Cisco Networks: Engineers’ Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

The Expert’s Voice® in Networking

Chris Carthern, William Wilson, Richard Bedwell, and Noel Rivera

Cisco Networks: Engineers’ Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

Copyright © 2015 by Chris Carthern, William Wilson, Richard Bedwell, and Noel Rivera

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

ISBN-13 (pbk): 978-1-4842-0860-1
ISBN-13 (electronic): 978-1-4842-0859-5

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Managing Director: Welmoed Spahr
Acquisitions Editor: Robert Hutchinson
Developmental Editor: Douglas Pundick
Technical Reviewer: Evan Kwisnek
Editorial Board: Steve Anglin, Pramilla Balan, Louise Corrigan, James DeWolf, Jonathan Gennick, Robert Hutchinson, Celestin Suresh John, Michelle Lowman, James Markham, Susan McDermott, Matthew Moodie, Jeffrey Pepper, Douglas Pundick, Ben Renow-Clarke, Gwenan Spearing
Coordinating Editor: Rita Fernando
Copy Editor: Kim Burton-Weisman
Compositor: SPi Global
Indexer: SPi Global

Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail , or visit . Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

For information on translations, please e-mail . Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special

Any source code or other supplementary materials referenced by the author in this text is available to readers at . For detailed information about how to locate your book’s source code, go to

  Dedicated to my parents, wife, and sister with love.

  —Chris Carthern

Contents at a Glance

About the Authors
Acknowledgments
Chapter 1: Introduction to Practical Networking
Chapter 2: The Physical Medium
Chapter 3: Data Link Layer
Chapter 4: The Network Layer with IP
Chapter 5: Intermediate LAN Switching
Chapter 6: Routing
Chapter 7: VLANs, Trunking, VTP, and MSTP
Chapter 8: Basic Switch and Router Troubleshooting
Chapter 9: Network Address Translation and Dynamic Host Configuration Protocol
Chapter 10: Management Plane
Chapter 11: Data Plane
Chapter 12: Control Plane
Chapter 13: Introduction to Availability
Chapter 14: Advanced Switching
Chapter 15: Advanced Routing
Chapter 16: Advanced Security
Chapter 17: Advanced Troubleshooting
Chapter 18: Effective Network Management
Chapter 19: Data Center and NX-OS
Chapter 20: Wireless LAN (WLAN)
Chapter 21: ASA and IDS
Chapter 22: Introduction to Network Penetration Testing
Chapter 23: Multiprotocol Label Switching

Contents

About the Authors
Acknowledgments
Chapter 1: Introduction to Practical Networking
  The OSI Model: Bringing It All Together
  User Datagram Protocol
  Three-Way Handshake and Connection Termination
  Reliability
  TCP/IP Network Interface Layer
  TCP/IP Internet Layer
  TCP/IP Transport Layer
  TCP/IP Application Layer
  TCP/IP Protocol
  Application Layer
  Tools of the Trade
  Presentation Layer
  Connection-Oriented
  Transport Layer
  Port Numbers
  Coaxial Cable
  Fiber Optic Transmission Rates
  Summary
  Bad Connector Terminations
  Duplex Mismatch
  Common Issues
  Unidirectional Link Detection
  Autonegotiation
  Frequency-Division Duplexing
  Time-Division Duplexing
  Duplex
  The Ethernet
  Cables
  Types of Networks
  Standards
  The Physical Medium
Chapter 2: The Physical Medium
  Summary
  Hierarchical Internetwork Model
  Wide Area Network
  Metropolitan Area Network
  Local Area Network
  Personal Area Network
Chapter 3: Data Link Layer
  Public
  Classful Subnetting
  Variable Length Subnet Masking
  Subnet Mask
  Subnetting
  Classless Inter-Domain Routing
  IPv6 Packet Header
  IPv4 Packet Header
  Class C
  Class B
  Class A
  IPv4
  IP Addressing (Public vs. Private)
  Protocols
Chapter 4: The Network Layer with IP
  Summary
  Cisco Discovery Protocol (CDP)
  LLDP Benefits
  Class of Endpoints
  Link Layer Discovery Protocol (LLDP)
  Flow Control
  Synchronizing
  Addressing
  Framing
  Link Layer Functions
  Subnetting Exercises
  How STP Works
  Testing Connectivity
  Default Routing
  Static Routing
Chapter 6: Routing
  Summary
  Exercise 2
  Exercise 1
  Exercise Answers
  Exercises
  Bridge Protocol Data Units
  Why Do You Need STP?
  Subnetting Exercise Answers
  Spanning Tree Protocol
  EtherChannel
  Switching
  Displaying the Running Configuration
  Configuration Help
Chapter 5: Intermediate LAN Switching
  Summary
  Exercise 4 Answers
  Exercise 3 Answers
  Exercise 2 Answers
  Exercise 1 Answers
  Dynamic Routing Protocols
  Distance-Vector Routing Protocol
  Hybrid Routing Protocol
  RIP
  Configuration
  EIGRP
  Configuring OSPF
  BGP
  BGP Configuration
  Administrative Distance
  RIP
  Exercises
  Exercise 1
  Exercise 3
  Exercise 5
  Summary
Chapter 7: VLANs, Trunking, VTP, and MSTP
Chapter 8: Basic Switch and Router Troubleshooting
  Routing
  Static Routing
  Dynamic Routing
  RIP
  Exercises
  Exercise 1
  Exercise 3
  Exercise 5
  Exercise 7
  Summary
Chapter 9: Network Address Translation and Dynamic Host Configuration Protocol
  Exercise Answers
  Exercise 1
  Exercise 3
  Summary
Chapter 10: Management Plane
  syslog
  Exercises
  Exercise 1
  Exercise 3
  Summary
Chapter 11: Data Plane
Chapter 12: Control Plane
  NTP
  Multicast
  Summary
Chapter 13: Introduction to Availability
Chapter 14: Advanced Switching
  Advanced Switching Exercises
  Exercise 1
  Summary
Chapter 15: Advanced Routing
  Next Hop Issues with iBGP
  Traffic Engineering with BGP
  IPv6 Routing
  EIGRPv6
  GRE Tunnels
  BGP Issues
  IPSec
  IOU8 Configuration
  IOU9 Configuration
  Advanced Routing Exercises
  Exercise 1: EIGRP and OSPF Redistribution
  Exercise 3: BGP
  Exercise Answers
  Exercise 1
  Exercise 3
  Summary
Chapter 16: Advanced Security
  Examples Using OpenSSL to Generate Signed Certificates
  CDP and LLDP
  Private VLANs
  Use Case
  Configuration
  VACL
  Use Case
  AUX Port
  VTY Ports
  Remote AAA (TACACS, RADIUS)
  Advanced Security Exercises
  Exercise 1: Extended ACL Exercises
  Exercise Answers
  Exercise 1
  Summary
Chapter 17: Advanced Troubleshooting
  HSRP, VRRP, and GLBP
  HSRP
  VRRP
  Neighbor Relationships
  Route Redistribution
  EIGRP
  GRE Tunnels
  Recursive Routing
  IPSec
  IPv6
  Exercise Answers
  Exercise 1
  Summary
Chapter 18: Effective Network Management
  Intrusion Detection and Prevention Systems
  Exercises
  syslog
  Service Policy
  Exercise Answers
  Initial Configuration
  SNMP
  Summary
Chapter 19: Data Center and NX-OS
  Network Virtualization
  Virtual Device Context (VDC)
  Virtual Routing and Forwarding (VRF) Lite
  NX-OS Exercise
  Summary
Chapter 20: Wireless LAN (WLAN)
Chapter 21: ASA and IDS
Chapter 22: Introduction to Network Penetration Testing
Chapter 23: Multiprotocol Label Switching
  IPv6 over MPLS
  MPLS Backbone
  Leak to Customer B
  Exercise Answers
  MPLS Backbone
  Leak to Customer B
  Summary

  About the Authors Chris Carthern (CCNP, CISSP) is a senior network engineer for the US Department of Defense. He is responsible for analyzing, designing, installing, configuring, maintaining, and repairing Cisco network infrastructure and application components, and for training and mentoring junior network engineers and preparing them for Cisco and CISSP certification exams. Carthern took his BS (honors) in computer science from Morehouse College and his MS in system engineering from the University of Maryland, Baltimore County (UMBC). He holds the following certifications: Cisco Certified Network Professional (CCNP), Certified Information Systems Security Professional (CISSP), CompTIA Security+, Brocade Certified Network Professional (BNCP), and ITIL v3.

William Wilson is a senior network engineer with 20 years of information technology experience. He is responsible for the design, implementation, and maintenance of campus, WAN, and data center networks. William completed his undergraduate degree in mathematics at the University of Colorado and obtained his MS and doctoral degrees in computer science from Colorado Technical University. He holds the following certifications: Cisco Certified Network Professional (CCNP), Cisco Certified Security Professional (CCSP), Certified Information Systems Security Professional (CISSP), CompTIA Security+, CompTIA A+, Certified Ethical Hacker (CEH), Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Solutions Developer (MCSD), and Microsoft Certified Database Administrator (MCDBA). He has passed the written portion of the CCIE certification and is studying for the practical lab component.

Richard Bedwell (CCNP, CCDP, JNCIS) has worked for the US Department of Defense for more than 10 years, supporting network administration, security, and engineering in multiple environments and locations throughout the world. He has provided maintenance, configuration, operational support, and engineering for voice, video, and data networks using multiple vendor solutions for LAN, CAN, MAN, and WAN networks, primarily on Cisco devices. Richard has a degree in business administration (BA), with a focus on Management Information Systems (MIS), from Tennessee Technological University in Cookeville. He holds the following certifications: Cisco Certified Network Associate (CCNA), CCNA Voice, CCNA Security, CCNA Wireless, Cisco Certified Design Associate (CCDA), Cisco Certified Network Professional (CCNP), Cisco Certified Design Professional (CCDP), CompTIA Security+, CompTIA Security+ CE, Juniper Networks Certified Internet Specialist (JNCIS), and ITIL v3 Foundations.

  

Noel Rivera is an IP lead analyst at CACI International, Inc. He was formerly a network systems engineer at Lockheed Martin and the US Department of Defense. Rivera has a bachelor's degree in electrical and computer engineering from the University of Puerto Rico at Mayaguez, and master's degrees in electrical, electronics and communications engineering and in computer science, both from Johns Hopkins University. He holds the following certifications: Cisco Certified Network Professional Routing and Switching/Security (CCNP), Certified Information Systems Security Professional (CISSP), VMware Certified Professional 5 Data Center Virtualization (VCP5-DCV), CompTIA Security+, Certified Ethical Hacker (CEH), Cisco Certified Design Professional (CCDP), and Cisco ASA Specialist.

About the Technical Reviewer

Evan Kwisnek currently works as a senior IT instructor for Wavefront Technologies, Inc. He is responsible for training and preparing DoD and military personnel to install, configure, and maintain global enterprise networks. He specializes in training individuals to integrate Voice over IP, video, and data networks with global reach-back capabilities. When not actively training, Evan provides technical and developmental support for training and documentation efforts. Evan previously served in the United States Army, where he was an electronics technician. Evan holds numerous certifications from vendors such as Cisco, CompTIA, VMware, and Microsoft.

  Acknowledgments

First, I would like to thank God for giving me the strength to complete the large task of writing a book. I would like to thank my loving wife, Genna, for the support while I spent countless hours writing this book. Many thanks also must go out to my co-authors for contributing to this work. Thanks must also be given to my parents, Taylor and Lisa, and sister, Breanna, for all the support you have given me and the importance you have placed on higher education. To my colleague Kelvin "KJ" Johnson, thanks for testing my labs and providing feedback, and Dieter, thanks for the support. And to my technical reviewer, Evan Kwisnek, thank you for all the feedback on the content and exercises in the book; this book is better because of your diligent reviews. I would like to send a big thanks to my publisher, Apress, for taking my book proposal and guiding me through the writing process. For anyone I missed, thank you all for your support and for helping me become a better engineer! Last but not least, I can't forget Bowman.

—Chris Carthern

  Introduction

Do you want to become a better and more efficient network engineer? If you answered yes to that question, then Cisco Networks: Engineers' Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA is for you. You will learn intermediate and advanced concepts of configuring, managing, and troubleshooting Cisco networks. Most chapters provide examples of configuring network devices and include exercises to reinforce the concepts that were covered. Each exercise also includes a step-by-step solution, in case you are not able to solve the problem on your own.

This book is meant to be a configuration guide, not a certification guide, with an emphasis on solving real-world day-to-day challenges. Although it is not focused on certifications, readers will learn the skills and concepts needed to pass the Cisco CCENT, CCNA, and CCNP certification exams. Readers will also learn how to build and configure at-home labs using virtual machines, and will work through lab exercises to practice advanced Cisco commands.

This book differentiates itself from other Cisco books on the market by approaching network security from a hacker's perspective. Not only does it provide network security recommendations, it also teaches you how to use tools such as oclHashcat, Loki, Burp Suite, Scapy, Metasploit, and Kali to actually test the security concepts you have learned. It brings in the black-hat perspective that most network engineers lack unless they have worked as network penetration testers. Cisco Networks not only discusses security but also provides the how-to on using these tools for network security testing.

The goal of this book is to eliminate the need to have three or four books in your library. The book covers commands related to Cisco IOS, NX-OS for data center installations, and ASA configurations. If you are a network engineer, or aspiring to be one, this book is for you.

Now on to Chapter 1.

CHAPTER 1

Introduction to Practical Networking

Chapter 1 begins by discussing a few of the tools that you will use throughout the book. Next, we cover the beloved OSI model and discuss how it relates to networking. We talk about all seven layers of the OSI model. Then we move on to the TCP/IP model and show its relation to the OSI model. We end the chapter by discussing well-known port numbers, the different types of networks, and Cisco's hierarchical internetwork model.

So you want to become a good network engineer? Let us give you some advice: do not believe that you know everything there is to know about networking. No matter what certifications or years of experience you have, there will always be gaps in your knowledge, and there will always be people who know about, or have experienced, issues that you have not. Troubleshoot issues systematically from layer to layer. Use your resources, such as this book! You can never have too many resources in your toolbox. Do not be afraid to ask for help, and do not be ashamed because you cannot resolve a problem. That is why we have teams of engineers: everyone has their own expertise, and we must use each to our advantage. Remember that when dealing with networks it is always better to have a second pair of eyes and another brain to help resolve issues quickly. This will save you time and stop you from working in circles. Want to know how you can become a good network engineer? Start by reading this book and completing the lab exercises to reinforce what you have learned. The rest will come from experience on the job. Practice makes perfect!

Tools of the Trade

How do you practice in a lab setting? Not all of us can buy our own network equipment and build our own lab environment. Nothing beats configuring and testing real equipment, which can be bought secondhand on eBay. There are also many tools that can be used to simulate routers in a virtual environment. Because all of the devices are virtual, they come with limitations on what you can do with them. These limitations are discussed in Appendix A.