Sunday, July 28, 2019



CCIE Security v4.0 Quick Reference, Third Edition. Lancy Lobo, Umesh Lakshman. Cisco Press, East 96th Street, Indianapolis, IN.

The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user, such as a show command.
- Italic indicates arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets [ ] indicate an optional element.

Introduction

For more than ten years, the CCIE program has identified networking professionals with the highest level of expertise. The majority of candidates who take the exam fail at the first attempt because they are not fully prepared; they generally find that their study plan did not match what was expected of them in the exam.

VLAN Trunking

The DTP port state dictates its capability to create a trunk. Following are the possible states:
- on: The port trunks unconditionally; DTP messages are still sent to the peer.
- desirable: The port actively tries to negotiate a trunk with its peer.
- auto: Enables the switch to create a trunk if initiated from the other switch; DTP messages are sent, but the port never initiates the negotiation itself.
- nonegotiate: Disables DTP; the port will not form a trunk link with a peer that requires trunk negotiation.

Following are the aspects of the native VLAN: frames belonging to the native VLAN cross an IEEE 802.1Q trunk untagged, and Cisco switches produce errors if the native VLAN does not match at each end of the link. Because native-VLAN frames are untagged, a host on the native VLAN can send double-tagged frames whose inner tag is delivered into another VLAN after the first switch strips the outer tag; use a dedicated, unused native VLAN on trunks so that no access port shares it.

IEEE 802.1Q: These are the components of an 802.1Q tag. The Tag Protocol Identifier (TPID) has a defined value of 0x8100 in hex. The Tag Control Information (TCI) follows: the first 3 bits define user priority, the Canonical Format Indicator (CFI) is a single-bit flag, and the remaining 12 bits carry the VLAN identifier. Two of these identifications (0 and 4095) are reserved. The command that creates and controls trunks on Cisco IOS-based switches is the switchport mode interface command; you can control the native VLAN with switchport trunk native vlan.
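The tag layout above, as an added example that is not part of the book: this Python parser and builder are mine, the TPID and field widths come from the text, and the sample frames are constructed, not captured. It also flags the double-tagged (native VLAN outer tag) pattern mentioned above, which is the check a switch port or an IDS would apply.

```python
"""Parse and build IEEE 802.1Q tags; flag stacked (double) tags on the native VLAN."""
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier for 802.1Q
RESERVED_VIDS = {0, 4095}  # the two reserved VLAN identifiers


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags (one per VID, outermost first)."""
    tags = b""
    for vid in vids:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4095 and PCP 0..7")
        tci = (pcp << 13) | (0 << 12) | vid  # 3-bit priority, 1-bit CFI (0 = canonical), 12-bit VID
        tags += struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> dict:
    """Return the tag stack of a frame, outermost first, plus the final EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags = []
    offset = 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({
            "pcp": tci >> 13,                       # user priority
            "cfi": (tci >> 12) & 1,                 # Canonical Format Indicator
            "vid": tci & 0x0FFF,                    # VLAN identifier
            "reserved": (tci & 0x0FFF) in RESERVED_VIDS,
        })
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": etype, "payload": frame[offset + 2:]}


def is_vlan_hopping_candidate(frame: bytes, native_vid: int) -> bool:
    """A double-tagged frame whose outer tag is the trunk's native VLAN: the first switch
    strips the outer tag and the inner tag carries the frame into another VLAN."""
    tags = parse_tags(frame)["tags"]
    return len(tags) >= 2 and tags[0]["vid"] == native_vid


# Constructed sample frames (not captures): one normally tagged, one double-tagged.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
SINGLE = build_frame(DST, SRC, [10], 0x0800, b"\x45" + b"\x00" * 19, pcp=5)
DOUBLE = build_frame(DST, SRC, [1, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(parse_tags(SINGLE))
    print("hopping candidate:", is_vlan_hopping_candidate(DOUBLE, native_vid=1))
```

The builder never sets the CFI bit; on Ethernet the bit is expected to be 0 and a frame with it set is normally dropped, which is why the parser reports it separately.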


VTP

VLAN configurations are synchronized from Server mode systems to the other switches in the VTP domain. To enjoy the benefits of VTP, the switches must share the same VTP domain name (and password, if one is configured). You have three possible modes for your VTP switches:
- Server: Enables you to create, modify, and delete VLANs for the whole domain. Catalyst switches default to this mode.
- Client: Does not enable the creation, modification, or deletion of VLANs; the switch only accepts what the servers advertise.
- Transparent: Permits the addition, modification, and deletion of VLANs locally only; the switch forwards VTP advertisements but does not synchronize its own database from them.

Every advertisement carries a configuration revision number, a 32-bit value from 0 to 4,294,967,295. This value determines whether a switch has stale information about VLANs and ultimately controls whether the switch overwrites its VLAN database with new information: a switch accepts an advertisement from its own domain only if the advertisement carries a higher revision number than its own. This is the danger when introducing new Server mode switches: a switch that was used in a lab and carries a higher revision number wipes the production VLAN database the moment its trunk comes up. Introducing new switches in Transparent mode helps ensure that this problem never results. Note that changing the VTP domain name on a switch resets its configuration revision number to 0, which is the other safe way to stage a switch.

VTP pruning limits the distribution of flooded frames to only switches that have members of the particular VLAN. You can enable VTP pruning with the global command vtp pruning.
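The revision-number behaviour described above, as an added example that is not from the book: a small Python model of VTP synchronization, written here to show why a higher revision number from a newly connected switch overwrites a production database and why staging the switch in Transparent mode (or resetting its domain name) prevents it. The switch names, VLAN numbers and the simplified advertisement tuple are constructed for the illustration; real VTP also carries a password digest and an updater identity that this model leaves out.

```python
"""Model VTP revision-number synchronization and the 'lab switch wipes production' failure."""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"                      # server (Catalyst default), client, or transparent
    revision: int = 0                         # configuration revision number, 32-bit in real VTP
    vlans: set = field(default_factory=lambda: {1})

    def set_domain(self, domain: str) -> None:
        """Changing the domain name resets the revision number to 0."""
        self.domain = domain
        self.revision = 0

    def add_vlan(self, vid: int) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":              # transparent-mode changes are local and not numbered
            self.revision += 1

    def advertisement(self) -> tuple:
        """What this switch sends when a trunk comes up (domain, revision, VLAN set)."""
        return (self.domain, self.revision, frozenset(self.vlans))

    def receive(self, adv: tuple) -> bool:
        """Apply a neighbour's advertisement; return True if the local database was overwritten."""
        domain, revision, vlans = adv
        if domain != self.domain:              # another domain: ignored
            return False
        if self.mode == "transparent":         # forwarded on other trunks, never applied locally
            return False
        if revision > self.revision:           # higher revision always wins, whatever it contains
            self.vlans = set(vlans)
            self.revision = revision
            return True
        return False


def connect_new_switch(production: VtpSwitch, newcomer: VtpSwitch) -> bool:
    """Both sides advertise when the trunk comes up; returns whether production was overwritten."""
    changed = production.receive(newcomer.advertisement())
    newcomer.receive(production.advertisement())
    return changed


def scenario(stage_transparent: bool) -> dict:
    prod = VtpSwitch("core1", "CORP")
    for vid in (10, 20, 30, 40, 50):
        prod.add_vlan(vid)                     # production ends at revision 5
    lab = VtpSwitch("lab1", "CORP")
    for vid in range(100, 112):
        lab.add_vlan(vid)                      # lab churn leaves it at revision 12
    if stage_transparent:
        lab.mode = "transparent"               # recommended way to introduce a switch
        lab.set_domain("CORP")                 # also resets the revision to 0
    wiped = connect_new_switch(prod, lab)
    return {"production_wiped": wiped, "production_vlans": sorted(prod.vlans),
            "production_revision": prod.revision}


if __name__ == "__main__":
    print(scenario(stage_transparent=False))
    print(scenario(stage_transparent=True))
```

Without staging, the production switch ends with the lab VLAN set at revision 12 and every port in VLANs 10 through 50 goes inactive; with staging, nothing changes.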

By default every VLAN is eligible for pruning; you can change this behavior by making select VLANs prune-ineligible.

EtherChannel

It is often advisable to use an EtherChannel for key trunks in your campus design. Be aware of the following guidelines for EtherChannel:
- Assign all EtherChannel ports to the same VLAN, or ensure they are all set to the same trunk encapsulation and trunk mode.
- Notice that EtherChannel affects STP: ordinarily one or more of the parallel links would be disabled to prevent a loop, but STP treats the bundle as a single logical link.
- EtherChannel load balancing can use MAC addresses or IP addresses (source, destination, or both) to choose the physical link for each frame; the method is selected with the port-channel load-balance global command.

Ethernet Data Rates

Four data rates are currently defined for operation over optical fiber and twisted-pair cables:
- Ethernet, 10 Mbps: this early Ethernet specification runs at 10 Mbps.
- Fast Ethernet, 100 Mbps.
- Gigabit Ethernet, 1000 Mbps.
- 10 Gigabit Ethernet, 10,000 Mbps.

Although Fast Ethernet is a faster technology, it keeps the frame format and the CSMA/CD MAC mechanism of 10 Mbps Ethernet, so the two interoperate through the same switches. Ethernet can run over various media, such as twisted pair, optical fiber, and coaxial cable; Ethernet over thick coaxial media is the original form. As the name conveys, reusing the existing cabling infrastructure helps make upgrades inexpensive.

Gigabit Interface Converters (GBICs) are hot-swappable transceiver modules. Upgrading to the latest interface technologies is simple because of these GBICs, and this flexibility enables you to inexpensively adapt your network equipment to any changes in the physical media that might be introduced.

IP Addressing

An IP address is 32 bits in length. It has a network ID portion and a host ID portion, and the number of bits used for the host ID dictates the number of hosts possible on the network or subnetwork. Addresses are typically represented in dotted-decimal notation.

Of the entire IPv4 address space, the classes are defined by the leading bits of the first octet:
- Class A addresses begin with 0 and have a first octet of 1 to 126 (0 and 127 are reserved).
- Class B addresses begin with 10 and have a first octet of 128 to 191.
- Class C addresses begin with 110 and have a first octet of 192 to 223.
- Class D addresses have the first 4 bits set to 1110 and have a first octet of 224 to 239. These addresses are used for IP multicast.
- Class E addresses have the first 4 bits set to 1111 and have a first octet of 240 to 255. These addresses are reserved for experimental use.

The address classes defined for IP networks consist of the following default subnet masks: Class A 255.0.0.0 (8 bits), Class B 255.255.0.0 (16 bits), and Class C 255.255.255.0 (24 bits).

The private IP space (RFC 1918) consists of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16; these addresses are not routed on the Internet.

To identify subnets, bits are borrowed from the host portion. Take a Class B address with an 18-bit mask: first note that this mask uses 18 bits, 2 more than the 16-bit default, so 2 bits are borrowed for the subnet ID and 14 bits remain for host addressing. The number of subnets that can be created depends on the number of bits borrowed; that is, 2 borrowed bits give 4 subnets.

Subnetting and VLSM

One of the fundamental concepts in networking is subnetting. Subnetting enables the creation of smaller, more manageable networks from a single address block; broadcast domains shrink, and overall network traffic is reduced. To calculate the number of hosts available on a subnet, raise 2 to the number of host bits and subtract 2: one address is reserved for the network ID (all host bits set to 0) and one for the directed broadcast (all host bits set to 1). To illustrate, a default Class A network uses 8 bits for the mask, leaving 24 host bits, or 2^24 - 2 = 16,777,214 hosts.

VLSM (variable-length subnet masking) enables a network administrator to choose subnetting boundaries based on the requirements of the network. Without variable-length subnets, every subnet of a major network must use the same mask, so a point-to-point link consumes as many addresses as the largest LAN. In other words, VLSM lets you subnet a subnet.


With VLSM, using the previous illustration, a single block can be carved into a few large subnets for LANs and many /30 subnets for point-to-point links. Before VLSM, classful routing protocols could carry only one mask per major network.

In a classless network, routing decisions use the prefix length rather than the address class. Classless networking refers to the delinking of the Class A, B, and C boundaries from routing and addressing. CIDR (classless interdomain routing) is a method in which subnets can be grouped together: it provides a way to refer to a list of consecutive subnets without having to list each one individually. It is massively useful in large networks where large groups of IP address ranges can be aggregated together within a routing table or access lists. CIDR and VLSM are related but refer to different IP addressing concepts: VLSM divides a block into smaller subnets, whereas CIDR summarizes contiguous blocks into one larger prefix.

ARP and Proxy ARP

When a host must send an IP datagram to a destination on its own subnet, the destination MAC address is determined through ARP. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. With proxy ARP, a router answers ARP requests for hosts on other networks with its own MAC address; the host that sent the ARP request then sends its packets to the router. Proxy ARP is enabled by default on Cisco IOS interfaces. To enable proxy ARP if it has been disabled, use the interface command ip proxy-arp. Because it lets hosts reach off-subnet destinations without a correct gateway and widens what an ARP-spoofing host can answer for, disable it with no ip proxy-arp on interfaces where it is not needed.
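The host-count, VLSM and CIDR arithmetic from the last few paragraphs, as an added example that is not from the book: this Python uses only the standard ipaddress module, and the 192.168.1.0/24 block and the host requirements fed to it are constructed for the illustration. It goes one step beyond the text by also handling /31 point-to-point links (RFC 3021), where the two reserved addresses are not subtracted.

```python
"""Subnet arithmetic with the standard library: host counts, VLSM allocation, CIDR summarization."""
import ipaddress
from typing import List, Tuple


def usable_hosts(cidr: str) -> int:
    """2^host_bits - 2 (network and broadcast reserved); /31 links (RFC 3021) keep both addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 2
    return net.num_addresses - 2


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still offers at least `hosts` usable addresses."""
    host_bits = 2
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def vlsm_allocate(block: str, requirements: List[int]) -> List[Tuple[int, ipaddress.IPv4Network]]:
    """Carve `block` into subnets sized for each host requirement, largest first (classic VLSM)."""
    free = [ipaddress.ip_network(block)]
    result = []
    for hosts in sorted(requirements, reverse=True):
        plen = prefix_for_hosts(hosts)
        # take the smallest free block that can still hold the subnet, to limit fragmentation
        candidates = [n for n in free if n.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"out of space for a subnet of {hosts} hosts")
        chosen = max(candidates, key=lambda n: n.prefixlen)
        free.remove(chosen)
        while chosen.prefixlen < plen:          # split in halves until it is the right size
            chosen, spare = list(chosen.subnets(prefixlen_diff=1))
            free.append(spare)
        result.append((hosts, chosen))
    return result


def cidr_summary(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Single supernet covering every prefix, as an aggregate route or ACL entry would carry it.
    (collapse_addresses() is the exact merge; this widens until one prefix covers all.)"""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


if __name__ == "__main__":
    for hosts, net in vlsm_allocate("192.168.1.0/24", [100, 50, 20, 2]):
        print(f"{hosts:>4} hosts -> {net} ({usable_hosts(str(net))} usable)")
    print(cidr_summary(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
```

A summary that is wider than the prefixes it was meant to cover silently invites traffic for address space you do not own, so check the result of cidr_summary against the list before putting it in a route or an ACL.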

HSRP

HSRP is used in a group of routers to select an active router and a standby router. One of these devices is selected by the protocol to be the active router; the active router is the router of choice for routing packets sent to the group's virtual IP address. When HSRP is configured on a network segment, the routers exchange hello packets, and HSRP detects when the designated active router fails: the standby router takes over the virtual IP and MAC address, and a new standby router is also selected at that time. For an example of an HSRP topology, see the figure in the book.

To enable HSRP on an interface, use the interface command standby [group-number] ip ip-address. You can configure multiple Hot Standby groups on an interface; to do so, use a different group number in each standby command. To configure the time between hello packets and the hold time before other routers declare the active router to be down, use standby [group-number] timers hellotime holdtime. To specify the ARP encapsulation type on an interface, use the arp interface command (the default is arpa).

GLBP

Instead of just providing backup for a failed router, GLBP shares the forwarding load across the routers in the group. GLBP members communicate with each other using hello messages sent every 3 seconds to the multicast address 224.0.0.102. Workstations are configured with the same virtual IP address; the active virtual gateway answers their ARP requests with the virtual MAC address of a different group member in turn, so the hosts are spread across the routers. The priority value range is from 1 to 255, and the highest priority becomes the active virtual gateway.

Like HSRP, GLBP has many optional customization commands, but a basic deployment needs only glbp group ip address on the interface.

NAT

NAT translates the internal local addresses to globally unique IP addresses before sending packets to the outside network. Organizations might use NAT for the following purposes: to connect a network that uses private or overlapping addresses to the Internet without renumbering every host, to share a small pool of registered addresses among many internal hosts, and to do basic load sharing of TCP traffic to a heavily used host. Use NAT if the IP addresses in your stub network are legitimate IP addresses belonging to another network and you want to communicate with those hosts or routers: the internal addresses must be changed on the way out, and NAT is used instead of renumbering to translate them.

NAT terminology:
- Inside local address: The IP address assigned to a host on the inside network, usually a private address.
- Inside global address: A legitimate IP address that represents one or more inside local IP addresses to the outside world.
- Outside local address: The IP address of an outside host as it appears to the inside network.
- Outside global address: The IP address assigned to a host on the outside network by the owner of the host.

You can configure the translations using static or dynamic means. Dynamic translation establishes a mapping between an inside local address and a pool of global addresses. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside.

Configuring Static Translations: To establish a static translation between an inside local address and an inside global address, use ip nat inside source static local-ip global-ip, and mark the interfaces with ip nat inside and ip nat outside.

Overloading: When multiple local addresses map to one global address (port address translation), the router distinguishes the sessions by TCP or UDP port number. To permit this behavior, add the overload keyword to the ip nat inside source command.

TCP Load Distribution: If your organization has multiple hosts that must communicate with a heavily used host, you can establish a virtual host on the inside network that coordinates load sharing among real hosts. Destination addresses that match an access list are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis and only when a new connection is opened from the outside to the inside.

ICMP

ICMP includes functions for the following:
- Communicate errors in the network, such as host or network unreachable.
- Announcing network congestion: An example is the ICMP Source Quench message, used to cause a sender to slow down transmission because a router is buffering too many packets. (Source Quench has since been deprecated by RFC 6633, and hosts are expected to ignore it.)
- Communicate timeouts in the network: Time Exceeded messages, returned when the TTL of a packet reaches zero, which is also what traceroute relies on.
- Provide troubleshooting tools: The Echo function is used by the ping utility to test connectivity between two systems.

NTP

Consistent time across devices matters for correlating logs and for certificate and authentication checks; Network Time Protocol (NTP) assists the administrator in this goal by automatically synchronizing the time between network devices. Devices in the network running NTP can receive the correct time from an authoritative time source. The stratum is the distance from the reference clock; consider it like a hop count. A stratum 1 server is directly attached to a reference clock. If you set the stratum to 1 on a router with ntp master 1, the router claims to be an authoritative source even though its own clock is free-running, so use a real reference or a higher stratum.

To configure a router to receive the time from an authoritative time source on the network, use ntp server ip-address. You can also have the router synchronize the clock of a peer router with ntp peer ip-address. The hardware clock (calendar) runs continuously, even while the router is powered off; it is a good practice to periodically update the hardware clock with the time learned from NTP. The command to configure this is ntp update-calendar. Enable NTP authentication (ntp authenticate, ntp authentication-key, ntp trusted-key) so that a rogue time source cannot skew the clocks that your logs and certificates depend on.

DHCP

The figure in the book shows the four-step process (Discover, Offer, Request, Acknowledgment) that the router participates in to provide DHCP services.

To exclude addresses from being handed out, use the global configuration command ip dhcp excluded-address low-address [high-address]. To configure a subnet and mask for the DHCP address pool, enter ip dhcp pool name and then network network-number [mask] inside the pool. To specify the domain name given to clients, use domain-name name in the pool; to specify DNS server addresses, use dns-server address.

Web Cache

The Cisco cache engine reduces transmission costs and downloading time for clients. When users request web pages, the router redirects the request to the cache engine. If the cache engine has a copy of the requested page in storage, it returns the page directly; if there is no cached copy, the cache engine retrieves the page from the web server and stores it. The routers and the cache engine operate transparently from the perspective of end users: end users do not know that the page came from the cache engine rather than the web server. The global configuration command used on the router to enable the protocol is ip wccp.

Name Resolution

You can specify either a single domain name (ip domain-name) or a list of domain names (ip domain-list).


Any IP hostname that does not contain a domain name has the domain name you specify appended to it before being added to the host table.

Logging

System messages are sent to the console by default. Because there is no way to stop the sending of system messages to the console while console logging is enabled, a busy console can impede the performance of the Cisco device: processes must wait for messages to be written to the slow console line before the processes can continue their operations. These system messages are typically sent to a logging process, which distributes them to the configured destinations. Logging is enabled by default, and it is recommended that the administrator leave the logging process enabled (the default behavior); the no logging on command actually forces all system messages to the console, which is the worst case just described.

To have the Cisco device store syslog messages in an internal buffer, use logging buffered [size] [level]. The buffer has a default size that can be changed by specifying an optional size at the end of the logging buffered command; when the buffer fills to capacity, the oldest messages are overwritten. To view the contents of the buffer, use show logging; the oldest messages display first. You can clear the buffer anytime with the clear logging command.

You can store syslog messages on a server (UNIX syslog or a commercial product). The command logging host ip-address sends messages to the server and can be entered multiple times to configure multiple destinations for the messages. UDP port 514 is used for syslog messages, so the transport is unauthenticated and unencrypted; keep the collector on a management network. To limit the sending of messages, use logging trap level: for example, logging trap notifications keeps debugging and informational messages from being sent to the server.

UNIX syslog servers use a facility code to identify the source of syslog messages and use this code to create different logs for the different sources of messages. Sample facilities include lpr for the Line Printer System and mail for the email system. UNIX syslog servers reserve the facility codes local0 through local7 for log messages received from remote servers and network devices. Cisco devices use local7 for their messages so that your router messages will be in a different log from the host facilities; CiscoWorks requires the use of local7. To have switches use one log file on the server and routers use another, change the facility on one set of devices (for example, logging facility local6 on the switches) and have the server file messages by facility.

Some devices enable logging of system messages to a file in flash memory. The command to do this is simply logging file flash:filename; this command can also set size limits on the file and control the types of messages sent to flash.

By default, messages carry only an uptime stamp, which cannot be correlated across devices. Put the date and time on each message with the service timestamps log datetime command (add msec and localtime or show-timezone for precise correlation), and synchronize the clocks with NTP.
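The facility and severity arithmetic behind logging trap and logging facility, as an added example that is not from the book: this Python decodes the PRI value that precedes each syslog message (facility * 8 + severity), applies a trap level the way the router would, and files routers and switches separately by facility. The three log lines are constructed in the Cisco IOS message format, not captured from a device, and the file paths are assumptions for the illustration.

```python
"""Decode syslog PRI values from Cisco messages and apply trap-level and facility filtering."""
import re
from typing import Optional

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr", 7: "news",
              8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]   # 0..7, the levels of `logging trap`

# <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text   (Cisco IOS message format)
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):")


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def encode_pri(facility: int, severity: int) -> int:
    return facility * 8 + severity


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    msg = MSG_RE.search(m.group("rest"))
    return {"facility": FACILITIES.get(facility, str(facility)), "severity": severity,
            "severity_name": SEVERITIES[severity],
            "mnemonic": f"%{msg.group('fac')}-{msg.group('sev')}-{msg.group('mnem')}" if msg else None,
            "text": m.group("rest")}


def passes_trap_level(severity: int, trap_level: int) -> bool:
    """`logging trap notifications` (5) sends severities 0..5 and drops informational and debugging."""
    return severity <= trap_level


def route_to_file(facility: str) -> str:
    """Server-side split: routers left on local7, switches moved with `logging facility local6`.
    Paths are assumptions for the example."""
    return {"local7": "/var/log/routers.log",
            "local6": "/var/log/switches.log"}.get(facility, "/var/log/other.log")


# Constructed sample lines (not captures); PRI 189 = local7 (23) * 8 + notifications (5).
SAMPLE = [
    "<189>45: *Mar  1 00:10:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "<179>46: *Mar  1 00:10:05.456: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<191>47: *Mar  1 00:10:06.000: %SEC-7-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4444) -> 10.0.0.1(22)",
]


def triage(lines, trap_level: int = 5):
    """Return (file, mnemonic) for each line the collector keeps under the given trap level."""
    kept = []
    for line in lines:
        rec = parse(line)
        if rec and passes_trap_level(rec["severity"], trap_level):
            kept.append((route_to_file(rec["facility"]), rec["mnemonic"]))
    return kept


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

Note what the trap level drops: the ACL-deny message in the third line is emitted at debugging (7), so a collector fed by logging trap notifications never sees it even though it is the line an analyst would want during an intrusion.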

SNMP

Here is the typical Cisco IOS global configuration command for setting community strings that permit monitoring or configuration: snmp-server community string [view view-name] [ro | rw] [access-list-number]. A read-write community string is equivalent to an enable password, so restrict it with an access list or, better, do not use SNMPv1 or v2c at all. Useful commands:
- show snmp: Checks the status of SNMP communications.
- show snmp engineid: Displays the identification of the local SNMP engine and all remote engines configured on the router.
- show snmp group: Displays the names of groups on the router and the security model.
- show snmp pending: Displays the current set of pending SNMP requests.
- show snmp sessions: Displays the current SNMP sessions.
- show snmp user: Displays the SNMPv3 users configured on the router.
- show management event: Displays the SNMP event values configured through the Event MIB.
- no snmp-server: Disables SNMP agent operation.

All the commands that follow are global configuration mode commands. Whereas previous versions used clear-text community strings, SNMP Version 3 provides for authentication and encryption of network management information: snmp-server group group-name v3 {noauth | auth | priv} defines the security level, and snmp-server user user-name group-name v3 auth {md5 | sha} auth-password priv {des | aes 128} priv-password creates the user; only the priv level actually encrypts. Here is the syntax to create a view, which limits what a user or community can read: snmp-server view view-name oid-tree {included | excluded}. The oid-tree iso is basically the entire MIB structure.

SPAN

SPAN copies traffic to a port where an analyzer or IDS can see it. SPAN is available in several forms:
- Local SPAN: SPAN source ports and the destination port are located on the same device. Traffic is mirrored from source ports to a destination port on the switch; use the syntax monitor session number source interface interface and monitor session number destination interface interface.
- VSPAN: The source is a VLAN as opposed to one or more ports (monitor session number source vlan vlan-id).
- RSPAN: A method of transporting source SPAN data to a remote destination; the SPAN source and destination ports are located on different switches. The data must be transported over a special-purpose RSPAN VLAN (created with vlan number followed by remote-span), and on the switch in which the data is ultimately destined, the session uses that VLAN as its source.

GRE Tunneling

Tunneling is used for a number of reasons, including connecting two disjointed networks that might not have IP communication between them. In IPv4 tunneling, the router encapsulates one packet inside another IP packet; GRE carries an arbitrary payload, like IPv4, IPv6, or IPX. To create a GRE tunnel, configure interface tunnel number with tunnel source, tunnel destination, and an IP address; GRE is the default tunnel mode. When tunneling is implemented, make sure the route to the tunnel destination is not learned through the tunnel itself: this can lead to a recursive route, and the tunnel flaps. GRE does not encrypt or authenticate anything; pair it with IPsec on any untrusted path.

OSPF

Consider the following OSPF features: it is a link-state protocol, it has variable-length subnet mask (VLSM) support, and link-state advertisements (LSAs) are used to build a database of the topology. The OSPF packet types are:
- Type 1, Hello: Builds adjacencies.
- Type 2, Database Description (DBD): Checks for database synchronization between routers.
- Type 3, Link-State Request (LSR): Requests specific link-state records.
- Type 4, Link-State Update (LSU): Sends requested link-state records.
- Type 5, Link-State Acknowledgment (LSAck): Acknowledges updates.
Null authentication is the default. The LSA aging timer (MaxAge) is a 60-minute default, and each LSA is refreshed by its originator every 30 minutes.

Hello packets are sent periodically and contain the following fields: the router ID (identifies the router), the area identifier (always 0 for the backbone), the hello and dead intervals (the frequency at which hellos are sent and the amount of time that can elapse before a router is declared dead), the authentication data, the stub area flag, the router priority, the DR and BDR addresses, and the list of the adjacent routers. After adjacencies have been established, LSAs are exchanged through a reliable mechanism: LSAs have a sequence number and a lifetime value, and they are flooded to ensure topological awareness. The cost metric is based on interface bandwidth. In a LAN environment OSPF sends hello packets via multicast address 224.0.0.5, and 224.0.0.6 reaches the DR and BDR. If authentication is configured, the password must match on routers configured for authentication, and all routers in an area must agree on the stub setting to form a stub area.

The exchange protocol functions as follows:
1. Router 1 begins in the Down state because it is not exchanging OSPF information with any other router. It sends hello packets via multicast.
2. Router 2 receives the hello and adds Router 1 to its list of neighbors; this is the beginning of the Init state. Router 2 sends a unicast hello packet response to Router 1.
3. Router 1 receives the hello and notes that it is listed in the packet, so Router 1 knows that it has bidirectional communication with Router 2. This is known as the Two-Way state.
4. In the ExStart state the master and slave roles are negotiated (the higher router ID becomes master), and in the Exchange state the master and slave routers exchange DBD packets.
5. When a DBD is received the router acknowledges it; if more recent information is described in the DBD, the router requests it with a link-state request (the Loading state).
6. The router adds the new information to its LSDB. When the exchange completes, the neighbors are in the Full state.


Router information is later maintained using the following process: when a link changes, the new LSA is flooded, packets are multicast to 224.0.0.5 and 224.0.0.6, and this process involves acknowledgments. Summaries are sent every 30 minutes to ensure synchronization.

Network Types

Point-to-point links: Typically serial links; no DR or BDR is elected. Broadcast (multiaccess) networks elect a DR and BDR. The nonbroadcast and point-to-multipoint modes from Cisco cover Frame Relay-style topologies; in a hub-and-spoke NBMA network, the hub is the only router with full connectivity and must therefore become the DR. You can use the following interface command to define the OSPF network type: ip ospf network {broadcast | non-broadcast | point-to-multipoint | point-to-point}.

Router Types

- Internal routers: All interfaces belong within the same area.
- Backbone routers: At least one interface in the backbone area (area 0).
- Area border routers (ABR): Connect one or more areas to the backbone. An ABR might also be a backbone router.
- Autonomous system boundary routers (ASBR): Inject routes into the OSPF network learned from another protocol.

LSA Types

You should be familiar with the types in the following table for the CCIE written exam:
- Router LSA (Type 1): Originated by every router and lists its links. These LSAs are flooded within the area they originated in.
- Network LSA (Type 2): Produced by the DR on every multiaccess network. These LSAs list all attached routers and stay within the area.
- Network Summary (Type 3): Originated by ABRs. Type 3 LSAs are used to advertise networks from one area into another.
- ASBR Summary (Type 4): Also originated by ABRs; advertises the location of an ASBR into other areas.
- AS External (Type 5): Originated by ASBRs and advertises an external destination or a default route to an external destination.
- NSSA External (Type 7): Originated by ASBRs in not-so-stubby areas and translated to Type 5 by the NSSA ABR.

Types of Routes

OSPF uses routing designators in the routing table to distinguish between types of routes. Here are the designators used and their meaning: O, intra-area; O IA, interarea; O E1, Type 1 external routes (networks outside the AS, with the external cost plus the internal cost to the ASBR); O E2, Type 2 external routes (networks outside the AS, with the external cost only; this is the default type on Cisco routers); O N1 and O N2, the NSSA equivalents.

Area Types

Remember that each area must be connected to area 0: any nonzero area must connect to area 0 through an area border router (ABR) or a virtual link. An ABR that connects to a standard area advertises network summary (Type 3) and ASBR summary (Type 4) LSAs into it, and Type 5 external LSAs are flooded into it as well. To configure an OSPF router to be in a standard area, assign its interfaces to the area with the network command; no further area command is needed.

Stub area: A stub area is an area that does not permit the advertisement of Type 5 external LSAs; the ABR injects a default route instead. Stub areas are used when all traffic destined to an external network would travel through an ABR anyway, so a default route accomplishes this while saving resources. Type 3 and 4 advertisements are still sent into the area from the ABR. All routers within a stub area must be configured as a stub (area area-id stub), because the stub flag in the hello packets must match.

Totally stubby area: A totally stubby area is a Cisco proprietary feature that extends the concepts of a stub area one step further: it also blocks Type 3 and 4 LSAs, leaving only the default route from the ABR (area area-id stub no-summary on the ABR). Like stub areas, ASBRs and virtual links are not allowed within totally stubby areas.

Not-so-stubby area (NSSA): One of the limitations of stub areas is that they do not enable ASBRs. There does exist a need to bring external routes into an otherwise stub-like area; to do this, a Type 7, NSSA External, LSA was created. When an NSSA area is created, the ASBR inside it originates Type 7 LSAs and the ABR translates them into Type 5 LSAs before flooding them into the rest of the domain. To configure an area as NSSA, use area area-id nssa on every router in the area. Like the stub area, the NSSA blocks Type 5 LSAs from entering; if a default route is desired from the ABR, add default-information-originate to the command. Totally NSSA: Like the NSSA area, Type 7 LSAs are allowed; unlike the NSSA area, Type 3 and 4 LSAs are blocked as well (area area-id nssa no-summary).

Here is a summary of the LSA types permitted in each area: standard, 1 through 5; stub, 1 through 4 plus a default; totally stubby, 1 and 2 plus a default; NSSA, 1 through 4 and 7; totally NSSA, 1, 2, and 7 plus a default.

DR Election

On a multiaccess network the router with the highest OSPF interface priority becomes the DR; the router with the highest router ID wins the election in case of a priority tie.

Router ID

Here is the process for router ID selection:
1. The router ID is set with the router-id address router configuration command, if configured.
2. Otherwise, the highest IP address on a loopback interface.
3. Otherwise, the highest IP address on an active interface.
Use show ip ospf to verify the router ID selection. The choice is made when the process starts, so a later change takes effect only after clear ip ospf process.

Summarization and Default Routes

To configure interarea route summarization on the ABR, use area area-id range address mask in router configuration mode; external routes are summarized on the ASBR with summary-address. The complete router configuration command syntax for generating default routes is as follows: default-information originate [always] [metric metric-value] [metric-type type-value]. If the advertising router does not possess a default route in its routing table, it does not generate one unless the always keyword is given. The metric-type enables you to specify a Type 1 or Type 2 external route.

Authentication

Authentication Type 0 is null, the default. Authentication Type 1 is clear text: enable area authentication on all routers in the area using router configuration mode (area area-id authentication) and enter the clear-text password on the interface in interface configuration mode (ip ospf authentication-key password). The password is visible to anyone capturing on the segment, so Type 1 gives no protection against a sniffing attacker. Authentication Type 2 is MD5: enable MD5 area authentication on all routers in the area using router configuration mode (area area-id authentication message-digest) and set the key ID and password on the interfaces using interface configuration mode (ip ospf message-digest-key key-id md5 key). The key must match on all routers on the segment.

Cost and Timers

The cost metric is based on interface bandwidth: cost equals the reference bandwidth (100 Mbps by default) divided by the bandwidth value that is configured on the interface using the bandwidth command. If you use many interfaces faster than 100 Mbps, they all receive a cost of 1 and cannot be told apart; raise the reference with the router configuration mode command auto-cost reference-bandwidth ref-bw (in Mbps; valid values are from 1 to 4294967) and do so on every router in the domain. You can also override the calculated cost value on any interface directly by using the interface configuration command ip ospf cost cost.

Interface timers, all in interface configuration mode:
- ip ospf hello-interval seconds: Specifies the time between hello packets.
- ip ospf dead-interval seconds: Number of seconds before the router is considered dead (four times the hello interval by default).
- ip ospf retransmit-interval seconds: Specifies the number of seconds between LSA retransmissions.
- ip ospf transmit-delay seconds: Sets the number of seconds required to send a link-state update.
- ip ospf priority 0-255: Sets the DR election priority; 0 means the router never becomes DR.

The passive-interface command makes the specified interface address appear as a stub network in the OSPF domain; it also prevents the sending or receiving of routing information through the interface. Sending hellos is the default behavior. You can also configure the initial SPF delay and the hold time between two consecutive SPF calculations with timers throttle spf.
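The router-ID selection order and the reference-bandwidth cost formula from the two preceding sections, as an added example that is not from the book: the Python below is mine, and the interface names, addresses and bandwidth figures are constructed; only the selection order and the formula come from the text.

```python
"""OSPF router-ID selection order and interface cost from the reference bandwidth."""
import ipaddress
from typing import Dict, Optional


def select_router_id(configured: Optional[str], loopbacks: Dict[str, str], interfaces: Dict[str, str]) -> str:
    """1) router-id command, 2) highest loopback address, 3) highest address on an active interface.
    The dicts map interface name -> IPv4 address; pass only interfaces that are up."""
    if configured:
        return configured
    for pool in (loopbacks, interfaces):
        if pool:
            return max(pool.values(), key=lambda ip: int(ipaddress.ip_address(ip)))
    raise RuntimeError("no router ID available: the OSPF process cannot start")


def ospf_cost(interface_bw_kbps: int, reference_bw_mbps: int = 100) -> int:
    """cost = reference bandwidth / interface bandwidth, truncated to an integer, minimum 1.
    `bandwidth` on an IOS interface is in kbps; auto-cost reference-bandwidth is in Mbps."""
    cost = (reference_bw_mbps * 1000) // interface_bw_kbps
    return max(cost, 1)


def costs_table(reference_bw_mbps: int) -> Dict[str, int]:
    # Constructed interface set; kbps values are what `show interface` reports for these media.
    links = {"Serial T1": 1544, "FastEthernet": 100_000, "GigabitEthernet": 1_000_000, "TenGigE": 10_000_000}
    return {name: ospf_cost(bw, reference_bw_mbps) for name, bw in links.items()}


if __name__ == "__main__":
    print(select_router_id(None, {"Loopback0": "10.255.0.1"}, {"Gi0/0": "192.168.1.1"}))
    print("default reference 100 Mbps:", costs_table(100))
    print("auto-cost reference-bandwidth 10000:", costs_table(10000))
```

With the default reference, Fast Ethernet, Gigabit and 10 Gigabit all cost 1 and OSPF will happily load-share across a 100 Mbps link and a 10 Gbps link; with the reference raised to 10000 they cost 100, 10 and 1.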

Virtual Links

Virtual links are created between two ABRs, either to connect an area that has no physical connection to area 0 or to connect two disconnected area 0s (backbones). The following router configuration command configures a virtual link: area transit-area-id virtual-link router-id. Virtual links are typically implemented as a temporary fix for OSPF design issues.

Demand Circuits

To configure OSPF for on-demand circuits on a per-interface basis, use the interface command ip ospf demand-circuit. With this feature, hellos are suppressed and LSAs are not periodically refreshed across the link; these types of packets bring up the link only the first time, or when you have a topology change that needs to be propagated. If the router is part of a point-to-multipoint topology, only the multipoint end needs the command.

Nonstop Forwarding

NSF enables the continued forwarding of packets while the OSPF process restarts, perhaps because a software upgrade is occurring. Before RFC 3623 standardized graceful restart, Cisco offered a proprietary version of NSF; Cisco now refers to this version as Cisco NSF. There are two possible modes. The first possible mode is Restarting mode: in Restarting mode the router whose process is restarting keeps forwarding on its existing table and asks its neighbors to keep the adjacency up. The second possible mode is Helper mode: in Helper mode a neighbor keeps advertising the restarting router as fully adjacent during the grace period. Enter router configuration mode for the OSPF process and issue the nsf command to enable it.

Troubleshooting

Troubleshooting route summarization covers these symptoms: router not summarizing interarea routes, ABR not advertising a summary route, neighbor not advertising default routes, demand circuit keeps bringing up the link, and invalid LSA.

General troubleshooting commands:
- show ip ospf neighbor [interface-type interface-number] [neighbor-id] [detail]: Displays OSPF neighbor information on a per-interface basis.
- debug ip ospf packet: Each line shows the header of a received packet: v (version of OSPF), t (the OSPF packet type: 1 Hello, 2 DBD, 3 LSR, 4 LSU, 5 LSAck), l (packet length), rid (router ID), aid (area ID), chk (displays the checksum), aut (provides the authentication type: 0 null, 1 simple password, 2 MD5), auk (specifies the authentication key), keyid (displays the MD5 key ID), and seq (the MD5 sequence number).

BGP

BGP is the routing protocol used between autonomous systems. It enables routing policies and improves security over IGPs because every prefix can be filtered by policy and peers authenticate the session. BGP is often described as advanced distance vector; perhaps the most technically accurate description is path vector. Peers are configured manually and communicate over TCP; if both sides open a connection at the same time, only one session remains after the collision is resolved.


Common uses for BGP include the following: connecting a customer to one or more service providers (multihoming), and connecting service providers to each other. Peers can use an MD5 shared secret (neighbor ip-address password string) to authenticate the TCP session; keep in mind the password string must match on both routers.

Session Establishment

TCP port 179 is used. Keepalives are sent every 60 seconds, and the hold time defaults to 180 seconds. The show ip bgp summary command gives an overview of the session status; indications include Idle, Active, and Established, and only Established means routes are being exchanged. Only one BGP process is permitted per router. To configure your BGP neighbors, enter router bgp as-number and then neighbor ip-address remote-as as-number.

Route Processing

All routes received after the neighbor establishment are saved in memory, in the BGP table. Use the show ip bgp command to view all the routing information received from all neighbors. If more than one way to reach a destination exists, the BGP route-selection process picks one best path. The best BGP routes are copied into the IP routing table after the router checks administrative distance values against the other routing protocols (20 for eBGP, 200 for iBGP).

The BGP process injects local routes in two different ways: with the network command, or through redistribution from another routing protocol. The network command lists networks that are candidates if they appear in the routing table. If you use this command and auto-summarization is on (the default in older IOS releases), at least one of the subnets must be present in the forwarding table for the major network prefix to be advertised. If auto-summarization is disabled, an exact match is required in the forwarding table. You can use the mask keyword to specify a specific subnet with the network command. Although these are minor configuration differences, they change what is advertised.

The synchronization rule is a method that guarantees that a route is known to all routers within the AS, through the IGP, even if they are not running BGP. The synchronization check can be turned off and is off by default in current IOS versions (no synchronization). The next-hop field is updated with the address of the last eBGP peer; by contrast, it is not updated when iBGP is used, so the next hop must be reachable through the IGP or rewritten with neighbor next-hop-self. When you disable automatic summarization (no auto-summary), BGP advertises exactly the prefixes you configure.

If you would like to modify attributes before inserting prefixes into the BGP table, you can use a route map in the network command in router configuration mode: network prefix mask mask route-map name. To advertise routes based on route redistribution, examine the following sample command syntax: redistribute protocol [process-id] [route-map name]. One caveat here is that the routes have an origin code of incomplete (shown as ?), which makes them seem inferior to other routes per the BGP route-selection process. Notice the optional use of the distribute-list syntax (neighbor ip-address distribute-list access-list out) to suppress certain networks from being advertised in updates. Redistribution can be configured with a route map to reset the origin code or set other attributes.

Classless BGP

To manually announce a classless prefix, be sure to use the following router configuration command: network prefix mask mask. You should also consider creating a static route pointing to null0 to create a matching prefix in the IP forwarding table to ensure the subnet is advertised even while its component routes flap.

Aggregation in BGP

Use the following router configuration command to configure route summarization and suppress the advertising of individual networks: aggregate-address address mask [summary-only] [as-set]. Remember, at least one network of the summarized space must exist in the BGP table.

Regular Expressions

A string of characters in the regular expression matches any equivalent substring in the AS path: the pattern 29 also matches 129, 291, and 2929, for example, which is rarely what is intended. This is why the delimiters described next matter.

String matching alternatives: The vertical bar (|) separates alternatives. Brackets [ ] can be used for ranges of characters, and the period (.) matches any single character.

String matching delimiters: The caret (^) matches the beginning of the AS path, the dollar sign ($) matches the end, and the underscore (_) matches any delimiter: beginning, end, space, comma, brace, or parenthesis.

String matching grouping: Parentheses can group smaller expressions into larger expressions.

String matching special characters: A backslash escapes a special character so that it matches literally.

String matching repeating operators: The asterisk (*) matches zero or more occurrences of the preceding element, the plus sign (+) one or more, and the question mark (?) zero or one.

Here are some string matching examples: ^$ matches routes originated in the local AS; _65000$ matches routes originated in AS 65000; ^65000_ matches routes learned directly from AS 65000; _65000_ matches routes that pass through AS 65000 anywhere; .* matches everything.

Filtering

Routes selected enter the local BGP table when the selection is applied on the incoming routes from a neighbor; routes not selected are silently dropped. Routes selected, if an outbound filter is used, are transmitted to the neighbor when the selection is applied; routes not selected are used locally but are never sent to the neighbor.

The commands used to configure an AS path list are relatively simple. First, configure an AS path access list as follows in global configuration mode: ip as-path access-list number {permit | deny} regexp. Then, to set up a BGP filter, use the neighbor filter-list router configuration command: neighbor ip-address filter-list number {in | out}. As with any access list, an implicit deny ends the list.

Monitoring the use of regular expressions is critical. To display routes matching the AS path regular expression, use the show ip bgp regexp command. To display routes that conform to a specified filter list, use the show ip bgp filter-list command. To display a specific access list or all AS path access lists in the router, use the show ip as-path-access-list command.

Prefix Lists

Prefix lists are a powerful method to control the updates coming from other BGP-speaking routers: ip prefix-list name [seq number] {permit | deny} prefix/len [ge ge-value] [le le-value]. The exact match is assumed when neither ge nor le is specified. The range is assumed to be from ge-value to 32 only if the ge attribute is specified. The range is assumed to be from len to le-value only if the le attribute is specified. To filter BGP neighbor updates as specified in a prefix list, use neighbor ip-address prefix-list name {in | out}. To suppress networks from being advertised in updates with a standard access list instead, use neighbor ip-address distribute-list access-list out.

Outbound Route Filtering

The advertisement of the ORF capability indicates that a BGP-speaking router can accept a prefix list from a neighbor and apply the prefix list to locally configured ORFs, if any exist. When this capability is enabled, the neighbor uses the ORF prefix list previously negotiated to filter on the sending side, saving bandwidth and CPU on both ends. An ORF message contains the following information: the address family, the ORF type, the action (add, remove, or remove all), and the entries themselves, each with a sequence number, a match (permit or deny), a prefix, and the minimum and maximum prefix length.
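The AS-path regular-expression rules and the prefix-list ge/le semantics from the two sections above, as an added example that is not from the book: this Python is mine and reproduces the Cisco underscore delimiter and the implicit deny of both list types, then applies them to a constructed set of updates (the prefixes, AS numbers and list contents are invented for the illustration, not taken from any real table).

```python
"""BGP inbound filtering: Cisco-style AS-path regular expressions and prefix lists with ge/le."""
import ipaddress
import re
from typing import List, Tuple

# In IOS the underscore matches any delimiter: start, end, space, comma, brace or parenthesis.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_regex(pattern: str) -> "re.Pattern":
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """as_path is the space-separated list as shown by `show ip bgp`; '' for locally originated."""
    return cisco_regex(pattern).search(as_path) is not None


def as_path_access_list(entries: List[Tuple[str, str]], as_path: str) -> bool:
    """entries are (action, regexp) in sequence order; implicit deny at the end."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def prefix_list_entry_matches(entry: Tuple[str, str, int, int], route: str) -> bool:
    """entry = (action, 'prefix/len', ge, le), with ge/le set to None when absent."""
    _, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    rt = ipaddress.ip_network(route)
    if not rt.subnet_of(base):
        return False
    if ge is None and le is None:            # exact match
        return rt.prefixlen == base.prefixlen
    low = ge if ge is not None else base.prefixlen   # le only: from len to le-value
    high = le if le is not None else rt.max_prefixlen  # ge only: from ge-value to 32
    return low <= rt.prefixlen <= high


def prefix_list(entries: List[Tuple[str, str, int, int]], route: str) -> bool:
    for entry in entries:
        if prefix_list_entry_matches(entry, route):
            return entry[0] == "permit"
    return False                               # implicit deny


def filter_inbound(routes, as_list, pfx_list):
    """A route must pass both the filter-list and the prefix-list to enter the local BGP table."""
    return [r for r in routes
            if as_path_access_list(as_list, r["as_path"]) and prefix_list(pfx_list, r["prefix"])]


# Constructed updates from a transit neighbour in AS 65000 (not a real capture).
ROUTES = [
    {"prefix": "203.0.113.0/24", "as_path": "65000 65010"},
    {"prefix": "198.51.100.0/25", "as_path": "65000 65020 65010"},   # too specific for the Internet table
    {"prefix": "10.1.0.0/16", "as_path": "65000"},                    # private space, never accept
    {"prefix": "192.0.2.0/24", "as_path": "65000 65030 65020"},       # transits an AS we refuse
]
# ip as-path access-list 10 deny _65020_   /   permit ^65000_
AS_LIST = [("deny", "_65020_"), ("permit", "^65000_")]
# ip prefix-list TRANSIT-IN seq 5 deny 10.0.0.0/8 le 32   /   seq 10 permit 0.0.0.0/0 ge 8 le 24
PFX_LIST = [("deny", "10.0.0.0/8", None, 32), ("permit", "0.0.0.0/0", 8, 24)]

if __name__ == "__main__":
    for r in filter_inbound(ROUTES, AS_LIST, PFX_LIST):
        print(r)
```

The underscore translation is the whole point of the first half: without it, _65000_ written as a plain regex would also accept 165000 and 650001, exactly the substring problem the text warns about.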

Filtering with Route Maps

Route maps are also a powerful filtering tool. They can be used to accomplish the following tasks: filter routes based on prefix, AS path, or community; set attributes such as local preference, MED, weight, or community on the routes that match; and apply a different policy to each neighbor. The routing information must be permitted by the route map to be accepted: if the route map has no statement explicitly permitting a route, the route is dropped by the implicit deny at the end of the map. The syntax required is as follows, in router configuration mode: neighbor ip-address route-map name {in | out}. The show ip bgp route-map command displays selected routes from a BGP routing table based on the contents of a route map.

Applying Policy Changes

When you have completed the changes to filters and route maps applied on the outgoing information, use clear ip bgp ip-address soft out so the updates are resent without tearing down the session. When you have completed the changes to filters and route maps applied on incoming information, routers use the route refresh feature to ask the neighbor to resend all the routing information when needed (clear ip bgp ip-address soft in). The older alternative is neighbor ip-address soft-reconfiguration inbound: when you configure soft-reconfiguration inbound for a neighbor, the router keeps a copy of every route received from it, and this copy is taken before any filtering is applied by the router to the routes it receives, so it doubles the memory used for that neighbor.

BGP Attributes

Well-known mandatory attributes:
- AS Path: Sequence of AS numbers through which the route is accessible.
- Next-Hop: The IP address of the next hop toward the destination.
- Origin: How the route was injected into BGP (IGP, EGP, or incomplete).
Well-known discretionary attributes:
- Local Preference: Used for a consistent routing policy within an AS.
- Atomic Aggregate: Informs the neighbor AS that the originating router aggregated routes.
Optional transitive attributes: Aggregator and Community.
Optional nontransitive attributes: Multiexit Discriminator (MED), which suggests to the neighbor AS which entry point into the local AS to use.

Influencing Route Selection

To change the default local preference for all routes, use the following router configuration command: bgp default local-preference value. You should decide between the use of weight or local preference: weight is Cisco proprietary and significant only on the router where it is set, whereas local preference is propagated to all iBGP peers.

Using Weight

To assign a weight to a neighbor connection, use neighbor ip-address weight number. The default weight value is 0 for routes learned from a neighbor and 32768 for routes originated locally. Higher weights are preferred. You can also configure the router so that all incoming routes that match an AS filter receive the configured weight: neighbor ip-address filter-list number weight number.

Using Local Preference

You can use local preference to influence route selection within the local AS. The default local preference for iBGP and local routes is 100, and a higher value is preferred. You can apply local preference in the following ways: globally with bgp default local-preference, or selectively with set local-preference in an inbound route map. In that case, only the routes matched by the route map receive the new value.


A lower value of MED is more preferred. MED is not a mandatory attribute. The only exception is if the router is originating networks that have an exact match in the routing table through the network command or through redistribution. AS path prepending potentially enables the customer to influence the route selection of its service providers. You can use a route map to set MED on incoming or outgoing updates. To avoid conflicts with BGP loop-prevention mechanisms.

A router prefers a path with the smallest MED value but only if weight. Using the default-metric command in BGP configuration mode causes all redistributed networks to have the specified MED value. Because the AS paths sent over the unwanted link become longer than the AS path sent over the preferred path. You can configure manual manipulation of the AS path attribute prepending using a route map with the set as-path prepend command.

Use the set metric command within route-map configuration mode to set the MED attribute. When you use MED within a confederation to influence the route selection process, you must also configure the bgp bestpath med confed command, because MED is otherwise not compared between confederation sub-ASes.
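The decision steps described above (weight, then local preference, then AS path length, then MED, with MED compared only between paths from the same neighboring AS) are easiest to see by running them. The following is an added example, not code from the book or from Cisco: a simplified model of the IOS best-path algorithm covering only the steps this section discusses. The peer addresses, AS numbers (65001, 65002, 65100) and attribute values are constructed; the final tie-break on lowest neighbor address is a simplification of the real algorithm, which has further steps (origin, eBGP over iBGP, IGP metric, router ID) before that point.

```python
"""Simplified BGP best-path selection modelling the steps the text covers:
weight, local preference, AS path length, MED.  Added example; the real IOS
algorithm has more steps (origin, eBGP vs iBGP, IGP metric, router ID, ...)."""
from dataclasses import dataclass
from functools import reduce
from typing import List

DEFAULT_LOCAL_PREF = 100   # IOS default for iBGP-learned and local routes
WEIGHT_LEARNED = 0         # IOS default weight for routes learned from a peer
WEIGHT_LOCAL = 32768       # IOS default weight for locally originated routes


@dataclass
class BgpPath:
    neighbor: str              # peer address the path was learned from
    as_path: List[int]         # AS_PATH; first element is the neighbouring AS
    weight: int = WEIGHT_LEARNED
    local_pref: int = DEFAULT_LOCAL_PREF
    med: int = 0
    locally_originated: bool = False


def prepend_at_origin(path: BgpPath, asn: int, times: int) -> BgpPath:
    """Model the originating AS applying 'set as-path prepend asn asn ...' on
    one of its links: as seen by us, that path carries extra copies of its ASN."""
    return BgpPath(path.neighbor, path.as_path + [asn] * times,
                   path.weight, path.local_pref, path.med, path.locally_originated)


def _ip_key(addr: str):
    return tuple(int(octet) for octet in addr.split("."))


def prefer(a: BgpPath, b: BgpPath, always_compare_med: bool = False) -> BgpPath:
    """Return the better of two paths, applying the steps in IOS order."""
    if a.weight != b.weight:                          # 1. highest weight (local to this router)
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                  # 2. highest local preference (AS-wide)
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:  # 3. locally originated path wins
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):              # 4. shortest AS path (prepending acts here)
        return a if len(a.as_path) < len(b.as_path) else b
    # 5. lowest MED, but only between paths from the same neighbouring AS
    #    unless 'bgp always-compare-med' is configured
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]
    if (same_neighbor_as or always_compare_med) and a.med != b.med:
        return a if a.med < b.med else b
    # simplified final tie-break: lowest neighbour address
    return a if _ip_key(a.neighbor) <= _ip_key(b.neighbor) else b


def best_path(paths: List[BgpPath], always_compare_med: bool = False) -> BgpPath:
    return reduce(lambda x, y: prefer(x, y, always_compare_med), paths)


def demo() -> dict:
    """Constructed scenario: we are dual-homed to ISP A (AS 65001, peer
    192.0.2.1) and ISP B (AS 65002, peer 198.51.100.1); both reach AS 65100."""
    via_a = BgpPath("192.0.2.1", [65001, 65100])
    via_b = BgpPath("198.51.100.1", [65002, 65100])
    results = {}
    results["equal"] = best_path([via_a, via_b]).neighbor            # tie-break only
    # AS 65100 prepends itself twice toward ISP B: the path via B gets longer
    b_prep = prepend_at_origin(via_b, 65100, 2)
    results["prepend"] = best_path([via_a, b_prep]).neighbor         # A: shorter AS path
    # our inbound route map sets local-preference 200 on routes from B
    b_lp = BgpPath(b_prep.neighbor, b_prep.as_path, local_pref=200)
    results["local_pref"] = best_path([via_a, b_lp]).neighbor        # B: LP beats path length
    # 'neighbor 192.0.2.1 weight 500' on this router only
    a_w = BgpPath(via_a.neighbor, via_a.as_path, weight=500)
    results["weight"] = best_path([a_w, b_lp]).neighbor              # A: weight beats LP
    # two links into the same neighbouring AS: MED decides
    a1 = BgpPath("192.0.2.1", [65001, 65100], med=50)
    a2 = BgpPath("192.0.2.2", [65001, 65100], med=10)
    results["med"] = best_path([a1, a2]).neighbor                    # 192.0.2.2: lower MED
    # different neighbouring ASes: MED ignored unless always-compare-med
    c = BgpPath("198.51.100.1", [65002, 65100], med=5)
    results["med_ignored"] = best_path([a1, c]).neighbor             # 192.0.2.1 (tie-break)
    results["med_always"] = best_path([a1, c], True).neighbor        # 198.51.100.1
    return results


if __name__ == "__main__":
    for step, winner in demo().items():
        print(f"{step:12s} -> {winner}")
```

Note that prepending only helps when the competing paths are already equal on weight and local preference; a provider that sets a higher local preference on the "unwanted" link will ignore the longer path, which is why inbound influence through prepending is described above as potential rather than guaranteed.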

MD5 takes a message of arbitrary length as input and produces as output a 128-bit fingerprint, or message digest, of the input. Knowing there were possible weaknesses in the algorithm, another, more secure algorithm was needed. SHA-1 produces a 160-bit value, as opposed to MD5's 128-bit value. The number of possible values is much larger, which increases the strength of the integrity check. SHA-1 also has additional security measures built into the algorithm, such as the additional rounds of hashing it performs. Both algorithms are now considered broken for collision resistance (practical collisions have been published for MD5 since 2004 and for SHA-1 since 2017), so new designs should use the SHA-2 family, such as SHA-256, wherever the platform supports it.

If we have a 64-byte Ethernet frame and run it through the MD5 algorithm, we receive as output a 128-bit value. If we run the same frame through the algorithm again, we receive exactly the same 128-bit value.

For example, if we have a 64-byte Ethernet frame and run it through the SHA-1 algorithm, we receive as output a 160-bit value. Similar to MD5, if a single bit is modified, the output hash value is altered to depict the changed packet.

If someone modifies a single bit, however, the hash algorithm computes a 128-bit value that completely differs from the original hash. The 128-bit value is created irrespective of input packet size and is the same length for all packet sizes.

HMACs: Message digest algorithms on their own have a drawback. An attacker in the middle can intercept a message containing the packet and its hash value, create a new packet with a freshly calculated hash, and send it on to the destination.

Upon receiving the packet, the destination separates the data from the hash, runs the data through the hash algorithm, and compares the result with the received hash; because they match, the packet is considered valid even though it was altered. Hence, the process uses a secret value (the key), unknown to anyone else, to make sure that the man-in-the-middle attack cannot succeed.

The messages are thereby authenticated, and mechanisms that provide such integrity checks based on a secret key are called message authentication codes (MACs); when the MAC is built from a hash function, as here, it is a hashed MAC, or HMAC. The data, along with the shared secret key, is run through the hash algorithm to obtain the output message digest, which is appended to the data and sent to the peer.

Even if the data and the hash are modified in transit, the receiver, using its shared secret value, calculates a different hash and silently discards the received packet. The attacker cannot produce a valid digest for the altered data because he does not hold the key. (Implementations should compare the received and computed digests in constant time, so that the comparison itself does not leak how many bytes matched.)
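The two checks discussed above, a bare hash appended to the data and an HMAC computed with a shared key, behave differently against a man in the middle, and the difference is easiest to see by running both. The following is an added example, not code from the book: the 64-byte Ethernet-style frame and the shared key are constructed values, and the keyed tag uses HMAC-SHA256 rather than the MD5 or SHA-1 of the text because that is what a practitioner would deploy today. The unkeyed case deliberately uses SHA-1 to match the 160-bit example in the text.

```python
"""Hash-based integrity check with and without a key.  Added example (not from
the book); the frame and the key are constructed sample values."""
import hashlib
import hmac

# Constructed 64-byte Ethernet-style frame: dst MAC, src MAC, EtherType, padding
FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
         + bytes.fromhex("0800") + b"\x00" * 50)
assert len(FRAME) == 64
SECRET_KEY = b"constructed-shared-secret"   # known only to the two peers


def digest_bits(algo: str, data: bytes) -> int:
    """Digest length in bits; fixed per algorithm, independent of input size."""
    return hashlib.new(algo, data).digest_size * 8


def hash_hex(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (the 'single bit modified' case)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


# --- unkeyed check: packet = data || SHA1(data) ---------------------------
def send_unkeyed(data: bytes) -> bytes:
    return data + hashlib.sha1(data).digest()


def verify_unkeyed(packet: bytes):
    data, tag = packet[:-20], packet[-20:]
    ok = hmac.compare_digest(hashlib.sha1(data).digest(), tag)
    return ok, data


# --- keyed check (HMAC): packet = data || HMAC-SHA256(key, data) ----------
def send_keyed(key: bytes, data: bytes) -> bytes:
    return data + hmac.new(key, data, "sha256").digest()


def verify_keyed(key: bytes, packet: bytes):
    data, tag = packet[:-32], packet[-32:]
    # compare_digest is constant-time, so the check does not leak matching bytes
    ok = hmac.compare_digest(hmac.new(key, data, "sha256").digest(), tag)
    return ok, data


def forge(new_data: bytes, algo: str) -> bytes:
    """What a man in the middle can do: swap the data and append the best tag
    he can compute, a plain hash.  He knows the algorithm but not the key."""
    return new_data + hashlib.new(algo, new_data).digest()


def demo() -> dict:
    tampered = flip_bit(FRAME, 7 * 8)    # one bit of the source MAC flipped
    r = {
        "md5_bits": digest_bits("md5", FRAME),           # 128
        "sha1_bits": digest_bits("sha1", FRAME),         # 160
        "repeatable": hash_hex("md5", FRAME) == hash_hex("md5", FRAME),
        "avalanche": hash_hex("sha1", FRAME) != hash_hex("sha1", tampered),
    }
    # unkeyed: attacker's recomputed hash is accepted by the receiver
    r["unkeyed_accepts_forgery"] = verify_unkeyed(forge(tampered, "sha1"))[0]
    # keyed: genuine packet passes, forged packet (no key) is rejected
    r["keyed_accepts_genuine"] = verify_keyed(SECRET_KEY, send_keyed(SECRET_KEY, FRAME))[0]
    r["keyed_accepts_forgery"] = verify_keyed(SECRET_KEY, forge(tampered, "sha256"))[0]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

The receiver in the keyed case silently drops the forged packet exactly as the text describes; note that it does so whether the attacker appends a plain hash, as here, or an HMAC under a guessed key, since any tag not computed with SECRET_KEY fails the comparison.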

Symmetric key encryption implies an encryption method that uses a shared secret key to both encrypt and decrypt data. The output of the algorithm is cipher text, which is sent to the peer. The peer performs the same algorithm in reverse using the same key. Therefore, only a peer with the shared secret key can decrypt the data to its plain-text form.

Asymmetric key encryption implies an encryption method that uses two specially created, mathematically related keys. These keys have an interesting quality: what one key encrypts, the other key can decrypt. The same key cannot both encrypt and decrypt the same data.

In cryptography, a block cipher is a symmetric key cipher that operates on fixed-length groups of bits, termed blocks, with an unvarying transformation.

When encrypting, a block cipher might take, for example, a 128-bit block of plain text as input and output a corresponding 128-bit block of cipher text.

The exact transformation is controlled using a second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of cipher text together with the secret key and yields the original 128-bit block of plain text. To encrypt data longer than one block, the plain-text data is broken into block-sized pieces, and each piece is inserted into the cipher in turn.

DES and AES are symmetric key algorithms. Symmetric algorithms use the same shared secret key value to both encrypt plain text and decrypt the resulting cipher text.

Both parties share the exact same key. DES turns clear-text data into cipher text with an encryption algorithm. When the 56-bit DES key became too short to resist brute force, a completely new algorithm was out of the question as an immediate replacement, because DES was normally implemented in hardware. As a result, 3DES was created. It uses three 56-bit keys: in essence, the 3DES algorithm encrypts and decrypts data three times with three different keys, effectively creating a 168-bit key.


The receiving station decrypts the data from cipher text into clear text. The encryption key is a shared secret key used to both encrypt and decrypt messages. DES is a block cipher, which means that it performs its operations on fixed-length 64-bit blocks of data.

The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity and are thereafter discarded.

Hence, the effective key length is 56 bits, and it is usually quoted as such. Brute-force searches of the full 56-bit key space have been practical since the late 1990s, which is why single DES is no longer acceptable. In 3DES, three keys are used to encrypt data, resulting in a 168-bit encryption key (a meet-in-the-middle attack reduces its effective strength to about 112 bits, still far beyond single DES). The sending device encrypts the data with the first 56-bit key, decrypts the result with the second key, also 56 bits in length, and encrypts a final time with the third 56-bit key; this encrypt-decrypt-encrypt (EDE) sequence lets a 3DES device interoperate with single DES by setting all three keys equal. The receiving device reverses the sequence: it decrypts the data with the third key, then encrypts with the second key, and finally decrypts with the first key to recover the clear text.

AES uses key lengths of 128, 192, or 256 bits to encrypt 128-bit blocks. (The underlying Rijndael design also allows 192- and 256-bit blocks, but the AES standard fixes the block size at 128 bits.)
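The DES key parity rule and the 3DES encrypt-decrypt-encrypt sequence described above are shown below in runnable form. This is an added example, not code from the book or from any Cisco product: the eight-byte key values are constructed, and because a full DES implementation would not fit here, a small Feistel cipher keyed through SHA-256 stands in for the DES block function. The toy cipher is not DES and must never be used to protect real data; what the example demonstrates is the key layout (64 bits, 8 parity bits, 56 effective bits), that the receiver must reverse the three passes in the opposite order, and that 3DES with three equal keys collapses to a single pass. Blocks are chained in plain ECB only to show how a long message is split into block-sized pieces; real deployments use a mode with an IV such as CBC or GCM.

```python
"""DES key parity and the 3DES encrypt-decrypt-encrypt (EDE) construction,
shown on a toy Feistel cipher that stands in for DES.  Added example; the toy
cipher is NOT DES and is for illustration only."""
import hashlib

BLOCK_SIZE = 8   # DES operates on 64-bit blocks
ROUNDS = 16      # DES uses 16 Feistel rounds


def des_key_parity_ok(key: bytes) -> bool:
    """A DES key is 8 bytes; the low bit of each byte is an odd-parity bit."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def effective_56bit_key(key: bytes) -> int:
    """Drop the parity bit of every byte: 64 key bits -> 56 effective bits."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


# --- toy Feistel block cipher standing in for DES (same block size, same structure)
def _round_keys(key: bytes):
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def _f(half: bytes, round_key: bytes) -> bytes:
    return hashlib.sha256(round_key + half).digest()[:4]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def _feistel(block: bytes, round_keys) -> bytes:
    left, right = block[:4], block[4:]
    for rk in round_keys:
        left, right = right, _xor(left, _f(right, rk))
    return right + left   # final swap, as in DES


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _round_keys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel decryption is the same network with the round keys reversed
    return _feistel(block, list(reversed(_round_keys(key))))


# --- 3DES EDE: three keys, three passes ----------------------------------
def tdes_encrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def tdes_decrypt_block(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    # receiver reverses the order: decrypt with k3, encrypt with k2, decrypt with k1
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message splits into whole 8-byte blocks."""
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def tdes_encrypt(k1, k2, k3, data: bytes) -> bytes:
    # ECB chaining shown only to illustrate block splitting; use CBC/GCM in practice
    p = pad(data)
    return b"".join(tdes_encrypt_block(k1, k2, k3, p[i:i + 8]) for i in range(0, len(p), 8))


def tdes_decrypt(k1, k2, k3, data: bytes) -> bytes:
    p = b"".join(tdes_decrypt_block(k1, k2, k3, data[i:i + 8]) for i in range(0, len(data), 8))
    return unpad(p)


# Constructed keys; 0123456789abcdef is the classic DES test key with valid odd parity
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
K3 = bytes.fromhex("0123456789abcdef")[::-1]

if __name__ == "__main__":
    msg = b"3DES: encrypt, decrypt, encrypt"
    ct = tdes_encrypt(K1, K2, K3, msg)
    print(ct.hex())
    print(tdes_decrypt(K1, K2, K3, ct))
```

The `tdes_encrypt_block(k, k, k, block) == encrypt_block(k, block)` identity is the reason the EDE order was chosen over EEE: a 3DES device loaded with three identical keys talks to legacy single-DES hardware without any protocol change.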

AES can be implemented efficiently on a wide range of processors and in hardware, and it is the symmetric algorithm to prefer over DES and 3DES today.

Asymmetric algorithms use a pair of static keys that are completely different but mathematically bound to each other; what one key encrypts, the other key can decrypt. One key alone cannot both encrypt and decrypt the same data. We use this encryption method by keeping one key private and giving the other key to anyone on the public Internet. It does not matter who has our public key; it is useless without the private key. If R1 encrypts messages with its private key, any device that holds R1's public key, such as R2, can decrypt them; this proves the messages came from R1 but keeps nothing secret, which is the basis of a digital signature.

However, if R1's public key is used to encrypt messages sent to R1 from R2, even if a message is intercepted, only one device, R1, can decrypt it, because R1 has the matching private key. The main disadvantage of asymmetric algorithms is that they are slow. Common RSA key sizes are 2048 bits and above; 1024-bit keys were common for years but are no longer considered adequate. DSA is used in government installations and was created to work with the SHA-1 hash algorithm. DSA is roughly the same speed as RSA when creating signatures but 10 to 40 times slower when verifying signatures.

Because verification happens more frequently than creation, this issue is worth noting when deploying DSA in any environment.

Encryption: Peer X encrypts data with Peer Y's public key and sends it to Peer Y. Because only Peer Y has the corresponding private key, Peer Y can successfully decrypt the data.

Digital signatures: Peer X computes a hash of the data, encrypts that hash value with his private key, and sends the data together with the encrypted hash to Peer Y. Peer Y decrypts the signature with Peer X's public key, hashes the received data itself, and compares the two values; a match proves both that the data is unchanged and that it came from the holder of Peer X's private key.
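Both operations just described, encrypting to a peer's public key and signing by encrypting a hash with one's own private key, follow directly from the "what one key encrypts, the other decrypts" property, and textbook RSA shows it in a few lines. The following is an added example, not code from the book: the key pairs are built from fixed Mersenne primes (2^127-1, 2^521-1 for Peer Y and 2^107-1, 2^607-1 for Peer X) rather than random primes, and there is no padding, so it illustrates the mathematics only and is not usable as a real cryptosystem (real RSA needs random primes of at least 1024 bits each and OAEP or PSS padding). The message strings are constructed.

```python
"""Textbook RSA on fixed primes: public-key encryption to a peer and a digital
signature made by 'encrypting' a hash with the private key.  Added example for
illustration only: fixed primes, no padding, not a real cryptosystem."""
import hashlib

E = 65537   # standard public exponent

# Constructed key material: known Mersenne primes, so the example needs no RNG.
PEER_Y_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)
PEER_X_PRIMES = ((1 << 107) - 1, (1 << 607) - 1)


def make_keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def _int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def _bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def encrypt(public, message: bytes) -> int:
    """Encrypt with the peer's PUBLIC key; only the private key can undo it."""
    n, e = public
    m = _int(message)
    if m >= n:
        raise ValueError("message too large for modulus; use padding/blocks")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    return _bytes(pow(ciphertext, d, n))   # note: leading 0x00 bytes would be lost


def sign(private, message: bytes) -> int:
    """'Encrypt' the SHA-256 hash of the message with the PRIVATE key."""
    n, d = private
    return pow(_int(hashlib.sha256(message).digest()), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the PUBLIC key and compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == _int(hashlib.sha256(message).digest())


def demo() -> dict:
    y_pub, y_priv = make_keypair(*PEER_Y_PRIMES)
    x_pub, x_priv = make_keypair(*PEER_X_PRIMES)
    message = b"order 42: ship to site B"          # constructed message

    # Encryption: X encrypts to Y's public key; Y decrypts with its private key.
    ct = encrypt(y_pub, message)
    # Digital signature: X signs with its private key; Y verifies with X's public key.
    sig = sign(x_priv, message)
    return {
        "decrypt_ok": decrypt(y_priv, ct) == message,
        "signature_ok": verify(x_pub, message, sig),
        "tampered_rejected": not verify(x_pub, b"order 42: ship to site C", sig),
        "keypair_consistent": (y_pub[1] * y_priv[1]) % ((PEER_Y_PRIMES[0] - 1) * (PEER_Y_PRIMES[1] - 1)) == 1,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20s} {result}")
```

The verify step is where the DSA remark above matters in practice: with RSA and e = 65537, verification is a single short exponentiation, which is why RSA verification is so much cheaper than signing and why DSA's slower verification is a cost worth weighing when signatures are checked far more often than they are produced.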