
Scott Empson and Hans Roth

"CCNP ISCW Portable Command Guide"


The content must be written, the graphics drawn, each section verified technically, each part massaged in editing, the presentation layout manipulated and re-edited, and the pre- and post-press work completed, including the many marketing efforts. Of course, this process includes the organization and patience of the editor and editorial staff. Certainly, the writing part is only one effort in a large collection of efforts.

To the Cisco Press team, thank you for your patience and guidance—especially you, Mary Beth.

To the technical reviewer, Neil Lovering—thanks.

Lastly I would like to thank my colleague in education and cowriter, Scott Empson. Scott's boundless energy has helped me refocus when I needed to. Scott's positive attitude, tempered with his vast experience in education and technical areas, was an excellent rudder to help me stay on course. Finally, Scott's experience with the process of writing for Cisco Press saved me from many of the "newbie" writer foibles. Thank you Scott for freely sharing your experience with me.
Contents at a Glance
Introduction xv
Chapter 1 Network Design Requirements 1
Chapter 2 Connecting Teleworkers 3
Chapter 3 Implementing Frame Mode MPLS 23
Chapter 4 IPsec VPNs 33
Chapter 5 Cisco Device Hardening 71
Chapter 6 Cisco IOS Threat Defense Features 139
Appendix Create Your Own Journal Here 175
Contents
Introduction xv
Chapter 1 Network Design Requirements 1
Cisco Service-Oriented Network Architecture 1
Cisco Enterprise Composite Network Model 2
Chapter 2 Connecting Teleworkers 3
Configuration Example: DSL Using PPPoE 3
Step 1: Configure PPPoE (External Modem) 5
Virtual Private Dial-Up Network (VPDN) Programming 5
Step 2: Configure the Dialer Interface 6
For Password Authentication Protocol (PAP) 7
For Challenge Handshake Authentication Protocol (CHAP) 7
Step 3: Define Interesting Traffic and Specify Default Routing 7
Step 4a: Configure NAT Using an ACL 8
Step 4b: Configure NAT Using a Route Map 9
Step 5: Configure DHCP Service 10
Step 6: Apply NAT Programming 10
Step 7: Verify a PPPoE Connection 11
Configuring PPPoA 11
Step 1: Configure PPPoA on the WAN Interface (Using Subinterfaces) 12
Step 2: Configure the Dialer Interface 13
For Password Authentication Protocol (PAP) 13
For Challenge Handshake Authentication Protocol (CHAP) 13
Step 3: Verify a PPPoA Connection 14
Configuring a Cable Modem Connection 15
Step 1: Configure WAN Connectivity 16
Step 2: Configure Local DHCP Service 17
Step 3: Configure NAT Using a Route Map 18
Step 4: Configure Default Routing 18
Step 5: Apply NAT Programming 19
Configuring L2 Bridging Using a Cisco Cable Modem HWIC 19
Step 1: Configure Global Bridging Parameters 19
Step 2: Configure WAN to LAN Bridging 20
Configuring L3 Routing Using a Cisco Cable Modem HWIC 20
Step 1: Remove Bridge Group Programming from All Interfaces 21
Step 2: Configure LAN Connectivity 21
Step 3: Configure WAN Connectivity 21
Chapter 3 Implementing Frame Mode MPLS 23
Configuring Cisco Express Forwarding 23
Verifying CEF 24
Troubleshooting CEF 24
Configuring MPLS on a Frame Mode Interface 25
Configuring MTU Size in Label Switching 26
Configuration Example: Configuring Frame Mode MPLS 27
R1 Router 27
R2 Router 28
R3 Router 30
Chapter 4 IPsec VPNs 33
Configuring a Teleworker to Branch Office VPN Using CLI 34
Step 1: Configure the ISAKMP Policy (IKE Phase 1) 35
Step 2: Configure Policies for the Client Group(s) 35
Step 3: Configure the IPsec Transform Sets (IKE Phase 2, Tunnel Termination) 36
Step 4: Configure Router AAA and Add VPN Client Users 36
Step 5: Create VPN Client Policy for Security Association Negotiation 37
Step 6: Configure the Crypto Map (IKE Phase 2) 37
Step 7: Apply the Crypto Map to the Interface 38
Step 8: Verify the VPN Service 38
Configuring IPsec Site-to-Site VPNs Using CLI 39
Step 1: Configure the ISAKMP Policy (IKE Phase 1) 39
Step 2: Configure the IPsec Transform Sets (IKE Phase 2, Tunnel Termination) 40
Step 3: Configure the Crypto ACL (Interesting Traffic, Secure Data Transfer) 40
Step 4: Configure the Crypto Map (IKE Phase 2) 41
Step 5: Apply the Crypto Map to the Interface (IKE Phase 2) 42
Step 6: Configure the Firewall Interface ACL 42
Step 7: Verify the VPN Service 42
Configuring IPsec Site-to-Site VPNs Using SDM 43
Configuring GRE Tunnels over IPsec 46
Step 1: Create the GRE Tunnel 46
Step 2: Specify the IPsec VPN Authentication Method 47
Step 3: Specify the IPsec VPN IKE Proposals 47
Step 4: Specify the IPsec VPN Transform Sets 48
Step 5a: Specify Static Routing for the GRE over IPsec Tunnel 49
Step 5b: Specify Routing with OSPF for the GRE over IPsec Tunnel 49
Step 6: Enable the Crypto Programming at the Interfaces 50
Configuring a Static IPsec Virtual Tunnel Interface 50
Step 1: Configure EIGRP AS 1 51
Step 2: Configure Static Routing 51
Step 3: Create IKE Policies and Peers 52
Step 4: Create IPsec Transform Sets 54
Step 5: Create an IPsec Profile 54
Step 6: Create the IPsec Virtual Tunnel Interface 55
Configuring High Availability VPNs 56
Step 1: Configure Hot Standby Routing Protocol Configuration on HSRP1 58
Step 2: Configure Site-to-Site VPN on HSRP1 59
HSRP1 Configuration 59
Tunnel Traffic Filter 59
Key Exchange Policy 60
Addressing, Authentication Credentials, and Transform Set 60
IPsec Tunnel 60
HSRP2 Configuration 61
Tunnel Traffic Filter 61
Key Exchange Policy 61
Addressing, Authentication Credentials, and Transform Set 61
IPsec Tunnel 61
Step 3: Add Programming for Crypto Redundancy Configuration 62
Step 4: Define the Interdevice Communication Protocol (HSRP1 and HSRP) 63
Step 5: Apply the Programming at the Interface 65
Configuring Easy VPN Server Using Cisco SDM 65
Implementing the Cisco VPN Client 69
Chapter 5 Cisco Device Hardening 71
Disabling Unneeded Services and Interfaces 72
Disabling Commonly Configured Management Services 74
Disabling Path Integrity Mechanisms 74
Disabling Features Related to Probes and Scans 75
Terminal Access Security 75
Gratuitous and Proxy Address Resolution Protocol 76
Disabling IP Directed Broadcasts 76
Locking Down Routers with AutoSecure 76
Optional AutoSecure Parameters 82
Locking Down Routers with Cisco SDM 83
SDM Security Audit Wizard 83
One-Step Lockdown 88
Setting Cisco Passwords and Password Security 90
Securing ROMMON 94
Setting a Login Failure Rate 95
Setting Timeouts 97
Setting Multiple Privilege Levels 97
Configuring Banner Messages 98
Role-Based CLI 100
Secure Configuration Files 102
Tips for Using Access Control Lists 103
Using ACLs to Filter Network Traffic to Mitigate Threats 104
IP Address Spoofing: Inbound 104
IP Address Spoofing: Outbound 106
DoS TCP SYN Attacks: Blocking External Attacks 107
DoS TCP SYN Attacks: Using TCP Intercept 108
DoS Smurf Attacks 109
Filtering ICMP Messages: Inbound 110
Filtering ICMP Messages: Outbound 111
Filtering UDP Traceroute Messages 112
Mitigating Dedicated DoS Attacks with ACLs 113
Mitigating TRIN00 114
Mitigating Stacheldraht 115
Mitigating Trinity v3 117
Mitigating SubSeven 118
Configuring an SSH Server for Secure Management and Reporting 121
Configuring Syslog Logging 122
Configuring an SNMP Managed Node 123
Configuring NTP Clients and Servers 125
Configuration Example: NTP 127
Winnipeg Router (NTP Source) 127
Brandon Router (Intermediate Router) 128
Dauphin Router (Client Router) 128
Configuring AAA on Cisco Routers Using CLI 129
TACACS+ 129
RADIUS 130
Authentication 130
Authorization 131
Accounting 131
Configuring AAA on Cisco Routers Using SDM 132
Chapter 6 Cisco IOS Threat Defense Features 139
Configuring an IOS Firewall from the CLI 139
Step 1: Choose the Interface and Packet Direction to Inspect 140
Step 2: Configure an IP ACL for the Interface 140
Step 3: Set Audit Trails and Alerts 141
Step 4: Define the Inspection Rules 142
Step 5: Apply the Inspection Rules and the ACL to the Outside Interface 143
Step 6: Verify the Configuration 144
Troubleshooting the Configuration 145
Configuring a Basic Firewall Using SDM 145
Configuring an Advanced Firewall Using SDM 149
Verifying Firewall Activity Using CLI 158
Verifying Firewall Activity Using SDM 158
Configuring Cisco IOS Intrusion Prevention System from the CLI 160
Step 1: Specify the Location of the SDF 161
Step 2: Configure the Failure Parameter 161
Step 3: Create an IPS Rule, and Optionally Apply an ACL 162
Step 4: Apply the IPS Rule to an Interface 162
Step 5: Verify the IPS Configuration 163
IPS Enhancements 163
Configuring Cisco IOS IPS from the SDM 165
Viewing Security Device Event Exchange Messages Through SDM 170
Tuning Signatures Through SDM 171
Appendix Create Your Own Journal Here 175
Icons Used in This Book
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions
used in the IOS Command Reference.

