CCIE Security Version 1.1 Student Guide, Volume 4

Copyright © 2003, Cisco Systems, Inc. All rights reserved.

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)

TABLE OF CONTENTS

MODULE 1 - COURSE INTRODUCTION  1-1
    Overview  1-1
    Course Objectives  1-2
    Cisco Certification Track  1-3
    Learner Skills and Knowledge  1-4
    Learner Responsibilities  1-5
    General Administration  1-6
    Course Roadmap  1-7
    Icons and Symbols  1-8
    Learner Introductions  1-9
    Lab Registration  1-10
    What to Expect the Day of the Lab  1-11
    The Ultimate Test  1-12
    Starting the Test  1-13
    After the Test  1-14

MODULE 2 - PACKET SWITCHED TECHNOLOGIES  2-1
    Overview  2-1
    Outline  2-1
  LESSON ONE: FRAME RELAY CONFIGURATION  2-3
    Overview  2-3
    Importance  2-3
    Objectives  2-3
    Learner Skills and Knowledge  2-4
    Outline  2-4
    Physical Interface Configuration  2-6
    Subinterface Configuration  2-11
    Summary  2-16
    Next Steps  2-16
    References  2-16
    Lesson Assessment  2-17
  LESSON TWO: TROUBLESHOOTING FRAME RELAY  2-19
    Overview  2-19
    Importance  2-19
    Objectives  2-19
    Learner Skills and Knowledge  2-20
    Outline  2-20
    Verifying Frame Relay Operation (Layer 1 and 2)  2-21
    Verifying Frame Relay Operation (Layer 3)  2-29
    Summary  2-35
    Next Steps  2-35
    References  2-35
    Lesson Assessment  2-36
  LESSON THREE: ATM CONFIGURATION AND TROUBLESHOOTING  2-37
    Overview  2-37
    Importance  2-37
    Objectives  2-37
    Learner Skills and Knowledge  2-38
    Outline  2-38
    ATM Fundamentals  2-39
    ATM Virtual Connections  2-40
    Routing over ATM  2-49
    Configuring the AAL and Encapsulation Type  2-51
    Configuring PVC Traffic Parameters  2-56
    Troubleshooting ATM  2-61
    Summary  2-67
    Next Steps  2-67
    References  2-67
    Lesson Assessment  2-68

MODULE 3 - ISDN TECHNOLOGIES  3-1
    Overview  3-1
    Outline  3-1
  LESSON ONE: ISDN CONFIGURATION  3-3
    Overview  3-3
    Importance  3-3
    Objectives  3-3
    Learner Skills and Knowledge  3-4
    Outline  3-4
    Network Diagram  3-5
    Basic Configuration  3-6
    Dial-On-Demand Routing (DDR)  3-7
    Dialer Profiles  3-13
    Summary  3-21
    Next Steps  3-21
    References  3-21
    Lesson Assessment  3-22
  LESSON TWO: PPP FEATURES  3-25
    Overview  3-25
    Importance  3-25
    Objectives  3-25
    Learner Skills and Knowledge  3-26
    Outline  3-26
    PAP  3-27
    CHAP  3-32
    PPP Multilink  3-40
    PPP Callback  3-43
    Caller Identification  3-46
    Summary  3-47
    Next Steps  3-47
    References  3-47
    Lesson Assessment  3-48
  LESSON THREE: USING ISDN AS A BACKUP CONNECTION  3-51
    Overview  3-51
    Importance  3-51
    Objectives  3-51
    Learner Skills and Knowledge  3-52
    Outline  3-52
    Floating Static Routes  3-53
    Backup Interface  3-54
    Backup Delay  3-55
    Dialer Watch Configuration  3-58
    Characteristics of the Backup Methods  3-61
    Summary  3-63
    Next Steps  3-63
    References  3-63
    Lesson Assessments  3-64
  LESSON FOUR: TROUBLESHOOTING  3-67
    Overview  3-67
    Importance  3-67
    Objectives  3-67
    Learner Skills and Knowledge  3-68
    Outline  3-68
    Show Commands  3-69
    Debug Commands  3-76
    Summary  3-85
    Next Steps  3-85
    References  3-85
    Lesson Assessments  3-89

MODULE 4 - CATALYST 3550 SWITCHING  4-1
    Overview  4-1
    Outline  4-1
  LESSON ONE: CATALYST 3550 BASIC CONFIGURATION  4-3
    Overview  4-3
    Importance  4-3
    Objectives  4-3
    Learner Skills and Knowledge  4-4
    Outline  4-4
    Management Interface Configuration  4-5
    VTP Configuration  4-7
    VLAN Configuration  4-11
    Troubleshooting VTP and VLANs  4-16
    Summary  4-18
    Next Steps  4-18
    References  4-18
    Lesson Review  4-19
  LESSON TWO: CATALYST 3550 INTERFACE CONFIGURATION  4-21
    Overview  4-21
    Importance  4-21
    Objectives  4-21
    Learner Skills and Knowledge  4-22
    Outline  4-22
    Overview of Switchports  4-23
    Access Port Configuration  4-25
    Trunk Port Configuration  4-26
    Tunnel Port Configuration  4-31
    Layer 3 Interfaces  4-42
    General Interface Commands  4-44
    EtherChannel  4-50
    Summary  4-60
    Next Steps  4-60
    References  4-60
    Lesson Assessments  4-61
  LESSON THREE: CATALYST 3550 ADVANCED CONFIGURATION  4-63
    Overview  4-63
    Importance  4-63
    Objectives  4-63
    Learner Skills and Knowledge  4-65
    Outline  4-65
    Spanning Tree  4-66
    Monitoring and Analyzing Traffic  4-91
    Fallback Bridging  4-100
    Summary  4-104
    Next Steps  4-104
    References  4-104
    Lesson Assessment  4-105
  LESSON FOUR: CATALYST 3550 SECURITY CONFIGURATION
    Overview
    Importance
    Objectives
    Learner Skills and Knowledge
    Outline
    Port Security
    Protected Ports
    802.1X Authentication
    Summary
    Next Steps
    References
    Lesson Assessment

MODULE 5 - DISTANCE VECTOR ROUTING PROTOCOLS  5-1
    Overview  5-1
    Outline  5-1
  LESSON ONE: ROUTING INFORMATION PROTOCOL (RIP)  5-3
    Overview  5-3
    Importance  5-3
    Objectives  5-3
    Learner Skills and Knowledge  5-4
    Outline  5-4
    RIP  5-5
    RIP Version 2 (RIPv2)  5-7
    Optional RIP Configuration Tasks  5-10
    Troubleshooting  5-12
    Summary  5-15
    Next Steps  5-15
    References  5-15
    Lesson Assessment  5-16
  LESSON TWO: ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL (EIGRP)  5-17
    Overview  5-17
    Importance  5-17
    Objectives  5-17
    Learner Skills and Knowledge  5-18
    Outline  5-18
    What is EIGRP?  5-19
    Configuring EIGRP  5-21
    EIGRP Route Summarization  5-25
    Load Balancing with EIGRP  5-29
    EIGRP Split Horizon  5-32
    Verifying EIGRP Operation  5-34
    Summary  5-39
    Next Steps  5-39
    References  5-39
    Lesson Assessment  5-40

MODULE 6 - LINK-STATE ROUTING PROTOCOLS  6-1
    Overview  6-1
    Outline  6-1
  LESSON ONE: CONFIGURING OSPF IN A SINGLE AREA  6-3
    Overview  6-3
    Importance  6-3
    Objectives  6-3
    Learner Skills and Knowledge  6-4
    Outline  6-4
    OSPF Configuration in a Broadcast Multi-Access Topology  6-5
    Controlling the Designated Router/Backup Designated Router (DR/BDR) Election  6-7
    OSPF Operation in an NBMA Topology  6-13
    Summary  6-21
    Next Steps  6-21
    References  6-21
    Lesson Assessment  6-22
  LESSON TWO: MULTI-AREA OSPF ENVIRONMENTS  6-25
    Overview  6-25
    Importance  6-25
    Objectives  6-25
    Learner Skills and Knowledge  6-26
    Outline  6-26
    Configuring OSPF in a Multi-area Environment  6-27
    Route Summarization  6-34
    Summary  6-39
    Next Steps  6-39
    References  6-39
    Lesson Assessment  6-40
  LESSON THREE: ADVANCED OSPF FEATURES  6-43
    Overview  6-43
    Importance  6-43
    Objectives  6-43
    Learner Skills and Knowledge  6-44
    Outline  6-44
    Virtual Links Overview  6-45
    OSPF Authentication  6-48
    OSPF Demand Circuits  6-51
    Summary  6-54
    Next Steps  6-54
    References  6-54
    Lesson Assessment  6-55
  LESSON FOUR: TROUBLESHOOTING OSPF  6-59
    Overview  6-59
    Importance  6-59
    Objectives  6-59
    Learner Skills and Knowledge  6-60
    Outline  6-60
    Verifying OSPF Operation  6-61
    Troubleshooting a Flapping OSPF Demand Circuit over ISDN  6-67
    Summary  6-73
    Next Steps  6-73
    References  6-73
    Lesson Assessment  6-74

MODULE 7 - BGP TECHNOLOGIES  7-1
    Overview  7-1
    Outline  7-1
  LESSON ONE: iBGP CONFIGURATION  7-3
    Overview  7-3
    Importance  7-3
    Objectives  7-3
    Learner Skills and Knowledge  7-4
    Outline  7-4
    BGP Functions  7-5
    Terminology  7-6
    BGP Path Selections  7-7
    Components  7-8
    BGP Basic Configuration  7-9
    BGP Advanced Configuration
    Rule of Synchronization  7-15
    Summary  7-32
    Next Steps  7-32
    References  7-32
    Lesson Assessment  7-33
  LESSON TWO: eBGP CONFIGURATION  7-35
    Overview  7-35
    Importance  7-35
    Objectives  7-35
    Learner Skills and Knowledge  7-36
    Outline  7-36
    eBGP Basic Configuration  7-37
    eBGP Advanced Configuration  7-38
    Advanced Configuration Options  7-43
    Communities  7-47
    Summary  7-50
    Next Steps  7-50
    References  7-50
    Lesson Assessment  7-51
  LESSON THREE: ADVERTISING NETWORKS  7-53
    Overview  7-53
    Importance  7-53
    Objectives  7-53
    Learner Skills and Knowledge  7-54
    Outline  7-54
    Advertising Methods  7-55
    Redistributing Static Routes  7-58
    Redistributing Dynamic Routes  7-58
    Using the Network Command  7-60
    Summary  7-61
    Next Steps  7-61
    References  7-61
    Lesson Assessment  7-62
  LESSON FOUR: BGP ADVANCED OPTIONS  7-65
    Overview  7-65
    Importance  7-65
    Objectives  7-65
    Learner Skills and Knowledge  7-66
    Outline  7-66
    Using Private AS Numbers  7-67
    Dampening  7-69
    Route Aggregation  7-73
    Conditional Advertisement and Route Filtering  7-85
    Peer Groups  7-123
    Summary  7-126
    Next Steps  7-126
    References  7-126
    Lesson Assessment  7-127
  LESSON FIVE: TROUBLESHOOTING  7-129
    Overview  7-129
    Importance  7-129
    Objectives  7-129
    Learner Skills and Knowledge  7-130
    Outline  7-130
    Show Commands  7-131
    Debug Commands  7-149
    Summary  7-158
    Next Steps  7-158
    References  7-158
    Lesson Assessment  7-159

MODULE 8 - ADVANCED ROUTING TECHNIQUES  8-1
    Overview  8-1
    Outline  8-1
  LESSON ONE: STATIC AND DEFAULT ROUTING  8-3
    Overview  8-3
    Importance  8-3
    Objectives  8-3
    Learner Skills and Knowledge  8-4
    Outline  8-4
    Static and Floating Routes  8-5
    Default Routing  8-6
    The Route 0.0.0.0  8-9
    Summary  8-13
    Next Steps  8-13
    References  8-13
    Lesson Assessment  8-14
  LESSON TWO: ROUTE REDISTRIBUTION AND CONTROL  8-15
    Overview  8-15
    Importance  8-15
    Objectives  8-15
    Learner Skills and Knowledge  8-16
    Outline  8-16
    Redistribution Review  8-17
    Default Metric  8-18
    VLSM to FLSM Redistribution  8-21
    Summarization  8-23
    Filtering  8-25
    Summary  8-32
    Next Steps  8-32
    References  8-32
    Lesson Assessment  8-33
  LESSON THREE: AUTHENTICATION  8-35
    Overview  8-35
    Importance  8-35
    Objectives  8-35
    Learner Skills and Knowledge  8-36
    Outline  8-36
    Authentication Concepts  8-37
    OSPF Authentication  8-40
    RIPv2 Authentication  8-42
    IS-IS Authentication  8-44
    EIGRP Authentication  8-46
    BGP Authentication  8-47
    Summary  8-48
    Next Steps  8-48
    References  8-48
    Lesson Assessment  8-49

MODULE 9 - PIX TECHNOLOGIES  9-1
    Overview  9-1
    Outline  9-1
  LESSON ONE: PIX CONFIGURATION  9-3
    Overview  9-3
    Importance  9-3
    Objectives  9-3
    Learner Skills and Knowledge  9-4
    Outline  9-4
    Basic PIX Configuration  9-5
    Filtering, Conduits, ACLs & Object Grouping  9-24
    Advanced NAT, PAT, Globals and Statics  9-48
    Securing the PIX & Multimedia  9-61
    Summary  9-73
    Next Steps  9-73
    Lesson Review - Practice Labs  9-74
  LESSON TWO: PIX SERVICES AND ATTACK GUARDS  9-79
    Overview  9-79
    Importance  9-79
    Objectives  9-79
    Learner Skills and Knowledge  9-80
    Outline  9-80
    Attack Guards  9-81
    NTP and SNMP  9-104
    DHCP and Multicast  9-109
    Services  9-118
    Summary  9-133
    Next Steps  9-133
    Lesson Review - Practice Labs  9-134

MODULE 10 - VPN TECHNOLOGIES  10-1
    Overview  10-1
    Outline  10-1
  LESSON ONE: VPN TUNNELS ON IOS ROUTERS  10-3
    Overview  10-3
    Importance  10-3
    Objectives  10-3
    Learner Skills and Knowledge  10-4
    Outline  10-4
    Overview  10-5
    Authentication Using Pre-Shared Keys  10-6
    Authentication Using Digital Certificates  10-8
    Authentication Using Encrypted Nonces  10-11
    IPSec Tunnel Configuration  10-14
    Remote Access Via IPSec  10-17
    GRE Tunnels  10-22
    Summary  10-34
    Next Steps  10-34
    References  10-34
    Lesson Assessment  10-35
  LESSON TWO: VPNS ON PIX FIREWALLS  10-37
    Overview  10-37
    Importance  10-37
    Objectives  10-37
    Learner Skills and Knowledge  10-38
    Outline  10-38
    Overview  10-39
    Authentication Using Pre-Shared Keys  10-40
    Authentication Using Digital Certificates  10-42
    IPSec Tunnel Configuration  10-45
    Remote Access Via IPSec  10-47
    Remote Access Via PPTP Configuration  10-50
    Summary  10-52
    Next Steps  10-52
    References  10-52
    Lesson Assessment  10-53
  LESSON THREE: VPN CONCENTRATOR  10-55
    Overview  10-55
    Importance  10-55
    Objectives  10-55
    Learner Skills and Knowledge  10-56
    Outline  10-56
    Overview  10-57
    IPSec Site to Site  10-58
    VPN Concentrator Remote Access  10-73
    Summary  10-81
    Next Steps  10-81
    References  10-81
    Lesson Assessment  10-82

MODULE 11 - IDS TECHNOLOGIES  11-1
    Overview  11-1
    Outline  11-1
  LESSON ONE: PIX IDS CONFIGURATION  11-3
    Overview  11-3
    Importance  11-3
    Objectives  11-3
    Learner Skills and Knowledge  11-4
    Outline  11-4
    PIX IDS Overview  11-5
    PIX IDS Configuration  11-8
    Configuring Shunning  11-12
    Summary  11-15
    Next Steps  11-15
    References  11-15
    Lesson Assessment  11-16
  LESSON TWO: IOS IDS CONFIGURATION  11-17
    Overview  11-17
    Importance  11-17
    Objectives  11-17
    Learner Skills and Knowledge  11-18
    Outline  11-18
    Cisco IOS Firewall IDS Introduction  11-19
    Configuring the IOS IDS Feature  11-23
    Configuring, Disabling, and Excluding Signatures  11-29
    Creating and Applying Audit Rules  11-33
    Verifying IOS IDS Operation  11-38
    Summary  11-42
    Next Steps  11-42
    References  11-42
    Lesson Assessment  11-43

MODULE 12 - IOS TECHNOLOGIES  12-1
    Overview  12-1
    Outline  12-1
  LESSON ONE: IOS SERVICES  12-3
    Overview  12-3
    Importance  12-3
    Objectives  12-3
    Learner Skills and Knowledge  12-5
    Outline  12-5
    Basic NTP Configuration  12-6
    NTP Authentication Configuration  12-12
    Verifying NTP Operation  12-14
    NAT Configuration  12-16
    Verifying NAT Operation  12-22
    Basic HSRP Configuration  12-25
    HSRP Interface Tracking Configuration  12-32
    HSRP Authentication Configuration  12-34
    Verifying HSRP Operation  12-36
    DHCP Server Configuration  12-40
    Verifying DHCP Server Operation  12-44
    Summary  12-46
    Next Steps  12-46
    References  12-46
    Lesson Assessment  12-48
  LESSON TWO: IOS SECURITY  12-51
    Overview  12-51
    Importance  12-51
    Objectives  12-51
    Learner Skills and Knowledge  12-52
    Outline  12-52
    Controlling Access to a Cisco Router  12-53
    Configuring Privilege Levels  12-58
    Hardening Cisco Routers  12-62
    Access Control Lists  12-73
    TCP Intercept  12-95
    Context-Based Access Control (CBAC)  12-105
    Summary  12-128
    Next Steps  12-128
    References  12-128
    Lesson Assessment  12-130

MODULE 13 - AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (AAA)  13-1
    Overview  13-1
    Outline  13-1
  LESSON ONE: AAA ON THE IOS  13-3
    Overview  13-3
    Importance  13-3
    Objectives  13-3
    Learner Skills and Knowledge  13-4
    Outline  13-4
    Authentication Commands  13-5
    Authorization Commands  13-38
    Accounting Commands  13-46
    Summary  13-59
    Next Steps  13-59
    Lesson Assessment  13-60
  LESSON TWO: AAA ON THE PIX FIREWALL  13-61
    Overview  13-61
    Importance  13-61
    Objectives  13-61
    Learner Skills and Knowledge  13-62
    Outline  13-62
    AAA Commands  13-63
    Summary  13-89
    Next Steps  13-89
    Lesson Assessment  13-90
  LESSON THREE: AAA ON THE VPN CONCENTRATOR  13-91
    Overview  13-91
    Importance  13-91
    Objectives  13-91
    Learner Skills and Knowledge  13-92
    Outline  13-92
    User AAA Configuration  13-93
    Management AAA Configuration  13-112
    Summary  13-125
    Next Steps  13-125
    Lesson Assessment  13-126

ADDITIONAL RESOURCES
    Appendix A: Configuring a Terminal Server
    Appendix B: Configuring a Frame Relay Switch
    Appendix C: Configuration Register Settings
    Appendix D: Course Glossary
    Appendix E: Answers to Review Questions

MODULE 1 - COURSE INTRODUCTION

Overview

The Cisco Certified Internetworking Expert (CCIE) Security Prep course helps qualified CCIE candidates prepare for the CCIE Security Hands-on Lab Exam. Major topics covered include Frame Relay, Integrated Services Digital Network (ISDN), Asynchronous Transfer Mode (ATM), Layer 2 Switching, Routing Protocols, IOS Security, PIX Security, VPNs, and IDS.

Outline

The Course Introduction includes these topics:
  - Course Objectives
  - Cisco's Certification Track
  - Learner Skills and Knowledge
  - Learner Responsibilities
  - General Administration
  - Course Roadmap
  - Icons and Symbols
  - Learner Introductions
  - Lab Registration
  - What to Expect the Day of the Lab

Course Objectives

This topic lists the course objectives.

Upon completing this course, you will have:
  - An in-depth knowledge of the Cisco Internetwork Operating System (IOS), the PIX operating system, the VPN concentrator operating system, and the IDS sensor operating system
  - A foundation to prepare for the CCIE Security Hands-on Lab Exam
  - The skills to quickly diagnose and troubleshoot problems in a network environment
