Table of Contents
Part I The CCIE Program and Your Lab Environment 3
Chapter 1 The CCIE Security Program 5
* The Cisco CCIE Program 5
* The CCIE Security Exam 5
·Qualification Exam 6
·Lab Exam 9
* Summary 10
Chapter 2 Building a CCIE Mind-Set 13
* What It Takes to Become a CCIE 13
* Developing Proper Study Habits 14
·Good Study Habits 15
·Common Study Traps 16
* Lab Experience Versus Real-World Experience 18
* Summary 19
Chapter 3 Building the Test Laboratory 21
* Study Time on a Lab 21
·Work-Based Study Lab 22
·Home-Based Study Lab 22
·Remote Lab 23
* Planning Your Home Lab 23
·Sourcing the Lab Equipment 24
·Windows-based Products and UNIX 26
* Designing Your Practice Lab for This Book 26
* Summary 27
Part II Connectivity 29
Chapter 4 Layer 2 and Layer 3 Switching and LAN Connectivity 31
* Catalyst Operating System 31
* Switching Overview 32
·Switching Technologies 32
·Transparent Bridging 33
* Spanning Tree Overview 34
·Bridge Protocol Data Unit 35
·Election Process 37
·Spanning-Tree Interface States 38
·Spanning-Tree Address Management 40
·STP and IEEE 802.1q Trunks 40
·VLAN-Bridge STP 41
·STP and Redundant Connectivity 41
·Accelerated Aging to Retain Connectivity 41
·RSTP and MSTP 42
* Layer 3 Switching Overview 42
* Virtual LAN Overview 42
·Assigning or Modifying VLANs 44
·Deleting VLANs 45
·Configuring Extended-Range VLANs 46
* VLAN Trunking Protocol Overview 46
·The VTP Domain 46
·VTP Modes 46
·VTP Passwords 47
·VTP Advertisements 47
·VTP Version 2 48
·VTP Pruning 49
·VTP Configuration Guidelines 50
·Displaying VTP 50
* Switch Interface Overview 51
·Access Ports 51
·Trunk Ports 51
·Routed Ports 52
* EtherChannel Overview 53
·Port-Channel Interfaces 54
·Understanding the Port Aggregation Protocol 54
·EtherChannel Load Balancing and Forwarding Methods 55
·EtherChannel Configuration Guidelines 56
·Creating Layer 2 EtherChannels 57
* Optional Configuration Items 57
·BPDU Guard 57
·BPDU Filtering 58
·UplinkFast 58
·BackboneFast 59
·Loop Guard 59
* Switched Port Analyzer Overview 59
·SPAN Session 60
·Configuring SPAN 60
* Basic Catalyst 3550 Switch Configuration 63
·Case Study 4-1: Basic Network Connectivity 63
·Case Study 4-2: Configuring Interfaces 70
·Case Study 4-3: Configuring PortFast 72
·Case Study 4-4: Creating a Layer 2 EtherChannel 72
·Case Study 4-5: Creating Trunks 73
·Case Study 4-6: Configuring Layer 3 EtherChannels 74
·Case Study 4-7: EtherChannel Load Balancing 76
·Case Study 4-8: Configuring a Routed Port 77
·Case Study 4-9: Configuring SPAN 78
* Summary 80
* Review Questions 80
* FAQs 81
Chapter 5 Frame Relay Connectivity 83
* Frame Relay Overview 83
* Frame Relay Devices 85
* Frame Relay Topologies 86
·Star Topologies 86
·Fully Meshed Topologies 87
·Partially Meshed Topologies 87
·Frame Relay Subinterfaces 88
* Frame Relay Virtual Circuits 89
·Switched Virtual Circuits 90
·Permanent Virtual Circuits 91
* Frame Relay Signaling 91
·LMI Frame Format 92
·LMI Timers 93
·LMI Autosense 95
* Network-to-Network Interface 95
* User-Network Interface 96
* Congestion-Control Mechanisms 96
·Frame Relay Discard Eligibility 98
·DLCI Priority Levels 98
·Frame Relay Error Checking 99
·Frame Relay ForeSight 99
·Frame Relay Congestion Notification Methods 100
·Frame Relay End-to-End Keepalives 100
* Configuring Frame Relay 102
·Case Study 5-1: Configuring Frame Relay 102
·Case Study 5-2: Configuring Frame Relay SVCs 109
·Case Study 5-3: Frame Relay Traffic Shaping 114
* Creating a Broadcast Queue for an Interface 119
* Transparent Bridging and Frame Relay 120
* Configuring a Backup Interface for a Subinterface 120
* TCP/IP Header Compression 121
·Configuring an Individual IP Map for TCP/IP Header Compression 121
·Configuring an Interface for TCP/IP Header Compression 122
·Disabling TCP/IP Header Compression 122
* Troubleshooting Frame Relay Connectivity 122
·The show frame-relay lmi Command 122
·The show frame-relay pvc Command 123
·The show frame-relay map Command 125
·The debug frame-relay lmi Command 125
* Summary 126
* Review Questions 127
* FAQs 128
Chapter 6 ISDN Connectivity 133
* ISDN Overview 133
·ISDN Standards Support 133
·ISDN Digital Channels 134
·ISDN Terminal Equipment and Network Termination Devices 134
·Reference Points 135
·ISDN Layers and Call Stages 136
* Point-to-Point Protocol (PPP) Overview 139
·Link Control Protocol (LCP) 139
·Network Control Protocol (NCP) 140
* Dial-on-Demand Routing (DDR) Overview 141
* Configuring ISDN 142
·Lesson 6-1: Beginning ISDN Configuration 142
·Lesson 6-2: Configuring DDR 144
·Lesson 6-3: Routing Over ISDN 149
·Lesson 6-4: Configuring the Interface and Backup Interface 157
·Lesson 6-5: Configuring PPP Options 160
·Lesson 6-6: Configuring Advanced Options 161
·Lesson 6-7: Monitoring and Troubleshooting ISDN 169
* Summary 178
* Review Questions 178
* FAQs 180
Chapter 7 ATM Connectivity 183
* ATM Overview 183
* Configuring ATM 184
·Lesson 7-1: RFC 2684: Multiprotocol Encapsulation over AAL5 185
·Lesson 7-2: RFC 2225: Classical IP and ARP over ATM 191
* Summary 195
* Review Questions 195
* FAQs 196
Part III IP Routing 199
Chapter 8 RIP 201
* RIP Structure 201
·Routing Updates and Timers 201
·Routing Metric 202
·Split-Horizon Issues 202
·RIP and Default Routes 203
·RIPv1 Versus RIPv2 203
* Configuring RIP 203
·Case Study 8-1: Basic RIP Configuration 204
·Case Study 8-2: RIPv1 over Router to PIX 5.2 Connection 221
·Case Study 8-3: RIPv2 over Router to PIX 6.2 Connection with Authentication 225
·Lesson 8-1: Advanced RIP Configuration 233
* Summary 235
* Review Questions 235
* FAQs 236
Chapter 9 EIGRP 239
* An EIGRP Overview 240
* Configuring EIGRP 241
·Lesson 9-1: Configuring Simple EIGRP 241
* EIGRP Building Blocks 243
·Packet Formats 243
·EIGRP Tables 244
·Feasible Successors 250
·Route States 250
·Route Tagging 251
·IGRP and EIGRP Interoperability 251
·An Example of DUAL in Action 251
* Configuring EIGRP Options 253
·Lesson 9-2: Adding a WAN Connection 253
·Lesson 9-3: Logging Neighbor Adjacency Changes 255
·Lesson 9-4: Disabling Route Summarization 256
·Lesson 9-5: Configuring Manual Route Summarization 258
·Lesson 9-6: Configuring Default Routing 259
·Lesson 9-7: Controlling EIGRP Routes 261
·Lesson 9-8: Redistributing EIGRP with Route Controls 263
·Lesson 9-9: Configuring EIGRP Route Authentication 263
·Lesson 9-10: Configuring EIGRP Stub Routing 264
·Lesson 9-11: Configuring EIGRP Over GRE Tunnels 266
·Lesson 9-12: Disabling EIGRP Split Horizon 269
* Troubleshooting EIGRP 270
* Summary 272
* Review Questions 272
* FAQs 273
Chapter 10 OSPF 277
* Configuring OSPF 278
·Case Study 10-1: Basic OSPF Configuration 279
·Case Study 10-2: OSPF and Route Summarization 306
·Case Study 10-3: OSPF Filtering 310
·Case Study 10-4: OSPF and Non-IP Traffic over GRE 312
* Monitoring and Maintaining OSPF 315
·Verifying OSPF ABR Type 3 LSA Filtering 316
·Displaying OSPF Update Packet Pacing 317
* Summary 317
* Review Questions 317
* FAQs 318
Chapter 11 IS-IS 321
* Integrated IS-IS Overview 321
* Configuring IS-IS 322
·Case Study 11-1: Configuring IS-IS for IP 322
* IS-IS Building Blocks 328
* The IS-IS State Machine 330
·The Receive Process 330
·The Update Process 331
·The Decision Process 331
·The Forward Process 331
* Pseudonodes 331
* IS-IS Addressing 333
·The Simplified NSAP Format 333
·Addressing Requirements 334
* Limiting LSP Flooding 335
·Blocking Flooding on Specific Interfaces 335
·Configuring Mesh Groups 336
* Generating a Default Route 336
* Route Redistribution 337
* Setting IS-IS Optional Parameters 338
·Setting the Advertised Hello Interval 339
·Setting the Advertised CSNP Interval 339
·Setting the Retransmission Interval 339
·Setting the LSP Transmission Interval 339
* Configuring IS-IS Authentication 340
·Case Study 11-2: IS-IS Authentication 340
·Authentication Problems 345
* Using show and debug Commands 346
·Monitoring IS-IS 346
·Debugging IS-IS 346
* Summary 348
* Review Questions 348
* FAQs 349
Chapter 12 BGP 351
* Understanding BGP Concepts 351
·Autonomous Systems 351
·BGP Functionality 352
·EBGP and IBGP 352
·BGP Updates 353
* Configuring BGP 353
·Case Study 12-1: Single-Homed Autonomous System Setup 354
·Case Study 12-2: Transit Autonomous System Setup 363
·Case Study 12-3: BGP Confederations 372
·Case Study 12-4: BGP Over a Firewall with a Private Autonomous System 377
·Case Study 12-5: BGP Through a Firewall with Prepend 386
* Summary 394
* Review Questions 394
* FAQ 395
Chapter 13 Redistribution 397
* Metrics 397
* Administrative Distance 398
* Classless and Classful Capabilities 398
* Avoiding Problems Due to Redistribution 399
* Configuring Redistribution of Routing Information 399
·Redistributing Connected Networks into OSPF 402
·Lesson 13-1: Redistributing OSPF into Border Gateway Protocol 402
·Lesson 13-2: Redistributing OSPF Not-So-Stubby Area External Routes into BGP 405
·Lesson 13-3: Redistributing Routes Between OSPF and RIP Version 1 407
·Lesson 13-4: Redistributing Between Two EIGRP Autonomous Systems 408
·Lesson 13-5: Redistributing Routes Between EIGRP and IGRP in Two Different Autonomous Systems 409
·Lesson 13-6: Redistributing Routes Between EIGRP and IGRP in the Same Autonomous System 411
·Redistributing Routes to and from Other Protocols from EIGRP 412
·Lesson 13-7: Redistributing Static Routes to Interfaces with EIGRP 412
·Lesson 13-8: Redistributing Directly Connected Networks 413
·Lesson 13-9: Filtering Routing Information 416
* Summary 421
* Review Questions 422
* FAQs 423
Part IV Security Practices 425
Chapter 14 Security Primer 427
* Important Security Acronyms 428
* White Hats Versus Black Hats 432
* Cisco Security Implementations 432
·Cisco IOS Security Overview 433
·CatalystOS Security Overview 434
* VPN Overview 435
* AAA Overview 436
* IDS Fundamentals 436
* Summary 437
* Review Questions 437
* FAQs 438
Chapter 15 Basic Cisco IOS Software and Catalyst 3550 Series Security 441
* Cisco IOS Software Security 441
·Network Time Protocol Security 441
·HTTP Server Security 442
·Password Management 442
·Access Lists 443
·Secure Shell 443
* Basic IOS Security Configuration 443
·Lesson 15-1: Configuring Passwords, Privileges, and Logins 444
·Lesson 15-2: Disabling Services 451
·Lesson 15-3: Setting up a Secure HTTP Server 456
·Case Study 15-1: Secure NTP Configuration 458
·Case Study 15-2: Configuring SSH 464
* Catalyst 3550 Security 467
·Lesson 15-4: Port-Based Traffic Control 467
* Summary 472
* Review Questions 473
* FAQs 474
Chapter 16 Access Control Lists 477
* Overview of Access Control Lists 477
·Where to Configure an ACL 478
·When to Configure an ACL 479
* ACLs on the IOS Router and the Catalyst 3550 Switch 480
·Basic ACLs 480
·Advanced ACLs 482
* Time-of-Day ACLs 483
* Lock-and-Key ACLs 484
·Why You Should Use Lock-and-Key 485
·When You Should Use Lock-and-Key 485
·Source-Address Spoofing and Lock-and-Key 485
·Lock-and-Key Configuration Tips 485
·Verifying Lock-and-Key Configuration 487
·Maintaining Lock-and-Key 487
·Manually Deleting Dynamic Access List Entries 487
* Reflexive ACLs 488
·Reflexive ACL Benefits and Restrictions 489
·Reflexive ACL Design Considerations 489
* Router ACLs 490
* Port ACLs 490
·VLAN Maps 491
·Using VLAN Maps with Router ACLs 491
* Fragmented and Unfragmented Traffic 493
* Logging ACLs 494
* Defining ACLs 495
·The Implied “Deny All Traffic” ACE Statement 495
·ACE Entry Order 496
·Applying ACLs to Interfaces 496
·Lesson 16-1: Configuring an ACL 498
·Lesson 16-2: Creating a Numbered Standard IP ACL 502
·Lesson 16-3: Creating a Numbered Extended IP ACL 502
·Lesson 16-4: Creating a Named Standard IP ACL 503
·Lesson 16-5: Creating a Named Extended IP ACL 503
·Lesson 16-6: Implementing Time of Day and ACLs 504
·Lesson 16-7: Configuring Lock-and-Key 506
·Lesson 16-8: Configuring Reflexive ACLs 507
·Lesson 16-9: Logging ACLs 511
·Lesson 16-10: Configuring a Named MAC Extended ACL 512
·Creating a VLAN Map 513
·Lesson 16-11: Using ACLs with VLAN Maps 513
* Maintaining ACLs 514
·Displaying ACL Resource Usage 515
·Troubleshooting Configuration Issues 516
·ACL Configuration Size 517
* Unsupported Features on the Catalyst 3550 Switch 518
* Summary 519
* Review Questions 519
* FAQs 520
Chapter 17 IP Services 523
* Managing IP Connections 523
·ICMP Unreachable Messages 524
·ICMP Redirect Messages 524
·ICMP Mask Reply Messages 525
·IP Path MTU Discovery 525
* MTU Packet Size 526
·IP Source Routing 526
·Simplex Ethernet Interfaces 527
·DRP Server Agents 527
* Filtering IP Packets Using Access Lists 527
* Hot Standby Router Protocol Overview 528
·HSRP and ICMP Redirects 528
* IP Accounting Overview 530
·IP MAC Accounting 530
·IP Precedence Accounting 531
* Configuring TCP Performance Parameters 531
·Compressing TCP Packet Headers 532
·Setting the TCP Connection Attempt Time 533
·Using TCP Path MTU Discovery 533
·Using TCP Selective Acknowledgment 534
·Using TCP Time Stamps 534
·Setting the TCP Maximum Read Size 534
·Setting the TCP Window Size 535
·Setting the TCP Outgoing Queue Size 535
* Configuring the MultiNode Load Balancing Forwarding Agent 535
·Configuring the MNLB Forwarding Agent 536
* Network Address Translation Overview 537
·When to Use NAT 539
* Configuring IP Services 539
·Lesson 17-1: Configuring ICMP Redirects 539
·Lesson 17-2: Configuring the DRP Server Agent 540
·Lesson 17-3: Configuring HSRP 541
·Lesson 17-4: Configuring IP Accounting 548
·Lesson 17-5: Configuring NAT 549
* Monitoring and Maintaining IP Services 555
·Verifying HSRP Support for MPLS VPNs 556
·Displaying System and Network Statistics 556
·Clearing Caches, Tables, and Databases 557
·Monitoring and Maintaining the DRP Server Agent 558
·Clearing the Access List Counters 558
·Monitoring the MNLB Forwarding Agent 558
·Monitoring and Maintaining HSRP Support for ICMP Redirect Messages 558
·Monitoring and Maintaining NAT 559
* Summary 559
* Review Questions 560
* FAQs 561
Part V Authentication and Virtual Private Networks 565
Chapter 18 AAA Services 567
* TACACS+ Versus RADIUS 567
·Underlying Protocols 567
·Packet Encryption 568
·Authentication, Authorization, and Accounting Processes 568
·Router Management 568
·Interoperability 568
·Traffic 569
* Configuring AAA 569
·Case Study 18-1: Simplified AAA Configuration Using RADIUS 569
·Case Study 18-2: Configuring AAA on a PIX Firewall 581
·Case Study 18-3: Configuring VPN Client Remote Access 593
·Case Study 18-4: Authentication Proxy with TACACS+ 610
·Case Study 18-5: Privilege Levels with TACACS+ 617
·Case Study 18-6: Configuring PPP Callback with TACACS+ 621
* Summary 627
* Review Questions 627
* FAQs 628
Chapter 19 Virtual Private Networks 631
* Virtual Private Network (VPN) Overview 631
·Site-to-Site VPNs 631
·Remote-Access VPNs 633
* IPSec Overview 633
·Authentication Header (AH) 634
·Encapsulating Security Payload (ESP) 635
·IPSec Protocol Suite 636
* Tunnel and Transport Modes 639
* IPSec Operation 640
·Defining Interesting Traffic 641
·IKE Phase 1 641
·IKE Phase 2 642
·IPSec Encrypted Tunnel 643
·Tunnel Termination 643
* Configuring IPSec in Cisco IOS Software and PIX Firewalls 643
·Case Study 19-1: Configuring a Basic IOS-to-IOS IPSec VPN 644
·Case Study 19-2: Configuring a Basic PIX-to-PIX IPSec VPN 671
* Certificate Authority (CA) Support 695
·Configuring CA 696
·IOS-to-IOS VPN Using CA 696
·PIX-to-PIX VPN Using CA 703
* Summary 710
* Review Questions 711
* FAQs 712
Chapter 20 Advanced Virtual Private Networks 715
* Issues with Conventional IPSec VPNs 715
·Solving IPSec Issues with GREs 716
·Solving IPSec Issues with DMVPNs 716
* Configuring Advanced VPNs 718
·Case Study 20-1: Using Dynamic Routing Over IPSec-Protected VPNs 718
·Case Study 20-2: Configuring DMVPN 732
* Summary 745
* Review Questions 746
* FAQs 747
Chapter 21 Virtual Private Dialup Networks 749
* L2F and L2TP Overview 749
* VPDN Process Overview 749
* PPTP Overview 751
* Configuring VPDNs 752
·Case Study 21-1: Configuring the VPDN to Work with Local AAA 752
·Case Study 21-2: Configuring TACACS+ Authentication and Authorization for VPDN 761
·Case Study 21-3: Configuring the PIX Firewall to Use PPTP 766
·Lesson 21-1: Configuring the Default VPDN Group Template 768
* Summary 769
* Review Questions 770
* FAQs 771
Part VI Firewalls 773
Chapter 22 Cisco IOS Firewall 775
* Creating a Customized Firewall 776
* Configuring TCP Intercept 776
·Lesson 22-1: Configuring TCP Intercept 778
* CBAC Overview 781
·Traffic Filtering 781
·Traffic Inspection 782
·Alerts and Audit Trails 782
·Intrusion Detection 783
·CBAC Limitations and Restrictions 783
·CBAC Operation 784
·When and Where to Configure CBAC 790
·CBAC-Supported Protocols 790
·Using IPSec with CBAC 791
·Lesson 22-2: Configuring CBAC 791
·Monitoring and Maintaining CBAC 798
·Turning Off CBAC 802
·Case Study 22-1: Configuring CBAC on Two Interfaces 802
* Port-to-Application Mapping (PAM) 806
·How PAM Works 806
·When to Use PAM 808
·Lesson 22-3: Configuring PAM 808
·Monitoring and Maintaining PAM 810
* Summary 810
* Review Questions 810
* FAQs 811
Chapter 23 Cisco PIX Firewall 813
* Security Levels and Address Translation 813
* TCP and UDP 814
* Configuring a Cisco PIX Firewall 814
·Lesson 23-1: Configuring the PIX Firewall Basics 815
·Lesson 23-2: Configuring Network Protection and Controlling Its Access and Use 824
·Lesson 23-3: Supporting Specific Protocols and Applications 834
·Lesson 23-4: Monitoring the PIX Firewall 838
·Lesson 23-5: Using the PIX Firewall as a DHCP Server 844
·Lesson 23-6: New Features in PIX Firewall Version 6.2 846
* Summary 854
* Review Questions 854
* FAQs 855
Part VII Intrusion Detection 857
Chapter 24 IDS on the Cisco PIX Firewall and IOS Software 859
* Cisco IOS Software Intrusion Detection 859
* Cisco PIX Firewall Intrusion Detection 860
* Cisco IOS Software and PIX IDS Signatures 861
* Configuring Cisco IDS 867
·Case Study 24-1: Configuring the Cisco IOS Software IDS 867
·Case Study 24-2: Configuring the Cisco Secure PIX Firewall IDS 870
* Summary 874
* Review Questions 874
* FAQs 876
Chapter 25 Internet Service Provider Security Services 879
* Preventing Denial-of-Service Attacks 879
·Committed Access Rate (CAR) 879
·Reverse Path Forwarding (RPF) 880
* Layer 2 VPN (L2VPN) 880
·802.1Q 881
·Layer 2 Protocol Tunneling 881
* Configuring ISP Services 881
·Case Study 25-1: DoS Prevention Through Rate Limiting 882
·Case Study 25-2: DoS Prevention Through RPF 886
·Case Study 25-3: Configuring L2VPN 887
* Summary 895
* Review Questions 895
* FAQs 896
Part VIII Sample Lab Scenarios 899
Chapter 26 Sample Lab Scenarios 901
* Practice Lab Format 901
* How the Master Lab Compares to the CCIE Security Lab Exam 902
* CCIE Practice Lab 1: Building Layer 2 903
·Equipment List 903
·Prestaging: Configuring the Frame Relay Switch 904
·Prestaging: Configuring the First Backbone Router, R9-BB1 905
·Prestaging: Configuring the Second Backbone Router, R7-BB2 907
·Lab Rules 909
·Timed Portion 909
* CCIE Practice Lab 2: Routing 911
·Equipment List 911
·Lab Rules 912
·Timed Portion 913
* CCIE Practice Lab 3: Configuring Protocol Redistribution and Dial Backup 915
·Equipment List 915
·Lab Rules 915
·Timed Portion 916
* CCIE Practice Lab 4: Configuring Basic Security 917
·Equipment List 917
·Lab Rules 919
·Timed Portion 919
* CCIE Practice Lab 5: Dial and Application Security 921
·Equipment List 921
·Lab Rules 921
·Timed Portion 922
* CCIE Practice Lab 6: Configuring Advanced Security Features 926
·Equipment List 926
·Lab Rules 926
·Timed Portion 927
* CCIE Practice Lab 7: Service Provider 931
·Equipment List 931
·Lab Rules 932
·Timed Portion 932
* CCIE Practice Lab 8: All-Inclusive Master Lab 933
·Equipment List 933
·Prestaging: Configuring the Frame Relay Switch 934
·Prestaging: Configuring the First Backbone Router, R7-BB1 936
·Prestaging: Configuring the Second Backbone Router, R7-BB2 937
·Prestaging: Configuring the Reverse Telnet Router 940
·Lab Rules 941
·Timed Portion 942
* Summary 952
Part IX Appendixes 955
Appendix A Basic UNIX Security 957
Appendix B Basic Windows Security 969
Appendix C ISDN Error Codes and Debugging Reference 983
Appendix D Password Recovery on Cisco IOS, CatalystOS, and PIX 995
Appendix E Security-Related RFCs and Publications 1017
Appendix F Answers to the Review Questions 1029