Cisco networking CNET-448


1 Cisco networking CNET-448
Chapter 2: Network Device Management and Security
Prepared by: Sikandar Shah

2 Objectives
The ICND2 topics covered in this chapter include:
Describe common access layer threat mitigation techniques
 a. 802.1x
 b. DHCP snooping
Infrastructure Services
 Configure, verify, and troubleshoot basic HSRP
 a. Priority
 b. Preemption
 c. Version
Infrastructure Maintenance
 Configure and verify device-monitoring protocols
 a. SNMPv2
 b. SNMPv3
 Describe device management using AAA with TACACS+ and RADIUS

3 Mitigating Threats at the Access Layer

4 Access layer threat mitigation techniques
Port security: Restricting a port to a specific set of MAC addresses (a maximum count, static entries, or sticky-learned addresses) is the most common way to defend the access layer against MAC flooding and unauthorized devices.
DHCP snooping: A layer 2 security feature that validates DHCP messages by acting like a firewall between untrusted hosts and trusted DHCP servers. Server-side messages (OFFER, ACK) are only accepted on ports marked trusted, which blocks rogue DHCP servers. The switch builds a DHCP snooping binding database from the DHCP transactions it sees, where each entry includes the MAC address, IP address, lease time, VLAN, and port of the host.
Dynamic ARP inspection (DAI): Used together with DHCP snooping, DAI checks every ARP packet arriving on an untrusted port against the IP-to-MAC bindings learned from DHCP transactions and drops packets that do not match, which protects against ARP poisoning (man-in-the-middle on the local segment). Hosts with static addresses need explicit bindings or they will be cut off.
Identity-based networking: Ties together several authentication, access control, and user policy components in order to provide users with only the network services they are entitled to. The IEEE 802.1x standard allows you to implement identity-based networking on wired and wireless hosts: the switch port stays closed until the host (supplicant) has authenticated through the switch (authenticator) to a RADIUS server.
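The four techniques above as one Cisco IOS switch configuration, added here as an example and not taken from the slides. The interface roles (GigabitEthernet0/1 as a host-facing access port, GigabitEthernet0/24 as the uplink toward the DHCP server), VLAN 10, the RADIUS server 192.0.2.10 and its shared secret are assumptions for illustration:

```cisco
! Added example (not from the slides). Gi0/1 = host-facing access port,
! Gi0/24 = uplink toward the DHCP server and the core; VLAN 10, the RADIUS
! server 192.0.2.10 and the shared secret are assumed values.
!
! --- Port security: at most one MAC on the port, learned and saved (sticky) ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
! restrict = drop offending frames and log, but keep the port up (shutdown is the default)
 switchport port-security violation restrict
!
! --- DHCP snooping: only the uplink may send DHCP server messages (OFFER/ACK) ---
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/24
 ip dhcp snooping trust
interface GigabitEthernet0/1
! host ports are untrusted by default; cap client DHCP packets to blunt starvation attacks
 ip dhcp snooping limit rate 15
!
! --- Dynamic ARP inspection: ARP on untrusted ports must match a snooping binding ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
interface GigabitEthernet0/24
 ip arp inspection trust
!
! --- 802.1X: the port stays closed until the RADIUS server accepts the supplicant ---
aaa new-model
radius server NAC
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RadiusSharedSecret
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet0/1
 authentication port-control auto
 dot1x pae authenticator
!
! --- Verify ---
show port-security interface GigabitEthernet0/1
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show dot1x interface GigabitEthernet0/1 details
```

Order matters: enable DHCP snooping before DAI, because DAI drops every ARP packet from an untrusted port whose sender has no entry in the snooping binding table. A host with a static address on VLAN 10 therefore needs a manual binding, for example `ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/2` (MAC, address and port assumed), or it will lose connectivity the moment DAI is turned on.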

5 External Authentication Options
1. RADIUS (Remote Authentication Dial-In User Service)
RADIUS is an open standard that combines authentication and authorization into a single process; accounting is a separate exchange. RADIUS implements a client/server architecture over UDP (ports 1812 and 1813, or the legacy 1645 and 1646), where the network device is the client and the RADIUS server holds the user database. The authentication process has three distinct stages:
 1. The user is prompted for a username and password.
 2. The username and password are sent over the network to the RADIUS server in an Access-Request. Only the password attribute is obfuscated (with an MD5 hash keyed by the shared secret); the rest of the packet, including the username, is clear text.
 3. The RADIUS server replies with Access-Accept, Access-Reject, or Access-Challenge (used to ask the user for more information, for example a one-time code or a password change).

6 External Authentication Options
2. Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ is also a security server protocol. It is Cisco proprietary (later published as RFC 8907), uses TCP port 49, and encrypts the whole packet body rather than just the password. It handles each security aspect separately:
 Authentication includes messaging support in addition to login and password functions.
 Authorization enables explicit control over user capabilities, down to individual commands.
 Accounting supplies detailed information about user activities.
Because authorization is a separate exchange, TACACS+ is the usual choice for per-command authorization and accounting of administrators on network devices, while RADIUS is more common for network access such as 802.1x.
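AAA for administrative access with TACACS+ and local fallback, added here as an example (not from the slides) of the device-management use case listed in the objectives. The server address 192.0.2.20, the shared secret, the server-group and method-list names, and the local fallback account are assumptions:

```cisco
! Added example (not from the slides). TACACS+ server 192.0.2.20, the key,
! the method-list name MGMT and the local account are assumed values.
aaa new-model
!
! Local account used only if no TACACS+ server answers (keep one, or a dead
! server locks every administrator out).
username admin privilege 15 secret LocalFallbackPassphrase
!
tacacs server ISE-TACACS
 address ipv4 192.0.2.20
 key TacacsSharedSecret
 timeout 5
!
aaa group server tacacs+ MGMT-TACACS
 server name ISE-TACACS
!
! Authentication: TACACS+ first, local database only if the group is unreachable
! (a Reject from the server is final and does NOT fall through to local).
aaa authentication login MGMT group MGMT-TACACS local
! Authorization is a separate TACACS+ exchange: the shell itself, then every
! privilege-15 command, including configuration-mode commands.
aaa authorization exec MGMT group MGMT-TACACS local
aaa authorization commands 15 MGMT group MGMT-TACACS local
aaa authorization config-commands
! Accounting: start/stop records for the session plus one record per command.
! RADIUS cannot do per-command authorization or accounting on IOS, which is
! why TACACS+ is preferred for device administration.
aaa accounting exec MGMT start-stop group MGMT-TACACS
aaa accounting commands 15 MGMT start-stop group MGMT-TACACS
!
line vty 0 4
 transport input ssh
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
!
! Verify from the session you already hold before opening a new one:
test aaa group MGMT-TACACS admin TestPassword legacy
show tacacs
show aaa sessions
```

Apply the method lists to the vty lines only after `test aaa group` succeeds, and keep the configuring session open until a second SSH login through the new lists works; if the server is unreachable the `local` keyword is what lets the fallback account in.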

7 SNMP Network Management
SNMP defines a method of communication between networking devices and a central manager. It provides a message format for agents on a variety of devices to communicate with network management stations (NMSs). The management data on each device is organized in a Management Information Base (MIB); the NMS reads or writes that data through the device's agent.
The NMS periodically queries (polls) the SNMP agent on a device via GET messages (the agent listens on UDP port 161) to gather and analyze statistics.
To configure an agent, SET messages are used.
A device running an SNMP agent sends an SNMP trap to the NMS (UDP port 162) if a problem occurs. A trap is unacknowledged; the INFORM operation carries the same information but adds an acknowledgment from the NMS, so the agent can retransmit if none arrives.
SNMPv1 and SNMPv2c authenticate with a community string that crosses the network in clear text, so anyone who can sniff or guess it can read the device, and with a read-write community, reconfigure it.
SNMPv3 adds user-based security: authentication and integrity with HMAC-MD5 or HMAC-SHA, and encryption (privacy) with DES or AES. MD5 and SHA provide authentication, not encryption; the authPriv level is the one to use.
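The SNMPv2c community setting beside its SNMPv3 authPriv replacement, plus informs versus traps, as an added Cisco IOS example that is not part of the slides. The NMS address 192.0.2.50, the engine ID, the ACL, view, group and user names, and the passphrases are assumptions:

```cisco
! Added example (not from the slides). NMS 192.0.2.50, the engine ID, the ACL,
! view, group and user names and the passphrases are assumed values.
!
! Restrict every SNMP access to the NMS address regardless of version.
ip access-list standard NMS-ONLY
 permit host 192.0.2.50
!
! Weak: SNMPv2c. The community string is the only credential and crosses the
! network in clear text; anyone who captures it can poll (RO) or reconfigure (RW).
! If v2c must stay for an old NMS, keep it read-only and bound to the ACL.
snmp-server community public RO NMS-ONLY
!
! Better: SNMPv3 authPriv. Set the engine ID first; changing it later
! invalidates every user's localized keys and the users must be recreated.
snmp-server engineID local 800000090300AABBCC000101
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access NMS-ONLY
! auth = HMAC-SHA (integrity and authentication); priv = AES-128 (confidentiality)
snmp-server user nmsuser MGMT-GROUP v3 auth sha AuthPassphrase123 priv aes 128 PrivPassphrase123 access NMS-ONLY
!
! Notifications: a trap is fire-and-forget; an inform is acknowledged by the
! NMS and retried, so use informs for anything you cannot afford to miss.
snmp-server enable traps config
snmp-server enable traps snmp authentication linkdown linkup
snmp-server host 192.0.2.50 informs version 3 priv nmsuser config snmp
!
! Verify. "snmp-server user" lines never appear in the running-config; use show snmp user.
show snmp user
show snmp group
show snmp host
show snmp
```

Once the v3 user works from the NMS, remove the v2c line with `no snmp-server community public`; leaving both defined means the weak path is still open.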

8 SNMP

9 Management Information Base (MIB)
A management information base (MIB) is a collection of management information that is organized hierarchically. Each object is named by an object identifier (OID); OIDs are laid out as a tree with different levels assigned by different organizations. For example, 1.3.6.1.2.1.1.5.0 is iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).system(1).sysName(5).0, the device's host name, and everything under 1.3.6.1.4.1.9 belongs to Cisco's private enterprise subtree.

10 Proxy ARP
With proxy ARP, a router answers ARP requests on behalf of hosts it can reach in other subnets, so a host obtains the MAC address of a gateway router that can forward packets for it. The host sends traffic as if the destination device were located on its own network segment. Cisco IOS enables proxy ARP by default on interfaces; disable it with `no ip proxy-arp` where hosts have a correct default gateway, because it masks misconfigured hosts and lets the router reply for addresses it should not be answering for.

11 First Hop Redundancy Protocols (FHRPs)
FHRPs are a group of protocols that allow another router on a LAN to automatically take over if the primary default gateway router fails. They work by presenting a virtual router to all of the clients. The virtual router has its own IP and MAC addresses. The virtual IP address is the address that is configured on each of the host machines as the default gateway. The virtual MAC address is the address that will be returned when an ARP request for the virtual IP is sent by a host.


13 Redundancy Protocol Types
Hot Standby Router Protocol (HSRP): HSRP is a Cisco proprietary protocol that provides a redundant gateway for hosts on a local subnet, but this is not a load-balanced solution: only one router in a group forwards at a time. Up to eight routers can be grouped.
Virtual Router Redundancy Protocol (VRRP): An open standard protocol that functions almost identically to HSRP.
Gateway Load Balancing Protocol (GLBP): Provides a redundant gateway and a true load-balancing solution for routers. GLBP allows a maximum of four forwarding routers in each group. By default, the active virtual gateway (AVG) answers ARP requests for the virtual IP with the virtual MAC of each successive forwarder in turn, using a round-robin algorithm, so hosts are spread across the routers.

14 Hot Standby Router Protocol (HSRP)
HSRP defines a standby group, and each standby group that you define includes the following routers:
 Active router
 Standby router
 Virtual router
 Any other routers that may be attached to the subnet
The standby group will always have at least two routers, one active router and one standby router, that communicate with each other using multicast Hello messages.

15 Virtual IP and MAC address
A virtual router in an HSRP group has a virtual IP address and a virtual MAC address. For HSRP version 1 the 48 bits of the MAC address are divided as follows:
 The first 24 bits identify the vendor (the organizationally unique identifier, or OUI).
 The next 16 bits tell us that the MAC address is a well-known HSRP MAC address.
 The last 8 bits of the address are the hexadecimal representation of the HSRP group number.
Example: 0000.0c07.ac0a
 0000.0c  OUI (Cisco)
 07.ac    well-known HSRP identifier
 0a       HSRP group number (group 10)
HSRP version 2 uses a different range, 0000.0c9f.f000 to 0000.0c9f.ffff, with the group number in the last 12 bits (group 10 becomes 0000.0c9f.f00a).

16 HSRP Timers
Hello timer: The interval at which each of the routers sends out Hello messages. The default interval is 3 seconds, and the Hellos identify the state that each router is in.
Hold timer: The interval the standby router uses to determine whether the active router is offline or out of communication. By default, the hold timer is 10 seconds.
Active timer: Monitors the state of the active router. The timer resets each time a router in the standby group receives a Hello packet from the active router.
Standby timer: Monitors the state of the standby router.

17 HSRP Interface Tracking
Interface tracking gives HSRP information about the links to the upstream network or the Internet connection of the HSRP-enabled routers. Routers configured with HSRP have a default priority of 100. When a tracked interface on the active router goes down, that router's priority is decremented (by 10 unless another value is configured). The standby router takes over and becomes active only if its own priority is now higher and it has preemption enabled; without preempt, the lowered priority changes nothing until the active router itself fails.


19 HSRP States
Initial (INIT): HSRP is not running. This state is entered through a configuration change or when an interface first becomes available.
Learn: The router has not yet determined the virtual IP address and has not yet seen an authenticated Hello message from the active router; it still waits to hear from the active router.
Listen: The router knows the virtual IP address, but it is neither the active router nor the standby router; it listens for Hello messages from those routers.
Speak: The router sends periodic Hello messages and actively participates in the election of the active and/or standby router.
Standby: The router is a candidate to become the next active router and sends periodic Hello messages.
Active: The router currently forwards packets that are sent to the group's virtual MAC address.

20 HSRP Load Balancing
HSRP can be configured to use more than one router at a time by assigning different groups to different VLANs. This means that each router can be the active default gateway for different VLANs, but you still can have only one active router per VLAN.

21 HSRP Troubleshooting
In the output of the show standby command you can see the virtual IP and MAC address, the timers, the local router's state, and which router is active. Common reasons peers fail to form a group:
 Different HSRP virtual IP addresses configured on the peers
 Different HSRP groups configured on the peers
 Different HSRP versions configured on the peers, or HSRP traffic blocked between them
 Mismatched authentication between the peers
HSRPv1 uses multicast address 224.0.0.2, UDP port 1985. HSRPv2 uses multicast address 224.0.0.102, UDP port 1985.
HSRP authentication defaults to the plaintext string "cisco". Any host on the subnet can then send Hellos with priority 255 and become the active router, hijacking the default gateway, so configure MD5 authentication on every group.
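The HSRP behaviour described in the slides above (priority, preemption, version, timers, interface tracking, per-VLAN load sharing, MD5 authentication, and the show commands used for troubleshooting) as one added configuration example, not taken from the slides. The two routers R1 and R2, their interface names and addresses, VLANs 10 and 20, the group numbers, the tracking decrement and the MD5 key strings are assumptions:

```cisco
! Added example (not from the slides). R1 and R2 share the gateway for VLAN 10
! (10.10.10.0/24) and VLAN 20 (10.10.20.0/24); Gi0/0 is each router's upstream link,
! Gi0/1 the trunk toward the access switches. All names, addresses and key strings
! are assumed values. R1 is active for group 10, R2 for group 20, so both forward.
!
! ================= R1 =================
! Track the upstream link; the decrement below is larger than the 110-90 priority
! gap, so losing Gi0/0 hands the active role to R2 (this needs preempt on R2).
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 30
 standby 10 timers 1 3
 standby 10 authentication md5 key-string HsrpKeyVlan10
 standby 10 track 1 decrement 30
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 90
 standby 20 preempt
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HsrpKeyVlan20
!
! ================= R2 =================
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 90
 standby 10 preempt
 standby 10 timers 1 3
 standby 10 authentication md5 key-string HsrpKeyVlan10
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 30
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HsrpKeyVlan20
 standby 20 track 1 decrement 30
!
! Virtual MACs: with version 1 these groups would use 0000.0c07.ac0a (group 10 = 0x0a)
! and 0000.0c07.ac14 (group 20 = 0x14); version 2 puts the group in the last 12 bits
! of 0000.0c9f.f000, giving 0000.0c9f.f00a and 0000.0c9f.f014.
!
! Verify on both routers: group number, version, virtual IP, timers and key must all
! match, and the multicast address differs by version (224.0.0.2 for v1, 224.0.0.102
! for v2), so a version mismatch means the peers never see each other's Hellos.
show standby brief
show standby GigabitEthernet0/1.10
show track 1
debug standby events
```

The `preempt delay minimum 30` on the preferred router makes it wait 30 seconds after coming back up before reclaiming the active role, so its routing table has converged before hosts' traffic returns to it; the hello/hold timers of 1 and 3 seconds cut failover time from the 10-second default hold at the cost of more Hello traffic.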

22 Study Resources
Further study links:
 Read through the Exam Essentials section together in class.
 Open your books and go through all the written labs and the review questions. Review the answers in class.
 on-a-cisco-router-or-switch/
 vice/7_1_2/admin/Serviceability/sasnmdes.pdf

