network device management

www.professordkinney.com

04/10/23Instructional Design-Computer Networking - Bridges Educational Group


Network Device Management

Lessons Summary:Configuring Network Devices Enterprise Network Security Managing Cisco Devices Some Bonus Cheat Sheets



Configuring Network Devices ISR (Integrated Services Router combines routing,

LAN switching, security, voice, & WAN connectivity features.

Ideal for small to medium-sized businesses & ISP managed customers.



Cisco IOS – offered in modules called imagesIP Base image: entry-level Cisco IOSImages are specific to models of devices



CISCO IOS Image: Types of ImagesTwo main types of image your router may use:

System image - complete Cisco IOS software. This image is loaded when your router boots and is used most of the time.

On most platforms, the image is located in Flash memory.

Boot image - A subset of the Cisco IOS software. This image is used to perform network booting or to load Cisco IOS images onto the router. This image is also used if the router cannot find a valid system image. Depending on your platform, this image may be called xboot image, rxboot image, bootstrap image, or boot loader/helper image.

On some platforms, the boot image is contained in ROM. In others, the boot image can be stored in Flash memory. On these platforms, you can specify which image should be used as the boot image using the boot bootldr global configuration command. Refer to your hardware documentation for information about the boot image used on your router.



Image Naming ConventionYou can identify the platform, features and

image location by the image name.Naming convention is: platform – features –

typeExample: c2600-js-l_121-3.bin

• c2600 - hardware platform• js - features set (enterprise)• l - file format (relocatable, not compressed)

• 121-3 - version & release # (version 12.1 release 3)



Platform – variable platform that can use imageFor example c1700, c2600, c7000

Features –feature sets supported by image.Type – can contain following characters

• f—The image runs from Flash memory.

• m—The image runs from RAM. • r—The image runs from ROM. • l—The image is relocatable. • z—The image is zip compressed. • x—The image is mzip compressed.



Tools and equipment required for setup:



Three-stage bootup process:Power-on self test (POST)Locate and load Cisco IOS Locate startup configuration file or enter

setup mode



POST (Power On Self Test) – test hardwareAfter POST, the bootstrap program is loadedBootstrap locates IOS and loads it into RAM

– IOS can be located – flash memory, TFTP server, or another location

– By default, IOS loads from flashAfter IOS is loaded, bootstrap locates startup

configuration file in NVRAM (non-volatile random access memory)

Startup configuration – when loaded into RAM (working memory), it become the “running” configuration.



Loading Cisco IOS



Show version command outputRouter>show version

• IOS version• Bootstrap program stored in ROM• Complete filename of IOS• Type of CPU; amount of RAM• Number & type of interfaces• Amount of NVRAM (used to store startup

config)• Amount of Flash (used to store IOS• Configuration register in hex



Configuration registerDefault setting – 0x2102 (remember

this?)– Loads IOS from flash – Loads startup-config from NVRAM

Most common settings• 0x2142 –ignores contents of NVRAM/configuration

• 0x2120 – The router into ROMmon mode



Initial ISR Router ConfigurationVerifying and troubleshooting bootup process:View output from the show version commandUse dir flash: and boot flash: in ROMmon modeView boot system commands [see miage below on next

slide]



Out-of-band management for initial configurationIn-band management over a network connection



Command Line Interface (CLI): text-based program

Can be used in both in-band or out-of-band



SDM Security Device Manager (SDM): web-based

GUIIn-Band onlySDM Express (Basic) or Full package (Advanced

configuration)Comes preinstalled in flash



CLI vs. SDM



Using Cisco SDM Express and SDMFollow best practices for installing a new device to

ensure correct functions





Eight SDM Express configuration screens:• Overview• Basic configuration• LAN IP address• DHCP• Internet (WAN)• Firewall• Security settings• Summary

Use Basic NAT Wizard to configure dynamic NAT with PAT



Use Cisco IOS CLI to perform an initial router configuration



Configure serial and Ethernet interfaces on a router



(DTE) Data Terminal Equipment endpoint of user’s device on the WAN link; Cisco routers

(DCE) Data Communications Equipment; provides clock rate; modem; converts data from router to acceptable format to cross the WAN

If back-to-back router scenario, one of the routers will be DCE and one DTE.



Configure a default route for the Cisco routerDefault route used when router does not

know where to send a packet. IP address of next-hop router

Or

port number

Configure a Cisco router to function as a DHCP server



Configure static NAT on a Cisco router to enable Internet access for an internal server



Back up and restore configuration files using a TFTP server



Capture and save configuration file output from a terminal session




Network Device ManagementCustomer Premise Equipment (CPE) – network devices

installed at customer location.Configuration checklists ensure that all configuration

requirements are met

Use inventory and configuration checklists and an installation plan to ensure successful installation



Types of customer connections over a WAN:Point-to-point: often called leased lines; typically

most expensive; price based on bandwidth & distance between 2 points

Circuit-switched – similar to a phone call made over a phone network; example is ISDN or dialup connection; physical circuit reserved from source to destination

Packet-switched – each customer has a virtual circuit; example is Frame Relay



Customer Connections over WANBandwidth and cost influence WAN choices



Connecting the CPE to the ISP Clock rate and serial encapsulation are needed when configuring

serial WAN connections– Clock rate is set by DCE– DTE accepts clock rate

Leased WAN connections use serial connection & require Channel Service Unit/Data Service Unit (CSU/DSU



Initial Cisco 2960 Switch Configuration Fixed-configuration, standalone devices – does not use modules or

flash card slots. Physical configuration can’t be changed. Layer 2 device that directs stream of message coming in from one

port, our of another based on destination MAC address.Configured using GUI or CLI



Cisco 2960 switchComes preconfiguredNeeds to be assigned basic security infoBasic commands (ex: hostname, passwords)

sames as ISR switch.Configure management IP addressOne virtual local area network, VLAN 1 is

preconfigured to provide access to management functions.




Network Device ManagementSwitch settings can be configured using

the Cisco IOS CLIAssign an IP address to the default

management virtual local area network, VLAN1

Check switch componentsConnect cables to the switchPower up the switch and observe POST



Connect the stand-alone LAN switch to the router and verify connectivity

Configure port security to prevent unauthorized use

Shut down unused ports



Switch port securityPort security limits the # of MAC addresses

allowed per port.Set port to access mode using switchport mode

access command3 ways to configure port security:Static – MAC addresses are manually assigned

using switchport port-security mac-address [mac-address] interface config command.

S1# configure terminalS1(config-if)#interface fastethernet 0/20 S1(config-if)#switchport mode access S1(config-if)#switchport port-security mac-address 1000.2000.3000 S1(config-if)#end



Dynamic MAC addresses are dynamically learned & stored in address table

# of addresses stored can be controlled; default is one address.

If port is shut down or switch is restarted, address learned are cleared from the table

S1# configure terminal S1(config-if)#interface fastethernet 0/20 S1(config-if)#switchport mode access S1(config-if)#switchport port-security S1(config-if)#end



Sticky – similar to dynamicAddresses learned are saved to the running-config

S1# configure terminal S1(config-if)#interface fastethernet 0/20 S1(config-if)#switchport mode access S1(config-if)#switchport port-security S1(config-if)#switchport port-security

maximum 50 S1(config-if)#switchport port-security

mac-address sticky S1(config-if)#end



Cisco Discovery Protocol (CDP) gathers information about directly-connected Cisco network devices

Two Cisco devices directly connected on the same local network are called neighbors



Describe the most common security threats and how they impact enterprises





Common Attacks

Describe the common mitigation techniques that enterprises use to protect themselves against threats



Explain the concept of the Network Security Wheel



Explain the goals of a comprehensive security policy in an organization



Explain why the security of routers and their configuration settings is vital to network operation



Describe the recommended approach to applying Cisco IOS security features on network routers



Lessons Learned:Cisco Device Management.Enterprise SecuritySome bonus Sheets and Tables



network device management

Technology

bootstrap image

rxboot image

lthe image

image location

rthe image

mthe image

zthe image

xthe image