
OSI Model

Protocol Numbers
Port Numbers
Repeater
Hub
L2 Switch
L3 Switch
Router
Differences Between

Switching Modes

VLAN
Management VLAN
DTP
VTP
Etherchannel
STP
FHRP

RIP v1 & v2
EIGRP
OSPF
BGP

The Routing Table


Classful vs. Classless Routing
Static vs. Dynamic Routing
Route Filtering and Route-Maps
IPv4 Protocol Numbers

ACL
NAT
DHCP
DNS
FTP
SMTP
Syslog
HTTP
Telnet
SSH
Ping Process
Trace route Process
Router Password Recovery
Switch Password Recovery

TCP

UDP

ASA
Checkpoint

Palo Alto

F5
Layer 7 – Application layer
- This is the closest layer to the end user.
- It provides the interface between the user application and the network.
- The applications themselves (a web browser such as IE, Firefox or Opera) do not belong to the Application layer; the protocols they speak do.
- Telnet, FTP, HTTP and SMTP are examples of Application layer protocols.

Layer 6 – Presentation layer

It is responsible for defining a standard format for the data; encryption and compression are also placed here.
It acts as the translator of the network. For example, when you send an email the
Presentation layer formats your data into the email format, and when you send
photos it formats them as GIF, JPG or PNG.

Layer 5 – Session layer

It is responsible for establishing, maintaining, and ultimately terminating sessions
between devices. If a session is broken, this layer can attempt to recover the
session.
Session communication falls under one of three categories:
- Full-Duplex – simultaneous two-way communication
- Half-Duplex – two-way communication, but not simultaneous
- Simplex – one-way communication

Layer 4 – Transport layer

It is responsible for end-to-end transfer of data; for connection-oriented transport it
also ensures that data arrives error-free and in order.
It falls under two categories:
- Connection-oriented – a connection (for TCP, the three-way handshake) is set up before any data is sent
- Connectionless – no connection is set up; each datagram is sent on its own
The two main Transport layer protocols are:
- Transmission Control Protocol (TCP) – connection-oriented
- User Datagram Protocol (UDP) – connectionless

UDP is fast; TCP is more reliable, but slower because of connection setup,
acknowledgements and retransmissions.

Applications that need speed and can tolerate some packet loss use UDP.
Applications that do not need speed and cannot tolerate loss use TCP.

Well-known ports:
TCP:      FTP 20/21, SSH 22, Telnet 23, SMTP 25, HTTP 80, POP3 110, BGP 179, HTTPS 443
UDP:      DHCP 67/68, TFTP 69, NTP 123, RIP 520
TCP/UDP:  DNS 53, SNMP 161/162, LDAP 389
Layer 3 – Network layer
This layer provides logical addresses which routers use to determine the path
to the destination.
- Logical addressing – provides a unique address that identifies both the
host and the network that host exists on.
- Routing – determines the best path to a particular destination network,
and then forwards data accordingly.

Layer 2 – Data Link Layer

It is responsible for transporting data within a single network segment.
The Data Link layer formats the message into a data frame and adds a header
containing the hardware (MAC) destination and source addresses. This header
identifies the next device that should receive the frame on the local network.
It consists of two sublayers:
- Logical Link Control (LLC) sublayer
- Media Access Control (MAC) sublayer

It packages the higher-layer data into frames so that the data can be put onto the
physical wire. This packaging process is referred to as framing or encapsulation.
- Ethernet – the most common LAN data-link technology

Layer 1 – Physical layer

It controls the signaling and transfer of raw bits onto the physical medium.
The Physical layer is closely related to the Data Link layer, as many technologies
(such as Ethernet) contain both data-link and physical functions.
The Physical layer provides specifications for a variety of hardware:
- Cabling
- Connectors and transceivers
- Network interface cards (NICs)
- Hubs

Collision Domain
- It is the part of a network where frame collisions can occur.
- In a half-duplex Ethernet network, a collision occurs when two devices
send a frame at the same time.
- Collisions are common in a hub environment, because every port on a hub is in
the same collision domain.

Broadcast Domain
- A broadcast domain is the area within which a broadcast is forwarded.
- A broadcast domain contains all devices that can reach each other at the
Data Link layer (OSI Layer 2) by using a broadcast.
- All ports on a hub, or on a switch with a single VLAN, are by default in the same broadcast domain.
Each port on a router is in a different broadcast domain, and routers
don't forward broadcasts from one broadcast domain to another.

Repeater
- It is used to regenerate the signal
- When a signal travels over a long distance its clarity degrades, so a repeater
regenerates the signal and lets it travel further
- No memory
- Typically only 2 ports

Hub
- It is a Physical layer (Layer 1) device
- It is used to connect devices in a LAN
- Half-duplex device
- When a frame is received, it is repeated out of all other ports
- It does not inspect the frame before forwarding
- 1 collision domain and 1 broadcast domain

Bridge
- It is a Layer 2 device
- Traditionally software-based, with a small number of ports
- Frames are forwarded based on the destination Layer 2 MAC address
- Frame forwarding method is store-and-forward
- Multiple collision domains and 1 broadcast domain

Switch
- It is a Layer 2 device
- It is used to connect devices in the same LAN
- Full-duplex capable (each port is its own collision domain)
- MAC address learning and frame forwarding are done in hardware (ASIC)
- Frames are forwarded based on the destination Layer 2 MAC address
- It uses a CAM/MAC address table to forward frames
- Frame forwarding methods are store-and-forward, cut-through and fragment-free
- Multiple collision domains and 1 broadcast domain (per VLAN)

Router
- It is a Layer 3 device
- It connects 2 or more different networks and forwards packets from one
network to another
- Full duplex
- Packets are forwarded based on the destination Layer 3 IP address
- It does not forward broadcasts; each interface ends a broadcast domain
- Multiple collision domains and multiple broadcast domains

ASIC
Application Specific Integrated Circuit
A switch is a Layer 2 device that makes a decision based on the Layer 2 destination
MAC address. As the number of switch ports increases, a general-purpose CPU
running a software forwarding path can't keep up. An ASIC is a purpose-built chip
that makes switching decisions very quickly, rather than a general-purpose CPU. This
is similar to a high-end graphics card that has a special processor for graphics
processing which wouldn't be good for general applications.

Difference between Layer 2 and Layer 3 devices?

Switching operates at Layer 2 of the OSI model, where frames are sent to a
specific switch port based on the destination MAC address. Routing operates at
Layer 3, where packets are sent to a specific next-hop IP address, based on the
destination IP address.

When a router gets a packet, it decides on the basis of

1. Longest prefix match
2. Administrative Distance
3. Metric value

Administrative Distance (AD) is the believability of the route source (routing protocol); a lower AD is preferred.
A lower metric value is preferred.
AD and metric decide which route for a given prefix is installed in the routing table
(lower AD first, then lower metric among routes from the same source). Longest prefix match then decides which installed route
forwards a given packet: a more specific route always wins over a less specific one,
even if it came from a source with a higher AD.
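The decision above, as an added Python example that is not part of the original notes. It models the two steps separately: `install_routes` keeps one route per prefix (lowest AD, then lowest metric) and `lookup` forwards by longest prefix match, with 0.0.0.0/0 as the gateway of last resort. The prefixes, metrics and next hops are constructed sample data; the AD values are the Cisco IOS defaults.

```python
# Added example (not from the original notes): route installation (lowest AD,
# then lowest metric, per prefix) followed by longest-prefix-match forwarding.
# Prefixes, metrics and next hops below are constructed sample data.
import ipaddress

# Default administrative distances as used by Cisco IOS.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


def install_routes(candidates):
    """Keep one route per prefix: lowest AD wins, then lowest metric."""
    table = {}
    for prefix, source, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        key = (AD[source], metric)
        current = table.get(net)
        if current is None or key < (AD[current["source"]], current["metric"]):
            table[net] = {"source": source, "metric": metric, "next_hop": next_hop}
    return table


def lookup(table, dst):
    """Longest prefix match over the installed routes. 0.0.0.0/0 matches
    everything but has length 0, so it only wins when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, route in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best  # None: no route at all, the packet is dropped


# Constructed candidate routes, as several protocols might offer them.
CANDIDATES = [
    ("10.0.0.0/8",  "rip",    3,  "192.0.2.1"),
    ("10.0.0.0/8",  "ospf",   20, "192.0.2.2"),    # wins for 10/8: AD 110 < 120
    ("10.1.0.0/16", "eigrp",  40, "192.0.2.3"),
    ("10.1.0.0/16", "eigrp",  30, "192.0.2.4"),    # wins for 10.1/16: lower metric
    ("10.1.2.0/24", "static", 0,  "192.0.2.5"),
    ("0.0.0.0/0",   "static", 0,  "192.0.2.254"),  # gateway of last resort
]
TABLE = install_routes(CANDIDATES)


def next_hop_for(dst, table=TABLE):
    """(matched prefix, next hop) for a destination, or None if it is dropped."""
    hit = lookup(table, dst)
    return None if hit is None else (str(hit[0]), hit[1]["next_hop"])


if __name__ == "__main__":
    for dst in ("10.1.2.9", "10.1.9.9", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```

`next_hop_for("10.1.2.9")` picks the static /24 even though an EIGRP /16 and an OSPF /8 also match, and the RIP /8 never reaches the table at all because OSPF offered the same prefix with a lower AD. Re-running `install_routes` without the 0.0.0.0/0 entry makes `next_hop_for("8.8.8.8")` return None, which is the drop case.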

How does a router build the routing table for the first time?
The router builds the routing table from its interfaces that have an IP address and
are up/up (line protocol up). Each such interface produces a connected route (AD 0).

What happens when a switch receives a frame?

It looks up the source MAC address in the CAM table; if it is not there, it adds the
address against the ingress port (learning). It then looks up the destination MAC
address: if it is found, the frame is forwarded out of that port only (or dropped if
that port is the ingress port); if it is not found, or the destination is a broadcast
or unknown multicast, the frame is flooded out of all other ports in the same VLAN.
When the destination host replies, its source MAC is learned from the reply and the
CAM table is updated with the corresponding port.

What happens when a router receives a packet?
It strips the Layer 2 header, checks the destination IP address and looks for the
longest matching prefix in the routing table. If a route matches, it decrements the
TTL, builds a new Layer 2 header with its own exit-interface MAC address as the
source and the next hop's MAC address (resolved with ARP) as the destination, and
forwards the packet out of that interface.
If no route matches and there is no default route, it drops the packet and sends an
ICMP destination unreachable back to the source.

Static Route: It is a route that is manually configured in the routing table by the
administrator.

Default Route: Used when the router has no more specific route for the destination
IP address. If nothing else matches, this route is used; it is also called the Gateway of
Last Resort.

Default gateway: A gateway is the entrance point to another network. A default
gateway is the address to which a host sends packets when there is no specific route
for a given destination in its routing table.

A router follows 3 generic steps before it routes the packet:

- Routing (route lookup)
- Forwarding (switching the packet to the exit interface)
- Encapsulation (new Layer 2 header for the exit interface)

NIC (Network Interface Controller) Address

- Physical Address
- Logical Address

Physical Address                          Logical Address
- Media Access Control (MAC)              - Internet Protocol (IP)
- Layer 2 address                         - Layer 3 address
- 48-bit, written in hexadecimal          - 32-bit (IPv4), written in dotted decimal

MAC Address
- It allows devices to uniquely identify themselves on a network
- The first 24 bits of a MAC address are the OUI (Organizationally Unique Identifier), assigned to the vendor; the vendor assigns the last 24 bits

System Communication
- Simplex
- Half-Duplex
- Full-Duplex

Simplex
- One device can only send data and the other device can only receive data
Ex: Radio, Pager

Half-Duplex
- Two-way communication, but not at the same time
- At any one time a device can either send or receive data
- Collisions can happen
Ex: Hub, walkie-talkie

Full-Duplex
- Two-way communication at the same time
- Both devices can send and receive data at the same time
Ex: Telephone

HTTP                                        HTTPS
Uses port 80                                Uses port 443
Unsecured: data travels in clear text       Secured: HTTP carried inside a TLS (formerly SSL) session
No encryption                               Encrypted
No certificate required                     Server certificate required; it authenticates the server to the client, and a client that skips that check can be intercepted by a man-in-the-middle even though the traffic is encrypted

RIPv1                                                          RIPv2
Classful: updates carry no subnet mask                         Classless: updates carry the subnet mask (subnetting/VLSM and CIDR)
Requires contiguous networks (auto-summary at classful         Supports discontiguous networks (auto-summary can be disabled)
boundaries)
Doesn't support triggered updates                              Supports triggered updates
Sends updates as broadcast to 255.255.255.255                  Sends updates as multicast to 224.0.0.9
Doesn't support VLSM                                           Supports VLSM
No authentication of updates                                   Supports plaintext and MD5 authentication of updates

Version behaviour on a Cisco router:
- Default (no version configured): sends only v1 updates, but accepts both v1 and v2 updates
- With version 1 explicitly configured: sends and receives v1 updates only
- With version 2 configured: sends and receives v2 updates only

OSPF                                                           EIGRP
Open Shortest Path First                                       Enhanced Interior Gateway Routing Protocol
Load balances only over equal-cost paths                       Can load balance over unequal-cost paths (variance)
Pure link-state protocol                                       Advanced distance-vector protocol that shows some link-state
                                                               characteristics (hybrid)
Open standard, works in multi-vendor networks                  Cisco proprietary for most of its life (published later as an
                                                               informational RFC); maximum hop count 255
Metric is cost, derived from interface bandwidth               Metric is calculated from bandwidth and delay by default; load
                                                               and reliability can be included
Scales to large, hierarchical (area-based) networks            Converges very quickly when a feasible successor (backup route)
                                                               is already known; not widely used outside Cisco networks

Main Mode                                                      Aggressive Mode
6 messages are exchanged                                       3 messages are exchanged
Negotiates the SA parameters first, before authenticating,     Identity and authentication data are sent in the first
so the identities of the two peers are protected during        messages, before any protected channel exists, so the peer
the negotiation                                                identities are not protected
Slower, because of the extra exchanges                         Faster to negotiate
Main mode is the default on Cisco routers                      Aggressive mode is enabled by default on the ASA (it can be
                                                               turned off)

The practical weakness is aggressive mode with a pre-shared key: the authentication
hash travels in the clear during the exchange, so anyone who can capture the three
messages can run an offline dictionary attack against the PSK. Prefer main mode (or
IKEv2); where aggressive mode cannot be avoided, use long random PSKs or certificates.

Tunnel Mode                                                    Transport Mode
Protects the original source and destination addresses         The original IP header stays visible, because only the
by encapsulating the whole original packet inside ESP          payload above the IP header is encapsulated
IPsec tunnel mode is the default mode on Cisco devices
The entire original IP packet is protected: IPsec wraps
the original packet, encrypts it, adds a new IP header
and sends it to the other side of the VPN tunnel (the
IPsec peer)
Used to secure gateway-to-gateway (site-to-site) traffic       Used to secure host-to-host traffic

IPsec                                                          SSL/TLS
Works at Layer 3 (Network layer) of the OSI model              Usually described as Layer 7 (Application layer); in practice it
                                                               sits above TCP, between the Transport layer and the application
Because it works at the Network layer, it secures all IP       Used for secure web-based (and other application-level)
traffic between the peers, whatever the application            communication over the Internet
Defines how to provide data integrity, authenticity and        Uses encryption and authentication to keep communications
confidentiality over an insecure network like the Internet     private between two endpoints, typically a web server and a
                                                               user machine
Achieves this through tunneling, encryption and                Like IPsec, provides a configurable level of security; unlike
authentication                                                 IPsec, it secures one application (connection) at a time, and
                                                               each application is commonly supported via the web browser

TCP                                                            UDP
Connection-oriented                                            Connectionless
Uses a three-way handshake to establish the connection:        No three-way handshake
SYN, SYN+ACK, ACK

VLAN                                                           VPN
A group of switch ports (and the hosts behind them) that       A Virtual Private Network is a secured means of connecting
share one broadcast domain, so the hosts in that VLAN can      to a private network through a public network that is not
talk to each other directly at Layer 2                         itself trusted
Used to keep a set of hosts apart from the rest of the         Used for remote access to a company network, or to join two
network: hosts outside the VLAN cannot reach it directly       sites over the Internet
and must pass through a router or Layer 3 switch, where an
ACL (access control list) can be applied
Groups workstations into the same broadcast domain even        Creates a secured tunnel for safe data transmission
when they are not in the same location
Provides segmentation, not confidentiality: traffic inside     Provides confidentiality and integrity: traffic is encrypted
a VLAN is not encrypted                                        and authenticated so that it can cross an unsecured environment
Switching Modes
1. Store and Forward Switching
2. Cut-through Switching
3. Fragment-Free Switching

1. Store and Forward Switching

The switch copies each complete frame into its memory and runs a Cyclic
Redundancy Check (CRC) for errors. If an error is found the frame is dropped;
if there is no error the switch forwards the frame to the destination port. Store-
and-forward adds latency, since the whole frame must be received and the CRC
calculated before forwarding starts.

2. Cut-through Switching
The switch reads only the destination MAC address (the first 6 bytes of the
frame) before making the switching decision. It reduces delay because the
switch starts to forward the frame as soon as it has read the destination MAC
address and determined the outgoing port. The switch may forward corrupted
frames, since the CRC is never checked.

3. Fragment-Free Switching
A switch operating in fragment-free mode reads at least the first 64 bytes of the
Ethernet frame before switching it, to avoid forwarding runt frames (frames
smaller than 64 bytes, usually the remains of a collision).

Switching Functions
1. Learning
2. Aging
3. Flooding
4. Filtering
5. Forwarding

VLAN
- It is used to divide a single broadcast domain into multiple broadcast
domains
- By default all ports of the switch are in VLAN 1
- It provides Layer 2 segmentation (traffic between VLANs has to be routed)

2 Types of VLAN Configuration

- Static VLAN
- Dynamic VLAN
Static VLAN
- Static VLANs are based on port numbers
- The administrator manually assigns a switch port to a VLAN
- Also called port-based VLANs
- An access port is a member of only one data VLAN (plus, optionally, a voice VLAN)

Dynamic VLAN
- The switch assigns the port to a VLAN automatically, based on the MAC address of the connected device
- A port can end up in different VLANs depending on which host is connected
- VMPS (VLAN Membership Policy Server) software is needed

Advantages of VLAN
- Broadcast control: flooding of a frame is limited to the switch ports that
belong to the VLAN.
- Smaller broadcast domains: VLANs increase the number of broadcast
domains while reducing their size.
- Layer 2 segmentation: VLANs let you separate groups of ports and users. Traffic
between VLANs must go through a router or Layer 3 switch, where ACLs control
which resources users can reach. A VLAN by itself is not a security boundary:
trunk negotiation (DTP) and native VLAN handling, covered below, both have to be
locked down.
- Cost: dividing a large network into smaller VLANs is cheaper than building a
routed network with routers, because routers normally cost more than
switches.

VLAN Frame tagging

- VLAN tagging is the technique of inserting a VLAN ID into the Ethernet frame header
on a trunk, so that the receiving switch knows which VLAN the frame belongs to.

Native VLAN
- It is the untagged VLAN on an 802.1Q trunk port: frames belonging to the native VLAN are sent without a tag.
- If a switch receives an untagged frame on a trunk, it is placed into the native VLAN
- By default the native VLAN is 1
- Both sides of a trunk link must be configured with the same native VLAN; a mismatch silently merges two VLANs
- Because untagged frames land in the native VLAN, an attacker on an access port in the native VLAN can reach another VLAN with a double-tagged frame: the outer tag carries the native VLAN, which the first switch strips before forwarding on the trunk, and the inner tag carries the target VLAN, which the next switch honours. Set the native VLAN to an unused VLAN ID and, where the platform supports it, tag the native VLAN on trunks.

Switch-Port Security
- Port security adds an additional layer of security in a LAN.
- It is used to secure a switch port by limiting which, and how many, MAC addresses may use it.
- It is necessary because otherwise anyone can reach network resources by
simply plugging a host into one of the available switch ports, and a host can flood
the CAM table with bogus source MACs until the switch floods all traffic like a hub.

Enabling Port Security

Port security can be enabled with default parameters by issuing a single command
on an interface. The interface must first be set to access mode (switchport mode
access, see the Switchport Modes section below) or to a static trunk; on a port in
dynamic (DTP) mode the command is rejected:
# interface f0/13
# switchport port-security

Switchport port-security violation

Shutdown (default): The interface is placed into the error-disabled state, blocking
all traffic until it is manually re-enabled (or errdisable recovery brings it back).
Protect: Frames from MAC addresses other than the allowed addresses are
dropped silently; traffic from allowed addresses passes normally. No log message,
no violation counter.
Restrict: Like protect mode, but generates a syslog message and increments the
violation counter.

Maximum MAC Addresses

By default, port security limits the number of secure MAC addresses on the port to
one. This can be modified, for example, to accommodate both a host and an IP phone
connected in series on a switch port:
# switchport port-security maximum 2

MAC Address Learning

An administrator has the option of statically configuring allowed MAC addresses
per interface. MAC addresses can optionally be configured per VLAN (access or
voice).
#switchport port-security mac-address 001b.d41b.a4d8

This command lets the port learn the MAC address dynamically and then writes the
learned address into the running configuration as a static secure MAC address
associated with the port (save the configuration to keep it across a reload):
# switchport port-security mac-address sticky

MAC Address Aging

By default, secure MAC addresses do not age out. Aging can be configured so that
the addresses expire after a certain amount of time (absolute) or after a period
without traffic from that address (inactivity). This allows a new host to take the
place of one which has been removed:
#switchport port-security aging time 5
#switchport port-security aging type inactivity
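The learning, forwarding and flooding steps from the "What happens when a switch receives a frame" section and the port-security maximum and violation modes above, combined in one added Python model that is not from the original notes (a real switch does all of this in the ASIC). Port names, MAC addresses and the scenario are constructed for the example; the syslog-style strings only imitate IOS messages and are not the exact texts.

```python
# Added example (not from the original notes): what a switch does with a frame
# (learn, forward, filter or flood) with port security layered on top. Port
# names, MACs and the log texts are constructed; the log strings merely
# imitate IOS messages.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    secure: bool = False          # switchport port-security
    maximum: int = 1              # switchport port-security maximum N
    violation: str = "shutdown"   # shutdown (default) | protect | restrict
    sticky: bool = False          # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}    # MAC -> port name
        self.log = []    # syslog-style messages

    def _port_security_permits(self, port, src):
        if not port.secure or src in port.secure_macs:
            return True
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.append(src)          # learned as a secure address
            return True
        if port.violation == "shutdown":          # err-disable the whole port
            port.violations += 1
            port.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {port.name} ({src})")
        elif port.violation == "restrict":        # drop, log and count
            port.violations += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src} on {port.name}")
        return False                              # protect: drop silently

    def receive(self, in_port, src, dst):
        """Return the egress port list for a frame (empty list = dropped)."""
        port = self.ports[in_port]
        if port.err_disabled or not self._port_security_permits(port, src):
            return []
        self.cam[src] = in_port                                # learning
        if dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]             # filtering / forwarding
        return [p for p in self.ports if p != in_port]         # flooding (unknown/broadcast)

    def sticky_config(self, name):
        """Lines a sticky port writes into the running configuration."""
        port = self.ports[name]
        if not port.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in port.secure_macs]


def run_scenario(violation="restrict"):
    """Fa0/13 allows two MACs (PC behind an IP phone); then a third MAC appears."""
    sw = Switch([Port("Fa0/1"), Port("Fa0/2"),
                 Port("Fa0/13", secure=True, maximum=2, violation=violation, sticky=True)])
    host_a, phone, pc, rogue = "0000.1111.aaaa", "001b.d41b.a4d8", "0000.2222.bbbb", "0000.dead.beef"
    broadcast = "ffff.ffff.ffff"
    egress = [
        sw.receive("Fa0/1", host_a, broadcast),   # unknown destination: flood
        sw.receive("Fa0/13", phone, host_a),      # first secure MAC, unicast to Fa0/1
        sw.receive("Fa0/13", pc, host_a),         # second secure MAC
        sw.receive("Fa0/13", rogue, host_a),      # third MAC: violation
        sw.receive("Fa0/13", phone, host_a),      # an allowed MAC after the violation
    ]
    p = sw.ports["Fa0/13"]
    return {"egress": egress, "violations": p.violations, "err_disabled": p.err_disabled,
            "log": sw.log, "rogue_learned": rogue in sw.cam, "sticky": sw.sticky_config("Fa0/13")}


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(mode, run_scenario(mode))
```

Running the scenario with each mode shows the difference the violation setting makes: with `shutdown` the fifth frame is lost too, because the port is err-disabled; with `protect` the rogue frame disappears without a trace; with `restrict` it is dropped, logged and counted. In every mode the rogue MAC is never learned into the CAM table, which is the point of the feature.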

DTP
- Dynamic Trunking Protocol
- It is a Layer 2 protocol
- It is a Cisco proprietary trunking protocol, used to automatically
negotiate trunks between Cisco switches
- It can be used to negotiate and form a trunk connection between Cisco switches
dynamically.
- It is enabled on every port by default (the default port mode on most Catalyst
switches is dynamic auto; some older models default to dynamic desirable)
- Security caveat: because DTP runs by default, a host that sends DTP frames to a
dynamic port can turn it into a trunk and then send and receive traffic for every
VLAN allowed on that trunk (switch spoofing). Ports facing end hosts should be set
to access mode with DTP disabled, as described under Nonegotiate below.

A trunk can be made in two ways

1. Manually
2. Dynamically

DTP sends hello packets every 30 seconds

The dynamic trunk time-out is 300 seconds

Switchport Modes
Access - Always forces the port to be an access port with no VLAN tagging
allowed EXCEPT for the voice VLAN. DTP is not used and a trunk will never be
formed.
#switchport mode access
#switchport access vlan 10

Trunk: This interface will always be a trunk no matter what happens on the other
side. It still sends DTP frames, so it negotiates a neighbouring interface that is set to
dynamic desirable or dynamic auto into a trunk.
#switchport trunk encapsulation dot1q
#switchport mode trunk

Dynamic desirable - the port actively starts DTP negotiation; if the other side is
set to trunk, desirable or auto, the interface becomes a trunk. Otherwise the
port becomes an access port.

Dynamic auto - the port negotiates passively and becomes a trunk only if the other
side is set to trunk or desirable. Otherwise (including auto on both sides) it
becomes an access port.

Nonegotiate - turns DTP off for the interface (switchport nonegotiate). It does not
by itself decide the port mode: combine it with mode trunk for a static trunk that
sends no DTP frames, or with mode access for a host port that can never be
negotiated into a trunk.
VTP
- VLAN Trunking Protocol
- It is a Cisco proprietary protocol that propagates the VLAN configuration to
other switches in the network

How VTP Works

To exchange VLAN information with each other, switches need to be configured with
the same VTP domain name (and the same VTP password, if one is set; the password
is carried as an MD5 digest in the advertisements).
Only switches belonging to the same domain share their VLAN information.
When a change is made to the VLAN database, it is propagated to all switches via
VTP advertisements sent over trunk links. Every change increments the configuration
revision number, and a switch replaces its VLAN database with any advertisement
that carries a higher revision number than its own. That is the classic VTP failure:
a switch added to the network with a stale database but a higher revision number
wipes or replaces the VLANs of the whole domain, whether it is a server or a client.
Before connecting a switch, reset its revision number to 0 by changing its VTP
domain name or putting it in transparent mode.

There are 3 modes

1. Server Mode
2. Client Mode
3. Transparent Mode

1. Server Mode:
This is also the default mode.
When you make a change to the VLAN configuration on a VTP server, the change
is propagated to all switches in the VTP domain.
VTP messages are transmitted out of all trunk connections.
In server mode we can create, modify and delete VLANs.

2. Client Mode
In this mode a switch is only allowed to receive and forward updates from the
server switch. It cannot make changes to the VLAN configuration while in this
mode; however, a VTP client does advertise the VLANs currently listed in its own
database to other VTP switches. A VTP client also forwards VTP advertisements (but
cannot originate changes).

3. Transparent Mode
In this mode a switch maintains its own VLAN database and never learns any VTP
information from other switches (not even from the switch in VTP server mode). It
still forwards VTP advertisements from the server to other switches. It can add,
delete and modify VLANs locally.

VTP Advertisement Messages

1. Advertisement request:
An advertisement request is a VTP message that a client (or any switch that has
just reset or changed its domain) sends to ask a server for VLAN information.
Servers respond with both a summary advertisement and subset advertisements.

2. Summary advertisement:
Summary advertisements are sent every 300 seconds (5 minutes) by default,
or immediately when a configuration change occurs. They carry the summarized VLAN
information, including the domain name and the configuration revision number.

3. Subset advertisement:
Subset advertisements are sent when a configuration change takes place on the
server switch. Subset advertisements are VLAN specific and contain details about
each VLAN.

Three versions

1. VTPv1
2. VTPv2
3. VTPv3

1. VTPv1
It is the default on older Catalyst switches
It supports the standard VLAN range 1-1005
A transparent switch using VTP version 1 checks the domain name and version
before it forwards the advertisement.

2. VTPv2
If a switch is in transparent mode, it forwards the message without checking the
version information (only the domain name is checked).

3. VTPv3
Support for extended VLANs (up to 4094).
Support for the creation and advertising of private VLANs.
Interaction with VTP version 1 and VTP version 2.
Can be enabled or disabled on a per-port basis.
Introduces a primary server: only the primary server can change the VLAN
database, which removes the higher-revision-number overwrite problem of v1 and v2.

VTP Pruning
- It cuts down unnecessary VLAN traffic on trunk ports: broadcast, multicast and
unknown-unicast traffic for a VLAN is not sent over a trunk to a switch that has no
ports in that VLAN.
- VTP pruning is disabled by default on Cisco switches.
- By default, VLANs 2 – 1001 are pruning eligible.
- VLAN 1 can't be pruned because it is the administrative VLAN.
- Both VTP versions 1 and 2 support pruning.
VLAN Port Types
1. Access ports
2. Trunk ports

Access link: An access link is a link that is part of only one VLAN, and normally
access links are for end devices.

Trunk link: A trunk link can carry traffic for multiple VLANs, and normally a trunk
link is used to connect switches to other switches or to routers.

Frame Tagging Protocols

Cisco switches support two frame tagging protocols:
1. Inter-Switch Link (ISL)
2. IEEE 802.1Q

Inter-Switch Link (ISL)

- It is Cisco's proprietary frame tagging protocol (now obsolete; recent platforms
support only 802.1Q).
- It encapsulates the whole frame with an additional header (26 bytes) and trailer (4
bytes).
- It increases the size of a frame by 30 bytes.
- The header contains several fields, including a 15-bit VLAN ID.
- The trailer contains an additional 4-byte CRC to verify data integrity.
- The maximum frame size on the wire grows from 1518 to 1548 bytes.
- It supports a maximum of 1000 VLANs on a trunk port.
- It doesn't support untagged frames, and always tags frames from all
VLANs (there is no native VLAN).

IEEE 802.1Q
- It is an open standard
- It inserts a 4-byte VLAN tag directly into the Layer 2 frame header, between the
source MAC address and the EtherType/length field (the FCS is recalculated).
- The tag is a 16-bit TPID (0x8100) followed by 16 bits of TCI: a 3-bit priority
(PCP), a 1-bit DEI and a 12-bit VLAN ID.
- The maximum frame size grows from 1518 bytes to 1522 bytes.
- The 12-bit field gives 4096 IDs; 0 and 4095 are reserved, so 4094 VLANs are
usable on a trunk.
- It supports a native (untagged) VLAN on trunk ports.
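An added example, not from the original notes, that parses the 802.1Q tag the way a trunk port does, applies the native-VLAN rule for untagged and priority-tagged frames, and then walks through the double-tagging trick that the Native VLAN section warns about. The frames are constructed byte strings; `build_frame`, `trunk_egress`, `vlan_hop` and the MAC addresses are my own constructions for the example, not any vendor's implementation.

```python
# Added example (not from the original notes): 802.1Q tag parsing, the
# native-VLAN rule as applied on a trunk, and the double-tagging VLAN-hopping
# case. All frames here are constructed byte strings, not captures.
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # provider (QinQ) outer tag


def parse_frame(frame: bytes, native_vlan: int = 1):
    """Return {"vlan": VLAN the switch assigns, "tags": every tag found (outermost
    first), "ethertype": payload EtherType, "payload": bytes}. Untagged frames and
    priority-tagged frames (VID 0) are placed in the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, tags = 14, []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    if tags and tags[0]["vid"] == 4095:
        raise ValueError("reserved VID 4095")
    vlan = tags[0]["vid"] if tags and tags[0]["vid"] != 0 else native_vlan
    return {"vlan": vlan, "tags": tags, "ethertype": ethertype, "payload": frame[offset:]}


# Constructed addresses for the examples.
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("001bd41ba4d8")


def build_frame(vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Ethernet header with zero or more 802.1Q tags (outermost first), PCP 0."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return DST_MAC + SRC_MAC + tags + struct.pack("!H", ethertype) + payload


def trunk_egress(frame: bytes, native_vlan: int = 1, tag_native: bool = False):
    """What a switch puts on an 802.1Q trunk: a frame in the native VLAN goes
    out untagged (its outer tag stripped) unless native-VLAN tagging is on."""
    info = parse_frame(frame, native_vlan)
    if info["tags"] and info["vlan"] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]   # remove the 4-byte outer tag
    return frame


def vlan_hop(attacker_vlan=1, target_vlan=20, native_vlan=1, tag_native=False):
    """An attacker in `attacker_vlan` sends a double-tagged frame. The first switch
    strips the outer tag if it equals the trunk's native VLAN; the next switch then
    reads the inner tag. Returns the VLAN the second switch places the frame in."""
    on_wire = trunk_egress(build_frame([attacker_vlan, target_vlan]), native_vlan, tag_native)
    return parse_frame(on_wire, native_vlan)["vlan"]


if __name__ == "__main__":
    print("untagged frame lands in VLAN", parse_frame(build_frame([]))["vlan"])
    print("tagged 10 lands in VLAN", parse_frame(build_frame([10]))["vlan"])
    print("double tag, native 1:", vlan_hop())              # crosses into VLAN 20
    print("double tag, native 999:", vlan_hop(native_vlan=999))
    print("double tag, native tagged:", vlan_hop(tag_native=True))
```

`vlan_hop()` with the defaults lands the frame in VLAN 20: the attacker's VLAN is the native VLAN, so the first switch forwards the frame untagged and the second switch sees only the inner tag. Moving the native VLAN to an unused ID (999) or tagging the native VLAN keeps the outer tag on the wire, and the second switch places the frame back in VLAN 1.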

Management VLAN and configuration of Management VLAN

The management VLAN is used for managing the switch from a remote location by
using protocols such as Telnet, SSH, SNMP, syslog etc.
By default the management VLAN is VLAN 1, but any VLAN can be used as the
management VLAN. Use a dedicated VLAN rather than VLAN 1: VLAN 1 is where every
unconfigured port lands and is the default native VLAN on trunks, so anything plugged
into a spare port shares a broadcast domain with the switch's management interface.
Use SSH rather than Telnet for the management sessions themselves, since Telnet
sends the credentials in clear text.
Configuration (the example uses VLAN 1; substitute the dedicated management VLAN)
#interface vlan 1
#ip address 192.168.100.28 255.255.255.0
#no shutdown
#ip default-gateway 192.168.100.1

Etherchannel
The issue with using only a single physical port is a single point of failure. If the
port goes down, the trunk connection is lost.

Etherchannel is a technology that lets you bundle multiple physical links into a
single logical link. If we simply connect 2 or more cables between two switches, there
is a chance of loops; STP runs, detects the loop and blocks all but one of the ports, so
we gain no bandwidth and the extra cable is only a standby link.

Spanning tree sees the Etherchannel as one logical link, so there is no loop to block.

Etherchannel load balances among the member links and provides redundancy. A
maximum of 8 active ports are supported in a single Etherchannel.

The maximum number of supported Etherchannels on a single switch is platform-
dependent, though most support up to 64 or 128 Etherchannels.

Cisco's implementation of port aggregation is called Etherchannel.

Etherchannels are also supported on Layer 3 interfaces.

Port settings that must be identical on all member ports include the following:
- Speed settings
- Duplex settings
- STP settings
- VLAN membership (for access ports)
- Native VLAN (for trunk ports)
- Allowed VLANs (for trunk ports)
- Trunking encapsulation protocol (for trunk ports)

Port security is not supported on Etherchannel member ports.

Etherchannel Load-Balancing

Frames are not sent round-robin: each frame is hashed on one of the following field
sets and the result selects the member link, so all frames of one flow stay on one link.
- Source IP address - src-ip
- Destination IP address - dst-ip
- Source and destination IP address - src-dst-ip
- Source MAC address - src-mac
- Destination MAC address - dst-mac
- Source and destination MAC address - src-dst-mac
- Source TCP/UDP port number - src-port
- Destination TCP/UDP port number - dst-port
- Source and destination port number - src-dst-port

The default load-balancing method for a Layer 2 Etherchannel is either src-mac or
src-dst-mac, depending on the platform. The default method for a Layer 3
Etherchannel is src-dst-ip.

#port-channel load-balance src-dst-mac

#show etherchannel load-balance
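Why the choice of method matters, as an added example that is not from the original notes: a simplified model of the hash (XOR of the selected fields, keeping as many low-order bits as the number of member links needs) run over a constructed set of flows from 16 hosts towards one default gateway. The exact hash differs per Catalyst platform; the model only reproduces the property that the same field values always land on the same link.

```python
# Added example (not from the original notes). Simplified Etherchannel
# load-balancing model: XOR the selected fields, keep the low-order bits, and
# use the result as the member-link index. Real Catalyst hashes differ per
# platform; the polarisation effect shown here is what matters in practice.

GATEWAY_MAC = 0x0000_5E00_0101        # constructed: the VLAN's default gateway


def link_index(fields, links):
    """links must be 2, 4 or 8 here (1, 2 or 3 hash bits)."""
    bits = {2: 1, 4: 2, 8: 3}[links]
    h = 0
    for value in fields:
        h ^= value
    return h & ((1 << bits) - 1)


def fields_for(flow, method):
    """The header fields each load-balance method feeds into the hash."""
    return {
        "src-mac":      [flow["smac"]],
        "dst-mac":      [flow["dmac"]],
        "src-dst-mac":  [flow["smac"], flow["dmac"]],
        "src-dst-ip":   [flow["sip"], flow["dip"]],
        "src-dst-port": [flow["sport"], flow["dport"]],
    }[method]


def distribution(flows, method, links):
    """How many flows each member link ends up carrying."""
    counts = [0] * links
    for flow in flows:
        counts[link_index(fields_for(flow, method), links)] += 1
    return counts


def ipv4(a, b, c, d):
    return (a << 24) | (b << 16) | (c << 8) | d


# Constructed traffic: 16 hosts in 10.1.1.0/24, all talking HTTPS to the gateway.
FLOWS = [
    {"smac": 0x0000_0C00_0000 + i, "dmac": GATEWAY_MAC,
     "sip": ipv4(10, 1, 1, 10 + i), "dip": ipv4(10, 1, 1, 1),
     "sport": 40000 + i, "dport": 443}
    for i in range(16)
]


if __name__ == "__main__":
    for method in ("dst-mac", "src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13s} 4 links -> {distribution(FLOWS, method, 4)}")
```

`distribution(FLOWS, "dst-mac", 4)` puts all 16 flows on one link, because every frame carries the same destination MAC; `src-dst-mac`, `src-dst-ip` and `src-dst-port` spread them 4/4/4/4. The same polarisation appears with `src-mac` on the return path from the gateway, which is why the method has to be chosen with both directions and the kind of channel (Layer 2 access versus routed) in mind.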

There are two methods of configuring an Etherchannel:

- Manually
- Dynamically, using an aggregation protocol

Manual Configuration
#interface range f0/22 - 24
#channel-group 1 mode on

With mode on no negotiation protocol runs, so both sides must be set to on; if the
other side is not, or the member ports are not configured identically, the result is a
loop or a down channel rather than a negotiated fallback. Prefer LACP where both ends
support it.

Adding switch ports to a channel-group creates a logical port-channel interface.

#interface port-channel 1
#switchport mode trunk
#switchport trunk allowed vlan 50-100

To configure a port-channel as a Layer 3 interface:

#interface port-channel 1
#no switchport
#ip address 192.168.10.1 255.255.255.0

If the port-channel interface shows as administratively down, bring it up:

#interface port-channel 1
#no shut

Dynamic Configuration
Cisco switches support two dynamic aggregation protocols:
- PAgP (Port Aggregation Protocol) – Cisco proprietary aggregation protocol.
- LACP (Link Aggregation Control Protocol) – IEEE standardized aggregation
protocol, originally defined in 802.3ad (now 802.1AX).

PAgP and LACP are not compatible – both sides of an Etherchannel must use the
same aggregation protocol.
EtherChannel - PAgP
It supports 2 modes
- Desirable – actively attempts to form a channel
- Auto – waits for the remote switch to initiate the channel

A PAgP channel will form with

- desirable <- -> desirable
- desirable <- -> auto
(auto <- -> auto never forms a channel)

#interface range f0/22 - 24
#channel-protocol pagp
#channel-group 1 mode desirable / auto

EtherChannel - LACP
It has 2 modes
- Active – actively attempts to form a channel
- Passive – waits for the remote switch to initiate the channel

An LACP channel will form with

- active <- -> active
- active <- -> passive
(passive <- -> passive never forms a channel)

#interface range f0/22 - 24
#channel-protocol lacp
#channel-group 1 mode active / passive

A maximum of 8 active ports are supported in a single Etherchannel. LACP supports
adding up to 8 further ports to the bundle in a standby (hot-standby) state, to replace
an active port if it goes down.

LACP assigns a numerical port priority to each port, to determine which ports
become active in the Etherchannel when more than 8 are configured. By default the
port priority is 32768, and a lower value is preferred; if the port priorities tie,
the lower port number wins. Which switch's port priorities are used is decided by the
LACP system priority (default 32768, lower preferred); if the system priorities tie,
the switch with the lowest MAC address decides.
#interface range f0/22 - 24
#lacp port-priority 100

#lacp system-priority 500    (global configuration)

Verification:
#show etherchannel summary    (IOS)
#show port-channel summary    (NX-OS)

Spanning Tree Protocol (STP)

Without STP
- Broadcast storms
- Duplicate frame copies
- Unstable MAC table

Broadcast Storms
Without any loop-removing mechanism, switches flood broadcasts endlessly
around the loop. This is known as a broadcast storm.

Duplicate Frame copies

A device can receive duplicate copies of the same frame from different switches.
This creates additional overhead on the network and confuses upper-layer protocols.

Unstable MAC Table

When a switch receives a frame, it reads the source MAC address in the frame and
associates that address with the ingress interface. The next time the switch
receives a frame destined for this MAC address, it forwards the frame out of that
interface. These entries are stored in the MAC address table, which the switch uses
to forward frames. In a looped network the same source MAC keeps arriving on
different ports, so the MAC address table flaps and becomes unstable.

What is Spanning tree?

- STP is used to prevent Layer 2 loops when we have redundant paths in
our network.
- STP is enabled by default on all VLANs on Catalyst switches.
- IEEE 802.1D
STP switches exchange Bridge Protocol Data Units (BPDUs) to build the topology
database.
BPDUs are originated by the root bridge every 2 seconds and relayed by every other
switch out of its designated ports, to the reserved multicast MAC address
0180.c200.0000.
STP trusts every BPDU it hears: a host that sends a BPDU with a lower bridge ID
than the current root becomes the new root and can pull traffic through itself.
Host-facing ports should therefore never accept BPDUs (BPDU Guard), and ports
towards other switches that must never become the root port should be protected
with Root Guard.

The STP Process

1. Root bridge is elected
2. Root ports are identified
3. Designated ports are identified
4. Remaining ports are placed in the blocking state

1. Electing a Root Bridge

A root bridge is elected based on the lowest Bridge ID.
Bridge ID = 16-bit bridge priority + 48-bit MAC address

The default priority is 32,768, and the lowest priority wins. If there is a tie in
priority, the lowest MAC address is used as the tie-breaker.

NOTE: We know the default bridge priority is 32768, but in a real environment, when
you type the command "show spanning-tree" you may see something like this:
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

The sys-id-ext value that you see is the VLAN number (the low 12 bits of the 16-bit
priority field, one spanning tree per VLAN). The priority is 32768 but spanning tree
adds the VLAN number 1, so we end up with a priority value of 32769 (32768 + 1).
For VLAN 10 it is 32778 (32768 + 10). This is also why a configured priority must be
a multiple of 4096: only the upper 4 bits of the field are the configurable priority.

2. Root Ports are identified

After finding the root bridge, every non-root bridge has to find the shortest
path to the root bridge by adding up the cost of each link along the way. The lowest
path cost is preferred.

Note: The root port always forwards traffic towards the root bridge. Each switch has
only one root port, and the root bridge itself has no root port.

Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
45 Mbps     39
100 Mbps    19
155 Mbps    14
1 Gbps      4
10 Gbps     2
3. Designated Ports are identified
A single Designated Port is identified for each network segment, and it is
responsible for forwarding BPDUs and frames onto that segment. It is the port on the
segment with the lowest path cost to the Root Bridge. This port will not be placed in a
blocking state.

Port ID
When electing Root and Designated Ports, it is possible to have a tie in both path
cost and Bridge ID.

If the bandwidth of both links is equal, then both of Switch 2's interfaces have
an equal path cost to the Root Bridge. The tiebreaker would normally be the lowest Bridge
ID, but that cannot be used here because both links terminate on the same bridge.
Port ID is used as the final tiebreaker, and consists of two components:
∑ 4-bit port priority
∑ 12-bit port number, derived from the physical port number

By default, the port priority of an interface is 128, and a lower priority is
preferred. If there is a tie in priority, the lowest port number is preferred. The
sender's port ID determines the tie-break, not the local port ID.

To change the priority (IOS accepts values from 0 to 240 in increments of 16):

#int fa0/10
#spanning-tree port-priority 64

Port ID is the last tiebreaker. STP decides Root and Designated Ports based on:
∑ Lowest Path Cost to the Root Bridge
∑ Lowest Bridge ID
∑ Lowest Port ID
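The election rules above (Bridge ID with the VLAN sys-id-ext folded in, root path cost from the cost table, and Port ID as the last tiebreaker), worked through in code. This is an added example, not code from the original notes; the switch names, MAC addresses and links are constructed, and the per-port priority override is an assumption used to show the sender Port ID tiebreak:

```python
"""STP election rules worked through in code (added example, not from the notes).

Models the tie-break order given above: Bridge ID = priority (plus the VLAN
sys-id-ext) + MAC, root path cost from the IEEE short cost table, and
Port ID = 4-bit port priority + 12-bit port number. All switches and links
below are constructed sample data.
"""
import heapq
from collections import defaultdict

# IEEE 802.1D short path cost table (same values as the table above), keyed by Mbps
PATH_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 1000: 4, 10000: 2}


def bridge_id(priority, mac, vlan=1):
    """Comparable Bridge ID as (priority + sys-id-ext, MAC); lower wins.
    The configurable priority must be a multiple of 4096 (the VLAN uses the low 12 bits)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be 0-61440 in steps of 4096")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def port_id(port_number, port_priority=128):
    """16-bit Port ID: priority/16 in the high 4 bits, physical port number in the low 12."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be 0-240 in steps of 16")
    return (port_priority // 16) << 12 | (port_number & 0xFFF)


def stp_roles(switches, links, vlan=1, port_priority=None):
    """Elect the root and assign port roles.

    switches:      {name: (bridge_priority, mac)}
    links:         [(sw_a, port_a, sw_b, port_b, mbps), ...]
    port_priority: optional {(sw, port): priority} overrides (default 128)
    Returns (root_name, {(sw, port): "root" | "designated" | "blocked"}).
    """
    port_priority = port_priority or {}

    def pid(sw, port):
        return port_id(port, port_priority.get((sw, port), 128))

    bid = {name: bridge_id(prio, mac, vlan) for name, (prio, mac) in switches.items()}

    # Step 1: lowest Bridge ID is the Root Bridge
    root = min(bid, key=bid.get)

    adj = defaultdict(list)  # sw -> [(neighbor, local_port, neighbor_port, link_cost)]
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pa, pb, PATH_COST[mbps]))
        adj[b].append((a, pb, pa, PATH_COST[mbps]))

    # Step 2: Root Ports. Dijkstra whose key is the STP tie-break order:
    # (root path cost, sender Bridge ID, sender Port ID, local Port ID)
    best = {root: (0, bid[root], 0, 0)}
    root_port = {}
    heap = [(best[root], root)]
    while heap:
        key, u = heapq.heappop(heap)
        if key != best[u]:
            continue  # stale heap entry
        for v, pu, pv, cost in adj[u]:
            cand = (key[0] + cost, bid[u], pid(u, pu), pid(v, pv))
            if v not in best or cand < best[v]:
                best[v] = cand
                root_port[v] = pv
                heapq.heappush(heap, (cand, v))

    # Steps 3 and 4: one Designated Port per segment (lowest root path cost, then
    # lowest Bridge ID, then lowest Port ID); the far end is the Root Port or is blocked.
    roles = {}
    for a, pa, b, pb, _ in links:
        ka = (best[a][0], bid[a], pid(a, pa))
        kb = (best[b][0], bid[b], pid(b, pb))
        dsg, far = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles[dsg] = "designated"
        roles[far] = "root" if root_port.get(far[0]) == far[1] else "blocked"
    return root, roles


# Constructed triangle: three switches at the default priority, so the lowest MAC wins.
SWITCHES = {"SW1": (32768, "0000.0000.0001"),
            "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
LINKS = [("SW1", 1, "SW2", 1, 100),
         ("SW1", 2, "SW3", 1, 100),
         ("SW2", 2, "SW3", 2, 100)]

if __name__ == "__main__":
    root, roles = stp_roles(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

In the triangle, SW1 becomes root on MAC address, SW2 and SW3 pick their direct links as Root Ports, and on the SW2-SW3 segment SW2 wins the Designated Port on Bridge ID while SW3's side is blocked. Passing two parallel links between the same pair of switches reproduces the Switch 2 case above: both links tie on cost and Bridge ID, and the sender's Port ID (lowered with the port_priority override) decides which one becomes the Root Port.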

4. Ports are placed in Blocking state.

If two ports are eligible to become the Designated Port on a segment, then there is a loop.
One of the ports will be placed in a blocking state to eliminate the loop.

STP Port Roles:

1. Root Port: Used to reach the root bridge. Best way to get to the root bridge.
2. Designated Port: Forwarding port, one per link.
3. Blocking / Non-Designated Port: Where the tree fell. [Blocks the redundant link]

Spanning Tree Election Criteria:
STP selects paths according to the following criteria, in order:
1. Lowest root bridge ID (BID)
2. Lowest cost path to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

Port States
∑ Disabled
∑ Blocking
∑ Listening
∑ Learning
∑ Forwarding

Disabled: The port is considered non-operational; it does not participate in frame
forwarding.
Blocking: The port does not forward frames or learn MAC addresses, but it listens for BPDUs.
Listening: The port sends and receives BPDUs; in this state it may be chosen as a Root or
Designated Port. It does not learn MAC addresses or forward frames yet.
Learning: The port keeps processing BPDUs and begins to learn MAC addresses, but still
does not forward frames.
Forwarding: The port is fully functional; it sends and listens for BPDUs, learns
MAC addresses and forwards frames. Root and Designated Ports move to the
Forwarding state.

Timers
∑ Hello Timer
∑ Forward delay Timer
∑ Max-age Timer

Hello Timer: How often switches send BPDUs; by default every 2 seconds.
Forward Delay Timer: How long a port must spend in each of the Listening and
Learning states; by default 15 seconds.
Max-Age Timer: How long a switch retains BPDU information from a neighbor
switch before discarding it; by default 20 seconds.

Improving STP Convergence

In many environments, a 30 second outage for every topology change is
unacceptable. Cisco developed three proprietary features that improve STP
convergence time:
∑ PortFast
∑ UplinkFast
∑ BackboneFast

PortFast

UplinkFast

BackboneFast
Protecting STP
∑ Root Guard
∑ BPDU Guard
∑ BPDU Filtering
∑ Unidirectional Link Detection (UDLD)
∑ Loop Guard

Root Guard

BPDU Guard
BPDU Filtering

UDLD
Loop Guard

Rapid Spanning Tree Protocol (RSTP)

One big disadvantage of STP is its slow convergence, which matters a great deal in a
switched network. To overcome this problem, in 2001 the IEEE, in document
802.1w, introduced an evolution of the Spanning Tree Protocol: Rapid Spanning
Tree Protocol (RSTP).
It reduces the convergence time after a topology change occurs in the network.
While STP can take 30 to 50 seconds to transition from a blocking state to a
forwarding state, RSTP is normally able to respond to a physical link failure in
less than 10 seconds.

Port States
Discarding State:
A discarding port will not forward frames or learn MAC addresses.
A discarding port will listen for BPDUs.
Alternate and backup ports will remain in a discarding state.

Learning State:
A learning port will begin to add MAC addresses to the CAM table.
It cannot forward frames quite yet.

Forwarding State:
A forwarding port is fully functional – it will send and listen for BPDUs, learn MAC
addresses, and forward frames.
Root and designated ports will eventually transition to a forwarding state.

RSTP works by adding an alternate port and a backup port compared to STP.
These ports are allowed to enter the forwarding state immediately rather than
passively waiting for the network to converge.

Port Roles:
Root port – A forwarding port that is the closest to the root bridge in terms of
path cost.
Designated port – A forwarding port for every LAN segment.
Alternate port – The best alternate path to the root bridge. This path is different
from the one via the root port. The alternate port moves to the forwarding state if
there is a failure on the designated port for the segment.
Backup port – A backup/redundant path to a segment where another bridge port
already connects. The backup port applies only when a single switch has two links
to the same segment (collision domain). To have two links to the same collision
domain, the switch must be attached to a hub.
Disabled port – Not strictly part of STP; a network administrator can manually
disable a port.

Suppose all the switches have the same bridge priority, so the switch with the lowest
MAC address becomes the Root Bridge -> Sw1 is the root bridge and therefore all
of its ports will be Designated ports (forwarding).
The two ports fa0/0 on Sw2 and Sw3 are closest to the root bridge (in terms of path
cost), so they will become Root ports.

On the segment between Sw2 and Sw3, because Sw2 has a lower MAC than Sw3, it
advertises the better BPDU on this segment -> fa0/1 of Sw2 will be the Designated
port and fa0/1 of Sw3 will be the Alternate port.

Now for the two ports connecting to the hub: we know that there is only
one Designated port for each segment (notice that the two ports fa0/2 and fa0/3 of
Sw2 are on the same segment, as they are connected to a hub). The other port will
be the Backup port according to the definition of Backup port above. But how does
Sw2 select its Designated and Backup port? The decision process involves the
following parameters inside the BPDU:

∑ Lowest path cost to the Root
∑ Lowest Sender Bridge ID (BID)
∑ Lowest Port ID

Both fa0/2 and fa0/3 of Sw2 have the same "path cost to the root" and "sender
bridge ID", so the third parameter, "lowest port ID", is used. Because fa0/2 has
the lower port ID, Sw2 selects fa0/2 as its Designated port.
Note: Alternate Ports and Backup Ports are in the discarding state.

RSTP Port States:

There are only three port states left in RSTP, corresponding to the three possible
operational states. The 802.1D disabled, blocking, and listening states are merged
into the 802.1w discarding state.

* Discarding – the port does not forward frames, process received frames, or
learn MAC addresses – but it does listen for BPDUs (like the STP blocking state)
* Learning – receives and transmits BPDUs and learns MAC addresses but does
not yet forward frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC addresses,
receives and transmits BPDUs (same as STP).

STP State (802.1D)   RSTP State (802.1w)
Blocking             Discarding
Listening            Discarding
Learning             Learning
Forwarding           Forwarding
Disabled             Discarding

Although the learning state is also used in RSTP, it only lasts a short time
compared to STP. RSTP converges with all ports in either the forwarding state
or the discarding state.

RSTP Quick Summary:

RSTP provides faster convergence than 802.1D STP when topology changes occur.
* RSTP defines three port states: discarding, learning, and forwarding.
* RSTP defines five port roles: root, designated, alternate, backup, and disabled.

Note: RSTP is backward compatible with legacy STP 802.1D. If an RSTP-enabled port
receives a (legacy) 802.1D BPDU, it automatically configures itself to behave
like a legacy port, sending and receiving 802.1D BPDUs only.

EIGRP
∑ Open standard (initially Cisco proprietary)
∑ Maximum hop count is 255 [100 by default]
∑ It is a classless protocol
∑ EIGRP internal routes have an administrative distance of 90; external routes have an AD of 170
∑ EIGRP summary routes have an AD of 5
∑ All EIGRP routing information is exchanged between neighbors via
multicast to the address 224.0.0.10
∑ Hello packets are sent every 5 seconds
∑ Supports equal-cost and unequal-cost load balancing
∑ K-values are used for calculating the metric. By default EIGRP considers K1 and
K3 only
∑ In EIGRP, auto-summarization is enabled by default. The "no auto-summary"
command is needed because by default EIGRP behaves like a classful
routing protocol.
∑ EIGRP can load balance over both equal- and unequal-cost paths. The "variance"
command is used to configure unequal-cost load balancing. By default EIGRP uses up to 4
load-balancing paths; this can be extended to 6 paths.

EIGRP maintains 3 tables

∑ Neighbor table – contains the directly connected routers.
#show ip eigrp neighbor
∑ Topology table – contains all the best routes learned from each neighbor.
#show ip eigrp topology
∑ Routing table – contains the best route to each destination.
#show ip route

EIGRP is an Advanced Distance Vector or Hybrid Routing Protocol

It shares features of both distance vector and link-state protocols. For
example, EIGRP advertises routes to directly connected neighbors like a distance
vector protocol, and it uses a series of tables like a link-state protocol.

EIGRP Packet types

∑ Hello: sent every 5 seconds between directly connected neighbors as
multicast
∑ Update: EIGRP does not send periodic updates; triggered updates are sent when a
change occurs
∑ Query: sent when the successor path fails and there is no feasible
successor
∑ Reply: the response to a Query packet
∑ ACK: sent to acknowledge Update and Reply packets

Successor
∑ The best path from the topology table is copied into the routing table
∑ It is the best route used to forward packets to the destination network
∑ Present in both the routing table and the topology table
∑ The metric of the successor path is called the Feasible Distance (FD)

Feasible Successor
∑ A feasible successor is the second-best route to a destination network
∑ It gives redundancy
∑ It is considered a backup route
∑ Present in the topology table only
∑ Used when the primary route (the Successor) goes down
∑ The metric the feasible-successor neighbor reports for the destination is called the
Advertised Distance (AD) or Reported Distance (RD)

Advertised Distance: how far the destination is from your neighbor.
Feasible Distance: the total distance from this router to the destination.
Successor: the best path to the destination.

Condition for choosing a Feasible Successor (the feasibility condition)

The Advertised Distance of the candidate must be less than the metric of the successor path:
Advertised Distance of feasible successor < Feasible Distance of successor.
EIGRP Route States
An EIGRP route can exist in one of two states in the topology table:
• Active state
• Passive state

A Passive state indicates that a route is reachable and that EIGRP is fully
converged. A stable EIGRP network will have all routes in a Passive state.

A route is placed in an Active state when the Successor and any Feasible
Successors fail, forcing EIGRP to send out Query packets and re-converge.
Multiple routes in an Active state indicate an unstable EIGRP network. If a
Feasible Successor exists, a route should never enter an Active state.

You can check the state of routes by using:

Router# show ip eigrp topology
To view only active routes in the topology table:
Router# show ip eigrp topology active

R1 - R5 (from the referenced topology):
Feasible Distance = 100 (10+20+30+40);
Advertised Distance = 90 (20+30+40);

Verification
#show ip eigrp topology
Each entry shows [FD/AD]
By default EIGRP can provide equal-cost load balancing across up to 4 links.
We can have EIGRP load-balance across up to 6 links (equal or unequal).

Command
#router eigrp 10
#maximum-paths 6

#router eigrp 100
#metric maximum-hops 255
EIGRP Stub
It is used to limit the number of queries.
A router will never send Query messages to a Stub router.

Stuck in Active: When a route (the current successor) goes down, the router first
checks its topology table for a feasible successor. If a backup path (feasible
successor) is not present, it goes active on that route (actively checking to find a
new route) to find a new successor by sending Queries out to its neighbors
requesting a path to the lost route. The state of a router while waiting for a Reply
to a Query packet is called Stuck in Active. In normal working conditions a router
running EIGRP is in the Passive state (P). If there is a failure in the successor path
and there is no backup path, then the route will be in the Active state (A).

EIGRP Load Balancing

1. Equal-cost load balancing: load balancing happens between two routes which have
the same cost. RIPv2, OSPF and EIGRP support this.

2. Unequal-cost load balancing: even though the metrics are not equal (1000 and
1500), EIGRP can still load balance; it has to be configured manually (variance).

The least-cost route (1000) is the best route; with 2 routes, EIGRP is going to
load-balance between both of them. The best route is 1000; if we want to do load
balancing between the 2 routes, we use the variance command.

EIGRP Metrics
EIGRP can utilize 5 separate metrics to determine the best route to a destination:
1. Bandwidth (K1)
2. Load (K2)
3. Delay of the Line (K3)
4. Reliability (K4)
5. MTU (K5)

By default, only Bandwidth and Delay of the Line are used:

K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0

EIGRP Metric (32 bit)

RIPv2 calculates the best route based on the hop count.
EIGRP calculates the best route based on Bandwidth, Delay, Load, MTU and Reliability.
K1 = Bandwidth: speed of the link (serial link 1544 kbps, FastEthernet 100 Mbps)
#interface serial0/0
#bandwidth <kilobits>

When we change the bandwidth, the cost also changes.

K3 = Delay: defined as the amount of time it takes to forward the traffic
(Serial 20,000 microseconds, FastEthernet 100 microseconds, GigabitEthernet 10
microseconds)

More bandwidth, less delay.

K5 = MTU: 1500 bytes

K4 = Reliability: calculated based on the status of the link, on a scale from
1 to 255
1 = less reliable; 255 = more reliable (default)

K2 = Load: calculated on a scale from 1 to 255
1 = less; 255 = more

By default only Bandwidth and Delay (K1 and K3) are used for the metric
calculation;

i.e. K1=1, K2=0, K3=1, K4=0, K5=0

This is because Reliability and Load are variables; they may change every second.

Bandwidth and Delay are fixed values; once we change them they stay fixed.

OSPF
∑ Open Shortest Path First is a link-state routing protocol, designed for larger
networks.
∑ OSPF will form neighbor relationships with adjacent routers in the same
Area.
∑ OSPF advertises the status of directly connected links using Link-State
Advertisements (LSAs).
∑ LSAs are additionally refreshed every 30 minutes.
∑ OSPF traffic is multicast either to address 224.0.0.5 (all OSPF routers) or
224.0.0.6 (all Designated Routers).
∑ Uses the Dijkstra Shortest Path First algorithm to determine the shortest
path.
∑ OSPF routes have an administrative distance of 110.
∑ OSPF uses cost as its metric, which is computed based on the bandwidth of
the link.
∑ OSPF COST = Reference bandwidth / Link bandwidth

DR and BDR election Process

∑ On broadcast and NBMA networks a Designated Router (DR) is elected.
∑ The router with the highest priority will be elected the DR.
∑ If we set the router priority to 0, that router will not participate in the DR/BDR
election.
∑ The priority can range from 0 to 255.
∑ A Backup DR (BDR) will be elected; it is the router with the second highest
priority.
∑ The election is not preemptive, which means that if a router is set up later with a
higher priority it will not become the DR unless the OSPF process is cleared.

The DR has two main functions

It generates a network LSA that lists the set of routers connected to the network,
and it is responsible for maintaining adjacencies. The DR and BDR listen on the
AllDRouters address 224.0.0.6. They send updates to the 224.0.0.5
AllSPFRouters address.

Router ID
∑ It is used to provide a unique identity to the OSPF router.
∑ It can be set statically.
∑ If there is no OSPF Router ID configured, the highest IP address on a loopback
interface is selected.
∑ If there is no loopback, the highest IP address on a physical interface is
selected.
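The three rules stated above (Router ID preference order, DR/BDR election by priority with Router ID as the tiebreak, and cost = reference bandwidth / link bandwidth), applied in code. This is an added example, not code from the original notes; the router names, priorities and addresses are constructed, and the election is modelled as the initial election on a segment where all routers start together, since the real election is not preemptive.

```python
"""OSPF Router ID selection, DR/BDR election and interface cost (added example).

Not code from the original notes. Router names, priorities and addresses are
constructed sample data.
"""
from ipaddress import IPv4Address


def router_id(manual=None, loopbacks=(), physical=()):
    """Pick the Router ID in the documented order of preference:
    manually configured value, else highest loopback IP, else highest physical IP."""
    if manual:
        return IPv4Address(manual)
    for pool in (loopbacks, physical):      # loopbacks are preferred over physical interfaces
        if pool:
            return max(IPv4Address(ip) for ip in pool)
    raise ValueError("no IP address available to derive a Router ID")


def elect_dr_bdr(routers):
    """routers: {name: (priority, router_id)}. Returns (dr, bdr) names, or None.

    Highest priority wins, ties go to the highest Router ID, priority 0 never
    takes part. Models the initial election only: a router that joins later with
    a higher priority does not displace the existing DR (the election is not
    preemptive), so re-running this function is NOT what a live segment does.
    """
    eligible = {n: (p, IPv4Address(rid)) for n, (p, rid) in routers.items() if p > 0}
    ranked = sorted(eligible, key=lambda n: eligible[n], reverse=True)
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


def ospf_cost(bandwidth_kbps, reference_mbps=100):
    """OSPF cost = reference bandwidth / link bandwidth, truncated to an integer
    and never below 1. With the default 100 Mbps reference, anything at or above
    100 Mbps collapses to cost 1, which is why the reference is raised on modern
    networks."""
    return max(1, (reference_mbps * 1000) // bandwidth_kbps)


# Constructed segment: R3 has the highest priority; R1 and R2 tie at priority 1,
# so R2 wins the BDR on Router ID; R4 has priority 0 and never participates.
SEGMENT = {"R1": (1, "1.1.1.1"),
           "R2": (1, "2.2.2.2"),
           "R3": (200, "3.3.3.3"),
           "R4": (0, "4.4.4.4")}

if __name__ == "__main__":
    print("Router ID:", router_id(loopbacks=["1.1.1.1", "9.9.9.9"], physical=["192.168.1.1"]))
    print("DR, BDR:", elect_dr_bdr(SEGMENT))
    for kbps in (1544, 10000, 100000, 1000000):
        print(f"{kbps} kbps -> cost {ospf_cost(kbps)} (ref 100), "
              f"{ospf_cost(kbps, reference_mbps=10000)} (ref 10000)")
```

The cost function shows the practical consequence of the formula in the notes: with the default reference bandwidth a T1 costs 64 and FastEthernet costs 1, but GigabitEthernet also costs 1, so Gigabit and FastEthernet paths become indistinguishable until the reference bandwidth is raised consistently on every router in the domain.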

AREA
Areas are logical groupings of routers.
Consider an organization with more than 200 networks. The problem in OSPF is that all
routers within an area must maintain the same database, and smaller routers (1800,
2500 series) may not have enough memory to hold it. OSPF requires every router in an
area to have an identical database, so dividing the network into areas limits the size
of the database each router must hold.
Tables
∑ Neighbor Table – contains a list of all neighboring routers.
∑ Topology Table – contains a list of all possible routes within an area.
∑ Routing Table – contains the best route for each known network.

Types of Routers
Internal Router (IR) – all OSPF interfaces belong to the same OSPF area.
Backbone Router – at least one OSPF interface belongs to area 0 (the backbone area).
Area Border Router (ABR) – at least one OSPF interface belongs to area 0
(the backbone area) and at least one OSPF interface belongs to a non-backbone
area (an area other than area 0).
Autonomous System Boundary Router (ASBR) – an OSPF router that performs
route injection (redistribution) from another route source (RIP, EIGRP, IS-IS, BGP,
another OSPF process, etc.).

Packet Types
Hello- Discovers neighbors and works as a keepalive
Link State Request (LSR)- Requests a Link State Update (LSU), see below
Database Description (DBD)- Contains summary of LSDB, includes RIDs &
sequence number
Link State Update (LSU)- Contains one or more complete LSAs
Link State Acknowledgement (LSAck)- Acknowledges all other OSPF packets
(except hellos)

States
There are 8 different OSPF states when forming neighbor relationships.
1. Down State: This is the first OSPF neighbor state. The router has started the OSPF
process but there is no communication yet; no Hellos have been received.

2. Attempt State: This is used only for manually configured neighbors in a Non-
Broadcast Multi-Access (NBMA) network. It indicates that the router is sending
Hello packets to its neighbor via unicast, but no reply has been
received within the Dead Interval (4 x Hello Interval).
Ex: An NBMA network is a Frame Relay network, where there are no broadcast and
multicast capabilities.

3. Init State: The router has received a Hello from its neighbor,
but did not find its own Router ID in that Hello packet.

4. Two-Way State
A Hello is received from another router with this router's own RID in the neighbor field. All
other required elements match and the routers become neighbors.

5. Exstart State
The router and its neighbor establish a master/slave relationship and
determine the initial sequence number for the exchange of Database
Description packets. The router with the highest Router ID becomes the master.

6. Exchange State
Routers exchange DBDs that describe their entire link-state database to neighbors
in the Exchange state; a router may also send Link State Request packets to
neighbors to request more recent LSAs.

7. Loading State
Routers compare the DBDs to their LSDB. LSRs are sent for missing or
outdated LSAs. Each router then responds to the LSRs with a Link State Update.
Finally, the LSUs are acknowledged.

8. Full State
The LSDB is completely synchronized with the OSPF neighbor. The routers are
fully adjacent. The adjacencies appear in the router LSA and network LSA.

LSDB Overload
In large OSPF networks, if major network changes occur, a flood of LSAs will
immediately hit the entire network. The number of incoming LSAs to each router
could be substantial and bring the CPU and memory to their knees.

To mitigate that scenario, Cisco offers what it refers to as Link State Database
Overload Protection. Once enabled, if the defined threshold is exceeded over a
one-minute time period, the router enters the ignore state, dropping all
adjacencies and clearing the OSPF database. (# max-lsa <number>)

OSPF Stub Limitations

∑ Virtual links cannot be included
∑ Cannot include an ASBR
∑ The stub configuration must be applied to every router within the stubby
area
∑ Area 0 cannot be a stub

Virtual Link
A virtual link is not a physical link. It is a logical link using the least-cost path
between the ABR of the non-backbone-connected area and the backbone ABR of
the transit area. A virtual adjacency across the virtual link is formed, and routing
information is exchanged.

OSPF Authentication
∑ Simple Authentication (using plaintext keys)
∑ MD5 Authentication

Matching authentication methods and keys must be configured on each interface on
a segment. Theoretically, different passwords could be applied to different router
interfaces; the routers on the other ends of those links would just be required to
have matching information.

With simple authentication the key is carried in the clear in the 64-bit
authentication field of every OSPF packet, so anyone able to capture traffic on the
segment can read it. MD5 authentication carries only a keyed digest and a sequence
number, so the key itself is never sent.

Simple Authentication Example

R1(config)# int fa0/1
R1(config-if)# ip ospf authentication-key KEY123
R1(config-if)# ip ospf authentication
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication

MD5 Authentication Example

R1(config)# int fa0/1
R1(config-if)# ip ospf message-digest-key 1 md5 KEY123
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
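What the two authentication types above actually put on the wire, as an added example that is not part of the original notes. It builds an OSPF header with AuType 1 (the 8-byte password field in the clear) and with AuType 2 as specified in RFC 2328 Appendix D (key ID, 16-byte digest length and a cryptographic sequence number in the authentication field, no checksum, and MD5 over the packet plus the 16-byte padded key appended after the packet), then implements the receiver-side check a router performs: key lookup by key ID, digest comparison, and rejection of an older sequence number. The Router ID, Area ID, key and the hello body are constructed placeholders, and the packet body is a dummy; only the header and authentication trailer are real.

```python
"""OSPF simple vs. MD5 (RFC 2328 Appendix D) authentication (added example).

Not code from the original notes. Router ID, area, key and body are constructed.
"""
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth
HEADER_LEN = 24
HELLO = 1


def internet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pad16(key: str) -> bytes:
    return key.encode()[:16].ljust(16, b"\x00")


def _header(ptype, length, rid, area, checksum, autype, auth8):
    return struct.pack(HEADER_FMT, 2, ptype, length, rid, area, checksum, autype, auth8)


def build_simple(ptype, rid, area, body, password):
    """AuType 1: the password (up to 8 bytes) travels in the clear in the auth field."""
    pw = password.encode()[:8].ljust(8, b"\x00")
    length = HEADER_LEN + len(body)
    # the checksum covers the whole packet except the 64-bit authentication field
    csum = internet_checksum(_header(ptype, length, rid, area, 0, AUTH_SIMPLE, bytes(8)) + body)
    return _header(ptype, length, rid, area, csum, AUTH_SIMPLE, pw) + body


def build_md5(ptype, rid, area, body, key_id, key, seq):
    """AuType 2: checksum is 0, auth field = 0x0000 | key ID | digest length 16 | sequence.
    digest = MD5(packet || key padded to 16 bytes), appended after the packet and
    not counted in the packet length field."""
    auth8 = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(ptype, HEADER_LEN + len(body), rid, area, 0, AUTH_CRYPTO, auth8) + body
    return packet + hashlib.md5(packet + _pad16(key)).digest()


def verify_md5(datagram, keys, last_seq=-1):
    """Receiver-side check. keys: {key_id: key}. Returns (accepted, sequence_to_store).
    Rejects a wrong AuType, unknown key ID, bad digest, or a sequence number older
    than the last accepted one (replay of a captured packet)."""
    if len(datagram) < HEADER_LEN + 16:
        return False, last_seq
    ver, _, length, _, _, _, autype, auth8 = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if ver != 2 or autype != AUTH_CRYPTO or length + 16 != len(datagram):
        return False, last_seq
    _, key_id, au_len, seq = struct.unpack("!HBBI", auth8)
    if au_len != 16 or key_id not in keys or seq < last_seq:
        return False, last_seq
    packet, received = datagram[:length], datagram[length:]
    expected = hashlib.md5(packet + _pad16(keys[key_id])).digest()
    return hmac.compare_digest(received, expected), seq


# Constructed values: Router ID 1.1.1.1, area 0, dummy 20-byte hello body
RID, AREA, BODY = bytes([1, 1, 1, 1]), bytes(4), bytes(20)

if __name__ == "__main__":
    simple = build_simple(HELLO, RID, AREA, BODY, "KEY123")
    print("simple auth field:", simple[16:24])          # the key, readable by any sniffer
    md5_pkt = build_md5(HELLO, RID, AREA, BODY, 1, "KEY123", 100)
    print("md5 auth field:   ", md5_pkt[16:24].hex(), "digest:", md5_pkt[-16:].hex())
    print("verify ok:", verify_md5(md5_pkt, {1: "KEY123"}, 99))
    print("verify replay:", verify_md5(md5_pkt, {1: "KEY123"}, 101))
```

Two details matter operationally: the key ID in the header is what lets a receiver try several configured keys during a key rollover, and the sequence check only stops replays if the receiver actually stores the last accepted value per neighbor, which the function returns for that purpose.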

Each OSPF router is identified by a unique Router ID. The Router ID can be
determined in one of three ways:

∑ The Router ID can be manually specified.
∑ If not manually specified, the highest IP address configured on any
loopback interface on the router will become the Router ID.
∑ If no loopback interface exists, the highest IP address configured on any
physical interface will become the Router ID.

Hello / Dead Interval

∑ OSPF Hello/Dead interval for non-broadcast and point-to-multipoint
interfaces: 30/120 seconds
∑ OSPF Hello/Dead interval for broadcast and point-to-point interfaces:
10/40 seconds
∑ Notice that, by default, the Dead interval is four times the Hello
interval.

Area Types
∑ Standard area
∑ Backbone area (area 0)
∑ Stub area
∑ Totally stubby area
∑ Not-so-stubby area (NSSA)
∑ Totally NSSA

Stub Area (area <area> stub)

It contains type 1, 2, and 3 LSAs.
No type 4 and 5 LSAs (E1 or E2) are allowed.
Routers reach the external routes via the default route that is injected by
the ABR.
It can't have an ASBR.
The backbone area can't be configured as a stub area.

Totally Stubby Area (area <area> stub no-summary)

Cisco proprietary.
It contains type 1 and 2 LSAs.
LSA types 3, 4 and 5 are blocked.
A default route is injected by the ABR.
Only the ABR has to be configured with the "no-summary" keyword.
Intra-area routers in the totally stubby area should have the "area <area> stub"
command.

∑ Standard areas can contain LSAs of type 1, 2, 3, 4, and 5, and may contain
an ASBR. The backbone is considered a standard area.
∑ Stub areas can contain type 1, 2, and 3 LSAs. A default route is substituted
for external routes.
∑ Totally stubby areas can only contain type 1 and 2 LSAs, and a single type 3
LSA. The type 3 LSA describes a default route, substituted for all external
and inter-area routes.
∑ Not-so-stubby areas implement stub or totally stubby functionality yet
contain an ASBR. Type 7 LSAs generated by the ASBR are converted to type
5 by ABRs to be flooded to the rest of the OSPF domain.

Network Types
- An OSPF router maintains a data structure for each OSPF-enabled interface.
- If the network type is changed, the hello and dead timers are adjusted
accordingly.
- OSPF defines six network types.

Broadcast Network
The default network type on Ethernet interfaces.
Will elect a DR and a BDR.
Uses the multicast address 224.0.0.5 (MAC 0100.5E00.0005) for AllSPFRouters and
224.0.0.6 (MAC 0100.5E00.0006) for AllDRouters.
There is NO next-hop modification. The next-hop IP remains that of the
originating router.
Layer 3 to layer 2 resolution is required.
Broadcast networks can't have unicast neighbours configured.
10 hello / 40 dead interval.

Non-Broadcast Network
Can connect more than two routers but has no native broadcast capability.
Non-Broadcast is the default network type on multipoint frame-relay interfaces,
e.g. a main interface.
OSPF routers on NBMA networks elect a DR and BDR, but all OSPF packets are
unicast between each manually specified neighbour, configured with the "neighbor"
command.
The next-hop IP is not changed and remains the IP address of the originating
router.
The default priority is 1, and should be disabled (=0) on ALL SPOKES, to prevent a
spoke from becoming a blackhole DR/BDR.
30 hello / 120 dead interval.

Point-to-Point Network
Default on T1, DS-3, SONET links and on point-to-point sub-interfaces on frame-
relay.
Has no DR/BDR election; OSPF is configured as per normal.
Uses the multicast destination AllSPFRouters (224.0.0.5), except for
retransmitted LSAs, which are unicast.
The next-hop IP is that of the advertising router.
OSPF ignores subnet mask mismatches on point-to-point links.
10 hello / 40 dead interval.

Points to Remember:

∑ When the priority is set to 0, that router won't participate in the DR/BDR election
∑ When routes from another routing protocol are redistributed into OSPF,
make sure the "subnets" keyword is added
∑ If a ping to 224.0.0.5 fails, it means the router has no OSPF neighbors
∑ When OSPF is enabled across an NBMA network, a DR/BDR election will
occur. We need to configure the neighbor command to build adjacencies
∑ If no loopback is configured, the highest IP address becomes the Router ID used in the
DR election
∑ OSPFv3 for IPv6 authentication is provided by IPv6 IPsec
∑ By default, routes redistributed from other routing protocols into OSPF
appear as type E2 routes in the OSPF routing table
∑ In OSPF, a router only establishes full adjacency with the DR and BDR on
broadcast multi-access networks
∑ OSPF Network LSAs are originated by the DR on every multi-access
network. They include all attached routers, including the DR itself
∑ In OSPF, if a router is stuck in the INIT state it means that router did not receive
its own Router ID in the Hello packets from the neighboring router

Advantages of creating multiple areas in OSPF

∑ Less frequent SPF calculation
∑ Smaller routing table
∑ Reduced LSU overhead

Three restrictions apply to OSPF stub areas:

∑ No virtual links are allowed.
∑ The area cannot be a backbone area.
∑ No Autonomous System Boundary Routers (ASBRs) are allowed.

Two statements about route redistribution when implementing OSPF:

∑ OSPF can import routes learned using EIGRP and RIP
∑ OSPF routes can be exported into BGP

Three statements about OSPF areas:

∑ Areas introduce a boundary on the link-state updates.
∑ All routers within an area have the exact same link-state database.
∑ The calculation of the Dijkstra algorithm on a router is limited to changes within
an area.
R2 belongs to both Area 0 and Area 1. R5 belongs to both Area 0 and Area 2.
These routers are known as Area Border Routers (ABRs).

Area 0 is known as Backbone Area. Every router which has an interface in Area 0
can be considered a Backbone Router. All other areas must have a connection to
Area 0 (except using virtual-link). Without Area 0, routers can only function within
that area.

OSPF has 11 LSA types, numbered 1 to 11, but some of them are not used, like Type 6
(Multicast LSA), 8 (used for BGP), and 9, 10, 11 (Opaque LSAs).

In the referenced topology, R7 has Type 1, Type 2 and Type 3 LSAs.
If you check R2 (ABR), it has Type 1, Type 2 and Type 3 LSAs for both Area 0 and
Area 1.
If you check R5 (ABR), it has Type 1, Type 2 and Type 3 LSAs for both Area 0 and
Area 2.

Router link LSA (Type 1) – Each router generates a Type 1 LSA that lists its active
interfaces, IP addresses, neighbors and the cost to each. A Type 1 LSA is only
flooded inside the router's area; it does not cross the ABR.

Network link LSA (Type 2) – Sent out by the Designated Router (DR) and lists all
the routers on the segment it is adjacent to. Type 2 LSAs are flooded within their area
only; they do not cross the ABR. Types 1 and 2 are the basis of SPF path selection.

Summary link LSA (Type 3) – ABRs generate this LSA to send between areas (so
Type 3 is called an inter-area link). The ABR gathers the information it has learned in one of its
attached areas and summarizes it before sending it into another area. Type 3 LSAs
are injected by the ABR from the backbone area into other areas and from
other areas into the backbone area.

“ADV router” is the router that is advertising that information.

R3#
router ospf 1
redistribute eigrp 100 subnets

Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to
routers in other areas, so that routers in other areas know how to reach external
routes through that ASBR.

A Type 4 LSA is used so routers in other areas can find the ASBR; since R1 and R2 are
in the same area (R1 already knows the Router ID of R2), there is no need to
install a Type 4 LSA in the LSDB of R1.

External Link LSA (Type 5) – Generated by the ASBR to describe routes redistributed
into the area, pointing the destination for these external routes to the ASBR.
These routes appear as O E1 or O E2 in the routing table. In the referenced topology,
R3 generates Type 5 LSAs to describe the external routes redistributed from R8
and floods them to all other routers, telling them "if you want to reach these
external routes, send your packets to me!". But routers in other areas will ask "how can I
reach you? You didn't tell me where you are in your Type 5 LSA!". That is
what the Type 4 LSA does: it tells routers in other areas where the ASBR is.

Multicast LSA (Type 6) – Specialized LSAs used in multicast OSPF
applications. Cisco does not support them.

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not-So-Stubby Area
(NSSA) to describe routes redistributed into the NSSA; a Type 7 LSA is translated into a
Type 5 LSA as it leaves the NSSA. These routes appear as N1 or N2 in the routing table
inside the NSSA. Much like Type 5, N2 is a static cost while N1 is a cumulative cost
that includes the cost up to the ASBR.

LSA Type 8 (External Attributes LSA for Border Gateway Protocol (BGP)) –
Used to work with BGP.

LSA Types 9, 10, 11 (Opaque LSAs) – For future use.

BGP (Border Gateway Protocol)

Within an Autonomous System we use an IGP such as OSPF or EIGRP.
For routing between different Autonomous Systems we use an EGP, i.e. BGP.

The Internet is a collection of ASes connected to each other. An AS number for BGP
must be registered, just like a public IP address.
AS numbers are 16-bit, from 1 to 65535.
Private range: 64512-65535.

There are 2 types of BGP:

∑ EBGP
∑ IBGP

EBGP: used for routing between two different Autonomous Systems.

IBGP: used for routing within the same Autonomous System.

Features:
∑ It is an open standard
∑ Exterior Gateway Protocol
∑ It is the routing protocol we use to route between autonomous systems
∑ It guarantees loop-free routing information
∑ It avoids loops by being a path-vector routing protocol [BGP saves the path as
routes enter an AS]
∑ It doesn't use metrics but a rich set of BGP attributes
∑ It uses TCP port 179
∑ Administrative distance of EBGP is 20
∑ Administrative distance of IBGP is 200
∑ Authentication used in BGP is MD5
∑ The version currently in use is BGP v4
∑ BGP saves paths to all destinations in a table called the forwarding table. The best
path from the forwarding table is saved in the routing table
∑ Routers running BGP are termed BGP speakers
∑ Its neighbors are called peers. Peers must be configured statically
∑ It was built for reliability and control, not for speed
∑ Once BGP peers form a neighbor relationship, they share their full routing
table. Afterwards, only changes to the routing table are forwarded to peers.
ASA
(ADAPTIVE SECURITY APPLIANCE)

Firewall & types of firewall
A firewall is a network security device; it is used to secure the network. It permits
or denies traffic between an untrusted zone (Internet) and a trusted zone (a
private or corporate network). By default all traffic is blocked in a firewall.

Types of Firewall
Packet Filtering Firewall
Application Gateway Firewall
Stateful Inspection Firewall

Stateful firewall & stateful inspection

A stateful firewall keeps track of the state of the network connections travelling
across it.

Stateful inspection is the technology used in a stateful firewall. It is also referred to as
dynamic packet filtering.

Security Context & types of context

Virtually dividing the firewall into more than one firewall is called a Security
Context.

Context Types
System Context
Admin Context
User-defined Context

admin-context admin
context Admin
config-url Admin.cfg
allocate-interface GigabitEthernet0/2

context C1
config-url C1.cfg
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/0

How many Virtual Firewalls can be configured?

Model   No. of Firewalls (contexts) Supported
5505    None
5510    2
5520    20
5540    50
5550    50
5580    50

How to activate the license
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Cluster ASA & high availability
Active / Standby: One forwarding path and one active ASA. The standby forwards
traffic when the active device fails over. Traffic is not evenly distributed over both
units. Active / Standby works in single or multiple context mode.

Active / Active for groups of contexts: Not supported in single context mode. Only
available in multiple context mode; both ASAs forward at the same time by
splitting the contexts into logical failover groups.

Active-Active failover
Available in multiple context mode; both security appliances can pass network
traffic.

Configuration:
mac-address auto

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary

ASA1(config)# context CTX-1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX-2
ASA1(config-ctx)# join-failover-group 2

failover lan unit primary
failover lan interface FOVER GigabitEthernet 0/1
failover link FOVER GigabitEthernet 0/1
failover interface ip FOVER 7.7.100.100 255.255.255.0 standby 7.7.100.101

packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 eq 23

Redundant interface & EtherChannel

Redundant Interface
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 no shutdown
 ip address 10.1.1.1 255.255.255.0

An ASA can have a maximum of 48 EtherChannels.


SLA Route monitoring
If the ASA is the border router and the ISP link fails beyond a switch [ASA <-> Switch
<-> ISP], the ASA will not get to know about the link failure, because its own
interface stays up. To overcome this, we make use of IP Route Tracking.

This is done by sending ICMP Echos to the ISP, to which the ISP router keeps
replying. If the ISP router fails, it will not send the reply.
As a backup, we need to have ISP2 configured; the ASA will automatically update
its routing table to use ISP2.

Syntax:
sla monitor <Number>
 type echo protocol ipIcmpEcho <IP address> interface <interface name>
 timeout <0-604800000>      (in milliseconds)
 frequency <1-604800>       (in seconds)
sla monitor schedule <Number> start-time now life <Life seconds | forever>
track <1-500 Tracked object> rtr <Number> reachability

Configuration:
sla monitor 100
type echo protocol ipIcmpEcho 7.7.6.6 interface outside
timeout 100
frequency 1
sla monitor schedule 100 start-time now life forever
track 1 rtr 100 reachability

RTR- Response Time Reporter

Routed firewall & transparent firewall

Routed Firewall
∑ Default mode for an ASA firewall.
∑ It acts as a layer 3 device.
∑ It uses routing protocols and static routes.
∑ Forwarding is based on destination IP addresses.

Transparent Firewall
∑ Known as Bump in the Wire.
∑ It acts as a layer 2 device.
∑ Forwarding is based on destination MAC address.

Adaptive Security Device Manager (ASDM) installation
Telnet:
ASA(config)# telnet <IP Address> <subnet mask> <Interface Name>

SSH:
ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# ssh <IP Address> <subnet mask> <Interface Name>
ASA(config)# username cisco password cisco
ASA(config)# aaa authentication ssh console LOCAL

HTTP:
ASA(config)# http server enable
ASA(config)# http <IP Address> <subnet mask> <Interface Name>
ASA(config)# aaa authentication http console LOCAL

Static Route
ASA(config)# route <Interface Name> <Dest Network> <Net Mask> <Next Hop Ip>

Default Route
ASA(config)# route <Interface-Name> 0.0.0.0 0.0.0.0 <Next Hop Ip>

EIGRP
router eigrp <AS>
 network <Network> <Subnet Mask>
 no auto-summary

OSPF
router ospf <Process No.>
 network <Network> <Subnet Mask> area <Area>

Authentication in ASA Routing Protocols


RIP
rip authentication mode md5
rip authentication key cisco key_id 1

EIGRP
authentication mode eigrp 100 md5
authentication key eigrp 100 cisco key-id 1
Permit traffic between interfaces at the SAME SECURITY LEVEL
same-security-traffic permit inter-interface

Hairpinning in ASA (traffic that enters and leaves through the same interface)
same-security-traffic permit intra-interface

Access Control List


Access lists can be configured to filter network traffic as it passes through the
firewall.

ASA supports the following types of access control lists:

1. Standard access lists
2. Extended access lists
3. Webtype access lists
4. IPv6 ACL
5. Ethertype ACL

1. Standard access lists:

Identify the destination IP addresses of OSPF routes and can be used in a route
map for OSPF redistribution. Standard access lists cannot be applied to interfaces
to control traffic.

2. Extended access lists:

An extended access list is made up of one or more access control entries (ACEs) in
which you can specify the line number at which to insert the ACE, the source and
destination addresses and, depending upon the ACE type, the protocol, the ports
(for TCP or UDP), or the ICMP type (for ICMP).

3. Webtype access lists:


Webtype access lists are added to a configuration that supports filtering for
clientless SSL VPN.

5. EtherType access lists:


An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal
number. You can apply only one access list of each type (extended and EtherType)
to each direction of an interface. You can also apply the same access lists on
multiple interfaces.
ASA in Transparent Mode supports two types of access lists: IPv4 Extended ACLs
used for Layer 3 traffic filtering and Ethertype ACLs used for Layer 2 traffic
filtering.
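The following Python model is an added illustration, not ASA code and not part of these notes: it walks through how an extended access list is evaluated (ACEs kept in line order, a new ACE inserted at a chosen line number, first match wins, and an implicit deny for anything unmatched). The addresses 5.5.5.5 and 2.2.2.0/24 are the sample values used elsewhere in the notes; the ACL name OUTSIDE_IN and the outside hosts 1.1.1.1 and 8.8.8.8 are assumed.

```python
"""Toy evaluator for ASA-style extended access lists (added example, not ASA code).

Models the behaviour described above: ACEs kept in line order, insertion at a
chosen line number, first match wins, and an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Small subset of the keyword tables the ASA CLI accepts in an ACE.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    protocol: str                      # "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: Optional[int] = None     # tcp/udp only
    icmp_type: Optional[int] = None    # icmp only


@dataclass
class ACE:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.protocol == "ip" or self.protocol == p.protocol)
                and p.src in self.src and p.dst in self.dst
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


def parse_ace(text: str) -> ACE:
    """Parse e.g. 'permit tcp 10.1.1.0 255.255.255.0 host 5.5.5.5 eq telnet'."""
    toks = text.split()

    def take_addr(pos: int):
        if toks[pos] == "any":
            return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
        if toks[pos] == "host":
            return ipaddress.IPv4Network(toks[pos + 1] + "/32"), pos + 2
        # ASA writes "network netmask"; ipaddress accepts the same pair as "net/mask".
        return ipaddress.IPv4Network(toks[pos] + "/" + toks[pos + 1], strict=False), pos + 2

    action, proto = toks[0], toks[1]
    src, pos = take_addr(2)
    dst, pos = take_addr(pos)
    dst_port = icmp_type = None
    if pos < len(toks) and proto in ("tcp", "udp") and toks[pos] == "eq":
        dst_port = PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
    elif pos < len(toks) and proto == "icmp":
        icmp_type = ICMP_TYPES[toks[pos]] if toks[pos] in ICMP_TYPES else int(toks[pos])
    return ACE(action, proto, src, dst, dst_port, icmp_type)


class ExtendedACL:
    def __init__(self, name: str):
        self.name = name
        self.entries: list = []

    def add(self, ace: ACE, line: Optional[int] = None) -> None:
        """Append, or insert at a 1-based line number, pushing later ACEs down."""
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """(action, matching line); the implicit deny at the end reports line None."""
        for line, ace in enumerate(self.entries, start=1):
            if ace.matches(p):
                return ace.action, line
        return "deny", None


def pkt(proto: str, src: str, dst: str, port: int = None, icmp: int = None) -> Packet:
    return Packet(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), port, icmp)


def evaluate_samples() -> dict:
    """Constructed OUTSIDE_IN list and traffic, reusing addresses from the notes above."""
    acl = ExtendedACL("OUTSIDE_IN")
    acl.add(parse_ace("permit tcp any host 5.5.5.5 eq telnet"))
    acl.add(parse_ace("permit icmp any any echo-reply"))
    acl.add(parse_ace("deny ip 2.2.2.0 255.255.255.0 any"))
    # Inserted at line 1, so this host-specific deny is checked before the broad permit.
    acl.add(parse_ace("deny tcp host 2.2.2.2 host 5.5.5.5 eq telnet"), line=1)
    samples = {
        "telnet from 1.1.1.1": pkt("tcp", "1.1.1.1", "5.5.5.5", port=23),
        "telnet from 2.2.2.2": pkt("tcp", "2.2.2.2", "5.5.5.5", port=23),
        "ssh from 1.1.1.1": pkt("tcp", "1.1.1.1", "5.5.5.5", port=22),
        "echo-reply to 5.5.5.5": pkt("icmp", "8.8.8.8", "5.5.5.5", icmp=0),
        "dns from 2.2.2.9": pkt("udp", "2.2.2.9", "5.5.5.5", port=53),
    }
    return {name: acl.evaluate(p) for name, p in samples.items()}
```

The SSH sample matches no ACE and so falls to the implicit deny, which is why every ASA ACL that is meant to permit something must say so explicitly.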

Properties of Transparent Mode


∑ ASA can be used in Transparent Firewall mode
∑ This is used if you do not want the subnet or next hop to change in the
network
∑ It is a Layer 2 Firewall
∑ Also known as Bump in the wire / stealth firewall
∑ Works on the MAC address table instead of the routing table
∑ QoS is not supported in Transparent mode
∑ Not counted as a router hop
∑ By default ARP traffic is allowed from ANY to ANY
∑ ARP can be controlled via ARP inspection

Limitations of Transparent Mode


∑ VPNs cannot be terminated, but can pass through
∑ Routing protocols cannot be configured
∑ Can be a DHCP server but cannot be a DHCP relay agent
∑ Ether-type ACLs can only be configured in Transparent Mode
∑ CDP cannot pass through the ASA unless the Ether-Type value is greater than
0x600
∑ Can filter all IP and non-IP traffic

There are 2 types of failover:


Stateless Failover
∑ When a failover occurs, all active connections are dropped.
∑ The end user/clients will need to re-establish connections when the new
active unit takes over

Stateful Failover
∑ When a stateful failover is enabled, the active unit will continuously pass
per connection state information to the standby unit.
∑ When a failover occurs, the same connection information would be
available at the new active unit thus the failover happens seamlessly.
∑ Supported end user applications are not required to reconnect to keep the
same communication sessions

Failover Requirements
∑ Both ASAs in the pair should be the same model
∑ Both ASAs should have the same number and type of interfaces
∑ Both ASAs should have the same amount of RAM
∑ Both should be in the same operating mode (Transparent/Routed &
Single/Multiple)
∑ The major and minor version of the OS should be the same, but the patch no. can
be different

Failover Link
∑ The failover link connects the two ASA units in a failover pair.
∑ They constantly communicate over the failover link to determine the
operating state of each unit.
∑ It is NEVER a data link and will never participate in data traffic!
∑ Cisco recommends using a switch on the failover link, to find out which
side is faulty if the failover connection is down.

There are 2 types of failover links:


LAN failover link (Used for Stateless Failover)
∑ Message 1: Unit State (Active/Standby)
∑ Message 2: Hello Message (Keep Alives - Every 15 seconds)
∑ Message 3: Network Link Status
∑ Message 4: Mac-Address Exchange
∑ Message 5: Configuration Replication & Synchronization

Stateful failover link (Both together used for Stateful Failover)


∑ Table 1: NAT Translation Table (Xlate)
∑ Table 2: TCP Connection Table
∑ Table 3: UDP Connection Table
∑ Table 4: ARP Entries
∑ Table 5: Layer 2 Bridge Table (Transparent)
∑ Table 6: HTTP Connections Table (if http replication is enabled)
∑ Table 7: ISAKMP & IPsec Table (VPN)

Health Monitoring
Unit Monitoring: The failover link determines the health of the overall unit.
HELLO packets are sent over the failover link. The lack of three consecutive
HELLOs causes the ASA to send an additional HELLO packet out ALL data interfaces,
including the failover link.

Upgrade ASA 8.2 to 9.1 Zero downtime steps


For CLI
Step 1 Back up your configuration, either by TFTP or by using the following command
and copying the output:
ASA# more system:running-config

Step 2 Copy ASA software to the active unit flash memory


ASA# copy tftp://192.168.100.100/asa901-smp-k8.bin disk0:/asa901-smp-k8.bin

Step 3 Copy the software to the standby unit. Use the same path as on the active
unit
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asa901-smp-k8.bin disk0:/asa901-smp-k8.bin

Step 4 Copy ASDM image to the active ASA unit’s flash memory
ASA# copy tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin
Step 5 Copy the ASDM image to the standby ASA unit; use the same path as on the
active unit
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin

Step 6 Enter global configuration mode


ASA# conf t
asa(config)#

Step 7 Verify current boot images configured. ASA uses these images in order.
To make the ASA boot to the new image, remove the existing entries and enter
the image URLs in the order desired.
asa(config)#show running-config boot system

Step 8 Remove any existing boot image.


asa(config)#no boot system disk0:/asa861-smp-k8.bin

Step 9 Set the ASA image to boot. Repeat command for backup images.
asa(config)#boot system disk0:/asa901-smp-k8.bin
asa(config)#boot system disk0:/asa861-smp-k8.bin

Step 10 Set the ASDM image to use. Only one can be configured.
asa(config)#asdm image disk0:/asdm-711.bin

Step 11 Save settings to the startup config.
asa(config)# write memory
Step 12 Reload the standby unit to boot the new image. Wait for the standby to
finish loading and use show failover command to verify the standby unit is in
Standby Ready state.
ASA# failover reload-standby

Step 13 Force the active unit to fail over to the standby unit.
ASA# no failover active

Step 14 Reload the former active unit (now the standby): log into it and enter
ASA# reload

State Information Passed:


∑ NAT Table
∑ TCP Connection States
∑ UDP Connection States
∑ ARP Table
∑ HTTP Connection States
∑ ISAKMP and IPSec SA table
∑ SIP signaling sessions

State Information Not Passed:


∑ User authentication (uauth) table.
∑ Routing tables.
∑ State information for Security Service Modules.
∑ DHCP server address leases.

Short:
∑ Load the image on both units' disk0:
∑ Change the boot variable
∑ Save the config with that change
∑ From the active unit, "failover reload-standby"
∑ Wait for successful reload and verify configuration is synced OK. You should
expect a message that mate software version is different.
∑ "no failover active" on active unit
∑ Log into newly active unit and "failover reload-standby"
∑ Wait for successful reload and verify configuration is synced OK. Both units
are now on 9.1(1)

How does the switch divert traffic to the standby ASA when the link to the active
ASA is down?
Switches only forward frames based on MAC address. The secondary ASA takes over
the MAC address of the failed ASA.

Active/Standby Failover Overview


Active/Standby failover enables you to use a standby ASA to take over the
functionality of a failed unit. When the active unit fails, it changes to the standby
state while the standby unit changes to the active state. The unit that becomes
active assumes the IP addresses (or, for transparent firewall, the management IP
address) and MAC addresses of the failed unit and begins passing traffic. The unit
that is now in standby state takes over the standby IP addresses and MAC
addresses. Because network devices see no change in the MAC to IP address
pairing, no ARP entries change or time out anywhere on the network.

ASA 5505
Maximum throughput 150 Mbps
Maximum connections 10,000 (Security Plus -25,000)
Maximum connections/sec 4,000
Maximum 3DES/AES (VPN) throughput 100 Mbps
Maximum VPN sessions 10 (Security Plus -25)
Maximum SSL VPN sessions 25
Interface 8 Ethernet

ASA 5510
Maximum throughput 300 Mbps
Maximum connections 50,000 (Security Plus -130,000)
Maximum connections/sec 9,000
Maximum 3DES/AES (VPN) throughput 170 Mbps
Maximum VPN sessions 250
Maximum SSL VPN sessions 250
Interface 5 FastEthernet (2 Gigabit Ethernet + 3 Fast Ethernet)

ASA 5520
Maximum throughput 450 Mbps
Maximum connections 280,000
Maximum connections/sec 12,000
Maximum 3DES/AES (VPN) throughput 225 Mbps
Maximum VPN sessions 750
Maximum SSL VPN sessions 750
Interface 4 Gigabit Ethernet + 1 Fast Ethernet

ASA 5540
Maximum throughput 650 Mbps
Maximum connections 400,000
Maximum connections/sec 25,000
Maximum 3DES/AES (VPN) throughput 325 Mbps
Maximum VPN sessions 5,000
Maximum SSL VPN sessions 2,500
Interface 4 Gigabit Ethernet + 1 Fast Ethernet

ASA 5550
Maximum throughput 1.2 Gbps
Maximum connections 650,000
Maximum connections/sec 36,000
Maximum 3DES/AES throughput 425 Mbps
Maximum VPN sessions 5,000
Maximum SSL VPN sessions 5,000
Interface 8 Gigabit Ethernet + 1 Fast Ethernet

ASA 5580
Maximum throughput 10 Gbps
Maximum connections 2,000,000
Maximum connections/sec 150,000
Maximum 3DES/AES throughput 1 Gbps
Maximum VPN sessions 10,000
Maximum SSL VPN sessions 10,000

NAT ASA

Static NAT
Static PAT
Dynamic NAT
Dynamic PAT
Bypass NAT
- Identity NAT (nat 0)
- Static Identity NAT
- NAT Exemption
Policy NAT
- Static policy NAT
- Dynamic Policy NAT

Static NAT
static (inside,outside) <Mapped IP> <Real IP> netmask <Subnet Mask>
static (inside,outside) 5.5.5.5 10.1.1.1 netmask 255.255.255.255

Static PAT
static (inside,outside) <tcp|udp> <Mapped_IP> <Map_port> <real_IP> <real_port> netmask <mask>
static (inside,outside) tcp 5.5.5.5 telnet 10.1.1.1 telnet netmask 255.255.255.255

DYNAMIC NAT
nat (interface) <nat_id> <Network ID> <Subnet Mask>
global (interface) <nat_id> <StartIP>-<EndIP> netmask <Subnet Mask>
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 5.5.5.1-5.5.5.3 netmask 255.255.255.0

Dynamic PAT
nat (inside) <nat_id> <Network ID> <Subnet Mask>
global (outside) <nat_id> interface | <Mapped IP>
nat (inside) 1 2.2.2.0 255.255.255.0
global (outside) 1 20.1.1.1

NAT BYPASS

Identity NAT
nat (interface) 0 <network> <mask>
nat (inside) 0 1.1.1.0 255.255.255.0

Static Identity NAT


static (inside,outside) <mapped IP> <Real IP> netmask <Subnet Mask>
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

NAT Exemption (Policy Based Identity NAT)


access-list <acl no> permit ip host < Source IP> host < Destination IP>
nat (inside) 0 access-list <ACL Name>

access-list 101 permit ip host 2.2.2.2 host 20.1.1.1


nat (inside) 0 access-list 101
Policy Based Dynamic NAT
access-list <ACL_Name2> permit ip 1.1.1.0 255.255.255.0 host 20.1.1.1
nat (interface) <nat_id> access-list <ACL>
global (interface) <nat_id> <mapped IP range>

Policy based Static NAT

access-list <ACL Name> permit ip host 2.2.2.1 host 3.3.3.1
static (inside,outside) 22.22.22.22 access-list <ACL Name>

Dynamic Policy PAT


nat (interface) <ID> access-list <ACL>
global (interface) <ID> <mapped IP|interface>
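The Python model below is an added example, not ASA code or text from these notes: it simulates the translation (xlate) table that the commands above build, so the run-time difference between static NAT, dynamic PAT and NAT exemption can be seen on constructed flows. The mapped addresses 5.5.5.5 and 20.1.1.1, the real host 10.1.1.1 and the exempt host 2.2.2.2 come from the examples above; the inside hosts 1.1.1.10/11, the outside hosts 8.8.8.8 and 9.9.9.9, the exempt destination 10.2.2.0/24 and all port numbers are assumed.

```python
"""Toy model of the ASA translation (xlate) table (added example, not ASA code).

Shows what the commands above do at run time: static NAT is a fixed one-to-one
mapping usable in both directions, dynamic PAT shares one mapped address by
giving each connection its own source port, and NAT exemption (nat 0
access-list) leaves matching traffic untranslated.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatEngine:
    def __init__(self, pat_address: str, first_port: int = 1024):
        self.static: Dict[str, str] = {}            # real IP -> mapped IP
        self.exempt: List[Tuple] = []               # (src net, dst net) from the nat 0 ACL
        self.pat_address = pat_address              # global (outside) <id> <mapped IP>
        self.next_port = first_port
        # xlate table: (mapped IP, mapped port, proto) -> original inside flow
        self.xlate: Dict[Tuple[str, int, str], Flow] = {}

    def add_static(self, mapped_ip: str, real_ip: str) -> None:
        """static (inside,outside) <mapped IP> <real IP> netmask 255.255.255.255"""
        self.static[real_ip] = mapped_ip

    def add_exemption(self, src_net: str, dst_net: str) -> None:
        """access-list N permit ip <src> <dst>  +  nat (inside) 0 access-list N"""
        self.exempt.append((ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)))

    def outbound(self, flow: Flow) -> Flow:
        """Translate an inside -> outside packet and record the xlate it creates."""
        src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
        if any(src in s and dst in d for s, d in self.exempt):
            return flow                                        # exemption: untouched
        if flow.src_ip in self.static:
            return replace(flow, src_ip=self.static[flow.src_ip])  # static NAT keeps the port
        for (m_ip, m_port, _), real in self.xlate.items():     # reuse an existing PAT xlate
            if real == flow:
                return replace(flow, src_ip=m_ip, src_port=m_port)
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        m_port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[(self.pat_address, m_port, flow.proto)] = flow
        return replace(flow, src_ip=self.pat_address, src_port=m_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Reverse-translate an outside -> inside packet sent to a mapped address."""
        real = self.xlate.get((flow.dst_ip, flow.dst_port, flow.proto))
        if real is not None:
            return replace(flow, dst_ip=real.src_ip, dst_port=real.src_port)
        for real_ip, mapped_ip in self.static.items():
            if mapped_ip == flow.dst_ip:
                return replace(flow, dst_ip=real_ip)
        return None                                            # no xlate: packet is dropped


def demo() -> dict:
    """Constructed flows; mapped addresses and the exempt host come from the notes."""
    nat = NatEngine(pat_address="20.1.1.1")                   # global (outside) 1 20.1.1.1
    nat.add_static("5.5.5.5", "10.1.1.1")                      # static (inside,outside) 5.5.5.5 10.1.1.1
    nat.add_exemption("2.2.2.2/32", "10.2.2.0/24")             # assumed exempt destination (VPN LAN)
    q1 = Flow("udp", "1.1.1.10", 40000, "8.8.8.8", 53)
    a = nat.outbound(q1)
    b = nat.outbound(Flow("udp", "1.1.1.11", 40000, "8.8.8.8", 53))
    return {
        "pat_a": a,
        "pat_b": b,
        "pat_a_reused": nat.outbound(q1) == a,                 # same flow, same xlate
        "reply_to_b": nat.inbound(Flow("udp", "8.8.8.8", 53, b.src_ip, b.src_port)),
        "static_out": nat.outbound(Flow("tcp", "10.1.1.1", 5000, "8.8.8.8", 80)),
        "static_in": nat.inbound(Flow("tcp", "9.9.9.9", 5100, "5.5.5.5", 23)),
        "exempt": nat.outbound(Flow("tcp", "2.2.2.2", 6000, "10.2.2.5", 445)),
        "unsolicited": nat.inbound(Flow("tcp", "9.9.9.9", 4444, "20.1.1.1", 2000)),
    }
```

Two inside hosts using the same source port both share 20.1.1.1 and are told apart only by the mapped port, while an inbound packet with no matching xlate or static entry has nowhere to go.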

IPSEC VPN ASA

Step 1: enable
crypto isakmp enable outside

Step 2: ISAKMP Policy


crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Step 3: IPsec Transform Set


crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac

Step 4: Create an ACL to Match Traffic

access-list LAN_Traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Step 5: Create a Tunnel Group
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 pre-shared-key cisco

Step 6: Create a Crypto Map
crypto map IMAP 1 match address LAN_Traffic
crypto map IMAP 1 set peer 172.16.2.2
crypto map IMAP 1 set transform-set TSET

Step 7: Apply the Crypto Map
crypto map IMAP interface outside

Types of Attack
∑ Cryptographic Attacks
∑ Injection Attacks
∑ Privilege escalation
∑ Phishing
∑ DoS
∑ Spoofing
∑ Malware

Password guessing attack


An unauthorized user repeatedly tries to log on to a computer or network by
guessing usernames and passwords.
∑ BruteForce Attack
∑ Dictionary attack

Brute force attack


Brute force attack is a type of password guessing attack. In this type of attack,
attackers systematically try every conceivable combination to find out the
password of a user.

Dictionary attack
This type of attack uses a dictionary of common words to find out the password of
a user. It can also use common words in either upper or lower case to find a
password. There are many programs available on the Internet to automate and
execute dictionary attacks.
Man in the middle attack
Occurs when an attacker successfully inserts intermediary software or a program
between two communicating systems.

Phishing
ó Phishing is a type of deception designed to steal your valuable personal
data, such as credit card numbers, passwords, account data, or other
information.
ó Con artists might send millions of fraudulent e-mail messages that appear
to come from Web sites you trust, like your bank or credit card Company,
and request that you provide personal information.

DoS attack
ó It is also known as “network saturation attack” or “bandwidth consumption
attack”.
ó Attackers make Denial-of-Service attacks by sending a large number of
protocol packets to a network.

Common DoS Attacks


1. SYN attack
2. PING flood
3. Ping of death
4. Teardrop attack
5. Smurf attack

SYN attack/SYN flooding


ó A SYN attack affects computers running the TCP/IP protocol.
ó An attacker sends multiple SYN packets to the target computer.
ó For each SYN packet received, the target computer allocates resources and
sends an acknowledgement (SYN-ACK) to the source IP address. Since the
target computer does not receive a response from the attacking computer,
it attempts to resend the SYN-ACK.
ó This leaves TCP ports in a half-open state. When an attacker sends TCP
SYNs repeatedly, the target computer eventually runs out of resources and
is unable to handle any more connections, thereby denying service to
legitimate users.

PING flood
ó It relies on the ICMP echo command, more popularly known as ping.
ó In legitimate situations the ping command is used by network
administrators to test connectivity between two computers.
ó In the ping flood attack, it is used to flood large amounts of data packets to
the victim’s computer in an attempt to overload it.

Ping of death
ó The maximum size for a packet is 65,535 bytes. If one were to send a
packet larger than that, the receiving computer would ultimately crash
from confusion.
ó Sending a ping of this size is against the rules of the TCP/IP protocol, but
hackers can bypass this by cleverly sending the packets in fragments. When
the fragments are assembled on the receiving computer, the overall packet
size is too great. This will cause a buffer overflow and crash the device.

Teardrop attack
ó Teardrop attacks exploit the reassembly of fragmented IP packets.
Fragment offset indicates the starting position of the data contained in a
fragmented packet relative to the data of the original unfragmented
packet.
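As an added defensive example (not part of these notes), the Python below shows how a reassembler can refuse both malformed patterns just described, the oversized ping of death and the overlapping teardrop offsets, by validating fragment offsets and lengths before any bytes are copied. The fragment sets are constructed sample data; the 20-byte header length is assumed.

```python
"""Defensive IPv4 fragment-reassembly check (added example, not from the notes).

Validates fragment offsets and lengths before copying any bytes, rejecting a set
whose reassembled datagram would exceed the 65,535-byte maximum (ping of death)
and fragments whose offsets overlap earlier data (teardrop).
"""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_MAX_DATAGRAM = 65535   # 16-bit total length field
FRAG_UNIT = 8               # fragment offset is measured in 8-byte blocks
IPV4_HEADER_LEN = 20        # minimal header assumed for the reassembled datagram


@dataclass
class Fragment:
    ident: int              # IP identification; equal for all pieces of one datagram
    offset: int             # fragment offset field (units of 8 bytes)
    more_fragments: bool    # MF flag
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset * FRAG_UNIT

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


class ReassemblyError(ValueError):
    """Raised instead of writing past a fixed-size reassembly buffer."""


def reassemble(frags: List[Fragment]) -> bytes:
    if not frags:
        raise ReassemblyError("no fragments")
    if len({f.ident for f in frags}) != 1:
        raise ReassemblyError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.start)

    # Ping of death: bound the final size before touching a buffer at all.
    for f in ordered:
        total = IPV4_HEADER_LEN + f.end
        if total > IPV4_MAX_DATAGRAM:
            raise ReassemblyError(f"fragment at offset {f.start} would make the "
                                  f"datagram {total} bytes (limit {IPV4_MAX_DATAGRAM})")

    # Teardrop: each fragment must begin exactly where the previous one ended.
    expected = 0
    for f in ordered:
        if f.start < expected:
            raise ReassemblyError(f"fragment at offset {f.start} overlaps data "
                                  f"already ending at {expected}")
        if f.start > expected:
            raise ReassemblyError(f"missing data between {expected} and {f.start}")
        expected = f.end

    # Every fragment but the last must carry MF and an 8-byte-aligned payload.
    for f in ordered[:-1]:
        if not f.more_fragments or len(f.payload) % FRAG_UNIT:
            raise ReassemblyError(f"malformed non-final fragment at offset {f.start}")
    if ordered[-1].more_fragments:
        raise ReassemblyError("final fragment missing (MF still set)")
    return b"".join(f.payload for f in ordered)


def classify(frags: List[Fragment]) -> Tuple[str, str]:
    """('ok', '<length>') or ('rejected', '<reason>') for one fragment set."""
    try:
        return "ok", str(len(reassemble(frags)))
    except ReassemblyError as exc:
        return "rejected", str(exc)


# Constructed sample fragment sets; payload bytes are filler, not captured traffic.
NORMAL = [Fragment(1, 0, True, b"A" * 1480), Fragment(1, 185, False, b"B" * 100)]
# Offset 8189 * 8 = 65512; 20 + 65512 + 100 = 65632 bytes, above the IPv4 maximum.
OVERSIZED = [Fragment(2, 0, True, b"A" * 8), Fragment(2, 8189, False, b"B" * 100)]
# Second fragment claims offset 24 while the first already covers bytes 0-63.
OVERLAPPING = [Fragment(3, 0, True, b"A" * 64), Fragment(3, 3, False, b"B" * 64)]
```

The size check runs before the tiling check on purpose: an oversized set also has a gap, and the more specific reason is the one worth logging.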

Smurf attack
ó The attacker sends a large amount of ICMP traffic to a broadcast address
and uses a victim’s IP address as the source IP so the replies from all the
devices that respond to the broadcast address will flood the victim.

Spoofing
ó Spoofing is a technique that makes a transmission appear to have come
from an authentic source by forging the IP address.
ó In IP spoofing, a hacker modifies packet headers by using someone else’s IP
address to hide his identity.
VPN
VPN:
A VPN connection is the extension of a private network that includes links across shared
or public networks, such as the Internet. VPN connections (VPNs) enable organizations to send
data between two computers across the Internet in a manner that emulates the properties of a
point-to-point private link.

Types of VPN
1. Site-To-Site VPN- Between two Branches
2. Remote-Access VPN- Accessing or forming VPN from Remote Locations.

Phase 1 Tunnel only 6 packets go through. Known as ISAKMP Tunnel;


Phase 2 Tunnel Only DATA goes through this tunnel, No negotiation

Control traffic goes through Phase 1 tunnel


Data traffic goes through Phase 2 tunnel

Phase 1 is called ISAKMP Tunnel


Phase 2 is called IPSEC Tunnel

-> 1st packet is the ISAKMP Policy exchange
[Encryption: 3des; Hash: sha; Authentication: PSK; Group: 2]
<- 2nd packet is the ISAKMP Policy exchange
It is to protect the 1st tunnel (Phase 1 tunnel), because through the 1st tunnel
we are going to exchange the pre-shared key. The policy exchange takes place before
the 1st tunnel is created.

-> 3rd packet DH Public Key+ nonce


<- 4th packet DH Public Key+ nonce
[A nonce is a random number that may only be used once. It is issued in an
authentication protocol to ensure that old communications cannot be reused in
replay attacks.]

-> 5th packet: the Shared Secret Key (SSK) is generated; the Pre-shared Key (PSK) is
encrypted with the SSK
<- 6th packet: Pre-shared Key (PSK)

-> 7th packet: Transform-Set (AES, MD5)
<- 8th packet: Transform-Set (AES, MD5)
-> 9th packet: Acknowledgment (ACK)

Phase 1 Exchange (Main mode) [Control Plane]
If the exchange stops at the 1st and 2nd packets, that means an ISAKMP policy
mismatch.
Packets 3 & 4: DH Public Key + Nonce
Packets 5 & 6: PSK (Pre-shared Key)

Phase 2 Exchange (Quick mode) [Data Plane]
Packets 7 & 8: Transform-set (SA (Security Association) policies exchange: AES, MD5)
Packet 9: Acknowledgment

Main Mode
MM_NO_STATE There is an ISAKMP SA, but none of the parameters have been
negotiated yet.

MM_SA_SETUP The devices have negotiated a set of parameters for the SA, but
have not yet exchanged any key information.

MM_KEY_EXCH The devices have used the DH algorithm to create a common key,
but they have not yet authenticated the session.

Aggressive Mode
AG_NO_STATE There is an ISAKMP SA, but none of the parameters have been
negotiated yet.

AG_INIT_EXCH The devices have initiated an Aggressive Mode exchange

AG_AUTH The devices have completed an Aggressive Mode exchange and
authenticated the SA. They can now proceed to Quick Mode.

Quick Mode
QM_IDLE The SA is authenticated and ready for use.

Troubleshooting
MM_NO_STATE - Policy mismatch
MM_KEY_EXCH - DH-Key Mismatch
QM_Idle but Phase 2 tunnel not formed - Policy mismatch in Phase 2 (Transform-
set)

What is a tunnel and how is it secured?

Two protocols support tunneling
1. IPSEC
2. SSL

SSL is more widely used than IPsec because it is easy to implement, but it is less
secure than IPsec. It is widely supported; it is openly supported by a lot of vendors.

IPsec is a Layer 3 VPN, because it protects the packet from Layer 3 (IP
address) onwards.

SSL VPN
SSL VPN is a Layer 7 VPN, because encryption happens at Layer 7;
TCP port no. 443 (HTTPS)
SSL Handshake

In a remote access VPN the client always initiates the connection:
1. Client Hello
2. Server Hello
3. PKI Certificate
4. Server Hello Done
5. Pre_Master Key
6. Change CIPHER Suite
7. Client handshake Done
8. Change CIPHER Suite
9. Server Handshake Done


Quick Overview:

1st packet originates from the client: Client Hello with all the policies.

2nd packet: the server replies with its own hello, the Server Hello.

3rd packet: the server sends its certificate (public key); sometimes it may also ask
for a certificate from the client.

4th packet: Server Hello Done.

5th: the client sends a pre-master key, encrypted using the server's public key.

6th: Change Cipher Suite.

7th: Client Handshake Done.

8th packet: Change Cipher Suite.

9th packet: Server Done.

3 Main implementations of SSL VPN


1. Clientless
2. Thin Client
3. Thick Client

Clientless: a way to configure the VPN where the client doesn't have to do
anything; all the client requires to connect to the VPN gateway is a browser. It
doesn't support all the protocols, so it won't give the flexibility of an IPsec VPN,
but it is easier on the client, and we can send traffic like HTTP and FTP through
that SSL VPN (HTTPS, FTPS). L4-L7

Thin Client: a Java-based application with which we can extend the scope of these
protocols. Telnet, SMTP and all the protocols that use a well-known port number can
be used. It gives very good flexibility. L4-L7

Thick Client: gives complete control just like an IPsec VPN. Protecting from Layer 3
onwards, it gives full control over private IPs, public IPs etc.

webvpn gateway ROB                        ! generates 1024-bit keys
 ssl trustpoint <CA Server>               ! if pointed to the CA server the certificate is
                                          ! signed there; if you leave this out it is self-signed
 ip address 150.1.20.2 port 443
 inservice                                ! like "no shutdown": the gateway is enabled
 ssl encryption
username gdwn@Admin password cisco
username Rob@Sales password cisco
aaa new-model
aaa authentication login Paris local      ! local database, because the usernames and passwords
                                          ! are saved locally; with a AAA server you would point to that

Domain name: on a router, every domain has a different SSL VPN page (admin,
sales, marketing each get a separate page), and the users will also be different.
Usernames and passwords will be stored in a Lightweight Directory Access Protocol
(LDAP) AAA server.
The handshake is done when we open the page.
1.
webvpn gateway ROB
ip address 150.1.20.2 port 443
inservice

2.
username Gdwn@Admin password cisco
username Rob@Sales password cisco

aaa new-model
aaa authentication login Paris local

3.
webvpn context Admin-context
!
policy group Admin-Policy
functions file-access
functions file-browse
default-group-policy Admin-Policy
aaa authentication list Paris
aaa authentication domain @Admin
gateway ROB domain Admin
inservice

Upgrading Cisco Routers, Switches using TFTP Server


Backup of IOS
∑ #copy flash tftp

Restore or Upgrade IOS
∑ #copy tftp flash

Backup of Configs
∑ #copy startup-config tftp

Restore Configs
∑ #copy tftp running-config

With the show version or show flash command we can see the router IOS file
R1#show version
R1#show flash

Backup of router IOS on tftp Server


R1#copy flash tftp
Source filename []? c1841-advipservicesk9-mz.124-15.T1.bin
Address or name of remote host []? 1.0.0.2
Destination filename [c1841-advipservicesk9-mz.124-15.T1.bin]?

Now copy running-config to startup-config


R1#copy run start

Then copy the startup-config file to tftp server machine so that we can get it
back from there whenever we need.
R1#copy startup-config tftp
Address or name of remote host []? 1.0.0.2
Destination filename [R1-confg]? R1-config

Testing recovery or restore router configuration


R1#erase startup-config
R1#show startup-config
startup-config is not present

R1#reload

Router(config)#int fa0/0
Router(config-if)#ip address 1.0.0.1 255.0.0.0
Router(config-if)#no shut

Router#copy tftp running-config


Address or name of remote host []? 1.0.0.2
Source filename []? R1-config
Destination filename [running-config]?

Password Reverting on Cisco Routers


1. Power on the router
2. Press CTRL+SHIFT+BREAK
3. Modular routers
∑ rommon 1 > confreg 0x2142
∑ rommon 2 > reset

Now the router boots without any password and enters setup mode
Router>enable
Router#copy startup-config running-config
(very important if we don't want to lose the configuration in NVRAM)

Change the password (overwrite with a new password)

Router(config)#config-register 0x2102
Router#write
Router#reload
First Hop Redundancy Protocols (Gateway Redundancy Protocols: HSRP, VRRP, GLBP)

Scope: HSRP - Cisco proprietary | VRRP - IEEE standard | GLBP - Cisco proprietary
Load Balancing: HSRP - No | VRRP - No | GLBP - Yes
Multicast: HSRP - 224.0.0.2 | VRRP - 224.0.0.18 | GLBP - 224.0.0.102
Port Number: HSRP - UDP 1985 | VRRP - UDP 112 | GLBP - UDP 3222
Timers: HSRP - Hello 3 sec, Hold 10 sec | VRRP - Advertisement 1 sec, Downtime
3*Advertisement | GLBP - Hello 3 sec, Hold 10 sec
Election: HSRP - Active router: 1. Highest priority, 2. Highest IP address | VRRP - Master
router: 1. Highest priority, 2. Highest IP address | GLBP - Active Virtual Gateway:
1. Highest priority, 2. Highest IP address
Router Roles: HSRP - Active, Standby, Listening | VRRP - Master, Backup | GLBP - Active
Virtual Forwarder (AVF), Secondary Virtual Forwarder (SVF)
States: Disabled, Initial, Learn, Listen, Speak, Standby, Active
Preempt: HSRP - Preempt is disabled by default; if the Active router (highest priority) goes
down and comes up again, preempt should be configured for it to become the Active router
again | VRRP - Preempt is ON by default; if the Master router goes down and comes up again,
it will automatically become the Master router again | GLBP - Preempt is disabled by
default; if the Active router (highest priority) goes down and comes up again, preempt
should be configured for it to become the Active router again
Virtual MAC: HSRP - 0000.0c07.acxx | VRRP - 0000.5e00.01xx | GLBP - 0007.b4xx.xxxx

Troubleshooting VLAN Issues


Physical Connectivity
Show interface status
Show ip interface brief
Show mac-address-table
Show vlan
Port security (err disable state)
Same network
Devices on the same VLAN

SSL VPN
SSL (Secure Sockets Layer) is a standard security technology for establishing an
encrypted link between a server and a client—typically a web server (website)
and a browser

How it works?
A consumer's browser begins the SSL handshake process by requesting a secure
Web page using the HTTPS protocol, TCP port no. 443.

Why Do I Need SSL?


One of the most important components of online business is creating a trusted
environment where potential customers feel confident in making purchases.
Browsers give visual cues, such as a lock icon or a green bar, to help visitors know
when their connection is secured.
SSL Handshake
1. Client Hello
It carries all the policies the client is able to use for encryption, hashing etc.
[3des, SHA] and the SSL/TLS versions it supports [SSL v1.0, 2.0, 3.0; TLS v1.1, 1.2, 1.3],
e.g. [3des, sha], [TLS v1.0, 1.1].

2. Server Hello
The server accepts the Client Hello and chooses the highest version it supports among
those the client offered: if the client supports 1.0 and 1.2 and the server only has 1.0,
they both go down to 1.0; they pick whichever is the highest version compatible between
them. The server replies with [3des, sha], [TLS v1.0].

3. Server PKI Certificate

Now the server sends its PKI certificate; it is a public key signed by the CA server.
Once we have that key we can use it for identification.

4. Server Hello Done

"I'm done, you accepted my certificate."

5. Client Pre_Master Key

They both agreed on encryption and hashing (3des, sha) but they still need the key. In
IPsec the DH exchange automatically provided the key; here the client creates a key (not
the complete key but half of it, from some random numbers), encrypts it using the 1024-bit
public key received earlier from the server and sends it back to the server. Nowadays we
use a 2048-bit key.

6. Client Change CIPHER Suite

Change Cipher Suite means that after this, whatever message is sent is going to be
encrypted, since both of them have the key.

7. Client handshake done

8. Server Change CIPHER Suite

The last message is encrypted, saying that the handshake is done.

9. Server Handshake Done

The server receives this and sends its own Change Cipher Suite and Server Done.

Brief
1. Client Hello
This initiates a secure session with the website by sending a Client Hello message
to the Web server. The Client Hello message contains information about which
encryption and compression algorithms the browser supports;

2. Server Hello
The Web server responds with a Server Hello message, which also includes
information about supported algorithms; The Web server chooses the strongest
cipher that both the browser and server support.

3. Server PKI Certificate

The server also sends its digital certificate to the browser to vouch for the
identity of an individual or a computer system.

4. Server Hello Done
The Web server then sends a Server Hello Done message indicating that it is
finished and awaiting a response from the browser.

Once the browser receives the server's message, it checks the certificate against a
list of known Certificate Authorities to ensure the certificate is valid. The server's
certificate contains its public key and the name of the server, which must match
the name of the server the browser requested. For example, if the user typed the
URL "https://www.secureserver.com" in the browser, the certificate should
contain a subject name of "www.secureserver.com" or "*.secureserver.com."

5. Client Pre_Master Key


The client then computes a premaster secret using the two random values that
were generated during the Client and Server Hello messages. This premaster
secret is encrypted using the public key from the server's certificate and sent in a
Client Key Exchange message to the server. If the server can decrypt this data, the
client is assured that the server has the correct private key. A message encrypted
with a public key can only be decrypted by the matching private key, and visa
versa. This step is crucial to proving the authenticity of the server. Only the server
with the private key that matches the public key in the certificate can decrypt this
data and continue to the protocol negotiation.

The SSL handshake process securely exchanges data that is then used by both the
client and the server to calculate a Master Secret key. Because both the server
and the client can calculate the Master Secret key, it does not need to be
exchanged. The server can now respond to the browser with a request to begin
communicating using the established keys and parameters. Thus, by combining
SSL with a Web server's digital certificate, a consumer can establish a secure
connection to a website without having to pass secret encryption keys in the
clear.
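The key-derivation side of the handshake just described, as an added example that is not part of the original notes: the TLS 1.2 PRF (RFC 5246), the master secret both peers derive from the pre-master secret and the two Hello randoms, the Finished verify_data that binds the handshake transcript, and the certificate-name check from the paragraph above. The RSA encryption of the pre-master secret is assumed to have already happened, so both sides simply hold the same value; the randoms, pre-master secret and transcript are constructed test data.

```python
"""Added example: TLS 1.2 master-secret and Finished derivation (RFC 5246).

Not code from the original notes. Assumes the RSA step already delivered the
same pre-master secret to both sides; every input below is constructed.
"""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; both peers can compute it, so it is never sent."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data carried in Finished: 12 bytes bound to the hash of the transcript."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def rsa_key_exchange_demo(client_random: bytes, server_random: bytes,
                          pre_master: bytes, transcript: bytes) -> dict:
    """Both sides of the exchange derive keys independently and check Finished."""
    # Client side: knows the pre-master secret it generated plus both randoms.
    client_ms = master_secret(pre_master, client_random, server_random)
    client_fin = finished_verify_data(client_ms, b"client finished", transcript)
    # Server side: recovered the same pre-master secret with its private key (assumed).
    server_ms = master_secret(pre_master, client_random, server_random)
    # The server recomputes verify_data and compares in constant time.
    expected = finished_verify_data(server_ms, b"client finished", transcript)
    return {
        "client_master": client_ms,
        "server_master": server_ms,
        "client_finished": client_fin,
        "client_finished_ok": hmac.compare_digest(client_fin, expected),
        # The server's own Finished covers the transcript including the client's Finished.
        "server_finished": finished_verify_data(server_ms, b"server finished",
                                                transcript + client_fin),
    }


def match_hostname(requested: str, cert_name: str) -> bool:
    """Simplified RFC 6125 check: exact match, or a leftmost '*' covering one label."""
    req = requested.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(req) != len(pat):
        return False
    if pat[0] == "*":
        # Wildcard must leave at least two real labels (no "*.com") and matches one label only.
        return len(pat) >= 3 and req[1:] == pat[1:]
    return req == pat


if __name__ == "__main__":
    # Constructed values standing in for the Hello randoms and the 48-byte pre-master secret
    # (whose first two bytes are the client's offered version, 03 03 for TLS 1.2).
    cr, sr, pms = os.urandom(32), os.urandom(32), b"\x03\x03" + os.urandom(46)
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    result = rsa_key_exchange_demo(cr, sr, pms, transcript)
    print("master secrets match:", result["client_master"] == result["server_master"])
    print("client Finished verified:", result["client_finished_ok"])
    print("www.secureserver.com vs *.secureserver.com:",
          match_hostname("www.secureserver.com", "*.secureserver.com"))
```

The Finished message is what turns "the server could decrypt the pre-master secret" into proof: a server without the private key cannot derive the master secret, so it cannot produce a verify_data the client will accept, and any change to an earlier handshake message (for example a downgraded cipher list) changes the transcript hash and fails the same check.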

3 Main implementations of SSL VPN

∑ Clientless
∑ Thin Client
∑ Thick Client

Clientless: a way to configure the VPN where the client does not have to install
anything; all the client needs to connect to the VPN gateway is a browser. It
does not support all protocols, so it does not give the flexibility of an IPsec
VPN, but it is easiest on the client, and we can send web-type traffic such as
HTTP and FTP (HTTPS, FTPS) through the SSL VPN. Layers 4-7.

Thin Client: a Java-based port-forwarding applet that extends the scope to other
TCP applications that use well-known ports, such as Telnet and SMTP. It gives
good flexibility. Layers 4-7.

Thick Client: a full tunnel client that gives complete control just like an
IPsec VPN, protecting from Layer 3 upwards and giving full control over private
IPs, public IPs, etc.

Steps to configure SSL VPN (Cisco IOS WebVPN)

1. Gateway: the address and port the browser connects to
webvpn gateway ROB
 ip address 150.1.20.2 port 443
 inservice

2. Local users and the AAA login method the context will use (aaa new-model must
come before aaa authentication login)
aaa new-model
aaa authentication login Paris local
username Gdwn@Admin password cisco
username Rob@Sales password cisco

3. Context and policy group (the policy group sub-mode is closed with exit before
the context-level commands)
webvpn context Admin-context
 policy group Admin-Policy
  functions file-access
  functions file-browse
 exit
 default-group-policy Admin-Policy
 aaa authentication list Paris
 aaa authentication domain @Admin
 gateway ROB domain Admin
 inservice

The user logs in as Gdwn at https://150.1.20.2/Admin; aaa authentication domain
appends @Admin before the name is checked against the local database, which is
why the usernames are defined as Gdwn@Admin and Rob@Sales. "cisco" is a lab
password; use username ... secret rather than password so the credential is not
stored reversibly.

CP
(CHECK POINT FIREWALL)
Check Point Firewall
This is a software firewall and one of the earliest firewalls to use stateful
inspection (Check Point coined the term with FireWall-1).

Checkpoint Firewall Components


∑ Management Server
∑ Firewall Module
∑ Graphical User Interface (GUI)

Checkpoint Three Tier Architecture


∑ SmartConsole
∑ SmartCenter Server
∑ Enforcement Module

Firewall Models
∑ Single Gateway product
∑ Enterprise Gateway product (Distributed Setup)

Rules
∑ Stealth Rule
∑ Cleanup Rule

Stealth Rule
Drops any traffic whose destination is the gateway itself; it sits at the top
of the Rule Base, below only the rules that must reach the gateway (for example
management access).

Cleanup Rule
An explicit Any/Any/Any drop with logging enabled, placed last; without it,
unmatched traffic is dropped by the implicit default rule without a log entry.

Creating Administrative Profiles

Administrator
New Administrator
Username: ReadOnly
Email: readonly@abc.com
Authentication
Password: 12345 (lab value; a real administrator account needs a strong
password and, as the name suggests, a read-only permission profile)

NAT
∑ Hide NAT
∑ Static NAT

NAT
Hide NAT
1. Create the LAN_Network object. On its NAT tab enable Add Automatic Address
   Translation rules, Translation method Hide, Hide behind Gateway; this
   generates the NAT rules.
2. Add 2 access rules:

Name   Source        Dst   VPN           Service    Action   Track   Install On   Time
Hide   LAN_Network   Any   Any Traffic   Any        Accept   Log     Gateway      Any
Hide   Any           Any   Any Traffic   TCP http   Accept   Log     Gateway      Any

Policy
∑ Install

Static NAT
Two nodes are needed:
1. the available public IP address
2. the internal private IP of the server

1. Network Objects -> Nodes -> Node -> Host: create Public_Server_IP
2. Network Objects -> Nodes -> Node -> Host: create Private_Server_IP
   (on its NAT tab enable Add Automatic Address Translation rules, Translation
   method Static, and enter the public address)
Add 2 rules:

Name     Source              Dst                VPN   Service   Action   Track   Install On
Static   Private_Server_IP   Any                Any   Any       Accept   Log     Gateway
Static   Any                 Public_Server_IP   Any   Any       Accept   Log     Gateway

User Authentication
1. Checkpoint Password
2. OS password
3. RADIUS
4. TACACS
5. SecurID

Types of Clusters
∑ HIGH AVAILABILITY
∑ LOAD BALANCING

Checkpoint
∑ Installation
∑ Install Secure Platform on the Branch Gateway
∑ Perform Backup and restore
∑ Configuring DMZ
∑ Configuring NAT
∑ Monitoring with Smartview Tracker
∑ Client Authentication
∑ Identity Awareness
∑ Site-to-Site VPN between Corporate and Branch Office

Difference between Checkpoint and ASA


SIC Secure Internal Communication
SIC stands for Secure Internal Communication and is a Check Point proprietary
mechanism (certificate-based, with certificates issued by the management
server's Internal CA). It creates a secured, authenticated channel between
Security Gateways and the Security Management Server so that they can
communicate freely and securely after a simple one-time initialization with an
activation key.

SIC Reset
cpfw[admin]# cpconfig

(6) Secure Internal Communication

After resetting on the gateway, also reset SIC on the gateway object in
SmartDashboard (Communication button), enter the same activation key, and
re-install the policy; until then the management server cannot push policy to
that gateway.

Check Point supports 3 types of backup and recovery:

1. Snapshot (full system image, OS included; the largest, and reverts only to
   the same version)
2. Backup (Check Point configuration plus OS settings; restores to the same
   version)
3. Upgrade tools (the migrate export command in $FWDIR/bin/upgrade_tools;
   management database only, portable across versions and hardware)

Snapshot
[Expert@cpModule]# snapshot
[Expert@cpModule]# revert

Backup
[Expert@cpModule]# backup
[Expert@cpModule]# restore

Upgrade tools
cd $FWDIR/bin/upgrade_tools

SmartDashboard Object Tree

1. Network Objects
   ∑ Check Point
   ∑ Nodes
   ∑ Networks
   ∑ Groups
   ∑ Address Ranges
   ∑ Dynamic Objects
2. Services
   ∑ TCP
   ∑ UDP
   ∑ ICMP
3. Resources
4. Servers and OPSEC
5. Users and Administrators
6. VPN Communities
   ∑ Site To Site
   ∑ Remote Access

Processes
CPD – CPD sits high in the process hierarchy and supports many services, such
as Secure Internal Communication (SIC), licensing and status reporting.

FWM – The FWM process is responsible for the database activities of the
SmartCenter server. It is therefore responsible for policy installation,
Management High Availability (HA) synchronization, saving the policy, database
read/write actions, log display, etc.

FWD – The FWD process is responsible for logging. It is executed in relation to
logging, Security Servers and communication with OPSEC applications.

cpstart/cpstop utilities: allow you to start and stop the Check Point component
services.

Check Point registry: common cross-platform registry for Check Point and
OPSEC products.
Check Point daemon (cpd): cross-platform manager for all Check Point internal
communications.

OPSEC
OPSEC stands for Open Platform for Security; it is designed to extend the SVN
(Secure Virtual Network) framework to include third-party products and services.

Anti-Spoofing
Anti-spoofing is a security feature that lets the firewall decide whether the
source address of a packet is legitimate for the interface it arrived on, or
whether it is being used for malicious purposes. Each interface is given the set
of networks that live behind it (the Topology tab of the gateway object).
Example: if the firewall is configured so that 192.168.1.1 is an internal
network address, it drops any packet with that source address arriving on the
Internet interface, because there is no legitimate reason for traffic received
on the external interface to carry the source IP of an internal system. Traffic
with an internal source address should only ever be received on the internal
interface.

Common Command Explanation

cpstart: The cpstart CLI utility starts all the Check Point applications installed
on a machine, excluding the cprid daemon, which is started separately during
machine boot up. In a VPN-1/FireWall-1 installation, this starts the
VPN-1/FireWall-1 components, as well as the SVN foundation.

fwstart: The fwstart CLI utility starts all VPN-1/FireWall-1 components installed
on a machine, including the enforcement module (fwd), the SmartCenter server
(fwm), the VPN-1/FireWall-1 NG SNMP daemon (snmpd), and the authentication
daemons (such as in.httpd, which provides an HTTP application-layer gateway
daemon for authenticating HTTP access).

cplic print: The cplic print CLI utility prints information about Check Point
product licenses.

fwm load: The fwm load CLI utility instructs a SmartCenter server to install the
current security policy on one or more enforcement modules. This command has
the following syntax: fwm load [filter-file | rule-base] targets

fwm unload: The fwm unload CLI utility instructs a SmartCenter server to uninstall
the current security policy from one or more enforcement modules. This
command has the following syntax: fwm unload targets
What is the Default rule?
The implicit default rule: any traffic that matches no explicit rule is dropped,
and that drop is not logged. That is why an explicit cleanup rule is added.

What is a Stealth rule?

The stealth rule prevents all direct connections to the Security Gateway itself.
It is placed at the top of the Rule Base (only rules that must reach the gateway,
such as management access, go above it), so that traffic aimed at the firewall
is dropped and logged before any other rule can accept it.

Source   Destination   Service   Action   Track   Install On       Time
Any      Firewalls     Any       Drop     Log     Policy Targets   Any

What is the purpose of the clean-up rule?

The clean-up rule is an explicit deny with logging enabled; it must be the last
rule in the Rule Base so that everything the earlier rules did not accept is
dropped and, unlike with the implicit default rule, logged.

Source   Destination   Service   Action   Track   Install On       Time
Any      Any           Any       Drop     Log     Policy Targets   Any
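The anti-spoofing check and the default/stealth/cleanup rules described above, as an added example that is not part of the original notes and is not Check Point's own code or rule syntax: a small first-match rule-base evaluator in Python. The interface topology, firewall addresses, rules and packets are constructed test data. It shows that a packet with an internal source arriving on the external interface is dropped before the rule base is consulted, that a management rule must sit above the stealth rule to be reachable, and that without a cleanup rule unmatched traffic is still dropped but leaves no log entry.

```python
"""Added example: anti-spoofing plus first-match rule base with stealth and
cleanup rules.  Not Check Point code; all topology, rules and packets are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

ANY = "Any"
# The gateway's own addresses (constructed): what the "Firewalls" object stands for.
FIREWALL_IPS = {"192.168.0.10", "203.0.113.10"}

# Interface topology as anti-spoofing sees it: which networks legitimately sit behind each interface.
TOPOLOGY = {
    "eth0_internal": ["10.10.1.0/24"],
    "eth1_external": ["0.0.0.0/0"],   # "Internet": everything not claimed by another interface
}


@dataclass
class Rule:
    name: str
    source: str      # CIDR network, "Firewalls", or "Any"
    dest: str
    service: str     # "tcp/443", "Any", ...
    action: str      # "Accept" or "Drop"
    track: str       # "Log" or "None"


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    service: str


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: a source that belongs behind another interface is not legitimate here."""
    src = ipaddress.ip_address(pkt.src)
    for iface, nets in TOPOLOGY.items():
        if iface == pkt.in_iface:
            continue
        for net in nets:
            n = ipaddress.ip_network(net)
            if n.prefixlen > 0 and src in n:   # ignore the external side's catch-all 0.0.0.0/0
                return True
    return False


def _match(field: str, value: str) -> bool:
    """Match one rule column against one packet attribute."""
    if field == ANY:
        return True
    if field == "Firewalls":
        return value in FIREWALL_IPS
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    except ValueError:
        return field == value   # service strings such as "tcp/443" compare literally


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (rule name, action, logged). Anti-spoofing runs first; then first match wins."""
    if is_spoofed(pkt):
        return ("anti-spoofing", "Drop", True)
    for r in rules:
        if _match(r.source, pkt.src) and _match(r.dest, pkt.dst) and _match(r.service, pkt.service):
            return (r.name, r.action, r.track == "Log")
    # Implicit default rule: nothing matched, drop without a log entry.
    return ("implicit drop", "Drop", False)


RULE_BASE = [
    Rule("Mgmt to FW", "10.10.1.0/24", "Firewalls", "tcp/443", "Accept", "Log"),  # must precede stealth
    Rule("Stealth", ANY, "Firewalls", ANY, "Drop", "Log"),
    Rule("LAN out", "10.10.1.0/24", ANY, ANY, "Accept", "Log"),
    Rule("Cleanup", ANY, ANY, ANY, "Drop", "Log"),
]
WITHOUT_CLEANUP = RULE_BASE[:-1]   # same policy minus the explicit last rule


if __name__ == "__main__":
    samples = [
        Packet("eth0_internal", "10.10.1.5", "192.168.0.10", "tcp/443"),   # admin to gateway
        Packet("eth1_external", "198.51.100.7", "203.0.113.10", "tcp/22"),  # Internet to gateway
        Packet("eth1_external", "10.10.1.5", "203.0.113.10", "tcp/443"),    # spoofed internal source
        Packet("eth1_external", "198.51.100.7", "10.10.1.5", "tcp/445"),    # unsolicited inbound
    ]
    for p in samples:
        print(p.in_iface, p.src, "->", p.dst, p.service, "|", evaluate(RULE_BASE, p),
              "| no cleanup:", evaluate(WITHOUT_CLEANUP, p))
```

Swap the first two rules and the "Mgmt to FW" rule can never match, which is exactly the lockout a stealth rule placed too high causes in a real policy; the last sample packet is the one that shows up in the logs only because the cleanup rule exists.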

Firewall Clustering
A cluster is a group of devices and other resources that act like a single device
and enable high availability and load balancing.

High Availability
Active-Standby
Gives redundancy: if the active device fails, the standby device takes over.

Load Balancing (Load Sharing)
Active-Active
Both devices are up and share the traffic.

Site-to-Site
∑ VPN Domain
∑ VPN Community
∑ Creating VPN Rule
∑ Troubleshooting a VPN
4 Steps
1. Create objects for the network or gateway
2. Configure the VPN Community
3. Defining VPN Domains
4. Finishing the VPN Configuration

Creating the Objects

Network Objects --> Networks

1. Create 2 network objects
   Local LAN: Name Local_LAN, IPv4 Address 10.10.1.0, Net Mask 255.255.255.0
   Remote LAN: Name Remote_LAN, IPv4 Address 10.10.2.0, Net Mask 255.255.255.0

2. Create the two gateway objects (Network Objects --> Others --> Externally
   Managed VPN Gateway)
   Local firewall: General Properties: Name Local_Firewall, IP Address 192.168.0.10, Platform Gaia
   Remote firewall: General Properties: Name Remote_Firewall, IP Address 192.168.0.11, Platform Gaia

   Network Security tab (both): Enable IPSec VPN

   Topology tab (both): VPN Domain, Manually defined: Local_LAN on Local_Firewall,
   Remote_LAN on Remote_Firewall

   OK

VPN Community
∑ Meshed

General
∑ Name: Site-to-Site

Participating Gateways
∑ Add both gateways

Encryption
∑ Encryption Method
∑ IKEv1 Only

Encryption Suite
∑ Custom
Phase 1 Properties
∑ Encryption: AES-256
∑ Data integrity: SHA1

Phase 2 Properties
∑ Encryption: AES-128
∑ Data integrity: SHA1

Tunnel Management
∑ On all Tunnels in the community
∑ VPN Tunnel Sharing
∑ One VPN tunnel per subnet pair

Shared Secret
∑ Enter Secret: Checkpoint (lab value; use a long random pre-shared key, or
  certificates, in production)

Advanced VPN Properties

IKE Phase 1
∑ Diffie-Hellman Group
∑ Group 2 (1024 bit), 1 (768 bit), 5 (1536 bit), 14 (2048 bit)
  (Groups 1, 2 and 5 and SHA1 are weak by current standards; prefer Group 14 or
  higher and SHA-256 when both peers support them)

IPSec Phase 2
∑ Renegotiate IPsec security associations every 3600 seconds

NAT
∑ Disable NAT inside the VPN community

OK

Rule Tab
∑ Add Rule
∑ Top

Name   Source       Dst          VPN            Service   Action   Track   Install On   Time
VPN    Local_LAN    Remote_LAN   Site-to-Site   Any       Accept   Log     Gateway      Any
VPN    Remote_LAN   Local_LAN    Site-to-Site   Any       Accept   Log     Gateway      Any

Remote Access SSL VPN
∑ Network Objects
  o Check Point
    - CPModule
      ∑ Edit
Network Security tab
∑ Enable Mobile Access
2 rules (the HTTPS rule must sit above the stealth rule, otherwise the stealth
rule drops the portal connections):

Name      Source      Dst        VPN           Service     Action   Track   Install On   Time
SSL       Local_LAN   CPModule   Any Traffic   TCP https   Accept   Log     Gateway      Any
Stealth   Any         CPModule   Any Traffic   Any         Drop     Log     Gateway      Any
Firewall Clustering

Clustering on the SPLAT (SecurePlatform) firewall modules can be enabled in two
ways: at initial setup in the CLI wizard, or later with cpconfig.

Log in to the firewall SPLAT CLI and run cpconfig. From the menu select option 6:
[FW-2]# cpconfig
(6) Enable cluster membership for this gateway
To proceed with the configuration, connect to the Management Server (SmartCenter
Server) as an administrator.

Under Network Objects

∑ Check Point Module
∑ Security Cluster
Wizard mode configuration
Specify the cluster object name and its IP address; this IP address is the
internal VIP. In this example we use ClusterXL in High Availability mode.
Once the SIC key is entered, trust is established between the Management Server
and the firewall module.
Add both firewall modules under the cluster object and click Next.

Specify the Sync network as the sync interface; in this example it is the
Primary Sync interface. Specify the other two networks as Private and
Non-Monitored for each member.

Once the wizard is done, both firewalls are listed under the cluster object
container. Right-click the cluster object and click Edit. Make sure ClusterXL is
enabled; in this example we also uncheck the IPSec VPN and IPS software blades.
The Cluster Members option lists the existing members of the cluster. The
priority of a member can be increased or decreased if required.

In this configuration we use HA mode, wherein one firewall is Active and the
other is in Standby mode.

Under the Topology container, click Edit Topology and add interfaces for the
cluster object. One internal and one external interface have to be added for
the cluster object; their IPs are referred to as the internal VIP and the
external VIP. Specify the internal VIP details, then the external VIP details.
The topology then shows both VIPs on the cluster object.

Write the firewall rules specifying the cluster object (not the individual
members) as the Install On target.

Make sure the gateway for the LAN machines is the internal VIP of the cluster,
not a member's physical address, otherwise a failover breaks their default
route.

Once the setup is complete, you should be able to ping the router's interface
through the firewall cluster.
Firewall clustering can also be set up in Load Sharing mode, wherein both
firewalls are in the Active state.
Log in to SmartView Monitor to verify the cluster configuration.
COMMANDS FOR CLI R76 and R75
1. comp_init_policy: generates and loads, or removes, the initial policy. The
initial policy protects the gateway before the administrator has installed a
policy on it.
$FWDIR/bin/comp_init_policy [-u] [-g]
comp_init_policy -g
-u: removes the current initial policy and ensures that it is not generated
again when cpconfig is run.
-g: generates and loads the initial policy; use it only when no initial policy
exists (remove an existing one with -u first).
2. cp_admin_convert: automatically exports administrator definitions that were
configured in SmartDashboard.
3. cpca_client: executes operations on the ICA (Internal Certificate
Authority). E.g. cpca_client revoke_cert, cpca_client lscert.

cp_conf: used to configure/reconfigure a Security Gateway installation.

cp_conf sic: manage SIC on the Security Management server.

cp_conf sic state: shows the SIC trust state.
cp_conf sic init <key>: restarts SIC with the activation key.

cp_conf admin: manage Check Point system administrators for the Security
Management server.
cp_conf admin get                        # Get the list of administrators
cp_conf admin add <user> <pass> {a|w|r}  # a = all permissions, w = read/write, r = read only
cp_conf admin del <user>

cp_conf lic: shows the installed licenses and lets you manually add new ones.
> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

cp_conf client: manage the GUI clients that can use SmartConsole to connect to
the Security Management Server.

> cp_conf client get                                          # Get the GUI clients list
> cp_conf client add <GUI client>                             # Add one GUI client
> cp_conf client del <GUI client 1> <GUI client 2>...         # Delete GUI clients
> cp_conf client createlist <GUI client 1> <GUI client 2>...  # Create a new GUI clients list
cpconfig
Description: Run a command-line version of the Check Point Configuration Tool.
This tool is used to configure an installed Check Point product. The options shown
depend on the installed configuration and products. Amongst others, these
options include:
Licenses and contracts - Modify the necessary Check Point licenses and contracts.
Administrator - Modify the administrator authorized to connect to the Security
Management server.
GUI Clients - Modify the list of SmartConsole client machines from which the
administrators are authorized to connect to a Security Management server.
SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables
SecurePlatform to export its status to external network management tools.
PKCS #11 Token - Register a cryptographic token, for use by SecurePlatform; see
details of the token, and test its functionality.
Random Pool - Configure the RSA keys, to be used by SecurePlatform.
Certificate Authority - Install the Certificate Authority on the Security
Management server in a first-time installation.
Secure Internal Communication - Set up trust between the gateway on which this
command is being run and the Security Management server.
Certificate's Fingerprint - Display the fingerprint which will be used on first-time
launch to verify the identity of the Security Management server being accessed by
the SmartConsole. This fingerprint is a text string derived from the Security
Management server's certificate.
Automatic Start of Check Point Products - Specify whether Check Point Security
Gateways will start automatically at boot time.
(Source: Security Management Server and Firewall Commands, Command Line
Interface Reference Guide R76, p. 16.)

cpinfo: a utility that collects data on a machine at the time of execution. The
cpinfo output file enables Check Point support engineers to analyze setups from
a remote location. Engineers can open the cpinfo file in demo mode, while
viewing real Security Policies and objects. This allows for in-depth analysis of
all configuration options and environment settings.

cpinfo [-v] [-l] [-n] [-o <filename>] [-r | -t [tablename]]

-v: prints the version.
-l: includes log records.
-n: does not resolve network addresses.
-o: output to a file and on the screen.
-t: output consists of tables only.
-r: includes the registry (Windows).

cplic: Check Point license management.

cplic check: check whether a license on the local machine allows a given feature;
options -p (product), -v (version), -c (count), -t (date), -r (routers), -S
(SRusers).
cplic db_add: add one or more licenses to the license repository on the
Security Management server.
cplic db_print: display details of the Check Point licenses stored in the
license repository on the Security Management server.
cplic db_rm: remove a license from the license repository on the Security
Management server. It can be executed only after the license was detached using
the cplic del command.
cplic del: delete a single Check Point license on a host, including unwanted
evaluation, expired and other licenses. Used for both local and remote machines.
cplic get: retrieve all licenses from a Security Gateway. This command helps you
synchronize the repository with the Check Point Security Gateway.
cplic put: install one or more local licenses on a local machine.
cplic print: print details of the Check Point licenses on the local machine.
cplic upgrade: upgrade licenses in the license repository using licenses in a
license file obtained from the User Center.

Process for upgrading licenses

1. Import all licenses into the license repository by running: cplic get -all
2. Download a file containing the upgraded licenses. Only download licenses
   for the products that were upgraded from version NGX to Software Blades.
3. Run the license upgrade command: cplic upgrade -l <inputfile>

cppkg: manage the product repository. It is always executed on the Security
Management Server.
cppkg add: add a product to the product repository. Only SmartUpdate packages
can be added to the product repository.
cppkg delete: delete a product from the repository. To delete a product package
you must specify a number of options.
cppkg get: synchronize the package repository database with the content of the
actual package repository under the repository root.
cppkg getroot: find out the location of the product repository.
cppkg print: list the contents of the product repository.
cppkg setroot: create a new repository root directory location.
When changing the repository root directory:
The contents of the old repository are copied into the new repository.
The $SUROOT environment variable gets the value of the new root path.
A product package in the new location will be overwritten by a package in the old
location, if the packages are the same (that is, they have the same ID strings). The
repository root directory should have at least 200 Mbyte of free disk space.

cpridrestart: stops and starts the Check Point Remote Installation Daemon.
cpridstart: starts the Check Point Remote Installation Daemon.
This is the service that allows for the remote upgrade and installation of products.
cpridstop: stops the Check Point Remote Installation Daemon.
cprinstall: perform remote installation of product packages and associated
operations.
On the remote Check Point gateways the following are required:
Trust must be established between the Security Management server and the
Check Point gateway.
cpd must run.
cprid, the remote installation daemon, must run.
cpstart: start all Check Point processes and applications running on an appliance
or server.
cpstat: display the status of Check Point applications, either on the local or on
another appliance or server, in various formats.
cpstop: terminate all Check Point processes and applications running on an
appliance or server.
cpwd_admin: cpwd (also known as WatchDog) is a process that invokes and
monitors critical processes such as Check Point daemons on the local machine,
and attempts to restart them if they fail. Among the processes monitored by
WatchDog are cpd, fwd and fwm.
fwd does not work on a Security Management Only machine. To work with fwd on
a Security Management Only machine add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In
addition, monitoring information is written to the console on UNIX platforms, and
to the Windows Event Viewer. The cpwd_admin utility is used to show the status
of processes, and to configure cpwd.
cpwd_admin start: start a new process under cpwd.
cpwd_admin stop: stop a process which is being monitored by cpwd.
cpwd_admin list: print the status of the processes being monitored by cpwd.
disconnect_client: SmartDashboard can connect to a Security Management
Server using one of these modes:
Read/Write - Administrators have full permissions to create or change all objects,
settings and policies.
Read Only - Administrators can see all objects, settings and policies, but cannot
add, change or delete them.
Only one administrator can use SmartDashboard to connect to a Security
Management Server in Read/Write mode at one time. When an administrator
connects in Read/Write mode, this prevents other administrators from doing
these actions:
Connecting to the same management in Read/Write mode
Creating or changing objects, settings and policies
Backing up the management server database
Installing a Security Policy
You can use a special command line utility to disconnect a different
SmartDashboard client that is open in Read/Write mode.

dbedit: Edit the objects file on the Security Management server. Editing the
objects.C file on the gateway is not required or desirable, since it will be
overwritten the next time a Policy is installed.

dbver: The dbver utility is used to export and import different revisions of the
database. The properties of the revisions (last time created, administrator
responsible for, etc.) can be reviewed. The utility can be found in $FWDIR/bin. Run
these commands from Expert mode.

dbver create: Create a revision from the current state of $FWDIR/conf, including
current objects, rule bases, and so on.
Syntax
dbver> create <version_name> <version_comment>

dbver export: Archive the revision as an archive file in the revisions
repository: $FWDIR/conf/db_versions/export.
Syntax
dbver> export <version_numbers> <delete|keep>

dbver import: Add an exported revision to the repository from
$FWDIR/conf/db_versions/export. Give the filename of the revision as input.
Syntax
dbver> import <exported_version_in_server>

dbver print: Print the properties of the revision.
Syntax
dbver> print <version_file_path>

dbver print_all: Print the properties of all revisions to be found on the
server side: $FWDIR/conf/db_versions
Syntax
dbver> print_all

fw: All fw commands are executed on the Check Point Security Gateway. Typing
fw at the command prompt sends a list of available fw commands to the standard
output.
Syntax
> fw

fw -i: Generally, when Check Point Security Gateway commands are executed on
a Security Gateway they relate to the gateway as a whole, rather than to an
individual kernel instance. For example, the fw tab command will enable viewing
or editing of a single table of information aggregated for all kernel instances.
Adding -i <kern> after fw in the command, where <kern> is the kernel instance's
number, makes that command apply to an individual CoreXL kernel instance.

fw ctl Description The fw ctl command controls the Firewall kernel module.
Syntax
fw ctl {install|uninstall}
fw ctl debug [-m <module>] [+|-] {options | all | 0}
fw ctl debug -buf [buffer size]
fw ctl kdebug
fw ctl pstat [-h][-k][-s][-n][-l]
fw ctl iflist
fw ctl arp [-n]
fw ctl block {on|off}
fw ctl chain
fw ctl conn

fw ctl debug
Description Generate debug messages to a buffer.
Syntax A number of debug options are available:
fw ctl debug -buf [buffer size]: Allocates a buffer of size kilobytes (default 128)
and starts collecting messages there.
fw ctl debug [-m <module>] [+ | -] {options|all|0} : Specify the Security Gateway
module you wish to debug.
fw ctl debug 0 : Returns all flags in all gateways to their default values, releases
the debug buffer (if there was one).
fw ctl debug [-d <comma separated list of strings>]: Only lines containing these
strings are included in the output
fw ctl debug [-d <comma separated list of ^strings>]: Lines containing these
strings are omitted from the output
fw ctl debug [-s <string>]
fw ctl debug -h
fw ctl debug –x

fw ctl affinity : Sets CoreXL affinities when using multiple processors. For an
explanation of kernel, daemon and interface affinities.

The fw ctl affinity command is different for a VSX Gateway and a Security
Gateway: VSX Gateway - Use the -d parameter to save the CoreXL affinity settings
after you reboot it
Security Gateway - The CoreXL affinity settings are not saved after you reboot it
Syntax
> fw ctl affinity -s <proc_selection> <cpuid>
<proc_selection>
fw ctl affinity –l: Lists existing CoreXL affinities when using multiple processors.
Syntax
> fw ctl affinity -l [<proc_selection>] [<listtype>]

fw ctl engine Description Enables the INSPECT2C engine, which dynamically


converts INSPECT code to C code. Run the command on the Check Point Security
Gateway.
Syntax
> fw ctl engine {on|off|stat|setdefault}

fw fetch : Fetches the Inspection Code from the specified host and installs it to
the kernel.
Syntax
> fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...

fw fetchlogs: fw fetchlogs fetches Log Files from a remote machine. You can use
the fw fetchlogs command to transfer Log Files to the machine on which the fw
fetchlogs command is executed. The Log Files are read from and written to the
directory $FWDIR/log.
fw hastat The fw hastat command displays information about High Availability
machines and their states.
Syntax
> fw hastat [<target>]

fw isp_link: Takes down (or up) a redundant ISP link.


Syntax
> fw isp_link [<target>] <link-name> {up|down}

fw kill: Prompts the kernel to shut down all firewall daemon processes. The
command is located in the $FWDIR/bin directory on the Security Management
server or gateway machine.
The firewall daemons and Security servers write their pids to files in the
$FWDIR/tmp directory upon startup. These files are named
$FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the
firewall snmp daemon is: $FWDIR/tmp/snmpd.pid.
Syntax
> fw kill [-t <sig_no>] <proc-name>

fw lichosts: Print a list of hosts protected by Security Gateway products. The list
of hosts is in the file $fwdir/database/fwd.h
Syntax
> fw lichosts [-x] [-l]

fw log: fw log displays the content of Log files.

Syntax
> fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>]
[-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>]
[-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

-f [-t]: follow the log as it grows; the -t parameter indicates that the display
is to begin at the end of the file.
-n: Do not perform DNS resolution of the IP addresses in the Log file.
-l: Display both the date and the time for each log record.
-o: Show detailed log chains (all the log segments a log record consists of).
-c <action>: Display only events whose action is <action>, that is, accept, drop,
reject, authorize, deauthorize, encrypt or decrypt.
-h <host>: Display only logs whose origin is the specified IP address or name.
logfile: Use logfile instead of the default Log file. The default Log File is
$FWDIR/log/fw.log.
fw logswitch: fw logswitch creates a new active Log File. The current active Log
File is closed and renamed by default to $FWDIR/log/<current_time_stamp>.log
unless you define an alternative unique name. A Security Management server can
use fw logswitch to change a Log File on a remote machine and transfer the Log
File to the Security Management server. The Log Files on a remote machine can be
listed with fw lslogs.

fw monitor: fw monitor is a powerful built-in tool to simplify the task of capturing
network packets at multiple capture points within the firewall chain (i, I, o, O:
before and after inbound inspection, before and after outbound inspection). These
packets can be inspected later with industry-standard tools such as Wireshark. In
many deployment and support scenarios capturing network packets is an essential
function. tcpdump or snoop are the tools normally used for this task; fw monitor
provides even better functionality but avoids many requirements and risks of
these tools, because it runs inside the kernel module rather than putting the
interface into promiscuous mode.

> fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>]
[-m <mask>] [-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>]
[-pO <pos>] | -p all] [-a] [-ci <count>] [-co <count>] [-h] [-T]

-u|s: print the UUID or the SUUID.
-i: flush the standard output.
-d, -D: debug fw monitor.
-e <expr> | -f <filter-file> | -f -: filter fw monitor packets (INSPECT expression,
filter file, or filter read from standard input).
-l <len>: limit the packet length.
-m <mask>: set capture masks (which of the i, I, o, O points to capture).
-x <offset>[,<len>]: print packet/payload data.
-o <file>: write output to a file, readable by Wireshark.

fw lslogs: Display a list of Log Files residing on a remote or local machine. You
must initialize SIC between the Security Management server and the remote
machine.
Syntax
> fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r]
[<machine>]

fw putkey: Install a Check Point authentication password on a host. This password


is used to authenticate internal communications between Security Gateways and
between a Check Point Security Gateway and its Security Management server. A
password is used to authenticate the control channel the first time
communication is established. This command is required for backward
compatibility scenarios.

Syntax
> fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p
<pswd>] <host>...

fw repairlog: fw repairlog rebuilds a Log file's pointer files. The three files:
name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from
data in the specified Log file. The Log file itself is modified only if the -u flag is
specified.
Syntax
fw repairlog [-u] <logfile>

fw stat: Use fw stat to view the policy installed on the gateway, and which
interfaces are being protected.
Note - The cpstat command is an enhanced version of fw stat
Syntax
> fw stat -l
> fw stat –s

fw tab: The fw tab command shows data from the kernel tables, and lets you
change the content of dynamic kernel tables. You cannot change the content of
static kernel tables.
Kernel tables (also known as State tables) store data that the Firewall and other
modules in the Security Gateway use to inspect packets. These kernel tables are
the "memory" of the virtual computer in the kernel and are a critical component
of Stateful Inspection. The kernel tables are dynamic hash tables in kernel
memory.
Syntax
fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]
-t: Specifies a table for the command.
-s: Shows a short summary of the table(s) data.
-c: Shows formatted table information in common format.
-f: Shows a formatted version of the table data. Each table can use a different
style.
-o: Writes the output to the CL formatted file <filename>.
-r: Resolves IP addresses in formatted output.
-u: Shows unlimited table entries.
-m: Sets the maximum number of table entries that are shown to <maxval>.
-a|-x: Adds (-a) or removes (-x) an entry from the specified table.
-e: One or more entries that you add to or remove from the table.
-y: Does not show a prompt to users before they run commands.

fw ver: Display the Security Gateway major and minor version number and build
number.

Syntax
> fw ver [-k][-f <filename>]
fwm: Performs management operations on the Security Gateway. It controls fwd
and all Check Point daemons.
Syntax
> fwm

fwm dbimport: Imports users into the Check Point User Database from an
external file. You can create this file yourself, or use a file generated by fwm
dbexport.
Syntax
> fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <del>]
-m: If an existing user is encountered in the import file, the user's default values
will be replaced by the values in the template.
-s: Suppresses the warning messages issued when an existing user's values are
changed by values in the import file.
-v: Verbose mode.
-r: fwm dbimport will delete all existing users in the database.
-k: Continue processing until <errors> errors are encountered. The line count in
the error messages starts from 1, including the attributes line and counting
empty or commented-out lines.
-f: The name of the import file. The default import file is
$FWDIR/conf/user_def_file
-d: Specifies a delimiter different from the default value (;).

fwm expdate: Modify the expiration date of all users and administrators.
Syntax
> fwm expdate dd-mmm-1976

fwm dbexport: Export the Check Point User Database to a file. The file may be in
one of the following formats:
The same syntax as the import file for fwm dbimport
LDIF format, which can be imported into an LDAP server using ldapmodify
To export the User Database to a file that can be used with fwm dbimport:
> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ]
[-f file] ]
To export the User Database as an LDIF file:
> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]

fwm dbload : Download the user database and network objects information to
selected targets. If no target is specified, then the database is downloaded to
localhost.
Syntax
> fwm dbload {-all|-conf <conffile>} [<targets>]

fwm load: Compile and install a Security Policy or a specific version of the Security
Policy on the target's Security Gateways. This is done in one of two ways:
fwm load compiles and installs an Inspection Script (*.pf) file on the designated
Security Gateways.
fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection
Script (*.pf) file then installs it to the designated Security Gateways.
Syntax > fwm load [-p <plug-in>] [-S] <rulebase> <targets>
-S: The targets are UTM-1 Edge gateways.
-p: Specifies the product name <plug-in>, if applicable.
<rulebase>: A Rule Base created by the GUI. Specify the name of the rulebase,
such as Standard (case sensitive).

fwm lock_admin: View and unlock locked administrators.
Syntax > fwm lock_admin [-v] [-u <administrator>] [-ua]

fwm logexport: fwm logexport exports the Log file to an ASCII file.
Syntax > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p] [-f] [-m {initial|semi|raw}] [-a]

fwm sic_reset: Reset the Internal CA and delete all the certificates issued by the
Internal CA, and the Internal CA itself. After running sic_reset, the ICA should be
initialized through the cpconfig command. After this command is run, all IKE
certificates issued by the Internal CA should be removed (using SmartConsole).
Syntax > fwm sic_reset

fwm unload <targets>: Uninstall the currently loaded Inspection Code from
selected targets.
Syntax > fwm unload <targets> [-all|-c <conffile>]

fwm ver: fwm ver shows the build number.
Syntax > fwm ver [-f <filename>]

ldapcmd: ldapcmd is used to manage processes running on the Security Gateway,
collectively or individually. It includes:
Cache
Cache operations, such as emptying the cache, as well as providing debug
information.
Statistics
Lookup statistics such as:
All user search

Logging
View the alert and warning log regarding debug.
Syntax
# ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]

ldapcompare: ldapcompare is used to perform compare queries that print a
message stating whether the result returned a match or not. ldapcompare opens a
connection to an LDAP directory server, binds, and performs the comparison
specified on the command line or from a specified file.
Syntax
# ldapcompare -d [<options>] dn <attribute> <value>
ldapconvert: ldapconvert is a utility program to port from Member mode to
MemberOf mode. This is done by searching all specified group/template entries
and fetching their Member attribute values.
Each value is the DN of a member entry. The entry identified by this DN has the
group/template DN at hand added as a MemberOf attribute value. In addition,
those Member attribute values are deleted from the group/template unless Both
mode is specified.
While running the program, a log file named ldapconvert.log is generated in the
current directory, logging all modifications done and errors encountered.
Syntax
> ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>] -m mem_attr -o memberof_attr -c memberobjectclass [<extra options>]
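The Member to MemberOf conversion described above, modelled on an in-memory directory as an added example (this is not Check Point's ldapconvert code). It assumes entries are dicts keyed by DN with lower-case attribute names, and returns the ldapconvert.log lines instead of writing a file; the sample directory and the dangling member DN are constructed.

```python
"""Member -> MemberOf conversion of the kind ldapconvert performs, modelled on
an in-memory directory.  Added example, not Check Point's ldapconvert code.
Assumed (not stated on the page): entries are dicts keyed by DN with
lower-case attribute names, and the ldapconvert.log content is returned as a
list of lines rather than written to the current directory."""
from copy import deepcopy

ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
VPN = "cn=vpn,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
GHOST = "uid=ghost,ou=people,dc=example,dc=com"  # member DN with no entry

# Constructed sample directory (not real data): two groups, three people.
SAMPLE_DIR = {
    ADMINS: {"objectclass": ["groupOfNames"], "member": [ALICE, BOB]},
    VPN: {"objectclass": ["groupOfNames"], "member": [BOB, GHOST]},
    ALICE: {"objectclass": ["person"]},
    BOB: {"objectclass": ["person"]},
    CAROL: {"objectclass": ["person"]},
}


def convert(directory, group_dns, mem_attr="member",
            memberof_attr="memberof", both=False):
    """Return (converted_directory, log_lines) without touching the input.

    For every group/template DN in group_dns, each value of mem_attr is the
    DN of a member entry; that entry receives memberof_attr=<group DN>.
    Unless both=True (the page's 'Both mode'), the Member attribute is then
    deleted from the group.  A member DN that has no entry cannot be updated,
    so it is logged as an error and skipped."""
    d = deepcopy(directory)
    log = []
    for gdn in group_dns:
        group = d.get(gdn)
        if group is None:
            log.append(f"ERROR group/template not found: {gdn}")
            continue
        for mdn in group.get(mem_attr, []):
            entry = d.get(mdn)
            if entry is None:
                log.append(f"ERROR member entry not found: {mdn} (in {gdn})")
                continue
            values = entry.setdefault(memberof_attr, [])
            if gdn not in values:            # idempotent on a second run
                values.append(gdn)
                log.append(f"MODIFY {mdn}: add {memberof_attr}={gdn}")
        if not both and mem_attr in group:
            del group[mem_attr]
            log.append(f"MODIFY {gdn}: delete {mem_attr}")
    return d, log


def member_of(directory, dn, memberof_attr="memberof"):
    """Group DNs an entry now lists in its MemberOf attribute (empty if none)."""
    return list(directory.get(dn, {}).get(memberof_attr, []))


if __name__ == "__main__":
    converted, log = convert(SAMPLE_DIR, [ADMINS, VPN])
    print("\n".join(log))
    print("bob is memberOf:", member_of(converted, BOB))
```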
ldapmodify: ldapmodify imports users to an LDAP server. The input file must be
in the LDIF format.
Syntax
# ldapmodify -a -c -d -h <host> -p <port> -D <LDAPadminDN> -p <LDAPadminPassword> -f <exportfilename>.ldif -d

ldapsearch: ldapsearch queries an LDAP directory and returns the results.
Syntax
ldapsearch [options] filter [attributes] -d

log_export: log_export is a utility that allows you to transfer Log data to an
external database. This utility behaves as a LEA client. LEA (Log Export API)
enables Security Gateway Log data to be exported to third-party applications.
log_export receives the Logs from the Security Management server via LEA, so it
can be run from any host that has a SIC connection with the Security
Management server and is defined as an OPSEC host. To run log_export, you need
a basic understanding and a working knowledge of:
Oracle database administration
LEA
Syntax
# log_export [-f <conf_file>] [-l <lea_server_ip_address>] [-g <log_file_name>,<log_file_name>,...] [-t <database_table_name>] [-p <database_password>] [-h] [-d]

rs_db_tool: rs_db_tool is used to manage DAIP gateways in a DAIP database.
Syntax
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip>
<-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >

sam_alert: This tool executes FW-1 SAM (Suspicious Activity Monitoring) actions
according to information received through Standard input. This tool is for
executing FW-1 SAM actions with the FW-1
User Defined alerts mechanism.
Syntax
sam_alert [-o] [-v] [-s <sam_server>] [-t <timeout>] [-f <fw_host1> <fw_host2>...] [-C] [-n|-i|-I -src|-dst|-any|-srv]

svr_webupload_config: This utility is used to configure the SmartReporter web
upload script.
Syntax
# svr_webupload_config [-i <perl_int_loc>] [-p <rep_dir_root>]

VPN Commands
vpn crl_zap: Erase all Certificate Revocation Lists (CRLs) from the cache.
Usage vpn crl_zap
Return Value 0 for success; any other value equals failure.

vpn crlview: Retrieve the Certificate Revocation List (CRL) from various
distribution points and display it for the user. The command comes in three
flavors:
vpn crlview -obj <MyCA> -cert <MyCert>. The VPN daemon contacts the
Certificate Authority called MyCA and locates the certificate called MyCert. The
VPN daemon extracts the certificate distribution point from the certificate, then
goes to the distribution point, which might be an LDAP or HTTP server. From the
distribution point, the VPN daemon retrieves the CRL and displays it on the
standard output.
vpn crlview -f d:\temp\MyCert. The VPN daemon goes to the specified
directory, extracts the certificate distribution point from the certificate, goes to
the distribution point, retrieves the CRL, and displays the CRL on the standard
output.
vpn crlview -view <latest_CRL>. If the CRL has already been retrieved, this
command instructs the VPN daemon to display its contents on the standard
output.
Usage vpn crlview -obj <object name> -cert <certificate name>
vpn crlview -f <filename>
vpn crlview -view

vpn debug: Instruct the VPN daemon to write debug messages to the VPN log file.
To debug all available topics, use ALL for the debug topic.
IKE traffic can also be logged. IKE traffic is logged to $FWDIR/log/IKE.elg
Usage vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon | ikeoff | trunc | timeon <SECONDS> | timeoff >
vpn debug on DEBUG_TOPIC=level | off | timeon <SECONDS> | timeoff
vpn debug ikeon | ikeoff | timeon | timeoff
vpn debug trunc

vpn drv: Install the VPN kernel (vpnk) and connect to the firewall kernel (fwk),
attaching the VPN driver to the Firewall driver.
Usage vpn drv on|off
vpn drv stat

vpn tu: Launch the TunnelUtil tool, which is used to control VPN tunnels.
Usage vpn tu
vpn tunnelutil

Output
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit

vpn ver: Display the VPN major version number and build number.
Usage vpn ver [-k] -f <filename>

SmartView Monitor Commands

rtm debug: Send debug printouts to the $FWDIR/log/rtmd.elg file.
Usage rtm debug <on | off> [OPSEC_DEBUG_LEVEL | TDERROR_<AppName>_<Topic>=<ErrLevel>]

rtm drv: Start, stop or check the status of the SmartView Monitor kernel driver.
Usage rtm drv <on | off | stat>

rtm monitor <module_name> {<interface_name>|-filter "<complex filter>"}: Starts
the monitoring process and specifies parameters for monitoring an interface.
Usage rtm monitor <module_name> <interface_name> [options] -g <grouping>
[entity-1...entity-n]
or
rtm monitor <module_name> -filter ["complex filter"] [options] -g <grouping>
[entity-1...entity-n]
-a: <aggregate|individual>
-w: <bandwidth|loss|rtt>
-t: <wire|application>
-i: <number of seconds>
@@: specifies a subrule (for example, 'rule@@subrule')
-d: Specifies one of the following monitor directions: inbound, outbound,
eitherbound
-y: Specifies one of the following measurement units: bytes, pkts, line
C: Average concurrent connections
-a: Aggregate - displays a specific type of connections as an aggregate.
-g: Specifies one of the following grouping options for monitored traffic:
Src: Monitors according to a network object (source only).
Dst: Monitors according to a network object (destination only).
Ip: Monitors according to a network object (source and destination).

rtm monitor <module_name> -v <virtual_link_name>: Starts the monitoring
process and specifies parameters for monitoring a Virtual Link.
Usage rtm monitor <module_name> -v <virtual_link_name> [options] entity-1...
entity-n

rtm rtmd: Start the SmartView Monitor daemon manually. This also happens
when rtmstart is run.
Usage rtm rtmd

rtm stat Display the general SmartView Monitor status. In addition, it displays the
status of the daemon, driver, opened views and active virtual links.
Usage rtm stat [flavor(s)] [-h] [-v[v][v]]

rtm ver: Display the SmartView Monitor version.
Usage rtm ver [-k]

rtmstart: Load the SmartView Monitor kernel module and start the SmartView
Monitor daemon.
Usage rtmstart

rtmstop: Kill the SmartView Monitor daemon and unload the SmartView Monitor
kernel module.
Usage rtmstop

ClusterXL Commands
cphaprob: The cphaprob command verifies that the cluster and the cluster
members are working properly.

cphastart: Running cphastart on a cluster member activates ClusterXL on the
member. It does not initiate full synchronization. cpstart is the recommended way
to start a cluster member.

cphastop: cphastop on a cluster member stops the cluster member from passing
traffic. State synchronization also stops. It is still possible to open connections
directly to the cluster member. In High Availability Legacy mode, running
cphastop may cause the entire cluster to stop functioning.

Identity Awareness Commands:

PDP - The process on the Security Gateway responsible for collecting and
sharing identities.
PEP - The process on the Security Gateway responsible for enforcing network
access restrictions. Decisions are made according to identity data collected from
the PDP.
AD Query - AD Query is the module responsible for acquiring identities of
entities (users or computers) from the AD (Active Directory). AD Query was called
Identity Logging in previous versions and in some cases is also referred to as AD
Log. adlog is the command line process used to control and monitor the AD
Query feature.
test_ad_connectivity - A utility that runs connectivity tests from the Security
Gateway to an AD domain controller. The PEP and PDP processes are key
components of the system. Through them, administrators control user access and
network protection.
AD Query can run either on a Security Gateway that has been enabled with
Identity Awareness or on a Log Server. When it runs on a Security Gateway, AD
Query serves the Identity Awareness feature and gives logging and policy
enforcement. When it runs on a Log Server, AD Query gives identity logging. The
command line tool helps control users' statuses as well as troubleshoot and
monitor the system.
The test_ad_connectivity utility runs over both the LDAP and WMI protocols. It is
usually used by the SmartDashboard Identity Awareness first time wizard, but you
can run it manually on the Security Gateway.

pdp: These commands control and monitor the PDP process.
Syntax # pdp [command]... <parameter>
<none>: Display available options for this command and exit.
debug: Control debug messages.
tracker: Tracker options.
connections: pdp connections information.
network: pdp network information.
status: pdp status information.
control: pdp control commands.
monitor: Display monitoring data.
update: Recalculate users and computers group membership (deleted accounts
will not be updated).
ad: Operations related to AD Query.
timers: Show pdp timers information.
pdp connections These commands assist in monitoring and synchronizing the
communication between the PDP and the PEP.
Syntax # pdp connections <parameter>

pdp control Provides commands to control the PDP process.
Syntax # pdp control <parameter> <option>
pdp network Shows information about network related features.
Syntax # pdp network <parameter>

pdp debug Activates and deactivates the debug logs of the PDP daemon.
Syntax # pdp debug <parameter> <option>
pdp tracker Adds the TRACKER topic to the PDP logs (on by default). This is very
useful when monitoring the PDP-PEP identity sharing and other communication
on distributed environments. This can be set manually by adding the TRACKER
topic to the debug logs.
Syntax # pdp tracker <parameter>(on/off)
pdp update Initiates a recalculation of group membership for all users and
computers. Note that deleted accounts will not be updated.
Syntax # pdp update <parameter>
pdp ad associate For AD Query, adds an identity to the Identity Awareness
database on the Security Gateway. The group data must be in the AD.
Syntax # pdp ad associate ip <ip> u <username> d <domain> [m <machine>] [t
<timeout>] [s]

pdp ad disassociate Removes the identity from the Identity Awareness database
on the Security Gateway. Identity Awareness does not authenticate a user that is
removed.
Syntax # pdp ad disassociate ip <ip> {u <username>|m <machine>} [r
{probed|override|timeout}]

pep: Provides commands to control and monitor the PEP process.
Syntax # pep [command]... <argument>
Parameter Description
tracker: Tracker options.
show: Display PEP information.

pep show: Displays information regarding pep status.
Syntax # pep show <parameter> <option>

pep show user: Enables monitoring the status of sessions that are known to the
PEP. You can perform varied queries according to the usage below to get the
output you are interested in.
Syntax # pep show user all

pep show pdp:
Enables monitoring the communication channel between the PEP and the PDP.
The output displays the connect time and the number of users that were shared
through the connection.
Syntax # pep show pdp <parameter>

pep show stat Shows the last time the daemon was started and the last time a
policy was received. Important - Each time the daemon starts, it loads the policy
and the two timers (Daemon start time and Policy fetched at) will be very close.
Syntax # pep show stat

pep show network Shows network related information.
Syntax # pep show network <parameter>

IPS Commands:

ips bypass stat
Usage - ips bypass stat
Comments - Shows this information:
IPS bypass mode - on or off
CPU thresholds
Memory thresholds

ips bypass on|off - Manages IPS bypass. When IPS bypass is enabled:
When the CPU or memory goes above the high threshold, IPS enters bypass mode
and is automatically disabled.
When the CPU or memory goes below the low threshold, IPS exits bypass mode
and is automatically enabled.
Usage - ips bypass {on|off}

ips bypass set Configures the thresholds for the ips bypass command.
Usage - ips bypass set {cpu|mem} {low|high} <th>
cpu: Configure the CPU threshold.
mem: Configure the memory threshold.
low: Configure the lower threshold to exit bypass mode.
high: Configure the higher threshold to enter bypass mode.
<th>: The CPU or memory threshold value.
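The two-threshold behaviour behind ips bypass on|off and ips bypass set, modelled in Python as an added example (not Check Point's IPS code): IPS is disabled when CPU or memory rises above the high threshold and re-enabled only once usage falls below the low threshold, so load hovering between the two does not flap IPS on and off. It assumes thresholds and readings are whole-number percentages and that bypass ends only when both CPU and memory are below their low thresholds; the load trace is constructed.

```python
"""Hysteresis behind 'ips bypass': IPS is turned off when CPU or memory
rises above the high threshold and turned back on only once usage falls
below the low threshold, so a load hovering between the two does not flap
IPS on and off.  Added example, not Check Point's IPS code.  Assumed (not
on the page): thresholds and readings are whole-number percentages, and
bypass ends only when both CPU and memory are below their low thresholds."""
from dataclasses import dataclass, field


@dataclass
class Thresholds:
    low: int    # 'ips bypass set {cpu|mem} low <th>'  -> exit bypass below this
    high: int   # 'ips bypass set {cpu|mem} high <th>' -> enter bypass above this

    def __post_init__(self):
        # low must stay under high, otherwise the gateway would enter and
        # leave bypass on consecutive readings.
        if not 0 <= self.low < self.high <= 100:
            raise ValueError("need 0 <= low < high <= 100")


@dataclass
class IpsBypass:
    cpu: Thresholds = field(default_factory=lambda: Thresholds(70, 90))
    mem: Thresholds = field(default_factory=lambda: Thresholds(70, 90))
    enabled: bool = False      # 'ips bypass on|off'
    in_bypass: bool = False    # True while IPS is automatically disabled

    def sample(self, cpu_pct, mem_pct):
        """Apply one CPU/memory reading; return True if IPS is inspecting."""
        if not self.enabled:
            self.in_bypass = False
            return True
        if not self.in_bypass:
            if cpu_pct > self.cpu.high or mem_pct > self.mem.high:
                self.in_bypass = True       # IPS leaves the data path
        elif cpu_pct < self.cpu.low and mem_pct < self.mem.low:
            self.in_bypass = False          # IPS automatically re-enabled
        return not self.in_bypass

    def stat(self):
        """What 'ips bypass stat' would report for this configuration."""
        return {
            "bypass": "on" if self.enabled else "off",
            "in_bypass_now": self.in_bypass,
            "cpu": (self.cpu.low, self.cpu.high),
            "mem": (self.mem.low, self.mem.high),
        }


def simulate(bypass, readings):
    """Run (cpu, mem) readings in order; return the inspecting flag per step."""
    return [bypass.sample(c, m) for c, m in readings]


if __name__ == "__main__":
    # Constructed load trace: spike, slow recovery, then a mid-range plateau.
    trace = [(50, 40), (95, 40), (80, 40), (75, 40), (60, 40), (80, 40)]
    gw = IpsBypass(enabled=True)
    print(simulate(gw, trace))   # [True, False, False, False, True, True]
    print(gw.stat())
```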
ips debug Shows the IPS debug information.
Usage - ips debug [-e <filter>] -o <outfile>
INTERVIEW QUESTIONS
KPIT HP
1. What is a VLAN?
2. How do you configure a VLAN on an L2 switch?
3. What is a Layer 3 VLAN?
4. How many TCP flags are there? Name them.
5. What is window size?
6. What is fragmentation?
7. OSPF LSA types.
8. Explain LSA type 5.
9. Both HSRP routers become active during bootup. How will you
troubleshoot?
10. What changes occur in a packet when it goes from one host to another
host traversing a switch and two routers?
11. What are NAT and PAT? Explain with an example.
12. Why do we apply an ACL from inside to outside for ICMP even though traffic
from inside to outside is allowed by default on the ASA?
13. How will a switch connected to failover firewalls know when FW1 fails and
FW2 becomes active?
14. VPN 9-packet negotiation.
15. IPsec parameters.
16. What is a firewall? What is a stateful firewall?
17. NAT definition: static NAT, dynamic NAT, identity NAT, NAT exemption,
NAT control.
18. Mechanism of NAT and how NAT works.
19. NAT order.
20. How does packet flow work? If a packet from inside is being dropped while
going outside, how will you trace it?
21. Active FTP and passive FTP concepts on the ASA.
22. What are inspection and MPF?
23. How can we know whether our inspection is working with NAT? Give the command.
24. IPsec: (i) phases and modes; (ii) troubleshooting when the tunnel is down
(phase I is up); (iii) aggressive mode.
25. SSL VPN.
26. Will a ping between interfaces at the same security level work or not?
Same-security-traffic permit intra-interface (to allow U-turning traffic)
Same-security-traffic permit inter-interface (for communication between
DMZ and DMZ-2 having the same security level)
27. IP spoofing.
28. DNS doctoring.
29. Site-to-site VPN configuration on the ASA.
30. On which port does SSL VPN work?
31. Difference between SSL VPN and WebVPN.
32. Stateful firewall.
33. What is packet tracer?
34. What is an IP address? Private IP addresses.
35. Does a switch work on MAC addresses or IP addresses?
36. Which class does 10.1.1.0/24 belong to?
37. FWSM (ASA Firewall Services Module).

Q1. Tell me about yourself.
Q2. How do ping, traceroute and the Windows tracert work?
Q3. How does a routing loop / switching loop occur on a router / switch?
Q4. TCP handshake? Give some examples of troubleshooting you did in your company.
Q5. Why is it first necessary to set up the 3-way handshake?
Q6. What does SSL mean?
Q7. Modes of IPsec.
Q8. Hashing mechanism, encryption mechanism, ESP.
Q9. In the TCP 3-way handshake, what are the contents of the SYN packet?
Q10. Basic function of a firewall.
Q11. STP, PVST+.
Q12. OSPF.
Q13. Troubleshooting on a firewall.
Q14. Proxy firewall / cluster firewall.
Q15. Types of NAT and the basic difference between NAT and PAT.
Q16. Why do we need a DMZ on a firewall?
Q17. What do you know about IPsec?
Q18. Network architecture: how big was the network you worked on?

NET-APP
Q1. Transparent firewall.
Q2. Same security level: how can interfaces at the same level communicate with
each other?
Q3. IPsec / SSL VPN.
Q4. Types of NAT (order of NAT), static NAT configuration.
Q5. IPsec troubleshooting, phase I and II.
Q6. An external client wants to communicate with a web server located inside
the company.
Q7. Frame (preamble).
Q8. Tell us about your company project.
Q9. DNS.

First stage in NET-APP test
Q1. Stuck in Active.
Q2. FTP definition.
Q3. What is a subnet mask? Why do we use a subnet mask?
Q4. OSI layers.
Q5. TCP/IP layers.
Q6. What is DoS?
Q7. What is a private IP address and what are the ranges?
Q8. What is a VPN?
Q9. What is the use of a tunnel in a VPN?

IBM
Q1. What is a VLAN?
Q2. Function of HSRP.
Q3. Stuck in Active.
Q4. AD of OSPF.
Q5. A.D. and F.D. of EIGRP.
Q6. Role of area 0.

Q7. In this scenario, the host should be communicating with the server. What
will the routing be?
Q8. Zero downtime on an ASA firewall.
Q9. Site-to-site VPN (modes and 9-packet negotiation).
Q10. SSL VPN packet transfer.
Q11. In the scenario below, the PC wants to ping the internet but the traffic is
dropping. What will you troubleshoot? Scenario is below.

Q12. Difference between ABR and ASBR.
Q13. What is the AD value of OSPF?
Q14. In the scenario below, how will PC A communicate with PC B?

Q15. In this scenario, will inside communicate with or ping outside?

CSS CORP
Q1. TCP windowing.
Q2. MTU and MSS.
Q3. DHCP DORA.
Q4. TCP sequence number.
Q5. VPN 9 packets.
Q6. DORA packet types.
Q7. Does a UDP packet have a sequence number?
Q8. After windowing, if one segment gets dropped at the receiver end, what does
the receiver send to the sender so as to get the dropped packet?
Q9. In this scenario PC-3 is getting an APIPA address. What will you troubleshoot?
Q10. Difference between NACK and ACK.
Q11. Difference between Main Mode and Aggressive Mode.
Q12. SSL handshake.
Q13. Why do we use a VPN?
Q14. In this scenario, how does C come to know that a fragment has been
rejected, and how does C know which one is the first/last fragment?

IBM
Q1. Tell me about yourself and your day-to-day job responsibilities.
Q2. What is the most difficult troubleshooting you faced in your previous company?
Q3. One site is in India and the other site is in the USA. Create a site-to-site
tunnel and tell us the configuration part.
Q4. Which command checks that the tunnel is up?
Q5. VPN: show the connected VPN sessions.
Q6. On a firewall, how do you check the configuration of a cluster, i.e. a context?
Q7. There are two firewalls, an ASA 5520 and an ASA 5510. We are trying to
cluster them but it is not working. What will you troubleshoot?
Q8. Why are you leaving this job?
Q9. Difference between the 5505 and 5510 firewalls.

ACCENTURE
Q1. In this scenario, I was able to work with the printer before. I updated the
printer firmware and now I am not able to work with the printer, although I am
able to ping the printer's IP address.
Q2. What is the packet capture command?
Q3. What is hairpinning?
Q4. In this scenario, my IPs 10.10.10.1 and 20.20.20.1 are NATted, and I want to
communicate with destination IPs 30.30.30.1 and 40.40.40.1. What type of NAT
will I use?

Q5. What is DNS doctoring?
Q6. What is NAT exemption?
Q7. Identity NAT.
Q8. Types of NAT and NAT order.
Q9. OSPF LSA.
Q10. F5 load balancer (iRule, static load balancing, dynamic load balancing, HTTP
and HTTPS iRule).

CGI
Q1. EIGRP, OSPF, STP, VLAN, RSTP.
Q2. Firewall hardening.
Q3. Difference between an L3 and an L2 switch.
Q4. Difference between MPLS and L2.
Q5. Site-to-site VPN and IPsec VPN.
Q6. Failover is running between two firewalls, both connected to a switch. How
will the switch find out which firewall is active and which is standby?
Q7. 3-tier architecture of Checkpoint.
Q8. How to add a policy in Checkpoint.
Q9. Packet flow of Checkpoint.

WIPRO
Q1. Day-to-day job responsibilities.
Q2. Cisco ASA: differences between 8.2, 8.4 and 8.6.
Q3. Checkpoint version.
Q4. What is SIC? Why do we need SIC? Where do we configure SIC in Checkpoint?
How many SICs can be formed?
Q5. Difference between the OSI model and the TCP/IP model.
Q6. TCP flags and the 3-way handshake.
Q7. What is a proxy server?
Q8. What are a forward proxy and a reverse proxy?
Q9. What is DNS and how does it work?
Q10. Password recovery on a router.
Q11. Chassis of a Nexus switch.

UNKNOWN
Q1. Packet flow between a PC and the internet.
Q2. Packet flow in a Checkpoint firewall.
Q3. Packet flow in a Cisco ASA.
Q4. TCP states.
Q5. Example of the session layer.
Q6. Which OSI layer decides whether a packet moves outside or remains inside?
Q7. How will you troubleshoot if your PC is not getting connected to the internet?

TEK SYSTEMS
Q1. Tell me about yourself and your day-to-day job responsibilities.
Q2. We want to upgrade from 8.2 to 9.0 with zero downtime.
Q3. Difference between site-to-site VPN and IPsec VPN.
Q4. How does phase 1 work?
Q5. What will you troubleshoot when we get MM_MO_ACTIVE in VPN?
Q6. Is it necessary to create phase 1 for phase 2?
Q7. A duplicate IP address is being detected in my network. What will you
troubleshoot for it?
Q8. When did you feel offended in your previous organization?
Q9. How does the network know that a router is stuck in active?
Q10. LSA type 7.
Q11. BPDU Guard is enabled in our network. If we add a new switch to the
network, what type of message is displayed on the switch?
Q12. In this scenario, one hour ago my PC was able to get to the internet. After
one hour the PC is not able to access yahoo.com. What will you troubleshoot?

Q13. What are the phases of a site-to-site VPN?
Q14. What are the modes of IPsec VPN?
Q15. What are the parameters of phase I?
Q16. What is MDS?
Q17. Three important things to run a company network.
Q18. What is IP spoofing? And what is a spoofing attack?
Q19. How can we use anti-spoofing on the ASA?
Q20. What is a stealth rule? Why do we need it and what is its purpose?
Q21. Packet tracer command in the ASA.

HP (KPIT)
Q1. Failover is running between two firewalls, both connected to a switch. How
will the switch find out which firewall is active and which is standby?
Q2. Packet flow of Checkpoint.
Q3. In automatic NAT, how many rules will be created?
Q4. How do we make a backup using the CLI?
Q5. When a packet enters a router, how does the router work with the packet?

BAR
Q1. TCP 3-way handshake.
Q2. Packet level: which bit is getting set?
Q3. Difference between push and urgent.
Q4. Packet flow between two PCs.
Q5. ARP header size.
Q6. DHCP.
Q7. IPsec at packet level.
Q8. Difference between an ASA and a router.
Q9. SSL: how does SSL VPN work in the application layer?
Q10. Proxy ARP.
Q11. NAT on the ASA.
Q12. DNS doctoring.
Q13. FTP.
Q14. Where will we implement this in the firewall, i.e. active FTP and passive
FTP, and what are the problems?
Q15. IP fragmentation.
Q16. IP header: identification, offset field.
Q17. CSR for SSL VPN.
Q18. HTTP.
Q19. DHCP relay agent.
Q20. DHCP configuration parameters.
Q21. What will indicate a phase I failure on an IOS device?
Q22. What can be the various reasons for IPsec negotiation failure?
Q23. What is NAT-T?

FNF
Q1. How to change or reset the password on Cisco switches.
Q2. How to troubleshoot from the CLI when SmartView Tracker is not showing logs.
Q3. How to make a backup from the Checkpoint CLI.
Q4. Where are logs stored?
Q5. Where will the backup file be stored?
Q6. What is HSRP? (Discuss all of it.)
Q7. What is Etherchannel and why do we need it?
Q8. What are the protocols of Etherchannel?
Q9. How can we configure Etherchannel?
Q10. Command for port security.
Q11. What is the AD value of EIGRP and OSPF?
Q12. What are the AD values in EIGRP?
Q13. What is OSPF?
Q14. What is the difference between OSPF and EIGRP?
Q15. What is the difference between ABR and ASBR?
Q16. What are the states of OSPF? Explain.
Q17. What is the multicast IP address of OSPF?
Q18. What is an ACL?
Q19. Difference between standard and extended ACLs.
Q20. What are the types of ACL?
Q21. Configuration of a switch ACL.

TTNI
Q1. What is the difference between a Cisco ASA and Checkpoint?
Q2. What is SIC? What is its purpose?
Q3. Process for backup.
Q4. Difference between snapshot and backup.
Q5. What is a stealth rule and what is its purpose?
Q6. What is a cleanup rule and what is its purpose?
Q7. What is FWM?
Q8. What is PDP?
Q9. What is RTM?
Q10. What is tcpdump?
Q11. How can we check the logs between two gateways?
Q12. What are the firewall modes?
Q13. What is a context?
Q14. How do we create a context?
Q15. Where do we create a context, in a routed firewall or a transparent firewall?
Q16. What is a transparent firewall?
Q17. What is the difference between a switch and a transparent firewall?
Q18. Can we create a context in routed mode?
Q19. What is IPsec?
Q20. By default, which mode is available in IPsec?

MIND TREE
Q1. Suppose a switch is connected to a router and two PCs are connected to the
switch. How will PC A and PC B communicate? Here is the scenario.

Q2. Suppose four PCs (A, B, C, D) are connected to switch 1 and four PCs (E, F, G, H)
are connected to switch 2. In this scenario I want PC A to communicate with PC E.
What will be the steps for this task?

Q3. In this scenario, routers R1 and R2 are connected to SW1 and SW2. PC1 and
PC2 are connected to SW1 and SW2. PC1 and PC2 want to communicate with each
other. What will be the steps? Scenario is below.
Q4. What is dynamic configuration of a VLAN?
Q5. What is IPv4? Discuss in detail.
Q6. What are the TCP flags?
Q7. What is the reset flag and what is its purpose?
Q8. What is the three-way handshake?
Q9. What is the four-way handshake?
Q10. What is NAT?
Q11. What is the order of NAT?
Q12. What are dynamic NAT and dynamic PAT, and their syntax?
Q13. What is the packet tracer command? How does it check the packet?
Q14. What are the security parameters of IPsec phase 1?
Q15. By default, which mode is available in phase 1?
Q16. Phase 1 and phase 2 are active and data is being encrypted, but data is not
being decrypted. What is the troubleshooting for that?

CAPGEMINI
Q1. In the network there are two routers. On router R1 the protocol EIGRP is
running and on router R2 the protocol OSPF is running. PCs are connected to
routers R1 and R2. PC1 and PC2 want to communicate with the internet. Which
protocol will the PCs prefer? Scenario is below.
Q2. Now in this scenario the network of R1 is 192.1.1.0/24 and the network of R2
is 192.1.1.0/28. Now which protocol will the PCs prefer?

Q3. In this scenario PC1 is connected to SW1 and is in VLAN 10, and PC2 is
connected to SW2 and is in VLAN 20. How will these PCs communicate?

Q4. What is the difference between NAT and PAT?

HR Interview Questions
How long would you expect to work for us if hired?
As far as I can tell, this company has everything I’m looking for. I enjoy this type of
work and the benefits at this company are great. I am looking for a long term
position and if there are opportunities for advancement and growth here, then I
want to stay for a long time.

Are you willing to travel or relocate, if necessary?


Yes, I am OK with relocation, as it is an opportunity to learn something new
and visit new places. I love to travel and I can easily adapt to a new environment.

What is more important to you money or work?


Work is more important because without doing work we can't earn money.

Where do you see yourself after 5 years?


Five years from now I would like to see myself in a respectable position in the
company, where I can take decisions for the welfare of the company.

How do you handle criticism of your work?


Describe a time when your work was criticized and how you handled it.
I don't remember such an incident of criticism in my work career, but I always take
feedback from my colleagues and managers so that I can correct my
mistakes, improve my way of communicating and my working style, and never repeat
those mistakes again in future.

What are some of your achievements or accomplishments?

Why did you resign from your previous job?


I would like to thank my current company, which gave me a platform to start my
professional career and where I learned more professional skills.
I decided on a change, looking for better opportunities and more challenging work, in order to
grow professionally and financially.

What was the toughest challenge you have ever faced?


Tell me honestly about the strong points and weak points of your boss (company,
management team, etc.)
Strong points: good time management, good listener. Weakness: repeating
one thing so often that it is annoying.

Only because of weak points can our good points be recognized. My boss is
leading a team of talented people; he is an expert in handling pressure in tricky
situations, energetic, and he always took part in extracurricular activities with his
team, either organizing team fun or holidays outside town. I never noticed his
weak points. He is very helpful at every step of work whenever anyone needs it.

Why should I hire you from the outside when I could promote someone from
within?
From my own point of view, a new employee is someone who can bring
fresh ideas that can improve the company, which I think every company needs,
so I think your company deserves more interesting and new ideas, and I think I am
the best person suited to it.

How do you feel about reporting to a younger person?


Knowledge is the only thing which matters to me, not age. I would respect
his/her position and try to learn from him or her. I will take him or her as my inspiration to
grow thoroughly and work hard for it.
Why should I hire you?

What are your strengths and weaknesses?


MY STRENGTHS:
1. Dedication
2. Hard work
3. I like to work with team spirit
4. Punctuality is also one of my strengths
5. I also believe that success is achieved only with perfection

WEAKNESS:
1. I can't easily say no to a task, no matter what the task is!

What is the difference between confidence and over confidence?


Confidence is true trust in yourself that you can do it.

Overconfidence is trust in yourself beyond your ability and capability, i.e.
believing you shall do it in every condition.

If someone says, "I have the ability to complete this job," that is confidence, while
if someone says, "I'm the only person who can complete this job, and nobody else
should dare," that is overconfidence.
What is the difference between hard work and smart work?
For example, a teacher asks two students; they are:
1. Hard work
2. Smart work

Question: Tell me the answer to "what are the even numbers?"


1: He answered, "2, 4, 6, 8, 10, 12, 14, 16, 18, 20."
2: He answered, "all numbers divisible by 2 are even numbers."
How do you feel about working nights and weekends?
Be truthful:

nobody wants to work nights and weekends. But if the company gives growth and
provides full facilities, then everyone wants to work nights and weekends according
to the company's needs. And I am one of them.

Can you work under pressure?


I know working under pressure is difficult, but I will try my level best to
complete the project assigned to me within a specific time through time management
and scheduling.

What are your goals?


My short-term goal is to work in a reputed company like yours and to see
myself improving the way I do my work.
My long-term goal is to see myself in a respectable position and make my
parents happy.

Give me an example of your creativity.


Creativity is that which shows how we do the work smartly and in an extraordinary way
with the help of our brain.
E.g.: we can use a punching machine for cutting sheets if we don't have scissors.
How long would you expect to work for us if hired?
This is the job opportunity I have been looking for. This is the career path I've
been waiting for. I am ready to serve you as long as the company needs me.
What was the toughest decision you ever had to make?
Nothing is tough. It all lies in how you can convince yourself. Be practical, logical
and, most importantly, be positive about whatever decision you take.
Where do you see yourself five years from now?
On a scale of one to ten, rate me as an interviewer.
First of all, thank you, sir/ma'am, for giving me this opportunity. I think I am not the
right person to rate you, but still, it's an interview question. So I will say 9/10, because
nobody in the world is perfect; everybody needs improvement.
Thank you.

Do you have any questions for me?


∑ I would like to know about the job responsibilities and the training you would be
providing.
∑ And how will this profile improve my growth in my career?
∑ What type of projects are going on?
∑ What is the main target of this company?
