11
  • Week 12 Main Banner

    Chapter 11: Objectives

    Upon completion of this chapter, you will be able to:
    Identify the devices and protocols used in a small network.
    Explain how a small network serves as the basis of larger networks.
    Describe the need for basic security measures on network devices.
    Identify security vulnerabilities and general mitigation techniques.
    Configure network devices with device hardening features to mitigate security threats.
    Use the output of ping and tracert commands to establish relative network performance.
    Use basic show commands to verify the configuration and status of a device interface.

    Chapter 11

    Create and Grow
    Keeping the Network Safe
    Basic Network Performance
    Managing IOS Configuration Files
    Integrated Routing Services
    Summary
  • Create and Grow Banner

    Device Selection for a Small Network cont...

    Expandability

    Networking devices come in both fixed and modular physical configurations. Fixed configurations have a specific number and type of ports or interfaces. Modular devices have expansion slots that provide the flexibility to add new modules as requirements evolve. Switches are available with additional ports for high-speed uplinks. Routers can be used to connect different types of networks. Care must be taken to select the appropriate modules and interfaces for the specific media.

    Operating System Features and Services

    Depending on the version of the operating system, a network device can support certain features and services, such as:
    Security
    Quality of Service (QoS)
    Voice over IP (VoIP)
    Layer 3 switching
    Network Address Translation (NAT)
    Dynamic Host Configuration Protocol (DHCP)

    Small Network Topologies

    The majority of businesses are small. It is not surprising then that the majority of networks are also small. A typical small-business network is shown in the 📷 figure.

    With small networks, the design of the network is usually simple. The number and type of devices included are significantly reduced compared to that of a larger network. The network topologies typically involve a single router and one or more switches. Small networks may also have wireless access points (possibly built into the router) and IP phones. As for connection to the Internet, normally a small network has a single WAN connection provided by DSL, cable, or an Ethernet connection.

    Managing a small network requires many of the same skills as those required for managing a larger one. The majority of work is focused on maintenance and troubleshooting of existing equipment, as well as securing devices and information on the network. The management of a small network is either done by an employee of the company or a person contracted by the company, depending on the size and type of the business.

    Device Selection for a Small Network

    In order to meet user requirements, even small networks require planning and design. Planning ensures that all requirements, cost factors, and deployment options are given due consideration.

    When implementing a small network, one of the first design considerations is the type of intermediate devices to use to support the network. When selecting the type of intermediate devices, there are a number of factors that need to be considered, as shown in the 📷 figure.

    Cost

    The cost of a switch or router is determined by its capacity and features. The device capacity includes the number and types of ports available and the backplane speed. Other factors that impact the cost are network management capabilities, embedded security technologies, and optional advanced switching technologies. The expense of cable runs required to connect every device on the network must also be considered. Another key element affecting cost considerations is the amount of redundancy to incorporate into the network.

    Speed and Types of Ports/Interfaces

    Choosing the number and type of ports on a router or switch is a critical decision. Newer computers have built-in 1 Gb/s NICs. 10 Gb/s ports are already included with some workstations and servers. While it is more expensive, choosing Layer 2 devices that can accommodate increased speeds allows the network to evolve without replacing central devices.

    X
    Small Network Topology Diagram
    X
    Factors to Consider in Choosing a Device
  • Traffic Management

    The network administrator should consider the various types of traffic and their treatment in the network design. The routers and switches in a small network should be configured to support real-time traffic, such as voice and video, in a distinct manner relative to other data traffic. In fact, a good network design will classify traffic carefully according to priority, as shown in the 📷 figure. In the end, the goal for a good network design, even for a small network, is to enhance the productivity of the employees and minimize network downtime.

    Common Applications

    The network is only as useful as the applications that are on it. There are two forms of software programs or processes that provide access to the network: network applications and application layer services.

    Network Applications

    Applications are the software programs used to communicate over the network. Some end-user applications are network-aware, meaning that they implement application layer protocols and are able to communicate directly with the lower layers of the protocol stack. Email clients and web browsers are examples of this type of application.

    Application Layer Services

    Other programs may need the assistance of application layer services to use network resources like file transfer or network print spooling. Though transparent to an employee, these services are the programs that interface with the network and prepare the data for transfer. Different types of data, whether text, graphics or video, require different network services to ensure that they are properly prepared for processing by the functions occurring at the lower layers of the OSI model.

    Each application or network service uses protocols, which define the standards and data formats to be used. Without protocols, the data network would not have a common way to format and direct data. In order to understand the function of various network services, it is necessary to become familiar with the underlying protocols that govern their operation.

    IP Addressing for a Small Network

    When implementing a small network, it is necessary to plan the IP addressing space. All hosts within an internetwork must have a unique address. The IP addressing scheme should be planned, documented and maintained based on the type of device receiving the address.

    Examples of different types of devices that will factor into the IP design are:
    End devices for users
    Servers and peripherals
    Hosts that are accessible from the Internet
    Intermediary devices

    Planning and documenting the IP addressing scheme helps the administrator track device types. For example, if all servers are assigned a host address between the range of 50-100, it is easy to identify server traffic by IP address. This can be very useful when troubleshooting network traffic issues using a protocol analyzer.

    Additionally, administrators are better able to control access to resources on the network based on IP address when a deterministic IP addressing scheme is used. This can be especially important for hosts that provide resources to the internal network as well, as to the external network. Web servers or e-commerce servers play such a role. If the addresses for these resources are not planned and documented, the security and accessibility of the devices are not easily controlled. If a server has a random address assigned, blocking access to this address is difficult, and clients may not be able to locate this resource.

    Each of these different device types should be allocated to a logical block of addresses within the address range of the network.

    Redundancy in a Small Network

    Another important part of network design is reliability. Even small businesses often rely heavily on their network for business operation. A failure of the network can be very costly. In order to maintain a high degree of reliability, redundancy is required in the network design. Redundancy helps to eliminate single points of failure. There are many ways to accomplish redundancy in a network. Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas, as shown in the 📷 figure.

    Small networks typically provide a single exit point toward the Internet via one or more default gateways. If the router fails, the entire network loses connectivity to the Internet. For this reason, it may be advisable for a small business to pay for a second service provider as backup.
    X
    Redundancy to a Server Farm
    X
    Traffic Management
  • Voice and Video Applications cont...

    IP Telephony

    In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling. There are now many vendors with dedicated IP telephony solutions for small networks.

    Real-time Applications

    To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement. RTP and RTCP enable control and scalability of the network resources by allowing Quality of Service (QoS) mechanisms to be incorporated. These QoS mechanisms provide valuable tools for minimizing latency issues for real-time streaming applications.

    Video and Voice Applications
    Video and Voice Applications

     

    Common Protocols

    Most of a technician’s work, in either a small or a large network, will in some way be involved with network protocols. Network protocols support the applications and services used by employees in a small network. Common network protocols are shown in the 📷 figure.

    These network protocols comprise the fundamental toolset of a network professional. Each of these network protocols define:
    Processes on either end of a communication session
    Types of messages
    Syntax of the messages
    Meaning of informational fields
    How messages are sent and the expected response
    Interaction with the next lower layer

    Many companies have established a policy of using secure versions of these protocols whenever possible. These protocols are HTTPS, SFTP, and SSH.

    Voice and Video Applications

    Businesses today are increasingly using IP telephony and streaming media to communicate with customers and business partners, as shown in Figure 1. The network administrator must ensure the proper equipment is installed in the network and that the network devices are configured to ensure priority delivery. Figure 2 shows elements of a small network that support real-time applications.

    Infrastructure

    To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic. The network designer must determine whether the existing switches and cabling can support the traffic that will be added to the network.

    VoIP

    VoIP devices convert analog into digital IP packets. The device could be an analog telephone adapter (ATA) that is attached between a traditional analog phone and the Ethernet switch. After the signals are converted into IP packets, the router sends those packets between corresponding locations. VoIP is much less expensive than an integrated IP telephony solution, but the quality of communications does not meet the same standards. Voice and video over IP solutions for small businesses can be realized, for example, with Skype and non-enterprise versions of Cisco WebEx.

    X
    Network Services
  • Employee Network Utilisation

    In addition to understanding changing traffic trends, a network administrator must also be aware of how network use is changing. A small network administrator has the ability to obtain in-person IT “snapshots” of employee application utilisation for a significant portion of the employee workforce over time. These snapshots typically include information such as:
    OS and OS Version
    Non-Network Applications
    Network Applications
    CPU Utilisation
    Drive Utilisation
    RAM Utilisation

    Documenting snapshots for employees in a small network over a period of time will go a long way toward informing the network administrator of evolving protocol requirements and associated traffic flows. A shift in resource utilisation may require the network administrator to adjust network resource allocations accordingly.

    Small Network Growth

    Growth is a natural process for many small businesses, and their networks must grow accordingly. Ideally, the network administrator has enough lead time to make intelligent decisions about growing the network in-line with the growth of the company.

    To scale a network, several elements are required:
    Network documentation - physical and logical topology
    Device inventory - list of devices that use or comprise the network
    Budget - itemized IT budget, including fiscal year equipment purchasing budget
    Traffic analysis - protocols, applications, and services and their respective traffic requirements, should be documented

    These elements are used to inform the decision-making that accompanies the scaling of a small network.

    Protocol Analysis

    When trying to determine how to manage network traffic, especially as the network grows, it is important to understand the type of traffic that is crossing the network as well as the current traffic flow. If the types of traffic are unknown, a protocol analyzer will help identify the traffic and its source.

    To determine traffic flow patterns, it is important to:
    Capture traffic during peak utilization times to get a good representation of the different traffic types.
    Perform the capture on different network segments; some traffic will be local to a particular segment.

    Information gathered by the protocol analyzer is evaluated based on the source and destination of the traffic, as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently. This can be done by reducing unnecessary traffic flows or changing flow patterns altogether by moving a server, for example.

    Sometimes, simply relocating a server or service to another network segment improves network performance and accommodates the growing traffic needs. At other times, optimizing the network performance requires major network redesign and intervention.
  • Keeping the Network Safe Banner

    Types of Vulnerabilities

    Technological Vulnerabilities
    Configuration Vulnerabilities
    Security Policy

      

    Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.

    There are three primary vulnerabilities or weaknesses:
    Technological, as shown in Figure 1
    Configuration, as shown in Figure 2
    Security policy, as shown in Figure 3

    All three of these vulnerabilities or weaknesses can lead to various attacks, including malicious code attacks and network attacks.

    Types of Threats

    Whether wired or wireless, computer networks are essential to everyday activities. Individuals and organizations alike depend on their computers and networks. Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets.

    Intruders can gain access to a network through software vulnerabilities, hardware attacks or through guessing someone's username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are often called hackers.

    After the hacker gains access to the network, four types of threats may arise, as shown in the 📷 figure.

    Physical Security

    An equally important vulnerability is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised.

    The four classes of physical threats are:
    Hardware threats - physical damage to servers, routers, switches, cabling plant, and workstations
    Environmental threats - temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
    Electrical threats - voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
    Maintenance threats - poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

    These issues must be dealt with in an organizational policy.
    X
    Type of Threat Diagram
  • Reconnaissance Attacks

    In addition to malicious code attacks, it is also possible for networks to fall prey to various network attacks. Network attacks can be classified into three major categories:
    Reconnaissance attacks - the discovery and mapping of systems, services, or vulnerabilities
    Access attacks - the unauthorized manipulation of data, system access, or user privileges
    Denial of service - the disabling or corruption of networks, systems, or services

    For reconnaissance attacks, external attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, an attacker may use a ping sweep tool, such as fping or gping, which systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.

    Access Attacks

    Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack allows an individual to gain unauthorized access to information that they have no right to view. Access attacks can be classified into four types:
    Password attacks
    Trust Exploitation
    Port Redirection
    Man-in-the-Middle

    Denial of Service Attacks

    Denial of Service (DoS) attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.

    DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources.

    To help prevent DoS attacks it is important to stay up to date with the latest security updates for operating systems and applications. Updates to operating systems have made the ping of death no longer a threat.

    Types of Malware

    Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware.

    Viruses

    A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.

    Worms

    Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. A worm does not need to attach to a program to infect a host and enter a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.

    Trojan Horses

    A Trojan horse is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create back doors to give malicious users access to the system.

    Unlike viruses and worms, Trojan horses do not reproduce by infecting other files, nor do they self-replicate. Trojan horses must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
  • Firewalls cont...

    URL filtering - Prevents or allows access to websites based on specific URLs or keywords
    Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS)

    Firewall products may support one or more of these filtering capabilities. Firewall products come packaged in various forms.

    Endpoint Security

    An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints, are laptops, desktops, servers, smartphones, and tablets. Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature. A company must have well-documented policies in place and employees must be aware of these rules. Employees need to be trained on proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.

    Device Security Overview

    When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist securing the system, as shown in the 📷 figure. In addition, there are some simple steps that should be taken that apply to most operating systems:
    Default usernames and passwords should be changed immediately.
    Access to system resources should be restricted to only the individuals that are authorized to use those resources.
    Any unnecessary services and applications should be turned off and uninstalled when possible.

    Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important to update any software and install any security patches prior to implementation.

    Backup, Upgrade, Update, and Patch

    Keeping up-to-date with the latest developments can lead to a more effective defense against network attacks. As new malware is released, enterprises need to keep current with the latest versions of antivirus software.

    The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems. However, security requirements change and already deployed systems may need to have updated security patches installed.

    One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time, as shown in the 📷 figure. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

    Authentication, Authorization, and Accounting

    Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and what actions they perform while accessing the network (accounting).

    The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on, as shown in the 📷 figure. Refer to the Chapter Appendix to learn more about AAA.

    Firewalls

    A firewall is one of the most effective security tools available for protecting users from external threats. Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. Host-based firewalls or personal firewalls are installed on end systems. Firewall products use various techniques for determining what is permitted or denied access to a network. These techniques are:
    Packet filtering - Prevents or allows access based on IP or MAC addresses
    Application filtering - Prevents or allows access by specific application types based on port numbers
    X
    OS Patches
    X
    The AAA Concept is similar to the Use of a Credit Card
    X
    Locking Down Your Router
  • Basic Security Practices cont...

    Exec Timeout

    Another recommendation is setting executive timeouts. By setting the exec timeout, you are telling the Cisco device to automatically disconnect users on a line after they have been idle for the duration of the exec timeout value. Exec timeouts can be configured on console, VTY, and aux ports using the exec-timeout command in line configuration mode.

    Router(config)# line vty 0 4

    Router(config-line)# exec-timeout 10

    This command configures the device to disconnect idle users after 10 minutes.

    Enable SSH

    Telnet is not secure. Data contained within a Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to enable SSH on devices for secure remote access. It is possible to configure a Cisco device to support SSH using four steps, as shown in the 📷 figure.

    Step 1. Ensure that the router has a unique hostname, and then configure the IP domain name of the network using the ip domain-name command in global configuration mode.

    Step 2. One-way secret keys must be generated for a router to encrypt SSH traffic. To generate the SSH key, use the crypto key generate rsa general-keys command in global configuration mode. The specific meaning of the various parts of this command are complex and out of scope for this course. Just note that the modulus determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the key, but the longer it takes to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.

    Step 3. Create a local database username entry using the username global configuration command.

    Step 4. Enable inbound SSH sessions using the line vty commands login local and transport input ssh.

    The router can now be remotely accessed only by using SSH.

    Passwords

    To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
    Use a password length of at least 8 characters, preferably 10 or more characters. A longer password is a better password.
    Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
    Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
    Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
    Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
    Do not write passwords down and leave them in obvious places such as on the desk or monitor.

    The 📷 figure shows examples of strong and weak passwords.

    On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess.

    Basic Security Practices

    Additional Password Security

    Strong passwords are only as useful as they are secret. There are several steps that can be taken to help ensure that passwords remain secret. Using the global configuration command service password-encryption prevents unauthorised individuals from viewing passwords in plain text in the configuration file, as shown in the 📷 figure. This command causes the encryption of all passwords that are unencrypted.

    Additionally, to ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length command in global configuration mode.

    Another way hackers learn passwords is simply by brute-force attacks, trying multiple passwords until one works. It is possible to prevent this type of attack by blocking login attempts to the device if a set number of failures occur within a specific amount of time.

    Router(config)# login block-for 120 attempts 3 within 60

    This command will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
    X
    Weak and Strng Password
    X
    Basic Security Practices
    X
    Enable SSH
  • Basic Network Performance

    Network Baseline

    One of the most effective tools for monitoring and troubleshooting network performance is to establish a network baseline. Creating an effective network performance baseline is accomplished over a period of time. Measuring performance at varying times and loads will assist in creating a better picture of overall network performance.

    The output derived from network commands can contribute data to the network baseline.

    One method for starting a baseline is to copy and paste the results from an executed ping, trace, or other relevant commands into a text file. These text files can be time stamped with the date and saved into an archive for later retrieval and comparison. Among items to consider are error messages and the response times from host to host. If there is a considerable increase in response times, there may be a latency issue to address.

    Corporate networks should have extensive baselines; more extensive than we can describe in this course. Professional-grade software tools are available for storing and maintaining baseline information. In this course, we only cover some basic techniques and discuss the purpose of baselines.

    Best practices for baseline processes can be found here.

    Interpreting Trace Messages

    A trace returns a list of hops as a packet is routed through a network. The form of the command depends on where the command is issued. When performing the trace from a Windows computer, use tracert. When performing the trace from a router CLI, use traceroute, as shown in the 📷 figure.

    The 📷 figure shows example output of the tracert command entered on Host 1 to trace the route to Host 2. The only successful response was from the gateway on Router A. Trace requests to the next hop timed out, meaning that the next hop router did not respond. The trace results indicate that there is either a failure in the internetwork beyond the LAN or that these routers have been configured not to respond to echo requests used in the trace.

    Interpreting Ping Results

    Using the ping command is an effective way to test connectivity. The ping command uses the Internet Control Message Protocol (ICMP) and verifies Layer 3 connectivity. The ping command will not always pinpoint the nature of a problem, but it can help to identify the source of the problem, an important first step in troubleshooting a network failure.

    IOS Ping Indicators

    A ping issued from the IOS will yield one of several indications for each ICMP echo request that was sent. The most common indicators are:
    ! - indicates receipt of an ICMP echo reply message, as shown in the 📷 figure
    . - indicates a time expired while waiting for an ICMP echo reply message
    U - an ICMP unreachable message was received

    The "." (period) may indicate that a connectivity problem occurred somewhere along the path. It may also indicate that a router along the path did not have a route to the destination and did not send an ICMP destination unreachable message. It also may indicate that the ping was blocked by device security. When sending a ping on an Ethernet LAN it is common for the first echo request to timeout if the ARP process is required.

    The "U" indicates that a router along the path responded with an ICMP unreachable message. The router either did not have a route to the destination address or that the ping request was blocked.

    Testing the Loopback

    The ping command can also be used to verify the internal IP configuration on the local host by pinging the loopback address, 127.0.0.1, as shown in the 📷 figure. This verifies the proper operation of the protocol stack from the network layer to the physical layer - and back - without actually putting a signal on the media.

    Extended Ping

    The Cisco IOS offers an "extended" mode of the ping command. This mode is entered by typing ping in privileged EXEC mode, without a destination IP address. As shown in the figure, a series of prompts are then presented. Pressing Enter accepts the indicated default values. The example illustrates how to force the source address for a ping to be 10.1.1.1 (see R2 in the 📷 figure); the source address for a standard ping would be 209.165.200.226. By doing this, the network administrator can verify from R2 that R1 has a route to 10.1.1.0/24.
    X
    IOS Ping Indicators
    X
    Testing the Loopback
    X
    Extended Ping
    X
    Testing the Path to a Remote Host
    X
    Tracing the Route from Host 1 to Host 2
  • ipconfig
    ipconfig/all
    ipconfig/displaydns

      

    The arp Command

    The arp command is executed from the Windows command prompt, as shown in the 📷 figure. The arp –a command lists all devices currently in the ARP cache of the host, which includes the IPv4 address, physical address, and the type of addressing (static/dynamic), for each device.

    The cache can be cleared by using the arp -d* command in the event the network administrator wants to repopulate the cache with updated information.

    Note: The ARP cache only contains information from devices that have been recently accessed. To ensure that the ARP cache is populated, ping a device so that it will have an entry in the ARP table.

    Common show Commands Revisited

    The Cisco IOS CLI show commands display relevant information about the configuration and operation of the device.

    Network technicians use show commands extensively for viewing configuration files, checking the status of device interfaces and processes, and verifying the device operational status. The show commands are available whether the device was configured using the CLI or Cisco Configuration Professional.

    The status of nearly every process or function of the router can be displayed using a show command. Some of the more popular show commands are:
    show running-config
    show interfaces
    show arp
    show ip route
    show protocols
    show version

    The ipconfig Command

    As shown in Figure 1, the IP address of the default gateway of a host can be viewed by issuing the ipconfig command at the command line of a Windows computer.

    As shown in Figure 2, use the ipconfig /all command to view the MAC address as well as a number of details regarding the Layer 3 addressing of the device.

    The DNS Client service on Windows PCs optimizes the performance of DNS name resolution by storing previously resolved names in memory, as well. As shown if Figure 3, the ipconfig /displaydns command displays all of the cached DNS entries on a Windows computer system.
    X
    Learning About the Nodes on the Network
  • The show ip interface brief Command cont...

    Verifying the Switch Interfaces

    On Figure 2, click the S1 button. The show ip interface brief command can also be used to verify the status of the switch interfaces. The Vlan1 interface is assigned an IP address of 192.168.254.250 and has been enabled and is operational.

    The output also shows that the FastEthernet0/1 interface is down. This indicates that either no device is connected to the interface or the device that is connected has a network interface that is not operational.

    In contrast, the output shows that the FastEthernet0/2 and FastEthernet0/3 interfaces are operational. This is indicated by both the Status and Protocol being shown as up.

    Interface Testing
    Interface Testing Interface Testing

     

    The show cdp neighbors Command

    Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol that runs at the data link layer. Because CDP operates at the data link layer, two or more Cisco network devices, such as routers that support different network layer protocols, can learn about each other even if Layer 3 connectivity does not exist.

    When a Cisco device boots, CDP starts by default. CDP automatically discovers neighboring Cisco devices running CDP, regardless of which Layer 3 protocol or suites are running. CDP exchanges hardware and software device information with its directly connected CDP neighbors.

    The show cdp neighbors detail command reveals the IP address of a neighboring device. CDP will reveal the neighbor's IP address regardless of whether or not you can ping the neighbor. This command is very helpful when two Cisco routers cannot route across their shared data link. The show cdp neighbors detail command will help determine if one of the CDP neighbors has an IP configuration error.

    CDP provides the following information about each CDP neighbor device:
    Device identifiers - For example, the configured host name of a switch
    Address list - Up to one network layer address for each protocol supported
    Port identifier - The name of the local and remote port in the form of an ASCII character string, such as FastEthernet 0/0
    Capabilities list - For example, whether this device is a router or a switch
    Platform - The hardware platform of the device; for example, a Cisco 1841 series router

    For network discovery situations, knowing the IP address of the CDP neighbor is often all the information needed to Telnet into that device.

    For obvious reasons, CDP can be a security risk. Because some IOS versions send out CDP advertisements by default, it is important to know how to disable CDP.

    To disable CDP globally, use the global configuration command no cdp run. To disable CDP on an interface, use the interface command no cdp enable.

    The show ip interface brief Command

    In the same way that commands and utilities are used to verify a host configuration, commands can be used to verify the interfaces of intermediate devices. The Cisco IOS provides commands to verify the operation of router and switch interfaces.

    Verifying Router Interfaces

    One of the most frequently used commands is the show ip interface brief command. This command provides a more abbreviated output than the show ip interface command. It provides a summary of the key information for all the network interfaces on a router.

    Figure 1 shows the topology that is being used in this example.

    On Figure 2, click the R1 button. The show ip interface brief output displays all interfaces on the router, the IP address assigned to each interface, if any, and the operational status of the interface.

  • Managing IOS Configuration Files
    File Systems
    Flash
    NVRAM

      

    Switch File Systems

    With the Cisco 2960 switch flash file system, you can copy configuration files, and archive (upload and download) software images.

    The command to view the file systems on a Catalyst switch is the same as on a Cisco router: show file systems.

    Router File Systems

    The Cisco IOS File System (IFS) allows the administrator to navigate to different directories and list the files in a directory, and to create subdirectories in flash memory or on a disk. The directories available depend on the device.

    Figure 1 displays the output of the show file systems command, which lists all of the available file systems on a Cisco 1941 router. This command provides useful information such as the amount of available and free memory, the type of file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw), shown in the Flags column of the command output.

    Although there are several file systems listed, of interest to us will be the tftp, flash, and nvram file systems.

    Notice that the flash file system also has an asterisk preceding it. This indicates that flash is the current default file system. The bootable IOS is located in flash; therefore, the pound symbol (#) is appended to the flash listing, indicating that it is a bootable disk.

    The Flash File System

    Figure 2 displays the output from the dir command. Because flash is the default file system, the dir command lists the contents of flash. Several files are located in flash, but of specific interest is the last listing. This is the name of the current Cisco IOS file image that is running in RAM.

    The NVRAM File System

    To view the contents of NVRAM, you must change the current default file system using the cd (change directory) command, as shown in Figure 3. The pwd (present working directory) command verifies that we are viewing the NVRAM directory. Finally, the dir (directory) command lists the contents of NVRAM. Although there are several configuration files listed, of specific interest is the startup-configuration file.
  • Backing up and Restoring TFTP

    Backup Configurations with TFTP

    Copies of configuration files should be stored as backup files in the event of a problem. Configuration files can be stored on a Trivial File Transfer Protocol (TFTP) server or a USB drive. A configuration file should also be included in the network documentation.

    To save the running configuration or the startup configuration to a TFTP server, use either the copy running-config tftp or copy startup-config tftp command as shown in the 📷 figure. Follow these steps to backup the running configuration to a TFTP server:

    Step 1. Enter the copy running-config tftp command.

    Step 2. Enter the IP address of the host where the configuration file will be stored.

    Step 3. Enter the name to assign to the configuration file.

    Step 4. Press Enter to confirm each choice.

    Restoring Configurations with TFTP

    To restore the running configuration or the startup configuration from a TFTP server, use either the copy tftp running-config or copy tftp startup-config command. Use these steps to restore the running configuration from a TFTP server:

    Step 1. Enter the copy tftp running-config command.

    Step 2. Enter the IP address of the host where the configuration file is stored.

    Step 3. Enter the name to assign to the configuration file.

    Step 4. Press Enter to confirm each choice.

    Backing Up and Restoring Using Text Files

    Backup Configurations with Text Capture (Tera Term)

    Configuration files can be saved/archived to a text file using Tera Term.

    As shown in the 📷 figure, the steps are:

    Step 1. On the File menu, click Log.

    Step 2. Choose the location to save the file. Tera Term will begin capturing text.

    Step 3. After capture has been started, execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the terminal window will be directed to the chosen file.

    Step 4. When the capture is complete, select Close in the Tera Term: Log window.

    Step 5. View the file to verify that it was not corrupted.

    Restoring Text Configurations

    A configuration can be copied from a file to a device. When copied from a text file and pasted into a terminal window, the IOS executes each line of the configuration text as a command. This means that the file will require editing to ensure that encrypted passwords are in plain text and that non-command text such as "--More--" and IOS messages are removed. This process is discussed in the lab.

    Further, at the CLI, the device must be set at the global configuration mode to receive the commands from the text file being pasted into the terminal window.

    When using Tera Term, the steps are:

    Step 1. On the File menu, click Send file.

    Step 2. Locate the file to be copied into the device and click Open.

    Step 3. Tera Term will paste the file into the device.

    The text in the file will be applied as commands in the CLI and become the running configuration on the device. This is a convenient method for manually configuring a router.
    X
    Saving to a Text File in Tera Term
    X
    Backing up and RFestoring TFTP
  • Backing Up and Restoring Using a USB
    Backing Up and Restoring Using a USB
    Backing Up and Restoring Using a USB

      

    Using USB Ports on a Cisco Router

    The Universal Serial Bus (USB) storage feature enables certain models of Cisco routers to support USB flash drives. The USB flash feature provides an optional secondary storage capability and an additional boot device. Images, configurations, and other files can be copied to or from the Cisco USB flash memory with the same reliability as storing and retrieving files using the Compact Flash card. In addition, modular integrated services routers can boot any Cisco IOS Software image saved on USB flash memory. Ideally, USB flash can hold multiple copies of the Cisco IOS and multiple router configurations.

    Use the dir command to view the contents of the USB flash drive, as shown in the 📷 figure.

    Backing Up and Restoring Using a USB

    Backup Configurations with a USB Flash Drive

    When backing up to a USB port, it is a good idea to issue the show file systems command to verify that the USB drive is there and confirm the name, as shown in Figure 1.

    Next, use the copy run usbflash0:/ command to copy the configuration file to the USB flash drive. Be sure to use the name of the flash drive, as indicated in the file system. The slash is optional but indicates the root directory of the USB flash drive.

    The IOS will prompt for the filename. If the file already exists on the USB flash drive, the router will prompt to overwrite, as seen in Figure 2.

    Use the dir command to see the file on the USB drive and use the more command to see the contents, as seen in Figure 3.

    Restore Configurations with a USB Flash Drive

    In order to copy the file back, it will be necessary to edit the USB R1-Config file with a text editor. Assuming the file name is R1-Config, use the command copy usbflash0:/R1-Config running-config to restore a running configuration.
    X
    Cisco 1941 Router USB Port
  • Integrated Routing Services Banner

    Configuring the Integrated Router

    Step 1 - Access the router by cabling a computer to one of the router’s LAN Ethernet ports.
    Step 2 - The connecting device will automatically obtain IP addressing information from Integrated Router.
    Step 3 - Change default username and password and the default Linksys IP address for security purposes.

    Enabling Wireless

    Step 1 - Configure the wireless mode
    Step 2 - Configure the SSID
    Step 3 - Configure RF channel
    Step 4 - Configure any desired security encryption

    Configure a Wireless Client

    The wireless client configuration settings must match that of the wireless router. 
    SSID
    Security Settings
    Channel
    Wireless client software can be integrated into the device operating system or stand alone, downloadable, wireless utility software.

    Multi-function Device

    Multi-function Device
    Incorporates a switch, router, and wireless access point.
    Provides routing, switching and wireless connectivity.
    Linksys wireless routers, are simple in design and used in home networks

    Cisco Integrated Services Router (ISR) product family offers a wide range of products, designed for small office to larger networks.

    Wireless Capability

    Wireless Mode – Most integrated wireless routers support 802.11b, 802.11g and 802.11n.
    Service Set Identifier (SSID) – Case-sensitive, alpha-numeric name for your home wireless network.
    Wireless Channel – RF spectrum can be divided up into channels.

    Basic Security of Wireless

    Change default values
    Disable SSID broadcasting
    Configure Encryption using WEP or WPA
    Wired Equivalency Protocol (WEP) - Uses pre-configured keys to encrypt and decrypt data. Every wireless device allowed to access the network must have the same WEP key entered.
    Wi-Fi Protected Access (WPA) – Also uses encryption keys from 64 bits up to 256 bits. New keys are generated each time a connection is established with the AP; therefore, more secure.
  • Summary

    In this chapter, you learned:
    Good network design incorporates reliability, scalability, and availability.
    Networks must be secured from viruses, Trojan horses, worms and network attacks.
    The importance of documenting Basic Network Performance.
    How to test network connectivity using ping and traceroute.
    How to use IOS commands to monitor and view information about the network and network devices.
    How to backup configuration files using TFTP or USB.
    Home networks and small business often use integrated routers, which provide the functions of a switch, router and wireless access point.