Configure DHCP

Configuring DHCP Server
A Cisco router running IOS can be configured as a DHCP server. The steps to configure a Cisco router as a DHCP server are:
  • Step 1. Define a range of addresses that should not be used for address allocation. These could be static IP addresses assigned to servers or printers, the switch management IP address and the gateway/router address. The command to specify the excluded addresses is
ip dhcp excluded-address low-address [high-address]

low-address: the (lowest) address of the reserved range that should not be used for DHCP address allocation.
high-address: optional; if you want to specify a range of reserved addresses, this is the highest address of the range.

A best practice is to configure these reserved addresses first, at the global configuration level, so that DHCP does not accidentally assign them.

  • Step 2. Create a DHCP pool using the command
ip dhcp pool pool-name

pool-name: the name of the pool to be created.

After entering the command, you'll be at the DHCP configuration level. At this configuration level you can configure the specifics of the pool.

  • Step 3. Configure the specifics of the pool. Here you need to configure the network address the pool is assigned to, and the gateway address of the network. To define the network of the pool use the command
network network-number {mask | /prefix-length}

network-number: the network address
mask: subnet mask of the network

To define a default gateway for the network enter the following command
default-router address {address2 .. address8}

Typically the gateway address is the address of the router's LAN interface connected to the network. At least one address is required, but you can list up to eight addresses.
There are some optional configurations for the DHCP pool. Some of those optional commands are
  • define DNS servers
dns-server address {address2 .. address8}
  • define the domain name
domain-name domain
  • define the duration of the lease
lease {days [hours] [minutes] | infinite}
  • define the NetBIOS WINS server
netbios-name-server address {address2 .. address8}

here is an example to configure DHCP for network with - and addresses should not be used in DHCP address allocation. here we create a DHCP pool named "pool1"

ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool pool1

To verify the DHCP configuration you can use the command "show ip dhcp binding" in privileged EXEC mode. It shows the current bindings of addresses in the pool to clients. Use the command "show ip dhcp server statistics" to see DHCP statistics and the messages received/sent by the server. To see information about the pools that have been created use the command "show ip dhcp pool".

Administrators can also specify which MAC addresses to service and assign them the same address every time they boot.

DHCP services can be disabled with the command "no service dhcp". Re-enable them with the command "service dhcp".

You can also configure a router to be a DHCP server using SDM. Click the Configure tab, and in the task list click the DHCP folder > DHCP Pool, then click the Add button. A dialog box will appear with text fields that you can fill in to specify the pool parameters, such as the pool's name, pool network, starting and ending address of the pool, lease time, etc. When you've finished specifying the parameters, click the OK button. SDM automatically excludes the IP address used by the interface connected to the LAN of the pool.

Configure DHCP Client
Sometimes, a Cisco router on a SOHO network needs to get its IP address assigned automatically by the ISP. This can be done by using the command "ip address dhcp" on the interface that should get its address from a DHCP server.
Example: a Cisco router is connected to an ISP through the interface Serial0/0/0. The ISP will automatically assign this interface an address, so this interface's address should not be configured manually. The commands are
interface serial0/0/0
ip address dhcp
no shutdown

DHCP Relay
In most enterprise environments, servers are located in a separate network (the server farm), including the DHCP server. A problem arises when a client needs an address from a DHCP server on a separate network: the DHCPDISCOVER message is a broadcast message and a router won't forward it to any other network. (This problem is not specific to DHCP; some other services use broadcasts too. Cisco routers and other devices use broadcasts to locate a TFTP server or an authentication server, e.g. a TACACS server.)
The problem can be solved by configuring the intervening routers and switches to act as DHCP relay agents with the Cisco IOS helper address feature. This enables routers to forward DHCP messages to the DHCP servers. To configure a router as a relay agent, use the following command on the interface receiving the broadcast (the one nearest/directly connected to the client)
ip helper-address forward-address

forward-address: the IP address to which broadcasts will be forwarded.

Using that command, broadcasts received on the interface will be forwarded to the specified address as unicasts.

Example: host1 on subnet needs to renew its address from a DHCP server on subnet . Both devices are separated by a router. host1 (subnet ) is connected to the router by the FastEthernet0/0 interface. The DHCP server address is . Assume that you're at the global configuration level of the router. Enter the following commands at the router.
interface FastEthernet0/0
ip helper-address

By default, ip helper-address forwards the following eight UDP services:
  • Port 37: time
  • Port 49: TACACS
  • Port 53: DNS
  • Port 67: DHCP/BOOTP client
  • Port 68: DHCP/BOOTP server
  • Port 69: TFTP
  • Port 137: NetBIOS name service
  • Port 138: NetBIOS datagram service

To add additional services to be forwarded use the command "ip forward-protocol".

Routers, servers and other devices whose location is usually not moved or changed physically/logically may be given static IP addresses. However, client workstations in an organization are likely to be moved physically/logically. This can be a burden for network administrators, who have to give those workstations a new IP address every time they are moved. DHCP services help network administrators with this task: with DHCP, IP addressing can be done automatically and transparently. Usually network administrators use a separate server for offering DHCP services. In a small organization or SOHO environment, a Cisco router can be used as a DHCP server; IOS has a feature set called Easy IP that offers a full-featured DHCP server.

DHCP servers assign not only an IP address to a client but also the subnet mask, a gateway address and DNS server addresses. DHCP works in a client/server environment.

The main task of a DHCP server is to provide IP addresses to clients. DHCP includes three different IP address allocation mechanisms:
  • Manual allocation. The administrator assigns a pre-allocated IP address to a corresponding workstation. DHCP will only allocate that address to the specified client.
  • Automatic allocation. DHCP automatically assigns an IP address selected from a pool to a device. There's no lease and the address is permanently assigned to the device.
  • Dynamic allocation. DHCP automatically assigns an IP address selected from a pool to a device. The given IP address is leased to the device for a period of time or until the client says it no longer needs the address. This ensures that hosts that move or no longer need an address don't hold on to it. When the lease time expires, the DHCP server returns the address to the pool for reallocation. Clients must contact the DHCP server periodically to extend the lease (when the lease time expires).
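As an added example (not from the original notes and not Cisco code), the following Python models a pool of the kind configured in the DHCP server steps above: a network with excluded-address ranges, a manual binding for one MAC address, and dynamic leases that expire back into the pool. The pool name, network, addresses, MACs and lease length are constructed sample values.

```python
"""Model of a DHCP pool: excluded addresses, manual bindings, dynamic leases.

Added example, not Cisco IOS code. It mirrors "ip dhcp excluded-address"
ranges that are never handed out, a manual binding that always maps one MAC
to one fixed address, and dynamic leases that return to the pool when they
expire. All names, addresses, MACs and times are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

THREE_DAYS = 3 * 24 * 3600   # the default lease time mentioned in the notes


@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    mac: str
    expires: Optional[float]   # None: permanent (manual) binding


class DhcpPool:
    def __init__(self, name, network, default_router, lease_seconds=THREE_DAYS):
        self.name = name
        self.network = ipaddress.ip_network(network)                # "network ..."
        self.default_router = ipaddress.ip_address(default_router)  # "default-router ..."
        self.lease_seconds = lease_seconds                          # "lease days ..."
        self.excluded = set()    # "ip dhcp excluded-address low [high]"
        self.manual = {}         # mac -> fixed address (manual allocation)
        self.bindings = {}       # ip -> Lease, what "show ip dhcp binding" lists
        self.excluded.add(self.default_router)  # never lease the gateway itself

    def exclude(self, low, high=None):
        """Mark a single address or an inclusive range as unavailable."""
        lo = int(ipaddress.ip_address(low))
        hi = int(ipaddress.ip_address(high or low))
        for n in range(lo, hi + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def bind_manual(self, mac, ip):
        """Reserve one address for one MAC; it is also excluded from dynamic use."""
        addr = ipaddress.ip_address(ip)
        self.manual[mac.lower()] = addr
        self.excluded.add(addr)

    def expire(self, now):
        """Return expired dynamic leases to the pool (manual bindings never expire)."""
        for ip, lease in list(self.bindings.items()):
            if lease.expires is not None and lease.expires <= now:
                del self.bindings[ip]

    def allocate(self, mac, now):
        """Hand out (or renew) an address for a client MAC at time `now`."""
        mac = mac.lower()
        self.expire(now)
        # renewal: the client still holds a binding, so extend it instead
        for lease in self.bindings.values():
            if lease.mac == mac:
                if lease.expires is not None:
                    lease.expires = now + self.lease_seconds
                return lease
        # manual allocation takes precedence over the dynamic range
        if mac in self.manual:
            lease = Lease(self.manual[mac], mac, None)
            self.bindings[lease.ip] = lease
            return lease
        # dynamic allocation: first free, non-excluded host address
        for host in self.network.hosts():
            if host in self.excluded or host in self.bindings:
                continue
            lease = Lease(host, mac, now + self.lease_seconds)
            self.bindings[host] = lease
            return lease
        return None   # pool exhausted

    def show_binding(self):
        """Rows like "show ip dhcp binding": (ip, mac, expiry or None)."""
        rows = sorted(self.bindings.values(), key=lambda l: l.ip)
        return [(str(l.ip), l.mac, l.expires) for l in rows]


def demo():
    """Walk the pool through manual, dynamic, renewed and expired leases."""
    pool = DhcpPool("pool1", "192.168.10.0/24", "192.168.10.1")
    pool.exclude("192.168.10.1", "192.168.10.10")     # servers, printers, gateway
    pool.bind_manual("00:11:22:33:44:55", "192.168.10.50")
    first = pool.allocate("aa:bb:cc:dd:ee:01", now=0)        # dynamic -> .11
    fixed = pool.allocate("00:11:22:33:44:55", now=0)        # manual  -> .50
    second = pool.allocate("aa:bb:cc:dd:ee:02", now=0)       # dynamic -> .12
    renewed = pool.allocate("aa:bb:cc:dd:ee:01", now=1000)   # renewal of .11
    # after the lease of .12 expires the address is reused for a new client
    late = pool.allocate("aa:bb:cc:dd:ee:03", now=THREE_DAYS + 1)
    return first, fixed, second, renewed, late, pool.show_binding()
```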

DHCP Operations
  • Discover. When a client boots or wants to join a network, it sends a DHCPDISCOVER message to find a DHCP server in the network. Because the client doesn't have a valid address, it uses an L2 or L3 broadcast address to communicate with the server.
  • Offer. When the DHCP server receives the DHCPDISCOVER message, it finds an available IP address in the pool and offers it to the requesting client. The offer is sent as a DHCPOFFER message to the client as a unicast packet (under some circumstances the packet is broadcast rather than unicast), using the L2 MAC address of the server as the source and the L2 MAC address of the requesting client as the destination.
  • Request. After the client receives the DHCPOFFER, it sends back a DHCPREQUEST message. This message has two purposes: it is used for lease origination, and for lease renewal and verification. When used for lease origination, the DHCPREQUEST requests that the IP information be verified after it has been assigned. This provides error checking so that the assignment is valid. DHCPREQUEST also serves as a binding acceptance notice to the selected server and an implicit decline to any other servers that may have provided the host a binding offer (many organizations use multiple DHCP servers).
  • Acknowledge. After receiving the DHCPREQUEST message, the DHCP server sends a DHCPACK message to the requesting client. The DHCPACK message is a duplicate of the DHCPREQUEST message with just a simple change in the message type field. When the client receives the DHCPACK message, it logs the configuration information and sends an ARP broadcast to the network for the leased IP; if there's no reply, the client knows that it's a valid IP address and starts using it. The time that the address is leased differs, as network administrators set it at the server; the default time is three days.

BOOTP (RFC 951) is a predecessor of DHCP and shares some operational characteristics (both BOOTP and DHCP are client/server based and use UDP ports 67 and 68). BOOTP is a way to download address and boot configurations for diskless workstations (for example, an automated cash register system at a supermarket). Three primary differences between DHCP and BOOTP are:
  • BOOTP is used for manual pre-configuration while DHCP is used for dynamic address allocation. When a client requests an address from a BOOTP server, the server searches for the client's MAC address; if it exists in the server database, the server gives the client the address and configuration bound to the client's MAC. This means that the binding must be configured/entered manually on the server.
  • DHCP uses a leasing system. A client is given a leased address for a period of time. When the time is over, the address can be allocated to any other client. BOOTP, on the other hand, has its clients' IP addresses reserved, and they cannot be allocated to any other client.
  • BOOTP only supports 4 configuration parameters. DHCP supports over 20 configuration parameters (domain name, WINS, ...).

For compatibility reasons, DHCP messages have the same format as BOOTP messages, except that DHCP messages have an additional field called DHCP options, which varies in length. The fields in a DHCP message are:
  • Operation Code (OP). 1 byte. Specifies the general type of the message: 1 indicates a request message, 2 a reply message.
  • Hardware Type. 1 byte. Indicates the type of hardware used in the network. For example, 1 is Ethernet, 15 is Frame Relay and 20 is a serial line. This is the same code used in ARP messages.
  • Hardware Address Length. 1 byte. Specifies the length of the hardware address.
  • Hops. 1 byte. Set to 0 by clients before transmitting a request, and used by relay agents to control the forwarding of DHCP messages.
  • Transaction Identifier. 4 bytes. Generated by a client to match its request with the replies from the server.
  • Seconds. 2 bytes. Number of seconds elapsed since the client began attempting to request or renew its address. DHCP servers use this to prioritize client requests.
  • Flags. 2 bytes. Only one bit is used, the broadcast bit. A client that doesn't know its address sends a request with the broadcast bit set to 1; the receiving server then sends the reply as a broadcast message.
  • Client IP Address. 4 bytes. Set by the client when it has a valid and usable address while in the bound state; otherwise it is set to 0 (the client cannot use this field during the process of acquiring an address).
  • Your IP Address. 4 bytes. The IP address the server offers to the client.
  • Server IP Address. 4 bytes. The address of the server. The server always includes its IP address in a field called the Server Identification DHCP Option; the client should set this address once it knows the address of the server.
  • Gateway IP Address. 4 bytes. Routes DHCP messages between different networks. This facilitates DHCP communication between different subnets or networks.
  • Client Hardware Address. 16 bytes. The physical layer address of the client.
  • Server Name. 64 bytes. A server sending a DHCPACK or DHCPOFFER message may include its name in this field. The name could be its nickname or its DNS domain name.
  • Boot Filename. 128 bytes. Optionally used by a client to request a particular type of boot file in a DHCPDISCOVER message; used by a server to fully specify a boot file directory and filename in a DHCPOFFER message.
  • Options. Variable length. Holds the option parameters used by DHCP. Both client and server may use this field.

If a client is configured to acquire its address automatically, it sends a DHCPDISCOVER when it boots or senses an active network connection. Because the client has no idea which subnet it belongs to, it sends the DHCPDISCOVER message as an IP broadcast (address ); the source IP address (the client address) is set to . The server notes the Gateway Address of the message sent from the client; if it's undefined then the server knows that the client is on the same subnet as the server. Clients send messages to the server on port 67; servers send messages to the client on port 68.
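The message format, the DISCOVER/OFFER exchange and the relay agent's role described above, as an added Python example (not from the original notes): it packs the fixed BOOTP-format fields in the order listed, parses them back, shows a relay agent stamping the Gateway IP Address and Hops before forwarding the broadcast as a unicast (what "ip helper-address" does), and builds the server's DHCPOFFER with Your IP Address filled in. The MAC address, transaction id and all IP addresses are constructed sample values.

```python
"""Build and parse DHCP messages using the fixed BOOTP-format fields.

Added example, not from the original notes. It constructs a DHCPDISCOVER the
way an address-less client does (op 1, ciaddr 0.0.0.0, broadcast flag set),
shows what a relay agent does before forwarding it as a unicast (fill giaddr
with its own interface address, count a hop) and builds the DHCPOFFER reply
(op 2, yiaddr = offered address, Server Identifier option). MAC, xid and all
addresses are constructed sample values.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
BOOTREQUEST, BOOTREPLY = 1, 2        # OP field values
DHCPDISCOVER, DHCPOFFER = 1, 2       # values of the message type option
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
BROADCAST_FLAG = 0x8000              # the only bit used in the Flags field

# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"     # 236 bytes in total
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
          "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")


def build(op, xid, mac, flags=0, hops=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Pack the fixed fields (htype 1 = Ethernet, hlen 6) plus the options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    head = struct.pack(FIXED, op, 1, 6, hops, xid, 0, flags,
                       socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                       socket.inet_aton(siaddr), socket.inet_aton(giaddr),
                       chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Unpack a DHCP message into a dict; options become {code: raw bytes}."""
    msg = dict(zip(FIELDS, struct.unpack(FIXED, pkt[:236])))
    for name in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        msg[name] = socket.inet_ntoa(msg[name])
    msg["chaddr"] = msg["chaddr"][:msg["hlen"]].hex(":")
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:          # pad option, single byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["options"] = opts
    return msg


def client_discover(xid, mac):
    """DHCPDISCOVER: no usable address yet, so ask the server to broadcast back."""
    return build(BOOTREQUEST, xid, mac, flags=BROADCAST_FLAG,
                 options=[(OPT_MESSAGE_TYPE, bytes([DHCPDISCOVER]))])


def relay(pkt, interface_ip):
    """What a relay agent does to a broadcast it forwards as a unicast: the
    first relay writes its receiving interface address into giaddr so the
    server can tell which subnet to offer from, and every relay adds a hop."""
    msg = parse(pkt)
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else interface_ip
    return build(msg["op"], msg["xid"], msg["chaddr"], flags=msg["flags"],
                 hops=msg["hops"] + 1, ciaddr=msg["ciaddr"], giaddr=giaddr,
                 options=list(msg["options"].items()))


def server_offer(discover_pkt, offered_ip, server_ip):
    """DHCPOFFER: same xid, chaddr, flags and giaddr as the request, op = reply."""
    msg = parse(discover_pkt)
    if msg["op"] != BOOTREQUEST or msg["options"].get(OPT_MESSAGE_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("expected a DHCPDISCOVER")
    return build(BOOTREPLY, msg["xid"], msg["chaddr"], flags=msg["flags"],
                 hops=msg["hops"], yiaddr=offered_ip, siaddr=server_ip,
                 giaddr=msg["giaddr"],
                 options=[(OPT_MESSAGE_TYPE, bytes([DHCPOFFER])),
                          (OPT_SERVER_ID, socket.inet_aton(server_ip))])
```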



Tunneling enables users to access private networks from public networks. Tunneling encapsulates an entire packet within another packet and sends the new composite packet over a network. There are three classes of tunneling protocol:
  • Carrier protocol. The protocol over which the information travels (Frame Relay, ATM, MPLS).
  • Encapsulating protocol. The protocol that wraps around the original data (GRE, L2F, L2TP).
  • Passenger protocol. The protocol in which the original data was sent (IPv4, AppleTalk, IPv6, IPX).

Tunneling works as follows: the original data is wrapped by the encapsulating protocol; then, as it leaves the VPN gateway ("tunnel interface"), the data is encapsulated by the carrier protocol, with the source and destination addresses set to the tunnel interfaces' addresses. When the data arrives at the VPN gateway at the other end, the original data is extracted and sent on to its destination.

For the message to be private, it must be encrypted. VPN encryption rules include an algorithm and a key. The message is encrypted using the combination of the algorithm and the key. The result is cipher text, which is very difficult if not impossible to decrypt without the correct key. There are two kinds of encryption algorithm: symmetric algorithms, which use the same key for the encryption and decryption process, and asymmetric algorithms, which use different keys for the encryption and decryption process. Some commonly used encryption algorithms are:
  • Data Encryption Standard (DES). A symmetric key encryption algorithm. Developed by IBM, it uses a 56-bit key, giving high-performance encryption.
  • Triple DES (3DES). Developed from DES; a symmetric key cryptosystem. It encrypts a message with one key, decrypts it with another key and finally encrypts it with a third, different key. This provides more strength than DES.
  • Advanced Encryption Standard (AES). Developed by the National Institute of Standards and Technology, replacing DES. It offers more strength than DES and is more efficient than 3DES. It offers three different key lengths: 128, 192 and 256-bit keys.
  • Rivest, Shamir, and Adleman (RSA). Named after its founders. This is an asymmetric cryptosystem. It uses a key bit length of 512, 768, 1024 or larger.

A hash is a string generated from a text. It is generated using algorithms designed so that no two different texts will produce the same hash value. The hash is smaller than the text. It can be used to guarantee that a message hasn't been modified: the sender generates a hash of the message and sends it along with the message to the receiver. The receiver then receives the message and generates a hash value from the message again. The result is then matched against the hash value sent by the sender. If both hashes are the same, the message hasn't been changed/modified.

A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. An HMAC has two parameters: a message input and a secret key known only to the sender and the receiver of the message. Two common HMAC algorithms are:
  • Message Digest 5 (MD5), uses a 128-bit shared key. The 128-bit key is combined with the message and produces a 128-bit hash. The hash is appended to the message and sent to the destination.
  • Secure Hash Algorithm 1 (SHA-1), uses a 160-bit shared key. The 160-bit key is combined with the message and produces a 160-bit hash. The hash is appended to the message and sent to the destination.
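The sender/receiver hash comparison from the two passages above, as an added Python example (not from the original notes): it shows why the plain hash alone does not protect a message that can be rewritten on the path (the hash can simply be recomputed) and how HMAC-MD5 and HMAC-SHA1 with a shared secret catch the change. The message, the shared key and the alteration are constructed sample values.

```python
"""Message integrity with a plain hash versus an HMAC.

Added example, not from the original notes. It runs the sender/receiver hash
comparison described above and shows its limit: whoever can rewrite the message
in transit can also recompute an unkeyed hash, so the receiver sees a match. An
HMAC (here HMAC-MD5 and HMAC-SHA1, the two named in the notes) folds a secret
shared only by the two peers into the digest, so the altered message fails the
check. Message, key and alteration are constructed sample values.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-vpn-peer-secret"   # known to both peers only (sample)


def hash_of(message, algo):
    """Unkeyed digest: anyone can compute it from the message alone."""
    return hashlib.new(algo, message).digest()


def hmac_of(message, key, algo):
    """Keyed digest: needs the shared secret as well as the message."""
    return hmac.new(key, message, algo).digest()


def verify_hash(message, digest, algo):
    return hash_of(message, algo) == digest


def verify_hmac(message, tag, key, algo):
    # compare_digest runs in constant time, so a wrong tag does not leak
    # how many leading bytes matched through the response time
    return hmac.compare_digest(hmac_of(message, key, algo), tag)


def alter_in_transit(message, recompute):
    """Model the path between the peers: the text is changed and the digest
    recomputed with whatever function is available there (no shared key)."""
    altered = message.replace(b"100", b"900")
    return altered, recompute(altered)


def demo_plain_hash(algo="sha1"):
    """Returns (genuine message verifies, altered message also verifies)."""
    msg = b"transfer 100 to the branch office"
    digest = hash_of(msg, algo)
    altered, forged = alter_in_transit(msg, lambda m: hash_of(m, algo))
    return verify_hash(msg, digest, algo), verify_hash(altered, forged, algo)


def demo_hmac(algo):
    """Returns (genuine verifies, altered verifies, tag length in bits)."""
    msg = b"transfer 100 to the branch office"
    tag = hmac_of(msg, SHARED_KEY, algo)
    # without SHARED_KEY the best that can be done is an unkeyed hash
    altered, forged = alter_in_transit(msg, lambda m: hash_of(m, algo))
    return (verify_hmac(msg, tag, SHARED_KEY, algo),
            verify_hmac(altered, forged, SHARED_KEY, algo),
            len(tag) * 8)
```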

Both ends of a VPN connection must be authenticated so that a secure connection and communication can be made. Two peer authentication methods in VPNs are:
  • Pre-Shared Key (PSK), a secret key shared between the two parties. A PSK is entered manually at each party and is used to authenticate the peer. It uses a symmetric key cryptosystem. The shared key is combined with other information to form the authentication key.
  • RSA signature, exchanging digital certificates to authenticate the peers. The local device (local end) derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is sent along with the message. The remote end decrypts the hash using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.

The Internet is a public network and it reaches almost everywhere in the world. The fact that the Internet is a worldwide network makes it an option for organizations and corporations to connect their teleworkers with the organization's private network. But the fact that it is a public network exposes it to security risks. With VPN technology, organizations can create a private network over the Internet and safely transfer their private data over the Internet from branches and remote teleworkers. Instead of using a dedicated layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed over the Internet.

The benefits of using a VPN are:
  • Cost saving. Unlike a leased line, which requires an expensive connection between sites, a VPN uses the public Internet, which is cheaper.
  • Security. A VPN encrypts and authenticates its data, protecting the data from unauthorized access.
  • Scalability. Anyone, anywhere within an ISP's area can connect to the VPN. Organizations, big or small, can add new users without adding significant infrastructure.

Types of VPN:
  • Site-to-site VPN. A site-to-site VPN is used to connect company intranets, or a company intranet with a business partner's extranet. For example it can connect a branch with the headquarters office. A site-to-site VPN uses a VPN gateway at each site to send and receive TCP/IP traffic. A VPN gateway in a site-to-site VPN could be a router, a PIX firewall appliance or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encrypting outgoing traffic and decrypting incoming traffic.
  • Remote access VPN. Remote access VPNs are used to connect mobile users and teleworkers, as well as extranet consumer-to-business connections. Since most teleworkers have access to the Internet, they can establish a remote VPN connection to the company. Each host typically has VPN client software, which encrypts/decrypts outgoing/incoming traffic. At the company site, a VPN gateway, which could be a PIX firewall, a router, an ASA or a VPN concentrator, does the encryption and decryption.

A VPN creates a virtually private network which must maintain confidentiality and security. It must protect data against sniffing, and provide sender authentication and message integrity.
Typically a VPN requires the following components:
  • a network with servers and workstations.
  • access to the Internet.
  • VPN gateway-capable devices, such as routers, firewalls, VPN concentrators and ASAs, at the endpoints, which establish and manage VPN connections.
  • appropriate software to create and manage VPN tunnels.

Most VPNs do both of the following:
  • Encapsulation. Also called tunneling, this enables data to be transferred between private networks over a shared public network.
  • Encryption. Encodes data into another format using a secret key. Decryption decodes the encrypted data back to its original format.

Key points of security in VPNs are:
  • Data confidentiality. Guarantees that data are not stolen as they travel across shared networks. VPNs achieve this using encapsulation and encryption.
  • Data integrity. Guarantees that the data received by the receiver are the same as the data sent by the sender, i.e. that data are not modified. VPNs usually use hashes to ensure data integrity. A hash is like a seal that guarantees that no one has read the content of the message.
  • Authentication. Guarantees that only authorized users may participate in the private network. Unauthorized users must not be given access to the private network. VPNs achieve this by using passwords, digital certificates or other authentication mechanisms.

IPsec is a protocol suite for securing communications in IP networks. There are two frameworks for IPsec:
  • Authentication Header (AH), provides authentication and integrity. Use this when confidentiality (encryption) is not needed or not permitted. This makes AH weaker, which is why AH is often used along with ESP.
  • Encapsulating Security Payload (ESP), provides authentication, integrity and confidentiality (encryption). Although encryption and authentication are optional, at a minimum one of them must be selected.

We can choose and implement standards for encryption, authentication and key exchange.
IPsec Framework Choices

  • IPsec Protocol: ESP, AH, ESP + AH
  • Encryption: DES, 3DES, AES
  • Authentication: MD5, SHA
  • DH: DH1, DH2, DH5

DH allows two parties to establish a shared secret key used by the encryption and hash algorithms.


Configuring SSH on a Router

How to enable SSH on a router
1. Set the router hostname
hostname R2

2. set a domain name
enter the following command at the global level to set the domain name to
ip domain-name

3. Generate asymmetric keys
To generate a key that the router uses to encrypt its SSH management traffic, enter the command "crypto key generate rsa". You'll be asked to enter the size of the key modulus, in the range 360 - 2048. As a best practice, Cisco recommends a minimum length of 1024; longer means more security. AFTER YOU GENERATE THE KEY, YOU WILL NOTICE THAT SSH HAS BEEN ENABLED.

4. Configure local authentication and vty
To simplify the example, we will use a local username (you can use a third-party authentication server such as TACACS+ or RADIUS). First you must create a local user. To create a username student with the encrypted password cisco, enter the command "username student secret cisco" at the global configuration level. Next enter the vty line configuration with "line vty 0 4", enable login against the local user database with "login local", and set the transport to SSH with "transport input ssh".

5. Configure SSH timeouts (optional)
This provides additional security. Enter both commands at the global configuration level
ip ssh time-out 15
ip ssh authentication-retries 2

To connect to the router using SSH you must connect to it with an SSH client (PuTTY, TeraTerm). You'll be prompted for a username and password; enter the username and password you've configured. In the above example you enter the locally created username (student with password cisco).

Routers' role in security
  • advertise networks and filter who can use them
  • provide access to network segments and subnetworks

Routers can be attacked for these purposes:
  • Compromising the access control can expose network configuration details, facilitating attacks against other network components.
  • Compromising the route tables can reduce performance, deny network communication services and expose sensitive data.
  • Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

Securing routers at the network perimeter is an important first step in securing a network.
Some concerns when securing a router:
  • physical security
  • update the router IOS whenever possible
  • back up the router configuration and IOS
  • harden the router to eliminate the potential abuse of unused ports and services

Some steps for securing a router
1. Manage router security
Use strong passwords. To avoid exposing passwords, use "enable secret" instead of "enable password". Secret means the password is encrypted using MD5 (type 5), while entering the global command "service password-encryption" encrypts passwords with a simple algorithm, which Cisco calls type 7. Cisco recommends type 5 over type 7.

2. Secure remote administrative access to routers
Remote access to routers is preferred when there are many routers and switches. Security should be controlled for VTY, TTY (asynchronous access through a modem) and AUX lines. Ensure that connections through those lines require a password.
You can PREVENT CONNECTION to any line by entering the commands "login" and "no password".
A VTY line can be configured to accept only connections that use a specified protocol, using the command "transport input". For example, to allow VTY connections using SSH only, enter the command "transport input ssh".
A Cisco IOS device has a limited number of VTY lines, usually 5, which makes them a DoS target. To avoid this, you can configure one of the VTY lines to accept connections only from a single, specific administrative workstation. This is achieved by using an ACL and the "ip access-class" command at the line configuration level. Another way is to set VTY timeouts using the "exec-timeout" command, which closes idle connections once the configured time has passed.
Another concern is to encrypt the traffic of remote connections. To achieve this use SSH instead of telnet. Not all Cisco images support SSH. Cisco routers can act as an SSH client and server; by default both modes are enabled when SSH is enabled.

3. Log router activity
Logging gives you records of what has happened on a router. A log can be saved to the router's memory or to a log host. A log host is preferable because it provides a central place for logging. Logging can be at one of eight levels, with level 7 meaning the system is unstable and including all router information. Logs should be reviewed regularly; this gives you a sense of your usual network activity. You may also want to use NTP to get the time of the events, which makes troubleshooting easier.

4. Secure vulnerable router services and interfaces
Cisco routers support a number of network services. Some of these services are of no use in a given network. General security practice for routers is to configure the router to support only the needed traffic and services. You can entirely disable a service on a router or restrict its access. If a particular portion of a network segment needs a service but the rest does not, the restriction features should be employed to limit the scope of the service. Some services that are recommended to be disabled are:
  • TCP small servers
  • UDP small servers
  • CDP (if there are IP phones, consideration should be taken before turning off this service)
  • Finger
  • HTTP server
  • Proxy ARP
  • IP mask reply, etc.
The commands needed to turn off a service usually start with "no" followed by the service name, for example:
no service tcp-small-servers
no ip http server
no cdp run

Some services that should be secured if needed are:
  • SNMP, use version 3. Versions 1 and 2 pass management information and passwords in clear text.
  • NTP, to reject NTP messages at a particular interface, use an access-list.
  • DNS, name queries are sent to the broadcast address, so a fake name server could reply to a query. Explicitly specify the name server addresses using the command
ip name-server addresses

5. Secure routing protocols
Routers are also at risk from attacks. Anyone with a packet sniffer can read information propagating between routers. Two kinds of attack in general:
  • Disruption of peers
  • Falsification of routing information

Disruption of peers is less critical, because routing protocols can heal themselves by using a backup route. Falsification of routing information is done by giving a false routing update to a router. This can be protected against by authenticating routing protocol information. Authentication through MD5 consists of 3 key elements: the key (similar to a password), the data, and the signature (the result of combining the key and the data through the MD5 algorithm). RIPv2, EIGRP, OSPF, IS-IS and BGP support various forms of MD5 authentication.

Securing the RIPv2 routing protocol
Step 1. Prevent RIP routing update propagation. First set ALL INTERFACES in a router into passive mode. Then bring up only those interfaces that are required for sending and receiving RIP updates. A passive interface receives updates but does not send them.
passive-interface default

That command, entered at the global level configuration, disables routing advertisements on all interfaces. To bring up a particular interface enter the command
no passive-interface serial0/0/0

That command brings up interface serial0/0/0 to send routing updates.

Step 2. Prevent unauthorized reception of RIP updates. This can be done by setting up MD5 authentication for routing updates. To enable it, first you must create a key for MD5 and then configure each interface participating in routing updates to send authenticated updates. The commands to create the MD5 key are:
key chain RIP_KEY
key 1
key-string cisco

"key chain RIP_KEY" creates a key chain named RIP_KEY. We can create multiple keys; in the example "key 1" creates key 1, and "key-string cisco" says that key 1 contains the key string "cisco".

The commands to implement MD5 authentication on an interface are (entered at the interface configuration level):
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY

The command "ip rip authentication mode md5" tells RIP to use MD5 authentication, while "ip rip authentication key-chain RIP_KEY" tells it to use the RIP_KEY key chain that has been created.
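A model of what the key chain and "authentication mode md5" buy a router, as an added Python example (not Cisco code and not a byte-exact RIPv2 packet): the key is looked up in a key chain by key id, the signature is MD5 over the update data and the key as the notes describe, a sequence number is added so that a captured update cannot be replayed, and a router configured for MD5 drops unsigned updates, unknown key ids, wrong keys and replays. The key strings, route entries and neighbour names are constructed sample values.

```python
"""Key-chain based MD5 authentication of routing updates (model).

Added example, not Cisco code and not a byte-exact RIPv2 packet. It models the
three elements from the notes: the key (looked up in a key chain by key id,
like "key chain RIP_KEY" / "key 1" / "key-string cisco"), the data (the routing
update) and the signature (MD5 over data and key). A sequence number is added
so that a captured update cannot be replayed. A router with "authentication
mode md5" drops updates that are unsigned, name an unknown key id, were signed
with the wrong key, or repeat an old sequence number. Key strings, routes and
neighbour names are constructed sample values.
"""
import hashlib
import hmac
import struct


class KeyChain:
    """key chain NAME with one or more numbered keys: {key id: key string}."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = {kid: k.encode() for kid, k in keys.items()}

    def get(self, key_id):
        return self.keys.get(key_id)


def signature(update, key_id, seq, key):
    """The 'combination of key and data through MD5' from the notes."""
    header = struct.pack("!BI", key_id, seq)   # key id and sequence are signed too
    return hashlib.md5(header + update + key).digest()


def sign_update(update, chain, key_id, seq):
    """Sender side: 'ip rip authentication mode md5' + 'key-chain <chain>'."""
    key = chain.get(key_id)
    if key is None:
        raise KeyError(f"key {key_id} is not in key chain {chain.name}")
    return (update, key_id, seq, signature(update, key_id, seq, key))


def parse_routes(update):
    """Update payload format used here: 'prefix=metric;prefix=metric'."""
    return {p: int(m) for p, m in (e.split("=") for e in update.decode().split(";"))}


class Router:
    def __init__(self, chain=None, mode=None):
        self.chain = chain
        self.mode = mode             # None (no authentication) or "md5"
        self.last_seq = {}           # neighbour -> highest accepted sequence
        self.routes = {}
        self.rejected = []           # (neighbour, reason), what the log would show

    def receive(self, neighbour, packet):
        """Return True if the update was accepted into the routing table."""
        if self.mode == "md5":
            if len(packet) != 4:
                return self._reject(neighbour, "unauthenticated update")
            update, key_id, seq, sig = packet
            key = self.chain.get(key_id)
            if key is None:
                return self._reject(neighbour, "unknown key id")
            if not hmac.compare_digest(sig, signature(update, key_id, seq, key)):
                return self._reject(neighbour, "bad signature")
            if seq <= self.last_seq.get(neighbour, -1):
                return self._reject(neighbour, "replayed sequence number")
            self.last_seq[neighbour] = seq
        else:
            update = packet[0]       # accepts anything, authenticated or not
        self.routes.update(parse_routes(update))
        return True

    def _reject(self, neighbour, reason):
        self.rejected.append((neighbour, reason))
        return False


def demo():
    """One honest neighbour, then several updates a router with md5 must drop."""
    chain = KeyChain("RIP_KEY", {1: "cisco"})
    r = Router(chain, mode="md5")
    good = sign_update(b"10.1.0.0/16=1;10.2.0.0/16=2", chain, 1, seq=1)
    results = [r.receive("R2", good)]                       # accepted
    results.append(r.receive("R2", good))                   # replay of the same packet
    results.append(r.receive("R2", (b"0.0.0.0/0=1",)))      # unsigned default route
    forged = sign_update(b"0.0.0.0/0=1", KeyChain("GUESS", {1: "guess"}), 1, seq=2)
    results.append(r.receive("R2", forged))                 # wrong key string
    results.append(r.receive("R2", (b"0.0.0.0/0=1", 2, 3, b"\0" * 16)))  # unknown key id
    return results, dict(r.routes), list(r.rejected)
```

A router left at mode None accepts the unsigned default route that the MD5 router rejects, which is the "falsification of routing information" case above.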

Step 3. Verify the operation of RIP routing. This is done to check whether routing updates are propagated properly. It can be done with the "show ip route" command.

Securing the EIGRP routing protocol. The steps are similar to the RIP steps (create a key chain, apply the authentication mode to interfaces). The difference is in how the authentication mode is applied to an interface. The commands to configure MD5 authentication for EIGRP process 1 are:
key chain EIGRP_KEY
key 1
key-string cisco

interface s0/0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP_KEY

Securing the OSPF routing protocol. The logic of the steps is the same as for RIP and EIGRP, but the commands are different. The commands to configure MD5 authentication for OSPF process 10 area 0 are:
interface s0/0/0
ip ospf message-digest-key 1 md5 cisco
ip ospf authentication message-digest

router ospf 10
area 0 authentication message-digest

6. control and filter network traffic

Cisco provides AutoSecure, which lets you use a single command to disable processes and services that are not needed. Enter the command "auto secure" at privileged EXEC mode. The command has two modes, interactive and non-interactive. In interactive mode you are asked several questions to enable or disable services and other security features. Non-interactive mode automatically configures the router with the recommended Cisco default settings. The default mode is interactive.

Three types of vulnerability
  • Technology vulnerability: weaknesses in the design of the technology itself (HTTP, FTP, ICMP vulnerabilities).
  • Configuration vulnerability: easily guessed passwords, misconfiguration, insecure default settings.
  • Policy vulnerability: lack of a written policy, poor logical access control.

Types of network attacks
  • Reconnaissance: information gathering, which usually precedes another type of attack. Internet queries (nslookup, whois), ping sweeps (fscan, gscan), port scans (nmap, superscan), packet sniffers (wireshark).
  • Access: gaining access, usually by running a hack, script or tool that exploits a vulnerability. Password attacks and brute forcing (cain, l0phtcrack). Trust exploitation: compromising one system as a means to compromise another system. Port redirection: a type of trust exploitation, using software to relay traffic to another system through a system that has already been compromised (netcat). Man-in-the-middle.
  • Denial of service: corrupting a system or service with the purpose of crashing it so that user requests are denied. SYN flood: in the TCP three-way handshake, the attacker floods a server with TCP SYN messages and the server replies with a SYN-ACK for each one, allocating resources for each half-open connection; the attacker never completes the handshake, so the server runs out of resources. DDoS (Smurf, MyDoom, Tribe Flood Network).
  • Malicious scripts/software: worms, viruses, trojan horses. They damage hosts or corrupt a system and replicate themselves.

Physical security
  • Hardware: lock access to physical equipment, disallow unauthorized access.
  • Environment: temperature control, humidity.
  • Electrical: install a UPS and a generator to cope with power loss; avoid voltage spikes.
  • Maintenance: neat cabling and labeling.

Security should be the main concern whenever designing a network. A firewall alone is not enough; an integrated approach involving firewall, intrusion prevention and VPN is needed.
The PIX has evolved into what is called the Cisco Adaptive Security Appliance (ASA). Cisco ASA integrates firewall, VoIP security, SSL and IPsec VPN, IPS and content security services.

Network Security Wheel
Step 1.  Secure
Create the security policy. some concerns:
  • threat defense
  • stateful inspection and packet filtering
  • intrusion prevention system
  • vulnerability patching
  • disable unnecessary services
  • VPN
  • trust and identity: systems outside the firewall should never be absolutely trusted by systems inside the firewall.
  • authentication
  • policy enforcement: ensure that users and end devices comply with the corporate policy.

Step 2. Monitor
Active monitoring by auditing log files, down to the host level (some operating systems include auditing functionality). Passive monitoring by using IDS devices, which requires less attention from the network administrator.

Step 3. Test
Actively test the network: try to penetrate it using tools such as Nessus and Nmap.

Step 4. Improve
Analyze the data collected during the monitoring and testing phases and implement the necessary improvements.

To keep the network as secure as possible, the cycle of the security wheel must be repeated continually.


Complex Access List

Complex ACLs are built on standard and extended ACLs and provide more functionality. The kinds of complex ACLs are:
  • Dynamic ACL (lock-and-key): creates dynamic entries at run time. Each user whose traffic is to pass through the router must first authenticate through a telnet connection to that router.
  • Reflexive ACL: inbound traffic is limited to traffic in response to sessions that originate from inside the router.
  • Time-based ACL: lets you control traffic based on the time of day and the day of the week.

Dynamic ACL
Dynamic ACLs are sometimes called lock-and-key ACLs. They depend on telnet authentication (local or remote) and on extended ACLs. A dynamic ACL starts from an extended ACL applied to block traffic through the router. Users who want their traffic to pass through the router must telnet to the router and authenticate; then a single-entry dynamic ACL is added to the extended ACL. This entry exists for a limited period of time (absolute timeouts and idle timeouts are both possible). Dynamic ACLs are available for IP traffic only.

You can use dynamic ACLs when you want to grant a remote host, or a group of remote hosts, access to a host within your network. Before the 'outside' hosts are given permission to access your 'inside' host, they must first authenticate themselves at the firewall router. Dynamic ACLs can also be applied when some of your 'inside' hosts want to connect to a remote (outside) host.

The steps to configure a dynamic ACL are:
  • step 1. Create a user. This user can be created locally or on a remote server (RADIUS or TACACS+). The username and password of this user are used to connect to the router using telnet (vty).
  • step 2. Create the dynamic ACL. Remember that dynamic ACLs are extended ACLs.
  • step 3. Apply the ACL to the correct interface.
  • step 4. Configure the telnet connection, with the "login" command to specify where to look up users (local/remote) and "autocommand" to enable the dynamic ACL.

example scenario

         H1 ---------------- R1 --------------- R2 -------------- H2                                  

We want to enable H1 to connect to H2 by creating a dynamic ACL. Assume that R2 is connected to R1 through interface FastEthernet0/1; then we can apply the dynamic ACL 'inbound' on FastEthernet0/1 of R2. The IP address of FastEthernet0/1 is and for simplicity we use local authentication. On the R2 CLI, the commands are:
  • step 1. create a local user
username joe password 0 cisco

  • step 2. create dynamic ACL
access-list 101 permit any host eq telnet
access-list 101 dynamic testlist timeout 15 permit ip
The first entry allows telnet connections to R2 from Fa0/1. The second entry is the dynamic ACL, which allows traffic from network to , and once an authentication is made the entry exists for 15 minutes and is then removed whether it is in use or not.
  • step 3. apply ACL.
interface FastEthernet0/1
ip access-group 101 in

  • step 4. configure telnet connection
line vty 0 4
login local
autocommand access-enable host timeout 5

The "autocommand" is executed once a telnet connection is made, after which the telnet session is dropped. The user can then connect to the network; if the user is idle for 5 minutes, the connection is closed.

Reflexive ACL
A reflexive ACL is used to allow IP traffic for sessions originating from your inside network while denying sessions from outside your network. This limits inbound IP traffic to traffic in response to sessions that originate from inside. Although reflexive ACLs seem to be the same as extended ACLs that use the "established" keyword, they differ in that the "established" parameter only works for TCP traffic, while a reflexive ACL works for any IP traffic (TCP, UDP, ICMP). The "established" option also doesn't work with applications that dynamically alter the source port for the session.

A reflexive ACL works by examining outbound traffic passing through the router. When the router sees a new outbound connection, it adds an entry to a temporary ACL that allows the replies back in. Reflexive ACLs contain only temporary entries; when the session ends, the entries are removed.

Reflexive ACLs can only be defined with extended named IP ACLs; they cannot be used with numbered ACLs, standard ACLs or ACLs for other protocols. Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named ACL.

The steps to create a reflexive ACL are:
  • step 1. Create an extended named ACL, which keeps track of traffic from inside.
  • step 2. Create another extended named ACL, which permits traffic from outside that is in response to sessions initiated from inside.
  • step 3. Apply both ACLs to the correct interface, in opposite directions.

example scenario,

               Inside network
       SW1 --------------------- R1 -------------------- Internet

A network administrator wants to allow inside hosts only to browse the web, while traffic from the internet may enter the network only if it is a reply to a session requested from a host inside the network. Assume that R1 is connected to the Internet through the serial0/0/0 interface and that the ACLs are to be applied on that interface. The commands are:
  • step 1. create the ACL that keeps track of traffic from inside
ip access-list extended HTTP_OUTBOUND
permit tcp any reflect TCPTRAFFIC

  • step 2. create the ACL that permits traffic from outside in response to sessions from inside; it nests the reflexive ACL with the "evaluate" command
ip access-list extended HTTP_INBOUND
evaluate TCPTRAFFIC

  • step 3. apply both ACLs
interface serial0/0/0
ip access-group HTTP_OUTBOUND out
ip access-group HTTP_INBOUND in
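To make the reflexive behaviour concrete, here is an added example (not code from the page or from Cisco) that models the HTTP_OUTBOUND / HTTP_INBOUND pair in Python: an outbound packet that matches the "reflect" statement creates a mirrored temporary entry, and an inbound packet is permitted only if it matches one. The inside network 192.168.1.0/24 and the outside host 203.0.113.5 are constructed values; session teardown is simplified to "a packet carrying FIN removes the entry".

```python
"""Added example (not from the page or Cisco): a Python model of the
HTTP_OUTBOUND / HTTP_INBOUND reflexive ACL pair.  Addresses are constructed
samples; session end is simplified to 'a packet with FIN removes the entry'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # TCP teardown flag (simplified session end)


class ReflexiveACL:
    """Models   permit tcp <inside> any eq www reflect TCPTRAFFIC   (applied out)
                evaluate TCPTRAFFIC                                 (applied in)
    with the implicit deny at the end of both lists."""

    def __init__(self, inside_prefix: str, www_port: int = 80):
        self.inside_prefix = inside_prefix   # e.g. "192.168.1." (constructed)
        self.www_port = www_port
        # temporary entries keyed (proto, src, sport, dst, dport) as seen INBOUND
        self.temp_entries: set = set()

    def outbound(self, pkt: Packet) -> str:
        """HTTP_OUTBOUND: only web requests from inside may leave."""
        if (pkt.proto == "tcp"
                and pkt.src.startswith(self.inside_prefix)
                and pkt.dport == self.www_port):
            # the reflect keyword creates the mirrored (reply) entry
            mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if pkt.fin:
                self.temp_entries.discard(mirrored)   # session ends: entry removed
            else:
                self.temp_entries.add(mirrored)
            return "permit"
        return "deny"   # implicit deny any: telnet, udp, ... from inside are blocked

    def inbound(self, pkt: Packet) -> str:
        """HTTP_INBOUND: evaluate TCPTRAFFIC, then implicit deny."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.temp_entries:
            if pkt.fin:
                self.temp_entries.discard(key)
            return "permit"
        return "deny"   # unsolicited traffic from outside never matches


def demo():
    """Walks one web session through the router; returns the three decisions."""
    acl = ReflexiveACL("192.168.1.")
    request = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    unsolicited = Packet("tcp", "203.0.113.9", 4444, "192.168.1.10", 23)
    return [acl.outbound(request), acl.inbound(reply), acl.inbound(unsolicited)]


if __name__ == "__main__":
    print(demo())   # ['permit', 'permit', 'deny']
```

The point the model makes visible is that the inbound list has no permanent permit at all: everything that gets in was first "reflected" from an outbound packet, and the entry disappears with the session.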

Time-Based ACL
A time-based ACL has a function similar to an extended ACL, except that it can perform access control based on time (time of day and day of the week). Time-based ACLs are implemented by first creating a time range that defines specific times of day and days of the week. The time range is identified by a name, and an ACL entry refers to it by that name.

The steps to implement a time-based ACL are:
  • step 1. Define the time range of when the ACL will operate.
  • step 2. Create the ACL and apply the time range to the corresponding entry.
  • step 3. Apply the ACL to the interface.

example scenario,
A network administrator allows telnet connections from the internet to the inside network ( only on Sunday from 7:00 to 15:00. This ACL is implemented on interface serial0/0/0, the interface of the firewall router that is directly connected to the outside network. The commands are:
  • step 1. Define the time range
time-range EVERYSUNDAY
periodic Sunday 7:00 to 15:00

  • step 2. create the ACL
access-list 101 permit tcp any eq telnet time-range EVERYSUNDAY

  • step 3. apply the ACL
interface serial0/0/0
ip access-group 101 in
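As an added example (not from the page or from Cisco), the following Python models what the "time-range EVERYSUNDAY" reference does to the ACL entry above: the entry only takes part in matching while the time range is active, and outside it the packet falls through to the implicit deny. Only the "periodic <days> hh:mm to hh:mm" form with one day or one day group is modelled; the half-open interval is this model's choice, not a claim about IOS.

```python
"""Added example (not from the page or Cisco): a model of an IOS 'periodic'
time-range and of an ACL entry that carries 'time-range EVERYSUNDAY'."""
from datetime import datetime, time

DAY_INDEX = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def parse_periodic(line: str):
    """'periodic Sunday 7:00 to 15:00' -> ({6}, time(7, 0), time(15, 0))."""
    tokens = line.split()
    if tokens[0].lower() != "periodic" or tokens[-2].lower() != "to":
        raise ValueError("expected: periodic <days> hh:mm to hh:mm")
    start = time(*map(int, tokens[-3].split(":")))
    end = time(*map(int, tokens[-1].split(":")))
    days = set()
    for word in tokens[1:-3]:           # day names and/or a group keyword
        w = word.lower()
        if w in DAY_GROUPS:
            days |= DAY_GROUPS[w]
        elif w in DAY_INDEX:
            days.add(DAY_INDEX[w])
        else:
            raise ValueError(f"unknown day: {word}")
    return days, start, end


def time_range_active(time_range, when: datetime) -> bool:
    days, start, end = time_range
    # half-open [start, end) is this model's choice, not a claim about IOS
    return when.weekday() in days and start <= when.time() < end


EVERYSUNDAY = parse_periodic("periodic Sunday 7:00 to 15:00")


def acl_101(proto: str, dport: int, when: datetime) -> str:
    """access-list 101 permit tcp any <inside> eq telnet time-range EVERYSUNDAY
    followed by the implicit deny.  An entry whose time range is inactive is
    skipped as if it were not in the list."""
    if proto == "tcp" and dport == 23 and time_range_active(EVERYSUNDAY, when):
        return "permit"
    return "deny"


if __name__ == "__main__":
    # 2024-06-02 is a Sunday (constructed sample dates)
    print(acl_101("tcp", 23, datetime(2024, 6, 2, 10, 0)),   # permit
          acl_101("tcp", 23, datetime(2024, 6, 3, 10, 0)))   # deny
```

Note what the model leaves out: IOS time ranges depend on the router's clock, so a wrong or unsynchronised clock silently changes when the permit applies; that is the check worth adding to a change review.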

Extended ACLs provide a greater range of criteria when filtering packets. While standard ACLs filter only on the source IP address, extended ACLs filter packets on source/destination IP address, source/destination port number (service) and the protocol used. Extended ACLs are numbered from 100-199 and 2000-2699; they can be named as well.

Extended ACLs can filter packets by their source/destination port number. You can specify the port either as a number or by the name of a well-known port. For example, the following access-list entries have the same function:
access-list 110 permit tcp any eq 21
access-list 110 permit tcp any eq ftp

Both permit packets from network to any host that are destined for port 21 (FTP runs on port 21).

You may notice the "eq" keyword in both entries before the port number. "eq" means equal. The available operators are:
  • eq : equal; permit/deny packets whose source/destination port number is equal to the specified number
  • lt : less than; permit/deny packets whose source/destination port number is less than the specified number
  • gt : greater than; permit/deny packets whose source/destination port number is greater than the specified number
  • neq : not equal; permit/deny packets whose source/destination port number is not equal to the specified number

The complete syntax is
access-list access-list-number {deny|permit|remark} protocol source [source-wildcard][operator operand] [port port-number or name] destination [destination-wildcard][operator operand] [port port-number or name] [established]

access-list-number: a number identifying the access-list. For an extended ACL this can be 100 to 199 or 2000 to 2699.
deny: drop the packet if the condition matches.
permit: pass the packet if the condition matches.
remark: used for documentation; adds a remark about entries in the access-list to make it easier to read.
protocol: the protocol of the packet. Use one of tcp, udp, icmp, etc.; to match any IP protocol, use ip.
source: address of the network or host from which the packet is sent. Two ways to specify the source:
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the source address. Abbreviation of source and source-wildcard and
source-wildcard: wildcard bits for the source IP address. Two ways to specify the source-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of source and source-wildcard and
destination: address of the network or host to which the packet is destined. Two ways to specify the destination:
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the destination address. Abbreviation of destination and destination-wildcard and
destination-wildcard: wildcard bits for the destination IP address. Two ways to specify the destination-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of destination and destination-wildcard and
operator: optional; compares source or destination ports. One of eq, gt, lt, neq.
port: optional; the (source/destination) port number or service name of the packet.
established: optional, for TCP packets only. A match occurs if the TCP packet has the ACK or RST bit set, which indicates that the packet belongs to an existing connection.

Here is an example that allows hosts in network only web browsing (HTTP):
access-list 110 permit tcp any eq 80
access-list 110 permit tcp any eq 443
access-list 115 permit tcp any established

The entry "access-list 110 permit tcp any eq 443" is required for HTTPS, while "access-list 115 permit tcp any established" is required because HTTP traffic flows in two directions: you request a page and the server sends you the page. This ACL lets you receive the page that you requested (it actually passes every TCP packet that belongs to an existing connection; since only HTTP/HTTPS traffic can leave the network, theoretically only HTTP/HTTPS connections can be made from inside).

After creating the ACLs, you apply an extended ACL to an interface the same way as a standard ACL. From the example above, you apply the two ACLs on one interface, one in each direction; which direction each one takes depends on which interface you apply them to. Assuming we want to apply both ACLs to interface FastEthernet0/1, which is directly connected to network then the commands are:
interface FastEthernet0/1
ip access-group 110 in
ip access-group 115 out
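The following is an added example, not code from the page or from Cisco: a Python model of how IOS walks a numbered extended ACL top-down (first match wins) and applies the implicit "deny any" when nothing matched. It parses the statement syntax given above (any / host / wildcard addresses, the eq, neq, lt, gt port operators, established, and remark lines) and re-creates ACL 110 and ACL 115 with the constructed inside network 192.168.1.0/24 filled in where the page's address was lost.

```python
"""Added example (not from the page or Cisco): top-down evaluation of a
numbered extended ACL with the implicit deny.  Addresses are constructed."""
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}
OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = the bit must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(base)) & care == 0


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq|neq|lt|gt <port>' and return (operator, port)."""
    if tokens and tokens[0] in OPERATORS:
        op, value = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES[value] if value in PORT_NAMES else int(value))
    return None


def parse_acl(text: str):
    """Parse 'access-list N permit|deny proto src [op port] dst [op port] [established]'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[2] == "remark":        # documentation only, filters nothing
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        rest = tokens[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        entries.append({"number": number, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "established": "established" in rest})
    return entries


def _port_ok(spec, port):
    return spec is None or OPERATORS[spec[0]](port, spec[1])


def evaluate(entries, pkt: dict) -> str:
    """pkt keys: proto, src, dst, sport, dport, ack (True when ACK or RST is set)."""
    for e in entries:                    # statements are read top to bottom
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if pkt["proto"] in ("tcp", "udp"):
            if not _port_ok(e["sport"], pkt["sport"]) or not _port_ok(e["dport"], pkt["dport"]):
                continue
        if e["established"] and not pkt.get("ack", False):
            continue
        return e["action"]               # first matching statement decides
    return "deny"                        # implicit deny any at the end of every ACL


ACL_110 = parse_acl("""
access-list 110 remark web browsing only from the inside LAN (constructed)
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
""")
ACL_115 = parse_acl("""
access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established
""")

if __name__ == "__main__":
    web = {"proto": "tcp", "src": "192.168.1.10", "sport": 40000, "dst": "203.0.113.5", "dport": 80}
    print(evaluate(ACL_110, web), evaluate(ACL_110, dict(web, dport=23)))   # permit deny
```

Two things the model shows that the prose only states: a telnet attempt from inside matches neither permit and is dropped by the implicit deny, and a SYN arriving from outside (no ACK set) fails the established test in ACL 115 even though its addresses match, which is exactly the protection that entry provides.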

You can create a named IP extended ACL the same way as you create one for a standard ACL.
The steps are:
  • step 1. At the global configuration level, enter the command "ip access-list extended name", where name is the name you want to give the extended ACL.
  • step 2. After entering the command you are at the ACL configuration level. Create statements and conditions as required with the permit/deny/remark keywords. The syntax is the same as for a statement in a numbered extended ACL, except that you no longer specify "access-list access-list-number".
  • step 3. You can verify the ACL you have created with the command "show access-lists name" at privileged EXEC mode.

To create a statement of a standard ACL, enter the following command at the global configuration level
access-list access-list-number [deny|permit] [remark] source source-wildcard [log]

access-list-number: number of the access list; this can be 1-99 or 1300-1999 (standard ACL).
deny: drop the packet if the condition matches.
permit: pass the packet if the condition matches.
remark: used for documentation; adds a remark about entries in the access-list to make it easier to read.
source: address of the network or host from which the packet is sent. Two ways to specify the source:
  • 32-bit, four-part dotted-decimal format
  • any, don't care about the source address. Abbreviation of source and source-wildcard and
source-wildcard: wildcard bits for the source address. Two ways to specify the source-wildcard:
  • 32-bit, four-part dotted-decimal format
  • any, abbreviation of source and source-wildcard and
log: logs information about packets that match the entry. Logs are sent to the console (the level of detail of the messages shown on the console is controlled by the "logging console" command).

Removing an ACL
Enter the following command at the global configuration level
no access-list access-list-number

access-list-number: number of the access list to be removed; this can be 1-99 or 1300-1999 (standard ACL).

Wildcard Mask
A wildcard mask and a subnet mask are both 32 bits long. A subnet mask is used to determine which part of the IP address is the network ID and which is the host ID. A wildcard mask is used to filter IP addresses to determine whether to permit or deny packets. A subnet mask uses binary 1s for the bits that form the match and 0s for the bits that do not, whereas a wildcard mask uses binary 1s to ignore the corresponding IP address bit and 0s to require that the corresponding bit match.
00000000 -> all address bits must match
00001111 -> matches the first four bits, ignores the last four bits
11110000 -> ignores the first four bits, matches the last four bits
11111111 -> ignores all bits in this octet

you can calculate a wildcard mask easily by subtracting the subnet mask from example:
1. say that you want to filter the whole network of because its subnet mask is, you can do -
--------------- -> wildcard mask

2. you want to filter only the first 14 hosts of -

3. you want to filter hosts from network and, because bits of the network part that's the same between and is the first 22bits, you can do -

You can avoid calculating the wildcard mask by using the host and any keywords:
  • host is a substitute for the wildcard mask that means all bits of the IP address must match; use it when you want to filter a single host.
  • any is a substitute for the wildcard mask that ignores all bits; use it when you don't care which host the packet is sent from.

access-list 1 permit any
access-list 1 permit host
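The arithmetic this section describes, as an added example in Python (not code from the page): the wildcard is 255.255.255.255 minus the subnet mask, an aligned block of 2^k addresses gets wildcard 2^k - 1 (so 0.0.0.15 covers 16 addresses, that is a network address, 14 usable hosts and a broadcast), and two networks can be matched with one statement by turning every bit from their first differing bit downwards into an "ignore" bit. The addresses used are constructed samples standing in for the values the page lost.

```python
"""Added example (not from the page): wildcard-mask arithmetic in Python.
All sample addresses are constructed."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 - subnet mask:  255.255.255.0 -> 0.0.0.255."""
    return to_str(ALL_ONES - to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/22 -> 0.0.3.255 (the low 32 - 22 = 10 bits become 'ignore' bits)."""
    return to_str(ALL_ONES >> prefix_len)


def wildcard_for_block(size: int) -> str:
    """Wildcard covering an aligned block of `size` addresses: 16 -> 0.0.0.15.
    That block is the network address, 14 usable hosts and the broadcast."""
    if size <= 0 or size & (size - 1):
        raise ValueError("block size must be a power of two")
    return to_str(size - 1)


def common_wildcard(net_a: str, net_b: str):
    """Smallest (base, wildcard) pair matching both networks: the first bit
    that differs, and every bit below it, is turned into an 'ignore' bit."""
    a, b = to_int(net_a), to_int(net_b)
    common_bits = 32 - (a ^ b).bit_length()   # leading bits the two share
    wildcard = ALL_ONES >> common_bits
    return to_str(a & ~wildcard & ALL_ONES), to_str(wildcard)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """The test an ACL statement performs: 0 bits must match, 1 bits are ignored.
    'host A' is (A, 0.0.0.0); 'any' is (0.0.0.0, 255.255.255.255)."""
    return (to_int(addr) ^ to_int(base)) & ~to_int(wildcard) & ALL_ONES == 0


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))          # 0.0.0.255
    print(wildcard_for_block(16))                        # 0.0.0.15
    print(common_wildcard("172.16.0.0", "172.16.3.0"))   # ('172.16.0.0', '0.0.3.255')
```

common_wildcard shows why a single statement for two networks is a trade-off: the wildcard 0.0.3.255 that covers 172.16.0.0 and 172.16.3.0 also matches 172.16.1.0 and 172.16.2.0, so check with matches() that nothing unintended falls inside the range before using it in a permit.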

Applying access-list to an interface
Enter the following command at the interface configuration level
ip access-group [access-list-number | access-list-name] [in|out]

access-list-number: the number of the access-list that you want to apply
access-list-name: the name of the access-list that you want to apply
in : apply the access-list at inbound direction
out: apply the access-list at outbound direction

For example, to apply access-list 1 on interface Serial0/0/0 in the outbound direction, you would enter the commands
interface serial0/0/0
ip access-group 1 out

In addition to restricting remote connections to SSH only, you can further increase security by applying an access-list to the vty lines. The command is
access-class access-list-number [in [vrf-also] | out]

access-list-number: the number of the access-list that you want to apply
in : restricts incoming connections between this Cisco device and the addresses in the access-list.
out: restricts outgoing connections between this Cisco device and the addresses in the access-list.

Some things to note about applying an access-list to the vty lines:
  • apply the access-list to all of the vty lines, since users can connect through any of them.
  • only numbered access-lists can be applied to the vty lines.

Example: applying access-list 1 to incoming connections on vty 0-4.
line vty 0 4
password cisco
access-class 1 in

Editing Numbered Access-List
There is no built-in editing feature for numbered ACLs; you cannot selectively insert or delete lines. To edit a numbered ACL, do the following:
  • step 1. Show the ACL to be edited from the running configuration with the command "show running-config | include access-list"; the "include access-list" filter shows only the access-list configuration.
  • step 2. Select all the lines of the ACL you want to edit and copy them to a text editor. Edit the ACL as required in the text editor.
  • step 3. Back at the CLI, in global configuration mode, delete the ACL with the "no access-list access-list-number" command, then paste the edited ACL from the text editor into the CLI.

Creating Named Access-List
First, create a named ACL with a command entered at the global configuration level. The syntax is:
ip access-list [standard | extended] name

name: the name of the access-list

You are then at the access-list configuration level, where you create statements for the ACL. To create a statement use the "permit" or "deny" command; you can also add a comment for each statement using the "remark" command. The syntax is:
[permit | deny | remark] {source [source-wildcard]} [log]

Then apply the ACL to an interface by first entering the corresponding interface configuration level and entering the following command:
ip access-group name [in | out]

name: the name of the access-list

After you create an ACL (numbered or named), you can verify it with the command "show access-list" at privileged EXEC mode.

Editing Named Access List
Since Cisco IOS Software Release 12.3, named ACLs are easier to edit: you can edit individual entries. When you use the "show access-list" command, you can see that each entry in a named ACL has a sequence number in front of it (the numbers usually start at 10 and increase by 10 for each entry). You can delete an entry or insert an entry without recreating the whole ACL.

Say you want to insert an entry between the first and the second entry. Enter the ACL configuration level with the "ip access-list [standard | extended] name" command, then enter the following:
sequence-number [permit | deny] {source [source-wildcard]} [log]

sequence-number: a number that determines the order of the statement in the list. To place this entry between the first and the second entry, enter a number between 10 and 20.

An access list is a router configuration script that controls whether the router permits or denies packets based on information found in the packet header. ACLs are also used to select certain types of traffic to be analyzed, forwarded or processed in other ways.

An access list lets you control traffic flowing into or out of your network. It can permit or deny traffic from or destined to a certain host/network, or even deny or permit traffic from or destined to a certain port. In addition to permitting or denying, an access list can be used to classify traffic to enable priority processing.

Packet filtering controls access to a network by analyzing incoming or outgoing packets and deciding whether to pass or drop them based on filter rules; these filter rules are defined using access lists. A router can act as a packet filter: when a packet arrives, the router extracts information from the packet header and decides, according to the filter rules, whether to pass or drop the packet. Access lists work at layer 3 of the OSI model, but recall that an ACL can also use upper-layer information such as the protocol used and the source/destination port number (service).

You can have one access list per protocol, per direction (inbound and outbound) and per interface (the three Ps). Each interface has two directions, in and out, and each direction may receive packets of different protocols (IP, IPX, AppleTalk). You can apply an ACL on interface FastEthernet0/0 in the inbound direction for IP and another ACL on FastEthernet0/0 in the inbound direction for IPX, because they apply to different protocols.

Some guidelines on using ACLs:
  • Use an ACL on the firewall to control traffic flowing between your internal network and the external network.
  • Use an ACL on a router between certain parts of your internal network, for example between a less controlled area of the network and a network that holds more sensitive data.
  • Use an ACL for each network protocol on the border router interfaces.

How Access-List Works
You can apply ACLs in the inbound or outbound direction. The difference is:
  • inbound: incoming packets are checked against the ACL before they are routed. An inbound ACL is therefore efficient, because a dropped packet does not need to be routed.
  • outbound: the packet has already been routed from the incoming interface to the outgoing interface, and is then checked against the ACL if the outgoing interface has an outbound ACL applied. This is less efficient: the packet has been routed only to be dropped at the outgoing interface.

An ACL works sequentially. Each statement is read one by one from top to bottom and checked against the information extracted from the packet header. If it matches, the packet is permitted or denied according to that statement. If it doesn't match, the next statement is read, if there is one (this is why you should put the most frequently matched statements at the top of the list). If the last statement of the list is reached without a match, the packet is dropped. Keep in mind that a packet which doesn't match any statement in the ACL is dropped; this is often called the "implicit deny any" statement.

Because of the "implicit deny any" statement, when you define an inbound ACL for traffic filtering you should include explicit access-list statements that permit routing updates. Otherwise, the routing protocol's communication could be blocked as well.

Two types of Cisco ACLs:
  • Standard ACL: filters packets based on the source IP address only; the destination address and the destination port don't matter (numbers 1 to 99 and 1300 to 1999 are standard IP ACLs).
  • Extended ACL: filters packets based on several attributes: source/destination address, source/destination port (service) and the protocol used (numbers 100 to 199 and 2000 to 2699 are extended IP ACLs).

NOTE: since Cisco IOS Software Release 12.0.1, the standard and extended ACL number ranges have been extended to 1300 to 2700.

Numbered and Named ACL
The number of an access list tells you whether it is a standard or an extended ACL. This is usable in a small network where the traffic is generally homogeneous, but a number doesn't tell you the purpose of the ACL. Because of this, since Cisco IOS version 11.2 you can give an ACL a name to identify it.

Numbered ACL
  • Standard IP ACL, numbered from 1 to 99 and 1300 to 1999
  • Extended IP ACL, numbered from 100 to 199 and 2000 to 2699
  • ACL numbered 200 to 1299 are used for other protocols than IP. for example, ACL numbered 600 to 699 are used for AppleTalk and ACL numbered 800 to 899 are used for IPX.

Named ACL
Certain rules apply when naming an ACL:
  • names can contain alphanumeric characters
  • it is suggested to use CAPITAL LETTERS for the name
  • names cannot contain spaces or punctuation characters, and must begin with a letter
  • entries in a named ACL can be edited

The placement of ACLs plays an important role in network performance: the place where you apply an ACL can reduce unwanted traffic. Imagine packets that have been routed across the network only to be dropped at the last router. The basic rules for placing ACLs are:
  • Extended ACL: place it as close as possible to the source of the traffic to be denied.
  • Standard ACL: place it as close as possible to the destination of the traffic to be denied. Because a standard ACL only looks at the source of the traffic, if you put it near the source, other traffic from that source destined to networks that should be reachable could be blocked as well.

ACL best practices
  • Create ACLs based on the organization's security policy.
  • Prepare a description of the ACLs you want to create (this helps avoid potential problems).
  • Use a text editor to create, edit and save ACLs (this way you can build a library of reusable ACLs).
  • Test ACLs in a lab environment before deploying them on the production network (this avoids costly errors).


Password Recovery

The enable password and enable secret are used to control access to privileged EXEC mode. A lost password can be recovered, while a lost secret must be replaced by a new one because it is stored encrypted. For security reasons, you recover a lost password or secret by connecting your PC to the device through a console cable. The configuration register is similar to the BIOS configuration of a PC: for example, the BIOS determines from which hard disk the PC boots, and for a router the configuration register, represented by a single hexadecimal value, tells the router what steps to take when booting. The configuration register has many uses; password recovery is probably the most common one.

The steps are:
  • step 1. Connect your PC to the router.
  • step 2. Record the configuration register by entering the command "show version" (the configuration register value is usually shown on the last line). If you no longer have access to user EXEC mode, you can safely assume that the configuration register value is 0x2102 (it is usually set to 0x2102 or 0x102).
  • step 3. Turn off the router and then turn it back on.
  • step 4. Press Break on the keyboard within 60 seconds of power-up to put the router into ROMmon.
  • step 5. Change the configuration register value to 0x2142 in ROMmon by entering the command "confreg 0x2142". This causes the boot process to bypass the startup-configuration where the forgotten password is stored.
  • step 6. Reboot the router by entering the command "reset" in ROMmon. The router reboots and ignores the saved configuration.
  • step 7. Skip the initial setup procedure by typing "no" during the boot process.
  • step 8. Enter privileged EXEC mode with the command "enable".
  • step 9. Copy your startup-configuration to the running-configuration with the command "copy startup-config running-config".
  • step 10. Now use "show running-config" to see the password. If your password is encrypted, you have to set a new one. (You will also see that all interfaces are in the shutdown state.)
  • step 11. To set a new password, go to the global configuration level with the command "configure terminal".
  • step 12. Set a new secret with the command "enable secret password". For example, to set the password to cisco, type "enable secret cisco".
  • step 13. Because all interfaces are in the shutdown state, issue "no shutdown" on every interface that should be up. Issue "show ip interface brief" to confirm it.
  • step 14. Reset the configuration register to its original value (the one you recorded) with the command "config-register confreg-value"; for example, enter "config-register 0x2102" to set it to 0x2102.
  • step 15. Everything is set; now copy the running-configuration to the startup-configuration so that your new password is stored in the startup-configuration.

The IOS image is crucial for a router to run. However, if the IOS image is accidentally deleted from flash, the router can still operate as long as it is not rebooted, because it is running IOS from RAM. If it is rebooted, or you have to reboot it for some reason, the router will no longer be able to run IOS and will boot into ROMmon. You can recover from this state by copying an IOS image that was previously backed up to a TFTP server. The steps and commands are different because we are dealing with ROMmon (you can still type "?" to see the available commands in ROMmon). The steps are:
  • step 1. Connect the router directly to the TFTP server. First connect the router to the TFTP server from the first Ethernet port of the router (this depends on the router; on some routers it is FastEthernet0/0), and give the TFTP server a static IP address, for example
  • step 2. Set the ROMmon variables. Turn on the router and you will see the ROMmon prompt. Some notes about variables in ROMmon:
  • Variable names are case sensitive
  • Don't include any spaces before or after the = symbol
  • Navigation keys do not work
Enter the following variables at the ROMmon prompt; the value of each variable is just an example, change it as needed.
  • step 3. Enter the "tftpdnld" command. This downloads the specified file from the TFTP server. Before the transfer begins you are warned that all existing data in flash will be erased; type "y" to continue. You will then see exclamation marks "!", each one showing that a UDP packet has been successfully transferred. After it finishes, use the "reset" command to reboot the router with the IOS image now in flash.

Recovering Using Xmodem
there is another way to recover an IOS image to a router: xmodem (ROMmon supports Xmodem). the transfer is slower than with the "tftpdnld" command because it goes over the console cable. that is, the copy of the IOS image does not come from a TFTP server but from an administrator's PC. the steps are:
  • step 1. connect a PC that has the IOS image to the router's console port. open a connection to the router to get the ROMmon command prompt.
  • step 2. use the "xmodem" command at the ROMmon prompt. the syntax is
xmodem [-cyr] [filename]

c : use CRC-16 instead of the one-byte checksum
y : use the Ymodem protocol
r : copy the image to RAM only (run it without writing flash)
xmodem -c c1841-ipbase-mz.123-14.T7.bin
entering this command at the router makes it ready to receive the specified file.
  • step 3. in the terminal software you use to connect to the router over the console cable, choose to send a file. the menu depends on the software; in HyperTerminal it is Transfer > Send File.
  • step 4. browse for the file you want to transfer, set the protocol to Xmodem (Xmodem with CRC if you used -c), then send the file. when the transfer is done the router reloads automatically with the new IOS image.

over time a router needs an update or an upgrade, either of the IOS image or of the configuration file. an update replaces one release with another without changing the feature set; it may fix a bug or replace a release that is no longer supported. an upgrade replaces one release with another that has a larger feature set; it might include additional technologies or new features. updates are free while upgrades are not.


Cisco provides guidelines on updating/upgrading the IOS version. following the guidelines can reduce operational, planning and management cost. the phases Cisco recommends are:
  • Plan: set goals, resources, hardware and software, and create a schedule.
  • Design: choose the IOS releases to be used and the migration strategy.
  • Implement: execute the migration plan.
  • Operate: monitor the migration progress and keep backup copies of the old images and configurations.

Cisco also provides a number of tools for this; some of them are:
  • Cisco IOS reference guide, covers the basics of the Cisco IOS software family.
  • Cisco IOS software technical documents, the documentation of each IOS release.
  • Software Center, the place to download IOS images.

an attacker who has compromised a router can delete its IOS image or configuration file. to limit the damage of such an attack, a network administrator must know how to maintain the device file system, and must keep current off-box copies of images and configurations so that a wiped router can be restored.

each Cisco IOS device has a feature called the Cisco IOS IFS (Integrated File System) which is used to view, navigate and manipulate the file systems in the device. enter the command "show file systems" in privileged EXEC mode to see the file systems available on the device. each file system has its own permission flags: read only (ro), write only (wo) and read and write (rw). you can then list the files in a directory ("dir"), change the working directory ("cd dir_name") and print the current working directory ("pwd").

when you copy a file in IOS, you specify the file's location using a URL convention. it is much like locating a file in any other OS, except that in IOS you first give the prefix of the file system the file lives in. the prefix can be tftp, flash, system (RAM) or nvram. for example, a "backup-config" file in the "configs" folder on a TFTP server is written as "tftp://" followed by the server's IP address and the path, a file in flash memory is "flash:configs/backup-config", the configuration in RAM is "system:running-config", and the one in NVRAM is "nvram:startup-config".

after specifying the file locations, you can copy the file with the command
copy source-url destination-url

instead of providing the full URL, you can use the simple syntax. for example, to copy the running-configuration in RAM to the startup-configuration in NVRAM
copy running-config startup-config
instead of
copy system:running-config nvram:startup-config

to copy the running-configuration to a remote location (you are prompted for the server address and file name)
copy running-config tftp:

to copy a configuration file from a remote location into RAM. note that copying into the running-configuration merges the file's commands into the current configuration rather than replacing it
copy tftp: running-config

Cisco IOS Naming Convention
knowing the file naming convention helps a network administrator when upgrading and selecting new IOS images. let's look at an example IOS image name

c1841-ipbase-mz.123-14.T7.bin

the name can be divided into several parts.
  • the first part is "c1841"; this means the image runs on the 1841 series platform.
  • the second part is the feature set. in this case it is "ipbase", which means basic IP internetworking. some other possibilities are:
    - "i", IP feature set.
    - "j", enterprise feature set (all protocols); PLUS feature sets add extra queueing, manipulation or translation features.
    - "56i", 56-bit DES IPsec encryption.
    - "k2", 3DES IPsec encryption (168 bit).
  • the third part indicates where the image runs and whether it is compressed. here "mz" means the image runs from RAM (m) and is zip-compressed (z).
  • the fourth part is the version number, "123-14.T7", which is release 12.3(14)T7.
  • the last part is the file extension; "bin" indicates a binary executable.
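The convention above is regular enough to parse, which is useful when checking that the image you are about to load is for the right platform and is actually newer than the one installed. The following is an added example, not code from these notes: it splits an image name into the parts described above and compares release numbers. The meanings of "m" and "z", "56i" and "k2" come from the notes; the extra letters (f, r, x, k9) and the second sample file name are this example's own assumptions, included only to show the parser handling other images.

```python
"""Parse a Cisco IOS image file name into its parts.

Added example (not from these notes). The field meanings follow the naming
convention described above; the extra letters (f, r, x, k9) and the second
sample file name are this example's own assumptions.
"""
import re
from typing import Optional

# memory location / compression letters (m and z are from the notes; the rest are assumed)
LOCATION = {"m": "RAM", "f": "flash", "r": "ROM"}
COMPRESSION = {"z": "zip", "x": "mzip"}

# crypto suffixes that can end a feature-set name (56i and k2 are from the notes, k9 is assumed)
CRYPTO = {"k9": "strong crypto (3DES/AES)", "k2": "3DES IPsec (168 bit)", "56i": "56-bit DES IPsec"}

NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>[a-z0-9]+)-(?P<memory>[a-z]{2})"
    r"\.(?P<version>[0-9]+-[0-9]+(?:\.[A-Z]+[0-9]*)?)\.(?P<ext>[a-z]+)$"
)
VERSION_RE = re.compile(
    r"^(?P<major>[0-9]{2})(?P<minor>[0-9]+)-(?P<maint>[0-9]+)(?:\.(?P<train>[A-Z]+)(?P<rebuild>[0-9]*))?$"
)


def parse_version(encoded: str) -> dict:
    """'123-14.T7' -> 12.3(14)T7, plus a tuple that sorts in release order."""
    m = VERSION_RE.match(encoded)
    if not m:
        raise ValueError("unrecognised version field: " + encoded)
    major, minor, maint = int(m["major"]), int(m["minor"]), int(m["maint"])
    train = m["train"] or ""
    rebuild = int(m["rebuild"]) if m["rebuild"] else 0
    return {
        "text": "%d.%d(%d)%s%s" % (major, minor, maint, train, m["rebuild"] or ""),
        "key": (major, minor, maint, train, rebuild),
    }


def parse_image_name(filename: str) -> dict:
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError("not a Cisco IOS image name: " + filename)
    feature = m["feature"]
    crypto: Optional[str] = None
    for suffix, meaning in CRYPTO.items():
        if feature.endswith(suffix):
            crypto = meaning
            feature = feature[: -len(suffix)] or feature  # "56i" is a feature set on its own
            break
    loc, comp = m["memory"][0], m["memory"][1]
    version = parse_version(m["version"])
    return {
        "platform": m["platform"],
        "feature_set": feature,
        "crypto": crypto,
        "runs_from": LOCATION.get(loc, "unknown"),
        "compression": COMPRESSION.get(comp, "none"),
        "version": version["text"],
        "version_key": version["key"],
        "extension": m["ext"],
    }


def is_newer(candidate: str, installed: str) -> bool:
    """True if candidate is a later release for the same platform (pre-upgrade check)."""
    c, i = parse_image_name(candidate), parse_image_name(installed)
    if c["platform"] != i["platform"]:
        raise ValueError("images are for different platforms")
    return c["version_key"] > i["version_key"]
```

`is_newer` refuses to compare images for different platforms, which is the mistake the naming convention is meant to prevent; a feature-set change between the two images is an upgrade rather than an update and should be checked separately against the feature_set field.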

you can use TFTP to maintain IOS images and configuration files for the routers in a network. with TFTP you have a central place to upload and download IOS images and configuration files. the TFTP server can be another router, a workstation or a host. keep in mind that TFTP has no authentication or encryption, so anyone on the path can read the configuration files (including any passwords in them) or tamper with an image in transit; keep the server on a management network and check the image's checksum after the copy.

things to do before changing the IOS image on a router:
  • determine the memory required for the update, and install additional memory if the current amount is not enough.
  • set up and test file transfer between the router and the file server.
  • schedule the update/upgrade, because it needs some downtime. updates are usually performed outside peak hours.

when you are ready to perform the update:
  • shut down all interfaces not participating in the update process.
  • back up the old IOS image and configuration file.
  • load the update and the necessary configuration file onto the router.
  • test the update to confirm it succeeded. if the test fails, find out what went wrong and start over.

Backing up IOS Image
it is recommended that you follow the steps below to back up an IOS image to a TFTP server.
  • step 1. ping the TFTP server to make sure there is connectivity between the router and the TFTP server, and that the server is alive.
  • step 2. check whether the TFTP server has enough free space for the IOS image. you must know the space available on the TFTP server; the size of the router's IOS image can be seen with the command "show flash:".
  • step 3. copy the current IOS image to the TFTP server with the command "copy flash: tftp:". during the transfer you will see exclamation marks "!", each of which shows that one UDP segment was transferred successfully.

Upgrading IOS Image
you can update a router's IOS image by transferring the new one from the TFTP server to the router with the command "copy tftp: flash:". after entering this command you are prompted for the TFTP server's IP address and the new IOS file name (you must type the exact file name). you are then asked whether you want to erase flash memory; erase it only when the router does not have enough free flash for the new IOS image alongside the old one, because keeping the old image gives you a fallback if the new one fails. during the transfer you will see exclamation marks "!", each of which shows that one UDP segment was transferred successfully.

TroubleShooting Cisco IOS Configuration
once all devices in the network have the right IOS image and configuration, we can tune the configuration of individual devices to improve their performance. the two commands most used in daily work are "show" and "debug". "show" lists the configured parameters and current state, while "debug" shows you the traffic or events flowing through the device in real time, which lets you trace the execution of a process.

we use the "debug" command when troubleshooting, finding bugs, etc. when you enter a command on a router you actually start many more processes than just the command you typed, so tracing the configuration line by line sometimes won't find the error. the "debug" command shows you the flow of packets so you can check whether everything is working properly. all "debug" commands are entered in privileged EXEC mode. some notes on using "debug":
  • plan debugging properly. without proper precautions, debugging can make things worse.
  • debugging can generate a lot of output. know what you are looking for before you start debugging.
  • debug output varies between protocols. some generate a single line per packet, while others generate multiple lines per packet. a basic understanding of how the protocol works is usually needed to debug it.

some other tools that help to make good use of "debug" are:
  • "service timestamps" adds a timestamp to each debug or log message. this tells you when an event happened and how much time passed between events.
  • "show processes" shows the CPU used by each process. this information helps you decide whether the CPU has enough spare time for debugging.
  • "no debug all" turns off every debugging process that has been started.
  • "terminal monitor" displays debug output and system error messages on the current terminal session. when you telnet (or SSH) to a device and use "debug", you will not see the output unless you have entered this command.

NOTE: debug output is given high priority by the CPU, so a busy debug can starve production traffic. run "debug" during quiet hours, and always turn it off with "no debug all" when you are finished.
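The value of "service timestamps" is that the output becomes measurable. The following is an added example, not from these notes, that parses lines in the form produced by "service timestamps debug datetime msec" and computes the gap between consecutive events; it also records the leading "*", which IOS prints when the clock is not authoritative (no NTP), so you know whether those times can be correlated with other systems. The log lines embedded in it are constructed, not captured from a real router.

```python
"""Measure the time between events in timestamped IOS debug/log output.

Added example (not from these notes). It parses lines of the form produced
by "service timestamps debug datetime msec" (e.g. "*Mar  1 00:02:15.123: ...");
the log lines in SAMPLE_LOG are constructed, not captured from a real router.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

LINE_RE = re.compile(
    r"^(?P<star>\*?)(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{3}))?: (?P<msg>.*)$"
)

SAMPLE_LOG = """\
*Mar  1 00:02:15.123: IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), len 100, sending
*Mar  1 00:02:15.130: IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.0.1 (local), len 100, rcvd 3
*Mar  1 00:02:17.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
*Mar  1 00:02:17.950: IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), len 100, sending
"""


@dataclass
class Event:
    when: datetime        # the format carries no year; datetime defaults it to 1900
    clock_unsynced: bool  # leading '*' means the router clock is not authoritative (no NTP)
    message: str


def parse_debug_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line debug output carry no timestamp
        when = datetime.strptime("%s %s %s" % (m["mon"], m["day"], m["time"]), "%b %d %H:%M:%S")
        when = when.replace(microsecond=int(m["ms"] or 0) * 1000)
        events.append(Event(when, m["star"] == "*", m["msg"]))
    return events


def gaps_ms(events: List[Event]) -> List[int]:
    """Milliseconds between consecutive events; this is what the timestamps buy you."""
    out = []
    for a, b in zip(events, events[1:]):
        delta = b.when - a.when
        out.append(delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000)
    return out


def count_by_tag(events: List[Event]) -> dict:
    """Group messages by their leading tag ('IP' debug lines vs '%SYS-5-CONFIG_I' syslog)."""
    counts: dict = {}
    for e in events:
        tag = e.message.split(":", 1)[0]
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_debug_log(SAMPLE_LOG)
    print(gaps_ms(evs), count_by_tag(evs))
    if any(e.clock_unsynced for e in evs):
        print("clock not authoritative: configure NTP before correlating with other logs")
```

The same parser works on "terminal monitor" output captured from a telnet/SSH session, as long as the debug lines were timestamped.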



AAA stands for Authentication (verifying a user's identity), Authorization (limiting which features a user may access) and Accounting (recording the actions taken by a user).

examples of normal (non-AAA) authentication are the enable secret and the passwords set on line connections (console, vty).

normal (non-AAA) authentication is usually used in small environments or as a backup to AAA.

a user is created locally on a device with the username command. to add a user named joe with the password cisco, the command is
username joe password cisco

note that the "password" keyword stores the password reversibly (clear text, or type 7 if service password-encryption is on); the "secret" keyword stores a hash instead and should be preferred.

each user can be assigned a different privilege level (1-15). a higher number means more privilege.

AAA typically uses an external server to store user names and passwords (it can also fall back to the local database, see the method lists below).

RADIUS and TACACS+ are the two protocols used for authentication and authorization. both are widely used. Cisco generally recommends TACACS+ over RADIUS: TACACS+ is Cisco proprietary, encrypts the whole packet body (RADIUS only encrypts the password), and separates authorization from authentication so that it can authorize each command individually. RADIUS cannot limit the commands a user can execute.

to configure RADIUS / TACACS+ authentication, first enter this command
aaa new-model
then specify where the server is located.
example for a TACACS+ server:
tacacs-server host address key key-string

example for RADIUS servers:
radius-server host address key key-string
radius-server host address key key-string

you can specify more than one server. they are queried in order (if one server is unavailable, the next is queried). the key is the shared secret that the device and the server use to authenticate each other and protect the exchange; it must match on both sides.

then create method lists as needed. a method list specifies how AAA should treat users: whether to challenge them for a password and where to look the password up. the methods available (not all covered here) include local, tacacs+, radius, krb5, line and none. AAA can authenticate not only login but also ppp, ARAP, etc. here is an example of a method list:
aaa authentication login My-Method group tacacs+ local

My-Method is the name of the method list.

here there are two methods, tacacs+ and local. only if the tacacs+ query fails (the server is unreachable; an incorrect password is a rejection, not a failure, and does not fall through) is the local user database used.
then apply the method list to the interface / line as needed. here is an example
line vty 0 4
login authentication My-Method

here I am applying the My-Method method list created earlier to VTY lines 0-4. this has the effect of challenging telnet sessions to the router with whatever authentication methods exist in the My-Method method list.

*be careful when configuring AAA for the first time. you can easily lock yourself out of the router by enabling AAA authentication without configuring any users. keep your current console session open while you test the new method list from a second session, and make sure every list ends in a fallback (such as local with a configured user) that still works when the AAA servers are unreachable.
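The difference between "the server said no" and "the server did not answer" is the whole point of the method list, and it is also what causes the lock-out warned about above. The following is an added example, not from these notes, that simulates a login method list such as "group tacacs+ local" and statically checks a configuration for lock-out risks. The semantics modelled are: a method that cannot be reached returns an error and the next method is tried; a rejection is final; a local database that does not contain the user is treated as an error so the next method is consulted. The server address, user names and passwords are constructed for the example.

```python
"""Simulate how an IOS login method list such as
"aaa authentication login My-Method group tacacs+ local" picks a method,
and check a configuration for the lock-out the warning above describes.

Added example (not from these notes). Failure semantics modelled here:
ERROR (method unreachable) -> try the next method; FAIL (rejected) -> final;
a local database without the user -> ERROR. Hosts, users and passwords are
constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"      # credentials rejected: stop here
    ERROR = "error"    # method unavailable: try the next one


@dataclass
class AaaServer:
    host: str
    reachable: bool
    users: Dict[str, str]  # username -> password known to the server


@dataclass
class Device:
    local_users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, List[AaaServer]] = field(default_factory=dict)  # "tacacs+" -> servers
    method_lists: Dict[str, List[str]] = field(default_factory=dict)  # "My-Method" -> methods


def run_method(dev: Device, method: str, user: str, password: str) -> Result:
    if method.startswith("group "):
        for srv in dev.groups.get(method[6:], []):   # servers are queried in order
            if not srv.reachable:
                continue
            return Result.PASS if srv.users.get(user) == password else Result.FAIL
        return Result.ERROR                           # every server unreachable
    if method == "local":
        if user not in dev.local_users:
            return Result.ERROR
        return Result.PASS if dev.local_users[user] == password else Result.FAIL
    if method == "none":
        return Result.PASS                            # no authentication at all
    raise ValueError("method not modelled: " + method)


def authenticate(dev: Device, list_name: str, user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the method list; returns (allowed, trace of what each method said)."""
    trace = []
    for method in dev.method_lists[list_name]:
        r = run_method(dev, method, user, password)
        trace.append("%s -> %s" % (method, r.value))
        if r is Result.PASS:
            return True, trace
        if r is Result.FAIL:
            return False, trace
    return False, trace       # every method errored: nobody gets in


def lockout_risks(dev: Device) -> List[str]:
    """Static check of the method lists for ways to lock yourself out (or let anyone in)."""
    risks = []
    for name, methods in dev.method_lists.items():
        if "none" in methods:
            risks.append("%s: 'none' lets anyone in" % name)
        if all(m.startswith("group ") for m in methods):
            risks.append("%s: no fallback when AAA servers are unreachable" % name)
        if "local" in methods and not dev.local_users:
            risks.append("%s: 'local' fallback has no username configured" % name)
    return risks


def demo_device(server_up: bool, with_local_user: bool) -> Device:
    """Constructed device: one TACACS+ server and the My-Method list from the notes."""
    tac = AaaServer("10.0.0.5", server_up, {"joe": "server-pw"})
    dev = Device(groups={"tacacs+": [tac]}, method_lists={"My-Method": ["group tacacs+", "local"]})
    if with_local_user:
        dev.local_users["admin"] = "local-pw"
    return dev
```

Run `lockout_risks` on the intended configuration before applying the list to the VTY lines: the case that bites in practice is the third one, a list that names "local" on a device where no username has been created yet.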

a multilayer switch is a switch that can also do layer 3 routing and some tasks of the layers above.

Layer 3 switching means routing at approximately the speed of switching. high-end Cisco layer 3 switches can now perform this second function at the same speed as the layer 2 switching function.

most multilayer switches today have no visible router module; the routing ability is built into the supervisor (CPU) module. older chassis-based switches can become multilayer switches with a Multilayer Switch Feature Card (MSFC) module. on that kind of switch you reach the router OS with the "session slot-number" command, where slot-number is the slot the module is installed in; you can find this number with the "show module" command.

with a multilayer switch, inter-VLAN routing can be done by the switch itself. this is done by creating a Switched Virtual Interface (SVI) for each VLAN with the command
interface vlan vlan-number

different series of Cisco multilayer switches give different features and flexibility. you must choose either a switch with limited routing capabilities or a router with limited switching capabilities. 6500 switches have become widely deployed in enterprise environments.

6500 switches come in different sizes, from 3 slots up to 13 slots. the 6500 has many modules that make it very expandable: Firewall Services Module (FWSM, firewall and security), Content Switching Module (CSM, load balancing) and Network Analysis Module (NAM, network monitoring), all in one chassis.

6500 switches are highly redundant: they support dual power supplies and dual supervisors.
the enhanced chassis type is recognised by the letter E at the end of the series number (6500-E).
enhanced chassis use high-speed fans to cool the power-hungry modules.

Supervisor - over the years different supervisor models have been introduced to offer greater speed and versatility. increased functionality has also been made available via add-on daughter cards.

a daughter card is an add-on for a module.
there are fabric-enabled modules and non-fabric-enabled modules.
line cards (offer connectivity, such as copper or fiber ethernet) and service modules (offer functionality such as FWSM, CSM).

Ethernet Module, provides ethernet connectivity (RJ-45, GBIC), available from 4 ports up to 48 ports with speeds up to 1000 Mb/s, and even a 96-port RJ-21 connector module supporting 10/100 Mb/s.

*Firewall Services Module (FWSM), provides firewall services just like a PIX.

*Content Switching Module (CSM), provides load balancing.

Network Analysis Module (NAM), packet capture and traffic monitoring. it is controlled through a web browser, which can be tedious when looking at a large amount of traffic.

*Intrusion Detection System Module (IDSM), acts like an IDS appliance.

*FlexWAN Module, allows the connection of WAN links such as T1, DS3, OC3.

Communication Media Module (CMM), provides telephony integration (analog telephones, fax machines, modems).

3750 switches
3750 switches are the successor of the 3550 switches. they have the ability to stack (link several switches, usually of the same type, into a single logical switch with a single management IP address; once you telnet or SSH to that IP address you control the whole stack as if it were a single device).

FlexLink supports failover (a pair of links, one primary and one backup). FlexLink is used on switches where you don't want to run STP.

Port Security. you can specify which MAC addresses are allowed or denied the right to use a port.


Serial PPP

computers use relatively short parallel connections between internal components, but use a serial bus for most external communications.

Serial : sends information across one wire, one data bit at a time. the 9-pin serial connector on most PCs uses two loops of wire, one in each direction, for data, plus additional wires to control the flow of information.
Parallel : sends the bits over several wires simultaneously. the 25-pin parallel port on a PC has eight data-carrying wires to carry 8 bits at once.

theoretically a parallel connection is 8 times faster than a serial one, but in reality parallel connections have some problems:
Clock Skew : the bits of a parallel connection do not all leave the transmitter and arrive at the receiver at the same time; some bits get there later. the receiver must wait until all bits have arrived and synchronise itself with the transmitter.
Cross Talk : because parallel uses more wires, there is a higher probability of data being corrupted by cross talk between them.

three key serial communication standards:
RS-232 - commonly uses a 9-pin (DB-9) connector. the RJ-45 console port on Cisco devices also carries RS-232 signals.
RS-232 pins (DB-9):
pin 1 - Data Carrier Detect (DCD)
pin 2 - Receive Data (RxD), carries data from the serial device to the computer
pin 3 - Transmit Data (TxD), carries data from the computer to the serial device
pin 4 - Data Terminal Ready (DTR), tells the modem that the computer is ready
pin 5 - Signal Ground
pin 6 - Data Set Ready (DSR), indicates that the data set (modem) is on
pin 7 - Request to Send (RTS), requests clearance to send data to the modem
pin 8 - Clear to Send (CTS), acknowledges the RTS signal of the computer
pin 9 - Ring Indicator (RI), indicates receipt of a telephone ring signal
V.35 - typically used for modem-to-multiplexer communication. an ITU standard for high-speed synchronous data exchange that combines the bandwidth of several telephone circuits. in the US, V.35 is the interface standard used by most routers and DSUs that connect to T1 carriers.
HSSI - High-Speed Serial Interface, supports transmission rates up to 52 Mb/s. commonly used to connect routers on LANs to WANs over high-speed lines such as T3.

TDM (time-division multiplexing) slices time into small intervals (slots) so that one link carries bits from multiple input sources.
T1/E1 and ISDN telephone lines are common examples of synchronous TDM.

Statistical time-division multiplexing (STDM): channels compete for free slots (in plain TDM, when a channel has nothing to send its slot goes empty, wasting capacity). because slots are no longer fixed, STDM requires each transmission to carry identification information.
note that SONET is a synchronous TDM hierarchy, not STDM; packet- and cell-based technologies such as Frame Relay and ATM are the ones that multiplex statistically.

Telco hierarchy (24 DS0 channels are multiplexed into one DS1/T1)
DS0 - 64 kb/s
DS1 - 1.544 Mb/s (24 DS0)
DS1C - 3.152 Mb/s (2 DS1, 48 DS0)
DS2 - 6.312 Mb/s (4 DS1, 96 DS0)
DS3 - 44.736 Mb/s (7 DS2, 28 DS1, 672 DS0)

DTE : the end of the CPE, usually a router.
DCE : the end on the WAN provider's side, usually a modem or CSU/DSU. the device that converts the user data received from the DTE into the form acceptable to the WAN; it is responsible for providing the clocking signal.

there are times when you want to connect two DTE devices (such as routers, computers, terminals or printers) directly without a DCE. a special cable called a null modem cable eliminates the need for a DCE: the Tx and Rx lines are crossed over inside the cable. remember that one of the devices must still provide the clocking signal, so one of them has to act as the DCE (the DCE is the device on the end of the cable with the female connector; on a Cisco router that interface gets the "clock rate" command).

the Universal Asynchronous Receiver/Transmitter (UART) is a chip on the PC motherboard that converts the parallel stream of bits into a serial stream and vice versa, to support communication with external devices such as modems, because most data flow inside a PC is in parallel form.

Cisco has introduced a Smart Serial cable for the serial interfaces on most of its routers. the Smart Serial interface is smaller (thinner) and has 26 pins, compared with the older DB-60 connector.

WAN Encapsulation
on each WAN connection data is encapsulated; the encapsulation depends on the technology used for the WAN connection.
HDLC - the default encapsulation for point-to-point, dedicated links and circuit-switched connections when the link is between two Cisco devices.
PPP - provides router-to-router and host-to-host connections over synchronous and asynchronous circuits. PPP works with several layer 3 protocols (IP, IPX) and has built-in authentication mechanisms (CHAP, PAP; PAP sends the password in clear text, so prefer CHAP).
SLIP - Serial Line Internet Protocol. a standard point-to-point protocol for serial connections using TCP/IP. SLIP has been largely replaced by PPP.
X.25 - uses LAPB (Link Access Procedure, Balanced) encapsulation.
Frame Relay - industry-standard form of packet-switched WAN connection, the successor of X.25.
ATM - international standard for cell relay; data is sent in fixed-length cells. ATM takes advantage of high-speed transmission media such as E3, SONET and T3.

HDLC - a bit-oriented synchronous data link layer protocol developed by ISO (the current HDLC standard is ISO 13239). HDLC defines a layer 2 framing standard that allows flow control and error control through the use of acknowledgements and sequence numbers.
when you transmit frames over synchronous or asynchronous links, remember that those links have no mechanism of their own to mark the beginning or end of a frame. HDLC uses a frame delimiter, or flag, to mark the beginning and the end of each frame.
use Cisco HDLC as the point-to-point protocol on leased lines between two Cisco devices. if you are connecting to a non-Cisco device, use synchronous PPP. Cisco HDLC is proprietary (it adds a protocol-type field to the standard frame) and has no authentication, which is another reason to use PPP with CHAP when the other end is not under your control.
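The flag only works as a delimiter because the sender guarantees it can never appear inside a frame: HDLC inserts a 0 after every five consecutive 1s in the frame body (bit stuffing), so the six-1s flag pattern 01111110 is only ever seen at a boundary. The following is an added example, not code from these notes, that builds and parses HDLC frames this way and covers the error-control side with the 16-bit frame check sequence used by HDLC/X.25 (CRC-16/X-25). Bits are sent least significant bit first, as on the wire. The address and control values in the demo are this example's assumptions.

```python
"""HDLC framing: flags, bit stuffing and the frame check sequence.

Added example (not from these notes). Shows why the 01111110 flag can delimit
frames on a link with no framing of its own: a 0 is stuffed after every five
consecutive 1s in the body, so six 1s can only occur at a frame boundary.
Error control uses the 16-bit FCS of HDLC/X.25 (CRC-16/X-25). The address
and control values used in tests are assumptions, not taken from the notes.
"""
from typing import List, Optional

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]   # 0x7E, sent least significant bit first


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (reflected polynomial 0x8408, init 0xFFFF, final xor 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(bit << i for i, bit in enumerate(bits[k:k + 8])))
    return bytes(out)


def bit_stuff(bits: List[int]) -> List[int]:
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b else 0
        if ones == 5:
            out.append(0)     # stuffed zero: the receiver drops it again
            ones = 0
    return out


def bit_destuff(bits: List[int]) -> List[int]:
    out, ones, i = [], 0, 0
    while i < len(bits):
        b = bits[i]
        out.append(b)
        ones = ones + 1 if b else 0
        if ones == 5:
            if i + 1 < len(bits) and bits[i + 1] == 0:
                i += 1        # skip the stuffed zero
                ones = 0
            else:
                raise ValueError("six 1s inside a frame: flag or abort sequence")
        i += 1
    return out


def build_frame(address: int, control: int, payload: bytes) -> List[int]:
    body = bytes([address, control]) + payload
    fcs = crc16_x25(body)
    body += bytes([fcs & 0xFF, fcs >> 8])            # FCS low byte first
    return FLAG + bit_stuff(bytes_to_bits(body)) + FLAG


def find_flag(bits: List[int], start: int) -> int:
    for i in range(start, len(bits) - 7):
        if bits[i:i + 8] == FLAG:
            return i
    return -1


def parse_frame(bits: List[int]) -> Optional[dict]:
    """Return the first well-formed frame in the bit stream, or None if it is damaged."""
    opening = find_flag(bits, 0)
    closing = find_flag(bits, opening + 8) if opening >= 0 else -1
    if closing < 0:
        return None
    try:
        body = bits_to_bytes(bit_destuff(bits[opening + 8:closing]))
    except ValueError:
        return None
    if len(body) < 4:
        return None
    data, fcs = body[:-2], body[-2] | (body[-1] << 8)
    if crc16_x25(data) != fcs:
        return None
    return {"address": data[0], "control": data[1], "payload": data[2:]}
```

A payload of 0xFF bytes, or one containing the flag byte 0x7E itself, survives the round trip because stuffing breaks every run of six 1s; flipping any bit of the body makes either the stuffing rule or the FCS reject the frame, which is the "error control" the notes refer to.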