10 November, 2019
If you’ve been studying for your CCNA, specifically the Security track, and were midstream when you received the sudden news that Cisco would be merging that exam with ICND1 & 2 (or, for some, the CCNA Routing and Switching certs), don’t panic…I got you. If you’ve just embarked upon the journey of Cisco certs and are navigating uncharted territory, don’t panic…I still got you.
What I’m going to do moving forward is provide you with jewels from all the above exams. That way, you’re still going to emerge crowned. Let’s get to it.
Imagine it’s your first day on the job. Nah, second day. You’re sitting with your senior engineer while he works. You’re doing a little shoulder surfing and you see him issue the following commands:
- Logging console 4
- Logging monitor 2
- Logging buffered 7
(You were not able to tell if the L’s were capital or not but who cares, right, you got the job, man…Yay!)
Whether or not the L’s were capital (IOS commands are not case sensitive), there are three things about the above commands that you can be certain of, not necessarily in this order. One, the console will display warning, error, critical, alert, and emergency messages (severity 4 and below; the lower the number, the more severe the message). Two, VTY sessions will display critical, alert, and emergency messages (severity 2 and below), once you issue terminal monitor in the session. Three, the internal buffer will hold every type of log message, debugging included (severity 7 and below). Now, where am I going with that? Bam…
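The severity cut-off described above, as an added example that is not from the original post: a small parser for IOS-style `%FACILITY-SEVERITY-MNEMONIC:` lines and a router that hands each message to whichever destinations would show it under the three commands. The log lines are constructed for this example (the mnemonics are real IOS ones, the text after them is made up), and the function names are mine.

```python
import re

# Cisco IOS / syslog severity levels: the lower the number, the more severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS messages look like %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def levels_shown(level):
    """Severity names a destination shows when configured with `logging <dest> <level>`."""
    return [SEVERITY_NAMES[s] for s in range(level + 1)]


def parse_message(line):
    """Pull facility, severity, mnemonic and text out of one IOS log line, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def deliver(lines, thresholds):
    """Route each parsable line to every destination whose level is >= its severity."""
    out = {dest: [] for dest in thresholds}
    for line in lines:
        msg = parse_message(line)
        if msg is None:          # not an IOS message (prompt, banner, garbage): skip
            continue
        for dest, level in thresholds.items():
            if msg["severity"] <= level:
                out[dest].append(line)
    return out


# The three commands from the post, as destination -> level
THRESHOLDS = {"console": 4, "monitor": 2, "buffered": 7}

# Constructed sample output; mnemonics are real IOS ones, the text is made up
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99]",
    "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed (hypothetical)",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug trace",
    "Switch#show logging",
]

if __name__ == "__main__":
    for dest, got in deliver(SAMPLE_LINES, THRESHOLDS).items():
        names = ", ".join(levels_shown(THRESHOLDS[dest]))
        print(f"{dest} (level {THRESHOLDS[dest]}: {names}):")
        for line in got:
            print("   ", line)
```

Run it and the failed-login line (severity 4) lands on the console and in the buffer but never on a VTY session at `logging monitor 2`, which is the practical reason to keep the buffer at 7 and ship everything to a syslog server rather than trusting what you happen to see on the terminal.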

Anyhow, you have two full-duplex Layer 2 switches, SwitchN and SwitchS. A manual trunk link has been configured between them, and they operate in separate VTP domains, each in VTP server mode. You issue the following set of commands on SwitchN:
- Vlan 102
- Interface range fastethernet 0/5 - 10
- Switchport access vlan 102
- Switchport mode access
Mr. Shoulder Surfer from the Southside is adamant that you’ve done something to the configs that is going to screw up the VLANs on the switches. You kindly explain to him that no VLAN-related changes are going to happen on SwitchS. However, your friend is not so sure about that and would like you to explain why not.
“Just by moving sand in your shoe, from the beach to home, you’re not changing the world (“eps1.4_3xpl0its”)”
This is when you take a deep breath and rattle off the following: “No VLAN-related changes will occur on SwitchS, because SwitchS is operating in a different VTP domain from SwitchN. A VLAN is a logical switch, or LAN, that runs on the same physical infrastructure as other logical switches.”
You go on to explain that, “whenever a VLAN is added, modified, or deleted on a VTP-enabled switch, the switch sends out VTP advertisements that contain the VLAN changes, thereby propagating them to all the other switches in the VTP domain. A VTP domain consists of all the switches that should share a common VLAN configuration.”
Furthermore, you say, “each switch can belong to only one VTP domain. By default, a switch belongs to the NULL domain, and a switch still in the NULL domain will adopt the domain name carried in the first VTP advertisement it receives over a trunk, which is why you set the name deliberately. To manually specify the VTP domain name, issue the vtp domain name command from global configuration mode. The name is case sensitive, and after you have configured a VTP domain name you can change it, but you cannot remove it.” And with that, he relents.
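A simplified model of the exchange described above, added here as an example and not part of the original post: two switches joined by a trunk, an advertisement object standing in for a VTP summary advertisement, and a receive rule that checks the domain name (case-sensitively) before it even looks at the revision number. The domain names NORTHSIDE, SOUTHSIDE and CAMPUS and the class and function names are my own; VTP passwords, VTP version differences, transparent mode and pruning are left out of the model.

```python
from dataclasses import dataclass, field

NULL_DOMAIN = ""  # models the factory-default NULL VTP domain


@dataclass(frozen=True)
class VtpAdvertisement:
    """What a VTP server sends over its trunks after a VLAN change (simplified)."""
    domain: str
    revision: int
    vlans: frozenset


@dataclass
class Switch:
    name: str
    vtp_domain: str = NULL_DOMAIN
    vtp_mode: str = "server"                         # "server" or "client" only
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})  # VLAN 1 always exists
    trunks: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def set_domain(self, name):
        """`vtp domain <name>`: the name can be changed but never returned to NULL."""
        if name == NULL_DOMAIN:
            raise ValueError("a configured VTP domain name cannot be removed")
        self.vtp_domain = name

    def add_vlan(self, vlan_id):
        """`vlan <id>` in global config: allowed on a server, bumps the revision, advertises."""
        if self.vtp_mode != "server":
            raise PermissionError(f"{self.name}: VLANs cannot be created in VTP {self.vtp_mode} mode")
        self.vlans.add(vlan_id)
        self.revision += 1
        self.advertise()

    def advertise(self):
        adv = VtpAdvertisement(self.vtp_domain, self.revision, frozenset(self.vlans))
        for peer in self.trunks:
            peer.receive(adv, sender=self)

    def receive(self, adv, sender):
        # A switch still in the NULL domain adopts the first domain name it hears.
        if self.vtp_domain == NULL_DOMAIN:
            self.vtp_domain = adv.domain
            self.log.append(f"adopted domain {adv.domain!r} from {sender.name}")
        # Domain names are compared case-sensitively; on a mismatch the
        # advertisement is ignored and the local VLAN database is untouched.
        if adv.domain != self.vtp_domain:
            self.log.append(f"ignored {sender.name}: domain {adv.domain!r} != {self.vtp_domain!r}")
            return
        if adv.revision <= self.revision:
            self.log.append(f"ignored {sender.name}: revision {adv.revision} not newer")
            return
        self.vlans = set(adv.vlans)
        self.revision = adv.revision
        self.log.append(f"applied revision {adv.revision} from {sender.name}")
        self.advertise()  # forward to the rest of the domain; stops once revisions match


def trunk(a, b):
    """Manual trunk between two switches (both directions)."""
    a.trunks.append(b)
    b.trunks.append(a)


def post_scenario():
    """SwitchN and SwitchS, separate domains, both servers, manual trunk, `vlan 102` on SwitchN."""
    north, south = Switch("SwitchN"), Switch("SwitchS")
    north.set_domain("NORTHSIDE")
    south.set_domain("SOUTHSIDE")
    trunk(north, south)
    north.add_vlan(102)
    return north, south


def same_domain_scenario():
    """Same setup, but SwitchS shares SwitchN's domain: the VLAN propagates."""
    north, south = Switch("SwitchN"), Switch("SwitchS")
    north.set_domain("CAMPUS")
    south.set_domain("CAMPUS")
    trunk(north, south)
    north.add_vlan(102)
    return north, south


if __name__ == "__main__":
    for n, s in (post_scenario(), same_domain_scenario()):
        print(f"{n.name} {n.vtp_domain}: vlans={sorted(n.vlans)} rev={n.revision}")
        print(f"{s.name} {s.vtp_domain}: vlans={sorted(s.vlans)} rev={s.revision} log={s.log}")
```

The revision-number branch is the part worth remembering for real networks: in the same domain, whichever server advertises the highest revision overwrites everyone else, so a switch brought in from another site with a stale but higher-numbered database can erase VLANs across the domain. Different domain names, as in the post's scenario, stop that at the first check.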

A spoiler here: the remainder of the post pertains to security. It will be long, but trust me, it will be on your exam in one form or another. Here we go: Cryptographic Algorithms. You will need to know which algorithms are not considered NGE (Next Generation Encryption) and which should be avoided.
Diffie-Hellman (DH) with a 768-bit modulus (DH-768) and DH with a 1,024-bit modulus (DH-1024) are not NGE and should be avoided, as they are not expected to meet confidentiality requirements over the next decade. For that matter, due to the huge advances in computing power, many older cryptographic algorithms no longer provide adequate security; a DH modulus smaller than 2,048 bits cannot be considered to provide an acceptable level of security. Be aware, too, that security flaws (practical collision attacks) have been found in both SHA-1 and MD5, so it is likewise recommended that these hash algorithms be avoided.
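As an added example that is not from the post, a Python check that applies those rules to IKEv1 policies in an IOS configuration: it parses each `crypto isakmp policy` block and flags a DH group whose modulus is under 2,048 bits or a hash of MD5 or SHA-1. The group-number-to-modulus table (RFC 2409 groups 1, 2, 5 and RFC 3526 groups 14 to 16) and the IOS defaults for a policy that omits `hash` or `group` (SHA-1 and group 1) are assumptions I bring to the example rather than facts stated in the post; the configuration excerpt is constructed, with policy 10 as the weak setting and policy 20 as the corrected one.

```python
import re

# IOS `group` numbers for IKEv1 (crypto isakmp policy) -> DH modulus size in bits.
# Assumed mapping from RFC 2409 (groups 1, 2, 5) and RFC 3526 (14, 15, 16); not from the post.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048                              # the post's floor: smaller is unacceptable
WEAK_HASHES = {"md5": "MD5", "sha": "SHA-1"}   # in IOS, `hash sha` means SHA-1
# Assumed IOS IKEv1 defaults, which `show running-config` does not display.
IOS_DEFAULTS = {"hash": "sha", "group": "1"}


def parse_isakmp_policies(config_text):
    """Map policy number -> {keyword: value} for the indented lines under each policy."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        if current is None or not raw.startswith(" "):
            current = None                       # left the indented policy block
            continue
        keyword, _, value = raw.strip().partition(" ")
        current[keyword] = value
    return policies


def audit_isakmp_policies(config_text):
    """Return [(policy_number, finding)] for every hash / DH group the post says to avoid."""
    findings = []
    for number, settings in sorted(parse_isakmp_policies(config_text).items()):
        effective = {**IOS_DEFAULTS, **settings}   # fill in hidden defaults first
        h = effective["hash"]
        if h in WEAK_HASHES:
            findings.append((number, f"hash {h} is {WEAK_HASHES[h]}: avoid"))
        g = int(effective["group"])
        bits = DH_GROUP_BITS.get(g)
        if bits is None:
            findings.append((number, f"group {g}: modulus size not in table, review manually"))
        elif bits < MIN_DH_BITS:
            findings.append((number, f"group {g} is DH-{bits} (< {MIN_DH_BITS}-bit modulus): avoid"))
    return findings


# Constructed `show running-config` excerpt: policy 10 is the weak one, 20 the corrected one
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
"""

if __name__ == "__main__":
    for policy, finding in audit_isakmp_policies(SAMPLE_CONFIG):
        print(f"policy {policy}: {finding}")
```

The reason the audit fills in defaults before judging is that a policy with no `hash` or `group` line at all is silently using SHA-1 and DH-768, and a grep for `md5` or `group 2` would wave it through; `show crypto isakmp policy` prints the effective values if you want to confirm a box by hand.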
There you go. I realize this post was long, but I hadn’t posted in a while and I felt that I needed to cover a lot of ground from where I left off in the series. As always, I hope that this information can be useful to you on your journey. Feel free to leave a comment. Hack on, Ladies and Gents!