Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

142 Chapter 4 Cisco Perimeter Router Problems and Solutions

Answers to Written Lab

1. The Intercept mode will proxy-answer incoming SYN requests and not notify the server until the originating host is verified.

2. You configure the no ip unreachables command on the perimeter router to prevent the router from announcing to external hosts which subnets are not configured.

3. The command no service finger disables Finger replies on a perimeter router.

4. You use the no tcp-small-servers and no udp-small-servers commands on your router to prevent a chargen attack.

5. To prevent eavesdropping, IPSec can be used to encrypt data between two networks.

6. The routing table is modified or prevented from being updated in a rerouting attack.

7. The no cdp run command disables Cisco Discovery Protocol on a perimeter router.

8. To enable an HTTP server on a router for AAA, use the ip http server command.

9. The no cdp enable command disables Cisco Discovery Protocol on a perimeter router interface.

10. To disable proxy ARP on a perimeter router, use the no ip proxy-arp command.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Answers to Review Questions

1. A, B, C. EIGRP, BGP, and OSPF are three routing protocols that can be configured to support MD5 authentication. RIPv2 can also use MD5 authentication.

2. B. PAT (Port Address Translation) allows up to 64,000 hosts to share a single IP address.

3. C. By using MD5 authentication, routers can verify that received routing updates are valid.

4. A. NAT (Network Address Translation) can be used to extend the utility of available IP address space.

5. D. By using ACLs (access control lists) at the perimeter, you can deny many of these types of attacks.

6. A. TCP Intercept is used to prevent DoS (denial-of-service) attacks, specifically SYN flood attacks.

7. E. IPSec can be used to encrypt data between two networks, which prevents eavesdropping.

8. D. ACLs are used to stop unauthorized access, data manipulation, and malicious destruction problems.

9. B. PAT (Port Address Translation) can support up to 64,000 hosts using a single IP address.

10. A. The TCP Intercept function will not forward SYN requests until the originating host is verified when running in Intercept mode.

11. B. By default, a Cisco router will send an IP unreachable message when a packet is destined for a subnet that is not listed in the routing table. By using the no ip unreachables command, you can stop the announcements to external hosts about which subnets are not configured.

12. C. The global configuration command no service finger disables the Finger service on the router.

13. B, E. To prevent a chargen attack, disable the TCP and UDP small servers.

14. C. IPSec can be used to encrypt data between two networks, which prevents eavesdropping.

15. C. When your problem is rerouting attacks, your routing table is being modified or prevented from being updated.

16. D. You can turn CDP off completely on a Cisco router or switch with the global command no cdp run. To turn CDP off on an individual interface, use the interface command no cdp enable.

17. C. The command to enable an HTTP server on a router is ip http server in global configuration mode.


18. A. To turn CDP off on an individual interface, use the interface command no cdp enable. You can turn CDP off completely on a Cisco router or switch with the global command no cdp run.

19. D. Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. To disable proxy ARP on a router interface, use the command no ip proxy-arp.

20. B. ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination. To disable the sending of redirect messages, use the interface command no ip redirects.
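The answers above each name one command in isolation. The following perimeter router configuration is an added example, not taken from the study guide, that puts the Chapter 4 commands together in one place: the global service shutdowns, TCP Intercept in intercept mode, the per-interface ICMP and ARP settings, and OSPF MD5 authentication on the inside link. Interface names, IP addresses, the ACL number 101 and the key value are assumptions chosen for illustration. Note that the full IOS keywords for the small servers are no service tcp-small-servers and no service udp-small-servers; the shorter form in the answers is the book's shorthand.

```cisco
! Added example (not the study guide's own configuration).
! Interface names, addresses, ACL 101 and the MD5 key are assumed values.
!
! --- Global hardening (answers 12, 13, 16) ---
no service finger                   ! no Finger replies
no service tcp-small-servers        ! no echo/chargen/discard/daytime over TCP
no service udp-small-servers        ! same services over UDP
no cdp run                          ! CDP off on every interface
!
! --- TCP Intercept against SYN floods (answers 6 and 10) ---
! ACL 101 selects the protected server; 192.0.2.10 is an assumed address.
access-list 101 permit tcp any host 192.0.2.10
ip tcp intercept list 101
ip tcp intercept mode intercept     ! router proxy-answers SYNs; server sees only verified clients
!
! --- Outside (untrusted) interface (answers 11, 18, 19, 20) ---
interface Serial0/0
 description Link to ISP (assumed)
 ip address 203.0.113.2 255.255.255.252
 no ip unreachables                 ! do not reveal which subnets are unconfigured
 no ip redirects                    ! do not send ICMP redirects
 no ip proxy-arp                    ! do not answer ARP on behalf of other hosts
 no cdp enable                      ! per-interface CDP off (already covered by "no cdp run")
!
! --- Inside interface with OSPF MD5 authentication (answers 1 and 3) ---
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY   ! replace with a real shared key
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 area 0 authentication message-digest
```

After applying it, show ip interface Serial0/0 should report that ICMP redirects and unreachables are never sent and that proxy ARP is disabled, show cdp reports that CDP is not enabled, and show tcp intercept statistics shows the intercept counters once traffic reaches the protected server. The interface-level no cdp enable is kept only to illustrate answer 18; with no cdp run in place it has no additional effect.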

Chapter 5

Context-Based Access Control Configuration

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

Understanding the Cisco IOS Firewall

Configuring Context-Based Access Control

Establishing global timeouts and thresholds

Implementing Port-to-Application Mapping

Defining inspection rules

Defining inspection rules and ACLs applied to router interfaces

Verifying the Cisco IOS Firewall
