<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2102681227648737782</id><updated>2011-11-27T16:54:53.144-08:00</updated><title type='text'>Cisco Technical Help</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>36</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-6757789180063524945</id><published>2007-10-13T12:37:00.000-07:00</published><updated>2007-10-13T12:39:49.625-07:00</updated><title type='text'>Voip Book for Dummies</title><content type='html'>Product Details&lt;br /&gt;Paperback: 281 pages&lt;br /&gt;Publisher: Wiley-VCH (May 30, 2006)&lt;br /&gt;Language: German&lt;br /&gt;ISBN-10: 3527702628&lt;br /&gt;ISBN-13: 978-3527702626&lt;br /&gt;Download DescriptionPut your phone system on your computer network and see the savings 
See how to get started with VoIP, how it works, and why it saves you money. VoIP is techspeak for “voice over Internet protocol,” but it could spell “saving big bucks” for your business! Here’s where to get the scoop in plain English. Find out how VoIP can save you money, how voice communication travels online, and how to choose the best way to integrate your phone system with your network at home or at the office. Discover how to: use VoIP for your business or home phone service; choose the best network type; set up VoIP on a wireless network; understand transports and services; demonstrate VoIP’s advantages to management.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Download:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rs75.rapidshare.com/files/36593970/VoIP.rar"&gt;http://rs75.rapidshare.com/files/36593970/VoIP.rar&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-6757789180063524945?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/6757789180063524945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=6757789180063524945' title='52 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/6757789180063524945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/6757789180063524945'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/10/voip-book-for-dummies.html' title='Voip Book for Dummies'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>52</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-196389902489163909</id><published>2007-09-01T13:45:00.000-07:00</published><updated>2007-09-01T13:55:31.139-07:00</updated><title type='text'>Cisco Routers for the Desperate</title><content type='html'>&lt;a href="http://4.bp.blogspot.com/_3wK92WxSbPM/RtnPo_yhpDI/AAAAAAAAABs/zStFtLJSowY/s1600-h/images.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5105339955826238514" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_3wK92WxSbPM/RtnPo_yhpDI/AAAAAAAAABs/zStFtLJSowY/s320/images.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;This is a short book that can be read in a single sitting. However, like most hands-on technology books, it’s best to read it in front of a computer accessing the resource being discussed. In this case, a Telnet session with a Cisco router is the fastest way to learn and retain the survival lessons taught. Author Michael Lucas has obviously read many of those thick Cisco router management books, and has effectively distilled the most important morsels of information into this brief handbook. By Chapter 4 (there are nine chapters in all, plus a useful Appendix on IP addresses and netmasks), the book had worked its magic on me. The black rectangular Cisco box sitting in the server rack was no longer the mysterious 2001-like monolith that hummed along and somehow had something to do with delivering my executing Web code to the world. Rather, it was just another computer that could be told what to do. More importantly, it was now a system that I could understand — and even troubleshoot when the time came.&lt;br /&gt;&lt;br /&gt;The book quickly teaches readers about working with the Cisco command line, which is the entry path into router configuration, management, WAN connections, and even upgrading Cisco’s Internetwork Operating System (IOS). 
Chapter 5 on troubleshooting routers is the book’s most important section, and is the real reason behind buying the book in the first place. Focusing on the two primary problem areas for routers (crashes and/or network failure or slowness), the suggestions offered should ideally be incorporated into a disaster recovery procedure for router recovery. At 25 pages, Chapter 7 on redundancy with BGP and HSRP is the book’s lengthiest and most complex chapter, requiring a re-read to grok all the router concepts and blocks of capital letters (ARIN, ASN, BGP, HSRP, MRTG, and RADB). Nevertheless, once these initially cryptic concepts are understood, they not only make sense, they also bring an even deeper appreciation for the complexity that Cisco routers are capable of managing. &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Download:&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;a href="http://rapidshare.com/files/12916306/Cisco_Routers_For_The_Desperate_Router_Management_The_Easy_Way.zip"&gt;&lt;span style="color:#330033;"&gt;http://rapidshare.com/files/12916306/Cisco_Routers_For_The_Desperate_Router_Management_The_Easy_Way.zip&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-196389902489163909?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/196389902489163909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=196389902489163909' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/196389902489163909'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2102681227648737782/posts/default/196389902489163909'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/cisco-routers-for-desperate.html' title='Cisco Routers for the Desperate'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_3wK92WxSbPM/RtnPo_yhpDI/AAAAAAAAABs/zStFtLJSowY/s72-c/images.jpg' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-4263482642544720440</id><published>2007-09-01T13:08:00.000-07:00</published><updated>2007-09-01T13:41:04.420-07:00</updated><title type='text'>H.323 versus SIP: A Comparison</title><content type='html'>&lt;strong&gt;&lt;u&gt;Philosophy&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;H.323 was designed with a good understanding of the requirements for multimedia communication over IP networks, including audio, video, and data conferencing. It defines an entire, unified system for performing these functions, leveraging the strengths of the &lt;a href="http://www.ietf.org/"&gt;IETF&lt;/a&gt; and &lt;a href="http://www.itu.int/ITU-T/"&gt;ITU-T&lt;/a&gt; protocols.&lt;br /&gt;As a result, it might be reasonable for users to expect about the same level of robustness and interoperability as is found on the PSTN today, although this admittedly varies across the globe.&lt;br /&gt;H.323 was designed to scale to add new functionality.  
The most widely deployed use of H.323 is "Voice over IP" followed by "Videoconferencing", both of which are described in the H.323 specifications.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#999900;"&gt;SIP was designed to set up a "session" between two points and to be a modular, flexible component of the Internet architecture. It has a loose concept of a call (that being a "session" with media streams), has no support for multimedia conferencing, and the integration of sometimes disparate standards is largely left up to each vendor.&lt;br /&gt;As a result, SIP is now a 10-year-old protocol with a vast number of interoperability problems.  While SIP has been successfully deployed in some environments, those are generally "closed" environments where the means of interoperability has been PSTN gateways. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Reliability&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 has defined a number of features to handle failure of intermediate network entities, including "alternate gatekeepers", "alternate endpoints", and a means of recovering from connection failures.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP has not defined procedures for handling device failure. If a proxy fails, the user agent detects this through timer expiration. It is the responsibility of the user agent to send a re-INVITE to another proxy, leading to long delays in call establishment.&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Message Definition&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323-&gt; ASN.1, a standardized, extremely precise, easy-to-understand structural notation that is used by many other systems.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP-&gt;ABNF, or Augmented Backus-Naur Form, a syntactical notation. 
SIP uses the ABNF as defined in &lt;/span&gt;&lt;span style="color:#cc9933;"&gt;RFC 2234&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Message Encoding&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 encodes messages in a compact binary format that is suitable for narrowband and broadband connections.  Messages are efficiently encoded and decoded by machines, with decoders widely available (e.g., Ethereal).&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP messages are encoded in ASCII text format, suitable for humans to read. As a consequence, the messages are large and less suitable for networks where bandwidth, delay, and/or processing are a concern.&lt;br /&gt;SIP messages get so large that they sometimes exceed the MTU size when going over WAN links, resulting in delays, packet loss, etc.  As a result, effort has been made to binary encode SIP (e.g., &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3485"&gt;&lt;span style="color:#cc9933;"&gt;RFC 3485&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt; and &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3486"&gt;&lt;span style="color:#cc9933;"&gt;RFC 3486&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;).&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Media Transport&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 -  &lt;a href="http://www.packetizer.com/rfc/rfc3550.txt"&gt;RTP/RTCP&lt;/a&gt;, &lt;a href="http://www.packetizer.com/rfc/rfc3711"&gt;SRTP&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;SIP - &lt;a href="http://www.packetizer.com/rfc/rfc3550"&gt;RTP/RTCP&lt;/a&gt;, &lt;a href="http://www.packetizer.com/rfc/rfc3711"&gt;SRTP&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Extensibility -Vendor Specific&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 is extended with non-standard features in such a way as to avoid conflicts between vendors.  
Globally unique identifiers prevent feature and data element collision.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP is extended by adding new header lines or message bodies that may be used by different vendors to serve different purposes, thus risking interoperability problems. &lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Extensibility -Standard&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 is extended by the standards community to add new features to H.323 in such a way as to not impact existing features. However, new revisions of H.323 are published periodically, which introduce new functionality that is mandatory, yet done in such a way as to preserve backward compatibility&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP is extended by the standards community to add new features to SIP in such a way as to not impact existing features. However, new revisions of SIP are potentially not backward compatible (e.g., &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3261"&gt;&lt;span style="color:#cc9933;"&gt;RFC 3261&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt; was not entirely compatible with &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc2543"&gt;&lt;span style="color:#cc9933;"&gt;RFC 2543&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;). In addition, several extensions are "mandatory" in some implementations, which cause interoperability problems&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Scalability -Load Balancing&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 has the ability to load balance endpoints across a number of alternate gatekeepers in order to scale a local point of presence. 
In addition, endpoints report their available and total capacity so that calls going to a set of gateways, for example, may be best distributed across those gateways.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP has no notion of load balancing, except "trial and error" across pre-provisioned devices or devices learned from DNS SRV records. There is no means of detecting the load on a particular gateway or to know whether a device has failed, meaning that proxies simply have to try a PSTN gateway, wait for the call to timeout, and then try another&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Scalability -Call Signaling&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;When an H.323 gatekeeper is used, it may simply provide address resolution through one RAS message exchange, or it may route all call signaling traffic. In large networks, the direct call model may be used so that endpoints connect directly to one another.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;When using a SIP proxy to perform address resolution for the SIP device, the proxy is required to handle at least 3 full message exchanges for every call.  In large networks, such as &lt;/span&gt;&lt;a href="http://www.techabulary.com/i/ims.html"&gt;&lt;span style="color:#cc9933;"&gt;IMS&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt; networks, the number of messages on the wire may be excessive. 
A basic call between two users may require as many as 30 messages on the wire!&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Scalability -Statelessness&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;An H.323 gatekeeper can be stateless using the direct call model.&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;A SIP proxy can be stateless if it does not fork, use TCP, or use multicast&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Scalability -Address Resolution&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 defines an interface between the endpoint and gatekeeper for address resolution using ARQ or LRQ. The H.323 gatekeeper may use any number of protocols to discover the destination address of the callee, including LRQs to other gatekeepers, &lt;a href="http://ftp3.itu.int/av-arch/avc-site/2005-2008/0604_Gen/draft_h225_v6_2006_final_no_rev_marks.zip"&gt;Annex G/H.225.0&lt;/a&gt;, &lt;a href="http://www.packetizer.com/voip/trip/"&gt;TRIP&lt;/a&gt;, &lt;a href="http://www.packetizer.com/rfc/rfc3762"&gt;ENUM&lt;/a&gt;, and/or &lt;a href="http://www.ietf.org/rfc/rfc1035.txt"&gt;DNS&lt;/a&gt;. The endpoint does not have to be concerned with the mechanics of this process, and the processing requirements for address resolution placed on the gatekeeper by H.323 are for just a single message exchange.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;While SIP has no address-resolution protocol, per se, a SIP user agent may route its INVITE message through a proxy or redirect server in order to resolve addresses. 
The SIP proxy may use various protocols to discover the destination address of the callee, including &lt;/span&gt;&lt;a href="http://www.packetizer.com/voip/trip/"&gt;&lt;span style="color:#cc9933;"&gt;TRIP&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;, &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3761"&gt;&lt;span style="color:#cc9933;"&gt;ENUM&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;, and/or &lt;/span&gt;&lt;a href="http://www.ietf.org/rfc/rfc1035.txt"&gt;&lt;span style="color:#cc9933;"&gt;DNS&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;. The endpoint does not have to be concerned with the mechanics of this process. Unfortunately, the processing requirements placed on the SIP proxy are higher than with H.323 because at least 3 message exchanges must take place between the SIP device, SIP proxy, and the next hop. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;span style="color:#330033;"&gt;Addressing&lt;/span&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;u&gt;&lt;/u&gt;&lt;br /&gt;Flexible addressing mechanisms, including URIs, e-mail addresses, and E.164 numbers.&lt;br /&gt;H.323 supports these aliases:&lt;br /&gt;E.164 dialed digits&lt;br /&gt;generic H.323 ID&lt;br /&gt;URL&lt;br /&gt;transport address&lt;br /&gt;email address&lt;br /&gt;party number&lt;br /&gt;mobile UIM&lt;br /&gt;ISUP number&lt;br /&gt;H.323 also supports overlap sending with no additional overhead, except conveyance of the newly received digits in a single message.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP only understands URI-style addresses. This works fine for SIP-SIP devices, but causes some confusion when trying to translate various dialed digits.  
The unofficial convention is that a "+" sign is inserted in the SIP URI (e.g., "sip:+18005551212@example.com") in order to indicate that the number is in E.164 format, versus a user ID that might be numeric.&lt;br /&gt;SIP has support for overlapped signaling defined in &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3578"&gt;&lt;span style="color:#cc9933;"&gt;RFC 3578&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;, though each additional digit received requires transmission of three messages on the wire (a new INVITE, a 484 response to indicate that the address is incomplete, and an ACK).&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#330033;"&gt;&lt;strong&gt;&lt;u&gt;Billing&lt;/u&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#330033;"&gt;Even with H.323's direct call model, the ability to successfully bill for the call is not lost because the endpoint reports to the gatekeeper the beginning and end time of the call via the RAS protocol.  Various pieces of billing information may be present in the ARQ and DRQ messages at the start and end of the call.&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#330033;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;If the SIP proxy wants to collect billing information, it has no choice but to stay in the call signaling path for the entire duration of the call so that it can detect when the call completes. Even then, the statistics are skewed because the call signaling may have been delayed. Otherwise, there is no mechanism in SIP to perform any accounting/billing function. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;span style="color:#330033;"&gt;Call Setup&lt;/span&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="color:#333333;"&gt;A call can be established in as few as 1.5 round trips using UDP:&lt;br /&gt;Setup -&gt; &lt;- Connect Ack -&gt;&lt;br /&gt;Of course, more elaborate call establishment procedures may be required to negotiate complex capabilities, negotiate complex video modes, etc.&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#333333;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;A call can be established in as few as 1.5 round trips using UDP:&lt;br /&gt;INVITE -&gt; &lt;- 200 OK Ack -&gt;&lt;br /&gt;Most real-world flows are more complex, as they often pass through one or more proxy devices, have intermediary response messages, and "negotiate" capabilities through a "trial and error" process that is far from scientific&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Capability Negotiation&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 entities may exchange capabilities and negotiate which channels to open, including audio, video, and data channels. Individual channels may be opened and closed during the call without disrupting the other channels.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP entities have limited means of exchanging capabilities.  &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3407"&gt;&lt;span style="color:#cc9933;"&gt;RFC 3407&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt; is the state of the art, which is more or less a "declaration" mechanism, not a negotiation procedure. 
The end result is still a "trial and error" approach in case the called party does not support the proposed media&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Call Forking&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 gatekeeper can control the call signaling and may fork the call to any number of devices simultaneously.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP proxies can control the call signaling and may fork the call to any number of devices simultaneously. &lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;PSTN Interworking&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 borrows from traditional PSTN protocols, e.g., Q.931, and is therefore well suited for PSTN integration. However, H.323 does not employ the PSTN's circuit-switched technology--like SIP, H.323 is completely packet-switched. How Media Gateway Controllers fit into the overall H.323 architecture is well-defined within the standard.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP has no commonality with the PSTN and such signaling must be "shoe-horned" into SIP. SIP has no architecture that describes the decomposition of the gateway into the Media Gateway Controller and the Media Gateways. This has been a recent study of 3GPP and others in the form of &lt;/span&gt;&lt;a href="http://www.techabulary.com/i/ims.html"&gt;&lt;span style="color:#cc9933;"&gt;IMS&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;. Presently, there are about 4 "IMS" variants: 3GPP, ITU NGN, 3GPP2, and PacketCable. Pick the architecture you like best, I suppose. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Services&lt;br /&gt;&lt;/u&gt;&lt;/strong&gt;H.323 Services may be provided to the endpoint through a web-browser interface using HTTP or a feature server using Megaco/H.248. In addition, services may be provided to an endpoint as it places a call, as a call arrives, or during the middle of a call by a gatekeeper or other entity that routes the call signaling. As a result, H.323 is well-suited to providing new services.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP devices can receive service from a SIP proxy as the endpoint places a call, as a call arrives, or during the middle of a call. There is no defined way within SIP of providing services via a web browser or a feature server, as everything is done within the context of a "session". &lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Video and Data Conferencing&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 fully supports video and data conferencing. Procedures are in place to provide control for the conference as well as lip synchronization of audio and video streams.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP has limited support for video and no support for data conferencing protocols like T.120. SIP has no protocol to control the conference and there is no mechanism within SIP for lip synchronization. There is no standard means of recovering from packet loss in a video stream (to parallel H.323's "video fast update" command).&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Administrative Requirements&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 does not require a gatekeeper. 
A call can be made directly between two endpoints.&lt;br /&gt;However, most devices do utilize a gatekeeper for the purpose of registration and address resolution.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP does not require a proxy. A call can be made directly between two user agents.&lt;br /&gt;However, most devices do utilize a SIP proxy for the purpose of registration, address resolution, and call routing.&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Codecs&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 supports any codec, standardized or proprietary. No registration authority is required to use any codec in H.323.&lt;br /&gt;&lt;br /&gt;SIP supports any IANA-registered codec (as a legacy feature) or other codec whose name is mutually agreed upon.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Firewall/NAT support&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;Provided by H.323 "proxy" or by the endpoint, both in conjunction with a gatekeeper residing in the public network. Refer to H.460.17, H.460.18, and H.460.19.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP does not define a NAT/FW traversal mechanism, as this is left to other standards. Some standards that have been defined or are being defined are &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc3489"&gt;&lt;span style="color:#cc9933;"&gt;STUN&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;, TURN, &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc4091"&gt;&lt;span style="color:#cc9933;"&gt;ANAT&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt;, and ICE. 
(All of this has been a work in progress for years, with most workable solutions done by agreed convention.)&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Transport protocol&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H.323 Reliable or unreliable, e.g., TCP or UDP. Most H.323 entities use a reliable transport for signaling.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP Reliable or unreliable, e.g., TCP or UDP. Most SIP entities use an unreliable transport for signaling.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Third-party Call Control&lt;br /&gt;&lt;/u&gt;&lt;/strong&gt;H.323 -&gt;Yes, through third-party pause and re-routing which is defined within H.323. More sophisticated control is defined by the related H.450.x series of standards.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP-&gt;Yes, through SIP as described in RFC 3&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Conferencing Entity&lt;/u&gt;&lt;br /&gt;&lt;/strong&gt;H.323-Yes, an MC is required for this, but it could be co-located in a participating endpoint, or all endpoints could contain an MC. A stand-alone conference bridge may provide this functionality and H.323 has well-defined procedures for such entities.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP-No; however, SIP user agents may perform conferencing themselves.  
A stand-alone conference bridge may also provide this functionality&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Authentication&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H 323 - Yes, via H.235.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP-Yes, via HTTP (Digest and Basic), SSL, PGP, S/MIME, or various other means.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;DTMF Carriage&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;H323 - Three ways, with the alphanumeric choice of the H.245 UserInputIndication message being the baseline carriage common to all H.323 endpoints&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;SIP- Three ways. There is no baseline carriage, which presents issues of interoperability. However, transport of DTMF via the INFO method and &lt;/span&gt;&lt;a href="http://www.packetizer.com/rfc/rfc2833"&gt;&lt;span style="color:#cc9933;"&gt;RFC 2833&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#cc9933;"&gt; are most common.&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#cc9933;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-4263482642544720440?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/4263482642544720440/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=4263482642544720440' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4263482642544720440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4263482642544720440'/><link rel='alternate' type='text/html' 
href='http://cisco-information.blogspot.com/2007/09/h323-versus-sip-comparison.html' title='H.323 versus SIP: A Comparison'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-2158686104507761711</id><published>2007-09-01T13:02:00.000-07:00</published><updated>2007-09-01T13:04:29.496-07:00</updated><title type='text'>Cisco CCNP Exam (640-604) Simulator 4.0.0</title><content type='html'>Ensure your success in Cisco CCNP exam (640-604) with Whizlabs simulator, the most effective training software for the Cisco certification exams. Developed by highly experienced and certified professionals, it offers 5 mock exams (280 questions) on the latest pattern in a simulated environment.Last but not the least; it comes with FREE technical support and "Unconditional 100% Money Back Guarantee". Check out the FREE demo version. 
System Requirements 32 MB RAM, 20 MB HD Space,Internet Explorer (5 or above) What's new New test engine, Updated content&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Download :&lt;br /&gt;&lt;br /&gt;&lt;a href="http://software.filefactory.com/Windows/Whizlabs_Cisco_CCNP_Exam_640-604_Simulator_4-0-0/Download.html"&gt;http://software.filefactory.com/Windows/Whizlabs_Cisco_CCNP_Exam_640-604_Simulator_4-0-0/Download.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-2158686104507761711?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/2158686104507761711/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=2158686104507761711' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2158686104507761711'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2158686104507761711'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/cisco-ccnp-exam-640-604-simulator-400.html' title='Cisco CCNP Exam (640-604) Simulator 4.0.0'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5548412787313282161</id><published>2007-09-01T12:57:00.000-07:00</published><updated>2007-09-01T13:00:54.809-07:00</updated><title type='text'>WinAgents RouterTweak 1.0.136.0</title><content type='html'>WinAgents 
RouterTweak is a specialized terminal shell making it easier to control the configuration of routers, switches and firewalls from the Cisco Systems company&lt;br /&gt;&lt;br /&gt;Knowing the principles of working with the command line interface of Cisco devices, you can use WinAgents RouterTweak to automate the most common tasks of network device administration. This approach saves your time by allowing you to hand over routine operations to the program. Here are some benefits you get by using WinAgents RouterTweak:&lt;br /&gt;&lt;br /&gt;Reducing the time needed to connect to a device. Having specified the username and password for connecting to a device only once, you will not have to spend time on entering them again when you connect to your router next time. WinAgents RouterTweak will enter the account data itself and switch to the privileged mode if necessary. Viewing the configuration of a device in a convenient form. Just click once to get the configuration of your device in a visual form. Syntax highlighting and the structure tree of the device configuration will allow you to quicker find your bearings among numerous configuration commands.&lt;br /&gt;&lt;br /&gt;Increasing the speed of work with access control lists (ACL). WinAgents RouterTweak allows you to do without a TFTP server while editing access control lists. You can add, edit and remove commands located in the middle of ACLs. The program knows about the peculiarities of using the command line interface with Cisco access control lists and takes them into account while editing ACLs.&lt;br /&gt;&lt;br /&gt;Usability in editing the configuration of devices. It is easier to edit configuration commands due to the context help system. While you are adding a new command to the configuration file, WinAgents RouterTweak requests its possible parameters from the device. 
In the process of editing commands, you see the list of available variants for each command all the time and can select one of them without entering the entire string.&lt;br /&gt;&lt;br /&gt;Download :&lt;br /&gt;&lt;br /&gt;&lt;a href="http://software.filefactory.com/Windows/WinAgents_RouterTweak_1-0-136-0/Download.html"&gt;http://software.filefactory.com/Windows/WinAgents_RouterTweak_1-0-136-0/Download.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;File Size&lt;br /&gt;3.43 MB&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5548412787313282161?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5548412787313282161/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5548412787313282161' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5548412787313282161'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5548412787313282161'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/winagents-routertweak-101360.html' title='WinAgents RouterTweak 1.0.136.0'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-965910850656719771</id><published>2007-09-01T12:51:00.000-07:00</published><updated>2007-09-01T12:54:38.431-07:00</updated><title type='text'>VoIP Hacks Tips and 
Tools</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_3wK92WxSbPM/RtnDCfyhpCI/AAAAAAAAABk/v5jqhpO06zY/s1600-h/images.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5105326100261741602" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_3wK92WxSbPM/RtnDCfyhpCI/AAAAAAAAABk/v5jqhpO06zY/s320/images.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;VoIP is simply overflowing with hack potential, and VoIP Hacks is the practical guide from O'Reilly that presents these possibilities to you. It provides dozens of hands-on projects for building a VoIP network, showing you how to tweak and customize a multitude of exciting things to get the job done. Along the way, you'll also learn which standards and practices work best for your particular environment. Among the quick and clever solutions showcased in the book are those for: &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;gauging VoIP readiness on an enterprise network&lt;br /&gt;&lt;/div&gt;&lt;div&gt;*using SIP, H.323, and other signaling specifications&lt;br /&gt;*providing low-layer security in a VoIP environment&lt;br /&gt;*employing IP hardphones, analog telephone adapters, and softPBX servers&lt;br /&gt;*dealing with and avoiding the most common VoIP deployment mistakes&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Download :&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;a href="http://rapidshare.com/files/3934671/VoIP.Hacks.Tips._.Tools.for.Internet.Telephony-OReilly.rar"&gt;http://rapidshare.com/files/3934671/VoIP.Hacks.Tips._.Tools.for.Internet.Telephony-OReilly.rar&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-965910850656719771?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://cisco-information.blogspot.com/feeds/965910850656719771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=965910850656719771' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/965910850656719771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/965910850656719771'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/voip-hacks-tips-and-tools.html' title='VoIP Hacks Tips and Tools'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_3wK92WxSbPM/RtnDCfyhpCI/AAAAAAAAABk/v5jqhpO06zY/s72-c/images.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-8385853392929234644</id><published>2007-09-01T11:59:00.001-07:00</published><updated>2007-09-01T12:04:47.882-07:00</updated><title type='text'>Cisco: A Beginner's Guide, Fourth Edition</title><content type='html'>&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_3wK92WxSbPM/Rtm2tPyhpBI/AAAAAAAAABc/wON8xZHM7eQ/s1600-h/4th.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5105312541049988114" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_3wK92WxSbPM/Rtm2tPyhpBI/AAAAAAAAABc/wON8xZHM7eQ/s320/4th.jpg" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;TITLE : Cisco: A Beginner's Guide, Fourth Edition (Beginner's Guide (Osborne Mcgraw Hill)) (Paperback)&lt;/div&gt;&lt;div&gt;AUTHOR : by Toby Velte (Author), Anthony Velte 
(Author)&lt;/div&gt;&lt;div&gt;PUBLISHER : McGraw-Hill Osborne Media publisher&lt;/div&gt;&lt;div&gt;ISBN : 0072263830&lt;/div&gt;&lt;div&gt;EDITION : 4th&lt;/div&gt;&lt;div&gt;PUB DATE : November 17, 2006&lt;/div&gt;&lt;div&gt;LANGUAGE : English &lt;/div&gt;&lt;div&gt;                           RLS DATE : 04/26/2007&lt;/div&gt;&lt;div&gt;                           BBLFORMAT : CHM SIZE : 11 x 2.88 MB&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Here is a fully updated edition of the bestselling introductory guide to Cisco products and technologies. Cisco: A Beginner's Guide, Fourth Edition provides you with a practical hands-on resource for successfully designing and managing a Cisco network. Learn to work with Cisco routers and switches, wireless technologies, and storage tools. You'll also get full details on network security, including firewalls, as well as communications solutions such as VoIP. This is a must-have resource for anyone interested in internetworking and Cisco technologies. 
&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;- Work with Cisco's Internet technologies&lt;/div&gt;&lt;div&gt;- Configure Cisco routers and networks&lt;/div&gt;&lt;div&gt;- Understand Cisco internetworking technologies including LAN switches, multilayered switching, and VLANs&lt;/div&gt;&lt;div&gt; - Secure your network using CiscoSecure ACS, Cisco PIX firewall, IOS Firewall, and other methods&lt;/div&gt;&lt;div&gt; - Enable wireless internetworking using the Cisco Aironet and Airespace products&lt;/div&gt;&lt;div&gt; - Deploy VoIP via Cisco Unified Communications&lt;/div&gt;&lt;div&gt;- Implement Cisco storage area network (SAN) and content delivery network (CDN) solutions &lt;/div&gt;&lt;div&gt;- Use both open standard routing protocols (RIP, OSPF, BGP) and Cisco-proprietary protocols (IGRP and EIGRP) &lt;/div&gt;&lt;div&gt;- Design, manage, and troubleshoot a robust Cisco network&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Download:&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Code:  &lt;a href="http://depositfiles.com/files/805958"&gt;http://depositfiles.com/files/805958&lt;/a&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;a href="http://rapidshare.com/files/28266821/0072263830.zip"&gt;http://rapidshare.com/files/28266821/0072263830.zip&lt;/a&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-8385853392929234644?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/8385853392929234644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=8385853392929234644' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8385853392929234644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8385853392929234644'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/cisco-beginners-guide-fourth-edition.html' title='Cisco: A Beginner&apos;s Guide, Fourth Edition'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_3wK92WxSbPM/Rtm2tPyhpBI/AAAAAAAAABc/wON8xZHM7eQ/s72-c/4th.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-8090292387223218503</id><published>2007-09-01T11:53:00.000-07:00</published><updated>2007-09-01T11:57:14.919-07:00</updated><title type='text'>CBT Cisco CCNA Vol.1 - Vol.3 CD</title><content type='html'>CBT Cisco CCNA Vol.1 - Vol.3 CD  810 MB&lt;img id="BLOGGER_PHOTO_ID_5105311106530911234" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://3.bp.blogspot.com/_3wK92WxSbPM/Rtm1ZvyhpAI/AAAAAAAAABU/iKOWI9P6c7M/s320/images.jpg" border="0" /&gt;&lt;br /&gt;--------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;div&gt;The CCNA certification (Cisco Certified Network Associate) indicates a foundation in and apprentice knowledge of networking. 
CCNA certified professionals can install, configure, and operate LAN, WAN, and dial access services for small and medium networks, including but not limited to use of these protocols: IP, IGRP, Serial, Frame Relay, IP RIP, VLANs, RIP, Ethernet, Access Lists.&lt;br /&gt;All courses are distributed on CD-ROM so there is no need for an internet connection. Just install the courses to your personal computer or laptop and let the learning begin. All trainers are certified professionals with an average of 8-12 years of experience in their field.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Download:&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;a href="http://www.filefactory.com/file/c709bd"&gt;http://www.filefactory.com/file/c709bd&lt;/a&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-8090292387223218503?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/8090292387223218503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=8090292387223218503' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8090292387223218503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8090292387223218503'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/cbt-cisco-ccna-vol1-vol3-cd.html' title='CBT Cisco CCNA Vol.1 - Vol.3 CD'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_3wK92WxSbPM/Rtm1ZvyhpAI/AAAAAAAAABU/iKOWI9P6c7M/s72-c/images.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-3444407033611407348</id><published>2007-09-01T10:58:00.000-07:00</published><updated>2007-09-01T11:00:52.979-07:00</updated><title type='text'>Download CertExams Router Simulator 3.0</title><content type='html'>Provides lab exercises and Cisco IOS router console simulation with advanced features like RIP, EIGRP, OSPF routing, telnet, and ping support. Lab exercises -currently 40+ labs are included. Router console simulator Simulate up to 3 Cisco® IOS routers 60+ router commands supported Labs for 1900 and 2950 switches included Detailed help files The router labs made available in the Router Simulator are given below. Please note that we add and/modify the labs from time to time. 
Available Labs 1.0 Switch Fundamentals: 1.1 switch 1900 password assignment 1.2 switch 2950 console password assignment 1.3 switch 2950 vty password assignment 1.4 switch 2950 setting privileged EXE password 1.5 2950 enable interface 1.6 Basic switch interface configuration 2.0 IOS Fundamentals Lab 2.1 Logging to the router 2.2 Router banner MOTD 2.3 Setting host name 2.4 Interface configuration 2.5 Setting bandwidth 2.6 Setting console password 2.7 Setting telnet password 2.8 Copy active configuration 2.9 CDP configuration 2.10 Show CDP 2.11 Show CDP neighbors 2.12 Shutdown an interface 2.13 Set keepalive 2.14 Show commands 2.15 Setting password 2.16 Setting Hostname and Banner 2.17 Configuring Router Console and Line Passwords 3.0 Switch Configuration and VLAN 3.1 Basic switch IP configuration 3.2 Troubleshooting 1900 series switch 3.3 Configuring 2950 series switch 3.4 Troubleshooting 2950 switch 3.5 Configuring VLANs on 1900 and 2950 switches 4.0 Access Lists 4.1 Creating access-list 4.2 Applying access-list to an interface 4.3 View access-list entries 4.4 Standard access-lists: Scenario lab 1 4.5 Standard access-lists: Scenario lab 2 4.6 Extended access-lists: Scenario lab 1 4.7 Router Access-List Configuration 5.0 Routing Fundamentals Labs 5.1 Configuring RIP 5.2 Configuring static routes 5.3 Configuring default routes 5.4 Viewing IP RIP information 5.5 Basic IGRP routing 6.0 Wide Area Networking 6.1 PPP configuration&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Download :&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rapidshare.de/files/23870647/RoutSim.rarhttp://depositfiles.com/files/322272"&gt;http://rapidshare.de/files/23870647/RoutSim.rarhttp://depositfiles.com/files/322272&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Password/Crack CCNA &lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-3444407033611407348?l=cisco-information.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/3444407033611407348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=3444407033611407348' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3444407033611407348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3444407033611407348'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/download-certexams-router-simulator-30.html' title='Download CertExams Router Simulator 3.0'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-3819518022716374480</id><published>2007-09-01T10:40:00.000-07:00</published><updated>2007-09-01T10:56:39.794-07:00</updated><title type='text'>Router Troubleshooting 2</title><content type='html'>&lt;strong&gt;Q.You want to clear an old configuration out of your router and return it to a factory default configuration.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans.&lt;/strong&gt;You can delete the current startup configuration files and return the router to its factory default settings with the erase nvram: command:&lt;br /&gt;&lt;br /&gt;Router1#erase nvram:&lt;br /&gt;Erasing the nvram filesystem will remove all files! Continue? [confirm] &lt;enter&gt;&lt;br /&gt;[OK]&lt;br /&gt;Erase of nvram: complete&lt;br /&gt;Router1#reload&lt;br /&gt;System configuration has been modified. Save? 
[yes/no]: no&lt;br /&gt;Proceed with reload? [confirm] &lt;enter&gt;&lt;br /&gt;You can achieve the same result with the erase startup-config command:&lt;br /&gt;Router1#erase startup-config&lt;br /&gt; Erasing the nvram filesystem will remove all files! Continue? [confirm] &lt;enter&gt;&lt;br /&gt;[OK]&lt;br /&gt;Erase of nvram: complete&lt;br /&gt;Router1#reload&lt;br /&gt;Proceed with reload? [confirm] &lt;enter&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to upgrade the IOS image that your router uses.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;The copy tftp command allows you to use TFTP to download a new IOS version into the router's Flash memory:&lt;br /&gt;&lt;br /&gt;Router1#copy &lt;tftp://172.25.1.1/c2600-ik9o3s-mz.122-12a.bin&gt; flash:&lt;br /&gt;Destination filename [c2600-ik9o3s-mz.122-12a.bin]? &lt;enter&gt;&lt;br /&gt;Accessing &lt;tftp://172.25.1.1/c2600-ik9o3s-mz.122-12a.bin&gt;..&lt;br /&gt;Erase flash: before copying? [confirm] &lt;enter&gt;&lt;br /&gt;Erasing the flash filesystem will remove all files! Continue? [confirm] &lt;enter&gt;&lt;br /&gt;Erasing&lt;br /&gt;device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...&lt;br /&gt;erased&lt;br /&gt;Erase of flash: complete&lt;br /&gt;Loading c2600-ik9o3s-mz.122-12a.bin from 172.25.1.1 (via Fastethernet0/0.1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 11135588 bytes]&lt;br /&gt;Verifying checksum... OK (0xE643)&lt;br /&gt;11135588 bytes copied in 82.236 secs (135410 bytes/sec)&lt;br /&gt;Router1# reload&lt;br /&gt;Proceed with reload? 
[confirm] &lt;enter&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to save a backup copy of your IOS image on a TFTP server.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;You can upload a copy of your router's IOS image to a TFTP server with the following set of commands:&lt;br /&gt;&lt;br /&gt;Freebsd% touch /tftpboot/c2600-ik9o3s-mz.122-12a.bin&lt;br /&gt;Freebsd% chmod 666 /tftpboot/c2600-ik9o3s-mz.122-12a.bin&lt;br /&gt;Freebsd% telnet Router1&lt;br /&gt;Trying 172.25.1.5...&lt;br /&gt;Connected to Router1.Escape character is '^]'.&lt;br /&gt;User Access Verification&lt;br /&gt;Password: &lt;vtypassword&gt;&lt;br /&gt;Router1&gt;enPassword: &lt;enablepassword&gt;&lt;br /&gt;Router1#copy flash:c2600-ik9o3s-mz.122-12a.bin tftp&lt;br /&gt;Address or name of remote host [ ]? 172.25.1.1&lt;br /&gt;Destination filename [c2600-ik9o3s-mz.122-12a.bin]? &lt;enter&gt;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11135588 bytes copied in 52.588 secs (211752 bytes/sec)&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to load an IOS image into your router through a serial connection to the console or AUX ports.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;You can use the following set of commands to copy an IOS image onto a router through the console or the AUX port:&lt;br /&gt;&lt;br /&gt;Router1#copy xmodem: slot1:&lt;br /&gt; **** WARNING ****&lt;br /&gt;x/ymodem is a slow transfer protocol limited to the current speedsettings of the auxiliary/console ports. 
The use of the auxilaryport for this download is strongly recommended.During the course of the download no exec input/output will be available.&lt;br /&gt;---- ******* ----&lt;br /&gt;Proceed? [confirm] &lt;enter&gt;&lt;br /&gt;Destination filename [ ]? c3620-ik9s-mz.122-12a.bin&lt;br /&gt;Erase slot1: before copying? [confirm] &lt;enter&gt;&lt;br /&gt;Use crc block checksumming? [confirm] &lt;enter&gt;&lt;br /&gt;Max Retry Count [10]: &lt;enter&gt;&lt;br /&gt;Perform image validation checks? [confirm] &lt;enter&gt;&lt;br /&gt;Xmodem download using crc checksumming with image validationContinue? [confirm] &lt;enter&gt;&lt;br /&gt;Ready to receive file...........CC &lt;start&gt;&lt;br /&gt;4294967295 bytes copied in 1450.848 secs (1271445669961 bytes/sec)&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to configure and monitor your router using a browser interface.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;Cisco includes an HTTP server in the IOS. You can enable this feature on a router and then use any standard web browser instead of Telnet to access the router:&lt;br /&gt;&lt;br /&gt;Router1#configure terminal&lt;br /&gt; Enter configuration commands, one per line. 
End with CNTL/Z.&lt;br /&gt;Router1(config)#access-list 75 permit 172.25.1.1&lt;br /&gt;Router1(config)#access-list 75 deny any&lt;br /&gt;Router1(config)#ip http server&lt;br /&gt;Router1(config)#ip http access-class 75&lt;br /&gt;Router1(config)#end&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to set the router to automatically reload at a specified time.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans.&lt;/strong&gt;You can set the router to reload after waiting a particular length of time with the reload in command:&lt;br /&gt;&lt;br /&gt;Router1#reload in 20&lt;br /&gt;Reload scheduled for 11:33:53 EST Sat Feb 1 2003 (in 20 minutes)&lt;br /&gt;Proceed with reload? [confirm] &lt;enter&gt;&lt;br /&gt;Router1#&lt;br /&gt;The reload at command lets you specify a particular time and date when you want the router to reload:&lt;br /&gt;Router1#reload at 14:00 Feb 2&lt;br /&gt;Reload scheduled for 14:00:00 EST Sun Feb 2 2003 (in 26 hours and 44 minutes)&lt;br /&gt;Proceed with reload? 
[confirm] &lt;enter&gt;&lt;br /&gt;Router1#&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-3819518022716374480?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/3819518022716374480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=3819518022716374480' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3819518022716374480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3819518022716374480'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/router-troubleshooting-2.html' title='Router Troubleshooting 2'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5868356058054087593</id><published>2007-09-01T09:46:00.000-07:00</published><updated>2007-09-01T10:21:29.065-07:00</updated><title type='text'>Router Troubleshooting</title><content type='html'>&lt;strong&gt;Q.Restore the Cisco IOS to a router&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Ans.&lt;/strong&gt;Have you ever accidentally wiped out the IOS on your router? If you're working quickly and not paying attention, it can be an easy mistake to make. 
All it takes is making a typo in the destination filename when you're trying to save a change.&lt;br /&gt;Here's an example:&lt;br /&gt;&lt;br /&gt;router# copy running-config startp-config&lt;br /&gt;Destination filename [startp-config]?&lt;br /&gt;Erase flash: before copying? [confirm]&lt;br /&gt;Erasing the flash filesystem will remove all files! Continue? [confirm]&lt;br /&gt;&lt;br /&gt;Hitting [Enter] a couple of times out of habit can all too quickly wipe out the IOS. If you don't realize the mistake in time, rebooting the router means the IOS is gone for good, and the router won't boot up.&lt;br /&gt;&lt;br /&gt;Losing the IOS can also happen when upgrading the flash on the router. As the Cisco IOS grows larger, having to upgrade your flash is a very common task. But when you install the new flash, it has no IOS, leaving you in the same position as if you had accidentally erased the flash.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, if you're like many people, when you wipe out the IOS, you may not have a backup copy of the IOS. Or, you may not have access to the Cisco IOS download site or have the time to download the somewhat large IOS file.&lt;br /&gt;&lt;br /&gt;And if you're looking for the same IOS on all of your routers, it can be difficult to locate it on the Cisco IOS download site. Many times, it's much easier to take the IOS from an existing router and restore it on the router that's missing its IOS.&lt;br /&gt;&lt;br /&gt;Let's look at the step-by-step process for restoring the Cisco IOS to a router using this method.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Install a TFTP server&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;First you need to install a TFTP server. I recommend the Tftpd32 server, which you can download from the Web. This is a great TFTP server, without a lot of the fluff that most of the others have. 
At less than 1 MB, it's very small and has no install application.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Run the TFTP server on a PC&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;If you've just pulled the working router off a shelf, you can connect the PC to the router with a reverse Ethernet cable. Configure the router and PC on the same network. Make sure that you can ping the router and that the router can ping you.&lt;br /&gt;&lt;br /&gt;If your working router is up on your network, you can just download the IOS over the network directly using the instructions in the next section.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Copy the IOS from the working router to the PC&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Here's an example of how to accomplish this:&lt;br /&gt;&lt;br /&gt;copy c2600-12-3.xxxx.bin tftp://10.253.15.72&lt;br /&gt;&lt;br /&gt;Replace 10.253.15.72 with the IP address of your PC, and replace c2600 with the name of your IOS. (You can locate the name of the IOS on the working router using the show flash command.)&lt;br /&gt;&lt;br /&gt;This saves the IOS on the PC in the directory configured by the TFTP server. Figure A shows an example of what it looks like while downloading. Make sure to note the directory in which you'll save the IOS.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Download the IOS to the nonworking router&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The best way to accomplish this is via Ethernet. The alternative—using XMODEM through the console—will be very slow, even if you increase the serial port baud rate to the maximum. So, instead, connect the PC's reverse Ethernet cable to the nonworking router (or use two normal/straight-through Ethernet cables and a switch).&lt;br /&gt;&lt;br /&gt;Without an IOS, the nonworking router will boot up in ROMmon mode. The prompt will look like this:&lt;br /&gt;&lt;br /&gt;rommon&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Verify the necessary settings&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;On the console of the nonworking router while in ROMmon mode, use the set command to display the current settings, which the program will use to download the IOS via TFTP. 
(For a Cisco example of these steps, check out this Cisco documentation.)&lt;br /&gt;&lt;br /&gt;For example, here are the settings you must set for the tftpdnld command to work:&lt;br /&gt;&lt;br /&gt;rommon&gt; set&lt;br /&gt;IP_ADDRESS=10.253.100.126&lt;br /&gt;IP_SUBNET_MASK=255.255.0.0&lt;br /&gt;TFTP_SERVER=10.253.15.72&lt;br /&gt;DEFAULT_GATEWAY=10.253.1.1&lt;br /&gt;TFTP_FILE={the name of the IOS that is saved on the PC}&lt;br /&gt;&lt;br /&gt;However, your settings may not contain any of the required variables for the tftpdnld command. By default, it may look something like this:&lt;br /&gt;&lt;br /&gt;rommon 9 &gt; set&lt;br /&gt;PS1=rommon ! &gt;&lt;br /&gt;BSI=0&lt;br /&gt;RET_2_RUTC=0&lt;br /&gt;RET_2_RTS=?=1&lt;br /&gt;&lt;br /&gt;If this is the case, set the required variables. While it might seem obvious to use the set command to set the variables, you can actually set the variables simply by entering the name of the variable, the equal sign [=], and the value.&lt;br /&gt;&lt;br /&gt;For example, to set the IP address of the broken router, you would use the following:&lt;br /&gt;&lt;br /&gt;IP_ADDRESS=10.253.100.126&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Final steps&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;After setting your values, run the tftpdnld command, which will replace the IOS. Listing A provides an example of how I restored a router.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;An alternate approach to the tftpdnld command&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;However, if the tftpdnld command doesn't work for some reason, you can use the xmodem command to send the IOS over the serial console line. (For instructions for this process, check out this Cisco documentation.) 
However, if you decide to take this route, it's a good idea to change the baud rate on the console and your PC to 115,200; at 9600 baud, an 8-MB IOS file takes more than four hours to transfer over the console.&lt;br /&gt;&lt;br /&gt;On a final note, keep in mind that different models of Cisco routers and different Cisco firmware versions respond differently. For example, these commands performed on a 2600 series router may not work on a 3600 series router. However, the basic process remains the same.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to load configuration commands via the Trivial File Transfer Protocol (TFTP).&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;You can use the copy tftp: command to configure the router via TFTP:&lt;br /&gt;Router1#copy tftp://172.25.1.1/NEWCONFIG running-config&lt;br /&gt;Destination filename [running-config]? &lt;enter&gt;&lt;br /&gt;Accessing tftp://172.25.1.1/NEWCONFIG...&lt;br /&gt;Loading NEWCONFIG from 172.25.1.1 (via FastEthernet0/0.1): !&lt;br /&gt;[OK - 24 bytes]&lt;br /&gt;24 bytes copied in 0.192 secs (125 bytes/sec)&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to store a backup copy of your router's configuration on a TFTP server.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Ans.&lt;/strong&gt; This example shows how to use TFTP to upload a copy of the router's active configuration to a remote server:&lt;br /&gt;router#telnet Router1&lt;br /&gt;Trying 172.25.1.5...&lt;br /&gt;Connected to Router1.&lt;br /&gt;Escape character is '^]'.&lt;br /&gt;User Access Verification&lt;br /&gt;Password: &lt;vtypassword&gt;&lt;br /&gt;Router1&gt;en&lt;br /&gt;Password: &lt;enablepassword&gt;&lt;br /&gt;Router1#copy running-config tftp://172.25.1.1/router1-confg&lt;br /&gt;Address or name of remote host [172.25.1.1]? &lt;enter&gt;&lt;br /&gt;Destination filename [router1-confg]? 
&lt;enter&gt;&lt;br /&gt;!!!&lt;br /&gt;9640 bytes copied in 3.956 secs (2437 bytes/sec)&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.You want to boot the router using an alternate configuration.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;The following set of commands allows you to automatically load a configuration file located on a remote TFTP server when the router boots:&lt;br /&gt;Router1#configure terminal&lt;br /&gt;Enter configuration commands, one per line.  End with CNTL/Z.&lt;br /&gt;Router1(config)#service config&lt;br /&gt;Router1(config)#boot network tftp Network-auto 172.25.1.1&lt;br /&gt;Router1(config)#boot host tftp Router8-auto 172.25.1.1&lt;br /&gt;Router1(config)#end&lt;br /&gt;Router1#&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Q.Your configuration file has become larger than the router's available NVRAM.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Ans. &lt;/strong&gt;You can compress your router's configuration file before saving it to NVRAM to allow you to save more configuration information. The command service compress-config will compress the configuration information when the router saves the file, and uncompress it when it is required:&lt;br /&gt;Router1#configure terminal&lt;br /&gt; Enter configuration commands, one per line.  
End with CNTL/Z.&lt;br /&gt;Router1(config)#service compress-config&lt;br /&gt;Router1(config)#end                   &lt;br /&gt; Router1#&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5868356058054087593?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5868356058054087593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5868356058054087593' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5868356058054087593'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5868356058054087593'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/router-troubleshooting.html' title='Router Troubleshooting'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5933044406611119610</id><published>2007-09-01T09:40:00.000-07:00</published><updated>2007-09-01T09:45:48.063-07:00</updated><title type='text'>ISDN Message Codes</title><content type='html'>Decimal Value&lt;br /&gt;Hex Value&lt;br /&gt;Cause&lt;br /&gt;Diagnostics&lt;br /&gt;Explanation&lt;br /&gt;--------------------------------------------------------------------------------------&lt;br /&gt;&lt;br 
/&gt;1&lt;br /&gt;01&lt;br /&gt;Unallocated (unassigned) number&lt;br /&gt;Note 10&lt;br /&gt;The ISDN number was sent to the switch in the correct format; however, the number is not assigned to any destination equipment.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2&lt;br /&gt;02&lt;br /&gt;No route to specified transit network&lt;br /&gt;Transit network identity (Note 9)&lt;br /&gt;The ISDN exchange is asked to route the call through an unrecognized intermediate network.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3&lt;br /&gt;03&lt;br /&gt;No route to destination&lt;br /&gt;Note 10&lt;br /&gt;The call was routed through an intermediate network that does not serve the destination address.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;6&lt;br /&gt;06&lt;br /&gt;Channel unacceptable&lt;br /&gt;&lt;br /&gt;The service quality of the specified channel is insufficient to accept the connection.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;7&lt;br /&gt;07&lt;br /&gt;Call awarded and being delivered in an established channel&lt;br /&gt;&lt;br /&gt;The user is assigned an incoming call that is being connected to an already-established call channel.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;16&lt;br /&gt;10&lt;br /&gt;Normal call clearing&lt;br /&gt;Note 10&lt;br /&gt;Normal call clearing has occurred.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;17&lt;br /&gt;11&lt;br /&gt;User busy&lt;br /&gt;&lt;br /&gt;The called system acknowledges the connection request but is unable to accept the call because all B channels are in use.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;18&lt;br /&gt;12&lt;br /&gt;No user responding&lt;br /&gt;&lt;br /&gt;The connection cannot be completed because the destination does not respond to the call.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br 
/&gt;&lt;br /&gt;&lt;br /&gt;19&lt;br /&gt;13&lt;br /&gt;No answer from user (user alerted)&lt;br /&gt;&lt;br /&gt;The destination responds to the connection request but fails to complete the connection within the prescribed time. The problem is at the remote end of the connection.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;21&lt;br /&gt;15&lt;br /&gt;Call rejected&lt;br /&gt;Note 10. User supplied diagnostic (Note 4)&lt;br /&gt;The destination is capable of accepting the call but rejected the call for an unknown reason.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;22&lt;br /&gt;16&lt;br /&gt;Number changed&lt;br /&gt;&lt;br /&gt;The ISDN number used to set up the call is not assigned to any system.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;26&lt;br /&gt;1A&lt;br /&gt;Non-selected user clearing&lt;br /&gt;&lt;br /&gt;The destination is capable of accepting the call but rejected the call because it was not assigned to the user.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;27&lt;br /&gt;1B&lt;br /&gt;Destination out of order&lt;br /&gt;&lt;br /&gt;The destination cannot be reached because the interface is not functioning correctly, and a signaling message cannot be delivered. This might be a temporary condition, but it could last for an extended period of time. 
For example, the remote equipment might be turned off.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;28&lt;br /&gt;1C&lt;br /&gt;Invalid number format&lt;br /&gt;&lt;br /&gt;The connection could not be established because the destination address was presented in an unrecognizable format or because the destination address was incomplete.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;29&lt;br /&gt;1D&lt;br /&gt;Facility rejected&lt;br /&gt;Facility identification (Note 1)&lt;br /&gt;The facility requested by the user cannot be provided by the network.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;30&lt;br /&gt;1E&lt;br /&gt;Response to STATUS ENQUIRY&lt;br /&gt;&lt;br /&gt;The status message was generated in direct response to the prior receipt of a status enquiry message.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;31&lt;br /&gt;1F&lt;br /&gt;Normal, unspecified&lt;br /&gt;&lt;br /&gt;Reports the occurrence of a normal event when no standard cause applies. No action required.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;34&lt;br /&gt;22&lt;br /&gt;No circuit/channel available&lt;br /&gt;&lt;br /&gt;The connection cannot be established because no appropriate channel is available to take the call.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;38&lt;br /&gt;26&lt;br /&gt;Network out of order&lt;br /&gt;&lt;br /&gt;The destination cannot be reached because the network is not functioning correctly, and the condition might last for an extended period of time. An immediate reconnect attempt will probably be unsuccessful.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;41&lt;br /&gt;29&lt;br /&gt;Temporary failure&lt;br /&gt;&lt;br /&gt;An error occurred because the network is not functioning correctly. 
The problem will be resolved shortly.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;42&lt;br /&gt;2A&lt;br /&gt;Switching equipment congestion&lt;br /&gt;&lt;br /&gt;The destination cannot be reached because the network switching equipment is temporarily overloaded.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;43&lt;br /&gt;2B&lt;br /&gt;Access information discarded&lt;br /&gt;Discarded information element identifier(s) (Note 5)&lt;br /&gt;The network cannot provide the requested access information.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;44&lt;br /&gt;2C&lt;br /&gt;Requested circuit/channel not available&lt;br /&gt;&lt;br /&gt;The remote equipment cannot provide the requested channel for an unknown reason. This might be a temporary problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;47&lt;br /&gt;2F&lt;br /&gt;Resources unavailable, unspecified&lt;br /&gt;&lt;br /&gt;The requested channel or service is unavailable for an unknown reason. This might be a temporary problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;49&lt;br /&gt;31&lt;br /&gt;Quality of service unavailable&lt;br /&gt;&lt;a href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/dbook/disdn.htm#17167"&gt;Table B-2&lt;/a&gt;&lt;br /&gt;The requested quality of service cannot be provided by the network. 
This might be a subscription problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;50&lt;br /&gt;32&lt;br /&gt;Requested facility not subscribed&lt;br /&gt;Facility identification (Note 1)&lt;br /&gt;The remote equipment supports the requested supplementary service by subscription only.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;57&lt;br /&gt;39&lt;br /&gt;Bearer capability not authorized&lt;br /&gt;Note 3&lt;br /&gt;The user requested a bearer capability that the network provides, but the user is not authorized to use it. This might be a subscription problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;58&lt;br /&gt;3A&lt;br /&gt;Bearer capability not presently available&lt;br /&gt;Note 3&lt;br /&gt;The network normally provides the requested bearer capability, but it is unavailable at the present time. This might be due to a temporary network problem or to a subscription problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;63&lt;br /&gt;3F&lt;br /&gt;Service or option not available, unspecified&lt;br /&gt;&lt;br /&gt;The network or remote equipment was unable to provide the requested service option for an unspecified reason. 
This might be a subscription problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;65&lt;br /&gt;41&lt;br /&gt;Bearer capability not implemented&lt;br /&gt;Note 3&lt;br /&gt;The network cannot provide the bearer capability requested by the user.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;66&lt;br /&gt;42&lt;br /&gt;Channel type not implemented&lt;br /&gt;Channel Type (Note 6)&lt;br /&gt;The network or the destination equipment does not support the requested channel type.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;69&lt;br /&gt;45&lt;br /&gt;Requested facility not implemented&lt;br /&gt;Facility Identification (Note 1)&lt;br /&gt;The remote equipment does not support the requested supplementary service.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;70&lt;br /&gt;46&lt;br /&gt;Only restricted digital information bearer capability is available&lt;br /&gt;&lt;br /&gt;The network is unable to provide unrestricted digital information bearer capability.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;79&lt;br /&gt;4F&lt;br /&gt;Service or option not implemented, unspecified&lt;br /&gt;&lt;br /&gt;The network or remote equipment is unable to provide the requested service option for an unspecified reason. 
This might be a subscription problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;81&lt;br /&gt;51&lt;br /&gt;Invalid call reference value&lt;br /&gt;&lt;br /&gt;The remote equipment received a call with a call reference that is not currently in use on the user-network interface.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;82&lt;br /&gt;52&lt;br /&gt;Identified channel does not exist&lt;br /&gt;Channel identity&lt;br /&gt;The receiving equipment is requested to use a channel that is not activated on the interface for calls.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;83&lt;br /&gt;53&lt;br /&gt;A suspended call exists, but this call identity does not&lt;br /&gt;&lt;br /&gt;The network received a call resume request. The call resume request contained a Call Identity information element that indicates that the call identity is being used for a suspended call.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;84&lt;br /&gt;54&lt;br /&gt;Call identity in use&lt;br /&gt;&lt;br /&gt;The network received a call resume request. The call resume request contained a Call Identity information element that indicates that it is in use for a suspended call.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;85&lt;br /&gt;55&lt;br /&gt;No call suspended&lt;br /&gt;&lt;br /&gt;The network received a call resume request when there was not a suspended call pending. This might be a transient error that will be resolved by successive call retries.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;86&lt;br /&gt;56&lt;br /&gt;Call having the requested call identity has been cleared&lt;br /&gt;Clearing cause&lt;br /&gt;The network received a call resume request. The call resume request contained a Call Identity information element, which once indicated a suspended call. 
However, the suspended call was cleared either by timeout or by the remote user.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;88&lt;br /&gt;58&lt;br /&gt;Incompatible destination&lt;br /&gt;Incompatible parameter (Note 2)&lt;br /&gt;Indicates that an attempt was made to connect to non-ISDN equipment. For example, to an analog line.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;91&lt;br /&gt;5B&lt;br /&gt;Invalid transit network selection&lt;br /&gt;&lt;br /&gt;The ISDN exchange was asked to route the call through an unrecognized intermediate network.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;95&lt;br /&gt;5F&lt;br /&gt;Invalid message, unspecified&lt;br /&gt;&lt;br /&gt;An invalid message was received, and no standard cause applies. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;96&lt;br /&gt;60&lt;br /&gt;Mandatory information element is missing&lt;br /&gt;Information element identifier(s) (Note 5)&lt;br /&gt;The receiving equipment received a message that did not include one of the mandatory information elements. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;97&lt;br /&gt;61&lt;br /&gt;Message type non-existent or not implemented&lt;br /&gt;Message type&lt;br /&gt;The receiving equipment received an unrecognized message, either because the message type was invalid or because the message type was valid but not supported. 
The cause is due to either a problem with the remote configuration or a problem with the local D channel.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;98&lt;br /&gt;62&lt;br /&gt;Message not compatible with call state or message type non-existent or not implemented&lt;br /&gt;Message type&lt;br /&gt;The remote equipment received an invalid message, and no standard cause applies. This cause is due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;99&lt;br /&gt;63&lt;br /&gt;Information element non-existent or not implemented&lt;br /&gt;Information element identifier(s) (Notes 5, 7)&lt;br /&gt;The remote equipment received a message that includes information elements, which were not recognized. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;100&lt;br /&gt;64&lt;br /&gt;Invalid information element contents&lt;br /&gt;Information element identifier(s) (Note 5)&lt;br /&gt;The remote equipment received a message that includes invalid information in the information element. This is usually due to a D-channel error.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;101&lt;br /&gt;65&lt;br /&gt;Message not compatible with call state&lt;br /&gt;Message type&lt;br /&gt;The remote equipment received an unexpected message that does not correspond to the current state of the connection. This is usually due to a D-channel error.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;102&lt;br /&gt;66&lt;br /&gt;Recovery on timer expires&lt;br /&gt;Timer number (Note 8)&lt;br /&gt;An error-handling (recovery) procedure was initiated by a timer expiry. 
This is usually a temporary problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;111&lt;br /&gt;6F&lt;br /&gt;Protocol error, unspecified&lt;br /&gt;&lt;br /&gt;An unspecified D-channel error when no other standard cause applies.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;127&lt;br /&gt;7F&lt;br /&gt;Internetworking, unspecified&lt;br /&gt;&lt;br /&gt;An event occurred, but the network does not provide causes for the action that it takes. The precise problem is unknown.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5933044406611119610?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5933044406611119610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5933044406611119610' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5933044406611119610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5933044406611119610'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/isdn-message-codes.html' title='ISDN Message Codes'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5006933988105651314</id><published>2007-09-01T09:21:00.000-07:00</published><updated>2007-09-01T09:44:34.976-07:00</updated><title type='text'>Deploying Cisco Voice over IP Solutions</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_3wK92WxSbPM/RtmTxPyho-I/AAAAAAAAABE/GKWgEtAuiBQ/s1600-h/415F9WGWRTL.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5105274126862492642" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_3wK92WxSbPM/RtmTxPyho-I/AAAAAAAAABE/GKWgEtAuiBQ/s320/415F9WGWRTL.jpg" border="0" /&gt;&lt;/a&gt; Book Description:&lt;br /&gt;============&lt;br /&gt;&lt;div&gt;&lt;br /&gt;Learn real-world voice-over-IP deployment solutions and strategies from the Cisco experts&lt;br /&gt;Deploying Cisco Voice over IP Solutions covers:&lt;br /&gt;&lt;br /&gt;Definitive guidelines on real-world VoIP deployments, the fundamentals of the latest VoIP solutions, and a look into the future of VoIP services&lt;br /&gt;&lt;br /&gt;Different techniques for engineering and properly sizing traffic-sensitive voice networks&lt;br /&gt;&lt;br /&gt;Basic concepts applicable to echo analysis, echo cancellation, and locating and eliminating echoes&lt;br /&gt;&lt;br /&gt;Various QoS features applicable to voice&lt;br /&gt;&lt;br /&gt;Detailed information on call admission control (CAC)&lt;br /&gt;&lt;br /&gt;Dial plan configuration recommendations on Cisco H.323 gateways and gatekeepers used to support large dial plans&lt;br /&gt;&lt;br /&gt;Basic tasks of designing a long-distance VoIP network&lt;br /&gt;&lt;br /&gt;The two classes of hosted voice networks: Managed Multiservice (MMS) networks and packet voice VPNs&lt;br /&gt;&lt;br /&gt;Fax services store and forward as well as real-time relay fax services&lt;br /&gt;&lt;br /&gt;Sample configurations and step-by-step examples to 
help you learn how to build a VoIP network&lt;br /&gt;&lt;br /&gt;Deploying Cisco Voice over IP Solutions provides networking professionals the knowledge,&lt;br /&gt;advice, and insight necessary to design and deploy voice over IP (VoIP) networks that meet customers' needs for scalability, services, and security. Beginning with an introduction to the important preliminary design elements that need to be considered before implementing VoIP, Deploying Cisco Voice over IP Solutions also demonstrates the basic tasks involved in designing an effective service provider-based VoIP network. You'll conclude with design and implementation guidelines for some of the more popular and widely requested VoIP services, such as prepaid services, fax services, and virtual private networks (VPNs).&lt;br /&gt;&lt;br /&gt;This book is a collaboration of Cisco Systems CCIE(r) engineers, technical marketing engineers, and systems engineers. You'll find design experience from people who have designed some of the world's largest VoIP networks.&lt;br /&gt;&lt;br /&gt;Download :&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rapidshare.com/files/12112950/1587050307.zip"&gt;http://rapidshare.com/files/12112950/1587050307.zip&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5006933988105651314?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5006933988105651314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5006933988105651314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5006933988105651314'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5006933988105651314'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/09/deploying-cisco-voice-over-ip-solutions.html' title='Deploying Cisco Voice over IP Solutions'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_3wK92WxSbPM/RtmTxPyho-I/AAAAAAAAABE/GKWgEtAuiBQ/s72-c/415F9WGWRTL.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-4053964496192596213</id><published>2007-08-18T15:44:00.000-07:00</published><updated>2007-08-18T15:46:58.089-07:00</updated><title type='text'>Hacking Exposed Cisco Networks: Cisco Security Secrets &amp; Solutions</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd2y_yho8I/AAAAAAAAAA0/1RxcsFp5Lec/s1600-h/5.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5100175721509266370" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd2y_yho8I/AAAAAAAAAA0/1RxcsFp5Lec/s320/5.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Defend against the sneakiest attacks by looking at your Cisco network and devices through the eyes of the intruder. Hacking Exposed Cisco Networks shows you, step-by-step, how hackers target exposed systems, gain access, and pilfer compromised networks. All device-specific and network-centered security issues are covered alongside real-world examples, in-depth case studies, and detailed countermeasures. 
It's all here--from switch, router, firewall, wireless, and VPN vulnerabilities to Layer 2 man-in-the-middle, VLAN jumping, BGP, DoS, and DDoS attacks. You'll prevent tomorrow's catastrophe by learning how new flaws in Cisco-centered networks are discovered and abused by cyber-criminals. Plus, you'll get undocumented Cisco commands, security evaluation templates, and vital security tools.&lt;br /&gt;Use the tried-and-true Hacking Exposed methodology to find, exploit, and plug security holes in Cisco devices and networks&lt;br /&gt;Locate vulnerable Cisco networks using Google and BGP queries, wardialing, fuzzing, host fingerprinting, and portscanning&lt;br /&gt;Abuse Cisco failover protocols, punch holes in firewalls, and break into VPN tunnels&lt;br /&gt;Use blackbox testing to uncover data input validation errors, hidden backdoors, HTTP, and SNMP vulnerabilities&lt;br /&gt;Gain network access using password and SNMP community guessing, Telnet session hijacking, and searching for open TFTP servers&lt;br /&gt;Find out how IOS exploits are written and if a Cisco router can be used as an attack platform&lt;br /&gt;Block determined DoS and DDoS attacks using Cisco proprietary safeguards, CAR, and NBAR&lt;br /&gt;Prevent secret keys cracking, sneaky data link attacks, routing protocol exploits, and malicious physical access.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;u&gt;download&lt;/u&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://rapidshare.com/files/10750450/0072259175.rar"&gt;http://rapidshare.com/files/10750450/0072259175.rar&lt;/a&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/4053964496192596213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=4053964496192596213' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4053964496192596213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4053964496192596213'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/08/hacking-exposed-cisco-networks-cisco.html' title='Hacking Exposed Cisco Networks: Cisco Security Secrets &amp; Solutions'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd2y_yho8I/AAAAAAAAAA0/1RxcsFp5Lec/s72-c/5.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-8753621130098544802</id><published>2007-08-18T15:41:00.001-07:00</published><updated>2007-08-18T15:49:22.535-07:00</updated><title type='text'>Cisco IOS Access Lists</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_3wK92WxSbPM/Rsd2Dvyho7I/AAAAAAAAAAs/M1LZqipOKCs/s1600-h/4.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5100174909760447410" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_3wK92WxSbPM/Rsd2Dvyho7I/AAAAAAAAAAs/M1LZqipOKCs/s320/4.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;u&gt;Book Description:&lt;br /&gt;&lt;/u&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Cisco routers are used widely both on the Internet and in corporate intranets. 
At the same time, the Cisco Internet Operating System (IOS) has grown to be very large and complex, and Cisco documentation fills several volumes. Cisco IOS Access Lists focuses on a critical aspect of the Cisco IOS--access lists. Access lists are central to the task of securing routers and networks, and administrators cannot implement access control policies or traffic routing policies without them. Access lists are used to specify both the targets of network policies and the policies themselves. They specify packet filtering for firewalls all over the Internet. Cisco IOS Access Lists covers three critical areas:&lt;br /&gt;Intranets. The book serves as an introduction and a reference for network engineers implementing routing policies within intranet networking.&lt;br /&gt;Firewalls. The book is a supplement and companion reference to books such as Brent Chapman's Building Internet Firewalls. Packet filtering is an integral part of many firewall architectures, and Cisco IOS Access Lists describes common packet filtering tasks and provides a "bag of tricks" for firewall implementers.&lt;br /&gt;The Internet. This book is also a guide to the complicated world of route maps. Route maps are an arcane BGP construct necessary to make high-level routing work on the Internet.&lt;br /&gt;Cisco IOS Access Lists differs from other Cisco router titles in that it focuses on practical instructions for setting router access policies. 
The details of interfaces and routing protocol settings are not discussed.&lt;br /&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;Download&lt;br /&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;a href="http://mihd.net/1uy3k5"&gt;http://mihd.net/1uy3k5&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-8753621130098544802?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/8753621130098544802/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=8753621130098544802' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8753621130098544802'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8753621130098544802'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/08/cisco-ios-access-lists.html' title='Cisco IOS Access Lists'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_3wK92WxSbPM/Rsd2Dvyho7I/AAAAAAAAAAs/M1LZqipOKCs/s72-c/4.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-2573723809232353764</id><published>2007-08-18T15:33:00.000-07:00</published><updated>2007-08-18T15:37:46.550-07:00</updated><title type='text'>Securing and Controlling Cisco Routers</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd0o_yho6I/AAAAAAAAAAk/MVZZkyhdGIc/s1600-h/2.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5100173350687318946" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd0o_yho6I/AAAAAAAAAAk/MVZZkyhdGIc/s320/2.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Securing and Controlling Cisco Routers demonstrates proven techniques for strengthening network security. The book begins with an introduction to Cisco technology and the TCP/IP protocol suite, and the subsequent chapters cover subjects such as routing, routing protocols, IP addressing, and Cisco Authentication, Authorization, and Accounting services (AAA). The text then addresses standard, extended, time-based, dynamic, and reflexive access lists, as well as context-based control and Cisco Encryption Technology. In order to practice the material taught, the reader can log on to a real router and perform the commands. 
&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Download: &lt;/div&gt;&lt;br /&gt;&lt;div&gt;http://rapidshare.com/files/9446121/Securing_and_Controlling_Cisco_Routers_KINGDWARF.zip &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-2573723809232353764?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/2573723809232353764/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=2573723809232353764' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2573723809232353764'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2573723809232353764'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/08/securing-and-controlling-cisco-routers.html' title='Securing and Controlling Cisco Routers'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_3wK92WxSbPM/Rsd0o_yho6I/AAAAAAAAAAk/MVZZkyhdGIc/s72-c/2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7021974770595164900</id><published>2007-08-18T15:19:00.000-07:00</published><updated>2007-08-18T15:24:43.276-07:00</updated><title type='text'>Managing Cisco Network Security</title><content type='html'>&lt;a 
href="http://4.bp.blogspot.com/_3wK92WxSbPM/Rsdxgfyho5I/AAAAAAAAAAc/Kt6qjMKvOIU/s1600-h/networksecurity_books.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5100169906123547538" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_3wK92WxSbPM/Rsdxgfyho5I/AAAAAAAAAAc/Kt6qjMKvOIU/s320/networksecurity_books.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;This book is intended primarily for network managers and network administrators who are responsible for implementing IP network security in a Cisco environment. However, it is also useful for people who are interested in knowing more about the security features available in Cisco products in general. The book is designed to be read from beginning to end, but each chapter can stand alone as a useful reference should you want detailed coverage of a particular topic. Readers who want a quick understanding of the information contained in the book can read Chapter 9 first. This book will give the reader a good understanding of what security solutions are available from Cisco and how to apply those solutions in real-world cases. 
These solutions will give the security managers and administrators the necessary tools and knowledge to provide the best protection for their network and data.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Download:&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://rapidshare.com/files/39575376/Managing.Cisco.Net.Sec.rar"&gt;http://rapidshare.com/files/39575376/Managing.Cisco.Net.Sec.rar&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7021974770595164900?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7021974770595164900/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7021974770595164900' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7021974770595164900'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7021974770595164900'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/08/managing-cisco-network-security.html' title='Managing Cisco Network Security'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_3wK92WxSbPM/Rsdxgfyho5I/AAAAAAAAAAc/Kt6qjMKvOIU/s72-c/networksecurity_books.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5303827245642271019</id><published>2007-06-12T13:27:00.000-07:00</published><updated>2007-06-12T14:09:03.368-07:00</updated><title type='text'>Improving Security on Cisco Routers</title><content type='html'>&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;Introduction:&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic boilerplate configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;Cisco IOS software has many security-specific features, such as packet-filtering access lists, the Cisco IOS Firewall Feature Set, TCP Intercept, AAA, and encryption. Many other features, such as packet logging and quality of service (QoS) features, can be used to increase network security against various attacks. None of these are discussed, except in passing. This is not a document about firewall configuration. 
For the most part, this is a document about how to secure the router itself, and ignores the equally important issue of the protection of other network devices.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="pass"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Password Management&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;Passwords and similar secrets, such as Simple Network Management Protocol (SNMP) community strings, are the primary defense against unauthorized access to your router. The best way to handle most passwords is to maintain them on a TACACS+ or RADIUS authentication server. However, almost every router still has a locally configured password for privileged access, and can also have other password information in its configuration file.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="enable_secret"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;enable secret&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;The enable secret command is used to set the password that grants privileged administrative access to the IOS system. An enable secret password must always be set. Use the enable secret command, not the older enable password command. The enable password command uses a weak encryption algorithm. &lt;/span&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;If no enable secret is set, and a password is configured for the console TTY line, the console password can be used to receive privileged access, even from a remote VTY session. 
This is almost certainly not what you want, and is another reason to be certain to configure an enable secret.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="service_password_encryp"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;service password-encryption (and limitations)&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;However, the algorithm used by the service password-encryption command is a simple Vigenere cipher. Any competent amateur cryptographer can easily reverse it in a few hours. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers, and should not be used for this purpose. Any Cisco configuration file that contains encrypted passwords must be treated with the same care used for a cleartext list of those same passwords.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;This weak encryption warning does not apply to passwords set with the enable secret command, but it does apply to passwords set with the enable password command.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible as far as Cisco knows. 
It is, however, subject to dictionary attacks. A dictionary attack is when a computer tries every word in a dictionary or other list of candidate passwords. Therefore, remember to keep your configuration file out of the hands of untrusted people, especially if you are not sure your passwords are well chosen.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="controlling_interactive_access"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Control Interactive Access&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Anyone who can log in to a Cisco router can display information which you probably do not want to make available to the general public. A user who can log in to the router might be able to use it as a relay for further network attacks. Anyone who can get privileged access to the router can reconfigure it. You need to control interactive logins to the router in order to prevent inappropriate access.&lt;br /&gt;Although most interactive access is disabled by default, there are exceptions. The most obvious exception is the interactive sessions that are from directly connected asynchronous terminals, such as the console terminal, and from integrated modem lines.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="console_parts"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Console Ports&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;It is important to remember that the console port of a Cisco IOS device has special privileges. In particular, if a BREAK signal is sent to the console port during the first few seconds after a reboot, the password recovery procedure can easily be used to take control of the system. 
This means that attackers who interrupt power or induce a system crash, and who have access to the console port via a hardwired terminal, a modem, a terminal server, or some other network device, can take control of the system, even if they do not have physical access to it or the ability to log in to it normally.&lt;br /&gt;Any modem or network device that gives access to the Cisco console port must be secured to a standard comparable to the security used for privileged access to the router. At a bare minimum, any console modem should be of a type that can require the dialup user to supply a password for access, and the modem password must be carefully managed.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;a name="gen_interactive"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;General Interactive Access&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;There are more ways to get interactive connections to routers than users realize. Depending on the configuration and software version, Cisco IOS software can support these connections:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;span style="color:#333300;"&gt;via Telnet&lt;br /&gt;rlogin&lt;br /&gt;SSH&lt;br /&gt;non IP-based network protocols, such as LAT, MOP, X.29, and V.120&lt;br /&gt;possibly other protocols&lt;br /&gt;via local asynchronous connections and modem dial-ins&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/strong&gt;&lt;/span&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;More protocols for interactive access are always being added. 
Interactive Telnet access is available not only on the standard Telnet TCP port (port 23), but on a variety of higher-numbered ports as well.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;All interactive access mechanisms use the IOS TTY abstraction (in other words, they all involve sessions on lines of one sort or another). Local asynchronous terminals and dialup modems use standard lines, known as TTYs. Remote network connections, regardless of the protocol, use virtual TTYs (VTYs). The best way to protect a system is to make certain that appropriate controls are applied on all lines, which includes both VTY lines and TTY lines.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Because it is difficult to make certain that all possible modes of access have been blocked, administrators should use some sort of authentication mechanism in order to make sure that logins on all lines are controlled, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;The login and no password commands can be configured in order to completely prevent interactive logins. This is the default configuration for VTYs, but not for TTYs. There are many ways to configure passwords and other forms of user authentication for TTY and VTY lines. 
Refer to the Cisco IOS software documentation for more information.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="controlling_ttys"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Control TTYs&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt; &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Local asynchronous terminals are less common than they once were, but they still exist in some installations. Unless the terminals are physically secured, and usually even if they are, the router should be configured to require users on local asynchronous terminals to log in before they use the system. Most TTY ports in modern routers are either connected to external modems, or are implemented by integrated modems. The security of these ports is obviously even more important than securing local terminal ports.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;By default, a remote user can establish a connection to a TTY line over the network. This is known as reverse Telnet. This allows the remote user to interact with the terminal or modem connected to the TTY line. It is possible to apply password protection for such connections. Often, it is desirable to allow users to make connections to modem lines, so that they can make outgoing calls. However, this feature can allow a remote user to connect to a local asynchronous terminal port, or even to a dial-in modem port, and simulate the login prompt of the router to steal passwords. 
This feature can also do other things that can trick local users or interfere with their work.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Issue the transport input none configuration command in order to disable this reverse Telnet feature on any asynchronous or modem line that should not receive connections from network users. If possible, do not use the same modems for both dial-in and dial-out, and do not allow reverse Telnet connections to the lines you use for dial-in.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="contr_vty_and_ens_vty_avail"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Control VTYs and Ensure VTY Availability&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Any VTY must be configured to accept connections only with the protocols actually needed. This is performed with the transport input command. For example, a VTY that is expected to receive only Telnet sessions is configured with the transport input telnet command, while a VTY that permits both Telnet and SSH sessions has the transport input telnet ssh command. If your software supports an encrypted access protocol such as SSH, then enable only that protocol, and disable cleartext Telnet. Also, issue the ip access-class command in order to restrict the IP addresses from which the VTY accepts connections.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;A Cisco IOS device has a limited number, usually five, of VTY lines. When all of the VTYs are in use, no more remote interactive connections can be established. This creates the opportunity for a denial-of-service attack. 
If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator might not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;One way to reduce this exposure is to configure a more restrictive ip access-class command on the last VTY in the system than on the other VTYs. The last VTY, usually VTY 4, can be restricted to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Another useful tactic is to issue the exec-timeout command in order to configure VTY timeouts. This prevents an idle session from consuming a VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it also provides some protection against sessions accidentally left idle. Similarly, if you enable TCP keepalives on incoming connections with the service tcp-keepalives-in command, this can help to guard against both malicious attacks and orphaned sessions caused by remote system crashes.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;You can disable all non IP-based remote access protocols and use IPSec encryption for all remote interactive connections to the router in order to provide complete VTY protection. 
IPSec is an extra-cost option, and its configuration is beyond the scope of this document.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="warning"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Warning Banners&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;In some jurisdictions, civil and criminal prosecution of crackers who break into your systems is made much easier if you provide a banner that informs unauthorized users that their use is unauthorized. In other jurisdictions, you can be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent. One method to provide this notification is to put it into a banner message configured with the Cisco IOS banner login command.&lt;br /&gt;Legal notification requirements are complex, and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. 
In cooperation with counsel, you must consider what information is put into your banner:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;A notice that the system is to be logged in to or used only by specifically authorized personnel, and perhaps information about who can authorize use.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;A notice that any unauthorized use of the system is unlawful, and can be subject to civil and/or criminal penalties.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;A notice that any use of the system can be logged or monitored without further notice, and that the resulting logs can be used as evidence in court.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;Specific notices required by specific local laws.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/span&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;From a security, rather than a legal, point of view, your login banner must not contain any specific information about your router, its name, its model, what software it runs, or who owns it. This information can be abused by crackers.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="con_cfg_mgt"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Commonly Configured Management Services&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Many users use protocols other than interactive remote login in order to manage their networks. 
The most common protocols for this purpose are SNMP and HTTP.&lt;br /&gt;Neither of these protocols is enabled by default, and, as for any other service, the most secure option is to not enable them at all. However, if they are enabled, they must be secured as described in this section.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="snmp"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;SNMP&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt; &lt;/strong&gt;&lt;br /&gt;SNMP is very widely used for router monitoring, and frequently for router configuration changes. Unfortunately, version 1 of the SNMP protocol, which is the most commonly used, uses a very weak authentication scheme based on a community string. This amounts to a fixed password transmitted over the network without encryption. If possible, use SNMP version 2, which supports an MD5-based digest authentication scheme and allows for restricted access to various management data.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If you must use SNMP version 1, choose inobvious community strings. Do not choose, for example, "public" or "private". If possible, avoid the use of the same community strings for all network devices. Use a different string or strings for each device, or at least for each area of the network. Do not make a read-only string the same as a read-write string. If possible, periodic SNMP version 1 polling should be done with a read-only community string. 
Read-write strings should be used only for actual write operations.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;SNMP version 1 is not suited to use across the public Internet for these reasons:&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;It uses cleartext authentication strings.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;Most SNMP implementations send those strings repeatedly as part of periodic polling.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;It is an easily spoofable, datagram-based transaction protocol. &lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;You must carefully consider the implications before you use it that way.&lt;br /&gt;In most networks, legitimate SNMP messages come only from certain management stations. If this is true in your network, you should probably use the access list number option on the snmp-server community command in order to restrict SNMP version 1 access to only the IP addresses of the management stations. Do not use the snmp-server community command for any purpose in a pure SNMP version 2 environment. This command implicitly enables SNMP version&lt;br /&gt;For SNMP version 2, configure digest authentication with the authentication and md5 keywords of the snmp-server party configuration command. If possible, use a different MD5 secret value for each router.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;SNMP management stations often have large databases of authentication information, such as community strings. This information can provide access to many routers and other network devices. 
This concentration of information makes the SNMP management station a natural target for attack, and it must be secured accordingly.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="http"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;HTTP&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Most recent Cisco IOS software versions use the World Wide Web HTTP protocol in order to support remote configuration and monitoring. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network. Unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If you choose to use HTTP for management, issue the ip http access-class command in order to restrict access to appropriate IP addresses. Also, issue the ip http authentication command in order to configure authentication. As with interactive logins, the best choice for HTTP authentication is to use a TACACS+ or RADIUS server. Avoid the use of the enable password as an HTTP password.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="mgt_interactive"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Management and Interactive Access via the Internet (and Other Untrusted Networks)&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Many users manage their routers remotely, and sometimes this is done over the Internet. 
Any unencrypted remote access carries some risk, but access over a public network such as the Internet is especially dangerous. All remote management schemes, which include interactive access, HTTP, and SNMP, are vulnerable.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;The attacks discussed in this section are relatively sophisticated ones, but they are not out of the reach of crackers today. These attacks can often be thwarted if the public network providers involved have taken proper security measures. You need to evaluate your level of trust in the security measures used by all the providers that carry your management traffic. Even if you trust your providers, you should take at least some steps to protect yourself from the results of any mistakes that might occur.&lt;br /&gt;All the cautions here apply as much to hosts as to routers. This document discusses the protection of router login sessions, but you should use analogous mechanisms to protect your hosts if you administer those hosts remotely.&lt;br /&gt;Remote Internet administration is useful, but requires careful attention to security.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;a name="sniffer"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Packet Sniffers&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Crackers frequently break into computers owned by Internet service providers (ISPs), or into computers on other large networks, and install packet sniffer programs. These programs monitor the traffic that passes through the network and steal data, such as passwords and SNMP community strings. Although this has become more difficult as network operators improve their security, it is still relatively common. 
In addition to the risk from outside crackers, it is not unheard of for rogue ISP personnel to install sniffers. Any password sent over an unencrypted channel is at risk. This includes the login and enable passwords for your routers.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If possible, avoid logging in to your router with any unencrypted protocol over any untrusted network. If your router software supports it, use an encrypted login protocol such as SSH or Kerberized Telnet. Another possibility is to use IPSec encryption for all router management traffic, which includes Telnet, SNMP, and HTTP. All of these encryption features are subject to certain export restrictions imposed by the United States Government, and are special-order, extra-cost items on Cisco routers.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If you do not have access to an encrypted remote access protocol, another possibility is to use a one-time password system such as S/KEY or OPIE, together with a TACACS+ or RADIUS server. This controls both interactive logins and privileged access to your router. The advantage here is that a stolen password is of no use, because it is made invalid by the very session in which it is stolen. 
Non-password data transmitted in the session remains available to eavesdroppers, but many sniffer programs are set up to concentrate on passwords.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If you absolutely must send passwords over cleartext Telnet sessions, change your passwords frequently, and pay close attention to the path traversed by your sessions.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="other_internet"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Other Internet Access Dangers&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;In addition to packet sniffers, remote Internet management of routers presents these security risks:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;1. In order to manage a router over the Internet, you must permit at least some Internet hosts to have access to the router. It is possible that these hosts can be compromised, or that their addresses can be spoofed. By permitting interactive access from the Internet, you make your security dependent not only on your own anti-spoofing measures, but on those of the service providers involved. &lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:courier new;"&gt;&lt;p&gt;&lt;span style="color:#333300;"&gt;2. To reduce these dangers, make sure that all the hosts that are permitted to log into your router are under your own control. Also, use encrypted login protocols with strong authentication.&lt;br /&gt;It is sometimes possible to hijack an unencrypted TCP connection (such as a Telnet session), and actually take control away from a user who is logged in. 
Although such hijack attacks are not as common as simple packet sniffing and can be complex to mount, these attacks are possible, and might be used by an attacker who has your network specifically in mind as a target. The only real solution to the problem of session hijack is to use a strongly authenticated encrypted management protocol.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="color:#333300;"&gt;3. Denial of service attacks are relatively common on the Internet. If your network is subjected to a denial of service attack, you might not be able to reach your router to collect information or take defensive action. Even an attack on someone else's network can impair your management access to your own network. Although you can take steps to make your network more resistant to denial of service attacks, the only real defense against this risk is to have a separate, out-of-band management channel, such as a dialup modem, for use in emergencies.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="logging"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Logging&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:#333300;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Cisco routers can record information about a variety of events, many of which have security significance. Logs can be invaluable to characterize and respond to security incidents. 
These are the main types of logging used by Cisco routers:&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;AAA logging&lt;/strong&gt;—Collects information about user dial-in connections, &lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;logins, logouts, HTTP accesses, privilege level changes, commands executed, and similar events. AAA log entries are sent to authentication servers that use the TACACS+ and/or RADIUS protocols, and are recorded locally by those servers, typically in disk files. If you use a TACACS+ or RADIUS server, you can enable AAA logging of various sorts. Issue AAA configuration commands, such as aaa accounting, in order to enable this. A detailed description of AAA configuration is beyond the scope of this document.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;strong&gt;&lt;/strong&gt;&lt;p&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;SNMP trap logging&lt;/strong&gt;—Sends notifications of significant changes in system status to SNMP management stations. Use SNMP traps only if you have an SNMP management infrastructure that already exists.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;strong&gt;&lt;/strong&gt;&lt;p&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;System logging&lt;/strong&gt;—Records a large variety of events, depending on the system configuration. 
System logging events can be reported to a variety of destinations, which include these:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;1. The system console port (logging console).&lt;br /&gt;2. Servers that use the UNIX syslog protocol (logging ip-address, logging trap).&lt;br /&gt;3. Remote sessions on VTYs and local sessions on TTYs (logging monitor, terminal monitor).&lt;br /&gt;4. A local logging buffer in router RAM (logging buffered).&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;From a security point of view, the most important events usually recorded by system logging are interface status changes, changes to the system configuration, access list matches, and events detected by the optional firewall and intrusion detection features.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Each system logging event is tagged with an urgency level. The levels range from debugging information (at the lowest urgency), to major system emergencies. Each logging destination can be configured with a threshold urgency, and receives logging events only at or above that threshold.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="save_log"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Save Log Information&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;By default, system logging information is sent only to the asynchronous console port. 
Because many console ports are unmonitored, or are connected to terminals without historical memory and with relatively small displays, this information might not be available when it is needed, especially when a problem is debugged over the network.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Almost every router must save system logging information to a local RAM buffer. The logging buffer is of a fixed size, and retains only the newest information. The contents of the buffer are lost whenever the router is reloaded. Even so, a moderately-sized logging buffer is often of great value. On low-end routers, a reasonable buffer size might be 16384 or 32768 bytes. On high-end routers with lots of memory (and many logged events), even 262144 bytes might be appropriate. You can issue the show memory command to make sure that your router has enough free memory to support a logging buffer. Issue the logging buffered buffer-size configuration command in order to create the buffer.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Most larger installations have syslog servers. You can send logging information to a server with the logging server-ip-address command, and you can control the urgency threshold for logging to the server with the logging trap urgency command. 
Even if you have a syslog server, you should still enable local logging.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If your router has a real-time clock or runs NTP, issue the service timestamps log datetime msec command in order to time-stamp log entries.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="rec_acc"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Record Access List Violations&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;If you use access lists to filter traffic, you might want to log packets that violate your filtering criteria. Earlier Cisco IOS software versions use the log keyword in order to support logging. This causes logging of the IP addresses and port numbers associated with packets that match an access list entry. Later versions provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;It is not a good idea to configure logging for access list entries that match very large numbers of packets. This causes log files to grow excessively large, and can cut into system performance. 
However, access list log messages are rate-limited, so the impact is not catastrophic.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Access list logging can also be used to log the suspect traffic in order to characterize traffic associated with network attacks.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="sec_ip"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Secure IP Routing&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;This section discusses some basic security measures related to the way in which the router forwards IP packets.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;a name="anti_spoofing"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Anti-Spoofing&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Anti-spoofing must be done at every point in the network where it is practical. It is usually both easiest and most effective at the borders between large address blocks, or between domains of network administration. 
It is usually impractical to perform anti-spoofing on every router in a network, because it is difficult to determine which source addresses might legitimately appear on any given interface.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;If you are an ISP, you might find that effective anti-spoofing, along with other effective security measures, causes expensive, annoyed problem subscribers to take their business to other providers. ISPs must apply anti-spoofing controls at dialup pools and other end-user connection points (refer to &lt;/span&gt;&lt;a href="http://www.ietf.org/rfc/rfc2267.txt?number=2267" target="_blank"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;RFC 2267&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;color:#333300;"&gt; ).&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Administrators of corporate firewalls or perimeter routers sometimes install anti-spoofing measures to prevent hosts on the Internet from assuming the addresses of internal hosts, but do not take steps to prevent internal hosts from assuming the addresses of hosts on the Internet. Try to prevent spoofing in both directions. There are at least three good reasons to perform anti-spoofing in both directions at an organizational firewall:&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;1. Internal users are less tempted to launch network attacks and less likely to succeed if they do try.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;2. Accidentally misconfigured internal hosts are less likely to cause trouble for remote sites. 
Therefore, these are less likely to generate angry telephone calls or damage the reputation of your organization.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;3. Outside crackers often break into networks as launching pads for further attacks. These crackers might be less interested in a network with outgoing spoofing protection.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="anti_spoofing_w_acc"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Anti-Spoofing with Access Lists&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Unfortunately, it is not practical to give a simple list of commands that provide appropriate spoofing protection. The access list configuration depends too much on the individual network. The basic goal is to discard packets that arrive on interfaces that are not viable paths from the supposed source addresses of those packets. For example, on a two-interface router that connects a corporate network to the Internet, any datagram that arrives on the Internet interface, but whose source address field claims that it came from a machine on the corporate network, should be discarded.&lt;br /&gt;Similarly, any datagram that arrives on the interface connected to the corporate network, but whose source address field claims that it came from a machine outside the corporate network, should be discarded. 
If CPU resources allow it, anti-spoofing should be applied on any interface where it is feasible to determine what traffic can legitimately arrive.&lt;br /&gt;ISPs that carry transit traffic can have limited opportunities to configure anti-spoofing access lists, but such an ISP can usually at least filter outside traffic that claims to originate within the address space of the ISP.&lt;br /&gt;In general, anti-spoofing filters must be built with input access lists. This means that packets must be filtered at the interfaces through which they arrive at the router, not at the interfaces through which they leave the router. This is configured with the ip access-group list in interface configuration command. You can use output access lists in some two-port configurations in order to anti-spoof, but input lists are usually easier to understand even in those cases. Furthermore, an input list protects the router itself from spoofing attacks, whereas an output list protects only devices behind the router.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;When anti-spoofing access lists exist, they should always reject datagrams with broadcast or multicast source addresses, and datagrams with the reserved loopback address as a source address. It is usually appropriate for an anti-spoofing access list to filter out all ICMP redirects, regardless of source or destination address. 
These are the appropriate commands:&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;access-list number deny icmp any any redirect&lt;br /&gt;access-list number deny ip 127.0.0.0 0.255.255.255 any&lt;br /&gt;access-list number deny ip 224.0.0.0 31.255.255.255 any&lt;br /&gt;access-list number deny ip host 0.0.0.0 any&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;The fourth command filters out packets from many BOOTP/DHCP clients. Therefore, it is not appropriate in all environments.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="path_integrity"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Path Integrity&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Many attacks depend on the ability to influence the paths datagrams take through the network. If they control routing, crackers can spoof the address of another user machine and have the return traffic sent to them, or they can intercept and read data intended for someone else. Routing can also be disrupted purely for denial of service purposes.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="ip_source_routing"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;IP Source Routing&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram takes toward its ultimate destination, and generally the route that any reply takes. 
These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it is possible to send them datagrams with source routing options in order to crash machines that run these implementations.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;A Cisco router with the no ip source-route command set never forwards an IP packet which carries a source routing option. You should use this command, unless your network needs source routing.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="icmp_redirects"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;ICMP Redirects&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;An ICMP redirect message instructs an end node to use a specific router as its path to a particular destination. In an IP network that functions properly, a router sends redirects only to hosts on its own local subnets. No end node ever sends a redirect, and no redirect ever traverses more than one network hop. However, an attacker can violate these rules. Some attacks are based on this. Filter out incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains. Also, &lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;it is not unreasonable for any access list that is applied on the input side of a Cisco router interface to filter out all ICMP redirects. This causes no operational impact in a correctly configured network.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;This filter prevents only redirect attacks launched by remote attackers. 
It is still possible for attackers to cause significant trouble using redirects if their host is directly connected to the same segment as a host that is under attack.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;p align="left"&gt;&lt;a name="routing_protocol"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Routing Protocol Filter and Authentication&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;If you use a dynamic routing protocol that supports authentication, enable that authentication. This prevents malicious attacks on the routing infrastructure, and can also help to prevent damage caused by misconfigured rogue devices on the network.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;For the same reasons, service providers and other operators of large networks are generally well advised to use route filtering (with the distribute-list in command) to prevent their routers from accepting clearly incorrect routing information. Although excessive use of route filtering can destroy the advantages of dynamic routing, judicious use often helps to prevent unpleasant results. For example, if you use a dynamic routing protocol to communicate with a stub customer network, you should not accept any routes from that customer other than routes to the address space you have actually delegated to the customer.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Detailed instruction on how to configure routing authentication and route filtering is beyond the scope of this document. Documentation is available on the Cisco website and elsewhere. 
Because of the complexity involved, novices are advised to seek experienced advice before configuring these features on important networks.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="flood_mgt"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Flood Management&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Many denial of service attacks rely on floods of useless packets. These floods congest network links, slow down hosts, and can overload routers as well. Careful router configuration can reduce the impact of such floods.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;An important part of flood management is to be aware of where performance bottlenecks lie. If a flood overloads a T1 line, then filtering out the flood on the router at the source end of the line is effective, whereas filtering at the destination end has little or no effect. If the router itself is the most overloaded network component, then filtering protections that place heavy demands on the router can make matters worse. 
Keep this in mind when you consider the implementation of the suggestions in this section.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="router_self_protect"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Router Self-Protection&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Before a router can protect other parts of the network from the effects of floods, the router itself must be protected from overload.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:courier new;"&gt;&lt;p align="left"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;a name="switching_modes_and_cisco_express_fwd"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Switching Modes and Cisco Express Forwarding&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;The CEF switching mode, available in Cisco IOS Software Releases 11.1CC, 11.1CT, 11.2GS, and 12.0, replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts to arrive for new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Although most flooding denial of service attacks send all of their traffic to one or a few targets and do not tax the traditional cache maintenance algorithm, many popular SYN flooding attacks use randomized source addresses. The host under attack replies to some fraction of the SYN flood packets, which creates traffic for a large number of destinations. 
Therefore, routers configured for CEF perform better under SYN floods (directed at hosts, not at the routers themselves) than routers that use the traditional cache. CEF is recommended when available.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="scheduler_cfg"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Scheduler Configuration&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so much time in response to interrupts from the network interfaces that no other work is done. Some very fast packet floods can cause this condition. Issue the scheduler interval command, which instructs the router to stop handling interrupts and attend to other business at regular intervals, in order to reduce the effect. A typical configuration might include the scheduler interval 500 command, which indicates that process-level tasks are to be handled no less frequently than every 500 milliseconds. This command rarely has any negative effects, and should be a part of your standard router configuration unless you know of a specific reason to leave it out.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;Many newer Cisco platforms use the scheduler allocate command instead of the scheduler interval command. The scheduler allocate command takes two parameters: a period in microseconds for the system to run with interrupts enabled, and a period in microseconds for the system to run with interrupts masked. If your system does not recognize the scheduler interval 500 command, issue the scheduler allocate 3000 1000 command. These values were chosen to represent the midpoints of the ranges. 
The range for the first value is 400 to 60000, and the range for the second value is 100 to 4000. These parameters can be tuned.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="color:#333300;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="finger"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Finger&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Cisco routers provide an implementation of the finger service, which is used to find out which users are logged into a network device. Although this information is not usually sensitive, it is sometimes useful to an attacker. The finger service can be disabled with the no service finger command.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="ntp"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;NTP&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;The Network Time Protocol (NTP) is not especially dangerous, but any unneeded service can represent a path for penetration. If NTP is actually used, it is important to explicitly configure a trusted time source, and to use proper authentication. This is because the corruption of the time base is a good way to subvert certain security protocols. 
If NTP is not used on a particular router interface, it can be disabled with the ntp disable interface command.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="cdp"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;CDP&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Cisco Discovery Protocol (CDP) is used for some network management functions, but is dangerous because it allows any system on a directly-connected segment to learn that the router is a Cisco device, and to determine the model number and the Cisco IOS software version that is run. This information can be used to design attacks against the router. CDP information is accessible only to directly-connected systems. The CDP protocol can be disabled with the no cdp running global configuration command. CDP can be disabled on a particular interface with the no cdp enable command.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;a name="up_to_date"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;strong&gt;Stay Up To Date&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="color:#333300;"&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Like all software, Cisco IOS software has bugs. Some of these bugs have security implications. 
In addition, new attacks are always invented, and behavior that might have been considered correct when a piece of software was written can have bad effects when deliberately exploited.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p align="left"&gt;&lt;span style="font-family:courier new;color:#333300;"&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5303827245642271019?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5303827245642271019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5303827245642271019' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5303827245642271019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5303827245642271019'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/improving-security-on-cisco-routers_12.html' title='Improving Security on Cisco Routers'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-3193161344795997585</id><published>2007-06-12T13:20:00.000-07:00</published><updated>2007-06-12T13:24:45.807-07:00</updated><title type='text'>Router Security</title><content type='html'>&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;It's incomprehensible that many routers -- 
the most critical element of any network -- still lack the physical and logical controls to prevent miscreants from easily owning them. Yet, routers continue to use default access passwords, such as the device vendor's name or some other easily guessable code. Imagine buying a Ford Explorer and configuring the nifty keyless entry code to 3673. It's easy to remember, but it's also the first combination a car thief will try. Why? That numeric code maps to "F-O-R-D" on a telephone keypad.&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;The key to securing the core routing infrastructure is access control. At a minimum, the following controls should be deployed:&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;Limit physical access to routers to authorized personnel.&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;&lt;/span&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;Use encrypted access, such as SSH, to communicate with routers.&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;If there's a reason to use unencrypted access, such as Telnet, limit the access to specific trusted hosts. If possible, authentication should be based on a one-time password scheme. 
&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;Have a generic login prompt with no information pertaining to system type or vendor name so a potential attacker won't easily be able to exploit a known vulnerability against a specific operating system or vendor.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;Log all activity, such as configuration changes and image upgrades, to help detect illegal activity.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="justify"&gt;&lt;span style="font-family:courier new;"&gt;Disable HTTP and SNMP access if they aren't used&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-3193161344795997585?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/3193161344795997585/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=3193161344795997585' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3193161344795997585'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3193161344795997585'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/router-security.html' title='Router Security'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-27076590181127793</id><published>2007-06-12T13:09:00.000-07:00</published><updated>2007-06-12T13:15:23.893-07:00</updated><title type='text'>Cisco Practice Tools download</title><content type='html'>Practice for the CCNA exam by using a router simulator&lt;br /&gt;&lt;br /&gt;Download Now:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.download.com/Sem-Sim-Cisco-CCNA-Exam-Router-Simulator/3000-2051_4-10219362.html"&gt;http://www.download.com/Sem-Sim-Cisco-CCNA-Exam-Router-Simulator/3000-2051_4-10219362.html&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;Cisco Practice Tests from Boson 5.0&lt;br /&gt;&lt;br /&gt;Download Now:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.download.com/Cisco-Practice-Tests-from-Boson/3000-2051_4-7705228.html?tag=lst-0-2"&gt;http://www.download.com/Cisco-Practice-Tests-from-Boson/3000-2051_4-7705228.html?tag=lst-0-2&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Cisco CDP Monitor 3.01&lt;br /&gt;&lt;br /&gt;Download now:&lt;br /&gt;&lt;a href="http://www.download.com/Cisco-CDP-Monitor/3000-2085_4-10587259.html?tag=lst-0-6"&gt;http://www.download.com/Cisco-CDP-Monitor/3000-2085_4-10587259.html?tag=lst-0-6&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;PrepLogic Practice Exam Cisco CCNA (640-801) 3.1.11&lt;br /&gt;&lt;br /&gt;Download now:&lt;br /&gt;&lt;a href="http://www.download.com/PrepLogic-Practice-Exam-Cisco-CCNA-640-801-/3000-2051_4-10483274.html"&gt;http://www.download.com/PrepLogic-Practice-Exam-Cisco-CCNA-640-801-/3000-2051_4-10483274.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-27076590181127793?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/27076590181127793/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=27076590181127793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/27076590181127793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/27076590181127793'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/sem-sim-cisco-ccna-exam-router.html' title='Cisco Practice Tools download'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7949279126334833708</id><published>2007-06-12T12:22:00.001-07:00</published><updated>2007-06-12T13:04:22.449-07:00</updated><title type='text'>Boson NetSim for CCNP 6.0</title><content type='html'>&lt;span style="font-family:courier new;"&gt;Description:&lt;br /&gt;&lt;br /&gt;The Boson NetSim emulates both switching bridge tables and routing protocol tables to allow you to go OUTSIDE the labs.&lt;br /&gt;&lt;br /&gt;Download:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://rapidshare.com/files/26557869/BosonCCNPv6.0Beta3b.rar"&gt;http://rapidshare.com/files/26557869/BosonCCNPv6.0Beta3b.rar&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7949279126334833708?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7949279126334833708/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7949279126334833708' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7949279126334833708'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7949279126334833708'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/boson-netsim-for-ccnp-60.html' title='Boson NetSim for CCNP 6.0'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-3873122136102264577</id><published>2007-06-12T12:07:00.000-07:00</published><updated>2007-06-12T12:16:27.005-07:00</updated><title type='text'>Cisco Voice Gateways and Gatekeeper</title><content type='html'>&lt;div align="justify"&gt;Cisco Voice Gateways and Gatekeepers provides detailed solutions to real-world problems encountered when implementing a VoIP network. This practical guide helps you understand Cisco gateways and gatekeepers and configure them properly. Gateway selection, design issues, feature configuration, and security and high-availability issues are all covered in depth. The abundant examples, screen shots, configuration snips, and case studies make this a truly practical and useful guide for anyone interested in the proper implementation of gateways and gatekeepers in a VoIP network. 
Emphasis is placed on the accepted best practices and common issues encountered in real-world deployments.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rapidshare.com/files/9838517/Cisco.Voice.Gateways.and.Gatekeepers.rar" target="_blank"&gt;Download&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://rapidshare.com/files/9838517/Cisco.Voice.Gateways.and.Gatekeepers.rar"&gt;http://rapidshare.com/files/9838517/Cisco.Voice.Gateways.and.Gatekeepers.rar&lt;/a&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-3873122136102264577?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/3873122136102264577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=3873122136102264577' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3873122136102264577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3873122136102264577'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cisco-voice-gateways-and-gatekeeper.html' title='Cisco Voice Gateways and Gatekeeper'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-2572263213506491838</id><published>2007-06-12T11:52:00.000-07:00</published><updated>2007-06-12T12:03:27.466-07:00</updated><title type='text'>Download Free Cisco 
Books</title><content type='html'>Cisco Press - Penetration Testing and Network Defense&lt;br /&gt;&lt;br /&gt;download&lt;br /&gt;&lt;a href="http://austin.youareinferior.net/books/Cisco%20Press%20-%20Penetration%20Testing%20and%20Network%20Defense.chm"&gt;http://austin.youareinferior.net/books/Cisco%20Press%20-%20Penetration%20Testing%20and%20Network%20Defense.chm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-2572263213506491838?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/2572263213506491838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=2572263213506491838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2572263213506491838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2572263213506491838'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/download-free-cisco-books.html' title='Download Free Cisco Books'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-4142709172824256554</id><published>2007-06-12T11:29:00.001-07:00</published><updated>2007-06-12T11:52:32.929-07:00</updated><title type='text'>The Complete Cisco VPN Configuration Guide (Networking Technology)</title><content type='html'>&lt;a 
href="http://4.bp.blogspot.com/_3wK92WxSbPM/Rm7rQuMZqkI/AAAAAAAAAAU/sjng5_fm7UU/s1600-h/41P59GM2S7L.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5075252502603606594" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_3wK92WxSbPM/Rm7rQuMZqkI/AAAAAAAAAAU/sjng5_fm7UU/s200/41P59GM2S7L.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:Courier New;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;span style="font-family:Courier New;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:courier new;"&gt;&lt;strong&gt;The Complete Cisco VPN Configuration Guide (Networking Technology) &lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;With increased use of Internet connectivity and less reliance on private WAN networks, virtual private networks (VPNs) provide a much-needed secure method of transferring critical information. As Cisco Systems® integrates security and access features into routers, firewalls, clients, and concentrators, its solutions become ever more accessible to companies with networks of all sizes. The Complete Cisco VPN Configuration Guide contains detailed explanations of all Cisco® VPN products, describing how to set up IPsec and Secure Sockets Layer (SSL) connections on any type of Cisco device, including concentrators, clients, routers, or Cisco PIX® and Cisco ASA security appliances. With copious configuration examples and troubleshooting scenarios, it offers clear information on VPN implementation designs.&lt;br /&gt;Part I, “VPNs,” introduces the topic of VPNs and discusses today’s main technologies, including IPsec. It also spends an entire chapter on SSL VPNs, the newest VPN technology and one that Cisco has placed particular emphasis on since 2003. 
Part II, “Concentrators,” provides detail on today’s concentrator products and covers site-to-site and remote-access connection types with attention on IPsec and WebVPN. Part III covers the Cisco VPN Client versions 3.x and 4.x along with the Cisco3002 Hardware Client. Cisco IOS® routers are the topic of Part IV, covering scalable VPNs with Dynamic Multipoint VPN, router certificate authorities, and router remote access solutions. Part V explains Cisco PIX and Cisco ASA security appliances and their roles in VPN connectivity, including remote access and site-to-site connections. In Part VI, a case study shows how a VPN solution is best implemented in the real world using a variety of Cisco VPN products in a sample network.&lt;br /&gt;This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.&lt;br /&gt;&lt;br /&gt;Download&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-family:courier new;"&gt;&lt;a href="http://rapidshare.com/files/3788359/1587052040.zip"&gt;http://rapidshare.com/files/3788359/1587052040.zip&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-4142709172824256554?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/4142709172824256554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=4142709172824256554' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4142709172824256554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/4142709172824256554'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/complete-cisco-vpn-configuration-guide.html' title='The Complete Cisco VPN Configuration Guide (Networking Technology)'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_3wK92WxSbPM/Rm7rQuMZqkI/AAAAAAAAAAU/sjng5_fm7UU/s72-c/41P59GM2S7L.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-2962381230736999224</id><published>2007-06-12T11:14:00.000-07:00</published><updated>2007-06-12T11:26:13.824-07:00</updated><title type='text'>Cables and Connectors</title><content type='html'>Ethernet interface specifications&lt;br /&gt;&lt;br /&gt;The base unit of a MAX has an Ethernet interface that supports the physical specifications of IEEE 802.3 and IEEE 802.14 with Ethernet 2 (Ethernet/DIX) framing. It provides a single Ethernet interface that auto-senses the Ethernet type to which it is connected. 
The following types are supported:&lt;br /&gt;&lt;br /&gt;10Base-T (Unshielded Twisted Pair): Twisted pair Ethernet and IEEE 802.3 (10Base-T) with an RJ-45 connector, labeled LAN UTP.&lt;br /&gt;100 Base-T: 100 Mbits/s Baseband Modulation on Twisted Pair&lt;br /&gt;The Ethernet address used to identify the Ethernet interface resides in the MAX unit's motherboard.&lt;br /&gt;&lt;br /&gt;Required equipment&lt;br /&gt;To install the Ethernet interface, you must have either of the equipment described in the sections below.&lt;br /&gt;10Base-T You need a twisted-pair Ethernet cable and a dual twisted-pair cable terminated with RJ-45 modular jacks.&lt;br /&gt;Use an EIA/TIA 568 or IEEE 802.3 10Base-T cable. &lt;br /&gt;&lt;br /&gt;100Base-T You need a twisted-pair Ethernet cable and a dual twisted-pair cable terminated with RJ-45 modular jacks.&lt;br /&gt;Use one of the following cables:100BASE-T2, 100BASE-T4 (not very popular), 100BASE-TX, or 100BASE-FX.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-2962381230736999224?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/2962381230736999224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=2962381230736999224' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2962381230736999224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2962381230736999224'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cables-and-connectors.html' title='Cables and 
Connectors'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-1801747636559131665</id><published>2007-06-12T10:28:00.000-07:00</published><updated>2007-06-12T10:31:57.913-07:00</updated><title type='text'>Improving Security on Cisco Routers</title><content type='html'>&lt;div align="justify"&gt;&lt;span style="font-size:85%;color:#333333;"&gt;This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic boilerplate configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-size:85%;color:#333333;"&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-size:85%;color:#333333;"&gt;For more details see&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-size:85%;color:#333333;"&gt;&lt;a href="http://www.cisco.com/warp/public/707/21.html"&gt;http://www.cisco.com/warp/public/707/21.html&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-1801747636559131665?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/1801747636559131665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=1801747636559131665' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/1801747636559131665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/1801747636559131665'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/improving-security-on-cisco-routers.html' title='Improving Security on Cisco Routers'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7269310759135878259</id><published>2007-06-12T10:18:00.000-07:00</published><updated>2007-06-12T10:22:26.227-07:00</updated><title type='text'>Cisco Router Configuration Backups</title><content type='html'>&lt;div align="justify"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Cisco router products allow using TFTP ("Trivial File Transfer Protocol") on a network server to read and write configuration files. Whenever a router configuration is changed, it is important to save the configuration file on the Linux server so that a backup is maintained.&lt;br /&gt;Red Hat disables the TFTP service by default, because it can be a real security hole if not configured properly. The TFTP daemon allows anyone to read and write files without performing authentication. 
The way I personally set things up is to create a ``/tftpboot/'' directory, owned by root, and then modify the existing configuration line in the ``/etc/inetd.conf'' file to specify the file location:&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;div align="justify"&gt;&lt;br /&gt;tftpd dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;Adding the ``/tftpboot'' path at the end of the above line specifically indicates where the TFTP daemon is allowed to access files. Although you can actually leave this part out and allow TFTP to access files anywhere on your system, as TFTP is considered somewhat of a security risk, this would probably be a very bad idea.&lt;br /&gt;Once you have enabled the TFTP service, don't forget to type:&lt;/div&gt;&lt;div align="justify"&gt;&lt;br /&gt;&lt;strong&gt;killall -HUP inetd&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div align="justify"&gt;&lt;br /&gt;The above command restarts the INETD daemon to recognize whatever changes you have made to the inetd.conf file.&lt;br /&gt;Creating a backup of a router configuration file involves a 3-step process: setting permissions on an existing file (or creating a new one) to allow writes, writing the backup file, and then resetting permissions to restrict access to the file. 
&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;strong&gt;An example router backup session follows&lt;/strong&gt;:&lt;br /&gt;mail:~# cd /tftpboot&lt;br /&gt;mail:/tftpboot# chmod a+w xyzrouter-confg&lt;br /&gt;chmod: xyzrouter-confg: No such file or directory&lt;br /&gt;mail:/tftpboot# touch xyzrouter-confg&lt;br /&gt;mail:/tftpboot# chmod a+w xyzrouter-confg&lt;br /&gt;mail:/tftpboot# telnet xyzrouter&lt;br /&gt;Escape character is '^]'.&lt;br /&gt;User Access Verification&lt;br /&gt;Password: ****&lt;br /&gt;xyzrouter&gt; enable&lt;br /&gt;Password: ****&lt;br /&gt;xyzrouter# write network&lt;br /&gt;Remote host []? 123.12.41.41&lt;br /&gt;Name of configuration file to write [xyzrouter-confg]?&lt;br /&gt;Write file xyzrouter-confg on host 123.12.41.41? [confirm]&lt;br /&gt;Building configuration...&lt;br /&gt;Writing xyzrouter-confg !! [OK]&lt;br /&gt;xyzrouter# exit&lt;br /&gt;Connection closed by foreign host.&lt;br /&gt;mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg&lt;br /&gt;mail:/tftpboot# exit&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;In case of router failure (caused, for example, by a power surge during a lightning storm), these backup files can be helpful to reload the router configuration. Again, restoring from a configuration file involves a 3-step process: setting permissions on the existing file, loading the file, and then resetting permissions to restrict access to the file. An example router restoration session follows.&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;mail:~# cd /tftpboot&lt;br /&gt;mail:/tftpboot# chmod a+r xyzrouter-confg&lt;br /&gt;mail:/tftpboot# telnet xyzrouter&lt;br /&gt;Escape character is '^]'.&lt;br /&gt;User Access Verification&lt;br /&gt;Password: ****&lt;br /&gt;xyzrouter&gt; enable&lt;br /&gt;Password: ****&lt;br /&gt;xyzrouter# config network&lt;br /&gt;Host or network configuration file [host]?&lt;br /&gt;Address of remote host [255.255.255.255]? 
123.12.41.41&lt;br /&gt;Name of configuration file [xyzrouter-confg]?&lt;br /&gt;Configure using loyola-confg from 123.12.41.41? [confirm]&lt;br /&gt;Loading xyzrouter-confg from 123.12.41.41 (via BRI0): !&lt;br /&gt;[OK - 1265/32723 bytes]&lt;br /&gt;xyzrouter# write&lt;br /&gt;xyzrouter# exit&lt;br /&gt;Connection closed by foreign host.&lt;br /&gt;mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg&lt;br /&gt;mail:/tftpboot# exit&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7269310759135878259?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7269310759135878259/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7269310759135878259' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7269310759135878259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7269310759135878259'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cisco-router-configuration-backups.html' title='Cisco Router Configuration Backups'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-8974198521829917287</id><published>2007-06-12T10:06:00.000-07:00</published><updated>2007-06-12T10:09:14.801-07:00</updated><title type='text'>Password Recovery Procedure for the Cisco VPN 
3000 Series</title><content type='html'>&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;This is the password recovery procedure for the following Cisco Virtual Private Network (VPN) products running version 2.5.1 or later:&lt;br /&gt;Cisco VPN 3002&lt;br /&gt;Cisco VPN 3015&lt;br /&gt;Cisco VPN 3060&lt;br /&gt;Cisco VPN 3005&lt;br /&gt;Cisco VPN 3030&lt;br /&gt;Cisco VPN 3080&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Note: For concentrators running code version 2.5 or earlier, contact the Cisco TAC for password recovery assistance.&lt;br /&gt;&lt;/span&gt;&lt;a name="default"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Default Password&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;br /&gt;The factory default passwords for the Cisco VPN 3000 Series are:&lt;br /&gt;username: admin&lt;br /&gt;password: admin &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Follow the steps below to recover a password&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable between the console port on the VPN Concentrator and the COM1 or serial port on the PC (Cisco supplies the cable with the system).&lt;br /&gt;Start a terminal emulator (HyperTerminal) on the PC. Configure a connection on COM1 with port settings of: 9600 bits per second, 8 data bits, no parity, 1 stop bit, hardware flow control. Set the emulator for VT100 emulation, or let it auto-detect the emulation type.&lt;br /&gt;When the Concentrator boots, and after the diagnostics check is complete, a line of three dots (...) 
appears on the console, a sample of which is shown below for reference. Press Ctrl-C within 3 seconds after seeing these dots. This displays a menu that lets you reset the system passwords to their defaults.&lt;br /&gt;Boot-ROM Initializing...&lt;br /&gt;Boot configured 128Mb of RAM. ...&lt;br /&gt;!--- At this second set of three dots, press Ctrl-C&lt;br /&gt;&lt;br /&gt;Loading image ..........&lt;br /&gt;Verifying image checksum ...........&lt;br /&gt;Active image loaded and verified...&lt;br /&gt;Starting loaded image...&lt;br /&gt;Starting power-up diagnostics...&lt;br /&gt;...&lt;br /&gt;Main Menu Options&lt;br /&gt;-----------------&lt;br /&gt;1 - Reset Passwords&lt;br /&gt;Q - Quit Main Menu&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-8974198521829917287?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/8974198521829917287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=8974198521829917287' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8974198521829917287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/8974198521829917287'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/password-recovery-procedure-for-cisco.html' title='Password Recovery Procedure for the Cisco VPN 3000 Series'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7865490921086536325</id><published>2007-06-12T10:03:00.000-07:00</published><updated>2007-06-12T10:06:51.173-07:00</updated><title type='text'>Set-up and usage of a Virtual Private Network using the Cisco VPN Client</title><content type='html'>&lt;div align="justify"&gt;&lt;a name="wachtwoord"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Creating your VPN password&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;In order to use a VPN connection, you need a VPN password. This password is not the same as your UGent password. If you do not have a VPN/dial-in password or if you forgot it, then you can easily create a new VPN password via: &lt;/span&gt;&lt;a href="https://password.ugent.be/"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;https://password.ugent.be&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt; Please note that you can only create or change a VPN password from a host on the UGent Network and not via another provider.&lt;br /&gt;&lt;/span&gt;&lt;a name="installpc"&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Installation and configuration of the Cisco VPN client on PC&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;You can &lt;/span&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/akkoord.php"&gt;&lt;span 
style="font-family:arial;font-size:85%;color:#333333;"&gt;download&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt; the latest version of the VPN client software (9 Mb). After agreeing with the &lt;/span&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/akkoord.php"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Statement concerning the use of Cisco VPN client&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;, click on the link that applies to your system, then click on "execute" (possibly twice).&lt;br /&gt;In the window WinZip Self-Extractor, choose 'unzip'.&lt;br /&gt;In the following window (language choice), click 'ok'.&lt;br /&gt;Click 'next' in the welcoming screen.&lt;br /&gt;Accept, when desired, the licence agreement by checking the option 'I accept the licence agreement', and then choose 'Next'.&lt;br /&gt;Choose 'Next' if you accept the standard location for installation of your files.&lt;br /&gt;Choose 'Next' to proceed with the installation.&lt;br /&gt;Click 'Finish' to complete the installation procedure.&lt;br /&gt;Click 'Yes' to reboot your PC.&lt;br /&gt;After rebooting, open the Cisco VPN Client via 'Start - Programs - Cisco Systems VPN Client - VPN Client'.&lt;br /&gt;Download the &lt;/span&gt;&lt;a href="http://helpdesk.ugent.be/vpn/download/UGent.pcf"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;UGent VPN client config file &lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;to the folder VPN Client. 
Click 'Save'.&lt;br /&gt;Save in: choose to save the file to your desktop&lt;br /&gt;In the window Download Complete, choose 'close'.&lt;br /&gt;In the VPN Client (via 'Start - Programs - Cisco Systems VPN Client - VPN Client'), choose 'import' (icon).&lt;br /&gt;In the dialogue box that appears, select the folder VPNClient and then the file 'UGent.pcf'&lt;br /&gt;Choose OK to complete the import.&lt;br /&gt;In order to use the VPN-connection, follow the steps under &lt;/span&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/cisco.php#gebruik"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Use of the VPN-connection&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a name="installmac"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Installation of Cisco VPN client on Mac&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;The software is only suitable for MacOS X 10.1.5 or higher&lt;br /&gt;The latest version of the vpnclient-software can be downloaded &lt;/span&gt;&lt;a href="akkoord.php"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt; (9MB).&lt;br /&gt;This can only be done after agreeing to the &lt;/span&gt;&lt;a href="akkoord.php"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;Declaration on the use of the Cisco VPN-client&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;. Once accepted, the download can be done time and again, without ever having to agree again.&lt;br /&gt;The software is available as a .hqx file. This contains these files after unpacking:&lt;br /&gt;vpnclient-darwin-4.9.00.0050-universal-k9.dmg&lt;br /&gt;By double-clicking the .dmg file (disk image), it is mounted as an extra device called CiscoVPNClient. 
In some cases, after unpacking the archive, the file vpnclient-darwin-4.0.2.C-GUI-k9.dmg might not have the extension .dmg. This means it cannot be opened by double-clicking. Rename the file manually by adding .dmg; after that, you should be able to open the file.&lt;br /&gt;On this device you should find the installation as "Cisco VPN client.mpkg"&lt;br /&gt;Double-click and follow the instructions. Click on the padlock if the message "You need an Administrator password to install the&lt;br /&gt;software" appears, and enter a login/password of your own Mac with administrator privileges.&lt;br /&gt;Keep on following the instructions on the screen; among other things, agree with the licence and pick the harddisk&lt;br /&gt;where the software should be installed.&lt;br /&gt;If the installation was successful, you'll find the program under&lt;br /&gt;Applications - VPNclient. Start the client.&lt;br /&gt;To configure it, importing the configuration file will suffice.&lt;br /&gt;Choose the button Import and choose the file UGent.pcf that was also in the downloaded file.&lt;br /&gt;After importing the file, the connection can be made immediately.&lt;br /&gt;&lt;/span&gt;&lt;a name="gebruik"&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Use of a VPN-connection&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;When a VPN is needed, you can start it as follows:&lt;br /&gt;Start the VPN via Start, Programs, Cisco Systems VPN Client, VPN Client. Select UGent and choose Connect. Enter your log-in name and corresponding &lt;/span&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/cisco.php#wachtwoord"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;VPN-password&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;. 
For Mac, start the VPN with Applications - VPNclient.&lt;br /&gt;Select UGent and choose Connect.&lt;br /&gt;Enter your login name and corresponding &lt;/span&gt;&lt;a href="#wachtwoord"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;VPN-password&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;. Since December 16th 2003, restrictions have been introduced on the volume used over a VPN. More info can be found on the webpage concerning the &lt;/span&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/vpnb.php"&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;volume restriction&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;.&lt;br /&gt;&lt;/span&gt;&lt;a name="problemen"&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;&lt;strong&gt;Possible problems&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;font-size:85%;color:#333333;"&gt;If you have a firewall installed, then it is possible that the firewall has not been configured correctly. In that case, you will get an error message even before the verification of your log-in and password. Turn off the firewall and first try to set up the VPN connection without the firewall. After that you can adjust the firewall settings.&lt;br /&gt;An update of F-Secure Anti-Virus, for example, could cause your computer to restart every time you want to use the VPN connection (Cisco).&lt;br /&gt;Other programs, such as Skype, can also cause problems when using the VPN connection. 
&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:Arial;font-size:85%;color:#333333;"&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;span style="font-family:Arial;font-size:85%;color:#333333;"&gt;More details are in&lt;/span&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;a href="http://www.helpdesk.ugent.be/vpn/en/cisco.php"&gt;http://www.helpdesk.ugent.be/vpn/en/cisco.php&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7865490921086536325?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7865490921086536325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7865490921086536325' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7865490921086536325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7865490921086536325'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/set-up-and-usage-of-virtual-private.html' title='Set-up and usage of a Virtual Private Network using the Cisco VPN Client'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-78427372914571318</id><published>2007-06-12T09:42:00.000-07:00</published><updated>2007-06-12T09:46:11.526-07:00</updated><title type='text'></title><content 
type='html'>Cisco Routing &amp; Switching Training&lt;br /&gt;Cisco Internetwork Troubleshooting (CIT)&lt;br /&gt;&lt;a name="audience"&gt;&lt;/a&gt;Who Should Attend&lt;br /&gt;CIT provides advanced training for senior-level network support professionals. The target audience is expected to be highly educated, with a background in engineering.&lt;br /&gt;&lt;a name="certs"&gt;&lt;/a&gt;Cisco Career Certifications&lt;br /&gt;This course is part of the following Certifications:&lt;br /&gt;&lt;br /&gt;1. CCNP (Cisco Certified Network Professional)&lt;br /&gt;2. CCIE (Cisco Certified Internetwork Expert) Routing &amp;amp; Switching&lt;br /&gt;3. CCIE (Cisco Certified Internetwork Expert) Service Provider&lt;br /&gt;4. CCIE (Cisco Certified Internetwork Expert) Security&lt;br /&gt;5. CCIE (Cisco Certified Internetwork Expert) Voice&lt;br /&gt;&lt;br /&gt;&lt;a name="essentials"&gt;&lt;/a&gt;Prerequisites&lt;br /&gt;Interconnecting Cisco Network Devices (ICND)&lt;br /&gt;Building Scalable Cisco Internetworks (BSCI)&lt;br /&gt;Building Cisco Multilayer Switched Networks (BCMSN)&lt;br /&gt;Building Cisco Remote Access Networks (BCRAN) or equivalent field experience&lt;br /&gt;&lt;br /&gt;Course Objectives&lt;br /&gt;The goal of CIT is to provide learners with hands-on experience in troubleshooting sub-optimal performance in a converged network and is an integral part of any approach to obtain the technical proficiency of Cisco Certified Network Professional (CCNP). CIT deepens the learner's technical ability rather than introducing new baseline technology. 
After completing this course, the student should be able to:&lt;br /&gt;&lt;br /&gt;Given a fully operational internetwork, interconnecting end systems using Cisco systems routers and switches, administrative access to the network, and access to Cisco IOS commands and applications that are used to discover baseline configuration information, students will establish a baseline, so that the topology and configuration is diagrammed and tabulated.&lt;br /&gt;Given interconnecting end systems using Cisco systems routers and switches, and the principles of a layered model troubleshooting approach, students will determine and document a troubleshooting strategy so that internetwork problems can be detected and corrected consistently.&lt;br /&gt;&lt;br /&gt;Given the sub-optimal operation of an internetwork at the physical or data link layer, a list of user-reported symptoms, and a network baseline, students will use Cisco IOS commands and applications to resolve optimization and failure problems at the physical or data link layer, so that the framed data moves from one end of a data link to another at the expected data error rate determined in the network baseline&lt;br /&gt;&lt;br /&gt;Given the sub-optimal operation of an internetwork at the network layer, a network baseline, and a list of user-reported and system-gathered symptoms, students will use Cisco IOS commands and applications to resolve optimization and failure problems at the network layer, so that students can verify connectivity at Layer 3, the routing tables show reachability to all expected network devices specified in the baseline, and traffic is flowing over the correct path detailed in the baseline&lt;a name="contents"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Course Content&lt;br /&gt;Establishing a Baseline&lt;br /&gt;Determining an effective troubleshooting strategy&lt;br /&gt;Resolving Problems at the Physical and Data Link layers&lt;br /&gt;Resolving Problems at the Network Layer&lt;br /&gt;Resolving 
Problems at the Transport and Application Layers&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-78427372914571318?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/78427372914571318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=78427372914571318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/78427372914571318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/78427372914571318'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cisco-routing-switching-trainingcisco.html' title=''/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7658731889534827806</id><published>2007-06-12T09:33:00.000-07:00</published><updated>2007-06-12T09:39:54.114-07:00</updated><title type='text'>CCNP Self-Study:</title><content type='html'>CCNP Self-Study:&lt;br /&gt;Building Cisco Multilayer Switched Networks (BCMSN)&lt;br /&gt;&lt;br /&gt;Building Cisco Multilayer Switched Networks (BCMSN), 2nd Edition, is a self-study learning resource for CCNP and CCDP certification candidates preparing for the BCMSN 642-811 exam. This self-study resource includes sample questions and answers and lab exercises in each chapter. 
Including coverage of intermediate to advanced networking switching technologies, this book helps CCNP candidates, as well as networking professionals, gain an understanding of switching fundamentals and best practices. Switching topics found in this book include Layer 2 and 3 switching, AVVID deployments in multilayer switching networks, QoS, CEF-based MLS, Catalyst switching architectures, and an introduction to Metro Ethernet. This is the only book authorized by Cisco Systems for early-stage, self-study learning of the BCMSN topics.&lt;br /&gt;&lt;br /&gt;The CCNP certification indicates advanced or journeyman knowledge of networks. One of the four requirements to achieve CCNP certification is passing the BCMSN exam. Focused on intermediate-level switching issues, the BCMSN exam assesses a candidate's skill at building campus networks using multilayer switching technologies over high speed Ethernet. The exam addresses both routing and switching concepts, covering both Layer 2 and Layer 3 technologies including IP multicast. The BCMSN exam is also a requirement for CCDP certification.&lt;br /&gt;&lt;br /&gt;1. Introduction to Building Cisco Multilayer Switched Networks.&lt;br /&gt;&lt;br /&gt;Hardware-Switching and Software-Switching Terminology. Multilayer Switching Overview. Enterprise Composite Network Model for Building Cisco Multilayer Switched Networks. Introducing the Cisco Catalyst Switches. Summary. Review Questions.&lt;br /&gt;&lt;br /&gt;2. The Roles of Switches in Designing Cisco Multilayer Switched Networks.&lt;br /&gt;&lt;br /&gt;Data-Link Technologies. Designing Cisco Multilayer Switched Networks Using the Cisco Catalyst Switches and Data-Link Technologies. Using the Cisco Catalyst Switches and Data-Link Technologies. Case Study: Designing a Cisco Multilayer Switched Network. Summary. Review Questions.&lt;br /&gt;&lt;br /&gt;3. 
Initial Configuration and Troubleshooting of Cisco Multilayer Switches.&lt;br /&gt;&lt;br /&gt;Comparing Cisco CatOS and Cisco IOS (Native Mode). Initial Configuration of Management Parameters of Cisco Catalyst Switches. Managing Catalyst Switch Configurations. Understanding the Cisco IOS File System and Software Images on Catalyst Switches. Upgrading Software Versions on Catalyst Switches. Overview of Converting Cisco CatOS to Cisco Native IOS. Basic Troubleshooting Practices. Initial Configuration Troubleshooting Tips. Summary. Configuration Exercise: Configuring a Cisco IOS-Based Catalyst Switch. Review Questions.&lt;br /&gt;&lt;br /&gt;4. Implementing and Configuring VLANs.&lt;br /&gt;&lt;br /&gt;VLANs. Troubleshooting VLANs. Private VLANs. VLAN Trunking. Configuring ISL and 802.1Q Trunking. VLAN Trunking Protocol. Summary. Configuration Exercise: Configuring VLAN, Trunking, and VTP in Multilayer Switched Networks. Review Questions.&lt;br /&gt;&lt;br /&gt;5. Understanding and Configuring the 802.1D, 802.1s, and 802.1w Spanning-Tree Protocols.&lt;br /&gt;&lt;br /&gt;Overview of the Spanning Tree Protocol. Bridging Loop. STP (IEEE 802.1D). STP Operation. Sample Scenario of STP Election Process. STP Topology Changes. Per VLAN Spanning Tree Plus. STP and IEEE 802.1Q Trunks. Configuring the Basic Parameters of PVST+. Verifying the STP Configuration. Rapid Spanning Tree Protocol. Multiple Spanning Tree. Configuring Basic Parameters of MST. Summary. Configuration Exercise: Configuring and Verifying Spanning-Tree Bridge Priorities and Spanning-Tree Port Cost. Configuration Exercise: Configuring and Verifying Spanning-Tree Bridge Priorities. Review Questions.&lt;br /&gt;&lt;br /&gt;6. Understanding and Configuring Cisco-Specific Spanning Tree Protocol Features and Troubleshooting STP.&lt;br /&gt;&lt;br /&gt;Enhancements to 802.1D Spanning Tree Protocol. Improving Spanning-Tree Resiliency. Preventing Forwarding Loops and Black Holes. Troubleshooting STP. Summary. 
Configuration Exercise: Configuring BackboneFast, UplinkFast, and Root Guard. Review Questions.&lt;br /&gt;&lt;br /&gt;7. Configuring Layer 2 and Layer 3 Features.&lt;br /&gt;&lt;br /&gt;EtherChannel. CDP. Port Security. Multiple Default Gateways. MAC Address Notification. Layer 3 Protocol Filtering. DHCP for Management IP Configuration. Debounce Timer Feature. Broadcast and Multicast Suppression. DHCP Snooping. Baby Giants and Jumbo Frame. UDLD and Aggressive Mode UDLD. Case Study: Function of Aggressive Mode UDLD. Summary. Configuration Exercise. Review Questions.&lt;br /&gt;&lt;br /&gt;8. Understanding and Configuring Inter-VLAN Routing.&lt;br /&gt;&lt;br /&gt;Introduction to Inter-VLAN Routing. IP Broadcast Forwarding. Summary. Configuration Exercise: Configuring Inter-VLAN Routing on Cisco IOS-Based Catalyst Switches. Review Questions.&lt;br /&gt;&lt;br /&gt;9. Understanding and Configuring Multilayer Switching.&lt;br /&gt;&lt;br /&gt;Understanding Traditional MLS. Understanding CEF-Based MLS. CEF-Based MLS Configuration, Verification, and Troubleshooting. Summary. Configuration Exercise: Troubleshooting CEF-Based MLS. Review Questions.&lt;br /&gt;&lt;br /&gt;10. Understanding and Implementing Quality of Service in Cisco Multilayer Switched Networks.&lt;br /&gt;The Need for QoS. QoS Service Models. Catalyst QoS Fundamentals. WAN QoS. QoS in the Multilayer Switched Network. Summary. Configuration Exercise: Configuring QoS on Cisco IOS-Based Catalyst Switches. Review Questions.&lt;br /&gt;&lt;br /&gt;11. Deploying Multicast in the Multilayer Switched Network.&lt;br /&gt;&lt;br /&gt;Introduction to Multicast. IP Multicast Protocol. Multicast Hardware-Based Switching Methods. Layer 2 Multicast Protocols. IP Multicast in the Multilayer Switched Network. Configuring Multicast. Monitoring and Verifying IP Multicast Traffic. Summary. Configuration Exercise: Configuring and Verifying Multicast in the Multilayer Switched Network. 
Review Questions.&lt;br /&gt;&lt;br /&gt;12. Implementing High Availability Options in Multilayer Switches.&lt;br /&gt;&lt;br /&gt;Achieving High Availability in Multilayer Switches. Implementing Redundant Supervisor Engines in Catalyst Switches. Router Redundancy Using Single Router Mode on the Catalyst 6500 Series of Switches. Implementing Redundant Supervisor Uplink Modules in Catalyst Switches. Implementing Redundant Power Supplies. Implementing Default Gateway Router Redundancy in Multilayer Switched Networks. Cisco IOS Server Load Balancing. Summary. Configuration Exercise: Configuring and Verifying RPR+ and HSRP. Review Questions.&lt;br /&gt;&lt;br /&gt;13. Introduction to Deploying Cisco IP Telephony.&lt;br /&gt;&lt;br /&gt;Network Design Recommendations for IP Telephony. Best Practices for Deploying IP Telephony in the Enterprise Composite Network Model. Summary. Configuration Exercise: Configuring Voice VLANs on a Catalyst Switch. Review Questions.&lt;br /&gt;&lt;br /&gt;14. Implementing Management and Data Plane Security Features on Cisco Catalyst Switches.&lt;br /&gt;&lt;br /&gt;Catalyst Switch Configurations for Security in Multilayer Switched Networks. Configuring AAA. Network Access Security Using IEEE 802.1X. Applying Security Using Access Control Lists. Understanding the Role of Private VLANs as a Security Feature. Understanding the Role of QoS as a Security Feature. Summary. Configuration Exercise: AAA, 802.1X, and VACLs. Review Questions.&lt;br /&gt;&lt;br /&gt;15. Introduction to the Catalyst Switching Architectures.&lt;br /&gt;&lt;br /&gt;Catalyst 6500. Catalyst 4500. Catalyst 3750. Catalyst 3550. Catalyst 2950. Summary. Review Questions.&lt;br /&gt;&lt;br /&gt;16. Introduction to Storage Networking.&lt;br /&gt;&lt;br /&gt;Storage Networking Overview. Storage Networking Protocols. Campus Network Integration. Cisco Storage Solutions. Summary. Review Questions.&lt;br /&gt;&lt;br /&gt;17. 
Designing, Building, and Connecting Cisco Multilayer Switched Networks Using Metro Solutions.&lt;br /&gt;&lt;br /&gt;Introduction to Cisco Metro Solutions. Metro Ethernet. Examining Metro Ethernet Tunneling. EoMPLS Implementation. Summary. Review Questions.&lt;br /&gt;&lt;br /&gt;18. Performance and Connectivity Troubleshooting Tools for Multilayer Switches.&lt;br /&gt;&lt;br /&gt;Techniques to Enhance Performance. Monitoring Performance with SPAN and VSPAN. Monitoring Performance with RSPAN. Monitoring Performance Using VACLs with the Capture Option. Troubleshooting Using L2 Traceroute. Performance Monitoring Using the Network Analysis Module in the Catalyst 6500 Family of Switches.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7658731889534827806?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7658731889534827806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7658731889534827806' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7658731889534827806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7658731889534827806'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/ccnp-self-study.html' title='CCNP Self-Study:'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-2348101173478135166</id><published>2007-06-12T09:06:00.000-07:00</published><updated>2007-06-12T09:08:38.677-07:00</updated><title type='text'>How to Choose a Cisco IOS Software Release</title><content type='html'>&lt;span style="font-family:times new roman;font-size:85%;color:#999900;"&gt;Introduction&lt;br /&gt;This document provides guidelines to help you choose the most appropriate Cisco IOS® Software release to meet your needs, and provides suggestions and tools to aid you in your choice.&lt;br /&gt;&lt;br /&gt;Note: In order to use the troubleshooting tools described in this document, you must be a registered customer and you must be logged in.&lt;br /&gt;&lt;br /&gt;Prerequisites&lt;br /&gt;Requirements&lt;br /&gt;There are no specific requirements for this document.&lt;br /&gt;&lt;br /&gt;Components Used&lt;br /&gt;This document is not restricted to specific software and hardware versions.&lt;br /&gt;&lt;br /&gt;Conventions&lt;br /&gt;Refer to the Cisco Technical Tips Conventions for more information on document conventions.&lt;br /&gt;&lt;br /&gt;How Do I Choose a Cisco IOS Software Release?&lt;br /&gt;The most important factors to take into account are:&lt;br /&gt;&lt;br /&gt;Hardware Support&lt;br /&gt;&lt;br /&gt;Feature Support&lt;br /&gt;&lt;br /&gt;Cisco IOS Software Release Version&lt;br /&gt;&lt;br /&gt;Memory Requirements&lt;br /&gt;&lt;br /&gt;Hardware Support&lt;br /&gt;The first thing to check when you choose a Cisco IOS Software release is hardware support. 
You can find the software requirements of your hardware in the Cisco Product Documentation section of the Documentation CD, but Cisco recommends that you use the Cisco Software Advisor (registered customers only), which allows you to search for Cisco IOS Hardware Support.&lt;br /&gt;&lt;br /&gt;Note: In order to use the tools, you must:&lt;br /&gt;&lt;br /&gt;Compile a list of the different software versions that support all your hardware.&lt;br /&gt;&lt;br /&gt;Determine which features have to be deployed within your network.&lt;br /&gt;&lt;br /&gt;Feature Support&lt;br /&gt;If you have the output of a show version command from your Cisco device, you can use the Output Interpreter Tool (registered customers only) to display potential issues and fixes. In order to use this tool, you must be a registered customer, be logged in, and have JavaScript enabled.&lt;br /&gt;&lt;br /&gt;It is important to check for feature support, especially if you plan to use recent software features. If you want to keep the same features as the version that currently runs on your router, and you are not sure which feature set you use, issue the show version command on your router.&lt;br /&gt;&lt;br /&gt;The second line of the show version command output looks like this:&lt;br /&gt;&lt;br /&gt;IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)&lt;br /&gt;&lt;br /&gt;The "JS" is the feature set. In this example, J stands for "Enterprise" and S stands for "Plus". With this knowledge, you can choose a similar feature set.&lt;br /&gt;&lt;br /&gt;In order to find out which Cisco IOS Software supports all of the features you plan to use, it is best to use the Cisco Software Advisor (registered customers only), which allows you to search by feature(s) or by release, and it even allows you to compare two releases. 
Write down the different software versions that meet your requirements and that are compatible with your hardware.&lt;br /&gt;&lt;br /&gt;Cisco IOS Software Release Version&lt;br /&gt;You still have to choose the particular Cisco IOS Software release you want to run. All of them are fine as long as they support your hardware, contain the features you want, and are compatible with the memory of your router (see Memory Requirements). Here are some general recommendations and guidelines to make it easier for you:&lt;br /&gt;&lt;br /&gt;Release Format&lt;br /&gt;Cisco IOS Software releases use the format A.B(C)D where:&lt;br /&gt;&lt;br /&gt;A, B, and C are numbers.&lt;br /&gt;&lt;br /&gt;D (if present) is a letter.&lt;br /&gt;&lt;br /&gt;A.B is a major release.&lt;br /&gt;&lt;br /&gt;C is the maintenance version. A higher maintenance number means more bug fixes. Any feature, bug fix, and hardware support available in a particular maintenance version are also available in the next one.&lt;br /&gt;&lt;br /&gt;D, if present, indicates that the release is not a major release, but an extension of a major release. These extensions usually provide new features and new hardware support.&lt;br /&gt;&lt;br /&gt;Note: Older releases are often more stable than new ones, but also contain fewer features.&lt;br /&gt;&lt;br /&gt;Cisco IOS Software Image&lt;br /&gt;The Cisco IOS Software image is either ED, LD, GD, or DF:&lt;br /&gt;&lt;br /&gt;ED stands for "Early Deployment." Early Deployment releases offer new feature, platform, or interface support. Most non-major releases contain ED releases.&lt;br /&gt;&lt;br /&gt;GD stands for "General Deployment." A major release of Cisco IOS Software reaches the "General Deployment" milestone when Cisco feels it is suitable for deployment anywhere in customer networks where the features and functionality of the release are required. 
Criteria for reaching the "General Deployment" milestone are based on, but not limited to, customer feedback surveys from production and test networks using the releases, Customer Engineer bug reports, and reported field experience. Only major releases are candidates for the General Deployment milestone.&lt;br /&gt;&lt;br /&gt;LD stands for "Limited Deployment." A major release of Cisco IOS Software is said to be in the "Limited Deployment" phase of its life cycle during the period between its first shipment and the GD milestone.&lt;br /&gt;&lt;br /&gt;DF stands for "Deferred." DF releases are not available for downloading because of known defects. These should not be installed on your router.&lt;br /&gt;&lt;br /&gt;When choosing a release, Cisco recommends a GD release when possible. Only choose an ED release if your hardware and software features leave you no other choice.&lt;br /&gt;&lt;br /&gt;Memory Requirements&lt;br /&gt;Before you install a new Cisco IOS Software image on your router, check if your router meets the memory requirements for that image. For this, issue the show version command on your router, and look for these lines:&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory&lt;br /&gt;...&lt;br /&gt;16384K bytes of processor board System flash (Read ONLY)&lt;br /&gt;&lt;br /&gt;The first line tells you how much Dynamic RAM (DRAM) and Packet memory are installed in your router. Some platforms use a fraction of their DRAM as Packet memory. The memory requirements take this into account, so you have to add both numbers to find the amount of DRAM available on your router (from a memory requirement point of view).&lt;br /&gt;&lt;br /&gt;Example 1: Separate DRAM and Packet Memory&lt;br /&gt;...&lt;br /&gt;cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;The 4000, 4500, 4700, and 7500 routers have separate DRAM and Packet memory, so you only need to look at the first number. 
This shows that the router has 65536 K (or 64 M) of DRAM.&lt;br /&gt;&lt;br /&gt;Example 2: Combined DRAM and Packet Memory&lt;br /&gt;...&lt;br /&gt;cisco 2611 (MPC860) processor (revision 0x202) with 29696K/3072K bytes of memory&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;The 1000, 1600, 2500, 2600, 3600, and 7200 routers use a fraction of DRAM as Packet memory, so you need to add both numbers to find out the real amount of DRAM. In this example, the router has 29696 K + 3072 K = 32768 K (or 32 M) of DRAM.&lt;br /&gt;&lt;br /&gt;Example 3: Available Flash Memory&lt;br /&gt;...&lt;br /&gt;cisco RSP4 (R5000) processor with 65536K/2072K bytes of memory&lt;br /&gt;...&lt;br /&gt;16384K bytes of processor board System flash (Read ONLY)&lt;br /&gt;&lt;br /&gt;The bottom line tells you how much Flash memory is available. Some of it might already be in use. In order to find out the amount of free Flash memory, issue a show flash command:&lt;br /&gt;&lt;br /&gt;Router#show flash&lt;br /&gt;&lt;br /&gt;System flash directory:&lt;br /&gt;File Length Name/status&lt;br /&gt;1 8407884 c2600-io3s56i-mz.121-6&lt;br /&gt;[8407948 bytes used, 8369268 available, 16777216 total]&lt;br /&gt;16384K bytes of processor board System flash (Read/Write)&lt;br /&gt;&lt;br /&gt;Variants of the show flash command can be used to inspect different specific Flash devices on the platform. 
Refer to the show flash command definition for information on how to use these variants.&lt;br /&gt;&lt;br /&gt;Example 4: Memory Available in Cisco Catalyst 6500/6000 Switches&lt;br /&gt;For Catalyst 6500/6000 Series Switches that run in Hybrid mode, the DRAM must be calculated separately for the Supervisor and Multilayer Switch Feature Card (MSFC).&lt;br /&gt;&lt;br /&gt;This is the show version command output from the Supervisor module:&lt;br /&gt;&lt;br /&gt;Console&gt;show version&lt;br /&gt;&lt;br /&gt;WS-C6009 Software, Version NmpSW: 6.2(0.11)KEY&lt;br /&gt;&lt;br /&gt;Copyright (c) 1995-2000 by Cisco Systems&lt;br /&gt;&lt;br /&gt;NMP S/W compiled on Oct 5 2000, 01:18:33&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;!--- Output suppressed.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;DRAM FLASH NVRAM&lt;br /&gt;&lt;br /&gt;Module Total Used Free Total Used Free Total Used Free&lt;br /&gt;&lt;br /&gt;------ ------- ------- ------- ------- ------- ------- ----- ----- -----&lt;br /&gt;&lt;br /&gt;1 65408K 45402K 20006K 16384K 8683K 7701K 512K 253K 259K&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Uptime is 1 day, 19 hours, 54 minutes&lt;br /&gt;&lt;br /&gt;Console&gt; (enable)&lt;br /&gt;&lt;br /&gt;The Supervisor module has 64 MB (65408 KB) of DRAM present.&lt;br /&gt;&lt;br /&gt;This is the output of the show version command from the MSFC card:&lt;br /&gt;&lt;br /&gt;MSFC#show version&lt;br /&gt;&lt;br /&gt;Cisco Internetwork Operating System Software&lt;br /&gt;IOS (tm) MSFC Software (C6MSFC-JSV-M),&lt;br /&gt;Version 12.1(8a)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;!--- Output suppressed.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;cisco Cat6k-MSFC (R5000) processor with 57344K/8192K bytes of memory.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;!--- Output suppressed.&lt;br /&gt;&lt;br /&gt;The MSFC card has a DRAM of 64 MB (57344 KB + 8192 KB).&lt;br /&gt;&lt;br /&gt;For Catalyst 6500/6000 Series Switches that run in Native IOS mode, the show version command displays the combined DRAM memory from 
the Supervisor and MSFC.&lt;br /&gt;&lt;br /&gt;Router#show version&lt;br /&gt;&lt;br /&gt;Cisco Internetwork Operating System Software&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;!--- Output suppressed.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;System image file is "sup-bootflash:c6sup22-jsv-mz"&lt;br /&gt;&lt;br /&gt;cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;!--- Output suppressed.&lt;br /&gt;&lt;br /&gt;The combined DRAM memory present in the switch is 128 MB (112640 KB + 18432 KB).&lt;br /&gt;&lt;br /&gt;You need to satisfy both the DRAM and the Flash requirements to be able to use the software you choose. If you do not meet the requirements, you can either add more Flash or more DRAM in the router, or choose another Cisco IOS Software release. You may also consider a reduced feature set or an older release, since they have fewer features, and therefore fewer requirements.&lt;br /&gt;&lt;br /&gt;To find the memory requirements for a particular release, you can use the Cisco IOS Upgrade Planner (registered customers only) or the Release notes. 
To access the release notes for a Cisco IOS Software release:&lt;br /&gt;&lt;br /&gt;Go to the Cisco IOS Upgrade Planner (registered customers only).&lt;br /&gt;&lt;br /&gt;Select the major release in which you are interested.&lt;br /&gt;&lt;br /&gt;Select Platform Specific Release Notes (or just Release Notes prior to Cisco IOS Software Release 11.2).&lt;br /&gt;&lt;br /&gt;Select Cross-Platform Release Notes for the main release (for example, Cisco IOS Software Release 12.0 or 11.3), or choose the correct platform for other releases (such as Cisco IOS Software Release 12.1T or 12.0S).&lt;br /&gt;&lt;br /&gt;Select Memory Requirements (or System Requirements, depending on the Cisco IOS Software release) and look for the memory requirements for your Cisco IOS Software image.&lt;br /&gt;&lt;br /&gt;For Cisco 3600 and 2600 routers, the number of interfaces also influences the amount of memory necessary. Use the 2600/3600/3700 Memory Calculator (registered customers only) to verify the requirements. Note that the tool and the release notes provide minimum requirements for normal utilization of the router. If you plan to have, for example, large routing tables on your router, consider installing additional memory.&lt;br /&gt;&lt;br /&gt;Download the Cisco IOS Software Image&lt;br /&gt;You should now be ready to go to the Cisco IOS Upgrade Planner (registered customers only). Follow these steps:&lt;br /&gt;&lt;br /&gt;Select the major release in which you are interested.&lt;br /&gt;&lt;br /&gt;Select the platform.&lt;br /&gt;&lt;br /&gt;Select the exact version you want to download. (At this point, you can see which versions are GD, LD, or ED [DF releases are not available for downloading]).&lt;br /&gt;&lt;br /&gt;Select the feature set you want.&lt;br /&gt;&lt;br /&gt;The memory requirements for that feature set are displayed. 
If your router matches them, go ahead and download the image.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-2348101173478135166?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/2348101173478135166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=2348101173478135166' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2348101173478135166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/2348101173478135166'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/how-to-choose-cisco-ios-software.html' title='How to Choose a Cisco IOS Software Release'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-1410508935516966053</id><published>2007-06-12T08:54:00.001-07:00</published><updated>2007-06-12T11:28:13.643-07:00</updated><title type='text'>Cisco IOS Debug Troubleshooting Tool</title><content type='html'>Handling the Cisco IOS Debug Troubleshooting Tool&lt;br /&gt;&lt;br /&gt;Debug is a troubleshooting command that is available from the privileged exec mode (of Cisco IOS). This command can be used to display information about various router operations and the related traffic generated or received by the router, as well as any error messages. 
This tool is very useful and informative, but you must be aware of the following facts regarding its use: Debug is treated as a very high priority task. It can consume a significant amount of resources, and the router is forced to process-switch the packets being debugged. Debug must not be used as a monitoring tool; it is meant to be used for a short period of time and as a troubleshooting tool. By using it you discover significant facts about the working and faulty software and/or hardware components. The following is a list of recommendations on proper usage of the debug command:&lt;br /&gt;&lt;br /&gt;If you want to see a timestamp with each line of the debug output, you must enable the timestamp service using this command:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;router(config)#service timestamps debug [datetime | uptime]&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;If you plan to see the debug output from within a Telnet session, you need to enter the terminal monitor command.&lt;br /&gt;&lt;br /&gt;Usually, the debug command is used to diagnose a specific facility, task, or protocol. Sometimes a protocol suite has a specific member (e.g., TCP from among the TCP/IP protocol suite members) that you may want to focus on. When you choose the protocol you want to debug, then you usually have a choice to use the events option or the packets option of the debug command for that specific protocol. Event debugging is less resource intensive than packet debugging, but packet debugging produces more information.&lt;br /&gt;&lt;br /&gt;Turning debugging on for everything (using the debug all command) is seriously discouraged in production networks. You get a tremendous amount of information, very fast, but it can severely diminish the router's performance or even render it unusable. 
The debug all command is also quite useless since it presents overlapping information that is difficult if not impossible to interpret.&lt;br /&gt;&lt;br /&gt;Before using the debug command, check the CPU utilization of your router (using the show processes cpu command). If your router's CPU utilization is consistently at 50% or more, you are advised to debug events instead of packets.&lt;br /&gt;&lt;br /&gt;If possible, use the debug command during periods when network traffic is not at its peak and fewer critical business applications are active. Cisco routers give the debug command higher priority (with respect to CPU cycles) than network traffic.&lt;br /&gt;&lt;br /&gt;Always remember to undo debug as soon as possible. You can use the no debug {argument} command to turn off a specific debugging type. The no debug all or undebug all commands can be used to turn off all types of debugging that may be on.&lt;br /&gt;&lt;br /&gt;For troubleshooting, also consider using protocol analyzers to capture and display network traffic. These have little or no impact on your network performance, yet they provide valuable information. I also recommend capturing debug info to a file for offline perusal and training.&lt;br /&gt;&lt;br /&gt;Using an access list with your debug command helps you focus the debug output on the task you are troubleshooting. 
See the next section for more information on this technique.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-1410508935516966053?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/1410508935516966053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=1410508935516966053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/1410508935516966053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/1410508935516966053'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cisco-ios-debug-troubleshooting-tool.html' title='Cisco IOS Debug Troubleshooting Tool'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-7925223321520825976</id><published>2007-06-12T08:47:00.000-07:00</published><updated>2007-06-12T08:49:19.662-07:00</updated><title type='text'>Download software upgrades and patches</title><content type='html'>Download software upgrades and patches&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cisco.com/en/US/support/tsd_downloads.html"&gt;http://www.cisco.com/en/US/support/tsd_downloads.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Download software&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.cisco.com/en/US/support/tsd_downloads.html"&gt;http://www.cisco.com/en/US/support/tsd_downloads.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-7925223321520825976?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/7925223321520825976/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=7925223321520825976' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7925223321520825976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/7925223321520825976'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/download-software-upgrades-and-patches.html' title='Download software upgrades and patches'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-5685336210046080437</id><published>2007-06-12T08:36:00.000-07:00</published><updated>2007-06-12T08:39:28.589-07:00</updated><title type='text'>Cisco Security Manager</title><content type='html'>Introduction&lt;br /&gt;&lt;br /&gt;Cisco Security Manager is a powerful but very easy-to-use solution to centrally provision all aspects of device configuration and security policies for Cisco firewalls, virtual private networks (VPNs), and Intrusion Prevention Systems (IPS). 
The solution effectively manages even small networks consisting of fewer than ten devices, but also scales to efficiently manage large-scale networks composed of thousands of devices. Scalability is achieved through intelligent policy-based management techniques that can simplify administration.&lt;br /&gt;&lt;br /&gt;Product Highlights&lt;br /&gt;Supports provisioning for Cisco router platforms running a Cisco IOS security software image, Cisco ASA 5500 Series adaptive security appliances, Cisco PIX security appliances, Cisco IPS 4200 Series sensors, and Cisco Catalyst 6500 Series security services modules&lt;br /&gt;Respond faster to threats: define and assign new security policies to thousands of devices in a few simple steps&lt;br /&gt;Rich graphical user interface provides superior ease-of-use&lt;br /&gt;Multiple views that provide flexible methods to manage devices and policies, including the ability to manage the security network visually on a topology map&lt;br /&gt;Extensive animated help for the new user to reduce the learning time&lt;br /&gt;Centrally specify which policies are shared and automatically inherited by new devices to ensure corporate policies are implemented consistently, while providing optional flexibility to customize policies at the local device level&lt;br /&gt;Ability to create a single firewall rule table for all Cisco platforms with intelligent analysis of firewall policies to determine anomalies in the rule base&lt;br /&gt;Easily configure site-to-site, hub-spoke, full mesh or extranet VPN connections with a few mouse clicks&lt;br /&gt;Integration with Cisco ACS for granular role-based access control to devices and management functions&lt;br /&gt;Integration with Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) to correlate events with the associated firewall rules to help with quicker decision making and increased network uptime&lt;br /&gt;Ability to assign specific tasks to each administrator during the deployment of a 
policy, with formal change control and tracking; allows the security and network operations staff to work together as a single team with effective coordination&lt;br /&gt;&lt;br /&gt;The Cisco Security Manager is part of the Cisco Security Management Suite, which delivers comprehensive policy administration and enforcement for the Cisco Self-Defending Network. The suite also includes the world-class Cisco Security MARS for monitoring and mitigation, which can be purchased separately.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-5685336210046080437?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/5685336210046080437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=5685336210046080437' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5685336210046080437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/5685336210046080437'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/cisco-security-manager.html' title='Cisco Security Manager'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2102681227648737782.post-3448600486757173084</id><published>2007-06-11T13:27:00.000-07:00</published><updated>2007-06-11T13:46:17.812-07:00</updated><title type='text'>CiscoWorks LAN Management 
Solution</title><content type='html'>Introduction:&lt;br /&gt;&lt;br /&gt;Simplify LAN Management&lt;br /&gt;&lt;br /&gt;CiscoWorks LAN Management Solution (LMS) is a suite of powerful management tools that simplify the configuration, administration, monitoring, and troubleshooting of Cisco networks. It integrates these capabilities into a best-in-class solution for:&lt;br /&gt;Improving the accuracy and efficiency of the network operations staff&lt;br /&gt;Increasing the overall availability of the network by simplifying configuration and quickly identifying and fixing network problems&lt;br /&gt;Maximizing network security through integration with access control services and audit of network-level changes&lt;br /&gt;CiscoWorks LMS provides:&lt;br /&gt;A centralized system for sharing device information across all LAN management applications, improving manageability, and increasing systemwide awareness of network changes&lt;br /&gt;Network discovery, topology views, end-station tracking, and VLAN management&lt;br /&gt;Real-time network fault analysis with easy-to-deploy, device-specific, best-practice templates&lt;br /&gt;Hardware and software inventory management, centralized configuration tools, and syslog monitoring&lt;br /&gt;Monitoring and tracking of network response time and availability&lt;br /&gt;Real-time device and link management, as well as port traffic management, analysis, and reporting&lt;br /&gt;A flexible Web portal for launching and navigating network management functionality&lt;br /&gt;A workflow engine that provides step-by-step wizards for system setup and device troubleshooting&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2102681227648737782-3448600486757173084?l=cisco-information.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cisco-information.blogspot.com/feeds/3448600486757173084/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2102681227648737782&amp;postID=3448600486757173084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3448600486757173084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2102681227648737782/posts/default/3448600486757173084'/><link rel='alternate' type='text/html' href='http://cisco-information.blogspot.com/2007/06/ciscoworks-lan-management-solution.html' title='CiscoWorks LAN Management Solution'/><author><name>Bishwajeet</name><uri>http://www.blogger.com/profile/03157767253606501984</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
