Dynamic ACLs ( Networking-Forum.com )

Over at www.networking-forum.com, Infinite is studying for his CCIE. In an attempt to cover everything down to the last detail, he has shared his experience with Lock-and-Key security, which is achieved with dynamic access lists.

As he mentions, he is unsure of its enterprise application, but it is nonetheless an important feature of the IOS software.

Enjoy the link. I thoroughly support this community. Great people and very knowledgeable.

References

Cisco Configuration Guide


$9.99 – eBook of the Day – CCNA Portable Command Guide

Get on this one. Handy resource for home labbing or pushing your skills further.

www.ciscopress.com/deals

Stumped. Frame Relay.

Frame Relay. Important topic within the network world. I am a little overwhelmed with its operational modes, especially where OSPF runs over Frame Relay. I am getting there, but it is definitely slowing my progress down. I had hoped to be into Route Redistribution/Manipulation and making headway into BGP by now.

Anyone found a good way to help remember Frame Relay concepts?

Ciscopress eBook Deal of the Day ROUTE OCF $9.99

Ciscopress.com offers a book of the day: digital copies of their books for $9.99. Massively reduced, and these e-books come personalized with your name.

image

For the past couple of days, the CCNP ROUTE 642-902 OCF has been up for sale. Good price for a good book. Great for the iPad or Laptop.

OSPF Authentication– Clear Text vs MD5. What is the difference?


Grimnar’s Black Fangs. Magingald IV.


<<<.//TRNMSN.SEC.CH.412-a.\\>>>

…buffering…


“The importance of security is paramount, Brother Captain. You must implement the right type of Authentication on our OSPF links. Our secure channels must stay open while we are besieged or all will be lost. The heretics will attempt to compromise your network and you must strengthen our defenses. Praise the Emperor and see you on the other side. Fang Leader Grimnar out”

image

OSPF authentication is set up under the interface. The command ip ospf authentication enables clear text authentication. The next command specifies the key, in this case cisco. The neighbors will expire due to the authentication mismatch.

image

Now the same is configured on the opposite link and the neighbors agree on authentication and establish a neighbor relationship.

image

The command show ip ospf interface serial 0/0 confirms that simple password authentication is enabled.

image

Dangers lurk from beyond the void. If heretics manage to infiltrate the network, a simple packet capture could be all it takes for them to join the OSPF process and tamper with your links. This capture of an OSPF hello packet shows Auth Type: Simple Password, and the Auth Data field holds the key in the hex bytes: 636973636f000000 is the ASCII for cisco, zero-padded to the 8-byte field. This is bad and a major security flaw that Fang Leader Grimnar wanted addressed.

image

The ip ospf authentication message-digest command enables MD5 hashing with the pass key.

The pass key of cisco is set below with ip ospf message-digest-key 1 md5 cisco.

image

This is replicated on the other end of the link. The link expires and then comes back online using the MD5 key.

image

Above is verification of the implementation of the MD5 key.

image

Shown above is the packet capture with the MD5 key in use. Before, the plain text key cisco was clearly visible. Now the Auth Type is Cryptographic, which states that cryptography is being used, and the Auth Data is no longer the key itself but a hash. No easy password extraction this time.
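To make the two captures above concrete, here is an added Python example (not code from the original post) that decodes the authentication fields of an OSPFv2 header for two constructed hello packets. The first uses simple-password authentication, so the 8-byte Auth Data field carries the key exactly as the capture shows (636973636f000000). The second uses cryptographic authentication, where Auth Data carries only a key ID, a length and a sequence number and the 16-byte MD5 digest is appended after the packet. The example also recomputes that digest as RFC 2328 Appendix D describes (MD5 over the packet followed by the key zero-padded to 16 bytes, which is the assumption made here about how IOS treats short keys), so a wrong key or a modified packet fails verification. The router ID, hello body and the key cisco are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router id, area id,
# checksum, auth type, 8-byte auth data.
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HELLO = 1

# Constructed hello body: /30 mask, hello 10 s, E-bit option, priority 1,
# dead 40 s, no DR/BDR elected yet, no neighbours listed.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFFFC, 10, 0x02, 1, 40, 0, 0)
ROUTER_ID = int(ipaddress.IPv4Address("10.0.0.1"))  # constructed sample router id


def ip_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by OSPF (auth field excluded by caller)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(auth_type: int, auth_data: bytes, body: bytes = HELLO_BODY) -> bytes:
    """Assemble an OSPFv2 hello with the given authentication type and 8-byte auth field."""
    length = OSPF_HDR.size + len(body)
    pkt = bytearray(OSPF_HDR.pack(2, HELLO, length, ROUTER_ID, 0, 0, auth_type, auth_data) + body)
    if auth_type != AUTH_CRYPTO:
        # RFC 2328: the checksum covers the packet minus the 64-bit auth field;
        # with cryptographic auth the checksum is not used and stays 0.
        struct.pack_into("!H", pkt, 12, ip_checksum(bytes(pkt[:16]) + bytes(pkt[24:])))
    return bytes(pkt)


def _padded_key(key: bytes) -> bytes:
    # Assumption (matches IOS behaviour as far as I know): keys shorter than 16 bytes are zero-padded.
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def sign_md5(pkt: bytes, key: bytes) -> bytes:
    """Append the RFC 2328 D.4.3 digest: MD5 over (packet || padded key)."""
    return pkt + hashlib.md5(pkt + _padded_key(key)).digest()


def verify_md5(pkt: bytes, key: bytes) -> bool:
    """Recompute the digest for a received packet and compare it in constant time."""
    length = struct.unpack_from("!H", pkt, 2)[0]
    body, digest = pkt[:length], pkt[length:length + 16]
    expected = hashlib.md5(body + _padded_key(key)).digest()
    return hmac.compare_digest(digest, expected)


def parse_auth(pkt: bytes) -> dict:
    """Decode the header's authentication fields the way the captures in the post show them."""
    version, ptype, length, rid, aid, cksum, atype, adata = OSPF_HDR.unpack_from(pkt)
    info = {"version": version, "type": ptype, "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)), "auth_type": atype,
            "auth_data_hex": adata.hex()}
    if atype == AUTH_SIMPLE:
        # Simple password: the key travels in the clear, NUL-padded to 8 bytes.
        info["password"] = adata.rstrip(b"\x00").decode("ascii", "replace")
    elif atype == AUTH_CRYPTO:
        # Cryptographic: 2 reserved bytes, key id, auth data length, cryptographic
        # sequence number; the 16-byte digest follows the packet proper.
        _, key_id, auth_len, seq = struct.unpack("!HBBI", adata)
        info.update(key_id=key_id, auth_len=auth_len, crypto_seq=seq,
                    digest_hex=pkt[length:length + auth_len].hex())
    return info


def audit(pkt: bytes) -> str:
    """One-line finding for a captured OSPF packet, from the defender's side."""
    info = parse_auth(pkt)
    if info["auth_type"] == AUTH_SIMPLE:
        return f"WEAK: simple-password auth, key {info['password']!r} visible in Auth Data"
    if info["auth_type"] == AUTH_CRYPTO:
        return f"OK: cryptographic auth, key id {info['key_id']}, seq {info['crypto_seq']}, digest appended"
    return "WEAK: no authentication"


# Constructed samples: the same hello under simple-password and under MD5 authentication.
KEY = b"cisco"
SIMPLE_HELLO = build_hello(AUTH_SIMPLE, KEY.ljust(8, b"\x00"))
MD5_HELLO = sign_md5(build_hello(AUTH_CRYPTO, struct.pack("!HBBI", 0, 1, 16, 1234)), KEY)

if __name__ == "__main__":
    for pkt in (SIMPLE_HELLO, MD5_HELLO):
        print(parse_auth(pkt))
        print(audit(pkt))
    print("valid with right key:", verify_md5(MD5_HELLO, KEY))
    print("valid with wrong key:", verify_md5(MD5_HELLO, b"wrong"))
```

Running it prints the simple-password packet with its key readable straight out of the Auth Data hex, and the MD5 packet with only a key ID and sequence number in that field. The sequence number is what stops a captured packet from simply being replayed later, and the digest check is what detects a modified packet; neither protects a key that is weak enough to guess, so the key strength still matters.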

image

Here is the show running-config of the router. Look there. Although we are using MD5 authentication, our password is still visible. If the heretics broke into our config, our Chapter's passwords would be compromised.

image

This command hashes and 'hides' the passwords we use throughout our routers. Any password stored in clear text will be hashed.

image

As mentioned earlier, the clear text passwords are now stored in a more secure fashion.
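As a second added example (again not from the original post), here is a small Python audit over a constructed running-config. It flags the two setups the post walks through, clear text OSPF authentication on one interface and a message-digest key on another, reports whether each key is written to the config in the clear, and checks for service password-encryption. One caveat a practitioner should know: service password-encryption stores keys as Type 7 strings, which are a reversible obfuscation rather than a one-way hash, so the audit still rates them as sensitive, and the real protection for the config file is limiting who can read it. The interface names, addresses, keys and the Type 7 strings in the sample configs are constructed; the remediation commands use standard IOS syntax with <NEW-KEY> as a placeholder.

```python
import re

# Constructed sample running-config before "service password-encryption": both the
# simple-password key and the MD5 key are visible in the clear.
BEFORE_CONFIG = """\
!
hostname R1
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key cisco
!
interface Serial0/1
 ip address 10.0.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
!
"""

# Constructed sample after the change: keys now appear as "7 <hex>" Type 7 strings.
# The hex values are placeholders, not real encodings of any password.
AFTER_CONFIG = """\
!
service password-encryption
hostname R1
!
interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 0123456789ABCD
!
interface Serial0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 0123456789ABCD
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
SIMPLE_AUTH_RE = re.compile(r"^\s+ip ospf authentication\s*$")
SIMPLE_KEY_RE = re.compile(r"^\s+ip ospf authentication-key (?:(7) )?(\S+)")
MD5_KEY_RE = re.compile(r"^\s+ip ospf message-digest-key \d+ md5 (?:(7) )?(\S+)")


def _finding(iface, code, severity, detail):
    return {"interface": iface, "code": code, "severity": severity, "detail": detail}


def audit_config(text: str) -> list:
    """Walk the config line by line and collect OSPF authentication findings."""
    findings = []
    lines = text.splitlines()
    if not any(line.strip() == "service password-encryption" for line in lines):
        findings.append(_finding(None, "NO_PASSWORD_ENCRYPTION", "medium",
                                 "keys are written to the config in clear text"))
    iface = None
    for line in lines:
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):
            iface = None  # a non-indented line ends the interface block
            continue
        if iface is None:
            continue
        if SIMPLE_AUTH_RE.match(line):
            findings.append(_finding(iface, "SIMPLE_AUTH", "high",
                                     "clear text OSPF authentication; the key is sent in every packet"))
        for rx, what in ((SIMPLE_KEY_RE, "authentication-key"), (MD5_KEY_RE, "message-digest-key")):
            m = rx.match(line)
            if m and m.group(1):
                findings.append(_finding(iface, "TYPE7_KEY", "medium",
                                         f"{what} stored as Type 7, which is reversible, not hashed"))
            elif m:
                findings.append(_finding(iface, "CLEARTEXT_KEY", "high",
                                         f"{what} stored in clear text in the config"))
    return findings


def remediation(findings: list) -> list:
    """Suggest the IOS commands that address the findings; <NEW-KEY> is a placeholder."""
    cmds = []
    if any(f["code"] == "NO_PASSWORD_ENCRYPTION" for f in findings):
        cmds.append("service password-encryption")
    for iface in sorted({f["interface"] for f in findings if f["code"] == "SIMPLE_AUTH"}):
        cmds += [f"interface {iface}",
                 " no ip ospf authentication-key",
                 " ip ospf authentication message-digest",
                 " ip ospf message-digest-key 1 md5 <NEW-KEY>"]
    return cmds


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"{f['severity']:6} {f['interface'] or 'global':10} {f['code']}: {f['detail']}")
        print("\n".join(remediation(audit_config(cfg))))
```

On the "before" config the audit reports the simple-password interface, both clear text keys and the missing service password-encryption; on the "after" config only the two Type 7 keys remain, which is exactly the residual risk the caveat above describes.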


As our landing party has made its beachhead, we now have established secure communication between our landing craft and the landing zone. Well done, Brothers. This day is for the Emperor.

Weekend Labbing

This weekend I have finished reading over EIGRP (more study notes to come) and started to lab and put into practice the theory.

I have at my disposal the GNS3 labs from the CBT Nuggets ROUTE track and the Network Academy ROUTE lab book.

These two resources provide a solid foundation for my practical studies. I have found that they give me direction when trying to lab a new concept. That gets me rolling, and then I can make my own labs to ensure the topic is firmly embedded in my brain and not leaking out my other ear.

I believe the best way to make it stick is to blog examples of my configurations for an imaginary company.

Not sure of the name just yet but I do believe it will help.

2011. CCNA Certified and looking to the future.

December 2010 was when I finally went from “I would like to be a Cisco Certified Network Guru” to taking my first step towards my CCIE. Networking isn’t a job for me, it isn’t something that I *have* to do. For me it is a passion. I work in a heavily switched enterprise environment and want to bring my routing skills up to where my Switching knowledge is.

Follow me as I head along the path of Cisco Certification to CCIE, starting with CCNP ROUTE. The aims this year for 2011 are SWITCH, ROUTE and TSHOOT. Let’s begin.