- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution
140 Chapter 3: Application Protocols
Scenario
Scenario 3-1: Configuring DNS, TFTP, NTP, and SNMP
This scenario uses a configuration taken from a working Cisco IOS router and tests your skills with DNS, TFTP, NTP, and SNMP. Example 3-12 displays the configuration of a Cisco router named R1.
Example 3-12 R1 Running Configuration
```
version 12.1
hostname R1
clock timezone UTC 10
!
no ip domain-lookup
ip domain-name cisco.com
ip host CCIE 131.108.1.1
ip host Router3 131.108.1.3
ip host Router2 131.108.1.2
ip host Router1 131.108.1.1
ip name-server 131.108.255.1
ip name-server 131.108.255.2
interface Ethernet0/0
 ip address 131.108.1.1 255.255.255.0
!
interface Serial0/0
 ip address 131.108.255.1 255.255.255.252
 ntp broadcast
!
no ip http server
snmp-server community public RO
snmp-server community publiC RW
snmp-server host 131.108.255.254 isdn
line con 0
!
ntp authentication-key 1 md5 121A061E17 7
ntp authenticate
ntp trusted-key 1
ntp master 1
ntp peer 131.108.2.1 key 1
end
```
1. What happens when a network administrator types the host name Router1 at the router prompt? (Select the best two answers.)
a. DNS queries are disabled; nothing will be translated.
b. The name Router1 is mapped to the IP address 131.108.1.1.
c. The administrator could also type CCIE to reach the same IP address (131.108.1.1).
d. Because DNS is disabled with the command no ip domain-lookup, the router assumes this is an invalid IOS command and returns the error “% Unknown command or computer name, or unable to find computer address.”
e. Local DNSs are case-sensitive, so you can only type Router1 to map to 131.108.1.1.
2. The following commands are entered on the router named R1. What are the TFTP server address and the TFTP filename as stored in the router's onboard flash?
```
R1#copy tftp flash
Address or name of remote host []? 150.100.1.253
Source filename []? c2600-jo3s56i-mz.121-5.T10.bin
Destination filename [c2600-jo3s56i-mz.121-5.T10.bin]? c2600-c1
```
3. R1 supplies an NTP clock source to a remote router. What is the NTP peer's IP address, and what is the MD5 password used to ensure that NTP sessions are authenticated?
4. What is the SNMP read-write access community string for the following configuration?
```
snmp-server community public RO
snmp-server community publiC RW
```
Scenario Answers
Scenario 3-1 Solutions
1. Answers: b and c. The host name Router1 (not case-sensitive) is mapped to 131.108.1.1 with the command ip host Router1 131.108.1.1. Also, the name CCIE is mapped to the same address with the IOS command ip host CCIE 131.108.1.1. If you look at the IP address assigned to Ethernet 0/0, it is the local IP address. Therefore, if a user types Router1 or CCIE, they will be returned to the same router. The following sample display demonstrates this fact:
```
R1#router1
Translating "router1"
Trying Router1 (131.108.1.1)... Open
User Access Verification
Password:
R1>quit
!quit commands exit Telnet session and you return
!to the first Telnet connection on R1
[Connection to router1 closed by foreign host]
R1#ccie
Translating "ccie"
Trying CCIE (131.108.1.1)... Open
User Access Verification
Password:
R1>
```
Both the DNS names, CCIE and Router1, are translated to the same IP address, 131.108.1.1.
2. Answer: The TFTP server address is 150.100.1.253 and the filename requested is c2600-jo3s56i-mz.121-5.T10.bin. However, the last command entered is the destination filename, which defines the name stored locally in the system flash. In this case, the network administrator types the filename c2600-c1.
3. Answer: R1 is configured statically to peer with the remote NTP IP address, 131.108.2.1 (ntp peer 131.108.2.1 key 1). The MD5 password is configured but, unfortunately, the configuration will not display the MD5 passwords (encrypted), so it cannot be derived.
4. Answer: The read-only (RO) community string is named public, and the read-write (RW) community string is set to publiC. Community strings are case-sensitive.
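The three points the solutions above turn on (case-insensitive ip host lookup, case-sensitive SNMP community strings, and NTP peers tied to a trusted key) can be checked mechanically against a running configuration. The following audit script is an added example, not part of the book or of Cisco IOS; it operates on a constructed copy of the relevant lines of Example 3-12 and assumes only the command syntax shown there.

```python
import re

# Constructed input: the host, SNMP and NTP lines of Example 3-12 (router R1).
R1_CONFIG = """\
ip host CCIE 131.108.1.1
ip host Router1 131.108.1.1
snmp-server community public RO
snmp-server community publiC RW
ntp authentication-key 1 md5 121A061E17 7
ntp authenticate
ntp trusted-key 1
ntp peer 131.108.2.1 key 1
"""

def resolve(config, name):
    """Static ip host lookup; IOS matches names case-insensitively (question 1)."""
    table = {m.group(1).lower(): m.group(2)
             for m in re.finditer(r"^ip host (\S+) (\S+)", config, re.M)}
    return table.get(name.lower())

def audit_snmp(config):
    """Community strings are case-sensitive (question 4): flag well-known
    defaults ignoring case, and a RW string equal to a RO string ignoring case."""
    comms = re.findall(r"^snmp-server community (\S+) (RO|RW)", config, re.M)
    ro_lower = {s.lower() for s, mode in comms if mode == "RO"}
    findings = []
    for s, mode in comms:
        if s.lower() in ("public", "private"):
            findings.append(f"{mode} community '{s}' is a well-known default")
        if mode == "RW" and s.lower() in ro_lower:
            findings.append(f"RW community '{s}' matches a RO string ignoring case")
    return findings

def audit_ntp(config):
    """Peers must reference a key that is both defined and trusted, with
    authentication enabled globally (question 3)."""
    findings = []
    if not re.search(r"^ntp authenticate$", config, re.M):
        findings.append("ntp authenticate is not configured")
    defined = set(re.findall(r"^ntp authentication-key (\d+) md5", config, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", config, re.M))
    for m in re.finditer(r"^ntp peer (\S+)(?: key (\d+))?", config, re.M):
        peer, key = m.groups()
        if key is None:
            findings.append(f"ntp peer {peer} is unauthenticated")
        elif key not in defined & trusted:
            findings.append(f"ntp peer {peer} key {key} is not defined and trusted")
    return findings
```

Run against the R1 configuration, the NTP audit comes back clean while the SNMP audit flags both community strings, since a RW string that differs from a default RO string only in capitalisation gives very little protection.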
Exam Topics in this Chapter
58 IOS Specifics