip-mac       active       192.168.1.1  00:19:AA:1D:85:96  10
Fa0/2      ip-mac       active       192.168.1.2  00:18:73:C3:0B:20  10

TASK:
* Ensure that the filtering actually prevents IP address spoofing by changing the IP address on R1.

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.5 255.255.255.0
R1(config-if)#exit
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
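The IP Source Guard lab above ends with the spoofed source 192.168.1.5 being dropped on f0/1 while the bound address passes. The Python below is an added example, not code from the workbook or from Cisco IOS: it models the per-port binding check, the difference between IP-only filtering (`ip verify source`) and IP+MAC filtering (`ip verify source port-security`, the `ip-mac` filter type shown by `show ip verify source`), and the DHCP pass-through that lets a host obtain its lease. The R1/R2 addresses and MACs are the lab's; the class and function names, the `Fa0/x` port labels, and the spoofed MAC aaaa.aaaa.aaaa are this example's own constructions.

```python
"""IP Source Guard as exercised in the lab, modelled in Python (added example,
not the workbook's code). A port with IPSG enabled forwards IP traffic only when
the source matches a binding for that port: source IP alone with
'ip verify source', source IP and MAC with 'ip verify source port-security'.
Bindings, packets and the R1/R2 addresses below are constructed to mirror the lab."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str          # Cisco dotted form, e.g. 0019.aa1d.8596
    ip: str
    vlan: int
    interface: str
    source: str       # 'static' (ip source binding) or 'dhcp-snooping'


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    src_mac: str
    ingress: str
    vlan: int
    is_dhcp: bool = False   # DHCP is always let through so hosts can get a lease


class IpSourceGuard:
    def __init__(self, bindings=()):
        self.bindings = list(bindings)
        self.ports = {}           # interface -> 'ip' or 'ip-mac'

    def enable(self, interface, check_mac=False):
        """'ip verify source' (IP only) or 'ip verify source port-security'."""
        self.ports[interface] = "ip-mac" if check_mac else "ip"

    def add_static(self, mac, ip, vlan, interface):
        """Equivalent of 'ip source binding MAC vlan N IP interface X'."""
        self.bindings.append(Binding(mac.lower(), ip, vlan, interface, "static"))

    def verdict(self, pkt):
        mode = self.ports.get(pkt.ingress)
        if mode is None:
            return "permit", "IP Source Guard not enabled on port"
        if pkt.is_dhcp:
            return "permit", "DHCP client traffic is always allowed"
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (pkt.ingress, pkt.vlan, pkt.src_ip):
                continue
            if mode == "ip" or b.mac == pkt.src_mac.lower():
                return "permit", f"matches {b.source} binding"
        return "deny", "source does not match any binding on this port"

    def show_ip_verify_source(self):
        """Rows in the spirit of 'show ip verify source'."""
        rows = []
        for intf, mode in sorted(self.ports.items()):
            for b in self.bindings:
                if b.interface == intf:
                    rows.append((intf, mode, "active", b.ip, b.mac, b.vlan))
        return rows


def lab_scenario():
    """Static bindings for R1 (f0/1) and R2 (f0/2), then the spoofing test."""
    ipsg = IpSourceGuard()
    for intf in ("Fa0/1", "Fa0/2"):
        ipsg.enable(intf, check_mac=True)
    ipsg.add_static("0019.aa1d.8596", "192.168.1.1", 10, "Fa0/1")
    ipsg.add_static("0018.73c3.0b20", "192.168.1.2", 10, "Fa0/2")

    r1 = "0019.aa1d.8596"
    res = {
        "r1_normal": ipsg.verdict(IpPacket("192.168.1.1", r1, "Fa0/1", 10))[0],
        # R1 changes its address to .5: no binding for that IP on Fa0/1
        "r1_spoofed_ip": ipsg.verdict(IpPacket("192.168.1.5", r1, "Fa0/1", 10))[0],
        # right IP, wrong MAC: caught only because the port checks MAC as well
        "r1_spoofed_mac": ipsg.verdict(IpPacket("192.168.1.1", "aaaa.aaaa.aaaa", "Fa0/1", 10))[0],
        # R2 claiming R1's address from its own port
        "r2_claims_r1": ipsg.verdict(IpPacket("192.168.1.1", "0018.73c3.0b20", "Fa0/2", 10))[0],
        "dhcp_passthrough": ipsg.verdict(IpPacket("0.0.0.0", r1, "Fa0/1", 10, is_dhcp=True))[0],
    }
    # Same wrong-MAC packet under plain 'ip verify source' (IP-only filtering)
    ip_only = IpSourceGuard(ipsg.bindings)
    ip_only.enable("Fa0/1")
    res["ip_only_spoofed_mac"] = ip_only.verdict(
        IpPacket("192.168.1.1", "aaaa.aaaa.aaaa", "Fa0/1", 10))[0]
    return res
```

The last entry is the point of the lab's second task: with IP-only verification a host that keeps its bound IP but changes its MAC still passes, so binding the MAC as well (the `ip-mac` filter type) is what closes that gap.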
ARP Spoofing
[Figure: normal traffic pattern: target computer, switch, router; sniffer sees nothing]
[Figure: ARP spoofing with a poisoned ARP cache: traffic between target computer and router passes through the sniffer]

Dynamic ARP Inspection
* Prevents ARP spoofing attacks.
* Creates a special IP-to-MAC address binding table in the switch.
* This table is dynamically built based on the DHCP snooping database contents, or you can add static entries to the database manually using ARP inspection access-lists.
* DAI associates each interface with a trusted state or an untrusted state.
* Trusted interfaces bypass all DAI.
* Untrusted interfaces undergo DAI validation.

DAI (MAC to IP binding)
» When enabled, by default the IP ARP inspection feature builds all ARP mapping information based on the DHCP bindings table.
» If there are hosts on the segment not using DHCP for address allocation, you must configure ARP access-lists.

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
SW1(config-arp-nacl)# exit
SW1(config)#ip arp inspection vlan 10
SW1(config)#ip arp inspection filter ARP_VLAN10 vlan 10

Dynamic ARP Inspection Configuration
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#exit
SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
SW1(config-arp-nacl)# exit
SW1(config)#ip arp inspection vlan 10
SW1(config)#ip arp inspection filter ARP_VLAN10 vlan 10
SW1(config)#int f0/5
SW1(config-if)#ip arp inspection trust
SW1(config-if)#end

SW1#sh ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan  Configuration  Operation  ACL Match   Static ACL
10    Enabled        Active     ARP_VLAN10  No
Vlan  ACL Logging  DHCP Logging
10    Deny         Deny

[Figure: lab topology: SW1 (192.168.1.50), PC (192.168.1.10) on f0/5, R1 and R2 on f0/1 - 2]

TASK:
* Configure f0/1 - 2 connecting to R1/R2 as access ports in vlan 10.
* Connect the topology and assign IP addressing as per the diagram.
* Create vlan 10 and assign all connecting ports to vlan 10.

SW1(config)# vlan 10
SW1(config)#int vlan 10
SW1(config-if)# ip address 192.168.1.50 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#end
SW1(config)# int range f0/1 - 2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# spanning-tree portfast

R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#exit

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TASK:
* Configure SW1 to prevent ARP poisoning attacks on VLAN 10.
* Without configuring trust ports on SW1, ensure it enforces ARP security for SW2 and SW.

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#exit

SW1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
SW1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SW1#sh ip arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.50  -          000b.bee2.fa00  ARPA  Vlan10
Internet  192.168.1.10  0          a4ba.dbbe.d185  ARPA  Vlan10
Internet  192.168.1.1   36         0019.aa1d.8596  ARPA  Vlan10
Internet  192.168.1.2   71         0018.73c3.0b20  ARPA  Vlan10

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
SW1(config-arp-nacl)# permit ip host 192.168.1.10 mac host a4ba.dbbe.d185 log
SW1(config-arp-nacl)#exit

NOTE
* Here the f0/5 port connects to my PC, and I am accessing the routers via telnet.
* To ensure that this port does not undergo DAI inspection, we can configure this port as a trusted port.
* Or we can add an entry for my PC's MAC (a4ba.dbbe.d185) bound to IP address 192.168.1.10 in the ARP access-list.
* Note that implementing ARP Inspection may break some services, such as Proxy ARP.
* To resolve these issues, ARP Inspection allows you to configure some ports as trusted for ARP Inspection.
* On trusted ports, the switch does not inspect any ARP message. It is common to trust ARP messages on switch uplink ports, pointing toward the network core.

SW1(config)#int f0/5
SW1(config-if)#ip arp inspection trust
SW1(config-if)#end

* When the switch receives an ARP packet on an ARP-untrusted (the default state) port, it inspects the packet contents.
* Based on the IP-to-MAC address binding information in the packet, the switch permits the packet only if it matches the ARP Inspection table. This prevents ARP poisoning attacks.

SW1(config)#ip arp inspection vlan 10
SW1(config)#ip arp inspection filter ARP_VLAN10 vlan 10

SW1#sh ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan  Configuration  Operation  ACL Match  Static ACL
Vlan  ACL Logging  DHCP Logging

SW1#clear arp-cache

R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

* Change the MAC address entry for R1 on the VLAN 10 interface and observe how the switch denies the violating ARP packets.
* As you can see, there is no DHCP snooping entry to match the new SW2 MAC address, so the ARP packets are dropped by the switch.

SW1#sh arp access-list
ARP access list ARP_VLAN10
    permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
    permit ip host 192.168.1.2 mac host 0018.73c3.0b20 log
    permit ip host 192.168.1.10 mac host a4ba.dbbe.d185 log

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)#no permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host aaaa.aaaa.aaaa log
SW1(config-arp-nacl)#end

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SW1#
02:23:46: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0019.aa1d.8596/192.168.1.1/000b.bee2.fa00/192.168.1.50/02:23:46 UTC Mon Mar 1 1993])
02:23:46: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARP (Req) on Fa0/1, vlan 10.

TASK :
* Reconfigure the ARP access-list back to its previous state.
* Configure the f0/5 port as a trusted port so that it does not undergo DAI inspection.

SW1(config)#arp access-list ARP_VLAN10
SW1(config-arp-nacl)#no permit ip host 192.168.1.1 mac host aaaa.aaaa.aaaa log
SW1(config-arp-nacl)# permit ip host 192.168.1.1 mac host 0019.aa1d.8596 log
SW1(config-arp-nacl)#exit

Storm Control
Broadcast storms occur when packets flood the LAN, creating excessive traffic and degrading network performance.
» STP failure or misconfiguration
» Unicast storms created by faulty host NICs
» Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
» These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control
» Storm control is used to limit the amount of unicast, multicast, or broadcast traffic received inbound on a port.
» Monitor multicast/broadcast/unicast traffic and suppress it.
» Done on a per-port basis.
Actions:
1. Slow it down
2. Put the port into the error-disabled state

Storm Control
[Figure: traffic rate against time with the rising threshold and falling threshold marked]
Suppression thresholds come in three types:
1. bandwidth as a percentage of the physical interface
2. traffic rate in packets per second
3. traffic rate in bits per second

Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75 60
Switch(config-if)# storm-control multicast level pps 1000 500
Switch(config-if)# storm-control action shutdown

SW1#show storm-control broadcast
Interface  Filter State  Upper   Lower   Current
Fa0/2      Link Down     75.00%  60.00%  0.00%
SW1#show storm-control multicast
Interface  Filter State  Upper   Lower    Current
Fa0/2      Link Down     1k pps  500 pps  0 pps
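Stepping back to the DAI lab: the order in which SW1 evaluated each ARP packet (trusted port first, then the ARP ACL applied to the VLAN, then the DHCP snooping bindings, then deny-and-log) explains every result seen there, including why the %SW_DAI-4-DHCP_SNOOPING_DENY message appeared once R1's ACL entry was replaced. The Python below is an added example, not code from the workbook or from Cisco IOS; it models that decision order, reproduces the lab's ACL changes and the trusting of f0/5, and adds two constructed cases the lab does not show: a DHCP-learned host passing through the binding fall-through, and an untrusted host answering ARP for the gateway address with its own MAC, which is what DAI exists to stop. The R1/R2/PC addresses and MACs are the lab's; the binding for 192.168.1.77 / 001c.5808.ff8e, the MAC dead.beef.0001, the port labels and all class and function names are this example's own assumptions, and the log line format only imitates the shape seen on SW1.

```python
"""Dynamic ARP Inspection decision logic from the DAI lab, modelled in Python
(added example, not the workbook's code). Trusted ports bypass inspection; on
untrusted ports the sender IP/MAC pair is checked against the ARP ACL applied
to the VLAN and, unless the ACL was applied with the 'static' keyword, a
non-matching packet is then checked against the DHCP snooping bindings before
being dropped and logged. Addresses below are constructed to mirror the lab."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress: str
    vlan: int
    opcode: str = "Req"      # 'Req' or 'Res', as in the DAI log messages


class ArpAcl:
    """'arp access-list NAME' with 'permit ip host A mac host M' entries."""
    def __init__(self, name):
        self.name, self.entries = name, []

    def permit(self, ip, mac):
        self.entries.append((ip, mac.lower()))

    def no_permit(self, ip, mac):
        self.entries.remove((ip, mac.lower()))

    def matches(self, ip, mac):
        return (ip, mac.lower()) in self.entries


class DynamicArpInspection:
    def __init__(self, vlans, dhcp_bindings=()):
        self.vlans = set(vlans)                     # ip arp inspection vlan N
        self.trusted = set()                        # ip arp inspection trust
        self.filters = {}                           # vlan -> (acl, static)
        self.bindings = {(ip, mac.lower(), vlan) for ip, mac, vlan in dhcp_bindings}
        self.log = []

    def trust(self, interface):
        self.trusted.add(interface)

    def apply_filter(self, acl, vlan, static=False):
        """ip arp inspection filter ACL vlan N [static]"""
        self.filters[vlan] = (acl, static)

    def _deny(self, reason, pkt):
        # Same shape as the %SW_DAI-4-...DENY lines seen on SW1 (imitation only)
        self.log.append(f"%SW_DAI-4-{reason}: 1 Invalid ARPs ({pkt.opcode}) on "
                        f"{pkt.ingress}, vlan {pkt.vlan}.([{pkt.sender_mac}/{pkt.sender_ip}])")
        return "deny"

    def inspect(self, pkt):
        if pkt.vlan not in self.vlans or pkt.ingress in self.trusted:
            return "permit"
        entry = self.filters.get(pkt.vlan)
        if entry is not None:
            acl, static = entry
            if acl.matches(pkt.sender_ip, pkt.sender_mac):
                return "permit"
            if static:          # static ACL: no fall-through to DHCP bindings
                return self._deny("ACL_DENY", pkt)
        if (pkt.sender_ip, pkt.sender_mac.lower(), pkt.vlan) in self.bindings:
            return "permit"
        return self._deny("DHCP_SNOOPING_DENY", pkt)


def lab_scenario():
    r1_mac, r2_mac, pc_mac = "0019.aa1d.8596", "0018.73c3.0b20", "a4ba.dbbe.d185"
    acl = ArpAcl("ARP_VLAN10")
    acl.permit("192.168.1.1", r1_mac)
    acl.permit("192.168.1.2", r2_mac)
    acl.permit("192.168.1.10", pc_mac)
    # one DHCP-learned host (constructed) to show the binding fall-through path
    dai = DynamicArpInspection([10], dhcp_bindings=[("192.168.1.77", "001c.5808.ff8e", 10)])
    dai.apply_filter(acl, 10)

    res = {}
    res["r1_ok"] = dai.inspect(ArpPacket("192.168.1.1", r1_mac, "Fa0/1", 10))
    res["dhcp_host_ok"] = dai.inspect(ArpPacket("192.168.1.77", "001c.5808.ff8e", "Fa0/3", 10))
    # untrusted host answering ARP for the gateway with its own (constructed) MAC
    res["gateway_poison"] = dai.inspect(ArpPacket("192.168.1.100", "dead.beef.0001", "Fa0/4", 10, "Res"))

    # lab step: replace R1's ACL entry with a bogus MAC; R1's ARP is now denied
    acl.no_permit("192.168.1.1", r1_mac)
    acl.permit("192.168.1.1", "aaaa.aaaa.aaaa")
    res["r1_after_acl_change"] = dai.inspect(ArpPacket("192.168.1.1", r1_mac, "Fa0/1", 10))
    res["denied_logged"] = any("DHCP_SNOOPING_DENY" in line and "Fa0/1" in line for line in dai.log)

    # lab step: trust f0/5 instead of listing the PC in the ACL
    acl.no_permit("192.168.1.10", pc_mac)
    res["pc_untrusted"] = dai.inspect(ArpPacket("192.168.1.10", pc_mac, "Fa0/5", 10))
    dai.trust("Fa0/5")
    res["pc_trusted"] = dai.inspect(ArpPacket("192.168.1.10", pc_mac, "Fa0/5", 10))
    return res
```

The `static` flag matters in practice: with `ip arp inspection filter ... static` a host absent from the ACL is denied even if it holds a valid DHCP lease, which is the behaviour to choose when every host on the segment is meant to be listed explicitly.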
Metro Ethernet

» Initially Ethernet was restricted to the LAN (distance limits).
» The use of fiber standards added support for longer distances.
» This overcame both the speed and the distance limits.
» Service providers started using Ethernet in the WAN.

Advantages:
» Supports high speeds, up to 100 Mbps or 1 Gbps (Frame Relay supports up to 44 Mbps).
» The customer end uses an Ethernet interface instead of a serial interface.

Private VLAN

Private VLANs address two problems that service providers face when using VLANs:
» A switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support.
» To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and cause IP address management problems.

» Using private VLANs provides scalability and IP address management benefits for service providers and Layer 2 security for customers.
» Private VLANs partition a regular VLAN domain into subdomains.
» A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN.

Secondary VLAN types:
» Isolated VLAN: ports within an isolated VLAN cannot communicate with each other at Layer 2.
» Community VLAN: ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at Layer 2.
» Promiscuous port: attaches to a router, firewall or other gateway and can communicate with all hosts, including isolated and community ports.

Private VLAN advantages:
» Reduce VLAN and IP subnet consumption.
» You can prevent traffic between end stations in the same VLAN and IP subnet even though they are in the same VLAN.

Metro Ethernet switches: ME 3400, Catalyst 3750, ME3800X, ME 4900.

Private VLAN Configuration

SW1(config)#vtp mode transparent
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#end

Note: a primary VLAN can have only one isolated VLAN but many community VLANs. VTP transparent mode is required because VTP versions 1 and 2 do not propagate private VLAN information.

SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
SW1(config-vlan)#private-vlan association add 100,200,500
SW1(config-vlan)#end

SW1#show vlan private-vlan
Primary Secondary Type
------- --------- ----------
10      100       community
10      200       community
10      500       isolated

Configuring the Promiscuous Port

SW1(config)#int f0/20
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 10 100,200,500
SW1(config-if)#end
Configuring Community Secondary VLAN ports

SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 100
SW1(config)#int range f0/5 , f0/24
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 200

Configuring Isolated Secondary VLAN ports

SW1(config)#int range f0/3 , f0/22
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 500
SW1(config-if-range)#end

Private VLAN Verification

SW1#show vlan private-vlan
Primary Secondary Type       Ports
------- --------- ---------- ------------------------
10      100       community  Fa0/1, Fa0/2, Fa0/20
10      200       community  Fa0/5, Fa0/20, Fa0/24
10      500       isolated   Fa0/3, Fa0/20, Fa0/22

SW1#show interfaces status | in connected
Fa0/1   connected  10,100  a-full  a-100  10/100BaseTX
Fa0/2   connected  10,100  a-full  a-100  10/100BaseTX
Fa0/3   connected  10,500  a-full  a-100  10/100BaseTX
Fa0/5   connected  10,200  a-full  a-100  10/100BaseTX
Fa0/20  connected  10      a-full  a-100  10/100BaseTX
Fa0/22  connected  10,500  a-full  a-100  10/100BaseTX
Fa0/24  connected  10,200  a-full  a-100  10/100BaseTX

LAB: PRIVATE VLAN

TASK:
» Configure VTP mode as transparent and place all ports connecting to end devices in VLAN 10.
» Create VLANs 100, 200 and 500; configure VLAN 100 and 200 as community VLANs and VLAN 500 as an isolated VLAN.
» VLANs 100, 200 and 500 will act as secondary VLANs; associate them with primary VLAN 10.

SW1(config)#interface range f0/1 - 3 , f0/5 , f0/20 , f0/22 , f0/24
SW1(config-if-range)#switchport access vlan 10

SW1#sh vlan
VLAN Name     Status  Ports
---- -------- ------- ---------------------------------
1    default  active  Fa0/6, Fa0/7, Fa0/8, Fa0/9
                      Fa0/10, Fa0/11, Fa0/12, Fa0/13
                      Fa0/14, Fa0/15, Fa0/16, Fa0/17
                      Fa0/18, Fa0/19, Fa0/21, Fa0/22
                      Fa0/23, Gi0/1, Gi0/2

The end devices are addressed in one subnet, 192.168.1.0/24; the switches use routed ports so that they can act as hosts in the test.

SW3(config)#int f0/20
SW3(config-if)#no switchport
SW3(config-if)#ip add 192.168.1.10 255.255.255.0
SW3(config-if)#no shut
SW3(config-if)#end

SW2(config)#int f0/24
SW2(config-if)#no switchport
SW2(config-if)#ip add 192.168.1.6 255.255.255.0
SW2(config-if)#no shut
SW2(config-if)#end

R-1(config)#int g0/0
R-1(config-if)#ip add 192.168.1.1 255.255.255.0
R-1(config-if)#no shut
R-1(config-if)#end

R-2(config)#int g0/0
R-2(config-if)#ip add 192.168.1.2 255.255.255.0
R-2(config-if)#no shut
R-2(config-if)#end

R-3(config)#int g0/0
R-3(config-if)#ip add 192.168.1.3 255.255.255.0
R-3(config-if)#no shut
R-3(config-if)#end

SW4(config)#int f0/22
SW4(config-if)#no switchport
SW4(config-if)#ip add 192.168.1.4 255.255.255.0
SW4(config-if)#no shut
SW4(config-if)#end

R-5(config)#int g0/0
R-5(config-if)#ip add 192.168.1.5 255.255.255.0
R-5(config-if)#no shut
R-5(config-if)#end

Before the private VLAN is applied, every device in VLAN 10 can reach every other device:

R-5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R-5#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R-5#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R-5#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms
R-5#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R-5#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R-5#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms
R-5#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-5#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

(The first lost packets in each run are the usual ARP resolution delay, not filtering.)
SW1 configuration:

SW1(config)#vtp mode transparent
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#end

Note:
» Only one isolated VLAN is allowed per primary VLAN; community VLANs can be many.
» Here VLAN 10 is the primary VLAN, and VLANs 100, 200 and 500 act as secondary VLANs associated with the primary VLAN (VLAN 10) by the following command:

SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
SW1(config-vlan)#private-vlan association add 100,200,500
SW1(config-vlan)#end

SW1#show vlan private-vlan
Primary Secondary Type       Ports
------- --------- ---------- -----
10      100       community
10      200       community
10      500       isolated

TASK:
» Configure port fa0/20 as promiscuous, as it needs to be reachable from all secondary VLANs.

SW1(config)#int f0/20
SW1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan ?
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping
SW1(config-if)#switchport private-vlan mapping 10 100,200,500
SW1(config-if)#end

The mapping command assigns the port to primary VLAN 10 and maps secondary VLANs 100, 200 and 500 to it.
TASK:
» Configure ports fa0/1 and fa0/2 in their own community so that they can talk to each other and to the promiscuous port.

SW1(config)#int range f0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 100
SW1(config-if-range)#end

The above commands assign fa0/1 and fa0/2 to community VLAN 100: these two ports can communicate with each other and with fa0/20 (the promiscuous port).

TASK:
» Configure ports fa0/5 and fa0/24 in a separate community so that they can talk to each other and to the promiscuous port.

SW1(config)#int range f0/5 , f0/24
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 200
SW1(config-if-range)#end

The above commands assign fa0/5 and fa0/24 to community VLAN 200: these two ports can communicate with each other and with fa0/20 (the promiscuous port).

TASK:
» Configure ports fa0/3 and fa0/22 so that they cannot talk to each other but can talk to fa0/20 (the promiscuous port).

SW1(config)#int range f0/3 , f0/22
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 500
SW1(config-if-range)#end

The above commands assign fa0/3 and fa0/22 as isolated ports in VLAN 500: these two ports cannot communicate with each other but can talk to the gateway port fa0/20 (the promiscuous port).
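The three rules (promiscuous reaches everything, community ports reach their own community, isolated ports reach only the promiscuous port) determine the whole reachability matrix, which is what the verification pings in this lab check pair by pair. The Python model below is an added example written for this page, not Cisco or workbook code; the port roles are those configured on SW1 above, and the device-to-port mapping is the one used in this lab.

```python
"""Private VLAN Layer 2 reachability (added example, not Cisco or workbook code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PvlanPort:
    role: str                        # 'promiscuous', 'community' or 'isolated'
    secondary: Optional[int] = None  # secondary VLAN of a host port; None for promiscuous


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if two ports of the same primary VLAN can exchange frames at Layer 2."""
    if a.role == "promiscuous" or b.role == "promiscuous":
        return True                         # promiscuous reaches everything
    if a.role == "community" and b.role == "community":
        return a.secondary == b.secondary   # same community only
    return False                            # isolated ports talk only to promiscuous ports


def validate_secondaries(secondary_types: Dict[int, str]) -> None:
    """A primary VLAN may carry many community VLANs but only one isolated VLAN."""
    isolated = [v for v, t in secondary_types.items() if t == "isolated"]
    if len(isolated) > 1:
        raise ValueError(f"only one isolated VLAN allowed per primary VLAN, got {isolated}")


# Devices as attached in this lab (device name -> role of its SW1 port).
LAB_PORTS: Dict[str, PvlanPort] = {
    "R-1": PvlanPort("community", 100),   # fa0/1, 192.168.1.1
    "R-2": PvlanPort("community", 100),   # fa0/2, 192.168.1.2
    "R-3": PvlanPort("isolated", 500),    # fa0/3, 192.168.1.3
    "R-5": PvlanPort("community", 200),   # fa0/5, 192.168.1.5
    "SW2": PvlanPort("community", 200),   # fa0/24, 192.168.1.6
    "SW3": PvlanPort("promiscuous"),      # fa0/20, 192.168.1.10
    "SW4": PvlanPort("isolated", 500),    # fa0/22, 192.168.1.4
}


def reachable_from(ports: Dict[str, PvlanPort], src: str) -> List[str]:
    """Sorted list of the devices 'src' can reach directly at Layer 2."""
    return sorted(dst for dst, p in ports.items() if dst != src and can_talk(ports[src], p))


def reachability_matrix(ports: Dict[str, PvlanPort]) -> Dict[str, List[str]]:
    return {src: reachable_from(ports, src) for src in ports}


if __name__ == "__main__":
    validate_secondaries({100: "community", 200: "community", 500: "isolated"})
    for src, dsts in reachability_matrix(LAB_PORTS).items():
        print(f"{src} -> {', '.join(dsts) or '(none)'}")
```

The model says only what the switch enforces at Layer 2. A host on an isolated port can still send a frame to the promiscuous gateway's MAC address with another isolated host's IP as the destination, and a router will happily route it back into the same subnet; if isolation has to hold through the gateway as well, add an ACL on the router interface (or a VACL) that denies 192.168.1.0/24 to 192.168.1.0/24 traffic.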
SW1#show vlan private-vlan
Primary Secondary Type       Ports
------- --------- ---------- ------------------------
10      100       community  Fa0/1, Fa0/2, Fa0/20
10      200       community  Fa0/5, Fa0/20, Fa0/24
10      500       isolated   Fa0/3, Fa0/20, Fa0/22

SW1#show interfaces status | in connected
Fa0/1   connected  10,100  a-full  a-100  10/100BaseTX
Fa0/2   connected  10,100  a-full  a-100  10/100BaseTX
Fa0/3   connected  10,500  a-full  a-100  10/100BaseTX
Fa0/5   connected  10,200  a-full  a-100  10/100BaseTX
Fa0/20  connected  10      a-full  a-100  10/100BaseTX
Fa0/22  connected  10,500  a-full  a-100  10/100BaseTX
Fa0/24  connected  10,200  a-full  a-100  10/100BaseTX

Verification: SW3 (192.168.1.10, behind promiscuous port fa0/20) can still reach every host.

SW3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000 ms
SW3#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms
SW3#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms
SW3#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
SW3#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
SW3#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R-1 (community VLAN 100) reaches only R-2 (same community) and SW3 (promiscuous):

R-1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R-1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-1#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-1#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-1#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R-2 (community VLAN 100) behaves the same way: R-1 and SW3 are reachable, nothing else is.

R-2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-2#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-2#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-2#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-2#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-2#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R-3 (isolated VLAN 500) reaches only SW3, the promiscuous port:

R-3#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-3#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-3#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-3#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-3#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SW4 (the other isolated port) likewise reaches only SW3; note that it cannot reach R-3 even though both are in VLAN 500.

SW4#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
SW4#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW4#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW4#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW4#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW4#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R-5 and SW2 (community VLAN 200) reach each other and SW3, and nothing else:

R-5#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R-5#ping 192.168.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R-5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-5#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-5#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R-5#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
SW2#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Types of ACLs: VLAN ACLs (VACLs)

» VACLs provide access control for all packets that are bridged within a VLAN and for packets that are routed into or out of a VLAN.
» You can configure VACLs for IP and MAC-layer traffic.
» If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is to deny the packet.
» Packets can enter the VLAN through a Layer 2 port or through a Layer 3 port after being routed.
» A VLAN ACL is not defined by direction (inbound/outbound).

VLAN ACL (Contd)

» VACLs are similar to route-map statements.
» The set conditions are called "actions", which include drop, forward and redirect.
» VACL entries are numbered for ordering.
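The ordering and the implicit deny are where VACLs bite in practice, so the access-map configured below (`vlan access-map CCIE` with sequences 10 and 20) is worth modelling. The Python below is an added example written for this page, not Cisco or workbook code: entries are tried in sequence order, the first entry whose match clause hits decides the action, an entry with no match clause matches every packet, and an IP packet that matches no entry is dropped by the implicit deny because the map filters IP. The page does not show what access-list 101 contains, so its lines and the packets are constructed.

```python
"""VLAN access-map evaluation order (added example, not Cisco or workbook code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One line of an extended IP access-list: permit/deny <src> <dst>, both in CIDR form."""
    permit: bool
    src: str
    dst: str


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    dst_ip: str


def acl_permits(acl: List[Ace], pkt: IpPacket) -> bool:
    """First matching line wins. For 'match ip address' in a VACL only a permit line
    counts as a hit; a deny line (or no line at all) means 'not matched', so the
    packet falls through to the next access-map entry rather than being dropped."""
    for ace in acl:
        if (ip_address(pkt.src_ip) in ip_network(ace.src, strict=False)
                and ip_address(pkt.dst_ip) in ip_network(ace.dst, strict=False)):
            return ace.permit
    return False


@dataclass(frozen=True)
class MapEntry:
    seq: int
    action: str                            # 'drop', 'forward' or 'redirect'
    match_acl: Optional[List[Ace]] = None  # None: no match clause, matches every packet


def vacl_decide(entries: List[MapEntry], pkt: IpPacket) -> str:
    """Action the VACL takes on one IP packet bridged or routed in the VLAN."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match_acl is None or acl_permits(entry.match_acl, pkt):
            return entry.action
    return "drop"   # implicit deny: the map filters IP and nothing matched


# Constructed contents for access-list 101: traffic sourced by one misbehaving host,
# except for traffic to its gateway, which a deny line excludes from the match.
ACL_101 = [
    Ace(False, "192.168.1.50/32", "192.168.1.1/32"),
    Ace(True, "192.168.1.50/32", "0.0.0.0/0"),
]

CCIE_MAP = [
    MapEntry(10, "drop", ACL_101),   # vlan access-map CCIE 10 / match ip address 101 / action drop
    MapEntry(20, "forward"),         # vlan access-map CCIE 20 / action forward
]


def demo() -> dict:
    host_to_peer = IpPacket("192.168.1.50", "192.168.1.2")
    host_to_gw = IpPacket("192.168.1.50", "192.168.1.1")
    other = IpPacket("192.168.1.3", "192.168.1.2")
    return {
        "host to peer": vacl_decide(CCIE_MAP, host_to_peer),
        "host to gateway (deny line in ACL 101)": vacl_decide(CCIE_MAP, host_to_gw),
        "other traffic": vacl_decide(CCIE_MAP, other),
        "other traffic without sequence 20": vacl_decide(CCIE_MAP[:1], other),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:40s} {action}")
```

The last case is the one that causes outages in practice: a map that contains only the `drop` entry blackholes the entire VLAN, because the implicit deny applies to every IP packet that matched nothing. The trailing `action forward` entry with no match clause is therefore not optional.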
» Applied to traffic in the specified VLAN.

VLAN ACL Configuration

(config)#vlan access-map CCIE 10
(config-access-map)#match ip address 101
(config-access-map)#action drop
(config-access-map)#exit
(config)#vlan access-map CCIE 20
(config-access-map)#action forward
(config-access-map)#exit
(config)#vlan filter CCIE vlan-list 10
#show vlan access-map

IPv6 First Hop Security

» There is a growing number of large-scale IPv6 deployments within enterprise, university and government networks.
» It is important that these IPv6 deployments are secure.
» First hop security prevents internal threats at the access layer (man-in-the-middle and denial-of-service attacks).
» Layer 2 security differs between IPv4 and IPv6 because the Layer 2 operations themselves differ.

Neighbor Discovery Protocol

» Neighbor Solicitation / Neighbor Advertisement messages
» Duplicate Address Detection
» Multicast (there are no broadcasts in IPv6)
» The NDP process is similar to ARP in IPv4

Topology: R1 with FE80::1 / 2001:12::1/64 (MAC 0000.1111.1111) and R2 with FE80::2 / 2001:12::2/64 (MAC 0000.2222.2222) on a common link.

IPv6 Neighbor Discovery process
» NS message (ICMPv6 type 135) requesting the Layer 2 address: sent by A to the solicited-node multicast address of B, carrying the link-layer address of A, asking "what is your link-layer address?"
» NA message (ICMPv6 type 136) replying with the Layer 2 address: sent by B, carrying the link-layer address of B.
R1#ping fe80::2
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::2, timeout is 2 seconds:
Packet sent with a source address of FE80::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/31/76 ms
R1#
*Mar 1 03:14:16.187: ICMPv6-ND: DELETE -> INCMP: FE80::2
*Mar 1 03:14:16.187: ICMPv6-ND: Sending NS for FE80::2 on FastEthernet0/0
*Mar 1 03:14:16.211: ICMPv6-ND: Received NA for FE80::2 on FastEthernet0/0 from FE80::2
*Mar 1 03:14:16.211: ICMPv6-ND: INCMP -> REACH: FE80::2
R1#
*Mar 1 03:14:21.231: ICMPv6-ND: Received NS for FE80::1 on FastEthernet0/0 from FE80::2
*Mar 1 03:14:21.231: ICMPv6-ND: Sending NA for FE80::1 on FastEthernet0/0
R1#
*Mar 1 03:14:46.211: ICMPv6-ND: REACH -> STALE: FE80::2

The debug output shows the neighbor cache entry for FE80::2 moving from INCOMPLETE to REACHABLE once the NA arrives, and ageing to STALE about 30 seconds later.

» Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of the neighbor is identified.
» Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link.
» Neighbor solicitation messages are also used in the stateless autoconfiguration process to verify the uniqueness of unicast IPv6 addresses before the addresses are assigned to an interface.

Router Solicitation / Router Advertisements, Router Advertisement Spoofing, IPv6 RA Guard

» Router Solicitation: a host asks for information about the local router.
» Router Advertisement: a router advertises itself as a router.
Router Advertisement Spoofing

» Hosts cannot distinguish between valid and "bogus" NDP messages.
» An attacker can send Router Advertisements and provide hosts with a bogus default gateway or prefix, either to disrupt service (Denial of Service) or to intercept data (Man-in-the-Middle).

IPv6 RA Guard

» A prevention mechanism against rogue RA attacks.
» Blocks unauthorized Router Advertisements (RAs): based on the policy attached to a port or VLAN, the switch decides whether to drop or forward them.

IPv6 RA Guard Configuration

(config)#ipv6 nd raguard policy UNTRUSTED
(config-nd-raguard)#device-role host
(config)#vlan configuration 10
(config-vlan-config)#ipv6 nd raguard attach-policy UNTRUSTED
(config)#ipv6 nd raguard policy TRUST
(config-nd-raguard)#device-role router
(config)#interface fastethernet 0/2
(config-if)#ipv6 nd raguard attach-policy TRUST

Device1#show ipv6 nd raguard policy UNTRUSTED

In host mode, all RA and router redirect messages are disallowed on the port. The policy attached to VLAN 10 therefore protects every access port in the VLAN, while the port-level TRUST policy on fastethernet 0/2 (where the legitimate router connects) takes precedence for that port.

DHCP Spoofing Attack

» The attacker activates a rogue DHCP server on the VLAN.
» The attacker replies to valid client DHCP requests.
» The attacker assigns IP configuration information that establishes the rogue device as the client's default gateway.
» The attacker thereby establishes a "man-in-the-middle" attack.
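The RA Guard policy configured above can be reduced to a per-port decision on the ICMPv6 type. The Python below is an added example written for this page, not Cisco or workbook code. It builds minimal IPv6 + ICMPv6 packets for the NDP message types discussed in this section (RS 133, RA 134, NS 135, NA 136, Redirect 137) and applies the semantics the page states: a port whose attached policy has `device-role host` drops Router Advertisements and Redirects, while a `device-role router` port lets them through. The addresses, the packet builder and the port-to-role table are constructed for the example.

```python
"""RA Guard port decision on raw ICMPv6 (added example, not Cisco or workbook code)."""
import ipaddress
import struct
from typing import Dict, Optional

ICMPV6_TYPES: Dict[int, str] = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
NEXT_HEADER_ICMPV6 = 58


def build_ipv6_icmpv6(src: str, dst: str, icmp_type: int, code: int = 0,
                      body: bytes = b"\x00" * 4) -> bytes:
    """Fixed IPv6 header (RFC 8200) directly followed by an ICMPv6 header.
    The ICMPv6 checksum is left zero because the policy check below never validates it."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + body
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def icmpv6_type(packet: bytes) -> Optional[int]:
    """ICMPv6 type of the packet, or None if it is not IPv6 with ICMPv6 as next header."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return None
    if packet[6] != NEXT_HEADER_ICMPV6:
        return None   # extension-header chain: deliberately not walked here (see note)
    return packet[40]


def raguard_decision(packet: bytes, device_role: str) -> str:
    """'drop' or 'forward' for a packet arriving on a port with the given RA Guard device-role."""
    if device_role not in ("host", "router"):
        raise ValueError(f"unknown device-role {device_role!r}")
    t = icmpv6_type(packet)
    if device_role == "host" and t in (134, 137):
        return "drop"      # host ports may not originate RAs or Redirects
    return "forward"


# Constructed port table: fa0/2 carries policy TRUST, fa0/3 inherits UNTRUSTED from VLAN 10.
PORTS: Dict[str, str] = {"fa0/2": "router", "fa0/3": "host"}


def demo() -> Dict[str, str]:
    rogue_ra = build_ipv6_icmpv6("fe80::bad", "ff02::1", 134)    # rogue RA to all-nodes
    redirect = build_ipv6_icmpv6("fe80::bad", "fe80::1", 137)
    ns = build_ipv6_icmpv6("fe80::1", "ff02::1:ff00:2", 135)     # solicited-node of fe80::2
    rs = build_ipv6_icmpv6("fe80::1", "ff02::2", 133)            # RS to all-routers
    return {
        "RA on host port fa0/3": raguard_decision(rogue_ra, PORTS["fa0/3"]),
        "Redirect on host port fa0/3": raguard_decision(redirect, PORTS["fa0/3"]),
        "NS on host port fa0/3": raguard_decision(ns, PORTS["fa0/3"]),
        "RS on host port fa0/3": raguard_decision(rs, PORTS["fa0/3"]),
        "RA on router port fa0/2": raguard_decision(rogue_ra, PORTS["fa0/2"]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

The deliberate gap in `icmpv6_type` is the classic evasion: an attacker places the ICMPv6 header behind an extension header or in a second fragment so that a naive filter sees something other than next header 58 and forwards it. RFC 7113 describes this attack and requires RA Guard implementations to walk the whole header chain and to drop fragmented NDP messages; when evaluating a switch, test that behaviour rather than assuming it.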
Unauthorized DHCPv6 Server

» A client responds to a bogus Advertise/Reply from the attacker's DHCPv6 server.
» The result is a Denial of Service or a Man-in-the-Middle attack.
