Chapter 11. It’s a Network

What are the devices and protocols used in a small network?

How does a small network serve as the basis of larger networks?

Why are basic security measures needed on network devices?

What are security vulnerabilities and general mitigation techniques?

How do you configure network devices with device-hardening features to mitigate security threats?

How do you use the output of the ping and tracert commands to establish relative network performance?

How do you use the basic show commands to verify the configuration and status of a device interface?

Which file systems are present on routers and switches?

How do you apply the commands to back up and restore an IOS configuration file?

expandability page 550

operating system features and services page 550

network applications page 554

IMAP page 555

infrastructure page 556

Voice over IP (VoIP) page 557

IP telephony page 557

Real-Time Transport Protocol (RTP) page 557

Real-Time Transport Control Protocol (RTCP) page 557

information theft page 560

identity theft page 560

data loss/manipulation page 560

disruption of service page 560

reconnaissance attacks page 565

access attacks page 565

denial of service attacks page 565

containment page 567

inoculation page 567

quarantine page 567

treatment page 567

appliance-based firewalls page 570

server-based firewalls page 570

integrated firewalls page 570

personal firewalls page 570

banners page 575

exec timeout page 575

Secure Shell (SSH) page 576

ipconfig page 590

arp page 591

show cdp neighbors page 592

With small networks, the design of the network is usually simple. The number and types of devices on the network are significantly reduced compared to that of a larger network, as shown in Figure 11-1. The network topologies for small networks typically involve a single router and one or more switches. Small networks may also have wireless access points (possibly built into the router) and IP phones. As for connection to the Internet, normally a small network has a single WAN connection provided by DSL, cable, or an Ethernet connection.

Managing a small network requires many of the same skills as those required for managing a larger one. The majority of work is focused on maintenance and troubleshooting of existing equipment, as well as securing devices and information on the network. The management of a small network is done either by an employee of the company or by a person contracted by the company, depending on the size of the business and the type of business.

One of the first design considerations when implementing a small network is the type of intermediate devices to use to support the network. When selecting the type of intermediate devices, there are a number of factors that need to be considered, as shown in Figure 11-2.

Do we order just enough ports for today’s needs, or do we consider growth requirements?

Do we require a mixture of UTP speeds?

Do we require both UTP and fiber ports?

Newer computers have built-in 1-Gbps NICs. 10-Gbps ports are already included with some workstations and servers. Although it is more expensive, choosing Layer 2 devices that can accommodate increased speeds makes it possible for the network to evolve without replacing central devices.

Do we order devices with upgradable modules?

What type of WAN interfaces, if any, are required on the router(s)?

Security

Quality of service (QoS)

Voice over IP (VoIP)

Layer 3 switching

Network address translation (NAT)

Dynamic Host Control Protocol (DHCP)

Routers can be expensive, depending on the interfaces and features needed. Additional modules, such as fiber optics, increase the cost of the network devices.

Examples of different types of devices that will factor into the IP design are

End devices for users

Servers and peripherals

Hosts that are accessible from the Internet

Intermediary devices

Planning and documenting the IP addressing scheme helps the administrator to track device types. For example, if all servers are assigned a host address in the range 50 to 100, it is easy to identify server traffic by IP address. This can be very useful when troubleshooting network traffic issues using a protocol analyzer.

Additionally, administrators are better able to control access to resources on the network based on IP address when a deterministic IP addressing scheme is used. This can be especially important for hosts that provide resources both to the internal network and to the external network. Web servers or e-commerce servers play such a role. If the addresses for these resources are not planned and documented, the security and accessibility of the devices are not easily controlled. If a server has a random address assigned, blocking access to this address is difficult and clients may not be able to locate this resource.

Each of these different device types should be allocated to a logical block of addresses within the address range of the network.

Click the buttons in Activity 11.1.1.3 to see the method for assignment.

The smaller the network, the less the chance that redundancy of equipment will be affordable. Therefore, a common way to introduce redundancy is through the use of redundant switch connections between multiple switches on the network and between switches and routers.

Also, servers often have multiple NIC ports that enable redundant connections to one or more switches. In a small network, servers typically are deployed as web servers, file servers, or email servers.

Small networks typically provide a single exit point toward the Internet via one or more default gateways. With one router in the topology, the only redundancy in terms of Layer 3 paths is enabled by utilizing more than one inside Ethernet interface on the router. However, if the router fails, the entire network loses connectivity to the Internet. For this reason, it may be advisable for a small business to pay for a least-cost option account with a second service provider for backup.

Step 1. Secure file and mail servers in a centralized location.

Step 2. Protect the location from unauthorized access by implementing physical and logical security measures.

Step 3. Create redundancy in the server farm that ensures if one device fails, files are not lost.

Step 4. Configure redundant paths to the servers.

In addition, modern networks often use some form of voice or video over IP for communication with customers and business partners. This type of converged network is implemented as an integrated solution or as an additional form of raw data overlaid onto the IP network. The network administrator should consider the various types of traffic and their treatment in the network design. The router(s) and switch(es) in a small network should be configured to support real-time traffic, such as voice and video, in a distinct manner relative to other data traffic. In fact, a good network design will classify traffic carefully according to priority, as shown in Figure 11-3. Traffic classes could be as specific as

File transfer

Email

Voice

Video

Messaging

Transactional

In the end, the goal for a good network design, even for a small network, is to enhance productivity of the employees and minimize network downtime.

Each application or network service uses protocols, which define the standards and data formats to be used. Without protocols, the data network would not have a common way to format and direct data. In order to understand the function of various network services, it is necessary to become familiar with the underlying protocols that govern their operation.

DNS

Telnet

IMAP, SMTP, POP (email)

DHCP

HTTP

FTP

Click the servers in the figure in Activity 11.1.2.2 for a brief description of the network services each provides.

These network protocols comprise the fundamental tool set of a network professional. Each of these network protocols defines

Processes on either end of a communication session

Types of messages

Syntax of the messages

Meaning of informational fields

How messages are sent and the expected response

Interaction with the next lower layer

Many companies have established a policy of using secure versions of HTTP, FTP, and Telnet protocols whenever possible. These protocols are HTTPS, SFTP, and SSH.

Network documentation: Physical and logical topology

Device inventory: List of devices that use or comprise the network

Budget: Itemized IT budget, including fiscal year equipment purchasing budget

Traffic analysis: Documentation of protocols, applications, and services and their respective traffic requirements

These elements are used to inform the decision making that accompanies the scaling of a small network.

As shown in Figure 11-6, protocol analyzers enable a network professional to quickly compile statistical information about traffic flows on a network.

When trying to determine how to manage network traffic, especially as the network grows, it is important to understand the type of traffic that is crossing the network as well as the current traffic flow. If the types of traffic are unknown, the protocol analyzer will help identify the traffic and its source.

To determine traffic flow patterns, it is important to do the following:

Capture traffic during peak utilization times to get a good representation of the different traffic types.

Perform the capture on different network segments because some traffic will be local to a particular segment.

Information gathered by the protocol analyzer is analyzed based on the source and destination of the traffic as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently. This can be done by reducing unnecessary traffic flows or changing flow patterns altogether by moving a server, for example.

Sometimes, simply relocating a server or service to another network segment improves network performance and accommodates the growing traffic needs. At other times, optimizing the network performance requires major network redesign and intervention.

These snapshots typically include information such as

OS and OS version

Non-network applications

Network applications

CPU utilization

Drive utilization

RAM utilization

Documenting snapshots for employees in a small network over a period of time will go a long way toward informing the network administrator of evolving protocol requirements and associated traffic flows. For example, it may be that some employees are using offsite resources such as social media in order to better position a company with respect to marketing. When they began working for the company, these employees may have focused less on Internet-based advertising. This shift in resource utilization may require the network administrator to shift network resource allocations accordingly.

It is the responsibility of the network administrator to track network utilization and traffic flow requirements, and implement network modifications in order to optimize employee productivity as the network and business grow.

Intruders can gain access to a network through software vulnerabilities, through hardware attacks, or by guessing someone’s username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are often called hackers.

After the hacker gains access to the network, four types of threats may arise:

Information theft: Breaking into a computer to obtain confidential information

Identity theft: A form of information theft where personal information is stolen for the purpose of taking over someone’s identity

Data loss/manipulation: Breaking into a computer to destroy or alter data records

Disruption of service: Preventing legitimate users from accessing services to which they should be entitled.

Click the images in Activity 11.2.1.1 to see more information.

Even in small networks, it is necessary to consider security threats and vulnerabilities when planning a network implementation.

The four classes of physical threats are

Hardware threats: Physical damage to servers, routers, switches, cabling plant, and workstations

Environmental threats: Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)

Electrical threats: Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss

Maintenance threats: Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Some of these issues must be dealt with in an organizational policy. Some of them are subject to good leadership and management in the organization.

Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.

Threats include the people interested and qualified in taking advantage of each security weakness. Such individuals can be expected to continually search for new exploits and weaknesses.

Threats are realized by a variety of tools, scripts, and programs to launch attacks against networks and network devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.

There are three primary vulnerabilities or weaknesses:

Technology, as shown in Figure 11-8

Configuration, as shown in Figure 11-9

Security policy, as shown in Figure 11-10

All three of these vulnerabilities or weaknesses can lead to various attacks, including malicious code attacks and network attacks.

A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation. An example is a program that is attached to command.com (the primary interpreter for Windows systems) and deletes certain files and infects any other versions of command.com that it can find.

A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user’s address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.

Viruses normally require a delivery mechanism, a vector, such as a zip file or some other executable file attached to an email, to carry the virus code from one system to another. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.

Worms are self-contained programs that attack a system and try to exploit a specific vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again. The anatomy of a worm attack is as follows:

The enabling vulnerability: A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in emails.

Propagation mechanism: After gaining access to a host, a worm copies itself to that host and then selects new targets.

Payload: After a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

Reconnaissance attacks: The unauthorized discovery and mapping of systems, services, or vulnerabilities

Access attacks: The unauthorized manipulation of data, system access, or user privileges

Denial of service (DoS) attacks: The disabling or corruption of networks, systems, or services

DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources.

Keeping up to date with the latest developments in these sorts of attacks can also lead to a more effective defense against these attacks. As new virus or Trojan applications are released, enterprises need to keep current with the latest versions of antivirus software as well.

Worm attack mitigation requires diligence on the part of system and network administration staff. The following are the recommended steps for worm attack mitigation:

Containment: Contain the spread of the worm within the network. Compartmentalize uninfected parts of the network.

Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.

Quarantine: Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.

Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network. Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems. However, security requirements change, so already-deployed systems may need to have updated security patches installed.

One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time, as shown in Figure 11-11. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

In a small network, local authentication is often used. With local authentication, each device maintains its own database of username/password combinations. However, when there are more than a few user accounts in a local device database, managing those user accounts becomes complex. Additionally, as the network grows and more devices are added to the network, local authentication becomes difficult to maintain and does not scale. For example, if there are 100 network devices, all user accounts must be added to all 100 devices.

For larger networks, a more scalable solution is external authentication. External authentication allows all users to be authenticated through an external network server. The two most popular options for external authentication of users are RADIUS and TACACS+:

RADIUS is an open standard with low use of CPU resources and memory. It is used by a range of network devices, such as switches, routers, and wireless devices.

TACACS+ is a security mechanism that enables modular AAA services. It uses a TACACS+ daemon running on a security server.

The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, identifies how much that user can spend, and keeps account of what items the user spent money on, as shown in Figure 11-12.

A firewall is one of the most effective security tools available for protecting internal network users from external threats. A firewall resides between two or more networks and controls the traffic between them. It also helps to prevent unauthorized access. Firewall products use various techniques for determining what is permitted or denied access to a network. These techniques are

Packet filtering: Prevents or allows access based on IP or MAC addresses.

Application filtering: Prevents or allows access by specific application types based on port numbers.

URL filtering: Prevents or allows access to websites based on specific URLs or keywords.

Stateful packet inspection (SPI): Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks such as DoS attacks.

Firewall products may support one or more of these filtering capabilities. Additionally, firewalls often perform network address translation (NAT). NAT translates an internal IP address or group of IP addresses into an outside, public IP address that is sent across the network. This allows internal IP addresses to be concealed from outside users.

Firewall products come packaged in various forms, as shown in Figure 11-13 and described here:

Appliance-based firewalls: An appliance-based firewall is a firewall that is built-in to a dedicated hardware device known as a security appliance.

Server-based firewalls: A server-based firewall consists of a firewall application that runs on a network operating system (NOS) such as Linux or Windows.

Integrated firewalls: An integrated firewall is implemented by adding firewall functionality to an existing device, such as a router.

Personal firewalls: Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default from the OS or may come from an outside vendor.

Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature. A company must have well-documented policies in place, and employees must be aware of and follow those policies. Employees need to be trained on proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.

Endpoint security also requires securing Layer 2 devices in the network infrastructure to prevent against Layer 2 attacks such as MAC address spoofing, MAC address table overflow attacks, and LAN storm attacks. This is known as attack mitigation.

When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist securing the system. Figure 11-15 shows a typical network with devices that need to be secured. There are some simple steps that should be taken that apply to most operating systems:

Change default usernames and passwords immediately.

Restrict access to system resources to only the individuals that are authorized to use those resources.

Turn off and uninstall, when possible, any unnecessary services and applications.

All devices should be updated with security patches as they become available. Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important, prior to implementation, to update any software and install any security patches.

Use a password length of at least 8 characters, preferably 10 or more characters. A longer password is a better password.

Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.

Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information (such as birthdates, ID numbers, and ancestor names), or other easily identifiable pieces of information.

Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.

Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.

Do not write passwords down and leave them in obvious places such as on the desk or monitor.

Tables 11-1 and 11-2 provide examples of weak and strong passwords, respectively.

On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not ignored. Therefore, one method to create a strong password is to use a space in the password and create a phrase made of many words. This is called a pass phrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess.

Administrators should ensure that strong passwords are used across the network. One way to accomplish this is to use the same “brute force” attack tools that attackers use as a way to verify password strength.

Additionally, to ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length command in global configuration mode.

Another way hackers learn passwords is simply by brute-force attacks, trying multiple passwords until one works. It is possible to prevent this type of attack by blocking login attempts to the device if a set number of failures occurs within a specific amount of time. The following command will block login attempts for 120 seconds if three failed login attempts occur within 60 seconds:

Click here to view code image

Router(config)# login block-for 120 attempts 3 within 60

Click here to view code image

Router(config)# banner motd #message#

Click here to view code image

Router(config)# line vty 0 4
Router(config-vty)# exec-timeout 10

Step 1. Ensure that the router has a unique hostname, and then configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.

Step 2. Generate one-way secret keys for a router to encrypt SSH traffic. The key is what is actually used to encrypt and decrypt data. To create an encryption key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode, as shown next. The specific meaning of the various parts of this command are complex and out of scope for this course, but for now, just note that the modulus determines the size of the key and can be configured from 360 bits to 2,048 bits. The larger the modulus, the more secure the key, but the longer it takes to encrypt and decrypt information. The minimum recommended modulus length is 1,024 bits.

Click here to view code image

Router(config)# crypto key generate rsa general-keys modulus 1024

Step 3. Create a local database username entry using the username name secret secret global configuration command.

Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.

The router SSH service can now be accessed using SSH client software.

The ping command will not always pinpoint the nature of a problem, but it can help to identify the source of the problem, an important first step in troubleshooting a network failure.

The ping command provides a method for checking the protocol stack and IPv4 address configuration on a host as well as testing connectivity to local or remote destination hosts, as shown in Figure 11-18. There are additional tools that can provide more information than ping, such as telnet or trace, which will be discussed in more detail later.

! (exclamation mark) indicates receipt of an ICMP Echo Reply message. This indicates that the ping completed successfully and verifies Layer 3 connectivity.

. (period) indicates a time expired while waiting for an ICMP Echo Reply message. This may indicate problems in the communication or that a connectivity problem occurred somewhere along the path. It may also indicate that a router along the path did not have a route to the destination and did not send an ICMP Destination Unreachable message. It also may indicate that ping was blocked by device security.

U indicates an ICMP Destination Unreachable message was received. This indicates that a router along the path did not have a route to the destination address or that the ping request was blocked and responded with an ICMP Destination Unreachable message.

You enter ping commands at a command line. Enter the ping loopback command with this syntax:

C:> ping 127.0.0.1

The reply from this command would look something like this:

Click here to view code image

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

The result indicates that four 32-byte test packets were sent and were returned from host 127.0.0.1 in a time of less than 1 ms. TTL stands for Time-to-Live and defines the number of hops that the ping packet has remaining before it will be dropped.

Click here to view code image

R2# ping
Protocol [ip]:
Target IP address: 192.168.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/97/132 ms

Entering a longer timeout period than the default allows for possible latency issues to be detected. If the ping test is successful with a longer value, a connection exists between the hosts, but latency may be an issue on the network.

Note that entering “y” to the “Extended commands” prompt provides more options that are useful in troubleshooting.

The output derived from network commands can contribute data to the network baseline.

One method for starting a baseline is to copy and paste the results from an executed ping, trace, or other relevant command into a text file. These text files can be time stamped with the date and saved into an archive for later retrieval.

An effective use of the stored information is to compare the results over time (see Figure 11-22). Among items to consider are error messages and the response times from host to host. If there is a considerable increase in response times, there may be a latency issue to address.

The importance of creating documentation cannot be emphasized enough. Verification of host-to-host connectivity, latency issues, and resolutions of identified problems can assist a network administrator in keeping a network running as efficiently as possible.

Corporate networks should have extensive baselines...more extensive than we can describe in this course. Professional-grade software tools are available for storing and maintaining baseline information. In this course, we only cover some basic techniques and discuss the purpose of baselines.

You can find best practices for baseline processes here: http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014fb3b.shtml.

Capturing ping command output can also be completed from the IOS prompt, as shown in Figure 11-23.

Like ping commands, trace commands are entered in the command line and take an IP address as the argument.

Assuming that the command will be issued from a Windows computer, we use the tracert form:

Click here to view code image

C:> tracert 10.1.0.2
Tracing route to 10.1.0.2 over a maximum of 30 hops
1 2 ms 2 ms 2 ms 10.0.0.254
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C

The only successful response was from the gateway on Router A. Trace requests to the next hop timed out, meaning that the next hop router did not respond. The trace results indicate that the failure is therefore in the internetwork beyond the LAN.

Capturing the traceroute output can also be done from the router prompt, as shown in Figure 11-25.

Network technicians use show commands extensively for viewing configuration files, checking the status of device interfaces and processes, and verifying the device operational status.

The status of nearly every process or function of the router can be displayed using a show command. The following are some of the more popular show commands:

show running-config (see Figure 11-26)

show interfaces (see Figure 11-27)

show arp (see Figure 11-28)

show ip route (see Figure 11-29)

show protocols (see Figure 11-30)

show version (see Figure 11-31)

The Cisco IOS Software version being used.

The version of the system bootstrap software, stored in ROM memory, that was initially used to boot the router.

The complete filename of the Cisco IOS image and where the bootstrap program located it.

Type of CPU on the router and amount of RAM. It may be necessary to upgrade the amount of RAM when upgrading the Cisco IOS Software.

The number and type of physical interfaces on the router.

The amount of NVRAM. NVRAM is used to store the startup-config file.

The amount of flash memory on the router. It may be necessary to upgrade the amount of flash when upgrading the Cisco IOS Software.

The currently configured value of the software configuration register in hexadecimal.

The configuration register tells the router how to boot up. For example, the factory default setting for the configuration register is 0x2102. This value indicates that the router attempts to load a Cisco IOS Software image from flash and loads the startup configuration file from NVRAM. It is possible to change the configuration register and, therefore, change where the router looks for the Cisco IOS image and the startup configuration file during the bootup process. If there is a second value in parentheses, it denotes the configuration register value to be used during the next reload of the router.

Click the Note icon at the bottom-right corner of the video 11.3.3.2 to obtain more information about the configuration register.

Software version: IOS software version

Bootstrap version: Bootstrap version

System up-time: Time since last reboot

System restart info: Method of restart (e.g., power cycle, crash)

Software image name: IOS filename

Switch platform and processor type: Model number and processor type

Memory type (shared/main): Main processor RAM and shared packet I/O buffering

Hardware interfaces: Interfaces available on the switch

Configuration register: Sets bootup specifications, console speed setting, and related parameters

A tool to examine the MAC address of our computer is ipconfig /all. Note that in Figure 11-33, the MAC address of the computer is now displayed along with a number of details regarding the Layer 3 addressing of the device.

In addition, the manufacturer of the network interface in the computer can be identified through the OUI portion of the MAC address. This can be researched on the Internet.

The DNS Client service on Windows PCs optimizes the performance of DNS name resolution by storing previously resolved names in memory. The ipconfig /displaydns command displays all of the cached DNS entries on a Windows computer system.

To execute an arp command, at the command prompt of a host, enter

C:host1> arp -a

As shown in Figure 11-34, the arp –a command lists all devices currently in the ARP cache of the host, which includes the IPv4 address, physical address, and the type of addressing (static/dynamic), for each device.

The cache can be cleared by using the arp –d command in the event the network administrator wants to repopulate the cache with updated information.

CDP is a Cisco-proprietary protocol that runs at the data link layer (Layer 2). Because CDP operates at the data link layer, two or more Cisco network devices, such as routers that support different network layer protocols, can learn about each other even if Layer 3 connectivity does not exist.

When a Cisco device boots up, CDP starts up by default. CDP automatically discovers neighboring Cisco devices running CDP, regardless of which Layer 3 protocol or suites are running. CDP exchanges hardware and software device information with its directly connected CDP neighbors.

CDP provides the following information about each CDP neighbor device:

Device identifiers: For example, the configured hostname of a switch

Address list: Up to one network layer address for each protocol supported

Port identifier: The name of the local and remote port, in the form of an ASCII character string such as ethernet0

Capabilities list: For example, whether this device is a router or a switch

Platform: The hardware platform of the device; for example, a Cisco 1841 series router

The show cdp neighbors detail command reveals the IP address of a neighboring device. CDP will reveal the neighbor’s IP address regardless of whether or not you can ping the neighbor. This command is very helpful when two Cisco routers cannot route across their shared data link. The show cdp neighbors detail command will help determine if one of the CDP neighbors has an IP configuration error.

For network discovery situations, knowing the IP address of the CDP neighbor is often all the information needed to telnet into that device. For obvious reasons, CDP can be a security risk. Because some IOS versions send out CDP advertisements by default, it is important to know how to disable CDP. To disable CDP globally, use the global configuration command no cdp run. To disable CDP on an interface, use the interface command no cdp enable.

Figure 11-37 shows the topology that is being used in this example.

In Activity 11.3.4.4 Part 2, click the R1 button. The show ip interface brief output displays all interfaces on the router, the IP address assigned to each interface, if any, and the operational status of the interface.

According to the output, the Fast Ethernet 0/0 interface has an IP address of 192.168.254.254. The last two columns in this line show the Layer 1 and Layer 2 status of this interface. The up in the Status column shows that this interface is operational at Layer 1. The up in the Protocol column indicates that the Layer 2 protocol is operational.

Also notice that the Serial 0/0/1 interface has not been enabled. This is indicated by administratively down in the Status column.

As with any end device, we can verify Layer 3 connectivity with the ping and traceroute commands. In this example, both the ping and traceroute commands show successful connectivity.

The output also shows that the FastEthernet0/1 interface is down. This indicates either that no device is connected to the interface or that the device that is connected to this interface has a network interface that is not operational.

In contrast, the output shows that the FastEthernet0/2 and FastEthernet0/3 interfaces are operational. This is indicated by both the Status and Protocol being shown as up.

You can also test the Layer 3 connectivity of the switch with the show ip interface brief and traceroute commands. In this example, both the ping and trace commands show successful connectivity.

It is important to keep in mind that an IP address is not required for a switch to perform its job of frame forwarding at Layer 2. An IP address is only necessary if the switch will be managed over the network using Telnet or SSH. If the network administrator plans to remotely connect to the switch from a location outside of the local LAN, then a default gateway must also be configured.

The Cisco IOS File System (IFS) provides a single interface to all the file systems a router uses, including

Flash memory file systems

Network file systems (TFTP and FTP)

Any other endpoint for reading or writing data such as NVRAM, the running configuration, ROM, and others

With Cisco IFS, all files can be viewed and classified (image, text file, and so forth), including files on remote servers. For example, it is possible to view a configuration file on a remote server to verify that it is the correct configuration file before loading the file on the router.

Cisco IFS allows the administrator to move around to different directories, list the files in a directory, and create subdirectories in flash memory or on a disk. The directories available depend on the device.

The Figure 11-38 displays the output of the show file systems command, which lists all of the available file systems on a Cisco 1941 router, in this example. This command provides useful information such as the amount of available and free memory, the type of file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw), shown in the Flags column of the command output.

Although there are several file systems listed in Figure 11-38, of interest to us are the flash and NVRAM file systems.

Notice that the flash file system also has an asterisk preceding it. This indicates that flash is the current default file system. The bootable IOS is located in flash; therefore, the pound symbol (#) is appended to the flash listing, indicating that it is a bootable disk.

The command to view the file systems on a Catalyst switch is the same as the command to view the file systems on a Cisco router: show file systems (as shown in Figure 11-41).

Many basic UNIX commands are supported on Cisco switches and routers: cd for changing to a file system or directory, dir to display directories on a file system, and pwd to display the working directory.

As shown in Figure 11-42, the steps are as follows:

Step 1. On the File menu, click Log.

Step 2. Choose the location to save the file. Tera Term will begin capturing text.

Step 3. After capture has been started, execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the terminal window will be directed into the chosen file.

Step 4. When the capture is complete, select Close in the Tera Term: Log window.

Step 5. View the file to verify that it was not corrupted.

Further, at the CLI, the device must be set at the global configuration mode to receive the commands from the text file being pasted into the terminal window.

When using Tera Term, the steps are as follows:

Step 1. On the File menu, click Send file.

Step 2. Locate the file to be copied into the device and click Open.

Step 3. Tera Term will paste the file into the device.

The text in the file will be applied as commands in the CLI and become the running configuration on the device. This is a convenient method for manually configuring a router.

To save the running configuration or the startup configuration to a TFTP server, use either the copy running-config tftp command, as shown in Figure 11-43, or the copy startup-config tftp command. Follow these steps to back up the running configuration to a TFTP server:

Step 1. Enter the copy running-config tftp command.

Step 2. Enter the IP address of the host where the configuration file will be stored.

Step 3. Enter the name to assign to the configuration file, or press the Enter key to continue.

Step 4. Press Enter to confirm each choice.

Step 1. Enter the copy tftp running-config command.

Step 2. Enter the IP address of the host where the configuration file is stored.

Step 3. Enter the name to assign to the configuration file.

Step 4. Press Enter to confirm each choice.

Cisco USB flash modules are available in 64 MB, 128 MB, and 256 MB versions.

To be compatible with a Cisco router, a USB flash drive must be formatted in a FAT16 format. If that is not the case, the show file systems command will display an error indicating an incompatible file system.

Here is an example of the use of the dir command on a USB file system:

Click here to view code image

Router# dir usbflash0:
Directory of usbflash0:/
1 -rw- 30125020 Dec 22 2032 05:31:32 +00:00 c3825-entservicesk9-mz.123-14.T
63158272 bytes total (33033216 bytes free)

Ideally, USB flash can hold multiple copies of the Cisco IOS and multiple router configurations. The USB flash allows an administrator to easily move and copy those IOS files and configurations from router to router, and many times, the copying process can take place several times faster than it would over a LAN or WAN feature enables certain models of Cisco routers to support USB flash drives. Note that the IOS may not recognize the proper size of the USB flash, but that does not necessarily mean that the flash is unsupported. Additionally, the USB ports on a router are usually USB 2.0, as shown in Figure 11-44.

Next, use the copy running-config usbflash0:/ command to copy the configuration file to the USB flash drive. Be sure to use the name of the flash drive, as indicated in the file system. The slash is optional but indicates the root directory of the USB flash drive.

The IOS will prompt for the filename. If the file already exists on the USB flash drive, the router will prompt for overwrite, as shown in Figure 11-46.

Use the dir command to see the file on the USB drive, and use the more command to see the contents, as shown in Figure 11-47.

Click here to view code image

R1# copy usbflash0:/R1-Config running-config
Destination filename [running-config]?

In order to meet user requirements, even small networks require planning and design. Planning ensures that all requirements, cost factors, and deployment options are given due consideration. An important part of network design is to ensure reliability, scalability, and availability.

Supporting and growing a small network requires being familiar with the protocols and network applications running over the network. Protocol analyzers enable a network professional to quickly compile statistical information about traffic flows on a network. Information gathered by the protocol analyzer is analyzed based on the source and destination of the traffic as well as the type of traffic being sent. This analysis can be used by a network technician to make decisions on how to manage the traffic more efficiently. Common network protocols include DNS, Telnet, SMTP, POP, DHCP, HTTP, and FTP.

It is a necessity to consider security threats and vulnerabilities when planning a network implementation. All network devices must be secured. This includes routers, switches, end-user devices, and even security devices. Networks need to be protected from malicious software, such as viruses, Trojan horses, and worms. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.

Networks must also be protected from network attacks. Network attacks can be classified into three major categories: reconnaissance, access attacks, and denial of service. There are several ways to protect a network from network attacks:

Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), to control what they can do while they are there (authorize), and watch the actions they perform while accessing the network (accounting).

A firewall is one of the most effective security tools available for protecting internal network users from external threats. A firewall resides between two or more networks and controls the traffic between them. It also helps to prevent unauthorized access.

To protect network devices, it is important to use strong passwords. Also, when accessing network devices remotely, it is highly recommended to enable SSH instead of the unsecured Telnet.

After the network has been implemented, a network administrator must be able to monitor and maintain network connectivity. There are several commands available toward this end. For testing network connectivity to local and remote destinations, commands such as ping, telnet, and traceroute are commonly used.

On Cisco IOS devices, the show version command can be used to verify and troubleshoot some of the basic hardware and software components used during the bootup process. To view information for all network interfaces on a router, the show ip interface command is used. The show ip interface brief command can also be used to view a more abbreviated output than is provided by the show ip interface command. CDP is a Cisco-proprietary protocol that runs at the data link layer. Because CDP operates at the data link layer, two or more Cisco network devices, such as routers that support different network layer protocols, can learn about each other even if Layer 3 connectivity does not exist.

Configuration files such as startup-config and running-config should be archived. These files can be saved to a text file or stored on a TFTP server. Some models of routers also have a USB port, in which case a file can be backed up to a USB drive. If needed, these files can be copied to the router and/or switch from the TFTP server or USB drive.

Class Activity 11.5.1.1: Design and Build a Small Business Network

Lab 11.2.4.5: Accessing Network Devices with SSH

Lab 11.2.4.6: Securing Network Devices

Lab 11.3.2.3: Testing Network Latency with Ping and Traceroute

Lab 11.3.4.6: Using the CLI to Gather Network Device Information

Lab 11.4.2.6: Managing Router Configuration Files with Tera Term

Lab 11.4.2.7: Managing Device Configuration Files Using TFTP, Flash, and USB

Lab 11.4.2.8: Researching Password Recovery Procedures

Packet Tracer Activity 11.3.3.4: Using show Commands

Packet Tracer Activity 11.4.2.5: Backing Up Configuration Files

Packet Tracer Activity 11.5.1.2: Skills Integration Challenge

1. A small accounting firm consists of 20 workstations and 3 servers. The company is assigned a network of 209.165.200.224/27. What is a Cisco-recommended approach for managing the IP addressing scheme for the network?

A. Assign static IP addresses for workstations and servers in a sequence of installation steps

B. Divide the network into two subnets, one for workstations and the other for servers

C. Add a DHCP server and assign dynamic IP addresses for workstations and servers via the DHCP server

D. Assign static IP addresses for servers in the upper block of the address pool and allow dynamic IP addresses for workstations

2. A small advertising company has a web server that provides critical business service. The company connects to the Internet through a leased line service to an ISP. Which approach best provides cost-effective redundancy for the Internet connection?

A. Add a second NIC to the web server

B. Add another web server to prepare failover support

C. Add another connection to the Internet via a DSL line to another ISP

D. Add multiple connections between the switches and the edge router

3. What are two examples of maintenance threats to a network? (Choose two.)

A. Poor labeling

B. Unconditioned power

C. Temperature extremes

D. Physical damage to routers

E. Lack of critical spare parts

4. Which statement is an example of a network security threat?

A. A router is configured with a weak password.

B. Telnet is used for all remote management of network devices.

C. A switch is running an old version of IOS with known security bugs.

D. A disgruntled employee has the administrator password to all of the network devices.

E. The company security policy does not specify how many characters must be in a password.

5. Which malicious code attack is self-contained and tries to exploit a specific vulnerability in a system being attacked?

A. Virus

B. Worm

C. Trojan horse

D. Social engineering

6. Which AAA component assigns varying levels of rights to users of network resources?

A. Auditing

B. Accounting

C. Authorization

D. Access control

E. Authentication

F. Acknowledgement

7. When configuring a switch for SSH access, what other command that is associated with the login local command is required to be entered on the switch?

A. enable secret password

B. password password

C. username username secret secret

D. login block-for seconds attempts number within seconds

8. A user complains that the workstation cannot access the network. The network technician asks the user to issue the ping 127.0.0.1 command. What is the purpose of using this command?

A. To test the reachability of a remote network

B. To verify that the NIC is configured with a static address

C. To verify that the TCP/IP stack is operational

D. To check that the workstation can reach a DHCP server

9. What conclusion can be drawn from the results of the following command issued by a user on the workstation?

Click here to view code image

C:Usersuser10> tracert www.cisco.com

Tracing route to e144.dscb.akamaiedge.net [184.50.224.170]
over a maximum of 30 hops:

 1   15 ms    2 ms    3 ms   192.168.10.254
 2    *       *       *     Request timed out.
 3   11 ms   12 ms   13 ms   173-219-253-70-link.sta.suddenlink.net [173.219.253.70]
 4   13 ms   15 ms   21 ms   173-219-253-224-link.sta.suddenlink.net [173.219.253.224]
 5   20 ms   19 ms   19 ms   173-219-253-234-link.sta.suddenlink.net [173.219.253.234]
 6   29 ms   22 ms   21 ms   xe-4-2-0.edge1.Washington1.Level3.net [4.79.20.57]
 7   21 ms   22 ms   21 ms   ae-4-90.edge2.Washington4.Level3.net [4.69.149.208]
 8   31 ms   21 ms   22 ms   xe-0-4-0-2.r04.asbnva02.us.bb.gin.ntt.net [129.250.9.153]
 9   41 ms   38 ms   38 ms   ae-7.r20.asbnva02.us.bb.gin.ntt.net [129.250.3.16]
10   98 ms   58 ms   60 ms   ae-3.r20.dllstx09.us.bb.gin.ntt.net [129.250.3.51]
11   61 ms   58 ms   65 ms   ae-2.r07.dllstx09.us.bb.gin.ntt.net [129.250.3.67]
12   65 ms   58 ms   66 ms   a184-50-224-170.deploy.akamaitechnologies.com
[184.50.224.170]

Trace complete.

A. One of the routers in the path is not operational.

B. A ping to the website takes about 63 milliseconds.

C. The IP address of the workstation is 192.168.10.254.

D. There are 12 hops between the workstation and the website.

10. While downloading an IOS image from a TFTP server, an administrator sees long strings of exclamation marks (!) output to the console. What does this mean?

A. The transfer is working.

B. The TFTP server is not responding.

C. The IOS file is corrupt and is failing the checksum verification.

D. There is not enough space in flash to hold the image.