CCNA 1 Chapter 11 Build a Small Network


Six steps of troubleshooting methodology

1. Identify the problem.
The first thing that you need to be aware of when troubleshooting a problem is that the symptoms are not the problem. When troubleshooting, it is critical that you actually identify the underlying problem—what's actually causing the symptoms to manifest themselves. To do that, you should question the user. Ask detailed questions about when the symptoms occurred and why they may have occurred. If the user can re-create the issue for you, this can be extremely helpful. Determine what, if anything, has changed that may have caused the problem. Importantly, before you take any action, make a backup copy of the system so that you can preserve everything as it is.
Highlights:
● Question the user.
● Remember that the symptoms are not the underlying problem.
● Determine what has changed.
● Make a backup of the system before moving on.

2. Establish a theory of probable cause.
Once you have identified the base problem that is causing the symptoms, you will establish a list of probable causes. Once you have a list of all of the probable causes, use your technical knowledge to prioritize that list. Your list should have the probable causes listed from most likely to least likely. Incidentally, be sure to question the obvious. For instance, if the symptom is a power situation at the workstation, is the power cord plugged in and, if it is plugged in, is the outlet actually getting power? Additionally, if no probable cause can be determined, you will need to escalate the problem to a higher level.
Highlights:
● Make a list of probable causes.
● Using your knowledge, prioritize the list.
● Question the obvious (i.e., if the symptom is a power issue at the workstation, first check to make sure that the power cord is plugged in).
● Escalate to a higher level if a probable cause cannot be determined.

3. Test the probable cause theory to determine the actual cause.
Once you have established your theory of probable cause, you should take a moment to consider whether or not you can troubleshoot the issue on your own, or if escalating it to a higher authority is called for. If it falls within your capabilities, you will need to test your theory to determine if it is, indeed, the actual cause. Your theory was created from the most likely probable cause, so you need to determine how best to test it. If your theory is confirmed, you will move on to the next step. If the theory is disproved, you will need to go back to step two or step one, as needed, and work your way through the troubleshooting methodology.
Highlights:
● Create your theory from the most likely probable cause.
● If the theory is confirmed, move on to the next step.
● If the theory is not confirmed, go back to step two or step one (if needed).

4. Establish an action plan and execute the plan.
Once you have determined the actual cause by testing your probable cause, you will need to establish an action plan and then execute that plan. Simple problems will probably only need simple plans. However, if it is a complex problem, you may need to write out the plan so that you can be sure to execute it correctly. This is another opportunity to escalate the problem to a more senior level if necessary.
Highlights:
● Simple problems probably just need simple plans.
● Complex problems may need written-out action plans.
● Escalate to a higher level if required.

5. Verify full system functionality.
After you have executed your plan, you will need to verify that the system is fully functional. If everything works—that's great. Based on your findings and the issue, you may find that you have the opportunity to implement preventative measures so that the problem does not occur again. If full system functionality has not been restored, you will need to go back to step one and continue to work through the troubleshooting methodology.
Highlights:
● If everything works, great!
● If applicable, use your findings to implement preventative measures.
● If not everything works, go back to step one.

6. Document the process.
Once everything is fully functional, documenting the process becomes important. This is where you document findings, actions, and outcomes. When the problem occurs again, there will be information available to walk someone through the means of troubleshooting and resolving the issue. This documentation also captures a history of equipment and users so that perpetual issues become known and recorded. An important aspect of this is that both positive and negative outcomes should be documented. This can save time during future troubleshooting and prevent others from taking the same missteps you may have taken.
Highlights:
● Capture your findings, actions, and outcomes.
● Issues that need to be troubleshot may occur again.
● Documentation provides a history of equipment and users so that problem issues are known.

Resolve or Escalate?

In some situations, it may not be possible to resolve the problem immediately. A problem should be escalated when it requires a manager's decision, some specific expertise, or network access level unavailable to the troubleshooting technician. For example, after troubleshooting, the technician concludes a router module should be replaced. This problem should be escalated for manager approval. The manager may have to escalate the problem again as it may require the financial department's approval before a new module can be purchased. A company's policy should clearly state when and how a technician should escalate a problem.

Types of Firewalls

-Packet filtering firewall
-Stateful firewall
-Application gateway firewall (proxy firewall)
-Network address translation (NAT) firewall

FTP Server

A server using the FTP or Secure FTP protocol that downloads or uploads files to remote computers.

Interpreting Trace Messages

A trace returns a list of hops as a packet is routed through a network. The form of the command depends on where the command is issued. When performing the trace from a Windows computer, use tracert. When performing the trace from a router CLI, use traceroute, as shown in Figure 1. Figure 2 shows example output of the tracert command entered on Host 1 to trace the route to Host 2. The only successful response was from the gateway on Router A. Trace requests to the next hop timed out, meaning that the next hop router did not respond. The trace results indicate that there is either a failure in the internetwork beyond the LAN, or that these routers have been configured to not respond to echo requests used in the trace.

Denial of Service Attacks

Flooding a server with thousands of false requests to crash the network.

Web Server

HTTP: Hypertext markup language used to transfer information between web clients and web servers. Most web pages are associated with HTTP.

redundancy

Occurs when a task or activity is unnecessarily repeated

Types of threats

-information theft
-identity theft
-data loss/manipulation
-disruption of service

Whether wired or wireless, computer networks are essential to everyday activities. Individuals and organizations alike depend on their computers and networks. Intrusion by an unauthorized person can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in a loss of time and money due to damage or theft of important information or assets. Intruders can gain access to a network through software vulnerabilities, hardware attacks, or by guessing someone's username and password. Intruders who gain access by modifying software or exploiting software vulnerabilities are often called hackers. After the hacker gains access to the network, the four types of threats listed above may arise, as shown in the figure.

network baseline

A baseline that documents the network's current performance level and provides a quantitative basis for identifying abnormal or unacceptable performance. One of the most effective tools for monitoring and troubleshooting network performance is to establish a network baseline. Creating an effective network performance baseline is accomplished over a period of time. Measuring performance at varying times and loads will assist in creating a better picture of overall network performance. The output derived from network commands contributes data to the network baseline. One method for starting a baseline is to copy and paste the results from an executed ping, trace, or other relevant commands into a text file. These text files can be time stamped with the date and saved into an archive for later retrieval and comparison. Among the items to consider are error messages and the response times from host to host. If there is a considerable increase in response times, there may be a latency issue to address. Corporate networks should have extensive baselines, more extensive than we can describe in this course. Professional-grade software tools are available for storing and maintaining baseline information. In this course, we cover a few basic techniques and discuss the purpose of baselines.

identity theft

A crime that involves someone pretending to be another person in order to steal money or obtain benefits

brute force attack

A password-cracking program that tries every possible combination of characters.

Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack allows an individual to gain unauthorized access to information that they have no right to view. Access attacks can be classified into four types:
-Password attacks
-Trust exploitation
-Port redirection
-Man-in-the-middle

Basic Security Practices

Additional Password Security
Strong passwords are only as useful as they are secret. There are several steps that can be taken to help ensure that passwords remain secret. Using the global configuration command service password-encryption prevents unauthorized individuals from viewing passwords in plain text in the configuration file, as shown in the figure. This command causes the encryption of all passwords that are unencrypted. Additionally, to ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length command in global configuration mode.
Another way hackers learn passwords is simply by brute-force attacks, trying multiple passwords until one works. It is possible to prevent this type of attack by blocking login attempts to the device if a set number of failures occur within a specific amount of time.
Router(config)# login block-for 120 attempts 3 within 60
This command will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.

Exec Timeout
Another recommendation is setting exec timeouts. By setting the exec timeout, you are telling the Cisco device to automatically disconnect users on a line after they have been idle for the duration of the exec timeout value. Exec timeouts can be configured on console, VTY, and aux ports using the exec-timeout command in line configuration mode.
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 10
This command configures the device to disconnect idle users after 10 minutes.

Endpoint Security

An endpoint, or host, is an individual computer system or device that acts as a network client. Common endpoints, as shown in the figure, are laptops, desktops, servers, smartphones, and tablets. Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves human nature. A company must have well-documented policies in place and employees must be aware of these rules. Employees need to be trained on proper use of the network. Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.

Physical Security

An equally important vulnerability is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised. The four classes of physical threats are:
-Hardware threats - physical damage to servers, routers, switches, cabling plant, and workstations
-Environmental threats - temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
-Electrical threats - voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
-Maintenance threats - poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
These issues must be dealt with in an organizational policy.

Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA, or "triple A") network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and what actions they perform while accessing the network (accounting). The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on, as shown in the figure.

Data Loss and Manipulation

Breaking into a computer to destroy or alter data records.

ARP command

Can be used in either the Microsoft Windows® or UNIX environment to see which Layer 2 MAC address corresponds to a Layer 3 IP address. The arp command is executed from the Windows command prompt, as shown in the figure. The arp -a command lists all devices currently in the ARP cache of the host, which includes the IPv4 address, physical address, and the type of addressing (static/dynamic) for each device. The cache can be cleared by using the arp -d * command in the event the network administrator wants to repopulate the cache with updated information. Note: The ARP cache contains information only from devices that have been recently accessed. To ensure that the ARP cache is populated, ping a device so that it will have an entry in the ARP table.

Verify and Monitor Solution

Cisco IOS includes powerful tools to help with troubleshooting and verification. When a problem has been solved and a solution implemented, it is important to verify the system operation. Verification tools include the ping, traceroute, and show commands.
The ping command can be used to verify successful network connectivity. If a ping is successful, it is safe to conclude packets are being routed from source to destination. Note: A failed ping usually does not provide enough information to draw any conclusions. It could be the result of an ACL or firewall blocking ICMP packets, or the destination device may be configured to not respond to pings. A failed ping is usually an indication that further investigation is required.
The traceroute command is useful for displaying the path that packets are using to reach a destination. While output from the ping command shows whether a packet has arrived at the destination, output from the traceroute command shows what path it took to get there, or where the packet was stopped along the path.
The Cisco IOS show commands are some of the most useful troubleshooting and verification tools included in the Cisco IOS. Taking advantage of a large variety of options and sub-options, the show command can be used to narrow down and display information about practically any specific aspect of IOS. Consider the output of the show ip interface brief command shown in the figure. Notice that the two interfaces configured with IPv4 addresses are both "up" and "up". These interfaces can send and receive traffic. The other three interfaces have no IPv4 addressing and are administratively down.

information theft

Computer security risk that occurs when someone steals personal or confidential information.

The terminal monitor Command

Connections to grant access to the IOS command line interface can be established locally or remotely. Local connections require physical access to the router or switch; therefore, a cable connection is required. This connection is usually established by connecting a PC to the router or switch console port using a rollover cable. In this course, we refer to a local connection as a console connection. Remote connections are established over the network; therefore, they require a network protocol such as IP. No direct physical access is required for remote sessions. SSH and Telnet are two common connection protocols used for remote sessions. In this course, we name the protocol when discussing a specific remote connection, such as a Telnet connection or an SSH connection.
While IOS log messages are sent to the console by default, these same log messages are not sent to the virtual lines by default. Because debug messages are log messages, this behavior prevents any debug-related messages from being displayed on VTY lines. To display log messages on a terminal (virtual console), use the terminal monitor privileged EXEC command. To stop logging messages on a terminal, use the terminal no monitor privileged EXEC command.

Redundancy to a data center

-Data center - if one server fails, another is there to handle customer requests.
-Links - if the link to one switch fails, the link to the second switch is still available.
-Switches - redundant switches are present in case of a failing switch.
-Routers - redundancy can help ensure that application transactions received from external traffic can be handled in the event of a router or route failure.

packet sniffer

Denial of Service (DoS) attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources. To help prevent DoS attacks it is important to stay up to date with the latest security updates for operating systems and applications. For example, the ping of death is no longer a threat because updates to operating systems have fixed the vulnerability that it exploited.

Extended Traceroute

Designed as a variation of the traceroute command, the extended traceroute command allows the administrator to adjust parameters related to the command operation. This is helpful when troubleshooting routing loops, determining the exact next-hop router, or helping to determine where packets are getting dropped by a router or denied by a firewall. While the extended ping command can be used to determine the type of connectivity problem, the extended traceroute command is useful in locating the problem.
Similar to ping, the Windows implementation of traceroute (tracert) sends ICMP Echo Requests. Unlike ping, the first IPv4 packet has a TTL value of one. Routers decrement TTL values by one before forwarding the packet. If the TTL value is decremented to zero, the router will drop the packet and return an ICMP Time Exceeded message back to the source. Each time the source of the traceroute receives an ICMP Time Exceeded message, it displays the source IPv4 address of the ICMP Time Exceeded message, increments the TTL by one, and sends another ICMP Echo Request. As each new ICMP Echo Request is sent, it makes it one router further than the last Echo Request before receiving another ICMP Time Exceeded message. Traceroute uses the returned ICMP Time Exceeded messages to display a list of routers that the IPv4 packets traverse on their way to the final destination, the destination IPv4 address of the traceroute. When the packet reaches the final destination, the source returns an ICMP Echo Reply.
Cisco IOS uses a slightly different approach with traceroute, which does not use ICMP Echo Requests. Instead, IOS sends out a sequence of UDP datagrams, each with incrementing TTL values and destination port numbers. The port number is an invalid port number (Cisco uses a default of 33434), and is incremented along with the TTL. Similar to the Windows implementation, when a router decrements the TTL to zero, it will return an ICMP Time Exceeded message back to the source. This informs the source of the IPv4 address of each router along the path. When the packet reaches the final destination, because these datagrams tried to access an invalid port at the destination host, the host responds with an ICMP type 3, code 3 message that indicates the port was unreachable. This event signals to the source of the traceroute that the traceroute program has reached its destination.
Note: The user can interrupt the trace by invoking the escape sequence Ctrl+Shift+6. In Windows, the escape sequence is invoked by pressing Ctrl+C.
To use extended traceroute, simply type traceroute, without providing any parameters, and press ENTER. IOS will guide you through the command options by presenting a number of prompts related to the setting of all the different parameters. Figure 1 shows the IOS extended traceroute options and their respective descriptions. While the Windows tracert command allows the input of several parameters, it is not guided and must be performed through options on the command line. Figure 2 shows the available options for tracert in Windows.
Note: Traceroute in IPv6 has similar implementations. The only difference is that in IPv6 the TTL field was renamed to Hop Limit. ICMPv6 Time Exceeded messages are sent by the router when this field is decremented to zero.
Note: Unix/Linux operating systems use an approach similar to Cisco IOS.

Troubleshooting DNS Issues

Domain Name Service (DNS) defines an automated service that matches names, such as www.cisco.com, with the IP address. While DNS resolution is not crucial to device communication, it is very important to the end user. It is common for users to mistakenly relate the operation of an Internet link to the availability of the DNS service. User complaints such as "the network is down" or "the Internet is down" are often caused by an unreachable DNS server. While packet routing and all other network services are still operational, DNS failures often lead the user to the wrong conclusion. If a user types in a domain name such as www.cisco.com in a web browser and the DNS server is unreachable, the name will not be translated into an IP address and the website will not display.
DNS server addresses can be manually or automatically assigned. Network administrators are often responsible for manually assigning DNS server addresses on servers and other devices, while DHCP is used to automatically assign DNS server addresses to clients. Although it is common for companies and organizations to manage their own DNS servers, any reachable DNS server can be used to resolve names. Small office and home office (SOHO) users often rely on the DNS server maintained by their ISP for name resolution. ISP-maintained DNS servers are assigned to SOHO customers via DHCP. For example, Google maintains a public DNS server that can be used by anyone and it is very useful for testing. The IPv4 address of Google's public DNS server is 8.8.8.8, and 2001:4860:4860::8888 is its IPv6 DNS address.
Use the ipconfig /all command, as shown in Figure 1, to verify which DNS server is in use by the Windows computer. The nslookup command is another useful DNS troubleshooting tool for PCs. With nslookup a user can manually place DNS queries and analyze the DNS response. Figure 2 shows the output of nslookup when placing a query for www.cisco.com.

duplex mismatch

Duplex mismatches may be difficult to troubleshoot as the communication between devices still occurs. A duplex mismatch may not become apparent even when using tools such as ping. Single small packets may fail to reveal a duplex mismatch problem. A terminal session which sends data slowly (in very short bursts) could also communicate successfully through a duplex mismatch. Even when either end of the connection attempts to send any significant amount of data and the link performance drops considerably, the cause may not be readily apparent because the network is otherwise operational. CDP, the Cisco proprietary protocol, can easily detect a duplex mismatch between two Cisco devices. Consider the topology and log messages in Figure 1 where the G0/0 interface on R1 has been erroneously configured to operate in half-duplex mode. CDP will display log messages about the link with the duplex mismatch. The messages also contain the device names and ports involved in the duplex mismatch, which makes it much easier to identify and fix the problem. Note: Because these are log messages, they are only displayed on a console session by default. You would only see these messages on a remote connection if the terminal

Small Network Growth

Growth is a natural process for many small businesses, and their networks must grow accordingly. Ideally, the network administrator has enough lead time to make intelligent decisions about growing the network in line with the growth of the company. To scale a network, several elements are required:
-Network documentation - physical and logical topology
-Device inventory - list of devices that use or comprise the network
-Budget - itemized IT budget, including fiscal year equipment purchasing budget
-Traffic analysis - protocols, applications, and services and their respective traffic requirements should be documented
These elements are used to inform the decision-making that accompanies the scaling of a small network.

IP Addressing Issues on IOS Devices

IP address-related problems will likely keep remote network devices from communicating. Because IP addresses are hierarchical, any IP address assigned to a network device must conform to that network's range of addresses. Wrongly assigned IP addresses create a variety of issues, including IP address conflicts and routing problems. Two common causes of incorrect IPv4 assignment are manual assignment mistakes and DHCP-related issues. Network administrators often have to manually assign IP addresses to devices such as servers and routers. If a mistake is made during the assignment, then communication issues with the device are very likely to occur. On an IOS device, use the show ip interface or show ip interface brief commands to verify what IPv4 addresses are assigned to the network interfaces. The figure displays the output of the show ip interface command issued on R1. Notice that the output displays IPv4 information (OSI Layer 3), while the previously mentioned show interfaces command displays the physical and data link details of an interface.

IP Addressing Issues on End Devices

In Windows-based machines, when the device cannot contact a DHCP server, Windows will automatically assign an address belonging to the 169.254.0.0/16 range. This process is designed to facilitate communication within the local network. Think of it as Windows saying "I will use this address from the 169.254.0.0/16 range because I could not get any other address". More often than not, a computer with a 169.254.0.0/16 address will not be able to communicate with other devices in the network because those devices will most likely not belong to the 169.254.0.0/16 network. This situation indicates an automatic IPv4 address assignment problem that should be fixed. Note: Other operating systems, such as Linux and OS X, will not assign an IPv4 address to the network interface if communication with a DHCP server fails. Most end devices are configured to rely on a DHCP server for automatic IPv4 address assignment. If the device is unable to communicate with the DHCP server, then the server cannot assign an IPv4 address for the specific network and the device will not be able to communicate. To verify the IP addresses assigned to a Windows-based computer, use the ipconfig command.

Employee Network Utilization

In addition to understanding changing traffic trends, a network administrator must also be aware of how network use is changing. As shown in the figure, a small network administrator has the ability to obtain in-person IT "snapshots" of employee application utilization for a significant portion of the employee workforce over time. These snapshots typically include information such as:
-OS and OS version
-Non-network applications
-Network applications
-CPU utilization
-Drive utilization
-RAM utilization
Documenting snapshots for employees in a small network over a period of time will go a long way toward informing the network administrator of evolving protocol requirements and associated traffic flows. A shift in resource utilization may require the network administrator to adjust network resource allocations accordingly.

Duplex Operation

In data communications, duplex refers to the direction of data transmission between two devices. If the communications are restricted to the exchange of data in one direction at a time, this connection is called half-duplex. Full-duplex allows the sending and receiving of data to happen simultaneously. For best communication performance, two connected Ethernet network interfaces must operate in the same duplex mode to avoid inefficiency and latency on the link. Ethernet autonegotiation was designed to facilitate configuration, minimize problems, and maximize link performance. The connected devices first announce their supported capabilities and then choose the highest performance mode supported by both ends. For example, the switch and router in the figure successfully autonegotiated full-duplex mode. If one of the two connected devices is operating in full-duplex and the other is operating in half-duplex, a duplex mismatch occurs. While data communication will occur through a link with a duplex mismatch, link performance will be very poor. A duplex mismatch may be caused by incorrect manual configuration, which is manually setting the two connected devices to different duplex modes. A duplex mismatch can also occur by connecting a device performing autonegotiation to another that is manually set to full-duplex. Although rare, a duplex mismatch can also occur due to failed autonegotiation.

"show ip interface brief" command

In the same way that commands and utilities are used to verify a host configuration, commands can be used to verify the interfaces of intermediate devices. The Cisco IOS provides commands to verify the operation of router and switch interfaces.
Verifying Router Interfaces
One of the most frequently used commands is the show ip interface brief command. This command provides a more abbreviated output than the show ip interface command. It provides a summary of the key information for all the network interfaces on a router. Figure 1 shows the topology that is being used in this example. On Figure 2, click the R1 button. The show ip interface brief output displays all interfaces on the router, the IP address assigned to each interface, if any, and the operational status of the interface.
Verifying the Switch Interfaces
On Figure 2, click the S1 button. The show ip interface brief command can also be used to verify the status of the switch interfaces. The VLAN1 interface is assigned an IPv4 address of 192.168.254.250, has been enabled, and is operational. The output also shows that the FastEthernet0/1 interface is down. This indicates that either no device is connected to the interface or the device that is connected has a network interface that is not operational. In contrast, the output shows that the FastEthernet0/2 and FastEthernet0/3 interfaces are operational. This is indicated by both the Status and Protocol being shown as up.

Voice and Video Applications

Infrastructure
To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic. The network designer must determine whether the existing switches and cabling can support the traffic that will be added to the network.
VoIP
VoIP devices convert analog signals into digital IP packets. The device could be an analog telephone adapter (ATA) that is attached between a traditional analog phone and the Ethernet switch. After the signals are converted into IP packets, the router sends those packets between corresponding locations. VoIP is much less expensive than an integrated IP telephony solution, but the quality of communications does not meet the same standards. Voice and video over IP solutions for small businesses can be realized, for example, with Skype and non-enterprise versions of Cisco WebEx.
IP Telephony
In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling. There are now many vendors with dedicated IP telephony solutions for small networks.
Real-time Applications
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement. RTP and RTCP enable control and scalability of the network resources by allowing Quality of Service (QoS) mechanisms to be incorporated. These QoS mechanisms provide valuable tools for minimizing latency issues for real-time streaming applications.

Backup, Upgrade, Update, and Patch

Keeping up-to-date with the latest developments can lead to a more effective defense against network attacks. As new malware is released, enterprises need to keep current with the latest versions of antivirus software. The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems. Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on client systems) that is deployed on new or upgraded systems. However, security requirements change and already deployed systems may need to have updated security patches installed. One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time, as shown in the figure. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

ipconfig command

A Microsoft Windows command that can be used to display IP address configuration parameters on a PC. In addition, if DHCP is used by the PC, the ipconfig command can be used to release and renew a DHCP lease, which is often useful during troubleshooting. The IP address of the default gateway of a host can be viewed by issuing the ipconfig command at the command line of a Windows computer. Use the ipconfig /all command to view the MAC address, as well as a number of details regarding the Layer 3 addressing of the device. The DNS Client service on Windows PCs also optimizes the performance of DNS name resolution by storing previously resolved names in memory. The ipconfig /displaydns command displays all of the cached DNS entries on a Windows computer system.

Redundancy in small networks

• Mitigates single points of failure
• Improves reliability
Another important part of network design is reliability. Even small businesses often rely heavily on their network for business operation. A failure of the network can be very costly. In order to maintain a high degree of reliability, redundancy is required in the network design. Redundancy helps to eliminate single points of failure. There are many ways to accomplish redundancy in a network. Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas, as shown in the figure. Small networks typically provide a single exit point toward the Internet via one or more default gateways. If the router fails, the entire network loses connectivity to the Internet. For this reason, it may be advisable for a small business to pay for a second service provider as backup.

Common Protocols

Most of a technician's work, in either a small or a large network, will in some way be involved with network protocols. Network protocols support the applications and services used by employees in a small network. Common network protocols are shown in the figure. These network protocols comprise the fundamental toolset of a network professional. Each of these network protocols defines:
• Processes on either end of a communication session
• Types of messages
• Syntax of the messages
• Meaning of informational fields
• How messages are sent and the expected response
• Interaction with the next lower layer
Many companies have established a policy of using secure versions of these protocols whenever possible. These protocols are HTTPS, SFTP, and SSH.

Common Applications

Network Applications
Applications are the software programs used to communicate over the network. Some end-user applications are network-aware, meaning that they implement application layer protocols and are able to communicate directly with the lower layers of the protocol stack. Email clients and web browsers are examples of this type of application.
Application Layer Services
Other programs may need the assistance of application layer services to use network resources like file transfer or network print spooling. Though transparent to an employee, these services are the programs that interface with the network and prepare the data for transfer. Different types of data, whether text, graphics or video, require different network services to ensure that they are properly prepared for processing by the functions occurring at the lower layers of the OSI model. Each application or network service uses protocols, which define the standards and data formats to be used. Without protocols, the data network would not have a common way to format and direct data. In order to understand the function of various network services, it is necessary to become familiar with the underlying protocols that govern their operation.

Basic Troubleshooting Approaches

Network problems can be simple or complex, and can result from a combination of hardware, software, and connectivity issues. Technicians must be able to analyze the problem and determine the cause of the error before they can resolve the network issue. This process is called troubleshooting. A common and efficient troubleshooting methodology is based on the scientific method and can be broken into the six main steps shown in the figure. To assess the problem, determine how many devices on the network are experiencing the problem. If there is a problem with one device on the network, start the troubleshooting process at that device. If there is a problem with all devices on the network, start the troubleshooting process at the device where all other devices are connected. You should develop a logical and consistent method for diagnosing network problems by eliminating one problem at a time.

The debug Command

OS processes, protocols, mechanisms, and events generate messages to communicate their status. These messages can provide valuable information when troubleshooting or verifying system operations. The IOS debug command allows the administrator to display these messages in real time for analysis. It is a very important tool for monitoring events on a Cisco IOS device. All debug commands are entered in privileged EXEC mode. The Cisco IOS allows for narrowing the output of debug to include only the relevant feature or sub-feature. This is important because debugging output is assigned high priority in the CPU process and it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems.
To monitor the status of ICMP messages in a Cisco router, use debug ip icmp, as shown in the figure. To list a brief description of all the debugging command options, use the debug ? command in privileged EXEC mode at the command line.
To turn off a specific debugging feature, add the no keyword in front of the debug command:
Router# no debug ip icmp
Alternatively, you can enter the undebug form of the command in privileged EXEC mode:
Router# undebug ip icmp
To turn off all active debug commands at once, use the undebug all command:
Router# undebug all
Some debug commands, such as debug all and debug ip packet, generate a substantial amount of output and use a large portion of system resources. The router would get so busy displaying debug messages that it would not have enough processing power to perform its network functions, or even listen to commands to turn off debugging. For this reason, using these command options is not recommended and should be avoided.

Disruption of service

Preventing legitimate users from accessing services to which they should be entitled

The terminal monitor Command

R1# debug ip icmp
R1# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
*Nov 13 12:56:08.147: ICMP: echo reply rcvd, src 10.0.0.10, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
*Nov 13 12:56:08.151: ICMP: echo reply rcvd, src 10.0.0.10, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
*Nov 13 12:56:08.151: ICMP: echo reply rcvd, src 10.0.0.10, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
*Nov 13 12:56:08.151: ICMP: echo reply rcvd, src 10.0.0.10, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
*Nov 13 12:56:08.151: ICMP: echo reply rcvd, src 10.0.0.10, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
R1#
R1# undebug all
All possible debugging has been turned off
R1#

DNS server

Service that provides the IP address of a website or domain name so a host can connect.

Enable SSH

Telnet is not secure. Data contained within a Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to enable SSH on devices for secure remote access. It is possible to configure a Cisco device to support SSH using four steps, as shown in the figure.
Step 1. Ensure that the router has a unique hostname, and then configure the IP domain name of the network using the ip domain-name command in global configuration mode.
Step 2. One-way secret keys must be generated for a router to encrypt SSH traffic. To generate the SSH key, use the crypto key generate rsa general-keys command in global configuration mode. The specific meaning of the various parts of this command is complex and out of scope for this course. Just note that the modulus determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the key, but the longer it takes to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.
Step 3. Create a local database username entry using the username global configuration command.
Step 4. Enable inbound SSH sessions using the line vty commands login local and transport input ssh.
The router can now be remotely accessed only by using SSH.

The Extended ping Command

The Cisco IOS offers an "extended" mode of the ping command. This mode is entered by typing ping in privileged EXEC mode, without a destination IP address. As shown in the figure, a series of prompts are then presented. Pressing Enter accepts the indicated default values. The example illustrates how to force the source address for a ping to be 10.1.1.1 (see R2 in the figure); the source address for a standard ping would be 209.165.200.226. By doing this, the network administrator can verify from R2 that R1 has a route to 10.1.1.0/24. Note: The ping ipv6 command is used for IPv6 extended pings.

Default Gateway Issues

The default gateway for an end device is the closest networking device that can forward traffic to other networks. If a device has an incorrect or nonexistent default gateway address, it will not be able to communicate with devices in remote networks. Because the default gateway is the path to remote networks, its address must belong to the same network as the end device. The address of the default gateway can be manually set or obtained from a DHCP server. Similar to IPv4 addressing issues, default gateway problems can be related to misconfiguration (in the case of manual assignment) or DHCP problems (if automatic assignment is in use). To solve misconfigured default gateway issues, ensure that the device has the correct default gateway configured. If the default address was manually set but is incorrect, simply replace it with the proper address. If the default gateway address was automatically set, ensure the device can properly communicate with the DHCP server. It is also important to verify that the proper IPv4 address and subnet mask were configured on the router's interface and that the interface is active. To verify the default gateway on Windows-based computers, use the ipconfig command, as shown in Figure 1. On a router, use the show ip route command to list the routing table and verify that the default gateway, known as a default route, has been set. This route is used when the destination address of the packet does not match any other routes in its routing table. Figure 2 shows that R2 is the default route for R1 and the output of the show ip route command shows that the default gateway has been set with a default route of 10.1.0.2.

Traffic Management

The network administrator should consider the various types of traffic and their treatment in the network design. The routers and switches in a small network should be configured to support real-time traffic, such as voice and video, in a distinct manner relative to other data traffic. In fact, a good network design will classify traffic carefully according to priority, as shown in the figure. In the end, the goal for a good network design, even for a small network, is to enhance the productivity of the employees and minimize network downtime.

The show cdp neighbors Command

There are several other IOS commands that are useful. For example, the Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol that runs at the data link layer. Because CDP operates at the data link layer, two or more Cisco network devices, such as routers that support different network layer protocols, can learn about each other even if Layer 3 connectivity does not exist. Compare the output from the show cdp neighbors command in Figure 1 with the topology in Figure 2. Notice that R3 has gathered some detailed information about R2 and the switch connected to the Fast Ethernet interface on R3.
When a Cisco device boots, CDP starts by default. CDP automatically discovers neighboring Cisco devices running CDP, regardless of which Layer 3 protocol or suites are running. CDP exchanges hardware and software device information with its directly connected CDP neighbors. CDP provides the following information about each CDP neighbor device:
• Device identifiers - For example, the configured host name of a switch
• Address list - Up to one network layer address for each protocol supported
• Port identifier - The name of the local and remote port in the form of an ASCII character string, such as FastEthernet 0/0
• Capabilities list - For example, whether this device is a router or a switch
• Platform - The hardware platform of the device; for example, a Cisco 1841 series router
The show cdp neighbors detail command reveals the IP address of a neighboring device. CDP will reveal the neighbor's IP address regardless of whether or not you can ping that neighbor. This command is very helpful when two Cisco routers cannot route across their shared data link. The show cdp neighbors detail command will help determine if one of the CDP neighbors has an IP configuration error.
As helpful as CDP is, it can also be a security risk because it can provide useful network infrastructure information to attackers. For example, by default many IOS versions send CDP advertisements out all enabled ports. However, best practices suggest that CDP should be enabled only on interfaces that are connecting to other Cisco infrastructure devices. CDP advertisements should be disabled on user-facing ports. Because some IOS versions send out CDP advertisements by default, it is important to know how to disable CDP. To disable CDP globally, use the global configuration command no cdp run. To disable CDP on an interface, use the interface command no cdp enable.

Passwords

To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
• Use a password length of at least 8 characters, preferably 10 or more characters. A longer password is a better password.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
• Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information (such as birthdates, ID numbers, or ancestor names), or other easily identifiable pieces of information.
• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
• Do not write passwords down and leave them in obvious places such as on the desk or monitor.

Interpreting Ping Results

Using the ping command is an effective way to test connectivity. The ping command uses the Internet Control Message Protocol (ICMP) and verifies Layer 3 connectivity. The ping command will not always pinpoint the nature of a problem, but it can help to identify the source of the problem, an important first step in troubleshooting a network failure.
IOS Ping Indicators
A ping issued from the IOS will yield one of several indications for each ICMP echo request that was sent. The most common indicators are:
• ! - indicates receipt of an ICMP echo reply message, as shown in Figure 1
• . - indicates that the timer expired while waiting for an ICMP echo reply message
• U - an ICMP unreachable message was received
The "." (period) may indicate that a connectivity problem occurred somewhere along the path. It may also indicate that a router along the path did not have a route to the destination and did not send an ICMP destination unreachable message. It also may indicate that the ping was blocked by device security. When sending a ping on an Ethernet LAN, it is common for the first echo request to time out if the ARP process is required.
The "U" indicates that a router along the path responded with an ICMP unreachable message. The router either did not have a route to the destination address, or the ping request was blocked.
Testing the Loopback
The ping command can also be used to verify the internal IP configuration on the local host by pinging the loopback address, 127.0.0.1, as shown in Figure 2. This verifies the proper operation of the protocol stack from the network layer to the physical layer, and back, without actually putting a signal on the media.

Types of Vulnerabilities

Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers. There are three primary vulnerabilities or weaknesses:
• Technological
• Configuration
• Security policy
All three of these vulnerabilities or weaknesses can lead to various attacks, including malicious code attacks and network attacks.

Device Security Overview

When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist securing the system, as shown in the figure. In addition, there are some simple steps that should be taken that apply to most operating systems:
• Default usernames and passwords should be changed immediately.
• Access to system resources should be restricted to only the individuals that are authorized to use those resources.
• Any unnecessary services and applications should be turned off and uninstalled when possible.
Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important to update any software and install any security patches prior to implementation.

IP Addressing for a Small Network

When implementing a small network, it is necessary to plan the IP addressing space. All hosts within an internetwork must have a unique address. The IP addressing scheme should be planned, documented, and maintained based on the type of device receiving the address. Examples of different types of devices that will factor into the IP design are:
• End devices for users
• Servers and peripherals
• Hosts that are accessible from the Internet
• Intermediary devices
Planning and documenting the IP addressing scheme helps the administrator track device types. For example, if all servers are assigned a host address in the range of 50-100, it is easy to identify server traffic by IP address. This can be very useful when troubleshooting network traffic issues using a protocol analyzer. Additionally, administrators are better able to control access to resources on the network based on IP address when a deterministic IP addressing scheme is used. This can be especially important for hosts that provide resources to the internal network as well as to the external network. Web servers or e-commerce servers play such a role. If the addresses for these resources are not planned and documented, the security and accessibility of the devices are not easily controlled. If a server has a random address assigned, blocking access to this address is difficult, and clients may not be able to locate this resource. Each of these different device types should be allocated to a logical block of addresses within the address range of the network.

protocol analysis

When trying to determine how to manage network traffic, especially as the network grows, it is important to understand the type of traffic that is crossing the network as well as the current traffic flow. If the types of traffic are unknown, a protocol analyzer will help identify the traffic and its source. To determine traffic flow patterns, it is important to:
• Capture traffic during peak utilization times to get a good representation of the different traffic types.
• Perform the capture on different network segments; some traffic will be local to a particular segment.
Information gathered by the protocol analyzer is evaluated based on the source and destination of the traffic, as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently. This can be done by reducing unnecessary traffic flows or changing flow patterns altogether by moving a server, for example. Sometimes, simply relocating a server or service to another network segment improves network performance and accommodates the growing traffic needs. At other times, optimizing the network performance requires major network redesign and intervention.

Firewalls

A firewall is one of the most effective security tools available for protecting users from external threats. Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. Host-based firewalls or personal firewalls are installed on end systems. Firewall products use various techniques for determining what is permitted or denied access to a network. These techniques are:
• Packet filtering - Prevents or allows access based on IP or MAC addresses
• Application filtering - Prevents or allows access by specific application types based on port numbers
• URL filtering - Prevents or allows access to websites based on specific URLs or keywords
• Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS).
Firewall products may support one or more of these filtering capabilities. Firewall products come packaged in various forms.

Small Network Topologies

The majority of businesses are small. It is not surprising then that the majority of networks are also small. A typical small-business network is shown in the figure. With small networks, the design of the network is usually simple. The number and type of devices included are significantly reduced compared to that of a larger network. The network topologies typically involve a single router and one or more switches. Small networks may also have wireless access points (possibly built into the router) and IP phones. As for connection to the Internet, normally a small network has a single WAN connection provided by DSL, cable, or an Ethernet connection. Managing a small network requires many of the same skills as those required for managing a larger one. The majority of work is focused on maintenance and troubleshooting of existing equipment, as well as securing devices and information on the network. The management of a small network is either done by an employee of the company or a person contracted by the company, depending on the size and type of the business.

Trojan Horse Virus

Hides inside other software, usually as an attachment or a downloadable file. A type of malware disguised as legitimate software.

Reconnaissance Attacks

In addition to malicious code attacks, it is also possible for networks to fall prey to various network attacks. Network attacks can be classified into three major categories:
• Reconnaissance attacks - the discovery and mapping of systems, services, or vulnerabilities
• Access attacks - the unauthorized manipulation of data, system access, or user privileges
• Denial of service - the disabling or corruption of networks, systems, or services
For reconnaissance attacks, external attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, an attacker may use a ping sweep tool, such as fping or gping, which systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.

Device Selection for a Small Network

In order to meet user requirements, even small networks require planning and design. Planning ensures that all requirements, cost factors, and deployment options are given due consideration. When implementing a small network, one of the first design considerations is the type of intermediate devices to use to support the network. When selecting the type of intermediate devices, there are a number of factors that need to be considered, as shown in the figure.
Cost
The cost of a switch or router is determined by its capacity and features. The device capacity includes the number and types of ports available and the backplane speed. Other factors that impact the cost are network management capabilities, embedded security technologies, and optional advanced switching technologies. The expense of cable runs required to connect every device on the network must also be considered. Another key element affecting cost considerations is the amount of redundancy to incorporate into the network.
Speed and Types of Ports/Interfaces
Choosing the number and type of ports on a router or switch is a critical decision. Newer computers have built-in 1 Gb/s NICs. 10 Gb/s ports are already included with some workstations and servers. While it is more expensive, choosing Layer 2 devices that can accommodate increased speeds allows the network to evolve without replacing central devices.
Expandability
Networking devices come in both fixed and modular physical configurations. Fixed configurations have a specific number and type of ports or interfaces. Modular devices have expansion slots that provide the flexibility to add new modules as requirements evolve. Switches are available with additional ports for high-speed uplinks. Routers can be used to connect different types of networks. Care must be taken to select the appropriate modules and interfaces for the specific media.
Operating System Features and Services
Depending on the version of the operating system, a network device can support certain features and services, such as:
• Security
• Quality of Service (QoS)
• Voice over IP (VoIP)
• Layer 3 switching
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)

SSH server

Service that allows administrators to log in to a host from a remote location and control the host as though they were logged in locally.

DHCP server

Service that assigns an IP address, subnet mask, default gateway, and other information to clients.

show ip interface brief

• show startup-config - Displays the backup configuration file.
• show version - Lists the version of IOS currently running in the router, plus a variety of other facts about the currently installed hardware and software in the router.
• show ip route - Displays the contents of the IPv4 routing table stored in RAM.
• show ip protocols - Lists information about the RIP configuration, plus the IP addresses of neighboring RIP routers from which the local router has learned routes.
• show arp - Displays the entries in the ARP table.
• show ip interface brief - Lists a single line of information about each interface, including the IP address, line and protocol status, and the method with which the address was configured (manual or DHCP).

email server

Uses Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and Internet Message Access Protocol (IMAP). Used to send email between clients and servers over the Internet. Recipients are specified using an email address, for example [email protected].

Types of Malware

Virus, worm, Trojan horse, rootkit, spyware, adware.
Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or inflict "bad" or illegitimate action on data, hosts, or networks. Viruses, worms, and Trojan horses are types of malware.
Viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.
Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. A worm does not need to attach to a program to infect a host; it can enter a computer through a vulnerability in the system. Worms take advantage of system features to travel through the network unaided.
Trojan Horses
A Trojan horse is another type of malware, named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojan horses do not reproduce by infecting other files, nor do they self-replicate. Trojan horses must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
