ISCW – Course 1

Exercise: Removing Cable Modem and CPE Entries from the CMTS by Configuring the Cisco CMTS Static CPE Override

Introduction
The Cable Modem Termination System (CMTS) Dynamic Host Configuration Protocol (DHCP) server dynamically assigns Internet Protocol (IP) addresses to requesting cable modems for data/voice communication sessions between the CMTS headend and the subscriber. The Customer Premise Equipment (CPE) devices receive a DHCP-assigned IP address from the CMTS, along with a MAC address that is configured behind the cable modem with a service ID (SID) and assigned to the IP address.

However, various restrictions exist for CPE devices. One in particular is that an original CPE device (with the original MAC address and SID) is not allowed behind a different cable modem with the original IP address. If this restriction were not in place, the original cable modem (with the original IP address and SID) would experience interrupted service.

The CPE Override is a feature that a Cisco-trained field service technician can configure to stop an original CPE device (with the original MAC address and SID) from supporting a second SID or IP address through a second cable modem. To do so, the technician enables the Cisco CMTS Static CPE Override feature, which is disabled by default. The technician takes a laptop onsite and executes the ‘cable submgmt default’ command statement to assume an existing IP address and service ID (SID) behind a cable modem. In this exercise, a Cisco uBR10012 router is being used. This procedure ensures that the original CPE device reclaims its IP address using DHCP.

Step 1
The Cisco-trained field service technician and the ‘cable submgmt default’ command statement will accomplish the following tasks:
1. The original CPE device will continue to receive service, but will be assigned a static IP address from the Cisco CMTS.
2. The newly assigned static IP address will override the DHCP-assigned IP address without first clearing the DHCP CPE device from the CMTS routing tables.
3. The original CPE device will automatically change from ‘dhcp cpe’ to ‘static cpe’ in the CMTS host routing tables, and the CPE device will continue to receive service with the same SID.
4. Additional CPE devices will be able to share the same IP address and SID as the original CPE device.

Step 2
Enable privileged EXEC mode and enter a password, if prompted.
Command statement:
Router> enable

Step 3
Enter the Cisco global configuration mode, to configure the terminal.
Command statement:
Router# config t

Step 4
Enable the Cisco CMTS Static CPE Override feature behind the subscriber’s cable modem. This changes the subscriber’s CPE device from ‘dhcp cpe’ to ‘static cpe’ in the CMTS host routing tables.
Command statement:
Router(config)# cable submgmt default active

Step 5
The Cisco-trained field technician enables a filter group ID (0-1024) to be applied to the CM or CPE downstream or upstream filter. This causes one or more temporary CPE devices behind the subscriber's cable modem to operate within the cable modem's downstream or upstream filter group.
Command statement:
Router(config)# cable submgmt default filter-group {cm | cpe} {downstream | upstream} group-id

Step 6
Set the default to true (the default value), to specify that the CMTS is to learn the IP addresses of the CPE devices behind the CM, up to the value specified by the MAX-CPE parameter. The CMTS learns the IP addresses by monitoring the traffic sent by the CPE devices; the first CPE devices to transmit traffic are the first to be learned. This enables one or more temporary CPE devices behind a subscriber's cable modem to be learned and to operate within the routing table defined on the Cisco CMTS.
Command statement:
Router(config)# cable submgmt default learnable

Step 7
The Cisco-trained field technician then sets the maximum number of CPE devices (0 to 1024, shown after the ‘max-cpe’ parameter in the command statement) that are allowed behind a subscriber's cable modem. Each device inherits the SID settings defined by the subscriber's current SID.
Command statement:
Router(config)# cable submgmt default max-cpe 6

Step 8
Next, the Cisco-trained field technician must configure a specified interface in interface configuration mode. The subslot is required syntax for the Cisco uBR10012 router, but is not used for the Cisco uBR7246VXR or Cisco uBR7100 series routers.
Command statement:
Router(config)# interface cable 8/1/0

Step 9
Then, the Cisco-trained field technician must set a primary or secondary IP address for a CPE device, using the ‘ip address ip-address mask [secondary]’ command statement in interface configuration mode. The IP address is the static IP address for the CPE device, and the optional [secondary] parameter specifies that the configured address is a secondary IP address. As with other command statements in this exercise, use the ‘no’ form of the command to remove or disable the configuration setting.
Command statement:
Router(config-if)# ip address 131.109.2.8 255.255.255.0

Step 10
Once steps 1 through 8 are completed, the Cisco-trained service technician may need to conduct onsite CPE troubleshooting, with the objective of ensuring that cable modem and CPE entries are removed from the display when the ‘show cable modem’ command statement is executed.

Step 11
Next, the Cisco-trained service technician executes Ctrl^z to return to global configuration mode.
Command statement:
Router(config-if)# Ctrl^z

Step 12
Then, the Cisco-trained service technician needs to disable Static CPE Override; return the on-site CPE device(s) and cable modem to their original DHCP state (dynamic IP address with associated SID); and clear the CPE cable modem host from the Cisco router's internal address tables in privileged EXEC mode.
Command statement:
Router(config)# no cable submgmt default
-or-
Router(config)# clear cable host

Step 13
Once the work is completed, the Cisco-trained service technician returns the prompt to privileged EXEC mode.
Command statement:
EXIT
Then, execute a proper Telnet disconnection from the Cisco router.
Command statement:
QUIT

ISCW – Course 2

Exercise: Configuring MPLS on a Frame Mode Interface

Step 1
In global configuration mode, enable MPLS globally on the router:
Router(config)# mpls ip
While MPLS is enabled by default, the global ‘mpls ip’ command re-enables it.

Step 2
Move to interface configuration mode for the frame mode interface that you want to configure; let’s use interface FastEthernet 0/0.
Router(config)# interface fastethernet 0/0

Step 3
In interface configuration mode, enable MPLS on the specified interface:
Router(config-if)# mpls ip

Step 4
At this point TDP, LDP or both can be enabled on the frame mode interface. First, to enable TDP (Tag Distribution Protocol) on this interface, enter the following Cisco command statement:
Router(config-if)# mpls label protocol tdp
TDP is a Cisco proprietary protocol, and Cisco has moved from TDP to a fully compliant LDP (Label Distribution Protocol). LDP is the default protocol on Cisco IOS 12.4(3) and later. TDP is the default protocol on older releases.
Step 5
Then, to enable LDP on the frame mode interface, enter the following Cisco command statement:
Router(config-if)# mpls label protocol ldp

Step 6
To enable both TDP and LDP on this interface, enter the following Cisco command statement:
Router(config-if)# mpls label protocol both

ISCW – Course 3

Exercise: Create a Crypto Configuration for the Cisco IOS Router

Introduction
In this intermediate network, we want to create a crypto configuration and define a VPN tunnel with IPSec-encapsulated GRE between Router3 and Router4. We will need to configure each router. We start on Router3.

Step 1
In configuration mode, enable ‘crypto’ with ISAKMP using the following Cisco command statement:
Router3(config)# crypto isakmp enable

Step 2
Next, identify the hostname:
Router3(config)# crypto isakmp identity hostname

Step 3
Define an ISAKMP numbered policy with an encryption algorithm and RSA encryption key authentication mode.
Router3(config)# crypto isakmp policy 1
Router3(config-isakmp)# authentication rsa-encr

Step 4
Next, create ‘permit’ access list 131 to permit GRE traffic between host 10.1.1.1 and host 10.1.1.2. The access list defines the traffic that has to be protected. This ACL is only allowed to have one entry for manual IPSec:
Router3(config)# access-list 131 permit gre host 10.1.1.1 host 10.1.1.2

Step 5
Define a transform set, which is a Cisco abstraction for a certain combination of protocols to be applied to a particular conduit, and change the mode to ‘transport.’
Router3(config)# crypto ipsec transform-set test esp-des esp-sha-hmac
Router3(cfg-crypto-trans)# mode transport
Router3(cfg-crypto-trans)# exit
Router3(config)#

Step 6
Create a crypto map named ‘XYZ’ in IPSec-ISAKMP mode. The map set's sequence number is 10; it is used to rank multiple entries within one crypto map set: the lower the sequence number, the higher the priority.
Router3(config)# crypto map XYZ 10 ipsec-isakmp

Step 7
Next, enable the new crypto map by configuring the transform set, a peer and a valid access list. Match access list 131 (as created earlier in this exercise), and associate the access with the two peers.
Router3(config-crypto-map)# set transform-set test
Router3(config-crypto-map)# match address 131
Router3(config-crypto-map)# set peer 10.1.1.2
Router3(config-crypto-map)# exit

Step 8
Next, create the actual GRE tunnel interface through which traffic will be transported to the endpoint. The peer and the physical interface to which the tunnel endpoint should be bound need to be specified. Apply the crypto map to the tunnel interface:
Router3(config)# interface Tunnel0
Router3(config-if)# crypto map XYZ

Step 9
Apply the crypto map to the physical interface on which tunnel-associated traffic will be going out:
Router3(config)# interface ethernet 1/0
Router3(config-if)# crypto map XYZ

ISCW - Course 4

Exercise: Set up accounting to record all start and stop times for EXEC processes and network processes on an ACS server

Step 1
In global configuration mode, identify the TACACS+ server whose IP address is 133.15.17.201, using a pre-shared key of future123key:
Router1(config)# tacacs-server host 133.15.17.201
Router1(config)# tacacs-server key future123key

Step 2
Set up the router to time-stamp logging and debug entries using local time, for tracking and debugging purposes. Also record debug times to the millisecond.
Router1(config)# service timestamps debug datetime localtime msec
Router1(config)# service timestamps log datetime localtime

Step 3
Set up accounting to record all start and stop times for EXEC processes and network processes on the ACS server:
Router1(config)# aaa accounting exec start-stop tacacs+
Router1(config)# aaa accounting network start-stop tacacs+

ISCW – Course 5

Exercise: Update the bogon filter as recommended in the Cisco AutoSecure documentation, and reapply the filter to the device, using the command line interface (CLI) rather than the Router and Security Device Manager (SDM) to make the desired changes to the device or devices

Step 1
Determine which bogon to remove, then enter enable mode, then config mode.
Router>enable
Password:
Router#config t
Router(config)#

Step 2
Enter the following set of Cisco command statements to update the bogon filter.
Router(config)#ip access-list extended autosec_complete_bogon
Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#ip access-list extended autosec_iana_reserved_block
Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#

Step 3
The alternative to updating the bogon filter is to delete the bogon filter altogether. This process can also be performed at the command line interface. To do so, enter enable mode, then config mode.
Router>enable
Password:
Router#config t
Router(config)#

Step 4
Enter interface config mode for the interface on which the bogon filter is applied.
Router(config)#interface Serial0/0
Router(config-if)#

Step 5
Remove the bogon filter from the interface (using the appropriate access-list name).
Router(config-if)#no ip access-group autosec_complete_bogon in

Step 6
(Optional) Remove the bogon filter from the router configuration to prevent the inadvertent reapplication of the bogon filter in the future.
Router(config-if)#exit
Router(config)#no ip access-list extended autosec_complete_bogon
Router(config)#no ip access-list extended autosec_iana_reserved_block

Step 7
Exit config mode. Save the configuration to memory.
Router(config)#exit
Router#copy running-config startup-config

Exercise: Configure an Access List to ‘Deny’ an IP Host Address

Step 1
Add the “?” to the end of the Cisco ‘access-list’ command statement to display the complete range of access list numbers available for filtering a network.
RouterA(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <400-499>    XNS standard access list
  <500-599>    XNS extended access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list

Step 2
Use IP standard access lists ‘1-99’ and create access-list number ‘10.’ Use the “?” to display the available options, methods or parameters for this command.
RouterA(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

Step 3
From the options in the previous step, let’s make this access list a ‘deny’ access list. Then, let’s ask what our options are for creating a ‘deny’ access list 10.
RouterA(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

Step 4
While the ‘any’ command option would allow us to deny all source host addresses, the ‘Hostname or A.B.C.D’ and ‘host’ command options allow us to specify an IP host address.
Step 5
Create a ‘deny’ access-list 10 for host 161.15.29.1:
RouterA(config)# access-list 10 deny host 161.15.29.1
-OR-
RouterA(config)# access-list 10 deny 161.15.29.1
This command tells the router to deny any packets from IP host address 161.15.29.1. The word ‘host’ in this command can also be omitted, as it is the default.

Exercise: Configure an Extended Access List

Step 1
Type in the ‘access-list ?’ command statement to display the available access lists.
RouterA(config)# access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <400-499>    XNS standard access list
  <500-599>    XNS extended access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list

Step 2
Use IP extended access lists ‘100-199’ and create access-list number ‘120.’ Use the “?” to display the available options, methods or parameters for this command, and compare them with those of standard access list 10.
RouterA(config)# access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
RouterA(config)# access-list 120 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward

Step 3
Notice that the command options are different for this list than for access lists ‘1-99.’ The ‘dynamic’ command option exists for access lists ‘100-199.’ Also, when we query on the ‘deny’ command option, access lists ‘100-199’ provide a different set of options.
RouterA(config)# access-list 120 deny ?
  <0-255>  An IP protocol number
  eigrp    Cisco's EIGRP routing protocol
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Step 4
Next, let’s choose a range of IP address hosts for our extended ACL (Access Control List). Let’s select the ‘any’ command option and query on the other command options.
RouterA(config)# access-list 120 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

Step 5
Using the 161.15.29.1 host address, we want to look at two more command option queries. First:
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 ?
  eq           Match only packets on a given port number
  established  Match established connections
  fragments    Check fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  tos          Match packets with given TOS value

Step 6
We want to filter traffic for a specific port number. Let’s select the ‘eq’ command option and query once more for other command options:
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  gopher     Gopher (70)
  hostname   NIC hostname server (101)
  ident      Ident Protocol (113)
  irc        Internet Relay Chat (194)
  klogin     Kerberos login (543)
  kshell     Kerberos shell (544)
  login      Login (rlogin, 513)
  lpd        Printer service (515)
  nntp       Network News Transport Protocol (119)
  pop2       Post Office Protocol v2 (109)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  sunrpc     Sun Remote Procedure Call (111)
  syslog     Syslog (514)
  tacacs     TAC Access Control System (49)
  talk       Talk (517)
  telnet     Telnet (23)
  time       Time (37)
  uucp       Unix-to-Unix Copy Program (540)
  whois      Nicname (43)
  www        World Wide Web HTTP (80)

Step 7
We can now complete the creation of the access list that will filter traffic on our specified port for our specified IP host address. Our access list 120 command is now complete. We can use this access list to mitigate threats and attacks, and to implement robust and secure infrastructure protection.
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 eq 620
For more specific filtering, we could also add a subnet mask (e.g., 161.15.29.1 255.255.255.0) so that filtering will be to the last bit.

ISCW – Course 6

Exercise: Configuring MTU Size in Label Switching

Step 1
Enter interface configuration mode:
Router(config)# interface fastethernet 0/0

Step 2
Change the maximum size of an MPLS-labeled packet to 1508 bytes:
Router(config-if)# mpls mtu 1508
NOTE: The Cisco ‘mpls mtu’ command statement is necessary to account for the addition of the label header; the MTU on LAN interfaces should be increased to prevent IP fragmentation. The minimum MTU is 64 bytes, and the maximum MTU is based on the type of interface medium that is being used.
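To see what the 1508-byte setting buys, here is an added example (not part of the course material) that parses the ‘show mpls forwarding-table prefix detail’ output format and checks each entry's MPLS MTU against the label stack it imposes. It assumes a 1500-byte IP MTU and 4 bytes per label; the first entry is the one from this exercise, the other two are constructed.

```python
"""Check MPLS MTU headroom from 'show mpls forwarding-table <prefix> detail'.

Added example for the 'mpls mtu' exercise; it is not the course's own code.
The first forwarding-table entry below is the one the exercise shows; the
second and third are constructed to show entries that impose labels.
"""
import re

IP_MTU = 1500          # assumed IP MTU of the LAN interface, in bytes
LABEL_HEADER = 4       # every MPLS label (shim header) adds 4 bytes

SAMPLE_OUTPUT = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     10.1.1.1/32       1544       Fa1/0      10.20.10.1
        MAC/Encaps=14/14, MTU=1508, Tag Stack{}
        00049BD60C1C00D06354701C8847
        No output feature configured
    Per-packet load-sharing
19     16          10.1.1.2/32       2048       Fa1/0      10.20.10.1
        MAC/Encaps=14/22, MTU=1508, Tag Stack{16 24}
20     17          10.1.1.3/32       4096       Fa1/0      10.20.10.1
        MAC/Encaps=14/26, MTU=1508, Tag Stack{17 24 30}
"""

# One entry line: local label, outgoing label or action, prefix, bytes,
# outgoing interface, next hop.
ENTRY_RE = re.compile(r"^(\d+)\s+(Pop tag|Untagged|\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
DETAIL_RE = re.compile(r"MAC/Encaps=(\d+)/(\d+),\s*MTU=(\d+),\s*Tag Stack\{([^}]*)\}")


def required_mpls_mtu(ip_mtu: int, label_depth: int) -> int:
    """MPLS MTU needed to forward an ip_mtu-byte packet with label_depth
    labels imposed and no IP fragmentation."""
    return ip_mtu + LABEL_HEADER * label_depth


def parse_forwarding_table(output: str) -> list:
    """Collect each entry's prefix, MTU, L2/encapsulation sizes and label stack."""
    entries, current = [], None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"local_label": int(m.group(1)), "outgoing": m.group(2),
                       "prefix": m.group(3), "interface": m.group(5),
                       "next_hop": m.group(6)}
            entries.append(current)
            continue
        d = DETAIL_RE.search(line)
        if d and current is not None:
            mac_len, encaps_len, mtu, stack = d.groups()
            current.update(mac_len=int(mac_len), encaps_len=int(encaps_len),
                           mpls_mtu=int(mtu),
                           label_stack=[int(x) for x in stack.split()])
    return entries


def mtu_report(entry: dict, ip_mtu: int = IP_MTU) -> dict:
    """Decide whether the entry's MPLS MTU leaves room for its label stack."""
    depth = len(entry["label_stack"])
    # Cross-check: encapsulation beyond the L2 header must be 4 bytes per label.
    if entry["encaps_len"] - entry["mac_len"] != LABEL_HEADER * depth:
        raise ValueError(f"encapsulation size does not match {depth} labels")
    needed = required_mpls_mtu(ip_mtu, depth)
    return {"prefix": entry["prefix"], "labels": depth, "needed_mtu": needed,
            "fits": entry["mpls_mtu"] >= needed,
            # how many labels the configured MPLS MTU can carry over ip_mtu
            "max_label_depth": (entry["mpls_mtu"] - ip_mtu) // LABEL_HEADER}


def run() -> list:
    """Report on every entry in the sample output."""
    return [mtu_report(e) for e in parse_forwarding_table(SAMPLE_OUTPUT)]


if __name__ == "__main__":
    for report in run():
        print(report)
```

With ‘mpls mtu 1508’ the interface carries at most two labels over a 1500-byte IP packet; the third constructed entry, with three labels, would need 1512.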
Step 3
The MPLS MTU size for backbone LSRs is examined using the ‘show mpls forwarding-table prefix detail’ command. Verify the MPLS MTU size using the ‘show mpls forwarding-table’ command statement, and notice that the MTU=1508 setting reflects our previous ‘mpls mtu’ command statement.
Router# show mpls forwarding-table 10.1.1.1 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     10.1.1.1/32       1544       Fa1/0      10.20.10.1
        MAC/Encaps=14/14, MTU=1508, Tag Stack{}
        00049BD60C1C00D06354701C8847
        No output feature configured
    Per-packet load-sharing
Router#

ISCW - Course 7

Exercise: Configure IPS inline VLAN pair settings on a sensor to mitigate network security threats

Step 1
Log in to the CLI using an account with administrator privileges.

Step 2
Enter the interface sub-mode:
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)#

Step 3
Verify whether or not any inline interfaces exist (the sub-interface type should read "none" if no inline interfaces have been configured):
sensor(config-int)# show settings
   physical-interfaces (min: 0, max: 999999999, current: 2)
   -------------------------------
      <protected entry>
      name: GigabitEthernet0/0 <defaulted>
      -------------------------------
         media-type: tx <protected>
         description: <defaulted>
         admin-state: disabled <protected>
         duplex: auto <defaulted>
         speed: auto <defaulted>
         alt-tcp-reset-interface
         -------------------------------
            none
            -------------------------------
         -------------------------------
         subinterface-type
         -------------------------------
            none
            -------------------------------
         -------------------------------
      -------------------------------
      <protected entry>
      name: GigabitEthernet0/1 <defaulted>
      -------------------------------
         media-type: tx <protected>
         description: <defaulted>
         admin-state: disabled <defaulted>
         duplex: auto <defaulted>
         speed: auto <defaulted>
         alt-tcp-reset-interface
         -------------------------------
            none
            -------------------------------
         -------------------------------
         subinterface-type
         -------------------------------
            none
            -------------------------------
         -------------------------------
      -------------------------------
      <protected entry>
      name: GigabitEthernet0/2 <defaulted>
      -------------------------------
         media-type: tx <protected>
         description: <defaulted>
         admin-state: disabled <defaulted>
         duplex: auto <defaulted>
         speed: auto <defaulted>
         alt-tcp-reset-interface
         -------------------------------
            none
            -------------------------------
         -------------------------------
         subinterface-type
         -------------------------------
            none
            -------------------------------
         -------------------------------
      -------------------------------
      <protected entry>
      name: GigabitEthernet0/3 <defaulted>
      -------------------------------
         media-type: tx <protected>
         description: <defaulted>
         admin-state: disabled <defaulted>
         duplex: auto <defaulted>
         speed: auto <defaulted>
         alt-tcp-reset-interface
         -------------------------------
            none
            -------------------------------
         -------------------------------
         subinterface-type
         -------------------------------
            none
            -------------------------------
         -------------------------------
      -------------------------------
      <protected entry>
      name: Management0/0 <defaulted>
      -------------------------------
         media-type: tx <protected>
         description: <defaulted>
         admin-state: disabled <protected>
         duplex: auto <defaulted>
         speed: auto <defaulted>
         alt-tcp-reset-interface
         -------------------------------
            none
            -------------------------------
         -------------------------------
         subinterface-type
         -------------------------------
            none
            -------------------------------
         -------------------------------
      -------------------------------
   -------------------------------
   command-control: Management0/0 <protected>
   inline-interfaces (min: 0, max: 999999999, current: 0)
   -------------------------------
   -------------------------------
   bypass-mode: auto <defaulted>
   interface-notifications
   -------------------------------
      missed-percentage-threshold: 0 percent <defaulted>
      notification-interval: 30 seconds <defaulted>
      idle-interface-delay: 30 seconds <defaulted>
   -------------------------------
sensor(config-int)#

Step 4
Remove any inline interfaces that use this physical interface:
sensor(config-int)# no inline-interfaces interface_name

Step 5
Display the list of available interfaces:
sensor(config-int)# physical-interfaces ?
  GigabitEthernet0/0  GigabitEthernet0/0 physical interface.
  GigabitEthernet0/1  GigabitEthernet0/1 physical interface.
  GigabitEthernet0/2  GigabitEthernet0/2 physical interface.
  GigabitEthernet0/3  GigabitEthernet0/3 physical interface.
  Management0/0       Management0/0 physical interface.
sensor(config-int)# physical-interfaces

Step 6
Specify an interface:
sensor(config-int)# physical-interfaces GigabitEthernet0/2

Step 7
Enable the admin-state of the interface:
sensor(config-int-phy)# admin-state enabled
The interface must be assigned to the virtual sensor and enabled in order to monitor traffic.

Step 8
Add a description of this interface:
sensor(config-int-phy)# description INT1

Step 9
Configure the duplex settings:
sensor(config-int-phy)# duplex full
This option is not available on modules.

Step 10
Configure the speed:
sensor(config-int-phy)# speed 1000
This option is not available on modules.

Step 11
Set up the inline VLAN pair:
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53

Step 12
Add a description for the inline VLAN pair:
sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53

Step 13
Verify the inline VLAN pair settings:
sensor(config-int-phy-inl-sub)# show settings
   subinterface-number: 1
   -------------------------------
      description: VLANpair1 default:
      vlan1: 52
      vlan2: 53
   -------------------------------
sensor(config-int-phy-inl-sub)#

Step 14
Exit the interface sub-mode:
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
Press Enter to apply the changes, or enter ‘no’ to discard them.

Step 15
Enter virtual sensor configuration mode:
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0

Step 16
Add the interface to the virtual sensor:
sensor(config-ana-vir)# physical-interface GigabitEthernet0/2 subinterface-number 1

Step 17
Exit virtual-sensor submode:
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]:
Press Enter to apply the changes, or enter ‘no’ to discard them.
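A worked example for the bogon-filter, deny-host and extended access-list exercises earlier on this page, added here and not part of the course material. It parses the access-list lines those exercises enter (including the ‘no deny ip 71.0.0.0 0.255.255.255 any’ update, modelled as dropping the entry) and evaluates constructed sample packets against them with first-match semantics and the implicit deny. The packet addresses 71.20.30.40 and 10.0.0.9 are constructed, and the ‘permit’ entries are stand-ins for the rest of the real lists; note that IOS takes a wildcard mask (0 bits must match) after an address, not a subnet mask.

```python
"""Added example (not the course's own code) for the bogon-filter, deny-host and
extended access-list exercises on this page: evaluates IOS-style access-list
entries against sample packets. It covers only the syntax those exercises use
(standard lists; extended ip/tcp/udp entries with any/host/wildcard-mask
addresses and 'eq <port>') plus the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)           # base address 0 with an all-ones wildcard mask
def _ipv4(token: str) -> int: return int(ipaddress.IPv4Address(token))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "ip", "tcp" or "udp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str
    src: tuple                  # (base_address_int, wildcard_int)
    dst: tuple
    dport: Optional[int]

def _addr_spec(tokens, i):
    """Parse 'any', 'host A', 'A WILDCARD' or a bare 'A' (a host) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ipv4(tokens[i + 1]), 0), i + 2
    base = _ipv4(tokens[i])
    # IOS wildcard mask, not a subnet mask: 0 bits must match, 1 bits are ignored.
    if i + 1 < len(tokens) and tokens[i + 1].replace(".", "").isdigit():
        return (base, _ipv4(tokens[i + 1])), i + 2
    return (base, 0), i + 1

def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> <action> ...' or a named-list line '<action> ...'."""
    tokens = line.split()
    standard = tokens[0] == "access-list" and 1 <= int(tokens[1]) <= 99
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, i = tokens[0], 1
    if standard:                            # standard lists test the source only
        src, i = _addr_spec(tokens, i)
        return Entry(action, "ip", src, ANY, None)
    proto, i = tokens[i], i + 1
    src, i = _addr_spec(tokens, i)
    dst, i = _addr_spec(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return Entry(action, proto, src, dst, dport)

def _match(spec, addr: str) -> bool:
    base, wildcard = spec
    keep = 0xFFFFFFFF ^ wildcard            # the bits the entry compares
    return (_ipv4(addr) & keep) == (base & keep)

def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if ((e.proto == "ip" or e.proto == pkt.proto)
                and _match(e.src, pkt.src) and _match(e.dst, pkt.dst)
                and (e.dport is None or e.dport == pkt.dport)):
            return e.action
    return "deny"

def demo() -> dict:
    # Constructed two-line stand-in for the AutoSecure bogon list, before/after 'no deny'.
    bogon = [parse_entry("deny ip 71.0.0.0 0.255.255.255 any"), parse_entry("permit ip any any")]
    updated = [e for e in bogon if e != parse_entry("deny ip 71.0.0.0 0.255.255.255 any")]
    acl10 = [parse_entry("access-list 10 deny 161.15.29.1"),
             parse_entry("access-list 10 permit any")]
    acl120 = [parse_entry("access-list 120 deny tcp any host 161.15.29.1 eq 620"),
              parse_entry("access-list 120 permit ip any any")]
    return {                                # constructed sample packets
        "bogon_before": evaluate(bogon, Packet("71.20.30.40", "10.0.0.1")),
        "bogon_after": evaluate(updated, Packet("71.20.30.40", "10.0.0.1")),
        "acl10_host": evaluate(acl10, Packet("161.15.29.1", "10.0.0.1")),
        "acl120_tcp620": evaluate(acl120, Packet("10.0.0.9", "161.15.29.1", "tcp", 620)),
        "acl120_tcp80": evaluate(acl120, Packet("10.0.0.9", "161.15.29.1", "tcp", 80)),
        "acl120_udp620": evaluate(acl120, Packet("10.0.0.9", "161.15.29.1", "udp", 620)),
    }
```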