NETWORK ENVIRONMENT MANAGEMENT

NETWORK ENVIRONMENT MANAGEMENT Discovering Neighbors on the Network

CISCO DISCOVERY PROTOCOL Note: CDP is sent using multicast frames with the MAC address 0100.0ccc.cccc.

CDP continue
- Cisco Discovery Protocol is a proprietary utility that provides a summary of directly connected switches, routers, and other Cisco devices.
- Cisco Discovery Protocol discovers neighboring devices, regardless of which protocol suite they are running.
- Physical media must support the SNAP encapsulation.

DISCOVERING NEIGHBORS WITH CISCO DISCOVERY PROTOCOL
Cisco Discovery Protocol runs on Cisco IOS devices. Summary information includes:
- Device identifiers
- Address list
- Port identifier
- Capabilities list
- Platform
Emphasize: CDP is media- and protocol-independent and runs on all Cisco-manufactured equipment including routers, access servers, switches, and some managed hubs. With CDP, network management applications can retrieve the device type and SNMP agent address of neighboring devices. This capability enables applications to send SNMP queries to neighboring devices. CDP allows network management applications to dynamically discover Cisco devices that are neighbors. CDP runs on all media that support the Subnetwork Access Protocol, including LAN and Frame Relay. CDP runs over the data link layer only, not the network layer. Therefore, two systems that support different network-layer protocols can learn about each other. Cached CDP information is available to network management applications. Cisco devices never forward a CDP packet. When new information is received, old information is discarded. The holdtime determines how long to keep existing information from a neighbor.

USING CISCO DISCOVERY PROTOCOL
    RouterA# show cdp ?
      entry      Information for specific neighbor entry
      interface  CDP interface status and configuration
      neighbors  CDP neighbor entries
      traffic    CDP statistics
      <cr>

    RouterA(config)# no cdp run              ! Disable CDP globally
    RouterA(config)# interface serial0/0/0
    RouterA(config-if)# no cdp enable        ! Disable CDP on just this interface
Note: Some of the CDP commands are not available on the Catalyst 1900 switch, like cdp run, show cdp traffic, and show cdp entry.

USING THE SHOW CDP NEIGHBORS COMMAND
    RouterA# show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater
    Device ID    Local Intrfce   Holdtme   Capability   Platform    Port ID
    SwitchA      fa0/0           122       S I          WS-C2960-   fa0/2
    RouterB      s0/0/0          177       R S I        2811        s0/0/1
Emphasize: This graphic shows the show cdp neighbors command initiated from a router, which displays a summary of the capabilities and access details for the CDP neighbors. The show cdp neighbors detail command shows detailed information about the same devices.
Note: If the neighbor is a Catalyst 1900 switch, the switch MAC address is also displayed. If the switch is a 2900xl, its MAC address is not displayed.

USING THE SHOW CDP ENTRY COMMAND
    Device ID: RouterB
    Entry address(es):
      IP address: 10.1.1.2
    Platform: Cisco 2811, Capabilities: Router Switch IGMP
    Interface: Serial0/0/0, Port ID (outgoing port): Serial0/0/1
    Holdtime : 155 sec
    Version :
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Emphasize: The example shows what information can be obtained about RouterA’s neighbor. CDP is one way to learn about other Cisco devices on the network.

ADDITIONAL CISCO DISCOVERY PROTOCOL COMMANDS
    RouterA# show cdp traffic
    CDP counters :
        Total packets output: 8680, Input: 8678
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 5
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 8680, Input: 8678

    RouterA# show cdp interface s0/0/0
    Serial0/0/0 is up, line protocol is up
      Encapsulation PPP
      Sending CDP packets every 60 seconds
      Holdtime is 180 seconds
Note: The holdtime indicates how long the neighbor information will be kept in the local CDP table.

CREATING A NETWORK MAP

SUMMARY
- Cisco Discovery Protocol is an information-gathering tool used by network administrators to obtain information about directly connected devices.
- Cisco Discovery Protocol exchanges hardware and software device information with its directly connected Cisco Discovery Protocol neighbors.
- Cisco Discovery Protocol on a router can be enabled or disabled as a whole or on a port-by-port basis.
Purpose: This slide discusses the initial configurations on the routers and switches.
Note: There is no setup mode on the Catalyst 1900 switch.

Summary cont.
- The show cdp neighbors command displays information about the Cisco Discovery Protocol neighbors of a router.
- The show cdp entry, show cdp traffic, and show cdp interface commands display detailed Cisco Discovery Protocol information on a Cisco device.
- Using the information obtained from the show cdp command output, a network topology map can be created to aid troubleshooting.
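The topology-map step described in the CDP slides can be scripted. The following is an added example, not part of the original presentation: it parses `show cdp neighbors` output into a de-duplicated link list and reports neighbors that are missing from an expected inventory. It assumes the compact row layout shown on the slide (interface names without spaces); the function names, the RouterB output and the inventory are constructed for illustration.

```python
# Added example: link inventory from `show cdp neighbors` output.
# Assumes the row layout shown on this page; names below are hypothetical.

# Capability letters as listed in the command's own header.
CAPABILITY_CODES = {
    "R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
    "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater",
}

# The two neighbor rows from the slide, as seen from RouterA.
ROUTER_A_OUTPUT = """\
RouterA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID    Local Intrfce   Holdtme   Capability   Platform    Port ID
SwitchA      fa0/0           122       S I          WS-C2960-   fa0/2
RouterB      s0/0/0          177       R S I        2811        s0/0/1
"""

# Constructed sample: the same serial link as RouterB would report it.
ROUTER_B_OUTPUT = """\
RouterB# show cdp neighbors
Device ID    Local Intrfce   Holdtme   Capability   Platform    Port ID
RouterA      s0/0/1          151       R S I        2811        s0/0/0
"""


def parse_cdp_neighbors(text):
    """Return one dict per neighbor row found after the column header."""
    neighbors, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        tokens = line.split()
        # Skip lines before the header and rows without a numeric holdtime.
        if not in_table or len(tokens) < 5 or not tokens[2].isdigit():
            continue
        rest, caps = tokens[3:], []
        # Capability letters come first; the last two fields are platform, port.
        while len(rest) > 2 and rest[0] in CAPABILITY_CODES:
            caps.append(CAPABILITY_CODES[rest.pop(0)])
        if len(rest) != 2:
            continue  # platform with spaces or a wrapped row: not handled here
        neighbors.append({
            "device_id": tokens[0],
            "local_interface": tokens[1],
            "holdtime": int(tokens[2]),
            "capabilities": caps,
            "platform": rest[0],
            "port_id": rest[1],
        })
    return neighbors


def build_links(outputs):
    """Merge outputs keyed by the device they were run on into unique links.

    Each link is a sorted pair of (device, interface) endpoints, so a link
    reported from both ends is stored once.
    """
    links = set()
    for local_device, text in outputs.items():
        for n in parse_cdp_neighbors(text):
            ends = ((local_device, n["local_interface"]),
                    (n["device_id"], n["port_id"]))
            links.add(tuple(sorted(ends)))
    return sorted(links)


def unexpected_neighbors(outputs, inventory):
    """List (local device, local interface, neighbor) for unknown neighbors."""
    found = []
    for local_device, text in sorted(outputs.items()):
        for n in parse_cdp_neighbors(text):
            if n["device_id"] not in inventory:
                found.append((local_device, n["local_interface"], n["device_id"]))
    return found


if __name__ == "__main__":
    outputs = {"RouterA": ROUTER_A_OUTPUT, "RouterB": ROUTER_B_OUTPUT}
    for (dev_a, if_a), (dev_b, if_b) in build_links(outputs):
        print(f"{dev_a} {if_a} <-> {dev_b} {if_b}")
    for item in unexpected_neighbors(outputs, {"RouterA", "RouterB"}):
        print("not in inventory:", item)
```

Interfaces that report a neighbor outside the inventory are candidates for the per-interface `no cdp enable` shown earlier.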

MANAGING ROUTER STARTUP AND CONFIGURATION

ROUTER POWER-ON BOOT SEQUENCE
1. Perform power-on self-test (POST).
2. Load and run bootstrap code.
3. Find the Cisco IOS Software.
4. Load the Cisco IOS Software.
5. Find the configuration.
6. Load the configuration.
7. Run the configured Cisco IOS Software.
Emphasize: In a later slide, there is a very detailed flowchart of the router startup process.

ROUTER INTERNAL COMPONENTS
Note:
- RAM—Packet buffers, running configurations, running Cisco IOS
- ROM—POST, ROM monitor, baby Cisco IOS (Rxboot)
- NVRAM—Backup configurations, config register
- Flash—Cisco IOS
Flash memory is nonvolatile. It behaves like a file system. It is more expensive than NVRAM. It is readable and writeable. The 2500 routers run from Flash. If it is running Cisco IOS from Flash, then the Flash is in the readable state. Use the boot system command to boot Cisco IOS from a TFTP server so the 2500 can run from RAM if you need to write or erase Flash online.

ROM FUNCTIONS
Contains microcode for basic functions
Note: Mini Cisco IOS is the Rxboot mode. One use of the ROM monitor is for password recovery. From ROM monitor, you can set the config register to 0x2142 so the NVRAM will be ignored during startup.

FINDING THE CISCO IOS IMAGE
Order of search:
1. Checks configuration register
2. Parses configuration for boot system command
3. Defaults to first file in flash memory
4. Attempts to boot from network server
5. Boot helper image
6. ROMMON
Note: There is a detailed flowchart of the router startup process on the next slide.

LOADING THE CISCO IOS IMAGE FROM FLASH MEMORY
The flash memory file is loaded into RAM.
Note: The 2500 series routers do not operate this way. The 2500 series routers normally run Cisco IOS from Flash. The Cisco IOS in Flash is not compressed but it is relocatable. Relocatable means the Cisco IOS image can be run from Flash or from RAM. The 2500 can run from RAM if you use the boot system tftp command to boot the Cisco IOS image. The Rxboot mode is also run from RAM on the 2500 routers.

LOADING THE CONFIGURATION
- Load and execute the configuration from NVRAM.
- If no configuration is present in NVRAM, enter setup mode.
Emphasize: Using the default config register value (0x2102), the router will load the config from NVRAM at startup.

SHOW RUNNING-CONFIG AND SHOW STARTUP-CONFIG COMMANDS
Displays the current and saved configuration.
Purpose: This slide is a repeated slide from Chapter 4, “Operating and Configuring a Cisco IOS Device.”

DETERMINING THE CURRENT CONFIGURATION REGISTER VALUE
    Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Sat 14-Jan-06 03:19 by alnguyen

    ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

    RouterX uptime is 1 week, 5 days, 21 hours, 30 minutes
    System returned to ROM by reload at 23:04:40 UTC Tue Mar 13 2007
    System image file is "flash:c2800nm-ipbase-mz.124-5a.bin"

    Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.
    Processor board ID FTX1013A1DJ
    2 FastEthernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102
Emphasize: Use the show version command to display the value of the config register setting. When you change the config register, you will see the change from the show version output: Configuration register is 0x2102 (will be 0x2142 at next reload). The new config register value will be used at the next reload.

CONFIGURATION REGISTER VALUES
- Configuration register bits 3, 2, 1, and 0 set boot option.
- Check the configuration register value with the show version command.
Layer 4 of 4
Emphasize: Layer 4—Finishes with the third case, a boot field setting in the range of 0x2 to 0xF. The entry of a configuration register value in the 0x2 to 0xF range is significant. When the router attempts to boot from the net (Netboot), the bootstrap program generates a Cisco IOS filename based on the value of the boot field. For example, with the setting 0x2, the default Cisco IOS filename generated will be cisco2-xxxx, where xxxx refers to a processor name (for example, 2500). Again, refer students to the IMCR course for details. You use the config-register command to change the value. Notice that the bottom lines of the show version output indicate what value the config register will be on the next reload.

SHOW VERSION COMMAND
    Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Sat 14-Jan-06 03:19 by alnguyen

    ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

    RouterX uptime is 1 week, 5 days, 21 hours, 30 minutes
    System returned to ROM by reload at 23:04:40 UTC Tue Mar 13 2007
    System image file is "flash:c2800nm-ipbase-mz.124-5a.bin"

    Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.
    Processor board ID FTX1013A1DJ
    2 FastEthernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    239K bytes of non-volatile configuration memory.
    62720K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102 (will be 2104 at next reload)
Note: The current state of the Flash memory is in read-only mode. It is running Cisco IOS from Flash. This router has a total of 16 MB of Flash memory. The Flash contains one Cisco IOS image and there is 6.69 MB of available space left in Flash.

SHOW FLASH COMMAND
    RouterX#sh flash
    -#- --length-- -----date/time------ path
    1     14951648 Feb 22 2007 21:38:56 +00:00 c2800nm-ipbase-mz.124-5a.bin
    2         1823 Dec 14 2006 08:24:54 +00:00 sdmconfig-2811.cfg
    3      4734464 Dec 14 2006 08:25:24 +00:00 sdm.tar
    4       833024 Dec 14 2006 08:25:38 +00:00 es.tar
    5      1052160 Dec 14 2006 08:25:54 +00:00 common.tar
    6         1038 Dec 14 2006 08:26:08 +00:00 home.shtml
    7       102400 Dec 14 2006 08:26:22 +00:00 home.tar
    8       491213 Dec 14 2006 08:26:40 +00:00 128MB.sdf

    41836544 bytes available (22179840 bytes used)
Note: The current state of the Flash memory is in read-only mode. It is running Cisco IOS from Flash. This router has a total of 16 MB of Flash memory. The Flash contains one Cisco IOS image and there is 6.69 MB of available space left in Flash.

SUMMARY
- When a router boots, it performs tests, finds and loads software, finds and loads configurations, and finally runs the software.
- The major internal components of a router include RAM, ROM, flash memory, NVRAM, and the configuration register.
- When a router boots, it searches for the Cisco IOS Software image in a specific sequence: location specified in the configuration register, flash memory, a TFTP server, and ROM.
- The configuration register includes boot information specifying where to locate the Cisco IOS Software image. The register can be examined with a show command, and its value can be changed with the config-register global configuration command.
Purpose: This slide discusses the initial configurations on the routers and switches.
Note: There is no setup mode on the Catalyst 1900 switch.

MANAGING CISCO DEVICES

CISCO IOS FILE SYSTEM AND DEVICES Emphasize: In Cisco IOS Release 12.0, there are new copy commands. These new commands treat the RAM, Flash, NVRAM, TFTP, FTP, and so on as a file system. Since this class was developed when the most common Cisco IOS in the field is pre-12.0, these 12.0 commands are not covered in detail in this class.

MANAGING CISCO IOS IMAGES Emphasize: This section introduces topics on managing your configuration file and Cisco IOS image.

VERIFYING MEMORY AND DECIPHERING IMAGE FILENAMES
Verify that flash memory has room for the Cisco IOS image.
    RouterX# sh flash
    -#- --length-- -----date/time------ path
    1     14951648 Feb 22 2007 21:38:56 +00:00 c2800nm-ipbase-mz.124-5a.bin
    2         1823 Dec 14 2006 08:24:54 +00:00 sdmconfig-2811.cfg
    3      4734464 Dec 14 2006 08:25:24 +00:00 sdm.tar
    4       833024 Dec 14 2006 08:25:38 +00:00 es.tar
    5      1052160 Dec 14 2006 08:25:54 +00:00 common.tar
    6         1038 Dec 14 2006 08:26:08 +00:00 home.shtml
    7       102400 Dec 14 2006 08:26:22 +00:00 home.tar
    8       491213 Dec 14 2006 08:26:40 +00:00 128MB.sdf

    41836544 bytes available (22179840 bytes used)
Emphasize: The show flash command is an important tool to use to gather information about your router memory and image file. Caution students that they must know that they are loading the correct and appropriate image. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning:
- The first part of the image name contains the platform on which the image runs. In this example, the platform is C2500.
- The second part of the name identifies the special capabilities of the image file. A letter or series of letters identifies the feature sets supported in that image. In this example, the “j” indicates this is an enterprise image, and the “s” indicates it contains extended capabilities.
- The third part of the name specifies where the image runs and if the file is compressed. In this example, “l” indicates the file is relocatable and not compressed. Relocatable means the Cisco IOS can be run from Flash or from RAM. You should be careful in reading the Cisco IOS image filename. Some fonts display the lowercase letter “l” and the number 1 as the same character. How you enter the characters will impact the ability of the router to load the files correctly.
- The fourth part of the name indicates the version number. In this example, the version number is 12.0 (3).
- The final part of the name is the file extension. The .bin extension indicates this file is a binary executable file.
The Cisco IOS software naming conventions, name part field meaning, image content, and other details are subject to change. Refer to Cisco Connection Online (CCO) for updated details.

CREATING A SOFTWARE IMAGE BACKUP
Back up current files prior to updating flash memory.
    RouterX# copy flash tftp:
    Source filename []? c2800nm-ipbase-mz.124-5a.bin
    Address or name of remote host []? 10.1.1.1
    Destination filename [c2800nm-ipbase-mz.124-5a.bin]
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<output omitted>
    12094416 bytes copied in 98.858 secs (122341 bytes/sec)
    RouterX#
Purpose: This slide discusses how to create a backup version of a Cisco IOS software image to a TFTP server.
Emphasize: Routers by default come with Flash memory that has a preloaded copy of the Cisco IOS software. Although Flash is extremely reliable—good for 65 years and 100,000 rewrites—it is a good idea to make a backup copy of the Cisco IOS software if you have a TFTP server available. If you have to replace Flash memory for some reason, you will have a backup copy at the revision level currently running on your network. The copy command screen output varies depending on the Cisco IOS software level. Determine the platform type of your TFTP server prior to beginning the backup procedure. The TFTP server may be running Windows, UNIX, Mac, or other OS. Filename and directory access procedures may vary depending on the TFTP server platform and platform version.

UPGRADING THE IMAGE FROM THE NETWORK
    RouterX#copy tftp flash:
    Address or name of remote host [10.1.1.1]?
    Source filename []? c2800nm-ipbase-mz.124-5a.bin
    Destination filename [c2800nm-ipbase-mz.124-5a.bin]
    Accessing tftp://10.1.1.1/c2600-js-mz.122-21a.bin...
    Erase flash: before copying? [confirm]
    Erasing the flash filesystem will remove all files! Continue? [confirm]
    Erasing device... eeeeeeeeee (output omitted) ...erased
    Erase of flash: complete
    Loading c2800nm-ipbase-mz.124-5a.bin from 10.1.1.1 (via Ethernet0/0): !!!!!!!!!!!!!!! (output omitted)
    [OK - 12094416 bytes]
    Verifying checksum... OK (0x45E2)
    12094416 bytes copied in 120.465 secs (100398 bytes/sec)
    RouterX
Purpose: This slide describes how to load a backup version of a Cisco IOS software image from a TFTP server to the router.
Emphasize: If you need more Flash space to load a copy of the Cisco IOS software, you must first erase the Flash memory. You cannot erase a single image—you must erase all copies of Cisco IOS software from Flash. However, if Flash memory on the router is partitioned, you can erase one or more of the parts. After the TFTP transfer is completed, use the show flash command to view the file size to compare its size with that of the original on the server. If the Cisco IOS is running from Flash, then the Flash is in the read-only state. To change the Flash to a writeable state, you can use the boot system TFTP command to boot a Cisco IOS from a TFTP server and the Cisco IOS will be run from RAM, or you can go to the Rxboot mode to perform the copy.

DEVICE CONFIGURATION FILES

CISCO IOS COPY COMMAND
[Figure: copy command diagram; labels: NVRAM, Terminal, TFTP server, Erase start]

CISCO IOS COPY COMMAND EXAMPLE Note: Cisco IOS Release 12.0 supports a new syntax for the copy command.

COPY RUN TFTP AND COPY TFTP RUN COMMANDS
    RouterX#copy running-config: tftp:
    Address or name of remote host []? 10.1.1.1
    Destination filename [running-config]? wgroa.cfg
    .!!
    1684 bytes copied in 13.300 secs (129 bytes/sec)

    RouterX#copy tftp: running-config:
    Source filename []? wgroa.cfg
    Destination filename [running-config]?
    Accessing tftp://10.1.1.1/wgroa.cfg...
    Loading wgroa.cfg from 10.1.1.1 (via Ethernet0): !
    [OK - 1684/3072 bytes]
    1684 bytes copied in 17.692 secs (99 bytes/sec)
Note: Cisco IOS Release 12.0 supports a new syntax for the copy command.

SHOW AND DEBUG COMMANDS

CONSIDERATIONS WHEN USING DEBUG COMMANDS
- May generate output in a variety of formats that may not identify the problem
- Require high overhead, possibly disrupting network device operation
- Useful for obtaining information about network traffic and router status

COMMANDS RELATED TO DEBUG
    RouteX(config)# service timestamps debug datetime msec
Adds a time stamp to a debug or log message
    RouteX# show processes
Displays the CPU utilization for each process
    RouteX# no debug all
Disables all debug commands
    RouteX# terminal monitor
Displays debug output on your current vty session

SUMMARY
- The Cisco IFS feature provides a single interface to all the file systems (NVRAM, RAM, TFTP, flash) that a router uses.
- As a network grows, storage of the Cisco IOS Software and configuration files on a central server enables control of the number and revision level of software images and configuration files that must be maintained.
- Having proper backup of the current device configuration stored in a TFTP server can help reduce device downtime.
Purpose: This slide discusses the initial configurations on the routers and switches.
Note: There is no setup mode on the Catalyst 1900 switch.

SUMMARY (CONT.)
- The Cisco IOS Software copy commands can be used to move configurations from one component or device to another, such as RAM, NVRAM, or a file server.
- The show and debug commands are built-in tools for troubleshooting. The show command is used to display static information, while the debug command is used to display dynamic data.

SECURING THE NETWORK

CLOSED NETWORKS
Attacks from inside the network remain a threat.

OPEN NETWORKS

THREAT CAPABILITIES— MORE DANGEROUS AND EASIER TO USE

E-BUSINESS CHALLENGE

ADVERSARIES, ADVERSARY MOTIVATIONS, AND CLASSES OF ATTACK
Adversaries: Nation-states, Terrorists, Criminals, Hackers, Crackers, Competitors, “Script kiddies”, Disgruntled employees, Government
Motivations: Intelligence, Theft, DoS, Embarrassment, Challenge
Classes of attack: Passive, Active, Close-in, Insider, Distributed

COMMON THREATS
- Physical installations
    - Hardware threats
    - Environmental threats
    - Electrical threats
    - Maintenance threats
- Reconnaissance attacks—Learning information about a target network by using readily available information and applications
- Access attacks—Attacks on networks or systems for these reasons:
    - Retrieve data
    - Gain access
    - Escalate their access privileges
- Password attacks—Tools used by hackers to compromise passwords

PASSWORD ATTACK THREAT MITIGATION
Here are password attack threat-mitigation techniques:
- Do not allow users to use the same password on multiple systems.
- Disable accounts after a certain number of unsuccessful login attempts.
- Do not use cleartext passwords.
- Use “strong” passwords; for example, “mY8!Rthd8y” rather than “mybirthday.”

SUMMARY
- Sophisticated attack tools and open networks continue to generate an increased need for network security policies and infrastructure to protect organizations from internally and externally based attacks.
- Organizations must balance network security needs against e-business processes, legal issues, and government policies.
- Establishing a network security policy is the first step in changing a network over to a secure infrastructure.
- Network adversaries come in many shapes and sizes and with multiple motivations.

SUMMARY (CONT.)
- It is very important to provide physical installation security for enterprise network devices.
- Password attack threats can be mitigated:
    - Restrict password use.
    - Disable accounts after unsuccessful logins.
    - Do not use cleartext passwords; use strong passwords.

Managing the Configuration Register
You can change the configuration register value to modify how the router boots and runs. These are the main reasons you would want to change the configuration register:
- To force the system into the ROM monitor mode
- To select a boot source and default boot filename
- To enable or disable the Break function
- To control broadcast addresses
- To set the console terminal baud rate
- To load operating software from ROM
- To enable booting from a Trivial File Transfer Protocol (TFTP) server

Configuration Register
[Figure: configuration register bit positions, with 0x2102 as the example value]

Boot Field Configuration Register Bit Descriptions
- 0000 (0x0): At the next power cycle or reload, the router boots to the ROM monitor (bootstrap program). To use the ROM monitor, you must use a terminal or PC that is connected to the router console port. For information about connecting the router to a PC or terminal, see the hardware installation guide for your router. In ROM monitor mode, you must manually boot the system image or any other image by using the boot ROM monitor command.
- 0001 (0x01): Boots the first image in flash memory as a system image.
- 0010 – 1111 (0x2 – 0xF): At the next power cycle or reload, the router sequentially processes each boot system command in global configuration mode that is stored in the configuration file until the system boots successfully. If no boot system commands are stored in the configuration file, or if executing those commands is unsuccessful, then the router attempts to boot the first image file in flash memory.

Boot fields of the Configuration Register
    Bit         Hex              Meaning
    0–3         0x0000–0x000F    Boot field (see Table 5.4).
    6           0x0040           Ignore NVRAM contents.
    7           0x0080           OEM bit enabled.
    8           0x0100           Break disabled.
    10          0x0400           IP broadcast with all zeros.
    5, 11–12    0x0800–0x1000    Console line speed.
    13          0x2000           Boot default ROM software if network boot fails.
    14          0x4000           IP broadcasts do not have net numbers.
    15          0x8000           Enable diagnostic messages and ignore NVRAM contents.

Password Recovery
1. Boot the router and interrupt the boot sequence by performing a break, which will take the router into ROM monitor mode.
2. Change the configuration register by turning on bit 6 (with the value 0x2142).
3. Reload the router.
4. Enter privileged mode.

Password Recovery (cont)
5. Copy the startup-config file to running-config.
6. Change the password.
7. Reset the configuration register to the default value.
8. Save the router configuration.
9. Reload the router (optional).
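The register bit table and the "reset the configuration register" step of the recovery procedure can be checked together from `show version` output. The following is an added example, not part of the original presentation: it decodes a register value with the bit meanings listed above and reports a device that booted, or will next boot, with NVRAM ignored or into ROM monitor. Function names and the sample lines are constructed; the console-speed bits are left undecoded because the slides give no speed mapping.

```python
# Added example: decode and audit the configuration register line of
# `show version`. Names and sample lines are constructed for illustration.
import re

DEFAULT_REGISTER = 0x2102   # default value named in the slides
IGNORE_NVRAM_MASK = 0x8040  # bit 6 and bit 15 both ignore NVRAM contents

# Single-bit flags from the bit table above (bit number -> meaning).
FLAG_BITS = {
    6: "Ignore NVRAM contents",
    7: "OEM bit enabled",
    8: "Break disabled",
    10: "IP broadcast with all zeros",
    13: "Boot default ROM software if network boot fails",
    14: "IP broadcasts do not have net numbers",
    15: "Enable diagnostic messages and ignore NVRAM contents",
}

# Matches both "0x2142" and the bare "2104" form seen in the slides.
REGISTER_LINE = re.compile(
    r"Configuration register is (?:0x)?([0-9A-Fa-f]+)"
    r"(?: \(will be (?:0x)?([0-9A-Fa-f]+) at next reload\))?"
)

# Constructed sample lines in the format `show version` prints.
SAMPLES = {
    "default": "Configuration register is 0x2102",
    "recovery pending": "Configuration register is 0x2102 (will be 0x2142 at next reload)",
    "recovery left on": "Configuration register is 0x2142",
}


def decode_register(value):
    """Split a register value into its boot field and the flags that are set."""
    boot_field = value & 0x000F
    if boot_field == 0:
        boot = "ROM monitor"
    elif boot_field == 1:
        boot = "first image in flash memory"
    else:
        boot = "boot system commands, then first image in flash memory"
    flags = [name for bit, name in sorted(FLAG_BITS.items()) if value & (1 << bit)]
    return {
        "boot_field": boot_field,
        "boot": boot,
        "flags": flags,
        "ignores_nvram": bool(value & IGNORE_NVRAM_MASK),
    }


def parse_show_version(text):
    """Return (current, pending) register values; pending is None if unchanged."""
    match = REGISTER_LINE.search(text)
    if match is None:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else None
    return current, pending


def audit_register(text):
    """Return findings for register states that bypass the saved configuration."""
    current, pending = parse_show_version(text)
    at_reload = current if pending is None else pending
    findings = []
    if decode_register(current)["ignores_nvram"]:
        findings.append(
            f"booted with 0x{current:04X}: NVRAM ignored, startup-config not loaded")
    next_boot = decode_register(at_reload)
    if next_boot["ignores_nvram"]:
        findings.append(
            f"next reload uses 0x{at_reload:04X}: NVRAM ignored; "
            f"reset with config-register 0x{DEFAULT_REGISTER:04X}")
    if next_boot["boot_field"] == 0:
        findings.append(f"next reload uses 0x{at_reload:04X}: stops in ROM monitor")
    return findings


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, "->", audit_register(line) or "ok")
```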

END Questions