CCIE Security written: 2 – Application Protocols

Highlights of CCIE Security written Study Guide

Active FTP is less secure than passive mode because the FTP server, which in theory could be any host, initiates the data channel.

In passive mode, the second connection (the FTP data connection) is also initiated from the client to the server, the reverse of active FTP.

In passive FTP, the client initiates both the control connection and the data connection. In active mode, the FTP server initiates the FTP data channel. When using passive FTP, the probability of compromising data is lower because the FTP client initiates both connections.
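The difference between the two modes is visible in the control-channel messages themselves: a PASV reply tells the client where to connect, whereas a PORT command tells the server where to connect back in. The following is an added example, not code from the study guide, that parses a constructed 227 reply, builds the equivalent PORT command, and applies the check a cautious client makes that the advertised passive host matches the control-connection peer.

```python
import re
from typing import Optional, Tuple

# Constructed sample reply in the form an FTP server sends; not a real capture.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str, control_host: Optional[str] = None) -> Tuple[str, int]:
    """Parse a 227 PASV reply into (host, port).

    In passive mode the client opens the data connection itself, so only an
    outbound connection is needed on the client side. If control_host is
    given, a reply that points at a different host is rejected, so a server
    cannot redirect the client's data connection to a third party.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply")
    host = f"{h1}.{h2}.{h3}.{h4}"
    if control_host is not None and host != control_host:
        raise ValueError(f"PASV host {host} differs from control host {control_host}")
    return host, p1 * 256 + p2


def build_port_command(host: str, port: int) -> str:
    """Build the PORT command an active-mode client sends.

    The client announces an address and port it is listening on and the
    server then connects in (server -> client): the inbound data connection
    that makes active mode harder to permit safely through a firewall.
    """
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"bad port: {port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


if __name__ == "__main__":
    print(parse_pasv_reply(PASV_REPLY, control_host="192.0.2.10"))
    print(build_port_command("192.0.2.20", 50010))
```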


If the snmp-server community command is not used during the SNMP configuration session, it will automatically be added to the configuration after the snmp-server host command is used. In this case, the default community string for snmp-server community is taken from the snmp-server host command. You must always set the community string manually; otherwise, your router could be left vulnerable to SNMP get commands.

snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
  • SNMP Version 3 is the most secure model because it allows packet encryption with the priv keyword.
  • auth — (Optional) Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.
  • priv — (Optional) Enables Data Encryption Standard (DES) packet encryption (also called privacy).
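The two points above (an implicitly derived community string, and SNMPv3 only being encrypted with priv) can be checked offline against a saved configuration. The following is an added example, not code from the study guide or from Cisco, that walks the snmp-server host syntax shown above over a constructed IOS excerpt and reports each weak notification target; a v3 host line with no security level is treated here as not using priv.

```python
from typing import Dict, List

# Constructed IOS configuration excerpt for the audit; not from a real device.
SAMPLE_CONFIG = """\
hostname R1
snmp-server host 192.0.2.50 public
snmp-server host 192.0.2.51 informs version 2c ops-ro udp-port 1162
snmp-server host 192.0.2.52 version 3 auth nmsuser
snmp-server host 192.0.2.53 version 3 priv nmsuser
"""


def parse_host_line(line: str) -> Dict[str, str]:
    """Split one 'snmp-server host' line into host, version, level and community.

    Follows the command syntax: host-addr [traps|informs] [version ...]
    community-string [udp-port ...]. Version defaults to 1 when omitted.
    """
    tok = line.split()
    fields = {"host": tok[2], "version": "1", "level": "", "community": ""}
    i = 3
    if i < len(tok) and tok[i] in ("traps", "informs"):
        i += 1
    if i + 1 < len(tok) and tok[i] == "version":
        fields["version"] = tok[i + 1]
        i += 2
        if fields["version"] == "3" and i < len(tok) and tok[i] in ("auth", "noauth", "priv"):
            fields["level"] = tok[i]
            i += 1
    if i < len(tok):
        fields["community"] = tok[i]  # community string, or the v3 username
    return fields


def audit_snmp(config: str) -> List[str]:
    """Return one finding per weakness in the SNMP notification targets."""
    lines = [l.strip() for l in config.splitlines()]
    explicit_community = any(l.startswith("snmp-server community ") for l in lines)
    findings: List[str] = []
    for l in lines:
        if not l.startswith("snmp-server host "):
            continue
        f = parse_host_line(l)
        if f["version"] in ("1", "2c"):
            findings.append(f"{f['host']}: SNMPv{f['version']} sends community "
                            f"'{f['community']}' in cleartext")
            if not explicit_community:
                findings.append(f"{f['host']}: no explicit snmp-server community; "
                                "IOS will derive one from this host line")
        elif f["level"] != "priv":
            findings.append(f"{f['host']}: SNMPv3 without priv, packets are not encrypted")
    return findings
```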

NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server receives its time via NTP from a stratum 1 time server, and so on. Cisco routers cannot support stratum 1 (in other words, you cannot connect a Cisco router to an atomic clock source).

To ensure that R1 sends R2 a clock source via NTP, R1 must be configured to send NTP traffic over the Frame Relay cloud with the command ntp broadcast. To specify that a specific interface should send NTP broadcast packets, use the ntp broadcast interface configuration command. Similarly, R2 must receive NTP traffic and is considered an NTP client with the IOS command ntp broadcast client.


CCIE Security written: 1 – General Networking

Highlights of CCIE Security written Study Guide

Cisco switches have VLAN 1 already configured, and it cannot be removed because it is used for management purposes: protocols such as CDP and spanning tree are active on it.


Telnet (TCP) Packet Flow

Step 3: The PC sends a segment that acknowledges (ACK) the router's reply. The first three steps are commonly known as the TCP three-way handshake. It is possible for four packets to start a session if a parameter needs to be negotiated.


A gratuitous ARP is an ARP request with the sender's own IP address as the target address. It refreshes other devices' ARP table entries and also detects duplicate IP addresses. Routers are among the devices that can send a gratuitous ARP.


VTP

CDP v2 advertises the VTP domain too. To disable this, use no cdp advertise-v2.

The VTP version can't be changed in Client mode.

VTP Pruning is only implemented on VTP Server nodes.

The VTP pruning eligible list is configured on TRUNK interfaces (switchport trunk pruning … ).

VLANs that are not mentioned in the pruning eligible list will never be pruned.

VTP pruning can only be modified in server mode.

VTP pruning is propagated to clients too.

VTP mode can't be set to server when VLANs already exist.

Version-dependent transparent mode

In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because only one domain is supported in the Supervisor engine software, VTP version 2 forwards VTP messages in transparent mode without checking the version.


802.1Q Tunneling (Q-in-Q)

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 no cdp enable

The access VLAN, which is here called the Tunnel-Tag, must exist along the transit path.

In a scenario where EtherChannel is implemented between two 802.1Q customer sites and there is more than one switch in the transit path, with each CE switch having, for example, three different uplinks, each PE-to-CE link should be assigned a different tunnel VLAN.

Also, the transit path should consist of TRUNK links that carry the Tunnel-Tag VLANs.


OSPF Design: 3 – Fundamentals

OSPF benefits
  • Fast convergence
  • Variable-length subnet masking (VLSM)
  • Authentication
  • Hierarchical segmentation
  • Route summarization
  • Aggregation

Route summarization is a major factor in the success of your network design. To ensure that your network can scale properly, route summarization is the biggest factor against which to measure your success. Without summarization, you have a flat address design with specific route information for every subnet being transmitted across the network, which is a bad thing in large networks.

The six time-proven steps to designing a network are as follows:

  1. Analyze the requirements.
  2. Develop the network topology.
  3. Determine the addressing and naming conventions.
  4. Provision the hardware.
  5. Deploy protocol and Cisco IOS Software features.
  6. Implement, monitor, and maintain the network.

Consider the following issues when working through the network design process:
