CCNP ENARSI 300-410 Exam Cram Notes

3.0 Infrastructure Security

3.3 Troubleshoot control plane policing (CoPP) (Telnet, SSH, HTTP(S), SNMP, EIGRP, OSPF, BGP)

SNMP (Simple Network Management Protocol) can collect and manipulate valuable network information from switches, routers, servers, printers, and other network-attached devices.

An SNMP-managed network consists of two components:

Network management station (NMS): the software which runs on the administrative computer. This software gathers SNMP data by requiring the devices on the network to disclose certain information. Devices can also inform the NMS about problems they are experiencing by sending an SNMP alert (called a trap).

Agent: the software which runs on managed devices and reports information via SNMP to the NMS.

SNMP agents listen on UDP port 161, while the manager (NMS) receives traps on UDP port 162. The current SNMP version is SNMPv3; the prior versions, SNMPv1 and SNMPv2, are considered obsolete.

The following security levels and encryption are available in SNMPv3:

NoAuthNoPriv - Uses only the user name for authentication and provides no encryption or privacy.

AuthNoPriv - Provides authentication based on the Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA algorithms, without encryption.

AuthPriv - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. In addition to authentication, it provides DES 56-bit encryption based on the Cipher Block Chaining (CBC)-DES (DES-56) standard.

Note that there is no such "AuthEncr" level.

IGMP: The Internet Group Management Protocol is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral part of IP multicast.

ICMP: The Internet Control Message Protocol is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.

To measure end-to-end response time we have to use ICMP echo to continuously ping a remote device. The difference between ICMP path echo and ICMP echo is that the former can measure hop-by-hop response time along the whole path, while the latter can only measure the response time to a specific destination.

A BGP speaking router will have two tables: one for IP routing information, and the other for BGP information. It is possible to share the information between the two tables.

The traceroute command allows you to determine the path a packet takes in order to get to a destination from a given source by returning the sequence of hops (with IP addresses) the packet has traversed. This utility comes with your host operating system (for example, Linux or Microsoft (MS) Windows), as well as with Cisco IOS® Software. The traceroute command is a privileged EXEC command in Cisco IOS.

SNMPv3 Agent supports the following set of security levels as defined in the USM MIB (RFC 2574):

noAuthnoPriv - Communication without authentication and privacy.

authNoPriv - Communication with authentication and without privacy. The protocols used for authentication are MD5 and SHA (Secure Hash Algorithm).

authPriv - Communication with authentication and privacy. The protocols used for authentication are MD5 and SHA; for privacy, DES (Data Encryption Standard) may be used.

You can configure MD5 authentication between two BGP peers, and the password must be the same on both BGP peers; otherwise, the connection between them will not succeed. There are two failure cases when setting up MD5 authentication:

a. If a router has a password configured for a peer but the other peer does not, the message "No MD5 digest from" will appear on the console while the routers attempt to establish a session between them. Therefore A is correct because Router NY (with an IP address of is not configured with a password.

b. If the two routers have different passwords configured, the message "Invalid MD5 digest from" will show up in the debug output.

To distribute Border Gateway Protocol (BGP) neighbor information as specified in an access list, use the neighbor distribute-list command in address family or router configuration mode.

To distribute Border Gateway Protocol (BGP) neighbor information as specified in a prefix list, use the neighbor prefix-list command in address family or router configuration mode.

The following router configuration mode example applies the prefix list named mylist1 to outgoing advertisements from the neighbor

router bgp 100
neighbor prefix-list mylist1 out

The following are a few examples of how a prefix list can be used (while configuring BGP policies to filter route updates):

To deny the default route
ip prefix-list mylist1 deny

To permit the prefix
ip prefix-list mylist1 permit

The following examples show how to specify a group of prefixes.

To accept a mask length of up to 24 bits in routes with the prefix 192/8:

ip prefix-list mylist1 permit le 24

To deny mask lengths greater than 25 bits in routes with a prefix of 192/8:

ip prefix-list mylist1 deny ge 25
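The following is an added example, not part of the cram notes, that evaluates prefix-list entries the way IOS does: a route matches an entry when its leading bits equal the entry prefix and its mask length falls within [ge, le] (defaulting to an exact length match, with ge alone implying le 32). The entries in MYLIST1 are constructed from the three rules above (deny the default route, permit 192/8 up to /24, deny 192/8 at /25 or longer); the sequence numbers are assumed.

```python
import ipaddress

# Constructed prefix list mirroring the three rules discussed above
MYLIST1 = [
    "ip prefix-list mylist1 seq 5 deny 0.0.0.0/0",
    "ip prefix-list mylist1 seq 10 permit 192.0.0.0/8 le 24",
    "ip prefix-list mylist1 seq 15 deny 192.0.0.0/8 ge 25",
]


def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/M [ge X] [le Y]'."""
    t = line.split()
    if t[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list entry: " + line)
    i, seq = 3, None
    if t[i] == "seq":
        seq, i = int(t[i + 1]), i + 2
    action, net = t[i], ipaddress.ip_network(t[i + 1], strict=False)
    ge = le = None
    for key, val in zip(t[i + 2::2], t[i + 3::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    # IOS defaults: exact mask length unless ge/le given; ge alone implies le 32
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return {"seq": seq, "action": action, "net": net, "lo": lo, "hi": hi}


def entry_matches(entry, route):
    """Leading bits must equal the entry prefix and the mask length must be in [lo, hi]."""
    return (route.network_address in entry["net"]
            and entry["lo"] <= route.prefixlen <= entry["hi"])


def evaluate(entries, route):
    """Return 'permit' or 'deny': first matching entry wins, implicit deny at the end."""
    route = ipaddress.ip_network(route, strict=False)
    parsed = [parse_entry(line) for line in entries]
    for idx, e in enumerate(parsed):
        if e["seq"] is None:          # IOS auto-numbers unnumbered entries in steps of 5
            e["seq"] = (idx + 1) * 5
    for e in sorted(parsed, key=lambda e: e["seq"]):
        if entry_matches(e, route):
            return e["action"]
    return "deny"


if __name__ == "__main__":
    for r in ["0.0.0.0/0", "192.168.1.0/24", "192.168.1.0/25", "192.0.0.0/8", "10.0.0.0/8"]:
        print(r, evaluate(MYLIST1, r))
```

Note that 10.0.0.0/8 is denied only by the implicit deny at the end of the list, which is why a prefix list that is meant to permit anything else needs an explicit final permit entry.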

The command "show ip bgp neighbors" is the most useful in troubleshooting BGP connections. When the connection is established, the peer/neighbor routers exchange BGP information. If the TCP connection (BGP session) is not established, a BGP router cannot exchange any BGP routing information with the adjacent router with which it is trying to establish a neighbor relationship.
