Slides Module 4.0 - IP Services

The document discusses network protocols including NAT, PAT, DHCP, DNS, SNMP, SYSLOG, DHCP RELAY, NTP, QoS, SSH, FTP and TFTP. It provides details on configuring and using these protocols.

Uploaded by

Elton Scalon

CISCO CERTIFIED NETWORK ASSOCIATE
4.0 :: IP CONNECTIVITY
WHAT WILL WE COVER?
» NAT and PAT [CHAPTER 4.1]
» NTP [CHAPTER 4.2]
» DHCP and DNS [CHAPTER 4.3]
» SNMP [CHAPTER 4.4]
» SYSLOG [CHAPTER 4.5]
» DHCP RELAY [CHAPTER 4.6]
» QOS [CHAPTER 4.7]
» SSH (Covered in Module 5.0) [CHAPTER 4.8]
» FTP/TFTP [CHAPTER 4.9]
4.1 :: NAT AND PAT
4.1.a :: INTRODUCTION TO NETWORK ADDRESS TRANSLATION
4.1.b :: STATIC NAT
4.1.c :: DYNAMIC NAT
4.1.d :: PORT ADDRESS TRANSLATION
4.2 :: NTP
4.3 :: DHCP AND DNS
4.3.a :: DHCP
4.3.b :: DNS
4.4 :: SNMP
4.5 :: SYSLOG
4.6 :: DHCP RELAY
4.7.a :: INTRODUCTION TO QoS, Part I
4.7.b :: INTRODUCTION TO QoS, Part II
4.7.c :: CLASSIFICATION AND MARKING
4.7.d :: CONGESTION AVOIDANCE, POLICING & SHAPING
4.7.e :: CONGESTION MANAGEMENT
4.7.f :: CONGESTION AVOIDANCE PRE EMPTIVE QUEUE DROPS
4.8 :: SSH
CONFIGURE NETWORK DEVICES FOR
REMOTE ACCESS USING SSH

» SSH can use the same local login authentication method as Telnet, with the locally
configured username and password. (SSH cannot rely on a password only.) So, the configuration
to support local usernames for Telnet also enables local username authentication for
incoming SSH connections.
CONFIGURE NETWORK DEVICES FOR
REMOTE ACCESS USING SSH
» IOS uses the three SSH-specific configuration commands in the figure to create the SSH
encryption keys. The SSH server uses the fully qualified domain name (FQDN) of the switch
as input to create that key. The term FQDN combines the hostname of a host and its
domain name, in this case the hostname and domain name of the switch. The figure begins by
setting both values (just in case they are not already configured). Then the third command,
the crypto key generate rsa command, generates the SSH encryption keys.

» The configuration in the figure relies on two default settings that the figure therefore
conveniently ignores. IOS runs an SSH server by default. In addition, IOS allows SSH
connections into the vty lines by default.
CONFIGURE NETWORK DEVICES FOR
REMOTE ACCESS USING SSH
» SSH CONFIGURATION PROCESS TO MATCH FIGURE
CONFIGURE NETWORK DEVICES FOR
REMOTE ACCESS USING SSH
» To control which protocols a switch supports on its vty lines, use the
transport input {all | none | telnet | ssh} vty subcommand in vty mode, with the following
options:

• transport input all or transport input telnet ssh: Support both Telnet and SSH

• transport input none: Support neither

• transport input telnet: Support only Telnet

• transport input ssh: Support only SSH


CONFIGURE NETWORK DEVICES FOR
REMOTE ACCESS USING SSH
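hostname R1
ip domain-name CCNA.com
!
! Generate the RSA key pair used by the SSH server (uses the hostname and domain name above)
crypto key generate rsa modulus 1024
!
! Local account checked by "login local" on the vty lines
username kevin privilege 15 secret cisco
!
! Only the 10.1.1.0/24 subnet may open vty sessions; denied attempts are logged
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any log
!
line vty 0 15
 access-class 1 in
 login local
 transport input ssh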
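
A way to check a configuration like the one above for the settings this section covers (transport input, login local, access-class, RSA modulus). This is an added example, not part of the original slides; the function names, the 2048-bit threshold and the sample configuration are assumptions of the example.

```python
import re

MIN_RSA_BITS = 2048  # threshold assumed by this example; the slide's config uses 1024
# Constructed sample: the second vty range still accepts Telnet and has no access-class.
SAMPLE = """\
crypto key generate rsa modulus 1024
access-list 1 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def vty_blocks(config):  # yields (header, [indented subcommands]) per "line vty" block
    header, subs = None, []
    for line in config.splitlines():
        if line.startswith("line vty"):
            if header:
                yield header, subs
            header, subs = line.strip(), []
        elif header and line.startswith(" "):
            subs.append(line.strip())
        elif header:
            yield header, subs
            header, subs = None, []
    if header:
        yield header, subs

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"^crypto key generate rsa.*\bmodulus (\d+)", config, re.M)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append(f"rsa modulus {m.group(1)} below {MIN_RSA_BITS}")
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    for header, subs in vty_blocks(config):
        transport = [s for s in subs if s.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: not restricted to SSH only")
        if "login local" not in subs:
            findings.append(f"{header}: login local missing")
        acl = [s.split()[1] for s in subs if re.fullmatch(r"access-class \d+ in", s)]
        if not acl or acl[0] not in acls:
            findings.append(f"{header}: no inbound access-class bound to a defined ACL")
    return findings
```

Running audit(SAMPLE) reports the 1024-bit key and two problems on the vty 5 15 range, while vty 0 4 passes every check.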
4.9 :: TFTP/FTP
FTP IN THE NETWORK
» The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of
computer files between a client and server on a computer network.

» FTP is built on a client-server model architecture using separate control and data
connections between the client and the server. FTP users may authenticate themselves
with a clear-text sign-in protocol, normally in the form of a username and password, but
can connect anonymously if the server is configured to allow it. For secure transmission
that protects the username and password, and encrypts the content, FTP is often secured
with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

» FTP login uses a normal username and password scheme for granting access. The username
is sent to the server using the USER command, and the password is sent using the PASS
command. This sequence is unencrypted "on the wire", so it may be vulnerable to a network
sniffing attack.
FTP IN THE NETWORK
» For example, consider the simple network shown in the figure on the next slide. The FTP
server sits on the right, with the client on the left. The figure shows the syntax of an ACL
that matches the following:

• Packets that include a TCP header

• Packets sent from the client subnet

• Packets sent to the server subnet

• Packets with TCP destination port 21 (FTP server control port)
FTP IN THE NETWORK
» FILTERING PACKETS BASED ON DESTINATION PORT
TFTP IN THE NETWORK
» Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which
allows a client to get a file from or put a file onto a remote host. One of its primary uses is
in the early stages of nodes booting from a local area network. TFTP has been used for
this application because it is very simple to implement.

» TFTP was first standardized in 1981 and the current specification for the protocol can be
found in RFC 1350.

» TFTP is a simple protocol for transferring files, implemented on top of the UDP/IP
protocols using well-known port number 69. TFTP was designed to be small and easy to
implement, and therefore it lacks most of the advanced features offered by more robust
file transfer protocols. TFTP only reads and writes files from or to a remote server. It
cannot list, delete, or rename files or directories and it has no provisions for user
authentication. Today TFTP is generally only used on local area networks (LAN).
TFTP IN THE NETWORK
» You can use the CLI to upgrade the IOS image on an autonomous AP and convert it to
lightweight mode. You will also need a TFTP or FTP server along with the appropriate
lightweight code image. The process is simple—save the AP’s configuration, then use the
following command:

archive download-sw /overwrite /force-reload {tftp:|ftp:}//location/image-name

» The lightweight image will be downloaded such that it overwrites the current autonomous
IOS image, then the AP will reload and run the new image.
TFTP IN THE NETWORK

» One other DHCP server configuration setting is a value that can be passed to DHCP
clients: the IP address of a Trivial File Transfer Protocol (TFTP) server. TFTP servers
provide a basic means of storing files that can then be transferred to a client host. As it
turns out, Cisco IP phones rely on TFTP to retrieve several configuration files when the
phone initializes. DHCP plays a key role by supplying the IP address of the TFTP server
that the phones should use.

» Use the next-server ip-address command in DHCP pool configuration mode to define the
TFTP server IP address used by any hosts (like phones) that need a TFTP server.
TFTP IN THE NETWORK

» For Cisco phones, IP addresses can be assigned manually or by using DHCP. Devices also
require access to a TFTP server that contains device configuration name files (.cnf file
format), which enables the device to communicate with Cisco Call Manager.
TFTP IN THE NETWORK

» TFTP includes no login or access control mechanisms. Care must be taken when using
TFTP for file transfers where authentication, access control, confidentiality, or integrity
checking are needed. Note that those security services could be supplied above or below
the layer at which TFTP runs. Care must also be taken in the rights granted to a TFTP
server process so as not to violate the security of the server's file system. TFTP is often
installed with controls such that only files that have public read access are available via
TFTP. Also listing, deleting, renaming, and writing files via TFTP are typically disallowed.
TFTP file transfers are not recommended where the inherent protocol limitations could
raise insurmountable liability concerns.
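
The server-side controls described above (read-only service, only world-readable files, nothing outside the served directory), applied to an RFC 1350 request packet. This is an added example, not part of the original slides; the function names, the served-directory argument and the sample packet are assumptions of the example.

```python
import os, stat, struct

RRQ, WRQ = 1, 2  # read and write request opcodes from RFC 1350
SAMPLE_RRQ = b"\x00\x01phone.cnf\x00octet\x00"  # constructed request, hypothetical filename

def parse_request(packet: bytes):
    """Parse an RRQ/WRQ: 2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read/write request")
    parts = packet[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0]:
        raise ValueError("malformed request")
    return opcode, parts[0].decode("ascii"), parts[1].decode("ascii").lower()

def decide(packet: bytes, root: str) -> str:
    """Return 'allow' or 'deny: <reason>'. The request has no user or password
    field, so the decision can only rest on the operation and the file itself."""
    try:
        opcode, name, mode = parse_request(packet)
    except ValueError as exc:
        return f"deny: {exc}"
    if opcode == WRQ:
        return "deny: writes disabled"
    if mode not in ("netascii", "octet"):
        return "deny: unsupported mode"
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, path]) != root:
        return "deny: outside served directory"
    try:
        st = os.stat(path)
    except OSError:
        return "deny: not found"
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
        return "deny: not a world-readable file"
    return "allow"
```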
