CCNA Certification

CCNA, CCNP, CCIE Certification News

The 10 Cisco IOS Router file management commands you must know

Just like a Windows or Linux operating system, the Cisco IOS has its own list of commands to manipulate files, very similar to DOS/Windows commands. These files could be your IOS router operating system, configuration file, or other type of IOS file. Knowing these file commands is a critical requirement for any Cisco admin.

Let’s look at 10 Cisco IOS file management commands you must know.

#1 dir

This shows a directory list of files on a filesystem. To see the options, type dir ?

Router#dir ?

  /all             List all files
  /recursive       List files recursively
  all-filesystems  List files on all filesystems
  archive:         Directory or file name
  cns:             Directory or file name
  flash:           Directory or file name
  null:            Directory or file name
  nvram:           Directory or file name
  system:          Directory or file name
  tar:             Directory or file name
  tmpsys:          Directory or file name
  xmodem:          Directory or file name
  ymodem:          Directory or file name
  <cr>

Router#

You can think of each of these filesystems almost like disk drives in DOS, where you have to put a colon after the name. So, the nvram is called nvram:. By default, dir lists the router’s flash, because the default current directory is flash:

Router# dir
Directory of flash:/

    2  -rwx    18929780  Aug 29 2006 15:49:57 +00:00  c870-advipservicesk9-mz.124-15.T5.bin
    3  -rwx        2143  Aug 29 2006 16:42:14 +00:00  running-config

23482368 bytes total (4544512 bytes free)
Router#

Every router will have at least flash memory and nvram (non-volatile random access memory).

#2 cd

Change directory: Use cd to change your current directory to a different device or to a subdirectory on that device. In the following, when I change my directory to the nvram: filesystem and do a dir, I get a listing of nvram:. I could also cd to a subdirectory after I have created one with mkdir.

Router#cd nvram:
Router#dir
Directory of nvram:/

  126  -rw-        2143                    <no date>  startup-config
  127  ----           5                    <no date>  private-config
  128  -rw-        2143                    <no date>  underlying-config
    1  ----          49                    <no date>  persistent-data
    2  -rw-           0                    <no date>  ifIndex-table
131072 bytes total (116584 bytes free)
Router#

#3 copy

This is used to copy the IOS or a config file from and to somewhere. You would use this to copy the router’s configuration off the router to a TFTP server or just make a local backup of it on the router. You would also use the copy command to upgrade the router with a new IOS from a TFTP server.

Here, I am making a local backup of the router’s running configuration:

Router#copy running-config davids-backup-before-upgrade
Destination filename [davids-backup-before-upgrade]?
2181 bytes copied in 3.052 secs (715 bytes/sec)
Router#

#4 delete and rm

Very simply, you will use delete to delete files and rm to remove folders/directories. Here, I use delete to delete the backup of my config that I just created:

Router#delete davids-backup-before-upgrade
Delete filename [davids-backup-before-upgrade]?
Delete flash:/davids-backup-before-upgrade? [confirm]
Router#

#5 show flash

This is used to show the files in your flash. The command show flash is similar to dir flash: but it provides a little more information on the size and type of flash memory in your router.

Router#show flash
24576K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/
    2  -rwx    18929780  Aug 29 2006 15:49:57 +00:00  c870-advipservicesk9-mz.124-15.T5.bin
    3  -rwx        2181   Oct 4 2006 04:03:00 +00:00  mybackup-today
23482368 bytes total (4544512 bytes free)
Router#

#6 erase and format

It can be a bit confusing why you would erase one type of filesystem but format another. What you really need to know is that you format flash devices and erase nvram. There are other types of filesystems, and you may erase or format them, depending on their type. The erase command is most used when you want to wipe out the router’s configuration and start with a default configuration. This is done with erase startup-config.

Router# erase ?
  /all                       Erase all files(in NVRAM)
  /no-squeeze-reserve-space  Do not reserve space for squeeze operation
  flash:                     Filesystem to be erased
  nvram:                     Filesystem to be erased
  startup-config             Erase contents of configuration memory

Router# format ?
  flash:  Filesystem to be formatted

Router#

#7 more

This shows a text / configuration file. Let’s say that you want to view a backup configuration file that you created. Just use the more command to view it:

Router# more my-backup-config
!
version 12.4
parser config cache interface
parser config interface
{config truncated}

#8 verify

This is used to verify the checksum of a file or to compute an MD5 hash for it.

Router#verify flash:c870-advipservicesk9-mz.124-15.T5.bin
Verifying file integrity of flash:c870-advipservicesk9-mz.124-15.T5.bin.......{truncated}............ Done!
Embedded Hash   MD5 : CA8AEC573B197AEC6BD5892DE23C4754
Computed Hash   MD5 : CA8AEC573B197AEC6BD5892DE23C4754
CCO Hash        MD5 : 9D39672246853C0F31533B6BCB21DFE5
Embedded hash verification successful.
File system hash verification failed for file flash:c870-advipservicesk9-mz.124-15.T5.bin(No such file or directory).
Router#
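As an added example (not part of the original post), here is a small Python helper that parses the router’s verify output shown above and combines it with an off-router MD5 check of the image file you downloaded before copying it to flash. The published-hash value is a placeholder you would take from the Cisco download page, and treating the CCO hash line as that same published whole-file MD5 is an assumption.

```python
import hashlib
import re

# Constructed sample of `verify` output; the hash lines are the ones shown above.
VERIFY_OUTPUT = """\
Verifying file integrity of flash:c870-advipservicesk9-mz.124-15.T5.bin...... Done!
Embedded Hash   MD5 : CA8AEC573B197AEC6BD5892DE23C4754
Computed Hash   MD5 : CA8AEC573B197AEC6BD5892DE23C4754
CCO Hash        MD5 : 9D39672246853C0F31533B6BCB21DFE5
Embedded hash verification successful.
"""

# Placeholder for the MD5 listed on the Cisco download page for this image.
PUBLISHED_MD5_PLACEHOLDER = "9D39672246853C0F31533B6BCB21DFE5"

HASH_LINE = re.compile(
    r"^(Embedded|Computed|CCO) Hash\s+MD5\s*:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE
)


def parse_verify_output(text):
    """Extract the three MD5 values the router prints, keyed 'embedded', 'computed', 'cco'."""
    found = {m.group(1).lower(): m.group(2).lower() for m in HASH_LINE.finditer(text)}
    missing = {"embedded", "computed", "cco"} - set(found)
    if missing:
        raise ValueError("verify output lacks hash lines: %s" % sorted(missing))
    return found


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a local image file, read in chunks so a large IOS image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_image(verify_text, local_md5, published_md5):
    """Combine the on-router and off-router checks into one verdict per question."""
    hashes = parse_verify_output(verify_text)
    return {
        # The copy in flash still matches the hash Cisco embedded in the image.
        "flash_copy_intact": hashes["embedded"] == hashes["computed"],
        # The file we downloaded matches the hash published on the download page.
        "download_matches_published": local_md5.lower() == published_md5.lower(),
        # Assumption: the CCO hash line is that same published whole-file MD5.
        "router_cco_matches_published": hashes["cco"] == published_md5.lower(),
    }


if __name__ == "__main__":
    # Constructed stand-in for the downloaded image; a real run would call md5_of_file(path).
    local = md5_of_bytes(b"constructed image bytes")
    for name, ok in check_image(VERIFY_OUTPUT, local, PUBLISHED_MD5_PLACEHOLDER).items():
        print("%-30s %s" % (name, "OK" if ok else "MISMATCH"))
```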

#9 mkdir

Just like in DOS, you use mkdir to create a directory/folder. I would do this to perhaps create an archive folder for backup configurations or old IOS files.

Router# mkdir backup-configs
Create directory filename [backup-configs]?
Created dir flash:backup-configs
Router#

#10 fsck

FAT filesystem check is typically used to check your flash filesystem integrity. You may do this if you have experienced some corruption of your IOS files in flash.

Router# fsck
Fsck operation may take a while. Continue? [confirm]
.....{truncated}.......
Fsck of flash: complete
Router#

While there are so many reasons to use file system commands like these, if I had to select three of the most practical uses for some of the commands listed above, here is my list:

  1. Navigating the Cisco IOS filesystems — knowing what configuration files and what IOS files are on the router, perhaps before performing an upgrade.
  2. Backing up your configuration to the local router or off to a TFTP server, again, perhaps before a backup.
  3. Performing an upgrade of the Cisco IOS by copying the IOS from a TFTP server to the router.

It’s very important to understand IOS file management commands, what those commands are, and how you can use them in the real world. You don’t want to be stumbling to restore your IOS when the primary IOS is corrupt!


April 1, 2009 Posted by | BCMSN, CCNA, CCNP, CCSP, Tech, Technology

CCVP GETS A FACELIFT

With all the changes and advances in IP telephony, Cisco announced that it’s “enhancing” its Cisco Certified Voice Professional (CCVP) certification.

This certification requires five exams beyond the Cisco Certified Network Associate (CCNA) and focuses on integrating IP telephony solutions into underlying network architectures, as well as the ability to implement, configure and troubleshoot. Those who earn the certification are expected to know PSTN, VoIP, signaling protocols, voice gateways, gatekeepers and the Cisco Unified Border Element (CUBE).

Read the full article here.

March 27, 2008 Posted by | CCNA, CCNP, CCSP, Education, News, Tech, Technology

Securing Cisco Network Devices (642-551)

Cisco’s newest version of this exam for aspiring CCSPs requires a foundation of security knowledge with some hands-on experience.

A Cisco Certified Security Professional (CCSP) requires knowledge and hands-on experience with many Cisco network security technologies. Unlike most of the other exams required for CCSP certification, which are focused more on particular areas of security, the SND exam covers these from a high-level identification, implementation and configuration point-of-view. I’ll address some of the main areas to study for this new exam by mapping to the official exam objectives.

Much of the exam tested my general knowledge of how to identify, secure against and mitigate common network attacks, as well as technologies like IPSec, VPN, and authentication, authorization and accounting (AAA). There were, however, a few product-specific questions asking, for example, how to configure a Cisco PIX firewall and how to secure Cisco Layer 2 devices.

For the 90-minute exam period, I was given 62 questions, including two simulation questions. The passing score was 825 on a scale of 300 to 1,000 points. Like all the Cisco exams I’ve ever taken, you can’t move back through the question set or mark or review your answers like you can on most other certification exams. But I find Cisco exams easier overall, with many of the questions in the form of one or two lines with only one correct answer to choose from.

Although this exam does include simulation-based questions, they seem easier than those I’ve had on the new CCSP SNRS and retired CSPFA exams. The simulation questions present a company’s network scenario, topology and usually a partial configuration. You’re required to complete the remaining configuration by navigating the Cisco device command-line environment. The opening screen of the simulation-based exams warns you about spending too much time on any one simulation question; it recommends no more than 10 minutes each. Running short of time on this exam shouldn’t be an issue for most candidates, but you’ll need to pace yourself during the simulators.

Naturally, there are questions that pop up about the simulation problems: Is there partial credit? If you don’t save your configuration, will it be marked incorrect? I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or firewall; show the configuration; save; and verify my work. Many times the question-mark command is available and limited help is there if you need it. The simulation questions are generally more difficult than the more common multiple-choice questions. This exam also includes a number of pick-and-place type questions.

Exam Preparation
While there’s currently an official Cisco instructor-led SND course available, no exam-specific self-study guides have yet been published. On its Web site, Cisco usually includes a link to Cisco Press with recommended reading for each exam. For the SND exam, I found most everything I needed to learn in the Cisco Press book “Network Security Fundamentals” (ISBN 1578051672). Cisco Press also offers the CCSP Flash Cards and Exam Practice Pack, which can help you prepare for all five of the CCSP exams. I also highly recommend you read the free online chapter from “Cisco Access Control Security: AAA Administration Services.” Generally, for self-study I prefer Cisco Press’ books, but nothing made a better resource for the CCSP exams than the popular Sybex self-study guide written by Todd Lammle. (Note: This guide covers the CCSP’s previous series of exams.)

Exam Objectives
The main objectives of the SND exam are to identify Cisco security products, implement security, describe and configure IPS and HIPS, and deploy a PIX security appliance. Since a valid Cisco Certified Network Associate (CCNA) is a prerequisite, that’s where you should start to obtain the fundamental knowledge about how to configure and troubleshoot Cisco devices. The CCNA will also introduce you to the wonderful world of LANs, WANs, ACLs and many other fundamentals that are essential to your understanding before taking this exam.

The core topics of the SND exam include:

  • Describe the products in the Cisco security portfolio and explain how they mitigate security threats to a network.
  • Describe the security features available for a Cisco Layer 2 device in a secure network.
  • Implement security on a Cisco IOS Router.
  • Describe and configure Cisco IPS and HIPS.
  • Configure and verify basic remote access on a Cisco VPN 3000 Concentrator.
  • Implement a Cisco PIX security appliance.

Although I didn’t receive any specific questions on my exam regarding configuration and management of the Cisco VPN 3000, I’ll provide a link to information you should know.

Cisco’s Security Products
Cisco routers, switches and firewalls all include many technologies to secure them and today’s networks. Securing a network starts with a security policy — without it, it would be hard to follow the Cisco security wheel of secure, monitor, test and improve. Cisco routers can be used to secure the network to a point. And they also need to be secured.

Starting with access lists, where more specific checks should be at the top, packet filtering can be used to limit traffic to secure hosts and networks. The Cisco PIX firewall includes the adaptive security algorithm (ASA), which can inspect network traffic all the way up to Layer 7 (i.e., Application).

Tip: The reload command can be used to restart a Cisco router or firewall.

Ensuring proper time-of-day configuration using network time protocol (NTP) and external logging can be just as important. The commands for configuring logging are logging on and logging host.

Tip: CDP operates at Layer 2 and can be disabled on a device with the command no cdp run.

The PIX also supports Turbo ACLs just as Cisco routers 7200 and 7500 do. Configuring a Cisco router or firewall for SSH is another method of defense and security. The device acts as an SSH server.

Tip: Reflexive ACLs allow packets to be filtered based on upper-layer protocol session information.

Mitigating Security Threats
To identify security issues, threats to a network and how to deal with them, start with identifying targets, attackers and your security policy. Reconnaissance or fingerprinting is the technique of identifying targets through ping and port scans. Once an attacker identifies a target, he can then start such things as dictionary or brute force password attacks. As previously mentioned, securing device passwords is crucial! Securing data as it moves across the network is also important in secure environments. DES, 3DES, AES, MD5 and Diffie-Hellman are all acronyms and technologies you should be familiar with for this exam. The first three are encryption algorithms for message confidentiality; MD5 is a hashing algorithm for message integrity; and Diffie-Hellman is used for IPSec peer authentication.

Tip: DES uses a 56-bit key for encryption.

For more information on IPSec encryption, go here.

Tip: IPSec protects against replay attacks by detecting replayed packets.

Mitigating security threats to a network also includes fighting worms. The primary steps are:

  • Containment – limiting the spread of a worm infection to areas of the network that are already affected.
  • Inoculation – patching uninfected systems with the appropriate vendor patch for the vulnerability.
  • Quarantine – tracking down and identifying infected machines within the contained areas and disconnecting, blocking or removing them.
  • Treatment – the process of removing the worm from actively infected systems.

Security Features of Cisco Layer 2 Devices
Layer 2 security is implemented within the network’s switches. Here you can use port filtering and 802.1X authentication to prevent CAM table overflow and MAC address spoofing. You’ll most certainly want to read and study this Cisco SAFE white paper.

Tip: CAM table overflow can be mitigated with the command port security.

VLANs provide a robust method of security at Layer 2. Private virtual local area networks (PVLANs) are defined by two main types of ports:

  • Promiscuous – a port that can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated – a port that has complete Layer 2 separation from the other ports within the same PVLAN but not from the promiscuous ports.

PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

A host-based intrusion detection system (HIDS) can detect attacks occurring on a host. It works by intercepting OS and application calls, securing the OS and applications, validating incoming requests and analyzing log files in response to an attack. A network-based intrusion detection system (NIDS) is usually first at detecting an attack occurring at the network level and then either taking corrective action or notifying a management system where an administrator can take action. Attacks are discovered by looking for their signatures in traffic flows in the network.

Tip: A DoS attack can occur at a network device, host or the entire network.

Securing Cisco IOS Routers
Securing Cisco routers can be done by choosing secure passwords and ensuring they are encrypted. The IOS command service password-encryption will make this happen. You can also configure the router for password length with the command security passwords min-length.

Configuring Cisco IPS and HIPS
Intrusion prevention system (IPS) is the latest in the Cisco arsenal for detecting and reacting to network and device-based attacks. Similar to an IDS, IPS uses the attack signature database to send alarms, drop packets or reset the connection when an active attack is detected. For more information on IDS and IPS, study SAFE document “IDS Deployment, Tuning, and Logging in Depth.”

You may be required to configure a Cisco router for AAA on the exam. Be sure and review the guide “Configuring Basic AAA on an Access Server,” paying particular attention to the commands for TACACS servers.

Tip: The command aaa new-model enables AAA on a Cisco device and erases all previous AAA configuration.

Cisco VPN 3000 Concentrator
The two basic types of VPN services are access VPNs and site-to-site VPNs. Their three main applications are remote access, intranet and extranet connectivity. The basics of configuring these using the Cisco VPN 3000 concentrator could be covered in your exam. I recommend you read and understand this Getting Started guide.

Firewalls come in a variety of configurations and implementations. Packet-filtering firewalls limit the information transmitted into a network based on static packet-header information (routers with access-control lists). Proxy server firewalls control the connections between a client on the inside network and the Internet. Finally, stateful packet filtering firewalls combine the best of both worlds.

Cisco PIX Firewall
The Cisco PIX provides command-line modes, starting with an unprivileged mode, referred to as the user mode, which is available when you first access the PIX through a console or telnet session. After typing enable and the correct password, you enter privileged mode. From here you can issue most write, show and even copy commands. You must enter configuration mode with configure terminal to perform any device configuration.

Tip: The PIX command write memory saves all configurations.

There are six basic commands to configure a PIX:

  • nameif
  • interface
  • ip address
  • nat
  • global
  • route

The nameif command is used to assign the names inside, outside, dmz and so on to the physical ports of the PIX. It’s also used to assign interface ASA security levels. For example, nameif ethernet2 dmz sec50 assigns a name of dmz and security level of 50 to the third physical interface in the PIX. Interface numbering starts with E0 security level 0, which is the default for the outside interface, and E1 security level 100 for the inside.

Tip: Network traffic cannot flow by default from a lower-level security interface to a higher level.

The interface command identifies hardware, sets the speed, and administratively enables an interface. For example, interface e0 100full enables the outside interface and configures it for 100Mbps, full duplex.

The ip address command assigns an address to a specified interface. For example, ip address dmz 172.16.0.1 255.255.255.0.

The PIX Firewall Management Console centralizes the management of multiple PIX firewalls. And the PIX can be configured to use both RADIUS and TACACS servers for AAA. Finally, the PIX firewall switching module (FWSM) can be installed in Cisco Catalyst 6500 or 7200 switches for greater throughput.

Perimeter Secured
Well, that’s that. If you’re confident in your knowledge of Cisco’s portfolio of security products and their related technologies, you should be good to go. Next month, I’ll review the new CCSP exam 642-511 Cisco Secure Virtual Private Networks (CSVPN). Good luck!

January 18, 2006 Posted by | CCSP