Part I The CCIE Program and Your Lab Environment 3
Chapter 1 The CCIE Security Program 5
The Cisco CCIE Program 5
The CCIE Security Exam 5
Qualification Exam 6
Lab Exam 9
Summary 10
Chapter 2 Building a CCIE Mind-Set 13
What It Takes to Become a CCIE 13
Developing Proper Study Habits 14
Good Study Habits 15
Common Study Traps 16
Lab Experience Versus Real-World Experience 18
Summary 19
Chapter 3 Building the Test Laboratory 21
Study Time on a Lab 21
Work-Based Study Lab 22
Home-Based Study Lab 22
Remote Lab 23
Planning Your Home Lab 23
Sourcing the Lab Equipment 24
Windows-based Products and UNIX 26
Designing Your Practice Lab for This Book 26
Summary 27
Part II Connectivity 29
Chapter 4 Layer 2 and Layer 3 Switching and LAN Connectivity 31
Catalyst Operating System 31
Switching Overview 32
Switching Technologies 32
Transparent Bridging 33
Spanning Tree Overview 34
Bridge Protocol Data Unit 35
Election Process 37
Spanning-Tree Interface States 38
Spanning-Tree Address Management 40
STP and IEEE 802.1q Trunks 40
VLAN-Bridge STP 41
STP and Redundant Connectivity 41
Accelerated Aging to Retain Connectivity 41
RSTP and MSTP 42
Layer 3 Switching Overview 42
Virtual LAN Overview 42
Assigning or Modifying VLANs 44
Deleting VLANs 45
Configuring Extended-Range VLANs 46
VLAN Trunking Protocol Overview 46
The VTP Domain 46
VTP Modes 46
VTP Passwords 47
VTP Advertisements 47
VTP Version 2 48
VTP Pruning 49
VTP Configuration Guidelines 50
Displaying VTP 50
Switch Interface Overview 51
Access Ports 51
Trunk Ports 51
Routed Ports 52
EtherChannel Overview 53
Port-Channel Interfaces 54
Understanding the Port Aggregation Protocol 54
EtherChannel Load Balancing and Forwarding Methods 55
EtherChannel Configuration Guidelines 56
Creating Layer 2 EtherChannels 57
Optional Configuration Items 57
BPDU Guard 57
BPDU Filtering 58
UplinkFast 58
BackboneFast 59
Loop Guard 59
Switched Port Analyzer Overview 59
SPAN Session 60
Configuring SPAN 60
Basic Catalyst 3550 Switch Configuration 63
Case Study 4-1: Basic Network Connectivity 63
Case Study 4-2: Configuring Interfaces 70
Case Study 4-3: Configuring PortFast 72
Case Study 4-4: Creating a Layer 2 EtherChannel 72
Case Study 4-5: Creating Trunks 73
Case Study 4-6: Configuring Layer 3 EtherChannels 74
Case Study 4-7: EtherChannel Load Balancing 76
Case Study 4-8: Configuring a Routed Port 77
Case Study 4-9: Configuring SPAN 78
Summary 80
Review Questions 80
FAQs 81
Chapter 5 Frame Relay Connectivity 83
Frame Relay Overview 83
Frame Relay Devices 85
Frame Relay Topologies 86
Star Topologies 86
Fully Meshed Topologies 87
Partially Meshed Topologies 87
Frame Relay Subinterfaces 88
Frame Relay Virtual Circuits 89
Switched Virtual Circuits 90
Permanent Virtual Circuits 91
Frame Relay Signaling 91
LMI Frame Format 92
LMI Timers 93
LMI Autosense 95
Network-to-Network Interface 95
User-Network Interface 96
Congestion-Control Mechanisms 96
Frame Relay Discard Eligibility 98
DLCI Priority Levels 98
Frame Relay Error Checking 99
Frame Relay ForeSight 99
Frame Relay Congestion Notification Methods 100
Frame Relay End-to-End Keepalives 100
Configuring Frame Relay 102
Case Study 5-1: Configuring Frame Relay 102
Case Study 5-2: Configuring Frame Relay SVCs 109
Case Study 5-3: Frame Relay Traffic Shaping 114
Creating a Broadcast Queue for an Interface 119
Transparent Bridging and Frame Relay 120
Configuring a Backup Interface for a Subinterface 120
TCP/IP Header Compression 121
Configuring an Individual IP Map for TCP/IP Header Compression 121
Configuring an Interface for TCP/IP Header Compression 122
Disabling TCP/IP Header Compression 122
Troubleshooting Frame Relay Connectivity 122
The show frame-relay lmi Command 122
The show frame-relay pvc Command 123
The show frame-relay map Command 125
The debug frame-relay lmi Command 125
Summary 126
Review Questions 127
FAQs 128
Chapter 6 ISDN Connectivity 133
ISDN Overview 133
ISDN Standards Support 133
ISDN Digital Channels 134
ISDN Terminal Equipment and Network Termination Devices 134
Reference Points 135
ISDN Layers and Call Stages 136
Point-to-Point Protocol (PPP) Overview 139
Link Control Protocol (LCP) 139
Network Control Protocol (NCP) 140
Dial-on-Demand Routing (DDR) Overview 141
Configuring ISDN 142
Lesson 6-1: Beginning ISDN Configuration 142
Lesson 6-2: Configuring DDR 144
Lesson 6-3: Routing Over ISDN 149
Lesson 6-4: Configuring the Interface and Backup Interface 157
Lesson 6-5: Configuring PPP Options 160
Lesson 6-6: Configuring Advanced Options 161
Lesson 6-7: Monitoring and Troubleshooting ISDN 169
Summary 178
Review Questions 178
FAQs 180
Chapter 7 ATM Connectivity 183
ATM Overview 183
Configuring ATM 184
Lesson 7-1: RFC 2684: Multiprotocol Encapsulation over AAL5 185
Lesson 7-2: RFC 2225: Classical IP and ARP over ATM 191
Summary 195
Review Questions 195
FAQs 196
Part III IP Routing 199
Chapter 8 RIP 201
RIP Structure 201
Routing Updates and Timers 201
Routing Metric 202
Split-Horizon Issues 202
RIP and Default Routes 203
RIPv1 Versus RIPv2 203
Configuring RIP 203
Case Study 8-1: Basic RIP Configuration 204
Case Study 8-2: RIPv1 over Router to PIX 5.2 Connection 221
Case Study 8-3: RIPv2 over Router to PIX 6.2 Connection with Authentication 225
Lesson 8-1: Advanced RIP Configuration 233
Summary 235
Review Questions 235
FAQs 236
Chapter 9 EIGRP 239
An EIGRP Overview 240
Configuring EIGRP 241
Lesson 9-1: Configuring Simple EIGRP 241
EIGRP Building Blocks 243
Packet Formats 243
EIGRP Tables 244
Feasible Successors 250
Route States 250
Route Tagging 251
IGRP and EIGRP Interoperability 251
An Example of DUAL in Action 251
Configuring EIGRP Options 253
Lesson 9-2: Adding a WAN Connection 253
Lesson 9-3: Logging Neighbor Adjacency Changes 255
Lesson 9-4: Disabling Route Summarization 256
Lesson 9-5: Configuring Manual Route Summarization 258
Lesson 9-6: Configuring Default Routing 259
Lesson 9-7: Controlling EIGRP Routes 261
Lesson 9-8: Redistributing EIGRP with Route Controls 263
Lesson 9-9: Configuring EIGRP Route Authentication 263
Lesson 9-10: Configuring EIGRP Stub Routing 264
Lesson 9-11: Configuring EIGRP Over GRE Tunnels 266
Lesson 9-12: Disabling EIGRP Split Horizon 269
Troubleshooting EIGRP 270
Summary 272
Review Questions 272
FAQs 273
Chapter 10 OSPF 277
Configuring OSPF 278
Case Study 10-1: Basic OSPF Configuration 279
Case Study 10-2: OSPF and Route Summarization 306
Case Study 10-3: OSPF Filtering 310
Case Study 10-4: OSPF and Non-IP Traffic over GRE 312
Monitoring and Maintaining OSPF 315
Verifying OSPF ABR Type 3 LSA Filtering 316
Displaying OSPF Update Packet Pacing 317
Summary 317
Review Questions 317
FAQs 318
Chapter 11 IS-IS 321
Integrated IS-IS Overview 321
Configuring IS-IS 322
Case Study 11-1: Configuring IS-IS for IP 322
IS-IS Building Blocks 328
The IS-IS State Machine 330
The Receive Process 330
The Update Process 331
The Decision Process 331
The Forward Process 331
Pseudonodes 331
IS-IS Addressing 333
The Simplified NSAP Format 333
Addressing Requirements 334
Limiting LSP Flooding 335
Blocking Flooding on Specific Interfaces 335
Configuring Mesh Groups 336
Generating a Default Route 336
Route Redistribution 337
Setting IS-IS Optional Parameters 338
Setting the Advertised Hello Interval 339
Setting the Advertised CSNP Interval 339
Setting the Retransmission Interval 339
Setting the LSP Transmission Interval 339
Configuring IS-IS Authentication 340
Case Study 11-2: IS-IS Authentication 340
Authentication Problems 345
Using show and debug Commands 346
Monitoring IS-IS 346
Debugging IS-IS 346
Summary 348
Review Questions 348
FAQs 349
Chapter 12 BGP 351
Understanding BGP Concepts 351
Autonomous Systems 351
BGP Functionality 352
EBGP and IBGP 352
BGP Updates 353
Configuring BGP 353
Case Study 12-1: Single-Homed Autonomous System Setup 354
Case Study 12-2: Transit Autonomous System Setup 363
Case Study 12-3: BGP Confederations 372
Case Study 12-4: BGP Over a Firewall with a Private Autonomous System 377
Case Study 12-5: BGP Through a Firewall with Prepend 386
Summary 394
Review Questions 394
FAQ 395
Chapter 13 Redistribution 397
Metrics 397
Administrative Distance 398
Classless and Classful Capabilities 398
Avoiding Problems Due to Redistribution 399
Configuring Redistribution of Routing Information 399
Redistributing Connected Networks into OSPF 402
Lesson 13-1: Redistributing OSPF into Border Gateway Protocol 402
Lesson 13-2: Redistributing OSPF Not-So-Stubby Area External Routes into BGP 405
Lesson 13-3: Redistributing Routes Between OSPF and RIP Version 1 407
Lesson 13-4: Redistributing Between Two EIGRP Autonomous Systems 408
Lesson 13-5: Redistributing Routes Between EIGRP and IGRP in Two Different Autonomous Systems 409
Lesson 13-6: Redistributing Routes Between EIGRP and IGRP in the Same Autonomous System 411
Redistributing Routes to and from Other Protocols from EIGRP 412
Lesson 13-7: Redistributing Static Routes to Interfaces with EIGRP 412
Lesson 13-8: Redistributing Directly Connected Networks 413
Lesson 13-9: Filtering Routing Information 416
Summary 421
Review Questions 422
FAQs 423
Part IV Security Practices 425
Chapter 14 Security Primer 427
Important Security Acronyms 428
White Hats Versus Black Hats 432
Cisco Security Implementations 432
Cisco IOS Security Overview 433
CatalystOS Security Overview 434
VPN Overview 435
AAA Overview 436
IDS Fundamentals 436
Summary 437
Review Questions 437
FAQs 438
Chapter 15 Basic Cisco IOS Software and Catalyst 3550 Series Security 441
Cisco IOS Software Security 441
Network Time Protocol Security 441
HTTP Server Security 442
Password Management 442
Access Lists 443
Secure Shell 443
Basic IOS Security Configuration 443
Lesson 15-1: Configuring Passwords, Privileges, and Logins 444
Lesson 15-2: Disabling Services 451
Lesson 15-3: Setting up a Secure HTTP Server 456
Case Study 15-1: Secure NTP Configuration 458
Case Study 15-2: Configuring SSH 464
Catalyst 3550 Security 467
Lesson 15-4: Port-Based Traffic Control 467
Summary 472
Review Questions 473
FAQs 474
Chapter 16 Access Control Lists 477
Overview of Access Control Lists 477
Where to Configure an ACL 478
When to Configure an ACL 479
ACLs on the IOS Router and the Catalyst 3550 Switch 480
Basic ACLs 480
Advanced ACLs 482
Time-of-Day ACLs 483
Lock-and-Key ACLs 484
Why You Should Use Lock-and-Key 485
When You Should Use Lock-and-Key 485
Source-Address Spoofing and Lock-and-Key 485
Lock-and-Key Configuration Tips 485
Verifying Lock-and-Key Configuration 487
Maintaining Lock-and-Key 487
Manually Deleting Dynamic Access List Entries 487
Reflexive ACLs 488
Reflexive ACL Benefits and Restrictions 489
Reflexive ACL Design Considerations 489
Router ACLs 490
Port ACLs 490
VLAN Maps 491
Using VLAN Maps with Router ACLs 491
Fragmented and Unfragmented Traffic 493
Logging ACLs 494
Defining ACLs 495
The Implied “Deny All Traffic” ACE Statement 495
ACE Entry Order 496
Applying ACLs to Interfaces 496
Lesson 16-1: Configuring an ACL 498
Lesson 16-2: Creating a Numbered Standard IP ACL 502
Lesson 16-3: Creating a Numbered Extended IP ACL 502
Lesson 16-4: Creating a Named Standard IP ACL 503
Lesson 16-5: Creating a Named Extended IP ACL 503
Lesson 16-6: Implementing Time of Day and ACLs 504
Lesson 16-7: Configuring Lock-and-Key 506
Lesson 16-8: Configuring Reflexive ACLs 507
Lesson 16-9: Logging ACLs 511
Lesson 16-10: Configuring a Named MAC Extended ACL 512
Creating a VLAN Map 513
Lesson 16-11: Using ACLs with VLAN Maps 513
Maintaining ACLs 514
Displaying ACL Resource Usage 515
Troubleshooting Configuration Issues 516
ACL Configuration Size 517
Unsupported Features on the Catalyst 3550 Switch 518
Summary 519
Review Questions 519
FAQs 520
Chapter 17 IP Services 523
Managing IP Connections 523
ICMP Unreachable Messages 524
ICMP Redirect Messages 524
ICMP Mask Reply Messages 525
IP Path MTU Discovery 525
MTU Packet Size 526
IP Source Routing 526
Simplex Ethernet Interfaces 527
DRP Server Agents 527
Filtering IP Packets Using Access Lists 527
Hot Standby Router Protocol Overview 528
HSRP and ICMP Redirects 528
IP Accounting Overview 530
IP MAC Accounting 530
IP Precedence Accounting 531
Configuring TCP Performance Parameters 531
Compressing TCP Packet Headers 532
Setting the TCP Connection Attempt Time 533
Using TCP Path MTU Discovery 533
Using TCP Selective Acknowledgment 534
Using TCP Time Stamps 534
Setting the TCP Maximum Read Size 534
Setting the TCP Window Size 535
Setting the TCP Outgoing Queue Size 535
Configuring the MultiNode Load Balancing Forwarding Agent 535
Configuring the MNLB Forwarding Agent 536
Network Address Translation Overview 537
When to Use NAT 539
Configuring IP Services 539
Lesson 17-1: Configuring ICMP Redirects 539
Lesson 17-2: Configuring the DRP Server Agent 540
Lesson 17-3: Configuring HSRP 541
Lesson 17-4: Configuring IP Accounting 548
Lesson 17-5: Configuring NAT 549
Monitoring and Maintaining IP Services 555
Verifying HSRP Support for MPLS VPNs 556
Displaying System and Network Statistics 556
Clearing Caches, Tables, and Databases 557
Monitoring and Maintaining the DRP Server Agent 558
Clearing the Access List Counters 558
Monitoring the MNLB Forwarding Agent 558
Monitoring and Maintaining HSRP Support for ICMP Redirect Messages 558
Monitoring and Maintaining NAT 559
Summary 559
Review Questions 560
FAQs 561
Part V Authentication and Virtual Private Networks 565
Chapter 18 AAA Services 567
TACACS+ Versus RADIUS 567
Underlying Protocols 567
Packet Encryption 568
Authentication, Authorization, and Accounting Processes 568
Router Management 568
Interoperability 568
Traffic 569
Configuring AAA 569
Case Study 18-1: Simplified AAA Configuration Using RADIUS 569
Case Study 18-2: Configuring AAA on a PIX Firewall 581
Case Study 18-3: Configuring VPN Client Remote Access 593
Case Study 18-4: Authentication Proxy with TACACS+ 610
Case Study 18-5: Privilege Levels with TACACS+ 617
Case Study 18-6: Configuring PPP Callback with TACACS+ 621
Summary 627
Review Questions 627
FAQs 628
Chapter 19 Virtual Private Networks 631
Virtual Private Network (VPN) Overview 631
Site-to-Site VPNs 631
Remote-Access VPNs 633
IPSec Overview 633
Authentication Header (AH) 634
Encapsulating Security Payload (ESP) 635
IPSec Protocol Suite 636
Tunnel and Transport Modes 639
IPSec Operation 640
Defining Interesting Traffic 641
IKE Phase 1 641
IKE Phase 2 642
IPSec Encrypted Tunnel 643
Tunnel Termination 643
Configuring IPSec in Cisco IOS Software and PIX Firewalls 643
Case Study 19-1: Configuring a Basic IOS-to-IOS IPSec VPN 644
Case Study 19-2: Configuring a Basic PIX-to-PIX IPSec VPN 671
Certificate Authority (CA) Support 695
Configuring CA 696
IOS-to-IOS VPN Using CA 696
PIX-to-PIX VPN Using CA 703
Summary 710
Review Questions 711
FAQs 712
Chapter 20 Advanced Virtual Private Networks 715
Issues with Conventional IPSec VPNs 715
Solving IPSec Issues with GREs 716
Solving IPSec Issues with DMVPNs 716
Configuring Advanced VPNs 718
Case Study 20-1: Using Dynamic Routing Over IPSec-Protected VPNs 718
Case Study 20-2: Configuring DMVPN 732
Summary 745
Review Questions 746
FAQs 747
Chapter 21 Virtual Private Dialup Networks 749
L2F and L2TP Overview 749
VPDN Process Overview 749
PPTP Overview 751
Configuring VPDNs 752
Case Study 21-1: Configuring the VPDN to Work with Local AAA 752
Case Study 21-2: Configuring TACACS+ Authentication and Authorization for VPDN 761
Case Study 21-3: Configuring the PIX Firewall to Use PPTP 766
Lesson 21-1: Configuring the Default VPDN Group Template 768
Summary 769
Review Questions 770
FAQs 771
Part VI Firewalls 773
Chapter 22 Cisco IOS Firewall 775
Creating a Customized Firewall 776
Configuring TCP Intercept 776
Lesson 22-1: Configuring TCP Intercept 778
CBAC Overview 781
Traffic Filtering 781
Traffic Inspection 782
Alerts and Audit Trails 782
Intrusion Detection 783
CBAC Limitations and Restrictions 783
CBAC Operation 784
When and Where to Configure CBAC 790
CBAC-Supported Protocols 790
Using IPSec with CBAC 791
Lesson 22-2: Configuring CBAC 791
Monitoring and Maintaining CBAC 798
Turning Off CBAC 802
Case Study 22-1: Configuring CBAC on Two Interfaces 802
Port-to-Application Mapping (PAM) 806
How PAM Works 806
When to Use PAM 808
Lesson 22-3: Configuring PAM 808
Monitoring and Maintaining PAM 810
Summary 810
Review Questions 810
FAQs 811
Chapter 23 Cisco PIX Firewall 813
Security Levels and Address Translation 813
TCP and UDP 814
Configuring a Cisco PIX Firewall 814
Lesson 23-1: Configuring the PIX Firewall Basics 815
Lesson 23-2: Configuring Network Protection and Controlling Its Access and Use 824
Lesson 23-3: Supporting Specific Protocols and Applications 834
Lesson 23-4: Monitoring the PIX Firewall 838
Lesson 23-5: Using the PIX Firewall as a DHCP Server 844
Lesson 23-6: New Features in PIX Firewall Version 6.2 846
Summary 854
Review Questions 854
FAQs 855
Part VII Intrusion Detection 857
Chapter 24 IDS on the Cisco PIX Firewall and IOS Software 859
Cisco IOS Software Intrusion Detection 859
Cisco PIX Firewall Intrusion Detection 860
Cisco IOS Software and PIX IDS Signatures 861
Configuring Cisco IDS 867
Case Study 24-1: Configuring the Cisco IOS Software IDS 867
Case Study 24-2: Configuring the Cisco Secure PIX Firewall IDS 870
Summary 874
Review Questions 874
FAQs 876
Chapter 25 Internet Service Provider Security Services 879
Preventing Denial-of-Service Attacks 879
Committed Access Rate (CAR) 879
Reverse Path Forwarding (RPF) 880
Layer 2 VPN (L2VPN) 880
802.1Q 881
Layer 2 Protocol Tunneling 881
Configuring ISP Services 881
Case Study 25-1: DoS Prevention Through Rate Limiting 882
Case Study 25-2: DoS Prevention Through RPF 886
Case Study 25-3: Configuring L2VPN 887
Summary 895
Review Questions 895
FAQs 896
Part VIII Sample Lab Scenarios 899
Chapter 26 Sample Lab Scenarios 901
Practice Lab Format 901
How the Master Lab Compares to the CCIE Security Lab Exam 902
CCIE Practice Lab 1: Building Layer 2 903
Equipment List 903
Prestaging: Configuring the Frame Relay Switch 904
Prestaging: Configuring the First Backbone Router, R9-BB1 905
Prestaging: Configuring the Second Backbone Router, R7-BB2 907
Lab Rules 909
Timed Portion 909
CCIE Practice Lab 2: Routing 911
Equipment List 911
Lab Rules 912
Timed Portion 913
CCIE Practice Lab 3: Configuring Protocol Redistribution and Dial Backup 915
Equipment List 915
Lab Rules 915
Timed Portion 916
CCIE Practice Lab 4: Configuring Basic Security 917
Equipment List 917
Lab Rules 919
Timed Portion 919
CCIE Practice Lab 5: Dial and Application Security 921
Equipment List 921
Lab Rules 921
Timed Portion 922
CCIE Practice Lab 6: Configuring Advanced Security Features 926
Equipment List 926
Lab Rules 926
Timed Portion 927
CCIE Practice Lab 7: Service Provider 931
Equipment List 931
Lab Rules 932
Timed Portion 932
CCIE Practice Lab 8: All-Inclusive Master Lab 933
Equipment List 933
Prestaging: Configuring the Frame Relay Switch 934
Prestaging: Configuring the First Backbone Router, R7-BB1 936
Prestaging: Configuring the Second Backbone Router, R7-BB2 937
Prestaging: Configuring the Reverse Telnet Router 940
Lab Rules 941
Timed Portion 942
Summary 952
Part IX Appendixes 955
Appendix A Basic UNIX Security 957
Appendix B Basic Windows Security 969
Appendix C ISDN Error Codes and Debugging Reference 983
Appendix D Password Recovery on Cisco IOS, CatalystOS, and PIX 995
Appendix E Security-Related RFCs and Publications 1017
Appendix F Answers to the Review Questions 1029