Tuesday, June 12, 2007

Improving Security on Cisco Routers

Introduction:

This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic boilerplate configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.

Cisco IOS software has many security-specific features, such as packet-filtering access lists, the Cisco IOS Firewall Feature Set, TCP Intercept, AAA, and encryption. Many other features, such as packet logging and quality of service (QoS) features, can be used to increase network security against various attacks. None of these are discussed, except in passing. This is not a document about firewall configuration. For the most part, this is a document about how to secure the router itself, and ignores the equally important issue of the protection of other network devices.

Password Management
Passwords and similar secrets, such as Simple Network Management Protocol (SNMP) community strings, are the primary defense against unauthorized access to your router. The best way to handle most passwords is to maintain them on a TACACS+ or RADIUS authentication server. However, almost every router still has a locally configured password for privileged access, and can also have other password information in its configuration file.

enable secret
The enable secret command is used to set the password that grants privileged administrative access to the IOS system. An enable secret password must always be set. Use the enable secret command, not the older enable password command. The enable password command uses a weak encryption algorithm.
If no enable secret is set, and a password is configured for the console TTY line, the console password can be used to receive privileged access, even from a remote VTY session. This is almost certainly not what you want, and is another reason to be certain to configure an enable secret.

service password-encryption (and limitations)
The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator.

However, the algorithm used by the service password-encryption command is a simple Vigenere cipher. Any competent amateur cryptographer can easily reverse it in a few hours. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers, and should not be used for this purpose. Any Cisco configuration file that contains encrypted passwords must be treated with the same care used for a cleartext list of those same passwords.

This weak encryption warning does not apply to passwords set with the enable secret command, but it does apply to passwords set with the enable password command.

The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible as far as Cisco knows. It is, however, subject to dictionary attacks. A dictionary attack is when a computer tries every word in a dictionary or other list of candidate passwords. Therefore, remember to keep your configuration file out of the hands of untrusted people, especially if you are not sure your passwords are well chosen.

Control Interactive Access
Anyone who can log in to a Cisco router can display information which you probably do not want to make available to the general public. A user who can log in to the router might be able to use it as a relay for further network attacks. Anyone who can get privileged access to the router can reconfigure it. You need to control interactive logins to the router in order to prevent inappropriate access.
Although most interactive access is disabled by default, there are exceptions. The most obvious exception is the interactive sessions that are from directly connected asynchronous terminals, such as the console terminal, and from integrated modem lines.

Console Ports
It is important to remember that the console port of a Cisco IOS device has special privileges. In particular, if a BREAK signal is sent to the console port during the first few seconds after a reboot, the password recovery procedure can easily be used to take control of the system. This means that attackers who interrupt power or induce a system crash, and who have access to the console port via a hardwired terminal, a modem, a terminal server, or some other network device, can take control of the system, even if they do not have physical access to it or the ability to log in to it normally.
Any modem or network device that gives access to the Cisco console port must be secured to a standard comparable to the security used for privileged access to the router. At a bare minimum, any console modem should be of a type that can require the dialup user to supply a password for access, and the modem password must be carefully managed.

General Interactive Access
There are more ways to get interactive connections to routers than users realize. Cisco IOS software, which depends on the configuration and software version, can support these connections:
via Telnet
rlogin
SSH
non IP-based network protocols, such as LAT, MOP, X.29, and V.120
possibly other protocols
via local asynchronous connections and modem dial-ins

More protocols for interactive access are always being added. Interactive Telnet access is available not only on the standard Telnet TCP port (port 23), but on a variety of higher-numbered ports as well.

All interactive access mechanisms use the IOS TTY abstraction (in other words, they all involve sessions on lines of one sort or another). Local asynchronous terminals and dialup modems use standard lines, known as TTYs. Remote network connections, regardless of the protocol, use virtual TTYs (VTYs). The best way to protect a system is to make certain that appropriate controls are applied on all lines, which includes both VTY lines and TTY lines.

Because it is difficult to make certain that all possible modes of access have been blocked, administrators should use some sort of authentication mechanism in order to make sure that logins on all lines are controlled, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices.

The login and no password commands can be configured in order to completely prevent interactive logins. This is the default configuration for VTYs, but not for TTYs. There are many ways to configure passwords and other forms of user authentication for TTY and VTY lines. Refer to the Cisco IOS software documentation for more information.

control TTYs

Local asynchronous terminals are less common than they once were, but they still exist in some installations. Unless the terminals are physically secured, and usually even if they are, the router should be configured to require users on local asynchronous terminals to log in before they use the system. Most TTY ports in modern routers are either connected to external modems, or are implemented by integrated modems. The security of these ports is obviously even more important than securing local terminal ports.

By default, a remote user can establish a connection to a TTY line over the network. This is known as reverse Telnet. This allows the remote user to interact with the terminal or modem connected to the TTY line. It is possible to apply password protection for such connections. Often, it is desirable to allow users to make connections to modem lines, so that they can make outgoing calls. However, this feature can allow a remote user to connect to a local asynchronous terminal port, or even to a dial-in modem port, and simulate the login prompt of the router to steal passwords. This feature can also do other things that can trick local users or interfere with their work.

Issue the transport input none configuration command in order to disable this reverse Telnet feature on any asynchronous or modem line that should not receive connections from network users. If possible, do not use the same modems for both dial-in and dial-out, and do not allow reverse Telnet connections to the lines you use for dial-in.

Control VTYs and Ensure VTY Availability
Any VTY must be configured to accept connections only with the protocols actually needed. This is performed with the transport input command. For example, a VTY that is expected to receive only Telnet sessions is configured with the transport input telnet command, while a VTY that permits both Telnet and SSH sessions has the transport input telnet ssh command. If your software supports an encrypted access protocol such as SSH, then enable only that protocol, and disable cleartext Telnet. Also, issue the ip access-class command in order to restrict the IP addresses from which the VTY accepts connections.

A Cisco IOS device has a limited number, usually five, of VTY lines. When all of the VTYs are in use, no more remote interactive connections can be established. This creates the opportunity for a denial-of-service attack. If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator might not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.

One way to reduce this exposure is to configure a more restrictive ip access-class command on the last VTY in the system than on the other VTYs. The last VTY, usually VTY 4, can be restricted to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network.

Another useful tactic is to issue the exec-timeout command in order to configure VTY timeouts. This prevents an idle session from consuming a VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it also provides some protection against sessions accidentally left idle. Similarly, if

you enable TCP keepalives on incoming connections with the service tcp-keepalives-in command, this can help to guard against both malicious attacks and orphaned sessions caused by remote system crashes.

You can disable all non IP-based remote access protocols and use IPSec encryption for all remote interactive connections to the router in order to provide complete VTY protection. IPSec is an extra-cost option, and its configuration is beyond the scope of this document.

Warning Banners
In some jurisdictions, civil and criminal prosecution of crackers who break into your systems is made much easier if you provide a banner that informs unauthorized users that their use is unauthorized. In other jurisdictions, you can be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent. One method to provide this notification is to put it into a banner message configured with the Cisco IOS banner login command.
Legal notification requirements are complex, and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. In cooperation with counsel, you must consider what information is put into your banner:

  1. A notice that the system is to be logged in to or used only by specifically authorized personnel, and perhaps information about who can authorize use.
  2. A notice that any unauthorized use of the system is unlawful, and can be subject to civil and/or criminal penalties.
  3. A notice that any use of the system can be logged or monitored without further notice, and that the resulting logs can be used as evidence in court.
  4. Specific notices required by specific local laws.
    From a security, rather than a legal point of view, your login banner must not contain any specific information about your router, its name, its model, what software it runs, or who owns it. This information can be abused by crackers.

Commonly Configured Management Services
Many users use protocols other than interactive remote login in order to manage their networks. The most common protocols for this purpose are SNMP and HTTP.
Neither of these protocols is enabled by default, and, as for any other service, the most secure option isto not enable them at all. However, if they are enabled, they must be secured as described in this section.

SNMP
SNMP is very widely used for router monitoring, and frequently for router configuration changes. Unfortunately, version 1 of the SNMP protocol, which is the most commonly used, uses a very weak authentication scheme based on a community string. This amounts to a fixed password transmitted over the network without encryption. If possible, use SNMP version 2, which supports an MD5-based digest authentication scheme and allows for restricted access to various management data.

If you must use SNMP version 1, choose inobvious community strings. Do not choose, for example, "public" or "private". If possible, avoid the use of the same community strings for all network devices. Use a different string or strings for each device, or at least for each area of the network. Do not make a read-only string the same as a read-write string. If possible, periodic SNMP version 1 polling should be done with a read-only community string. Read-write strings should be used only for actual write operations.

SNMP version 1 is not suited to use across the public Internet for these reasons:

  1. It uses cleartext authentication strings.
  2. Most SNMP implementations send those strings repeatedly as part of periodic polling.
  3. It is an easily spoofable, datagram-based transaction protocol.

You must carefully consider the implications before you use it that way.
In most networks, legitimate SNMP messages come only from certain management stations. If this is true in your network, you should probably use the access list number option on the snmp-server community command in order to restrict SNMP version 1 access to only the IP addresses of the management stations. Do not use the snmp-server community command for any purpose in a pure SNMP version 2 environment. This command implicitly enables SNMP version
For SNMP version 2, configure digest authentication with the authentication and md5 keywords of the snmp-server party configuration command. If possible, use a different MD5 secret value for each router.

SNMP management stations often have large databases of authentication information, such as community strings. This information can provide access to many routers and other network devices. This concentration of information makes the SNMP management station a natural target for attack, and it must be secured accordingly.

HTTP
Most recent Cisco IOS software versions use the World Wide Web HTTP protocol in order to support remote configuration and monitoring. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network. Unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet.

If you choose to use HTTP for management, issue the ip http access-class command in order to restrict access to appropriate IP addresses. Also, issue the ip http authentication command in order to configure authentication. As with interactive logins, the best choice for HTTP authentication is to use a TACACS+ or RADIUS server. Avoid the use of the enable password as an HTTP password.

Management and Interactive Access via the Internet (and Other Untrusted Networks)
Many users manage their routers remotely, and sometimes this is done over the Internet. Any unencrypted remote access carries some risk, but access over a public network such as the Internet is especially dangerous. All remote management schemes, which includes interactive access, HTTP, and SNMP, are vulnerable.

The attacks discussed in this section are relatively sophisticated ones, but they are not out of the reach of crackers today. These attacks can often be thwarted if the public network providers involved have taken proper security measures. You need to evaluate your level of trust in the security measures used by all the providers that carry your management traffic. Even if you trust your providers, it is recommended to take at least some steps to protect yourself from the results of any mistakes that might occur.
All the cautions here apply as much to hosts as to routers. This document discusses the protection of router login sessions, but you should use analogous mechanisms to protect your hosts if you administer those hosts remotely.
Remote Internet administration is useful, but requires careful attention to security.

Packet Sniffers
Crackers frequently break into computers owned by Internet service providers (ISPs), or into computers on other large networks, and install packet sniffer programs. These programs monitor the traffic that passes through the network and steal data, such as passwords and SNMP community strings. Although this has become more difficult as network operators improve their security, it is still relatively common. In addition to the risk from outside crackers, it is not unheard of for rogue ISP personnel to install sniffers. Any password sent over an unencrypted channel is at risk. This includes the login and enable passwords for your routers.

If possible, avoid logging in to your router that uses any unencrypted protocol over any untrusted network. If your router software supports it, use an encrypted login protocol such as SSH or Kerberized Telnet. Another possibility is to use IPSec encryption for all router management traffic, which includes Telnet, SNMP, and HTTP. All of these encryption features are subject to certain export restrictions imposed by the United States Government, and are special-order, extra-cost items on Cisco routers.

If you do not have access to an encrypted remote access protocol, another possibility is to use a one-time password system such as S/KEY or OPIE, together with a TACACS+ or RADIUS server. This controls both interactive logins and privileged access to your router. The advantage here is that a stolen password is of no use, because it is made invalid by the very session in which it is stolen. Non-password data transmitted in the session remains available to eavesdroppers, but many sniffer programs are set up to concentrate on passwords.

If you absolutely must send passwords over cleartext Telnet sessions, change your passwords frequently, and pay close attention to the path traversed by your sessions.

Other Internet Access Dangers
In addition to packet sniffers, remote Internet management of routers presents these security risks:

1.In order to manage a router over the Internet, you must permit at least some Internet hosts to have access to the router. It is possible that these hosts can be compromised, or that their addresses can be spoofed. By permitting interactive access from the Internet, you make your security dependent not only on your own anti-spoofing measures, but on those of the service providers involved.

2.You can make sure that all the hosts that are permitted to log into your router are under your own control in order to reduce dangers. Also, use encrypted login protocols with strong authentication.
It is sometimes possible to hijack an unencrypted TCP connection (such as a Telnet session), and actually take control away from a user who is logged in. Although such hijack attacks are not as common as simple packet sniffing and can be complex to mount, these attacks are possible, and might be used by an attacker who has your network specifically in mind as a target. The only real solution to the problem of session hijack is to use a strongly authenticated encrypted management protocol.

3.Denial of service attacks are relatively common on the Internet. If your network is subjected to a denial of service attack, you might not be able to reach your router to collect information or take defensive action. Even an attack on a network of another person can impair your management access to your own network. Although you can take steps to make your network more resistant to denial of service attacks, the only real defense against this risk is to have a separate, out-of-band management channel, such as a dialup modem, for use in emergencies.

Logging
Cisco routers can record information about a variety of events, many of which have security significance. Logs can be invaluable to characterize and respond to security incidents. These are the main types of logging used by Cisco routers:

AAA logging—Collects information about user dial-in Connections,Logins, logouts, HTTP accesses, privilege level changes, commands executed, and similar events. AAA log entries are sent to authentication servers that use the TACACS+ and/or RADIUS protocols, and are recorded locally by those servers, typically in disk files. If you use a TACACS+ or RADIUS server, you can enable AAA logging of various sorts. Issue AAA configuration commands, such as aaa accounting, in order to enable this. Detailed description of AAA configuration is beyond the scope of this document.

SNMP trap logging—Sends notifications of significant changes in system status to SNMP management stations. Use SNMP traps only if you have an SNMP management infrastructure that already exists.

System logging—Records a large variety of events, which depends on the system configuration. System logging events can be reported to a variety of destinations, which include these:

1.The system console port (logging console).
2.Servers that use the UNIX syslog protocol (logging ip-Address, logging trap).
3.Remote sessions on VTYs and local sessions on TTYs (logging monitor, terminal monitor).
4.A local logging buffer in router RAM (logging buffered).

From a security point of view, the most important events usually recorded by system logging are interface status changes, changes to the system configuration, access list matches, and events detected by the optional firewall and intrusion detection features.

Each system logging event is tagged with an urgency level. The levels range from debugging information (at the lowest urgency), to major system emergencies. Each logging destination can be configured with a threshold urgency, and receives logging events only at or above that threshold.

Save Log Information
By default, system logging information is sent only to the asynchronous console port. Because many console ports are unmonitored, or are connected to terminals without historical memory and with relatively small displays, this information might not be available when it is needed, especially when a problem is debugged over the network.

Almost every router must save system logging information to a local RAM buffer. The logging buffer is of a fixed size, and retains only the newest information. The contents of the buffer are lost whenever the router is reloaded. Even so, a moderately-sized logging buffer is often of great value. On low-end routers, a reasonable buffer size might be 16384 or 32768 bytes. On high-end routers with lots of memory (and many logged events), even 262144 bytes might be appropriate. You can issue the show memory command to make sure that your router has enough free memory to support a logging buffer. Issue the logging buffered buffer-size configuration command in order to create the buffer.

Most larger installations have syslog servers. You can send logging information to a server with the logging server-ip-address, and you can control the urgency threshold for logging to the server with the logging trap urgency command. Even if you have a syslog server, you should still enable local logging.

If your router has a real-time clock or runs NTP, issue the service timestamps log datetime msecs command in order to time-stamp log entries.

Record Access List Violations
If you use access lists to filter traffic, you might want to log packets that violate your filtering criteria. Earlier Cisco IOS software versions use the log keyword in order to support logging. This causes logging of the IP addresses and port numbers associated with packets that match an access list entry. Later versions provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it.

It is not a good idea to configure logging for access list entries that match very large numbers of packets. This causes log files to grow excessively large, and can cut into system performance. However, access list log messages are rate-limited, so the impact is not catastrophic.

Access list logging can also be used to log the suspect traffic in order to characterize traffic associated with network attacks.

Secure IP Routing
This section discusses some basic security measures related to the way in which the router forwards IP packets.

Anti-Spoofing
Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.

Anti-spoofing must be done at every point in the network where it is practical. It is usually both easiest and most effective at the borders between large address blocks, or between domains of network administration. It is usually impractical to perform anti-spoofing on every router in a network, because of the difficulty to determine which source addresses might legitimately appear on any given interface.

If you are an ISP, you might find that effective anti-spoofing along with other effective security measures, causes expensive, annoyed problem subscribers to take their business to other providers. ISPs must apply anti-spoofing controls at dialup pools and other end-user connection points (refer to RFC 2267 ).

Administrators of corporate firewalls or perimeter routers sometimes install anti-spoofing measures to prevent hosts on the Internet from assuming the addresses of internal hosts, but do not take steps to prevent internal hosts from assuming the addresses of hosts on the Internet. Try to prevent spoofing in both directions. There are at least three good reasons to perform anti-spoofing in both directions at an organizational firewall:

1.Internal users are less tempted to launch network attacks and less likely to succeed if they do try.

2.Accidentally misconfigured internal hosts are less likely to cause trouble for remote sites. Therefore, these are less likely to generate angry telephone calls or damage the reputation of your organization.

3.Outside crackers often break into networks as launching pads for further attacks. These crackers might be less interested in a network with outgoing spoofing protection.

Anti-Spoofing with Access Lists
Unfortunately, it is not practical to give a simple list of commands that provide appropriate spoofing protection. The access list configuration depends too much on the individual network. The basic goal is to discard packets that arrive on interfaces that are not viable paths from the supposed source addresses of those packets. For example, on a two-interface router that connects a corporate network to the Internet, any datagram that arrives on the Internet interface, but whose source address field claims that it came from a machine on the corporate network, should be discarded.
Similarly, any datagram that arrives on the interface connected to the corporate network, but whose source address field claims that it came from a machine outside the corporate network, should be discarded. If CPU resources allow it, anti-spoofing should be applied on any interface where it is feasible to determine what traffic can legitimately arrive.
ISPs that carry transit traffic can have limited opportunities to configure anti-spoofing access lists, but such an ISP can usually at least filter outside traffic that claims to originate within the address space of the ISP.
In general, anti-spoofing filters must be built with input access lists. This means that packets must be filtered at the interfaces through which they arrive at the router, not at the interfaces through which they leave the router. This is configured with the ip access-group list in interface configuration command. You can use output access lists in some two-port configurations in order to anti-spoof, but input lists are usually easier to understand even in those cases. Furthermore, an input list protects the router itself from spoofing attacks, whereas an output list protects only devices behind the router.

When anti-spoofing access lists exist, they should always reject datagrams with broadcast or multicast source addresses, and datagrams with the reserved loopback address as a source address. It is usually appropriate for an anti-spoofing access list to filter out all ICMP redirects, regardless of source or destination address. These are the appropriate commands:

access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any

The fourth command filters out packets from many BOOTP/DHCP clients. Therefore, it is not appropriate in all environments.

Path Integrity
Many attacks depend on the ability to influence the paths datagrams take through the network. If they control routing, crackers can spoof the address of another user machine and have the return traffic sent to them, or they can intercept and read data intended for someone else. Routing can also be disrupted purely for denial of service purposes.

IP Source Routing
The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram takes toward its ultimate destination, and generally the route that any reply takes. These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it is possible to send them datagrams with source routing options in order to crash machines that run these implementations.

A Cisco router with the no ip source-route command set never forwards an IP packet which carries a source routing option. You should use this command, unless your network needs source routing.

ICMP Redirects
An ICMP redirect message instructs an end node to use a specific router as its path to a particular destination. In an IP network that functions properly, a router sends redirects only to hosts on its own local subnets. No end node ever sends a redirect, and no redirect is ever traversed more than one network hop. However, an attacker can violate these rules. Some attacks are based on this. Filter out incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains. Also,
It is not unreasonable for any access list that is applied on the input side of a Cisco router interface to filter out all ICMP redirects. This causes no operational impact in a correctly configured network.

This filter prevents only redirect attacks launched by remote attackers. It is still possible for attackers to cause significant trouble using redirects if their host is directly connected to the same segment as a host that is under attack.

Routing Protocol Filter and Authentication
If you use a dynamic routing protocol that supports authentication, enable that authentication. This prevents malicious attacks on the routing infrastructure, and can also help to prevent damage caused by misconfigured rogue devices on the network.

For the same reasons, service providers and other operators of large networks are generally well advised to use route filtering (with the distribute-list in command) to prevent their routers from accepting clearly incorrect routing information. Although excessive use of route filtering can destroy the advantages of dynamic routing, judicious use often helps to prevent unpleasant results. For example, if you use a dynamic routing protocol to communicate with a stub customer network, you should not accept any routes from that customer other than routes to the address space you have actually delegated to the customer.

Detailed instruction on how to configure routing authentication and route filtering is beyond the scope of this document. Documentation is available on the Cisco website and elsewhere. Because of the complexity involved, novices are advised to seek experienced advice before configuring these features on important networks.

Flood Management
Many denial of service attacks rely on floods of useless packets. These floods congest network links, slow down hosts, and can overload routers as well. Careful router configuration can reduce the impact of such floods.
An important part of flood management is to be aware of where performance bottlenecks lie. If a flood overloads a T1 line, then filtering out the flood on the router at the source end of the line is effective, whereas filtering at the destination end has little or no effect. If the router itself is the most overloaded network component, then filtering protections that place heavy demands on the router can make matters worse. Keep this in mind when you consider the implementation of the suggestions in this section.

Router Self-Protection
Before a router can protect other parts of the network from the effects of floods, the router itself must be protected from overload.


Switching Modes and Cisco Express Forwarding
The CEF switching mode, available in Cisco IOS Software Releases 11.1CC, 11.1CT, 11.2GS, and 12.0, replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts to arrive for new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.

Although most flooding denial of service attacks send all of their traffic to one or a few targets and do not tax the traditional cache maintenance algorithm, many popular SYN flooding attacks use randomized source addresses. The host under attack replies to some fraction of the SYN flood packets, which creates traffic for a large number of destinations. Therefore, routers configured for CEF perform better under SYN floods (directed at hosts, not at the routers themselves) than routers that use the traditional cache. CEF is recommended when available.

Scheduler Configuration
When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so much time in response to interrupts from the network interfaces that no other work is done. Some very fast packet floods can cause this condition. Issue the scheduler interval command, which instructs the router to stop handling interrupts and attend to other business at regular intervals, in order to reduce the effect. A typical configuration might include the scheduler interval 500 command, which indicates that process-level tasks are to be handled no less frequently than every 500 milliseconds. This command rarely has any negative effects, and should be a part of your standard router configuration unless you know of a specific reason to leave it out.

Many newer Cisco platforms use the scheduler allocate command instead of the scheduler interval command. The scheduler allocate command takes two parameters: a period in microseconds for the system to run with interrupts enabled, and a period in microseconds for the system to run with interrupts masked. If your system does not recognize the scheduler interval 500 command, issue the scheduler allocate 3000 1000 command. These values were chosen to represent the midpoints of the ranges. The range for the first value is 400 to 60000, and the range for the second value is 100 to 4000. These parameters can be tuned.

Finger
Cisco routers provide an implementation of the finger service, which is used to find out which users are logged into a network device. Although this information is not usually sensitive, it is sometimes useful to an attacker. The finger service can be disabled with the no service finger command.

NTP
The Network Time Protocol (NTP) is not especially dangerous, but any unneeded service can represent a path for penetration. If NTP is actually used, it is important to explicitly configure trusted time source, and to use proper authentication. This is because the corruption of the time base is a good way to subvert certain security protocols. If NTP is not used on a particular router interface, it can be disabled with the ntp disable interface command.

CDP
Cisco Discovery Protocol (CDP) is used for some network management functions, but is dangerous because it allows any system on a directly-connected segment to learn that the router is a Cisco device, and to determine the model number and the Cisco IOS software version that is run. This information can be used to design attacks against the router. CDP information is accessible only to directly-connected systems. The CDP protocol can be disabled with the no cdp running global configuration command. CDP can be disabled on a particular interface with the no cdp enable command.

Stay Up To Date
Like all software, Cisco IOS software has bugs. Some of these bugs have security implications. In addition, new attacks are always invented, and behavior that might have been considered correct when a piece of software was written can have bad effects when deliberately exploited.

Router Security

It's incomprehensible that many routers -- the most critical element of any network -- still lack the physical and logical controls to prevent miscreants from easily owning them. Yet, routers continue to use default access passwords, such as the device vendor's name or some other easily guessable code. Imagine buying a Ford Explorer and configuring the nifty keyless entry code to 3673. It's easy to remember, but it's also the first combination a car thief will try. Why? That numeric code maps to "F-O-R-D" on a telephone keypad.
The key to securing the core routing infrastructure is access control. At a minimum, the following controls should be deployed:
  • Limit physical access to routers to authorized personnel.
  • Use encrypted access, such as SSH, to communicate with routers.
  • If there's a reason to use unencrypted access, such as Telnet,
  • limit the access to specific trusted hosts. If possible, authentication should be based on a one-time password scheme.
  • Have a generic login prompt with no information pertaining to system type or vendor name so a potential attacker won't easily be able to exploit a known vulnerability against a specific operating system or vendor.
  • Log all activity, such as configuration changes and image upgrades, to help detect illegal activity.
  • Disable HTTP and SNMP access if they aren't used

Cisco Practice Tools download

Practice for the CCNA exam by using a router simulator

Download Now:

http://www.download.com/Sem-Sim-Cisco-CCNA-Exam-Router-Simulator/3000-2051_4-10219362.html?

Cisco Practice Tests from Boson 5.0

Download Now:

http://www.download.com/Cisco-Practice-Tests-from-Boson/3000-2051_4-7705228.html?tag=lst-0-2

Cisco CDP Monitor 3.01

Download now:
http://www.download.com/Cisco-CDP-Monitor/3000-2085_4-10587259.html?tag=lst-0-6

PrepLogic Practice Exam Cisco CCNA (640-801) 3.1.11

Download now:
http://www.download.com/PrepLogic-Practice-Exam-Cisco-CCNA-640-801-/3000-2051_4-10483274.html

Boson NetSim for CCNP 6.0

Description:

The Boson NetSim emulates both switching bridge tables and routing protocol tables to allow you to go OUTSIDE the labs.

Download:

http://rapidshare.com/files/26557869/BosonCCNPv6.0Beta3b.rar

Cisco Voice Gateways and Gatekeeper

Cisco Voice Gateways and Gatekeepers provides detailed solutions to real-world problems encountered when implementing a VoIP network. This practical guide helps you understand Cisco gateways and gatekeepers and configure them properly. Gateway selection, design issues, feature configuration, and security and high-availability issues are all covered in depth. The abundant examples, screen shots, configuration snips, and case studies make this a truly practical and useful guide for anyone interested in the proper implementation of gateways and gatekeepers in a VoIP network. Emphasis is placed on the accepted best practices and common issues encountered in real-world deployments.

Download

http://rapidshare.com/files/9838517/Cisco.Voice.Gateways.and.Gatekeepers.rar

Download Free Cisco Books

Cisco Press - Penetration Testing and Network Defense

download
http://austin.youareinferior.net/books/Cisco%20Press%20-%20Penetration%20Testing%20and%20Network%20Defense.chm

The Complete Cisco VPN Configuration Guide (Networking Technology)



The Complete Cisco VPN Configuration Guide (Networking Technology)
With increased use of Internet connectivity and less reliance on private WAN networks, virtual private networks (VPNs) provide a much-needed secure method of transferring critical information. As Cisco Systems® integrates security and access features into routers, firewalls, clients, and concentrators, its solutions become ever more accessible to companies with networks of all sizes. The Complete Cisco VPN Configuration Guide contains detailed explanations of all Cisco® VPN products, describing how to set up IPsec and Secure Sockets Layer (SSL) connections on any type of Cisco device, including concentrators, clients, routers, or Cisco PIX® and Cisco ASA security appliances. With copious configuration examples and troubleshooting scenarios, it offers clear information on VPN implementation designs.
Part I, “VPNs,” introduces the topic of VPNs and discusses today’s main technologies, including IPsec. It also spends an entire chapter on SSL VPNs, the newest VPN technology and one that Cisco has placed particular emphasis on since 2003. Part II, “Concentrators,” provides detail on today’s concentrator products and covers site-to-site and remote-access connection types with attention on IPsec and WebVPN. Part III covers the Cisco VPN Client versions 3.x and 4.x along with the Cisco3002 Hardware Client. Cisco IOS® routers are the topic of Part IV, covering scalable VPNs with Dynamic Multipoint VPN, router certificate authorities, and router remote access solutions. Part V explains Cisco PIX and Cisco ASA security appliances and their roles in VPN connectivity, including remote access and site-to-site connections. In Part VI, a case study shows how a VPN solution is best implemented in the real world using a variety of Cisco VPN products in a sample network.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Download

Cables and Connectors

Ethernet interface specifications

The base unit of a MAX has an Ethernet interface that supports the physical specifications of IEEE 802.3 and IEEE 802.14 with Ethernet 2 (Ethernet/DIX) framing. It provides a single Ethernet interface that auto-senses the Ethernet type to which it is connected. The following types are supported:

10Base-T (Unshielded Twisted Pair): Twisted pair Ethernet and IEEE 802.3 (10Base-T) with an RJ-45 connector, labeled LAN UTP.
100 Base-T: 100 Mbits/s Baseband Modulation on Twisted Pair
The Ethernet address used to identify the Ethernet interface resides in the MAX unit's motherboard.

Required equipment
To install the Ethernet interface, you must have either of the equipment described in the sections below.
10Base-T You need a twisted-pair Ethernet cable and a dual twisted-pair cable terminated with RJ-45 modular jacks.
Use an EIA/TIA 568 or IEEE 802.3 10Base-T cable.

100Base-T You need a twisted-pair Ethernet cable and a dual twisted-pair cable terminated with RJ-45 modular jacks.
Use one of the following cables:100BASE-T2, 100BASE-T4 (not very popular), 100BASE-TX, or 100BASE-FX.

Improving Security on Cisco Routers

This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic boilerplate configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.
For more details see

Cisco Router Configuration Backups

Cisco router products allow using TFTP ("Trivial File Transfer Protocol") on a network server to read and write configuration files. Whenever a router configuration is changed, it is important to save the configuration file on the Linux server so that a backup is maintained.
Red Hat disables the TFTP service by default, because it can be a real security hole if not configured properly. The TFTP daemon allows anyone to read and write files without performing authentication. The way I personally set things up is to create a ``/tftpboot/'' directory, owned by root, and then modify the existing configuration line in the ``/etc/inetd.conf'' file to specify the file location:

tftpd dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot
Adding the ``/tftpboot'' path at the end of the above line specifically indicates where the TFTP daemon is allowed to access files. Although you can actually leave this part out and allow TFTP to access files anywhere on your system, as TFTP is considered somewhat of a security risk, this would probably be a very bad idea.
Once you have enabled the TFTP service, don't forget to type:

killall -HUP inetd

The above command restarts the INETD daemon to recognize whatever changes you have made to the inetd.conf file.
Creating a backup of a router configuration file involves a 3-step process: setting permissions on an existing file (or creating a new one) to allow writes, writing the backup file, and then resetting permissions to restrict access to the file.
An example router backup session follows:
mail:~# cd /tftpboot
mail:/tftpboot# chmod a+w xyzrouter-confg
chmod: xyzrouter-confg: No such file or directory
mail:/tftpboot# touch xyzrouter-confg
mail:/tftpboot# chmod a+w loyola-confg
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# write network
Remote host []? 123.12.41.41
Name of configuration file to write [xyzrouter-confg]?
Write file xyzrouter-confg on host 123.12.41.41? [confirm]
Building configuration...
Writing xyzrouter-confg !! [OK]
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit
In case of router failure (caused, for example, by a power surge during a lightning storm), these backup files can be helpful to reload the router configuration. Again, restoring from a configuration file involves a 3-step process: setting permissions on the existing file, loading the file, and then resetting permissions to restrict access to the file. An example router restoration session follows.
mail:~# cd /tftpboot
mail:/tftpboot# chmod a+r xyzrouter-confg
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config network
Host or network configuration file [host]?
Address of remote host [255.255.255.255]? 123.12.41.41
Name of configuration file [xyzrouter-confg]?
Configure using loyola-confg from 123.12.41.41? [confirm]
Loading xyzrouter-confg from 123.12.41.41 (via BRI0): !
[OK - 1265/32723 bytes]
xyzrouter# write
xyzrouter# exit
Connection closed by foreign host.
mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit

Password Recovery Procedure for the Cisco VPN 3000 Series

The password recovery procedure for the following Cisco Virtual Private Network (VPN) products running version 2.5.1 or later.
Cisco VPN 3002
Cisco VPN 3015
Cisco VPN 3060
Cisco VPN 3005
Cisco VPN 3030
Cisco VPN 3080

Note: For concentrators running code version 2.5 or earlier, contact the Cisco TAC for password recovery assistance.
Default Password
The factory default passwords for the Cisco VPN 3000 Series are:
username: admin
password: admin


Follow the steps below to recover a password

Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable between the console port on the VPN Concentrator and the COM1 or serial port on the PC (Cisco supplies the cable with the system).
Start a terminal emulator (HyperTerminal) on the PC. Configure a connection on COM1 with port settings of: 9600 bits per second 8 data bits no parity 1 stop bit hardware flow control Set the emulator for VT100 emulation, or let it auto-detect the emulation type.
When the Concentrator boots, and after the diagnostics check is complete, a line of three dots (...) appears on the console, a sample of which is shown below for reference. Press Ctrl-C within 3 seconds after seeing these dot. This displays a menu that lets you reset the system passwords to their defaults.
Boot-ROM Initializing...
Boot configured 128Mb of RAM. ...
!--- At this second set of three dots, press Ctrl-C

Loading image ..........
Verifying image checksum ...........
Active image loaded and verified...
Starting loaded image...
Starting power-up diagnostics...
...
Main Menu Options
-----------------
1 - Reset Passwords
Q - Quit Main Menu

Set-up and usage of a Virtual Private Network using the Cisco VPN Client

In order to use a VPN connection, you need a VPN password. This password is not the same as your UGent password. If you do not have a VPN/dial-in password or if you forgot it, then you can easily create a new VPN password via: https://password.ugent.be Please note that you can only create or change a VPN password from a host on the UGent Network and not via another provider.

Installation and configuration of the Cisco VPN client on PC

You can download the latest version of the VPN client software (9 Mb). After agreeing with the Statement concerning the use of Cisco VPN client, click on the link that apllies to your system, then click on "execute" (possibly twice).
In the window WinZip Self-Extractor, choos 'unzip'.
In the following window (language choice), click 'ok'.
Click 'next' in the welcoming screen.
Accept, when desired, the licence agreement by checking the option 'I accept the licence agreement', and then choose 'Next'.
Choose 'Next' if you accept the standard location for installation of your files.
Choose 'Next' to proceed with the installation.
Click 'Finish' to complete the installation procedure.
Click 'Yes' to reboot your PC.
After rebooting, open the Cisco VPN Client via 'Start'- Programs - Cisco Systems VPN Client, VPN Client.
Download the
UGent VPN client config file to the folder VPN Client. Click 'Save'.
Save in: choose to save the file to your desktop
In the window Download Complete, choose 'close'.
In the VPN Client (via 'Start - Programs - Cisco Systems VPN Client - VPN Client'), choose 'import' (icon).
In the appearing dialogue box select the folder VPNClient and then the file 'UGent.pcf'
Choose OK to complete the import.
In order to use the VPN-connection, follow the steps under
Use of the VPN-connection
Installation of Cisco VPN client on Mac
The software is only suitable for MacOS X 10.1.5 or higher
The latest version of the vpnclient-software can be downloaded
here (9MB).
This can only be done after agreeing to the
Declaration on the use of the Cisco VPN-cient. Once accepted, the download can be done time and again, without ever having to agree again.
The software is available as a .hqx file. This contains these files after unpacking:
vpnclient-darwin-4.9.00.0050-universal-k9.dmg
By double-clicking the .dmg file (disk image), it is mounted as an extra device called CiscoVPNClient. In some cases it might happen, that after unpacking the archive, the file vpnclient-darwin-4.0.2.C-GUI-k9.dmg does not have the extension .dmg. This means it can not be opened by double-clicking. Rename the file manually, by adding .dmg, after that, you should be able to open the file.
On this device you should find the installation as "Cisco VPN client.mpkg"
Double-click and follow the instructions. Click on the padlock if the message "You need an Administrator password to install the
software" and enter a login/password of your own Mac with administrator privileges.
Keep on following the instructions on the screen, among other things agree with the licence and the picking of the harddisk
where the software should be installed.
If the installation was successful, you'll find the programm under
Applications - VPNclient. Start thee client.
To configure it, import the configuration file will suffice.
Choose the button Import and choose the file UGent.pcf that was also in the downloaded file.
After importing the file, the connection can be be made immediately.

Use of a VPN-connection

When a VPN is needed, you can start it as follows:
Start the VPN via Start, Programs, Cisco Systems VPN Client, VPN Client. Select UGent and choose Connect. Enter your log-in name and corresponding
VPN-password. For Mac, start the VPN with Applications - VPNclient.
Select UGent and choose Connect.
Enter your login name and corresponding
VPN-passwordSince December 16th 2003, restrictions have been introduced concerning the used volume over a VPN. More info can be found on the webpage concerning the volume restriction.

Possible problems

If you have a firewall installed, then it is possible that the firewall has not been configured well. In that case, you will get an error message even before the verification of your log-in and password. Turn off the firewall and firts try to set up the VPN connection withou the firewall. After that you can adjust the firewall settings.
An update of F-Secure Anti-Virus for example could be the cause of the fact that your computer is restarting every time you want to use the VPN connection (Cisco).
Other programmaes as well, such as Skype can cause problems as well when using the VPN connection.
More Detail are in
Cisco Routing & Switching TrainingCisco Internetwork Troubleshooting (CIT)
Who Should Attend
CIT provides advanced training for senior-level network support professionals. The target audience is expected to be highly educated, with a background in engineering.Cisco Career CertificationsThis course is part of the following Certifications:

1.CCNP (Cisco Certified Network Professional)
2.CCIE (Cisco Certified Internetwork Expert) Routing & Switching
3.CCIE (Cisco Certified Internetwork Expert) Service Provider
4.CCIE (Cisco Certified Internetwork Expert) Security
5.CCIE (Cisco Certified Internetwork Expert) Voice

Prerequisites
Interconnecting Cisco Network Devices (ICND)
Building Scalable Cisco Internetworks (BSCI)
Building Cisco Multilayer Switched Networks (BCMSN)
Building Cisco Remote Access Networks (BCRAN) or equivalent field experience

Course Objectives
The goal of CIT is to provide learners with hands-on experience in troubleshooting sub-optimal performance in a converged network and is an integral part of any approach to obtain the technical proficiency of Cisco Certified Network Professional (CCNP). CIT deepens the learner's technical ability rather than introducing new baseline technology. After completing this course, the student should be able to:

Given a fully operational internetwork, interconnecting end systems using Cisco systems routers and switches, administrative access to the network, and access to Cisco IOS commands and applications that are used to discover baseline configuration information, students will establish a baseline, so that the topology and configuration is diagrammed and tabulated.
Given interconnecting end systems using Cisco systems routers and switches, and the principles of a layered model troubleshooting approach, students will determine and document a troubleshooting strategy so that internetwork problems can be detected and corrected consistently.

Given the sub-optimal operation of an internetwork at the physical or data link layer, a list of user-reported symptoms, and a network baseline, students will use Cisco IOS commands and applications to resolve optimization and failure problems at the physical or data link layer, so that the framed data moves from one end of a data link to another at the expected data error rate determined in the network baseline

Given the sub-optimal operation of an internetwork at the network layer, a network baseline, and a list of user-reported and system-gathered symptoms, students will use Cisco IOS commands and applications to resolve optimization and failure problems at the network layer, so that students can verify connectivity at Layer 3, the routing tables show reachability to all expected network devices specified in the baseline, and traffic is flowing over the correct path detailed in the baseline

Course Content
Establishing a Baseline
Determining an effective troubleshooting strategy
Resolving Problems at the Physical and Data Link layers
Resolving Problems at the Network Layer
Resolving Problems at the Transport and Application Layers

CCNP Self-Study:

CCNP Self-Study:
Building Cisco Multilayer Switched Networks (BCMSN)

Building Cisco Multilayer Switched Networks (BCMSN), 2nd Edition, is a self-study learning resource for CCNP and CCDP certification candidates preparing for the BCMSN 642-811 exam. This self-study resource includes sample questions and answers and lab excercises in each chapter. Including coverage of intermediate to advance networking switching technologies, this book helps CCNP candidates, as well as networking professionals, gain an understanding of switching fundamentals and best practices. Switching topics found in this book include Layer 2 and 3 switching, AVVID deployments in multilayer switching networks, QoS, CEF-based MLS, Catalyst switching architectures, and an introduction to Metro Ethernet. This is the only book authorized by Cisco Systems for early-stage, self-study learning of the BCMSN topics.

The CCNP certification indicates advanced or journeyman knowledge of networks. One of the four requirements to achieve CCNP certification is passing the BCMSN exam. Focused on intermediate-level switching issues, the BCMSN exam assesses a candidate's skill at building campus networks using multilayer switching technologies over high speed Ethernet. The exam addresses both routing and switching concepts, covering both Layer 2 and Layer 3 technologies including IP multicast. The BCMSN exam is also a requirement for CCDP certification.

Introduction to Building Cisco Multilayer Switched Networks.

Hardware-Switching and Software-Switching Terminology. Multilayer Switching Overview. Enterprise Composite Network Model for Building Cisco Multilayer Switched Networks. Introducing the Cisco Catalyst Switches. Summary. Review Questions.

2. The Roles of Switches in Designing Cisco Multilayer Switched Networks.

Data-Link Technologies. Designing Cisco Multilayer Switched Networks Using the Cisco Catalyst Switches and Data-Link Technologies. Using the Cisco Catalyst Switches and Data-Link Technologies. Case Study: Designing a Cisco Multilayer Switched Network. Summary. Review Questions.

3. Initial Configuration and Troubleshooting of Cisco Multilayer Switches.

Comparing Cisco CatOS and Cisco IOS (Native Mode). Initial Configuration of Management Parameters of Cisco Catalyst Switches. Managing Catalyst Switch Configurations. Understanding the Cisco IOS File System and Software Images on Catalyst Switches. Upgrading Software Versions on Catalyst Switches. Overview of Converting Cisco CatOS to Cisco Native IOS. Basic Troubleshooting Practices. Initial Configuration Troubleshooting Tips. Summary. Configuration Exercise: Configuring a Cisco IOS-Based Catalyst Switch. Review Questions.

4. Implementing and Configuring VLANs.

VLANs. Troubleshooting VLANs. Private VLANs. VLAN Trunking. Configuring ISL and 802.1Q Trunking. VLAN Trunking Protocol. Summary. Configuration Exercise: Configuring VLAN, Trunking, and VTP in Multilayer Switched Networks. Review Questions.

5. Understanding and Configuring the 802.1D, 802.1s, and 802.1w Spanning-Tree Protocols.

Overview of the Spanning Tree Protocol. Bridging Loop. STP (IEEE 802.1D). STP Operation. Sample Scenario of STP Election Process. STP Topology Changes. Per VLAN Spanning Tree Plus. STP and IEEE 802.1Q Trunks. Configuring the Basic Parameters of PVST+. Verifying the STP Configuration. Rapid Spanning Tree Protocol. Multiple Spanning Tree. Configuring Basic Parameters of MST. Summary. Configuration Exercise: Configuring and Verifying Spanning-Tree Bridge Priorities and Spanning-Tree Port Cost. Configuration Exercise: Configuring and Verifying Spanning-Tree Bridge Priorities. Review Questions.

6. Understanding and Configuring Cisco-Specific Spanning Tree Protocol Features and Troubleshooting STP.

Enhancements to 802.1D Spanning Tree Protocol. Improving Spanning-Tree Resiliency. Preventing Forwarding Loops and Black Holes. Troubleshooting STP. Summary. Configuration Exercise: Configuring BackboneFast, UplinkFast, and Root Guard. Review Questions.

7. Configuring Layer 2 and Layer 3 Features.

EtherChannel. CDP. Port Security. Multiple Default Gateways. MAC Address Notification. Layer 3 Protocol Filtering. DHCP for Management IP Configuration. Debounce Timer Feature. Broadcast and Multicast Suppression. DHCP Snooping. Baby Giants and Jumbo Frame. UDLD and Aggressive Mode UDLD. Case Study: Function of Aggressive Mode UDLD. Summary. Configuration Exercise. Review Questions.

8. Understanding and Configuring Inter-VLAN Routing.

Introduction to Inter-VLAN Routing. IP Broadcast Forwarding. Summary. Configuration Exercise: Configuring Inter-VLAN Routing on Cisco IOS-Based Catalyst Switches. Review Questions.

9. Understanding and Configuring Multilayer Switching.

Understanding Traditional MLS. Understanding CEF-Based MLS. CEF-Based MLS Configuration, Verification, and Troubleshooting. Summary. Configuration Exercise: Troubleshooting CEF-Based MLS. Review Questions.

10. Understanding and Implementing Quality of Service in Cisco Multilayer Switched Networks.
The Need for QoS. QoS Service Models. Catalyst QoS Fundamentals. WAN QoS. QoS in the Multilayer Switched Network. Summary. Configuration Exercise: Configuring QoS on Cisco IOS-Based Catalyst Switches. Review Questions.

11. Deploying Multicast in the Multilayer Switched Network.

Introduction to Multicast. IP Multicast Protocol. Multicast Hardware-Based Switching Methods. Layer 2 Multicast Protocols. IP Multicast in the Multilayer Switched Network. Configuring Multicast. Monitoring and Verifying IP Multicast Traffic. Summary. Configuration Exercise: Configuring and Verifying Multicast in the Multilayer Switched Network. Review Questions.

12. Implementing High Availability Options in Multilayer Switches.

Achieving High Availability in Multilayer Switches. Implementing Redundant Supervisor Engines in Catalyst Switches. Router Redundancy Using Single Router Mode on the Catalyst 6500 Series of Switches. Implementing Redundant Supervisor Uplink Modules in Catalyst Switches. Implementing Redundant Power Supplies. Implementing Default Gateway Router Redundancy in Multilayer Switched Networks. Cisco IOS Server Load Balancing. Summary. Configuration Exercise: Configuring and Verifying RPR+ and HSRP. Review Questions.

13. Introduction to Deploying Cisco IP Telephony.

Network Design Recommendations for IP Telephony. Best Practices for Deploying IP Telephony in the Enterprise Composite Network Model. Summary. Configuration Exercise: Configuring Voice VLANs on a Catalyst Switch. Review Questions.

14. Implementing Management and Data Plane Security Features on Cisco Catalyst Switches.

Catalyst Switch Configurations for Security in Multilayer Switched Networks. Configuring AAA. Network Access Security Using IEEE 802.1X. Applying Security Using Access Control Lists. Understanding the Role of Private VLANs as a Security Feature. Understanding the Role of QoS as a Security Feature. Summary. Configuration Exercise: AAA, 802.1X, and VACLs. Review Questions.

15. Introduction to the Catalyst Switching Architectures.

Catalyst 6500. Catalyst 4500. Catalyst 3750. Catalyst 3550. Catalyst 2950. Summary. Review Questions.

16. Introduction to Storage Networking.

Storage Networking Overview. Storage Networking Protocols. Campus Network Integration. Cisco Storage Solutions. Summary. Review Questions.

17. Designing, Building, and Connecting Cisco Multilayer Switched Networks Using Metro Solutions.

Introduction to Cisco Metro Solutions. Metro Ethernet. Examining Metro Ethernet Tunneling. EoMPLS Implementation. Summary. Review Questions.

18. Performance and Connectivity Troubleshooting Tools for Multilayer Switches.

Techniques to Enhance Performance. Monitoring Performance with SPAN and VSPAN. Monitoring Performance with RSPAN. Monitoring Performance Using VACLs with the Capture Option. Troubleshooting Using L2 Traceroute. Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches.

How to Choose a Cisco IOS Software Release

Introduction
This document provides guidelines to help you choose the most appropriate Cisco IOS® Software release to meet your needs, and provides suggestions and tools to aid you in your choice.

Note: In order to use the troubleshooting tools described in this document, you must be a registered customer and you must be logged in.

Prerequisites
Requirements
There are no specific requirements for this document.

Components Used
This document is not restricted to specific software and hardware versions.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

How Do I Choose a Cisco IOS Software Release?
The most important factors to take into account are:

Hardware Support

Feature Support

Cisco IOS Software Release Version

Memory Requirements

Hardware Support
The first thing to check when you choose a Cisco IOS Software release is hardware support. You can find the software requirements of your hardware in the Cisco Product Documentation section of the Documentation CD, but Cisco recommends that you use the Cisco Software Advisor ( registered customers only) , which allows you to search for Cisco IOS Hardware Support.

Note: In order to use the tools, you must:

Compile a list of the different software versions that support all your hardware.

Determine which features have to be deployed within your network.

Feature Support
If you have the output of a show version command from your Cisco device, you can use the Output Interpreter Tool ( registered customers only) to display potential issues and fixes. In order to use this tool, you must be a registered customer, be logged in, and have JavaScript enabled.

It is important to check for feature support, especially if you plan to use recent software features. If you want to keep the same features as the version that currently runs on your router, and you are not sure which feature set you use, issue the show version command on your router.

The second line of the show version command looks like this:

IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)The "JS" is the feature set. In this example, J stands for "Enterprise" and S stands for "Plus". With this knowledge, you can choose a similar feature set.

In order to find out which Cisco IOS Software supports all of the features you plan to use, it is best to use the Cisco Software Advisor ( registered customers only) , which allows you to search by feature(s) or by release, and it even allows you to compare two releases. Write down the different software versions that meet your requirements and that are compatible with your hardware.

Cisco IOS Software Release Version
You still have to choose the particular Cisco IOS Software release you want to run. All of them are fine as long as they support your hardware, contain the features you want, and are compatible with the memory of your router (see Memory Requirements). Here are some general recommendations and guidelines to make it easier for you:

Release Format
Cisco IOS Software releases use the format A.B(C)D where:

A, B, and C are numbers.

D (if present) is a letter.

A.B is a major release.

C is the maintenance version. A higher maintenance number means more bug fixes. Any feature, bug fix, and hardware support available in a particular maintenance version are also available in the next one.

D, if present, indicates that the release is not a major release, but an extension of a major release. These extensions usually provide new features and new hardware support.

Note: Older releases are often more stable than new ones, but also contain fewer features.

Cisco IOS Software Image
The Cisco IOS Software image is either ED, LD, GD, or DF:

ED stands for "Early Deployment." Early Deployment releases offer new feature, platform, or interface support. Most non-major releases contain ED releases.

GD stands for "General Deployment." A major release of Cisco IOS Software reaches the "General Deployment" milestone when Cisco feels it is suitable for deployment anywhere in customer networks where the features and functionality of the release are required. Criteria for reaching the "General Deployment" milestone are based on, but not limited to, customer feedback surveys from production and test networks using the releases, Customer Engineer bug reports, and reported field experience. Only major releases are candidates for the General Deployment milestone.

LD stands for "Limited Deployment." A major release of Cisco IOS Software is said to be in the "Limited Deployment" phase of its life cycle during the period between its first shipment and the GD milestone.

DF stands for "Deferred." DF releases are not available for downloading because of known defects. These should not be installed on your router.

When choosing a release, Cisco recommends a GD release when possible. Only choose an ED release if your hardware and software features leave you no other choice.

Memory Requirements
Before you install a new Cisco IOS Software image on your router, check if your router meets the memory requirements for that image. For this, issue the show version command on your router, and look for these lines:

...
cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory
...
16384K bytes of processor board System flash (Read ONLY)The first line tells you how much Dynamic RAM (DRAM) and Packet memory are installed in your router. Some platforms use a fraction of their DRAM as Packet memory. The memory requirements take this into account, so you have to add both numbers to find the amount of DRAM available on your router (from a memory requirement point of view).

Example 1: Separate DRAM and Packet Memory
...
cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory
...The 4000, 4500, 4700, and 7500 routers have separate DRAM and Packet memory, so you only need to look at the first number. This shows that the router has 65536 K (or 64 M) of DRAM.

Example 2: Combined DRAM and Packet Memory
...
cisco 2611 (MPC860) processor (revision 0x202) with 29696K/3072K bytes of memory
...The 1000, 1600, 2500, 2600, 3600, and 7200 routers use a fraction of DRAM as Packet memory, so you need to add both numbers to find out the real amount of DRAM. In this example, the router has 2969 K + 3072 K = 32768 K (or 32 M) of DRAM.

Example 3: Available Flash Memory
...
cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory
...
16384K bytes of processor board System flash (Read ONLY)The bottom line tells you how much Flash memory is available. Some of it might already be in use. In order to find out the amount of free Flash memory, issue a show flash command:

Router#show flash

System flash directory:
File Length Name/status
1 8407884 c2600-io3s56i-mz.121-6
[8407948 bytes used, 8369268 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)Variants of the show flash command can be used to inspect different specific Flash devices on the platform. Refer to the show flash command definition for information on how to use these variants.

Example 4: Memory Available in Cisco Catalyst 6500/6000 Switches
For Catalyst 6500/6000 Series Switches that run in Hybrid mode, the DRAM must be calculated separately for the Supervisor and Multilayer Switch Feature Card (MSFC).

This is show version command output from the Supervisor module:

Console>show version

WS-C6009 Software, Version NmpSW: 6.2(0.11)KEY

Copyright (c) 1995-2000 by Cisco Systems

NMP S/W compiled on Oct 5 2000, 01:18:33


!--- Output suppressed.


DRAM FLASH NVRAM

Module Total Used Free Total Used Free Total Used Free

------ ------- ------- ------- ------- ------- ------- ----- ----- -----

1 65408K 45402K 20006K 16384K 8683K 7701K 512K 253K 259K


Uptime is 1 day, 19 hours, 54 minutes

Console> (enable) The Supervisor module has 64 MB (65408 KB) of DRAM present.

This is output of the show version command from the MSFC card:

MSFC#show version

Cisco Internetwork Operating System Software
IOS (tm) MSFC Software (C6MSFC-JSV-M),
Version 12.1(8a)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)


!--- Output suppressed.


cisco Cat6k-MSFC (R5000) processor with 57344K/8192K bytes of memory.


!--- Output suppressed.

The MSFC card has a DRAM of 64 MB (57344 KB + 8192 KB).

For Catalyst 6500/6000 Series Switches that run in Native IOS mode, the show version command displays the combined DRAM memory from the Supervisor and MSFC.

Router#show version

Cisco Internetwork Operating System Software


!--- Output suppressed.


System image file is "sup-bootflash:c6sup22-jsv-mz"

cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.


!--- Output suppressed.

The combined DRAM memory present in the switch is 128 MB (112640 KB + 18432 KB).

You need to satisfy both the DRAM and the Flash requirements to be able to use the software you choose. If you do not meet the requirements, you can either add more Flash or more DRAM in the router, or choose another Cisco IOS Software release. You may also consider a reduced feature set or an older release, since they have less features, and therefore fewer requirements.

To find the memory requirements for a particular release, you can use the Cisco IOS Upgrade Planner ( registered customers only) or the Release notes. To access the release notes for a Cisco IOS Software release:

Go to the Cisco IOS Upgrade Planner ( registered customers only) .

Select the major release in which you are interested.

Select Platform Specific Release Notes (or just Release Notes prior to Cisco IOS Software Release 11.2).

Select Cross-Platform Release Notes for the main release (for example, Cisco IOS Software Release 12.0 or 11.3), or choose the correct platform for other releases (such as Cisco IOS Software Release 12.1T or 12.0S).

Select Memory Requirements (or System Requirements, depending on the Cisco IOS Software release) and look for the memory requirements for your Cisco IOS Software image.

For Cisco 3600 and 2600 routers, the number of interfaces also influences the amount of memory necessary. Use the 2600/3600/3700 Memory Calculator ( registered customers only) to verify the requirements. Note that the tool and the release notes provide minimum requirements for normal utilization of the router. If you plan to have, for example, large routing tables on your router, consider installing additional memory.

Download the Cisco IOS Software Image
You should now be ready to go to the Cisco IOS Upgrade Planner ( registered customers only) . Follow these steps:

Select the major release in which you are interested.

Select the platform.

Select the exact version you want to download. (At this point, you can see which versions are GD, LD, or ED [DF releases are not available for downloading]).

Select the feature set you want.

The memory requirements for that feature set are displayed. If your router matches them, go ahead and download the image.