정보보안의 최고의 실력자

process 관련 명령어.. ps 이외의 명령어입니다. [공통]

2007-12-03T18:42:52Z

프로세스 상태를 추적, 관리하기

프로세스의 상태를 체크하기 위해 ps 명령어나 proctool, top 등을 써 보았을 것입니다.그런
데 많은 분들이 유용하게 사용할 수 있는 명령어들을 몰라서 소개해 놓았습니다.
프로세스를 관리하는 명령어들이 /usr/proc/bin에 있으므로 PATH를 추가하면 이후 내용을
해보기가 쉽겠죠
본,콘쉘 상태에서
#PATH=/usr/proc/bin:$PATH;export PATH

1. ptree :프로세스 트리구조를 보여준다
# ps -ef |grep netscape 해서 나온 결과가
dol 669 655 82 18:58:20 ? 65:55 /opt/netscape/netscape

프로세스 아이디가 669번 이므로
#ptree 669
269 /usr/dt/bin/dtlogin -daemon
541 /usr/dt/bin/dtlogin -daemon
561 /bin/ksh /usr/dt/bin/Xsession
613 /usr/dt/bin/sdt_shell -c unset DT; DISPLAY=:0;
/usr/dt/bin/dt
616 -ksh -c unset DT; DISPLAY=:0;
/usr/dt/bin/dtsession_res -merg
655 /usr/dt/bin/dtsession
669 /opt/netscape/netscape
676 (dns helper)

위의 결과를 보면 269번 dtlogin이 dtlogin을 생성한뒤 dtlogin이 561번을 생성 561번이 613
을 등등등.... 669번의 netscape 가 676번을 호출한 것을 알 수 있다.

2. pstop : 프로세스를 정지한다
#pstop 669
netscape 을 잠시 정지한다

3. prun : 프로세스를 다시 시작한다
#prun 669
netscape 을 다시 시작한다

4 pcred : 프로세스의 보안정보 표시
#pcred 669
669: e/r/suid=101 e/r/sgid=14
effective,real saved(u/g)id를 표시한다.

5. 프로세스의 메모리 맵상의 정보 표시
#pmap 669
669: /opt/netscape/netscape
00010000 13124K read/exec /opt/netscape/netscape
00CF0000 988K read/write/exec /opt/netscape/netscape
00DE7000 15816K read/write/exec [ heap ]
EEE60000 8K - [ anon ]
메모리 주소번지와 메모리 세그먼트의 사이즈를 표시한다.

6. pflags : 프로세스와 플래그 정보, 시그널 핸들링 상태 등을 표시
#pflags 669
669: /opt/netscape/netscape
data model = _ILP32 flags = PR_ORPHAN
/1: flags = PR_PCINVAL|PR_ASLEEP [ poll(0xef201a00,0x5,0xa603) ]
sigmask = 0x00002000,0x00000000 lwppend = 0x00002000,0x00000000
플래그와 시그널 핸들링 상태 등을 표시한다 .

7. pldd : 다이나믹 라이브러리에 링크된 정보 표시
#pldd 669
669: /opt/netscape/netscape
/usr/dt/lib/libXm.so.3
/usr/openwin/lib/libXt.so.4
/usr/openwin/lib/libXmu.so.4
/usr/openwin/lib/libXext.so.0
/usr/openwin/lib/libX11.so.4
...
링크된 다이나믹 라이브러리들 표시해준다.

8. ptime : 수행 시간 표시
#ptime ls
dtdbcache_:0 ps_data sdtvolcheck677 speckeysd.lock
real 0.166
user 0.029
sys 0.057
실제 수행시간, 유저프로세스시간, 시스템 프로세스 시간을 보여 준다 .

9. pfiles : open한 파일 표시
#pfiles 669
669: /opt/netscape/netscape
Current rlimit: 64 file descriptors
0: S_IFCHR mode:0620 dev:32,24 ino:76843 uid:101 gid:7 rdev:24,2
O_RDWR|O_LARGEFILE
1: S_IFCHR mode:0666 dev:32,24 ino:76599 uid:0 gid:3 rdev:13,2
해당 프로세스와 연관된 파일들과 열수 있는 파일갯수를 확인 할 수 있다.

10. pwdx 프로세스의 현재 디렉토리 표시
#ps -e |grep cmdtool
#pwdx 669
669: /w/dol

11. pwait : 프로세스가 끝날 때까지 기다림
#ps -e | grep cmdtool
273 console 0:01 cmdtool
281 console 0:01 cmdtool
중간에 281을 kill 한다
# pwait -v 281
281: terminated, wait status 0x0000

12. psig : 프로세스의 시그널 처리 성향 표시
#psig 669
669: /opt/netscape/netscape
HUP caught 0
HUP,INT,QUIT,ILL,TRAP,ABRT,EMT,FPE,BUS,SEGV,SYS,PIPE,ALRM,TERM,USR1,USR
2,CLD,PWR,WINCH,URG,POLL,TSTP,CONT,TTIN,TTOU,VTALRM,PROF,XCPU,XFSZ,W
AITING,LWP,FREEZE,THAW,CANCEL,LOST,RTMIN ....
시그널 처리 성향을 보여준다.

13. pstack : 스택의 점유상태 표시
#pstack 669
669: /opt/netscape/netscape
ef31437c poll (ef201a00, 5, 29bb)
ef2ce3dc select (ef201a28, ef201c70, ef334ffc, ef201c74, ef335000, 1d) + 298
Hex값과 심볼릭 값으로 스택에 있는 상태 표시, 만일 문제가 생긴 프로세스이면 어디에서
프로세스가 정지 했는지 확인 할 수 있다

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

[정보] 파일 생성,삭제 시 이루어시는 프로세스 상태

2007-12-03T18:41:31Z

파일이 생성될때 삭제될때 프로세상에서 바라본 절차입니다..
모르는 용어(inode, inumber 등)가 있으면, 중급자 강의를 보시기 바랍니다.

●파일 생성시
1) 슈퍼 블럭에서 하나의 inode를 할당한다.
2) inode의 내용들을 초기화한다.
3) inumber와 파일시스템을 해당 상위 디렉토리에 기록한다.
4) i-list에 있는 한 엔트리를 할당한다.
5) 사용자 영역의 파일 지시자(descriptor)에 한 엔트리를 할당한다.
6) 파일 지시자를 프로세스에게 반환한다.

●파일 삭제시
1) 주어진 경로명을 i-list의 포인터로 바꾼다.
2) 주어진 파일이 마운트되었으면 삭제 못하고 반환한다.
3) 주어진 파일이 공유된 텍스트이고 링크 수가 1이면 반환한다.
4) 파일의 링크 수를 하나 감소 시키고, 상위 디렉토리에서 그 파일의 inumber 를 0으로 설정한다.

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

gzip, gcc 설치하기 [공통 ]

2007-12-01T15:40:50Z

1. gzip 설치
1) 인스톨시 설치
- Solaris install 시에 install 레벨을 Developer 이상으로 설치하면 자동으로 설치됨
2) 패키지 설치
- http://www.sunfreeware.com 에서 gzip을 다운 받으셔서 아래 명령을 수행
- 인텔용과 스팍용이 있습니다. 자기시스템에 맞는걸 다운받으세요..
# pkgadd -d gzip-1.2.4a-sol8-intel-local

2. gcc 설치
- gcc는 Solaris 에서는 지원되지 않습니다.
http://www.sunfreeware.com 에서 다운로드 받으세요..
# gzip -d gcc-3.0-sol8-intel-local.gz
# pkgadd -d gcc-3.0-sol8-intel-local
# ln -s /usr/local/bin/gzip /usr/bin/gzip

3. PATH 설정
- 위 작업을 수행한 다음 gcc 명령을 내리면 명령이 없다고 나올 겁니다.
명령어의 위치가 설정되어 있지 않은거죠.. 그러면 다음과 같이 경로 에 있는 디렉토리에 링크 파일을 만들어줍니다.
# ln -s /usr/local/bin/gcc /usr/bin/gcc
ln 명령어의 방법은
ln -s [원본파일] [링크파일] 입니다..

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

솔라리스에서 ls 에 색깔을 주자.. [공통]

2007-12-01T15:39:58Z

리눅스의 ls는 색깔로 구분해줘서 찾기가 참 쉽습니다.
솔라리스에서도 이렇게 사용할 수 있는데요..

파일 : http://www.sunfreeware.com
가셔서 우측메뉴에서 환경과 솔라버전에 맞춰서 누른후 하단에 보시면
fileutils-4.1 이라고 있습니다.

패키지로 받으셔서 , pkgadd -d fileutils-4.1 하신 후에 /usr/local/bin 이 밑에 깔리니 다음과 같이 입력하시면 됩니다.

/usr/local/bin/ls --color

매번 칠때마다 경로와 옵션을 지정해주려면 귀찮으니 쓰고계신 쉘의 환경설정파일에 앨리어싱 설정을 해주신후 사용하면 편리합니다.

# alias ls='/usr/local/bin/ls --color'

이렇게 사용해 보세요.. ^^;

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

키보드 접촉 불량시 시스템 Hang 을 막자 [Sparc CPU]

2007-12-01T15:38:53Z

sparc 솔라리스의 경우..

운영체제가 돌아가고 있는 도중 키보드가 빠져버리면.. 시스템이 정지 해버립니다.
이 때.. 키보드를 다시 �으면 되지만.. 이렇게 키보드가 빠져도 운영체제를 계속 돌리게 하려면 다음과 같은 작업을 해야 합니다.

/etc/default/kbd 라는

KEBOARD_ABORT=disable
이 값이 주석처리 되어 있는데..
주석 처리 되어 있는 곳을 지우시고 위 값을 활성화 시키시면..

키보드의 stop-a 키도 먹지 않고..
키보드 접촉 불량시에 ... 시스템이 정지 되는 것을 막을 수 있습니다..

물론 수정하고 난 다음에 시스템을 리부팅 시켜줘야 겠죠..

리부팅 시켜 주시지 않으실려면.. 다음을 수행하시면 됩니다.

# kbd -i

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

floppy disk ufs filesystem format 하기.... [공통]

2007-12-01T15:38:05Z

1. floppy diskette을 drive에 넣고 아래와 같이 fdformat 명령을 실행한다.

# fdformat -U -b "label-name"
Formatting 1.44 MB in /vol/dev/rdiskette0/no_name
Press return to start formatting floppy.
..................................................................
#

위의 명령중 각 option 의 내용은 아래와 같다.

-U : floppy diskette이 이미 mount 된 경우라도 umount하여 format한다.
-b : diskette의 label 이름을 지정하기 위한 option이다
"label-name" : diskette에 지정할 label 이름이다.
이 이름은 floopy diskette 을 mount하였을때 생기는 실제
mount point(/floppy/"label-name")의 이름이 된다.

2. format 이 정상적으로 끝나면 "newfs" 명령을 실행하여 filesystem을 만든다.

# newfs /dev/rdiskette0

만약 위의 명령을 실행했을때 아래와 같이 error message가 발생하면 volume manager
daemon인 "vold" 를 종료시킨 후 다시 newfs 명령을 실행한다.

# newfs /dev/rdiskette0
/dev/rdiskette0: Device busy

# ps -ef|grep vold
root 267 1 0 11월 28 ? 0:02 /usr/sbin/vold
^^^^^
vold process id
# kill 267
# newfs /dev/rdiskette0
newfs: construct a new file system /dev/rdiskette0: (y/n)?

위와 같이 new file system을 만들것인지 물어보면 "y"와 "retunrn" key를 친다.

3. newfs가 정상적으로 끝나면 "vold" process가 실행중인지 확인한 후, 실행중이
아니면 vold를 실행한다.

# ps -ef|grep vold
root 8321 1 1 17:26:20 ? 0:00 /usr/sbin/vold

위와 같이 결과가 나오지 않으면 아래와 같이 명령을 실행한다.

# /etc/init.d/volmgt start
volume management starting.

4. "volcheck" 명령을 실행하여 floppy diskette을 mount한후 "df" 명령으로 mount가
되었는지 확인한다.

# volcheck
# df -k
파일시스템 K바이트 사용 가용 용량 설치지점
/dev/dsk/c0t0d0s0 1813958 696114 1063426 40% /
/proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
/vol/dev/diskette0/"label-name"
1263 9 1128 1% /floppy/"label-name"

위의 결과중 "label-name"은 diskette을 format 할때(fdformat) 지정한 label
name 이다.

출처 : SUN 기술문서

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

파일 확장자 한꺼번에 바꾸기...shell script [공통]

2007-12-01T15:36:19Z

유닉스에서 불편한점은 여러개의 확장자가 같은 파일의 확장자를 한꺼번에 이름을 바꾸어주려면 매우 불편합니다.

예를 들어..
test.tot 를 test.txt 로 바꿔줘야 한다면.. 간단하죠..
$ mv test.tot test.txt 이렇게 하면 됩니다.

하지만 test.tot, test1.tot, test3.tot 등 2개이상의 파일을 한꺼번에
test.txt, test1.txt, test3.txt로 바꿔줘야 할 때는?

음... 이거 문제입니다.. ㅡㅡ;
한꺼번에 바꿔주는 명령이 유닉스에서는 존재하지 않습니다. ㅡㅡ;

이걸 쉘 프로그램으로 해결 했습니다.
그럼..아래의 텍스트를 복사해서 그대로 파일로 만들어 쓰시기 바랍니다.

복사한 다음에는 반드시 다음과 같은 명령을 내리셔야합니다.
스크립트 이름을 ext.sh 라고 가정한다면..

# chmod 755 ./ext.sh -> 실행권한을 주는겁니다.
# ./ext.sh -> 실행합니다.

그럼.. 다음을 vi 로 작성하시면 됩니다.

============= 파일 시작 ==================
#!/bin/ksh
# Script Name : ext.sh
# Program Explan : change extention of all files in curent director
# by vivakim
# 2003. 2. 7
# !! Coution !!
## This Progrm is only in xxx.xxx file used
# The Other files is unusable
##################################################3

echo "insert source ext : \c" # source extention input
read X2
echo "insert result ext : \c" # Result extention input
read R2

if [[ "$R2" = "" ]] || [[ "$X2" = "" ]] # argument check
then
echo "insert two args"
exit 1
fi

ls *.$X2 > tmpfile 2> /dev/null # save file

if [[ $? != 0 ]] # extention check
then
echo "$X2 is not found"
exit 2
fi

IFS='.' # Field seperator setting in '.'

while read X1 X2 # X1 is filename X2 is extention
do
EXTS="$X1.$X2" # EXTS is source entire filename
EXTR="$X1.$R2" # EXTR is Result entire filename
mv "$EXTS" "$EXTR"
echo "$EXTS to $EXTR change sucess"
if [[ $? != 0 ]] ; then
echo " $EXTS to $EXTR change false "
exit 3
fi
done < tmpfile
rm tmpfile # tmp file deleted

========== 파일 끝 ===========

tag : 정보보안, 정보보안학원, 유닉스, IT뱅크

CCNP - Switching Exam Certification Guide9

2007-11-30T17:02:12Z

Switch Port Aggregation with EtherChannel 151

contiguous on the switch module. Newer switch modules allow the ports to be selected from
anywhere on the module or even across modules. Generally, all bundled ports must first belong
to the same VLAN. If used as a trunk, bundled ports must all be in trunking mode and pass the
same VLANs. As well, each of the ports should have the same speed and duplex settings before
they are bundled.

Distributing Traffic in EtherChannel

Traffic in an EtherChannel is statistically load-balanced across the individual links bundled
together. However, the load is not necessarily balanced equally across all of the links. Instead,
frames are forwarded on a specific link as a function of the addresses present in the frame. Some
combination of source and destination addresses (either MAC or IP addresses) is used to form
a binary pattern used to select a link number in the bundle.

Switches perform an exclusive-OR (XOR) operation on one or more low-order bits of the
addresses to determine what link to use. For example, an EtherChannel consisting of two links
bundled together requires the XOR of the last bit of the addresses in the frame. A four-link
bundle uses the XOR of the last two bits. Likewise, an eight-link bundle uses the XOR of the
last three bits. The outcome of the XOR operation selects the outbound link of the
EtherChannel. Table 5-2 shows the results of an XOR on a two-link bundle.

Table 5-2 Frame Distribution on a Two-Link EtherChannel

Binary Addresses Two-Link EtherChannel XOR and Link Number
Addr1: ... xxxxxxx0
Addr2: ... xxxxxxx0 ... xxxxxxx0: Link 0
Addr1: ... xxxxxxx0
Addr2: ... xxxxxxx1 ... xxxxxxx1: Link 1
Addr1: ... xxxxxxx1
Addr2: ... xxxxxxx0 ... xxxxxxx1: Link 1
Addr1: ... xxxxxxx1
Addr2: ... xxxxxxx1 ... xxxxxxx0: Link 0

The XOR operation is performed independently on each bit position in the address value. If the
two address values have the same bit value, the XOR result is 0. If the two address bits differ,
the XOR result is 1. In this way, frames can be statistically distributed among the links with the
assumption that MAC or IP addresses are statistically distributed throughout the network. In a
four-link EtherChannel, the XOR is performed on the lower two bits of the address values
resulting in a two-bit XOR value (each bit is computed separately) or a link number from 0 to 3.

A conversation between two devices will always be sent through the same EtherChannel link
because the two endpoint addresses stay the same. However, when a device talks to several

152 Chapter 5: Redundant Switch Links

other devices, chances are that the destination addresses are equally distributed with zeros and
ones in the last bit (even and odd address values). This causes the frames to be distributed across
the EtherChannel links. Note that a conversation between two end devices to create a load
imbalance is possible using one of the links in a bundle because all traffic between a pair of
stations will use the same link.

Switches with an Ethernet Bundling Controller (EBC) are limited to distributing frames based
on source and destination MAC addresses only. For each frame, the source MAC address is
XOR’d with the destination MAC address. Because this is the only choice, no switch
configuration is necessary.

Switches such as the IOS-based Catalyst 2900 and 3500XL distribute frames according to a
different criteria. By default, EtherChannel frames are distributed by the low-order bits of their
source MAC addresses. The administrator can select either source or destination addresses as
the distribution method by using the following command (the port group is defined in the next
section):

Switch (config-if)# port group group-number [distribution {source | destination}]

Other switches, such as the Catalyst 6000, offer more flexibility in computing frame
distribution. The XOR operation can be performed on either MAC or IP addresses and can be
based solely on source or destination addresses or both. Use the following command to
configure frame distribution for all EtherChannel switch links:

Switch> (enable) set port channel all distribution {ip | mac} [source | destination
| both]

The default configuration is to use IP addresses, both source and destination. Normally, this
action should result in a statistical distribution of frames. However, you should determine if the
EtherChannel is imbalanced according to the traffic patterns present. For example, if a single
server is receiving most of the traffic on an EtherChannel, the source IP addresses of the stations
talking to the server can cause one link to be overused. In the case of a four-link EtherChannel,
perhaps two of the four links are overused. Configuring the use of MAC addresses or only the
source IP addresses might cause the distribution to be more balanced across all the bundled
links.

In applications involving switches like the Catalyst 6000, some EtherChannel traffic may
consist of protocols other than IP. For example, IPX or SNA frames may be switched along with
IP. Non-IP protocols would need to be distributed according to MAC addresses because IP
addresses are not applicable. Here, the switch should be configured to use MAC addresses
instead of the IP default.

Switch Port Aggregation with EtherChannel 153

NOTE A special case results when a router is connected to an EtherChannel because the router will
use its own MAC address in all frames that it forwards to many end stations. For the EBC-based
switch, this means that the destination MAC address is always the same for frames destined
through the router. Usually this won’t present a problem because the source MAC addresses are
all different. When two routers are forwarding frames to each other, however, both source and
destination MAC addresses will remain constant and only one link of the EtherChannel will be
used. The flexibility in the Catalyst 6000 switch allows the administrator to select exactly which
criteria frames will be distributed. If the MAC addresses are remaining constant, you should
choose IP addresses instead.

Port Aggregation Protocol (PAgP)

To provide automatic EtherChannel configuration and negotiation between switches, Cisco
developed the Port Aggregation Protocol (PAgP). PAgP packets are exchanged between
switches over EtherChannel-capable ports. The identification of neighbors and port group
capabilities are learned and are compared with local switch capabilities. Ports that have the
same neighbor device ID and port group capability will be bundled together as a bidirectional,
point-to-point EtherChannel link.

PAgP will form an EtherChannel only on ports that are configured for either identical static
VLANs or trunking. PAgP also dynamically modifies parameters of the EtherChannel if one of
the bundled ports is modified. For example, if the VLAN, speed, or duplex mode of a port in an
established bundle is changed, PAgP will change that parameter for all ports in the bundle.

When ports are bundled into an EtherChannel, all broadcasts and multicasts are sent over one
port in the bundle only. Broadcasts will not be sent over the remaining ports and will not be
allowed to return over any other port in the bundle.

Switch ports can be configured for the following modes of PAgP:

. On.The ports will always be bundled as an EtherChannel. No negotiation takes place
because PAgP packets are not sent or processed.
. Off.The ports will never be bundled as an EtherChannel. They will remain as individual
access or trunk links. No PAgP packets are sent.
. Auto.(Default) PAgP packets are sent to negotiate an EtherChannel only if the far end
initiates EtherChannel negotiations. Therefore, auto mode is a passive mode that requires
a neighbor in desirable mode. (Two switches in auto mode will never negotiate an
EtherChannel because each is passively waiting for the other to request an EtherChannel.)
. Desirable.PAgP packets are sent to actively negotiate an EtherChannel. This mode
starts the negotiation process, and will bring up a successful EtherChannel with another
switch in either desirable or auto mode.

154 Chapter 5: Redundant Switch Links

EtherChannel Configuration

Before configuring switch ports into an EtherChannel bundle, you should make sure the switch
module supports it. Use the show port capabilities [module/port] command to do this. (This
command is available on Catalyst software versions 4.x and later.) Example 5-1 demonstrates
using the show port capabilities command to ensure the switch module supports EtherChannel
bundling.

Example 5-1 show port capabilities Command Output

Switch (enable) show port capabilities 2
Model WS-X5234
Port 2/1
Type 10/100BaseTX
Speed auto,10,100
Duplex half,full
Trunk encap type ISL,802.1Q
Trunk mode on,off,desirable,auto,nonegotiate
Channel 2/1-2,2/1-4
Broadcast suppression percentage(0-100)
Flow control receive-(off,on),send-(off,on)
Security yes
Membership static,dynamic
Fast start yes
Rewrite yes

On this and other early Ethernet modules, only certain ports can be bundled. Notice that
Example 5-1 shows that only ports 2/1 and 2/2 or 2/1 through 2/4 can be bundled. These
modules use a hardware chip called the Ethernet Bundling Controller (EBC) to manage the
EtherChannel ports. Ports to be bundled must belong to the same EBC, according to the specific
arrangement of ports on the module. For example, a 24-port module offers three groups of eight
ports and a 12-port module offers three groups of four ports. Generally, the EBC requires an
EtherChannel to start with the first port of a group. The output of the show port capabilities
command will show the acceptable port groupings, if they are available.

Newer modules, such as the Catalyst 6000, offer more flexibility with EtherChannel
configuration. Ports located anywhere on an EtherChannel-capable module can be bundled
along with ports from other modules.

NOTE Remember the following guidelines that apply to the switch ports that will be grouped into an
EtherChannel:

. All ports should be assigned to the same VLAN or configured for trunking (an
EtherChannel can be used as a trunk link).
. If the EtherChannel will be a trunk link, all ports should have the same trunk mode and
should carry the same VLANs over the trunk.

Switch Port Aggregation with EtherChannel 155

. All ports should be configured for the same speed and duplex mode.
. Do not configure the ports as dynamic VLAN ports.
. All ports should be enabled; a disabled port will be seen as a failed link, forcing its traffic
to be moved to the next available link in the bundle.
EtherChannel Configuration on a CLI-Based Switch

To configure an EtherChannel on a CLI-based switch, use the following command:

Switch (enable) set port channel module/port-range mode {on | off | desirable |
auto}

Ports are grouped into an EtherChannel by specifying them as a range, as in set port channel
2/1-4 mode on.

EtherChannel Configuration on an IOS-Based Switch

To configure an EtherChannel on an IOS-based switch, use the following command:

Switch (config-if)# port group group-number [distribution {source | destination}]

The port must be assigned to a group number, which represents the EtherChannel as a number
from 1 to 12.

Displaying EtherChannel Configuration

Information about the current EtherChannel configuration can be displayed using the show
port channel [mod/port] [info | statistics] command on a CLI-based switch and the show port
group [group-number] command on an IOS-based switch. Example 5-2 demonstrates how the
show port channel info command can be used to view the current status of EtherChannel links
on a CLI-based switch.

Example 5-2 show port channel info Command Output

Switch> (enable) show port channel info
Switch Frame Distribution Method: mac both
Port Status Channel Admin Channel Speed Duplex Vlan
mode group id
----- ---------- -------------------- ----- ------- ----- ------ ----
3/29 connected desirable silent 158 847 a-100 a-full 53
3/30 connected desirable silent 158 847 a-100 a-full 53
----- ---------- -------------------- ----- ------- ----- ------ ----
3/31 connected auto silent 159 848 a-100 a-full 101
3/32 connected auto silent 159 848 a-100 a-full 101
----- ---------- -------------------- ----- ------- ----- ------ ----

156 Chapter 5: Redundant Switch Links

The first shaded line shows that the switch is using both source and destination MAC addresses
to distribute frames across the bundled links. The next set of shaded lines show that switch ports
3/29 and 3/30 are bundled as EtherChannel ID number 847, are operating at 100 Mbps full-
duplex (autonegotiated), and are assigned to VLAN 53 only. The second EtherChannel is made
up of switch ports 3/31 and 3/32 bundled as EtherChannel ID 848, passing VLAN 101.

Spanning-Tree Protocol

A robust network design not only includes efficient transfer of packets or frames but also
considers how to recover quickly from faults in the network. In a Layer 3 environment, the
routing protocol(s) in use keeps track of redundant paths to a destination network so that a
secondary path can be quickly utilized if the primary path fails. Layer 3 routing allows many
paths to a destination to remain up and active and allows load sharing across multiple paths.

In a Layer 2 environment (switching or bridging), however, no routing protocols are used and
redundant paths are not allowed. Instead, some form of bridging provides data transport
between networks or switch ports. The Spanning-Tree Protocol (STP) is used to provide
network link redundancy and load balancing so that a Layer 2 switched network can recover
from failures without intervention in a timely manner.

STP is discussed in relation to the problems it solves in the following sections.

Bridging Loops

Recall that a Layer 2 switch mimics the function of a transparent bridge. A transparent bridge
must offer segmentation between two networks, while remaining transparent to all the end
devices connected to it. For the purpose of this discussion, consider a two-port Ethernet switch
and its similarities to a two-port transparent bridge.

A transparent bridge (and the Ethernet switch) must operate as follows:

. The bridge has no initial knowledge of the location of any end device; therefore, the bridge
must “listen” to frames coming into each of its ports to figure out on which network a
device resides. The source address in an incoming frame is the clue to a device’s
whereabouts.the bridge assumes the source device is located behind the port that the
frame arrived on. As the listening process continues, the bridge builds a table containing
source MAC addresses and the bridge port numbers associated with them.
The bridge has the capability to constantly update its bridging table upon
detecting the presence of a new MAC address or upon detecting a MAC address
that has changed location from one bridge port to another. The bridge is then able
to forward frames by looking at the destination address, looking up the address
in the bridge table, and sending the frame out the port where the destination
device is located.

Spanning-Tree Protocol 157

. If a frame arrives with the broadcast address as the destination address, the bridge must
forward or flood the frame out all available ports. However, the frame is not forwarded out
the port that initially received the frame. In this way, broadcasts are able to reach all
available networks. A bridge only segments collision domains but does not segment
broadcast domains.
. If a frame arrives with a destination address that is not found in the bridge table, the bridge
is unable to determine which port to forward the frame to for transmission. This type of
frame is known as an unknown unicast. In this case, the bridge treats the frame as if it were
a broadcast and forwards it out all remaining ports. After a reply to that frame is overheard,
the bridge will learn the location of the unknown station and add it to the bridge table for
future use.
. Frames that are forwarded across the bridge cannot be modified.
Bridging or switching in this fashion works well. Any frame received, whether to a known or
unknown destination, will be forwarded out the appropriate port or ports so that it is very likely
to be received successfully at the end device. Figure 5-2 shows a simple two-port switch
functioning as a bridge, forwarding frames between two end devices. However, this network
design offers no additional links or paths for redundancy, should the switch or one of its links
fail.

Figure 5-2 Transparent Bridging with a Switch

PC-4PC-3
PC-1 PC-2
1/1
1/2
Switch A
Segment A
Segment B

158 Chapter 5: Redundant Switch Links

To add some redundancy, a second switch can be added between the two original network
segments, as shown in Figure 5-3. Now two switches offer the transparent bridging function in
parallel. Consider what will happen when PC-1 sends a frame to PC-4. For now, assume that
both PC-1 and PC-4 are known to the switches and are in their address tables. PC-1 sends the
frame out onto network Segment A. Switch A and Switch B both receive the frame on their 1/1
ports. Because PC-4 is already known to the switches, the frame is forwarded out ports 2/1 on
each switch onto Segment B. The end result is that PC-4 will receive two copies of the frame
from PC-1. This is not ideal, but is not disastrous either.

Figure 5-3 Redundant Bridging with Two Switches

PC-4PC-3
PC-1 PC-2
1/1
2/1
Switch A
Segment A
Segment B
1/1
2/1
Switch B
Now consider the same process of sending a frame from PC-1 to PC-4. This time, however,
neither switch knows anything about PC-1 or PC-4. PC-1 sends the frame to PC-4 by placing
it on Segment A. The sequence of events is as follows:

1 Both Switch A and Switch B receive the frame on their 1/1 ports. Because PC-1’s MAC
address has not yet been seen or recorded, each switch records PC-1’s MAC address in its
address table along with the receiving port number, 1/1. From this information, both
switches infer that PC-1 must reside on Segment A.

2 Because PC-4’s location is unknown, both switches forward the frame out all available
ports, or their 2/1 ports, and onto Segment B.

Spanning-Tree Protocol 159

3 Each switch places a new frame on its 2/1 port on Segment B. PC-4, located on Segment
B, receives the two frames destined for it. However, Switch A hears the new frame
forwarded by Switch B, and Switch B hears the new frame forwarded by Switch A.

4 Switch A sees that the “new” frame is from PC-1 to PC-4. From the address table, the
switch had learned that PC-1 was on port 1/1 or Segment A. However, the source address
of PC-1 has just been heard on port 2/1 on Segment B. By definition, the switch must
relearn PC-1’s location, which is now incorrectly assumed to be Segment B. (Switch B
follows the same procedure, based on the “new” frame from Switch A.)

5 At this point, neither Switch A nor Switch B has learned the location of PC-4 because no
frames have been received with PC-4 as the source address. Therefore, the frame must be
forwarded out all available ports in an attempt to find PC-4. This frame is then sent out
Switch A’s 1/1 port and onto Segment A.

6 Now both switches relearn PC-1’s location as Segment A, forward the “new” frames back
onto Segment B, and the whole process repeats.

This process of forwarding a single frame around and around between two switches is known
as a bridging loop. Neither switch is aware of the other, so each just happily forwards the same
frame back and forth between its segments. Also note that because two switches are involved
in the loop, the original frame has been duplicated and now gets sent around in two counter-
rotating loops. What stops the frame from being forwarded in this fashion forever? Nothing.
PC-4 will begin receiving frames addressed to it as fast as the switches can forward them.

Notice how the learned location of the PCs keeps changing as frames get looped. Even a unicast
frame has caused a bridging loop to form, and each switch’s bridge table is repeatedly corrupted
with incorrect data.

What would happen if PC-1 had sent a broadcast frame instead? The bridging loops (remember
that there are two of them produced by the two parallel switches) will form exactly as before.
The broadcast frames will continue to circulate forever. Now, however, every end-user device
located on both Segments A and B will receive and process each and every broadcast frame.
This type of broadcast storm can easily saturate the network segments and bring every host on
the segments to a halt.

The only way to end the bridging loop is to physically break the loop by disconnecting switch
ports or by shutting a switch down. Rather than break devastating bridging loops, they should
be prevented instead.

Preventing Loops with Spanning-Tree Protocol

Bridging loops form basically because parallel switches (or bridges) are unaware of each other.
STP was developed to overcome the possibility of bridging loops so that redundant switches
and switch paths could be used for their benefits. In a nutshell, the protocol enables switches to
become aware of each other so that they can negotiate a loop-free path through the network.

160 Chapter 5: Redundant Switch Links

Loops are discovered before they are opened for use, and redundant links are shut down to
prevent the loops from forming. In the case of redundant links, switches can be made aware that
a link shut down for loop prevention should be quickly brought up in case of a link failure. This
is discussed in later sections of this chapter.

STP is communicated between all connected switches on a network. Each switch executes the
Spanning-Tree Algorithm (STA) based on information received from other neighboring switches.
The algorithm chooses a reference point in the network and calculates all the redundant paths
to that reference point. When redundant paths are found, STA picks one path to forward frames
with and disables or blocks forwarding on the other redundant paths.

As its name implies, STP computes a tree structure that spans all switches in a subnet or
network. Redundant paths are placed in a blocking or standby state to prevent frame forwarding.
The switched network is then in a loop-free condition. However, if a forwarding port fails or
becomes disconnected, the STA will run again to recompute the Spanning-Tree topology so that
blocked links can be reactivated.

Spanning-Tree Communication: Bridge Protocol Data Units

STP operates as switches communicate with one another. Data messages are exchanged in the
form of Bridge Protocol Data Units (BPDUs). A switch sends a BPDU frame out a port, using
the unique MAC address of the port itself as a source address. The switch is unaware of the
other switches around it. Therefore, the BPDU frame has a destination address of the well-
known STP multicast address 01-80-c2-00-00-00 to reach all listening switches.

There are two types of BPDU: the Configuration BPDU, used for Spanning Tree computation;
and the Topology Change Notification (TCN) BPDU, used to announce changes in the network
topology. The Configuration BPDU message contains the fields shown in Table 5-3. The TCN
BPDU is discussed in the “Topology Changes” section later in this chapter.

The exchange of BPDU messages works toward the goal of electing reference points as a
foundation for a stable Spanning-Tree topology. As well, loops will be identified and removed
by placing specific redundant ports in a blocking or standby state. Notice that several key fields
in the BPDU are related to bridge (or switch) identification, path costs, and timer values. These
all work together so that the network of switches will converge upon a common Spanning-Tree
topology and will select the same reference points within the network. These reference points
are defined in the following sections.

BPDUs are sent out all switch ports every two seconds so that current topology information is
exchanged and loops are identified quickly.

Spanning-Tree Protocol 161

Table 5-3 Configuration BPDU Message Content

Field Description Number of Bytes
Protocol ID (always 0) 2
Version (always 0) 1
Message Type (Configuration or Topology 1
Change Notification BPDU)
Flags 1
Root Bridge ID 8
Root Path Cost 4
Sender Bridge ID 8
Port ID 2
Message Age (in 256ths of a second) 2
Maximum Age (in 256ths of a second) 2
Hello Time (in 256ths of a second) 2
Forward Delay (in 256ths of a second) 2

Electing a Root Bridge

For all switches in a network to agree on a loop-free topology, a common frame of reference
must exist to use as a guide. This reference point is called the Root Bridge. (The term “bridge”
continues to be used even in a switched environment because STP was developed for use in
bridges. Therefore, when you see “bridge,” think “switch.”)

The Root Bridge is chosen by an election process among all connected switches. Each switch
has a unique Bridge ID that it uses to identify itself to other switches. The Bridge ID is an
8-byte value that is made up of the following fields:

. Bridge Priority (2 bytes).The priority or weight of a switch in relation to all other
switches. The priority field can have a value of 0 to 65,535 and defaults to 32,768 (or
0x8000) on every Catalyst switch.
. MAC Address (6 bytes).The MAC address used by a switch can come from the
Supervisor module, the backplane, or a pool of 1024 addresses that are assigned to every
Supervisor or backplane depending on the switch model. In any event, this address is
hardcoded, unique, and cannot be changed by the user.
When a switch first powers up, it has a narrow view of its surroundings and assumes that it is
the root bridge itself. Obviously, this notion will probably change as other switches check in
and enter the election process. The election process then proceeds as follows: Every switch
begins by sending out BPDUs with a Root Bridge ID equal to its own Bridge ID and a Sender

162 Chapter 5: Redundant Switch Links

Bridge ID of its own Bridge ID. The Sender Bridge ID simply tells other switches who is the
actual sender of the BPDU message.

Received BPDU messages are analyzed to see if a “better” root bridge is being announced. A
root bridge is considered better if the Root Bridge ID value is lower than another. Again, think
of the Root Bridge ID as being broken up into Bridge Priority and MAC address fields. If two
Bridge Priority values are equal, then the lower MAC address makes the Bridge ID better. When
a switch hears of a better Root Bridge, it replaces its own Root Bridge ID with the Root Bridge
ID announced in the BPDU. The switch is then required to nominate the new Root Bridge ID
in its own BPDU messages although it will still identify itself as the Sender Bridge ID.

Sooner or later, the election will converge and all switches will agree on the notion that one of
them is the Root Bridge. As might be expected, if a new switch with a lower MAC address
powers up, it will begin advertising itself as the Root Bridge. Because the new switch does
indeed have a lower Bridge ID, all the switches will soon reconsider and record it as the new
Root Bridge. Root Bridge election is then an ongoing process, triggered by Root Bridge ID
changes in the BPDUs every two seconds.

As an example, consider the small network shown in Figure 5-4. For simplicity, assume that
each Catalyst switch has a MAC address of all zeros with the last hex digit equal to the switch
label.

Figure 5-4 Example of Root Bridge Election

Catalyst A

Root Bridge

32768.00-00-00-00-00-0a

1/1

1/2

100 Mbps 100 Mbps
Cost = 19 Cost = 19

1/1

1/2 1/2
Catalyst C
32768.00-00-00-00-00-0c

1/1 100 Mbps
Cost = 19
Catalyst B
32768.00-00-00-00-00-0b

Spanning-Tree Protocol 163

In this network, each switch has the default Bridge Priority of 32768. The switches are
interconnected with Fast Ethernet links, having a default path cost of 19. All three switches try
to elect themselves as the root but all of them have equal Bridge Priority values. Therefore, the
election is determined by the lowest MAC address.that of Catalyst A.

Electing Root Ports

Now that a reference point has been nominated and elected for the entire switched network,
each non-root switch must figure out where it is in relation to the Root Bridge. This action can
be performed by selecting only one Root Port on each non-root switch.

STP uses the concept of cost to determine many things. Selecting a Root Port involves
eval!!uating the Root Path Cost. This value is the cumulative cost of all the links leading to the
Root Bridge. A particular switch link has a cost associated with it, too, called the Path Cost. To
understand the difference between these values, remember that only the Root Path Cost is
carried along inside the BPDU. As the path cost travels along, other switches can modify its
value to make it cumulative. The Path Cost, however, is not contained in the BPDU. It is known
only to the local switch where the port (or “path” to a neighboring switch) resides.

Path Costs are defined as a one-byte value, with the default values shown in Table 5-4. Generally,
the higher the bandwidth of a link, the lower the cost of transporting data across it. The original
IEEE 802.1D standard defined path cost as 1000 Mbps divided by the link bandwidth in Mbps.
These values are shown in the center column of the table. Modern networks commonly use
Gigabit Ethernet and OC-48 ATM, which are both either too close to or greater than the
maximum scale of 1000 Mbps. The IEEE now uses a non-linear scale for path cost, as shown
in the right column of the table.

Table 5-4 STP Path Cost

Link Bandwidth Old STP Cost New STP Cost
4 Mbps 250 250
10 Mbps 100 100
16 Mbps 63 62
45 Mbps 22 39
100 Mbps 10 19
155 Mbps 6 14
622 Mbps 2 6
1 Gbps 1 4
10 Gbps 0 2

164 Chapter 5: Redundant Switch Links

NOTE Be aware that not all versions of the Catalyst Supervisor code use the newer non-linear scale by
default. For example, Catalyst 5000 versions 2.4 and lower use the older linear scale. Catalyst
5000 versions 3.1 and higher, Catalyst 4000 (all versions), and Catalyst 6000 (all versions) use
the non-linear scale by default.

The Root Path Cost value is determined in the following manner:
1 The Root Bridge sends out a BPDU with a Root Path Cost value of zero because its ports
sit directly on the Root Bridge.
2 When the next closest neighbor receives the BPDU, it adds the Path Cost of its own port

where the BPDU arrived.
3 Then the neighbor sends out BPDUs with this new cumulative value as the Root Path Cost.
4 This value is incremented by subsequent switch port Path Costs as the BPDU is received

by each switch on down the line.

NOTE Note the emphasis on incrementing the Root Path Cost as BPDUs are received. When
computing the STA manually, remember to compute a new Root Path Cost as BPDUs come in
to a switch port, not as they go out.

After incrementing the Root Path Cost, a switch also records the value in its memory. When a
BPDU is received on another port and the new Root Path Cost is lower than the previously
recorded value, this lower value becomes the new Root Path Cost. In addition, the lower cost
tells the switch that the Root Bridge must be closer to this port than it was on other ports. The
switch has now determined which of its ports is the closest to the root.the Root Port.

Figure 5-5 shows the same network from Figure 5-4 in the process of Root Port selection.

Spanning-Tree Protocol 165

Figure 5-5 Example of Root Port Selection

Catalyst A

Root Bridge

32768.00-00-00-00-00-0a
1/1 1/2
1/2 1/2
1/1 1/1100 Mbps
Cost = 19
100 Mbps100 Mbps
Cost = 19Cost = 19
Catalyst B
32768.00-00-00-00-00-0b
Root Port

Root Port

Root Path Cost = 19 Root Path Cost = 19

Catalyst C
32768.00-00-00-00-00-0c

(Root Path Cost = 19 + 19)

The Root Bridge, Catalyst A, has already been elected. Therefore, every other switch in the
network must choose one port that is closest to the Root Bridge. Catalyst B selects its port 1/1,
with a Root Path Cost of 0+19. Port 1/2 is not chosen because its Root Path Cost is 0 (BPDU
from Catalyst A) plus 19 (Path Cost of A-C link) plus 19 (Path Cost of C-B link), or a total of

38. Catalyst C makes a similar choice of port 1/1.
Electing Designated Ports

By now, you should begin to see the process unfolding: a starting or reference point has been
identified, and each switch “connects” itself toward the reference point with the closest single
link. A tree structure is beginning to emerge, but links have only been identified at this point.
All links are still connected and could be active, leaving bridging loops.

To remove the possibility of bridging loops, STP makes a final computation to identify one
Designated Port on each network segment. Suppose that two or more switches have ports
connected to a single common network segment. If a frame appears on that segment, all the
bridges will attempt to forward it to its destination. Recall that this behavior!! was the basis of a
bridging loop and should be avoided.

166 Chapter 5: Redundant Switch Links

Instead, only one of the links on a segment should forward traffic to and from that segment. This
location is the Designated Port. Switches choose a Designated Port based on the lowest
cumulative Root Path Cost to the Root Bridge. For instance, a switch always has an idea of its
own Root Path Cost, which it announces in its own BPDUs. If a neighboring switch on a shared
LAN segment sends a BPDU announcing a lower Root Path Cost, the neighbor must have the
Designated Port. If a switch only learns of higher Root Path Costs from other BPDUs received
on a port, however, it then correctly assumes that its receiving port is the Designated Port for
the segment.

Notice that the whole STP determination process has only served to identify bridges and ports.
All ports are still active and bridging loops might still lurk in the network. STP has a set of
progressive states that each port must go through, regardless of the type or identification. These
states will actively prevent loops from forming and are described in the next section.

NOTE In each determination process discussed so far, two or more links to having identical Root Path
Costs is possible. This results in a tie condition, unless other factors are considered. In fact, all
STP decisions are based on the following sequence of four conditions:

1. Lowest Root Bridge ID
2. Lowest Root Path Cost to Root Bridge
3. Lowest Sender Bridge ID
4. Lowest Port ID
Figure 5-6 demonstrates an example of Designated Port selection. This figure is identical to
Figure 5-4 and Figure 5-5, with further Spanning Tree development. The only changes shown
are the choices of Designated Ports, although seeing all STP decisions shown in one network
diagram is handy.

Spanning-Tree Protocol 167

Figure 5-6 Example of Designated Port Selection

Designated Designated
Port 32768.00-00-00-00-00-0a Port

Root Path Cost = 0 Root Path Cost = 0

1/1

1/2

100 Mbps 100 Mbps
Cost = 19 Cost = 19

Root Port Root Port

Root Path Cost = 19 1/1 100 Mbps 1/1
Cost = 19

1/2 1/2
Catalyst B Catalyst C
32768.00-00-00-00-00-0b 32768.00-00-00-00-00-0c

Designated
Port

Both Root Path Cost = 19
Catalyst B has lowest Bridge ID

The three switches have chosen their Designated Ports (DP) for the following reasons:

. Catalyst A.Because this switch is the Root Bridge, all its active ports are Designated
Ports by definition. At the Root Bridge, the Root Path Cost of each port is zero.
. Catalyst B.Catalyst A port 1/1 is the DP for the Segment A-B because it has the lowest
Root Path Cost (0). Catalyst B port 1/2 is the DP for segment B-C. The Root Path Cost for
each end of this segment is 19, determined from the incoming BPDU on port 1/1. Because
the Root Path Cost is equal on both ports of the segment, the DP must be chosen by the
next criteria.the lowest Sender Bridge ID. When Catalyst B sends a BPDU to Catalyst
C, it has the lowest MAC address in the Bridge ID. Catalyst C also sends a BPDU to
Catalyst B, but its Sender Bridge ID is higher. Therefore, Catalyst B port 1/2 is selected
as the DP of the segment.
Catalyst A
Root Path Cost = 19
Root Bridge

168 Chapter 5: Redundant Switch Links

. Catalyst C.Catalyst A port 1/2 is the DP for Segment A-C because it has the lowest Root
Path Cost (0). Catalyst B port 1/2 is the DP for Segment B-C. Therefore, Catalyst C port
1/2 will be neither a Root Port nor a Designated Port. As discussed in the next section, any
port that is not elected to either position will enter the blocking state. Where blocking
occurs, bridging loops are broken.
STP States

To participate in STP, each port of a switch must progress through several states. A port begins
its life in a Disabled state moving through several passive states and finally into an active state
if allowed to forward traffic. The STP port states are as follows:

. Disabled.Ports that are administratively shut down by the network administrator or by
the system due to a fault condition are in the Disabled state. This state is special and is not
part of the normal STP progression for a port.
. Blocking.After a port initializes, it begins in the Blocking state so that no bridging loops
can form. In the Blocking state, a port cannot receive or transmit data and cannot add
MAC addresses to its address table. Instead, a port is only allowed to receive BPDUs so
that the switch can hear from other neighboring switches. In addition, ports that are put
into standby mode to remove a bridging loop enter the Blocking state.
. Listening.The port will be moved from Blocking to Listening if the switch thinks that
the port can be selected as a Root Port or Designated Port. In other words, the port is on
its way to begin forwarding traffic. In the Listening state, the port still cannot send or
receive data frames. However, the port is allowed to receive and send BPDUs so that it can
actively participate in the Spanning-Tree topology process. Here the port is finally allowed
to become a Root Port or Designated Port because the switch can advertise the port by
sending BPDUs to other switches. Should the port lose its Root Port or Designated Port
status, it is returned to the Blocking state.
. Learning.After a period of time called the Forward Delay in the Listening state, the port
is allowed to move into the Learning state. The port still sends and receives BPDUs as
before. In addition, the switch can now learn new MAC addresses to add into its address
table. This gives the port an extra period of silent participation and allows the switch to
assemble at least some address table information.
. Forwarding.After another Forward Delay period of time in the Learning state, the port
is allowed to move into the Forwarding state. The port can now send and receive data
frames, collect MAC addresses into its address table, and send and receive BPDUs. The
port is now a fully functioning switch port within the Spanning-Tree topology.

Spanning-Tree Protocol 169

NOTE Remember that a switch port is only allowed into the Forwarding state if there are no redundant
links (or loops) and if the port has the best path to the root bridge as the Root Port or Designated
Port.

Example 5-3 shows the output of a switch as one of its ports progresses through the STP port
states.

Example 5-3 A Port Progressing Through the STP Port States

Console> (enable) set port disable 4/10
This command may disconnect your telnet session.
Do you want to continue (y/n) [n]?y
Port 4/10 disabled.
Console> (enable) set port enable 4/10
Port 4/10 enabled.
Console> (enable) show spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 listening 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 listening 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 listening 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 learning 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 learning 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 learning 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 learning 10 32 disabled
Console> (enable) sh spant 4/10
Port Vlan Port-State Cost Priority Fast-Start
4/10 1 forwarding 10 32 disabled
Console> (enable)

170 Chapter 5: Redundant Switch Links

The example begins as the port is administratively disabled from the command line. When the
port is enabled, successive show spantree module/port commands display the Port-State as
Listening, Learning, and then Forwarding. Because this port was eligible as a Root Port, the
show command was never able to execute fast enough to show the port in the Blocking state.

STP Timers

STP operates as switches send BPDUs to each other in an effort to form a loop-free topology.
The BPDUs take a finite amount of time to travel from switch to switch. In addition, news of a
topology change (such as a link or Root Bridge failure) can suffer from propagation delays as
the announcement travels from one side of a network to the other. Because of the possibility of
these delays, keeping the Spanning-Tree topology from settling out or converging until all
switches have had time to receive accurate information is import!!ant.

STP uses three timers to make sure that a network converges properly before a bridging loop
can incorrectly form. The timers and their default values are as follows:

. Hello Time.The time interval between Configuration BPDUs sent by the Root Bridge.
The Hello Time value configured in the Root Bridge switch will determine the Hello Time
for all non-root switches because they just relay the Configuration BPDUs as they are
received from the root. However, all switches have a locally configured Hello Time that is
used to time TCN BPDUs when they are retransmitted. The IEEE 802.1D standard
specifies a default Hello Time value of two seconds.
. Forward Delay.The time interval that a switch port spends in both the Listening and
Learning states. The default value is 15 seconds.
. Maximum (max) Age.The time interval that a switch stores a BPDU before discarding
it. While executing the STP, each switch port keeps a copy of the “best” BPDU that it has
heard. If the source of the BPDU loses contact with the switch port, the switch will notice
that a topology change has occurred after the Max Age time elapses and the BPDU is aged
out. The default Max Age value is 20 seconds.
The STP timers can be configured or adjusted from the switch command line. However, the
timer values should never be changed from the defaults without careful consideration. Then, the
values should only be changed on the Root Bridge switch. Recall that the timer values are
advertised in fields within the BPDU. The Root Bridge will make sure that the timer values are
propagated to all other switches.

NOTE The default STP timer values are based on some assumptions about the size of the network and
the length of the Hello Time. A reference model of a network having a diameter of seven
switches is used to derive these values. The diameter is measured from the Root Bridge switch
outward, including the Root Bridge. A Hello Time of two seconds is used in this computation.

Test King, 350-018 CCIE.350-018.Security.v3.1.pctools5

2007-11-29T17:30:00Z

- 41 -

350 - 018

Sun Solaris
Solaris 2.5.1 or 2.6
HP OpenView 4.1, 5.01, or 6.0
Web browser (for NSDB and help file)

QUESTION NO: 76
In the IPSec protocol suite, transport mode & tunnel mode describe:

A. AH header and datagram layouts.
B. Diffie-Hellman keying.
C. SHA security algorithm.
D. ESP header and datagram layouts.
Answer: D
Explanation: OK I dont get this question ESP or AH can be used in tunnel or transport mode. - CCIE
PRofessional Development Network Security Pratices and Principles by Saadit Malik pg 313-316 In Transport
Mode ESP, the ESP header is inserted into the IP datagram immediately prior to the transport-layer protocol
header (such as TCP, UDP, or ICMP). In Tunnel Mode ESP, the original IP datagram is placed in the encrypted
portion of the ESP and that entire ESP frame is placed within a datagram having unencrypted IP headers.

QUESTION NO: 77
What well known port is commonly used for TFTP?

A. TCP 23
B. UDP 23
C. UDP 161
D. UDP 69
Answer: D
Explanation: Abbreviation of Trivial File Transfer Protocol, a simple form of the File Transfer Protocol (FTP).
TFTP uses the User Datagram Protocol (UDP)and provides no security features. It is often used by servers to
boot diskless workstations, X-terminals, and routers.

QUESTION NO: 78
What is RPF?

Leading the way in IT testing and certification tools, www.testking.com

- 42 -

350 - 018

A. Reverse Path Forwarding
B. Reverse Path Flooding
C. Router Protocol Filter
D. Routing Protocol File
E. None of the above.
Answer: A
Explanation: This chapter describes Unicast Reverse Path Forwarding (Unicast RPF) commands.

QUESTION NO: 79
IKE Phase 1 policy does not include negotiation of the:

A. Encryption algorithm
B. Authentication method.
C. Diffie-Hellman group.
D. Lifetime
E. Crypto-map access-list
Answer: E
Explanation: "Ike Phase 1 Policy Parameters - Encryption, Hash, Authentication method, Key exchange, Ike
SA lifetimes" Cisco Secure PIX Firewall Advanced 2.0 14-14 "IKE's responsiblities in the IPSEC protocol
include Negotiating protocol parameters, Exchaning public keys, authenticating both sides, managing keys
after the exchange...In Phase 1 exchange, peers negotiate a secure, authenticated channel with which to
communicate." CCIE PRofessional Development Network Security Pratices and Principles by Saadit Malik pg
276, 278 "The first two messages in IKE main mode negotiation are used to negotiate the various values, hash
mechanismes, and encryption mechanisms to use for the later half of the IKE negotiations.” CCIE PRofessional
Development Network Security Pratices and Principles by Saadit Malik pg 280

QUESTION NO: 80
Exhibit:

Leading the way in IT testing and certification tools, www.testking.com

- 43 -

350 - 018

In a move to support standards-based routing, the decision is made to use the OSPF routing protocol
throughout the entire network. The areas are shown as in the exhibit, and the subnets are:

Ethernet on Router A: 108.3.1.0
Serial line between Router A and Router B: 108.3.100.0
Token ring on Router B: 108.3.2.0

How should OSPF be configured on Router B?

A. router ospf
network 108.3.0.0
B. router ospf 1
network 108.3.100.0 0.0.0.255 area 6
network 108.3.2.0 0.0.0.255 area 6
C. router ospf 1
network 108.3.100.0 0.0.0.255 area 6
network 108.3.2.0 0.0.0.255 area 0
D. router ospf 1
network 108.3.100.0 255.255.255.0 area 6
network 108.3.2.0 255.255.255.0 area 6
E. router ospf 1
network 108.3.1.0 0.0.0.255 area 6
network 108.3.100.0 0.0.0.255 area 6
network 108.3.2.0 0.0.0.255 area 6
Answer: D
Explanation: Networks 108.3.100.0 and 108.3.2.0 using a /24 need to be put into the ospf statement. both are
configured in area 6. the ethernet network on router A will be given to router B by rotuer A so there is no need
to insert the network statement for it.

Leading the way in IT testing and certification tools, www.testking.com

- 44 -

350 - 018

QUESTION NO: 81
Exhibit:

/etc/hosts.equiv:

2.2.2.2
/etc/passwd:
user_B:x:1003:1:User B:/export/home/user_B:/bin/kshuser_C:x:1004:1:User C:/export/home/user_C:/bin/kshwith host_B having the ip 2.2.2.2 & host C having the ip 3.3.3.3
What policy would be enforced given the files shown?

A. Allow user_B on Host_B to access host_A via rlogin, rsh, rcp, & rcmd without a password.
B. Allow user_B to access host_A via rlogin, rsh, rcp, & rcmd with a password but to prevent access from
unlisted hosts including host_C
C. Allow users to telnet from host_B to host_A but prevent users from telnetting from unlisted hosts
including host_C
D. Allow users on host_A to telnet to host_B but not to unlisted hosts including host_C
Answer: B
Explanation:

QUESTION NO: 82
Given:
Two routers have their SA lifetime configured for 86399 seconds and 2 million kilobytes. After 24 hours
have passed and 500 KB of traffic have been tunneled, what happens?

A. If pre-shared keys are being used, traffic will stop until new keys are manually obtained and inputted.
B. The SA will be renegotiated.
C. The SA will not be renegotiated until 2 MB of traffic have been tunneled.
D. Traffic will be sent unencrypted.
Answer: C
Explanation: more or less 86399 seconds is 23.9 hours however 86400 is 24 hours so the SA need to be
renegotiated

QUESTION NO: 83
Why is authentication NOT used with TFTP?

Leading the way in IT testing and certification tools, www.testking.com

- 45 -

350 - 018

A. TFTP protocol has no hook for a username/password.
B. TFTP uses UDP as a transport method.
C. TFTP is initiated by a server.
D. TFTP is already secure.
E. All of the above.
Answer: A
Explanation: FTP requires a username and password. TFTP does not.

QUESTION NO: 84
If a network manager believes security has been compromised on a router or PC client, and he/she wishes
to have the CA certificate revoked, the manager would:

A. Contact the CA administrator and be prepared to provide the challenge password chosen upon
installation.
B. If a router is involved, type:
configure terminal crypto ca revoke

C. Uninstall the IPSec software on the PC, erase the router configuration and reconfigure the router, and
request the certificate in the same way as the initial installation (Issuance of the new certificate will
revoke the old one automatically).
D. Send e-mail to ‘sysadmin@icsa.net’ with the hostname and IP of the compromised device requesting
certificate revocation.
Answer: A
Explanation: If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's
certificate, but will require further manual authentication of the PIX Firewall administrator identity.

QUESTION NO: 85
Scanning tools may report a root Trojan Horse compromise when run against an IOS component.
Why does this happen?

A. The port scanning package mis-parses the IOS error messages.
B. IOS is based on BSD UNIX and is subject to a Root Trojan Horse compromise.
C. The scanning software is detecting the hard-coded backdoor password in IOS.
D. Some IOS versions can be crashed with the telnet option vulnerability.
E. IOS will not respond to vulnerability scans.
Leading the way in IT testing and certification tools, www.testking.com

- 46 -

350 - 018

Answer: A

QUESTION NO: 86
Which statement regarding the RADIUS authentication protocol are true? Multiple answer)

A. UDP 1812 is specified in RFC 2138.
B. UDP 1645 is commonly used by many vendors.
C. UDP 1647 is specified in RFC 2139.
D. UDP 48 is commonly used by many vendors.
Answer: A, B
Explanation: Exactly one RADIUS packet is encapsulated in the UDP Data field [2], where the UDP
Destination Port field indicates 1812 (decimal). When a reply is generated, the source and destination ports are
reversed. This memo documents the RADIUS protocol. There has been some confusion in the assignment of
port numbers for this protocol. The early deployment of RADIUS was done using the erroneously chosen port
number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS
is 1812.

QUESTION NO: 87
A Security Manager needs to configure an IPSec connection using ISAKMP with routers from mixed
vendors.
What information is NOT needed to configure the local security device to communicate with the remote
machine?

A. Remote peer address.
B. Main mode attributes.
C. Quick mode attributes.
D. Addresses that need to be encrypted.
E. Peer gateway subnet.
F. Encryption authentication method.
Answer: E
Explanation: The peers gateway subnet is not needed. The address is needed.

QUESTION NO: 88
An ISAKMP NOTIFY message is used between IPSec endpoints for what purpose?

Leading the way in IT testing and certification tools, www.testking.com

- 47 -

350 - 018

A. To let the other side know that a failure has occurred.
B. To let the other side know the status of an attempted IPSec transaction.
C. To let the other side know when a physical link with an applied SA has been torn down.
D. To let the other side know that an SA has been bought up on an unstable physical connection; potential
circuit flapping can cause problems for SPI continuity.
Answer: C

QUESTION NO: 89
Exhibit:

If Host 1 cannot ping Host 2 and Host 2 cannot ping Host 1, what is most likely the cause?

A. Split horizon issue.
B. Default gateway on hosts.
C. Routing problem with RIP.
D. All of the above.
Answer: D

QUESTION NO: 90

Leading the way in IT testing and certification tools, www.testking.com

- 48 -

350 - 018

When building a non-passive FTP data connection, the FTP client:

A. Indicates the port number to be used for sending data over the command channel via the PORT
command.
B. Receives all data on port 20, the same port the FTP server daemon sends data from.
C. Uses port 20 for establishing the command channel and port 21 for the data channel.
D. Initiates the connection from an ephemeral port to the RFC specified port of the server.
Answer: D
Explanation: Standard mode FTP uses two channels for communications. When a client starts an FTP
connection, it opens a standard TCP channel from one of its higher-order ports to port 21 on the server. This is
referred to as the command channel. Cisco Secure PIX firewall Advanced 2.0 10-5

QUESTION NO: 91
The RADIUS attribute represented by the value 26 is used for:

A. Specifying accounting data specific to a particular vendor service.
B. Specifying the vendor name of the NAS.
C. Allowing vendors to define out-of-band RADIUS timeouts.
D. Transmitting vendor-specific attributes.
Answer: D
Explanation: Vendor-specific . allows vendors to support their own extended attributes that are unsuitable for
general use. Cisco RADIUS implementation supports one vendor-specific option using the format
recommended in the specification. Network Security Principles and Practices, Saadat Malik p 524

QUESTION NO: 92
A Hash (such as MD5) differs from an Encryption (such as DES) in what manner?

A. A hash is easier to break.
B. Encryption cannot be broken.
C. A hash is reversible.
D. A hash, such as MD5, has a final fixed length.
E. Encryption has a final fixed length.
Answer: D

Leading the way in IT testing and certification tools, www.testking.com

- 49 -

350 - 018

Explanation: The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit
"fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce
two messages having the same message digest, or to produce any message having a given prespecified target
message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be
"compressed" in a secure manner before being encrypted with a private (secret) key under a public-key
cryptosystem such as RSA.

'Message hashing is an encryption technique that can be used to ensure that
a message has not been altered. The MD5 algorithm takes as input a
cleartext message of arbitrary length...The MD5 algorithm is run on the
input, which produces as output a fixed-length,128-bit "message digest" or
"hash" of the input.'
"It is considered computationally infeasible to reverse the hash process or
to produce two message having the same message digest"

Managging Cisco Network Security by Michael Wenstrom pg 464

QUESTION NO: 93
Which statement about the Diffie-Hellman key exchange is false?

A. The two routers involved in the key swap generate large random integers (i), which are exchanged in
private.
B. The local secret key is combined with known prime numbers n and g in each router to generate a Public
key.
C. Each router combined the private key received from the opposite router with its own public key to create
a shared secret key.
D. Each router uses the received random integer to generate a local secret (private) crypto key.
Answer: D
Explanation: more or less XvA=G^A mod P Network Security Principles and Practices, Saadat Malik p 284285

QUESTION NO: 94
Exhibit:
Configuration of Router A:

crypto map tag 1 ipsec-isakmpset security-association lifetime seconds 240set security-association lifetime kilobytes 10000

Leading the way in IT testing and certification tools, www.testking.com

- 50 -

350 - 018

Configuration of Peer Host Router B:

crypto map tag 1 ipsec-isakmpset security-association lifetime seconds 120set security-association lifetime kilobytes 20000

Router A is configured as shown. Predict and explain what will happen after 110 seconds and 1500
kilobytes of traffic:

A. Router A will not talk to Router B because the security association lifetimes were misconfigured; they
should be the same.
B. The security association will not be renegotiated until 20000 kilobytes have traversed the link, because
the interval will be the greater of 2 parameters . time and kilobytes.
C. Security association renegotiation will have started.
D. Assuming the same traffic pattern and rate, the present security associations will continue until almost
240 seconds have elapsed.
Answer: A
Explanation: I have heard different answers to this question. 1 is that the lesser of the values will be used. But
the SA need to match which these dont.

QUESTION NO: 95
What encryption algorithm is used for Microsoft Point-to-Point Encryption?

A. DES CBC
B. RSA RC4
C. RSA CBC
D. DES RC4
Answer: B
Explanation: MPPE uses the RSA RC4 [3] algorithm to provide data confidentiality.

QUESTION NO: 96
The TFTP protocol:

A. Uses the UDP transport layer and requires user authentication.
B. Uses the TCP transport layer and does not require user authentication.
C. Uses the UDP transport layer and does not require user authentication.
D. Used TCP port 69.
Leading the way in IT testing and certification tools, www.testking.com

tag : 정보보안, CCNA, 정보보안학원, IT뱅크

Test King, 350-018 CCIE.350-018.Security.v3.1.pctools4

2007-11-29T17:28:10Z

- 31 -

350 - 018

QUESTION NO: 54
Describe the correct authentication sequence for the IOS Firewall Authentication Proxy:

A. The user authenticates by FTP, and route maps are downloaded from the proxy server.
B. The user authenticates locally to the router.
C. The user authenticates by Telnet, and access lists are downloaded from the AAA server.
D. The user authenticates by HTTP, or Telnet, and access lists are downloaded from the AAA server.
E. The user authenticates by HTTP, and access lists are downloaded from the AAA server.
Answer: E
Explanation: When a user initiates an HTTP session through the firewall, the authentication proxy is triggered

QUESTION NO: 55
Exhibit:

Host A is attempting to send a packet through Router B to Host D. There are not routing protocols
configured nor are there any static routes for router B or C. However, Router B does have a default-
gateway configured to the IP address of Router C using the configuration ip default-gateway 10.1.2.2.
Will Host A’s packet reach Host D?

A. This will work of the routers are configured to bridge.
B. This will work because Router B will forward the packets destined to 10.1.3.0/24 to Router C through
its IP default-gateway configuration.
C. The packets will reach Host D, but Host D will not be able to communicate back to Host A, so the
session will fail.
D. This will work if CDP is enabled on the routers.
E. Routers only route packets to routes in the routing table, not their IP default-gateway so Host A’s
packets will never reach Router C or Host D.
Answer: B

Leading the way in IT testing and certification tools, www.testking.com

- 32 -

350 - 018

Explanation: This is a tricky question becouse it does not say that C has ip default-gateway. SO it wont be
able to send the packet back but the packet will reach D. PIck your option The ip default-gateway command
differs from the other two commands in that it should only be used when ip routing is disabled on the Cisco
router

QUESTION NO: 56
The purpose of Administrative Distance, as used by Cisco routers, is:

A. To choose between routes from different routing protocols when receiving updates for the same
network.
B. To identify which routing protocol forwarded the update.
C. To define the distance to the destination used in deciding the best path.
D. To be used only for administrative purposes.
Answer: A
Explanation: Administrative distance is the feature used by routers to select the best path when there are two or
more different routes to the same destination from two different routing protocols. Administrative distance
defines the reliability of a routing protocol. Each routing protocol is prioritized in order of most to least reliable
(believable) using an administrative distance value.

QUESTION NO: 57

-User_A and User_B are both members of the global group “DOMAIN USERS”.

-Global group “DOMAIN USERS” is included in local group “USERS”.

-All users and groups are in the domain “CORP”.

-The directory D:\data has the share permission for local group “USERS” set to “Read”.

-The Microsoft Word document D:\data\word.doc has file permissions for local group “USERS” set

to “Full Control”.

-The Microsoft Word document D:\data\word.doc is owned by User_B.

Given this scenario on a Windows NT 4.0 network, what is the expected behavior!! when User_A attempts
to edit D:\data\word.doc?

A. User_A has full control and can edit the document successfully.
B. There is not enough information.
Permissions for Microsoft Word are set within the application and are not subject to file and share level
permissions.
C. Access would be denied.
Only the owner of a file can edit a document.
D. Global groups can not be placed into local groups.
Leading the way in IT testing and certification tools, www.testking.com

- 33 -

350 - 018

The situation could not exist.

E. Edit access would be denied.
The “Read” permission is least permissive so it would apply in this situation.
Answer: E
Explanation: Based on the name of each group, you might think that you'd add local groups to global groups.
This isn't the case. You assign users or global groups to local groups to give access to local resources

QUESTION NO: 58
A network manager issues an RCP (Remote Copy) when copying a configuration from a router to a Unix
system.
What file on the Unix system would need to be modified to allow the copying to occur?

A. rcmd
B. rcmd.allow
C. allow.rcmd
D. hosts.allow
E. .rhosts
Answer: D
Explanation: NOT SURE OF THIS ANSWER I AM SAYING .RHOSTS The $HOME/.rhosts file defines
which remote hosts (computers on a network) can invoke certain commands on the local host without supplying
a password. This file is a hidden file in the local user's home directory and must be owned by the local user

QUESTION NO: 59
In the context of intrusion detection, what is the definition of exploit signatures?

A. Policies that prevent hackers from your network.
B. Security weak points in your network that can be exploited by intruders.
C. Identifiable patterns of attack detected on your network.
D. Digital graffiti from malicious users.
E. Certificates that authenticate authorized users.
Answer: C

Leading the way in IT testing and certification tools, www.testking.com

- 34 -

350 - 018

QUESTION NO: 60
The network administrator has forgotten the enable password of the router. Luckily, no one is currently
logged into the router, but all passwords on the router are encrypted.
What should the administrator do to recover the enable secret password?

A. Call the Cisco Technical Assistance Center (TAC) for a specific code that will erase the existing
password.
B. Reboot the router, press the BREAK key during boot up, boot the router into ROM Monitor mode to
either erase or replace the existing password, and reboot the router as usual.
C. Reboot the router, press the BREAK key during boot up, and boot the router into ROM Monitor mode to
erase the configuration, and re-install the entire configuration as it was saved on a TFTP server.
D. Erase the configuration, boot the router into ROM Monitor mode, press the BREAK key, and overwrite
the previous enable password with a new one.
Answer: C
Explanation: The other possible answer is not correct in my view as you still need to put the config back onto
the router after rommon mode (normally in nvram but TFTP is a valid storage place as well)

QUESTION NO: 61
According to RFC 1700, what well-known ports are used for DNS?

A. TCP and UDP 23.
B. UDP 53 only.
C. TCP and UDP 53.
D. UDP and TCP 69.
Answer: C
Explanation: Type Application layer name space translation protocol. Port 53 (TCP, UDP)
server.

QUESTION NO: 62
The purpose of Lock & Key is:

A. To secure the console port of the router so that even users with physical access to the router cannot gain
access without entering the proper sequence.
B. To allow a user to Telnet to the router and have temporary access lists applied after issuance of the
access-enable command.
C. To require additional authentication for traffic travelling through the PIX for TTAP compliance.
Leading the way in IT testing and certification tools, www.testking.com

- 35 -

350 - 018

D. To prevent users from getting into enable mode.
Answer: B
Explanation: Lock-and-key access allows you to set up dynamic access lists that grant access per user to a
specific source/destination host through a user authentication process. You can allow user access through a
firewall dynamically, without compromising security restrictions. The following process describes the lock-andkey
access operation A user opens a Telnet session to a border router configured for lock-and-key access. The
Cisco IOS software receives the Telnet packet and performs a user authentication process. The user must pass
authentication before access is allowed. The authentication process can be done by the router or a central access
server such as a TACACS+ or RADIUS server.

QUESTION NO: 63
In addition to Kerberos port traffic, what additional service is used by the router and the Kerberos
server in implementing Kerberos authentication on the router?

A. TCP
B. DNS
C. FTP
D. ICMP
E. Telnet
Answer: E
Explanation: The following network services are supported by the Kerberos authentication capabilities in
Cisco IOS software Telnet, rlogin, rsh, rcp

QUESTION NO: 64
Identify the default port(s) used for web-based SSL (Secure Socket Layer) Communication:

A. TCP and UDP 1025.
B. TCP 80.
C. TCP and UDP 443.
D. TCP and UDP 1353.
Answer: C
Explanation: Secure Sockets Layer (SSL) is an application-level protocol that enables secure transactions of
data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.

Leading the way in IT testing and certification tools, www.testking.com

- 36 -

350 - 018

Use 443 (generally used for SSL transactions) as the SSL TCP service port and 443 as the clear text port.
Configure the server to not use SSL and to monitor port 443. TCP service port 80 requests are serviced
normally. Use 443 as the SSL TCP service port and 81 (or another unused port) for the clear text port.
Configure the server to monitor port 81. TCP service port 80 requests are serviced normally.

QUESTION NO: 65
In the TACACS+ protocol, the sequence number is: (Multiple answer)

A. An identical number contained in every packet.
B. A number that must start with 1 (for the fist packet in the session) and increment each time a request or
response is sent.
C. Always on odd number when sent by the client.
D. Always an even number when sent by the client and odd when sent by the daemon.
Answer: B, C
Explanation: Seq_no - The sequence number of the current packet for the current session. The first TACACS+
packet is a session must have the sequence number 1, and each subsequent packet increments the sequence
number by 1. Thus, clients (such as the NAS) send only packets containing odd sequence numbers, and
TACACS+ daemons send only packets containing even sequence numbers. The sequence number mst never
wrap. In other words, if the sequence number 2^8-1 is ever reached, that session must terminate and be restarted
with a sequence number of 1. CCIE Professional Development Network Security Principles and Pratices by
Saadat Malik pg 496

QUESTION NO: 66
A network administrator is troubleshooting a problem with FTP services. If a device blocks the data
connection, the administrator should expect to see:

A. Very slow connect times.
B. Incomplete execution, when issuing commands like “pwd” or “cd”.
C. No problems at all.
D. User login problems.
E. Failure when listing a directory.
Answer: E
Explanation: Below is a capation from a cert advisory about FTP. FTP can have problems when the data
channel is blocked. In FTP PASV mode, the client makes a control connection to the FTP server (typically port
21/tcp) and requests a PASV data connection. The server responds by listening for client connections on a
specified port number, which is supplied to the client via the control connection An active open is done by the

Leading the way in IT testing and certification tools, www.testking.com

- 37 -

350 - 018

server, from its port 20 to the same port on the client machine as was used for the control connection. The client
does a passive open. For better or worse, most current FTP clients do not behave that way.

QUESTION NO: 67
A Denial of Service (DoS) attack works on the following principle:

A. MS-DOS and PC-DOS operating systems utilize a weak security protocol.
B. All CLIENT systems have TCP/IP stack implementation weaknesses that can be compromised and
permit them to launch an attack easily.
C. Overloaded buffer systems can easily address error conditions and respond appropriately.
D. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete
connections (SYN/RCVD State).
E. A server stops accepting connections from certain networks, once those networks become flooded.
Answer: B
Explanation: Some of these answers are true examples of types of dos but in itself does not define a dos
Denial-of-service (DOS) attacks might attempt o starve a host of reasources needed to function correctly.
Network Intrusion Detection third edition by Stephen Northcutt and Judy Novak pg 93

QUESTION NO: 68
Global deployment of RFC 2827 (ingress and egress filtering) would help mitigate what classification of
attack?

A. Sniffing attack
B. Denial of service attack
C. Spoofing attack
D. Reconnaissance attack
E. Port Scan attack
Answer: C
Explanation: Network Ingress Filtering- Defeating Denial of Service Attacks which employ IP Source Address
Spoofing

QUESTION NO: 69
Which security programs can effectively protect your network against password sniffer programs?
(Multiple answer)

Leading the way in IT testing and certification tools, www.testking.com

- 38 -

350 - 018

A. IPSec, because it encrypts data.
B. One time passwords, because the passwords always change.
C. RLOGIN, because it does not send passwords.
D. Kerberos, because it encrypts passwords.
E. Use of POP e-mail, because it is better than using SMTP.
Answer: A, B

QUESTION NO: 70
Exhibit:

Host 1 and Host 2 are on Ethernet LANs in different building. A serial line is installed between two Cisco
routers using Cisco HDLC serial line encapsulation. Routers A and B are configured to route IP traffic.
Host 1 sends a packet to Host 2. A line hit on the serial line causes an error in the packet.
When this is detected, the retransmission is sent by:

A. Host 1
B. Host 2
C. Router A
D. Router B
E. Protocol analyzer
Answer: C

QUESTION NO: 71
The Diffie-Hellman key exchange allows two parties to establish a shared secret key: (Multiple answer)

A. Over an insurance medium.
B. After a secure session has been terminated.
C. Before a secure session has been initiated.
D. After a session has been fully secured.
E. During a secure session over a secure medium.
Leading the way in IT testing and certification tools, www.testking.com

- 39 -

350 - 018

Answer: A, C
Explanation: DH is used over a insecure medium

QUESTION NO: 72
Exhibit:

aaa new-model
aaa authentication login default localaaa authentication exec default local
username abc privilege 5 password xyzprivilege exec level 3 debug ip icmp

If a router is configured as shown, what will happen when user ABC Telnets to the router and tries to
debug ICMP? (Multiple answer)

A. The user will be locked out because the aaa new-model command is enabled and no TACACS server is
defined.
B. The user can gain entry with the local username/password, but will not be able to use any debug
commands because command authorization will fail.
C. The user can gain entry with the local username/password at Level 5, but cannot use any commands
because none are assigned at Level 5.
D. The user can gain entry with a local username/password at Level 5 and run debug ip icmp
unchallenged.
Answer: D
Explanation: To understand this example, it is necessary to understand privilege levels. By default, there are
three command levels on the router. privilege level 0 . includes the disable, enable, exit, help, and logout
commands privilege level 1 . normal level on Telnet; includes all user-level commands at the router> prompt
privilege level 15 . includes all enable-level commands at the router# prompt username john privilege 9
password 0 doe - He can configure snmp-server community because configure terminal is at level 8 (at or below
level 9), and snmp-server community is level-8 command.

QUESTION NO: 73
When the Cisco Secure Intrusion Detection System sensor detects unauthorized activity:

A. It sends e-mail to the network administrator.
B. It sends an alarm to Cisco Secure Intrusion Detection System Director.
C. It shuts down the interface where the traffic arrived, if device management is configured.
D. It performs a traceroute to the attacking device.
Leading the way in IT testing and certification tools, www.testking.com

- 40 -

350 - 018

Answer: B
Explanation: CSIDS does a lot of these things, but the sensor is more specified. It sends the alarm to the full
CSIDS director

QUESTION NO: 74
Every time a typing mistake is made at the exec prompt of a router, the message from the router
indicates a lookup is being performed. Also, there is a waiting period of several seconds before the next
command can be typed.
Can this behavior!! be changed?

A. No, this is built in feature of Cisco IOS software.
B. Yes, use the no ip domain-lookup command.
C. Yes, use the no ip helper-address command.
D. Yes, use the no ip multicast helper-map command.
E. Yes, use the no exec lookup command.
Answer: B
Explanation: You can disable IP domain lookup using the no ip domain-lookup command under the router's
global configuration mode. This will stop the IP domain lookup and speed up the show command output.

QUESTION NO: 75
What network management software must be installed prior to the Cisco Secure Intrusion Detection
System Director software?

A. CiscoWorks 2000 on Unix.
B. SunNetManager on Solaris.
C. HP OpenView on HPUX or Solaris.
D. Microsoft Internet Information Server on Windows NT.
E. NetSonar on Linux.
Answer: C
Explanation: The following software must be installed on your workstation:
HP-UX
HP-UX 10.20
HP OpenView 4.1, 5.01, or 6.0
Web browser (for NSDB and help file)

Leading the way in IT testing and certification tools, www.testking.com

tag : 정보보안, CCNA, 정보보안학원, IT뱅크

8.22 Terminfo 능력,8.22.1 논리 능력

2007-11-29T17:26:31Z

Variable	Cap.	Int.	Description
	Name	Code
auto_left_margin	bw	bw	cub1이 컬럼 0부터 마지막 컬럼까지 포함한다(wrap)
auto_right_margin	am	am	단말기가 자동적으로 여백을 갖는다.
back_color_erase	bce	ut	화면은 백그라운드 색상으로 지원진다.
can_change	ccc	cc	단말기는 존재하는 색상들로 재정의될 수 있다.
ceol_standout_glitch	xhp	xs	표준출력은 overwritong에 의해 지워지지 않는다.(hp)
col_addr_glitch	xhpa	YA	오직 hpa/mhpa 능력을 위한 적극적인 움직임
cpi_changes_res	cpix	YF	문자 pitch의 변화는 해상도를 변화시킨다.
cr_cancels_micro_mode	crxm	YB	cr를 사용하여 매크로 모드를 off로 전환한다.
eat_newline_glitch	xenl	xn	newline은 80cols 이후에는 무시된다.
erase_overstrike	eo	eo	공백을 가지고 overstrikes를 지울 수 있다.
generic_type	gn	gn	일반적인 줄(line) 타입 (e.g.,, dialup, switch)
hard_copy	hc	hc	단말기를 하드카피한다.
hard_cursor	chts	HC	커서를 보기 어렵다.
has_meta_key	km	km	메타 키를 갖는다 (패리티 비트가 지정된 shift)
has_print_wheel	daisy	YC	프린터는 문자 집합을 바꾸기위한 연산자(operator)가 필요하다
has_status_line	hs	hs	여분의 "상태 줄"을 갖는다
hue_lightness_saturation	hls	hl	단말기는 오직 HLS 색상 표기법만을 사용한다(Tektronix)
insert_null_glitch	in	in	삽입 모드는 널(null)을 구분한다.
lpi_changes_res	lpix	YG	줄(line) pitch의 변경은 해상도를 바꾼다.
memory_above	da	da	Display는 화면 위에 계속 유지되어진다.
memory_below	db	db	Display는 화면 아래에 계속 유지되어진다.
move_insert_mode	mit	mi	삽입 모드 안에서의 이동은 안전하다.
move_standout_mode	msgr	ms	표준출력 모드안에서의 이동은 안전하다.
needs_xon_xoff	nxon	nx	padding은 작업하지 않을 것이고 xon/xoff가 요구된다.
no_esc_ctl_c	xsb	xb	붐비는 장소 (f1=escape, f2=ctrl+c)
non_rev_rmcup	nrrmc	NR	smcup는 rmcup를 반대로 하지 않는다.
no_pad_char	npc	NP	pad 문자는 존재하지 않는다.
non_dest_scroll_region	ndscr	ND	스크롤링 지역은 파괴적이지 않다.
over_strike	os	os	단말기 overstrikes
prtr_silent	mc5i	5i	프린터는 화면에 반향(echo)하지 않는다.
row_addr_glitch	xvpa	YD	vhp/mvpa 능력(caps)를 위한 오직 양의(positive) 움직임
semi_auto_right_margin	sam	YE	마지막 컬럼의 인쇄는 cr를 야기시킨다.
status_line_esc_ok	eslok	es	Escape은 상태줄 상에서 사용되어질 수 있다.
dest_tabs_magic_smso	xt	xt	Tabs ruin, magic so char (Teleray 1061)
tilde_glitch	hz	hz	Hazel-tine; 's를 인쇄할 수 없다.
transparent_underline	ul	ul	밑줄 문자 overstrikes
xon_xoff	xon	xo	단말기는 xon/xoff handshaking을 사용한다.

tag : 리눅스, 정보보안, 정보보안학원, IT뱅크

정보보안/IT-C++ const 용법정리

2007-11-29T17:25:04Z

const에 대해 정리해봤습니다. 약간 불명확한 부분이 있을수도 있겠네요.

const는 변수, 포인터형, 참조형, 함수, 클레스 등에 붙을수 있음.

1. 변수
예)
    const i = 100;
i 값 변경불가

2. 포인터형 : 기본적으로 2가지 형태가 있을 수 있음. 그외 여려형태가 가능
예1) 값은 변경 불가능하지만 주소는 변경가능한 형태
    int temp = 100, temp2 = 200;
    const int *ipConst = &temp;  // *ipConst 값 변경 불가, ipConst(주소)값은 변경가능
    // int const *ipConst = &temp;  // 이런형태로 써도 위와 같은 의미

    // *ipConst = 300;   // 불가능한 형태
    ipConst = &temp2;  // 가능한 형태

예2) 주소는 변경 불가능하지만 값은 변경가능한 형태
    int temp = 100, temp2 = 200;
    int * const iConstp = &temp;  // *iConstp 값 변경 가능, iConstp(주소)값은 변경불가

    *iConstp = 300;   // 가능한 형태
    //iConstp = &temp2;  // 불가능한 형태

주의 : const가 결합되는 위치가 값인지 주소인지에 유의

3. 참조형
예1) 직접적으로 값과 주소 모두 변경 불가능하지만 참조 원본을 통한 값변경은 가능한 경우
   int temp3 = 100, temp5 = 200;
   int const &ircVal = temp3;

   //ircVal = 2000; // 컴파일 에러 발생 (const 참조는 값 변경불가)
   //ircVal = temp5;  // 주소도  변경불가
   temp3 = 9000;  // 참조 원본은 변경가능, 결과적으로 ircVal의 값도 변하게됨


예2) 직접적으로 값과 주소 모두 변경 가능하지만 참조가 가르키는 값은 변화가 없는경우
    int temp4 = 300, temp5 = 500;
    int & const icrVal = temp4;

    icrVal = 6000;  // 값변경 가능, 하지만 값에 변경이 안됨
    cout << " icrVal " << icrVal << endl;  // 여전히 300이 찍힘
    icrVal = temp5; // 주소도 변경가능 역시 값에 변경이 안됨
    cout << " icrVal " << icrVal << endl;  // 여전히 300이 찍힘

4. 함수 : class의 멤버함수인 경우만 const 함수 사용가능. 해당 class의 멤버변수를 변경할수 없음.
예)
class ConstTest
{
public:
        int m_iA;

        ConstTest()
        {        m_iA = 1;           }
        int const_func1( int &a_iA,  int &a_iB) const
        {
                int a = 1;
                int b = 2;
                int c = 0;

                c = a + b;
                a_iA += 100;
                // m_iA += 100; // 에러발생. 멤버변수는 변경 불가
                return m_iA;
        }
};


5. 클레스
예)
  const CMyConstClass CC;

  // 내부 멤버변수 전체를 변경불가능한 클레스,(생성자 함수만은 예외)
  // 모든 내부 멤버 함수는 기본적으로 const 함수가 되야만함.
  // 내부 함수의 지역 변수및 인자로 받은 변수는 변경가능.

tag : 정보보안, C언어, 정보보안학원, C++, IT뱅크

리눅스/8.21 디버그 함수 (Debug Function)

2007-11-28T19:31:13Z

void _init_trace()

void _tracef(char *, ...)

char *_traceattr(mode)

void traceon()

void traceoff()

tag : 리눅스, 정보보안, 정보보안학원, it뱅크

리눅스/8.20 Terminfo 함수들(Functions)

2007-11-28T19:30:15Z

int setupterm(char *term, int fildes, int *errret)
int setterm(char *term)
int set_curterm(TERMINAL *nterm)
int del_curterm(TERMINAL *oterm)
int restartterm(char *term, int fildes, int *errret)
(Note: 아직 구현되지 않음.)
char *tparm(char *str, p1, p2, p3, p4, p5, p6, p7, p8, p9)
p1 - p9 long int.
int tputs(char *str, int affcnt, int (*putc)(char))
int putp(char *str)
int vidputs(chtype attr, int (*putc)(char))
int vidattr(chtype attr)
int mvcur(int oldrow, int oldcol, int newrow, int newcol)
int tigetflag(char *capname)
int tigetnum(char *capname)
int tigetstr(char *capname)

tag : 리눅스, 정보보안, 정보보안학원, it뱅크

리눅스/8.19 Termcap Emulation

2007-11-28T19:29:09Z

int tgetent(char *bp, char *name)

int tgetflag(char id[2])

int tgetnum(char id[2])

char *tgetstr(char id[2], char **area)

char *tgoto(char *cap, int col, int row)

int tputs(char *str, int affcnt, int (*putc)())

tag : 리눅스, 정보보안, 정보보안학원, it뱅크