Chapter 11 – Sections & Objectives

• 11.1 Network Design
  • Identify the devices used in a small network.
  • Identify the protocols used in a small network.
  • Explain how a small network serves as the basis of larger networks.
• 11.2 Network Security
  • Explain why security measures are necessary on network devices.
  • Identify security vulnerabilities.
  • Identify general mitigation techniques.
  • Configure network devices with device hardening features to mitigate security threats.
  • Apply the commands to back up and restore an IOS configuration file.
• 11.3 Basic Network Performance
  • Use the output of the ping command to establish relative network performance.
  • Use the output of the tracert command to establish relative network performance.
  • Use show commands to verify the configuration and status of network devices.
  • Use host and IOS commands to acquire information about network devices.
• 11.4 Network Troubleshooting
  • Apply troubleshooting methodologies to resolve problems
  • Troubleshoot interface and cable issues
  • Troubleshoot client connectivity issues involving DNS

11.1 Network Design

Network Design Devices in a Small Network

• • Small Network Topologies
    • Comprises one router, a couple of switches, and the user PCs.
    • Access to Internet through a single WAN link, cable or DSL.
    • Management usually by a third party company.

• • Device Selection for a Small Network
    • Security, QoS, VoIP, L3 switching, NAT, and DHCP

• • IP Addressing for a Small Network
    • Address space is a crucial component of a network design.
    • All devices connected to the network require an address.
    • The address scheme must be planned, documented, and maintained.
    • Address space documentation can be very useful for:
    • Troubleshooting and control
    • Address documentation is also very important when controlling resource access.

• Redundancy in a Small Network
  • A network should reliable by design.
  • Network failures are usually very costly.
  • Redundancy increases reliability by eliminating single points of failure.
  • Network redundancy can be achieved by duplicating network equipment and links.
  • A good example is a network’s link to the Internet or to a server farm.

  

• Traffic Management
  • Traffic type and patterns are should also be considered when designing a network.
  • A good network design categorizes traffic according to priority.

  

Small Network Applications and Protocols

• • Common Applications
    • Network Applications
      • Used to communicate over the network.
      • Email clients and web browsers are examples of this type of application.
    • Application Layer Services
      • Programs that interface with the network and prepare the data for transfer.
      • Each service uses protocols, which define the standards and data formats to be used.
  • Common Protocols
    • Processes on either end of a communication session
    • How messages are sent and the expected response
    • Types and syntax of messages
    • Meaning of informational fields
    • Interaction with the next lower layer
  • Voice and Video Applications
    • Infrastructure
    • VoIP
    • IP Telephony
    • Real-time Applications

Scale to Larger Networks

• • Small Network Growth
    • To scale a network, several elements are required:
      • Network documentation
      • Device inventory
      • Budget
      • Traffic analysis

• • Protocol Analysis
    • Understand the protocols in use in the network.
    • Protocol analyzers are tools designed to help in that task.
    • Capture traffic in high-utilization times and in different locations of the network.
    • Analysis results allow for more efficient way to manage traffic.

• Employee Network Utilization
  • Be aware of how network use is changing.
  • A network administrator can create in-person IT snapshots” of employee application utilization.

11.2 Network Security

Security Threats and Vulnerabilities

• Types of Threats
  • Digital intrusion can be costly.
  • Intruders can gain access through software vulnerabilities, hardware attacks, or stolen credentials.
  • Common types of digital threats include those listed in this graphic.
• Physical Security
  • Hardware
  • Environmental
  • Electrical
  • Maintenance
• Types of Vulnerabilities
  • Three primary vulnerabilities: technological, configuration, and security policy
  • Endpoints can be under attack ,such as servers and desktop computers.
  • Any of these three vulnerabilities can be exploited and used in attacks.

Network Attacks

• • Types of Malware
    • Viruses
    • Worms
    • Trojan Horses

• • Reconnaissance Attacks
    • Discovery and mapping of systems and services
    • Acquire enough information on the target system or network to facilitate the search for vulnerabilities.
    • Common tools rely mostly on free and public Internet services, such as DNS and Whois.
    • Port-scanners and packet sniffers are also commonly used in reconnaissance.
  • Access Attacks
    • Password Attacks
    • Trust Exploitation
    • Port Redirection
    • Man-in-the-Middle

• • Denial of Service Attacks
    • Although simple, DoS attacks are still dangerous.
    • Prevent authorized people from using a service by consuming system resources.
    • Prevent DoS attacks by applying the latest security updates.
    • Common DoS Attacks:
      • Ping of Death
      • SYN Flood
      • DDoS
      • Smurf Attack

Network Attack Mitigation

• Backup, Upgrade, Update, and Patch
  • Keeping up-to-date with the latest developments
  • Enterprises need to keep current with the latest versions of antivirus software.
  • Patches for all known vulnerabilities must be applied.
  • A central patch server for managing a large number of servers and systems.
  • Patches should be installed without user intervention.
• Authentication, Authorization, and Accounting
  • AAA services provide access control on a network device.
    • Authentication – access a resource
    • Authorization – what they can do
    • Accounting – actions performed while accessing the resource
  • The AAA framework can be very helpful when mitigating network attacks.
• Firewalls
  • A firewall controls the traffic and helps prevent unauthorized access
  • Techniques for determining what is permitted or denied access to a network include:
    • Packet filtering
    • Application filtering
    • URL filtering
    • Stateful packet inspection (SPI)
• Endpoint Security
  • Common endpoints are laptops, desktops, servers, smartphones, and tablets.
  • Securing endpoint devices is challenging.
  • Employees need to be trained on proper use of the network.
  • Policies often include the use of antivirus software and host intrusion prevention.
  • More comprehensive endpoint security solutions rely on network access control.

Device Security

• Device Security Overview
  • Default settings are dangerous because they are well-known.
  • Cisco routers have the Cisco AutoSecure feature.
  • In addition, the following apply for most systems:
    • Change default usernames and passwords immediately
    • Restrict access to system resources to authorized individuals only.
    • Turn off unnecessary services.
    • Update any software and install any security patches prior to production operation.
• Passwords
  • Use strong passwords. A strong password has/is:
    • At least 8 characters, preferably 10 or more
    • A mix of uppercase and lowercase letters, numbers, symbols, and spaces.
    • No repetition, no common dictionary words, no letter or number sequences, no usernames, relative, or pet names, and no other easily identifiable pieces of information
    • Misspelled words
    • Changed often
  • Cisco routers support the use of a phrase made of many words, which is called a passphrase.
• Basic Security Practices
  • Strong passwords are only as useful as they are secret.
  • The service password-encryption command encrypts the passwords in the configuration.
  • The security passwords min-length command ensures all configured passwords have a minimum specified length.
  • Blocking several consecutive login attempts helps minimize password brute-force attacks.
  • login block-for 120 attempts 3 within 60 will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
  • exec timeout automatically disconnect idle users on a line
• Enable SSH
  • Telnet is not secure.
  • It is highly recommended to use SSH for remote shell protocol.
  • To configure a Cisco device to support SSH takes four steps:
    • Step 1. Ensure that the router has a unique hostname and a IP domain name.
    • Step 2. Generate the SSH keys.
    • Step 3. Create a local username.
    • Step 4. Enable vty inbound SSH sessions.
  • The router can now be remotely accessed only by using SSH.

11.3 Basic Network Performance

The ping Command

• Interpreting Ping Results
  • Using the ping command is an effective way to test connectivity.
  • Use the Internet Control Message Protocol (ICMP) to verify Layer 3 connectivity.
  • Help to identify the source of the problem.
  • What do these common ping indicators tell you?
    – !  . U
  • Extended Ping
    – Allows for more options
• Network Baseline
  • Built over a period of time.
  • Saved results from commands, such as ping or trace, along with error messages an response times
  • Time stamped for later comparison.
  • Increased response time could indicate latency issue.

The traceroute and tracert Command

• Interpreting Trace Message
  • Returns a list of hops as a packet is routed through a network.
  • Use tracert for Windows-based systems.
  • Use traceroute for Cisco IOS and UNIX-based systems.
• Extended Traceroute
  • Allows adjustment of parameters
  • Command terminates when:
    • Destination responds with an ICMP echo reply
    • User interrupts the trace with the escape sequence

Show Commands

• • The Cisco IOS CLI show commands are powerful troubleshoot tools.
  • The show commands display configuration files, checking the status of device interfaces and processes, and verifying the device operational status.
  • The status of nearly every process or function of the router can be displayed using a show command.
  • Some of the more popular show commands are:
    • show running-config
    • show interfaces
    • show arp
    • show ip route
    • show protocols
    • show version

Host and IOS Commands

• • The ipconfig Command
    • Display IP and default gateway information on a Windows-based computer.
    • What do these commands display?
      • ipconfig /all
      • ipconfig /displaydns
  • The arp Command
    • The arp –a command lists all devices currently in the ARP cache of the host.
    • The cache can be cleared by using the arp -d command.

• • The show cdp neighbors Command
    • CDP is a Cisco-proprietary protocol that runs at the data link layer.
    • Two or more Cisco network devices can learn about each other even if Layer 3 connectivity does not exist.
    • CDP can be a security risk.
    • To disable CDP globally, use the global configuration command no cdp run.
    • To disable CDP on an interface, use the interface command no cdp enable.
    • What information does the cdp neighbors details command provide?
  • The show ip interface brief Command
    • Displays a summary of the key information for all the network interfaces on a router.
    • Verify the status of the switch interfaces.

Debugging

• The debug Command
  • Allows the administrator to display
    messages generated by the following
    processes in real-time for analysis:
    • IOS processes
    • Protocols
    • Mechanisms
    • Events
  • undebug all turns off all debug commands
  • What are the available debug commands?
  • What can you do to limit the amount of displayed messages?
• The terminal monitor Command
  • Displays the log messages while connected remotely, such as SSH
  • Stop displaying the log message: terminal no monitor

11.4 Network Troubleshooting

Troubleshooting Methodologies

• Basic Troubleshooting Approaches
  • Identify the Problem
  • Establish a Theory of Probable Causes
  • Test the Theory to Determine Cause
  • Establish a Plan of Action to Resolve the Problem and Implement the Solution
  • Verify Full System Functionality and Implement Preventative Measures
  • Document Findings, Actions, and Outcomes
  • Resolve or Escalate?
• Verify and Monitor Solution
• What IOS commands can you use to verify and monitor the solution?

Troubleshoot Cables and Interfaces

• Duplex Operation
  • Direction of data transmission between two devices
  • Two connected Ethernet network interfaces should operate in the same duplex mode for best performance
• Duplex Mismatch
  • Log messages can indicate duplex mismatches.
  • What IOS commands can you use to determine duplex mismatch?

Troubleshooting Scenarios

• IP Addressing Issues on IOS Devices
  • Manual assignment mistakes
  • DHCP-related issues
  • Which show commands?
• IP Addressing Issues on End Devices
  • 169.254.0.0/16 on Windows-based system
  • ipconfig to verify IP addresses assigned to a Windows-based system
• Default Gateway Issues
  • Unable to communicate outside the network
  • ipconfig to verify default gateway assigned to a Windows-based system
• Troubleshooting DNS Issues
  • ipconfig /all to determine DNS server used
  • nslookup to manually place DNS queries and analyze DNS response

11.5 Chapter Summary

Summary

• Explain how a small network can scale into a larger network.
• Configure switches and routers with device hardening features to enhance security.
• Use common show commands and utilities to establish a relative performance baseline for the network.
• Apply troubleshooting methodologies and command host and IOS commands to resolve problems.
• Explain how a small network of directly connected segments is created, configured, and verifies.

Section 11.2 New Terms and Commands

Section 11.3 New Terms and Commands

Download Slide PowerPoint (pptx):