
Thursday, November 27, 2008

Router Boot-up Process

There are four major phases to the bootup process:
1. Performing the POST
2. Loading the bootstrap program
3. Locating and loading the Cisco IOS software
4. Locating and loading the startup configuration file or entering setup mode

1. Performing the POST
The Power-On Self Test (POST) is a common process that occurs on almost every computer during bootup. The POST process is used to test the router hardware. When the router is powered on, software on the ROM chip conducts the POST. During this self-test, the router executes diagnostics from ROM on several hardware components including the CPU, RAM, and NVRAM. After the POST has been completed, the router executes the bootstrap program.

2. Loading the Bootstrap Program
After the POST, the bootstrap program is copied from ROM into RAM. Once in RAM, the CPU executes the instructions in the bootstrap program. The main task of the bootstrap program is to locate the Cisco IOS and load it into RAM.
Note: At this point, if you have a console connection to the router, you will begin to see output on the screen.

3. Locating and Loading Cisco IOS
Locating the Cisco IOS software. The IOS is typically stored in flash memory, but can also be stored in other places such as a TFTP (Trivial File Transfer Protocol) server.
If a full IOS image cannot be located, a scaled-down version of the IOS is copied from ROM into RAM. This version of the IOS is used to help diagnose any problems and can be used to load a complete version of the IOS into RAM.
Note: A TFTP server is usually used as a backup server for IOS but it can also be used as a central point for storing and loading the IOS. IOS management and using the TFTP server is discussed in a later course.

4. Locating and Loading the Configuration File
Locating the Startup Configuration File. After the IOS is loaded, the bootstrap program searches for the startup configuration file, known as startup-config, in NVRAM. This file has the previously saved configuration commands and parameters including:
interface addresses
routing information
passwords
any other configurations saved by the network administrator
If the startup configuration file, startup-config, is located in NVRAM, it is copied into RAM as the running configuration file, running-config.
Executing the Configuration File. If a startup configuration file is found in NVRAM, the IOS loads it into RAM as the running-config and executes the commands in the file, one line at a time. The running-config file contains interface addresses, starts routing processes, configures router passwords and defines other characteristics of the router.

Enter Setup Mode (Optional). If the startup configuration file cannot be located, the router prompts the user to enter setup mode. Setup mode is a series of questions prompting the user for basic configuration information. Setup mode is not intended to be used to enter complex router configurations, and it is not commonly used by network administrators.
When booting a router that does not contain a startup configuration file, you will see the following question after the IOS has been loaded:

Command Line Interface
Depending on the platform and IOS, the router may ask the following question before displaying the prompt:
Would you like to terminate autoinstall? [yes]:
Press the Enter key to accept the default answer.
Router>
Note: If a startup configuration file was found, the running-config may contain a hostname and the prompt will display the hostname of the router.
Once the prompt displays, the router is now running the IOS with the current running configuration file. The network administrator can now begin using IOS commands on this router.
Note: The bootup process is discussed in more detail in a later course.

Tuesday, November 18, 2008

CCNA Exam Topic : Planning & Designing

The CCNA Planning & Designing topic covers the actual questions that appear on the CCNA test.

Question 1:
Which of the following host addresses are members of networks that can be routed across the public Internet?(Choose three.)
A. 10.172.13.65
B. 172.16.223.125
C. 172.64.12.29
D. 192.168.23.252
E. 198.234.12.95
F. 212.193.48.254

Answer: CEF

Explanation:
Private IP address scheme
Class A: 10.0.0.0 – 10.255.255.255
Class B: 172.16.0.0 – 172.31.255.255
Class C: 192.168.0.0 – 192.168.255.255
Apart from the private IP address ranges above, all remaining IP addresses are routable across the Internet.

Question 2:
Given a subnet mask of 255.255.255.224, which of the following addresses can be assigned to network hosts?
(Choose three.)
A. 15.234.118.63
B. 92.11.178.93
C. 134.178.18.56
D. 192.168.16.87
E. 201.45.116.159
F. 217.63.12.192

Answer: BCD

Explanation:
To find the host ranges for the subnet mask 255.255.255.224:
A simple method is to compute the block size as 256 - 224 = 32.
Write down the multiples of 32 to get the subnet network addresses.
The host ranges for subnet mask 255.255.255.224 fall within the blocks below; in each block the first address is the network address and the last is the broadcast address, neither of which can be assigned to a host:
0 ----- 31 (0 is the network address and 31 is the broadcast address)
32 ----- 63
64 ----- 95
96 ----- 127
128 ----- 159
160 ----- 191
192 ----- 223
224 ----- 255

Question 3:
When variable length subnet masking is used, what does the term route aggregation describe?
A. calculating the total number of available host addresses in the AS
B. combining routes to multiple networks into one supernet
C. reducing the number of unusable addresses by creating many subnets from one supernet
D. reclaiming unused address space by changing the subnet size

Answer: B

Explanation:
Route aggregation is an effort to route smaller prefixes via an aggregated larger prefix (supernetting). The advantage is obvious: many /24 networks, for example, could be aggregated into larger networks like /23, /22 or even bigger prefixes.

Question 4:
ABC Company is merging with several local businesses that use routers from multiple vendors. Which routing protocol would work best to connect ABC Company with the enterprise networks it has acquired by providing scalability and VLSM support while minimizing network overhead?

A. RIP v1
B. RIP v2
C. IGRP
D. OSPF
E. EIGRP

Answer: D

Explanation:
Of the options above, only OSPF, EIGRP and RIPv2 support VLSM. Since the requirement is to work with multiple vendors while providing scalability, OSPF is the best choice of the three.

Question 5:
Which of the following IP addresses fall into the CIDR block of 115.64.4.0/22? (Choose three.)
A. 115.64.8.32
B. 115.64.7.64
C. 115.64.6.255
D. 115.64.3.255
E. 115.64.5.128
F. 115.64.12.128

Answer: BCE

Explanation:
/22 is 8 bits + 8 bits + 6 bits, i.e. 11111111.11111111.11111100.00000000
Third octet 11111100 = 128+64+32+16+8+4
= 252, therefore the subnet mask is 255.255.252.0
The block size in the third octet is 256-252 = 4
The third-octet ranges for this subnet mask are
0 ------- 3
4 ------- 7
(and so on in steps of 4)

Hosts that fall under the 115.64.4.0 /22 network have a third octet of
4 5 6 7
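The block-size shortcut used in Questions 2 and 5 can be checked with the Python standard library, and the same helpers extend to the equal-split subnetting of Question 18. This is an added example, not part of the original post; the option tables are transcribed from the questions above and the function names are this example's own.

```python
import ipaddress

# Option tables transcribed from Question 2, Question 5 and Question 18 above.
Q2_OPTIONS = {"A": "15.234.118.63", "B": "92.11.178.93", "C": "134.178.18.56",
              "D": "192.168.16.87", "E": "201.45.116.159", "F": "217.63.12.192"}
Q5_OPTIONS = {"A": "115.64.8.32", "B": "115.64.7.64", "C": "115.64.6.255",
              "D": "115.64.3.255", "E": "115.64.5.128", "F": "115.64.12.128"}
Q18_OPTIONS = {"A": "172.25.78.243", "B": "172.25.98.16", "C": "172.25.72.0",
               "D": "172.25.94.255", "E": "172.25.96.17", "F": "172.25.100.16"}


def octet_ranges(mask_octet):
    """The '256 - 224 = 32' shortcut: (first, last) pairs for the octet that
    the interesting mask octet covers, e.g. (0, 31), (32, 63), ... for 224."""
    size = 256 - mask_octet
    if size <= 0 or 256 % size:
        raise ValueError("not a contiguous mask octet")
    return [(start, start + size - 1) for start in range(0, 256, size)]


def classify(address, mask):
    """Return 'network', 'broadcast' or 'host' for an address under a dotted mask."""
    net = ipaddress.IPv4Network((address, mask), strict=False)
    addr = ipaddress.IPv4Address(address)
    if net.prefixlen >= 31:          # /31 and /32 have no reserved addresses
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def assignable_options(options, mask):
    """Letters of the options that a host could actually be assigned under mask."""
    return "".join(sorted(k for k, v in options.items()
                          if classify(v, mask) == "host"))


def options_in_block(options, cidr):
    """Letters of the options whose address falls inside the CIDR block."""
    block = ipaddress.IPv4Network(cidr)
    return "".join(sorted(k for k, v in options.items()
                          if ipaddress.IPv4Address(v) in block))


def equal_subnets(network, count):
    """Split a network into `count` equal subnets (count is a power of two)."""
    bits = count.bit_length() - 1
    if 1 << bits != count:
        raise ValueError("count must be a power of two")
    return list(ipaddress.IPv4Network(network).subnets(prefixlen_diff=bits))


def assignable_in_subnet(options, subnet):
    """Options that are usable host addresses inside the given subnet."""
    return "".join(sorted(k for k, v in options.items()
                          if ipaddress.IPv4Address(v) in subnet
                          and classify(v, str(subnet.netmask)) == "host"))


if __name__ == "__main__":
    print(octet_ranges(224))
    print("Q2:", assignable_options(Q2_OPTIONS, "255.255.255.224"))
    print("Q5:", options_in_block(Q5_OPTIONS, "115.64.4.0/22"))
    third = equal_subnets("172.25.0.0/16", 8)[2]
    print("Q18:", third, assignable_in_subnet(Q18_OPTIONS, third))
```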

Question 6:
In the implementation of VLSM techniques on a network using a single Class C IP address, which subnet mask is the most efficient for point-to-point serial links?
A. 255.255.255.0
B. 255.255.255.240
C. 255.255.255.248
D. 255.255.255.252
E. 255.255.255.254

Answer: D

Explanation:
A point-to-point serial link has only two hosts, so the most efficient subnet mask with two usable host addresses in a Class C network is 255.255.255.252.

Question 7:
Which statements are true regarding classless routing protocols? (Choose two.)
A. The use of discontiguous subnets is not allowed.
B. The use of variable length subnet masks is permitted.
C. RIP v1 is a classless routing protocol.
D. IGRP supports classless routing within the same autonomous system.
E. RIP v2 supports classless routing.

Answer: BE

Question 8:

The company internetwork is subnetted using 29 bits. Which wildcard mask should be used to configure an extended access list to permit or deny access to an entire subnetwork?
A. 255.255.255.224
B. 255.255.255.248
C. 0.0.0.224
D. 0.0.0.8
E. 0.0.0.7
F. 0.0.0.3

Answer: E

Explanation:
A 29-bit subnet mask is 8 bits + 8 bits + 8 bits + 5 bits
255.255.255.(5 bits)
11111000 = 128+64+32+16+8+0+0+0
= 248
The subnet mask is 255.255.255.248
A simple method to calculate the wildcard mask from a known subnet mask is to
reverse 1's into 0's and 0's into 1's in the binary representation of the subnet mask.
For the above example (248 = 11111000 in the last octet of the subnet mask)
11111000 (subnet mask) = 00000111 (wildcard mask) for the last octet
= 7 (wildcard mask) for the last octet.
Converting the remaining first 3 octets of the subnet mask (255 = 11111111) in the same way gives 0 for each.
The resulting wildcard mask is 0.0.0.7

Question 9:
The MDA Company is implementing dialup services to enable remote office employees to connect to the local network. The company uses several different Layer 3 protocols on the network. Authentication of the users connecting to the network is required for security. Additionally, some employees will be dialing long distance and will need callback support. Which protocol is the best choice for these remote access services?
A. 802.1
B. Frame relay
C. HDLC
D. PPP
E. SLIP
F. PAP

Answer: D

Question 10:
Refer to the diagram. All hosts have connectivity with one another. Which statements describe the addressing scheme that is in use in the network? (Choose three.)

A. The subnet mask in use is 255.255.255.192.
B. The subnet mask in use is 255.255.255.128.
C. The IP address 172.16.1.25 can be assigned to hosts in VLAN1
D. The IP address 172.16.1.205 can be assigned to hosts in VLAN1
E. The LAN interface of the router is configured with one IP address.
F. The LAN interface of the router is configured with multiple IP addresses.

Answer: BCF

Question 11:
Which routing protocols will support the following IP addressing scheme? (Choose three.)
A. RIP version 1
B. RIP version 2
C. IGRP
D. EIGRP
E. OSPF

Answer: BDE

Question 12:
A company with 25 computers decides to connect its network to the Internet. The company would like for all of the computers to have access to the Internet at the same time, but the company only has four usable public IP addresses. What should be configured on the router so that all computers can connect to the Internet simultaneously?
A. static NAT
B. global NAT
C. dynamic NAT
D. static NAT with ACL’s
E. dynamic NAT with overload

Answer: E

Question 13:
A network administrator would like to implement NAT in the network shown in the graphic to allow inside hosts to use a private addressing scheme. Where should NAT be configured?

A. Corporate router
B. Engineering router
C. Sales router
D. all routers
E. all routers and switches

Answer: A

Question 14:
Which of the following describe private IP addresses? (Choose two.)
A. addresses chosen by a company to communicate with the Internet
B. addresses that cannot be routed through the public Internet
C. addresses that can be routed through the public Internet
D. a scheme to conserve public addresses
E. addresses licensed to enterprises or ISPs by an Internet registry organization

Answer: BD

Question 15:
Refer to the graphic. A host is connected to switch port Fa0/3 with a crossover cable. The host and switch have been fully configured for IP connectivity as shown. However, the port indicator on switch port Fa0/3 is not on, and the host cannot communicate with any other hosts, including those connected to VLAN 2 on the same switch. Based on the information given, what is the problem?
A. Switch port Fa0/3 is not configured as a trunk port.
B. The cable is the wrong type.
C. The switch has been assigned an incorrect subnet mask.
D. Switch port Fa0/3 has been blocked by STP.
E. The switch and the hosts must be in the same subnet.

Answer: B


Explanation:
A straight-through cable is used to connect a host to a switch.

Question 16:
What kind of cable should be used to establish a trunked link between two Catalyst 2950 switches?
A. a straight-through cable
B. an EIA/TIA-232 serial cable
C. an auxiliary cable
D. a modem cable
E. a cross-over cable

Answer: E

Explanation:
A cross-over cable is used to connect two switches.

Question 17:
What is the purpose of Spanning Tree Protocol?
A. to prevent routing loops
B. to create a default route
C. to provide multiple gateways for hosts
D. to maintain a loop-free Layer 2 network topology
E. to enhance the functions of SNMP

Answer: D


Question 18:
The network 172.25.0.0 has been divided into eight equal subnets. Which of the following IP addresses can be assigned to hosts in the third subnet if the ip subnet-zero command is configured on the router? (Choose three.)
A. 172.25.78.243
B. 172.25.98.16
C. 172.25.72.0
D. 172.25.94.255
E. 172.25.96.17
F. 172.25.100.16

Answer: ACD


Question 19:
Which wild card mask will enable a network administrator to permit access to the Internet for only hosts that are assigned an address in the range of 192.168.8.0 through 192.168.15.255?
A. 0.0.0.0
B. 0.0.0.255
C. 0.0.255.255
D. 0.0.7.255
E. 0.0.3.255

Answer: D
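The bit-inversion rule from Question 8 and the range-to-wildcard reasoning of Question 19 (plus the "matches only this network" test of Question 20) can be worked mechanically. This is an added Python example, not part of the original post; the function names are this example's own.

```python
import ipaddress


def wildcard_from_mask(mask):
    """Invert every bit of a dotted subnet mask: 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefixlen):
    """Wildcard mask for a prefix length, e.g. 29 -> 0.0.0.7."""
    return wildcard_from_mask(str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask))


def ace_for_range(first, last):
    """Address/wildcard pair that matches exactly the range first..last.
    Raises if the range is not one aligned block (then several entries are needed)."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(blocks) != 1:
        raise ValueError(f"range needs {len(blocks)} separate entries")
    net = blocks[0]
    return str(net.network_address), wildcard_from_mask(str(net.netmask))


def ace_matches(address, base, wildcard):
    """The router's test: bits where the wildcard is 0 must equal the base."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def ace_covers_exactly(base, wildcard, cidr):
    """True when base/wildcard matches the CIDR block and nothing outside it:
    the wildcard must be the block's own and the base must sit inside the block."""
    net = ipaddress.IPv4Network(cidr)
    return (wildcard_from_mask(str(net.netmask)) == wildcard
            and ace_matches(str(net.network_address), base, wildcard))


if __name__ == "__main__":
    print(wildcard_from_prefix(29))                              # Question 8
    print(ace_for_range("192.168.8.0", "192.168.15.255"))        # Question 19
    print(ace_covers_exactly("172.30.16.0", "0.0.0.255", "172.30.16.0/24"))
```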

Question 20:
The exhibit shows a company network. The network administrator would like to permit only hosts on the 172.30.16.0/24 network to access the Internet. Which wild card mask and address combination will only match addresses on this network?
A. 172.30.0.0 0.0.0.0
B. 172.30.16.0 0.0.0.255
C. 172.30.0.0 0.0.15.255
D. 172.30.16.0 0.0.31.255
E. 172.30.16.0 0.0.255.255

Hotspot 2: Topology Question

640-802 CCNA Hotspot Topology Exhibit


Question 1:
Note: the host 172.30.4.4 is given wrongly in the question; the correct host must be 172.30.0.4



Answers: 702

Explanation:
On a Frame Relay network the destination Layer 2 address is a DLCI. The destination host address is 172.30.0.4, and its corresponding DLCI is 702.
This can be confirmed by looking at the show frame-relay map output, which lists the mappings of Layer 3 addresses to their corresponding Layer 2 addresses: IP 172.30.0.4 is mapped to DLCI 702.

Question 2:


Answers: frame-relay map ip 172.30.0.3 196 broadcast

Explanation:

The show frame-relay map command output above provides the dynamic mapping for S-AMER (.3; as per the topology the complete address is 172.30.0.3) to DLCI 196.

To create a static frame-relay map on the Dubai router to S-AMER we use the following command

Syntax: frame-relay map protocol protocol-address dlci [broadcast]

frame-relay map ip 172.30.0.3 196 broadcast

Question 3:

Answers: The serial connection to the MidEast branch office

Explanation:

By looking at the partial running config provided for the Dubai router, we can identify what encapsulation type is configured on each interface

Interface serial 1/0: encapsulation frame-relay

Interface serial 1/2 and serial 1/3: both have encapsulation ppp

Interface serial 1/1: has no configuration line for the encapsulation type, which means the default encapsulation (HDLC) has not been changed on this interface.

Serial 1/1 is the connection from the Dubai router to the MidEast branch office, and it has the default encapsulation.

Question 4:

Answers: T1net

Saturday, November 15, 2008

RIP V2 SIM NEW

LAB: RIP V2
Question#
Central Florida Widgets recently installed a new router in their office (NEW_RTR). Complete the network installation by performing the initial router configuration and configuring RIP v2 routing using the router Command Line Interface (CLI) on NEW_RTR.

Configure the router per the following requirements:
1) Name of the router is NEW_RTR
2) Enable-secret password is cisco
3) The password to access user EXEC mode using the console is class
4) The password to allow telnet access to the router is class
5) IPV4 addresses must be configured as follows:
5.1) Ethernet network 209.165.202.128 /27 – Router has the last assignable host address in subnet.
5.2) Serial Network is 192.0.2.16 /28 - Router has the last assignable host address in subnet.
6) Interfaces should be enabled.
7) Router protocol is RIPv2



Explanation:
Step 1:
Click on the console host; you will get a pop-up screen with the CLI of the router.
Router>
Configure the new router as per the requirements provided in the lab question.
Requirement 1:
Name of the router is NEW_RTR
Step 2:
To change the hostname of the router to NEW_RTR, follow the steps below
Router>
Router>enable
Router#configure terminal
Router(config)#hostname NEW_RTR
NEW_RTR(config)#


Requirement 2:
Enable-secret password is cisco
Step3:
To set the enable secret password to cisco use the following command
NEW_RTR(config)#enable secret cisco

Requirement 3:
The password to access user EXEC mode using the console is class
Step 4:

We need to configure line console 0 with the password class.
Also remember to type the login command after setting the password on line con 0; it makes the router prompt for the password on console logins.
NEW_RTR(config)# line con 0
NEW_RTR(config-line)#password class
NEW_RTR(config-line)#login
NEW_RTR(config-line)# exit
NEW_RTR(config)#


Requirement 4:
The password to allow telnet access to the router is class
Step 5:
To allow telnet access we need to configure the vty lines 0 to 4 with the password class.
Also remember to type the login command after setting the password on line vty 0 4; it makes the router prompt for the password on telnet logins.
NEW_RTR(config)# line vty 0 4
NEW_RTR(config-line)#password class
NEW_RTR(config-line)#login
NEW_RTR(config-line)# exit
NEW_RTR(config)#


Requirement 5:
5.1) Ethernet network 209.165.202.128 /27 – Router has the last assignable host address in subnet.
5.2) Serial Network is 192.0.2.16 /28 - Router has the last assignable host address in subnet.

Step 6:
Ethernet network 209.165.202.128 /27 – Router has the last assignable host address in subnet.

The Ethernet interface on router NEW_RTR is FastEthernet 0/0 as per the exhibit.

First we need to identify the subnet mask
Network: 209.165.202.128 /27
Subnet mask: /27: 27 bits = 8 + 8 + 8 + 3
= 11111111.11111111.11111111.11100000
Last octet 11100000 = 128+64+32+0+0+0+0+0
= 224
Subnet mask: 255.255.255.224

The subnets and their valid (first to last assignable) host address ranges for the above subnet mask are:
Subnet network      Valid host address range              Broadcast address
209.165.202.0       209.165.202.1 - 209.165.202.30        209.165.202.31
209.165.202.32      209.165.202.33 - 209.165.202.62       209.165.202.63
209.165.202.64      209.165.202.65 - 209.165.202.94       209.165.202.95
209.165.202.96      209.165.202.97 - 209.165.202.126      209.165.202.127
209.165.202.128     209.165.202.129 - 209.165.202.158     209.165.202.159
209.165.202.160     209.165.202.161 - 209.165.202.190     209.165.202.191
209.165.202.192     209.165.202.193 - 209.165.202.222     209.165.202.223
209.165.202.224     209.165.202.225 - 209.165.202.254     209.165.202.255
Use the table above for network 209.165.202.128 /27 to identify
First assignable host address: 209.165.202.129
Last assignable host address: 209.165.202.158
This IP address (209.165.202.158) is the one we need to configure on FastEthernet 0/0 of the router, using the subnet mask 255.255.255.224

NEW_RTR(config)#interface fa 0/0
NEW_RTR(config-if)#ip address 209.165.202.158 255.255.255.224

Requirement 6:

To enable interfaces
Use no shutdown command to enable interfaces
NEW_RTR(config-if)#no shutdown
NEW_RTR(config-if)#exit

Step 7:
Serial Network is 192.0.2.16 /28 - Router has the last assignable host address in subnet.
The serial interface on NEW_RTR is Serial 0/0/0 as per the exhibit.
First we need to identify the subnet mask
Network: 192.0.2.16 /28
Subnet mask: /28: 28 bits = 8 bits + 8 bits + 8 bits + 4 bits
= 11111111.11111111.11111111.11110000
Last octet 11110000 = 128+64+32+16+0+0+0+0
= 240
Subnet mask: 255.255.255.240

The subnets and their valid (first to last assignable) host address ranges for the above subnet mask are:
Subnet network      Valid host address range      Broadcast address
192.0.2.0           192.0.2.1 - 192.0.2.14        192.0.2.15
192.0.2.16          192.0.2.17 - 192.0.2.30       192.0.2.31
192.0.2.32          192.0.2.33 - 192.0.2.46       192.0.2.47
and so on ...

Use the table above for network 192.0.2.16 /28 to identify
First assignable host address: 192.0.2.17
Last assignable host address: 192.0.2.30

We need to configure the last assignable host address (192.0.2.30) on Serial 0/0/0 using the subnet mask 255.255.255.240

NEW_RTR(config)#interface serial 0/0/0
NEW_RTR(config-if)#ip address 192.0.2.30 255.255.255.240


Requirement 6:
To enable interfaces
Use no shutdown command to enable interfaces
NEW_RTR(config-if)#no shutdown
NEW_RTR(config-if)#exit


Requirement 7:
Router protocol is RIPv2
Step 8:
Need to enable RIPv2 on router and advertise its directly connected networks
NEW_RTR(config)#router rip
To enable RIP v2 routing protocol on router use the command version 2
NEW_RTR(config-router)#version 2
Optional: no auto-summary (since the lab networks do not contain discontiguous networks)
RIP v2 is classless and advertises routes including subnet masks, but it summarizes routes at classful network boundaries by default.
So the first thing we need to do when configuring RIP v2, if you must perform routing between discontiguous subnets, is turn off auto-summarization with the router command no auto-summary.

NEW_RTR(config-router)#no auto-summary

Advertise the serial 0/0/0 and fast Ethernet 0/0 networks into RIP v2 using network command

NEW_RTR(config-router)#network 192.0.2.16
NEW_RTR(config-router)#network 209.165.202.128
NEW_RTR(config-router)#end

Step 9:
Important: please do not forget to save your running-config to startup-config
NEW_RTR#copy run start
Any questions on the above lab are welcome...
Best of Luck!!!!!
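The address arithmetic and the command sequence of this lab can be generated from the requirement list, which lets you check the computed addresses before typing them into the router. This is an added Python example, not part of the original post; the requirement values and interface names are the lab's, the helper names are this example's own.

```python
import ipaddress

# Requirements transcribed from the lab question above.
REQUIREMENTS = {
    "hostname": "NEW_RTR",
    "enable_secret": "cisco",
    "console_password": "class",
    "vty_password": "class",
    "interfaces": {                       # interface names as per the exhibit
        "FastEthernet0/0": "209.165.202.128/27",
        "Serial0/0/0": "192.0.2.16/28",
    },
}


def last_assignable(prefix):
    """Last usable host address and dotted mask for a prefix (the lab's rule)."""
    net = ipaddress.IPv4Network(prefix)
    if net.prefixlen >= 31:
        raise ValueError("no host/broadcast split; the lab expects /30 or shorter")
    hosts = list(net.hosts())
    return str(hosts[-1]), str(net.netmask)


def classful_network(address):
    """Classful network of an address: under 'router rip' IOS stores a
    'network' statement as the classful network regardless of what was typed."""
    first = int(address.split(".")[0])
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.IPv4Network(f"{address}/{prefixlen}", strict=False)
               .network_address)


def build_config(req):
    """Render the lab configuration as IOS commands, one per line."""
    lines = [
        f"hostname {req['hostname']}",
        # 'enable secret' is stored hashed; the line passwords below are stored
        # in clear text unless 'service password-encryption' is configured
        f"enable secret {req['enable_secret']}",
        "line console 0", f" password {req['console_password']}", " login",
        "line vty 0 4", f" password {req['vty_password']}", " login",
    ]
    networks = set()
    for name, prefix in req["interfaces"].items():
        addr, mask = last_assignable(prefix)
        lines += [f"interface {name}", f" ip address {addr} {mask}", " no shutdown"]
        networks.add(classful_network(addr))
    lines += ["router rip", " version 2", " no auto-summary"]
    lines += [f" network {n}" for n in sorted(networks)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_config(REQUIREMENTS))
```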

EIGRP SIM (New)

LAB: EIGRP
Question#
After adding the RTR_2 router, no routing updates are being exchanged between RTR_1 and the new location. All other interconnectivity and Internet access for the existing locations of the company are working properly.

The task is to identify the fault(s) and correct the router configuration to provide full connectivity between the routers.

Access to the router CLI can be gained by clicking on the appropriate host.

All passwords on all routers are cisco .

IP addresses are listed in the chart below.





RTR_A#show run
!
!
interface FastEthernet0/0
ip address 192.168.60.97 255.255.255.240
!
interface FastEthernet0/1
ip address 192.168.60.113 255.255.255.240
!
interface Serial0/0
ip address 192.168.36.14 255.255.255.252
clockrate 64000
!

router eigrp 212
network 192.168.36.0
network 192.168.60.0
no auto-summary
!

RTR_A#show ip route
192.168.36.0/30 is subnetted, 1 subnets
C 192.168.36.12 is directly connected, Serial 0/0
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.96/28 is directly connected, FastEthernet0/0
C 192.168.60.112/28 is directly connected, FastEthernet0/1
D 192.168.60.128/28 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D 192.168.60.144/28 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D 192.168.60.24/30 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0
D* 198.0.18.0 [ 90/21026560 ] via 192.168.36.13, 00:00:57, Serial 0/0

********************************************************************************

RTR_2#show run
!
!
interface FastEthernet0/0
ip address 192.168.77.34 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.60.65 255.255.255.240
!
interface FastEthernet1/0
ip address 192.168.60.81 255.255.255.240
!
!

router eigrp 22
network 192.168.77.0
network 192.168.60.0
no auto-summary
!

RTR_2#show ip route
192.168.60.0/28 is variably subnetted, 2 subnets
C 192.168.60.80 is directly connected, FastEthernet1/0
C 192.168.60.64 is directly connected, FastEthernet0/1
192.168.77.0/30 is subnetted, 1 subnets
C 192.168.77.32 is directly connected, FastEthernet0/0

**********************************************************

RTR_B#show run
!
interface FastEthernet0/0
ip address 192.168.60.129 255.255.255.240
!
interface FastEthernet0/1
ip address 192.168.60.145 255.255.255.240
!
interface Serial0/1
ip address 192.168.60.26 255.255.255.252

!

router eigrp 212
network 192.168.60.0
!

RTR_B#show ip route
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.24/30 is directly connected, Serial0/1
C 192.168.60.128/28 is directly connected, FastEthernet0/0
C 192.168.60.144/28 is directly connected, FastEthernet0/1
D 192.168.60.96/28 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
D 192.168.60.112/28 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
192.168.36.0/30 is subnetted, 1 subnets
D 192.168.36.12 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1
D* 198.0.18.0 [ 90/21026560 ] via 192.168.60.25, 00:00:57, Serial 0/1

**************************************************************************


RTR_1#show run
!
!
interface FastEthernet0/0
ip address 192.168.77.33 255.255.255.252
!
interface Serial1/0
ip address 198.0.18.6 255.255.255.0
!
!
interface Serial0/0
ip address 192.168.36.13 255.255.255.252
clockrate 64000
!
interface Serial0/1
ip address 192.168.60.25 255.255.255.252
clockrate 64000
!
!

router eigrp 212
network 192.168.36.0
network 192.168.60.0
network 192.168.85.0
network 198.0.18.0
no auto-summary
!
ip classless
ip default-network 198.0.18.0
ip route 0.0.0.0 0.0.0.0 198.0.18.5
ip http server

RTR_1#show ip route
192.168.36.0/30 is subnetted, 1 subnets
C 192.168.36.12 is directly connected, Serial 0/0
192.168.60.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.60.24/30 is directly connected, Serial0/1

D 192.168.60.128/28 [ 90/21026560 ] via 192.168.60.26, 00:00:57, Serial 0/1
D 192.168.60.144/28 [ 90/21026560 ] via 192.168.60.26, 00:00:57, Serial 0/1
D 192.168.60.96/28 [ 90/21026560 ] via 192.168.36.14, 00:00:57, Serial 0/0
192.168.77.0/30 is subnetted, 1 subnets
C 192.168.77.32 is directly connected, FastEthernet0/0
C 192.0.18.0/24 is directly connected, Serial 1/0
*S 0.0.0.0 via 198.0.18.5


Explanation:

Step1:
Identify the faults in the configuration of RTR_1 and RTR_2. As the SIM specifies, all other interconnectivity and Internet access for the existing locations of the company are working properly.

The routing protocol used in the SIM is EIGRP with AS 212, as provided by the exhibit.
Faults identified:


  1. Wrong AS (EIGRP 22) configured on RTR_2 (the new router)
  2. RTR_1 does not advertise the new network between RTR_1 and RTR_2 into EIGRP.
We need to correct the above two configuration mistakes to have full connectivity.
Step 2: Correcting the EIGRP AS to 212
Wrong AS (EIGRP 22) configured on RTR_2 (the new router)
All routers that want to exchange routes within EIGRP need to be in the same autonomous system.

Step 2.1:
First we need to remove the current, wrong EIGRP AS 22 from router RTR_2
Click on Host-F to get the CLI of RTR_2

RTR_2>enable
Password: cisco (provided by the SIM question)
RTR_2#conf t
RTR_2(config)#
Step 2.2:
Removing the wrong EIGRP routing process with AS 22
RTR_2(config)#no router eigrp 22
The above statement removes all the EIGRP configuration for AS 22.

Step 2.3:
Adding the correct EIGRP configuration
Start the EIGRP routing process with AS 212
RTR_2(config)#router eigrp 212
Step 2.4:
Advertise the directly connected networks into EIGRP on RTR_2

Fa 0/0 - 192.168.77.34
Fa 1/0 - 192.168.60.81
Fa 0/1 - 192.168.60.65

RTR_2(config-router)#network 192.168.60.0

RTR_2(config-router)#network 192.168.77.0
RTR_2(config-router)#no auto-summary
RTR_2(config-router)#end

Step 2.5:

Important: save the changes made to router RTR_2
RTR_2#copy run start

Step 3:



RTR_1 does not advertise the new network between RTR_1 and RTR_2 into EIGRP.

Click on Host-G to get the CLI of RTR_1
The network 192.168.77.0 is used between RTR_1 Fa0/0 and RTR_2 Fa0/0
This network needs to be advertised into the EIGRP routing process at RTR_1
RTR_1>enable
Password: cisco (provided by the SIM question)
RTR_1#conf t
RTR_1(config)#
Step 3.1:
Enter the EIGRP routing process for AS 212
RTR_1(config)#router eigrp 212

Step 3.2:
The network 192.168.77.0 is used between RTR_1 Fa0/0 and RTR_2 Fa0/0. Advertise this network into EIGRP
RTR_1(config-router)#network 192.168.77.0
RTR_1(config-router)#end

Step 3.3:
Important: save the changes made to router RTR_1
RTR_1#copy run start

Verification:

From RTR_2 CLI
ping RTR_1 Serial 1/0 IP address 198.0.18.6
RTR_2#ping 198.0.18.6
!!!!!
A successful ping shows the new RTR_2 will have full connectivity with other routers.
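The two faults found above (a mismatched AS number and an interface whose network is not covered by any network statement) are exactly what a configuration audit can catch before anyone has to troubleshoot missing neighbors. This is an added Python example, not part of the original post; it parses trimmed copies of the RTR_1 and RTR_2 running configs from the exhibit and assumes the classful form of the network statement, the only form used in this SIM.

```python
import ipaddress
import re

# Trimmed copies of the exhibit's running configs: only the lines the audit reads.
CONFIGS = {
    "RTR_2": """
interface FastEthernet0/0
 ip address 192.168.77.34 255.255.255.252
interface FastEthernet0/1
 ip address 192.168.60.65 255.255.255.240
interface FastEthernet1/0
 ip address 192.168.60.81 255.255.255.240
router eigrp 22
 network 192.168.77.0
 network 192.168.60.0
 no auto-summary
""",
    "RTR_1": """
interface FastEthernet0/0
 ip address 192.168.77.33 255.255.255.252
interface Serial1/0
 ip address 198.0.18.6 255.255.255.0
interface Serial0/0
 ip address 192.168.36.13 255.255.255.252
interface Serial0/1
 ip address 192.168.60.25 255.255.255.252
router eigrp 212
 network 192.168.36.0
 network 192.168.60.0
 network 192.168.85.0
 network 198.0.18.0
 no auto-summary
""",
}


def classful(address):
    """Classful network implied by the first octet (A: /8, B: /16, C: /24),
    which is how IOS interprets 'network x.x.x.0' without a wildcard."""
    first = int(address.split(".")[0])
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{address}/{prefixlen}", strict=False)


def parse(config):
    """Return (interface addresses, EIGRP AS number, advertised networks)."""
    addrs, asn, nets = [], None, []
    for line in config.splitlines():
        if m := re.match(r"\s*ip address (\S+) (\S+)", line):
            addrs.append(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"\s*router eigrp (\d+)", line):
            asn = int(m.group(1))
        elif (m := re.match(r"\s+network (\S+)\s*$", line)) and asn is not None:
            nets.append(classful(m.group(1)))
    return addrs, asn, nets


def audit(configs, expected_as):
    """Findings that explain why a router would exchange no EIGRP routes."""
    findings = []
    for name, cfg in configs.items():
        addrs, asn, nets = parse(cfg)
        if asn != expected_as:
            findings.append(f"{name}: EIGRP AS {asn} does not match AS {expected_as}")
        for itf in addrs:
            if not any(itf.ip in net for net in nets):
                findings.append(f"{name}: {itf.with_prefixlen} is not covered "
                                f"by any network statement")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS, expected_as=212):
        print(finding)
```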

CCNA Router Simulator Question - VTP SIM

VTP SIM TESTLET IS ANOTHER SIM EXAM QUESTION


Question:
This task requires you to use the CLI of Sw-AC3 to answer five multiple-choice questions. This does not require any configuration.
To answer the multiple-choice questions, click on the numbered boxes in the right panel.
There are five multiple-choice questions with this task. Be sure to answer all five questions before leaving this item.



Important: The VTP simlet has a pool of 10 questions. The test may have only 5 questions for the VTP SIM.

Some very useful commands for answering this simlet:

show cdp neighbor, show cdp neighbor detail, show interface trunk or show interface switchport, show mac-address-table, show spanning-tree, show vlan, show vtp status, show run.

The pool of 10 questions is discussed here, starting with the 4 questions in the above picture.

Question 1 :

What interface did Sw-AC3 associate with source MAC address 0010.5a0c.ffba?

Answer:

Fa 0/8 (As per the picture above)

To find the interface associated with a given MAC address on the switch, use the show mac-address-table command and search the output for the MAC address 0010.5a0c.ffba and its associated interface number.
Question 2 :

What ports on Sw-AC3 are operating as trunks? (Choose two.)

Answer:

Fa 0/9 and Fa 0/12 (As per the picture above)

To find out the ports operating as trunks on a switch

Use the show interface trunk command; this will display all the trunk ports configured on the switch.

(or)

Use the show interface switchport command and check its output for "Operational Mode: trunk" for each and every interface.

Question 3:

What kind of router is VLAN-R1?

Answer:

2611 ( as per picture above)

To know the details of a directly connected neighbor, use the show cdp neighbors command on the switch; its output gives the following details about each neighbor:

Device ID, Local Interface, Holdtime, Capability, Platform, Port ID

To know what kind of router VLAN-R1 is, we need to identify its platform from the above command output.

Question 4:

Which switch is the root bridge for VLAN 1?

Answer:

Sw-AC3 (as per the question above in the picture)

Step 1: Use the show spanning-tree vlan 1 command; its output provides the MAC address of the root bridge.

Step 2: Now use the show mac-address-table command; its output associates the MAC address with an interface number.

Step 3: Use the command show cdp neighbors; its output will give us the local interface associated with the hostname (Device ID).

Question 5 :

Out of which port on switch Sw-Ac3 would a frame containing an IP packet with destination address that is not on a local LAN be forwarded?

Answer:

To forward a packet with a destination address outside the switch's own subnet, the switch forwards the IP packet to the Layer 3 device (for example, the router) connected to it.

Step 1: Find the default gateway (router or Layer 3 device) configured on the switch.

Use the show run command to view the IP address configured as the default gateway on the switch.

Step 2: Look for the router VLAN-R1 in the output of the show cdp neighbor detail command.

Sample output of show cdp neighbor detail command for better understanding the output details

Device ID: C2950-1
Entry address(es):
Platform: Cisco WS-C2950T-24, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/15
Holdtime : 139 sec

Two things to notice from the above output

Interface: FastEthernet0/0 states that the neighbor (c2950-1) is connected to fa 0/0 on the local switch (c3660-2).

Port ID (outgoing port): FastEthernet0/15 explains that the neighbor (c2950-1) uses its own port fa 0/15 to reach the c3660-2 switch.

For our question we should look for the router VLAN-R1's corresponding details and the port to which it is connected on the local switch Sw-Ac3.

Step 3: The port on switch Sw-Ac3 to which the router VLAN-R1 is connected is the one used to forward packets with a destination address that is not on a local LAN.

Question 6:

What address should be configured as the default-gateway for the host connected to interface fa 0/4 of Sw-Ac3?

Answer:

Step1: Find the VLAN assigned to interface fa 0/4 by using the show vlan command on Sw-Ac3.

In the exhibit for this question, fa 0/4 is in VLAN1, based on the output of the show vlan command.

Step2: From the exhibit we know that VLAN1 is configured on the router using sub-interface fa 0/0.1 with IP address 192.168.1.254/24.

Step3: 192.168.1.254 should be configured as the default-gateway address for the host connected to fa 0/4 on the switch.

This is because fa 0/4 on Sw-Ac3 belongs to VLAN1, so a host connected to fa 0/4 will be a member of VLAN1.

Question 7:

Out of which ports will a frame with source MAC address 0015.5A0Cc.A086 and destination MAC address 000A.8A47.0612 be forwarded?

Answer:

Step1: Use the show mac-address-table command on the switch.

The output of show mac-address-table maps MAC addresses to port numbers. Search the output for the two MAC addresses given in the question; the port corresponding to the destination MAC address is the correct answer.

Step2: If the destination MAC address is not in the show mac-address-table output, the frame is flooded to all ports of the VLAN (the VLAN is determined by the VLAN membership of the port on which the source MAC address was learned) except the port it was received on.

Question 8:

From which switch did Sw-Ac3 receive VLAN information ?

Answer:

Step1: Use the show vtp status command on Sw-Ac3.

Sample output of the show vtp status command:

switch# show vtp status
VTP Version : 2
Configuration Revision : 255
Maximum VLANs supported locally : 1005
Number of existing VLANs : 35
VTP Operating Mode : Server
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x08 0x7E 0x54 0xE2 0x5A 0x79 0xA9 0x2D
Configuration last modified by 127.0.0.12 at 8-7-02 11:21:43
Local updater ID is 127.0.0.12 on interface EO0/0 (first interface found)

The local updater ID in the above output is the IP address of the device providing the VLAN information. The address could also be that of the switch itself.

Step 2: show cdp neighbor detail provides the hostname corresponding to that IP address.

Question 9:

Refer to the exhibit. SwX was taken out of the production network for maintenance. It will be reconnected to the Fa 0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?

Answer:

Step1: On switch Sw-Ac3 use the show vtp status command. Note the domain name in the output; both switches must have the same domain name configured to exchange VTP messages (exhibit domain name: home-office).

Step2: If the domain names match, note the Configuration Revision number of Sw-Ac3 and compare it with that of SwX. Whichever switch has the higher configuration revision number becomes the VTP updater, and it replaces the other switch's VLAN information with its own.

For example, if SwX has the higher revision number, the VLAN information configured on Sw-Ac3 will be replaced by the VLAN information on SwX.
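The check in Question 9 can be scripted before a switch is reconnected. The following Python is an added example, not part of the original post or of Cisco IOS: it parses two show vtp status outputs (constructed samples in the page's format; the revision numbers are placeholders, since the exhibit does not give them) and applies the domain and revision rules above to predict which switch overwrites the other.

```python
import re
from dataclasses import dataclass

# Fields of "show vtp status" output that decide what happens on reconnect.
# Patterns are anchored at line start so "VTP V2 Mode" cannot be mistaken
# for "VTP Operating Mode".
_FIELDS = {
    "domain": re.compile(r"^VTP Domain Name\s*:\s*(\S*)", re.M),
    "revision": re.compile(r"^Configuration Revision\s*:\s*(\d+)", re.M),
    "mode": re.compile(r"^VTP Operating Mode\s*:\s*(\S+)", re.M),
    "vlans": re.compile(r"^Number of existing VLANs\s*:\s*(\d+)", re.M),
}


@dataclass
class VtpStatus:
    hostname: str
    domain: str
    revision: int
    mode: str
    vlans: int


def parse_vtp_status(hostname: str, text: str) -> VtpStatus:
    """Extract the reconnect-relevant fields from 'show vtp status' text."""
    values = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"{hostname}: '{name}' not found in show vtp status")
        values[name] = match.group(1)
    return VtpStatus(hostname, values["domain"], int(values["revision"]),
                     values["mode"], int(values["vlans"]))


def predict_reconnect(existing: VtpStatus, incoming: VtpStatus) -> dict:
    """Apply the Question 9 rules: same domain required, highest revision wins."""
    if existing.domain != incoming.domain:
        return {"outcome": "no_exchange", "reason": "VTP domain names differ"}
    # Transparent-mode switches never overwrite their own VLAN database
    # (IOS behaviour, not stated on the page).
    if "Transparent" in (existing.mode, incoming.mode):
        return {"outcome": "no_change", "reason": "a switch is in transparent mode"}
    if incoming.revision > existing.revision:
        return {"outcome": "overwrite", "updater": incoming.hostname,
                "overwritten": existing.hostname}
    if incoming.revision < existing.revision:
        return {"outcome": "overwrite", "updater": existing.hostname,
                "overwritten": incoming.hostname}
    return {"outcome": "no_change", "reason": "configuration revisions are equal"}


# Constructed sample outputs in the format shown above; the revision and
# VLAN counts are placeholders, not values from the exhibit.
SW_AC3_STATUS = """\
Sw-Ac3# show vtp status
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : home-office
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
"""

SWX_STATUS = """\
SwX# show vtp status
VTP Version : 2
Configuration Revision : 27
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : home-office
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
"""


if __name__ == "__main__":
    verdict = predict_reconnect(parse_vtp_status("Sw-Ac3", SW_AC3_STATUS),
                                parse_vtp_status("SwX", SWX_STATUS))
    print(verdict)
```

With these samples SwX has the higher revision, so reconnecting it would replace the nine VLANs on Sw-Ac3 with the five on SwX; that is the case to catch before plugging the cable in.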

CCNA 4.0 Exploration Network Fundamentals Exams

This ebook has questions and answers for CCNA 4.0 Exploration Network Fundamentals.
Network Step by Step is happy to provide it to you.

Link download:
http://www.youthgeneration.net/forum/index.php?topic=71.0

Monday, November 3, 2008

Testking 640-802 v22

Exam Number/Code: 640-802
Exam Name: Cisco Certified Network Associate

Guarantee your 640-802 success with our 640-802 Exam Resources. Our exams are developed by experienced IT professionals working in today's prospering companies and data centers. All our practice exams, including the 640-802 exam, guarantee you the exam success you need.

640-802 can be a challenging exam, measuring your 640-802 Exam skills, and complements the other exams in this certification.

Test King Questions and Answers provide you the complete coverage of the certification exams. Our testing questions and answers were prepared by veteran Certified Experts at Test King. Each preparation exam will make you feel like you're taking the actual exam!

TestKing's commitment to product quality, to our team and to our customers continues to differentiate us from other companies. TestKing uses an experienced team of certified subject-matter experts, technical writers, and technical editors to create and edit the most in-depth and realistic exam questions. Every TestKing product goes through a rigorous, multi-stage editing process to ensure comprehensive coverage of exam objectives.

TestKing products are so comprehensive that IT professionals who use TestKing to prepare for their certification exams feel confident they will pass their exams on the first try--or otherwise be eligible to receive a refund on their purchases. Pass your MCSE, MCSA, MCDBA, Cisco CCNA, CCNP, CCIE, CompTIA A+, HP, IBM, Nortel, Novell, SUN, Oracle, CISSP, CIW, CheckPoint exams on your first try.

Link download is in our forum:
http://www.youthgeneration.net/forum/index.php?topic=68.0

Saturday, October 25, 2008

Pass4Sure 640-802 v3.22

Exam Number/Code: 640-802
Exam Name: Cisco Certified Network Associate

"Cisco Certified Network Associate", also known as 640-802 exam, is a Cisco certification.
Preparing for the 640-802 exam? Searching 640-802 Test Questions, 640-802 Practice Exam, 640-802 Dumps?

With the complete collection of questions and answers, Pass4sure has assembled 254 Q&As to take you through your 640-802 Exam preparation. In the 640-802 exam resources, you will cover every field and category in CCNA, helping to ready you for your successful Cisco Certification.

Link Download
Pass: http://networkstepbystep.blogspot.com/

Monday, October 20, 2008

PIX Lab: Tutorial in PIX

Following is PIX LAB tutorial:
  1. Basic PIX Configuration
  2. Installing WebSENSE
  3. Config NAT Stats and Conduits
  4. Config Multiple Interfaces
  5. Config Authentication
  6. Config the Primary PIX Firewall
  7. Verify IPSec Configuration
  8. Password Recovery & Image Update
  9. Configuring the CSIS Feature Set
  10. Configure Cisco Secure ACS NT
  11. Configure AAA and Authentication Proxy
  12. Verify Authentication Proxy Configuration
  13. Configure the PIX as a DHCP Server Configuring PIX as a DHCP Client
  14. Configuring Logging
  15. Configuring Logging -Verification
  16. Denying Outbound Traffic
  17. Allowing Outbound Traffic
  18. Configure PIX to work with Websense
  19. Configure WebSense to Block by URL
  20. WebSense to Block by Workstation
  21. Configure the Fixup Protocol on PIX
  22. Configuring PIX for IDS Signatures
  23. CSACS Install and Add User
  24. Configure IKE and IPsec on the PIX
Link Download:

Visit this thread in the forum to download.

Thursday, October 16, 2008

How to build a secure Enterprise Firewall?

Firewalls and their architecture are a critical part of sound network security, but they are only the beginning of a secure enterprise network. In this paper, we will cover the fundamentals of good firewall design using a single multi-homed firewall design with stateful failover. The end result will be a network that is simple to manage, high performance, highly available, highly secure, and budget saving.

What is the most important aspect?

There has been some fierce debate in design philosophy on whether it is best to have one brand of firewall or more. I personally subscribe to the idea that two are usually not better than one, because firewall vulnerabilities are rarely the problem in the vast majority of break-ins. Hackers typically don't need to hack the firewall because they come in through the ports that are already open and exploit the weaknesses on the servers behind the firewall. Additionally, there usually is nothing there for the hacker to hack on the firewall, because any smart administrator will lock that firewall down to drop all connections to the firewall itself except those from the designated firewall management stations. Even if, for example, there is a known vulnerability in Apache or SSH on your firewall, the threat can only come from the designated management stations, which are well protected or even turned off.

1. Human factors comprise 99% of all firewall compromises.
2. The cost of running multiple vendor firewalls may even force you to give up on the very things you need to be most concerned about.
3. Finite resources are usually much better spent hardening a single platform.
4. The biggest problem in firewall security is poor maintenance, bad policy and bad network design.

Firewall design goals:

A good firewall policy and network design can mitigate (but not eliminate) the following security risks:

  • The Internet attacking your DMZ servers
  • Any part of your network attacking the Internet
  • Your users or servers attacking your DMZ servers
  • Your DMZ servers attacking your users, servers or even further harming themselves
  • Threats from business partners and extranets
  • Threats from remote offices via WAN connections

The first point is rather obvious; simply by limiting the service port access from the Internet to your DMZ servers, you can greatly reduce the chances that they will be hacked. On an SMTP mail server, for example, only TCP port 25 is permitted from the Internet. Therefore, if that SMTP server happened to have a vulnerability in its web server service or daemon, it would not be exposed to the Internet, where worms and hackers are always on the prowl for port 80 vulnerabilities.

The next point may seem a bit odd, why would one be concerned about protecting the public Internet with one’s own network? While this may seem to be just a good exercise in Netizenship (Internet citizenship), it is also for the selfish purpose of protecting one’s own Internet connection. Take the recent SQL slammer worm for instance; it managed to decimate large segments of the Internet for an entire day. Had there been better firewall policies in place, you could have prevented the DoS (Denial of Service) effect on your Internet connection and also saved the Internet.

One of the least recognized dangers in security is the internal threat. With conventional designs, the most expensive firewall on the planet cannot protect your network from "sneaker net", a phenomenon where a user walks into your network with a laptop or disk infected with a virus or worm from home or some other source. A good network design and firewall policy would protect your DMZ servers from your servers and users the same way it protects them from the Internet.

The reverse situation of the above is also a potential threat. Since DMZ servers are exposed to the public Internet, there is a chance that they can be compromised by a hacker or worm. It is essential that you limit the damage that your DMZ servers can do to your internal servers or user stations. Additionally, a tight firewall policy can also prevent DMZ servers from further damaging themselves. If a server is compromised by a hacker through some known or unknown vulnerability, the first thing they will try to do is download a "root kit". The firewall policy should prevent the downloading of this deadly payload and make life harder on the attacker.

Additional threats from Extranet partners and Remote office WANs can also be mitigated. Routers that connect these networks using WAN technologies such as frame relay, ISDN, private lease line, or VPN tunnels can be secured by the firewall. Trying to implement security with firewall enabled routers on each and every one of those routers is expensive not only in terms of hardware/software costs, but setup and administration as well. An enterprise firewall can provide simple and centralized management of WAN and Extranet security with additional zones beyond the conventional triple homed design.

The bottom line is that firewalls can limit the flow of traffic between network zones which are broken down by logical organization and functional purposes. A firewall cannot however limit and protect hosts from other hosts within the same subnet because data never passes the firewall for inspection. This is why the more zones a firewall supports, the more useful it is in a well designed enterprise network. This is now easier than ever to accomplish since all of the major players like Cisco and Nokia support trunking of interfaces. A single gigabit port can easily support as many zones as you like and still perform much better than several fast Ethernet ports.

Implementing a good firewall policy:
1. The first critical component of secure firewall architecture is policy design.

In firewall policies, this simply means that unless there is a specific reason that a service needs to be used, that service should be blocked by default.

To implement this default service blocking policy, only one simple firewall rule needs to be implemented globally at the end of all policy sets, the any-any-any-drop rule. This simply means that the default behavior of the firewall will drop all packets from any source to any destination on any service. It is important that this rule is the last rule in any policy set because firewalls act from top to bottom.
==> The narrower these rules are made, the more secure the network is.

For example, users should be permitted outbound ports for common services like HTTP, FTP and media services, but nothing else should be permitted unless there is a special case to allow such traffic. When there is a special case based on a business need, tightly targeted rules should be added when approved. A very common error that administrators make is that they extend user rights to server and DMZ networks. Outbound rules that are appropriate for users are generally not appropriate for servers. When you really think about it, there is no reason that your Web server needs to surf the Web. Servers should serve and are rarely a client. The bottom line is, the DMZ or server farm should almost never be permitted to initiate traffic. Servers typically take in requests, but almost never request services from the public Internet except for XML and EDI applications with business partners. Other exceptions can be things like legitimate vendor sites that provide drivers and software updates, but all exceptions should be narrowly defined. Following these strict guidelines can vastly reduce server compromises, to the point that even the intra-subnet spread of worms like Code Red and NIMDA could have been prevented had such policies been in place, even if the servers were not patched.
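The top-to-bottom, first-match behaviour and the any-any-any-drop rule described above can be modelled in a few lines. The following Python is an added example, not part of the article or of any vendor's firewall: the zone names, service names and the policy itself are constructed, and the shadowed-rule check is the kind of audit a reviewer would run to catch a catch-all drop placed anywhere but last.

```python
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    service: str  # service name, or "any"
    action: str   # "permit" or "drop"

    def matches(self, src: str, dst: str, service: str) -> bool:
        """A field matches when it is 'any' or equals the flow's value."""
        return all(want == ANY or want == got
                   for want, got in ((self.src, src), (self.dst, dst),
                                     (self.service, service)))

    def covers(self, other: "Rule") -> bool:
        """True if every flow that `other` could match, this rule matches first."""
        return self.matches(other.src, other.dst, other.service)


def evaluate(policy: List[Rule], src: str, dst: str, service: str) -> str:
    """First-match evaluation, top to bottom, as the article describes."""
    for rule in policy:
        if rule.matches(src, dst, service):
            return rule.action
    # Only reached when the terminal any-any-any-drop rule is missing.
    return "drop"


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [i for i, rule in enumerate(policy)
            if any(earlier.covers(rule) for earlier in policy[:i])]


def missing_terminal_drop(policy: List[Rule]) -> bool:
    """The article requires any-any-any-drop as the last rule of every policy set."""
    return not policy or policy[-1] != Rule(ANY, ANY, ANY, "drop")


# Constructed policy following the article's guidance: users get a few
# outbound services, the Internet reaches the DMZ only on the published
# service, servers initiate nothing, and any-any-any-drop closes the set.
POLICY = [
    Rule("users", "internet", "http", "permit"),
    Rule("users", "internet", "ftp", "permit"),
    Rule("internet", "dmz", "smtp", "permit"),
    Rule(ANY, ANY, ANY, "drop"),
]

# Constructed mis-ordered policy: the catch-all drop was placed first, so
# every later rule is dead and users silently lose web access.
MISORDERED = [POLICY[3], POLICY[0], POLICY[1], POLICY[2]]


if __name__ == "__main__":
    print("users -> internet http:", evaluate(POLICY, "users", "internet", "http"))
    print("dmz -> internet http:", evaluate(POLICY, "dmz", "internet", "http"))
    print("dead rules in MISORDERED:", shadowed_rules(MISORDERED))
```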

Implementing a good firewall network design:


Figure 1 illustrates a PIX 525 with 2 Gigabit Ethernet ports and 6 100-Mbit Fast Ethernet ports. This is a great way to achieve physical separation of the different subnets needed for an enterprise network, provided that each port is plugged in to a physically different Ethernet switch. However, I can tell you that this is rarely done, and it is often impractical to deploy more than half a dozen physical switches in the data center, one for each subnet. More often than not, enterprises employ virtual LANs by segmenting a single physical switch into multiple bridge groups, which makes it extremely easy to provision additional ports for any existing subnet or future ones. Because of this and the fact that all the enterprise firewall vendors have added 802.1q trunking support (Cisco came late in February 2003), one can easily use a single Gigabit port to connect the Layer 3 core switch, DMZ, extranet, guest subnet, and any other VLAN subnets that an enterprise needs. Therefore, one can do without the second Gigabit Ethernet card and 4 port Fast Ethernet card in the PIX 525 shown in figure 1. This has however raised the need for Layer 2 switch security against things like "VLAN hopping", which is rarely discussed even among experts, but we shall leave that for another piece. But even with the trunked Gigabit port, you should continue using the two built in Fast Ethernet ports for the public Internet and stateful failover synchronization. Bottom line, two firewalls in the same class as a PIX 525 can provide enough flexibility and throughput for most enterprise networks.

Figure 2 illustrates the use of the two firewalls in a stateful failover configuration. Network connections were only drawn to the logical firewall to avoid messy connectors in the drawing, but in reality there would be a physical connection to each firewall for each subnet. Those connections could be physically separate cables or a single trunked cable over a single Gigabit connection in to your 802.1q VLAN capable switch. The two built in fast Ethernet ports in a PIX 525 are used for the public Internet connection and the stateful failover synchronizing, and the remaining internal subnets can share the Gigabit port. This configuration is much faster than a configuration with separate fast Ethernet ports that often get congested when trying to do network intensive tasks like tape backup between zones.

The internal side of the firewall can connect the following subnets:

  • Core layer 3 switch
  • DMZ
  • Extranet and WAN
  • Guest zone
  • Others

The core layer 3 connection typically goes to your core switch with routing capability between VLANs. The VLANs on that core switch may contain hundreds of user VLANs with tens of thousands of users, and server farm VLANs with hundreds of servers that do not get direct Internet exposure. You must understand, however, that there is no firewall between the server farm VLANs and the user VLANs in this example, because user to server traffic is routed by the core L3 switch and never passes through the firewall. There are companies that go to the extreme of putting all of their servers directly behind the firewall and separated from the users, but the management of that many internal servers behind a firewall with a lot of port requirements can be very difficult, so this is not often done.

DMZ is used for servers that need to be accessed from the public Internet. This is directly behind the firewall and is always filtered for traffic.

The Extranet and WAN zone is for the internal interfaces of routers that connect the remote WAN sites and partner sites. Using this configuration allows you to secure against WAN and Extranet sites without having to buy or configure firewall feature sets on the routers themselves. One can even go to the extreme of putting the external interfaces of the routers in a non-NAT zone on the firewall; this helps prevent hackers from compromising the router from the outside. This approach allows the high availability enterprise firewall to secure countless routers.

The guest zone is something new, but it is actually a security feature. Instead of guests connecting to your internal LAN when they need access to VPN or the Internet, have them connect to a guest network with access to the Internet but not your internal LAN. This new zone is extremely useful in the wireless environment. With new Wi-Fi infrastructure technology supporting VLANs and 802.1q trunking, a single wireless Wi-Fi infrastructure can support multiple VLANs: one internal VLAN running its own SSID and 802.1x/EAP security, and a guest VLAN that runs a simple WEP password for Internet only access.

VLAN SECURITY

by Rik Farrow

VLAN INSECURITY
VLANS WERE CREATED TO ISOLATE LANS, BUT NOT FOR THE PURPOSES OF SECURITY

Virtual LANs (VLANs) make it possible to isolate traffic that shares the same switch, and even groups of switches. The switch designers had something other than security in mind when they added this form of isolation. VLANs make it possible to share a switch among many LANs, by filtering and limiting broadcast traffic. But this form of isolation relies on software and configuration, not the physical isolation that security people like myself really like to see.

In the last couple of years, some firewalls have become VLAN aware, so that policies can be created that rely on the tags that identify a packet as belonging to a particular VLAN. While firewalls that are VLAN aware add a lot of flexibility useful to Web hosting sites, the tags that these firewalls rely on were not designed with security in mind. VLAN tags can be created by devices other than switches, and valid tags that will fool the firewall can easily be added to packets.

Let's take a look at VLANs, including how they work, why this has little to do with security, and failures of VLANs to maintain isolation. And, if you decide to use VLANs as part of your security architecture, what you should do to minimize the weaknesses involved.
PARTITIONS

The term "switch" today denotes a device that switches network traffic between interfaces, named ports. But not too long ago, switches were called bridges. Even today, if you read the IEEE standards used in switches, the term inevitably used is bridge. And if you are familiar with the way bridges work, you might want to skip ahead.

You use bridges to connect segments of the same LAN, that is, a local network that does not require routing. The bridge software learns which port network devices have been connected to by examining the source MAC (Medium Access Control) addresses in the packets that the bridge passes. At first, the bridge knows nothing, and must distribute all the packets it receives to every port. But over time, the bridge learns how to send packets out the correct interface by building spanning trees, an algorithm developed for choosing the right interface and avoiding loops. By sending packets out on a single port, the bridge reduces overall network traffic. Think of the bridge in highway terms, something that connects different roads, and only passes necessary traffic between these roads.

Although the use of bridges does reduce overall network traffic, making networks more efficient, bridges still need to send broadcast packets to all ports. Just as in any LAN, broadcasts mean just that, a message broadcast to all systems. ARP (Address Resolution Protocol) packets provide an important example of broadcast messages.

As bridge hardware grew more capable, with increasing number of ports and the addition of management software, a new feature appeared. You could partition a bridge, split a single bridge into multiple, virtual bridges. When split this way, broadcasts, instead of going to all ports, get limited to only those ports associated with the virtual bridge, and its virtual LAN.

Limiting broadcasts to a VLAN does not seem by itself to prevent a system on one VLAN from hopping to another VLAN-- that is, contacting a system on the same bridge, but a different VLAN. But remember that broadcasts get used to acquire the MAC address that is associated with a particular IP address, using ARP, and without the MAC address, one system cannot communicate with another on the same network. Routers, or switches that support layer three, support passing traffic between VLANs.

Over time, people have begun to consider switches as security devices rather than networking devices. Switches do make sniffing traffic destined for other systems more difficult (but not impossible, as exploits exist for doing so). And switches do produce a software-based isolation between VLANs. But that isolation is imperfect at best.

In a document found on the Cisco web site (See Resources), two scenarios are described where packets can hop VLANs, that is, pass between two VLANs on the same switch. In the first example, systems have established TCP/IP communications on the same VLAN, then the switch gets configured so that one system's port now belongs to a different VLAN. Communications continues between the two systems because each has the MAC address of the other in its ARP cache, and the bridge knows which destination MAC address gets directed to which port. In the second example, someone wishing to hop VLANs manually enters a static ARP entry for the desired system. Doing so requires that the person somehow learns the MAC address of the target system, perhaps through physical access to the target system.

Each of these two examples can be blocked by using switch software that removes the information necessary for passing packets between VLANs. In higher end Cisco switches, separate spanning trees, the tables that map MAC addresses to ports, exist for each VLAN. Other switches either have similar features, or can use configuration to filter the bridging information available to members of each VLAN.

Given the relative dearth of information about hopping VLANs within a single switch, this issue does not appear to be a serious problem.
TRUNKING

Multiple switches can share the same VLANs through configuration and tagging of the packets exchanged between switches. You can configure a switch so that a port acts as a trunk, an interface that can carry packets for any VLAN. When packets get sent between switches, each packet gets tagged, based on the IEEE standard for passing VLAN packets between bridges, 802.1Q. The receiving switch removes the tag and forwards the packet to the correct port or VLAN in the case of a broadcast packet.

802.1Q tags get added to Ethernet headers right after the source address and are four bytes long. The first two bytes contain 81 00, the 802.1Q Tag Protocol Type. The last two bytes contain a possible priority, a flag, and 12 bits for the VLAN Identifier (VID). VIDs can range from 0 to 4095, but both zero and 4095 are reserved values. The default value for the VID is one, and thus also the default value for unassigned ports in a switch configured with VLANs.

An administrator may configure a port to act as a trunk, although the default configuration for Cisco switches is that trunking is "desirable", and a port can negotiate trunking if it discovers that another switch is connected to that port. And, unless the administrator changes the configuration, a trunk port belongs to VLAN 1, which is called its native VLAN. Ports used for trunking can be assigned to any VLAN, and it turns out that putting trunk ports into a VLAN of their own is a good idea.

In 1999, David Taylor posted information to Bugtraq about tests he had run using Cisco switches, in attempts to force packets to hop VLANs. Taylor first attempted to use VLAN tagging to hop VLANs within a single switch, without success. The VLAN tags really have no purpose except for carrying VLAN information between switches, and get ignored if presented on non-trunk ports.

But when Taylor used two switches, he could force packets to hop VLANs under certain conditions. Just as in the early example from Cisco documentation, the MAC addresses of the target system had to be known in advance. The other key condition was that the initiating system, the "attacker", must belong to the same VLAN as the trunk used to connect the switches. In Taylor's first attempt, the attacker and the trunk were both in VLAN one, and the target in VLAN two.

Subsequent investigation by a Cisco employee (you can find this at http://online.securityfocus.com/archive/1/27062) pointed out that this behaviour was not only supported by the 802.1Q standard, but also worked on other, non-Cisco, switches as well.

You can easily prevent VLAN hopping by configuring trunk ports so that their native VLANs do not match the VID of any other VLANs that you have configured. Remember that by default, the native VLAN for a trunk will be VID one, the default for any VLAN. You can choose to set the native VLAN for trunks to be 1001, or any value that your switch supports and is not used for any other VLAN.
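The tag layout given in the TRUNKING section (81 00, then priority, flag and a 12-bit VID right after the source address) and the native-VLAN advice above both lend themselves to a small audit tool. The following Python is an added example, not part of Rik Farrow's article or of any switch vendor's software: it parses the 802.1Q tag out of raw Ethernet frames (constructed samples inline), checks a trunk's native VLAN against the recommendation, and flags tags that a VLAN-aware firewall should not take at face value. The function names and finding codes are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

TPID_8021Q = 0x8100        # the "81 00" Tag Protocol Type named in the article
RESERVED_VIDS = {0, 4095}  # both reserved by 802.1Q


@dataclass
class Dot1qTag:
    pcp: int        # 3-bit priority
    cfi: int        # 1-bit flag
    vid: int        # 12-bit VLAN identifier
    ethertype: int  # type of the payload that follows the tag


def parse_8021q(frame: bytes) -> Optional[Dot1qTag]:
    """Return the 802.1Q tag of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])   # field right after the source MAC
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return Dot1qTag(pcp=tci >> 13, cfi=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=ethertype)


def check_trunk_native(native_vid: int, configured_vids: Set[int]) -> List[str]:
    """Audit a trunk's native VLAN: it should be neither the default nor a used VID."""
    findings = []
    if native_vid == 1:
        findings.append("native VLAN left at the default of 1")
    if native_vid in configured_vids:
        findings.append(f"native VLAN {native_vid} is also a user VLAN")
    if native_vid in RESERVED_VIDS:
        findings.append(f"VID {native_vid} is reserved")
    return findings


def audit_frame(frame: bytes, native_vid: int, allowed_vids: Set[int]) -> List[str]:
    """Flag tags arriving on a trunk that a VLAN-aware firewall should not trust."""
    tag = parse_8021q(frame)
    if tag is None:
        return ["untagged"]   # the switch will place it in the native VLAN
    findings = []
    if tag.vid in RESERVED_VIDS:
        findings.append("reserved-vid")
    if tag.vid == native_vid:
        findings.append("native-vid-tagged")
    if tag.vid not in allowed_vids:
        findings.append("unprovisioned-vid")
    return findings


# Constructed sample frames: destination MAC, source MAC, then either an
# 802.1Q tag (81 00 + TCI) followed by the EtherType, or the EtherType alone.
_HDR = bytes.fromhex("ffffffffffff" "0a1b2c3d4e5f")
FRAME_VID1_ARP = _HDR + bytes.fromhex("8100" "0001" "0806") + bytes(28)   # PCP 0, VID 1
FRAME_VID20_IP = _HDR + bytes.fromhex("8100" "6014" "0800") + bytes(20)   # PCP 3, VID 20
FRAME_UNTAGGED = _HDR + bytes.fromhex("0800") + bytes(20)


if __name__ == "__main__":
    print("trunk with native VLAN 1:", check_trunk_native(1, {10, 20}))
    print("trunk with native VLAN 1001:", check_trunk_native(1001, {10, 20}))
    for name, frame in (("VID1", FRAME_VID1_ARP), ("VID20", FRAME_VID20_IP),
                        ("untagged", FRAME_UNTAGGED)):
        print(name, parse_8021q(frame), audit_frame(frame, 1001, {10, 20}))
```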
FIREWALLS AND VLANS

Now that I have discussed how switches share VLAN information, we can examine firewalls that support VLAN-related policy. Firewalls get packets from VLAN-supporting switches complete with 802.1Q tags in their headers. Although I have only mentioned Ethernet in examples, 802.1Q tagging also applies to other network media, such as ATM and FDDI. What the VLAN-aware firewall can do is extract the tags and use the information within the tags to make policy-based security decisions.

802.1Q tags do not provide authentication. Tags just provide a form of identification, added by switches, that a particular packet came from a particular VLAN. That a firewall would act on this information is no more ridiculous than acting on the source address of a packet, as IP source addresses are also an unauthenticated means of identification--and one that can be spoofed.

Spoofing IP source addresses has been done for many years, and spoofing VLAN tags can be done as well. The most recent Linux operating systems (kernels in the 2.4 vintage) include support for acting as VLAN switches, and can generate any VLAN tag that the local system administrator chooses. Other software exists for spoofing VLAN tags. Taylor used the Network Associates' Sniffer Pro v.2.0.01 to generate packets, and this can be done in software as well.

The key to safely using 802.1Q tags for policy decisions is to design a network where switch trunks get connected to the firewall interface where decisions will be made based on VLAN tags. If there are other routes to this firewall interface, the possibility that packets with spoofed VLAN tags reach it increases. The switches themselves must be properly configured, with trunk ports specifically configured for trunking, and added to a non-default VID.

Implicit in any discussion of switches is protecting administrative access to the switches themselves. Switches and other network equipment typically expose three different means for administrative access: telnet, HTTP, and SNMP. You should always disable methods of administrative access that you don't use, as well as adding access control to the methods that you do use. While the firewall can control access to switches when the source of an attempt is external, the firewall can do nothing about an internal attacker--or one that has gained access to an internal system.

Switches were not designed as security devices. Their use as such simply evolved over time, and is ancillary to their main use as devices that improve network performance. If you use a switch for security reasons, you are relying on the correct configuration of the switch, including understanding not only the standards that the switch software is based upon, but also the correct implementation of those standards. The 802.1Q spec itself is 211 pages long, and is only one of a handful of standards that a compliant switch manufacturer must support.

Any time that you need to segregate networks for serious security purposes, I recommend that you not use a switch.