CCIE Security Exam Quick Reference Sheets

Table of Contents

Copyright  1
About the Author  3
About the Technical Reviewer  3
Foreword  4

Chapter 1. General Networking  5
  Networking Basics  5
  IP Overview  7
  TCP  8
  Hot Standby Router Protocol  10
  Routing Protocols  11
  Border Gateway Protocol  15
  IP Multicast Overview  16
  Questions  16

Chapter 2. Security Protocols  18
  RADIUS  18
  TACACS+  19
  Message Digest 5, Secure Hash Algorithm, and Hash Message Authentication Codes  20
  Data Encryption Standard (and Triple Data Encryption Standard)  22
  IP Security  25
  Authentication Header and Encapsulating Security Payload Protocols  26
  Tunnel and Transport Modes  27
  Secure Shell  27
  PPTP  28
  L2TP  29
  GRE  30
  Secure Sockets Layer  31
  Questions  32

Chapter 3. Application Protocols  33
  HTTP  33
  Simple Mail Transfer Protocol  33
  FTP  34
  Domain Name System  35
  TFTP  36
  Network Time Protocol  36
  Lightweight Directory Access Protocol  37
  Syslog  37
  Questions  38

Chapter 4. Security Technologies  40
  Authentication Technologies  40
  Authorization Technologies  40
  Authentication Proxy  41
  Packet Filtering  41
  Content Filtering  41
  URL Filtering  42
  Public Key Infrastructure  42
  IPsec VPN  43
  Secure Sockets Layer Virtual Private Networks  44
  Intrusion Detection and Prevention Systems  45
  Cisco Security Agent  45
  Event Correlation  45
  Adaptive Threat Defense  46
  Network Admission Control  47
  802.1x Authentication  48
  Endpoint Security  49
  Network Address Translation  50
  Questions  51

Chapter 5. Cisco Security Appliances and Applications  52
  Cisco Secure PIX Firewall and Cisco Adaptive Security Appliance Firewall  52
  Cisco VPN 3000 Concentrators  53
  Cisco Easy VPN Software and Hardware Clients  53
  Cisco IOS Firewall  54
  Cisco IOS Intrusion Prevention System  55
  Cisco IOS IPsec VPN  56
  Cisco IOS Trust and Identity  58
  Cisco Traffic Anomaly Detector and Cisco Guard Distributed DoS Mitigation Appliance  60
  Catalyst 6500 Firewall Services Module  61
  Cisco Catalyst 6500 Intrusion Detection Services Module  62
  Questions  63

Chapter 6. Cisco Security Management  65
  Cisco Adaptive Security Device Manager  65
  Cisco Security Device Manager  65
  Cisco Security Manager  66
  Questions  67

Chapter 7. Cisco Security General  70
  Cisco Hardware Overview  70
  Cisco Router Operating Modes and Management  71
  Basic Cisco Router Security  72
  IP Access Lists  73
  Cisco NetFlow  73
  CAM Table Overflow and MAC Address Spoofing  74
  VLAN Hopping  75
  Spanning Tree Protocol Security  75
  DHCP Starvation Attack  75
  Cisco Discovery Protocol  76
  VLAN Trunking Protocol Security  76
  IEEE 802.1x Extensible Authentication Protocol Security  76
  Questions  77

Chapter 8. Security Solutions  78
  Viruses, Trojans, Worms, and Spyware  78
  Denial-of-Service Attacks  79
  Network Attack Mitigation  80
  Theft of Information and Its Prevention  82
  Questions  84

Chapter 9. Security General  87
  Need for Network Security Policy  87
  Standards Bodies  87
  Newsgroups  87
  Information Security Standards  87
  Attacks, Vulnerabilities, and Common Exploits  88
  BCP 38  90
  Intrusion Detection Systems and Configuring Cisco IOS Software for Security Against Intrusion  90
  Security Audit and Validation  91
  Risk Assessment/Analysis  92
  Change Management Process  92
  Incident Response Teams and Framework  92
  Computer Security Forensics  93
  Common RFCs  93
  Questions  93

Answers  95
  Chapter 1  95
  Chapter 2  95
  Chapter 3  95
  Chapter 4  95
  Chapter 5  96
  Chapter 6  96
  Chapter 7  96
  Chapter 8  97
  Chapter 9  97
CCIE Security Exam Quick Reference Sheets
Lancy Lobo
Umesh Lakshman
ciscopress.com

CHAPTER 1  General Networking  4
CHAPTER 2  Security Protocols  17
CHAPTER 3  Application Protocols  32
CHAPTER 4  Security Technologies  39
CHAPTER 5  Cisco Security Appliances and Applications  51
CHAPTER 6  Cisco Security Management  64
CHAPTER 7  Cisco Security General  69
CHAPTER 8  Security Solutions  77
CHAPTER 9  Security General  86
Appendix  Answers  94
CCIE Security Exam Quick Reference Sheets
Lancy Lobo and Umesh Lakshman
Copyright © 2007 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

First Digital Edition May 2007
ISBN-10: 1-58705-334-9
ISBN-13: 978-1-58705-334-4
Copyright Safari Books Online #921789

Warning and Disclaimer
This Short Cut is designed to provide information about networking. Every effort has been made to make this Short Cut as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this Short Cut or from the use of the discs or programs that may accompany it. The opinions expressed in this Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this Short Cut should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Cisco Press, our goal is to create Short Cuts of the highest quality and value. Each Short Cut is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this Short Cut, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the Short Cut title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales
Cisco Press offers excellent discounts on this Short Cut when ordered in quantity for bulk purchases or special sales. For more information please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact: International Sales, international@pearsoned.com.
About the Authors

Lancy Lobo, CCIE No. 4690 (Routing and Switching, Service Provider, Security), is a network consulting engineer in Cisco Systems Advanced Engineering Services, supporting the Cisco strategic service provider and enterprise customers. He has more than 11 years of experience with data communication technologies and protocols. He has supported the Cisco strategic service provider customers to design and implement large-scale routed networks. He holds a bachelor's degree in electronics and telecommunication engineering from Bombay University, as well as a management degree from Jones International University. He is currently pursuing a Ph.D. in organizational management at Capella University.

Umesh Lakshman is a systems engineer with the Customer Proof of Concept Labs (CPOC) team at Cisco, where he supports Cisco sales teams by demonstrating advanced technologies, such as MPLS and high-end routing with the Cisco CRS-1 and Cisco 12000 series, to customers in a pre-sales environment. Umesh has conducted several customer training sessions for MPLS and MPLS VPNs. He holds CCNA, CCNP, and CCIP certifications and is working toward achieving his CCIE certification. Umesh has a bachelor's degree in electrical and electronics engineering from Madras University and a master's degree in electrical and computer engineering from Wichita State University.

About the Technical Reviewer

Greg Abelar has been an employee of Cisco since December 1996. He was an original member of the Cisco Technical Assistance Security Team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering Teams at Cisco. Greg is the primary founder and project manager of the Cisco written CCIE Security exam. Before his employment at Cisco, Greg worked at Apple Computer, Inc., for eight years as a TCP/IP, IPX, and AppleTalk cross-platform escalation engineer. At Apple, he also served as a project leader in technical platform deployment for the Apple worldwide network. From 1991 to 1996, Greg worked as both a systems programmer and an IT manager for Plantronics, Inc. From 1985 to 1991, Greg was employed by the County Bank of Santa Cruz, working as an applications programmer.

Greg is the author of Securing Your Business with Cisco ASA and PIX Firewalls, as well as Security Threat Mitigation and Response. He was also a coauthor of version two of the premier Internet security white paper "SAFE: A Security Blueprint for Enterprise and Networks." Greg lives with his wife, Ellen, and three children, Jesse, Ethan, and Ryan, in Aptos, California.

© 2007 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 97 for more details.
Foreword

The CCIE Security written exam was the result of the foresight and perseverance of several Cisco TAC engineers working out of an office near Santa Cruz, California. Initially, the CCIE Security test was seen as unnecessary because security was not viewed as a core technology of the Internet. However, as a result of the vision of some strong managers within the Cisco Customer Advocacy group and some highly damaging security attacks, this mindset has changed. The CCIE Security exam is now viewed as a "must have" core credential by many Cisco customers. I've been fortunate enough to have been not only involved in the initial creation of the CCIE Security test, but to also have participated in all three versions of the test since then.

I was proud to have had a foreword written in my first book by one of the security industry's pioneering engineers, Dr. Martin Hellman. When Martin accepted the invitation to write the foreword for my book, he expressed appreciation for the simple fact that I was spending time to make people aware that security is a critical issue. This Short Cut not only carries on that spirit of raising awareness, it cuts right through to the core knowledge that people will need, in conjunction with their security experience, to study and pass this third version of the CCIE Security written exam. Armed with the information contained here and the credentials achieved with the help of this Short Cut, individuals will have the knowledge they need to address the security concerns of most enterprises and small-to-medium businesses.

My hat is off to Cisco Press for recognizing the need for this work and to Umesh Lakshman and Lancy Lobo, the authors who put in so much time and effort to bring this Short Cut to market.

—Greg Abelar
Security Author/Security Technical Marketing Engineer
Cisco
April 2007
CHAPTER 1
General Networking

Networking Basics

The International Organization for Standardization (ISO) developed the Open Systems Interconnection (OSI) model to delineate the various functions performed by devices in the network as well as by applications. The OSI model consists of seven layers. Figure 1-1 outlines the OSI model and the functions of each layer.

Connection-oriented protocols provide guaranteed delivery of datagrams between devices in a network. Connectionless protocols provide best-effort service during the transmission of datagrams between network devices.

Peer-to-peer connectivity in a network involves each layer in the OSI stack on a single peer interacting with the layers directly above and below it in the same peer and with the same layer in the adjoining peer. For example, when Host A communicates with Host B, the transport layer in Host A interacts with the session and network layers in Host A and with the transport layer in Host B. Each layer adds a header before handing the data to the adjoining lower layer. The exception is the data link layer, which adds both a header and a trailer (the cyclic redundancy check [CRC]) before the frame is processed by the physical layer.

FIGURE 1-1 The OSI model

Application Layer
• Interface to the end user on the OSI stack
• Examples: Telnet, FTP, SMTP

Presentation Layer
• Ensures that information transmitted by the application layer of one system can be interpreted by the application layer of another
• Defines the coding and conversion algorithms applied to data from the application layer
• Examples: ASCII, JPEG, TIFF, MP3

Session Layer
• Manages session establishment, upkeep, and teardown between devices
• Examples: H.323, RTCP

Transport Layer
• Responsible for segmentation of information received from higher layers prior to network layer handoff
• Also provides reliable data transport for some protocols
• Fundamental entity is called a Layer 4 segment or datagram
• Examples: TCP, UDP, RTP

Network Layer
• Identifies the optimal path to a specific network destination by means of a routing decision
• Also responsible for device identification using IP addressing
• Fundamental entity is called a Layer 3 packet
• Examples: IP, IPX

Data Link Layer
• Primarily performs the functions associated with reliable transmission of data across a link
• Error notification, flow control, and frame sequencing are also performed by the data link layer
• Consists of two sublayers: logical link control (LLC), which enables communication between devices over a single link, and MAC, which provides the means for protocols to access the physical media
• Fundamental entity is called a Layer 2 frame
• Examples: ISDN, PPP, HDLC, SDLC, Ethernet and its variants, Frame Relay

Physical Layer
• Consists of standards that define hardware specifications such as cables, connectors, NICs, electrical and mechanical specifications, bit ordering, encoding, signaling, and transmission rates
• Examples: RS-232, V.35, T1, E1, 10BASE-T, 100BASE-TX, POTS, SONET, DSL, 802.11x, RJ-45
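The encapsulation described above, shown as an added example that is not part of the Short Cut: a payload is handed down through UDP (Layer 4), IPv4 (Layer 3) and Ethernet II (Layer 2), each layer prepending its header, and only the data link layer also appending a trailer, the CRC-32 frame check sequence. The receiving side reverses the process and checks both the FCS and the IPv4 header checksum. The MAC addresses, IP addresses, ports and payload are constructed sample values, and UDP was chosen as the transport only to keep the header short.

```python
import struct
import zlib

# Constructed sample values (locally administered MACs, RFC 5737 test addresses).
SAMPLE_SRC_MAC = "02:00:00:00:00:0a"
SAMPLE_DST_MAC = "02:00:00:00:00:0b"
SAMPLE_SRC_IP = "192.0.2.10"
SAMPLE_DST_IP = "192.0.2.20"
SAMPLE_PAYLOAD = b"hello from the application layer"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_segment(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: prepend a UDP header (checksum 0 is permitted for UDP over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def network_packet(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: prepend an IPv4 header; its checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, IPPROTO_UDP, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + segment


def link_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Layer 2: Ethernet II header in front and a CRC-32 FCS trailer behind."""
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet
    body += b"\x00" * max(0, 60 - len(body))  # pad so header+payload+FCS >= 64 bytes
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Run the payload down the stack: application -> transport -> network -> link."""
    segment = transport_segment(payload, src_port=40000, dst_port=514)
    packet = network_packet(segment, SAMPLE_SRC_IP, SAMPLE_DST_IP)
    return link_frame(packet, SAMPLE_SRC_MAC, SAMPLE_DST_MAC)


def parse_frame(frame: bytes) -> dict:
    """Run the frame back up the stack, checking the L2 trailer and the L3 checksum."""
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs
    ethertype = struct.unpack("!H", body[12:14])[0]
    ip_header = body[14:34]
    ip_total_len = struct.unpack("!H", ip_header[2:4])[0]
    ip_ok = internet_checksum(ip_header) == 0  # a valid header sums to zero
    udp = body[34:14 + ip_total_len]           # strip any Ethernet padding
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "fcs_ok": fcs_ok,
        "ethertype": ethertype,
        "ip_checksum_ok": ip_ok,
        "src_ip": ".".join(str(b) for b in ip_header[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_header[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = build_frame()
    print(len(frame), "bytes on the wire:", parse_frame(frame))
```

The FCS only detects corruption on the link; it is not an integrity control against an attacker, who simply recomputes it. Note also that a short payload is padded at Layer 2 (the 64-byte minimum), which is why the receiver has to trust the IPv4 total length rather than the frame length when slicing out the segment.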
Ethernet in a nutshell

• Ethernet uses carrier sense multiple access with collision detection (CSMA/CD) to detect collisions within a shared (half-duplex) collision domain. Devices operating in full-duplex mode do not implement CSMA/CD.
• CSMA/CD enables a device to transmit when no other device on the shared segment is transmitting. In the event of contention, the contending devices run a backoff algorithm and wait a random period of time before trying to access the network again.
• For more information about Ethernet specifications and limitations, refer to the Cisco Ethernet overview located at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm#wp1020792.

Bridging and switching

• Forwarding frames from one interface to another is called switching or bridging; the forwarding decision is based on the destination MAC address.
• Spanning Tree Protocol (STP) is used to ensure a loop-free topology between switches in a Layer 2 domain. During spanning-tree operation (which runs on all Cisco switches), a root bridge is elected based on bridge priority (lower priority preferred; range 0–65,535, default 32,768). When multiple bridges contend for the root with the same priority, the bridge with the lowest MAC address wins.
• MAC addresses of end stations are stored in the content addressable memory (CAM) table on the switches. When a switch receives a frame, the frame's source address is learned into the CAM table against the ingress port. Frames whose destination is not found in the CAM table are flooded out all other ports in the VLAN. Because the CAM table is finite, an attacker who floods it with bogus source addresses can force the switch to flood unicast traffic to every port in the VLAN; port security limits the number of addresses learned on a port.
• A VLAN is a group of devices (that can span across switches) that function as if they were on a single broadcast domain. By default, VLAN 1 is used for management purposes on all switches and is the native VLAN.
• Bridges communicate using frames called bridge protocol data units (BPDU). BPDUs are sent out all ports that are not in a blocking state. A root bridge has all of its ports in the forwarding state. To ensure a loop-free topology, nonroot bridges block any paths to the root that are not required. BPDUs use the destination MAC address 01-80-C2-00-00-00 in Ethernet environments.

Bridge port states

• Disabled: The port does not participate in spanning tree.
• Blocking: Spanning tree has placed this port in the blocking state to avoid a loop; it receives BPDUs but neither learns addresses nor forwards frames.
• Listening: The port sends and receives BPDUs but does not learn addresses or forward frames.
• Learning: The port does not forward frames, but the source addresses of the end stations attached to the port are added to the CAM table.
• Forwarding: The port forwards and receives frames on the interface.
• PortFast: Enables end stations to have immediate connectivity to the switching domain without making the port go through the listening and learning states. PortFast belongs on edge ports only; pair it with BPDU Guard so that a switch (or a host sending BPDUs) plugged into such a port cannot influence the topology.

EtherChannel and trunking

• Bundling Ethernet, Fast Ethernet, or Gigabit Ethernet ports together into a single logical link is called EtherChannel; all member ports are in the forwarding state. The ports need to be in the same VLAN (or carry the same trunk configuration) and have the same speed and duplex.
• The maximum number of physical ports that can be bundled into an EtherChannel is eight.
• The channel-group command is used in IOS to configure EtherChannels.
• A trunk is a physical or logical connection between two switches that carries more than one VLAN.
• Inter-Switch Link (ISL) is a Cisco-proprietary encapsulation that tags frames with their VLAN as they cross a trunk. 802.1Q is the IEEE standard for trunking. Because 802.1Q sends native-VLAN frames untagged, leave the native VLAN unused on trunks (or tag it) so that double-tagged frames cannot hop VLANs.
• For more information about EtherChannel load balancing, refer to http://www.cisco.com/warp/public/473/4.html.

IP Overview

• IP is a network layer protocol in the Internet protocol suite and is encapsulated in a data link layer protocol. IP provides best-effort service.
• IP Version 4 is the fourth iteration of IP and the first version of the protocol to be widely deployed. It uses 32-bit (4-byte) addresses. IPv6 is the successor of IPv4; the main feature of IPv6 driving adoption today is the larger address space. Addresses in IPv6 are 128 bits long versus 32 bits in IPv4.
• The Type of Service (ToS) byte in the IP header carries the priority of the packet for upper-layer handling. Its three high-order bits, the IP Precedence field, have eight values: 000 Routine, 001 Priority, 010 Immediate, 011 Flash, 100 Flash Override, 101 Critical (VoIP, real-time applications), 110 Internetwork Control, 111 Network Control.
• The 3-bit Flags field in the IP header controls fragmentation: the high-order bit is reserved (zero), and the 2 lower-order bits are Don't Fragment (DF) and More Fragments (MF).
• The Protocol field identifies the higher-layer protocol carried in the packet (for example, 1 ICMP, 6 TCP, 17 UDP). For a complete list of protocol numbers, refer to http://www.iana.org/assignments/protocol-numbers.
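The CAM-table behaviour described under "Bridging and switching" above, as an added Python example (this is not code from the Quick Reference Sheets or from Cisco): a learning switch that keys its CAM table by VLAN, forwards known unicast out one port, floods unknown unicast and broadcast within the VLAN, and shows what happens when the table is overflowed and when a per-port address limit (a simplified model of port security in shutdown mode) is enforced. The port numbers, VLANs, MAC addresses and the tiny table capacity are constructed values chosen so the behaviour is visible in a handful of frames.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent bridge with a VLAN-scoped CAM table.

    ports_by_vlan maps a VLAN number to the ports that belong to it; the CAM
    table maps (vlan, mac) to the port the address was last seen on.
    cam_capacity and max_macs_per_port are deliberately tiny (constructed
    values) so that overflow and port-security behaviour shows up quickly.
    """

    def __init__(self, ports_by_vlan, cam_capacity=3, max_macs_per_port=None):
        self.ports_by_vlan = {v: frozenset(p) for v, p in ports_by_vlan.items()}
        self.cam = OrderedDict()            # (vlan, mac) -> port, oldest entry first
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port   # None: no port security
        self.errdisabled = set()

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, vlan, src_mac, in_port):
        """Learn src_mac on in_port. Returns False on a port-security violation."""
        key = (vlan, src_mac)
        if key in self.cam:
            self.cam[key] = in_port          # the station may have moved ports
            self.cam.move_to_end(key)
            return True
        if (self.max_macs_per_port is not None
                and self._macs_on_port(in_port) >= self.max_macs_per_port):
            # Simplified port security (shutdown mode): a port that presents
            # more addresses than allowed is err-disabled.
            self.errdisabled.add(in_port)
            return False
        if len(self.cam) >= self.cam_capacity:
            # Table full: the oldest entry is evicted. An attacker who keeps
            # the table full with bogus sources pushes the real stations out,
            # so their traffic is flooded to every port, including the attacker's.
            self.cam.popitem(last=False)
        self.cam[key] = in_port
        return True

    def forward(self, vlan, src_mac, dst_mac, in_port):
        """Return the set of ports a frame received on in_port is sent out of."""
        if in_port in self.errdisabled:
            return set()
        if in_port not in self.ports_by_vlan[vlan]:
            raise ValueError("port %d is not a member of VLAN %d" % (in_port, vlan))
        if not self.learn(vlan, src_mac, in_port):
            return set()
        out = self.cam.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None and out != in_port:
            return {out}                      # known unicast: exactly one port
        # Unknown unicast or broadcast: flood within the VLAN only,
        # never back out the port the frame arrived on.
        return set(self.ports_by_vlan[vlan] - {in_port})
```

With a capacity of three entries, two bogus source addresses from port 3 are enough to evict the legitimate stations, after which a frame from B to A is flooded to port 3 as well; with max_macs_per_port=1 the second address on port 3 err-disables that port instead.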
Figure 1-2 outlines the IP header format.

FIGURE 1-2 IP header format outline

Version | IP Header Length (IHL) | Type of Service | Total Length
Identification | Flags | Fragment Offset
TTL (Time to Live) | Protocol | Header Checksum
Source Address (32 Bits)
Destination Address (32 Bits)
Options
Data

The IP header checksum covers the header only (the data is protected, if at all, by the transport-layer checksum), and it is recomputed at every hop because the TTL changes.

Subnetting, Variable-Length Subnet Masking, and Classless Interdomain Routing

The following link outlines the fundamentals of IP addressing, subnetting (including variable-length subnet masking [VLSM]), and classless interdomain routing (CIDR): http://www.cisco.com/warp/public/701/3.html.

TCP

Figure 1-3 outlines the TCP header format.

FIGURE 1-3 TCP header format outline

Source Port: Identifies the source port for TCP services
Destination Port: Identifies the destination port for TCP services
Sequence Number: Number assigned to the first byte of data in this segment
Acknowledgment Number: Contains the sequence number of the next byte of data the sender expects to receive
Data Offset: Number of 32-bit words in the TCP header
Reserved
Flags
Window: Size in bytes of the receive buffer of the sender of this segment, that is, the number of bytes it is willing to accept
Checksum: Detects corruption; computed over the TCP header, the data, and a pseudo-header containing the IP source and destination addresses
Urgent Pointer
Options
Data

Types of flags in the TCP header:

URG (Urgent): Notification that urgent data is being transmitted; the Urgent Pointer field is valid
ACK (Acknowledge): The Acknowledgment Number field is valid; set on every segment after the initial SYN
RST (Reset): Reset the connection
PSH (Push): Notification to the receiver to pass the data to the application layer immediately upon reception
SYN (Synchronize): Initialize or establish a connection (synchronize sequence numbers)
FIN (Finished): Terminate the session because the sender has sent all pertinent data
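The two header layouts in Figures 1-2 and 1-3, as an added Python example (not code from the Quick Reference Sheets): builders and parsers for 20-byte IPv4 and TCP headers (no options) that decode the IP Precedence bits, the DF/MF flags and the TCP flags, verify both checksums (the IP one over the header only, the TCP one over the pseudo-header, header and data), and classify a segment's flags as connection setup, data, or teardown. The addresses, ports, sequence numbers and payload are constructed values.

```python
import socket
import struct

# IP Precedence values: the three high-order bits of the ToS byte
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "Critical", "Internetwork Control", "Network Control"]
# TCP flag bits in the Flags byte (low-order bit first)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02,
             "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def _ones_complement_sum(data):
    """16-bit one's-complement sum used by both the IP and the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length buffer
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~_ones_complement_sum(data)) & 0xFFFF


def _pseudo_header(src, dst, proto, length):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Build a TCP segment; src/dst IP addresses are needed for the pseudo-header."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    csum = checksum(_pseudo_header(src, dst, 6, len(header) + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def build_ipv4(src, dst, payload, proto=6, ttl=64, tos=0, ident=0, df=True):
    """Build an IPv4 packet with a 20-byte header around payload."""
    flags_frag = 0x4000 if df else 0          # DF is bit 1 of the 3-bit Flags field
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Decode the IPv4 header; raises ValueError on a malformed packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "protocol": proto, "ident": ident,
        "precedence": PRECEDENCE[tos >> 5],
        "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
        "frag_offset": (ff & 0x1FFF) * 8,     # the offset is carried in 8-byte units
        # The IP checksum covers the header only; a valid header sums to 0xFFFF.
        "checksum_ok": _ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "payload": pkt[ihl:total],
    }


def parse_tcp(segment, src, dst):
    """Decode a TCP header; src/dst are the IP addresses for the pseudo-header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, bits, window, _, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "window": window, "urgent": urg,
        "flags": [n for n, b in FLAG_BITS.items() if bits & b],
        # TCP's checksum covers the pseudo-header, the TCP header and the data.
        "checksum_ok": _ones_complement_sum(_pseudo_header(src, dst, 6, len(segment)) + segment) == 0xFFFF,
        "payload": segment[doff:],
    }


def handshake_step(flags):
    """Classify a segment by its flags: SYN, SYN+ACK, ACK/data, FIN, RST."""
    f = set(flags)
    if f == {"SYN"}:
        return "step 1: SYN"
    if f == {"SYN", "ACK"}:
        return "step 2: SYN+ACK"
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown: FIN"
    if f in ({"ACK"}, {"ACK", "PSH"}):
        return "step 3 or data: ACK"
    return "other"
```

Changing the TTL invalidates the IP header checksum but leaves the TCP checksum intact, whereas presenting the same segment with a different source address fails the TCP checksum because the address is part of the pseudo-header.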
• TCP is a connection-oriented protocol and provides reliable, in-order delivery of data by means of sequence numbers, acknowledgments, and retransmission.
• TCP connection setup and teardown between two devices A and B consists of the following steps:
  1. A sends SYN to B.
  2. B replies with SYN+ACK to A.
  3. A replies with ACK to B.
  4. Data is forwarded between the two devices.
  5. To tear down the session, A sends FIN to B.
  6. B responds with ACK and FIN to A.
  7. A responds with ACK and completes the teardown of the TCP session.

Table 1-1 provides an overview of common TCP/IP services.

TABLE 1-1 TCP services

Address Resolution Protocol (ARP): Used to resolve a device's MAC address when the IP address is known.

Reverse ARP (RARP): Used by a device during bootup to request an IP address for a specific MAC address; replaced by DHCP.

Inverse ARP: Used in Frame Relay to resolve the remote-side data-link connection identifier (DLCI) to an IP address.

Gratuitous ARP: A gratuitous ARP is sent when the MAC address of a system changes, that is, when the MAC address mapped to a given host's IP address changes for any valid reason, such as a network card replacement or a router failover. When the host or router is rebooted or replaced, the device sends a gratuitous ARP packet advising all hosts of the new MAC address. Because this is a broadcast packet, all hosts in the network receive and process it and replace the old mapping in their ARP caches with the new one, so that devices can communicate immediately. ARP carries no authentication: ARP-spoofing (cache-poisoning) attacks use exactly this mechanism, and switches counter it with features such as Dynamic ARP Inspection.

DHCP: Used to provide an IP address and host configuration to a device after bootup; it typically consists of a DHCP server that services the IP addressing and configuration requests of devices on the network. Routers, switches, firewalls, and wireless access points can also be configured as DHCP servers to service requests. DHCP can provide configuration such as the IP address, default gateway, Domain Name System (DNS) servers, Windows Internet Naming Service (WINS) servers, and so on.

Hot Standby Router Protocol (HSRP): See the following section.

FTP: Connection-oriented protocol (uses TCP). FTP maintains two concurrent connections between the two devices for a data transfer; port 20 is used for data, and port 21 is used for control. See Chapter 3, "Application Protocols," for the differences between active and passive FTP.
TFTP: Connectionless protocol (uses User Datagram Protocol [UDP]). Simpler than FTP. Best-effort service for data transfer between two devices; it has no authentication at all and is therefore considered insecure in comparison to FTP, which at least authenticates users and has a secure option.

Hot Standby Router Protocol

Hot Standby Router Protocol (HSRP) is used to provide redundancy by making two or more routers or switches share a single IP address that is used as the default gateway for the end stations connected to the segment. Routers configured to share a single virtual IP address that functions as a default gateway form an HSRP group. A router operating HSRP functions in either the active or the standby state. The router in the active state performs the packet-forwarding functions; the router in the standby state is ready to take over packet forwarding if the active router fails.

Figure 1-4 outlines the configuration flowchart for HSRP. It also outlines a basic configuration for HSRP operation.

FIGURE 1-4 HSRP configuration flowchart

Configure a standby group and virtual IP address:
  Router(config-if)#standby group-number ip virtual-ip-address
Configure HSRP priority on the interface:
  Router(config-if)#standby group-number priority priority
Configure interface tracking:
  Router(config-if)#standby group-number track interface-type interface-number [priority-decrement]
Configure HSRP preemption:
  Router(config-if)#standby group-number preempt [delay minimum seconds reload seconds sync seconds]
Configure HSRP authentication:
  Router(config-if)#standby group-number authentication [text] authentication-string
  (Clear-text authentication is visible to anyone on the segment and only guards against misconfiguration; where the platform supports it, use standby group-number authentication md5 key-string key, because any station that can send an accepted hello with a higher priority can take over the default gateway.)
Configure HSRP timers:
  Router(config-if)#standby group-number timers hello-timer-in-seconds hold-time-in-seconds
  OR
  Router(config-if)#standby group-number timers msec hello-timer-in-mseconds msec hold-time-in-mseconds

Topology: R2 (10.1.1.2, E0/0) and R3 (10.1.1.3, E0/0) form HSRP group 100 on 10.1.1.0/24; R1 and R4 are end stations on the segment.

R2 configuration:
  interface Ethernet0/0
   ip address 10.1.1.2 255.255.255.0
   ! every standby command carries the group number; omitting it configures group 0
   standby 100 ip 10.1.1.100
   standby 100 timers msec 15 msec 50
   standby 100 preempt
   standby 100 priority 150

R3 configuration:
  interface Ethernet0/0
   ip address 10.1.1.3 255.255.255.0
   standby 100 ip 10.1.1.100
   standby 100 timers msec 15 msec 50
   standby 100 preempt
   standby 100 priority 120

R1 configuration:
  ip route 0.0.0.0 0.0.0.0 10.1.1.100
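The active/standby election described in the HSRP section, as an added Python example modelled on the R2/R3 topology of Figure 1-4 (this is not code from the Quick Reference Sheets or from Cisco): it derives the group's virtual MAC, applies interface-tracking decrements, elects the active and standby routers (highest effective priority, higher IP address on a tie, takeover of an existing active only with preempt), and filters hellos by a clear-text authentication string. The hello filter is a plain string compare, which is exactly the weakness of clear-text authentication; the rogue router, its address and the sniffed string are constructed to show that.

```python
import ipaddress

HSRP_GROUP_MAC_PREFIX = "0000.0c07.ac"   # well-known HSRP version 1 virtual MAC range
DEFAULT_AUTH = "cisco"                    # IOS default clear-text authentication string


def hsrp_virtual_mac(group):
    """Virtual MAC used for the group's virtual IP: 0000.0c07.acXX, XX = group in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 group numbers are 0-255")
    return "%s%02x" % (HSRP_GROUP_MAC_PREFIX, group)


def effective_priority(router):
    """Configured priority minus the decrement of every tracked interface that is down."""
    prio = router["priority"]
    for is_up, decrement in router.get("tracks", ()):
        if not is_up:
            prio -= decrement
    return max(prio, 0)


def _rank(router):
    # Higher effective priority wins; the higher interface IP address breaks ties.
    return (effective_priority(router), int(ipaddress.ip_address(router["ip"])))


def accepted_hellos(hellos, group, auth=DEFAULT_AUTH):
    """Keep only hellos for this group whose authentication string matches.

    Models clear-text authentication: anyone who captured one hello knows the
    string, so this filter stops misconfiguration, not an attacker.
    """
    return [h for h in hellos if h["group"] == group and h.get("auth", DEFAULT_AUTH) == auth]


def elect(routers, current_active=None):
    """Return (active, standby) router names.

    routers: dicts with 'name', 'ip', 'priority', optional 'preempt' (bool) and
    'tracks' (list of (interface_up, decrement)). current_active is the name of
    the router currently holding the active role, or None if there is none.
    """
    if not routers:
        return None, None
    best = max(routers, key=_rank)
    current = next((r for r in routers if r["name"] == current_active), None)
    if current is not None and best is not current and not best.get("preempt", False):
        # A better router only takes over from a healthy active router when it
        # has preempt configured; otherwise the current active keeps the role.
        best = current
    others = [r for r in routers if r is not best]
    standby = max(others, key=_rank) if others else None
    return best["name"], standby["name"] if standby else None
```

With the figure's priorities R2 is active and R3 standby; when R2's tracked uplink fails, its priority drops to 110 and R3 (which has preempt) takes over. A rogue station on the segment with priority 255 is ignored while its authentication string is wrong and wins the election as soon as it replays the string it sniffed.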
Table 1-2 lists the default values for HSRP.

TABLE 1-2 HSRP default values

Standby group number: 0–255.
Standby MAC address: System assigned as 0000.0c07.acXX, where XX is the HSRP group number in hexadecimal.
Standby priority: Default is 100. Range is 0–255 (the higher priority is preferred as active in the HSRP group; on a tie, the router with the higher IP address wins).
Standby delay: Default is 0 delay. Both minimum and reload delays can be set in a range of 0–10,000 seconds.
Standby track interface priority decrement: Default is 10.
Standby hello time: 3 seconds (when configured with the msec option, range is 15–999 milliseconds).
Standby hold time: 10 seconds (when configured with the msec option, range is 50–3000 milliseconds).

Routing Protocols

Routing Information Protocol (and Routing Information Protocol Version 2)

• Routing Information Protocol (RIP) is a distance vector protocol.
• RIPv1 is classful, RIPv2 is classless, the metric is hop count, and the maximum hop count is 15 hops (16 means unreachable).
• In a classless routing protocol, the netmask is always propagated with the route being advertised, whereas in a classful routing protocol the netmask cannot be propagated.
• RIPv2 supports authentication of updates (plain text or MD5) and equal-cost load balancing.
• Timers on Cisco IOS are Update (30 sec), Invalid (180 sec), Holddown (180 sec), and Flush (240 sec). (RFC 2453 itself defines no holddown and garbage-collects a route 120 seconds after it times out.)
• RIPv2 uses a multicast address to send updates in the network; 224.0.0.9 is the address used to send updates (triggered and normal) to all RIP routers on the link.

Configuring RIP

Step 1. Enable the RIP routing process by using the command router rip.
Step 2. Configure the version number of the RIP process using the version command under the Routing Information Protocol routing process.
Step 3. Configure the networks to be enabled for RIP routing using the network network-number command under the RIP routing process.
Step 4. (Optional) Configure passive interfaces using the passive-interface command, so that the RIP routing process only accepts inbound RIP updates on those interfaces and sends none. (For EIGRP and OSPF, a passive interface also sends no hellos, so those processes do not discover neighbors or form an adjacency out that interface.)
Step 5. Authentication is configured under the interface configuration using the commands in Table 1-3.

TABLE 1-3 Configuring RIP authentication

ip rip authentication key-chain name-of-chain: Enables RIP authentication on the interface, in interface configuration mode
ip rip authentication mode {text | md5}: Configures the authentication mode on the interface, in interface configuration mode (text sends the key in the clear in every update, so use md5)

• In addition, key management needs to be configured by defining a key chain. You must also identify the keys that belong to the key chain and specify how long each key is valid. Each key has its own key identifier (specified with the key number command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and message digest algorithm 5 (MD5) authentication key in use. Table 1-4 identifies the commands used to configure key management.

TABLE 1-4 Configuring key management

key chain name-of-chain: Defines the name of the key chain
key number: Configures a key number
key-string text: Configures the key string that will be used for authentication
accept-lifetime start-time {infinite | end-time | duration seconds}: Defines the time period during which the key can be received
send-lifetime start-time {infinite | end-time | duration seconds}: Defines the time period during which the key can be sent

Interior Gateway Routing Protocol

• Interior Gateway Routing Protocol (IGRP) is a distance vector protocol, classful in nature.
• Uses a composite metric that factors in internetwork delay, bandwidth, reliability, and load.
• Enables unequal-cost load balancing using the variance command. By default, IGRP accepts up to four paths to the same destination.
• Timers are Update (90 sec), Invalid (270 sec = 3 x update timer), Holddown (280 sec = 3 x update timer + 10 sec), and Flush (630 sec = 7 x update timer).
• IGRP metric = [K1 * Bandwidth + (K2 * Bandwidth) / (256 – Load) + K3 * Delay] * [K5 / (Reliability + K4)], where the default constant values are K1 = K3 = 1 and K2 = K4 = K5 = 0. When K5 = 0, the second bracket is not applied (otherwise every metric would be zero). Bandwidth is 10^7 divided by the lowest link bandwidth on the path in kbps, Delay is the sum of the interface delays on the path in tens of microseconds, Reliability is the lowest and Load the highest value on the path (each 1 to 255). EIGRP uses the same formula with the result multiplied by 256.
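Key-chain lifetimes (Table 1-4) and keyed-MD5 authentication of RIPv2 updates (Table 1-3), as an added Python example (not code from the Quick Reference Sheets or from Cisco): a key chain with accept and send lifetimes, a RIPv2 Response built with the RFC 2082 authentication entry and trailer, and a verifier that looks the key up by ID, checks the digest in constant time and rejects replayed sequence numbers. The key strings, routes and lifetimes are constructed; the choice of the lowest-numbered valid key for sending and the replay policy are this example's model of router behaviour, not a statement of what IOS does.

```python
import hashlib
import hmac
import math
import socket
import struct
from dataclasses import dataclass

INFINITE = math.inf


@dataclass(frozen=True)
class Key:
    number: int
    key_string: bytes
    accept: tuple = (0, INFINITE)   # accept-lifetime as (start, end), seconds
    send: tuple = (0, INFINITE)     # send-lifetime as (start, end), seconds


def _covers(lifetime, now):
    return lifetime[0] <= now < lifetime[1]


def send_key(chain, now):
    """Key used to sign outgoing updates: the lowest-numbered key whose
    send-lifetime covers 'now' (this example's model of key-chain behaviour)."""
    valid = [k for k in chain if _covers(k.send, now)]
    return min(valid, key=lambda k: k.number) if valid else None


def accept_key(chain, number, now):
    """Key used to verify an update carrying Key ID 'number', provided its
    accept-lifetime covers 'now'."""
    for k in chain:
        if k.number == number and _covers(k.accept, now):
            return k
    return None


def _padded_key(key_string):
    if len(key_string) > 16:
        raise ValueError("RIPv2 keyed-MD5 keys are at most 16 bytes")
    return key_string.ljust(16, b"\x00")


def build_rip_response(routes, key, seq):
    """RIPv2 Response with RFC 2082 keyed-MD5 authentication.

    routes: list of (prefix, mask, next_hop, metric). The authentication entry
    leads the packet and the trailer ends it, carrying the 16-byte digest.
    """
    trailer_offset = 4 + 20 + 20 * len(routes)        # the "RIP-2 packet length" field
    body = struct.pack("!BBH", 2, 2, 0)                # command 2 = Response, version 2
    body += struct.pack("!HHHBBI8x", 0xFFFF, 3, trailer_offset, key.number, 16, seq)
    for prefix, mask, next_hop, metric in routes:
        body += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                            socket.inet_aton(mask), socket.inet_aton(next_hop), metric)
    trailer = struct.pack("!HH", 0xFFFF, 1)
    # The digest is MD5 over the packet with the zero-padded key standing in
    # for the digest field; the digest then replaces the key on the wire.
    digest = hashlib.md5(body + trailer + _padded_key(key.key_string)).digest()
    return body + trailer + digest


def verify_rip_response(pkt, chain, now, last_seq=None):
    """Return (True, sequence) if the update authenticates, else (False, reason)."""
    if len(pkt) < 4 + 20 + 20:
        return False, "truncated"
    afi, auth_type, trailer_offset, key_id, auth_len, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != 0xFFFF or auth_type != 3 or auth_len != 16:
        return False, "not keyed-MD5 authentication"
    if (trailer_offset + 20 != len(pkt)
            or struct.unpack("!HH", pkt[trailer_offset:trailer_offset + 4]) != (0xFFFF, 1)):
        return False, "bad length or trailer"
    key = accept_key(chain, key_id, now)
    if key is None:
        return False, "no acceptable key with ID %d" % key_id
    expected = hashlib.md5(pkt[:trailer_offset + 4] + _padded_key(key.key_string)).digest()
    if not hmac.compare_digest(expected, pkt[trailer_offset + 4:]):
        return False, "digest mismatch"
    # Replay check (this example's policy): the sequence must increase; 0 is
    # accepted so that a rebooted neighbour can restart its counter.
    if last_seq is not None and seq != 0 and seq <= last_seq:
        return False, "replayed or out-of-order sequence %d" % seq
    return True, seq
```

Overlapping accept-lifetimes are what make a key rollover safe: key 2 is accepted from t=80 although it is not sent before t=100, and an update signed with key 1 after its accept-lifetime ends at t=120 is rejected as having no acceptable key.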
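The IGRP composite metric and variance-based unequal-cost load balancing described above, as an added Python example (not code from the Quick Reference Sheets or from Cisco): the metric is computed from the slowest link, the summed delay and the worst reliability and load on the path with the K5 = 0 rule applied, and the path selection keeps a candidate only when its metric is within variance times the best metric and its next hop reports a smaller metric than the best local one (the feasibility rule that keeps a neighbour routing back through this router out of the set). Link values are constructed; the traffic-share weighting (inversely proportional to the metric) is this example's model, not the router's exact share-count arithmetic.

```python
def igrp_metric(links, k=(1, 0, 1, 0, 0)):
    """IGRP composite metric for a path made of 'links'.

    Each link is a dict with bandwidth_kbps, delay_us, reliability (1-255,
    255 = 100%) and load (1-255, 255 = 100%). Integer arithmetic mirrors
    the router; EIGRP would multiply the result by 256.
    """
    k1, k2, k3, k4, k5 = k
    bandwidth = 10**7 // min(l["bandwidth_kbps"] for l in links)   # slowest link on the path
    delay = sum(l["delay_us"] for l in links) // 10                 # summed delay, tens of us
    load = max(l["load"] for l in links)                            # worst load on the path
    reliability = min(l["reliability"] for l in links)              # worst reliability on the path
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        # The reliability term applies only when K5 is non-zero; with the
        # default K5 = 0 it is skipped (otherwise every metric would be 0).
        metric = metric * k5 // (reliability + k4)
    return metric


def load_sharing_paths(candidates, variance=1, traffic_share="balanced", max_paths=4):
    """Select the paths installed for a destination.

    candidates: dicts with 'next_hop', 'links' (the path's links) and
    'advertised' (the metric the next hop itself reports). A path is usable
    when its metric is within variance x best AND advertised < best, so the
    next hop is closer to the destination than this router.
    Returns (next_hop, metric, share) tuples ordered by metric; share is the
    fraction of traffic each path carries under this example's weighting.
    """
    scored = sorted(((igrp_metric(c["links"]), c) for c in candidates), key=lambda m: m[0])
    best = scored[0][0]
    chosen = [(m, c) for m, c in scored
              if m <= variance * best and c["advertised"] < best][:max_paths]
    if traffic_share == "min":
        chosen = [(m, c) for m, c in chosen if m == best]   # minimum-cost paths only
    weights = [best / m for m, _ in chosen]                  # inversely proportional to metric
    total = sum(weights)
    return [(c["next_hop"], m, w / total) for (m, c), w in zip(chosen, weights)]
```

With the default constants a 10 Mbps link (delay 1000 us) scores 1100 and a T1 (delay 20,000 us) scores 8476, so the T1 path is used alongside the Ethernet paths only once variance reaches 8; a neighbour advertising a metric equal to the local best is never used, whatever the variance.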
Configuring IGRP

• Enable the IGRP routing process using the router igrp autonomous-system-number command.
• Associate networks with an IGRP routing process using the network network-number command.
• (Optional) Adjust the IGRP metric weights using the command metric weights tos k1 k2 k3 k4 k5.
• (Optional) Adjust the routing protocol timers using the command timers basic update invalid holddown flush [sleeptime].
• Define the variance associated with a particular path to enable unequal-cost load balancing using the command variance multiplier.
• Distribute traffic proportionately to the ratios of the metrics, or only over the minimum-cost route, using the traffic-share {balanced | min} command.
• For more information about IGRP, refer to http://www.cisco.com/warp/public/103/3.html and http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cigrp.htm.

Open Shortest Path First protocol

• The Open Shortest Path First (OSPF) protocol is a link-state protocol, originally defined in RFC 1247 (the current OSPFv2 specification is RFC 2328), that calculates the best path to destinations based on the shortest path first (SPF), or Dijkstra's, algorithm.
• Routing is performed in a hierarchy. The backbone area is called Area 0 and is the heart of the OSPF domain. All other, nonbackbone areas need to be connected to Area 0. In the event they are not, a virtual link has to be configured through a transit area to Area 0 to make the area appear as if it were connected to Area 0.
• Designated Router (DR) and Backup Designated Router (BDR) election happens on multiaccess networks. Updates are sent either to AllSPFRouters (224.0.0.5) or to AllDRouters (224.0.0.6), which includes the DR and the BDR.
• A router running OSPF sends link-state advertisements (LSA) over all adjacencies whose networks have been enabled for OSPF. The LSAs describe all the router's links or interfaces, the router's neighbors, and the state of the links; the links may connect to stub networks, to other OSPF routers in the same or a different area, or to routers that are not part of the OSPF domain. Because of the varying types of link-state information, OSPF defines multiple LSA types:

Type 1: Router LSA. Contains information on the router and its directly connected links; flooded within the area.
Type 2: Network LSA. Contains information on a multiaccess network and the routers connected to it; generated by the DR; flooded within the area.
Type 3: Summary LSA. Identifies networks reachable outside the area; generated by the Area Border Router (ABR).
Type 4: ASBR Summary LSA. Identifies reachability to an Autonomous System Boundary Router (ASBR) from an area; generated by the ABR.
Type 5: External LSA. Generated by the ASBR; identifies networks reachable through the ASBR; flooded throughout the OSPF domain (except into stub areas).

For more information about OSPF and configuring OSPF, refer to the Cisco OSPF design guide located at http://www.cisco.com/warp/public/104/1.html#t20 (recommended).

• To configure authentication in OSPF, three modes are supported: null, plain text, and MD5. By default, null authentication is used. Table 1-5 identifies the commands required to enable OSPF authentication.

TABLE 1-5 Configuring OSPF authentication

ip ospf authentication [message-digest | null]: Enables OSPF authentication on the interface, in interface configuration mode (plain text when no keyword is given)
ip ospf authentication-key key: Configures a plain-text authentication key on the interface
ip ospf message-digest-key key-id md5 key: Configures an MD5 authentication key on the interface, in interface configuration mode
area area-number authentication: Enables all interfaces in an area for plain-text authentication (under OSPF process configuration)
area area-number authentication message-digest: Enables all interfaces in an area for MD5 authentication (under OSPF process configuration)

Enhanced Interior Gateway Routing Protocol

• Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance vector protocol, often described as a hybrid routing protocol; classless in nature, with the metric calculated using the same formula as IGRP (multiplied by 256).
• Updates are not sent at regular intervals but only during a network or topology change (triggered). In addition, the updates are partial, such that only route changes are propagated rather than the entire routing table, and they are sent only to the routers where the change affects routing decisions.
• Can route IP, Internetwork Packet Exchange (IPX), and AppleTalk.
• Uses the Diffusing Update Algorithm (DUAL) for faster convergence.
• EIGRP uses multicast to send updates, sending messages to 224.0.0.10, which delivers the message or update to all EIGRP speakers on the link.

Configuring EIGRP

• Enable the EIGRP routing process using the router eigrp autonomous-system-number command in global configuration mode.
• Configure networks to be enabled for EIGRP routing using the command network network.
• Disable automatic summarization using the command no auto-summary.
• For more information about EIGRP and its configuration, refer to the EIGRP design guide at http://www.cisco.com/warp/public/103/eigrp-toc.html (recommended).
• Authentication is configured on EIGRP similar to RIPv2, by configuring the authentication mode on the interface and associating an authentication key chain instance (see Table 1-6). In addition, the key chain must be configured as defined earlier in the "Routing Information Protocol (and Routing Information Protocol Version 2)" section.

TABLE 1-6 Configuring EIGRP authentication

ip authentication key-chain eigrp autonomous-system name-of-chain: Associates an EIGRP autonomous system and key chain per interface, in interface configuration mode
ip authentication mode eigrp autonomous-system md5: Configures the authentication mode as MD5 on the interface, in interface configuration mode

Border Gateway Protocol

Border Gateway Protocol (BGP) is an exterior gateway protocol and the de facto standard for routing in the Internet today. BGP is considered a path vector protocol because the routing information exchange also propagates the path of autonomous systems through which the route was learned. BGP uses TCP port 179 (transport layer) for information exchange. In addition, BGP maintains a BGP table that contains information about all candidate paths to reach a specific destination; only the best path is imported into the routing table. For complete coverage of BGP attributes and their operation in route selection, refer to http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm. In addition, it is recommended that you visit the BGP Cisco FAQ located at http://www.cisco.com/warp/public/459/bgpfaq_5816.shtml.

Configuring BGP (basics only)

• Enable BGP on the router using the command router bgp autonomous-system-number.
• Configure explicit neighbors using the neighbor ip-address remote-as remote-as-number command.
• (Optional) Configure networks to be advertised into the BGP process using the network network-number mask subnet-mask command.
• For interior BGP (iBGP) sessions, change the source of BGP updates to a specific interface using the command neighbor ip-address update-source interface-type interface-number.
• For further configurations and in-depth coverage of BGP, refer to the Cisco BGP case studies located at http://www.cisco.com/warp/public/459/bgp-toc.html (recommended).
• Authentication (MD5) can be enabled per neighbor using the command neighbor ip-address password string. The same string must be configured on both peers; it protects the TCP session from spoofed segments (for example, injected resets).

IP Multicast Overview

Multicast delivers a packet to a specific subset of hosts, those that have joined a multicast group, rather than to all hosts on a broadcast domain. A host chooses its membership in a multicast group address and thereby receives the packets destined for that group. Multicast addresses are Class D addresses ranging from 224.0.0.0 to 239.255.255.255. A large number of multicast protocols are in use in networks today. You can find detailed coverage of these protocols at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ipmulti.htm and http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/mcst_sol/mcst_ovr.htm. In addition, special multicast addresses can be used to send messages or updates to subsets of hosts (for example, 224.0.0.1 [all hosts on the subnet] and 224.0.0.2 [all routers on the subnet]).

Questions

1. Routing occurs at what layer of the OSI model?
   a. Network layer
   b. Data link layer
   c. Transport layer
   d. Application layer

2. IP RIP runs over ___, port number ___.
   a. UDP, 21
   b. TCP, 24
   c. TCP, 520
   d. UDP, 520

3. In what field or fields does the IP checksum calculate the checksum value?
   a. Data only
   b. Header and data
   c. Header only
   d. Not used in an IP packet

4. Which of the following routing protocols support authentication mechanisms? (Choose all that apply.)
   a. OSPFv2
   b. BGP
   c. RIPv1
   d. EIGRP
   e. IGRP