DHCP Operation

Posted: 23rd July 2020 by ccna7guru in ITN

The DHCP Process:

•When an IPv4, DHCP-configured device boots up or connects to the network, the client broadcasts a DHCP discover (DHCPDISCOVER) message to identify any available DHCP servers on the network.

•A DHCP server replies with a DHCP offer (DHCPOFFER) message, which offers a lease to the client. (If a client receives more than one offer due to multiple DHCP servers on the network, it must choose one.)

•The client sends a DHCP request (DHCPREQUEST) message that identifies the explicit server and lease offer that the client is accepting. 

•The server then returns a DHCP acknowledgment (DHCPACK) message that acknowledges to the client that the lease has been finalized.

• If the offer is no longer valid, then the selected server responds with a DHCP negative acknowledgment (DHCPNAK) message and the process must begin with a new DHCPDISCOVER message.

Note: DHCPv6 has a set of messages that is similar to those for DHCPv4. The DHCPv6 messages are SOLICIT, ADVERTISE, INFORMATION REQUEST, and REPLY.

Se han desarrollado dos arquitecturas de red principales para admitir la virtualización de la red: •Redes definidas por software (SDN) : una arquitectura de red que virtualiza la red, ofreciendo un nuevo enfoque para la administración y administración de redes que busca simplificar y optimizar el proceso de administración. •Infraestructura centrada en aplicaciones (ACI) de Cisco: Solución de hardware diseñada específicamente para integrar la computación en la nube con la administración de centros de datos.

Redes Definidas por Software -Tecnologías de Virtualización

Los componentes de SDN pueden incluir los siguientes: •OpenFlow: Este enfoque se desarrolló en la Universidad de Stanford para administrar el tráfico entre routers, switches, puntos de acceso inalámbrico y un controlador. El protocolo OpenFlow es un elemento básico en el desarrollo de soluciones de SDN. •OpenStack: Este enfoque es una plataforma de virtualización y coordinación disponible para armar entornos escalables en la nube y proporcionar una solución de infraestructura como servicio (IaaS). OpenStack se usa frecuentemente en conjunto con Cisco ACI. La organización en la red es el proceso para automatizar el aprovisionamiento de los componentes de red como servidores, almacenamiento, switches, routers y aplicaciones. •Otros componentes: otros componentes incluyen la interfaz a Routing System (I2RS), la interconexión transparente de varios enlaces (TRILL), Cisco FabricPath (FP) e IEEE 802.1aq Shortest Path Bridging (SPB).

Activity – Switch It!

Posted: 4th August 2020 by ccna7guru in SRWE
witch learns and forwards frames
witch learns and forwards frames.

Use above activity to check your understanding of how a switch learns and forwards frames.

Configure SSH

Posted: 4th August 2020 by ccna7guru in SRWE
Tags: , , , , ,

Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity settings

Step 1

Verify SSH support.

Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.

S1# show ip ssh

Step 2

Configure the IP domain.

Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command. In the figure, the domain-name value is cisco.com.


S1(config)# ip domain-name cisco.com

Step 3

Generate RSA key pairs.

Not all versions of the IOS default to SSH version 2, and SSH version 1 has known security flaws. To configure SSH version 2, issue the ip ssh version 2 global configuration mode command. Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. The sample configuration in the figure uses a modulus size of 1,024 bits. A longer modulus length is more secure, but it takes longer to generate and to use.

Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted, the SSH server is automatically disabled.

S1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024

Step 4

Configure user authentication.

The SSH server can authenticate users locally or using an authentication server. To use the local authentication method, create a username and password pair using the username username secret password global configuration mode command. In the example, the user admin is assigned the password ccna.

S1(config)# username admin secret ccna

Step 5

Configure the vty lines.

Enable the SSH protocol on the vty lines by using the transport input ssh line configuration mode command. The Catalyst 2960 has vty lines ranging from 0 to 15. This configuration prevents non-SSH (such as Telnet) connections and limits the switch to accept only SSH connections. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.

S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit

Step 6

Enable SSH version 2.

By default, SSH supports both versions 1 and 2. When supporting both versions, this is shown in the show ip ssh output as supporting version 2. Enable SSH version using the ip ssh version 2 global configuration command.

S1(config)# ip ssh version 2

Disable Unused Services

Posted: 1st August 2020 by ccna7guru in ITN
Tags:

Cisco routers and switches start with a list of active services that may or may not be required in your network. Disable any unused services to preserve system resources, such as CPU cycles and RAM, and prevent threat actors from exploiting these services. The type of services that are on by default will vary depending on the IOS version. For example, IOS-XE typically will have only HTTPS and DHCP ports open. You can verify this with the show ip ports all command, as shown in the example.

show ip ports all
show ip ports all 

IOS versions prior to IOS-XE use the show control-plane host open-ports command. We mention this command because you may see it on older devices. The output is similar. However, notice that this older router has an insecure HTTP server and Telnet running. Both of these services should be disabled. As shown in the example, disable HTTP with the no ip http server global configuration command. Disable Telnet by specifying only SSH in the line configuration command, transport input ssh.

show control-plane host open-ports
show control-plane host open-ports

Reconnaissance Attacks

Posted: 31st July 2020 by ccna7guru in ITN
Tags: , ,

In addition to malicious code attacks, it is also possible for networks to fall prey to various network attacks. Network attacks can be classified into three major categories:

  • Reconnaissance attacks – The discovery and mapping of systems, services, or vulnerabilities.
  • Access attacks – The unauthorized manipulation of data, system access, or user privileges.
  • Denial of service – The disabling or corruption of networks, systems, or services.

For reconnaissance attacks, external threat actors can use internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, a threat actor can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, a threat actor may use a ping sweep tool, such as fping or gping. This systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.

FHRP Options

Posted: 24th July 2020 by ccna7guru in SRWE
Tags: , , ,

The FHRP used in a production environment largely depends on the equipment and needs of the network. The table lists all the options available for FHRPs.

Hot Standby Router Protocol (HSRP)
HRSP is a Cisco-proprietary FHRP that is designed to allow for transparent failover of a first-hop IPv4 device. HSRP provides high network availability by providing first-hop routing redundancy for IPv4 hosts on networks configured with an IPv4 default gateway address. HSRP is used in a group of routers for selecting an active device and a standby device. In a group of device interfaces, the active device is the device that is used for routing packets; the standby device is the device that takes over when the active device fails, or when pre-set conditions are met. The function of the HSRP standby router is to monitor the operational status of the HSRP group and to quickly assume packet-forwarding responsibility if the active router fails.

HSRP for IPv6
This is a Cisco-proprietary FHRP that provides the same functionality of HSRP, but in an IPv6 environment. An HSRP IPv6 group has a virtual MAC address derived from the HSRP group number and a virtual IPv6 link-local address derived from the HSRP virtual MAC address. Periodic router advertisements (RAs) are sent for the HSRP virtual IPv6 link-local address when the HSRP group is active. When the group becomes inactive, these RAs stop after a final RA is sent.

Virtual Router Redundancy Protocol version 2 (VRRPv2)
This is a non-proprietary election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on an IPv4 LAN. This allows several routers on a multiaccess link to use the same virtual IPv4 address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups, in case the virtual router master fails.

VRRPv3
This provides the capability to support IPv4 and IPv6 addresses. VRRPv3 works in multi-vendor environments and is more scalable than VRRPv2.

Gateway Load Balancing Protocol (GLBP)
This is a Cisco-proprietary FHRP that protects data traffic from a failed router or circuit, like HSRP and VRRP, while also allowing load balancing (also called load sharing) between a group of redundant routers.

GLBP for IPv6
This is a Cisco-proprietary FHRP that provides the same functionality of GLBP, but in an IPv6 environment. GLBP for IPv6 provides automatic router backup for IPv6 hosts configured with a single default gateway on a LAN. Multiple first-hop routers on the LAN combine to offer a single virtual first-hop IPv6 router while sharing the IPv6 packet forwarding load.

ICMP Router Discovery Protocol (IRDP)
Specified in RFC 1256, IRDP is a legacy FHRP solution. IRDP allows IPv4 hosts to locate routers that provide IPv4 connectivity to other (nonlocal) IP networks.

Remote-Access VPNs

Posted: 28th June 2020 by ccna7guru in ITN

In the previous topic you learned about the basics of a VPN. Here you will learn about the types of VPNs.

VPNs have become the logical solution for remote-access connectivity for many reasons. As shown in the figure, remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access including email and network applications. Remote-access VPNs also allow contractors and partners to have limited access to the specific servers, web pages, or files as required. This means that these users can contribute to business productivity without compromising network security.

Remote-access VPNs are typically enabled dynamically by the user when required. Remote access VPNs can be created using either IPsec or SSL. As shown in the figure, a remote user must initiate a remote access VPN connection.

The figure displays two ways that a remote user can initiate a remote access VPN connection: clientless VPN and client-based VPN.

Remote-Access VPNs
Remote-Access VPNs
  • Clientless VPN connection -The connection is secured using a web browser SSL connection. SSL is mostly used to protect HTTP traffic (HTTPS), and email protocols such as IMAP and POP3. For example, HTTPS is actually HTTP using an SSL tunnel. The SSL connection is first established, and then HTTP data is exchanged over the connection.
  • Client-based VPN connection – VPN client software such as Cisco AnyConnect Secure Mobility Client must be installed on the remote user’s end device. Users must initiate the VPN connection using the VPN client and then authenticate to the destination VPN gateway. When remote users are authenticated, they have access to corporate files and applications. The VPN client software encrypts the traffic using IPsec or SSL and forwards it over the internet to the destination VPN gateway.

Enterprise Networking, Security, and Automation (ENSA)

Posted: 28th June 2020 by ccna7guru in ENSA

These course materials will assist you in developing the skills necessary to do the following:

  • Explain how single-area OSPF operates in both point-to-point and broadcast multiaccess networks.
  • Verify single-area OSPFv2 in both point-to-point and broadcast multiaccess networks.
  • Explain how vulnerabilities, threats, and exploits can be mitigated to enhance network security.
  • Explain how ACLs are used as part of a network security policy.
  • Implement standard IPv4 ACLs to filter traffic and secure administrative access.
  • Configure NAT services on the edge router to provide IPv4 address scalability.
  • Explain how WAN access technologies can be used to satisfy business requirements.
  • Explain how VPNs secure site-to-site and remote access connectivity.
  • Explain how networking devices implement QoS.
  • Implement protocols to manage the network.
  • Explain the characteristics of scalable network architectures.
  • Troubleshoot enterprise networks.
  • Explain the purpose and characteristics of network virtualization.
  • Explain how network automation is enabled through RESTful APIs and configuration management tools.

OSPFv3

Posted: 21st June 2020 by ccna7guru in ENSA

OSPFv3 is the OSPFv2 equivalent for exchanging IPv6 prefixes. Recall that in IPv6, the network address is referred to as the prefix and the subnet mask is called the prefix-length.

Similar to its IPv4 counterpart, OSPFv3 exchanges routing information to populate the IPv6 routing table with remote prefixes.

Note: With the OSPFv3 Address Families feature, OSPFv3 includes support for both IPv4 and IPv6. OSPF Address Families is beyond the scope of this curriculum.

OSPFv2 runs over the IPv4 network layer, communicating with other OSPF IPv4 peers, and advertising only IPv4 routes.

OSPFv3 has the same functionality as OSPFv2, but uses IPv6 as the network layer transport, communicating with OSPFv3 peers and advertising IPv6 routes. OSPFv3 also uses the SPF algorithm as the computation engine to determine the best paths throughout the routing domain.

OSPFv3 has separate processes from its IPv4 counterpart. The processes and operations are basically the same as in the IPv4 routing protocol, but run independently. OSPFv2 and OSPFv3 each have separate adjacency tables, OSPF topology tables, and IP routing tables, as shown in the figure.

The OSPFv3 configuration and verification commands are similar to those used in OSPFv2.

OSPFv2 and OSPFv3 Data Structures
OSPFv2 and OSPFv3 Data Structures