Cisco networks engineers handbook of routing, switching, and security with IOS, NX OS, and ASA

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (20.44 MB, 856 trang )

T HE E X P ER T ’S VOIC E ® IN NE T WOR K ING

Cisco Networks
Engineers’ Handbook of Routing,
Switching, and Security with
IOS, NX-OS, and ASA
—
Chris Carthern
Will Wilson
Noel Rivera
Richard Bedwell

Cisco Networks
Engineers’ Handbook of Routing,
Switching, and Security with IOS,
NX-OS, and ASA

Chris Carthern
William Wilson
Richard Bedwell
Noel Rivera

Cisco Networks: Engineers’ Handbook of Routing, Switching, and Security with IOS,
NX-OS, and ASA
Copyright © 2015 by Chris Carthern, William Wilson, Richard Bedwell, and Noel Rivera
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now

known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with
reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed
on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or
parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its
current version, and permission for use must always be obtained from Springer. Permissions for use may be
obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under
the respective Copyright Law.
ISBN-13 (pbk): 978-1-4842-0860-1
ISBN-13 (electronic): 978-1-4842-0859-5
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol
with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only
in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are
not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director: Welmoed Spahr
Acquisitions Editor: Robert Hutchinson
Developmental Editor: Douglas Pundick
Technical Reviewer: Evan Kwisnek
Editorial Board: Steve Anglin, Pramilla Balan, Louise Corrigan, James DeWolf, Jonathan Gennick,
Robert Hutchinson, Celestin Suresh John, Michelle Lowman, James Markham, Susan McDermott,
Matthew Moodie, Jeffrey Pepper, Douglas Pundick, Ben Renow-Clarke, Gwenan Spearing
Coordinating Editor: Rita Fernando
Copy Editor: Kim Burton-Weisman
Compositor: SPi Global

Indexer: SPi Global
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail
, or visit www.springer.com. Apress Media, LLC is a California LLC and the
sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance
Inc is a Delaware corporation.
For information on translations, please e-mail , or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use.
eBook versions and licenses are also available for most titles. For more information, reference our Special
Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.
Any source code or other supplementary materials referenced by the author in this text is available to
readers at www.apress.com. For detailed information about how to locate your book’s source code, go to
www.apress.com/source-code/.

Dedicated to my parents, wife, and sister with love.
—Chris Carthern

Contents at a Glance
About the Authors��xxv
About the Technical Reviewer��xxvii
Acknowledgments��xxix
Introduction��xxxi
■Chapter
■
1: Introduction to Practical Networking�� 1
■Chapter
■
2: The Physical Medium�� 23

■Chapter
■
3: Data Link Layer�� 35
■Chapter
■
4: The Network Layer with IP�� 49
■Chapter
■
5: Intermediate LAN Switching�� 69
■Chapter
■
6: Routing�� 93
■Chapter
■
7: VLANs, Trunking, VTP, and MSTP�� 149
■Chapter
■
8: Basic Switch and Router Troubleshooting�� 187
■■Chapter 9: Network Address Translation and Dynamic
Host Configuration Protocol�� 255
■Chapter
■
10: Management Plane�� 273
■Chapter
■
11: Data Plane�� 297
■Chapter
■
12: Control Plane�� 319
■Chapter

■
13: Introduction to Availability�� 383
■Chapter
■
14: Advanced Switching�� 407
■Chapter
■
15: Advanced Routing�� 425

v

■ Contents at a Glance

■Chapter
■
16: Advanced Security�� 481
■Chapter
■
17: Advanced Troubleshooting�� 555
■Chapter
■
18: Effective Network Management�� 623
■Chapter
■
19: Data Center and NX-OS�� 649
■Chapter
■
20: Wireless LAN (WLAN)�� 689
■Chapter

■
21: ASA and IDS�� 715
■Chapter
■
22: Introduction to Network Penetration Testing�� 759
■Chapter
■
23: Multiprotocol Label Switching�� 773
Index�� 825

vi

Contents
About the Authors��xxv
About the Technical Reviewer��xxvii
Acknowledgments��xxix
Introduction��xxxi
■Chapter
■
1: Introduction to Practical Networking�� 1
Tools of the Trade�� 1
Open Systems Interconnection (OSI) Model�� 2
Physical Layer�� 5
Data Link Layer�� 6
Network Layer�� 7
Transport Layer�� 7
Connection-Oriented�� 8

Session Layer�� 8

Presentation Layer�� 9
Application Layer�� 9
The OSI Model: Bringing It All Together�� 9

TCP/IP Protocol�� 11
TCP/IP Application Layer�� 12
TCP/IP Transport Layer�� 12
TCP/IP Internet Layer�� 13
TCP/IP Network Interface Layer�� 14
Reliability�� 15
Three-Way Handshake and Connection Termination�� 16
User Datagram Protocol�� 17
vii

■ Contents

Port Numbers�� 18
Types of Networks�� 19
Personal Area Network�� 19
Local Area Network�� 19
Campus Area Network�� 19
Metropolitan Area Network�� 19
Wide Area Network�� 20
Wireless Wide Area Network�� 20
Virtual Private Network�� 20

Hierarchical Internetwork Model�� 21
Summary�� 22
■Chapter

■
2: The Physical Medium�� 23
The Physical Medium�� 23
Standards�� 24
Cables�� 25
Twisted Pair Cable�� 25
Coaxial Cable�� 27
Fiber Optical Cabling�� 28
Fiber Optic Transmission Rates�� 28
Wireless Communication�� 29

The Ethernet�� 29
Duplex�� 30
Time-Division Duplexing�� 31
Frequency-Division Duplexing�� 31

Autonegotiation�� 31
Unidirectional Link Detection�� 32
Common Issues�� 33
Duplex Mismatch�� 33
Bad Connector Terminations�� 33

Summary�� 33
viii

■ Contents

■Chapter
■

3: Data Link Layer�� 35
Protocols�� 35
The Address Resolution Protocol (ARP) �� 35
The Reverse Address Resolution Protocol (RARP)�� 38

Link Layer Functions�� 38
Framing�� 38
Addressing�� 38
Synchronizing�� 39
Flow Control�� 39

Link Layer Discovery Protocol (LLDP)�� 40
Class of Endpoints�� 40
LLDP Benefits�� 41

Cisco Discovery Protocol (CDP)�� 44
Summary�� 48
■Chapter
■
4: The Network Layer with IP�� 49
IP Addressing (Public vs. Private)�� 50
Public�� 50
Private�� 50

IPv4�� 50
Class A�� 51
Class B�� 51
Class C�� 51
IPv4 Packet Header�� 52

IPv6�� 53
IPv6 Packet Header�� 54

Classless Inter-Domain Routing�� 55
Subnetting�� 55
Subnet Mask�� 56

Variable Length Subnet Masking�� 59
Classful Subnetting�� 61
ix

■ Contents

Subnetting Exercises�� 62
Subnetting Exercise Answers�� 65
Exercise 1 Answers�� 65
Exercise 2 Answers�� 66
Exercise 3 Answers�� 67
Exercise 4 Answers�� 67

Summary�� 68
■Chapter
■
5: Intermediate LAN Switching�� 69
Configuration Help�� 72
Displaying the Running Configuration�� 73
Configuring the Router�� 74
Switching�� 76
EtherChannel�� 76

Spanning Tree Protocol�� 81
Why Do You Need STP?�� 81
How STP Works�� 81
Bridge Protocol Data Units�� 81
Rapid Spanning Tree Protocol�� 82

Exercises�� 86
Exercise Answers�� 87
Exercise 1�� 87
Exercise 2�� 88
Exercise 3�� 89

Summary�� 91
■Chapter
■
6: Routing�� 93
Static Routing�� 93
The Process of Routing�� 94
Default Routing�� 98
Testing Connectivity�� 98

x

■ Contents

Dynamic Routing Protocols�� 100
Distance-Vector Routing Protocol�� 100
Link-State Routing Protocol�� 101
Hybrid Routing Protocol�� 102

RIP�� 102
Configuration�� 103
Authentication�� 104

EIGRP�� 108
OSPF�� 114
Configuring OSPF�� 117
Router ID�� 123

BGP�� 123
BGP Configuration�� 124

Administrative Distance�� 129
RIP�� 129
EIGRP�� 130
OSPF�� 130
BGP�� 131

Exercises�� 131
Exercise Answers�� 134
Exercise 1�� 134
Exercise 2�� 136
Exercise 3�� 138
Exercise 4�� 141
Exercise 5�� 146

Summary�� 147

xi

■ Contents

■Chapter
■
7: VLANs, Trunking, VTP, and MSTP�� 149
Virtual Logical Network (VLAN)�� 149
VLAN Configuration�� 150

Trunking�� 155
Trunk Configuration�� 157
Routing Between VLANs�� 159
Routing VLANs Configurations�� 160

VLAN Trunking Protocol�� 162
VTP Modes�� 162

Multiple Spanning Tree Protocol�� 165
MSTP Configuration�� 167

Exercises�� 172
Exercise Answers�� 176
Exercise 1�� 176
Exercise 2�� 180
Exercise 3�� 181

Summary�� 185
■Chapter
■

8: Basic Switch and Router Troubleshooting�� 187
Troubleshooting 101�� 187
Documenting Your Network�� 187

First Things First: Identify the Problem�� 188
Top-Down Approach�� 189
Bottom-Up Approach�� 190

Physical Medium and Ethernet�� 191
VLANs and Trunks�� 194
EtherChannel�� 198
VTP�� 200
Spanning Tree�� 202

xii

■ Contents

Routing�� 205
Static Routing�� 205

Dynamic Routing�� 208
RIP�� 208
EIGRP�� 212
OSPF�� 219
BGP�� 227

Exercises�� 232
Exercise Answers�� 239

Exercise 1�� 239
Exercise 2�� 240
Exercise 3�� 243
Exercise 4�� 246
Exercise 5�� 248
Exercise 6�� 250
Exercise 7�� 252

Summary�� 254
■■Chapter 9: Network Address Translation and Dynamic
Host Configuration Protocol�� 255
NAT�� 255
Static Nat�� 256
Dynamic NAT�� 257
Port Address Translation (PAT)�� 258

DHCP�� 261
DHCP Process�� 261
Setting up a Router As a DHCP Client�� 262
Setting up a Router to Send a Request to a DHCP Server�� 262
Setting up a Router As a DHCP Server�� 263

Exercises�� 265

xiii

■ Contents

Exercise Answers�� 267

Exercise 1�� 267
Exercise 2�� 268
Exercise 3�� 269
Exercise 4�� 270

Summary�� 272
■Chapter
■
10: Management Plane�� 273
The Management Plane Defined�� 273
Authentication and Authorization Basics�� 274
User Accounts�� 276

Password Recovery�� 277
Banners�� 279
Management Sessions�� 280
Telnet�� 280
SSH�� 281
Console and Auxiliary Lines�� 282

Disabling Services�� 283
Disabled Services�� 283
Disabled Services on Interfaces�� 284

Authentication, Authorization, and Accounting (AAA)�� 284
RADIUS�� 285
TACACS+�� 287

Monitoring/Logging�� 288
Simple Network Management Protocol�� 288

syslog�� 291

Exercises�� 293
Exercise Answers�� 295
Exercise 1 �� 295
Exercise 2�� 296
Exercise 3�� 296

Summary �� 296
xiv

■ Contents

■Chapter
■
11: Data Plane�� 297
Traffic Protocols�� 297
Filters and Introduction to Data Plane Security�� 299
State Machines�� 302
Stateful Protocols�� 306
Stateless Protocols�� 310
NetFlow and sFlow�� 311
Exercises�� 315
Summary�� 317
■Chapter
■
12: Control Plane�� 319
Layer 2�� 319
Routing Protocols�� 322

Interior Gateway Protocols�� 323
Exterior Gateway Protocols�� 340

Protocol Independent Multicasting �� 347
Domain Name System�� 351
Network Time Protocol�� 354
Exercises�� 358
Preliminary Work�� 358
OSPF�� 360
BGP�� 361
NTP�� 361
EIGRP Named Mode with Authentication�� 362
Multicast�� 362

Exercise Answers�� 362
Preliminary Configuration�� 362
OSPF�� 366
BGP�� 369

xv

■ Contents

NTP�� 375
EIGRP Name Mode with Authentication�� 377
Multicast�� 378

Summary �� 381
■Chapter

■
13: Introduction to Availability�� 383
High Availability�� 383
First Hop Redundancy Protocol (FHRP)�� 384
HSRP�� 384
VRRP�� 388
GLBP�� 390

Multilinks�� 394
Availability Exercises�� 396
Exercise Answers�� 399
Exercise 1�� 399
Exercise 2�� 401
Exercise 3�� 402
Exercise 4�� 405

Summary �� 406
■Chapter
■
14: Advanced Switching�� 407
Port Security�� 407
DHCP Snooping�� 409
HSRP�� 409
VRRP�� 411
Server Load Balancing (SLB)�� 414
TFTP�� 415
IOS Switch Upgrade�� 416
Password Recovery�� 416
Virtual Switching Systems (VSS)�� 418

xvi

■ Contents

Advanced Switching Exercises�� 421
Advanced Switching Exercise Answers�� 422
Exercise 1�� 422
Exercise 2�� 423

Summary�� 423
■Chapter
■
15: Advanced Routing�� 425
Policy-Based Routing Using Route Maps�� 425
Redistribution�� 428
RIP Redistribution Overview�� 429
EIGRP Redistribution Overview�� 429
OSPF Redistribution Overview�� 431
BGP Redistribution Overview�� 432
Avoiding Loops and Suboptimal Routing�� 433

EIGRP�� 434
Unicast�� 435
Summarization�� 435
Load Balancing�� 436
EIGRP Stub�� 436
Traffic Engineering with EIGRP�� 436
Authentication�� 437

Multiarea and Advanced OSPF�� 438
Summarization�� 440
OSPF Stub�� 440
Cost Manipulation�� 441
OSPF Virtual Link�� 441
Authentication�� 443

BGP�� 443
Address Families�� 443
Peer Groups and Templates�� 444
Dynamic Neighbors�� 446

xvii

■ Contents

Next Hop Issues with iBGP�� 448
Anycast�� 448
Traffic Engineering with BGP�� 449

IPv6 Routing�� 451
EIGRPv6�� 453
OSPFv3�� 456

GRE Tunnels�� 458
BGP Issues�� 460

IPSec�� 461
IOU8 Configuration�� 463

IOU9 Configuration�� 465

Advanced Routing Exercises�� 466
Exercise 1: EIGRP and OSFP Redistribution�� 466
Exercise 2: GRE and IPSEC�� 467
Exercise 3: BGP�� 467
Exercise 4: IPv6 OSPF and EIGRP Redistribution�� 468

Exercise Answers�� 469
Exercise 1�� 469
Exercise 2�� 470
Exercise 3�� 473
Exercise 4�� 476

Summary�� 479
■Chapter
■
16: Advanced Security�� 481
Owning Your Spanning Tree�� 482
Securing Your Trunks and Ports�� 499
802.1x (dot1x)�� 506
Examples Using OpenSSL to Generate Signed Certificates�� 520

CDP and LLDP�� 523
ARP the Way to IP�� 530

xviii

■ Contents

Private VLANs�� 536
Use Case�� 536
Promiscuous vs. Community vs. Isolated�� 537
Configuration�� 537
Using Extended ACLs, PACL, and VACL�� 539
VACL�� 540
PACL�� 541

AAA�� 542
Use Case�� 542
Console�� 542
AUX Port�� 542
VTY Ports�� 543
Local Authentication and Authorization�� 543
Remote AAA (TACACS, RADIUS)�� 543
Configuration�� 543

Advanced Security Exercises�� 550
Exercise 1: Extended ACL Exercises�� 550
Exercise 2: AAA Exercises�� 550

Exercise Answers�� 551
Exercise 1�� 551
Exercise 2�� 552

Summary�� 553
■Chapter
■
17: Advanced Troubleshooting�� 555

Access Control List�� 555
VACL�� 558
PACL�� 559
Network Address Translation�� 559
Static NAT�� 560
Dynamic NAT�� 565
Overload�� 569

xix

■ Contents

HSRP, VRRP, and GLBP�� 571
HSRP�� 572
VRRP�� 573

EIGRP�� 576
OSPF�� 580
BGP�� 583
Neighbor Relationships�� 583
Missing Prefixes�� 585

Route Redistribution�� 590
EIGRP�� 590
OSPF�� 593

GRE Tunnels�� 596
Recursive Routing�� 599

IPSec�� 599
IPv6�� 602
Advanced Troubleshooting Exercises�� 611
Exercise Answers�� 616
Exercise 1�� 616
Exercise 2�� 618

Summary�� 621
■Chapter
■
18: Effective Network Management�� 623
Logs�� 623
Simple Network Management Protocol�� 625
Service Level Agreements and Embedded Event Manager�� 631
sFlow and Netflow Tools�� 634
Intrusion Detection and Prevention Systems�� 638
Management and Design of Management Data�� 640

xx

■ Contents

Exercises�� 644
syslog�� 644
SNMP�� 644
Service Policy�� 645

Exercise Answers�� 645
Initial Configuration�� 645

syslog�� 646
SNMP�� 647
Service Policy�� 647

Summary �� 648
■Chapter
■
19: Data Center and NX-OS�� 649
NX-OS�� 649
SSH and Telnet�� 651
User Accounts�� 652

VLAN�� 653
Configuring a Non-Routed VLAN�� 653
Configuring a VLAN As a Routed Switched Virtual Interface (SVI)�� 653

VLAN Trunking Protocol�� 654
EIGRP�� 655
OSPF�� 659
BGP�� 663
Port Channels�� 665
Port Profiles�� 671
FEX�� 671
First Hop Redundancy Protocols�� 672
HSRP�� 672
VRRP�� 674
GLBP�� 675

xxi

■ Contents

Network Virtualization�� 679
Virtual Device Context (VDC)�� 679
Virtual Port Channel (vPC)�� 680
Virtual Routing and Forwarding (VRF) Lite�� 681

NX-OS Exercise�� 685
Exercise Answer�� 686
Summary�� 688
■Chapter
■
20: Wireless LAN (WLAN)�� 689
Wireless LANs (WLANs)�� 689
Wireless Standards�� 689
Wireless Components�� 690
Wireless Access Points�� 690
Wireless Controllers/Switches�� 690
Wireless Bridges�� 691
Wireless Repeaters�� 691
Wireless Antennas�� 691

Installing a WLAN�� 692
Wireless Site Survey�� 692
Range, Signal Strength, and Performance�� 693
Access Point Installation�� 693
Access Point Configuration�� 694
WLAN Controller Installation�� 701
WLAN Controller Configuration�� 702

Security�� 707
Encryption and Authentication�� 707
Threats and Vulnerabilities�� 712

Wireless Exercise�� 713
Exercise Answers�� 713
Summary�� 714

xxii

■ Contents

■Chapter
■
21: ASA and IDS�� 715
Testing Policies in Safe Environment�� 715
Initial Setup�� 716
Baseline the Network�� 725
Access Rules�� 731
Open Services�� 733
Anti-Spoofing�� 735
Fragmentation�� 737
Designing Service Policies�� 738
Passwords�� 739

■Chapter
■
22: Introduction to Network Penetration Testing�� 759

Overview�� 759
Reconnaissance and Scanning�� 760
Vulnerability Assessment�� 763

Exploitation�� 767
Summary�� 772
■Chapter
■
23: Multiprotocol Label Switching�� 773
Multiprotocol Label Switching Basics�� 773
Label Protocols�� 780
LDP Security and Best Practices�� 782
LDP Verification�� 786

MPLS VPN�� 788
Site-to-Site VPN�� 790
Shared Extranet�� 800
Leaking Prefixes�� 803

xxiii

■ Contents

IPv6 over MPLS�� 806
Exercises�� 809
MPLS Backbone�� 810
Site-to-Site VPN�� 811
Leak to Customer B�� 811
Tunneling IPv6�� 812

Exercise Answers�� 812
MPLS Backbone�� 813
Site-to-Site VPN�� 815
Leak to Customer B�� 818
Tunneling IPv6�� 821

Summary�� 823
Index�� 825

xxiv

About the Authors
Chris Carthern (CCNP, CISSP) is a senior network engineer for the US
Department of Defense. He is responsible for analyzing, designing, installing,
configuring, maintaining, and repairing Cisco network infrastructure and
application components, and for training and mentoring junior network
engineers and preparing them for Cisco and CISSP certification exams.
Carthern took his BS (honors) in computer science from Morehouse College
and his MS in system engineering from the University of Maryland, Baltimore
County (UMBC). He holds the following certifications: Cisco Certified
Network Professional (CCNP), Certified Information Systems Security
Professional (CISSP), CompTIA Security+, Brocade Certified Network
Professional (BNCP), and ITIL v3.

William Wilson is a senior network engineer with 20 years of information technology experience. He is
responsible for design, implementation, and maintenance of campus, WAN, and data center networks.
William completed his undergraduate degree in Mathematics at University of Colorado, and obtained his
MS and doctoral degrees in computer science from Colorado Technical University. He holds the following

certifications: Cisco Certified Network Professional (CCNP), Cisco Certified Security Professional (CCSP),
Certified Information Systems Security Professional (CISSP), CompTIA Security+, CompTIA A+, Certified
Ethical Hacker (CEH), Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Solutions
Developer (MCSD), and Microsoft Certified Database Administrator (MCDBA). He passed the written
portion of the CCIE certification and he is studying for the practical lab component.

Richard Bedwell (CCNP, CCDP, JNCIS) has worked for the US
Department of Defense for more than 10 years, supporting network
administration, security, and engineering in multiple environments
and locations throughout the world. He has provided maintenance,
configuration, operational support, and engineering in voice, video, and
data networks using multiple vender solutions for LAN, CAN, MAN, and
WAN networks, primarily using Cisco Devices. Richard has a degree in
business administration (BA), with a focus on Management Information
Systems (MIS), from Tennessee Technological University in Cookeville.
He holds the following certifications: Cisco Certified Network Associate
(CCNA), CCNA Voice, CCNA Security, CCNA Wireless, Cisco Certified
Design Associate (CCDA), Cisco Certified Network Professional (CCNP),
Cisco Certified Design Professional (CCDP), CompTIA Security+,
CompTIA Security+ CE, Juniper Network Certified Internet Specialist
(JNCIS), and ITILv3 Foundations.

xxv

Cisco networks engineers handbook of routing, switching, and security with IOS, NX OS, and ASA

Tài liệu liên quan

Tài liệu bạn tìm kiếm đã sẵn sàng tải về