On the journey to CCNA Security (210-260)
- Option 1: Try to login
- Option 2: Do not login for 45 days…. because you forgot you had an ISE lab running
- Double or nothing: Do not login for 45 days because you forgot the password scribbled somewhere on your labnotes
- Protip: The admin password can vary for the cli and web gui, however, this can be a double edged sword – also might want to change the default password expiry
Correlating Log files are an important aspect when responding to incidents/attacks/outages regarding your Cisco devices.
However I have noticed for a while that my logging timestamps are off an hour from the actual clock synced by NTP.
After some digging I realized that Cisco devices use
service timestamps log datetime
as a default. You can check the default values using the command:
sh run all | inc timestamp
In order for your logs to use the local clock time you need to issue the command
device(config)# service timestamp log datetime localtime
From now on, your logging timestamp should be identical to your local time on the device.
Great PBS documentary on the NSA surveillance “program”
Part 1 mainly focuses on the NSA program post 9/11 and the events that lead people like Thomas Drake, William Binney and Edward Snowden to blow the whistle.
Part 2 covers the ties between the US government and Data Mining companies like Google, Facebook and Apple.
Internet censorship is bad – especially when it is abused to censor media reports about potentially corrupt government officials. Luckily a lot of incompetent people try to implement censorship via DNS.
Censorship via DNS is a method which is pretty easy to bypass and some people have responded to this this:
And no, I will not go into detail here on how to do it right – for obvious reasons….
Managing Access Lists on Cisco IOS devices can be a real headache. Copying ACLs and Editing them in a Text Editor was a widely spread method until extended ACLs implemented Named Access Lists (nacls) with featured sequence numbers.
Extended IP access list my_acl_in 2 permit icmp ..... (1234 matches) 3 permit ip any host x.x.x.x 10 permit ip .... 11 permit ip .... 12 permit ip .... 13 permit ip .... 14 permit tcp any host ...... eq 443 15 permit tcp any host ...... eq www
Btw. the IPv6 Access list sequence numbers are placed at the end
permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq ssh sequence 1
Sequence Numbers allow for quick changes to an ACL without the copy&paste foo. A growing and ever changing ACL however can post a challange to your sequencing once the gaps are filled. In order to realign your Access Control Entries you can use the resequence command to put your ACEs in order again.
r1(config)#ip access-list resequence ? <1-99> Standard IP access-list number <100-199> Extended IP access-list number <1300-1999> Standard IP access-list number (expanded range) <2000-2699> Extended IP access list number (expanded range) WORD Access-list name r1(config)#ip access-list resequence my_acl_in ? <1-2147483647> Starting Sequence Number r1(config)#ip access-list resequence my_acl_in 5 ? <1-2147483647> Step to increment the sequence number r1(config)#ip access-list resequence my_acl_in 5 5
will resequence your ACEs to look something like this:
Extended IP access list my_acl_in 5 permit icmp ..... (1234 matches) 10 permit ip any host x.x.x.x 15 permit ip .... 20 permit ip .... 25 permit ip .... 30 permit ip .... 35 permit tcp any host ...... eq 443 40 permit tcp any host ...... eq www
This feature will definitely help to keep your sanity.
I find it quite a bit strange that this fuction is not mentioned on neither the 640-802 CCNA nor the 640-554 CCNA Security Cert Guides.
For more infos, check out the Cisco ACL sequence numbering guide
Read in a book, explanation of PEAP, the Protected Extensible Authentication Protocol:
This EAP method was developed in a rare moment of enlightened cooperation between Microsoft, Cisco and RSA Security
With Switched Virtual Interfaces, a Layer 3 Switch can forward packets between networks on its own – no external Router required.
Compared to a normal Router with FastEthernet or GigabitEthernet Interfaces, Layer 3 Switches using SVI can forward packets between VLANS at backplane speed! To get an idea how SVI works, take a look at this graphic:
In this example we have 3 VLAN on the Layer 3 Switch: Vlan 20, 30 and 40. To be able to forward packets, IP Routing first needs to be enabled on a Layer 3 Switch:
As we need a gateway for each VLAN, we simply assign the gateway IP address to the equivalent VLAN Interface. Note that I left out the subnet mask in the image due to space restrictions. After that we put the VLAN interface online using the
no shut command. You should see IP Addresses assigned to your VLAN Interfaces when using the
sh ip int brief command.
Once your VLAN Interfaces are up and running with an assigned IP Adress, your switch is ready to forward packets.
Note: SVIs are also used to provide Layer 3 connectivity to a switch – for example if you want to access the switch via SSH or
Telnet (seriously, do no use Telnet if you can use SSH).
The advantages of using SVIs to forward packets between your VLANs compared to using a Router or Router on a Stick are pretty obvious: Speed and Port density.
The disadvantage of this method is pretty obvious as well: It requires a Layer Switch such as the 3750 im using in my lab.