Cisco CCNP TSHOOT Troubleshooting and Maintaining Network Security Solutions


Cisco CCNP TSHOOT Troubleshooting Layer 4 Problems


The above slide depicts a flow diagram of the troubleshooting process.  The first step is to clearly define the problem.  After the problem is defined you need to gather facts and consider all possibilities.  After gathering and analyzing the facts you can create and apply a solution.  Once the solution is implemented it needs to be tested (observe and record the results).  You then need to determine whether the problem was solved.  If it was, document and record the results; otherwise it is back to gathering facts as part of an iterative troubleshooting process.


Cisco CCNP TSHOOT Troubleshooting Layer 4 Problems (cont’d)


First you need to define the problem.  Document a detailed description of the problem along with any symptoms.  Good documentation allows for an easy handoff of the troubleshooting effort if tasking changes and someone else has to take over.  It should also reduce the amount of work in later steps.  Troubleshooting a problem starts with a good understanding of how your network typically runs under normal conditions (e.g. response time, throughput, etc.).  Looking at how the current problem deviates from that baseline can help in defining the cause of the problem.

Next, gather facts from users, network administrators, and other personnel affected by the problem.  Use network tools such as network management systems, protocol analyzers, etc. to gather additional information.  Comparing the current configuration on routers and switches against archived (stored off-box) configurations and looking for any changes is also helpful.


Cisco CCNP TSHOOT Troubleshooting Layer 4 Problems (cont’d)


Consider all possibilities and rank them from most likely to least likely.  Create a plan to test the most likely causes.  Make only one change at a time so you know exactly what resolved the problem.  Keep track of what you have done so that you don't repeat yourself.  Try to minimize the impact to the network when testing potential solutions.  This might mean testing off hours or, at a minimum, coordinating outages during normal business hours.  Keep gathering and documenting information until the problem is solved.  Continue testing different solutions until the problem is resolved.


Cisco CCNP TSHOOT Troubleshooting Layer 4 Problems (cont’d)


Once the problem is resolved it is important to document and record the results.  Documenting both the problem and the solution will help solve similar problems in the future.


Cisco CCNP TSHOOT Cisco IOS Firewall


There are two types of Cisco IOS Firewall: Classic Cisco IOS Firewall and Zone-Based Policy Firewall.  Cisco IOS firewalls are capable of stateful deep packet inspection (all the way to the application layer).


Cisco CCNP TSHOOT Zone Based Firewall


With Zone Based Firewalls, firewall policies are configured on traffic moving between zones.  Zone Based Firewalls are very flexible.

Some of the functions they support are as follows:

  • Application inspection
  • Stateful inspection
  • URL filtering
  • Per-policy parameters
  • Virtual routing and forwarding (VRF)-aware firewall
  • Transparent firewall


Cisco CCNP TSHOOT AAA


AAA is a major part of the security that needs to be implemented within an organization.  AAA provides a way to ensure secure remote device access.  AAA can utilize a centralized server that contains all security policies and users.  The three main components of AAA are:

  • Authentication
  • Authorization
  • Accounting


Cisco CCNP TSHOOT AAA Authentication


Authentication provides a way to identify users.  Typically this is done via username and password.  The debug aaa authentication command is the best way to troubleshoot problems with AAA Authentication.

There are several events that occur during the debug aaa authentication process.  Examples are as follows:

  • Remote user attempts to log on to a router
  • Router checks to see if the AAA authentication service is enabled
  • Router checks if the default method list is used (e.g. TACACS+)
  • User enters username / password.  Credentials are sent to TACACS+ (or another defined server) for verification


Cisco CCNP TSHOOT AAA Authorization


The authorization portion of AAA determines what the user is allowed to do.  It essentially determines what commands a user is allowed to perform. The debug aaa authorization command is the best way to troubleshoot problems with AAA Authorization.


Cisco CCNP TSHOOT AAA Accounting


The accounting portion of AAA provides a way to collect and send security information used for things such as billing, auditing and reporting.  The debug aaa accounting command is the best way to troubleshoot problems with AAA Accounting.


Cisco CCNP TSHOOT Comparison of TACACS+ and RADIUS



Cisco CCNP TSHOOT Common TACACS+ Problems


One of the most common problems with TACACS+ is the loss of network connectivity.  If the TACACS+ server is down or simply loses network connectivity, the router/switch will not be able to authenticate.  For situations such as this, it is recommended that the router/switch be configured to fall back to the local database for authentication in the event the TACACS+ server is not available.

Another potential problem is a misconfiguration of the key on the router/switch and/or the TACACS+ server.  Both keys must match for successful communication between the router/switch and the TACACS+ server.

Another potential problem is a bad username and/or password.


Cisco CCNP TSHOOT Common RADIUS Problems


One of the most common problems with RADIUS is the loss of network connectivity.  If the RADIUS server is down or simply loses network connectivity, the router/switch will not be able to authenticate.  For situations such as this, it is recommended that the router/switch be configured to fall back to the local database for authentication in the event the RADIUS server is not available.

Another potential problem is a misconfiguration of the key on the router/switch and/or the RADIUS server.  Both keys must match for successful communication between the router/switch and the RADIUS server.

Another potential problem is a bad username and/or password.
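The following IOS configuration is an added example (not from the original slides) that ties together the AAA authentication, authorization and accounting slides with the TACACS+ and RADIUS fallback recommendation above: it defines a TACACS+ server, method lists that fall back to the local database, and lists the verification and debug commands to run when the server or key is the suspected cause.  The server name TAC-SRV1, the group name TAC-GROUP, the address 192.0.2.10 and the bracketed secrets are constructed placeholders.

```cisco
! Enable the AAA subsystem (required before any aaa authentication/authorization commands)
aaa new-model
!
! Local fallback account (constructed name/secret), used only when no AAA server answers
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
! TACACS+ server definition (IOS 15.x syntax). The key MUST match the key configured
! for this device on the TACACS+ server; a mismatch is reported by "debug tacacs" as a
! failure even though the server is reachable. The RADIUS equivalent uses
! "radius server <name>" and "aaa group server radius <group>".
tacacs server TAC-SRV1
 address ipv4 192.0.2.10
 key <SHARED-KEY>
!
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV1
!
! Method lists: try the TACACS+ group first, then the local database.
! IOS moves to the next method only when the server does not respond (ERROR),
! never when the server rejects the credentials (FAIL), so a bad password does
! not silently fall through to the local account.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification from privileged EXEC (not part of the running-config):
!   test aaa group TAC-GROUP admin <PASSWORD> new-code  -> exercises server reachability and the shared key
!   show tacacs                                         -> socket state and send/receive counters per server
!   debug aaa authentication / debug aaa authorization / debug aaa accounting
!   debug tacacs                                        -> per-packet detail, including key mismatch errors
```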


Cisco CCNP TSHOOT Chapter 6 Summary
