Saturday, May 26, 2012

Default Authentication Methods


  • General steps:
    • Enable AAA authentication with the aaa new-model global command.
    • If using RADIUS or TACACS+, define the IP addresses & encryption keys used by the servers with the following commands:
      • radius-server host
      • radius-server key
      • tacacs-server host
      • tacacs-server key
    • Define the default set of authentication methods used for all CLI access with the command:
      • aaa authentication login default
    • Define the default set of authentication methods used for enable-mode access with the command:
      • aaa authentication enable default
  • For example, by following the steps above, 2 RADIUS servers can be configured:
    • One of the servers uses the IOS default port 1645.
    • The other uses the reserved well-known port 1812.
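As an added example (constructed for these notes, not configuration from the original post), the steps above applied to two RADIUS servers: the first relies on the IOS default authentication port 1645, the second explicitly uses the well-known port 1812. The server addresses, shared key and local credentials are made-up placeholders.

```cisco
! Added example: two RADIUS servers for CLI and enable-mode authentication.
! 10.1.1.11, 10.1.1.12 and every key/secret below are constructed placeholders.
aaa new-model
!
! First server: no auth-port given, so the IOS default of 1645 is used.
radius-server host 10.1.1.11
! Second server: explicitly use the well-known port 1812 (accounting on 1813).
radius-server host 10.1.1.12 auth-port 1812 acct-port 1813
! Shared secret that protects the RADIUS exchange with both servers.
radius-server key RadiusKeyPlaceholder
!
! Default method list for all CLI logins: try RADIUS first; "local" is only
! consulted when no RADIUS server answers, not when a server rejects the user.
aaa authentication login default group radius local
! Default method list for enable mode: RADIUS first, then the local enable secret.
aaa authentication enable default group radius enable
!
! Local fallback credentials so an unreachable RADIUS server cannot lock out admins.
username admin privilege 15 secret LocalFallbackPlaceholder
enable secret EnablePlaceholder
```

After applying it, show aaa servers reports per-server request and timeout counters, which is the quickest way to confirm the router is actually reaching both servers on the ports you intended.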

Friday, May 25, 2012

AAA: AUTHENTICATION

  • AAA refers to a variety of common security features.
  • AAA: Authentication, Authorization & Accounting
  • The strongest authentication methods for protecting the CLI are:
      • TACACS+
      • RADIUS server
  • The Cisco Secure Access Control Server (ACS)
    • It is a Cisco Systems software product.
    • It can be installed on Unix, Linux & several Windows platforms.
    • It holds a set of usernames & passwords used for authentication.
  • Routers & switches send the usernames & passwords entered by users to the server in encrypted form.


  • RADIUS vs TACACS+
    • Scope of encryption (packet payload or just the password)
      • RADIUS: password only
      • TACACS+: entire payload
    • Layer 4 protocol
      • RADIUS: UDP
      • TACACS+: TCP
    • Well-known port / IOS default port used for authentication
      • RADIUS: 1812 / 1645
      • TACACS+: 49 / 49
    • Standard or Cisco proprietary
      • RADIUS: RFC 2865
      • TACACS+: proprietary

Wednesday, May 23, 2012

SSH: SECURE SHELL PROTOCOL

  • Telnet traffic is sent in clear text, so it is not secure.
  • SSH is a client/server protocol that encrypts the traffic in and out through the vty lines.
  • By default Cisco routers & switches act as SSH clients.
  • To make Cisco routers & switches act as SSH servers they must be configured.
  • Clients are required to authenticate in order to connect.
  • This authentication can be a username & password or authentication with an AAA server.
  • There are 2 versions of SSH:
    • Version 2 is more secure than Version 1.
    • Cisco devices support both versions.
  • You must specify which version you want to use.
  • Configuring a basic SSH server requires the following steps:
    • Check whether the IOS image supports SSH.
    • Configure a host name (if already configured, leave it).
    • Configure a domain name (if already configured, leave it).
    • Configure a client authentication method.
    • Have the router or switch generate the RSA keys that will be used to encrypt the session.
    • Specify the SSH version, if you want to use version 2.
    • Disable Telnet on the VTY lines.
    • Enable SSH on the VTY lines.
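The complete procedure above as one worked configuration (an added example, not configuration from the original post). The hostname, domain name, username and secret are constructed placeholders; the commands themselves are standard IOS.

```cisco
! Added example: basic SSH server set-up following the steps in the notes.
! R1, example.test, the username and its secret are constructed placeholders.
!
! Step 1: confirm the image supports SSH (a crypto-capable "k9" image).
!   show version
!   show ip ssh
!
! Steps 2 and 3: host name and domain name; both are needed to name the RSA key pair.
hostname R1
ip domain-name example.test
!
! Step 4: client authentication against the local user database
! (an AAA server could be used here instead).
username admin privilege 15 secret AdminPlaceholder
!
! Step 5: generate the RSA key pair that protects the session; 2048 bits is a sensible minimum.
crypto key generate rsa modulus 2048
!
! Step 6: allow only SSH version 2, and tighten the login window.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Steps 7 and 8: "transport input ssh" disables Telnet and enables SSH on the vty lines.
line vty 0 4
 login local
 transport input ssh
```

show ip ssh afterwards should report "SSH Enabled - version 2.0"; if it still shows version 1.99 the device is accepting both versions, which means the ip ssh version 2 line did not take effect.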

SECURITY


  • The 3 ways to access user mode are:
        • CONSOLE
        • AUX
        • TELNET
  • Simple user mode CLI password protection:
      • line con 0
      •  login
      •  password cisco
      • line vty 0 15
      •  login
      •  password cisco
    • These passwords are stored as clear text in the configuration.
    • These passwords can be encrypted with the service password-encryption command:
      • service password-encryption
      • line console 0
      •  password 7 "type pass here"
      •  login
      • line vty 0 4
      •  password 7 "type pass here"
      •  login
    • After the service password-encryption command is added to the configuration, all clear text passwords in the running configuration are changed to an encrypted value.
    • Until copy run start is issued, the passwords in the startup config are not encrypted.
    • The no service password-encryption command does not automatically decrypt passwords that are already encrypted.
    • This type of encryption is weak; publicly available tools can easily decrypt the passwords.
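Because the type 7 encoding applied by service password-encryption is reversible, the practical fix is to stop relying on line passwords at all. The following added example (constructed here, not configuration from the original post) places the weak setting beside the stronger form: a local user database whose secrets are stored as one-way hashes (enable secret and username ... secret), with the vty lines authenticating against it. Usernames and secrets are placeholders.

```cisco
! Added example: weak line-password protection versus hashed local credentials.
! All usernames and secrets below are constructed placeholders.
!
! --- Weak form: the vty password is stored with type 7 encoding, which any
! --- public tool can reverse as soon as someone obtains the configuration.
service password-encryption
line vty 0 4
 password 7 <type-7 string written by IOS>
 login
!
! --- Stronger form: enable secret and username ... secret are stored as
! --- one-way hashes (type 5 on classic IOS), so a leaked configuration does
! --- not reveal the credentials. "login local" makes the vty lines use them.
enable secret EnableSecretPlaceholder
username admin privilege 15 secret AdminSecretPlaceholder
line vty 0 4
 login local
 transport input ssh
```

Keeping service password-encryption enabled does no harm in the stronger form; it simply no longer matters, because nothing security-relevant is left in type 7 form. Auditing a saved configuration for lines that still contain password 7 or a bare password is a quick way to find lines that have not been migrated.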

Tuesday, May 15, 2012

PIM-DM

PIM - Dense Mode:

  • Used in the following situation:
    • small networks where many multicast clients are tightly spaced together.

PIM: Protocol Independent Multicast

  • PIM is used for router-to-router communication.
  • PIM depends upon the unicast routing protocols for topology information.
  • Multicast groups can be either sparse or dense.
  • Multicast interfaces are configured as either sparse or dense or both.
  • PIMv2 hello message: every 30 sec
    • on PIM-enabled interfaces.
  • PIMv2 hold time value: 90 sec
  • PIMv2 uses IP protocol 103 & the reserved multicast address 224.0.0.13.
  • The PIM mode only determines how traffic is sent from an interface, not how it is received.
  • DR (designated router): the single router that sends IGMP host-query messages to learn host group membership.
    • The highest IP address becomes the DR.
  • Assert forwarder:
    • One router is elected & made responsible for forwarding multicast traffic.
    • Assert election:
      • lowest administrative distance to the source
      • lowest metric to the source
      • if tied, highest IP address

Saturday, May 12, 2012

IGMP: Internet Group Management Protocol

  • IGMP is automatically enabled when PIM is enabled.
  • IGMP enables the communication between multicast routers and their hosts.
  • Multicast routers use IGMP to learn which multicast groups to forward IP packets to on which interfaces.
  • Host membership query:
    • Routers use the queries to discover the presence of multicast group members on a subnet.
    • A general membership query is sent with the group address field set to 0.0.0.0.
    • A group-specific query is sent to the group address that is being queried.
  • Host membership reports:
    • Hosts reply to queries.
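One configuration that exercises both the PIM-DM post and this IGMP post (an added example, not configuration from the original posts): multicast routing is enabled, two interfaces run PIM dense mode with the 30-second hello interval, and the show commands listed afterwards expose the DR, the PIM neighbours and the IGMP group state described above. Interface names and addresses are constructed placeholders.

```cisco
! Added example: PIM dense mode on two interfaces, then verifying PIM and IGMP state.
! Interface names and the 10.0.x.0/24 addresses are constructed placeholders.
!
ip multicast-routing
! On a 3560 switch the equivalent global command is: ip multicast-routing distributed
!
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 ! Dense mode floods first and prunes later, so keep it to small networks
 ! where receivers are tightly packed. Enabling PIM also enables IGMP here.
 ip pim dense-mode
 ! PIM hello (query) interval in seconds; 30 is the default.
 ip pim query-interval 30
!
interface GigabitEthernet0/1
 ip address 10.0.13.1 255.255.255.0
 ip pim dense-mode
!
! Verification (exec mode):
!   show ip pim interface   - PIM mode, hello interval, neighbour count and DR per interface
!   show ip pim neighbor    - neighbours learned from PIM hellos (protocol 103, 224.0.0.13)
!   show ip igmp interface  - IGMP version, query interval and the querier on each interface
!   show ip igmp groups     - groups for which hosts have sent membership reports
!   show ip mroute          - the multicast routing table
```

In show ip pim interface the DR column should name the highest IP address on each shared segment; a DR that is not the address you expected usually means a neighbour is missing from show ip pim neighbor.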

RESERVED MULTICAST ADDRESSES


    • 224.0.0.1 - All multicast hosts
    • 224.0.0.2 - All multicast routers
    • 224.0.0.4 - DVMRP routers
    • 224.0.0.5 - OSPF routers
    • 224.0.0.6 - OSPF DR routers
    • 224.0.0.9 - RIPv2 routers
    • 224.0.0.10 - EIGRP routers
    • 224.0.0.13 - PIM routers
    • 224.0.0.22 - IGMPv3
    • 224.0.0.25 - RGMP
    • 224.0.0.39 - Auto-RP announce (RP)
    • 224.0.0.40 - Auto-RP Discovery (MA)

MULTICASTING


  • Multicast is UDP based.
  • The source address is always a unicast address & is never a multicast address.
  • Commands used are:
    • sh ip mroute                        // shows the multicast routing table
    • sh ip multicast interface           // shows multicast details for the interface
    • clear ip mroute *                   // clears routes from the multicast routing table
    • ip multicast-routing                // globally enables multicast routing on a router
    • ip multicast-routing distributed    // globally enables multicast routing on a 3560

DIFFERENCE BETWEEN PIM-DM & DVMRP


  • DVMRP uses its own distance vector protocol.
    • It sends route updates every 60 seconds.
    • Maximum of 32 hops only.
  • DVMRP uses probe messages to find neighbors.

DVMRP


  • Cisco IOS does not support a full implementation of DVMRP,
  • but it supports connectivity to a DVMRP network.
  • Cisco routers know enough about DVMRP to successfully forward multicast packets to, and receive packets from, a DVMRP neighbor.
  • DVMRP routes are propagated into & through the PIM cloud.
  • These DVMRP routes are maintained in a separate routing table on each Cisco router.

Friday, May 11, 2012

Overview of Multicast Routing Protocol


  • Routers can forward multicast packets by using
    • a dense-mode multicast routing protocol or
    • a sparse-mode multicast routing protocol.

Wednesday, May 9, 2012

MULTICAST CONTROL PLANE

  • The control plane is used to determine:
    • who sent the traffic & to what groups
    • who is receiving traffic & for what groups
    • how traffic should be forwarded when it is received
  • The control plane is built with a combination of:
    • host-to-router communication (IGMP)
    • router-to-router communication (PIM & MSDP)

MULTICAST ADDRESSING

  • IPv4 multicast uses class D addresses:
    • 224.0.0.0/4 (224.0.0.0 - 239.255.255.255)
  • Divided into public multicast & some reserved ranges.
  • Reserved ranges are:
    • LINK-LOCAL ADDRESSES
      • 224.0.0.0/24 (224.0.0.0 - 224.0.0.255)
    • SOURCE SPECIFIC MULTICAST
      • 232.0.0.0 - 232.255.255.255
    • ADMINISTRATIVELY SCOPED
      • 239.0.0.0 - 239.255.255.255
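The reserved ranges above are only useful if the network actually enforces them, so here is an added example (constructed for these notes, not configuration from the original post) that does two things on an edge router: it uses the SSM range 232.0.0.0/8 for source-specific multicast and it stops administratively scoped groups (239.0.0.0/8) from crossing the link to the outside. ACL number, interface name and description are constructed placeholders.

```cisco
! Added example: enforcing the multicast address scopes at a network edge.
! ACL 10, GigabitEthernet0/2 and its description are constructed placeholders.
!
! Source-specific multicast: use the default SSM range, 232.0.0.0/8.
ip pim ssm default
!
! Administratively scoped groups (239.0.0.0/8) are private to the organisation
! and must never be forwarded to or accepted from the upstream link.
! (Link-local groups, 224.0.0.0/24, are never forwarded by routers anyway.)
access-list 10 deny   239.0.0.0 0.255.255.255
access-list 10 permit 224.0.0.0 15.255.255.255
!
interface GigabitEthernet0/2
 description Link to the upstream provider (edge of the admin scope)
 ip pim sparse-mode
 ! Multicast boundary: data and PIM joins for groups denied by ACL 10 are
 ! dropped in both directions on this interface.
 ip multicast boundary 10
```

After this is in place, show ip mroute on the edge router should never show a 239.x.x.x entry with the upstream interface in its outgoing interface list; if it does, the boundary is on the wrong interface.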

Saturday, May 5, 2012

Friday, May 4, 2012


  • Different routing protocols can be used between PE & CE.
  • The PE-CE routing protocols run independently at every site.
  • Prefixes are redistributed between MP-BGP and the PE-CE routing protocol.
  • When using RIP:
    • To redistribute the MP-BGP routes into RIP, use
      • redistribute bgp N metric {X|transparent}
        • Here N is the AS number.
        • X is the metric assigned to the RIP routes.
      • If you use the keyword transparent, the RIP metric is recovered from the RIP metric learned at the remote site.
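The redistribution described above, written out for one PE router as an added example (constructed for these notes, not configuration from the original post). The VRF name, route distinguisher, AS number 65000 and the customer network are constructed placeholders; the command forms are standard IOS.

```cisco
! Added example: RIP as the PE-CE protocol inside a VRF on a PE router.
! CUST_A, 65000:10, AS 65000 and 192.168.10.0 are constructed placeholders.
!
ip vrf CUST_A
 rd 65000:10
 route-target both 65000:10
!
router rip
 version 2
 ! RIP runs independently per customer site, so it is configured per VRF.
 address-family ipv4 vrf CUST_A
  version 2
  network 192.168.10.0
  no auto-summary
  ! N = 65000 is the provider AS. "transparent" restores the RIP metric learned
  ! at the remote site instead of assigning every redistributed route a fixed
  ! metric X, so hop counts stay meaningful end to end across the VPN.
  redistribute bgp 65000 metric transparent
 exit-address-family
!
router bgp 65000
 address-family ipv4 vrf CUST_A
  ! Carry the CE's RIP routes across MP-BGP to the other PEs.
  redistribute rip
 exit-address-family
```

Compare show ip route vrf CUST_A on a remote PE with the RIP database at the originating site: with transparent the hop counts should match, whereas with a fixed metric X every route from the VPN shows the same value.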