ONE Spring Hands-On Institute


@ONE Spring Hands-On Institute
Los Medanos College
Introduction to Cisco Network Devices
Mark McGregor, Instructor
April, 2005
Introduction to Cisco Network Devices (ICND)
Objectives
• Provide an overview of Cisco IOS devices
– Focus: Issues faced by IT staff in a community college environment
• Brainshare
– It’s a time for you (IT) to get away from them…and talk about what they are doing to your network
Assumed Knowledge
• Some familiar terms:
– Routing
– Switching
– LAN, WAN
– VLANs
– IP addressing, subnets
Lab Topology
• Remote lab at:
– telnet://as1.losmedanos.edu
– telnet://as2.losmedanos.edu
• Topology is a secret until tomorrow.
– 2600 routers
– 2950 (EMI) and 3550 (EMI) Catalyst switches
– Access servers are 2511s
Dude, Your Cell Phone!
Vibrate please.
Module 1: Network Theory – OSI and TCP/IP Models
Internetworking: An Overview
What is Networking?
• Networking - the interconnection of workstations, peripherals, terminals and other devices*
* I am bound by the Pedagogical Oath to assault you with textbook definitions for things you must already know!
Yesterday’s Networks
• The advent of the desktop PC brought with it small, closed networks in the mid-1980s.
An old-school LAN (local-area network)
Today’s Computer Networks
• Today, networks are everywhere:
– School, work, home
– Coffee shops, airports, state parks
– Emerging technologies such as EV-DO and WiMAX promise metro-wide networks in the air.
What happened?
• Over the past 20 years, computer networks have evolved: small, proprietary, closed systems → one huge, global collection of networks (an internetwork) → the Internet.
What happened?
• Vendors realized that standardizing their products would help them make money.
• Various groups got together and proposed networking standards.
• The Internet (b.1969) offered an attractive de facto set of standards.
Network Protocols and Standardization
Network Protocols
• Early networks:
– proprietary technologies
– single vendor only
• Today:
– Standards-based technologies
– Macs, PCs, cell phones, watches, toasters, and earrings can all share data as long as they all speak to each other according to the same set of rules, or protocol.
Network Protocols
• Protocol - a set of rules, or an agreement, that determines the format and transmission of data.
SNA (Systems Network Architecture) = IBM
IPX (Internet Packet eXchange) = Novell
IP (Internet Protocol) = US Department of Defense
XNS (Xerox Network System) = Xerox
NetBEUI (NetBIOS Extended User Interface) = IBM
AppleTalk = Apple
DECnet = Digital Equipment Corporation
VINES = Banyan
TCP/IP: Internet Protocol
• One protocol has become the de facto standard for all computer networks.
• IP v4 = The Internet Protocol (version 4)
• All hosts on the Internet use the IP protocol
• The Internet actually uses a family, or suite, of protocols called TCP/IP which includes:
– TCP, or Transmission Control Protocol: (adds reliability and sequencing to Internet conversations)
– HTTP: (web stuff)
– FTP: (file transfer)
– DNS: (naming system that brought us .com and www)
– SMTP: (mail, SPAM, and other delights of the Info Age)
TCP/IP: Internet Protocol
TCP/IP’s developers never envisioned that this protocol could support a global network of entertainment and commerce.
All of these devices need an IP Address to be on the Internet.
All of these devices use the TCP/IP protocol “stack” to communicate. In this case, they are using HTTP to browse the web.
Reality Check
• In the mid-1980s, Cisco (like all other vendors) focused on “multi-protocol” platforms.
• Because TCP/IP has emerged as the dominant protocol, our focus is entirely on IP networks.
• So, this is an Introduction to Cisco IP Network Devices
Types of Networks
LANs
• Local-Area Networks (LANs) emerged in the mid 1980s
• LANs
– connect workstations, peripherals, and other devices in a single building
– made it possible to efficiently share such things as files and printers
Early LANs Isolated
(Figure: separate, unconnected LANs in Seattle, New York and San Francisco)
Wide Area Networks (WANs)
(Figure: the LANs in Seattle, New York and San Francisco joined by a WAN)
LAN, CAN, MAN, and WAN
• LAN - limited geographic area
– office, home, small building (enterprise)
• CAN - Campus-Area Network
– University, Company Tech Center (enterprise)
• MAN - Metropolitan-Area Network
– citywide network (typically involves a service provider)
• WAN - large geographic area
– city-to-city, worldwide, Internet (typically involves a service provider)
• PAN – personal area network
– Cell phone, watch, PDA, bluetooth stuff (you!)
LAN vs WAN
• Early LANs and WANs typically used very different:
– Protocols
– Devices
– Signaling
– Media (physical connections, wire, RF)

Typical Early LANs              Typical Early WANs
Always “on”                     Intermittent, on-demand connectivity
High bandwidth                  Low bandwidth
Cheap                           Costly
Small geographical area         Large geographical area
Early LAN vs WAN
• Different network types, different devices:

Common LAN Devices              Common WAN Devices
Hub, Repeater                   Modem, CSU/DSU
Bridge                          Switch
LAN Switch                      Access Server
Router                          Router
Early LAN vs WAN
• Emerging technologies and dominance of TCP/IP spurred widespread adoption of new device types:

Today’s LAN Devices: Switch, Bridge, Multilayer Switch, Router
Wireless (LAN/WAN): Access Point
Today’s WAN Devices: VPN Gateway, DSLAM, Optical Transport, Firewall, Router
IP Telephony (LAN/WAN): IP Phone, IP PBX
Today’s LAN/WAN
• Several factors have blurred the distinctions between WANs and LANs and the devices that operate in each.
• However, for the purposes of our discussions, we will talk about devices as either “LAN” or “WAN”
The OSI Reference Model
Enter ISO
• ISO – International Organization for Standardization (Geneva)
– Voluntary, non-treaty organization chartered by the UN
• From the earliest days of networking, it was clear to ISO that standards were needed.
• Standardization aids: development, interoperability, education…
ISO’s OSI Model
• ISO looked at existing network protocols (TCP/IP, XNS, SNA) and came up with OSI RM.
• OSI RM - Open Systems Interconnection Reference Model
OSI Reference Model
7 - Application Layer
• Network processes to applications
– Provides network services to user applications
6 – Presentation Layer
• Data Representation
– Code formatting
– Negotiation of data transfer
– Ensures information sent by the application can be transmitted on the network
– Data encryption
5 – Session Layer
• Interhost communication
– Establishes, maintains, and manages sessions between applications
4 – Transport Layer
• End-to-end connections
– Segmentation
– Reassembly into data stream
– Offers potential of reliable transport
3 – Network Layer
• Addresses and best path
– Logical addressing is used at this layer
• IP, AppleTalk, IPX, etc.
– Routers reside at this layer
2 - Data-Link Layer
• Access to media
– Physical transmission across the medium
– Error notification, network topology and flow control
– Uses MAC (physical) addresses
– Switches and bridges reside at this layer
1 – Physical Layer
• Binary Transmission
– Provides the electrical, mechanical, procedural and functional means for activating and maintaining the physical link between systems.
– The media resides at this layer
Data Encapsulation Example
(Figure: data passing from an end system through intermediate systems)
Data Encapsulation
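The encapsulation slides above are figures only, so here is an added, runnable illustration of what they show (example code, not from the course materials): an application payload is wrapped in a TCP header (Layer 4), then an IPv4 header (Layer 3), then an Ethernet header (Layer 2), and a receiver peels the headers off in reverse order. The MAC addresses, IP addresses, ports and payload are constructed sample values; the TCP checksum is left at zero because a real stack computes it over a pseudo-header, which is outside the point being shown.

```python
"""Added example (not from the slide deck): building and stripping the
TCP/IPv4/Ethernet headers that encapsulate a payload. All addresses, ports
and the payload are constructed sample values."""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum.
    Run over a header whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_tcp(src_port: int, dst_port: int, payload: bytes, seq=0, ack=0, flags=0x18) -> bytes:
    # Layer 4: 20-byte header (data offset 5, no options) followed by the data.
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload


def build_ipv4(src: str, dst: str, segment: bytes, proto=6, ttl=64) -> bytes:
    # Layer 3: 20-byte header with the checksum computed over the header only.
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, ip(src), ip(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def build_ethernet(src_mac: str, dst_mac: str, packet: bytes, ethertype=0x0800) -> bytes:
    # Layer 2: 14-byte header; the FCS trailer is added by the NIC and omitted here.
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ethertype) + packet


def encapsulate(payload: bytes) -> bytes:
    """Application data -> segment -> packet -> frame (constructed sample addresses)."""
    segment = build_tcp(40000, 80, payload)
    packet = build_ipv4("10.1.1.1", "10.1.1.2", segment)
    return build_ethernet("00:0c:29:aa:bb:cc", "00:0c:29:dd:ee:ff", packet)


def decapsulate(frame: bytes) -> dict:
    """Strip the headers one layer at a time, as a receiving host does,
    rejecting the packet if the IPv4 header checksum does not verify."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    _vi, _tos, total_len, _id, _frag, ttl, proto, _csum, sip, dip = struct.unpack("!BBHHHBBH4s4s", hdr)
    segment = packet[ihl:total_len]
    sport, dport, _seq, _ack, offset_byte = struct.unpack("!HHIIB", segment[:13])
    data_offset = (offset_byte >> 4) * 4
    return {
        "ethertype": ethertype,
        "src_ip": ".".join(map(str, sip)),
        "dst_ip": ".".join(map(str, dip)),
        "ttl": ttl,
        "proto": proto,
        "src_port": sport,
        "dst_port": dport,
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.0\r\n\r\n")
    print(len(frame), "bytes on the wire ->", decapsulate(frame))
```

The 18-byte HTTP request above becomes a 72-byte frame: 14 (Ethernet) + 20 (IP) + 20 (TCP) + 18. Flipping a single bit in the IP header makes the receiver discard the packet, which is the practical reason each layer carries its own integrity check.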
TCP/IP vs OSI Model
Cisco Networking
Brief(est) History of LANs
Early LANs
• In the 1980s, several LAN technologies competed to offer Layer 1/Layer 2 services:
– Token Ring (IBM)
– Ethernet (Xerox, et al)
– ARCnet (Datapoint)
• Later on:
– FDDI, Fiber Distributed Data Interface
– ATM, Asynchronous Transfer Mode
The IEEE Working Groups
802.1 Networking Overview and Architecture
802.2 Logical Link Control
802.3 Ethernet
802.4 Token Bus
802.5 Token Ring
802.6 MANs
802.7 Broadband
802.8 Fiber Optic
802.11 Wireless Ethernet
...and more!
Today
• Ethernet is the de facto standard.
• It has crushed its competitors in the LAN space, and has been adopted for Wireless networks and Metro WANs.
Ethernet and TCP/IP
• Ethernet and TCP/IP are the most pervasive protocols
(Figure: the OSI layers, with TCP/IP spanning the Application, Presentation, Session, Transport and Network layers and Ethernet spanning the Data Link and Physical layers)
Device Functions at Layers
Very Quick Survey of WAN Technologies
WANs
Some common WAN technologies are:
• POTS (plain old tel service) modems
• ISDN (Integrated Services Digital Network)
• DSL (Digital Subscriber Loop)
• Frame Relay, X.25
• ATM (Asynchronous Transfer Mode)
• T-Carrier Series (in US: T1, T3, etc.)
• Optical Carriers (OC-1, OC-3, etc)
– SONET (Synchronous Optical Network)
• MPLS (Multi Protocol Label Switching)
• VPN (Virtual Private Network)
Cisco Internetworking Devices
Cisco Routers
• The router is the box that made Cisco its fortune
• IOS routing historically done at the edge of networks
• In the past, network engineers have been content to let the routers move packets while specialized security boxes handle complex filtering, NAT, IDS, etc
What is IOS?
• Cisco’s Internetwork Operating System (IOS)
– Current version is 12.3.x
– Monolithic: if you want a feature, such as IDS, you must load a complete copy of the OS (and in the process, take the device out of service)
– Originally developed for the Cisco router
Cisco Switches
• Catalyst Series
• “Acquired” by Cisco
• Until about 4 years ago, enterprise-class switches ran the CatOS.
• While CatOS remains as a legacy technology, Cisco has migrated the Catalyst line to IOS
Cisco APs
• Cisco “acquired” Aironet, which made Wireless Access Points.
• Cisco’s first APs ran code called vxWorks.
• Today, Cisco APs run IOS
IOS Convergence
• Over the past several years, Catalyst Switches and Cisco (Aironet) Wireless Access Points have migrated to IOS.
(Figure: CatOS, vxWorks, Finesse / PIX OS and Altiga VPN / VPN 3K converging on IOS, with IOS-XR? alongside)
IOS is getting hard to avoid…
Cisco ISR
• The Integrated Services Routers (ISR) may drastically change the way IOS is deployed.
– 1800 series
– 2800 series
– 3800 series
• Released fall, 2004
• allows the secure deployment of multiple, integrated services at wire-speed performance
• provides high performance while running simultaneous services such as data, security, and QoS in one integrated routing platform
ISR
• With the advent of the ISR platform, more and more organizations will turn to IOS to provide integrated
– Firewall
– Voice over IP (VoIP)
– IDS
– NAT
– QoS
– VPN
IOS Fundamentals
Router Components
• Key Router Components:
– RAM - typically 4 MB - 256 MB
– Non-Volatile RAM (NVRAM) – typically 32K – 256K
– Flash – typically 4 MB – 128 MB
– ROM, aka boot ROM
Router Components
• The 2500 Series
– Venerable, still found in production!
Router Components
• The guts of a 2600 series
Router Components
• Rear end of a 2600
Purpose of Cisco IOS Software
• Basic routing and switching functions
• Reliable and secure access to networked resources
• Network scalability
Router User Interface
Router User Interface Modes
show flash Command
Steps in Router Initialization
Using the setup Command
User Mode Commands
Privileged Mode Commands
clock set Command
The User Interface Error Indicator
The show version Command
CLI Command Modes
Configuring a Router Name
• A router should be given a unique name as one of the first configuration tasks:
Router(config)#hostname Tokyo
Tokyo(config)#
Configuring Router Passwords
Interface Configuration
Cisco Discovery Protocol
Cisco Discovery Protocol (CDP)
• CDP is media and protocol independent, and runs on virtually all Cisco devices
– uses Subnetwork Access Protocol (SNAP).
CDP
show cdp neighbors
Creating a Network Map
• The show cdp neighbors [type number] [detail] command can be used to obtain the following:
– Device ID
– Address
– Port ID
– Capabilities
– Version
– Platform
– IP network prefix
– VTP management domain name (CDPv2 only)
– Native VLAN (CDPv2 only)
– Full/Half duplex (CDPv2)
CDP output
R1#show cdp neighbor detail
-------------------------
Device ID: Switch
Entry address(es):
IP address: 10.1.1.2
Platform: cisco WS-C3550-24, Capabilities: Switch IGMP
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/1
Holdtime : 174 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Mar-03 23:42 by yenanh
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000000CCEFEB800FF0000
VTP Management Domain: 'CISCO'
Native VLAN: 1
Duplex: full
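The network-map slide lists the fields CDP advertises, and the output above shows how they appear on the wire. As an added example (not part of the course materials), here is a parser that turns `show cdp neighbors detail` text into records and then into a one-hop map of local interface → (neighbor, neighbor port). The sample output is constructed in the format shown above, with a second, invented neighbour (R2, a 2600-series router on Serial0/0) added so that the multi-entry and missing-field cases are exercised; the field names are this example's own.

```python
"""Added example (not from the slide deck): parsing 'show cdp neighbors detail'
into records for a network map. SAMPLE is constructed in the slide's format;
the R2 entry and its addresses/image name are invented sample values."""
import re

SAMPLE = """\
-------------------------
Device ID: Switch
Entry address(es):
  IP address: 10.1.1.2
Platform: cisco WS-C3550-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 174 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)

advertisement version: 2
VTP Management Domain: 'CISCO'
Native VLAN: 1
Duplex: full
-------------------------
Device ID: R2
Entry address(es):
  IP address: 10.1.2.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/1
Holdtime : 120 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-SAMPLE-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)

advertisement version: 2
Duplex: full
"""

# One regex per field; "ios_version" is searched anywhere in the line, the
# rest are anchored at the start of the line. Lowercase "advertisement
# version" is deliberately not matched by the case-sensitive "Version" pattern.
FIELDS = {
    "device_id": re.compile(r"^Device ID:\s*(.+)$"),
    "ip": re.compile(r"^\s*IP address:\s*(\S+)"),
    "platform": re.compile(r"^Platform:\s*(.+?),\s+Capabilities:\s*(.+)$"),
    "interface": re.compile(r"^Interface:\s*(\S+),\s+Port ID \(outgoing port\):\s*(\S+)"),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)"),
    "ios_version": re.compile(r"\bVersion\s+([^,]+),"),
    "vtp_domain": re.compile(r"^VTP Management Domain:\s*'?([^']*)'?"),
    "native_vlan": re.compile(r"^Native VLAN:\s*(\d+)"),
    "duplex": re.compile(r"^Duplex:\s*(\w+)"),
}


def parse_cdp_detail(text: str) -> list:
    """Split the output on the dashed separators and extract the known fields
    from each block. Fields a neighbour does not advertise (e.g. native VLAN
    on a serial link) are simply absent from its record."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in block:
            continue
        rec = {}
        for line in block.splitlines():
            for key, rx in FIELDS.items():
                m = rx.search(line) if key == "ios_version" else rx.match(line)
                if not m or key in rec:
                    continue
                if key == "platform":
                    rec["platform"], rec["capabilities"] = m.group(1), m.group(2).split()
                elif key == "interface":
                    rec["local_if"], rec["remote_if"] = m.group(1), m.group(2)
                elif key in ("holdtime", "native_vlan"):
                    rec[key] = int(m.group(1))
                else:
                    rec[key] = m.group(1)
        neighbors.append(rec)
    return neighbors


def network_map(neighbors: list) -> dict:
    """Local interface -> (neighbor device, neighbor port): one hop of the topology."""
    return {n["local_if"]: (n["device_id"], n["remote_if"]) for n in neighbors}


if __name__ == "__main__":
    for local, (dev, port) in network_map(parse_cdp_detail(SAMPLE)).items():
        print(f"{local} -> {dev} {port}")
```

Running the same parser against each device's output and merging the maps gives the topology; the records also carry the advertised IOS version and platform, which is the same inventory an attacker on the segment would read from CDP, so it is worth knowing exactly what your devices announce before deciding where to leave CDP enabled.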
CDP output
R1#
*Mar 1 03:51:39.043: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0
(not half duplex), with Switch FastEthernet0/1 (half duplex).
*Mar 1 03:51:39.047: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0
(not half duplex), with Switch FastEthernet0/1 (half duplex).
*Mar 1 03:51:39.047: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0
(not half duplex), with Switch FastEthernet0/1 (half duplex).
S1#
04:02:31: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/23 (9), with Switch FastEthernet0/24 (1).
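The two message types above (`%CDP-4-DUPLEX_MISMATCH` and `%CDP-4-NATIVE_VLAN_MISMATCH`) are worth catching from a syslog collector rather than noticing on a console: a duplex mismatch silently degrades a link, and a native VLAN mismatch means untagged traffic is landing in different VLANs on each side of a trunk. As an added example (not from the course materials), the detector below scans log lines for both messages, extracts the interface pair and the mismatched values, and collapses the repeats CDP generates on every hold-time refresh into a count. The log lines are constructed to match the slide's format, with one unrelated link message added; the function and key names are this example's own.

```python
"""Added example (not from the slide deck): detecting CDP duplex and native
VLAN mismatch syslog messages. LOG is constructed in the format shown on the
slide; hostnames and interfaces are sample values."""
import re

LOG = """\
*Mar  1 03:51:39.043: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not half duplex), with Switch FastEthernet0/1 (half duplex).
*Mar  1 03:51:39.047: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not half duplex), with Switch FastEthernet0/1 (half duplex).
04:02:31: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/23 (9), with Switch FastEthernet0/24 (1).
*Mar  1 03:52:10.100: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
"""

DUPLEX_RX = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local>\S+) "
    r"\((?P<local_mode>[^)]*)\), with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_mode>[^)]*)\)"
)
VLAN_RX = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (?P<local>\S+) "
    r"\((?P<local_vlan>\d+)\), with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def find_cdp_mismatches(log: str) -> dict:
    """Return {(kind, local_if, peer, peer_if): details} with a 'count' of how
    many times each mismatch was reported. CDP re-announces on every hold
    interval, so repeats are expected and are folded into the count."""
    found = {}
    for line in log.splitlines():
        for kind, rx in (("duplex", DUPLEX_RX), ("native_vlan", VLAN_RX)):
            m = rx.search(line)
            if not m:
                continue
            key = (kind, m["local"], m["peer"], m["peer_if"])
            if key not in found:
                found[key] = dict(m.groupdict(), kind=kind, count=0)
            found[key]["count"] += 1
    return found


def summarize(found: dict) -> list:
    """One human-readable line per distinct mismatch, sorted by kind and interface."""
    lines = []
    for (kind, local, peer, peer_if), d in sorted(found.items()):
        if kind == "duplex":
            detail = f"local {d['local_mode']}, peer {d['peer_mode']}"
        else:
            detail = f"local VLAN {d['local_vlan']}, peer VLAN {d['peer_vlan']}"
        lines.append(f"{kind}: {local} <-> {peer} {peer_if} ({detail}) x{d['count']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(find_cdp_mismatches(LOG))))
```

Feed it the output of a syslog receiver (or `show logging`) and it reduces a noisy console to one line per mis-wired or mis-trunked link, which is the list to work through before trusting the network map built from CDP.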
Disabling CDP
Using Telnet
Telnet
Telnet Operations
Establishing Telnet Connections
• A host name table or access to DNS for Telnet must be present for a name to work. Otherwise, the IP address of the host must be entered.
Denver>connect paris
Denver>paris
Denver>131.108.100.152
Denver>telnet paris
• Telnet can be used to perform a test to determine whether access can be obtained from a remote router.
Telnet Operations
Advanced Telnet Operation
Multiple Telnet sessions can be used and suspended by using the Ctrl+Shift+6 and x sequence.
AutoSecure
AutoSecure
• Available in IOS 12.3
• Allows a user to perform the following functions:
– Disable common IP services that can be exploited for network attacks
– Enable IP services and features that can aid in the defense of a network when under attack.
• This feature also simplifies the security configuration of a router and hardens the router configuration.
AutoSecure
• Adds:
– The ability to configure a required minimum password length,
• eliminates common passwords that are prevalent on most networks, such as "lab" and "cisco."
• security passwords min-length command.
– Syslog messages are generated after the number of unsuccessful attempts exceeds the configured threshold.
• To configure the number of allowable unsuccessful login attempts (the threshold rate), use the security authentication failure rate command.
AutoSecure
• This feature is targeted at customers that don’t have security staff or expertise.
• You can just type “auto secure” and the router goes into a very friendly dialog that works to harden the router.
• AutoSecure will even configure a basic firewall, including ACLs that block bogus IP ranges (IANA reserved and RFC 1918 private addresses)
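The two AutoSecure slides above name three concrete, checkable outcomes: a minimum password length (`security passwords min-length`), a login-failure threshold that produces syslog messages (`security authentication failure rate`), and an ingress ACL that drops RFC 1918 sources. Whether AutoSecure or a person produced the configuration, an auditor can verify those outcomes from the running-config text. As an added example (not from the course materials or from AutoSecure itself), the script below does that for a constructed sample configuration. The two `security ...` commands are the ones the slides name; `no cdp run` is the standard IOS command that disables CDP globally (the "Disabling CDP" slide's topic); the ACL name, the thresholds and the whole sample configuration are this example's own assumptions.

```python
"""Added example (not from the slide deck): auditing a running-config against
the AutoSecure outcomes discussed above. SAMPLE_CONFIG, the ACL name and the
thresholds are constructed values; only RFC 1918 space is checked here, not
the full IANA-reserved list AutoSecure also filters."""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname Tokyo
security passwords min-length 6
security authentication failure rate 10 log
cdp run
!
ip access-list extended AUTOSEC_INGRESS
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface FastEthernet0/0
 ip access-group AUTOSEC_INGRESS in
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def acl_denied_networks(config: str, acl_name: str) -> list:
    """Collect the networks denied by 'deny ip <net> <wildcard> any' entries of
    one named extended ACL (contiguous wildcard masks assumed)."""
    nets, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == acl_name
            continue
        if inside and line.startswith(" "):
            m = re.match(r"\s*deny ip (\S+) (\S+) any", line)
            if m:
                wildcard = int(ipaddress.IPv4Address(m.group(2)))
                prefix = 32 - wildcard.bit_length()  # 0.255.255.255 -> /8
                nets.append(ipaddress.ip_network(f"{m.group(1)}/{prefix}"))
        elif inside:
            inside = False  # a non-indented line ends the ACL body
    return nets


def audit(config: str, min_len: int = 8, max_failures: int = 5,
          acl_name: str = "AUTOSEC_INGRESS") -> dict:
    """Return pass/fail per check plus the RFC 1918 blocks the ACL misses.
    Thresholds are this example's policy values, not AutoSecure defaults."""
    findings = {}
    m = re.search(r"^security passwords min-length (\d+)", config, re.M)
    findings["min_length"] = bool(m) and int(m.group(1)) >= min_len
    m = re.search(r"^security authentication failure rate (\d+) log", config, re.M)
    findings["failure_rate"] = bool(m) and int(m.group(1)) <= max_failures
    findings["cdp_disabled"] = re.search(r"^no cdp run", config, re.M) is not None
    denied = acl_denied_networks(config, acl_name)
    findings["missing_bogons"] = [str(n) for n in RFC1918
                                  if not any(n.subnet_of(d) for d in denied)]
    findings["rfc1918_blocked"] = not findings["missing_bogons"]
    return findings


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check:16} {result}")
```

On the sample configuration every check fails: the password length is below the policy, the failure-rate threshold is too generous, CDP is still running, and the ACL forgets 172.16.0.0/12. Re-running the audit after the fixes (longer minimum, lower threshold, `no cdp run`, the missing deny entry) is the confirmation step that the dialog-driven AutoSecure run otherwise leaves to the operator's eye.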
AutoSecure
Router# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:y
Dialog continues from here….
AutoSecure
• This feature is probably too generic for enterprise customers that have InfoSec staff.
• But, it’s still worth checking out, since this one feature deals with a significant number of security issues:
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.pdf
Cisco Security Device Manager (SDM)
Security Device Manager
• Cisco SDM
• web-based GUI security management application
• Runs off the device itself, free download from Cisco
• simplifies router and security configuration through intelligent wizards
• Provides security monitoring functions
• http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet09186a008017dc08.html
Security Device Manager