CCNA Chapter 11 It’s a Network

The majority of businesses are small businesses. It is not surprising then that the majority of networks are small networks.

Small Networks
With small networks, the design of the network is usually simple.
The number and type of devices on the network are significantly reduced compared to that of a larger network. 
Managing a small network requires many of the same skills as those required for managing a larger one. The majority of work is focused on maintenance and troubleshooting of existing equipment, as well as securing devices and information on the network.

When selecting the type of intermediate devices, there are a number of factors that need to be considered:
- Cost - is typically one of the most important factors when selecting equipment for a small business network. The cost of a switch or router is determined by its capacity and features. Other factors that impact the cost are network management capabilities, embedded security technologies, and optional advanced switching technologies. The expense of the cable runs required to connect every device, and how much redundancy to incorporate into the network, also add to the cost.
- Speed and Types of Ports/Interfaces - Choosing the number and type of ports on a router or switch is a critical decision.
- Expandability - Networking devices come in both fixed and modular physical configurations. Fixed configurations have a specific number and type of ports or interfaces. Modular devices have expansion slots that provide the flexibility to add new modules as requirements evolve.
- Operating System Features and Services - a network device can support certain features and services, such as security, QoS, VoIP, Layer 3 switching, NAT, and DHCP.

Even on a small network, address assignment within the network should not be random.
Planning and documenting the IP addressing scheme helps the administrator to track device types.

Another important part of network design is reliability. 
A failure of the network can be very costly. In order to maintain a high degree of reliability, redundancy is required in the network design. Redundancy helps to eliminate single points of failure.
Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas.
Small networks typically provide a single exit point toward the Internet via one or more default gateways. With one router in the topology, the only redundancy in terms of Layer 3 paths is enabled by utilizing more than one inside Ethernet interface on the router. However, if the router fails, the entire network loses connectivity to the Internet. For this reason, it may be advisable for a small business to pay for a least-cost option account with a second service provider for backup.

To help ensure this availability, the network designer should take the following steps:
Step 1. Secure file and mail servers in a centralized location.
Step 2. Protect the location from unauthorized access by implementing physical and logical security measures.
Step 3. Create redundancy in the server farm that ensures if one device fails, files are not lost.
Step 4. Configure redundant paths to the servers.

The network administrator should consider the various types of traffic and their treatment in the network design. The router(s) and switch(es) in a small network should be configured to support real-time traffic, such as voice and video, in a distinct manner relative to other data traffic.
A good network design will classify traffic carefully according to priority.

Many companies have established a policy of using the secure versions of the protocols they rely on whenever possible. These protocols are HTTPS, SFTP, and SSH.

Infrastructure
To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic. Older switches may not support Power over Ethernet (PoE). Obsolete cabling may not support the bandwidth requirements. The switches and cabling would need to be upgraded to support these applications.

VoIP
VoIP is implemented in an organization that still uses traditional telephones. VoIP uses voice-enabled routers. VoIP is much less expensive than an integrated IP telephony solution, but the quality of communications does not meet the same standards.

IP Telephony
In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling. There are now many vendors with dedicated IP telephony solutions for small networks.

Real-time Applications
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement. RTP and RTCP enable control and scalability of the network resources by allowing quality of service (QoS) mechanisms to be incorporated. These QoS mechanisms provide valuable tools for minimizing latency issues for real-time streaming applications.

To scale a network, several elements are required: 
- Network documentation - physical and logical topology 
- Device inventory - list of devices that use or comprise the network 
- Budget - itemized IT budget, including fiscal year equipment purchasing budget
- Traffic analysis - protocols, applications, and services and their respective traffic requirements should be documented

Large Networks
Supporting and growing a small network requires being familiar with the protocols and network applications running over the network.
Information gathered by a protocol analyzer is analyzed based on the source and destination of the traffic as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently.

It is the responsibility of the network administrator to track network utilization and traffic flow requirements, and implement network modifications in order to optimize employee productivity as the network and business grow. The items to monitor are: OS version, non-network applications, network applications, and CPU, drive, and RAM utilization.
To determine traffic flow patterns, it is important to:
 - Capture traffic during peak utilization times to get a good representation of the different traffic types.
 - Perform the capture on different network segments, because some traffic will be local to a particular segment.

Network Security
Network Device Security Measures
Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks to a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets.
After the hacker gains access to the network, four types of threats may arise:
 - Information theft - Breaking into a computer to obtain confidential information.
 - Identity theft - personal information is stolen for the purpose of taking over someone's identity.
 - Data loss/manipulation - Breaking into a computer to destroy or alter data records.
 - Disruption of service - Preventing legitimate users from accessing services to which they should be entitled (ex: DoS).

The four classes of physical threats are: 
 - Hardware threats - physical damage to servers, routers, switches, cabling plant, and workstations 
 - Environmental threats - temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry) 
 - Electrical threats - voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss 
 - Maintenance threats - poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Some of these issues must be dealt with in an organizational policy. Some of them are subject to good leadership and management in the organization.

Three network security factors are vulnerability, threat, and attack.
Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.
Threats include the people interested and qualified in taking advantage of each security weakness. Such individuals can be expected to continually search for new exploits and weaknesses.
Threats are realized by a variety of tools, scripts, and programs to launch attacks against networks and network devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.
There are three primary vulnerabilities or weaknesses:
- Technological - weaknesses in protocols such as HTTP and ICMP, and in operating systems such as Windows and Linux.
- Configuration - unsecured user accounts, misconfigured Internet services, unsecured default settings.
- Security policy - lack of a written policy, politics, non-existent disaster recovery plan.

All three of these vulnerabilities or weaknesses can lead to various attacks, including malicious code attacks and network attacks.

Malicious code attacks include a number of types of computer programs that were created with the intention of causing data loss or damage. The three main types of malicious code attacks are viruses, Trojan horses, and worms.

- A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation. An example is a program that is attached to command.com (the primary interpreter for Windows systems) and deletes certain files and infects any other versions of command.com that it can find.
- A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.
- Worms are self-contained programs that attack a system and try to exploit a specific vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again. The anatomy of a worm attack is as follows:
 * The enabling vulnerability - A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in emails.
 * Propagation mechanism - After gaining access to a host, a worm copies itself to that host and then selects new targets.
 * Payload - After a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

Network attacks can be classified into three major categories: 
1) Reconnaissance attacks - the unauthorized discovery and mapping of systems, services, or vulnerabilities 
2) Access attacks - the unauthorized manipulation of data, system access, or user privilege (One of the most common types of access attacks is the password attack. Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. Repeated attempts are called dictionary attacks or brute-force attacks)
3) Denial of service - the disabling or corruption of networks, systems, or services (packet storm, ping flood)
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate.

Mitigating Network Attacks
- Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. Antivirus software can be deployed at the user level and at the network level.
- Updates - keeping up to date with the latest developments in these sorts of attacks can also lead to a more effective defense against these attacks.

- Worm attack mitigation requires diligence on the part of system and network administration staff.
The following are the recommended steps for worm attack mitigation:
 1) Containment - Contain the spread of the worm within the network. Compartmentalize uninfected parts of the network.
 2) Inoculation - Start patching all systems and, if possible, scanning for vulnerable systems.
 3) Quarantine - Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
 4) Treatment - Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.

One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time, as shown in the figure. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

 - AAA
Authentication, authorization, and accounting (AAA, or “triple A”) network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to watch the actions they perform while accessing the network (accounting). AAA provides a higher degree of scalability than the console, AUX, VTY, and privileged EXEC authentication commands alone. 
For larger networks, a more scalable solution is external authentication. External authentication allows all users to be authenticated through an external network server. The two most popular options for external authentication of users are RADIUS (an open standard with low use of CPU resources and memory) and TACACS+ (security mechanism that enables modular authentication, authorization, and accounting services).

 - A firewall is one of the most effective security tools available for protecting internal network users from external threats: 
 * Packet filtering - Prevents or allows access based on IP or MAC addresses. 
 * Application filtering - Prevents or allows access by specific application types based on port numbers. 
 * URL filtering - Prevents or allows access to websites based on specific URLs or keywords. 
 * Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks such as denial of service (DoS).

Firewall products come packaged in various forms:
 * Appliance-based firewalls - An appliance-based firewall is a firewall that is built-in to a dedicated hardware device known as a security appliance. 
 * Server-based firewalls - A server-based firewall consists of a firewall application that runs on a network operating system (NOS) such as UNIX or Windows. 
 * Integrated firewalls - An integrated firewall is implemented by adding firewall functionality to an existing device, such as a router. 
 * Personal firewalls - Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default from the OS or may come from an outside vendor.

- Endpoint security
An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints are laptops, desktops, servers, smart phones, and tablets. If users are not practicing security with their endpoint devices, no amount of security precautions will guarantee a secure network.
Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.
Endpoint security also requires securing Layer 2 devices in the network infrastructure to prevent against Layer 2 attacks such as MAC address spoofing, MAC address table overflow attacks, and LAN storm attacks. This is known as attack mitigation.

Securing Devices
When a new operating system is installed on a device, the security settings are set to the default values. The Cisco AutoSecure feature can be used to assist in securing the system.
* Default usernames and passwords should be changed immediately.
* Access to system resources should be restricted to only the individuals that are authorized to use those resources.
* Any unnecessary services and applications should be turned off and uninstalled, when possible.
* All devices should be updated with security patches as they become available.
* To protect network devices, it is important to use strong passwords (deliberately misspelled, complex, at least 8 characters). Change passwords often.
Administrators should ensure that strong passwords are used across the network. One way to accomplish this is to use the same “brute force” attack tools that attackers use as a way to verify password strength.

Additional Password Security
! obscure the plain-text passwords stored in the configuration
service password-encryption
! enforce a minimum password length (number of characters)
security passwords min-length length
! block login attempts for 120 seconds if there are three failed login attempts within 60 seconds
login block-for 120 attempts 3 within 60
! display a message-of-the-day banner before the login prompt
banner motd #message#
! close idle vty sessions after 10 minutes
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 10

SSH instead of Telnet for remote access
! the router needs a hostname and a domain name before an RSA key pair can be generated
ip domain-name domain-name
! crypto key generate rsa general-keys modulus modulus-size
crypto key generate rsa general-keys modulus 1024
username name secret secret
! on the vty lines: authenticate against the local user database and accept SSH only
line vty 0 4
login local
transport input ssh
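
The checklist above can be verified mechanically. The following script, added here as an example and not part of the course material, parses a constructed running-config (all device names, users and values are assumed) and reports which of the items above are missing or weakened; the 10-character minimum length is an assumed threshold, not a course value.

```python
import re

# Constructed sample running-config (not captured from a real device); it
# deliberately violates several of the hardening items listed above.
SAMPLE_CONFIG = """\
hostname R1
no service password-encryption
security passwords min-length 6
username admin secret 5 $1$PLACEHOLDER$notarealhash
ip domain-name example.test
banner motd #Authorized access only#
!
line con 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""


def parse_config(text):
    """Split an IOS config into top-level commands and 'line ...' sections.

    Returns (global_cmds, sections); sections maps a header such as
    'line vty 0 4' to the list of its indented sub-commands.
    """
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_config(text, min_length=10):
    """Return the hardening items from the checklist that are missing or weak."""
    global_cmds, sections = parse_config(text)
    findings = []

    def present(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    # Plain-text line/enable passwords should at least be obscured (type 7).
    if not present("service password-encryption"):
        findings.append("service password-encryption is disabled")

    # Minimum password length; when absent, IOS enforces no minimum at all.
    configured = None
    for cmd in global_cmds:
        m = re.fullmatch(r"security passwords min-length (\d+)", cmd)
        if m:
            configured = int(m.group(1))
    if configured is None or configured < min_length:
        findings.append(f"security passwords min-length is {configured}, want >= {min_length}")

    if not present("login block-for"):
        findings.append("login block-for is not configured (no lockout on failed logins)")
    if not present("banner motd"):
        findings.append("banner motd is not configured")

    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        # exec-timeout defaults to 10 minutes when absent; '0 0' disables it.
        for cmd in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{name}: exec-timeout 0 0 (idle sessions never close)")
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport != ["ssh"]:
            findings.append(f"{name}: transport input is {transport}, want ['ssh']")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: login does not use local accounts or AAA")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```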

Basic Network Performance

Ping
A ping issued from the IOS will yield one of several indications for each ICMP echo that was sent. The most common indicators are:
 - ! - indicates receipt of an ICMP echo reply message
 - . - indicates that the timeout expired while waiting for an ICMP echo reply message
 - U - an ICMP unreachable message was received
Testing the loopback (verifies that the local TCP/IP stack is working):
ping 127.0.0.1

The Cisco IOS offers an "extended" mode of the ping command. This mode is entered by typing ping in privileged EXEC mode, without a destination IP address.

One of the most effective tools for monitoring and troubleshooting network performance is to establish a network baseline.
A baseline is a process for studying the network at regular intervals to ensure that the network is working as designed.
An effective use of the stored information is to compare the results over time.

Traceroute
A trace returns a list of hops as a packet is routed through a network. The form of the command depends on where the command is issued. When performing the trace from a Windows computer, use tracert. When performing the trace from a router CLI, use traceroute.
! Windows OS
tracert 10.1.0.2
! Cisco IOS
traceroute 10.1.0.2
Show commands
Some of the more popular show commands are:
show running-config
show interfaces
show arp
show ip route
show ip interface brief
show protocols
show version

show version displays:
 - The Cisco IOS software version being used.
 - The version of the system bootstrap software, stored in ROM memory, that was initially used to boot the router.
 - The complete filename of the Cisco IOS image and where the bootstrap program located it.
 - Type of CPU on the router and amount of RAM. It may be necessary to upgrade the amount of RAM when upgrading the Cisco IOS software.
 - The number and type of physical interfaces on the router.
 - The amount of NVRAM. NVRAM is used to store the startup-config file.
 - The amount of flash memory on the router. It may be necessary to upgrade the amount of flash when upgrading the Cisco IOS software.
 - The currently configured value of the software configuration register in hexadecimal.

Host commands
! Windows OS
ipconfig /all
ipconfig /displaydns
arp -a
! Cisco IOS
show cdp neighbors
show cdp neighbors detail
CDP is a Cisco-proprietary protocol that runs at the data link layer.
Because CDP operates at the data link layer, two or more Cisco network devices, such as routers that support different network layer protocols, can learn about each other even if Layer 3 connectivity does not exist.
When a Cisco device boots up, CDP starts up by default.
CDP provides the following information about each CDP neighbor device: 
 - Device identifiers - For example, the configured host name of a switch
 - Address list - Up to one network layer address for each protocol supported
 - Port identifier - The name of the local and remote port, in the form of an ASCII character string such as ethernet0
 - Capabilities list - For example, whether this device is a router or a switch
 - Platform - The hardware platform of the device; for example, a Cisco 1841 series router

To disable CDP globally, use the global configuration command no cdp run.
To disable CDP on an interface, use the interface command no cdp enable.

Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
device1.cisco.com   Eth 0/1        122          T S       WS-C2900  2/11
device2.cisco.com   Eth 0/1        179           R        4500      Eth 0
device3.cisco.com   Eth 0/1        155           R        2500      Eth 0
device4.cisco.com   Eth 0/1        155           R        2509      Eth 0

R2#show cdp neighbors detail
-------------------------
Device ID: R3
Entry address(es):
IP address: 10.2.2.3
Platform: Cisco 3640, Capabilities: Router Switch IGMP
Interface: FastEthernet1/0, Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec
Version :
Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team
advertisement version: 2
VTP Management Domain: '
Duplex: full
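
As an added example (not from the course), the following Python parses the show cdp neighbors table above into device-inventory records and groups neighbors by local interface, which is the input an administrator needs to decide where no cdp enable can be applied. The sample text is the table from the notes, re-typed here as constructed input.

```python
import re

# Constructed sample input: the 'show cdp neighbors' table from the notes,
# re-typed here so the parser can run offline (not live device output).
SAMPLE_CDP = """\
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
device1.cisco.com   Eth 0/1        122          T S       WS-C2900  2/11
device2.cisco.com   Eth 0/1        179           R        4500      Eth 0
device3.cisco.com   Eth 0/1        155           R        2500      Eth 0
device4.cisco.com   Eth 0/1        155           R        2509      Eth 0
"""

# Several columns contain a single internal space ("Eth 0/1", "T S", "Eth 0"),
# so str.split() would break them apart. Columns are instead separated by two
# or more spaces, and a single space is only allowed inside a field.
ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>\S+(?: \S+)?)\s{2,}"
    r"(?P<holdtime>\d+)\s+"
    r"(?P<caps>[A-Za-z](?: [A-Za-z])*)\s{2,}"
    r"(?P<platform>\S+)\s+"
    r"(?P<port>\S.*?)\s*$"
)

# Capability codes from the legend printed at the top of the command output.
CAP_NAMES = {"R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
             "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater"}


def parse_cdp_neighbors(text):
    """Parse 'show cdp neighbors' output into a list of neighbor records."""
    neighbors = []
    for line in text.splitlines():
        if line.startswith("Device ID") or line.startswith("Capability Codes"):
            continue  # column header and legend
        m = ROW_RE.match(line)
        if not m:
            continue  # prompt, legend continuation, blank lines
        neighbors.append({
            "device_id": m["device"],
            "local_interface": m["local"],
            "holdtime": int(m["holdtime"]),
            "capabilities": [CAP_NAMES.get(c, c) for c in m["caps"].split()],
            "platform": m["platform"],
            "remote_port": m["port"],
        })
    return neighbors


def neighbors_by_local_interface(neighbors):
    """Map each local interface to the IDs of the devices heard on it.

    Interfaces that never see a Cisco neighbor are candidates for
    'no cdp enable', so the platform and version details CDP advertises
    are not sent out of host-facing ports.
    """
    by_port = {}
    for n in neighbors:
        by_port.setdefault(n["local_interface"], []).append(n["device_id"])
    return by_port


if __name__ == "__main__":
    for n in parse_cdp_neighbors(SAMPLE_CDP):
        print(n["device_id"], n["platform"], ", ".join(n["capabilities"]))
    print(neighbors_by_local_interface(parse_cdp_neighbors(SAMPLE_CDP)))
```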

Router and Switch File Systems
In addition to implementing and securing a small network, it is also the job of the network administrator to manage configuration files. Managing the configuration files is important for purposes of backup and retrieval in the event of a device failure.
The Cisco IOS File System (IFS) provides a single interface to all the file systems a router uses, including:
- Flash memory file systems
- Network file systems (TFTP and FTP)
- Any other endpoint for reading or writing data such as NVRAM, the running configuration, ROM, and others

show file systems - this command provides useful information such as the amount of available and free memory, the type of file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw), shown in the Flags column of the command output.
Router# show file systems
File Systems:
        Size(b)       Free(b)      Type  Flags  Prefixes
             -             -       ram     rw   tmp:
             -             -    opaque     rw   system:
      42541056      42541056      disk     rw   disk1: disk1:0:#
*    512065536      30834688      disk     rw   disk0:#
      65536000      19811932     flash     rw   bootflash: sup-bootflash:
             -             -    opaque     ro   ivfs:
        129004        102228     nvram     rw   const_nvram:
     125802334             0    opaque     ro   microcode: sup-microcode:
             0     609689428    opaque     rw   image: sup-image:
             -             -    opaque     rw   null:
             -             -    opaque     ro   tar:
       1964024       1949453     nvram     rw   nvram:
             -             -   network     rw   rcp:
             -             -   network     rw   tftp:
             -             -   network     rw   http:
             -             -   network     rw   ftp:
             -             -      disk     rw   disk1:1:
Notice that the default file system (disk0: in this output; on many routers it is flash) has an asterisk preceding it. This indicates the current default file system. The bootable IOS is located there; therefore, the pound symbol (#) is appended to that listing, indicating that it is a bootable disk.
 
Navigation commands:
cd - change directory
pwd - print the present working directory
dir - list the contents of a file system

Back up and Restore Configuration Files
1) Log the terminal session
Save the output of show running-config or show startup-config.

2) TFTP
Backup - copy running-config tftp / copy startup-config tftp
Restore - copy tftp startup-config / copy tftp running-config

3) USB
Cisco USB flash modules are available in 64 MB, 128 MB, and 256 MB versions.
To be compatible with a Cisco router, a USB flash drive must be formatted in a FAT16 format. If that is not the case, the show file systems command will display an error indicating an incompatible file system.
On the PC, save the file (config) as a plain text file onto the USB flash drive.
! insert the USB drive in the router
*Feb 5 20:38:04.678: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
*Feb 8 13:51:34.831: %USBFLASH-4-FORMAT: usbflash0 contains unexpected values in partition table or boot sector. Device needs formatting before use!

! format the USB drive
Router# format usbflash1:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "usbflash1:".  Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Format: All system sectors written. OK...
Format: Total data sectors in formatted partition: 8518475
Router# dir usbflash0:
Directory of usbflash0:/
1 -rw- 30125020 Dec 22 2032 05:31:32 +00:00 c3825-entservicesk9-mz.123-14.T
63158272 bytes total (33033216 bytes free)

! backup to USB
Router# copy run usbflash0:/

! restore from USB
R1# copy usbflash0:/R1-Config running-config
Destination filename [running-config]?

USB flash can hold multiple copies of the Cisco IOS and multiple router configurations. 
 
Integrated Router
A home network is very similar to a small-business network. However, most home networks, and many small business networks, do not require high-volume devices, such as dedicated routers and switches. Smaller scale devices, as long as they provide the same functionality of routing and switching, are all that are required. For this reason, many home and small business networks utilize the service of a multi-function device.
Multi-function devices will be referred to as integrated routers.

In addition to supporting routing, switching and wireless connectivity, many additional features may be available on an integrated router, including: DHCP service, a firewall, and even network attached storage services.

Integrated routers can range from small devices designed for home office and small business applications to more powerful devices that can support enterprise branch offices:
 - Linksys wireless router (simple)
 - Cisco ISR (Cisco Integrated Services Router) - offers a wide range of products, including those designed for small office and home office environments as well as those designed for larger networks.

All integrated routers allow for basic configuration settings such as passwords, IP addresses, and DHCP settings, which are the same whether the device is being used to connect wired or wireless hosts. However, if using the wireless functionality, additional configuration parameters are required, such as setting the wireless mode, SSID, and the wireless channel.

Wireless Mode - Most integrated wireless routers support 802.11b, 802.11g, and 802.11n.
Service Set Identifier (SSID) - There may be many other wireless networks in your area. It is important that the wireless devices connect to the correct WLAN. This is done using a Service Set Identifier (SSID).
The SSID is a case-sensitive, alpha-numeric name for your home wireless network. The name can be up to 32-characters in length. The SSID is used to tell wireless devices which WLAN they belong to and with which other devices they can communicate.
Wireless Channel - Channels are created by dividing up the available RF spectrum. Each channel is capable of carrying a different conversation. This is similar to the way that multiple television channels are transmitted across a single medium. Multiple APs can function in close proximity to one another as long as they use different channels for communication.

Some of the more basic security measures include:
- Change default values for the SSID, usernames, and passwords
- Disable broadcast SSID
- Configure encryption using WEP or WPA
Encryption is the process of transforming data so that even if it is intercepted it is unusable.

Wired Equivalency Protocol (WEP) 
WEP is an advanced security feature that encrypts network traffic as it travels through the air. WEP uses pre-configured keys to encrypt and decrypt data.
A WEP key is entered as a string of numbers and letters and is generally 64 bits or 128 bits long. In some cases, WEP supports 256 bit keys as well. To simplify creating and entering these keys, many devices include a Passphrase option. The passphrase is an easy way to remember the word or phrase used to automatically generate a key.
There are weaknesses within WEP, including the use of a static key on all WEP enabled devices.
One way to overcome this vulnerability is to change the key frequently. Another way is to use a more advanced and secure form of encryption known as Wi-Fi Protected Access (WPA).

Wi-Fi Protected Access (WPA)
WPA also uses encryption keys from 64 bits up to 256 bits. However, WPA, unlike WEP, generates new, dynamic keys each time a client establishes a connection with the AP. For this reason, WPA is considered more secure than WEP because it is significantly more difficult to crack.
There are several other security implementations that can be configured on a wireless AP, including MAC address filtering, authentication, and traffic filtering. However, those security implementations are beyond the scope of this course.

Configuring the Integrated Router
Initially access the router by cabling a computer to one of the router’s LAN Ethernet ports.
The Linksys device has a default configuration that allows switching and basic routing services. It is also configured, by default, as a DHCP server. Basic configuration tasks, such as changing the default username and password, changing the default Linksys IP address, and even default DHCP IP address ranges, should be conducted before the AP is connected to a live network.

To enable wireless connectivity, the wireless mode, SSID, RF channel, and any desired security encryption mechanism must be configured.
Next, set the SSID.
The choice of RF channel used for the integrated router must be made relative to the other wireless networks around it.
Adjacent wireless networks must use non-overlapping channels in order to optimize throughput. Most access points now offer a choice to allow the router to automatically locate the least congested channel.
Finally, select the encryption mechanism that you prefer and enter a key or passphrase.
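
The channel rule above, as an added example that is not part of the course: a 2.4 GHz channel picker that treats two channels as overlapping when their centre frequencies are closer than the 22 MHz width of an 802.11b channel, and mirrors the least-congested-channel option of an integrated router. The list of neighbouring networks' channels is constructed sample data.

```python
# 2.4 GHz band: channels 1-13 have centre frequencies 5 MHz apart starting at
# 2412 MHz; channel 14 (Japan only) sits at 2484 MHz. An 802.11b channel is
# about 22 MHz wide (802.11g/n OFDM channels are 20 MHz, same spacing rule),
# so two channels overlap unless their centres are at least 22 MHz, i.e. five
# channel numbers, apart. That is why 1, 6 and 11 are the usual
# non-overlapping set.
CHANNEL_WIDTH_MHZ = 22
NON_OVERLAPPING_SET = (1, 6, 11)


def centre_frequency_mhz(channel):
    """Centre frequency of a 2.4 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """True when the spectra of the two channels interfere with each other."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def congestion(channel, neighbour_channels):
    """Number of neighbouring networks whose channel overlaps the given one."""
    return sum(1 for n in neighbour_channels if channels_overlap(channel, n))


def least_congested_channel(neighbour_channels, candidates=NON_OVERLAPPING_SET):
    """Pick the candidate channel overlapping the fewest neighbouring networks.

    Ties go to the lowest channel number. This is the decision an integrated
    router's automatic channel selection makes from its own survey.
    """
    return min(candidates, key=lambda ch: (congestion(ch, neighbour_channels), ch))


if __name__ == "__main__":
    # Constructed survey: channels heard from nearby APs (not real data).
    nearby = [1, 1, 3, 6]
    for ch in NON_OVERLAPPING_SET:
        print(f"channel {ch}: overlaps {congestion(ch, nearby)} neighbouring network(s)")
    print("least congested:", least_congested_channel(nearby))  # 11
```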

Configure a Wireless Client
In order for a wireless client to connect to the WLAN, the client configuration settings must match that of the wireless router. This includes the SSID, security settings, and channel information (if the channel was manually set). These settings are specified in the client software.
One of the most common tests for verifying successful data transmission is the ping test. If the ping is successful, data transmission is possible.