CCIEIX.fm Page 1048 Tuesday, June 10, 2003 8:11 AM
INDEX
Numerics
3DES (Triple DES) 432, 636
802.1Q tunneling 881
A
AAA 428, 436, 448–449
    configuring on PIX Firewall 581, 583, 585–593
    configuring with RADIUS 569–581
    user account verification 449–451
    VPDN configuration 752–761
access attacks 436
access control lists. See ACLs
access-list command 756
accounting, Tripwire 967
accounts
    locking 965
    root account, modifying 964
ACEs (access control entries) 477
    applying to interfaces 496–497
    entry order 496
    implicit deny statement 495
ACLs (access control lists) 428, 443, 477, 480–483. See also advanced ACLs
    ACEs 477
        entry order 496
        implicit deny statement 495
    applying to interfaces 496, 497, 501
    assigning to vtys 445
    Cisco PIX Firewall configuration 824–826
    configuring 498
    crypto 477
        functions of 477
        implementing 478–479
    defining 495
    defining criteria 498–500
    displaying information 514–515
    IP, testing Layer 4 information 493
    lock-and-key 506–507
        configuring 484–487
    logging 494–495, 511–512
    named extended IP ACLs
        configuring 482
        creating 503
        time range function 483–484
    named MAC extended IP ACLs, configuring 482
    named standard IP ACLs
        configuring 482
        creating 503
    numbered extended IP ACLs
        configuring 481
        creating 502, 503
    numbered standard IP ACLs
        configuring 481
        creating 502
    port, configuring 490, 491
    reflexive 507–511
        configuring 488–489
    router configuration 490
    size limitations 517–518
    time range function
        implementing 504–506
    troubleshooting 516–517
    TurboACL, configuring on PIX Firewall 6.2 850
    unsupported features on Catalyst 3550 switch 518
    VLAN map entries
        creating 513
        removing 514
ACS, password recovery 1011
active routers (HSRP) 527
active state (EIGRP) 250
ActiveX objects, filtering 827
address mapping, configuring on Frame Relay 105–108
address translation, xlates 814
addressing, IS-IS 333
    NSAP format 333–334
    requirements 334–335
adjacencies 328
    configuring on IS-IS 324–325
adjusting MTU packet size 526
administrative distance 398
    configuring on OSPF networks 300–301
advanced ACLs 482–483
    defining 495
    lock-and-key, configuring 484–487, 506–507
    logging 494–495
    port ACLs, configuring 490–491
    reflexive, configuring 488–489, 507–511
    router ACLs
        configuring 490
        VLAN maps 491–492
    size limitations 517–518
advanced RIP configuration 233–235
advanced security features, practice lab 926–931
advanced VPN configuration 718–719
    EIGRP 720–724
    GRE tunnels 720
    loopback interfaces 720
advanced VPN implementation 715
    DMVPN 732–735
        configuring on hub router 736–738
        configuring on spokes 739–740
        IPSec profiles, configuring 735–736
        verifying configuration 741–745
    IPSec VPNs 715
        DMVPNs 716–718
        GREs 716
advertising, default routes 209
AES (Advanced Encryption Standard) 637
aggressive mode (IKE phase 1) 642
AH (authentication header) 428, 634
application inspection, configuring on PIX Firewall 835–836
applying
    ACLs to interfaces 496–497, 501
    patches to Windows 975
applying patches to Solaris 958
area authentication, IS-IS configuration 342
areas
    configuring on OSPF networks 290–292
    NSSA, configuring on OSPF networks 292
assigning
    dialer lists to interface 145
    IP address to PIX Firewall 817–818
    IS-IS to an interface 325–327
    privilege levels to Cisco IOS user accounts 447–448
ATM (asynchronous transfer mode)
    cell headers 183–184
    multiprotocol encapsulation over AAL5, configuring 185–191
    RFC 2225 implementation
        classical IP with PVC 192–193
        classical IP with SVCs 193–194
        configuring 191–193
attacks 436
    DoS
        preventing with CAR 879–880
        preventing with RPF 880, 886
    IP spoofing 831
audit trails 428
auditing, enabling in Windows 976
authentication 428
    AH 634
    EIGRP routing updates 263–264
    IKE phase 1 641–642
    IKE phase 2 642–643
    IS-IS
        configuring 340–345
        troubleshooting 345
    PPP authentication, ISDN configuration 161–164
    PPP multilink, ISDN configuration 165–166
    RIP 216–218
    unidirectional PPP authentication, ISDN configuration 164
authentication proxy on TACACS+ 610–615
    configuring 615–617
authorization 429
Auto Update support, configuring on PIX Firewall 6.2 852–853
automatic metric translations 398
autonomous systems 351
    confederations, configuring 372–377
    configuring BGP through a firewall with prepend 386–393
    private, configuring 377–385
    single-homed, configuring 354–363
    transit, configuring 363–372
autosense feature (LMI) 95
availability 428

B

B channel 134
backup interfaces, ISDN configuration 158–159
banners (motd), changing 965
basic ACLs 480
    extended IP ACLs, configuring 481
    named extended ACLs, configuring 482
    named MAC extended ACLs, configuring 482
    named standard ACLs, configuring 482
    numbered standard IP ACLs, configuring 481
basic OSPF configuration, case study 279–281
    administrative distance 300–301
    area configuration 290–292
    blocking LSA flooding 304–305
    configuring interface parameters 282–283
    creating virtual links 295–297
    demand circuits 302
    DNS lookup 298
    generating default routes 298
    ignoring MOSPF LSAs 305
    logging neighbor adjacency changes 303
    loopback interfaces 298
    nonbroadcast network configuration 288–289
    NSSA configuration 292
    point-to-multipoint broadcast configuration 287–288
    point-to-multipoint nonbroadcast 284–285
    route calculation timers 301
    route summarization 294–295
    simplex interfaces 301
    VLSM support 285
Bc (committed burst) 96
Be (excess burst) 96
BECN (backward explicit congestion notification) 97
BGP (Border Gateway Protocol) 352
    autonomous systems 351
    configuring 353
    configuring through a firewall with AS prepend 386–393
    path determination 352
    updates 353
bgp log-neighbor-changes command 357
bidirectional end-to-end keepalives 101
Bidirectional NAT, configuring on PIX Firewall 6.2 846–847
bits 97
black hats 432
blocking
    LSA flooding 304–305
    LSP flooding on interfaces 335
    RIP updates on interfaces 207
BOOTP server, disabling 453
break sequences, simulating 1013
BRI (basic rate interface) 134
    PPP, configuring 160–161
broadcast queues, configuring on Frame Relay 119
buffer overflow 963

C

C2 security policy, Windows compliance 969
calculating
    EIGRP composite metric 247
    Frame Relay MaxR 97
call setup and teardown, ISDN 138
CAR (committed access rate)
    configuring 882–883
    policies, configuring 884–885
    preventing DoS attacks 879–880
CAs (certificate authorities) 429, 639
    configuring 695–696
        on PIX-to-PIX VPNs 703–710
    IKE phase 1 696–703
Catalyst 3550 switches 467
    802.1Q tunneling 881
    port blocking, configuring 468
    port security, configuring 469–470
    port-based traffic control, verifying 470–472
    protected ports, configuring 468
    storm control, configuring 467
    unsupported IOS ACL-related features 518
CatOS 434–435
CBAC (context-based access control)
    configuring 786–798
    configuring on two interfaces 803–805
    debugging 798–799
    disabling 802
    DoS attack detection error messages 800
    FTP error messages 801
    functionality 784–785
    intrusion detection 783
    Java-blocking error messages 801
    limitations of 783–784
    PAM 806–808
        configuring 808–810
    SMTP attack detection error messages 800–801
    syslog messages, interpreting 799
    traffic filtering 781–782
    traffic inspection 782
    with IPSec 791
CC (Common Criteria) certification, Windows 2000 969
CCIE exam 5–6
    developing good study habits 15–18
    lab exam 9–10
    lab experience versus real-world experience 18–19
    preparing for 13–14
    topics covered 6–9
CDP, disabling 452
CEF (Cisco Express Forwarding), enabling 886
cell headers, ATM 183–184
certifications, CCIE Security exam 5, 6
    lab exam 9–10
    topics covered 6–9
CHAP (Challenge Handshake Authentication Protocol) 161
cipher 429
CIR (committed information rate) 96
Cisco IDS 859–860
    configuring 867–870
    sensors, password recovery 1008–1009
Cisco IOS Firewall
    firewalls, creating 776
    PAM 806–808
        configuring 808–810
Cisco IOS Software 433
    access lists 443
    FTP administration 449
    HTTP administration 442
    limiting connection time 445
    MNLB Forwarding Agent, configuring 535–537
    NTP 441
        configuring 458–463
    password management 442
        assigning privileges 447–448
        creating user accounts 446–447
        enable password 442
        line passwords 443
        privilege levels 442
    remote access, configuring 446
    services
        BOOTP server 453
        CDP 452
        finger server 453
        ICMP messaging 454–455
        IP source routing 454
        IP-directed broadcast 454
        NTP 453
        Proxy ARP 453
        router name and DNS resolution 451
        TCP and UDP small servers 452
        verifying deactivation 455–456
    software configuration register, password recovery 995–1003
    SSH 443
        configuring 464–466
    TCP intercept, configuring 776–781
    Telnet addresses, hiding 449
    user accounts, verifying with AAA 449–451
    vtys, configuring 445–446
Cisco PIX Firewalls 860–861
    ACLs, configuring 824–826
    ActiveX objects, filtering 827
    application inspection, configuring 835–836
    Auto Update support, configuring 852–853
    Bidirectional NAT, configuring 846–847
    Configurable Proxy Pinging 834
    configuring 815, 870–874
    DHCP server configuration 844–846
    Flood Guard 832
    idle timers, configuring 836–837
    IDS signatures 861–867
        configuring 842–844
    inbound connections, resetting 832–833
    interface MTU, configuring 816–817
    IP address, configuring 817–818
    IP spoofing attacks, preventing 831–832
    Java applets, filtering 828
    logging, configuring 838–840
    NAT, configuring 818–819
    NTP, configuring 851
    options, configuring 837–838
    password recovery 1010–1011
    security levels 813
        configuring 815
    SMR, configuring 847–850
    SNMP functions, configuring 841–842
    static NAT, configuring 820–822
    static routes, configuring 822–823
    TurboACL, configuring 850
    URLs, filtering 828–831
    xlates 814
classful routing protocols 398
classical IP, implementing
    with PVCs 192–193
    with SVCs 193–194
clearing IP accounting database 557
combining share permissions and NTFS permissions 980
commands
    access-list 756
    bgp log-neighbor-changes 357
    debug dialer events 174
    debug frame-relay lmi 125–126
    debug isdn events 174–175
    debug isdn q931 177–178
    debug ppp authentication 176–177
    debug ppp multilink 175–176
    debug vtemplate 760
    service resetinbound 833
    show dialer 172–173
    show frame-relay map 125
    show frame-relay pvc 123–125
    show interfaces bri 0/0 169–171
    show ip accounting 548
    show ip nhrp 745
    show isdn active 173
    show isdn status 171–172
    show ppp multilink 173
    show route 823
    show vpdn tunnel 760
    sysopt connection 837
    username password 756
    virtual template 764
    vpdn-template 769
commenting out network services 959–960
conditions 545
confederations, BGP configuration 372–377
confidentiality 428–429
config-register command, password recovery 999–1002
Configurable Proxy Pinging 834
configuration files, renaming 1003–1004
configuring
    AAA 448–449, 569–581
        on PIX Firewall 581–593
    ACLs 498–501
        logging 494–495, 511–512
        time range function 483–484
    advanced security features, practice lab 926–931
    advanced VPNs 718–719
        EIGRP 720–724
        GRE tunnels 720
        loopback interfaces 720
    ATM
        multiprotocol encapsulation over AAL5 185–191
        RFC 2225 191–194
    authentication proxy 615–617
    basic security, practice lab 917–920
    BGP 353
        confederations 372–377
        private autonomous systems 377–385
        single-homed autonomous systems 354–363
        through a firewall with AS prepend 386–393
        transit autonomous systems 363–372
    CAs 695–696
    Catalyst 3550 switches
        port blocking 468
        port security 469–470
        protected ports 468
        storm control 467
    CBAC 786–798
        on two interfaces 803–805
    Cisco IDS 867–870
    Cisco PIX Firewall 815, 870–874
        ACLs 824–826
        ActiveX object filters 827
        as DHCP server 844–846
        Flood Guard 832
        idle timers 836–837
        IDS signatures 842–844
        interface MTU 816–817
        IP address 817–818
        IP spoofing prevention 831–832
        Java applet filters 828
        logging 838–840
        NAT 818–819
        options 837–838
        resetting inbound connections 832–833
        security levels 815
        SNMP functions 841–842
        static NAT 820–822
        static routes 822–823
        URL filters 828–831
    Cisco PIX Firewall 6.2
        Auto Update support 852–853
        Bidirectional NAT 846–847
        NTP 851
        SMR 847–850
        TurboACL 850
    DDR 144
        assigning dialer-list to interface 145
        dialer profiles 147–149
        legacy DDR 146–147
        specifying interesting traffic 144
    dial backup, practice lab 915–917
    DMVPN 732–735
        IPSec profiles 735–736
        on hub router 736–738
        on spokes 739–740
        verifying configuration 741–745
    DRP Server Agent 540–541
    EIGRP 241–243, 253
        default routing 259–261
        distribute lists 261–262
        manual route summarization 258–259
        over GRE tunnels 266–269
        route authentication 263–264
        stub routing 264–265
        WAN connections 254–255
    extended ACLs 481
    Frame Relay 102
        address mapping 105–108
        broadcast queues 119
        encapsulation 103–105
        LMI 108–109
        SVCs 109–113
        TCP/IP header compression 121–122
        traffic shaping 114–119
    Frame Relay switch, practice lab 904–905
    HSRP 541, 542–547
    HTTP servers 456–457
    ICMP redirects 539
    IOS-to-IOS VPNs with IKE phase 1 using CA 696–703
    IP accounting 548
    IPSec VPNs 724–727
        between two IOS routers 644–662
        between two PIX firewalls 671–693
        verifying configuration 728–732
    ISDN 142
        backup interfaces 158–159
        encapsulation 160
        floating static routes 152–154
        interfaces 158
        ISDN callback 166–168
        OSPF demand circuits 155–157
        passive interfaces 151–152
        PPP authentication 161–164
        PPP multilink 165–166
        SPIDs 143–144
        static routing 149–151
        switch type 142–143
        unidirectional PPP authentication 164
    IS-IS
        authentication 340–345
        default routes 337
        hello timer 339
        IP 322–327
        retransmission interval 339
        route redistribution 337–338
    ISP services
        rate limiting 882–885
        RPF 886
    L2VPN
        on router 887
        on switches 889–890
        trunk ports 890–891
        verifying configuration 891–894
    lock-and-key ACLs 484–487, 506–507
    MAC address accounting 530
    mesh groups 336
    named extended ACLs 482
    named extended IP ACLs 503
    named MAC extended ACLs 482, 512–513
    named standard ACLs 482
    named standard IP ACLs 503
    NAT 549–550, 554–555
        dynamic translation 550–551
        overlapping addresses 552–553
        overloading 551
        TCP load distribution 553–554
    NTP 458–463
    numbered extended IP ACLs 502–503
    numbered standard IP ACLs 502
    OSPF 278–281
        ABR Type 3 LSA filtering 310–311
        ABR Type 3 LSAs 310–311
        administrative distance 300–301
        areas 290–292
        default routes 298
        DNS lookup 298
        external route summarization 308
        GRE tunnels 312–314
        inter-area route summarization 306–308
        interface parameters 282–283
        loopback interfaces 298
        LSA flood blocking 304–305
        nonbroadcast networks 288–289
        NSSAs 292
        on simplex interfaces 301
        over demand circuits 302
        point-to-multipoint broadcast 287–288
        point-to-multipoint nonbroadcast 284–285
        route calculation timers 301
        route summarization 294–295, 306
        virtual links 295–297
        VLSM support 285
    PAM 808–810
    passwords 444
    PIX Firewall, remote-access VPNs 593–608
    PIX2, PPTP 766–768
    PIX-to-PIX VPNs with IKE phase 1 using CA 703–710
    port ACLs 490
        VLAN maps 491
    PPP 160–161
    precedence accounting 531
    redistribution 399–401
        between directly connected networks 413–415
        between EIGRP and IGRP autonomous systems 409–412
        between EIGRP autonomous systems 408–409
        between OSPF and RIPv1 407–408
        static routes into EIGRP 412–413
        into OSPF 402
        NSSAs into BGP 405–407
        OSPF into BGP 402–405
        practice lab 915–917
    reflexive ACLs 488–489, 507–511
    remote access on Cisco IOS Software 446
    remote FTP administration 449
    RIP 203
        advanced techniques 233–235
        authentication 216–218
        blocking RIP updates on interfaces 207
        default route advertisement 209
        initial setup 204–206
        over router to PIX 5.2 connection 221–225
        over router to PIX 6.2 connection with authentication 225–231
        route filtering 208
        route summarization 212–215
        specifying version 210–211
        troubleshooting 218–220
    router ACLs 490
    SSH 464–466
    standard ACLs 481
    TACACS+
        PPP callback 621–627
        privilege levels 617–621
    TCP intercept 776–781
    TCP performance parameters 531
        connection attempt time 533
        header compression 532
        maximum read size 534
        maximum window 535
        Path MTU Discovery 533
        selective acknowledgment 534
        time stamps 534
    VPDNs 752
        default group template 768–769
        TACACS+ 761–765
        with local AAA 752–761
    vtys 445–446
confreg command, password recovery 999–1002
congestion control mechanisms, Frame Relay 96–97
    DE 98
    DLCI priority levels 98
    end-to-end keepalives 100–101
    error checking 99
    ForeSight 99–100
    notification methods 100
connected networks, redistribution into OSPF 402
connection time (Cisco IOS), limiting 445
controlling EIGRP routes 261–262
CPE (customer premises equipment) 134–135
creating
    Cisco IOS user accounts 446–447
    customized firewalls 776
    VLAN map entries 513
creating baseline security level in Windows operating systems 972–975
crypto access lists 477
    functions of 477
    implementing 478–479
cryptography 429
D

D channel 134
DAC (Discretionary Access Control) 969
data link layer (OSI), ISDN operation 137
DCEs (data circuit-terminating equipment) 85
DDR (Dial On-Demand Routing) 141
    configuring 144
    dialer lists 141
        assigning to interface 145
    dialer profiles, configuring 146–149
    interesting traffic, configuring 144
    legacy DDR, configuring 142, 146–147
DE (discard eligibility) bit 96–98
debug dialer events command 174
debug frame-relay lmi command 125–126
debug isdn events command 174–175
debug isdn q931 command 177–178
debug ppp authentication command 176–177
debug ppp multilink command 175–176
debug vtemplate command 760
debugging
    CBAC 798–799
    EIGRP in production environment 271
    IS-IS 346–348
decision process, IS-IS state machine 331
default group templates, VPDN configuration 768–769
default routes 203
    advertising 209
    configuring 337
    EIGRP 259–261
    generating on OSPF networks 298
default umask setting, modifying 964
defining ACLs 495
    ACE entry order 496
    implicit deny statement 495
deleting VLAN map entries 514
DES (Data Encryption Standard) 429, 636
desktop operating systems, Windows 969
devices
    CPE 134, 135
    Frame Relay
        DTEs 85
        FRADs, handshake sequence 92
    required equipment for home-based study labs 24–25
    resetting for password recovery 1005–1006
DH (Diffie-Hellman) 429, 638
DHCP servers, configuring on PIX Firewall 844–846
dial backup practice lab 915–917
dialer lists 141
    assigning to interface 145
    dialer-group-number 145
dialer maps, configuring legacy DDR 146
dialer profiles, configuring 146–149
dialer-group-number 145
dialup, VPDNs 749–751
    configuring 752–765
    default group templates, configuring 768–769
digital certificates 430, 639
digital channels (ISDN) 134
digital signatures 430
directly connected networks, redistribution between 413–415
DIS (Designated IS) 327
    election process 331–332
disabling
    CBAC 802
    EIGRP route summarization 256–258
    EIGRP split horizon 269
    IDENT services 832–833
    routing on Solaris systems 965
    services
        BOOTP server 453
        CDP 452
        finger server 453
        ICMP messaging 454–455
        IP source routing 454
        IP-directed broadcast 454
        NTP 453
        Proxy ARP 453
        router name and DNS resolution 451
        TCP and UDP small servers 452
    startup scripts 961
    Stop-A abort sequence 965
displaying
    ACL information 514–515
        resource usage 515
    active accounting database 548
    EIGRP topology table information 248–249
    IP statistics 556–557
    OSPF routing process information 315
    OSPF statistics 315–316
    OSPF update packet pacing 317
distribute lists, controlling EIGRP routes 261–262
DLCI (Data-Link Connection Identifier) 84
    priority levels 98
DMVPNs 716–718
    configuring 732–735
        IPSec profiles 735–736
        on hub router 736–738
        on spokes 739–740
    verifying configuration 741–745
DNS lookup, configuring on OSPF networks 298
domain authentication, IS-IS configuration 343–344
"don't care" masks 481
DoS attacks 436
    half-open sessions 788
    preventing
        with CAR 879–885
        with RPF 880, 886
DRP (Director Response Protocol) Server Agents 527
    configuring 540–541
DTEs (data terminal equipment) 85
DUAL 240, 251–252
Dynamic NHRP 717
dynamic PVCs, configuring 189–190
dynamic routing
    ISDN 152–154
    over IPSec VPNs 718–724
        configuring IPSec parameters 724–727
        verifying configuration 728–732

E

EBGP (external BGP) 352
EEPROM, passwords 966
egress filtering 831
EIGRP (Enhanced IGRP) 240
    composite metric, calculating 247
    configuring 241–243, 253, 720–724
    controlling routes 261–262
    default routing, configuring 259–261
    DUAL 251–252
    feasible successors 250
    features 240
    IGRP interoperability 251
    manual route summarization, configuring 258–259
    neighbor table 244–246
        adjacencies, logging 255
    "not on common subnet" error message 245
    over GRE tunnels, configuring 266–269
    packet format 243
    redistribution
        between autonomous systems 408–409
        into IGRP autonomous system 409–412
        into static routes 412–413
    route authentication, configuring 263–264
    route states 250
    route summarization, disabling 256–258
    route tagging 251
    split horizon, disabling 269
    stub routing, configuring 264–265
    topology table 246–247
        displaying information 248–249
    troubleshooting 270–272
    WAN connections, configuring 254–255
election process of DIS 331–332
enable password 442
enabling
    logging 962
    OSPF 280–281
encapsulation
    configuring on Frame Relay 103–105
    ISDN options 160
encryption
    AES 637
    DH 638
    RSA 639
end-to-end keepalives 100–101
enhanced distance vector protocols, BGP 352
    configuring 353
    path determination 352
    updates 353
entry order (ACEs) 496
equipment list for routing practice lab 911
error checking, CRC 99
error codes, ISDN 983–992
ESP (Encapsulating Security Payload) 430, 635–636
Ethernet, simplex interfaces 527
event logs, enabling in Windows 976
event window 100
exacting 643
exploits, buffer overflow 963
extended ACLs
    configuring 481
    named MAC extended, configuring 512–513
extensions for LMI 92
external route tags, EIGRP 251
external routes
    OSPF 278
    summarization, configuring 308
extranet VPNs 435

F

FAT 977
FAT32 977
feasible successors (EIGRP) 250
features of EIGRP 240
FECN (forward explicit congestion notification) 97
fields
    of EIGRP neighbor table 245
    of Frame Relay frames 84
    of Frame Relay LMI frames 92–93
file and directory auditing, enabling in Windows 976
file systems
    FAT 977
    FAT32 977
    NTFS 977–978
        permissions 978–980
        share-level security 980
files, world-writeable 966
filtering
    ActiveX objects 827
    Java applets 828
    OSPF ABR Type 3 LSA filtering, verifying 316
    OSPF ABR Type 3 LSAs 310–311
    routing information 416–421
    to OSPF neighbors, configuring 311
    URLs 828–831
finger server, disabling 453
firewalls
    Cisco PIX Firewall IDS 860–861
        configuring 870–874
        signatures 861–867
    creating with Cisco IOS Firewall feature set 776
    PIX Firewall
        application inspection 835–836
        Auto Update support 852–853
        Bidirectional NAT 846–847
        Configurable Proxy Pinging 834
        configuring 815–826
        DHCP server configuration 844–846
        filtering ActiveX objects 827
        filtering Java applets 828
        filtering URLs 828–831
        Flood Guard 832
        idle timers 836–837
        IDS signatures, configuring 842–844
        IP spoofing attacks, preventing 831–832
        logging, configuring 838–840
        NTP 851
        options, configuring 837–838
        resetting inbound connections 832–833
        security levels 813
        SMR 847–850
        SNMP, configuring 841–842
        TurboACL 850
        xlates 814
fixup, configuring on PIX Firewall 835–836
flapping routes, resolving 157
floating static routes, ISDN 152–154
Flood Guard 832
flooding 328
    blocking on IS-IS interfaces 335
    mesh groups, configuring 336
ForeSight 99–100
format
    of EIGRP packets 243
    of NSAP addresses 333–334
    of practice labs 901–902
forward process, IS-IS state machine 331
FRADs, handshake sequence 92
fragmentation, IP Path MTU Discovery 525
Frame Relay
    address mapping 105–108
    broadcast queues, configuring 119
    configuring 102
    congestion control mechanisms 96–97
        DE 98
        DLCI priority levels 98
        end-to-end keepalives 100–101
        error checking 99
        ForeSight 99–100
        notification methods 100
    connectivity, troubleshooting 122–126
    DCEs 85
    DTEs 85
    encapsulation, configuring 103–105
    frame fields 84
    fully meshed topologies 87
    LMI 91
        autosense feature 95
        configuring 108–109
        frame format 92–93
        timers 94–95
    NNI 95–96
    partially meshed topologies 87
        subinterfaces 88–89
    PVCs 91
    signaling 91–92
    star topologies 86
    SVCs 90
        configuring 109–113
    TCP/IP header compression 121–122
    traffic shaping, configuring 114–119
FTP (File Transfer Protocol)
    remote administration 449
    services 960
fully meshed topologies, Frame Relay 87
functional groups 134–135
    reference points 135
functionality
    of CBAC 784–785
    of IPSec 640

G

gray hats 432
GRE (generic routing encapsulation) 716
    configuring between OSPF and non-IP networks 312–314
    implementing on EIGRP 266–269
    tunnels, configuring 720
group pacing 303–304

H

half-open sessions 788
handshake sequence on FRADs 92
hello interval (IS-IS), configuring 339
hello packets, EIGRP 243
Hfnetchk 971
hiding Telnet addresses 449
HMAC (Hash-based Message Authentication Code) 430
home-based study labs 22
    planning 23–25
hop count 202
hot fixes, Windows resources 971
HSRP (Hot Standby Router Protocol) 527
    and ICMP redirects 528–530
    configuring 541–547
    verifying support for MPLS VPNs 556
HTTP administration 442
    server configuration 456–457
Hybrid CatOS 434

I

IBGP (interior BGP) 352
ICMP (Internet Control Message Protocol)
    disabling 454–455
    mask reply messages 525
    redirects 524
        and HSRP 528–530
        configuring 539
    unreachables 524
IDENT services, disabling 832–833
idle timers, configuring on PIX Firewall 836–837
IDSs (intrusion detection systems) 436
    signatures 842
        configuring on PIX Firewall 842–844
IEEE 802.1Q tunneling 881
ignoring MOSPF LSAs 305
IGRP (Interior Gateway Routing Protocol), EIGRP interoperability 251
IIS Lockdown Wizard 971
IIS logs, enabling in Windows 976
IKE (Internet Key Exchange) 430, 637, 638
    aggressive mode 642
    phase 1 using CA
        configuring on IOS-to-IOS VPNs 696–703
        configuring on PIX-to-PIX VPNs 703–710
    phase 2 642–643
implementing
    access lists 478–479
    advanced VPNs
        DMVPNs 716–718
        GREs 716
        IPSec VPNs 715
    GRE tunnels on EIGRP 266–269
    NAT 538
    physical security 967
    time range function on ACLs 504–506
implicit deny statement (ACEs) 495
inbound connections, resetting through Cisco PIX Firewall 832–833
information 742
information security policies 430
ingress filtering 831
inside address, identifying on Cisco PIX Firewall with NAT 818
installing
    Solaris 958
    Windows 970
integrity 427, 430
inter-area route summarization, configuring 306–308
interesting traffic 141
    defining 641
    dialer lists 141
    specifying for DDR configuration 144
interfaces
    Cisco PIX Firewall, security levels 813
    ISDN configuration 158
internal OSPF routing table entries, displaying 315
interoperability of EIGRP and IGRP 251
interpreting CBAC syslog messages 799
intranet VPNs 435
intrusion detection
    CBAC 783
    Cisco IDS, configuring 867–870
    Cisco IOS software IDS 859–860
    Cisco PIX Firewall IDS 860–861
        configuring 870–874
        signatures 861–867
IOS. See Cisco IOS Software
IOS-to-IOS VPNs, IKE phase 1 using CA 696–703
IP, IS-IS configuration 322, 324
    interface assignment 325–327
    levels 324–325
IP accounting
    clearing database 557
    configuring 548
    MAC accounting 530
    precedence accounting 531
IP addresses, configuring on PIX Firewall interfaces 817–818
IP Path MTU Discovery 525
IP source routing 526
    disabling 454
IP spoofing attacks 831
IP-directed broadcast, disabling 454
IPSec 431
    3DES 636
    AES 637
    AH 634
    CAs, configuring 695–696
    defining interesting traffic 641
    DES 636
    DH 638
    encrypted tunnels 643
    ESP 635, 636
    functionality 640
    IKE 637, 638
    IKE phase 1 641–642
    IKE phase 2 642–643
    MD5 638
    preshared keys 638
    RSA signatures 638
    SHA-1 638
    transport mode 640
    tunnel mode 640
    tunnel termination 643
    VPNs 718–724
        configuring between IOS routers 644–662, 696–703
        configuring between two PIX firewalls 671–693, 703–710
        DMVPNs 716–718
        GREs 716
        implementing 715
        parameters, configuring 724–727
        PIX-to-PIX, troubleshooting 687–695
        troubleshooting 662–670
        verifying configuration 728–732
    with CBAC 791
ISDN
    backup interface configuration 158–159
    call stages 138
    configuring 142
    CPE 134–135
    data link layer 137
    DDR, configuring 144–149
    digital channels 134
    encapsulation options 160
    error codes 983–992
    interface configuration 158
    ISDN callback, configuring 166–168
    network layer 138
    physical layer 136
    PPP 139
        authentication 161–164
        configuring 160–161
        LCP 139–140
        NCP 140
        PPP multilink 165–166
    reference points 135
    routing
        floating static routes 152–154
        OSPF demand circuits 155–157
        passive interface 151–152
        static routes 149–151
    SPIDs, configuring 143–144
    standards support 133–134
    switch type, configuring 142–143
    troubleshooting 169–177
IS-IS
    addressing 333
        NSAP format 333–334
        requirements 334–335
    authentication
        configuring 340–345
        troubleshooting 345
    debugging 346–348
    default routes, configuring 337
    DIS 327
    hello timer, adjusting 339
    IP configuration 322–324
        interface assignment 325–327
        levels 324–325
    LSPs 328–330
        blocking flooding on interfaces 335
        mesh groups, configuring 336
    monitoring 346
    PSNs 331–332
    retransmission interval, adjusting 339
    route redistribution, configuring 337–338
    state machine 330–331
ISOs (information security officers) 432
ISP services
    rate limiting 882–885
    RPF 886

J

Java applets, filtering 828
jumper settings
    changing with software 1007–1008
    manually shorting 1006

K-L

keepalives, event window 100
L2 tunneling protocols, PPTP 751
L2F (Layer 2 Forwarding) 749
L2TP (Layer 2 Tunneling Protocol), LNS 749
L2VPNs
    802.1Q 881
    configuring 887–891
    verifying configuration 891–894
LAN storms 467
LAPD (Link Access Procedure on the D channel) 137
Layer 2 protocol tunneling 881
Layer 4, matching rules for IP ACLs 493
LCP (Link Control Protocol) 139–140
legacy DDR 142
    configuring 146–147
levels, configuring for IS-IS 324, 325
limitations
    of ACL size 517–518
    of CBAC 783–784
limiting Cisco IOS connection time 445
line passwords, Cisco IOS password management 443
link flapping, resolving 157
link-state protocols
    IS-IS
        addressing 333–335
        authentication 340–345
        debugging 346–348
        default routes, configuring 337
        DIS 327
        hello timer, adjusting 339
        IP configuration 322–327
        LSPs 328–330, 335–336
        monitoring 346
        PSNs 331–332
        retransmission interval, adjusting 339
        route redistribution, configuring 337–338
        state machine 330–331
    OSPF
        administrative distance, configuring 300–301
        areas, configuring 290–292
        blocking LSA flooding 304–305
        configuring 278–281
        configuring on simplex interfaces 301
        creating virtual links 295–297
        default route generation 298
        demand circuits 302
        DNS lookup 298
        ignoring MOSPF LSAs 305
        interface parameters, configuring 282–283
        logging neighbor adjacency changes 303
        loopback interfaces 298
        nonbroadcast configuration 288–289
        NSSA configuration 292
        point-to-multipoint broadcast configuration 287–288
        point-to-multipoint nonbroadcast configuration 284–285
        route calculation timers 301
        route summarization 294–295, 306–308
        VLSM support 285
LMI (Local Management Interface) 91–92
    autosense feature 95
    configuring on Frame Relay 108–109
    frame format 92–93
    timers 94–95
LNS (L2TP network server) 749
lock-and-key ACLs
    configuring 484–487, 506–507
    source-address spoofing 485
locking user accounts 965
logging
    ACLs 494–495, 511–512
    configuring on PIX Firewall 838–840
    EIGRP neighbor adjacency changes 255
    enabling 962
        on Windows 976
    OSPF neighbor adjacency changes 303
loopback interfaces, configuring 720
    on OSPF networks 298
lost passwords, recovering 995–1008
LSAs
    flood blocking 304–305
    group pacing, configuring 303–304
    OSPF
        ABR Type 3, configuring 311
        type codes 278
    packet pacing, displaying 317
LSPs 328–330
    blocking flooding on interfaces 335
    flooding 328
    mesh groups 336

M

MAC address accounting 530
manual route summarization, EIGRP configuration 258–259
manually shorting jumper settings 1006
mask reply messages (ICMP) 525
masquerading 431
master lab 933
    prestaging 934–940
    timed portion 942–951
    versus CCIE Security Lab exam 902–903
matching rules for testing Layer 4 information on IP ACLs 493
MaxR, calculating 97
MBSA (Microsoft Baseline Security Analyzer) 971
MD5 (Message Digest 5) 431, 638
mesh groups, configuring 336
messages (ICMP)
    mask reply 525
    redirects 524
    unreachables 524
metrics 397
    EIGRP composite metric, calculating 247
    RIP 202
MLP (Multilink PPP), configuring 165–166
MNLB (MultiNode Load Balancing) Forwarding Agent
    configuring 535–537
    monitoring 558
modifying
    default umask setting 964
    motd file 965
monitoring
  ISDN 169–177
  IS-IS 346
  MNLB Forwarding Agent 558
  NAT 559
  PVCs 190–191
motd file, modifying 965
MPLS VPNs, verifying HSRP support 556
MTU packet size
  adjusting 526
  configuring on PIX Firewall interfaces 816–817
multihomed autonomous systems 351
multipoint subinterfaces 89
multiprotocol encapsulation over AAL5, ATM configuration 185–191

N

named extended ACLs
  configuring 482
  time range function 483–484
named extended IP ACLs, creating 503
named MAC extended ACLs
  configuring 482, 512–513
named standard ACLs, configuring 482
named standard IP ACLs, creating 503
NAS (network access server) 749
NAT (Network Address Translation) 537
  Cisco PIX Firewall configuration 818–819
  configuring 549–555
  dynamic translation, configuring 550–551
  implementing 538
  monitoring 559
  overlapping addresses, configuring 552–553
  overloading, configuring 551
  TCP load distribution, configuring 553–554
Native CatOS 434
NCP (Network Control Protocol) 139–140
NCSC (National Computer Security Centre) C2 rating, Windows compliance 969
neighbor adjacency changes, logging
  EIGRP 255
  OSPF 303
neighbor table (EIGRP) 244–246
  logging neighbor adjacency changes 255
NETs (network entity titles) 323
network layer (OSI), ISDN operation 138
network services
  FTP 960
  NS 961
  rlogin 960
  RPC 961
  stopping 959–960
NFS services 961
NHRP 717
NNI (Network-to-Network Interface) 95
NNI cell headers 183–184
nonbroadcast OSPF configuration 288–290
nonrepudiation 431
“not on common subnet” error message 245
notification methods for Frame Relay congestion control 100
NSAP (network service access point) addresses 333
  format 333–334
NSSAs (not-so-stubby areas)
  OSPF configuration 292
  redistribution into BGP 405–407
NT1 (Network Termination 1) 135
NT2 (Network Termination 2) 135
NTFS 977–978
  permissions 978–980
  share-level security 980
NTP (Network Time Protocol) 441
  configuring 458–463
  configuring on PIX Firewall 6.2 851
  disabling 453
numbered extended ACLs, time range function 483–484
numbered extended IP ACLs
  creating 502–503
numbered standard ACLs, configuring 481
numbered standard IP ACLs, creating 502

O

o/r command, password recovery 1002–1003
obtaining equipment for home-based labs 24, 25
on-demand circuits, OSPF configuration 302
options, configuring on PIX Firewall 837, 838
OSI (Open Systems Interconnection) model, ISDN operation
  data link layer 137
  network layer 138
  physical layer 136
OSPF (Open Shortest Path First)
  ABR Type 3 filtering, configuring 310–311
  administrative distance, configuring 300–301
  areas, configuring 290–292
  configuring 278–281
  default routes, generating 298
  demand circuits, ISDN configuration 155–157
  DNS lookup, configuring 298
  external routes 278
  GRE, configuring for non-IP traffic 312–314
  interface parameters, configuring 282–283
  loopback interfaces, configuring 298
  LSA flood blocking, configuring 304–305
  LSAs
    group pacing 303–304
    type codes 278
  MOSPF LSAs, ignoring 305
  neighbor adjacency changes, logging 303
  nonbroadcast networks, configuring 288–289
  NSSAs
    configuring 292
    redistribution into BGP 405–407
  over demand circuits, configuring 302
  point-to-multipoint broadcast, configuring 287–288
  point-to-multipoint nonbroadcast, configuring 284–285
  redistribution
    into BGP 402–405
    into RIPv1 407–408
  route calculation timers, configuring 301
  route summarization 306
    configuring 294–295
    external 308
    inter-area 306–308
  routing processes, displaying information 315
  simplex interfaces, configuring 301
  statistics, displaying 315–316
  virtual links, creating 295–297
  VLSM support, configuring 285

P

PAC (PPTP access concentrator) 751
packet filtering
  ACLs 477, 480–483
    ACE entry order 496
    ACEs 477
    applying to interfaces 496, 497, 501
    configuring 498
    crypto 477
    defining criteria 498–500
    displaying information 514–515
    extended ACLs 481
    implementing 478–479
    implicit deny statement 495
    lock-and-key 484–487, 506–507
    logging 494–495, 511–512
    named extended ACLs 482
    named MAC extended ACLs 482, 512–513
    named standard ACLs 482
    numbered standard IP ACLs 481
    port 490–491
    reflexive 488–489, 507–511
    router 490
    size limitations 517, 518
    time range function 483–484
    time range function, implementing 504–506
    troubleshooting 516–517
    VLAN map entries, creating 513
    unsupported features on Catalyst 3550 switch 518
packet pacing, displaying information 317
packets
  EIGRP, format 243
  IS-IS LSPs 328–330
  LSAs, OSPF 278
  NSAPs 333
    format 333–334
PAM (Port-to-Application Mapping) 806–808
  configuring 808–810
PAP 161
partially meshed topologies, Frame Relay 87
  subinterfaces 88–89
passive routing, ISDN 151–152
passive state (EIGRP) 250
passive-reply end-to-end keepalives 101
password management (Cisco IOS) 442
  enable password 442
  line passwords 443
  privilege levels 442
password recovery 995–997
  break sequence 997–1002
  changing jumper settings with software 1007–1008
  manually shorting jumper settings 1006
  o/r command 1002, 1003
  on ACS running Solaris 1011
  on Cisco IDS sensors 1008–1009
  on Cisco PIX Firewall 1010–1011
  on VPN concentrators 1012–1013
  renaming software 1003–1004
  replacing software 1005
  resetting devices 1005–1006
passwords
  configuring 444
  EEPROM, configuring 966
patches
  applying to Solaris 958
  applying to Windows 975
path determination, BGP 352
performance, TCP configuration 531–535
permissions, NTFS 978–980
physical layer (OSI), ISDN operation 136
physical security, implementing 967
PIX Firewall. See also PIX Firewall 6.2
  AAA configuration 581–593
  ACLs, configuring 824–826
  ActiveX objects, filtering 827
  application inspection, configuring 835–836
  Configurable Proxy Pinging 834
  configuring PIX-to-PIX IPSec VPNs 671–693, 815
  DHCP server configuration 844, 845, 846
  Flood Guard 832
  idle timers, configuring 836–837
  IDS signatures, configuring 842–844
  inbound connections, resetting 832–833
  interface MTU, configuring 816–817
  IP address, configuring 817–818
  IP spoofing attacks, preventing 831–832
  Java applets, filtering 828
  logging 838–840
  NAT, configuring 818–819
  options, configuring 837–838
  PPTP, configuring 766–768
  remote-access VPNs, configuring 593–608
  security levels 813–815
  SNMP functions, configuring 841, 842
  static NAT, configuring 820, 822
  static routes, configuring 822–823
  troubleshooting PIX-to-PIX IPSec VPNs 687–695
  URLs, filtering 828–831
  xlates 814
PIX Firewall 6.2
  Auto Update support, configuring 852–853
  Bidirectional NAT, configuring 846–847
  NTP, configuring 851
  SMR, configuring 847–850
  TurboACL, configuring 850
PIX-to-PIX VPNs, IKE phase 1 using CA 703–710
PKI (Public Key Infrastructure) 431
planning home-based labs 23–25
point-to-multipoint broadcast OSPF configuration 287–288
point-to-multipoint nonbroadcast OSPF configuration 284–285
point-to-point subinterfaces 89
port ACLs
  configuring 490
  VLAN maps, configuring 491
port blocking, configuring on Catalyst 3550 switches 468
port security, configuring on Catalyst 3550 switches 469–470
port-based traffic control, verifying on Catalyst 3550 switches 470–472
PPP (Point-to-Point Protocol) 139
  configuring 160–161
  LCP 139–140
  NCP 140
PPP authentication
  ISDN configuration 161–164
  unidirectional, ISDN configuration 164
PPP callback
  configuring with TACACS+ 621–627
PPP multilink, configuring 165–166
PPTP (Point-to-Point Tunneling Protocol) 751
  configuring on PIX firewall 766, 767, 768
practice labs
  building layer 2
    equipment list 903
    prestaging 904–909
    timed lab portion 909–911
  configuring security
    advanced features 926–931
    basic features 917–920
  dial and application security 921–925
  format 901–902
  master lab 933
    prestaging 934–940
    timed portion 942–951
  protocol redistribution and dial backup configuration 915–917
  routing 911
    timed portion 913–914
  service provider 931–932
precedence accounting 531
preparing for CCIE exam 13–14
  developing good study habits 15–18
  lab experience versus real-world experience 18–19
  preparing for lab exam
    home-based study labs 22
      planning 23–25
    remote study labs 23
    work-based study labs 22
preshared keys 638
prestaging (practice labs), building layer 2 905–909
preventing IP spoofing attacks 831, 832
PRI (primary rate interface) 134
priority classes of CAR 879
private autonomous systems
  BGP configuration 377–385
  numbering 351
private IP addressing, NAT 537–538
  configuring 549–555
  monitoring 559
privilege levels
  assigning to Cisco IOS user accounts 447–448
  Cisco IOS password management 442
  configuring on TACACS+ 617–621
protected ports, configuring on Catalyst 3550 switches 468
Proxy ARP
  disabling 453
PSNs (pseudonodes) 331–332
public-key encryption 638
PVCs 91
  dynamic, configuring 189–190
  static, configuring 186–189
  troubleshooting 190–191

Q-R

Q series protocols (ISDN) 134
query packets, EIGRP 243
RA (registration authority) 431
RADIUS
  AAA configuration 569–581
  packet encryption 568
  router management 568
  versus TACACS+ 567
rate limiting
  CAR 879–885
    configuring 882
receive process, IS-IS state machine 330
reconnaissance attacks 436
recovering passwords 995–997
  break sequence 997–1002
  changing jumper settings with software 1007–1008
  manually shorting jumper settings 1006
  o/r command 1002–1003
  on ACS running Solaris 1011
  on Cisco IDS sensors 1008–1009
  on Cisco PIX Firewall 1010–1011
  on VPN concentrators 1012–1013
  renaming software 1003–1004
  replacing software 1005
  resetting devices 1005–1006
redirects
  and HSRP 528–530
  configuring 539
  ICMP 524
  MNLB Forwarding Agent, configuring 535–537
redistribution 399–401
  between directly connected networks 413–415
  between EIGRP and IGRP autonomous systems 409–412
  between EIGRP and static routes 412–413
  between EIGRP autonomous systems 408–409
  between OSPF and RIPv1 407–408
  connected networks into OSPF 402
  filtering routing information 416–421
  metrics 397
  OSPF into BGP
    configuring 402–405
    NSSAs into BGP 405–407
  practice lab 915–917
  troubleshooting 399
redundancy, HSRP 527
  and ICMP redirects 528–530
  configuring 541–547
reference points 135
reflexive ACLs, configuring 488–511
reinitializing EIGRP routing process 270
remote access, configuring on Cisco IOS 446
remote FTP administration 449
remote study labs 23
remote-access VPNs 435, 633
  configuring on PIX Firewall 593–608
removing VLAN map entries 514
renaming configuration files 1003–1004
replacing software, password recovery 1005
reply end-to-end keepalives 101
reply packets, EIGRP 243
request end-to-end keepalives 101
request packets, EIGRP 243
required equipment for home-based study labs 24–25
requirements of IS-IS addressing 334–335
resetting devices, password recovery 1005–1006
resource usage for ACLs, displaying 515
retransmission interval, IS-IS 339
RFC 2225 ATM configuration 191–193
  classical IP with PVC 192–193
  classical IP with SVCs 193–194
RIB (Routing Information Base) 330
RIP (Routing Information Protocol)
  advanced configuration 233–235
  configuring 203–220
    over router to PIX 5.2 connection 221–225
    over router to PIX 6.2 connection with authentication 225–231
  redistribution into OSPF 407–408
  structure 201
    default routes 203
    metric 202
    routing updates and timers 201–202
    split horizon 202
risk assessment 431
rlogin services 960
root account, modifying 964
route authentication, EIGRP configuration 263–264
route calculation timers, OSPF configuration 301
route filtering 208
route redistribution, configuring 337–338
route states (EIGRP) 250
route summarization
  configuring on EIGRP 258–259
  configuring on OSPF networks 294–295
  disabling on EIGRP 256–258
route tagging (EIGRP) 251
router ACLs
  configuring 490
  VLAN maps, configuring 491–492
routing
  ISDN
    floating static routes 152–154
    OSPF demand circuits 155–157
    passive interfaces 151–152
    static routes 149–151
  practice lab 911
    timed portion 913–914
routing protocols
  classful 398
  classless 398
  ships in the night 321
RPC services 961
RPF (Reverse Path Forwarding)
  configuring 886
  preventing attacks
    DoS attacks 880
    IP spoofing attacks 831
RSA (Rivest, Shamir, and Adleman) 432
RSA signatures 638

S

SAs (security associations) 637
SCEP (CA Server with Simple Certificate Enrollment Protocol) 695
Security Notifications Bulletin 975
Security Roll Up Packages 975
selective acknowledgment (TCP) 534
username password command 756
server operating systems, Windows 969
service packs, Windows resources 971
service resetinbound command 833
services
  BOOTP server 453
  CDP 452
  finger server 453
  FTP 960
  HTTP servers
    configuring 456–457
  ICMP messaging 454–455
  IP source routing 454
  IP-directed broadcast 454
  NFS 961
  NTP 453
    configuring 458–463
  Proxy ARP 453
  rlogin 960
  router name and DNS resolution 451
  RPC 961
  startup scripts, disabling 961
  TCP and UDP small servers 452
  verifying deactivation 455, 456
SHA-1 (Secure Hash Algorithm) 432, 638
share-level security, NTFS 980
ships in the night 321
show dialer command 172–173
show frame-relay map command 125
show frame-relay pvc command 123–125
show interfaces bri 0/0 command 169–171
show ip accounting command 548
show ip nhrp command 745
show isdn active 173
show isdn status command 171–172
show ppp multilink command 173
show route command 823
show vpdn tunnel command 760
signaling, Frame Relay 91, 92
  LMI autosense feature 95
  LMI frame format 92–93
  LMI timers 94–95
signatures 842
signatures (IDS) 861–867
simplex interfaces 527
  OSPF configuration 301
simulating break sequences 1013
single-homed autonomous systems 351
  BGP configuration 354–363
site-to-site VPNs 631–632
SMR (Stub Multicast Routing), configuring on PIX Firewall 6.2 847–850
smurf attacks 454
SNMP (Simple Network Management Protocol), configuring on PIX Firewall 841–842
software configuration register, password recovery 995–998
  config-register command 999–1002
  o/r command 1002–1003
Solaris
  applying patches 958
  default umask setting, changing 964
  disabling routing 965
  installing 958
  network services, stopping 959–960
  SSH, implementing 967
  user accounts, locking 965
source routing 526
source-address spoofing on lock-and-key ACLs 485
specifying RIP version 210, 211
SPIDs (service profile identifiers), ISDN configuration 143–144
split horizon 88, 202
  disabling on EIGRP 269
split tunneling 600
SSH (Secure Shell) 443
  configuring 464–466
  implementing on Solaris systems 967
stack-based buffer overflow, preventing 963
standards, ISDN-related protocols 133–134
standby routers (HSRP) 527
star topologies, Frame Relay 86
startup scripts, disabling 961
state machine (IS-IS) 330–331
static NAT, Cisco PIX Firewall configuration 820–822
static PVCs, configuring 186–189
static routes
  Cisco PIX Firewall configuration 822–823
  ISDN 149–151
  redistribution to EIGRP interfaces 412–413
Stop-A abort sequence, disabling 965
stopping network services 959–960
storm control, configuring on Catalyst 3550 switches 467
structure of RIP 201
  default routes 203
  metric 202
  routing updates and timers 201–202
  split horizon 202
stub routing, EIGRP configuration 264, 265
study labs
  home-based 22
    planning 23–25
  remote 23
  required equipment 24–25
  work-based 22
studying for CCIE exam, developing good habits 15–18
summarization
  OSPF 306
    external 308
    inter-area 306–308
  RIP routes 212–215
SVCs 90
  configuring on Frame Relay 109–113
switch type, ISDN configuration 142, 143
switches
  Catalyst 3550, unsupported IOS ACL-related features 518
  CatOS 434
sysopt connection command 837

T

TA (terminal adapter) 134
TACACS+
  authentication proxy 610–615
    configuring 615–617
  packet encryption 568
  PPP callback, configuring 621–627
  privilege levels, configuring 617–621
  router management 568
  versus RADIUS 567
  VPDN configuration 761–765
TCP 814
  performance parameters, configuring 531–535
  settings, securing 964
  small servers, disabling 452
TCP intercept, configuring 776–781
TCP/IP header compression, configuring on Frame Relay 121–122
TE1 (Terminal equipment 1) 134
TE2 (Terminal equipment 2) 134
TEI (terminal endpoint identifier) 137
Telnet addresses, hiding 449
terminal equipment (ISDN) 134–135
time range function
  configuring on ACLs 483–484
  implementing on ACLs 504–506
timed portion (practice lab)
  configuring advanced security features 927–931
  configuring basic security 919–920
  building layer 2 909–911
  master lab 942–951
  redistribution and dial backup configuration 916–917
  routing 913–914
  service provider 932
timers
  LMI, tuning 94–95
  RIP 201–202
topics covered on CCIE Security exam 6–9
topologies, partially meshed 87
  subinterfaces 88–89
topology table, EIGRP 246–247
  displaying information 248–249
  DUAL 251–252
ToS classes, CAR rate limiting 879
traffic filtering
  ACLs 477–483
    ACE entry order 496
    ACEs 477
    applying to interfaces 496–497, 501
    configuring 498
    crypto 477
    defining 495
    defining criteria 498–500
    displaying information 514–515
    extended ACLs 481
    implementing 478–479
    implicit deny statement 495
    lock-and-key 484–487, 506–507
    logging 494–512
    named extended ACLs 482
    named MAC extended 482, 512–513
    named standard ACLs 482
    numbered standard IP ACLs 481
    port 490–491
    reflexive 488–511
    router 490
    size limitations 517–518
    time range function 483–484
    time range function, implementing 504–506
    troubleshooting 516–517
    unsupported features on Catalyst 3550 switch 518
    VLAN map entries, creating 513
  CBAC 781–782
traffic inspection, CBAC 782
traffic shaping, configuring on Frame Relay 114–119
transform sets 651
transit autonomous systems 351
  BGP configuration 363–372
transitivity 88
transparent bridging, split horizon 88
transport mode (IPSec) 640
Tripwire 967
troubleshooting
  ACLs 516–517
  EIGRP 270–272
  flapping routes 157
  Frame Relay connectivity 122–126
  IPSec VPNs 662–670
    PIX-to-PIX 687–695
  ISDN 169–177
  IS-IS authentication 345
  PVCs 190–191
  redistribution 399
  RIP 218–220
tuning LMI timers 94, 95
tunnel mode (IPSec) 640
tunnel ports 881
tunneling
  802.1Q 881
  L2F 749
  L2VPN
    configuring 887–891
    verifying configuration 891–894
  Layer 2 protocol tunneling 881
  PPTP 751
    PIX firewall configuration 766–768
TurboACL, configuring on PIX Firewall 6.2 850
turning off CBAC 802

U

UDP 814
  small servers, disabling 452
umask setting, modifying 964
UNI (User-Network Interface) 96
  cell headers 183–184
unidirectional PPP authentication, configuring 164
uninteresting traffic 141
UNIX
  ACS running Solaris, password recovery 1011
  EEPROM passwords, configuring 966
  Solaris
    applying patches 958
    installing 958
unreachables (ICMP) 524
update packets
  BGP 353
  EIGRP 243
  RIP 201–202
    blocking on interfaces 207
update process, IS-IS state machine 331
URLs, filtering 828–831
UrlScan 971
user accounts
  AAA verification 449–451
  locking 965
  Windows 970
user accounts (Cisco IOS)
  assigning privilege levels 447–448
  creating 446–447

V

VCs
  PVCs 91
  SVCs 90
    configuring 109–113
verifying
  DMVPN configuration 741–745
  HSRP support for MPLS VPNs 556
  installation information 963–964
  IPSec VPN configuration 728–732
  L2VPN configuration 891–894
  OSPF ABR Type 3 LSA filtering 316
  port-based traffic control on Catalyst 3550 switches 470–472
  user accounts with AAA 449–451
verifying service deactivation 455–456
virtual links, creating on OSPF networks 295–297
virtual templates, creating 759
virtual-template command 764
VLAN maps
  configuring on port ACLs 491
  configuring on router ACLs 491–492
  entries
    creating 513
    removing 514
VLSM, OSPF configuration 285
VPDNs 749, 750, 751
  configuring 752
  default group templates, configuring 768–769
  local AAA, configuring 752–761
  TACACS+, configuring 761–765
vpdn-template command 769
VPN concentrators, password recovery 1012–1013
VPNs (Virtual Private Networks) 432
  advanced configuration 718–719
    EIGRP 720–724
    GRE tunnels 720
    IPSec VPNs 715–718
    loopback interfaces 720
  IOS-to-IOS, IKE phase 1 using CA 696–703
  IPSec 718–724
    configuring between two IOS routers 644–662
    configuring between two PIX firewalls 671–693
    parameters, configuring 724–727
    troubleshooting 662–670, 687–695
    verifying configuration 728–732
  L2VPN
    802.1Q tunneling 881
    configuring 887–891
    verifying configuration 891–894
  PIX-to-PIX, IKE phase 1 using CA 703–710
  remote-access 633
  site-to-site 631–632
vtys, configuring 445, 446

W-X-Y-Z

WANs
  connections, configuring on EIGRP 254–255
  Frame Relay
    configuring 102–122
    congestion control mechanisms 96–101
    error checking 99
    fully meshed topologies 87
    NNI 95
    partially meshed topologies 87–89
    PVC 91
    signaling 91–92
    star topology 86
    SVCs 90
    troubleshooting connectivity 122–126
    UNI 96
white hats 432
Windows operating system
  auditing, enabling 976
  file systems
    FAT 977
    FAT32 977
    NTFS 977–980
  installing 970
  logging, enabling 976
  MBSA 971
  patches, applying 975
  user accounts 970
Windows 2000, creating baseline security level 972–975
Windows NT 4 Server, creating baseline security level 972–975
work-based study labs 22
world-writeable files, checking for 966
xlates 814