Security Device Management
Dr. K. Ganesan
Professor – Higher Academic Grade
School of Information Technology and
Engineering, Vellore Institute of Technology,
Vellore – 632 014
kganesantifac@gmail.com
Phone : 6382203768
• What Firewall Software Does
• A firewall is a program or hardware device that filters the
information coming through the Internet connection into our
private network or computer system.
• If an incoming packet of information is flagged by the filters, it is
not allowed through.
• Let's say that we work at a company with 500 employees.
• The company will therefore have hundreds of computers that all
have network cards connecting them together.
• The company will also have one or more connections to the Internet.
• Without a firewall in place, all of those hundreds of computers are
directly accessible to anyone on the Internet.
• A person who knows what he or she is doing can probe those
computers using FTP and Telnet services.
• If one employee makes a mistake and leaves a security hole,
hackers can get to the machine and exploit the hole.
• A company can place a firewall at every connection to
the Internet to implement security rules.
• One of the security rules inside the company might be:
• Out of the 500 computers inside the company, only one
of them is permitted to receive public FTP traffic.
• Allow FTP connections only to that one computer and
prevent them on all other computers.
• A company can set up rules like this for FTP servers, Web
servers, Telnet servers and so on.
• In addition, the company can control how employees
connect to Web sites, whether files are allowed to leave
the company over the network and so on.
• A firewall gives a company tremendous control over how
people use the network.
• Firewalls use one or more of three methods to control traffic flowing in
and out of the network:
• Packet filtering
• Packets (small chunks of data) are analyzed against a set of filters.
• Packets that make it through the filters are sent to the requesting system
and all others are discarded.
• Proxy service
• Information from the Internet is retrieved by the firewall and then sent to
the requesting system and vice versa.
• Stateful inspection
• A newer method that doesn't examine the contents of each packet but
instead compares certain key parts of the packet to a database of trusted
information.
• Information traveling from inside the firewall to the outside is monitored
for specific defining characteristics, then incoming information is
compared to these characteristics.
• If the comparison yields a reasonable match, the information is allowed
through; otherwise it is discarded.
• Firewall Software Configuration
• Firewalls are customizable, which means that we can add or remove filters
based on several conditions.
• IP addresses
• Each machine on Internet is given a unique address called IP address.
• IP addresses are 32-bit numbers (IPv4), expressed as four "octets"
in a "dotted decimal number", say, 216.27.61.137.
• If an IP address outside the company is reading too many files from a
server, the firewall can block all traffic to or from that IP address.
• Domain names
• As it is hard to remember numbers that make up an IP address, and
because IP addresses sometimes need to change, all servers on the
Internet have human-readable names, called domain names.
• For example, it is easier to remember www.howstuffworks.com
than it is to remember 216.27.61.137.
• A company might block all access to certain domain names.
• Protocols
• The protocol is the pre-defined way that someone who wants
to use a service talks with that service.
• The "someone" could be a person, but more often it is a
computer program like a Web browser.
• Protocols are often text-based and simply describe how the client and
server will have their conversation: HTTP is the Web's protocol.
• Common protocols that we can set firewall filters for include:
• IP (Internet Protocol) - delivery system for info over Internet
• TCP (Transmission Control Protocol) - used to break apart and
rebuild information that travels over the Internet
• HTTP (Hyper Text Transfer Protocol) - used for Web pages
• FTP (File Transfer Protocol) - used to download, upload files
• UDP (User Datagram Protocol) - used for information that
requires no response, such as streaming audio and video
• ICMP (Internet Control Message Protocol) - used by a router to
exchange information with other routers
• SNMP (Simple Network Management Protocol) - used to collect
system information from a remote computer
• SMTP (Simple Mail Transfer Protocol) - used to send text-based
information (e-mail)
• Telnet /SSH- used to perform commands on a remote computer
• A company might set up only one or two machines to handle a
specific protocol and ban that protocol on all other machines.
• Ports
• A server makes its services available to the Internet using
numbered ports, one for each service available on the server.
• For example, if a server machine is running a Web (HTTP) server
and an FTP server, Web server would typically be available on
port 80, and the FTP server would be available on port 21.
• A company can block port 21 access on all machines but one inside the company.
• Specific words and phrases
• This can be anything. The firewall will sniff (search through) each
packet of information for an exact match of text listed in the filter.
• Instruct the firewall to block any packet with the word "X-rated" in it.
• The key here is that it has to be an exact match.
• The "X-rated" filter would not catch "X rated" (no hyphen).
• We can include many words, phrases, variations of them also.
• Some operating systems come with a firewall built in. Otherwise, a software
firewall can be installed on the computer that has the Internet connection.
• This computer is considered a gateway because it provides the only
point of access between our home network and the Internet.
• A hardware firewall typically comes with an Ethernet card and hub.
• Computers in our home network connect to the router, which in
turn is connected to either a cable or DSL modem.
• We configure the router via a Web-based interface that we reach
through the browser on our computer, and we can set any filters there.
• Why Firewall Security?
• There are many creative ways that unscrupulous people use to
access or abuse unprotected computers:
• Remote login
• Remote login is when someone is able to connect to our computer and control it.
• The intruder can then view or access our files and run programs on our computer.
• Application backdoors
• Some programs have special features that allow for remote access.
• Others contain bugs that provide a backdoor, or hidden access that
provides some level of control of the program.
• SMTP session hijacking
• SMTP is the most common method of sending e-mail over the Internet.
• By gaining access to a list of e-mail addresses, a person can send
unsolicited junk e-mail (spam) to thousands of users.
• This is done by redirecting the e-mail through the SMTP server of an
unsuspecting host, making the actual sender of the spam difficult to trace.
• Operating system bugs
• Like applications, some operating systems have backdoors.
• Others provide remote access with insufficient security controls or
have bugs that an experienced hacker can take advantage of.
• Denial of service
• Here the hacker sends a request to the server to connect to it.
• When the server responds with an acknowledgement and tries to
establish a session, it cannot find the system that made the
request.
• By inundating a server with these unanswerable session requests,
a hacker causes the server to slow to a crawl or eventually crash.
• E-mail bombs
• An e-mail bomb is usually a personal attack.
• Someone sends the same e-mail hundreds or thousands of times
until our e-mail system cannot accept any more messages.
• Macros
• Many applications allow us to create a script of commands that the
application can run (MS Office tools use macros).
• This script is known as a macro. Hackers have taken advantage of this to
create their own macros that, depending on the application, can
destroy our data or crash our computer.
• Viruses
• A virus is a small program that can copy itself to other computers.
• This way it can spread quickly from one system to the next.
• Viruses range from harmless messages to erasing all of our data.
• Spam
• Typically harmless but annoying, spam is the electronic equivalent of junk mail.
• Spam can be dangerous, though.
• Quite often it contains links to Web sites.
• One has to be careful of clicking on these because we may accidentally
accept a cookie (used in website hacking) that provides a backdoor to
our computer.
• Redirect bombs
• Hackers can use ICMP to change (redirect) the path that information
takes by sending it to a different router.
• This is one of ways a denial of service attack is set up.
• Source routing
• In most cases, the path a packet travels over the Internet (or
any other network) is determined by the routers along that
path.
• But the source providing the packet can arbitrarily specify
the route that the packet should travel (like we specify the
route to be followed while hiring a vehicle for a trip).
• Hackers sometimes take advantage of this to make
information appear to come from a trusted source or even
from inside the network.
• Most firewall products disable source routing by default.
• Security against unauthorized access or abuse
• Some of the items in the list above are hard to filter
using a firewall.
• While some firewalls offer virus protection, it is worth
the investment to install anti-virus software on each
computer.
• Some spam is going to get through our firewall as long
as we accept e-mail.
• The level of security we establish will determine how
many of these threats can be stopped by our firewall.
• The highest level of security would be to block everything, but that
defeats the purpose of having an Internet connection.
• A common rule of thumb is to block everything first, then
begin to select what types of traffic we will allow.
• We can also restrict traffic that travels through the
firewall so that only certain types of information,
such as e-mail, can get through.
• This is a good rule for businesses that have an
experienced network administrator who understands
what the needs are and knows exactly what traffic to
allow through.
• For most of us, it is better to work with the defaults
provided by the firewall developer unless there is a
specific reason to change them.
• One good thing about a firewall from a security standpoint
is that it stops anyone on the outside from logging
onto a computer in our private network.
• Proxy Servers and DMZ
• A function that is often combined with a firewall is a proxy server.
• The proxy server is used to access Web pages on behalf of
other computers.
• When a computer requests a Web page, it is retrieved by
the proxy server and then sent to the requesting computer.
• The effect of this action is that the remote computer hosting
the Web page never comes into direct contact with anything
on our home network, other than the proxy server.
• Proxy servers make our Internet access work more efficiently.
• If we access a Web page / site, it is cached on proxy server.
• This means that the next time we go back to that page, it
normally doesn't have to load again from the Web site.
• Instead it loads instantaneously from the proxy server.
• At times we may want remote users to have access to items on
our network. Some examples are:
• Web site
• Online business
• FTP download and upload area
• For this, we may want to create a DMZ (Demilitarized Zone).
• The DMZ is just an area that is outside the firewall.
• Think of the DMZ as the front yard of a house.
• It belongs to the owner, who may put things there, but anything
valuable is kept inside the house where it can be properly secured.
• Setting up a DMZ is very easy.
• If we have multiple computers, we can choose one of the
computers between the Internet connection and the firewall as
our DMZ.
• Most of the software firewalls allow us to designate a directory on
the gateway computer as a DMZ.
• Configuring a Simple Firewall
• The Cisco 1800 integrated services routers support network traffic
filtering by means of access lists.
• The router also supports packet inspection and dynamic temporary
access lists by means of Context-Based Access Control (CBAC).
• Basic traffic filtering is limited to configured access list
implementations that examine packets at the network layer or, at
most, the transport layer, permitting or denying the passage of each
packet through the firewall.
• However, the use of inspection rules in CBAC allows the creation and
use of dynamic temporary access lists.
• These dynamic lists allow temporary openings in the configured
access lists at firewall interfaces.
• These openings are created when traffic for a specified user session
exits the internal network through the firewall.
• The openings allow returning traffic for the specified session (that
would normally be blocked) back through the firewall.
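The temporary-opening behaviour described above can be modelled in a few lines. The following is an added example (not Cisco code and not part of the original slides): an outside interface whose static policy denies all inbound traffic, combined with a session table that records each session leaving the inside network and lets only the mirror image of such a session back in until it idles out. The addresses are constructed from documentation ranges and the 30-second idle timeout is an assumption.

```python
"""Stateful inspection with dynamic openings (added example, not Cisco code).

The static rule on the outside interface denies everything inbound. Each
session that leaves the inside network records a temporary opening; only the
returning half of that session is permitted back in, until the opening idles
out. Addresses are constructed (RFC 5737 ranges); the timeout is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout
        self.sessions = {}   # (proto, src, sport, dst, dport) -> time last seen

    def outbound(self, pkt: Packet, now: float) -> str:
        """Inside -> outside traffic is permitted and opens a return hole."""
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "permit"

    def inbound(self, pkt: Packet, now: float) -> str:
        """Outside -> inside traffic is permitted only as the reverse of a
        session the inside opened; everything else hits the static deny."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.sessions.get(key)
        if last is None:
            return "deny"                  # no session: the static ACL denies it
        if now - last > self.idle_timeout:
            del self.sessions[key]         # the opening has expired
            return "deny"
        self.sessions[key] = now           # refresh the opening
        return "permit"


def demo() -> list:
    """Walk one Telnet session through the firewall; returns the decisions."""
    fw = StatefulFirewall()
    inside, outside = "192.0.2.10", "198.51.100.23"   # constructed addresses
    out_syn = Packet("tcp", inside, 11109, outside, 23)
    reply = Packet("tcp", outside, 23, inside, 11109)
    unsolicited = Packet("tcp", outside, 23, inside, 11110)
    return [
        fw.outbound(out_syn, now=0.0),     # permit: opening created
        fw.inbound(reply, now=1.0),        # permit: matches the opening
        fw.inbound(unsolicited, now=1.0),  # deny: no session for port 11110
        fw.inbound(reply, now=60.0),       # deny: opening idled out
        fw.inbound(reply, now=61.0),       # deny: opening already removed
    ]
```

The point to notice is that the inbound decision never looks at the packet's contents, only at whether a session keyed by the reversed 5-tuple exists and is fresh, which is exactly why an unsolicited connection from the outside, even from a host we are talking to, is still dropped.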
The figure above (not reproduced in this text) shows a router with a firewall configured:
1. Multiple networked devices—Desktops, laptop PCs, switches
2. Fast Ethernet LAN interface (the inside interface for NAT)
3. PPPoE (Point-to-Point Protocol over Ethernet) client and
firewall implementation—Cisco 1811/1812 or Cisco
1801/1802/1803 series integrated services router, respectively
4. Point at which NAT (Network Address Translation) occurs
5. Protected network
6. Unprotected network
• In the configuration example that follows, the firewall is applied
to the outside WAN interface on the Cisco router and it
protects the Fast Ethernet LAN by filtering and inspecting all
traffic entering the router on the Fast Ethernet WAN interface.
• Access Control List (ACL) - Introduction
• An ACL is a set of rules that allow or deny specific traffic (in the case
of an extended ACL, traffic of selected hosts, services or devices)
moving through the router.
• It is a Layer 3 security control that governs the flow of traffic from
one router to another.
• It is also called a packet-filtering firewall.
• Two kinds of ACLs : Named (set of rules are identified by a
name) and Numbered (set of rules are identified by a number)
• Named ACLs can be edited.
• Both Named and Numbered ACLs are further classified as
Standard (has only basic kind of filtering) and Extended
• Standard Access List
• 1) The access-list number range is 1-99.
• 2) Can block a Network, Host (single system) and Subnet.
• 3) All services are blocked.
• 4) Implemented closest to the destination.
• 5) Filtering is done based on only the source IP address.
• Extended Access List
• 1) The access-list number range is 100-199.
• 2) We can allow or deny a Network, Host, Subnet and Service.
• 3) Selected services can be blocked (HTTP, FTP, ...).
• 4) Implemented closest to the source.
• 5) Filtering is done based on source IP, destination IP, protocol and port number.
• Implementing Standard ACL (Part – 1)
• Assume that we have 3 networks 192.168.1.0/24 (4 computers),
192.168.2.0/24 (2 computers) and 192.168.3.0/24 (2 computers).
• Let each of these networks be connected to a switch.
• Let each of these switches (SW1, SW2 and SW3) be connected to a
router.
• Hence we have 3 routers R1, R2 and R3, and they are interconnected.
• Task : Configure the appropriate router as per the rules given :
• 1) Deny the host 192.168.1.1 communicating with 192.168.2.0
• 2) Deny the host 192.168.1.2 communicating with 192.168.2.0
• 3) Deny the network 192.168.3.0 communicating with 192.168.2.0
• 4) Permit all the remaining traffic.
• Note : The above ACL rules should not affect the other
communication.
• Pre-requisite : Configure the router with any routing protocol - RIP,
OSPF or EIGRP.
Popular Routing Protocols
• Routing Information Protocol (RIP) is a dynamic routing protocol which
uses hop count as a routing metric to find the best path between the
source and the destination network.
• Open Shortest Path First (OSPF) is a link-state routing protocol that is used
to find the best path between the source and the destination router
using its own Shortest Path First (SPF) algorithm.
• The process ID (to be used with OSPF) is the ID of the OSPF process to
which the interface belongs.
• The process ID is local to the router, and two OSPF neighboring routers
can have different OSPF process IDs.
• Enhanced Interior Gateway Routing Protocol (EIGRP) is an interior
gateway protocol suited for many different topologies and media.
• In a well designed network, EIGRP scales well and provides extremely
quick convergence times with minimal network traffic.
• EIGRP uses an AS number to make sure it only talks to other EIGRP
speakers that are in the same AS (Autonomous System).
• Creation of Standard Access List (Part – 2)
• Router(config)#access-list <acl no> <permit/deny> <source
address> <source wildcard mask>
• Decide the following before writing the ACL:
• 1) On which Router to implement ACL
• 2) Identify Source and Destination
• 3) In/Out
• Note : The router on which we are implementing the ACL
must be the transit router.
• Think of our router as the destination and the incoming side as the source
• Carefully choose the source and destination
• Configure the Routing : Configure the Routers with some
routing protocol (RIP, EIGRP, OSPF)
• Implement the ACL rule on chosen Router
• Go to CLI of the chosen Router and use ? to implement the rule
syntax step by step.
• access-list ?
• access-list 15
• Choose deny or permit
• access-list 15 deny
• access-list 15 deny ?
• Specify the source address
• access-list 15 deny 192.168.1.1
• access-list 15 deny 192.168.1.1 ?
• Asks to specify the wildcard bits
• (The wildcard mask for a network is the inverse of its subnet mask; the
wildcard mask for a single host is always 0.0.0.0, or write host
192.168.1.1 instead)
• Note : use permit any as the last rule, because every access list ends
with an implicit deny.
• To verify the access list :
• show access-list
• show running-config
• Implementation of ACL on which interface?
• Implement the standard ACL on the interface which is nearest to the
destination on the LAN.
• Then Go to interface – say F0/0 on Router 2
• ip access-group 15 (here 15 is the ACL number)
• Understand IN / OUT
• In to the router
• Out of the router
• Rule of thumb :
• Traffic coming towards the router through the interface is "in"
• Traffic going away from the router through the interface is "out"
• Go to CLI : R-2(config)# int f0/0
• R-2(config-if)# ip access-group 15 out
• Extended ACL
• Task : Configure the Appropriate Router as per the rules given below :
• 1) The users on LAN 192.168.2.0 should not access the HTTP service on
192.168.1.3
• 2) The users on LAN 192.168.3.0 should not access the FTP service on
192.168.1.4
• 3) The user at 192.168.3.1 (on LAN 192.168.3.0) should not access the HTTP
service on 192.168.1.3
• 4) The users on LAN 192.168.2.0 should not get DNS service from the
DNS server 192.168.1.4
• 5) ICMP (ping / trace) messages between the hosts 192.168.3.2 and
192.168.1.2 should be denied.
• 6) The remaining hosts and services should be permitted.
• Note : The above ACL rules should not affect the other communication.
• Assume 192.168.1.3 is running as a HTTP Server. (Destination)
• Assume 192.168.1.4 is running as FTP Server and DNS Server.
(Destination)
• Implement rules on Router R1.
• The choice of source and destination does not matter as much here,
because in an extended ACL each rule carries both the source address
and the destination address (a standard ACL rule gives only the
source address)
• For extended ACL use access list number between 100 –
199.
• The Protocol Hierarchy :
• IP
– TCP (Category 1)
• HTTP, Telnet, FTP, SMTP (Services)
– UDP (Category 2)
• DNS, TFTP, DHCP, NNTP (Services)
– ICMP (Category 3) – Control Messages
• PING, TRACEROUTE (Services)
• Operators: eq( equal to), neq (not equal to), lt (less
than) and gt (greater than).
• Operator is to be followed by service to be
blocked /allowed.
• access-list 125 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www (or port number 80)
• access-list 125 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain (or port number 53)
• access-list 125 deny icmp host 192.168.3.2 host 192.168.1.2 echo (no operator used here)
• The remaining task rules follow the same pattern (completed here):
• access-list 125 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp (or port number 21)
• access-list 125 deny tcp host 192.168.3.1 host 192.168.1.3 eq www
• access-list 125 permit ip any any (must be the last rule; without it the implicit deny blocks all remaining traffic)
• show access-list (to see the rules)
• Let us implement this ACL on a chosen interface
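To make the matching semantics of the standard ACL (Part 1) and the extended ACL above concrete, here is an added example (not IOS code and not from the original slides) that parses access-list lines in the syntax used on this page and evaluates packets against them the way the text describes: Cisco wildcard masks (0.0.0.0 for a host, the inverse mask for a network), first match wins, and the implicit deny at the end of every list. The port-name and ICMP-type tables are a small assumed subset of the IOS keywords; ACL_15 and ACL_125 encode the two tasks in the text.

```python
"""Evaluator for the standard and extended ACLs above (added example, not IOS code).

Parses access-list lines in the syntax this page uses and applies them with
the semantics it describes: Cisco wildcard masks, first match wins, implicit
deny at the end. The name tables are a small subset of the IOS keywords.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port (tcp/udp)
    icmp_type: int = -1   # ICMP type (icmp)


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: Tuple[int, int]              # (base address, wildcard) as integers
    dst: Optional[Tuple[int, int]]    # None for a standard ACL entry
    op: Optional[str] = None          # eq / neq / lt / gt on the destination port
    port: Optional[int] = None
    icmp_type: Optional[int] = None


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: int, wildcard: int) -> bool:
    """A 1 bit in the wildcard means 'don't care': 0.0.0.0 is a single host,
    255.255.255.255 is any, and a /24 network uses the inverse mask 0.0.0.255."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def _parse_addr(tokens: list) -> Tuple[int, int]:
    """Consume one address spec: any | host A | A WILDCARD | A (bare A = host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    if tokens and tokens[0].count(".") == 3:        # an explicit wildcard follows
        return (_ip(tok), _ip(tokens.pop(0)))
    return (_ip(tok), 0)


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line (a trailing 'log' is ignored)."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:                           # standard list: source only
        return Entry(action, "ip", _parse_addr(rest), None)
    proto = rest.pop(0)                             # extended list
    src = _parse_addr(rest)
    entry = Entry(action, proto, src, _parse_addr(rest))
    if rest and rest[0] in ("eq", "neq", "lt", "gt"):
        entry.op = rest.pop(0)
        p = rest.pop(0)
        entry.port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    elif rest and proto == "icmp" and rest[0] in ICMP_TYPES:
        entry.icmp_type = ICMP_TYPES[rest.pop(0)]
    return entry


def matches(e: Entry, p: Packet) -> bool:
    """Does packet p match entry e on protocol, source, destination, type and port?"""
    if e.proto not in ("ip", p.proto) or not wildcard_match(p.src, *e.src):
        return False
    if e.dst is not None and not wildcard_match(p.dst, *e.dst):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return e.op is None or {"eq": p.dport == e.port, "neq": p.dport != e.port,
                            "lt": p.dport < e.port, "gt": p.dport > e.port}[e.op]


def evaluate(acl: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; ('deny', None) is the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, pkt):
            return (e.action, i)
    return ("deny", None)


# Standard ACL 15 of the Part-1 task (applied with 'ip access-group 15 out' on R2 f0/0)
ACL_15 = [parse_entry(l) for l in (
    "access-list 15 deny host 192.168.1.1",
    "access-list 15 deny host 192.168.1.2",
    "access-list 15 deny 192.168.3.0 0.0.0.255",
    "access-list 15 permit any",
)]
# Extended ACL 125 covering the six rules of the extended task
ACL_125 = [parse_entry(l) for l in (
    "access-list 125 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.3 eq www",
    "access-list 125 deny tcp 192.168.3.0 0.0.0.255 host 192.168.1.4 eq ftp",
    "access-list 125 deny tcp host 192.168.3.1 host 192.168.1.3 eq www",
    "access-list 125 deny udp 192.168.2.0 0.0.0.255 host 192.168.1.4 eq domain",
    "access-list 125 deny icmp host 192.168.3.2 host 192.168.1.2 echo",
    "access-list 125 permit ip any any",
)]
```

The index returned by evaluate plays the role of the per-entry hit counters that show access-list displays on the router: it tells us which rule actually decided a packet's fate. Dropping the final permit from ACL_125 and re-evaluating a packet that should be allowed shows the implicit deny in action, which is the usual cause of "too much traffic is denied".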
• Implementation of extended ACL
• Named ACL
• ACL Rules
• Configuration Example (example of extended
ACL)
• Firewall Limitations
• A firewall is a crucial component of securing our
network and is designed to address the issues of
data integrity or traffic authentication (via stateful
packet inspection) and confidentiality of our internal
network.
• Our network gains these benefits from a firewall by
receiving all transmitted traffic through the firewall.
• The firewalls do have the following limitations:
• A firewall cannot prevent users or attackers with
modems from dialing into or out of the internal
network, thus bypassing the firewall and its
protection completely.
• Firewalls cannot enforce our password policy or prevent misuse of
passwords.
• Our password policy is crucial because it outlines acceptable conduct and
sets the ramifications of noncompliance.
• Firewalls are ineffective against nontechnical security risks such as social
engineering.
• (In the context of information security, social engineering is
the psychological manipulation of people into performing actions or
divulging confidential information.
• An example of social engineering is the use of the "forgot password"
function on most websites that require a login.
• An improperly-secured password-recovery system can be used to grant a
malicious attacker full access to a user's account, while the original user
will lose access to the account.)
• Firewalls cannot stop internal users from accessing websites with
malicious code, making user education critical.
• Firewalls cannot protect us from poor decisions.
• Firewalls cannot protect us when our security policy is too lax.
• Troubleshooting CISCO IOS Firewall configurations
• In order to reverse (remove) an access list, put a "no" in front of the
access-group command in interface configuration mode:
• int <interface>
• no ip access-group # in|out
• If too much traffic is denied, study the logic of our list or try to define an
additional broader list, and then apply it instead.
• For example:
• access-list # permit tcp any any
• access-list # permit udp any any
• access-list # permit icmp any any
• int <interface>
• ip access-group # in|out
• The show ip access-lists command shows which access lists are applied and
what traffic is denied by them.
• Compare the denied packet count for the source and destination IP address
before and after the failed operation: if the access list is blocking the
traffic, this number increases.
• If the router is not heavily loaded, debugging can be done at a
packet level on the extended or ip inspect access list.
• If the router is heavily loaded, traffic is slowed through the router.
• Use discretion with debugging commands.
• Temporarily add no ip route-cache command to interface:
• int <interface>
• no ip route-cache
• Then, in enable (but not config) mode:
• term mon
• debug ip packet # det
• produces output similar to this:
• *Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
• *Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward
• Extended access lists can also be used with the "log" option at the end of the
various statements:
• access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
• access-list 101 permit ip any any
• We see messages on the screen for permitted and denied traffic:
• *Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
• *Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
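Comparing denied counts by hand across a screen full of these messages is error-prone, so here is an added example (not IOS code and not from the original slides) that parses %SEC-6-IPACCESSLOGP / IPACCESSLOGDP lines of the format shown above, totals the packet counts per list, action, source and destination, and reports the flows whose denied count grew between two captures. The sample lines are constructed after the page's messages; the unrelated %SYS-5-CONFIG_I line is included only to show that other syslog output is skipped.

```python
"""Parser for %SEC-6-IPACCESSLOG* messages (added example, not IOS code).

The 'log' keyword on an ACL entry makes IOS emit one syslog line per flow
carrying a packet count. These helpers total those counts per
(list, action, src, dst) so the counts before and after a failed operation
can be compared. Sample lines are constructed in the page's format.
"""
import re
from collections import defaultdict

# IPACCESSLOGP  : list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
# IPACCESSLOGDP : list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line: str):
    """Return the fields of one ACL log message, or None for unrelated syslog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines) -> dict:
    """Total packets per (list, action, src, dst) over many log lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def denied_increase(before, after) -> dict:
    """Flows whose denied count grew between two captures: the list is blocking them."""
    b, a = summarize(before), summarize(after)
    return {k: a[k] - b.get(k, 0) for k in a
            if k[1] == "denied" and a[k] > b.get(k, 0)}


# Constructed samples in the format of the messages shown on the page
BEFORE = [
    "*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets",
    "*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet",
]
AFTER = BEFORE + [
    "*Mar 1 03:29:02.118: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 4 packets",
    "*Mar 1 03:29:05.001: %SYS-5-CONFIG_I: Configured from console by vty0",   # unrelated, skipped
]
```

On a real router the lines would come from terminal monitor output or a syslog collector; feeding the two captures to denied_increase gives exactly the "did the denied count go up for this source/destination pair" answer the troubleshooting step asks for.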
• If the ip inspect list is suspect, the debug ip inspect <type_of_traffic>
command produces the output:
• Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223 seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)
• Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378 seq 3195751223(12) (10.31.1.5:11109) <= (12.34.56.79:23)
Troubleshooting Routers
• When a router isn’t functioning, steps to perform are:
• Physical Layer Stuff: Check power issues.
• Look for power lights, check plugs, and circuit breakers.
• Check the Interfaces: Use the command show ip interface brief or show
ipv6 interface brief to ensure that desired interfaces are up and
configured properly.
• Ping: Use ping and trace commands to check for connectivity.
• Check Routing Table: Use the show ip route or show ipv6 route command
to find out what the router knows.
• Is there either an explicit route to the remote network or a gateway of last
resort?
• Is there a Firewall on the Computer?
• If the problem involves a computer, check to ensure that its firewall is not
blocking packets.
• Sometimes there are computers at client locations with firewalls in
operation without the client’s knowledge.
• Any Access Lists? If the above steps don’t resolve the issue,
check for access-control lists that block traffic.
• There is an implicit “deny any” at the end of every access-
control list, so even if we don’t see a statement explicitly
denying traffic, it might be blocked by an implicit “deny any.”
• Is VPN Up? If a VPN is part of connection, check that it is up.
• Use the show crypto family of commands to check VPN
connections.
• With VPN connections, each end of the connection must mirror the
other.
• For example, even something as seemingly inconsequential as a
different timeout value or a different key lifetime can prevent a
connection.
• Do the Protocols Match? If we are trying to gain remote access
to a server, ensure that it supports the protocol we’re
attempting to use.
• If the router hasn’t been configured to support SSH and we
use default settings in PuTTY which call for SSH, we won’t be
connected.
• Admins sometimes change default port numbers: we expect to use
port 22 with SSH, but the admin may have configured a non-standard
port.
• Check for Human Error: User errors can also be the source of
problems.
• Check to ensure that correct usernames and passwords are
being used, that we and the admin on the other end of the
connection are using the same network addresses and
matching subnet masks.
• Often, by using the above steps, we can solve the problem.
• If that doesn’t do it, then proceed to more advanced show
and debug commands to isolate the problem.
• Router Troubleshooting Tools
• Using Router Diagnostic Commands
• Cisco routers provide numerous integrated commands to
assist us in monitoring and troubleshooting our
internetwork.
• The show commands help monitor installation behaviour
and normal network behaviour, as well as isolate problem
areas.
• The debug commands assist in the isolation of protocol and
configuration problems.
• The ping commands help determine connectivity between
devices on our network.
• The trace commands provide a method of determining the
route by which packets reach their destination from one
device to another.
• Using show Commands
• The show commands are powerful monitoring and
troubleshooting tools.
• We can use show commands to perform a variety of functions:
• Monitor router behaviour during initial installation
• Monitor normal network operation
• Isolate problem interfaces, nodes, media, or applications
• Determine when a network is congested
• Determine the status of servers, clients, or other neighbours
• Following are some of commonly used show commands:
• show interfaces—Use the show interfaces exec command to
display statistics for all interfaces configured on the router or
access server.
• The resulting output varies, depending on the network for
which an interface has been configured.
• Some of the frequently used show interfaces commands:
• — show interfaces ethernet
• — show interfaces tokenring
• — show interfaces fddi
• — show interfaces atm
• — show interfaces serial
• — show controllers—This command displays statistics for interface card
controllers.
• For example, show controllers mci command provides the following fields:
• MCI 0, controller type 1.1, microcode version 1.8
• 128 Kbytes of main memory, 4 Kbytes cache memory
• 22 system TX buffers, largest buffer size 1520
• Restarts: 0 line down, 0 hung output, 0 controller error
• Interface 0 is Ethernet0, station address 0000.0c00.d4a6
• 15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
• Transmitter delay is 0 microseconds
• … for other interfaces
• Some show controllers commands include the following:
• — show controllers token
• — show controllers FDDI
• — show controllers LEX
• — show controllers ethernet
• — show controllers E1
• — show controllers MCI
• — show controllers cxbus
• — show controllers t1
• — show running-config—Displays the router configuration currently
running
• — show startup-config—Displays the router configuration stored in
nonvolatile RAM (NVRAM)
• — show flash—Group of commands that display the layout and
contents of flash memory
• — show buffers—Displays statistics for the buffer pools on the router
• — show memory—Shows statistics about the router’s memory, including
free pool statistics
• — show processes—Displays information about the active processes on the
router
• — show stacks—Displays information about the stack utilization of processes
and interrupt routines, reason for the last system reboot
• (Some network switches have the ability to be connected to other switches
and operate together as a single unit.
• These configurations are called "stacks", and are useful for quickly increasing
the capacity of a network.)
• — show version—Displays the configuration of the system hardware, the
software version, the names and sources of configuration files, and the boot
images
• There are hundreds of other show commands available.
• Using debug Commands
• The debug privileged exec commands can provide a wealth of information
about the traffic being seen (or not seen) on an interface, error messages
generated by nodes on the network, protocol-specific diagnostic packets,
and other useful troubleshooting data.
• To access and list privileged exec commands, do the following tasks:
• Step 1 Enter the privileged exec mode:
• Router> enable
• Password: XXXXXX
• Router#
• Step 2 List privileged exec commands:
• Router# debug ?
• When we finish using a debug command, disable it with its
specific no debug command (or use the no debug all command to
turn off all debugging).
• Use debug commands to isolate problems, not to monitor normal
network operation.
• Because the high processor overhead of debug commands can
disrupt router operation, we should use them only when we are
looking for specific types of traffic or problems and have narrowed
our problems to a likely subset of causes.
• Output formats vary with each debug command.
• Some generate a single line of output per packet, and others
generate multiple lines of output per packet. Some generate lines of
text, others generate information in field format.
• Step 1 Use the no logging console global configuration command on our
router.
• This command disables all logging to the console terminal.
• Step 2 Telnet to a router port and enter the enable exec command.
• enable exec command will place router in the privileged exec mode.
• After entering the enable password, we will receive a prompt that
will consist of the router name with a # symbol.
• Step 3 Use the terminal monitor command to copy debug command
output and system error messages to our current terminal display.
• By redirecting output to our current terminal display, we can view
debug command output remotely, without being connected through
console port.
• Using Router Diagnostic Commands
• In many situations, using third-party diagnostic tools can be more
useful and less intrusive than using debug commands.
• Using the ping Command
• To check host reachability and network connectivity, use the
ping exec (user) or privileged exec command.
• After we log in to the router or access server, we are
automatically in user exec command mode.
• The exec commands available at the user level are a subset of
those available at the privileged level.
• In general, the user exec commands allow us to connect to
remote devices, change terminal settings on a temporary basis,
perform basic tests, and list system information.
• The ping command can be used to confirm basic network
connectivity on AppleTalk, ISO Connectionless Network Service
(CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.
• For IP, the ping command sends Internet Control Message
Protocol (ICMP) Echo messages.
• ICMP is the Internet protocol that reports errors and
provides information relevant to IP packet addressing.
• If a station receives an ICMP Echo message, it sends an ICMP
Echo Reply message back to the source.
• The extended command mode of the ping command
permits us to specify the supported IP header options.
• This allows router to perform extensive range of test options.
• To enter ping extended command mode, enter yes at the
extended commands prompt of the ping command.
• It is a good idea to use the ping command when the network
is functioning properly to see how the command works
under normal conditions and so we have something to
compare against when troubleshooting.
• Using the trace Command
• The trace user exec command discovers the routes that a
router’s packets follow when traveling to their destinations.
• The trace privileged exec command permits the supported IP
header options to be specified, allowing router to perform
extensive range of test options.
• The trace command works by using the error message
generated by routers when a datagram exceeds its time-to-
live (TTL) value.
• First, probe datagrams are sent with a TTL value of 1.
• This causes the first router to discard the probe datagrams
and send back “time exceeded” error messages.
• The trace command then sends several probes and displays
the round-trip time for each.
• After every third probe, the TTL is increased by one.
• Each outgoing packet can result in one of two error messages.
• A “time exceeded” error message indicates that an
intermediate router has seen and discarded the probe.
• A “port unreachable” error message indicates that the
destination node has received the probe and discarded it
because it could not deliver the packet to an application.
• If the timer goes off before a response comes in, trace prints
an asterisk (*).
• The trace command terminates when the destination
responds, when the maximum TTL is exceeded, or when the
user interrupts the trace with the escape sequence.
• As with ping, it is a good idea to use the trace command when
the network is functioning properly to see how the command
works under normal conditions and so we have something to
compare against when troubleshooting.