Archive for the ‘CCIE Security’ Category

related to CCIE Bootcamp.

February 7th, 2012   by Daniel

It is aimed at selecting the best professionals in the networking industry for well-known companies, providing opportunities in their technical departments. To obtain CCIE certification, applicants must pass two required selection tests. First, the written exam must be passed, after which candidates can sit for the Lab exam. Only the short-listed candidates can obtain CCIE certification. CCIE Bootcamps were created to prepare candidates for the CCIE exams.

CCIE Bootcamps offer the most straightforward way of passing the CCIE exams. A number of companies and institutes, such as Cathay School, provide CCIE Bootcamp training. To qualify for the bootcamps, the institutes usually set a prerequisite, which helps improve the applicants' chances of passing the CCIE exams compared with most people. This prerequisite is CCNP status.

The fee for taking the CCIE Security exam is high, so most candidates take a preparation course in order to pass it in one sitting. Some independent organizations and institutions offer courses and workshops for those seeking CCIE Security training. However, most candidates prefer the instructor-led and online workshops that Cisco offers as part of its Authorized Learning Partners program. The training facilities are provided and the instructors are approved by Cisco.

For the CCIE Security certification, you must register for the written exam in your area of specialization. All exams are taken at a Cisco-approved facility, which also accepts payment for the exam. The cost of taking a CCIE written exam ranges from $80 to $325. The written exam is proctored and taken on a computer. It is a one- or two-hour paper consisting of multiple-choice, drag-and-drop and fill-in-the-blank questions. Apart from whiteboards and markers for calculations, a candidate for the CCIE Security exam is not allowed to bring any other item into the exam hall.

CCIE Bootcamps use a number of methods to deliver the best preparation material to students. They mainly provide some must-have books to prepare for the written CCIE exam, together with online access for the Lab exam. Based on these two categories, a CCIE Bootcamp is divided into two parts: the class structure and the lab simulation. The class structure involves two phases, hands-on training and lecture-based classes, in which students learn topics such as bit splitting and VLSM. The lab simulation, however, is the most important part of a CCIE Bootcamp. Here students work through a number of real-life scenarios and their troubleshooting skills are tested accordingly. This is the final phase of the bootcamp, where students are prepared for Blueprintv4, MPLS and so on. These methods help students troubleshoot real-life problems and improve their ability to find the right answers.

However, only a few trusted institutes on the market offer complete CCIE Bootcamps. One of the well-known institutes is Cathay School, which provides good service for CCIE bootcamps. It offers bootcamp facilities to a large number of students from around the world, including Australia, Norway, the United Kingdom, Sweden, the USA and many more. According to the institute's data, it has maintained a record pass rate in the CCIE exam since 2005. This record is itself a form of guarantee. There are many reasons to choose Cathay School for CCIE Bootcamps. The record pass rate of nearly 90% is its most attractive feature. Another notable feature is the one-to-one lab training, which helps students clear up any doubts about a problem with the instructors.

Details about the bootcamp are available on the official website, cathayschool.com. It is an easy-to-use site that offers a number of facilities such as online Self-Study CCIE Lab Workbooks, one-on-one online training, instructor-led training and so on. All the services, course durations and fees are described there, so customers need not face any difficulty regarding CCIE Bootcamps.

Post in CCIE Security | No Comments »

CCIE Lab Exam - Some Useful Tips and Guidance

January 10th, 2012   by Daniel


Using CCIE, professionals have an opportunity to establish themselves in the field of networking. Only a few thousand people are believed to clear the CCIE exam. CCIE labs are considered to provide a high-level training environment, which is a major benefit for candidates.

The CCIE exam involves two tests: a CCIE written test and a CCIE lab exam. To attempt the lab exam, you must clear the written exam. If you are not able to clear the written exam the first time, you must wait 180 days before retaking it. After clearing the written test, it is best to attempt the CCIE lab exam within 18 months. If you are unable to clear the lab exam, you can re-attempt within 12 months in order to keep the written exam result valid.

The written exam has a time limit of two hours and is conducted in test centers worldwide. The topics covered in the written exam depend on the specialization or track you choose. For service provider, you can choose from categories such as Cable, DSL, IP Telephony, Dial, Content Networking, Optical, WAN switching, and Metro Ethernet. Every written exam is made available in beta form at a cost of $50 USD.

The CCIE lab exam is unique in nature: it is an eight-hour exam that tests the candidate's ability to configure and troubleshoot networking equipment. Cisco has high-end equipment in its CCIE labs for use in the lab exams. The blueprint of the lab exam is available on its website. The lab exam is not available at all Pearson VUE or Prometric testing centers.

A typical CCIE R&S lab exam contains a two-hour troubleshooting section in which you are presented with a series of tickets for preconfigured networks in the CCIE labs. You need to be able to identify and resolve the faults. You can proceed to the configuration section after you finish the troubleshooting section.

A valid passing score is necessary to attempt a CCIE lab exam. Cisco uses proctors to evaluate candidates in the preliminary rounds at its CCIE Lab Exam locations worldwide. Points are awarded when a criterion is met, and grading is done using automated tools. The results of a lab exam are available within 48 hours. The result shows a pass/fail, and in case of a fail, the areas where you are lacking are listed so that you can prepare properly before a re-attempt.

Cisco stands out in the field of networking by offering the CCIE certification, so that you can pursue your education and be recognized by a reputed organization. The CCIE lab exam can be used as a platform to test your ability in the various tracks offered by Cisco. Attempting a lab exam requires rigorous training and deep understanding. The CCIE labs are the first step toward a great career.

Post in CCIE Security | Comments Closed

CCIE Bootcamp and so are the Bootcamp Coaching affords provided by CathaySchool?

January 9th, 2012   by Daniel


Post in CCIE Security | Comments Closed

Recommended CCIE Instruction

January 7th, 2012   by Daniel

You do not need any other professional training or course certificate to qualify. The CCIE Security certification consists of a written exam to qualify and then the lab exam. You are advised to have at least 3-5 years of job experience before seeking this certification.

The written exam for CCIE Security is two hours long with multiple-choice questions. It consists of one hundred questions covering topics such as application protocols, operating systems, security technologies, security protocols, and Cisco security applications. The exam materials are provided on the spot, and you are not allowed to bring in outside reference materials.

Network engineers holding a CCIE certificate are regarded as experts in the network engineering field and masters of Cisco products. The CCIE has brought about a revolution in the networking field when it comes to technically challenging assignments and solutions with the necessary tools and methodologies. There is a program that updates and reorganizes the tools to provide better service. There are several modes of CCIE training, such as written exam preparation and performance-based labs. This helps to strengthen the efficiency and standard of the industry. Cisco launched this certification program in 1993 in order to distinguish the top professionals from the rest.

To be certified, the written exam must be passed first, followed by the lab exam. Cisco always tries to apply a variety of CCIE training methods for better efficiency. There are several steps to CCIE certification. The first step is to pass a two-hour, computer-based, multiple-choice written exam. Payment for this exam must be made online. The exam is associated with exam vouchers and promotional codes. Candidates should make sure the organization issuing the voucher is authentic. The promotional code must be obtained properly; fraudulent vouchers and promotional codes are not accepted, and Cisco will not refund the cost. Candidates must wait five days for the written exam after payment, and they cannot sit for the same exam for the next 180 days in case of recertification.

To become certified, a few points should be kept in mind. After passing the written exam, candidates have a maximum of 18 months to attempt the lab exam. If this period is exceeded, the written exam result becomes invalid. For first-time candidates for CCIE certification, the written exam is available in the form of a Beta exam at a discount. During the Beta period, candidates can sit for the exam only once. The results arrive within six to eight weeks after the exam is over.

The next step for CCIE certification is the Lab exam. Only candidates who passed the written exam can apply for the hands-on lab exam. Although Cisco has many written exam centers, Lab exam centers are limited. It is an 8-hour, hands-on practical exam in which the ability to troubleshoot and configure network-based problems and applications is tested. To schedule the Lab exam, candidates must present the identification number from the earlier written exam together with the passing score and the date of passing.

The fee for the Lab exam must be paid at least ninety days before the scheduled exam. Without payment, the reservation may be cancelled. After passing the Lab exam along with the written exam, candidates can apply for CCIE certification. By keeping in mind the information in these guidelines, it is possible to obtain the Cisco certification.

Post in CCIE Security | Comments Closed

Setting the DSCP or TOS Field

January 6th, 2012   by Daniel

The solution to this problem depends on the type of traffic distinctions you want to make, as well as the version of IOS you are running on your routers.

There must be something that defines the different types of traffic that you wish to prioritize. In general, the simpler the distinctions are to make, the better. This is because all of the tests take router resources and introduce processing delays. The most common rules for distinguishing between traffic types use the packet's input interface and simple IP header information such as TCP port numbers. The following examples show how to set an IP Precedence value of immediate (2) for all FTP control traffic that arrives through the serial0/0 interface, and an IP Precedence of priority (1) for all FTP data traffic. This distinction is possible because FTP control traffic uses TCP port 21, and FTP data uses port 20.

The new method for configuring this uses class maps. Cisco first introduced this feature in IOS Version 12.0(5)T. This method first defines a class-map that specifies how the router will identify this type of traffic. It then defines a policy-map that actually makes the changes to the packet's TOS field:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#class-map match-all ser00-ftpcontrol
Router(config-cmap)#description branch ftp control traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#class-map match-all ser00-ftpdata
Router(config-cmap)#description branch ftp data traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 102
Router(config-cmap)#exit
Router(config)#policy-map serialftppolicy
Router(config-pmap)#description branch ftp traffic policy
Router(config-pmap)#class ser00-ftpcontrol
Router(config-pmap-c)#set ip precedence immediate
Router(config-pmap-c)#exit
Router(config-pmap)#class ser00-ftpdata
Router(config-pmap-c)#set ip precedence priority
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial0/0
Router(config-if)#ip route-cache policy
Router(config-if)#service-policy input serialftppolicy
Router(config-if)#exit
Router(config)#end
Router#

For earlier IOS versions, where class-maps were not available, you have to use policy-based routing to alter the TOS field in a packet. Applying this policy to the interface tells the router to use this policy to test all incoming packets on this interface and rewrite the ones that match the route map:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 101
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#exit
Router(config)#route-map serialftp-rtmap permit 20
Router(config-route-map)#match ip address 102
Router(config-route-map)#set ip precedence priority
Router(config-route-map)#exit
Router(config)#interface serial0/0
Router(config-if)#ip policy route-map serialftp-rtmap
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#end
Router#

Before you can tag a packet for special treatment, you have to have an extremely clear idea of what kinds of traffic need special treatment, as well as precisely what sort of special treatment they will need. In the example, we have decided to give a special priority to FTP traffic received on a particular serial interface. We show how to do this using both the old and new configuration methods.

This may seem to be a somewhat artificial example. After all, why would you care about tagging inbound traffic that you have already received from a low-speed interface? In fact, one of the most important principles for implementing QoS in a network is that you should always tag the packet as early as possible, ideally at the edges of the network. Then, as it passes through the network, each router only needs to look at the tag, and doesn't need to do any additional classification. In this case, we would ensure that the FTP traffic returning in the other direction is tagged by the first router that receives it. So the outbound traffic has already been tagged, and it is a waste of router resources to reclassify the outbound packets.

Many organizations actually take this idea of marking at the edges one step further, and remark all received packets. This helps to ensure that users are not requesting special QoS privileges that they aren't allowed to have. However, you should be careful of this because it can sometimes disrupt legitimate markings. For example, a real-time application may use RSVP to reserve bandwidth through the network. It is necessary that the packets for this application have the appropriate Expedited Forwarding (EF) DSCP marking or the network may not handle them correctly. However, you also don't want to let other non-real-time applications from this same source have the same EF priority level. So, if you are going to configure your routers to remark all incoming packets at the edges, make sure that you know what incoming markings are legitimate.

In that case, the routers are running DLSw to bridge SNA traffic through an IP network, so the routers themselves actually create the IP packets. This creates an additional challenge because there is no incoming interface, so that recipe uses local policy-based routing. The fact that the router creates the packets also gives it an important advantage, because it doesn't have to consider any DLSw packets that might just happen to pass through.

The advantages of the newer class-map method are not obvious in this example, but one of the biggest advantages appears when you want to use the more modern DSCP tagging scheme. Because the older policy-based routing method doesn't directly support DSCP, you have to fake it by setting both the IP Precedence and the TOS separately as follows.

Router(config)#route-map serialftp-rtmap permit 10
Router(config-route-map)#match ip address 115
Router(config-route-map)#set ip precedence immediate
Router(config-route-map)#set ip tos max-throughput

In this case, the packet will wind up with an IP Precedence value of immediate, or 2 (010 in binary), and TOS of max-throughput, or 4 (0100 in binary).

Doing the same thing with the class-map method is much more direct:

Router(config)#policy-map serialftppolicy
Router(config-pmap)#class serialftpclass
Router(config-pmap-c)#set ip dscp af21
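
The bit arithmetic behind the two snippets above, together with the edge re-marking caution from earlier in this recipe, as an added Python example (not code from the original post). The trusted subnet 10.1.20.0/24 and the packet source addresses are constructed, and preserving the low two bits of the byte when re-marking is an assumption of this sketch.

```python
import ipaddress

# IOS keyword -> value for "set ip precedence" (top 3 bits of the TOS byte)
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
# IOS keyword -> value for "set ip tos" (the 4 TOS bits below precedence)
TOS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
       "max-throughput": 4, "min-delay": 8}


def tos_byte(precedence, tos="normal"):
    """Build the 8-bit header field laid out as PPP TTTT 0."""
    return (PRECEDENCE[precedence] << 5) | (TOS[tos] << 1)


def dscp_of(byte):
    """DSCP is the top six bits of the same byte."""
    return (byte & 0xFF) >> 2


def dscp_name(dscp):
    """Name a DSCP code point the way 'set ip dscp' spells it."""
    if dscp == 0:
        return "default"
    if dscp == 46:
        return "ef"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if dscp & 1 == 0:
        if drop == 0:
            return f"cs{cls}"          # class selector = plain IP Precedence
        if 1 <= cls <= 4:
            return f"af{cls}{drop}"    # assured forwarding class/drop level
    return str(dscp)


# Constructed trust table: which source networks may keep which markings.
# Here only the real-time subnet is allowed to keep EF (DSCP 46).
TRUSTED = {ipaddress.ip_network("10.1.20.0/24"): {46}}


def remark_at_edge(src_ip, byte_in, trusted=TRUSTED):
    """Keep a marking only if this source is trusted to set it, else reset
    the DSCP to default. The low two bits are passed through unchanged."""
    src = ipaddress.ip_address(src_ip)
    dscp = dscp_of(byte_in)
    allowed = any(src in net and dscp in ok for net, ok in trusted.items())
    new_dscp = dscp if allowed else 0
    return (new_dscp << 2) | (byte_in & 0x03)


if __name__ == "__main__":
    b = tos_byte("immediate", "max-throughput")
    print(f"precedence immediate + tos max-throughput = 0x{b:02x}, "
          f"dscp {dscp_of(b)} ({dscp_name(dscp_of(b))})")
    # Constructed packets: (source address, incoming TOS byte)
    for src, byte in [("10.1.20.5", 0xB8), ("10.1.30.9", 0xB8), ("10.1.20.5", 0x48)]:
        out = remark_at_edge(src, byte)
        print(f"{src} in=0x{byte:02x} out=0x{out:02x} ({dscp_name(dscp_of(out))})")
```
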

Class-maps will also be useful later in this chapter when we talk about class-based weighted fair queuing and class-based traffic shaping.
It is important to note that throughout this entire example, we have only put a special value into the packet's TOS or DSCP field. This, by itself, doesn't affect how the packet is forwarded through the network. To do that, you must ensure that as each router in the network forwards these marked packets, the interface queues react appropriately to this information.

Finally, note that while this recipe shows two useful methods of marking packets, you can also mark them using Committed Access Rate (CAR) features. CAR tends to be more efficient on higher-speed interfaces.

Post in CCIE Security | Comments Closed

CCIE Lab Exam - Setting the OSPF RID

December 30th, 2011   by Daniel

There are several ways to set the OSPF Router ID (RID). The easiest is to create and configure a Loopback interface:
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Loopback0
Router5(config-if)#ip address 172.25.25.6 255.255.255.255
Router5(config-if)#exit
Router5(config)#end
Router5#
If you don't want to use a Loopback interface, you can still force the router ID to use a particular IP address with the router-id configuration command:
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#router ospf 87
Router5(config-router)#router-id 172.25.1.7
Router5(config-router)#exit
Router5(config)#end
Router5#
If you don't use either of these methods, the router will select the highest IP address from its interfaces and use this as the OSPF RID. The trouble with doing this is that you might add a new IP address to the router at some point. If this new address is higher than the previous RID, the router will change its RID the next time OSPF restarts. This could have strange consequences because if the interface priorities are the same, OSPF uses the highest RID to select the DR.
We recommend using the Loopback interface method. Loopback interfaces ensure there is a single unique IP address for every router in the network, which is extremely useful for network management. Further, it is common to configure your loopback addresses in DNS, but not to necessarily include all of your interfaces.
In IOS level 12.0, Cisco introduced a new way to select the RID by using the router-id command. This command allows you to set the RID to any IP address. You can even set the RID to be an address that is not configured on any of the router's interfaces, or even an address that is not in the routing tables. However, this is not a very wise thing to do because it makes troubleshooting much more difficult.
In some cases, you might have both a router ID and a loopback address set. The rule is that OSPF will use the router-id command first, if one exists. If there is no router-id command, then it uses the highest IP address on any of the loopback interfaces. Bear in mind that you can configure as many loopback interfaces as you like (although this is somewhat unusual in production networks, there are special situations when additional loopback interfaces can be useful). Finally, if there is no router-id command and no loopback interface, the OSPF process will use the highest IP address on the router for the RID.
You can see what the RID for your router is with the following command:
Router5#show ip ospf
Routing Process "ospf 87" with ID 172.25.1.7
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x28868
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 47 times
Area ranges are
Number of LSA 36. Checksum Sum 0xEEAA1
Number of DCbitless LSA 9
Number of indication LSA 0
Number of DoNotAge LSA 0
Router5#
The router continues to use the same RID address even if you subsequently add a router-id command or a loopback interface. To force OSPF to update the RID, either reload the router or restart the OSPF process using the clear ip ospf process command:
Router5#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
Router5#
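
The selection order described in this post, including the fact that a running process keeps its RID until it is restarted, modelled as an added Python example (not code from the original post). The function and class names are hypothetical, every listed interface is assumed to be up, and 172.25.9.9 and 172.25.10.1 are constructed addresses.

```python
import ipaddress


def select_rid(router_id=None, loopbacks=(), interfaces=()):
    """Pick the RID in the order the post gives: explicit router-id,
    then highest loopback address, then highest address on any interface."""
    if router_id:
        return router_id
    for pool in (loopbacks, interfaces):
        if pool:
            # Compare numerically: as strings, "172.25.9.9" > "172.25.10.1".
            return str(max(ipaddress.IPv4Address(a) for a in pool))
    return None


class OspfProcess:
    """Toy model: the RID is chosen at start and only re-evaluated on restart
    (reload or 'clear ip ospf process')."""

    def __init__(self, router_id=None, loopbacks=(), interfaces=()):
        self.router_id = router_id
        self.loopbacks = list(loopbacks)
        self.interfaces = list(interfaces)
        self.active_rid = self._candidate()

    def _candidate(self):
        return select_rid(self.router_id, self.loopbacks, self.interfaces)

    def pending_change(self):
        """Return the RID the next restart would pick if it differs from the
        running one, else None. Useful as a pre-maintenance audit check."""
        candidate = self._candidate()
        return None if candidate == self.active_rid else candidate

    def restart(self):
        self.active_rid = self._candidate()
        return self.active_rid


def rid_drift_demo():
    """No router-id and no loopback: adding a higher interface address
    silently changes the RID at the next restart."""
    proc = OspfProcess(interfaces=["172.25.1.7", "172.25.9.9"])
    before = proc.active_rid
    proc.interfaces.append("172.25.10.1")   # new, numerically higher address
    running = proc.active_rid               # unchanged while the process runs
    pending = proc.pending_change()         # what a restart would select
    after = proc.restart()
    return before, running, pending, after


if __name__ == "__main__":
    print(rid_drift_demo())
    # A loopback pins the RID regardless of later interface changes.
    pinned = OspfProcess(loopbacks=["172.25.25.6"], interfaces=["172.25.9.9"])
    pinned.interfaces.append("172.25.10.1")
    print(pinned.active_rid, pinned.pending_change())
```
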

Post in CCIE Security | Comments Closed

A Valid Passing Score Is Critical to Attempt a CCIE Lab Exam

December 28th, 2011   by Daniel

The CCIE lab exams are a part of the certification programs implemented by Cisco to guage candidates based on the difficulty taking pictures and configuration abilities. This CCIE certification is awarded after successful clearance of the written and the lab exam. It is thought of as one of the highest diploma of certifications within the world.

The CCIE lab exam is part of the Cisco Licensed Internetwork Knowledgeable (CCIE) certification program. It's thought of to qualify the very best stage of technical experience in the industry. Using CCIE, professionals have an opportunity to ascertain themselves within the subject of networking. Just a few thousand people are believed to clear the CCIE exam. CCIE labs are thought-about to impart high stage of coaching environment, which acts as a serious profit for candidates.

CCIE examination is performed in five different tracks. They're routing and switching, safety, service supplier, storage networking and voice. CCIE examination entails two checks, that are a CCIE written test and a CCIE lab exam. With a purpose to attempt the lab examination, you need to clear the written exam. If you're not in a position to clear the written exam the first time, you must anticipate 180 days for retaking it. After clearing the written check, you should make an attempt for the CCIE lab exam inside 18 months. It you might be unable to clear the lab examination, then you have to re-attempt inside 12 months as a way to hold the written examination end result valid.

The written exam is computer-based and includes one hundred multiple-choice questions. It has a time limit of two hours and is conducted in numerous test centers across the world. The topics covered in the written exam depend on the specialization or track you choose. For service provider, you may select from categories like Cable, DSL, IP Telephony, Dial, Content Networking, Optical, WAN switching, and Metro Ethernet. Every written exam is made available in beta form at a cost of $50 USD.

If you clear the written exam in whichever track you chose, you will be called for the CCIE lab exam. The CCIE lab exam is unique in nature, as it is an eight-hour exam that tests the ability of the candidate to configure and troubleshoot networking equipment. Cisco has a high level of equipment in its CCIE labs for use in the lab exams. The blueprint of the lab exam is available on its website. The lab exam is not available at all Pearson VUE or Prometric testing centers.

A typical CCIE R&S lab exam contains a two-hour troubleshooting section in which you are presented with a series of tickets for preconfigured networks in the CCIE labs. You should be able to identify and resolve the faults. You can proceed to the configuration section after you finish the troubleshooting section.

A valid passing score is critical to attempt a CCIE Lab Exam. Cisco uses proctors to evaluate the candidates in the preliminary rounds in its CCIE labs located worldwide. Points are awarded when a criterion is met, and grading is performed using some automated tools. The results of a lab exam are reported within 48 hours. The result shows a pass/fail and, in case of a fail, mentions the areas where you are lacking so that you can prepare effectively before a re-attempt.

Cisco stands out within the subject of networking by offering


Creating a Default Route in OSPF

December 26th, 2011   by Daniel

To propagate a default route with OSPF, use the default-information originate configuration command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.25.1.1
Router1(config)#router ospf 55
Router1(config-router)#default-information originate metric 30 metric-type 1
Router1(config-router)#exit
Router1(config)#end
Router1#

Unlike RIP and EIGRP, you cannot create a default route in OSPF by simply redistributing a static route. Even if there is a default route in the routing table, by default Cisco's OSPF implementation will not forward it to the rest of the network. This is because OSPF uses a link state algorithm that keeps track of links rather than routes. So summary routes are very special elements in OSPF, and it's important to be careful when distributing them. The default route, 0.0.0.0/0, is the ultimate summary of summaries, and it has the potential to cause serious confusion if it isn't handled properly.
So Cisco forces you to be sure that you really want to source a default route into OSPF by requiring you to specifically enable it with the default-information originate command. This command also allows you to specify precisely the metric of this default route and, since a default route is implicitly external to the AS, the type of external route. This has the added advantage of giving finer granularity of control over default route propagation.
You can look at the external routes in the OSPF database with the following command:
Router1#show ip ospf database external
OSPF Router with ID (172.25.25.1) (Process ID 55)
Type-5 AS External Link States
LS age: 163
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 172.25.25.1
LS Seq Number: 80000002
Checksum: 0x18E6
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
TOS: 0
Metric: 30
Forward Address: 0.0.0.0
External Route Tag: 55
Router1#
In this example, you can see that the default route is advertised by the router 172.25.25.1 with a metric of 30 and a metric type of 1. The metric type in this case refers to whether this route is considered by OSPF to be a Type 1 or Type 2 external route. It is a Type 1 route because we configured it this way in the default-information command:
Router1(config-router)#default-information originate metric 30 metric-type 1
As we mentioned in the Introduction to this chapter, the cost of a Type 1 external route is the cost shown by the external metric, which is 30 in this case, plus the internal cost to reach the router that advertises the external route (the ASBR).
Then, on another router in the same area, you can see that the default route's cost is 40, because the cost to reach the ASBR is 10. All of the internal routers can see that this is a Type 1 external route, as well as other important attributes, such as the administrative distance and the ASBR that originated this route:
Router5#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 87", distance 110, metric 40, candidate default path
Tag 55, type extern 1
Redistributing via ospf 87
Last update from 172.25.1.5 on Ethernet0, 00:01:24 ago
Routing Descriptor Blocks:
* 172.25.1.5, from 172.25.25.1, 00:01:24 ago, via Ethernet0
Route metric is 40, traffic share count is 1
Router5#
With default routes in particular, you sometimes want to ensure that the ASBR continues to advertise the external route, even if it disappears from its routing table. You can do this by adding the keyword always to the default-information command as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.25.1.1
Router1(config)#router ospf 55
Router1(config-router)#default-information originate always metric-type 1
Router1(config-router)#exit
Router1(config)#end
Router1#
You can also create a default route using a stub area. In this case, you can configure your ABR routers to advertise only a simple default route into the area.
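Because a default route injected by the wrong router redirects traffic for the whole domain, it is worth checking who originates 0.0.0.0/0. The following is an added example, not part of the original post: it parses show ip ospf database external output, computes the route cost as described above, and lists originators that are not on an allowlist. The second LSA, the router 10.9.9.9 and the function names are constructed for illustration.

```python
# Constructed sample: the LSA shown on this page plus a made-up second LSA
# from an unexpected router (10.9.9.9) advertising a Type 2 default route.
SAMPLE = """\
OSPF Router with ID (172.25.25.1) (Process ID 55)
Type-5 AS External Link States
LS age: 163
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 172.25.25.1
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
Metric: 30
LS age: 12
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 10.9.9.9
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
Metric: 1
"""

# Output field name -> key used in the parsed record.
FIELDS = {
    "Link State ID": "prefix",
    "Advertising Router": "asbr",
    "Network Mask": "mask",
    "Metric Type": "metric_type",
    "Metric": "metric",
}

def parse_external_lsas(text):
    """Return one dict per Type-5 LSA found in the command output."""
    lsas = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "LS age":            # each LSA block starts with its age
            lsas.append({})
        elif key in FIELDS and lsas:
            lsas[-1][FIELDS[key]] = value.split()[0]
    return lsas

def route_cost(lsa, cost_to_asbr):
    """Type 1: external metric plus the internal cost to reach the ASBR.
    Type 2: the external metric only."""
    metric = int(lsa["metric"])
    return metric + cost_to_asbr if lsa["metric_type"] == "1" else metric

def unexpected_default_originators(lsas, allowed_asbrs):
    """Routers that advertise 0.0.0.0/0 but are not intended default sources."""
    return [lsa.get("asbr") for lsa in lsas
            if lsa.get("prefix") == "0.0.0.0" and lsa.get("mask") == "/0"
            and lsa.get("asbr") not in allowed_asbrs]
```

With an internal cost of 10 to the ASBR, the first LSA gives the cost of 40 that Router5 reports above.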


Applying Offsets to Routes

December 22nd, 2011   by Daniel

You can modify the RIP metrics for a list of routes learned through a particular interface with the offset-list configuration command:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 22 permit 192.168.20.0
Router2(config)#router rip
Router2(config-router)#offset-list 22 in 5 Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#
A similar command changes the metrics for a list of routes as they are sent out through a specified interface:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 33 permit 192.168.30.0
Router2(config)#router rip
Router2(config-router)#offset-list 33 out 10 Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#
The offset-list command is most useful when you need RIP to take account of the costs of different links. By default, RIP only looks at the number of hops to the destination. But sometimes the longer path is significantly faster. For example, you might have a primary link that uses a T1 to get to a router in another building, and an Ethernet segment to get from there to another router that connects to a server. It's probably better to take this primary link than a backup 56Kbps circuit that happens to connect directly to the last hop router.
Other routing protocols, such as OSPF, address this problem by assigning a cost to each link and adding up the costs to find the best path. But RIP only has a simple hop count metric. So if you want to ensure that one path is preferred over another, shorter one, you have to modify the metrics so that slower links actually appear to be more than one hop long.
Cisco routers give considerable flexibility in changing metrics by adding an offset. This allows you to change each route independently as it is received or sent. You can even affect routes according to which interface the router receives them through. But you need to be extremely careful because you can only increase a metric; you can never decrease it, and the maximum metric value is only 16. When the metric reaches a value of 16, RIP considers the network to be unreachable.
Sometimes you want to ensure that a particular path is never used to reach a certain destination. In this case, you can apply an offset of 16, and the router will have to find a different path. The router also allows you to apply an offset of 0, but this has no effect.
The show ip protocols command lists all of the offsets that are configured, including information about the access-lists, interfaces, and the size of the offset that is applied:
Router2#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 25 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Outgoing routes in Serial0.1 will have 10 added to metric if on list 33
Incoming routes in Serial0.1 will have 5 added to metric if on list 22
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Ethernet0 1 1 2
Loopback0 1 1 2
Serial0.1 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
172.25.0.0
192.168.30.0
Routing Information Sources:
Gateway Distance Last Update
172.25.2.1 120 00:00:12
Distance: (default is 120)
Router2#

A debug trace shows the incoming and outgoing routes. Note that the trace always shows the metric values after applying the offset for both inbound and outbound updates:
Router2#debug ip rip
RIP protocol debugging is on
Aug 10 23:24:36: RIP: sending v1 update to 255.255.255.255 via Serial0.1
Aug 10 23:24:36: RIP: build update entries
Aug 10 23:24:36: subnet 172.25.25.2 metric 1
Aug 10 23:24:36: network 192.168.30.0 metric 11
Aug 10 23:24:48: RIP: received v1 update from 172.25.2.1 on Serial0.1
Aug 10 23:24:48: 0.0.0.0 in 1 hops
Aug 10 23:24:48: 172.22.0.0 in 1 hops
Aug 10 23:24:48: 172.25.1.0 in 1 hops
Aug 10 23:24:48: 192.168.20.0 in 7 hops
Router2#
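The metric arithmetic above can be modelled in a few lines. This is an added example, not part of the original post: it reproduces the values in the debug trace (an advertised metric of 2 is inferred from the 7 hops shown after the inbound offset of 5) and then applies the same logic to the primary/backup link scenario. The network 10.1.1.0, the interfaces Serial0 and Serial1, ACL 44 and the function names are hypothetical, and ACLs are simplified to sets of permitted network addresses.

```python
RIP_INFINITY = 16  # a metric of 16 means "unreachable" in RIP

# Offset lists from this page, as (acl, direction, offset, interface).
ACLS = {22: {"192.168.20.0"}, 33: {"192.168.30.0"}}
OFFSETS = [(22, "in", 5, "Serial0.1"), (33, "out", 10, "Serial0.1")]

def apply_offset(network, metric, direction, interface,
                 offsets=OFFSETS, acls=ACLS):
    """Add the offset of the first rule that matches direction, interface
    and ACL (this model applies at most one rule), capped at 16."""
    for acl, rule_dir, offset, rule_if in offsets:
        if (rule_dir, rule_if) == (direction, interface) and network in acls[acl]:
            metric += offset
            break
    return min(metric, RIP_INFINITY)

def best_path(candidates, offsets, acls):
    """candidates: (network, advertised_metric, interface) tuples received
    from neighbours. Returns (interface, metric) for the lowest metric after
    inbound offsets, or None if every path has become unreachable."""
    usable = []
    for network, metric, interface in candidates:
        adjusted = apply_offset(network, metric, "in", interface, offsets, acls)
        if adjusted < RIP_INFINITY:
            usable.append((adjusted, interface))
    if not usable:
        return None
    metric, interface = min(usable)
    return interface, metric

# Hypothetical scenario from the discussion: the server network is two hops
# away over the primary link (Serial0) and one hop over the backup (Serial1).
CANDIDATES = [("10.1.1.0", 2, "Serial0"), ("10.1.1.0", 1, "Serial1")]
BACKUP_ACLS = {44: {"10.1.1.0"}}
PENALISE_BACKUP = [(44, "in", 3, "Serial1")]   # backup now looks like 4 hops
DISABLE_BACKUP = [(44, "in", 16, "Serial1")]   # backup is never used

if __name__ == "__main__":
    print(best_path(CANDIDATES, [], {}))
    print(best_path(CANDIDATES, PENALISE_BACKUP, BACKUP_ACLS))
```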


Setting Up User IDs

December 15th, 2011   by Daniel

To enable locally administered user IDs, use the following set of configuration commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#exit
Router1(config)#end
Router1#
The username command also allows you to create usernames without passwords by specifying the nopassword keyword:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#
However, we strongly recommend against doing this because it can severely weaken the router's security.
Enabling locally administered usernames overrides the default VTY password-based authentication system. When you enable the aaa new-model command, as shown in this recipe, the router will immediately begin to prompt for usernames as well as passwords. Assigning unique usernames to individuals or groups provides accountability, as we will show later. The following example shows the login prompt for a router using local authentication:
Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: ijbrown
Password:

Router1>

The router prompts for the username as well as the password. Compare this to how the router behaves when just a password is set on the VTY lines:
Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.

User Access Verification

Password:

Router2>
When you configure locally administered usernames, the router will prompt for usernames on all lines, including the console and AUX ports, as well as the VTY ports used for Telnet sessions. To avoid locking yourself out of the router, you should always configure a username command before entering the AAA commands. It is also a good idea to use another terminal session to test the new authentication system before logging out of your original session. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedures for your router type.
Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators. Keeping usernames synchronized across an entire network can become quite daunting. AAA provides a centralized server that administers usernames and passwords (among other features).
Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what. For instance, the output of the show users command will include active usernames:
Router1>show users
Line User Host(s) Idle Location
66 vty 0 ijbrown idle 00:36:21 freebsd.oreilly.com
67 vty 1 kdooley idle 00:00:24 server1.oreilly.com
* 68 vty 2 weak idle 00:00:00 freebsd.oreilly.com

Interface User Mode Idle Peer Address

Router1>
More importantly, log messages will capture the username of the individual who invoked certain high-profile commands, such as configuration changes, the clearing of counters, and reloads. For example:
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).
Notice that these log messages now include the username associated with each action. So instead of just knowing that somebody changed the configuration or reloaded the router, you can see exactly who did it.
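The usernames in these messages can be extracted mechanically when reviewing logs. The following is an added example, not part of the original post: it parses the three messages above plus one constructed message in the form the router logs when no username is associated with the session, and reports events that cannot be tied to one accountable person. The function names and the fourth log line are constructed for illustration.

```python
import re

# facility-severity-mnemonic, then "... by [user on] line (source address)"
EVENT = re.compile(
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r".* by (?:(?P<user>\S+) on )?(?P<line>\S+) \((?P<source>[\d.]+)\)"
)

LOGS = [
    # The three messages shown on this page.
    "Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)",
    "Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)",
    "Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).",
    # Constructed: a change made on a line with password-only authentication.
    "Jun 27 15:10:02: %SYS-5-CONFIG_I: Configured from console by vty0 (172.25.1.1)",
]

def parse_event(line):
    """Return the message fields as a dict, or None if the line does not match.
    'user' is None when the router recorded only the line, not a username."""
    match = EVENT.search(line)
    return match.groupdict() if match else None

def unaccountable_events(lines, passwordless_accounts):
    """Return (mnemonic, who, reason) for events with no username, or with a
    username that anyone can log in as because it has no password."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        if event["user"] is None:
            findings.append((event["mnemonic"], event["line"], "no username recorded"))
        elif event["user"] in passwordless_accounts:
            findings.append((event["mnemonic"], event["user"], "passwordless account"))
    return findings

if __name__ == "__main__":
    for finding in unaccountable_events(LOGS, {"weak"}):
        print(finding)
```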
In addition, the router captures the username of the last person to modify its configuration or save the configuration to NVRAM, which is visible using the show running-config command:
Router1#show running-config
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2
The username command also has an autocommand keyword, which you can use to assign an EXEC level command to a particular username. This is useful when you want to provide limited access to a particular command, while restricting access to everything else on the router. For example, you might want to set up a special username that anybody could use to run a single router command, and then terminate the session:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#
In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. When you log in to the router with this username, the router will not prompt for a password. It will just automatically execute the command and then terminate the session:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: run
Interface IP-Address OK? Method Status Protocol
BRI0/0 unassigned YES NVRAM administratively down down
Ethernet0/0 172.25.1.8 YES NVRAM administratively down down
BRI0/0:1 unassigned YES unset administratively down down
BRI0/0:2 unassigned YES unset administratively down down
FastEthernet1/0 172.22.1.4 YES NVRAM up up
Loopback0 192.168.20.1 YES NVRAM up up
Connection closed by foreign host.
Freebsd%
Notice how the router issued the command and then terminated the session without providing the opportunity to issue another command.
The noescape keyword prevents the user from issuing an escape sequence to access the router EXEC. We strongly recommend using this keyword whenever you use autocommands.
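The recommendations in this recipe can be checked against a saved configuration. The following is an added example, not part of the original post: it collects the keywords set on each username (which may be spread over several username lines, as with run above) and flags accounts with nopassword, autocommand accounts without noescape, and local login configured with no username defined. The account named status and the function names are hypothetical.

```python
# Constructed from the commands on this page, plus a hypothetical account
# "status" that has an autocommand but no noescape keyword.
CONFIG = """\
username ijbrown password oreilly
username kdooley password cookbook
username weak nopassword
username run nopassword noescape
username run autocommand show ip interface brief
username status autocommand show users
aaa new-model
aaa authentication login default local
"""

# These keywords take the rest of the line as their argument.
TERMINAL = {"password", "secret", "autocommand"}
FLAGS = {"nopassword", "noescape"}

def parse_usernames(config):
    """Map each username to the set of keywords configured for it."""
    users = {}
    for raw in config.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "username":
            continue
        attrs = users.setdefault(words[1], set())
        for word in words[2:]:
            if word in TERMINAL:
                attrs.add(word)
                break              # what follows is a value, not a keyword
            if word in FLAGS:
                attrs.add(word)
    return users

def uses_local_login(config):
    """True if any 'aaa authentication login' method list includes local."""
    return any(line.split()[:3] == ["aaa", "authentication", "login"]
               and "local" in line.split() for line in config.splitlines())

def audit(config):
    """Return (username, finding) pairs, sorted by username."""
    users = parse_usernames(config)
    findings = []
    if uses_local_login(config) and not users:
        findings.append(("*", "local login configured but no username defined"))
    for name in sorted(users):
        attrs = users[name]
        if "nopassword" in attrs:
            findings.append((name, "no password"))
        if "autocommand" in attrs and "noescape" not in attrs:
            findings.append((name, "autocommand without noescape"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```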
