zeldor.biz

Linux, programming and more


CCNA Exploration 4 – Module 7

September 28, 2010 by Igor Drobot

DHCP allocation methods:

Manual Allocation: The administrator assigns a pre-allocated IP address to the client, and DHCP only communicates that IP address to the device.
Automatic Allocation: DHCP permanently assigns a static IP address to a device, selecting it from a pool of available addresses. There is no lease; the address stays bound to the device.
Dynamic Allocation: DHCP dynamically assigns, or leases, an IP address from a pool of addresses for a limited period chosen by the server, or until the client tells the DHCP server that it no longer needs the address.

Configure a DHCP server pool:

R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)# ip dhcp excluded-address 192.168.10.254
R1(config)# ip dhcp pool LAN-POOL-1
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# domain-name span.com
R1(dhcp-config)# end

Configure an interface as a DHCP client:

Eagle(config)# interface fa0/0
Eagle(config-if)# ip address dhcp
Eagle(config-if)# no shut

Configure DHCP relay:

R1# config t
R1(config)# interface Fa0/0
R1(config-if)# ip helper-address 192.168.11.5
R1(config-if)# end

Configure Static NAT:

R2(config)#ip nat inside source static 192.168.20.254 209.165.202.131

Configure Dynamic NAT Overload:

R2(config)#ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask 255.255.255.252
R2(config)#ip nat inside source list R2NAT pool R2POOL overload
R2(config)#interface Serial 0/1/0
R2(config-if)#ip nat outside
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip nat inside
# optional: return route on the ISP router for the NAT pool
ISP(config)#ip route 209.165.202.128 255.255.255.224 serial0/0/0

IPv6 Dual Stack Configuration:

conf t
ipv6 unicast-routing
interface ethernet0
ip address 192.168.99.1 255.255.255.0
ipv6 address 2001:470:1f0b:1514::7/64

IPv6 Routing:

Router(config)# ipv6 unicast-routing
Router(config-if)# ipv6 address ipv6prefix/prefix-length eui-64

DNS Resolver:

ip name-server 2001:470:1f0b:1514::1

Filed Under: Cisco, Networking Tagged With: CCNA-4, Cisco, Cisco Academy, DHCP, Ipv6, NAT, PAT

CCNA Exploration 4 – Module 6

September 28, 2010 by Igor Drobot

Carrier protocol: The protocol over which the information is traveling (Frame Relay, ATM, MPLS).
Encapsulating protocol: The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).
Passenger protocol: The protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).

Data Encryption Standard (DES) algorithm – Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
Triple DES (3DES) algorithm – A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
Advanced Encryption Standard (AES) – The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
Rivest, Shamir, and Adleman (RSA) – An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Peer authentication methods:
RSA signatures
PSKs

DES – Encrypts and decrypts packet data.
3DES – Provides significant encryption strength over 56-bit DES.
AES – Provides stronger encryption, depending on the key length used, and faster throughput.
MD5 – Authenticates packet data, using a 128-bit shared secret key.
SHA-1 – Authenticates packet data, using a 160-bit shared secret key.
DH – Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

AH provides the following:
Authentication
Integrity

ESP provides the following:
Confidentiality
Authentication
Integrity


Filed Under: Cisco, Networking Tagged With: CCNA-4, Cisco, IPSEC Security, Teleworkers, VPN Security

CCNA Exploration 4 – Module 5

September 26, 2010 by Igor Drobot

Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter.

Extended ACLs filter IP packets based on several attributes: protocol type, source and destination IP address, source and destination TCP or UDP ports, and optional protocol-specific information for finer granularity of control.

Standard ACL:

access-list 10 permit 192.168.30.0 0.0.0.255

Extended ACL:

access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80

You assign a number based on which protocol you want filtered:
(1 to 99) and (1300 to 1999): Standard IP ACL
(100 to 199) and (2000 to 2699): Extended IP ACL

Named extended ACL:

ip access-list extended TELNETTING
remark Do not allow Gates workstation to Telnet
deny tcp host 192.168.10.13 any eq telnet

Editing named ACLs (inserting an entry with an explicit sequence number):

ip access-list standard WEBSERVER
15 permit host 192.168.11.10
end
show access-lists

Debug:

show access-lists

Applying a numbered standard ACL outbound on an interface:

R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out

Applying a named standard ACL on an interface:

R3(config)# ip access-list standard NO_ACCESS
R3(config-std-nacl)# deny host 192.168.30.128
R3(config-std-nacl)# permit any
R3(config-std-nacl)# exit
R3(config)# interface fa0/0
R3(config-if)# ip access-group NO_ACCESS

More extended ACL examples:

access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 permit ip any any

R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
# The second statement allows the lower half of the 192.168.30.0/24 network access to any other destinations.
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
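A small evaluator for this kind of ACL, added here as an example (Python, not from the original post): it applies the IOS wildcard-mask rule bit by bit, walks the entries top-down with first-match semantics, and falls through to the implicit deny at the end. ACL 130 from the post is transcribed into a table; `any` is 0.0.0.0 255.255.255.255, `host` is a 0.0.0.0 wildcard, `www` is port 80, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # "eq <port>" on the destination, if present


# ACL 130 from the post, transcribed entry by entry (www == 80).
ACL_130 = [
    Ace("deny",   "ip",   ("192.168.30.0", "0.0.0.255"),   ("192.168.20.0", "0.0.0.255")),
    Ace("permit", "ip",   ("192.168.30.0", "0.0.0.127"),   ANY),
    Ace("permit", "ip",   ("192.168.30.128", "0.0.0.127"), ("192.168.10.0", "0.0.0.255")),
    Ace("permit", "ip",   ("192.168.30.128", "0.0.0.127"), ("192.168.11.0", "0.0.0.255")),
    Ace("permit", "tcp",  ("192.168.30.128", "0.0.0.127"), ANY, 80),
    Ace("permit", "icmp", ("192.168.30.128", "0.0.0.127"), ANY),
    Ace("deny",   "ip",   ANY, ANY),
]


def evaluate(acl, src, dst, proto="ip", dport=None):
    """Top-down, first match wins. Returns (action, entry number), or
    ("deny", None) for the implicit deny that ends every ACL."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets: one hits entry 1, one falls to the final deny.
    for pkt in [("192.168.30.5", "192.168.20.1", "ip", None),
                ("192.168.30.200", "203.0.113.9", "tcp", 443)]:
        print(pkt, "->", evaluate(ACL_130, *pkt))
```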

Filed Under: Cisco, Networking

CCNA Exploration 4 – Module 3

September 26, 2010 by Igor Drobot

Some correct answers from CCNA-4 Module 3 Exam:

Q: What two methods does Frame Relay technology use to process frames that contain errors?
Frame Relay services depend on the upper layer protocols to handle error recovery.
The receiving device drops any frames that contain errors without notifying the sender.

Q: What consideration must be taken into account if RIP is used on Frame Relay multiaccess networks?
To forward routing updates, address-to-DLCI mapping must be done via the use of the frame-relay map command coupled with the broadcast keyword.

Q: Which best describes the benefit of using Frame Relay as opposed to a leased line or ISDN service?
Customers only pay for the local loop and the bandwidth they purchase from the network provider.

Q: What best describes the use of a data-link connection identifier (DLCI)?
locally significant address used to identify a virtual circuit

Q: What is created between two DTEs in a Frame Relay network?
virtual circuit

Q: Which two items allow the router to map data link layer addresses to network layer addresses in a Frame Relay network?
Inverse ARP
LMI status messages

Q: Which three actions might a Frame Relay switch perform when it detects an excessive build-up of frames in its queue?
drops frames from the queue that have the DE bit set
sets the FECN bit on all frames it receives on the congested link
sets the BECN bit on all frames it places on the congested link

Q: Which statement about Frame Relay subinterfaces is correct?
Point-to-point subinterfaces act like leased lines and eliminate split-horizon routing issues.

Filed Under: Cisco, Networking

SSH trick to improve your system security

September 25, 2010 by Igor Drobot

This ASCII-art graph represents your host’s public key, which uniquely identifies (or at least, it better damn should uniquely identify!) it. This representation was added mainly because it is way easier to be able to visually record the shape of your most frequently used hosts.

Enable visualization for host keys:

id@acer:~$ cat .ssh/config
VisualHostKey   yes

id@acer:~$ ssh root@192.168.1.3
Host key fingerprint is b6:dc:cb:ff:33:83:aa:03:56:94:0c:bc:7f:38:cf:b7
+--[ RSA 2048]----+
|     ..o .       |
|      . +        |
|       o         |
|      . .        |
|       oS.       |
|      oo+o.      |
|     . .o=.  .   |
|        ..o.o +  |
|        .o++Eo.+ |
+-----------------+
root@192.168.1.3's password:
Linux piper 2.6.26-2-xen-686 #1 SMP Mon Jun 21 10:37:05 UTC 2010 i686
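How that picture is derived from the fingerprint, as an added example (Python, not from the post and not OpenSSH's own code): a reimplementation of the randomart walk that OpenSSH draws, run on the fingerprint from the session above. The board size and glyph table follow OpenSSH; the function and constant names are mine.

```python
FLDSIZE_X, FLDSIZE_Y = 17, 9
# Visit counts map onto these glyphs; the last two are reserved for start and end.
AUGMENT = " .o+=*BOX@%&#/^SE"

# Fingerprint shown in the session above (from the post).
PAGE_FINGERPRINT = "b6:dc:cb:ff:33:83:aa:03:56:94:0c:bc:7f:38:cf:b7"


def randomart(fingerprint_hex: str, key_type: str = "RSA", bits: int = 2048) -> list:
    """OpenSSH 'drunken bishop' walk over the MD5 fingerprint: each byte gives
    four 2-bit moves (least significant pair first); bit 0 steers x, bit 1
    steers y, so every step is diagonal and is clamped to the 17x9 board.
    A cell's glyph is how often the bishop landed on it; S marks the start
    (board centre) and E where the walk ends."""
    raw = bytes.fromhex(fingerprint_hex.replace(":", ""))
    field = [[0] * FLDSIZE_X for _ in range(FLDSIZE_Y)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2
    last = len(AUGMENT) - 1                 # index of 'E'
    for byte in raw:
        for _ in range(4):
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), FLDSIZE_X - 1)
            y = min(max(y, 0), FLDSIZE_Y - 1)
            if field[y][x] < last - 2:      # counts saturate at '^'
                field[y][x] += 1
            byte >>= 2
    field[FLDSIZE_Y // 2][FLDSIZE_X // 2] = last - 1   # 'S'
    field[y][x] = last                                  # 'E'
    header = "+--[%4s %4d]----+" % (key_type, bits)
    rows = ["|" + "".join(AUGMENT[c] for c in row) + "|" for row in field]
    return [header] + rows + ["+" + "-" * FLDSIZE_X + "+"]


if __name__ == "__main__":
    print("\n".join(randomart(PAGE_FINGERPRINT)))
```

Because the walk is deterministic, the same key always yields the same picture, which is what makes a changed picture on a familiar host worth a second look.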

Filed Under: Bash, Linux, Networking
