Cisco router Planes

Feb 18, 2009

The router is typically segmented into three planes, each with a clearly identified objective. The data plane forwards packets; the control plane exchanges the routing information needed to forward them correctly; and the management plane is used to manage network elements.

  • Management Plane—The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.
  • Control Plane—The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
  • Data Plane—The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.



Cisco Technologies to Secure Router Planes

Data Plane:

  • NetFlow
  • Access Control List
  • Unicast Reverse Path Forwarding (uRPF)
  • Remote Triggered Black Hole (RTBH)
  • QoS Tools

Management Plane:

  • CPU/Memory Threshold Notification
  • Management Plane Protection (MPP)
  • Role Based Access Control (RBACL)
  • Secure Access
  • Image Verification
  • Configuration Logger

Control Plane:

  • Control Plane Protection (CPPr)
  • Routing Protection
  • Receive ACLs
  • BGP TTL Security Check
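As an added example (not configuration from the original post), one way several of the technologies listed above fit together in a single Cisco IOS configuration, covering all three planes. Interface names, addresses, AS numbers and ACL names are constructed placeholders:

```cisco
! --- Management plane: SSH only, from a management subnet, enforced with MPP ---
hostname R1
ip domain-name example.net
! Generates the RSA key SSH needs (2048-bit); also accepted at the exec prompt
crypto key generate rsa modulus 2048
ip ssh version 2
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! Management Plane Protection: management traffic accepted only on Gi0/0
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! --- Data plane: strict uRPF on the Internet-facing interface ---
interface GigabitEthernet0/1
 description Internet uplink
 ip verify unicast source reachable-via rx
!
! --- Control plane: CoPP policy applied to traffic destined to the router ---
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
!
policy-map COPP
 class COPP-ROUTING
  police 256000 conform-action transmit exceed-action transmit
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- BGP TTL Security Check: accept eBGP only from a directly connected peer ---
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 ttl-security hops 1
```

The rates in the CoPP policy are placeholders; they should be sized from observed control-plane traffic on the device in question.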



Understand Cisco New IOS Packaging

Cisco IOS® Packaging simplifies the image selection process by consolidating the number of packages and using consistent package names across platforms. Cisco has begun repackaging all IOS versions with its new naming conventions, starting with IOS version 12.3 specifically designed for the Cisco 1700, Cisco 2600XM, Cisco 2691, the Cisco 3700 Series Access Routers, and the Cisco 1800, 2800, and 3800 Integrated Services Router family. It is available in Cisco IOS Software Major Release 12.3M/T, with additional enhancements in 12.4M/T.

The new Cisco IOS packages are as follows:

  1. IP Base
  2. IP Voice
  3. Enterprise Base
  4. Advanced Security
  5. SP Services
  6. Advanced IP Services
  7. Enterprise Services
  8. Advanced Enterprise Services


Each package contains a large number of features. For example, the Advanced Security package contains the Cisco IOS Firewall, IPsec, 3DES, VPN, and SSH. In summary:

  • IP Base, or IP Base without Crypto: Entry-level Cisco IOS Software image (classic IP data, plus trunking and DSL).
  • IP Voice, or IP Voice without Crypto: Adds VoIP and VoFR to IP Base (adds voice to data).
  • SP Services: Adds SSH/SSL, ATM, VoATM, MPLS, etc. to IP Voice (adds SP services to voice and data).
  • Advanced Security: Adds Cisco IOS Firewall, IDS/IPS, NAC, SSH/SSL, IPsec VPN, etc. to IP Base (adds security/VPN to data).
  • Enterprise Base, or Enterprise Base without Crypto: Adds enterprise Layer 3 routed protocols (AppleTalk, IPX, etc.) and IBM support to IP Base (adds multiprotocol services to data).
  • Enterprise Services, or Enterprise Services without Crypto: Adds full IBM support and Service Provider services to Enterprise Base (merges Enterprise Base and SP Services).
  • Advanced IP Services: Adds IPv6 and Advanced Security to SP Services (merges Advanced Security and SP Services).
  • Advanced Enterprise Services: Full Cisco IOS Software (merges Advanced IP Services and Enterprise Services).


VLANs Basics

VLANs are broadcast domains in a Layer 2 network. Each broadcast domain is like a distinct virtual bridge within the switch. Each virtual bridge you create in a switch defines a broadcast domain. By default, traffic from one VLAN cannot pass to another VLAN. Each of the users in a VLAN is also in the same IP subnet, and each switch port can belong to only one VLAN. The three characteristics of a typical VLAN setup are:

  • Each logical VLAN is like a separate physical bridge.
  • VLANs can span multiple switches.
  • Trunks carry traffic for multiple VLANs.

By default, each port on a switch can belong to only one VLAN. For devices that are in VLANs (that span multiple switches) to talk to other devices in the same VLAN, you must use trunking or have a dedicated port per VLAN. Trunk links allow the switch to carry multiple VLANs across a single link.
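As an added example (not configuration from the original post), a Catalyst-style IOS configuration in which two VLANs span two switches over a single 802.1Q trunk; the same block is applied on both switches. VLAN numbers, names and interface names are constructed placeholders:

```cisco
! Two broadcast domains, each its own virtual bridge inside the switch
vlan 10
 name SALES
vlan 20
 name ENGINEERING
!
! Access ports: each belongs to exactly one VLAN
interface FastEthernet0/1
 description Host in VLAN 10
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description Host in VLAN 20
 switchport mode access
 switchport access vlan 20
!
! Trunk to the other switch: carries both VLANs on one physical link
interface GigabitEthernet0/1
 description Trunk to the peer switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only the VLANs that must cross the link are allowed on the trunk
 switchport trunk allowed vlan 10,20
 ! Native (untagged) VLAN set to an otherwise unused VLAN
 switchport trunk native vlan 999
 ! Static trunk; do not negotiate trunking with the far end (DTP off)
 switchport nonegotiate
```

After applying it, `show vlan brief` lists the access ports under their VLANs and `show interfaces trunk` shows Gi0/1 trunking with VLANs 10 and 20 allowed and active.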




Cisco Career Certifications Path

General Certifications: Three Levels of Certification

  • Associate: The first step in Cisco networking begins at the Associate level, which also includes CCENT, an interim step to Associates for those with little job experience. Think of the Associate level as the apprentice or foundation level of networking certification.
  • Professional: This is the advanced or journeyman level of certification.
  • Expert: This is CCIE, the highest level of achievement for network professionals, certifying an individual as an expert or master.

General Certifications: Six Different Paths

  • Routing and Switching: This path is for professionals who install and support Cisco technology-based networks in which LAN and WAN routers and switches reside.
  • Design: This path is aimed at professionals who design Cisco technology-based networks in which LAN and WAN routers and switches reside.
  • Network Security: This path is directed toward network professionals who design and implement Cisco Secure networks.
  • Service Provider: This path is aimed at professionals working with infrastructure or access solutions in a Cisco end-to-end environment primarily within the telecommunications arena.
  • Storage Networking: This path is for professionals who implement storage solutions over extended network infrastructure using multiple transport options.
  • Voice: This path is directed toward network professionals who install and maintain Voice solutions over IP networks.

Certification Paths: Routing & Switching

Associate: CCNA

Professional: CCNP

Expert: CCIE Routing & Switching

Certification Paths: Design

Associate: CCNA & CCDA

Professional: CCDP

Expert: CCDE

Certification Paths: Network Security

Associate: CCNA Security

Professional: CCSP

Expert: CCIE Security

Certification Paths: Service Provider

Associate: CCNA

Professional: CCIP

Expert: CCIE Service Provider

Certification Paths: Storage Networking

Associate: CCNA

Professional: CCNP

Expert: CCIE Storage Networking

Certification Paths: Voice

Associate: CCNA Voice

Professional: CCVP

Expert: CCIE Voice

Certification Paths: Wireless

Associate: CCNA Wireless

Professional: Coming Soon

Expert: CCIE Wireless




Difference between IGP (Interior Gateway Protocols) and EGP (Exterior Gateway Protocols)

IGP:

  • Within a single autonomous system
  • Single network administration
  • Unique routing policy
  • Make best use of network resource
  • An IGP (Interior Gateway Protocol) is a protocol for exchanging routing information between gateways (hosts with routers) within an autonomous network (for example, a system of corporate local area networks).
  • IGPs fall into two categories:
    • Distance Vector Protocols
      • Routing Information Protocol (RIP)
      • Interior Gateway Routing Protocol (IGRP)
    • Link State Protocols
      • Open Shortest Path First (OSPF)
      • Intermediate System to Intermediate System (IS-IS)

EGP:

  • Among different autonomous systems
  • Independent administrative entities
  • Communication between independent network infrastructures
  • Exterior Gateway Protocol (EGP) is a protocol for exchanging routing information between two neighbor gateway hosts (each with its own router) in a network of autonomous systems.
  • EGP is commonly used between hosts on the Internet to exchange routing table information.
  • Examples of an EGP:
    • Border Gateway Protocol (BGP)
    • Exterior Gateway Protocol (Replaced by BGP)

Why to use the Cisco Enterprise Composite Model

  • Cisco has used the three-level hierarchical network design model for years. This older model (also referred to as the switch block model) provided a high-level idea of how a reliable network could be conceived but was largely conceptual, because it did not provide specific guidance.
  • Cisco therefore developed a newer design model, the enterprise composite model, which is significantly more complex.
  • This model attempts to address the major shortcomings of the hierarchical model by expanding the older version and making specific recommendations about how and where certain network functions should be implemented.

The enterprise composite model is broken up into three areas:

  • Enterprise campus
  • Enterprise edge
  • Service provider edge

The Enterprise Campus module deals with the campus, defined as one or more buildings on a local area connected with a high speed network. The campus does not provide remote/Internet access. The campus is broken into functional areas, described below.

  • Campus backbone (core layer)
  • Building distribution
  • Building access
  • Management
  • Server farm (for enterprise services)

The Enterprise Edge module connects the Enterprise Campuses, and other internal resources such as the WAN.

  • E-Commerce
  • Internet connectivity
  • Remote access (dial-up and VPN)
  • WAN (internal links)

The Service Provider edge is the demarcation to the Internet and other remote access services.

  • Internet service provider (ISP)
  • Public Switched Telephone Network (PSTN) for dialup
  • Frame Relay, ATM, and PPP for private connectivity




Cisco CCNA Security 640-553 IINS Tutorials Part-16

Rivest, Shamir, and Adleman (RSA) Invented by Ron Rivest, Adi Shamir, and Len Adleman in 1977, RSA is one of the most common asymmetric algorithms in use today. This public-key algorithm was patented until September 2000, when the patent expired, making the algorithm part of the public domain. RSA has been widely embraced over the years, in part because of its ease of implementation and its flexibility.

role-based command-line interface (CLI) views Can be used to provide different sets of configuration information to different administrators. However, unlike making commands available via privilege levels, using role-based CLI views you can control exactly what commands an administrator has access to.

RTP Control Protocol (RTCP) Provides information about an RTP flow, such as information about the quality of the call. In a Cisco environment, RTCP typically uses odd-numbered UDP ports in the range 16,384 to 32,767.

salami attack A collection of small attacks that result in a larger attack when combined.

salt A series of random bits added to a password. When the password is hashed, and that hash is stored in a database, two identical passwords do not create the same hash. This also protects the passwords from attacks involving rainbow tables.

Secure RTP (SRTP) Secures the transmission of voice via Real-time Transport Protocol (RTP). Specifically, SRTP adds encryption, authentication, integrity, and antireplay mechanisms to voice traffic.

Secure Shell (SSH) A protocol that provides encryption and authentication functions for remote terminal sessions. This allows an administrator to securely attach to and exchange information with a router, for example. Cisco recommends that SSH be used instead of Telnet because Telnet sends data in plain text.

Security level Defines the type of security algorithm performed on SNMP packets. Examples of security levels are noAuthNoPriv, authNoPriv, and authPriv.

Security model Defines an approach for user and group authentication. Cisco IOS supports the SNMPv1, SNMPv2c, and SNMPv3 security models.

Security policy A continually changing document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how the network is used.


Cisco CCNA Security 640-553 IINS Tutorials Part-17

Security zone Consists of a group of interfaces to which a policy can be applied. Grouping interfaces into zones involves two steps. First, a zone must be created so that interfaces may be attached to it. Second, an interface must be configured to be a member of a given zone.
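As an added example (not configuration from the original post), the two steps described above in a Cisco IOS zone-based firewall configuration, followed by the policy that makes the zones useful. Zone names, interface names and the permitted protocols are constructed placeholders:

```cisco
! Step 1: create the zones so that interfaces can be attached to them
zone security INSIDE
zone security OUTSIDE
!
! Step 2: make each interface a member of exactly one zone
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! Traffic to be inspected (stateful) from INSIDE toward OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-TO-OUTSIDE-TRAFFIC
  inspect
 ! Anything not matched above is dropped
 class class-default
  drop
!
! The zone pair binds the policy to one direction between the two zones
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
```

With no zone pair defined in the OUTSIDE-to-INSIDE direction, unsolicited traffic from the Internet toward the LAN is dropped; only return traffic for inspected sessions is allowed back.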

SHA-1 Secure Hash Algorithm 1. One of five cryptographic hash functions known as SHA hash functions. They were designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard. SHA-1 computes a fixed-length digital representation (a message digest) from an input data sequence (the message) of any length.

Signature definition file (SDF) A database of signatures used to identify malicious traffic. Modern routers typically ship with an SDF file installed in flash memory. However, the administrator usually needs to periodically update the router’s SDF, because Cisco routinely updates these files to address emerging threats.

Simple Network Management Protocol (SNMP) A management protocol that allows an SNMP manager to collect information from an SNMP agent.

Skinny Client Control Protocol (SCCP) A Cisco-proprietary signaling protocol often called Skinny protocol. SCCP is often used for signaling between Cisco IP Phones and Cisco Unified Communications Manager servers. However, some Cisco gateways also support SCCP. SCCP is considered a client/server protocol, such as MGCP and H.248.

Small Computer Systems Interface (SCSI) In terms of SAN networking, the SCSI communications model serves as the basis for all the major SAN transport technologies. In fact, you could say that a SAN can best be described as the merging of SCSI and networking.

SNMP agent A piece of software that runs on a managed device (such as a server, router, or switch).

SNMP GET A message that is used to retrieve information from a managed device

SNMP manager Runs a network management application. Sometimes called a Network Management Server (NMS).

SNMP SET A message that is used to set a variable in a managed device or to trigger an action on the managed device.


Cisco CCNA Security 640-553 IINS Tutorials Part-18

SNMP trap An unsolicited message sent from the managed device to an SNMP manager. It can be used to notify the SNMP manager about a significant event that occurred on a managed device.

Snooping Broadly defines a class of attacks focused on compromising the confidentiality of data. In terms of SAN deployments, these attacks seek to give an attacker access to data that would otherwise be confidential.

Software Encryption Algorithm (SEAL) This kind of encryption uses a 160-bit encryption key. It offers the benefit of having less of an impact on the CPU compared to other software-based algorithms. It is an alternative to software-based DES, 3DES, and AES.

Spam over IP telephony (SPIT) VoIP spam. A SPIT attack on your Cisco IP Phone could, for example, make unsolicited messages periodically appear on the phone’s LCD screen or make the phone ring periodically.

Spoofing Imitating a given resource by alternative means. In network terms this might represent the spoofing of an IP address, where an attacker poses as the valid recipient at a given IP address to intercept traffic.

Standard access control list (ACL) Standard ACLs permit or deny traffic based only on its source IP address. With these ACLs, the packet’s destination and the ports involved are not taken into account.

Static firewall This first-generation firewall technology analyzes network traffic at the transport protocol layer. IP packets are examined to see if they match one of a set of rules defining which data flows are allowed. These rules specify whether communication is allowed based on information contained in the network and transport layer headers as well as the direction of the packet flow.

Storage-area network (SAN) In a SAN, storage devices are shared among all networked servers as peer resources. A SAN may be used to connect servers to storage, servers to each other, and storage to storage.

Stream cipher Uses smaller units of plain text than what are used with block ciphers. Typically they work with bits. Transformation of these smaller plain-text units also varies, depending on when during the encryption process they are encountered. One of the great benefits of stream ciphers as compared to block ciphers is that they are much faster. Generally they do not increase the message size because they can encrypt an arbitrary number of bits.

Supplicant A user device (such as a PC) that requests permission to access the network. This device must support the 802.1x standard. For example, a PC running the Microsoft Windows XP operating system supporting 802.1x could act as a supplicant.


Cisco CCNA Security 640-553 IINS Tutorials Part-20

Transparent firewall A Layer 2 firewall that behaves like a “stealth firewall.” In other words, it is not seen as a router hop to connected devices. In this implementation, the security appliance connects the same network on its inside and outside ports. However, each interface resides on a separate VLAN.

Transport mode Uses a packet’s original IP header, as opposed to adding a tunnel header for packets traveling over an IPsec-protected VPN. This approach works well in networks in which increasing a packet’s size could cause an issue.

Triple Data Encryption Standard (3DES) Applies the DES algorithm three times in a row to a plain-text block, but each application uses a different key. Applying DES three times with different keys makes brute-force attacks on 3DES unfeasible. This stems from the fact that the basic algorithm has stood the test of time, weathering 35 years in the field, proving quite trustworthy.

Trojan horse A piece of software that appears to perform a certain action but in fact performs another action, such as a computer virus. This action, generally encoded in a hidden payload, may or may not be malicious in nature.

Tunnel mode Unlike transport mode, tunnel mode encapsulates an entire packet traveling over an IPsec-protected VPN. As a result, the encapsulated packet has a new IPsec header. This new header has source and destination IP address information that reflects the two VPN termination devices at two different sites. Therefore, tunnel mode is frequently used in an IPsec site-to-site VPN.

Turbo access control list (ACL) Processes ACLs into lookup tables for greater efficiency. Turbo ACLs use the packet header to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries.

User Datagram Protocol (UDP) A communications protocol that has no error recovery features and is mostly used to send streamed material over the Internet.

VACL VLAN access control list. An ACL applied within a VLAN, as opposed to an ACL applied when traffic travels from one VLAN, or subnet, to another (as typically seen on a router).

virtual private network (VPN) A logical connection (sometimes called a tunnel) that can be established over an “untrusted” network (such as the Internet). An IPsec VPN can use a series of security protocols and algorithms to protect the traffic flowing over a VPN tunnel.

virtual SAN (VSAN) Created from a collection of ports that are part of a set of connected Fibre Channel switches. Together these ports form a virtual fabric. Ports within a single switch may be partitioned off to form multiple VSANs. Conversely, multiple switches may be used together, and any number of their ports may be joined to form a single VSAN.


CCNA Security Certification Overview

640-553 IINS - Implementing Cisco IOS Network Security

CCNA Security is a new Associate Level certification designed to build upon the CCNA certification and as a prerequisite for the CCSP - Cisco Certified Security Professional certification. The Cisco CCNA Security certification validates the knowledge required to install, troubleshoot, and monitor Cisco security network devices. In addition, CCNA Security confirms an individual’s skills for job roles such as network security specialist, security administrator, and network security support engineer.
