Tuesday, May 27, 2008

How to Configure Banners

by: Don R. Crawley

Banners can be configured to display when a user first connects (MOTD), when a user logs in (login), or when a user accesses privileged mode (exec). Banners are used for legal warnings such as when a user is cautioned not to access a restricted system or that their access of a system is subject to monitoring and logging. Banners are also used on locked systems placed at customer locations by service providers to provide contact information for device access or technical support. The Cisco security appliance supports the use of login banners in console sessions and Telnet sessions, but not in SSH sessions. Exec and MOTD banners are supported in console, Telnet, and SSH sessions. Banners can be up to 510 characters in length. You can create multiple line banners either by creating multiple banner statements or by using the keystroke sequence of "\n" which inserts a carriage return.

Here's how banners are displayed:

MOTD Banners--When usernames are not configured, MOTD displays at login in a serial console session and before login in Telnet sessions. When usernames are configured, MOTD displays before login in a Telnet session and after login in a serial console session.

Login Banners--The login banner displays before login in Telnet and serial console sessions.

Exec Banners--The exec banner displays upon login in all sessions.

How to Configure a Banner

Note: The following procedures were tested on an ASA 5505 Security Appliance running software version 7.22. Other hardware or software platforms may require modification of these procedures in order to function properly.

To configure a banner, use the following configuration mode commands:

asa(config)#banner motd This is a restricted system.
asa(config)#banner motd Do not attempt unauthorized access.

Notice the use of two banner motd statements to create a multi-line banner. As mentioned previously, you can also use the "\n" key sequence to insert a carriage return.

You can view the banners you created with the following privileged mode command:

asa#show running-config banner
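As an added example (not from the article or from Cisco), here is a small Python audit that parses show running-config banner output the way the appliance renders it: same-type statements are joined into one multi-line banner, the "\n" sequence is expanded, the 510-character limit is checked, and banner types that are missing or lack required wording are flagged. The sample configuration, the REQUIRED_PHRASES policy and the banner_statements helper are assumptions for illustration.

```python
import re

# Constructed sample of 'show running-config banner' output, modelled on the
# article's two-statement MOTD example plus a login banner; not device output.
SAMPLE_RUNNING_CONFIG = """\
banner motd This is a restricted system.
banner motd Do not attempt unauthorized access.
banner login Authorized users only.\\nAll activity is logged and monitored.
"""

BANNER_TYPES = ("motd", "login", "exec")
MAX_BANNER_CHARS = 510          # limit stated in the article

# Wording every banner must carry (assumed policy; adjust to your own).
REQUIRED_PHRASES = ("restricted", "unauthorized")

_BANNER_RE = re.compile(r"^\s*banner\s+(motd|login|exec)\s+(.*)$")


def parse_banners(config_text):
    """Collect banner text per type. Multiple statements of the same type are
    joined with newlines and the literal \\n sequence is expanded, mirroring
    how the appliance displays a multi-line banner."""
    banners = {kind: [] for kind in BANNER_TYPES}
    for line in config_text.splitlines():
        m = _BANNER_RE.match(line)
        if m:
            kind, text = m.group(1), m.group(2)
            banners[kind].append(text.replace("\\n", "\n"))
    return {kind: "\n".join(parts) for kind, parts in banners.items()}


def audit_banners(config_text, required=REQUIRED_PHRASES):
    """Return a list of findings; an empty list means all banners pass."""
    findings = []
    banners = parse_banners(config_text)
    for kind in BANNER_TYPES:
        text = banners[kind]
        if not text:
            findings.append(f"{kind}: no banner configured")
            continue
        if len(text) > MAX_BANNER_CHARS:
            findings.append(f"{kind}: {len(text)} chars exceeds {MAX_BANNER_CHARS}")
        lowered = text.lower()
        missing = [p for p in required if p not in lowered]
        if missing:
            findings.append(f"{kind}: missing required phrase(s) {missing}")
    return findings


def banner_statements(kind, text):
    """Emit configuration-mode statements for a multi-line banner, one
    'banner <kind>' statement per line, as the article's example does."""
    if kind not in BANNER_TYPES:
        raise ValueError(f"unknown banner type {kind!r}")
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"banner is {len(text)} chars, limit is {MAX_BANNER_CHARS}")
    return [f"banner {kind} {line}" for line in text.splitlines() if line.strip()]
```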

Hands-On Exercise: Creating Banners on the Security Appliance

The following procedures are for training purposes only and should only be performed on devices in a laboratory environment. Under no circumstances should these procedures be performed on equipment in a live, production environment without first verifying their suitability in a laboratory environment.

In the following hands-on exercise, you will create MOTD, login, and EXEC banners.

Step 1: In configuration mode, enter the following commands:

asa(config)#banner motd This is the MOTD banner
asa(config)#banner login This is the login banner
asa(config)#banner exec This is the EXEC banner

Step 2: Display the banners you just created with the following command:

asa(config)#show running-config banner

Step 3: Type exit repeatedly until you are logged out of your laboratory security appliance.

Notice which banners are displayed.

Step 4: Enter privileged mode with the command "enable" and notice which banners are displayed.

Step 5: From your laboratory computer, start a Telnet session and again observe which banners are displayed. When you are finished, exit the Telnet session.

Step 6: Also from your laboratory computer, start an SSH session and again observe which banners are displayed. When you are finished, exit the SSH session.

Note: The above procedures are similar to the procedures used to configure banners on other Cisco devices including routers.

Frame Maps, Admin Distance, And More!

Cisco CCNA, CCENT, And CCNP Practice Exam Questions: Frame Maps, Admin Distance, And More!

by: Chris Bryant, CCIE #12933

CCNA And CCENT Certification:

Regarding the following frame map statement, identify the true statements below.

frame-relay map ip 172.1.1.2 211

A. The IP address belongs to the remote router.

B. The IP address belongs to the local router.

C. The DLCI belongs to the remote router.

D. The DLCI belongs to the local router.

E. The DLCI is not shown.

Answers: A, D. The IP address will always be that of the remote router, but the DLCI will always be that of the local router.


CCNP Certification / BSCI Exam:

A route in your routing table is marked with the code "D EX". Which of the following protocols have a default AD lower than that of this route?

A. Internal EIGRP

B. External EIGRP

C. OSPF

D. ISIS

E. RIPv2

F. IGRP

G. RIPv1

Answers: A, C, D, E, F, G. This is an external EIGRP route, which will have a default AD of 170. The protocols in that list that have lower ADs are Internal EIGRP (90), OSPF (110), ISIS (115), RIPv1 and v2 (120), and IGRP (100).


CCNP Certification / BCMSN Exam:

Adjusting which of the following values will decrease BPDU traffic on your network?

A. Forward Delay

B. Max Age

C. Hello Time

D. MAC Address Aging

Answer: C. Increasing the Hello Time reduces the number of BPDUs sent, which decreases the amount of BPDU traffic on the network. This adjustment would have to be configured on the root bridge.


CCNP Certification / ISCW Exam:

Which of the following protocols and port numbers does IKE use?

A. TCP

B. UDP

C. 50

D. 51

E. 500

F. 501

G. 510

Answer: B, E. IKE uses UDP port 500.


CCNP Certification / ONT Exam:

Of the four basic types of delay, which of the following are considered "fixed delays"?

A. processing

B. queueing

C. propagation

D. serialization

Answers: C, D. Propagation and serialization delays are considered "fixed delays".

Look for more free CCNA, CCNP, and CCENT questions soon - only from The Bryant Advantage!

Teardrop Attacks And OSPF

Cisco CCNA, CCENT, And CompTIA Network+ And Security+ Questions: Teardrop Attacks And OSPF

by: Chris Bryant, CCIE #12933

To help you in your preparation for your Cisco CCNA, CCENT, and CCNP exams, here are some free practice questions covering everything from OSPF to route redistribution. And for you Network+ and Security+ certification candidates, there are questions for you as well on the OSI model and SYN attacks. I'll be adding A+ certification questions in future articles.

Let's get started!

CCENT / Network+ Certification:

Does Layer 2 of the OSI model perform error detection, error correction, both, or neither?

Answer: The Data Link layer is capable of error detection, but not error correction.


Security+ Certification:

Briefly describe the purpose of a "SYN cookie".

Answer: One defense against SYN attacks, a SYN cookie verifies the client address before actually allocating resources to that client.


CCNA Certification:

What type of OSPF router is defined as "at least one interface in Area 0, and connecting other areas to Area 0"?

A. ASBR

B. ABR

C. Internal

D. Backbone

E. External

Answer: B. That's the textbook definition of an Area Border Router (ABR).



CCNP Certification / BSCI Exam:

What term is used for the number "2" shown in the below commands?

R2(config)#router rip
R2(config-router)#redistribute ospf 1 metric 2

A. distance

B. administrative distance

C. distance

D. variance

E. seed metric

F. process number

Answer: E. The "2" is the seed metric. The "1" in the redistribute statement is the OSPF process number whose routes are being redistributed into RIP.


CCNP Certification / BCMSN Exam:

In a typical Network Management block, what switch layers are represented?

A. Access

B. Distribution

C. Core

Answers: A, B. In addition to network management devices, both Access and Distribution switches will be found here.

Look for more free Cisco and CompTIA certification exam practice questions soon! Whether you’re working on your CCNA, CCENT, CCNP, Network+ or Security+ certification, there’s something for you here!

VLANs, SYN Attacks, And More!

Cisco CCNA, CCNP, CCENT, and CompTIA Network+ And Security+ Questions:

by: Chris Bryant, CCIE #12933

Let’s test your knowledge of important topics such as SYN attacks and VLANs for your Cisco CCNA, CCNP, and CCENT exams, as well as the CompTIA Security+ and Network+ certification exams!

CCNA / CCENT / CompTIA Network+ Certification:

Host A and Host B are in the same VLAN. Host C and Host D are in a different VLAN. Host A sends a broadcast. How many other hosts will receive it?

A. Zero

B. One

C. Two

D. Three

Answer: B. The other host in the same VLAN, Host B, will receive it. Broadcasts are not forwarded to other VLANs.


Security+ Certification:

Briefly describe a "SYN attack".

Answer: The intruder will generate a series of SYN requests, and the soon-to-be-victimized network device sends a SYN-ACK in response. The device then waits for an ACK, but that never comes. These unfinished connections result in the network device not being able to accept SYN requests from legitimate network hosts, since its buffers will be overwhelmed with the false (and unfinished) requests.



CCNP Certification / BSCI Exam:

If an IPv6 address begins with "FF", what type of address is it?

A. broadcast

B. unicast

C. multicast

D. MACcast

Answer: C. That's a multicast. There's no such thing as a MACcast. But there should be. ;)


CCNP Certification / BCMSN Exam:

Short answer: What interface-level command takes a port operating at L3 and places it into L2 operating mode?

Answer: switchport. To change the port back to a routed port, use no switchport.


CCNP Certification / ISCW Exam:

Short answer: You're going to write a policy map that will be applied to a Serial interface running at T1 speed. By default, how much bandwidth can you assign in that policy?

Answer: The speed of a T1 line is 1544 kbps, but by default only 75% of that bandwidth can be distributed in a policy map - that's 1158 kbps (1544 * .75).

Routing's Not Just For Cisco Exams Anymore!

Microsoft Server 2008 Certification: Routing's Not Just For Cisco Exams Anymore!

by: Chris Bryant, CCIE #12933

Knowing routing theory and routing protocols has always been a big part of earning your CCNA and CCNP certifications. According to Microsoft's exam blueprints for the Server 2008 certification exams, that knowledge will also serve you well on your Microsoft exams.

The topic outline for the Configuring Windows Server 2008 Network Infrastructure exam (70-642) specifically mentions routing and routing protocols as exam topics. Specifically mentioned are RIP, OSPF, and static routing - three topics every CCNA and CCNP candidate will be well prepared to handle!

IPSec isn't part of the CCNA exam, but you'll see it on at least one CCNP exam, and it's also listed as a 70-642 exam topic. IPv6 and IPv4 addressing are both covered on the 70-642 as well.

Microsoft's website lists the following major skills you should expect to see on this exam:

Configuring IP addresses and Services (routing with RIP and OSPF, static routing, persistent routing, addressing, DHCP and DHCP options including relay agents, IPSec policies, Authentication Header and Encapsulating Security Payload, subnetting, supernetting)

Configuring Name Resolution (DNS configuration, zones, records, replication, and integration with Active Directory, and client computer name resolution techniques)

Configuring Network Access (includes NAT, VPNs, RADIUS, 802.1x authentication, MS-CHAP, firewalls, and remote authentication)

Configuring File And Print Services (self-explanatory)

Monitoring And Managing A Network Infrastructure (includes SNMP and Windows Server Update Services)

Your CCNA and CCNP preparation will not quite be enough to get you past this exam, but as you can see, it'll give you a great head start!

Hex Conversions, Static Routes, And More!

Cisco CCNA And CCNP Practice Questions:

by: Chris Bryant, CCIE #12933

Let’s test your knowledge of important Cisco certification exam topics with these CCNA, CCENT, and CCNP questions!

CCENT and CCNA Certification:

You want to create a static route that will send packets out the ethernet0 interface on your local router if there is no other match for the actual destination in the routing table. What command will create such a route?

Answer: The ip route command is used to create a default static route, such as the one needed here. The syntax:

ip route 0.0.0.0 0.0.0.0 ethernet0

CCNA Certification:

Short answer: The binary string 11010101, converted to hex, equals ____________ .

Answer: That string converts to the decimal 213, which converts to the hex value D5, or d5.

CCNP Certification / BSCI Exam:

Short answer: What LSA type is generated by an ABR and describes inter-area links?

Answer: Type 3 LSAs are generated by ABRs and describe inter-area routes.

CCNP Certification / BCMSN Exam:

While visiting a client's network, you notice that VLAN 25 is configured as the native VLAN. No hosts are actually in VLAN 25, though. What kind of network attack does this guard against?

Answer: This is one method of preventing VLAN hopping, specifically a double tagging attack.


CCNP Certification / ONT Exam:

Which of the following QoS models uses PHB?

A. Integrated Services

B. Differentiated Services

C. Distributed Services

D. Best Effort Delivery

Answer: B. Differentiated Services uses Per-Hop Behavior (PHB), rather than creating a reserved path in advance of transmission, as Integrated Services does.

CCNP Certification / ISCW Exam:

Identify the true statements.

A. A CLI session is 10 minutes by default.

B. A CLI session is 20 minutes by default.

C. A CLI session has no default length.

D. A CLI session's duration can be changed.

E. A CLI session's duration is fixed in length and cannot be changed.

Answers: A, D. A CLI session is 10 minutes by default and can be changed with the exec-timeout command.


Look for more free Cisco exam practice questions on this same website soon!

Routers, Switches, Frame Relay, And More!

Cisco CCNA / CCNP Certification Practice Questions:

by: Chris Bryant, CCIE #12933

Let’s test your knowledge of the OSI model, frame relay, and other important topics for your Cisco certification exams!

CCENT Certification:

Identify the devices that run at the bottom layer of the OSI model.

A. router

B. switch

C. hub

D. wireless access point

E. repeater

Answers: C, E. Both hubs and repeaters run at Layer 1 of the OSI model, the Physical layer.


CCNA Certification Exam:

Identify the frame relay encapsulation options.

A. Cisco (default)

B. IETF (default)

C. ANSI (default)

D. Cisco

E. IETF

F. ANSI

Answer: A, E. The encapsulation options are cisco and ietf, and cisco is the default.

CCNP Certification / BSCI Exam:

Short answer: What LSA type indicates the location of the ASBR?

Answer: Type 4 LSAs indicate the route to the ASBR.

CCNP Certification / BCMSN Exam:

Which of the following is true of the "collapsed core" design?

A. There is no dedicated core switch.

B. There is no dedicated distribution-layer switch.

C. There is no dedicated access-layer switch.

D. A single switch will handle the tasks of all three of these layers.

Answers: A, B. The term "collapsed core" refers to the middle two layers of the Cisco three-layer switching model - core and distribution - running on the same physical switches.

CCNP Certification / ISCW Exam:

Short answer: What term is given to the network attack that occurs when an intruder gathers information in preparation for a larger attack in the future?

Answer: That is a network reconnaissance attack.

CCNP Certification / ONT Exam:

Short answer: WRED uses one of what two values in order to make a decision on what traffic to drop in case of network congestion?

Answer: WRED can use the DSCP (Differentiated Services Code Point) or IP Precedence values to make this decision.

Etherchannels, The OSI Model, And More!

Cisco And CompTIA Practice Questions:

by: Chris Bryant, CCIE #12933

Here are some questions on static routing, the OSI model, IP version 6, and other topics to help prepare you for CCNA, CCENT, and CCNP certification exam success! Network+ candidates, I didn’t leave you out!

CCNA Certification:

What character or combination of characters indicates a statically configured default route?

Answer: An "S*" next to a route indicates that it is a default static route. If there were no asterisk, the route type indicated would be a static route – but not a default static route.

CCENT Certification / Network+ Certification Question:

Which one of the following networking terms is not associated with the same OSI layer as the others?

A. router

B. packet

C. TCP

D. IP

Answer: C. TCP runs at the Transport layer of the OSI model. The other three terms are associated with the Network layer. The Network layer is sometimes referred to as the “routing layer”.

CCNP Certification / BSCI Exam:

If an IPv6 address begins with "FF", what kind of address is it?

A. broadcast

B. unicast

C. anycast

D. multicast

Answer: D. Any IPv6 address beginning with "FF" is a multicast. IPv6 does not use broadcasts.

CCNP Certification / BCMSN Exam:

You've configured an Etherchannel and note that the trunk has gone down. You check the interfaces on one switch and note that two are "err-disabled". The corresponding ports on the other switch are not. What should you do?

A. Nothing - that's the normal and desired behavior.

B. Shut and reopen the err-disabled interfaces.

C. Shut and reopen the non-err-disabled interfaces.

D. Use the err-abled command on the err-disabled interfaces.

Answer: B. After finishing the config, shut and reopen the err-disabled interfaces. If the configuration is correct, that will do the trick. This is common when you configure all of the ports on one switch and then start configuring the other switch, rather than going back and forth between the appropriate ports on the switches.

See you soon with more CCNA, Network+, CCNP, and CCENT questions!

The DTE/DCE Cable

Cisco CCNA, CCENT, And CCNP Home Lab Study:

by: Chris Bryant, CCIE #12933

More Cisco CCNA, CCENT, and CCNP candidates than ever before are putting together their own home labs for their certification exam study, and that's a great trend - there's nothing like learning on the real thing!

Part of putting a home lab together is getting the right cables and understanding their usage. In this new Cisco home lab series, we'll take a look at the different cable types and how each fits into your home lab. The first cable type we'll look at is the multi-purpose DTE/DCE cable.

When I say "multi-purpose", I mean that while the cable will always perform the same task, it can be used in several different points in your home lab network. If you're going to have a frame relay switch - and you should get one if at all possible, since having your own frame relay cloud is a tremendous boost to your home lab studies and your exam score - you're going to need a DTE/DCE cable.

You can also use a DTE/DCE cable to directly connect two Cisco router serial interfaces and configure HDLC (the default) or PPP encapsulation over that point-to-point link.

Most of today's DTE/DCE cables have "DTE" clearly stamped on one end of the cable - actually, "DTE" is probably embedded into the connector itself. Naturally, the other end will have "DCE" clearly indicated. It's the DCE end that will connect to your frame relay switch. If you're going to use a direct connection to run PPP or HDLC, it almost doesn't matter which end of the cable is connected to a given router.

Keyword: "almost". You must use the clockrate command on the DCE end of the connection in order to bring the line protocol up.

If you're not sure which end of your DTE/DCE cable is connected to a given serial interface, just use the show controller serial command to get that information. Most of the output of that command isn't comprehensible, but what we need is right on top:

R3#show controller serial 1
HD unit 1, idb = 0x11B4DC, driver structure at 0x121868
buffer size 1524 HD unit 1, V.35 DCE cable

Naturally, if it's the DTE end, you'll see "DTE" there. And if you don't have anything connected to that interface, you'll see "no cable".

Whether you have your own frame relay switch or not, you'll want to pick up some DTE/DCE cables for direct connections between your Cisco home lab router's serial interfaces. Just don't forget to put the clockrate command on the DCE end of the cable! And if you're not familiar with a frame relay switch, check this same website soon for a tutorial that will show you how to set one up.

Just about any Cisco router can serve as a home lab frame relay switch, and once you've got it configured, you're in good shape - but it can be a little maddening to get it up and running in the first place. I'll show you how to avoid that aggravation in the next installment of this Cisco home lab tutorial series!

HSRP, OSPF Cost, Route Summarization, And More!

Cisco CCNA, CCENT, CCNP, And CompTIA Questions:

by: Chris Bryant, CCIE #12933

Let's test your knowledge of important CCNA, CCENT, CCNP, and Network+ exam topics!

CCNA Certification:

The term used for an OSPF path metric is ____________ .

Extra credit: What formula does OSPF use to calculate that metric?

Answer: OSPF's metric is referred to as cost, and the calculation is 100,000,000 / interface speed in bps.



Cisco CCENT / CompTIA Network+ Question:

Which of the following do TCP and UDP headers have in common?

A. sequence number

B. source port

C. source IP address

D. window

E. destination port

F. destination IP address

G. ACK bit

H. reset bit

Answer: B, E. In addition to the source port and destination port numbers, the UDP and TCP headers also have a checksum field in common.



CCNP Certification / BSCI Exam:

In ISIS, what is the most efficient point of a network at which to perform route summarization?

A. An L1 router.

B. An L2 router.

C. An L1/L2 router.

D. A DIS router.

Answer: C. L1/L2 routers are area boundary routers in ISIS, and this is the most efficient point at which to configure route summarization.



CCNP Certification / BCMSN Exam:

Short answer: An HSRP router is the primary router and it has a priority of 100. Another router comes online in the same group and it has a priority of 107. Does the new router become the primary? If so, why? If not, what additional configuration is needed to make it the primary?

Answer: By default, the new router with the higher priority will not become the primary router. To allow a router with a higher priority to take over the role of HSRP primary from an existing and normally functioning primary, the preempt option must be configured on the router with the higher priority.

Let's use a two-router HSRP deployment as an example. R2 is the standby, R3 is the primary ("active"), and both have an HSRP priority of 100. Raising R2's priority to 150 does not automatically make it the primary, as shown below.

R2(config)#interface ethernet0
R2(config-if)#standby 5 priority 150

R2#show standby
Ethernet0 - Group 5
  Local state is Standby, priority 150
  Hellotime 4 sec, holdtime 12 sec
  Next hello sent in 0.896
  Virtual IP address is 172.12.23.10 configured
  Active router is 172.12.23.3, priority 100 expires in 8.072
  Standby router is local
  1 state changes, last state change 00:14:24

R2 now has a higher priority, but R3 is still the active router. R2 will not take over as the HSRP primary until R3 goes down - OR the preempt option is configured on R2.

R2(config-if)#standby 5 priority 150 preempt

1d11h: %STANDBY-6-STATECHANGE: Ethernet0 Group 5 state Standby -> Active

R2#show standby
Ethernet0 - Group 5
  Local state is Active, priority 150, may preempt
  Hellotime 4 sec, holdtime 12 sec
  Next hello sent in 1.844
  Virtual IP address is 172.12.23.10 configured
  Active router is local
  Standby router is 172.12.23.3 expires in 10.204
  Virtual mac address is 0000.0c07.ac05
  2 state changes, last state change 00:00:13
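As an added example (not part of the article, not Cisco code), here is a Python check that parses show standby output and flags the condition shown above before preempt was added: the local router sits in Standby with a higher priority than the active router but without "may preempt", so the intended primary never takes over. The two sample outputs are constructed from the article's R2 output.

```python
import re

# Constructed 'show standby' excerpts modelled on the article's R2 output,
# before and after 'preempt' was added (not captured from a live device).
BEFORE_PREEMPT = """\
Ethernet0 - Group 5
  Local state is Standby, priority 150
  Hellotime 4 sec, holdtime 12 sec
  Virtual IP address is 172.12.23.10 configured
  Active router is 172.12.23.3, priority 100 expires in 8.072
  Standby router is local
"""

AFTER_PREEMPT = """\
Ethernet0 - Group 5
  Local state is Active, priority 150, may preempt
  Hellotime 4 sec, holdtime 12 sec
  Virtual IP address is 172.12.23.10 configured
  Active router is local
  Standby router is 172.12.23.3 expires in 10.204
"""

_GROUP_RE = re.compile(r"^(\S+) - Group (\d+)\s*$", re.M)
_LOCAL_RE = re.compile(r"Local state is (\w+), priority (\d+)(, may preempt)?")
# The active router's address is followed by a comma, so stop before it.
_ACTIVE_RE = re.compile(r"Active router is ([^\s,]+)(?:, priority (\d+))?")


def parse_show_standby(text):
    """Split 'show standby' output into one record per HSRP group."""
    groups = []
    headers = list(_GROUP_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        local = _LOCAL_RE.search(body)
        active = _ACTIVE_RE.search(body)
        if not local or not active:
            continue  # unparseable block: skip rather than guess
        groups.append({
            "interface": h.group(1),
            "group": int(h.group(2)),
            "state": local.group(1),
            "priority": int(local.group(2)),
            "preempt": local.group(3) is not None,
            "active_router": active.group(1),
            "active_priority": int(active.group(2)) if active.group(2) else None,
        })
    return groups


def stranded_standbys(text):
    """Return findings for groups where this router is Standby, outranks the
    active router on priority, and has no 'may preempt' flag."""
    findings = []
    for g in parse_show_standby(text):
        if (g["state"] == "Standby" and not g["preempt"]
                and g["active_priority"] is not None
                and g["priority"] > g["active_priority"]):
            findings.append(
                f"{g['interface']} group {g['group']}: local priority {g['priority']} "
                f"> active {g['active_router']} priority {g['active_priority']}, "
                f"but preempt is not configured")
    return findings
```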

That's enough for today! Look for more free Cisco and CompTIA certification exam questions on this website soon! A+ certification and Microsoft Vista certification practice questions are on the way as well!
