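Book Introduction

CCIE Lab Guide: Security (English Edition)
  • Author: Mason, A. (USA), et al.
  • Publisher: Beijing: Posts & Telecom Press (人民邮电出版社)
  • ISBN: 7115127255
  • Publication date: 2004
  • Listed page count: 1071 pages
  • File size: 98 MB
  • File page count: 1104 pages
  • Subject terms: Computer networks - Engineering and technical personnel - Qualification examination - Self-study reference materials - English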


Table of Contents

Part Ⅰ The CCIE Program and Your Lab Environment

Chapter 1 The CCIE Security Program

The Cisco CCIE Program

The CCIE Security Exam

Qualification Exam

Lab Exam

Summary

Chapter 2 Building a CCIE Mind-Set

What It Takes to Become a CCIE

Developing Proper Study Habits

Good Study Habits

Common Study Traps

Lab Experience Versus Real-World Experience

Summary

Chapter 3 Building the Test Laboratory

Study Time on a Lab

Work-Based Study Lab

Home-Based Study Lab

Remote Lab

Planning Your Home Lab

Sourcing the Lab Equipment

Windows-based Products and UNIX

Designing Your Practice Lab for This Book

Summary

Part Ⅱ Connectivity

Chapter 4 Layer 2 and Layer 3 Switching and LAN Connectivity

Catalyst Operating System

Switching Overview

Switching Technologies

Transparent Bridging

Spanning Tree Overview

Bridge Protocol Data Unit

Election Process

Spanning-Tree Interface States

Spanning-Tree Address Management

STP and IEEE 802.1q Trunks

VLAN-Bridge STP

STP and Redundant Connectivity

Accelerated Aging to Retain Connectivity

RSTP and MSTP

Layer 3 Switching Overview

Virtual LAN Overview

Assigning or Modifying VLANs

Deleting VLANs

Configuring Extended-Range VLANs

VLAN Trunking Protocol Overview

The VTP Domain

VTP Modes

VTP Passwords

VTP Advertisements

VTP Version 2

VTP Pruning

VTP Configuration Guidelines

Displaying VTP

Switch Interface Overview

Access Ports

Trunk Ports

Routed Ports

EtherChannel Overview

Port-Channel Interfaces

Understanding the Port Aggregation Protocol

EtherChannel Load Balancing and Forwarding Methods

EtherChannel Configuration Guidelines

Creating Layer 2 EtherChannels

Optional Configuration Items

BPDU Guard

BPDU Filtering

UplinkFast

BackboneFast

Loop Guard

Switched Port Analyzer Overview

SPAN Session

Configuring SPAN

Basic Catalyst 3550 Switch Configuration

Case Study 4-1: Basic Network Connectivity

Case Study 4-2: Configuring Interfaces

Case Study 4-3: Configuring PortFast

Case Study 4-4: Creating a Layer 2 EtherChannel

Case Study 4-5: Creating Trunks

Case Study 4-6: Configuring Layer 3 EtherChannels

Case Study 4-7: EtherChannel Load Balancing

Case Study 4-8: Configuring a Routed Port

Case Study 4-9: Configuring SPAN

Summary

Review Questions

FAQs

Chapter 5 Frame Relay Connectivity

Frame Relay Overview

Frame Relay Devices

Frame Relay Topologies

Star Topologies

Fully Meshed Topologies

Partially Meshed Topologies

Frame Relay Subinterfaces

Frame Relay Virtual Circuits

Switched Virtual Circuits

Permanent Virtual Circuits

Frame Relay Signaling

LMI Frame Format

LMI Timers

LMI Autosense

Network-to-Network Interface

User-Network Interface

Congestion-Control Mechanisms

Frame Relay Discard Eligibility

DLCI Priority Levels

Frame Relay Error Checking

Frame Relay ForeSight

Frame Relay Congestion Notification Methods

Frame Relay End-to-End Keepalives

Configuring Frame Relay

Case Study 5-1: Configuring Frame Relay

Case Study 5-2: Configuring Frame Relay SVCs

Case Study 5-3: Frame Relay Traffic Shaping

Creating a Broadcast Queue for an Interface

Transparent Bridging and Frame Relay

Configuring a Backup Interface for a Subinterface

TCP/IP Header Compression

Configuring an Individual IP Map for TCP/IP Header Compression

Configuring an Interface for TCP/IP Header Compression

Disabling TCP/IP Header Compression

Troubleshooting Frame Relay Connectivity

The show frame-relay lmi Command

The show frame-relay pvc Command

The show frame-relay map Command

The debug frame-relay lmi Command

Summary

Review Questions

FAQs

Chapter 6 ISDN Connectivity

ISDN Overview

ISDN Standards Support

ISDN Digital Channels

ISDN Terminal Equipment and Network Termination Devices

Reference Points

ISDN Layers and Call Stages

Point-to-Point Protocol (PPP) Overview

Link Control Protocol (LCP)

Network Control Protocol (NCP)

Dial-on-Demand Routing (DDR) Overview

Configuring ISDN

Lesson 6-1: Beginning ISDN Configuration

Lesson 6-2: Configuring DDR

Lesson 6-3: Routing Over ISDN

Lesson 6-4: Configuring the Interface and Backup Interface

Lesson 6-5: Configuring PPP Options

Lesson 6-6: Configuring Advanced Options

Lesson 6-7: Monitoring and Troubleshooting ISDN

Summary

Review Questions

FAQs

Chapter 7 ATM Connectivity

ATM Overview

Configuring ATM

Lesson 7-1: RFC 2684: Multiprotocol Encapsulation over AAL5

Lesson 7-2: RFC 2225: Classical IP and ARP over ATM

Summary

Review Questions

FAQs

Part Ⅲ IP Routing

Chapter 8 RIP

RIP Structure

Routing Updates and Timers

Routing Metric

Split-Horizon Issues

RIP and Default Routes

RIPv1 Versus RIPv2

Configuring RIP

Case Study 8-1: Basic RIP Configuration

Case Study 8-2: RIPv1 over Router to PIX 5.2 Connection

Case Study 8-3: RIPv2 over Router to PIX 6.2 Connection with Authentication

Lesson 8-1: Advanced RIP Configuration

Summary

Review Questions

FAQs

Chapter 9 EIGRP

An EIGRP Overview

Configuring EIGRP

Lesson 9-1: Configuring Simple EIGRP

EIGRP Building Blocks

Packet Formats

EIGRP Tables

Feasible Successors

Route States

Route Tagging

IGRP and EIGRP Interoperability

An Example of DUAL in Action

Configuring EIGRP Options

Lesson 9-2: Adding a WAN Connection

Lesson 9-3: Logging Neighbor Adjacency Changes

Lesson 9-4: Disabling Route Summarization

Lesson 9-5: Configuring Manual Route Summarization

Lesson 9-6: Configuring Default Routing

Lesson 9-7: Controlling EIGRP Routes

Lesson 9-8: Redistributing EIGRP with Route Controls

Lesson 9-9: Configuring EIGRP Route Authentication

Lesson 9-10: Configuring EIGRP Stub Routing

Lesson 9-11: Configuring EIGRP Over GRE Tunnels

Lesson 9-12: Disabling EIGRP Split Horizon

Troubleshooting EIGRP

Summary

Review Questions

FAQs

Chapter 10 OSPF

Configuring OSPF

Case Study 10-1: Basic OSPF Configuration

Case Study 10-2: OSPF and Route Summarization

Case Study 10-3: OSPF Filtering

Case Study 10-4: OSPF and Non-IP Traffic over GRE

Monitoring and Maintaining OSPF

Verifying OSPF ABR Type 3 LSA Filtering

Displaying OSPF Update Packet Pacing

Summary

Review Questions

FAQs

Chapter 11 IS-IS

Integrated IS-IS Overview

Configuring IS-IS

Case Study 11-1: Configuring IS-IS for IP

IS-IS Building Blocks

The IS-IS State Machine

The Receive Process

The Update Process

The Decision Process

The Forward Process

Pseudonodes

IS-IS Addressing

The Simplified NSAP Format

Addressing Requirements

Limiting LSP Flooding

Blocking Flooding on Specific Interfaces

Configuring Mesh Groups

Generating a Default Route

Route Redistribution

Setting IS-IS Optional Parameters

Setting the Advertised Hello Interval

Setting the Advertised CSNP Interval

Setting the Retransmission Interval

Setting the LSP Transmission Interval

Configuring IS-IS Authentication

Case Study 11-2: IS-IS Authentication

Authentication Problems

Using show and debug Commands

Monitoring IS-IS

Debugging IS-IS

Summary

Review Questions

FAQs

Chapter 12 BGP

Understanding BGP Concepts

Autonomous Systems

BGP Functionality

EBGP and IBGP

BGP Updates

Configuring BGP

Case Study 12-1: Single-Homed Autonomous System Setup

Case Study 12-2: Transit Autonomous System Setup

Case Study 12-3: BGP Confederations

Case Study 12-4: BGP Over a Firewall with a Private Autonomous System

Case Study 12-5: BGP Through a Firewall with Prepend

Summary

Review Questions

FAQ

Chapter 13 Redistribution

Metrics

Administrative Distance

Classless and Classful Capabilities

Avoiding Problems Due to Redistribution

Configuring Redistribution of Routing Information

Redistributing Connected Networks into OSPF

Lesson 13-1: Redistributing OSPF into Border Gateway Protocol

Lesson 13-2: Redistributing OSPF Not-So-Stubby Area External Routes into BGP

Lesson 13-3: Redistributing Routes Between OSPF and RIP Version 1

Lesson 13-4: Redistributing Between Two EIGRP Autonomous Systems

Lesson 13-5: Redistributing Routes Between EIGRP and IGRP in Two Different Autonomous Systems

Lesson 13-6: Redistributing Routes Between EIGRP and IGRP in the Same Autonomous System

Redistributing Routes to and from Other Protocols from EIGRP

Lesson 13-7: Redistributing Static Routes to Interfaces with EIGRP

Lesson 13-8: Redistributing Directly Connected Networks

Lesson 13-9: Filtering Routing Information

Summary

Review Questions

FAQs

Part Ⅳ Security Practices

Chapter 14 Security Primer

Important Security Acronyms

White Hats Versus Black Hats

Cisco Security Implementations

Cisco IOS Security Overview

CatalystOS Security Overview

VPN Overview

AAA Overview

IDS Fundamentals

Summary

Review Questions

FAQs

Chapter 15 Basic Cisco IOS Software and Catalyst 3550 Series Security

Cisco IOS Software Security

Network Time Protocol Security

HTTP Server Security

Password Management

Access Lists

Secure Shell

Basic IOS Security Configuration

Lesson 15-1: Configuring Passwords, Privileges, and Logins

Lesson 15-2: Disabling Services

Lesson 15-3: Setting up a Secure HTTP Server

Case Study 15-1: Secure NTP Configuration

Case Study 15-2: Configuring SSH

Catalyst 3550 Security

Lesson 15-4: Port-Based Traffic Control

Summary

Review Questions

FAQs

Chapter 16 Access Control Lists

Overview of Access Control Lists

Where to Configure an ACL

When to Configure an ACL

ACLs on the IOS Router and the Catalyst 3550 Switch

Basic ACLs

Advanced ACLs

Time-of-Day ACLs

Lock-and-Key ACLs

Why You Should Use Lock-and-Key

When You Should Use Lock-and-Key

Source-Address Spoofing and Lock-and-Key

Lock-and-Key Configuration Tips

Verifying Lock-and-Key Configuration

Maintaining Lock-and-Key

Manually Deleting Dynamic Access List Entries

Reflexive ACLs

Reflexive ACL Benefits and Restrictions

Reflexive ACL Design Considerations

Router ACLs

Port ACLs

VLAN Maps

Using VLAN Maps with Router ACLs

Fragmented and Unfragmented Traffic

Logging ACLs

Defining ACLs

The Implied “Deny All Traffic” ACE Statement

ACE Entry Order

Applying ACLs to Interfaces

Lesson 16-1: Configuring an ACL

Lesson 16-2: Creating a Numbered Standard IP ACL

Lesson 16-3: Creating a Numbered Extended IP ACL

Lesson 16-4: Creating a Named Standard IP ACL

Lesson 16-5: Creating a Named Extended IP ACL

Lesson 16-6: Implementing Time of Day and ACLs

Lesson 16-7: Configuring Lock-and-Key

Lesson 16-8: Configuring Reflexive ACLs

Lesson 16-9: Logging ACLs

Lesson 16-10: Configuring a Named MAC Extended ACL

Creating a VLAN Map

Lesson 16-11: Using ACLs with VLAN Maps

Maintaining ACLs

Displaying ACL Resource Usage

Troubleshooting Configuration Issues

ACL Configuration Size

Unsupported Features on the Catalyst 3550 Switch

Summary

Review Questions

FAQs

Chapter 17 IP Services

Managing IP Connections

ICMP Unreachable Messages

ICMP Redirect Messages

ICMP Mask Reply Messages

IP Path MTU Discovery

MTU Packet Size

IP Source Routing

Simplex Ethernet Interfaces

DRP Server Agents

Filtering IP Packets Using Access Lists

Hot Standby Router Protocol Overview

HSRP and ICMP Redirects

IP Accounting Overview

IP MAC Accounting

IP Precedence Accounting

Configuring TCP Performance Parameters

Compressing TCP Packet Headers

Setting the TCP Connection Attempt Time

Using TCP Path MTU Discovery

Using TCP Selective Acknowledgment

Using TCP Time Stamps

Setting the TCP Maximum Read Size

Setting the TCP Window Size

Setting the TCP Outgoing Queue Size

Configuring the MultiNode Load Balancing Forwarding Agent

Configuring the MNLB Forwarding Agent

Network Address Translation Overview

When to Use NAT

Configuring IP Services

Lesson 17-1: Configuring ICMP Redirects

Lesson 17-2: Configuring the DRP Server Agent

Lesson 17-3: Configuring HSRP

Lesson 17-4: Configuring IP Accounting

Lesson 17-5: Configuring NAT

Monitoring and Maintaining IP Services

Verifying HSRP Support for MPLS VPNs

Displaying System and Network Statistics

Clearing Caches, Tables, and Databases

Monitoring and Maintaining the DRP Server Agent

Clearing the Access List Counters

Monitoring the MNLB Forwarding Agent

Monitoring and Maintaining HSRP Support for ICMP Redirect Messages

Monitoring and Maintaining NAT

Summary

Review Questions

FAQs

Part V Authentication and Virtual Private Networks

Chapter 18 AAA Services

TACACS+ Versus RADIUS

Underlying Protocols

Packet Encryption

Authentication, Authorization, and Accounting Processes

Router Management

Interoperability

Traffic

Configuring AAA

Case Study 18-1: Simplified AAA Configuration Using RADIUS

Case Study 18-2: Configuring AAA on a PIX Firewall

Case Study 18-3: Configuring VPN Client Remote Access

Case Study 18-4: Authentication Proxy with TACACS+

Case Study 18-5: Privilege Levels with TACACS+

Case Study 18-6: Configuring PPP Callback with TACACS+

Summary

Review Questions

FAQs

Chapter 19 Virtual Private Networks

Virtual Private Network (VPN) Overview

Site-to-Site VPNs

Remote-Access VPNs

IPSec Overview

Authentication Header (AH)

Encapsulating Security Payload (ESP)

IPSec Protocol Suite

Tunnel and Transport Modes

IPSec Operation

Defining Interesting Traffic

IKE Phase 1

IKE Phase 2

IPSec Encrypted Tunnel

Tunnel Termination

Configuring IPSec in Cisco IOS Software and PIX Firewalls

Case Study 19-1: Configuring a Basic IOS-to-IOS IPSec VPN

Case Study 19-2: Configuring a Basic PIX-to-PIX IPSec VPN

Certificate Authority (CA) Support

Configuring CA

IOS-to-IOS VPN Using CA

PIX-to-PIX VPN Using CA

Summary

Review Questions

FAQs

Chapter 20 Advanced Virtual Private Networks

Issues with Conventional IPSec VPNs

Solving IPSec Issues with GREs

Solving IPSec Issues with DMVPNs

Configuring Advanced VPNs

Case Study 20-1: Using Dynamic Routing Over IPSec-Protected VPNs

Case Study 20-2: Configuring DMVPN

Summary

Review Questions

FAQs

Chapter 21 Virtual Private Dialup Networks

L2F and L2TP Overview

VPDN Process Overview

PPTP Overview

Configuring VPDNs

Case Study 21-1: Configuring the VPDN to Work with Local AAA

Case Study 21-2: Configuring TACACS+ Authentication and Authorization for VPDN

Case Study 21-3: Configuring the PIX Firewall to Use PPTP

Lesson 21-1: Configuring the Default VPDN Group Template

Summary

Review Questions

FAQs

Part Ⅵ Firewalls

Chapter 22 Cisco IOS Firewall

Creating a Customized Firewall

Configuring TCP Intercept

Lesson 22-1: Configuring TCP Intercept

CBAC Overview

Traffic Filtering

Traffic Inspection

Alerts and Audit Trails

Intrusion Detection

CBAC Limitations and Restrictions

CBAC Operation

When and Where to Configure CBAC

CBAC-Supported Protocols

Using IPSec with CBAC

Lesson 22-2: Configuring CBAC

Monitoring and Maintaining CBAC

Turning Off CBAC

Case Study 22-1: Configuring CBAC on Two Interfaces

Port-to-Application Mapping (PAM)

How PAM Works

When to Use PAM

Lesson 22-3: Configuring PAM

Monitoring and Maintaining PAM

Summary

Review Questions

FAQs

Chapter 23 Cisco PIX Firewall

Security Levels and Address Translation

TCP and UDP

Configuring a Cisco PIX Firewall

Lesson 23-1: Configuring the PIX Firewall Basics

Lesson 23-2: Configuring Network Protection and Controlling Its Access and Use

Lesson 23-3: Supporting Specific Protocols and Applications

Lesson 23-4: Monitoring the PIX Firewall

Lesson 23-5: Using the PIX Firewall as a DHCP Server

Lesson 23-6: New Features in PIX Firewall Version 6.2

Summary

Review Questions

FAQs

Part Ⅶ Intrusion Detection

Chapter 24 IDS on the Cisco PIX Firewall and IOS Software

Cisco IOS Software Intrusion Detection

Cisco PIX Firewall Intrusion Detection

Cisco IOS Software and PIX IDS Signatures

Configuring Cisco IDS

Case Study 24-1: Configuring the Cisco IOS Software IDS

Case Study 24-2: Configuring the Cisco Secure PIX Firewall IDS

Summary

Review Questions

FAQs

Chapter 25 Internet Service Provider Security Services

Preventing Denial-of-Service Attacks

Committed Access Rate (CAR)

Reverse Path Forwarding (RPF)

Layer 2 VPN (L2VPN)

802.1Q

Layer 2 Protocol Tunneling

Configuring ISP Services

Case Study 25-1: DoS Prevention Through Rate Limiting

Case Study 25-2: DoS Prevention Through RPF

Case Study 25-3: Configuring L2VPN

Summary

Review Questions

FAQs

Part Ⅷ Sample Lab Scenarios

Chapter 26 Sample Lab Scenarios

Practice Lab Format

How the Master Lab Compares to the CCIE Security Lab Exam

CCIE Practice Lab 1: Building Layer 2

Equipment List

Prestaging: Configuring the Frame Relay Switch

Prestaging: Configuring the First Backbone Router, R9-BB1

Prestaging: Configuring the Second Backbone Router, R7-BB2

Lab Rules

Timed Portion

CCIE Practice Lab 2: Routing

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 3: Configuring Protocol Redistribution and Dial Backup

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 4: Configuring Basic Security

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 5: Dial and Application Security

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 6: Configuring Advanced Security Features

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 7: Service Provider

Equipment List

Lab Rules

Timed Portion

CCIE Practice Lab 8: All-Inclusive Master Lab

Equipment List

Prestaging: Configuring the Frame Relay Switch

Prestaging: Configuring the First Backbone Router, R7-BB1

Prestaging: Configuring the Second Backbone Router, R7-BB2

Prestaging: Configuring the Reverse Telnet Router

Lab Rules

Timed Portion

Summary

Part Ⅸ Appendixes

Appendix A Basic UNIX Security

Appendix B Basic Windows Security

Appendix C ISDN Error Codes and Debugging Reference

Appendix D Password Recovery on Cisco IOS, CatalystOS, and PIX

Appendix E Security-Related RFCs and Publications

Appendix F Answers to the Review Questions
