
1 (a) Explain static and dynamic routing protocols. 3


# Static Routing
A router with manually configured routing tables is known as a static router. A network administrator,
with knowledge of the internetwork topology, manually builds and updates the routing table,
programming all routes in the routing table. Static routers can work well for small internetworks but do
not scale well to large or dynamically changing internetworks due to their manual administration.

A good example of a static router is a multihomed computer running Windows 2000.

# Dynamic Routing
A router with dynamically configured routing tables is known as a dynamic router. Dynamic routing
consists of routing tables that are built and maintained automatically through an ongoing communication
between routers.
The ability to scale and recover from internetwork faults makes dynamic routing the better choice for
medium, large, and very large internetworks.

A good example of a dynamic router is a computer with Windows 2000 Server and the Routing and
Remote Access Service running the Routing Information Protocol (RIP) and Open Shortest Path First
(OSPF) routing protocols for IP and RIP for IPX.

(b) What are VLSM and CIDR? Why do we use a loopback address in practical networking
operation? 3
# VLSM
Variable Length Subnet Mask (VLSM) allows one address block to be divided into subnets of different
mask lengths, each sized according to the overall network requirements.

# CIDR

Classless Inter-Domain Routing (CIDR) is a set of Internet Protocol (IP) standards that is used to
create unique identifiers for networks and individual devices.
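As an added illustration (my code, not from the original notes), the following Python carves one /24 into subnets of different mask lengths from a list of host counts (VLSM), then aggregates four contiguous /24 networks into a single CIDR prefix; the address blocks and host counts are constructed sample values.

```python
import ipaddress
import math

def vlsm_allocate(block, host_counts):
    """Split block into subnets sized to each host requirement (VLSM).

    Largest requirements go first so every subnet starts on a boundary
    aligned to its own size. Returns a list of (hosts, subnet) pairs.
    """
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    allocations = []
    for hosts in sorted(host_counts, reverse=True):
        # Network and broadcast addresses are unusable: reserve hosts + 2 and
        # round up to a power of two, i.e. the longest prefix that still fits.
        size = 1 << math.ceil(math.log2(hosts + 2))
        prefix = net.max_prefixlen - int(math.log2(size))
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(net):
            raise ValueError(f"{block} exhausted while placing {hosts} hosts")
        allocations.append((hosts, subnet))
        cursor += size
    return allocations

def cidr_summarize(networks):
    """Collapse networks into the fewest covering prefixes (CIDR aggregation),
    e.g. four contiguous /24s become one /22 route advertisement."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # Constructed example: four segments needing 100, 50, 20 and 2 hosts.
    for hosts, subnet in vlsm_allocate("192.168.1.0/24", [100, 50, 20, 2]):
        print(f"{hosts:>3} hosts -> {subnet} ({subnet.num_addresses - 2} usable)")
    print(cidr_summarize(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]))
```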

# Loopback
I strictly use loopbacks for management of routers. The theory behind that is that a loopback is always
available (unless your router is dead). Loopback interfaces are always up, so they will be reachable if
any interface on the router is connected to the rest of the network.

# Rapid Spanning Tree Protocol (RSTP)

RSTP provides significantly faster recovery in response to network changes or failures,
introducing new convergence behaviors and bridge port roles to do this. RSTP was designed to
be backwards-compatible with standard STP.
# Root guard
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of
root bridges in the network. Root guard limits the switch ports out of which the root bridge may be
negotiated.

# BPDU Guard
The BPDU Guard feature is used to protect the Layer 2 Spanning Tree Protocol (STP) topology from
BPDU-related attacks. When a BPDU Guard-enabled port receives a BPDU from the connected
device, BPDU Guard disables the port and the port state is changed to the errdisable state.
# Internet security infrastructure
Network infrastructure security is clearly a pressing need, especially in light of recent
national attacks, since such attacks have the potential to affect the entire Internet infrastructure,
with serious consequences for the security and economic vitality of society.

# DMZ
A DMZ (demilitarized zone) on a home router refers to a DMZ host. A home router
DMZ host is a host on the internal network that has all UDP and TCP ports open and exposed,
except those ports otherwise forwarded.

# Loop guard
Loop guard and UDLD are two ways to protect your fiber cables from causing loops in the
network. In short, loop guard is a spanning-tree optimisation,
# Router in stack
This is a stack router for a JavaScript application, which depends on the history package.

# What are NAT and PAT in networking?

Port Address Translation (PAT) is an extension to Network Address Translation (NAT)
that permits multiple devices on a local area network (LAN) to be mapped to a single
public IP address. The goal of PAT is to conserve IP addresses.

# Static and dynamic NAT


Static NAT enables a PC on a stub domain to maintain an assigned IP address when
communicating with other devices outside its network or the Internet.
When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP
address from the pool that is not already in use by another host. Dynamic NAT is useful when fewer
addresses are available than the actual number of hosts to be translated.

# Simple block diagram of a campus networking system
(diagram not reproduced in the extracted text)

# Policy Based Routing
In computer networking, policy-based routing (PBR) is a technique used to
make routing decisions based on policies set by the network administrator. For example, a
network administrator might want to forward a packet based on the source address, not the
destination address.

When using any combination of these commands within a policy the commands are
evaluated in the following order:

1. set ip next-hop

2. set interface

3. set ip default next-hop

4. set default interface

Benefits of Policy Based Routing:

1. Source-based transit provider selection: Internet service providers (ISPs) and other
organizations can use PBR to route traffic originating from different sets of users through
different Internet connections across policy routers.

2. Quality of service (QoS): Organizations can provide QoS to differentiated traffic by
setting the ToS values in the IP packet headers in routers at the periphery of the network
and then leveraging queuing mechanisms to prioritize traffic in the network's core or
backbone. This setup improves network performance by eliminating the need to classify
the traffic explicitly at each WAN interface in the network's core or backbone.

3. Cost savings: An organization can direct the bulk traffic associated with a specific
activity to use a higher-bandwidth, high-cost link for a short time and to continue basic
connectivity over a lower-bandwidth, low-cost link for interactive traffic. For example, a
dial-on-demand Integrated Services Digital Network (ISDN) line could be brought up in
response to traffic destined for a finance server; PBR would select this link.

4. Load sharing: In addition to the dynamic load-sharing capabilities offered by
destination-based routing, network managers can implement policies to distribute traffic
among multiple paths based on the traffic characteristics.

# Private Key/Symmetric Ciphers

The same key is used to encrypt the document before sending and to decrypt it once it
is received. Examples: DES, 3DES, AES, IDEA.

Features of Symmetric Ciphers

• Fast to encrypt and decrypt, suitable for large volumes of data.
• Can only be cracked by brute force.
• Problem: how do you distribute the keys?

# Public/Private Keys
We generate a cipher key pair. One key is the private key, the other is the public key.
The private key remains secret and should be protected. The public key is freely
distributable. It is related mathematically to the private key, but you cannot (easily)
reverse engineer the private key from the public key. Use the public key to encrypt data;
only someone with the private key can decrypt. (One key is used to encrypt the document,
a different key is used to decrypt it.)

# One-Way Hashing Functions

• Mathematical function that generates a fixed-length result regardless of the amount
of data used.
• Cannot generate the original data from the fixed-length result.
• Two sets of data that produce the same fixed-length result are called a collision.
Examples: MD5, SHA-1, SHA-3.

# Digital signature
A digital code (generated and authenticated by public key encryption) which is
attached to an electronically transmitted document to verify its contents and the
sender's identity.

Private Key Protection: The storage of private keys in a secure location is mandatory when
dealing with PKI. Many people take private keys for corporate CAs completely offline, store them in a
secure place, and only use them when they need to generate a new key.

# What is Packet Sniffing?


Packet sniffing is the act of capturing packets of data flowing across a computer network. The software
or device used to do this is called a packet sniffer.

b) Briefly describe the DoS attack.

A denial-of-service (DoS) attack is any type of attack where the attackers (hackers) attempt
to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually
sends excessive messages asking the network or server to authenticate requests that have
invalid return addresses.

A DoS attack can be carried out in several ways. The basic types of DoS attack include:

1. Flooding the network to prevent legitimate network traffic
2. Disrupting the connections between two machines, thus preventing access to a
service
3. Preventing a particular individual from accessing a service
4. Disrupting a service to a specific system or individual

DoS attacks can cause the following problems:

1. Ineffective services
2. Inaccessible services
3. Interruption of network traffic
4. Connection interference

# What are the principles of symmetric key cryptography?

Symmetric encryption consists of five ingredients:

1. Plaintext: the original message or data provided to the algorithm as input.

2. Encryption algorithm: performs various substitutions and transformations on the plaintext.

3. Secret key: also an input to the algorithm. The exact substitutions and transformations depend on
the key.

4. Ciphertext: the scrambled message produced as output. It depends on the plaintext and the secret
key. For the same message, two different keys will produce two different ciphertexts.

5. Decryption algorithm: the reverse of encryption. Its input is the ciphertext and the same secret key,
and it generates the original plaintext.

# Describe the RSA algorithm with an example

RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an
asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This
is also called public key cryptography, because one of them can be given to everyone. The other
key must be kept private.
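The notes ask for an example but give none, so here is an added one (my code, not from the original) that works through textbook RSA with the small primes p = 61 and q = 53 and then reuses the same key pair for the digital signature described earlier on this page. The message values are constructed, and no padding scheme is applied, so the block illustrates the mathematics only.

```python
from math import gcd
import hashlib

def rsa_keygen(p, q, e=17):
    """Textbook RSA key pair from primes p, q: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # must stay secret: it yields d from e
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m):
    """Encrypt an integer message 0 <= m < n with the public exponent."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    """Recover m = c^d mod n with the private exponent."""
    n, d = private_key
    return pow(c, d, n)

def _digest_mod_n(message, n):
    # Hash first (the one-way function from the notes), then reduce into Z_n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(private_key, message):
    """Digital signature: the private key operates on the message digest."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def rsa_verify(public_key, message, signature):
    """Anyone holding the public key re-hashes and checks sig^e == digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

if __name__ == "__main__":
    # Toy primes (constructed); real keys use primes of 1024 bits or more.
    public, private = rsa_keygen(61, 53)    # n = 3233, e = 17, d = 2753
    c = rsa_encrypt(public, 65)             # 65^17 mod 3233 = 2790
    print(c, rsa_decrypt(private, c))       # 2790 65
    sig = rsa_sign(private, b"pay 100")
    print(rsa_verify(public, b"pay 100", sig), rsa_verify(public, b"pay 999", sig))
```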

# What are the several issues of network security?

Network security issues

When businesses connect their systems and computers, one user's problems may affect everyone on the
network. Despite the many benefits of using networks, networking raises a greater potential for security
issues such as:

• data loss
• security breaches
• malicious attacks, such as hacking and viruses

Dealing with common network security issues

Typical preventive measures to help you avoid network security threats include:

• security devices such as firewalls and anti-virus software
• security settings in the router or the operating system
• data encryption systems for sensitive data
• data backup, including the use of off-site backup
• restricting access to the network infrastructure to authorised personnel only
• training staff in the safe and secure use of the equipment

# Man in the middle attack


In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where
the attacker secretly relays and possibly alters the communication between two parties who
believe they are directly communicating with each other.

# What is a firewall?
In computing, a firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules.

(a) Explain the types of secure MAC address.

You can configure these types of secure MAC addresses:

• Static secure MAC addresses—These are manually configured by using the switchport
port-security mac-address mac-address interface configuration command, stored in the
address table, and added to the switch running configuration.

• Dynamic secure MAC addresses—These are dynamically learned, stored only in the
address table, and removed when the switch restarts.

• Sticky secure MAC addresses—These can be dynamically learned or manually configured,
stored in the address table, and added to the running configuration. If these addresses are
saved in the configuration file, the interface does not need to dynamically relearn them when
the switch restarts. Although sticky secure addresses can be manually configured, we do
not recommend it.

(b) Recommendations for securing Layer 2 networks

A list of best practices for implementing, managing, and maintaining a secure Layer 2 network:

• Manage the switches in a secure manner. For example, use SSH, authentication mechanisms, access lists,
and set privilege levels.
• Restrict management access to the switch so that untrusted networks are not able to exploit management
interfaces and protocols such as SNMP.
• Always use a dedicated VLAN ID for all trunk ports.
• Be skeptical; avoid using VLAN 1 for anything.
• Disable DTP on all non-trunking access ports.
• Deploy the Port Security feature to prevent unauthorized access from switching ports.
• Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
• Use MD5 authentication where applicable.
• Disable CDP where possible.
• Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
• Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal
operations.
• Use port security mechanisms to provide protection against a MAC flooding attack.
• Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where
applicable.
• Enable Spanning Tree Protocol features (for example, BPDU Guard, Loop Guard, and Root Guard).
• Use Switch IOS ACLs and wire-speed ACLs to filter undesirable traffic (IP and non-IP).

(ii) Zone Based Firewall

Zone-Based Policy Overview. Cisco IOS Classic Firewall stateful inspection (formerly
known as Context-Based Access Control, or CBAC) employed an interface-based
configuration model, in which a stateful inspection policy was applied to an interface.

# What is IP Spoofing?
IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking
technique in which a cracker masquerades as a trusted host to conceal his identity,
spoof a Web site, hijack browsers, or gain access to a network.

# What is a firewall? Why use a firewall?

Firewalls can be implemented as both hardware and software, or a combination of
both. Network firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet, especially intranets.
