Cisco Ccna (640-553) security Exam Training - Using the "Clear Crypto Datapath" Command
cisco router 2800
Tuesday, November 1, 2011
Saturday, October 8, 2011
Cisco Ccna 640-802, Ccent, Ccnp institution Exam Questions On Static Routing & Redundancy Protocols
Cisco Ccna 640-802, Ccent, Ccnp institution Exam Questions On Static Routing & Redundancy Protocols
Ccna 640-802 And Ccent Certification:
According to the Cisco routing code table, which of the following indicates a static default route?
A. S
B. S*
C. D
D. D*
Answer: B. A static route is indicated by the letter "S"; a default route will have an asterisk next to it, so "S*" is the faultless strict answer.
Ccnp Certification / Bsci Exam:
Which two protocols are designed to expedite network cutover to a working router when the primary router goes down?
A. Snmp
B. Smtp
C. Irdp
D. Hsrp
E. Harp
Answers: C, D. Both the Icmp Router Discovery Protocol (Irdp) and Hot Standby Routing Protocol (Hsrp) achieve this, although in dissimilar ways!
Ccnp Certification / Bcmsn Exam:
Which statements are true with regard to a Cisco multilayer switch?
A. Ip is enabled by default.
B. Ip is not enabled by default.
C. All ports are in L2 mode by default.
D. All ports are in L3 mode by default.
E. The switch ports are in neither L2 nor L3 mode by default.
F. The switch ports are in both L2 and L3 mode by default.
Answers: B, C. A multilayer switch will not have Ip routing enabled by default, and all ports on the L3 switch will be in L2 mode by default.
Ccnp Certification / Iscw Exam:
Identify the true statements with regard to Ipsec modes.
A. Vehicle mode retains the primary Ip header.
B. Vehicle mode does not support the primary Ip header.
C. Tunnel mode retains the primary Ip header.
D. Tunnel mode does not support the primary Ip header.
Answers: A, D. Vehicle mode retains the primary Ip header, tunnel mode does not.
Ccnp Certification / Ont Exam:
The terms "campus backbone", "server farm", and "building access" are associated with which component of the company Composite Network Model?
A. company Campus
B. Service provider Edge
C. company Edge
D. company Core
Answer: A. The company Campus legitimately has six dissimilar parts - Campus Backbone, construction Access, construction Distribution, Management, Edge Distribution, and Server Farm.
Monday, September 12, 2011
Configuring a Site-to-Site Vpn in the middle of Two Cisco Routers
A site-to-site virtual secret network (Vpn) allows you to voice a derive "always-on" association in the middle of two physically cut off sites using an existing non-secure network such as the collective Internet. Traffic in the middle of the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.
This configuration requires an Ios software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.
Cisco Router
There are several protocols used in creating the Vpn along with protocols used for a key replacement in the middle of the peers, those used to encrypt the tunnel, and hashing technologies which furnish message digests.
Configuring a Site-to-Site Vpn in the middle of Two Cisco Routers
Vpn Protocols
Ipsec: Internet Protocol security (Ipsec) is a suite of protocols that are used to derive Ip communications. Ipsec involves both key exchanges and tunnel encryption. You can think of Ipsec as a framework for implementing security. When creating an Ipsec Vpn, you can select from a variety of security technologies to implement the tunnel.
Isakmp (Ike): Internet security association and Key supervision Protocol (Isakmp) provides a means for authenticating the peers in a derive communication. It typically uses Internet Key replacement (Ike), but other technologies can also be used. collective keys or a pre-shared key are used to authenticate the parties to the communication.
Md5: Message-Digest algorithm 5 (Md5) is an often used, but partially insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value based on the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.
Sha: derive Hash Algorithm (Sha) is a set of cryptographic hash functions designed by the National security agency (Nsa). The three Sha algorithms are structured differently and are remarkable as Sha-0,Sha-1, and Sha-2. Sha-1 is a commonly used hashing algorithm with a proper key length of 160 bits.
Esp: Encapsulating security Payload (Esp) is a member of the Ipsec protocol suite that provides origin authenticity, integrity, and confidentiality security of packets. Esp also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other Ipsec protocol, Authentication Header (Ah), Esp does not protect the Ip packet header. This divergence makes Esp preferred for use in a Network Address Translation configuration. Esp operates directly on top of Ip, using Ip protocol whole 50.
Des: The Data Encryption proper (Des) provides 56-bit encryption. It is no longer thought about a derive protocol because its short key-length makes it vulnerable to brute-force attacks.
3Des: Three Des was designed to overcome the limitations and weaknesses of Des by using three distinct 56-bit keys in a encrypting, decrypting, and re-encrypting operation. 3Des keys are 168 bits in length. When using 3Des, the data is first encrypted with one 56-bit key, then decrypted with a distinct 56-bit key, the yield of which is then re-encrypted with a third 56-bit key.
Aes: The industrialized Encryption proper (Aes) was designed as a replacement for Des and 3Des. It is available in varying key lengths and is commonly thought about to be about six times faster than 3Des.
Hmac: The Hashing Message Authentication Code (Hmac) is a type of message authentication code (Mac). Hmac is calculated using a exact algorithm intriguing a cryptographic hash function in mixture with a secret key.
Configuring a Site-to-Site Vpn
The process of configuring a site-to-site Vpn involves several steps:
Phase One configuration involves configuring the key exchange. This process uses Isakmp to recognize the hashing algorithm and authentication method. It is also one of two places where you must recognize the peer at the opposite end of the tunnel. In this example, we chose Sha as the hashing algorithm due to its more robust nature, along with its 160-bit key. The key "vpnkey" must be selfsame on both ends of the tunnel. The address "192.168.16.105" is the covering interface of the router at the opposite end of the tunnel.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encrypting protocols used to create the derive tunnel. You must also create a crypto map in which you recognize the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access operate list will recognize permitted traffic flows. In this example, we chose Aes due to its heightened security and enhanced performance. The statement "set peer 192.168.16.25" identifies the covering interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset in this tunnel. The "match address 100" statement is used to associate the tunnel with access-list 100 which will be defined later.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% Note: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must be applied to your covering interface (in this example, interface FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You must create an access operate list to explicitly allow traffic from the router's inside Lan across the tunnel to the other router's inside Lan (in this example, the router tukwila's inside Lan network address is 10.10.10.0/24 and the other router's inside Lan network address is 10.20.0.0/24):
tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
(For more facts about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)
You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:
tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1
Verifying Vpn Connections
The following two commands can be used to verify Vpn connections:
Router#show crypto ipsec sa
This command displays the settings used by the current security Associations (Sas).
Router#show crypto isakmp sa
This command displays current Ike security Associations.
Troubleshooting Vpn Connections
After confirming physical connectivity, audit both ends of the Vpn association to ensure they mirror each other.
Use debugging to analyze Vpn association difficulties:
Router#debug crypto isakmp
This command allows you to examine Phase 1 Isakmp negotiations.
Router#debug crypto ipsec
This command allows you to examine Phase 2 Ipsec negotiations.
Copyright (c) 2008 Don R. Crawley
Configuring a Site-to-Site Vpn in the middle of Two Cisco RoutersSaturday, September 10, 2011
Cisco vs Nortel vs ? - Who Would You choose And Why?
Here's the scenario..... You've been tasked with a found and premise of the network infrastructure for a new location in your company. For the purposes of this query your choices for equipment at the new site are between Cisco and Nortel and ?? (routers, switches, hubs, etc.) .... And the network backbone will be Ds3 bandwidth with connectivity to other business locations (Wan). Note: you can substitute Oc3 bandwidth if it's more applicable to you .... But realize it changes the network equipment configurations for the scenario somewhat due to the application of Sonet technology.
For a general religious doctrine ..... When you need business valuable spend the money and make it excellent (Cisco). When at the edge and not business critical, (e.g. You can afford a itsybitsy downtime if needed) buy solid products that compete directly with Cisco but cost a bit less.
Cisco Router
In one case a friend uses Hp at the edge and in wireless situations where uptime is not critical. They use Cisco at the core and with wireless where uptime is essential. All that being said, the Hp performs just as well, costs about 25%-50% less and has a lifetime guarantee. So to reply the question, in this case I would recommend seller three (Hp) for all the switches, hubs, etc... And Cisco at the core, but if you only have two choices, then no ifs ands or buts I think you only have one, Cisco. They're the biggest in the U.S. For a reason.
Cisco vs Nortel vs ? - Who Would You choose And Why?
Here's a tip ..... Take a look at the ProCurve goods line from Hp. Someone else friend recently switched from a mix of Cisco and Netgear to all Hp and had no failures. When they needed support, their query was answered the same day from a very knowledgeable aid representative. They did have one piece of equipment that was Doa but had a transfer the next day.
As far as backbone connectivity - the Cisco Mgx 8800 Series switch is a superior goods to the Nortel 15K Wan switch,.but that is only aplicable if you are using Atm or Fr as a layer 2 converyance protocol in the core. If you are using Mpls or some other protocol over Ip I would recommend one of the Cisco 12 K routers running Ios Xr - Nortel dosent even have a comptable goods (Juniper any way does but that is face the scope of this discussion.
The difference between Cisco Htts support and Nortel support is night and day - that should work on your decision right there.
As far as Lan switching - the Cisco 6500 Catalyst platform is the winner hands down against the Nortel 8600. Thee 8600 is easier to configure but is simply not for the business never mind a carrier class soloution. The 6500 is faster, but much more complex, but out performs the 8600 and is infinitely more flexible as far as module options. The 6500 series also has the edge as far as max number of Gig-E ports.
As far as hubs - get a switch or otherwise segment the broadcast domain.
If I were seeing for a voice switch or anything capable of interfacing with the world of Tdm voice, I would go Nortel over Cisco...If those were my only two choices.
While Nortel makes great voice equipment, their policies and procedures are not very customer friendly.
Cisco has great support, and for any data-centric needs, I would certainly go with Cisco.
If I were building a Voip network, I would use Cisco for my core routing, but I would use Nortel over Cisco for my softswitching and media gateway.
Now, Nortel supports Mpls networks and has been engaged in supporting standardization in Mpls before 1998.
A new narrative shows that the Nortel Ers 8300 bests the Cisco 4500 ...... Showing between 75%-301% higher forwarding rate and 12% greater power efficiency.
Of course, there's the fact that the New York Stock transfer runs on a Nortel data network (4 year old Nortel press release).
While I feel I could probably spec out a dozen network designs that would lean towards Nortel, there are clearly good reasons to go Cisco, such as if you implement a Cisco Call Manager. Likewise, there are reasons for which you would clearly pick Nortel (being power effective is one of them).
I will opine that you well all the time get a sub-optimum outcome if you plump a seller first and sort out the goods selections and configurations subsequently. Unless you have practically no time to do so, write up a specification which every person except Americans know as a request for tender and issue it to the suppliers concerned, and I don't see why you wouldn't contain Avaya and others in there as well. Word the specifics definitively (e.g. The principles shall be able to control for a minimum of four hours following the loss of mains power. Comply/does not comply/partially complies), contain a scope of works and get vendors to reply with yielding statements, warranties (i.e. Free maintenance for six months), maintenance covenant proposals and pricing. Not only can you compare the various systems highlight by highlight (features you have listed because they are important for your business) but it's phenomenal how much pricing tends to be reduced when vendors know there's genuine competition.
Regarding these two, part of Cisco's strategy is to make it very inconvenient to endeavor to consolidate any non-Cisco components into a Cisco network. One of your requirements could be interworkability.
Cisco is the best and the least risk for you from a long-term perspective. I have found Cisco switches to be extremely stable, some switches I have seen had been up since 4+ years without a reboot. With Cisco you also have the advantage of excellent documentation, and plenty of skilled people to support your or share information online. Also, at the L3 switch level Cisco has no peer as the code used on the switches is based on their legendary routing platforms.
If Cisco is too costly or you would like to diversify, look at Foundry or Hp. Or great yet use Cisco at your L3 and core, and deploy Hp chassis switches for your user connections. Hp chassis switches are priced similarly to other vendor's stacking solutions, and they come with a lifetime warranty and free software updates. The Cli is also quite Cisco-like.
Given the choice of two, I would have to say Cisco, purely from a support angle - both from a seller support perspective and from recruiting distinguished staff (permanent or contract) for in-house support. Ccna/Da, Ccnp/Dp, Ccie - the streets are littered with them, but Nortel-accredited engineers are few and far between, and consequently a more costly commodity.
In terms of features, functionality and performance, I would say it was too close to call, that definite model ranges would have to compared directly (port densities, PoE and multi-Gbps support for example). Besides Cisco, Nortel, and Hp you could also make various cases for more cost-effective solutions from the likes of Alcatel-Lucent, Huawei, Foundry etc.....
To boil it all down ..... This is a religious question. Those of us who have been around long adequate remember this "No one was ever fired for buying Ibm". This was a marketing strategy that Ibm used for quite a while. It worked! Cisco is using this same strategy now.
Cisco makes some phenomenal products, and they support them amazingly well. There are any other manufacturers of phenomenal equipment on the shop too though. Hp, 3com, Extreme, and Nortel are a few. Here is what I believe. 3com and Hp both make great equipment, extreme equipment is on par with Cisco as far as capabilities, and Nortel is good.
I love the 3com 5500 series stackable switches, and they are only about ½ the price of comparable Cisco switches. Hp also has great stackables, but I don't feel the quality is quit up to par with 3com. extreme isn't Cisco but is thought about to be very high end. I believe Nortel to be an also ran.
If you need to call the premise for tech support often, Buy Cisco period. The tech support is the best in the industry. If you are capable of designing and maintaining a network based on commerce suitable protocols, and are good at figuring things out on your own, buy 3com or Hp.
No one was ever fired for buying Cisco. (I hope that someday this changes just as it did for Ibm. But today it is still true).
Whatever direction you decide to go for similar situations with Your business ..... Or if you've decided and are seeing for a local seller ..... You can get help seeing the right fit for local support from multiple vendors along with Cisco, Nortel, Hp et al at Broadband Nation.
Cisco vs Nortel vs ? - Who Would You choose And Why?Thursday, August 18, 2011
Cisco Ccna (640-553) security Exam Training - Using the "Clear Crypto Isakmp" Command
In today's article, I'm going to familiarize you about the Cisco Ios privileged Exec mode command named "clear crypto isakmp." Ccna's (like you) use this command to clear active Internet Key change (Ike) connections.
Below is the command's syntax:
Cisco Router
clear crypto isakmp [connection-id] [active | standby]
Cisco Ccna (640-553) security Exam Training - Using the "Clear Crypto Isakmp" Command
connection-id-This (optional) argument is the Id of the association that is to be cleared. If this argument is not used with the command, all existing connections will be cleared by default.
active-This (optional) keyword is used to only clear (remove) Ike safety associations (Sas) that are in the active state.
standby - And, this (optional) keyword is used to only clear Ike Sas that are in the standby (secondary) state. Remember, if the router is in standby mode, the router will immediately resynchronize the standby Sas; thus, it may appear as if the standby Sas were not cleared.
In the example below, all existing Ike connections are being cleared:
Router#clear crypto isakmp
Note: You can use the privileged Exec mode command named "show crypto isakmp sa" to display (view) current Ike Sas.
And, if you conclude to use the command, make sure your router(s) is running Cisco Ios 12.3(11)T or higher.
I hope this narrative was very informative and helped you fast understand the usage of clear crypto isakmp command. If you need to learn more; I recommend you visit my website, were you'll find the most recent data regarding the Cisco Ccna (640-553) safety exam techniques to help you make your day a minuscule brighter.
To your success,
Cisco Ccna (640-553) security Exam Training - Using the "Clear Crypto Isakmp" CommandWednesday, August 17, 2011
Linksys E1000 Router Set Up and Troubleshooting
All Linksys E series routers work on the N technology. You can get wireless speed up to 300 Mbps. You can associate wireless computers, wireless printers and other Wi-Fi devices up to 300 Mbps. Linksys E1000 is nothing but Linksys Wrt160N router with a new Cisco associate software.
All the E series routers have Gigabit Ethernet ports which can give you speed up to 1000 Mbps wired relationship speed. E1000 router works on 2.4 Ghz wireless signal. E2100L router also works on 2.4 Ghz wireless signal. This router has a Usb port on it. You can associate the Usb hard drive to the router and share the hard drive with all the computers associated in the network. E2000 and E3000 routers work on 2.4 Ghz as well as 5 Ghz remarkable wireless signal. You can associate your gaming devices, blue ray players, Dvr ideas to this router for smoother and faster video streaming.
Cisco Router
Linksys E1000 router setup:
Linksys E1000 Router Set Up and Troubleshooting
All the E series routers come with the great Cisco associate software for the easy installation. Before installing the router, make sure that your Internet is working properly through the modem. associate your computer directly to the modem and try to go on line. If you are able to passage the Internet from the modem, then your Internet is working properly. Now insert the Cd in to the same computer. Do not run the Cd on any other computer. Use the same computer that you used to associate to the modem. Follow the steps of the Cd. It may not ask you to associate the computer to the router. But it is recommended that you should associate your computer to the router for the introductory set up of the router. You will need to associate the computer to one of the Ethernet port on the router and the modem to the Internet port on the router. That means there will be 2 connections to the router. Now go to the next step on the set up Cd. It will take up to 5 minutes to set up the router.
Definitely you can setup the router without Cd also. You just need to open the setup page of the router and turn the settings manually.
The Cisco associate software is a very spicy tool. It will check your Internet relationship settings and it will try to set up your router automatically agreeing to those settings. It will also originate wireless network automatically with the unique network name and password. On the final step you will see that the router is set up successfully. It will open the window where you can check the settings of the router. It will originate an selection on your computer in the all agenda list. If you want to turn the settings of the wireless network, you can open the Cisco associate software and turn the settings.
The Cisco associate software will run only on Windows Xp with assistance Pack 3, Windows Vista with assistance Pack 1 or better, Windows 7, Mac Os X Tiger 10.4.9, Mac Os X Tiger 10.4.11, Mac Os X Leopard 10.5.8, Mac Os X Snow Leopard 10.6.1.
This software will also give you selection of parental control where you can limit the passage to the Internet agreeing to time as well as websites. This software is capable of creating a guest network access. You can limit the number of guest computers. The guest wireless network will be totally a different wireless network. This guest network works on different Ip address range so that the guest citizen can not share your main wireless network. The guest will not be able to passage the router settings or the computers in the main network. But you can set up the Guest network only if you run the Cisco associate software.
Once you have the main computer up and running through the router. You can use a small flash drive to originate a set up key. On your other wireless computer, associate this Usb set up key and run the program. It will associate your computer to the wireless network automatically. It will quest for the wireless network and it will associate on its own. You don't need to do anything. You can run the Usb set up key only if the wireless relationship is managed by the windows relationship manager. If you turn the wireless settings of the router using the set up page of the router, the Cisco associate software will stop working.
If you are not able to set up the router using the Cisco associate software, you can set up the router manually. But you will not be able to use the advantages of Cisco associate software like Usb set up key or Guest network access. You can open the set up page of the router and turn the Internet relationship settings manually agreeing to the Internet assistance provider.
The hardware warranty for Linksys E series router is 1 year but the free technical retain is only for 90 days.
Linksys E1000 Router Set Up and TroubleshootingCisco Ccna Exam Tutorial: Loopback Interfaces
As a Ccna candidate, you most likely have some background in Pc hardware and workstation support. If so, you're already familiar with loopback interfaces, particularly 127.0.0.1, the loopback address assigned to a Pc.
When you're studying all about the separate physical interfaces for your Ccna exam - serial, ethernet, and Bri, among others - there's one logical interface you need to know about, and that is - you guessed it! - the loopback interface.
Cisco Router
What isn't as immediately apparent is why we use loopback interfaces on routers and switches to begin with. Many of the Cisco router features that can use loopbacks are intermediate and advanced features that you'll learn about in your Ccnp and Ccie studies, but these features all come back to one basic concept: If the loopback interface on a router is down, that means the router is unavailable as a whole.
Cisco Ccna Exam Tutorial: Loopback Interfaces
In contrast, a physical interface being down does not mean the router itself is out of commission. A router's ethernet port can go down, but the other physical interfaces on that router are still operational. Since a loopback interface is logical, there's nothing physical that can go wrong with it.
As I mentioned, you'll learn separate Cisco router and switch features that use loopback interfaces as you climb the Cisco certification ladder. There's one misconception about Cisco loopback interfaces that you want to get clear on now, though. You're probably familiar with loopback interfaces on a Pc, and may even know that the address range 127.0.0.0 is reserved for loopback addressing.
Note that this reserved address range does not apply to loopbacks on Cisco devices, however. If you exertion to assign an address from this range to a Cisco loopback interface, you get this result:
R1#conf t
Enter configuration commands, one per line. End with Cntl/Z.
R1(config)#interface loopback0
R1(config-if)#ip address 127.0.0.2 255.255.255.0
Not a valid host address - 127.0.0.2
R1(config-if)#ip address 127.1.1.1 255.255.255.0
Not a valid host address - 127.1.1.1
The range 127.0.0.0 is reserved for host loopbacks (such as Pcs), not routers or switches. The most commonly used address from this range is 127.0.0.1 - if you can't ping that on a workstation, that means you can't ping yourself, which means there's a qoute with the Tcp/Ip install itself.
Keep these details in mind on the exam and in the workplace, and you're on your way to Ccna exam success!
Subscribe to:
Posts (Atom)