Web: http://networksims.com
Contact: support@networksims.com
NetworkSims.com
CCNA
Example
> enable
# config t
(config)# hostname mars
mars (config)# ip domain-n ?
WORD Default domain name
mars (config)# ip domain-name fred.co
mars (config)# int e0
mars (config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  arp                     Set arp type (arpa, probe, snap) or timeout
  backup                  Modify backup parameters
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propogated by bgp community string
  bridge-group            Transparent bridging interface parameters
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  clns                    CLNS interface subcommands
  cmns                    OSI CMNS
  crypto                  Encryption/Decryption commands
  custom-queue-list       Assign a custom queue list to an interface
  dampening               Enable event dampening
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  diffserv                diffserv (Provisioning)
  dot1q                   dot1q interface configuration commands
  dot1x                   Interface Config Commands for 802.1x
  duplex                  Configure duplex operation.
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  flow-sampler            Attach flow sampler to the interface
  full-duplex             Configure full-duplex operational mode
  glbp                    Gateway Load Balancing Protocol interface commands
  half-duplex             Configure half-duplex and related commands
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  ip                      Interface Internet Protocol config commands
  isis                    IS-IS commands
  iso-igrp                ISO-IGRP interface subcommands
  keepalive               Enable keepalive
  llc2                    LLC2 Interface Subcommands
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mls                     mls interface commands
  mop                     DEC MOP server commands
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  netbios                 Use a defined NETBIOS access list or enable name-caching
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  pagp                    PAgP interface subcommands
  pppoe                   pppoe interface subcommands
  pppoe-client            pppoe client
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  rate-limit              Rate Limit
  roles                   Specify roles (by entering roles mode)
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snapshot                Configure snapshot support on the interface
  snmp                    Modify SNMP interface parameters
  speed                   Configure speed operation.
  standby                 HSRP interface configuration commands
  tarp                    TARP interface subcommands
  timeout                 Define timeout values for this interface
  traffic-shape           Enable Traffic Shaping on an Interface or Sub-Interface
  transmit-interface      Assign a transmit interface to a receive-only interface
  trunk-group             Configure interface to be in a trunk group
  tx-ring-limit           Configure PA level transmit ring limit
  vlan-id                 Process VLAN-encapsulated packets with a specific VLAN ID
  vlan-range              Process VLAN-encapsulated packets with a range of VLAN IDs
  vrrp                    VRRP Interface configuration commands
mars (config-if)# ip address 36.109.222.1 255.255.255.128
mars (config-if)# no shutdown
mars (config-if)# description testing123
mars (config-if)# speed ?
  10   Force 10 Mbps operation
  100  Force 100 Mbps operation
Example
> enable
# config t
(config)# int s0
(config-if)# ?
Interface configuration commands:
  access-expression  Build a bridge boolean access expression
  appletalk          Appletalk interface subcommands
  arp                Set arp type (arpa, probe, snap) or timeout
  autodetect         Autodetect Encapsulations on Serial interface
  backup             Modify backup parameters
  bandwidth          Set bandwidth informational parameter
bridge-group
carrier-delay
cdp
clock
compress
custom-queue-list
dce-terminal-timing-enable
decnet
default
delay
description
dialer
dialer-group
down-when-looped
dxi
encapsulation
exit
fair-queue
full-duplex
half-duplex
help
hold-queue
idle-character
ignore
ignore-dcd
ignore-hw
invert
ip
ipx
keepalive
line-power
llc2
load-interval
logging
loopback
mac-address
max-reserved-bandwidth
mop
mtu
multilink-group
netbios
network-clock-priority
no
nrzi-encoding
ntp
physical-layer
ppp
priority-group
pulse-time
random-detect
rate-limit
serial
service-policy
shutdown
smds
smrp
snapshot
snmp
source
timeout
traffic-shape
Example
> enable
# config t
(config)# ip name-server 51.16.207.1
(config)# ena ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords
(config)# enable password default1
(config)# enable secret ankle
Router(config)# user bunty ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
(config)# username bunty password apple
(config)# exit
# sh running
Example
> enable
# config t
(config)# ip domain-name work.org
(config)# hostname wyoming
wyoming (config)# int e0
wyoming (config-if)# no shutdown
wyoming (config-if)# int s0
wyoming (config-if)# no shutdown
wyoming (config-if)# int s1
wyoming (config-if)# no shutdown
(config)# exit
# sh running
This challenge involves the configuration banners and the HTTP server.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# hostname Amsterdam
amsterdam (config)# banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP
amsterdam (config)# bann mo ?
  LINE  c banner-text c, where 'c' is a delimiting character
amsterdam (config)# banner motd my device
amsterdam (config)# banner login how are you
amsterdam (config)# banner exec main device
amsterdam (config)# ip http server
amsterdam (config)# ip http ?
  access-class        Restrict http server access by access-class
  authentication      Set http server authentication method
  client              Set http client parameters
  max-connections     Set maximum number of concurrent http server connections
  path                Set base path for HTML
  port                Set http server port
  secure-ciphersuite  Set http secure server ciphersuite
  secure-client-auth  Set http secure server with client authentication
  secure-port         Set http secure server port number for listening
  secure-server       Enable HTTP secure server
  secure-trustpoint   Set http secure server certificate trustpoint
  server              Enable http server
  timeout-policy      Set http server time-out policy parameters
(config)# exit
# sh running
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# router ?
  bgp       Border Gateway Protocol (BGP)
  eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis      ISO IS-IS
  iso-igrp  IGRP for OSI networks
  mobile    Mobile routes
  odr       On Demand stub Routes
  ospf      Open Shortest Path First (OSPF)
  rip       Routing Information Protocol (RIP)
(config)# router rip
(config-router)# ?
Router configuration commands:
  address-family          Enter Address Family command mode
  auto-summary            Enable automatic network number summarization
  default                 Set a command to its defaults
  default-information     Control distribution of default information
  default-metric          Set metric of redistributed routes
  distance                Define an administrative distance
  distribute-list         Filter networks in routing updates
  exit                    Exit from routing protocol configuration mode
  flash-update-threshold  Specify flash update threshold in second
  help                    Description of the interactive help system
  input-queue             Specify input queue depth
  maximum-paths           Forward packets over multiple paths
  neighbor                Specify a neighbor router
  network                 Enable routing on an IP network
  no                      Negate a command or set its defaults
  offset-list             Add or subtract offset from RIP metrics
  output-delay            Interpacket delay for RIP updates
  passive-interface       Suppress routing updates on an interface
  redistribute            Redistribute information from another routing protocol
  timers                  Adjust routing timers
  traffic-share           How to compute traffic share over alternate paths
  validate-update-source  Perform sanity checks against source address of routing updates
  version                 Set routing protocol version
(config-router)# version 2
(config-router)# network 166.248.0.0
(config-router)# network 200.169.96.0
(config-router)# network 137.205.232.0
(config-router)# exit
(config)# cdp ?
  advertise-v2      CDP sends version-2 advertisements
  holdtime          Specify the holdtime (in sec) to be sent in packets
  log               Log messages generated by CDP
  run
  source-interface  Insert the interface's IP in all CDP packets
  timer             Specify the rate at which CDP packets are sent (in sec)
(config)# cdp run
(config)# int e0
(config)# int fa0/0
(config-if)# cdp ?
  enable  Enable CDP on interface
  log     Log messages generated by CDP
(config-if)# cdp enable
(config-if)# exit
(config)# ip subnet-zero
(config)# ip classless
(config)# exit
# sh running
Objectives
The objectives of this challenge are to:
Setup logging.
Define the clock.
Define HTTP settings.
Example
> enable
# config t
(config)# logging ?
Hostname or A.B.C.D
buffered
cns-events
console
count
exception
facility
history
host
monitor
on
origin-id
rate-limit
reload
server-arp
source-interface
trap
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
(config)# clock timezone AKDT
(config)# ip http ?
  access-class        Restrict http server access by access-class
  authentication      Set http server authentication method
  client              Set http client parameters
  max-connections     Set maximum number of concurrent http server connections
  path                Set base path for HTML
  port                Set http server port
  secure-ciphersuite  Set http secure server ciphersuite
  secure-client-auth  Set http secure server with client authentication
  secure-port         Set http secure server port number for listening
  secure-server       Enable HTTP secure server
  secure-trustpoint   Set http secure server certificate trustpoint
  server              Enable http server
  timeout-policy      Set http server time-out policy parameters
(config)# ip http server
(config)# ip http max-connections 7
(config)# ip http port 1024
(config)# exit
# sh running
Define CDP.
Example
> enable
# config t
(config)# ip default-gateway 139.35.119.5
(config)# cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run
  timer         Specify the rate at which CDP packets are sent (in sec)
Example
> enable
# config t
(config)# snmp-s ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  context           Create/Delete a context apart from default
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  location          Text for mib object sysLocation
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community annt RO
(config)# snmp-server contact steven
(config)# snmp-server location uk
(config)# snmp-server host 78.113.70.11
(config)# snmp-server enable traps
Example
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation ppp
(config-if)# ppp ?
  accm            Set initial Async Control Character Map
  acfc            Options for HDLC Address & Control Field Compression
  authentication  Set PPP link authentication method
  bridge          Enable PPP bridge translation
  chap            Set CHAP authentication parameters
  ipcp            Set IPCP negotiation options
  lcp             PPP LCP configuration
  link            Set miscellaneous link parameters
  max-bad-auth    Allow multiple authentication failures
  multilink       Make interface multilink capable
  pap             Set PAP authentication parameters
  pfc             Options for Protocol Field Compression
  quality         Set minimum Link Quality before link is down
  reliable-link   Use LAPB with PPP to provide a reliable link
  timeout         Set PPP timeout parameters
  use-tacacs      Use TACACS to verify PPP authentications
(config-if)# ppp authentication ?
  chap     Challenge Handshake Authentication Protocol (CHAP)
  ms-chap  Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  pap      Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
(config-if)# clock ?
  rate  Configure serial interface clock speed
(config-if)# clock rate ?
  Speed (bits per second)
  1200     2400     4800     9600     14400    19200    28800    32000
  38400    56000    57600    64000    72000    115200   125000   128000
  148000   192000   250000   256000   384000   500000   512000   768000
  800000   1000000  1300000  2000000  4000000  8000000
  <300-4000000>  Choose clockrate from list above
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# no fair-queue
(config-if)# end
# sh running
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int s1
(config-if)# ip address 46.187.202.5 254.0.0.0
(config-if)# no shutdown
(config-if)# description academics
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# clock rate 56000
(config-if)# carrier-delay 2
(config-if)# bandwidth 63
(config-if)# no fair-queue
(config-if)# end
# sh running
Example
> en
# config t
(config)# ip default-gateway 36.125.171.9
(config)# hostname montana
montana (config)# ip host tennessee 211.99.108.9
Example
> en
# config t
(config)# line con ?
<0-0> First Line number
(config)# line con 0
(config-line)# pas ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) line password
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# log ?
synchronous Synchronized message output
(config-line)# log synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10
(config-line)# exit
(config)# exit
# sh running
Example
# clock ?
set Set the time and date
# clock set 06:25
# config t
(config)# ip subnet-zero
(config)# ip classless
(config)# boot system ?
  WORD   TFTP filename or URL
  flash  Boot from flash memory
  mop    Boot from a Decnet MOP server
  rcp    Boot from a server via rcp
  tftp   Boot from a tftp server
(config)# boot system tftp c28.bin
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp pool ?
WORD Pool name
(config)# ip dhcp pool paris
(config-dhcp)# exit
(config)# aaa ?
  new-model  Enable NEW access control commands and functions.(Disables OLD commands.)
(config)# aaa new-model
Example
> en
# config t
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# int e0
(config-if)# ip access-group
(config-if)# ip access-group 2 in
Example
> en
# config t
(config)# access-list 2 permit host 130.152.162.10
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# int s0
(config-if)# ip access-group
(config-if)# ip access-group 2 in
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 105 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 105 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
(config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
(config)# access-list 105 permit tcp 100.120.83.0 255.255.255.0 71.252.23.0 255.255.255.0 eq ftp
(config)# access-list 105 deny tcp 35.208.170.0 255.255.255.0 184.124.8.0 255.255.255.0 eq ftp
Example
> en
# config t
(config)# ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
(config)# ip access-list standard ?
  <1-99>  Standard IP access-list number
  WORD    Access-list name
(config)# ip access-list standard leeds
(config-std-nacl)# deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config-std-nacl)# deny host 193.34.245.4
(config-std-nacl)# permit host 16.21.50.10
(config-std-nacl)# deny 18.223.156.0 0.15.255.255
(config-std-nacl)# permit 139.32.80.0 0.15.255.255
(config-std-nacl)# exit
(config)# int s0
(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)# ip access-group leeds in
(config-if)# exit
(config)# ip access-list extended tennessee
(config-ext-nacl)# deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config-ext-nacl)# deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet
(config-ext-nacl)# permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet
(config-ext-nacl)# deny tcp 54.83.187.0 255.255.255.0 101.167.107.0 255.255.255.0 eq telnet
(config-ext-nacl)# permit tcp 56.248.48.0 255.255.255.0 138.236.218.0 255.255.255.0 eq telnet
(config-ext-nacl)# exit
(config)# int s1
(config-if)# ip access-group tennessee in
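As an added example that is not part of the NetworkSims challenge, the following Python evaluates packets against the leeds and tennessee lists entered above, using IOS wildcard-mask matching (a 1 bit in the mask is ignored) and the implicit deny at the end of every list, so the effect of each entry can be checked before the list is bound with ip access-group. Because the second address of a network entry is a wildcard, the 255.255.255.0 masks in the tennessee list compare only the last octet of each address; the block also parses the same list with 0.0.0.255 for comparison.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21}        # the only port names this page uses
ANY = ("0.0.0.0", "255.255.255.255")          # 'any': every bit is don't-care
AddrSpec = Tuple[str, str]                    # (address, wildcard mask)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" for a standard list: matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from "eq"; None means any port


def _is_quad(token: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", token) is not None


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask is ignored, a 0 bit must match."""
    base, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def _parse_addr(tok: List[str]) -> AddrSpec:
    """Consume 'any', 'host A', 'A W' or (standard lists) a bare 'A' from tok."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (tok.pop(0), "0.0.0.0")
    if tok and _is_quad(tok[0]):
        return (first, tok.pop(0))
    return (first, "0.0.0.0")                 # bare address in a standard list = host


def parse_acl(text: str) -> List[Entry]:
    """Parse lines as typed at the (config-std-nacl) / (config-ext-nacl) prompts."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "exit"):
            continue                              # list header, comment, exit
        action = tok.pop(0)
        if tok[0] in ("host", "any") or _is_quad(tok[0]):   # standard entry: source only
            entries.append(Entry(action, "ip", _parse_addr(tok), ANY, None))
            continue
        proto = tok.pop(0)
        src, dst = _parse_addr(tok), _parse_addr(tok)
        dport = None
        if tok[:1] == ["eq"]:
            dport = PORT_NAMES.get(tok[1]) or int(tok[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None):
    """First matching entry wins: returns (action, index). No match falls through
    to the implicit deny at the end of every IOS ACL, returned as ('deny', None)."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src) and wildcard_match(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# The two lists exactly as entered in the challenge above.
LEEDS = parse_acl("""
ip access-list standard leeds
deny host 193.34.245.4
permit host 16.21.50.10
deny 18.223.156.0 0.15.255.255
permit 139.32.80.0 0.15.255.255
""")
TENNESSEE_TEXT = """
ip access-list extended tennessee
deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet
permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet
deny tcp 54.83.187.0 255.255.255.0 101.167.107.0 255.255.255.0 eq telnet
permit tcp 56.248.48.0 255.255.255.0 138.236.218.0 255.255.255.0 eq telnet
"""
TENNESSEE = parse_acl(TENNESSEE_TEXT)
# IOS reads 255.255.255.0 as a wildcard, so those two entries compare only the
# last octet of each address; this is the same list with the /24 wildcard 0.0.0.255.
TENNESSEE_WILDCARD = parse_acl(TENNESSEE_TEXT.replace("255.255.255.0", "0.0.0.255"))
```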
Example
> en
# config t
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
!
username fred password bert
username albert password ink
username martin password orange
!
no ip classless
no ip subnet-zero
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
ip host sun 192.168.1.1
ip host mars 10.0.0.1
ip host jupiter 172.10.1.1
cdp holdtime 120
cdp timer 60
!
end
(config)# no username fred password bert
(config)# no username albert password ant
(config)# no username martin password animal
(config)# no ip host sun
(config)# no ip host jupiter
(config)# no ip host mars
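Added example, not NetworkSims code: a small audit over a show running-config dump that flags the items this and the earlier challenges configure and later remove (the small-servers services, cleartext usernames, enable password, SNMP community, plain HTTP, lines without exec-timeout), together with the replacement command for each. The sample configuration is constructed from the dumps on this page; the type-7 string in it is a placeholder.

```python
import re
from typing import List, Tuple

# (rule id, severity, offending config line, suggested replacement command)
Finding = Tuple[str, str, str, str]


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split a config dump into (command, [indented sub-commands]) blocks;
    blank lines and '!' separators are dropped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text: str) -> List[Finding]:
    """Flag the legacy settings and plain-text credentials shown on this page."""
    blocks = parse_config(text)
    top = [cmd for cmd, _ in blocks]
    has_enable_secret = any(t.startswith("enable secret") for t in top)
    findings: List[Finding] = []
    for cmd, sub in blocks:
        if cmd in ("service tcp-small-servers", "service udp-small-servers"):
            # echo/chargen/discard listeners: reflection targets with no business use
            findings.append(("small-servers", "high", cmd, "no " + cmd))
        # type 0 (cleartext) and type 7 (reversible) user passwords; 'secret' stores a hash
        m = re.fullmatch(r"username (\S+) password (?:[07] )?\S+", cmd)
        if m:
            findings.append(("cleartext-username", "high", cmd,
                             f"username {m.group(1)} secret <new-password>"))
        if cmd.startswith("enable password") and not has_enable_secret:
            findings.append(("enable-password", "high", cmd, "enable secret <new-password>"))
        if cmd.startswith("snmp-server community "):
            # v1/v2c community strings travel in clear; an RW community can rewrite the config
            findings.append(("snmp-community", "medium", cmd,
                             "no " + cmd + "  (use snmp-server group/user for SNMPv3)"))
        if cmd == "ip http server" and "ip http secure-server" not in top:
            findings.append(("http-plain", "medium", cmd,
                             "no ip http server, then ip http secure-server"))
        if cmd.startswith("line ") and any(s.startswith("password") for s in sub) \
                and not any(s.startswith("exec-timeout") for s in sub):
            findings.append(("line-no-timeout", "low", cmd,
                             "exec-timeout <minutes> under " + cmd))
    return findings


# Constructed from the running-config dumps and earlier challenges on this page;
# the type-7 string is a made-up placeholder, not a real encoded password.
SAMPLE_CONFIG = """\
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
enable password default1
username fred password bert
username albert password ink
username martin password 7 0123456789ABCD
!
snmp-server community annt ro
snmp-server contact steven
ip http server
!
interface ethernet 0
 shutdown
!
line con 0
 password lothian
 exec-timeout 11
 login
line vty 0 4
 password mississippi
 login
!
end
"""

if __name__ == "__main__":
    for rule, severity, line, fix in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {rule}: {line!r} -> {fix}")
```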
Example
> en
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
no ip classless
no ip subnet-zero
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
router rip
network 192.168.1.0
network 10.0.0.0
network 172.10.10.0
!
cdp holdtime 120
cdp timer 60
!
!
end
# config t
(config)# router rip
(config-router)# no network 192.168.1.0
(config-router)# no network 10.0.0.0
(config-router)# no network 172.10.10.0
Example
> en
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
!
snmp-server community annt ro
snmp-server contact steven
snmp-server location uk
snmp-server host 78.113.70.11
snmp-server enable traps
snmp-server chassis-ID paris
!
!
!
no ip classless
no ip subnet-zero
!
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
!
!
!
!
!
cdp holdtime 120
cdp timer 60
!
!
end
# config t
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-ID paris
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int vlan 1
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway 148.183.229.6
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# line con 0
(config-line)# password texas
(config-line)# exit
(config)# ip http server
(config)# ip http port 1024
(config)# cdp run
(config)# ip name-server 14.154.109.7
Example
# config t
(config)# line vty 0 15
(config-line)# login
(config-line)# password manchester
(config-line)# exit
(config)# username june password default1
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server enable ?
  informs  Enable SNMP Informs
  traps    Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
Example
# config t
Enter configuration commands, one per line.
(config)# ip default-gateway 142.163.250.7
(config)# ip host ?
  WORD  Name of host
(config)# ip host brechin ?
  <0-65535>   Default telnet port number
  A.B.C.D     Host IP address
  additional  Append addresses
(config)# ip host brechin 209.250.181.10
(config)# ip host mississippi 208.194.196.5
(config)# ip host westvirginia 205.27.128.4
(config)# exit
# show hosts
Example
# config t
Enter configuration commands, one per line.
(config)# int fa0/1
(config-if)# no shutdown
(config-if)# description aironet 1200
(config-if)# speed 100
(config-if)# duplex full
> en
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config)# vlan 1
(config-vlan)# name test
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# name test2
(config-vlan)# exit
Example
> en
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config)# vlan 1
Switch(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp
  tb-vlan1
Setup VLAN 2.
Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access ?
vlan Set VLAN when interface is in access mode
(config-if)# switchport access vlan 2
(config-if)# int fa0/5
(config-if)# switchport access vlan 2
Example
> en
# config t
(config)# line con 0
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
Router Challenge 32
Outline
This challenge involves the configuration of Simple Network Time Protocol (SNTP).
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# sntp server 192.168.1.100
amsterdam (config)# sntp broadcast client
amsterdam (config)# exit
amsterdam # clock set 05:44
amsterdam # show sntp
SNTP server     Stratum   Version   Last Receive
192.168.1.100   16                  never
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int
An example is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca
show command | include word   this finds all lines with word
show command | begin word     this finds all lines which begin with word
show command | exclude word   this finds all lines without word
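The three output filters above, reimplemented in Python over captured text as an added example (not NetworkSims code), so their behaviour can be checked offline: IOS treats the word as a regular expression searched anywhere in the line, and begin prints everything from the first matching line to the end of the output. The sample output is constructed from the sh run dumps earlier on this page.

```python
import re
from typing import List


def pipe_filter(output: str, mode: str, pattern: str) -> List[str]:
    """Apply 'show ... | <mode> <pattern>' to captured output.
    The pattern is a regular expression searched anywhere in each line:
      include  keep only the lines matching the pattern
      exclude  drop the lines matching the pattern
      begin    keep everything from the first matching line to the end
    """
    rx = re.compile(pattern)
    lines = output.splitlines()
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    raise ValueError(f"unknown filter {mode!r}")


# Constructed sample modelled on the 'sh run' dumps earlier on this page.
SAMPLE_OUTPUT = """\
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
interface ethernet 0
 shutdown
!
interface serial 0
 shutdown
!
ip host sun 192.168.1.1
cdp timer 60
!
end
"""

if __name__ == "__main__":
    for mode, pattern in [("include", "udp"), ("include", "!"),
                          ("begin", "version"), ("exclude", "int")]:
        print(f"# show running | {mode} {pattern}")
        print("\n".join(pipe_filter(SAMPLE_OUTPUT, mode, pattern)), end="\n\n")
```

Note that exclude int also drops every interface line, because the match is a substring regex rather than a whole-word match.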
Advanced Routing
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout
(config)# ip dhcp ping timeout 350
Objectives
The objectives of this challenge are to:
Setup E0 parameters.
Setup IP helper addresses.
Example
> en
# config t
(config)# int e0
(config-if)# ip address 204.184.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4
(config-if)# int s0
(config-if)# ip address 192.184.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4
(config-if)# int s1
(config-if)# ip address 10.18.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4
Objectives
The objectives of this challenge are to:
Example
> en
# config t
Enter configuration commands, one per line.
(config)# hostname washington
Example
> en
# config t
(config)# router rip
(config-router)# version 2
Outline
This challenge involves the configuration of OSPF.
Objectives
The objectives of this challenge are to:
Setup OSPF
Define networks within a given area.
Define OSPF parameters.
Example
> en
# config t
(config)# router ospf ?
<1-65535> Process ID
(config)# router ospf 146
(config-router)# network 211.79.208.0 0.0.0.255 area 0
(config-router)# network 130.184.0.0 0.0.0.255 area 0
(config-router)# network 206.198.48.0 0.0.0.255 area 0
(config-router)# ?
Router configuration commands:
  area                   OSPF area parameters
  auto-cost              Calculate OSPF interface cost according to bandwidth
  capability             Enable specific OSPF feature
  compatible             OSPF compatibility list
  default                Set a command to its defaults
  default-information    Control distribution of default information
  default-metric         Set metric of redistributed routes
  discard-route          Enable or disable discard-route installation
  distance               Define an administrative distance
  distribute-list        Filter networks in routing updates
  domain-id              OSPF domain-id
  domain-tag             OSPF domain-tag
  exit                   Exit from routing protocol configuration mode
  help                   Description of the interactive help system
  ignore                 Do not complain about specific event
  log-adjacency-changes  Log changes in adjacency state
  maximum-paths          Forward packets over multiple paths
  neighbor               Specify a neighbor router
  network                Enable routing on an IP network
  no                     Negate a command or set its defaults
  passive-interface      Suppress routing updates on an interface
  redistribute           Redistribute information from another routing protocol
  router-id              router-id for this OSPF process
  summary-address        Configure IP address summaries
  timers                 Adjust routing timers
  traffic-share          How to compute traffic share over alternate paths
(config-router)# area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
(config-router)# area 0 ?
  authentication  Enable authentication
  default-cost    Set the summary default-cost of a NSSA/stub area
  nssa            Specify a NSSA area
  range           Summarize routes matching address/mask (border routers only)
  stub            Specify a stub area
  virtual-link    Define a virtual link and its parameters
(config-router)# area 0 range ?
  A.B.C.D  IP address to match
(config-router)# area 0 range 192.168.64.0 ?
  A.B.C.D  IP mask for address
(config-router)#area 0 range 192.168.64.0 255.255.255.0
(config-router)# exit
(config)# int e0
(config-if)# ip address 211.79.215.7 255.255.255.0
(config-if)# ip ospf ?
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
(config-if)# ip ospf hello-interval ?
<1-65535> Seconds
(config-if)# ip ospf hello-interval 26
(config-if)# ip ospf dead-interval 9
Objectives
The objectives of this challenge are to:
Define BGP.
Example
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int e0
(config-if)# ip address 159.44.31.9 255.255.240.0
(config-if)# no shut
(config-if)# int s0
(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  audit               Apply IDS audit name
  auth-proxy          Apply authenticaton proxy
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Fowarding interface commands
  cgmp                Enable/disable CGMP
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  inspect             Apply inspect name
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  nat                 NAT interface commands
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  pgm                 PGM Reliable Transport Protocol
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  rsvp                RSVP interface commands
  rtp                 RTP parameters
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  tcp                 TCP header compression parameters
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# ip unnumbered e0
(config-if)# no shut
(config-if)# int s1
(config-if)# ip unnumbered e0
(config-if)# no shut
Objectives
The objectives of this challenge are to:
Setup IP directed.
Example
> en
# config t
(config)# int e0
Objectives
The objectives of this challenge are to:
Example
> en
(config)# int e0
(config-if)# ip address 199.68.92.6 255.255.254.0
(config-if)# no shutdown
(config-if)# exit
(config)# no ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# no ip forward-protocol udp ?
  <0-65535>    Port number
  biff         Biff (mail notification, comsat, 512)
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  discard      Discard (9)
  dnsix        DNSIX security protocol auditing (195)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  isakmp       Internet Security Association and Key Management Protocol (500)
  mobile-ip    Mobile IP registration (434)
  nameserver   IEN116 name service (obsolete, 42)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  netbios-ss   NetBios session service (139)
  ntp          Network Time Protocol (123)
  pim-auto-rp  PIM Auto-RP (496)
  rip          Routing Information Protocol (router, in.routed, 520)
  snmp         Simple Network Management Protocol (161)
  snmptrap     SNMP Traps (162)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       System Logger (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  who          Who service (rwho, 513)
  xdmcp        X Display Manager
(config)# no ip forward-protocol
(config)# no ip forward-protocol
(config)# no ip forward-protocol
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int e0
(config-if)# ip address 101.189.132.9 255.255.224.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip route ?
  A.B.C.D  Destination prefix
  profile  Enable IP routing table profile
  vrf      Configure static route for a VPN Routing/Forwarding instance
(config)# ip route 188.240.190.0 ?
A.B.C.D Destination prefix mask
(config)# ip route 188.240.190.0 255.255.224.0 ?
(config)# ip route 188.240.190.0 255.255.224.0 101.189.132.9
(config)# ip ?
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  address-pool          Specify default IP address pooling mechanism
  alias                 Alias an IP address to a TCP port
  as-path               BGP autonomous system path filter
  audit                 Intrusion Detection System
  auth-proxy            Authentication Proxy
  bgp-community         format for BGP community
  bootp                 Config BOOTP services
  cef                   Cisco Express Forwarding
  classless             Follow classless routing forwarding rules
  community-list        Add a community list entry
  default-gateway       Specify default gateway (if not routing IP)
  default-network
  dhcp
  dhcp-server
  domain-list
  domain-lookup
  domain-name
  dvmrp
  extcommunity-list
  finger
  flow-aggregation
  flow-cache
  flow-export
  forward-protocol
Outline
This challenge involves the configuration of direct broadcasts.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int e0
(config-if)# ip address 169.230.0.3 255.255.255.0
(config-if)# no shut
(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  audit               Apply IDS audit name
  auth-proxy          Apply authenticaton proxy
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Fowarding interface commands
  cgmp                Enable/disable CGMP
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  inspect             Apply inspect name
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  nat                 NAT interface commands
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  pgm                 PGM Reliable Transport Protocol
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  rsvp                RSVP interface commands
  rtp                 RTP parameters
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  tcp                 TCP header compression parameters
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# ip directed-broadcast ?
  <1-199>      A standard IP access list number
  <1300-2699>  A standard IP expanded access list number
  <cr>
(config-if)# ip directed-broadcast
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# router rip
(config-router)# no auto-summary
(config-router)# version 2
(config-router)# network 199.224.24.0
(config-router)# network 205.188.16.8
(config-router)# network 10.0.0.0
(config-router)# exit
(config)# ip classless
(config)# int e0
(config-if)# ip address 199.224.25.3 255.255.255.0
(config-if)# ip rip
Objectives
The objectives of this challenge are to:
Define EIGRP.
Apply MD5 authentication on an interface.
Define the authentication key chain.
Example
# config t
(config)# router eigrp 142
(config-router)# network 205.104.0.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit
Define BGP.
Example
# config t
(config)# hostname leeds
leeds (config)# router bgp 172
leeds (config-router)# network 205.8.87.0
leeds (config-router)# neighbor 192.168.1.0 remote-as 100
leeds (config-router)# neighbor 192.168.1.0 update-source loopback0
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Define BGP.
Example
# config t
(config)# hostname leeds
leeds (config)# router bgp 172
leeds (config-router)# network 205.8.87.0 ?
backdoor
Specify a BGP backdoor route
mask
Network mask
route-map Route-map to modify the attributes
<cr>
leeds (config-router)# network 205.8.87.0 mask ?
A.B.C.D Network mask
leeds (config-router)# network 205.8.87.0 mask 255.255.255.48
leeds (config-router)# network 25.8.87.0 mask 255.255.255.0
leeds (config-router)# network 5.8.87.0 mask 255.255.0.0
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test
(config-route-map)# match ip address 1
(config-route-map)# exit
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 11.11.11.11 route-map test out
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Prevent leakage of private AS numbers.
Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 64512
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# neighbor 12.12.12.12 remove-private-as
Explanation
There are legal (or public) AS numbers and private ones. A private one can be set up when
connecting to a single provider. These are in the range of 64,512 to 65,535. Thus the
following defines a private AS:
(config-router)# neighbor 11.11.11.11 remote-as 64512
When private AS numbers are assigned, they should not be advertised to the Internet, as
they are not unique. Thus the command:
(config-router)# neighbor 12.12.12.12 remove-private-as
removes all private AS numbers in the range 64,512 to 65,535 from the updates sent to 12.12.12.12.
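The following is an added example, not NetworkSims code, modelling what remove-private-as does to the AS_PATH of an update before it leaves the router. It uses the 16-bit private range 64,512 to 65,535 from the text; the AS_PATH values are constructed samples, and the model is simplified (every private ASN is stripped, whereas real routers apply extra rules for paths that mix public and private ASNs).

```python
"""Model of `neighbor ... remove-private-as` on an outbound BGP update.

Added example, not NetworkSims code. It uses the 16-bit private ASN range
64512-65535 named in the text; the AS_PATH values are constructed samples.
"""

PRIVATE_AS_MIN = 64512  # lowest 16-bit private ASN (from the text)
PRIVATE_AS_MAX = 65535  # highest 16-bit private ASN (from the text)


def is_private_as(asn: int) -> bool:
    """True if the ASN lies in the private range 64512-65535."""
    return PRIVATE_AS_MIN <= asn <= PRIVATE_AS_MAX


def remove_private_as(as_path: list[int]) -> list[int]:
    """Return the AS_PATH with every private ASN stripped out.

    Simplification (assumption): every private ASN is removed. Real routers
    apply extra rules, e.g. some releases leave a mixed public/private path
    untouched unless told otherwise.
    """
    return [asn for asn in as_path if not is_private_as(asn)]


def outbound_as_path(local_as: int, as_path: list[int], strip_private: bool) -> list[int]:
    """Build the AS_PATH the router advertises to an eBGP peer.

    The router prepends its own AS; with strip_private=True it first removes
    private ASNs, which is what `remove-private-as` does for that neighbor.
    """
    path = remove_private_as(as_path) if strip_private else list(as_path)
    return [local_as] + path


def private_as_leaks(as_path: list[int]) -> list[int]:
    """Private ASNs that would escape to the Internet if this path were sent as-is.

    Useful as a check over a collected BGP table: a non-empty result means a
    path was exported without being cleaned first.
    """
    return [asn for asn in as_path if is_private_as(asn)]


if __name__ == "__main__":
    # Constructed sample: a route learned from the private-AS neighbor 11.11.11.11
    # (AS 64512 in the text), which itself learned it from another private AS.
    learned = [64512, 65010]
    print("sent without remove-private-as:", outbound_as_path(172, learned, False))
    print("sent with remove-private-as:   ", outbound_as_path(172, learned, True))
    print("leaked private ASNs:", private_as_leaks([172, 64512, 65010]))
```

Running private_as_leaks over the paths in a routing table is a quick audit for a neighbor that is missing the remove-private-as option.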
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
Define BGP.
Define neighbours.
Define aggregate-address.
Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 160.0.0.0
(config-router)# aggregate-address 160.0.0.0 255.0.0.0
Explanation
With the atomic aggregate attribute, multiple destinations are grouped within a single
update. Thus:
(config-router)# aggregate-address 160.0.0.0 255.0.0.0
means that many more-specific routes are contained within, and have been aggregated into, the
single route 160.0.0.0/8. This then creates a single routing entry in the BGP routing table.
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define aggregate-address.
Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 160.0.0.0
(config-router)# bgp default local-preference 100
Explanation
The local preference attribute in BGP is used to give a degree of preference to routes when
comparing them with other routes. Thus, on the first router:
(config-router)# bgp default local-preference 100
and on a second router (also in AS 172):
(config)# router bgp 172
(config-router)# neighbor 1.1.1.1 remote-as 200
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 180.0.0.0
(config-router)# bgp default local-preference 50
Thus, for routes which are advertised by both these routers, the route from the router with
the larger value of the local-preference parameter is preferred.
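As an added example (not NetworkSims code), the selection described above can be modelled in a few lines: for each prefix the route with the highest LOCAL_PREF wins, and only on a tie does the AS_PATH length decide. The route entries below are constructed samples; only these two steps of the BGP decision process are modelled.

```python
"""BGP path selection by LOCAL_PREF, as an added example (not NetworkSims code).

The two routers in the text announce the same prefixes with local-preference
100 and 50. The route objects below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str            # destination, e.g. "160.0.0.0/8"
    learned_from: str      # which router in the AS sent it to us
    local_pref: int        # LOCAL_PREF attribute
    as_path: tuple = ()    # AS_PATH, used only as the tie-breaker here


def best_path(candidates: list[BgpRoute]) -> BgpRoute:
    """Pick the best route for one prefix.

    Only two steps of the BGP decision process are modelled: highest
    LOCAL_PREF wins, and on a tie the shortest AS_PATH wins. Weight (Cisco
    specific) comes before these on a real router and later tie-breakers
    follow; they are omitted here.
    """
    if not candidates:
        raise ValueError("no candidate routes")
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def select_best_routes(routes: list[BgpRoute]) -> dict[str, BgpRoute]:
    """Group routes by prefix and run best_path on each group."""
    by_prefix: dict[str, list[BgpRoute]] = {}
    for route in routes:
        by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_path(group) for prefix, group in by_prefix.items()}


# Constructed sample table: both routers from the text advertise 160.0.0.0/8;
# router_a sets local-preference 100, router_b sets 50.
SAMPLE_ROUTES = [
    BgpRoute("160.0.0.0/8", "router_a", 100, (300,)),
    BgpRoute("160.0.0.0/8", "router_b", 50, (311,)),
    # A second prefix where both use the same LOCAL_PREF, so AS_PATH length decides.
    BgpRoute("180.0.0.0/8", "router_a", 50, (300, 400)),
    BgpRoute("180.0.0.0/8", "router_b", 50, (311,)),
]

if __name__ == "__main__":
    for prefix, route in select_best_routes(SAMPLE_ROUTES).items():
        print(f"{prefix}: best via {route.learned_from} (local-pref {route.local_pref})")
```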
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define local-preference with a route-map.
Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test
(config-route-map)# match ip address 1
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define a metric within a route-map.
Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test
(config-route-map)# match ip address 1
(config-route-map)# set metric 14
(config-route-map)# exit
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 route-map test out
(config-router)# network 160.0.0.0
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define a distribution-list.
Example
# config t
(config)# access-list 1 deny 10.0.0.0 0.0.0.255
(config)# access-list 1 permit any
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 distribute-list 1 out
(config-router)# network 160.0.0.0
Explanation
The distribute-list filter option allows the routing information that is sent for learnt routes
to be restricted. Thus the commands:
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 11.11.11.11 distribute-list 1 out
will not transmit the 10.0.0.0/24 route information to the neighbor with the address of
11.11.11.11. In the access-list:
(config)# access-list 1 deny 10.0.0.0 0.0.0.255
(config)# access-list 1 permit any
the permit any is required because an access-list ends with an implicit deny, which would block
everything that did not match the first statement. Thus a permit any is required at the end of
the access-list.
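The following is an added example, not NetworkSims code, that evaluates a standard access-list with Cisco wildcard masks and applies it as an outbound distribute-list. It shows the implicit deny directly: the same route table filtered with and without the permit any line. The route table is a constructed sample; the access-list lines are the ones from the explanation above.

```python
"""Standard access-list evaluation with wildcard masks, applied as an outbound
distribute-list. Added example (not NetworkSims code); the route list is a
constructed sample.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_acl(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse `access-list N permit|deny <addr wildcard | host addr | addr | any>` lines.

    Returns (action, base, wildcard) tuples in the order given; the list
    number is ignored because one list is parsed at a time.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if rest == ["any"]:
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            entries.append((action, rest[1], "0.0.0.0"))
        elif len(rest) == 1:                  # bare address means wildcard 0.0.0.0
            entries.append((action, rest[0], "0.0.0.0"))
        else:
            entries.append((action, rest[0], rest[1]))
    return entries


def acl_permits(entries, addr: str) -> bool:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def filter_outbound_routes(entries, routes: list[str]) -> list[str]:
    """Apply the list as `distribute-list N out`: a route is tested by its network address."""
    return [r for r in routes
            if acl_permits(entries, str(ipaddress.IPv4Network(r).network_address))]


# Constructed sample routing table on the router in AS 172.
SAMPLE_ROUTES = ["10.0.0.0/24", "10.0.1.0/24", "160.0.0.0/8", "192.168.5.0/24"]

if __name__ == "__main__":
    acl_from_text = parse_acl(["access-list 1 deny 10.0.0.0 0.0.0.255",
                               "access-list 1 permit any"])
    print("with permit any:   ", filter_outbound_routes(acl_from_text, SAMPLE_ROUTES))
    acl_without_permit = parse_acl(["access-list 1 deny 10.0.0.0 0.0.0.255"])
    print("without permit any:", filter_outbound_routes(acl_without_permit, SAMPLE_ROUTES))
```

Note that 10.0.1.0/24 passes the filter: the wildcard 0.0.0.255 only covers the last octet, so the deny line matches 10.0.0.0/24 alone.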
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define a distribution-list.
Example
# config t
(config)# access-list 103 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
(config)# access-list 103 deny ip 20.0.0.0 0.0.0.255 30.0.0.0 0.0.0.255
(config)# access-list 103 permit ip any any
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 distribute-list 103 out
(config-router)# network 160.0.0.0
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define an ip prefix-list.
Example
# config t
(config)# ip prefix-list test deny 0.0.0.0/0
(config)# ip prefix-list test permit 172.16.0.0/16
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 prefix-list test out
(config-router)# network 160.0.0.0
(config-router)# exit
(config)# exit
# sh ip prefix
ip prefix-list test: 2 entries
seq 5 deny 0.0.0.0/0
seq 10 permit 172.16.0.0/16
Explanation
An ip prefix-list is a good alternative to access-lists for route filtering, as it provides
performance improvements and greater flexibility.
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Outline
This challenge involves the configuration of BGP using an ip prefix-list configuration.
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define an ip prefix-list.
Example
# config t
(config)# ip prefix-list test permit 192.0.0.0/8 le 24
(config)# ip prefix-list test deny 192.0.0.0/8 ge 25
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 prefix-list test out
(config-router)# network 160.0.0.0
(config-router)# exit
(config)# exit
# sh ip prefix
ip prefix-list test: 2 entries
seq 5 permit 192.0.0.0/8 le 24
seq 10 deny 192.0.0.0/8 ge 25
Explanation
With ip prefix-list, the ge and le keywords are used to specify the range of prefix lengths that
are matched. Thus:
(config)# ip prefix-list test permit 192.0.0.0/8 le 24
(config)# ip prefix-list test deny 192.0.0.0/8 ge 25
where the sequence number is automatically incremented by five for each entry. The entries are
evaluated in sequence order, from the lowest number to the highest.
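As an added example (not NetworkSims code), the matcher below implements the prefix-list semantics described above: an entry matches a prefix when the first L bits agree and the prefix length falls inside the ge/le window (an entry without ge or le matches that exact length only), entries are tried in sequence order, sequence numbers are auto-assigned in steps of five, and an unmatched prefix hits the implicit deny. The prefixes it is run against are constructed samples.

```python
"""IOS-style ip prefix-list matching with ge/le, sequence numbers and the
implicit deny. Added example (not NetworkSims code); prefixes tested below are
constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # the prefix written in the entry
    ge: Optional[int] = None        # minimum prefix length, if given
    le: Optional[int] = None        # maximum prefix length, if given


def parse_prefix_list(lines: list[str]) -> list[PrefixEntry]:
    """Parse `ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]` lines.

    An entry without `seq` gets the highest existing sequence plus five,
    starting at 5, which is what the `sh ip prefix` output above shows.
    """
    entries: list[PrefixEntry] = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            raise ValueError(f"not a prefix-list line: {line!r}")
        rest = tokens[3:]                       # drop "ip prefix-list NAME"
        seq = None
        if rest[0] == "seq":
            seq = int(rest[1])
            rest = rest[2:]
        if seq is None:
            seq = (max(e.seq for e in entries) + 5) if entries else 5
        action, prefix = rest[0], ipaddress.IPv4Network(rest[1], strict=False)
        opts = dict(zip(rest[2::2], map(int, rest[3::2])))  # {"ge": X, "le": Y}
        entries.append(PrefixEntry(seq, action, prefix, opts.get("ge"), opts.get("le")))
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(entry: PrefixEntry, prefix: ipaddress.IPv4Network) -> bool:
    """A prefix matches when its first L bits equal the entry's and its length
    is within the ge/le window; without ge/le the length must equal L exactly."""
    if not prefix.subnet_of(entry.network):        # shares the first L bits
        return False
    if entry.ge is None and entry.le is None:
        return prefix.prefixlen == entry.network.prefixlen
    low = entry.ge if entry.ge is not None else entry.network.prefixlen
    high = entry.le if entry.le is not None else 32
    return low <= prefix.prefixlen <= high


def prefix_list_permits(entries: list[PrefixEntry], prefix: str) -> bool:
    """Lowest sequence number first; the first match decides; no match is a deny."""
    candidate = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry.action == "permit"
    return False


# The two entries from the challenge text.
TEXT_PREFIX_LIST = parse_prefix_list([
    "ip prefix-list test permit 192.0.0.0/8 le 24",
    "ip prefix-list test deny 192.0.0.0/8 ge 25",
])

if __name__ == "__main__":
    for p in ["192.168.1.0/24", "192.168.1.0/25", "192.0.0.0/8", "10.0.0.0/8"]:
        print(p, "permit" if prefix_list_permits(TEXT_PREFIX_LIST, p) else "deny")
```

With the list from the text, 192.168.1.0/24 and 192.0.0.0/8 are permitted, 192.168.1.0/25 is denied by the second entry, and 10.0.0.0/8 matches nothing and is dropped by the implicit deny.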
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define BGP.
Define neighbours.
Define the default-originate.
Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 default-originate
(config-router)# network 160.0.0.0
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.
[Figure: topology with e0 to AS1 (Neighbor1), s0 to AS2 (Neighbor2), s1 to AS3 (Neighbor3)]
Objectives
The objectives of this challenge are to:
Define ISIS.
Define the NET.
Apply ISIS on interfaces.
Example
# config t
(config)# router isis
(config-router)# net 49.0001.0000.0000.000a.00
(config-router)# passive-interface loopback2
(config-router)# is-type level-1
(config-router)# exit
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int s1
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int loopback 2
(config-if)# ip address 192.168.3.1 255.255.255.0
Objectives
The objectives of this challenge are to:
Define RIP.
Define redistribution of static routes.
Define the passive interface.
Define static routes.
Define the default route.
Example
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# passive-interface bri0
(config-router)# redistribute static
(config-router)# exit
(config)# ip route 172.168.0.0 255.255.255.0 bri0
(config)# ip route 0.0.0.0 0.0.0.0 bri0
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
The passive interface is typically used on dial-up connections, where constant routing updates
would require the connection to be made repeatedly, so a passive interface is defined. For
example, in Figure 1, the highlighted device is set up with a static route to a destination. This
route is then redistributed to the other devices, but not to the device connected to the BRI, as
that is a passive interface and the link is static.
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# passive-interface bri0
(config-router)# redistribute static
(config-router)# exit
(config)# ip route 172.168.0.0 255.255.255.0 10.0.0.1
(config)# ip route 0.0.0.0 0.0.0.0 bri0
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
[Figure 1: routers 192.168.0.1 and 192.168.0.2 connected via bri0; the static route to 172.168.0.0/24 is redistributed]
Objectives
The objectives of this challenge are to:
Define RIP.
Define distribution-list and an associated access-list.
Example
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any
Explanation
The distribute-list is used to define the routing information that a device sends or receives.
For example:
(config-router)# distribute-list 10 out
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any
defines that all the routing information relating to 10.0.1.0/24 will be removed from any
outgoing routing information.
Outline
This challenge involves the configuration of distribute-lists for RIP in order to define the
routing information that is sent or received on a given interface.
Objectives
The objectives of this challenge are to:
Define RIP.
Define distribution-list for S0, and an associated access-list.
Example
# config t
(config)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any
Explanation
The distribute-list is used to define the routing information that a device sends or receives.
For example:
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any
defines that all the routing information relating to 10.0.1.0/24 will be removed from any
outgoing routing information on S0.
Objectives
The objectives of this challenge are to:
Define EIGRP.
Define distribution-list for S0, and an associated access-list.
Example
# config t
(config)# router eigrp 128
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny any
Explanation
The distribute-list is used to define the routing information that a device sends or receives.
For example:
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny any
defines that all the routes for S0 will be denied for outgoing updates, thus S0 is a passive
interface.
Example
# config t
Explanation
The policy-based routing allows traffic to flow from one port to another based on its details.
For example:
(config)# access-list 5 permit 192.168.0.0 0.0.0.255
(config)# access-list 10 permit 172.16.0.0 0.0.0.255
(config)# route-map R1 permit 10
(config-route-map)# match ip address 5
(config-route-map)# set interface s0
(config-route-map)# exit
(config)# route-map R2 permit 10
(config-route-map)# match ip address 10
(config-route-map)# set interface s1
(config-route-map)# exit
and:
(config)# int e0
(config-if)# ip policy route-map R1
(config-if)# exit
(config)# int e1
(config-if)# ip policy route-map R2
(config-if)# exit
defines that traffic arriving on E0 that matches 192.168.0.0/24 is routed out through S0, and
traffic arriving on E1 that matches 172.16.0.0/24 is routed out through S1.
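The following is an added example, not NetworkSims code, that models the policy-routing lookup just described: the ingress interface selects a route-map, each clause tests the packet's source address against a standard access-list, and the first permit clause that matches sets the egress interface; anything else falls back to the normal routing table. The ACLs, route-maps and interface policies are the ones from the explanation above; the packet sources are constructed samples.

```python
"""Policy-based routing lookup: ingress interface -> route-map -> ACL match -> set interface.
Added example (not NetworkSims code) modelling the ACLs, route-maps and interface
policies in the Explanation above; the packet sources are constructed samples.
"""
import ipaddress

ROUTING_TABLE = "normal routing table lookup"   # what happens when no route-map clause matches


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


# Standard ACLs from the text: (base, wildcard) pairs, all permit.
ACLS = {
    5: [("192.168.0.0", "0.0.0.255")],
    10: [("172.16.0.0", "0.0.0.255")],
}

# route-map NAME permit SEQ / match ip address ACL / set interface IF
ROUTE_MAPS = {
    "R1": [{"seq": 10, "action": "permit", "match_acl": 5, "set_interface": "s0"}],
    "R2": [{"seq": 10, "action": "permit", "match_acl": 10, "set_interface": "s1"}],
}

# ip policy route-map applied per ingress interface.
INTERFACE_POLICY = {"e0": "R1", "e1": "R2"}


def acl_permits(acl_number: int, src_ip: str) -> bool:
    """A standard ACL used by `match ip address` tests the packet's source address."""
    return any(wildcard_match(src_ip, base, wc) for base, wc in ACLS.get(acl_number, []))


def policy_route(ingress_if: str, src_ip: str) -> str:
    """Return the egress interface chosen by PBR, or ROUTING_TABLE if policy
    routing does not apply (no policy on the interface, or no matching clause)."""
    route_map = INTERFACE_POLICY.get(ingress_if)
    if route_map is None:
        return ROUTING_TABLE
    for clause in sorted(ROUTE_MAPS[route_map], key=lambda c: c["seq"]):
        if acl_permits(clause["match_acl"], src_ip):
            # A deny clause means "do not policy-route", i.e. fall back to the table.
            return clause["set_interface"] if clause["action"] == "permit" else ROUTING_TABLE
    return ROUTING_TABLE


if __name__ == "__main__":
    samples = [("e0", "192.168.0.25"), ("e1", "172.16.0.9"),
               ("e0", "172.16.0.9"), ("s0", "192.168.0.25")]
    for ingress, src in samples:
        print(f"in {ingress} from {src}: {policy_route(ingress, src)}")
```

The third sample shows the point that is easy to miss in the text: a 172.16.0.0/24 source arriving on E0 is not matched by R1, so it is forwarded by the ordinary routing table rather than being steered to S1.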
Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.
Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33 metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute rip metric 10000 100 255 1 1500
Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.
Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33 metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute connected metric 10000 100 255 1 1500
Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.
Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33
(config-router)# redistribute connected
(config-router)# default-metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute rip
(config-router)# redistribute static
(config-router)# default-metric 10000 100 255 1 1500
Objectives
The objectives of this challenge are to:
Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.
Example
# config t
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 area 0
(config-router)# network 30.0.0.0 area 0
(config-router)# redistribute rip subnets
Explanation
The following stops RIP updates going out over the OSPF connections:
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 area 0
(config-router)# network 30.0.0.0 area 0
(config-router)# redistribute rip subnets
Without the subnets keyword on redistribute rip, OSPF would only redistribute routes that are
not subnetted (classful networks), which is the default.
[Figure: s0 and s1 in Area 0]
Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.
Example
# config t
(config)# access-list 10 permit 172.16.1.0 0.0.0.255
(config)# access-list 10 deny any
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# redistribute rip subnets
(config-router)# distribute-list 10 in rip
Explanation
The access-list of:
along with:
(config-router)# distribute-list 10 in rip
[Figure: s0 and s1 in Area 0]
Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.
Example
# config t
(config)# access-list 10 permit 172.16.1.0 0.0.0.255
(config)# access-list 10 deny any
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# area 1 range 192.168.1.0 0.0.0.255
Define OSPF.
Define OSPF costs for S0 and S1.
Define bandwidth requirements on S0 and S1.
Example
# config t
(config)# int s0
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# int s1
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 area 0
(config-router)# network 30.0.0.0 area 0
Explanation
With OSPF, costs are used to determine the best route. For Cisco IOS, the value for an interface is:
100,000,000/bandwidth
with the bandwidth in bits per second. Thus a 56kbps link has a cost of 100,000,000/56,000, which
is 1,785. A new cost can be defined with the following:
(config)# int s0
(config-if)# ip ospf cost 64
[Figure: serial link labelled with cost 1785]
Define OSPF.
Define OSPF costs for S0 and S1.
Define bandwidth requirements on S0 and S1.
Define the reference bandwidth.
Example
# config t
(config)# int s0
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# int s1
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# router ospf 33
Explanation
With OSPF, costs are used to determine the best route. For Cisco IOS, the value for an interface is:
100,000,000/bandwidth
with the bandwidth in bits per second, which gives the following costs:
Interface medium            Cost
56kbps serial connection    1785
T1 link (1.544Mbps)         64
E1 link (2.048Mbps)         48
Ethernet (10Mbps)           10
Fast Ethernet (100Mbps)     1
4Mbps Token Ring            25
16Mbps Token Ring           10
These costs work well up to 100 Mbps, but do not work for bandwidths above this, such as
Gigabit Ethernet. To adjust the reference bandwidth, the auto-cost command can be used,
such as:
(config-router)# auto-cost reference-bandwidth 1000
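As an added example (not part of the NetworkSims page), the cost formula and the reference-bandwidth adjustment worked through in Python; the link speeds are the table's, plus Gigabit Ethernet to show why the default reference bandwidth fails above 100 Mbps.

```python
"""OSPF interface cost as Cisco IOS derives it: reference bandwidth divided by
interface bandwidth, truncated to an integer and clamped to 1..65535.
Added example for the explanation above; not part of the NetworkSims page."""
from typing import Dict, List, Optional

DEFAULT_REF_MBPS = 100      # IOS default reference bandwidth (100,000,000 bps)
MAX_COST = 65535            # OSPF interface cost is a 16-bit field


def ospf_cost(bandwidth_kbps: int, ref_mbps: int = DEFAULT_REF_MBPS) -> int:
    """cost = reference_bandwidth / bandwidth, both in bits per second. The
    reference is 100 Mbps unless changed with 'auto-cost reference-bandwidth'."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = (ref_mbps * 1_000_000) // (bandwidth_kbps * 1_000)
    return max(1, min(MAX_COST, cost))


def effective_cost(bandwidth_kbps: int, ref_mbps: int = DEFAULT_REF_MBPS,
                   manual_cost: Optional[int] = None) -> int:
    """'ip ospf cost <n>' on the interface overrides the derived value."""
    if manual_cost is not None:
        return manual_cost
    return ospf_cost(bandwidth_kbps, ref_mbps)


# Link speeds from the table above, in kbps (the unit of the 'bandwidth' command).
LINKS: Dict[str, int] = {
    "56 kbps serial": 56,
    "T1 (1.544 Mbps)": 1_544,
    "E1 (2.048 Mbps)": 2_048,
    "Ethernet (10 Mbps)": 10_000,
    "Fast Ethernet (100 Mbps)": 100_000,
    "4 Mbps Token Ring": 4_000,
    "Gigabit Ethernet (1000 Mbps)": 1_000_000,   # not in the table; shows the problem
}


def cost_table(ref_mbps: int = DEFAULT_REF_MBPS) -> Dict[str, int]:
    return {name: ospf_cost(kbps, ref_mbps) for name, kbps in LINKS.items()}


def indistinguishable_links(ref_mbps: int = DEFAULT_REF_MBPS) -> List[List[str]]:
    """Groups of links that end up with the same cost, so OSPF cannot prefer
    one over the other even though their bandwidths differ."""
    by_cost: Dict[int, List[str]] = {}
    for name, cost in cost_table(ref_mbps).items():
        by_cost.setdefault(cost, []).append(name)
    return [names for names in by_cost.values() if len(names) > 1]


if __name__ == "__main__":
    for ref in (100, 1000):
        print(f"reference bandwidth {ref} Mbps")
        for name, cost in cost_table(ref).items():
            print(f"  {name:30} {cost:6}")
        print("  same cost:", indistinguishable_links(ref))
    # The page's s0: 'bandwidth 100' (100 kbps) would derive 1000, but 'ip ospf cost 64' wins.
    print("s0 cost:", effective_cost(100, manual_cost=64))
```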
Define OSPF.
Define OSPF authentication key for S0 and S1.
Apply authentication to OSPF.
Example
# config t
(config)# int s0
(config-if)# ip ospf authentication-key test
(config-if)# exit
(config)# int s1
(config-if)# ip ospf authentication-key test
(config-if)# exit
(config)# router ospf 33
(config-router)# area 0 authentication
Define OSPF.
Define OSPF authentication key for S0 and S1.
Apply authentication to OSPF.
Example
# config t
(config)# int s0
(config-if)# ip ospf message-digest-key 1 md5 0 default1
(config-if)# exit
(config)# int s1
(config-if)# ip ospf message-digest-key 1 md5 0 default1
(config-if)# exit
(config)# router ospf 33
(config-router)# area 0 authentication message-digest
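Added example, not from the page or from Cisco: what the two authentication modes configured above put on the wire, built from RFC 2328 Appendix D in Python. The router ID, area and Hello values are constructed; the keys are the page's (test for the plaintext authentication-key, default1 for message-digest key 1).

```python
"""OSPFv2 Hello packets with the two authentication types configured above:
simple password (AuType 1, 'ip ospf authentication-key') and cryptographic
MD5 (AuType 2, 'ip ospf message-digest-key'), built per RFC 2328 Appendix D.
Added example, not NetworkSims material; router ID and Hello values constructed."""
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION, OSPF_HELLO = 2, 1
AU_SIMPLE, AU_CRYPTO = 1, 2


def ospf_checksum(pkt: bytes) -> int:
    """One's-complement checksum over the packet, skipping the 64-bit
    Authentication field (bytes 16-23), as RFC 2328 A.3.1 specifies."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask: str = "255.255.255.0", hello: int = 10, dead: int = 40) -> bytes:
    """Constructed Hello body: network mask, HelloInterval, Options (E bit),
    router priority 1, RouterDeadInterval, DR and BDR unset, no neighbours."""
    mask_bytes = bytes(int(o) for o in mask.split("."))
    return struct.pack("!4sHBBIII", mask_bytes, hello, 0x02, 1, dead, 0, 0)


def _header(length: int, router_id: int, area_id: int, checksum: int,
            autype: int, auth: bytes) -> bytes:
    return struct.pack("!BBHIIHH", OSPF_VERSION, OSPF_HELLO, length, router_id,
                       area_id, checksum, autype) + auth


def build_simple(body: bytes, router_id: int, area_id: int, password: str) -> bytes:
    """AuType 1: the password itself (zero-padded to 8 bytes) sits in the header,
    so anyone capturing the Hello can read it."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    pkt = _header(24 + len(body), router_id, area_id, 0, AU_SIMPLE, auth) + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def _digest(pkt: bytes, key: str) -> bytes:
    # Key shorter than 16 bytes is zero-padded (Cisco behaviour), appended to
    # the packet, and MD5 is taken over the result.
    return hashlib.md5(pkt + key.encode()[:16].ljust(16, b"\x00")).digest()


def build_md5(body: bytes, router_id: int, area_id: int, key_id: int, key: str,
              seq: int) -> bytes:
    """AuType 2: the header carries key ID, digest length 16 and a cryptographic
    sequence number; checksum is 0; the 16-byte digest is appended after the
    packet and not counted in the length field. The key never goes on the wire."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(24 + len(body), router_id, area_id, 0, AU_CRYPTO, auth) + body
    return pkt + _digest(pkt, key)


def verify_md5(frame: bytes, keys: Dict[int, str], last_seq: Dict[int, int]) -> bool:
    """Receiver: find the key by ID, recompute the digest, compare in constant
    time, and reject a sequence number lower than the last accepted one from
    that router (RFC 2328 D.4.3 replay protection)."""
    if len(frame) < 24 + 16:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    router_id = struct.unpack("!I", frame[4:8])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    _, key_id, dlen, seq = struct.unpack("!HBBI", frame[16:24])
    if autype != AU_CRYPTO or dlen != 16 or len(frame) != length + 16:
        return False
    if key_id not in keys or seq < last_seq.get(router_id, 0):
        return False
    pkt, digest = frame[:length], frame[length:]
    if not hmac.compare_digest(_digest(pkt, keys[key_id]), digest):
        return False
    last_seq[router_id] = seq
    return True


def demo() -> dict:
    body = hello_body()
    rid, area = 0xC0A80101, 0                        # router 192.168.1.1, area 0 (constructed)
    plain = build_simple(body, rid, area, "test")    # the page's authentication-key
    keys = {1: "default1"}                           # the page's message-digest-key 1
    frame = build_md5(body, rid, area, 1, "default1", seq=1000)
    tampered = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]   # flip one body bit
    seen: Dict[int, int] = {}
    return {
        "password_visible": b"test" in plain,
        "key_visible": b"default1" in frame,
        "valid": verify_md5(frame, keys, seen),
        "tampered": verify_md5(tampered, keys, seen),
        "wrong_key": verify_md5(frame, {1: "default2"}, {}),
        "replayed_older": verify_md5(build_md5(body, rid, area, 1, "default1", seq=999), keys, seen),
    }
```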
Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 area 0
(config-router)# network 192.168.2.0 area 2
(config-router)# area 2 stub
Explanation
A stub area is one which has no routes to an external autonomous system (AS). In the case of:
(config)# router ospf 33
(config-router)# network 192.168.1.0 area 0
(config-router)# network 192.168.2.0 area 2
(config-router)# area 2 stub
(Diagram: s0 in Area 0; s1 in Area 2, the stub area; External Autonomous System (AS).)
Objectives
The objectives of this challenge are to:
Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 area 0
(config-router)# network 192.168.2.0 area 2
(config-router)# area 2 stub no-summary
Explanation
A stub area is one which has no routes to an external autonomous system (AS). In the case of:
(config)# router ospf 33
(config-router)# network 192.168.1.0 area 0
(config-router)# network 192.168.2.0 area 2
(config-router)# area 2 stub no-summary
(Diagram: s0 in Area 0; s1 in Area 2, the stub area; External Autonomous System (AS).)
Objectives
The objectives of this challenge are to:
Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 area 0
(config-router)# network 192.168.2.0 area 1
(config-router)# area 2 nssa
Remote Access
Objectives
The objectives of this challenge are to:
Example
> en
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# line ?
  <0-10>   First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
(config)# line 3
(config-line)# transport ?
  input      Define which protocols to use when connecting to the terminal server
  output     Define which protocols to use for outgoing connections
  preferred  Specify the preferred protocol to use
(config-line)# transport input ?
  all     All protocols
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  telnet  TCP/IP Telnet protocol
(config-line)# transport input all
(config-line)# modem ?
  CTS-Alarm       Alarm device which only uses CTS for call control
  DTR-active      Leave DTR low unless line has an active incoming connection or EXEC
  Dialin          Configure line for a modern dial-in modem
  Host            Devices that expect an incoming modem call
  InOut           Configure line for incoming AND outgoing use of modem
  Printer         Devices that require DSR/CD active
  answer-timeout  Set interval between raising DTR and CTS response
  dtr-delay       Set interval during which DTR is held low
(config-line)# modem inout
(config-line)# login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking
  <cr>
(config-line)# login local
(config-line)# speed ?
  <0-4294967295>  Transmit and receive speeds
(config-line)# speed 2400
(config-line)# rotary ?
  <0-100>  Rotary group to add line to
(config-line)# rotary 4
(config-line)# flow ?
  NONE      Set no flow control
  hardware  Set hardware flow control
  software  Set software flow control
(config-line)# flow none
(config-line)# autoselect ?
  arap          Set line to allow ARAP autoselection
  during-login  Do autoselect at the Username/Password prompt
  ppp           Set line to allow PPP autoselection
  slip          Set line to allow SLIP autoselection
  timeout       Set wait timeout for initial autoselect byte
  <cr>
(config-line)# autoselect ppp
(config-line)# stopbits 1.5
(config-line)# modem dialin
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual            Virtual interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  range              interface range command
(config)# int async ?
  <1-65>  Async interface number
(config)# int async 5
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# ppp authentication ?
  chap     Challenge Handshake Authentication Protocol (CHAP)
  ms-chap  Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  pap      Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# ip nat ?
  inside       Inside address translation
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
(config)# ip nat inside ?
  destination  Destination address translation
  source       Source address translation
(config)# ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
(config)# ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config)# ip nat inside source static 193.84.250.1 ?
  A.B.C.D  Inside global IP address
(config)# ip nat inside source static 193.84.250.1 195.151.136.5
(config)# int e0
(config-if)# ip nat ?
  inside   Inside interface for address translation
  outside  Outside interface for address translation
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Objectives
The objectives of this challenge are to:
Define an ACL.
Implement a dialer-list.
Define ISDN parameters.
Example
> en
# config t
(config)# access-list 2
(config)# access-list 2 permit host 168.86.68.8
(config)# access-list 2 deny host 206.207.17.5
(config)# access-list 2 permit 99.22.1.0 0.0.255.255
(config)# dialer-list ?
  <1-10>  Dialer group number
(config)# dialer-list 39 ?
  protocol  Permit or Deny based on protocols
(config)# dialer-list 39 protocol ?
  appletalk         AppleTalk
  bridge            Bridging
  clns              OSI Connectionless Network Service
  clns_es           CLNS End System
  clns_is           CLNS Intermediate System
  decnet            DECnet
  decnet_node       DECnet node
  decnet_router-L1  DECnet router L1
  decnet_router-L2  DECnet router L2
  hpr               HPR
  ip                IP
  ipx               Novell IPX
  llc2              LLC2
  netbios           NETBIOS
  vines             Banyan Vines
  xns               XNS
(config)# dialer-list 39 protocol ip ?
  deny    Deny specified protocol
  list    Add access list to dialer list
  permit  Permit specified protocol
(config)# dialer-list 39 protocol ip permit
(config)# dialer-list 39 protocol ipx permit
(config)# dialer-list 39 protocol ip list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
(config)# dialer-list 39 protocol ip list 2
(config)# isdn ?
  T310cisco-action
  T310cisco-timeout
  leased-line
(config-if)# ppp ?
  ipcp           Set IPCP negotiation options
  lcp            PPP LCP configuration
  link           Set miscellaneous link parameters
  max-bad-auth   Allow multiple authentication failures
  multilink      Make interface multilink capable
  pap            Set PAP authentication parameters
  quality        Set minimum Link Quality before link is down
  reliable-link  Use LAPB with PPP to provide a reliable link
  timeout        Set PPP timeout parameters
  use-tacacs     Use TACACS to verify PPP authentications
(config-if)# ppp authentication chap
(config-if)# dialer ?
  callback-secure        Enable callback security
  enable-timeout         Set length of time an interface stays down before it is available for dialing
  fast-idle              Set idle time before disconnecting line with an unusually high level of contention
  hold-queue             Configure output hold queue
  idle-timeout           Specify idle timeout before disconnecting line
  load-threshold         Specify threshold for placing additional calls
  map                    Define multiple dial-on-demand numbers
  pool-member            Specify dialer pool membership
  priority               Specify priority for use in dialer group
  redial                 Configure redial for this interface
  rotary-group           Add to a dialer rotary group
  snapshot               Enable snapshot address for dialer profile
  string                 Specify telephone number to be passed to DCE device
  vpdn                   Enable vpdn dial
  wait-for-carrier-time  How long the router will wait for carrier
  watch-disable          Time to wait before bringing down watched route link
  watch-group            Assign interface to dialer-watch-list
(config-if)# dialer fast-idle 30
(config-if)# dialer-group 39
Define E0 settings.
Enable AAA.
Define AAA authentication.
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def local
(config)# aaa authen ppp def none
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default none
(config)# aaa author exec default none
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authorization command 1 test local
(config)# aaa authorization network 1 test local
(config)# aaa authentication login default local-case
(config)# line con 0
(config-line)# login authentication default
(config-line)# line aux 0
(config-line)# login authentication default
(config-line)# line vty 0 15
(config-line)# login authentication default
(config-line)# exit
(config)# username ben password fries
(config)# username ben password yellow
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authorization command 1 test local
(config)# aaa authorization network 1 test local
(config)# aaa authentication login munich local
(config)# username ann password doghouse
(config)# username daniel password bravo
(config)# int bri0
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap munich
Objectives
The objectives of this challenge are to:
Enable IPSec.
Define an IKE policy.
Define the encryption for IKE.
Define the authentication protocol for IKE.
Define the authentication type.
Define the Diffie-Hellman method.
For pre-share, define the identity.
For pre-share, define the key and the address.
For pre-share, define the transform set.
Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# lifetime 10500
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname london
(config)# int e0
(config-if)# ip address 136.22.25.1 255.252.0.0
(config-if)# no shut
(config-if)# ip access-group 101 in
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname london
(config)# ip domain-name test.com
london (config)# crypto key generate rsa
london (config)# crypto ca identity idaho
(ca-identity)# ?
Syntax: enrollment url [url]
Syntax: enrollment mode ra
Syntax: crl option
Syntax: query [url]
london (ca-identity)# enrollment url http://helpcert
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int s0
(config-if)# ip address 196.85.163.9 255.255.192.0
(config-if)# no shutdown
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# frame-relay ?
  broadcast-queue      Define a broadcast queue and transmit rate
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  intf-type            Configure a FR DTE/DCE/NNI interface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  lapf                 set LAPF parameter
  lmi-n391dte          set full status polling counter
  lmi-n392dce          LMI error threshold
  lmi-n392dte          LMI error threshold
  lmi-n393dce
  lmi-n393dte
  lmi-t392dce
  lmi-type
  local-dlci
  map
  multicast-dlci
  priority-dlci-group
  qos-autosense
  route
  svc
  traffic-shaping
  traps-maximum
Outline
This challenge involves the configuration of frame relay.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int s0
(config-if)# ip address 62.250.1.7 255.0.0.0
(config-if)# no shut
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# frame-relay map ip 62.250.1.12 ?
  <16-1007>  DLCI
(config-if)# frame-relay map ip 62.250.1.12 102 ?
  broadcast            Broadcasts should be forwarded to this address
  cisco                Use CISCO Encapsulation
  compress             Enable TCP/IP and RTP/IP header compression
  ietf                 Use RFC1490/RFC2427 Encapsulation
  nocompress           Do not compress TCP/IP headers
  payload-compression  Use payload compression
  rtp                  RTP header compression parameters
  tcp                  TCP header compression parameters
  <cr>
(config-if)# frame-relay map ip 62.250.1.12 102 broadcast
(config-if)# frame-relay map ip 62.250.1.15 103 broadcast
(config-if)# frame-relay ?
  broadcast-queue  Define a broadcast queue and transmit rate
  class            Define a map class on the interface
  de-group         Associate a DE group with a DLCI
  interface-dlci   Define a DLCI on an interface/subinterface
  intf-type        Configure a FR DTE/DCE/NNI interface
  inverse-arp
  ip
  lapf
  lmi-n391dte
  lmi-n392dce
  lmi-n392dte
  lmi-n393dce
  lmi-n393dte
  lmi-t392dce
  lmi-type
  local-dlci
  map
  multicast-dlci
  priority-dlci-group
  qos-autosense
  route
  svc
  traffic-shaping
  traps-maximum
Ref
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/wan_c/wcdfrely.htm
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# map-class frame kirkcaldy
(config-map-class)# frame-relay traffic ?
  <600-45000000>  Committed Information Rate (CIR)
(config-map-class)# frame-relay traffic 9600 ?
  <0-45000000>  Peak rate (CIR + EIR)
  <cr>
(config-map-class)# frame-relay traffic 9600 18000
(config-map-class)# frame-relay adaptive-shaping ?
  becn       Enable rate adjustment in response to BECN
  foresight  Enable rate adjustment in response to ForeSight messages and BECN
(config-map-class)# frame-relay adaptive-shaping becn
(config-map-class)# frame-relay priority-group 3
(config-map-class)# exit
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping
(config-if)# frame-relay class kirkcaldy
Explanation
Traffic shaping controls the traffic going out of an interface, and should match the flow of
traffic to the rate at which the remote device is able to receive the data. The
commands used include:
frame-relay adaptive-shaping [becn | foresight]
Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart4/qcfrts.htm
Objectives
The objectives of this challenge are to:
Example
# config t
(config)# map-class frame-relay ion
(config-map-class)# frame-relay priority-group 37
(config-map-class)# exit
(config)# priority-list 37 protocol ip normal
(config)# priority-list 37 default ?
high
medium
normal
low
(config)# priority-list 37 default medium
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping
(config-if)# frame-relay class kirkcaldy
Explanation
With priority queueing the traffic is prioritized using a priority-list, and the priority-group
command within the map-class defines which priority-list to use. The queues are: high,
medium, normal and low priority. The router searches the high queue first, and
transmits these packets before those of the other queues, and so on. Thus high priority traffic is
defined as traffic which must go, no matter what, while other traffic can be dropped.
To configure priority queueing the following syntax is used:
priority-list list-number protocol protocol-name {high | medium | normal | low} queue-keyword keyword-value
where
protocol-name classifies the traffic. It is typically IP, but can be IPX, AppleTalk, and so on.
list-number defines that all statements use the same policy, and can range from 1 to 16.
queue-keyword can be one of: fragments, gt, lt, list, tcp, and udp.
keyword-value specifies the port for TCP or UDP.
The default queue for all other traffic can then be specified with:
priority-list list-number default {high | medium | normal | low}
Ref
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800b75b0.html
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 100 permit tcp 215.78.24.0 255.255.0.0 97.49.56.0 255.255.0.0 eq smtp
(config)# map-class frame-relay ion
(config-map-class)# frame-relay priority-group 37
(config-map-class)# exit
(config)# queue-list ?
  <1-16>  Queue list number
(config)# queue-list 13 ?
  default        Set custom queue for unspecified datagrams
  interface      Establish priorities for packets from a named interface
  lowest-custom  Set lowest number of queue to be treated as custom
  protocol       priority queueing by protocol
  queue          Configure parameters for a particular queue
  stun           Establish priorities for stun packets
(config)# queue-list 13 protocol ?
  arp            IP ARP
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  compressedtcp  Compressed TCP
  ip             IP
  ipx            Novell IPX
  llc2           llc2
  pad            PAD links
  snapshot       Snapshot routing support
(config)# queue-list 13 protocol ip ?
  <0-16>  queue number
(config)# que_list_placeholder_never_emitted
(config)# queue-list 13 protocol ip 1 list 100
(config)# queue-list 13 queue 1 byte-count 1000 limit 2
(config)# queue-list 13 queue 2 byte-count 700 limit 20
(config)# queue-list 13 default 2
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping
NetworkSims.com
106
Explanation
This example uses two queues, which are identified by an ACL (in this case they are the
same, but normally they would have different ACLs). For example the first queue is
matched to the ACL with a number of 100:
queue-list 13 protocol ip 1 list 100
The following command defines that queue 1 has a byte-count limit of 1000 bytes and that
there is a maximum of two packets in the queue:
queue-list 13 queue 1 byte-count 1000 limit 2
Ref:
http://www.cisco.com/en/US/products/hw/switches/ps1893/products_command_reference_
chapter09186a008007dec9.html
Example
> en
# config t
(config)# int s0
(config-if)# ip address 139.202.25.3 255.255.255.240
(config-if)# no shut
(config-if)# backup ?
delay
Delays before backup line up or down transitions
interface Configure an interface as a backup
NetworkSims.com
107
load
Load thresholds for line up or down transitions
(config-if)# backup interface ?
Async
Async interface
BRI
ISDN Basic Rate Interface
BVI
Bridge-Group Virtual Interface
Dialer
Dialer interface
FastEthernet
FastEthernet IEEE 802.3
Group-Async
Async Group interface
Lex
Lex interface
Loopback
Loopback interface
Multilink
Multilink-group interface
Null
Null interface
Serial
Serial
Tunnel
Tunnel interface
Virtual-Template
Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan
Catalyst Vlans
(config-if)# backup interface bri0
(config-if)# backup delay ?
<0-4294967294> Seconds
never
Never activate the backup line
(config-if)# backup delay 52 ?
<0-4294967294> Seconds
never
Never deactivate the backup line
(config-if)# backup delay 52 83
(config-if)# backup load 86 68
Remember to check that the BRI0 interface is now a backup, such as:
# sh interface bri0
BRI0 is standby mode, line protocol is down
Hardware is PQUICC BRI with U interface
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Explanation
NetworkSims.com
108
A backup route is important to provide resiliance. The following defines that the BRI0
interface will be the backup route:
backup interface bri0
Then to activate the backup after 52 seconds of the primary line being in active, and for the
secondary to backup after 83 seconds of the primary line being re-activated, the following
command is used:
backup delay 52 83
When loading is used, the following defines that the backup route becomes active when at
86% of the full load, and deactives at 68% of full load:
backup load 86 68
Ref:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_c
hapter09186a00800ca527.html
Example
> en
# config t
(config)# int s0
(config-if)# encapsulation frame-relay
(config-if)# fair-queue 128
(config-if)# bandwidth 100
(config-if)# exit
NetworkSims.com
109
(config)# exit
Ref:
http://www.opalsoft.net/qos/WhyQos-2424.htm
Define CBWFQ.
Example
NetworkSims.com
110
> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0
0.0.255.255
(config)# class-map tayside
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# class tayside
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle
Explanation
The following shows an example of limiting all the traffic which fits access-list 111 to
2Mbps:
Class
map
Identify traffic
characteristic
Policy
map
Service
policy
Define the
policy for the
traffic
Apply the
policy to
an interface
# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
# class-map cmap
(config-cmap)# match access-group 111
# int s0
(config-if)# service-policy output pmap
Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html
NetworkSims.com
111
Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 31.255.255.255
(config)# ip nat pool mynatpool 150.122.41.150 150.122.41.99
255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
netmask
Example
NetworkSims.com
112
> en
# config t
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
In this case the lines:
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
defines that a host with the address of 160.94.210.50 will be viewed from the outside of the
network as 93.123.33.13. Thus, for example, if the host at 160.94.210.50 is a Web server, users
from outside the network will access it using the address of 93.123.33.13. Normally servers
which have public access have a static mappings as this allows them to be accessed through
the static mapping.
Theory
Network address translation (NAT) is defined in RFC1631, and swaps one network address
with another. This allows private networks (RFC1918) to be created, which are then
translated to public address when they access the Internet. A router can operate at the
border of a domain and translate addresses from private to public, and vice-versa. For
example, a node could be given a private address of 192.168.10.12. The NAT could then
translate this to a public address of 168.10.34.31. The NAT table would then have the
mapping of:
Private
192.168.10.12
Public
168.10.34.21
If a host from outside the domain sends a data packet back to the domain, the NAT will
translate the public address back into the private address. These translations can be
statically assigned, such as where it is setup with a permanent mapping, or dynamically,
where the tables can change as the network requires. Figure 1 gives an example, where the
destination address is 11.22.33.44. The address in this case is changed from 192.168.10.12 to
168.10.34.21, as the data packet goes out of the domain, and is changed back when it comes
back into the domain.
NetworkSims.com
113
Outgoing
Outgoingdata
data
IP
IP Src:
Src: 168.10.34.21
168.10.34.21
IP
Dest:
IP Dest: 11.22.33.44
11.22.33.44
Outgoing
Outgoingdata
data
NAT
NAT
Router
Router
IP
IP Src:
Src: 11.22.33.44
11.22.33.44
IP
Dest:
IP Dest: 192.168.10.12
192.168.10.12
IP
IP Src:
Src: 11.22.33.44
11.22.33.44
IP
IP Dest:
Dest: 168.10.34.21
168.10.34.21
Incoming
Incomingdata
data
Incoming
Incomingdata
data
Figure 1
Example of NAT
NetworkSims.com
114
Src:
Src: 192.168.10.12:4444
192.168.10.12:4444
Dest:
Dest: 11.22.33.44:80
11.22.33.44:80
Outgoing
Outgoingdata
data
Src:
Src: 168.10.34.21:5555
168.10.34.21:5555
Dest:
Dest: 11.22.33.44:80
11.22.33.44:80
Outgoing
Outgoingdata
data
N
Src:
Src: 11.22.33.44:80
11.22.33.44:80
Dest:
Dest: 192.168.10.12:4444
192.168.10.12:4444
Src:
Src: 11.22.33.44:80
11.22.33.44:80
Dest:
Dest: 168.10.34.21:5555
168.10.34.21:5555
Incoming
Incomingdata
data
Incoming
Incomingdata
data
PAT (Port address translation) Maps many addresses to one global address.
Figure 2
Outgoing
Outgoingdata
data
Src:
Src: 168.10.34.21:5555
168.10.34.21:5555
Dest:
Dest: 11.22.33.44:80
11.22.33.44:80
Outgoing
Outgoingdata
data
N
Src:
Src: 11.22.33.44:80
11.22.33.44:80
Dest:
Dest: 192.168.10.12:4444
192.168.10.12:4444
Src:
Src: 11.22.33.44:80
11.22.33.44:80
Dest:
Dest: 168.10.34.21:5555
168.10.34.21:5555
Incoming
Incomingdata
data
Incoming
Incomingdata
data
IP:port (inside)
192.168.10.12:4444
192.168.10.12:4445
192.168.10.12:4446
192.168.10.20:1234
Figure 3
IP:port (outside)
168.10.34.21:5555
168.10.34.21:5556
168.10.34.21:5557
168.10.34.21:5558
Ipdest:port
11.122.33.44:80
11.122.33.44:80
11.122.33.44:80
11.122.33.44:80
NAT types
The three main types of NAT are:
w1.x1.y1.z1
a1.b1.c1.d1
NetworkSims.com
N
a2.b2.c2.d2
Private
address
w2.x2.y2.z2
Public
address
one
for
does
115
not hide the internal network. As the network addresses are statically defined, the nodes
inside the network can be contacted directly from outside. Static translation also does
not save in network addresses, although an organisation may limit access by limiting the
number of private addresses which are available.
IP
Masquerading
(Dynamic
w.x.y.z
a1.b1.c1.d1
Translation). A single public IP address
is
used for the whole network. The table is
thus dynamic, and uses TCP ports to
N
identify
connections. It has the
w.x.y.z
a2.b2.c2.d2
advantage that a complete network
Private
Public
requires only a single public address,
address
address
but, of course, the network which is
allocted with private addresses is dependent upon the NAT device for its connection to
external networks.
Load Balancing Translation. With this, a request is made to a resource, such as to a
WWW server, the NAT device then looks at the current loading of the systems, and
forwards the request to the one which is most lightly used (Figure 4).
NAT device selects the
least used resource
a1.b1.c1.d1
Or
a1.b1.c1.d1
Or
an.bn.cn.dn
w.x.y.z
Private
address
a1.b1.c1.d1
a1.b1.c1.d1
Public
address
an.bn.cn.dn
Server pool
Figure 4
NAT backtracking
Dynamic NAT is good at isolating the external network from a pubic untrusted network, as
it allows the NAT device to create a table of connections which have been initiated from
inside. Thus external devices cannot contact hosts as they cannot be mapped into in the
NAT device. Unfortunately some applications, such as FTP and IRC, require a server
connection to be setup on the host. Thus the NAT device must be able to implement
backtracking of connections, as illustrated in Figure 5.
NetworkSims.com
116
w1.x1.y1.z1
a1.b1.c1.d1
N
w2.x2.y2.z2
a2.b2.c2.d2
Private
address
Public
address
NAT is good
as we are isolated
from the external
public network, where
our hosts make the
initiate connections
w.x.y.z
a1.b1.c1.d1
N
a2.b2.c2.d2
Private
address
Public
address
Figure 5
NAT backtracking
NAT weaknesses
Static NAT is poor for security, as it does not hide the network. This is because there is a
one-to-one mapping, and external nodes can thus connect to internal devices. It also does
not hide the host from the external network, so that it can be traced, if the mapping table is
known. Dynamic NAT is much better for security, as it hides the network. Unfortunately it
has two major weaknesses:
- Backtracking allows external parties to trace back a connection.
- If the NAT device becomes compromised the external party can redirect traffic.
These weaknesses are illustrated in Figure 5.
Figure: NAT weaknesses. Backtracking lets an external party trace a connection from w1.x1.y1.z1 back through the NAT device (N) to a1.b1.c1.d1; a compromised NAT table causes a connection intended for the corporate WWW site to point to the external intruder's WWW site.
A pool of global addresses is defined with:
RouterA(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
where the subnet mask is given either by the optional netmask argument (such as
255.255.255.0) or as a length with prefix-length (24 for the 255.255.255.0 subnet mask).
After this, the packets which will be translated are defined. This is achieved with the
access-list command, which has the form:
RouterA# config t
RouterA(config)#access-list access-list-number permit source [source-wildcard]
where the access list number identifies the list. The interfaces are then marked as inside
or outside, for example (for e0 and s0):
RouterA# config t
RouterA(config)# int e0
RouterA(config-if)#ip nat inside
RouterA(config-if)# int s0
RouterA(config-if)#ip nat outside
ip nat inside marks the interface facing the hosts whose addresses are translated, and
ip nat outside marks the interface facing the external network. Translation takes place on
packets crossing from one to the other, in both directions.
For example, to define a pool of addresses from 180.10.11.1 to 180.10.11.254:
RouterA(config)#ip nat pool org_pool 180.10.11.1 180.10.11.254 netmask 255.255.255.0
which defines the global addresses as org_pool. These are the addresses that translated data
packets carry out on the Internet. An access-list command then selects the inside addresses
to be translated, and the ip nat inside source command ties the list to the pool:
RouterA(config)#access-list 2 permit 192.168.10.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pool
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
Thus if a host with an address of 192.168.10.10 sends a data packet out of the network, it will
be seen with one of the addresses from the pool, such as 180.10.11.1, and all hosts outside the
network will use that pool address to communicate with the node. By default, dynamic entries
remain in the table for up to 24 hours without traffic, so that replies can still be translated.
The time-out can be changed using the command:
RouterA(config)#ip nat translation timeout seconds
This is an important factor when a large number of hosts share a limited pool of addresses: a
lower time-out releases an idle address sooner, so that another node can use it.
NAT also limits external users in their ability to connect to the local network, as the
translations are not permanent (unless a static translation is implemented), and it hides the
internal addressing. This is a side effect rather than a security control: inbound traffic is
only dropped while no matching entry exists, so an access list or firewall is still needed on
the outside interface.
Static translation uses a fixed lookup table, where each internal address which requires
Internet access has a corresponding public IP address. Used on its own it cannot therefore
conserve IP addresses. Typically the two methods are combined: important nodes, such as
servers, get a static entry, as this guarantees them a fixed address, while less important
nodes are granted a dynamic translation. This also aids security, as the important devices
can run enhanced security and monitoring software, which might not be possible on
lower-level devices that are typically administered day to day by non-IT personnel.
Static addresses are also useful in translating network topologies from one network
address structure to another, or even when individual nodes are moved from one subnet to
another.
An example of configuring a static translation for a node at 192.168.10.10 to the address
180.10.11.1:
RouterA(config)#ip nat inside source static 192.168.10.10 180.10.11.1
This is then applied to the inside and outside interfaces with:
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
NAT allows organisations to quickly remap their addresses as conditions require, such as when
changing Internet access provider, or to respond to a network breach.
One of the advanced features of NAT routers is Port Address Translation (PAT), which
allows multiple inside addresses to map to the same global address. This is sometimes called
many-to-one NAT, or address overloading. With address overloading, many privately
addressed nodes can access the Internet using a single global address. The NAT router keeps
track of the different conversations by recording the TCP and UDP port numbers in the
translation table. A translation entry which maps one IP address and port pair to another is
called an extended table entry; this table matches internal private IP addresses and ports
to the global address and a (possibly rewritten) port.
The NAT command used to configure PAT is:
RouterA(config)#ip nat inside source list access-list-number pool name overload
For example, if a network has 20 global IP addresses from 180.10.11.1 to 180.10.11.20, the
router could be configured with:
RouterA(config)#ip nat pool org_pat_pool 180.10.11.1 180.10.11.20 netmask 255.255.255.0
RouterA(config)#access-list 2 permit 10.1.1.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pat_pool overload
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
This creates an access list numbered 2, which is applied with the overload keyword to
provide PAT. This method is obviously important in a home network, where the provider grants
a single IP address to the router; the home network can then be set up with private
addresses.
Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 0.0.0.255
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool overload
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
NAT overload is used when more inside hosts need to be translated than there are addresses
in the pool. In this case:
(config)# access-list 7 permit 195.11.220.0 0.0.0.255
defines the inside addresses (195.11.220.0/24) that will be translated, and the ip nat pool
command defines the global addresses. As NAT overload is used, many more inside addresses
can be mapped to this pool than it contains. Finally NAT overload is defined with:
(config)# ip nat inside source list 7 pool mynatpool overload
With NAT overload the device overloads the first address, allocating a different port for
each conversation. Once it reaches the limit of ports for that address it moves on to the
second address, and so on.
Define an overloaded NAT, and define the port for the external address.
Example
> en
# config t
(config)# access-list 8 permit 195.11.220.0 0.0.0.255
(config)# ip nat inside source list 8 interface s0 ?
  overload  Overload an address translation
  <cr>
(config)# ip nat inside source list 8 interface s0 overload
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
NAT overload without a pool is used where there is only a single address available, which
is borrowed from the external interface. In this case:
(config)# ip nat inside source list 8 interface s0 overload
uses the address on the S0 interface as the external address. Thus all of the internal
addresses matched by access list 8 are translated to that single external address as traffic
passes from inside the network to the outside. This is typically the case for a home network,
which has only a single address for its Internet connection.
Example
> en
# config t
(config)# access-list 7 permit host 195.11.220.2
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 ?
  type  Specify the pool type
  <cr>
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type ?
  match-host  Keep host numbers the same after translation
  rotary      Rotary address pool
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type rotary
(config)# ip nat inside destination list 7 pool globalnat
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
TCP load distribution is used where there is a pool of real servers behind a single virtual
address: the NAT device hands each new inbound TCP connection to the next server in the
pool, in order to even out the load. The command:
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type rotary
defines the addresses of the real servers (the inside local addresses) as a rotary pool, and
access list 7 matches the virtual address 195.11.220.2 (the inside global address) that the
clients connect to. For example, the translations would be:
       Inside global     Inside local
  1st: 195.11.220.2  ->  208.132.69.7
  2nd: 195.11.220.2  ->  208.132.69.8
  3rd: 195.11.220.2  ->  208.132.69.9
and so on. Thus when the first connection comes in for the address 195.11.220.2 it is
translated to 208.132.69.7, the second to 208.132.69.8, and each of the servers receives a
more equal loading. The following command defines a dynamic destination translation (where
normally NAT translates the source address of a node on the inside network):
(config)# ip nat inside destination list 7 pool globalnat
Only new TCP connections are distributed in this way, and the router does not check whether
a server is up, so a failed server still receives its share of connections.
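The following is an added model of the two translation-table behaviours described on this page, the overloaded (PAT) source translation with its extended address:port entries and the rotary destination pool just shown; it is example code written for this edit, not NetworkSims or Cisco code. Addresses are taken from the page's examples; the flows and the deliberately tiny port range used to show the roll-over to the next pool address are constructed here.

```python
"""Model of the IOS NAT translation table for 'overload' and 'type rotary'."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """ip nat inside source list <n> pool <name> overload

    Each extended entry maps (proto, inside local ip:port) to an
    (inside global ip:port) pair. The first pool address is overloaded
    until its port space is used up, then the next address is taken.
    """

    def __init__(self, pool, inside_prefix, ports=range(1024, 65536)):
        self.pool = list(pool)
        self.inside_prefix = inside_prefix   # stands in for the access-list match
        self.ports = ports
        self.table = {}                      # (proto, local ip, local port) -> (global ip, port)
        self.used = {ip: set() for ip in self.pool}

    def translate(self, flow):
        if not flow.src_ip.startswith(self.inside_prefix):
            return flow                      # not permitted by the list: forwarded untranslated
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.table:
            self.table[key] = self._allocate(flow.src_port)
        gip, gport = self.table[key]
        return Flow(flow.proto, gip, gport, flow.dst_ip, flow.dst_port)

    def _allocate(self, preferred):
        for gip in self.pool:
            # keep the original source port when it is free, otherwise the next free one
            for port in itertools.chain((preferred,), self.ports):
                if port in self.ports and port not in self.used[gip]:
                    self.used[gip].add(port)
                    return gip, port
        raise RuntimeError("PAT pool exhausted: no free address:port")


class RotaryPool:
    """ip nat inside destination list <n> pool <name> type rotary

    New TCP connections to the inside global (virtual) address are handed
    to the inside local servers in turn; an established session keeps its server.
    """

    def __init__(self, virtual_ip, servers):
        self.virtual_ip = virtual_ip
        self.servers = list(servers)
        self.next_index = 0
        self.sessions = {}                   # (client ip, client port) -> server

    def translate_inbound(self, flow):
        if flow.proto != "tcp" or flow.dst_ip != self.virtual_ip:
            return flow
        key = (flow.src_ip, flow.src_port)
        if key not in self.sessions:
            self.sessions[key] = self.servers[self.next_index % len(self.servers)]
            self.next_index += 1
        return Flow(flow.proto, flow.src_ip, flow.src_port, self.sessions[key], flow.dst_port)


def demo():
    """Run both translators over constructed flows; returns (outbound, inbound) as seen
    on the outside of the NAT device."""
    # two pool addresses with only two ports each, so the third host rolls over
    pat = PatTranslator(["150.122.41.99", "150.122.41.100"], "195.11.220.",
                        ports=range(1024, 1026))
    outbound = [pat.translate(Flow("tcp", f"195.11.220.{h}", 40000, "203.0.113.9", 80))
                for h in (10, 11, 12)]
    rotary = RotaryPool("195.11.220.2", ["208.132.69.7", "208.132.69.8", "208.132.69.9"])
    inbound = [rotary.translate_inbound(Flow("tcp", "203.0.113.9", 50000 + i, "195.11.220.2", 80))
               for i in range(4)]
    return outbound, inbound


if __name__ == "__main__":
    out, inb = demo()
    for f in out + inb:
        print(f)
```

The inside_prefix string replaces the access list for simplicity; the point to take from the model is that every PAT entry is keyed on protocol, address and port, which is why the table can outgrow the pool, and that the rotary pool distributes by connection count only, without any health check.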
Outline
This challenge involves the configuration of NAT for overlapping networks.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 0.0.0.255
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0
(config)# ip nat pool yournatpool 140.22.41.99 140.22.41.150 netmask 255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool
(config)# ip nat outside source list 7 pool yournatpool
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
Overlapping networks occur when the inside network and an outside network that must be
reached both use the same address range (here 195.11.220.0/24). Two translations are
needed: ip nat inside source translates the inside addresses to mynatpool as packets leave,
and ip nat outside source translates the overlapping outside addresses to yournatpool as
packets enter, so that inside hosts see the outside hosts at distinct addresses and routing
is unambiguous.
Example
> en
# config t
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer idle-timeout 100
(config-if)# dialer fast-idle 80
(config-if)# dialer string 2221111
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# int bri0
(config-if)# dialer pool-member 1
Example
> en
# config t
(config)# map-class dialer kirkcaldy
(config-map-class)# dialer fast-idle 15
(config-map-class)# dialer idle-timeout 60
(config-map-class)# exit
Explanation
In the previous example (Challenge 75), the following was used:
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer idle-timeout 100
(config-if)# dialer fast-idle 80
(config-if)# dialer string 2221111
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# int bri0
(config-if)# dialer pool-member 1
In order to allow reuse, a map-class can be created for the characteristics of the dial
string (here the fast-idle and idle timers), such as:
(config)# map-class dialer kirkcaldy
(config-map-class)# dialer fast-idle 15
(config-map-class)# dialer idle-timeout 60
(config-map-class)# exit
The class is then referenced from the dialer string (dialer string 2221111 class kirkcaldy)
or a dialer map with the class keyword, so that the same timer settings apply wherever the
class is named.
Objectives
The objectives of this challenge are to:
Define AAA.
Define the local server.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2
Define AAA.
Define the radius server.
Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication ppp default group radius
(config)# aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
(config)# aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.
(config)# aaa authorization network default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius
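Two points on the configuration above that the command list does not show. First, aaa authentication login default group radius has no fallback method: if the RADIUS server at 39.100.234.1 is unreachable, nobody can log in, which is why a second method (for example group radius local) is normally listed. Second, the key set with radius-server key is all that protects the exchange. The following added example, written for this edit and not taken from NetworkSims or Cisco, shows what that key does: the NAS builds an Access-Request in which the User-Password is hidden with the key (RFC 2865, section 5.2), the server recovers the password and answers, and the NAS checks the Response Authenticator on the reply. The key krinkle and the user fred/bert come from the page; the 16-byte Request Authenticator is fixed here so the run is reproducible, whereas a real NAS must use unpredictable random bytes.

```python
"""RADIUS Access-Request / Access-Accept with a shared key (RFC 2865)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password: the same key stream, so XOR undoes it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    attrs, pos, end = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, request_auth, username, password, secret):
    """NAS side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_answer(request, secret, users):
    """Server side: recover the password, check the user, sign the reply with the key."""
    ident, request_auth = request[1], request[4:20]
    attrs = parse_attributes(request)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME].decode(), b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + \
        response_authenticator(code, ident, b"", request_auth, secret)


def nas_accepts(reply, request, secret):
    """NAS side: only an Access-Accept whose authenticator was made with our key counts."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"krinkle"                       # radius-server key krinkle
    request_auth = bytes(range(16))           # constructed; real NASes use random bytes
    req = build_access_request(7, request_auth, b"fred", b"bert", secret)
    reply = server_answer(req, secret, {"fred": b"bert"})
    print("hidden password on the wire:", parse_attributes(req)[ATTR_USER_PASSWORD].hex())
    print("NAS accepts reply:", nas_accepts(reply, req, secret))
```

Everything here rests on MD5 of the shared key, so the key must be long and random: with a guessable key, a captured Access-Request gives an offline dictionary attack on the key and then every password that crossed the link, and a forged Access-Accept would pass the authenticator check. Keep RADIUS traffic on a management network and, where the IOS image supports it, prefer TACACS+ (which encrypts the whole body) for device administration.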
Define AAA.
Define the Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged (user EXEC) mode with a prompt of router>.
Level 15. This is the highest level of privilege (privileged EXEC) and has a prompt of router#.
Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
moves these commands to Level 7. For example, ping is a Level 1 command and is now a
Level 7 command, while the rest have moved from Level 15 to Level 7. The aaa authorization
commands lines then send each command issued at levels 0, 7 and 15 to the TACACS+ server
for approval before it runs. Per-command authorization of this kind is only available with
TACACS+; RADIUS does not separate authorization from authentication, so these lines must
point at a TACACS+ server.
Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
Explanation
The two privilege lines:
(config)# username fred privilege 15
(config)# username test privilege 1
set the maximum privilege level for fred at 15, while test will only be able to enter
non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts access for fred to a single host (192.168.0.1), so that the user will not be able to
log in from any other host. The following:
(config)# username test user-maxlinks 2
limits test to two concurrent inbound links. Note that username test nopassword lets that
account log in without any password at all, and username fred password bert stores the
password reversibly (in the clear, or as type 7 with service password-encryption); a
username ... secret entry, which is hashed, is preferable for any account that matters.
Objectives
The objectives of this challenge are to:
Define Tacacs+.
Define accounting for start and stop events.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa accounting network default start-stop group tacacs+
(config)# aaa accounting reverse-access default start-stop group tacacs+
Define E0.
Define ATM.
Define bridge protocol.
Example
> enable
# config t
(config)# bridge 1 protocol ieee
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# bridge-group 1
(config-if)# exit
(config)# int atm0
(config-if)# mac-address 1111.2222.3333
(config-if)# dsl operating-mode auto
(config-if)# bridge-group 1
(config-if)# pvc 8/35
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
Explanation
In this case a transparent bridge (bridge group 1, running the IEEE spanning-tree protocol)
is created between the E0 and the ATM0 port. The encapsulation is aal5snap (AAL5 with
LLC/SNAP, Logical Link Control/Subnetwork Access Protocol, headers), which supports multiple
protocols over the same PVC.
Define a dialer
Define ATM.
Example
> enable
# config t
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# pppoe-client dial-pool-number 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
Explanation
PPPoE encapsulates PPP within an Ethernet frame.
Define a dialer.
Define ATM.
Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# encapsulation aal5mux ppp dialer
(config-atm-vc)# dialer pool-member 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
(config-if)# exit
(config)# ip nat inside source list 10 interface dialer0 overload
(config)# access-list 10 permit 192.168.1.0 0.0.0.255
(config)# ip route 0.0.0.0 0.0.0.0 dialer0
Explanation
PPPoA encapsulates PPP within ATM cells.
Define a dialer
Define ATM.
Example
> enable
# config t
(config)# vpdn enable
(config)# vpdn-group test
(config-vpdn)# request-dialin
(config-vpdn-req-in)# protocol pppoe
(config-vpdn-req-in)# exit
(config-vpdn)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# pppoe-client dial-pool-number 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
Outline
This challenge involves the configuration of interactive PPP sessions.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# async ?
  default  Specify default parameters
  dynamic  Specify parameters which user may change
  mode     Specify line mode (interactive or dedicated interface use)
(config-if)# async mode ?
  dedicated    Line is dedicated as an async interface
  interactive  Line may be switched between interactive use and async interface
(config-if)# async mode interactive
(config-if)# exit
(config)# line 1
(config-line)# autoselect ?
  arap          Set line to allow ARAP autoselection
  during-login  Do autoselect at the Username/Password prompt
  ppp           Set line to allow PPP autoselection
  slip          Set line to allow SLIP autoselection
  timeout       Set wait timeout for initial autoselect byte
  <cr>
(config-line)# autoselect ppp
(config-line)# autoselect during-login
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int loopback1
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# int async 6
(config-if)# ip unnumbered loopback1
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address 192.168.1.1
Explanation
In this example the access server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host the IP address 192.168.1.1 (Figure 1).
Figure 1: A host dials in over the PSTN to Async 6 of the access server, which is configured with the commands above (int async 6; peer default ip address 192.168.1.1).
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address pool testing
(config)# ip local pool testing 10.0.0.1 10.0.0.10
Explanation
In this example the access server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host an IP address from the pool of
addresses 10.0.0.1 to 10.0.0.10 (see Figure 1).
Figure 1: A host dials in over the PSTN to Async 6 and receives an address from the local pool testing, using the configuration above (peer default ip address pool testing; ip local pool testing 10.0.0.1 10.0.0.10).
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address dhcp-pool wyoming
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.0
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout
(config)# ip dhcp ping timeout 350
Explanation
In this example the access server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host an IP address taken from the DHCP pool
wyoming (Figure 1). The excluded address 249.189.108.26 is never handed out, and the router
pings a candidate address (waiting up to 350 ms for a reply) before offering it, so that an
address already in use is not assigned twice.
Figure 1: A host dials in over the PSTN to Async 6 and is assigned an address from the DHCP pool, using the configuration above (peer default ip address dhcp-pool wyoming; ip dhcp pool wyoming with network 249.189.108.0 255.255.255.0, dns-server 249.189.108.58, netbios-name-server 249.189.108.61, lease 3, default-router 249.189.108.87; ip dhcp excluded-address 249.189.108.26; ip dhcp ping timeout 350).
Example
> enable
# config t
(config)# hostname edinburgh
(config)# username newyork password test
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# dialer map ip 192.168.1.2 name newyork
(config-if)# ppp pap sent-username edinburgh password ttt
Explanation
In this example the PAP username is set to the hostname of the remote device. Figure 1 shows
the configuration for the two devices, on which either can connect to the other; the
configuration of the peer is:
> enable
# config t
(config)# hostname newyork
(config)# username edinburgh password ttt
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.2 255.255.255.0
(config-if)# dialer map ip 192.168.1.1 name edinburgh
(config-if)# ppp pap sent-username newyork password test
Each side's username entry holds the password the other side sends: edinburgh sends ttt,
which newyork checks against username edinburgh password ttt, and newyork sends test, which
edinburgh checks against username newyork password test. PAP sends these passwords in the
clear over the link; CHAP (ppp authentication chap) should be preferred where both ends
support it.
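To make the difference between ppp authentication pap and ppp authentication chap concrete, the following added example (written for this edit, not NetworkSims or Cisco code) models both routers and records what an eavesdropper on the line would capture. The PAP part uses the page's usernames and passwords; CHAP requires the same secret at both ends, so the CHAP part assumes username edinburgh password default1 on newyork and the matching ppp chap password default1 on edinburgh (default1 is taken from the page's PPPoE example). Frames are simplified to tuples and the CHAP challenge is fixed for reproducibility, whereas a real authenticator sends fresh random bytes each time.

```python
"""PAP (RFC 1334) versus CHAP (RFC 1994) on the edinburgh/newyork link."""
import hashlib
import hmac
import secrets

# PAP credential stores, as on the page ('username <peer> password <pw>')
EDINBURGH_USERS = {"newyork": b"test"}
NEWYORK_USERS = {"edinburgh": b"ttt"}

# CHAP needs one shared secret per peer pair; assumed value from the PPPoE example
CHAP_SECRET = b"default1"
CHAP_USERS_NEWYORK = {"edinburgh": CHAP_SECRET}


def pap_authenticate_request(peer_id, password):
    """PAP: the caller's name and password travel in the clear in one frame."""
    return ("PAP-Authenticate-Request", peer_id, password)


def pap_check(users, frame):
    _, peer_id, password = frame
    return peer_id in users and hmac.compare_digest(users[peer_id], password)


def chap_challenge(identifier, my_name, challenge=None):
    """CHAP: the authenticator sends an identifier, a fresh challenge and its name."""
    return ("CHAP-Challenge", identifier, challenge or secrets.token_bytes(16), my_name)


def chap_response(challenge_frame, my_name, secret):
    """The peer proves knowledge of the secret without sending it."""
    _, identifier, challenge, _ = challenge_frame
    digest = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return ("CHAP-Response", identifier, digest, my_name)


def chap_check(users, challenge_frame, response_frame):
    """Recompute MD5(id || secret || challenge) from the stored secret and compare."""
    _, cid, challenge, _ = challenge_frame
    _, rid, digest, peer = response_frame
    if rid != cid or peer not in users:
        return False
    expected = hashlib.md5(bytes([cid]) + users[peer] + challenge).digest()
    return hmac.compare_digest(expected, digest)


def run_pap():
    """edinburgh dials newyork: 'ppp pap sent-username edinburgh password ttt'."""
    wire = [pap_authenticate_request("edinburgh", b"ttt")]
    return pap_check(NEWYORK_USERS, wire[0]), wire


def run_chap(challenge=bytes(16)):
    """newyork challenges; edinburgh answers with the shared CHAP secret."""
    wire = [chap_challenge(1, "newyork", challenge)]
    wire.append(chap_response(wire[0], "edinburgh", CHAP_SECRET))
    return chap_check(CHAP_USERS_NEWYORK, wire[0], wire[1]), wire


if __name__ == "__main__":
    ok, wire = run_pap()
    print("PAP accepted:", ok, "captured:", wire)
    ok, wire = run_chap()
    print("CHAP accepted:", ok, "captured:", wire)
```

With PAP the captured frame contains ttt itself, reusable from any host; with CHAP the captured response is only valid for that identifier and challenge, so it cannot be replayed, and the secret never appears on the line. CHAP still requires the secret to be stored reversibly on the router (it is hashed with the challenge, not stored hashed), which is why the username entries for CHAP peers must be protected like any other cleartext credential.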
Reverse telnet: telnet IP 2002 connects to TTY line 2 of the access server (TCP port 2000
plus the line number), which is why the lines below are given transport input all and no
exec.
Objectives
The objectives of this challenge are to: configure lines 1 to 16 for reverse telnet access.
Example
> enable
# config t
(config)# int loopback0
(config-if)# ip address 10.0.0.1 255.255.255.255
(config-if)# exit
(config)# int e0
(config-if)# ip address 192.168.1.100 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# line 1 16
(config-line)# tran input ?
  all     All protocols
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  telnet  TCP/IP Telnet protocol
  v120    Async over ISDN
(config-line)# transport input all
(config-line)# no ?
  absolute-timeout      Set absolute timeout for line disconnection
  access-class          Filter connections based on an IP access list
  activation-character  Define the activation character
  autobaud              Set line to normal autobaud
  autocommand           Automatically execute an EXEC command
  autocommand-options   Autocommand options
  autohangup            Automatically hangup when last connection closes
  autoselect            Set line to autoselect
  buffer-length         Set DMA buffer length
  data-character-bits   Size of characters being handled
  databits              Set number of data bits per character
  disconnect-character  Define the disconnect character
  dispatch-character    Define the dispatch character
  dispatch-machine      Reference a TCP dispatch state machine
  dispatch-timeout      Set the dispatch timer
  domain-lookup         Enable domain lookups in show commands
  editing               Enable command line editing
  escape-character      Change the current line's escape character
  exec                  Configure EXEC
  exec-banner           Enable the display of the EXEC banner
  exec-character-bits   Size of characters to the command exec
  exec-timeout          Set the EXEC timeout
  flowcontrol           Set the flow control
  flush-at-activation   Clear input stream at activation
  full-help             Provide help to unprivileged user
  history               Enable and control the command history function
hold-character
insecure
international
ip
length
location
lockable
logging
login
logout-warning
modem
monitor
motd-banner
notify
ntp
padding
parity
password
private
privilege
refuse-message
rotary
rxspeed
script
session-disconnect-warning
session-limit
session-timeout
special-character-bits
speed
start-character
stop-character
stopbits
telnet
terminal-type
timeout
transport
txspeed
vacant-message
width
x25
(config-line)# no exec
(config-line)# exit
(config)# exit
# sh version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 12.0(2a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Fri 01-Jan-99 14:38 by phanguye
Image text-base: 0x0302E1C0, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c)XB1, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c)XB1, PLATFORM SPECIFIC
RELEASE SOFTWARE (fc1)
cons uptime is 32 minutes
System restarted by power-on
System image file is "flash:c2500-i-l.120-2a"
password 7 045805071F70
login
!
end
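The line password 7 045805071F70 in the fragment above is what service password-encryption produces: the 7 marks a type 7 string, which is a XOR against a fixed, publicly known key with the first two digits giving the offset into that key, not a hash. Anyone who can read the configuration (show running-config, a TFTP backup, an SNMP community with write access) recovers the cleartext. The following added example, written for this edit and not NetworkSims or Cisco code, reverses the page's string and audits a small constructed configuration excerpt for reversible credentials; the enable secret line in the sample is a placeholder, not a real hash.

```python
"""Cisco type 7 ('password 7 ...') reversal and a reversible-credential audit."""

# the fixed key every IOS image uses for type 7; the seed selects the start offset
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """'SSHH..': SS is the decimal seed, HH.. the hex of plaintext XOR key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 4) -> str:
    """Inverse of type7_decode; IOS picks a seed between 0 and 15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"


def audit(config_text: str):
    """Return (config line, recovered cleartext) for every password stored as
    type 7 or in the clear. 'secret' lines (hashed) are left alone."""
    findings = []
    for line in config_text.splitlines():
        words = line.split()
        if "password" not in words:
            continue
        tail = words[words.index("password") + 1:]
        if len(tail) == 2 and tail[0] == "7":
            findings.append((line.strip(), type7_decode(tail[1])))
        elif len(tail) == 1 or (len(tail) == 2 and tail[0] == "0"):
            findings.append((line.strip(), tail[-1]))
    return findings


# constructed excerpt: the page's line password plus a cleartext username password
SAMPLE_CONFIG = """\
line vty 0 4
 password 7 045805071F70
 login
username june password default1
enable secret 5 $1$placeholder$notARealHash
"""


if __name__ == "__main__":
    for line, cleartext in audit(SAMPLE_CONFIG):
        print(f"{line!r} -> {cleartext!r}")
```

The practical rule that follows: treat a type 7 string as the cleartext it is, use enable secret and username ... secret (hashed) wherever IOS offers them, and reserve password 7 for the few places, such as CHAP peer secrets and RADIUS/TACACS+ keys, where the router itself needs the reversible value.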
# sh line
   Tty Typ     Tx/Rx     A Modem  Uses  Noise  Overruns  Int
     0 CTY               -    -       0      0      0/0    -
     1 TTY   9600/9600   -    -       0     22      0/0    -
     2 TTY   9600/9600   -    -       0     62      0/0    -
*    3 TTY   9600/9600   -    -       0     20      0/0    -
     4 TTY   9600/9600   -    -       0      0      0/0    -
     5 TTY   9600/9600   -    -       0      0      0/0    -
     6 TTY   9600/9600   -    -       0      0      0/0    -
     7 TTY   9600/9600   -    -       0      0      0/0    -
     8 TTY   9600/9600   -    -       0      2      0/0    -
     9 TTY   9600/9600   -    -       0      0      0/0    -
    10 TTY   9600/9600   -    -       0      2      0/0    -
    11 TTY   9600/9600   -    -       0      0      0/0    -
    12 TTY   9600/9600   -    -       0      0      0/0    -
    13 TTY   9600/9600   -    -       0      0      0/0    -
    14 TTY   9600/9600   -    -       0      0      0/0    -
    15 TTY   9600/9600   -    -       0      0      0/0    -
    16 TTY   9600/9600   -    -       0      0      0/0    -
    17 AUX   9600/9600   -    -       0      0      0/0    -
*   18 VTY               -    -       1      0      0/0    -
    19 VTY               -    -       0      0      0/0    -
    20 VTY               -    -       0      0      0/0    -
    21 VTY               -    -       0      0      0/0    -
    22 VTY               -    -       0      0      0/0    -
An asterisk marks a line that is currently in use; VTY 18 is the session issuing the
command. The Noise column counts characters received with framing errors, which is the
first thing to check when a reverse telnet session to a line shows garbage.
Example
> en
# config t
(config)# int vlan 1
(config-if)# ip address ?
A.B.C.D IP address
(config-if)# ip address 148.183.229.5 ?
A.B.C.D IP subnet mask
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name ?
WORD Default domain name
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway ?
A.B.C.D IP address of default gateway
(config)# ip default-gateway 148.183.229.6
Example
> en
# config t
(config)# lin con ?
  <0-0>  First Line number
(config)# line con 0
(config-line)# password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) line password
(config-line)# password texas
(config-line)# exit
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http server
(config)# ip http port ?
  <0-65535>  HTTP port
(config)# ip http port 1024
(config)# cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  timer         Specify the rate at which CDP packets are sent (in sec)
  run
(config)# cdp run
(config)# ip name-server 14.154.109.7
Explanation
ip http server enables a cleartext management interface on the switch (here moved to port
1024). If it must be enabled, restrict it with ip http access-class and set ip http
authentication to local or aaa rather than the enable password, and prefer ip http
secure-server where the image supports it. The console password texas is stored in the clear
unless service password-encryption is on, and even then only as a reversible type 7 string.
Example
# config t
(config)#line vty ?
<0-15> First Line number
(config)#line vty 0 ?
<1-15> Last Line number
<cr>
(config)# line vty 0 15
(config-line)# login
(config-line)# password manchester
(config-line)# exit
(config)# username june ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  <cr>
(config)# username june password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
(config)# username june password default1
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community ?
WORD SNMP community string
(config)# snmp-server community popup
(config)# snmp-server contact ?
LINE identification of the contact person for this managed node
Example
# config t
Enter configuration commands, one per line.
(config)# ip default-gateway 142.163.250.7
(config)# ip host ?
WORD Name of host
(config)# ip host brechin ?
  <0-65535>   Default telnet port number
  A.B.C.D     Host IP address
  additional  Append addresses
(config)# ip host brechin 209.250.181.10
(config)# ip host mississippi 208.194.196.5
(config)# ip host westvirginia 205.27.128.4
(config)# exit
# show hosts
Example
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# int fa0/1
(config-if)# no shutdown
(config-if)# description ?
LINE Up to 240 characters describing this interface
(config-if)# description aironet 1200
(config-if)# speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
(config-if)# speed 100
(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
(config-if)# duplex full
(config-if)# int fa0/2
(config-if)# no shutdown
(config-if)# exit
(config)# cdp run
(config)# int fa0/1
(config-if)# cdp ?
enable Enable CDP on interface
(config-if)# cdp enable
(config-if)# exit
(config)# cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  timer         Specify the rate at which CDP packets are sent (in sec)
  run
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp timer 89
(config)# cdp hold ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp holdtime 41
Example
> en
# vlan database
(vlan)# vlan 1 name newjersey
VLAN 1 added:
Name: newjersey
(vlan)# ?
VLAN database editing buffer manipulation commands:
  abort  Exit mode without applying the changes
  apply  Apply current changes and bump revision number
  exit   Apply changes, bump revision number, and exit mode
  no     Negate a command or set its defaults
  reset  Abandon current changes and reread current database
  show   Show database information
  vlan   Add, delete, or modify values associated with a single VLAN
  vtp    Perform VTP administrative functions.
(vlan)# vlan 2 ?
  are        Maximum number of All Route Explorer hops for this VLAN
  backupcrf  Backup CRF mode of the VLAN
  bridge     Bridging characteristics of the VLAN
  media      Media type of the VLAN
  mtu        VLAN Maximum Transmission Unit
  name       Ascii name of the VLAN
  parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring       Ring number of FDDI or Token Ring type VLANs
  said       IEEE 802.10 SAID
  state      Operational state of the VLAN
  ste        Maximum number of Spanning Tree Explorer hops for this VLAN
  stp        Spanning tree characteristics of the VLAN
  tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
  <cr>
(vlan)#vlan 2 name ?
WORD The ascii name for the VLAN
(vlan)# vlan 2 name brighton
VLAN 2 added:
Name: brighton
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config-if)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit
Note that the vlan database command is being phased out. The improved method is:
Switch(config)# vlan 1
Switch(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)
Switch(config-vlan)# name ?
WORD The ascii name for the VLAN
Switch(config-vlan)# name newjersey
Outline
This challenge involves the configuration of switchport access parameters.
Objectives
The objectives of this challenge are to:
Set up VLAN 2.
Define switchport access for VLAN 2.
Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan 2
(config-if)# int fa0/5
(config-if)# switchport access vlan 2
Note that the vlan database command is being phased out. The improved method is:
Switch(config)# vlan 2
Switch(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)
Switch(config-vlan)# name ?
WORD The ascii name for the VLAN
Switch(config-vlan)# name newjersey
Example
> en
# config t
(config)# line con 0
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# log ?
synchronous Synchronized message output
(config-line)# log synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10
Example
# clock ?
  set  Set the time and date
# clock set 06:25
# config t
(config)# ip ?
Global IP configuration subcommands:
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  alias                 Alias an IP address to a TCP port
  default-gateway       Specify default gateway (if not routing IP)
  dhcp-server           Specify address of DHCP server to use
  domain-list           Domain name to complete unqualified host names.
  domain-lookup         Enable IP Domain Name System hostname translation
  domain-name           Define the default domain name
  finger                finger server
  ftp                   FTP configuration commands
  gdp                   Router discovery mechanism
  gratuitous-arps       Generate gratuitous ARPs for PPP/SLIP peer addresses
  host                  Add an entry to the ip hostname table
  host-routing          Enable host-based routing (proxy ARP and redirect)
  hp-host               Enable the HP proxy probe service
  http                  HTTP server configuration
  icmp                  ICMP options
  igmp                  IGMP options
  local                 Specify local options
  name-server           Specify address of name server to use
  radius                RADIUS configuration commands
  rcmd                  Rcmd commands
  reflexive-list        Reflexive access list
  security              Specify system wide security information
  source-route          Process packets with source routing header options
  sticky-arp            Allow the creation of sticky ARP entries
  subnet-zero           Allow 'subnet zero' subnets
  tacacs                TACACS configuration commands
  tcp                   Global TCP parameters
  telnet                Specify telnet options
  tftp                  tftp configuration commands
(config)# ip subnet-zero
(config)# ip classless
(config)# boot system ?
  WORD   TFTP filename or URL
  flash  Boot from flash memory
  mop    Boot from a Decnet MOP server
  rcp    Boot from a server via rcp
  tftp   Boot from a tftp server
(config)# boot system tftp c28.bin
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
Example
# config t
(config)# int e0/1
(config-if)# description aironet 1200
(config-if)# shutdown
(config-if)# int e0/2
(config-if)# description production depart
(config-if)# shutdown
(config-if)# int e0/3
(config-if)# shutdown
Example
> en
# config t
(config)# ip name-server 205.105.14.3
(config)# password dates
(config)# enable password default
(config)# enable secret dates
(config)# username katie password hotel
(config)# username william password eggplant
(config)# username anne ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
Example
# config t
(config)# int fa0/1
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode trunk
(config-if)# switchport trunk ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)#switch trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
(config-if)# switchport trunk encapsulation dot1q
(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
<1-200000000> port path cost
(config-if)# spanning-tree cost 3
(config-if)# int fa0/2
(config-if)# switchport mode trunk
(config-if)# switchport trunk encapsulation dot1q
(config-if)# spanning-tree cost 31
(config-if)# int fa0/3
(config-if)# switchport mode trunk
(config-if)# switchport trunk encapsulation dot1q
(config-if)# spanning-tree cost 33
Example
> en
# config t
(config)# ip default-gateway 36.125.171.9
Enable logging.
Define Syslog server.
Define buffer size.
Define logging level.
Example
> enable
# config t
(config)# lo ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  cns-events           Set CNS Event logging level
  console              Set console logging level
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  file                 Set logging file parameters
  history              Configure syslog history table
  monitor              Set terminal line (monitor) logging level
  on                   Enable logging to all supported destinations
  rate-limit           Set messages per second limit
  source-interface     Specify interface for source address in logging
  trap                 Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  <cr>
Enable HTTP.
Define the HTTP server port.
Define authentication.
Define the helper path.
Define an access-class number.
Create banners.
Example
> en
# config t
(config)# ip http server
(config)# ip http port ?
<0-65535> HTTP port
(config)# ip http port 1024
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  help-path       HTTP help root URL
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http authentication ?
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
Example
# clock ?
set Set the time and date
# clock set 06:25
(config)# ip subnet-zero
(config)# ip classless
(config)# boot ?
  boothlpr             Boot Helper System Image
  buffersize           Specify the buffer size for filesystem-simulated NVRAM
  config-file          Configuration File
  enable-break         Enable Break while booting
  helper               Helper Image(s)
  helper-config-file   Helper Configuration File
  manual               Manual Boot
  private-config-file  Private Configuration File
  system               System Image
(config)# boot system ?
  WORD   TFTP filename or URL
  flash  Boot from flash memory
  mop    Boot from a Decnet MOP server
  rcp    Boot from a server via rcp
  tftp   Boot from a tftp server
(config)# boot system tftp c28.bin
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)#ip dhcp pool ?
WORD Pool name
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 ?
/nn or A.B.C.D Network mask or prefix length
<cr>
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server ?
Hostname or A.B.C.D Server's name or IP address
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp e ?
A.B.C.D Low IP address
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
  WORD     Pool name
  packets  Specify number of ping packets
  timeout  Specify ping timeout
(config)# ip dhcp ping timeout ?
<100-10000> Ping timeout in milliseconds
(config)# ip dhcp ping timeout 350
Outline
This challenge involves the configuration of services on the device.
Objectives
The objectives of this challenge are to:
Set up services.
Define timestamp formats.
Disable small TCP servers.
Disable small UDP servers.
Example
> en
# config t
(config)# service ?
  compress-config
  config
  dhcp
  disable-ip-fast-frag
  exec-callback
  exec-wait
  finger
  hide-telnet-addresses
  linenumber
  nagle
  old-slip-prompts
  pad
  password-encryption
  prompt
  pt-vty-logging
  sequence-numbers
  slave-log
  tcp-keepalives-in
Example
> en
# vlan database
(vlan)# vlan 1 name indiana
VLAN 1 added:
Name: indiana
(vlan)# vlan 2 name california
VLAN 2 added:
Name: california
(vlan)# vlan 10 name finland
VLAN 10 added:
Name: finland
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Transparent        Transparent interface
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
(config)# int range fa0/3 - 4
(config-if-range)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if-range)# switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if-range)# switchport access vlan 2
(config-if-range)# exit
(config)# int range fa0/5 - 7
(config-if-range)# switchport access vlan 10
(config-if-range)# exit
(config)# int range fa0/3 - 4
(config-if-range)# shutdown
Example
> enable
# config t
(config)# username ?
  WORD  User name
(config)# username bill ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  <cr>
(config)# username bill password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
(config)# username bill password smith
(config)# logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  cns-events           Set CNS Event logging level
  console              Set console logging level
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  file                 Set logging file parameters
  history              Configure syslog history table
  monitor              Set terminal line (monitor) logging level
  on                   Enable logging to all supported destinations
  rate-limit           Set messages per second limit
  source-interface     Specify interface for source address in logging
  transactions
  trap                 Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  <cr>
(config)# logging buffer 440240
(config)# logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
(config)# access-list 2 permit host 192.168.1.1
(config)# access-list 2 deny any
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http server
(config)# ip http port 1024
(config)# ip http authentication ?
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
(config)# ip http authentication local
(config)# exit
# sh running
Alt:
# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
(vlan)# vlan 1 name fred
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
Example
> enable
# config t
(config)# int vlan1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# vlan 1
(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)
(config-vlan)# mtu ?
<576-18190> Value of VLAN Maximum Tranmission Unit
(vlan)# vlan 1 ?
  are        Maximum number of All Route Explorer hops for this VLAN
  backupcrf  Backup CRF mode of the VLAN
  bridge     Bridging characteristics of the VLAN
  media      Media type of the VLAN
  mtu        VLAN Maximum Transmission Unit
  name       Ascii name of the VLAN
  parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring       Ring number of FDDI or Token Ring type VLANs
  said       IEEE 802.10 SAID
  state      Operational state of the VLAN
  ste        Maximum number of Spanning Tree Explorer hops for this VLAN
  stp        Spanning tree characteristics of the VLAN
  tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vtp mode transparent
(config)# vlan 1006
(config-vlan)# name test
(config-vlan)# mtu 1500
(config-vlan)# end
# sh running
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
vtp mode transparent
!
!
vlan 1006
name test
mtu 1500
!
!
Note: If the transparent mode was not set, the following would appear:
(config)# vlan 1006
(config-vlan)# exit
% Failed to create VLANs 1006
VLAN(s) not available in Port Manager.
Failed to commit extended VLAN(s) changes.
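As an added example (not NetworkSims.com code), the following Python script audits a running-config of the kind shown above for the weak settings typed in these challenges: line and user passwords left in cleartext with password-encryption off, an enable password kept next to an enable secret, an HTTP server without an access-class, a v1/v2c SNMP community, and a logging trap level so low that the syslog host sees almost nothing. The config text is constructed from this page's settings, not captured from a device; the checks follow documented IOS behaviour.

```python
import re

# IOS severity keywords and numeric levels, as listed by 'logging trap ?'.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample (not captured from a device): settings typed in the
# examples on this page, assembled into one running-config.
SAMPLE_CONFIG = """\
no service password-encryption
enable password default
enable secret dates
username katie password hotel
username william password eggplant
ip http server
ip http authentication local
snmp-server community popup
logging 212.72.52.7
logging trap emergencies
line con 0
 password texas
line vty 0 15
 login
 password manchester
"""


def parse_config(text):
    """Split a running-config into global lines and the indented sub-lines of
    each 'line ...' block; '!' comments and blank lines are dropped."""
    global_lines, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        current = line if line.startswith("line ") else None
        if current is not None:
            line_blocks[current] = []
    return global_lines, line_blocks


def severity_level(word):
    """Map a 'logging trap' argument (number, keyword or abbreviation) to 0-7."""
    if word.isdigit():
        return int(word)
    return next((lvl for name, lvl in SEVERITY.items() if name.startswith(word)), None)


def audit(text):
    """Return [(risk, message), ...] for the weak settings found in the config."""
    glob, blocks = parse_config(text)
    findings = []
    has_secret = any(l.startswith("enable secret ") for l in glob)
    pw_encryption = "no service password-encryption" not in glob
    http_auth = next((l.split()[3] for l in glob
                      if l.startswith("ip http authentication ")), None)
    for l in glob:
        if l == "no service password-encryption":
            findings.append(("medium", "service password-encryption is off: line and "
                             "user passwords appear in cleartext in the config"))
        elif l.startswith("enable password "):
            # 'enable secret' wins when both exist; the plain one is then dead weight
            findings.append(("low", "enable password is unused next to enable secret; remove it")
                            if has_secret else
                            ("high", "enable password is not hashed; use enable secret"))
        elif m := re.match(r"username (\S+) password (?:(0|7) )?\S+$", l):
            user, ptype = m.group(1), m.group(2)
            findings.append(("medium", f"user {user}: type 7 password is reversible")
                            if ptype == "7" else
                            ("high", f"user {user}: cleartext password; use 'username {user} secret'"))
        elif l == "ip http server":
            if http_auth in (None, "enable"):  # 'enable' is the IOS default method
                findings.append(("medium", "HTTP server authenticates with the shared "
                                 "enable password; prefer local or tacacs"))
            if not any(x.startswith("ip http access-class ") for x in glob):
                findings.append(("medium", "HTTP server has no access-class limiting "
                                 "which hosts may connect"))
        elif l.startswith("snmp-server community "):
            findings.append(("medium", f"SNMP community '{l.split()[2]}' is a cleartext "
                             "v1/v2c credential; prefer snmp-server user (v3)"))
        elif m := re.match(r"logging trap (\S+)$", l):
            level = severity_level(m.group(1))
            if level is not None and level < SEVERITY["warnings"]:
                findings.append(("medium", f"logging trap {m.group(1)}: only severity "
                                 f"{level} and below reach the syslog host; most "
                                 "operational and security messages are never sent"))
    for name, sub in blocks.items():
        if not pw_encryption and any(s.startswith("password ") for s in sub):
            findings.append(("medium", f"{name}: line password stored in cleartext"))
    return findings


if __name__ == "__main__":
    for risk, msg in audit(SAMPLE_CONFIG):
        print(f"[{risk:<6}] {msg}")
```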
Objectives
The objectives of this challenge are to:
Setup VMPS.
Example
# config t
(config)# vmps ?
  reconfirm  Set VMPS reconfirm interval
  retry      Set VMPS retry count
  server     Configure server IP address
(config)# vmps server ?
Hostname or A.B.C.D IP address
(config)# vmps server 199.156.165.8 ?
primary Specify primary server
<cr>
(config)# vmps server 199.156.165.8 primary
(config)# vmps server 208.89.97.3
(config)# vmps server 206.81.143.1
(config)# vm reconfirm ?
<0-120> Number of minutes between reconfirmations
(config)# vm retry ?
<1-10> Retry count per server
(config)# vmps reconfirm 50
(config)# vmps retry 5
Example
> enable
# config t
(config)# vmps ?
  reconfirm  Set VMPS reconfirm interval
  retry      Set VMPS retry count
  server     Configure server IP address
In this example the FA0/1 VLAN will be configured for its VLAN membership from the VMPS server.
# config t
(config)# vlan 1
(config-vlan)# name utah
(config-vlan)# exit
(config)# access-list 10 permit 20.123.92.0 0.0.0.1
(config)# vlan access-map utah
(config-access-map)# action forward
(config-access-map)# match ip access 10
(config-access-map)# exit
(config)# vlan filter utah vlan-list 1
Example
# config t
(config)# vlan 1
(config-vlan)# name utah
(config-vlan)# exit
(config)# access-list 10 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config)# access-list 10 permit 20.123.92.0 0.0.0.1
(config)# vlan access-map ?
WORD Vlan access map tag
(config)# vlan access-map utah
(config-access-map)# ?
  action  Take the action
Cisco Switch Challenge 28
Outline
This challenge involves the configuration of VLAN filtering to drop TCP packets.
Objectives
The objectives of this challenge are to:
Example
Switch(config)# ip access-list extended test
Switch(config-ext-nacl)# ?
Ext Access List configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
Switch(config-ext-nacl)# permit any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map London 10
Switch(config-access-map)# ?
Vlan access-map configuration commands:
  action   Take the action
  default  Set a command to its defaults
  exit     Exit from vlan access-map configuration mode
  match    Match values.
  no       Negate a command or set its defaults
Switch(config-access-map)# match ?
  ip   IP based match
  mac  MAC based match
Switch(config-access-map)# match ip ?
  address  Match IP address to access control.
Switch(config-access-map)# match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
  <cr>
Switch(config-access-map)# match ip address test
Switch(config-access-map)# action ?
  drop     Drop packets
  forward  Forward packets
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vl ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN
Switch(config)# vlan filter ?
WORD VLAN map name
Switch(config)# vl f test ?
vlan-list VLANs to apply filter to
Switch(config)# vlan filter test vlan-list 10
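As an added example (not part of the challenge), this Python evaluator models how the VLAN map above is applied: clauses are tried in sequence order, a clause matches only when its access list permits the packet (an ACL deny simply moves on to the next clause), and a packet that matches no clause hits the implicit deny at the end of the map. The policy text is constructed for the example; it keeps the challenge's permit-tcp list and drop action, adds a catch-all forward clause, and also parses the numbered standard list used in the utah example earlier on the page.

```python
import ipaddress

# Constructed policy text (not from the page): the challenge's 'permit tcp' list
# feeding a drop clause, a catch-all forward clause, and the map bound to VLAN 10.
SAMPLE_POLICY = """\
ip access-list extended tcp-only
 permit tcp any any
ip access-list extended all-ip
 permit ip any any
vlan access-map London 10
 match ip address tcp-only
 action drop
vlan access-map London 20
 match ip address all-ip
 action forward
vlan filter London vlan-list 10
"""

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or a bare address;
    return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and tokens[1][:1].isdigit():  # A.B.C.D WILDCARD
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]  # bare address: exact host


def parse_ace(tokens, extended):
    """permit|deny [proto] SRC [DST]; standard lists match the source only.
    Port qualifiers (eq/range) after the addresses are ignored."""
    if extended:
        proto, rest = tokens[1], tokens[2:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
    else:
        proto, dst = "ip", ANY
        src, rest = parse_addr(tokens[1:])
    return {"action": tokens[0], "proto": proto, "src": src, "dst": dst}


def parse_policy(text):
    """Parse access lists, vlan access-maps and vlan filters into one dict."""
    acls, maps, filters, ctx = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw.startswith(" ") and ctx:  # inside an ACL or an access-map clause
            if ctx[0] == "acl" and t[0] != "remark":
                acls[ctx[1]].append(parse_ace(t, extended=ctx[2]))
            elif ctx[0] == "map" and t[0] == "match":  # match ip address NAME|NUMBER
                maps[ctx[1]][ctx[2]]["acl"] = t[3]
            elif ctx[0] == "map" and t[0] == "action":
                maps[ctx[1]][ctx[2]]["action"] = t[1]
            continue
        ctx = None
        if t[0] == "access-list":  # numbered standard list, one entry per line
            acls.setdefault(t[1], []).append(parse_ace(t[2:], extended=False))
        elif t[:2] == ["ip", "access-list"]:  # ip access-list standard|extended NAME
            acls.setdefault(t[3], [])
            ctx = ("acl", t[3], t[2] == "extended")
        elif t[:2] == ["vlan", "access-map"]:  # vlan access-map NAME [SEQ]; SEQ defaults to 10
            name, seq = t[2], int(t[3]) if len(t) > 3 else 10
            maps.setdefault(name, {})[seq] = {"acl": None, "action": "forward"}
            ctx = ("map", name, seq)
        elif t[:2] == ["vlan", "filter"]:  # vlan filter NAME vlan-list 1,2,10
            for vid in t[4].split(","):
                filters[int(vid)] = t[2]
    return {"acls": acls, "maps": maps, "filters": filters}


def wildcard_match(addr, spec):
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def acl_permits(entries, proto, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for e in entries:
        if (e["proto"] in ("ip", proto) and wildcard_match(src, e["src"])
                and wildcard_match(dst, e["dst"])):
            return e["action"] == "permit"
    return False


def vacl_decide(policy, vlan, proto, src, dst):
    """Return 'forward' or 'drop' for a packet on 'vlan' under the applied map."""
    name = policy["filters"].get(vlan)
    if name is None:
        return "forward"  # no VLAN map applied to this VLAN
    s, d = _ip(src), _ip(dst)
    for seq in sorted(policy["maps"][name]):  # clauses are tried in sequence order
        clause = policy["maps"][name][seq]
        # a clause matches only when its ACL permits; an ACL deny just moves on
        if clause["acl"] and acl_permits(policy["acls"][clause["acl"]], proto, s, d):
            return clause["action"]
    return "drop"  # implicit deny at the end of the map
```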
Example
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater
             address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vtp domain ?
  WORD  The ascii name for the VTP administrative domain.
(config)# vtp domain samoa
Changing VTP domain name from NULL to samoa
(config)# vtp password ?
  WORD  The ascii password for the VTP administrative domain.
(config)# vtp password orange
Setting device VLAN database password to orange
(config)# vtp mode server
Setting device to VTP SERVER mode.
(config)# vtp pruning ?
  <cr>
(config)# vtp pruning
Pruning switched ON
(config)# vtp version ?
  <1-2>  Set the adminstrative domain VTP version number
(config)# vtp version 2

(config)# vtp mode server
(config)# vtp domain test
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning
# sh vtp status
Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater
             address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vt m server
VTP statistics:
Summary advertisements received    : 20
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 11
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0
Note
With VTP, a trunk port must be defined so that advertisements can be sent.
The default details are:
VTP name = Null
VTP mode = Server
VTP version = 2
VTP password = None
VTP pruning = Disabled
(config)# vtp domain test
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning
# sh vtp status
Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater
             address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vt m client
# sh vtp ?
  counters  VTP statistics
  password  VTP password
  status    VTP domain status
# sh vtp status
VTP Version                     : 2
Configuration Revision          : 25
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Client
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)
# sh vtp counters
VTP statistics:
Summary advertisements received    : 20
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 11
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0
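The following Python is an added example, not NetworkSims.com code. It parses the "show vtp status" output shown above (embedded as sample input) and turns it into the findings a defender would want from it: a switch in server or client mode replaces its VLAN database when it receives an advertisement for its domain with a higher configuration revision, a switch with no domain name adopts the first domain it hears on a trunk, and the page notes that the default is no password. Whether a password is set comes from "show vtp password", not from the status output, so it is passed in as a flag.

```python
"""Parser and audit for Cisco "show vtp status" output. Added example, not
NetworkSims.com code; SAMPLE_STATUS is the output shown on the page."""
import re
from typing import Dict, List

SAMPLE_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 25
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Client
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)
"""

# "label : value" lines; the colon must be surrounded by whitespace so the
# time stamp "00:18:42" in the free-form line is not mistaken for a field.
FIELD = re.compile(r"^(\S.*?)\s+:\s+(\S.*)$")
MODIFIED = re.compile(r"^Configuration last modified by (\S+) at (.+)$")
UPDATER = re.compile(r"^Local updater ID is (\S+) on interface (\S+)")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the status output into a dict keyed by the labels IOS prints."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        m = MODIFIED.match(line)
        if m:
            fields["Last modified by"], fields["Last modified at"] = m.group(1), m.group(2)
            continue
        m = UPDATER.match(line)
        if m:
            fields["Local updater ID"], fields["Updater interface"] = m.group(1), m.group(2)
    return fields


def audit_vtp(fields: Dict[str, str], password_set: bool) -> List[str]:
    """Findings from the parsed status; password_set comes from "show vtp password"."""
    findings: List[str] = []
    mode = fields.get("VTP Operating Mode", "")
    domain = fields.get("VTP Domain Name", "")      # IOS prints nothing for a NULL domain
    revision = int(fields.get("Configuration Revision", "0"))
    if mode in ("Server", "Client"):
        findings.append(
            f"{mode} mode: a '{domain}' advertisement with revision above {revision} "
            "replaces this switch's VLAN database")
    if not domain:
        findings.append("no domain name: the switch adopts the first VTP domain heard on a trunk")
    if mode in ("Server", "Client") and not password_set:
        findings.append("no VTP password: advertisements need only the domain name to be accepted")
    return findings


if __name__ == "__main__":
    parsed = parse_vtp_status(SAMPLE_STATUS)
    for finding in audit_vtp(parsed, password_set=False):
        print("-", finding)
```

Transparent mode produces no finding because a transparent switch forwards advertisements but keeps its own VLAN database, which is why it is the usual choice when VTP is not actually wanted.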
Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater
             address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
Example
> enable
# config t
(config-if)# switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  trunk         Set trunking mode to TRUNK unconditionally
> enable
# config t
(config)# int fa0/1
(config-if)# l2protocol-tunnel cdp
(config-if)# l2protocol-tunnel stp
(config-if)# l2protocol-tunnel shutdown-threshold 100
(config-if)# exit
(config)# l2protocol-tunnel cos 5
Example
> enable
# config t
(config)# int fa0/1
(config-if)# l2protocol-tunnel ?
  cdp                 Cisco Discovery Protocol
  drop-threshold      Set drop threshold for protocol packets
  point-to-point      point-to-point L2 Protocol
  shutdown-threshold  Set shutdown threshold for protocol packets
  stp                 Spanning Tree Protocol
  vtp                 Vlan Trunking Protocol
  <cr>
(config-if)# l2protocol-tunnel cdp
(config-if)# l2protocol-tunnel stp
(config-if)# l2protocol-tunnel shutdown-threshold ?
  <1-4096>        Packets/sec rate beyond which interface is put to err-disable
  cdp             Cisco Discovery Protocol
  point-to-point  point-to-point L2 Protocol
  stp             Spanning Tree Protocol
  vtp             Vlan Trunking Protocol
(config-if)# l2protocol-tunnel shutdown-threshold 100
(config)# l2protocol-tunnel ?
  cos  Class of Service
(config)# l2protocol-tunnel cos ?
  <0-7>  priority value
(config)# l2protocol-tunnel cos 5
Objectives
The objectives of this challenge are to:
Setup VLANs.
Define spanning-tree settings.
Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
(config)# spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan 2 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>
(config)# spanning-tree vlan 2 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
(config)# spanning-tree vlan 2 root primary
(config)# int fa0/1
(config-if)# spanning-tree cost 32
(config)# int fa0/2
Example
> en
# config t
Switch(config)# spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addrs
  violation    Security Violation Mode
  <cr>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security max ?
  <1-5120>  Maximum addresses
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
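The following Python model is an added example, not NetworkSims.com code. It follows the port-security configuration above (maximum 5, one static secure MAC 0000.1111.2222, sticky learning) and shows what happens to frames as the address limit is reached. The help output above lists the violation keyword without its modes, so the three IOS modes (protect, restrict, shutdown) are taken from IOS documentation rather than from the page; the host MAC addresses in the scenario are constructed.

```python
"""Behavioural model of switchport port-security. Added example, not
NetworkSims.com code; sample MAC addresses are constructed."""
from typing import Dict, Iterable, List, Set


class PortSecurity:
    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 static: Iterable[str] = (), sticky: bool = False):
        # IOS defaults: maximum 1 secure address, violation mode shutdown.
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure: Set[str] = set(static)   # static entries count toward maximum
        self.sticky_learned: List[str] = []   # dynamic MACs that sticky writes to the config
        self.violations = 0                   # the counter "show port-security" reports
        self.err_disabled = False

    def frame(self, src_mac: str) -> str:
        """Apply port-security to one ingress frame and return what happened to it."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)           # learned as a dynamic secure address
            if self.sticky:
                self.sticky_learned.append(src_mac)
            return "forwarded (learned)"
        # Limit reached and the source is not a secure address: a violation.
        if self.violation == "protect":
            return "dropped (protect: silent)"
        self.violations += 1
        if self.violation == "restrict":
            return "dropped (restrict: violation counted, SNMP trap/syslog)"
        self.err_disabled = True               # shutdown: the whole port goes err-disabled
        return "dropped (shutdown: port err-disabled)"


def page_port_scenario() -> Dict[str, object]:
    """Transcript config (maximum 5, static 0000.1111.2222, sticky) with constructed hosts."""
    port = PortSecurity(maximum=5, violation="shutdown",
                        static=["0000.1111.2222"], sticky=True)
    # The static host plus five constructed unknown hosts; only four fit under the limit.
    hosts = ["0000.1111.2222"] + [f"0000.aaaa.000{i}" for i in range(1, 6)]
    results = [port.frame(m) for m in hosts]
    after = port.frame("0000.1111.2222")   # once err-disabled even the static MAC is blocked
    return {"results": results, "secure": sorted(port.secure),
            "sticky": port.sticky_learned, "violations": port.violations,
            "err_disabled": port.err_disabled, "after": after}


if __name__ == "__main__":
    for key, value in page_port_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the operational trade-off visible: shutdown stops the offending host but also takes every legitimate host on the port offline until the port is recovered, while restrict keeps the port up and still counts and reports the violation.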
Enable UDLD.
Apply it on an interface.
Example
> enable
# config t
(config)# udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except
              where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally
              configured
  message     Set UDLD message parameters
(config)# udld enable
(config)# int fa0/1
(config-if)# udld ?
  port  Enable UDLD protocol on this interface
(config-if)# udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface
  <cr>
Interface Fa0/10
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/11
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/12
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/13
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/14
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/15
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/16
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/17
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/18
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/19
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/20
--Port enable administrative configuration setting: Disabled
Enable UDLD.
Apply it on an interface.
Example
> enable
# config t
(config)# rm ?
  alarm  Configure an rmon alarm
  event  Configure an RMON event
(config)# rm a ?
  <1-65535>  alarm number
(config)# rmon a 10 ?
  WORD  MIB object to monitor
(config)# rmon a 10 ifEntry.20.1 ?
  <1-2147483647>  Sample interval
(config)# rmon a 10 ifEntry.20.1 20 ?
  absolute
  delta
Example
> enable
# config t
(config)# no spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
(config)# no spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
(config)# no spanning-tree vlan 1 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>
(config)# no spanning-tree vlan 1
Example
> enable
# config t
(config)# spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
(config)# spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan 1 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
(config)# spanning-tree vlan 1 root secondary ?
  diameter  Network diameter of this spanning tree
  <cr>
(config)# spanning-tree vlan 1 root secondary

(config-if)# spanning-tree cost 100
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree vlan 1 port-priority 100
(config-if)# spanning-tree port-priority 100
Example
> enable
# config t
(config)# int fa0/1
Switch(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
  <1-200000000>  port path cost
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree v 1 ?
  cost           Change an interface's per VLAN spanning tree path cost
  port-priority  Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 1 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree port- ?
  <0-240>  port priority in increments of 16
(config-if)# spanning-tree port-priority 100
(config-if)# spanning-tree vlan 1 p ?
  <0-240>  port priority in increments of 16
(config-if)# spanning-tree vlan 1 port-priority 100
Example
> enable
# config t
(config)# spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan ANY ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>
(config)# spanning-tree vlan 1 forward-time ?
  <4-30>  number of seconds for the forward delay timer
(config)# spanning-tree vlan 1 forward-time 10
(config)# spanning-tree vlan 1 hello-time ?
  <1-10>  number of seconds between generation of config BPDUs
(config)# spanning-tree vlan 1 hello-time 10
(config)# spanning-tree vlan 1 m ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree vlan 1 max-age 10
(config)# int fa0/1
Switch(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
  <1-200000000>  port path cost
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree v 1 ?
  cost           Change an interface's per VLAN spanning tree path cost
  port-priority  Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 1 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree port- ?
  <0-240>  port priority in increments of 16
(config-if)# spanning-tree port-priority 100
Example
> enable
# config t
(config)# spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
(config)# spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree
(config)# spanning-tree mst configuration ?
  <cr>
(config)# spanning-tree mst configuration
(config-mst)# ?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name
  no
  private-vlan
  revision
  show
(config-mst)# instance ?
  <0-15>  MST instance id
(config-mst)# instance 1 ?
  vlan  Range of vlans to add to the instance mapping
(config-mst)# instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300 -200
(config-mst)# instance 1 vlan 1
(config-mst)# name ?
  WORD  Configuration name
(config-mst)# name fred
(config-mst)# revision ?
  <0-65535>  Configuration revision number
(config-mst)# revision 1
(config-mst)# exit
(config)# spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
(config)# spanning-tree mode mst
Notes
The command:
(config)# spanning-tree mode mst
enables both MSTP and RSTP. All the switches in the MST region require the same
configuration for their MST settings.
Example
> enable
# config t
(config)# spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree
(config)# spanning-tree mst 1 ?
  priority  Set the bridge priority for the spanning tree
  root      Configure switch as root
(config)# spanning-tree mst 1 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time ?
  <1-10>  number of seconds between generation of config BPDUs
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time ?
  <4-30>  number of seconds for the forward delay timer
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 ?
  priority  Set the bridge priority for the spanning tree
  root      Configure switch as root
(config)# spanning-tree mst 1 priority ?
  <0-61440>  bridge priority in increments of 4096
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops ?
  <1-40>  maximum number of hops a BPDU is valid
(config)# spanning-tree mst max-hops 10
This challenge involves configuring a secondary root switch for a given instance.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree
(config)# spanning-tree mst 1 ?
  priority  Set the bridge priority for the spanning tree
  root      Configure switch as root
(config)# spanning-tree mst 1 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
(config)# spanning-tree mst 1 root secondary
(config)# spanning-tree mst hello-time ?
  <1-10>  number of seconds between generation of config BPDUs
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time ?
  <4-30>  number of seconds for the forward delay timer
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 ?
  priority  Set the bridge priority for the spanning tree
  root      Configure switch as root
(config)# spanning-tree mst 1 priority ?
  <0-61440>  bridge priority in increments of 4096
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops ?
  <1-40>  maximum number of hops a BPDU is valid
(config)# spanning-tree mst max-hops 10
Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater
             address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vtp domain ?
  WORD  The ascii name for the VTP administrative domain.
(config)# vtp domain test
(config)# vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
(config-if)# spanning-tree vlan 10 ?
  cost           Change an interface's per VLAN spanning tree path cost
  port-priority  Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 10 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 10 port-priority ?
  <0-240>  port priority in increments of 16
Note the default port-priority is 128. Thus in this example the port priorities for the first
trunk will be:
  VLAN 10  10
  VLAN 11  10
  VLAN 12  10
  VLAN 13  128
  VLAN 14  128
  VLAN 15  128
And for the second trunk:
  VLAN 10  128
  VLAN 11  128
  VLAN 12  128
  VLAN 13  10
  VLAN 14  10
  VLAN 15  10
Thus the lower priority will be taken, so VLAN 10, 11 and 12 will go through Trunk 1, and
VLAN 13, 14 and 15 will go through Trunk 2. If either of the trunks fails, the traffic which
would normally go through the failed trunk will use the other trunk. In this way there is a
fail-back solution, along with load balancing.
Example
> enable
# config t
(config)# vtp domain test
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree vlan 10 cost 10
(config-if)# spanning-tree vlan 11 cost 10
(config-if)# spanning-tree vlan 12 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 cost 10
(config-if)# spanning-tree vlan 14 cost 10
(config-if)# spanning-tree vlan 15 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
Note the default cost is 19. Thus in this example the cost for the first trunk will be:
  VLAN 10  10
  VLAN 11  10
  VLAN 12  10
  VLAN 13  19
  VLAN 14  19
  VLAN 15  19
And for the second trunk:
  VLAN 10  19
  VLAN 11  19
  VLAN 12  19
  VLAN 13  10
  VLAN 14  10
  VLAN 15  10
Thus the lower cost will be taken, so VLAN 10, 11 and 12 will go through Trunk 1, and
VLAN 13, 14 and 15 will go through Trunk 2. If either of the trunks fails, the traffic which
would normally go through the failed trunk will use the other trunk. In this way there is a
fail-back solution, along with load balancing.
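The following Python is an added example, not NetworkSims.com code, and serves both the port-priority table and the cost table above. It generalises the comparison those two notes describe: for each VLAN the switch prefers the trunk with the lower per-VLAN cost (default 19), then the lower per-VLAN port-priority (default 128), and a VLAN whose preferred trunk is down falls back to the other trunk. The trunks are named Trunk 1 and Trunk 2 as in the notes; the final tiebreak on the trunk name is an assumption of this model, since a real switch breaks remaining ties on the neighbour's bridge and port identifiers, and the full BPDU exchange is not modelled.

```python
"""Per-VLAN trunk selection from spanning-tree cost and port-priority.
Added example, not NetworkSims.com code; models only the comparison the page
describes, with a name tiebreak that is an assumption of this model."""
import re
from typing import Dict, Iterable, List, Optional

DEFAULT_COST = 19        # cost the page uses for a FastEthernet trunk
DEFAULT_PRIORITY = 128   # default port-priority stated in the note above

# The two interface commands used in the examples above.
CMD = re.compile(r"^\s*spanning-tree vlan (\d+) (cost|port-priority) (\d+)\s*$")


class Trunk:
    """One trunk interface with its per-VLAN spanning-tree settings."""

    def __init__(self, name: str, up: bool = True):
        self.name = name
        self.up = up
        self.cost: Dict[int, int] = {}       # "spanning-tree vlan N cost C"
        self.priority: Dict[int, int] = {}   # "spanning-tree vlan N port-priority P"

    def vlan_cost(self, vlan: int) -> int:
        return self.cost.get(vlan, DEFAULT_COST)

    def vlan_priority(self, vlan: int) -> int:
        return self.priority.get(vlan, DEFAULT_PRIORITY)


def configure(trunk: Trunk, line: str) -> None:
    """Apply one interface-mode command of the form shown in the transcripts."""
    m = CMD.match(line)
    if not m:
        raise ValueError(f"unsupported command: {line!r}")
    vlan, attr, value = int(m.group(1)), m.group(2), int(m.group(3))
    (trunk.cost if attr == "cost" else trunk.priority)[vlan] = value


def choose_trunk(vlan: int, trunks: Iterable[Trunk]) -> Optional[str]:
    """Lower cost wins, then lower port-priority; a down trunk is never chosen."""
    candidates = [t for t in trunks if t.up]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda t: (t.vlan_cost(vlan), t.vlan_priority(vlan), t.name))
    return best.name


def vlan_to_trunk(vlans: Iterable[int], trunks: List[Trunk]) -> Dict[int, Optional[str]]:
    return {v: choose_trunk(v, trunks) for v in vlans}


def page_cost_example(trunk1_up: bool = True, trunk2_up: bool = True) -> Dict[int, Optional[str]]:
    """Cost table from the page: VLANs 10-12 at cost 10 on Trunk 1, 13-15 on Trunk 2."""
    t1, t2 = Trunk("Trunk 1", trunk1_up), Trunk("Trunk 2", trunk2_up)
    for v in (10, 11, 12):
        configure(t1, f"spanning-tree vlan {v} cost 10")
    for v in (13, 14, 15):
        configure(t2, f"spanning-tree vlan {v} cost 10")
    return vlan_to_trunk(range(10, 16), [t1, t2])


def page_priority_example(trunk1_up: bool = True, trunk2_up: bool = True) -> Dict[int, Optional[str]]:
    """Port-priority table from the page: priority 10 on the preferred trunk, 128 elsewhere."""
    t1, t2 = Trunk("Trunk 1", trunk1_up), Trunk("Trunk 2", trunk2_up)
    for v in (10, 11, 12):
        configure(t1, f"spanning-tree vlan {v} port-priority 10")
    for v in (13, 14, 15):
        configure(t2, f"spanning-tree vlan {v} port-priority 10")
    return vlan_to_trunk(range(10, 16), [t1, t2])


if __name__ == "__main__":
    print("cost example, both trunks up:", page_cost_example())
    print("cost example, trunk 1 down:  ", page_cost_example(trunk1_up=False))
```

Running it with one trunk marked down reproduces the failover the notes describe: every VLAN moves to the surviving trunk, and moves back when the preferred trunk returns.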
Define MST.
Example
Switch(config)#spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree
Switch(config)#spanning-tree mst configuration
Switch(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name
  no
  private-vlan
  revision
  show
Switch(config-mst)#instance ?
  <0-15>  MST instance id
Switch(config-mst)#instance 1 ?
  vlan  Range of vlans to add to the instance mapping
Switch(config-mst)#instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300 -200
Switch(config-mst)#instance 1 vlan 10
Switch(config-mst)#name ?
  WORD  Configuration name
Switch(config-mst)#name region1
Switch(config-mst)#revision ?
  <0-65535>  Configuration revision number
Switch(config-mst)#revision 1
Switch(config-mst)#show pending
Pending MST configuration
Name      [region1]
Revision  1
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-4094
1         10
-------------------------------------------------------------------------------
Switch(config-mst)#
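The following Python is an added example, not NetworkSims.com code. It builds the MST instance-to-VLAN mapping the way the "instance N vlan LINE" commands above do, parsing the LINE syntax the help text shows ("1-65, 72, 300 -200"), keeps unmapped VLANs in instance 0, reproduces the Instance / Vlans mapped table of "show pending" above, and compares two switches' region parameters, since the notes earlier state that all switches in an MST region need the same MST settings. Rejecting a range whose first number is larger than its second is an assumption of this parser.

```python
"""MST region configuration model. Added example, not NetworkSims.com code."""
from typing import Dict, List, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_line(line: str) -> List[int]:
    """Expand the LINE argument of "instance N vlan" into VLAN ids.

    Spaces around commas and dashes are tolerated; a reversed range such as
    "300-200" is rejected (an assumption of this parser).
    """
    vlans: List[int] = []
    for token in line.split(","):
        token = token.replace(" ", "")
        if not token:
            continue
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range {token!r}")
        else:
            lo = hi = int(token)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN id outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.extend(range(lo, hi + 1))
    return vlans


def is_valid_vlan_line(line: str) -> bool:
    try:
        parse_vlan_line(line)
        return True
    except ValueError:
        return False


def compress(vlans: List[int]) -> str:
    """Render a VLAN set the way "show pending" prints it, e.g. 1-9,11-4094."""
    vs = sorted(set(vlans))
    parts: List[str] = []
    i = 0
    while i < len(vs):
        j = i
        while j + 1 < len(vs) and vs[j + 1] == vs[j] + 1:
            j += 1
        parts.append(str(vs[i]) if i == j else f"{vs[i]}-{vs[j]}")
        i = j + 1
    return ",".join(parts)


class MstRegion:
    """The three parameters that identify an MST region: name, revision, VLAN mapping."""

    def __init__(self, name: str = "", revision: int = 0):
        self.name = name
        self.revision = revision
        # Every VLAN starts in instance 0 until an "instance" command moves it.
        self.instance_of: Dict[int, int] = {v: 0 for v in range(VLAN_MIN, VLAN_MAX + 1)}

    def instance(self, inst: int, line: str) -> None:
        """"instance <0-15> vlan LINE": move the listed VLANs into instance inst."""
        if not 0 <= inst <= 15:
            raise ValueError("MST instance id must be 0-15")
        for v in parse_vlan_line(line):
            self.instance_of[v] = inst

    def table(self) -> List[Tuple[int, str]]:
        by_inst: Dict[int, List[int]] = {}
        for v, inst in self.instance_of.items():
            by_inst.setdefault(inst, []).append(v)
        return [(inst, compress(vs)) for inst, vs in sorted(by_inst.items())]

    def show_pending(self) -> str:
        lines = ["Pending MST configuration", f"Name      [{self.name}]",
                 f"Revision  {self.revision}", "Instance  Vlans mapped",
                 "--------  " + "-" * 20]
        lines += [f"{inst:<8}  {vlans}" for inst, vlans in self.table()]
        return "\n".join(lines)

    def same_region(self, other: "MstRegion") -> bool:
        """True only if a neighbour would consider both switches part of one region."""
        return (self.name, self.revision, self.instance_of) == \
               (other.name, other.revision, other.instance_of)


def page_region() -> MstRegion:
    """The region built in the transcript above: region1, revision 1, VLAN 10 in instance 1."""
    r = MstRegion(name="region1", revision=1)
    r.instance(1, "10")
    return r


if __name__ == "__main__":
    print(page_region().show_pending())
```

A mismatch in any of the three parameters, including a revision bumped on one switch but not the others, splits the region, which is why same_region compares all three rather than the name alone.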
Example
> enable
# config t
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 10
(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared
(config-if)# spanning-tree link-type point-to-point
Example
# config t
(config)# int fa0/1
(config-if)# channel-group ?
  <1-64>  Channel group number
(config-if)# channel-g 3 ?
  mode  Etherchannel Mode of the interface
(config-if)# channel-g 3 m ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
(config-if)# channel-group 3 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
(config-if)# channel-group 3 mode on
(config-if)# int fa0/2
(config-if)# channel-group 4 mode on
Example
(config)# lacp ?
  system-priority
(config-if)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
Outline
The Dot1q encapsulation protocol allows for a trunk connection to interconnect VLANs on
different switches.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int fa0/1
(config-if)# sw ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in
                 trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this
                 interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected
  pruning
  trunk
  unicast
  voice
  <cr>
(config-if)# sw mo ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode access
(config-if)# exit
Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk mode dot1q
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan 5
In this example FA0/6 will stop trunking for VLAN 5, and the native VLAN is defined as
VLAN 6.
Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk mode dot1q
(config-if)# switchport t ?
  allowed        Set allowed VLAN characteristics when interface is in trunking
                 mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in
                 trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking
                 mode
(config-if)# switchport t a ?
  vlan  Set allowed VLANs when interface is in trunking mode
(config-if)# switchport t a v ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
(config-if)# switchport trunk allowed vlan remove ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode
(config-if)# switchport trunk allowed vlan remove 2
(config-if)# switchport trunk allowed vlan remove 3
Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
# int fa0/1
(config-if)# no switchport
(config-if)# ip address ?
A.B.C.D IP address
(config-if)# ip address 1.2.3.4 ?
A.B.C.D IP subnet mask
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip ?
Global IP configuration subcommands:
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  alias                 Alias an IP address to a TCP port
  as-path               BGP autonomous system path filter
  bgp-community         format for BGP community
  cef                   Cisco Express Forwarding
  classless             Follow classless routing forwarding rules
  community-list        Add a community list entry
  default-gateway       Specify default gateway (if not routing IP)
  default-network       Flags networks as candidates for default routes
  dhcp                  Configure DHCP server, relay and snooping parameters
  dhcp-server           Specify address of DHCP server to use
  domain-list           Domain name to complete unqualified host names.
  domain-lookup         Enable IP Domain Name System hostname translation
  domain-name           Define the default domain name
dvmrp
extcommunity-list
finger
flow-aggregation
flow-cache
flow-export
forward-protocol
Example
> enable
# config t
(config)# ip default-gateway ?
A.B.C.D IP address of default gateway
(config)# ip default-gateway 1.2.3.4
(config)# arp ?
  A.B.C.D  IP address of ARP entry
  vrf      Configure static ARP for a VPN Routing/Forwarding instance
(config)# arp 1.2.3.4 ?
  H.H.H  48-bit hardware address of ARP entry
(config)# arp 1.2.3.4 1.1.1 ?
  arpa   ARP type ARPA
  sap    ARP type SAP (HP's ARP type)
  smds   ARP type SMDS
  snap   ARP type SNAP (FDDI and TokenRing)
  srp-a  ARP type SRP (side A)
  srp-b  ARP type SRP (side B)
(config)# int fa0/1
(config-if)# arp ?
  arpa         Standard arp protocol
  frame-relay  Enable ARP for a frame relay interf
  probe        HP style arp protocol
  snap         IEEE 802.3 style arp
  timeout      Set ARP cache timeout
(config-if)# arp arpa
(config-if)# arp t ?
  <0-2147483>  Seconds
(config-if)# arp timeout 10
(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Forwarding interface commands
  cgmp                Enable/disable CGMP
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  urd                 Configure URL Rendezvousing
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# ip proxy-arp
Example
> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip irdp ?
  <cr>
  address            addresses to proxy-advertise
  holdtime           how long a receiver should believe the information
  maxadvertinterval  maximum time between advertisements
  minadvertinterval  minimum time between advertisements
  multicast          advertisements are sent with multicasts
  preference         preference level for this interface
(config-if)# ip irdp multicast
(config-if)# ip irdp max ?
  0         advertise only when solicited
  <4-1800>  maximum time between advertisements (default 600 seconds)
(config-if)# ip irdp ma ?
  0         advertise only when solicited
  <4-1800>  maximum time between advertisements (default 600 seconds)
(config-if)# ip irdp maxadvertinterval 10
(config-if)# ip irdp holdtime ?
  <0-9000>  holdtime (default 1800 seconds)
(config-if)# ip irdp holdtime 10
(config-if)# ip irdp minadvertinterval ?
  <3-1800>  minimum time between advertisements (default 450 seconds)
(config-if)# ip irdp minadvertinterval 5
(config-if)# ip irdp preference ?
  <-2147483648 - 2147483647>
Notes
Example
> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip directed-broadcast ?
  <1-199>      A standard IP access list number
  <1300-2699>  A standard IP expanded access list number
  <cr>
(config-if)# exit
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol udp ?
  <0-65535>    Port number
  biff         Biff (mail notification, comsat, 512)
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  discard      Discard (9)
  dnsix        DNSIX security protocol auditing (195)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  isakmp       Internet Security Association and Key Management Protocol (500)
  mobile-ip    Mobile IP registration (434)
  nameserver   IEN116 name service (obsolete, 42)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  netbios-ss   NetBios session service (139)
  ntp          Network Time Protocol (123)
  pim-auto-rp  PIM Auto-RP (496)
  rip          Routing Information Protocol (router, in.routed, 520)
  snmp         Simple Network Management Protocol (161)
  snmptrap     SNMP Traps (162)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       System Logger (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  who          Who service (rwho, 513)
  xdmcp        X Display Manager Control Protocol (177)
  <cr>
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog
Define a helper-address.
Example
> enable
# config t
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol spanning-tree
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip helper-address ?
A.B.C.D IP destination address
(config-if)# ip helper-address 1.2.3.4
Example
> enable
# config t
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol turbo-flood
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip broadcast-address ?
A.B.C.D IP broadcast address
(config-if)# ip broadcast-address 1.2.3.4
(config-if)# exit
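The `ip forward-protocol udp` and `ip helper-address` commands in the examples above work together: the helper address names where a UDP broadcast received on the interface is relayed as a unicast, and the forward-protocol list decides which destination ports qualify. The model below is an added example written for this page, not NetworkSims or Cisco code. It assumes the IOS behaviour that only ports in the forward-protocol list are relayed, and that the list defaults to TFTP 69, DNS 53, Time 37, NetBIOS 137/138, BOOTP 67/68 and TACACS 49 when a helper address is configured; the port names come from the help output above, and the interface is given with a constructed `fa0/1:` prefix so one function can take both global and interface commands.

```python
"""Decide which UDP broadcasts a router with `ip helper-address` relays.

Added example, not NetworkSims or Cisco code. The default forwarded-port set
is the author's understanding of the IOS default and is an assumption here.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Named UDP ports from the `ip forward-protocol udp ?` help output on the page.
PORT_NAMES = {
    "bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53, "time": 37,
    "netbios-ns": 137, "netbios-dgm": 138, "tacacs": 49, "echo": 7,
    "syslog": 514, "ntp": 123, "snmp": 161, "snmptrap": 162, "rip": 520,
}
DEFAULT_FORWARDED = {67, 68, 69, 53, 37, 137, 138, 49}   # assumed IOS default list


@dataclass
class HelperConfig:
    forwarded_ports: set[int] = field(default_factory=lambda: set(DEFAULT_FORWARDED))
    helpers: dict[str, list[str]] = field(default_factory=dict)  # interface -> helper IPs

    def apply(self, line: str) -> None:
        """Apply one command; interface commands carry a constructed 'ifname:' prefix."""
        iface = None
        if line.split()[0].endswith(":"):
            iface, line = line.split(":", 1)
            line = line.strip()
        negate = line.startswith("no ")
        tokens = line.split()[1:] if negate else line.split()
        if tokens[:3] == ["ip", "forward-protocol", "udp"] and len(tokens) == 4:
            # A port may be given by name or number; `no` removes it from the list.
            port = PORT_NAMES.get(tokens[3]) or int(tokens[3])
            if negate:
                self.forwarded_ports.discard(port)
            else:
                self.forwarded_ports.add(port)
        elif tokens[:2] == ["ip", "helper-address"] and iface and len(tokens) == 3:
            lst = self.helpers.setdefault(iface, [])
            if negate:
                lst.remove(tokens[2])
            elif tokens[2] not in lst:
                lst.append(tokens[2])
        else:
            raise ValueError(f"unsupported command: {line}")

    def relay_targets(self, iface: str, dst_port: int) -> list[str]:
        """Helper addresses that a UDP broadcast arriving on `iface` is unicast to."""
        if dst_port not in self.forwarded_ports:
            return []
        return list(self.helpers.get(iface, []))


def replay_page_example() -> HelperConfig:
    """Replay the commands from the example above (constructed interface prefix)."""
    cfg = HelperConfig()
    for cmd in [
        "ip forward-protocol udp time",
        "ip forward-protocol udp echo",
        "ip forward-protocol udp syslog",
        "fa0/1: ip helper-address 1.2.3.4",
    ]:
        cfg.apply(cmd)
    return cfg


if __name__ == "__main__":
    cfg = replay_page_example()
    for port in (67, 514, 161):
        print(port, cfg.relay_targets("fa0/1", port))
```

Every port left in the forwarded set is one more kind of broadcast the router will hand to the helper as a unicast, so the usual hardening step is to remove defaults the segment does not need (for example `no ip forward-protocol udp tftp`) rather than only adding the ports that are wanted.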
Enable IP routing.
Define RIP details for the network to broadcast into.
# config t
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# neighbor 10.0.0.1
Example
> enable
# config t
(config)# ip routing
(config)# router ?
  bgp       Border Gateway Protocol (BGP)
  egp       Exterior Gateway Protocol (EGP)
  eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp      Interior Gateway Routing Protocol (IGRP)
  isis      ISO IS-IS
  iso-igrp  IGRP for OSI networks
  mobile    Mobile routes
  odr       On Demand stub Routes
  ospf      Open Shortest Path First (OSPF)
  rip       Routing Information Protocol (RIP)
  static    Static routes
(config)# router rip
Switch(config-router)# ?
Router configuration commands:
  address-family          Enter Address Family command mode
  auto-summary            Enable automatic network number summarization
  default                 Set a command to its defaults
  default-information     Control distribution of default information
  default-metric          Set metric of redistributed routes
  distance                Define an administrative distance
  distribute-list         Filter networks in routing updates
  exit                    Exit from routing protocol configuration mode
  flash-update-threshold  Specify flash update threshold in second
  help                    Description of the interactive help system
  input-queue             Specify input queue depth
  maximum-paths           Forward packets over multiple paths
  neighbor                Specify a neighbor router
  network                 Enable routing on an IP network
  no                      Negate a command or set its defaults
  offset-list             Add or subtract offset from IGRP or RIP metrics
  output-delay            Interpacket delay for RIP updates
  passive-interface       Suppress routing updates on an interface
  redistribute            Redistribute information from another routing protocol
  timers                  Adjust routing timers
  traffic-share           How to compute traffic share over alternate paths
  validate-update-source  Perform sanity checks against source address of routing updates
  version                 Set routing protocol version
(config-router)# network ?
  A.B.C.D  Network number
(config-router)# network 10.0.0.0
(config-router)# neighbor 10.0.0.1
Enable IP routing.
Define RIP version.
Define RIP timers.
Disable auto-summary.
Example
> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# version ?
<1-2> version
(config-router)# timers ?
basic Basic routing protocol update timers
(config-router)# timers basic ?
<0-4294967295> Interval between updates
(config-router)# timers basic 10 ?
<1-4294967295> Invalid
(config-router)# timers basic 10 10 ?
<0-4294967295> Holddown
(config-router)# timers basic 10 10 10 ?
<1-4294967295> Flush
(config-router)# timers basic 10 10 10 10 ?
<1-4294967295> Sleep time, in milliseconds
<cr>
(config-router)# timers basic 10 10 10 10
(config-router)# no ?
address-family
auto-summary
default-information
default-metric
distance
distribute-list
flash-update-threshold
input-queue
maximum-paths
neighbor
network
offset-list
output-delay
passive-interface
redistribute
Enable IP routing.
Define RIP version.
Define RIP Version 2.
Define Authenticated RIP.
(config-keychain-key)# exit
(config-keychain)# exit
(config)# router rip
(config-router)# version 2
(config)# int fa0/1
(config-if)# ip rip authentication key-chain test
(config-if)# ip rip authentication mode md5
Example
> enable
# config t
(config)# ip routing
(config)# key ?
  chain       Key-chain management
  config-key  Set a private configuration key
(config)# key chain ?
  WORD  Key-chain name
(config)# key chain test
(config-keychain)# ?
Key-chain configuration commands:
  default  Set a command to its defaults
  exit     Exit from key-chain configuration mode
  key      Configure a key
  no       Negate a command or set its defaults
(config-keychain)# key ?
  <0-2147483647>  Key identifier
(config-keychain)# key 1
(config-keychain-key)# ?
Key-chain key configuration commands:
  accept-lifetime  Set accept lifetime of key
  default          Set a command to its defaults
  exit             Exit from key-chain key configuration mode
  key-string       Set key string
  no               Negate a command or set its defaults
  send-lifetime    Set send lifetime of key
(config-keychain-key)# key-string ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   The key
(config-keychain-key)# key-string mykey
(config-keychain-key)# exit
(config-keychain)# exit
(config)# router rip
(config-router)# version ?
  <1-2>  version
(config-router)# version 2
(config)# int fa0/1
(config-if)# ip ri ?
  authentication  Authentication control
  receive         advertisement reception
  send            advertisement transmission
  v2-broadcast    send ip broadcast v2 update
(config-if)# ip rip a ?
  key-chain  Authentication key-chain
  mode       Authentication mode
(config-if)# ip rip authentication key-chain ?
(config-if)# ip rip authentication key-chain test
(config-if)# ip rip authentication mode ?
(config-if)# ip rip authentication mode md5
Enable IP routing.
Define a summary address.
Define no split-horizon.
Example
> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# version 2
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip summary-address ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
  rip    Routing Information Protocol (RIP)
(config-if)# ip summary-address r ?
  A.B.C.D  IP address
(config-if)# ip summary-address r 1.2.3.4 ?
  A.B.C.D  IP network mask
(config-if)# ip summary-address rip 1.2.3.4 255.255.0.0
(config-if)# no ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Forwarding interface commands
  cgmp                Enable/disable CGMP
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  urd                 Configure URL Rendezvousing
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# no ip split-horizon
Enable IP routing.
Define IGRP details.
Example
> enable
# config t
(config)# ip routing
(config)# router ?
  bgp       Border Gateway Protocol (BGP)
  egp       Exterior Gateway Protocol (EGP)
  eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp      Interior Gateway Routing Protocol (IGRP)
  isis      ISO IS-IS
  iso-igrp  IGRP for OSI networks
  mobile    Mobile routes
  odr       On Demand stub Routes
  ospf      Open Shortest Path First (OSPF)
  rip       Routing Information Protocol (RIP)
  static    Static routes
(config)# router igrp ?
  <1-65535>  Autonomous system number
(config)# router igrp 111
(config-router)# ?
Router configuration commands:
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  input-queue          Specify input queue depth
  maximum-paths        Forward packets over multiple paths
  metric               Modify IGRP routing metrics and parameters
  neighbor             Specify a neighbor router
  network
  no
  offset-list
  passive-interface
  redistribute
Example
> enable
# config t
(config)# ip routing
(config)# router ?
  bgp       Border Gateway Protocol (BGP)
  egp       Exterior Gateway Protocol (EGP)
  eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp      Interior Gateway Routing Protocol (IGRP)
  isis      ISO IS-IS
  iso-igrp  IGRP for OSI networks
  mobile    Mobile routes
  odr       On Demand stub Routes
  ospf      Open Shortest Path First (OSPF)
  rip       Routing Information Protocol (RIP)
  static    Static routes
(config)# router ospf ?
  <1-65535>  Process ID
(config)# router ospf 111
(config-router)# ?
Router configuration commands:
  area                   OSPF area parameters
  auto-cost              Calculate OSPF interface cost according to bandwidth
  capability             Enable specific OSPF feature
  compatible             OSPF compatibility list
  default                Set a command to its defaults
  default-information    Control distribution of default information
  default-metric         Set metric of redistributed routes
  discard-route          Enable or disable discard-route installation
  distance               Define an administrative distance
  distribute-list        Filter networks in routing updates
  domain-id              OSPF domain-id
  domain-tag             OSPF domain-tag
  exit                   Exit from routing protocol configuration mode
  help                   Description of the interactive help system
  ignore                 Do not complain about specific event
  log-adjacency-changes  Log changes in adjacency state
  max-metric             Set maximum metric
  maximum-paths          Forward packets over multiple paths
  neighbor               Specify a neighbor router
  network                Enable routing on an IP network
  no                     Negate a command or set its defaults
  passive-interface      Suppress routing updates on an interface
  redistribute           Redistribute information from another routing protocol
  router-id              router-id for this OSPF process
  summary-address        Configure IP address summaries
  timers                 Adjust routing timers
  traffic-share          How to compute traffic share over alternate paths
(config-router)# net 1.2.3.4 ?
  A.B.C.D  OSPF wild card bits
(config-router)# net 1.2.3.4 255.255.255.0 ?
  area  Set the OSPF area ID
(config-router)# net 1.2.3.4 255.255.255.0 a ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
(config-router)# net 1.2.3.4 255.255.255.0 a 0 ?
  <cr>
(config-router)# net 1.2.3.4 255.255.255.0 area 0
Enable IP routing.
Define OSPF.
OSPF details on an interface.
Example
> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip ospf ?
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
(config-if)# ip ospf cost ?
  <1-65535>  Cost
Enable IP routing.
Define OSPF.
OSPF area details.
(config-if)# ip ospf cost 10
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay 10
Example
> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip ospf ?
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
(config-router)# ar ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
Switch(config-router)# ar 1 authentication ?
  message-digest  Use message-digest authentication
  <cr>
(config-router)# area 1 authentication message-digest
(config-router)# area 1 authentication
(config-router)# ar 1 r ?
  A.B.C.D  IP address to match
(config-router)# area 1 range 192.168.1.1 255.0.0.0
Objectives
The objectives of this challenge are to:
Enable IP routing.
Define EIGRP details.
Example
> enable
# config t
(config)# ip routing
(config)# router ?
  bgp       Border Gateway Protocol (BGP)
  egp       Exterior Gateway Protocol (EGP)
  eigrp     Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp      Interior Gateway Routing Protocol (IGRP)
  isis      ISO IS-IS
  iso-igrp  IGRP for OSI networks
  mobile    Mobile routes
  odr       On Demand stub Routes
  ospf      Open Shortest Path First (OSPF)
  rip       Routing Information Protocol (RIP)
  static    Static routes
(config)# router eigrp ?
  <1-65535>  Autonomous system number
(config)# router eigrp 111
(config-router)# ?
Router configuration commands:
  auto-summary         Enable automatic network number summarization
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  eigrp                EIGRP specific commands
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  metric               Modify IGRP routing metrics and parameters
  neighbor             Specify a neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  offset-list          Add or subtract offset from IGRP or RIP metrics
  passive-interface    Suppress routing updates on an interface
  redistribute         Redistribute information from another routing protocol
  timers               Adjust routing timers
  traffic-share        How to compute traffic share over alternate paths
  variance             Control load balancing variance
(config-router)# eigrp ?
  log-neighbor-changes   Enable/Disable IP-EIGRP neighbor logging
  log-neighbor-warnings  Enable/Disable IP-EIGRP neighbor warnings
  router-id              router-id for this EIGRP process
  stub                   Set IP-EIGRP as stubbed router
(config-router)# eigrp log-neighbor-changes
(config-router)# network 10.0.0.0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip summary-address ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
  rip    Routing Information Protocol (RIP)
(config-if)# ip summary-address eigrp ?
  <1-65535>  Autonomous system number
(config-if)# ip summary-address eigrp 100 1.2.3.0
(config-if)# ip hello-interval ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
(config-if)# ip hello-interval e ?
  <1-65535>  Autonomous system number
(config-if)# ip hello-interval e 100 5
(config-if)# ip hold-time ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
(config-if)# ip hold-time eigrp ?
  <1-65535>  Autonomous system number
(config-if)# ip hold-time eigrp 10 ?
  <1-65535>  Seconds before neighbor is considered down
(config-if)# ip hold-time eigrp 10
Enable IP routing.
Define BGP.
BGP AS details.
Example
> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# ?
Router configuration commands:
  address-family       Enter Address Family command mode
  aggregate-address    Configure BGP aggregate entries
  auto-summary         Enable automatic network number summarization
  bgp                  BGP specific commands
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  neighbor             Specify a neighbor router
  network              Specify a network to announce via BGP
  no                   Negate a command or set its defaults
  redistribute         Redistribute information from another routing protocol
  synchronization      Perform IGP synchronization
  table-map            Map external entry attributes into routing table
  timers               Adjust routing timers
(config-router)# net ?
  A.B.C.D  Network number
(config-router)# net 1.2.3.40
(config-router)# nei ?
  A.B.C.D  Neighbor address
  WORD     Neighbor tag
(config-router)# nei 1.2.3.4 ?
  activate                 Enable the Address Family for this Neighbor
  advertise-map            specify route-map for conditional advertisement
  advertisement-interval   Minimum interval between sending BGP routing updates
  allowas-in               Accept as-path with my AS present in it
  default-originate        Originate default route to this neighbor
  description              Neighbor specific description
disable-connected-check
distribute-list
ebgp-multihop
filter-list
local-as
maximum-prefix
next-hop-self
next-hop-unchanged
password
peer-group
prefix-list
remote-as
remove-private-AS
route-map
route-reflector-client
send-community
shutdown
soft-reconfiguration
timers
translate-update
unsuppress-map
update-source
version
weight
Enable IP routing.
Define BGP.
BGP neighbor details.
Example
> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# ?
Router configuration commands:
  address-family       Enter Address Family command mode
  aggregate-address    Configure BGP aggregate entries
  auto-summary         Enable automatic network number summarization
  bgp                  BGP specific commands
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  neighbor             Specify a neighbor router
  network              Specify a network to announce via BGP
  no                   Negate a command or set its defaults
  redistribute         Redistribute information from another routing protocol
  synchronization      Perform IGP synchronization
  table-map            Map external entry attributes into routing table
  timers               Adjust routing timers
(config-router)# net ?
  A.B.C.D  Network number
(config-router)# net 1.2.3.40
(config-router)# nei ?
  A.B.C.D  Neighbor address
  WORD     Neighbor tag
(config-router)# nei 1.2.3.4 ?
  activate                 Enable the Address Family for this Neighbor
  advertise-map            specify route-map for conditional advertisement
  advertisement-interval   Minimum interval between sending BGP routing updates
  allowas-in               Accept as-path with my AS present in it
  default-originate        Originate default route to this neighbor
  description              Neighbor specific description
  disable-connected-check  one-hop away EBGP peer using loopback address
  distribute-list          Filter updates to/from this neighbor
  ebgp-multihop            Allow EBGP neighbors not on directly connected networks
  filter-list              Establish BGP filters
  local-as                 Specify a local-as number
maximum-prefix
next-hop-self
next-hop-unchanged
password
peer-group
prefix-list
remote-as
remove-private-AS
route-map
route-reflector-client
send-community
shutdown
soft-reconfiguration
timers
translate-update
unsuppress-map
update-source
version
weight
Enable IP routing.
Define BGP.
BGP neighbor details with a route-map
Example
> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config-route-map)# ?
Route Map configuration commands:
  default      Set a command to its defaults
  description  Route-map comment
  exit         Exit from route-map configuration mode
  help         Description of the interactive help system
  match        Match values from routing table
  no           Negate a command or set its defaults
  set          Set values in destination routing protocol
(config-route-map)# match ?
  as-path       Match BGP AS path list
  community     Match BGP community list
  extcommunity  Match BGP/VPN extended community list
  interface     Match first hop interface of route
  ip            IP specific information
  length        Packet length
  metric        Match metric of route
  route-type    Match route-type of route
  tag           Match tag of route
(config-route-map)# match community ?
  <1-99>     Community-list number (standard)
  <100-199>  Community-list number (expanded)
  WORD       Community-list name
(config-route-map)# match community test
(config-route-map)# set ?
  as-path           Prepend string for a BGP AS-path attribute
  automatic-tag     Automatically compute TAG value
  comm-list         set BGP community list (for deletion)
  community         BGP community attribute
  dampening         Set BGP route flap dampening parameters
  default           Set default information
  extcommunity      BGP extended community attribute
  interface         Output interface
  ip                IP specific information
  level             Where to import route
  local-preference  BGP local preference path attribute
  metric            Metric value for destination routing protocol
  metric-type       Type of metric for destination routing protocol
  origin            BGP origin code
  tag               Tag value for destination routing protocol
  traffic-index     BGP traffic classification number for accounting
  weight            BGP weight for routing table
Outline
This challenge involves enabling VRF (VPN Routing Forwarding).
Objectives
The objectives of this challenge are to:
Enable IP routing.
Define VRF.
Apply VRF forwarding on an interface.
Example
> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config)# ip vrf NEWV
(config-vrf)# ?
IP VPN Routing/Forwarding instance configuration commands:
  default       Set a command to its defaults
  description   VRF specific description
  exit          Exit from VRF configuration mode
  export        VRF export
  import        VRF import
  maximum       Set a limit
  no            Negate a command or set its defaults
  rd            Specify Route Distinguisher
  route-target  Specify Target VPN Extended Communities
(config-vrf)# import ?
  map  Route-map based VRF import
(config-vrf)# import m ?
  WORD  VRF import route-map name
(config-vrf)# import m TESTING
(config-vrf)# rd ?
  ASN:nn or IP-address:nn
(config-vrf)# rd 192.168.1.1:12 ?
  <cr>
(config-vrf)# rd 192.168.1.1:12
(config-vrf)# exit
(config)# int fa0/1
(config-if)# ip vrf ?
  forwarding  Configure forwarding table
  sitemap     Configure route-map for routes received from this site
(config-if)# ip vrf forwarding ?
  WORD  Table name
(config-if)# ip vrf forwarding NEWV
Example
Switch# config t
Switch(config)# int fa0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  ip              Enable HSRP and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking
Switch(config-if)# standby ip ?
  A.B.C.D  Virtual IP address
  <cr>
Switch(config-if)# standby ip 192.168.128.3
Switch(config-if)# standby priority ?
  <0-255>  Priority value
Switch(config-if)# standby priority 120 ?
  preempt  Overthrow lower priority designated routers
  <cr>
Switch(config-if)# standby priority 120 preempt ?
  delay  Wait before preempting
  <cr>
Switch(config-if)# standby priority 120 preempt delay ?
  <0-3600>  Number of seconds to delay
  minimum   Delay at least this long
  sync      Wait for IP redundancy clients
Switch(config-if)# standby priority 120 preempt delay 300
Switch(config-if)# end
Switch# sh sta
FastEthernet0/1 - Group 0
Local state is Init (interface down), priority 120, may preempt
Preemption delayed for at least 300 secs
Hellotime 3 sec, holdtime 10 sec
Virtual IP address is 192.168.128.3 configured
Active router is unknown
Standby router is unknown
0 state changes, last state change never
IP redundancy name is "hsrp-Fa0/1-0" (default)
5.1
Explanation
HSRP uses an active router, a standby router, and a virtual router. The active router is the
normal routing device, and the standby router listens to all the traffic going to and from the
active device, as well as sending HELLO packets. If it detects a failure of the active device it
takes over its IP address and MAC address, so that hosts do not notice the failure of the
main device. The objective is thus to provide a consistent gateway address for the hosts.
HSRP allows the switch to provide failover for another device. To activate HSRP the
standby ip interface configuration command is used. If there is an IP address in this
command, it will be used as a standby address, otherwise it will be learned through the
standby function.
Ref: http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008047646d.html#wp1059790
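The election rules in the explanation above, as an added Python model (not NetworkSims.com's code): highest priority wins, ties go to the highest interface IP, a standby takes over when the active router's hellos stop for longer than the holdtime, and a higher-priority router only overthrows a healthy active router with preempt set and after its preempt delay. Router names, addresses and timings are constructed to match the configuration shown above.

```python
"""HSRP active/standby election model (added example, not NetworkSims.com's
code). Router names, addresses and timings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import ipaddress


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100          # IOS default for 'standby priority'
    preempt: bool = False        # 'standby preempt'
    preempt_delay: int = 0       # 'standby preempt delay <0-3600>'
    up_since: float = 0.0        # when this router joined the group
    last_hello: float = 0.0      # last hello heard from this router

    def key(self) -> Tuple[int, int]:
        # election order: priority first, then numerically highest IP
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


@dataclass
class HsrpGroup:
    virtual_ip: str
    hellotime: int = 3           # defaults shown in 'show standby' above
    holdtime: int = 10
    members: Dict[str, Router] = field(default_factory=dict)
    active: Optional[str] = None
    standby: Optional[str] = None

    def join(self, r: Router, now: float) -> None:
        r.up_since = r.last_hello = now
        self.members[r.name] = r
        self.elect(now)

    def hello_from(self, name: str, now: float) -> None:
        self.members[name].last_hello = now

    def elect(self, now: float) -> None:
        # a router is alive while its last hello is within the holdtime
        alive = [r for r in self.members.values()
                 if now - r.last_hello <= self.holdtime]
        if not alive:
            self.active = self.standby = None
            return
        best = max(alive, key=Router.key)
        cur = self.members.get(self.active) if self.active else None
        if cur is None or cur not in alive:
            self.active = best.name          # no active, or active timed out
        elif (best.key() > cur.key() and best.preempt
              and now - best.up_since >= best.preempt_delay):
            self.active = best.name          # preemption after the delay
        others = [r for r in alive if r.name != self.active]
        self.standby = max(others, key=Router.key).name if others else None


def preempt_delay_case() -> Tuple[str, str, str]:
    """R2 (priority 120, preempt delay 300 s, as configured above) joins a
    group where R1 is already active. Returns the active router right after
    R2 joins, after the delay has elapsed, and after R2 stops sending hellos."""
    g = HsrpGroup("192.168.128.3")
    g.join(Router("R1", "192.168.128.1"), now=0)
    g.join(Router("R2", "192.168.128.2", priority=120,
                  preempt=True, preempt_delay=300), now=10)
    right_after_join = g.active
    for t in range(13, 320, g.hellotime):       # both routers keep talking
        g.hello_from("R1", t)
        g.hello_from("R2", t)
        g.elect(t)
    after_delay = g.active
    for t in range(322, 340, g.hellotime):      # R2 goes silent
        g.hello_from("R1", t)
        g.elect(t)
    after_failure = g.active
    return right_after_join, after_delay, after_failure


def no_preempt_case() -> Tuple[str, Optional[str]]:
    """A higher-priority router without 'preempt' never takes the active
    role from a healthy active router; it only becomes standby."""
    g = HsrpGroup("192.168.128.3")
    g.join(Router("R1", "192.168.128.1"), now=0)
    g.join(Router("R3", "192.168.128.4", priority=200), now=5)
    return g.active, g.standby
```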
Example
Switch# config t
Switch(config)# interface fa0/1
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip 10.0.0.3
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 2 preempt
Switch(config-if)# end
Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp 10 authentication text testing
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip 192.168.0.2
Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp ?
<0-1023>  Group number
(config-if)# glbp 10 ?
authentication  Authentication method
forwarder       Forwarder configuration
ip              Enable group and set virtual IP address
load-balancing  Load balancing method
name            Redundancy name
preempt         Overthrow lower priority designated routers
priority        Priority level
timers          Adjust GLBP timers
weighting       Gateway weighting and tracking
(config-if)# glbp 10 authentication ?
md5   MD5 authentication
text  Plain text authentication
(config-if)# glbp 10 authentication text ?
WORD Text authentication string
(config-if)# glbp 10 authentication text testing
(config-if)# gl 10 forwarder ?
preempt Overthrow lower priority active forwarders
(config-if)# gl 10 forwarder preempt ?
delay Wait before preempting
<cr>
(config-if)# gl 10 forwarder preempt delay ?
minimum Delay at least this long
(config-if)# glbp 10 forwarder preempt delay minimum ?
<0-3600> Number of seconds for minimum delay
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing ?
host-dependent  Load balance equally, source MAC determines forwarder choice
round-robin     Load balance equally using each forwarder in turn
weighted        Load balance in proportion to forwarder weighting
(config-if)# glbp 10 load-balancing host-dependent
route for network traffic from a failed router or circuit. This challenge involves the
configuration of VRRP.
Objectives
The objectives of this challenge are to:
Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2
Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2
Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# int fa0/1
Switch(config-if)# no switchport
Switch(config-if)# ip pim ?
bsr-border         Border of PIM domain
dense-mode         Enable PIM dense-mode operation
nbma-mode          Use Non-Broadcast Multi-Access (NBMA) mode on interface
neighbor-filter    PIM peering filter
query-interval     PIM router query interval
sparse-dense-mode  Enable PIM sparse-dense-mode operation
sparse-mode        Enable PIM sparse-mode operation
version            PIM version
<cr>
Switch(config-if)# ip pim version ?
<1-2> version number
Switch(config-if)# ip pim version 2
Switch(config-if)# ip pim dense-mode ?
proxy-register Send proxy registers
<cr>
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip pim bsr-border
Note: You will not see the ip pim command on an interface unless it is defined as a Layer 3 port.
Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 1 permit 224.1.1.1 0.0.0.0
Switch(config)# ip pim ?
accept-register      Registers accept filter
accept-rp            RP accept filter
autorp               Configure AutoRP global operations
bsr-candidate        Candidate bootstrap router (candidate BSR)
register-rate-limit  Rate limit for PIM data registers
rp-address           PIM RP-address (Rendezvous Point)
rp-announce-filter   Auto-RP announce message filter
rp-candidate         To be a PIMv2 RP candidate
send-rp-announce     Auto-RP send RP announcement
send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
spt-threshold        Source-tree switching threshold
ssm                  Configure Source Specific Multicast
Switch(config)# ip pim rp-address ?
A.B.C.D IP address of Rendezvous-point for group
Switch(config)# ip pim rp-address 1.2.3.4 ?
<1-99>       Access-list reference for group
<1300-1999>  Access-list reference for group (expanded range)
WORD         IP Named Standard Access list
override     Overrides Auto RP messages
<cr>
Switch(config)# ip pim rp-address 1.2.3.4 1
This challenge involves auto-RP for an existing sparse-mode cloud in multicast routing.
Objectives
The objectives of this challenge are to:
Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 5 permit 224.1.1.1 0.0.0.0
Switch(config)# ip pim ?
accept-register      Registers accept filter
accept-rp            RP accept filter
autorp               Configure AutoRP global operations
bsr-candidate        Candidate bootstrap router (candidate BSR)
register-rate-limit  Rate limit for PIM data registers
rp-address           PIM RP-address (Rendezvous Point)
rp-announce-filter   Auto-RP announce message filter
rp-candidate         To be a PIMv2 RP candidate
send-rp-announce     Auto-RP send RP announcement
send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
spt-threshold        Source-tree switching threshold
ssm                  Configure Source Specific Multicast
Switch(config)# ip pi send-rp-announce ?
Async              Async interface
BVI                Bridge-Group Virtual Interface
Dialer             Dialer interface
FastEthernet       FastEthernet IEEE 802.3
GigabitEthernet    GigabitEthernet IEEE 802.3z
Lex                Lex interface
Loopback           Loopback interface
Multilink          Multilink-group interface
Null               Null interface
Port-channel       Ethernet Channel of interfaces
Tunnel             Tunnel interface
Virtual-Template   Virtual Template interface
Virtual-TokenRing  Virtual TokenRing
Vlan               Catalyst Vlans
Switch(config)# ip pim send-rp-announce fa0/1 ?
scope RP announcement scope
Switch(config)# ip pim send-rp-announce fa0/1 scope ?
<1-255> TTL of the RP announce packet
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 ?
group-list  Group access-list
interval    RP announcement interval
<cr>
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 group-list ?
<1-99> Access-list reference for multicast groups
WORD
Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 5 permit 224.1.1.1 0.0.0.0
Switch(config)# access-list 6 permit 19.10.11.12
Switch(config)# ip pim rp-announce-filter ?
group-list  Group address access-list
rp-list     RP address access-list
Switch(config)# ip pim rp-announce-filter rp-list ?
<1-99>  Access-list reference for RP
WORD    IP Named Standard Access list
Switch(config)# ip pim rp-announce-filter rp-list 6 ?
group-list Group address access-list
<cr>
Switch(config)# ip pim rp-announce-filter rp-list 6 group-list ?
Define PIM.
ip pim rp-address 192.168.1.1 10
ip pim send-rp-announce fa0/1 scope 30 group-list 5
ip pim accept-rp 1.2.3.4 10
ip pim send-rp-discovery scope 10
ip pim rp-announce-filter rp-list 2 group-list 1
Example
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip pim ?
bsr-border         Border of PIM domain
dense-mode         Enable PIM dense-mode operation
nbma-mode          Use Non-Broadcast Multi-Access (NBMA) mode on interface
neighbor-filter    PIM peering filter
query-interval     PIM router query interval
sparse-dense-mode  Enable PIM sparse-dense-mode operation
sparse-mode        Enable PIM sparse-mode operation
version            PIM version
<cr>
(config-if)# ip pim sparse-mode
(config-if)# ip pim version ?
<1-2> version number
(config-if)# ip pim version 2
(config-if)# ip pim bsr-border
(config-if)# ip multicast ?
boundary       Boundary for administratively scoped multicast addresses
helper-map     Broadcast to Multicast map OR Multicast to Broadcast map
rate-limit     Rate limit multicast data packets
ttl-threshold  TTL threshold for multicast packets
(config-if)# ip multicast boundary ?
<1-99>       Access-list number
<1300-1999>  <access-list> (expanded range)
WORD         IP Named Standard Access list
(config-if)# ip multicast boundary 10
(config-if)# exit
(config)# access-list 10 permit 220.1.1.1 0.0.0.0
(config)# ip pim ?
accept-register
accept-rp
autorp
bsr-candidate
register-rate-limit
rp-address
rp-announce-filter
rp-candidate
send-rp-announce
send-rp-discovery
spt-threshold
ssm
interval  RP announcement interval
<cr>
Define IGMP.
Notes
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp ?
access-group
helper-address
immediate-leave
join-group
last-member-query-interval
querier-timeout
query-interval
query-max-response-time
static-group
tcn
unidirectional-link
v3lite
version
(config-if)# ip igmp jo ?
A.B.C.D IP group address
Notes
# config t
(config)# access-list 101 deny host 225.5.5.5 0.0.0.0
(config)# access-list 101 permit any any
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp ?
access-group
helper-address
immediate-leave
join-group
last-member-query-interval
querier-timeout
query-interval
query-max-response-time
static-group
tcn
unidirectional-link
v3lite
version
(config-if)# ip igmp access-group 101
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2
Notes
# config t
Outline
This challenge involves using IGMP snooping.
Objectives
The objectives of this challenge are to:
Define VLANs.
Enable IGMP snooping.
Example
> en
# vlan database
(vlan)# ?
VLAN database editing buffer manipulation commands:
abort  Exit mode without applying the changes
apply  Apply current changes and bump revision number
exit   Apply changes, bump revision number, and exit mode
no     Negate a command or set its defaults
reset  Abandon current changes and reread current database
show   Show database information
vlan   Add, delete, or modify values associated with a single VLAN
vtp    Perform VTP administrative functions.
(vlan)# vlan ?
<1-1005> ISL VLAN index
(vlan)# vlan 1 ?
are        Maximum number of All Route Explorer hops for this VLAN
backupcrf  Backup CRF mode of the VLAN
bridge     Bridging characteristics of the VLAN
media      Media type of the VLAN
mtu        VLAN Maximum Transmission Unit
name       Ascii name of the VLAN
parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
ring       Ring number of FDDI or Token Ring type VLANs
said       IEEE 802.10 SAID
state      Operational state of the VLAN
ste        Maximum number of Spanning Tree Explorer hops for this VLAN
stp        Spanning tree characteristics of the VLAN
tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
<cr>
(vlan)# vlan 1 name ?
WORD  The ascii name for the VLAN
(vlan)# vlan 1 name edinburgh
(vlan)# vlan 2 name glasgow
(vlan)# exit
# config t
(config)# ip igmp snooping ?
(config)# ip igmp snooping vlan 1 immediate-leave
(config)# ip igmp snooping vlan 2 immediate-leave
(config)# exit
# show ip igmp snoop
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping              : Enabled
IGMPv3 snooping (minimal)  : Enabled
Report suppression         : Enabled
TCN solicit query          : Disabled
TCN flood query count      : 2

Vlan 1:
--------
IGMP snooping                    : Enabled
Immediate leave                  : Enabled
Multicast router learning mode   : pim-dvmrp
Source only learning age timer   : 10
CGMP interoperability mode       : IGMP_ONLY
Note: the vlan database command is being phased out. An improved method is:
Switch(config)# vlan 1
Switch(config-vlan)#?
VLAN configuration commands:
are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
backupcrf     Backup CRF mode of the VLAN
bridge        Bridging characteristics of the VLAN
exit          Apply changes, bump revision number, and exit mode
media         Media type of the VLAN
mtu           VLAN Maximum Transmission Unit
name          Ascii name of the VLAN
no            Negate a command or set its defaults
parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan  Configure a private VLAN
remote-span   Configure as Remote SPAN VLAN
ring          Ring number of FDDI or Token Ring type VLANs
said          IEEE 802.10 SAID
shutdown      Shutdown VLAN switching
state         Operational state of the VLAN
ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
stp           Spanning tree characteristics of the VLAN
tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)
Switch(config-vlan)# name ?
WORD The ascii name for the VLAN
Switch# sh env ?
all
fan
power
rps
temperature
Example
> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0 0.0.255.255
(config)# class-map tayside
(config-cmap)# ?
QoS class-map configuration commands:
description  Class-Map description
exit         Exit from QoS class-map configuration mode
match        classification criteria
no           Negate or set default values of a command
rename       Rename this class-map
(config-cmap)# match ?
access-group         Access group
any                  Any packets
class-map            Class map
destination-address  Destination address
input-interface      Select an input interface to match
ip                   IP specific values
mpls                 Multi Protocol Label Switching specific values
not                  Negate this match result
protocol             Protocol
source-address       Source address
vlan                 VLANs to match
(config-cmap)# match ac ?
<1-2699>  Access list index
name      Named Access List
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
class        policy criteria
description  Policy-Map description
exit         Exit from QoS policy-map configuration mode
no           Negate or set default values of a command
rename       Rename this policy-map
(config-pmap)# class tayside
(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth  Bandwidth
exit       Exit from QoS class action configuration mode
no         Negate or set default values of a command
police     Police
set        Set QoS values
trust      Set trust value for the class
<cr>
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int fa0/1
(config-if)# service-policy ?
history  Keep history of QoS metrics
input    Assign policy-map to the input of an interface
output   Assign policy-map to the output of an interface
Switch(config-if)# se o ?
WORD policy-map name
(config-if)# service-policy output ankle
Explanation
The following shows an example of limiting all the traffic which matches access-list 111 to
2 Mbps:
[Diagram: class map (identify the traffic characteristics) -> policy map (define the policy for the traffic) -> service policy (apply the policy to an interface)]
(config)# class-map cmap
(config-cmap)# match access-group 111
(config)# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
(config)# int s0
(config-if)# service-policy output pmap
Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html
Example
(config)# mls qos
(config)# int fa0/1
(config-if)# no switchport
(config-if)# mls ?
qos  qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# priority-queue ?
out  egress priority queue
(config-if)# priority-queue out
(config-if)# wrr-queue ?
bandwidth    Configure WRR bandwidth
cos-map      Configure cos-map for a queue id
min-reserve  Configure min-reserve level
(config-if)# wrr-queue bandwidth ?
<1-65536>  enter bandwidth weight for qid 1
(config-if)# wrr-queue bandwidth 3 ?
<1-65536>  enter bandwidth weight for qid 2
(config-if)# wrr-queue bandwidth 3 8 ?
<1-65536>  enter bandwidth weight for qid 3
(config-if)# wrr-queue bandwidth 3 8 10 ?
<1-65536>  enter bandwidth weight for qid 4
(config-if)# wrr-queue bandwidth 3 8 10 12
Overview
(config)# priority-list 1 q 20 40 60 80
(config)# priority-list 1 protocol http high
(config)# priority-list 1 protocol ipx low
(config)# int fa0/1
(config-if)# priority-group 1
Example
(config)# priority-list ?
<1-16>  Priority list number
(config)# priority-list 1 ?
default      Set priority queue for unspecified datagrams
interface    Establish priorities for packets from a named interface
protocol     priority queueing by protocol
queue-limit  Set queue limits for priority queues
(config)# priority-list 1 q ?
<0-32767> High limit
(config)# priority-list 1 q 20 ?
<0-32767> Medium limit
(config)# priority-list 1 q 20 40 ?
<0-32767> Normal limit
(config)# priority-list 1 q 20 40 60 ?
<0-32767> Lower limit
(config)# priority-list 1 q 20 40 60 80 ?
<cr>
(config)# priority-list 1 q 20 40 60 80
(config)# prio 1 p ?
aarp              AppleTalk ARP
appletalk         AppleTalk
arp               IP ARP
bridge            Bridging
bstun             Block Serial Tunnel
cdp               Cisco Discovery Protocol
clns              ISO CLNS
clns_es           ISO CLNS End System
clns_is           ISO CLNS Intermediate System
cmns              ISO CMNS
compressedtcp     Compressed TCP (VJ)
decnet            DECnet
decnet_node       DECnet Node
decnet_router-l1  DECnet Router L1
decnet_router-l2  DECnet Router L2
dlsw              Data Link Switching (Direct encapsulation only)
http              HTTP
ip                IP
ipv6              IPV6
ipx               Novell IPX
llc2              llc2
pad               PAD links
pppoe             PPP over Ethernet
qllc              qllc protocol
rsrb              Remote Source-Route Bridging
snapshot          Snapshot routing support
stun              Serial Tunnel
(config)# priority-list 1 protocol http ?
high
medium
normal
low
(config)# priority-list 1 protocol http high
(config)# priority-list 1 protocol ipx low
(config)# int fa0/1
(config-if)# priority-group 1
Define queues.
Apply CQ.
Overview
(config)# queue-list 1 protocol ip 1 tcp www
(config)# queue-list 1 protocol ip 2 udp rip
(config)# queue-list 1 protocol ip 3
(config)# queue-list 1 queue 1 limit 40
(config)# queue-list 1 queue 2 limit 40
(config)# queue-list 1 queue 3 limit 80
(config)# int vlan1
(config-if)# custom-queue-list 1
Example
(config)# queue-list ?
<1-16>  Queue list number
(config)# queue-list 1 ?
default        Set custom queue for unspecified datagrams
interface      Establish priorities for packets from a named interface
lowest-custom  Set lowest number of queue to be treated as custom
protocol       priority queueing by protocol
queue          Configure parameters for a particular queue
stun           Establish priorities for stun packets
Switch(config)# queue-list 1 protocol ?
arp            IP ARP
bridge         Bridging
cdp            Cisco Discovery Protocol
compressedtcp  Compressed TCP
ip             IP
Switch(config)# queue-list 1 protocol ip ?
<0-16> queue number
Switch(config)# queue-list 1 protocol ip 1 ?
fragments  Prioritize fragmented IP packets
gt         Classify packets greater than a specified size
list       To specify an access list
lt         Classify packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
(config)# queue-list 1 protocol ip 1
(config)# queue-list 1 protocol ip 1 tcp ?
<0-65535>    Port number
bgp          Border Gateway Protocol (179)
chargen      Character generator (19)
cmd          Remote commands (rcmd, 514)
daytime      Daytime (13)
discard      Discard (9)
domain       Domain Name Service (53)
echo         Echo (7)
exec         Exec (rsh, 512)
finger       Finger (79)
ftp          File Transfer Protocol (21)
ftp-data     FTP data connections (used infrequently, 20)
gopher       Gopher (70)
hostname     NIC hostname server (101)
ident        Ident Protocol (113)
irc          Internet Relay Chat (194)
klogin       Kerberos login (543)
kshell       Kerberos shell (544)
login        Login (rlogin, 513)
lpd          Printer service (515)
nntp         Network News Transport Protocol (119)
pim-auto-rp  PIM Auto-RP (496)
pop2         Post Office Protocol v2 (109)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transport Protocol (25)
sunrpc       Sun Remote Procedure Call (111)
syslog       Syslog (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
telnet       Telnet (23)
time         Time (37)
uucp         Unix-to-Unix Copy Program (540)
whois        Nicname (43)
www          World Wide Web (HTTP, 80)
(config)# queue-list 1 protocol ip 2 tcp www
(config)# queue-list 1 protocol ip 1 u ?
<0-65535>   Port number
biff        Biff (mail notification, comsat, 512)
bootpc      Bootstrap Protocol (BOOTP) client (68)
bootps      Bootstrap Protocol (BOOTP) server (67)
discard     Discard (9)
dnsix       DNSIX security protocol auditing (195)
domain      Domain Name Service (DNS, 53)
echo        Echo (7)
isakmp      Internet Security Association and Key Management Protocol (500)
mobile-ip   Mobile IP registration (434)
nameserver  IEN116 name service (obsolete, 42)
Example
> en
# config t
(config)# cdp run
(config)# int vlan 10
(config-if)# exit
(config)# int vlan 20
(config-if)# exit
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport access vlan 10
(config-if)# switchport voice ?
vlan Vlan for voice traffic
(config-if)# switchport voice vlan ?
<1-4094>  Vlan for voice traffic
dot1p     Priority tagged on PVID
none      Don't tell telephone about voice vlan
untagged  Untagged on PVID
(config-if)# switchport voice vlan 20
(config-if)# au ?
qos Configure AutoQoS
(config-if)# auto qos ?
voip Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
cisco-phone  Trust the QoS marking of Cisco IP Phone
trust        Trust the COS marking
(config-if)# auto qos voip cisco-phone
(config-if)# exit
Note: For Auto QoS VoIP, CDP needs to be enabled.
Define MLS.
Apply to FA0/1.
Define 802.1P frames.
Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
(config)# int fa0/1
(config-if)# mls ?
qos  qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# switchport voice ?
vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
<1-4094>  Vlan for voice traffic
dot1p     Priority tagged on PVID
none      Don't tell telephone about voice vlan
untagged  Untagged on PVID
(config-if)# switchport voice vlan dot1p
Define MLS.
Define the routing for 802.1Q frames.
Apply to FA0/1.
Define the CoS value 0 lowest priority, 7 highest priority.
Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
Define MLS.
Define the routing for 802.1Q frames.
Apply to FA0/1.
Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 9 permit 193.91.79.4
(config)# access-list 9 deny any
(config)# ip http access-class ?
<1-99> Access list number
(config)# ip http access-class 9
(config)# ip http server
Outline
This challenge involves the configuration to deny access for a single host to the Web server.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 11 deny 192.1.179.24
(config)# access-list 11 permit any
(config)# ip http access-class ?
<1-99> Access list number
(config)# ip http access-class 11
(config)# ip http server
Objectives
The objectives of this challenge are to:
Define an access-list which permits a single host access to the Telnet server.
Apply the access-list onto the Telnet server.
Example
# config t
(config)# access-list 8 permit 205.191.68.8
(config)# access-list 8 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
WORD         Access-list name
(config-line)# access-class 8 ?
in   Filter incoming connections
out  Filter outgoing connections
(config-line)# access-class 8 in
Example
# config t
(config)# access-list 8 deny 205.191.68.8
(config)# access-list 8 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
WORD         Access-list name
(config-line)# access-class 8 ?
in   Filter incoming connections
out  Filter outgoing connections
(config-line)# access-class 8 in
Example
> en
# config t
(config)# access-list 6 permit 12.84.44.10
(config)# access-list 6 deny any
(config)# username david ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
(config)# username david access-class ?
<1-199>      Access-class number
<1300-2699>  Expanded Access-class number
(config)# username david access-class 6
(config)# username anne ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
(config)# username anne nopassword
Define port-security.
Example
> en
# config t
(config)# int fa0/1
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport mode ?
access        Set trunking mode to ACCESS unconditionally
dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
dynamic       Set trunking mode to dynamically negotiate access or trunk mode
trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode access
(config-if)# switchport port-security violation ?
protect   Security violation protect mode
restrict  Security violation restrict mode
shutdown  Security violation shutdown mode
(config-if)# switchport port-security violation shutdown
(config-if)# switchport port-security ?
aging        Port-security aging commands
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
(config-if)# switchport port-security mac-address ?
H.H.H   48 bit mac address
sticky  Configure dynamic secure addresses as sticky
(config-if)# switchport port-security mac-address 00e0.4e3d.a1bb
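The port-security behaviour configured above as an added Python model (not NetworkSims.com's code): the static 00e0.4e3d.a1bb address, dynamic and sticky learning up to the maximum, and the protect, restrict and shutdown violation modes from the help output. The intruder MAC addresses and the notification text are constructed.

```python
"""Model of 'switchport port-security' on one access port (added example, not
NetworkSims.com's code). Intruder MACs and message text are constructed;
real IOS syslog wording is not reproduced."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def normalise_mac(mac: str) -> str:
    """Accept 00e0.4e3d.a1bb or 00:e0:4e:3d:a1:bb and return the IOS H.H.H form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: Set[str] = field(default_factory=set)          # static + learned
    sticky_saved: List[str] = field(default_factory=list)  # what sticky writes to config
    err_disabled: bool = False
    violations: int = 0
    notifications: List[str] = field(default_factory=list)  # restrict/shutdown only

    def __post_init__(self) -> None:
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H"""
        mac = normalise_mac(mac)
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.secure.add(mac)

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame entering the port."""
        mac = normalise_mac(src_mac)
        if self.err_disabled:
            return "drop"                       # port stays down until re-enabled
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:     # room left: learn the address
            self.secure.add(mac)
            if self.sticky:
                self.sticky_saved.append(mac)
            return "forward"
        # a further source address beyond the maximum is a violation
        self.violations += 1
        if self.violation == "protect":
            return "drop"                       # silently dropped, no record
        self.notifications.append(f"violation from {mac}")   # constructed text
        if self.violation == "shutdown":
            self.err_disabled = True            # whole port goes err-disabled
        return "drop"


def shutdown_mode_case() -> Tuple[List[str], bool, int]:
    """Port as configured above: one static MAC, violation shutdown."""
    port = SecurePort(maximum=1, violation="shutdown")
    port.add_static("00e0.4e3d.a1bb")
    results = [port.receive("00e0.4e3d.a1bb"),   # the secured host
               port.receive("0000.0c12.3456"),   # constructed intruder MAC
               port.receive("00e0.4e3d.a1bb")]   # secured host after err-disable
    return results, port.err_disabled, port.violations


def restrict_mode_case() -> Tuple[List[str], bool, int, int]:
    """Same intruder against 'violation restrict': counted and notified, but
    the secured host keeps working and the port stays up."""
    port = SecurePort(maximum=1, violation="restrict")
    port.add_static("00e0.4e3d.a1bb")
    results = [port.receive("0000.0c12.3456"),
               port.receive("0000.0c12.3456"),
               port.receive("00e0.4e3d.a1bb")]
    return results, port.err_disabled, port.violations, len(port.notifications)


def sticky_case() -> Tuple[List[str], str, int]:
    """Sticky learning with maximum 2: the first two sources are learned and
    saved to the configuration; a third source is a violation."""
    port = SecurePort(maximum=2, violation="protect", sticky=True)
    port.receive("00:e0:4e:3d:a1:bb")
    port.receive("0000.0c12.3456")
    third = port.receive("0000.0c99.9999")
    return port.sticky_saved, third, port.violations
```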
Example
# config t
(config)# access-list 6 permit 111.101.136.8
(config)# access-list 6 deny any
(config)# snmp-server community fries ?
<1-99>       Std IP accesslist allowing access with this community string
<1300-1999>  Expanded IP accesslist allowing access with this community string
ro           Read-only access with this community string
rw           Read-write access with this community string
view         Restrict this community to a named MIB view
<cr>
(config)# snmp-server community fries rw ?
<1-99>       Std IP accesslist allowing access with this community string
<1300-1999>  Expanded IP accesslist allowing access with this community string
<cr>
(config)# snmp-server community fries rw 6
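Added example (not NetworkSims.com's code) serving the HTTP, vty, username and SNMP access-class challenges above: a standard ACL evaluator fed the page's own access-list lines, with the implicit deny, the host and any forms and wildcard masks modelled, plus a check for entries an earlier entry makes unreachable. ACL 20 and the helper names (is_allowed, unreachable_entries) are constructed.

```python
"""Standard ACL evaluation for access-class style filters (added example,
not NetworkSims.com's code). ACL 20 is a constructed, misordered list."""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (action, address, wildcard mask)


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(lines: List[str]) -> Dict[int, List[Entry]]:
    """Group 'access-list N permit|deny <addr> [wildcard]' lines by number,
    keeping their order, because the first match wins."""
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = _addr(rest[1]), 0
        else:
            addr = _addr(rest[0])
            wild = _addr(rest[1]) if len(rest) > 1 else 0   # no mask: one host
        acls.setdefault(number, []).append((action, addr, wild))
    return acls


def evaluate(entries: List[Entry], src_ip: str) -> str:
    """First matching entry decides; a wildcard bit of 1 means 'don't care'."""
    src = _addr(src_ip)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if src & care == addr & care:
            return action
    return "deny"                      # implicit deny at the end of every list


def unreachable_entries(entries: List[Entry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already covers every address they cover (a common misordering)."""
    dead = []
    for i, (_, addr, wild) in enumerate(entries):
        care = ~wild & 0xFFFFFFFF
        for _, p_addr, p_wild in entries[:i]:
            p_care = ~p_wild & 0xFFFFFFFF
            # earlier entry covers this one when every bit it cares about is
            # also fixed here, with the same value
            if p_care & ~care == 0 and addr & p_care == p_addr & p_care:
                dead.append(i)
                break
    return dead


# ACL lines as typed in the challenges above (ACL 20 is constructed)
ACL_LINES = [
    "access-list 9 permit 193.91.79.4",    # one host may reach the HTTP server
    "access-list 9 deny any",
    "access-list 11 deny 192.1.179.24",    # one host blocked, everyone else allowed
    "access-list 11 permit any",
    "access-list 6 permit 111.101.136.8",  # SNMP community 'fries' rw, one host
    "access-list 6 deny any",
    "access-list 20 permit any",           # constructed: the deny below is dead
    "access-list 20 deny 10.0.0.0 0.0.0.255",
]
ACLS = parse_standard_acls(ACL_LINES)


def is_allowed(acl_number: int, src_ip: str) -> bool:
    """Would 'ip http access-class', 'access-class ... in' or the SNMP
    community ACL numbered acl_number admit a client at src_ip?"""
    return evaluate(ACLS[acl_number], src_ip) == "permit"
```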
Define AAA.
Define the local server.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication ?
arap             Set authentication lists for arap.
banner           Message to use when starting login/authentication.
dot1x            Set authentication lists for IEEE 802.1x.
enable           Set authentication list for enable.
fail-message     Message to use for failed login/authentication.
login            Set authentication lists for logins.
nasi             Set authentication lists for NASI.
password-prompt  Text to use when prompting for a password
ppp              Set authentication lists for ppp.
username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
WORD     Named authentication list.
default  The default authentication list.
(config)# aaa authentication login default ?
enable
group
line
local
local-case
none
Or
> enable
# config t
(config)# aaa new-model
(config)# aaa authen login default group ?
WORD     Server-group name
radius   Use list of all Radius hosts.
tacacs+  Use list of all Tacacs+ hosts.
Define AAA.
Define the radius server.
Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
attribute
authorization
challenge-noecho
nasi
Set authentication lists for NASI.
password-prompt Text to use when prompting for a password
ppp
Set authentication lists for ppp.
username-prompt Text to use when prompting for a username
(config)# aaa authentication ppp ?
WORD
Named authentication list.
default The default authentication list.
(config)# aaa authentication ppp default radius
(config)# aaa authorization ?
commands
For exec (shell) commands.
config-commands For configuration mode commands.
exec
For starting an exec (shell).
network
For network services. (PPP, SLIP, ARAP)
reverse-access
For reverse access connections
(config)# aaa authorization network ?
WORD
Named authorization list.
default The default authorization list.
(config)# aaa authorization network default ?
enable
Use enable password for authentication.
group
Use Server-group
line
Use line password for authentication.
local
Use local username authentication.
local-case Use case-sensitive local username authentication.
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius
Define AAA.
Define the Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server ?
administration
Start tacacs+ deamon handling administrative messages
attempts
Number of login attempts via TACACS
directed-request
Allow user to specify tacacs server to use with `@server'
dns-alias-lookup
Enable IP Domain Name System Alias lookup for TACACS
servers
extended
Enable extended TACACS
host
Specify a TACACS server
key
last-resort
optional-passwords
Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# privilege ?
cns_connect_intf_config
config-rtr-http
configure
exec
interface
interface
ipenacl
ipsnacl
line
mac-enacl
map-class
map-list
mstp_cfg
MSTP configuration mode
null-interface
Null interface configuration mode
preauth
AAA Preauth definitions
rtr
RTR Entry Configuration
sg-radius
Radius Server-group Definition
sg-tacacs+
Tacacs+ Server-group Definition
template
Template configuration mode
vc-class
VC class configuration mode
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# radius-server host 39.100.234.1
(config)# radius-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.
Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
moves these commands to Level 7. For example, ping is a Level 1 command and is now a
Level 7 command, while the rest have moved from Level 15 to Level 7.
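The following Python, added here and not part of the original guide, models the rule the explanation describes: it loads the six privilege lines above (constructed sample input), applies the IOS defaults for levels 0, 1 and 15, and answers which level a command now needs and which commands moved. The default level-1 command set is the one listed on this page; parent commands are not inferred automatically, since the example sets them explicitly.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config: the six privilege lines from the example above.
SAMPLE_CONFIG = """\
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
"""

# Default levels as described in the explanation: level 0 holds five commands,
# the commands a router> user sees are level 1, everything else is level 15.
LEVEL0_EXEC = {"disable", "enable", "exit", "help", "logout"}
LEVEL1_EXEC = {"lock", "login", "logout", "name-connection", "ping", "rcommand",
               "resume", "show", "systat", "telnet", "terminal", "traceroute",
               "tunnel", "where"}

Command = Tuple[str, Tuple[str, ...]]  # (mode, command words)


class PrivilegeTable:
    """Resolve the level a command needs after 'privilege <mode> level N' overrides."""

    def __init__(self) -> None:
        self.overrides: Dict[Command, int] = {}

    def load(self, config: str) -> None:
        """Parse 'privilege <mode> level <n> <command...>' lines from a config."""
        pattern = re.compile(r"\s*privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
        for line in config.splitlines():
            m = pattern.match(line)
            if m:
                key = (m.group(1), tuple(m.group(3).split()))
                self.overrides[key] = int(m.group(2))

    @staticmethod
    def default_level(mode: str, words: Tuple[str, ...]) -> int:
        """IOS default: 0 for the five level-0 commands, 1 for user-mode commands, else 15."""
        if mode == "exec":
            if words[0] in LEVEL0_EXEC:
                return 0
            if words[0] in LEVEL1_EXEC:
                return 1
        return 15

    def level_of(self, mode: str, command: str) -> int:
        """Longest configured prefix of the command wins; otherwise the default applies."""
        words = tuple(command.split())
        for n in range(len(words), 0, -1):
            level = self.overrides.get((mode, words[:n]))
            if level is not None:
                return level
        return self.default_level(mode, words)

    def can_run(self, user_level: int, mode: str, command: str) -> bool:
        """A user may run a command whose level is at or below their own."""
        return user_level >= self.level_of(mode, command)

    def moved_commands(self) -> List[Tuple[str, str, int, int]]:
        """(mode, command, old level, new level) for each override that changed a level."""
        moved: List[Tuple[str, str, int, int]] = []
        for (mode, words), new in sorted(self.overrides.items()):
            old = self.default_level(mode, words)
            if old != new:
                moved.append((mode, " ".join(words), old, new))
        return moved


if __name__ == "__main__":
    table = PrivilegeTable()
    table.load(SAMPLE_CONFIG)
    for entry in table.moved_commands():
        print("%s '%s': level %d -> %d" % entry)
```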
Define AAA
Enable 802.1x.
Define re-authentication.
Example
> en
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1x port-control ?
auto
PortState will be set to AUTO
force-authorized
PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
<cr>
(config-if)# dot1x reauthentication
(config-if)# dot1 timeout ?
quiet-period
QuietPeriod in Seconds
reauth-period
server-timeout
supp-timeout
tx-period
Enable AAA.
Define the Radius server.
Enable 802.1x.
Define re-authentication.
Define Dot1x timeouts.
Example
> en
# config t
(config)# aaa new-model
Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.
lock
login
logout
name-connection
ping
rcommand
resume
show
systat
telnet
terminal
traceroute
tunnel
where
Thus:
(config)# username fred privilege 15
(config)# username test privilege 1
sets the maximum privilege level for fred at 15, while test will only be able to enter the nonprivileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log-in from any other host. The following:
(config)# username test user-maxlinks 2
Define Tacacs+.
Define accounting for start and stop events.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa account network default start-stop group tacacs+
(config)# aaa account reverse-access default group tacacs+
Define AAA.
Define port authentication.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication dot1x default group radius
(config)# int fa0/1
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
guest-vlan
Configure Guest-vlan on this interface
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1 port-control ?
auto
PortState will be set to AUTO
force-authorized
PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# int fa0/2
(config-if)# dot1x port-control auto
(config-if)# int fa0/4
(config-if)# dot1x port-control auto
(config-if)# exit
(config)# exit
# sh dot1x all
Sysauthcontrol = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both
# sh dot1x all
Enable 802.1x.
Define re-authentication.
Example
> en
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
Example
> en
# config t
Switch(config)# ip dhcp ?
conflict
database
excluded-address
limited-broadcast-address
ping
pool
relay
smart-relay
snooping
Example
> enable
Switch# config t
Switch(config)# int vlan 1
Switch(config-vlan)# ip address 1.2.3.4 255.0.0.0
Switch(config-vlan)# exit
Switch(config)# int fa0/1
Switch(config-if)# storm-control ?
broadcast Broadcast address storm control
multicast Multicast address storm control
unicast
Unicast address storm control
Switch(config-if)# storm-control multicast ?
level Set storm suppression level on this interface
Switch(config-if)# storm-control multicast level ?
<0 - 100>
Switch# sh storm
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      inactive      100.00%  N/A
Fa0/2      inactive      100.00%  N/A
Fa0/3      inactive      100.00%  N/A
Fa0/4      inactive      100.00%  N/A
Fa0/5      inactive      100.00%  N/A
Fa0/6      inactive      100.00%  N/A
Fa0/7      inactive      100.00%  N/A
Fa0/8      inactive      100.00%  N/A
Fa0/9      inactive      100.00%  N/A
Fa0/10     inactive      100.00%  N/A
Fa0/11     inactive      100.00%  N/A
Fa0/12     inactive      100.00%  N/A
Fa0/13     inactive      100.00%  N/A
Fa0/14     inactive      100.00%  N/A
Fa0/15     inactive      100.00%  N/A
Fa0/16     inactive      100.00%  N/A
Fa0/17     inactive      100.00%  N/A
Fa0/18     inactive      100.00%  N/A
Fa0/19     inactive      100.00%  N/A
Fa0/20     inactive      100.00%  N/A
Fa0/21     inactive      100.00%  N/A
Fa0/22     inactive      100.00%  N/A
Fa0/23     inactive      100.00%  N/A
Fa0/24     inactive      100.00%  N/A
Gi0/1      inactive      100.00%  N/A
Gi0/2      inactive      100.00%  N/A
Switch# sh storm multi
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      Forwarding    50.00%   0.00%
Fa0/2      inactive      100.00%  N/A
Fa0/3      inactive      100.00%  N/A
Fa0/4      inactive      100.00%  N/A
Fa0/5      inactive      100.00%  N/A
Fa0/6      inactive      100.00%  N/A
Fa0/7      inactive      100.00%  N/A
Fa0/8      inactive      100.00%  N/A
Fa0/9      inactive      100.00%  N/A
Fa0/10     inactive      100.00%  N/A
Fa0/11     inactive      100.00%  N/A
Fa0/12     inactive      100.00%  N/A
Fa0/13     inactive      100.00%  N/A
Fa0/14     inactive      100.00%  N/A
Fa0/15     inactive      100.00%  N/A
Fa0/16     inactive      100.00%  N/A
Fa0/17     inactive      100.00%  N/A
Fa0/18     inactive      100.00%  N/A
Fa0/19     inactive      100.00%  N/A
Fa0/20     inactive      100.00%  N/A
Fa0/21     inactive      100.00%  N/A
Fa0/22     inactive      100.00%  N/A
Fa0/23     inactive      100.00%  N/A
Fa0/24     inactive      100.00%  N/A
Gi0/1      inactive      100.00%  N/A
Gi0/2      inactive      100.00%  N/A
Switch# sh stor fa0/1 m
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      Forwarding    50.00%   0.00%
Example
> en
# config t
(config)# mac ?
access-list
Named access-list
address-table Configure the MAC address table
(config)# mac acc ?
extended Extended Access List
(config)# mac acc ex ?
WORD access-list name
(config)# mac acc ex Edinburgh
(config-ext-macl)# ?
Extended MAC Access List configuration commands:
default Set a command to its defaults
deny
Specify packets to reject
exit
Exit from MAC Named ACL configuration mode
no
Negate a command or set its defaults
permit
Specify packets to forward
(config-ext-macl)# deny ?
H.H.H 48-bit source MAC address
any
any source MAC address
host
A single source host
(config-ext-macl)# deny host 1.1.1 ?
H.H.H 48-bit destination MAC address
any
any destination MAC address
host
A single destination host
(config-ext-macl)# deny host 1.1.1 any
(config-ext-macl)# permit any any
(config-ext-macl)# exit
(config)# int fa0/1
(config-if)# mac ?
access-group MAC access-group configuration commands
(config-if)# mac access-group ?
WORD ACL name
(config-if)# mac access-group Edinburgh ?
in Apply to Ingress
(config-if)# mac acc Edinburgh in
(config-if)# exit
(config)# exit
# show access-list
Extended MAC access list Edinburgh
deny host 1.1.1 any
permit any any
Example
> en
# config t
(config)# monitor ?
session Configure a SPAN session
(config)# monitor session
<1-2> SPAN session number
(config)# monitor session 1 ?
destination SPAN destination interface, VLAN
source
SPAN source interface, VLAN
(config)# monitor session 1 destination ?
interface SPAN destination interface
remote
SPAN destination Remote
(config)# monitor session 1 source interface ?
FastEthernet
FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
(config)# monitor session 1 des interface fa0
,    Specify another range of interfaces
-    Specify a range of interfaces
both Monitor received and transmitted traffic
rx   Monitor received traffic only
tx
Monitor transmitted traffic only
<cr>
(config)# monitor session 1 source interface fa0/3
(config)# monitor session 1 destination interface fa0/7
(config)# exit
# sh monitor
Session 1
--------Source Ports:
RX Only:
None
TX Only:
None
Both:
FA0/3
Destination Ports: FA0/7
# config t
(config)# int vlan 1
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway 148.183.229.6
Example
# config t
(config)# snmp-server host 1.2.3.4
(config)# snmp-server ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group
host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
inform
Configure SNMP Informs options
ip
IP ToS configuration for SNMP traffic
location
Text for mib object sysLocation
manager
Modify SNMP manager parameters
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server enable ?
informs Enable SNMP Informs
traps
Enable SNMP Traps
(config)# snmp-server enable traps ?
bridge
Enable SNMP STP Bridge MIB traps
c2900
Enable SNMP c2900 traps
cluster
Enable Cluster traps
config
Enable SNMP config traps
entity
Enable SNMP entity traps
envmon
Enable SNMP environmental monitor traps
flash
Enable SNMP FLASH notifications
hsrp
Enable SNMP HSRP traps
mac-notification Enable SNMP MAC Notification traps
port-security
Enable SNMP port security traps
rtr
Enable SNMP Response Time Reporter traps
snmp
Enable SNMP traps
syslog
Enable SNMP syslog traps
vlan-membership
Enable SNMP VLAN membership traps
vlancreate
Enable SNMP VLAN created traps
vlandelete
Enable SNMP VLAN deleted traps
vtp
Enable SNMP VTP traps
<cr>
(config)# snmp-server enable traps mac-notification
(config)# mac ?
access-list   Named access-list
address-table Configure the MAC address table
<cr>
(config)# mac address-table notification
(config)# mac address-table notification interval 60
(config)# mac address-table notification history-size 160
(config)# int fa0/6
(config-if)# snmp ?
ifindex Persist ifindex for the interface
trap
Allow a specific SNMP trap
(config-if)# snmp trap ?
link-status
Allow SNMP LINKUP and LINKDOWN traps
mac-notification MAC Address notification for the interface
(config-if)# snmp trap mac-notification ?
added
Enable Mac Address added notification for this port
removed Enable Mac Address removed notification for this port
(config-if)# snmp trap mac-notification added
(config-if)# end
# show mac address-table notification
MAC Notification Feature is Disabled on the switch
Interval between Notification Traps : 60 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 120
Current History Table Length : 0
MAC Notification Traps are Disabled
History Table contents
---------------------
# sh mac address-table notification interface
MAC Notification Feature is Enabled on the switch
MAC Notification Flags For All Ethernet Interfaces :
---------------------------------------------------
Interface           MAC Added Trap  MAC Removed Trap
------------------  --------------  ----------------
FastEthernet0/1     Disabled        Disabled
FastEthernet0/2     Disabled        Disabled
FastEthernet0/3     Disabled        Disabled
FastEthernet0/4     Disabled        Disabled
FastEthernet0/5     Disabled        Disabled
FastEthernet0/6     Enabled         Disabled
FastEthernet0/7     Disabled        Disabled
FastEthernet0/8     Disabled        Disabled
FastEthernet0/9     Disabled        Disabled
FastEthernet0/10    Disabled        Disabled
FastEthernet0/11    Disabled        Disabled
FastEthernet0/12    Disabled        Disabled
FastEthernet0/13    Disabled        Disabled
FastEthernet0/14    Disabled        Disabled
FastEthernet0/15    Disabled        Disabled
FastEthernet0/16    Disabled        Disabled
FastEthernet0/17    Disabled        Disabled
FastEthernet0/18    Disabled        Disabled
FastEthernet0/19    Disabled        Disabled
FastEthernet0/20    Disabled        Disabled
FastEthernet0/21    Disabled        Disabled
FastEthernet0/22    Disabled        Disabled
FastEthernet0/23    Disabled        Disabled
FastEthernet0/24    Disabled        Disabled
GigabitEthernet0/1  Disabled        Disabled
GigabitEthernet0/2  Disabled        Disabled
mode access
port-security mac-address 1.2.3
mode access
port-security mac-address 1.2.4
mode access
port-security mac-address 1.2.5
Example
# config t
(config)# int fa0/1
(config-if)# switchport ?
access
Set access mode characteristics of the interface
block
Disable forwarding of unknown uni/multi cast addresses
broadcast
Set broadcast suppression level on this interface
encapsulation Set trunking encapsulation when interface is in trunking mode
host
Set port host
mode
Set trunking mode of the interface
multicast
Set multicast suppression level on this interface
native
Set trunking native characteristics when interface is in
trunking mode
nonegotiate
Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority
protected
pruning
trunk
unicast
voice
<cr>
# sh port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports  Remaining Age (mins)
----  -----------     ----              -----  --------------------
1     0001.0002.0003  SecureConfigured  Fa0/1
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120
Note
The default for the ports might be the command:
(config-if)# switchport mode dynamic desirable
Example
> en
# config t
(config)# mac ?
access-list   Named access-list
address-table Configure the MAC address table
Vlan  Mac Address     Type     Ports
----  -----------     -------  -----
All   0012.00b0.2780  STATIC   CPU
All   0012.00b0.2781  STATIC   CPU
All   0012.00b0.2782  STATIC   CPU
All   0012.00b0.2783  STATIC   CPU
All   0012.00b0.2784  STATIC   CPU
All   0012.00b0.2785  STATIC   CPU
All   0012.00b0.2786  STATIC   CPU
All   0012.00b0.2787  STATIC   CPU
All   0012.00b0.2788  STATIC   CPU
All   0012.00b0.2789  STATIC   CPU
All   0012.00b0.278a  STATIC   CPU
All   0012.00b0.278b  STATIC   CPU
All   0012.00b0.278c  STATIC   CPU
All   0012.00b0.278d  STATIC   CPU
All   0012.00b0.278e  STATIC   CPU
All   0012.00b0.278f  STATIC   CPU
All   0012.00b0.2790  STATIC   CPU
All   0012.00b0.2791  STATIC   CPU
All   0012.00b0.2792  STATIC   CPU
All   0012.00b0.2793  STATIC   CPU
All   0012.00b0.2794  STATIC   CPU
All   0012.00b0.2795  STATIC   CPU
All   0012.00b0.2796  STATIC   CPU
All   0012.00b0.2797  STATIC   CPU
All   0012.00b0.2798  STATIC   CPU
All   0012.00b0.2799  STATIC   CPU
All   0012.00b0.279a  STATIC   CPU
All   0100.0c00.0000  STATIC   CPU
All   0100.0ccc.cccc  STATIC   CPU
All   0100.0ccc.cccd  STATIC   CPU
All   0100.0ccd.cdce  STATIC   CPU
All   0180.c200.0000  STATIC   CPU
All   0180.c200.0001  STATIC   CPU
All   0180.c200.0002  STATIC   CPU
All   0180.c200.0003  STATIC   CPU
All   0180.c200.0004  STATIC   CPU
All   0180.c200.0005  STATIC   CPU
All   0180.c200.0006  STATIC   CPU
All   0180.c200.0007  STATIC   CPU
All   0180.c200.0008  STATIC   CPU
All   0180.c200.0009  STATIC   CPU
All   0180.c200.000a  STATIC   CPU
All   0180.c200.000b  STATIC   CPU
All   0180.c200.000c  STATIC   CPU
All   0180.c200.000d  STATIC   CPU
All   0180.c200.000e  STATIC   CPU
All   0180.c200.000f  STATIC   CPU
All   0180.c200.0010  STATIC   CPU
1     0001.0001.0001  STATIC   Fa0/1
1     000d.28fb.ebda  DYNAMIC  Gi0/2
1     000d.298e.f359  DYNAMIC  Gi0/1
Total Mac Addresses for this criterion: 51
On a switch, the secure address table holds secure MAC addresses and their associated
ports and VLANs. The command defines a secure address that is forwarded to only one port
per VLAN. Thus:
(config)# mac-address-table static 1.1.1 vlan 1 int fa0/1
will forward anything for the MAC address 1.1.1 on VLAN 1 to FA0/1.
An alternative is:
> en
# config t
(config)# mac-address-table ?
(config)# mac-address-table ageing-time ?
(config)# mac-address-table static ?
(config)# mac-address-table static 1.1.1 ?
(config)# mac-address-table static 1.1.1 vlan ?
(config)# mac-address-table static 1.1.1 vlan 1 ?
(config)# mac-address-table static 1.1.1 vlan 1 int ?
(config)# mac-address-table static 1.1.1 vlan 1 int fa0/1
Example
> en
# config t
Switch(config)# snmp-server host 192.168.0.1
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac-address-table notification interval ?
<0-2147483647> Notification interval in seconds
Switch(config)# mac-address-table notification interval 60
Switch(config)# mac-address-table notification history-size ?
<0-500> Number of entries in history table
Switch(config)# mac-address-table notification history-size 100
Switch(config)# interface fastethernet0/1
Switch(config-if)# snmp ?
ifindex Persist ifindex for the interface
trap
Allow a specific SNMP trap
Switch(config-if)# snmp trap ?
link-status
Allow SNMP LINKUP and LINKDOWN traps
mac-notification MAC Address notification for the interface
Switch(config-if)# snmp trap mac-notification ?
added
Enable Mac Address added notification for this port
removed Enable Mac Address removed notification for this port
Switch(config-if)# snmp trap mac-notification added
MAC address notification is used to track whenever a machine connects to the network. In
this case, whenever a new MAC address is learned, or one is removed, the switch generates an
SNMP trap. If many machines are connecting, the traps can be grouped together and sent at
regular intervals (such as every 60 seconds in the example).
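As an added example that is not from the guide, this Python models the batching just described: add/remove events are accepted only for interfaces whose trap flag is enabled, collected for the notification interval, sent as one trap, and kept in a bounded history. The MacEvent type, MacNotifier class and demo scenario are all constructed here, and the history is simplified to store events rather than whole traps.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class MacEvent:
    """One MAC learn/age-out event seen by the switch (constructed type)."""
    time: int          # seconds
    interface: str
    mac: str
    action: str        # "added" or "removed"


class MacNotifier:
    """Simplified model of the switch-side MAC notification feature.

    Events are recorded only for interfaces where the matching
    'snmp trap mac-notification added|removed' flag is set. They are batched,
    and one trap carrying the whole batch is emitted once 'interval' seconds
    have passed since the first pending event. History keeps the last
    'history_size' events (the real table stores whole traps).
    """

    def __init__(self, interval: int = 60, history_size: int = 100) -> None:
        self.interval = interval
        self.flags: Dict[str, Set[str]] = {}          # interface -> enabled actions
        self.pending: List[MacEvent] = []
        self.batch_started: Optional[int] = None
        self.history: Deque[MacEvent] = deque(maxlen=history_size)
        self.traps: List[List[MacEvent]] = []
        self.added = 0
        self.removed = 0

    def enable(self, interface: str, action: str) -> None:
        """Equivalent of 'snmp trap mac-notification <action>' on an interface."""
        self.flags.setdefault(interface, set()).add(action)

    def observe(self, event: MacEvent) -> bool:
        """Queue an event if its interface has that action enabled; True if queued."""
        if event.action not in self.flags.get(event.interface, set()):
            return False
        self.pending.append(event)
        if self.batch_started is None:
            self.batch_started = event.time
        if event.action == "added":
            self.added += 1
        else:
            self.removed += 1
        return True

    def tick(self, now: int) -> Optional[List[MacEvent]]:
        """Emit the pending batch as a single trap once the interval has elapsed."""
        if self.batch_started is None or now - self.batch_started < self.interval:
            return None
        trap = list(self.pending)
        self.traps.append(trap)
        self.history.extend(trap)          # deque drops the oldest beyond maxlen
        self.pending.clear()
        self.batch_started = None
        return trap

    def status(self) -> Dict[str, int]:
        """Counters in the spirit of 'show mac address-table notification'."""
        return {
            "interval": self.interval,
            "added": self.added,
            "removed": self.removed,
            "notifications_sent": len(self.traps),
            "history_length": len(self.history),
            "history_max": self.history.maxlen,
        }


def demo() -> Dict[str, int]:
    """Constructed scenario: only Fa0/1 has the 'added' trap enabled, as in the example."""
    n = MacNotifier(interval=60, history_size=100)
    n.enable("FastEthernet0/1", "added")
    n.observe(MacEvent(0, "FastEthernet0/1", "0001.0002.0003", "added"))
    n.observe(MacEvent(10, "FastEthernet0/1", "0001.0002.0004", "added"))
    n.observe(MacEvent(20, "FastEthernet0/2", "0001.0002.0005", "added"))    # flag not set
    n.observe(MacEvent(30, "FastEthernet0/1", "0001.0002.0003", "removed"))  # flag not set
    n.tick(59)   # still inside the 60-second window: nothing sent
    n.tick(60)   # one trap carrying both Fa0/1 events
    return n.status()


if __name__ == "__main__":
    print(demo())
```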
Final test
The most up-to-date version of this test is at:
http://networksims.com/
Fault Challenge 1
Fault:
Outline
This topology has ONE fault. Try pinging around and performing traceroutes to find
the fault. The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
Try to use debugging tools, such as ping and traceroute, to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS.
Fault Challenge 2
Fault:
Outline
FAULT: This topology has ONE fault. Try pinging around and performing traceroutes
to find the fault. The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
Try to use debugging tools, such as ping and traceroute, to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS.
Fault Challenge 3
Fault:
Outline
This topology has ONE fault. Try pinging around and performing traceroutes to find
the fault. The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
Try to use debugging tools, such as ping and traceroute, to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS.
Fault Challenge 4
Fault:
Outline
An ACL which blocks incoming ICMP pings has been added ... find it and remove it. Use
ping and traceroute... The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
ICMP deny has been applied to one of the incoming ports, find it, and remove it. Use PING
and TRACEROUTE.
Fault Challenge 5
Fault:
Outline
An ACL which blocks outgoing ICMP pings has been added ... find it and remove it. Use
ping and traceroute... The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
ICMP deny has been applied to one of the outgoing ports, find it, and remove it. Use PING
and TRACEROUTE.
Fault Challenge 6
Fault:
Outline
There is a break in a connection between the devices. The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
There is a break in a connection between the devices, find it, and remove it. Use PING and
TRACEROUTE. Possible solutions:
Link between Host 1 and R1, E0
Link between Host 2 and R4, E1
Link between Host 3 and R5, E1
Link between R1, S0 and R2, S0
Link between R1, S1 and R3, S0
Link between R2, S1 and R3, S1
Link between R3, E0 and R5, E0
Link between R4, E0 and R2, E0
Fault Challenge 7
Fault:
Outline
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. The
addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
A standard ACL which denies H1, H2 or H3 has been applied. Use PING and
TRACEROUTE. Possible solutions:
Acl Deny H1 on R1, E0.
Acl Deny H1 on R2, E0.
Acl Deny H1 on R4, S0.
Acl Deny H1 on R5, E0.
Acl Deny H2 on R3, E0.
Acl Deny H1 on R2, S0.
Acl Deny H2 on R4, S0.
Acl Deny H2 on R5, E0.
Acl Deny H3 on R5, E1.
Acl Deny H3 on R4, E0.
Acl Deny H3 on R2, S1.
Acl Deny H3 on R1, E0.
Acl Deny H3 on R3, S1.
Fault Challenge 8
Fault:
Outline
This topology has an extended ACL set which bars a whole subnet which contains either
H1, H2 or H3. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
This topology has an extended ACL set which bars a whole subnet which contains either
H1, H2 or H3. Use PING and TRACEROUTE. Possible solutions:
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: on H2.
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: on H3.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: on H1.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: on H3.
Acl R5, E1, where all hosts on the subnet that H3 is on cannot ping a single host: on H1.
Acl R5, E1, where all hosts on the subnet that H3 is on cannot ping a single host: on H2.
Fault Challenge 9
Fault:
Single IP error
Outline
The devices have been set but there is a fault in one of the IP addresses. As we have a ring
the devices may still give a ping, but the traceroute will give unexpected results. The
addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
The devices have been set but there is a fault in one of the IP addresses. Use PING and
TRACEROUTE. Possible solutions:
R1, E0.
R1, S0.
R1, E1.
R2, E0.
R2, E1.
R3, E0.
R3, E1.
R3, S0.
R4, E0.
R4, E1.
R4, S0.
R5, S0.
R5, S1.
Note: The IP addresses for the routers have been hidden, so that it is not possible to simply
view the addresses, rather than actually fault-finding.
Fault Challenge 10
Fault:
Outline
The devices have been set but there is a fault in the status of one of the ports or on the
gateways of the hosts. As we have a ring the devices may still give a ping, but the traceroute
will give unexpected results. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
One of the ports has been shutdown. Use PING and TRACEROUTE to find it. Possible
solutions:
R1, E0.
R1, S0.
R1, E1.
R2, E0.
R2, E1.
R3, E0.
R3, E1.
R3, S0.
R4, E0.
R4, E1.
R4, S0.
R5, S0.
R5, S1.
Note: The IP addresses for the routers have been hidden, so that it is not possible to simply
view the addresses, rather than actually fault-finding.
Fault Challenge 11
Fault:
Outline
The devices have been set but there is a fault in the routing network definition. As we have
a ring the devices may still give a ping, but the traceroute will give unexpected results. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
One of the ports has been shutdown. Use PING and TRACEROUTE to find it.
Fault Challenge 12
Fault:
Outline
An ACL which blocks incoming ICMP pings has been added ... find it and remove it. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
ICMP deny has been applied to one of the incoming ports; find it, and remove it. Use PING
and TRACEROUTE. Remember, as it's a ring you will still be able to ping and traceroute, but
it might take a longer route, as there could be an alternative route. Example solutions:
Fault Challenge 13
Fault:
Outline
An ACL which blocks outgoing ICMP pings has been added ... find it and remove it. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
ICMP deny has been applied to one of the outgoing ports; find it, and remove it. Use PING
and TRACEROUTE. Remember, as it's a ring you will still be able to ping and traceroute, but
it might take a longer route, as there could be an alternative route. Example solutions:
Fault Challenge 14
Fault:
Outline
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. Try
pinging around and performing traceroutes to find the ACL. The addresses of the nodes
are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. Try
pinging around and performing traceroutes to find the ACL. Example solutions:
Fault Challenge 15
Fault:
Outline
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2
Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: on H2. You should be able to ping the port 192.168.1.1 as it only blocks for one destination.
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: on H3. You should be able to ping the port 192.168.2.1 as it only blocks for one destination.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: on H1. You should be able to ping the port 192.168.1.1 as it only blocks for one destination.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: on H3. You should be able to ping the port 192.168.2.1 as it only blocks for one destination.
and so on.
Fault Challenge 16
Fault:
Outline
This topology has a disabled port on the switch or on the routers. The addresses of the
nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
[Gateway: 192.168.0.1]
[Gateway: 192.168.1.1]
and:
R1, E0: 1.2.3.4
R1, E1: 192.168.0.1
R2, E0: 1.2.3.5
R2, E1: 192.168.1.1
R3, E0: 1.2.3.6
R4, E0: 1.2.3.7
R5, E0: 1.2.3.8
Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:
Fault Challenge 17
Fault:
Outline
This topology has one of the switch ports incorrectly assigned to the wrong VLAN. The
addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
[Gateway: 192.168.0.1]
[Gateway: 192.168.1.1]
and:
R1, E0: 1.2.3.4
R1, E1: 192.168.0.1
R2, E0: 1.2.3.5
R2, E1: 192.168.1.1
R3, E0: 1.2.3.6
R4, E0: 1.2.3.7
R5, E0: 1.2.3.8
Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:
Wireless
Example
> enable
ap# sh version
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JA, RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 27-Feb-06 09:09 by ssearch
ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.3(2)JA4, RELEASE SOFTWARE (fc1)
ap uptime is 28 minutes
System returned to ROM by power-on
System image file is "flash:/c1200-k9w7-mx.123-8.JA/c1200-k9w7-mx.123-8.JA"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
!
!
line con 0
line vty 0 4
login local
!
end
# config t
(config)# int bvi 1
ap(config-if)# ip address ?
A.B.C.D IP address
pool
IP Address autoconfigured from a local DHCP pool
ap(config-if)# ip address 158.234.223.7 ?
A.B.C.D IP subnet mask
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int fa0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# int d0
(config-if)# no shut
Explanation
One of the most popular access points for creating infrastructure networks is the Cisco
Aironet 1200, an industry-standard wireless access point. It has two main networking
ports: a radio port named Dot11radio0 (D0) and an Ethernet one (E0 or FA0). Each of these
ports can be programmed with an IP address, but a special bridge-group virtual interface
named BVI1 is normally used to define the single IP address shared by both ports. Figure 1
outlines this, and how the port is programmed.
... diagrams missed out in this version
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int fa0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# duplex full
(config-if)# cdp ?
enable Enable CDP on interface
log
Log messages generated by CDP
(config-if)# cdp enable
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)# int d0
(config-if)# no shut
(config-if)# exit
(config)# hostname oslo
oslo (config)# ip default-gateway ?
A.B.C.D IP address of default gateway
oslo (config)# ip default-gateway 136.182.33.11
oslo (config)#
Explanation
Another important configuration item is the default gateway, which is used to forward any
data packets which are not destined for the local network. The wireless access point sends
any packet with a non-local destination to the default gateway, which will, hopefully, find
a route for it, or at least know of another router which can. In most cases the default
gateway is the IP address of the router port which connects to the Ethernet connection of
the wireless access point. An example configuration is:
# config t
(config)# ip ?
(config)# ip default-gateway ?
(config)# ip default-gateway 192.168.1.254
(config)# exit
guest-mode           guest ssid
information-element  Add information element
infrastructure-ssid  ssid used to associate to other infrastructure devices
ip                   IP options
max-associations     set maximum associations for ssid
mbssid               Multiple BSSID
mobility             enable L3 mobility
no                   Negate a command or set its defaults
vlan                 bind ssid to vlan
wpa-psk              Configure Wi-Fi Protected Access pre-shared key
(config-ssid)# exit
(config)# int d0
(config-if)# ssid ?
LINE radio Service Set ID (Up to 32 characters)
(config-if)# ssid minnesota
(config-if)# int d0
(config-if)# channel ?
<1-2472>
One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467 2472
least-congested Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name ?
WORD Default domain name
(config)# ip domain-name moray.ll
(config)# hostname northdakota
Note that in this IOS release the SSID is created in global configuration mode (dot11 ssid
name) and is then bound to the D0 port with the interface ssid command. In IOS 12.1 the
SSID was created directly under the radio interface.
Example IOS Version 12.1
> en
# config t
(config)# int d0
(config-if)# ssid minnesota
(config-if-ssid)# exit
(config-if)# int d0
(config-if)# channel ?
<1-2472>
One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427
2432 2437 2442 2447 2452 2457 2462 2467 2472
least-congested Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name moray.ll
(config)# hostname northdakota
Explanation
The radio SSID (Service Set ID) identifies a wireless network within a limited physical
area. It is set up within the access point with:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# guest-mode
which sets up an SSID of fred and enables guest-mode, so that the SSID is broadcast in
beacons and any client can see it and attempt to associate. Nothing here configures
encryption or authentication, so as shown the network is open; those are set with the
encryption command on the radio interface and, for a pre-shared key, wpa-psk under the SSID
(both appear in the help listings in this section). Along with the SSID it is also possible
to define a beacon period, the interval at which a beacon frame is sent out, such as:
# config t
(config)# int dot11radio0
(config-if)# beacon ?
dtim-period
dtim period
period
beacon period
(config-if)# beacon period ?
<20-4000> Kusec (or msec)
(config-if)# beacon period 1000
Figure 1  Channels in an area. The 2.4 GHz channel numbers and their frequencies are
listed below; adjacent channels are 5 MHz apart while each is about 22 MHz wide, so only
three (1, 6 and 11) can be used in the same area without overlap.
Channel  Frequency (MHz)
1        2412
2        2417
3        2422
4        2427
5        2432
6        2437
7        2442
8        2447
9        2452
10       2457
11       2462
12       2467
13       2472
14       2484
Example
> en
# config t
(config)# enable ?
last-resort Define enable action if no TACACS servers respond
password
Assign the privileged level password
secret
Assign the privileged level secret
use-tacacs
Use TACACS to check enable passwords
ap(config)# enable password ?
0
Specifies an UNENCRYPTED password will follow
7
Specifies a HIDDEN password will follow
LINE
The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
(config)# enable password hotel
ap(config)# enable sec ?
0
Specifies an UNENCRYPTED password will follow
5
Specifies an ENCRYPTED secret will follow
LINE
The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
(config)# enable secret hotel
(config)# username lynn password foxtrot
(config)# ip http server
(config)# ip subnet-zero
Explanation
A wireless access point is typically managed over Telnet and/or HTTP. Both carry
credentials in clear text, so the HTTPS server (ip http secure-server) and SSH are
preferred where the image supports them. Two commands protect privileged mode: enable
password stores the password in clear text (or, with service password-encryption, as a
type 7 string, which is a fixed-key XOR and trivially reversible), whereas enable secret
stores an MD5 hash (type 5) and takes precedence when both are set, so enable secret is
the one to use. The HTTP service is important as it allows remote access through a Web
browser, and can be authenticated against the local username database with:
# config t
(config)# username ?
(config)# username fred password bert
(config)# ip http ?
(config)# ip http server
(config)# ip http authentication local
(config)# exit
(config-if)# ?
Interface configuration commands:
access-expression
Build a bridge boolean access expression
antenna
dot11 radio antenna setting
arp
Set arp type (arpa, probe, snap) or timeout
bandwidth
Set bandwidth informational parameter
beacon
dot11 radio beacon
bridge-group
Transparent bridging interface parameters
broadcast-key
Configure broadcast key rotation period
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
channel
Set the radio frequency
countermeasure
countermeasure
custom-queue-list
Assign a custom queue list to an interface
dampening
Enable event dampening
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dot11
IEEE 802.11 config interface commands
dot1x
IEEE 802.1X subsystem
encryption
Configure dot11 encryption parameters
exit
Exit from interface configuration mode
fair-queue
Enable Fair Queuing on an Interface
fragment-threshold
IEEE 802.11 packet fragment threshold
help
Description of the interactive help system
hold-queue
Set hold queue depth
infrastructure-client
Reserve a dot11 virtual interface for a WGB client
ip
Interface Internet Protocol config commands
keepalive
Enable keepalive
l2-filter
Set Layer2 ACL for packet received by upper layer
protocols
load-interval
Specify interval for load calculation for an
interface
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
max-reserved-bandwidth Maximum Reservable Bandwidth on an Interface
mtu
Set the interface Maximum Transmission Unit (MTU)
no
Negate a command or set its defaults
ntp
Configure NTP
packet
max packet retries
parent
Specify parents with which to associate
payload-encapsulation
IEEE 802.11 packet encapsulation
power
Set radio transmitter power levels
preamble-short
Use 802.11 short radio preamble
priority-group
Assign a priority group to an interface
random-detect
Enable Weighted Random Early Detection (WRED) on an
Interface
rts
dot11 Request To Send
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
snmp
Modify SNMP interface parameters
speed
Set allowed radio bit rates
ssid
Configure radio service set parameters
station-role
role of the radio
timeout
Define timeout values for this interface
traffic-class
Radio traffic class parameters
transmit-interface
Assign a transmit interface to a receive-only
interface
tx-ring-limit
Configure PA level transmit ring limit
world-mode
Dot11 radio world mode
(config-if)# world-mode ?
<cr>
(config-if)# world-mode
(config-if)# no shut
(config-if)# speed ?
1.0         Allow 1 Mb/s rate
11.0        Allow 11 Mb/s rate
2.0         Allow 2 Mb/s rate
5.5         Allow 5.5 Mb/s rate
basic-1.0   Require 1 Mb/s rate
basic-11.0  Require 11 Mb/s rate
basic-2.0   Require 2 Mb/s rate
basic-5.5   Require 5.5 Mb/s rate
range       Set rates for best range
throughput  Set rates for best throughput
<cr>
(config-if)# speed 1.0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
<1-255> association limit
(config-if-ssid)# max-assoc 9
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# station ?
repeater Repeater access point
root
Root access point
(config-if)# station root
(config-if)# antenna ?
receive
receive antenna setting
transmit transmit antenna setting
(config-if)# antenna receive ?
diversity antenna diversity
left
antenna left
right
antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan
(config-if-ssid)# guest-mode
(config-ssid)# max-assoc 24
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# packet ?
retries retries
(config-if)# packet retries ?
<1-128> max packet retries before giving up
(config-if)# packet retries 7
(config-if)# preamble-short
(config-if)# ssid oklahoma
(config-if)# fragment ?
<256-2346>
(config-if)# fragment 1091
(config-if)# channel 4
Example
The following sets up the DHCP server:
> en
# config t
(config)# ip dhcp pool Wyoming
(dhcp-config)# ?
DHCP pool configuration commands:
accounting
Send Accounting Start/Stop messages
bootfile
Boot file name
class
Specify a DHCP class
client-identifier
Client identifier
client-name
Client name
default-router
Default routers
dns-server
DNS servers
domain-name
Domain name
exit
Exit from DHCP pool configuration mode
hardware-address
Client hardware address
host
Client IP address and mask
import
Programatically importing DHCP option parameters
lease
Address lease time
netbios-name-server NetBIOS (WINS) name servers
netbios-node-type
NetBIOS node type
network
Network number and mask
next-server
Next server in boot process
no
Negate a command or set its defaults
option
Raw DHCP options
origin
Configure the origin of the pool
subnet
Subnet allocation commands
update
Dynamic updates
utilization
Configure various utilization parameters
vrf
Associate this pool with a VRF
(dhcp-config)# n?
netbios-name-server netbios-node-type network next-server
no
(dhcp-config)# network ?
A.B.C.D Network number in dotted-decimal notation
(dhcp-config)# network 249.189.108.0 255.255.255.254
(dhcp-config)# dns ?
Hostname or A.B.C.D Server's name or IP address
(dhcp-config)# dns-server 249.189.108.58
(dhcp-config)# netbios-name-server 249.189.108.61
(dhcp-config)# lease 3
(dhcp-config)# default-router 249.189.108.87
(dhcp-config)# exit
(config)# ip dhcp ?
conflict
DHCP address conflict parameters
database
Configure DHCP database agents
excluded-address
Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping
Specify ping parameters used by DHCP
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
(config)# ip dhcp excluded-address ?
A.B.C.D Low IP address
Example
The following sets up an IP hosts table:
> en
# config t
(config)# ip default-gateway 36.125.171.9
(config)# hostname Montana
montana (config)# ip host ?
WORD Name of host
montana (config)# ip host tennessee ?
<0-65535>
Default telnet port number
A.B.C.D
Host IP address
additional Append addresses
montana (config)# ip host tennessee 211.99.108.9
montana (config)# ip host kirkcaldy 154.242.2.8
montana (config)# ip host edinburgh 64.2.249.2
Objectives
The objectives of this challenge are to:
Enable CDP.
Define CDP holdtime.
Define CDP timer.
Apply CDP onto E0.
Example
The following sets up CDP:
# config t
(config)# cdp ?
advertise-v2
CDP sends version-2 advertisements
holdtime
Specify the holdtime (in sec) to be sent in packets
source-interface Insert the interface's IP in all CDP packets
timer
Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp run
(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp holdtime 66
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp timer 94
(config)# int e0
(config-if)# cdp enable
Explanation
CDP (Cisco Discovery Protocol) is used to discover Cisco devices which connect to a given
port. It is enabled globally on the device with cdp run, and then the timers are set as:
# config t
(config)# cdp ?
(config)# cdp holdtime ?
(config)# cdp holdtime 120
(config)# cdp timer ?
(config)# cdp timer 50
(config)# end
It is then enabled on an interface with:
# config t
(config)# int fa0
(config-if)# cdp ?
(config-if)# cdp enable
(config-if)# end
and the discovered neighbours and CDP counters are displayed with:
show cdp ?
show cdp neighbors
show cdp neighbors detail
show cdp traffic
CDP advertises the device's platform, IOS version, addresses and port names in clear text
to anything attached to the link, so it is normally disabled (no cdp run globally, or no
cdp enable on the interface) on interfaces facing untrusted networks such as a wireless
radio or an Internet-facing port.
Example
The following sets up the HTTP server parameters:
> en
# config t
(config)# ip http ?
access-class
Restrict http server access by access-class
authentication
Set http server authentication method
client
Set http client parameters
help-path
HTTP help root URL
max-connections
Set maximum number of concurrent http server connections
path
Set base path for HTML
port
Set http server port
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client authentication
secure-port
Set http secure server port number for listening
secure-server
Enable HTTP secure server
secure-trustpoint
Set http secure server certificate trustpoint
server
Enable http server
timeout-policy
Set http server time-out policy parameters
(config)# ip http server
(config)# ip http port ?
Example
The following sets up the CON and VTY settings:
> en
# config t
(config)# line con 0
(config-line)# ?
Line configuration commands:
access-class
Filter connections based on an IP access list
activation-character
Define the activation character
autocommand
Automatically execute an EXEC command
autocommand-options
Autocommand options
data-character-bits
Size of characters being handled
databits
Set number of data bits per character
default
Set a command to its defaults
domain-lookup
Enable domain lookups in show commands
editing
Enable command line editing
escape-character
Change the current line's escape character
exec
Configure EXEC
exec-banner
Enable the display of the EXEC banner
exec-character-bits
Size of characters to the command exec
exec-timeout
Set the EXEC timeout
exit
Exit from line configuration mode
flowcontrol
full-help
help
history
international
ip
length
location
logging
login
modem
monitor
motd-banner
no
notify
padding
parity
password
privilege
refuse-message
rotary
rxspeed
session-timeout
Objectives
The objectives of this challenge are to:
Example
The following sets up loopback settings:
> en
# clock ?
set Set the time and date
# clock set 03:52
# config t
(config)# ip subnet-zero
(config)# ip dhcp pool ion
(config)# int e0
(config-if)# ip address 80.24.45.1 255.255.252.0
(config-if)# no shutdown
(config-if)# exit
(config)# int loopback ?
<0-2147483647> Loopback interface number
(config)# int loopback 45
(config-if)# ip address 195.253.209.21 255.255.128.0
Objectives
The objectives of this challenge are to:
Enable logging.
Define logging levels.
Example
The following sets up logging:
> enable
# config t
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
<0-7>
Logging severity level
<4096-2147483647> Logging buffer size
alerts
Immediate action needed
(severity=1)
critical
Critical conditions
(severity=2)
debugging
Debugging messages
(severity=7)
emergencies
System is unusable
(severity=0)
errors
Error conditions
(severity=3)
informational
Informational messages
(severity=6)
notifications
Normal but significant conditions (severity=5)
warnings
Warning conditions
(severity=4)
xml
Enable logging in XML to XML logging buffer
<cr>
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap ?
<0-7>
Logging severity level
alerts
Immediate action needed
(severity=1)
critical
Critical conditions
(severity=2)
debugging
Debugging messages
(severity=7)
emergencies
System is unusable
(severity=0)
errors
Error conditions
(severity=3)
informational Informational messages
(severity=6)
notifications Normal but significant conditions (severity=5)
warnings
Warning conditions
(severity=4)
<cr>
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
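The logging levels set above decide what actually reaches the syslog host, the console and the buffer. As an added example (not code from the NetworkSims page), the Python below parses the `logging` commands, assigns severities to constructed IOS-format messages, and shows that with every destination at `emergency` nothing below severity 0 is kept, whereas `logging trap informational` would forward the ACL `log` hits and failed logins. The sample messages and configuration lines are constructed; `SEVERITY_ALIASES` is an assumption so that the `emergency` spelling used above maps to the IOS keyword `emergencies`.

```python
"""Added example (not part of the NetworkSims page): shows which messages the
IOS `logging trap`, `logging buffered`, `logging console` and `logging monitor`
levels let through. A destination set to severity N receives only messages
with severity <= N, so `logging trap emergency` (level 0) sends nothing but
emergencies to the syslog host. Sample messages are constructed for this
example in the standard IOS %FACILITY-SEVERITY-MNEMONIC form."""
import re

SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# `logging trap emergency`, as typed in the example, is accepted here as an alias.
SEVERITY_ALIASES = {"emergency": "emergencies"}

SYSLOG_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z0-9_]+):")

# Constructed sample messages (the facility/severity/mnemonic forms are real IOS ones).
SAMPLE_MESSAGES = [
    "%SYS-5-CONFIG_I: Configured from console by lynn on vty0 (192.168.1.10)",
    "%SEC-6-IPACCESSLOGP: list 106 denied tcp 197.85.151.8(40001) -> 196.123.113.4(514), 1 packet",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23]",
]

# The logging commands from the example above, as constructed config lines.
PAGE_CONFIG = [
    "logging on",
    "logging 212.72.52.7",
    "logging buffer 440240",
    "logging host 138.24.170.8",
    "logging trap emergency",
    "logging monitor emergency",
    "logging console emergency",
    "logging buffer emergency",
]


def level_value(level):
    """Map an IOS severity keyword (or abbreviation, or number) to 0-7."""
    if isinstance(level, int):
        return level
    if level.isdigit():
        return int(level)
    name = SEVERITY_ALIASES.get(level.lower(), level.lower())
    matches = [n for n in SEVERITY_NAMES if n.startswith(name)]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity {level!r}")
    return SEVERITY_NAMES[matches[0]]


def parse_severity(line):
    """Return (facility, severity, mnemonic) from an IOS syslog line, or None."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def filter_messages(messages, level):
    """Keep the messages a destination configured at `level` would receive."""
    limit = level_value(level)
    kept = []
    for msg in messages:
        parsed = parse_severity(msg)
        if parsed is not None and parsed[1] <= limit:
            kept.append(msg)
    return kept


def parse_logging_config(config_lines):
    """Extract per-destination levels and syslog hosts from `logging ...` lines."""
    levels, hosts = {}, []
    for raw in config_lines:
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        keyword = parts[1]
        if keyword == "host" and len(parts) >= 3:
            hosts.append(parts[2])
        elif keyword[0].isdigit():            # legacy `logging A.B.C.D` form
            hosts.append(keyword)
        else:
            if keyword.startswith("buffer"):  # `buffer` abbreviates `buffered`
                keyword = "buffered"
            if keyword in ("trap", "buffered", "console", "monitor"):
                for arg in parts[2:]:
                    if arg.isdigit() and int(arg) > 7:
                        continue              # a buffer size, not a severity
                    levels[keyword] = level_value(arg)
    return levels, hosts


def delivered(messages, levels):
    """Map each configured destination to the messages it would receive."""
    return {dest: filter_messages(messages, lvl) for dest, lvl in levels.items()}


if __name__ == "__main__":
    levels, hosts = parse_logging_config(PAGE_CONFIG)
    print("syslog hosts:", ", ".join(hosts))
    for dest, msgs in delivered(SAMPLE_MESSAGES, levels).items():
        print(f"{dest:9} level {levels[dest]}: {len(msgs)}/{len(SAMPLE_MESSAGES)} messages")
    # With `logging trap informational` the ACL `log` hits and failed logins reach the host.
    print("trap at informational:", len(filter_messages(SAMPLE_MESSAGES, "informational")))
```

Run as a script it reports zero messages for every destination under the configuration above; for a security-relevant setup the trap and buffer levels are normally `informational` (6) or `notifications` (5), with `debugging` reserved for troubleshooting sessions.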
Example
The following shows the service options:
> en
# config t
(config)# service ?
compress-config
config
dhcp
disable-ip-fast-frag
exec-callback
exec-wait
finger
hide-telnet-addresses
linenumber
nagle
old-slip-prompts
pad
password-encryption
prompt
pt-vty-logging
sequence-numbers
slave-log
tcp-keepalives-in
Example
The following sets up the SNMP settings:
# config t
(config)# snmp-server ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group
host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
inform
Configure SNMP Informs options
location
Text for mib object sysLocation
manager
Modify SNMP manager parameters
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server ?
(same list as above)
(config)# snmp-server enable ?
informs Enable SNMP Informs
traps
Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
Explanation
SNMP (Simple Network Management Protocol) is a well-supported standard which can be
used to monitor and control devices. It typically runs on routers, switches, bridges and
hubs. Many SNMP devices provide both general network management and device management
through a serial cable, modem, or over the network from a remote computer. It involves a
primary management station communicating with different management processes. Figure
1 shows an outline of an SNMP-based system. An SNMP agent runs on each managed device.
The SNMP server (manager) sends requests to the agent, which responds with the results.
In this figure the server asks the agent for its routing information and the agent
responds with its routing table. Responses can either be polled (the server sends a
request for information) or event-driven (where the agent sends a trap or inform at given
events). A polled system tends to increase network traffic, as the agent may not have any
updated information (and the server must re-poll for the information).
SNMP was originally defined in RFC 1157. It defines a simple protocol which gives access
to a network element's management information base (MIB). There are two types of MIB:
MIB-1 and MIB-2. MIB-1 was defined in 1988 and has 114 table entries, divided into eight
groups. MIB-2 is a 1990 enhancement which has 171 entries organised into 10 groups (RFC
1213). Most devices are MIB-1 compliant and newer ones support both MIB-1 and MIB-2.
The database contains entries with four fields:
accessible.
Status field. Contains an indication on whether the entry in the MIB is mandatory (the
managed device must implement the entry), optional (the managed device may
implement the entry) or obsolete (the entry is not used).
SNMP is a very simple protocol but suffers from the fact that it is based on connectionless,
unreliable UDP. The IAB at one time recommended that the Common Management Information
Services (CMIS) and Common Management Information Protocol (CMIP) be adopted as the
standard for future TCP/IP systems. The two main versions in use are SNMPv1 and SNMPv2c.
In both, the only credential is the community string, which is sent in clear text in every
request, so an intruder who can capture or guess it can read the state of the network and,
with a read-write community, change it; SNMPv3 added user-based authentication and
encryption to close this gap.
Figure 1  SNMP architecture. SNMP server software communicates with SNMP agents running
on the SNMP-managed devices (each runs managed-agent software and holds a MIB); in the
figure an agent returns its routing table to the server.
# config t
(config)# snmp-server community public RO
The RO defines read-only access, while RW defines read-write access. A read-write
community lets anyone who knows the string change the configuration, and in SNMPv1/v2c the
string travels in clear text, so avoid well-known strings such as public and private and
restrict the permitted sources with a numbered access list (snmp-server community <string>
RO <access-list-number>). To set up the SNMP contact and the location:
(config)# snmp-server contact fred smith
(config)# snmp-server location room c6
SNMP contains a database of monitored network conditions, such as the number of errors in
data packets, the IP addresses of the interfaces, and so on. It can also be setup to trigger on
certain traps, such as on syslog traps. To enable all of SNMP traps so that all the data is
monitored:
(config)# snmp-server enable traps
SNMP uses an MIB database to store its values. To display its contents:
# show snmp mib
Figure 3  SNMP object ID. The root of the tree holds ccitt(0) and iso(1); the path
iso(1).org(3).dod(6).internet(1) leads to directory(1), mgmt(2), experimental(3) and
private(4). The MIB-2 system group is .1.3.6.1.2.1.1, with sysDescr(1), sysObjectID(2),
sysUpTime(3), sysContact(4), sysName(5), sysLocation(6) and sysServices(7), so
.1.3.6.1.2.1.1.4.0 is sysContact. Another example path is
iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).icmp(5).icmpInMsgs(1). Cisco's own
objects sit under private(4).enterprises(1).cisco(9), i.e. .1.3.6.1.4.1.9.
Description                            Object ID
Hostname (sysName)                     .1.3.6.1.2.1.1.5.0
Uptime (sysUpTime)                     .1.3.6.1.2.1.1.3.0
System Description (sysDescr)          .1.3.6.1.2.1.1.1.0
System Contact (sysContact)            .1.3.6.1.2.1.1.4.0
System Location (sysLocation)          .1.3.6.1.2.1.1.6.0
IOS Version (ciscoImageString.5)       .1.3.6.1.4.1.9.9.25.1.1.1.2.5
1-Minute CPU Util.                     .1.3.6.1.4.1.9.2.1.57.0
5-Minute CPU Util.                     .1.3.6.1.4.1.9.2.1.58.0
Free memory (freeMem)                  .1.3.6.1.4.1.9.2.1.8.0
IOS feature set (ciscoImageString.4)   .1.3.6.1.4.1.9.9.25.1.1.1.2.4
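The enable password/secret and ip http server commands earlier in this section and the SNMP community strings above are the settings most often found weak on access points. As an added example (not part of the NetworkSims page), the Python below decodes IOS type 7 strings, which is what service password-encryption produces for enable password and username ... password, and audits a constructed configuration for the weaknesses those passages describe. The sample configurations, the audit rules and the WELL_KNOWN_COMMUNITIES set are assumptions made for the example; the type 7 algorithm and key are the real, long-public ones.

```python
"""Added example (not part of the NetworkSims page): a small audit of the
password, HTTP and SNMP settings used in the examples above. It decodes IOS
type 7 strings (the reversible fixed-key XOR that `service password-encryption`
applies to `enable password` and `username ... password`), flags `enable
password` used without `enable secret`, an HTTP server without HTTPS or a
configured authentication method, and SNMP communities that use well-known
strings or grant read-write access with no access list. The sample configs and
the set of "well-known" community strings are constructed for the example."""
import re

# Fixed key of the IOS type 7 scheme; the two leading decimal digits select the offset.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin"}  # constructed list


def type7_decode(encoded):
    """Recover the plaintext of an IOS type 7 string, e.g. 0822455D0A16 -> cisco."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a type 7 string")
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(plaintext, seed=8):
    """Inverse of type7_decode; used here only to build realistic sample lines."""
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plaintext.encode()))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config_lines):
    """Return a list of human-readable findings for a running-config excerpt."""
    lines = [l.strip() for l in config_lines]
    findings = []
    has_secret = any(l.startswith("enable secret") for l in lines)
    for line in lines:
        parts = line.split()
        if line.startswith("enable password") and not has_secret:
            findings.append("enable password without enable secret: privileged password "
                            "is cleartext or type 7")
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings.append(f"type 7 string in '{parts[0]} {parts[1]}' decodes to "
                            f"{type7_decode(m.group(1))!r}")
        if line.startswith("snmp-server community") and len(parts) >= 3:
            community, opts = parts[2], parts[3:]
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"SNMP community {community!r} is a well-known default")
            if any(o.upper() == "RW" for o in opts) and not any(o.isdigit() for o in opts):
                findings.append(f"SNMP community {community!r} is read-write with no access-list")
    if "ip http server" in lines:
        if "ip http secure-server" not in lines:
            findings.append("ip http server without ip http secure-server: "
                            "web management in cleartext")
        if not any(l.startswith("ip http authentication") for l in lines):
            findings.append("ip http server with no ip http authentication: "
                            "defaults to the enable password")
    return findings


# Constructed from the commands shown on the page, after `service password-encryption`.
SAMPLE_CONFIG = [
    "hostname ap",
    "service password-encryption",
    "enable password 7 " + type7_encode("hotel"),
    "username lynn password 7 " + type7_encode("foxtrot", 3),
    "ip http server",
    "snmp-server community popup RO",
    "snmp-server community public RW",   # constructed weak line, not from the page
    "line vty 0 4",
    " login local",
]

# Constructed hardened equivalent; IOS stores `secret` values as salted MD5 (type 5).
HARDENED_CONFIG = [
    "hostname ap",
    "enable secret hotel",
    "username lynn secret foxtrot",
    "ip http secure-server",
    "ip http authentication local",
    "access-list 10 permit host 192.168.1.10",
    "snmp-server community popup RO 10",
    "line vty 0 4",
    " login local",
]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

The decoder shows why `service password-encryption` is only protection against a glance over the shoulder: every type 7 string in a leaked configuration is recoverable instantly, so `enable secret` and `username ... secret` are the forms to keep in a running configuration.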
Example
The following sets up the hot standby function:
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)# int d0
(config-if)# no shut
(config-if)# int e0
(config-if)# no shut
(config-if)# exit
(config)# iapp ?
standby Configure AP standby mode parameters
(config)# iapp standby ?
mac-address
MAC address of the primary AP
poll-frequency
Standby polling frequency
primary-shutdown Shutdown primary radios on failover
timeout
Standby polling timeout
<cr>
(config)# iapp standby mac ?
H.H.H MAC address of the primary AP Radio
(config)# iapp standby mac-address 00e0.9143.5615
(config)# iapp standby timeout ?
<5-600> Standby polling timeout in seconds
(config)# iapp standby timeout 234
(config)# iapp standby poll-frequency ?
<1-30> Standby polling frequency in seconds
(config)# iapp standby poll-frequency 11
(config)# iapp standby primary-shutdown ?
<cr>
Explanation
The hot standby function is used to provide a backup to another access point. The standby
unit is configured in the same way as the primary, so that if the primary fails the standby
becomes active and the clients re-associate to it automatically. The only setting that must
differ is the IP address of the device. In the following configuration, the MAC address of
the radio to be monitored is 1111.abcd.ef10, the timeout after which the monitored device
is considered to have failed is five seconds, and the poll frequency is two seconds:
# config t
(config)# iapp standby mac-address 1111.abcd.ef10
(config)# iapp standby timeout 5
(config)# iapp standby poll-frequency 2
The hot standby device has a different IP address (the same address would cause a conflict
when the two devices are operating at the same time), but, for seamless operation, the
following settings must be identical on both devices:
SSID.
IP subnet mask.
Default gateway.
Data rates.
Encryption and authentication settings.
> en
# config t
(config)# dot11 ssid mississippi
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 160.51.42.9 255.255.128.0
(config-if)# int d0
(config-if)# no shut
(config-if)# ssid mississippi
(config-if)# station ?
non-root
Non-root (bridge)
repeater
Repeater access point
root
Root access point or bridge
scanner
Scanner access point
workgroup-bridge Workgroup Bridge
(config-if)# station repeater
(config-if)# parent ?
<1-4>
Parent number
timeout Time in seconds to look for parent
(config-if)# parent 1 ?
H.H.H Parent MAC addr
(config-if)# parent 1 00e0.4e3d.c533 ?
<cr>
(config-if)# parent 1 00e0.4e3d.c533
(config-if)# parent timeout ?
<0-65535> Timeout in seconds
Example
The following sets up a standard access-list:
> en
# config t
(config)# access-list 3 permit ?
Hostname or A.B.C.D Address to match
any
Any source host
host
A single host address
(config)# access-list 3 permit host 199.237.96.4
(config)# access-list 3 deny host 163.209.141.8
(config)# access-list 3 permit 48.13.112.0 ?
A.B.C.D Wildcard bits
log
Log matches against this entry
<cr>
(config)# access-list 3 permit 48.13.112.0 0.15.255.255
(config)# access-list 3 deny 208.147.31.0 1.255.255.255
(config)# int e0
(config-if)# ip access-group 3 ?
in
inbound packets
out outbound packets
(config-if)# ip access-group 3 in
Example
The following sets up an extended ACL:
> en
# config t
(config)# access-list 106 ?
deny
Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit
Specify packets to forward
remark
Access list entry comment
(config)# access-list 106 permit tcp host 202.33.249.1 host 162.97.253.5 eq syslog
(config)# access-list 106 deny tcp host 197.85.151.8 host 196.123.113.4 eq syslog
(config)# access-list 106 permit tcp 123.183.27.0 0.0.0.255 110.233.17.0 0.0.0.255 eq syslog
(config)# access-list 106 deny tcp 24.81.208.0 0.0.0.255 127.46.93.0 0.0.0.255 eq syslog
(config)# int e0
(config-if)# ip access-group 106 in
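To see what the standard list 3 and the extended list 106 above actually match, here is an added example (not from the NetworkSims page) in Python that applies IOS wildcard-mask matching, first-match-wins ordering and the implicit deny to constructed packets. It reuses the addresses from the two examples; PORT_NAMES is a constructed subset of the IOS port keywords. The 255.255.255.0 entries show the common mistake of typing a subnet mask where IOS expects a wildcard: only the last octet is then compared, so the /24 that was meant to be permitted is not, while unrelated addresses ending in .0 are.

```python
"""Added example (not part of the NetworkSims page): evaluates IOS numbered
access lists the way the router does. A wildcard bit of 1 means "don't care"
and 0 means "must match"; entries are tried top-down, the first match wins,
and an unmatched packet hits the implicit deny at the end of the list. The
packets used below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"syslog": 514, "telnet": 23, "www": 80, "smtp": 25}  # subset of IOS keywords


@dataclass
class Entry:
    action: str           # permit | deny
    proto: str            # "ip" for standard lists (matches any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]  # None when no `eq <port>` was given


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard compare: only the bits that are 0 in the wildcard are checked."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def mask_to_wildcard(mask):
    """Subnet mask -> wildcard matching the same prefix (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(~ip_to_int(mask) & 0xFFFFFFFF))


def parse_address(tokens, i):
    """Consume `any` | `host A.B.C.D` | `A.B.C.D [wildcard]` starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tok, tokens[i + 1], i + 2
    return tok, "0.0.0.0", i + 1          # standard list, no wildcard: exact host


def parse_acls(config_lines):
    """Group `access-list N ...` lines into {N: [Entry, ...]} in configured order."""
    acls = {}
    for raw in config_lines:
        t = raw.strip().split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:                       # standard: source only
            src, swc, _ = parse_address(t, 3)
            entry = Entry(action, "ip", src, swc, "0.0.0.0", "255.255.255.255", None)
        else:                                       # extended: proto src dst [eq port]
            proto = t[3]
            src, swc, i = parse_address(t, 4)
            dst, dwc, i = parse_address(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
            entry = Entry(action, proto, src, swc, dst, dwc, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry decides; returns (action, entry index) or ('deny', None)."""
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


# List 3 and list 106 from the examples above, with the /24 entries written using a
# subnet mask instead of a wildcard (the common mistake this example demonstrates).
MISTYPED_LISTS = [
    "access-list 3 permit host 199.237.96.4",
    "access-list 3 deny host 163.209.141.8",
    "access-list 3 permit 48.13.112.0 0.15.255.255 log",
    "access-list 3 deny 208.147.31.0 1.255.255.255",
    "access-list 106 permit tcp host 202.33.249.1 host 162.97.253.5 eq syslog",
    "access-list 106 deny tcp host 197.85.151.8 host 196.123.113.4 eq syslog",
    "access-list 106 permit tcp 123.183.27.0 255.255.255.0 110.233.17.0 255.255.255.0 eq syslog",
    "access-list 106 deny tcp 24.81.208.0 255.255.255.0 127.46.93.0 255.255.255.0 eq syslog",
]
# The same lists with the masks converted to the wildcards that were meant.
FIXED_LISTS = [l.replace("255.255.255.0", mask_to_wildcard("255.255.255.0")) for l in MISTYPED_LISTS]

if __name__ == "__main__":
    typo, fixed = parse_acls(MISTYPED_LISTS), parse_acls(FIXED_LISTS)
    pkt = ("tcp", "123.183.27.5", "110.233.17.9", 514)
    print("mask as wildcard:", evaluate(typo[106], *pkt))   # ('deny', None): last octet 5 != 0
    print("correct wildcard:", evaluate(fixed[106], *pkt))  # ('permit', 2)
    print("stray .0 hosts:  ", evaluate(typo[106], "tcp", "1.2.3.0", "4.5.6.0", 514))  # ('permit', 2)
```

Because the mistyped form still parses as a valid command, IOS accepts it silently; checking a few representative packets against the list, as above, is the quickest way to catch a wildcard that does not do what was intended.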
Example
The following sets up mobile IP:
> en
# config t
(config)# ip proxy-mobile ?
aap
Authoritative AP
enable Enable WLAN Proxy Mobile IP
pause
Disables Proxy Mobile IP without removing configuration
secure Security association
(config)# ip proxy-mobile enable
(config)# int bvi1
(config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  bridge-group            Transparent bridging interface parameters
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  custom-queue-list       Assign a custom queue list to an interface
  dampening               Enable event dampening
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  duplex                  Configure duplex operation.
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  full-duplex             Configure full-duplex operational mode
  half-duplex             Configure half-duplex and related commands
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  ip                      Interface Internet Protocol config commands
  keepalive               Enable keepalive
  l2-filter               Set Layer2 ACL for packet received by upper layer protocols
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  speed                   Configure speed operation.
  timeout                 Define timeout values for this interface
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-ring-limit           Configure PA level transmit ring limit
(config-if)# ip proxy-mobile ?
<cr>
(config-if)# ip proxy-mobile
(config-if)# int d0
(config-if)# ip proxy-mobile
(config-if)# int e0
(config-if)# ip proxy-mobile
Objectives
The objectives of this challenge are to:
Define a VLAN.
Enable 802.1q on sub-interfaces.
Example
> en
# config t
(config)# dot11 ssid test
(config-ssid)# vlan 10
(config-ssid)# exit
(config)# int d0.1
(config-subif)# ?
Interface configuration commands:
  arp             Set arp type (arpa, probe, snap) or timeout
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  encapsulation   Set encapsulation type for an interface
  exit            Exit from interface configuration mode
  ip              Interface Internet Protocol config commands
  keepalive       Enable keepalive
  logging         Configure logging for interface
  mtu             Set the interface Maximum Transmission Unit (MTU)
  no              Negate a command or set its defaults
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  timeout         Define timeout values for this interface
(config-subif)# encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
(config-subif)# encapsulation dot1q ?
  <1-4094>  IEEE 802.1Q VLAN ID
(config-subif)# encapsulation dot1q 1 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
  <cr>
(config-subif)# encapsulation dot1Q 10 native
(config-subif)# exit
(config)# int fa0.1
(config-subif)# encapsulation dot1Q 10 native
(config-subif)# exit
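The following Python is an added example and not part of the page or of IOS. It builds and parses 802.1Q frames so that the effect of encapsulation dot1Q 10 native can be seen on the wire: a tagged frame carries the TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID (the <1-4094> range from the help output), a frame belonging to the native VLAN leaves the trunk untagged, an untagged frame arriving on the trunk is placed in the native VLAN, and a stacked pair of tags is the 1Q-in-1Q case behind the second-dot1q option. The MAC addresses, EtherTypes and payloads are constructed test data.

```python
import struct

TPID_8021Q = 0x8100   # customer tag; Cisco 1Q-in-1Q also uses it for the outer tag by default
TPID_8021AD = 0x88A8  # service tag of IEEE 802.1ad provider bridges, accepted on parse


def mac_bytes(text: str) -> bytes:
    """Accept Cisco dotted (1111.2222.3333) or colon-separated notation."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def vlan_tag(vlan_id: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """One 4-byte tag: TPID, then TCI = 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID.
    IDs 0 and 4095 are reserved by the standard, which is why IOS offers <1-4094>."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    return struct.pack("!HH", tpid, (pcp & 7) << 13 | vlan_id)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlans=()) -> bytes:
    """Ethernet II frame with zero or more stacked tags (outermost first).
    An empty vlans tuple gives an untagged frame, which is how a native-VLAN frame travels."""
    header = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        header += vlan_tag(vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (vlan ids outermost first, ethertype, payload), walking over any number of tags."""
    offset, vlans = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                      # not a tag: this is the real EtherType
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    return vlans, tpid, frame[offset + 2:]


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to a received frame: the outer tag if present,
    otherwise the native VLAN configured with 'encapsulation dot1Q <n> native'."""
    vlans, _, _ = parse_frame(frame)
    return vlans[0] if vlans else native_vlan


def egress_frame(frame: bytes, native_vlan: int) -> bytes:
    """What the trunk transmits: frames in the native VLAN go out with the outer tag removed."""
    vlans, _, _ = parse_frame(frame)
    if vlans and vlans[0] == native_vlan:
        return frame[:12] + frame[16:]
    return frame
```

parse_frame deliberately keeps walking while it sees a tag TPID, so a frame that arrives with two tags reports both; a port that only strips the outer tag will hand the inner one on unchanged, which is the behaviour a 1Q-in-1Q sub-interface relies on.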
This is an intermediate test, which revises some of the main principles of Wireless
configuration. It will show knowledge of:
Hostname
BVI settings.
Gateway setting.
Domain name setting.
D0 settings.
SSID settings.
Username and password.
HTTP enable.
Example
> en
# config t
(config)# dot11 lbs test
(dot11-lbs)# ?
lbs configuration commands:
  channel-match  only reports tag packet in the same tx & rx channel
  exit           Exit from LBS sub mode
  interface      enable LBS on radio interface
  method         method used for AP to locate tag
  multicast      multicast MAC address of LBS TAGs
  no             Negate a command or set its defaults
  packet-type    packet type used by the LBS tag and server
  server         remote LBS server IP address and UDP port number
(dot11-lbs)# server a ?
A.B.C.D IP address
(dot11-lbs)# server a 1.2.3.4 ?
port server UDP port number
(dot11-lbs)# server a 1.2.3.4 p ?
<1024-65535> port number
Description
With LBS, access points monitor location packets sent by LBS positioning tags, and thus
allow assets to be tracked. On receiving a positioning packet, the access point determines
the received signal strength indication (RSSI). It then creates a UDP packet with the RSSI
value and the current time, which it then forwards to a location server. Next the location
server determines the position of the tag based on the information received.
Enable AAA.
Define local authentication.
Example
The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# aaa authorization exec local
(config)# aaa authorization network local
(config)# user ?
WORD User name
(config)# user test ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
(config)# user test password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
(config)# username test password bert
Enable AAA.
Define local RADIUS.
Define RADIUS settings.
Example
The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
Enable AAA.
Define RADIUS.
Define an SSID.
Associate RADIUS account with an SSID.
Example
> en
# config t
(config)# aaa new-model
(config)# radius h ?
Hostname or A.B.C.D IP address of RADIUS server
(config)# rad h 1.2.3.4 ?
  acct-port     UDP port for RADIUS accounting server (default is 1646)
  alias         1-8 aliases for this server (max. 8)
  auth-port     UDP port for RADIUS authentication server (default is 1645)
  backoff       Retry backoff pattern (Default is retransmits with constant delay)
  key           per-server encryption key (overrides default)
  non-standard  Parse attributes that violate the RADIUS standard
  retransmit    Specify the number of retries to active server (overrides default)
  timeout       Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
(config)# dot11 ssid test
(config-ssid)# accounting test-acc
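The radius-server host and key commands above give the access point a server address, the UDP ports (1812/1813 here, rather than the legacy 1645/1646 defaults the help text shows) and the shared key. The following Python is an added example, not the page's code and not an implementation of the IOS client: it models the two places RFC 2865 uses that shared key, hiding the User-Password attribute in an Access-Request and computing the Response Authenticator that lets the access point check that a reply really came from a holder of the key. The secret, username, password and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    pad = (-len(password)) % 16
    if not password:
        pad = 16                      # an empty password still occupies one block
    padded = password + b"\x00" * pad
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is removed."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; the length field counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes):
    attrs, offset = [], 0
    while offset < len(data):
        atype, alen = struct.unpack_from("!BB", data, offset)
        if alen < 2 or offset + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[offset + 2:offset + alen]))
        offset += alen
    return attrs


def build_access_request(secret: bytes, identifier: int, username: str, password: str,
                         nas_ip: str, request_auth: bytes = None) -> bytes:
    """What the NAS (here the access point) sends to UDP 1812."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_decode(secret: bytes, packet: bytes):
    """Server side: recover username and password from an Access-Request."""
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    password = unhide_password(secret, request_auth, attrs[USER_PASSWORD]).decode()
    return attrs[USER_NAME].decode(), password, request_auth, identifier


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret: bytes, code: int, identifier: int,
                   request_auth: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(secret, code, identifier, request_auth, attrs) + attrs


def verify_response(secret: bytes, response: bytes, request_auth: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify must be silently discarded."""
    code, identifier, length = struct.unpack_from("!BBH", response, 0)
    if length < 20 or length > len(response):
        return False
    expected = response_authenticator(secret, code, identifier, request_auth, response[20:length])
    return hmac.compare_digest(expected, response[4:20])
```

The password is obscured with MD5 and the shared key only, which is why the strength of the radius-server key, and keeping it off networks an attacker can sniff, matters as much as the user passwords themselves; the reply check is what stops a spoofed Access-Accept from a host that does not know the key.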
Example
> en
# config t
(config)# hostname test
(config)# ip default-gateway 192.168.0.1
(config)# ip domain-name perth.cc
(config)# ip http ?
  access-class        Restrict http server access by access-class
  authentication      Set http server authentication method
  client              Set http client parameters
  help-path           HTTP help root URL
  max-connections     Set maximum number of concurrent http server connections
  path                Set base path for HTML
  port                Set http server port
  secure-ciphersuite  Set http secure server ciphersuite
  secure-client-auth  Set http secure server with client authentication
  secure-port         Set http secure server port number for listening
  secure-server       Enable HTTP secure server
  secure-trustpoint   Set http secure server certificate trustpoint
  server              Enable http server
  timeout-policy      Set http server time-out policy parameters
(config)# ip http secure-server
(config)# ip http secure-port ?
<0-65535> Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443
Example
> en
# config t
(config)# hostname test
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs
(config)# aaa authentication ppp default group tacacs
(config)# aaa authorization network default group tacacs
(config)# aaa authorization exec default group tacacs
Example
> enable
# config t
(config)# username fred ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
Explanation
Privilege levels run from 0 to 15:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged (user EXEC) mode, with a prompt of wap>.
Level 15. This is the highest level of privilege (privileged EXEC mode), with a prompt of wap#.
Thus:
(config)# username fred privilege 15
(config)# username test privilege 1
sets the maximum privilege level for fred at 15, while test will only be able to enter the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to log in from any other host. The following:
(config)# username test user-maxlinks 2
limits test to at most two simultaneous inbound links, as the user-maxlinks help entry describes.
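Both username examples on this page (username test password bert earlier, and username fred password bert here) store the credential with the password keyword. IOS keeps such a value either in cleartext or, when service password-encryption is on, as the type 7 form the help output calls a HIDDEN password. Type 7 is not encryption in any useful sense: it is a fixed XOR key applied from an offset given by the first two digits, and anyone who can read the configuration can reverse it. The secret keyword instead stores a salted hash (type 5 MD5-crypt on older images, types 8 and 9 on newer ones) which cannot be turned back into the password. The following Python is an added example, not from the page: it implements the type 7 transform both ways and classifies username lines by how they store the credential. The XLAT key and the "cisco" test value are the publicly known ones; the username lines in the test are constructed.

```python
# Cisco's fixed type 7 XOR key; the first two characters of a stored value are the
# decimal starting offset (00-15) into it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(stored: str) -> str:
    """Recover the cleartext from a 'password 7 ...' value; raises ValueError on malformed input."""
    if len(stored) < 4 or len(stored) % 2 or not stored[:2].isdigit():
        raise ValueError("type 7 value is two seed digits followed by hex byte pairs")
    seed = int(stored[:2])
    if seed > 15:
        raise ValueError("seed must be 00-15")
    cipher = bytes.fromhex(stored[2:])
    plain = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """The forward transform, as IOS applies it when service password-encryption is on."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plain.encode("ascii")
    return f"{seed:02d}" + "".join(
        f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, b in enumerate(data))


def classify_username_line(line: str) -> str:
    """How a 'username' configuration line stores its credential:
    'hashed' (secret), 'reversible' (password 7), 'cleartext' (password 0 or bare), 'none'."""
    tokens = line.split()
    if "secret" in tokens:
        return "hashed"
    if "nopassword" in tokens:
        return "none"
    if "password" in tokens:
        after = tokens[tokens.index("password") + 1:]
        return "reversible" if after[:1] == ["7"] else "cleartext"
    return "unknown"


def audit_config(config: str):
    """Return (line, classification, recovered cleartext or None) for each username line."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("username "):
            continue
        kind = classify_username_line(line)
        recovered = None
        if kind == "reversible":
            recovered = type7_decode(line.split()[line.split().index("7") + 1])
        elif kind == "cleartext":
            tokens = line.split()
            after = tokens[tokens.index("password") + 1:]
            recovered = after[1] if after[:1] == ["0"] else after[0]
        findings.append((line, kind, recovered))
    return findings
```

audit_config is the check a reviewer runs over a saved configuration: every line it reports as reversible or cleartext is a credential that the configuration file itself gives away, and should be re-entered with secret.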
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# banner motd my device
amsterdam (config)# banner login how are you
amsterdam (config)# banner exec main device
amsterdam (config)# ip http server
Set the system clock (this would not be required if an SNTP server is used,
obviously).
Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# sntp ?
  broadcast  Configure SNTP broadcast services
  logging    Enable SNTP message logging
  server     Configure SNTP server
amsterdam (config)# snt s ?
Hostname or A.B.C.D Name or IP address of server
amsterdam (config)# sntp server 192.168.1.100 ?
version Configure NTP version
<cr>
amsterdam (config)# sntp server 192.168.1.100
amsterdam (config)# sntp broadcast ?
client Enable SNTP broadcast client mode
amsterdam (config)# sntp broadcast client
amsterdam (config)# exit
amsterdam # clock set 05:44
amsterdam # show sntp
SNTP server     Stratum  Version  Last Receive
192.168.1.100   16       1        never
Broadcast client mode is enabled.
A stratum of 16 with a last-receive time of never means the access point has not yet received a valid reply from the server. SNTP on this platform carries no authentication, so the clock will follow whichever server or broadcast source answers.
Example
> enable
# config t
(config) # access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
(config) # access-list 701 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
(config) # access-list 701 deny ?
  H.H.H  48-bit hardware address
(config) # access-list 701 deny 1111.2222.3333 ?
  H.H.H  48-bit hardware address mask
  <cr>
(config) # access-list 701 deny 1111.2222.3333 0000.0000.0000
(config) # access-list 701 deny 1112.2222.3333 0000.0000.0000
(config) # access-list 701 deny 1113.2222.3333 0000.0000.0000
(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group ?
  <1-255>  Assign an interface to a Bridge Group.
(config-if) # bridge-group 1
(config-if) # bridge-group 1 ?
  <cr>
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if) # bridge-group 1 input-address-list 701
In a 700-series MAC access list the second address is a wildcard mask: a 1 bit means that bit of the address is not compared, so 0000.0000.0000 matches exactly one station and ffff.ffff.ffff matches every station. A deny entry written with a mask of ffff.ffff.ffff would therefore block all stations, not just the one named.
This challenge involves the configuration of filtering outgoing MAC addresses for D0.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config) # access-list 701 deny 1111.2222.3333 0000.0000.0000
(config) # access-list 701 deny 1112.2222.3333 0000.0000.0000
(config) # access-list 701 deny 1113.2222.3333 0000.0000.0000
(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if)# l2-filter ?
  block-arp         avoid arp attack
  bridge-group-acl  Use bridge-group ACLs
(config-if)# l2-filter bridge-group-acl ?
  <cr>
(config-if) # l2-filter bridge-group-acl
(config-if)# bridge-group 1 ?
(the same option list as in the previous challenge)
(config-if) # bridge-group 1
(config-if)# bridge-group 1 output-address-list ?
  <700-799>  Ethernet address access list
(config-if) # bridge-group 1 output-address-list 701
Example
> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 output-pattern-list ?
<1100-1199> Pattern access list number
(config-if) # bridge-group 1 output-pattern-list 1102
Example
> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-pattern-list ?
<1100-1199> Pattern access list number
(config-if) # bridge-group 1 input-pattern-list 1102
Example
> enable
# config t
(config) # access-list 701 permit 1111.2222.3333 0000.0000.0000
(config) # access-list 701 permit 1112.2222.3333 0000.0000.0000
(config) # access-list 701 permit 1113.2222.3333 0000.0000.0000
(config) # access-list 701 deny 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-address-list 701
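The IP lists earlier on this page (access-list 3 and 106) and the MAC lists in these bridge-group challenges (700-series address lists and 1100-series pattern lists) are all evaluated the same way: entries are tried in order, the first match decides, the mask is a wildcard in which a 1 bit means "do not compare", and a packet matching nothing is dropped by the implicit deny. The following Python is an added example, not part of the page or of IOS. It evaluates those lists as the device would, over addresses only (the tcp and eq syslog qualifiers of list 106 are not modelled), and it shows two mistakes that the wildcard rule makes easy: typing a subnet mask where a wildcard belongs, and giving a MAC deny entry the all-ones mask. The list contents are transcribed from the page; the test addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


def parse_ipv4(text: str) -> bytes:
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {text!r}")
    return bytes(octets)


def parse_mac(text: str) -> bytes:
    """Cisco dotted-hex form (1111.2222.3333); 0.0.0 is the all-zero address."""
    groups = text.split(".")
    if len(groups) != 3:
        raise ValueError(f"bad MAC address {text!r}")
    return b"".join(int(g, 16).to_bytes(2, "big") for g in groups)


def wildcard_match(addr: bytes, pattern: bytes, wildcard: bytes) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not compare this bit'."""
    return all(((a ^ p) & ~w & 0xFF) == 0 for a, p, w in zip(addr, pattern, wildcard))


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: bytes
    src_wc: bytes
    dst: Optional[bytes] = None    # None for a standard (source-only) list
    dst_wc: Optional[bytes] = None


def evaluate(acl: List[Ace], src: bytes, dst: Optional[bytes] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if ace.dst is not None and (dst is None or not wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        return ace.action
    return "deny"


def ip_ace(action, src, src_wc="0.0.0.0", dst=None, dst_wc="0.0.0.0") -> Ace:
    """'host X' in IOS is X with wildcard 0.0.0.0, which is the default here."""
    return Ace(action, parse_ipv4(src), parse_ipv4(src_wc),
               parse_ipv4(dst) if dst else None, parse_ipv4(dst_wc) if dst else None)


def mac_ace(action, src, src_mask, dst=None, dst_mask=None) -> Ace:
    return Ace(action, parse_mac(src), parse_mac(src_mask),
               parse_mac(dst) if dst else None, parse_mac(dst_mask) if dst else None)


def check_ip(acl: List[Ace], src: str, dst: Optional[str] = None) -> str:
    return evaluate(acl, parse_ipv4(src), parse_ipv4(dst) if dst else None)


def check_mac(acl: List[Ace], src: str, dst: Optional[str] = None) -> str:
    return evaluate(acl, parse_mac(src), parse_mac(dst) if dst else None)


# Standard list 3 as configured on this page.
ACL_3 = [ip_ace("permit", "48.13.112.0", "0.15.255.255"),
         ip_ace("deny", "208.147.31.0", "1.255.255.255")]


# Extended list 106 (addresses only): first with a subnet mask typed where a wildcard
# belongs, then with the /24 wildcard 0.0.0.255 that was meant.
def acl_106(mask: str) -> List[Ace]:
    return [ip_ace("permit", "202.33.249.1", dst="162.97.253.5"),
            ip_ace("deny", "197.85.151.8", dst="196.123.113.4"),
            ip_ace("permit", "123.183.27.0", mask, "110.233.17.0", mask),
            ip_ace("deny", "24.81.208.0", mask, "127.46.93.0", mask)]


ACL_106_SUBNET_MASK = acl_106("255.255.255.0")
ACL_106_WILDCARD = acl_106("0.0.0.255")

# MAC list 701: block three stations, permit everyone else. The mask is a wildcard too:
# 0000.0000.0000 is an exact match, ffff.ffff.ffff matches any address.
BLOCKED = ("1111.2222.3333", "1112.2222.3333", "1113.2222.3333")
PERMIT_ANY_MAC = mac_ace("permit", "0.0.0", "ffff.ffff.ffff")
MAC_701 = [mac_ace("deny", m, "0000.0000.0000") for m in BLOCKED] + [PERMIT_ANY_MAC]
# The same deny entries written with mask ffff.ffff.ffff match every station.
MAC_701_MASK_ALL = [mac_ace("deny", m, "ffff.ffff.ffff") for m in BLOCKED] + [PERMIT_ANY_MAC]
# Extended MAC (pattern) list 1102: source/destination pairs.
MAC_1102 = [mac_ace("deny", "1111.2222.3333", "0.0.0", "1112.2222.3333", "0.0.0"),
            mac_ace("permit", "0.0.0", "ffff.ffff.ffff", "0.0.0", "ffff.ffff.ffff")]
```

With the subnet mask typed into list 106, only the first three octets are ignored and the last octet must be 0, so a host such as 123.183.27.7 falls through to the implicit deny while an unrelated 10.0.0.0 is permitted; with the all-ones mask on the MAC deny entries, the first entry matches every station and nothing is permitted. Both are the kind of silent failure that a quick check like this catches before the list goes on an interface.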
This challenge involves the configuration of ARP caching for connected wireless nodes, and
to enable Cisco Aironet extensions.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# dot11 arp-cache
(config)# int d0
(config-if)# dot11 ?
  extension  Cisco IEEE 802.11 extension
  qos        Dot11 QOS configuration
(config-if)# dot11 ex ?
  aironet  Cisco Aironet extension
  power    Enable Cisco proprietary native power management
(config-if)# dot11 extension aironet
Explanation
The Cisco Aironet extensions are:
Cisco Key Integrity Protocol (CKIP). This uses a permutation method to renew the WEP key. If TKIP is used, CKIP is not required.
Limiting power level. This allows the access point to control the power level of the clients once they associate.
Load balancing. This allows a client to select the best access point in terms of signal strength, load, and so on.
Message Integrity Check (MIC). This enhances WEP security against a number of attacks.
Repeater mode. This allows the access point to support repeater access points.
World mode. This allows clients to receive carrier (regulatory) information from the access point and adjust their settings automatically.
Example
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# no dot11 arp-cache
(config)# int d0
(config-if)# no dot11 extension aironet
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# beacon dtim-period ?
  <1-100>  dtim count
(config-if)# beacon dtim-period 50
Explanation
The beacon period is the time between access point beacons in kilomicroseconds (1 Kusec is 1,024 microseconds, about 1.024 ms). The default is 100 Kusec. If the beacon period is 1000, the time between beacons is approximately 1 second (1.024 seconds).
The DTIM period (data beacon rate) defines how often the DTIM (delivery traffic indication message) appears in a beacon; the DTIM tells power-save client devices that a packet is waiting for them. The default DTIM period is 2. If the DTIM period is set to 5 and the beacon period is 1000, a beacon carrying a DTIM is sent roughly every 5 seconds.
RTS Explained
Outline: This challenge involves an analysis of RTS.
Explanation
The RTS threshold addresses the hidden node problem, where two wireless nodes are within range of the same access point but not within range of each other, as illustrated in Figure 1. As neither knows the other exists, they may try to transmit to the access point at the same time; their data frames then collide at the access point and are lost. RTS/CTS handshaking overcomes this: when a node wishes to send, it first sends a Request To Send (RTS) to the access point, and once the access point determines that the medium is free it replies with a Clear To Send (CTS), which every node in range hears. The node can then send its data, as illustrated in Figure 2. The RTS threshold is the data frame size above which a node must send an RTS first; the range is 0 to 2347 bytes and the default is 2347, the maximum, so that by default RTS/CTS is effectively not used.
# config t
(config)# int dot11radio0
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 2000
RTS retries defines the number of times that an access point will transmit an RTS signal
before it stops sending the data frame. Values range from 1 to 128. For example:
# config t
(config)# int dot11radio0
(config-if)# rts retries ?
<1-128> max retries
(config-if)# rts retries 10
(config-if)# end
Fragment-threshold Explained
Outline: This challenge involves an analysis of the fragment-threshold.
Objectives: The objectives of this challenge are to explain fragment-threshold.
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 1000
Explanation
A wireless data frame can have up to 2312 data bytes in the data payload. This large amount
could hog the bandwidth too much, and not give an even share to all the nodes on the
network, as illustrated in Figure 1. Research has argued that creating smaller data frames,
often known as cells, is more efficient in using the available bandwidth, and also for
switching data frames. Thus wireless systems provide a fragment threshold, in which the
larger data frames are split into smaller parts, as illustrated in Figure 2. An example of the
configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 700
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# power local cck ?
  <1 - 50>  One of: 1 5 10 20 30 50
  maximum   Set local power to allowed maximum
(config-if)# power local 50
(config-if)# power client ?
  <1 - 50>  One of: 1 5 10 20 30 50
  local     Set client power to Access Point local power
  maximum   Set client power to allowed maximum
(config-if)# power client 10
Explanation
The power of the access point and also of the clients are important as they will define the
coverage of the signal, and must also be within the required safety limits. Thus, the more
radio power that is used to transmit the signal, the wider the scope of the wireless network.
Unfortunately, the further that the signal goes, the more chance that an intruder can pick up
the signal, and, possibly, gain access to its contents, as illustrated in Figure 1. To control this
power, the access point can set up its own radio power, and also is able to set the power
transmission of the client adapter. An example in setting the local power, and the client is
shown next:
# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
<1-50>
One of: 1 5 20 30 50
maximum Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
<1-50>
One of: 1 5 20 30 50
maximum Set client power to allowed maximum
(config-if)# power client 10
The client power-save modes are:
CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will typically go to sleep, and will only be woken by the access point, or if there is activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a compromise between the two.
Max-associations Explained
Outline: This challenge involves an analysis of the maximum number of associations.
Objectives: The objectives of this challenge are to explain the maximum associations.
Example (12.3)
> enable
# config t
(config)# dot11 ssid fred
(config-ssid)# max ?
<1-255> association limit
(config-ssid)# max-assoc 9
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid fred
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
<1-255> association limit
(config-if-ssid)# max-assoc 9
Explanation
A particular problem in wireless networks is that the access point may become
overburdened with connected clients. This could be due to an attack, such as DoS (Denial of
Service), or due to poor planning. To set the maximum number of associations, the max-associations command is used within the SSID setting:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# max ?
<1-255> association limit
(config-if-ssid)# max-associations 100
(config-if-ssid)# end
Preamble Explained
Outline: This challenge involves an analysis of the preamble.
Objectives: The objectives of this challenge are to explain the preamble.
Explanation
The preamble can be set to long (the default) or short. A long preamble allows interoperability with 1 Mbps and 2 Mbps DSSS devices. A short preamble allows faster operation (the preamble is kept to a minimum) and can be used where throughput must be maximised and there are no interoperability problems. To set a short preamble:
# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# end
Station-role Explained
Outline: This challenge involves an analysis of the station role.
Objectives: The objectives of this challenge are to explain the station role.
Explanation
A root access point connects wireless clients to a fixed (wired) network, whereas a repeater access point does not connect to a wired LAN and simply forwards data packets to another repeater or to an access point which is connected to a wired network (Figure 1). With a repeater the Ethernet port will not operate. The repeater access point typically associates with the access point which has the best connectivity, but it can be set up to connect to a specific access point. In the following case, the access point will associate with the parent with the specified MAC address (1111.2222.3333):
# config t
Or
# config t
(config)# interface d0
(config-if)# ssid napier
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config-if)# station-role repeater
(config-if)# dot11 extension aironet
(config-if)# parent 1 1111.2222.3333
(config-if)# parent 2 2222.aaaa.bbbb
(config-if)# end
It is possible to define up to four parents, so that if one fails to associate, the others can be used. In most cases the Cisco Aironet extensions must be enabled, as they aid the association process, but this can cause incompatibility problems with non-Cisco devices.
... diagrams missed out in demo version
The repeater will start with the first parent, and, if it cannot connect, it will then try the next
parent, and so on. Overall, repeaters are fairly good at extending the range of a wireless
network, but reduce the throughput, as bandwidth is wasted in relaying the data from
repeaters. As an approximation the actual throughput will be reduced by at least half.
The throughput of an IEEE 802.11g network can be improved by enabling short slot time, which reduces the slot time from 20 microseconds to 9 microseconds. The backoff time, which a node waits before transmitting after finding the medium busy, is a random multiple of the slot time, so reducing the slot time typically reduces the backoff time. To enable it:
(config)# int d0
(config-if)# short-slot-time
Note that short slot time is only available in IEEE 802.11g. By default it is disabled.
Explanation
MAC authentication caching on the access point is typically used where MAC-authenticated clients roam around the network. When it is enabled it reduces the time overhead of re-authenticating the nodes with an authentication server: when a node is first authenticated, its MAC address is added to the cache. Note that a MAC address is trivially spoofed, so MAC authentication on its own identifies a card, not a user.
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# st ?
  non-root          Non-root (bridge)
  repeater          Repeater access point
  root              Root access point or bridge
  scanner           Scanner access point
  workgroup-bridge  Workgroup Bridge
(config-if)# station scanner
(config-if)# monitor ?
  frames  Monitor dot11 frames
(config-if)# monitor frames ?
  endpoint  endpoint station where the captured traffic is
(config-if)# monitor frames endpoint ?
  ip  IP address
(config-if)# monitor frames endpoint ip ?
  address  IP address
(config-if)# monitor frames endpoint ip address ?
  A.B.C.D  Destination IP Address xxx.xxx.xxx.xxx
(config-if)# monitor frames endpoint ip address 10.0.0.1 ?
  port  UDP port number
(config-if)# monitor frames endpoint ip address 10.0.0.1 port ?
  <1024-65535>  Destination UDP port number 1024 to 65535
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111
(config-if)# exit
(config)# wlccp ?
  ap                     Enable WLCCP AP
  authentication-server  Authentication Server
  wds                    Enable Wireless Domain Service Manager
  wnm                    Configure Wireless Network Manager
(config)# wlccp ap ?
  username
  wds
(config)# wlccp au ?
  client          For Clients
  infrastructure  For Infrastructure Nodes
(config)# wlccp wd ?
  aaa         Authentication, Authorization, and Accounting
  interface   Interface to send WDS Adv
  priority    Priority of WDS
  recovery    WDS Graceful Recovery
  statistics  Roaming statistics
(config)# wlccp wn ?
  ip  IP configuration commands
Explanation
The scanner mode is used in WIDS where the access point listens on all of the radio
channels and reports activity. As it is used as a WIDS, it does not accept any associations.
The monitor command can then be used to forward all of the data packets received to a
specific address on a certain port, such as 10.0.0.1 on UDP port 1111:
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111
The monitor status display for the interface (the labels of its first fields were lost in extraction) then shows the endpoint settings and the capture counters:
  (label lost)                             : Enabled
  (label lost)                             : 10.0.0.1
  (label lost)                             : 1111
  (label lost)                             : 128 bytes
  (label lost)                             : Disabled
  Total No. of frames captured             : 0
  Total No. of data frames captured        : 0
  Total No. of control frames captured     : 0
  Total No. of Mgmt frames captured        : 0
  Total No. of CRC errored frames captured : 0
Explanation
A major problem occurs when the Ethernet port fails: in some situations the radio port of the
access point should then be shut down, so that clients do not stay associated to an access point
that has lost its wired uplink. The following shuts down the D0 port when the Ethernet connection fails:
(config-if)# station ?
non-root         Non-root (bridge)
repeater         Repeater access point
root             Root access point or bridge
scanner          Scanner access point
workgroup-bridge Workgroup Bridge
(config-if)# station root ?
access-point Access point
ap-only      Bridge root in access point only mode
bridge       Bridge root (without wireless client)
fallback     Root AP action if Ethernet port fails
(config-if)# station root fallback ?
repeater Become a repeater
shutdown Shutdown the radio
(config-if)# station root fallback shutdown
By default the Web page is then accessed by the client at http://10.0.0.1:
out-bytes 50720
remote-ipaddress:port  in-bytes  out-bytes  end-time
10.0.0.2:4046          396       192        00:00:46 03/01
10.0.0.2:4047          427       192        00:00:52 03/01
10.0.0.2:4049          5352      52152      00:01:59 03/01
10.0.0.2:4048          4885      85094      00:02:04 03/01
10.0.0.2:4051          396       192        00:25:23 03/01
10.0.0.2:4052          4878      86257      00:26:30 03/01
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes  end-time
10.0.0.1:80           10.0.0.2:4053          5041      50737      00:26:35 03/01
10.0.0.1:8080         10.0.0.2:4064          401       192        00:47:16 03/01
10.0.0.1:8080         10.0.0.2:4065          4343      85878      00:48:21 03/01
all information
connection information
history information
server status information
application session module information
statistics information
status information
(config-if)# exit
(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
(config)# ip http secure-port ?
<0-65535> Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443
By default the Web page is then accessed by the client at https://10.0.0.1, after which the
client responds with:
... graphic missed out on version see help file.
and then (the password is the default enable password):
... graphic missed out on version see help file.
and then:
... graphic missed out on version see help file.
The data transferred between the client and server will then be encrypted. To verify the
details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.1238.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032
9.0      Allow 9 Mb/s rate
nom-1.0  Allow Nominal 1 Mb/s rate
nom-11.0 Allow Nominal 11 Mb/s rate
nom-12.0 Allow Nominal 12 Mb/s rate
nom-18.0 Allow Nominal 18 Mb/s rate
nom-2.0  Allow Nominal 2 Mb/s rate
nom-24.0 Allow Nominal 24 Mb/s rate
nom-36.0 Allow Nominal 36 Mb/s rate
nom-48.0 Allow Nominal 48 Mb/s rate
nom-5.5  Allow Nominal 5.5 Mb/s rate
nom-54.0 Allow Nominal 54 Mb/s rate
nom-6.0  Allow Nominal 6 Mb/s rate
ap(config-if)#traffic-stream pri 0 sta 1.0
Thus the best-effort rate for this access point is 1.0 Mbps. If this were advertised to clients,
they could then decide whether this is the best rate for their best-effort traffic.
SSH Explained
Outline: This challenge involves an analysis of SSH.
Objectives: The objectives of this challenge are to explain SSH.
Explanation
The TELNET protocol is insecure, as everything it carries is passed as plain text. An improved method is
to use SSH, which encrypts the session. It requires a domain name and an RSA key pair to be defined:
ap# config t
Enter configuration commands, one per line.
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
An SSH client such as putty can then be used to connect to the access point:
... graphic missed out on version see help file.
after which the client shows the message:
... graphic missed out on version see help file.
which sets the timeout to 60 seconds, and a maximum of two retries. Finally, to prevent
Telnet sessions:
ap(config)#line vty 0 4
ap(config-line)# transport input ssh
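An added example (not from the NetworkSims material) that audits the management plane described in the HTTPS section above and in this SSH section: it parses the `show ip http server status` output and the vty line configuration and reports the settings a reviewer would object to. The sample texts are constructed from the outputs shown on this page; the list of weak ciphers is my own assumption.

```python
# Constructed from the `show ip http server status` listing shown above
# (only the lines the checks need).
SAMPLE_HTTP_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""

# Constructed running-config fragment for the vty lines of the SSH section.
SAMPLE_VTY_CONFIG = """\
ip domain-name test.com
line vty 0 4
 transport input ssh
"""

# Assumption: DES, RC4 and MD5 based suites are treated as weak.
WEAK_CIPHERS = {"des-cbc-sha", "rc4-128-md5", "rc4-128-sha"}


def parse_http_status(text):
    """Turn 'Key: value' lines into a dict; a key with no value maps to ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_http(text):
    """Return findings for the HTTP/HTTPS management servers, in output order."""
    f = parse_http_status(text)
    findings = []
    if f.get("HTTP server status") == "Enabled":
        findings.append("plaintext HTTP server enabled on port %s" % f.get("HTTP server port", "?"))
    if f.get("HTTP secure server status") != "Enabled":
        findings.append("HTTPS server not enabled")
    offered = set(f.get("HTTP secure server ciphersuite", "").split())
    weak = sorted(offered & WEAK_CIPHERS)
    if weak:
        findings.append("weak HTTPS ciphers offered: " + ", ".join(weak))
    if f.get("HTTP secure server trustpoint", "") == "":
        findings.append("no trustpoint: HTTPS uses a self-signed certificate")
    if f.get("HTTP server authentication method") == "enable":
        findings.append("HTTP auth uses the shared enable password, not per-user accounts")
    return findings


def audit_vty(config):
    """Return findings for the vty lines: no transport restriction, or telnet still allowed."""
    findings = []
    in_vty = False
    transport = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" transport input"):
            transport = line.split()[2:]      # the protocols listed after 'transport input'
        elif in_vty and not line.startswith(" "):
            in_vty = False                    # left the line vty block
    if transport is None:
        findings.append("vty transport input not restricted (telnet allowed by default)")
    elif "telnet" in transport or "all" in transport:
        findings.append("vty still accepts telnet")
    return findings


if __name__ == "__main__":
    for finding in audit_http(SAMPLE_HTTP_STATUS) + audit_vty(SAMPLE_VTY_CONFIG):
        print("-", finding)
```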
LEAP Explained
Outline: This challenge involves an analysis of LEAP.
Objectives: The objectives of this challenge are to explain LEAP.
Explanation
The following uses a local RADIUS server to authenticate using LEAP authentication:
(config)# hostname ap
(config)# aaa new-model
(config)# int bvi1
(config-if)# ip address 192.168.1.110 255.255.255.0
(config-if)# exit
(config)# dot11 ssid APskills
1813
key
In this case the user login for LEAP will be aaauser with a password of aaauser. Notice that
the NAS is set to the local IP address, and that the RADIUS server is also set to the local IP
address.
Notice also that the shared key (in this case named sharedkey) must be the same on the
NAS and the RADIUS server.
Next, set up the clients to support LEAP authentication, as shown in Figure 1. Once the client
has associated, determine the associated devices with:
# show dot11 assoc
802.11 Client Stations on Dot11Radio0:
SSID [APskills] :
MAC Address     IP address      Device      Name  Parent  State
0090.4b54.d83a  192.168.1.111   4500-radio  -     self    EAP-Assoc
Others:
The access point will then display a message such as the following on a successful
association:
*Mar 1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a
Associated KEY_MGMT[WPA]
D0 Encapsulation
Outline: This challenge involves setting up the encapsulation on D0.
show running | include udp
show running | include tcp
show running | include !
show running | begin version
show running | exclude int
Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the
output in the show command.
Explanation
The filtering output includes:
show command | include word   this finds all lines with word
show command | begin word     this finds all lines which begin with word
show command | exclude word   this finds all lines without word
An example is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca
(config-if)# bridge-port 1 ?
<cr>
circuit-group
input-address-list
input-lat-service-deny
# config t
(config)# dot11 ssid fred
(config-ssid)# mbssid guest-mode dtim 10
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
Note:
Large DTIM values are useful for increasing the battery life for power-save client devices.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)#ip ?
redirection Redirect client data to alternate IP address
(config-ssid)#ip redirection ?
host Destination host to forward data
(config-ssid)#ip redirection host ?
A.B.C.D IP redirect destination host address
(config-ssid)# ip redirection host 192.168.1.1
(config-ssid)# exit
(config-ssid)#ip red
in Apply to input
(config-ssid)#ip red
<cr>
(config-ssid)#ip red
(config-ssid)# exit
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# encryption vlan 22 key 1 size 40 aaaaaaaaaa
which defines a 40-bit encryption key of aaaaaaaaaa (a hexadecimal value). The
other option is a 128-bit key, which has 32 hexadecimal digits. In this case the interface is
assigned to VLAN 22, so that all the other nodes in this VLAN will receive broadcasts from
a node in the VLAN.
wep128
wep40
ckip
cmic
ckip-cmic
tkip
tkip wep128
tkip wep40
which enables the broadcast key on VLAN 22 and defines that the broadcast key is changed
every 100 seconds.
Authentication based on MAC-address Explained
WPA-PSK Explained
Outline: This challenge involves defining the pre-shared key for WPA-PSK.
Explanation
Unfortunately, WEP suffers from many problems and should not be used for sensitive data.
An improvement which keeps compatibility with WEP hardware is TKIP. One method is WPA-PSK
(pre-shared key), where the user defines a pre-shared key which is set up on both the access
point and the client. An example setup of WPA-PSK on a Linksys access point (Figure 1)
and on a client (Figure 2), both with the same shared key napieruniversity, is shown:
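An added example (not from the NetworkSims material) showing what the access point and client each do with the passphrase: the IEEE 802.11i mapping stretches the passphrase and SSID into the 256-bit PSK with PBKDF2-HMAC-SHA1, and that 64-hex-digit value is the form the `wpa-psk` command also accepts as hex. The policy thresholds in `passphrase_findings` are my assumption, not anything the page states.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_BYTES = 32             # 256-bit PSK (the pairwise master key)


def wpa_psk_from_passphrase(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2 PSK from an ASCII passphrase and the SSID.

    Both the AP (`wpa-psk ascii ...`) and the client compute this before the
    4-way handshake, so the passphrase itself never crosses the air. The hex
    string returned is what `wpa-psk hex ...` takes directly.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)
    return key.hex()


def passphrase_findings(passphrase, min_len=20):
    """Defender-side policy check (assumed policy: >= 20 chars, >= 3 character classes).

    The PSK is exactly as strong as the passphrase: 4096 PBKDF2 iterations slow
    guessing down but do not rescue a short dictionary word, and the SSID is
    public, so it adds no secrecy.
    """
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in passphrase)
               + any(c.isupper() for c in passphrase)
               + any(c.isdigit() for c in passphrase)
               + any(not c.isalnum() for c in passphrase))
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


if __name__ == "__main__":
    # The page's example: SSID texas with passphrase napieruniversity.
    print("wpa-psk hex", wpa_psk_from_passphrase("napieruniversity", "texas"))
    print(passphrase_findings("napieruniversity"))
```

The first assertion in the accompanying check uses the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so the derivation can be verified against the standard rather than against this page.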
> enable
# config t
(config)# dot11 ssid texas
(config-ssid)# wpa-psk ascii napieruniversity
(config-ssid)# exit
(config)# int d0
(config-if)# ssid texas
where:
This is the time that a client device must wait before it can reattempt to authenticate after it
has failed an authentication. This occurs when the client device fails three logins or does not
reply to three authentication requests. Range: 1-65,545 seconds.
(config)# dot1x timeout supp-response 10
This is the time that the access point waits for a reply to an EAP/dot1x message from a client
before the authentication is failed.
(config-if)# dot1x reauth-period 10
This is the time that the access point waits before it asks the client to reauthenticate itself.
(config-if)# countermeasure tkip hold-time
This defines the TKIP MIC failure hold time, which is triggered when the access point detects two
MIC failures within a period of 60 seconds. For the hold-time period it then blocks all TKIP
clients on the interface.
WLCCP Explained
Outline: This challenge involves defining WLCCP (Wireless LAN Context Communication
Protocol).
Explanation
In large campus area networks it is important that mobile nodes are able to migrate from
one access point to another and, if possible, hand their current context from one access
point to the other.
WLCCP establishes and manages wireless network topologies in a SWAN (Smart Wireless
Architecture for Networking). It securely manages an operational context for mobile clients,
typically in a campus-type network. In the registration phase it can automatically create
and delete network links, and securely distribute operational context, typically over Layer 2
forwarding paths.
With WLCCP, a single infrastructure node is defined as the central control point within each
subnet, and it allows access points and mobile nodes to select a parent node giving a least-cost path
to the backbone connection. An example is:
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login testi group radius
(config)# aaa authentication login testc group radius
which defines that the authentication of infrastructure devices is done using the server
group testi, and that client devices using the testing SSID are authenticated using the server
group of testc.
Example
> en
# config t
(config)# hostname test
(config)# aaa new-model
(config)# tacacs-server ?
administration   Start tacacs+ daemon handling administrative messages
cache            AAA auth cache default server group
directed-request Allow user to specify tacacs server to use with `@server'
dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers
host             Specify a TACACS server
key              Set TACACS+ encryption key.
packet           Modify TACACS+ packet options
timeout          Time to wait for a TACACS server to reply
(config)# tacacs-server host ?
Hostname or A.B.C.D IP address of TACACS server
<cr>
(config)# tacacs-server host 39.100.234.1
ap(config)# tacacs-server key ?
0    Specifies an UNENCRYPTED key will follow
7    Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key
(config)# tacacs-server key crinkle
(config)# aaa authentication ?
arap            Set authentication lists for arap.
attempts        Set the maximum number of authentication attempts
banner          Message to use when starting login/authentication.
dot1x           Set authentication lists for IEEE 802.1x.
enable          Set authentication list for enable.
eou             Set authentication lists for EAPoUDP
fail-message    Message to use for failed login/authentication.
login           Set authentication lists for logins.
password-prompt Text to use when prompting for a password
ppp             Set authentication lists for ppp.
sgbp            Set authentication lists for sgbp.
username-prompt Text to use when prompting for a username
(config)# aaa authentication login ?
WORD    Named authentication list.
default The default authentication list.
(config)# aaa
cache
enable
group
line
local
local-case
none
(config)# aaa
none
start-stop
stop-only
Example
> en
# config t
(config)# dot11 ssid network1
(config-ssid)# mbssid guest-mode
(config-ssid)# exit
# config t
(config)# dot11 ssid network2
(config-ssid)# exit
# config t
(config)# dot11 ssid network3
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid network1
(config-if)# ssid network2
(config-if)# ssid network3
Define sub-interfaces.
Create VLANs.
Define multiple SSIDs.
Example
> en
# config t
(config)# dot11 ssid network1
(config-ssid)# vlan 1
(config-ssid)# exit
# config t
(config)# dot11 ssid network2
(config-ssid)# vlan 2
(config-ssid)# exit
# config t
(config)# dot11 ssid network3
(config-ssid)# vlan 3
(config-ssid)# exit
(config)# int d0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int e0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int d0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int e0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int d0.3
(config-if)# encapsulation dot1q 3
(config-if)# exit
(config)# int e0.3
(config-if)# encapsulation dot1q 3
(config-if)# end
# show vlan
Virtual LAN ID: ...   Dot11Radio0.1
Virtual LAN ID: ...   Dot11Radio0.2
   Protocols Configured: Bridging     Address: Bridge Group 2
Virtual LAN ID: ...   Dot11Radio0.3
   Protocols Configured: Bridging     Address: Bridge Group 2
(the per-VLAN Received/Transmitted counters were garbled in extraction and are omitted)
This assigns three VLANs. The first is allowed to the network1 SSID, the second to network2
and the third to network3.
Theory
In the following example VLAN 1 is associated to Scotland on the first Aironet, Ireland on
the next, and France on the third one. Each of the nodes which connect to VLAN 1 will all be
part of the same network, even though they connect to different Aironets. The same applies
to VLAN 2, where nodes connecting to England, Wales and Germany, will be in the same
network. The key factor is that the switch supports 802.1q which will trunk between the
ports on the switch.
An example of trunking on the switch is:
# config t
(config)# int vlan 1
(config-vlan)# exit
(config)# int vlan 2
(config-vlan)# exit
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan add 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/2
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan add 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/3
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan add 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
Diagram has been left-out in this version see e-Book.
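An added example (not from the NetworkSims material) that checks the SSID-to-VLAN-to-subinterface wiring the examples above set up: every SSID's VLAN must have a radio and an Ethernet subinterface carrying that tag, the native flag must agree on both sides, and the switch trunk must allow those VLANs with the same native VLAN. The configs are constructed from the page's examples in running-config form (the switch allowed list is extended to VLAN 3); the second AP sample deliberately types the VLAN 3 encapsulation on e0.1 instead of e0.3 to show what the check catches.

```python
import re

# Constructed running-config of the three-SSID access point from the example above.
AP_CONFIG = """\
dot11 ssid network1
 vlan 1
dot11 ssid network2
 vlan 2
dot11 ssid network3
 vlan 3
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
interface FastEthernet0.1
 encapsulation dot1Q 1 native
interface Dot11Radio0.2
 encapsulation dot1Q 2
interface FastEthernet0.2
 encapsulation dot1Q 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
interface FastEthernet0.3
 encapsulation dot1Q 3
"""

# Same config with a slip: the VLAN 3 encapsulation typed on e0.1, which silently
# replaces that subinterface's native VLAN 1 encapsulation.
AP_CONFIG_TYPO = AP_CONFIG.replace("interface FastEthernet0.3", "interface FastEthernet0.1")

# Constructed switch trunk port facing the access point.
SWITCH_TRUNK = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 1,2,3
 switchport mode trunk
 switchport nonegotiate
"""


def parse_ap(config):
    """Return ({ssid: vlan}, {subinterface: (vlan, is_native)})."""
    ssid_vlan, subifs = {}, {}
    ssid = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dot11 ssid "):
            ssid, iface = line.split()[2], None
        elif line.startswith("interface "):
            iface, ssid = line.split()[1], None
        elif ssid and line.startswith("vlan "):
            ssid_vlan[ssid] = int(line.split()[1])
        elif iface and line.lower().startswith("encapsulation dot1q "):
            parts = line.split()
            # A later encapsulation command on the same subinterface replaces the earlier one.
            subifs[iface] = (int(parts[2]), "native" in parts[3:])
    return ssid_vlan, subifs


def parse_trunk(config):
    """Return (native_vlan, set_of_allowed_vlans) from a switchport trunk config."""
    native, allowed = None, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,]+)$", line)
        if m:
            allowed |= {int(v) for v in m.group(1).split(",")}
    return native, allowed


def check(ap_config, trunk_config):
    """List every SSID/VLAN/trunk mismatch; an empty list means the wiring is consistent."""
    ssid_vlan, subifs = parse_ap(ap_config)
    native, allowed = parse_trunk(trunk_config)
    by_vlan = {}
    for iface, (vlan, is_native) in subifs.items():
        side = "radio" if iface.lower().startswith("dot11") else "ethernet"
        by_vlan.setdefault(vlan, {})[side] = is_native
    problems = []
    for ssid, vlan in ssid_vlan.items():
        sides = by_vlan.get(vlan, {})
        for side in ("radio", "ethernet"):
            if side not in sides:
                problems.append(f"SSID {ssid}: VLAN {vlan} has no {side} subinterface")
        if len(sides) == 2 and sides["radio"] != sides["ethernet"]:
            problems.append(f"VLAN {vlan}: native flag differs between radio and ethernet")
        if vlan not in allowed:
            problems.append(f"VLAN {vlan} is not allowed on the switch trunk")
    ap_native = sorted(v for v, s in by_vlan.items() if any(s.values()))
    if native is not None and native not in ap_native:
        problems.append(f"switch native VLAN {native} does not match AP native VLANs {ap_native}")
    return problems


if __name__ == "__main__":
    print(check(AP_CONFIG, SWITCH_TRUNK))       # []
    print(check(AP_CONFIG_TYPO, SWITCH_TRUNK))  # VLAN 1 has lost its Ethernet side
```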
When the bridge group is added to the radio port the following are added:
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load
element:
AP(config)# dot11 phone
Objectives
The objectives of this challenge are to:
Enable IEEE 802.11 phone support for the legacy QBSS load element.
Example
> en
# config t
(config)# dot11 phone
(config)# int d0
(config-if)# traffic-control ?
0           Parameters for priority 0
1           Parameters for priority 1
2           Parameters for priority 2
3           Parameters for priority 3
4           Parameters for priority 4
5           Parameters for priority 5
6           Parameters for priority 6
7           Parameters for priority 7
background  Parameters for the background access class
best-effort Parameters for the best effort access class
video       Parameters for the video access class
voice       Parameters for voice access class
(config-if)# traffic-c best-effort ?
cw-max     802.11 contention window maximum
cw-min     802.11 contention window minimum
fixed-slot 802.11 fixed backoff slot time
<cr>
(config-if)# traffic-c be cw-min ?
<0-10> CwMin will be ( 2 to the power of the entered value ) - 1
(config-if)# traffic-c best cw-min 4 ?
cw-max     802.11 contention window maximum
fixed-slot 802.11 fixed backoff slot time
<cr>
(config-if)# traffic-c best cw-min 4 cw-max ?
<0-10> CwMax will be ( 2 to the power of the entered value ) - 1
(config-if)# traffic-c best cw-min 4 cw-max 10 ?
fixed-slot 802.11 fixed backoff slot time
<cr>
(config-if)# traffic-c best cw-min 4 cw-max 10 fixed-slot ?
<0-16> 802.11 fixed backoff slot time
(config-if)# traffic-class best-effort cw-min 4 cw-max 10 fixed-slot 2
This configuration enables 802.11-compliant phone support and configures the contention
windows and fixed-slot backoff of the best-effort traffic class. In this case, when a best-effort
backoff starts, the station waits a minimum of the 802.11 Short Inter-Frame Space time
plus two backoff slots.
PIX/SPNA
DESCRIPTION:
domain-name
Change domain name
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto
(config)# exit
# show ip add
# show running
# sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets
SYNTAX:
<ip_address>
<mask>
<sby_ip_addr>
<4-16>
<interface>:
<if_name>:
see also:
nameif, security-level
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# help shut
USAGE:
[no] shutdown
DESCRIPTION:
shutdown
Shutdown the selected interface
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# show ip add
# sh ip add
System IP Addresses:
IP address outside 192.168.1.1
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# show running
myPIX # sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
# show running
# sh int e1
Interface Ethernet1 inside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets
SYNTAX:
<username>
(config-if)# exit
(config)# int e2
(config-if)# help nameif
USAGE:
nameif <if_name>
no nameif [<if_name>]
show running-config [all] nameif [<interface>]
show nameif [<interface>]
clear nameif
DESCRIPTION:
nameif
SYNTAX:
<if_name>
<interface>:
see also:
security-level, interface, static, global, nat
(config-if)# nameif jupiter
(config-if)# help security-level
USAGE:
security-level <0-100>
no security-level [<0-100>]
DESCRIPTION:
security-level
SYNTAX:
<0-100>
see also:
nameif
(config-if)# security-level 50
(config-if)# exit
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username
SYNTAX:
<username>
SYNTAX:
<pw>
The password for this privilege level
<level>
The privilege level
<encrypted>
Indicates that this password is encrypted
(config)# enable ?
mode commands/options:
password of up to 16 alphanumeric characters
(config)# passwd kent
(config)# help password
USAGE:
[no] password|passwd <password> encrypted
clear configure passwd
DESCRIPTION:
passwd
SYNTAX:
<password>
encrypted
see also:
telnet
(config)# help http
USAGE:
[no] http <local_ip> <mask> <if_name>
[no] http server enable
DESCRIPTION:
http
SYNTAX:
<local_ip>
<mask>
<if_name>
see also:
password, aaa
(config)# http server enable
(config)# help banner
USAGE:
banner {exec | login | motd} <text>
no banner {exec | login | motd} [<text>]
show banner [{exec | login | motd}]
clear banner
DESCRIPTION:
banner
SYNTAX:
exec
login
motd
<text>
Example
(config)# help route
USAGE:
[no] route <if_name> <foreign_ip> <mask> <gateway>
[<metric>|tunneled]
clear configure route [<if_name>]
clear route [<if_name>]
show running-config route
show route [<if_name>]
DESCRIPTION:
route
SYNTAX:
<if_name>
<foreign_ip>
<mask>
<gateway>
<metric>
tunneled
see also:
rip, ping
Example
myPIX (config)# hostname arizona
arizona (config)# domain-name fife.nu
arizona (config)# show domain-name
myPIX (config)# help telnet
USAGE:
[no] telnet <local_ip> <mask> <if_name>
telnet timeout <number>
no telnet timeout [<number>]
DESCRIPTION:
telnet
SYNTAX:
<local_ip>
<mask>
<if_name>
<number>
see also:
ssh, password, aaa
arizona (config)# telnet timeout 8
arizona (config)# help ssh
USAGE:
[no] ssh <local_ip> <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh sessions [<client_ip>]
ssh disconnect <session_id>
DESCRIPTION:
ssh
Add SSH access to the Device console, set idle timeout, set
version supported, enable Secure Copy as an SSH application,
display a list of active SSH sessions, and terminate an SSH
session.
SYNTAX:
<local_ip>
<mask>
<if_name>
<number>
<client_ip>
<session_id>
see also:
telnet, password, enable, aaa
arizona (config)# ssh timeout 9
pixfirewall(config)# help console
USAGE:
[no] console timeout <number>
DESCRIPTION:
console
SYNTAX:
<number>
see also:
telnet, ssh, passwd, aaa
arizona (config)# console timeout 9
arizona (config)# show telnet
arizona (config)# show ssh
arizona (config)# show console
Rename the interfaces, and define the security level on each interface.
Note: A port with the name of outside always has a security level of 0, while a port with the
name of inside always has a security level of 100.
orkney security61
Example (6.x)
# nameif
# config t
(config)# help interface
USAGE:
interface <type> <port>
interface <type> <port>.<subif_number>
no interface <type> <port>.<subif_number>
show running-config [default] interface {<type> <port>[.<subif_number>]}
show interface {<type> <port>[.<subif_number>] | <if_name>}
[detail|stats|ip brief]
clear config interface {<type> <port>[.<subif_number>]}
clear interface {<type> <port>[.<subif_number>]}
DESCRIPTION:
interface
SYNTAX:
<type>
<port>
<subif_number>
<if_name>
allocate-interface
(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# help du
USAGE:
duplex auto|full|half
no duplex [auto|full|half]
DESCRIPTION:
duplex
SYNTAX:
auto
full
half
see also:
speed
(config-if)# duplex full
(config-if)# help speed
USAGE:
speed 10|100|1000|auto
no speed [10|100|1000|auto]
DESCRIPTION:
speed
SYNTAX:
Possible Ethernet values are:
10
Force 10 Mbps operation
100
Force 100 Mbps operation
auto
Enable AUTO speed configuration
Possible GigabitEthernet values are:
10
Force 10 Mbps operation
100
Force 100 Mbps operation
1000
Force 1000 Mbps operation
auto
Enable AUTO speed configuration
see also:
duplex
(config-if)# speed 100
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# exit
# show running
Commands
Example
myPIX (config)# help dhcpd
USAGE:
dhcpd ... (seven usage forms; their arguments did not survive extraction)
SYNTAX:
<ip1>
<ip2>
<dnsip>
<winsip>
<lease_length>
<timeout>
<domain_name>
<code>
<string>
<hex_string>
<address_1>
<address_2>
<srv_ifc_name>
<clnt_if_name>
Outline
This challenge involves the configuration of fixups.
Objectives
The objectives of this challenge are to:
Example (V6.x)
myPIX (config)# help fixup
USAGE:
[no] fixup protocol <prot> [<option>] <port>[-<port>]
DESCRIPTION:
fixup
SYNTAX:
<prot>
<option>
option to the inspection function
<port1>[-<port2>]
A range of ports to enable the fixup
myPIX (config)# fixup protocol ?
configure mode commands/options:
ctiqbe
dns
ftp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
smtp
snmp
sqlnet
sunrpc
sunrpc_udp
tftp
xdmcp
myPIX (config)# fix pro http ?
configure mode commands/options:
WORD
Specify port(s) to enable fixup, <port1>[-<port2>]; default port(s):
ctiqbe--------------2748 ftp-------------------21
gtp------------2123,3386 h323-h225-----------1720
h323-ras-------1718-1719 http------------------80
ils------------------389 mgcp-----------2427,2727
netbios----------137-138 pptp----------------1723
rsh------------------514 rtsp-----------------554
sip-----------------5060 skinny--------------2000
smtp------------------25 snmp-----------------161
sqlnet--------------1521 sunrpc---------------111
sunrpc_udp-----------111 tftp------------------69
xdmcp----------------177
highs Ports 1024-65535
lows
Ports 1-1023
udp
Enable SIP over UDP application inspection
myPIX (config)# fixup protocol http 161
myPIX (config)# fixup protocol ftp 60
myPIX (config)# fixup protocol smtp 84
myPIX (config)# show fixup
Example (V7.x)
As V6.x but replace show fixup with:
myPIX # sh run fix
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.
myPIX # sh run service-p
service-policy global_policy global
myPIX # sh run policy-m
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
Example
myPIX (config)# domain-name fife.nu
myPIX (config)# username fred password bert
myPIX (config)# help ca
USAGE:
crypto ca trustpoint <name>
no crypto ca trustpoint <name> [noconfirm]
crypto ca authenticate <name> [fingerprint <hex value>] [nointeractive]
crypto ca enroll <name> [noconfirm]
crypto ca import <name> certificate [nointeractive]
crypto ca import <name> pkcs12 <passphrase> [nointeractive]
crypto ca export <name> pkcs12 <passphrase>
crypto ca crl request <name>
crypto ca certificate map <sequence #>
crypto ca certificate chain <name>
clear configure crypto ca trustpoint
clear configure ca certificate map [<sequence #>]
clear crypto ca crls [<name>]
show crypto ca crls [<name>]
show crypto ca certificates [<name>]
show running-config [all] crypto ca
DESCRIPTION:
ca
SYNTAX:
trustpoint   Define a CA trustpoint
authenticate Get the CA certificate
enroll       Request a certificate from a CA
import
export
nat
SYNTAX:
<if_name>
<nat_id>
<local_ip>
<mask>
dns
tcp
TCP connections.
udp
UDP connections.
<max_conns>
<emb_limit>
norandomseq
<acl-name>
access-list name.
see also:
SYNTAX:
<(ext_if_name)> The external network interface name
<nat_id>
<global_ip>
interface
see also:
(config)# int e2
(config-if)# ip address 172.16.0.1 255.128.0.0
(config-if)# nameif inf2
(config-if)# exit
SYNTAX:
<real_ifc>
<mapped_ifc>
tcp
udp
<real_ip>
<real_port>
<mapped_ip>
<mask>
<mapped_port>
interface
<mapped_port>
<acl_name>
dns
norandomseq
nailed
<max_conn>
see also:
nat, global
myPIX (config)# static ?
configure mode commands/options:
( Open parenthesis for (<internal_if_name>,<external_if_name>) pair
where <internal_if_name> is the Internal or prenat interface and
<external_if_name> is the External or postnat interface
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show running static
Example
myPIX # help activation-key
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key
Modify activation-key.
SYNTAX:
<activation-key-four-or-five-tuple>
a four or five element hexadecimal string.
myPIX (config)# activation-key 1aa3aaab abfbcef1 133445ee ee56f6b0
myPIX (config)# show activation-key
Outline
This challenge involves the configuration of an access-list.
Objectives
The objectives of this challenge are to:
Example
myPIX (config)# help access-l
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group <protocol_obj_grp_id>}
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> [line <line_num>] {deny | permit} icmp
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> webtype {deny|permit}
url {<url-string>|any} [log {disable | default | level}
[interval <seconds>]] [time-range <name>] [inactive]
[no] access-list <id> webtype {deny | permit>
tcp {host <host-addr> | <dest-addr> <dest-mask> | any}
[{{EQ | NEQ | LT | GT} <port> | RANGE <port> <port>}]
[log {disable | default | <level>} [interval <seconds>]]
[time-range <name> ] [ inactive ]
[no] access-list <id> [line <line_num>] remark <text>
access-list deny-flow-max <n>
access-list alert-interval <secs>
Standard access list:
Use this to configure policy having destination host or network only
[no] access-list <id> standard {deny|permit} {any | <ip> <mask> | host <ip>}
[no] access-list <id> remark <text>
Generic Commands:
SYNTAX:
<id>
<line_num>
<webtype>
deny
permit
object-group
obj_grp_id
remark
<protocol>
<sip>
Source IP address
<smask>
<dip>
Destination IP address
<dmask>
<operator>
<port>
<text>
comment (remark)
log
disable
default
<level>
interval
<secs>
<icmp_type>
0 echo-reply,
3 unreachable,
4 source-quench,
5 redirect,
6 alternate-address,
8 echo,
9 router-advertisement,
10 router-solicitation,
11 time-exceeded,
12 parameter-problem,
13 timestamp-request,
14 timestamp-reply,
15 information-request,
16 information-reply,
17 address-mask-request,
18 address-mask-reply,
31 conversion-error or
32 mobile-redirect
see also:
access-group, object-group
myPIX (config)# access-list uranus permit ip host 26.32.188.8 host 129.67.195.1
myPIX (config)# access-list uranus deny ip host 201.122.28.7 host 209.215.90.6
myPIX (config)# help access-g
USAGE:
[no] access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group
traffic
SYNTAX:
<access-list>
<in|out>
<if_name>
per-user-override
see also:
access-list, object-group
myPIX (config)# access-group uranus in interface outside
Example
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group
SYNTAX:
protocol          Specifies a group of
network           Specifies a group of
service           Specifies a group of
icmp-type         Specifies a group of
<obj_grp_id>
tcp|udp|tcp-udp   for a service group: TCP only, such as ftp; UDP only, such as snmp; via both TCP and UDP
show
clear
see also:
protocol-object, network-object,
port-object, icmp-object, group-object
myPIX (config)# object-group network montana
myPIX(config-network)# exit
myPIX (config)# object-group protocol newyork
myPIX(config-protocol)# exit
myPIX (config)# object-group icmp-type birmingham
myPIX(config-icmp-type)# exit
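The access-list challenge above shows the permit and deny forms and the object-group help, but not the two used together. The following configuration is an added example written for this page, not the simulator's own output; the group names, interface name "outside" and the 192.168.2.x server addresses are constructed. It builds a network group and a TCP service group, references both from one extended access-list entry, closes the list with an explicit deny that logs hits, and binds the list inbound on the outside interface with access-group, as the USAGE text for access-list and access-group describes.

```text
! Constructed example: two inside web servers reachable from outside on HTTP and HTTPS only
object-group network WEB_SERVERS
 network-object host 192.168.2.10
 network-object host 192.168.2.11
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! One extended ACE covers every server/port pair in the two groups
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
! Explicit final deny with "log" so blocked attempts appear in syslog rather than being dropped silently
access-list OUTSIDE_IN extended deny ip any any log
!
! Bind the list to traffic entering the outside interface
access-group OUTSIDE_IN in interface outside
!
! Verify: the expanded entries and their hit counts
show access-list OUTSIDE_IN
```

Editing the object groups later changes the expanded entries without touching the access-list line itself, which is the reason to prefer groups over one ACE per host and port. The trailing deny is redundant with the firewall's implicit deny but makes the denied traffic visible in the logs and in the hit counts shown by show access-list.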
(config)#
(config)#
(config)#
(config)#
SYNTAX:
<if_name>      The
<ip_address>   The
<number>       The
<value>        The
see also:
clock
myPIX (config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
myPIX (config)# ntp server 73.35.212.5 ?
configure mode commands/options:
key
Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
pixfirewall(config)# ntp server 73.35.212.5 source ?
configure mode commands/options:
Current available interface(s):
florida
Name of interface Ethernet2
orkney
Name of interface Ethernet1
columbia
Name of interface Ethernet0
myPIX (config)# ntp server 73.35.212.5 source columbia
myPIX (config)# ntp server 70.51.127.73 source orkney
myPIX (config)# ntp server 69.49.18.8 source florida
myPIX (config)# exit
myPIX # show ntp status
Enable failover.
Define failover addresses.
Define failover poll time.
Example (V6.x)
failover
failover polltime [unit] [msec] <time> [holdtime <seconds>]
failover polltime interface <seconds>
failover replication http
failover lan unit primary|secondary
failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover
SYNTAX:
active
Make this the active unit of a failover pair
reset
Force both units back to an unfailed state
<ifc_name>
Interface name
<ip_address>
IP Address
<mask>
IP Netmask
<n>[%]
Number/percent of monitored interfaces causing failover
[unit] [msec] <time>
Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>
Unit holdtime (3-45 seconds)
polltime interface <seconds>
Interface poll interval (3-15 seconds)
replication http
Enable HTTP (port 80) connection replication
lan unit {primary|secondary}
Specify the unit as primary or secondary
lan interface
Specify the failover interface parameters
link
Specify the stateful interface parameters
interface ip
Specify IP and mask for failover/stateful interface
interface-policy
Specify interface monitoring failure policy
key <shared_key>
Specify failover encryption shared key
show failover
Display failover runtime info
mac address
Specify virtual mac address for a physical interface
<phyifc>
Physical interface name
<subifc_id>
Sub-interface id
<act_mac> <stn_mac>
Active and standby mac address
timeout
Specify failover reconnect timeout value for ASR sessions
lan enable
Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
Example (V7.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover
SYNTAX:
active
Make this the active unit of a failover pair
reset
Force both units back to an unfailed state
<ifc_name>
Interface name
<ip_address>
IP Address
<mask>
IP Netmask
<n>[%]
Number/percent of monitored interfaces causing failover
[unit] [msec] <time>
Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>
Unit holdtime (3-45 seconds)
polltime interface <seconds>
Interface poll interval (3-15 seconds)
replication http
Enable HTTP (port 80) connection replication
lan unit {primary|secondary}
Specify the unit as primary or secondary
lan interface
Specify the failover interface parameters
link
Specify the stateful interface parameters
interface ip
Specify IP and mask for failover/stateful interface
interface-policy
Specify interface monitoring failure policy
key <shared_key>
Specify failover encryption shared key
show failover
Display failover runtime info
mac address
Specify virtual mac address for a physical interface
<phyifc>
Physical interface name
<subifc_id>
Sub-interface id
<act_mac> <stn_mac>
Active and standby mac address
timeout
Specify failover reconnect timeout value for ASR sessions
lan enable
Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover int ?
Objectives
The objectives of this challenge are to:
Enable failover.
Define failover addresses.
Define failover parameters.
Example (V6.x)
(config)# failover poll 2
(config)# failover lan key mypix
(config)# failover lan unit primary
(config)# failover lan interface inf2
(config)# show failover
Example (V7.x)
myPIX (config)# failover ?
configure mode commands/options:
interface
Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key
Configure the failover shared secret
lan
Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link
Configure the interface and vlan to be used as a link for
stateful update information
mac
Specify the virtual mac address for a physical interface
polltime
Configure failover poll interval
replication
Enable HTTP (port 80) connection replication
timeout
Specify the failover reconnect timeout value for
asymmetrically routed sessions
<cr>
exec mode commands/options:
active
Make this system to be the active unit of the failover pair
reload-standby Force standby unit to reboot
reset
Force an unit or failover group to an unfailed state
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Enable failover.
Define failover addresses.
Define failover parameters.
Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover
Example (V7.x)
myPIX (config)# failover active
myPIX (config)# failover interface ip outside 157.202.212.2 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 standby 166.209.230.12
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover
Define ISAKMP.
Define ISAKMP policy.
Enable ISAKMP on an interface.
Example
pixfirewall(config)# isakmp
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>
isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [noconfig-mode]
isakmp enable <if_name>
isakmp identity <address|hostname|key-id> [<key-id-string>]
isakmp keepalive <seconds> [<retry seconds>]
isakmp nat-traversal [<natkeepalive>]
isakmp client configuration address-pool local <poolname> [<pif_name>]
isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
pixfirewall(config)# help isakmp
USAGE:
isakmp am-disable
isakmp ipsec-over-tcp [port <port1>..<port10>]
isakmp disconnect-notify
(DEPRECATED) isakmp key <keystring> address <peer-address> [netmask <mask>]
[no-xauth] [no-config-mode]
SYNTAX:
am-disable
ipsec-over-tcp
port
<port1..port10>
disconnect-notify
key
peer
<fqdn | ip>
reload-wait
see also:
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
isakmp
isakmp
isakmp
isakmp
isakmp
isakmp
isakmp
isakmp
Enable IPSEC.
Define a crypto map.
Apply a crypto map.
Example
(config)# help sysopt
USAGE:
[no] sysopt connection { permit-ipsec |
timewait | {tcpmss [minimum] <bytes>}
[no] sysopt noproxyarp <if-name>
[no] sysopt nodnsalias { inbound | outbound }
[no] sysopt radius ignore-secret
[no] sysopt uauth allow-http-cache
show running-config [all] sysopt
clear configure sysopt
DESCRIPTION:
sysopt
SYNTAX:
connection permit-ipsec
- Exempt IPSec traffic from access check.
connection timewait
- TCP conn undergoes TIMEWAIT state.
connection tcpmss
- Set maximum limit of TCP MSS to <bytes>.
connection tcpmss minimum - Set minimum limit of TCP MSS to <bytes>.
noproxyarp <if-name>
- Disable proxy arp on interface <if-name>.
nodnsalias inbound
- Disable alias inbound DNS A record translation.
nodnsalias outbound
- Disable alias outbound DNS A record translation.
radius ignore-secret
- Ignore secret in RADIUS accounting responses.
uauth allow-http-cache
- Allow browser to use cached user credentials.
see also: alias, ca, ipsec, isakmp, map, dynamic-map
(config)# sysopt connection permit-ipsec
(config)# help cry
USAGE:
crypto { ca | dynamic-map | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
DESCRIPTION:
crypto
SYNTAX:
ca
dynamic-map
ipsec
isakmp
key
map
Enable PPTP.
Define local pool.
Create VPDN group.
Enable VPDN on an interface.
Example
(config)# sysopt connection permit-pptp
(config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip
SYNTAX:
<poolname>
<ip1>-[<ip2>]
<netmask>
<if_name>
info
attack
alarm
drop
reset
<audit_name>
<sig_number>
see also:
SYNTAX:
<address_pool_name>
<dns_ip>
<wins_ip>
<auth_aaa_group>
<acct_aaa_group>
<hello_time>
<if_name>
<name>
<passwd>
<tnl_id>
<sess_id>
<store-local>
see also:
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
Setup Websense.
Define URL filtering.
Define URL cache distance.
Example
(config)# help url-server
USAGE:
[no] url-server <(if_name)>
<seconds>] [protocol TCP|UDP [version
[no] url-server <(if_name)>
[timeout <seconds>] [protocol TCP|UDP
show url-server stat
clear url-server stat
DESCRIPTION:
url-server
SYNTAX:
<if_name>
<vendor_name>
<local_ip>
[port <N>]
[timeout <N>]
stat
see also:
filter, url-cache
myPIX (config)# url-server (inside) vendor websense host 192.168.1.1 timeout 47
myPIX (config)# help filter
USAGE:
[no] filter url <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
[no] filter ftp <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow] [interact-block]
[no] filter https <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow]
[no] filter activex|java <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip>
<mask>
DESCRIPTION:
filter
SYNTAX:
url|ftp|https|java|activex
<lcl_ip>
<frgn_ip>
<mask>
[allow]
[proxy-block]
[longurl-truncate]
When a long URL has exceeded the buffer limit,
truncate the URL sent to the url-server by only sending the
destination hostname or IP address
[longurl-deny]
[cgi-truncate]
[interact-block]
see also:
myPIX (config)#
myPIX (config)#
myPIX (config)#
Outline
This challenge involves the configuration of local AAA.
Objectives
The objectives of this challenge are to:
Example
myPIX (config)# help aaa-server
USAGE:
[no] aaa-server <tag> <(if_name)> host <ip_address>
[no] aaa-server <tag> protocol <protocol>
clear configure aaa-server [<tag>]
show running-config [all] aaa-server [<tag> [<(if_name)>
host <ip_address>]]
show aaa-server [<tag> [host <hostname>]]
show aaa-server protocol <protocol>
clear aaa-server statistics [<tag> [host <hostname>]]
clear aaa-server statistics protocol <protocol>
test aaa-server authentication <group tag> [host <ip_address>]
[username <user>] [password <password>]
test aaa-server authorization <group tag> [host <ip_address>]
[username <user>]
DESCRIPTION:
aaa-server
SYNTAX:
<tag>
<if_name>
SYNTAX:
secure-http-client
HTTP client authentication is secured (over SSL)
include|exclude
Include or exclude the service, local and foreign network which
needs to be authenticated, authorized, and accounted
<svc>
<if_name>
<l_ip>
<l_mask>
<f_ip>
<f_mask>
<server_tag>
LOCAL
aaa-server
username
aaa authentication http console orange
aaa authentication serial console orange
aaa authentication telnet console orange
aaa authentication enable console orange
Enable AAA.
Define authentication.
Example
myPIX (config)# aaa-server orange protocol radius
myPIX (config)# aaa-server orange (inside) host 155.109.40.4 beetroot
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange
This challenge involves the configuration of Telnet, SSH, and HTTP access.
Objectives
The objectives of this challenge are to:
Example
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
Example
> en
myPIX # config t
myPIX (config)# help snmp-server
USAGE:
[no] snmp-server community|contact|location <text>
[no] snmp-server host <if_name> <local_ip> [trap|poll]
[community <text>] [version {1|2c}] [udp-port <port>]
[no] snmp-server enable [traps [all | <feature> [<trap1> ... <trapn>]]]
show snmp-server statistics
show running-config [all] snmp-server
clear configure snmp-server
DESCRIPTION:
snmp-server
SYNTAX:
community
contact
location
<text>
host
<if_name>
<local_ip>
[trap|poll]
udp-port
<port>
version
[1|2c]
enable
traps
all
<feature>
<trapn>
listen-port
statistics
see also:
logging
myPIX (config)# snmp-server
Not enough arguments.
Usage: [no] snmp-server community|contact|location <text>
myPIX
myPIX
myPIX
myPIX
myPIX
Enable logging.
Define logging levels.
Example
> en
myPIX # config t
myPIX (config)# help logg
USAGE:
[no] logging enable
[no] logging timestamp
[no] logging standby
[no] logging debug-trace
[no] logging emblem
[no] logging flash-bufferwrap
[no] logging flash-minimum-free <kbytes>
[no] logging flash-maximum-allocation <kbytes>
[no] logging ftp-bufferwrap
[no] logging ftp-server <ftp-server> <path> <username> <password>
[no] logging buffer-size <bytes>
[no] logging permit-hostdown
[no] logging from-address <mail-address>
[no] logging recipient-address <mail-address> [level <level>]
[no] logging host <in_if> <l_ip> [{tcp|6}|{udp|17}[/<port#>]] [format emblem]
[no] logging console <level>|<list>
[no] logging buffered <level>|<list>
[no] logging mail <level>|<list>
[no] logging monitor <level>|<list>
[no] logging history <level>|<list>
[no] logging trap <level>|<list>
[no] logging message <syslog_id> level <level>
[no] logging asdm <level>|<list>
SYNTAX:
enable
timestamp
standby
debug-trace
ftp-server
<ftp-server>
<path>
<username>
<password>
buffer-size
<bytes>
<level>
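The logging challenge lists the USAGE forms but the transcript stops before a configuration is entered. The following is an added example written for this page, not the simulator's own output; the syslog host address 192.168.2.50, the interface name "inside" and the TCP port 1470 are constructed. It turns logging on, stamps messages, keeps a small local buffer for triage, sends the fuller stream to a syslog host over TCP, and sets permit-hostdown, which matters because with a TCP syslog host the firewall otherwise refuses new connections while that host is unreachable.

```text
! Constructed example: central syslog plus a local buffer
logging enable
logging timestamp
! Also emit syslog from the standby unit of a failover pair
logging standby
! Local ring buffer: 32 KB, warnings and above, for quick "show logging" triage
logging buffer-size 32768
logging buffered warnings
! Keep the console quiet; heavy console logging slows the unit
logging console errors
! Severity sent to syslog hosts (informational includes ACL deny messages)
logging trap informational
! Reliable delivery to the collector over TCP
logging host inside 192.168.2.50 tcp/1470
! Without this, new connections through the firewall are blocked while the TCP syslog host is down
logging permit-hostdown
!
! Verify the active settings and the current buffer contents
show logging
```

The choice of TCP for the collector is a trade-off: it guarantees that log records are not silently lost, which is why the firewall fails closed when the collector disappears; permit-hostdown turns that into fail-open for traffic, so it should be a deliberate decision, not a default.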
Objectives
The objectives of this challenge are to:
# config t
(config)# ip address outside 212.246.206.7 255.255.255.0
(config)# ip address inside 22.229.82.10 255.255.255.0
(config)# ip address inf2 165.31.47.6 255.255.255.0
(config)# vpdn group 7 request dialout pppoe
(config)# vpdn group 7 localname newmexico
(config)# vpdn group 7 ppp authen pap
(config)# vpdn username daniel password dates
(config)# ip address outside pppoe setroute
(config)# int e0
(config-if)# nameif outside
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif inside
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# nameif inf2
(config-if)# ip address 192.168.3.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# vpdn group 7 request dialout pppoe
(config)# vpdn group 7 localname newmexico
(config)# vpdn group 7 ppp authen pap
(config)# vpdn username daniel password dates
(config)# ip address outside pppoe setroute
Example
myPIX (config)# help rip
USAGE:
[no] rip <if_name> default|passive [version <1|2>]
[authentication <text|md5> <key> <key id>]
DESCRIPTION:
rip
SYNTAX:
<if_name>
default
passive
<key>
<key id>
see also:
route, ping
myPIX (config)# rip outside passive version 1
myPIX (config)# rip inside passive version 1
myPIX (config)# rip inf2 passive version 1
Example
myPIX # config t
myPIX (config)# multicast interface outside
myPIX(config-multicast)# igmp max 39
myPIX(config-multicast)# igmp version 2
myPIX(config-multicast)# igmp query-interval 33
myPIX(config-multicast)# igmp query-max 17
myPIX(config-multicast)# igmp forward interface inside
myPIX(config-multicast)# exit
myPIX (config)# multicast interface inside
myPIX(config-multicast)# exit
myPIX (config)# multicast interface inf2
Example
myPIX # config t
myPIX (config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip
SYNTAX:
<poolname>
<ip1>-[<ip2>]
<netmask>
<if_name>
info
attack
alarm
drop
reset
<audit_name>
<sig_number>
see also:
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#
Example
myPIX # config t
myPIX (config)# sysopt security fragguard
myPIX (config)# help fragment
USAGE:
SYNTAX:
size
<limit>
chain
<limit>
timeout <limit>
queue
statistics
<interface>
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
USAGE:
[no] arp <if_name> <ip> <mac> [alias]
[no] arp timeout <seconds>
show arp [statistics]
clear arp [statistics]
show running-config [all] arp [timeout]
clear configure arp
DESCRIPTION:
arp
Change or view the ARP table, add or delete static ARP entries,
set or clear the ARP timeout value and clear ARP statistics
SYNTAX:
<if_name>
<ip>
<mac>
alias
<seconds>
statistics
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
Outline
This challenge involves the configuration of MTU for each interface.
Objectives
The objectives of this challenge are to:
Example
myPIX # config t
myPIX (config)# nameif e0 delaware security_0
myPIX (config)# ip address delaware 134.100.122.5 255.255.252.0
myPIX (config)# interface e0 auto
myPIX (config)# help mtu
USAGE:
mtu <if_name> <bytes> | (300-65535)
DESCRIPTION:
mtu
SYNTAX:
<if_name>
<bytes>
(config)#
(config)#
(config)#
(config)#
Example (V 7.x)
myPIX # config t
myPIX # int e0
myPIX (config-if)# nameif delaware
myPIX (config-if)# security 0
myPIX (config-if)# ip address 134.100.122.5 255.255.252.0
myPIX (config-if)# no shutdown
myPIX (config-if)# exit
myPIX (config)# help mtu
USAGE:
mtu <if_name> <bytes> | (300-65535)
DESCRIPTION:
mtu
SYNTAX:
<if_name>
<bytes>
etc
Example
myPIX # config t
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group
SYNTAX:
protocol          Specifies a group of
network           Specifies a group of
service           Specifies a group of
icmp-type         Specifies a group of
<obj_grp_id>
tcp|udp|tcp-udp   for a service group: TCP only, such as ftp; UDP only, such as snmp; via both TCP and UDP
show
clear
see also:
protocol-object, network-object,
port-object, icmp-object, group-object
myPIX (config)# object-group ?
configure mode commands/options:
icmp-type  Specifies a group of
network    Specifies a group of
protocol   Specifies a group of
service    Specifies a group of
pixfirewall(config)# object-group
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
myPIX(config-network)# port-object eq telnet
myPIX(config-network)# port-object eq ftp
myPIX(config-network)# port-object eq www
myPIX(config-network)# port-object range 1411 1422
Example
myPIX # config t
myPIX (config)# help icmp
USAGE:
[no] icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>
clear configure icmp
show running-config [all] icmp
DESCRIPTION:
icmp
SYNTAX:
deny
permit
<ip-address>
<net-mask>
IP address
Mask to be applied to <ip-address>
<icmp-type>
<if-name>
see also:
access-list, access-group
myPIX(config)# icmp permit 10.0.0.0 255.255.0.0 ?
configure mode commands/options:
<0-255>
Enter ICMP type number (0 - 255)
alternate-address
conversion-error
echo
echo-reply
information-reply
information-request
mask-reply
mask-request
mobile-redirect
parameter-problem
redirect
router-advertisement
router-solicitation
source-quench
time-exceeded
timestamp-reply
timestamp-request
traceroute
Current available interface(s):
inf
Name of interface Ethernet2
inside
Name of interface Ethernet1
outside Name of interface Ethernet0
SYNTAX:
<ip>
<warn>
Example
myPIX # config t
myPIX (config)# help mac
USAGE:
[no] mac-list <id> deny|permit <mac> <macmask>
show mac-list [id]
SYNTAX:
<id>
deny
permit
<mac>
<macmask>   Mask to be applied to <mac>
myPIX (config)# mac-list 1 deny 0000.1111.ffff
myPIX (config)# mac-list 1 deny 0000.2222.ffff
myPIX (config)# mac-list 1 deny 0000.3333.ffff
Example
# config t
myPIX (config)# hostname myPIX
myPIX (config)# int e0
myPIX (config-if)# nameif fred
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
myPIX
Define class maps. Remember the class map defines the traffic which is interesting.
In this case the class-map relates to defining TCP ports and an access-list.
Apply the class maps.
Define a policy map and apply it to an interface.
Example
myPIX# config t
myPIX(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
myPIX(config)# class-map ?
myPIX(config)# class-map delaware
myPIX(config-cmap)# ?
myPIX(config-cmap)# description ?
myPIX(config-cmap)# description testing
myPIX(config-cmap)# match ?
myPIX(config-cmap)# match port ?
myPIX(config-cmap)# match port tcp ?
myPIX(config-cmap)# match port tcp eq ?
Example
An example, which has not yet been implemented in the challenge, is:
pix1(config)# class-map TEST
pix1(config-cmap)# match port tcp eq 25
pix1(config-cmap)# match tunnel-group S2S
pix1(config-cmap)# exit
pix1(config)# class-map VOICE
pix1(config-cmap)# match dscp ef
pix1(config-cmap)# exit
pix1(config)# class-map EXECTEST
pix1(config-cmap)# match access-list 112
pix1(config-cmap)# exit
pix1(config)# policy-map NEW
pix1(config-cmap)# class TEST
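The class-map transcript above ends inside the policy map, before the policy is given an action or applied to an interface. The following is an added example written for this page, not the simulator's or the challenge's own configuration; the access-list and class names, the mail relay address 192.168.2.25 and the limits are constructed. It carries the three objectives through: the class-map selects inbound SMTP via an access-list, the policy-map attaches a connection limit and protocol inspection to that class, and service-policy applies the policy on the outside interface.

```text
! Constructed example: interesting traffic is inbound SMTP to one mail relay
access-list MAIL_IN extended permit tcp any host 192.168.2.25 eq smtp
!
! Class map: which traffic the policy acts on
class-map MAIL
 description inbound SMTP to the mail relay
 match access-list MAIL_IN
!
! Policy map: what to do with traffic that matches the class
policy-map CONN_LIMITS
 class MAIL
  ! Cap total and half-open connections to the relay so a SYN flood cannot exhaust it
  set connection conn-max 200 embryonic-conn-max 50
  ! Apply the SMTP protocol inspector to the same traffic
  inspect esmtp
!
! Apply the policy to traffic arriving on the outside interface
service-policy CONN_LIMITS interface outside
!
! Verify that the class is matching and the limits are in force
show service-policy interface outside
```

The embryonic (half-open) limit is the part that protects the relay during a SYN flood: once it is reached the firewall proxies the TCP handshake and only forwards connections that complete it. The conn-max value should be sized from the relay's real concurrent-connection capacity, not guessed.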
Outline
PIX Version 7.x only
The new PIX image supports multiple contexts.
Objectives
The objectives of this challenge are to:
Define E0 details.
Define E1 details.
SYNTAX:
<ip_address>
<mask>
<sby_ip_addr>
<4-16>
<interface>:
<if_name>:
see also:
nameif, security-level
myPIX (config-if)# ip address dhcp
myPIX (config-if)# no shutdown
myPIX (config-if)# int e1
myPIX (config-if)# nameif mars
myPIX (config-if)# ip address dhcp
myPIX (config-if)# no shutdown
myPIX (config-if)# int e2
myPIX (config-if)# nameif pluto
Define E0 details.
Define E1 details.
Define a static mapping (with non-default names).
Define E0 details.
Define an access-list
Apply the access-list to E0.
access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group
traffic
SYNTAX:
<access-list>
<in|out>
<if_name>
per-user-override
see also:
access-list, object-group
amsterdam (config)# access-group 101 in interface california
Outline
This challenge manually generates a public and private RSA key.
Objectives
The objectives of this challenge are to:
Define E0 details.
Generate RSA keys.
Display public key.
864886f7 0d010101 05000381 8d003081 89028181 00eff641
1631c8ca 24f5e102 826acdb7 346dfaf2 64770144 0dc8625e
1eddd836 090a6b94 2ec34e2c cbca8ebe a3f4490a 3daee2aa
46d61ace ffd6aa62 250c21d6 4356610e 7d2e6d61 86591d35
31bb660d 4e47587b ace9bee9 4e6ea81c 78b6e7cd 67020301 0001
crypto ca ?
accept-subordinates
crl
default
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username anne password test
amsterdam (config)# username anne attrib
amsterdam (config-username)# vpn-tunnel-protocol ipsec
amsterdam (config-username)# vpn-simultaneous ?
Example
> ?
clear    Reset functions
enable   Turn on privileged commands
exit     Exit from the EXEC
help     Interactive help for commands
login    Log in as a particular user
logout   Exit from the EXEC
ping     Send echo messages
quit     Exit from the EXEC
show     Show running system information
> clear ?
igmp Clear multicast membership related information
> enable ?
<0-15>
<cr>
> exit ?
<cr>
> help ?
enable
exit
login
logout
perfmon
ping
quit
> login ?
<cr>
> logout ?
<cr>
> ping ?
Hostname or A.B.C.D
Hostname or X:X:X:X::X
<cr>
> quit ?
<cr>
> show ?
checksum   Display
curpriv    Display
flash:     Display
history    Display
version    Display
-rw-rw-
5103672
5919340
image.bin
asdm-501.bin
: media index
: media index
: media index
0: irq 10
1: irq 11
2: irq 11
SYNTAX:
address    Shows
all        Shows
assigned   Shows
free       Shows
old        Shows
pool       Shows
header     Shows
packet     Shows
dump       Shows
queue history
enable
buffer-size
detail
# help bo
USAGE:
[no] boot system | config <url>
clear configure boot [system | config]
DESCRIPTION:
boot
SYNTAX:
system <url>
PC       SP       STATE    Runtime SBASE    Stack       Process
00105689 00ffbe90 00db4a10       0 00ff9f08  8072/8192  block_diag
001dba60 011c63d0 00db4a78  593450 011c2478 16044/16384 Dispatch Unit
00112cf5 0120bec0 00db49c8       0 01209f48  7772/8192  Reload Control Thread
00116edf 0120e410 00db5ff8       0 0120c4c8  8008/8192  aaa
001db106 012168c0 00dbe540       0 01214948  7308/8192  dbgtrace
003cda1f 0121ab00 00db49c8       0 01218b88  7840/8192  557mcfix
003cd97a 0121cc20 00db4a78 1270490 0121aca8  7660/8192  557poll
003cd9cb 0121ed40 00db49c8       0 0121cdc8  7776/8192  557statspoll
00b6e13d 0122f5e0 00db49c8       0 0122d658  7788/8192  Chunk Manager
006f6c3e 01238cb8 00db49c8       0 01236d50  7684/8192  PIX Garbage Collector
00a4d60d 0123adf8 00db49c8       0 01238e70  7428/8192  route_process
006e73bd 012481b8 00d3a280       0 01246240  8056/8192  IP Address Assign
008ce47d 0124dd80 00d441f0       0 0124be08  8056/8192  QoS Support Module
0074ff85 0124fed8 00d3af64       0 0124df60  8056/8192  Client Update Task
00b89581 012527b0 00db49c8    7780 01250838  7740/8192  Checkheaps
00908601 01258b00 00db49c8       0 01256b98  7276/8192  Session Manager
009eba89 012636b8 016dda58       0 0125f7d0 15636/16384 uauth
009e7911 01267910 00d5ad60       0 012659c8  7660/8192  SMTP
009d8925 01269a40 00d5a730       0 01267ae8  7276/8192  Logger
009d9d31 0126bb80 00db49c8       0 01269c08  7292/8192  Thread Logger
514
(the remaining rows of the show processes output were scrambled in extraction; only the final Stack/Process entries are recoverable)
 4844/16384 ci/console
 7340/8192  update_cpu_usage
 7364/8192  NIC status poll
 8024/8192  vpnfo_thread_msg
 7808/8192  vpnfo_thread_timer
 8024/8192  vpnfo_thread_sync
 7824/8192  vpnfo_thread_unsent
# sh startup
: Saved
: Written by enable_15 at 15:48:15.415 UTC Thu Dec 28 2006
PIX Version 7.0(1)
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
pager lines 2
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a0b3ec1d272c2e58183687ffb14a65a8
# a?
# b?
# c?
Example
pixfirewall# help ?
activation-key  Modify activation-key
arp             Show ARP cache or clear ARP cache or statistics
blocks          System packet buffer utilization
boot            Configure the system image and startup-config file to boot
                the system
capture
Capture inbound and outbound packets on one or more
interfaces
cd
Change the working directory
configure
Configure from terminal
copy
Copy files from and to, disk or flash or TFTP server or HTTP
server
crashinfo
Configure, test and view crash information collection
debug
Debug packets or ICMP tracings through the system
delete
Delete a file
dir
Display the directory contents
disable
Exit from privileged mode
downgrade
Downgrade the file system and reboot
erase
Erase and format filesystem
exit
Exit the current command mode
format
Format filesystem
fsck
File system check
kill
Terminate a telnet session
logging
Configure, show, clear logging command options or operational
data
logout
Exit from current user profile to unprivileged mode
memory
System memory utilization
mkdir
Create new directory
more
Display a file's contents
ospf
Display or clear OSPF information
perfmon
Change or view performance monitoring options
ping
Test connectivity from specified interface to an IP address
pwd
Display the current directory
quit
Exit the current command mode
reload
Halt and reload system
rename
Rename a file
resource
Display or clear resource usage
rmdir
Remove existing directory
shun
Manages the filtering of packets from undesired hosts
terminal
Turn on/off syslogging or set pagers for the terminal
traffic
Counters for traffic statistics
undebug
Undebug packets or ICMP tracings through the system
who
Show active administration sessions
write
Write config to net, flash, or terminal, or erase flash
pixfirewall# help act
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key
Modify activation-key.
SYNTAX:
<activation-key-four-or-five-tuple>
pixfirewall# help arp
Unrecognized command: arp
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.
activation-key   Modify activation-key.
boot             Configure the system image and startup-config file used to boot
                 the system
blocks           System packet buffer (block) utilization and diagnostic
                 tools. By default, the maximum, lowest, and current
                 available counts are displayed for each block size.
capture          Capture inbound and outbound packets on one or more interfaces
configure        Configure from terminal
copy             Copy files from and to, disk or flash or TFTP server or HTTP server
Crashinfo        Read, write and configure crash write to flash. Force a crash.
debug            Enable debugging functions
disable          Exit from privileged mode
firewall         Switch to router/transparent mode.
kill             Terminate a telnet session
logout           Exit from current user profile to unprivileged mode
logging          Configure, show or clear logging command options or
                 operational data
memory           System memory utilization and diagnostic tools
mode             Toggle between single and multiple security context mode
more             Display a file's contents
ospf             Show or clear OSPF information
perfmon          Display perfmon stats or change options
ping             Test connectivity from specified interface to an IP address
priority-queue   Configure a priority queue object
quit             Disable, end configuration or logout
reload           Halt and reload system
resource         Display system resource allocation and usage
session          Open a command session to another module
hw-module        Perform
shun
terminal
downgrade
SYNTAX:
address        Shows
all            Shows
assigned       Shows
free           Shows
old            Shows
pool           Shows
header         Shows
packet         Shows
dump           Shows
queue history
enable
buffer-size
detail
pixfirewall# help bo
USAGE:
[no] boot system | config <url>
clear configure boot [system | config]
DESCRIPTION:
boot
SYNTAX:
system <url>
pixfirewall# help cap
USAGE:
capture <capture-name> [type raw-data] [type asp-drop <drop-code>]
[type isakmp]
[access-list <acl-name>] [buffer <buf-size>]
[ethernet-type <type>] [interface <if-name>]
[packet-length <bytes>]
[circular-buffer]
clear capture <capture-name>
no capture <capture-name> [type raw-data][type asp-drop <drop-code>]
[type isakmp]
[access-list <acl_name>] [circular-buffer] [interface <if-name>]
show capture [[context-name/]<capture-name> [access-list <acl-name>]
[count <number>] [detail] [dump][decode][packet-number <number>]]
DESCRIPTION:
capture
SYNTAX:
<capture-name>  - name of capture
<context-name>  - name of the context
<acl-name>      - capture IP packets that match access-list <acl-name>
<buf-size>      - size of capture buffer in bytes, range <84-33554432>
<type>          - capture Ethernet packets of <type>, valid types are
                  ip, arp, rarp, ipx, ip6, ppoed, pppoes and <0-65535>
<if-name>
- the physical interface to listen
<bytes>
- maximum length to save from each packet
circular-buffer - overwrite buffer from beginning when full
count
- display <number> of packets in capture
detail
- display more information for each packet
dump
- display the hex dump for each packet
see also: copy
pixfirewall# help cd
USAGE:
cd [{disk0:|disk1:|flash:}][<path>]
DESCRIPTION:
cd
SYNTAX:
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>
Directory name
pixfirewall# help conf
USAGE:
configure terminal
DESCRIPTION:
configure
SYNTAX:
see also:
[/<options>]
[/<options>]
[/<options>]
[/<options>]
DESCRIPTION:
copy
SYNTAX:
<options>
USAGE:
no debug all | undebug all
[no] debug aaa [<1-255>]
[no] debug appfw chunk|event|eventverb|regex [<1-255>]
[no] debug arp
[no] debug arp-inspection [<1-255>]
[no] debug cmgr [<1-255>]
[no] debug context [<1-255>]
[no] debug cplane [<1-255>]
[no] debug crypto isakmp [timers [<1-255>]] |
[capture <cap_name> [options]] |
[<1-255>]
[no] debug ctiqbe [<1-255>]
[no] debug ctm [<1-255>]
[no] debug dhcpc detail|error|packet [<1-255>]
[no] debug dhcpd packet|event [<1-255>]
[no] debug dhcprelay error|packet|event [<1-255>]
[no] debug disk file|filesystem|file-verbose [<1-255>]
[no] debug dns [resolver|all [<1-255>]]
[no] debug entity [<1-255>]
[no] debug fixup tcp|udp|onat [<1-255>]
[no] debug fover cable|fail|fmsg|ifc|open|rx|rxdmp|rxip|
switch|sync|tx|txdmp|txip|verify|off
[no] debug fsm [<1-255>]
[no] debug ftp client [<1-255>]
[no] debug generic [<1-255>]
[no] debug h323 h225|h245|ras [asn|event]
[no] debug http [<1-255>]
[no] debug http-map
[no] debug icmp trace [<1-255>]
[no] debug igmp [group [A.B.C.D]|interface [<if_name>]]
[no] debug ils [<1-255>]
[no] debug imagemgr [<1-255>]
[no] debug ipsec-over-tcp [<1-255>]
[no] debug ipv6 icmp|interface|nd|packet|routing
[no] debug iua-proxy [<1-255>]
[no] debug kerberos [<1-255>]
[no] debug ldap [<1-255>]
[no] debug mac-address-table [<1-255>]
[no] debug menu aaa|ipsec-over-tcp|ctm|vpnlb|ike|ipaddrutl|
qos|pki|vpnfo [LINE]
[no] debug mfib db|init|mrib|pak|ps|signal [<group_addr>]
[no] debug mgcp messages|parser|sessions
[no] debug module-boot [<1-255>]
[no] debug mrib client|io|route[<host_name>]|table
[no] debug np drops[breaks acl|all|bad-crypto|bad-ipsec-natt|
bad-ipsec-prot|bad-ipsec-udp|bad-tcp-cksum|bad-tcp-flags|
clear|ctm-error|dst-l2-lookup-fail|flow-expired|fo-standby|
ids-fail-close|ids-request|ifc-classify|inspect-dns|
inspect-icmp|intercept-unexpected|interface-down|
invalid-app-length|invalid-encap|invalid-ethertype|
invalid-ip-addr|invalid-ip-length|invalid-ip-option|
invalid-tcp|invalid-tcp-hlength|invalid-udp-length|
ip-fragment|ipsec-clearpkt-notun|ipsec-ipv6|ipsec-need-sa|
ipsec-spoof|ipsec-tun-down|ipsecudp-keepalive|l2-acl|
l2-same-lan-port|large-buf-alloc-fail|lu-invalid-pkt|
natt-keepalive|no-adjacency|no-mcast-entry|no-mcast-intrf|
no-punt-cb|no-route|np-sp-invalid-spi|queue-removed|
rate-exceeded|rpf-violated|security-failed|send-ctm-error|
show|tcp-acked|tcp-bad-option-len|tcp-bad-option-list|
tcp-bad-sack-allow|tcp-bad-winscale|tcp-buffer-full|
tcp-conn-limit|tcp-data-past-fin|tcp-discarded-ooo|
tcp-dual-open|tcp-mss-exceeded|tcp-mss-no-syn|
tcp-not-syn|tcp-paws-fail|tcp-reserved-set|
tcp-rst-syn-in-win|tcp-syn-data|tcp-synack-data|
tcp-tsopt-notallowed|tcp-winscale-no-syn|
unable-to-add-flow|unable-to-create-flow|
unimplemented|unsupport-ipv6-hdr|
unsupported-ip-version break]
[no] debug ntdomain [<1-255>]
[no] debug ntp adjust|authentication|events|loopfilter|
packets|params|select|sync|validity
[no] debug ospf [adj|database-timer|events|flood|lsa-generation|
packet|retransmission|tree|spf[external|inter|intra]]
[no] debug parser cache [<1-255>]
[no] debug asdm history <1-255>
[no] debug pim [df-election [interface <ifname>] [rp <addr>] |
group <group_addr> | interface <ifname> | neighbor]
[no] debug [pix process|uauth|cls|pkt2pc|acl[<1-4294967295>]]
[no] debug pppoe error|packet|event [<1-255>]
[no] debug pptp [<1-255>]
[no] debug radius [all|decode|session|user user_name]
[no] debug rip [<1-255>]
[no] debug rtsp [<1-255>]
[no] debug sdi [<1-255>]
[no] debug sequence [<1-255>]
[no] debug session-command [<1-255>]
[no] debug sip [<1-255>]
[no] debug skinny [<1-255>]
[no] debug smtp [<1-255>]
[no] debug sqlnet [<1-255>]
[no] debug ssh [<1-255>]
[no] debug ssl cipher|device [<1-255>]
[no] debug sunrpc [<1-255>]
[no] debug tacacs [session|user user_name]
[no] debug tcp-map
[no] debug timestamps [<1-255>]
[no] debug vpn-sessiondb [<1-255>]
[no] debug xdmcp [<1-255>]
<if_name>    Interface name.
<host_name>  Hostname or A.B.C.D IP group address.
<user_name>  User name.
DESCRIPTION:
debug
Delete a file
SYNTAX:
/recursive
Recursive delete
/noconfirm
No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>
File to be deleted
SYNTAX:
/all
List all files
/recursive
List files recursively
all-filesystems
List files on all filesystems
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>
Directory or file name
pixfirewall# help dis
USAGE:
disable
DESCRIPTION:
disable
pixfirewall# help do
USAGE:
downgrade [/noconfirm] <image_url>
[activation-key (flash|file|<actkey>)]
[config <config_url>]
DESCRIPTION:
downgrade
SYNTAX:
noconfirm
<image_url>
activation-key
flash
file
<actkey>
config
<config_url>
Notes: The default for activation-key is to use the 4-tuple key in flash.
The default for config is to use the file downgrade.cfg in flash.
pixfirewall# help er
USAGE:
erase {disk0:|disk1:|flash:}
DESCRIPTION:
erase
SYNTAX:
{disk0:|disk1:|flash:}
Filesystem to be formatted
pixfirewall# help ex
USAGE:
quit|exit
DESCRIPTION:
quit
pixfirewall# help f?
format
fsck
pixfirewall# help fo
USAGE:
format {disk0:|disk1:|flash:}
DESCRIPTION:
format
Format filesystem
SYNTAX:
{disk0:|disk1:|flash:}
Filesystem to be formatted
pixfirewall# help fs
USAGE:
fsck [/nocrc] flash:
DESCRIPTION:
fsck
SYNTAX:
nocrc
SYNTAX:
<telnet_id>
see also:
who
pixfirewall# help logging
USAGE:
logging savelog [<logfile>]
clear logging [asdm | buffer]
show logging [{message [<syslog_id>|all]} | asdm | queue | setting]
show running-config [all] logging [level | disabled | rate-limit]
DESCRIPTION:
logging
SYNTAX:
savelog
<logfile>
disable
level
message
queue
rate-limit
see also:
USAGE:
show memory [detail]
[no] memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
[clear|show] memory delayed-free-poisoner
DESCRIPTION:
memory
SYNTAX:
detail
delayed-free-poisoner
enable
validate
SYNTAX:
/noconfirm
No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>
Directory name
pixfirewall# help more
USAGE:
more [/ascii] || [/binary] || [/ebcdic] [filesystem] <path>
DESCRIPTION:
more
SYNTAX:
/ascii
/binary
/ebcdic
[filesystem]
<path>
pixfirewall#
USAGE:
show ospf [<pid> [<ip_addr>]]...
...interface [<interface>]
...neighbor [detail] [<interface>] [<nbr-router-id>]
...[summary-address]
...database [router | network | summary |
asbr-summary | external | nssa-external]
[<ip_addr>] [internal]
[self-originate | adv-router <ip_addr>]
...database database-summary
...request-list <nbr-router-id> <interface>
...flood-list <interface>
...retransmission-list <nbr-router-id> <interface>
...border-routers
...virtual-links
clear ospf [<pid>]
...process
...counters [neighbor [<nbr-interface>] [<nbr-id>]]
DESCRIPTION:
ospf
SYNTAX:
<pid>
OSPF process ID
<nbr-router-id> Neighbor router address
<interface>
Interface name as specified by nameif
pixfirewall# help per
USAGE:
perfmon interval <seconds>
perfmon quiet | verbose
perfmon settings
DESCRIPTION:
perfmon
SYNTAX:
show perfmon
<seconds>
verbose
quiet
settings
SYNTAX:
[if_name]
<pattern>
<count>
Repeat count.
<bytes>
<seconds>
Timeout in seconds.
validate
Validate reply data.
pixfirewall# help pwd
USAGE:
pwd
DESCRIPTION:
pwd
SYNTAX:
quick
noconfirm
save-config
max-hold-time
at
in
reason
<source path>
DESCRIPTION:
rename
Rename a file
SYNTAX:
/noconfirm
No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<source path>
Source file path
SYNTAX:
Where:
<resource_name>
<counter_name>
<count_threshold>
Default command: 'show resource
pixfirewall# help rm
USAGE:
rmdir /noconfirm [{disk0:|disk1:|flash:}] <path>
DESCRIPTION:
rmdir
SYNTAX:
/noconfirm
No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>
Directory name
pixfirewall# help sh
USAGE:
shun <src_ip> [<dst_ip> <sport> <dport> [<prot>]] [vlan <vlan_number>]
no shun <src_ip> [vlan <vlan_number>]
show shun [<src_ip>|statistics]
clear shun [statistics]
DESCRIPTION:
shun
SYNTAX:
src_ip       the
dst_ip       the
sport        the
dport        the
prot         the
vlan_number
pixfirewall#
USAGE:
terminal monitor
terminal no monitor
[no] terminal pager [lines <lines>]
DESCRIPTION:
terminal
SYNTAX:
lines
number of lines per page
pixfirewall# help tra
USAGE:
show traffic
clear traffic
DESCRIPTION:
traffic
Counters for traffic statistics
pixfirewall# help u?
undebug
pixfirewall# help unde
USAGE:
no debug all | undebug all
[no] debug aaa [<1-255>]
[no] debug appfw chunk|event|eventverb|regex [<1-255>]
[no] debug arp
[no] debug arp-inspection [<1-255>]
[no] debug cmgr [<1-255>]
[no] debug context [<1-255>]
[no] debug cplane [<1-255>]
[no] debug crypto isakmp [timers [<1-255>]] |
[capture <cap_name> [options]] |
[<1-255>]
[no] debug ctiqbe [<1-255>]
[no] debug ctm [<1-255>]
[no] debug dhcpc detail|error|packet [<1-255>]
[no] debug dhcpd packet|event [<1-255>]
[no] debug dhcprelay error|packet|event [<1-255>]
[no] debug disk file|filesystem|file-verbose [<1-255>]
[no] debug dns [resolver|all [<1-255>]]
[no] debug entity [<1-255>]
[no] debug fixup tcp|udp|onat [<1-255>]
[no] debug fover cable|fail|fmsg|ifc|open|rx|rxdmp|rxip|
switch|sync|tx|txdmp|txip|verify|off
[no] debug fsm [<1-255>]
[no] debug ftp client [<1-255>]
[no] debug generic [<1-255>]
[no] debug h323 h225|h245|ras [asn|event]
[no] debug http [<1-255>]
[no] debug http-map
[no] debug icmp trace [<1-255>]
[no] debug igmp [group [A.B.C.D]|interface [<if_name>]]
[no] debug ils [<1-255>]
[no] debug imagemgr [<1-255>]
[no] debug ipsec-over-tcp [<1-255>]
[no] debug ipv6 icmp|interface|nd|packet|routing
[no] debug iua-proxy [<1-255>]
[no] debug kerberos [<1-255>]
[no] debug ldap [<1-255>]
[no] debug mac-address-table [<1-255>]
[no] debug menu aaa|ipsec-over-tcp|ctm|vpnlb|ike|ipaddrutl|
qos|pki|vpnfo [LINE]
[no] debug mfib db|init|mrib|pak|ps|signal [<group_addr>]
[no] debug mgcp messages|parser|sessions
[no] debug module-boot [<1-255>]
[no] debug mrib client|io|route[<host_name>]|table
[no] debug np drops[breaks acl|all|bad-crypto|bad-ipsec-natt|
bad-ipsec-prot|bad-ipsec-udp|bad-tcp-cksum|bad-tcp-flags|
clear|ctm-error|dst-l2-lookup-fail|flow-expired|fo-standby|
ids-fail-close|ids-request|ifc-classify|inspect-dns|
inspect-icmp|intercept-unexpected|interface-down|
invalid-app-length|invalid-encap|invalid-ethertype|
invalid-ip-addr|invalid-ip-length|invalid-ip-option|
invalid-tcp|invalid-tcp-hlength|invalid-udp-length|
ip-fragment|ipsec-clearpkt-notun|ipsec-ipv6|ipsec-need-sa|
ipsec-spoof|ipsec-tun-down|ipsecudp-keepalive|l2-acl|
l2-same-lan-port|large-buf-alloc-fail|lu-invalid-pkt|
natt-keepalive|no-adjacency|no-mcast-entry|no-mcast-intrf|
no-punt-cb|no-route|np-sp-invalid-spi|queue-removed|
rate-exceeded|rpf-violated|security-failed|send-ctm-error|
show|tcp-acked|tcp-bad-option-len|tcp-bad-option-list|
tcp-bad-sack-allow|tcp-bad-winscale|tcp-buffer-full|
tcp-conn-limit|tcp-data-past-fin|tcp-discarded-ooo|
tcp-dual-open|tcp-mss-exceeded|tcp-mss-no-syn|
tcp-not-syn|tcp-paws-fail|tcp-reserved-set|
tcp-rst-syn-in-win|tcp-syn-data|tcp-synack-data|
tcp-tsopt-notallowed|tcp-winscale-no-syn|
unable-to-add-flow|unable-to-create-flow|
unimplemented|unsupport-ipv6-hdr|
unsupported-ip-version break]
[no] debug ntdomain [<1-255>]
[no] debug ntp adjust|authentication|events|loopfilter|
packets|params|select|sync|validity
[no] debug ospf [adj|database-timer|events|flood|lsa-generation|
packet|retransmission|tree|spf[external|inter|intra]]
[no] debug parser cache [<1-255>]
[no] debug asdm history <1-255>
[no] debug pim [df-election [interface <ifname>] [rp <addr>] |
group <group_addr> | interface <ifname> | neighbor]
[no] debug [pix process|uauth|cls|pkt2pc|acl[<1-4294967295>]]
[no] debug pppoe error|packet|event [<1-255>]
[no] debug pptp [<1-255>]
[no] debug radius [all|decode|session|user user_name]
[no] debug rip [<1-255>]
[no] debug rtsp [<1-255>]
[no] debug sdi [<1-255>]
[no] debug sequence [<1-255>]
[no] debug session-command [<1-255>]
[no] debug sip [<1-255>]
[no] debug skinny [<1-255>]
[no] debug smtp [<1-255>]
[no] debug sqlnet [<1-255>]
[no] debug ssh [<1-255>]
[no] debug ssl cipher|device [<1-255>]
[no] debug sunrpc [<1-255>]
[no] debug tacacs [session|user user_name]
[no] debug tcp-map
<if_name>    Interface name.
<host_name>  Hostname or A.B.C.D IP group address.
<user_name>  User name.
DESCRIPTION:
debug
SYNTAX:
erase
terminal
mem
standby
net
see also:
configure
<tftp_ip>
<filename>
Example
pixfirewall# sh nameif
Interface  Name     Security
Ethernet0  outside  0
Ethernet1  inside   100
Ethernet2  inf2     50
pixfirewall# config t
pixfirewall(config)# help arp
USAGE:
[no] arp <if_name> <ip> <mac> [alias]
[no] arp timeout <seconds>
show arp [statistics]
clear arp [statistics]
show running-config [all] arp [timeout]
clear configure arp
DESCRIPTION:
arp
Change or view the ARP table, add or delete static ARP entries,
set or clear the ARP timeout value and clear ARP statistics
SYNTAX:
<if_name>
<ip>
<mac>
alias
<seconds>
statistics
Example
pixfirewall(config)# ftp-map ftpm
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
mask-syst-reply Mask reply to syst command
no
Negate a command or set its defaults
request-command FTP request command inspection
pixfirewall(config-ftp-map)# mask- ?
ftp-map mode commands/options:
<cr>
pixfirewall(config-ftp-map)# re ?
ftp-map mode commands/options:
deny Specify FTP request commands to block
pixfirewall(config-ftp-map)# re den ?
ftp-map mode commands/options:
appe Append to a file
cdup Change to parent of current directory
dele Delete a file at server site
get
FTP client command for the retr command - retrieve a file
help Help information from server
mkd
Create a directory
put
FTP client command for the stor command - store a file
rmd
Remove a directory
rnfr Rename from
rnto Rename to
site Specify server specific command
stou Store a file with a unique name
pixfirewall(config-ftp-map)# exit
pixfirewall(config)# mgcp-map mmap
pixfirewall(config-mgcp-map)# ?
Commands
pixfirewall(config)# int e0
pixfirewall(config-if)# ipv6 address autoconfig
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ipv6 address 2001:400:3:1::1/64
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# ipv6 nd ns-interval 100
pixfirewall(config-if)# ipv6 nd ra-interval 100
pixfirewall(config-if)# ipv6 nd reachable-time 100
pixfirewall(config-if)# ipv6 nd prefix 0800::/64
pixfirewall(config-if)# exit
pixfirewall(config)# ipv6 route outside ::/0 2001:400:3:1::1
pixfirewall(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
pixfirewall# sh ipv interface
pixfirewall# sh ipv6 route
Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ipv6 ?
interface mode commands/options:
IPv6 interface subcommands:
address Configure IPv6 address on interface
enable
Enable IPv6 on interface
nd
IPv6 interface Neighbor Discovery subcommands
configure mode commands/options:
access-list Configure access policy for IPv6 traffic through the system
icmp
Configure access rules for ICMPv6 traffic terminating at an
interface
neighbor
Neighbor
route
Configure IPv6 routes
pixfirewall(config-if)# ipv6 address ?
interface mode commands/options:
Hostname or X:X:X:X::X IPv6 link-local address
X:X:X:X::X/<0-128>
IPv6 prefix
autoconfig
Obtain address using autoconfiguration
configure mode commands/options:
WORD Access list identifier
pixfirewall(config-if)# ipv6 address autoconfig
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ipv6 address 2001:400:3:1::1/64
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# ipv6 nd ?
interface mode commands/options:
dad
Duplicate Address Detection
ns-interval
Set advertised NS retransmission interval
prefix
Configure IPv6 Routing Prefix Advertisement
ra-interval
Set IPv6 Router Advertisement Interval
ra-lifetime
Set IPv6 Router Advertisement Lifetime
reachable-time Set advertised reachability time
suppress-ra
Suppress IPv6 Router Advertisements
pixfirewall(config-if)# ipv6 nd ns-interval ?
interface mode commands/options:
<1000-3600000> Retransmission interval in milliseconds
pixfirewall(config-if)# ipv6 nd ns-interval 100
pixfirewall(config-if)# ipv6 nd p ?
interface mode commands/options:
X:X:X:X::X/<0-128> IPv6 prefix x:x::y/<z>
default
Specify prefix default parameters
pixfirewall(config-if)# ipv6 nd prefix 0800::/64
pixfirewall(config-if)# ipv6 nd ra-interval ?
interface mode commands/options:
<3-1800> RA Interval (sec)
msec
Interval in milliseconds
pixfirewall(config-if)# ipv6 nd ra-interval 100
pixfirewall(config-if)# exit
pixfirewall(config)# ipv ?
configure mode commands/options:
access-list Configure access policy for IPv6 traffic through the system
icmp
Configure access rules for ICMPv6 traffic terminating at an
interface
neighbor
Neighbor
route
Configure IPv6 routes
pixfirewall(config)# ipv route ?
configure mode commands/options:
Current available interface(s):
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Outside Name of interface Ethernet0
pixfirewall(config)# ipv r outside ?
configure mode commands/options:
X:X:X:X::X/<0-128> IPv6 prefix
pixfirewall(config)# ipv r outside ::/0 ?
configure mode commands/options:
Hostname or X:X:X:X::X IPv6 name or address
pixfirewall(config)# ipv6 route outside ::/0 2001:400:3:1::1
pixfirewall# sh ipv6 route
(the output of sh ipv6 interface and sh ipv6 route was lost in extraction; only fragments survive: ff00::/8 [0/0], via ::, and the interface names inside, inf2 and outside)
Define OSPF.
Example
pixfirewall(config)# router ?
configure mode commands/options:
ospf Open Shortest Path First (OSPF)
pixfirewall(config)# router ospf ?
pixfirewall(config)# router os ?
configure mode commands/options:
<1-65535> Process ID
pixfirewall(config)# router ospf 111
pixfirewall(config-router)# ?
Router configuration commands:
area
OSPF area parameters
compatible
OSPF compatibility list
default-information Control distribution of default information
distance
Define an administrative distance
exit
Exit from router configuration mode
help
Interactive help for router subcommands
ignore
Do not complain about specific event
log-adj-changes
Log changes in adjacency state
neighbor
Specify a neighbor router
network
Add/remove interfaces to/from OSPF routing process
no
Negate a command
redistribute
Redistribute information from another routing process
router-id
router-id for this OSPF process
summary-address
Configure IP address summaries
timers
Adjust routing timers
pixfirewall(config-router)# net ?
router mode commands/options:
A.B.C.D Network address
pixfirewall(config-router)# net 10.0.0.0 ?
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area 1
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 1 times
Area ranges are
Number of LSA 1. Checksum Sum 0x ff12
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# ?
MPF class-map configuration commands:
description Specify class-map description
exit
Exit from MPF class-map configuration mode
help
Help for MPF class-map configuration commands
match
Configure classification criteria
no
Negate or set default values of a command
rename
Rename this class-map
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list
Match an Access List
any
Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748
dns-------udp--53
ftp-------tcp--21
h323-h225-tcp--1720
http------tcp--80
ils-------tcp--389
netbios---udp--137-138
rsh-------tcp--514
sip-------tcp--5060
skinny----tcp--2000
sqlnet----tcp--1521
xdmcp-----udp--177
gtp-------udp--2123,3386
h323-ras--udp--1718-1719
icmp------icmp
mgcp------udp--2427,2727
rpc-------udp--111
rtsp------tcp--554
sip-------udp--5060
smtp------tcp--25
tftp------udp--69
dscp
Match IP DSCP (DiffServ CodePoints)
flow
Flow based Policy
port
Match TCP/UDP port(s)
precedence
Match IP precedence
rtp
Match RTP port numbers
tunnel-group
Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit
Exit from MPF class action configuration mode
help
Help for MPF policy-map configuration commands
inspect
Protocol inspection services
ips
Intrusion prevention services
no
Negate or set default values of a command
police
Rate limit traffic for this class
priority Strict scheduling priority for this class
set
Set QoS values or connection values
<cr>
pixfirewall(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
inline
Inline mode IPS
promiscuous Promiscuous mode IPS
configure mode commands/options:
df-bit
Set IPsec DF policy
fragmentation
Set IPsec fragmentation policy
security-association Set security association lifetime
transform-set
Define transform and settings
pixfirewall(config-pmap-c)# ips promiscuous ?
mpf-policy-map-class mode commands/options:
fail-close Block traffic if IPS card fails
fail-open
Permit traffic if IPS card fails
pixfirewall(config-pmap-c)# ips promiscuous fail-close
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ?
configure mode commands/options:
WORD Specify policy-map name
pixfirewall(config)# service-policy ANY ?
In this case global is used to define all the interfaces in the PIX. Other alternatives are:
pixfirewall(config)# service-policy ptest interface inside
pixfirewall(config)# service-policy ptest interface outside
pixfirewall(config)# service-policy ptest interface inf2
Define a TCP-map.
Example
pixfirewall(config)# tcp-map test
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# urgent-flag ?
tcp-map mode commands/options:
  allow  Allow packet with urgent flag and urgent offset
  clear  Clear urgent flag and urgent offset and allow packet
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  rpc-------udp--111
                              rsh-------tcp--514      rtsp------tcp--554
                              sip-------tcp--5060     sip-------udp--5060
                              skinny----tcp--2000     smtp------tcp--25
                              sqlnet----tcp--1521     tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match port tcp range ftp-data ?
mpf-class-map mode commands/options:
  <0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
pixfirewall(config-cmap)# match port tcp range ftp-data www
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
  connection  Configure connection parameters
configure mode commands/options:
  password-recovery  Password recovery configuration
  resetinbound       Send reset to a denied inbound TCP packet
  resetoutside       Send reset to a denied TCP packet to outside interface
pixfirewall(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  embryonic-conn-max      Keyword to set the maximum number of TCP embryonic
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
                          randomization
  timeout                 Configure connection timeout parameters
pixfirewall(config-pmap-c)# set connection advanced-options ?
mpf-policy-map-class mode commands/options:
  WORD  Enter TCP map name
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# ?
MPF policy-map class configuration commands:
  exit      Exit from MPF class action configuration mode
  help      Help for MPF policy-map configuration commands
  inspect   Protocol inspection services
  ips       Intrusion prevention services
  no        Negate or set default values of a command
  police    Rate limit traffic for this class
  priority  Strict scheduling priority for this class
  set       Set QoS values or connection values
  <cr>
pixfirewall(config-pmap-c)# set connection timeout ?
mpf-policy-map-class mode commands/options:
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  tcp          Configure idle time after which a TCP connection state will be
               closed, default is 1:00:00
pixfirewall(config-pmap-c)# set connection timeout embryonic ?
Lowering the embryonic timeout frees half-open connections sooner, which matters during a SYN flood. Once the limit set with set connection embryonic-conn-max is reached, the PIX's TCP Intercept proxies every further connection attempt to the matched servers: the firewall itself answers the client's SYN with a SYN/ACK, and only when the client completes the three-way handshake does the firewall open the connection to the server. Spoofed SYNs that never complete the handshake therefore never reach the server.
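The proxying behaviour described above, modelled as an added Python example (this is not code from the NetworkSims page or from Cisco): a firewall object configured with an embryonic-conn-max of 2 and an embryonic timeout of 30 seconds is fed a constructed SYN flood and then a legitimate client. The class, its event names and the addresses are this example's own assumptions; the real feature has per-class state and details that are not modelled.

```python
"""Model of PIX TCP Intercept behind `set connection embryonic-conn-max`.

Added example, not from the NetworkSims page. Addresses and timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TcpIntercept:
    """Half-open connection tracking for one protected server.

    embryonic_conn_max: as in `set connection embryonic-conn-max` (0 = unlimited).
    embryonic_timeout:  as in `set connection timeout embryonic`, in seconds.
    """
    embryonic_conn_max: int = 0
    embryonic_timeout: float = 30.0
    embryonic: dict = field(default_factory=dict)  # client -> time its SYN was forwarded
    proxied: set = field(default_factory=set)      # clients the firewall answered itself
    server_syns: int = 0                           # SYNs the server actually received
    established: int = 0

    def _expire(self, now: float) -> None:
        """Free half-open entries older than the embryonic timeout."""
        stale = [c for c, t in self.embryonic.items() if now - t >= self.embryonic_timeout]
        for client in stale:
            del self.embryonic[client]

    def syn(self, client: str, now: float = 0.0) -> str:
        """A client SYN arrives at the firewall."""
        self._expire(now)
        if self.embryonic_conn_max == 0 or len(self.embryonic) < self.embryonic_conn_max:
            # Below the limit: the SYN is passed through and counted as embryonic
            self.embryonic[client] = now
            self.server_syns += 1
            return "forwarded"
        # Limit reached: the firewall sends the SYN/ACK itself; the server sees nothing yet
        self.proxied.add(client)
        return "intercepted"

    def ack(self, client: str, now: float = 0.0) -> str:
        """The client completes the three-way handshake."""
        self._expire(now)
        if client in self.embryonic:
            del self.embryonic[client]
            self.established += 1
            return "established"
        if client in self.proxied:
            # A real client: only now is the connection opened towards the server
            self.proxied.discard(client)
            self.server_syns += 1
            self.established += 1
            return "established-via-proxy"
        return "no-state"


def syn_flood_demo() -> dict:
    """Ten spoofed sources that never ACK, one real client, then a late arrival."""
    fw = TcpIntercept(embryonic_conn_max=2, embryonic_timeout=30.0)
    spoofed = [f"198.51.100.{i}" for i in range(1, 11)]       # constructed attacker sources
    results = [fw.syn(src, now=float(i)) for i, src in enumerate(spoofed)]
    legit_syn = fw.syn("203.0.113.7", now=10.0)                # arrives during the flood
    legit_ack = fw.ack("203.0.113.7", now=11.0)
    late = fw.syn("203.0.113.8", now=45.0)                     # the two half-open entries have timed out
    return {
        "forwarded": results.count("forwarded"),
        "intercepted": results.count("intercepted"),
        "legit": (legit_syn, legit_ack),
        "server_syns": fw.server_syns,
        "late": late,
    }


if __name__ == "__main__":
    print(syn_flood_demo())
```

Only the first two spoofed SYNs reach the server; the legitimate client is answered by the firewall, completes the handshake, and is then connected through, and once the 30-second embryonic timeout has freed the two half-open entries ordinary forwarding resumes.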
Define a TCP-map.
Define that checksums must be verified.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# checksum-verification
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global
With checksum-verification enabled the PIX verifies the TCP checksum of every segment matched by the class and drops segments whose checksum is invalid. A receiving host discards such a segment anyway, so an attacker can use deliberately corrupted segments to feed an IDS data that the host never accepts; checking on the firewall removes that evasion. Verification costs CPU on every matched segment, so measure the performance impact before enabling it on high-volume traffic. The access-list used here matches all IP traffic:
pixfirewall(config)# access-list Columbia permit ip any any
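To make concrete what checksum-verification computes, an added Python example (not code from the NetworkSims page): it builds a TCP segment with a valid RFC 793 checksum, corrupts a copy of it the way an injected segment would differ, and gives each segment the pass/drop verdict the firewall would. The addresses, ports and payload are constructed for the demonstration.

```python
"""TCP checksum verification, as the `checksum-verification` tcp-map option performs it.

Added example, not from the NetworkSims page. Addresses, ports and payload are constructed.
"""
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, TCP length."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_length))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum to place in the header; the segment must carry 0 in its checksum field."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload, with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A correct segment, summed together with its stored checksum, gives all ones."""
    if len(segment) < 20:
        return False
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def verify_stream(src: str, dst: str, segments) -> list:
    """Verdict per segment, 'pass' or 'drop', mirroring checksum-verification."""
    return ["pass" if checksum_ok(src, dst, s) else "drop" for s in segments]


def corrupt(segment: bytes, index: int) -> bytes:
    """Flip one byte after the checksum was computed, as an injected segment would differ."""
    out = bytearray(segment)
    out[index] ^= 0xFF
    return bytes(out)


SRC, DST = "192.168.0.10", "10.1.1.5"  # constructed addresses
GOOD = build_segment(SRC, DST, 40000, 80, 1000, 2000, 0x18, b"GET / HTTP/1.0\r\n\r\n")
BAD = corrupt(GOOD, 20)                 # first payload byte altered: the host would discard it
TRUNCATED = GOOD[:12]                   # not even a complete header


def demo() -> list:
    return verify_stream(SRC, DST, [GOOD, BAD, TRUNCATED])


if __name__ == "__main__":
    print(demo())
```

The firewall does the same arithmetic the end host does, so a segment that the host would silently discard never reaches an IDS downstream of the policy.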
Define a TCP-map.
Define whether segments that exceed the MSS are allowed or dropped.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# exceed-mss ?
tcp-map mode commands/options:
  allow  Allow packet that exceed the Maximum Segment Size
  drop   Drop packet that exceed the Maximum Segment Size
pixfirewall(config-tcp-map)# exceed-mss allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global
The default (drop) is the safer setting: a segment larger than the MSS its peer advertised is either a broken stack or an attempt to push data the receiver did not agree to. Use allow only for peers known to send segments larger than the MSS they announce.
Define a TCP-map.
Check TCP retransmissions.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# check-retransmission
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global
With check-retransmission the PIX checks that a retransmitted segment carries the same data as the copy it already forwarded and drops inconsistent retransmissions. This closes evasions in which an attacker "retransmits" a sequence range with different content, so that an IDS and the end host see different data for the same bytes of the stream.
Define a TCP-map.
Define the limit for the TCP queue.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
Define a TCP-map.
Define the action for segments with reserved bits set.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# reserved-bits ?
Define a TCP-map.
Define the action for SYN segments that carry data.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
Define a TCP-map.
Disable TTL evasion protection.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# no ttl-evasion-protection
With TTL evasion an attacker sends a segment whose TTL (Time-to-Live) is just large enough to reach the firewall, and the IDS watching it, but expires on a router between the firewall and the destination host, so the host never receives it. The attacker then sends a second segment with the same sequence numbers, a long TTL and different data. To the firewall and the IDS that segment looks like a retransmission of data already seen and is passed or ignored; to the host it is the first and only copy. The stream the host reassembles therefore differs from the one the IDS inspected, and malicious content in it goes undetected. TTL evasion protection is enabled by default and should stay enabled; the command above is shown only so that the setting is known.
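The mismatch between what the IDS reassembles and what the host receives, as an added Python simulation (not code from the NetworkSims page): a constructed four-segment attacker stream is reassembled from the IDS's point of view and from the host's, and then again after a normalisation step that drops any segment whose TTL is lower than the TTL of the connection's first segment. That normalisation rule, the hop count and the segments are assumptions of the example, not a description of how the PIX implements ttl-evasion-protection.

```python
"""Simulation of TTL evasion and of a TTL normalisation that defeats it.

Added example, not from the NetworkSims page. The topology, the segments and
the normalisation rule are assumptions made for the demonstration.
"""
from dataclasses import dataclass

HOPS_BEYOND_FIREWALL = 3  # constructed: routers between the firewall and the server


@dataclass(frozen=True)
class Segment:
    seq: int
    data: bytes
    ttl: int


def reassemble_first_wins(segments) -> bytes:
    """Reassembly as a simple IDS does it: the first data seen for a sequence
    number is kept, later copies are treated as retransmissions and ignored."""
    seen = {}
    for s in segments:
        for i, byte in enumerate(s.data):
            seen.setdefault(s.seq + i, byte)
    if not seen:
        return b""
    start = min(seen)
    return bytes(seen.get(start + i, 0) for i in range(max(seen) - start + 1))


def ids_view(segments) -> bytes:
    """The firewall/IDS sees every segment, whatever its TTL."""
    return reassemble_first_wins(segments)


def host_view(segments, hops: int = HOPS_BEYOND_FIREWALL) -> bytes:
    """The host only receives segments whose TTL survives the routers in between."""
    return reassemble_first_wins([s for s in segments if s.ttl > hops])


def ttl_normalise(segments) -> list:
    """Assumed protection rule: drop any segment whose TTL is lower than the TTL of
    the connection's first segment, so nothing the firewall inspects can die on
    the way to the host while a later copy is waved through as a retransmission."""
    if not segments:
        return []
    floor = segments[0].ttl
    return [s for s in segments if s.ttl >= floor]


ATTACK = [  # constructed attacker stream
    Segment(1000, b"GET /", 64),
    Segment(1005, b"index.html ", 2),   # expires two hops past the firewall
    Segment(1005, b"../passwd  ", 64),  # same sequence range, different data
    Segment(1016, b"HTTP/1.0\r\n", 64),
]


def demo() -> dict:
    protected = ttl_normalise(ATTACK)
    return {
        "ids_sees": ids_view(ATTACK),
        "host_gets": host_view(ATTACK),
        "ids_sees_protected": ids_view(protected),
        "host_gets_protected": host_view(protected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Without the protection the IDS inspects a harmless request while the host executes the traversal; with the short-TTL segment removed both sides reassemble the same stream and the IDS can alert on it.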
Define a TCP-map.
Allow or drop connections with unexpected TCP window variations.
Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# window-variation ?
tcp-map mode commands/options:
  allow-connection  Allow connection with unexpected window size variation
  drop-connection   Drop connection with unexpected window size variation
pixfirewall(config-tcp-map)# window-variation drop-connection
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global
Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test1
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(config-if)# nameif test2
pixfirewall(config-if)# exit
pixfirewall(config)# int e2
pixfirewall(config-if)# ip address 192.168.2.1 255.255.255.0
pixfirewall(config-if)# nameif test3
pixfirewall(config-if)# exit
pixfirewall(config)# ip ?
configure mode commands/options:
  audit   Configure the Intrusion Detection System
  local   Define a local pool of IP addresses
  verify  Configure Unicast Reverse Path Filtering on an interface
pixfirewall(config)# ip verify ?
configure mode commands/options:
  reverse-path  Keyword to indicate Reverse-Path Filtering
pixfirewall(config)# ip verify reverse-path ?
configure mode commands/options:
  interface  Keyword to apply RPF on an interface
pixfirewall(config)# ip verify reverse-path interface ?
configure mode commands/options:
Current available interface(s):
  test3  Name of interface Ethernet2
  test2  Name of inter3face Ethernet1
  test1  Name of interface Ethernet0
pixfirewall(config)# ip verify reverse-path interface test1
pixfirewall(config)# ip verify reverse-path interface test2
pixfirewall(config)# ip verify reverse-path interface test3
Each interface needs its own subnet; the PIX rejects an address that overlaps another interface. Reverse-path filtering drops a packet when the route back to its source address does not point out the interface the packet arrived on: on an inside interface it stops hosts from sending with forged external source addresses, and on the outside interface it drops packets claiming an internal source. Because it relies on the routing table, do not enable it on an interface reached through asymmetric routes.
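What ip verify reverse-path interface checks, as an added Python example (not code from the NetworkSims page): a strict reverse-path check against a constructed routing table for the three interfaces named above. A packet passes only if the longest-prefix route back to its source address leaves through the interface the packet arrived on, and the check is applied only on the interfaces it was enabled for. The routing table, the addresses and the default route out of test3 are assumptions of the example.

```python
"""Strict unicast reverse-path forwarding check, per interface.

Added example, not from the NetworkSims page. Routes and packets are constructed.
"""
from ipaddress import ip_address, ip_network


class RpfFirewall:
    def __init__(self, routes):
        # routes: (prefix, egress interface); longest prefix must be tried first
        self.routes = sorted(((ip_network(p), iface) for p, iface in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str):
        """Egress interface of the longest-prefix route for addr, or None."""
        a = ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def rpf_ok(self, src: str, ingress: str) -> bool:
        """Strict uRPF: the route back to the source must leave via the ingress interface."""
        return self.lookup(src) == ingress

    def filter(self, packets, rpf_interfaces) -> list:
        """Verdict per (src, dst, ingress) packet; RPF applies only on interfaces
        where `ip verify reverse-path interface <name>` was entered."""
        verdicts = []
        for src, dst, ingress in packets:
            if ingress in rpf_interfaces and not self.rpf_ok(src, ingress):
                verdicts.append("drop")
            else:
                verdicts.append("pass")
        return verdicts


def demo() -> list:
    fw = RpfFirewall([
        ("192.168.0.0/24", "test1"),
        ("192.168.1.0/24", "test2"),
        ("192.168.2.0/24", "test3"),
        ("0.0.0.0/0", "test3"),  # constructed: the default route leaves via test3
    ])
    packets = [  # (source, destination, arriving interface), all constructed
        ("192.168.0.5", "192.168.1.9", "test1"),  # internal host where its route points: pass
        ("192.168.0.5", "192.168.1.9", "test3"),  # internal source arriving from the default side: drop
        ("8.8.8.8", "192.168.0.5", "test3"),      # external source via the default route: pass
        ("8.8.8.8", "192.168.0.5", "test1"),      # inside host forging an external source: drop
        ("10.9.9.9", "192.168.0.5", "test2"),     # would fail RPF, but RPF is off on test2: pass
    ]
    return fw.filter(packets, rpf_interfaces={"test1", "test3"})


if __name__ == "__main__":
    print(demo())
```

The last packet shows why the command is per interface: the check only protects the interfaces it has been applied to.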
Objectives
The objectives of this challenge are to:
Define the maximum number of fragments per packet (using the fragment chain command).
Define the maximum number of fragments awaiting reassembly (using the fragment size command).
Define the timeout for all the parts of a packet to arrive (using the fragment timeout command).
Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test1
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(config-if)# nameif test2
pixfirewall(config-if)# exit
pixfirewall(config)# int e2
pixfirewall(config-if)# ip address 192.168.2.1 255.255.255.0
pixfirewall(config-if)# nameif test3
pixfirewall(config-if)# exit
pixfirewall(config)# fragment ?
configure mode commands/options:
  chain    Configure maximum number of elements in a fragment set
  size     Configure maximum number of blocks in database
  timeout  Configure number of seconds to assemble a fragment set
pixfirewall(config)# fragment chain ?
configure mode commands/options:
  <1-8200>  Maximum number of elements in a fragment set, default is 24
pixfirewall(config)# fragment chain 1 ?
configure mode commands/options:
Current available interface(s):
  test3  Name of interface Ethernet2
  test2  Name of interface Ethernet1
  test1  Name of interface Ethernet0
  <cr>
pixfirewall(config)# fragment chain 1 test3
pixfirewall(config)# fragment size ?
configure mode commands/options:
  <1-30000>  Maximum number of blocks in database, default is 200
pixfirewall(config)# fragment size 10 test1
pixfirewall(config)# fragment timeout ?
configure mode commands/options:
  <1-30>
The fragment chain command limits how many fragments a single packet may be split into (default 24); a chain of 1, as set on test3 above, makes that interface drop fragmented packets altogether, a common choice for an untrusted interface. The fragment size command sets how many fragment blocks the interface may hold while awaiting reassembly (default 200), and the fragment timeout command limits how long the PIX waits for the remaining fragments of a packet before discarding the partial set (the <1-30> shown above is that timeout in seconds; the default is 5).
The command:
(config)# fragment chain 500
would set the fragments per packet on all interfaces, while:
(config)# fragment chain 500 outside
would set it for the outside interface only.
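The three limits, as an added Python model (not code from the NetworkSims page): a fragment database configured with chain 4, size 6 and timeout 5 seconds is fed constructed fragments and records why each discarded set was dropped. The Fragment structure, the split helper and the packets are the example's own assumptions; the real database counts blocks of fixed size rather than one block per fragment.

```python
"""Model of the PIX fragment reassembly limits: chain, size and timeout.

Added example, not from the NetworkSims page. Fragment layout and packets are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    pkt_id: int   # IP identification field
    offset: int   # byte offset of this fragment's data
    more: bool    # more-fragments flag
    data: bytes


@dataclass
class FragmentDatabase:
    chain: int = 24        # `fragment chain`: max fragments per packet (1 = no fragments pass)
    size: int = 200        # `fragment size`: max fragments held across all packets
    timeout: float = 5.0   # `fragment timeout`: seconds allowed for a set to complete
    sets: dict = field(default_factory=dict)   # pkt_id -> {"frags": [...], "first": t}
    drops: list = field(default_factory=list)  # (pkt_id, reason)

    def _blocks_in_use(self) -> int:
        return sum(len(s["frags"]) for s in self.sets.values())

    def _expire(self, now: float) -> None:
        for pid in [p for p, s in self.sets.items() if now - s["first"] >= self.timeout]:
            del self.sets[pid]
            self.drops.append((pid, "timeout"))

    def receive(self, frag: Fragment, now: float):
        """Store one fragment; return the reassembled datagram when it completes, else None."""
        self._expire(now)
        if self._blocks_in_use() >= self.size:
            self.drops.append((frag.pkt_id, "size"))     # database full: fragment discarded
            return None
        entry = self.sets.setdefault(frag.pkt_id, {"frags": [], "first": now})
        entry["frags"].append(frag)
        if len(entry["frags"]) > self.chain:
            del self.sets[frag.pkt_id]                    # too many pieces: whole set discarded
            self.drops.append((frag.pkt_id, "chain"))
            return None
        return self._try_assemble(frag.pkt_id)

    def _try_assemble(self, pid: int):
        frags = sorted(self.sets[pid]["frags"], key=lambda f: f.offset)
        expected, buf = 0, b""
        for f in frags:
            if f.offset != expected:
                return None          # hole or overlap: keep waiting (or time out)
            buf += f.data
            expected += len(f.data)
        if frags[-1].more:
            return None              # last fragment not seen yet
        del self.sets[pid]
        return buf


def split(pkt_id: int, payload: bytes, mtu_data: int) -> list:
    """Constructed helper: cut a payload into fragments of mtu_data bytes."""
    return [Fragment(pkt_id, off, off + mtu_data < len(payload), payload[off:off + mtu_data])
            for off in range(0, len(payload), mtu_data)]


def demo() -> dict:
    db = FragmentDatabase(chain=4, size=6, timeout=5.0)
    out = {}
    # 1) a 30-byte datagram in three fragments, arriving in reverse order
    out["reassembled"] = [db.receive(f, now=0.0) for f in reversed(split(1, b"A" * 30, 10))][-1]
    # 2) a datagram needing five fragments exceeds chain 4 and is discarded
    for f in split(2, b"B" * 50, 10):
        db.receive(f, now=1.0)
    # 3) a datagram whose second fragment never arrives
    db.receive(split(3, b"C" * 20, 10)[0], now=2.0)
    # 4) five more first fragments fill the six-block database; the next one is refused
    for pid in range(4, 9):
        db.receive(split(pid, b"D" * 20, 10)[0], now=3.0)
    db.receive(split(9, b"E" * 20, 10)[0], now=3.0)
    # 5) a later arrival: datagram 3 has now waited longer than the 5-second timeout
    db.receive(split(10, b"F" * 20, 10)[0], now=7.5)
    out["drops"] = db.drops
    out["held"] = sorted(db.sets)
    return out


if __name__ == "__main__":
    print(demo())
```

The timeout is what bounds the damage of a partial-fragment flood: without it, incomplete sets would occupy the database until the size limit refused all further fragments, including legitimate ones.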
Example
pixfirewall(config)# int e0.1
pixfirewall(config-subif)# ?
Interface configuration commands:
  default          Set a command to its defaults
  description      Interface specific description
  exit             Exit from interface configuration mode
  help             Interactive help for interface subcommands
  igmp             IGMP interface commands
  ip               Configure ip addresses.
  ipv6             IPv6 interface subcommands
  management-only  Dedicate an interface to management. Block thru traffic
  nameif
  no
  ospf
  pim
  security-level
Example
pixfirewall(config)# group-policy ?
configure mode commands/options:
  WORD < 65 char  Enter the name of the group policy
pixfirewall(config)# group-policy test ?
configure mode commands/options:
  attributes  Enter the attributes sub-command mode
  external    Enter this keyword to specify an external group policy
  internal    Enter this keyword to specify an internal group policy
pixfirewall(config)# group-policy test attributes
pixfirewall(config-group-policy)# ?
group_policy configuration commands:
  backup-servers                    Configure list of backup servers to be used
                                    by the remote client
  banner                            Configure a banner, or welcome text to be
                                    displayed on the VPN remote client
  client-access-rule                Specify rules permitting/denying access to
                                    specific client types and versions.
  client-firewall                   Configure the firewall requirements for
                                    users in this group-policy
  default-domain                    Configure default domain name given to
                                    users of this group
  dhcp-network-scope                Specify the range of IP addresses to
                                    indicate to the DHCP server for address
                                    assignment
  dns-server                        Configure the primary and secondary DNS
                                    servers
  exit                              Exit from group-policy configuration mode
  group-lock                        Enter name of an existing tunnel-group that
                                    users are required to connect with
  help                              Help for group_policy configuration
                                    commands
  ip-comp                           Enter this command to enable IP
                                    compression(LZS)
  ip-phone-bypass                   Configure to allow Cisco IP phones behind
                                    Hardware clients to bypass the Individual
                                    User Authentication process.
  ipsec-udp                         Enter this command to allow a client to
                                    operate through a NAT device using UDP
                                    encapsulation
  ipsec-udp-port                    Enter the UDP port to be used by the client
                                    for IPSec through NAT
  leap-bypass                       Enable/disable LEAP packets from Cisco
                                    wireless devices to bypass the individual
                                    user authentication process. This setting
                                    applies only to HW clients.
  nem                               Configure hardware clients to use network
                                    extension mode. This setting applies only
                                    to HW clients.
  no                                Remove an attribute value pair
  password-storage                  Enable/disable storage of the login
                                    password on the client system
  pfs                               Enter this command to indicate that the
                                    remote client needs to perform PFS
  re-xauth                          Enter this command to enable
                                    reauthentication of the user on IKE rekey
  secure-unit-authentication        Configure interactive authentication. This
                                    setting applies only to HW clients.
  split-dns                         Configure list of domains to be resolved
                                    through the Split Tunnel
  split-tunnel-network-list         Configure name of access-list for split
                                    tunnel configuration
  split-tunnel-policy               Select the split tunneling method to be
                                    used by the remote client
  user-authentication               Configure individual user authentication.
                                    This setting applies only to HW clients.
  user-authentication-idle-timeout  Configure the idle timeout period in
                                    minutes. If there is no communication in
                                    this period, the system terminates the
  vpn-access-hours
  vpn-filter
  vpn-idle-timeout
  vpn-session-timeout
  vpn-simultaneous-logins
  vpn-tunnel-protocol
  wins-server
Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
  WORD < 49 char  A name by which this interface will be referred in all other
                  commands
(config-if)# nameif outside
(config-if)# security ?
interface mode commands/options:
  <0-100>  Security level for the interface
(config-if)# security 0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# nameif inside
(config-if)# no shutdown
(config-if)# exit
(config)# same-security-traffic ?
configure mode commands/options:
  permit  Keyword for enabling this functionality
(config)# same-security-traffic permit ?
configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the
                   same security level
  intra-interface  Permit communication between VPN peers connected to the same
                   interface
(config)# same-security-traffic permit inter-interface
(config)# cry key ?
configure mode commands/options:
  generate  Generate new keys
  zeroize   Remove keys
(config)# crypto key generate ?
configure mode commands/options:
  dsa  Generate DSA keys
  rsa  Generate RSA keys
(config)# crypto key generate rsa ?
configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>
(config)# crypto key generate rsa modulus ?
configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  512   512 bits
  768   768 bits
(config)# crypto key generate rsa modulus 1024
(config)# telnet 204.134.17.7 255.255.192.0 inside
(config)# telnet 201.13.14.2 255.255.240.0 outside
(config)# telnet 210.1.170.5 255.255.224.0 inf2
(config)# telnet timeout 10
(config)# show telnet
(config)# show telnet timeout
(config)# ssh 204.134.17.7 255.255.192.0 inside
(config)# ssh timeout 10
(config)# http server enable
(config)# http 204.134.17.7 255.255.192.0 inside
(config)# http 201.13.14.2 255.255.240.0 outside
In interface configuration mode the address is given without an interface name, and the names assigned with nameif (outside, inside) are the ones the telnet, ssh and http commands refer to, so they must match. The RSA key pair must exist before ssh access can be used; 1024 bits is the smallest modulus worth generating and 2048 is preferable, since 512- and 768-bit RSA keys can be factored with modest resources. The PIX does not accept telnet on its lowest-security interface (here outside) unless the session arrives inside an IPsec tunnel, so manage that interface with ssh or http (ASDM) instead. The mask in each telnet, ssh and http line admits a whole source range, not one host; use 255.255.255.255 to admit a single address.
Example
# config t
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
  WORD < 49 char  A name by which this interface will be referred in all other
                  commands
(config-if)# nameif edinburgh
(config-if)# exit
(config)# route ?
configure mode commands/options:
Current available interface(s):
  Inf2       Name of interface Ethernet2
  Inside     Name of interface Ethernet1
  Edinburgh  Name of interface Ethernet0
(config)# route Edinburgh ?
configure mode commands/options:
  Hostname or A.B.C.D  The foreign network for this route, 0 means default
(config)# route Edinburgh 0 ?
configure mode commands/options:
  A.B.C.D  The netmask for the destined foreign network
(config)# route Edinburgh 0 0 ?
configure mode commands/options:
  Hostname or A.B.C.D  The address of the gateway by which the foreign network
                       is reached.
(config)# route Edinburgh 0 0 192.168.0.2
(config)# route Edinburgh 0 0 192.168.0.3 ?
configure mode commands/options:
  <1-255>   Distance metric for this route, default is 1
  tunneled  Enable the default tunnel gateway option, metric is set
            to 255
  <cr>
(config)# route Edinburgh 0 0 192.168.0.3 tunneled
The gateways 192.168.0.2 and 192.168.0.3 lie on the subnet of the Edinburgh interface, as a next hop must. The tunneled default route is used only for traffic that arrives through a VPN tunnel; all other traffic keeps using the ordinary default route via 192.168.0.2.
Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
  WORD < 49 char  A name by which this interface will be referred in all other
                  commands
(config-if)# nameif Edinburgh
(config-if)# pim ?
interface mode commands/options:
  dr-priority          PIM Hello DR priority
  hello-interval       PIM neighbor Hello announcement interval
  join-prune-interval  PIM periodic Join-Prune announcement interval
  <cr>
configure mode commands/options:
  accept-register        Register accept filter
  old-register-checksum  Generate registers compatible with older IOS versions
  rp-address             Configure Sparse-Mode Rendezvous Point
  spt-threshold          Configure threshold for SPT switchover on last-hop
(config-if)# pim
(config-if)# pim dr-priority ?
interface mode commands/options:
  <0-4294967295>  Hello DR priority, preference given to larger value
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval ?
interface mode commands/options:
  <1-3600>  Hello interval in seconds
(config-if)# pim hello-interval 50
(config-if)# pim join-prune-interval ?
interface mode commands/options:
  <10-600>  Join-Prune interval in seconds
(config-if)# pim join-prune-interval 50
(config-if)# exit
(config)# pim ?
configure mode commands/options:
  accept-register        Register accept filter
  old-register-checksum  Generate registers compatible with older IOS versions
  rp-address             Configure Sparse-Mode Rendezvous Point
  spt-threshold          Configure threshold for SPT switchover on last-hop
Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay ?
configure mode commands/options:
  enable    Start a DHCP server task on an interface, but at least one
            dhcpdrelay server must be configured before enable is issued
  server    Configure dhcprelay server information
  setroute
Example
# config t
pixfirewall(config)# firewall ?
pixfirewall(config)# access-list TEST ethertype ?
configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
pixfirewall(config)# access-list TEST ethertype deny ?
Example
# config t
pixfirewall(config)# auto-update ?
configure mode commands/options:
  device-id    Specify the device ID reported to the Auto Update Server
  poll-period  Specify how often to poll the Auto Update Server
  server       Specify the URL of the Auto Update Server
  timeout      Specify maximum wait to contact the Auto Update Server
pixfirewall(config)# auto-update device-id ?
configure mode commands/options:
  hardware-serial  Hardware serial number
  hostname         Host name
  ipaddress        IP address of the specified interface
  mac-address      MAC address of the specified interface
  string           Text string
pixfirewall(config)# auto-update device-id hostname
pixfirewall(config)# auto-update poll-period ?
configure mode commands/options:
  <1-35791>  Period in minutes between poll updates
pixfirewall(config)# auto-update poll-period 10
pixfirewall(config)# auto-update server ?
The Auto Update Server supplies software images and configurations that the PIX installs on its own, so the server URL is a trust decision: use an https URL so that the downloads are authenticated, and restrict who can reach the server.
pixfirewall(config)# mac-address-table ?
configure mode commands/options:
  aging-time  Configure duration that a bridge entry will remain in the table,
              default is 5 minutes
  static      Add static entries to the table
pixfirewall(config)# mac-address-table aging-time ?
configure mode commands/options:
  <5-720>  Aging interval in minutes
pixfirewall(config)# mac-address-table aging-time 10
pixfirewall(config)# mac-address-table static ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Inside   Name of interface Ethernet1
  Outside  Name of interface Ethernet0
pixfirewall(config)# mac-address-table static outside ?
configure mode commands/options:
  H.H.H  MAC address
pixfirewall(config)# mac-address-table static outside 1.1.1 ?
configure mode commands/options:
  <cr>
Example
# config t
pixfirewall(config)# firewall transparent
pixfirewall(config)# ip address 1.2.3.4 255.255.255.0
pixfirewall(config)# mac-address-table ?
configure mode commands/options:
  aging-time  Configure duration that a bridge entry will remain in the table,
              default is 5 minutes
  static      Add static entries to the table
pixfirewall(config)# mac-address-table aging-time ?
configure mode commands/options:
  <5-720>  Aging interval in minutes
pixfirewall(config)# mac-address-table static ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Inside   Name of interface Ethernet1
  Outside  Name of interface Ethernet0
pixfirewall(config)# mac-address-table static outside ?
configure mode commands/options:
  H.H.H  MAC address
pixfirewall(config)# mac-address-table static outside 1.1.1
pixfirewall(config)# mac-learn ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Inside   Name of interface Ethernet1
  Outside  Name of interface Ethernet0
pixfirewall(config)# mac-learn outside ?
configure mode commands/options:
  disable  Disable mac learning on the interface
pixfirewall(config)# mac-learn outside disable
In transparent mode the ip address command sets the single management address of the bridge rather than an interface address. Once MAC learning is disabled on an interface, only static entries are used to forward traffic through it, so every host that must be reached through that interface needs a mac-address-table static entry; that is the price of a table that cannot be poisoned by spoofed source MACs.
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq ?
mpf-class-map mode commands/options:
  <0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
pixfirewall(config-cmap)# match port tcp eq 2748
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dns
esmtp
ftp
gtp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
sqlnet
sunrpc
tftp
xdmcp
pixfirewall(config-pmap-c)# inspect ctiqbe
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port udp eq 53
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect dns ?
mpf-policy-map-class mode commands/options:
maximum-length Maximum DNS packet length
<cr>
pixfirewall(config-pmap-c)# inspect dns maximum-length ?
mpf-policy-map-class mode commands/options:
<512-65535> Enter maximum DNS packet length
pixfirewall(config-pmap-c)# inspect dns max 1500
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 21
pixfirewall(config-cmap)# exit
pixfirewall(config)# ftp-map ftest
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
mask-syst-reply Mask reply to syst command
no               Negate a command or set its defaults
request-command FTP request command inspection
pixfirewall(config-ftp-map)# request-command ?
ftp-map mode commands/options:
deny Specify FTP request commands to block
pixfirewall(config-ftp-map)# request-command deny ?
ftp-map mode commands/options:
appe  Append to a file
cdup  Change to parent of current directory
dele  Delete a file at server site
get   FTP client command for the retr command - retrieve a file
help  Help information from server
mkd   Create a directory
put   FTP client command for the stor command - store a file
rmd   Remove a directory
rnfr  Rename from
rnto  Rename to
site  Specify server specific command
stou  Store a file with a unique name
Objectives
The objectives of this challenge are to:
Note: An access-list is required in this case, instead of a match command in the class-map,
as there is more than one protocol. Only the tunnel-group allows matching more than one
protocol. Thus we need an access-list to identify ports 2123 and 3386.
Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 2123
pixfirewall(config)# access-list atest permit udp any any eq 3386
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
                            ctiqbe----tcp--2748     dns-------udp--53
                            ftp-------tcp--21       gtp-------udp--2123,3386
                            h323-h225-tcp--1720     h323-ras--udp--1718-1719
                            http------tcp--80       icmp------icmp
                            ils-------tcp--389      mgcp------udp--2427,2727
                            netbios---udp--137-138  rpc-------udp--111
                            rsh-------tcp--514      rtsp------tcp--554
                            sip-------tcp--5060     sip-------udp--5060
                            skinny----tcp--2000     smtp------tcp--25
                            sqlnet----tcp--1521     tftp------udp--69
                            xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# gtp-map gtest
pixfirewall(config-gtp-map)# ?
description      GRP configuration map description
drop             Message ID, APN or GTP version to drop
help             Displays help
mcc              Three-digit mobile code (000-999)
message-length   Message length max and min values
permit errors    Permits packets with errors
permit response  Permit GSN loading balance
request-queue    Maximum requests for the queue
timeout          Idle timeout
tunnel-limit     Maximum number of tunnels
pixfirewall(config-gtp-map)# request-queue 100
pixfirewall(config-gtp-map)# mcc 044
pixfirewall(config-gtp-map)# message-length min 10 max 1000
pixfirewall(config-gtp-map)# tunnel-limit 10000
pixfirewall(config-gtp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect gtp gtest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
Note: An access-list is required in this case, instead of a match command in the class-map,
as there is more than one protocol. Only the tunnel-group allows matching more than one
protocol. Thus we need an access-list to identify ports 2123 and 3386.
Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 1720
pixfirewall(config)# access-list atest permit udp any any eq 1721
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match ?
default-inspection-traffic  Match default inspection traffic:
                            dns-------udp--53
                            gtp-------udp--2123,3386
                            h323-ras--udp--1718-1719
                            icmp------icmp
                            mgcp------udp--2427,2727
                            rpc-------udp--111
                            rtsp------tcp--554
                            sip-------udp--5060
                            smtp------tcp--25
                            tftp------udp--69
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect h323 ?
mpf-policy-map-class mode commands/options:
h225 Enable H.225 signalling inspection
ras
Enable RAS inspection
pixfirewall(config-pmap-c)# inspect h323 ras
pixfirewall(config-pmap-c)# inspect h323 h225
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 80
pixfirewall(config-cmap)# exit
pixfirewall(config)# http-map htest
pixfirewall(config-http-map)# ?
Http-map configuration commands:
content-length             Content length range inspection
content-type-verification  Content type inspection
max-header-length          Maximum header size inspection
max-uri-length             Maximum URI size inspection
no                         Negate a command or set its defaults
port-misuse                Application inspection
request-method             Request method inspection
strict-http                Strict HTTP inspection
transfer-encoding          Transfer encoding inspection
pixfirewall(config-http-map)# content-l ?
http-map mode commands/options:
max Maximum content length allowed
min Minimum content length allowed
pixfirewall(config-http-map)# content-l min ?
http-map mode commands/options:
<1-65535> Number of bytes
pixfirewall(config-http-map)# content-l min 1 ?
http-map mode commands/options:
action Action taken when a violation occurs
max     Maximum content length allowed
pixfirewall(config-http-map)# content-l min 1 max ?
http-map mode commands/options:
<1-50000000> Number of bytes
pixfirewall(config-http-map)# content-l min 1 max 1000 ?
http-map mode commands/options:
action Action taken when a violation occurs
pixfirewall(config-http-map)# content-l min 1 max 1000 action ?
http-map mode commands/options:
allow Allow the message
drop   Close the connection
reset Close the connection with a TCP reset message
pixfirewall(config-http-map)# content-l min 10 max 1000 action reset
pixfirewall(config-http-map)# content-type-verification ?
http-map mode commands/options:
action         Action taken when a violation occurs
match-req-rsp Check response matches ACCEPT value in request message
pixfirewall(config-http-map)# content-type-verification match ?
http-map mode commands/options:
action Action taken when a violation occurs
mode commands/options:
Allow the message
Close the connection
Close the connection with a TCP reset message
Service      Comment
TCPmux
discard      Null
daytime
qotd         Quote
chargen      ttytst source
telnet
time         Timserver
nameserver   IEN 116
domain       DNS
bootps       BOOTP server
bootpc       BOOTP client
gopher       Internet Gopher
finger
link         Ttylink
supdup
iso-tsap     ISODE
rtelnet      Remote Telnet
pop3         POP version 3
auth         Rap ID
uucp-path
ntp          Network Time
netbios-dgm  NETBIOS
imap2
snmp-trap    SNMP trap
cmip-agent
nextstep     NeXTStep
prospero
smux         SNMP Multiplexer
at-nbp       AppleTalk name binding
at-zis       AppleTalk zone information
ipx          IPX
ulistserv    UNIX Listserv
who          Whod
syslog
talk
route        RIP
tempo        Newdate
conference   Chat

Service      Port  Comment
echo         7
systat       11    Users
netstat      15
msp          18    Message send protocol
ftp          21
smtp         25    Mail
rlp          39    Resource location
whois        43    Nicname
mtp          57    Deprecated
bootps       67
tftp         69
rje          77    Netrjs
www          80    WWW HTTP
kerberos     88    Kerberos v5
hostnames    101
csnet-ns     105   CSO name server
pop2         109   POP version 2
sunrpc       111
sftp         115
nntp         119   USENET
netbios-ns   137   NETBIOS Name Service
netbios-ssn  139   NETBIOS session
snmp         161   SNMP
cmip-man     163   ISO management over IP
xdmcp        177   X Display Manager
bgp          179   BGP
irc          194   Internet Relay Chat
at-rtmp      201   AppleTalk routing
at-echo      204   AppleTalk echo
z3950        210   NISO Z39.50 database
imap3        220   Interactive Mail Access
exec         512   Comsat 513 login
shell        514   No passwords used
printer      515   Line printer spooler
ntalk        518
timed        525   Timeserver
courier      530   Rpc
netnews      532   Readnews
Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 2427
pixfirewall(config)# access-list atest permit udp any any eq 2727
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# mgcp-map mtest
pixfirewall(config-mgcp-map)# ?
mgcp-map configuration commands:
call-agent     Add a Call-Agent
command-queue  Configure Command Queue
gateway        Add a Gateway
help           Help for mgcp-map configuration commands
no             Negate or set default values of a command
pixfirewall(config-mgcp-map)# call-agent ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# call-agent 1.2.3.4 ?
mgcp-map mode commands/options:
<0-2147483647> ID of the group
pixfirewall(config-mgcp-map)# call-agent 1.2.3.4 111
pixfirewall(config-mgcp-map)# command-queue ?
mgcp-map mode commands/options:
<1-2147483647> Command limit
pixfirewall(config-mgcp-map)# command-queue 100
pixfirewall(config-mgcp-map)# gateway ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# gateway 1.2.3.5 111
pixfirewall(config-mgcp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect mgcp mtest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
Example
# config t
pixfirewall(config)# access-list atest permit tcp any any eq 554
pixfirewall(config)# access-list atest permit tcp any any eq 8554
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect rtsp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 5060
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect sip
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
pixfirewall(config)# timeout ?
configure mode commands/options:
conn         Configure idle time after which a TCP connection state
             will be closed, default is 1:00:00
h225         Configure idle time after which an H.225 signaling conn
             will be closed, default is 1:00:00
h323         Configure idle time after which an H.323 control connection
             will be closed, default is 0:05:00
half-closed  Configure idle time after which a TCP half-closed connection
             will be freed, default is 0:10:00
icmp         Configure idle timeout for ICMP, default is 0:00:02
mgcp         Configure idle time after which an MGCP media connection
             will be closed, default is 0:05:00
mgcp-pat     Configure the time after which an MGCP PAT Xlate
             will be removed, default is 0:05:00
sip          Configure idle time after which a SIP control connection
             will be closed, default is 0:30:00
sip_media    Configure idle time after which a SIP Media connection
             will be closed, default is 0:02:00
sunrpc       Configure idle time after which a SUNRPC slot
             will be closed, default is 0:10:00
uauth        Configure idle time after which an authentication will no
             longer be cached and the user will need to re-authenticate on
             their connection, default is 0:05:00. The default uauth timer
             is absolute.
udp          Configure idle time after which general UDP states
             will be closed, default is 0:02:00, This timer does not
             apply to DNS or SUNRPC
xlate        Configure idle time after which a dynamic address
             will be returned to the free pool, default is 3:00:00
pixfirewall(config)# timeout sip ?
configure mode commands/options:
0:0:0 | <0:5:0> - <1192:59:59>
<0-0>
Also:
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 2000
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect skinny
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
Limiting to the seven basic SMTP commands, plus the eight extended ones.
Monitoring the command-response phase, so that messages are not sent out of sequence.
Catches truncated commands.
Catches commands without a carriage-return/line-feed sequence.
And so on.
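The checks listed above, modelled in Python as an added example (not part of the original page and not the PIX inspection engine itself). The permitted command sets are an assumption, the seven RFC 821 basic commands and eight ESMTP extensions, since the page does not enumerate them; the sample session is constructed.

```python
from typing import List, Tuple

# Command sets are an assumption of this example (the page does not list them):
# the seven basic RFC 821 commands and eight ESMTP extensions.
BASIC_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
EXTENDED_COMMANDS = {"EHLO", "AUTH", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}
ALLOWED_COMMANDS = BASIC_COMMANDS | EXTENDED_COMMANDS

Finding = Tuple[str, bytes]  # (verdict, the command line it applies to)


def check_command_lines(data: bytes) -> List[Finding]:
    """Apply the per-command checks to one chunk of client-to-server data.

    Verdicts: 'ok', 'bad-terminator' (a bare LF or CR where CRLF is required),
    'unknown-command' (verb outside the permitted set) and 'truncated'
    (bytes after the last CRLF, i.e. a command that was cut short).
    """
    findings: List[Finding] = []
    lines = data.split(b"\r\n")
    tail = lines.pop()  # whatever follows the final CRLF (empty when well formed)
    for line in lines:
        if b"\n" in line or b"\r" in line:
            findings.append(("bad-terminator", line))
            continue
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        findings.append(("ok" if verb in ALLOWED_COMMANDS else "unknown-command", line))
    if tail:
        findings.append(("truncated", tail))
    return findings


def inspect_exchange(exchange: List[Tuple[str, bytes]]) -> List[Finding]:
    """Run the checks over a whole session, adding the command/response rule.

    exchange holds ('C', bytes) client chunks and ('S', bytes) server chunks in
    wire order.  A client command sent while the previous command still awaits
    its server reply is reported as 'out-of-sequence'.  The message body that
    follows DATA/354 is not parsed as commands.
    """
    findings: List[Finding] = []
    awaiting_reply = False
    in_data = False
    for side, chunk in exchange:
        if side == "S":
            # "NNN text" is the final line of a reply; "NNN-text" continues it.
            for line in chunk.split(b"\r\n"):
                if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
                    awaiting_reply = False
                    in_data = line.startswith(b"354")
            continue
        if in_data:
            # Message body: only the end-of-data marker matters here.
            if chunk.endswith(b"\r\n.\r\n"):
                in_data = False
                awaiting_reply = True
            continue
        for verdict, line in check_command_lines(chunk):
            if verdict == "ok" and awaiting_reply:
                findings.append(("out-of-sequence", line))
            else:
                findings.append((verdict, line))
            if verdict in ("ok", "unknown-command"):
                awaiting_reply = True  # the server owes a reply before the next command
    return findings


# Constructed sample session: a pipelined second RCPT, an unrecognised verb,
# a bare-LF terminator and a command cut off mid-word.
SAMPLE_EXCHANGE = [
    ("C", b"EHLO mail.example.test\r\n"),
    ("S", b"250-mx.example.test\r\n250 SIZE 10240000\r\n"),
    ("C", b"MAIL FROM:<a@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"RCPT TO:<b@example.test>\r\nRCPT TO:<c@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: test\r\n\r\nhello\r\n.\r\n"),
    ("S", b"250 Queued\r\n"),
    ("C", b"TURN\r\n"),
    ("S", b"500 Unrecognized command\r\n"),
    ("C", b"NOOP\nRSET\r\nQUI"),
]

if __name__ == "__main__":
    for verdict, line in inspect_exchange(SAMPLE_EXCHANGE):
        print(f"{verdict:16} {line!r}")
```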
Objectives
The objectives of this challenge are to:
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 25
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect esmtp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 161
pixfirewall(config)# access-list atest permit udp any any eq 162
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# snmp-map stest
pixfirewall(config-snmp-map)# ?
snmp-map configuration commands:
deny Deny SNMP traffic
help Help for snmp-map configuration commands
no    Negate or set default values of a command
pixfirewall(config-snmp-map)# deny ?
snmp-map mode commands/options:
version Specify the version to deny
pixfirewall(config-snmp-map)# deny version ?
snmp-map mode commands/options:
1   SNMP version 1
2   SNMP version 2 (party based)
2c  SNMP version 2c (community based)
3   SNMP version 3
pixfirewall(config-snmp-map)# deny version ?
pixfirewall(config-snmp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect snmp stest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
Objectives
The objectives of this challenge are to:
Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 111
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect rpc
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
The firewall can create an RPC services table to control Sun RPC traffic through the security
appliance with:
pixfirewall(config)# sunrpc ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Inside   Name of interface Ethernet1
  Outside  Name of interface Ethernet0
pixfirewall(config)# sunrpc inside ?
configure mode commands/options:
Hostname or A.B.C.D IP address of SUNRPC server
pixfirewall(config)# sunrpc inside 1.2.3.4 ?
configure mode commands/options:
A.B.C.D The network mask to be applied to IP address
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 ?
configure mode commands/options:
service Specify the SUNRPC service program number after this keyword
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service ?
configure mode commands/options:
<0-2147483647> SUNRPC service program number
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
<start>[-<end>]
Define a route-map.
Define redistribution.
Example
# config t
(config)# route-map ?
configure mode commands/options:
WORD < 58 char Route map tag
(config)# route-map rtest ?
configure mode commands/options:
<0-65535> Sequence to insert to/delete from existing route-map entry
deny    Route map denies set operations
permit  Route map permits set operations
<cr>
(config)# route-map rtest permit
(config-route-map)# ?
Route Map configuration commands:
exit   Exit from route-map configuration mode
help   Interactive help for route-map subcommands
match  Match values from routing table
no     Negate a command
set    Set values in destination routing protocol
(config-route-map)# match ?
route-map mode commands/options:
interface   Match first hop interface of route
ip          Match IP address or next-hop or route-source
metric      Match metric of route
route-type  Match route-type of route
(config-route-map)# match metric ?
route-map mode commands/options:
<0-4294967295> Metric value
(config-route-map)# match metric 1
(config-route-map)# set ?
route-map mode commands/options:
metric       Set metric value for destination routing protocol
metric-type  Set type of metric for destination routing protocol
(config-route-map)# set metric- ?
route-map mode commands/options:
type-1 OSPF external type 1 metric
type-2 OSPF external type 2 metric
(config-route-map)# set metric- type-1
(config-route-map)# set metric ?
Define OSPF.
Define E1 OSPF parameters.
Example
(config)# router ospf 111
(config-router)# network 10.0.0.0 255.0.0.0 area 0
(config-router)# exit
(config)# int e1
(config-if)# ospf cost 20
(config-if)# ospf retransmit-interval 20
(config-if)# ospf transmit-delay 20
(config-if)# ospf priority 20
(config-if)# ospf hello-interval 20
(config-if)# ospf dead-interval 20
(config-if)# ospf authentication-key test
(config-if)# ospf message-digest-key 1 md5 test
(config-if)# ospf authentication message-digest
Define OSPF.
Define OSPF routing area details.
Define OSPF stub details.
Define route timers.
Define default route.
Define logging of neighbors.
Outline
(config)# router ospf 111
(config-router)# area 1 authentication
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost 15
(config-router)# summary-address 1.2.3.0 255.255.0.0
(config-router)# area 10 range 2.3.4.0 255.255.0.0
(config-router)# default-information originate always
(config-router)# log-adj-changes detail
(config-router)# timers spf 10 10
Example
pixfirewall(config)# router ospf 111
pixfirewall(config-router)# ?
Router configuration commands:
area                 OSPF area parameters
compatible
default-information
distance
exit
help
ignore
log-adj-changes
neighbor
network
no
redistribute
router-id
summary-address
timers
pixfirewall(config-router)# area ?
router mode commands/options:
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D         OSPF area ID in IP address format
pixfirewall(config-router)# area 1 ?
router mode commands/options:
authentication Enable authentication
default-cost    Set the summary default-cost of a NSSA/stub area
filter-list     Filter networks between OSPF areas
nssa            Specify a NSSA area
range           Summarize routes matching address/mask (border routers only)
stub            Specify a stub area
virtual-link    Define a virtual link and its parameters
<cr>
pixfirewall(config-router)# area 1 authentication
pixfirewall(config-router)# area 1 authentication ?
router mode commands/options:
message-digest Use message-digest authentication
<cr>
pixfirewall(config-router)# area 1 authentication message-digest
pixfirewall(config-router)# area 10 stub
pixfirewall(config-router)# area 10 default-cost ?
router mode commands/options:
<0-65535> Stub's advertised external route metric
pixfirewall(config-router)# area 10 default-cost 15
Route summarization allows various routes to be summarized into a single address, which
helps to reduce the size of the routing tables:
pixfirewall(config-router)# summary-address ?
router mode commands/options:
A.B.C.D IP summary address
pixfirewall(config-router)# summary-address 1.2.3.0 ?
router mode commands/options:
A.B.C.D Summary mask
pixfirewall(config-router)# summary-address 1.2.3.0 255.255.0.0
Example
In the following example, the addresses of the ports are:
E0 (outside) 10.0.0.1
E1 (inside) 192.168.0.1
E2 (dmz) 172.16.10.1
The email server is at 172.16.10.2 and will be mapped to 10.0.0.3 for external access.
The default gateway is at 10.0.0.2
(config)# fixup protocol smtp 25
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# nameif outside
(config-if)# mac-address 1111.2222.3333
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif inside
(config-if)# mac-address 2222.3333.4444
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# ip address 172.16.10.1 255.255.255.0
(config-if)# nameif dmz
(config-if)# mac-address 3333.4444.5555
(config-if)# no shutdown
(config-if)# exit
Next permit access from the outside interface to the Email server:
(config)# access-list outside_int permit tcp any host 10.0.0.3 eq smtp
Allow all outgoing connections from the Email server to external nodes:
(config)# access-list dmz_interface permit tcp host 172.16.10.2 any eq smtp
Map the Email server on the DMZ, which is at 172.16.10.2, and let its
accessible address be 10.0.0.3:
(config)# static (dmz,outside) 10.0.0.3 172.16.10.2
14 ASA/New PIX
Cisco PIX Challenge 97
Outline
This challenge involves configuring external access to an email server on the DMZ.
Objectives
The objectives of this challenge are to:
Example
In the following example, the addresses of the ports are:
E0 (outside) 10.0.0.1
E1 (inside) 192.168.0.1
E2 (dmz) 172.16.10.1
The email server is at 172.16.10.2 and will be mapped to 10.0.0.3 for external access.
The default gateway is at 10.0.0.2
(config)# fixup protocol smtp 25
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# nameif outside
(config-if)# mac-address 1111.2222.3333
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif inside
(config-if)# mac-address 2222.3333.4444
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# ip address 172.16.10.1 255.255.255.0
(config-if)# nameif dmz
Next permit access from the outside interface to the Email server:
(config)# access-list outside_int permit tcp any host 10.0.0.3 eq smtp
Allow all outgoing connections from the Email server to external nodes:
(config)# access-list dmz_interface permit tcp host 172.16.10.2 any eq smtp
Map the Email server on the DMZ, which is at 172.16.10.2, and let its
accessible address be 10.0.0.3:
(config)# static (dmz,outside) 10.0.0.3 172.16.10.2
Commands
(config)# int e0
(config-if)# nameif newjersey
(config-if)# ip address 1.2.3.5 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# webvpn
(config-webvpn)# port 444
(config-webvpn)# enable newjersey
(config-webvpn)# exit
(config)# sla mon 1
(config-sla-monitor)# t e p i 1.2.3.4 i newjersey
(config-sla-monitor-echo)# ?
Example
(config)# int e0
(config-if)# nameif newjersey
(config-if)# exit
(config)# webvpn
(config-webvpn)# ?
WebVPN commands:
apcf
authorization-dn-attributes
authorization-required
auto-signon
cache
character-encoding
csd
customization
default-idle-timeout
enable
exit
file-encoding
help
http-proxy
https-proxy
java-trustpoint
memory-size
no
port
port-forward
proxy-bypass
rewrite
sso-server
svc
tunnel-group-list
url-list
(config-webvpn)# port ?
webvpn mode commands/options:
<1-65535> The WebVPN server's SSL listening port. TCP port 443 is the
default.
Define a time-range.
Implement a time-ranged ACL.
Define an AAA group tag.
Define an AAA host.
Define AAA host details.
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# periodic weekday 5:00 to 9:00
(config-time-range)# periodic saturday 3:00 to 15:00
(config-time-range)# exit
(config)# access-list Columbia permit ip any any time-range workingday
(config)# aaa-server test protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# ?
Time range configuration commands:
absolute  absolute time and date
exit      Exit from time-range configuration mode
help      Help for time-range configuration commands
no        Negate a command or set its defaults
periodic  periodic time and date
(config-time-range)# ab ?
trange mode commands/options:
end    ending time and date
start  starting time and date
(config-time-range)# periodic ?
trange mode commands/options:
Friday     Friday
Monday     Monday
Saturday   Saturday
Sunday     Sunday
Thursday   Thursday
Tuesday    Tuesday
Wednesday  Wednesday
daily      Every day of the week
weekdays   Monday thru Friday
weekend    Saturday and Sunday
exec mode commands/options:
interval Performance monitoring interval in seconds
quiet
Turn on quiet mode for perfomance monitoring
settings View perfomance monitoring settings
verbose
Turn on verbose mode for perfomance monitoring
(config-time-range)# periodic weekday ?
trange mode commands/options:
hh:mm Starting time
(config-time-range)# periodic weekday 5:00 ?
trange mode commands/options:
to ending day and time
(config-time-range)# periodic weekday 5:00 to ?
trange mode commands/options:
<1-5>
(config-aaa-server-group)# reactivation-mode ?
aaa-server-group mode commands/options:
depletion  Failed servers will remain inactive until all other servers in
           this group are inactive
timed      Failed servers will be reactivated after 30 seconds of down time
(config-aaa-server-group)# exit
(config)# aaa-server test ?
configure mode commands/options:
(                    Open parenthesis for the name of the network interface
                     where the designated AAA server is accessed
deadtime             Specify the amount of time that will elapse between the
                     disabling of the last server in the group and the
                     subsequent re-enabling of all servers
host                 Enter this keyword to specify the IP address for the
                     server
max-failed-attempts  Specify the maximum number of failures that will be
                     allowed for any server in the group before that server
                     is deactivated
protocol             Enter the protocol for a AAA server group
(config)# aaa-server test (newyork) ?
configure mode commands/options:
host Enter this keyword to specify the IP address for the server
(config)# aaa-server test (newyork) h ?
configure mode commands/options:
Hostname or A.B.C.D Enter an IP address or a name
WORD < 129 char
Enter a DNS name
(config)# aaa-server test (newyork) h 1.2.3.4 ?
configure mode commands/options:
WORD
Alphanumeric keyword up to 128 characters used as the encryption key
for communicating with the AAA server.
timeout Specify the maximum time to wait for response from configured server
<cr>
(config)# aaa-server test (inside) host 1.2.3.4
(config-aaa-server-host)# ?
AAA server configuration commands:
accounting-port
Specify the port number to be used for accounting
acl-netmask-convert Specify the ACL Downloadable Netmask Operation
authentication-port Specify the port number to be used for authentication
exit
Exit from aaa-server host configuration mode
help
Help for AAA server configuration commands
key
Specify the secret used to authenticate the NAS to the
AAA server
no
Remove an item from aaa-server host configuration
radius-common-pw
Specify a common password for all RADIUS authorization
transactions
retry-interval
Specify the amount of time between retry attempts
timeout
Specify the maximum time to wait for response from
configured server
(config-aaa-server-host)# acc ?
aaa-server-host mode commands/options:
<0-65535> Enter port number (0 - 65535)
(config-aaa-server-host)# acl-netmask-convert ?
aaa-server-host mode commands/options:
auto-detect Enter this keyword to specify auto-detect netmask
standard Enter this keyword to specify standard netmask
wildcard Enter this keyword to specify wildcard netmask
(config-aaa-server-host)# key ?
aaa-server-host mode commands/options:
WORD < 129 char Enter an alphanumeric string up to 128 characters
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# radius ?
aaa-server-host mode commands/options:
WORD < 128 char Enter an alphanumeric string up to 127 characters
(config-aaa-server-host)# ret ?
aaa-server-host mode commands/options:
<1-10> Number of seconds (1 - 10)
(config-aaa-server-host)# tim ?
aaa-server-host mode commands/options:
<1-300> Number of seconds (1 - 300)
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
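The group-level options above (max-failed-attempts, deadtime, reactivation-mode) decide how the appliance behaves when an AAA server stops answering, which is the moment an authentication design is actually tested. The following is an added example, not NetworkSims or Cisco code: a small model of those semantics with an injected clock, so the two reactivation modes can be compared. The 30 second timed reactivation and the default of 3 failed attempts come from the help text above; the behaviour when every server is down is simplified (the model returns no server rather than deciding about a LOCAL fallback, which on the appliance depends on the aaa authentication line).

```python
"""Model of PIX/ASA aaa-server group failover: max-failed-attempts, deadtime
and the depletion/timed reactivation modes shown in the help output above.

Added example, not NetworkSims or Cisco code. Times are plain seconds
supplied by the caller so the behaviour can be checked deterministically.
"""


class AaaServerGroup:
    def __init__(self, name, servers, max_failed_attempts=3,
                 reactivation_mode="depletion", deadtime_minutes=10):
        if reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation-mode must be depletion or timed")
        self.name = name
        self.servers = list(servers)            # tried in configured order
        self.max_failed = max_failed_attempts
        self.mode = reactivation_mode
        self.deadtime = deadtime_minutes * 60   # seconds
        self.failures = {s: 0 for s in servers}
        self.down_since = {}                    # server -> time it was deactivated
        self.depleted_at = None                 # depletion mode: when the last server went down

    def _reactivate(self, server):
        del self.down_since[server]
        self.failures[server] = 0

    def _expire(self, now):
        """Bring servers back according to the configured reactivation mode."""
        if self.mode == "timed":
            # each failed server returns on its own, 30 s after it went down
            for server, since in list(self.down_since.items()):
                if now - since >= 30:
                    self._reactivate(server)
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime:
            # depletion: nothing returns until all are down and deadtime has elapsed
            for server in list(self.down_since):
                self._reactivate(server)
            self.depleted_at = None

    def active_servers(self, now):
        self._expire(now)
        return [s for s in self.servers if s not in self.down_since]

    def select(self, now):
        """Server the next AAA request goes to, or None if the whole group is down."""
        active = self.active_servers(now)
        return active[0] if active else None

    def record_failure(self, server, now):
        """One request to `server` went unanswered after its retries."""
        if server in self.down_since:
            return
        self.failures[server] += 1
        if self.failures[server] >= self.max_failed:
            self.down_since[server] = now
            if self.mode == "depletion" and len(self.down_since) == len(self.servers):
                self.depleted_at = now

    def record_success(self, server):
        self.failures[server] = 0
```

The practical point the model makes visible: in depletion mode a single dead server stays out of rotation until every server has failed and the deadtime has passed, so a group with one healthy server keeps working but never retries the dead one; in timed mode the dead server is retried every 30 seconds, which restores it quickly but also sends a share of requests into a timeout while it is still down.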
Commands
# show version
(config)# int e0
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int e1
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int redundant 1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# member-interface e0
(config-if)# member-interface e1
(config-if)# no shutdown
(config-if)# exit
(config)# exit
Example
# show version
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 10 mins 40 secs
Hardware:
PIX-515E, 96 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
2: Ext: Ethernet2 : media index 2: irq 11
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
After the redundant interface is defined, there should be no changes to the interfaces
involved, apart from the duplex and speed settings, which the redundant interface
inherits from its members. A great strength of interface redundancy is that it responds within 0.5s,
which is faster than failover.
To change the active interface to e1, the following command is used:
# redundant-interface redundant1 active-member e1
Commands
# show version
# config t
(config)# int e0
(config-if)# nameif outside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 100
(config-if)# exit
(config)# ip verify reverse-path interface inside
(config)# ip verify reverse-path interface outside
(config)# exit
# show ip verify statistics
Example
# show version
# config t
(config)# int e0
(config-if)# nameif outside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 100
(config-if)# exit
(config)# ip verify ?
configure mode commands/options:
reverse-path Keyword to indicate Reverse-Path Filtering
(config)# ip verify reverse-path ?
configure mode commands/options:
interface Keyword to apply RPF on an interface
(config)# ip verify reverse-path interface ?
configure mode commands/options:
Current available interface(s):
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Outside
Name of interface Ethernet0
(config)# ip verify reverse-path interface inside
(config)# ip verify reverse-path interface outside
# sh ip ?
address Show IP addresses, DHCP leases
audit
Show ip audit statistics
local
Show ip local pool information
verify
Show Reverse Path Verify (RPF) statistics
|
Output modifiers
<cr>
# sh ip verify ?
statistics Show Reverse Path Verify (RPF) statistics
# sh ip verify statistics
interface outside: 100 unicast rpf drops
interface inside: 300 unicast rpf drops
interface inf: 43 unicast rpf drops
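The drop counters above come from strict unicast RPF: a packet is accepted only if the best route back to its source address points out the interface it arrived on. The following is an added example, not NetworkSims or Cisco code, that runs that check over a constructed routing table and a few constructed packets and renders the counters in the `show ip verify statistics` layout; the interface names, prefixes and packets are all constructed for the demonstration.

```python
"""Strict unicast RPF as enabled above with `ip verify reverse-path interface`,
run over constructed packets, plus a renderer for the statistics counters.

Added example, not NetworkSims or Cisco code; routing table and traffic are
constructed.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []                        # (network, egress interface)

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))
        return self

    def egress(self, address):
        """Longest-prefix match; returns the egress interface or None."""
        address = ipaddress.ip_address(address)
        best = None
        for net, iface in self.routes:
            if address in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def rpf_passes(table, ingress, source):
    """Strict mode: the route back to the source must leave via the ingress interface."""
    return table.egress(source) == ingress


def filter_packets(table, packets):
    """packets: iterable of (ingress, src, dst). Returns (forwarded, drops per interface)."""
    forwarded, drops = [], {}
    for ingress, src, dst in packets:
        if rpf_passes(table, ingress, src):
            forwarded.append((ingress, src, dst))
        else:
            drops[ingress] = drops.get(ingress, 0) + 1
    return forwarded, drops


def show_ip_verify_statistics(drops):
    """Render counters in the same shape as the appliance's show output."""
    return "\n".join(f"interface {iface}: {n} unicast rpf drops"
                     for iface, n in sorted(drops.items()))


# Constructed topology: inside is 192.168.1.0/24, everything else lies beyond outside.
TABLE = RoutingTable().add("192.168.1.0/24", "inside").add("0.0.0.0/0", "outside")

# Constructed traffic: the second and fourth packets carry sources that do not belong
# on their ingress interface and are what uRPF is there to drop.
PACKETS = [
    ("inside", "192.168.1.10", "198.51.100.7"),    # legitimate egress
    ("outside", "192.168.1.10", "192.168.1.1"),    # internal address arriving from outside
    ("outside", "203.0.113.5", "192.168.1.1"),     # legitimate ingress
    ("inside", "10.9.9.9", "198.51.100.7"),        # inside host using an unrouted source
]

if __name__ == "__main__":
    _, dropped = filter_packets(TABLE, PACKETS)
    print(show_ip_verify_statistics(dropped))
```

One caveat the example exposes: with a default route on outside, strict RPF on that interface can only reject sources that have a more specific route pointing inward, so the inside interface is where address spoofing from the protected network is actually caught.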
The PIX/ASA devices can have multiple default routes, each with a different cost. They can also
have a default route for tunneled traffic, so that non-encrypted traffic without a static route
goes via the normal default gateway, while encrypted traffic without a static route
goes via the tunneled gateway.
Objectives
The objectives of this challenge are to:
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route Glasgow 0 0 192.168.0.1
(config)# route Glasgow 0 0 192.168.0.2
(config)# route Glasgow 0 0 192.168.0.3 tunneled
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route ?
configure mode commands/options:
Current available interface(s):
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Glasgow
Name of interface Ethernet0
(config)# route Glasgow ?
configure mode commands/options:
Hostname or A.B.C.D The foreign network for this route, 0 means default
(config)# route Glasgow 0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
(config)# route Glasgow 0 0 ?
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla ?
configure mode commands/options:
monitor IP Service Level Agreement Monitor
(config)# sla mon ?
configure mode commands/options:
<1-2147483647> Entry Number
schedule
IP SLA Monitor Entry Scheduling
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# ?
IP SLA Monitor Echo Configuration Commands:
default
Set a command to its defaults
exit
Exit probe configuration
frequency
Frequency of an operation
no
Negate a command or set its defaults
num-packets
Number of Packets
request-data-size Request data size
threshold
Operation threshold in milliseconds
timeout
Timeout of an operation
tos
Type Of Service
<cr>
(config-sla-monitor-echo)# freq ?
sla-monitor-echo mode commands/options:
<1-604800> Frequency in seconds
(config-sla-monitor-echo)# num ?
In this case the default gateway is at 192.168.0.2, and its reachability is tracked by SLA monitor 3 through track object 1.
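What the configuration above achieves is that the static default route stays installed only while the echo probe gets answers, and a backup route with a worse administrative distance takes over otherwise. The following is an added example, not NetworkSims or Cisco code, that models the probe and the route selection with constructed probe results; the backup gateway 192.168.0.3 and its administrative distance of 254 are assumptions added to show the failover and are not part of the configuration above.

```python
"""Static-route tracking with an IP SLA echo operation, as configured above
(`sla monitor 3` with timeout 100 and threshold 100, `track 1 rtr 3 reachability`,
`route ... 192.168.0.2 track 1`).

Added example, not NetworkSims or Cisco code. Probe results are constructed;
the backup gateway and its distance are assumptions.
"""


class SlaEcho:
    """One `type echo` operation. A reply within `timeout_ms` means reachable;
    a reply above `threshold_ms` is still reachable but flagged over threshold."""

    def __init__(self, entry, timeout_ms, threshold_ms):
        self.entry = entry
        self.timeout_ms = timeout_ms
        self.threshold_ms = threshold_ms
        self.reachable = None          # unknown until the first probe has run

    def probe(self, rtt_ms):
        """rtt_ms: measured round trip, or None when no reply arrived in time."""
        self.reachable = rtt_ms is not None and rtt_ms <= self.timeout_ms
        over_threshold = self.reachable and rtt_ms > self.threshold_ms
        return self.reachable, over_threshold


class TrackedRoutes:
    """Candidate default routes; a route tied to a track object is installed
    only while that object reports the target reachable."""

    def __init__(self):
        self.candidates = []           # (gateway, administrative distance, SlaEcho or None)

    def add(self, gateway, distance, track=None):
        self.candidates.append((gateway, distance, track))
        return self

    def installed(self):
        return [(gw, ad) for gw, ad, track in self.candidates
                if track is None or track.reachable]

    def default_gateway(self):
        """Lowest administrative distance among the routes currently installed."""
        routes = self.installed()
        return min(routes, key=lambda r: r[1])[0] if routes else None


def build():
    """Constructed setup: tracked primary at distance 1, floating backup at 254 (assumed)."""
    sla3 = SlaEcho(entry=3, timeout_ms=100, threshold_ms=100)
    routes = TrackedRoutes().add("192.168.0.2", 1, track=sla3).add("192.168.0.3", 254)
    return sla3, routes


if __name__ == "__main__":
    sla3, routes = build()
    for rtt in (12, None, 40):
        sla3.probe(rtt)
        print(rtt, "->", routes.default_gateway())
```

Note that reachability, not the threshold, decides whether the route is installed: the threshold only marks slow replies, which is why a loaded but answering gateway keeps the primary route while a silent one flips traffic to the backup after a single missed probe in this model.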
This challenge uses DHCP to track the default route. The device will poll the DHCP server
to determine the default route.
Objectives
The objectives of this challenge are to:
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# dhcp client route track 1
(config-if)# ip address dhcp setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route
Example
# config t
(config)# int e0
(config-if)# nameif Glasgow
(config-if)# dhcp ?
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp
Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe
Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
(config-if)# ip address dhcp ?
interface mode commands/options:
setroute Keyword to set the default route using the default gateway
parameter the DHCP server returns
<cr>
(config-if)# ip address dhcp setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# pppoe client route track 1
(config-if)# ip address pppoe setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
Example
# config t
(config)# int e0
(config-if)# nameif Glasgow
(config-if)# pppoe ?
interface mode commands/options:
client PPPoE client configuration
(config-if)# pppoe client ?
interface mode commands/options:
route
Options for routes installed by pppoe
secondary Options for backup pppoe interfaces
vpdn
Configure VPDN parameters
(config-if)# pppoe client route ?
interface mode commands/options:
distance Administrative distance for pppoe routes
track
Track pppoe routes
(config-if)# pppoe client route track ?
interface mode commands/options:
<1-500> Tracked object number
(config-if)# pppoe client route track 1 ?
interface mode commands/options:
<cr>
(config-if)# pppoe client route track 1
(config-if)# ip ?
interface mode commands/options:
address Configure the ip address and mask for an interface
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp
Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe
Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
(config-if)# ip address pppoe ?
interface mode commands/options:
setroute Keyword to set the default route using the default gateway
parameter the PPPoE server returns
<cr>
(config-if)# ip address pppoe setroute ?
interface mode commands/options:
<cr>
(config-if)# ip address pppoe setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route
Objectives
The objectives of this challenge are to:
Define a route-map.
Define OSPF routing details.
Redistribute routes using the route-map.
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route-map testing permit
(config-route-map)# match metric 1
(config-route-map)# set metric 5
(config-route-map)# set metric-type type-1
(config-route-map)# set tag 1
(config-route-map)# exit
(config)# router ospf 111
(config-router)# network 192.168.0.0 255.255.255.0 area 0
(config-router)# redistribute ospf 1 route-map testing
(config-router)# exit
Example
(config)# route-map ?
configure mode commands/options:
WORD < 58 char Route map tag
(config)# route-map rtest ?
configure mode commands/options:
<0-65535> Sequence to insert to/delete from existing route-map entry
deny
Route map denies set operations
permit
Route map permits set operations
<cr>
(config)# route-map testing permit
(config-route-map)# ?
Route Map configuration commands:
exit
Exit from route-map configuration mode
help
Interactive help for route-map subcommands
match Match values from routing table
no
Negate a command
set
Set values in destination routing protocol
pixfirewall(config-route-map)# match ?
route-map mode commands/options:
interface
Match first hop interface of route
ip
Match IP address or next-hop or route-source
metric
route-type
In this case:
(config)# route-map testing permit
(config-route-map)# match metric 1
(config-route-map)# set metric 5
(config-route-map)# set metric-type type-1
(config-route-map)# set tag 1
(config-route-map)# exit
(config)# router ospf 111
(config-router)# network 192.168.0.0 255.255.255.0 area 0
(config-router)# redistribute ospf 1 route-map testing
(config-router)# exit
will redistribute the routes from OSPF process 1 into OSPF process 111, selecting only the
routes whose metric is 1. The PIX/ASA then redistributes these with a metric of 5, an external
metric type of Type-1, and a tag value of 1.
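Because redistribution is gated by the route-map, the entry order, the match clauses and the implicit deny at the end of every route-map together decide which routes leak between processes. The following is an added example, not NetworkSims or Cisco code: it parses the route-map lines shown above into entries and applies them to constructed candidate routes, returning the rewritten route or None when the route would not be redistributed. The candidate routes and the dictionary layout are constructed; the default sequence number of 10 used when none is given is an assumption.

```python
"""Evaluation of the route-map above during redistribution: `match metric 1`
selects routes, the `set` clauses rewrite them, and anything matching no
entry falls to the implicit deny and is not redistributed.

Added example, not NetworkSims or Cisco code; candidate routes are constructed.
"""


def parse_route_map(lines):
    """Parse `route-map NAME permit|deny [SEQ]`, `match ...` and `set ...` lines
    into entries ordered by sequence number."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "route-map":
            # a default sequence of 10 when none is typed is an assumption here
            seq = int(tokens[3]) if len(tokens) > 3 else 10
            entries.append({"name": tokens[1], "action": tokens[2], "seq": seq,
                            "match": {}, "set": {}})
        elif tokens[0] == "match":
            entries[-1]["match"][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "set":
            entries[-1]["set"][tokens[1]] = " ".join(tokens[2:])
        else:
            raise ValueError("unsupported route-map line: " + line)
    return sorted(entries, key=lambda e: e["seq"])


def _matches(entry, route):
    """All match clauses of an entry must hold (values compared as strings)."""
    return all(str(route.get(key)) == value for key, value in entry["match"].items())


def apply_route_map(entries, route):
    """Return the rewritten route if a permit entry matches first, None if the
    first matching entry denies or nothing matches (implicit deny)."""
    for entry in entries:
        if _matches(entry, route):
            if entry["action"] != "permit":
                return None
            out = dict(route)
            for key, value in entry["set"].items():
                out[key] = int(value) if value.isdigit() else value
            return out
    return None


# The route-map from the configuration above.
ROUTE_MAP = parse_route_map([
    "route-map testing permit",
    "match metric 1",
    "set metric 5",
    "set metric-type type-1",
    "set tag 1",
])

if __name__ == "__main__":
    for candidate in ({"prefix": "10.1.0.0/16", "metric": 1, "tag": 0},
                      {"prefix": "10.2.0.0/16", "metric": 2, "tag": 0}):
        print(candidate["prefix"], "->", apply_route_map(ROUTE_MAP, candidate))
```

The second candidate above is dropped by the implicit deny rather than by any explicit clause, which is the usual surprise when a route-map written to change one attribute turns out to filter everything else.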
Define a route-map.
Define OSPF routing details.
Redistribute routes using the route-map.
Commands
Example
(config)# router ospf 111
(config-router)# network 10.0.0.0 255.0.0.0 area 0
(config-router)# exit
(config)# int e1
(config-if)# ospf ?
interface mode commands/options:
authentication
Enable authentication
authentication-key
Authentication password (key)
cost
Interface cost
database-filter
Filter OSPF LSA during synchronization and flooding
dead-interval
Interval after which a neighbor is declared dead
hello-interval
Time between HELLO packets
message-digest-key
Message digest authentication password (key)
mtu-ignore
Ignores the MTU in DBD packets
network
Network type
priority
Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
transmit-delay
Link state transmit delay
(config-if)# ospf cost ?
interface mode commands/options:
<1-65535> Cost
(config-if)# ospf cost 20
pixfirewall(config-if)# ospf retransmit-interval ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf retransmit-interval 20
(config-if)# ospf transmit-delay ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf transmit-delay 20
(config-if)# ospf priority ?
command, which causes a single summary route to be sent for the network address
2.3.4.0, which should cover all the networks within this area (10).
Default Route. In this case a boundary router generates a default route for the whole of the
OSPF domain. For example:
(config-router)# default-information originate always
forces the boundary device to generate a default route for the OSPF routing domain.
Route Calculation Timers. This relates to the delays used with OSPF for topology
changes, and for SPF (Shortest Path First) calculations. For example:
defines a delay of 10 seconds between receiving a change and starting the SPF calculation,
and a hold time of 20 seconds between consecutive SPF calculations.
Logging Neighbor state. This is used to log the state of neighboring devices. For example:
(config-router)# log-adj-changes detail
Define OSPF.
Define OSPF routing area details.
Define OSPF stub details.
Define route timers.
Define default route.
Define logging of neighbors.
Outline
(config)# router ospf 111
(config-router)# area 1 authentication
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost 15
(config-router)# summary-address 1.2.3.0 255.255.0.0
(config-router)# area 10 range 2.3.4.0 255.255.0.0
(config-router)# default-information originate always
(config-router)# log-adj-changes detail
(config-router)# timers spf 10 10
Example
(config)# router ospf 111
(config-router)# ?
Router configuration commands:
area
OSPF area parameters
compatible
OSPF compatibility list
default-information Control distribution of default information
distance
Define an administrative distance
exit
Exit from router configuration mode
help
Interactive help for router subcommands
ignore
Do not complain about specific event
log-adj-changes
Log changes in adjacency state
neighbor
Specify a neighbor router
network
Add/remove interfaces to/from OSPF routing process
no
Negate a command
redistribute
router-id
summary-address
timers
(config-router)# area ?
router mode commands/options:
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D
OSPF area ID in IP address format
(config-router)# area 1 ?
router mode commands/options:
authentication Enable authentication
default-cost
Set the summary default-cost of a NSSA/stub area
filter-list
Filter networks between OSPF areas
nssa
Specify a NSSA area
range
Summarize routes matching address/mask (border routers only)
stub
Specify a stub area
virtual-link
Define a virtual link and its parameters
<cr>
(config-router)# area 1 authentication
(config-router)# area 1 authentication ?
router mode commands/options:
message-digest Use message-digest authentication
<cr>
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost ?
router mode commands/options:
<0-65535> Stub's advertised external route metric
(config-router)# area 10 default-cost 15
Route summarization allows various routes to be summarized into a single address, which
helps to reduce the size of the routing tables:
(config-router)# summary-address ?
router mode commands/options:
A.B.C.D IP summary address
(config-router)# summary-address 1.2.3.0 ?
router mode commands/options:
A.B.C.D Summary mask
(config-router)# summary-address 1.2.3.0 255.255.0.0
A.B.C.D
The PIX/ASA devices can passively listen to RIP updates, using RIP Version 1 or RIP
Version 2. RIP Version 1 only supports classful addressing, with unencrypted broadcasts,
while RIP Version 2 supports classless addressing, and authentication. This challenge
defines RIP Version 1.
Objectives
The objectives of this challenge are to:
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip Glasgow passive version 1
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip ?
configure mode commands/options:
Current available interface(s):
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Glasgow
Name of interface Ethernet0
(config)# rip Glasgow ?
configure mode commands/options:
default Configure the system to advertise default route
passive Enable the system to passively listen to RIP updates
(config)# rip Glasgow passive ?
configure mode commands/options:
version RIP version, default is RIPv1
<cr>
(config)# rip Glasgow passive version ?
configure mode commands/options:
1 RIP Version 1 (RIPv1)
2 RIP Version 2 (RIPv2)
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip Glasgow passive version 2 authentication text popup
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip ?
configure mode commands/options:
Current available interface(s):
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Glasgow
Name of interface Ethernet0
(config)# rip Glasgow ?
configure mode commands/options:
default Configure the system to advertise default route
passive Enable the system to passively listen to RIP updates
(config)# rip Glasgow passive ?
configure mode commands/options:
version RIP version, default is RIPv1
<cr>
(config)# rip Glasgow passive version ?
configure mode commands/options:
1 RIP Version 1 (RIPv1)
2 RIP Version 2 (RIPv2)
(config)# rip Glasgow passive version 2 ?
configure mode commands/options:
authentication Authenticate using the specified mode
<cr>
(config)# rip Glasgow version 2 authentication ?
configure mode commands/options:
md5
Authenticate using md5 mode
text Authenticate using text mode
(config)# rip Glasgow passive version 2 authentication text ?
configure mode commands/options:
WORD < 17 char The shared key to be used for authentication
(config)# rip Glasgow passive version 2 authentication text popup
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# rip authentication mode text
(config-if)# rip send version 2
(config-if)# rip receive version 2
(config-if)# rip authentication key test key-id 1
(config-if)# exit
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
(config-router)# version 2
(config-router)# passive-interface Glasgow
(config-router)# exit
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# rip ?
interface mode commands/options:
authentication Authentication control
receive
advertisement reception
send
advertisement transmission
(config-if)# rip a ?
interface mode commands/options:
key
Authentication key
mode Authentication mode
(config-if)# rip a m ?
interface mode commands/options:
md5
Keyed message digest
text Clear text authentication
(config-if)# rip a m t ?
(config-router)# network ?
router mode commands/options:
Hostname or A.B.C.D Network address
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
(config-router)# version ?
router mode commands/options:
<1-2> version
exec mode commands/options:
/md5
Compute an MD5 signature for a file
disk0: File to be verified
flash: File to be verified
(config-router)# version 2
(config-router)# default-information ?
router mode commands/options:
originate Distribute a default route
(config-router)# default-information o ?
router mode commands/options:
route-map Route-map reference
<cr>
(config-router)# default-information originate
(config-router)# passive-interface ?
router mode commands/options:
Current available interface(s):
default Suppress routing updates on all interfaces
Glasgow Name of interface ETHERNET0
Inside
Name of interface ETHERNET1
Inf2
Name of interface ETHERNET2
<cr>
(config-router)# passive-interface Glasgow
(config-router)# exit
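The two RIPv2 challenges above both turn on `authentication text` with a shared key, and the earlier note that RIPv1 sends unauthenticated broadcasts is the reason. The following is an added example, not NetworkSims or Cisco code, that builds and parses a RIPv2 response containing the simple-password authentication entry so the receiver's check can be seen and so it is clear what a packet capture of text-mode authentication reveals; the routes and the key are constructed, and only the RFC 2453 wire layout (4-byte header, 20-byte entries, authentication entry with address family 0xFFFF) is taken from the protocol.

```python
"""RIPv2 response with the simple-password authentication entry that
`rip authentication mode text` / `authentication text` enable above.

Added example, not NetworkSims or Cisco code. Routes and key are constructed.
MD5 mode (type 3) carries its digest in a trailing entry and is only
recognised here, not verified.
"""
import socket
import struct

AUTH_TYPES = {2: "simple", 3: "md5"}


def build_ripv2_response(routes, password=None):
    """routes: list of (prefix, mask, next_hop, metric). Returns the message bytes."""
    msg = struct.pack("!BBH", 2, 2, 0)                      # command=response, version=2
    if password is not None:
        key = password.encode("ascii")
        if len(key) > 16:
            raise ValueError("simple password is at most 16 bytes")
        msg += struct.pack("!HH16s", 0xFFFF, 2, key)         # 16s pads with NULs
    for prefix, mask, next_hop, metric in routes:
        msg += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                           socket.inet_aton(mask), socket.inet_aton(next_hop), metric)
    return msg


def parse_ripv2(msg):
    if len(msg) < 4 or (len(msg) - 4) % 20:
        raise ValueError("bad RIP message length")
    command, version, _ = struct.unpack("!BBH", msg[:4])
    auth, routes = None, []
    for off in range(4, len(msg), 20):
        entry = msg[off:off + 20]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == 0xFFFF:
            if off == 4:                                     # auth entry must be first
                atype = struct.unpack("!H", entry[2:4])[0]
                auth = {"type": AUTH_TYPES.get(atype, atype), "data": entry[4:]}
            continue                                         # md5 trailer: skip
        _, tag, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        routes.append({"prefix": socket.inet_ntoa(ip), "mask": socket.inet_ntoa(mask),
                       "next_hop": socket.inet_ntoa(nh), "metric": metric, "tag": tag})
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def accept_update(parsed, configured_password):
    """Receiver's check once text authentication is configured: updates without a
    matching simple-password entry are discarded before any route is learned."""
    auth = parsed["auth"]
    if auth is None or auth["type"] != "simple":
        return False
    return auth["data"].rstrip(b"\0") == configured_password.encode("ascii")


# Constructed advertisement: one route, metric 1, next hop = sender.
ROUTES = [("192.168.1.0", "255.255.255.0", "0.0.0.0", 1)]

if __name__ == "__main__":
    parsed = parse_ripv2(build_ripv2_response(ROUTES, password="popup"))
    print(parsed["auth"], parsed["routes"])
```

Parsing the packet shows the shared key sitting in the clear in bytes 8 to 23, which is exactly what anyone capturing on that segment sees; text mode stops accidental or misconfigured neighbours from injecting routes, but only the md5 mode listed beside it protects the key itself.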
EIGRP routing.
High-availability functionality.
SSL VPN enhancements.
SSL VPN support for Windows Vista and Mac OS X clients is now available.
AnyConnect VPN client.
Local certificate authority.
The PIX/ASA devices can thus run EIGRP routing, which is an enhancement of IGRP.
The main advantage of this protocol is that it only sends out routing information when there
is a change in the topology. EIGRP is one of the new features of the PIX/ASA device.
Objectives
The objectives of this challenge are to:
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# authentication mode eigrp 111 md5
(config-if)# authentication key eigrp 111 testing key-id 1
(config-if)# exit
(config)# router eigrp 111
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# authentication mode eigrp 111 md5
(config-if)# authentication key eigrp 111 testing key-id 1
(config-if)# exit
(config)# router eigrp 111
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
This challenge involves taking a PIX test on routing protocols. The main facts are:
PIX/ASA have used RIP and OSPF, and have now added EIGRP.
RIP uses hop count to determine the best route.
OSPF uses a link-state algorithm to determine the best route.
OSPF uses the DUAL algorithm to determine the best route.
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd enable glasgow
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease 6
(config)# dhcpd domain athome.com
(config)# show dhcpd
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd ?
configure mode commands/options:
address
Configure the IP pool address range after this keyword
auto_config
Enable auto configuration from client
dns
Configure the IP addresses of the DNS servers after this
keyword
domain
Configure DNS domain name after this keyword
enable
Enable the DHCP server
lease
Configure the DHCPD lease length after this keyword
option
Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
wins
Configure the IP addresses of the NETBIOS servers after this
keyword
pixfirewall(config)# dhcpd enable ?
configure mode commands/options:
Available interfaces on which to enable the DHCP server:
Glasgow Name of interface ETHERNET0
Inside
Name of interface ETHERNET1
Inf2
Name of interface ETHERNET2
<cr>
(config)# dhcpd enable glasgow
(config)# dhcpd dn ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd add ?
configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease ?
configure mode commands/options:
<300-1048575> The length of lease, in seconds, granted to DHCP client
from the DHCP server, default is 3600
(config)# dhcpd lease 6
(config)# dhcpd domain ?
configure mode commands/options:
WORD DNS domain name
(config)# dhcpd domain athome.com
(config)# show dhcpd
Outline
Cisco IP phones download their configuration from TFTP servers, whose addresses are not
preconfigured on the phones. They therefore send a DHCP request with option 150 (for a
list of TFTP servers) or option 66 (for a single TFTP server) to discover where their
configuration is held. They may also request the default gateway with option 3.
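The three `dhcpd option` lines in this challenge differ in how their values are encoded on the wire (option 150 and 3 carry one or more 4-byte addresses, option 66 an ASCII string), which is why the CLI asks for `ip` or `ascii`. The following is an added example, not NetworkSims or Cisco code, that encodes those options into the DHCP options field and parses them back with the length checks a parser needs; the option blob is constructed here, not captured from a server.

```python
"""Encoder and parser for the DHCP options used above: 150 (TFTP server list),
66 (TFTP server name, ASCII) and 3 (router).

Added example, not NetworkSims or Cisco code; the options blob is constructed.
"""
import socket
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])
OPTION_KINDS = {3: "ip", 66: "ascii", 150: "ip"}     # mirrors `dhcpd option N ip|ascii`


def encode_option(code, kind, value):
    """One TLV: code, one-byte length, data."""
    if kind == "ip":
        addrs = value if isinstance(value, list) else [value]
        data = b"".join(socket.inet_aton(a) for a in addrs)
    elif kind == "ascii":
        data = value.encode("ascii")
    else:
        raise ValueError("kind must be ip or ascii")
    if len(data) > 255:
        raise ValueError("option data exceeds the one-byte length field")
    return struct.pack("!BB", code, len(data)) + data


def build_options(options):
    """options: list of (code, kind, value). Returns cookie + TLVs + END."""
    return MAGIC_COOKIE + b"".join(encode_option(*o) for o in options) + b"\xff"


def decode(code, data):
    """Decode a known option's data; unknown options are returned raw."""
    kind = OPTION_KINDS.get(code)
    if kind == "ip":
        if len(data) % 4:
            raise ValueError(f"option {code}: length not a multiple of 4")
        return [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data), 4)]
    if kind == "ascii":
        return data.decode("ascii")
    return data


def parse_options(blob):
    """Walk the options field; PAD (0) has no length byte, END (255) stops the walk."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        out[code] = decode(code, data)
        i += 2 + length
    return out


# Constructed options field carrying the three values from the configuration above.
PHONE_OPTIONS = build_options([
    (150, "ip", ["192.168.0.1"]),
    (66, "ascii", "192.168.0.1"),
    (3, "ip", ["192.168.0.2"]),
])

if __name__ == "__main__":
    print(parse_options(PHONE_OPTIONS))
```

From the defender's side the same parser is useful against captured DHCPOFFERs: a phone trusts whatever TFTP server options it is handed, so comparing the option 150/66 values seen on the access segment with the ones configured here is a quick way to spot a second, unauthorised DHCP server, and DHCP snooping on the switch is the control that keeps such offers from reaching the phones at all.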
Objectives
The objectives of this challenge are to:
Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd enable glasgow
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease 6
(config)# dhcpd domain athome.com
(config)# dhcpd option 150 ip 192.168.0.1
(config)# dhcpd option 66 ascii 192.168.0.1
(config)# dhcpd option 3 ip 192.168.0.2
(config)# show dhcpd
Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd ?
configure mode commands/options:
address
Configure the IP pool address range after this keyword
auto_config
dns
Hostname or A.B.C.D IP address of server 1
Commands
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay server 192.168.1.2
(config)# dhcprelay enable Edinburgh
(config)# dhcprelay timeout 10
(config)# exit
# show dhcprelay statistics
# show dhcprelay state
Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay ?
configure mode commands/options:
  enable    Start a DHCP server task on an interface, but at least one
            dhcpdrelay server must be configured before enable is issued
  server    Configure dhcprelay server information
  setroute  Configure the DHCP Relay Agent to change the first default
            router address (in the packet sent from the DHCP server) to
            the address of the client interface
  timeout   Configure timeout, the number of seconds for relay address
            negotiation after this keyword
(config)# dhcprelay server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of dhcprelay server to which
requests are forwarded
(config)# dhcprelay server 192.168.1.2
(config)# dhcprelay setroute ?
configure mode commands/options:
Available client interface names:
  Inf2       Name of interface Ethernet2
  Inside     Name of interface Ethernet1
  Edinburgh  Name of interface Ethernet0
(config)# dhcprelay enable ?
configure mode commands/options:
Available interfaces on which relay agent will accept client requests:
  Inf2       Name of interface Ethernet2
  Inside     Name of interface Ethernet1
  Edinburgh  Name of interface Ethernet0
(config)# dhcprelay enable Edinburgh
(config)# dhcprelay timeout ?
configure mode commands/options:
<1-3600> Enter number of seconds for relay address negotiation, default
is 60 seconds
<cr>
(config)# dhcprelay timeout 10
(config)# exit
# show dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST     0
  DHCPDISCOVER  7
  DHCPREQUEST   3
  DHCPDECLINE   0
  DHCPRELEASE   0
  DHCPINFORM    0
BOOTREPLY       0
  DHCPOFFER     7
  DHCPACK       3
The main application of DDNS is where hosts are continually changing their IP address
(such as in mobile applications) and hosts must still be able to find each other. The mapping is
thus held on a DHCP server. The main advantage of DDNS is that a host can notify a DHCP
server of a change in its configured parameters, typically its hostname and address, so that the
active DNS configuration is updated. The most common DDNS setups are where the
DHCP client updates the A RR and the DHCP server updates the PTR RR, and where the
DHCP server updates both.
In this example the client updates both the A RR and the PTR RR for a defined static IP address.
Objectives
The objectives of this challenge are to:
Define a DDNS update method for the client to update both the A RR and the PTR
RR using the ddns both command.
Associate the DDNS update method with an interface.
Commands
In this example the hostname is defined as myddns.com, which will associate with an IP
address of 192.168.1.1:
# config t
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit
Example
# config t
(config)# ddns ?
configure mode commands/options:
update Configure dynamic DNS update
(config)# ddns update ?
configure mode commands/options:
method Configure dynamic DNS update method
(config)# ddns update method ?
configure mode commands/options:
WORD Dynamic DNS update method name
(config)# ddns update method myddns
(DDNS-update-method)# ?
Dynamic DNS update method configuration commands:
  ddns      IETF standardized Dynamic DNS update
  exit      Exit from DNS dynamic update method configuration mode
  help      Help for Dynamic DNS update method configuration commands
  interval  Specify interval between DNS updates
  no        Negate a command or set its defaults
(DDNS-update-method)# ddns ?
dynupd-method mode commands/options:
both Update both DNS A and PTR records
<cr>
(DDNS-update-method)# ddns both ?
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit
Commands
# config t
(config)# dhcp-client update dns server none
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ip address dhcp
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit
Example
# config t
(config)# dhcp-client ?
configure mode commands/options:
update Configure automatic updates
(config)# dhcp-client update ?
configure mode commands/options:
dns
Commands
# config t
(config)# dhcpd update dns both override
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# dhcp client update dns server none
(config-if)# ip address dhcp
(config-if)# exit
(config)# exit
Example
# config t
pixfirewall(config)# dhcpd ?
configure mode commands/options:
  address       Configure the IP pool address range after this keyword
  auto_config   Enable auto configuration from client
  dns           Configure the IP addresses of the DNS servers after this
                keyword
  domain        Configure DNS domain name after this keyword
  enable        Enable the DHCP server
  lease         Configure the DHCPD lease length after this keyword
  option        Configure options to pass to DHCP clients after this keyword
  ping_timeout  Configure ping timeout value after this keyword
  wins          Configure the IP addresses of the NETBIOS servers after this
                keyword
(config)# dhcpd u ?
configure mode commands/options:
dns Configure DNS dynamic updates
(config)# dhcpd u d ?
configure mode commands/options:
  both       Update both A and PTR DNS records
  interface  Specify interface to which action will apply to
  override   Server overrides client request
  <cr>
(config)# dhcpd u d b ?
configure mode commands/options:
  interface  Specify interface to which action will apply to
  override   Server overrides client request
  <cr>
(config)# dhcpd update dns both override
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address dhcp
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# dhcp c ?
interface mode commands/options:
  route   Options for routes installed by dhcp
  update  Dynamically update information
(config-if)# dhcp c u ?
interface mode commands/options:
dns Dynamic DNS update configuration
(config-if)# dhcp c u d ?
interface mode commands/options:
server Dynamic DNS updates requested of server
<cr>
(config-if)# dhcp c u d s ?
interface mode commands/options:
both Server updates both (A and PTR) records
none Ask server to perform no updates
(config-if)# exit
(config)# exit
Commands
# config t
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
(config)# wccp web-cache
(config)# wccp interface Edinburgh web-cache redirect in
(config)# exit
Example
# config t
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address dhcp
(config-if)# exit
(config)# wccp ?
configure mode commands/options:
  <0-254>    Dynamically defined service identifier number
  interface  Keyword to specify an interface
  web-cache  Standard web caching service
(config)# wccp web ?
configure mode commands/options:
  group-list     Set the access-list used to permit group membership
  password       Authentication password (key)
  redirect-list  Set the access-list used to permit redirection
  <cr>
(config)# wccp web-cache
(config)# wccp interface ?
configure mode commands/options:
Current available interface(s):
  Inf2       Name of interface Ethernet2
  Inside     Name of interface Ethernet1
  Edinburgh  Name of interface Ethernet0
(config)# wccp in Edinburgh ?
configure mode commands/options:
  <0-254>    Dynamically defined service identifier number
  web-cache  Standard web caching service
(config)# wccp in Edinburgh web-cache ?
configure mode commands/options:
redirect Set packet redirection options for the service
(config)# wccp in Edinburgh web-cache redirect ?
configure mode commands/options:
in Redirect to a Cache Engine appropriate ingress packets
(config)# wccp in Edinburgh web-cache redirect in ?
configure mode commands/options:
<cr>
A version number.
A type.
A checksum.
Group. This is the multicast address to be joined.
Thus when a multicast packet is sent, the multicast router knows that at least one host is
interested in receiving packets for a specific multicast address. The router then needs to
implement multicast routing between the routers in order to get the data packet to the host(s).
Multicast routing protocols typically work on two main methods:
Dense mode. This works by flooding data into the network and then pruning back
parts of the tree. This tree represents a set of routers, and the more pruning that is
done, the smaller the tree, and the less bandwidth is wasted in sending
multicast packets. Thus if there are no interested branches within an AS, the
border router sends a prune message to the upstream router.
Sparse mode. This uses a Rendezvous Point (RP), where join messages are sent to
the RP's unicast address. It cuts down bandwidth, and is efficient, but requires
careful configuration on devices.
DVMRP (Distance Vector Multicast Routing Protocol). DVMRP uses IGMP sub-code
13, and implements dense flooding, which is effective but not efficient in its
usage of bandwidth. With this the router floods the whole network at the start, and
then prunes back subnets that are not of interest.
PIM (Protocol Independent Multicast). PIM uses IP protocol 103. In dense mode
operation it operates like DVMRP. It implements joins, prunes, and grafts, where a
graft is the opposite of a prune, and adds a branch back onto the tree.
Enable multicast routing. When this is enabled on the device, IGMP Version 2 is
automatically enabled on the interfaces.
Disable IGMP on E1. This is useful in cutting down on excess traffic, if an interface is
not used for multicast traffic.
Commands
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# no igmp
(config-if)# exit
Example
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# no igmp
(config-if)# exit
Commands
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp join-group 224.0.0.1
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit
Example
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp ?
interface mode commands/options:
  access-group             group membership access
  forward                  forward
  join-group               join multicast group
  limit                    host join limit
  query-interval           host query interval
  query-max-response-time  max query response value
  query-timeout            previous querier timeout
  static-group             static multicast group
  version                  version
  <cr>
(config-if)# igmp join-group ?
interface mode commands/options:
A.B.C.D IP group address
(config-if)# igmp join-group 224.0.0.1
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group ?
interface mode commands/options:
A.B.C.D IP group address
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit
(config)# exit
# show igmp traffic
IGMP Traffic Counters
Elapsed time since counters cleared: 00:00:35
                        Received  Sent
Valid IGMP Packets      10        4
Queries                 5         0
Reports                 2         0
Leaves                  0         0
Mtrace packets          0         0
DVMRP packets           0         0
PIM packets             30        0
Errors:
Malformed Packets       0
Martian source          0
Bad Checksums           0
Commands
# config t
(config)# multicast-routing
(config)# access-list 100 permit igmp host 20.10.10.1 host 224.0.0.1
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp access-group 100
(config-if)# igmp join-group 224.0.0.1
(config-if)# igmp limit 20
(config-if)# igmp query-interval 100
(config-if)# igmp query-timeout 100
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit
Example
# config t
(config)# multicast-routing
(config)# access-list ?
configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny
                   flow maximum. If not specified, the default value is 300 sec
  deny-flow-max
Rendezvous Point (RP). This is a router that is the root of a distribution tree for a
multicast group. Receivers send join messages for a group, and senders send
their data to the RP, so that receivers can discover senders and receive data
from them.
Designated Router (DR). There can be several PIM-SM routers on a local network.
One of these, the DR, acts on behalf of directly connected hosts. An election
process determines the winning interface.
Sparse Mode (SM). PIM-SM is the most popular deployment, and is efficient for
routing to multicast groups that may span many subnets. It constructs a tree from
each sender to the receivers in the multicast group. All routers in a common PIM-SM
domain need to know the RP (Rendezvous Point). The command used for this is pim
rp-address IP. PIM-SM is used when there are very few nodes subscribing to multicast
sessions.
Dense Mode (DM). PIM-DM floods packets throughout the network and then
prunes off the branches where no receivers exist.
Source Specific Mode (SSM).
Bidirectional Mode (Bidir).
For a multicast group (G), the host joins using IGMP. The router then forwards multicast
packets only to the interfaces where hosts have joined the group. Designated Routers
Commands
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# pim
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval 50
(config-if)# pim join-prune-interval 50
(config-if)# exit
(config)# pim rp-address 192.168.0.1
Example
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
  WORD < 49 char  A name by which this interface will be referred in all other
                  commands
(config-if)# nameif Edinburgh
(config-if)# pim ?
interface mode commands/options:
  dr-priority          PIM Hello DR priority
  hello-interval       PIM neighbor Hello announcement interval
  join-prune-interval  PIM periodic Join-Prune announcement interval
  <cr>
(config-if)# pim
(config-if)# pim dr-priority ?
interface mode commands/options:
<0-4294967295> Hello DR priority, preference given to larger value
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval ?
interface mode commands/options:
<1-3600> Hello interval in seconds
(config-if)# pim hello-interval 50
(config-if)# pi join-prune-interval ?
interface mode commands/options:
<10-600> Join-Prune interval in seconds
(config-if)# pi join-prune-interval 50
(config-if)# exit
(config)# pim ?
configure mode commands/options:
  accept-register        Register accept filter
  old-register-checksum  Generate registers compatible with older IOS versions
  rp-address             Configure Sparse-Mode Rendezvous Point
  spt-threshold          Configure threshold for SPT switchover on last-hop
(config)# pim accept-register ?
configure mode commands/options:
  list       Access list
  route-map  Route-map
(config)# pim old-register-checksum ?
configure mode commands/options:
<cr>
Commands
# config t
(config)# access-list 10 standard permit 10.0.0.1 0.0.0.255
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# multicast boundary 10
(config-if)# exit
Example
# config t
(config)# access-list 10 standard permit 10.0.0.1 0.0.0.255
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# multicast boundary 10
(config-if)# exit
Version number (4 bits) contains the version number, such as 6 for IPv6. It is
used to differentiate between IPv4 and IPv6.
Priority (4 bits) indicates the priority of the datagram, and gives 16 levels of
priority (0 to 15). The first eight values (0 to 7) are used where the source is
providing congestion control (traffic that backs off when congestion
occurs). For example, 0 defines no priority, 1 defines background traffic (such as
netnews), 2 defines unattended transfer (such as e-mail) and 3 is reserved. The other
values are used for traffic that will not back off in response to congestion (such as
real-time traffic). The lowest priority for this is 8 (traffic which is the most willing to
be discarded) and the highest is 15 (traffic which is the least willing to be discarded).
Flow label (24 bits) is still experimental, but will be used to identify different data
flow characteristics. It is assigned by the source and can be used to label data packets
which require special handling by IPv6 routers, such as a defined QoS (Quality of
Service) or real-time services.
Payload length (16 bits) defines the size of the IP datagram's payload (the data
attached to the IP header).
Next header indicates which header follows the IP header (it uses the
same values as IPv4). For example: 0 defines IP information; 1 defines ICMP information; 6
defines TCP information and 80 defines ISO-IP.
Hop limit defines the maximum number of hops that the datagram takes as it
traverses the network. Each router decrements the hop limit by 1; when it reaches 0
the datagram is deleted. This field has been renamed from IPv4, where it was called time-to-live,
as the new name better describes the parameter.
IP addresses (128 bits) define the IP addresses. There are three main groups of IP
addresses: unicast, multicast and anycast. A unicast address identifies a particular
host, a multicast address enables the hosts within a particular group to receive the
same packet, and an anycast address addresses a number of interfaces with a
single address.
Figure 1: IPv6 header layout, showing the Version, Priority, Flow label, Payload length,
Next header, Hop limit, Source IP address and Destination IP address fields.
IPv6 addresses do not use the dotted notation and are written in a hexadecimal format, such
as:
114F:0000:0000:0000:0006:0600:4411:CB1D
Often the leading zeros are omitted to give:
114F:0:0:0:6:600:4411:CB1D
This address can be shortened further by converting a run of all-zero groups to a double colon, to give:
114F::6:600:4411:CB1D
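Added example (not from the original page): Python functions that expand an IPv6 address to its full eight-group form and compress it by the rules just described, keeping upper-case hex so the results match the page's addresses. Compression picks the longest run of zero groups (the leftmost on a tie), which goes a little beyond the page's single example.

```python
"""Expand and compress IPv6 addresses by the rules described above: each of the
eight 16-bit groups loses its leading zeros, and the longest run of all-zero
groups is replaced by '::'.  Added example, not from the original page; the
sample addresses are the page's own plus constructed edge cases.  The embedded
IPv4 form (::ffff:1.2.3.4) is not handled."""
from typing import List


def expand(addr: str) -> str:
    """Full form: eight groups of four hex digits, e.g. 114F::6 -> 114F:0000:...:0006."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    out: List[str] = []
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError("bad group %r" % g)
        out.append("%04X" % int(g, 16))  # int() rejects non-hex characters
    return ":".join(out)


def compress(addr: str) -> str:
    """Shortest form: leading zeros dropped and the longest run of two or more
    zero groups (the leftmost on a tie, as RFC 5952 prefers) written as '::'.
    Upper-case hex is kept to match the page; RFC 5952 recommends lower case."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:          # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    hexed = ["%X" % g for g in groups]
    if best_len < 2:                  # a single zero group is written as '0'
        return ":".join(hexed)
    left = ":".join(hexed[:best_start])
    right = ":".join(hexed[best_start + best_len:])
    return left + "::" + right


if __name__ == "__main__":
    for a in ("114F:0000:0000:0000:0006:0600:4411:CB1D", "2001:400:3:1::1"):
        print(expand(a), "->", compress(a))
```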
Link-local. These have a scope on the local link (which are the nodes on the same
subnet).
Site-local. These have a scope within the organization (private site addressing).
Global. These have global scope and are IPv6 Internet addresses.
Of the 128 bit global unicast addresses, the format can be viewed as:
Objectives
The objectives of this challenge are to:
Define IPv6 on E0 using the autoconfig option for the address (ipv6 address
autoconfig) which enables stateless autoconfiguration, where the interface itself
configures its own address based on the prefixes it receives from Router
Advertisements (using the Modified EUI-64 Interface ID).
Define IPv6 neighbor discovery to learn about neighboring devices.
Define a static IPv6 mapping (if the automated discovery does not work).
Define the default route.
Commands
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# int e1
(config-if)# ipv6 address 2001:400:3:1::1/64
(config-if)# ipv6 enable
(config-if)# ipv6 nd ns-interval 1000
(config-if)# ipv6 nd ra-interval 1000
(config-if)# ipv6 nd reachable-time 100
(config-if)# ipv6 nd prefix 0800::/64
(config-if)# exit
(config)# ipv6 route outside ::/0 2001:400:3:1::1
(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
# sh ipv interface
# sh ipv6 route
Step-by-step
(config)#
int e0
! The next command defines that the interface builds its own IPv6 address
! based on Router Advertisements:
(config-if)# ipv6 address autoconfig
int e1
! The next command assigns a global address on the interface, which automatically creates a
! link-local address (using the Interface ID):
(config-if)# ipv6 address 2001:400:3:1::1/64
! IPv6 contains a duplicate address detection system. The interval between neighbor
! solicitation messages is defined with the following (in this case 1000 milliseconds):
(config-if)# ipv6 nd ns-interval 1000
! The interval between IPv6 router advertisement retransmissions on an interface can be defined
! with:
(config-if)# ipv6 nd ra-interval 1000
! The time that a remote IPv6 node is considered reachable after a reachability confirmation event
! has occurred, is defined with:
(config-if)# ipv6 nd reachable-time 100
! The IPv6 prefix which is included in IPv6 router advertisements is defined with:
(config-if)# ipv6 nd prefix 0800::/64
(config-if)# exit
! To define a default route:
(config)# ipv6 route outside ::/0 2001:400:3:1::1
! To define a static entry, if discovery does not work:
(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
(config)# exit
# sh ipv interface
# sh ipv6 route
Example
(config)# int e0
(config-if)# ipv6 ?
interface mode commands/options:
IPv6 interface subcommands:
  address  Configure IPv6 address on interface
  enable   Enable IPv6 on interface
  nd       IPv6 interface Neighbor Discovery subcommands
(config-if)# ipv6 address ?
interface mode commands/options:
  Hostname or X:X:X:X::X  IPv6 link-local address
  X:X:X:X::X/<0-128>      IPv6 prefix
  autoconfig              Obtain address using autoconfiguration
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# int e1
(config-if)# ipv6 address 2001:400:3:1::1/64
(config-if)# ipv6 enable
(config-if)# ipv6 nd ?
# sh ipv6 interface
outside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77d9 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77d9
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
inside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77da [TENTATIVE]
Global unicast address(es):
2001:400:3:1::1, subnet is 2001:400:3:1::/64 [TENTATIVE]
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77da
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
# sh ipv6 route
IPv6 Routing Table - 2 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
fe80::/10 [0/0]
via ::, outside
via ::, inside
via ::, inf2
ff00::/8 [0/0]
via ::, outside
via ::, inside
via ::, inf2
The unicast address contains 128 bits, and has the following fields:
Field Prefix (FP) field (3 bits). This identifies whether the address is unicast, multicast,
and so on. A value of 001 identifies aggregatable global unicasts.
Top-Level Aggregation Identifier (TLA ID) field (13 bits). This is used to identify the
authority responsible for the address at the highest level of the routing hierarchy.
Res field (8 bits). This is reserved so that the TLA or NLA IDs can be expanded for
future use.
NLA ID field (24 bits). This is used to identify ISPs, and can be organized to reflect a
hierarchy, or multitiered relationship, among providers.
SLA ID field (16 bits). This is used by individual organizations in order to define a
local addressing hierarchy and to identify subnets.
Interface ID field (64 bits). This uses an IEEE EUI-64 format and is a unique ID for
the network interface. In Ethernet-type networks, it uses the 16 bits from the MAC
address of the network port.
RFC 3513 defines the IPv6 addressing architecture, and specifies that all IPv6 addresses,
apart from those beginning with 000, have a 64-bit interface ID in the Modified EUI-64 format. In
this challenge the PIX/ASA is set up to check the received source IPv6 address against the
source MAC address, so that the sending interface has used the Modified EUI-64 format. If it
has not, the packet is dropped, and an error message is shown.
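Added example of the check the text describes, written in Python rather than taken from the PIX/ASA code: it derives the Modified EUI-64 interface ID from a source MAC and compares it with the low 64 bits of the source IPv6 address. The MAC 00:0d:65:85:77:d9 is inferred from the link-local address fe80::20d:65ff:fe85:77d9 in the sh ipv6 interface output above; the other test addresses are constructed.

```python
"""Check whether an IPv6 source address carries a Modified EUI-64 interface ID
derived from a given source MAC, the test the text says ipv6 enforce-eui64
performs.  Added example in Python, not the PIX/ASA implementation; the MAC
is derived from the sh ipv6 interface output above and other values are
constructed."""
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:0d:65:85:77:d9, 00-0d-65-85-77-d9 or Cisco's 000d.6585.77d9."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % mac)
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """8-byte Modified EUI-64: split the 48-bit MAC in the middle, insert FF:FE
    and invert the universal/local bit (0x02 of the first octet)."""
    m = bytearray(mac_to_bytes(mac))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def interface_id(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address given in any textual form."""
    return ipaddress.IPv6Address(addr).packed[8:]


def link_local_from_mac(mac: str) -> str:
    """The fe80::/64 address a node autoconfigures from this MAC."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac)))


def source_matches_mac(src_ipv6: str, src_mac: str) -> bool:
    """True when the source address's interface ID is the Modified EUI-64 of
    the source MAC; False is the case in which the firewall drops the packet."""
    return interface_id(src_ipv6) == modified_eui64(src_mac)


if __name__ == "__main__":
    mac = "000d.6585.77d9"   # derived from fe80::20d:65ff:fe85:77d9 in the output above
    print(link_local_from_mac(mac))
    print(source_matches_mac("2001:400:3:1:20d:65ff:fe85:77d9", mac))  # autoconfigured
    print(source_matches_mac("2001:400:3:1::1", mac))                  # manually assigned
```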
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
Example
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 ?
configure mode commands/options:
  access-list    Configure access policy for IPv6 traffic through the system
  enforce-eui64  Enforce correct EUI-64 source address
  icmp           Configure access rules for ICMPv6 traffic terminating at an
                 interface
  neighbor       Neighbor
  route          Configure IPv6 routes
(config)# ipv6 enforce-eui64 ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Outside Name of interface Ethernet0
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
Commands
(config)# ipv6 access-list testing deny ip 3EFE:3031:5::/48 any
(config)# ipv6 access-list testing deny ip 3EFE:3031:8::/48 any
(config)# ipv6 access-list testing permit ip any any
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
(config)# access-group testing interface inside
(config)# access-group testing interface outside
Example
(config)# ipv6 ?
configure mode commands/options:
  access-list    Configure access policy for IPv6 traffic through the system
  enforce-eui64  Enforce correct EUI-64 source address
  icmp           Configure access rules for ICMPv6 traffic terminating at an
                 interface
  neighbor       Neighbor
  route          Configure IPv6 routes
(config)# ipv6 access-list ?
configure mode commands/options:
WORD Access list identifier
(config)# ipv6 access-list testing ?
configure mode commands/options:
  deny    Specify packets to reject
  line    Use this to specify line number at which ACE should be entered
  permit  Specify packets to forward
  remark  Specify a comment (remark) for the access-list after this keyword
Outline
This challenge involves taking a PIX test on IPv6. The main facts are:
CLI access login. This involves the user authentication for login to the device.
Privilege mode authentication. This defines the privileged level for the access. With a
Cisco device the highest privileged level is 15.
Command authentication. This defines the commands that can be executed for given
levels of user authentication.
Network access authentication.
VPN authentication/authorization.
The local user database is also useful as a fallback: when the back-end user
authentication system, such as a RADIUS server, fails, the local database should still work.
Objectives
The objectives of this challenge are to:
Commands
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif texas
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username bert password test privilege 15
amsterdam (config)# username anne password test
amsterdam (config)# username anne attrib
amsterdam (config-username)# service-type nas-prompt
Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif texas
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username ?
configure mode commands/options:
WORD < 65 char Enter the name of the user. A minimum of 4 characters is
required. A maximum of 64 characters is allowed.
amsterdam (config)# username anne ?
configure mode commands/options:
  attributes  Enter the attributes sub-command mode for the specified user
  nopassword  Indicates that this user has no password
  password    The password for this user
amsterdam (config)# username anne password ?
configure mode commands/options:
WORD Enter the password for this user
amsterdam (config)# username anne password test
amsterdam (config)# username bert password test ?
configure mode commands/options:
  encrypted     Indicates the <password> entered is encrypted
  mschap        The password will be converted to unicode and hashed using MD4.
                User entries must be created this way if they are to be
                authenticated using MSCHAPv1 or MSCHAPv2
  nt-encrypted
  privilege
  <cr>
(config)# aaa authentication
(config)# aaa authentication
(config)# aaa authentication
(config)# aaa authentication
The console keyword is important as it defines that management sessions are authenticated,
whereas local defines that the local database is used.
Also users can be authenticated for the enable mode with:
(config)# aaa authentication enable console MYLOCAL
Where level 15 is the level required for the enable password command. Also the aaa-server
command can be used to intercept any outgoing AAA requests to the local database:
(config)# aaa-server MYLOCAL protocol local
Objectives
The objectives of this challenge are to:
Commands
> enable
# config t
(config)# int e0
(config-if)# nameif california
(config-if)# exit
(config)# int e1
(config-if)# nameif texas
(config-if)# exit
(config)# int e2
(config-if)# nameif newyork
(config-if)# exit
(config)# username bert password test privilege 15
(config)# username anne password test
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL
Example
> enable
# config t
(config)# int e0
(config-if)# nameif california
(config-if)# exit
(config)# int e1
(config-if)# nameif texas
(config-if)# exit
(config)# int e2
(config-if)# nameif newyork
(config-if)# exit
(config)# username bert password test privilege 15
(config)# username anne password test
pixfirewall(config)# aaa-s ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
pixfirewall(config)# aaa-s MYLOCAL ?
configure mode commands/options:
(
Open parenthesis for the name of the network interface
where the designated AAA server is accessed
deadtime
Specify the amount of time that will elapse between the
disabling of the last server in the group and the
subsequent re-enabling of all servers
host
Enter this keyword to specify the IP address for the
server
max-failed-attempts Specify the maximum number of failures that will be
allowed for any server in the group before that server
is deactivated
protocol
Enter the protocol for a AAA server group
(config)# aaa-server MYLOCAL protocol ?
configure mode commands/options:
http-form Protocol HTTP form-based
kerberos
Protocol Kerberos
ldap
Protocol LDAP
local
Protocol Local
nt
Protocol NT
radius
Protocol RADIUS
sdi
Protocol SDI
tacacs+
Protocol TACACS+
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa ?
configure mode commands/options:
accounting
Configure user accounting parameters
authentication Configure user authentication parameters
authorization
Configure user authorization parameters
local
AAA Local method options
mac-exempt
Configure MAC Exempt parameters
proxy-limit
Configure number of concurrent proxy connections allowed per
user
(config)# aaa authentication ?
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL
This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit
Which defines that the server is on the (newyork) interface and has an address of 1.2.3.4.
With RADIUS a shared key is used, which is defined by the key command. This must be the
same as the key defined on the server. In this case the authentication and accounting ports
are defined as 1645 and 1646, respectively.
The main settings for RADIUS are:
Accounting-port. This is the port on which the RADIUS server listens for accounting
communications. Default = 1646.
Authentication-port. This is the port on which the RADIUS server listens for
authentication communications. Default = 1645.
Retry-interval. This is the time that the device will wait for the RADIUS server to
respond before it tries again. Default = 10 seconds.
Timeout. This is the time that the device will wait before it times out the
communication. Default = 10 seconds.
Key. This is the shared key that the device and the server will use.
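The shared key and port settings above, as an added Python example that is not part of the NetworkSims text: it builds a RADIUS Access-Request as RFC 2865 defines it, hides the User-Password with the key, and has a constructed server answer it, so that a key mismatch between firewall and server shows up as a reject whose Response Authenticator fails to verify. The user database, the server function and the request identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the NetworkSims text: the RADIUS Access-Request
# and reply as RFC 2865 defines them, to show where the shared key set with
# the "key" command is used on both sides. USER_DB is a constructed sample.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
AUTHENTICATION_PORT, ACCOUNTING_PORT = 1645, 1646  # the page's values (RFC 2865 uses 1812/1813)
USER_DB = {b"anne": b"test"}  # constructed: the user created on the page


def _attr(attr_type, value):
    """One Type-Length-Value attribute; the length covers its 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator. This is
    obfuscation keyed on the shared secret, not authenticated encryption."""
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """The server's inverse: same keystream, chained on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth):
    attrs = _attr(ATTR_USER_NAME, user)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """Client-side check; fails when the server used a different key."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request, server_secret):
    """Constructed RADIUS server: unhide the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    ok = USER_DB.get(attrs.get(ATTR_USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, server_secret)


def exchange(client_secret, server_secret, user, password, ident=7):
    """One request/reply; returns (reply code, reply authenticator verified)."""
    request_auth = os.urandom(16)
    request = build_access_request(ident, user, password, client_secret, request_auth)
    reply = server_handle(request, server_secret)
    return reply[0], verify_response(reply, request_auth, client_secret)
```

With matching keys exchange(b"testkey", b"testkey", b"anne", b"test") yields an Access-Accept that verifies; with a mismatched server key the same request comes back as a reject that fails verification, which is all the firewall sees of a wrong key.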
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server test protocol radius
(config-aaa-server-group)# max-failed-attempts 5
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
pixfirewall(config)# aaa-server ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
pixfirewall(config)# aaa-server test ?
configure mode commands/options:
(
Open parenthesis for the name of the network interface
where the designated AAA server is accessed
deadtime
Specify the amount of time that will elapse between the
disabling of the last server in the group and the
subsequent re-enabling of all servers
host
Enter this keyword to specify the IP address for the
server
max-failed-attempts Specify the maximum number of failures that will be
allowed for any server in the group before that server
is deactivated
protocol
Enter the protocol for a AAA server group
pixfirewall(config)# aaa-server test protocol ?
configure mode commands/options:
kerberos Protocol Kerberos
ldap
Protocol LDAP
nt
Protocol NT
radius
Protocol RADIUS
sdi
Protocol SDI
tacacs+
Protocol TACACS+
(config)# aaa-server test protocol radius
(config-aaa-server-group)# ?
AAA server configuration commands:
accounting-mode
Enter this keyword to specify accounting mode
exit
Exit from aaa-server group configuration mode
help
Help for AAA server configuration commands
max-failed-attempts Specify the maximum number of failures that will be
allowed for any server in the group before that server
is deactivated
no
Remove an item from aaa-server group configuration
reactivation-mode
Specify the method by which failed servers are
reactivated
(config-aaa-server-group)# max-failed-attempts ?
retry-interval
Specify the amount of time between retry attempts
timeout
Specify the maximum time to wait for response from
configured server
transactions
(config-aaa-server-host)# key ?
aaa-server-host mode commands/options:
WORD < 129 char Enter an alphanumeric string up to 128 characters
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# accounting-port ?
aaa-server-host mode commands/options:
<0-65535> Enter port number (0 - 65535)
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# retry-interval ?
aaa-server-host mode commands/options:
<1-10> Number of seconds (1 - 10)
(config-aaa-server-host)# retry-interval 10
This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
Which defines that the server is on the (newyork) interface, and has an address of 1.2.3.4.
With RADIUS a shared key is used, which is defined by the key command. This must be the
same as the key defined on the server.
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol tacacs+
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server test (newyork) host 1.2.3.4
Which defines that the server is on the (newyork) interface, and has an address of 1.2.3.4.
With LDAP the main parameters which can be set are:
ldap-base-dn
ldap-defaults
ldap-dn
ldap-login-dn
ldap-login-password
ldap-naming-attribute
ldap-scope
timeout
server-port
For LDAP the PIX/ASA passes the user details (username and password) to the LDAP server in
plaintext by default. If this is seen as a security problem, the username and password can be
sent over an SSL connection using the ldap-over-ssl command. Also the LDAP server type can
be Sun, Microsoft or auto-detect; this is defined with the server-type command.
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# ?
AAA server configuration commands:
exit
Exit from aaa-server host configuration mode
help
Help for AAA server configuration commands
ldap-attribute-map
Specify the name of the LDAP attribute mapping table
ldap-base-dn
Specify the location to begin searching in the LDAP
hierarchy
ldap-login-dn
Specify the DN to be used to bind to the LDAP server
ldap-login-password
Specify password to be used to bind to the LDAP server
ldap-naming-attribute Specify the Relative Distinguished Name attribute that
uniquely identifies an entry on the LDAP server
ldap-over-ssl
Specify if an SSL connection is needed to the LDAP
server
ldap-scope
Specify the extent of the search in the LDAP hierarchy
no
Remove an item from aaa-server host configuration
sasl-mechanism
Specify which authentication mechanism(s) to use with
the LDAP server
server-port
Specify the port number to be used for AAA operations
server-type
Specify the vendor of the LDAP server
timeout
Specify the maximum time to wait for response from
configured server
(config-aaa-server-host)# ldap-over-ssl ?
aaa-server-host mode commands/options:
enable Require an SSL connection to the LDAP server
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type ?
aaa-server-host mode commands/options:
auto-detect Specify the vendor of the LDAP server is auto-detected
microsoft
Specify the vendor of the LDAP server is Microsoft
sun
Specify the vendor of the LDAP server is Sun
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism ?
aaa-server-host mode commands/options:
digest-md5 select Digest-MD5
kerberos
select Kerberos
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# exit
Where:
ldap-scope subtree searches all the levels beneath the base DN (Distinguished
Name).
ldap-base-dn location123 defines that location123 is the location to begin searching
in the LDAP hierarchy
ldap-login-dn testing123 defines that testing123 is the DN used to bind to the
LDAP server.
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# tunnel-group TEST type ipsec-ra
(config)# tunnel-group TEST general-attributes
(config-general)# authorization-server-group LDAP1
(config-general)# exit
(config)# aaa-server LDAP1 protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-login-dn testing123
(config-aaa-server-host)# ldap-base-dn location123
(config-aaa-server-host)# ldap-scope subtree
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
(config)# tunnel-group TEST ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes
Enter the ipsec-attributes sub command mode
type
Enter the type of this group-policy
(config)# tunnel-group TEST type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra
IPSec Remote Access group
(config)# tunnel-group TEST type ipsec-ra
(config)# tunnel-group TEST general-attributes
(config-general)# ?
group_policy configuration commands:
accounting-server-group
Enter name of the accounting server group
address-pool
Enter a list of address pools to assign
addresses from
authentication-server-group Enter name of the authentication server group
authorization-server-group
Enter name of the authorization server group
default-group-policy
Enter name of the default group policy
dhcp-server
Enter IP address or name of the DHCP server
exit
Exit from tunnel-group general attribute configuration mode
help
Help for tunnel group configuration commands
no
Remove an attribute value pair
strip-group
Enable strip-group processing
strip-realm
Enable strip-realm processing
(config-general)# authorization-server-group ?
tunnel-group-general mode commands/options:
WORD < 17 char Name of authorization server group
(config-general)# authorization-server-group LDAP1
(config-general)# exit
(config)# aaa-server LDAP1 protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-login-dn ?
aaa-server-host mode commands/options:
LINE < 129 char The DN used to bind to the LDAP server
(config-aaa-server-host)# ldap-login-dn testing123
(config-aaa-server-host)# ldap-base-dn ?
aaa-server-host mode commands/options:
LINE < 129 char The location to begin searching in the LDAP hierarchy
(config-aaa-server-host)# ldap-base-dn location123
(config-aaa-server-host)# ldap-scope ?
aaa-server-host mode commands/options:
onelevel Search only one level beneath the Base DN
subtree
Search all levels beneath the Base DN
(config-aaa-server-host)# ldap-scope subtree
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# exit
(config)# ldap attribute-map testing
(config-ldap-attribute-map)# map-name testing Cisco1
(config-ldap-attribute-map)# map-value testing Cisco2
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# exit
(config)# ldap ?
configure mode commands/options:
attribute-map keyword
(config)# ldap attribute-map ?
configure mode commands/options:
LINE < 64 char Enter LDAP Mapping Name
(config)# ldap attribute-map testing
(config-ldap-attribute-map)# ?
LDAP commands:
exit
Exit from LDAP Attribute configuration mode
map-name
map-name configuration
map-value map-value configuration
no
Remove a LDAP configuration
(config-ldap-attribute-map)# map-name ?
ldap mode commands/options:
WORD Enter Customer Atribute Name.
cVPN3000-LDAP-Password
cVPN3000-LDAP-Request-Type
cVPN3000-LDAP-Scope
cVPN3000-LDAP-Version
cVPN3000-MS-Client-Subnet-Mask
cVPN3000-PFS-Required
cVPN3000-PPTP-Encryption
cVPN3000-PPTP-MPPC-Compression
cVPN3000-Primary-DNS
cVPN3000-Primary-WINS
cVPN3000-Require-HW-Client-Auth
cVPN3000-Require-Individual-User-Auth
cVPN3000-Required-Client-Firewall-Description
cVPN3000-Required-Client-Firewall-Product-Code
cVPN3000-Required-Client-Firewall-Vendor-Code
cVPN3000-SEP-Card-Assignment
cVPN3000-Secondary-DNS
cVPN3000-Secondary-WINS
cVPN3000-Simultaneous-Logins
cVPN3000-Strip-Realm
cVPN3000-TACACS-Authtype
cVPN3000-TACACS-Privilege-Level
cVPN3000-Tunnel-Group-Lock
cVPN3000-Tunneling-Protocols
cVPN3000-Use-Client-Address
cVPN3000-User-Auth-Server-Name
cVPN3000-User-Auth-Server-Port
cVPN3000-User-Auth-Server-Secret
cVPN3000-WebVPN-ACL-Filters
cVPN3000-WebVPN-Apply-ACL-Enable
cVPN3000-WebVPN-Citrix-Support-Enable
cVPN3000-WebVPN-Content-Filter-Parameters
cVPN3000-WebVPN-Enable-Functions
cVPN3000-WebVPN-Exchange-NETBIOS-Name
cVPN3000-WebVPN-Exchange-Server-Address
cVPN3000-WebVPN-File-Access-Enable
cVPN3000-WebVPN-File-Server-Browsing-Enable
cVPN3000-WebVPN-File-Server-Entry-Enable
cVPN3000-WebVPN-Forwarded-Ports
cVPN3000-WebVPN-Homepage
cVPN3000-WebVPN-Port-Forwarding-Auto-Download-Enable
cVPN3000-WebVPN-Port-Forwarding-Enable
cVPN3000-WebVPN-Port-Forwarding-Exchange-Proxy-Enable
cVPN3000-WebVPN-Port-Forwarding-HTTP-Proxy-Enable
cVPN3000-WebVPN-Port-Forwarding-Name
cVPN3000-WebVPN-SVC-Client-DPD
cVPN3000-WebVPN-SVC-Compression
cVPN3000-WebVPN-SVC-Enable
cVPN3000-WebVPN-SVC-Gateway-DPD
cVPN3000-WebVPN-SVC-Keep-Enable
cVPN3000-WebVPN-SVC-Keepalive
cVPN3000-WebVPN-SVC-Rekey-Method
cVPN3000-WebVPN-SVC-Rekey-Period
cVPN3000-WebVPN-SVC-Required-Enable
cVPN3000-WebVPN-Single-Sign-On-Server-Name
cVPN3000-WebVPN-URL-Entry-Enable
cVPN3000-WebVPN-URL-List
cVPN3000-X509-Cert-Data
(config-ldap-attribute-map)# map-name testing cVPN3000-WebVPN-URL-List
(config-ldap-attribute-map)# map-value ?
ldap mode commands/options:
customer-attribute-names:
(config-ldap-attribute-map)# map-value testing cVPN3000-WebVPN-URL-List
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
which will authenticate all Telnet, SSH, FTP, HTTP and HTTPS accesses on the inside
interface, for all source and destination addresses (where 0 is the same as 0.0.0.0). In this
case SERVERTAG is the tag that defines the authentication server group, such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication ?
configure mode commands/options:
command Specify this keyword to allow command authorization to be configured
for all administrators on all consoles
exclude Exclude the service, local and foreign network which needs to be
authenticated, authorized, and accounted
include Include the service, local and foreign network which needs to be
authenticated, authorized, and accounted
match
Specify this keyword to configure an ACL to match
(config)# aaa authentication include ?
configure mode commands/options:
WORD
Specify <protocol[/<port>] as the service to be authorized or
accounted
any
Specify all TCP as the service to be authenticated, authorized or
accounted
ftp
Specify FTP as the service to be authenticated, authorized or
accounted
http
Specify HTTP as the service to be authenticated, authorized or
accounted
https
Specify HTTPS as the service to be authenticated, authorized or
accounted
icmp/
Specify icmp/<port> as the service to be authorized or accounted
ssh
Specify SSH as the service to be authenticated, authorized or
accounted
tcp/
Specify tcp/<port> as the service to be authenticated, authorized or
accounted
tcp/0
Specify all TCP as the service to be authenticated, authorized or
accounted
telnet Specify telnet as the service to be authenticated, authorized or
accounted
udp/
Specify udp/<port> as the service to be authorized or accounted
(config)# aaa authentication include telnet ?
configure mode commands/options:
Current available interface(s):
newyork Name of interface Ethernet0
(config)# aaa authentication include te newyork ?
configure mode commands/options:
Hostname or A.B.C.D The address and mask of the local/internal host which is
source or destination for connections requiring
authentication
(config)# aaa authentication include telnet newyork 0 ?
configure mode commands/options:
A.B.C.D Network mask to apply to <local ip address>
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
which defines that all Telnet accesses will be authenticated against user credentials. If a
more complex method of filtering is required, ACLs can be used to determine the traffic to
be authenticated. For example:
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST inside SERVERTAG
which will authenticate all incoming traffic from 192.168.0.0/24, and also all FTP and HTTP
accesses on the inside interface. In this case SERVERTAG is the tag that defines the
authentication server group, such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
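As an added Python model, not from the NetworkSims text, of the two forms just described (the include form with its local/foreign address pairs, and the ACL match form): it parses the page's own lines and reports which server-group tag a given connection is authenticated against. The model assumes that local means the connection's source and foreign its destination, that ACL entries are evaluated first-match with an implicit deny, and that "0" is read as 0.0.0.0.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the NetworkSims text: a model of how the PIX
# decides whether a through-connection must be authenticated, covering the
# page's "aaa authentication include ..." and "aaa authentication match
# <acl> ..." forms. Assumptions of the model: local = the connection's
# source, foreign = its destination, first-match ACLs with an implicit deny.

SERVICE_PORTS = {"telnet": ("tcp", 23), "ssh": ("tcp", 22), "ftp": ("tcp", 21),
                 "http": ("tcp", 80), "https": ("tcp", 443)}
Conn = namedtuple("Conn", "iface src dst proto dport")  # one through-connection


def _net(addr, mask):
    """'0 0' on the page is shorthand for 0.0.0.0 0.0.0.0, i.e. any host."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens):
    # Consume one ACL address operand: "any" or "<addr> <mask>"
    if tokens[0] == "any":
        return _net("0", "0"), tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]


class AaaPolicy:
    def __init__(self):
        self.includes, self.matches, self.acls = [], [], {}

    def configure(self, line):
        """Accept one configuration line in the forms this page uses."""
        w = line.split()
        if w[:3] == ["aaa", "authentication", "include"]:
            svc, iface, la, lm, fa, fm, tag = w[3:10]
            self.includes.append((svc, iface, _net(la, lm), _net(fa, fm), tag))
        elif w[:3] == ["aaa", "authentication", "match"]:
            self.matches.append((w[3], w[4], w[5]))
        elif w[:1] == ["access-list"]:
            self.acls.setdefault(w[1], []).append(w[2:])
        else:
            raise ValueError(f"unsupported line in this model: {line}")

    def _ace_hits(self, ace, conn):
        """Return (entry matches conn, entry action is permit)."""
        action, rest = ace[0], ace[1:]
        src_ip, dst_ip = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
        if rest[0] not in ("ip", "tcp", "udp"):  # "permit <addr> <mask>": source net only
            return src_ip in _net(rest[0], rest[1]), action == "permit"
        proto, rest = rest[0], rest[1:]
        src, rest = _operand(rest)
        dst, rest = _operand(rest)
        port_ok = True
        if rest[:1] == ["eq"]:
            want = SERVICE_PORTS[rest[1]][1] if rest[1] in SERVICE_PORTS else int(rest[1])
            port_ok = conn.dport == want
        hit = proto in ("ip", conn.proto) and src_ip in src and dst_ip in dst and port_ok
        return hit, action == "permit"

    def _acl_permits(self, name, conn):
        for ace in self.acls.get(name, []):
            hit, permit = self._ace_hits(ace, conn)
            if hit:
                return permit
        return False  # implicit deny: traffic the ACL does not list is not challenged

    def auth_server_for(self, conn):
        """Server-group tag the connection is authenticated against, or None."""
        src_ip, dst_ip = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
        for svc, iface, local, foreign, tag in self.includes:
            svc_ok = ((svc == "any" and conn.proto == "tcp")
                      or SERVICE_PORTS.get(svc) == (conn.proto, conn.dport))
            if svc_ok and iface == conn.iface and src_ip in local and dst_ip in foreign:
                return tag
        for acl, iface, tag in self.matches:
            if iface == conn.iface and self._acl_permits(acl, conn):
                return tag
        return None


# Constructed configuration made from the lines this page uses
PAGE_CONFIG = """\
aaa authentication include telnet outside 0 0 0 0 SERVERTAG
access-list TEST permit 192.168.0.0 255.255.255.0
access-list TEST permit tcp any any eq ftp
access-list TEST permit tcp any any eq http
aaa authentication match TEST inside SERVERTAG"""


def build_policy(config=PAGE_CONFIG):
    policy = AaaPolicy()
    for line in config.splitlines():
        policy.configure(line)
    return policy
```

Running build_policy().auth_server_for(...) on a few constructed connections shows the difference between the two forms: Telnet on outside is challenged by the include line, SSH on outside is not, and on inside anything from 192.168.0.0/24 plus FTP and HTTP from anywhere hits the ACL.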
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa ?
configure mode commands/options:
accounting
Configure user accounting parameters
authentication Configure user authentication parameters
authorization
Configure user authorization parameters
local
AAA Local method options
mac-exempt
Configure MAC Exempt parameters
proxy-limit
Configure number of concurrent proxy connections allowed per
user
(config)# aaa authentication ?
configure mode commands/options:
command Specify this keyword to allow command authorization to be configured
for all administrators on all consoles
exclude Exclude the service, local and foreign network which needs to be
authenticated, authorized, and accounted
include Include the service, local and foreign network which needs to be
authenticated, authorized, and accounted
match
Specify this keyword to configure an ACL to match
(config)# aaa authentication match TEST newyork SERVERTAG
Along with this, devices can be exempted from authentication with a MAC list, such as:
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
which will allow the devices with the MAC addresses 00c0.0000.0001 and 00c0.0000.0002
to pass through without authentication. This is then applied with:
(config)# aaa mac-exempt match MACLIST
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication secure-http-client
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
(config)# aaa mac-exempt match MACLIST
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication secure-http-client
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG
(config)# mac-list ?
configure mode commands/options:
WORD Mac list identifier
(config)# mac-list MACLIST ?
configure mode commands/options:
deny
Specify packets to reject
permit Specify packets to forward
(config)# mac-list MACLIST permit ?
configure mode commands/options:
H.H.H Match based on source MAC address
(config)# mac-list MACLIST permit 00c0.0000.0001
which defines a limit for 50 active connections for each user. The maximum number that can
be set is 128, and the default is 16. Also the timeout for inactivity after a successful
authentication is defined with:
(config)# timeout uauth 00:30:00 inactivity
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
(config)# aaa proxy-limit 50
(config)# timeout uauth 00:30:00 inactivity
(config)# exit
# show uauth
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
(config)# aaa proxy-limit ?
configure mode commands/options:
<1-128> Number of concurrent proxy connections allowed per user (1 - 128),
default is 16
disable Disable concurrent proxy connections
(config)# aaa proxy-limit 50
(config)# timeout ?
configure mode commands/options:
conn
Configure idle time after which a TCP connection state
will be closed, default is 1:00:00
h225
Configure idle time after which an H.225 signaling conn
will be closed, default is 1:00:00
h323
Configure idle time after which an H.323 control connection
will be closed, default is 0:05:00
half-closed Configure idle time after which a TCP half-closed connection
will be freed, default is 0:10:00
icmp
Configure idle timeout for ICMP, default is 0:00:02
mgcp
Configure idle time after which an MGCP media connection
will be closed, default is 0:05:00
mgcp-pat
Configure the time after which an MGCP PAT Xlate
will be removed, default is 0:05:00
sip
Configure idle time after which a SIP control connection
will be closed, default is 0:30:00
sip_media
Configure idle time after which a SIP Media connection
will be closed, default is 0:02:00
sunrpc
Configure idle time after which a SUNRPC slot
uauth
udp
xlate
# show uauth
                        Current   Most Seen
Authenticated Users         1         1
Authen In Progress          0         1
# sh uauth ?
WORD  User name
|     Output modifiers
# sh uauth fred
                        Current   Most Seen
Authenticated Users         0         0
Authen In Progress          0         0
(config)# aaa accounting include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include http outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include https outside 0 0 0 0 SERVERTAG
which will account for all Telnet, SSH, FTP, HTTP and HTTPS accesses on the inside interface,
for all source and destination addresses (where 0 is the same as 0.0.0.0). In this case
SERVERTAG is the tag that defines the accounting server group, such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
Objectives
The objectives of this challenge are to:
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa accounting include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include http outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include https outside 0 0 0 0 SERVERTAG
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4
(config)# aaa accounting include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include http outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include https outside 0 0 0 0 SERVERTAG
Key commands
Local authentication:
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL
RADIUS authentication:
(config)# aaa-server TEST protocol radius
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server TEST (inside) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit
Tacacs+ authentication:
(config)# aaa-server TEST protocol tacacs+
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server TEST (inside) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
Initially the failover cable connects between the PIX devices (primary and secondary). The
cable end marked "Primary" is connected to the primary unit, and the other end to the
secondary unit.
The IP address of an interface and its standby address can be defined with:
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
Next the Stateful Failover link is defined, such as:
(config)# failover link inf2 e2
In this case inf2 is the name given to the failover link and e2 is the physical interface that
carries it. Next an IP address and standby address for the Stateful Failover link can be assigned:
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
Objectives
The objectives of this challenge are to:
Enable failover.
Define failover addresses.
Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover link inf2 e2
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
(config)# failover
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover link inf2 e2
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
(config)# failover
Where E2 is used as the failover link, and the standby addresses for E0 and E1 are
192.168.0.2 and 192.168.1.2, respectively.
15 Windows/UNIX host
Windows Challenge 1
Outline
This challenge involves the configuration of network properties for Windows.
Objectives
The objectives of this challenge are to:
Example
> ping 192.168.0.1
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
> ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 4:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
> ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : freds
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Wireless Network Connection 4:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
> tracert 192.168.0.20
Tracing route to 192.168.0.20 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  bills [192.168.0.3]
Trace complete.
Windows Challenge 2
Outline
This challenge involves the configuration of network properties for Windows.
Objectives
The objectives of this challenge are to:
Use NSLOOKUP.
Show the ARP cache.
Show the Windows version.
Use IPCONFIG to show details.
Example
Press return to boot!
Booting PC...in Windows XP
>
Use: VER, IPCONFIG, IPCONFIG /ALL, NSLOOKUP, ARP -a, ARP, NET, TRACERT or PING
> nslookup www.intel.com
Name: www.intel.com
Address: 84.53.136.24
> arp -a
Interface: 192.168.0.3 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-38-4d-10-d6-43     dynamic
C:\> ver
Microsoft Windows XP [Version 5.1.2600]
> ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 4:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
> ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : freds
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Wireless Network Connection 4:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
Windows Challenge 3
Outline
This challenge involves the configuration of network properties for Windows.
Objectives
The objectives of this challenge are to:
Use netstat.
Use assoc.
Use chkdsk.
Example
C:\> netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
  -a          Displays all connections and listening ports.
  -b          Displays the executable involved in creating each connection or
              listening port (requires administrative rights).
  -e          Displays Ethernet statistics; may be combined with -s.
  -n          Displays addresses and port numbers in numerical form.
  -o          Displays the owning process ID associated with each connection.
  -p proto    Shows connections for the protocol specified (TCP, UDP, TCPv6 or
              UDPv6); with -s, proto may also be IP, IPv6, ICMP or ICMPv6.
  -r          Displays the routing table.
  -s          Displays per-protocol statistics.
  -v          With -b, displays the sequence of components involved in creating
              the connection or listening port.
  interval    Redisplays the selected statistics every interval seconds; Ctrl+C stops.
C:\> netstat -a
Active Connections
  Proto  Local Address          Foreign Address         State
  TCP    freds:smtp             freds:0                 LISTENING
  TCP    freds:http             freds:0                 LISTENING
  TCP    freds:epmap            freds:0                 LISTENING
  TCP    freds:https            freds:0                 LISTENING
  TCP    freds:microsoft-ds     freds:0                 LISTENING
  TCP    freds:1026             freds:0                 LISTENING
  TCP    freds:2393             freds:0                 LISTENING
  TCP    freds:2394             freds:0                 LISTENING
  TCP    freds:2725             freds:0                 LISTENING
  TCP    freds:3389             freds:0                 LISTENING
  TCP    freds:8674             localhost:62514         ESTABLISHED
  TCP    freds:8679             localhost:62514         ESTABLISHED
  TCP    freds:8680             localhost:62516         ESTABLISHED
  TCP    freds:8681             localhost:62516         ESTABLISHED
  TCP    freds:8898             localhost:8899          ESTABLISHED
  TCP    freds:8899             localhost:8898          ESTABLISHED
  TCP    freds:8901             localhost:8902          ESTABLISHED
  TCP    freds:8902             localhost:8901          ESTABLISHED
  TCP    freds:62514            freds:0                 LISTENING
  TCP    freds:62514            localhost:8674          ESTABLISHED
  TCP    freds:62514            localhost:8679          ESTABLISHED
  TCP    freds:62516            freds:0                 LISTENING
  TCP    freds:62516            localhost:8680          ESTABLISHED
  TCP    freds:62516            localhost:8681          ESTABLISHED
  TCP    freds:netbios-ssn      freds:0                 LISTENING
  TCP    freds:9106             s.nowhere.ac.uk:1026    ESTABLISHED
  TCP    freds:9111             mail.nowhere.ac.uk:1402 ESTABLISHED
  TCP    freds:netbios-ssn      freds:0                 LISTENING
  UDP    freds:snmp             *:*
  UDP    freds:microsoft-ds     *:*
  UDP    freds:isakmp           *:*
  UDP    freds:983              *:*
  UDP    freds:1276             *:*
  UDP    freds:1775             *:*
  UDP    freds:2325             *:*
  UDP    freds:2326             *:*
  UDP    freds:3456             *:*
  UDP    freds:4500             *:*
  UDP    freds:9109             *:*
  UDP    freds:ntp              *:*
  UDP    freds:1900             *:*
  UDP    freds:2126             *:*
  UDP    freds:62514            *:*
  UDP    freds:ntp              *:*
  UDP    freds:netbios-ns       *:*
  UDP    freds:netbios-dgm      *:*
  UDP    freds:1900             *:*
  UDP    freds:ntp              *:*
  UDP    freds:netbios-ns       *:*
  UDP    freds:netbios-dgm      *:*
  UDP    freds:1900             *:*
C:\> netstat -b
Active Connections
  Proto  Local Address          Foreign Address         State           PID
  TCP    freds:8674             localhost:62514         ESTABLISHED     3660
  [vpngui.exe]
  TCP    freds:8679             localhost:62514         ESTABLISHED     976
  [ipseclog.exe]
  TCP    freds:8680             localhost:62516         ESTABLISHED     260
  [cvpnd.exe]
  TCP    freds:8681             localhost:62516         ESTABLISHED     3660
  [vpngui.exe]
  TCP    freds:8898             localhost:8899          ESTABLISHED     2160
  [firefox.exe]
  TCP    freds:8899             localhost:8898          ESTABLISHED     2160
  [firefox.exe]
  TCP    freds:8901             localhost:8902          ESTABLISHED     2160
  [firefox.exe]
  TCP    freds:8902             localhost:8901          ESTABLISHED     2160
  [firefox.exe]
  TCP    freds:62514            localhost:8679          ESTABLISHED     260
  [cvpnd.exe]
  TCP    freds:62514            localhost:8674          ESTABLISHED     260
  [cvpnd.exe]
  TCP    freds:62516            localhost:8681          ESTABLISHED     976
  [ipseclog.exe]
  TCP    freds:62516            localhost:8680          ESTABLISHED     976
  [ipseclog.exe]
  TCP    freds:9106             s.nowhere.ac.uk:1026    ESTABLISHED     3648
  [OUTLOOK.EXE]
  TCP    freds:9111             mail.nowhere.ac.uk:1402 ESTABLISHED     3648
  [OUTLOOK.EXE]
C:\> netstat -e
Interface Statistics
                           Received            Sent
Bytes                      88491198            45842271
Unicast packets            164944              153335
Non-unicast packets        452                 296
Discards                   0                   0
Errors                     0                   2
Unknown protocols          1007
C:\> netstat -n
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8674         127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:8679         127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:8680         127.0.0.1:62516        ESTABLISHED
  TCP    127.0.0.1:8681         127.0.0.1:62516        ESTABLISHED
  TCP    127.0.0.1:8898         127.0.0.1:8899         ESTABLISHED
  TCP    127.0.0.1:8899         127.0.0.1:8898         ESTABLISHED
  TCP    127.0.0.1:8901         127.0.0.1:8902         ESTABLISHED
  TCP    127.0.0.1:8902         127.0.0.1:8901         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:8674         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:8679         ESTABLISHED
  TCP    127.0.0.1:62516        127.0.0.1:8680         ESTABLISHED
  TCP    127.0.0.1:62516        127.0.0.1:8681         ESTABLISHED
  TCP    10.0.212.177:9106      10.0.8.10:1026         ESTABLISHED
  TCP    10.0.212.177:9111      10.0.222.7:1402        ESTABLISHED
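The netstat listings above are the raw material of host triage: the -a output shows a workstation listening on SMTP, HTTP, HTTPS, SNMP, RDP (3389) and SMB, and -b ties each socket to a process. Reading that by eye does not scale, so the following Python, an added example that is not part of the NetworkSims material, parses the numeric form with PIDs (the layout that netstat -ano prints) and reports two things an analyst looks for first: sockets listening on something other than loopback, and established sessions whose peer lies outside loopback and RFC 1918 space. The sample listing, hosts, ports and PIDs are constructed; the "internal" ranges are a deliberate simplification and can be widened for a given site.

```python
"""Triage helper for Windows 'netstat -ano' output (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample in the layout 'netstat -ano' prints on Windows XP and later
# (numeric addresses plus the owning PID); the hosts, ports and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:8674         127.0.0.1:62514        ESTABLISHED     3660
  TCP    10.0.212.177:9111      10.0.222.7:1402        ESTABLISHED     3648
  TCP    192.168.0.3:4123       198.51.100.7:443       ESTABLISHED     2160
  TCP    [::]:135               [::]:0                 LISTENING       776
  UDP    0.0.0.0:161            *:*                                    1120
  UDP    127.0.0.1:1900         *:*                                    1060
"""

# Address space that does not count as "external" for triage: loopback,
# link-local and the RFC 1918 ranges. Deliberately narrower than
# ipaddress.is_private, which also treats the documentation ranges as private.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str              # "*" for UDP
    remote_port: Optional[int]  # None for UDP
    state: str                  # "" for UDP
    pid: int


def _endpoint(text: str):
    """Split 'host:port'; IPv6 hosts are bracketed, UDP foreign is '*:*'."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # blank line, banner or column header
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # tolerate lines we do not understand
        lip, lport = _endpoint(local)
        rip, rport = _endpoint(remote)
        rows.append(Socket(proto, lip, lport, rip, rport, state, int(pid)))
    return rows


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL)


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP listeners and UDP sockets bound to anything other than loopback."""
    out = [s for s in sockets
           if (s.proto == "UDP" or s.state == "LISTENING")
           and not ipaddress.ip_address(s.local_ip).is_loopback]
    return sorted(out, key=lambda s: (s.proto, s.local_port))


def external_connections(sockets: List[Socket]) -> List[Socket]:
    """Established TCP sessions whose peer is outside loopback/RFC 1918 space."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and not _is_internal(s.remote_ip)]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in exposed_listeners(socks):
        print(f"listening  {s.proto} {s.local_ip}:{s.local_port}  pid {s.pid}")
    for s in external_connections(socks):
        print(f"external   {s.local_ip}:{s.local_port} -> "
              f"{s.remote_ip}:{s.remote_port}  pid {s.pid}")
```

On a real host feed it the output of netstat -ano (run elevated so PIDs are populated) and cross-reference the PIDs against tasklist or netstat -b; the interesting findings are listeners that have no business on a workstation and outbound sessions from processes that should not be talking to the Internet.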
C:\> netstat -r
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 00 34 02 f0 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Deterministic Network Enhancer Miniport
0x3 ...00 03 0d 36 38 99 ...... Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Deterministic Network Enhancer Miniport
0x20005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Deterministic Network Enhancer Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2      25
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
         10.0.0.0      255.255.0.0     10.0.212.177   10.0.212.177      25
         10.0.1.0    255.255.255.0     10.0.212.177   10.0.212.177       1
         10.0.2.0    255.255.255.0     10.0.212.177   10.0.212.177       1
         10.0.5.0    255.255.255.0     10.0.212.177   10.0.212.177       1
         10.0.8.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.13.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.14.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.15.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.16.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.22.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.26.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.27.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.28.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.29.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.30.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.31.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.35.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.36.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.37.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.50.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.62.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.63.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.64.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.65.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.74.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.75.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.76.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.77.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.78.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.79.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.80.0    255.255.255.0     10.0.212.177   10.0.212.177       1
        10.0.81.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.101.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.102.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.103.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.112.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.140.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.162.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.163.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.165.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.166.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.210.2  255.255.255.255      192.168.0.1    192.168.0.2       1
       10.0.211.0    255.255.255.0     10.0.212.177   10.0.212.177       1
     10.0.212.177  255.255.255.255        127.0.0.1      127.0.0.1      25
       10.0.221.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.222.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.223.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.244.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.246.0    255.255.255.0     10.0.212.177   10.0.212.177       1
       10.0.247.0    255.255.255.0     10.0.212.177   10.0.212.177       1
     10.0.255.255  255.255.255.255     10.0.212.177   10.0.212.177      25
      192.168.0.0    255.255.255.0      192.168.0.2    192.168.0.2      25
      192.168.0.1  255.255.255.255      192.168.0.2    192.168.0.2       1
      192.168.0.2  255.255.255.255        127.0.0.1      127.0.0.1      25
    192.168.0.255  255.255.255.255      192.168.0.2    192.168.0.2      25
        224.0.0.0        240.0.0.0     10.0.212.177   10.0.212.177      25
        224.0.0.0        240.0.0.0      192.168.0.2    192.168.0.2      25
  255.255.255.255  255.255.255.255     10.0.212.177   10.0.212.177       1
  255.255.255.255  255.255.255.255      192.168.0.2              3       1
  255.255.255.255  255.255.255.255      192.168.0.2    192.168.0.2       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
C:\> netstat -s
IPv4 Statistics
  Packets Received                   = 182154
  Received Header Errors             = 0
  Received Address Errors            = 55
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 514
  Received Packets Delivered         = 181638
  Output Requests                    = 176717
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 4
  Reassembly Successful              = 2
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0
ICMPv4 Statistics
                            Received    Sent
  Messages                  12902       12974
  Errors                    0           22
  Destination Unreachable   5965        5964
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     3           6985
  Echo Replies              6934        3
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
TCP Statistics for IPv4
  Active Opens                        = 1970
  Passive Opens                       = 315
  Failed Connection Attempts          = 26
  Reset Connections                   = 440
  Current Connections                 = 14
  Segments Received                   = 150768
  Segments Sent                       = 145270
  Segments Retransmitted              = 52
UDP Statistics for IPv4
  Datagrams Received    = 12003
  No Ports              = 24829
  Receive Errors        = 1
  Datagrams Sent        = 18306
C:\> set
ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Fred\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=freds
ComSpec=C:\WINDOWS\system32\cmd.exe
DISPLAY=localhost:0.0
EDITOR=vi
C:\> bootcfg /?
BOOTCFG /parameter [arguments]
Description:
    This command line tool can be used to configure, query, change or
    delete the boot entry settings in the BOOT.INI file.
Parameter List:
    /Copy       Makes a copy of an existing boot entry [operating
                systems] section for which you can add OS options to.
    /Delete     Deletes an existing boot entry.
    /Query      Displays the current boot entries and their settings.
    /Raw        Adds OS load options, exactly as given, to a boot entry.
    /Timeout    Sets the boot menu timeout.
    /Default    Sets the default boot entry.
    /EMS        Configures Emergency Management Services (headless) support.
    /Debug      Configures kernel debugging for a boot entry.
    /Addsw      Adds predefined OS load options to a boot entry.
    /Rmsw       Removes predefined OS load options from a boot entry.
    /Dbg1394    Configures 1394 (FireWire) port debugging.
    /?          Displays this help message.
Examples:
    BOOTCFG /Copy /?
    BOOTCFG /Delete /?
    BOOTCFG /Query /?
    BOOTCFG /Raw /?
    BOOTCFG /Timeout /?
    BOOTCFG /EMS /?
    BOOTCFG /Debug /?
    BOOTCFG /Addsw /?
    BOOTCFG /Rmsw /?
    BOOTCFG /Dbg1394 /?
    BOOTCFG /Default /?
    BOOTCFG /?
C:\> bootcfg
Boot Loader Settings
--------------------
timeout: 30
default: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
Boot Entries
------------
Boot entry ID:   1
Friendly Name:   "Microsoft Windows XP Professional"
Path:            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
OS Load Options: /noexecute=optin /noexecute=alwaysoff /fastdetect
Look closely at the OS load options: /noexecute=alwaysoff turns Data Execution Prevention off for every process, and listing it next to /noexecute=optin leaves the entry ambiguous at best. A hardened build carries a single /noexecute setting (optin or optout) and never alwaysoff; bootcfg is how you find and correct that on an XP-era BOOT.INI.
C:\> diskpart
Microsoft DiskPart version 5.1.3565
Copyright (C) 1999-2003 Microsoft Corporation.
On computer: freds
C:\> assoc
.aac=Winamp.File
.aif=AIFFFile
.ARC=WinZip
.ARJ=WinZip
.asf=Winamp.File
UNIX Challenge 4
Outline
This challenge involves the configuration of network properties for UNIX.
Objectives
The objectives of this challenge are to:
Example
% ifconfig eth0 192.168.0.1 netmask 255.255.255.0
% ifconfig eth0 mtu 1500
% ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Reply from 192.168.0.1: bytes=32 time=1ms TTL=128
Reply from 192.168.0.1: bytes=32 time=1ms TTL=128
Reply from 192.168.0.1: bytes=32 time=1ms TTL=128
Reply from 192.168.0.1: bytes=32 time=1ms TTL=128
UNIX Challenge 5
Outline
This challenge involves the configuration of network properties for UNIX.
Objectives
The objectives of this challenge are to:
Example
% ls
% cd bin
[/bin ]% ls
[/bin ]% cd /etc
[/etc ]% ls
[/etc ]% nslookup www.intel.com
Name: www.intel.com
Address: 84.53.136.24
[/etc ]% cat hosts
138.38.32.45 bath
198.4.6.3 compuserve
193.63.76.2 niss
148.88.8.84 hensa
146.176.2.3 janet
146.176.151.51 sun
[/etc ]% cat protocols
# The form for each entry is:
# "official protocol name" "protocol number" "aliases"
# Internet (IP) protocols
ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
ggp 3 GGP # gateway-gateway protocol
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
[/etc ]% cat netgroups
# The format for each entry is: groupname member1 member2 ...
# (hostname, username, domainname)
engineering hardware software (host3, mikey, hp)
hardware (hardwhost1, chm, hp) (hardwhost2, dae, hp)
software (softwhost1, jad, hp) (softwhost2, dds, hp)
[/etc ]% cat passwd
root:FDEc6.32:1:0:Super user:/user:/bin/csh
fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh
[/etc ]% cat groups
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
freds_grp::4:fred,fred2,fred3
[/etc ]% cat mnttab
/dev/dsk/c201d6s0 / hfs defaults 0 1 850144122 1
/dev/dsk/c201d5s0 /win hfs defaults 1 2 850144127 1
castor:/win /net/castor_win nfs rw,suid 0 0 850144231 0
miranda:/win /net/miranda_win nfs rw,suid 0 0 850144291 0
spica:/usr/opt /opt nfs rw,suid 0 0 850305936 0
triton:/win /net/triton_win nfs rw,suid 0 0 850305936 0
[/etc ]% cat inetd.conf
# "service_name" "sock_type" "proto" "flags" "user" "server_path" "args"
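The passwd file shown above is worth a second look before moving on: the hashes sit in the second field of a world-readable file rather than in a shadow file, the root account carries UID 1 rather than 0, and the group file lists members that may or may not exist. These are exactly the checks an auditor runs on any UNIX host, so here is a small Python audit, an added example that is not part of the NetworkSims material. The sample passwd and group text is constructed: its first lines mirror the layout printed above, the remaining accounts (toor, guest, svc, the wheel group) are made up to exercise each check, and the finding codes are this example's own.

```python
"""Audit of /etc/passwd and /etc/group contents (added example)."""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample. The first three passwd lines mirror the layout shown above;
# the remaining accounts and the wheel group are made up to exercise the checks.
SAMPLE_PASSWD = """\
root:FDEc6.32:1:0:Super user:/user:/bin/csh
fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh
toor:x:0:0:Backdoor:/:/bin/sh
guest::101:100:Guest:/home/guest:/bin/sh
svc:x:101:100:Service account:/var/svc:/bin/false
"""

SAMPLE_GROUP = """\
root::0:root
other::1:root,hpdb
freds_grp::4:fred,fred2,fred3
wheel::10:fred,guest
"""

# Finding codes (this example's own vocabulary).
EMPTY_PASSWORD = "EMPTY_PASSWORD"      # second field empty: logs in with no password
HASH_IN_PASSWD = "HASH_IN_PASSWD"      # hash kept in world-readable passwd, not shadow
UID0_ALIAS = "UID0_ALIAS"              # an account other than root with UID 0
ROOT_NOT_UID0 = "ROOT_NOT_UID0"        # root is not UID 0
SHARED_UID = "SHARED_UID"              # two accounts share one UID
UNKNOWN_MEMBER = "UNKNOWN_MEMBER"      # group lists a user passwd does not define
PRIVILEGED_GROUP = "PRIVILEGED_GROUP"  # non-root member of a root-equivalent group


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def parse_group(text: str) -> Dict[str, List[str]]:
    """Returns {group name: [members]}; the member list may be empty."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups


def _is_placeholder(field: str) -> bool:
    """'x', '*', '!' and friends mean 'look in shadow' or 'locked', not a hash."""
    return field in ("x", "*", "!", "!!", "NP") or field.startswith(("!", "*"))


def audit(entries: List[PasswdEntry], groups: Dict[str, List[str]],
          privileged_groups=("root", "wheel")) -> List[Tuple[str, str]]:
    findings = []
    uid_count = Counter(e.uid for e in entries)
    known = {e.name for e in entries}
    for e in entries:
        if e.passwd == "":
            findings.append((e.name, EMPTY_PASSWORD))
        elif not _is_placeholder(e.passwd):
            findings.append((e.name, HASH_IN_PASSWD))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, UID0_ALIAS))
        if e.name == "root" and e.uid != 0:
            findings.append((e.name, ROOT_NOT_UID0))
        if uid_count[e.uid] > 1:
            findings.append((e.name, SHARED_UID))
    for gname, members in groups.items():
        for m in members:
            if m not in known:
                findings.append((f"{gname}:{m}", UNKNOWN_MEMBER))
            elif gname in privileged_groups and m != "root":
                findings.append((f"{gname}:{m}", PRIVILEGED_GROUP))
    return findings


if __name__ == "__main__":
    for subject, code in audit(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)):
        print(f"{code:17} {subject}")
```

Against the files on a real host the same two parsers read /etc/passwd and /etc/group directly; on the system shown above the audit would report every account as HASH_IN_PASSWD (the fix is to move the hashes into a shadow file readable only by root) and root as ROOT_NOT_UID0.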
UNIX Tutorial
MOVING AROUND
Initially you will be in the top-level (/).
1 List the directory with the ls command.
What directories are available?
1 Enter the arp command, and determine the options used with arp.
2 Enter the arp -a command, to show the current arp table
List some of the MAC addresses and IP mappings.
SHOWING PROCESSES
The ps command can be used to show currently running processes.
1 Enter the ps command, and determine the currently running processes for the user.
2 Enter the ps -al command, and all the running processes
List some of the processes.
3 Enter the ps -ef command, for a more complete list of running processes
List some of the processes.
LISTING KEY NETWORK FILES
Many of the key network configuration files are in the /etc directory.
1 Go to the /etc directory with cd /etc.
2 Enter the cat hosts command, and determine its contents.
List some of the contents.
3 Enter the cat passwd command, and determine its contents.
List some of the contents.
4 Enter the cat protocols command, and determine its contents.
List some of the contents.
5 Enter the cat rpc command, and determine its contents.
List some of the contents.
6 Enter the cat services command, and determine its contents.
List some of the contents.
7 Enter the cat aliases command, and determine its contents.
List some of the contents.
8 Enter the cat mnttab command, and determine its contents.
Netstat
1 Enter the netstat command.
List some of the open ports, for both the source and the destination.
2 Enter the netstat -i command to list information on the interfaces.
List the information given.
3 Enter the netstat -nr command to list the routing table.
List the information given.
4 Enter the netstat -m command to show the buffers.
List the information given.
5 Enter the netstat -s command to show protocol summaries.
List the information given.
DHCP files
DHCP allocates IP addresses to nodes dynamically, with the lease keyed to the client's MAC address.
1 Go into the /var folder with cd /var
2 Go into the /var/dhcp folder with cd dhcp
List the files in this folder.
3 Enter the cat dhcptab command, to list the contents of dhcptab
Outline its contents
4 Enter the cat 152_10_6_0 command, to list the contents of 152_10_6_0
Outline its contents
16 CCNP ISCW
Cisco Router Challenge 1
Outline
This challenge involves the configuration of the E0 port on a router.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int e0
(config-if)# ip address 36.109.222.1 255.255.255.128
(config-if)# no shutdown
(config-if)# description testing123
(config-if)# speed 10
(config-if)# duplex half
(config-if)# end
Objectives
Example
> en
# config t
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# int e0
(config-if)# ip access-group 2 in
Example
> en
# config t
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# access-list 2
(config)# int s0
(config-if)# ip access-group 2 in
Example
> en
# config t
(config)# access-list 105 ?
deny
Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit
Specify packets to forward
remark
Access list entry comment
(config)# access-list 105 permit ?
<0-255> An IP protocol number
ahp
Authentication Header Protocol
eigrp
Cisco's EIGRP routing protocol
esp
Encapsulation Security Payload
gre
Cisco's GRE tunneling
icmp
Internet Control Message Protocol
igmp
Internet Gateway Message Protocol
igrp
Cisco's IGRP routing protocol
ip
Any Internet Protocol
ipinip
IP in IP tunneling
nos
KA9Q NOS compatible IP over IP tunneling
ospf
OSPF routing protocol
pcp
Payload Compression Protocol
pim
Protocol Independent Multicast
tcp
Transmission Control Protocol
udp
User Datagram Protocol
(config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
(config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
(config)# access-list 105 permit tcp 100.120.83.0 0.0.0.255 71.252.23.0 0.0.0.255 eq ftp
(config)# access-list 105 deny tcp 35.208.170.0 0.0.0.255 184.124.8.0 0.0.0.255 eq ftp
IOS access lists take a wildcard mask, not a subnet mask: a 1 bit means "ignore this bit", so a /24 is written 0.0.0.255. Writing 255.255.255.0 in that position would ignore the first three octets and match only addresses ending in .0, which is almost certainly not what was intended. Note also that eq ftp matches the control connection on port 21 only; the FTP data connection is not covered by these entries.
Example
> en
# config t
(config)# ip access-list ?
extended
Extended Access List
log-update Control access list log updates
logging
Control access list logging
standard
Standard Access List
(config)# ip access-list standard ?
<1-99> Standard IP access-list number
WORD   Access-list name
(config)# ip access-list standard leeds
(config-std-nacl)# deny ?
Hostname or A.B.C.D Address to match
any
Any source host
host
A single host address
(config-std-nacl)# deny host 193.34.245.4
(config-std-nacl)# permit host 16.21.50.10
(config-std-nacl)# deny 18.223.156.0 0.15.255.255
(config-std-nacl)# permit 139.32.80.0 0.15.255.255
(config-std-nacl)# exit
(config)# int s0
(config-if)# ip access-group ?
<1-199>
IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD
Access-list name
(config-if)# ip access-group leeds in
(config-if)# exit
(config)# ip access-list extended tennessee
(config-ext-nacl)# deny ?
<0-255> An IP protocol number
ahp
Authentication Header Protocol
eigrp
Cisco's EIGRP routing protocol
esp
Encapsulation Security Payload
gre
Cisco's GRE tunneling
icmp
Internet Control Message Protocol
igmp
Internet Gateway Message Protocol
igrp
Cisco's IGRP routing protocol
ip
Any Internet Protocol
ipinip
IP in IP tunneling
nos
KA9Q NOS compatible IP over IP tunneling
ospf
OSPF routing protocol
pcp
Payload Compression Protocol
pim
Protocol Independent Multicast
tcp
Transmission Control Protocol
udp
User Datagram Protocol
(config-ext-nacl)# deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet
(config-ext-nacl)# permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet
(config-ext-nacl)# deny tcp 54.83.187.0 0.0.0.255 101.167.107.0 0.0.0.255 eq telnet
(config-ext-nacl)# permit tcp 56.248.48.0 0.0.0.255 138.236.218.0 0.0.0.255 eq telnet
(config-ext-nacl)# exit
(config)# int s1
(config-if)# ip access-group tennessee in
As with numbered extended lists, the masks are wildcard masks (0.0.0.255 for a /24). Every access list ends with an implicit deny any, so anything not matched by one of the permit entries above, including all non-Telnet traffic arriving on s1, is dropped.
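The matching rules behind both the standard list leeds and the extended list tennessee are simple enough to write down, and doing so makes the wildcard-mask point concrete. The following Python is an added example and not NetworkSims code: it implements IOS wildcard comparison (a 1 bit means "do not care"), first-match evaluation and the implicit deny, loads the two lists exactly as written above (with 0.0.0.255 wildcards), and also builds the permit entry with a 255.255.255.0 "wildcard" to show what that would really match. The parser is my own simplification of the IOS syntax and only knows the port names and protocols listed in it.

```python
"""IOS access-list matching: wildcard masks, first match, implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names accepted after "eq" in this simplified parser.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "http": 80, "https": 443}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # from "eq <port>", if present

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == dport))


def _take_address(tokens: List[str]):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W (wildcard optional)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and tokens[0].count(".") == 3 else "0.0.0.0"
    return tok, wc


def parse_ace(line: str) -> Ace:
    """Parse one entry body, e.g. 'permit tcp any host 10.1.1.1 eq 22' or 'deny host 10.1.1.2'."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    if tokens[0] in PROTOCOLS:                        # extended entry
        proto = tokens.pop(0)
        src, src_wc = _take_address(tokens)
        dst, dst_wc = _take_address(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            dport = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        return Ace(action, proto, src, src_wc, dst, dst_wc, dport)
    src, src_wc = _take_address(tokens)               # standard entry: source only
    return Ace(action, "ip", src, src_wc)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    for ace in acl:                                   # first match wins
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"                                     # implicit deny any at the end


# The two lists from the text above, with proper wildcard masks.
LEEDS = [parse_ace(entry) for entry in (
    "deny host 193.34.245.4",
    "permit host 16.21.50.10",
    "deny 18.223.156.0 0.15.255.255",
    "permit 139.32.80.0 0.15.255.255")]
TENNESSEE = [parse_ace(entry) for entry in (
    "deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet",
    "permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet",
    "deny tcp 54.83.187.0 0.0.0.255 101.167.107.0 0.0.0.255 eq telnet",
    "permit tcp 56.248.48.0 0.0.0.255 138.236.218.0 0.0.0.255 eq telnet")]
# The final permit entry with a subnet mask mistakenly used as the wildcard.
WRONG_WILDCARD = [parse_ace(
    "permit tcp 56.248.48.0 255.255.255.0 138.236.218.0 255.255.255.0 eq telnet")]
```

With 0.15.255.255 the leeds entries cover a /12 (18.208.0.0 to 18.223.255.255 and 139.32.0.0 to 139.47.255.255), so 139.40.1.1 is permitted while 139.95.1.1 falls through to the implicit deny; with the mistaken 255.255.255.0 wildcard the tennessee permit lets 1.2.3.0 reach 9.9.9.0 on Telnet and refuses the host 56.248.48.77 it was meant to allow.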
Define AAA.
Define the local server.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2
The password keyword stores the password in cleartext (or as a reversible type 7 string if service password-encryption is set); username fred secret bert stores an MD5 hash instead and is preferred wherever the IOS image supports it. Define the usernames before, or in the same session as, the aaa commands: once aaa new-model is on and the login list is local, a router with no local users will refuse every new login.
Define AAA.
Define the radius server.
Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
attribute
Customize selected radius attributes
authorization
Authorization processing information
challenge-noecho
Data echoing to screen is disabled during
Access-Challenge
configure-nas
Attempt to upload static routes and IP pools at startup
deadtime
Time to stop using a server that doesn't respond
directed-request
Allow user to specify radius server to use with `@server'
domain-stripping
Strip the domain from the username
host
Specify a RADIUS server
key
encryption key shared with the radius servers
local
Configure local RADIUS server
optional-passwords The first RADIUS request can be made without requesting a
password
retransmit
Specify the number of retries to active server
timeout
Time to wait for a RADIUS server to reply
unique-ident
Higher order bits of Acct-Session-Id
vsa
Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
accounting
authentication
authorization
configuration
nas
new-model
Define AAA.
Define the Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
The method lists name the built-in server group tacacs+, so the server itself must be defined with tacacs-server host and tacacs-server key; a radius-server host entry is never consulted for TACACS+. Appending local to the login list (group tacacs+ local) keeps the router reachable when the server is down.
Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.
Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
moves these commands to Level 7. For example ping is a Level 1 command and is now a
Level 7, while the rest have moved from Level 15 to Level 7. Moving configure terminal down to Level 7 lets a Level 7 user enter global configuration mode, where only the configuration commands assigned to Level 7 or below (here the snmp-server commands) are available. The aaa authorization commands lines then hand the final decision for each command at levels 0, 7 and 15 to the TACACS+ server, so command authorization is enforced per command rather than per level.
Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.
The commands available at Level 1 include:
disconnect
enable
exit
help
lock
login
logout
name-connection
ping
rcommand
resume
show
systat
telnet
terminal
traceroute
tunnel
where
Thus:
(config)# username fred privilege 15
(config)# username test privilege 1
sets the maximum privilege level for fred at 15, while test will only be able to enter the non-privileged mode. Note that username test nopassword lets that account log in without any password at all; if such an account is used at all it should stay at privilege 1 and be confined with an access-class. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log-in from any other host. The following:
(config)# username test user-maxlinks 2
Define Tacacs+.
Define accounting for start and stop events.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa accounting network default start-stop group tacacs+
(config)# aaa accounting reverse-access default group tacacs+
Define AAA.
Define port authentication.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication dot1x default group radius
(config)# int fa0/1
(config-if)# dot1x port-control auto
(config-if)# int fa0/2
(config-if)# dot1x port-control auto
(config-if)# int fa0/4
(config-if)# dot1x port-control auto
(config-if)# exit
(config)# exit
# sh dot1x all
Sysauthcontrol                    = Disabled
Dot1x Protocol Version            = 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
Note that Sysauthcontrol is Disabled: until 802.1X is enabled globally with dot1x system-auth-control, the ports configured with dot1x port-control auto do not challenge supplicants and pass traffic as if no port authentication were configured. Check this line first whenever 802.1X appears not to be enforcing.
Dot1x Info for interface FastEthernet0/1
---------------------------------------------------
Supplicant MAC    <Not Applicable>
AuthSM State      = N/A
BendSM State      = N/A
PortStatus        = N/A
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
# sh dot1x stat interface fa0/1
PortStatistics Parameters for Dot1x
-------------------------------------------
TxReqId = 0    TxReq = 0      TxTotal = 0
RxStart = 0    RxLogoff = 0   RxRespId = 0   RxResp = 0
RxInvalid = 0  RxLenErr = 0   RxTotal = 0    RxVersion = 0
LastRxSrcMac 0000.0000.0000
Define an access-list.
Define an priority-group.
Define a route-cache.
Example
> en
# config t
(config)# access-list ?
<1-99>
IP standard access list
<100-199>
IP extended access list
<1000-1099>
IPX SAP access list
<1100-1199>
Extended 48-bit MAC address access list
<1200-1299>
IPX summary address access list
<1300-1999>
IP standard access list (expanded range)
<200-299>
Protocol type-code access list
<2000-2699>
IP extended access list (expanded range)
<700-799>
48-bit MAC address access list
<800-899>
IPX standard access list
<900-999>
IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit
Simple rate-limit specific access list
(config)# access-list 105 ?
deny
Specify packets to reject
(config-if)# ip route-cache
(config-if)# int e1
(config-if)# ip route-cache
Example
> en
# config t
(config)# service ?
compress-config
config
dhcp
disable-ip-fast-frag
exec-callback
exec-wait
finger
hide-telnet-addresses
linenumber
nagle
old-slip-prompts
pad
password-encryption
prompt
pt-vty-logging
sequence-numbers
slave-log
tcp-keepalives-in
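One entry in that list deserves a caveat. service password-encryption turns the cleartext passwords in the running configuration into type 7 strings, which are an XOR against a fixed, publicly known key, not encryption in any cryptographic sense: anyone who can read the configuration (a backup, a TFTP server, a show running-config over the shoulder) recovers every such password in microseconds. The following Python, an added example and not NetworkSims code, implements the type 7 decode and encode and scans a configuration for lines that carry them; the key string and algorithm are the widely published ones, and the sample configuration is constructed here. Passwords that matter, the enable password and local user credentials, belong in enable secret and username ... secret, which store an MD5 hash (type 5) rather than a type 7 string.

```python
"""Decoder for IOS type 7 ('service password-encryption') strings (added example)."""
import re
from typing import List, Tuple

# Fixed key IOS XORs passwords against; the two leading decimal digits of a
# type 7 string give the starting offset into it.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """'0822455D0A16' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of characters, 4 or more")
    seed = int(encoded[:2])
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(_XLAT[(seed + i) % len(_XLAT)])))
    return "".join(chars)


def encode_type7(plain: str, seed: int = 8) -> str:
    """Inverse of decode_type7; IOS picks a seed between 0 and 15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(f"{ord(c) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# 'password 7 <hex>' and 'key 7 <hex>' are the two places type 7 strings appear.
_TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def recover_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Returns (configuration line, recovered plaintext) for every type 7 string."""
    found = []
    for line in config.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), decode_type7(m.group(1))))
    return found


# Constructed configuration excerpt; the type 7 strings are generated above so
# the sample stays consistent with the encoder. The type 5 line is a placeholder,
# not a real hash, and is deliberately not matched.
SAMPLE_CONFIG = f"""\
!
service password-encryption
username fred password 7 {encode_type7('bert', 8)}
radius-server key 7 {encode_type7('krinkle', 12)}
enable secret 5 $1$abcd$placeholder.not.a.real.hash
"""

if __name__ == "__main__":
    for line, plain in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{plain!r:12} <- {line}")
```

Run it over a saved show running-config to see how much a leaked backup gives away; the RADIUS and TACACS+ shared keys in the examples on this page are exactly the kind of secret that ends up protected only by type 7.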
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def radius
(config)# aaa authen ppp def radius
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default radius
(config)# aaa author exec default radius
Setup of Tacacs+.
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def tacacs+
(config)# aaa authen ppp def tacacs+
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default tacacs+
(config)# aaa author exec default tacacs+
Example
> en
# config t
(config)# access-list 7 permit host 23.17.220.3
(config)# access-list 7 deny any
(config)# ip http server
(config)# ip http ?
access-class
Restrict access by access-class
authentication Set http authentication method
path
Set base path for HTML
port
HTTP port
server
Enable HTTP server
(config)# ip http access-class ?
<1-99> Access list number
(config)# ip http access-class 7
Example
> en
# config t
(config)# access-list 7 deny host 23.17.220.3
(config)# access-list 7 permit any
(config)# ip http server
(config)# ip http access-class 7
The two examples are not equivalent. The first (permit host, deny any) allow-lists a single management station and shuts the HTTP server to everyone else; this second one (deny host, permit any) only blocks one address and leaves the HTTP server reachable from every other host, which is rarely what a management-plane ACL should do.
Example
> en
# config t
(config)# access-list 1 permit host 202.179.77.6
(config)# access-list 1 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>
IP access list
<1300-2699> IP expanded access list
WORD
Access-list name
(config-line)# access-class 1 ?
in
Filter incoming connections
out Filter outgoing connections
(config-line)# access-class 1 in
Example
> en
# config t
(config)# access-list 1 deny host 202.179.77.6
(config)# access-list 1 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
(config-line)# access-class 1 in
Outline
This challenge involves the configuration of IP Inspect.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>
(config)# ip inspect one-minute ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping
(config)# ip inspect one-minute low 360
(config)# ip inspect one-minute high 410
(config)# ip inspect max-incomplete low 720
(config)# ip inspect max-incomplete high 770
(config)# ip inspect dns-timeout 1
(config)# ip inspect tcp ?
  finwait-time    Specify timeout for TCP connections after a FIN
  idle-time       Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time    Specify timeout for TCP connections after a SYN and no further data
(config)# ip inspect tcp synwait-time ?
  <1-2147483>  Timeout in seconds
(config)# ip inspect tcp synwait-time 35
(config)# ip inspect tcp finwait-time 5
(config)# ip inspect tcp max-incomplete ?
  host  Specify max half-open connection per host
(config)# ip inspect tcp max-incomplete host 800
(config)# ip inspect tcp idle-time 70
Setup a CBAC.
Define the protocols which the CBAC applies to.
Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# ip inspect name cisco ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Procedure Call Protocol
  rtsp         Real Time Streaming Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
(config)# ip inspect name cisco tcp
(config)# ip inspect name cisco udp
(config)# ip inspect name cisco ftp
(config)# ip inspect name cisco sqlnet
(config)# int fa0/0
(config-if)# ip inspect ?
  WORD  Name of inspection defined
(config-if)# ip inspect cisco in
(config-if)# exit
(config)# access-list 106 deny ip any any
(config)# int s0
(config-if)# ip access-group 106 in
Explanation
ACLs are fairly static in their operation: they do not take the context of a data packet into account, so they cannot tell what state a connection is in. A typical attack on a system is a DoS (Denial-of-Service), in which a remote party floods a server with connection attempts that it never completes. Knowing the context of a data packet, or of its associated connection, allows finer control over the security of the system. For example, in a DoS the firewall could detect that the number of new connections within a given time had exceeded a given threshold, and block further ones for a period. Context-based Access Control (CBAC) is thus stateful and dynamic, and can look further into packets than normal ACLs can. In client-server communications the key states in most connections are:
Context-based Access Control is used to implement firewall options, such as limiting the number of open connections. A typical attack is the DoS (Denial of Service) attack, where the external party opens many connections. To overcome this, the router can be set up with thresholds for half-open sessions. For TCP, a half-open session is one in which the three-way handshake has not completed (a SYN has been seen but no final ACK); for UDP, it is one in which no return traffic has been seen. In a DoS, the client opens a connection and does not complete it. The server does not know that the client has gone away, so the connection still consumes resources on the server, which can become overburdened if there are many such sessions. On the Napier pods, use Pod C (Router 1) for an example of a router which implements these CBACs.
Global timeouts and thresholds
The main limits that are defined are:
ip inspect tcp synwait-time. The time to wait for a TCP session to complete its handshake before CBAC drops it. Default: 30 seconds.
ip inspect tcp finwait-time. The time a TCP session is kept after a FIN exchange before it is dropped. Default: 5 seconds.
ip inspect tcp idle-time. The length of time a TCP session can be idle before it is dropped. Default: 1 hour (3600 seconds).
ip inspect dns-timeout. The time-out for a DNS query (the UDP session created for a DNS lookup). Default: 5 seconds.
ip inspect max-incomplete high. The number of half-open sessions at which CBAC starts deleting them, oldest first. Default: 500.
ip inspect max-incomplete low. The number of half-open sessions at which CBAC stops deleting them. Default: 400.
ip inspect one-minute high. The rate of new connection attempts per minute at which CBAC starts deleting half-open sessions. Default: 500 per minute.
ip inspect one-minute low. The rate per minute at which CBAC stops deleting half-open sessions. Default: 400 per minute.
For example, to set the half-open session watermarks so that clamping starts at 1100 sessions and stops once the count has fallen to 900:
(config)# ip inspect max-incomplete low 900
(config)# ip inspect max-incomplete high 1100
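The watermark behaviour described above (max-incomplete high and low, together with the per-host limit set by ip inspect tcp max-incomplete host) can be seen by simulating it. The following Python is an added example written for this page; it is not code from NetworkSims or from IOS. The session table, the per-host rule (modelled as IOS behaviour with block-time 0, where the oldest half-open session to that host is dropped) and the SYN flood it feeds are all constructed here, and the one-minute rate watermarks are not modelled.

```python
"""Simulate CBAC half-open session clamping (added example, not page code).

Models two of the thresholds described above:
  * ip inspect max-incomplete high/low   -- global watermarks on the number
    of half-open sessions (IOS defaults 500/400)
  * ip inspect tcp max-incomplete host N -- per-destination limit, modelled
    as block-time 0 (the oldest half-open session to that host is dropped)
The one-minute rate watermarks are not modelled. All sessions, timestamps
and the SYN flood below are constructed for the example.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Half-open TCP sessions: a SYN has been seen, the handshake is not complete."""

    def __init__(self, low=400, high=500, per_host=50, synwait=30):
        self.low, self.high = low, high
        self.per_host, self.synwait = per_host, synwait
        self.sessions = OrderedDict()   # (src, dst) -> t_syn; insertion order = age
        self.deleted = 0                # sessions torn down by clamping

    def expire(self, now):
        """synwait-time: drop SYNs that never completed within the timeout."""
        for key, t_syn in list(self.sessions.items()):
            if now - t_syn > self.synwait:
                del self.sessions[key]

    def syn(self, src, dst, now):
        """Register a new SYN from src ('ip:port') to dst, clamping as CBAC does."""
        self.expire(now)
        # Per-host limit: too many half-open sessions to dst, drop the oldest one.
        to_dst = [k for k in self.sessions if k[1] == dst]
        if len(to_dst) >= self.per_host:
            del self.sessions[to_dst[0]]
            self.deleted += 1
        # Global watermarks: once the count reaches "high", delete the oldest
        # sessions until it has fallen below "low", then admit the new one.
        if len(self.sessions) >= self.high:
            while len(self.sessions) >= self.low:
                self.sessions.popitem(last=False)
                self.deleted += 1
        self.sessions[(src, dst)] = now

    def handshake_complete(self, src, dst):
        """Final ACK seen: the session is no longer half-open."""
        return self.sessions.pop((src, dst), None) is not None


def simulate_syn_flood(attempts, low, high):
    """Feed `attempts` SYNs from many spoofed sources at one server, 10 ms apart.
    Returns (half-open sessions left, sessions deleted by clamping)."""
    table = HalfOpenTable(low=low, high=high, per_host=10**6)
    for i in range(attempts):
        table.syn(f"203.0.113.{i % 200}:{40000 + i}", "192.0.2.10", now=i * 0.01)
    return len(table.sessions), table.deleted


if __name__ == "__main__":
    # With the watermarks 900/1100 from the example above, 1200 SYNs reach
    # "high" once: 201 sessions are deleted (1100 -> 899) and 999 remain.
    print(simulate_syn_flood(1200, low=900, high=1100))   # (999, 201)
```

The table grows unchecked until it hits the high watermark, then a single clamping pass removes oldest sessions until the low watermark is reached, which is why the gap between the two values, not the high value alone, determines how much memory a flood can hold at once. Sessions removed by synwait expiry are not counted in deleted, only those torn down by clamping.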
Example
> en
# config t
(config)# ip port-map http port 1126
(config)# ip port-map ftp port 1188
(config)# ip port-map smtp port 1897
(config)# ip port-map telnet port 1189
(config)# exit
# show ip port-map
Default mapping:  vdolive      port 7000   system defined
Default mapping:  sunrpc       port 111    system defined
Default mapping:  netshow      port 1755   system defined
Default mapping:  cuseeme      port 7648   system defined
Default mapping:  tftp         port 69     system defined
Default mapping:  rtsp         port 8554   system defined
Default mapping:  realmedia    port 7070   system defined
Default mapping:  streamworks  port 1558   system defined
Default mapping:  ftp          port 21     system defined
Default mapping:  telnet       port 23     system defined
Default mapping:  rtsp         port 554    system defined
Default mapping:  h323         port 1720   system defined
Default mapping:  sip          port 5060   system defined
Default mapping:  smtp         port 25     system defined
Default mapping:  http         port 80     system defined
Default mapping:  msrpc        port 135    system defined
Default mapping:  exec         port 512    system defined
Default mapping:  login        port 513    system defined
Default mapping:  sql-net      port 1521   system defined
Default mapping:  shell        port 514    system defined
Default mapping:  mgcp         port 2427   system defined
Default mapping:  http         port 1126   user defined
Default mapping:  ftp          port 1188   user defined
Default mapping:  smtp         port 1897   user defined
Default mapping:  telnet       port 1189   user defined
Explanation
Many ports are well known on the Internet, such as port 23 for Telnet and port 80 for HTTP. In many situations the mapping from port to protocol is not the standard one, such as HTTP running on port 8080. The ip port-map command tells CBAC which application-layer inspection to apply to such a port. An example of the command is:
(config)# ip port-map ?
  cuseeme      CUSeeMe Protocol
  dns          Domain Name Server
  exec         Remote Process Execution
  finger       Finger
  ftp          File Transfer Protocol
  gopher       Gopher
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         Hypertext Transfer Protocol
  imap         Internet Message Access Protocol
  kerberos     Kerberos
  ldap         Lightweight Directory Access Protocol
  login        Remote login
  lotusnote    Lotus Note
  mgcp         Media Gateway Control Protocol
  ms-sql       Microsoft SQL
  msrpc        Microsoft Remote Procedure Call
  netshow      Microsoft NetShow
  nfs          Network File System
  nntp         Network News Transfer Protocol
  pop2         Post Office Protocol - Version 2
  pop3         Post Office Protocol - Version 3
  realmedia    RealNetwork's Realmedia Protocol
  rtsp         Real Time Streaming Protocol
  sap          SAP
  shell        Remote command
  sip          Session Initiation Protocol
  smtp         Simple Mail Transfer Protocol
  snmp         Simple Network Management Protocol
  sql-net      SQL-NET
  streamworks  StreamWorks Protocol
  sunrpc       SUN Remote Procedure Call
  sybase-sql   Sybase SQL
  tacacs       Login Host Protocol (TACACS)
  telnet       Telnet
  tftp         Trivial File Transfer Protocol
  vdolive      VDOLive Protocol
# show ip port-map
Default mapping:  vdolive      port 7000   system defined
Default mapping:  sunrpc       port 111    system defined
Default mapping:  netshow      port 1755   system defined
Default mapping:  cuseeme      port 7648   system defined
Default mapping:  tftp         port 69     system defined
Default mapping:  rtsp         port 8554   system defined
Default mapping:  realmedia    port 7070   system defined
Default mapping:  streamworks  port 1558   system defined
Default mapping:  ftp          port 21     system defined
Default mapping:  telnet       port 23     system defined
Default mapping:  http         port 8080   user defined
Default mapping:  rtsp         port 554    system defined
Default mapping:  h323         port 1720   system defined
Default mapping:  sip          port 5060   system defined
Default mapping:  smtp         port 25     system defined
Default mapping:  http         port 80     system defined
Default mapping:  msrpc        port 135    system defined
Default mapping:  exec         port 512    system defined
Default mapping:  login        port 513    system defined
Default mapping:  sql-net      port 1521   system defined
Default mapping:  shell        port 514    system defined
Default mapping:  mgcp         port 2427   system defined
# show ip port-map http
Default mapping:  http         port 8080   user defined
Default mapping:  http         port 80     system defined
Setup logging.
Define an audit-trail.
Example
> en
# config t
(config)# logging on
(config)# logging 150.74.40.1
(config)# logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  cns-events           Set CNS Event logging level
  console              Set console logging level
  count                Count every log message and timestamp last occurrence
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  history              Configure syslog history table
  host                 Set syslog server host name or IP address
  monitor              Set terminal line (monitor) logging level
  on                   Enable logging to all supported destinations
  rate-limit           Set messages per second limit
  source-interface     Specify interface for source address in logging transactions
  trap                 Set syslog server logging level
(config)# logging host 18.46.203.4
(config)# logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed            (severity=1)
  critical       Critical conditions                (severity=2)
  debugging      Debugging messages                 (severity=7)
  emergencies    System is unusable                 (severity=0)
  errors         Error conditions                   (severity=3)
  informational  Informational messages             (severity=6)
  notifications  Normal but significant conditions  (severity=5)
  warnings       Warning conditions                 (severity=4)
  <cr>
(config)# logging trap warning
(config)# logging monitor warning
(config)# logging console warning
(config)# logging buffer ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed            (severity=1)
  critical           Critical conditions                (severity=2)
  debugging          Debugging messages                 (severity=7)
  emergencies        System is unusable                 (severity=0)
  errors             Error conditions                   (severity=3)
  informational      Informational messages             (severity=6)
  notifications      Normal but significant conditions  (severity=5)
  warnings           Warning conditions                 (severity=4)
  <cr>
(config)# logging buffer warnings
(config)# logging buffer 981997
(config)# ip inspect audit-trail
(config)# no ip inspect alert-off
Example
> en
#config t
(config)# access-list 107 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
(config)# access-list 107 deny tcp any any established
(config)# access-list 107 permit tcp any any
(config)# int s0
(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)# ip access-group 107 ?
  in   inbound packets
  out  outbound packets
(config-if)# ip access-group 107 in
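Before applying a list it is worth checking what it actually matches. The following Python evaluates the standard and extended lists used in the examples on this page (the access-class lists for the HTTP server and the vty lines, the established list above, the crypto match list and the snmp list further on) against constructed packets. It is an added example, not NetworkSims or IOS code: it implements first-match semantics, wildcard masks, host and any, eq ports (a handful of well-known names only) and the established keyword (ACK or RST set), with the implicit deny at the end of every list. The packets it tests are constructed.

```python
"""Evaluate Cisco-style numbered ACLs against packets (added example, not page code).

Implements: first match wins, implicit deny, standard lists (1-99, 1300-1999)
that match on source only, extended lists with protocol/src/dst/eq port and
the `established` keyword (matches TCP segments with ACK or RST set).
The ACL text is copied from the page's examples; the packets are constructed.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "snmp": 161, "isakmp": 500}

# The lists used in the examples on this page.
PAGE_ACLS = """
access-list 7 permit host 23.17.220.3
access-list 7 deny any
access-list 105 permit ip any any
access-list 107 deny tcp any any established
access-list 107 permit tcp any any
access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
access-list 110 deny udp any any eq snmp
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D [wildcard]."""
    word = tokens.pop(0)
    if word == "any":
        return ("any",)
    if word == "host":
        return ("host", _ip(tokens.pop(0)))
    wild = _ip(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return ("wild", _ip(word), wild)


def _take_port(tokens):
    """Consume an optional 'eq <port|name>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(PORT_NAMES.get(name, name))
    return None


def _addr_matches(spec, addr):
    addr = _ip(addr)
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    _, net, wild = spec
    return (addr | wild) == (net | wild)   # wildcard 1-bits are don't-care


def parse_acls(config_text):
    """Return {number: [entry, ...]} from 'access-list N permit|deny ...' lines."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99 or 1300 <= number <= 1999:      # standard: source only
            entry = dict(action=action, proto="ip", src=_take_addr(rest), dst=("any",),
                         sport=None, dport=None, established=False)
        else:                                            # extended
            proto = rest.pop(0)
            src = _take_addr(rest)
            sport = _take_port(rest)
            dst = _take_addr(rest)
            dport = _take_port(rest)
            entry = dict(action=action, proto=proto, src=src, dst=dst, sport=sport,
                         dport=dport, established="established" in rest)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl, pkt):
    """pkt: dict with src, dst, proto and optional sport, dport, flags (a set)."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (_addr_matches(e["src"], pkt["src"]) and _addr_matches(e["dst"], pkt["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny (implicit)"


if __name__ == "__main__":
    acls = parse_acls(PAGE_ACLS)
    syn = dict(src="198.51.100.9", dst="10.0.0.1", proto="tcp", dport=23, flags={"SYN"})
    ack = dict(syn, flags={"ACK"})
    # ACL 107 as written admits new inbound connections and drops the replies
    # to sessions the inside opened: the reverse of the usual stateful idiom.
    print(evaluate(acls[107], syn), evaluate(acls[107], ack))   # permit deny
```

Two results are worth noting. Access list 107, applied inbound on s0, permits a fresh SYN from outside and denies the ACK-bearing replies to connections opened from inside, which is the opposite of the common "permit established, deny the rest" pattern. Access list 110 contains only a deny entry, so the implicit deny turns it into a block on all inbound traffic, not just SNMP.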
Define AAA.
Setup an authentication proxy.
Example
> en
# config t
(config)# aaa new-model
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http authentication ?
  aaa     Use AAA access control methods
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
(config)# ip http authentication aaa
(config)# ip auth-proxy ?
  auth-cache-time    Authorization Cache Timeout in min
  auth-proxy-audit   Authentication Proxy Auditing
  auth-proxy-banner  Authentication Proxy Banner
  name               Specify an Authentication Proxy Rule
  <cr>
(config)# ip auth-proxy auth-cache-time ?
  <1-35791>  Timeout in minutes
(config)# ip auth-proxy auth-cache-time 45
(config)# ip auth-proxy name yellow http
(config)# int fa0
(config-if)# ip auth-proxy ?
  WORD  Name of authentication proxy rule
(config-if)# ip auth-proxy yellow
(config-if)# exit
(config)# exit
# show ip auth-proxy configuration
Example
> en
# config t
(config)# ip audit ?
  attack     Specify default action for attack signatures
  info       Specify default action for informational signatures
  name       Specify an IDS audit rule
  notify     Specify the notification mechanisms (nr-director or log) for the alarms
  po         Specify nr-director's PostOffice information (for sending events to the nr-directors)
  signature  Add a policy to a signature
  smtp       Specify SMTP Mail spam threshold
(config)# ip audit notify ?
  log          Send events as syslog messages
  nr-director  Send events to the nr-director
(config)# ip audit notify log
(config)# logging 132.191.125.3
(config)# ip audit info ?
  action  Specify the actions
(config)# ip audit info action ?
Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des
Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255
136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# ?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults
(config-isakmp)# en ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).
(config-isakmp)# encryption des
(config-isakmp)# hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard
(config-isakmp)# hash sha
(config-isakmp)# authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
(config-isakmp)# authentication pre-share
(config-isakmp)# g ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 144.55.62.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# ?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption
(config-crypto-map)# match ?
  address  Match address of packets to encrypt.
(config-crypto-map)# match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
(config-crypto-map)# match address 109
(config-crypto-map)# set ?
  identity              Identity restriction.
  isakmp-profile        Specify isakmp Profile
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# set transform-set ?
  WORD  Proposal tag
(config-crypto-map)# set transform-set finland
(config-crypto-map)# set pfs group1
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map manchester
(config-if)# exit
(config)# exit
# show crypto ipsec sa
interface: E0
    Crypto map tag: manchester, local addr 192.168.1.1
   protected vrf: (none)
# show crypto isakmp sa
dst             src             state          conn-id slot status
144.55.62.1     192.168.1.1     QM_IDLE              1    0 ACTIVE
Note that the crypto map name is case sensitive, so the name applied to the interface must match the one defined (manchester). The policy above negotiates DES, SHA-1 and Diffie-Hellman group 1 (768-bit modulus); DES and group 1 are no longer considered adequate, current practice is AES with group 14 or higher, and a pre-shared key such as test should be replaced by a long random string.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname london
london(config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london(config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london(config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london(config)# int e0
london(config-if)# ip address 136.22.25.1 255.252.0.0
london(config-if)# no shut
london(config-if)# ip access-group 101 in
Example
> en
# config t
(config)# access-list 110 deny udp any any eq snmp
(config)# int e0
(config-if)# ip access-group 110 in
(config-if)# exit
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-id paris
Three things to check in this list. access-list 110 holds only a deny entry, so with the implicit deny at its end it blocks all inbound traffic on e0, not just SNMP; a permit statement for the traffic that should pass is needed. service finger enables the finger server, which reveals who is logged in, so a hardened router normally has no service finger. service password-encryption only h

ides passwords with the reversible type 7 encoding; it is not a substitute for enable secret or username ... secret.
Example
> en
# config t
(config)# crypto key pubkey-chain rsa
(config-pubkey-chain)# addressed-key 142.217.4.10
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567 0123
(config-pubkey-key)# exit
(config-pubkey-chain)# exit
(config)# exit
# show crypto key pubkey-chain rsa
Define EIGRP.
Apply MD5 authentication on an interface.
Define the authentication key chain.
Example
# config t
(config)# router eigrp 142
(config-router)# network 205.104.0.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit
An SSH client such as putty can then be used to connect to the access point:
... graphic missed out on version see help file.
after which the client shows the message:
... graphic missed out on version see help file.
which sets the timeout to 60 seconds, and a maximum of two retries. Finally, to prevent
Telnet sessions:
ap(config)#line vty 0 4
ap(config-line)# transport input ssh
ap(config-if)# st 1 ?
  ...
  mac-address
  name
  preempt
  priority
  timers
  track
ap(config-if)# st 1 au ?
  WORD  Plain text authentication string
  md5   Use MD5 authentication
  text  Plain text authentication
ap(config-if)# st 1 i ?
  A.B.C.D  Virtual IP address
  <cr>
ap(config-if)# st 1 m ?
  H.H.H  MAC address
ap(config-if)# st 1 n ?
  WORD  name string
ap(config-if)# st 1 pre ?
  delay  Wait before preempting
  <cr>
ap(config-if)# st 1 pri ?
  <0-255>  Priority value
ap(config-if)# st 1 ti ?
  <1-254>  Hello interval in seconds
  msec     Specify hello interval in milliseconds
ap(config-if)# st 1 ti 1 ?
  <2-255>  Hold time in seconds
ap(config-if)# st 1 tr ?
  <1-500>            Tracked object number
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-TokenRing  Virtual TokenRing
HSRP uses a priority scheme to determine the default active router. The active router is assigned a higher priority than all the other HSRP-configured routers (the default priority is 100). Routers advertise their priority to each other in multicast hello messages. Thus, if the active router fails to send these messages within the hold time (defined in the timers option), the standby router with the highest priority takes over. Plain-text authentication only guards against accidental misconfiguration: any host on the segment can read the string from the hellos and inject its own with a higher priority, so md5 authentication should be used where the segment is not trusted.
Example
> en
# config t
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.0
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)#ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout
(config)# ip dhcp ping timeout 350
Define AAA.
Define the local server.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2
The password keyword stores the string in clear text, or as a reversible type 7 string once service password-encryption is on; username ... secret stores a one-way hash instead and is what should be used on a real router.
Define AAA.
Define the radius server.
Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication ppp default group radius
(config)# aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
Note that the login method list above names only group radius. If the RADIUS server is unreachable every login then fails, so a fallback method is normally appended (for example group radius local, which falls back to the local username database only when no server answers).
Define AAA.
Define the Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.
Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+
Explanation
The privilege levels go from level 0 to level 15, such as:
Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged (user EXEC) mode, with a prompt of router>.
Level 15. This is the highest level of privilege (privileged EXEC), with a prompt of router#.
Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
moves these commands to Level 7. For example, ping is a Level 1 command and is now Level 7 (so a Level 1 user can no longer run it), while the rest have moved from Level 15 down to Level 7. Note that privilege configure level 7 snmp-server lowers every snmp-server subcommand, not just host and enable.
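The longest-prefix rule that makes privilege configure level 7 snmp-server cover every snmp-server subcommand can be checked with the following Python, an added example that is not NetworkSims or IOS code. It loads the six privilege commands from the example above; the set of exec commands treated as level 15 by default and the commands it audits are assumptions made for the example, and the real IOS command tree is much larger.

```python
"""Model IOS privilege levels and the `privilege` command (added example, not page code).

The level a typed command needs is that of its longest configured prefix;
otherwise it is the mode's default (1 for ordinary exec commands, 15 for
privileged exec commands and for everything in configuration mode). A user
may run a command when their level is at least the command's level.
PRIVILEGED_EXEC and the audited commands are constructed for the example;
the `privilege` lines are the ones from the page.
"""

# Exec commands assumed to be level 15 by default (the rest default to level 1).
PRIVILEGED_EXEC = {"configure", "debug", "reload", "write", "copy"}

PAGE_PRIVILEGE_COMMANDS = """
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
"""


class PrivilegeTable:
    def __init__(self, config_text=""):
        self.levels = {"exec": {}, "configure": {}}   # mode -> {command prefix: level}
        for line in config_text.splitlines():
            tokens = line.split()
            # privilege <mode> level <n> <command words...>
            if len(tokens) >= 5 and tokens[0] == "privilege" and tokens[2] == "level":
                self.privilege(tokens[1], int(tokens[3]), " ".join(tokens[4:]))

    def privilege(self, mode, level, command):
        self.levels[mode][command] = level

    def required_level(self, mode, typed):
        """Longest-prefix match over the configured commands, else the mode default."""
        words = typed.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.levels[mode]:
                return self.levels[mode][prefix]
        if mode == "configure" or words[0] in PRIVILEGED_EXEC:
            return 15
        return 1

    def can_run(self, user_level, mode, typed):
        return user_level >= self.required_level(mode, typed)


def audit(table, user_level, commands):
    """Return the (mode, command) pairs a user at `user_level` may run."""
    return [(mode, cmd) for mode, cmd in commands if table.can_run(user_level, mode, cmd)]


if __name__ == "__main__":
    t = PrivilegeTable(PAGE_PRIVILEGE_COMMANDS)
    checks = [("exec", "ping 10.0.0.1"), ("exec", "configure terminal"),
              ("configure", "snmp-server community public RO"), ("configure", "hostname r1")]
    for level in (1, 7, 15):
        print(level, audit(t, level, checks))
```

Running it shows that a level 7 user can now enter configuration mode and set an SNMP community string (the whole snmp-server subtree has been lowered), but not change the hostname, while a level 1 user has lost ping. With aaa authorization commands 7 default group tacacs+ in place, every level 7 command is additionally sent to the TACACS+ server for a per-command decision.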
Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
Explanation
(config)# username fred privilege 15
(config)# username test privilege 1
sets the maximum privilege level for fred at 15, while test will only be able to enter the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log-in from any other host. The following:
(config)# username test user-maxlinks 2
Objectives
The objectives of this challenge are to:
Define Tacacs+.
Define accounting for start and stop events.
Example
> enable
# config t
(config)# aaa new-model
(config)# aaa accounting network default start-stop group tacacs+
(config)# aaa accounting reverse-access default start-stop group tacacs+
Define E0.
Define ATM.
Define bridge protocol.
Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# bridge-group 1
(config-if)# exit
(config)# int atm0
(config-if)# ?
Interface configuration commands:
  access-expression  Build a bridge boolean access expression
  apollo             Apollo interface subcommands
  appletalk          Appletalk interface subcommands
  arp                Set arp type (arpa, probe, snap) or timeout
  atm                Modify ATM parameters
  backup             Modify backup parameters
  bandwidth          Set bandwidth informational parameter
  bridge-group       Transparent bridging interface parameters
  carrier-delay      Specify delay for interface transitions
  cdp                class-int          clns               crypto
  custom-queue-list  decnet             default            delay
  description        dspu               exit               fair-queue
  fras               help               hold-queue         ip
  ipv6               ipx                isis               iso-igrp
  lan-name           lane               lat                llc2
  load-interval      locaddr-priority   logging            loopback
  mac-address        map-group          max-reserved-bandwidth
  mls                mpls               mpoa               mtu
  multilink-group    multiring          netbios            no
  ntp                priority-group     pvc                random-detect
  rate-limit         sap-priority       service-policy     shutdown
  smrp               sna                snapshot           snmp
  source-bridge      squelch            sscop              standby
  svc                tag-switching      tarp               timeout
  traffic-shape
Explanation
In this case a bridge is created between the E0 and the ATM0 port. The encapsulation is aal5snap (AAL5 with LLC/SNAP, Logical Link Control/Subnetwork Access Protocol), which supports multiple protocols over the same PVC.
This challenge involves the configuration of ATM with a dialer interface and to encapsulate
PPP within an Ethernet environment.
Objectives
The objectives of this challenge are to:
Define a dialer
Define ATM.
Example
> enable
# config t
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc ?
  <0-7>     Enter VPI/VCI value(slash required)
  <1-1023>  Enter VCI value
  WORD      Optional handle to refer to this connection
(config-if)# pvc 8/35
(config-if-atm-vc)# ?
ATM virtual circuit configuration commands:
  atm            atm pvc commands
  broadcast      Pseudo-broadcast
  class-vc       Configure default vc-class name
  default        Set a command to its defaults
  dialer         set dialer pool this pvc belongs to
  encapsulation  Select ATM Encapsulation for VC
  exit-vc        Exit from ATM VC configuration mode
  ilmi           Configure ILMI management
  inarp          Change the inverse arp timer on the PVC
  no             Negate a command or set its defaults
  oam            Configure oam parameters
  oam-pvc        Send oam cells on this pvc
  pppoe-client   pppoe client
  protocol       Map an upper layer protocol to this connection.
  ubr            Enter Unspecified Peak Cell Rate (pcr) in Kbps.
  ubr+           Enter Peak Cell Rate(pcr)Minimum Cell Rate(mcr) in Kbps.
  vbr-nrt        Enter Variable Bit Rate (pcr)(scr)(bcs)
  vcci           VCC Identifier
(config-if-atm-vc)# pppoe-client dial-pool-number 1
(config-if-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
Explanation
PPPoE encapsulates PPP within an Ethernet frame.
Define a dialer.
Define ATM.
Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-if-atm-vc)# ?
ATM virtual circuit configuration commands:
atm
atm pvc commands
broadcast
Pseudo-broadcast
class-vc
Configure default vc-class name
default
Set a command to its defaults
dialer
set dialer pool this pvc belongs to
encapsulation Select ATM Encapsulation for VC
exit-vc
Exit from ATM VC configuration mode
ilmi
Configure ILMI management
inarp
Change the inverse arp timer on the PVC
no
Negate a command or set its defaults
oam
Configure oam parameters
oam-pvc
Send oam cells on this pvc
pppoe-client
pppoe client
protocol
Map an upper layer protocol to this connection.
ubr
Enter Unspecified Peak Cell Rate (pcr) in Kbps.
ubr+
Enter Peak Cell Rate(pcr)Minimum Cell Rate(mcr) in Kbps.
vbr-nrt
Enter Variable Bit Rate (pcr)(scr)(bcs)
vcci
VCC Identifier
(config-atm-vc)# encapsulation aal5mux ppp dialer
(config-atm-vc)# dialer pool member 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
Explanation
PPPoA encapsulates PPP within ATM cells.
Define a dialer
Define ATM.
Example
> enable
# config t
(config)# vpdn enable
(config)# vpdn-group ?
WORD VPDN Group name
(config)# vpdn-group test
(config-vpdn)# ?
VPDN group configuration commands:
accept-dialin
VPDN accept-dialin group configuration
accept-dialout
VPDN accept-dialout group configuration
default
Set a command to its defaults
description
Description for this VPDN group
exit
Exit from VPDN group configuration mode
ip
IP settings for tunnel
no
Negate a command or set its defaults
redirect
Call redirection options
request-dialin
VPDN request-dialin group configuration
request-dialout VPDN request-dialout group configuration
source
Configuration source for this vpdn-group
source-ip
Set source IP address for this vpdn-group
vpn
VPN ID/VRF name
(config-vpdn)# request-dialin ?
<cr>
(config-vpdn)# request-dialin
(config-vpdn-req-in)# ?
VPDN group request-dialin configuration commands:
default
Set a command to its defaults
dnis
Initiate a tunnel based on DNIS
domain
Initiate a tunnel based on domain name
exit
Exit from VPDN group request dialin sub-configuration mode
multihop Initiate a multihop tunnel based on peer hostname or tunnel ID
no
Negate a command or set its defaults
protocol Tunneling protocol to be used
(config-vpdn-req-in)# protocol ?
l2f
Use L2F
l2tp
Use L2TP
pptp
Use PPTP
pppoe Use PPPoE
(config-vpdn-req-in)# protocol pppoe
(config-vpdn-req-in)# exit
(config-vpdn)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# ?
Interface configuration commands:
access-expression
Build a bridge boolean access expression
apollo
Apollo interface subcommands
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
atm
Modify ATM parameters
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
class-int
Configure default vc-class name
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
custom-queue-list
Assign a custom queue list to an interface
decnet
Interface DECnet config commands
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dspu
Down Stream PU
exit
Exit from interface configuration mode
fair-queue
Enable Fair Queuing on an Interface
fras
DLC Switch Interface Command
help
Description of the interactive help system
hold-queue
Set hold queue depth
ip
Interface Internet Protocol config commands
ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lan-name
LAN Name command
lane
Modify LANE parameters
lat
LAT commands
llc2
LLC2 Interface Subcommands
load-interval
Specify interval for load calculation for an interface
locaddr-priority
Assign a priority group
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
map-group
Configure static map group
max-reserved-bandwidth
Maximum Reservable Bandwidth on an Interface
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mpoa
MPOA interface configuration commands
mtu
Set the interface Maximum Transmission Unit (MTU)
multilink-group
Put interface in a multilink bundle
multiring
Enable RIF usage for a routable protocol
netbios
Use a defined NETBIOS access list or enable name-caching
no
Negate a command or set its defaults
ntp
Configure NTP
priority-group
Assign a priority group to an interface
pvc
Configure ATM PVC parameters
random-detect
Enable Weighted Random Early Detection (WRED) on an Interface
rate-limit
Rate Limit
sap-priority
Assign a priority group
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
snmp
Modify SNMP interface parameters
source-bridge
Configure interface for source-route bridging
squelch
10BaseT 100 meter limit enforcement
sscop
SSCOP Interface Subcommands
standby
Interface HSRP configuration commands
svc
Configure ATM SVC parameters
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
transmit-interface
Assign a transmit interface to a receive-only interface
vines
VINES interface subcommands
xns
XNS interface subcommands
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-if-atm-vc)# ?
ATM virtual circuit configuration commands:
atm
atm pvc commands
broadcast
Pseudo-broadcast
class-vc
Configure default vc-class name
default
Set a command to its defaults
dialer
set dialer pool this pvc belongs to
encapsulation Select ATM Encapsulation for VC
exit-vc
Exit from ATM VC configuration mode
ilmi
Configure ILMI management
inarp
Change the inverse arp timer on the PVC
no
Negate a command or set its defaults
oam
Configure oam parameters
oam-pvc
Send oam cells on this pvc
pppoe-client
pppoe client
protocol
Map an upper layer protocol to this connection.
ubr
Enter Unspecified Peak Cell Rate (pcr) in Kbps.
ubr+
Enter Peak Cell Rate(pcr)Minimum Cell Rate(mcr) in Kbps.
vbr-nrt
Enter Variable Bit Rate (pcr)(scr)(bcs)
vcci
VCC Identifier
(config-if-atm-vc)# pppoe-client dial-pool-number 1
(config-if-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
Example
> enable
# config t
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# async ?
default Specify default parameters
dynamic Specify parameters which user may change
mode
Specify line mode (interactive or dedicated interface use)
(config-if)# async mode ?
dedicated
Line is dedicated as an async interface
interactive Line may be switched between interactive use and async interface
(config-if)# async mode interactive
(config-if)# exit
(config)# line 1
(config-line)# autoselect ?
arap
Set line to allow ARAP autoselection
during-login Do autoselect at the Username/Password prompt
ppp
Set line to allow PPP autoselection
slip
Set line to allow SLIP autoselection
timeout
Set wait timeout for initial autoselect byte
<cr>
(config-line)# autoselect ppp
(config-line)# autoselect during-login
Example
> enable
# config t
(config)# int loopback1
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# int async 6
(config-if)# ip unnumbered loopback1
This challenge involves the configuration of a specific address for the dial-in host.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address 192.168.1.1
Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once the host has connected, the access server assigns it the IP address 192.168.1.1
(Figure 1).
Figure 1: the access server's Async 6 port connects to the PSTN; the figure repeats the
configuration given in the example above.
Objectives
The objectives of this challenge are to:
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address pool testing
(config)# ip local pool testing 10.0.0.1 10.0.0.10
Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once the host has connected, the access server assigns it an IP address from the pool of
addresses 10.0.0.1 to 10.0.0.10 (see Figure 1).
Figure 1: the access server's Async 6 port connects to the PSTN; the figure repeats the
configuration given in the example above.
Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address dhcp-pool wyoming
(config)# ip dhcpd pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
conflict
DHCP address conflict parameters
database
Configure DHCP database agents
excluded-address
Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping
Specify ping parameters used by DHCP
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
(config)#ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout
(config)# ip dhcp ping timeout 350
Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once the host has connected, the access server assigns it an IP address taken from the
DHCP pool (Figure 1).
Figure 1: the access server's Async 6 port connects to the PSTN; the dial-in host is
assigned its address from the DHCP pool. The figure repeats the configuration given in the
example above.
Example
> enable
# config t
(config)# hostname edinburgh
(config)# username newyork password test
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# dialer map ip 192.168.1.2 name newyork
(config-if)# ppp pap sent-username edinburgh password ttt
Explanation
In this example the username is set as the hostname of the remote device. Figure 1 shows an
example configuration for two devices, on which either can connect to the other.
Figure 1: two access servers, edinburgh and newyork, connected over the PSTN on their
Async 6 ports. The edinburgh side is the configuration in the example above; the newyork
side mirrors it with the addresses and credentials swapped:
> enable
# config t
(config)# hostname newyork
(config)# username edinburgh password ttt
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.2 255.255.255.0
(config-if)# dialer map ip 192.168.1.1 name edinburgh
(config-if)# ppp pap sent-username newyork password test
17 CCNP ONT
Cisco Router Challenge 130
Outline
This challenge involves the configuration of a dial-peer.
Objectives
The objectives of this challenge are to:
Setup a dial-peer.
Example
> enable
# config t
Router(config)# dial-peer ?
cor
Class of Restriction
hunt
Define the dial peer hunting choice
outbound
Define the outbound options
terminator Define the address terminate character
voice
Voice type
Router(config)# dial-p v ?
<1-2147483647> Voice dial-peer tag
Router(config)# dial-p voice 1 ?
mmoip Multi Media Over IP
pots
Telephony
voatm Voice over ATM
vofr
Voice over Frame Relay
voip
Voice over IP
Router(config)# dial-p voice 1 pots
Router(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
application
The selected application
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination-pattern
A full E.164 telephone number prefix
digit-strip
Use digit strip option for the POTS digits replacement
direct-inward-dial
Use Called Number as final call destination
dnis-map
exit
fax
forward-digits
ip
max-conn
Define QoS.
Limit the bandwidth.
Define a queue-limit.
Example
> en
# config t
(config)# class-map ?
WORD
class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
(config)# class-map tayside
(config-cmap)#?
QoS class-map configuration commands:
description Class-Map description
exit
Exit from QoS class-map configuration mode
match
classification criteria
no
Negate or set default values of a command
rename
Rename this class-map
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
class
policy criteria
description Policy-Map description
exit
Exit from QoS policy-map configuration mode
no
Negate or set default values of a command
rename
Rename this policy-map
<cr>
(config-pmap)# class tayside
Router(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth
Bandwidth
exit
Exit from QoS class action configuration mode
fair-queue
Enable Flow-based Fair Queuing in this Class
no
Negate or set default values of a command
police
Police
priority
Strict Scheduling Priority for this Class
queue-limit
Queue Max Threshold for Tail Drop
random-detect
Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set
Set QoS values
shape
Traffic Shaping
<cr>
(config-pmap-c)# bandwidth ?
<8-2000000> Kilo Bits per second
percent
% of Available Bandwidth
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit ?
<1-512> Packets
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle
Define QoS.
Define a default class.
Example
> en
# config t
(config)# class-map ?
WORD
class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
(config)# class-map tayside
(config-cmap)#?
QoS class-map configuration commands:
description Class-Map description
exit
Exit from QoS class-map configuration mode
match
classification criteria
no
Negate or set default values of a command
rename
Rename this class-map
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
class
policy criteria
description Policy-Map description
exit
Exit from QoS policy-map configuration mode
no
Negate or set default values of a command
rename
Rename this policy-map
<cr>
(config-pmap)# class tayside
Router(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth
Bandwidth
exit
Exit from QoS class action configuration mode
fair-queue
Enable Flow-based Fair Queuing in this Class
no
Negate or set default values of a command
police
Police
priority
Strict Scheduling Priority for this Class
queue-limit
Queue Max Threshold for Tail Drop
random-detect
Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set
Set QoS values
shape
Traffic Shaping
<cr>
(config-pmap-c)# bandwidth ?
<8-2000000> Kilo Bits per second
percent
% of Available Bandwidth
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit ?
<1-512> Packets
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# class ?
WORD
class-map name
class-default
System default class matching otherwise unclassified
packets
(config-pmap)# class class-default
(config-pmap-c)# fair-queue
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle
The class-default class does not have to be created before it is used in the policy-map. It
catches any other traffic which does not match the defined class-maps.
Define QoS.
Define interesting traffic types with a class-map.
# config t
(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
(config)# class-map Delaware
(config-cmap)# ?
QoS class-map configuration commands:
description Class-Map description
exit
Exit from QoS class-map configuration mode
match
classification criteria
no
Negate or set default values of a command
rename
Rename this class-map
(config-cmap)# description testing
(config-cmap)# match ?
access-group
Access group
any
Any packets
class-map
Class map
cos
IEEE 802.1Q/ISL class of service/user priority values
destination-address Destination address
discard-class
Discard behavior identifier
dscp
Match DSCP in IP(v4) and IPv6 packets
fr-de
Match on Frame-relay DE bit
fr-dlci
Match on fr-dlci
input-interface
Select an input interface to match
ip
IP specific values
mpls
Multi Protocol Label Switching specific values
not
Negate this match result
packet
Layer 3 Packet length
precedence
Match Precedence in IP(v4) and IPv6 packets
protocol
Protocol
qos-group
Qos-group
source-address
Source address
(config-cmap)# match protocol ?
arp
IP ARP
bgp
Border Gateway Protocol
bridge
Bridging
bstun
Block Serial Tunnel
cdp
Cisco Discovery Protocol
citrix
Citrix Traffic
compressedtcp Compressed TCP
cuseeme
CU-SeeMe desktop video conference
custom-01
Custom protocol custom-01
custom-02
Custom protocol custom-02
custom-03
Custom protocol custom-03
custom-04
Custom protocol custom-04
custom-05
Custom protocol custom-05
custom-06
Custom protocol custom-06
custom-07
Custom protocol custom-07
custom-08
Custom protocol custom-08
custom-09
Custom protocol custom-09
custom-10
Custom protocol custom-10
dhcp
Dynamic Host Configuration
dlsw
Data Link Switching (Direct encapsulation only)
dns
Domain Name Server lookup
egp
Exterior Gateway Protocol
eigrp
Enhanced Interior Gateway Routing Protocol
exchange
MS-RPC for Exchange
fasttrack
FastTrack Traffic - KaZaA, Morpheus, Grokster...
finger
Finger
ftp
File Transfer Protocol
gnutella
Gnutella Traffic - BearShare,LimeWire,Gnotella...
gopher
Gopher
gre
Generic Routing Encapsulation
http
World Wide Web traffic
icmp
Internet Control Message
imap
Internet Message Access Protocol
ip
IP
ipinip
IP in IP (encapsulation)
ipsec
IP Security Protocol (ESP/AH)
ipv6
IPV6
irc
Internet Relay Chat
kazaa2
Kazaa Version 2
kerberos
Kerberos
l2tp
L2F/L2TP tunnel
ldap
Lightweight Directory Access Protocol
llc2
llc2
napster
Napster Traffic
netbios
NetBIOS
netshow
Microsoft Netshow
nfs
Network File System
nntp
Network News Transfer Protocol
notes
Lotus Notes(R)
novadigm
Novadigm EDM
ntp
Network Time Protocol
pad
PAD links
pcanywhere
Symantec pcANYWHERE
pop3
Post Office Protocol
pppoe
PPP over Ethernet
pptp
Point-to-Point Tunneling Protocol
printer
print spooler/lpd
qllc
qllc protocol
rcmd
BSD r-commands (rsh, rlogin, rexec)
rip
Routing Information Protocol
rsrb
Remote Source-Route Bridging
rsvp
Resource Reservation Protocol
rtp
Real Time Protocol
rtspplayer
RTSP players streaming protocol
secure-ftp
FTP over TLS/SSL
secure-http
Secured HTTP
secure-imap
Internet Message Access Protocol over TLS/SSL
secure-irc
Internet Relay Chat over TLS/SSL
secure-ldap
Lightweight Directory Access Protocol over TLS/SSL
secure-nntp
Network News Transfer Protocol over TLS/SSL
secure-pop3
Post Office Protocol over TLS/SSL
secure-telnet Telnet over TLS/SSL
smtp
Simple Mail Transfer Protocol
snapshot
Snapshot routing support
snmp
Simple Network Management Protocol
socks
SOCKS
sqlnet
SQL*NET for Oracle
sqlserver
MS SQL Server
ssh
Secured Shell
streamwork
Xing Technology StreamWorks player
stun
Serial Tunnel
sunrpc
Sun RPC
syslog
System Logging Utility
telnet
Telnet
tftp
Trivial File Transfer Protocol
vdolive
VDOLive streaming video
vofr
voice over Frame Relay packets
xwindows
X-Windows remote access
(config-cmap)# match protocol http
(config-cmap)# match protocol ftp
(config-cmap)# match protocol telnet
(config-cmap)# match access-list 100
(config-cmap)# exit
(config)# class-map VOICE
(config-cmap)# exit
(config)# class-map EXECTEST
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# ?
QoS policy-map configuration commands:
class
policy criteria
description Policy-Map description
exit
Exit from QoS policy-map configuration mode
no
Negate or set default values of a command
rename
Rename this policy-map
<cr>
Define CBWFQ.
Example
> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0
0.0.255.255
(config)# class-map tayside
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# class tayside
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle
Explanation
The following shows an example of limiting all the traffic which fits access-list 111 to
2Mbps:
Class map: identify the traffic characteristic.
Policy map: define the policy for the traffic.
Service policy: apply the policy to an interface.
# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
# class-map cmap
(config-cmap)# match access-group 111
# int s0
(config-if)# service-policy output pmap
Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html
Outline
This challenge involves the configuration of auto QoS on an interface.
Objectives
The objectives of this challenge are to:
Define CEF (Cisco Express Forwarding), as this is required for Auto QoS.
Enable NBAR (Network Based Application Recognition), as this is required for Auto
QoS.
Define the bandwidth on an interface.
Enable Auto QoS.
Example
> en
# config t
(config)# ip cef
(config)# int s0
(config-if)# bandwidth ?
<1-10000000> Bandwidth in kilobits
inherit
Specify how bandwidth is inherited
(config-if)# bandwidth 256
(config-if)# ip nbar ?
protocol-discovery Enable NBAR protocol discovery
(config-if)# ip nbar protocol ?
<cr>
(config-if)# ip nbar protocol
(config-if)# auto ?
qos Configure AutoQoS
(config-if)# auto qos ?
voip Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
trust Trust the DSCP marking
<cr>
(config-if)# auto qos voip
(config-if)# exit
(config)# exit
# sh ip nbar pr
Serial0/0
                    Input                          Output
Protocol            Packets  Bytes  5 min bps      Packets  Bytes  5 min bps
------------------  -------  -----  ---------      -------  -----  ---------
bgp                 0        0      0              0        0      0
citrix              0        0      0              0        0      0
cuseeme             0        0      0              0        0      0
custom-01           0        0      0              0        0      0
custom-02           0        0      0              0        0      0
custom-03           0        0      0              0        0      0
custom-04           0        0      0              0        0      0
custom-05           0        0      0              0        0      0
custom-06           0        0      0              0        0      0
custom-07           0        0      0              0        0      0
custom-08           0        0      0              0        0      0
custom-09           0        0      0              0        0      0
custom-10           0        0      0              0        0      0
dhcp                0        0      0              0        0      0
dns                 0        0      0              0        0      0
egp                 0        0      0              0        0      0
eigrp               0        0      0              0        0      0
exchange            0        0      0              0        0      0
fasttrack           0        0      0              0        0      0
finger              0        0      0              0        0      0
ftp                 0        0      0              0        0      0
gnutella            0        0      0              0        0      0
gopher              0        0      0              0        0      0
gre                 0        0      0              0        0      0
http                0        0      0              0        0      0
icmp                0        0      0              0        0      0
imap                0        0      0              0        0      0
ipinip              0        0      0              0        0      0
ipsec               0        0      0              0        0      0
irc                 0        0      0              0        0      0
kazaa2              0        0      0              0        0      0
kerberos            0        0      0              0        0      0
l2tp                0        0      0              0        0      0
ldap                0        0      0              0        0      0
napster             0        0      0              0        0      0
netbios             0        0      0              0        0      0
netshow             0        0      0              0        0      0
nfs                 0        0      0              0        0      0
nntp                0        0      0              0        0      0
notes               0        0      0              0        0      0
novadigm            0        0      0              0        0      0
ntp                 0        0      0              0        0      0
pcanywhere          0        0      0              0        0      0
pop3                0        0      0              0        0      0
pptp                0        0      0              0        0      0
printer             0        0      0              0        0      0
rcmd                0        0      0              0        0      0
rip                 0        0      0              0        0      0
rsvp                0        0      0              0        0      0
rtp                 0        0      0              0        0      0
rtspplayer          0        0      0              0        0      0
secure-ftp          0        0      0              0        0      0
secure-http         0        0      0              0        0      0
secure-imap         0        0      0              0        0      0
secure-irc          0        0      0              0        0      0
secure-ldap         0        0      0              0        0      0
secure-nntp         0        0      0              0        0      0
secure-pop3         0        0      0              0        0      0
secure-telnet       0        0      0              0        0      0
smtp                0        0      0              0        0      0
snmp                0        0      0              0        0      0
socks               0        0      0              0        0      0
sqlnet              0        0      0              0        0      0
sqlserver           0        0      0              0        0      0
ssh                 0        0      0              0        0      0
streamwork          0        0      0              0        0      0
sunrpc              0        0      0              0        0      0
syslog              0        0      0              0        0      0
telnet              0        0      0              0        0      0
tftp                0        0      0              0        0      0
vdolive             0        0      0              0        0      0
xwindows            0        0      0              0        0      0
unknown             0        0      0              0        0      0
Total               0        0      0              0        0      0
Explanation
Key facts:
CCNP Objective: QoS Implementation Methods.
AutoQoS for the Enterprise is the next generation of automatic QoS generation, and uses
NBAR for traffic discovery and classification. The basic form of Auto QoS is Auto QoS VoIP.
For Auto QoS to work, CEF and NBAR must be enabled, and the bandwidth must be
correctly defined on the interface.
AutoQoS automatically generates the QoS commands.
AutoQoS analyzes network traffic and tries to optimize QoS through the traffic classes
that AutoQoS Discovery finds, creating policies which are applied to the interface(s).
AutoQoS simplifies the configuration.
AutoQoS has five elements: Classification (AutoQoS Discovery with NBAR discovers the
requirements); Policy generation (access-lists, class-maps and policy maps are generated to
optimize the setup); Configuration (the required interfaces are configured); Monitoring and
reporting (the operation is continually updated and reported on); and Consistency (the
same setup is applied consistently across a range of devices).
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
<8000-2000000000> Bits per second
cir
Committed information rate
(config-pmap-c)# police 100 ?
<1000-512000000> Burst bytes
bc
Conform burst
conform-action
action when rate is less than conform burst
pir
Peak Information Rate
<cr>
(config-pmap-c)# police 100 500
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
In this case VoIP is detected on TCP port 1720 and on UDP ports from 16384 to 32767:
(config)# access-list 100 udp any any range 16384 32000
(config)# access-list 100 tcp any any eq 1720
H.323. TCP port 1720 is used for H.323 Host Call, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in MS Messenger, and so on.
H.323 (Callserve). UDP port 1719 and TCP port 1720 are used for call signalling, and
UDP ports from 5000 to 65535 for RTP (Realtime Transport Protocol). This is used in
Callserve, and so on.
SIP. TCP/UDP port 560 is used for signaling, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in SIP, and so on.
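The `police 100 500` line above sets a committed rate in bits per second and a conform burst in bytes. As an added illustration, not code from the NetworkSims page, the following Python models that single-rate, two-colour token bucket with the page's values; the packet trace (timestamps in seconds, sizes in bytes) is constructed sample data.

```python
"""Token-bucket model of the class-based `police <bps> <burst>` command.

Added example, not from the NetworkSims page. CIR 100 bps and burst 500 bytes are the
values from the page's `police 100 500`; the packet trace below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Policer:
    cir_bps: int          # committed information rate, bits per second
    bc_bytes: int         # normal (conform) burst in bytes: the bucket depth
    tokens: float = 0.0   # bytes currently available in the bucket
    last_ts: float = 0.0  # arrival time of the previous packet, seconds

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)   # the bucket starts full

    def police(self, ts: float, size: int) -> str:
        """Return 'conform' or 'exceed' for a packet of `size` bytes arriving at `ts`."""
        if ts < self.last_ts:
            raise ValueError("packet timestamps must be non-decreasing")
        # Refill at CIR/8 bytes per elapsed second, never above the burst depth.
        refill = self.cir_bps * (ts - self.last_ts) / 8
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return "conform"   # default conform-action: transmit
        return "exceed"        # default exceed-action: drop; no tokens are consumed


def police_trace(cir_bps: int, bc_bytes: int, trace):
    """Run a (timestamp, size) trace through a fresh policer; returns one verdict per packet."""
    p = Policer(cir_bps, bc_bytes)
    return [p.police(ts, size) for ts, size in trace]


# Constructed trace: a 600-byte burst at t=0 (one packet over the 500-byte burst),
# then 40 s of silence (40 s * 100 bps / 8 = 500 bytes refilled, capped at Bc),
# then a 500-byte packet that drains the bucket and a 1-byte packet behind it.
SAMPLE_TRACE = [(0.0, 200), (0.0, 200), (0.0, 200), (40.0, 500), (40.0, 1)]

if __name__ == "__main__":
    for (ts, size), verdict in zip(SAMPLE_TRACE, police_trace(100, 500, SAMPLE_TRACE)):
        print(f"t={ts:5.1f}s  {size:4d} bytes  {verdict}")
```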
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 560
(config)# access-list 100 udp any any eq 560
(config)# class-map VOIP
In this case VoIP is detected on TCP/UDP port 560 for the call setup and on UDP ports from
16384 to 32767 for the actual call traffic:
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 560
(config)# access-list 100 udp any any eq 560
H.323. TCP port 1720 is used for H.323 Host Call, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in MS Messenger, and so on.
H.323 (Callserve). UDP port 1719 and TCP port 1720 are used for call signalling, and
UDP ports from 5000 to 65535 for RTP (Realtime Transport Protocol). This is used in
Callserve, and so on.
SIP. TCP/UDP port 560 is used for signaling, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in SIP, and so on.
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
<8-2000000> Kilo Bits per second
percent
% of total Bandwidth
remaining
% of the remaining bandwidth
(config-pmap-c)# bandwidth 50
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
<8-2000000> Kilo Bits per second
percent
% of total Bandwidth
remaining
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority ?
<8-2000000>  Kilo Bits per second
percent      % of total bandwidth
(config-pmap-c)# priority 100
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
The main differences between the bandwidth and priority commands are:
                             bandwidth Command   priority Command
Maximum bandwidth guarantee  Yes                 Yes
Minimum bandwidth guarantee  No                  Yes
Built-in policer             No                  Yes
Provides low latency         No                  Yes
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority ?
<8-2000000>  Kilo Bits per second
percent      % of total bandwidth
(config-pmap-c)# priority percent 50
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority percent 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# priority percent 40
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
In this case 60% of the bandwidth will be allocated to VoIP traffic, and 40% to HTTP traffic.
To recap, the differences between the bandwidth and priority commands are:
                             bandwidth Command   priority Command
Maximum bandwidth guarantee  Yes                 Yes
Minimum bandwidth guarantee  No                  Yes
Built-in policer             No                  Yes
Provides low latency         No                  Yes
Example
> en
# config t
(config)# ip nbar pdlm tftp://1.2.3.4/test.pdlm
(config)# ip nbar port-map http tcp 80 8080
(config)# ip nbar port-map ftp tcp 21
(config)# int s0
(config-if)# ip nbar protocol-discovery
Router# sh ip nbar port-map
port-map bgp            udp 179
port-map bgp            tcp 179
port-map citrix         udp 1604
port-map citrix         tcp 1494
port-map cuseeme        udp 7648 7649 24032
port-map cuseeme
port-map custom-01
port-map custom-01
port-map custom-02
port-map custom-02
port-map custom-03
port-map custom-03
port-map custom-04
port-map custom-04
port-map custom-05
port-map custom-05
port-map custom-06
port-map custom-06
port-map custom-07
port-map custom-07
port-map custom-08
port-map custom-08
port-map custom-09
port-map custom-09
port-map custom-10
port-map custom-10
port-map dhcp
port-map dns
port-map dns
port-map exchange
port-map fasttrack
port-map finger
port-map ftp
port-map gnutella
port-map gopher
port-map gopher
port-map http
port-map imap
port-map imap
port-map irc
port-map irc
port-map kerberos
port-map kerberos
port-map l2tp
port-map ldap
port-map ldap
port-map napster            4444 5555
port-map netbios        udp 137 138
port-map netbios        tcp 137 139
port-map netshow        tcp 1755
port-map nfs            udp 2049
port-map nfs            tcp 2049
port-map nntp           udp 119
port-map nntp           tcp 119
port-map notes          udp 1352
port-map notes          tcp 1352
port-map novadigm       udp 3460 3461 3462 3463 3464 3465
port-map novadigm       tcp 3460 3461 3462 3463 3464 3465
port-map ntp            udp 123
port-map ntp            tcp 123
port-map pcanywhere     udp 22 5632
port-map pcanywhere     tcp 65301 5631
port-map pop3           udp 110
port-map pop3           tcp 110
port-map pptp           tcp 1723
port-map printer        udp 515
port-map printer        tcp 515
port-map rcmd           tcp 512 513 514
port-map rip            udp 520
port-map rsvp           udp 1698 1699
port-map rtspplayer     tcp 554 7070
port-map secure-ftp     tcp 990
port-map secure-http    tcp 443
port-map secure-imap    udp 585 993
port-map secure-imap    tcp 585 993
port-map secure-irc     udp 994
port-map secure-irc     tcp 994
port-map secure-ldap    udp 636
port-map secure-ldap    tcp 636
port-map secure-nntp    udp 563
port-map secure-nntp    tcp 563
port-map secure-pop3    udp 995
port-map secure-pop3    tcp 995
port-map secure-telnet  tcp 992
port-map smtp           tcp 25
port-map snmp           udp 161 162
port-map snmp           tcp 161 162
port-map socks          tcp 1080
port-map sqlnet         tcp 1521
port-map sqlserver      tcp 1433
port-map ssh            tcp 22
port-map streamwork     udp 1558
port-map sunrpc         udp 111
port-map sunrpc         tcp 111
port-map syslog         udp 514
port-map telnet         tcp 23
port-map tftp           udp 69
port-map vdolive        tcp 7000
port-map xwindows       tcp 6000 6001 6002 6003
Example
> en
# config t
(config)# ip nbar pdlm tftp://1.2.3.4/test.pdlm
(config)# ip nbar port-map http tcp 80 8080
(config)# ip nbar port-map ftp tcp 21
(config)# class-map cTest
(config-cmap)# match protocol http
(config-cmap)# match protocol ftp
(config-cmap)# match protocol telnet
(config-cmap)# exit
In this example a traffic queue of 512 kbps is assigned to HTTP, FTP and Telnet traffic.
Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http ?
host  Server Host Name
mime  Match MIME Type
url   Match URL String
<cr>
(config-cmap)# m pro http url ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http url edinburgh*
(config-cmap)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest
Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http host ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http host cisco*
(config-cmap)# exit
This matches any host name containing cisco, such as cisco.com, and so on. The matching characters are:
*    Match any string
?    Match any single character
|    Or
(|)  Match one choice in the parenthesis, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]
Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http mime ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http mime *jpeg
(config-cmap)# exit
This matches any jpeg MIME type, such as image/jpeg. Other typical MIME types are gif, mp3, avi, and so on. The matching characters are:
*    Match any string
?    Match any single character
|    Or
(|)  Match one choice in the parenthesis, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]
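The wildcard table above, worked as an added example that is not code from the NetworkSims page or from Cisco IOS: a small Python model that turns a match protocol http host/url/mime pattern into a regular expression and classifies a request the way a chain of class-maps would. It assumes unanchored, case-insensitive matching and that spaces inside a pattern are ignored; the rule set and the requests are constructed.

```python
import re

# Added illustration of the wildcard table on the page:
#   *    any string            ?    any single character
#   |    alternation           (|)  grouped alternatives such as (gif | jpeg)
#   []   a range such as jpeg[0-9]
# Assumptions not stated on the page: a pattern matches anywhere in the field
# ("cisco*" matches "www.cisco.com"), matching is case-insensitive, and spaces
# inside a pattern are ignored.

def nbar_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one NBAR-style wildcard pattern into a compiled regex."""
    text = pattern.replace(" ", "")      # "(gif | jpeg)" -> "(gif|jpeg)"
    parts = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch in "|()":
            parts.append(ch)             # alternation and grouping mean the same in a regex
        elif ch == "[":
            end = text.find("]", i)
            if end < 0:
                raise ValueError(f"unterminated range in pattern {pattern!r}")
            parts.append(text[i:end + 1])  # copy the range, e.g. [0-9], verbatim
            i = end
        else:
            parts.append(re.escape(ch))    # everything else is literal ('.', '/', ...)
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def classify_http(class_rules, host: str, url: str, mime: str) -> str:
    """Return the first class-map whose rule matches the request.

    class_rules is a list of (class_name, field, pattern) with field one of
    "host", "url" or "mime", mirroring "match protocol http <field> <pattern>".
    A request matching no class falls into class-default, as on the router.
    """
    fields = {"host": host, "url": url, "mime": mime}
    for class_name, field, pattern in class_rules:
        if nbar_pattern_to_regex(pattern).search(fields[field]):
            return class_name
    return "class-default"


# Constructed rule set: the page's cTest patterns plus two that use (|) and [].
PAGE_RULES = [
    ("cURL",  "url",  "edinburgh*"),
    ("cHost", "host", "cisco*"),
    ("cNum",  "url",  "*jpeg[0-9]*"),
    ("cImg",  "url",  "*.(gif | jpeg)"),
    ("cMime", "mime", "*jpeg"),
]

if __name__ == "__main__":
    # constructed sample requests: (host, url, mime)
    for req in [("www.cisco.com", "/index.html", "text/html"),
                ("napier.ac.uk", "/edinburgh/map", "text/html"),
                ("example.org", "/img/jpeg3", "image/jpeg"),
                ("example.org", "/", "text/html")]:
        print(req, "->", classify_http(PAGE_RULES, *req))
```

Rule order matters exactly as class order does in a policy-map: the image/jpeg request above lands in cNum, not cMime, because its URL is tested first.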
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# class-map cTest
(config-cmap)# match protocol ?
arp            IP ARP
bgp            Border Gateway Protocol
bridge         Bridging
bstun          Block Serial Tunnel
cdp            Cisco Discovery Protocol
citrix         Citrix Traffic
compressedtcp  Compressed TCP
cuseeme        CU-SeeMe desktop video conference
custom-01      Custom protocol custom-01
custom-02      Custom protocol custom-02
custom-03      Custom protocol custom-03
custom-04      Custom protocol custom-04
custom-05      Custom protocol custom-05
custom-06      Custom protocol custom-06
custom-07      Custom protocol custom-07
custom-08      Custom protocol custom-08
custom-09      Custom protocol custom-09
custom-10      Custom protocol custom-10
dhcp           Dynamic Host Configuration
dlsw
dns
egp
eigrp
exchange
fasttrack
finger
ftp
gnutella
gopher
gre
http
icmp
imap
ip
ipinip
ipsec
ipv6
irc
kazaa2
kerberos
l2tp
ldap
llc2
napster
netbios
netshow
nfs
nntp
notes
novadigm
ntp
pad
pcanywhere
pop3
pppoe
pptp
printer
qllc
rcmd
rip
rsrb
rsvp
rtp
rtspplayer
secure-ftp
secure-http
secure-imap
secure-irc
secure-ldap
secure-nntp
secure-pop3
secure-telnet
smtp
snapshot
snmp
socks
sqlnet
sqlserver
ssh
streamwork
stun
sunrpc
syslog         System Logging Utility
telnet         Telnet
tftp           Trivial File Transfer Protocol
vdolive        VDOLive streaming video
vofr           voice over Frame Relay packets
xwindows       X-Windows remote access
(config-cmap)# match protocol fast ?
file-transfer File transfer stream
<cr>
(config-cmap)# match protocol fast file-transfer ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol fasttrack file-transfer *
(config-cmap)# exit
Notes
Fasttrack matches traffic such as KaZaA, Morpheus, Grokster. It is also possible to apply
other known peer-to-peer protocols such as:
(config-cmap)# match protocol napster
(config-cmap)# match protocol kazaa2
(config-cmap)# match protocol gnutella
Example
> en
# config t
(config)# class-map AUDIO
(config-cmap)# match protocol rtp ?
audio         Match voice packets
payload-type  Match an explicit PT
video         Match video packets
<cr>
(config-cmap)# match protocol rtp audio ?
<cr>
(config-cmap)# match protocol rtp payload- ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol rtp video ?
<cr>
(config-cmap)# match protocol rtp audio
(config-cmap)# exit
(config)# class-map VIDEO
(config-cmap)# match protocol rtp video
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class AUDIO
(config-pmap-c)# priority percent 60
(config-pmap-c)# exit
(config-pmap)# class VIDEO
(config-pmap-c)# priority percent 40
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
IP phone.
Gateways.
Multipoint control units.
Application servers.
Gatekeepers.
Call agents.
Video-end points.
Outline
This challenge involves the configuration of Weighted Fair Queue (WFQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int s0
(config-if)# fair-queue ?
<1-4096> Congestive Discard Threshold
<cr>
(config-if)# fair-queue 1 ?
<16-4096> Number Dynamic Conversation Queues
<cr>
(config-if)# fair-queue 1 16 ?
<0-1000> Number Reservable Conversation Queues
<cr>
(config-if)# fair-queue 1 16 100
(config-if)# hold-queue ?
<0-4096>  Queue length
(config-if)# hold-queue 100 ?
in   Input queue
out  Output queue
(config-if)# hold-queue 100 out ?
<cr>
(config-if)# hold-queue 100 out
Defaults are:
Congestive discard threshold  64 messages
Dynamic queues                256 queues
Reservable queues             0 queues
Define CBWFQ.
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 64
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Define CBWFQ.
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth percent 60
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth percent 40
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Define CBWFQ.
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
<8-2000000>  Kilo Bits per second
percent      % of total Bandwidth
remaining    % of the remaining bandwidth
(config-pmap-c)# bandwidth r ?
percent % of the remaining bandwidth
(config-pmap-c)# bandwidth remaining percent 60
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth remaining percent 40
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Define LLQ
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority 50
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 50
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Outline
This challenge involves the configuration of Weighted RR (WRR).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# mls qos
(config)# int fa0/1
(config-if)# no switchport
(config-if)# mls ?
qos qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# priority-queue ?
out  egress priority queue
(config-if)# priority-queue out
(config-if)# wrr-queue ?
bandwidth    Configure WRR bandwidth
cos-map      Configure cos-map for a queue id
min-reserve  Configure min-reserve level
(config-if)# wrr-queue bandwidth ?
<1-65536>  enter bandwidth weight for qid 1
Define PQ.
Apply priority-list onto an interface.
Example
> en
# config t
(config)# priority-list ?
<1-16>  Priority list number
(config)# priority-list 1 ?
default      Set priority queue for unspecified datagrams
interface    Establish priorities for packets from a named interface
protocol     priority queueing by protocol
queue-limit  Set queue limits for priority queues
(config)# priority-list 1 queue-limit ?
<0-32767>  High limit
(config)# priority-list 1 queue-limit 10 ?
<0-32767>  Medium limit
Define CBWRED
Example
> en
# config t
Minimum threshold. When the queue is shorter than this value, no packets are dropped.
Maximum threshold. When the queue is longer than this value, all packets are dropped.
Mark Probability Denominator. When the queue is between the minimum and maximum threshold values, packets are dropped based on this probability.
Thus:
(config-pmap-c)# random-detect prece 10 20 30
will not drop until there is a queue of 10, and will always drop when the queue is over 30. In between 10 and 20, it will drop 30% of packets.
See the next challenge for tagging the traffic with the DSCP value.
Example
> en
# config t
(config)# class-map VOIP
(config-cmap)# match ?
access-group
Access group
any
Any packets
class-map
Class map
cos
IEEE 802.1Q/ISL class of service/user priority values
destination-address Destination address
discard-class
Discard behavior identifier
dscp
Match DSCP in IP(v4) and IPv6 packets
fr-de
Match on Frame-relay DE bit
fr-dlci
Match on fr-dlci
input-interface
Select an input interface to match
ip
IP specific values
mpls
Multi Protocol Label Switching specific values
not
Negate this match result
packet
Layer 3 Packet length
precedence
Match Precedence in IP(v4) and IPv6 packets
protocol
Protocol
qos-group
Qos-group
source-address
Source address
(config-cmap)# match ip ?
dscp
Match IP DSCP (DiffServ CodePoints)
precedence Match IP precedence
rtp
Match RTP port nos
(config-cmap)# match ip dscp ?
<0-63>
Differentiated services codepoint value
af11
Match packets with AF11 dscp (001010)
af12
Match packets with AF12 dscp (001100)
af13
Match packets with AF13 dscp (001110)
af21
Match packets with AF21 dscp (010010)
af22
Match packets with AF22 dscp (010100)
af23
Match packets with AF23 dscp (010110)
af31
Match packets with AF31 dscp (011010)
af32
Match packets with AF32 dscp (011100)
af33
Match packets with AF33 dscp (011110)
af41
Match packets with AF41 dscp (100010)
af42
Match packets with AF42 dscp (100100)
af43
Match packets with AF43 dscp (100110)
cs1
Match packets with CS1(precedence 1) dscp (001000)
cs2
Match packets with CS2(precedence 2) dscp (010000)
cs3
Match packets with CS3(precedence 3) dscp (011000)
cs4
Match packets with CS4(precedence 4) dscp (100000)
cs5
Match packets with CS5(precedence 5) dscp (101000)
cs6
Match packets with CS6(precedence 6) dscp (110000)
cs7
Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef
Match packets with EF dscp (101110)
(config-cmap)# match ip dscp af21 af22 af23 cs2
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match ip dscp af11 af12 af13 cs1
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# random-detect ?
dscp
dscp-based
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# set ?
atm-clp
Set ATM CLP bit to 1
cos
Set IEEE 802.1Q/ISL class of service/user priority
discard-class Discard behavior identifier
dscp
Set DSCP in IP(v4) and IPv6 packets
fr-de
Set FR DE bit to 1
ip
Set IP specific values
mpls
Set MPLS specific values
precedence
Set precedence in IP(v4) and IPv6 packets
qos-group
Set QoS Group
(config-pmap-c)# set ip ?
dscp
Set IP DSCP (DiffServ CodePoint)
precedence Set IP precedence
(config-pmap-c)# set ip dscp ?
<0-63>
Differentiated services codepoint value
af11
Match packets with AF11 dscp (001010)
af12
Match packets with AF12 dscp (001100)
af13
Match packets with AF13 dscp (001110)
af21
Match packets with AF21 dscp (010010)
af22
Match packets with AF22 dscp (010100)
af23
Match packets with AF23 dscp (010110)
af31
Match packets with AF31 dscp (011010)
af32
Match packets with AF32 dscp (011100)
af33
Match packets with AF33 dscp (011110)
af41
Match packets with AF41 dscp (100010)
af42
Match packets with AF42 dscp (100100)
af43
Match packets with AF43 dscp (100110)
cs1
Match packets with CS1(precedence 1) dscp (001000)
cs2
Match packets with CS2(precedence 2) dscp (010000)
cs3
Match packets with CS3(precedence 3) dscp (011000)
cs4
Match packets with CS4(precedence 4) dscp (100000)
cs5
Match packets with CS5(precedence 5) dscp (101000)
cs6
Match packets with CS6(precedence 6) dscp (110000)
cs7
Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef
Match packets with EF dscp (101110)
(config-pmap-c)# set ip dscp 46
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip dscp 10
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Outline
This challenge involves tagging traffic with the Precedence value.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# set ?
atm-clp
Set ATM CLP bit to 1
cos
Set IEEE 802.1Q/ISL class of service/user priority
discard-class Discard behavior identifier
dscp
Set DSCP in IP(v4) and IPv6 packets
fr-de
Set FR DE bit to 1
ip
Set IP specific values
mpls
Set MPLS specific values
precedence
Set precedence in IP(v4) and IPv6 packets
qos-group
Set QoS Group
(config-pmap-c)# set ip ?
dscp
Set IP DSCP (DiffServ CodePoint)
precedence Set IP precedence
(config-pmap-c)# set ip prec ?
<0-7>
IP precedence
<0-7>
Precedence value
critical
Set packets with critical precedence (5)
flash
Set packets with flash precedence (3)
flash-override Set packets with flash override precedence (4)
immediate
Set packets with immediate precedence (2)
internet
Set packets with internetwork control precedence (6)
network
Set packets with network control precedence (7)
priority
Set packets with priority precedence (1)
routine
Set packets with routine precedence (0)
(config-pmap-c)# set ip prec 5
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip prec 1
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
Example
> en
# config t
(config)# int e0
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
flow
NetFlow related commands
header-compression IPHC options
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
idle-group
Specify interesting packets for idle-timer
igmp
IGMP interface commands
information-reply
Enable sending ICMP Information Reply messages
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nbar
Network-Based Application Recognition
next-hop-self
Configures IP-EIGRP next-hop-self
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP Interface Commands
rtp
RTP parameters
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression and other parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip rtp ?
compression-connections  Maximum number of compressed connections
header-compression       Enable RTP header compression
priority                 Assign a priority queue for RTP streams
reserve                  Assign a reserved queue for RTP streams
Example
> en
# config t
(config)# int s0
(config-if)# encapsulation ?
atm-dxi      ATM-DXI encapsulation
frame-relay  Frame Relay networks
hdlc         Serial HDLC synchronous
lapb         LAPB (X.25 Level 2)
ppp          Point-to-Point protocol
smds         Switched Megabit Data Service (SMDS)
x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# clock ?
rate  Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000
115200
125000
128000
148000
192000
250000
256000
384000
500000
512000
768000
800000
1000000
1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 1200
(config-if)# frame-relay ?
accounting
Special accounting instruction
address-reg
ELMI address registration
broadcast-queue
Define a broadcast queue and transmit rate
class
Define a map class on the interface
congestion-management Enable Frame Relay congestion management
de-group
Associate a DE group with a DLCI
fragment
Enable end-to-end fragmentation for all PVCs
fragmentation
Adaptive fragmentation
ifmib-counter64
Support IF-MIB's total packet/byte counts of Counter64
on FR if/subif when main interface's ifSpeed < 20 Mbps
interface-dlci
Define a DLCI on an interface/subinterface
interface-queue
configure PVC interface queueing
intf-type
Configure a FR DTE/DCE/NNI interface
inverse-arp
Enable/disable FR inverse ARP
ip
Frame Relay Internet Protocol config commands
lmi-n391dte
set full status polling counter
lmi-n392dce
LMI error threshold
lmi-n392dte
LMI error threshold
lmi-n393dce
set LMI monitored event count
lmi-n393dte
set LMI monitored event count
lmi-t392dce
set DCE polling verification timer
lmi-type
Use CISCO-ANSI-CCITT type LMI
local-dlci
Set source DLCI when LMI is not supported
map
Map a protocol address to a DLCI address
multicast-dlci
Set DLCI of a multicast group
policing
Enable Frame Relay policing
priority-dlci-group
Define a priority group of DLCIs
qos-autosense
enable QOS autosense
route
frame relay route for pvc switching
traffic-shaping
Enable Frame Relay Traffic Shaping
traps-maximum
set max traps FR generates at link up or when getting
LMI Full Status message
(config-if)# frame-relay map ?
bridge Bridging
bstun
Block Serial Tunnel
dlsw
Data Link Switching (Direct encapsulation only)
ip
IP
ipv6
IPV6
llc2
llc2
pppoe
PPP over Ethernet
qllc
qllc protocol
rsrb
stun
Example
> en
# config t
(config)# int e0
(config-if)# ip tcp ?
adjust-mss               Adjust the mss of transit packets
compression-connections  Maximum number of compressed connections
header-compression       Enable TCP header compression
(config-if)# ip tcp header-compression
(config-if)# ip tcp compression-connections ?
<3-256> Number of connections
(config-if)# ip tcp compression-connections 20
(config-if)# ip tcp header-compression
Example
> en
# config t
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp ?
accm            Set initial Async Control Character Map
accounting      Set PPP network accounting method
acfc            Options for HDLC Address & Control Field Compression
authentication  Set PPP link authentication method
authorization   Set PPP network authorization method
bridge          Enable PPP bridge translation
caller
chap
direction
dnis
eap
encrypt
ipcp
iphc
lcp
link
loopback
max-bad-auth
max-configure
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 560
(config)# access-list 100 udp any any eq 560
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
<8000-2000000000>  Bits per second
cir                Committed information rate
(config-pmap-c)# police 1000 ?
<1000-512000000>  Burst bytes
bc                Conform burst
conform-action    action when rate is less than conform burst
pir               Peak Information Rate
<cr>
(config-pmap-c)# police 1000 5000 ?
<1000-512000000>  Maximum burst bytes
conform-action    action when rate is less than normal burst
<cr>
(config-pmap-c)# police 1000 5000 9000
(config-pmap-c-police)# ?
QoS Class Police configuration commands:
conform-action  action when rate is less than conform burst
exceed-action   action when rate is within conform and conform + exceed burst
exit            Exit from Police configuration mode
no              Negate or set default values of a command
violate-action  action when rate is greater than conform + exceed burst
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
In this example the traffic flow is policed to an average rate of 1000 bits per second, a normal burst size of 5000 bytes, and an excess burst size of 9000 bytes.
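The conform/exceed/violate outcomes described above, as an added Python example that is not the router's code: a single-rate, three-colour token-bucket policer modelled on police 1000 5000 9000 and run over a constructed packet burst. It assumes the RFC 2697 refill rule (the excess bucket receives only what overflows the committed bucket), which the page does not state; the packet list is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added illustration, not IOS code. Two buckets: a committed bucket of bc bytes
# and an excess bucket of be bytes, both fed from the committed information
# rate (cir, bits per second). A packet that fits the committed bucket
# conforms, one that only fits the excess bucket exceeds, one that fits neither
# violates; these are the three outcomes that conform-action, exceed-action and
# violate-action act on. Assumption (RFC 2697 model, not stated on the page):
# the excess bucket is filled only by what overflows the committed bucket.

@dataclass
class SingleRatePolicer:
    cir_bps: int
    bc_bytes: int
    be_bytes: int
    last_time: float = 0.0
    c_tokens: float = field(init=False)
    e_tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.c_tokens = float(self.bc_bytes)   # both buckets start full
        self.e_tokens = float(self.be_bytes)

    def _refill(self, now: float) -> None:
        """Credit the bytes earned at cir since the previous packet."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        earned = elapsed * self.cir_bps / 8.0   # bits -> bytes
        room_c = self.bc_bytes - self.c_tokens
        spill = max(0.0, earned - room_c)       # overflow of the committed bucket
        self.c_tokens = min(float(self.bc_bytes), self.c_tokens + earned)
        self.e_tokens = min(float(self.be_bytes), self.e_tokens + spill)

    def police(self, now: float, size_bytes: int) -> str:
        """Colour one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.c_tokens:
            self.c_tokens -= size_bytes
            return "conform"
        if size_bytes <= self.e_tokens:
            self.e_tokens -= size_bytes
            return "exceed"
        return "violate"


def police_stream(policer: SingleRatePolicer,
                  packets: List[Tuple[float, int]]) -> List[str]:
    """Colour every (arrival_time, size_bytes) packet in arrival order."""
    return [policer.police(t, size) for t, size in packets]


def page_example() -> List[str]:
    """The page's police 1000 5000 9000 against a constructed burst."""
    policer = SingleRatePolicer(cir_bps=1000, bc_bytes=5000, be_bytes=9000)
    burst = [(0.0, 1500)] * 10      # ten 1500-byte packets at once: 15000 bytes
    later = [(8.0, 1500),           # 8 s at 1000 bit/s earns only 1000 bytes
             (8.0, 100),            # nothing is left for the packet after it
             (80.0, 1500)]          # 72 s more earns 9000 bytes; buckets refill
    return police_stream(policer, burst + later)


if __name__ == "__main__":
    colours = page_example()
    print(colours)
    print({c: colours.count(c) for c in ("conform", "exceed", "violate")})
```

The first burst shows the split the policer enforces: 5000 bytes conform, the next 9000 bytes exceed, and everything beyond bc + be violates until the buckets are refilled at cir.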
Example
> en
# config t
(config)# int s0
(config-if)# traffic-shape ?
adaptive    Enable Traffic Shaping adaptation to BECN
fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN
group       configure token bucket: group <access-list> CIR (bps) [Bc (bits) [Be (bits)]]
rate        configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate ?
<8000-100000000> Target Bit Rate (bits per second)
(config-if)# traffic-shape rate 100 ?
<0-100000000> bits per interval, sustained
<cr>
(config-if)# traffic-shape rate 100 200 ?
<0-100000000> bits per interval, excess in first interval
<cr>
(config-if)# traffic-shape rate 100 200 300 ?
<0-4096> Set buffer limit
<cr>
(config-if)# traffic-shape rate 100 200 300
(config-if)# exit
(config)# int s1
(config-if)# traffic-shape ?
adaptive    Enable Traffic Shaping adaptation to BECN
fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN
group       configure token bucket: group <access-list> CIR (bps) [Bc (bits) [Be (bits)]]
rate        configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate ?
<8000-100000000> Target Bit Rate (bits per second)
Example
> en
# config t
(config)# access-list 101 permit ip host 1.2.3.4 any any
(config)# access-list 102 permit ip host 1.2.3.5 any any
(config)# int s0
(config-if)# traffic-shape ?
  adaptive    Enable Traffic Shaping adaptation to BECN
  fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN
  group       configure token bucket: group <access-list> CIR (bps) [Bc (bits) [Be (bits)]]
  rate        configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape group ?
<1-2699> selecting Access list
(config-if)# traffic-shape group 101 ?
<8000-100000000> Target Bit Rate (bits per second)
(config-if)# traffic-shape group 101 1000 ?
<0-100000000> bits per interval, sustained
<cr>
(config-if)# traffic-shape group 101 1000
(config-if)# traffic-shape group 102 6000
This defines that the average rate for traffic from 1.2.3.4 will be 1000 bps, while it will be
6000 bps from 1.2.3.5. No other shaping will occur.
Example
> en
# config t
(config)# int s0
(config-if)# encapsulation frame-relay
(config-if)# traffic-shape ?
  adaptive    Enable Traffic Shaping adaptation to BECN
  fecn-adapt  Enable Traffic Shaping reflection of FECN as BECN
  group       configure token bucket: group <access-list> CIR (bps) [Bc (bits) [Be (bits)]]
  rate        configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate 1000000
(config-if)# traffic-shape adaptive ?
<1-100000000> Lower Bound Target Bit Rate (bits per second)
(config-if)# traffic-shape adaptive 60000
(config-if)# traffic-shape fecn-adapt
This defines a committed information rate (CIR) of 60,000 bps, and an access rate of
1,000,000 bps.
FECN (Forward Explicit Congestion Notification)
BECN (Backward Explicit Congestion Notification)
Definitions:
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci787381,00.html
Outline
This challenge involves class-based shaping, where the shaping profile can be defined in a
policy-map.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# shape ?
  adaptive        Enable Traffic Shaping adaptation to BECN
  average         configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]], send out Bc only per interval
  fecn-adapt      Enable Traffic Shaping reflection of FECN as BECN
  fr-voice-adapt  Enable rate adjustment depending on voice presence
  max-buffers     Set Maximum Buffer Limit
  peak            configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]], send out Bc+Be per interval
(config-pmap-c)# shape average ?
  <8000-154400000>  Target Bit Rate (bits per second), the value needs to be multiple of 8000
(config-pmap-c)# shape average 8000 ?
  <256-154400000>  bits per interval, sustained. Needs to be multiple of 128. Recommend not to configure it, the algorithm will find out the best value
  <cr>
(config-pmap-c)# exit
Example
In this case the VOICE traffic will be given a bandwidth of 512 kbps, and an output which is
shaped to 800,000 bps, whereas DATA will be given a bandwidth of 256 kbps, and a peak
throughput of 300,000 bps.
This challenge involves setting up a crypto map and applying it to an interface, with QoS for a tunnel. It uses the qos pre-classify interface command, which is restricted to tunnel interfaces and crypto maps and is not available on normal interfaces.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int tunnel1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# int tunnel1
(config-if)# crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map
(config-if)# crypto m ?
  WORD  Crypto Map tag
  <cr>
(config-if)# crypto m manchester
(config-if)# tunnel ?
checksum
destination
flow
key
mode
path-mtu-discovery
protection
sequence-datagrams
source
tos
ttl
udlr
Define CoPP.
Apply the CoPP.
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 560
(config)# access-list 100 udp any any eq 560
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
Example
> en
# config t
(config)# telephony-service
(config-telephony)# ?
Cisco IOS Telephony Service configuration commands:
  application       The selected application
  call-forward      Define E.164 telephone number for call forwarding
  create            create cnf for ethernet phone
  date-format       Set date format for IP Phone display
  default           Set a command to its defaults
  dialplan-pattern  Define E.164 telephone number prefix
  directory         Define directory naming order
  dn-webedit        enable Edit DN through Web
  exit              Exit from telephony-service configuration mode
  ip                Define IP address and port for Telephony-Service/Fallback
  keepalive         Define keepalive timeout period to unregister IP phones
  load              Select the IP phone firmware load file
  max-conferences   Define max number of 3 party G.711 conferences
  max-dn            Maximum directory numbers supported
  max-ephones       Define max number of IP phones
  moh               Define music-on-hold filename
  mwi               Define IP address and port for MWI Server
  network-locale    Define ephone network locale
  no                Negate a command or set its defaults
  reset             reset ethernet phone
  restart           restart ethernet phone
  service           Service configuration in ITS
  time-format       Set time format for IP Phone display
  time-webedit      enable Edit Time through Web
  timeouts          Define timeout value for IP phone
  transfer-pattern  Define valid call transfer destinations
  transfer-system   Define call transfer system: blind/consult and local/end-to-end
  url               Define Ephone URL's
  user-locale       Define ephone user locale
  voicemail         Set the voicemail access number called when the MESSAGES IP phone button is pressed
  web               define username for admin user
(config-telephony)# max-ep ?
<1-48> Maximum phones to support
(config-telephony)# max-ep 10 ?
<cr>
(config-telephony)# max-ephones 10
(config-telephony)# max-dn ?
<1-192> Maximum directory numbers supported
(config-telephony)# max-dn 10 ?
<cr>
(config-telephony)# max-dn 10
(config-telephony)# keepalive ?
  <10-65535>  Time in seconds
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone
(config-telephony)# create ?
cnf-files create XML cnf for ethernet phone
(config-telephony)# create cnf-files
(config-telephony)# ip ?
source-address Define IP address and port for Telephony-Service/Fallback
(config-telephony)# ip source-address ?
A.B.C.D Define IP source address
(config-telephony)# ip source-address 1.2.3.4 ?
port Define tcp port for Telephony Service/CM FALLBACK
<cr>
(config-telephony)# ip source-address 1.2.3.4 p ?
<2000-9999> Specify the port: 2000 - 9999
<cr>
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail ?
WORD voicemail access number
(config-telephony)# voicemail 5555
(config-telephony)# web ?
  admin      define username for admin user
  customize  define customization file name
(config-telephony)# web admin ?
  customer  customer admin
  system    system admin
(config-telephony)# web admin system ?
  name      admin username
  password  admin password
(config-telephony)# web admin system name ?
  WORD  username for admin
(config-telephony)# web admin system name username test password pass
(config-telephony)# dn-webedit
(config-telephony)# time-webedit
Example
> en
# config t
(config)# telephony-service
(config-telephony)# max-ephones 10
(config-telephony)# max-dn 10
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone
(config-telephony)# create cnf
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail 5555
(config-telephony)# web admin system name username test password pass
(config-telephony)# exit
(config)# ephone-dn 1
(config-ephone-dn)# ?
Ephone DN configuration commands:
  application    The selected application
  call-forward   Define E.164 telephone number for call forwarding
  caller-id      Configure port caller id parameters
  cor            Class of Restriction on dial-peer for this dn
  default        Set a command to its defaults
  description    dn desc, for DN Qualified Display Name
  exit           Exit from ephone-dn configuration mode
  feed           set live feed multicast stream mode
  hold-alert     Set Call On-Hold timeout alert parameters
  huntstop       Stop hunting on Dial-Peers
  intercom       Define intercom/auto-call extension number
  loopback-dn    Define dn-tag to create loopback dn pair with this ephone-dn
  moh            set live-feed music-on-hold mode (with optional multicast)
  mwi            set message waiting indicator options (mwi)
  name           Define dn user name
  no             Negate a command or set its defaults
  number         Define E.164 telephone number
  paging         set audio paging mode
  preference     Preference for the attached dial-peer for the primary dn number
  transfer-mode  Define call transfer mode: blind vs. consult
  translate      Translation rule
(config-ephone-dn)# number 5501
(config-ephone-dn)# name fred
(config-ephone-dn)# call-forward noan 5503 timeout 10
(config-ephone-dn)# exit
(config)# ephone-dn 2
(config-ephone-dn)# number ?
  WORD  A sequence of digits - representing telephone number
(config-ephone-dn)# number 5502 ?
  no-reg     Set E164 not register
  secondary  secondary dn number
  <cr>
(config-ephone-dn)# number 5502
(config-ephone-dn)# name ?
LINE user name, use quoted string if including spaces
(config-ephone-dn)# name bert
(config-ephone-dn)# call-forward ?
  all   forward all calls
  busy  forward call on busy
  noan  forward call on no-answer
(config-ephone-dn)# call-forward all ?
  WORD  A sequence of digits - representing E.164 number
(config-ephone-dn)# call-forward all 5504
Define an e-Phone.
Define telephony settings.
Define directory numbers.
Define a call forwarding number on a non-answer.
Example
> en
# config t
(config)# ephone 1
(config-ephone)# ?
Ethernet phone configuration commands:
  button        define button to dn map
  default       Set a command to its defaults
  exit          Exit from ephone configuration mode
  keepalive     Define keepalive timeout period to unregister IP phone
  mac-address   define ethernet phone MAC address
  no            Negate a command or set its defaults
  paging-dn     set audio paging dn group for phone
  reset         reset ethernet phone
  restart       restart ethernet phone
  speed-dial    Define ip-phone speed-dial number
  type          Define ip-phone type
  username      define username to access ethernet phone from Web
  vm-device-id  define voice-mail id string
(config-ephone)# mac-address ?
H.H.H Mac address
<cr>
(config-ephone)# mac-address 1.2.3.4
(config-ephone)# type ?
  7910       Cisco IP Phone 7910
  7935       Polycom 7935
  7940       Cisco IP Phone 7940
  7960       Cisco IP Phone 7960
  ata        ATA phone emulation for analog phone
  cipc       Cisco IP
  vgc-phone  vg248 phone emulation for analog phone
(config-ephone)# type cipc
(config-ephone)# button ?
LINE button-index:dn-index pairs example 1:2 2:5
(config-ephone)# button 1:1
(config-ephone)# exit
(config)# telephony-service
(config-telephony)# max-ephones 10
(config-telephony)# max-dn 10
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone
(config-telephony)# create test
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail 5555
(config-telephony)# exit
(config)# ephone-dn 1
(config-ephone-dn)# number 5501
(config-ephone-dn)# name fred
(config-ephone-dn)# call-forward noan 5503 timeout 10
(config-ephone-dn)# exit
(config)# ephone-dn 2
(config-ephone-dn)# number 5502
(config-ephone-dn)# name bert
(config-ephone-dn)# call-forward all 5504
If Cisco IP Communicator is used to simulate Ethernet phones, then the type is cipc.
A button entry of the form 1:2 assigns the first button to the second directory number.
Example
> en
# config t
(config)# cdp run
(config)# int vlan 10
(config-vlan)# exit
(config)# int vlan 20
(config-vlan)# exit
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport access vlan 10
(config-if)# switchport voice ?
  vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID
(config-if)# switchport voice vlan 20
(config-if)# au ?
qos Configure AutoQoS
(config-if)# auto qos ?
voip Configure AutoQoS for VoIP
Note:
For Auto QoS VoIP, CDP needs to be enabled.
Example
> en
# config t
(config)# queue-list ?
  <1-16>  Queue list number
(config)# queue-list 1 ?
  default        Set custom queue for unspecified datagrams
  interface      Establish priorities for packets from a named interface
  lowest-custom  Set lowest number of queue to be treated as custom
  protocol       priority queueing by protocol
  queue          Configure parameters for a particular queue
  stun           Establish priorities for stun packets
(config)# queue-list 1 protocol ?
  arp            IP ARP
  bridge         Bridging
  bstun          Block Serial Tunnel
  cdp            Cisco Discovery Protocol
  compressedtcp  Compressed TCP
  dlsw           Data Link Switching (Direct encapsulation only)
  ip             IP
  ipv6           IPV6
  llc2           llc2
  pad            PAD links
  pppoe          PPP over Ethernet
  qllc           qllc protocol
  rsrb           Remote Source-Route Bridging
  snapshot       Snapshot routing support
  stun           Serial Tunnel
(config)# que 1 protocol ip ?
<0-16> queue number
(config)# queue-list 1 protocol ip 2 ?
  fragments  Prioritize fragmented IP packets
  gt         Classify packets greater than a specified size
  list       To specify an access list
  lt         Classify packets less than a specified size
  tcp        Prioritize TCP packets 'to' or 'from' the specified port
  udp        Prioritize UDP packets 'to' or 'from' the specified port
  <cr>
(config)# queue-list 1 protocol ip 2 tcp ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
(config)# queue-list 1 protocol ip 2 tcp 22
(config)# queue-list 1 protocol ip 2 tcp telnet
(config)# queue-list 1 protocol ip 3 tcp pop3
(config)# queue-list 1 protocol ip 3 tcp smtp
(config)# queue-list 1 protocol ip 4 tcp www
(config)# queue-list 1 default 4
(config)# queue-list 1 queue 1 ?
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# queue-list 1 protocol ip 2 ?
  fragments  Prioritize fragmented IP packets
  gt         Classify packets greater than a specified size
  list       To specify an access list
  lt         Classify packets less than a specified size
  tcp        Prioritize TCP packets 'to' or 'from' the specified port
  udp        Prioritize UDP packets 'to' or 'from' the specified port
  <cr>
(config)# queue-list 1 protocol ip 2 list 100
(config)# queue-list 1 protocol ip 3 list 101
(config)# queue-list 1 default 3
(config)# queue-list 1 queue 2 limit 100
(config)# queue-list 1 queue 3 byte-count 1000
(config)# int s0
(config-if)# custom-queue-list 1
Example
> en
# config t
(config)# access-list 100 udp any any range 16384 32767
(config)# access-list 100 tcp any any eq 1720
(config)# access-list 101 tcp any any eq 80
(config)# priority-list ?
  <1-16>  Priority list number
(config)# priority-list 1 ?
  default      Set priority queue for unspecified datagrams
  interface    Establish priorities for packets from a named interface
  protocol     priority queueing by protocol
  queue-limit  Set queue limits for priority queues
(config)# priority-list 1 protocol ?
  arp            IP ARP
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  clns           ISO CLNS
  clns_es        ISO CLNS End System
  clns_is        ISO CLNS Intermediate System
  cmns           ISO CMNS
  compressedtcp  Compressed TCP (VJ)
  http           HTTP
  ip             IP
  llc2           llc2
  pad            PAD links
  pppoe          PPP over Ethernet
  rsrb           Remote Source-Route Bridging
  snapshot       Snapshot routing support
(config)# priority-list 1 protocol ip ?
  high
  medium
  normal
  low
(config)# priority-list 1 protocol ip high ?
  fragments  Prioritize fragmented IP packets
  gt         Prioritize packets greater than a specified size
  list       To specify an access list
  lt         Prioritize packets less than a specified size
  tcp        Prioritize TCP packets 'to' or 'from' the specified port
  udp        Prioritize UDP packets 'to' or 'from' the specified port
  <cr>
(config)# priority-list 1 protocol ip high list 100
(config)# priority-list 1 protocol ip low list 101
Note:
It is also possible to base the queue on protocols, such as:
(config)# priority-list 1 protocol ip low tcp 22
(config)# priority-list 1 protocol ip high tcp www
To give a high priority for WWW traffic, and a low one for SSH.
18 Security
Cisco Router Challenge 31
Outline
This challenge involves the configuration of a priority group.
Objectives
The objectives of this challenge are to:
Define an access-list.
Define a priority-group.
Define a route-cache.
Example
> en
# config t
(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL abolute timer
  rate-limit        Simple rate-limit specific access list
(config)# access-list 105 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 105 permit tcp host 144.93.24.10 host 131.33.204.2 eq dns
(config)# access-list 105 deny tcp host 154.31.216.9 host 26.100.164.1 eq dns
(config)# access-list 105 permit tcp 243.76.220.0 255.255.0.0 89.36.160.0 255.255.0.0 eq dns
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# service ?
  compress-config        Compress the configuration file
  config                 TFTP load config files
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
  uptime                 Timestamp with system uptime
  <cr>
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def radius
(config)# aaa authen ppp def radius
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default radius
(config)# aaa author exec default radius
Objectives
The objectives of this challenge are to:
Setup of Tacacs+.
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def tacacs+
(config)# aaa authen ppp def tacacs+
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default tacacs+
(config)# aaa author exec default tacacs+
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 7 permit host 23.17.220.3
(config)# access-list 7 deny any
(config)# ip http server
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http access-class ?
  <1-99>  Access list number
(config)# ip http access-class 7
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 7 deny host 23.17.220.3
(config)# access-list 7 permit any
(config)# ip http server
(config)# ip http access-class 7
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 1 permit host 202.179.77.6
(config)# access-list 1 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
(config-line)# access-class 1 ?
  in   Filter incoming connections
  out  Filter outgoing connections
(config-line)# access-class 1 in
Objectives
Example
> en
# config t
(config)# access-list 1 deny host 202.179.77.6
(config)# access-list 1 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
(config-line)# access-class 1 in
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>
Objectives
The objectives of this challenge are to:
Setup a CBAC.
Define the protocols which the CBAC applies to.
Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
Objectives
The objectives of this challenge are to:
Example
> en
# config t
Objectives
The objectives of this challenge are to:
Setup logging.
Define an audit-trail.
Example
> en
# config t
(config)# logging on
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 107 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
(config)# access-list 107 deny tcp any any established
(config)# access-list 107 permit tcp any any
(config)# int s0
(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)# ip access-group 107 ?
  in   inbound packets
  out  outbound packets
(config-if)# ip access-group 107 in
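The access lists on this page (the wildcard-mask entries of lists 105 and 109, the standard list 7, and list 107 with its established keyword) are all evaluated by the same first-match rule with an implicit deny at the end. The following is an added example, not NetworkSims code: a small Python evaluator for that subset of the access-list syntax, run against constructed packets; the PORT_NAMES table and the packet values are constructed for the example.

```python
"""First-match evaluation of IOS numbered access lists.

Added example, not NetworkSims code.  It parses the entry forms used on this
page (standard lists with host/any/wildcard sources; extended ip/tcp/udp
entries with ``eq <port>`` and ``established``) and evaluates constructed
packets as the router does: the first matching entry wins and a packet that
matches nothing hits the implicit deny at the end of the list.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress

# Constructed subset of the IOS port-name table.  "dns" is not an IOS keyword
# (IOS uses "domain" for port 53) but is accepted because this page writes it.
PORT_NAMES = {"domain": 53, "dns": 53, "www": 80, "telnet": 23, "smtp": 25,
              "pop3": 110, "snmp": 161, "isakmp": 500}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

@dataclass
class AddrSpec:
    addr: int
    wildcard: int      # IOS wildcard mask: a 1 bit means "don't care"

    def covers(self, ip):
        care = self.wildcard ^ 0xFFFFFFFF
        return (ip_int(ip) & care) == (self.addr & care)

def parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W"""
    tok = tokens.pop(0)
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF)
    if tok == "host":
        return AddrSpec(ip_int(tokens.pop(0)), 0)
    return AddrSpec(ip_int(tok), ip_int(tokens.pop(0)))

def parse_port(tokens):
    # Consume an optional 'eq <port>'; gt/lt/range are not modelled here.
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

@dataclass
class Ace:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

def parse_ace(line):
    """Parse one 'access-list <n> permit|deny ...' line."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if number <= 99 or 1300 <= number <= 1999:   # standard list: source only
        return Ace(action, "ip", parse_addr(rest), AddrSpec(0, 0xFFFFFFFF))
    proto = rest.pop(0)
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    return Ace(action, proto, src, dst, sport, dport, "established" in rest)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}

def ace_matches(ace, pkt):
    # 'established' matches segments with ACK or RST set, so the opening SYN
    # of a new connection never matches it.
    return (ace.proto in ("ip", pkt.proto)
            and ace.src.covers(pkt.src) and ace.dst.covers(pkt.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport)
            and (not ace.established or bool(pkt.flags & {"ACK", "RST"})))

def evaluate(acl_lines, pkt):
    """Return (action, index of the matching entry); ('deny', None) is the
    implicit deny at the end of every IOS access list."""
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None

# The list applied inbound on s0 above: the first entry drops every segment
# carrying ACK or RST, so only connection-opening SYNs reach the permit.
ACL_107 = ["access-list 107 deny tcp any any established",
           "access-list 107 permit tcp any any"]
```

Feeding a UDP packet to ACL_107 returns ("deny", None), which is the implicit deny that catches anything the two tcp entries do not mention.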
Objectives
The objectives of this challenge are to:
Define AAA.
Setup an authentication proxy.
Example
> en
# config t
(config)# aaa new-model
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http authentication ?
  aaa     Use AAA access control methods
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
(config)# ip http authentication aaa
(config)# ip auth-proxy ?
  auth-cache-time    Authorization Cache Timeout in min
  auth-proxy-audit   Authentication Proxy Auditing
  auth-proxy-banner  Authentication Proxy Banner
  name               Specify an Authentication Proxy Rule
  <cr>
(config)# ip auth-proxy auth-cache-time ?
<1-35791> Timeout in minutes
(config)# ip auth-proxy auth-cache-time 45
(config)# ip auth-proxy name yellow http
(config)# int fa0
(config-if)# ip auth-proxy ?
WORD Name of authenticaion proxy rule
(config-if)# ip auth-proxy yellow
(config-if)# exit
# show ip auth-proxy configuration
# sh ip auth-proxy config
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# ip audit ?
  attack     Specify default action for attack signatures
  info       Specify default action for informational signatures
  name       Specify an IDS audit rule
  notify     Specify the notification mechanisms (nr-director or log) for the alarms
  po         Specify nr-director's PostOffice information (for sending events to the nr-directors
  signature  Add a policy to a signature
  smtp       Specify SMTP Mail spam threshold
(config)# ip audit notify ?
  log          Send events as syslog messages
  nr-director  Send events to the nr-director
(config)# ip audit notify log
(config)# logging 132.191.125.3
(config)# ip audit ?
  attack     Specify default action for attack signatures
  info       Specify default action for informational signatures
  name       Specify an IDS audit rule
  notify     Specify the notification mechanisms (nr-director or log) for the alarms
  po         Specify nr-director's PostOffice information (for sending events to the nr-directors
  signature  Add a policy to a signature
  smtp       Specify SMTP Mail spam threshold
(config)# ip audit info ?
  action  Specify the actions
(config)# ip audit info action ?
  alarm  Generate events for matching signatures
  drop   Drop packets matching signatures
  reset  Reset the connection (if applicable)
(config)# ip audit info action drop
(config)# ip audit attack action reset
(config)# ip audit signature ?
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des
Note:
DES encryption and Diffie-Hellman group 1, as used in this exercise, are the weakest choices in the policy and are deprecated in current IOS releases; AES and a larger DH group are the modern equivalents.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# match address 109
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# set transform-set finland
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map manchester
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# hostname london
london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in
Outline
This challenge involves blocking SNMP.
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# access-list 110 deny udp any any eq snmp
(config)# int e0
(config-if)# ip access-group 110 in
(config-if)# exit
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-ID paris
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# crypto key pubkey-chain rsa
(config-pubkey-chain)# addressed-key 142.217.4.10
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# exit
(config-pubkey-chain)# exit
(config)# exit
# show crypto key pubkey rsa
Objectives
The objectives of this challenge are to:
Define EIGRP.
Apply MD5 authentication on an interface.
Example
# config t
(config)# router eigrp 142
(config-router)# network 205.104.0.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit
An SSH client such as PuTTY can then be used to connect to the access point:
... graphic missed out on version see help file.
after which the client shows the message:
... graphic missed out on version see help file.
which sets the timeout to 60 seconds, and a maximum of two retries. Finally, to prevent
Telnet sessions:
ap(config)#line vty 0 4
ap(config-line)# transport input ssh
Example
> enable
# config t
(config)# access-list 150 permit tcp any host 172.10.1.1
(config)# ip tcp intercept list 150
(config)# ip tcp intercept mode intercept
Example
> enable
# config t
(config)# ip inspect ?
L2-transparent  Transparent Mode commands
alert-off       Disable alert
audit-trail     Enable the logging of session information (addresses and bytes)
dns-timeout     Specify timeout for DNS
hashtable-size  Specify size of hashtable
max-incomplete  Specify maximum number of incomplete connections before clamping
name            Specify an inspection rule
one-minute      Specify one-minute-sample watermarks for clamping
tcp             Config timeout values for tcp connections
udp             Config timeout values for udp flows
<cr>
(config)# ip inspect name ?
WORD Name of inspection defined
(config)# ip inspect name test ?
cuseeme      CUSeeMe Protocol
esmtp        Extended SMTP
fragment     IP fragment inspection
ftp          File Transfer Protocol
h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http         HTTP Protocol
icmp         ICMP Protocol
netshow      Microsoft NetShow Protocol
rcmd         R commands (r-exec, r-login, r-sh)
realaudio    Real Audio Protocol
rpc          Remote Prodedure Call Protocol
rtsp         Real Time Streaming Protocol
sip          SIP Protocol
skinny       Skinny Client Control Protocol
smtp         Simple Mail Transfer Protocol
sqlnet       SQL Net Protocol
streamworks  StreamWorks Protocol
tcp          Transmission Control Protocol
tftp         TFTP Protocol
udp          User Datagram Protocol
vdolive      VDOLive Protocol
(config)# ip inspect name test ftp
(config)# ip inspect name test h323
(config)# ip inspect name test http
(config)# int e0
(config-if)# ip inspect ?
WORD Name of inspection defined
(config-if)# ip inspect test in
(config-if)# int e1
(config-if)# ip inspect ?
WORD Name of inspection defined
(config-if)# ip inspect test out
Explanation
Inspection rules are used to define the traffic types and applications that are to be inspected.
First the applications to be monitored are defined, such as:
(config)#ip inspect name BILLS ?
cuseeme      CUSeeMe Protocol
fragment     IP fragment inspection
ftp          File Transfer Protocol
h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http         HTTP Protocol
netshow      Microsoft NetShow Protocol
rcmd         R commands (r-exec, r-login, r-sh)
realaudio    Real Audio Protocol
rpc          Remote Prodedure Call Protocol
rtsp         Real Time Streaming Protocol
smtp         Simple Mail Transfer Protocol
sqlnet       SQL Net Protocol
streamworks  StreamWorks Protocol
tcp          Transmission Control Protocol
tftp         TFTP Protocol
udp          User Datagram Protocol
vdolive      VDOLive Protocol
Note that the name of the rule is case sensitive, such as:
#show ip inspect name bills
%Inspect name bills is not defined
# show ip inspect name BILLS
Inspection name BILLS
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
tcp alert is on audit-trail is off timeout 3600
(config)# ip inspect audit-trail
Inspection name BILLS
http alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600
CBAC is used together with ACLs: it modifies the ACL dynamically so that the return traffic of inspected sessions is allowed through. An inspection rule is applied in a similar way to an ACL, such as:
(config)# access-list 101 permit ip 10.0.0.1 0.0.0.255 any
(config)# access-list 101 deny ip any any
(config)#int fa0
(config-if)#ip inspect ?
WORD Name of inspection defined
(config-if)#ip inspect BILLS ?
in   Inbound inspection
out  Outbound inspection
and:
(config)# access-list 102 permit tcp any host 10.0.0.1 eq www
(config)# access-list 102 deny ip any any
(config)#int s0
(config-if)#ip access-group 102 in
Notice that no traffic is allowed in on the incoming port. The CBAC fixes this.
which applies the BILLS inspection rule to the FA0 interface in the incoming direction.
Thus, when a host on the network attached to FA0 initiates a connection to a remote Web
server, the inspection rule kicks in and modifies ACL 102 so that the reply traffic between
the two hosts is allowed. If there were no inspection rule, the reply would be blocked. If a
host outside the network (connected to S0) tries to connect to a node inside the network
without the connection first having been initiated from inside, its traffic is blocked, as the
CBAC has no record of the session.
To test a CBAC:
#sh ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name BILLS
http alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600
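The behaviour described above (an inside-initiated session opening the return path through ACL 102, an unsolicited outside connection still blocked, and the 3600 s idle timeout), as an added Python model that is not part of the original page or of Cisco's implementation: the ACL parser covers only the syntax shown on this page, and the host addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed model (not NetworkSims or Cisco code) of a CBAC inspection rule
# applied 'in' on FA0 opening return paths through ACL 102 (applied 'in' on S0).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22}
APP_BY_PORT = {80: "http", 21: "ftp"}   # application names the inspection rule can name

Packet = namedtuple("Packet", "proto src dst sport dport")
# src/dst are IPv4Network objects; sport/dport None means "any port"; dynamic marks CBAC entries
AclEntry = namedtuple("AclEntry", "action proto src sport dst dport dynamic", defaults=(False,))

def matches(e: AclEntry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and e.sport in (None, p.sport)
            and e.dport in (None, p.dport))

def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(addr + "/32")

def _parse_addr(t, i):
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return host(t[i + 1]), i + 2
    # ipaddress accepts the IOS wildcard (hostmask) form after the slash
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, in order."""
    entries = []
    for line in lines:
        t = line.split()
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(AclEntry(t[2], t[3], src, sport, dst, dport))
    return entries

class Cbac:
    def __init__(self, name, protocols, outside_acl, idle_timeout=3600):
        self.name, self.protocols = name, set(protocols)
        self.acl = outside_acl      # the ACL applied 'in' on the outside interface
        self.idle_timeout = idle_timeout
        self.sessions = {}          # dynamic AclEntry -> time it was last used

    def outbound(self, p: Packet, now=0) -> bool:
        """Inside host sends p out through S0; open the return path if p is inspected."""
        if APP_BY_PORT.get(p.dport) not in self.protocols and p.proto not in self.protocols:
            return False
        entry = AclEntry("permit", p.proto, host(p.dst), p.dport, host(p.src), p.sport, True)
        if entry not in self.sessions:
            self.acl.insert(0, entry)   # dynamic entries are checked before the static ones
        self.sessions[entry] = now
        return True

    def inbound(self, p: Packet, now=0) -> str:
        """Packet arriving on S0: the first matching entry of the ACL decides."""
        for e in self.acl:
            if matches(e, p):
                if e.dynamic:
                    self.sessions[e] = now
                return e.action
        return "deny"               # implicit deny at the end of every IOS ACL

    def expire(self, now) -> int:
        """Drop dynamic entries idle longer than the rule's timeout (3600 s on the page)."""
        stale = [e for e, seen in self.sessions.items() if now - seen > self.idle_timeout]
        for e in stale:
            self.acl.remove(e)
            del self.sessions[e]
        return len(stale)

def demo():
    acl102 = parse_acl(["access-list 102 permit tcp any host 10.0.0.1 eq www",
                        "access-list 102 deny ip any any"])
    cbac = Cbac("BILLS", ["http", "ftp", "tcp"], acl102)
    client, server, outsider = "10.0.0.25", "203.0.113.10", "198.51.100.7"  # constructed
    reply = Packet("tcp", server, client, 80, 40001)
    before = cbac.inbound(reply)                         # no session yet: reply is dropped
    cbac.outbound(Packet("tcp", client, server, 40001, 80), now=0)
    opened = cbac.inbound(reply, now=10)                 # session known: reply passes
    unsolicited = cbac.inbound(Packet("tcp", outsider, client, 5555, 22), now=10)
    published = cbac.inbound(Packet("tcp", outsider, "10.0.0.1", 5555, 80), now=10)
    cbac.expire(now=3611)                                # idle for more than 3600 s
    after_timeout = cbac.inbound(reply, now=3611)
    return before, opened, unsolicited, published, after_timeout
```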
Example
> en
# config t
(config)# security ?
authentication  Authentication security CLIs
passwords       Password security CLIs
(config)# security passwords ?
min-length  Minimum length of passwords
(config)# security passwords min ?
<0-16>  Minimum length of all user/enable passwords
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug  Timestamp debug messages
log    Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime  Timestamp with date and time
uptime    Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
Enable 802.1x.
Define re-authentication.
Example
> en
# config t
(config)# int fa0/1
(config-if)# dot1x ?
default           Configure Dot1x with default values for this port
host-mode         Set the Host mode for 802.1x on this interface
max-req           Max No.of Retries
port-control      set the port-control value
reauthentication  Enable or Disable Reauthentication for this port
timeout           Various Timeouts
(config-if)# dot1x port-control ?
auto              PortState will be set to AUTO
force-authorized  PortState set to Authorized
Example
> en
# config t
Switch(config)# spanning-tree ?
backbonefast  Enable BackboneFast Feature
etherchannel  Spanning tree etherchannel specific configuration
extend        Spanning Tree 802.1t extensions
loopguard     Spanning tree loopguard options
mode          Spanning tree operating mode
mst           Multiple spanning tree configuration
pathcost      Spanning tree pathcost options
portfast      Spanning tree portfast options
uplinkfast    Enable UplinkFast Feature
vlan          VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
bpdufilter  Enable portfast bdpu filter on this switch
bpduguard   Enable portfast bpdu guard on this switch
default     Enable portfast by default on all access ports
Example
> en
# config t
Switch(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
snooping                   DHCP Snooping
Switch(config)# ip dhcp snooping ?
information  DHCP Snooping information
vlan         DHCP Snooping vlan
<cr>
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan ?
<1-4094> DHCP Snooping vlan first number
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# ip dhcp ?
snooping DHCP Snooping
Switch(config-if)# ip dhcp snooping ?
limit DHCP Snooping limit
trust DHCP Snooping trust config
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit ?
rate DHCP Snooping limit
Switch(config-if)# ip dhcp snooping limit rate ?
<1-4294967294> DHCP snooping rate limit
Switch(config-if)# ip dhcp snooping limit rate 30
19 Cisco Academy Network Security 1
Example
> en
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
rsvp             RSVP Interface Commands
rtp              RTP parameters
sap              Session Announcement Protocol interface commands
security         DDN IP Security Option
split-horizon    Perform split horizon
summary-address  Perform address summarization
tcp              TCP header compression and other parameters
unnumbered       Enable IP processing without an explicit address
unreachables     Enable sending ICMP Unreachable messages
urd              Configure URL Rendezvousing
verify           Enable per packet validation
vrf              VPN Routing/Forwarding parameters on the interface
wccp             WCCP interface commands
(config-if)# no ip redirects
(config-if)# no ip unreachables
(config-if)# no ip mask-reply
To disable the multicast route cache:
(config-if)# no ip mroute-cache
(config-if)# exit
Example
> en
# config t
(config)# router rip
(config-router)# version 2
(config-router)# network 194.205.128.0
(config-router)# ?
key-chain ?
key-chain martin
mode ?
mode md5
Example
> en
# config t
(config)# access-list 10 permit 10.0.0.0 0.0.0.255
(config)# router rip
(config-router)# distribute-list 10 in fa0/1
(config-router)# passive-interface fa0/2
(config-router)# version 2
(config-router)# network 194.205.128.0
(config-router)# exit
(config)# key chain martin
(config-keychain)# key 1
(config-keychain-key)# key-string officer
(config-keychain-key)# exit
(config-keychain)# exit
(config)# int fa0/1
(config-if)# ip rip authentication key-chain martin
(config-if)# ip rip authentication mode md5
The passive-interface command stops the router from sending routing updates out of the
specified interface.
Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:
SYNTAX:
<ip_address>
<mask>
<sby_ip_addr>
<4-16>
<interface>:
<if_name>:
see also:
nameif, security-level
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# help shut
USAGE:
[no] shutdown
DESCRIPTION:
shutdown
Shutdown the selected interface
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# sh ip add
System IP Addresses:
IP address outside 192.168.1.1
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# show running
myPIX # sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
SYNTAX:
<username>
SYNTAX:
<if_name>
<interface>:
see also:
security-level, interface, static, global, nat
(config-if)# nameif jupiter
(config-if)# help security-level
USAGE:
security-level <0-100>
no security-level [<0-100>]
DESCRIPTION:
security-level
SYNTAX:
<0-100>
see also:
nameif
(config-if)# security-level 50
(config-if)# exit
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username
SYNTAX:
<username>
<nopassword>
<password>
encrypted
<level>
attributes
SYNTAX:
<pw>
The password for this privilege level
<level>
The privilege level
<encrypted>
Indicates that this password is encrypted
(config)# enable ?
configure mode commands/options:
password Configure password for the enable command
(config)# enable password ?
configure mode commands/options:
WORD Enter a password for the privilege level
<cr>
configure mode commands/options:
password of up to 16 alphanumeric characters
(config)# passwd kent
(config)# help password
USAGE:
[no] password|passwd <password> encrypted
clear configure passwd
DESCRIPTION:
passwd
SYNTAX:
<password>
encrypted
see also:
telnet
(config)# help http
USAGE:
[no] http <local_ip> <mask> <if_name>
[no] http server enable
DESCRIPTION:
http
SYNTAX:
<local_ip>
<mask>
<if_name>
see also:
password, aaa
(config)# http server enable
(config)# help banner
USAGE:
banner {exec | login | motd} <text>
no banner {exec | login | motd} [<text>]
show banner [{exec | login | motd}]
clear banner
DESCRIPTION:
banner
SYNTAX:
exec
login
motd
<text>
Example
mypix(config)# help route
USAGE:
[no] route <if_name> <foreign_ip> <mask> <gateway>
[<metric>|tunneled]
clear configure route [<if_name>]
clear route [<if_name>]
show running-config route
show route [<if_name>]
DESCRIPTION:
route
SYNTAX:
<if_name>
<foreign_ip>
<mask>
<gateway>
<metric>
tunneled
see also:
rip, ping
Example
SYNTAX:
<local_ip>
<mask>
<if_name>
<number>
see also:
ssh, password, aaa
arizona (config)# telnet timeout 8
arizona (config)# help ssh
USAGE:
[no] ssh <local_ip> <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh sessions [<client_ip>]
ssh disconnect <session_id>
DESCRIPTION:
ssh
Add SSH access to the Device console, set idle timeout, set
version supported, enable Secure Copy as an SSH application,
display a list of active SSH sessions, and terminate an SSH
session.
SYNTAX:
<local_ip>
<mask>
<if_name>
<number>
<client_ip>
<session_id>
see also:
telnet, password, enable, aaa
arizona (config)# ssh timeout 9
pixfirewall(config)# help console
USAGE:
[no] console timeout <number>
DESCRIPTION:
console
SYNTAX:
<number>
see also:
telnet, ssh, passwd, aaa
arizona (config)# console timeout 9
arizona (config)# show telnet
arizona (config)# show ssh
arizona (config)# show console
Rename the interfaces, and define the security level on each interface.
Note: A port with the name of outside always has a security level of 0, while a port with the
name of inside always has a security level of 100.
Example (Ver 6.x)
myPIX (config)# nameif e0 strathclyde security24
myPIX (config)# nameif e1 orkney security61
myPIX (config)# nameif e2 rhodeisland security44
# config t
(config)# int e0
(config-if)# nameif strathclyde
(config-if)# security-level 24
(config-if)# exit
(config)# int e1
(config-if)# nameif orkney
(config-if)# security-level 61
(config-if)# exit
(config)# int e2
(config-if)# nameif rhodeisland
(config-if)# security-level 44
(config-if)# exit
(config)# exit
# show running
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# shutdown
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# shutdown
(config-if)# exit
(config)# exit
# show running
[detail|stats|ip brief]
clear config interface {<type> <port>[.<subif_number>]}
clear interface {<type> <port>[.<subif_number>]}
DESCRIPTION:
interface
SYNTAX:
<type>
<port>
<subif_number>
<if_name>
allocate-interface
(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# help du
USAGE:
duplex auto|full|half
no duplex [auto|full|half]
DESCRIPTION:
duplex
SYNTAX:
auto
full
half
see also:
speed
(config-if)# duplex full
(config-if)# help speed
USAGE:
speed 10|100|1000|auto
no speed [10|100|1000|auto]
DESCRIPTION:
speed
SYNTAX:
Possible Ethernet values are:
10
Force 10 Mbps operation
100
auto
Example
myPIX (config)# help dhcpd
SYNTAX:
<ip1>
<ip2>
<dnsip>
<winsip>
<lease_length>
<timeout>
<domain_name>
<code>
<string>
<hex_string>
<address_1>
<address_2>
<srv_ifc_name>
<clnt_if_name>
Example (V6.x)
myPIX (config)# help fixup
USAGE:
[no] fixup protocol <prot> [<option>] <port>[-<port>]
DESCRIPTION:
fixup
SYNTAX:
<prot>
<option>
option to the inspection function
<port1>[-<port2>]
A range of ports to enable the fixup
myPIX (config)# fixup protocol ?
configure mode commands/options:
ctiqbe
dns
ftp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
smtp
snmp
sqlnet
sunrpc
sunrpc_udp
tftp
xdmcp
myPIX (config)# fix pro http ?
configure mode commands/options:
WORD
Specify port(s) to enable fixup, <port1>[-<port2>]; default port(s):
ctiqbe--------------2748 ftp-------------------21
gtp------------2123,3386 h323-h225-----------1720
h323-ras-------1718-1719 http------------------80
ils------------------389 mgcp-----------2427,2727
netbios----------137-138 pptp----------------1723
rsh------------------514 rtsp-----------------554
sip-----------------5060 skinny--------------2000
smtp------------------25 snmp-----------------161
sqlnet--------------1521 sunrpc---------------111
sunrpc_udp-----------111 tftp------------------69
xdmcp----------------177
highs Ports 1024-65535
lows
Ports 1-1023
udp
Enable SIP over UDP application inspection
myPIX (config)# fixup protocol http 161
myPIX (config)# fixup protocol ftp 60
myPIX (config)# fixup protocol smtp 84
myPIX (config)# show fixup
Example (V7.x)
As V6.x but replace show fixup with:
myPIX # sh run fix
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.
myPIX # sh run service-p
service-policy global_policy global
myPIX # sh run policy-m
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
Example
myPIX (config)# domain-name fife.nu
myPIX (config)# username fred password bert
myPIX (config)# help ca
USAGE:
crypto ca trustpoint <name>
no crypto ca trustpoint <name> [noconfirm]
crypto ca authenticate <name> [fingerprint <hex value>] [nointeractive]
crypto ca enroll <name> [noconfirm]
crypto ca import <name> certificate [nointeractive]
crypto ca import <name> pkcs12 <passphrase> [nointeractive]
crypto ca export <name> pkcs12 <passphrase>
crypto ca crl request <name>
crypto ca certificate map <sequence #>
crypto ca certificate chain <name>
clear configure crypto ca trustpoint
clear configure ca certificate map [<sequence #>]
clear crypto ca crls [<name>]
show crypto ca crls [<name>]
show crypto ca certificates [<name>]
show running-config [all] crypto ca
DESCRIPTION:
ca
SYNTAX:
trustpoint
authenticate
enroll
import
export
Define a CA trustpoint
Get the CA certificate
Request a certificate from a CA
Import certificate or pkcs-12 data
Export a trustpoint configuration with all associated
keys and certificates in PKCS12 format
crl
For manual CRL polling, displaying, and erasing.
certificate map
Define certificate attributes map
certificate chain
Enter certificate chain configuration mode for the
indicated trustpoint
noconfirm
Suppress all interactive prompting
nointeractive
Execute the command in non-interactive mode
fingerprint
A key consisting of alphanumeric characters that is
used to authenticate the CA's certificate.
<name>
A nickname for the CA server.
<passphrase>
A required password that gives the CA administrator
some authentication when a user calls to ask for a
certificate to be revoked.
It can be up to 80 characters in length.
<sequence #>
Sequence to insert into certificate map entry
see also: key, crypto, ipsec, isakmp, tunnel-group
myPIX (config)# ca generate rsa key 256
myPIX (config)# show ca mypubkey rsa
SYNTAX:
<if_name>
<nat_id>
<local_ip>
<mask>
dns
tcp
TCP connections.
udp
UDP connections.
<max_conns>
<emb_limit>
norandomseq
<acl-name>
access-list name.
see also:
SYNTAX:
<(ext_if_name)> The external network interface name
<nat_id>
interface
see also:
Objectives
The objectives of this challenge are to:
(config)# int e2
(config-if)# ip address 172.16.0.1 255.128.0.0
(config-if)# nameif inf2
(config-if)# exit
SYNTAX:
<real_ifc>
<mapped_ifc>
tcp
udp
<real_ip>
<real_port>
<mapped_ip>
<mask>
<mapped_port>
interface
<mapped_port>
<acl_name>
dns
norandomseq
nailed
<max_conn>
<emb_limit>
see also:
nat, global
myPIX (config)# static ?
configure mode commands/options:
( Open parenthesis for (<internal_if_name>,<external_if_name>) pair
where <internal_if_name> is the Internal or prenat interface and
<external_if_name> is the External or postnat interface
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show running static
Outline
This challenge involves the configuration of the activation key.
Objectives
The objectives of this challenge are to:
Example
myPIX # help activation-key
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key
Modify activation-key.
SYNTAX:
<activation-key-four-or-five-tuple>
a four or five element hexadecimal string.
myPIX (config)# activation-key 1aa3aaab abfbcef1 133445ee ee56f6b0
myPIX (config)# show activation-key
Example
myPIX (config)# help access-l
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group <protocol_obj_grp_id>}
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> [line <line_num>] {deny | permit} icmp
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> webtype {deny|permit}
url {<url-string>|any} [log {disable | default | level}
[interval <seconds>]] [time-range <name>] [inactive]
[no] access-list <id> webtype {deny | permit>
tcp {host <host-addr> | <dest-addr> <dest-mask> | any}
[{{EQ | NEQ | LT | GT} <port> | RANGE <port> <port>}]
[log {disable | default | <level>} [interval <seconds>]]
[time-range <name> ] [ inactive ]
[no] access-list <id> [line <line_num>] remark <text>
access-list deny-flow-max <n>
access-list alert-interval <secs>
Standard access list:
Use this to configure policy having destination host or network only
[no] access-list <id> standard {deny|permit} {any | <ip> <mask> | host <ip>}
[no] access-list <id> remark <text>
Generic Commands:
show access-list [<id>]
show running-config access-list
[alert-interval | deny-flow-max | <id>]
clear configure access-list [<id>]
clear access-list [<id> [counters]]
DESCRIPTION:
access-list
SYNTAX:
<id>
<line_num>
<webtype>
deny
permit
object-group
obj_grp_id
remark
<protocol>
<sip>
Source IP address
<smask>
<dip>
Destination IP address
<dmask>
<operator>
<port>
<text>
comment (remark)
log
disable
default
<level>
interval
<secs>
<icmp_type>
0 echo-reply,
3 unreachable,
4 source-quench,
5 redirect,
6 alternate-address,
8 echo,
9 router-advertisement,
10 router-solicitation,
11 time-exceeded,
12 parameter-problem,
13 timestamp-request,
14 timestamp-reply,
15 information-request,
16 information-reply,
17 address-mask-request,
18 address-mask-reply,
31 conversion-error or
32 mobile-redirect
see also:
access-group, object-group
myPIX (config)# access-list uranus permit ip host 26.32.188.8 host 129.67.195.1
access-group
<access-list>
<in|out>
interface
<if_name>
[per-user-
DESCRIPTION:
access-group
traffic
SYNTAX:
<access-list>
<in|out>
<if_name>
per-user-override
see also:
access-list, object-group
myPIX (config)# access-group uranus in interface outside
Example
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group
SYNTAX:
protocol
network
service
icmp-type
protocol         Specifies a group of protocols
network          Specifies a group of networks
service          Specifies a group of services
icmp-type        Specifies a group of ICMP types
<obj_grp_id>
tcp|udp|tcp-udp  for a service group; TCP only, such as ftp; UDP only, such as snmp; both TCP and UDP
show
clear
see also:
protocol-object, network-object,
port-object, icmp-object, group-object
myPIX (config)# object-group network montana
myPIX(config-network)# exit
myPIX (config)# object-group protocol newyork
myPIX(config-protocol)# exit
myPIX (config)# object-group icmp-type birmingham
myPIX(config-icmp-type)# exit
> enable
myPIX # config t
myPIX (config)# nameif e0 columbia security0
myPIX (config)# nameif e1 orkney security100
myPIX (config)# nameif e2 florida security50
SYNTAX:
<if_name>
<ip_address>
<number>
<value>
see also:
clock
myPIX (config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
myPIX (config)# ntp server 73.35.212.5 ?
Enable failover.
Define failover addresses.
Define failover poll time.
Example (V6.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover
SYNTAX:
active                        Make this the active unit of a failover pair
reset                         Force both units back to an unfailed state
<ifc_name>                    Interface name
<ip_address>                  IP Address
<mask>                        IP Netmask
<n>[%]                        Number/percent of monitored interfaces causing failover
[unit] [msec] <time>          Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>            Unit holdtime (3-45 seconds)
polltime interface <seconds>  Interface poll interval (3-15 seconds)
replication http              Enable HTTP (port 80) connection replication
lan unit {primary|secondary}  Specify the unit as primary or secondary
lan interface                 Specify the failover interface parameters
link                          Specify the stateful interface parameters
interface ip                  Specify IP and mask for failover/stateful interface
interface-policy              Specify interface monitoring failure policy
key <shared_key>              Specify failover encryption shared key
show failover                 Display failover runtime info
mac address                   Specify virtual mac address for a physical interface
<phyifc>                      Physical interface name
<subifc_id>                   Sub-interface id
<act_mac> <stn_mac>           Active and standby mac address
timeout                       Specify failover reconnect timeout value for ASR sessions
lan enable                    Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# show failover
Example (V7.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
SYNTAX:
active                        Make this the active unit of a failover pair
reset                         Force both units back to an unfailed state
<ifc_name>                    Interface name
<ip_address>                  IP Address
<mask>                        IP Netmask
<n>[%]                        Number/percent of monitored interfaces causing failover
[unit] [msec] <time>          Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>            Unit holdtime (3-45 seconds)
polltime interface <seconds>  Interface poll interval (3-15 seconds)
replication http              Enable HTTP (port 80) connection replication
lan unit {primary|secondary}  Specify the unit as primary or secondary
lan interface                 Specify the failover interface parameters
link                          Specify the stateful interface parameters
interface ip                  Specify IP and mask for failover/stateful interface
interface-policy              Specify interface monitoring failure policy
key <shared_key>              Specify failover encryption shared key
show failover                 Display failover runtime info
mac address                   Specify virtual mac address for a physical interface
<phyifc>                      Physical interface name
<subifc_id>                   Sub-interface id
<act_mac> <stn_mac>           Active and standby mac address
timeout                       Specify failover reconnect timeout value for ASR sessions
lan enable                    Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
Objectives
The objectives of this challenge are to:
Enable failover.
Define failover addresses.
Define failover parameters.
Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover
Example (V7.x)
myPIX (config)# failover ?
configure mode commands/options:
interface
Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key
lan
link
mac
polltime
replication
timeout
<cr>
exec mode commands/options:
active
Make this system to be the active unit of the failover pair
reload-standby Force standby unit to reboot
reset
Force an unit or failover group to an unfailed state
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan 157.202.212.3 ?
configure mode commands/options:
<cr>
myPIX (config)# failover interface ip address outside 157.202.212.2
myPIX (config)# failover interface ip address inside 73.105.56.11
myPIX (config)# failover interface ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan ?
configure mode commands/options:
enable
Enable LAN-Based failover
interface Configure the interface and vlan to be used for failover
communication
unit
Configure the unit as primary or secondary
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# show running failover
Enable failover.
Define failover addresses.
Define failover parameters.
Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover
Example (V7.x)
myPIX (config)# failover active
myPIX (config)# failover interface ip outside 157.202.212.2 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 standby 166.209.230.12
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover
Objectives
The objectives of this challenge are to:
Example
myPIX (config)# help aaa-server
USAGE:
[no] aaa-server <tag> <(if_name)> host <ip_address>
[no] aaa-server <tag> protocol <protocol>
clear configure aaa-server [<tag>]
show running-config [all] aaa-server [<tag> [<(if_name)>
host <ip_address>]]
show aaa-server [<tag> [host <hostname>]]
show aaa-server protocol <protocol>
clear aaa-server statistics [<tag> [host <hostname>]]
clear aaa-server statistics protocol <protocol>
test aaa-server authentication <group tag> [host <ip_address>]
[username <user>] [password <password>]
test aaa-server authorization <group tag> [host <ip_address>]
[username <user>]
DESCRIPTION:
aaa-server
SYNTAX:
<tag>
<if_name>
SYNTAX:
secure-http-client
HTTP client authentication is secured (over SSL)
include|exclude
Include or exclude the service, local and foreign network which
needs to be authenticated, authorized, and accounted
<svc>
<if_name>
<l_ip>
<l_mask>
<f_ip>
<f_mask>
<server_tag>
LOCAL
<proxy limit>
aaa-server
username
aaa authentication http console orange
aaa authentication serial console orange
aaa authentication telnet console orange
Enable AAA.
Define authentication.
Example
myPIX (config)# aaa-server orange protocol radius
myPIX (config)# aaa-server orange (inside) host 155.109.40.4 beetroot
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange
Example
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
myPIX (config)#
Example
> en
myPIX # config t
myPIX (config)# help snmp-server
USAGE:
[no] snmp-server community|contact|location <text>
[no] snmp-server host <if_name> <local_ip> [trap|poll]
[community <text>] [version {1|2c}] [udp-port <port>]
[no] snmp-server enable [traps [all | <feature> [<trap1> ... <trapn>]]]
show snmp-server statistics
show running-config [all] snmp-server
SYNTAX:
community
contact
location
<text>
host
<if_name>
<local_ip>
[trap|poll]
udp-port
<port>
version
[1|2c]
enable
traps
all
<feature>
<trapn>
listen-port
statistics
see also:
logging
myPIX (config)# snmp-server
Not enough arguments.
Usage: [no] snmp-server community|contact|location <text>
[no] snmp-server host [<if_name>] <local_ip> [trap|poll]
[no] snmp-server enable traps
myPIX (config)# snmp-server community oldest ro
myPIX (config)# snmp-server location edinburgh
myPIX (config)# snmp-server host inside 160.61.110.11
myPIX (config)# snmp-server contact june
myPIX (config)# snmp-server enable traps
Outline
This challenge involves the configuration of logging.
Objectives
The objectives of this challenge are to:
Enable logging.
Define logging levels.
Example
> en
myPIX # config t
myPIX (config)# help logg
USAGE:
[no] logging enable
[no] logging timestamp
[no] logging standby
[no] logging debug-trace
[no] logging emblem
[no] logging flash-bufferwrap
[no] logging flash-minimum-free <kbytes>
[no] logging flash-maximum-allocation <kbytes>
[no] logging ftp-bufferwrap
[no] logging ftp-server <ftp-server> <path> <username> <password>
[no] logging buffer-size <bytes>
[no] logging permit-hostdown
[no] logging from-address <mail-address>
[no] logging recipient-address <mail-address> [level <level>]
[no] logging host <in_if> <l_ip> [{tcp|6}|{udp|17}[/<port#>]] [format emblem]
SYNTAX:
enable
timestamp
standby
debug-trace
ftp-server
<ftp-server>
<path>
<username>
<password>
buffer-size
<bytes>
<interval>
Define class maps. Remember the class map defines the traffic which is interesting.
In this case the class-map relates to defining TCP ports and an access-list.
Example
myPIX# config t
myPIX(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
myPIX(config)# class-map ?
myPIX(config)# class-map delaware
myPIX(config-cmap)# ?
myPIX(config-cmap)# description ?
myPIX(config-cmap)# description testing
myPIX(config-cmap)# match ?
myPIX(config-cmap)# match port ?
myPIX(config-cmap)# match port tcp ?
myPIX(config-cmap)# match port tcp eq ?
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# match port tcp eq 21
myPIX(config-cmap)# match port tcp eq 23
myPIX(config-cmap)# match port udp eq 23
myPIX(config-cmap)# match access-list ?
myPIX(config-cmap)# match access-list 100
myPIX(config-cmap)# match dscp ?
myPIX(config-cmap)# exit
myPIX(config)# class-map VOICE
myPIX(config-cmap)# exit
myPIX(config)# class-map EXECTEST
myPIX(config-cmap)# exit
myPIX(config)# policy-map ?
myPIX(config)# policy-map NEW
myPIX(config-pmap)# ?
myPIX(config-pmap)# description ?
myPIX(config-pmap)# description test
myPIX(config-pmap)# class ?
myPIX(config-pmap)# class delaware
myPIX(config-pmap-c)# ?
myPIX(config-pmap-c)# inspect ?
myPIX(config-pmap-c)# ips ?
myPIX(config-pmap-c)# police ?
myPIX(config-pmap-c)# police 1000 ?
myPIX(config-pmap-c)# police 1000 500
myPIX(config-pmap-c)# set ?
myPIX(config-pmap-c)# set conn ?
myPIX(config-pmap-c)# exit
myPIX(config-pmap)# exit
myPIX(config)# service-policy ?
myPIX(config)# service-policy NEW ?
myPIX(config)# service-policy NEW interface ?
myPIX(config)# service-policy NEW interface outside
Example
An example, which has not yet been implemented in the challenge, is:
pix1(config)# class-map TEST
pix1(config-cmap)# match port tcp eq 25
pix1(config-cmap)# match tunnel-group S2S
pix1(config-cmap)# exit
pix1(config)# class-map VOICE
pix1(config-cmap)# match dscp ef
pix1(config-cmap)# exit
pix1(config)# class-map EXECTEST
pix1(config-cmap)# match access-list 112
pix1(config-cmap)# exit
pix1(config)# policy-map NEW
pix1(config-pmap)# class TEST
Define E0 details.
Define E1 details.
Define a static mapping (with non-default names).
Define E0 details.
Define an access-list
Apply the access-list to E0.
access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group
traffic
SYNTAX:
<access-list>
<in|out>
<if_name>
per-user-override
see also:
access-list, object-group
amsterdam (config)# access-group 101 in interface california
Define AAA
Enable 802.1x.
Define re-authentication.
Example
> en
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1x port-control ?
auto
PortState will be set to AUTO
force-authorized
PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
<cr>
(config-if)# dot1x reauthentication
(config-if)# dot1 timeout ?
quiet-period
QuietPeriod in Seconds
reauth-period
Time after which an automatic re-authentication should be
initiated
server-timeout Timeout for Radius Retries
supp-timeout
Timeout for Supplicant retries
tx-period
Timeout for Supplicant Re-transmissions
(config-if)# dot1 timeout reauth-period ?
<1-65535> Enter a value between 1 and 65535
Enable AAA.
Define the Radius server.
Enable 802.1x.
Define re-authentication.
Define Dot1x timeouts.
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen dot1x ?
WORD
Named authentication list.
default The default authentication list.
(config)# aaa authentication dot1x default ?
enable
Use enable password for authentication.
group
Use Server-group
line
Use line password for authentication.
local
local-case
none
Outline
This challenge involves enabling an authentication proxy using Tacacs+.
Objectives
The objectives of this challenge are to:
Enable AAA.
Define the Tacacs+ server.
Define authentication proxy settings for the HTTP server.
Example
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default group tacacs+
(config)# aaa authorization ?
auth-proxy
For Authentication Proxy Services
cache
For AAA cache configuration
commands
For exec (shell) commands.
config-commands For configuration mode commands.
configuration
For downloading configurations from AAA server
exec
For starting an exec (shell).
ipmobile
For Mobile IP services.
network
For network services. (PPP, SLIP, ARAP)
reverse-access
For reverse access connections
template
Enable template authorization
(config)# aaa authorization auth-proxy ?
default The default authorization list.
(config)# aaa authorization auth-proxy default ?
group Use server-group.
local Use local database.
(config)# aaa authorization auth-proxy default group ?
WORD
Server-group name
radius
Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
(config)# aaa authorization auth-proxy default group tacacs+
ip auth-proxy name AR ?
FTP Protocol
HTTP Protocol
Telnet Protocol
ip auth-proxy name AR http
(config)# int e0
(config-if)# ip auth-proxy ?
WORD Name of authenticaion proxy rule
(config-if)# ip auth-proxy AR ?
<cr>
(config-if)# ip auth-proxy AR
Example
> en
# config t
(config)# ip inspect ?
alert-off
Disable alert
audit-trail
Enable the logging of session information (addresses and
bytes)
dns-timeout
Specify timeout for DNS
max-incomplete Specify maximum number of incomplete connections before
clamping
name
Specify an inspection rule
one-minute
Specify one-minute-sample watermarks for clamping
tcp
Config timeout values for tcp connections
udp
Config timeout values for udp flows
<cr>
(config)# ip inspect one-minute ?
high Specify high-watermark for clamping
low
Specify low-watermark for clamping
(config)# ip inspect one-minute low 360
(config)# ip inspect one-minute high 410
(config)# ip inspect max-incomplete low 720
(config)# ip inspect max-incomplete high 770
(config)# ip inspect dns-timeout 1
(config)# ip inspect tcp ?
finwait-time
Specify timeout for TCP connections after a FIN
idle-time
Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time
Specify timeout for TCP connections after a SYN and no
further data
(config)# ip inspect tcp synwait-time ?
<1-2147483> Timeout in seconds
(config)# ip inspect tcp synwait-time 35
(config)# ip inspect tcp finwait-time 5
(config)# ip inspect tcp max-incomplete ?
host Specify max half-open connection per host
(config)# ip inspect tcp max-incomplete host 800
(config)# ip inspect tcp ?
finwait-time
Specify timeout for TCP connections after a FIN
idle-time
Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time
Specify timeout for TCP connections after a SYN and no
further data
(config)# ip inspect tcp idle-time 70
(config)# ip inspect udp idle-time 57
Outline
This challenge involves the configuration of a context based access-list (CBAC).
Objectives
The objectives of this challenge are to:
Setup a CBAC.
Define the protocols which the CBAC applies to.
Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# ip inspect name cisco ?
cuseeme
CUSeeMe Protocol
fragment
IP fragment inspection
ftp
File Transfer Protocol
h323
H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http
HTTP Protocol
netshow
Microsoft NetShow Protocol
rcmd
R commands (r-exec, r-login, r-sh)
realaudio
Real Audio Protocol
rpc
Remote Prodedure Call Protocol
rtsp
Real Time Streaming Protocol
smtp
Simple Mail Transfer Protocol
sqlnet
SQL Net Protocol
streamworks StreamWorks Protocol
tcp
Transmission Control Protocol
tftp
TFTP Protocol
udp
User Datagram Protocol
vdolive
VDOLive Protocol
(config)# ip inspect name cisco tcp
(config)# ip inspect name cisco udp
(config)# ip inspect name cisco ftp
(config)# ip inspect name cisco sqlnet
(config)# int e0
(config-if)# ip inspect ?
WORD Name of inspection defined
(config-if)# ip inspect cisco
(config-if)# ip inspect cisco in
(config-if)# exit
(config)# access-list 106 deny ip any any
(config)# int s0
(config-if)# ip access-group 106 in
Explanation
ACLs are fairly static in their operation, and they do not take into account the context of a
data packet. Thus they cannot detect the actual state of a connection. A typical type of attack
on a system is DoS (Denial-of-Service), which is caused when multiple remote clients make
access to the same server. Knowing the context of a data packet, or its associated connection,
thus allows finer control of the security of the system. For example, in a DoS the firewall
could detect that the number of connections in a given time limit had exceeded a given
number, and block any other ones within a given time. Context-based Access Control
(CBAC) is thus stateful and dynamic, and can look further into packets than normal
ACLs can. In client-server communications the key states in most connections are:
Context-based Access Control is used to implement firewall options, such as limiting the
number of open connections. A typical attack is the DoS (Denial of Service) attack, where
the external party opens up multiple connections. To overcome this, the router can be set up
to detect a minimum threshold for half-open sessions. A half-open session is one where either
the client or the server quits the session without the other side knowing about it. In a DoS, the
client opens a connection and does not complete it. The server does not know that the client
has disconnected, so the connection still takes up some resources on the server, which can
become overburdened if there are many open sessions. On the Napier pods, use Pod C
(Router 1) for an example of a router which implements these CBACs.
Global timeouts and thresholds
The main limits that are defined are:
ip inspect tcp synwait-time. This defines the time to wait, after a SYN with no further data, before a connection is dropped. Default: 30 seconds.
ip inspect tcp finwait-time. This defines the time after a FIN flag for a connection to be dropped. Default: 5 seconds.
ip inspect tcp idle-time. This defines the length of time that a connection can be idle. Default: 1 hour.
ip inspect dns-timeout. This defines the time-out for a DNS query. Default: 5 seconds.
ip inspect max-incomplete high. This defines the maximum number of half-open connections, before the router starts to delete them one-by-one. Default: 500.
ip inspect max-incomplete low. This defines the lower limit for the half-open connections, below which deletion stops. Default: 400.
ip inspect one-minute high. This defines the maximum number of new half-open connections in a minute, before the router starts to delete them one-by-one. Default: 500 per minute.
ip inspect one-minute low. This defines the lower limit for the half-open connections over a minute, below which deletion stops. Default: 400.
For example, to keep the number of half-open sessions at any time between 900 (low watermark) and 1100 (high watermark):
(config)# ip inspect ?
alert-off
Disable alert
audit-trail
Enable the logging of session information (addresses and
bytes)
dns-timeout
Specify timeout for DNS
max-incomplete Specify maximum number of incomplete connections before
clamping
name
Specify an inspection rule
one-minute
Specify one-minute-sample watermarks for clamping
tcp
Config timeout values for tcp connections
udp
Config timeout values for udp flows
<cr>
(config)# ip inspect tcp ?
finwait-time
Specify timeout for TCP connections after a FIN
idle-time
Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time
Specify timeout for TCP connections after a SYN and no
further data
(config)# ip inspect max-incomplete low 900
(config)# ip inspect max-incomplete high 1100
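To see how the high and low watermarks interact, the following Python model is an added example, not IOS code and not part of the NetworkSims material: it tracks half-open sessions, enters clamping when either the total (max-incomplete) or the one-minute rate reaches its high watermark, deletes the oldest half-open session for each new request while clamping, and stops clamping only once both counters are back under their low watermarks. Deleting oldest-first and one deletion per new request are modelling assumptions; the session ids and timings are constructed sample input.

```python
from collections import deque

# Constructed model of CBAC half-open session clamping (not IOS code).
# Thresholds mirror the page's commands and their IOS defaults:
#   ip inspect max-incomplete high|low   total half-open sessions  (500 / 400)
#   ip inspect one-minute high|low       new attempts per minute   (500 / 400)


class HalfOpenClamp:
    """Tracks half-open sessions and applies high/low watermark clamping."""

    def __init__(self, max_high=500, max_low=400, minute_high=500, minute_low=400):
        self.max_high, self.max_low = max_high, max_low
        self.minute_high, self.minute_low = minute_high, minute_low
        self.half_open = deque()   # ids of sessions not yet completed, oldest first
        self.recent = deque()      # timestamps of attempts seen in the last 60 s
        self.clamping = False      # True while old half-open sessions are being deleted
        self.deleted = []          # ids removed by clamping, in deletion order

    def _rate(self, now):
        # Slide the one-minute window forward and return the attempts inside it.
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        return len(self.recent)

    def _maybe_stop(self, now):
        # Clamping ends only when BOTH counters are back under their low marks.
        if (self.clamping and len(self.half_open) < self.max_low
                and self._rate(now) < self.minute_low):
            self.clamping = False

    def syn(self, session_id, now):
        """A new connection request (SYN seen): the session starts out half-open."""
        self.recent.append(now)
        if len(self.half_open) >= self.max_high or self._rate(now) >= self.minute_high:
            self.clamping = True   # a high watermark is reached: start clamping
        if self.clamping and self.half_open:
            # Make room for the new request by deleting the oldest half-open session
            # (assumed oldest-first, one per new request).
            self.deleted.append(self.half_open.popleft())
        self.half_open.append(session_id)
        self._maybe_stop(now)

    def complete(self, session_id, now):
        """Handshake finished (or the session timed out): it is no longer half-open."""
        try:
            self.half_open.remove(session_id)
        except ValueError:
            pass   # already deleted by clamping
        self._maybe_stop(now)


def run_events(clamp, events):
    """Replay ("syn"|"done", session_id, seconds) events on `clamp`.

    Returns (half-open count, total deleted by clamping, clamping still active)."""
    for kind, sid, t in events:
        if kind == "syn":
            clamp.syn(sid, t)
        else:
            clamp.complete(sid, t)
    return len(clamp.half_open), len(clamp.deleted), clamp.clamping


def syn_flood(n, spacing=0.0):
    """Constructed sample input: n requests that never complete, `spacing` seconds apart."""
    return [("syn", f"s{i}", i * spacing) for i in range(n)]


if __name__ == "__main__":
    # The page's settings: max-incomplete low 900 / high 1100 (one-minute left effectively off).
    clamp = HalfOpenClamp(max_high=1100, max_low=900, minute_high=10**9, minute_low=10**9)
    print(run_events(clamp, syn_flood(1200)))                              # (1100, 100, True)
    # Legitimate completions bring the count under the low mark and end clamping.
    print(run_events(clamp, [("done", f"s{i}", 0.0) for i in range(100, 400)]))  # (800, 100, False)
```

With the page's 900/1100 settings a flood of 1200 requests that never complete leaves 1100 half-open entries, 100 deleted, and clamping still active; only once completions bring the count under 900 does clamping end. With small one-minute thresholds (for instance high 5, low 3) the same model shows the sliding window: eight attempts within one second switch clamping on, and a further attempt a minute later, when the window has emptied, switches it off again.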
Setup a CBAC.
Define the protocols which the CBAC applies to.
Example
> en
# config t
(config)# ip inspect name cisco ?
cuseeme
CUSeeMe Protocol
fragment
IP fragment inspection
ftp
File Transfer Protocol
h323
H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http
HTTP Protocol
netshow
Microsoft NetShow Protocol
rcmd
R commands (r-exec, r-login, r-sh)
realaudio
Real Audio Protocol
rpc
Remote Prodedure Call Protocol
rtsp
Real Time Streaming Protocol
smtp
Simple Mail Transfer Protocol
sqlnet
SQL Net Protocol
streamworks StreamWorks Protocol
tcp
Transmission Control Protocol
tftp
TFTP Protocol
udp
User Datagram Protocol
vdolive
VDOLive Protocol
(config)# ip inspect name cisco icmp ?
alert
Turn on/off alert
audit-trail Turn on/off audit trail
timeout
Specify the inactivity timeout time
<cr>
(config)# ip inspect name cisco icmp timeout ?
<5-43200> Timeout in seconds
(config)# ip inspect name cisco icmp timeout 10
(config)# ip inspect name cisco http ?
alert
Turn on/off alert
audit-trail Turn on/off audit trail
java-list
Specify a standard access-list to apply the Java blocking. If
specified, MUST appear directly after option "http"
timeout
Specify the inactivity timeout time
urlfilter
Specify URL filtering for HTTP traffic
<cr>
(config)# ip inspect nam cisco http alert ?
off Turn off alert
on
Turn on alert
(config)# ip inspect nam cisco http alert off
(config)# ip inspect name cisco ftp ?
alert
Turn on/off alert
audit-trail
timeout
<cr>
Example
> en
# config t
Switch(config)# spanning-tree ?
backbonefast  Enable BackboneFast Feature
etherchannel  Spanning tree etherchannel specific configuration
extend        Spanning Tree 802.1t extensions
loopguard     Spanning tree loopguard options
mode          Spanning tree operating mode
mst           Multiple spanning tree configuration
pathcost      Spanning tree pathcost options
portfast      Spanning tree portfast options
uplinkfast    Enable UplinkFast Feature
vlan          VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
bpdufilter  Enable portfast bdpu filter on this switch
bpduguard   Enable portfast bpdu guard on this switch
default     Enable portfast by default on all access ports
Example
> en
# config t
Switch(config)# ip dhcp ?
conflict
database
excluded-address
limited-broadcast-address
ping
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
snooping
DHCP Snooping
Switch(config)# ip dhcp snooping ?
information DHCP Snooping information
vlan
DHCP Snooping vlan
<cr>
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan ?
<1-4094> DHCP Snooping vlan first number
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# ip dhcp ?
snooping DHCP Snooping
Switch(config-if)# ip dhcp snooping ?
limit DHCP Snooping limit
trust DHCP Snooping trust config
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit ?
rate DHCP Snooping limit
Switch(config-if)# ip dhcp snooping limit rate ?
<1-4294967294> DHCP snooping rate limit
Switch(config-if)# ip dhcp snooping limit rate 30
Example
pixfirewall(config)# ftp-map ftpm
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
mask-syst-reply Mask reply to syst command
no
Negate a command or set its defaults
request-command FTP request command inspection
pixfirewall(config-ftp-map)# mask- ?
ftp-map mode commands/options:
<cr>
pixfirewall(config-ftp-map)# re ?
ftp-map mode commands/options:
deny Specify FTP request commands to block
pixfirewall(config-ftp-map)# re den ?
ftp-map mode commands/options:
appe Append to a file
cdup Change to parent of current directory
dele Delete a file at server site
get
FTP client command for the retr command - retrieve a file
help Help information from server
mkd
Create a directory
put
FTP client command for the stor command - store a file
rmd
Remove a directory
rnfr Rename from
rnto Rename to
site Specify server specific command
stou Store a file with a unique name
pixfirewall(config-ftp-map)# exit
pixfirewall(config)# mgcp-map mmap
pixfirewall(config-mgcp-map)# ?
mgcp-map configuration commands:
call-agent
Add a Call-Agent
command-queue Configure Command Queue
gateway
Add a Gateway
help
Help for mgcp-map configuration commands
no
Negate or set default values of a command
pixfirewall(config-mgcp-map)# call ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# gat ?
mgcp-map mode commands/options:
A.B.C.D IP address
PIX/ASA Test
End of unit test
Take the on-line test, go to:
http://networksims.com/e_ns.html
Key facts
Not available in this version.
Network Security 1
End of unit test
20 Cisco Academy Network Security 2
Example
> en
# config t
# copy tftp://10.0.0.1/new.sdf flash:new.sdf
(config)# config t
(config)# ip ips ?
deny-action Specify Deny action
fail
Specify what to do during any failures
name
Specify an IPS rule
notify
Specify the notification mechanisms (SDEE, nr-director or log)
for the alarms
sdf
Specify the location of the signature definition file
signature
Add a policy to a signature
(config)# ip ips na ?
WORD Name of IPS rule
(config)# ip ips na TEST ?
list Specify an access list to match
<cr>
(config)# ip ips name TEST
(config)# ip ips sd ?
builtin
Use the built in signature definition file
location Location of the signature definition file
(config)# ip ips sdf location ?
WORD
trap
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed            (severity=1)
critical           Critical conditions                (severity=2)
debugging          Debugging messages                 (severity=7)
emergencies        System is unusable                 (severity=0)
errors             Error conditions                   (severity=3)
informational      Informational messages             (severity=6)
notifications      Normal but significant conditions  (severity=5)
warnings           Warning conditions                 (severity=4)
xml                Enable logging in XML to XML logging buffer
<cr>
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
In this case the logging of traps will be sent to the Syslog server.
Outline
This challenge involves the configuration of IDS signatures.
Objectives
The objectives of this challenge are to:
Example
myPIX # config t
myPIX (config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip
SYNTAX:
<poolname>
<ip1>-[<ip2>]
<netmask>
<if_name>
info
attack
alarm
drop
reset
<audit_name>
<sig_number>
see also:
myPIX (config)# ip audit
myPIX (config)# ip audit
myPIX (config)# ip audit
myPIX (config)# ip audit
myPIX (config)# ip audit
myPIX (config)# ip audit
Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des
Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication method for protection suite
default
Set a command to its defaults
encryption
Set encryption algorithm for protection suite
exit
Exit from ISAKMP protection suite configuration mode
group
Set the Diffie-Hellman group
hash
Set hash algorithm for protection suite
lifetime
Set lifetime for ISAKMP security association
no
Negate a command or set its defaults
(config-isakmp)# en ?
3des Three key triple DES
aes
AES - Advanced Encryption Standard.
des
DES - Data Encryption Standard (56 bit keys).
(config-isakmp)# encryption des
(config-isakmp)# hash ?
md5 Message Digest 5
sha Secure Hash Standard
(config-isakmp)# hash sha
(config-isakmp)# authentication ?
pre-share Pre-Shared Key
rsa-encr
Rivest-Shamir-Adleman Encryption
rsa-sig
Rivest-Shamir-Adleman Signature
(config-isakmp)# authentication pre-share
(config-isakmp)# g ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# ?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption
(config-crypto-map)# match ?
  address  Match address of packets to encrypt.
(config-crypto-map)# match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
(config-crypto-map)# match address 109
(config-crypto-map)# set ?
  identity              Identity restriction.
  isakmp-profile        Specify isakmp Profile
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# s t ?
  WORD  Proposal tag
# show crypto isakmp sa
dst             src             state          conn-id slot status
144.55.62.1     192.168.1.1     QM_IDLE              1    0 ACTIVE
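The policy built above uses DES, SHA-1, a pre-shared key of `test`, Diffie-Hellman group 1 and an `esp-des` transform set with no integrity transform, even though the same `?` listings offer 3DES, AES and group 5 on this box. An added example (not from the original page and not NetworkSims code): a Python script that parses the ISAKMP policies, transform sets and pre-shared keys out of a configuration and flags each weak choice, beside a constructed hardened configuration that produces no findings. The two sample configurations, the rating thresholds and the minimum key length are this example's own assumptions; DH group 14 does not appear in the listing above and needs a later IOS release than the one shown on this page.

```python
import re
from collections import OrderedDict

# Constructed sample: the ISAKMP/IPsec commands from the example above, written the way
# they appear in a running configuration (policy sub-commands indented by one space).
WEAK_SAMPLE = """\
hostname newhampshire
crypto isakmp enable
crypto isakmp policy 111
 encryption des
 hash sha
 authentication pre-share
 group 1
crypto isakmp key test address 192.168.1.1
crypto ipsec transform-set finland esp-des
crypto map manchester 10 ipsec-isakmp
 set peer 144.55.62.1
 set transform-set finland
 match address 109
"""

# Constructed counterpart using the strongest options the same commands accept on a later
# IOS release (the listing above only offers DH groups 1, 2 and 5; group 14 needs newer IOS).
HARDENED_SAMPLE = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key 0 Yq7!vN3#pLx9wRt2$Bz5 address 192.168.1.1
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
"""

# Rating thresholds are this example's own assumptions, not a Cisco or NetworkSims rule.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LENGTH = 16

# IOS 12.4 ISAKMP defaults; a running configuration omits lines that still hold these values.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}


def parse_isakmp_policies(config):
    """Return {priority: {setting: value}} for each 'crypto isakmp policy' block."""
    policies = OrderedDict()
    current = None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
        elif raw.startswith(" ") and current is not None:
            key, _, value = raw.strip().partition(" ")
            current[key] = value
        elif raw.strip():
            current = None  # any other top-level line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: [transform, ...]} for each 'crypto ipsec transform-set' line."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def parse_pre_shared_keys(config):
    """Return [(key, peer)] from 'crypto isakmp key [0|6] KEY address PEER' lines."""
    return re.findall(r"^crypto isakmp key (?:[06] )?(\S+) address (\S+)", config, re.M)


def audit(config):
    """Return one finding string per weak IKE/IPsec setting found in the configuration."""
    findings = []
    for prio, policy in parse_isakmp_policies(config).items():
        if policy["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: encryption {policy['encryption']} (use aes 256)")
        if policy["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: hash {policy['hash']} (use sha)")
        if policy["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: group {policy['group']} (use group 14 or higher)")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} (use esp-aes 256 esp-sha-hmac)")
        if not any(t.endswith("-hmac") for t in transforms):
            findings.append(f"transform-set {name}: no integrity transform (add esp-sha-hmac)")
    for key, peer in parse_pre_shared_keys(config):
        if len(key) < MIN_PSK_LENGTH:
            findings.append(f"isakmp key for {peer}: {len(key)}-character pre-shared key "
                            f"(assumed minimum {MIN_PSK_LENGTH})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"[{label}] {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it as a script to print the findings for both samples, or pass the text of `show running-config` to `audit()`. The defaults filled in by `ISAKMP_DEFAULTS` matter because the 12.4 release shown on this page omits default lines from the running configuration, so a policy that displays only `authentication pre-share` is still a DES, SHA-1, group 1 policy.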
Example
> en
# config t
(config)# hostname london
london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in
Objectives
The objectives of this challenge are to:
Define ISAKMP.
Define ISAKMP policy.
Enable ISAKMP on an interface.
Example
pixfirewall(config)# isakmp
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>
isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [noconfig-mode]
isakmp enable <if_name>
isakmp identity <address|hostname|key-id> [<key-id-string>]
isakmp keepalive <seconds> [<retry seconds>]
isakmp nat-traversal [<natkeepalive>]
isakmp client configuration address-pool local <poolname> [<pif_name>]
isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
pixfirewall(config)# help isakmp
USAGE:
isakmp am-disable
isakmp ipsec-over-tcp [port <port1>..<port10>]
isakmp disconnect-notify
(DEPRECATED) isakmp key <keystring> address <peer-address> [netmask <mask>]
[no-xauth] [no-config-mode]
isakmp enable <if_name>
isakmp identity {auto|address|hostname|key_id <key_id_str>}
(DEPRECATED) isakmp keepalive <threshold> [<retry-interval>]
isakmp nat-traversal [<natkeepalive>]
(DEPRECATED) isakmp client configuration address-pool local <pool-name>
[<if_name>]
(DEPRECATED) isakmp peer fqdn | ip <fqdn | ip> {no-xauth | no-mode-cfg}
isakmp policy <priority> authen {<pre-share|rsa-sig|dsa-sig>}
isakmp policy <priority> encrypt {<des|3des|aes|aes-192|aes-256>}
isakmp policy <priority> group {<1|2|5|7>}
isakmp policy <priority> hash {<md5|sha>}
isakmp policy <priority> lifetime <seconds>
isakmp reload-wait
DESCRIPTION:
isakmp
SYNTAX:
am-disable
ipsec-over-tcp
port
<port1..port10>
disconnect-notify
key
Outline
This challenge involves the configuration of crypto details.
Objectives
The objectives of this challenge are to:
Enable IPSEC.
Define a crypto map.
Apply a crypto map.
Example
(config)# help sysopt
USAGE:
[no] sysopt connection { permit-ipsec | timewait | {tcpmss [minimum] <bytes>} }
[no] sysopt noproxyarp <if-name>
[no] sysopt nodnsalias { inbound | outbound }
[no] sysopt radius ignore-secret
[no] sysopt uauth allow-http-cache
show running-config [all] sysopt
clear configure sysopt
DESCRIPTION:
sysopt
SYNTAX:
connection permit-ipsec    - Exempt IPSec traffic from access check.
connection timewait        - TCP conn undergoes TIMEWAIT state.
connection tcpmss          - Set maximum limit of TCP MSS to <bytes>.
connection tcpmss minimum  - Set minimum limit of TCP MSS to <bytes>.
noproxyarp <if-name>       - Disable proxy arp on interface <if-name>.
nodnsalias inbound         - Disable alias inbound DNS A record translation.
nodnsalias outbound        - Disable alias outbound DNS A record translation.
radius ignore-secret       - Ignore secret in RADIUS accounting responses.
uauth allow-http-cache     - Allow browser to use cached user credentials.
see also: alias, ca, ipsec, isakmp, map, dynamic-map
(config)# sysopt connection permit-ipsec
(config)# help cry
USAGE:
crypto { ca | dynamic-map | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
DESCRIPTION:
crypto - Key Operations
SYNTAX:
ca
dynamic-map
ipsec
isakmp
key
map
Objectives
The objectives of this challenge are to:
Enable PPTP.
Define local pool.
Create VPDN group.
Enable VPDN on an interface.
Example
(config)# sysopt connection permit-pptp
(config)# help ip
USAGE:
SYNTAX:
<poolname>
<ip1>-[<ip2>]
<netmask>
<if_name>
info
attack
alarm
drop
reset
<audit_name>
<sig_number>
see also:
SYNTAX:
<address_pool_name>
<dns_ip>
<wins_ip>
<auth_aaa_group>
<acct_aaa_group>
<hello_time>
<if_name>
<name>
<passwd>
<tnl_id>
<sess_id>
<store-local>
see also:
Example
# config t
(config)# hostname test
test(config)# ip host FRED 1.2.3.4
test(config)# ip domain-name test.com
test(config)# crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  pki          Public Key components
  wui          Crypto HTTP configuration interfaces
  xauth        X-Auth parameters
test(config)# crypto ca ?
  authenticate  Get the CA certificate
  certificate   Actions on certificates
  crl           Actions on certificate revocation lists
  enroll        Request a certificate from a CA
  export        Export certificate or PKCS12 file
  import        Import certificate or PKCS12 file
  profile       Define a certificate profile
  trustpoint    Define a CA trustpoint
test(config)# cry ca t ?
WORD CA Server Name
test(config)# cry ca t ANY ?
<cr>
test (config)# crypto ca trustpoint testing
test(ca-trustpoint)# ?
CA Trust Point configuration commands:
  authorization     Authorization parameters.
  auto-enroll       Automatically enroll this router identity
  crl               CRL options
  default           Set a command to its defaults
  enrollment        Enrollment parameters
  exit              Exit from certificate authority trustpoint entry mode
  fqdn              include fully-qualified domain name
  ip-address        include ip address
  match             Match a certificate map
  no                Negate a command or set its defaults
  ocsp              OCSP parameters
  password          revocation password
  primary           Specify trustpoint as primary
  query             Query parameters
  regenerate        Regenerate keys on re-enrollment
  revocation-check  Revocation checking options
  root              Protocol to get CA certificate
  rsakeypair        Specify rsakeypair for this identity
  serial-number     include serial number
  show              Show this router trustpoint
  source            Specify source
  subject-name      Subject Name
  usage             Certificate Usage
  vrf               vrf to use for enrollment and obtaining CRLs
test(ca-trustpoint)# enrollment ?
  http-proxy  HTTP proxy server for enrollment
  mode        Mode supported by the Certificate Authority
  profile     Specify an profile for enrollment
  retry       Polling parameters
  terminal    Enroll via the terminal (cut-and-paste)
  url         CA server enrollment URL
test(ca-trustpoint)# enrollment url ?
  WORD     HTTP URL
  flash:   Enroll via flash: file system
  ftp:     Enroll via ftp: file system
  http:    Enroll via http: file system
  https:   Enroll via https: file system
  null:    Enroll via null: file system
  nvram:   Enroll via nvram: file system
  pem      Include PEM encapsulation boundaries
  rcp:     Enroll via rcp: file system
  scp:     Enroll via scp: file system
  system:  Enroll via system: file system
  tftp:    Enroll via tftp: file system
  <cr>
test(ca-trustpoint)# enrollment url http:/testing/1.dll
test(ca-trustpoint)# crl ?
  optional  Optional crl
  query     Query crl
test(ca-trustpoint)# crl optional
test(ca-trustpoint)# exit
test(config)# crypto ca authenticate ?
  WORD  CA Server Name
test(config)# crypto ca authenticate fred
test(config)# crypto ca enroll ?
  WORD  CA Server Name
  <cr>
test(config)# crypto ca enroll fred
Example
# config t
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  context           Create/Delete a context apart from default
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  location          Text for mib object sysLocation
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community popup ro
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server enable ?
  informs  Enable SNMP Informs
  traps    Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
(config)# access-list 10 permit 10.0.0.0 0.0.0.255
(config)# access-list 10 deny any
(config)# snmp-server com popup ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>
(config)# snmp-server community popup ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  <cr>
(config)# snmp-server community popup ro 10
Example
# config t
(config)# aaa new-model
(config)# aaa authentication login DEFAULT1 ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
(config)# aaa authentication login DEFAULT1 local
(config)# aaa authorization network DEFAULT2 ?
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).
(config)# aaa authorization network DEFAULT2 local
(config)# username fred password bert
(config)# ip local pool POOL1 10.0.0.1 10.0.0.254
(config)# crypto isakmp policy 5
(config-isakmp)# encryption des
(config-isakmp)# hash md5
(config-isakmp)# authentication pre-share
(config-isakmp)# group 2
(config-isakmp)# exit
The following details will be used by users for their VPN connection:
(config)# crypto isakmp client configuration group MYCONNECTION
(config-isakmp-group)# ?
ISAKMP group policy config commands:
  access-restrict    Restrict clients in this group to an interface
  acl                Specify split tunneling inclusion access-list number
  backup-gateway     Specify backup gateway
  dns                Specify DNS Addresses
  domain             Set default domain name to send to client
  firewall           Enforce group firewall feature
  group-lock         Enforce group lock feature
  include-local-lan  Enable Local LAN Access with no split tunnel
  key                pre-shared key/IKE password
  max-logins         Set maximum simultaneous logins for users in this group
  max-users          Set maximum number of users for this group
  netmask            netmask used by the client for local connectivity
  no                 Negate a command or set its defaults
  pfs                The client should propose PFS
  pool               Set name of address pool
  save-password      Allows remote client to save XAUTH password
  split-dns          DNS name to append for resolution
  wins               Specify WINS Addresses
  <cr>
(config-isakmp-group)# domain ?
WORD default domain name
(config-isakmp-group)# domain test.com
(config-isakmp-group)# key ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password
(config-isakmp-group)# key testing
(config-isakmp-group)# pool ?
WORD address pool name
(config-isakmp-group)# pool POOL1
(config-isakmp-group)# exit
The user, if successful, will then be allocated an address from the IP pool (POOL1).
Now we must define the IPSec transform to be used:
(config)# crypto ipsec transform-set MYSET esp-des
(cfg-crypto-trans)# ?
Crypto transform configuration commands:
  default  Set a command to its defaults
  exit     Exit from crypto transform configuration mode
  mode     encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults
(cfg-crypto-trans)# exit
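Several of the examples above leave a management-plane weakness in place that a review of the finished configuration should catch: the SNMP example begins with `snmp-server community popup ro` and only later binds the community to access-list 10; the AAA listing offers `none` as a login method; the local user is created with `username fred password bert`, which is stored reversibly; and the trustpoint example uses `crl optional`, which accepts a peer certificate even when the CRL cannot be retrieved. An added example (not from the original page and not NetworkSims code): a Python check that reads a configuration and reports each of these, beside a constructed hardened counterpart that produces no findings. The sample configurations, the well-known-community watch-list and the wording of the findings are this example's own assumptions.

```python
import re

# Constructed sample: lines taken from the SNMP, AAA and trustpoint examples above, plus two
# lines added here to exercise the checks (the CONSOLE login list and the 'private' community).
WEAK_SAMPLE = """\
aaa new-model
aaa authentication login DEFAULT1 local
aaa authentication login CONSOLE none
aaa authorization network DEFAULT2 local
username fred password bert
snmp-server community popup ro
snmp-server community popup ro 10
snmp-server community private rw 10
crypto ca trustpoint testing
 crl optional
"""

# Constructed hardened counterpart: no 'none' fallback, a hashed local credential, a read-only
# community bound to access-list 10, and CRL checking enforced instead of optional.
HARDENED_SAMPLE = """\
aaa new-model
aaa authentication login DEFAULT1 local
username fred secret Xk4!pw-Long-Enough-9
snmp-server community popup ro 10
crypto ca trustpoint testing
 revocation-check crl
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}  # assumed watch-list; extend as needed


def audit_management_plane(config):
    """Return one finding string per weak management-plane line in the configuration."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()

        # A login method list that ends in 'none' grants access when earlier methods fail.
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            if "none" in m.group(2).split():
                findings.append(f"login list {m.group(1)}: 'none' in the method list "
                                "allows unauthenticated access if earlier methods fail")
            continue

        # 'password' keeps a type 0 or type 7 value that can be recovered from the config.
        m = re.match(r"username (\S+) password ", line)
        if m:
            findings.append(f"username {m.group(1)}: 'password' stores a reversible "
                            "type 0/7 value; use 'secret'")
            continue

        # Community strings: flag well-known names, read-write access and a missing ACL.
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (ro|rw)(?: (\S+))?$", line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"snmp community {name}: well-known community string")
            if mode == "rw":
                findings.append(f"snmp community {name}: read-write access")
            if acl is None:
                findings.append(f"snmp community {name}: no access-list, answers any source")
            continue

        # 'crl optional' disables the revocation check whenever the CRL is unavailable.
        if line == "crl optional":
            findings.append("trustpoint: 'crl optional' accepts a certificate even when "
                            "the CRL cannot be retrieved")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"[{label}] {len(audit_management_plane(cfg))} finding(s)")
        for finding in audit_management_plane(cfg):
            print("  -", finding)
```

The checks are line-local on purpose: each of these weaknesses is visible on a single line of `show running-config`, so the script needs no block parsing and can be run against a saved configuration before it is loaded onto a device.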
21 Router Additional
Cisco Router Challenge 195
Outline
This challenge involves the configuration of SIP with a Cisco SIP Gateway FXO setup. Some
routers have Foreign Exchange Station (FXS) interfaces which can connect to a standard
telephone, fax machine, or similar device and thus must provide ringing, voltage supplies,
and a dial tone. Normally the FXS interface uses an RJ-11 connector to connect to telephone
equipment.
Objectives
The objectives of this challenge are to:
Outline
> enable
# sh version
# config t
(config)# sip-au
(config-sip-ua)# ?
(config-sip-ua)# exit
(config)# voice-port ?
(config)# voice-port 1/0/0
(config-voiceport)# ?
(config-voiceport)# description ?
(config-voiceport)# description testing
(config-voiceport)# input ?
(config-voiceport)# input gain ?
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
(config)# dial-peer voice ?
(config)# dial-peer voice 200 ?
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
(config-dial-peer)# exit
(config)# gateway
(config-gateway)# ?
Example
> enable
# sh version
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 11:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
2 Voice FXS interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x3162
# config t
(config)# sip-au
(config-sip-ua)# ?
SIP UA configuration commands:
  aaa                  sip-ua AAA related configuration
  authentication       Digest Authentication Configuration
  calling-info         Specify treatment of calling information
  default              Set a command to its defaults
  disable-early-media  Disable early-media cut through
  exit                 Exit from sip-ua configuration mode
  max-forwards         Change number of max-forwards for SIP Methods
  mwi-server           Configure a mwi Server
  nat                  Enable NAT(Network Address Traversal) settings for the SIP User Agent
  no                   Negate a command or set its defaults
  notify               SIP Signaling Notify Configuration
  offer                Configure settings for Offers made from the Gateway
  reason-header        Configure settings for supporting SIP Reason Header
  redirection          Enable call redirection (3xx) handling
  registrar            Configure SIP registrar VoIP Interface
  remote-party-id      Enable Remote-Party-ID support in SIP User Agent
  retry                Change default retries for each SIP Method
  set                  Sets the PSTN cause to SIP status code (and vice versa) and sets the PSTN cause to SIP requests
  sip-server           Configure a SIP Server Interface
  srv                  DNS SRV Query Type
  suspend-resume       Enable support for ISDN SUSPEND/RESUME
  timers               SIP Signaling Timers Configuration
  transport            Enable SIP UA transport for TCP/UDP
(config-sip-ua)# exit
(config)# voice-port ?
  <1-1>  Voice interface slot
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
  battery-reversal     Enable FXS battery-reversal generation
  bearer-cap           Specify the bear capability
  busyout              Configure busyout trigger event & procedure
  caller-id            Configure port caller id parameters
  comfort-noise        Use fill-silence option
  connection           Specify Trunking Parameters
  cptone               Configure voice call progress tone locale
  default              Set a command to its defaults
  description          Description of what this port is connected to
  disc_pi_off          close voice path when disconnect with PI received
  disconnect-ack       FXS sending disconnect acknowledge
  echo-cancel          Echo-cancellation option
  exit                 Exit from voice-port configuration mode
  impedance            Specifies the terminating impedance of the interface
  input                Configure input gain for voice
  music-threshold      Threshold for Music on Hold
  mwi                  Enable MWI on this port
  no                   Negate a command or set its defaults
  non-linear           Use non-linear processing during echo cancellation
  output               Configure output attenuation for voice
  playout-delay        Configure voice playout delay buffer
  ren                  Ringer Equivalence Number
  ring                 Ring frequency Parameters
  shutdown             Take voice-port offline
  signal               The signaling type for the interface FXS or FXO
  snmp                 Modify SNMP voice port parameters
  station-id           Configure station ID
  supervisory          Configure supervisory disconnect lcfo
  threshold            Threshold [noise] for voice port
  timeouts             Configure voice timeout parameters
  timing               Configure voice timing parameters
  translate            Translation rule
  translation-profile  Translation profile
  trunk-group          Configure interface to be in a trunk group
  voice-class          Set voiceport voice class control parameters
(config-voiceport)# description ?
  LINE  A string (up to 64 characters) describing the port connection (e.g. pbx1)
(config-voiceport)# description testing
(config-voiceport)# input ?
  gain  Configure gain in db for voice input
(config-voiceport)# input gain ?
  <-6 - 14>  gain in db
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
  alerting     Define caller id alerting method
  attenuation  Configure caller id tx attenuation
  block        Block the caller id of the calls made from this port
  enable       Enable caller id on this port
  format       Change caller id format
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
  cor         Class of Restriction
  hunt        Define the dial peer hunting choice
  outbound    Define the outbound options
  terminator  Define the address terminate character
  voice       Voice type
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
  translate-outgoing   Translation rule
  translation-profile  Translation profile
  trunk-group-label    Configure Trunk Group Label
  trunkgroup           trunk groups associated with this peer
  vad                  Use VoiceActivityDetection as necessary option
  voice                Configure GATEWAY dial-peer for voice services
  voice-class          Set Dial-peer voice class control parameters
(config-dial-peer)# exit
(config)# gateway
(config-gateway)# ?
GATEWAY configuration commands:
  default   Set a command to its defaults
  emulate   Gateway emulation configuration
  exit      Exit from gateway configuration mode
  no        Negate a command or set its defaults
  security  Gateway security configuration
  timer     Gateway-wide timers
Outline
> enable
# config t
(config)# int loopback 0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# dlsw remote 0 tcp 11.0.0.1
(config)# dlsw bridge 1
(config)# dlsw udp-disable
(config)# int fa0
(config-if)# bridge-group 1
(config-if)# exit
(config)# bridge 1 protocol ieee
Example
In the following case the local address is 10.0.0.1, and the remote address is 11.0.0.1.
> enable
# config t
(config)# int loopback 0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# dlsw ?
  allroute-netbios               Use All routes Broadcast for NETBIOS Explorers
  allroute-sna                   Use All routes Broadcast for SNA Explorers
  bgroup-list                    Configure a transparent bridge group list
  bridge-group                   DLSw interconnection to transparent bridging
  cache-ignore-netbios-datagram  Don't cache source mac/name of NetBIOS datagrams
  circuit-keepalives             Configure DLSw+ to generate periodic circuit keepalives
  disable                        Disable DLSw without altering the configuration
  explorerQ-depth                Configure depth of DLSw control queues
  fast-hpr-support               Enable fast-switched HPR transport
  group-cache                    Border Peer Caching Options
  history-log                    Configure DLSw Circuit-History Log Capability
  icannotreach                   Configure a resource not locally reachable by this router
  icanreach                      Configure resources locally reachable by this router
  llc2                           Dlsw llc2 options
  load-balance                   Configure load balancing
  local-peer                     Configure local peer
  mac-addr                       Configure a static MAC address - location or path
  max-multiple-rifs              Configure maximum multiple rifs per interface
  multicast                      Configure DLSw Multicast Capability
  netbios-cache-length           Configure NetBIOS name length
  netbios-keepalive-filter       Filter NetBIOS session alive packets
  netbios-name                   Configure a static NetBios name - location or path
  peer-log-changes               print logging message in router log ONLY for error events
  peer-on-demand-defaults        Change peer-on-demand defaults
  port-list                      Configure a port list
  prom-peer-defaults             Change prom-peer-defaults
  redundant-rings                Configure redundant ring-list
  remote-peer                    Configure a remote peer
  ring-list                      Configure a ring list
  rsvp                           Configure reservations using RSVP
  timer                          Configure DLSw timers
  tos                            Change IP Type Of Service precedence bits
  touch-timer                    Configure DLSw touch timers
  transparent                    Configure transparent media options
  udp-disable                    Disable DLSw UDP unicast feature
(config)# dl local-peer 10.0.0.1 ?
  biu-segment         XID3 max receivable i-field spoofing and BIU segmenting
  border              Capable of operating as a border peer
  cluster             Set cluster id for this router
  cost                Set peer cost advertised to remote peers
  group               Set the peer group number for this router
  init-pacing-window  Initial Pacing Window Size for this local peer
  keepalive           Set the default remote peer keepalive interval
  lf                  Local peer largest frame size
  max-pacing-window   Maximum Pacing Window Size for this local peer
  passive             This router will not initiate remote peer connections
  peer-id             local-peer IP address; required for TCP/FST and peer groups
  promiscuous         Accept connections from non-configured remote peers
  v2-single-tcp       use dlsw v2 single tcp peer bringup for all remote peers from this router
  vrf                 VRF in which dlsw local peer resides
  <cr>
(config)# dlsw remote 0 tcp 11.0.0.1 ?
  bytes-netbios-out
  circuit-weight
  cluster
  cost
  dest-mac
  dmac-output-list
  dynamic
  host-netbios-out
  keepalive
  lf
  lsap-output-list
  passive
  priority
  rif-passthru
  rsvp
  tcp-queue-max
  timeout
  v2-single-tcp
  <cr>
Outline
> enable
# config t
(config)# frame-relay switching
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# clock rate 56000
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route 100 interface s1 101
(config-if)# exit
(config)# int s1
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# clock rate 56000
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route 101 interface s0 100
In this case the S0 interface advertises a DLCI of 100, and S1 advertises a DLCI of 101; frames arriving on S0 with DLCI 100 are switched out of S1 as DLCI 101, and the reverse route carries the return traffic.
Example
> enable
# config t
(config)# frame-relay ?
  address    Address Registration with neighbor
  de-list    Build a classification list to be used in setting the DE bit
  switching  enable frame relay pvc switching
(config)# frame-relay switching
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# clock rate 56000
(config-if)# frame-relay ?
  accounting             Special accounting instruction
  address-reg            ELMI address registration
  broadcast-queue        Define a broadcast queue and transmit rate
  class                  Define a map class on the interface
  congestion-management  Enable Frame Relay congestion management
  de-group               Associate a DE group with a DLCI
  fragment               Enable end-to-end fragmentation for all PVCs
  fragmentation          Adaptive fragmentation
  ifmib-counter64        Support IF-MIB's total packet/byte counts of Counter64 on FR if/subif when main interface's ifSpeed < 20 Mbps
  interface-dlci         Define a DLCI on an interface/subinterface
  interface-queue        configure PVC interface queueing
  intf-type              Configure a FR DTE/DCE/NNI interface
  inverse-arp            Enable/disable FR inverse ARP
  ip                     Frame Relay Internet Protocol config commands
  lmi-n391dte            set full status polling counter
  lmi-n392dce            LMI error threshold
  lmi-n392dte            LMI error threshold
  lmi-n393dce            set LMI monitored event count
  lmi-n393dte            set LMI monitored event count
  lmi-t392dce            set DCE polling verification timer
  lmi-type               Use CISCO-ANSI-CCITT type LMI
  local-dlci             Set source DLCI when LMI is not supported
  map                    Map a protocol address to a DLCI address
  multicast-dlci         Set DLCI of a multicast group
  policing               Enable Frame Relay policing
  priority-dlci-group    Define a priority group of DLCIs
  qos-autosense          enable QOS autosense
  route                  frame relay route for pvc switching
  traffic-shaping        Enable Frame Relay Traffic Shaping
  traps-maximum          set max traps FR generates at link up or when getting LMI Full Status message
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route ?
<16-1007> input dlci to be switched
(config-if)# frame-relay route 100 ?
interface outgoing interface for pvc switching
(config-if)# frame-relay route 100 i ?
Serial Serial
(config-if)# frame-relay route 100 interface s1 ?
<16-1007> output dlci to use when switching
(config-if)# frame-relay route 100 interface s1 101
(config-if)# exit
(config)# exit
# show frame-relay pvc

PVC Statistics for interface Serial0 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0

DLCI = 100, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  Num Pkts Switched 0
  pvc create time 00:01:50, last time pvc status changed 00:01:50

PVC Statistics for interface Serial1 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0

DLCI = 101, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  Num Pkts Switched 0
  pvc create time 00:01:11, last time pvc status changed 00:01:11

# show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0         100             Serial1         101             active
Serial1         101             Serial0         100             active
Outline
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101
Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no frame-relay ?
  broadcast-queue      Define a broadcast queue and transmit rate
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  intf-type            Configure a FR DTE/DCE/NNI interface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  lmi-n391dte          set full status polling counter
  lmi-n392dce          LMI error threshold
  lmi-n392dte          LMI error threshold
  lmi-n393dce          set LMI monitored event count
  lmi-n393dte          set LMI monitored event count
  lmi-t392dce          set DCE polling verification timer
  lmi-type             Use CISCO-ANSI-CCITT type LMI
  local-dlci           Set source DLCI when LMI is not supported
  map                  Map a protocol address to a DLCI address
  multicast-dlci       Set DLCI of a multicast group
  priority-dlci-group  Define a priority group of DLCIs
  qos-autosense        enable QOS autosense
  route                frame relay route for pvc switching
  traffic-shaping      Enable Frame Relay Traffic Shaping
  traps-maximum        set max traps FR generates at link up or when getting LMI Full Status message
(config-if)# no frame-relay inverse-arp ?
  <cr>
  bridge    Bridging
  interval  Set inarp time interval on an interface
  ip        IP
  qllc      qllc protocol
(config-if)# no frame-relay inverse-arp
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 ?
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
(config)# int s0.100 point-to-point
(config-subif)# ?
Interface configuration commands:
  apollo          Apollo interface subcommands
  appletalk       Appletalk interface subcommands
  arp             Set arp type (arpa, probe, snap) or timeout
  backup          Modify backup parameters
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  clns            CLNS interface subcommands
  crypto          Encryption/Decryption commands
  decnet          Interface DECnet config commands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  dlsw            DLSw Interface Subcommands
  dspu            Down Stream PU
  dxi             ATM-DXI configuration commands
  exit            Exit from interface configuration mode
  frame-relay     Set frame relay parameters
  fras            DLC Switch Interface Command
  ip              Interface Internet Protocol config commands
  ipv6            IPv6 interface subcommands
  ipx             Novell/IPX interface subcommands
  isis            IS-IS commands
  iso-igrp        ISO-IGRP interface subcommands
  lat             LAT commands
  llc2            LLC2 Interface Subcommands
  map-group       Configure static map group
  mls             mls sub/interface commands
  mpls            Configure MPLS interface parameters
  mtu             Set the interface Maximum Transmission Unit (MTU)
  netbios         Use a defined NETBIOS access list or enable name-caching
  no              Negate a command or set its defaults
  ntp             Configure NTP
  pulse-time      Force DTR low during resets
  rate-limit      Rate Limit
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  smds            Modify SMDS parameters
  smrp            Simple Multicast Routing Protocol interface subcommands
  sna             SNA pu configuration
  snapshot        Configure snapshot support on the interface
  tag-switching   Tag Switching interface configuration commands
  tarp            TARP interface subcommands
  timeout         Define timeout values for this interface
  traffic-shape   Enable Traffic Shaping on an Interface or Sub-Interface
  vines           VINES interface subcommands
  xns             XNS interface subcommands
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay ?
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  map                  Map a protocol address to a DLCI address
  payload-compression  Use payload compression
  priority-dlci-group  Define a priority group of DLCIs
(config-subif)# frame-relay interface-dlci ?
  <16-1007>  Define a switched or locally terminated DLCI
(config-subif)# frame-relay interface-dlci 101
NetworkSims.com
1009
Outline
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101
(config-fr-dlci)# class voipmap
(config-fr-dlci)# vofr cisco
(config-fr-dlci)# exit
(config-if)# exit
(config)# map-class frame-relay voipmap
(config-map-class)# frame-relay fair-queue
(config-map-class)# frame-relay voice bandwidth 64000
(config-map-class)# frame-relay fragment
Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101
(config-fr-dlci)# ?
Outline
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no frame-relay inverse-arp
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 multipoint
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay map ip 10.1.1.1 100 broadcast
(config-subif)# frame-relay map ip 10.2.2.1 101 broadcast
(config-subif)# no ip split-horizon
Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 ?
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
(config)# int s0.100 multipoint
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay ?
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  map                  Map a protocol address to a DLCI address
  payload-compression  Use payload compression
  priority-dlci-group  Define a priority group of DLCIs
(config-subif)# frame-relay map ?
  apollo     Apollo Domain
  appletalk  AppleTalk
  bridge     Bridging
  bstun      Block Serial Tunnel
  clns       ISO CLNS
  decnet     DECnet
  dlsw       Data Link Switching
  ip         IP
  ipv6       IPV6
  ipx        Novell IPX
  llc2       llc2
  pppoe      PPP over Ethernet
  qllc       qllc protocol
  rsrb       Remote Source-Route Bridging
  stun       Serial Tunnel
  vines      Banyan VINES
  xns        Xerox Network Services
(config-subif)# frame-relay map ip ?
  A.B.C.D  Protocol specific address
(config-subif)# frame-relay map ip 10.1.1.1 ?
  <16-1007>  DLCI
(config-subif)# frame-relay map ip 10.1.1.1 ANY ?
  broadcast            Broadcasts should be forwarded to this address
  cisco                Use CISCO Encapsulation
  compress             Enable TCP/IP and RTP/IP header compression
  ietf                 Use RFC1490/RFC2427 Encapsulation
  nocompress           Do not compress TCP/IP headers
  payload-compression  Use payload compression
  rtp                  RTP header compression parameters
  tcp                  TCP header compression parameters
  <cr>
(config-subif)# frame-relay map ip 10.1.1.1 100 broadcast
(config-subif)# frame-relay map ip 10.2.2.1 101 broadcast
Router(config-subif)# no ?
  apollo                 Apollo interface subcommands
  appletalk              Appletalk interface subcommands
  arp                    Set arp type (arpa, probe, snap) or timeout
  backup                 Modify backup parameters
  bandwidth              Set bandwidth informational parameter
  bridge-group           Transparent bridging interface parameters
  cdp                    CDP interface subcommands
  clns                   CLNS interface subcommands
  crypto                 Encryption/Decryption commands
  decnet                 Interface DECnet config commands
  delay                  Specify interface throughput delay
  description            Interface specific description
  dlsw                   DLSw Interface Subcommands
  dspu                   Down Stream PU
  dxi                    ATM-DXI configuration commands
  frame-relay            Set frame relay parameters
  fras                   DLC Switch Interface Command
  ip                     Interface Internet Protocol config commands
  ipv6                   IPv6 interface subcommands
  ipx                    Novell/IPX interface subcommands
  isis                   IS-IS commands
  iso-igrp               ISO-IGRP interface subcommands
  lat                    LAT commands
  llc2                   LLC2 Interface Subcommands
  map-group              Configure static map group
  mls                    mls sub/interface commands
  mpls                   Configure MPLS interface parameters
  mtu                    Set the interface Maximum Transmission Unit (MTU)
  netbios                Use a defined NETBIOS access list or enable name-caching
  ntp                    Configure NTP
  pulse-time             Force DTR low during resets
  rate-limit             Rate Limit
  service-policy         Configure QoS Service Policy
  shutdown               Shutdown the selected interface
  smds                   Modify SMDS parameters
  smrp                   Simple Multicast Routing Protocol interface subcommands
  sna                    SNA pu configuration
  snapshot               Configure snapshot support on the interface
  tag-switching          Tag Switching interface configuration commands
  tarp                   TARP interface subcommands
  timeout                Define timeout values for this interface
  traffic-shape          Enable Traffic Shaping on an Interface or Sub-Interface
  vines                  VINES interface subcommands
  xns                    XNS interface subcommands
(config-subif)# no ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Fowarding interface commands
  cgmp                Enable/disable CGMP
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  mask-reply          Enable sending ICMP Mask Reply messages
  mobile              Mobile IP support
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  nat                 NAT interface commands
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  pgm                 PGM Reliable Transport Protocol
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip
  route-cache
  router
  rsvp
  sap
  security
  split-horizon
  summary-address
  unnumbered
  unreachables
  urd
  verify
  vrf
  wccp
(config-subif)# no ip split-horizon ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
  <cr>
(config-subif)# no ip split-horizon
In this case Inverse ARP is disabled, so frame-relay map statements are required to map each IP
address to its DLCI. It is good practice to disable Inverse ARP, so that the devices do not learn
incorrect mappings.
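The practice described above (static maps instead of dynamically learned DLCI-to-IP mappings) can be checked on a saved configuration. The following is an added example, not code from the NetworkSims page or from Cisco: it parses IOS-style `interface` blocks from a constructed running-config sample and reports Frame Relay interfaces where Inverse ARP is still enabled, plus multipoint subinterfaces that carry an IP address without any `frame-relay map`. Point-to-point subinterfaces are deliberately not flagged, since they get their DLCI from `frame-relay interface-dlci` and need no map.

```python
"""Audit an IOS running-config for Frame Relay interfaces that still rely on
Inverse ARP rather than static frame-relay map statements.

Added example (not from the NetworkSims page). SAMPLE_CONFIG is a constructed
configuration: Serial0 follows the outline in the text, Serial1 does not.
"""
import re

SAMPLE_CONFIG = """\
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0.100 multipoint
 ip address 10.0.0.1 255.255.255.0
 no ip split-horizon
 frame-relay map ip 10.1.1.1 100 broadcast
 frame-relay map ip 10.2.2.1 101 broadcast
!
interface Serial1
 no ip address
 encapsulation frame-relay
!
interface Serial1.200 multipoint
 ip address 10.3.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {name: {"mode": ..., "lines": [...]}} for every interface block.

    mode is 'point-to-point', 'multipoint' or '' (physical interface).
    Indented lines belong to the current block; '!' or any unindented line
    ends it."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)(?:\s+(point-to-point|multipoint))?", line)
        if m:
            current = m.group(1)
            blocks[current] = {"mode": m.group(2) or "", "lines": []}
        elif line.startswith(" ") and current is not None:
            blocks[current]["lines"].append(line.strip())
        else:
            current = None
    return blocks


def audit_frame_relay(config):
    """Return a list of (interface, finding) tuples, in config order."""
    blocks = parse_interfaces(config)
    findings = []
    fr_physical = set()

    # Pass 1: physical interfaces running Frame Relay encapsulation.
    for name, blk in blocks.items():
        if "." in name:
            continue
        if "encapsulation frame-relay" in blk["lines"]:
            fr_physical.add(name)
            if "no frame-relay inverse-arp" not in blk["lines"]:
                findings.append((name, "Inverse ARP still enabled: DLCI-to-IP "
                                       "mappings are learned from the cloud"))

    # Pass 2: multipoint subinterfaces of those interfaces need static maps.
    for name, blk in blocks.items():
        parent, dot, _ = name.partition(".")
        if not dot or parent not in fr_physical or blk["mode"] != "multipoint":
            continue
        has_ip = any(l.startswith("ip address ") for l in blk["lines"])
        has_map = any(l.startswith("frame-relay map ") for l in blk["lines"])
        if has_ip and not has_map:
            findings.append((name, "multipoint subinterface has an IP address "
                                   "but no static frame-relay map"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_frame_relay(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against the constructed sample it reports Serial1 (Inverse ARP left on) and Serial1.200 (no static map); Serial0 and its subinterface pass.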
Outline
> enable
# config t
(config)# int atm0
(config-if)# no ip address
(config-if)# no atm ilmi-keepalive
(config-if)# exit
(config)# int atm0.100
(config-subif)# ip address 10.1.1.1 255.255.255.0
(config-subif)# pvc 0/99
(config-if-atm-vc)# protocol ip 10.1.1.2 broadcast
(config-if-atm-vc)# encapsulation aal5snap
Example
(config)# int atm0
(config-if)# ?
Interface configuration commands:
  access-expression      Build a bridge boolean access expression
  apollo                 Apollo interface subcommands
  appletalk              Appletalk interface subcommands
  arp                    Set arp type (arpa, probe, snap) or timeout
  atm                    Modify ATM parameters
  backup                 Modify backup parameters
  bandwidth              Set bandwidth informational parameter
  bridge-group           Transparent bridging interface parameters
  carrier-delay          Specify delay for interface transitions
  cdp                    CDP interface subcommands
  class-int              Configure default vc-class name
  clns                   CLNS interface subcommands
  crypto                 Encryption/Decryption commands
  custom-queue-list      Assign a custom queue list to an interface
  decnet                 Interface DECnet config commands
  default                Set a command to its defaults
  delay                  Specify interface throughput delay
  description            Interface specific description
  dspu                   Down Stream PU
  exit                   Exit from interface configuration mode
  fair-queue             Enable Fair Queuing on an Interface
  fras                   DLC Switch Interface Command
  help                   Description of the interactive help system
  hold-queue             Set hold queue depth
  ip                     Interface Internet Protocol config commands
  ipv6                   IPv6 interface subcommands
  ipx                    Novell/IPX interface subcommands
  isis                   IS-IS commands
  iso-igrp               ISO-IGRP interface subcommands
  lan-name               LAN Name command
  lane                   Modify LANE parameters
  lat                    LAT commands
  llc2                   LLC2 Interface Subcommands
  load-interval          Specify interval for load calculation for an interface
  locaddr-priority       Assign a priority group
  logging                Configure logging for interface
  loopback               Configure internal loopback on an interface
  mac-address            Manually set interface MAC address
  map-group              Configure static map group
  max-reserved-bandwidth Maximum Reservable Bandwidth on an Interface
  mls                    mls sub/interface commands
  mpls                   Configure MPLS interface parameters
  mpoa                   MPOA interface configuration commands
  mtu                    Set the interface Maximum Transmission Unit (MTU)
  multilink-group        Put interface in a multilink bundle
  multiring              Enable RIF usage for a routable protocol
  netbios                Use a defined NETBIOS access list or enable name-caching
  no                     Negate a command or set its defaults
  ntp                    Configure NTP
  priority-group         Assign a priority group to an interface
  pvc                    Configure ATM PVC parameters
  random-detect          Enable Weighted Random Early Detection (WRED) on an Interface
  rate-limit             Rate Limit
  sap-priority           Assign a priority group
  service-policy         Configure QoS Service Policy
  shutdown               Shutdown the selected interface
  smrp                   Simple Multicast Routing Protocol interface subcommands
  sna                    SNA pu configuration
  snapshot               Configure snapshot support on the interface
  snmp
  source-bridge          Configure interface for source-route bridging
  squelch
  sscop                  SSCOP Interface Subcommands
  standby                Interface HSRP configuration commands
  svc                    Configure ATM SVC parameters
  tag-switching          Tag Switching interface configuration commands
  tarp                   TARP interface subcommands
  timeout                Define timeout values for this interface
  traffic-shape          Enable Traffic Shaping on an Interface or Sub-Interface
  transmit-interface
  vines                  VINES interface subcommands
  xns                    XNS interface subcommands
(config-if)# no ?
access-expression
apollo
appletalk
arp
atm
backup
bandwidth
bridge-group
carrier-delay
cdp
class-int
clns
crypto
custom-queue-list
decnet
delay
description
dspu
fair-queue
fras
hold-queue
ip
ipv6
ipx
isis
iso-igrp
lan-name
lane
lat
llc2
load-interval
locaddr-priority
logging
loopback
mac-address
map-group
max-reserved-bandwidth
mls
mpls
mpoa
mtu
multilink-group
multiring
netbios
ntp
priority-group
pvc
random-detect
rate-limit
sap-priority
service-policy
shutdown
smrp
sna
snapshot
snmp
source-bridge
squelch
sscop
standby
svc
tag-switching
tarp
timeout
traffic-shape
transmit-interface
vines
xns
(config-if)# no atm ?
  address-registration   Address Registration
  arp-server             Configure IP ARP Server
  auto-configuration     ATM interface auto configuration
  class                  Configure default map class name
  classic-ip-extensions  Specify the type of Classic IP extensions
  clock                  ATM TX clock source
  e164                   E164 Configuration
  esi-address            7-octet ATM ESI address
  idle-timeout           Set idle time before disconnecting a SVC
  ilmi-enable            ILMI Configuration
  ilmi-keepalive         Keepalive polling configuration
  ilmi-pvc-discovery     Enable ILMI PVC Discovery
  multicast              E.164 ATM SMDS address
  multipoint-interval    Set minimum interval between multipoint party additions
  multipoint-signalling  Multipoint Signalling
  nsap-address           20-octet ATM NSAP address
  oversubscribe          Allow oversubscription of ATM link
  pvc                    Create a PVC
  rate-queue             ATM Rate Queue
  smds-address           E.164 ATM SMDS address
  sonet                  ATM SONET mode
  uni-version            UNI Version
  vc-per-vp              ATM VCIs per VPI
(config-if)# no atm ilmi-keepalive ?
  <1-65535>  seconds
  <cr>
(config-if)# no atm ilmi-keepalive
(config-if)# no ip address ?
  A.B.C.D  IP address
  <cr>
(config-if)# no ip address
(config-if)# exit
(config)# int atm0.101 ?
  mpls            Treat as an MPLS link
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
  tag-switching   Treat as a tag switching link (obsolete, use mpls)
Router(config-subif)# ?
Interface configuration commands:
  apollo          Apollo interface subcommands
  appletalk       Appletalk interface subcommands
  arp             Set arp type (arpa, probe, snap) or timeout
  atm             Modify ATM parameters
  backup          Modify backup parameters
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  class-int       Configure default vc-class name
  clns            CLNS interface subcommands
  crypto          Encryption/Decryption commands
  decnet          Interface DECnet config commands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  dspu            Down Stream PU
  exit            Exit from interface configuration mode
  fras            DLC Switch Interface Command
  ip              Interface Internet Protocol config commands
  ipv6            IPv6 interface subcommands
  ipx             Novell/IPX interface subcommands
  isis            IS-IS commands
  iso-igrp        ISO-IGRP interface subcommands
  lane            Modify LANE parameters
  lat             LAT commands
  llc2            LLC2 Interface Subcommands
  map-group       Configure static map group
  mls             mls sub/interface commands
  mpls            Configure MPLS interface parameters
  mtu             Set the interface Maximum Transmission Unit (MTU)
  multiring       Enable RIF usage for a routable protocol
  netbios         Use a defined NETBIOS access list or enable name-caching
  no              Negate a command or set its defaults
  ntp             Configure NTP
  pvc             Configure ATM PVC parameters
  rate-limit      Rate Limit
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  smrp            Simple Multicast Routing Protocol interface subcommands
  sna             SNA pu configuration
  snapshot        Configure snapshot support on the interface
  source-bridge   Configure interface for source-route bridging
  sscop           SSCOP Interface Subcommands
  standby         Interface HSRP configuration commands
  svc             Configure ATM SVC parameters
  tag-switching   Tag Switching interface configuration commands
  tarp            TARP interface subcommands
  timeout         Define timeout values for this interface
  traffic-shape   Enable Traffic Shaping on an Interface or Sub-Interface
  vines           VINES interface subcommands
  xns             XNS interface subcommands
(config-if-atm-vc)# pro ip ?
  A.B.C.D  Protocol specific address
  inarp    Use inarp on this protocol
(config-if-atm-vc)# pro ip 10.1.1.2 ?
  broadcast  Pseudo-broadcast
  no         Prevent Pseudo-broadcast on this connection
  <cr>
(config-if-atm-vc)# protocol ip 10.1.1.2 broad ?
  <cr>
(config-if-atm-vc)# protocol ip 10.1.1.2 broad
(config-if-atm-vc)# encap ?
  aal5ciscoppp  Cisco PPP over AAL5 Encapsulation
  aal5mux       AAL5+MUX Encapsulation
  aal5nlpid     AAL5+NLPID Encapsulation
  aal5snap      AAL5+LLC/SNAP Encapsulation
(config-if-atm-vc)# encap aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
Router# sh atm ?
arp-server
class-links
ilmi-configuration
ilmi-status
interface
map
pvc
route
signalling
svc
traffic
vc
vp
# sh atm map
Map list ATM0.101pvc1 : PERMANENT
ip 1.1.1.1 maps to VC 1, VPI 0, VCI 99, ATM0.101, broadcast
# sh atm pvc
           VCD /                                      Peak  Avg/Min Burst
Interface  Name         VPI   VCI  Type   Encaps   SC   Kbps  Kbps    Cells  Sts
0.101
# sh atm tr
0 Input packets
0 Output packets
0 Broadcast packets
0 Packets received on non-existent VC
0 Packets attempted to send on non-existent VC
0 OAM cells received
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
0 OAM cells sent
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
0 OAM cell drops
# sh atm vc
VC not configured on interface ATM0
           VCD /                                      Peak  Avg/Min Burst
Interface  Name         VPI   VCI  Type   Encaps   SC   Kbps  Kbps    Cells  Sts
0.101      1            0     99   PVC    SNAP     UBR                       INAC
# sh atm vp
                Data  CES   Peak  CES
Interface  VPI  VCs   VCs   Kbps  Kbps  Status
Outline
(config)# int loopback 22
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# router rip
(config-router)# version 2
(config-router)# offset-list 1 out 14 fa0/1
(config-router)# network 60.0.0.0
(config-router)# network 172.0.0.0
(config-router)# exit
(config)# access-list 1 permit 60.1.1.0
Example
(config)# int loopback 22
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# router rip
(config-router)# version 2
(config-router)# offset-list ?
  <0-99>       Access list of networks to apply offset (0 selects all networks)
  <1300-1999>  Access list of networks to apply offset (expanded range)
  WORD         Access-list name
(config-router)# offset-list 1 ?
  in   Perform offset on incoming updates
  out  Perform offset on outgoing updates
Thus the next router will receive a hop metric of 14 for the loopback network, and any
further routers will receive a metric of 15, which defines it as unreachable.
Define E0.
Define the NAT conversion that detects a RIP multicast and converts it to a unicast
destination address.
Outline
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# ip nat outside source static udp 60.1.1.2 520 224.0.0.0 520
(config)# ip nat o s ?
  list       Specify access list describing global addresses
  route-map  Specify route-map
  static     Specify static global->local mapping
(config)# ip nat o s s ?
  A.B.C.D  Outside global IP address
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config)# ip nat o s s u ?
  A.B.C.D  Outside global IP address
(config)# ip nat o s s u 60.1.1.2 ?
  <1-65535>  Global UDP/TCP port
(config)# ip nat o s s u 60.1.1.2 520 ?
  A.B.C.D  Outside local IP address
(config)# ip nat o s s u 60.1.1.2 520 60.1.1.2 ?
  <1-65535>  Local UDP/TCP port
(config)# ip nat o s s u 60.1.1.2 520 60.1.1.2 520 ?
  add-route   Add a static route for outside local address
  extendable  Extend this translation when used
  no-alias    Do not create an alias for the local address
  <cr>
(config)# ip nat outside source static udp 60.1.1.2 520 224.0.0.0 520
Objectives
The objectives of this challenge are to:
Outline
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# ip address 60.1.1.2 255.255.255.0 secondary
(config-if)# exit
(config)# router rip
(config-router)# distribute-list 1 out e0
(config-router)# distribute-list 1 out s0
(config-router)# exit
(config)# access-list 1 deny 60.60.60.0
(config)# access-list 1 permit any
In this case there will be no routing tables sent to the 60.60.60.0 network.
Background
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# ip address 60.1.1.2 255.255.255.0 secondary
(config-if)# exit
(config)# router rip
(config-router)# distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
(config-router)# distribute-list 1 ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates
(config-router)# distribute-list 1 out ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  <cr>
(config-router)# distribute-list 1 out e0
Outline
(config)# int e0
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop
(config-if)# exit
(config)# access-list rate-limit 20 mask A2
Background
(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL abolute timer
  rate-limit        Simple rate-limit specific access list
(config)# access-list rate-limit ?
  <1-99>     Precedence ACL index
  <100-199>  MAC address ACL index
(config)# access-list rate-limit 20 ?
  <0-7>  Precedence
  mask   Use precedence bitmask
(config)# access-list rate-limit 20 mask ?
  <0-FF>  Precedence bit mask
(config)# access-list rate-limit 20 mask A2 ?
  <cr>
(config)# access-list rate-limit 20 mask A2
(config)# int e0
(config-if)# rate-limit ?
  input   Rate limit on input
  output  Rate limit on output
(config-if)# rate-limit in ?
  <8000-2000000000>  Bits per second
  access-group       Match access list
  qos-group          Match qos-group ID
(config-if)# rate-limit input access-group ?
  <1-2699>    Access list index
  rate-limit  Match rate-limit access list
(config-if)# rate-limit input access-group rate-limit ?
  <1-199>  Rate-limit access list index
(config-if)# rate-limit input access-group rate-limit 20 ?
  <8000-2000000000>  Bits per second
(config-if)# rate-limit input access-group rate-limit 20 8000 ?
  <1000-512000000>  Normal burst bytes
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 ?
  <2000-1024000000>  Maximum burst bytes
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 ?
  conform-action  action when rate not exceeded
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform ?
  continue           scan other rate limits
  drop               drop packet
  set-prec-continue  rewrite packet precedence, scan other rate limits
  set-prec-transmit  rewrite packet precedence and send it
  set-qos-continue   set qos-group, scan other rate limits
  set-qos-transmit   set qos-group and send it
  transmit           transmit packet
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit ?
  exceed-action  action when rate exceeded
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action ?
  continue           scan other rate limits
  drop               drop packet
  set-prec-continue  rewrite packet precedence, scan other rate limits
  set-prec-transmit  rewrite packet precedence and send it
  set-qos-continue   set qos-group, scan other rate limits
  set-qos-transmit   set qos-group and send it
  transmit           transmit packet
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop ?
  <cr>
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop
Precedence  Bit mask
1           0000 0010
2           0000 0100
3           0000 1000
4           0001 0000
5           0010 0000
6           0100 0000
7           1000 0000
Thus to use one ACL to catch IP precedence values of 1, 5 and 7, the values are added
together:
1           0000 0010
5           0010 0000
7           1000 0000
            ---------
            1010 0010
Thus the mask, in hex, will be A2 (1010 0010).
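The derivation above is mechanical enough to automate and to run in reverse when reading an existing `access-list rate-limit ... mask` line. The following is an added example (not from the NetworkSims page): bit p of the mask stands for IP precedence p, so the mask is the OR of `1 << p` over the wanted precedences, and a mask is decoded by testing each of the eight bits.

```python
"""Build and decode the precedence bitmask used by
'access-list rate-limit <n> mask <hex>'.

Added example, not from the NetworkSims page. Bit p of the one-byte mask
selects IP precedence p (0-7), exactly as in the addition table above.
"""


def precedence_mask(precedences):
    """Return the two-digit hex mask (as IOS expects, e.g. 'A2') that
    matches every precedence value in `precedences`."""
    mask = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError(f"IP precedence must be 0-7, got {p}")
        mask |= 1 << p
    return f"{mask:02X}"


def precedences_from_mask(mask_hex):
    """Inverse operation: list the precedence values a mask catches."""
    mask = int(mask_hex, 16)
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must be a single byte (00-FF)")
    return [p for p in range(8) if mask & (1 << p)]


def derivation_table(precedences):
    """Render the binary addition table from the text: one row per
    precedence and a final row with the summed mask."""
    def nibbles(value):
        bits = f"{value:08b}"
        return f"{bits[:4]} {bits[4:]}"

    rows = [f"{p}  {nibbles(1 << p)}" for p in sorted(set(precedences))]
    total = int(precedence_mask(precedences), 16)
    rows.append(f"   {nibbles(total)}  = 0x{total:02X}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(derivation_table([1, 5, 7]))
    print("mask:", precedence_mask([1, 5, 7]))          # A2
    print("decoded:", precedences_from_mask("A2"))     # [1, 5, 7]
```

A mask of `FF` therefore matches every precedence, `01` matches only precedence 0 (routine traffic), and decoding a mask found in a running-config shows which precedence classes a rate limit actually polices.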
Define LAM.
Define redistribution of mobile subnets.
Outline
(config)# int e0
(config-if)# ip mobile arp
(config-if)# exit
(config)# int e1
(config-if)# ip mobile arp
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute mobile subnets
Background
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# ip mobile ?
  arp                    ARP discovery of mobile hosts
  foreign-service        Mobile IP foreign agent service
  prefix-length          Include Prefix-Length extension in advertisement
  registration-lifetime  Time until registration expires
  router-service         Mobile router support
(config-if)# ip mobile arp ?
  access-group  Access list of acceptable mobile hosts
  timers        Set keepalive and holdtime timers
  <cr>
(config-if)# ip mobile arp
(config-if)# int e1
(config-if)# ip address 10.0.1.1 255.255.255.0
(config-if)# ip mobile arp
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute ?
  bgp          Border Gateway Protocol (BGP)
  connected    Connected
  egp          Exterior Gateway Protocol (EGP)
  eigrp        Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp         Interior Gateway Routing Protocol (IGRP)
  isis         ISO IS-IS
  iso-igrp     IGRP for OSI networks
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  mobile       Mobile routes
  odr          On Demand stub Routes
  ospf         Open Shortest Path First (OSPF)
  rip          Routing Information Protocol (RIP)
  route-map    Route map reference
  static       Static routes
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile subnets ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
Define LAM.
Define redistribution of mobile subnets.
Outline
(config)# int e0
(config-if)# ip mobile arp access-group 20
(config-if)# exit
(config)# int e1
(config-if)# ip mobile arp access-group 20
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute mobile subnets
(config-router)# exit
(config)# access-list 20 permit 10.0.0.0 0.0.0.255
Background
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# ip mobile ?
  arp                    ARP discovery of mobile hosts
  foreign-service        Mobile IP foreign agent service
  prefix-length          Include Prefix-Length extension in advertisement
  registration-lifetime  Time until registration expires
  router-service         Mobile router support
(config-if)# ip mobile arp ?
  access-group  Access list of acceptable mobile hosts
  timers        Set keepalive and holdtime timers
  <cr>
(config-if)# ip mobile arp access-group ?
  <1-99>  IP standard access list
  WORD    Access-list name
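Both the `distribute-list 1 out` challenge earlier (access-list 1: deny 60.60.60.0, permit any) and the `ip mobile arp access-group 20` challenge here (access-list 20: permit 10.0.0.0 0.0.0.255) rest on the same mechanism: a standard IP access list evaluated top-down with wildcard masks and an implicit deny at the end. The following is an added example, not code from the NetworkSims page: it parses standard access-list lines, applies them to route prefixes the way a distribute-list does (the ACL is tested against the route's network address) and to host addresses the way the mobile-ARP access-group does. Note that an entry with no wildcard, such as `deny 60.60.60.0`, uses the IOS default wildcard 0.0.0.0 and therefore matches that exact address only.

```python
"""Standard IP access-list evaluation (wildcard masks, first match wins,
implicit deny), applied as a distribute-list and as a mobile-ARP filter.

Added example, not from the NetworkSims page. SAMPLE_ACL_LINES reproduces
the two access lists used in the text.
"""
import ipaddress

SAMPLE_ACL_LINES = [
    "access-list 1 deny 60.60.60.0",
    "access-list 1 permit any",
    "access-list 20 permit 10.0.0.0 0.0.0.255",
]


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny A.B.C.D [wildcard]' / 'any' lines.

    Returns {acl_number: [(action, network_int, wildcard_int), ...]} with the
    entries in the order they were entered."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action in: {line}")
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # IOS default when no wildcard is given: 0.0.0.0 (exact host match)
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls


def acl_permits(entries, address):
    """True if the first matching entry is a permit.

    A 1 bit in the wildcard means 'don't care', so the compare is done on the
    bits where the wildcard is 0. No match at all hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(address))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if addr & care == net & care:
            return action == "permit"
    return False


def routes_advertised(entries, routes):
    """distribute-list <acl> out: each route's network address is tested
    against the ACL; denied routes are left out of the outgoing update."""
    return [r for r in routes if acl_permits(entries, r.split("/")[0])]


def accepted_mobile_hosts(entries, hosts):
    """ip mobile arp access-group <acl>: only permitted source addresses are
    accepted as mobile hosts."""
    return [h for h in hosts if acl_permits(entries, h)]


if __name__ == "__main__":
    acls = parse_standard_acl(SAMPLE_ACL_LINES)
    print(routes_advertised(acls[1], ["60.1.1.0/24", "60.60.60.0/24", "172.16.0.0/16"]))
    print(accepted_mobile_hosts(acls[20], ["10.0.0.7", "10.0.1.7", "192.168.0.9"]))
```

With the page's lists, the distribute-list drops only the 60.60.60.0 route from RIP updates, and the mobile-ARP filter accepts hosts in 10.0.0.0/24 but rejects everything else, including 10.0.1.0/24 on E1.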
Define a priority-list.
Apply it on E0.
Define DLSW details.
Outline
(config)# int e0
(config-if)# priority-group 2
(config-if)# exit
(config)# priority-list 2 protocol dlsw medium
(config)# priority-list 2 protocol ip high
(config)# dlsw local-peer peer-id 192.168.0.2
(config)# dlsw remote-peer 0 tcp 192.168.0.1
(config)# dlsw bridge-group 1
(config)# dlsw udp-disable
Background
(config)# int e0
(config-if)# priority-group ?
  <1-16>  Priority group
(config-if)# priority-group 2
(config-if)# exit
(config)# priority-list ?
  <1-16>  Priority list number
(config)# priority-list 2 ?
  default      Set priority queue for unspecified datagrams
  interface    Establish priorities for packets from a named interface
  protocol     priority queueing by protocol
  queue-limit  Set queue limits for priority queue
(config)# priority-list 2 protocol ?
  aarp              AppleTalk ARP
  appletalk         AppleTalk
  arp               IP ARP
  bridge            Bridging
  bstun             Block Serial Tunnel
  cdp               Cisco Discovery Protocol
  clns              ISO CLNS
  clns_es           ISO CLNS End System
  clns_is           ISO CLNS Intermediate System
  cmns              ISO CMNS
  compressedtcp     Compressed TCP (VJ)
  decnet            DECnet
  decnet_node       DECnet Node
  decnet_router-l1  DECnet Router L1
  decnet_router-l2  DECnet Router L2
  dlsw              Data Link Switching (Direct encapsulation only)
  http              HTTP
  ip                IP
  ipv6              IPV6
  ipx               Novell IPX
  llc2              llc2
  pad               PAD links
  pppoe             PPP over Ethernet
  qllc              qllc protocol
  rsrb              Remote Source-Route Bridging
  snapshot          Snapshot routing support
  stun              Serial Tunnel
(config)# priority-list 2 p dl ?
  high
  medium
  normal
  low
(config)# priority-list 2 protocol dlsw medium
(config)# priority-list 2 protocol ip ?
  high
  medium
  normal
  low
(config)# priority-list 2 protocol ip high
(config)# dlsw ?
  allroute-netbios               Use All routes Broadcast for NETBIOS Explorers
  allroute-sna                   Use All routes Broadcast for SNA Explorers
  bgroup-list                    Configure a transparent bridge group list
  bridge-group                   DLSw interconnection to transparent bridging
  cache-ignore-netbios-datagram  Don't cache source mac/name of NetBIOS datagrams
  circuit-keepalives             Configure DLSw+ to generate periodic circuit keepalives
  disable                        Disable DLSw without altering the configuration
  explorerQ-depth                Configure depth of DLSw control queues
  fast-hpr-support               Enable fast-switched HPR transport
  group-cache                    Border Peer Caching Options
  history-log                    Configure DLSw Circuit-History Log Capability
  icannotreach                   Configure a resource not locally reachable by this router
  icanreach                      Configure resources locally reachable by this router
  llc2                           Dlsw llc2 options
  load-balance                   Configure load balancing
  local-peer                     Configure local peer
  mac-addr                       Configure a static MAC address - location or path
  max-multiple-rifs              Configure maximum multiple rifs per interface
  multicast                      Configure DLSw Multicast Capability
  netbios-cache-length           Configure NetBIOS name length
  netbios-keepalive-filter       Filter NetBIOS session alive packets
  netbios-name                   Configure a static NetBios name - location or path
  peer-log-changes               print logging message in router log ONLY for error events
  peer-on-demand-defaults        Change peer-on-demand defaults
  port-list                      Configure a port list
  prom-peer-defaults             Change prom-peer-defaults
  redundant-rings                Configure redundant ring-list
  remote-peer                    Configure a remote peer
  ring-list                      Configure a ring list
  rsvp                           Configure reservations using RSVP
  timer                          Configure DLSw timers
  tos                            Change IP Type Of Service precedence bits
  touch-timer                    Configure DLSw touch timers
  transparent                    Configure transparent media options
  udp-disable                    Disable DLSw UDP unicast feature
(config)# dlsw local-peer ?
  biu-segment         XID3 max receivable i-field spoofing and BIU segmenting
  border              Capable of operating as a border peer
  cluster             Set cluster id for this router
  cost                Set peer cost advertised to remote peers
  group               Set the peer group number for this router
  init-pacing-window  Initial Pacing Window Size for this local peer
  keepalive           Set the default remote peer keepalive interval
  lf                  Local peer largest frame size
  max-pacing-window   Maximum Pacing Window Size for this local peer
  passive             This router will not initiate remote peer connections
  peer-id             local-peer IP address; required for TCP/FST and peer groups
  promiscuous         Accept connections from non-configured remote peers
  v2-single-tcp       use dlsw v2 single tcp peer bringup for all remote peers from this router
  vrf                 VRF in which dlsw local peer resides
  <cr>
(config)# dlsw local-peer peer-id 192.168.0.2
(config)# dlsw remote-peer 0 ?
  frame-relay  Use Frame Relay for remote peer transport
  fst          Use fast sequence transport (FST) for remote peer transport
  interface    Use a direct interface for remote peer transport
  tcp          Use TCP for remote peer transport
(config)# dlsw remote-peer 0 tcp 192.168.0.1 ?
  keepalive         Set keepalive interval for this remote peer
  lf                Largest Frame Size for this Remote Peer
  lsap-output-list  Filter output IEEE 802.5 encapsulated packets
  passive           Local peer will not initiate this remote peer connection
  priority          Enable prioritization features for this remote peer
  rif-passthru      Use rif_passthru for this remote peer
  rsvp              Configure reservations using RSVP
  tcp-queue-max     Maximum output TCP queue size for this remote peer
  timeout           Set retransmission timeout value for this remote peer
  v2-single-tcp     use dlsw v2 single tcp peer bringup for this remote peer
  <cr>
(config)# dlsw remote-peer 0 tcp 192.168.0.1
(config)# dlsw bridge-group 1
(config)# dlsw udp-disable
Define a time-range.
Outline
(config)# time-range workingday
(config-time-range)# periodic weekday 5:00 to 9:00
(config-time-range)# periodic saturday 3:00 to 15:00
(config-time-range)# exit
(config)# access-list Columbia permit ip any any time-range workingday
Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# ?
Time range configuration commands:
absolute absolute time and date
exit
Exit from time-range configuration mode
help
Help for time-range configuration commands
no
Negate a command or set its defaults
periodic periodic time and date
NetworkSims.com
1035
(config-time-range)# ab ?
trange mode commands/options:
end
ending time and date
start starting time and date
(config-time-range)# periodic ?
trange mode commands/options:
Friday
Friday
Monday
Monday
Saturday
Saturday
Sunday
Sunday
Thursday
Thursday
Tuesday
Tuesday
Wednesday Wednesday
daily
Every day of the week
weekdays
Monday thru Friday
weekend
Saturday and Sunday
exec mode commands/options:
interval Performance monitoring interval in seconds
quiet
Turn on quiet mode for perfomance monitoring
settings View perfomance monitoring settings
verbose
Turn on verbose mode for perfomance monitoring
(config-time-range)# periodic weekday ?
trange mode commands/options:
hh:mm Starting time
(config-time-range)# periodic weekday 5:00 ?
trange mode commands/options:
to ending day and time
(config-time-range)# periodic weekday 5:00 to ?
trange mode commands/options:
hh:mm Ending time - stays valid until beginning of next minute
(config-time-range)# periodic weekday 5:00 to 9:00
(config-time-range)# exit
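An added example, not part of the NetworkSims.com material: a small evaluator for the `workingday` time-range configured above. It models the help text's rule that the ending time stays valid until the beginning of the next minute, and the IOS behaviour that an ACE whose time-range is inactive is skipped, so the implicit deny applies. The function names and the sample timestamps are assumptions of this example.

```python
import re
from datetime import datetime

# Day keywords exactly as `periodic ?` lists them; values use datetime.weekday() numbering
DAY_GROUPS = {"daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}}
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_TOKENS = {**DAY_GROUPS, **{name: {i} for i, name in enumerate(DAY_NAMES)}}
HHMM = re.compile(r"^(\d{1,2}):(\d{2})$")


def resolve_day(token):
    """Expand an IOS-style unique prefix ('weekday', 'sat') to a set of weekday numbers."""
    matches = [key for key in DAY_TOKENS if key.startswith(token.lower())]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown day keyword: {token!r}")
    return set(DAY_TOKENS[matches[0]])


def to_minutes(token):
    """'5:00' -> 300 (minute of day)."""
    m = HHMM.match(token)
    if not m or int(m.group(1)) > 23 or int(m.group(2)) > 59:
        raise ValueError(f"bad hh:mm value: {token!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_periodic(line):
    """Parse 'periodic <day...> hh:mm to hh:mm' into (days, start_min, end_min).
    Assumption: the optional end-day form of the command is not used here."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "periodic" or tokens[-2] != "to":
        raise ValueError(f"not a periodic entry: {line!r}")
    days = set()
    for tok in tokens[1:-3]:
        days |= resolve_day(tok)
    start, end = to_minutes(tokens[-3]), to_minutes(tokens[-1])
    if end < start:
        raise ValueError(f"end before start: {line!r}")
    return days, start, end


def parse_stamp(stamp):
    """Constructed timestamps for the demo, 'YYYY-MM-DD HH:MM[:SS]'."""
    fmt = "%Y-%m-%d %H:%M:%S" if stamp.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(stamp, fmt)


def range_active(entries, when):
    """True if any periodic entry covers `when`. The end minute itself still counts
    because, per the help text, the ending time stays valid until the next minute."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute <= end
               for days, start, end in entries)


def ace_action(entries, when):
    """Outcome of 'permit ip any any time-range workingday' as the only ACE:
    while the range is inactive the ACE is skipped, so the implicit deny applies."""
    return "permit" if range_active(entries, when) else "deny"


# The two entries configured in the example above
WORKINGDAY = [parse_periodic("periodic weekday 5:00 to 9:00"),
              parse_periodic("periodic saturday 3:00 to 15:00")]

if __name__ == "__main__":
    for stamp in ("2024-03-06 07:30", "2024-03-06 09:00:59",
                  "2024-03-06 09:01", "2024-03-09 10:00", "2024-03-10 10:00"):
        when = parse_stamp(stamp)
        print(f"{stamp} ({when:%A}): {ace_action(WORKINGDAY, when)}")
```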
Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp 10 authentication text testing
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip 192.168.0.2
Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp ?
<0-1023> Group number
(config-if)# glbp 10 ?
authentication Authentication method
forwarder
Forwarder configuration
ip
Enable group and set virtual IP address
load-balancing Load balancing method
name
Redundancy name
preempt
Overthrow lower priority designated routers
priority
Priority level
timers
Adjust GLBP timers
weighting
Gateway weighting and tracking
(config-if)# glbp 10 authentication ?
md5
MD5 authentication
text Plain text authentication
(config-if)# glbp 10 authentication text ?
WORD Text authentication string
(config-if)# glbp 10 authentication text testing
(config-if)# gl 10 forwarder ?
preempt Overthrow lower priority active forwarders
(config-if)# gl 10 forwarder preempt ?
delay Wait before preempting
<cr>
(config-if)# gl 10 forwarder preempt delay ?
minimum Delay at least this long
(config-if) glbp 10 forwarder preempt delay minimum ?
<0-3600> Number of seconds for minimum delay
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing ?
host-dependent Load balance equally, source MAC determines forwarder choice
round-robin
Load balance equally using each forwarder in turn
weighted
Load balance in proportion to forwarder weighting
(config-if)# glbp 10 load-balancing host-dependent
route for network traffic from a failed router or circuit. This challenge involves the
configuration of VRRP.
Objectives
The objectives of this challenge are to:
Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2
Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2
22 Switch Additional
Cisco Switch Challenge 127
Outline
This challenge involves setting up CNS.
Objectives
The objectives of this challenge are to:
Enable CNS.
Example
> en
# config t
(config)# cn ?
config
Configuration Agent
event
Event Agent
exec
Exec Agent
id
Get CNS ID for CNS agents
trusted-server Trusted Server Configuration
(config)# cn ev ?
WORD Hostname or ip address of event gateway
(config)# cn ev 10.0.0.1 ?
<0-65535>
Event Gateway port number, default is 11011
backup
Event Agent backup gateway
encrypt
Enable Event Agent encryption
failover-time Seconds to wait for route to Primary after we already have
route to backup
keepalive
Keepalive timeout retry_count
source
bind socket to a source ip
<cr>
(config)# cn ev 10.0.0.1 k ?
<0-65535> timeout in seconds , default is 0
(config)# cn ev 10.0.0.1 k 120 ?
<0-65535> retry count , default is 0
(config)# cn ev 10.0.0.1 k 120 10 ?
failover-time Seconds to wait for route to Primary after we already have
route to backup
<cr>
Enable Web-cache.
Example
> en
Switch# config t
Switch(config)# ip wccp ?
web-cache Standard web caching service
Switch(config) # ip wccp web-cache ?
password Authentication password (key)
<cr>
Switch(config)# ip wccp web-cache
Switch(config)# interface fastethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# interface fastethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp ?
web-cache Standard web caching service
Switch(config-if)# ip wccp web-cache ?
redirect Set packet redirection options for the service
Switch(config-if)# ip wccp web-cache redirect ?
in Redirect to a Cache Engine appropriate inbound packets
Switch(config-if)# ip wccp web-cache redirect in ?
<cr>
Switch(config-if)# ip wccp web-cache redirect in
Explanation
The Web Cache Communication Protocol (WCCP) is used to configure the switch to
redirect traffic to cache engines, which transparently store frequently accessed
content and then deliver the cached version to the clients. WCCP is enabled on the
switch with:
Switch(config)# ip wccp web-cache
In this example the Web cache is connected to FA0/1, and web accesses are directed to this
port.
Outline
This challenge involves setting up MSDP.
Objectives
The objectives of this challenge are to:
Enable MSDP.
Example
> en
Switch# config t
Switch(config)# ip msdp ?
cache-rejected-sa Store rejected SAs from all peers
cache-sa-state
Configure this system to cache SA state
default-peer
Default MSDP peer to accept SA messages from
description
Peer specific description
filter-sa-request Filter SA-Requests from peer
keepalive
Configure keepalive parameters for a peer
mesh-group
Configure an MSDP mesh-group
originator-id
Configure MSDP Originator ID
peer
Configure an MSDP peer
redistribute
Inject multicast route entries into MSDP
sa-filter
Filter SA messages from peer
sa-limit
Configure SA limit for a peer
shutdown
Administratively shutdown MSDP peer
timer
MSDP timer
ttl-threshold
Configure TTL Thresold for MSDP Peer
Switch(config)# ip msdp cache-sa-state ?
<cr>
Switch(config)# ip msdp cache-sa-state
Switch(config)# ip msdp filter-sa ?
Hostname or A.B.C.D Peer name or address
Switch(config)# ip msdp filter-sa 1.2.3.4 ?
list Access-list
<cr>
Switch(config)# ip msdp filter-sa 1.2.3.4
Objectives
The objectives of this challenge are to:
Define VLANs.
Setup MVR
Example
> enable
# config t
(config)# vlan 1
(config-vlan)# ?
VLAN configuration commands:
are
Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf
Backup CRF mode of the VLAN
bridge
Bridging characteristics of the VLAN
exit
Apply changes, bump revision number, and exit mode
media
Media type of the VLAN
mtu
VLAN Maximum Transmission Unit
name
Ascii name of the VLAN
no
Negate a command or set its defaults
parent
ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span
Configure as Remote SPAN VLAN
ring
Ring number of FDDI or Token Ring type VLANs
said
IEEE 802.10 SAID
shutdown
Shutdown VLAN switching
state
Operational state of the VLAN
ste
Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp
Spanning tree characteristics of the VLAN
tb-vlan1
ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2
ID number of the second translational VLAN for this VLAN (or
zero if none)
(config-vlan)# name ?
WORD The ascii name for the VLAN
(config-vlan)# name edinburgh
(config-vlan)# no ?
are
Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf
Backup CRF mode of the VLAN
bridge
Bridging characteristics of the VLAN
exit
Apply changes, bump revision number, and exit mode
media
Media type of the VLAN
mtu
VLAN Maximum Transmission Unit
name
Ascii name of the VLAN
parent
ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span
Configure as Remote SPAN VLAN
ring
Ring number of FDDI or Token Ring type VLANs
said
IEEE 802.10 SAID
shutdown
Shutdown VLAN switching
state
Operational state of the VLAN
ste
Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp
tb-vlan1
(config)# mvr
(config)# mvr group ?
A.B.C.D IP multicast address
(config)# mvr group 224.1.23.4
(config)# mvr querytime ?
<1-100> time value in units of 1/10 seconds
(config)# mvr querytime 5
(config)# mvr vlan ?
<1-4094> MVR Multicast VLAN id
(config)# mvr vlan 12
(config)# mv m ?
compatible Compatible Mode
dynamic
Dynamic Mode
<cr>
(config)# mvr mode dynamic
Define a bridge-group.
Apply it to FA0/2
Example
> enable
# config t
Switch(config)# bridge ?
<1-255>
crb
irb
mac-address-table
Switch(config)# bridge 10 ?
acquire
address
aging-time
bitswap-layer3-addresses
bridge
circuit-group
domain
forward-time
hello-time
lat-service-filtering
max-age
BPDUs
priority
protocol
route
subscriber-loop-control
Configure subscriber loop control
port interface in this bridge group
block-unknown-source
block traffic which come from unknown source MAC
address
input-pattern-list
Filter input with a pattern list
output-pattern-list
Filter output with a pattern list
path-cost
Set interface path cost
priority
Set interface priority
source-learning
learn source MAC address
spanning-disabled
Disable spanning tree on a bridge group
unicast-flooding
flood packets with unknown unicast destination MAC
addresses
Switch(config-if)# bridge-group 10
Switch(config-if)# bridge-group 10 path-cost ?
<0-65535> Path cost (higher values are higher costs)
Switch(config-if)# bridge-group 10 path-cost 10
Switch(config-if)# bridge-group 10 spanning-disable
Example
> enable
# config t
(config)# service ?
compress-config
config
dhcp
disable-ip-fast-frag
exec-callback
exec-wait
finger
hide-telnet-addresses
linenumber
nagle
old-slip-prompts
pad
password-encryption
prompt
pt-vty-logging
sequence-numbers
slave-log
tcp-keepalives-in
tcp-keepalives-out
tcp-small-servers
telnet-zeroidle
timestamps
udp-small-servers
MAC address notification allows MAC address activity to be tracked through SNMP, using
a trap that sends information to an SNMP server when there is activity. The trap interval
defines how often the updates are sent to the SNMP server, which can reduce
network traffic when there is a great deal of MAC address activity.
Objectives
The objectives of this challenge are to:
Example
# config t
(config)# mac add ?
aging-time
Set MAC address table entry maximum age
notification Enable/Disable MAC Notification on the switch
static
static keyword
(config)# mac add s ?
H.H.H 48 bit mac address
(config)# mac add s 1.1.1 ?
vlan VLAN keyword
(config)# mac add s 1.1.1 v ?
<1-4094> VLAN id of mac address table
(config)# mac add s 1.1.1 v 1 ?
drop
drop frames
interface interface
Switch(config)# mac add s 1.1.1 v 1 interface ?
FastEthernet
FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel
Ethernet Channel of interfaces
(config)# mac address-table static 1.1.1 vlan 1 interface fa0/1
(config)# mac address-table static 1.1.2 vlan 1 interface fa0/2
# sh mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0012.00b0.2780    STATIC      CPU
 All    0012.00b0.2781    STATIC      CPU
 All    0012.00b0.2782    STATIC      CPU
 All    0012.00b0.2783    STATIC      CPU
 All    0012.00b0.2784    STATIC      CPU
 All    0012.00b0.2785    STATIC      CPU
 All    0012.00b0.2786    STATIC      CPU
 All    0012.00b0.2787    STATIC      CPU
 All    0012.00b0.2788    STATIC      CPU
 All    0012.00b0.2789    STATIC      CPU
 All    0012.00b0.278a    STATIC      CPU
 All    0012.00b0.278b    STATIC      CPU
 All    0012.00b0.278c    STATIC      CPU
 All    0012.00b0.278d    STATIC      CPU
 All    0012.00b0.278e    STATIC      CPU
 All    0012.00b0.278f    STATIC      CPU
 All    0012.00b0.2790    STATIC      CPU
 All    0012.00b0.2791    STATIC      CPU
 All    0012.00b0.2792    STATIC      CPU
 All    0012.00b0.2793    STATIC      CPU
 All    0012.00b0.2794    STATIC      CPU
 All    0012.00b0.2795    STATIC      CPU
 All    0012.00b0.2796    STATIC      CPU
 All    0012.00b0.2797    STATIC      CPU
 All    0012.00b0.2798    STATIC      CPU
 All    0012.00b0.2799    STATIC      CPU
 All    0012.00b0.279a    STATIC      CPU
 All    0100.0c00.0000    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccd.cdce    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
Total Mac Addresses for this criterion: 48
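An added example, not NetworkSims.com material: the kinds of change a MAC address notification trap reports (a MAC learned, removed, or moved to another port), worked out offline by parsing two `show mac address-table` snapshots in the layout shown above. The two snapshots and the function names are constructed for this example.

```python
import re

# Row layout of `show mac address-table` as shown above: Vlan, Mac Address, Type, Ports
ROW_RE = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
TOTAL_RE = re.compile(r"^Total Mac Addresses for this criterion:\s*(\d+)")


def parse_mac_table(text):
    """Return {(vlan, mac): (type, port)}; the Total line must agree with the row count."""
    entries, total = {}, None
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            total = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries[(vlan, mac.lower())] = (kind.upper(), port)
    if total is not None and total != len(entries):
        raise ValueError(f"table reports {total} entries but {len(entries)} rows were parsed")
    return entries


def diff_mac_tables(before, after):
    """Classify changes the way a MAC notification trap would report them:
    learned (new), removed (aged out or cleared) and moved (same VLAN+MAC, new port).
    Every value is a sorted list so the result is stable."""
    learned = sorted(key for key in after if key not in before)
    removed = sorted(key for key in before if key not in after)
    moved = sorted((key, before[key][1], after[key][1]) for key in after
                   if key in before and before[key][1] != after[key][1])
    return {"learned": learned, "removed": removed, "moved": moved}


# Constructed snapshots in the layout of the output above (not captured from a device)
BEFORE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0012.00b0.2780    STATIC      Fa0/1
   1    001b.2c3d.4e5f    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 3
"""

AFTER = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0012.00b0.2780    STATIC      Fa0/1
   1    001b.2c3d.4e5f    DYNAMIC     Fa0/3
   1    0050.5601.0203    DYNAMIC     Fa0/4
Total Mac Addresses for this criterion: 4
"""

if __name__ == "__main__":
    changes = diff_mac_tables(parse_mac_table(BEFORE), parse_mac_table(AFTER))
    for kind, items in changes.items():
        for item in items:
            print(f"{kind}: {item}")
```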
Notes
# config t
(config)# ip sdr ?
cache-timeout Timeout period for entries
(config)#ip sdr cache-timeout ?
<1-4294967295> Timeout in minutes
(config)#ip sdr cache-timeout 10 ?
<cr>
(config)#ip sdr cache-timeout 10
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
ospf
OSPF interface commands
pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
sap
Session Advertisement Protocol interface commands
sdr
Session Directory Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip cgmp ?
proxy
CGMP for hosts and proxy for multicast routers
router-only CGMP proxy for multicast routers only
<cr>
(config-if)# ip cgmp
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip cgmp proxy
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip cgmp router-only
23 CCVP (Voice)
Cisco CCVP Test 1
Introduction to Voice Technologies
The most up-to-date version of this test is at:
http://networksims.com/v01.html
Commands
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1
Example
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulation ppp
(config-if)# ppp ?
accm
Set initial Async Control Character Map
acfc
Options for HDLC Address & Control Field Compression
authentication Set PPP link authentication method
bridge
Enable PPP bridge translation
chap
Set CHAP authentication parameters
ipcp
Set IPCP negotiation options
lcp
PPP LCP configuration
link
Set miscellaneous link parameters
max-bad-auth
Allow multiple authentication failures
multilink
Make interface multilink capable
pap
Set PAP authentication parameters
pfc
Options for Protocol Field Compression
quality
Set minimum Link Quality before link is down
reliable-link
Use LAPB with PPP to provide a reliable link
timeout
Set PPP timeout parameters
use-tacacs
Use TACACS to verify PPP authentications
(config-if)# ppp authentication ?
chap
Challenge Handshake Authentication Protocol (CHAP)
ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
pap
Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
  1200     2400     4800     9600     14400    19200    28800    32000
  38400    56000    57600    64000    72000    115200   125000   128000
  148000   192000   250000   256000   384000   500000   512000   768000
  800000   1000000  1300000  2000000  4000000  8000000
<300-4000000>   Choose clockrate from list above
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1
# sh running
Example
> enable
# config t
(config)# int s1
(config-if)# ip address 46.187.202.5 254.0.0.0
(config-if)# no shutdown
(config-if)# description academics
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# clock rate 56000
(config-if)# bandwidth 63
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1
# sh running
Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# exit
(config)# exit
# show voice port
# show voice dsp
Example
> enable
# sh version
Version
12.4(12),
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
2 Voice FXS interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x3162
# config t
(config)# voice-port ?
(config)# voice-port 1/0/0
(config-voiceport)# signal ?
groundStart Ground Start
loopStart
Loop Start
(config-voiceport)# signal groundstart
(config-voiceport)# cptone ?
locale    2 letter ISO-3166 country code
AR        Argentina
AU        Australia
AT        Austria
BE        Belgium
BR        Brazil
CA        Canada
CN        China
CO        Colombia
C1        Custom1
C2        Custom2
CY        Cyprus
CZ        Czech Republic
DK        Denmark
EG        Egypt
FI        Finland
FR        France
DE        Germany
GH        Ghana
GR        Greece
HK        Hong Kong
HU        Hungary
IS        Iceland
IN        India
ID        Indonesia
IE        Ireland
IL        Israel
IT        Italy
JP        Japan
JO        Jordan
KE        Kenya
KR        Korea Republic
LB        Lebanon
LU        Luxembourg
MY        Malaysia
MX        Mexico
NP        Nepal
NL        Netherlands
NZ        New Zealand
NG        Nigeria
NO        Norway
PK        Pakistan
PA        Panama
PE        Peru
PH        Philippines
PL        Poland
PT        Portugal
RU        Russian Federation
SA        Saudi Arabia
SG        Singapore
SK        Slovakia
SI        Slovenia
ZA        South Africa
ES        Spain
SE        Sweden
CH        Switzerland
TW        Taiwan
TH        Thailand
TR        Turkey
GB        United Kingdom
US        United States
VE        Venezuela
ZW        Zimbabwe
(config-voiceport)# cptone GB
(config-voiceport)# ring ?
cadence
Ringing cadence on/off durations
frequency The ring frequency to be used in the FXS interface
(config-voiceport)# ring cadence ?
RELEASE
define
pattern01
pattern02
pattern03
pattern04
pattern05
pattern06
pattern07
pattern08
pattern09
pattern10
pattern11
pattern12
Ring Frequency is 25 Hz
Hook Status is On Hook
Ring Active Status is inactive
Ring Ground Status is inactive
Tip Ground Status is active
Digit Duration Timing is set to 100 ms
InterDigit Duration Timing is set to 100 ms
Hookflash-in Timing is set to max=1000 ms, min=150 ms
Hookflash-out Timing is set to 400 ms
No disconnect acknowledge
Ring Cadence is defined by CPTone Selection
Ring Cadence are [20 40] * 100 msec
Ringer Equivalence Number is set to 1
Foreign Exchange Station 1/0/1 Slot is 1, Sub-unit is 0, Port is 1
Type of VoicePort is FXS
Operation State is DORMANT
Administrative State is UP
No Interface Down Failure
Description is not set
Noise Regeneration is enabled
Non Linear Processing is enabled
Non Linear Mute is disabled
Non Linear Mute is disabled
Non Linear Threshold is -21 dB
Music On Hold Threshold is Set to -38 dBm
In Gain is Set to 0 dB
Out Attenuation is Set to 3 dB
Echo Cancellation is enabled
Echo Cancellation NLP mute is disabled
Echo Cancellation NLP threshold is -21 dB
Echo Cancel Coverage is set to 8 ms
Echo Cancel worst case ERL is set to 6 dB
Playout-delay Mode is set to adaptive
Playout-delay Nominal is set to 60 ms
Playout-delay Maximum is set to 250 ms
Playout-delay Minimum mode is set to default, value 40 ms
Playout-delay Fax is set to 300 ms
Connection Mode is normal
Connection Number is not set
Initial Time Out is set to 10 s
Interdigit Time Out is set to 10 s
Call Disconnect Time Out is set to 60 s
Supervisory Disconnect Time Out is set to 750 ms
Ringing Time Out is set to 180 s
Wait Release Time Out is set to 30 s
Companding Type is u-law
Region Tone is set for US
Analog Info Follows:
Currently processing none
Maintenance Mode Set to None (not in mtc mode)
Number of signaling protocol errors are 0
Impedance is set to 600r Ohm
Station name None, Station number None
Translation profile (Incoming):
Translation profile (Outgoing):
Voice card specific Info Follows:
Signal Type is loopStart
Ring Frequency is 25 Hz
Hook Status is On Hook
Ring Active Status is inactive
                                                                 PAK   TX/RX
                                       RST AI VOICEPORT TS ABORT PACK COUNT
==== === == ======== ======= ===== ======= === == ========= == ===== ============
C542 001 01 None     4.4.21  IDLE  idle    0   0  1/0/0     NA 0     604/613
C542 002 01 None     4.4.21  IDLE  idle    0   0  1/0/1     NA 0     597/594
Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf
Example
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal
Enable FXS battery-reversal generation
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
caller-id
Configure port caller id parameters
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
disc_pi_off
close voice path when disconnect with PI received
disconnect-ack
FXS sending disconnect acknowledge
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
mwi
Enable MWI on this port
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
Configure output attenuation for voice
playout-delay
Configure voice playout delay buffer
ren
Ringer Equivalence Number
ring
Ring frequency Parameters
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure supervisory disconnect lcfo
threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# signal loopstart
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal
Enable FXO battery-reversal detection
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
dial-type
Configure type of dialer for voice
disc_pi_off
close voice path when disconnect with PI received
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
Configure output attenuation for voice
playout-delay
Configure voice playout delay buffer
pre-dial-delay
FXO Pre-dial Delay
ring
Number of rings
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure answer + disconnect supervision options
threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# ring ?
number Number of rings for the FXO interface
(config-voiceport)# ring number ?
<1-10> The number of rings detected before closing loop
(config-voiceport)# ring number 3
(config-voiceport)# dial ?
dtmf
touch-tone dialer
mf
mf-tone dialer
pulse pulse dialer
(config-voiceport)# dial-type dtmf
This answers on the third ring and uses a DTMF (touch-tone) dialer.
Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# timeout call-disconnect 10
(config-voiceport)# timeout initial 15
(config-voiceport)# timeout interdigit 20
(config-voiceport)# timeout ringing 60
Example
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# timeout ?
call-disconnect Call Disconnect Timeout after Destination Hangs Up in
seconds
hookflash-in
Define hookflash-in delay in milliseconds
initial
Initial Timeout duration in seconds
interdigit
Interdigit Timeout duration in seconds
power-denial
Duration for which power-denial is applied
ringing
Ringing no answer timeout duration in seconds
wait-release
Wait release timeout duration in seconds
(config-voiceport)# timeout call-disconnect ?
<0-120>
seconds
infinity infinite timeout
(config-voiceport)# timeout initial ?
<0-120> seconds
(config-voiceport)# timeout interdigit ?
<0-120> seconds
(config-voiceport)# timeout power-denial ?
<0-1500> milliseconds
(config-voiceport)# timeout ringing ?
<5-60000> seconds
infinity
infinite timeout
(config-voiceport)# timeout wait-release ?
<1-3600> seconds
infinity infinite timeout
(config-voiceport)# timeout call-disconnect 10
(config-voiceport)# timeout initial 15
(config-voiceport)# timeout interdigit 20
(config-voiceport)# timeout ringing 60
(config-voiceport)# timeout hookflash-in 500
This sets the ringing timeout to 60 seconds, which gives the user up to one minute to answer
the call. It also increases the interdigit timeout to 20 seconds, which again gives users a
maximum time between dialing digits of 20 seconds.
The hookflash is a brief interruption in the loop current when a trunk route starts, and is not
taken as a call disconnect. It is caused by momentarily pressing down the cradle on a
telephone. Also, some telephones reserve a button (such as 'recall') that sends a timed loop
break.
Outline
There are two main base TDM (Time Division Multiplexing) streams: E1 (mainly
used in Europe) and T1 (mainly used in the USA). These streams give 2.048Mbps (for E1,
with 32 channels) and 1.544Mbps (for T1, with 24 channels). This challenge involves defining
the parameters for a T1 connection.
Objectives
The objectives of this challenge are to:
Outline
> enable
# sh version
# config t
(config)# controller t1
(config-controller)# framing esf
(config-controller)# clock source line
(config-controller)# linecode b8zs
(config-controller)# ds0-group 1 timeslots 1-2 type e&m-wink-start
(config-controller)# pri-group timeslots 1-24
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig
Example
> enable
# sh version
# config t
(config)# controller t1
(config-controller)# ?
Controller configuration commands:
cablelength
Specify cable length for a DS1 link
cas-group
Configure the specified timeslots for CAS(Channel Associate Signals)
channel-group Specify timeslots to channel-group mapping for an interface
clock
Specify the clock source for a DS1 link
default
Set a command to its defaults
description
Controller specific description
ds0
ds0 commands
exit
Exit from controller configuration mode
fdl
Specify the FDL standard for a DS1 data link
framing
Specify the type of Framing on a DS1 link
help
Description of the interactive help system
linecode
Specify line encoding method for a DS1 link
loopback
Put the entire T1 line into loopback
no
Negate a command or set its defaults
pri-group
Configure specified timeslots for PRI
shutdown
Shut down a DS1 link (send Blue Alarm)
(config-controller)# framing esf
(config-controller)# clock source line
(config-controller)# linecode b8zs
(config-controller)# ds0-group 1 timeslots 1-2 type e&m-wink-start
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig
(config)# exit
# sh controller t1
T1 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Slot 4 CSU Serial #09480883 Model TEB HWVersion 6.00 RX level = 0DB
Configured clock mode swapped to Loop-timed by priority clocking!!
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
Outline
> enable
# sh version
# config t
(config)# controller e1
(config-controller)# framing esf
(config-controller)# clock source line
(config-controller)# linecode crc4
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig
Example
> enable
# sh version
# config t
(config)# controller e1
(config-controller)# framing crc4
(config-controller)# clock source line
(config-controller)# linecode hdb3
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig
(config)# exit
# show controllers e1
E1 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Version info of Slot 0: HW: 2, Firmware: 4, PLD Rev: 2
Manufacture Cookie is not programmed.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (251 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Outline
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf
(config-voiceport)# input gain 1
(config-voiceport)# impedance 600r
(config-voiceport)# output attenuation 0
Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf
(config-voiceport)# impedance ?
600r 600 Ohms real
(config-voiceport)# impedance 600r
(config-voiceport)# input ?
gain Configure gain in db for voice input
Router(config-voiceport)# input gain ?
<-6 - 14> gain in db
(config-voiceport)# input gain 1
(config-voiceport)# output ?
attenuation Amount of attenuation inserted at transmit side
of the interface
(config-voiceport)# output attenuation ?
<-6 - 14> attenuation in db
(config-voiceport)# output attenuation 0
(config-voiceport)# no ?
Voice-port configuration commands:
battery-reversal
Enable FXO battery-reversal detection
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
dial-type
Configure type of dialer for voice
disc_pi_off
close voice path when disconnect with PI received
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
playout-delay
pre-dial-delay
ring
shutdown
signal
snmp
station-id
supervisory
threshold
timeouts
timing
translate
translation-profile
trunk-group
voice-class
(config-voiceport)# no echo-cancel ?
coverage
Echo Cancel Coverage
enable
Echo Cancel Enable
suppressor Echo Suppressor
(config-voiceport)# no echo-cancel enable
POTS dial peers. These connect to a traditional phone network (POTS), such as a PBX or the
PSTN. The dial peers have a telephone number and a specific voice port on the edge
device.
VoIP dial peers. These connect to an IP network; the dial peers have a destination
address and a next-hop router. Normally the destination is defined as the loopback
address of the remote device.
Objectives
Outline
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12
In the first example the phone is on a POTS network, so when the phone dials extension
11 the call is sent to port 1/0/0 (where it should find the remote connection). In the second
example the phone connects to an IP network, so if it dials extension 22 the call is directed
to the IP address 88.10.11.12.
Example
> enable
# config t
(config)# dial-peer ?
cor
Class of Restriction
hunt
Define the dial peer hunting choice
outbound
Define the outbound options
terminator Define the address terminate character
voice
Voice type
(config)# dial-peer voice ?
<1-2147483647> Voice dial-peer tag
(config)# dial-peer voice 1 ?
mmoip Multi Media Over IP
pots
Telephony
voatm Voice over ATM
vofr
Voice over Frame Relay
voip
Voice over IP
(config)# dial-p voice 1 pots
(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
authentication
SIP Digest Authentication Configuration
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination
Outbound dial-peer match config
destination-pattern
A full E.164 telephone number prefix
digit-strip
direct-inward-dial
dnis-map
exit
fax
forward-digits
This challenge involves configuring a dial peer with a default destination pattern and
defining a preference for the dial peer.
Objectives
The objectives of this challenge are to:
Outline
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# preference 1
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.13
(config-dial-peer)# preference 2
The .T option matches at least one digit and is typically used as a default destination
pattern: this dial peer is taken only when none of the others match. With the preference
command the device picks the dial peer with the highest preference (the lowest preference
value) when more than one dial peer matches.
Example
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# prefe ?
<0-10> Preference order
(config-dial-peer)# preference 1
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.13
(config-dial-peer)# preference 2
Outline
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection plar 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12
In this example, when the telephone connected to voice port 1/0/0 is picked up, this router
(Remote Router) automatically generates the digits 22 for a dial-peer lookup. It then
matches these digits to dial-peer 2 and sends the call automatically to the destination
88.10.11.12 (the loopback address of the Central Router), where that device sends it to
the correct voice port:
                       | Remote |          | Central     |
Telephone --Voice1/0/0-| Router |----------| Router      |--- Telephone
(Ext. 11)              |10.0.0.1|          | 88.10.11.12 |    (Ext. 22)
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection ?
plar
Private Line Auto Ringdown
tie-line A tie line
trunk
A Straight Tie Line
(config-voiceport)# connection plar ?
WORD A string of digits including wild cards
tied dedicated tie to this number
(config-voiceport)# connection plar 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12
Outline
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection trunk 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12
In this example there is a direct connection from the phone to the destination, which
makes a connection back through dial-peer 1:
                       | Remote |          | Central     |
Telephone --Voice1/0/0-| Router |----------| Router      |--- Telephone
(Ext. 11)              |10.0.0.1|          | 88.10.11.12 |    (Ext. 22)
In this example, both dial-peers are required, one for the outbound connection (dial-peer 2),
and the other to map the connection back to the same port (dial-peer 1).
In this case the dial-peer on the other side (Central Router) will be:
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection trunk 11
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# session target ipv4:10.0.0.1
Example
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection ?
plar
Private Line Auto Ringdown
tie-line A tie line
trunk
A Straight Tie Line
(config-voiceport)# connection trunk ?
WORD A string of digits including wild cards
(config-voiceport)# conn tr 22 ?
answer-mode Slave mode trunking
retry-timer timer value for retry connetion
<cr>
(config-voiceport)# connection trunk 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12
Outline
This challenge involves the configuration of a tie-line route. A tie-line is often used to
assign a dedicated circuit between two PBXs. Here there is an IP network between the
PBX connections, so two remote sites with PBXs can be connected via a tie-line over an
IP network.
Objectives
The objectives of this challenge are to:
Define a POTs dial peer.
Define a VoIP dial peer.
Define a tie-line connection.
Outline
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection tie-line 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# session target ipv4:88.10.11.12
With a tie-line there is a direct connection between the two telephone systems. Any phone
in the 11.. extension range can connect directly to a phone on the 22.. telephone
system.
                       | Remote |          | Central     |
Telephone --Voice1/0/0-| Router |----------| Router      |--- Telephone
(Ext. 11..)            |10.0.0.1|          | 88.10.11.12 |    (Ext. 22..)
For example, if a user phones Ext 2211 from the 11.. network, the call is routed to the
22.. network; the same applies in the other direction, where a call from the 22.. network to
the 11.. network is routed to the 11.. telephone network. In this case the dial-peer on the
other side (Central Router) will be:
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection tie-line 11
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# session target ipv4:10.0.0.1
Example
> enable
# config t
(config)# voice 1/0/0
(config-voiceport)# connection tie-line 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# session target ipv4:88.10.11.12
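The dial-peer sections above (POTS versus VoIP peers, the .T default pattern with preference, PLAR, and the tie-line) all come down to one question: given a string of dialed digits, which dial peer does the gateway pick? The following Python model answers that for the peer tables on this page. It is an added example, not Cisco or NetworkSims code, and its selection rule is a simplified model of IOS behaviour: among matching peers the longest explicit match wins ('.' counts as one explicit digit, 'T' counts as nothing) and ties go to the lowest preference value (0 is the most preferred). Peer 4 in the default-destination table is constructed for the example; the other tables are the ones configured above.

```python
"""Model of outbound dial-peer selection on a Cisco IOS voice gateway.

Added example for the NetworkSims dial-peer sections; not Cisco or
NetworkSims code.  Selection rule (simplified model of IOS): longest explicit
match first ('.' counts as one digit, 'T' counts as nothing), then the lowest
preference value (range 0-10, 0 most preferred), then the lowest tag.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DialPeer:
    tag: int            # dial-peer voice <tag> ...
    kind: str           # "pots" or "voip"
    pattern: str        # destination-pattern, IOS syntax
    target: str         # "port 1/0/0" for pots, "ipv4:a.b.c.d" for voip
    preference: int = 0


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """'.' matches exactly one digit; 'T' matches zero or more further digits
    (variable length, ended by the interdigit timeout on the router), so the
    page's '.T' needs at least one digit."""
    parts = []
    for ch in pattern:
        if ch == ".":
            parts.append("[0-9]")
        elif ch == "T":
            parts.append("[0-9]*")
        elif ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
    return re.compile("^" + "".join(parts) + "$")


def explicit_length(pattern: str) -> int:
    """Number of digit positions the pattern pins down."""
    return sum(1 for ch in pattern if ch != "T")


def select_peer(peers: List[DialPeer], dialed: str) -> Optional[DialPeer]:
    """Peer the gateway would use for the dialed digits, or None."""
    matches = [p for p in peers if pattern_to_regex(p.pattern).match(dialed)]
    if not matches:
        return None
    return min(matches, key=lambda p: (-explicit_length(p.pattern), p.preference, p.tag))


def route(peers: List[DialPeer], dialed: str) -> Optional[Tuple[int, str]]:
    """(tag, target) of the chosen peer, or None when nothing matches."""
    peer = select_peer(peers, dialed)
    return None if peer is None else (peer.tag, peer.target)


def plar_offhook(peers: List[DialPeer], plar_digits: str) -> Optional[Tuple[int, str]]:
    """'connection plar 22': going off-hook dials the configured digits
    without the user pressing anything, then the normal lookup runs."""
    return route(peers, plar_digits)


# Remote Router, PLAR section (explicit two-digit extensions)
PLAR_PEERS = [
    DialPeer(1, "pots", "11", "port 1/0/0"),
    DialPeer(2, "voip", "22", "ipv4:88.10.11.12"),
]

# Remote Router, tie-line section (11.. local block, 22.. across the WAN)
TIE_LINE_PEERS = [
    DialPeer(1, "pots", "11..", "port 1/0/0"),
    DialPeer(2, "voip", "22..", "ipv4:88.10.11.12"),
]

# Default-destination section: '.T' carries anything the others do not, and
# the preference value decides between two catch-all peers.  Peer 4 is
# constructed for this example (the page configures peers 1, 2 and 3 only).
DEFAULT_PEERS = [
    DialPeer(1, "pots", "11", "port 1/0/0"),
    DialPeer(3, "voip", ".T", "ipv4:88.10.11.12", preference=1),
    DialPeer(2, "voip", "22", "ipv4:88.10.11.13", preference=2),
    DialPeer(4, "voip", ".T", "ipv4:88.10.11.13", preference=2),  # constructed
]


if __name__ == "__main__":
    print(route(TIE_LINE_PEERS, "2211"))    # (2, 'ipv4:88.10.11.12')
    print(route(TIE_LINE_PEERS, "22"))      # None: '22..' needs four digits
    print(route(DEFAULT_PEERS, "22"))       # (2, 'ipv4:88.10.11.13'): '22' beats '.T'
    print(route(DEFAULT_PEERS, "5551234"))  # (3, 'ipv4:88.10.11.12'): catch-all, preference 1
    print(plar_offhook(PLAR_PEERS, "22"))   # (2, 'ipv4:88.10.11.12')
```

Running a few dialed strings through a table like this before deploying it is worth the minute it takes: a .T catch-all peer carries every number that no more specific peer claims, so the check shows exactly which calls will leave through it.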
Define a translation-rule.
Apply translation-rule.
Outline
> enable
# config t
(config)# voice translation-rule 111
(cfg-translation-rule)# rule 1 /^666/ /444\1/
(cfg-translation-rule)# exit
(config)# dial-peer voice 10 pots
(config-dial-peer)# destination-pattern 99..
(config-dial-peer)# translate-outgoing called 111
(config-dial-peer)# forward-digits all
(config-dial-peer)# exit
(config)# voice translation-profile 111
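The translation-rule above, applied to a called number, as an added example that is not Cisco or NetworkSims code. It models a translation-rule as a numbered list of rules tried in index order, with the first matching rule applied, and a reject rule marking the call blocked (the help output above lists reject as the "Call block rule"). IOS writes capture groups in the match pattern as \( ... \) and refers to them as \1 in the replacement; the rule on the page uses \1 without defining a group, so the example gives it one, /^666\(.*\)/ /444\1/, which keeps the digits after 666. Rule 2 (blocking a 900 prefix) is constructed for the example.

```python
r"""Model of IOS voice translation-rule processing.

Added example for the NetworkSims translation-rule section; not Cisco or
NetworkSims code.  Assumptions: rules are tried in index order, the first
rule whose match pattern is found in the number is applied and processing
stops, and a 'reject' rule marks the call as blocked.  IOS groups are written
\( \) and referenced as \1; Python's re uses ( ) and the same \1.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    index: int                     # rule <1-15>
    match: str                     # IOS match pattern, without the slashes
    replace: Optional[str] = None  # None models 'rule N reject /match/'


def ios_regex(pattern: str) -> "re.Pattern":
    """Convert IOS group syntax \( \) to Python's ( ); ^ and $ are the same."""
    return re.compile(pattern.replace(r"\(", "(").replace(r"\)", ")"))


@dataclass
class TranslationRule:
    tag: int                              # voice translation-rule <tag>
    rules: List[Rule] = field(default_factory=list)

    def apply(self, number: str) -> Tuple[str, str]:
        """Return (resulting number, action); action is 'translated',
        'reject' or 'unchanged'."""
        for rule in sorted(self.rules, key=lambda r: r.index):
            rx = ios_regex(rule.match)
            if rx.search(number) is None:
                continue
            if rule.replace is None:
                return number, "reject"
            return rx.sub(rule.replace, number, count=1), "translated"
        return number, "unchanged"


# voice translation-rule 111 from the outline above, with a group added so
# that \1 has something to refer to, plus a constructed reject rule
RULE_111 = TranslationRule(111, [
    Rule(1, r"^666\(.*\)", r"444\1"),   # 666xxxx -> 444xxxx
    Rule(2, r"^900"),                   # constructed: block a 900 prefix
])

# voice translation-profile 111 / translate called 111, bound to the dial-peer
# with 'translate-outgoing called 111'; only the called number is translated
PROFILE_111 = {"called": RULE_111}


def translate_outgoing(profile: dict, called: str, calling: str) -> dict:
    """Apply the profile's called/calling rules as the dial-peer would on egress."""
    result = {"called": called, "calling": calling, "blocked": False}
    for leg in ("called", "calling"):
        if leg in profile:
            number, action = profile[leg].apply(result[leg])
            result[leg] = number
            if action == "reject":
                result["blocked"] = True
    return result


if __name__ == "__main__":
    print(translate_outgoing(PROFILE_111, "6661234", "5550100"))
    # {'called': '4441234', 'calling': '5550100', 'blocked': False}
    print(translate_outgoing(PROFILE_111, "9001234", "5550100"))
    # {'called': '9001234', 'calling': '5550100', 'blocked': True}
```

Because the first matching rule wins, the order of the rule indexes is part of the policy: a broad rewrite placed before a reject rule can change the number so that the reject never matches, which is why checking a rule set with representative numbers, as above, is worth doing before applying it to a dial-peer.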
Outline
> enable
# config t
(config)# voice ?
call
Voice call related configuration.
cause-code
Sets the internal Q850 cause code mapping
class
Control parameters class
disc-pi-incoming-on disconn with PI from incoming leg is maintained
dnis-map
Create or add to a dnis-map
dsp
DSP functions
enum-match-table
enum match table entry
hpi
Host port interface
hunt
Dialpeer hunt conditions.
iec
Configure Internal Error Code behavior
register
voice register commands
rtp
enable to open RTP in both directions.
service
Global packet telephony service commands
source-group
Source Group configuration commands
statistics
Voice Statistics
translation-profile Translation profile configuration commands
translation-rule
Translation Rule configuration commands
vad-time
Voice activity detection hangover period
(config)# voice translation-rule ?
<1-2147483647> Translation rule tag
(config)# voice translation-rule 111
(cfg-translation-rule)# ?
Translation rule configuration commands:
default Set a command to its defaults
exit
Exit from Translation rule configuration mode
help
Description of the interactive help system
no
Negate a command or set its defaults
rule
Translation rule
(cfg-translation-rule)# rule ?
<1-15> Translation rule tag
(cfg-translation-rule)# rule 1 ?
/WORD/ Matching pattern
reject Call block rule
(cfg-translation-rule)# rule 1 /^666/ ?
/WORD/ Replacement pattern
(cfg-translation-rule)# rule 1 /^666/ /444\1/ ?
plan Match and replace the number plan
type Match and replace the number type
<cr>
(cfg-translation-rule)# rule 1 /^666/ /444\1/
(cfg-translation-rule)# exit
(config)# dial-peer voice 10 pots
(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
authentication
SIP Digest Authentication Configuration
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination
Outbound dial-peer match config
destination-pattern
A full E.164 telephone number prefix
digit-strip
direct-inward-dial
dnis-map
exit
fax
forward-digits
translate
Example
> en
# config t
(config)# int e0
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
flow
NetFlow related commands
header-compression IPHC options
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
idle-group
Specify interesting packets for idle-timer
igmp
IGMP interface commands
information-reply
Enable sending ICMP Information Reply messages
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nbar
Network-Based Application Recognition
next-hop-self
Configures IP-EIGRP next-hop-self
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP Interface Commands
rtp
RTP parameters
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression and other parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip rtp ?
compression-connections Maximum number of compressed connections
header-compression
Enable RTP header compression
priority
Assign a priority queue for RTP streams
reserve
Assign a reserved queue for RTP streams
(config-if)# ip rtp header-compression
(config-if)# encapsulation ppp
(config-if)# ip rtp compression-connections ?
<3-1000> Number of connections
(config-if)# ip rtp compression-connections 20
This challenge involves compressing the RTP header on a Frame Relay connection.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:
Example
> en
# config t
(config)# int s0
(config-if)# encapsulate ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulate frame-relay
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000
115200
125000
128000
148000
192000
250000
256000
384000
500000
512000
768000
800000
1000000
1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 1200
(config-if)# frame-relay ?
accounting
Special accounting instruction
address-reg
ELMI address registration
broadcast-queue
Define a broadcast queue and transmit rate
class
Define a map class on the interface
congestion-management Enable Frame Relay congestion management
de-group
Associate a DE group with a DLCI
fragment
Enable end-to-end fragmentation for all PVCs
fragmentation
Adaptive fragmentation
ifmib-counter64
Support IF-MIB's total packet/byte counts of Counter64
on FR if/subif when main interface's ifSpeed < 20 Mbps
interface-dlci
Define a DLCI on an interface/subinterface
interface-queue
configure PVC interface queueing
intf-type
Configure a FR DTE/DCE/NNI interface
inverse-arp
Enable/disable FR inverse ARP
ip
Frame Relay Internet Protocol config commands
lmi-n391dte
set full status polling counter
lmi-n392dce
LMI error threshold
lmi-n392dte
LMI error threshold
lmi-n393dce
set LMI monitored event count
lmi-n393dte
set LMI monitored event count
lmi-t392dce
set DCE polling verification timer
lmi-type
Use CISCO-ANSI-CCITT type LMI
local-dlci
Set source DLCI when LMI is not supported
map
Map a protocol address to a DLCI address
multicast-dlci
Set DLCI of a multicast group
policing
Enable Frame Relay policing
priority-dlci-group
Define a priority group of DLCIs
qos-autosense
enable QOS autosense
route
frame relay route for pvc switching
traffic-shaping
Enable Frame Relay Traffic Shaping
traps-maximum
set max traps FR generates at link up or when getting
LMI Full Status message
(config-if)# frame-relay map ?
bridge Bridging
bstun
Block Serial Tunnel
dlsw
Data Link Switching (Direct encapsulation only)
ip
IP
ipv6
IPV6
llc2
llc2
pppoe
PPP over Ethernet
qllc
qllc protocol
rsrb
Remote Source-Route Bridging
stun
Serial Tunnel
(config-if)# frame-relay map ip ?
A.B.C.D Protocol specific address
(config-if)# frame-relay map ip 1.2.3.4 ?
<16-1007> DLCI
(config-if)# frame-relay map ip 1.2.3.4 111 ?
broadcast
Broadcasts should be forwarded to this address
cisco
Use CISCO Encapsulation
compress
Enable TCP/IP and RTP/IP header compression
ietf
nocompress
payload-compression
rtp
tcp
<cr>
Define H.323
Outline
> enable
# config t
(config)# int e0
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# h323-gateway voip interface
(config-if)# h323-gateway voip h323-id gw_1
(config-if)# h323-gateway voip id gk.testing.com ipaddr 1.2.3.5 1718
(config-if)# h323-gateway voip bind srcaddr 1.2.3.4
(config-if)# h323-gateway voip tech-prefix 1#
(config-if)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 1166..
(config-dial-peer)# session target ras
(config-dial-peer)# exit
(config)# dial-peer voice 3 pots
(config-dial-peer)# destination-pattern 911
(config-dial-peer)# port 1/0/0
(config-dial-peer)# no register e164
(config-dial-peer)# exit
(config)# gateway
h323-gateway voip interface. This enables the router interface for H.323 processing.
h323-gateway voip h323-id gw_1. This defines the H.323 ID for the router.
h323-gateway voip id gk.testing.com ipaddr 1.2.3.5 1718. This defines the ID of the
gatekeeper, together with its IP address and TCP port number.
h323-gateway voip tech-prefix 1#. This registers a technology prefix, which tells the
gatekeeper that this gateway can handle 1# destinations (see the explanation below).
h323-gateway voip bind srcaddr 1.2.3.4. This defines the source address for H.323 packets
(1.2.3.4).
With no register e164, the router does not register the destination pattern when it
communicates with the gatekeeper, so an alternative method must be used to obtain
it.
For a technology prefix, the administrator defines different classes of gateway, such as:
1# - voice gateway.
2# - voicemail gateway.
3# - H.320 gateway.
And so on.
The tech-prefix is then prepended to the number required, so that the call reaches the right
gateway. For example, a caller might dial 1#1112222 to reach the telephone at 1112222
through a voice gateway. On receiving this, the voice gateway strips off the tech-prefix and
sends the call to the telephone at 1112222.
Outline
> enable
# config t
(config)# sip-ua
(config-sip-ua)# retry invite 10
(config-sip-ua)# retry response 10
(config-sip-ua)# retry cancel 10
(config-sip-ua)# retry bye 10
(config-sip-ua)# sip-server dns:test
(config-sip-ua)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target ipv4:1.2.3.4
(config-dial-peer)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target sip-server
(config-dial-peer)# exit
(config)# exit
# sh sip-ua status
# sh sip-ua timers
Example
> enable
# config t
(config)# sip-ua
(config-sip-ua)# ?
SIP UA configuration commands:
aaa
sip-ua AAA related configuration
authentication
Digest Authentication Configuration
calling-info
Specify treatment of calling information
default
Set a command to its defaults
disable-early-media Disable early-media cut through
exit
Exit from sip-ua configuration mode
max-forwards
Change number of max-forwards for SIP Methods
mwi-server
Configure a mwi Server
nat
Outline
> enable
# config t
(config)# ccm-manager mgcp
(config)# mgcp
(config)# mgcp call-agent 192.168.0.1
(config)# voice 1/0/0
(config-voiceport)# exit
(config)# voice 1/0/1
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# voice 1/0/0
(config)# dial-peer voice 2 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# voice 1/0/1
(config-dial-peer)# exit
(config)# exit
# show mgcp statistics
# show call application voice summary
# show mgcp
# show call active voice brief
# show call history voice
Example
> enable
# config t
(config)# ccm ?
application               application specific
config                    MGCP download configuration
download-tones            Enable Tone Download from TFTP server
fallback-mgcp             Enable Fallback from MGCP to H.323 mode if no Call
                          Manager is available
fax                       Enable fax protocol for MGCP
mgcp                      Enable Call Manager Application MGCP mode
music-on-hold             Enable multicast Music-on-hold
redundant-host            Redundant host list
sccp                      Enable Call Manager Application SCCP mode
shut-backhaul-interfaces  Shutdown the backhauled interfaces if no Call
                          Manager is available
switchback                Configure switchback options for rehoming to
                          higher-order Call Manager
timer
vad
validate
voice-quality-stats
<cr>
(config)# mgcp
(config)# mgcp call-agent ?
WORD Hostname or IP address of the call-agent
(config)# mgcp call-agent 192.168.0.1
(config)# voice 1/0/0
(config-voiceport)# exit
(config)# voice 1/0/1
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# ap ?
WORD Application name (Use show call application voice summary for list)
(config-dial-peer)# application mgcpapp
(config-dial-peer)# voice 1/0/0
(config)# dial-peer voice 2 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# voice 1/0/1
description
builtin:app_test_rcvr_script.tcl
builtin:app_clid_authen_script.tcl
builtin:app_clid_col_npw_npw_script.tcl
builtin:Session_Service.C
builtin:CallTreatment_Service.C
builtin:app_fax_hop_on_script.tcl
ipsla-testcall
clid_authen_npw
session
clid_col_npw_3
lib_off_app
stcapp
MGCPAPP
Tcl Script
Tcl Script
Tcl Script
Tcl Script
CCAPI
CCAPI
CCAPI
builtin:app_test_place_script.tcl
builtin:app_clid_authen_npw_script.tcl
builtin:app_session_script.tcl
builtin:app_clid_col_npw_3_script.tcl
Libretto Offramp
SCCP Call Control Application
MGCP Application
# show mgcp
MGCP Admin State DOWN, Oper State DOWN - Cause Code NONE
MGCP call-agent: none Initial protocol service is MGCP 0.1
MGCP block-newcalls DISABLED
MGCP validate domain name DISABLED
MGCP send SGCP RSIP: forced/restart/graceful/disconnected DISABLED
MGCP quarantine mode discard/step
MGCP quarantine of persistent events is ENABLED
MGCP dtmf-relay for VoIP disabled for all codec types
MGCP dtmf-relay for VoAAL2 disabled for all codec types
MGCP voip modem passthrough disabled
MGCP voaal2 modem passthrough disabled
MGCP voip modem relay: Disabled.
MGCP TSE payload: 100
MGCP T.38 Named Signalling Event (NSE) response timer: 200
MGCP Network (IP/AAL2) Continuity Test timer: 200
MGCP 'RTP stream loss' timer: 5
MGCP request timeout 500
MGCP maximum exponential request timeout 4000
MGCP gateway port: 2427, MGCP maximum waiting delay 3000
MGCP restart delay 0, MGCP vad DISABLED
MGCP rtrcac DISABLED
MGCP system resource check DISABLED
MGCP xpc-codec: DISABLED, MGCP persistent hookflash: DISABLED
MGCP persistent offhook: ENABLED, MGCP persistent onhook: DISABLED
MGCP piggyback msg ENABLED, MGCP endpoint offset DISABLED
MGCP simple-sdp DISABLED
MGCP undotted-notation DISABLED
MGCP codec type g711ulaw, MGCP packetization period 20
MGCP JB threshold lwm 30, MGCP JB threshold hwm 150
MGCP LAT threshold lwm 150, MGCP LAT threshold hwm 300
MGCP PL threshold lwm 1000, MGCP PL threshold hwm 10000
MGCP CL threshold lwm 1000, MGCP CL threshold hwm 10000
MGCP playout mode is adaptive 60, 40, 200 in msec
MGCP Fax Playout Buffer is 300 in msec
MGCP media (RTP) dscp: ef, MGCP signaling dscp: af31
MGCP default package: line-package
MGCP supported packages: gm-package dtmf-package trunk-package line-package
hs-package atm-package ms-package dt-package res-package
mt-package fxr-package
MGCP Digit Map matching order: shortest match
SGCP Digit Map matching order: always left-to-right
MGCP VoAAL2 ignore-lco-codec DISABLED
MGCP T.38 Fax is ENABLED
MGCP T.38 Fax ECM is ENABLED
MGCP T.38 Fax NSF Override is DISABLED
MGCP T.38 Fax Low Speed Redundancy: 0MGCP T.38 Fax High Speed Redundancy: 0
MGCP control bind :DISABLED
MGCP media bind :DISABLED
MGCP Upspeed payload type for G711ulaw: 0, G711alaw: 8
MGCP Dynamic payload type for G.726-16K codec
MGCP Dynamic payload type for G.726-24K codec
MGCP Dynamic payload type for G.Clear codec
MGCP Guaranteed scheduler time is disabled
FastConnect=TRUE
SessionProtocol=cisco
SessionTarget=ipv4:1.14.82.14
OnTimeRvPlayout=40
GapFillWithSilence=0 ms
GapFillWithPrediction=0 ms
GapFillWithInterpolation=0 ms
GapFillWithRedundancy=0 ms
HiWaterPlayoutDelay=67 ms
LoWaterPlayoutDelay=67 ms
ReceiveDelay=67 ms
LostPackets=0 ms
EarlyPackets=0 ms
LatePackets=0 ms
VAD = enabled
CoderTypeRate=g729r8
CodecBytes=20
cvVoIPCallHistoryIcpif=0
SignalingType=cas
Modem passthrough signaling method is nse
Buffer Fill Events = 0
Buffer Drain Events = 0
Percent Packet Loss = 0
Consecutive-packets-lost Events = 0
Corrected packet-loss Events = 0
Last Buffer Drain/Fill Event = 373sec
Time between Buffer Drain/Fills = Min 0sec Max 0sec
GENERIC:
SetupTime=104443 ms
Index=2
PeerAddress=50110
PeerSubAddress=
PeerId=100
PeerIfIndex=104
LogicalIfIndex=10
DisconnectCause=10
DisconnectText=normal call clearing.
ConnectTime=104964
DisconectTime=143330
CallDuration=00:06:23
CallOrigin=2
ChargedUnits=0
InfoType=speech
TransmitPackets=37717
TransmitBytes=5706436
ReceivePackets=37668
ReceiveBytes=6609552
TELE:
ConnectionId=[0x4B091A27 0x3EDD0003 0x0 0xFEFD4]
TxDuration=375300 ms
VoiceTxDuration=375300 ms
FaxTxDuration=0 ms
CoderTypeRate=g711ulaw
NoiseLevel=-75
ACOMLevel=11
SessionTarget=
ImgPages=0
Outline
This challenge involves the configuration of SIP on a Cisco SIP gateway with an FXO setup. Some
routers have Foreign Exchange Station (FXS) interfaces, which connect to a standard
telephone, fax machine or similar device and thus must provide ringing, voltage supply
and dial tone. Normally the FXS interface uses an RJ-11 connector to connect to the telephone
equipment.
Objectives
The objectives of this challenge are to:
Outline
> enable
# sh version
# config t
(config)# sip-ua
(config-sip-ua)# ?
(config-sip-ua)# exit
(config)# voice-port 1/0/0
(config-voiceport)# description testing
(config-voiceport)# input gain 8
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer voice 200 voip
(config-dial-peer)# exit
(config)# gateway
Example
> enable
# sh version
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 11:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
ren
Ringer Equivalence Number
ring
Ring frequency Parameters
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure supervisory disconnect lcfo
threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# description ?
LINE A string (up to 64 characters) describing the port connection (e.g.
pbx1)
(config-voiceport)# description testing
(config-voiceport)# input ?
gain Configure gain in db for voice input
(config-voiceport)# input gain ?
<-6 - 14> gain in db
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
alerting     Define caller id alerting method
attenuation  Configure caller id tx attenuation
block        Block the caller id of the calls made from this port
enable       Enable caller id on this port
format       Change caller id format
(config-voice-port)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
cor         Class of Restriction
hunt        Define the dial peer hunting choice
outbound    Define the outbound options
terminator  Define the address terminate character
voice       Voice type
(config)# dial-peer voice ?
<1-2147483647>  Voice dial-peer tag
(config)# dial-peer voice 200 ?
mmoip  Multi Media Over IP
pots   Telephony
voatm  Voice over ATM
vofr   Voice over Frame Relay
voip   Voice over IP
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
DIALPEER configuration commands:
acc-qos         The Minimally Acceptable Quality of Service to be used in getting to this peer
answer-address  The Call Destination Number
application     The selected application
call            Per Voip dial-peer Call configuration
call-block      Incoming Call Blocking
carrier-id      Configure Carrier ID
clid            Caller ID option
codec
corlist
default
description
destination-pattern
dnis-map
dtmf-relay
exit
expect-factor
fax
fax-relay
huntstop
icpif
incoming
ip
max-conn
max-redirects
modem
no
numbering-type
permission
playout-delay
preference
req-qos
roaming
rtp
session
settle-call
shutdown
signal-type
signaling
snmp
supplementary-service
tech-prefix
tone
translate-outgoing
translation-profile
trunk-group-label
trunkgroup
vad
voice
voice-class
(config-dial-peer)# exit
(config)# gateway
(config-gateway)# ?
GATEWAY configuration commands:
default   Set a command to its defaults
emulate   Gateway emulation configuration
exit      Exit from gateway configuration mode
no        Negate a command or set its defaults
security  Gateway security configuration
timer     Gateway-wide timers
Define CEF (Cisco Express Forwarding), as this is required for Auto QoS.
Enable NBAR (Network Based Application Recognition), as this is required for Auto
QoS.
Define the bandwidth on an interface.
Enable Auto QoS.
Example
> en
# config t
(config)# ip cef
(config)# int s0
(config-if)# bandwidth ?
<1-10000000>  Bandwidth in kilobits
inherit       Specify how bandwidth is inherited
(config-if)# bandwidth 256
(config-if)# ip nbar ?
protocol-discovery Enable NBAR protocol discovery
(config-if)# ip nbar protocol ?
<cr>
(config-if)# ip nbar protocol
(config-if)# auto ?
qos Configure AutoQoS
(config-if)# auto qos ?
voip Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
trust Trust the DSCP marking
<cr>
NBAR protocol-discovery counters for the interface (packet count / byte count / 5 minute bit rate in bps; every counter is zero):

Protocol                 Input                     Output
                         Packet Count              Packet Count
                         Byte Count                Byte Count
                         5 minute bit rate (bps)   5 minute bit rate (bps)
------------------------ ------------------------- -------------------------
bgp                      0 / 0 / 0                 0 / 0 / 0
citrix                   0 / 0 / 0                 0 / 0 / 0
cuseeme                  0 / 0 / 0                 0 / 0 / 0
custom-01                0 / 0 / 0                 0 / 0 / 0
custom-02                0 / 0 / 0                 0 / 0 / 0
custom-03                0 / 0 / 0                 0 / 0 / 0
custom-04                0 / 0 / 0                 0 / 0 / 0
custom-05                0 / 0 / 0                 0 / 0 / 0
custom-06                0 / 0 / 0                 0 / 0 / 0
custom-07                0 / 0 / 0                 0 / 0 / 0
custom-08                0 / 0 / 0                 0 / 0 / 0
custom-09                0 / 0 / 0                 0 / 0 / 0
custom-10                0 / 0 / 0                 0 / 0 / 0
dhcp                     0 / 0 / 0                 0 / 0 / 0
dns                      0 / 0 / 0                 0 / 0 / 0
egp                      0 / 0 / 0                 0 / 0 / 0
eigrp                    0 / 0 / 0                 0 / 0 / 0
exchange                 0 / 0 / 0                 0 / 0 / 0
fasttrack                0 / 0 / 0                 0 / 0 / 0
finger                   0 / 0 / 0                 0 / 0 / 0
ftp                      0 / 0 / 0                 0 / 0 / 0
gnutella                 0 / 0 / 0                 0 / 0 / 0
gopher                   0 / 0 / 0                 0 / 0 / 0
gre                      0 / 0 / 0                 0 / 0 / 0
http                     0 / 0 / 0                 0 / 0 / 0
icmp                     0 / 0 / 0                 0 / 0 / 0
imap                     0 / 0 / 0                 0 / 0 / 0
ipinip                   0 / 0 / 0                 0 / 0 / 0
ipsec                    0 / 0 / 0                 0 / 0 / 0
irc                      0 / 0 / 0                 0 / 0 / 0
kazaa2                   0 / 0 / 0                 0 / 0 / 0
kerberos                 0 / 0 / 0                 0 / 0 / 0
l2tp                     0 / 0 / 0                 0 / 0 / 0
ldap                     0 / 0 / 0                 0 / 0 / 0
napster                  0 / 0 / 0                 0 / 0 / 0
netbios                  0 / 0 / 0                 0 / 0 / 0
netshow                  0 / 0 / 0                 0 / 0 / 0
nfs                      0 / 0 / 0                 0 / 0 / 0
nntp                     0 / 0 / 0                 0 / 0 / 0
notes                    0 / 0 / 0                 0 / 0 / 0
novadigm                 0 / 0 / 0                 0 / 0 / 0
ntp                      0 / 0 / 0                 0 / 0 / 0
pcanywhere               0 / 0 / 0                 0 / 0 / 0
pop3                     0 / 0 / 0                 0 / 0 / 0
pptp                     0 / 0 / 0                 0 / 0 / 0
printer                  0 / 0 / 0                 0 / 0 / 0
rcmd                     0 / 0 / 0                 0 / 0 / 0
rip                      0 / 0 / 0                 0 / 0 / 0
rsvp                     0 / 0 / 0                 0 / 0 / 0
rtp                      0 / 0 / 0                 0 / 0 / 0
rtspplayer               0 / 0 / 0                 0 / 0 / 0
secure-ftp               0 / 0 / 0                 0 / 0 / 0
secure-http              0 / 0 / 0                 0 / 0 / 0
secure-imap              0 / 0 / 0                 0 / 0 / 0
secure-irc               0 / 0 / 0                 0 / 0 / 0
secure-ldap              0 / 0 / 0                 0 / 0 / 0
secure-nntp              0 / 0 / 0                 0 / 0 / 0
secure-pop3              0 / 0 / 0                 0 / 0 / 0
secure-telnet            0 / 0 / 0                 0 / 0 / 0
smtp                     0 / 0 / 0                 0 / 0 / 0
snmp                     0 / 0 / 0                 0 / 0 / 0
socks                    0 / 0 / 0                 0 / 0 / 0
sqlnet                   0 / 0 / 0                 0 / 0 / 0
sqlserver                0 / 0 / 0                 0 / 0 / 0
ssh                      0 / 0 / 0                 0 / 0 / 0
streamwork               0 / 0 / 0                 0 / 0 / 0
sunrpc                   0 / 0 / 0                 0 / 0 / 0
syslog                   0 / 0 / 0                 0 / 0 / 0
telnet                   0 / 0 / 0                 0 / 0 / 0
tftp                     0 / 0 / 0                 0 / 0 / 0
vdolive                  0 / 0 / 0                 0 / 0 / 0
xwindows                 0 / 0 / 0                 0 / 0 / 0
unknown                  0 / 0 / 0                 0 / 0 / 0
Total                    0 / 0 / 0                 0 / 0 / 0
Explanation
Key facts:
CCNP Objective: QoS Implementation Methods.
AutoQoS for the Enterprise is the next generation of AutoQoS, and uses NBAR for traffic
discovery and classification. The basic form is AutoQoS VoIP.
For AutoQoS to work, CEF and NBAR must be enabled, and the bandwidth must be correctly
defined on the interface, because AutoQoS sizes its queues and policers from the
configured bandwidth, not from the physical line rate.
AutoQoS automatically generates the QoS commands (access lists, class maps and policy
maps) that would otherwise be written by hand.
AutoQoS analyzes network traffic through AutoQoS Discovery, which uses NBAR to build
traffic classes, and from those classes creates policies, which are then applied to the
interface(s).
AutoQoS simplifies the configuration.
AutoQoS has five elements: Classification (AutoQoS Discovery uses NBAR to discover the
traffic and its requirements); Policy generation (access lists, class maps and policy
maps are generated to implement the policy); Configuration (the generated policy is
applied to the required interfaces); Monitoring and reporting (the operation is
continually updated and reported on); and Consistency (the same policy can be applied
consistently across a range of devices).
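The AutoQoS Discovery phase described above works from the same NBAR counters that the protocol-discovery table prints, and a security engineer reads that table for a different reason: it shows what is actually crossing the link before any policy is applied. The following Python is an added example, not code from the page or from Cisco. It parses a constructed sample of that output (three counter rows per protocol, Input column then Output column), ranks protocols by volume, checks that the per-protocol rows add up to the Total row, and flags protocols that should not be present on a voice-carrying WAN link. The sample counters and the list of unexpected protocols are assumptions.

```python
"""Parse NBAR protocol-discovery counters and flag unexpected applications."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show ip nbar protocol-discovery" output; it is not
# taken from the page or from a real router.  Each protocol occupies three
# rows (packet count, byte count, 5-minute bit rate); the first number on a
# row is the Input counter, the second the Output counter.
SAMPLE_OUTPUT = """\
 Serial0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   rtp                      120334                   118902
                            19253440                 19024320
                            512000                   505000
   telnet                   812                      790
                            48720                    35550
                            2000                     1000
   kazaa2                   5031                     4102
                            4027480                  392160
                            96000                    8000
   http                     0                        0
                            0                        0
                            0                        0
   Total                    126177                   123794
                            23329640                 19452030
                            610000                   514000
"""

# Assumed policy for a voice-carrying WAN link: cleartext remote access and
# peer-to-peer file sharing should not be present at all.
UNEXPECTED = {"telnet", "tftp", "kazaa2", "gnutella", "fasttrack", "napster"}


@dataclass
class ProtoStats:
    name: str
    in_pkts: int
    in_bytes: int
    in_bps: int
    out_pkts: int
    out_bytes: int
    out_bps: int


def _counter_row(line: str) -> Optional[Tuple[Optional[str], int, int]]:
    """Return (name-or-None, input, output) for a counter row, else None."""
    parts = line.split()
    if len(parts) == 2 and parts[0].isdigit() and parts[1].isdigit():
        return None, int(parts[0]), int(parts[1])
    if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
        return parts[0], int(parts[1]), int(parts[2])
    return None  # interface name, column headers or the separator line


def parse_protocol_discovery(text: str) -> Dict[str, ProtoStats]:
    """Group counter rows in threes; the first row of each group names the protocol."""
    rows: List[Tuple[Optional[str], int, int]] = []
    for line in text.splitlines():
        row = _counter_row(line)
        if row is not None:
            rows.append(row)
    if len(rows) % 3:
        raise ValueError("truncated table: rows do not come in threes")
    stats: Dict[str, ProtoStats] = {}
    for i in range(0, len(rows), 3):
        name = rows[i][0]
        if name is None or rows[i + 1][0] is not None or rows[i + 2][0] is not None:
            raise ValueError("table out of phase at row %d" % i)
        stats[name] = ProtoStats(name,
                                 rows[i][1], rows[i + 1][1], rows[i + 2][1],
                                 rows[i][2], rows[i + 1][2], rows[i + 2][2])
    return stats


def flag_unexpected(stats: Dict[str, ProtoStats], policy=UNEXPECTED) -> List[str]:
    """Policy protocols that actually carried packets in either direction."""
    return sorted(n for n, s in stats.items()
                  if n in policy and (s.in_pkts or s.out_pkts))


def top_talkers(stats: Dict[str, ProtoStats], n: int = 3) -> List[str]:
    """Protocols ranked by total bytes, ignoring the Total row."""
    ranked = sorted((s for k, s in stats.items() if k != "Total"),
                    key=lambda s: s.in_bytes + s.out_bytes, reverse=True)
    return [s.name for s in ranked[:n]]


def totals_consistent(stats: Dict[str, ProtoStats]) -> bool:
    """Check that the per-protocol packet counts add up to the Total row."""
    total = stats["Total"]
    others = [s for k, s in stats.items() if k != "Total"]
    return (sum(s.in_pkts for s in others) == total.in_pkts
            and sum(s.out_pkts for s in others) == total.out_pkts)


if __name__ == "__main__":
    st = parse_protocol_discovery(SAMPLE_OUTPUT)
    print("top talkers:", top_talkers(st))
    print("unexpected:", flag_unexpected(st))
    print("totals consistent:", totals_consistent(st))
```

The parser keys on row shape rather than column positions, so it survives the column widths changing between IOS releases; the phase check raises rather than silently attributing a byte count to the wrong protocol.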
Example
> en
# config t
(config)# cdp run
(config)# int vlan 10
Outline
> en
# config t
(config)# call threshold interface e0
(config)# call threshold global cpu-avg low 10 high 50 busyout
(config)# call threshold global total-calls low 15 high 5000 busyout
(config)# call threshold global total-mem low 15 high 5000 busyout
(config)# call threshold global io-mem low 15 high 5000 busyout
(config)# call spike 20 steps 10 size 1000
(config)# call treatment on
(config)# call treatment action hairpin
Example
> en
# config t
(config)# call thres ?
global         the global resources of this gateway
interface      interface triggers for this gateway
poll-interval  the poll interval for some resources
(config)# call threshold interface e0
(config)# call th g ?
cpu-5sec     the CPU utilization in the last 5 seconds
cpu-avg      the average CPU utilization
io-mem       the IO memory utilization
proc-mem     the Processor memory utilization
total-calls  the total number of calls
total-mem    the total memory utilization
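The call threshold and call spike commands above are resource-exhaustion controls for the gateway: each low/high pair forms a hysteresis band (busy out when the resource reaches the high mark, recover only when it has fallen back to the low mark, so that a reading hovering around one value does not make the trunk flap), and call spike bounds how many calls are admitted inside a sliding window. The Python below is an added example, not the page's or Cisco's code, and models those semantics as stated in its comments; the exact comparison rules, the decision to count only admitted calls against the spike window, and the sample readings are assumptions.

```python
"""Resource-threshold busyout and call-spike limiting, modelled on the
gateway's call threshold / call spike commands."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class BusyoutThreshold:
    """Hysteresis trigger for one resource, as in
    'call threshold global cpu-avg low 10 high 50 busyout'.

    Assumed semantics: the gateway busies out (rejects new calls) once the
    polled value reaches `high`, and accepts calls again only when the value
    has fallen back to `low`.
    """
    resource: str
    low: int
    high: int
    busyout: bool = False

    def __post_init__(self) -> None:
        if not 0 <= self.low < self.high:  # a low above high is a misconfiguration
            raise ValueError(f"{self.resource}: low must be less than high")

    def update(self, value: int) -> bool:
        """Feed one polled reading; return the busyout state after it."""
        if not self.busyout and value >= self.high:
            self.busyout = True
        elif self.busyout and value <= self.low:
            self.busyout = False
        return self.busyout


def run_samples(th: BusyoutThreshold, samples: List[int]) -> List[bool]:
    """State after each reading, to see the hysteresis band in action."""
    return [th.update(v) for v in samples]


class CallSpike:
    """Sliding-window limiter for 'call spike N steps S size MS'.

    Assumed semantics: the window is S buckets of MS milliseconds each; a new
    call is refused when N calls have already been admitted inside the window.
    """

    def __init__(self, call_number: int, steps: int, size_ms: int) -> None:
        self.limit, self.steps, self.size_ms = call_number, steps, size_ms
        self.buckets: Deque[Tuple[int, int]] = deque()  # (bucket index, count)

    def admit(self, now_ms: int) -> bool:
        idx = now_ms // self.size_ms
        oldest = idx - self.steps + 1
        while self.buckets and self.buckets[0][0] < oldest:
            self.buckets.popleft()                      # expire old buckets
        if sum(c for _, c in self.buckets) >= self.limit:
            return False                                # spike: refuse the call
        if self.buckets and self.buckets[-1][0] == idx:
            self.buckets[-1] = (idx, self.buckets[-1][1] + 1)
        else:
            self.buckets.append((idx, 1))
        return True


def admit_call(thresholds: Dict[str, BusyoutThreshold], readings: Dict[str, int],
               spike: CallSpike, now_ms: int) -> bool:
    """A call is accepted only if no resource is busied out and no spike is under way."""
    busied = [th.update(readings[name]) for name, th in thresholds.items()]
    if any(busied):
        return False
    return spike.admit(now_ms)


if __name__ == "__main__":
    cpu = BusyoutThreshold("cpu-avg", low=10, high=50)
    print(run_samples(cpu, [5, 30, 50, 45, 12, 10, 60]))
```

With the page's cpu-avg values a reading sequence of 5, 30, 50, 45, 12, 10, 60 busies the gateway out at 50, keeps it out through 45 and 12, and only releases it at 10, which is the behaviour a single threshold at 50 would not give.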
24 MPLS
Cisco MPLS
MPLS Introduction
The most up-to-date version of this test is at:
http://networksims.com/i01.html
Commands
> enable
# config t
(config)# ip cef
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip route-cache cef
(config-if)# mpls ip
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
(config-router)# exit
(config)# mpls ldp router-id loopback5
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
Note that this loopback address falls inside the same /29 as Serial0, which IOS rejects as an overlapping subnet; in practice the loopback used as the LDP router-id is given its own /32 address.
Example
> enable
# config t
(config)# ip cef
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip route- ?
cef             Enable Cisco Express Forwarding
flow            Enable Flow fast-switching cache
policy          Enable fast-switching policy cache for outgoing packets
same-interface  Enable fast-switching on the same interface
<cr>
(config-if)# ip route-cache cef
(config-if)# mpls ?
accounting   Enable MPLS accounting on this interface
ip           Configure dynamic MPLS forwarding for IP
label        Label properties
ldp          Configure Label Distribution Protocol (LDP) parameters
mtu          Set tag switching Maximum Transmission Unit
netflow      Configure Egress Netflow Accounting
traffic-eng  Configure Traffic Engineering parameters
(config-if)# mpls ip
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
(config-router)# exit
(config)# mpls ?
atm          Configure ATM options
ip           Dynamic MPLS forwarding for IP
ipv6         Dynamic MPLS forwarding for IPv6
label        Label properties
ldp          Label Distribution Protocol
static       Configure static label bindings
traffic-eng  Configure Traffic Engineering parameters
(config)# mpls ldp ?
advertise-labels  Label advertisements
atm               Configure ATM MPLS options
backoff           Set LDP session backoff parameters
discovery         LDP discovery
explicit-null     Advertise Explicit Null label in place of Implicit Null
graceful-restart  Configure LDP Graceful Restart
holdtime          LDP session holdtime
igp               Configure IGP-related LDP parameters
logging           Enable LDP logging
loop-detection    Enable LDP Loop Detection
maxhops           Limit hop count for LDP LSP setup
neighbor          Configure neighbor parameters
path-vector       Path Vector for LDP LSP setup
request-labels    Access list to specify valid downstream on demand destinations.
router-id         Select interface to prefer for LDP identifier address
session           Configure session parameters
tcp               Set TCP parameters for LDP
(config)# mpls ldp router-id ?
Async              Async interface
BVI                Bridge-Group Virtual Interface
CDMA-Ix            CDMA Ix interface
CTunnel            CTunnel interface
Dialer             Dialer interface
Ethernet           IEEE 802.3
FastEthernet       FastEthernet IEEE 802.3
Group-Async        Async Group interface
Lex                Lex interface
Loopback           Loopback interface
MFR                Multilink Frame Relay bundle interface
Multilink          Multilink-group interface
Null               Null interface
Port-channel       Ethernet Channel of interfaces
Serial             Serial
TokenRing          IEEE 802.5
Tunnel             Tunnel interface
Vif                PGM Multicast Host interface
Virtual-PPP        Virtual PPP interface
Virtual-Template   Virtual Template interface
Virtual-TokenRing  Virtual TokenRing
(config)# mpls ldp router-id loopback5
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
Commands
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int atm0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config)# int atm0.1 point-to-point
(config-subif)# ip address 138.10.11.1 255.255.255.248
(config-subif)# mpls ip
(config-subif)# pvc 2/100
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
Example
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int atm0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config)# int atm0.1 ?
mpls            Treat as an MPLS link
multipoint      Treat as a multipoint link
point-to-point  Treat as a point-to-point link
tag-switching   Treat as a tag switching link (obsolete, use mpls)
<cr>
(config)# int atm0.1 point-to-point
(config-subif)# ip address 138.10.11.1 255.255.255.248
(config-subif)# mpls ?
atm          Tag controlled ATM parameters
ip           Configure dynamic MPLS forwarding for IP
label        Label properties
ldp          Configure Label Distribution Protocol (LDP) parameters
mtu          Set tag switching Maximum Transmission Unit
netflow      Configure Egress Netflow Accounting
traffic-eng  Configure Traffic Engineering parameters
(config-subif)# mpls ip
(config-subif)# pvc ?
<0-7>     Enter VPI/VCI value(slash required)
<1-1023>  Enter VCI value
WORD      Optional handle to refer to this connection
(config-subif)# pvc 2/100
(config-if-atm-vc)# encapsulation ?
aal5ciscoppp  Cisco PPP over AAL5 Encapsulation
aal5mux       AAL5+MUX Encapsulation
aal5nlpid     AAL5+NLPID Encapsulation
aal5snap      AAL5+LLC/SNAP Encapsulation
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
Cisco MPLS
MPLS Basics
The most up-to-date version of this test is at:
http://networksims.com/i02.html
Configure VRF.
Configure RD (which is used to make a unique IP address).
Configure import and export policy (RT).
Associate VRF with an interface
Commands
> enable
# config t
(config)# ip cef
(config)# ip vrf Testing
(config-vrf)# rd 1:100
(config-vrf)# route-target both 1:100
(config-vrf)# exit
(config)# int loopback5
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int s0
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# exit
The VRF is created before it is bound to an interface, and ip vrf forwarding is entered before the address: applying it removes any IP address already configured on the interface.
Example
> enable
# config t
(config)# ip cef
(config)# ip vrf ?
WORD  VPN Routing/Forwarding instance name
(config)# ip vrf Testing
(config-vrf)# ?
IP VPN Routing/Forwarding instance configuration commands:
bgp           Commands pertaining to BGP
context       Associate SNMP context with this vrf
default       Set a command to its defaults
description   VRF specific description
exit          Exit from VRF configuration mode
maximum       Set a limit
mdt           Backbone Multicast Distribution Tree
no            Negate a command or set its defaults
rd            Specify Route Distinguisher
route-target  Specify Target VPN Extended Communities
vpn           Configure VPN ID as specified in rfc2685
(config-vrf)# rd ?
ASN:nn or IP-address:nn
(config-vrf)# rd 1:100
(config-vrf)# route-target ?
ASN:nn or IP-address:nn  Target VPN Extended Community
both                     Both import and export Target-VPN community
export                   Export Target-VPN community
import                   Import Target-VPN community
(config-vrf)# route-target both 1:100
(config-vrf)# exit
(config)# int loopback5
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
The RD (Route Distinguisher) is a 64-bit value that is prepended to each customer IPv4 prefix
to form a unique VPNv4 prefix, so that overlapping customer address space can coexist in the
provider's BGP table (the VRF's own routing and forwarding table is created by the ip vrf
command itself). The RD can be either:
16-bit AS number : 32-bit number. For example 1:100, which has an AS of 1 and a 32-bit
number of 100.
32-bit IP address : 16-bit number. For example 192.168.1.1:1, which has a 16-bit value of 1.
The RD only makes prefixes unique; which VRFs actually exchange routes is decided by the
route-target import and export values, so it is the route targets that enforce separation
between customers.
Configure VRF.
Configure RD (which is used to make a unique IP address).
Configure import and export policy (RT).
Associate VRF with an interface.
Configure BGP PE-PE on a PE device.
Commands
> enable
# config t
(config)# ip cef
(config)# ip vrf Testing
(config-vrf)# rd 1:100
(config-vrf)# route-target both 1:100
(config-vrf)# exit
(config)# int loopback5
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int s0
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# exit
(config)# router bgp 1
(config-router)# neighbor 1.2.3.4 remote-as 1
(config-router)# neighbor 1.2.3.4 update-source loopback5
(config-router)# address-family vpnv4
(config-router-af)# neighbor 1.2.3.4 send-community extended
(config-router-af)# neighbor 1.2.3.4 activate
The address family is vpnv4 (VPN-IPv4). send-community extended is required because the route targets travel as BGP extended communities, and the update-source interface must be reachable in the global routing table, not inside a VRF. A neighbor password (MD5 authentication of the BGP TCP session) should also be set on the PE-PE session.
Example
> enable
# config t
(config)# ip cef
(config)# ip vrf Testing
(config-vrf)# rd 1:100
(config-vrf)# route-target both 1:100
(config-vrf)# exit
(config)# int loopback5
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int s0
(config-if)# ip vrf forwarding Testing
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# exit
(config)# router bgp 1
(config-router)# neighbor 1.2.3.4 remote-as 1
(config-router)# neighbor 1.2.3.4 update-source loopback5
(config-router)# address-family vpnv4
(config-router-af)# neighbor ?
A.B.C.D     Neighbor address
WORD        Neighbor tag
X:X:X:X::X  Neighbor IPv6 address
(config-router-af)# neighbor 1.2.3.4 ?
activate                Enable the Address Family for this Neighbor
advertise-map           specify route-map for conditional advertisement
advertisement-interval  Minimum interval between sending BGP routing updates
allowas-in              Accept as-path with my AS present in it
description             Neighbor specific description
distribute-list         Filter updates to/from this neighbor
dmzlink-bw              Propagate the DMZ link bandwidth
ebgp-multihop           Allow EBGP neighbors not on directly connected networks
filter-list             Establish BGP filters
local-as                Specify a local-as number
maximum-prefix          Maximum number of prefix accept from this peer
next-hop-self           Disable the next hop calculation for this neighbor
password                Set a password
peer-group              Member of the peer-group
prefix-list             Filter updates to/from this neighbor
remote-as               Specify a BGP neighbor
remove-private-AS       Remove private AS number from outbound updates
route-map               Apply route map to neighbor
route-reflector-client  Configure a neighbor as Route Reflector client
send-community          Send Community attribute to this neighbor
shutdown                Administratively shut down this neighbor
soft-reconfiguration    Per neighbor soft reconfiguration
timers                  BGP per neighbor timers
unsuppress-map          Route-map to selectively unsuppress suppressed routes
update-source           Source of routing updates
version                 Set the BGP version to match a neighbor
weight                  Set default weight for routes from this neighbor
(config-router-af)# neighbor 1.2.3.4 send ?
both      Send Standard and Extended Community attributes
extended  Send Extended Community attribute
standard  Send Standard Community attribute
<cr>
(config-router-af)# neighbor 1.2.3.4 send-community extended
(config-router-af)# neighbor 1.2.3.4 activate
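The two scenarios above (a VRF with its RD and route targets, then the PE-PE VPNv4 session) are where VPN isolation is actually decided, and the mistakes worth catching in a configuration review are a route target that quietly couples two customers and a VPNv4 session running without a neighbor password. The Python below is an added example, not code from the page or from Cisco: it encodes RDs into the 8-byte form that prefixes the route in a VPNv4 NLRI, parses a constructed configuration fragment, computes from the import/export route targets which VRFs receive each other's routes, and reports VPNv4 neighbors that have no password. The VRFs Shared and CustB, the neighbor 5.6.7.8 and the password string are assumptions.

```python
"""Audit an MPLS VPN PE configuration: RD encoding, route-target leakage
and unauthenticated VPNv4 sessions."""
import ipaddress
import re
import struct
from typing import Dict, List, Optional, Set, Tuple

# Constructed IOS fragment, not taken from the page or a real PE.  VRF Testing
# carries the page's rd 1:100 / route-target both 1:100; VRFs Shared and CustB
# and both BGP neighbours are assumptions added to show route leaking and a
# VPNv4 session configured without a password.
SAMPLE_CONFIG = """\
ip vrf Testing
 rd 1:100
 route-target both 1:100
!
ip vrf Shared
 rd 192.168.1.1:1
 route-target export 1:999
 route-target import 1:100
 route-target import 1:200
!
ip vrf CustB
 rd 1:200
 route-target both 1:200
 route-target import 1:999
!
router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source Loopback5
 neighbor 5.6.7.8 remote-as 1
 neighbor 5.6.7.8 password s3cret
 address-family vpnv4
  neighbor 1.2.3.4 send-community extended
  neighbor 1.2.3.4 activate
  neighbor 5.6.7.8 send-community extended
  neighbor 5.6.7.8 activate
"""


def encode_rd(rd: str) -> bytes:
    """Encode an RD into the 8 bytes that prefix the IPv4 route in a VPNv4 NLRI.

    'ASN:nn' is type 0 (2-byte type, 2-byte AS, 4-byte number);
    'A.B.C.D:nn' is type 1 (2-byte type, 4-byte IPv4 address, 2-byte number).
    """
    left, right = rd.rsplit(":", 1)
    if "." in left:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(left).packed, int(right))
    return struct.pack("!HHI", 0, int(left), int(right))


def parse_config(text: str) -> Tuple[Dict[str, dict], Dict[str, Dict[str, bool]]]:
    """Collect per-VRF rd/import/export sets and per-neighbor password/vpnv4 flags."""
    vrfs: Dict[str, dict] = {}
    neighbors: Dict[str, Dict[str, bool]] = {}
    cur: Optional[dict] = None
    in_vpnv4 = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        m = re.match(r"rd (\S+)$", line)
        if m and cur is not None:
            cur["rd"] = m.group(1)
            continue
        m = re.match(r"route-target (both|import|export) (\S+)$", line)
        if m and cur is not None:
            kind, rt = m.groups()
            if kind in ("both", "import"):
                cur["import"].add(rt)
            if kind in ("both", "export"):
                cur["export"].add(rt)
            continue
        if line.startswith("router bgp"):
            cur = None
        elif line.startswith("address-family vpnv4"):
            in_vpnv4 = True
        m = re.match(r"neighbor (\S+) (\S+)", line)
        if m:
            n = neighbors.setdefault(m.group(1), {"password": False, "vpnv4": False})
            if m.group(2) == "password":
                n["password"] = True
            if m.group(2) == "activate" and in_vpnv4:
                n["vpnv4"] = True
    return vrfs, neighbors


def leak_matrix(vrfs: Dict[str, dict]) -> Dict[str, Set[str]]:
    """VRF A receives VRF B's routes when A imports an RT that B exports."""
    leaks: Dict[str, Set[str]] = {}
    for a, va in vrfs.items():
        for b, vb in vrfs.items():
            if a != b and va["import"] & vb["export"]:
                leaks.setdefault(a, set()).add(b)
    return leaks


def audit(vrfs: Dict[str, dict], neighbors: Dict[str, Dict[str, bool]]) -> List[str]:
    """Findings: missing or duplicate RDs, VPNv4 sessions without a password."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for name, v in vrfs.items():
        if v["rd"] is None:
            findings.append(f"VRF {name}: no rd configured")
        elif v["rd"] in seen:
            findings.append(f"VRF {name}: rd {v['rd']} duplicates VRF {seen[v['rd']]}")
        else:
            seen[v["rd"]] = name
    for ip, n in neighbors.items():
        if n["vpnv4"] and not n["password"]:
            findings.append(f"neighbor {ip}: VPNv4 session without MD5 password")
    return findings
```

Run against the sample, the leak matrix shows Testing isolated (it only imports its own 1:100) while Shared sees both Testing and CustB and CustB sees Shared, which is the hub-like coupling a reviewer would want explained before the change ships.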
Commands
> enable
# config t
(config)# mgcp
(config)# mgcp call-agent 192.168.1.1
(config)# ccm-manager mgcp
If the MGCP configuration is to be loaded from CallManager, the IP address of the TFTP
server (such as CallManager) must be defined, such as:
(config)# ccm-manager config
(config)# ccm-manager config server 192.168.1.2
And there needs to be at least one dial peer in case CallManager is not available:
(config)# dial-peer voice 200 pots
(config-dial-peer)# destination-pattern 123..
(config-dial-peer)# incoming called-number .
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
Example
> enable
# config t
(config)# mgcp
(config)# mgcp call-agent 192.168.1.1
(config)# ccm-manager mgcp
(config)# ccm-manager config server 192.168.1.2
(config)# ccm-manager control
(config)# dial-peer voice 100 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
(config)# dial-peer voice 200 pots
(config-dial-peer)# destination-pattern 123..
(config-dial-peer)# incoming called-number .
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
(config)# int loopback15
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# mgcp bind ?
control  bind only MGCP control packets
media    bind only media packets
Commands
> enable
# config t
(config)# voice class codec 44
(config-class)# ?
(config-class)# codec preference 1 g728
(config-class)# codec preference 2 g729r8
(config-class)# codec preference 3 g726r32
(config-class)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# preference 1
(config-dial-peer)# voice-class code 44
Example
> enable
# config t
(config)# voice class codec 44
(config-class)# ?
VOICECLASS configuration commands:
codec  Set class codec parameters
exit   Exit from voice class configuration mode
help   Description of the interactive help system
no     Negate a command or set its defaults
(config-class)# codec ?
preference  Set priority order for using this codec
(config-class)# codec preference ?
<1-14>  Priority order (1 = Highest)
(config-class)# codec preference 1 ?
clear-channel  Clear Channel 64000 bps (No voice capabilities: data transport only)
g711alaw       G.711 A Law 64000 bps
g711ulaw       G.711 u Law 64000 bps
g723ar53       G.723.1 ANNEX-A 5300 bps (contains built-in vad that cannot be disabled)
g723ar63       G.723.1 ANNEX-A 6300 bps (contains built-in vad that cannot be disabled)
g723r53        G.723.1 5300 bps
g723r63        G.723.1 6300 bps
g726r16        G.726 16000 bps
g726r24        G.726 24000 bps
g726r32        G.726 32000 bps
g728           G.728 16000 bps
g729br8        G.729 ANNEX-B 8000 bps (contains built-in vad that cannot be disabled)
g729r8         G.729 8000 bps
(config-class)# codec preference 1 g728
(config-class)# codec preference 2 g729r8
(config-class)# codec preference 3 g726r32
(config-class)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
Commands
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# allow-connections h323 to h323
(conf-voi-serv)# h323
(conf-serv-h323)# no h225 timeout keepalive
(conf-serv-h323)# call service stop
(conf-serv-h323)# call start slow
Example
> enable
# config t
(config)# voice service voip
Router(conf-voi-serv)# ?
VOICE SERVICE configuration commands:
allow-conn  Define connections
cause-code  Sets the internal cause code for SIP and H323
default     Set a command to its defaults
exit        Exit from voice service configuration mode
fax         Global fax commands
h323        Global H.323 configuration commands
modem       Global modem commands
no          Negate a command or set its defaults
shutdown    Stop VoIP services gracefully without dropping active calls
signaling   Global setting for signaling payload handling
sip         SIP configuration commands
(conf-voi-serv)# allow-connections h323 to h323
(conf-voi-serv)# h323
(conf-serv-h323)# ?
VOICE SERVICE VOIP H323 configuration commands:
bearercap-ie  Specify bearercap_ie coding
call          Global setting for H.323 Calls
default       Set a command to its defaults
exit          Exit from voice service voip h323 configuration mode
h225          TCP H225 call signalling channel
h245          H245 Signalling
h450          H450 parameter configuration
no            Negate a command or set its defaults
ras           Gateway RAS configuration
session       H323 Voice Protocol session config
(conf-serv-h323)# no ?
bearercap-ie  Specify bearercap_ie coding
call          Global setting for H.323 Calls
h225          TCP H225 call signalling channel
h245          H245 Signalling
h450          H450 parameter configuration
ras           Gateway RAS configuration
session       H323 Voice Protocol session config
(conf-serv-h323)# no h225 ?
signal   Specify signaling options
timeout  Specify timeout for maintaining connections
(conf-serv-h323)# no h225 t ?
keepalive  KEEPALIVE timeout
setup      SETUP timeout
tcp        H225 CSA connection type
(conf-serv-h323)# no h225 timeout keepalive
(conf-serv-h323)# call ?
service  H.323 service configuration
start    Global setting for H.323 Call start procedures: Fast/Slow Start (Default: Fast Start)
(conf-serv-h323)# call service ?
stop  Stop H.323 service
(conf-serv-h323)# call service stop
(conf-serv-h323)# call start ?
fast  Use Fast Start procedures to initiate call
slow  Use Slow Start procedures to initiate call
(conf-serv-h323)# call start slow
Commands
> enable
# config t
(config)# dial-peer voice 1111 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session transport tcp
(config-dial-peer)# exit
(config)# dial-peer voice 1112 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# voice-class sip transport switch udp tcp
(config-dial-peer)# destination-pattern 99..
Example
> enable
# config t
(config)# dial-peer voice 1111 voip
(config-dial-peer)# session ?
protocol   The session protocol to be used in getting to this peer
target     The session target for this peer
transport  The transport layer protocol used for this peer
(config-dial-peer)# session target ?
WORD  A string specifying the session target
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# sess protocol ?
cisco      Cisco Session Protocol
multicast  Multicast Session Protocol(voice conferencing)
sipv2      IETF Session Initiation Protocol
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# sess transport ?
system  defer to voice service voip session transport
tcp     Transport Layer Protocol - TCP
udp     Transport Layer Protocol - UDP
(config-dial-peer)# session transport tcp
(config-dial-peer)# exit
(config)# dial-peer voice 1112 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# voice-class sip transport switch udp tcp
(config-dial-peer)# destination-pattern 99..
By default UDP is used as the SIP transport. In the first dial-peer the command:
(config-dial-peer)# session transport tcp
makes the gateway use TCP for all SIP signalling of that dial peer.
The command:
(config-dial-peer)# voice-class sip transport switch udp tcp
in the second dial peer keeps UDP as the transport but switches an individual SIP message to
TCP when it comes within 200 bytes of the MTU (Maximum Transmission Unit), the rule from
RFC 3261 that avoids fragmentation of large UDP datagrams (typically an INVITE carrying a
long SDP body). Both commands concern SIP signalling only; the RTP media stream is always
carried over UDP.
Allow a gateway to register the E.164 numbers of its non-SIP (analog or digital) phones
with a registrar. For this the registrar command is used.
Specify the IP address of the SIP server (using sip-server).
Define the maximum number of SIP hops (using max-forwards). This value can range between 1
and 70 (the default is 70); it is placed in the Max-Forwards header of requests the gateway
originates and is decremented by each proxy, so a lower value limits how far a looping
request can travel.
Disable the SIP UA from listening for messages on UDP port 5060 (no transport udp), so that
it listens for TCP messages only.
Show the configured E.164 phone number registration (using show sip-ua register
status).
Verify the SIP UA configuration (using show sip-ua status).
Commands
> enable
# config t
(config)# sip-ua
(config-sip-ua)# registrar ipv4:192.168.1.1 tcp
(config-sip-ua)# registrar ipv4:192.168.1.2 tcp secondary
(config-sip-ua)# sip-server ipv4:192.168.1.3
(config-sip-ua)# no transport udp
(config-sip-ua)# max-forwards 15
(config-sip-ua)# exit
(config)# exit
# sh sip-ua status
# show sip-ua register status
Example
> enable
# config t
(config)# sip-ua
(config-sip-ua)# registrar ?
WORD  Registrar Server address
(config-sip-ua)# registrar ipv4:192.168.1.1 tcp
(config-sip-ua)# registrar ipv4:192.168.1.2 tcp secondary
(config-sip-ua)# sip-server ?
WORD  Specify the Server address
(config-sip-ua)# sip-server ipv4:192.168.1.3
(config-sip-ua)# no ?
aaa                  sip-ua AAA related configuration
authentication       Digest Authentication Configuration
calling-info         Specify treatment of calling information
disable-early-media  Disable early-media cut through
max-forwards         Change number of max-forwards for SIP Methods
mwi-server           Configure a mwi Server
nat                  Enable NAT(Network Address Traversal) settings for the SIP User Agent
notify               SIP Signaling Notify Configuration
offer                Configure settings for Offers made from the Gateway
reason-header        Configure settings for supporting SIP Reason Header
redirection          Enable call redirection (3xx) handling
registrar            Configure SIP registrar VoIP Interface
remote-party-id      Enable Remote-Party-ID support in SIP User Agent
retry                Change default retries for each SIP Method
set                  Sets the PSTN cause to SIP status code (and vice versa) and sets the PSTN cause to SIP requests
sip-server           Configure a SIP Server Interface
srv                  DNS SRV Query Type
suspend-resume       Enable support for ISDN SUSPEND/RESUME
timers               SIP Signaling Timers Configuration
transport            Enable SIP UA transport for TCP/UDP
(config-sip-ua)# no tr ?
tcp  Disable SIP User Agent in TCP Mode
udp  Disable SIP User Agent in UDP Mode
(config-sip-ua)# no transport udp
(config-sip-ua)# max-forwards ?
<1-70>  Number of max-forwards
(config-sip-ua)# max-forwards 15
(config-sip-ua)# exit
(config)# exit
# sh sip-ua status
SIP User Agent Status
SIP User Agent for UDP : DISABLED
SIP User Agent for TCP : ENABLED
SIP User Agent bind status(signaling): DISABLED
SIP User Agent bind status(media): DISABLED
SIP early-media for 180 responses with SDP: ENABLED
SIP max-forwards : 15
SIP DNS SRV version: 2 (rfc 2782)
NAT Settings for the SIP-UA
Role in SDP: NONE
Check media source packets: DISABLED
Maximum duration for a telephone-event in NOTIFYs: 2000 ms
SIP support for ISDN SUSPEND/RESUME: ENABLED
Redirection (3xx) message handling: ENABLED
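The transport-switch rule and the max-forwards setting above are the two SIP signalling controls the gateway applies to every request it sends or relays. The Python below is an added example, not the page's or Cisco's code, that implements both: it chooses UDP or TCP for a request from the dial peer's configured transport and the RFC 3261 rule (within 200 bytes of the MTU, or over 1300 bytes when the MTU is unknown, use TCP), and it handles Max-Forwards per hop, decrementing it, inserting the default of 70 when the header is absent, and refusing with 483 Too Many Hops once it is exhausted. The INVITE is constructed, and the MTU of 1500 is an assumption.

```python
"""SIP transport selection and Max-Forwards handling, as configured on the
gateway above with session transport, transport switch and max-forwards."""
import re
from typing import Optional, Tuple

# Constructed SIP INVITE; not captured from the page's gateway.  Max-Forwards
# is 15 to match the sip-ua configuration above.
SAMPLE_INVITE = (
    "INVITE sip:2001@192.168.1.3 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 15\r\n"
    "From: <sip:1001@192.168.1.10>;tag=1928301774\r\n"
    "To: <sip:2001@192.168.1.3>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.10>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

_MAX_FORWARDS = re.compile(r"^Max-Forwards:[ \t]*(\d+)", re.IGNORECASE | re.MULTILINE)


def choose_transport(msg: str, mtu: Optional[int] = 1500, configured: str = "udp",
                     switch: bool = True) -> str:
    """Pick the transport for one request.

    'session transport tcp' pins the dial peer to TCP.  With UDP configured and
    'voice-class sip transport switch udp tcp' enabled, a request within 200
    bytes of the path MTU (or over 1300 bytes when the MTU is unknown) is sent
    over TCP instead: the RFC 3261 section 18.1.1 rule that avoids fragmenting
    large UDP datagrams.
    """
    if configured == "tcp" or not switch:
        return configured
    limit = mtu - 200 if mtu else 1300
    return "tcp" if len(msg.encode()) > limit else "udp"


def forward(msg: str, default_max_forwards: int = 70) -> Tuple[Optional[str], Optional[str]]:
    """One proxy hop: decrement Max-Forwards, or refuse with 483 when exhausted.

    Returns (forwarded message, None) or (None, status line).  A request with
    no Max-Forwards header gets the RFC 3261 default of 70 inserted.
    """
    m = _MAX_FORWARDS.search(msg)
    remaining = int(m.group(1)) if m else default_max_forwards
    if remaining <= 0:
        return None, "483 Too Many Hops"
    if m:
        out = msg[:m.start(1)] + str(remaining - 1) + msg[m.end(1):]
    else:
        start_line, _, rest = msg.partition("\r\n")
        out = f"{start_line}\r\nMax-Forwards: {remaining - 1}\r\n{rest}"
    return out, None


def trace_hops(msg: str, hops: int) -> Tuple[int, Optional[str]]:
    """Push a request through `hops` forwarding elements; report how many
    forwarded it and the status with which one of them rejected it, if any."""
    forwarded = 0
    for _ in range(hops):
        msg, err = forward(msg)
        if err:
            return forwarded, err
        forwarded += 1
    return forwarded, None


if __name__ == "__main__":
    print(choose_transport(SAMPLE_INVITE), trace_hops(SAMPLE_INVITE, 20))
```

With max-forwards 15 the sample INVITE is forwarded by fifteen elements and refused by the sixteenth, which is the loop-containment effect of lowering the value from the default of 70.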
Allow hairpinned (IP-to-IP) calls for all dial peers with redirect ip2ip.
Bind SIP signalling to the address of the local loopback interface.
Define that the gateway acts as a SIP registrar server.
The redirect ip2ip, bind and registrar server commands are entered under voice service voip
and its sip submode, not under sip-ua.
Commands
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# redirect ip2ip
(conf-voi-serv)# sip
(conf-serv-sip)# bind control source-interface loopback10
(conf-serv-sip)# registrar server expires max 1000 min 500
(conf-serv-sip)# exit
(conf-voi-serv)# exit
(config)# exit
# sh sip-ua status
Example
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# redirect ip2ip
(conf-voi-serv)# sip
(conf-serv-sip)# bind control source-interface loopback10
(conf-serv-sip)# registrar server expires max 1000 min 500
(conf-serv-sip)# exit
(conf-voi-serv)# exit
(config)# exit
# sh sip-ua status
Define CP tone.
Define timeouts for wait-release and call-disconnect.
Define supervisory disconnect.
Commands
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# timeouts wait-release 10
(config-voiceport)# timeouts call-disconnect 10
(config-voiceport)# cptone us
(config-voiceport)# supervisory disconnect dualtone mid-call
Example
> enable
# config t
(config)# voice-port 1/0/0
Router(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal     Enable FXS battery-reversal generation
bearer-cap           Specify the bear capability
busyout              Configure busyout trigger event & procedure
caller-id            Configure port caller id parameters
comfort-noise        Use fill-silence option
connection           Specify Trunking Parameters
cptone               Configure voice call progress tone locale
default              Set a command to its defaults
description          Description of what this port is connected to
disc_pi_off          close voice path when disconnect with PI received
disconnect-ack       FXS sending disconnect acknowledge
echo-cancel          Echo-cancellation option
exit                 Exit from voice-port configuration mode
impedance            Specifies the terminating impedance of the interface
input                Configure input gain for voice
music-threshold      Threshold for Music on Hold
mwi                  Enable MWI on this port
no                   Negate a command or set its defaults
non-linear           Use non-linear processing during echo cancellation
output               Configure output attenuation for voice
playout-delay        Configure voice playout delay buffer
ren                  Ringer Equivalence Number
ring                 Ring frequency Parameters
shutdown             Take voice-port offline
signal               The signaling type for the interface FXS or FXO
snmp                 Modify SNMP voice port parameters
station-id           Configure station ID
supervisory          Configure supervisory disconnect lcfo
threshold            Threshold [noise] for voice port
timeouts             Configure voice timeout parameters
timing               Configure voice timing parameters
translate            Translation rule
translation-profile  Translation profile
trunk-group          Configure interface to be in a trunk group
voice-class          Set voiceport voice class control parameters
(config-voiceport)# timeouts ?
call-disconnect  Call Disconnect Timeout after Destination Hangs Up in seconds
hookflash-in     Define hookflash-in delay in milliseconds
initial          Initial Timeout duration in seconds
interdigit       Interdigit Timeout duration in seconds
power-denial     Duration for which power-denial is applied
ringing          Ringing no answer timeout duration in seconds
wait-release     Wait release timeout duration in seconds
(config-voiceport)# timeout w ?
<1-3600>  seconds
infinity  infinite timeout
(config-voiceport)# timeouts wait-release 10
(config-voiceport)# timeout call ?
<0-120>   seconds
infinity  infinite timeout
(config-voiceport)# timeouts call-disconnect 10
(config-voiceport)# cp ?
locale  2 letter ISO-3166 country code
AR  Argentina         IS  Iceland           PE  Peru
AU  Australia         IN  India             PH  Philippines
AT  Austria           ID  Indonesia         PL  Poland
BE  Belgium           IE  Ireland           PT  Portugal
BR  Brazil            IL  Israel            RU  Russian Federation
CA  Canada            IT  Italy             SA  Saudi Arabia
CN  China             JP  Japan             SG  Singapore
CO  Colombia          JO  Jordan            SK  Slovakia
C1  Custom1           KE  Kenya             SI  Slovenia
C2  Custom2           KR  Korea Republic    ZA  South Africa
CY  Cyprus            LB  Lebanon           ES  Spain
CZ  Czech Republic    LU  Luxembourg        SE  Sweden
DK  Denmark           MY  Malaysia          CH  Switzerland
EG  Egypt             MX  Mexico            TW  Taiwan
FI  Finland           NP  Nepal             TH  Thailand
FR  France            NL  Netherlands       TR  Turkey
DE  Germany           NZ  New Zealand       GB  United Kingdom
GH  Ghana             NG  Nigeria           US  United States
GR  Greece            NO  Norway            VE  Venezuela
HK  Hong Kong         PK  Pakistan          ZW  Zimbabwe
HU  Hungary           PA  Panama
(config-voiceport)# cptone us
(config-voiceport)# su ?
disconnect  Configure supervisory disconnect lcfo
(config-voiceport)# supervisory disconnect dualtone mid-call
Commands
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# supervisory disconnect dualtone pre-connect voice-class 5
(config-voiceport)# exit
(config)# voice class dualtone 5
(cfg-dual-detect)# freq-max-power 20
(cfg-dual-detect)# freq-min-power 10
(cfg-dual-detect)# cadence-variation 10
(cfg-dual-detect)# freq-max-deviation 10
(cfg-dual-detect)# freq-max-delay 10
Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# supervisory disconnect dualtone pre-connect voice-class 5
(config-voiceport)# exit
(config)# voice class dualtone 5
(cfg-dual-detect)# ?
VOICECLASS configuration commands:
cadence-variation   Cadence variation allowed
exit                Exit from voice class configuration mode
freq-max-delay
freq-max-deviation
freq-max-power
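As an added example (not part of the NetworkSims page and not a Cisco tool), the following Python audit reads voice-port stanzas out of a running-config and flags three things the commands above make possible: a timeout set to infinity, which never expires; `no supervisory disconnect`, which turns far-end hangup detection off; and a `supervisory disconnect dualtone ... voice-class N` rule that points at a `voice class dualtone N` which is never defined, so it has no tone profile to match against. The sample config, port numbers and class tags are constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
# 1/0/0 carries the commands from the example above; 1/0/1 and 1/0/2 are
# deliberately misconfigured so the audit has something to report.
SAMPLE_CONFIG = """\
voice-port 1/0/0
 supervisory disconnect dualtone pre-connect voice-class 5
 timeouts call-disconnect 10
 timeouts wait-release 10
 cptone US
!
voice-port 1/0/1
 no supervisory disconnect
 timeouts call-disconnect infinity
 cptone US
!
voice-port 1/0/2
 supervisory disconnect dualtone mid-call voice-class 7
 cptone US
!
voice class dualtone 5
 freq-max-power 20
 freq-min-power 10
!
"""


def split_stanzas(config: str) -> dict[str, list[str]]:
    """Return {'voice-port 1/0/0': [sub-commands], 'voice class dualtone 5': [...]}.

    IOS indents sub-commands by one space; '!' or an unindented line ends a stanza.
    """
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith(("voice-port ", "voice class ")):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
    return stanzas


def audit_voice_ports(config: str) -> list[str]:
    """Return one finding string per problem; an empty list means nothing was flagged."""
    stanzas = split_stanzas(config)
    dualtone_classes = {
        name.split()[-1] for name in stanzas if name.startswith("voice class dualtone ")
    }
    findings = []
    for name, cmds in stanzas.items():
        if not name.startswith("voice-port "):
            continue
        port = name.split()[1]
        for cmd in cmds:
            m = re.fullmatch(r"timeouts (\S+) infinity", cmd)
            if m:
                findings.append(f"{port}: timeouts {m.group(1)} infinity never expires")
            if cmd == "no supervisory disconnect":
                findings.append(f"{port}: disconnect supervision disabled")
            m = re.fullmatch(
                r"supervisory disconnect dualtone (?:mid-call|pre-connect) voice-class (\d+)", cmd
            )
            if m and m.group(1) not in dualtone_classes:
                findings.append(f"{port}: dualtone voice-class {m.group(1)} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_voice_ports(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file; the stanza splitter only relies on IOS's one-space indentation, so other sections of the config are ignored.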
Commands
> enable
# config t
(config)# controller t1
(config-controller)# framing esf
(config-controller)# linecode b8zs
(config-controller)# pri-group timeslots 1-10
(config-controller)# no shutdown
(config-controller)# clock source line
(config-controller)# ds0-group 1 t 1-4 type e&m-fgd
(config-controller)# ds0-group 2 t 5-24 type fgd-eana
Note: a timeslot can belong to only one pri-group or ds0-group, and on a T1 the pri-group also reserves timeslot 24 for the D channel. The ds0-group ranges above therefore overlap the pri-group (timeslots 1-10 and 24) and IOS will not accept them as written; use disjoint ranges, for example ds0-group 1 timeslots 11-14 and ds0-group 2 timeslots 15-23.
Example
> enable
# config t
(config)# controller t1
(config-controller)# ?
Controller configuration commands:
cablelength    Specify the cable length for a DS1 link
channel-group  Specify the timeslots to channel-group mapping for an interface
clock          Specify the clock source for a DS1 link
default        Set a command to its defaults
description    Controller specific description
ds0-group      DS0 time slots that make up a logical voice port
exit           Exit from controller configuration mode
framing        Specify the type of Framing on a DS1 link
help           Description of the interactive help system
linecode       Specify the line encoding method for a DS1 link
loopback       Put the entire T1 line into loopback
no             Negate a command or set its defaults
pri-group      Configure the specified timeslots for PRI
shutdown       Shut down a DS1 link (send Blue Alarm)
(config-controller)# framing ?
esf  Extended Superframe
sf   Superframe
(config-controller)# framing esf
(config-controller)# linecode ?
ami   AMI encoding
b8zs  B8ZS encoding
(config-controller)# linecode b8zs
(config-controller)# pri-group timeslots 1-10
(config-controller)# no shutdown
(config-controller)# clock source line
(config-controller)# ds0-group ?
<1-11>  ds0-group-number
(config-controller)# ds0-group 1 ?
timeslots  number of timeslots
(config-controller)# ds0-group 1 t ?
<1-24>  timeslot-list
(config-controller)# ds0-group 1 t 1-4 type ?
e&m-delay-dial
e&m-fgd
e&m-immediate-start
e&m-wink-start
ext-sig
fgd-eana
fxo-ground-start
fxo-loop-start
fxs-ground-start
fxs-loop-start
(config-controller)# ds0-group 1 t 1-4 type e&m-fgd
(config-controller)# ds0-group 2 t 5-24 type fgd-eana
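As an added example (not from the NetworkSims page and not a Cisco tool), the following Python check validates the timeslot layout of a T1 controller stanza before it is pushed to a gateway: it expands IOS timeslot lists, treats timeslot 24 as taken by the D channel whenever a pri-group is present on a T1, reports any timeslot claimed by more than one group or outside 1-24, and checks each ds0-group `type` against the list shown in the `?` output above. The sample stanza is the controller example from this page with an assumed slot/port of 1/0 and `t` expanded to `timeslots`; run against it, the check reports exactly the overlaps described in the note above.

```python
import re
from collections import defaultdict
from typing import Optional

T1_TIMESLOTS = range(1, 25)   # a T1 carries 24 DS0 timeslots
T1_PRI_D_CHANNEL = 24         # T1 PRI signalling (the D channel) always occupies timeslot 24

# Signalling types taken from the 'ds0-group ... type ?' help output above.
DS0_GROUP_TYPES = {
    "e&m-delay-dial", "e&m-fgd", "e&m-immediate-start", "e&m-wink-start",
    "ext-sig", "fgd-eana", "fxo-ground-start", "fxo-loop-start",
    "fxs-ground-start", "fxs-loop-start",
}

# Constructed input (not captured from a device): the controller commands from the
# example above as they would appear in a running-config. Slot/port 1/0 is assumed.
SAMPLE_CONTROLLER = """\
controller T1 1/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-10
 clock source line
 ds0-group 1 timeslots 1-4 type e&m-fgd
 ds0-group 2 timeslots 5-24 type fgd-eana
!
"""


def expand_timeslots(spec: str) -> set[int]:
    """Expand an IOS timeslot list such as '1-4,7,9-12' into a set of integers."""
    slots: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            slots.update(range(lo, hi + 1))
        else:
            slots.add(int(part))
    return slots


def parse_groups(config: str) -> dict[str, tuple[set[int], Optional[str]]]:
    """Map each pri-group / ds0-group to (timeslots it owns, signalling type or None)."""
    groups: dict[str, tuple[set[int], Optional[str]]] = {}
    for line in config.splitlines():
        line = line.strip()
        # 't' is accepted as the abbreviation of 'timeslots', as typed in the example above
        m = re.match(r"pri-group t(?:imeslots)? (\S+)", line)
        if m:
            groups["pri-group"] = (expand_timeslots(m.group(1)) | {T1_PRI_D_CHANNEL}, None)
            continue
        m = re.match(r"ds0-group (\d+) t(?:imeslots)? (\S+) type (\S+)", line)
        if m:
            groups[f"ds0-group {m.group(1)}"] = (expand_timeslots(m.group(2)), m.group(3))
    return groups


def check_controller(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings = []
    owners = defaultdict(list)
    for name, (slots, sig_type) in parse_groups(config).items():
        out_of_range = sorted(s for s in slots if s not in T1_TIMESLOTS)
        if out_of_range:
            findings.append(f"{name}: timeslots {out_of_range} are outside 1-24")
        if sig_type is not None and sig_type not in DS0_GROUP_TYPES:
            findings.append(f"{name}: unknown signalling type '{sig_type}'")
        for s in slots:
            owners[s].append(name)
    for slot in sorted(owners):
        if len(owners[slot]) > 1:
            findings.append(f"timeslot {slot} claimed by {' and '.join(owners[slot])}")
    return findings


if __name__ == "__main__":
    for finding in check_controller(SAMPLE_CONTROLLER):
        print(finding)
```

The D-channel reservation is the part people miss: `pri-group timeslots 1-10` looks like it leaves 11-24 free, but on a T1 the PRI still owns timeslot 24, so a ds0-group that runs up to 24 collides with it even when the B channels do not overlap.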
Circuits
The most up-to-date version of this test is at:
http://networksims.com/ga05.html