 |
 |
 |
|
|
|
Learning Resources
Technical Tips
|
|
|
|
|
PASSWORD ENCRYPTION:
|
|
Service password-encryption:
The service password-encryption command configures the router to encrypt all passwords entered after the command has been issued, as well as all passwords already on the running configuration. Example:
router#show run
enable password cisco
!
no service password-encryption << default
router(config)#line console 0
router(config-line)#password san-fran
router#show run
enable password cisco << not encrypted
!
line console 0
password san-fran << not encrypted
router(config)#service password-encryption
router(config)#line vty 0 4
router(config-line)#password sanjose
router#show run
enable password 7 045802150C2E << password previously configured now encrypted
!
line console 0
password 7 111A180B5A14190D0A << password previously configured now encrypted
!
line vty 0 4
password 7 001712080E541803 << newly configured password encrypted
!
service password-encryption
If the no service password-encryption command is now entered, newly configured passwords are not encrypted but passwords already encrypted on the running configuration remain encrypted, unless overwritten by a new password. Example.
Router(config)#no service password-encryption
router#show run
enable password 7 045802150C2E << still encrypted
!
line console 0
password 7 111A180B5A14190D0A << still encrypted
!
line vty 0 4
password 7 001712080E541803 << still encrypted
!
no service password-encryption
router(config)#line vty 5 10
router(config-line)#password cisco2
router#show run
enable password 7 045802150C2E << still encrypted
!
line console 0
password 7 111A180B5A14190D0A << still encrypted
!
line vty 0 4
password 7 001712080E541803 << still encrypted
!
line vty 5 10
password cisco2 << not encrypted
!
no service password-encryption
router(config)#enable password cisco3
router#show run
enable password cisco3 << not encrypted
!
line console 0
password 7 111A180B5A14190D0A << still encrypted
!
line vty 0 4
password 7 001712080E541803 << still encrypted
!
line vty 5 10
password cisco2 << not encrypted
!
no service password-encryption
Note: the number 7 indicates the password has been encrypted by the service password-encryption feature. This encryption process is weak and therefore the passwords can be easily decrypted.
Enable secret:
When both the enable secret password and the enable password are configured, the enable secret takes precedence over the enable password. In other words, a user needs to enter the enable secret password rather than the enable password to get into privileged mode.
The enable password is subject to the use of the service password-encryption feature as described above. On the other hand, the enable secret is always "encrypted". This password is actually stored as an MD5 hashed value, which makes the password harder to break. In the output of the show running-config command, the hashed password is displayed preceded by a 5 indicating it is a hash value. Example.
enable secret 5 $1$ns9Q$xX2gbQVS9otxZzUVxKqqx1
enable password 7 060506324F41 (with service password-encryption on)
Username passwords:
The password used for local authentication (username name password command) can also be encrypted as the enable password by using the keyword secret instead of password. Example.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username student1 secret cisco
R1#show run
Building configuration...
username student1 secret 5 $1$QAqq$EvtkeJ6gn0n6bYUv9q3g/.
ACCESS-LIST MONITORING AND ACCOUNTING:
|
|
Access list logging allows recording of ACL violations and can be used to characterize traffic associated with network attacks, by logging the suspect traffic.
Older Cisco IOS software versions only supported logging using the log keyword at the end of an extended ACL command. This option causes logging of the IP addresses and port numbers associated with packets matching an access list entry. Newer versions of IOS also provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it.
Either option causes an informational logging message about the matching packet to be sent to the console (by default). The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
This logging mechanism may drop some messages if either too many messages or more than one message in 1 second need to be displayed. This prevents the router from crashing due to too many logging packets. Therefore, the logging facility cannot be treated as an accurate source of information in terms of number of matches to an access list.
A more accurate tracking tool is accounting on the interface:
ip accounting [access-violations] [output-packets]
To display IP access violations use the following command:
show ip accounting access-violations
which shows information about packets that failed access lists and were not routed. Example:
Router# show ip accounting access-violations
| Source |
Destination |
Packets |
Bytes |
ACL |
| 131.108.19.40 |
192.67.67.20 |
7 |
306 |
77 |
| 131.108.13.55 |
192.67.67.20 |
67 |
2749 |
185 |
| 131.108.2.50 |
192.12.33.51 |
17 |
1111 |
140 |
| 131.108.2.50 |
130.93.2.1 |
5 |
319 |
140 |
Additional note:
Hits on the log will not account for packets discarded by the implicit deny any at the end of the ACL. If tracking of these packets is required, adding an explicit deny any at the end of the ACL will enable the router to track these packets as well.
|
|
ROUTER REDUNDANCY PROTOCOLS (MHSRP, VRRP, AND GLBP):
|
|
The MHSRP (Multiple Hot Standby Routing Protocol) from Cisco and the non-proprietary VRRP (Virtual Router Redundancy Protocol) specified on RFC3768, allow not only redundancy for the Default Gateway used by computers on a VLAN, but also provide load balancing among the multiple routers that might be present in that VLAN.
When using either one of these redundancy protocols, load balancing can be achieved by creating two or more redundancy (HSRP/VRRP) groups, each with a different Virtual Router IP address. Then, different groups of computers within the VLAN are assigned the different virtual addresses as their Default Gateway. The question is: what if the Default Gateway is assigned via DHCP?
First of all, router redundancy can also be implemented using Cisco’s GLBP (Gateway Load Balancing Protocol). This protocol also allows two or more routers to actively participate in the forwarding of traffic coming from users within the same VLAN, but in this case, load balancing is accomplished by alternating the MAC addresses given to users as replies to their ARP requests for the Default Gateway’s MAC address, and not by assigning different Default Gateway IP addresses. Then, the network administrator does not have to worry about answering the above question. It is no longer an issue.
However, in some situations, GLBP is not an option and either MHSRP or VRRP has to be used. In this case, one option is to set up two or more DHCP scopes, each with a different Default Gateway address. When the first scope has assigned all its addresses, the second scope would be used, and so forth.
Another alternative is to divide the scope into two or more blocks and have two or more DHCP servers. Each server gets a portion of the scope and assigns a different Default Gateway address.
|
|
STP PROTECTION:
|
Cisco provides three different mechanisms to protect the STP topology from loops or undesired topology changes caused by addition of switches, misconfiguration of devices or even malicious attempts to override the current Spanning Tree Root Bridge. These three features are:
- Root Guard
- BPDU Guard
- BPDU filtering.
BPDU Guard and BPDU filtering can be used to protect against possible loops created by switches added on ports configured with the STP Port Fast feature. Root Guard can be used to protect against added switches attempting to become the Root Bridge.
The behavior of a port running each feature can be described this way:
BDPU Guard: the port gets error disabled if any BPDU is received; "You cannot talk STP with me; I'll shut you down if you try"
Root Guard: BPDUs are allowed as long as they are inferior BPDUs. If a superior BPDU is received the port is disabled (Root Inconsistent); "We can talk STP as long as you don't try to become the Root Bridge, I'll shut you down if you try"
BPDU filtering:
- When configured globally: The port looses its Port Fast status if a BPDU is received; "We are not supposed to talk STP, but if you want I'll talk to you, you will have to obey the regular STP rules though)”
- When configured on an interface: the port ignores any received BPDU and do not send any BPDU; "I don't want to talk STP with you, I'll just ignore you if you try"
|
|
|
|
|
 |
|
|
Experience the beauty of Paradise Island. Win a trip to the Bahamas!
