258 Cards in this Set
Front: Write basic router config
Back:
hostname mycisco
ip domain name doriviere.com
ip domain-lookup
ip name-server 10.10.10.3
ip default-gateway 10.10.10.1
enable password cisco
line vty 0 5
login
password ciscco
banner motd Ceci est un equipement secure

Front: Config SSH for VTY lines?
Back:
crypto key generate rsa modulus 2048
line vty 0 5
transport input ssh

Front: Command to create VLANs?
Back:
vlan 10,20,30
or
vlan 10
name myfirst vlan
or
vlan database
vlan 10 name myfirst vlan

Front: Assign ports to VLANs? What modes are available? What command makes an interface layer 3 only? Trunk ports?
Back:
int f0/1 or int range fa0/1 - 12
switchport mode access
switchport access vlan 1
int f0/1 or int range fa0/1 - 12
switchport trunk encap dot1q
switchport mode trunk or switchport mode dynamic desirable
switchport trunk allowed vlan 10,20,30,40

Front: VTP domain. What does VTP mean? Describe VTP operation. Describe the VTP machine types or roles (3 types or roles). Describe the role of each.
Back:
vtp domain mydomain
vtp mode server
vtp password cisco

Front: What are the protocols used for trunking? (2 protocols) What modes are available on each?
Back: 802.1Q and ISL are DTP protocols. Modes are trunk, dynamic desirable, dynamic auto. DTP frames are sent every 30 sec so that neighbors are aware of the link mode. Only dynamic desirable aggressively requests trunking. Mode trunk expects you to be trunk unconditionally, no negotiation.

Front: How to configure per-VLAN spanning tree? How to configure port costs? What are the 2 encapsulations for STP?
Back:
spanning-tree vlan 100 priority 4096
Port cost:
int fa0/1
spanning-tree cost 10
VLAN port cost:
int fa0/24
switchport trunk encap dot1q
switchport mode trunk
spanning-tree vlan 10 cost 10

Front: Load balancing VLANs
Back: to come

Front: Spanning-tree features on interfaces? Globally?
Back:
On the interface:
int fa/0
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
spanning-tree guard loop
udld enable
Globally:
spanning-tree portfast default
spanning-tree loopguard default
spanning-tree backbonefast
spanning-tree uplinkfast
udld enable (enabled by default on fibre)

Front: Configure a layer 2 EtherChannel
Back:
int fa0/1
no ip address
switchport
channel-group 105 mode desirable
int fa0/2
switchport
channel-group 105 mode desirable
int port-channel 105
switchport mode trunk
Front: Configure a layer 3 EtherChannel
Back:
int fa0/1
no switchport
channel-group 110 mode desirable
int fa0/2
no switchport
channel-group 110 mode desirable
int port-channel 110
ip address 10.10.10.2 255.255.255.0

Front: Configure EtherChannel load balancing
Back:
port-channel load-balance src-mac
port-channel load-balance dst-mac
port-channel load-balance src-dst-mac

Front: What is the use of preempt and track? Give an example of config.
Back: to come

Front: Port security: what happens when a security violation is detected? What to do, what command?
Back: Depends on the command switchport port-security violation (restrict or protect or shutdown). Protect and restrict allow only the maximum secure addresses and drop packets from the remaining MACs (restrict sends SNMP). Shutdown puts the port in err-disable mode; you then have to do shut / no shut.

Front: Configure DHCP on a router
Back:
ip dhcp pool pool42
network 10.124.42.0 255.255.255.0
dns-server 24.200.241.37 24.201.245.77
default-router 10.124.42.1
lease 7
!

Front: Configure DHCP on a PIX for inside
Back:
dhcpd dns 192.168.0.1
!
dhcpd address 176.0.10.10-176.0.10.30 inside
dhcpd enable inside

Front: Configure route processor redundancy. Configure SRM redundancy. Explain the terms.
Back:
Route processor (RPR or RPR+):
redundancy
mode rpr-plus
SRM redundancy (hybrid sup):
redundancy
high-availability

Front: RPR and RPR+ redundancy (explain)
Back: Mode rpr-plus is active; otherwise, by default, it is HSA (high system availability feature) that puts the 2nd supervisor in standby. With RPR+, the switchover is faster. You can use show redundancy. Note: redundancy switchover force gives control to the standby supervisor.

Front: Configure HSRP load balancing with preempt
Back:
Router A:
int vlan 1
ip address 10.1.1.1
standby 1 ip 10.1.1.5
standby 1 priority 110
standby 1 preempt
standby 1 track s0 (interface tracking: the router will lower its priority)
int vlan 2
standby 2 ip 20.2.2.1
standby 2 priority 200
Router B:
int vlan 1
standby 1 ip 10.1.1.5
standby 1 priority 200
int vlan 2
ip address 20.2.2.1
standby 2 ip 20.2.2.5
standby 2 priority 100
standby 2 preempt

Front: Configure inter-VLAN routing on a layer 3 switch
Back:
With switch virtual interface (SVI):
ip routing
router eigrp 10
network 10.0.0.0
int vlan 10
ip address 10.10.1.0 255.255.255.0
int vlan 20
ip address 10.20.1.0 255.255.255.0

Front: Configure inter-VLAN routing with router on a stick
Back:
router eigrp 10
network 10.0.0.0
int fa0/0
no ip address
int fa0/0.120
encapsulation dot1q 120
ip address 10.0.0.1 255.255.255.0
no shut
Front: Configure mls qos with ingress frames tagged with a CoS value of 4. Set all ingress traffic to port 30000 to DSCP 16. We want voice to take the priority queue; 4, 6, 7 take queue 3; queue 4 is set to strict priority; however, we want queue 3 to receive twice as much bandwidth as the others.
Back:
mls qos
int range fa0/1 - 10
switchport access vlan 500
mls qos trust dscp
mls qos trust device cisco-phone
spanning-tree portfast
int fa0/11
mls qos cos 4
access-list 100 permit tcp any any eq 30000
class-map mymap
match access-group 100
exit
policy-map mypolicy
class mymap
set ip dscp 16
exit
int f0/11
service-policy input mypolicy
int range f0/1 - 24
wrr-queue cos-map 4 5
wrr-queue cos-map 3 4 6 7
priority-queue out
wrr-queue bandwidth 20 20 40 20

Front: Switch configuration for voice
Back:
int range f0/1 - 10
switchport access vlan 2
switchport voice vlan 5
spanning-tree portfast
power inline auto
exit
mls qos
int range f0/1 - 24
mls qos trust cos
mls qos trust device cisco-phone
wrr-queue cos-map 4 5
wrr-queue cos-map 3 4 6 7
priority-queue out

Front: Command that can be used on the trunks between switches to trust voice and phones
Back: You can use auto qos voip cisco-phone. On the trunk between the switches, also do auto qos voip trust.

Front: Configure SPAN and RSPAN
Back:
SPAN:
monitor session 1 source interface f0/1 both
monitor session 1 destination interface f0/5
RSPAN:
vlan 300
remote-span
monitor session 1 source vlan 5 rx
monitor session 1 destination remote vlan 300
monitor session 1 destination interface f0/5

Front: Configure SNMP
Back: to come

Front: Explain SNMP concepts
Back: to come

Front: Configure userid and password on ASA. Configure connection to TACACS inside and outside. Configure TACACS+ and local for http, ssh, enable.
Back:
username steve password steve privilege 15
username notacacsavail password notacacsavail privilege 15
enable password notacacsavail
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.0.30 mytacacskey timeout 10
aaa-server TACACS+ (outside) host 192.168.0.30 mytacacskey timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

Front: Command to allow telnet and ssh outside and inside
Back:
You may need on PIX:
telnet 192.168.0.106 255.255.255.255 outside
telnet timeout 5
ssh 192.168.0.106 255.255.255.255 outside

Front: Configure VACL, give the steps
Back:
IP VACL:
1. access list
2. give your VACL a name
3. associate it with your ACL from step 1
4. determine the action (forward, drop, redirect)
5. exit
6. apply your map to the VLANs
MAC VACL (non-IP traffic)

Front: Configure VACL - give an example
Back:
access-list 100 permit tcp 10.10.10.0 0.0.0.255 11.11.11.0 0.0.0.255 eq 21
vlan access-map mymap 100
match ip address 100
action drop
exit
vlan filter mymap vlan-list 10-20

Front: Configure MQC (modular QoS CLI)
Back:
1. Define access-lists
2. Define your class (class-map). Don't forget match-all or match-any
3. Define your policy (policy-map) that uses your class, bandwidth, queue-limit or other
4. Apply your policy to an ingress interface

Front: MQC example
Back:
access-list 2 permit 10.1.1.0 0.0.0.255
class-map match-all map2
match access-group 2
exit
policy-map policy2
class map2
set cos 1
int f0/1
service-policy input policy2
Front: Required parameters for IP VPN
Back:
VPN - Part 1: IKE (tunnel negotiation and key exchange), crypto isakmp: 1) encryption, 2) hashing, 3) authentication type, 4) Diffie-Hellman, 5) key and peer address, 6) lifetime
VPN - Part 2: IPsec (SA establishment), crypto ipsec: 1) transform set (ESP or AH), 2) crypto map ipsec-isakmp with the peer (set peer), the transform set and the access list (match address)

Front: Give an example of NAT configuration with IOS
Back:
interface FastEthernet0/0
ip address 192.168.0.42 255.255.255.0
ip nat outside
interface FastEthernet0/1.1
ip address 10.124.42.1 255.255.255.0
ip nat inside
access-list 100 deny ip 10.124.0.0 0.0.255.255 10.125.0.0 0.0.255.255
access-list 100 permit ip 10.124.0.0 0.0.255.255 any
ip nat pool bureauchef 192.168.0.47 192.168.0.47 netmask 255.255.255.0
ip nat inside source list 100 pool bureauchef overload

Front: Give an example of IPsec configuration
Back:
access-list protect permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
nat (inside) 0 access-list protect
access-list ipsec permit udp host 201.201.201.1 host 202.202.202.1 eq isakmp
access-list ipsec permit ah host 201.201.201.1 host 202.202.202.1
access-list ipsec permit esp host 201.201.201.1 host 202.202.202.1
access-group ipsec in interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key mykeyuncrakable address 202.202.202.1
crypto ipsec transform-set mytransform esp-md5-hmac esp-des
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 202.202.202.1
crypto map mymap 10 match address protect
crypto map mymap 10 set transform-set mytransform
crypto map mymap interface outside

Front: Give an example of IPsec config with a CA
Back:
Exactly the same. Add:
ca generate rsa key 512
ca identity caserver 172.16.1.1
ca configure caserver ra 1 5 crloptional
ca authenticate caserver
ca enroll caserver mychallenge
ca save all
Static NAT for the CA server:
static (inside,outside) 200.200.200.1 172.16.1.1 netmask 255.255.255.255
Replace with:
isakmp policy 10 authentication rsa-sig

Front: IPsec troubleshooting hints
Back:
Check that all phase 1 and phase 2 parameters are OK.
Check the ACL.
Check the crypto ACL.
Check isakmp enable outside.
Check sysopt permit ip-vpn.

Front: Example NAT config with overload on ASA
Back:
global (outside) 1 192.168.0.25-192.168.0.30 netmask 255.255.255.0
global (outside) 1 192.168.0.31 netmask 255.255.255.0
nat (inside) 1 176.0.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

Front: Macro example
Back:
macro name change_vlan
interface Vlan1
no description
no ip address
shutdown
interface vlan250
description production
ip address 10.101.3.1 255.255.255.0
no shutdown
@
To apply the macro, you have to enter: macro global apply change_vlan

Front: DTP protocol and mode?
Back: PAgP (on, auto, active) and LACP (on, passive, active)

Front: VTP modes and difference. VTP version difference.
Back: VTP modes are server, client, transparent. Version 2 has consistency checks and Token Ring support. You just have to enable it on the server with the command [vtp version 2] and it will be propagated across the whole domain.

Front: Negotiation protocols for EtherChannel: difference and modes
Back: PAgP (Port Aggregation Protocol, Cisco proprietary); LACP (Link Aggregation Control Protocol, standard defined in 802.3ad). PAgP has negotiation modes on, auto and desirable. LACP has on, passive and active. Only desirable or active mode actively asks to form a channel.

Front: Access list contents are usually merged in CAM, TCAM, FIB or ARP?
Back: Access lists are merged/compiled in TCAM (ternary content addressable memory).

Front: Route caching is known as ___ whereas topology-based switching is known as _____
Back: The route caching concept is route once and switch many. Topology-based switching uses CEF (Cisco Express Forwarding feature of multilayer switches).

Front: How is link speed determined and how is duplexing determined? What are the impacts?
Back: Link speed is determined by electrical signaling of the link. Duplexing is a negotiation via exchange of information. Therefore, speed will almost always be set between switches, but if autonegotiation fails, the switch will drop into half duplex.

Front: How many EtherChannel links can be aggregated?
Back: 2 to 8 can be bundled.

Front: Write the code for an EtherChannel on Gi3/1 to Gi3/4. The switch should actively negotiate. The switch should not wait to listen. Load-balance hashing is on source and destination port numbers.
Back:
port-channel load-balance src-dst-port
int range gi3/1 - 4
channel-protocol pagp
channel-group 1 mode desirable non-silent
Front: What is MPF on the ASA? Give examples of what you can do with MPF.
Back: Modular Policy Framework. With MPF, you can do detailed inspection of connections through an ASA. You can perform connection restrictions (e.g. limit the number of connections, close half-open connections). You can prioritize traffic (voice). You can do traffic policing (limit traffic inbound or outbound).

Front: What are the components of MPF?
Back:
class-map to identify traffic (usually tied to an access-list)
policy-map to associate one or more policies to a class-map
service-policy to tie the policy to one or many interfaces on the ASA

Front: Write MPF code that limits half-open connections to 1000 and that allows only 150 connections per client connecting to the outside interface
Back:
access-list connection permit tcp any any
class-map connectall
match access-list connection
policy-map mypolicy
class connectall
set connection per-client-max 150
set connection embryonic-conn-max 1000
service-policy mypolicy interface outside

Front: Give 5 important policies that you can implement using a policy-map (in MPF)
Back:
connection limits
route traffic to the CSC card
route traffic to the IPS card
traffic policing: rate limiting
traffic prioritization

Front: Write MPF code that limits traffic per customer to 56 kbps with a burst of 10 kbps in either direction. Each customer is on a specific VLAN; each VLAN is tied to an interface.
Back: to come

Front: A company has an IPsec VPN with a branch. The tunnel group is called branch_office_tunnel. Write the code to prioritize voice.
Back:
class-map branch_office
match tunnel-group branch_office_tunnel
match dscp cs5
policy-map mypolicy
class branch_office
priority
exit
priority-queue outside

Front: You have IPsec tunnels in a hub and spoke setup (1 hub, 2 spokes A and B). What command should you not forget to allow A and B to communicate?
Back: same-security-traffic permit intra-interface. This allows the VPN traffic to go out and in on the same interface.

Front: How many connections are required for an IPsec VPN? When and how are those connections set up?
Back: 3 connections are required: 1 management, 2 data. The management connection is set up in phase I (this allows the peers to exchange and negotiate IPsec parameters). The 2 data connections are set up in phase II (and are used to protect the actual data flow). You see the connections with the show crypto isakmp sa and show crypto ipsec sa commands.

Front: Explain the 2 modes that can be used to set up the management connection in ISAKMP/IKE phase I
Back: Aggressive and main mode. Aggressive is faster, less secure. Aggressive is used when we select pre-shared key. Main mode is more secure and is used when we select CA (certificates).

Front: What protocol/port is used between the peers when setting up the management connection in phase I?
Back: UDP port 500

Front: What could be the cause if the management and data connections are established but data cannot be transmitted?
Back: Check if there is a firewall in between. The crypto isakmp nat-traversal command could be required (NAT-T is enabled by default; just check that it is not disabled).

Front: What is the destination port used by NAT-T and what problem can this cause?
Back: NAT-T uses a destination port of 4500. An intermediate firewall in between can filter it. Port 4500 of NAT-T cannot be changed. You can use the command crypto isakmp ipsec-over-tcp. With this command, you use port 10000 and TCP for NAT-T, and you can change port 10000 if need be.

Front: When doing an IPsec VPN, what are the 2 options to allow traffic from a lower to a higher security level interface?
Back: Use an ACL, or use sysopt connection permit-vpn (this command is very important when setting up VPNs).

Front: Give an example of configuration of IPsec phase one between peers 10.0.0.1 and 11.0.0.1. Use the pre-shared key mysecret.
Back:
crypto isakmp enable outside
sysopt connection permit-vpn
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
tunnel-group 11.0.0.1 type ipsec-l2l
tunnel-group 11.0.0.1 ipsec-attributes
 pre-shared-key mysecret

Front: You're using RIP in your ASA. How would you inject a default route into the routing process?
Back: default-information originate
Front: Why would I need QoS on my network?
Back: Helps with jitter, delay, packet loss. Helps classify traffic and give priority to mission-critical applications like voice or video.

Front: What is jitter?
Back: Variation in delay

Front: What is delay?
Back: Length of time between emission of a packet and its reception

Front: Which command trusts a Cisco phone on an interface?
Back: mls qos trust device cisco-phone

Front: What is the basic command to activate QoS on a switch that supports QoS?
Back: mls qos

Front: Which basic Cisco command is applied on an interface that needs QoS?
Back: mls qos trust cos, or mls qos trust dscp, or mls qos trust ip-precedence

Front: At which OSI layer will you find CoS (class of service)?
Back: The CoS field is used to mark the class of service at layer 2.

Front: At which OSI layer will you find DSCP?
Back: The DSCP value (differentiated services code point) is mainly used to mark the class of service at layer 3.

Front: What priority is usually given to voice on a VoIP network that enables QoS?
Back: CoS = 5

Front: Which command trusts a Cisco phone plugged into a switch interface?
Back: mls qos trust device cisco-phone

Front: You have a VoIP network and users are complaining that conversations are choppy. What is the main reason for this?
Back:
a) Could be QoS not enabled on the network.
b) Cause could be bad marking and classification of voice packets, which are needed to give them high priority over data packets.
c) Could be lack of bandwidth, delay or jitter on the network.

Front: What is VoIP?
Back: VoIP stands for Voice over Internet Protocol. It means the transmission of voice and call control data over the Internet. In other words, this technology allows you to make phone calls over the Internet.

Front: How does VoIP work?
Back: The analog voice signal is sampled and digitized. Voice sampling is usually done 8,000 times per second. To reduce bandwidth, a voice CODEC is used. A voice CODEC is a compression/decompression algorithm that compresses voice data into packets that are sent and routed through an IP network. To help with delay or jitter, QoS can be used. At the other end, voice packets are decompressed and converted back to an analog voice signal.

Front: What is a signaling protocol in VoIP?
Back: A protocol used in VoIP to set up, manage and tear down the VoIP phone call.

Front: What are 2 signaling protocols used by Cisco phones?
Back: SIP, H.323

Front: How do you provide power to a VoIP phone?
Back: Use a switch that supports PoE (Power over Ethernet). Some switches need PoE to be enabled on the interfaces with the command power inline auto.

Front: What is a codec in IP telephony?
Back: In the VoIP world, codecs are used to encode voice for transmission across IP networks. Compression is used to minimize the bandwidth.

Front: Name 1 or 2 codecs used in VoIP
Back: G.711, G.723, G.729, G.726, G.722

Front: What is the minimum bandwidth used by a voice conversation using the following codecs?
Back:
G.711 uses about 87 kbps
G.729 uses about 31 kbps
G.723 uses about 21 kbps

Front: You're setting up an IPsec VPN (site to site). Describe the 2 common phases.
Back: IPsec VPNs (site to site) are set up in 2 phases (phase 1 is the ISAKMP/IKE negotiation, and phase 2 is the IPsec data connection establishment). In phase 1, the tunnel is set up and parameters are negotiated, especially the encryption keys. Phase 2 deals with the establishment of the tunnel and the encryption of the data payload.

Front: What protocol is used in phase I for the secure exchange of the required encryption key?
Back: Diffie-Hellman: DH allows a secure exchange of the private and public keys before the two devices can start negotiating phase I and set up the IPsec tunnel.

Front: enable password 7 XXXX / enable secret 5 XXXXX. What does the "7" after password stand for? What does the "5" after secret stand for? Which one will you likely be able to crack?
Back: Type 7 is a proprietary Cisco encryption algorithm known to be very weak and easy to decrypt. Plenty of tools exist on the web. Type 5 is MD5 hashing (Message-Digest algorithm 5). Very strong and almost unbreakable.
Front: What is a packet filtering firewall and what is a stateful firewall?
Back: Packet filtering inspects each packet against a set of rules (or access-list). It accepts the traffic if there is a match and drops it if there is no match. Packet filtering does not track the full session. A stateful firewall keeps track of each session or connection (TCP or UDP) from the beginning to the end and can adjust itself to meet specific connection requirements (e.g. FTP).

Front: Define NAT. Define PAT. What is nat 0 used for?
Back: Network Address Translation. Port Address Translation. nat 0 tells the security device not to NAT (i.e. not to translate internal addresses to external addresses).

Front: What is the difference between an IPS and an IDS?
Back: IPS = Intrusion Prevention System. Detects malicious patterns. Detects attacks and automatically reacts in real time by blocking ports or dropping traffic. IDS = Intrusion Detection System. Detects malicious patterns. Detects attacks. Just notifies a syslog server or triggers an alarm.

Front: Give examples of encryption methods
Back:
DES = Data Encryption Standard
3DES = Triple DES
AES = Advanced Encryption Standard

Front: Give examples of hashing mechanisms
Back:
MD5 = Message Digest 5
SHA = Secure Hashing Algorithm

Front: What is the difference between encryption and hashing?
Back: They have different purposes. Encryption is 2-way: one end (the sender) encrypts (plaintext to ciphertext) for the purpose of ensuring confidentiality; the other end (the receiver) decrypts. Hashing is 1-way: you hash to obtain a unique string (the hash value) from the original string. Hashing ensures integrity: if there is a change in the original string, hashing will produce a different hash value.

Front: What is the role of a CA?
Back: The CA in the public key infrastructure is used to issue digital certificates to certify parties.

Front: Define these concepts in security (DOS, WEP, SA, CIA, AAA, ACL)
Back:
DOS = Denial of Service attack
WEP = Wireless Equivalent Privacy
SA = Security Association
CIA = Confidentiality, Integrity, Accountability
AAA = Authentication, Authorization, Accounting
ACL = Access Control List
ESP = Encapsulating Security Payload
AH = Authentication Header

Front: Main parameters in the ISAKMP/IKE phase 1 negotiation?
Back: Encryption, hashing, authentication, Diffie-Hellman group, lifetime

Front: What is the CSC-SSM for the Cisco ASA firewall?
Back: Content Security and Control - Security Services Module (it is a feature card that you can add to the 5510 to 5580 series so that they can perform advanced security like URL filtering, spam and antivirus control).

Front: What is the AIP-SSM for the Cisco ASA firewall?
Back: Advanced Inspection and Prevention - Security Services Module (it is a feature card that you can add to the 5510 to 5580 series so that they can perform IDS or IPS functions).

Front: Describe active/standby failover, active/active failover, hardware failover, stateful failover
Back:
Active/standby: the 2nd security appliance takes over and changes state to active if the primary fails.
Active/active: both security appliances are handling traffic and security at the same time and are load-balancing.
Hardware failover: all connections are dropped in case of failure of the primary. When the secondary takes over, clients have to make connections again.
Stateful failover: per-connection state and all ASA status (NAT, TCP connections, UDP connections, ARP tables, IPsec tunnel information) are passed between the primary and secondary ASA at all times. Therefore, if the primary fails, the secondary can continue supporting all the individual connections.
Front: What do you have to do if you want active/active failover to work?
Back: Security contexts should be configured on the ASA.
Front: What are security contexts in the ASA?
Back: Security contexts can be defined as virtual firewalls. It is a way to have 2 independent instances of the ASA running on the same appliance. Each instance can have its own policies, setup and even manager.

Front: How many connections are created for each VPN tunnel?
Back: 3 connections are used for each VPN tunnel: 1 management connection and 2 data connections.

Front: For an IPsec tunnel, there is 1 management connection and 2 data connections. Why?
Back: The 1st connection is the management connection (to exchange the ISAKMP or IKE policies and parameters negotiated in phase I) - see question 1. The 2nd and 3rd connections are the actual data connections (negotiated in phase 2). Those are the data connections that are protected using ESP or AH (see question 1 and question 15). You need 2 because each connection is unidirectional.

Front: What is a hub and spoke IP VPN network?
Back: One central office and 2 or more remote offices or branch offices connected via VPN tunnels.

Front: In a hub and spoke design, all traffic goes into and out of the same outside interface. What is a key command to allow this kind of VPN traffic?
Back: same-security-traffic permit intra-interface

Front: What is the difference between the commands same-security-traffic permit inter-interface and same-security-traffic permit intra-interface?
Back: same-security-traffic permit intra-interface permits traffic in and out of the same interface. same-security-traffic permit inter-interface permits traffic between interfaces having the same security level (e.g. 2 DMZs).

Front: What is the MPF (Modular Policy Framework) used in the ASA for?
Back: MPF (Modular Policy Framework) allows you to apply security policies to classes of traffic.

Front: Give examples of where you would need MPF
Back:
- A policy would be used, for example, to redirect traffic into a CSC card or AIP card (see Q19 and Q20)
- A policy would be used to assign priority to voice traffic through the ASA
- A policy could be used to identify some traffic (layer 4 to 7) and take action on it
- A policy can be used to rate-limit traffic by customer or level of traffic
- A policy can be used to limit the number of connections by client or by group

Front: What is the usage of Basic Threat Detection on the ASA? What command do you use?
Back: Basic Threat Detection is a nice feature on the ASA (new in version 8) that quickly and simply allows you to detect and prevent the most common network attacks. Basic threat detection cannot replace an IPS card or device, but it is a quick and easy way to mitigate attacks on the ASA. The command is: threat-detection basic-threat

Front: Give some known potential threats that Basic Threat Detection can monitor and block
Back:
Denial of service
Aggressive scanning attacks
Half-open TCP connections
Unusual ICMP packets

Front: What is a SHUN?
Back: A shun is a command used to immediately block traffic to and from a specific IP address. For example, if you notice strange behavior from a possible attacker, you can issue the command shun xxx.xxx.xxx.xxx (where xxx is replaced by the source IP address to block).

Front: What is NAT-T?
Back: If you have a device doing NAT in the middle of 2 end devices trying to negotiate a tunnel, the tunnel will fail. (This usually happens when a user behind a firewall doing NAT is trying to connect to his office via VPN.) NAT-T (NAT Traversal) is a technique to establish and maintain an end-to-end tunnel even though there is a NAT device or a firewall doing NAT in between. NAT-T is enabled by default.

Front: What is the difference between GRE over IPsec and IPsec VPN?
Back: GRE (Generic Routing Protocol) is a tunneling technique mainly used to allow non-IP traffic over an IP network. Unfortunately, GRE is not secure (encryption can be used but is weak). The best thing is to use an IPsec VPN to set up a secure tunnel first, then use GRE to carry the non-IP traffic inside this IPsec tunnel.

Front: IP address space - public?
Back:
Class A: up to 127.255.255.255, /8, begins with 0 (binary), 2^24-2 hosts and 2^8-2 networks
Class B: 128.0.0.0 - 191.255.255.255, /16, begins with 10, 2^16-2 hosts (note: since the class begins with 10,
Class C: 192.0.0.0 to 223.255.255.255, /24, begins with 110
Class D: 224.0.0.0 - 239.255.255.255
Class E: 240.0.0.0 - 255.255.255.254

Front: IP address space - private
Back:
Class A: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
Class B: 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
Class C: 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

Front: Automatic Private IP Addressing (APIPA)
Back: If DHCP does not work, the PC will be assigned an address in 169.254.0.0 - 169.254.255.255.

Front: Well-known multicast addresses (2, 5, 6, 9, 10, 18, 102)?
Back:
224.0.0.2 BGP hello multicast (via UDP port 646)
224.0.0.5 OSPF AllSPFRouters
224.0.0.6 OSPF AllDRouters
224.0.0.9 RIP version 2 group address
224.0.0.10 EIGRP group address
224.0.0.18 VRRP
224.0.0.102 HSRP version 2

Front: Describe PFS, when it is used and the command to enable it
Back: Perfect Forward Secrecy. When you have multiple tunnels, you may need to be sure that the crypto keys you enter are not related to each other. The command is pfs enable. Make sure that both peers use PFS or no PFS.

Front: Role of routing in IPsec VPN and how to set up routing?
Back: Routing is critical for IPsec VPNs. You should have a route to send traffic across the VPN tunnel, or you should use RRI (reverse route injection) to redistribute the routes in the crypto ACL into your routing process (EIGRP or OSPF). Use set reverse-route in the crypto map.

Front: Write the code to enable logging for troubleshooting on an ASA
Back:
ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered debugging

Front: Write the step-by-step code for an ASA packet capture
Back:
1) Create an access-list, e.g. access-list test
2) Create the capture: capture mycapture access-list test interface outside
3) show capture mycapture

Front: WAN connection technologies?
Back:
X.25 (64 kbps)
Frame Relay (56 kbps to 1.5 Mbps)
SMDS (Switched Multimegabit Data Service) 1.5 to 45 Mbps
Telephone - dial-up
Telephone - leased lines T1 (1.5) / T2 (6.3) / T3 (45) / T4 (275)
ISDN
ATM
SONET
Imagine a frame-based MPLS network configured for simple unicast IP forwarding, with
four routers, R1, R2, R3, and R4. The routers connect in a mesh of links so that they are all directly connected to the other routers. R1 uses LDP to advertise prefix 1.1.1.0/24, label 30, to the other three routers. What must be true in order for R2 to advertise a label for 1.1.1.0/24 to R1 using LDP? |
to come
|
|
In a frame-based MPLS network configured for unicast IP forwarding, LSR R1 receives a
labeled packet, with a label value of 55. Which should be true for R1 forwarding decision? |
to come
|
|
What is an extension to the BGP NLRI field?
|
to come
|
|
Which controls into which VRFs a PE adds routes when receiving an IBGP
update from another PE? |
to come
|
|
An ingress PE router in an internetwork configured for MPLS VPN receives an unlabeled
packet. What will it do? |
to come
|
|
Which define which packets are in the same MPLS FEC when using MPLS VPNs?
|
to come
|
|
Explain the MPLS unicast IP forwarding process
|
to come
|
|
Label Switch Router
(LSR) |
Any router that pushes labels onto packets, pops labels from packets, or
simply forwards labeled packets. |
|
Edge LSR (E-LSR)
|
An LSR at the edge of the MPLS network, meaning that this router
processes both labeled and unlabeled packets. |
|
How FIB is used in MPLS ?
|
Used for incoming unlabeled packets. Cisco IOS matches the packet’s destination IP
address to the best prefix in the FIB and forwards the packet based on that entry. |
|
How is LFIB used?
|
Used for incoming labeled packets. Cisco IOS compares the label in the incoming
packet to the LFIB’s list of labels and forwards the packet based on that LFIB entry. |
|
What is the size of the MPLS header?
What is the size of the label? |
The MPLS header (one label stack entry) is 4 bytes, inserted between the layer 2 header and the IP header. The label is a 20-bit field in that header; the remaining 12 bits are
3 bits EXP/TC (traffic class), 1 bit bottom-of-stack (S) and 8 bits TTL |
|
What is MPLS TTL propagation?
|
Behaviour of the TTL when a packet enters and leaves the MPLS network. With propagation (the IOS default, mpls ip propagate-ttl) the IP TTL is copied into the label TTL at the ingress LSR, every LSR decrements the label TTL, and at egress the label TTL is copied back into the IP header, so each core LSR shows up in a customer traceroute. With no mpls ip propagate-ttl the label TTL starts at 255 and the core does not touch the IP TTL, which hides the provider's LSRs from the customer.
|
|
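Added example (mine, not part of the original card set) for the two cards above: a small Python decoder and encoder for the 4-byte MPLS label stack entry, a walker that follows the stack until the S bit, and a helper that models what the ingress LSR writes into the label TTL with and without propagate-ttl. The two-label sample stack (transport label 30 over VPN label 55) and the "one decrement at ingress" TTL model are constructed for the example.

```python
import struct

# One MPLS label stack entry is 4 bytes: 20-bit label | 3-bit TC/EXP | 1-bit S | 8-bit TTL (RFC 3032)
LABEL_ENTRY_LEN = 4


def parse_label_entry(data: bytes) -> dict:
    """Decode a single 4-byte label stack entry."""
    if len(data) < LABEL_ENTRY_LEN:
        raise ValueError("a label stack entry needs 4 bytes")
    (word,) = struct.unpack("!I", data[:LABEL_ENTRY_LEN])
    return {
        "label": word >> 12,         # top 20 bits
        "exp": (word >> 9) & 0x7,    # traffic class / experimental bits
        "bos": (word >> 8) & 0x1,    # 1 = bottom of stack, the IP header follows
        "ttl": word & 0xFF,
    }


def build_label_entry(label: int, exp: int = 0, bos: int = 1, ttl: int = 255) -> bytes:
    """Encode a label stack entry; rejects values that do not fit their fields."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= exp <= 7 and bos in (0, 1) and 0 <= ttl <= 255):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_label_stack(payload: bytes) -> tuple:
    """Walk the stack until the S bit is set. Returns (entries, byte offset of the IP header)."""
    entries, offset = [], 0
    while True:
        entry = parse_label_entry(payload[offset:])
        entries.append(entry)
        offset += LABEL_ENTRY_LEN
        if entry["bos"]:
            return entries, offset


def ingress_label_ttl(ip_ttl: int, propagate_ttl: bool) -> int:
    """TTL the ingress E-LSR writes into the pushed label (simplified model: one decrement at ingress).

    With 'mpls ip propagate-ttl' (IOS default) the IP TTL is carried into the label, so every
    LSR in the core shows up in a traceroute. Without it the label starts at 255 and the core
    hops stay hidden from the customer.
    """
    if ip_ttl <= 1:
        raise ValueError("packet would expire at the ingress LSR")
    return ip_ttl - 1 if propagate_ttl else 255


# Constructed sample: transport label 30 (S=0) on top of VPN label 55 (S=1), then the start of an IPv4 header.
SAMPLE_STACK = (
    build_label_entry(30, exp=5, bos=0, ttl=63)
    + build_label_entry(55, exp=5, bos=1, ttl=63)
    + bytes.fromhex("4500")
)

if __name__ == "__main__":
    entries, ip_offset = parse_label_stack(SAMPLE_STACK)
    for e in entries:
        print(e)
    print("IP header starts at byte", ip_offset)
```

Because the label is only 20 bits, values above 1048575 cannot be encoded; the builder refuses them instead of silently corrupting the EXP and S bits next to the label.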
configure MPLS on LSR router for unicast IP
|
ip cef
mpls ip
mpls label protocol ldp
!
interface GigabitEthernet0/0/1
 mpls ip
!
router eigrp 1
 network xxxxx |
|
What command to use to see the LIB entries
|
show mpls ldp bindings
|
|
what command show the FIB entry?
|
show ip cef xxxxxx
|
|
what command shows the LFIB entry: local tag, outgoing tag or label, and outgoing interface
|
show mpls forwarding-table xxxxxx
|
|
how does LDP (label distribution protocol) discover its neighbors?
|
LDP Hello messages sent to the all-routers multicast address 224.0.0.2 on UDP port 646. After discovering a neighbor, the two LSRs set up a TCP session (port 646) over which the label bindings are exchanged.
|
|
What problems does MPLS VPN help to solve?
|
- the service provider can offer layer 3 VPN services
- older layer 2 Frame Relay and ATM services are replaced
- overlapping addresses between different customers are no longer an issue |
|
What are the 3 main components of an MPLS VPN?
|
VRF (virtual routing and forwarding)
RD (route distinguisher)
RT (route target) |
|
what is a VRF
|
to support multiple customers on one PE, a VRF acts as a virtual router: each customer's routing table is kept separate
|
|
What are the components of each VRF?
|
- RIB (routing table)
- CEF FIB (populated from that RIB)
- a separate instance of the routing protocol process on the PE router, used to exchange routes with that VRF's CE routers |
|
configure BGP PE to PE routing session
|
to come
|
|
configure BGP PE to CE routing session
|
int loopback1
 ip address 1.1.1.1 255.255.255.255
router bgp 1
 neighbor 11.11.11.11 remote-as 11
 neighbor 11.11.11.11 update-source loopback1
 neighbor 11.11.11.11 ebgp-multihop 2
 neighbor 11.11.11.11 password fred |
|
how to get CE routes into the PE (static route CE to PE, and the alternatives)
|
- a static route pointing to the CE, then redistributed into BGP
- the network ip... mask... command
- redistribution from the PE-CE routing protocol |
|
Command to verify VPN
|
show ip vrf
show ip vrf interfaces vrf-name
show ip protocols vrf vrf-name
show ip interface interface-number
show ip bgp vpnv4 all
show tag-switching forwarding vrf vrf-name (older IOS; show mpls forwarding-table vrf vrf-name on current releases) |
|
Give 2 ways a PE router can learn IP prefixes from a CE
|
- via static configuration
- through a BGP session with the CE router (or via a RIP exchange with the CE router) |
|
define RD (route distinguisher_
|
An 8-byte value prepended to the customer's IPv4 prefix to form a unique VPNv4 route. It is meaningful only within a single service provider's MPLS network and is used to keep the VPN routes of separate customers distinct, even when their addresses overlap.
|
|
command to see RD of customer in MPLS network
|
show ip vrf (vrfname). Will show vrfname, RD and interfaces
|
|
How to check the route table in a given VRF
|
show ip route vrf (vrfname)
|
|
How to see if interfaces are up for given customer or given VRF
|
show ip vrf interfaces
|
|
how to see bgp routes for a given vrf
|
show ip bgp vpnv4 vrf (vrfname)
for all routes: show ip bgp vpnv4 all |
|
what are the 2 types of connection that can be used for failover
|
1) failover link (LAN-based failover: a dedicated cable, or a switch port on its own VLAN). It carries unit state, hello messages and configuration replication.
2) stateful failover link (for state information: the conn and xlate tables). It can be a dedicated interface or share the same LAN-based failover link. |
|
write example of active/standby failover
configure just the LAN-based failover link on e0/2, then add stateful failover using the same link for both failover and state information |
int e0/2
 no shutdown
failover lan unit primary
failover lan interface lanfail e0/2
failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
failover link lanfail |
|
describe AES?
|
Advanced Encryption Standard. Adopted by the US government in 2001 (FIPS 197) and worldwide since. Symmetric block cipher with a fixed 128-bit block size and a key of 128, 192 or 256 bits.
|
|
what is a cipher?
What is a block cipher? |
an encryption/decryption algorithm.
A block cipher is a symmetric-key cipher (same key to encrypt and decrypt) that works on fixed-size blocks of data (64 bits for DES/3DES, 128 bits for AES), as opposed to a stream cipher that works bit by bit or byte by byte. |
|
describe 3DES?
|
Triple DES (Triple Data Encryption Algorithm): applies DES three times to each 64-bit block, encrypt-decrypt-encrypt:
ciphertext = E_k3(D_k2(E_k1(plaintext))). Three 56-bit keys, 168 bits in total (effective strength about 112 bits because of meet-in-the-middle attacks). Common standard in the late 1990s, now replaced by AES. |
|
describe DES?
|
Data Encryption Standard.
Symmetric block cipher standardised in 1977: a 56-bit key (64 bits including 8 parity bits) applied to 64-bit blocks. Very popular from the 1970s on, but too short a key: the EFF Deep Crack machine with distributed.net recovered a DES key by brute force in about 22 hours in January 1999. |
|
Describe SHA?
|
Secure Hash Algorithm. SHA-1 (1995) takes a message and produces a 160-bit message digest (hash value); MD5 produces a 128-bit digest. SHA-1 was considered stronger but slower than MD5. Both are now broken for collision resistance (MD5 since 2004, SHA-1 demonstrated in 2017); use SHA-2 (SHA-256) or SHA-3 for anything new.
|
|
non-repudiation?
|
principle that guarantees the origin of the data, so that the sender cannot later deny having sent it. Hashing provides integrity only, and a MAC only proves that someone holding the shared key sent the data; non-repudiation needs a digital signature made with the sender's private key.
|
|
Message authentication code?
|
MAC. A keyed checksum attached to data sent across an insecure medium so the receiver can verify its integrity and origin. HMAC is a specific MAC construction that applies a hash function (MD5, SHA-1, SHA-256...) over the message combined with the key.
|
|
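Added example (mine, not from the cards) serving the SHA/MD5, non-repudiation and MAC cards above: Python's hashlib and hmac on a constructed message and key, a man-in-the-middle who rewrites the message, and why an unkeyed hash lets that through while an HMAC checked with a constant-time comparison does not. The key, the message and the attacker's rewrite are all constructed. Note that an HMAC still gives no non-repudiation: both ends hold the same key, so either one could have produced the tag.

```python
import hashlib
import hmac

# Constructed sample key and message (not from the page)
SHARED_KEY = b"k3y-shared-by-both-ends"
MESSAGE = b"transfer amount=100 to=acct-42"


def digest_bits() -> dict:
    """Output size in bits of MD5 (128) and SHA-1 (160) from the cards, plus SHA-256 (256)."""
    return {name: hashlib.new(name).digest_size * 8 for name in ("md5", "sha1", "sha256")}


def plain_hash(message: bytes) -> bytes:
    """Unkeyed hash: integrity only. Anyone can recompute it after changing the message."""
    return hashlib.sha256(message).digest()


def hash_check(message: bytes, digest: bytes) -> bool:
    return plain_hash(message) == digest


def compute_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the hash is keyed with a shared secret, so a valid tag also proves
    that a holder of the key produced it (message + key, as the card says)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time compare: a plain == returns early at the first mismatching byte,
    which leaks how much of a forged tag was right."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def tamper_demo() -> dict:
    """Attacker on the wire rewrites the amount and recomputes whatever he can."""
    tampered = MESSAGE.replace(b"amount=100", b"amount=9999")
    tag = compute_mac(SHARED_KEY, MESSAGE)
    return {
        # unkeyed hash: the attacker simply recomputes it, the receiver is fooled
        "hash_accepts_tampered": hash_check(tampered, plain_hash(tampered)),
        # HMAC: the original still verifies ...
        "mac_accepts_original": verify_mac(SHARED_KEY, MESSAGE, tag),
        # ... the rewritten message no longer matches the tag ...
        "mac_accepts_tampered": verify_mac(SHARED_KEY, tampered, tag),
        # ... and a tag made with a guessed key is rejected by the real key
        "mac_accepts_wrong_key": verify_mac(SHARED_KEY, tampered, compute_mac(b"guess", tampered)),
    }


if __name__ == "__main__":
    print(digest_bits())
    print(tamper_demo())
```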
10 security domains according to ISC2 (CISSP CBK)
|
Access Control Systems and Methodology
Telecommunications and Network Security
Security Management Practices
Applications and Systems Development Security
Cryptography
Security Architecture and Models
Operations Security
Business Continuity and Disaster Recovery Planning
Law, Investigations and Ethics
Physical Security |
|
ITIL?
|
Service Support:
- Incident Management
- Problem Management
- Change Management
- Release Management
- Configuration Management
Service Delivery:
- Financial Management for IT Services
- Capacity Management
- Availability Management
- IT Service Continuity Management
- Service Level Management
Other:
- Planning to Implement Service Management
- Security Management
- ICT Infrastructure Management
- The Business Perspective
- Application Management
- Software Asset Management |
|
Port security?
|
switchport port-security (enables the feature on the access port)
1) switchport port-security maximum x
2) switchport port-security mac-address sticky (so that the switch learns the secure MAC addresses itself and keeps them in the configuration)
3) switchport port-security violation restrict | protect | shutdown |
|
By default port security is what?
|
1 MAC address per port, violation mode shutdown (the port goes err-disabled)
|
|
configure e0/2 for lan and state failover with monitor interfaces
|
failover
failover lan unit primary
failover lan interface fover Ethernet0/2
failover link fover Ethernet0/2
failover interface ip fover 192.168.1.1 255.255.255.0 standby 192.168.1.2
monitor-interface ES-Mgmt-3
monitor-interface ES-NW-122
monitor-interface ES-Sabre-127
monitor-interface ES-WS-128 |
|
Frame-Relay?
|
Switched data-link layer protocol. Carries multiple virtual circuits over one physical link using an HDLC-derived encapsulation. More efficient than X.25 (which it replaces) because it leaves error recovery to the end hosts.
|
|
packet switching vs circuit switching
|
Packet switching: WAN communication method that groups all transmitted data, irrespective of content, type or structure, into blocks called packets. Variable-bit-rate data streams (sequences of packets) share the network; when traversing network adapters, switches, routers and other network nodes the packets are buffered and queued.
Circuit switching: dedicated connections with a constant bit rate and constant delay between nodes. |
|
Example of circuit switching?
|
circuit switching: a dedicated physical path between the peers for the duration of the session (ex: telephone call, ISDN, some T1 circuits)
|
|
types of packet-switched networks?
|
packet switching can be connectionless or connection-oriented
connectionless examples: IP, UDP
connection-oriented examples: X.25, Frame Relay, ATM, MPLS, TCP |
|
Connectionless networks?
|
No session is established. Delivery is not reliable and no state information is kept for the exchange.
Each packet is labelled with the destination address (and, at higher layers, a sequence number). Packets can take any route to the destination, where they are put back in sequence and reassembled. |
|
Connection oriented networks?
|
a session is established first (like a phone call). A virtual circuit is set up (ex: a PVC, permanent virtual circuit). Each packet is labelled with that circuit ID and follows the same virtual circuit path.
|
|
Difference between x25 and frame relay?
|
Both are packet switching.
X.25 is reliable: acknowledgements and retransmission are done by the network, with lots of overhead. Frame Relay is not reliable (no error recovery inside the network), so little overhead and much faster than X.25. X.25 works at the network layer; FR is a data-link layer protocol. X.25 is old but still used by some financial institutions. |
|
ARP and inverse ARP
|
Address Resolution Protocol dynamically maps an IP address to a MAC address. The router first checks its ARP cache and, if the entry is not there, broadcasts an ARP request. On a Frame Relay circuit the router instead sends an Inverse ARP request over each DLCI to learn the remote IP address.
|
|
Inverse ARP in Frame Relay
|
Invented for Frame Relay. A way to learn the remote IP address via the circuit itself (the DLCI plays the role of the hardware address). This works well point-to-point, but in a hub-and-spoke topology a spoke only learns the hub through Inverse ARP; for a spoke to reach another spoke, routing must be set correctly or a frame-relay map must be configured.
|
|
Frame Relay DLCI, LMI,CIR,Bc,
|
DLCI, data-link connection identifier: identifies the logical circuit between the customer CPE and the Frame Relay switch (locally significant).
LMI, local management interface: signaling standard between the CPE and the FR switch to manage the connection, PVC status and keepalives.
CIR, committed information rate: the agreed bits per second.
Bc, committed burst: the maximum number of bits agreed per measurement interval Tc (CIR = Bc / Tc). |
|
FECN, BECN, DE
|
FECN: forward explicit congestion notification (set on frames travelling in the direction of the congestion)
BECN: backward explicit congestion notification (set on frames travelling back toward the source)
DE: discard eligibility. Set by the sender or by the switch on frames that exceed the CIR; under congestion, frames with DE set are dropped first. |
|
sample frame-relay config example?
|
int s1/0
 encapsulation frame-relay
 frame-relay lmi-type {ansi | cisco | q933a}
 bandwidth 56
 frame-relay inverse-arp
(remember that Frame Relay relies on Inverse ARP a lot) |
|
when Inverse ARP is not supported on Frame Relay, what do you do?
|
configure the address-to-DLCI mapping statically:
frame-relay map ip 10.0.0.1 120 broadcast
120 = local DLCI of the VC, 10.0.0.1 = IP address of the remote router
broadcast is optional: without it, routing protocol broadcasts and multicasts are not sent over the VC, so use static routes |
|
frame relay topology
|
star or hub and spoke
partial mesh
full mesh |
|
example of hub and spoke (split horizon issue)
|
need to use subinterfaces: split horizon stops the hub from sending a route learned on its Frame Relay interface back out of that same interface to the other spokes
with a multipoint subinterface all spokes can be on the same subnet, but split horizon must still be disabled for RIP/EIGRP (no ip split-horizon / no ip split-horizon eigrp 1); with point-to-point subinterfaces each VC is its own subnet and the problem disappears
int s1/0
 encapsulation frame-relay
int s1/0.2 multipoint
 ip address 10.0.1.1 255.255.255.0
 bandwidth 64
 frame-relay map ip 10.0.1.2 120 broadcast
 frame-relay map ip 10.0.1.3 130 broadcast |
|
why would you prefer to select a loopback interface as bgp neighbor
|
if the physical interface fails, the TCP socket closes and the BGP session drops: a neighborship bound to a physical interface can only be up while that interface is up. A loopback never goes down, so with redundant paths the session survives a single link failure.
|
|
what are the steps to use loopback interface for bgp neighborship
|
1. configure an address on the loopback interface
2. neighbor neighbor-ip update-source loopbackN (N is the local loopback)
3. neighbor neighbor-ip remote-as N
4. neighbor neighbor-ip ebgp-multihop 2 (do not forget: the IGP or static routes must be able to reach the remote loopback) |
|
why when using loopback as bgp neighbor, you have to use ebgp-multihop
|
ebgp-multihop 2 is required because eBGP sets the TTL to 1 in the IP header by default. A packet destined to the neighbor's loopback has to cross one router hop to get there, and with a TTL of 1 it would be discarded before reaching the loopback.
|
|
what are the bgp neighbor states
|
- Idle: down, not trying or waiting before retrying
- Connect: TCP connection attempt in progress
- Active: the TCP connection attempt failed and the router is actively retrying (a neighbor stuck in Active usually means TCP cannot complete: reachability, ACL, wrong neighbor address)
- OpenSent: BGP Open message sent to the peer, not answered yet
- OpenConfirm: Open message received from the peer, waiting for the Keepalive
- Established: neighbor relationship up, Updates are exchanged |
|
show ip bgp summary show state/PfxRcd at 6 ?
|
the state is Established and 6 prefixes have been received (otherwise the BGP state name would be shown in that column)
|
|
how to administratively shutdown a bgp neighbor?
|
router bgp n
 neighbor neighbor_ip shutdown
State/PfxRcd should then show Idle |
|
What are the BGP message types?
|
- Open (to establish the neighbor relationship, carries the ASN, router ID and capabilities; the MD5 check happens at the TCP level)
- Keepalive (periodic hello, or BGP brings the neighbor relationship down)
- Update (to exchange PAs, path attributes, and the associated prefix/length)
- Notification (to signal a BGP error) |
|
what is NLRI?
|
Network Layer Reachability Information: another term for the IP prefix and prefix length carried by BGP
|
|
what is show ip bgp neighbors ipaddress advertised-routes
|
show routes advertised
|
|
what is show ip bgp neighbors ipaddress received-routes
|
show routes learned from that neighbor before inbound policy (requires neighbor ipaddress soft-reconfiguration inbound; otherwise use routes, which shows the post-policy table)
|
|
ICANN?
IANA? |
ICANN, Internet Corporation for Assigned Names and Numbers: owns the processes for how IPv4/IPv6 addresses are allocated and assigned.
IANA (Internet Assigned Numbers Authority) carries out the policy. They also manage the development of the DNS naming structure and the top-level domains (ex: .com), and are responsible for the assignment of BGP ASNs. |
|
explain the process of managing IPV4 address?
|
1. ICANN and IANA group public IPv4 addresses by geographic location
2. those are allocated to regional internet registries (RIRs)
3. the RIRs subdivide the addresses and provide them to NIRs (national internet registries) or to LIRs (local internet registries); LIRs are often ISPs
4. LIRs or NIRs can subdivide even further |
|
What is the default BGP PA?
|
As Path
|
|
Explain assignment of BGP ASN by IANA
|
0 reserved
1-64495 public use
64496-64511 reserved (documentation)
64512-65534 private use
65535 reserved |
|
Explain those concepts?
single homed dual homed single multihomed dual multihomed |
single homed: 1 link, 1 ISP
dual homed: 2+ links, 1 ISP
single multihomed: 1 link per ISP, 2+ ISPs
dual multihomed: 2+ links per ISP, 2+ ISPs |
|
administrative distance?
|
connected 0
static 1
EIGRP summary 5
eBGP 20
EIGRP internal 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
ODR 160
EIGRP external 170
iBGP 200 |
|
quickly check interface flapping. bgp flapping?
|
show logging (look for interface up/down and %BGP-5-ADJCHANGE neighbor up/down messages)
|
|
Analyse and find where an IP address comes from (which switch port)
|
show ip arp (IP to MAC)
show mac address-table (MAC to port)
show mac address-table address xxxx.xxxx.xxxx vlan x (older IOS: show mac-address-table address ...) |
|
take a capture with a router?
|
access-list 140 permit ip host 10.159.12.4 host 10.159.12.3
access-list 140 permit ip host 10.159.12.3 host 10.159.12.4
debug ip packet 140 detail
(caution: debug ip packet only shows process-switched packets, not CEF-switched traffic, and can overload the CPU of a busy router; undebug all when done) |
|
routing problem?
|
show ip route | include xx.xx.xx.xx
show ip bgp summary (to find the peer address)
show ip bgp neighbors xx.xx.xx.xx routes (routes received)
show ip bgp neighbors xx.xx.xx.xx advertised-routes (routes given) |
|
SSH (v1 and v2)
|
SSH, Secure Shell, uses public-key cryptography (host and user key pairs) plus a negotiated session key for secure remote access.
SSH1 was developed in 1995. SSH2 is stronger: Diffie-Hellman key exchange and a strong integrity check with a MAC; it is not compatible with SSH1. |
|
command SSH
|
ssh -l admin 57.31.46.253 -1
(without -1 you may get "rsa modulus too small" against an old device; -1 forces SSH version 1, which is insecure and rarely used now) |
|
Primary ASA failed and secondary take over. You fixed the primary. while on the primary, what command can reactivate the primary asa and restore it to active status.
|
failover active
|
|
to create virtual firewalls on the ASA, you have to convert from single context mode to multiple context mode. 1) what is the default name of the security context created when converting? 2) Which command did you use to convert from single mode to multiple operation mode?
|
1) name is admin context or admin.
2) You have to issue command: mode multiple. (to revert back mode single) |
|
Which three commands can verify what the boot image is?
|
show bootvar
show startup-config
show version |
|
Which two technologies can secure the control plane of the Cisco router?
|
routing protocol authentication
CPPr (control plane protection, against rogue packets or DoS) |
|
Give 3 tunnelling methods supported by the Cisco VPN client
|
IPsec over TCP
IPsec over UDP
IPsec ESP (encapsulating security payload)
NAT-transparent IPsec (NAT-T) |
|
It is best practice to configure an ASA to support AAA server for user authentication. 1) By default how long the ASA wait for an AAA server that is not responding 2) What ASA will do after that if there is still no response?
|
1) the ASA waits 5 seconds for a response.
2) if no response is obtained it queries the AAA server again, up to 4 times, before declaring it unresponsive (the wait can be changed with the timeout command) |
|
What are the commands use to check connection and translation table? What are the difference between connection and translations?
|
show conn and show xlate.
Connections are the actual TCP or UDP sessions going through the ASA; translations (xlate) are the NAT or PAT address mappings the ASA has built for them. |
|
Describe the configuration steps and command to initiate packet capture on the ASA?
|
1) first create an access-list matching the packets to be captured
2) use the command: capture [capturename] access-list [name of access-list] interface [name of interface]
3) show capture [capturename] |
|
Websense is being deployed as URL filtering service for various airport site. what command should be use to configure the internet firewall to work in conjuction with the websense filtering appliance. (ex: Websense is placed in DMZ, security level 40, IP 57.236.10.102)
|
url-server (DMZ) vendor websense host 57.236.10.102
|
|
how ping is working?
|
the source sends an echo request (ICMP type 8) and waits for an echo reply (ICMP type 0). On failure the answer is ICMP type 3, destination unreachable, with code 0 = net unreachable, 1 = host unreachable, 2 = protocol unreachable, 3 = port unreachable, 4 = fragmentation needed and DF set, 5 = source route failed.
|
|
how preempt works?
|
When the state of a tracked interface changes to down, the active router decrements its priority. The standby router reads this value from the hello packet priority field, and becomes active if this value is lower than its own priority and the standby preempt is configured. You can configure by how much the router must decrement the priority. By default, it decrements its priority by ten.
|
|
How the priority field is used?
|
The priority field is used to elect the active router and the standby router for the specific group. In the case of an equal priority, the router with the highest IP address for the respective group is elected as active. Furthermore, if there are more than two routers in the group, the second highest IP address determines the standby router and the other router/routers are in the listen state
|
|
Hsrp destination ip?
|
The destination address of HSRP hello packets is the all-routers multicast address 224.0.0.2 (HSRP version 1); HSRP version 2 uses 224.0.0.102
|
|
HSRP: TCP or UDP?
|
UDP, since HSRP runs on UDP port 1985
|
|
what is that mac 0000.0c07.ac0a?
|
0000.0c07.ac is the HSRP version 1 virtual MAC prefix; 0a is the group number, 10
|
|
states of HSRP
|
Disabled, Init, Listen, Speak, Standby and Active.
The standby takes over after 3 hellos are missed (default hello 3 s, holdtime 10 s).
The router in Listen state becomes the next standby |
|
GLBP vs HSRP
|
GLBP load-balances without having to configure two different virtual IPs on the hosts.
GLBP selects the gateway automatically: all hosts use the same virtual IP, but GLBP answers their ARP requests with different virtual MACs (one per active virtual forwarder), so traffic is spread across the gateways |
|
mac address vrrp and hsrp
|
0000.5E00.01XX (VRRP, XX = VRID). VRRP preempts by default.
0000.0C07.ACXX (HSRP version 1, XX = standby group); HSRP version 2 uses 0000.0C9F.FXXX |
|
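Added example (mine, not from the cards) doing the reverse of the last two cards in Python: it maps an HSRPv1, HSRPv2 or VRRP virtual MAC back to its protocol and group number, and scans constructed "show ip arp" text for virtual gateways, which is a quick way during an incident to spot an unexpected HSRP/VRRP group on a segment. The ARP table output is constructed for the example; the MAC prefixes are those of the protocols themselves.

```python
import re


def _hexdigits(mac: str) -> str:
    """Normalise 'aaaa.bbbb.cccc', 'aa:bb:...' or 'aa-bb-...' to 12 lowercase hex digits."""
    h = re.sub(r"[.:\-]", "", mac).lower()
    if re.fullmatch(r"[0-9a-f]{12}", h) is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return h


def identify_virtual_mac(mac: str):
    """Map a well-known first-hop-redundancy MAC back to its protocol and group.

    HSRPv1  0000.0c07.acXX   (XX  = group, 0-255)
    HSRPv2  0000.0c9f.fXXX   (XXX = group, 0-4095)
    VRRP    0000.5e00.01XX   (XX  = VRID, 1-255)
    Returns None for any other MAC.
    """
    h = _hexdigits(mac)
    if h.startswith("00000c07ac"):
        return {"protocol": "HSRPv1", "group": int(h[10:], 16)}
    if h.startswith("00000c9ff"):
        return {"protocol": "HSRPv2", "group": int(h[9:], 16)}
    if h.startswith("00005e0001"):
        return {"protocol": "VRRP", "group": int(h[10:], 16)}
    return None


# Constructed sample of 'show ip arp' output (not captured from a real device)
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              5   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.10.10.2              0   0000.0c9f.f00b  ARPA   Vlan10
Internet  10.10.20.1              3   0000.5e00.0105  ARPA   Vlan20
Internet  10.10.20.50             1   0050.56aa.bb01  ARPA   Vlan20
"""

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def find_virtual_gateways(arp_output: str) -> list:
    """Pull every HSRP/VRRP virtual address out of ARP table text, with the interface it sits on."""
    found = []
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, iface = m.groups()
        info = identify_virtual_mac(mac)
        if info:
            found.append({"ip": ip, "interface": iface, **info})
    return found


if __name__ == "__main__":
    for gw in find_virtual_gateways(SAMPLE_ARP):
        print(gw)
```

Two virtual gateways in the same VLAN with different groups (as in the constructed Vlan10 lines) is worth a second look: it is either two intentional groups or a rogue router answering for its own group.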
filtering with ASA, relation between server and filter
|
for URL filtering with the ASA firewall:
url-server (which points to the Websense server) must be used together with filter url: url-server says where to send the lookups, filter url says which traffic is subject to filtering |
|
give a few command for url filtering
|
for filtering we have:
url-server (inside) ...
filter url ...
filter https ...
careful: filter url 443 does not filter https, use filter https
Example:
url-server (servicelan) vendor websense host 57.250.243.13 timeout 30 protocol TCP version 1 connections 5
filter url except 57.6.104.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter https 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate |
|
what is WCCP
|
WCCP can be enabled on the ASA to redirect web traffic to a cache or filtering engine (service number 0 is web-cache/HTTP, 70 is the dynamic service used here for HTTPS).
WCCP is the Web Cache Communication Protocol (to speed up HTTP and HTTPS requests through a cache) |
|
give example of config using WCCP
|
url-server (servicelan) vendor websense host 57.250.243.13 timeout 30 protocol TCP version 1 connections 5
access-list wccp_clients extended permit ip 57.6.104.0 255.255.255.0 any
access-list wccp_clients extended deny ip any any
wccp 0 redirect-list wccp_clients password StaWGbt
wccp interface inside 0 redirect in
wccp 70 redirect-list wccp_clients password StaWGbt
wccp interface inside 70 redirect in |
|
give command to troubleshoot WCCP
|
debug wccp events
debug wccp packets show wccp |
|
IPDSLAM concept: G.SHDSL
|
Single-pair High-speed Digital Subscriber Line: a type of DSL that provides symmetric data transfer up to 2.3 Mbps each way over distances up to about 5 km
|
|
IPDSLAM connectors and ports
|
24 G.SHDSL ports and 2 Ethernet uplink ports. The 24 ports are delivered on a 50-pin RJ21 telco connector; a 24-pair cable usually brings them to a patch panel. Supports PPP (BCP) for layer 2 switching, i.e. bridging over PPP.
|
|
Basic config of IPDSLAM
|
IP address on the Ethernet ports
default gateway
bridge: name, number and description
VLAN: name, number and description
interface IP address (for A and B)
G.SHDSL BCP
link all 3 together |
|
PPP
|
Point-to-Point Protocol, or PPP, is a data-link protocol commonly used to establish a direct connection between two networking nodes.
PPP replaced the old SLIP (Serial Line Internet Protocol) and the LAPB used in X.25. The beauty of PPP is that it can carry many layer 3 protocols: IP, IPX, etc. |
|
in hsrp environnement, how is it recommend to configure nat inside
|
Behaviour is unpredictable if both HSRP routers have the same static NAT and the entries are not tied to the HSRP group:
ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1 (HSRP1 is the group name set with standby name) |
|
packet capture. how to download and put in pcap
|
you may have to do:
http server enable
http xx.xx.xx.xx 255.255.255.255 outside
=== then in the browser:
https://firewall/capture/captname
https://firewall/capture/captname/pcap (pcap format)
username = blank, password = enable password |
|
frame relay memotechnique
|
LIMP
======
show interfaces (line up, encapsulation)
show frame-relay lmi (keepalives sent and increasing)
show frame-relay map (mapping of layer 3 address to layer 2 DLCI)
show frame-relay pvc (PVC status, CIR, FECN and BECN counters) |
|
nat with HSRP
|
ARP requests for an address configured with a static NAT mapping are answered by NAT with the BIA MAC address of the interface the ARP points to.
NAT inside interfaces must be enabled and configured to belong to an HSRP group.
Static NAT mappings must be mirrored on the two or more HSRP routers, because NAT state is not exchanged between them.
Behaviour is unpredictable if both HSRP routers have the same static NAT and are not configured with the redundancy (hsrp) keyword linking them to the same HSRP group. |
|
example of NAT with HSRP
|
ip nat outside
standby ip 57.31.140.1
standby priority 105
standby preempt
standby name NATREDUNDANCY |
|
inside local
inside global outside local outside global |
simple:
inside local: the inside host's real address
inside global: the inside host's address as seen from outside (the translated address)
outside local: the outside host's address as presented to the inside
outside global: the outside host's real address |
|
What are the 3 methods to filter route
|
ACL with a distribute-list
prefix list with a distribute-list
route map |
|
rules of spantree
|
1) root election: lowest bridge ID (priority, then MAC address)
2) all ports of the root bridge are designated ports
3) root port on every other switch: the port with the lowest total path cost to the root (reminder: all root and designated ports forward)
4) the port facing a root port on the other side of the segment is automatically designated (each collision domain has exactly one designated port)
5) on the other segments: the designated port is on the switch with the lowest path cost to the root (tie-break: lowest bridge ID, then lowest port ID)
6) every remaining port is blocked |
|
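Added example (mine, not from the cards) that applies the six rules above to a constructed three-switch triangle in Python: the lowest bridge ID elects the root, Dijkstra over the link costs gives each switch its root path cost, the lowest-cost port becomes the root port, one end of every segment is designated and whatever is left is blocked. Switch names, MAC addresses, port names and the cost of 19 per link are invented for the example.

```python
import heapq


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID compares priority first, then MAC; the lowest wins."""
    return (priority, mac.lower())


def elect_root(bridges: dict) -> str:
    return min(bridges, key=lambda sw: bridge_id(*bridges[sw]))


def root_path_costs(bridges: dict, links: list, root: str) -> dict:
    """Dijkstra over link costs: the root path cost each switch advertises in its BPDUs."""
    adj = {sw: [] for sw in bridges}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nb, cost in adj[node]:
            if d + cost < dist.get(nb, float("inf")):
                dist[nb] = d + cost
                heapq.heappush(heap, (d + cost, nb))
    return dist


def port_roles(bridges: dict, links: list) -> tuple:
    """Apply the election rules: root bridge, root ports, designated ports, everything else blocked.

    bridges: {name: (priority, mac)}
    links:   [(switch_a, port_a, switch_b, port_b, cost), ...]  (one symmetric cost per segment)
    Returns (root, {(switch, port): role}).
    """
    root = elect_root(bridges)
    dist = root_path_costs(bridges, links, root)
    roles = {}
    # Rule 3: root port = lowest root path cost; ties by sender bridge ID, then local port name.
    for sw in bridges:
        if sw == root:
            continue
        best = None
        for a, pa, b, pb, cost in links:
            for me, my_port, nb in ((a, pa, b), (b, pb, a)):
                if me != sw or nb not in dist:
                    continue
                key = (dist[nb] + cost, bridge_id(*bridges[nb]), my_port)
                if best is None or key < best:
                    best = key
        if best is not None:
            roles[(sw, best[2])] = "root"
    # Rules 2/4/5: one designated port per segment, the end with the lower root path cost,
    # ties by lower bridge ID. The root's ports are all designated because its cost is 0.
    for a, pa, b, pb, cost in links:
        key_a = (dist.get(a, float("inf")), bridge_id(*bridges[a]))
        key_b = (dist.get(b, float("inf")), bridge_id(*bridges[b]))
        designated, other = ((a, pa), (b, pb)) if key_a <= key_b else ((b, pb), (a, pa))
        roles.setdefault(designated, "designated")
        roles.setdefault(other, "blocked")  # Rule 6, unless that end is already a root port
    return root, roles


# Constructed topology (not from the page): a triangle of three switches, every link cost 19.
BRIDGES = {
    "SW1": (4096, "0000.0c00.0001"),
    "SW2": (32768, "0000.0c00.0002"),
    "SW3": (32768, "0000.0c00.0003"),
}
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 19),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 19),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 19),
]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

Lowering a switch's priority (the spanning-tree vlan x priority y command of the next cards) simply changes its bridge ID, so re-running port_roles with a new priority shows the root and every port role moving at once.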
spantree command
|
show spanning-tree bridge (this switch's bridge ID / MAC address)
show spanning-tree root (who is root, root port, cost, timers)
show spanning-tree active
show spanning-tree blockedports
show spanning-tree summary
show spanning-tree brief (older IOS) |
|
changing spanning tree root
|
change the bridge priority: spanning-tree vlan x priority y (y in multiples of 4096), or spanning-tree vlan x root primary (the switch picks a priority lower than the current root's)
|
|
Note on frame-relay.
|
multipoint subinterface (you have to specify multipoint in the subinterface command): several DLCIs, one subnet; the remote addresses are learned by Inverse ARP or set with frame-relay map
point-to-point subinterface (you have to specify point-to-point): one DLCI per subinterface, assigned with frame-relay interface-dlci; no Inverse ARP needed and no split-horizon issue
if you use the physical interface (and not a subinterface), do a frame-relay map ip ... broadcast; this also helps the spokes communicate with each other |
|
example of route-map with set ip next hop
|
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255
!
route-map myroute permit 10
 match ip address 2
 set ip next-hop 10.1.1.2
!
route-map myroute permit 20
 match ip address 1
 set ip next-hop 10.1.1.2 |
|
3 way to filter routes using distribute-list
|
access-list
prefix list
route map |
|
exemple of filtering route using prefix list
|
router eigrp 1
 network 3.0.0.0
 distribute-list prefix myprefix out
!
ip prefix-list myprefix seq 5 deny 3.3.3.0/24
ip prefix-list myprefix seq 10 permit 0.0.0.0/0 le 32
(the final permit is required: a prefix list ends with an implicit deny, so with only the deny entry every route would be filtered) |
|
enable and query ip accounting
|
int fa0/0
 ip accounting
 exit
show ip accounting |
|
enable and query ip cache-flow
|
int fa0/0
 ip route-cache flow
 exit
show ip cache flow |
|
enable and query ip mac-accounting
|
int fa0/0
 ip accounting mac-address input
 exit
show interfaces mac-accounting |
|
commande for a GRE tunnel
|
int tunnel 0
 ip address 1.1.1.1 255.255.255.0
 tunnel source WanIntAddress
 tunnel destination OtherSideIP |
|
using asa. I telnet to outside interface. telnet open but no prompt and message IPSEC: Received a non-IPSec packet show on log?
|
Telnet to the outside interface only works if telnet xxxx xxxx outside is configured AND the session arrives through an IPsec VPN tunnel: the ASA refuses Telnet on its lowest-security interface (security level below 100, typically outside) otherwise, which is why the log shows "IPSEC: Received a non-IPSec packet" and no prompt appears. SSH to the outside interface works, of course.
|
|
code to set weight and local-pref to 200
|
access-list 1 permit xx.xx.xx.xx 0.0.0.255
route-map mymap permit 10
 match ip address 1
 set weight 200
 set local-preference 200
route-map mymap permit 20
router bgp 1
 neighbor xx.xx.xx.xx remote-as 2
 neighbor xx.xx.xx.xx route-map mymap in |
|
ip policy to force icmp take a route and all other packet another one
|
reminder: ip policy is applied on the interface where the packets arrive
int e0/0
 ip policy route-map mymap
access-list 100 permit icmp any any
route-map mymap permit 10
 match ip address 100
 set ip next-hop xx.xx.xx.xx
route-map mymap permit 20
(the empty permit 20 lets every other packet follow the normal routing table) |
|
with EBGP, send a default BGP route
|
router bgp 1
 neighbor xx.xx.xx.xx default-originate |
|
N WLLA OMNI (BGP best path mnemonic)
|
prefer, in this order:
N next hop reachable (a path whose next hop is not in the routing table is not even considered)
W highest weight
L highest local preference
L locally originated route (network, redistribute or aggregate on this router)
A shortest AS path
O lowest origin code (IGP i, then EGP e, then incomplete ?)
M lowest MED (multi-exit discriminator)
N neighbor type: eBGP path over iBGP path
I lowest IGP metric to the next hop |