CCNA Security 210-260 (Santos & Stuppi): Ch01 Questions

I have been away from study as well as blogging for sometime due to my on-going health issues. This year alone, I’ve had three operations and have been off the tangent on my study. Actually, two but the last one was a spin-off of the second. The first was in May, embarrassing to say this but the operation was for hemorrhoidectomy and colonoscopy, it brought me down for about 3 weeks. Then 3 weeks ago, I’ve had a Tonsillectomy, I was so glad that I was finally saying good bye to my beloved 40 year old tonsillitis. Post operation, I was almost over the hill, then on the 14th day, a scab came off the operated part and started bleeding crazy. Last Sunday, I went into Emergency and after almost bleeding to death for 8 hours, the ENT specicialist decided to operate on me again under full anesthetics. I was out for another week and looking forward to going back to work tomorrow. Sadly, I felt the pain up the bumb as well as in the mouth this year. Hopefully, I can keep my promise to completed the CCNA Security 210-260 before the year end. ;).

For anyone who is also struggling with their study, keep your forcus and keep going until you see the end of the tunnel. Yes, there are many tunnels to crosss in our industry, if you stop, you might get run over by the traffic behind you, so keep moving. 🙂

To help the exam prep and also make some go to points, I will simply refer the questions from the books. Yes, I did purchased a hard copy to study for this exam, the videos are also also available from safaribooks.com (Santos & Stuppi videos). Older Barker version is available off torrent sites as form of cbtnugget videos. Love watching Keith Barker’s cbtnuggets, he is a true  legend!

1. Which security term refers to a person, property, or data of value to a company?
a. Risk
b. Asset
c. Threat prevention
d. Mitigation technique
B

2. Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
a. High availability
b. Liability
c. Threat prevention
d. Vulnerability
D

3. Which three items are the primary network security objectives for a company?
a. Revenue generation
b. Confidentiality
c. Integrity
d. Availability
B C D

4. Which data classification label is usually not found in a government organisation?
a. Unclassified
b. Classified but not important
c. Sensitive but unclassified
d. For official use only e. Secret
B
5. Which of the following represents a physical control?
a. Change control policy
b. Background checks
c. Electronic lock
d. Access lists
C

6. What is the primary motivation for most attacks against networks today?
a. Political
b. Financial
c. Theological
d. Curiosity
B

7. Which type of an attack involves lying about the source address of a frame or packet?
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack
D

8. Which two approaches to security provide the most secure results on day one?
a. Role based
b. Defense in depth
c. Authentication
d. Least privilege
B D

9. Which of the following might you find in a network that is based on a defense-in-depth security implementation? (Choose all that apply.)
a. Firewall
b. IPS
c. Access lists
d. Current patches on servers
A B C D

10. In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply.)
a. Ignore it
b. Transfer it
c. Mitigate it
d. Remove it
B C D

Advertisements

CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 4: Fundamentals of IP Security

Source: https://www.safaribooksonline.com/library/view/ccna-security-210-260

Lesson 4: Fundamentals of IP Security
4.1 IPsec Concepts, Components, and Operations
4.2 IKE version 1 Fundamentals
4.3 IKE version 2 Fundamentals

====================================================

4.1 IPsec Concepts, Components, and Operations

The Internet Key Exchange (IKE) Protocol
– IPsec uses IKE protocol to negotiate and establish secured site-to-site or remote access virtual private network (VPN) tunnels.

– IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

– In IKE Phase 1: IPsec peers negotiate and authenticate each other. In Phase 2, they negotiate keying materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.
Two versions of IKEs.
IKE v1: Defined in RFC 2409
IKE v2: Defined in RFC 4306

IKE Protocol Details:
– IKE v2 enhances the function of performing dynamic key exchange and peer authentication.
– IKE v2 simplifies the key exchange flows and introduces measures to fix vulnerabilities present in IKEv1.
– Both IKEv1 and IKEv2 protocols operate in two phases.
– IKEv2 provides a simpler and more efficient exchange.

 

4-1.jpg
4.2 IKE version 1 Fundamentals

IKEv1: Who begins the negotiation?
– The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those policies to see whether any of its own policies match the ones it just received.
– If there is a matching policy, the recipient of the negotiations sends back information about which received policy matches, and they use that matching policy for the IKE Phase 1 tunnel.

IKEv1 Phase 1
A handy way to recall the five pieces involved in the negotiation of the IKE Phase 1 tunnel, you might want to remember that the two devices HAGLE over IKE Phase 1:

H: Hash
A: Authentication Method
G: DH group (a stretch, but it works)
L: Lifetime of the IKE Phase 1 tunnel
E: Encryption algorithm to use for the IKE Phase 1 tunnel
The DH (Diffie-Hellman) Exchange
– Now having agreed to the IKEv1 Phase 1 policy of the peer, the two devices run the DH key exchange.
– They use the DH group (DH key size for the exchange) they agreed to during the negotiations, and at the end of this key exchange they both have symmetrical keying material (which is a fancy way of saying they both have the same secret keys that they can use with symmetrical algorithms).
– DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).
Authenticating the peer (last step in IKEv1 phase 1)
– The last step of IKE Phase 1 is to validate or authenticate the peer on the other side.
– For Authentication, they use whatever they agreed to in the initial proposal/policy, and if they successfully authenticate with each other, we now have an IKE Phase 1 tunnel in place between the two VPN gateways.
– The authentication could be done either using a PSK or using RSA digital signatures.

4-2a.jpg

Phase 1:
– The next step is to complete the IKEv1 Phase 2 negotiation.
– The entire conversation and negotiation of the IKEv1 Phase 2 tunnel are completely done in private because of the IKEv1 Phase 1 tunnel protection the negotiated traffic.
– The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
– The name of the mode for building the IKE Phase 2 tunnel is called “Quick Mode“.
4.3 IKE version 2 Fundamentals

What’s different in IKEv2?

* IKEv2 does not consume as much bandwidth as IKEv1.
* IKEv2 supports EAP authentication while IKEv1 doesn’t.
* IKEv2 supports the Mobility and Multi-homing (MOBIKE) protocol while IKEv1 doesn’t.
* IKEv2 has built-in NAT traversal while IKEv1 doesn’t.

** UDP port 4500 is used.
*** Protocol 50 (ESP) or 51 (AH)
*** NAT Transversal need to be used on UDP port 4500

IKEv2 Phase 2
* Phase 2 in IKEv2 is CHILD_SA (Child Security Association)
* The first CHILD_SA is the IKE_AUTH message pair.
* This phase is comparable to IKEv1 Phase 2.
* Additional CHILD_SA message pairs can be sent for rekey and informational messages.
* The CHILD_SA attributes are defined in the Data Policy.

 

 

CCNA Security 210-260: Module 1: Fundamentals of Network Security, Lession 1: Networking Security Concepts and Common Principles

Source: CCNA Security 210-260, https://www.safaribooksonline.com/library/view/ccna-security-210-260/

Lesson 1: Networking Security Concepts and Common Principles
1.1 Understanding Network and Information Security Basics
1.2 Confidentiality, Integrity, and Availability
1.3 Classifying Assets
1.4 Types of Security Vulnerabilities
1.5 Classifying Countermeasures
1.6 Attack Methods & Vectors
1.7 Applying Fundamental Security Principles To Network Design
1.8 Understanding the Security Attack Surface in Different Network Typologies

================================================================

1.1 Understanding Network and Information Security Basics
Introduction
– Attacks are more targeted and sophisticated
– Custom malware created even at the victim’s site
– More organized attack campaigns

Every organization, individual or system is a target. Doesn’t matter the size/country/who.
You are a target, attackers are always target to steal:
– Intellectual Property
– Personal Information
– Distributed Development (source code)

Recent evolution of threats:
– Custom malware is being deployed
– Multiple bad actors are present simultaneously
– Attached infrastructure is a platform for the next attack
– Many are blind to network malfeasance
– Some are conceding loss of control
– Denial of Service can be a precursor to damage
– Undetected communication to embargoed countries

Today’s reality:
– Over 75% of attacks start extracting data within minutes.
– Over 50% of attacks are left undetected for months, if at all
– Detection and response capabilities must change
Security professionals must understand what they are trying to protect… and from WHOM?
We need to think like actors and bad guys, try to understand all the threats happening now days.

The Industrialization of hacking: Cyber crime as a business. Often the criminals know about your network that you know.
Threats grow more sophisticated every day.
1990 – 2000 Viruses
1997 – Phishing, low sophistication,
2000 – 2005 Worms
2005 – Hacking becomes an Industry
2005 – today: Spyware and rootkits
2015 – APTs cyber ware
2016 – Sophisticated attacks, attack as service
2020 – ???

“Criminals know more about your network than you do”
Initial malware may remain dormant for months to learn vulnerabilities and network custom malware developed to attack after learning your vulnerabilities.

Typical stages of a data breach:

1-1

What is a vulnerability?
A vulnerability is an exploitable weakness in a system or its design. Vulnerabilities can be found in protocols, operating systems, applications, and system designs.

What is a threat?
A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited or, more importantly, it has not yet publicly known, the threat is not yet realized.
If someone is actively launching an attack against your system and successfully accesses something or compromises your security against an asset, the threat is realized.

What is a countermeasure?
A countermeasure is a safeguard that somehow mitigates a potential risk. It does so by either reducing or eliminating the vulnerability, or at least reduces the likelihood of the threat agent to actually exploit the risk.

 

1.2 Confidentiality, Integrity, and Availability

CIA concept:

2-1

Confidentiality means that only the authorized individuals/systems can view sensitive or classified information. This also implies that unauthorized individuals should not have any type of access to the data.

Integrity applies to systems and data. For data means that changes made to data are done only by authorized individuals/systems. Corruption of data is a failure to maintain data integrity.

Availability also applies to systems and to data. If the network or its data is not available to authorized users the impact may be significant to organizations and users who rely on that network as a business tool. The failure of a system, to include data, applications, devices, and networks, generally equates to loss of revenue.

 

1.3 Classifying Assets

What is an Asset?

An asset is an item that is to be protected and can include property, people and information/data that have value to the company.

This includes intangible items such as proprietary information or trade secrets and the reputation of the company.

The data could include company records, client information, proprietary software, and so on.

Asset classifications:

Type of classification Calssification
Governmental classifications * Unclassified
* Sensitive but unclassified (SBU)
* Confidential
* Secret
* Top secret
Private sector classifications * Public
* Sensitive
* Private
* Confidential
Classification criteria * Value
* Age
* Replacement cost
*Useful lifetime
Classification roles * Owner (the Group ultimately responsible for the data, usually senior management of a company)

* Custodian (the group responsible for implementing the policy as dictated by the owner)

* User (those who access the data and abide by the rules of acceptable use for the data)


1.4 Types of Security Vulnerabilities

Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.

Different types of security vulnerabilities

  • Policy flaws
  • Design errors
  • Protocol weaknesses
  • Misconfiguration
  • Software vulnerabilities
  • Human factors (weakest link, social engineering)
  • Malicious software
  • Hardware vulnerabilities
  • Physical access to network resources

 

Buffer overflows

  • Buffer
    • Data Container
  • Buffer overflow:
    • Stuffing too much data into a data container
    • Data written beyond the container overwrites other data and/or control information

 

Instruction Pointer (EIP)

  • Holds address of next instruction to execute
  • Is impacted by jumps, branches and returns
  • Is only valid if pointing to an executable memory region

 

What is the stack?

  • Holds all local variables and parameters used by any function
  • Remembers the order in which functions are called so the function returns correctly
  • When a function is called, local variables and parameters are “pushed” onto the stack
  • When the function returns, these locals and parameters are “popped” off of the stack

 

What does main’s frame look like on the stack?

What happens when we put more than 512 bytes in mybuffer[]?

What does main’s frame look like on the stack? We overwrite saved EBP, EIP, and more.

 

Target: EIP

Goal: Control execution flow

  • locate saved EIP
  • place a favorable address in the saved EIP
  • Don’t crash

 

Cross Site Scripting (XSS)

  • XSS is the ability to execute Javascript code within the Browser’s Document Object Model (DOM)
    • In non-web-tech-speak: Run scripts in the user’s context
    • The web application does not “taint” the data before it is stored and/or reflected back to the end user
  • Stored SSX:
    • Web application stores the attack in the database for later display
    • Common to attack multiple users on forums, etc
  • Reflected XSS:
    • Immediately attack the user based on input
    • Typically performed with social engineering when an XSS vulnerability is discovered on a trusted website

What is the threat from XSS?

  • Cookie stealing
  • Browser control
  • Forced actions (CSRF)
  • Enhanced social engineering

 

XSS “Cousin”: CSRF

  • Cross site request forgery
  • Exploits the trust a site has in a users browser
    • Typically uses social engineering or XSS to lure a user
  • Some mitigation:
    • Don’t allow “blind submissions” — Use a secret token
    • Check the refer header

<img src=”http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory”&gt;

 

SQL Injection

  • Dynamic web applications require database back ends
  • Developers don’t always sanitize user input before using it in SQL Queries

 

Additional Vulnerability categories

https://www.owasp.org/index.php/Category:Vulnerability

 

1.5 Classifying Countermeasures

        Classifying controls & countermeasures

1-5

Administrative Controls

  • These consist of written policies, procedures, guidelines and standards
    • Examples:
      • written acceptable use policy (AUP)
      • change control process that needs to be followed when making changes to the network
  • Administrative controls could involve items such as background checks for users

 

Physical Controls

Physical security for the network servers, equipment, and infrastructure.

Examples:

  • Door locks, gates, badge access
  • Cameras
  • a redundant system like an uninterruptible power supply

 

Logical Controls

  • These consist of passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on.
  • Logical controls are often referred to as technical controls.

 

1.6 Attack Methods & Vectors

Attack methods

Most attackers do not want to be discovered and so they use a variety of techniques to remain in the shadows when attempting to compromise a network.

Attack methods: Reconnaissance

Used to find information about the network and the victim: Passive or Active

  • Passive: Studying user behaviors, social media etc.
  • Active: scans of the network to find out which IP addresses respond, and further scans to see which ports are open and what vulnerabilities are present.

This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Attack methods: Social Engineering

  • Targets the weakest link: the user.
  • If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance.

Examples:

  • Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
  • Pharming is used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Attack methods: Privilege Escalation

The process of taking some level of access (whether authorized or not) and achieving an even greater level of access.

Example: an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Attack methods: Backdoors

An application can be installed to either allow future access or to collect information to use in further attacks.

Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can be also be implemented as a result of a virus or a worm (often referred to as malware).

Attack methods: Remote code execution

  • One of the most devastating actions available to an attacker is the ability to execute code within a device.
  • Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.

Attack methods: Man-in-the-Middle Attacks

  • A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.
  • This can happen at Layer 2 or Layer 3.
  • The main purpose is eavesdropping, so the attacker can see all the traffic.

Attack methods: Denial-of-service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

  • When numerous or hundreds/thousands of systems send traffic to a victim and this produces a denial of service condition where the genuine users cannot access the site and unable to use the service. Covered in depth in lesson 2.

Attack methods: Botnet & Command & Control (CnC)

  • A botnet is group of private computers that are infected by malware and controlled by attacker, performing malicious activities. Some activities include, sending spams, carry on denial of service attacks from these private computers.
  • Bots are controlled by CnC (Command & Control) server. Historically the CnC control is operated over IRC (Internet Relay Chat), in recent times, CnC control can be done through TLS/SSH/IPSec tunnels. Also, twitter is used for CnC control environment. Infected machines are controlled by the bad actors to carry out specific attacks. Sending spam or steal information from victims.

 

1.7 Applying Fundamental Security Principles To Network Design

Examples of guidelines for secure network architecture:

  • Rule of least privilege – give a user or a system just enough privilege to carry out certain tasks
  • Defense in depth –  a layer approach on how to apply security within an organization
  • Separation of duties – a concept of having more than one person completing a task to prevent fraud, malicious activities or errors

 

Improving Security Posture:

1-7

 

1.8 Understanding the Security Attack Surface in Different Network Typologies

  • We need to understand security attack surface in different network typologies and environments, including BYOB (Bring Your Own Device), firewalls, Mobile device Management (MDM), Identity Management Systems (IDS) and other devices within security network environment. Different technologies covered in detail in later chapters.
  • DC environment – it is also important to understand different types of threats in DC’s. Example, The North-South traffic is the traffic carried to and from the data center and other parts of the network. On the other hand, the East-West traffics is referred to as lateral movement within the data center. Whenever there is a security compromise, it is important to know how traffics flow as often the traffic from the compromised machine traverses both from/to North-South and East-West directions.

 

 

 

Chasing Packets in GNS3 & Production Environment, Part 2: IOS Embedded Packet Capture & tee off to a TFTF server

aaa2

IOS Embedded Packet Capture Configuration in a nutshell:

r1#monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

r1#monitor capture point ip cef E0_0 e0/0 both

r1#monitor capture point associate E0_0 PAKCETBUFFER

r1#monitor capture point start E0_0

 

Generate some traffic: example showing ICMP traffic generation

aaa9

Generate some RTP traffic: example showing use of Cisco IP communicator in this lab

aaa11.png

 

r1#monitor capture point stop E0_0

r1#monitor capture buffer PAKCETBUFFER export tftp://172.168.10.10/mycapture.pcap

 

***You must specify the name of the file, otherwise the teeing off to TFTP server will not work!!!

 

aaa8

 

Example of ICMP traffic packet capture:

aaa10.png

 

Example of RTP traffic packet capture.

aaa7

 

 

=======================================================================

Actual configuration:

r1#monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

 

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 0

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Inactive

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

 

r1#mon cap point ip cef E0_0 e0/0 both

*Apr  5 07:30:22.526: %BUFCAP-6-CREATE: Capture Point E0_0 created.

 

r1#show mon cap point all

Status Information for Capture Point E0_0

IPv4 CEF

Switch Path: IPv4 CEF            , Capture Buffer: None

Status : Inactive

 

Configuration:

monitor capture point ip cef E0_0 Ethernet0/0.100 both

 

r1#mon cap point associate E0_0 PAKCETBUFFER

 

r1#show mon cap point all

Status Information for Capture Point E0_0

IPv4 CEF

Switch Path: IPv4 CEF            , Capture Buffer: PAKCETBUFFER

Status : Inactive

 

Configuration:

monitor capture point ip cef E0_0 Ethernet0/0.100 both

 

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 0

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Inactive

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

 

 

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 0

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Active

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 3

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Active

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 4

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Active

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 657

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Active

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

r1#mon cap point stop E0_0

r1#mon cap point stop E0_0

*Apr  5 07:34:11.582: %BUFCAP-6-DISABLE: Capture Point E0_0 disabled.

r1#show mon cap buffer PAKCETBUFFER parameters

Capture buffer PAKCETBUFFER (linear buffer)

Buffer Size : 2097152 bytes, Max Element Size : 128 bytes, Packets : 657

Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0

Associated Capture Points:

Name : E0_0, Status : Inactive

Configuration:

monitor capture buffer PAKCETBUFFER size 2048 max-size 128 linear

monitor capture point associate E0_0 PAKCETBUFFER

 

 

r1#show monitor capture buffer PAKCETBUFFER dump

07:33:16.228 UTC Apr 5 2016 : IPv4 LES CEF    : Et0/0.100 None

 

F4E2C230: AABBCC00 0100000C 2978156D 81000064  *;L…..)x.m…d

F4E2C240: 08004560 0034EE83 40007F06 1959C0A8  ..E`.4n.@….Y@(

F4E2C250: 640B8EC8 400B0570 07D079AA FEBF61F3  d..H@..p.Py*~?as

F4E2C260: 050A5018 FAC0BFD0 00000400 00001100  ..P.z@?P……..

F4E2C270: 00000000 000000                      …….

… Content omitted for brevity

 

 

r1#monitor capture buffer PAKCETBUFFER export ?

disk0:  Location to dump buffer

disk1:  Location to dump buffer

ftp:    Location to dump buffer

http:   Location to dump buffer

https:  Location to dump buffer

pram:   Location to dump buffer

rcp:    Location to dump buffer

scp:    Location to dump buffer

snmp:   Location to dump buffer

tftp:   Location to dump buffer

unix:   Location to dump buffer

 

r1#monitor capture buffer PAKCETBUFFER export tftp://172.168.10.10/mycapture.pcap

!

***You must specify the name of the file, otherwise the teeing off to TFTP server will not work!!!

 

Chasing Packets in GNS3 & Production Environment, Part 1: Capturing packets using built-in Live Wireshark Capture in GNS3 1.4.4

Why do you want to do this lab?

You can capture any interesting packets and analyse for your learning purpose, analyzing packet captures can give you the real inside of how the packets are working on the devices and on different segments of the network. Simply reading the books and learn about how packets work behind the scenes is a little like trying to learn something as if you are three wise monkeys (see no evil, hear no evil, speak no evil).

On the real production, you can use other methods to capture interesting packets. Some examples are IOS Embedded Packet capture and tee off the configuration to a TFTP server, use a sniffer using spanning port or remote spanning port. Also, use more advanced method of Cisco NAM (Network Analyzer).

In this part, I will quickly show you how to whiz up a simple lab and capture some packets on GNS3 and Wireshark live capture within, GNS3. In the next section, I will demonstrate IOS Embedded Packet capture and teeing off to a TFTP server. Lastly, I will demonstrate packet capturing using spanning port and remote span.

Prerequisite 1: GNS3 1.4.4 pre-installed on Windows PC/laptop

Prerequisite 2: IOU VM ova deployed and integrated with GNS3

Prerequisite 3: Familiar with VMware workstation and Windows loopback configuration

 

Topology:

aaa1

Step 1: Add devices as below and make all connections. When you add the devices, your GNS3 topology will look like this. Remember to use dummy switches to make connection between your virtual machines and your host PC loopback to your IOU switches.

aaa2.png

Step 2: Configure your routers and switches similar to the configuration found in  the attached zip file.

r1

r2

sw1

sw2

 

Step 3: Capture packets using various link positions

aaa3

aaa4

If you run into the following error, you will have to go to GNS3 setting and update the path of Wireshark.

aaa5

=> Error: SW3: Could not start the packet capture reader: [WinError 2] The system cannot find the file specified: None

Changing path in GSN3 preferences:

C:\Program Files\Wireshark\wireshark.exe” ==> C:\Program Files (x86)\Wireshark\wireshark.exe

 

Step 4: Wireshark will open automatically and start capturing all the traffic on the link you have selected.

e.g.) TCP/IP packet capture example

aaa6.png

e.g.) Voice packet capture using soft phones (On virtual machines) between two work stations and CUCM.

aaa7

Now you can set up any server and clients and study how TCP/IP, UDP work behind the scenes. Jump straight in and try to enjoy your study!

 

Note: This lab can be completed on a single PC, Save Electricity, save Money, save Time, SAVE THE PLANET.

 

 

 

Notes on Cisco QoS: Clearing the fog – Part 4. Modular QoS Lab

Lab topology:

Module QoS 2

How this lab can be configured in GNS3 on a single PC.

  • SW1 and SW2 is the local GNS3 switches, merely serving as a connector between PC1 and HTTP Server respectively. These dummy switches must be used while connecting virtual machines to GNS3 devices.

Module QoS 1

Step 1: Configure R1 and R2 to allow communication between the networks.

R1 base configuration:

hostname R1

interface FastEthernet0/0
ip address 192.168.30.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
clock rate 2000000
!
router eigrp 1
network 1.0.0.0
network 192.168.30.0
auto-summary

==============================================

R2 base configuration:

hostname R2

interface FastEthernet0/0
ip address 192.168.40.254 255.255.255.0
duplex auto
speed auto

router eigrp 1
network 1.0.0.0
network 192.168.40.0
auto-summary

==============================================

Step 2: Configure R1 with Access List, class-map and policy-map

access-list 200 permit icmp host 192.168.30.30 host 192.168.40.40 echo
access-list 200 permit icmp host 192.168.30.30 host 192.168.40.40 echo-reply
access-list 100 permit tcp any any eq www

class-map match-all WEB_TRAFFIC
match access-group 100
class-map match-all ICMP_TRAFFIC
match access-group 200

policy-map MODULAR
class ICMP_TRAFFIC
bandwidth 256
class WEB_TRAFFIC
bandwidth 128
class class-default

Step 3: Apply policy map to output queue of Serial 0/0

!Apply Service-policy to output interface s0/0

interface Serial0/0
ip address 1.1.1.1 255.255.255.0
clock rate 2000000
 service-policy output MODULAR

==============================================

Step 4: Run quick check on the configuration

R1#show class-map
Class Map match-all WEB_TRAFFIC (id 1)
Match access-group  100

Class Map match-any class-default (id 0)
Match any

Class Map match-all ICMP_TRAFFIC (id 2)
Match access-group  200

R1#show policy-map
Policy Map CCIE
Class ICMP_TR
Bandwidth 128 (kbps) Max Threshold 64 (packets)
Class WEB_TR
Bandwidth 64 (kbps) Max Threshold 64 (packets)
Class class-default

==============================================

Before any ping or http traffic is sent across the WAN link

R1#show policy-map interface s0/0
Serial0/0

Service-policy output: MODULAR

Class-map: ICMP_TRAFFIC (match-all)
    0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 112
Queueing
Output Queue: Conversation 265
Bandwidth 128 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: WEB_TRAFFIC (match-all)
      0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
Queueing
Output Queue: Conversation 266
Bandwidth 64 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
697 packets, 46091 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

==============================================

Step 5: Generate ICMP traffic by pining the server from the client PC

To generate ICMP traffic, from the client PC (192.168.30.30) ping http server at 192.168.40.40.
ICMP pinging

‘show policy-map interface s0/0’ after 8 ping messages have been sent from 192.168.30.30 (client) to 192.168.40.40 (Server)

R1#show policy-map interface s0/0
Serial0/0

Service-policy output: MODULAR

Class-map: ICMP_TRAFFIC (match-all)
8 packets, 512 bytes <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 112
Queueing
Output Queue: Conversation 265
Bandwidth 128 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: WEB_TRAFFIC (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
Queueing
Output Queue: Conversation 266
Bandwidth 64 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
766 packets, 50456 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

==============================================

Step 6: Access web page of http server from the client PC

To generate some http traffic, access http://192.168.40.40/ from the client PC to HTTP Server.
Access IIS

==============================================

show policy-map interface serial0/0 after generating http traffic

R1#show policy-map interface s0/0
Serial0/0

Service-policy output: MODULAR

Class-map: ICMP_TRAFFIC (match-all)
    12 packets, 768 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 112
Queueing
Output Queue: Conversation 265
Bandwidth 128 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: WEB_TRAFFIC (match-all)
13 packets, 2539 bytes <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
Queueing
Output Queue: Conversation 266
Bandwidth 64 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
878 packets, 57842 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

 

==============================================

R1#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       1.1.1.0/24 is directly connected, Serial0/0
D       1.0.0.0/8 is a summary, 00:59:46, Null0
C    192.168.30.0/24 is directly connected, FastEthernet0/0
D    192.168.40.0/24 [90/2195456] via 1.1.1.2, 00:59:41, Serial0/0

 

R2#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       1.1.1.0/24 is directly connected, Serial0/0
D       1.0.0.0/8 is a summary, 00:04:16, Null0
D    192.168.30.0/24 [90/2195456] via 1.1.1.1, 00:04:11, Serial0/0
C    192.168.40.0/24 is directly connected, FastEthernet0/0

 

All this lab was done on a laptop, go easy on the environment. 🙂

On a single PC

Notes on Cisco QoS: Clearing the fog – Part 2. Quality issues

Quality of Service

QOS = Method of giving priority to some specific traffic as moving over the network.

The basic aim of QoS is to have a consistent and predictable performance on your network.

 

1 qos intro

General characteristics of today’s Converged Network:

  • Small voice packet compete with bursty data packets, many different applications are using network as services
  • Critical traffic must get priority over less critical traffic, without QoS, default behavior is First In First Out (FIFO)
  • Voice and video traffics are time-sensitive
  • Outages are not acceptable

 

Converged Network Quality issues:

  • Lack of Bandwidth
  • Packet Loss
  • Delay
  • Jitter

 

Bandwidth

2 Bandwidth Measure.png

  • Maximum available bandwidth is the slowest link on the traffic paths
  • On the same physical links (traffic paths), multiple flows compete for the same bandwidth, multiple applications sharing the same bandwidth
  • Lack of bandwidth causes performance degradation on network applications

 

 

Packet Loss

3 Tail Drop due to Queue Congestion

Packet loss due to Tail Drop: Queue only can so much packets and once it is full and more packets arrive at the tail end of the queue before the queue is emptied (due to link congestion etc.), the packets will be dropped, and this behavior is called ‘Tail Drop’. If the tail drop occurs to the time sensitive traffics such as voice and video, the effects are immediately felt by the users on the flow. If this happens to data traffic, it may interrupt file transfer and corrupt the file.

 

 

Delay

4 Types of Delay

  • Processing Delay – time taken by router to process packets from an input interface and put them into the output queue of output interface
  • Queuing Delay – time a packet resides in the output queue of a router
  • Serialization Delay – time taken to place bits on the wire
  • Propagation Delay – time taken for packets to cross links from one end to the other end

 

 

Jitter

5 Jitter

  • Packets from a source will reach a destination with different delay times
  • Congestion on the network will cause jitter
  • Congestion can occur at a router interface/Service Provider network if the circuits are not properly provisioned