zeldor.biz

Linux, programming and more


CCNA Exploration 4 – Module 6

September 28, 2010 by Igor Drobot

Carrier protocol:
The protocol over which the information is traveling (Frame Relay, ATM, MPLS).
Encapsulating protocol:
The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).
Passenger protocol:
The protocol of the original data being carried (IPX, AppleTalk, IPv4, IPv6).
Data Encryption Standard (DES) algorithm – Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
Triple DES (3DES) algorithm – A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
Advanced Encryption Standard (AES) – The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
Rivest, Shamir, and Adleman (RSA) – An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Peer authentication methods:
RSA signatures
PSKs

DES – Encrypts and decrypts packet data.
3DES – Provides significant encryption strength over 56-bit DES.
AES – Provides stronger encryption, depending on the key length used, and faster throughput.
MD5 – Authenticates packet data, using a 128-bit shared secret key.
SHA-1 – Authenticates packet data, using a 160-bit shared secret key.
DH – Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

AH provides the following:
Authentication
Integrity

ESP provides the following:
Confidentiality
Authentication
Integrity
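The DH line above says two parties can agree on a shared secret over an insecure channel and then feed it to the hash algorithm that authenticates packets. The following is an added example, not code from the original post or from Cisco: two peers perform a Diffie-Hellman exchange (RFC 2409 Oakley group 2, the 1024-bit MODP group that "group 2" selects in IKE), derive a 160-bit key from the result, and use HMAC-SHA1 to give a constructed sample payload the kind of integrity check AH provides. The peer names, payload and the SHA-1 key derivation are assumptions made for the example.

```python
# Added example (not from the original post): Diffie-Hellman key agreement
# between two peers over an untrusted channel, followed by AH-style packet
# integrity with HMAC-SHA1 keyed from the agreed secret. Standard library only.
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP) prime and generator. Only the public
# values p, g and each side's public number ever travel on the wire.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


class DHPeer:
    """One side of the exchange; the private exponent never leaves the object."""

    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1   # private exponent in [1, p-2]
        self.public = pow(G, self._x, P)         # the value sent to the other side

    def shared_secret(self, peer_public):
        # Reject degenerate public values (0, 1, p-1) that would force a trivial secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, P)


def derive_auth_key(shared_secret):
    # Assumption for the example: hash the raw DH result down to a 160-bit key,
    # the key size the course lists for SHA-1 packet authentication.
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha1(secret_bytes).digest()


def protect_packet(key, payload):
    """AH-style: append an HMAC-SHA1 ICV so the receiver can check integrity and origin."""
    icv = hmac.new(key, payload, hashlib.sha1).digest()
    return payload + icv


def verify_packet(key, packet):
    """Return the payload if the ICV matches, else None (constant-time compare)."""
    payload, icv = packet[:-20], packet[-20:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(icv, expected) else None


def demo():
    """Run the exchange: returns (keys agree?, verified payload, tampered result)."""
    r1, r2 = DHPeer("R1"), DHPeer("R2")          # constructed peer names
    # Wire exchange: each side sends only its public value and computes the secret locally.
    k_r1 = derive_auth_key(r1.shared_secret(r2.public))
    k_r2 = derive_auth_key(r2.shared_secret(r1.public))
    packet = protect_packet(k_r1, b"constructed sample payload")
    # Flip one bit of the payload in transit; the receiver's ICV check must fail.
    tampered = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]
    return k_r1 == k_r2, verify_packet(k_r2, packet), verify_packet(k_r2, tampered)


if __name__ == "__main__":
    print(demo())
```

The key point the code makes visible is that neither private exponent is ever transmitted, yet both sides end up with the same HMAC key, and any change to the protected bytes is detected by the receiver.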



CCNA Exploration 4 – Module 4

September 26, 2010 by Igor Drobot

Configure R1 with OSPF simple authentication:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#interface S0/0/0
R1(config-if)#ip ospf authentication-key cisco123

Configure R2 with OSPF MD5 authentication:

R2(config)#interface S0/0/1
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco12

Configure Router to support Cisco SDM:

R1#configure terminal
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#username Student privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

Additional security for VTY:

R1(config)#line vty 0 4
R1(config-line)#exec-timeout 3
R1(config-line)#exit
R1(config)#service tcp-keepalives-in

Additional tricks:

Router(config)#crypto key generate rsa
Router(config)#ip ssh time-out 15
Router(config)#ip ssh authentication-retries 2

Supports incoming telnet and SSH sessions:

R1(config)#line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

Supports only incoming SSH sessions:

R1(config)#line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input ssh
R1(config-line)#exit
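The VTY and HTTP lines above come in a weaker and a stronger form (telnet plus SSH versus SSH only, HTTP with or without the secure server, with or without an idle timeout). The following is an added example, not code from the original post: a small audit that reads a running-config text, parses the `line vty` stanza and reports which of those weaker settings are in effect, run over two constructed config snippets that mirror the commands on this page.

```python
# Added example (not from the original post): audit the VTY / HTTP settings
# discussed above against a running-config snippet. Both snippets below are
# constructed for the example from the commands shown on the page.
import re

WEAK_CONFIG = """\
ip http server
username Student privilege 15 secret cisco
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
ip http server
ip http secure-server
ip http authentication local
service tcp-keepalives-in
line vty 0 4
 privilege level 15
 exec-timeout 3
 login local
 transport input ssh
"""


def parse_line_vty(config):
    """Return the indented commands under the first 'line vty' stanza, stripped."""
    block, inside = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if re.match(r"^line vty\b", line):
            inside = True
            continue
        if inside:
            if line and not line.startswith(" "):   # next top-level stanza ends the block
                break
            if line.strip():
                block.append(line.strip())
    return block


def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    vty = parse_line_vty(config)
    findings = []
    transports = [c for c in vty if c.startswith("transport input")]
    # In IOS the last 'transport input' entered is the one in effect.
    if not transports:
        findings.append("vty: no explicit 'transport input' (platform default applies)")
    elif "telnet" in transports[-1].split():
        findings.append("vty: telnet permitted; prefer 'transport input ssh'")
    if not any(c.startswith("exec-timeout") for c in vty):
        findings.append("vty: no exec-timeout; idle sessions never expire")
    if "login local" not in vty and "login" not in vty:
        findings.append("vty: no login configured")
    if "ip http server" in config and "ip http secure-server" not in config:
        findings.append("http: plaintext HTTP server without 'ip http secure-server'")
    if not re.search(r"^service tcp-keepalives-in", config, re.M):
        findings.append("no 'service tcp-keepalives-in'; half-open sessions linger")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The weak snippet produces four findings (telnet allowed, no exec-timeout, HTTP without HTTPS, no TCP keepalives); the hardened one produces none. The parser only looks at the first `line vty` stanza, which is enough for the `line vty 0 4` examples here; a config with several vty ranges would need each stanza checked.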


Frame Relay

September 25, 2010 by Igor Drobot

Before a Cisco router is able to transmit data over Frame Relay, it needs to know which local DLCI maps to the Layer 3 address of the remote destination. Cisco routers support all Network layer protocols over Frame Relay, such as IP, IPX, and AppleTalk. This address-to-DLCI mapping can be accomplished either by static or dynamic mapping.

The Frame Relay service provider assigns DLCI numbers. Usually, DLCIs 0 to 15 and 1008 to 1023 are reserved for special purposes. Therefore, service providers typically assign DLCIs in the range of 16 to 1007.

To map between a next hop protocol address and DLCI destination address, use this command:

frame-relay map protocol protocol-address dlci [broadcast] [ietf] [cisco]

Use the keyword ietf when connecting to a non-Cisco router.
You can greatly simplify the configuration for the Open Shortest Path First (OSPF) protocol by adding the optional broadcast keyword when doing this task.
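As an added example (not code from the original post or from Cisco), the following parses the `frame-relay map` syntax quoted above and applies the rules stated in this section: the DLCI is a 10-bit value, 0 to 15 and 1008 to 1023 are reserved, `ietf`/`cisco` pick the encapsulation and `broadcast` is what lets routing-protocol multicasts such as OSPF hellos cross the PVC. The set of known protocols and the rule that only one encapsulation keyword may be given are assumptions made for the validator.

```python
# Added example (not from the original post): parser and validator for the
# "frame-relay map" command syntax quoted above.
import ipaddress

RESERVED_DLCI = ((0, 15), (1008, 1023))
KNOWN_PROTOCOLS = {"ip", "ipx", "appletalk"}   # the Layer 3 protocols the post names
USAGE = "frame-relay map protocol protocol-address dlci [broadcast] [ietf] [cisco]"


def parse_frame_relay_map(command):
    """Parse one map statement into a dict; raise ValueError on syntax errors,
    collect non-fatal issues in the returned 'warnings' list."""
    tokens = command.split()
    if tokens[:2] != ["frame-relay", "map"] or len(tokens) < 5:
        raise ValueError("expected: " + USAGE)
    protocol, address, dlci_text = tokens[2:5]
    keywords = tokens[5:]
    warnings = []

    if protocol not in KNOWN_PROTOCOLS:
        warnings.append("unrecognised protocol '%s'" % protocol)
    if protocol == "ip":
        ipaddress.IPv4Address(address)          # raises on a malformed next-hop address

    dlci = int(dlci_text)                       # raises on a non-numeric DLCI
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must be 0-1023 (10-bit field)")
    for low, high in RESERVED_DLCI:
        if low <= dlci <= high:
            warnings.append("DLCI %d is in reserved range %d-%d" % (dlci, low, high))

    unknown = set(keywords) - {"broadcast", "ietf", "cisco"}
    if unknown:
        raise ValueError("unknown keyword(s): " + ", ".join(sorted(unknown)))
    encapsulation = [k for k in keywords if k in ("ietf", "cisco")]
    if len(encapsulation) > 1:
        # Validator assumption: a PVC carries one encapsulation type, not both.
        raise ValueError("choose either ietf or cisco encapsulation, not both")
    broadcast = "broadcast" in keywords
    if not broadcast:
        warnings.append("no 'broadcast': routing-protocol multicasts (e.g. OSPF hellos) "
                        "will not be forwarded over this PVC")
    return {
        "protocol": protocol,
        "address": address,
        "dlci": dlci,
        "broadcast": broadcast,
        "encapsulation": encapsulation[0] if encapsulation else "interface default",
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The mapping used in the static example below, plus a reserved DLCI without broadcast.
    for cmd in ("frame-relay map ip 10.1.1.2 102 broadcast cisco",
                "frame-relay map ip 10.1.1.2 1010"):
        print(parse_frame_relay_map(cmd))
```

The first statement parses cleanly with DLCI 102, Cisco encapsulation and broadcast forwarding on; the second is flagged twice, once for the reserved DLCI and once because OSPF hellos would not cross the PVC without `broadcast`.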

Static FR Address Mapping:

R1(config)#interface s0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp
R1(config-if)#frame-relay map ip 10.1.1.2 102 broadcast cisco
R1(config-if)#no shut

R1(config)#interface s0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#encapsulation frame-relay
R1(config-if)#bandwidth 64
R1(config-if)#frame-relay map ip 10.1.1.2 102 broadcast

R1(config-if)#frame-relay lmi-type ansi

Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE).

US Bandwidth:

E0 64 kbit/s
E1 2.048 Mbit/s
E2 8.448 Mbit/s
E3 34.368 Mbit/s
E4 139.264 Mbit/s
E5 564.992 Mbit/s
T1 1,536 Kb/s UP and DOWN


CISCO CCNA-4 – Accessing the WAN Chapter one

August 24, 2010 by Igor Drobot

  • WANs generally connect devices that are separated by a broader geographical area than can be served by a LAN.
  • WANs use the services of carriers, such as telephone companies, cable companies, satellite systems, and network providers.
  • WANs use serial connections of various types to provide access to bandwidth over large geographic areas.

The Hierarchical Network Model

Access layer – Grants user access to network devices. In a network campus, the access layer generally incorporates switched LAN devices with ports that provide connectivity to workstations and servers. In the WAN environment, it may provide teleworkers or remote sites access to the corporate network across WAN technology.
Distribution layer – Aggregates the wiring closets, using switches to segment workgroups and isolate network problems in a campus environment. Similarly, the distribution layer aggregates WAN connections at the edge of the campus and provides policy-based connectivity.
Core layer (also referred to as the backbone) – A high-speed backbone that is designed to switch packets as fast as possible. Because the core is critical for connectivity, it must provide a high level of availability and adapt to changes very quickly. It also provides scalability and fast convergence.

Enterprise Campus Architecture:
An enterprise campus network is a building or group of buildings connected into one network that consists of many LANs.
It is generally limited to a fixed geographic area, but it can span several neighboring buildings.
The architecture is modular and scalable and can easily expand to include additional buildings or floors as required.
Enterprise Branch Architecture:
This module allows businesses to extend the applications and services found at the enterprise campus to thousands of remote locations and users or to a small group of branches.
Enterprise Data Center Architecture:
Data centers are responsible for managing and maintaining the many data systems that are vital to modern business operations.
This module centrally houses the data and resources to enable users to effectively create, collaborate, and interact.
Enterprise Teleworker Architecture:
This module leverages the network resources of the enterprise from home using broadband services such as cable modem or DSL to connect to the corporate network.
Typically implemented using remote access VPNs.
Enterprise Edge Architecture:
This module often functions as a liaison between the campus module and the other modules in the Enterprise Architecture.

PAP – 2-way handshake
PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.

CHAP is a more secure procedure for connecting to a system than PAP.

CHAP – 3-way handshake

CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message.
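The two handshakes described above, modelled as message exchanges in an added example that is not part of the original post: PAP sends the username and password as-is in one request, while CHAP (RFC 1994) answers a random challenge with MD5(Identifier || secret || Challenge), so the secret itself never crosses the link and a captured response is useless against the next challenge. The peer name and the shared secret are constructed values for the example.

```python
# Added example (not from the original post): PAP and CHAP exchanges between a
# remote device and the authenticating router. CHAP response value per RFC 1994:
# MD5(Identifier || secret || Challenge). Standard library only.
import hashlib
import hmac
import secrets


# --- PAP: two-way handshake, credentials travel in the clear --------------------
def pap_authenticate_request(username, password):
    """What the remote device sends; anyone on the link can read both fields."""
    return {"username": username, "password": password}


def pap_check(request, user_db):
    """Authenticator side: plain comparison against the stored password."""
    return user_db.get(request["username"]) == request["password"]


# --- CHAP: three-way handshake ---------------------------------------------------
def chap_response(identifier, secret, challenge):
    """Step 2 (remote device): the response value; the secret never leaves it."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Local router: issues challenges and checks responses."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.identifier = 0
        self.pending = {}          # identifier -> outstanding challenge value

    def challenge(self):
        """Step 1: send a fresh random challenge together with an identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = secrets.token_bytes(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def check(self, identifier, name, response):
        """Step 3: recompute the expected value and return success/failure.
        The challenge is consumed either way, so a response cannot be reused."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (genuine response accepted, replayed response accepted, wrong secret accepted)."""
    auth = ChapAuthenticator({"R2": "constructed-shared-secret"})
    ident, chal = auth.challenge()
    resp = chap_response(ident, "constructed-shared-secret", chal)
    first = auth.check(ident, "R2", resp)
    # Someone who captured (ident, resp) off the link cannot replay it: consumed.
    replay = auth.check(ident, "R2", resp)
    ident2, chal2 = auth.challenge()
    wrong = auth.check(ident2, "R2", chap_response(ident2, "guess", chal2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
    print(pap_check(pap_authenticate_request("R2", "plain"), {"R2": "plain"}))
```

The contrast with PAP is in what an observer of the link learns: the PAP request carries the reusable password, whereas the CHAP exchange carries only a random challenge and a digest that is valid for that one challenge. Note that CHAP still requires both ends to store the shared secret in a form from which the MD5 input can be built.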
