- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution
Table 2-15 ISDN Commands

| IOS Command | Description |
|---|---|
| `isdn caller phone-number` | Caller ID screening: the router accepts an incoming call only if it comes from the specified calling number, typically the remote router's ISDN number. Calls from any other number are rejected, so this is an access control on the dial-in side, not a dial-out setting. |
| `isdn calling-number calling-number` | The number presented as the calling party on calls this device places; only one entry is allowed. |
| `isdn switch-type switch-type` | ISDN service provider switch type. |
NOTE Frame Relay is a Layer 2 packet-switched WAN protocol that provides connection-oriented delivery between devices over virtual circuits. Frame Relay, although not listed in the official blueprint for the CCIE Security written exam, has a few terms you should be aware of for the exam:

- Forward explicit congestion notification (FECN)—A bit set by a Frame Relay network to inform the DTE receiving the frame that congestion was experienced in the path from source to destination. DTE receiving frames with the FECN bit set can request that higher-level protocols take flow-control action, as appropriate.
- Backward explicit congestion notification (BECN)—A bit set by a Frame Relay network in frames traveling in the opposite direction of frames encountering a congested path. DTE receiving frames with the BECN bit set can request that higher-level protocols take flow-control action, as appropriate. The provider's WAN switches, not the routers, normally set FECN/BECN.
- Data-link connection identifier (DLCI)—A value that identifies a PVC or SVC in a Frame Relay network. DLCIs are locally significant: the two ends of one virtual circuit can carry different DLCI values. Reserved DLCIs are used for LMI signaling between the router and the Frame Relay switch: 0 for ANSI and ITU Q.933a LMI, 1023 for Cisco LMI.
IP Multicast

This section briefly covers the IP multicast areas of interest for the CCIE written test.

IP multicast was designed to reduce the bandwidth demands of applications such as video on demand by delivering a single stream of information to more than one device. Applications include electronic learning, company shareholder meetings (video on demand), and software distribution.

IP delivery can be classified as unicast (one to one), multicast (one to many), or broadcast (one to all).

Multicasting transmits IP packets from a single source to multiple destinations. The network replicates each packet only where paths to the receivers diverge, so one copy reaches every device that has joined the group and no copies are sent to devices that have not. In IPv4, the Class D addresses ranging from 224.0.0.0 to 239.255.255.255 are reserved for multicast. Routing protocols, for example, use multicast to send hello packets and establish neighbor adjacencies.
Chapter 2: General Networking Topics
Table 2-16 displays some common multicast addresses and their uses.

Table 2-16 Class D Multicast Address Examples

| Multicast Address | Use |
|---|---|
| 224.0.0.1 | All hosts on the local subnet |
| 224.0.0.2 | All routers on the local subnet |
| 224.0.0.5 | All OSPF-enabled routers |
| 224.0.0.6 | All OSPF designated routers (DR and BDR) |
| 224.0.0.9 | RIPv2-enabled routers |
| 224.0.0.10 | All EIGRP-enabled routers |

TIP The Class D addresses used in multicast traffic range from 224.0.0.0 to 239.255.255.255. The 224.0.0.0/24 block used by the routing protocols above is link-local control traffic and is never forwarded by a router.
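To make the unicast/multicast/broadcast distinction and the groups in Table 2-16 concrete, here is an added Python example; it is not part of the original chapter. It classifies an IPv4 destination, names the well-known groups from Table 2-16, and derives the Ethernet MAC address a group maps to (the 01:00:5e prefix plus the low 23 bits of the group address), which is what a switch or a MAC-based filter actually sees. The scope boundaries it uses beyond the page (224.0.0.0/24 link-local control, 232.0.0.0/8 source-specific, 239.0.0.0/8 administratively scoped) are IANA assignments, not figures from the chapter, and the sample destinations it prints are constructed.

```python
"""IPv4 delivery-mode classifier and multicast group to MAC mapping.

Added example for this section; not from the chapter. Group names are those
in Table 2-16; the scope ranges are IANA assignments (224.0.0.0/24 link-local
control, 232.0.0.0/8 source-specific, 239.0.0.0/8 administratively scoped).
"""
import ipaddress
from typing import List, Optional

# Well-known groups from Table 2-16.
WELL_KNOWN_GROUPS = {
    "224.0.0.1": "all hosts on this subnet",
    "224.0.0.2": "all routers on this subnet",
    "224.0.0.5": "all OSPF routers",
    "224.0.0.6": "OSPF designated routers (DR and BDR)",
    "224.0.0.9": "RIPv2 routers",
    "224.0.0.10": "EIGRP routers",
}

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")    # never forwarded by routers
SSM = ipaddress.ip_network("232.0.0.0/8")            # source-specific multicast
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")   # organisation-local, like RFC 1918


def delivery_mode(addr: str, subnet: Optional[str] = None) -> str:
    """Return 'unicast', 'multicast' or 'broadcast' for an IPv4 destination.
    255.255.255.255 is always broadcast; a directed broadcast such as
    10.1.1.255 is only recognised when the enclosing subnet is supplied."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if str(ip) == "255.255.255.255":
        return "broadcast"
    if subnet and ip == ipaddress.ip_network(subnet, strict=False).broadcast_address:
        return "broadcast"
    return "unicast"


def multicast_scope(addr: str) -> str:
    """Tell how far a group address should travel."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    if ip in LINK_LOCAL:
        return "link-local control (not routed)"
    if ip in SSM:
        return "source-specific"
    if ip in ADMIN_SCOPED:
        return "administratively scoped"
    return "global"


def describe(addr: str) -> str:
    """Name a well-known group from Table 2-16, or say it is not one."""
    return WELL_KNOWN_GROUPS.get(addr, "application or unassigned group")


def multicast_mac(addr: str) -> str:
    """Ethernet address for a group: 01:00:5e followed by the low 23 bits of
    the IPv4 group address (the 1110 prefix and the next 5 bits are dropped)."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    low23 = int(ip) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, (low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


def mac_collisions(addr: str) -> List[str]:
    """The 32 group addresses that share addr's MAC address, because only 23
    of the 28 significant group bits survive the mapping."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    low23 = int(ip) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


if __name__ == "__main__":
    # Constructed sample destinations.
    for dst in ("10.1.1.7", "224.0.0.10", "239.255.255.250", "255.255.255.255"):
        mode = delivery_mode(dst)
        extra = ""
        if mode == "multicast":
            extra = f", {multicast_scope(dst)}, {describe(dst)}, MAC {multicast_mac(dst)}"
        print(f"{dst}: {mode}{extra}")
```

Because only 23 bits of the group address survive the mapping, 32 different groups share one MAC (224.1.1.1 and 225.1.1.1, for example); `mac_collisions` lists them, which is why filtering multicast at Layer 2 cannot substitute for an IP access list. Routing-protocol hellos to 224.0.0.5 or 224.0.0.10 fall in the link-local block and never cross a router, so seeing them arrive from beyond the local segment is itself suspicious.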
Asynchronous Communications and Access Devices

An asynchronous (async) communication is a digital signal that is transmitted without precise clocking. The RS-232 session between a router and a PC through the console connection is an example of async communication. Such signals generally have different frequencies and phase relationships. Asynchronous transmissions usually frame each individual character with control bits (called start and stop bits) that mark the beginning and the end of the character.

For example, the auxiliary port on Cisco routers can be used to connect a modem and allow out-of-band (not via the network) management. Because a modem on the auxiliary port can be reached by anyone who dials its number, the aux line needs the same login and AAA protection as the console and vty lines.

The Cisco AS5300 is an example of a device that supports both synchronous and async communication, such as voice, digital, and modem-based traffic (via the Public Switched Telephone Network [PSTN]).

The AS5300, or Universal Access Server (AS), is a versatile data communications platform that provides the functions of an access server, router, and digital modem in a single modular chassis. It is intended for ISPs, telecommunications carriers, and other service providers that offer managed Internet connections. The AS5300 provides both digital (for example, ISDN) and analog (dialup users over the PSTN) access to users on a network.

Figure 2-20 displays a typical scenario in which clients, such as Internet dialup users with ISDN and analog phone lines (PSTN), connect to the Internet using PPP.

Clients are supplied one number to call, and the AS5300 makes intelligent decisions based on the incoming call type, whether digital (ISDN) or analog (PSTN).
Figure 2-20 AS5300 Typical Design Scenario

[Figure: four AS5300 access servers, AS1 (1.1.1.1/24), AS2 (1.1.1.2/24), AS3 (1.1.1.3/24), and AS4 (1.1.1.4/24), sit between the Internet (WWW) and the ISDN and PSTN networks. ISDN and PSTN calls arrive using PPP encapsulation. The SGBP configuration of AS1 shown in the figure is reproduced in Example 2-21.]
Users, such as clients with ISDN, call the dedicated number supplied by the ISP. The four AS5300s in Figure 2-20 can also share the load of incoming calls using Stack Group Bidding Protocol (SGBP), which is used when multiple PPP or Multilink PPP (MPPP) sessions are in use. When SGBP is configured on each Cisco AS5300, the access server that receives a call sends a query to every stack group member. A stack group member is a router or access server running SGBP.

Each router participating in SGBP then bids for the right to terminate the call. A router that already terminates a PPP session for the same peer bids highest, so that all links of a Multilink PPP bundle end on one router and the client receives the full aggregated bandwidth. If the call is the first session from that peer, the AS5300 with the lowest CPU load has the highest probability of winning the bid. Example 2-21 displays a typical IOS configuration when SGBP is enabled on the four AS5300 routers in Figure 2-20.
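The bidding just described, as an added example that is not Cisco code and not the real SGBP message format: a small Python model in which the member that answers a call queries every stack-group member, each member bids, and the highest bid terminates the call. The bid values (a fixed high bid for a member already terminating the peer's bundle, otherwise 100 minus CPU load), the 10 percent load added per awarded call, and the tie-break rule are assumptions chosen to reproduce the behaviour in the text; the four members and their loads are constructed to match Figure 2-20.

```python
"""Simplified model of SGBP call bidding.

Added example for this section; not Cisco code and not the real SGBP wire
protocol. Bid values and tie-breaking are assumptions that reproduce the
behaviour described in the chapter: a member already terminating the peer's
bundle wins outright, otherwise the least-loaded member wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BUNDLE_OWNER_BID = 1000  # assumption: always beats any load-based bid (max 100)


@dataclass
class StackMember:
    name: str
    cpu_load: int                                    # percent busy, 0..100
    bundles: Set[str] = field(default_factory=set)   # PPP peers terminated here

    def bid(self, peer: str) -> int:
        """Answer a stack-group query for an incoming call from `peer`."""
        if peer in self.bundles:
            # Additional MLP links must join the existing bundle on this router.
            return BUNDLE_OWNER_BID
        # First link from this peer: the least-loaded member bids highest.
        return 100 - self.cpu_load


def run_bidding(receiver: StackMember, members: List[StackMember], peer: str) -> Dict:
    """The member that answered the call queries every stack-group member
    (itself included) and awards the call to the highest bidder. Ties go to
    the receiver if it is among the leaders, otherwise to the first by name."""
    bids = {m.name: m.bid(peer) for m in members}
    bids.setdefault(receiver.name, receiver.bid(peer))
    best = max(bids.values())
    leaders = sorted(name for name, bid in bids.items() if bid == best)
    winner = receiver.name if receiver.name in leaders else leaders[0]
    return {"peer": peer, "bids": bids, "winner": winner, "forwarded": winner != receiver.name}


def simulate_calls(receiver_name: str, peers: List[str], members: List[StackMember]) -> List[Dict]:
    """Run successive calls through the stack, updating state after each award:
    the winner now owns the peer's bundle and (assumption) gains 10% load."""
    by_name = {m.name: m for m in members}
    receiver = by_name[receiver_name]
    results = []
    for peer in peers:
        outcome = run_bidding(receiver, members, peer)
        winner = by_name[outcome["winner"]]
        winner.bundles.add(peer)
        winner.cpu_load = min(100, winner.cpu_load + 10)
        results.append(outcome)
    return results


def build_stack() -> List[StackMember]:
    """Constructed stack group matching Figure 2-20: AS1..AS4. AS3 already
    terminates a link from 'alice'; AS2 and AS4 are the least loaded."""
    return [
        StackMember("AS1", cpu_load=40),
        StackMember("AS2", cpu_load=15),
        StackMember("AS3", cpu_load=70, bundles={"alice"}),
        StackMember("AS4", cpu_load=15),
    ]


if __name__ == "__main__":
    # Three constructed calls all answered by AS1: bob's first link, alice's
    # second link, then bob's second link.
    for r in simulate_calls("AS1", ["bob", "alice", "bob"], build_stack()):
        handling = "forwarded to" if r["forwarded"] else "kept on"
        print(f"{r['peer']}: bids {r['bids']} -> {handling} {r['winner']}")
```

Run as a script it prints the three awards. The second link from `bob` goes back to AS2 even though AS2 is no longer the least loaded member, which is the point of the "existing PPP session wins" rule in the text; alice's new link lands on AS3, the busiest router, for the same reason.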
Example 2-21 SGBP Configuration Example

```
hostname AS1
!
username CCIE password CCIE
sgbp group CCIE
sgbp member AS2 1.1.1.2
sgbp member AS3 1.1.1.3
sgbp member AS4 1.1.1.4
```
The following list explains the IOS commands used in Example 2-21.

- `username CCIE password CCIE`—Defines the username and password used to authenticate stack group members; every member of the group must carry the same entry. The `password` keyword stores the string in cleartext unless `service password-encryption` is enabled, and a password equal to the group name, as in this example, is trivially guessable. If the password does not match on a peer, an error such as the following is presented on the console:

%SGBP-1-AUTHFAILED: Member [chars] failed authentication

- `sgbp group CCIE`—Defines a named stack group and makes this router a member of that stack group. Use the sgbp group command in global configuration mode. To remove the definition, use the no form of this command.
- `sgbp member peer-name [peer-ip-address]`—Specifies the host name and, optionally, the IP address of a router or access server that is a peer member of a stack group. Use the sgbp member command in global configuration mode, once for each peer; a peer that is not listed never receives the query and so never bids.
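Since a mismatched stack-group password produces %SGBP-1-AUTHFAILED and a missing sgbp member entry silently leaves a peer out of the bidding, the following added Python script (not from the chapter and not Cisco code) parses the commands used in Example 2-21 out of each member's configuration and reports the inconsistencies before they reach the routers. It assumes, as Example 2-21 does, that the username used for stack-group authentication is the group name. The four configurations embedded in it are constructed: AS3 carries a mistyped password and AS4 omits one member.

```python
"""Consistency check for an SGBP stack group.

Added example for this section; not Cisco code and not from the chapter. It
parses only the commands Example 2-21 uses (hostname, username/password,
sgbp group, sgbp member) plus service password-encryption, and assumes the
stack-group username equals the group name, as in that example.
"""
import re
from typing import Dict, List

USERNAME_RE = re.compile(r"^username (\S+) (password|secret) (?:(\d) )?(\S+)$")
MEMBER_RE = re.compile(r"^sgbp member (\S+)(?: (\d{1,3}(?:\.\d{1,3}){3}))?$")


def parse_sgbp(config: str) -> Dict:
    """Extract hostname, stack group, username entries and member list."""
    info = {"hostname": None, "group": None, "users": {}, "members": {}, "encrypted": False}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        user = USERNAME_RE.match(line)
        member = MEMBER_RE.match(line)
        if line.startswith("hostname "):
            info["hostname"] = line.split()[1]
        elif line == "service password-encryption":
            info["encrypted"] = True
        elif line.startswith("sgbp group "):
            info["group"] = line.split()[2]
        elif user:
            name, kind, enc_type, value = user.groups()
            info["users"][name] = {"kind": kind, "type": enc_type, "value": value}
        elif member:
            info["members"][member.group(1)] = member.group(2)
    return info


def lint_stack(configs: List[str]) -> List[str]:
    """Return human-readable findings for a set of member configurations."""
    parsed = [parse_sgbp(c) for c in configs]
    findings: List[str] = []
    groups = {p["group"] for p in parsed}
    if len(groups) != 1:
        findings.append(f"group name differs across members: {sorted(str(g) for g in groups)}")
    group = parsed[0]["group"]
    hosts = {p["hostname"] for p in parsed}
    passwords: Dict[str, str] = {}
    cleartext: List[str] = []
    for p in parsed:
        host = p["hostname"]
        user = p["users"].get(group)
        if user is None:
            findings.append(f"{host}: no 'username {group}' entry for stack-group authentication")
        else:
            passwords[host] = user["value"]
            # 'password' with no type, or type 0, is cleartext in the running config
            # unless service password-encryption rewrites it as type 7.
            if user["kind"] == "password" and user["type"] in (None, "0") and not p["encrypted"]:
                cleartext.append(host)
            if user["value"] == group:
                findings.append(f"{host}: stack-group password equals the group name")
        missing = (hosts - {host}) - set(p["members"])
        if missing:
            findings.append(f"{host}: missing sgbp member entries for {sorted(missing)}")
        if host in p["members"]:
            findings.append(f"{host}: lists itself as an sgbp member")
    if cleartext:
        findings.append(f"stack-group password stored in cleartext on: {sorted(cleartext)}")
    if len(set(passwords.values())) > 1:
        # The odd one out will log %SGBP-1-AUTHFAILED on its peers.
        counts = list(passwords.values())
        odd = sorted(h for h, pw in passwords.items() if counts.count(pw) == 1) or sorted(passwords)
        findings.append(f"password mismatch, expect %SGBP-1-AUTHFAILED on: {odd}")
    return findings


def _member_config(host: str, password: str, peers: Dict[str, str]) -> str:
    """Build a member configuration in the shape of Example 2-21 (constructed)."""
    lines = [f"hostname {host}", "!", f"username CCIE password {password}", "sgbp group CCIE"]
    lines += [f"sgbp member {name} {ip}" for name, ip in peers.items()]
    return "\n".join(lines)


ADDRS = {"AS1": "1.1.1.1", "AS2": "1.1.1.2", "AS3": "1.1.1.3", "AS4": "1.1.1.4"}

# Constructed stack: AS3 has a mistyped password, AS4 forgot AS2.
EXAMPLE_STACK = [
    _member_config("AS1", "s3cr3t-stack", {k: v for k, v in ADDRS.items() if k != "AS1"}),
    _member_config("AS2", "s3cr3t-stack", {k: v for k, v in ADDRS.items() if k != "AS2"}),
    _member_config("AS3", "s3cr3t-stak", {k: v for k, v in ADDRS.items() if k != "AS3"}),
    _member_config("AS4", "s3cr3t-stack", {"AS1": "1.1.1.1", "AS3": "1.1.1.3"}),
]

# The chapter's own Example 2-21 fragment for AS1.
PAGE_EXAMPLE = _member_config("AS1", "CCIE", {k: v for k, v in ADDRS.items() if k != "AS1"})

if __name__ == "__main__":
    for finding in lint_stack(EXAMPLE_STACK):
        print(finding)
```

Run against the constructed stack it reports three things: AS4 is missing its `sgbp member AS2` line, the password is cleartext on every member, and AS3 is the member whose peers will log %SGBP-1-AUTHFAILED. Run against Example 2-21 alone it flags that the password equals the group name.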