Sunday, 22 September 2019

How Router Choose Best Path? Cisco Router Path Section

How Router Choose Best Path? Cisco Router Path Section

This article is about How Router Choose Best Path and how router build routing table. We will see how to use several routing protocols. For understanding the concept how router choose best path we need to know how router works. For exploring the router functionality we will discus concept related to it. First we learn the router switching functionality:

Router Switching Function:

One of the main functions of a router is to forward packets to its destination. This is achieved through a switching function , which is the process that a router uses to accept a packet in one interface and forward it through another interface.
Note: in this context, the term “switching” literally means moving packets from source to destination and should not be confused with the function of a layer 2 switch.
Once the router has determined the exit interface through the route determination function , the router must encapsulate the packet in the data link frame of the exit interface. What does a router do when it receives a packet from a network that is destined for another network? The router executes the following three main steps:

  1. Uncapsulate the plot header and the Layer 2 trailer to expose the Layer 3 package.
  2. Examine the destination IP address of the IP packet to find the best path in the routing table.
  3. If the router finds a route to the destination, it encapsulates the layer 3 packet in a new layer 2 frame and forwards the frame through the output interface.

As shown in the following image, the devices have Layer 3 IPv4 addresses, and the Ethernet interfaces have Layer 2 data link addresses.

Routing Decision:

We have already mentioned that one of the main functions of routers is to determine the best route to send packets. To determine the best route, the router searches its routing table for a network address that matches the destination IP address of the packet and can find 3 determinations:
Network directly connected : If the destination IP address of the packet belongs to a device on a network that is directly connected to one of the router interfaces, that packet is forwarded directly to the destination device. This means that the destination IP address of the packet is a host address on the same network as the router interface.
Remote network : If the destination IP address of the packet belongs to a remote network, the packet is forwarded to another router. Only remote networks can be reached by forwarding packets to another network.
No particular route : if the destination IP address of the packet does not belong to a connected or remote network, the router determines if a gateway of last resort is available. The gateway of last resort is set when a default route is configured or learned on a router. If there is a default route, the packet is forwarded to the gateway of last resort. If the router does not have a default route, the packet is discarded.

The Best Route

The determination of the best route implies the evaluation of several routes to the same destination network and the selection of the optimal or shortest route to reach that network. When there are several routes to the same network, each route uses a different output interface on the router to reach that network.
The best path is chosen by a routing protocol based on the value or metric it uses to determine the distance to reach that network. A metric is a quantitative value that is used to measure the distance that exists to a given network, therefore, the best path to a network is the route with the lowest metric.
Dynamic routing protocols generally use their own rules and metrics to build and update routing tables. Here are some dynamic protocols and the metrics they use:


  1. Routing Information Protocol (RIP) : hop count.
  2. OSPF (Open Shortest Path First) protocol : the cost of Cisco based on cumulative bandwidth from source to destination.
  3. Enhanced Internal Gateway Routing Protocol (EIGRP) : bandwidth, delay, load, reliability.

Load Balance

What happens if a routing table has two or more routes with identical metrics to the same destination network? In case they have a metric of the same cost it is called “ load balancing of the same cost ” and the router does what it does is forward the packets using both routes equally. If configured correctly, load balancing can increase the effectiveness and performance of the network. Load balancing of the same cost can be configured to use both dynamic routing protocols and static routes.

Note: only EIGRP supports load balancing with a different cost.

Best Path on Router Configured with Multiple Routing Protocols:

It is possible to configure a router with several routing protocols and several static routes. If this occurs, the routing table can have more than one route source for the same destination network. For example, if RIP and EIGRP are configured on a router, both routing protocols can discover the same destination network. However, each routing protocol may decide to take a different route to reach the destination according to the metrics of that routing protocol. RIP chooses a route according to the hop count, while EIGRP chooses a route according to the composite metric. How does the router know which route to use? ... with the administrative distance
The Cisco IOS uses what is known as "administrative distance" (AD) to determine the route to be installed in the IP routing table. The AD represents the “reliability” of the route: the smaller the AD, the more reliable the origin of the route will be . For example, the AD of a static route is 1, while the AD of a route discovered by EIGRP is 90. The router chooses the route with the lowest AD between two different routes to the same destination. When a router can choose between a static route and an EIGRP route, the static route has priority. Likewise, a route directly connected with an AD of 0 has priority over a static route with an AD of 1.





Thursday, 19 September 2019

Basic Initial Cisco Router Configuration | CCNA

Basic Initial Cisco Router Configuration | CCNA

In this article of CCNA series you will learn the Basic Initial Cisco Router Configuration with commands example and about routing. We have already seen that the Ethernet switches work at the data link layer (layer 2) and are used to forward Ethernet frames between devices within the same network. Now, when the source and destination IP addresses are on different networks , the Ethernet frame must be sent to a router.
Important considerations:


  • The router uses its routing table to find the best route to resend a packet.
  • When a host sends a packet to a device on a different IP network, the packet is forwarded to the default gateway .
  • The default gateway is the destination that routes traffic from the local network to the devices in the remote networks.

WHY IS ROUTING NECESSARY?

Simply put, a router connects a network with another network . Communication between networks would not be possible without a router that determines the best route to the destination and forwards traffic to the next router on that route. The router is responsible for routing traffic between networks.
And when we talk about the best route we realize the speed with which we access a web page when we click on a link in the browser.
In the following image we see that the routers interconnect the networks in the different sites. When a packet arrives at a router interface, it uses the routing table to determine how to reach the destination network.

ROUTERS CHOOSE THE BEST ROUTES

The main functions of a router are the following:

Determine the best route to send packages.
Forward packets to your destination.
It's simple, when the router receives a packet, it analyzes the destination address of the packet and uses the routing table to find the best route to that network.

A router can receive a packet encapsulated in one type of data link frame and forward it through an interface that uses another type of data link frame. Precisely, the different data link technologies to which a router can be connected include Ethernet, PPP, Frame Relay, DSL, cable technology and wireless technology (802.11, Bluetooth, etc.).

 PACKAGE FORWARDING MECHANISMS

Routers support three packet forwarding mechanisms:

Process switching : (old and slow) 

When a packet arrives at an interface, it is forwarded to the control plane, where the CPU matches the destination address with an entry in the routing table and then determines the interface of Check out and resend the package. The router does this with each packet, even if the destination is the same for a packet stream.

Fast switching : 

Use a fast switching cache to store the next hop information. When a packet arrives at an interface, it is forwarded to the control plane, where the CPU looks for a match in the fast switching cache. If it finds none, the process switching is applied to the packet, and this is forwarded to the outgoing interface. If another packet with the same destination arrives at an interface, the next hop information in the cache is reused without CPU intervention.
Fast switching solves a problem by performing all mathematical calculations once and remembers the answer for subsequent identical problems.

Cisco Express Forwarding (CEF):  

It is the latest and most used packet forwarding mechanism in Cisco IOS . Like fast switching, CEF assembles a forwarding information base (FIB) and an adjacency table. The FIB contains previously calculated reverse searches, next hop information for routes, including interface and layer 2 information.

DEVICE CONNECTION

Generally the devices connect to a network via a wired Ethernet connection or a wireless connection. Now, to enable access to the network , devices with IP address information must be configured to identify the corresponding items, including:


  • IP Address : Identifies a unique host on a local network.
  • Subnet Mask: Identifies which subnet on the network the host can communicate with.
  • Default Gateway : Identifies the IP address of the router to which a packet should be sent when the destination is not in the same subnet of the local network.

When a host sends a packet to a device on a different IP network, the packet is forwarded to the default gateway

Basic Initial Router Configuration 

Once we have reviewed the previous topics, we will go to the basic configuration of a router. Cisco routers and switches have many similarities. They support similar command structures, as well as many of the same commands. Therefore, the initial configuration steps are similar for both devices.


  • Assign a name to the device
  • Protect administration access
  • Set up a warning

We recommend you read: How to Configure a Cisco Router 

R1> in
R1 # conf t
Enter configuration commands, one per line. End with CNTL / Z.
R1 (config) #
R1 (config) #enable secret MyPassEnable
R1 (config) #line console 0
R1 (config-line) #pass MyPassConsole
R1 (config-line) #login 
R1 (config-line) #exit
R1 (config) #line vty 0 4 
R1 (config-line) #pass MyPassVty
R1 (config-line) #login
R1 (config-line) #exit
R1 (config) #service password-encryption
R1 (config) #banner motd #SOLO AUTHORIZED ACCESS! #
R1 (config) #exit
R1 #
% SYS-5-CONFIG_I: Configured from console by console
R1 # copy running-config startup-config 
Destination filename [startup-config]? 
Building configuration ...
[OKAY]
R1 #

IP Configuration of Router Interface

A feature that distinguishes switches from routers is the type of interfaces each supports. While Layer 2 switches support LAN networks (they have several FastEthernet or Gigabit Ethernet ports), the routers support LAN and WAN networks, and can interconnect different types of networks (they support many types of interfaces).
For example, G2 ISRs have one or two integrated Gigabit Ethernet interfaces and high-speed WAN interface card (HWIC) slots to support other types of network interfaces, including serial, DSL and cable interfaces.
For an interface to be available, it must meet the following requirements:
  1. Be configured with an IP address and subnet mask: use the ip address [ ip-address] [subnet-mask] command for interface configuration.
  2. Activate the interface: LAN and WAN interfaces are not enabled (shutdown) by default. To enable an interface, it must be activated using the no shutdown command . (It's like turning on the interface.) The interface must also be connected to another device (a hub, a switch or another router) for the physical layer to activate.
  3. It is advisable to configure a description (brief of up to 240 characters) on each interface with the description command

Example : The configuration commands for Router R1 will be displayed


GigabitEthernet 0/0 interface configuration with 
 IP address 192.168.10.1 and subnet mask 255.255.255.0.
The link is described as "Link to LAN 1" and the interface is activated.
R1 (config) # interface gigabitethernet 0/0
R1 (config-if) # ip address 192.168.10.1 255.255.255.0
R1 (config-if) # description Link to LAN 1
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface GigabitEthernet0 / 0, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0 / 0, changed state to up
GigabitEthernet 0/1 interface configuration with address 
IP 192.168.11.1 and subnet mask 255.255.255.0. 
The link is described as "Link to LAN 2" and the interface is activated.
R1 (config-if) # interface gigabitethernet 0/1
R1 (config-if) # ip address 192.168.11.1 255.255.255.0
R1 (config-if) # description Link to LAN 2
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface GigabitEthernet0 / 1, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0 / 1, changed state to up

Serial interface 0/0/0 configuration with address 
IP 209.165.200.224 and subnet mask 255.255.255.252. 
The link is described as "Link to R1" and the interface is activated.
R1 (config-if) # interface Serial 0/0/0
R1 (config-if) # ip address 209.165.200.224 255.255.255.252
R1 (config-if) # description Link to R1
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface Serial0 / 0/0, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0 / 0/0, changed state to up

You have correctly configured the interfaces of router R1.

How to assign IPv6 to Cisco Router interface

 The configuration of an IPv6 interface is similar to the configuration of an interface for IPv4. In most cases, the only difference in the commands is the use of ipv6 instead of ip .

The following must be done with the IPv6 interface:

  • Configure with IPv6 address and subnet mask: use ip address [ipv6-address / prefix-length]
  • Activate the interface: the interface must be activated using the no shutdown command .
  • An interface can generate its own IPv6 link-local address without having a global unicast address using the ipv6 enable interface configuration command .

Example : The configuration commands for Router R1 will be displayed

GigabitEthernet 0/0 interface configuration with IPv6 address 
 2001: db8: acad: 1 :: 1/64. The link is described as "Link to LAN 1"
and the interface is activated.
R1 (config) # interface gigabitethernet 0/0
R1 (config-if) # ipv6 address 2001: db8: acad: 1 :: 1/64
R1 (config-if) # description Link to LAN 1
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface GigabitEthernet0 / 0, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0 / 0, changed state to up
GigabitEthernet 0/1 interface configuration with address 
IPv6 2001: db8: acad: 2 :: 1/64. The link is described as "Link to LAN 2"
and the interface is activated.
R1 (config-if) # interface gigabitethernet 0/1
R1 (config-if) # ipv6 address 2001: db8: acad: 2 :: 1/64
R1 (config-if) # description Link to LAN 2
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface GigabitEthernet0 / 1, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0 / 1, changed state to up
Serial interface 0/0/0 configuration with address 
IPv6 2001: db8: acad: 3 :: 2/64. The link is described as "Link to R1"
and the interface is activated.

R1 (config-if) # interface Serial 0/0/0
R1 (config-if) # ipv6 address 2001: db8: acad: 3 :: 2/64
R1 (config-if) # description Link to R1
R1 (config-if) # no shutdown
% LINK-5-CHANGED: Interface Serial0 / 0/0, changed state to up
% LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0 / 0/0, changed state to up

You have correctly configured the IPv6 interfaces of router R1.

VERIFICATION OF THE INTERFACE CONFIGURATION

There are several show commands that can be used to verify the operation and configuration of an interface. The following three commands are particularly useful for quickly identifying the status of an interface:


  • show ip interface brief : shows a summary of all interfaces, including the IPv4 address of the interface and the current operating status.
  • show ip route : shows the contents of the IPv4 routing table that is stored in RAM. In the Cisco IOS the active interfaces must appear with two related entries identified with the code “C” (connected) or “L” (local)
  • show running-config interface interface-id : shows the commands configured on the specified interface.



Tuesday, 10 September 2019

Backup & Restore Cisco Router Configurations VIA TFTP to Flash USB

Backup & Restore Cisco Router Configurations VIA TFTP to Flash USB

This section explains the file systems on routers and switches . It also provide information regarding backup, restore or copy Cisco Router Configuration via TFTP to Flash USB using different techniques. Cisco IOS configuration files such as startup-config or running-config must be archived. These files can be saved in a text file or stored on a TFTP server.

Some router models also have a USB port, and a file backup can be created on a USB drive. If necessary, these files can be copied to the router or switch from the TFTP server or USB drive.

Router File Systems

In addition to implementing and protecting a small network , the network administrator must also manage the configuration files. Configuration file management is important for backup and recovery in case of device failure. The Cisco IOS file system (IFS) provides a single interface to all file systems used by a router, including the following:


  • Flash memory file systems
  • Network file systems (TFTP and FTP)
  • Any other terminal for reading or writing data, such as NVRAM memory, running configuration and ROM memory, among others

With Cisco IFS, you can view and sort all files (image, text file, etc.), including files on remote servers. For example, it is possible to view a configuration file on a remote server to verify that it is the correct configuration file before loading it into the router. Cisco IFS allows the administrator to navigate through different directories, list the files in one of them and create sub-directories in flash memory or on a disk. The directories available depend on the device.

The Flash File System

In Image 2, the content of the current default file system is shown, which in this case is flash, as indicated by the asterisk that preceded the entry in the previous illustration.

There are several files located in flash memory, but the one of greatest interest specifically is the last one on the list: it is the name of the current Cisco IOS image file that runs in RAM.

The NVRAM File System

To view the contents of NVRAM memory, you must change the current default file system with the cd (change directory) command .

The pwd (current working directory) command verifies that we are viewing the NVRAM directory. Finally, the dir (directory) command lists the content of NVRAM memory. Although several configuration files are listed, the one of particular interest is the startup configuration file.

Creating Configuration backup with TFTP Server

Copies of the configuration files should be stored as backup files in the event of a problem. The configuration files can be stored on a trivial file transfer protocol (TFTP) server or on a USB drive. A configuration file should also be included in the network documentation. To save the running configuration or startup configuration on a TFTP server, use the copy running-config tftp or copy startup-config tftp command :

Router # copy running-config tftp
Remote host []? 13,108.2,155
Name of configuration file to write [tokyo-config]? Tokyo.2
Write file tokyo. 2 to 131.108.2.155? [confirm]
Writing tokyo.2 !!!!!! [OKAY]

Follow these steps to back up the running configuration on a TFTP server:

  • Step 1 . Enter the copy running-config tftp command .
  • Step 2 . Enter the IP address of the host where the configuration file will be stored.
  • Step 3 . Enter the name to be assigned to the configuration file.
  • Step 4 . Press Enter to confirm each choice.

Restore Configuration File via TFTP on Cisco Router

To restore the running configuration or startup configuration from a TFTP server, use the copy tftp running-config or copy tftp startup-config command. Follow these steps to restore the running configuration from a TFTP server:


  • Step 1 . Enter the copy tftp running-config command .
  • Step 2 . Enter the IP address of the host where the configuration file is stored.
  • Step 3 . Enter the name to be assigned to the configuration file.
  • Step 4 . Press Enter to confirm each choice.

Save Cisco Router Configurations on USB

The universal serial bus (USB) storage feature enables certain Cisco router models to support USB flash drives. Images, settings and other files can be copied to Cisco USB flash memory and from it with the same reliability with which files are stored and recovered with a Compact Flash card. In addition, modular integrated service routers can boot with any image of Cisco IOS software stored in USB flash memory. Cisco USB flash memory modules are available in 64 MB, 128 MB and 256 MB versions.

To be compatible with a Cisco router, a USB flash drive must be FAT16 format . Otherwise, the show file systems command displays an error indicating that the file system is incompatible.
Here is an example of using the dir command in a USB file system:

Router # dir usbflash0:
Directory of usbflash0: /
1 -rw- 30125020 Dec 22 2032 05:31:32 +00: 00 c3825-entservicesk9-mz.123-14.T
63158272 bytes total (33033216 bytes free)

Ideally, the USB flash memory can contain multiple copies of the Cisco IOS configurations and several router configurations. The USB flash memory allows an administrator to easily move and copy those IOS files and settings from one router to another.

Backup Configurations to USB FLASH DRIVE

When backing up to a USB port, it is recommended to issue the show file systems command to verify that the USB drive is present and confirm the name:

Then use the copy run usbflash0: / command to copy the configuration file to the USB flash drive. Be sure to use the name of the flash drive as indicated in the file system. The bar is optional, but indicates the root directory of the USB flash drive.

R1 # copy running-config usbflash0:
Destination filename [running-config]? R1-Config
5024 bytes copied in 0.736 secs (6826 bytes / sec)
The IOS will request the file name. If the file already exists on the USB flash drive, the router will request the overwrite confirmation.

Use the dir command to view the file on the USB drive, and the more command to view the content:
 Restore Configuration Settings Using A USB FLASH DRIVE
To copy the file again, you must edit the R1-Config USB file with a text editor to transform it into a valid configuration file; otherwise, there are many entries that are invalid commands and no interface will appear.

R1 # copy usbflash0: / R1-Config running-config
Destination filename [running-config]?

Creating Backup & Restoring Using Text Files (TERA TERM, Putty)

Configuration files can be saved or archived in a text file using Tera Term.

As shown in the figure, the steps are:
  • Step 1 . On the File menu, click Log .
  • Step 2 . Choose the location to save the file. Tera Term will start capturing text.
  • Step 3 . Once the capture begins, execute the show running-config or show startup-config command on the privileged EXEC entry request. The text that appears in the terminal window will be placed in the chosen file.
  • Step 4 . When the capture is complete, select Close in the Log window of TeraTerm.
  • Step 5 . Look at the file to verify that it is not damaged.

RESTORING TEXT SETTINGS

A configuration can be copied from a file to a device. When copied from a text file and pasted into a terminal window, the IOS executes each line of the configuration text as if it were a command.
This means that the file will need editing to ensure that the encrypted passwords are in the form of text and that IOS messages and non-command text, such as “–More–“, are removed.
In turn, in the CLI, the device must be set to the global configuration mode to receive the commands from the text file that are pasted into the terminal window.
When Tera Term is used, the steps are as follows:
  • Step 1 . On the File menu, click Send to send the file.
  • Step 2 . Locate the file you should copy on the device and click Open.
  • Step 3 . Tera Term will paste the file into the device.
The text in the file will be applied as commands in the CLI and will become the configuration running on the device. This is a convenient method to manually configure a router.





Monday, 9 September 2019

Cisco Show Commands Ping and Tracert Basic commands

Cisco Show Commands Ping and Tracert Basic commands 

In this post you will learn some Cisco Basic commands including Cisco Show Commands, Ping and Tracert commands. At the end of this topic you will several commands to monitor and maintain network connectivity. To test network connectivity to local and remote destinations, commands such as ping , telnet and traceroute are often used . On Cisco IOS devices, the show version command can be used to verify and troubleshoot some of the basic hardware and software components. To view information of all network interfaces on a router, the show ip interface command is used .
Ping and tracert commands are used to establish the relative performance of the network. And the basic show commands to verify the configuration and status of a device interface and use the basic commands of the host and IOS to obtain information about the devices in a network.
Once the network is implemented, the administrator should be able to test the network connectivity to make sure it works correctly. In addition, it is recommended that the network administrator perform a network registration.

THE PING COMMAND

The ping command is an effective way to test connectivity. Generally, this test is known as the " protocol stack test ", because the ping command goes from layer 3 of the OSI model to layer 2 and then to layer 1. This command uses the ICMP protocol to verify connectivity. The ping command does not always identify the nature of a problem, but it can help identify its origin, an important first step in troubleshooting a network failure.
The ping command provides a method to test the protocol stack and IPv4 address configuration on a host, as well as to test connectivity to local or remote destination hosts, as shown in the illustration.

IOS PING INDICATORS

A ping emitted from the IOS results in one of several indications for each ICMP echo sent. The most common indicators are:


  • ! (exclamation point): indicates the reception of an ICMP echo response message. Indicates that the ping completed successfully and verifies layer 3 connectivity.
  • . (period): Indicates that the time was up while waiting for an ICMP echo response message. May indicate communication problems. You can point out that there was a connectivity problem somewhere along the route. It can also indicate that a route router did not have a route to the destination and did not send an ICMP message of unreachable destination. You can also point out that the ping was blocked by device security.
  • U : An unreachable ICMP message was received. Indicates that a router on the route did not have a route to the destination address or that the ping request was blocked and responded with an ICMP message of unreachable destination.

LOOPBACK TEST

The ping command is used to verify the internal IP configuration on the local host. Remember that this test is performed using the ping command at a reserved address called " loopback address " (127.0.0.1). This verifies that the protocol stack works correctly from the network layer to the physical layer and vice versa, without actually placing a signal in the media.
Ping commands are entered on a command line. Use the following syntax to ping the loopback address:

EXTENDED PING

Cisco IOS offers an "extended" mode of the ping command .
This mode is entered by typing " ping " (without the quotes) in the privileged EXEC mode, without a destination IP address. Then, a series of input requests is presented, as shown in the following example. Pressing Enter accepts the indicated default values.
The following example shows how to force the source address for a ping to be 10.1.1.1 (see R2 in the illustration); the source address for a standard ping would be 209.165.200.226. In this way, the network administrator can verify remotely (from R2) that R1 has route 10.1.1.0/24 in its routing table.
By entering a longer timeout period than the default, possible latency problems can be detected. If the ping test is successful with a higher value, there is a connection between the hosts, but there may be a latency problem in the network.

INTERPRETATION OF TRACERT MESSAGES

A trace provides a list of hops when a packet is routed through a network. The form of the command depends on where the command is issued. When you perform the scan from a Windows computer, use tracert . When tracking from a router's CLI, use traceroute .
Here, on the basis that the command is issued from a Windows computer, the tracert form is used:

The only correct answer was that of router A's gateway. The timeout for trace requests timed out, which means that the next hop router did not respond. The results of the trace command indicate that the fault is then in the internetwork beyond the LAN.

Cisco SHOW COMMANDS

The Cisco IOS CLI show commands show important information about device configuration and operation. Network technicians use show commands frequently to view configuration files, check the status of processes and device interfaces, and verify the device's operating status. The show commands are available regardless of whether the device was configured using the CLI or Cisco Configuration Professional.
You can display the status of almost all router processes or functions using a show command. Some of the best known show commands are:
show running-config
show interfaces
show arp
show ip route
show protocols
show version

VIEW ROUTER CONFIGURATION USING THE SHOW VERSION COMMAND

Once the boot configuration file is loaded and the router boots correctly, the show version command can be used to verify and resolve the problems of some of the basic hardware and software components used during the boot process.

The result of the show version command includes the following:

  • The version of the Cisco IOS software that is being used.
  • The bootstrap software version of the system stored in the ROM that was initially used to boot the router.
  • The full filename of the Cisco IOS image and where the bootstrap program placed it.
  • The type of router CPU and the amount of RAM. It may be necessary to update the amount of RAM when updating Cisco IOS software.
  • The quantity and type of physical interfaces of the router.
  • The amount of NVRAM. The NVRAM is used to store the startup-config file.
  • The amount of router flash memory. It may be necessary to update the amount of flash when updating Cisco IOS software.
  • The currently configured value of the software configuration register in hexadecimal format.

The configuration log tells the router how to start. There are several possible configurations for the configuration register. The most common are the following:

  • 0x2102 : factory default settings for Cisco routers (load the IOS image from flash memory and boot configuration file from NVRAM).
  • 0x2142 : The router ignores the content of nonvolatile RAM (NVRAM).

On a switch, the show version command displays information about the currently loaded software version, along with hardware and device information.
Some of the data shown by this command are the following:
  • Software version: IOS software version.
  • Bootstrap version: bootstrap version.
  • System activity time: time elapsed since the last time it was restarted.
  • System restart information : restart method (for example, off and on, collapse).
  • Software image name: IOS file name.
  • Switch platform and processor type : model number and processor type.
  • Memory type (shared / main) : Main processor RAM and shared packet I / O buffering.
  • Hardware interfaces: interfaces available on the switch.
  • Configuration log : sets boot specifications, console speed settings and related parameters.

HOST AND IOS COMMANDS

The IP address of the default gateway of a host can be seen by issuing the ipconfig command on the command line of a Windows computer.

A tool to analyze the MAC address of a PC is ipconfig / all . Note that, the PC's MAC address now appears along with several details related to the layer 3 addressing of the device. Try using this command.

In addition, the manufacturer of the network interface on the PC can be identified by the OUI portion of the MAC address. This can be investigated on the Internet. The DNS client service on Windows PCs optimizes the performance of DNS name resolution by previously storing resolved names in memory. The ipconfig / displaydns command shows all DNS entries in cache on a Windows computer system.

ARP COMMAND OPTIONS

The arp command allows you to create, edit and display physical address assignments to known IPv4 addresses. This command is executed from the Windows command prompt.

To execute an arp command, enter the following at a host prompt:
C: \ host1> arp -a
The arp -a command lists all the devices that are currently in the host's ARP cache, which includes the IPv4 address, physical address and type of addressing (static / dynamic) for each device.

SHOW CDP NEIGHBORS COMMAND OPTIONS

Examine the result of the show cdp neighbors commands , with the topology of Image 10. Note that R3 has collected detailed information about R2 and the switch connected to the R3 Fast Ethernet interface.
CDP is a Cisco-exclusive protocol that runs on the data link layer. Because the CDP protocol works at the data link layer, it is possible for two or more Cisco network devices to obtain information from each other even if there is no Layer 3 connectivity. In network detection situations, the neighbor's IP address with CDP is usually the only information needed to connect to that device via Telnet. For obvious reasons, CDP can pose a security risk. Because some versions of IOS send CDP publications by default, it is important that you know how to disable CDP.

SHOW IP INTERFACE BRIEF COMMAND

In the same way that commands and utilities are used to verify the configuration of a host, the commands can be used to verify the interfaces of intermediary devices.

ROUTER INTERFACE VERIFICATION

One of the most used commands is the show ip interface brief command . This command provides a shorter result than the show ip interface command . Provides a summary of the key information for all the network interfaces of a router.

The result of show ip interface brief shows all the router interfaces, the IP address assigned to each interface (if any) and the operating status of the interface. Depending on the result, the FastEthernet0 / 0 interface has the IP address 192.168.254.254. In the last two columns of this line, the status of layer 1 and layer 2 of this interface is shown. The up (active) value in the Status column shows that that interface operates at layer 1. The up value in the Protocol column indicates that the layer 2 protocol works. Also note that the Serial 0/0/1 interface was not enabled. This is indicated by the administratively down value in the Status column. As with any final device, it is possible to verify layer 3 connectivity with the ping and traceroute commands. In this example, both the ping command and the trace command show satisfactory connectivity.

VERIFICATION OF SWITCH INTERFACES

The show ip interface brief command can also be used to verify the status of the switch interfaces. The IP address for the switch is applied to a VLAN interface. In this case, the Vlan1 interface received the IP address 192.168.254.250 and is enabled and running.
The result also shows that the FastEthernet0 / 1 interface is inactive. This indicates that there is no device connected to the interface or that the device that is connected to it has a network interface that does not work.

On the other hand, the result shows that the FastEthernet0 / 2 and FastEthernet0 / 3 interfaces work. This is indicated by the up value in the Status and Protocol columns.

Layer 3 connectivity on the switch can also be tested with the show ip interface brief and traceroute commands . In this example, both commands show satisfactory connectivity.

It is important to note that no IP address is required for a switch to fulfill its function of frame forwarding at layer 2. An IP address is required only if the switch is managed over the network via Telnet or SSH.



How to Maintain Network Security Steps

How to Maintain Network Security Steps

This is a brief on "How to Maintain Network Security Steps". After the end of this article you will able to understand the following  Network Security Steps:

  • Security threats and vulnerabilities need to be taken into account when planning the implementation of a network. All network devices must be protected. This includes routers, switches, devices for end users and even security devices. Networks should be protected against malicious software, such as viruses, Trojan horses and worms.
  • Networks must also be protected against network attacks: recognition, access and denial of service. There are several ways to protect the network against network attacks.
  • Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices.
  • To protect network devices, it is important to use strong passwords. In addition, when accessing network devices remotely, it is recommended to enable SSH instead of the Telnet protocol, which is not secure.

1. SECURITY MEASURES FOR NETWORK DEVICES

Whether they are wired or wireless networks, computer networks are increasingly fundamental to everyday activities. Both people and organizations depend on PCs and networks. Intrusions of unauthorized persons can cause costly network interruptions and job losses. Attacks on a network can be devastating and can cause loss of time and money due to damage or theft of important information or assets.

CATEGORIES OF NETWORK SECURITY THREATS

Intruders can access a network through software vulnerabilities, hardware attacks or by deciphering someone's username and password. Typically, intruders who gain access through software modification or exploitation of software vulnerabilities are called hackers.
Once a hacker gains access to the network, four types of threats may arise:

  • Information theft : Unauthorized entry into a computer to obtain confidential information. The information can be used or sold for different purposes.
  • Identity theft: A form of information theft in which personal information is stolen in order to usurp the identity of another person. Identity theft is a growing problem that costs billions of dollars a year.
  • Data loss or manipulation : Unauthorized entry into a computer to destroy or alter data records. Examples of data loss: sending a virus that changes the format of a PC's hard drive. Example of data manipulation: unauthorized entry into a system of records to modify information, such as the price of an item.
  • Service interruption : Prevent legitimate users from accessing services that they should be able to access.

Even in small networks, security threats and vulnerabilities must be taken into account when planning a network implementation.

PHYSICAL SECURITY

When you think about network security, or even computer security, you may think of attackers who exploit software vulnerabilities.
If the network resources are exposed to physical risks, an attacker may deny the use of such resources.
The four kinds of physical threats are as follows:

  1. Hardware threats : physical damage to servers, routers, switches, wiring plant and workstations
  2. Environmental threats : extremes of temperature (too hot or too cold) or extremes of humidity (too wet or too dry)
  3. Electrical threats : voltage spikes, insufficient voltage supply (partial blackouts), power without conditioning (noise) and total power drop
  4. Maintenance threats : poor management of key electrical components (electrostatic discharge), lack of critical spare parts, poor wiring and labeling
Some of these problems must be addressed in the organization's policies. Some of them depend on a good management and administration of the organization.

TYPES OF SECURITY VULNERABILITIES

Three network security factors are vulnerability, threats and attacks .

  • Vulnerability is the degree of weakness inherent in each network and device. This includes routers, switches, desktops, servers and even security devices.
  • Threats include people interested in taking advantage of every security weakness and trained to do so.
Threats are carried out with a variety of tools, scripts and programs to initiate attacks against networks and network devices. Typically, network devices that suffer attacks are terminals, such as servers and desktops.

2. VULNERABILITIES AND NETWORK ATTACKS

Malicious code attacks include various types of PC programs that were created with the intention of causing data loss or damage to them. The three main types of malicious code attacks are viruses, Trojan horses and worms .

VIRUSES, WORMS AND TROJAN HORSES


  • Virus : A virus is a type of malicious software that is associated with another program to execute a specific unwanted function on a workstation.

Note : In general, viruses require a delivery mechanism, a vector, such as a zip file or some other executable file attached to an email, to transport the virus code from one system to another.

  • Trojan horse : it only differs in that the entire application was created in order to appear to be something else, when in reality it is an attack tool.
  • Worms : they are autonomous programs that attack a system and try to exploit a specific vulnerability of the target. Once the vulnerability is exploited, the worm copies its program from the attacking host to the recently attacked system to restart the cycle.

The anatomy of a worm attack is as follows:

  1. Enabling vulnerability : the worm is installed by exploiting known vulnerabilities of the systems, such as naive end users who open executable attachments without checking emails.
  2. Propagation mechanism : After obtaining access to a host, the worm is copied to that host and then selects new targets.
  3. Content : once a host was infected with the worm, the attacker has access to the host, often as a privileged user. Attackers can use a local vulnerability to raise their privilege level to that of administrator.

RECONNAISSANCE ATTACKS

In addition to malicious code attacks, networks may fall prey to various network attacks.
Network attacks can be classified into three main categories:

  • Recognition attacks : unauthorized detection and schematization of systems, services or vulnerabilities.
  • Access attacks : unauthorized manipulation of data, access to the system or user privileges.
  • Denial of service : they consist of deactivating or damaging networks, systems or services. 
  • Reconnaissance attacks

External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space allocated to a particular company or entity. Once the IP address space is determined, an attacker can ping the publicly available IP addresses to identify the addresses that are active. To contribute to the automation of this step, an attacker can use a ping scan tool, such as fping or gping, that systematically ping all network addresses in a given range or subnet. This is similar to reviewing a section of a phone book and calling each number to see who attends.

ATTACKS WITH ACCESS

Access attacks exploit known vulnerabilities of authentication services, FTP services and Web services to gain access to Web accounts, confidential databases and other confidential information. An access attack allows a person to gain unauthorized access to information that they do not have the right to see. Access attacks can be classified into four types: Password attack, Trust exploitation, Port redirection and Man-in-the-middle attack.



One of the most common types of access attacks is password attack . Password attacks can be implemented with packet detection programs to obtain user accounts and passwords that are transmitted as unencrypted text. Password attacks can also refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password or both. These repeated attempts are called " dictionary attacks " or "brute force attacks."

ATTACKS ON DOS (DENIAL OF SERVICE)

DoS attacks are the best known form of attack and are also among the most difficult to eliminate. Even within the community of attackers, DoS attacks are considered trivial and are frowned upon, since they require very little effort to execute. However, due to ease of implementation and potentially considerable damage, security administrators must pay special attention to DoS attacks.

DoS attacks have many forms. Fundamentally, they prevent authorized persons from using a service by consuming system resources.

3. MITIGATION OF NETWORK ATTACKS

Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading on the network. Antivirus software can be implemented at the user level and at the network level.Staying up to date with the latest advances in these types of attacks can also contribute to a more effective defense against them. Mitigating worm attacks requires the diligence of network and systems administration personnel. The following are the recommended steps to mitigate worm attacks:

  • Containment : contain the spread of the worm within the network. Divide the uninfected parts of the network into sections.
  • Inoculation : start patching all systems and, if possible, examine for vulnerable systems.
  • Quarantine : Track all infected machines within the network. Disconnect or remove infected machines from the network or block them.
  • Treatment : clean all infected systems and apply patches. Some worms may require a complete reinstallation of the central system to clean the system.

BACKUPS, UPDATES AND PATCHES

The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and apply patches to all vulnerable systems.

This is difficult with uncontrolled user systems in the local network. The administration of numerous systems involves the creation of an image of standard software (operating system and accredited applications whose use is authorized in client systems) that is implemented in new or updated systems. However, security requirements change, and updated security patches may have to be installed on systems that are already implemented.

AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices. AAA is a way of controlling who is allowed to access a network (authenticate), control what people can do while they are there (authorize) and observe the actions they take while accessing the network (accounting).

  • Authentication : Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and answer questions, token cards and other methods.
  • Accounting : Accounting records what the user does, including the elements he accesses, the amount of time he accesses the resource and all the changes that were made.
  • The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it and how much that user can spend, and keeps track of the items in which the user spent money, as shown in the illustration.

FIREWALLS

In addition to protecting the individual computers and servers connected to the network, it is important to control inbound and outbound network traffic. The firewall is one of the most effective security tools available for the protection of internal network users against external threats. The firewall resides between two or more networks and controls traffic between them, in addition to preventing unauthorized access. Firewall products use different techniques to determine what access to allow and what access to deny on a network.

FIREWALL TECHNIQUES

These techniques are as follows:

  • Packet filtering : prevents or allows access based on IP or MAC addresses.
  • Application filtering : prevents or allows access to specific types of applications according to port numbers.
  • URL filtering : prevents or allows access to websites based on specific keywords or URLs.
  • Stateful packet inspection (SPI) : Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packages are blocked, unless specifically allowed. The SPI may also include the ability to recognize and filter specific types of attacks, such as denial of service (DoS) attacks.

FIREWALLS PRODUCTS

Firewall products can support one or more of these filtering capabilities. In addition, firewalls usually perform network address translation (NAT). The NAT translates an address or group of IP addresses internal and external public IP address sent through the network. This allows you to hide the internal IP addresses of external users.
Firewall products come in different formats.

  • Application- based firewalls: An application- based firewall is a firewall built into a dedicated hardware device, known as a security application.
  • Server- based firewalls: A server- based firewall consists of a firewall application that runs on a network operating system (NOS), such as UNIX or Windows.
  • Integrated firewalls: An integrated firewall is implemented by adding firewall functionalities to an existing device, such as a router.
  • Personal firewalls: Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default on the OS or they may come from an external provider.

TERMINAL SECURITY

A network is just as secure as its weakest link. The main threats that are most analyzed in the media are external threats, such as Internet worms and DoS attacks. But the protection of the internal network is as important as the protection of the perimeter of a network. The internal network consists of network terminals. A terminal, or a host, is a computer system or an individual device that acts as a network client. Common terminals are laptops, desktops, servers, smartphones and tablet PCs. If users do not apply security to terminal devices, no security precaution will guarantee a secure network.
The security of terminal devices is one of the most challenging jobs for a network administrator, since it includes human nature. Employees should be trained on the correct use of the network. In general, these policies include the use of antivirus software and host intrusion prevention. The most comprehensive terminal security solutions depend on network access control.

4. DEVICE PROTECTION

A part of network security is to protect the devices themselves, including end devices and intermediaries, such as network devices. When a new operating system is installed on a device, the security settings are set to default values. In most cases, that level of security is insufficient.


On Cisco routers, the Cisco AutoSecure feature can be used to protect the system, as described in the illustration. There are some simple steps that must be followed and that apply to most operating systems:

  • Usernames and default passwords must be changed immediately.
  • Access to system resources should be restricted only to people who are authorized to use those resources.
  • Whenever possible, all unnecessary services and applications should be deactivated and uninstalled.
  • All devices with security patches should be updated as they become available.

SECURE PASSWORDS

To protect network devices, it is important to use strong passwords. The standard guidelines that should be followed are as follows:

  • Use a password length of at least eight characters and preferably ten characters or more. The longer it is, the better the password.
  • Create complex passwords. Include a combination of upper and lower case letters, numbers, symbols and spaces, if allowed.
  • Avoid passwords based on repetition, common dictionary words, sequences of letters or numbers, usernames, family or pet names, biographical information, identification numbers, ancestor names or other easily identifiable information.
  • Enter a password with spelling errors on purpose. For example, Smith = Smyth = 5mYth, or Security = 5security.
  • Change passwords frequently. If a password is compromised without knowing it, the opportunities for the attacker to use it are limited.
  • Do not write down passwords or leave them in obvious places, for example, on your desktop or monitor.

On Cisco routers, the initial spaces for passwords are ignored, but the spaces that follow the first character are not ignored.
Note : One method to create a strong password is to use the space bar in the password and create a phrase composed of many words. This is called a " passphrase ".
Administrators must ensure that strong passwords are used throughout the network. One way to achieve this is to use the same “brute force” attack tools that attackers use as a method to verify password security.

BASIC SECURITY PRACTICES

When implementing devices, it is important to follow all safety guidelines set by the organization. This includes the designation of devices in such a way that it facilitates the tasks of registration and monitoring, but also maintains some type of security. It is not recommended to provide too much information about the use of the device in the host name. There are many other basic security measures that must be implemented.

ADDITIONAL PASSWORD SECURITY

Secure passwords are useful insofar as they are secret. Various measures can be taken to ensure that passwords remain secret. Through the global configuration command service password-encryption , unauthorized persons are prevented from seeing the passwords as unencrypted text in the configuration file. This command causes the encryption of all unencrypted passwords.

Also, to ensure that all configured passwords have a specific minimum length, use the security passwords min-length command of the global configuration mode.

Another way in which hackers discover passwords is simply by brute force attacks, that is, by testing several passwords until one works. It is possible to avoid such attacks if attempts to log in to the device are blocked when a certain number of errors occur within a specific period.

Router (config) # login block-for 120 attempts 3 within 60
This command blocks login attempts for 120 seconds if there are three failed login attempts in 60 seconds.

Example of secure configuration:

Router (config) #service password-encryption
Router (config) #security password min-length 8
Router (config) #login block-for 120 attempts 3 within 60
Router (config) #line vty 0 4
Router (config-vty) # exec-timeout 10 
Router (config-vty) #end
# Show running-config router
-more-
!
line vty 0 4
 password 7 03095A0F034F38435B49150A1819
 exec-timeout 10
 login

MESSAGES

The warning messages are similar to the entry prohibition notices. They are important in order to sue anyone who accesses the system inappropriately in court. Make sure that the warning messages comply with the organization's security policies.

Router (config) # banner motd # message #
EXEC TIMEOUT
Another recommendation is to configure execution timeouts. When configuring the runtime, it instructs the Cisco device to automatically disconnect users on a line after they have been inactive during the runtime timeout value.
Execution timeouts can be configured on console, vty and auxiliary ports.

Router (config) # line vty 0 4
Router (config-vty) # exec-timeout 10
This command disconnects users after 10 minutes.

ACTIVATE SSH

The old protocol to manage devices remotely is Telnet. Telnet is not safe. The data contained in a Telnet packet is transmitted without encryption. Using a tool like Wireshark, it is possible for someone to detect a Telnet session and obtain password information. For this reason, it is especially recommended to enable SSH on devices to obtain a secure remote access method. It is possible to configure a Cisco device to support SSH through four steps:


  1. Step 1 . Make sure the router has a unique host name and configure the network's IP domain name using the ip domain-name domain-name command in global configuration mode.
  2. Step 2 . Unidirectional secret keys must be generated for a router to encrypt SSH traffic. The key is precisely what is used to encrypt and decrypt data. To create an encryption key, use the crypto key generate rsa general-keys modulus module-size command in global configuration mode. AND
Router (config) # crypto key generate rsa general-keys modulus 1024
  1. Step 3 . Create a username entry in the local database using the username secret secret name command of the global configuration mode.
  2. Step 4. Enable incoming SSH sessions by vty using the line vty login local and transport input ssh commands .


The router's SSH service can now be accessed using SSH client software.