7/30/2019 WAN CH 4 Security
1/88
CCNA4-1 Chapter 4-1
Chapter 4
Network Security
Introducing Network Security
Increasing Threat to Security: Over the years, attack tools have evolved.
Common Terms:
White Hat:
An individual who looks for vulnerabilities in systems and reports
these so that they can be fixed.
Black Hat:
An individual who uses their knowledge to break into systems that
they are not authorized to use.
Hacker:
A general term that has historically been used to describe a computer-programming expert.
Common Terms: Network Security
Cracker:
Someone who tries to gain unauthorized access to network resources
with malicious intent.
Phreaker:
An individual who manipulates the phone network, through a payphone, to make
free long-distance calls.
Spammer:
An individual who sends large quantities of unsolicited e-mail messages.
Phisher: Uses e-mail or other means to trick others into providing information.
Types of Computer Crime:
Most commonly reported acts of computer crime fall into four general categories, or a combination thereof, that effective and vigilant security
management can address.
Insider Abuse
Denial of Service
System Penetration
Password sniffing
Open versus Closed Networks:
The challenge is to find the correct balance.
Networks must be accessible to be of any use.
Networks must be secure to protect corporate and personal information.
FIRST STEP: Developing a Security Policy
A Security Policy meets these goals:
1. Informs users, staff, and managers of their requirements for protecting
information assets.
Addresses both acceptable and unacceptable use.
2. Specifies the mechanisms through which these requirements can be
met.
Managing security violations.
3. Provides a baseline to acquire, configure, and audit computer systems
for compliance.
Basis for legal action.
The Enterprise Security Policy
A living document: The document is never finished and is continuously updated as
technology and employee requirements change.
Essential Functions:
Protects people and information.
Sets the rules for expected behavior by users, system administrators,
management, and security personnel.
Authorizes security personnel to monitor, probe, and investigate.
Defines and authorizes the consequences of violations.
The Enterprise Security Policy
Attributes:
1. Provides a means to audit existing network security and compare the
requirements to what is in place.
2. Plan security improvements, including equipment, software, and
procedures.
3. Defines the roles and responsibilities of the company executives,
administrators, and users.
4. Defines which behavior is and is not allowed.
5. Defines a process for handling network security incidents.
6. Enables global security implementation and enforcement by acting as a standard between sites.
7. Creates a basis for legal action if necessary.
Common Security Threats
Three common factors - Network Security:
Vulnerability: The degree of weakness which is inherent in every network
and device.
Routers, switches, desktops, and servers.
Threats: The people interested in taking advantage of each security
weakness.
Attack: Variety of tools and programs to launch attacks against networks.
Three Primary Vulnerabilities:
1. Technological weaknesses. Computer and network technologies have intrinsic security
weaknesses.
2. Configuration weaknesses. Network administrators need to learn what their network
configuration weaknesses are and correctly configure their computing and network devices to
compensate.
Physical Threats - Four classes:
1. Hardware Threat:
Physical damage to servers, routers, switches, cabling plant, and
workstations.
Security Measures:
Lock up equipment and prevent unauthorized access.
Monitor wiring closet access with electronic logs.
Security cameras.
Threats to Physical Infrastructure
2. Environmental Threat: Temperature or humidity extremes.
Security Measures:
Temperature control. Humidity control.
Positive air flow.
Remote environment alarms.
3. Electrical Threat: Voltage spikes, insufficient voltage (brownouts), unconditioned power
(noise), and total power loss.
Security Measures:
UPS systems
Generators
Preventive maintenance
Redundant power supply
Remote alarms
4. Maintenance: Poor handling of key electrical components, lack of critical spare
parts, poor cabling, and poor labeling.
Security Measures:
Neat cable runs
Label the cables
Electrostatic discharge procedures
Stock critical spares
Control console port access
Threats to Networks
Network Threats:
Inexperienced individuals with easily available hacking tools.
Groups or individuals that are highly motivated and technically competent.
Individuals or groups outside the company.
Individuals with authorized access or physical access to the network.
Social Engineering
The easiest hack involves no computer skill. If an intruder can trick a member of an organization into giving over
information, such as the location of files or passwords, the process of hacking is made much easier.
Phishing: A type of social engineering attack that involves using e-mail in an attempt to trick others into
providing sensitive information, such as credit card numbers or passwords.
Phishing can be prevented by educating users and implementing reporting guidelines for when they receive suspicious e-mail.
Types of Network Attacks
Four primary classes of attacks:
Reconnaissance
Access
Denial of Service
Malicious Code
Reconnaissance:
Reconnaissance - the unauthorized discovery and mapping of systems, services, or vulnerabilities.
In most cases, this precedes another type of attack.
Can consist of:
1. Internet Information Queries
2. Ping Sweeps
3. Port Scans
4. Packet Sniffers
System Access
System access - the ability of an intruder to gain access to a device for which the intruder does not have an account or a password.
Usually involves running a hack, script, or tool that exploits a known
vulnerability of the system or application being attacked.
Denial of Service:
Denial of Service (DoS) - when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users.
DoS attacks involve either crashing the system or slowing it down to the
point that it is unusable.
DoS -- MOST FEARED!
Worms, Viruses and Trojan Horses:
Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or
services.
Internet Queries:
External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a
given corporation or entity.
Ping Sweeps:
After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active.
To help automate this step, an attacker may use a ping sweep tool, such
as fping or gping.
Port Scans:
After identifying the active IP addresses, the intruder uses a port scanner to determine which network services or ports are
active on the live IP addresses.
A port scanner is software, such as Nmap or Superscan, that is
designed to search a network host for open ports.
Packet Sniffers:
Internal attackers may attempt to "eavesdrop" on network traffic.
Wireshark can be used for this.
Two common uses of eavesdropping are:
1. Information Gathering
2. Information Theft
A common method for eavesdropping is to capture TCP/IP or other protocol packets and decode the contents.
Methods for counteracting eavesdropping are:
1. Using switched networks instead of hubs so that traffic is not broadcast to
all endpoints or network hosts.
2. Using encryption that meets the data security needs without imposing an
excessive burden on system resources or users.
3. Forbid the use of protocols with known susceptibility to eavesdropping
(e.g., SNMP versions prior to v3 vs. SNMPv3).
Types of Network Attacks
Access Attacks:
Access attacks exploit vulnerabilities in authentication, FTP, and web services
to gain entry to accounts and to confidential and sensitive information.
The more common are:
Password Attacks
Trust Exploitation
Port Redirection
Man-in-the-Middle
General Mitigation Techniques
Device Hardening:
1. Default usernames and passwords should be changed.
2. Access to system resources should be restricted to only the
individuals that are authorized.
3. Any unnecessary services should be turned off.
Antivirus Software
Personal Firewalls
OS Patches
General Mitigation Techniques
A Firewall by itself is no longer adequate for securing a network.
An Integrated Approach with a firewall, intrusion prevention, and VPN.
Follows these building blocks:
1. Threat Control: Regulates network access, prevents intrusions, by
counteracting malicious traffic.
2. Secure Communications: Secures network endpoints with a VPN.
3. Network Admission Control (NAC): Provides a roles-based method of
preventing unauthorized access.
The Network Security Wheel
The Role of Routers in Network Security:
Router security is a critical element in any security deployment because routers are definite targets for network attackers.
Roles of the Router in Network Security:
1. Advertise networks and filter who can use them.
2. Provide access to network segments and subnetworks.
Router Security Issues
1. Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components.
2. Compromising the route tables can reduce performance, deny network
communication services, and expose sensitive data.
3. Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid
detection.
Router Security Issues
Securing routers at the network perimeter is an important first step in securing the network.
Router Security Issues
Physical: Locate the router in a locked room that is accessible only to authorized personnel.
Install a UPS.
Updating the Router IOS:
The latest version of an operating system may not be the most stable
version available.
Use the latest, stable release that meets the feature requirements of
your network.
Router Security Issues
Configuration and IOS: Keep a secure copy of the router IOS and router configuration file on a TFTP server for backup purposes.
Unused Services: A router has many services enabled by default.
Harden your router configuration by disabling unnecessary services and
unused ports.
Applying Cisco IOS Security Features
Steps to safeguard a router:
Step 1: Configuring passwords
A strong password is the most fundamental element in controlling secure access to a router.
Follow accepted password practices.
Don't write it down.
Avoid dictionary words.
Combine letters, numbers and symbols.
Make the password lengthy.
Change passwords frequently.
The command no password on vty lines prevents any login.
Step 1: Configuring passwords
By default, Cisco IOS software leaves passwords in plain text
when they are entered on a router.
service password-encryption
enable secret 2ManY-routEs
security passwords min-length 10
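The following is an added example, not taken from the slides, showing the three commands above applied together with console-line protection. The hostname R1, the passwords and the timeout values are assumed; the login block-for command is a related Cisco IOS login-protection feature that the slide does not list.

```cisco
! Added example: password hardening on a Cisco IOS router (hostname R1 assumed)
R1# configure terminal
! Privileged EXEC password stored as a hash (enable secret), never as a plain "enable password"
R1(config)# enable secret 2ManY-routEs
! Refuse any new password shorter than 10 characters
R1(config)# security passwords min-length 10
! Obscure the remaining plain-text line passwords in the running configuration
R1(config)# service password-encryption
! Console line: require a password and close idle sessions after 5 minutes 0 seconds
R1(config)# line console 0
R1(config-line)# password Cons0le-Acc3ss
R1(config-line)# login
R1(config-line)# exec-timeout 5 0
R1(config-line)# exit
! Slow down password guessing: after 3 failures within 60 s, refuse logins for 120 s
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# end
R1# copy running-config startup-config
```

Note the difference between the two protections: enable secret stores a one-way hash, while service password-encryption only applies Cisco's reversible type 7 encoding to line passwords, so it hides them from a casual reader of show running-config but does not make a leaked configuration safe.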
Step 2: Secure Remote Administrative Access
Local access through the console port is the preferred way for an administrator to connect to a device to manage it because it is secure.
Remote administrative access is more convenient than local access.
Using Telnet can be very insecure because all network traffic is in plain text.
An attacker could capture network traffic and sniff the administrator passwords or router configuration.
Step 2: Secure Remote Administrative Access
Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a
computer.
1. Establish a dedicated management network.
2. Secure the administrative lines.
3. Encrypt all traffic between the administrator's computer and the router.
Step 2: Secure Remote Administrative Access
1. Logins may be prevented on any line by configuring the router with the login and no password commands.
2. VTY lines should be configured to accept connections only with the protocols actually needed.
transport input telnet (Telnet only)
transport input telnet ssh (Telnet or SSH)
3. Implement Access Control Lists (ACLs).
4. Configure VTY timeouts using the exec-timeout command.
Configuring SSH Security
To enable SSH, the following parameters must be configured:
Hostname
Domain Name
Asymmetrical Keys
Local Authentication
Step 1: Hostname:
Step 2: Domain Name: Required for SSH.
Step 3: Generate the RSA key:
This step creates an asymmetrical key that the router uses to encrypt the SSH management traffic.
Cisco recommends a modulus length of 1024. A longer length generates a more secure key but adds some latency.
Step 4: Configure local authentication and vty: You must define a local user.
Use the login local command to search the local database and assign ssh to the vty lines.
This makes SSH the only method. NO TELNET.
Step 5: Configure SSH timeouts:
Not absolutely necessary for SSH but probably a good idea.
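The following is an added example, not from the slides, that carries Step 2 (secure remote access) and SSH Steps 1-5 through in one configuration. The hostname R1, the domain example.com, the user admin, the management subnet 10.0.0.0/24 and ACL number 10 are assumed values.

```cisco
! Added example: SSH-only remote administration on a Cisco IOS router
! Assumed values: hostname R1, domain example.com, user "admin", management subnet 10.0.0.0/24
Router# configure terminal
! SSH Steps 1-2: hostname and domain name must both exist before an RSA key can be generated
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! SSH Step 3: RSA key pair used by the SSH server (1024-bit modulus as the slide recommends)
R1(config)# crypto key generate rsa general-keys modulus 1024
! SSH Step 4: local user database, consulted by "login local" on the vty lines
R1(config)# username admin privilege 15 secret Adm1n-Str0ng-Pw
! SSH Step 5: SSH version 2 only, 60 s to complete a login, at most 2 password attempts
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! Step 2 ACL: only the management subnet may open a vty session; rejected attempts are logged
R1(config)# access-list 10 permit 10.0.0.0 0.0.0.255
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# login local
! SSH only: Telnet is not accepted on these lines
R1(config-line)# transport input ssh
! Idle sessions are closed after 5 minutes
R1(config-line)# exec-timeout 5 0
R1(config-line)# end
! Verify that the SSH server is enabled and which version and timers are in effect
R1# show ip ssh
```

The access-class line is what turns the slide's "dedicated management network" into an enforced rule: even with a valid username, a connection from outside 10.0.0.0/24 is refused before a login prompt is offered.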
Test SSH Security
To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm.
Choose the SSH option and use TCP port 22.
Step 3: Log Router Activity
Logs allow you to verify that the router is working properly. Routers support 8 levels of logging.
The most important thing to remember about logging is that logs
must be reviewed regularly.
0: Emergencies
1: Alerts
2: Critical
3: Errors
4: Warnings
5: Notification
6: Informational
7: Debugging
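The following is an added example, not from the slides, showing how the eight severity levels above are used when logging is configured: the level named in a logging command selects that level and every level numerically below it. The syslog server address 10.0.0.50 and the buffer size are assumed values.

```cisco
! Added example: router logging to a syslog server (assumed collector address 10.0.0.50)
R1# configure terminal
! Timestamp every message so a review can order events across devices (NTP keeps the clock right)
R1(config)# service timestamps log datetime msec
R1(config)# logging host 10.0.0.50
! Send level 6 (informational) and everything more severe, i.e. levels 0-6, to the collector
R1(config)# logging trap informational
! Keep a local copy in RAM as well, in case the collector is unreachable when something happens
R1(config)# logging buffered 16384 informational
! Do not flood the console: only warnings (4) and more severe (0-3) are printed there
R1(config)# logging console warnings
! Record both successful and failed logins so access can be reviewed
R1(config)# login on-success log
R1(config)# login on-failure log
R1(config)# end
! Verify the configured levels and read the local buffer
R1# show logging
```

Debugging (level 7) is deliberately left out of the trap and buffer settings; debug output belongs to a troubleshooting session, not to the permanent record, and forwarding it can overwhelm both the router and the collector.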
Step 4: Securing Router Network Services
Cisco routers support network services at Layers 2, 3, 4, and 7. Some of them are Application Layer protocols.
Others are automatic processes and settings intended to support legacy configurations that pose security risks.
Some of these services can be restricted or disabled to improve security without degrading the operational use of the router.
Most of the services listed in this section are usually not required.
Manage Router Security
Step 4: Securing Router Network Services
Turning off a service on the router itself does not mean that the service or protocol cannot be used on the network.
For example:
TFTP (Trivial File Transfer Protocol)
DHCP (Dynamic Host Configuration Protocol)
Turning off an automatic network feature usually prevents a
certain type of network traffic.
For example:
IP Source Routing is rarely used but can be used in
network attacks.
SNMP (Simple Network Management Protocol):
1. SNMP is the standard Internet protocol for automated remote monitoring and administration.
2. Versions of SNMP prior to Version 3 shuttle information in clear text.
NTP (Network Time Protocol):
Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate.
Network administrators should configure all routers as part of an NTP hierarchy.
One router is the master timer and provides its time to other routers on the network.
If an NTP hierarchy is not available on the network, you should disable NTP.
DNS (Domain Name System):
Cisco IOS software supports looking up hostnames with the Domain
Name System (DNS).
The basic DNS protocol offers no authentication or integrity assurance.
By default, name queries are sent to broadcast address 255.255.255.255.
1. Explicitly set the name server addresses using the global configuration command ip name-server addresses,
OR
2. Turn off DNS name resolution with the no ip domain-lookup command.
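The following is an added example, not from the slides, that applies the Step 4 guidance on SNMP, NTP, DNS and IP source routing to one branch router; the SNMP part is also the concrete form of the earlier packet-sniffer countermeasure "forbid protocols susceptible to eavesdropping (SNMP vs. SNMPv3)". The hostname R2, the NTP master 10.0.0.1, the name server 10.0.0.53, the SNMPv3 group and user names and the passphrases are assumed values.

```cisco
! Added example: Step 4 service hardening on a branch router (hostname R2 assumed)
R2# configure terminal
! --- SNMP: a pre-v3 community string travels in clear text and is readable by a sniffer; remove it ...
R2(config)# no snmp-server community public RO
! ... and replace it with SNMPv3 "priv" (authentication plus encryption of every message)
R2(config)# snmp-server group NMS-GROUP v3 priv
R2(config)# snmp-server user nms-poller NMS-GROUP v3 auth sha Auth-Pa55phrase priv aes 128 Priv-Pa55phrase
! --- NTP: join the hierarchy by synchronizing to the assumed master router at 10.0.0.1
R2(config)# ntp server 10.0.0.1
! (on the master router itself the corresponding command is: ntp master)
! --- DNS: send queries to a known server instead of the 255.255.255.255 broadcast default ...
R2(config)# ip name-server 10.0.0.53
! ... or, on a router that never needs name resolution, switch lookups off entirely:
! R2(config)# no ip domain-lookup
! --- Automatic feature that is rarely needed but usable in attacks: drop source-routed packets
R2(config)# no ip source-route
R2(config)# end
! Verify the result
R2# show snmp user
R2# show ntp status
```

The two DNS choices are alternatives, which is why the second is shown commented out: a router that does name lookups should point at an explicit server, and one that does not should have lookups disabled so that a mistyped command is not broadcast as a query.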
Step 5: Securing Routing Protocols
Routing systems can be attacked in 2 ways:
Disruption of peers:
It is the less critical of the two attacks because routing protocols heal
themselves.
Falsification of routing information:
Falsified routing information may generally be used to cause systems to
misinform (lie to) each other, cause a DoS, or cause traffic to follow a
path it would not normally follow.
RIPv2, EIGRP, OSPF, IS-IS, and BGP all support various forms of MD5
authentication.
1. Prevent RIP updates from being propagated out ports where there is no other
router, using the passive-interface command.
2. Prevent unauthorized reception of RIP updates by implementing MD5
authentication with a specific key.
3. Verify RIP routing.
While the commands are different, the same basic process is used for other
protocols.
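The following is an added example, not from the slides, that carries the three RIP steps above through on one router. The hostname R1, the interface names (FastEthernet0/0 toward the LAN, Serial0/0/0 toward the neighbouring router R2), the networks, the key-chain name and the key string are assumed values.

```cisco
! Added example: Step 5 applied to RIPv2 (assumed: R1 LAN on Fa0/0, WAN link to R2 on S0/0/0)
R1# configure terminal
! 1. Do not send RIP updates out the LAN interface, where no other router is listening
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# passive-interface FastEthernet0/0
R1(config-router)# network 10.0.0.0
R1(config-router)# network 192.168.1.0
R1(config-router)# exit
! 2. Key chain shared with R2; the key string itself never crosses the wire, only an MD5 digest does
R1(config)# key chain RIP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string R1pS3cr3t-K3y
R1(config-keychain-key)# exit
R1(config-keychain)# exit
! Require MD5-authenticated updates on the link to R2; unauthenticated updates are discarded
R1(config)# interface Serial0/0/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# ip rip authentication key-chain RIP-KEYS
R1(config-if)# end
! 3. Verify: the neighbour still appears and RIP-learned routes are present
R1# show ip protocols
R1# show ip route rip
! R2 needs the same key chain (same key number and key string) and the same two interface commands
```

If the key number or key string differs between the two routers, the routes learned from the neighbour disappear after the next update interval; that is the expected failure mode and the first thing to check when show ip route rip comes back empty after enabling authentication.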
Locking Down Your Router With Cisco Auto Secure:
Cisco AutoSecure uses a single command to disable non-essential system
processes and services.
Configure it in privileged EXEC mode using the auto secure command in
one of these two modes:
Interactive mode:
This mode prompts you with options to enable and disable
services and other security features. (default)
Non-interactive mode: Automatically executes the auto secure command with the
recommended Cisco default settings.
Using Cisco SDM (CCNA test questions)
Cisco SDM Overview:
The Cisco Security Device Manager (SDM) is a web-based device management tool designed for configuring LAN, WAN, and security
features on Cisco IOS software-based routers.
It provides:
Easy-to-use smart wizards.
Automates router security management.
Assists through comprehensive online help.
SDM files can be installed on the router, the PC, or both.
An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the
network.
Cisco Configuration Professional (CCP): Replacing SDM
Cisco Configuration Professional is a GUI-based device management tool for Cisco access
routers.
It simplifies router, firewall, IPS, VPN, unified communications, WAN, LAN and basic
wireless configuration through easy-to-use wizards.
CCP is a valuable productivity-enhancing tool for network administrators and channel
partners for deploying routers in medium-sized businesses and enterprise branch offices
with increased confidence and ease.
CCP has configuration checks built into the application thereby reducing errors.
The new device manager for Cisco integrated services routers, CCP will replace Cisco
Router and Security Device Manager (SDM) over time.
Like SDM, Cisco Configuration Professional assumes a general understanding of
networking technologies and terms but assists individuals unfamiliar with the Cisco CLI.
http://www.cisco.com/go/ciscocp
Maintaining Cisco IOS Software Images
There are certain guidelines that you must follow when changing the Cisco
IOS software on a router.
Updates:
A free update replaces one release with another without upgrading
the feature set. (Bug fixes)
Upgrades:
An upgrade replaces a release with one that has an upgraded
feature set or new technologies.
Upgrades are not free.
It may not be a good idea to upgrade to the latest version of IOS software.
Many times that release is not stable.
It may include new features or technologies that are not needed in your
enterprise.
Cisco recommends a four-phase migration process.
1. Plan:
Set goals, identify resources, profile network hardware and software,
and create a schedule for migrating to new releases.
2. Design: Choose new Cisco IOS releases.
3. Implement:
Schedule and execute the migration.
4. Operate: Monitor the migration progress and make backup copies of images
that are running on your network.
Tools available on Cisco.com to aid in migrating Cisco IOS software.
Some tools do not require a Cisco.com login:
Cisco IOS Reference Guide.
Cisco IOS software technical documents.
Cisco Feature Navigator
Some tools require valid Cisco.com login accounts:
Download Software.
Bug Toolkit.
Software Advisor.
Cisco IOS Upgrade Planner.
http://www.cisco.com/en/US/support/tsd_most_requested_tools.html
Managing Cisco IOS Images
Cisco IOS File Systems and Devices: Integrated File System (IFS)
The directories available depend on the platform
The show file systems command lists all file systems.
It provides information such as the amount of available and free memory,
type of file system and its permissions.
Permissions include read only (ro), write only (wo), and read and write
(rw).
Cisco IOS File Systems and Devices (legend for the show file systems output):
* = current default file system
# = bootable disk with the current IOS file
URL Prefixes for Cisco Devices:
The copy command is used to move files from one device to another, such as RAM, NVRAM, or a TFTP server.
R2#copy run start
R2#copy system:running-config nvram:startup-config
R2#copy run tftp:
R2#copy system:running-config tftp:
R2#copy tftp: start
R2#copy tftp: nvram:startup-config
Cisco IOS File Naming Conventions: The IOS image file is based on a special naming convention that
contains multiple parts, each with a specific meaning.
TFTP Managed Cisco IOS Images
For any network, it is always prudent to retain a backup copy of the IOS
image in case the image in the router becomes corrupted or accidentally
erased.
Using a network TFTP server allows image and configuration uploads and downloads over the network.
The TFTP server can be another router or a workstation.
Before changing the Cisco IOS image, complete these tasks:
1. Determine the memory required for the update.
2. Set up and test the file transfer capability.
3. Schedule the required downtime.
When you are ready to do the update:
1. Shut down all interfaces not needed to perform the update.
2. Back up the current operating system AND the current configuration file
to a TFTP server.
3. Load the update for either the operating system or the configuration file.
4. Test to confirm that the update works properly.
Steps to copy flash to a TFTP server:
1. Ping the TFTP server to make sure you have access to it.
2. Verify that the TFTP server has sufficient disk space.
3. Use the show flash: command to determine the name of the files.
4. Copy the file(s) from the router to the TFTP server using the copy flash: tftp: command.
Each file requires a separate command.
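The following is an added example, not from the slides, of the four steps above as one console session, including the prompts the copy command asks to be answered. The TFTP server address 10.0.0.50 and the image file name are constructed values; the real name must be read from show flash: and typed exactly.

```cisco
! Added example: backing up the IOS image from flash to a TFTP server (assumed address 10.0.0.50)
! 1. Confirm the TFTP server is reachable before touching anything
R1# ping 10.0.0.50
! 2. On the server, confirm free disk space of at least the file size reported by show flash:
! 3. Find the exact image file name; it must be entered verbatim in step 4
R1# show flash:
! 4. Copy the image; the router prompts for the source file, the server and a destination name
!    (file name below is a constructed example, not a real release)
R1# copy flash: tftp:
Source filename []? c1841-ipbase-mz.124-15.T1.bin
Address or name of remote host []? 10.0.0.50
Destination filename [c1841-ipbase-mz.124-15.T1.bin]?
! The update procedure also calls for the configuration to be backed up; that is a separate copy
R1# copy running-config tftp:
Address or name of remote host []? 10.0.0.50
Destination filename [r1-confg]? r1-backup.cfg
```

TFTP carries the image and the configuration in clear text with no authentication, which is the same exposure the packet-sniffer slides describe; run the server only on the management network and remove the files from it once they have been copied to protected storage.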
Upgrading a system to a newer software version requires a different
system image file to be loaded on the router.
Recovering IOS Software Images
When an IOS on a router is accidentally deleted from flash, the router is still operational because the IOS is running in RAM.
It is crucial that the router is not rebooted as a production device, since it would not be able to find a valid IOS in flash.
When the router is rebooted and can no longer load an IOS, it loads in ROMmon mode by default.
prompt = rommon >
Using tftpdnld:
1. Connect a PC to the console port.
2. Connect the first Ethernet port on the router to the TFTP server with a cross-over cable.
3. Configure the TFTP server with a static IP address.
4. Boot the router and set the ROMmon variables.
5. Enter the tftpdnld command.
The ROMmon variable names are case sensitive.
Either power cycle the router or use the reset command.
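The following is an added example, not from the slides, of steps 4 and 5 of the tftpdnld procedure as typed at the ROMmon prompt. The router address 192.168.10.2/24, the TFTP server 192.168.10.1 and the image file name are constructed values.

```cisco
! Added example: recovering an IOS image with tftpdnld from ROMmon
! Assumed: router Ethernet port 192.168.10.2/24, TFTP server 192.168.10.1, constructed image name
! Variable names are case sensitive and must be typed exactly as shown (no spaces around "=")
rommon 1 > IP_ADDRESS=192.168.10.2
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.10.1
rommon 4 > TFTP_SERVER=192.168.10.1
rommon 5 > TFTP_FILE=c1841-ipbase-mz.124-15.T1.bin
! Display every variable and check for typos before starting the transfer
rommon 6 > set
! Download the image into flash; tftpdnld erases flash first and asks for confirmation before it does
rommon 7 > tftpdnld
! When the copy has completed, boot the recovered image
rommon 8 > reset
```

Because tftpdnld wipes flash before writing, a typo in TFTP_FILE discovered after confirming the prompt leaves the router with no image at all; checking the set output first is the step that prevents that.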
Using xmodem:
Connect a PC to the console port.
Boot the router and issue the xmodem command.
Load a terminal emulation program (HyperTerminal) that supports the Xmodem protocol.
Once the transfer has finished, reboot the router.
Troubleshooting Cisco IOS Configurations
Cisco IOS troubleshooting commands:
show: displays configured parameters and their values.
debug: traces the execution of a process.
By default, the router sends the output from debug commands to the console, but it can be redirected to a logging server.
Router Password Recovery
Recovering a password makes use of the router's configuration register.
This register is like the BIOS on a PC.
When a router boots, it will check the register and boot in the manner
specified by the value in the register.
For this course, we will only concern ourselves with two register values.
0x2102: the default register value.
0x2142: instructs the router to bypass any startup configuration.
Router Password Recovery Basic Steps:
1. Connect to the router console port.
2. Issue the show version command to obtain the current registry value.
1. Power cycle the router and press the Break key within 60 seconds.
This puts the router in ROMmon mode.
2. Type confreg 0x2142 at the rommon 1 > prompt to specify bypassing the startup configuration.
3. Type reset or power cycle the router.
4. Bypass any default startup questions and type enable.
5. Copy the startup configuration to the running configuration:
copy start run (reverse of what we normally do)
6. Change the password(s) to what you want them to be (enable secret,
Console or VTY)
7. Change the configuration register back to the default using the
following command:
Router(config)#config-register 0x2102
8. Copy the running configuration to the startup configuration and reload or
power cycle the router.
copy run start (what we normally do)
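The following is an added example, not from the slides, of the whole recovery sequence above as typed at the console, with one step the slides do not mention: after copy start run the interfaces come up administratively down and must be re-enabled. The hostname R1, the new enable secret and the interface name FastEthernet0/0 are assumed values.

```cisco
! Added example: router password recovery from the console port, start to finish
! Assumed values: hostname R1 (restored from startup-config), new secret, interface FastEthernet0/0
! Power cycle the router and send Break within 60 seconds; the router drops to ROMmon
rommon 1 > confreg 0x2142
rommon 2 > reset
! The router boots without its startup configuration; answer "no" to the setup dialog
Router> enable
! Restore the saved configuration into RAM (the reverse of the usual direction)
Router# copy startup-config running-config
R1# configure terminal
! Set the new privileged EXEC secret (repeat for console/vty passwords as needed)
R1(config)# enable secret N3w-Secr3t-Pw
! The merged configuration leaves interfaces shut down; re-enable every interface in use
R1(config)# interface FastEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! Return the register to its default so the next boot reads startup-config again
R1(config)# config-register 0x2102
R1(config)# end
! Verify: show version reports the current register and the value that applies at next reload
R1# show version
! Save the repaired configuration, then reload to confirm the router boots normally with it
R1# copy running-config startup-config
R1# reload
```

Two checks close the procedure: show version must report that 0x2102 takes effect at the next reload (leaving 0x2142 in place would make the router ignore its saved configuration every boot), and the reload itself confirms that the new secret and the re-enabled interfaces survived the save.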