Manual
On
Prepared by,
Er. Kumar Pudashine
(CCNP Security, ITIL Certified, ActivIdentity Certified)
July 2014
CHAPTER I
STANDARDS AND GUIDELINES
ITIL
ITIL stands for the Information Technology Infrastructure Library. ITIL is the international de
facto management framework describing good practices for IT Service Management. The
ITIL framework evolved from the UK government's efforts during the 1980s to document how
successful organizations approached service management. By the early 1990s they had
produced a large collection of books documenting the best practices for IT Service
Management. This library was eventually entitled the IT Infrastructure Library. The Office of
Government Commerce in the UK continues to operate as the trademark owner of ITIL.
ITIL has gone through several evolutions and was most recently refreshed with the release of
version 3 in 2007. Through these evolutions the scope of practices documented has increased
in order to stay current with the continued maturity of the IT industry and meet the needs and
requirements of the ITSM professional community.
Five volumes make up the IT Infrastructure Library (Version 3):
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
A central concept to keep in mind when discussing the benefits of IT Service Management is the
goal of business and IT alignment. When staff members of an IT organization have an internal
focus on the technology being delivered and supported, they lose sight of the actual purpose
and benefit that their efforts deliver to the business. One way to communicate how IT
supports the business is Figure 1.B, which demonstrates business and IT alignment.
Figure 1.B divides an organization into a number of supporting layers that work towards
meeting a number of organizational goals. These layers are communicated by the following:
Services layer (from Figure 1.B): Web site, email, automatic procurement system for buying products, Point of Sale.
R - Responsibility (actually does the work for that activity but reports to the function or
position that has an A against it).
A - Accountability (is made accountable for ensuring that the action takes place, even if they
might not do it themselves). This role implies ownership.
C - Consult (advice / guidance / information can be gained from this function or position prior
to the action taking place).
I - Inform (the function or position that is told about the event after it has happened).
FCAPS
FCAPS is the ISO Telecommunications Management Network model and framework for network
management. FCAPS is an acronym for fault, configuration, accounting, performance and security.
In the 1990s the ITU-T, as part of their work on Telecommunications Management
Network (TMN), further refined the FCAPS as part of the TMN recommendation on
Management Functions (M.3400).
a) Cold Site
An empty facility located offsite with the necessary infrastructure ready for installation in the event
of a disaster.
b) Mutual Backup
Two organizations with similar system configuration agreeing to serve as a backup site to each
other.
c) Hot Site
A site with hardware, software and network installed and compatible with the production site.
d) Remote Journaling
Online transmission of transaction data to the backup system at regular intervals (normally a few hours) to
minimize loss of data and reduce recovery time.
e) Mirrored Site
A site equipped with a system identical to the production system and a mirroring facility. Data is
mirrored to the backup system immediately. Recovery is transparent to users.
2. Business Analysis
- Perform Risk Analysis and Business Impact Analysis.
- Consider Alternative Business Continuity Strategies.
- Carry out Cost-Benefit Analysis and select a Strategy.
- Develop a Business Continuity Budget.
POP Zone
This area of the data center is sometimes referred to as the meet me room. It is typically the
area where the service provider enables access to their networks. This area contains many
routers and core switches.
Server Zone
This area of the data center provides the front-end connection to the servers. This area
contains many switches and servers. The protocols used to communicate in this area are
Gigabit and 10 Gigabit Ethernet.
Storage Zone
This area of the data center provides the back-end connection to data. This area contains many
types of storage devices. The protocols used to communicate in this area are Fibre Channel,
Ethernet and Small Computer System Interface (SCSI).
Scalability
A scalable network can expand quickly to support new users and applications without impacting
the performance of the service being delivered to existing users. Thousands of new users and
service providers connect to the Internet each week. The ability of the network to support
these new interconnections depends on a hierarchical layered design for the underlying
physical infrastructure and logical architecture. The operation at each layer enables users or
service providers to be inserted without causing disruption to the entire network. Technology
developments are constantly increasing the message carrying capabilities and performance of
the physical infrastructure components at every layer. These developments, along with new
methods to identify and locate individual users within an internetwork, are enabling the
Internet to keep pace with user demand.
Quality of Service
The Internet is currently providing an acceptable level of fault tolerance and scalability for its
users. But new applications available to users over internetworks create higher expectations for
the quality of the delivered services. Voice and live video transmissions require a level of
consistent quality and uninterrupted delivery that was not necessary for traditional computer
applications. Quality of these services is measured against the quality of experiencing the same
audio or video presentation in person. Traditional voice and video networks are designed to
support a single type of transmission, and are therefore able to produce an acceptable level of
quality. New requirements to support this quality of service over a converged network are
changing the way network architectures are designed and implemented.
Security
The Internet has evolved from a tightly controlled internetwork of educational and government
organizations to a widely accessible means for transmission of business and personal
communications. As a result, the security requirements of the network have changed. The
security and privacy expectations that result from the use of internetworks to exchange
confidential and business critical information exceed what the current architecture can deliver.
Rapid expansion in communication areas that were not served by traditional data networks is
increasing the need to embed security into the network architecture. As a result, much effort is
being devoted to this area of research and development. In the meantime, many tools and
procedures are being implemented to combat inherent security flaws in the network
architecture.
Branch equipment list (Description - Specification):
Branch Router - Cisco 1841/Cisco 892 Series Router with 8 Integrated Switch ports.
Branch Switch - Cisco 2960 Switch with Gigabit/Fiber Uplink.
Faceplate - Bold Port Numbering for Quick Identification of Outlets; Supports both T568A and
T568B Wiring Pattern; Easy Front & Back Access of Horizontal Cables, Re-terminable and no
Punch down Tool Required.
Items 6, 7 and 8 - Factory-Crimped; Factory-Crimped; Network Rack (the description cells for
these three rows were not recovered).
CHAPTER II
ENTERPRISE ROUTING AND PACKET FORWARDING
Static Routing with Failover
Routers forward packets using either route information from route table entries that you
manually configure or the route information that is calculated using dynamic routing
algorithms.
Static routes, which define explicit paths between two routers, cannot be automatically
updated; you must manually reconfigure static routes when network changes occur. Static
routes use less bandwidth than dynamic routes. No CPU cycles are used to calculate and
analyze routing updates.
You can supplement dynamic routes with static routes where appropriate. You can redistribute
static routes into dynamic routing algorithms but you cannot redistribute routing information
calculated by dynamic routing algorithms into the static routing table.
You should use static routes in environments where network traffic is predictable and where
the network design is simple. You should not use static routes in large, constantly changing
networks because static routes cannot react to network changes. Most networks use dynamic
routes to communicate between routers but might have one or two static routes configured for
special cases. Static routes are also useful for specifying a gateway of last resort (a default
router to which all unroutable packets are sent).
By default, static routes have an administrative distance of one, which gives them precedence
over routes from dynamic routing protocols. When you increase the administrative distance to
a value greater than that of a dynamic routing protocol, the static route can be a safety net in
the event that dynamic routing fails. For example, Enhanced Interior Gateway Routing Protocol
(EIGRP) routes have a default administrative distance of 90. In order to configure a static route
that is overridden by an EIGRP route, specify an administrative distance greater than 90 for the
static route.
Example of Static Routing with Failover
Router_Pokhara (config)#ip route 192.168.1.0 255.255.255.0 10.10.1.2 1
Router_Pokhara (config)#ip route 192.168.1.0 255.255.255.0 10.10.2.2 2
Jitter (directional)
Connectivity (directional)
In this article, the ICMP Echo operation will be used to measure end-to-end response time
between a Cisco router and a web server using IP. Response time is computed by measuring the
time taken between sending an ICMP Echo request message to the destination and receiving the
ICMP Echo reply.
Example
Suppose that the Ciscozine router has two different links, one is the main connection (red link)
and the other one (blue link) is the backup connection; the question is: how can I enable the
backup link if the main connection goes down? In general, the best solution for this scenario is
to use a dynamic routing protocol, but what can I do if I can't use one? The solution is IP
SLA.
1. Define the ip sla operation. The Ciscozine router will send an ICMP request to 172.16.255.2
(the Ciscozine default gateway) every 10 seconds with a timeout of 5000 ms and a threshold
value of 500 ms.
Ciscozine(config)#ip sla 1
Ciscozine(config-ip-sla)#icmp-echo 172.16.255.2 source-interface FastEthernet1/0
Ciscozine(config-ip-sla-echo)#timeout 5000
Ciscozine(config-ip-sla-echo)#frequency 10
Ciscozine(config-ip-sla-echo)#threshold 500
2. Start the ip sla. It is possible to schedule the SLA operation in different ways, but in this tutorial I
want to start the ip SLA operation immediately and forever. Notice that the 1 refers to the ip sla
1 command.
3. Track the state of IP SLA. Every IP SLAs operation maintains an operation return-code value.
This return code is interpreted by the tracking process. The return code may be OK, Over
Threshold, or one of several other values. Two aspects of an IP SLAs operation can be tracked:
state and reachability.
Tracking        Return Code                 Track State
State           OK                          Up
State           (all other return codes)    Down
Reachability    OK or over threshold        Up
Reachability    (all other return codes)    Down
In this case, it is preferable to track reachability, so the track state will go down only in
the case of an ICMP timeout.
4. Define the tracked route. At the end, I must delete the old default gateway entry, add the
default gateway with the track feature (notice that the number 10 represents the track object
defined in the previous step) and insert a second default route with a higher, and therefore less
preferred, administrative distance. Hence if the track status is down the last route will be used to
forward all the traffic (notice that the number 5 defines the administrative distance).
Ciscozine#
Ciscozine#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Ciscozine#
Ciscozine#
Ciscozine#show track
Track 10
IP SLA 1 reachability
Reachability is Up
12 changes, last change 00:33:48
Latest operation return code: OK
Latest RTT (millisecs) 24
Tracked by:
STATIC-IP-ROUTING 0
Ciscozine#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (195/200), round-trip min/avg/max = 20/66/248 ms
Ciscozine#
As you can see, when the cable is unplugged there are three different events:
1. there are some timeouts
2. the tracking state goes down (May 8 03:23:30.082: %TRACKING-5-STATE: 10 ip sla 1
reachability Up->Down)
3. the tracked route goes down and the backup default route (ip route 0.0.0.0 0.0.0.0
172.16.255.6 5) is installed.
So the output of the previous show commands will be:
The track object is down:
Ciscozine#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
Ciscozine#
Number of successes: 8
Number of failures: 3
Operation time to live: Forever
Ciscozine#
Ciscozine#show track
Track 10
IP SLA 1 reachability
Reachability is Down
13 changes, last change 00:00:22
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
Ciscozine#
Ciscozine#
As you can see, when the main line comes back up (the default gateway is again 172.16.255.2),
no packets are lost.
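The tracking table and the floating default route above, modelled as an added example (not code from the manual or from the Ciscozine article): it maps IP SLA return codes to track state, selects the installed default route by administrative distance, and replays constructed %TRACKING-5-STATE syslog lines to show the gateway switching to 172.16.255.6 and back. The tracked route's administrative distance of 1 is an assumption (the IOS default); the log excerpt is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog line emitted when a track object changes state (format as shown on the page).
TRACK_EVENT = re.compile(
    r"%TRACKING-5-STATE: (?P<track>\d+) ip sla (?P<sla>\d+) "
    r"(?P<mode>state|reachability) (?P<old>Up|Down)->(?P<new>Up|Down)"
)


def track_state(return_code: str, mode: str) -> str:
    """Track state derived from an IP SLA return code, following the tracking table."""
    if mode == "state":
        return "Up" if return_code == "OK" else "Down"
    if mode == "reachability":
        # Over threshold still counts as reachable; only timeouts and other failures bring it down.
        return "Up" if return_code in ("OK", "Over Threshold") else "Down"
    raise ValueError(f"unknown tracking mode: {mode}")


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int                 # administrative distance
    track: Optional[int] = None   # track object the route depends on, if any


def installed_route(routes: List[StaticRoute],
                    track_states: Dict[int, str]) -> Optional[StaticRoute]:
    """The route the RIB installs: lowest AD among routes whose track object (if any) is Up."""
    usable = [r for r in routes if r.track is None or track_states.get(r.track) == "Up"]
    return min(usable, key=lambda r: r.distance) if usable else None


def replay_track_events(log_lines: List[str], routes: List[StaticRoute],
                        initial: Dict[int, str]) -> List[str]:
    """Apply each %TRACKING-5-STATE event in order; record the default gateway in use after it."""
    states = dict(initial)
    gateways = []
    for line in log_lines:
        m = TRACK_EVENT.search(line)
        if not m:
            continue  # unrelated syslog line
        states[int(m["track"])] = m["new"]
        route = installed_route(routes, states)
        gateways.append(route.next_hop if route else "none")
    return gateways


# Routes from the page: the tracked default route (AD 1 assumed) and the AD 5 backup.
ROUTES = [
    StaticRoute("0.0.0.0/0", "172.16.255.2", 1, track=10),
    StaticRoute("0.0.0.0/0", "172.16.255.6", 5),
]

# Constructed syslog excerpt: the Up->Down line mirrors the page, the others are made up.
SAMPLE_LOG = [
    "May  8 03:23:30.082: %TRACKING-5-STATE: 10 ip sla 1 reachability Up->Down",
    "May  8 03:23:31.100: %SYS-5-CONFIG_I: Configured from console by console",
    "May  8 03:31:12.451: %TRACKING-5-STATE: 10 ip sla 1 reachability Down->Up",
]

if __name__ == "__main__":
    print(replay_track_events(SAMPLE_LOG, ROUTES, {10: "Up"}))
```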
References:
http://www.cisco.com//configuration/guide/swipsla.html
numbers. Prior to 2007, AS numbers were 16-bit numbers, ranging from 0 to 65535. Now 32-bit
AS numbers are assigned, increasing the number of available AS numbers to over 4 billion.
Based on the AS, routing protocols are classified into two types: Interior Gateway Protocols (IGP)
and Exterior Gateway Protocols (EGP).
IGP are used for intra-autonomous system routing - routing inside an autonomous system.
EGP are used for inter-autonomous system routing - routing between autonomous systems.
The second significant extension to the RIPv2 message format is the addition of the Next Hop
address. The Next Hop address is used to identify a better next-hop address - if one exists - than
the address of the sending router. If the field is set to all zeros (0.0.0.0), the address of the
sending router is the best next-hop address.
"RFC 1723: RIP Version 2," http://www.ietf.org/rfc/rfc1723.txt
EIGRP
Cisco developed the proprietary IGRP in 1985, in response to some of the limitations of RIPv1,
including the use of the hop count metric and the maximum network size of 15 hops.
Instead of hop count, both IGRP and EIGRP use metrics composed of bandwidth, delay,
reliability, and load. By default, both routing protocols use only bandwidth and delay. However,
because IGRP is a classful routing protocol that uses the Bellman-Ford algorithm and periodic
updates, its usefulness is limited in many of today's networks.
Therefore, Cisco enhanced IGRP with a new algorithm, DUAL and other features. The
commands for both IGRP and EIGRP are similar, and in many cases identical. This allows for
easy migration from IGRP to EIGRP. Cisco discontinued IGRP starting with IOS 12.2(13)T and
12.2(R1s4)S.
Diffusing Update Algorithm (DUAL) is the convergence algorithm used by EIGRP instead of the
Bellman-Ford or Ford Fulkerson algorithms used by other distance vector routing protocols, like
RIP. DUAL is based on research conducted at SRI International, using calculations that were first
proposed by E.W. Dijkstra and C.S. Scholten. The most prominent work with DUAL has been
done by J.J. Garcia-Luna-Aceves.
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that was developed as a
replacement for the distance vector routing protocol RIP. RIP was an acceptable routing
protocol in the early days of networking and the Internet, but its reliance on hop count as the
only measure for choosing the best route quickly became unacceptable in larger networks that
needed a more robust routing solution. OSPF is a classless routing protocol that uses the
concept of areas for scalability. RFC 2328 defines the OSPF metric as an arbitrary value called
cost. The Cisco IOS uses bandwidth as the OSPF cost metric.
The initial development of OSPF began in 1987 by the Internet Engineering Task Force (IETF)
OSPF Working Group. At that time the Internet was largely an academic and research network
funded by the U.S. government.
In 1989, the specification for OSPFv1 was published in RFC 1131. There were two
implementations written: one to run on routers and the other to run on UNIX workstations. The
latter implementation later became a widespread UNIX process known as GATED. OSPFv1 was
an experimental routing protocol and never deployed.
In 1991, OSPFv2 was introduced in RFC 1247 by John Moy. OSPFv2 offered significant technical
improvements over OSPFv1. At the same time, ISO was working on a link-state routing protocol
of their own, Intermediate System-to-Intermediate System (IS-IS). Not surprisingly, IETF chose
OSPF as their recommended IGP (Interior Gateway Protocol).
In 1998, the OSPFv2 specification was updated in RFC 2328 and is the current RFC for OSPF.
Each OSPF router maintains a link-state database containing the LSAs received from all other
routers. Once a router has received all of LSAs and built its local link-state database, OSPF uses
Dijkstra's shortest path first (SPF) algorithm to create an SPF tree. The SPF tree is then used to
populate the IP routing table with the best paths to each network.
iBGP Configuration (Both Routers should be in same AS. Assume AS of Both Routers = 400)
R1-AGS
R1-AGS(config) # router bgp 400
R1-AGS(config) # neighbor 10.10.10.2 remote-as 400
R6-2500
R6-2500(config) # router bgp 400
R6-2500(config) # neighbor 10.10.10.1 remote-as 400
eBGP Configuration (Assume Router R1-AGS is in AS 300 and Router R6-2500 is in AS 400)
R1-AGS
R1-AGS (config) # router bgp 300
R1-AGS (config) # neighbor 10.10.10.2 remote-as 400
R6-2500
R6-2500 (config) # router bgp 400
R6-2500 (config)# neighbor 10.10.10.1 remote-as 300
EIGRP router redistributing static, Open Shortest Path First (OSPF), RIP, and Intermediate
System-to-Intermediate System (IS-IS) routes.
router eigrp 100
network 131.108.0.0
redistribute static
redistribute ospf 1
redistribute rip
redistribute isis
default-metric 10000 100 255 1 1500
EIGRP needs five metric values when redistributing other protocols: bandwidth, delay, reliability, load
and MTU, in that order.
RIP router redistributing static, IGRP, EIGRP, OSPF, and IS-IS routes.
router rip
version 2
network 131.108.0.0
redistribute static
redistribute igrp 1
redistribute eigrp 1
redistribute ospf 1
redistribute isis
default-metric 1
The unfriendly party could analyze the diverted traffic to learn confidential information about
your organization or merely use it to disrupt your organization's ability to communicate
effectively using the network. Routing protocol authentication prevents your router from accepting
any such fraudulent routing updates.
MD5 authentication works much like plain text authentication, except that MD5 never sends
the key over the wire. Instead, the router uses the MD5 algorithm to produce a message digest
of the key (also called a hash). The router sends the message digest instead of the key itself,
which ensures that no one can eavesdrop on the line and learn keys during transmission.
OSPF Authentication
interface fa 0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO
EIGRP Authentication
key chain eigrpchain
key 1
key-string CISCO
int fa 0/1
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrpchain
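The keyed digest that the OSPF and EIGRP commands above enable, as an added example (not code from the manual or from Cisco IOS), modelled after the RFC 2328 Appendix D construction: MD5 is computed over the packet followed by the 16-byte padded key, the digest is appended as a trailer, and the receiver recomputes it, so the key never appears on the wire and a modified packet fails the check. The packet body is constructed; the key CISCO is the one used in the page's configuration.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16  # RFC 2328 Appendix D: the key is 16 bytes; shorter keys are zero-padded


def pad_key(key: str) -> bytes:
    raw = key.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """Digest over packet || padded key. Only the digest, never the key, is transmitted."""
    return hashlib.md5(packet + pad_key(key)).digest()


def build_auth_header(key_id: int, seq: int) -> bytes:
    """64-bit OSPF authentication field for AuType 2: reserved, key ID, auth data length, sequence number."""
    return struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)


def sign_packet(body: bytes, key_id: int, seq: int, key: str) -> bytes:
    """Build a simplified packet (auth field + body) and append the digest as the trailer."""
    packet = build_auth_header(key_id, seq) + body
    return packet + ospf_md5_digest(packet, key)


def verify_packet(wire: bytes, keys: dict) -> bool:
    """Receiver side: look up the key by ID, recompute the digest, compare in constant time."""
    if len(wire) < 8 + KEY_LEN:
        return False
    packet, received_digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", packet[:8])
    if auth_len != KEY_LEN or key_id not in keys:
        return False
    expected = ospf_md5_digest(packet, keys[key_id])
    return hmac.compare_digest(expected, received_digest)


# Constructed sample: a stand-in for an OSPF Hello body; key ID 1 is "CISCO" as in the page's config.
KEYS = {1: "CISCO"}
HELLO_BODY = b"\x02\x01\x00\x2c" + b"\x0a\x00\x00\x01" + b"\x00\x00\x00\x00"


def demo() -> dict:
    """Show an authentic packet passing and a tampered packet, wrong key and unknown key ID failing."""
    wire = sign_packet(HELLO_BODY, key_id=1, seq=1, key="CISCO")
    tampered = wire[:12] + bytes([wire[12] ^ 0x01]) + wire[13:]  # flip one bit in the body
    return {
        "valid": verify_packet(wire, KEYS),
        "tampered": verify_packet(tampered, KEYS),
        "wrong_key": verify_packet(wire, {1: "cisco"}),
        "unknown_key_id": verify_packet(sign_packet(HELLO_BODY, 2, 1, "CISCO"), KEYS),
    }


if __name__ == "__main__":
    print(demo())
```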
CHAPTER III
ENTERPRISE LAN SWITCHING AND LOAD BALANCING PROTOCOLS
VLAN ID Ranges
Access VLANs are divided into either a normal range or an extended range.
Verify VLAN
VTP
VTP allows a network manager to configure a switch so that it will propagate VLAN
configurations to other switches in the network. The switch can be configured in the role of a
VTP server or a VTP client. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005).
Extended-range VLANs (IDs greater than 1005) are not supported by VTP.
VTP allows a network manager to make changes on a switch that is configured as a VTP server.
Basically, the VTP server distributes and synchronizes VLAN information to VTP-enabled
switches throughout the switched network, which minimizes the problems caused by incorrect
configurations and configuration inconsistencies. VTP stores VLAN configurations in the VLAN
database, a file called vlan.dat.
VTP Components
There are number of key components that you need to be familiar with when learning about
VTP. Here is a brief description of the components, which will be further explained as you go
through the chapter.
VTP Domain-Consists of one or more interconnected switches. All switches in a domain share
VLAN configuration details using VTP advertisements. A router or Layer 3 switch defines the
boundary of each domain.
Port Security
Port security allows an administrator to statically specify MAC addresses for a port or to permit
the switch to dynamically learn a limited number of MAC addresses. By limiting the number of
permitted MAC addresses on a port to one, port security can be used to control unauthorized
expansion of the network.
When MAC addresses are assigned to a secure port, the port does not forward frames with
source MAC addresses outside the group of defined addresses. When a port configured with
port security receives a frame, the source MAC address of the frame is compared to the list of
secure source addresses that were manually configured or auto configured (learned) on the
port. If a MAC address of a device attached to the port differs from the list of secure addresses,
the port either shuts down until it is administratively enabled (default mode) or drops incoming
frames from the insecure host (restrict option). The behavior of the port depends on how it is
configured to respond to a security violator.
It is recommended that an administrator configure the port security feature to issue a
shutdown rather than dropping frames from insecure hosts with the restrict option. The restrict
option might fail under the load of an attack.
To configure a GLBP router's priority to 150 and enable preempt (preemption is not enabled by
default):
Switch(config)# int fa0/10
Switch(config-if)# glbp 1 priority 150
Switch(config-if)# glbp 1 preempt
To track an interface, so that the router's weight is reduced if that interface fails:
Switch(config)# track 10 interface fa0/12
Switch(config-if)# glbp 1 weighting track 10 decrement 50
The first command creates track object 10, which tracks interface fa0/12. The second
command assigns that track object to GLBP group 1 and will decrease this router's weight by 50
if interface fa0/12 fails. Another router cannot take over as AVF unless it is configured to
preempt.
CHAPTER IV
ENTERPRISE INFORMATION SECURITY
In the simplest sense, a VPN connects two endpoints over a public network to form a logical
connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model.
VPN technologies can be classified broadly on these logical connection models as Layer 2 VPNs
or Layer 3 VPNs. Establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the
same. A delivery header is added in front of the payload to get it to the destination site. This
chapter focuses on Layer 3 VPN technology.
Common examples of Layer 3 VPNs are GRE, MPLS, and IPsec. Layer 3 VPNs can be point-to-point
site connections such as GRE and IPsec, or they can establish any-to-any connectivity to
many sites using MPLS.
Generic routing encapsulation (GRE) was originally developed by Cisco and later standardized as
RFC 1701. An IP delivery header for GRE is defined in RFC 1702. A GRE tunnel between two sites
that have IP reachability can be described as a VPN, because the private data between the sites
is encapsulated in a GRE delivery header.
Pioneered by Cisco, MPLS was originally known as tag switching and later standardized via the
IETF as MPLS. Service providers are increasingly deploying MPLS to offer MPLS VPN services to
customers. MPLS VPNs use labels to encapsulate the original data, or payload, to form a VPN.
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
2. Define the tunnel source and destination under each tunnel interface.
The router uses its local interface that connects to the Internet as its tunnel source. The tunnel
destination corresponds to the remote router's publicly routable IP address.
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source FastEthernet0/0
tunnel destination 204.20.20.2
Note that the tunnel source and destination can both be IP addresses. For example, tunnel
source 201.20.20.1 could have been used instead of tunnel source FastEthernet0/0.
3. Testing Connectivity
The configuration above is from the perspective of RouterA. The same configuration template
would need to be applied to RouterB for the tunnel to begin passing traffic (with
source/destination IPs swapped of course).
Now that both endpoint routers have been configured, they should be reachable via pings.
ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
4. Add Routes to Remote Networks
This confirms that we can pass traffic inside the GRE tunnel, but hosts on the Branch LAN
networks will not be able to send packets to each other without some routes added. We can
use a simple static route for this purpose.
RouterA (config)# ip route 10.0.20.0 255.255.255.0 172.16.1.2
RouterB (config)# ip route 10.0.10.0 255.255.255.0 172.16.1.1
Now when RouterA receives a packet destined for the East Branch LAN (10.0.20.0/24), it knows
its next-hop interface is the tunnel endpoint, so it will forward the packet through the GRE
tunnel.
That's it for the GRE tunnel configuration. Now on to adding IPsec.
ip virtual-reassembly
!
interface Loopback1
description loopback for IPsec-pool
ip address 1.1.1.11 255.255.255.255
!
interface FastEthernet0/0
ip address 47.47.47.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
!
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip route 0.0.0.0 0.0.0.0 47.47.47.1
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
deny ip 192.168.47.0 0.0.0.255 1.1.1.0 0.0.0.255
9. In the Security tab, make sure the type of VPN is L2TP/IPsec. Then click on Advanced
settings and add the pre-shared key:
10. Then select "Allow these protocols" and make sure MS-CHAP v2 is selected:
11. To connect, left click on the network icon in the task bar:
12. You will see the following, type in your user name and
Cryptographic Systems
The first goal for network administrators is to secure the network infrastructure, including
routers, switches, servers, and hosts. This is accomplished using hardening, AAA access control,
ACLs, firewalls, and monitoring threats using IPS.
The next goal is to secure the data as it travels across various links. This may include internal
traffic, but of greater concern is protecting the data that travels outside of the organization to
branch sites, telecommuter sites, and partner sites.
Secure communications involves a few primary tasks:
Authentication - Guarantees that the message is not a forgery and does actually come from
who it states it comes from.
Integrity - Similar to a checksum function in a frame, guarantees that no one intercepted the
message and altered it.
Confidentiality - Guarantees that if the message is captured, it cannot be deciphered.
Page No 71
Authentication
Authentication guarantees that a message comes from the source that it claims to come from.
Authentication is similar to entering a secure personal information number (PIN) for banking at
an ATM. The PIN should only be known to the user and the financial institution. The PIN is a
shared secret that helps protect against forgeries.
Authentication can be accomplished with cryptographic methods. This is especially important
for applications or protocols, such as email or IP, that do not have built-in mechanisms to
prevent spoofing of the source.
Data nonrepudiation is a similar service that allows the sender of a message to be uniquely
identified. With nonrepudiation services in place, a sender cannot deny having been the source
of that message. It might appear that the authenticity service and the nonrepudiation service
are fulfilling the same function. Although both address the question of the proven identity of
the sender, there is a difference between the two.
The most important part of nonrepudiation is that a device cannot repudiate, or refute, the
validity of a message sent. Nonrepudiation relies on the fact that only the sender has the
unique characteristics or signature for how that message is treated. Not even the receiving
device can know how the sender treated this message to prove authenticity, because the
receiver could then pretend to be the source.
Integrity
Data integrity ensures that messages are not altered in transit. With data integrity, the receiver
can verify that the received message is identical to the sent message and that no manipulation
occurred.
European nobility ensured the data integrity of documents by creating a wax seal to close an
envelope. The seal was often created using a signet ring. These bore the family crest, initials, a
portrait, or a personal symbol or motto of the owner of the signet ring. An unbroken seal on an
envelope guaranteed the integrity of its contents. It also guaranteed authenticity based on the
unique signet ring impression.
Confidentiality
Data confidentiality ensures privacy so that only the receiver can read the message. Encryption
is the process of scrambling data so that it cannot be read by unauthorized parties.
When enabling encryption, readable data is called plaintext, or cleartext, while the encrypted
version is called ciphertext. The plaintext readable message is converted to ciphertext, which is
the unreadable, disguised message. Decryption reverses the process. A key is required to
encrypt and decrypt a message. The key is the link between the plaintext and ciphertext.