Build A Small Network

Uploaded by sofyankp mtm
Build a Small Network

Sunday, 11 March 2018

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Introduction:
Hamdan Hibatullah

BestPath-Network & Pondok Cyber

+62 8970030957

@HamdanH48

Hamdangt48@gmail.com

Agenda

1. Devices in a Small Network
2. Small Network Applications and Protocols
3. Scale to Larger Networks
4. Security Threats and Vulnerabilities
5. Network Attack
6. Network Attack Mitigation
7. Device Security
8. Basic Network Performance
9. Troubleshooting Methodologies
10. Troubleshooting Cables and Interfaces
11. Troubleshooting Scenarios
12. Q&A
Devices in a Small Network
• Cost
• Speed and Types of Ports/Interfaces
• Expandability
• Operating System Features and Services

Small Network Applications and Protocols

Source: http://blog.systoolsgroup.com/wp-content/uploads/2013/12/network.png

Scale to Larger Networks

• Network Documentation

• Device inventory

• Budget

• Traffic analysis

Security Threats and Vulnerabilities

• Information Theft

• Data Loss and Manipulation

• Identity Theft

• Disruption of Service

Security Threats and Vulnerabilities

• Hardware threats

• Environmental threats

• Electrical threats

• Maintenance threats

Network Attacks

Example: Network Attack Using Malware

Network Attack Mitigation

• Backup

• Upgrade

• Update

• Patch

Network Attack Mitigation (cont.)

Authentication, authorization, and accounting (AAA,
or “triple A”) network security services provide the
primary framework to set up access control on a
network device. AAA is a way to control who is
permitted to access a network (authenticate), what
they can do while they are there (authorize), and
what actions they perform while accessing the
network (accounting).

Network Attack Mitigation (cont.)

Firewall products use various techniques for
determining what is permitted or denied access to a
network. These techniques are:
• Packet filtering - Prevents or allows access based
on IP or MAC addresses
• Application filtering - Prevents or allows access
by specific application types based on port numbers
• URL filtering - Prevents or allows access to
websites based on specific URLs or keywords
• Stateful packet inspection (SPI) - Incoming
packets must be legitimate responses to requests
from internal hosts. Unsolicited packets are blocked
unless permitted specifically. SPI can also include
the capability to recognize and filter out specific
types of attacks, such as denial of service (DoS).
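
The stateful packet inspection rule above, as a small working model. This is an added example, not part of the original slides; the addresses, the INSIDE network and the class names are constructed for illustration, and real firewalls also track TCP connection state, which this sketch leaves out.

```python
# Added example: a minimal stateful packet inspection (SPI) table.
# The addresses, INSIDE network and class names are constructed for illustration.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")  # assumed internal LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout  # seconds a flow may stay silent
        self.flows = {}                   # flow key -> time last seen
        self.permitted = set()            # (proto, dport) explicitly allowed inbound

    def permit_inbound(self, proto, dport):
        self.permitted.add((proto, dport))

    def filter(self, pkt, now):
        """Return 'permit' or 'deny' for a packet seen at time `now` (seconds)."""
        if ipaddress.ip_address(pkt.src) in INSIDE:
            # Request from an internal host: remember the flow for its replies.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "permit"
        # Inbound packet: a legitimate reply mirrors a recorded request.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(key)
        if seen is not None and now - seen <= self.idle_timeout:
            self.flows[key] = now
            return "permit"
        self.flows.pop(key, None)  # drop an expired entry, if there was one
        # Unsolicited: blocked unless specifically permitted.
        return "permit" if (pkt.proto, pkt.dport) in self.permitted else "deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("192.168.1.10", 50000, "203.0.113.5", 443), 0))  # request
    print(fw.filter(Packet("203.0.113.5", 443, "192.168.1.10", 50000), 1))  # its reply
    print(fw.filter(Packet("203.0.113.9", 443, "192.168.1.10", 50000), 2))  # unsolicited
```

Plain packet filtering would need a standing rule to let the reply in; here the reply is admitted only because a matching outbound request was seen within the idle timeout.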

Network Attack Mitigation (cont.)

An endpoint, or host, is an individual computer
system or device that acts as a network client.
Common endpoints, as shown in the figure, are
laptops, desktops, servers, smartphones, and
tablets. Securing endpoint devices is one of the
most challenging jobs of a network administrator
because it involves human nature. A company must
have well-documented policies in place and
employees must be aware of these rules.
Employees need to be trained on proper use of the
network. Policies often include the use of antivirus
software and host intrusion prevention. More
comprehensive endpoint security solutions rely on
network access control.

Device Security
When a new operating system is installed on a
device, the security settings are set to the default
values. In most cases, this level of security is
inadequate. For Cisco routers, the Cisco
AutoSecure feature can be used to assist in securing
the system, as shown in the figure. In addition, there
are some simple steps that should be taken that
apply to most operating systems:
• Default usernames and passwords should be
changed immediately.
• Access to system resources should be restricted
to only the individuals that are authorized to use
those resources.
• Any unnecessary services and applications
should be turned off and uninstalled when
possible.

Device Security
Here are standard guidelines to follow:
• Use a password length of at least 8 characters, preferably
10 or more characters. A longer password is a better
password.
• Make passwords complex. Include a mix of uppercase and
lowercase letters, numbers, symbols, and spaces, if
allowed.
• Avoid passwords based on repetition, common dictionary
words, letter or number sequences, usernames, relative or
pet names, biographical information, such as birthdates, ID
numbers, ancestor names, or other easily identifiable
pieces of information.
• Deliberately misspell a password. For example, Smith =
Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly
compromised, the window of opportunity for the attacker to
use the password is limited.
• Do not write passwords down and leave them in obvious
places such as on the desk or monitor.

Device Security
• Strong passwords are only as useful as they are
secret. There are several steps that can be taken
to help ensure that passwords remain secret.
• Another way hackers learn passwords is simply
by brute-force attacks, trying multiple passwords
until one works. It is possible to prevent this type
of attack by blocking login attempts to the device
if a set number of failures occur within a specific
amount of time.
• Another recommendation is setting exec
timeouts. By setting the exec timeout, you are
telling the Cisco device to automatically
disconnect users on a line after they have been
idle for the duration of the exec timeout value.
Exec timeouts can be configured on console, VTY,
and aux ports using the exec-timeout command
in line configuration mode.
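
One way to check a saved device configuration for the controls described above (login blocking after repeated failures, exec timeouts on every line, and a minimum password length). This is an added example, not part of the original slides; SAMPLE_CONFIG is constructed, and the threshold of 8 characters is taken from the password guideline on the previous slide.

```python
# Added example: audit a Cisco IOS configuration for login-hardening settings.
# SAMPLE_CONFIG is constructed for illustration.
import re

SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 0 0
line vty 0 4
 login local
 transport input ssh
"""


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+", config, re.M):
        findings.append("no 'login block-for': repeated failed logins are not blocked")
    m = re.search(r"^security passwords min-length (\d+)", config, re.M)
    if not m or int(m.group(1)) < 8:
        findings.append("minimum password length is not set to at least 8")
    # Group the indented sub-commands under each 'line ...' section.
    current, lines = None, {}
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            lines[current] = []
        elif current and raw.startswith(" "):
            lines[current].append(raw.strip())
        else:
            current = None
    for name, cmds in lines.items():
        timeout = next((c for c in cmds if "exec-timeout" in c), None)
        if timeout is None:
            findings.append(f"{name}: no explicit exec-timeout, relies on the IOS default")
        elif timeout in ("exec-timeout 0 0", "no exec-timeout"):
            findings.append(f"{name}: idle timeout is disabled ({timeout})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A value of `exec-timeout 0 0` is worth flagging separately because it turns the idle disconnect off entirely rather than merely lengthening it.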

Basic Network Performance

CDP provides the following information about each CDP neighbor
device:
• Device identifiers - For example, the configured host name of
a switch
• Address list - Up to one network layer address for each
protocol supported
• Port identifier - The name of the local and remote port in the
form of an ASCII character string, such as FastEthernet 0/0
• Capabilities list - For example, whether this device is a router
or a switch
• Platform - The hardware platform of the device; for example, a
Cisco 1841 series router
The show cdp neighbors detail command reveals the IP
address of a neighboring device. CDP will reveal the neighbor's
IP address regardless of whether or not you can ping that
neighbor. This command is very helpful when two Cisco routers
cannot route across their shared data link. The show cdp
neighbors detail command will help determine if one of the CDP
neighbors has an IP configuration error.

Basic Network Performance

Verifying Router Interfaces


• One of the most frequently used commands is the
show ip interface brief command. This
command provides a more abbreviated output
than the show ip interface command. It provides
a summary of the key information for all the
network interfaces on a router.

Basic Network Performance

• IOS processes, protocols, mechanisms and events
generate messages to communicate their status. These
messages can provide valuable information when
troubleshooting or verifying system operations. The IOS
debug command allows the administrator to display these
messages in real-time for analysis. It is a very important
tool for monitoring events on a Cisco IOS device.
• All debug commands are entered in privileged EXEC
mode. The Cisco IOS allows for narrowing the output of
debug to include only the relevant feature or sub-feature.
This is important because debugging output is assigned
high priority in the CPU process and it can render the
system unusable. For this reason, use debug commands
only to troubleshoot specific problems. To monitor the
status of ICMP messages in a Cisco router, use debug ip
icmp, as shown in the figure.
• To list a brief description of all the debugging command
options, use the debug ? command in privileged EXEC
mode at the command line.

Troubleshooting Methodologies
Basic Troubleshooting Approaches
• Network problems can be simple or complex, and can
result from a combination of hardware, software, and
connectivity issues. Technicians must be able to analyze
the problem and determine the cause of the error before
they can resolve the network issue. This process is called
troubleshooting.
• A common and efficient troubleshooting methodology is
based on the scientific method and can be broken into
the six main steps shown in the figure.
• To assess the problem, determine how many devices on
the network are experiencing the problem. If there is a
problem with one device on the network, start the
troubleshooting process at that device. If there is a
problem with all devices on the network, start the
troubleshooting process at the device where all other
devices are connected. You should develop a logical and
consistent method for diagnosing network problems by
eliminating one problem at a time.

Troubleshooting Methodologies

• If a ping is successful, as shown in Figure 1, it is
safe to conclude packets are being routed from
source to destination.
• Note: A failed ping usually does not provide
enough information to draw any conclusions. It
could be the result of an ACL or firewall blocking
ICMP packets, or the destination device may be
configured to not respond to pings. A failed ping is
usually an indication that further investigation is
required.

Troubleshooting Methodologies

• The traceroute command, as shown in Figure 2,
is useful for displaying the path that packets are
using to reach a destination. While output from
the ping command shows whether a packet has
arrived at the destination, output from the
traceroute command shows what path it took to
get there, or where the packet was stopped along
the path.

Troubleshooting Methodologies

The figure displays the output of a show ip interface brief
command. Notice that the two interfaces configured
with IPv4 addresses are both “up” and “up”. These
interfaces can send and receive traffic. The other
three interfaces have no IPv4 addressing and are
administratively down.

Troubleshooting Cables And Interfaces

Duplex Operation
In data communications, duplex refers to the
direction of data transmission between two devices.
If the communications are restricted to the exchange
of data in one direction at a time, this connection is
called half-duplex. Full-duplex allows the sending
and receiving of data to happen simultaneously.

Troubleshooting Cables And Interfaces

Duplex Mismatch
Duplex mismatches may be difficult to troubleshoot
as the communication between devices still occurs.
A duplex mismatch may not become apparent even
when using tools such as ping. Single small packets
may fail to reveal a duplex mismatch problem. A
terminal session which sends data slowly (in very
short bursts) could also communicate successfully
through a duplex mismatch. Even when either end
of the connection attempts to send any significant
amount of data and the link performance drops
considerably, the cause may not be readily apparent
because the network is otherwise operational.

Troubleshooting Scenarios

IP Addressing Issues on IOS Devices


IP address-related problems will likely keep remote
network devices from communicating. Because IP
addresses are hierarchical, any IP address assigned
to a network device must conform to that network’s
range of addresses. Wrongly assigned IP addresses
create a variety of issues, including IP address
conflicts and routing problems.

Troubleshooting Scenarios

IP Addressing Issues on End Devices


• In Windows-based machines, when the device
cannot contact a DHCP server, Windows will
automatically assign an address belonging to the
169.254.0.0/16 range. This process is designed to
facilitate communication within the local network.
Think of it as Windows saying “I will use this
address from the 169.254.0.0/16 range because I
could not get any other address”. More often than
not, a computer with a 169.254.0.0/16 address will not be
able to communicate with other devices in the
network because those devices will most likely not
belong to the 169.254.0.0/16 network. This situation
indicates an automatic IPv4 address assignment
problem that should be fixed.
Note: Other operating systems, such as Linux and OS X,
will not assign an IPv4 address to the network
interface if communication with a DHCP server fails.

Troubleshooting Scenarios

• Troubleshooting DNS Issues

Domain Name Service (DNS) defines an automated
service that matches names, such as
www.cisco.com, with the IP address. While DNS
resolution is not crucial to device communication, it
is very important to the end user.

Thank you.
