
OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4...

Date post: 22-Jun-2020
Page 1: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Contents

• OSI Model
• Protocol Numbers
• Port Numbers
• Repeater
• Hub
• L2 Switch
• L3 Switch
• Router
• Differences Between Switching Modes
• VLAN
• Management VLAN
• DTP
• VTP
• Etherchannel
• STP
• FHRP
• RIP v1 & v2
• EIGRP
• OSPF
• BGP
• The Routing Table
• Classful vs. Classless Routing
• Static vs. Dynamic Routing
• Route Filtering and Route-Maps
• IPv4 Protocol Numbers
• ACL
• NAT
• DHCP
• DNS
• FTP
• SMTP
• Syslog
• HTTP
• Telnet
• SSH
• Ping Process
• Trace route Process
• Router Password Recovery
• Switch Password Recovery
• TCP
• UDP
• ASA
• Checkpoint
• Palo Alto
• F5 (245)

Page 4: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Layer 7 – Application layer
• This is the closest layer to the end user.
• It provides the interface between the user application and the network.
• Web browsers – IE, Firefox or Opera – do not belong to the Application layer.
• The protocols reside in the Application layer.
• Telnet, FTP, HTTP and SMTP are examples of Application layer protocols.

Layer 6 – Presentation layer
It is responsible for defining a standard format for the data. It acts as the translator of the network. For example, if you want to send an email, the Presentation layer will format your data into email format; if you want to send photos, the Presentation layer will format your data into GIF, JPG or PNG format.

Layer 5 – Session layer
It is responsible for establishing, maintaining, and ultimately terminating sessions between devices. If a session is broken, this layer can attempt to recover the session. Session communication falls under one of three categories:

• Full-Duplex – simultaneous two-way communication
• Half-Duplex – two-way communication, but not simultaneous
• Simplex – one-way communication

Layer 4 – Transport layer
It is responsible for the reliable transfer of data, by ensuring that data is error-free and in order. It falls under two categories:

• Connection-oriented – requires a 3-way handshake
• Connectionless – does not require a connection

There are two Transport layer protocols:
• Transmission Control Protocol (TCP) – connection-oriented
• User Datagram Protocol (UDP) – connectionless

UDP is fast; TCP is more reliable, but slower. Applications that require speed and can stand some packet loss will use UDP. Applications that don't need speed and can't tolerate loss as much will use TCP.

Port Numbers

TCP:     FTP 20/21, SSH 22, Telnet 23, SMTP 25, HTTP 80, POP3 110, BGP 179, HTTPS 443
UDP:     DHCP 67/68, TFTP 69, NTP 123, RIP 520
TCP/UDP: DNS 53, SNMP 161/162, LDAP 389


Layer 3 – Network layer
This layer provides logical addresses which routers will use to determine the path to the destination.

• Logical addressing – provides a unique address that identifies both the host, and the network that host exists on.
• Routing – determines the best path to a particular destination network, and then routes data accordingly.

Layer 2 – Data Link layer
It is responsible for transporting data within a network. The Data Link layer formats the message into a data frame, and adds a header containing the hardware destination and source address to it. This header is responsible for finding the next destination device on a local network. It consists of two sublayers:

• Logical Link Control (LLC) sublayer
• Media Access Control (MAC) sublayer

It packages the higher-layer data into frames, so that the data can be put onto the physical wire. This packaging process is referred to as framing or encapsulation.

• Ethernet – the most common LAN data-link technology

Layer 1 – Physical layer
It controls the signaling and transferring of raw bits onto the physical medium. The Physical layer is closely related to the Data Link layer, as many technologies (such as Ethernet) contain both data-link and physical functions. The Physical layer provides specifications for a variety of hardware:

• Cabling
• Connectors and transceivers
• Network interface cards (NICs)
• Hubs

Collision Domain
• It is a part of a network where packet collisions can occur.
• In a half-duplex Ethernet network, a collision occurs when two devices send a packet at the same time.
• Collisions are common in a hub environment, because each port on a hub is in the same collision domain.

Broadcast Domain
• A broadcast domain is a domain in which a broadcast is forwarded.
• A broadcast domain contains all devices that can reach each other at the data link layer (OSI layer 2) by using broadcast.
• All ports on a hub or a switch are by default in the same broadcast domain. All ports on a router are in different broadcast domains, and routers don't forward broadcasts from one broadcast domain to another.

Repeater
• It is used to regenerate the signal.
• When the signal travels over long distances, its clarity degrades, so the repeater regenerates the signal and enables it to travel a long distance.
• No memory
• Only 2 ports are available

Hub
• It is a Physical layer (Layer 1) device of the OSI model
• It is used to connect the network devices in a LAN
• Half-duplex device
• When a frame is received, it is sent to all ports
• It doesn't inspect the frame before forwarding
• 1 collision domain and 1 broadcast domain

Bridge
• It is a Layer 2 device
• Half-duplex device
• Frames are forwarded based on the destination Layer 2 MAC address
• Frame forwarding method is store & forward
• Multiple collision domains and 1 broadcast domain

Switch
• It is a Layer 2 device
• It is used to connect devices in the same LAN
• Full-duplex device
• MAC address learning and frame forwarding are done in ASIC hardware
• Frames are forwarded based on the destination Layer 2 MAC address
• It uses a CAM/MAC address table to forward the frames
• Frame forwarding methods are store & forward, cut-through and fragment-free
• Multiple collision domains and 1 broadcast domain

Router
• It is a Layer 3 device
• It connects 2 or more different networks and forwards packets from one network to another
• Full duplex
• Packets are forwarded based on the destination Layer 3 IP address
• It will never forward a broadcast
• Multiple collision and broadcast domains

ASIC – Application Specific Integrated Circuit
A switch is a Layer 2 device that makes a decision based on the Layer 2 destination MAC address. As the number of switch ports increases, a general-purpose CPU running a software solution can't keep up. The ASIC is basically a CPU that is not a general-purpose CPU but a CPU built for making switching decisions very quickly. This is similar to a high-end graphics card that has a special CPU for graphics processing that wouldn't be good for general applications.

Difference between Layer 2 and Layer 3 devices?
Switching operates at Layer 2 of the OSI model, where frames are sent to a specific switch port based on destination MAC addresses. Routing operates at Layer 3, where packets are sent to a specific next-hop IP address, based on destination IP address.

When a router gets a packet, it decides on the basis of:
1. Longest prefix match
2. Administrative Distance
3. Metric value

The AD value is the believability of the routing protocol; a lower AD value is preferred. A lower metric value is preferred. On the basis of these things the decision is made where to route the packet.

How does a router build the routing table for the first time?
The router builds the routing table from its active interfaces that have an IP address. The interface should be up and active.

What happens when a switch receives a frame?
It checks the source MAC address in the CAM table; if not found, it adds that address to the CAM table. Then it checks for the destination MAC address in the CAM table; if it is not found, it broadcasts the frame. Once it gets the response, the corresponding port is updated with that MAC address.

What happens when a router receives a packet?
It removes the L2 header present on the packet and checks the destination IP address. It looks for routes for the destination prefix in the routing table; if there is a match, it attaches its own exit interface MAC address as source and the connected device's MAC address as destination, and forwards the packet. If no route is found in the routing table, it drops the packet.

Static Route: It is a route that is manually configured in the routing table by the administrator.

Default Route: used when a router doesn't have a route for the destination IP address, i.e. when nothing else matches. This is also called the Gateway of last resort.

Default gateway: A gateway is the entrance point to another network. A default gateway is the address to which packets are sent if there is no specific gateway for a given destination listed in the routing table.
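The lookup order described above (longest prefix match, then administrative distance, then metric, falling back to the default route and dropping the packet when nothing matches) as an added Python example; it is not from the original notes, and the routing table, addresses and next hops in it are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry as a routing source (connected, static or a protocol) offers it."""
    prefix: IPv4Network
    next_hop: str      # next-hop router IP, or "connected" for a directly attached network
    interface: str     # exit interface
    protocol: str      # route source: connected, static, ospf, rip, ...
    ad: int            # administrative distance: believability of the source (lower wins)
    metric: int        # protocol metric (lower wins within the same protocol)


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Choose the route a router would use for one packet, in the order the notes give:
    1. longest prefix match, 2. lowest administrative distance, 3. lowest metric.
    A default route (0.0.0.0/0) matches every address but has the shortest prefix, so it
    is chosen only when nothing more specific matches (gateway of last resort).
    Returns None when no route matches at all: the case where the packet is dropped."""
    dst = IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # Negative prefix length so longer prefixes sort first, then AD, then metric.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))


def rewrite_target(route: Route, destination: str) -> str:
    """The address whose MAC becomes the new Layer 2 destination when the router
    re-encapsulates the packet: the destination itself on a connected network,
    otherwise the next-hop router. (ARP resolution of that address is not modelled.)"""
    return destination if route.next_hop == "connected" else route.next_hop


# Constructed sample routing table (private and documentation address ranges).
SAMPLE_TABLE = [
    Route(IPv4Network("10.1.1.0/24"), "connected", "Gi0/0", "connected", 0, 0),
    Route(IPv4Network("10.1.0.0/16"), "10.1.1.2", "Gi0/0", "ospf", 110, 20),
    Route(IPv4Network("10.1.0.0/16"), "10.1.1.3", "Gi0/0", "rip", 120, 2),
    Route(IPv4Network("10.2.0.0/16"), "10.1.1.2", "Gi0/0", "ospf", 110, 30),
    Route(IPv4Network("10.2.0.0/16"), "10.1.1.3", "Gi0/0", "ospf", 110, 10),
    Route(IPv4Network("0.0.0.0/0"), "192.0.2.1", "Gi0/1", "static", 1, 0),
]


def explain(table: List[Route], destination: str) -> str:
    """Human-readable result of one lookup, for running the module by hand."""
    route = select_route(table, destination)
    if route is None:
        return f"{destination}: no route, packet dropped"
    return (f"{destination}: via {route.prefix} ({route.protocol}, AD {route.ad}, "
            f"metric {route.metric}) out {route.interface}, "
            f"L2 destination = MAC of {rewrite_target(route, destination)}")


if __name__ == "__main__":
    for dst in ("10.1.1.50", "10.1.5.9", "10.2.3.4", "198.51.100.7"):
        print(explain(SAMPLE_TABLE, dst))
    # Without a default route an unknown destination is dropped.
    print(explain([r for r in SAMPLE_TABLE if r.prefix.prefixlen > 0], "198.51.100.7"))
```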

A router has to follow 3 generic steps before it routes the packet:
• Routing
• Forwarding (Switching)
• Encapsulation

NIC (Network Interface Controller) Address
• Physical Address
• Logical Address

Physical Address – Media Access Control (MAC) – Layer 2 address – 48-bit hexadecimal

Logical Address – Internet Protocol (IP) – Layer 3 address – 32-bit dotted decimal

MAC Address
• It allows devices to uniquely identify themselves on the network
• The first 24 bits in the MAC address are called the OUI (Organizationally Unique Identifier)

System Communication
• Simplex
• Half-Duplex
• Full-Duplex

Simplex – one device can send the data and the other device can receive the data. Ex: Radio, Pager

Half-Duplex – two-way communication, but not at the same time; at a time only one device can send or receive data; collisions happen. Ex: Hub, Walkie-talkie

Full-Duplex – two-way communication at the same time; both devices can send & receive data at the same time. Ex: Telephone

HTTP vs HTTPS

| HTTP | HTTPS |
|---|---|
| It uses port no 80 for communication | It uses port no 443 for communication |
| Unsecured | Secured |
| There is no encryption | Encryption is there |
| No certificates required | Certificates required |

RIPv1 vs RIPv2

| RIPv1 | RIPv2 |
|---|---|
| Supports only classful networks | Supports classless networks (subnet/VLSM) |
| Works on contiguous networks | Works on discontiguous networks |
| Doesn't support triggered updates | Supports triggered updates |
| Forwards updates as broadcast to 255.255.255.255 | Forwards updates as multicast using 224.0.0.9 |
| Doesn't support VLSM | Supports VLSM |
| RIPv1 can accept by default v1 and v2 updates but only forwards v1 updates | RIPv2 will only send and receive version 2 updates |
| RIPv1 can send v1 packets but receive v1 and v2 packets; configured manually, RIPv1 can only send and receive v1 packets | |

OSPF vs EIGRP

| OSPF | EIGRP |
|---|---|
| Open Shortest Path First | Enhanced Interior Gateway Routing Protocol |
| OSPF is able to load balance across equal-cost paths | EIGRP can load balance between unequal-cost paths |
| OSPF is merely a link-state protocol | EIGRP shows characteristics of both link-state and distance-vector protocols; it supports a maximum of 255 routers in the network |
| OSPF calculates the metric using cost | EIGRP uses bandwidth, load, delay and reliability to calculate the metric |
| OSPF converges more quickly than EIGRP; also OSPF can be used in larger networks | Not widely used |

Main Mode vs Aggressive Mode

| Main Mode | Aggressive Mode |
|---|---|
| There are 6 message exchanges | There are 3 message exchanges |
| Main mode is secure as it negotiates the SA parameters first before authenticating | It is not secure |
| Tries to protect all information during the negotiation; the identities of the two sides are hidden. It takes more time to negotiate. Default mode | It takes less time to negotiate, and it is not secure |
| On a router, Main mode is enabled by default | On an ASA, Aggressive mode is enabled by default |
| It is slower, using more exchanges, but it protects the identities of the communicating peers | Aggressive mode is faster, but does not protect the identities of the peers |

Tunnel Mode vs Transport Mode

| Tunnel Mode | Transport Mode |
|---|---|
| Tunnel mode provides protection for the original source and destination address by encapsulating it under ESP | In transport mode the original IP address is visible because only the data is encapsulated |
| IPSec tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (IPSec peer) | |
| IPSec tunnel mode is used to secure gateway-to-gateway traffic | IPSec transport mode is used to secure host-to-host traffic |

IPSec vs SSL

| IPSec | SSL |
|---|---|
| It works on Layer 3 (Network Layer) of the OSI model | It works on Layer 7 (Application Layer) of the OSI model |
| It works on the Network layer; it secures all data | It's used for secure web-based communication over the Internet |
| It defines how to provide data integrity, authenticity and confidentiality over an insecure network like the Internet | It uses encryption and authentication to keep communications private between two devices, typically a web server and a user machine |
| It completes its goal through tunneling, encryption and authentication | Like IPSec, SSL also provides flexibility by providing levels of security |
| | Unlike IPSec, SSL helps to secure one application at a time, and each application is supported via a web browser |

TCP vs UDP

| TCP | UDP |
|---|---|
| Connection-oriented | Connectionless |
| It uses a 3-way handshake to establish the connection: SYN, ACK, SYN+ACK | No 3-way handshake |

VLAN vs VPN

| VLAN | VPN |
|---|---|
| It is a group of computers that share the same broadcast domain, so the computers in that particular VLAN can directly talk to each other. It is generally used when you need a separate set of computers which cannot be reached directly from outside the VLAN, and access to the resources in the VLAN needs special permission, generally via an ACL (access control list) | A VPN or Virtual Private Network can be defined as a secured means of connecting to a private network through a public network that is not very safe |
| A VLAN helps to group workstations that are not within the same location into the same broadcast domain | VPN is related to remote access to the network of a company |
| VLAN is a subcategory of VPN | It is a means of creating a secured network for safe data transmission |
| VLAN is generally used when it is necessary for a person to connect with someone whom you cannot connect to from outside the VLAN. It requires special permission before access | VPN is used to communicate in a secured manner in an unsecured environment |

Switching Modes
1. Store and Forward Switching
2. Cut-through Switching
3. Fragment-Free Switching

1. Store and Forward Switching
The switch copies each complete frame into the switch memory and does a Cyclic Redundancy Check (CRC) for errors. If an error is found, the frame is dropped; if there is no error, the switch forwards the frame to the destination device. Store and Forward switching can cause delay in switching since the CRC is calculated for each frame.

2. Cut-through Switching
The switch copies only the destination MAC address (the first 6 bytes of the frame) into its memory before making a switching decision. It reduces delay because the switch starts to forward the frame as soon as it reads the destination MAC address and determines the outgoing switch port. The switch may forward bad frames.

3. Fragment-Free Switching
Switches operating in fragment-free switching read at least 64 bytes of the Ethernet frame before switching it, to avoid forwarding Ethernet runt frames (Ethernet frames smaller than 64 bytes).

Switching Functions
1. Learning
2. Aging
3. Flooding
4. Filtering
5. Forwarding
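The five switching functions listed above, together with the CAM-table behaviour described earlier under "What happens when a switch receives a frame?", as an added Python model that is not part of the original notes; the MAC addresses, port numbers and timings are constructed, and the 300-second aging default is the Catalyst default.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed MAC addresses for the walk-through below.
HOST_A, HOST_B, HOST_C, HOST_D, HOST_E = (
    "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c",
    "00:00:5e:00:53:0d", "00:00:5e:00:53:0e")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set;
    a switch never looks them up in the CAM table, it floods them."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class CamEntry:
    port: int
    last_seen: float   # seconds; refreshed by every frame sourced from this MAC


@dataclass
class LearningSwitch:
    """Toy model of the five switching functions on a single-VLAN switch."""
    num_ports: int
    aging_time: float = 300.0                  # default CAM aging on Catalyst switches
    cam: Dict[str, CamEntry] = field(default_factory=dict)

    def age(self, now: float) -> List[str]:
        """Aging: drop entries that have been silent longer than aging_time."""
        expired = [m for m, e in self.cam.items() if now - e.last_seen > self.aging_time]
        for m in expired:
            del self.cam[m]
        return expired

    def receive(self, in_port: int, src: str, dst: str, now: float) -> List[int]:
        """Handle one frame; returns the ports it is sent out of (empty list = filtered)."""
        self.age(now)
        # Learning: bind the source MAC to the ingress port, refreshing or moving it.
        self.cam[src] = CamEntry(in_port, now)
        entry = self.cam.get(dst)
        if is_group_address(dst) or entry is None:
            # Flooding: broadcast, multicast and unknown unicast go out every other port.
            return [p for p in range(1, self.num_ports + 1) if p != in_port]
        if entry.port == in_port:
            # Filtering: destination is on the same segment the frame came from.
            return []
        # Forwarding: known unicast leaves through the single learned port.
        return [entry.port]


def run_demo() -> List[List[int]]:
    """Seven frames through a 4-port switch; hosts A and E share port 1 via a hub."""
    sw = LearningSwitch(num_ports=4)
    frames = [
        (1, HOST_A, HOST_B, 0.0),     # B unknown -> flood
        (2, HOST_B, HOST_A, 1.0),     # A learned on port 1 -> forward to 1
        (1, HOST_A, HOST_B, 2.0),     # B learned on port 2 -> forward to 2
        (3, HOST_C, BROADCAST, 3.0),  # broadcast -> flood
        (4, HOST_D, HOST_A, 400.0),   # A aged out (silent > 300 s) -> flood again
        (1, HOST_A, HOST_D, 401.0),   # D learned on port 4 -> forward to 4
        (1, HOST_E, HOST_A, 402.0),   # A and E both on port 1 -> filtered
    ]
    return [sw.receive(*f) for f in frames]


if __name__ == "__main__":
    for ports in run_demo():
        print("egress ports:", ports or "none (filtered)")
```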

VLAN
• It is used to divide a single broadcast domain into multiple broadcast domains
• By default all ports of the switch are in VLAN 1
• It provides Layer 2 security

2 Types of VLAN Configuration
• Static VLAN
• Dynamic VLAN

Static VLAN
• Static VLANs are based on port numbers
• Need to manually assign a port on a switch to a VLAN
• Also called Port-Based VLANs
• One port can be a member of only one VLAN

Dynamic VLAN
• The switch automatically assigns the port to a VLAN
• Each port can be a member of multiple VLANs
• VMPS (VLAN Membership Policy Server) software is needed

Advantages of VLAN
• Broadcast Control: Flooding of a packet is limited to the switch ports that belong to a VLAN.
• Reduce the size of broadcast domains: VLANs increase the number of broadcast domains while reducing their size.
• Layer 2 Security: VLANs give us total control over each port and user. With VLANs, you can prevent users from gaining unwanted access to resources.
• Cost: Dividing a large VLAN into smaller VLANs is cheaper than creating a routed network with routers, because routers are normally costlier than switches.

VLAN Frame Tagging
• VLAN tagging is the technique of inserting a VLAN ID into the frame header in order to identify which VLAN the frame is arriving from.

Native VLAN
• It is the untagged VLAN on an 802.1Q trunked switchport.
• If a switch receives untagged frames, they are forwarded to the native VLAN.
• By default the native VLAN is 1.
• Both sides of a trunk link must be configured with the same native VLAN.

Switch-Port Security
• Port security features add an additional layer of security in a LAN.
• It is used to secure the switch port.
• It is necessary because anyone can access unsecured network resources by simply plugging a host into one of the available switch ports.

Enabling Port Security
Port security can be enabled with default parameters by issuing a single command on an interface:
# interface f0/13
# switchport port-security

Switchport port-security violation
• Shutdown (default): The interface is placed into the error-disabled state, blocking all traffic.
• Protect: Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally.
• Restrict: Like protect mode, but generates a syslog message and increases the violation counter.

Maximum MAC Addresses
By default, port security limits the ingress MAC address count to one. This can be modified, for example, to accommodate both a host and an IP phone connected in series on a switch port:
# switchport port-security maximum 2

MAC Address Learning
An administrator has the option of statically configuring allowed MAC addresses per interface. MAC addresses can optionally be configured per VLAN (access or voice).
# switchport port-security mac-address 001b.d41b.a4d8

This command lets the port learn MAC addresses dynamically and automatically configures each learned address as a static MAC address associated with the port:
# switchport port-security mac-address sticky

MAC Address Aging
By default, secure MAC addresses are learned permanently. Aging can be configured so that the addresses expire after a certain amount of time has passed. This allows a new host to take the place of one which has been removed.
# switchport port-security aging time 5
# switchport port-security aging type inactivity
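The port-security behaviour described in this section (maximum addresses, static and sticky learning, the three violation modes and inactivity aging) as an added Python model; it is not Cisco code or part of the notes, the interface names and every MAC address other than 001b.d41b.a4d8 are constructed, and the log line is only an approximation of the IOS message.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed addresses; 001b.d41b.a4d8 is the one used in the notes above.
PHONE_MAC, HOST_MAC, OTHER_MAC, STATIC_MAC = (
    "0011.2233.0001", "0011.2233.0002", "0011.2233.0003", "001b.d41b.a4d8")


@dataclass
class SecurePort:
    """Model of one access port with 'switchport port-security' applied."""
    name: str
    maximum: int = 1                      # switchport port-security maximum N
    violation: str = "shutdown"           # shutdown (default) | protect | restrict
    sticky: bool = False                  # switchport port-security mac-address sticky
    aging_time: Optional[int] = None      # minutes; None = learned addresses never expire
    aging_type: str = "absolute"          # absolute | inactivity
    static: Set[str] = field(default_factory=set)
    learned: Dict[str, float] = field(default_factory=dict)   # MAC -> timestamp (seconds)
    sticky_config: List[str] = field(default_factory=list)    # lines a sticky port would save
    err_disabled: bool = False
    violations: int = 0
    syslog: List[str] = field(default_factory=list)
    history: List[str] = field(default_factory=list)          # verdict for each frame seen

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address H.H.H"""
        self.static.add(mac)

    def _age(self, now: float) -> None:
        if self.aging_time is None:
            return
        expired = [m for m, t in self.learned.items() if (now - t) / 60 >= self.aging_time]
        for m in expired:
            del self.learned[m]

    def ingress(self, src_mac: str, now: float) -> str:
        """Return what happens to a frame with this source MAC: forward, drop or err-disabled."""
        verdict = self._handle(src_mac, now)
        self.history.append(verdict)
        return verdict

    def _handle(self, src_mac: str, now: float) -> str:
        if self.err_disabled:
            return "err-disabled"          # nothing passes until the port is recovered
        self._age(now)
        if src_mac in self.static:
            return "forward"
        if src_mac in self.learned:
            if self.aging_type == "inactivity":
                self.learned[src_mac] = now   # traffic resets the inactivity timer
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned[src_mac] = now       # dynamic learning up to the maximum
            if self.sticky:
                self.sticky_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violation(src_mac)

    def _violation(self, mac: str) -> str:
        # Approximation of the IOS log line; wording is modelled, not taken from the notes.
        msg = f"%PORT_SECURITY-2-PSECURE_VIOLATION: {mac} on {self.name}"
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(msg)
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1
            self.syslog.append(msg)
            return "drop"
        return "drop"                         # protect: silently dropped, nothing logged


def demo_shutdown_sticky() -> SecurePort:
    """Host plus IP phone allowed (maximum 2, sticky); a third address err-disables the port."""
    port = SecurePort("Fa0/13", maximum=2, sticky=True)
    for t, m in enumerate((PHONE_MAC, HOST_MAC, OTHER_MAC, HOST_MAC)):
        port.ingress(m, float(t))
    return port


def demo_restrict_static() -> SecurePort:
    """Only the configured static address may talk; others are dropped and counted."""
    port = SecurePort("Fa0/14", violation="restrict")
    port.add_static(STATIC_MAC)
    for t, m in enumerate((STATIC_MAC, OTHER_MAC, HOST_MAC, STATIC_MAC)):
        port.ingress(m, float(t))
    return port


def demo_inactivity_aging() -> SecurePort:
    """aging time 5 / aging type inactivity: a silent host is replaced after five minutes."""
    port = SecurePort("Fa0/15", violation="protect", aging_time=5, aging_type="inactivity")
    port.ingress(HOST_MAC, 0.0)      # learned
    port.ingress(OTHER_MAC, 60.0)    # port full -> dropped (protect)
    port.ingress(OTHER_MAC, 301.0)   # HOST_MAC idle >= 5 min, aged out -> learned
    port.ingress(HOST_MAC, 302.0)    # now the old host is the one dropped
    return port
```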

DTP
• Dynamic Trunking Protocol
• It is a Layer 2 protocol
• It is a Cisco proprietary trunking protocol, which is used to automatically negotiate trunks between Cisco switches
• It can be used to negotiate and form a trunk connection between Cisco switches dynamically
• It is enabled on each port by default

A trunk can be made in two ways:
1. Manually
2. Dynamically

DTP sends Hello packets every 30 seconds. The dynamic trunk time-out is 300 seconds.

Switchport Modes
Access – Always forces the port to be an access port with no VLAN tagging allowed EXCEPT for the voice VLAN. DTP is not used and a trunk will never be formed.
# switchport mode access
# switchport access vlan 10

Trunk – This interface will always be a trunk no matter what happens on the other side. It will also use DTP to negotiate a neighboring interface that is set to dynamic desirable or dynamic auto into a trunk.
# switchport trunk encapsulation dot1q
# switchport mode trunk

Dynamic desirable – Proactive DTP negotiation will begin, and if the other side is set to trunk, desirable, or auto, the interface will become a trunk. Otherwise the port will become an access port.

Dynamic auto – Allows the port to negotiate DTP if the other side is set to trunk or desirable. Otherwise it will become an access port.

Nonegotiate – Turns off DTP and forces the interface into a trunk.

VTP
• VLAN Trunking Protocol
• It is a Cisco proprietary protocol that propagates VLAN configurations to other switches in the network

How VTP Works
To exchange VLAN information with each other, switches need to be configured with the same VTP domain. Only switches belonging to the same domain share their VLAN information. When a change is made to the VLAN database, it is propagated to all switches via VTP advertisements.

There are 3 modes:
1. Server Mode
2. Client Mode
3. Transparent Mode

1. Server Mode: This is also the default mode. When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP messages are transmitted out of all the trunk connections. In Server mode we can create, modify and delete VLANs.

2. Client Mode: In this mode switches are only allowed to receive and forward updates from the "Server" switch. It cannot make changes to the VLAN configuration when in this mode; however, a VTP client can send any VLANs currently listed in its database to other VTP switches. A VTP client also forwards VTP advertisements (but cannot create VTP advertisements).

3. Transparent Mode: In this mode, a switch maintains its own VLAN database and never learns any VTP information from other switches (even from the switch in VTP server mode). It still forwards VTP advertisements from the server to other switches. It can add, delete and modify the VLAN database locally.

VTP Advertisement Messages
1. Client advertisement request: A client advertisement request is a VTP message which a client generates to request VLAN information from a server. Servers respond with both summary and subset advertisements.

2. Summary advertisement: Summary advertisements are sent out every 300 seconds (5 minutes) by default, or when a configuration change occurs, and carry the summarized VLAN information.

3. Subset advertisement: Subset advertisements are sent when a configuration change takes place on the server switch. Subset advertisements are VLAN specific and contain details about each VLAN.

Three versions
1. VTPv1
2. VTPv2
3. VTPv3

1. VTPv1
It is the default on Catalyst switches. It supports the standard VLAN range 1-1005. A transparent switch using VTP version 1 will check the domain and version before it forwards the frame.

2. VTPv2
If a switch is in transparent mode, it will forward the message without checking version information.

3. VTPv3
Support for extended VLANs (4094). Support for the creation and advertising of private VLANs. Interaction with VTP version 1 and VTP version 2. Provides the ability to be configured on a per-port basis.

VTP Pruning
• It cuts down unnecessary VLAN traffic on certain trunk ports.
• VTP pruning is disabled by default on Cisco switches.
• By default, VLANs 2 – 1001 are pruning eligible.
• VLAN 1 can't be pruned because it's an administrative VLAN.
• Both VTP versions 1 and 2 support pruning.

VLAN Port Types
1. Access ports
2. Trunk ports

Access link: An access link is a link that is part of only one VLAN, and normally access links are for end devices.

Trunk link: A Trunk link can carry multiple VLAN traffic and normally a trunk link is used to connect switches to other switches or to routers.

Frame Tagging Protocols
Cisco switches support two frame tagging protocols:
1. Inter-Switch Link (ISL)
2. IEEE 802.1Q

Inter-Switch Link (ISL)
• It is Cisco's proprietary frame tagging protocol.
• It encapsulates a frame with an additional header (26 bytes) and trailer (4 bytes).
• It increases the size of a frame by 30 bytes.
• The header contains several fields, including a 15-bit VLAN ID.
• The trailer contains an additional 4-byte CRC to verify data integrity.
• Maximum Transmission Unit (MTU) is 1518 bytes.
• It supports a maximum of 1000 VLANs on a trunk port.
• It doesn't support untagged frames, and will always tag frames from all VLANs.

IEEE 802.1Q
• It is an open standard.
• It inserts a 4-byte VLAN tag directly into the Layer 2 frame header.
• The VLAN tag includes a 12-bit VLAN ID.
• This tag increases the maximum frame size from its default of 1514 bytes to 1518 bytes.
• It supports a maximum of 4096 VLANs on a trunk port.
• It supports native VLANs on trunk ports.
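The 802.1Q tag layout described above (a 4-byte tag carrying a 12-bit VLAN ID, frames growing from 1514 to 1518 bytes, and untagged frames falling into the native VLAN) as an added Python parser and tagger; it is not part of the original notes, the MAC addresses in the sample frame are constructed, and it goes slightly beyond the notes by also handling stacked tags.

```python
import struct
from dataclasses import dataclass
from typing import List

TPID_8021Q = 0x8100      # tag protocol identifier that announces a 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1          # untagged frames on a trunk are assigned to the native VLAN


@dataclass(frozen=True)
class Dot1qTag:
    pcp: int   # 3-bit priority code point
    dei: int   # 1-bit drop eligible indicator
    vid: int   # 12-bit VLAN ID (0 and 4095 are reserved, leaving 1-4094 usable)


@dataclass(frozen=True)
class ParsedFrame:
    dst: str
    src: str
    tags: List[Dot1qTag]   # outermost tag first; empty for an untagged frame
    ethertype: int
    payload: bytes

    @property
    def vlan(self) -> int:
        """VLAN the frame belongs to as a trunk port would see it."""
        return self.tags[0].vid if self.tags else NATIVE_VLAN


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header, peeling off every 802.1Q tag it finds
    (a frame may carry more than one, e.g. 802.1ad double tagging)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break
        if offset + 2 > len(frame):
            raise ValueError("802.1Q TPID without a TCI")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append(Dot1qTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
    return ParsedFrame(dst, src, tags, ethertype, frame[offset:])


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one 802.1Q tag after the source MAC, growing the frame by exactly 4 bytes."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def sample_untagged_frame() -> bytes:
    """Constructed maximum-size untagged frame: 14-byte header + 1500-byte payload = 1514."""
    dst = bytes.fromhex("00005e005301")
    src = bytes.fromhex("00005e005302")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + bytes(1500)


if __name__ == "__main__":
    plain = sample_untagged_frame()
    tagged = tag_frame(plain, vid=10, pcp=5)
    for f in (plain, tagged, tag_frame(tagged, vid=100)):
        p = parse_frame(f)
        print(len(f), "bytes, VLAN", p.vlan, "tags", [t.vid for t in p.tags])
```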

Management VLAN and configuration of the Management VLAN
The Management VLAN is used for managing the switch from a remote location by using protocols such as Telnet, SSH, SNMP, syslog etc. Normally the Management VLAN is VLAN 1, but you can use any VLAN as a management VLAN.

Configuration
# interface vlan 1
# ip address 192.168.100.28 255.255.255.0
# no shutdown
# ip default-gateway 192.168.100.1

EtherchannelThe issue with using only a single physical port is a single point of failure. If the port goes down, the trunk connection is lost.

Etherchannel is a technology that lets you bundle multiple physical links into a single logical link. If we connect 2 or more cables between two switches, there will be a chance of loops; STP will run, prevent the loop and block the ports, so we can't add redundancy between switches this way.

Spanning tree sees Etherchannel as one logical link so there are no loops.

Etherchannel will do load balancing among the different links that we have and it takes care of redundancy. A maximum of 8 active ports are supported in a single Etherchannel.

The maximum number of supported Etherchannels on a single switch is platform-dependent, though most support up to 64 or 128 Etherchannels.

Cisco’s implementation of port aggregation is called Etherchannel.

Etherchannels are also supported on Layer 3 interfaces. Port settings that must be identical include the following:

• Speed settings
• Duplex settings
• STP settings
• VLAN membership (for access ports)
• Native VLAN (for trunk ports)
• Allowed VLANs (for trunk ports)
• Trunking encapsulation protocol (for trunk ports)

Port security is not supported on an Etherchannel.

Etherchannel Load-Balancing
• Source IP address – src-ip
• Destination IP address – dst-ip
• Source and destination IP address – src-dst-ip
• Source MAC address – src-mac
• Destination MAC address – dst-mac
• Source and destination MAC address – src-dst-mac
• Source TCP/UDP port number – src-port
• Destination TCP/UDP port number – dst-port
• Source and destination port number – src-dst-port

The default load-balancing method for a Layer 2 EtherChannel is either src-mac or src-dst-mac, depending on the platform. The default method for a Layer 3 EtherChannel is src-dst-ip.

# port-channel load-balance src-dst-mac
# show etherchannel load-balance

There are two methods of configuring an Etherchannel:
• Manually
• Dynamically, using an aggregation protocol

Manual Configuration
# interface range f0/22 - 24
# channel-group 1 mode on

Adding switch ports to a channel-group creates a logical port-channel interface.
# interface port-channel 1
# switchport mode trunk
# switchport trunk allowed vlan 50-100

To configure a port-channel as a Layer 3 interface:
# interface port-channel 1
# no switchport
# ip address 192.168.10.1 255.255.255.0

By default, a port-channel interface is administratively shut down.
# interface port-channel 1
# no shut

Dynamic Configuration
Cisco switches support two dynamic aggregation protocols:

• PAgP (Port Aggregation Protocol) – Cisco proprietary aggregation protocol.
• LACP (Link Aggregation Control Protocol) – IEEE standardized aggregation protocol, originally defined in 802.3ad.

PAgP and LACP are not compatible – both sides of an Etherchannel must use the same aggregation protocol.

EtherChannel – PAgP
It supports 2 modes:

• Desirable – actively attempts to form a channel
• Auto – waits for the remote switch to initiate the channel

A PAgP channel will form:
• desirable <-> desirable
• desirable <-> auto

# interface range f0/22 - 24
# channel-protocol pagp
# channel-group 1 mode desirable / auto

EtherChannel - LACPIt has 2 Modes

∑ Active – actively attempts to form a channel∑ Passive – waits for the remote switch to initiate the channel

An LACP channel will form∑ active <- -> active∑ active <- -> passive

#interface range f0/22 - 24#channel-protocol lacp#channel-group 1 mode active / passive

A maximum of 8 active ports is supported in a single EtherChannel. LACP supports adding up to 8 more ports to the bundle in a standby (hot-standby) state, to replace an active port if it goes down.

LACP uses two priorities to decide which ports become active when more than 8 are configured. The system priority (default 32768, lower preferred; ties broken by the lowest switch MAC address) decides which switch makes that choice. The port priority (default 32768, lower preferred; ties broken by the lowest port number) decides which of that switch's ports are active.
#interface range f0/22 - 24
#lacp port-priority 100

#lacp system-priority 500

#show etherchannel summary
#show port-channel summary

Spanning Tree Protocol (STP)
Without STP:

• Broadcast storms
• Duplicate frame copies
• Unstable MAC table

Broadcast Storms
Without any loop-removal mechanism, switches flood broadcasts endlessly around the loop. This is known as a broadcast storm.

Duplicate Frame Copies
A device can receive duplicate copies of the same frame from different switches, which creates additional overhead on the network.

Unstable MAC Table
When a switch receives a frame, it records the source MAC address against the interface it arrived on. The next time the switch receives a frame destined for that MAC address, it forwards it out that interface. These entries are stored in the MAC address table, which the switch uses to forward frames. In a looped network the same source MAC keeps arriving on different interfaces, so the entry flaps and the MAC address table never stabilizes.

What is Spanning Tree?
• STP is used to prevent Layer 2 loops when we have redundant paths in our network.
• STP is enabled by default on all VLANs on Catalyst switches.
• IEEE 802.1D

STP switches exchange Bridge Protocol Data Units (BPDUs) to build the topology. The root bridge originates BPDUs every 2 seconds (the hello time) and every other switch relays them out its designated ports, to the dedicated multicast MAC address 0180.c200.0000.

The STP Process
1. Root Bridge is elected
2. Root Ports are identified
3. Designated Ports are identified
4. Remaining ports are placed in the Blocking state

1. Electing a Root Bridge
A Root Bridge is elected based on the lowest Bridge ID.
Bridge ID = 16-bit Bridge Priority + 48-bit MAC address

The default priority is 32,768, and the lowest priority wins. If there is a tie in priority, the lowest MAC address is used as the tie-breaker.

NOTE: The default bridge priority is 32768, but on a real switch "show spanning-tree" shows something like this:
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

The sys-id-ext value is the VLAN number. With the extended system ID (802.1t), the 16-bit priority field is split into a 4-bit priority (which is why configurable priorities are multiples of 4096) and a 12-bit system ID extension carrying the VLAN. The configured priority 32768 plus VLAN 1 gives 32769; for VLAN 10 it would be 32778 (32768 + 10).

2. Root Ports are identified
After the Root Bridge is found, every non-root bridge finds its shortest path to the root bridge by calculating the path cost (the sum of the port costs along the path, added as each BPDU is received). The lowest path cost is preferred.

Note: The root port always forwards traffic towards the root bridge. Each non-root switch has exactly one Root Port, and the Root Bridge has no Root Port.

Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
45 Mbps     39
100 Mbps    19
155 Mbps    14
1 Gbps      4
10 Gbps     2

3. Designated Ports are identified
A single designated port is identified for each network segment; it is responsible for forwarding BPDUs and frames onto that segment. It is the port on that segment with the lowest path cost to the Root Bridge (all ports on the Root Bridge are designated). A designated port is never placed in the blocking state.


Port ID
When electing root and designated ports, it is possible to have a tie in both path cost and Bridge ID, for example when two switches are connected by two parallel links.

If the bandwidth of both links is equal, both of Switch 2's interfaces have an equal path cost to the Root Bridge. The next tiebreaker would be the lowest sender Bridge ID, but both links lead to the same neighbor, so that cannot decide either. Port ID is used as the final tiebreaker, and consists of two components:

• 4-bit port priority
• 12-bit port number, derived from the physical port number

By default, the port priority of an interface is 128, and a lower priority is preferred. If there is a tie in priority, the lowest port number is preferred. For root port selection it is the sender's (neighbor's) port ID that breaks the tie, not the local port ID.

To change the priority (Cisco accepts values 0-240 in increments of 16):
#int fa0/10
#spanning-tree port-priority 64

Port priority is the last tiebreaker. STP decides Root and Designated Ports based on:

• Lowest Path Cost to the Root Bridge
• Lowest Bridge ID
• Lowest Port ID

4. Ports are placed in the Blocking state
If two ports are eligible to become the designated port on a segment, there is a loop. The losing port is placed in the blocking state to eliminate the loop.

STP Port Roles:
1. Root Port: Used to reach the root bridge. Best way to get to the root bridge.
2. Designated Port: Forwarding port, one per segment.
3. Blocking / Non-Designated Port: Where the tree fell. [Blocks the redundant link]


Spanning Tree Election Criteria:
It selects paths according to the following criteria, in order:
1. Lowest root bridge ID (BID)
2. Lowest cost path to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

Port States
• Disabled
• Blocking
• Listening
• Learning
• Forwarding

Disabled: Administratively down; the port does not participate in STP or frame forwarding.
Blocking: Receives BPDUs but does not send them, does not forward frames and does not learn MAC addresses.
Listening: Sends and receives BPDUs; this is where a port is decided to be a Root or Designated port. Still no frame forwarding or MAC learning.
Learning: Sends and receives BPDUs and starts learning MAC addresses, but does not forward frames yet.
Forwarding: Fully functional; sends and receives BPDUs, learns MAC addresses and forwards frames. Root and Designated ports end up in the Forwarding state.

Timers
• Hello Timer
• Forward Delay Timer
• Max-Age Timer

Hello Timer: How often the root bridge sends BPDUs; by default every 2 seconds.
Forward Delay Timer: How long a port spends in each of the Listening and Learning states; by default 15 seconds (30 seconds in total).
Max-Age Timer: How long a switch retains BPDU information from a neighbor before discarding it; by default 20 seconds.
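The election order above (lowest root BID, lowest root path cost, lowest sender BID, lowest sender port ID) carried out in code, as an added Python example that is not part of these notes. Switch names, MAC addresses, port names and the three-switch triangle are constructed, and the rogue_root() helper is an assumption added to show what happens when an unauthorized switch with priority 0 is plugged into an access port: it wins the root election and every path is recomputed through it, which is the situation Root Guard and BPDU Guard exist to prevent.

```python
# Added worked example, not part of the original notes: 802.1D root bridge,
# root port and designated port election on a small constructed topology,
# using the election order from the notes: lowest root BID, lowest root path
# cost, lowest sender BID, lowest sender port ID.

# Port cost table from the notes (802.1D-1998 short-cost values), keyed by Mbps.
STP_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 1000: 4, 10000: 2}

def bridge_id(bridge, vlan):
    """Bridge ID with extended system ID: (priority + VLAN, MAC as an integer)."""
    return (bridge["priority"] + vlan, int(bridge["mac"].replace(".", ""), 16))

def port_id(port_name, priority=128):
    """Port ID: (port priority, port number); the number is taken from 'fa0/N'."""
    return (priority, int(port_name.rsplit("/", 1)[-1]))

def run_stp(bridges, links, vlan=1, port_priority=None):
    """bridges: {name: {"priority": int, "mac": "xxxx.xxxx.xxxx"}}
    links: [(bridgeA, portA, bridgeB, portB, bandwidth_mbps)], each link is a
    point-to-point segment. port_priority: {(bridge, port): priority} overrides.
    Returns (root bridge name, {(bridge, port): "root"|"designated"|"blocking"})."""
    port_priority = port_priority or {}

    def pid(bridge, port):
        return port_id(port, port_priority.get((bridge, port), 128))

    # 1. Root bridge: lowest Bridge ID.
    root = min(bridges, key=lambda b: bridge_id(bridges[b], vlan))

    # 2. Root ports. Each non-root bridge keeps its best offer as the tuple
    #    (root path cost, sender BID, sender port ID, local port ID, local port);
    #    tuple order is exactly the tie-break order. Relax until nothing changes.
    best = {root: (0, None, None, None, None)}
    changed = True
    while changed:
        changed = False
        for a, pa, b, pb, bw in links:
            for me, my_port, nbr, nbr_port in ((a, pa, b, pb), (b, pb, a, pa)):
                if me == root or nbr not in best:
                    continue
                offer = (best[nbr][0] + STP_COST[bw], bridge_id(bridges[nbr], vlan),
                         pid(nbr, nbr_port), pid(me, my_port), my_port)
                if me not in best or offer < best[me]:
                    best[me] = offer
                    changed = True

    # 3./4. Designated port per segment (lowest cost, then BID, then port ID);
    #       everything that is neither root nor designated is blocking.
    roles = {}
    for a, pa, b, pb, bw in links:
        offer_a = (best[a][0], bridge_id(bridges[a], vlan), pid(a, pa))
        offer_b = (best[b][0], bridge_id(bridges[b], vlan), pid(b, pb))
        designated = a if offer_a < offer_b else b
        for br, pt in ((a, pa), (b, pb)):
            if best[br][4] == pt:
                roles[(br, pt)] = "root"
            elif br == designated:
                roles[(br, pt)] = "designated"
            else:
                roles[(br, pt)] = "blocking"
    return root, roles

# Constructed topology: three switches in a triangle, all at the default priority.
SWITCHES = {
    "Sw1": {"priority": 32768, "mac": "0000.0c00.0001"},
    "Sw2": {"priority": 32768, "mac": "0000.0c00.0002"},
    "Sw3": {"priority": 32768, "mac": "0000.0c00.0003"},
}
LINKS = [
    ("Sw1", "fa0/1", "Sw2", "fa0/1", 100),
    ("Sw1", "fa0/2", "Sw3", "fa0/1", 100),
    ("Sw2", "fa0/2", "Sw3", "fa0/2", 100),
]

def rogue_root(bridges, links):
    """Same topology with an unauthorized switch at priority 0 plugged into Sw3
    (assumed scenario): it wins the root election and every path is recomputed
    through it, which is what Root Guard and BPDU Guard exist to prevent."""
    rogue = dict(bridges, Rogue={"priority": 0, "mac": "0000.0c00.00ff"})
    return run_stp(rogue, links + [("Sw3", "fa0/3", "Rogue", "fa0/1", 100)])

if __name__ == "__main__":
    for label, (root, roles) in (("normal", run_stp(SWITCHES, LINKS)),
                                 ("rogue", rogue_root(SWITCHES, LINKS))):
        print(label, "root =", root)
        for (br, pt), role in sorted(roles.items()):
            print("  %s %s: %s" % (br, pt, role))
```

In the normal case Sw1 is root, Sw2 and Sw3 use fa0/1 as root port, and on the Sw2-Sw3 segment the lower BID makes Sw2 fa0/2 designated and Sw3 fa0/2 blocking. In the rogue case Sw1, the intended root, ends up with a root port of its own and the Sw1-Sw2 link is blocked on Sw2, so all traffic between the three switches now transits the unauthorized device.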

Improving STP Convergence
In many environments, a 30 to 50 second outage for every topology change is unacceptable. Cisco developed three proprietary features that improve STP convergence time (RSTP later standardized equivalents of all three):

• PortFast
• UplinkFast
• BackboneFast

PortFast
Skips the Listening and Learning states on access ports connected to end hosts, so the port goes to Forwarding immediately. It must only be enabled on ports that will never connect to another switch; otherwise a loop can form before STP detects it, which is why it is normally paired with BPDU Guard.

UplinkFast
On an access-layer switch with redundant uplinks, if the root port fails, a blocked alternate uplink is moved to Forwarding immediately instead of waiting for Max-Age plus twice Forward Delay.

BackboneFast
Detects an indirect link failure (an inferior BPDU arriving from the designated bridge) and expires the Max-Age timer immediately, saving up to 20 seconds of convergence.


Protecting STP
• Root Guard
• BPDU Guard
• BPDU Filtering
• Unidirectional Link Detection (UDLD)
• Loop Guard

Root Guard
Applied on designated ports facing parts of the network that must never contain the root bridge (access switches, customer or partner links). If a superior BPDU (one that would make the neighbor the root) is received, the port is put into the root-inconsistent state and stops forwarding until the superior BPDUs stop. This prevents a rogue or misconfigured switch from taking over the root role and pulling all traffic through itself.

BPDU Guard
Applied on PortFast (host) ports. If any BPDU is received, the port is err-disabled, so a switch plugged into a user port cannot influence the topology at all. Combine it with errdisable recovery if manual re-enabling is not desired.

BPDU Filtering
Stops a port from sending BPDUs and, when enabled per interface, from processing received ones. It is used to hide STP from an attached host, but enabling it on an interface effectively disables STP on that port, so it is far more dangerous than BPDU Guard and is rarely the right choice.

UDLD
A Cisco Layer-2 keepalive protocol for fiber and copper links that detects a unidirectional link (traffic passes in one direction only). Because STP relies on receiving BPDUs, a unidirectional link can silently turn a blocking port into a forwarding one and create a loop; UDLD in aggressive mode err-disables the port instead.

Loop Guard
Protects against the same failure from the STP side: if a non-designated (blocking) port stops receiving BPDUs, instead of transitioning to Forwarding it is moved to the loop-inconsistent state until BPDUs return.

Rapid Spanning Tree Protocol (RSTP)
One big disadvantage of STP is its slow convergence, which matters a lot in a switched network. To overcome this, in 2001 the IEEE published 802.1w, an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol (RSTP). It reduces the convergence time after a topology change. While STP can take 30 to 50 seconds to move a port from blocking to forwarding, RSTP normally reacts to a physical link failure within a few seconds, and often sub-second on point-to-point links.

Port States
Discarding State:
A discarding port will not forward frames or learn MAC addresses.
A discarding port will listen for BPDUs.
Alternate and backup ports remain in the discarding state.

Learning State:
A learning port begins to add MAC addresses to the CAM table.
It cannot forward frames quite yet.

Forwarding State:
A forwarding port is fully functional – it sends and listens for BPDUs, learns MAC addresses and forwards frames.
Root and designated ports eventually transition to the forwarding state.

RSTP adds the alternate and backup port roles to STP. Because an alternate port is already known to be the next-best path to the root, it can take over as root port and move to forwarding immediately when the root port fails, rather than waiting for the Max-Age and Forward Delay timers to expire.

Port Roles:
Root port – A forwarding port that is the closest to the root bridge in terms of path cost.
Designated port – A forwarding port for every LAN segment.
Alternate port – The best alternate path to the root bridge, different from the root port. The alternate port moves to the forwarding state if the root port fails.
Backup port – A backup/redundant path to a segment where another port of the same bridge already connects. The backup port applies only when a single switch has two links to the same segment (collision domain); to have two links to the same collision domain, the switch must be attached to a hub. It takes over if the designated port on that segment fails.
Disabled port – Not strictly part of STP; a network administrator can manually disable a port.

Suppose all the switches have the same bridge priority, so the switch with the lowest MAC address becomes Root Bridge -> Sw1 is the root bridge and therefore all of its ports are Designated ports (forwarding).


The two ports fa0/0 on Sw2 and Sw3 are closest to the root bridge (in terms of path cost), so they become Root ports.

On the segment between Sw2 and Sw3, Sw2 has a lower MAC address than Sw3 and so advertises the better BPDU on that segment -> fa0/1 of Sw2 becomes the Designated port and fa0/1 of Sw3 becomes the Alternate port.

Now for the two ports connecting to the hub: there is only one Designated port per segment (notice that the two ports fa0/2 and fa0/3 of Sw2 are on the same segment, because they are connected to a hub). The other port becomes the Backup port, following the definition above. But how does Sw2 choose its Designated and Backup port? The decision uses the following parameters from the BPDU:

• Lowest path cost to the Root
• Lowest Sender Bridge ID (BID)
• Lowest Port ID

Both fa0/2 and fa0/3 of Sw2 have the same "path cost to the root" and "sender bridge ID", so the third parameter, "lowest port ID", is used. Because fa0/2 has the lower port number, Sw2 selects fa0/2 as its Designated port and fa0/3 becomes the Backup port.


Note: Alternate and Backup ports are in the discarding state.

RSTP Port States:
There are only three port states left in RSTP, corresponding to the three possible operational states. The 802.1D disabled, blocking and listening states are merged into the 802.1w discarding state.

* Discarding – the port does not forward frames or learn MAC addresses, but it does listen for BPDUs (like the STP blocking state).
* Learning – receives and transmits BPDUs and learns MAC addresses but does not yet forward frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC addresses, receives and transmits BPDUs (same as STP).

STP State (802.1D)   RSTP State (802.1w)
Blocking             Discarding
Listening            Discarding
Learning             Learning
Forwarding           Forwarding
Disabled             Discarding

The learning state is still used in RSTP, but it lasts only a short time compared to STP. RSTP converges with every port either in the forwarding or the discarding state.

RSTP Quick Summary:
* RSTP provides faster convergence than 802.1D STP when topology changes occur.
* RSTP defines three port states: discarding, learning, and forwarding.
* RSTP defines five port roles: root, designated, alternate, backup, and disabled.

Note: RSTP is backward compatible with legacy 802.1D STP. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it automatically falls back to behaving like a legacy port on that link, sending and receiving 802.1D BPDUs only. This also means the slow 802.1D timers apply on that link, so a single legacy (or deliberately legacy-speaking) switch can drag a segment back to 30-50 second convergence.

EIGRP
• Published as an open specification in RFC 7868 (2016); originally Cisco proprietary.
• Maximum hop count is 255 (100 by default).
• It is a classless protocol.
• EIGRP uses an internal administrative distance of 90 and an external AD of 170.
• An EIGRP summary route has an AD of 5.
• All EIGRP routing information is exchanged between neighbors via multicast to 224.0.0.10 (acknowledgements and some replies are unicast).
• Hello packets are sent every 5 seconds (60 seconds on low-speed NBMA links).
• Supports equal-cost and unequal-cost load balancing.
• K-values are used for calculating the metric. By default EIGRP considers only K1 (bandwidth) and K3 (delay).
• On classic IOS, auto-summarization at classful network boundaries is enabled by default, so "no auto-summary" is needed under the EIGRP process; otherwise EIGRP behaves like a classful routing protocol at major-network boundaries. (Newer IOS releases default to "no auto-summary".)
• EIGRP can load-balance across both equal- and unequal-cost paths. The "variance" command enables unequal-cost load balancing. By default EIGRP installs up to 4 paths; "maximum-paths" raises this (to 6 on older IOS, more on newer releases).

EIGRP maintains 3 tables:
• Neighbor table – contains the directly connected EIGRP routers.
#show ip eigrp neighbors
• Topology table – contains every route advertised by every neighbor, with its feasible distance and reported distance (successors and feasible successors both live here).
#show ip eigrp topology
• Routing table – contains the best route (the successor) to each destination.
#show ip route

EIGRP is an Advanced Distance Vector or Hybrid Routing Protocol
It shares features of both distance-vector and link-state protocols. For example, EIGRP advertises routes only to directly connected neighbors, like a distance-vector protocol, but it keeps a set of tables and sends triggered, partial updates, like a link-state protocol.

EIGRP Packet Types
• Hello: sent every 5 seconds between directly connected neighbors as multicast; used for neighbor discovery and as a keepalive.
• Update: there are no periodic updates; triggered, partial updates are sent when something changes.
• Query: sent when the successor path fails and there is no feasible successor.
• Reply: the answer to a query packet.
• ACK: sent (unicast) to acknowledge Update, Query and Reply packets, which are delivered reliably.

Successor
• The best path from the topology table is copied into the routing table.
• It is the route used to forward packets to the destination network.
• Present in the routing table and the topology table.
• The metric of the successor path is called the Feasible Distance (FD).

Feasible Successor
• A feasible successor is the second-best route to a destination network.
• It gives redundancy; it is a backup route.
• Present only in the topology table.
• Used immediately (without sending a query) when the primary route (successor) goes down.
• The metric the neighbor advertises for the destination is its Reported Distance (RD), also called the Advertised Distance (AD); a candidate qualifies as a feasible successor on the basis of its RD.

Advertised dist
ance: how far the destination is from your neighbor.
Feasible distance: the total distance from this router to the destination.
Successor: the best path to the destination.

Condition for choosing a Feasible Successor (the feasibility condition)
The candidate's advertised (reported) distance must be less than the feasible distance of the successor:
Advertised distance of feasible successor < Feasible distance of successor.
This guarantees the candidate does not route back through this router, so the backup path is loop-free.


EIGRP Route States
An EIGRP route can exist in one of two states in the topology table:
• Active state
• Passive state

A Passive state indicates that a route is reachable and that EIGRP is fully converged for it. A stable EIGRP network has all routes in the Passive state.

A route is placed in the Active state when the Successor fails and no Feasible Successor exists, forcing EIGRP to send Query packets and re-converge. Many routes in the Active state indicate an unstable EIGRP network. If a Feasible Successor exists, a route should never enter the Active state.

You can check the state of each route with: Router# show ip eigrp topology

To view only active routes in the topology table: Router# show ip eigrp topology active

R1 -> R5: Feasible Distance = 100 (10+20+30+40); Advertised Distance = 90 (20+30+40).

Verification
#show ip eigrp topology
(each path is shown as [FD/AD])
By default EIGRP provides equal-cost load balancing over up to 4 paths.
EIGRP can be configured to load-balance across more paths (equal or unequal cost):

Command
#router eigrp 10
#maximum-paths 6

#router eigrp 100
#metric maximum-hops 255

EIGRP Stub
Limits the scope of queries: a router never sends Query packets to a stub neighbor, so a stub router can never be the reason a route becomes Stuck in Active. Typical for spoke or branch routers with a single exit.


Stuck in Active: When a route (the current successor) goes down, the router first checks its topology table for a feasible successor. If no backup path (feasible successor) is present, the route goes Active: the router sends queries to its neighbors requesting a path to the lost network and waits for a reply from every one of them. If a neighbor does not reply within the active timer (3 minutes by default), the route is Stuck in Active (SIA) and the router resets the neighbor relationship with the non-responding peer. In normal operation a route is in the Passive state (P); if the successor fails and there is no backup path, the route is in the Active state (A).

EIGRP Load Balancing
1. Equal-cost load balancing
2. Unequal-cost load balancing

Equal-cost load balancing happens automatically between routes with the same metric; RIPv2, OSPF and EIGRP all support this.

EIGRP can also load-balance over paths whose metrics are not equal (for example 1000 and 1500), but this has to be enabled manually with the "variance" command. Variance is a multiplier: a feasible successor is installed alongside the successor when its feasible distance is less than or equal to variance x (successor's FD). With the best route at 1000 and a feasible successor at 1500, "variance 2" installs both (1500 <= 2 x 1000), and traffic is shared in proportion to the metrics. Only routes that already satisfy the feasibility condition are eligible, whatever the variance.

EIGRP Metrics
EIGRP can use 5 separate metric components to determine the best route to a destination:

1. Bandwidth (K1)
2. Load (K2)
3. Delay of the line (K3)
4. Reliability (K4)
5. MTU (K5)

By default, only Bandwidth and Delay of the line are used:
K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0

EIGRP Metric (32-bit)
RIPv2 calculates the best route based on hop count.
EIGRP calculates the best route based on bandwidth, delay, load and reliability (MTU is carried in updates but never actually enters the metric formula; K5 scales the reliability term). K-values must match between neighbors, otherwise the adjacency will not form.


K1 = Bandwidth – the speed of the slowest link on the path (serial link 1544 kbps, FastEthernet 100 Mbps):
#interface serial0/0
#bandwidth <kilobits>

When we change the bandwidth, the metric changes too (the "bandwidth" command does not change the physical speed, only what routing protocols see, so it is a common way to steer traffic).

K3 = Delay – defined as the amount of time the path takes, summed over every outgoing interface along it (serial 20,000 microseconds, FastEthernet 100 microseconds, GigabitEthernet 10 microseconds).

More bandwidth – lower default delay.

K5 = MTU – 1500 bytes (carried in updates, but not part of the metric calculation).

K4 = Reliability – calculated from the status of the link, on a scale from 1 to 255: 1 = least reliable; 255 = fully reliable (default).

K2 = Load – calculated on a scale from 1 to 255: 1 = minimally loaded; 255 = saturated.

By default only bandwidth and delay (K1 and K3) are used for the metric calculation, i.e. K1=1, K2=0, K3=1, K4=0, K5=0, because reliability and load are variables that may change every second, and a metric that changes constantly would keep routes flapping.

Bandwidth and delay are fixed values; once configured, they stay fixed.
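The metric formula, the feasibility condition and the variance rule from the sections above, worked through in one added Python example that is not part of these notes. The topology table is constructed: the bandwidth and delay values are the interface defaults quoted above (T1 serial 1544 kbps / 20,000 us, FastEthernet 100,000 kbps / 100 us), and the neighbor names R2-R4 are assumptions.

```python
# Added example, not from the original notes: the classic EIGRP composite
# metric with the default K values, successor / feasible-successor selection
# by the feasibility condition, and unequal-cost load balancing via variance.

def eigrp_metric(min_bw_kbps, total_delay_usec,
                 k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Classic 32-bit EIGRP metric. Bandwidth is the slowest link on the path
    in kbit/s, delay the sum of interface delays in microseconds. Integer
    division reproduces what IOS shows in 'show ip eigrp topology'."""
    bw = 10_000_000 // min_bw_kbps          # scaled inverse bandwidth
    dly = total_delay_usec // 10            # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:                                  # reliability term only if K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def eigrp_paths(topology):
    """topology: one entry per neighbor that advertises the destination:
    {"neighbor", "adv_bw_kbps", "adv_delay_usec", "link_bw_kbps", "link_delay_usec"}
    where adv_* describe the path from the neighbor onward and link_* the
    interface towards that neighbor. Returns entries with FD and RD, best first."""
    entries = []
    for t in topology:
        rd = eigrp_metric(t["adv_bw_kbps"], t["adv_delay_usec"])
        fd = eigrp_metric(min(t["adv_bw_kbps"], t["link_bw_kbps"]),
                          t["adv_delay_usec"] + t["link_delay_usec"])
        entries.append({"neighbor": t["neighbor"], "fd": fd, "rd": rd})
    return sorted(entries, key=lambda e: e["fd"])

def classify(entries, variance=1, maximum_paths=4):
    """Returns (successor, feasible successors, paths installed in the RIB)."""
    successor = entries[0]
    # Feasibility condition: the neighbor's reported distance must be strictly
    # lower than our feasible distance, which guarantees it does not route
    # back through us.
    feasible = [e for e in entries[1:] if e["rd"] < successor["fd"]]
    # variance: a feasible successor is also installed when
    # FD(candidate) <= variance * FD(successor).
    installed = [successor] + [e for e in feasible
                               if e["fd"] <= variance * successor["fd"]]
    return successor, feasible, installed[:maximum_paths]

# Constructed topology table for one destination as seen from R1.
SAMPLE_TOPOLOGY = [
    # R2 reaches it over a T1; R1 -> R2 is FastEthernet.
    {"neighbor": "R2", "adv_bw_kbps": 1544, "adv_delay_usec": 20000,
     "link_bw_kbps": 100000, "link_delay_usec": 100},
    # R3 is one FastEthernet hop away from it; R1 -> R3 is a T1.
    {"neighbor": "R3", "adv_bw_kbps": 100000, "adv_delay_usec": 200,
     "link_bw_kbps": 1544, "link_delay_usec": 20000},
    # R4 advertises a path that is worse than our own best: not feasible.
    {"neighbor": "R4", "adv_bw_kbps": 1544, "adv_delay_usec": 40000,
     "link_bw_kbps": 100000, "link_delay_usec": 100},
]

if __name__ == "__main__":
    entries = eigrp_paths(SAMPLE_TOPOLOGY)
    for v in (1, 2):
        s, fs, inst = classify(entries, variance=v)
        print("variance %d: successor %s, feasible %s, installed %s" % (
            v, s["neighbor"], [e["neighbor"] for e in fs], [e["neighbor"] for e in inst]))
```

eigrp_metric(1544, 20000) gives 2169856, the familiar T1 metric. R2 is the successor; R3 qualifies as a feasible successor because its RD (30720) is below R2's FD, but with the default variance 1 it stays out of the routing table; variance 2 installs it. R4's RD is higher than our FD, so it is never installed no matter how large the variance, which is exactly the loop protection the feasibility condition provides.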

OSPF
• Open Shortest Path First is a link-state routing protocol, designed for larger networks.
• OSPF forms neighbor relationships with adjacent routers in the same area.
• It advertises the status of directly connected links using Link-State Advertisements (LSAs).
• LSAs are additionally refreshed every 30 minutes.


• OSPF traffic is multicast either to 224.0.0.5 (all OSPF routers) or 224.0.0.6 (all Designated Routers).
• Uses the Dijkstra Shortest Path First algorithm to determine the shortest path.
• OSPF routes have an administrative distance of 110.
• OSPF uses cost as its metric, computed from the bandwidth of the link.
• OSPF COST = Reference bandwidth / Link bandwidth (the default reference bandwidth is 100 Mbps, so every link of 100 Mbps or faster gets cost 1 unless the reference bandwidth is raised on all routers).

DR and BDR Election Process
• On broadcast and NBMA networks a Designated Router (DR) is elected.
• The router with the highest priority is elected DR.
• If a router's priority is set to 0, it does not participate in the DR/BDR election.
• The priority can range from 0 to 255 (default 1).
• A Backup DR (BDR) is elected as well; it is the router with the second-highest priority.
• If priorities tie, the highest Router ID wins.
• The election is not preemptive: if a router with a higher priority comes up later, it does not become DR unless the OSPF process is cleared (or the current DR and BDR go away).

The DR has two main functions
It generates the network LSA that lists the routers connected to the segment, and it is responsible for maintaining the adjacencies on the segment (every router forms a full adjacency with the DR and BDR only). The DR and BDR listen on the AllDRouters address 224.0.0.6; the other routers send their updates there, and the DR floods them back to all routers on the AllSPFRouters address 224.0.0.5.

Router ID
• It provides a unique identity for the OSPF router.
• It can be set statically.
• If no OSPF Router ID is configured, the highest IP address among the loopback interfaces is selected.
• If there is no loopback, the highest IP address among the physical interfaces is selected.

AREA
An area is a logical grouping of routers. Every router inside an area must hold an identical link-state database, and every change inside the area triggers a new SPF run on every router in it. In a large organization (200+ networks) a single area means every router, including small branch routers with limited memory and CPU, carries the whole database and recomputes SPF on every change. Splitting the network into areas keeps the database and the SPF calculation per area small.
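The Router ID selection and the DR/BDR election described above, as an added Python example that is not part of these notes. It simplifies RFC 2328 section 9.4 to the rules the notes state: priority 0 never participates, highest priority then highest Router ID wins, and an existing DR or BDR is never pre-empted; the Router ID order (manual, then highest loopback, then highest physical address) is the IOS behaviour. The router IDs, addresses and priorities are constructed.

```python
from ipaddress import IPv4Address

# Added example, not from the original notes: OSPF Router ID selection and a
# simplified, non-preemptive DR/BDR election on one broadcast segment.

def router_id(manual=None, loopbacks=(), physical=()):
    """IOS order: configured router-id, else highest loopback IP, else highest
    IP on any physical interface."""
    if manual:
        return manual
    for pool in (loopbacks, physical):
        if pool:
            return str(max(pool, key=IPv4Address))
    raise ValueError("no IP address available to derive a Router ID")

def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """routers: {router_id: priority}. Priority 0 never becomes DR/BDR.
    Highest priority wins, ties broken by the highest Router ID. A DR/BDR
    that is still present and eligible keeps its role (no pre-emption); if
    the DR disappears the BDR is promoted and a new BDR is chosen."""
    eligible = {rid: p for rid, p in routers.items() if p > 0}
    if not eligible:
        return None, None
    rank = lambda rid: (eligible[rid], IPv4Address(rid))
    if current_dr in eligible:
        dr = current_dr
    elif current_bdr in eligible:
        dr = current_bdr
    else:
        dr = max(eligible, key=rank)
    others = {rid: p for rid, p in eligible.items() if rid != dr}
    if current_bdr in others:
        bdr = current_bdr
    elif others:
        bdr = max(others, key=rank)
    else:
        bdr = None
    return dr, bdr

if __name__ == "__main__":
    # Constructed segment: two routers at default priority, one spoke at 0.
    segment = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 0}
    dr, bdr = elect_dr_bdr(segment)
    print("initial election:", dr, bdr)
    segment["4.4.4.4"] = 200            # joins later with a higher priority
    print("after 4.4.4.4 joins:", elect_dr_bdr(segment, dr, bdr))
    del segment["2.2.2.2"]              # DR fails
    print("after DR fails:", elect_dr_bdr(segment, dr, bdr))
```

The middle case is the one that surprises people: a router with priority 200 joining a segment whose DR and BDR are both at priority 1 does not take over until the process is cleared or both of them fail. On the other hand a malicious or misconfigured router that is first on the segment, or that has the highest Router ID when everyone is at the default priority, becomes DR without anyone noticing, which is why priority 0 on untrusted or spoke routers and authentication on the segment both matter.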


Tables
• Neighbor Table – contains a list of all neighboring routers.
• Topology Table (link-state database) – contains all LSAs, i.e. all possible routes within an area.
• Routing Table – contains the best route for each known network.

Types of Routers
Internal (IR) – all OSPF interfaces belong to the same OSPF area.
Backbone – at least one OSPF interface belongs to area 0 (the backbone area).
Area Border Router (ABR) – at least one OSPF interface belongs to area 0 (the backbone area) and at least one OSPF interface belongs to a non-backbone (non-zero) area.
Autonomous System Boundary Router (ASBR) – an OSPF router that performs route injection (redistribution) from another route source (RIP, EIGRP, IS-IS, BGP, another OSPF process, etc.).

Packet Types
Hello – discovers neighbors and works as a keepalive.
Database Description (DBD) – contains a summary of the LSDB: LSA headers with RIDs and sequence numbers.
Link State Request (LSR) – requests the specific LSAs the router found missing or outdated in a DBD.
Link State Update (LSU) – contains one or more complete LSAs.
Link State Acknowledgement (LSAck) – acknowledges received LSAs (flooding is reliable; Hellos are not acknowledged).

States
There are 8 OSPF neighbor states when forming neighbor relationships.
1. Down State: The first OSPF neighbor state. The OSPF process is running but no Hello has been received from the neighbor.

2. Attempt: Used only for manually configured neighbors on a Non-Broadcast Multi-Access (NBMA) network. It indicates that the router is sending unicast Hello packets to the neighbor but has not received a reply within the Dead Interval (4 x Hello Interval). Example of an NBMA network: Frame Relay, which has no broadcast or multicast capability.


3. Init State: The router has received a Hello from its neighbor, but its own Router ID is not yet listed in the neighbor's Hello packet.

4. Two-Way State: A Hello is received from the other router with this router's own RID in the neighbor field. All other required parameters (area, timers, subnet mask, authentication) match and the routers become neighbors. On a broadcast segment the DR/BDR election happens here.

5. ExStart State: The router and its neighbor establish a master/slave relationship and choose the initial sequence number for the exchange of Database Description packets. The router with the highest Router ID becomes the master.

6. Exchange State: Routers exchange DBDs describing their entire link-state database; a router may also send Link State Requests to ask for more recent LSAs.

7. Loading State: Routers compare the DBDs with their own LSDB. LSRs are sent for missing or outdated LSAs, each router responds with Link State Updates, and the LSUs are acknowledged.

8. Full State: The LSDB is completely synchronized with the OSPF neighbor; the routers are fully adjacent. The adjacency appears in router LSAs and network LSAs.

LSDB Overload
In large OSPF networks, if major network changes occur, a flood of LSAs immediately hits the entire network. The number of incoming LSAs at each router can be substantial and bring its CPU and memory to their knees. A misconfigured redistribution, or an attacker who has managed to form an adjacency, injecting large numbers of LSAs has the same effect.

To mitigate that scenario, Cisco offers Link State Database Overload Protection. Once enabled, if the number of received non-self-generated LSAs exceeds the configured threshold for a one-minute period, the router enters the ignore state: it drops all adjacencies and clears the OSPF database, then retries after the ignore time. (# max-lsa number)

OSPF Stub Limitations
• Virtual links cannot be included.
• Cannot include an ASBR.
• The stub configuration must be applied to every router within the stubby area.
• Area 0 cannot be a stub.


Virtual Link
A virtual link is not a physical link. It is a logical link over the least-cost path between the ABR of an area that is not directly connected to the backbone and an ABR of the transit area that is. A virtual adjacency is formed across the virtual link and routing information is exchanged as if the remote ABR were attached to area 0.

OSPF Authentication
• Null (type 0): the default, no authentication.
• Simple authentication (type 1): a plaintext key carried in every OSPF packet. Anyone who can capture traffic on the segment reads the key, so this only prevents accidental adjacencies, not attacks.
• MD5 cryptographic authentication (type 2): the key never leaves the router; each packet carries a key ID, a sequence number and an MD5 digest computed over the packet plus the key. The sequence number gives basic replay protection. Newer IOS releases also support HMAC-SHA via key chains (RFC 5709), which should be preferred where available.

Matching authentication methods and keys must be configured on each interface of a segment. Different keys could in theory be used on different router interfaces; the routers on the other ends of those links just need matching information. The key ID must match as well.

Simple Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf authentication-key KEY123
R1(config-if)# ip ospf authentication
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication

MD5 Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf message-digest-key 1 md5 KEY123
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest

Either the interface command or the area command is enough to turn authentication on; the interface setting takes precedence, and the examples above enable it both ways. When an adjacency fails to form after enabling it, an authentication type or key mismatch between the two ends is the first thing to check.
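How the MD5 trailer is built and checked, as an added Python example that is neither from these notes nor IOS code. It follows RFC 2328 Appendix D: the packet carries the key ID, the auth data length and a cryptographic sequence number in the authentication field, and the 16-byte digest MD5(packet || key) is appended after the packet. Zero-padding the key to 16 bytes and the Hello field values are assumptions made for the example, and the packet bytes are constructed, not captured.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example, not part of the original notes: how the OSPF MD5
# authentication trailer (RFC 2328 Appendix D) is produced and checked, and
# why the cryptographic sequence number matters. The packet bytes below are
# constructed here, not captured from a router.

AUTH_CRYPTO = 2        # AuType 2 = cryptographic authentication

def _pad_key(key):
    """RFC 2328 keys are 16 bytes; shorter keys are zero-padded (assumption
    about how 'ip ospf message-digest-key N md5 <key>' is treated)."""
    key = key.encode() if isinstance(key, str) else key
    if len(key) > 16:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(16, b"\x00")

def ospf_hello(router_id, area_id, key_id, seq, mask="255.255.255.0",
               hello=10, dead=40, priority=1, options=0x02):
    """OSPFv2 header + Hello body with the AuType-2 authentication field
    (0, key ID, auth data length 16, sequence number) filled in. The checksum
    field stays 0: it is not used when cryptographic authentication is on."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, options,
                       priority, dead, b"\x00" * 4, b"\x00" * 4)   # DR, BDR = 0.0.0.0
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, AUTH_CRYPTO, auth)
    return header + body

def md5_sign(packet, key):
    """Append the 16-byte digest: MD5(packet || padded key). The digest is not
    counted in the OSPF length field."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()

def md5_verify(wire, key, last_seq=None):
    """Receiver side. Returns (ok, reason). Verifies the AuType, the digest,
    and that the sequence number did not go backwards (replay protection)."""
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + 16]
    autype = struct.unpack("!H", packet[14:16])[0]
    if autype != AUTH_CRYPTO or len(digest) != 16:
        return False, "not cryptographically authenticated"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if auth_len != 16:
        return False, "unexpected auth data length"
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest (wrong key %d or modified packet)" % key_id
    if last_seq is not None and seq < last_seq:
        return False, "replayed packet (sequence number went backwards)"
    return True, "ok"

if __name__ == "__main__":
    wire = md5_sign(ospf_hello("1.1.1.1", "0.0.0.0", key_id=1, seq=1000), "KEY123")
    print(md5_verify(wire, "KEY123"))
    print(md5_verify(wire, "WRONG"))
```

A packet with the wrong key, a packet whose priority byte was changed in transit, and a captured packet replayed with an older sequence number are all rejected; an unauthenticated Hello is rejected outright because its AuType is not 2. The digest is a keyed hash and not a signature, so every router sharing the key can forge packets for the segment: the key is a shared secret and should be rolled with key chains rather than reused across the whole domain.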


Hello / Dead Interval

• OSPF Hello/Dead interval for non-broadcast and point-to-multipoint interfaces: 30/120 seconds.
• OSPF Hello/Dead interval for broadcast and point-to-point interfaces: 10/40 seconds.
• Notice that, by default, the Dead interval is four times the Hello interval. Both must match between neighbors or the adjacency will not form.

Area Types
• Standard area
• Backbone area (area 0)
• Stub area
• Totally stubby area
• Not-so-stubby area (NSSA)
• Totally NSSA

Stub Area (area <area> stub)
It contains type 1, 2 and 3 LSAs.
No type 4 or 5 LSAs (E1 or E2 routes) are allowed.
Routers reach external routes via the default route that is injected by the ABR.
It cannot contain an ASBR.
The backbone area cannot be configured as a stub area.

Totally Stubby Area (area <area> stub no-summary)
Cisco proprietary.
It contains type 1 and 2 LSAs only, plus a single type 3 LSA for the default route.
Type 3, 4 and 5 LSAs are stopped at the ABR.
A default route is injected by the ABR.
Only the ABR has to be configured with the "no-summary" keyword.
Internal routers in the totally stubby area need only the "area <area> stub" command.

• Standard areas can contain LSAs of type 1, 2, 3, 4 and 5, and may contain an ASBR. The backbone is considered a standard area.

• Stub areas can contain type 1, 2 and 3 LSAs. A default route is substituted for external routes.

• Totally stubby areas can contain only type 1 and 2 LSAs, and a single type 3 LSA. The type 3 LSA describes a default route, substituted for all external and inter-area routes.


• Not-so-stubby areas implement stub or totally stubby functionality yet contain an ASBR. Type 7 LSAs generated by the ASBR are converted to type 5 by the ABR to be flooded to the rest of the OSPF domain.

Network Types
- An OSPF router maintains a data structure for each OSPF-enabled interface.
- If the network type is changed, the Hello and Dead timers are adjusted accordingly.
- Cisco OSPF defines six network types (broadcast, non-broadcast, point-to-point, point-to-multipoint, point-to-multipoint non-broadcast and loopback).

Broadcast Network
The default network type on Ethernet interfaces.
Elects a DR and a BDR.
Uses the multicast addresses 224.0.0.5 (MAC 0100.5E00.0005) for AllSPFRouters and 224.0.0.6 (MAC 0100.5E00.0006) for AllDRouters.
There is no next-hop modification: the next-hop IP remains that of the originating router.
Layer 3 to Layer 2 resolution (ARP) is required.
Broadcast networks cannot have unicast neighbors configured.
10 second Hello / 40 second Dead interval.

Non-Broadcast Network
Can connect more than two routers but has no native broadcast capability.
Non-broadcast is the default network type on multipoint Frame Relay interfaces, e.g. a main interface.
OSPF routers on NBMA networks elect a DR and BDR, but all OSPF packets are unicast between each manually specified neighbor, configured with the "neighbor" command.
The next-hop IP is not changed and remains the IP address of the originating router.
The default priority is 1; it should be set to 0 on all spokes, to prevent a spoke (which cannot reach the other spokes directly) from becoming a black-hole DR/BDR.
30 second Hello / 120 second Dead interval.

Point-to-Point Network
Default on T1, DS-3 and SONET links and on point-to-point sub-interfaces on Frame Relay.
Has no DR/BDR election; OSPF is configured as normal.
Uses the multicast destination AllSPFRouters (224.0.0.5), except for retransmitted LSAs, which are unicast.
The next-hop IP is that of the advertising router.

Page 44: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

OSPF ignores subnet mask mismatch on point-to-point links.10 hello / 40 dead-interval

Points to Remember:

• When priority is set to 0, that router won't participate in the DR/BDR election.
• When routes from other routing protocols are being redistributed into OSPF, make sure the "subnets" option is added.
• If a ping to 224.0.0.5 fails, the router has no OSPF neighbors.
• When OSPF is enabled across an NBMA network, a DR/BDR election will occur. We need to configure the neighbor command to build adjacencies.
• If no loopback is configured, the router with the highest IP address will be the DR (the highest interface address becomes the router ID, which breaks the tie between routers of equal priority).
• OSPFv3 for IPv6 authentication is supported by IPv6 IPsec.
• By default, routes redistributed from other routing protocols into OSPF appear as type E2 routes in the OSPF routing table.
• In OSPF, a router will only establish full adjacency with the DR and BDR on broadcast multi-access networks.
• OSPF Network LSAs are originated by the DR on every multi-access network. They include all attached routers, including the DR itself.
• In OSPF, if a router is stuck in the INIT state it means that the router didn't receive hello packets from the neighboring router.
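The DR/BDR rules above (priority 0 never takes part, highest priority wins, ties broken by the router ID, router ID taken from the highest loopback or else the highest interface address) as a runnable election, added here as an example and not part of the original notes. The router names, addresses and the simplified no-pre-emption handling of an existing DR are assumptions for the example.

```python
"""OSPF DR/BDR election on a multi-access segment (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class OspfRouter:
    name: str
    interface_ips: List[str]                    # all active interface addresses
    loopback_ips: List[str] = field(default_factory=list)
    priority: int = 1                           # Cisco default; 0 means "never DR/BDR"

    def router_id(self) -> IPv4Address:
        """Highest loopback wins; without a loopback, the highest interface IP."""
        pool = self.loopback_ips or self.interface_ips
        return max(IPv4Address(ip) for ip in pool)

    def election_key(self) -> Tuple[int, int]:
        """Higher priority first, then higher router ID."""
        return (self.priority, int(self.router_id()))


def elect_dr_bdr(routers: List[OspfRouter],
                 current_dr: Optional[str] = None,
                 current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name); None where no eligible router exists.

    Simplified from RFC 2328 section 9.4 (assumption for this example): a live
    DR/BDR is never pre-empted, the BDR is promoted when the DR disappears,
    and the remaining slots go to the best (priority, router ID) of the rest.
    """
    eligible = {r.name: r for r in routers if r.priority > 0}
    if not eligible:
        return (None, None)          # e.g. NBMA spokes all at priority 0 and hub down

    if current_dr in eligible:
        dr = current_dr              # a live DR keeps its role
    elif current_bdr in eligible:
        dr = current_bdr             # the BDR takes over when the DR goes away
    else:
        dr = max(eligible.values(), key=OspfRouter.election_key).name

    others = [r for name, r in eligible.items() if name != dr]
    if not others:
        return (dr, None)
    if current_bdr in eligible and current_bdr != dr:
        bdr = current_bdr
    else:
        bdr = max(others, key=OspfRouter.election_key).name
    return (dr, bdr)


# Constructed Ethernet segment: R3 has no loopback, so its router ID is its
# highest interface address, which beats the loopbacks of R1 and R2.
ETHERNET_SEGMENT = [
    OspfRouter("R1", ["10.0.0.1"], loopback_ips=["1.1.1.1"]),
    OspfRouter("R2", ["10.0.0.2"], loopback_ips=["2.2.2.2"]),
    OspfRouter("R3", ["10.0.0.3", "192.168.50.3"]),
    OspfRouter("R4", ["10.0.0.4"], loopback_ips=["4.4.4.4"], priority=0),
]

# Constructed NBMA hub-and-spoke: spokes at priority 0, so only the hub can be DR.
NBMA_SEGMENT = [
    OspfRouter("HUB", ["172.16.0.1"], loopback_ips=["1.1.1.1"], priority=255),
    OspfRouter("SPOKE1", ["172.16.0.2"], loopback_ips=["9.9.9.9"], priority=0),
    OspfRouter("SPOKE2", ["172.16.0.3"], loopback_ips=["8.8.8.8"], priority=0),
]


if __name__ == "__main__":
    print("cold start:", elect_dr_bdr(ETHERNET_SEGMENT))
    print("R1 was DR, stays DR:", elect_dr_bdr(ETHERNET_SEGMENT, "R1", "R2"))
    print("R1 lost:", elect_dr_bdr([r for r in ETHERNET_SEGMENT if r.name != "R1"], "R1", "R2"))
    print("NBMA hub/spoke:", elect_dr_bdr(NBMA_SEGMENT))
```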

Advantages of creating multiple areas in OSPF
• Less frequent SPF calculation
• Smaller routing table
• Reduced LSU overhead

Three restrictions apply to OSPF stub areas:
• No virtual links are allowed.
• The area cannot be a backbone area.
• No Autonomous System Boundary Routers (ASBRs) are allowed.

Two statements about route redistribution when implementing OSPF:
• OSPF can import routes learned using EIGRP and RIP.
• OSPF routes can be exported into BGP.

Three statements about OSPF areas:
o Areas introduce a boundary on the link-state updates.
o All routers within an area have the exact same link-state database.
o The calculation of the Dijkstra algorithm on a router is limited to changes within an area.

R2 belongs to both Area 0 and Area 1. R5 belongs to both Area 0 and Area 2. These routers are known as Area Border Routers (ABRs).

Area 0 is known as Backbone Area. Every router which has an interface in Area 0 can be considered a Backbone Router. All other areas must have a connection to Area 0 (except using virtual-link). Without Area 0, routers can only function within that area.

OSPF has 11 LSA Types from 1 to 11 but some of them are not used like Type 6 (Multicast LSA), 8 (used for BGP), 9, 10, 11 (Opaque LSAs).

R7 has Type 1, Type 2 and Type 3 LSAs. If you check R2 (ABR), it has Type 1, Type 2 and Type 3 LSAs for both Area 0 and Area 1. If you check R5 (ABR), it has Type 1, Type 2 and Type 3 LSAs for both Area 0 and Area 2.

Router link LSA (Type 1) – Each router generates a Type 1 LSA that lists its active interfaces, IP addresses, neighbors and the cost to each. A Type 1 LSA is only flooded inside the router's area; it does not cross an ABR.

Network link LSA (Type 2) – Sent out by the designated router (DR) and lists all the routers on the segment it is adjacent to. Type 2 LSAs are flooded within their area only; they do not cross an ABR. Type 1 and Type 2 LSAs are the basis of SPF path selection.

Summary link LSA (Type 3) – ABRs generate this LSA to send between areas (so Type 3 is called an inter-area link). The ABR gathers the information it has learned in one of its attached areas and summarizes it before sending it into another area. Type 3 LSAs are injected by the ABR from the backbone area into other areas and from other areas into the backbone area.

"ADV router" is the router that is advertising that information.

R3(config)# router ospf 1
R3(config-router)# redistribute eigrp 100 subnets

Summary ASBR LSA (Type 4) – Generated by the ABR to describe an ASBR to routers in other areas, so that routers in other areas know how to get to external routes through that ASBR.

LSA Type 4 is used so routers in other areas can find the ASBR; since R1 and R2 are in the same area (R1 already knows the router ID of R2), there is no need to install an LSA Type 4 in the LSDB of R1.

External Link LSA (Type 5) – Generated by the ASBR to describe routes redistributed into the area, pointing the destination for these external routes to the ASBR. These routes appear as O E1 or O E2 in the routing table. In the topology below, R3 generates Type 5 LSAs to describe the external routes redistributed from R8 and floods them to all other routers, telling them "hey, if you want to reach these external routes, send your packets to me!". But other routers will ask "how can I reach you? You didn't tell me where you are in your LSA Type 5!". And that is what the LSA Type 4 does: it tells routers in other areas where the ASBR is.

Multicast LSA (Type 6) – Specialized LSAs used in multicast OSPF applications. Cisco does not support it.

NSSA External LSA (Type 7) – Generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR.

LSA Type 8 (External attributes LSA for Border Gateway Protocol (BGP)) – Used to work with BGP.

LSA Types 9, 10, 11 (Opaque LSAs) – For future use.

BGP (Border Gateway Protocol)
Within an autonomous system we use an IGP protocol like OSPF or EIGRP. For routing between different autonomous systems we use an EGP, i.e. BGP.

The Internet is a bunch of ASes connected to each other. We need to register an AS number for BGP, just like a public IP address.
AS numbers are 16 bit, from 1-65535.
Private range: 64512-65535.

There are 2 types of BGP:
• EBGP
• IBGP

EBGP: used for routing between two different autonomous systems.
IBGP: used for routing within the same autonomous system.

Features:
• It is an open standard.
• Exterior Gateway Protocol.
• It is the routing protocol we use to route between autonomous systems.
• It guarantees loop-free routing information.
• It avoids loops by being a path vector routing protocol [BGP saves the path (the list of ASes) a route has passed through when it enters an AS].
• It doesn't use metrics but a rich set of BGP attributes.
• It uses TCP port 179.
• Administrative distance of EBGP is 20.
• Administrative distance of IBGP is 200.
• Authentication used in BGP is MD5.
• Currently using BGP v4.
• BGP saves paths to all destinations in a table called the forwarding table. The best path from the forwarding table is saved in the routing table.
• Routers running BGP are termed BGP speakers. Its neighbors are called peers. Peers must be configured statically.
• It was built for reliability and control but not for speed.
• Once BGP peers form a neighbor relationship, they share their full routing table. Afterwards, only changes to the routing table are forwarded to peers.
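The path-vector loop prevention mentioned above, as an added example (not from the original notes): each speaker prepends its own AS number to AS_PATH when advertising to an EBGP peer and drops any UPDATE whose AS_PATH already contains its own AS. The four-AS topology, the shortest-AS_PATH tie-break and the documentation prefix 203.0.113.0/24 are assumptions for the example.

```python
"""Path-vector loop prevention as BGP does it (added example)."""
from typing import Dict, List, Optional, Tuple

AsPath = Tuple[int, ...]


class BgpSpeaker:
    def __init__(self, asn: int) -> None:
        self.asn = asn
        self.peers: List["BgpSpeaker"] = []
        # BGP table: every path learned per prefix, keyed by the peer that sent it
        self.table: Dict[str, Dict[int, AsPath]] = {}
        self.dropped: List[Tuple[str, AsPath]] = []   # UPDATEs rejected because of a loop

    def peer_with(self, other: "BgpSpeaker") -> None:
        """EBGP peers must be configured statically on both sides."""
        self.peers.append(other)
        other.peers.append(self)

    def originate(self, prefix: str) -> None:
        self.table.setdefault(prefix, {})[self.asn] = ()   # local route, empty AS_PATH
        self._advertise(prefix)

    def receive(self, prefix: str, path: AsPath, sender: int) -> None:
        if self.asn in path:
            self.dropped.append((prefix, path))   # my own AS already in the path: loop
            return
        paths = self.table.setdefault(prefix, {})
        if paths.get(sender) == path:
            return                                # already known, nothing to re-advertise
        paths[sender] = path                      # a newer path from the same peer replaces the old
        self._advertise(prefix)

    def best_path(self, prefix: str) -> Optional[AsPath]:
        """Shortest AS_PATH wins here; real BGP weighs other attributes first."""
        paths = self.table.get(prefix)
        if not paths:
            return None
        return min(paths.values(), key=lambda p: (len(p), p))

    def _advertise(self, prefix: str) -> None:
        best = self.best_path(prefix)
        if best is None:
            return
        outgoing = (self.asn,) + best             # prepend own ASN before sending to EBGP peers
        for peer in self.peers:
            peer.receive(prefix, outgoing, self.asn)


def build_topology() -> Dict[int, BgpSpeaker]:
    """Constructed: AS 100 originates the prefix; 100-200-300 form a triangle."""
    speakers = {asn: BgpSpeaker(asn) for asn in (100, 200, 300, 400)}
    speakers[100].peer_with(speakers[200])
    speakers[100].peer_with(speakers[300])
    speakers[200].peer_with(speakers[300])
    speakers[200].peer_with(speakers[400])
    speakers[300].peer_with(speakers[400])
    speakers[100].originate("203.0.113.0/24")
    return speakers


if __name__ == "__main__":
    for asn, speaker in build_topology().items():
        print(asn, "best AS_PATH:", speaker.best_path("203.0.113.0/24"),
              "looped UPDATEs dropped:", len(speaker.dropped))
```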

ASA (ADAPTIVE SECURITY APPLIANCE)

Firewall & types of firewall
A firewall is a network security device; it is used to secure the network. It permits or denies traffic between an untrusted zone (Internet) and a trusted zone (a private or corporate network). By default all traffic is blocked in a firewall.

Types of firewall:
• Packet filtering firewall
• Application gateway firewall
• Stateful inspection

Stateful firewall & stateful inspection
A stateful firewall keeps track of the state of the network connections travelling across it.

Stateful inspection is a technology used in a stateful firewall. It is also referred to as dynamic packet filtering.

Security Context & types of context
Virtually dividing the firewall into more than one firewall is called a Security Context.

Context types:
• System context
• Admin context
• User-defined context

admin-context admin
context admin
 config-url Admin.cfg
 allocate-interface GigabitEthernet0/2

context C1
 config-url C1.cfg
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/0

How many virtual firewalls can be configured?

Model   No. of firewalls supported
5505    None
5510    2
5520    20
5540    50
5550    50
5580    50

How to activate the license
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Cluster ASA & high availability
Active/Standby: One forwarding path and one active ASA. The standby forwards traffic when the active device fails over. Traffic is not evenly distributed over both units. Active/Standby works in single or multiple context mode.

Active/Active for groups of contexts: Not supported in single context mode; only available in multiple context mode. Both ASAs forward at the same time by splitting the contexts into logical failover groups.

Active-Active failover
Available in multiple context mode; both security appliances can pass network traffic.

Configuration:
mac-address auto

ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary

ASA1(config)# context CTX-1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX-2
ASA1(config-ctx)# join-failover-group 2

failover lan unit primary
failover lan interface FOVER GigabitEthernet 0/1
failover link FOVER GigabitEthernet 0/1
failover interface ip FOVER 7.7.100.100 255.255.255.0 standby 7.7.100.101

packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 eq 23

Redundant interface & EtherChannel

Redundant Interface
interface redundant 1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif Inside
 no shutdown
 ip address 10.1.1.1 255.255.255.0

An ASA can have a maximum of 48 EtherChannels.

SLA Route monitoring
If the ASA is the border router, and the ISP link fails beyond a switch [ASA <-> Switch <-> ISP], the ASA will not get to know about the link failure. To overcome this, we make use of IP route tracking.

This is done by sending ICMP echos to the ISP, which the ISP router keeps replying to. If the ISP router fails, it will not send the reply. As a backup, we need to have ISP2 configured, and the ASA will automatically update its routing table to ISP2.

Syntax:
sla monitor <number>
 type echo protocol ipIcmpEcho <IP address> interface <interface name>
 timeout <0-604800000>        (in milliseconds)
 frequency <1-604800>         (in seconds)
sla monitor schedule <number> start-time now life <life seconds|forever>
track <1-500 tracked object> rtr <number> reachability

Configuration:
sla monitor 100
 type echo protocol ipIcmpEcho 7.7.6.6 interface outside
 timeout 100
 frequency 1
sla monitor schedule 100 start-time now life forever
track 1 rtr 100 reachability

RTR - Response Time Reporter

Routed firewall & transparent firewall

Routed Firewall                                    | Transparent Firewall
Default mode for an ASA firewall.                  | Known as "bump in the wire".
It acts as a Layer 3 device.                       | It acts as a Layer 2 device.
It uses routing protocols and static routes.       | Cannot run routing protocols (see the limitations of transparent mode).
Forwarding is based on destination IP addresses.   | Forwarding is based on destination MAC addresses.
Stateful.                                          | Stateful.

Adaptive Security Device Manager (ASDM) installation and management access

Telnet:
ASA(config)# telnet <IP Address> <subnet mask> <Interface Name>

SSH:
ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# ssh <IP Address> <subnet mask> <Interface Name>
ASA(config)# username cisco password cisco
ASA(config)# aaa authentication ssh console LOCAL

HTTP:
ASA(config)# http server enable
ASA(config)# http <IP Address> <subnet mask> <Interface Name>
ASA(config)# aaa authentication http console LOCAL

Static Route
ASA(config)# route <Interface Name> <Dest Network> <Net Mask> <Next Hop IP>

Default Route
ASA(config)# route <Interface Name> 0.0.0.0 0.0.0.0 <Next Hop IP>

EIGRP
router eigrp <AS>
 network <Network> <Subnet Mask>
 no auto-summary

OSPF
router ospf <process No.>
 network <Network> <Subnet Mask> area <Area ID>

Authentication in ASA Routing Protocols
RIP (interface configuration):
 rip authentication mode md5
 rip authentication key cisco key_id 1

EIGRP (interface configuration):
 authentication mode eigrp 100 md5
 authentication key eigrp 100 cisco key-id 1

Page 54: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Bypass traffic through the SAME SECURITY LEVEL
same-security-traffic permit inter-interface

Hairpinning in ASA
same-security-traffic permit intra-interface

Access Control List
Access lists can be configured to filter network traffic as it passes through the firewall.

ASA supports the following types of access control lists:
1. Standard access lists
2. Extended access lists
3. Webtype access lists
4. IPv6 ACLs
5. EtherType ACLs

1. Standard access lists: Identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

2. Extended access lists: An extended access list is made up of one or more access control entries (ACEs) in which you can specify the line number to insert the ACE, the source and destination addresses and, depending upon the ACE type, the protocol, the ports (for TCP or UDP) or the ICMP type (for ICMP).

3. Webtype access lists: Webtype access lists are added to a configuration that supports filtering for clientless SSL VPN.

5. EtherType access lists: An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number. You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can also apply the same access lists on multiple interfaces.

An ASA in transparent mode supports two types of access lists: IPv4 extended ACLs, used for Layer 3 traffic filtering, and EtherType ACLs, used for Layer 2 traffic filtering.

Properties of Transparent Mode
• ASA can be used in transparent firewall mode.
• This is done if you do not want the subnet or next hop to change in the network.
• It is a Layer 2 firewall.
• Also known as a bump in the wire / stealth firewall.
• Works on the MAC address instead of the routing table.
• QoS is not supported in transparent mode.
• Not counted as a router hop.
• By default ARP traffic is allowed from ANY to ANY.
• ARP can be controlled via ARP inspection.

Limitations of Transparent Mode
• VPN cannot be terminated, but can pass through.
• Cannot configure routing protocols.
• Can be a DHCP server but cannot be a DHCP relay agent.
• EtherType ACLs can only be configured in transparent mode.
• CDP cannot pass through the ASA unless the EtherType value is greater than 0x600.
• Can filter all IP and non-IP traffic.

There are 2 types of failover:

Stateless Failover
• When a failover occurs, all active connections are dropped.
• The end users/clients will need to re-establish connections when the new active unit takes over.

Stateful Failover
• When stateful failover is enabled, the active unit continuously passes per-connection state information to the standby unit.
• When a failover occurs, the same connection information is available at the new active unit, so the failover happens seamlessly.
• Supported end-user applications are not required to reconnect to keep the same communication sessions.

Failover Requirements

• Both ASAs in the pair should be the same model.
• Both ASAs should have the same number and type of interfaces.
• Both ASAs should have the same amount of RAM.
• Both should be in the same operating mode (transparent/routed and single/multiple context).
• The major and minor versions of the OS should be the same, but the patch number can be different.

Failover Link
• The failover link is a link connecting the ASA units in a failover pair.
• They constantly communicate over the failover link to determine the operating state of each unit.
• It is NEVER a data link and will never participate in data traffic!
• Cisco recommends using a switch between the two ends of the failover link, to find out which side is faulty if the failover connection is down.

There are 2 types of failover links:

LAN failover link (used for stateless failover)
• Message 1: Unit state (Active/Standby)
• Message 2: Hello message (keepalives, every 15 seconds)
• Message 3: Network link status
• Message 4: MAC address exchange
• Message 5: Configuration replication & synchronization

Stateful failover link (both links together are used for stateful failover)
• Table 1: NAT translation table (xlate)
• Table 2: TCP connection table
• Table 3: UDP connection table
• Table 4: ARP entries
• Table 5: Layer 2 bridge table (transparent mode)
• Table 6: HTTP connection table (if HTTP replication is enabled)
• Table 7: ISAKMP & IPsec table (VPN)

Health Monitoring
Unit monitoring: The failover link determines the health of the overall unit. HELLO packets are sent over the failover link. Lack of three consecutive HELLOs causes the ASA to send an additional HELLO packet out ALL data interfaces, including the failover link.

Upgrade ASA 8.2 to 9.1: zero-downtime steps (CLI)

Step 1: Back up your configuration, either by TFTP or by using the following command and copying the output:
ASA# more system:running-config

Step 2: Copy the ASA software to the active unit's flash memory.
ASA# copy tftp://192.168.100.100/asa901-smp-k8.bin disk0:/asa901-smp-k8.bin

Step 3: Copy the software to the standby unit. Use the same path as on the active unit.
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asa901-smp-k8.bin disk0:/asa901-smp-k8.bin

Step 4: Copy the ASDM image to the active unit's flash memory.
ASA# copy tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin

Step 5: Copy the ASDM image to the standby unit. Use the same path as on the active unit.
ASA# failover exec mate copy /noconfirm tftp://192.168.100.100/asdm-711.bin disk0:/asdm-711.bin

Step 6: Enter global configuration mode.
ASA# conf t
asa(config)#

Step 7: Verify the boot images currently configured. The ASA uses these images in order. To make the ASA boot to the new image, remove the existing entries and enter the image URLs in the desired order.
asa(config)# show running-config boot system

Step 8: Remove any existing boot image.
asa(config)# no boot system disk0:/asa861-smp-k8.bin

Step 9: Set the ASA image to boot. Repeat the command for backup images.
asa(config)# boot system disk0:/asa901-smp-k8.bin
asa(config)# boot system disk0:/asa861-smp-k8.bin

Step 10: Set the ASDM image to use. Only one can be configured.
asa(config)# asdm image disk0:/asdm-711.bin

Step 11: Save the settings to the startup config.
asa(config)# wr mem

Step 12: Reload the standby unit to boot the new image. Wait for the standby to finish loading and use the show failover command to verify that the standby unit is in the Standby Ready state.
ASA# failover reload-standby

Step 13: Force the active unit to fail over to the standby unit.
ASA# no failover active

Step 14: Reload the former active unit. Log into the active unit.
ASA# reload

State information passed:
• NAT table
• TCP connection states
• UDP connection states
• ARP table
• HTTP connection states
• ISAKMP and IPsec SA table
• SIP signaling sessions

State information not passed:
• User authentication (uauth) table
• Routing tables
• State information for Security Service Modules
• DHCP server address leases

Short version:
• Load the image on both units' disk0:
• Change the boot variable
• Save the config with that change
• From the active unit, "failover reload-standby"
• Wait for a successful reload and verify that the configuration is synced OK. You should expect a message that the mate software version is different.
• "no failover active" on the active unit
• Log into the newly active unit and "failover reload-standby"
• Wait for a successful reload and verify that the configuration is synced OK. Both units are now on 9.1(1).

How does a switch divert traffic to the standby ASA when the link to the active ASA is down?

Switches only forward frames based on MAC address. The secondary ASA takes over the MAC address of the failed ASA.

Active/Standby Failover Overview
Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for a transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in the standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC-to-IP address pairing, no ARP entries change or time out anywhere on the network.

ASA 5505
- Maximum throughput: 150 Mbps
- Maximum connections: 10,000 (Security Plus: 25,000)
- Maximum connections/sec: 4,000
- Maximum 3DES/AES (VPN) throughput: 100 Mbps
- Maximum VPN sessions: 10 (Security Plus: 25)
- Maximum SSL VPN sessions: 25
- Interfaces: 8 Ethernet

ASA 5510
- Maximum throughput: 300 Mbps
- Maximum connections: 50,000 (Security Plus: 130,000)
- Maximum connections/sec: 9,000
- Maximum 3DES/AES (VPN) throughput: 170 Mbps
- Maximum VPN sessions: 250
- Maximum SSL VPN sessions: 250
- Interfaces: 5 FastEthernet (2 Gigabit Ethernet + 3 Fast Ethernet)

ASA 5520
- Maximum throughput: 450 Mbps
- Maximum connections: 280,000
- Maximum connections/sec: 12,000
- Maximum 3DES/AES (VPN) throughput: 225 Mbps
- Maximum VPN sessions: 750
- Maximum SSL VPN sessions: 750
- Interfaces: 4 Gigabit Ethernet + 1 Fast Ethernet

ASA 5540
- Maximum throughput: 650 Mbps
- Maximum connections: 400,000
- Maximum connections/sec: 25,000
- Maximum 3DES/AES (VPN) throughput: 325 Mbps
- Maximum VPN sessions: 5,000
- Maximum SSL VPN sessions: 2,500
- Interfaces: 4 Gigabit Ethernet + 1 Fast Ethernet

ASA 5550
- Maximum throughput: 1.2 Gbps
- Maximum connections: 650,000
- Maximum connections/sec: 36,000
- Maximum 3DES/AES throughput: 425 Mbps
- Maximum VPN sessions: 5,000
- Maximum SSL VPN sessions: 5,000
- Interfaces: 8 Gigabit Ethernet + 1 Fast Ethernet

ASA 5580
- Maximum throughput: 10 Gbps
- Maximum connections: 2,000,000
- Maximum connections/sec: 150,000
- Maximum 3DES/AES throughput: 1 Gbps
- Maximum VPN sessions: 10,000
- Maximum SSL VPN sessions: 10,000

NAT on ASA

Note: the commands below are the pre-8.3 NAT syntax; from ASA 8.3 onward NAT is configured with network objects and the nat (real,mapped) form, so check the software version before reusing them.

Types of NAT:
- Static NAT
- Static PAT
- Dynamic NAT
- Dynamic PAT
- Bypass NAT
  - Identity NAT (nat 0)
  - Static identity NAT
  - NAT exemption
- Policy NAT
  - Static policy NAT
  - Dynamic policy NAT

Static NAT
static (inside,outside) <Mapped IP> <Real IP> netmask <Subnet Mask>
static (inside,outside) 5.5.5.5 10.1.1.1 netmask 255.255.255.255

Static PAT
static (inside,outside) <tcp|udp> <Mapped_IP> <Map_port> <real_IP> <real_port> netmask <mask>
static (inside,outside) tcp 5.5.5.5 telnet 10.1.1.1 telnet netmask 255.255.255.255

Dynamic NAT
nat (<interface>) <nat_id> <Network ID> <Subnet Mask>
global (<interface>) <nat_id> <StartIP>-<EndIP> netmask <Subnet Mask>
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 5.5.5.1-5.5.5.3 netmask 255.255.255.0

Dynamic PAT
nat (inside) <nat_id> 2.2.2.0 255.255.255.0
global (outside) <nat_id> interface
global (outside) 1 20.1.1.1

NAT BYPASS

Identity NAT
nat (<interface>) 0 <network> <mask>
nat (inside) 0 1.1.1.0 255.255.255.0

Static Identity NAT
static (inside,outside) <mapped IP> <Real IP> netmask <Subnet Mask>
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

NAT Exemption (policy-based identity NAT)
access-list <ACL Name> permit ip host <Source IP> host <Destination IP>
nat (inside) 0 access-list <ACL Name>

access-list 101 permit ip host 2.2.2.2 host 20.1.1.1
nat (inside) 0 access-list 101

Policy-based Dynamic NAT
access-list <ACL_Name2> permit ip 1.1.1.0 255.255.255.0 host 20.1.1.1
nat (<interface>) <nat_id> access-list <ACL_Name2>
global (<interface>) <nat_id> <mapped IP range>

Policy-based Static NAT
access-list <ACL Name> permit ip host 2.2.2.1 host 3.3.3.1
static (inside,outside) 22.22.22.22 access-list <ACL Name>

Dynamic Policy PAT
nat (<interface>) <ID> access-list <ACL>
global (<interface>) <ID> <mapped IP|interface>

IPsec VPN on ASA

Step 1: Enable ISAKMP on the outside interface
crypto isakmp enable outside

Step 2: ISAKMP policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Step 3: IPsec transform set
crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac

Step 4: Create an ACL to match the interesting traffic
access-list LAN_Traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Step 5: Create a tunnel group
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 pre-shared-key cisco

Step 6: Create a crypto map (the transform set must be the one defined in Step 3)
crypto map IMAP 1 match address LAN_Traffic
crypto map IMAP 1 set peer 172.16.2.2
crypto map IMAP 1 set transform-set TSET

Step 7: Apply the crypto map
crypto map IMAP interface outside

Types of Attack
• Cryptographic attacks
• Injection attacks
• Privilege escalation
• Phishing
• DoS
• Spoofing
• Malware

Password guessing attack
An unauthorized user repeatedly tries to log on to a computer or network by guessing usernames and passwords.
• Brute force attack
• Dictionary attack

Brute force attack
A brute force attack is a type of password guessing attack. In this type of attack, attackers systematically try every conceivable combination to find out the password of a user.

Dictionary attack
This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

Man in the middle attack
Occurs when an attacker successfully inserts an intermediary software or program between two communicating systems.

Phishing
• Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.

DoS attack
• It is also known as a "network saturation attack" or "bandwidth consumption attack".
• Attackers make denial-of-service attacks by sending a large number of protocol packets to a network.

Common DoS attacks
1. SYN attack
2. PING flood
3. Ping of death
4. Teardrop attack
5. Smurf attack

SYN attack / SYN flooding
• A SYN attack affects computers running the TCP/IP protocol.
• An attacker sends multiple SYN packets to the target computer.
• For each SYN packet received, the target computer allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. Since the target computer does not receive a response from the attacking computer, it attempts to resend the SYN-ACK.
• This leaves TCP ports in a half-open state. When an attacker sends TCP SYNs repeatedly, the target computer eventually runs out of resources and is unable to handle any more connections, thereby denying service to legitimate users.

PING flood
• It relies on the ICMP echo command, more popularly known as ping.
• In legitimate situations the ping command is used by network administrators to test connectivity between two computers.
• In the ping flood attack, it is used to flood large amounts of data packets to the victim's computer in an attempt to overload it.

Ping of death
• The maximum size for a packet is 65,535 bytes. If one were to send a packet larger than that, the receiving computer would ultimately crash from confusion.
• Sending a ping of this size is against the rules of the TCP/IP protocol, but hackers can bypass this by cleverly sending the packets in fragments. When the fragments are assembled on the receiving computer, the overall packet size is too great. This will cause a buffer overflow and crash the device.

Teardrop attack
• Teardrop attacks exploit the reassembly of fragmented IP packets. The fragment offset indicates the starting position of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

Smurf attack
• The attacker sends a large amount of ICMP traffic to a broadcast address and uses the victim's IP address as the source IP, so the replies from all the devices that respond to the broadcast address will flood the victim.
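The DoS patterns described above, seen from the detection side: an added example (not from the original notes) that runs three checks over a constructed list of packet records, half-open TCP handshakes per destination (SYN flood), echo requests per destination (ping flood, and the reflected side of a smurf attack), and fragment reassembly sanity (ping of death when the reassembled datagram would exceed 65,535 bytes, teardrop when fragments overlap). The packet record layout, addresses and thresholds are assumptions for the example.

```python
"""Detecting SYN flood, echo flood and malformed fragments (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_DATAGRAM = 65535        # largest value the IP total-length field can hold
IP_HEADER_LEN = 20          # minimal IPv4 header, counted once on reassembly
HALF_OPEN_LIMIT = 3         # constructed threshold for the example
ECHO_REQUEST_LIMIT = 5      # constructed threshold for the example


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp" or "icmp"
    flags: str = ""                     # TCP flags: "S", "SA", "A"
    icmp_type: Optional[int] = None     # 8 = echo request
    frag_id: Optional[int] = None       # IP identification, set only on fragments
    frag_offset: int = 0                # in 8-byte units, as carried in the header
    payload_len: int = 0                # bytes of data in this fragment


def syn_flood_targets(packets: List[Packet]) -> Set[str]:
    """Destinations with more half-open handshakes than HALF_OPEN_LIMIT."""
    pending: Dict[Tuple[str, str], bool] = {}
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst)
        if p.flags == "S":
            pending[key] = True            # SYN seen: resources allocated at dst
        elif p.flags == "A" and key in pending:
            pending[key] = False           # third packet arrived: handshake complete
    per_dst: Dict[str, int] = defaultdict(int)
    for (_, dst), half_open in pending.items():
        if half_open:
            per_dst[dst] += 1
    return {dst for dst, n in per_dst.items() if n > HALF_OPEN_LIMIT}


def echo_flood_targets(packets: List[Packet]) -> Set[str]:
    """Destinations receiving more echo requests than ECHO_REQUEST_LIMIT."""
    count: Dict[str, int] = defaultdict(int)
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            count[p.dst] += 1
    return {dst for dst, n in count.items() if n > ECHO_REQUEST_LIMIT}


def fragment_verdicts(packets: List[Packet]) -> Dict[Tuple[str, str, int], str]:
    """Walk each (src, dst, id) fragment group in offset order and classify it."""
    groups: Dict[Tuple[str, str, int], List[Packet]] = defaultdict(list)
    for p in packets:
        if p.frag_id is not None:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    verdicts: Dict[Tuple[str, str, int], str] = {}
    for key, frags in groups.items():
        end_of_data, verdict = 0, "ok"
        for f in sorted(frags, key=lambda f: f.frag_offset):
            start = f.frag_offset * 8
            if start < end_of_data:
                verdict = "teardrop"       # this fragment overlaps the previous one
                break
            end_of_data = start + f.payload_len
        if verdict == "ok" and end_of_data + IP_HEADER_LEN > MAX_DATAGRAM:
            verdict = "ping-of-death"      # reassembled size cannot fit an IP datagram
        verdicts[key] = verdict
    return verdicts


def build_sample_traffic() -> List[Packet]:
    """Constructed packets: one benign and one hostile instance of each pattern."""
    pkts: List[Packet] = []
    pkts += [Packet("10.9.9.1", "10.1.1.11", "tcp", "S"),        # legitimate handshake
             Packet("10.1.1.11", "10.9.9.1", "tcp", "SA"),
             Packet("10.9.9.1", "10.1.1.11", "tcp", "A")]
    pkts += [Packet(f"198.51.100.{i}", "10.1.1.10", "tcp", "S")  # five SYNs, never completed
             for i in range(1, 6)]
    pkts += [Packet("198.51.100.7", "10.1.1.20", "icmp", icmp_type=8) for _ in range(8)]
    pkts += [Packet("10.9.9.2", "10.1.1.21", "icmp", icmp_type=8) for _ in range(2)]
    pkts += [Packet("10.9.9.3", "10.1.1.30", "icmp", frag_id=1, frag_offset=0, payload_len=1480),
             Packet("10.9.9.3", "10.1.1.30", "icmp", frag_id=1, frag_offset=185, payload_len=520)]
    pkts += [Packet("198.51.100.8", "10.1.1.30", "icmp", frag_id=2, frag_offset=0, payload_len=1480),
             Packet("198.51.100.8", "10.1.1.30", "icmp", frag_id=2, frag_offset=150, payload_len=800)]
    pkts += [Packet("198.51.100.9", "10.1.1.30", "icmp", frag_id=3, frag_offset=i * 185, payload_len=1480)
             for i in range(45)]                                 # 45 * 1480 = 66,600 bytes of data
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("SYN flood targets:", syn_flood_targets(traffic))
    print("echo flood targets:", echo_flood_targets(traffic))
    print("fragment groups:", fragment_verdicts(traffic))
```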

Spoofing
• Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address.
• In IP spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity.

VPN

A VPN connection is the extension of a private network that includes links across shared or public networks, such as the Internet. VPN connections (VPNs) enable organizations to send data between two computers across the Internet in a manner that emulates the properties of a point-to-point private link.

Types of VPN
1. Site-to-Site VPN: between two branches.
2. Remote-Access VPN: accessing or forming a VPN from remote locations.

Phase 1 tunnel: only 6 packets go through it. Known as the ISAKMP tunnel.
Phase 2 tunnel: only DATA goes through this tunnel, no negotiation.

Control traffic goes through the Phase 1 tunnel.
Data traffic goes through the Phase 2 tunnel.

Phase 1 is called the ISAKMP tunnel.
Phase 2 is called the IPsec tunnel.

-> 1st packet: ISAKMP policy exchange [Encryption: 3des; Hash: sha; Authentication: PSK; Group: 2]
<- 2nd packet: ISAKMP policy exchange
The policy exchange protects the 1st tunnel (Phase 1 tunnel), because through the 1st tunnel we are going to exchange the pre-shared key. The policy exchange takes place before the 1st tunnel is created.

-> 3rd packet: DH public key + nonce
<- 4th packet: DH public key + nonce
[A nonce is a random number that may only be used once. It is issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.]

-> 5th packet: SSK (Shared Secret Key) is generated; the pre-shared key (PSK) is encrypted with the SSK
<- 6th packet: pre-shared key (PSK)

-> 7th packet: transform-set (AES, MD5)
<- 8th packet: transform-set (AES, MD5)
-> 9th packet: acknowledgment (ACK)

Phase 1 exchange (Main mode) [Control plane]
- If the exchange stops at the 1st and 2nd packet, that means an ISAKMP policy mismatch.
- Packets 3 and 4: DH public key + nonce
- Packets 5 and 6: PSK (pre-shared key)

Phase 2 exchange (Quick mode) [Data plane]
- Packets 7 and 8: transform-set (SA (Security Association) policy exchange: AES, MD5)
- Packet 9: acknowledgment

Main Mode
- MM_NO_STATE: There is an ISAKMP SA, but none of the parameters have been negotiated yet.
- MM_SA_SETUP: The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information.
- MM_KEY_EXCH: The devices have used the DH algorithm to create a common key, but they have not yet authenticated the session.

Aggressive Mode
- AG_NO_STATE: There is an ISAKMP SA, but none of the parameters have been negotiated yet.
- AG_INIT_EXCH: The devices have initiated an Aggressive Mode exchange.
- AG_AUTH: The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode.

Quick Mode
- QM_IDLE: The SA is authenticated and ready for use.

Troubleshooting
- MM_NO_STATE: policy mismatch
- MM_KEY_EXCH: DH key mismatch
- QM_IDLE but Phase 2 tunnel not formed: policy mismatch in Phase 2 (transform-set)
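To tie the packet sequence and the state table together, here is an added model of the IKEv1 main-mode negotiation (not code from these notes and not Cisco's implementation). It returns the ISAKMP state a negotiation stops in when the policy, the key material derived from the pre-shared key, or the Phase 2 transform-set does not match on the two sides. The DH group is toy-sized, and the peer names, policies and keys are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

# Toy Diffie-Hellman group (small prime, generator) standing in for the real group 2
# (1024-bit MODP) parameters; constructed for illustration only.
TOY_P = 2305843009213693951  # 2**61 - 1, prime
TOY_G = 3


@dataclass(frozen=True)
class IsakmpPolicy:
    """Phase 1 policy: the four values compared in packets 1 and 2."""
    encryption: str      # e.g. "3des"
    hash_alg: str        # e.g. "sha"
    authentication: str  # e.g. "pre-share"
    group: int           # DH group number


@dataclass
class Peer:
    name: str
    policy: IsakmpPolicy
    psk: bytes                      # pre-shared key configured for the other peer
    transform_set: Tuple[str, str]  # Phase 2 proposal, e.g. ("esp-aes", "esp-md5-hmac")
    _priv: int = field(default=0, repr=False)

    def dh_public(self) -> int:
        """Packets 3/4: choose a private value and send g^x mod p."""
        self._priv = secrets.randbelow(TOY_P - 2) + 1
        return pow(TOY_G, self._priv, TOY_P)

    def dh_shared(self, peer_public: int) -> int:
        return pow(peer_public, self._priv, TOY_P)


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """IKEv1 pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def auth_hash(key: bytes, shared: int, pub_i: int, pub_r: int, identity: str) -> bytes:
    """Stand-in for HASH_I / HASH_R (packets 5 and 6): the DH values and the sender's
    identity, authenticated under the key derived from the PSK."""
    msg = b"".join(v.to_bytes(8, "big") for v in (shared, pub_i, pub_r)) + identity.encode()
    return hmac.new(key, msg, hashlib.sha1).digest()


@dataclass(frozen=True)
class Outcome:
    isakmp_state: str  # the state both peers end in (what "show crypto isakmp sa" would report)
    ipsec_sa: bool     # True when the Phase 2 (quick mode) tunnel came up
    detail: str


def negotiate(init: Peer, resp: Peer) -> Outcome:
    """Run main mode (packets 1-6) and then quick mode (packets 7-9)."""
    # Packets 1 and 2: ISAKMP policy exchange. A mismatch stops the exchange here.
    if init.policy != resp.policy:
        return Outcome("MM_NO_STATE", False, "ISAKMP policy mismatch (packets 1-2)")
    # (MM_SA_SETUP: parameters agreed, no key material yet)

    # Packets 3 and 4: DH public values and nonces; both sides now hold a common key.
    pub_i, pub_r = init.dh_public(), resp.dh_public()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    shared_i, shared_r = init.dh_shared(pub_r), resp.dh_shared(pub_i)
    assert shared_i == shared_r, "a completed DH exchange always agrees"
    # (MM_KEY_EXCH: common key exists, session not yet authenticated)

    # Packets 5 and 6: each side proves knowledge of the PSK. Different PSKs give
    # different SKEYIDs, the hash does not verify, and the SA stays in MM_KEY_EXCH.
    key_i, key_r = skeyid(init.psk, ni, nr), skeyid(resp.psk, ni, nr)
    hash_i = auth_hash(key_i, shared_i, pub_i, pub_r, init.name)
    expected = auth_hash(key_r, shared_r, pub_i, pub_r, init.name)
    if not hmac.compare_digest(hash_i, expected):
        return Outcome("MM_KEY_EXCH", False, "authentication failed: keys derived from the PSK differ")

    # Packets 7-9: quick mode transform-set exchange. Phase 1 stays up even if this fails.
    if init.transform_set != resp.transform_set:
        return Outcome("QM_IDLE", False, "QM_IDLE but no Phase 2 SA: transform-set mismatch")
    return Outcome("QM_IDLE", True, "Phase 1 and Phase 2 tunnels established")


def make_peer(name: str, psk: bytes, encryption: str = "3des", group: int = 2,
              transform_set: Tuple[str, str] = ("esp-aes", "esp-md5-hmac")) -> Peer:
    """Build a peer with the policy values used in the notes (3des, sha, PSK, group 2)."""
    return Peer(name, IsakmpPolicy(encryption, "sha", "pre-share", group), psk, transform_set)


if __name__ == "__main__":
    print(negotiate(make_peer("R1", b"cisco"), make_peer("R2", b"cisco")))
    print(negotiate(make_peer("R1", b"cisco", encryption="aes"), make_peer("R2", b"cisco")))
    print(negotiate(make_peer("R1", b"cisco"), make_peer("R2", b"c1sco")))
```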

What is a tunnel and how is it secured?

Two protocols support tunneling:
1. IPsec
2. SSL

SSL is more widely used than IPsec because it is easy to implement, but it is less secure than IPsec. It is widely and openly supported by a lot of vendors.

IPsec is a Layer 3 VPN, because it protects the packet from Layer 3 (the IP address) onwards.

SSL VPN
SSL VPN is a Layer 7 VPN, because encryption happens at Layer 7; TCP port 443 (HTTPS).

SSL Handshake

In a remote access VPN the client always initiates the connection:
1. Client Hello
2. Server Hello
3. PKI Certificate
4. Server Hello Done
5. Pre_Master Key
6. Change Cipher Suite
7. Client Handshake Done
8. Change Cipher Suite
9. Server Handshake Done

Quick overview:
1. The 1st packet originates from the client: Client Hello with all the policies.
2. The server replies with its Hello: Server Hello.
3. The server sends the certificate (public key); sometimes it might ask for a certificate from the client as well.
4. Server Hello Done.
5. The client sends a pre-master key, encrypted using the server's public key.
6. The client sends a Change Cipher Suite.
7. Client Hello Done.
8. The server sends a Change Cipher Suite.
9. Server Done.

3 main implementations of SSL VPN
1. Clientless
2. Thin Client
3. Thick Client

Clientless: a way to configure the VPN where the client doesn't have to do anything; all the client requires to connect to the VPN gateway is a browser. It doesn't support all the protocols, so it won't give the flexibility of an IPsec VPN, but it is easier on the client, and we can send traffic like HTTP and FTP through that SSL VPN (HTTPS, FTPS). L4-L7

Thin Client: a Java-based application where we can extend the scope of these protocols. Telnet, SMTP and all the protocols that require a well-known port number can be used. It gives very good flexibility. L4-L7

Thick Client: gives complete control just like an IPsec VPN. Protects from Layer 3 onwards and gives full control over private IPs, public IPs, etc.

Configuring the SSL VPN gateway on the router:

    webvpn gateway ROB
    ssl trustpoint <CA-Server>
    ip address 150.1.20.2 port 443
    inservice
    ssl encryption
    username gdwn@Admin password cisco
    username Rob@Sales password cisco
    aaa new-model
    aaa authentication login Paris local

Notes:
- webvpn gateway ROB generates 1024-bit keys.
- ssl trustpoint: if pointed at a CA server, the certificate is signed by it; if you leave it out, the certificate will be self-signed.
- inservice is like "no shutdown": the gateway is enabled.
- aaa authentication login Paris local uses the local database, because the usernames and passwords are saved locally; if it were an AAA server, you would point to that instead.

Domain name: on a router, for every different domain we have a different SSL VPN page; admin, sales and marketing each have a separate page, and the users will also be different. Username and password will be stored in a Lightweight Directory Access Protocol (LDAP) AAA server. The handshake is done when we open the page.

Steps to configure SSL VPN

1. Gateway:
    webvpn gateway ROB
    ip address 150.1.20.2 port 443
    inservice

2. Users and authentication:
    username Gdwn@Admin password cisco
    username Rob@Sales password cisco
    aaa new-model
    aaa authentication login Paris local

3. Context:
    webvpn context Admin-context
    !
    policy group Admin-Policy
    functions file-access
    functions file-browse
    default-group-policy Admin-Policy
    aaa authentication list Paris
    aaa authentication domain @Admin
    gateway ROB domain Admin
    inservice

Upgrading Cisco Routers and Switches using a TFTP Server

Backup of IOS
- #copy flash tftp

Restore or upgrade IOS
- #copy tftp flash

Backup of configs
- #copy startup-config tftp

Restore configs
- #copy tftp running-config

With show version or show flash we can see the router IOS file:
    R1#show version
    R1#show flash

Backup of the router IOS on the TFTP server:
    R1#copy flash tftp
    Source filename []? c1841-advipservicesk9-mz.124-15.T1.bin
    Address or name of remote host []? 1.0.0.2
    Destination filename [c1841-advipservicesk9-mz.124-15.T1.bin]?

Now copy running-config to startup-config:
    R1#copy run start

Then copy the startup-config file to the TFTP server machine so that we can get it back from there whenever we need it:
    R1#copy startup-config tftp
    Address or name of remote host []? 1.0.0.2
    Destination filename [R1-confg]? R1-config

Testing recovery or restore of the router configuration:
    R1#erase startup-config

    R1#show startup-config
    startup-config is not present

    R1#reload

    Router(config)#int fa0/0
    Router(config-if)#ip address 1.0.0.1 255.0.0.0
    Router(config-if)#no shut

    Router#copy tftp running-config
    Address or name of remote host []? 1.0.0.2
    Source filename []? R1-config
    Destination filename [running-config]?

Password Recovery on Cisco Routers
1. Power on the router.
2. Press CTRL+SHIFT+BREAK.
3. Modular routers:
    rommon 1 > confreg 0x2142
    rommon 2 > reset

Now the router boots without any password and enters setup mode.
    Router>enable
    Router#copy startup-config running-config
(very important if we don't want to lose the configs in NVRAM)

Change the password (overwrite with the new password).

    Router(config)#config-register 0x2102
    Router#write
    Router#reload

First Hop Redundancy Protocols (Gateway Redundancy Protocols: HSRP, VRRP, GLBP)

Protocol features

| Feature        | HSRP | VRRP | GLBP |
|----------------|------|------|------|
| Scope          | Cisco proprietary | IEEE standard | Cisco proprietary |
| Load balancing | No | No | Yes |
| Multicast      | 224.0.0.2 | 224.0.0.18 | 224.0.0.102 |
| Port number    | UDP 1985 | UDP 112 | UDP 3222 |
| Timers         | Hello 3 sec, Hold 10 sec | Advertisement 1 sec, Downtime 3 x Advertisement | Hello 3 sec, Hold 10 sec |
| Election       | Active: 1. highest priority, 2. highest IP address | Master: 1. highest priority, 2. highest IP address | Active Virtual Gateway: 1. highest priority, 2. highest IP address |
| Router roles   | Active, Standby, Listening | Master, Backup | Active Virtual Forwarder (AVF), Secondary Virtual Forwarder (SVF) |
| States         | Disabled, Initial, Learn, Listen, Speak, Standby, Active | | |
| Preempt        | Disabled by default. If the Active router (highest priority) goes down and comes up again, preempt must be configured for it to become the Active router again. | ON by default in VRRP. If the Active router goes down and comes up again, it will automatically become the Master router again. | Disabled by default. If the Active router (highest priority) goes down and comes up again, preempt must be configured for it to become the Active router again. |
| Virtual MAC    | 0000.0c07.acxx | 0000.5e00.01xx | 0007.b4xx.xxxx |

Troubleshooting VLAN Issues
Physical connectivity:
- show interface status
- show ip interface brief
- show mac-address-table
- show vlan
- Port security (err-disable state)
Same network:
- Devices on the same VLAN

SSL VPN
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser.

How does it work?
A consumer's browser begins the SSL handshake process by requesting a secure web page using the HTTPS protocol, port 443.

Why do I need SSL?
One of the most important components of online business is creating a trusted environment where potential customers feel confident in making purchases. Browsers give visual cues, such as a lock icon or a green bar, to help visitors know when their connection is secured.

SSL Handshake
1. Client Hello
It has all the policies the client is going to use for encryption, hashing, etc. [3des, SHA] and the SSL version it is using [SSL v1.0, 2.0, 3.0; TLS v1.1, 1.2, 1.3], e.g. [3des, sha], [TLS v1.0, 1.1].

2. Server Hello
The server accepts the Client Hello and chooses the highest version it supports among the ones the client supports. If the client supports 1.0 and 1.2 and the server only has 1.0, they both go down to 1.0; they choose whichever is the highest version compatible between them. The server replies with [3des, sha], [TLS v1.0].

3. Server PKI Certificate
Now the server sends the PKI certificate: its public key signed by the CA server. Once we have that key we can use it for identification.

4. Server Hello Done
"I'm done, you accepted my certificate."

5. Client Pre_Master Key
They both agreed on encryption and hashing (3des, sha), but they still need the key. In IPsec the DH exchange automatically provided the key; here the client creates a key, not the complete key but half of the key, from some random numbers, encrypts it using the 1024-bit public key received earlier from the server and sends it back to the server. Now we use a 2048-bit key.

6. Client Change Cipher Suite
Change Cipher Suite means that whatever message is sent after this is going to be encrypted, since both of them have the key.

7. Client Handshake Done
The last client message is encrypted, saying that the handshake is done.

8. Server Change Cipher Suite
9. Server Handshake Done
The server receives this and sends Change Cipher Suite and Server Done.

Brief

1. Client Hello
This initiates a secure session with the website by sending a Client Hello message to the web server. The Client Hello message contains information about which encryption and compression algorithms the browser supports.

2. Server Hello
The web server responds with a Server Hello message, which also includes information about supported algorithms. The web server chooses the strongest cipher that both the browser and server support.

3. Server PKI Certificate
The server also sends its digital certificate to the browser to vouch for the identity of an individual or a computer system.

4. Server Hello Done
The web server then sends a Server Hello Done message indicating that it is finished and awaiting a response from the browser.

Once the browser receives the server's message, it checks the certificate against a list of known Certificate Authorities to ensure the certificate is valid. The server's certificate contains its public key and the name of the server, which must match the name of the server the browser requested. For example, if the user typed the URL "https://www.secureserver.com" in the browser, the certificate should contain a subject name of "www.secureserver.com" or "*.secureserver.com".

5. Client Pre_Master Key
The client then computes a premaster secret using the two random values that were generated during the Client and Server Hello messages. This premaster secret is encrypted using the public key from the server's certificate and sent in a Client Key Exchange message to the server. If the server can decrypt this data, the client is assured that the server has the correct private key. A message encrypted with a public key can only be decrypted by the matching private key, and vice versa. This step is crucial to proving the authenticity of the server. Only the server with the private key that matches the public key in the certificate can decrypt this data and continue the protocol negotiation.

The SSL handshake process securely exchanges data that is then used by both the client and the server to calculate a Master Secret key. Because both the server and the client can calculate the Master Secret key, it does not need to be exchanged. The server can now respond to the browser with a request to begin communicating using the established keys and parameters. Thus, by combining SSL with a web server's digital certificate, a consumer can establish a secure connection to a website without having to pass secret encryption keys in the clear.
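The two decisions the handshake walkthrough above (and the earlier nine-packet list) describe, written out as an added example that is not code from these notes: the server's version and cipher choice in step 2, and the browser's check after Server Hello Done that the certificate comes from a known CA and its name matches the requested host, including the "*.secureserver.com" wildcard case. A TLS library makes both decisions internally; the Client Hello, certificate and CA values here are constructed so the logic is visible.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Protocol versions from oldest to newest; "highest compatible" is decided against this order.
VERSION_ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]


@dataclass(frozen=True)
class ClientHello:
    versions: Tuple[str, ...]       # versions the browser supports
    cipher_suites: Tuple[str, ...]  # suites the browser offers
    server_name: str                # host the user typed (sent as SNI)


@dataclass(frozen=True)
class ServerHello:
    version: str
    cipher_suite: str


@dataclass(frozen=True)
class Certificate:
    subject_name: str     # e.g. "www.secureserver.com" or "*.secureserver.com"
    issuer: str           # CA that signed it
    public_key_bits: int  # size of the key the premaster secret is encrypted with


def choose_version(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """Newest version both sides support (client 1.0+1.2 vs server 1.0 -> 1.0); None if no overlap."""
    common = set(client) & set(server)
    return max(common, key=VERSION_ORDER.index) if common else None


def server_hello(hello: ClientHello, server_versions: Sequence[str],
                 server_suites: Sequence[str]) -> Optional[ServerHello]:
    """Step 2: answer a Client Hello. server_suites is ordered strongest first, so the
    first suite the client also offers is the strongest one both support."""
    version = choose_version(hello.versions, server_versions)
    if version is None:
        return None
    for suite in server_suites:
        if suite in hello.cipher_suites:
            return ServerHello(version, suite)
    return None  # no common cipher suite: the handshake fails


def hostname_matches(cert_name: str, requested: str) -> bool:
    """Does the certificate's subject name cover the requested host?
    A wildcard covers exactly one label: *.secureserver.com matches www.secureserver.com
    but neither secureserver.com nor a.www.secureserver.com."""
    cert_name = cert_name.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == requested
    cert_labels, host_labels = cert_name.split("."), requested.split(".")
    return (len(cert_labels) == len(host_labels)
            and host_labels[0] != ""
            and cert_labels[1:] == host_labels[1:])


def browser_accepts(cert: Certificate, hello: ClientHello,
                    trusted_cas: Sequence[str]) -> Tuple[bool, str]:
    """The checks made after Server Hello Done: the issuer must be a known CA and the
    certificate name must match the name the browser requested."""
    if cert.issuer not in trusted_cas:
        return False, f"issuer {cert.issuer!r} is not a known Certificate Authority"
    if not hostname_matches(cert.subject_name, hello.server_name):
        return False, f"certificate name {cert.subject_name!r} does not match {hello.server_name!r}"
    return True, "certificate accepted; the premaster secret can be encrypted with its public key"


# Constructed sample values (not a real site or CA).
HELLO = ClientHello(("TLS 1.0", "TLS 1.2"), ("3des-sha", "aes128-sha"), "www.secureserver.com")
CERT = Certificate("*.secureserver.com", "Example Root CA", 2048)
TRUSTED_CAS = ("Example Root CA",)

if __name__ == "__main__":
    print(server_hello(HELLO, ["TLS 1.0"], ["aes128-sha", "3des-sha"]))  # both go down to TLS 1.0
    print(browser_accepts(CERT, HELLO, TRUSTED_CAS))
```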


CP (Check Point Firewall)

Check Point Firewall
This is a software firewall and one of the earliest firewalls to use stateful inspection.

Check Point firewall components
- Management Server
- Firewall Module
- Graphical User Interface (GUI)

Check Point three-tier architecture
- SmartConsole
- SmartCenter Server
- Enforcement Module

Firewall models
- Single Gateway product
- Enterprise Gateway product (distributed setup)

Rules
- Stealth Rule
- Cleanup Rule

Stealth Rule

Cleanup Rule

Creating Administrative Profiles
Administrator > New Administrator
    Username: ReadOnly
    Email: [email protected]
    Authentication
    Password: 12345

NAT
- Hide NAT
- Static NAT

Hide NAT

A LAN_Network object is created.

Add 2 rules:

| Name | Source      | Dst | VPN         | Service  | Action | Track | Install On | Time |
|------|-------------|-----|-------------|----------|--------|-------|------------|------|
| Hide | LAN_Network | Any | Any Traffic | Any      | Accept | Log   | Gateway    |      |
| Hide | Any         | Any | Any Traffic | TCP http | Accept | Log   | Gateway    |      |

Policy > Install

Static NAT
Two nodes:
1. Available public IP address
2. Internal private IP of the server

1. Network Objects > Nodes > Node > Host
2. Network Objects > Nodes > Node > Host

Add 2 rules:

| Name   | Source            | Dst              | VPN | Service | Action | Track | Install On |
|--------|-------------------|------------------|-----|---------|--------|-------|------------|
| Static | Private_Server_IP | Any              | Any | Any     | Accept | Log   | Gateway    |
| Static | Any               | Public_Server_IP | Any | Any     | Accept | Log   | Gateway    |

User Authentication
1. Check Point password
2. OS password
3. RADIUS
4. TACACS
5. SecurID

Types of clusters
- High Availability
- Load Balancing

Check Point
- Installation
- Install Secure Platform on the branch gateway
- Perform backup and restore
- Configuring DMZ
- Configuring NAT
- Monitoring with SmartView Tracker
- Client Authentication
- Identity Awareness
- Site-to-Site VPN between corporate and branch office

Difference between Check Point and ASA

SIC (Secure Internal Communication)
It stands for Secure Internal Communication and it is a Check Point proprietary protocol. It creates a secured tunnel between Security Gateways and Security Management Servers so that they can communicate freely and securely using a simple communication-initialization process.

SIC reset
    cpfw[admin]# cpconfig
    (6) Secure Internal Communication

Check Point supports 3 types of backup and recovery:
1. Snapshot
2. CPBackup
3. Upgrade_Tools

Snapshot
    [Expert@cpModule]# snapshot
    [Expert@cpModule]# revert

CPBackup
    [Expert@cpModule]# backup
    [Expert@cpModule]# restore

Upgrade_Tools
    cd $FWDIR/bin/upgrade_tools

SmartDashboard Object Tree
1. Network Objects
   - Check Point
   - Nodes
   - Networks
   - Groups
   - Address Ranges
   - Dynamic Objects
2. Services
   - TCP
   - UDP
   - ICMP
3. Resources
4. Servers and OPSEC
5. Users and Administrators
6. VPN Communities

   - Site To Site
   - Remote Access

Processes
CPD: CPD is high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), licensing and status reporting.

FWM: The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is therefore responsible for policy installation, Management High Availability (HA) synchronization, saving the policy, database read/write actions, log display, etc.

FWD: The FWD process is responsible for logging. It is executed in relation to logging, Security Servers and communication with OPSEC applications.

cpstart/cpstop utilities: allow you to stop and start Check Point component services.

Check Point registry: common cross-platform registry for Check Point and OPSEC products.

Check Point daemon (cpd): cross-platform manager for all Check Point internal communications.

OPSEC
OPSEC stands for Open Platform for Security, which is designed to extend the SVN framework to include third-party products and services.

Anti-Spoofing
Anti-spoofing is a security feature that enables a firewall to determine whether traffic is legitimate or if it is being used for malicious purposes.
Example: if the firewall is configured so that the 192.168.1.1 address is an internal network address, the firewall can drop the traffic, because there is no legitimate reason why any traffic received on the Internet interface should contain a source IP address of an internal system. Any traffic containing a source IP address of an internal system should only ever be received on the internal interface.

Common commands

cpstart: The cpstart CLI utility starts all the Check Point applications installed on a machine, excluding the cprid daemon, which is started separately during machine boot-up. In a VPN-1/FireWall-1 installation, this starts the VPN-1/FireWall-1 components, as well as the SVN foundation.

fwstart: The fwstart CLI utility starts all VPN-1/FireWall-1 components installed on a machine. VPN-1/FireWall-1 components include the enforcement module (fwd), the SmartCenter server (fwm), the VPN-1/FireWall-1 NG SNMP daemon (snmpd), and authentication daemons (such as in.httpd, which is used to provide an HTTP application-layer gateway daemon for authenticating HTTP access).

cplic print: The cplic print CLI utility prints information about Check Point product licenses.

fwm load: The fwm load CLI utility instructs a SmartCenter server to install the current security policy on one or more enforcement modules. Syntax: fwm load [filter-file | rule-base] targets

fwm unload: The fwm unload CLI utility instructs a SmartCenter server to uninstall the current security policy from one or more enforcement modules. Syntax: fwm unload targets

What is the Default rule?
This rule defaults to "any: drop, do not log".

What is a Stealth rule?
The stealth rule should prevent all direct connections to the Security Gateway. It is the first rule in the Rule Base and prevents traffic from directly accessing the firewall itself.

| Source | Destination | Service | Action | Track | Install On     | Time |
|--------|-------------|---------|--------|-------|----------------|------|
| Any    | Firewalls   | Any     | Drop   | Log   | Policy Targets | Any  |

What is the purpose of the Cleanup rule?
Cleanup is an explicit deny rule with logging enabled; it needs to be the last rule in the rule base.

| Source | Destination | Service | Action | Track | Install On     | Time |
|--------|-------------|---------|--------|-------|----------------|------|
| Any    | Any         | Any     | Drop   | Log   | Policy Targets | Any  |
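The anti-spoofing check described earlier and the default, stealth and cleanup rules above, combined in an added first-match evaluator (example code, not Check Point's implementation). The interfaces, addresses and rule names are constructed for the example; the 192.168.1.1 case is the one the anti-spoofing note uses, and a packet that matches no rule hits the unlogged default drop.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One rule-base row (Name, Source, Destination, Service, Action, Track)."""
    name: str
    source: str        # CIDR, "Any" or "Firewalls" (the gateway's own addresses)
    destination: str
    service: str       # "Any", "icmp", or "proto/port" such as "tcp/80"
    action: str        # "Accept" or "Drop"
    track: str = "Log"


@dataclass
class Gateway:
    name: str
    topology: Dict[str, Sequence[str]]  # interface -> networks that legitimately sit behind it
    own_addresses: Tuple[str, ...]      # the "Firewalls" object the stealth rule protects
    rules: List[Rule]
    log: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Verdict:
    action: str
    matched: str   # rule name, "Anti-Spoofing" or "Default"


def _addr_matches(spec: str, addr: str, gw: Gateway) -> bool:
    if spec == "Any":
        return True
    if spec == "Firewalls":
        return addr in gw.own_addresses
    return ip_address(addr) in ip_network(spec, strict=False)


def _service_matches(spec: str, pkt: Packet) -> bool:
    if spec == "Any":
        return True
    proto, _, port = spec.partition("/")
    return pkt.proto == proto and (port == "" or int(port) == pkt.dport)


def spoofed(gw: Gateway, pkt: Packet) -> bool:
    """Anti-spoofing: a source address that belongs to a network defined behind a
    different interface cannot legitimately arrive on this one."""
    src = ip_address(pkt.src)
    return any(iface != pkt.ingress and any(src in ip_network(n) for n in nets)
               for iface, nets in gw.topology.items())


def evaluate(gw: Gateway, pkt: Packet) -> Verdict:
    """Anti-spoofing first, then the rule base top to bottom (first match wins),
    then the implicit default rule: drop without logging."""
    if spoofed(gw, pkt):
        gw.log.append(f"Anti-Spoofing drop {pkt.src}->{pkt.dst} on {pkt.ingress}")
        return Verdict("Drop", "Anti-Spoofing")
    for rule in gw.rules:
        if (_addr_matches(rule.source, pkt.src, gw)
                and _addr_matches(rule.destination, pkt.dst, gw)
                and _service_matches(rule.service, pkt)):
            if rule.track == "Log":
                gw.log.append(f"{rule.name} {rule.action} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
            return Verdict(rule.action, rule.name)
    return Verdict("Drop", "Default")


def build_sample_gateway() -> Gateway:
    """Constructed topology: LAN 192.168.1.0/24 behind eth0, Internet on eth1.
    Stealth rule first, one business rule, cleanup rule last."""
    rules = [
        Rule("Stealth", "Any", "Firewalls", "Any", "Drop"),
        Rule("Web out", "192.168.1.0/24", "Any", "tcp/80", "Accept"),
        Rule("Cleanup", "Any", "Any", "Any", "Drop"),
    ]
    return Gateway("FW-1", {"eth0": ["192.168.1.0/24"], "eth1": []},
                   ("192.168.1.254", "203.0.113.2"), rules)


if __name__ == "__main__":
    gw = build_sample_gateway()
    for pkt in (Packet("eth1", "203.0.113.50", "203.0.113.2", "tcp", 22),    # hits Stealth
                Packet("eth0", "192.168.1.10", "198.51.100.7", "tcp", 80),   # Web out
                Packet("eth1", "192.168.1.1", "192.168.1.10", "tcp", 80),    # spoofed internal source
                Packet("eth0", "192.168.1.10", "198.51.100.7", "tcp", 443)): # falls to Cleanup
        print(pkt.src, "->", pkt.dst, evaluate(gw, pkt))
```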

Firewall Clustering
A cluster is a group of devices and other resources that act like a single device and enable high availability and load balancing.

High Availability (Active-Standby)
It gives us redundancy: if one device fails, the other device comes up.

Load Balancing (Active-Active)
Both devices are up and they share the data.

Site-to-Site
- VPN Domain
- VPN Community
- Creating a VPN rule
- Troubleshooting a VPN

4 steps
1. Create objects for the network or gateway
2. Configure the VPN Community
3. Define VPN Domains
4. Finish the VPN configuration

Creating the objects
Network Objects --> Networks

1. Create 2 objects
   1. Local LAN
      Name: Local_LAN
      IPv4 Address: 10.10.1.0
      Net Mask: 255.255.255.0
   2. Remote LAN
      Name: Remote_LAN
      IPv4 Address: 10.10.2.0
      Net Mask: 255.255.255.0

Network Objects --> Others --> Externally Managed VPN Gateway

Local LAN
General Properties
    Name: Local_Firewall
    IP Address: 192.168.0.10
    Platform: Gaia
Network Security tab: Enable IPSec VPN
Topology tab: VPN Domain, Manually defined: Local_LAN
OK

Remote LAN
General Properties
    Name: Remote_Firewall
    IP Address: 192.168.0.11
    Platform: Gaia
Network Security tab: Enable IPSec VPN
Topology tab: VPN Domain, Manually defined: Remote_LAN
OK

VPN Community > Meshed
General: Name: Site-to-Site
Participating Gateways: Add
Encryption
- Encryption Method: IKEv1 only
- Encryption Suite: Custom
- Phase 1 Properties: Encryption AES-256; Data integrity SHA1
- Phase 2 Properties: Encryption AES-128; Data integrity SHA1
Tunnel Management
- On all tunnels in the community
- VPN Tunnel Sharing: one VPN tunnel per subnet pair
Shared Secret
- Enter secret: Checkpoint
Advanced VPN Properties
- IKE Phase 1: Diffie-Hellman Group: Group 2 (1024 bit), 1 (768 bit), 5 (1536 bit), 14 (2048 bit)
- IPSec Phase 2: Regenerate IPSec security associations every 3600 seconds
- NAT: Disable NAT inside the VPN community
OK

Rule tab > Add Rule > Top

| Name | Source     | Dst        | VPN          | Service | Action | Track | Install On | Time |
|------|------------|------------|--------------|---------|--------|-------|------------|------|
| VPN  | Local_LAN  | Remote_LAN | Site-to-Site | Any     | Accept | Log   | Gateway    |      |
| VPN  | Remote_LAN | Local_LAN  | Site-to-Site | Any     | Accept | Log   | Gateway    |      |

Remote Access SSL VPN
Network Objects > Check Point > CPModule > Edit

Network Security tab: Enable Mobile Access

2 rules:

| Name    | Source    | Dst      | VPN         | Service   | Action | Track | Install On | Time |
|---------|-----------|----------|-------------|-----------|--------|-------|------------|------|
| SSL     | Local_LAN | CPModule | Any Traffic | TCP https | Accept | Log   | Gateway    |      |
| Stealth | Any       | CPModule | Any Traffic | Any       | Drop   | Log   | Gateway    |      |

Firewall Clustering

Clustering on the SPLAT firewall modules can be enabled in two ways, as shown below:
1. At the initial setup in the CLI wizard.
2. Log in to the firewall SPLAT CLI and run the command cpconfig. Under the menu options, select option 6:
    [FW-2]# cpconfig
    (6) Enable cluster membership for this gateway

To proceed with the configuration, connect to the Management Server (SmartCenter Server) as an administrator.

Under Network Objects > Check Point Module > Security Cluster

Wizard mode configuration
Specify the cluster object name and its IP address. The IP address will be the internal VIP. In the example below we go with ClusterXL technology and the High Availability cluster configuration mode.

Page 98: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace
Page 99: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Once the SIC key is entered Trust is established in between Management Server and Firewall Module

Page 100: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Add both the Firewall Modules under the Cluster object and click next

Specify the Sync network as the Sync Interface, in this example we go by Primary Sync Interface

Page 101: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Specify other two networks as Private and non monitored for each member

Once done with the above wizard setup, both the firewalls will be listed under the Cluster object container. Right click on the cluster object and click on edit

Page 102: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Make sure that clusterXL is enabled, and in this example we also uncheck IPSec VPN and IPS software blades

Page 103: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

Cluster Members option will list the existing members of the cluster. The priority of a member can be increased or decreased if required

In this configuration we go by HA mode cluster configuration, wherein One Firewall will be Active and another in Standby mode

Under the Topology container, click on the edit topology and add interfaces for the Cluster object. One Internal and one external interface have to be added for the cluster object. There IP’s are referred as Internal VIP and External VIP

Specify the Internal VIP details

Specify the External VIP details

Topology configuration should look as shown below

Write the Firewall rules by specifying the cluster object as shown below

Make sure the Gateway for the LAN Network machines is the Internal VIP of the Cluster.

Once the setup is complete, you should be able to ping the router's interface through the Firewall Cluster.

Firewall clustering can also be set up in Load Sharing mode, wherein both firewalls are in the Active state.

Log in to SmartView Monitor to verify the cluster configuration.

COMMANDS FOR CLI (R76 and R75)

1. comp_init_policy: generates and loads, or removes, the initial policy. This initial policy offers protection to the gateway before the administrator has installed a policy on the gateway.

Syntax: $FWDIR/bin/comp_init_policy [-u] [-g]
-u: removes the current initial policy and ensures that it will not be generated in future when cpconfig is run.
-g: generates the initial policy; can be used if there is no initial policy. If one exists, remove it first.

2. cp_admin_convert: automatically exports the administrator definitions configured in SmartDashboard.

3. cpca_client: executes operations on the ICA (Internal Certificate Authority). E.g. cpca_client revoke_cert, cpca_client lscert.

cp_conf: configure/reconfigure a Security Gateway installation.

cp_conf sic: manage SIC on the Security Management Server.
cp_conf sic state: shows the SIC trust state.
cp_conf sic init <key>: restarts SIC with the activation key.

cp_conf admin: manage Check Point system administrators for the Security Management Server.
> cp_conf admin get # Get the list of administrators
> cp_conf admin add <user> <pass> {a|w|r}
> cp_conf admin del

cp_conf lic: shows the installed licenses and lets you manually add new ones.
> cp_conf lic get
> cp_conf lic add -f <file>
> cp_conf lic add -m <Host> <Date> <Key> <SKU>
> cp_conf lic del <Signature Key>

cp_conf client: manage the GUI clients that can use SmartConsole to connect to the Security Management Server.
> cp_conf client get # Get the GUI clients list
> cp_conf client add <GUI client> # Add one GUI client
> cp_conf client del <GUI client 1> <GUI client 2>... # Delete GUI clients
> cp_conf client createlist <GUI client 1> <GUI client 2>... # Create a new GUI clients list

cpconfig: runs a command line version of the Check Point Configuration Tool. This tool is used to configure an installed Check Point product. The options shown depend on the installed configuration and products. Amongst others, these options include:
Licenses and contracts - Modify the necessary Check Point licenses and contracts.
Administrator - Modify the administrator authorized to connect to the Security Management server.
GUI Clients - Modify the list of SmartConsole client machines from which the administrators are authorized to connect to a Security Management server.
SNMP Extension - Configure the SNMP daemon. The SNMP daemon enables SecurePlatform to export its status to external network management tools.
PKCS #11 Token - Register a cryptographic token for use by SecurePlatform; see details of the token, and test its functionality.
Random Pool - Configure the RSA keys to be used by SecurePlatform.
Certificate Authority - Install the Certificate Authority on the Security Management server in a first-time installation.
Secure Internal Communication - Set up trust between the gateway on which this command is being run and the Security Management server.
Certificate's Fingerprint - Display the fingerprint which will be used on first-time launch to verify the identity of the Security Management server being accessed by the SmartConsole. This fingerprint is a text string derived from the Security Management server's certificate.
Automatic Start of Check Point Products - Specify whether Check Point Security Gateways will start automatically at boot time.

cpinfo: a utility that collects data on a machine at the time of execution. The cpinfo output file enables Check Point's support engineers to analyze setups from a remote location. Engineers can open the cpinfo file in demo mode, while viewing real Security Policies and objects. This allows for in-depth analysis of all configuration options and environment settings.

Syntax: cpinfo [-v] [-l] [-n] [-o <file>] [-r | -t]
-v: prints the version.
-l: enables log records.
-n: does not resolve network addresses.
-o: output to a file and to the screen.
-t: output consists of tables only.
-r: includes the registry.

cplic: Check Point license management.
cplic check: checks a license on the local machine; options: -p (product), -v (version), -c (count), -t (date), -r (routers), -s (SecuRemote users).
cplic db_add: adds one or more licenses to the license repository on the Security Management server.
cplic db_print: prints details of the Check Point licenses stored in the license repository on the Security Management server.
cplic db_rm: removes a license from the license repository on the Security Management server. It can be executed only after the license was detached using the cplic del command.
cplic del: deletes a single Check Point license on a host, including unwanted evaluation, expired and other licenses. Used for both local and remote machines.
cplic get: retrieves all licenses from a Security Gateway. This command helps you synchronize the repository with the Check Point Security Gateway.
cplic put: installs one or more local licenses on a local machine.
cplic print: prints details of the Check Point licenses on the local machine.
cplic upgrade: upgrades licenses in the license repository using licenses in a license file obtained from the User Center.

Process for upgrading licenses

1. Import all licenses into the license repository.

2. To do so, run the command: cplic get -all

3. Download a file containing the upgraded licenses. Only download licenses for the products that were upgraded from version NGX to Software Blades.

4. Run the license upgrade command: cplic upgrade -l <input_file>

cppkg: manages the product repository. It is always executed on the Security Management Server.
cppkg add: adds a product to the product repository. Only SmartUpdate packages can be added to the product repository.
cppkg delete: deletes a product from the repository. To delete a product package you must specify a number of options.
cppkg get: synchronizes the package repository database with the content of the actual package repository under the repository root directory.
cppkg getroot: finds out the location of the product repository.
cppkg print: lists the contents of the product repository.

Page 111: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

cppkg setroot: creates a new repository root directory location. When changing the repository root directory:
The contents of the old repository are copied into the new repository.
The $SUROOT environment variable gets the value of the new root path.
A product package in the new location will be overwritten by a package in the old location, if the packages are the same (that is, they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.

cpridrestart: stops and starts the Check Point Remote Installation Daemon.
cpridstart: starts the Check Point Remote Installation Daemon. This is the service that allows for the remote upgrade and installation of products.
cpridstop: stops the Check Point Remote Installation Daemon.
cprinstall: performs remote installation of product packages and associated operations. On the remote Check Point gateways the following are required:
Trust must be established between the Security Management server and the Check Point gateway.
cpd must run.
cprid (the remote installation daemon) must run.
cpstart: starts all Check Point processes and applications running on an appliance or server.
cpstat: displays the status of Check Point applications, either on the local or on another appliance or server, in various formats.
cpstop: terminates all Check Point processes and applications running on an appliance or server.
cpwd_admin: cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by WatchDog are cpd, fwd and fwm. fwd does not work on a Security Management Only machine; to work with fwd on a Security Management Only machine add -n (for example, fwd -n). cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer. The cpwd_admin utility is used to show the status of processes, and to configure cpwd.
cpwd_admin start: starts a new process by cpwd.
cpwd_admin stop: stops a process which is being monitored by cpwd.
cpwd_admin list: prints the status of the selected processes being monitored by cpwd.
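A WatchDog listing is most useful when someone actually reads it: a daemon whose #START counter keeps climbing is one that cpwd has been restarting behind your back, and a STAT of T means it is not running at all. The script below is an added example (not from this page or from Check Point) that parses text in the shape of cpwd_admin list output and flags both conditions. The column layout APP PID STAT #START START_TIME MON COMMAND and the meaning of STAT values E (executing) and T (terminated) are assumptions about the tool's output; the sample is constructed, not captured from a gateway.

```python
"""Flag unhealthy daemons from text shaped like `cpwd_admin list` output.

Added example, not Check Point's code. Assumptions: columns are
APP PID STAT #START START_TIME MON COMMAND, STAT is E (executing) or
T (terminated), and #START counts how many times cpwd launched the app.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the assumed shape of `cpwd_admin list` (not real output).
SAMPLE = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4210   E     1       [12:01:33] 5/3/2024    Y    cpd
FWD        4355   E     3       [12:40:07] 5/3/2024    Y    fwd -n
FWM        4401   E     1       [12:01:40] 5/3/2024    N    fwm
CPCA       0      T     1       [12:01:41] 5/3/2024    N    cpca
"""


@dataclass
class WatchedProcess:
    app: str
    pid: int
    stat: str
    starts: int
    start_time: str
    monitored: bool
    command: str


def parse_cpwd_list(text: str) -> List[WatchedProcess]:
    """Parse the table; the first line is the column header and is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # First four columns never contain spaces; the rest is split once more
        # so that a COMMAND with arguments (e.g. "fwd -n") stays intact.
        app, pid, stat, starts, rest = line.split(None, 4)
        time_part, date_part, mon, command = rest.split(None, 3)
        procs.append(WatchedProcess(app, int(pid), stat, int(starts),
                                    f"{time_part} {date_part}",
                                    mon == "Y", command))
    return procs


def find_problems(procs: List[WatchedProcess],
                  max_starts: int = 1) -> List[Tuple[str, str]]:
    """Return (APP, reason) for daemons that are down or have been restarted.

    A restart count above max_starts means cpwd had to relaunch the daemon
    (#START - 1 restarts), which is worth a look in $CPDIR/log/cpwd.elg.
    """
    problems = []
    for p in procs:
        if p.stat != "E":
            problems.append((p.app, f"not executing (STAT={p.stat})"))
        elif p.starts > max_starts:
            problems.append((p.app, f"restarted by cpwd {p.starts - 1} time(s)"))
    return problems


if __name__ == "__main__":
    for app, reason in find_problems(parse_cpwd_list(SAMPLE)):
        print(f"{app}: {reason}")
```

On a real box the input would come from `cpwd_admin list` itself; keep the threshold at 1 so that every unplanned restart since the last cpstart is reported.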

Page 112: OSI Model Hub Differences Between Switching Modes ... · Route Filtering and Route-Maps IPv4 Protocol Numbers ACL NAT DHCP DNS FTP SMTP Syslog. HTTP Telnet SSH Ping Process Trace

disconnect_client: SmartDashboard can connect to a Security Management Server using one of these modes:
Read/Write - Administrators have full permissions to create or change all objects, settings and policies.
Read Only - Administrators can see all objects, settings and policies, but cannot add, change or delete them.
Only one administrator can use SmartDashboard to connect to a Security Management Server in Read/Write mode at one time. When an administrator connects in Read/Write mode, this prevents other administrators from doing these actions:
Connecting to the same management in Read/Write mode
Creating or changing objects, settings and policies
Backing up the management server database
Installing a Security Policy
You can use this command line utility to disconnect a different SmartDashboard client that is open in Read/Write mode.

dbedit: edits the objects file on the Security Management server. Editing the objects.C file on the gateway is not required or desirable, since it will be overwritten the next time a Policy is installed.

dbver: the dbver utility is used to export and import different revisions of the database. The properties of the revisions (time created, responsible administrator, etc.) can be reviewed. The utility can be found in $FWDIR/bin. Run these commands from Expert mode.

dbver create: creates a revision from the current state of $FWDIR/conf, including current objects, rule bases, and so on.
Syntax: dbver> create <version_name> <version_comment>

dbver export: archives the revision as an archive file in the revisions repository: $FWDIR/conf/db_versions/export.
Syntax: dbver> export <version_numbers> <delete|keep>

dbver import: adds an exported revision from $FWDIR/conf/db_versions/export to the repository. Give the filename of the revision as input.
Syntax: dbver> import <exported_version_in_server>

dbver print: prints the properties of the revision.
Syntax: dbver> print <version_file_path>

dbver print_all: prints the properties of all revisions to be found on the server side: $FWDIR/conf/db_versions
Syntax: dbver> print_all

fw: all fw commands are executed on the Check Point Security Gateway. Typing fw at the command prompt sends a list of available fw commands to the standard output.
Syntax: > fw

fw -i: generally, when Check Point Security Gateway commands are executed on a Security Gateway they relate to the gateway as a whole, rather than to an individual kernel instance. For example, the fw tab command enables viewing or editing of a single table of information aggregated for all kernel instances. Adding -i <kern> after fw in the command, where <kern> is the kernel instance's number, makes the command apply to that individual kernel instance.

fw ctl: the fw ctl command controls the Firewall kernel module.
Syntax:
fw ctl {install|uninstall}
fw ctl debug [-m <module>] [+|-] {options | all | 0}
fw ctl debug -buf [buffer size]
fw ctl kdebug
fw ctl pstat [-h][-k][-s][-n][-l]
fw ctl iflist
fw ctl arp [-n]
fw ctl block {on|off}
fw ctl chain
fw ctl conn

fw ctl debug: generates debug messages to a buffer. A number of debug options are available:
fw ctl debug -buf [buffer size]: allocates a buffer of the given size in kilobytes (default 128) and starts collecting messages there.
fw ctl debug [-m <module>] [+ | -] {options|all|0}: specifies the Security Gateway module you wish to debug.
fw ctl debug 0: returns all flags in all gateways to their default values and releases the debug buffer (if there was one).
fw ctl debug [-d <comma separated list of strings>]: only lines containing these strings are included in the output.
fw ctl debug [-d <comma separated list of ^strings>]: lines containing these strings are omitted from the output.
fw ctl debug [-s <string>]
fw ctl debug -h
fw ctl debug -x

fw ctl affinity: sets CoreXL affinities (kernel, daemon and interface affinities) when using multiple processors.

The fw ctl affinity command behaves differently on a VSX Gateway and on a Security Gateway:
VSX Gateway - use the -d parameter to save the CoreXL affinity settings so that they survive a reboot.
Security Gateway - the CoreXL affinity settings are not saved after a reboot.
Syntax: > fw ctl affinity -s <proc_selection> <cpuid>

fw ctl affinity -l: lists existing CoreXL affinities when using multiple processors.
Syntax: > fw ctl affinity -l [<proc_selection>] [<listtype>]

fw ctl engine: enables the INSPECT2C engine, which dynamically converts INSPECT code to C code. Run the command on the Check Point Security Gateway.
Syntax: > fw ctl engine {on|off|stat|setdefault}

fw fetch: fetches the Inspection Code from the specified host and installs it to the kernel.
Syntax: > fw fetch [-n] [-f <filename>] [-c] [-i] master1 [master2] ...

fw fetchlogs: fetches Log Files from a remote machine. You can use the fw fetchlogs command to transfer Log Files to the machine on which the fw fetchlogs command is executed. The Log Files are read from and written to the directory $FWDIR/log.

fw hastat: displays information about High Availability machines and their states.
Syntax: > fw hastat [<target>]

fw isp_link: takes down (or brings up) a redundant ISP link.
Syntax: > fw isp_link [<target>] <link-name> {up|down}

fw kill: prompts the kernel to shut down all firewall daemon processes. The command is located in the $FWDIR/bin directory on the Security Management server or gateway machine. The firewall daemons and Security servers write their pids to files in the $FWDIR/tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the firewall snmp daemon is $FWDIR/tmp/snmpd.pid.
Syntax: > fw kill [-t <sig_no>] <proc-name>

fw lichosts: prints a list of hosts protected by Security Gateway products. The list of hosts is in the file $FWDIR/database/fwd.h
Syntax: > fw lichosts [-x] [-l]

fw log: displays the content of Log files.
Syntax: > fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>] [-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>] [-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]
-f [-t]: the -t parameter indicates that the display is to begin at the end of the file.
-n: do not perform DNS resolution of the IP addresses in the Log file.
-l: display both the date and the time for each log record.
-o: show detailed log chains (all the log segments a log record consists of).
-c <action>: display only events whose action is <action>, that is, accept, drop, reject, authorize, deauthorize, encrypt or decrypt.
-h <host>: display only logs whose origin is the specified IP address or name.
logfile: use logfile instead of the default Log file. The default Log File is $FWDIR/log/fw.log.
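The options above filter on the gateway (for instance fw log -n -c drop), but a quick triage of an exported log usually wants aggregation the tool does not do: which sources are being dropped repeatedly, and how many distinct services they touched. The script below is an added example (not from this page or from Check Point) that parses lines laid out the way default fw log -n output is laid out (time, action, origin, a direction marker plus interface, then "key: value;" pairs) and tallies drops per source. The exact field layout, the meaning of the > (inbound) and < (outbound) markers, and the sample lines themselves are assumptions and constructed data, not captured output.

```python
"""Tally drops per source from text shaped like `fw log -n` output.

Added example, not Check Point's code. Assumed line layout (constructed):
  <time> <action> <origin> <'>'|'<'><interface> key: value; key: value; ...
where '>' is taken to mean inbound and '<' outbound on that interface.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample lines (not real logs); 203.0.113.7 probes three ports.
SAMPLE_LOG = """\
14:32:01 drop 10.0.0.1 >eth0 rule: 12; rule_uid: {ab12-cd34}; src: 203.0.113.7; dst: 10.0.0.50; proto: tcp; service: 22; s_port: 40112;
14:32:01 drop 10.0.0.1 >eth0 rule: 12; rule_uid: {ab12-cd34}; src: 203.0.113.7; dst: 10.0.0.50; proto: tcp; service: 23; s_port: 40113;
14:32:02 accept 10.0.0.1 <eth1 rule: 3; rule_uid: {ef56-0011}; src: 10.0.0.25; dst: 198.51.100.9; proto: tcp; service: 443; s_port: 51000;
14:32:02 drop 10.0.0.1 >eth0 rule: 12; rule_uid: {ab12-cd34}; src: 203.0.113.7; dst: 10.0.0.51; proto: tcp; service: 3389; s_port: 40114;
14:32:03 reject 10.0.0.1 >eth0 rule: 7; rule_uid: {7788-99aa}; src: 192.0.2.44; dst: 10.0.0.50; proto: udp; service: 161; s_port: 5000;
"""

# Fixed header: time, action, origin, direction marker, interface, remainder.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([<>])(\S+)\s*(.*)$")
# Semicolon-terminated "key: value" pairs; values may contain spaces or braces.
PAIR_RE = re.compile(r"(\w+):\s*([^;]*);")


def parse_fw_log(text: str) -> List[Dict[str, str]]:
    """Turn each log line into a dict; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        time, action, origin, marker, iface, rest = m.groups()
        rec = {"time": time, "action": action, "origin": origin,
               "direction": "inbound" if marker == ">" else "outbound",
               "interface": iface}
        rec.update({k: v.strip() for k, v in PAIR_RE.findall(rest)})
        records.append(rec)
    return records


def drops_per_source(records: List[Dict[str, str]]) -> Counter:
    """Count dropped records by src; the same thing `fw log -c drop` would list."""
    return Counter(r["src"] for r in records if r["action"] == "drop")


def noisy_sources(records: List[Dict[str, str]],
                  threshold: int) -> Dict[str, List[str]]:
    """Sources with at least `threshold` drops, mapped to the distinct
    destination services they hit (several services from one source in a
    short window is a cheap scan indicator)."""
    counts = drops_per_source(records)
    services = defaultdict(set)
    for r in records:
        if r["action"] == "drop":
            services[r["src"]].add(r["service"])
    return {src: sorted(services[src])
            for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_LOG)
    for src, svcs in noisy_sources(recs, threshold=3).items():
        print(f"{src}: {len(svcs)} services probed -> {', '.join(svcs)}")
```

Feed it `fw log -n` output rather than the default resolved form: the -n flag keeps src and dst as addresses, which is what the counter keys on, and avoids the DNS lookups that slow a large export down.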

fw logswitch: creates a new active Log File. The current active Log File is closed and renamed by default to $FWDIR/log/<current_time_stamp>.log unless you define an alternative name that is unique. A Security Management server can use fw logswitch to change the Log File on a remote machine and transfer the Log File to the Security Management server. This same operation can be performed for a remote machine using fw lslogs.

fw monitor: a powerful built-in tool that simplifies the task of capturing network packets at multiple capture points within the firewall chain. These packets can later be inspected using industry-standard tools. In many deployment and support scenarios capturing network packets is essential; tcpdump or snoop are the tools normally used for this task. fw monitor provides even better functionality while avoiding many of the requirements and risks of these tools.

Syntax: > fw monitor [-u|s] [-i] [-d] [-D] [{-e <expr>|{-f <filter-file>|-}}] [-l <len>] [-m <mask>] [-x <offset>[,<len>]] [-o <file>] [[-pi <pos>] [-pI <pos>] [-po <pos>] [-pO <pos>] | -p all] [-a] [-ci <count>] [-co <count>] [-h] [-T]
-u|s: print the UUID or the SUUID.
-i: flush the standard output.
-d, -D: debug fw monitor.
-e <expr> | -f <filter-file> | -: filter the captured packets.
-l <len>: limit the packet length.
-m <mask>: set capture masks.
-x <offset>[,<len>]: print packet/payload data.
-o <file>: write output to a file.

fw lslogs: displays a list of Log Files residing on a remote or local machine. You must initialize SIC between the Security Management server and the remote machine.
Syntax: > fw lslogs [[-f <filename>] ...] [-e] [-s {<name>|<size>|<stime>|<etime>}] [-r] [<machine>]

fw putkey: installs a Check Point authentication password on a host. This password is used to authenticate internal communications between Security Gateways and between a Check Point Security Gateway and its Security Management server. A password is used to authenticate the control channel the first time communication is established. This command is required for backward compatibility scenarios.

Syntax: > fw putkey [-opsec] [-no_opsec] [-ssl] [-no_ssl] [-k <num>] [-n <myname>] [-p <pswd>] <host>...

fw repairlog: rebuilds a Log file's pointer files. The three files name.logptr, name.loginitial_ptr and name.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is modified only if the -u flag is specified.
Syntax: fw repairlog [-u] <logfile>

fw stat: use fw stat to view the policy installed on the gateway, and which interfaces are being protected.
Note - the cpstat command is an enhanced version of fw stat.
Syntax: > fw stat -l
> fw stat -s

fw tab: the fw tab command shows data from the kernel tables, and lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables. Kernel tables (also known as State tables) store data that the Firewall and other modules in the Security Gateway use to inspect packets. These kernel tables are the "memory" of the virtual computer in the kernel and are a critical component of Stateful Inspection. The kernel tables are dynamic hash tables in kernel memory.
Syntax: fw tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxval>] [{-a|-x} -e <entry>] [-y] [<hostname>]
-t <table>: specifies a table for the command.
-s: shows a short summary of the table(s) data.
-c: shows formatted table information in common format.
-f: shows a formatted version of the table data. Each table can use a different style.
-o <filename>: outputs a CL-formatted file called <filename>.
-r: resolves IP addresses in formatted output.
-u: shows unlimited table entries.
-m <maxval>: sets the maximum number of table entries that are shown to <maxval>.
-a|-x: adds (-a) or removes (-x) an entry from the specified table.
-e <entry>: one or more entries that you add to or remove from the table.
-y: do not show a prompt to users before they run commands.

fw ver: displays the Security Gateway major and minor version number and build number.
Syntax: > fw ver [-k] [-f <filename>]

fwm: management operations on the Security Gateway. It controls fwd and all Check Point daemons.
Syntax: > fwm

fwm dbimport: imports users into the Check Point User Database from an external file. You can create this file yourself, or use a file generated by fwm dbexport.
Syntax: > fwm dbimport [-m] [-s] [-v] [-r] [-k <errors>] [-f <file>] [-d <delim>]
-m: if an existing user is encountered in the import file, the user's default values will be replaced by the values in the template.
-s: suppress the warning messages issued when an existing user's values are changed by values in the import file.
-v: verbose mode.
-r: fwm dbimport will delete all existing users in the database.
-k <errors>: continue processing until <errors> errors are encountered. The line count in the error messages starts from 1, including the attributes line and counting empty or commented-out lines.
-f <file>: the name of the import file. The default import file is $FWDIR/conf/user_def_file.
-d <delim>: specifies a delimiter different from the default value (;).

fwm expdate: modifies the expiration date of all users and administrators.
Syntax: > fwm expdate dd-mmm-1976

fwm dbexport: exports the Check Point User Database to a file. The file may be in one of the following formats:
The same syntax as the import file for fwm dbimport
LDIF format, which can be imported into an LDAP server using ldapmodify
To export the User Database to a file that can be used with fwm dbimport:
> fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ] [-f file] ]
To export the User Database as an LDIF file:
> fwm dbexport -l -p [-d] -s subtree [-f file] [-k IKE-shared-secret]

fwm dbload: downloads the user database and network objects information to selected targets. If no target is specified, the database is downloaded to localhost.
Syntax: > fwm dbload {-all|-conf <conffile>} [<targets>]

fwm load: compiles and installs a Security Policy or a specific version of the Security Policy on the target's Security Gateways. This is done in one of two ways:

fwm load compiles and installs an Inspection Script (*.pf) file on the designated Security Gateways.

fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script (*.pf) file, then installs it to the designated Security Gateways.
Syntax: > fwm load [-p <plug-in>] [-S] <rulebase> <targets>
-S: the targets are UTM-1 Edge gateways.
-p <plug-in>: specifies the product name, if applicable.
<rulebase>: a Rule Base created by the GUI. Specify the name of the rulebase, such as Standard (case sensitive).

fwm lock_admin: views and unlocks locked administrators.
Syntax: > fwm lock_admin [-v] [-u <administrator>] [-ua]

fwm logexport: exports the Log file to an ASCII file.
Syntax: > fwm logexport [-d <delimiter>] [-i <filename>] [-o <outputfile>] [-n] [-p] [-f] [-m {initial|semi|raw}] [-a]

fwm sic_reset: resets the Internal CA, deleting all the certificates issued by the Internal CA and the Internal CA itself. After running sic_reset, the ICA should be initialized through the cpconfig command. If this command is run, all the IKE certificates issued by the Internal CA should be removed (using the SmartConsole).
Syntax: > fwm sic_reset

fwm unload <targets>: uninstalls the currently loaded Inspection Code from selected targets.
Syntax: > fwm unload <targets> [-all|-c <conffile>]

fwm ver: shows the build number.
Syntax: > fwm ver [-f <filename>]

ldapcmd: ldapcmd is used to manage processes running on the Security Gateway collectively or individually. It includes:
Cache - cache operations, such as emptying the cache, as well as providing debug information.
Statistics - lookup statistics such as: all user searches.
Logging - view the alert and warning log regarding debug.
Syntax: # ldapcmd -p {<process_name>|all} <command> [-d debug_level] [command_arg]

ldapcompare: ldapcompare is used to perform compare queries and prints a message saying whether the result returned a match or not. ldapcompare opens a connection to an LDAP directory server, binds, and performs the comparison specified on the command line or from a specified file.
Syntax: # ldapcompare -d [<options>] dn <attribute> <value>

ldapconvert: ldapconvert is a utility program to port from Member mode to MemberOf mode. This is done by searching all specified group/template entries and fetching their Member attribute values. Each value is the DN of a member entry. The entry identified by this DN will have the group/template DN at hand added as a MemberOf attribute value. In addition, those Member attribute values will be deleted from the group/template unless Both mode is specified. While running the program, a log file named ldapconvert.log is generated in the current directory, logging all modifications done and errors encountered.
Syntax: > ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>] -m mem_attr -o memberof_attr -c memberobjectclass [<extra options>]
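The Member-to-MemberOf conversion the paragraph above describes is simple enough to state in code, which also makes the two failure modes visible: a member DN that does not exist in the directory (logged as an error, like ldapconvert.log) and the Both mode in which the group keeps its Member values. The function below is an added example over an in-memory directory (a dict of DN to attributes), not Check Point's ldapconvert; the function and variable names and the sample entries are constructed for illustration.

```python
"""Member mode -> MemberOf mode, as the page describes ldapconvert.

Added example, not Check Point's tool. The directory is modelled as
{dn: {attribute: set(values)}}; the sample below is constructed data.
"""
from typing import Dict, Iterable, List, Optional, Set

Directory = Dict[str, Dict[str, Set[str]]]


def to_memberof_mode(directory: Directory, group_dns: Iterable[str],
                     member_attr: str = "member",
                     memberof_attr: str = "memberOf",
                     both: bool = False,
                     log: Optional[List[str]] = None) -> Directory:
    """Return a converted copy of `directory` (the input is not mutated).

    For every group/template DN: each value of its member attribute is the
    DN of a member entry; that entry gets the group DN added to memberOf.
    The group's member values are then deleted unless `both` is True.
    `log` collects one line per modification or error, like ldapconvert.log.
    """
    if log is None:
        log = []
    out = {dn: {a: set(v) for a, v in attrs.items()}
           for dn, attrs in directory.items()}
    for gdn in group_dns:
        group = out.get(gdn)
        if group is None:
            log.append(f"ERROR group not found: {gdn}")
            continue
        for mdn in sorted(group.get(member_attr, set())):
            entry = out.get(mdn)
            if entry is None:
                # Dangling member: nothing to write to, report and keep going.
                log.append(f"ERROR member {mdn} of {gdn} does not exist")
                continue
            entry.setdefault(memberof_attr, set()).add(gdn)
            log.append(f"ADD {memberof_attr}={gdn} to {mdn}")
        if not both and member_attr in group:
            log.append(f"DELETE {member_attr} from {gdn}")
            del group[member_attr]
    return out


# Constructed sample directory: two groups, two people, one dangling member.
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
VPN = "cn=vpn,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
GHOST = "uid=ghost,ou=people,dc=example,dc=com"  # referenced but absent

SAMPLE_DIR: Directory = {
    ADMINS: {"objectClass": {"groupOfNames"}, "member": {ALICE, BOB}},
    VPN: {"objectClass": {"groupOfNames"}, "member": {BOB, GHOST}},
    ALICE: {"objectClass": {"inetOrgPerson"}},
    BOB: {"objectClass": {"inetOrgPerson"}},
}


if __name__ == "__main__":
    log: List[str] = []
    converted = to_memberof_mode(SAMPLE_DIR, [ADMINS, VPN], log=log)
    for line in log:
        print(line)
    print(sorted(converted[BOB]["memberOf"]))
```

Running with both=True leaves the member values in place, which is what you want when some consumers still query in Member mode during a migration.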

ldapmodify: ldapmodify imports users to an LDAP server. The input file must be in LDIF format.
Syntax: # ldapmodify -a -c -d -h <host> -p <port> -D <LDAPadminDN> -w <LDAPadminPassword> -f <exportfilename>.ldif

ldapsearch: ldapsearch queries an LDAP directory and returns the results.
Syntax: ldapsearch [options] filter [attributes] -d

log_export: log_export is a utility that allows you to transfer Log data to an external database. This utility behaves as a LEA client. LEA (Log Export API) enables Security Gateway Log data to be exported to third-party applications. log_export receives the Logs from the Security Management server via LEA, so it can be run from any host that has a SIC connection with the Security Management server and is defined as an OPSEC host. To run log_export, you need a basic understanding and a working knowledge of:
Oracle database administration
LEA

Syntax: # log_export [-f <conf_file>] [-l <lea_server_ip_address>] [-g <log_file_name>,<log_file_name>,...] [-t <database_table_name>] [-p <database_password>] [-h] [-d]

rs_db_tool: rs_db_tool is used to manage DAIP gateways in a DAIP database.
Syntax:
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip> <-TTL Time-To-Live> > >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >

sam_alert: this tool executes FW-1 SAM (Suspicious Activity Monitoring) actions according to information received through standard input. It is intended for executing FW-1 SAM actions from the FW-1 User Defined alerts mechanism.
Syntax: sam_alert [-o] [-v] [-s <sam_server>] [-t <timeout>] [-f <fw_host1> <fw_host2>...] [-C] [-n|-i|-I -src|-dst|-any|-srv]

svr_webupload_config: this utility is used to configure the SmartReporter web upload script.
Syntax: # svr_webupload_config [-i <perl_int_loc>] [-p <rep_dir_root>]

VPN Commands

vpn crl_zap: erases all Certificate Revocation Lists (CRLs) from the cache.
Usage: vpn crl_zap
Return value: 0 for success; any other value equals failure.

vpn crlview: retrieves the Certificate Revocation List (CRL) from various distribution points and displays it for the user. The command comes in three flavors:

vpn crlview -obj <MyCA> -cert <MyCert>. The VPN daemon contacts the Certificate Authority called MyCA and locates the certificate called MyCert. The VPN daemon extracts the certificate distribution point from the certificate then goes to the distribution point, which might be an LDAP or HTTP server. From the distribution point, the VPN daemon retrieves the CRL and displays it to the standard output.

vpn crlview -f d:\temp\MyCert. The VPN daemon goes to the specified directory, extracts the certificate distribution point from the certificate, goes to the distribution point, retrieves the CRL, and displays the CRL to the standard output.

vpn crlview -view <latest_CRL>. If the CRL has already been retrieved, this command instructs the VPN daemon to display its contents to the standard output.
Usage: vpn crlview -obj <object name> -cert <certificate name>
vpn crlview -f <filename>
vpn crlview -view

vpn debug: instructs the VPN daemon to write debug messages to the VPN log file. To debug all available topics, use ALL for the debug topic. IKE traffic can also be logged; IKE traffic is logged to $FWDIR/log/IKE.elg.
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon | ikeoff | trunc | timeon <SECONDS> | timeoff >
vpn debug on DEBUG_TOPIC=level | off [timeon <SECONDS>] | timeoff
vpn debug ikeon | ikeoff timeon | timeoff
vpn debug trunc

vpn drv: installs the VPN kernel (vpnk) and connects to the firewall kernel (fwk), attaching the VPN driver to the Firewall driver.
Usage: vpn drv on|off
vpn drv stat

vpn tu: launches the TunnelUtil tool, which is used to control VPN tunnels.
Usage: vpn tu
vpn tunnelutil

Output:
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit

vpn ver: Display the VPN major version number and build number.
Usage: vpn ver [-k] -f <filename>

SmartView Monitor Commands

rtm debug: Send debug printouts to the $FWDIR/log/rtmd.elg file.
Usage: rtm debug <on | off> [OPSEC_DEBUG_LEVEL | TDERROR_<AppName>_<Topic>=<ErrLevel>]

rtm drv: Start, stop or check the status of the SmartView Monitor kernel driver.
Usage: rtm drv <on | off | stat>

rtm monitor <module_name> {<interface_name> | -filter "<complex filter>"}: Start the monitoring process and specify parameters for monitoring an interface.
Usage: rtm monitor <module_name> <interface_name> [options] -g <grouping> [entity-1 ... entity-n]
or
rtm monitor <module_name> -filter ["complex filter"] [options] -g <grouping> [entity-1 ... entity-n]

Options:
-a : <aggregate|individual>
-w : <bandwidth|loss|rtt>
-t : <wire|application>
-i : <number of seconds>
@@ : specifies a subrule (for example, 'rule@@subrule')
-d : Specifies one of the following monitor directions: inbound, outbound, eitherbound
-y : Specifies one of the following measurement units: bytes, pkts, line
C : Average concurrent connections
-a : Aggregate - displays a specific type of connections as an aggregate.
-g : Specifies one of the following grouping options for monitored traffic:
Src : Monitors according to a network object (source only).
Dst : Monitors according to a network object (destination only).
Ip : Monitors according to a network object (source and destination).

rtm monitor <module_name> -v <virtual_link_name>: Start the monitoring process and specify parameters for monitoring a Virtual Link.
Usage: rtm monitor <module_name> -v <virtual_link_name> [options] [entity-1 ... entity-n]

rtm rtmd: Start the SmartView Monitor daemon manually. This also occurs automatically when rtmstart is run.
Usage: rtm rtmd

rtm stat: Display the general SmartView Monitor status. In addition, it displays the status of the daemon, driver, opened views and active virtual links.
Usage: rtm stat [flavor(s)] [-h] [-v[v][v]]

rtm ver: Display the SmartView Monitor version.
Usage: rtm ver [-k]

rtmstart: Load the SmartView Monitor kernel module and start the SmartView Monitor daemon.
Usage: rtmstart

rtmstop: Kill the SmartView Monitor daemon and unload the SmartView Monitor kernel module.
Usage: rtmstop


ClusterXL Commands

cphaprob: The cphaprob command verifies that the cluster and the cluster members are working properly.

cphastart: Running cphastart on a cluster member activates ClusterXL on the member. It does not initiate full synchronization. cpstart is the recommended way to start a cluster member.

cphastop: Running cphastop on a cluster member stops the cluster member from passing traffic. State synchronization also stops. It is still possible to open connections directly to the cluster member. In High Availability Legacy mode, running cphastop may cause the entire cluster to stop functioning.

Identity Awareness Commands

PDP - The process on the Security Gateway responsible for collecting and sharing identities.

PEP - The process on the Security Gateway responsible for enforcing network access restrictions. Decisions are made according to identity data collected from the PDP.

AD Query - AD Query is the module responsible for acquiring identities of entities (users or computers) from the AD (Active Directory). AD Query was called Identity Logging in previous versions and in some cases is also referenced as AD Log. The adlog is the command line process used to control and monitor the AD Query feature.

test_ad_connectivity - A utility that runs connectivity tests from the Security Gateway to an AD domain controller. The test_ad_connectivity utility runs over both the LDAP and WMI protocols. It is usually used by the SmartDashboard Identity Awareness first time wizard, but you can run it manually on the Security Gateway.

The PEP and PDP processes are key components of the system. Through them, administrators control user access and network protection. The command line tools help control users' statuses as well as troubleshoot and monitor the system.

AD Query can run either on a Security Gateway that has been enabled with Identity Awareness or on a Log Server. When it runs on a Security Gateway, AD Query serves the Identity Awareness feature, and gives logging and policy enforcement. When it runs on a Log Server, AD Query gives identity logging.

pdp: These commands control and monitor the PDP process.
Syntax: # pdp [command]... <parameter>
<none> : Display available options for this command and exit
debug : Control debug messages
tracker : Tracker options
connections : pdp connections information
network : pdp network information
status : pdp status information
control : pdp control commands
monitor : Display monitoring data
update : Recalculate users and computers group membership (deleted accounts will not be updated)
ad : Operations related to AD Query
timers : Show pdp timers information


pdp connections: These commands assist in monitoring and synchronizing the communication between the PDP and the PEP.
Syntax: # pdp connections <parameter>

pdp control: Provides commands to control the PDP process.
Syntax: # pdp control <parameter> <option>


pdp network: Shows information about network related features.
Syntax: # pdp network <parameter>

pdp debug: Activates and deactivates the debug logs of the PDP daemon.
Syntax: # pdp debug <parameter> <option>

pdp tracker: Adds the TRACKER topic to the PDP logs (on by default). This is very useful when monitoring the PDP-PEP identity sharing and other communication in distributed environments. This can be set manually by adding the TRACKER topic to the debug logs.
Syntax: # pdp tracker <parameter> (on/off)

pdp update: Initiates a recalculation of group membership for all users and computers. Note that deleted accounts will not be updated.
Syntax: # pdp update <parameter>

pdp ad associate: For AD Query, adds an identity to the Identity Awareness database on the Security Gateway. The group data must be in the AD.
Syntax: # pdp ad associate ip <ip> u <username> d <domain> [m <machine>] [t <timeout>] [s]

pdp ad disassociate: Removes the identity from the Identity Awareness database on the Security Gateway. Identity Awareness does not authenticate a user that is removed.
Syntax: # pdp ad disassociate ip <ip> {u <username>|m <machine>} [r {probed|override|timeout}]

pep: Provides commands to control and monitor the PEP process.
Syntax: # pep [command]... <argument>
Parameters:
tracker : Tracker options.
show : Display PEP information.

pep show: Displays information regarding PEP status.
Syntax: # pep show <parameter> <option>

pep show user: Enables monitoring the status of sessions that are known to the PEP. You can perform varied queries according to the usage below to get the output you are interested in.
Syntax: # pep show user all

pep show pdp: Enables monitoring the communication channel between the PEP and the PDP. The output displays the connect time and the number of users that were shared through the connection.
Syntax: # pep show pdp <parameter>

pep show stat: Shows the last time the daemon was started and the last time a policy was received. Important - each time the daemon starts, it loads the policy, so the two timers (Daemon start time and Policy fetched at) will be very close.
Syntax: # pep show stat

pep show network: Shows network related information.
Syntax: # pep show network <parameter>

IPS Commands

ips bypass stat
Usage: ips bypass stat
Comments: Shows this information:
- IPS bypass mode - on or off
- CPU thresholds
- Memory thresholds

ips bypass on|off: Manages IPS bypass. When IPS bypass is enabled:
- When the CPU or memory goes above the high threshold, IPS enters bypass mode and is automatically disabled.
- When the CPU or memory goes below the low threshold, IPS exits bypass mode and is automatically enabled.
Usage: ips bypass {on|off}

ips bypass set: Configures the thresholds for the ips bypass command.
Usage: ips bypass set {cpu|mem} {low|high} <th>
cpu : Configure the CPU threshold.
mem : Configure the memory threshold.
low : Configure the lower threshold to exit bypass mode.
high : Configure the higher threshold to enter bypass mode.
<th> : The CPU or memory threshold value.

ips debug: Shows the IPS debug information.
Usage: ips debug [-e <filter>] -o <outfile>
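The low and high thresholds above are deliberately separate: the gateway enters bypass only above the high mark and leaves it only below the low mark, so load hovering near one cut-off does not make IPS flap between inspecting and not inspecting. The following is an added example (my own code, not the page's and not Check Point's) that models that enter/exit behaviour as a hysteresis state machine. The default threshold values, the assumption that CPU and memory are tracked independently (bypass persists while either resource is still tripped), and the sample load trace are my constructed assumptions for illustration.

```python
"""Hysteresis model of the IPS bypass thresholds set with `ips bypass set`.

Added illustration, not Check Point code.  Assumptions (mine, not the page's):
CPU and memory are tracked independently; a resource trips bypass when a
sample rises above its high threshold and releases it only once a later
sample drops below its low threshold.  The gap between the two thresholds
is what keeps the gateway from flapping when load hovers near one cut-off.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Threshold:
    low: int   # percent; exit bypass once utilisation drops below this
    high: int  # percent; enter bypass once utilisation rises above this

    def __post_init__(self) -> None:
        if not 0 <= self.low < self.high <= 100:
            raise ValueError("thresholds must satisfy 0 <= low < high <= 100")


@dataclass
class IpsBypass:
    """State that `ips bypass stat` would report, plus the trip logic."""
    enabled: bool = True  # `ips bypass on|off`
    thresholds: Dict[str, Threshold] = field(default_factory=lambda: {
        "cpu": Threshold(low=70, high=90),  # constructed defaults
        "mem": Threshold(low=70, high=90),
    })
    tripped: Dict[str, bool] = field(default_factory=dict)

    def set_threshold(self, resource: str, which: str, value: int) -> None:
        """Mirror of `ips bypass set {cpu|mem} {low|high} <th>`."""
        current = self.thresholds[resource]
        if which == "low":
            self.thresholds[resource] = Threshold(value, current.high)
        elif which == "high":
            self.thresholds[resource] = Threshold(current.low, value)
        else:
            raise ValueError("which must be 'low' or 'high'")

    def sample(self, resource: str, percent: int) -> bool:
        """Feed one utilisation sample; return whether IPS is now bypassed."""
        if not self.enabled:
            return False
        t = self.thresholds[resource]
        if percent > t.high:
            self.tripped[resource] = True    # enter bypass: IPS disabled
        elif percent < t.low:
            self.tripped[resource] = False   # exit bypass: IPS enabled again
        # inside [low, high] the resource keeps its previous state (hysteresis)
        return self.bypassed()

    def bypassed(self) -> bool:
        """IPS is bypassed while any resource is still tripped."""
        return self.enabled and any(self.tripped.values())

    def stat(self) -> Dict[str, object]:
        """Roughly what `ips bypass stat` prints: mode and both thresholds."""
        return {
            "bypass_mode": "on" if self.enabled else "off",
            "cpu": (self.thresholds["cpu"].low, self.thresholds["cpu"].high),
            "mem": (self.thresholds["mem"].low, self.thresholds["mem"].high),
            "inspecting": not self.bypassed(),
        }


def replay(samples: List[Tuple[str, int]], bypass: IpsBypass) -> List[bool]:
    """Run a sequence of (resource, percent) samples; record bypass after each."""
    return [bypass.sample(res, pct) for res, pct in samples]


# Constructed load trace: a CPU spike, a settle into the hysteresis band,
# recovery, then a memory spike that keeps bypass active after CPU recovers.
SAMPLES: List[Tuple[str, int]] = [
    ("cpu", 60), ("cpu", 95), ("cpu", 80), ("cpu", 65),
    ("mem", 92), ("cpu", 50), ("mem", 60),
]

if __name__ == "__main__":
    gw = IpsBypass()
    for (res, pct), state in zip(SAMPLES, replay(SAMPLES, gw)):
        print(f"{res}={pct:3d}%  bypassed={state}")
    print(gw.stat())
```

The third sample (CPU at 80%, between the two thresholds) is the point of the exercise: bypass stays on because the resource has not yet fallen below the low mark, and the sixth sample shows that CPU recovering does not restore inspection while memory is still above its own high mark.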


INTERVIEW QUESTIONS

KPIT HP
1. What is VLAN?
2. How to configure VLAN on an L2 switch?
3. What is a Layer 3 VLAN?
4. How many TCP flags are there? Name them.
5. What is window size?
6. What is fragmentation?
7. OSPF LSA types.
8. Explain LSA 5.
9. Both HSRP routers become active during bootup. How will you troubleshoot?
10. What are the changes that occur in a packet when it goes from a host to another host traversing a switch and two routers?
11. What is NAT and PAT? Explain with an example.
12. Why do we apply an ACL from inside to outside for ICMP even though traffic from inside to outside is allowed by default in ASA?
13. How will a switch connected to failover firewalls know when FW1 fails and FW2 becomes active?
14. VPN 9-packet negotiation.
15. IPsec parameters.
16. What is a firewall? What is a stateful firewall?
17. NAT definition: Static NAT, Dynamic NAT, Identity NAT, NAT exemption, NAT-Control.
18. Mechanism of NAT and how NAT works.
19. NAT order.
20. How does packet flow work? If a packet from inside is getting dropped while going outside, how will you trace it?
21. Active FTP and passive FTP concept in ASA.
22. What is inspection and MPF?
23. How can we know whether our inspection is working on NAT? Tell the command.
24. IPsec:
    i. Phases and modes
    ii. Troubleshooting a tunnel that is down (phase I is up)
    iii. Aggressive mode
25. SSL VPN.
26. Same security level: will ping happen or not?
    Same-security-traffic permit intra-interface (to allow U-turning traffic)
    Same-security-traffic permit inter-interface (for communication between DMZ and DMZ-2 having the same security level)


27. IP spoofing.
28. DNS doctoring.
29. Site-to-site VPN configuration on ASA.
30. On which port does SSL VPN work?
31. Difference between SSL VPN and WebVPN.
32. Stateful firewall.
33. What is packet tracer?
34. What is an IP address? Private IP addresses.
35. Does a switch work on MAC addresses or IP addresses?
36. 10.1.1.0/24: which class does it belong to?
37. FWSM (ASA Firewall Services Module).

Q1. Tell me about yourself.
Q2. How does ping / traceroute / tracert work (on Windows)?
Q3. How does a routing loop / switching loop occur in a router / switch?
Q4. TCP handshake? Give some examples of troubleshooting you did in your company.
Q5. Why is there a requirement to first set up the 3-way handshake?
Q6. What does SSL mean?
Q7. Modes of IPsec.
Q8. Hashing mechanism, encryption mechanism, ESP.
Q9. In the TCP 3-way handshake, what are the contents present in the SYN packet?
Q10. Basic function of a firewall.
Q11. STP, PVST+.
Q12. OSPF.
Q13. Troubleshooting on a firewall.
Q14. Proxy firewall / cluster firewall.
Q15. Types of NAT and the basic difference between NAT and PAT.
Q16. Why do we need a DMZ in a firewall?
Q17. What do you know about IPsec?
Q18. Network architecture: how big was the network on which you have worked?

NET-APP
Q1. Transparent firewall.
Q2. Same security level: how can they communicate with each other?
Q3. IPsec / SSL VPN.
Q4. Types of NAT (order of NAT), static NAT configuration.
Q5. IPsec troubleshooting, phase I and II.
Q6. An external client wants to communicate with a web server situated inside the company.
Q7. Frame (preamble).
Q8. Tell us about your company project.
Q9. DNS.

First stage in NET-APP test
Q1. Stuck in Active.
Q2. FTP definition.
Q3. What is a subnet mask? Why do we use a subnet mask?
Q4. OSI layers.
Q5. TCP/IP layers.
Q6. What is DoS?
Q7. What is a private IP and its range?
Q8. What is VPN?
Q9. What is the use of a tunnel in VPN?

IBM
Q1. What is VLAN?
Q2. Function of HSRP.
Q3. Stuck in Active.
Q4. AD of OSPF.
Q5. A.D. and F.D. of EIGRP.
Q6. Role of area 0.
Q7. In this scenario, the host should be communicating with the server. What will the routing be?
Q8. Zero downtime in ASA firewall.
Q9. Site-to-site VPN (modes and 9-packet negotiation).
Q10. SSL VPN packet transfer.
Q11. In the scenario below, the PC wants to ping the internet but the ping is dropping. How will you troubleshoot? Scenario is below.
Q12. Difference between ABR and ASBR.
Q13. What is the AD value of OSPF?
Q14. In the scenario below, how will PC A communicate with PC B?
Q15. In this scenario, will inside communicate with or ping outside?

CSS CORP
Q1. TCP windowing.
Q2. MTU and MSS.
Q3. DHCP DORA.
Q4. TCP sequence number.
Q5. VPN 9 packets.
Q6. DORA packet types.
Q7. Does a UDP packet have a sequence number?
Q8. After windowing, if one segment gets dropped at the receiver end, what does the receiver send to the sender so as to get the dropped packet?
Q9. In this scenario PC-3 is getting an APIPA address. How will you troubleshoot?
Q10. Difference between NACK and ACK.
Q11. Difference between Main Mode and Aggressive Mode.
Q12. SSL handshake.
Q13. Why do we use VPN?
Q14. In this scenario, how does C come to know that each fragment has been rejected, and how will C come to know which one is the first bit / last bit?

IBM
Q1. Tell me about yourself and your day-to-day job responsibilities.
Q2. What is the most difficult troubleshooting you faced in your previous company?
Q3. One site is in India and the other site is in the USA. Create a site-to-site tunnel and tell us the configuration part.
Q4. How to check with a command that the tunnel is up?
Q5. VPN: show vpn connected session.
Q6. In a firewall, how to check the configuration of a cluster, i.e. context?
Q7. There are two firewalls, ASA 5520 and ASA 5510. We are trying to make these a cluster but it is not working. How will you troubleshoot?
Q8. Why are you leaving this job?
Q9. Difference between the 5505 and 5510 firewalls.

ACCENTURE
Q1. In this scenario, I was previously able to work with the printer. I updated the firmware of the printer. After this task I am not able to work with the printer. The condition is that I am able to ping the IP address of the printer.
Q2. What is the packet capture command?
Q3. What is hairpinning?
Q4. In this scenario, my IPs 10.10.10.1 and 20.20.20.1 are NATed, and I want to communicate with destination IPs 30.30.30.1 and 40.40.40.1. What type of NAT will I use?
Q5. What is DNS doctoring?
Q6. What is NAT exemption?
Q7. Identity NAT.
Q8. Types of NAT and NAT order.
Q9. OSPF LSA.
Q10. F5 load balancer (iRule, static load balancing, dynamic load balancing, HTTP and HTTPS iRule).

CGI
Q1. EIGRP, OSPF, STP, VLAN, RSTP.
Q2. Firewall hardening.
Q3. Difference between an L3 and an L2 switch.
Q4. Difference between MPLS and L2.
Q5. Site-to-site VPN and IPsec VPN.
Q6. Failover is running between two firewalls, which are connected to a switch. How will the switch find out which firewall is active and which is standby?
Q7. 3-tier architecture of Check Point.
Q8. How to add a policy in Check Point.
Q9. Packet flow of Check Point.

WIPRO
Q1. Day-to-day job responsibilities.
Q2. Cisco ASA: differences (8.2, 8.4, 8.6).
Q3. Check Point version.
Q4. What is SIC? Why do we need SIC? Where do we configure SIC in Check Point? How many SICs can be formed?
Q5. Difference between the OSI model and the TCP/IP model.
Q6. TCP flags and the 3-way handshake.
Q7. What is a proxy server?
Q8. What is a forward proxy and a reverse proxy?
Q9. What is DNS and how does it work?
Q10. Password recovery on a router.
Q11. Chassis of a Nexus switch.

UNKNOWN
Q1. Packet flow between a PC and the Internet.
Q2. Packet flow in a Check Point firewall.
Q3. Packet flow in Cisco ASA.
Q4. TCP states.
Q5. Example of the session layer.
Q6. Which OSI layer decides whether a packet moves outside or remains inside?
Q7. How will you troubleshoot if your PC is not getting connected to the internet?

TEK SYSTEMS
Q1. Tell me about yourself and your day-to-day job responsibilities.
Q2. We are on 8.2 and want to upgrade to 9.0 with zero downtime.
Q3. Difference between site-to-site VPN and IPsec VPN.
Q4. How does phase 1 work?
Q5. How will you troubleshoot when we get MM_MO_ACTIVE in VPN?
Q6. Is it necessary to create phase 1 for phase 2?
Q7. In my network, a duplicate IP address is being detected. How will you troubleshoot it?
Q8. When did you feel offended in your previous organization?
Q9. How does the network know that a router is stuck in active?
Q10. LSA 7.
Q11. In our network BPDU Guard is enabled. If we add a new switch to our network, what type of message is displayed on the switch?
Q12. In this scenario, one hour ago my PC was able to get to the internet. After one hour the PC is not able to access yahoo.com. How will you troubleshoot?
Q13. What are the phases of site-to-site VPN?
Q14. What are the modes of IPsec VPN?
Q15. What are the parameters of Phase I?
Q16. What is MDS?
Q17. Three important things to run a company network.
Q18. What is IP spoofing? And what is a spoofing attack?
Q19. How can we use spoofing in ASA?
Q20. What is a stealth rule? Why do we need it and what is its purpose?
Q21. Packet tracer command in ASA.

HP (KPIT)
Q1. Failover is running between two firewalls, which are connected to a switch. How will the switch find out which firewall is active and which is standby?
Q2. Packet flow of Check Point.
Q3. In automatic NAT, how many rules will be created?
Q4. By using the CLI, how will we make a backup?
Q5. When a packet enters a router, how does the router work with the packet?

BAR
Q1. TCP 3-way handshake.
Q2. Packet level: which bit is getting set?
Q3. Difference between push and urgent.
Q4. Packet flow between two PCs.
Q5. ARP header size.
Q6. DHCP.
Q7. IPsec packet level.
Q8. Difference between ASA and a router.
Q9. SSL: how SSL VPN works in the application layer.
Q10. Proxy ARP.
Q11. NAT on ASA.
Q12. DNS doctoring.
Q13. FTP.
Q14. Where will we implement this in the firewall, i.e. active FTP and passive FTP, and what are the problems?
Q15. IP fragmentation.
Q16. IP header: identification, offset field.
Q17. CSR, SSL VPN.
Q18. HTTP.
Q19. DHCP relay agent.
Q20. Configuration parameters of DHCP.
Q21. What will indicate a phase I failure on an IOS device?
Q22. What can be the various reasons for IPsec negotiation
Q23. What is NAT-T?

FNF
Q1. How to change or reset the password on Cisco switches.
Q2. How to troubleshoot from the CLI when SmartView Tracker is not showing logs.
Q3. How to make a backup from the Check Point CLI.
Q4. Where are logs stored?
Q5. Where will the backup file be stored?
Q6. What is HSRP? (Discuss all.)
Q7. What is Etherchannel, and why do we need it?
Q8. What are the protocols of Etherchannel?
Q9. How can we configure Etherchannel?
Q10. Command for port-security.
Q11. What is the AD value of EIGRP and OSPF?
Q12. What are the AD values in EIGRP?
Q13. What is OSPF?
Q14. What is the difference between OSPF and EIGRP?
Q15. What is the difference between ABR and ASBR?
Q16. What are the states of OSPF? Explain.
Q17. What is the multicast IP address of OSPF?
Q18. What is an ACL?
Q19. Difference between standard and extended ACLs.
Q20. What are the types of ACL?
Q21. Configuration of a switch ACL.

TTNI
Q1. What is the difference between Cisco ASA and Check Point?
Q2. What is SIC? What is its purpose?
Q3. Process for backup.
Q4. Difference between snapshot and backup.
Q5. What is a stealth rule and what is its purpose?
Q6. What is a cleanup rule and what is its purpose?
Q7. What is FWM?
Q8. What is PDP?
Q9. What is RTM?
Q10. What is tcpdump?
Q11. How can we check the logs between two gateways?
Q12. What are the modes of a firewall?
Q13. What is a context?
Q14. How do we create a context?
Q15. Where do we create a context: in a routed firewall or a transparent firewall?
Q16. What is a transparent firewall?
Q17. What is the difference between a switch and a transparent firewall?
Q18. Can we create a context in routed mode?
Q19. What is IPsec?
Q20. By default, which mode is available in IPsec?

MIND TREE
Q1. Suppose a switch is connected to a router and two PCs are connected to the switch. How will PC A and PC B communicate? Here is the scenario.
Q2. Suppose four PCs (A, B, C, D) are connected to switch 1 and four PCs (E, F, G, H) are connected to switch 2. In this scenario I want PC A to communicate with PC E. What will be the steps for this task?
Q3. In this scenario router R1 and router R2 are connected to SW1 and SW2. PC1 and PC2 are connected to SW1 and SW2. PC1 and PC2 want to communicate with each other. What will be the steps? Scenario is below.
Q4. What is dynamic configuration of VLAN?
Q5. What is IPv4? Discuss in detail.
Q6. What are TCP flags?
Q7. What is the reset flag and what is its purpose?
Q8. What is the three-way handshake?
Q9. What is the four-way handshake?
Q10. What is NAT?
Q11. What is the order of NAT?
Q12. What is dynamic NAT and dynamic PAT, and what is the syntax?
Q13. What is the packet tracer command? How does it check the packet?
Q14. What are the security parameters of IPsec phase 1?
Q15. By default, which mode is available in phase 1?
Q16. Phase 1 and phase 2 are active; data is being encrypted but not decrypted. How will you troubleshoot that?

CAPGEMINI
Q1. In a network there are two routers. On router R1 the EIGRP protocol is running and on router R2 OSPF is running. PCs are connected to routers R1 and R2. PC1 and PC2 want to communicate with the internet. Which protocol will the PCs prefer? Scenario is below.
Q2. Now in this scenario the network of R1 is 192.1.1.0/24 and the network of R2 is 192.1.1.0/28. Now which protocol will the PC prefer?
Q3. In this scenario PC1 is connected to SW1 and is in VLAN 10, and PC2 is connected to SW2 and is in VLAN 20. How will these PCs communicate?
Q4. What is the difference between NAT and PAT?

HR Interview Questions

How long would you expect to work for us if hired?
As far as I can tell, this company has everything I'm looking for. I enjoy this type of work and the benefits at this company are great. I am looking for a long-term position, and if there are opportunities for advancement and growth here, then I want to stay for a long time.

Are you willing to travel or relocate, if necessary?
Yes, I am OK with relocation, as it is an opportunity to learn something new and visit new places. I love to travel and I can easily adapt to a new environment.

What is more important to you, money or work?
Work is more important, because without doing work we can't earn money.

Where do you see yourself after 5 years?
Five years from now I would like to see myself in a respectable position in the company, where I can take decisions for the welfare of the company.

How did you handle work criticism? Describe a time when your work was criticized and how you handled it.
I don't remember such an incident of criticism in my work career, but I always take feedback from my colleagues and managers so that I can correct my mistakes, improve my way of communication and working style, and never repeat those mistakes again in future.

What are some of your achievements or accomplishments?

Why did you resign from your previous job?
I would like to thank my current company, which gave me a platform to start my professional career and where I learned more professional skills. I decided on a change, looking for better and more challenging opportunities to grow professionally and financially.

What was the toughest challenge you have ever faced?

Tell me honestly about the strong points and weak points of your boss (company, management team, etc.).
Strong points: good time management, a good listener. Weakness: repeating one thing so often that it is annoying.
Only because of weak points can our good points be recognized. My boss is leading a team of talented people; he is an expert in handling pressure in tricky situations, energetic, and he always took part in extracurricular activities with his team, either organizing team fun or holidays outside town. I never noticed his weak points. He is very helpful in every step of work whenever anyone needs him.

Why should I hire you from the outside when I could promote someone from within?
From my own perspective, a new employee is someone who can give fresh ideas that can improve the company, which I think every company needs, so I think your company deserves more interesting and new ideas, and I think I am the best person suited to it.

How do you feel about reporting to a younger person?
Knowledge is the only thing which matters to me, not age. I would respect his/her position and try to learn from him or her. I will take him as my inspiration to grow thoroughly and work hard for it.

Why should I hire you?

What are your strengths and weaknesses?

My strengths:
1. Dedication
2. Hard work
3. I like to work with team spirit
4. Punctuality is also one of my strengths
5. I also believe that success is achieved only with perfection

Weakness:
1. I can't easily say no to a task, no matter what the task is!

What is the difference between confidence and overconfidence?
Confidence is true trust in yourself that you can do it, while overconfidence is trust in yourself beyond your ability and capability, i.e. that you shall do it in every condition. If someone says, "I have the ability to complete this job", that is confidence, while if someone says, "I'm the only person who can complete this job and nobody else dares", that is overconfidence.

What is the difference between hard work and smart work?
For example, a teacher asks two students; they are:
1. Hard work
2. Smart work

Question: Tell me the answer to "what are the even numbers?"
1: He answered "2, 4, 6, 8, 10, 12, 14, 16, 18, 20".
2: He answered "all numbers divisible by 2 are even numbers".

How do you feel about working nights and weekends?
Be truthful: nobody wants to work nights and weekends. But if the company gives growth and provides full facilities, then everyone wants to work nights and weekends according to the company's needs. And I am one of them.

Can you work under pressure?
I know working under pressure is difficult, but I will try my level best to complete the project assigned to me within the specified time through time management and schedules.

What are your goals?
My short-term goal is to work in a reputed company like yours, and I want to see myself improving the way I do work. My long-term goal is to see myself in a respectable position and make my parents happy.

Give me an example of your creativity.
Creativity is that which shows how we do the work smartly and in an extraordinary way with the help of our brain. E.g., we can use a punching machine for cutting sheets if we don't have scissors.

How long would you expect to work for us if hired?
This is the job opportunity I have been looking for. This is the career path I've been waiting for. I am ready to serve you as long as the company needs me.

What was the toughest decision you ever had to make?
Nothing is tough. It all lies in how you can convince yourself. Be practical, logical and, most importantly, be positive about whatever decision you take.

Where do you see yourself five years from now?

On a scale of one to ten, rate me as an interviewer.
First of all, thank you, sir/madam, for giving me this opportunity. I think I am not the right person to rate you, but still it's an interview question, so I will say 9/10, because nobody is perfect in the world and everybody needs improvement. Thank you.

Do you have any questions for me?
- I would like to know about the job responsibilities and the training you would be providing.
- How will this profile improve my career growth?
- What type of projects are going on?
- What is the main target of this company?

