CCNA 4 SECURITY COMMANDS

R1(config)#enable secret ciscoccna
R1(config)#username ccna privilege 5 password ciscoccna
R1(config)#aaa new-model
--- The aaa command enables AAA (authentication, authorization and accounting) globally on the router. This is used for logging in to the router.

R1(config)#aaa authentication login LOCAL_AUTH local
--- You can create an authentication list that is consulted when someone tries to log in to the device, once the list has been applied to the vty lines and console lines. The keyword local indicates that the user database is stored locally on the router.

R1(config)#line console 0
R1(config-line)#login authentication LOCAL_AUTH
R1(config-line)#line vty 0 4
R1(config-line)#login authentication LOCAL_AUTH

To apply simple encryption to passwords, enter the following command in global configuration mode:

R1(config)#service password-encryption

You can have the router disconnect a line that has been idle for a specified period of time. If a network engineer was logged in to a network device and had to leave suddenly, this command logs the user out automatically after a specified period of time. The following commands cause the line to be disconnected after 5 minutes.

R1(config)#line console 0
R1(config-line)#exec-timeout 5 0
R1(config-line)#line vty 0 4
R1(config-line)#exec-timeout 5 0

The following command makes brute-force login attempts harder. The router blocks login attempts for 5 minutes if someone fails to log in 5 times within 2 minutes.

R1(config)#login block-for 300 attempt 2 within 120
R1(config)#security authentication failure rate 5 log

R1(config)#router rip
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface s0/0/0
--- The passive-interface command prevents routers from sending routing updates out of all interfaces except those that were configured to participate in routing updates. This command is entered as part of the RIP configuration. The first command puts all interfaces into passive mode (the interface only receives RIP updates). The second command returns specific interfaces from passive mode to active mode (sending and receiving RIP updates).

The first step in securing RIP is to prevent unnecessary RIP updates from reaching the whole network. The next step is to protect RIP updates with passwords. To do this, first configure the key that will be used.

R1(config)#key chain RIP_KEY
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco

To use the key, each interface that participates in RIP updates must be configured. These are the same interfaces that were enabled earlier with the no passive-interface command.

R1
R1(config)#int s0/0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP_KEY

Use the logging command to select the IP address of the device to which SNMP messages will be sent.

R1(config)#logging 192.168.10.10

The logging trap command sets the severity level. The severity level includes the specified level and any other level below it (in terms of severity). Set R1 to level 4 to capture messages with severity levels 4, 5, 6 and 7.

R1(config)#logging trap warnings

Step 2: Disable unused global services.

Most modern networks do not need many services. Leaving unused services enabled leaves ports open that can be used to compromise the network. Disable each of these services on R1.

R1(config)#no service pad
R1(config)#no service finger
R1(config)#no service udp-small-servers
R1(config)#no service tcp-small-servers
R1(config)#no ip bootp server
R1(config)#no ip http server
R1(config)#no ip finger
R1(config)#no ip source-route
R1(config)#no ip gratuitous-arps
R1(config)#no cdp run

Step 3: Disable unused interface services.

These commands are entered at the interface level and should be applied to every interface on R1.

R1(config-if)#no ip redirects
R1(config-if)#no ip proxy-arp
R1(config-if)#no ip unreachables
R1(config-if)#no ip directed-broadcast
R1(config-if)#no ip mask-reply
R1(config-if)#no mop enabled

With the AutoSecure feature, the same security features just applied (except RIP security) can be applied to a router much more quickly. Because security has already been established on R1

R3#auto secure

You can use the dir all command to show all the files on the router.

R2#dir all

From R1, retrieve the file and save it to flash memory.

R2#copy tftp flash

Since unused files should not take up valuable memory space, they should now be deleted from the flash memory of R1. Be very careful when doing so.
El ==========ROUTER 1========== enable configure terminal hostname R1 enable secret cisco username cisco password cisco line console 0 password cisco login exit ip domain-name chile.cl crypto key generate rsa 1024 ip ssh version 2 line vty 0 4 transport input ssh login local exit interface serial 0/0/0 ip address 10.0.59.153 255.255.255.252 clock rate 128000 no shutdown exit interface fastethernet 0/1 ip address 10.0.59.161 255.255.255.252 no shutdown exit interface fastethernet 0/0.91 encapsulation dot1q 91 native ip address 10.0.59.129 255.255.255.248 exit interface fastethernet 0/0.10 encapsulation dot1q 10 ip address 10.0.59.1 255.255.255.128 exit interface fastethernet 0/0.20 encapsulation dot1q 20 ip address 10.0.58.1 255.255.255.0 exit interface fastethernet 0/0.30 encapsulation dot1q 30 ip address 10.0.56.1 255.255.254.0 exit interface fastethernet 0/0.40 encapsulation dot1q 40 ip address 10.0.54.1 255.255.254.0 exit interface fastethernet 0/0.50 encapsulation dot1q 50 ip address 10.0.52.1 255.255.254.0 exitinterface fastethernet 0/0.60 encapsulation dot1q 60 ip address 10.0.48.1 255.255.252.0 exit interface fastethernet 0/0 no shutdown exit router eigrp 65500 no auto-summary network 10.0.48.0 0.0.3.255 network 10.0.52.0 0.0.1.255 network 10.0.54.0 0.0.1.255 network 10.0.56.0 0.0.1.255 network 10.0.58.0 0.0.0.255 network 10.0.59.0 0.0.0.127 network 10.0.59.128 0.0.0.7 network 10.0.59.160 0.0.0.3 network 10.0.59.152 0.0.0.3 end wr ==========ROUTER 2========== enable configure terminal hostname R2 enable secret cisco username cisco password cisco line console 0 password cisco login exit ip domain-name chile.cl crypto key generate rsa 1024 ip ssh version 2 line vty 0 4 transport input ssh login local exit interface serial 0/0/0 ip address 10.0.59.157 255.255.255.252 clock rate 128000 no shutdown exit interface serial 0/0/1 ip address 10.0.59.154 255.255.255.252 no shutdown exit interface fastethernet 0/1 ip address 10.0.59.165 255.255.255.252no shutdown exit 
interface fastethernet 0/0.92 encapsulation dot1q 92 native ip address 10.0.59.137 255.255.255.248 exit interface fastethernet 0/0.70 encapsulation dot1q 70 ip address 10.0.44.1 255.255.252.0 exit interface fastethernet 0/0.80 encapsulation dot1q 80 ip address 10.0.40.1 255.255.252.0 exit interface fastethernet 0/0.90 encapsulation dot1q 90 ip address 10.0.36.1 255.255.252.0 exit interface fastethernet 0/0.100 encapsulation dot1q 100 ip address 10.0.32.1 255.255.252.0 exit interface fastethernet 0/0.110 encapsulation dot1q 110 ip address 10.0.24.1 255.255.248.0 exit interface fastethernet 0/0 no shutdown exit router eigrp 65500 no auto-summary network 10.0.24.0 0.0.7.255 network 10.0.32.0 0.0.3.255 network 10.0.36.0 0.0.3.255 network 10.0.40.0 0.0.3.255 network 10.0.44.0 0.0.3.255 network 10.0.59.136 0.0.0.7 network 10.0.59.164 0.0.0.3 network 10.0.59.152 0.0.0.3 network 10.0.59.156 0.0.0.3 end wr ==========ROUTER 3========== enable configure terminal hostname R3 enable secret ciscousername cisco password cisco line console 0 password cisco login exit ip domain-name chile.cl crypto key generate rsa 1024 ip ssh version 2 line vty 0 4 transport input ssh login local exit interface serial 0/0/1 ip address 10.0.59.158 255.255.255.252 clock rate 128000 no shutdown exit interface fastethernet 0/1 ip address 10.0.59.169 255.255.255.252 no shutdown exit interface fastethernet 0/0.93 encapsulation dot1q 93 native ip address 10.0.59.145 255.255.255.248 exit interface fastethernet 0/0.120 encapsulation dot1q 120 ip address 10.0.16.1 255.255.248.0 exit interface fastethernet 0/0.130 encapsulation dot1q 130 ip address 10.0.8.1 255.255.248.0 exit interface fastethernet 0/0.140 encapsulation dot1q 140 ip address 10.0.0.1 255.255.248.0 exit interface fastethernet 0/0 no shutdown exit router eigrp 65500 no auto-summary network 10.0.0.0 0.0.7.255 network 10.0.8.0 0.0.7.255 network 10.0.16.0 0.0.7.255 network 10.0.59.144 0.0.0.7 network 10.0.59.156 0.0.0.3 network 10.0.59.168 0.0.0.3 
endwr ==========SWITCH 1========== enable configure terminal hostname SW1 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode server domain duoc1 password vtp1vlan 10 name DIEZ exit vlan 20 name VEINTE exit vlan 30 name TREINTA exit vlan 40 name CUARENTA exit vlan 50 name CINCUENTA exit vlan 60 name SESENTA exit vlan 91 name ADM1 exit spanning-tree mode rapid-pvst interface fastethernet 0/3 switchport mode trunk switchport trunk native vlan 91 exit interface range fastethernet 0/1 - 2 switchport mode trunkswitchport trunk native vlan 91 spanning-tree link-type point-to-point exit interface range fastethernet 0/4 - 24 switchport mode access switchport access vlan 91 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/24 switchport port-security mac-address 0090.0C49.2C12 no shutdown exit interface vlan 91 ip address 10.0.59.130 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.129 end wr ==========SWITCH 2========== enable configure terminal hostname SW2 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode client domain duoc1 password vtp1spanning-tree mode rapid-pvst interface range fastethernet 0/1 - 2 switchport mode trunk switchport trunk native vlan 91 spanning-tree link-type point-to-point exit interface range fastethernet 0/3 - 10 switchport mode access switchport access vlan 10switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/11 - 20 switchport mode access switchport access vlan 20 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/21 - 24 switchport mode access switchport access vlan 30 switchport 
port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0007.ECE1.17AC no shutdown exit interface fastethernet 0/15 switchport port-security mac-address 0006.2ABB.B625 no shutdown exit interface fastethernet 0/5 switchport port-security mac-address 0040.0B43.13C4 no shutdown exit interface vlan 91 ip address 10.0.59.131 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.129 end wr ==========SWITCH 3========== enable configure terminal hostname SW3 line console 0 password cisco login exitline vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode client domain duoc1 password vtp1spanning-tree mode rapid-pvst spanning-tree spanning-tree spanning-tree spanning-tree spanning-tree spanning-tree spanning-tree spanning-tree vlan vlan vlan vlan vlan vlan vlan vlan 91 priority 4096 10 priority 4096 20 priority 4096 30 priority 4096 40 priority 4096 50 priority 4096 60 priority 4096 1 priority 4096interface range fastethernet 0/1 - 2 switchport mode trunk switchport trunk native vlan 91 spanning-tree link-type point-to-point exit interface range fastethernet 0/3 - 10 switchport mode access switchport access vlan 40 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/11 - 20 switchport mode access switchport access vlan 50 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/21 - 24 switchport mode access switchport access vlan 60 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0000.0CAA.3E68 no shutdown exitinterface fastethernet 0/15 switchport port-security mac-address 0002.4AE0.5D78 no shutdown 
exit interface fastethernet 0/5 switchport port-security mac-address 0002.179C.A2A6 no shutdown exit interface vlan 91 ip address 10.0.59.132 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.129 end wr ==========SWITCH 4========== enable configure terminal hostname SW4 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode server domain duoc2 password vtp2vlan 70 name SETENTA exit vlan 80 name OCHENTA exit vlan 90 name NOVENTA exit vlan 100 name CIEN exit vlan 110 name CIENTODIEZ exitvlan 92 name ADM2 exit interface range fastethernet 0/1 - 3 switchport mode trunk switchport trunk native vlan 92 exit interface range fastethernet 0/4 - 15 switchport mode access switchport access vlan 70 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/16 - 24 switchport mode access switchport access vlan 80 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/5 switchport port-security mac-address 00D0.97A2.0EE5 no shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0090.2BB6.24CC no shutdown exit interface vlan 92 ip address 10.0.59.138 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.137 end wr ==========SWITCH 5========== enable configure terminal hostname SW5 line console 0 password cisco login exitline vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode client domain duoc2 password vtp2interface range fastethernet 0/1 - 4 switchport mode trunk switchport trunk native vlan 92 exit interface range fastethernet 0/5 - 15 switchport mode access switchport access vlan 90 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/16 - 24 switchport mode 
access switchport access vlan 100 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0090.2187.B06D no shutdown exit interface fastethernet 0/5 switchport port-security mac-address 00D0.D3D4.E967 no shutdown exit interface vlan 92 ip address 10.0.59.139 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.137 end wr ==========SWITCH 6========== enable configure terminalhostname SW6 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vtp vtp vtp vtp version 2 mode client domain duoc2 password vtp2interface range fastethernet 0/1 - 2 switchport mode trunk switchport trunk native vlan 92 exit interface range fastethernet 0/3 - 15 switchport mode access switchport access vlan 110 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/15 switchport port-security mac-address 0001.9715.4AC5 no shutdown exit interface vlan 92 ip address 10.0.59.140 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.137 end wr ==========SWITCH 7========== enable configure terminal hostname SW7 line console 0 password cisco login exit line vty 0 15 password cisco login exitenable secret cisco vlan 120 name CIENTOVEINTE exit vlan 130 name CIENTOTREINTA exit vlan 140 name CIENTOCUARENTA exit vlan 93 name ADM3 exit spanning-tree vlan 120 root primary interface range fastethernet 0/1 - 3 switchport mode trunk switchport trunk native vlan 93 exit interface range fastethernet 0/4 - 10 switchport mode access switchport access vlan 120 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/11 - 19 switchport mode access switchport access vlan 130 spanning-tree portfast switchport port-security switchport 
port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/20 - 24 switchport mode access switchport access vlan 140 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 00E0.8F18.490C no shutdown exitinterface fastethernet 0/15 switchport port-security mac-address 000A.41C8.6330 no shutdown exit interface fastethernet 0/5 switchport port-security mac-address 0030.F287.0EA9 no shutdown exit interface vlan 93 ip address 10.0.59.146 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.145 end wr ==========SWITCH 8========== enable configure terminal hostname SW8 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vlan 120 name CIENTOVEINTE exit vlan 130 name CIENTOTREINTA exit vlan 140 name CIENTOCUARENTA exit vlan 93 name ADM3 exit spanning-tree vlan 130 root primary interface range fastethernet 0/1 - 2 switchport mode trunk switchport trunk native vlan 93 exitinterface range fastethernet 0/4 - 10 switchport mode access switchport access vlan 120 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/11 - 19 switchport mode access switchport access vlan 130 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/20 - 24 switchport mode access switchport access vlan 140 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0001.6444.B7B2 no shutdown exit interface fastethernet 0/15 switchport port-security mac-address 
00E0.A396.D365 no shutdown exit interface fastethernet 0/5 switchport port-security mac-address 0001.63C2.9DD3 no shutdown exit interface vlan 93 ip address 10.0.59.147 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.145 end wr ==========SWITCH 9========== enableconfigure terminal hostname SW9 line console 0 password cisco login exit line vty 0 15 password cisco login exit enable secret cisco vlan 120 name CIENTOVEINTE exit vlan 130 name CIENTOTREINTA exit vlan 140 name CIENTOCUARENTA exit vlan 93 name ADM3 exit spanning-tree vlan 140 root primary interface range fastethernet 0/1 - 2 switchport mode trunk switchport trunk native vlan 93 exit interface range fastethernet 0/4 - 10 switchport mode access switchport access vlan 120 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/11 - 19 switchport mode access switchport access vlan 130 spanning-tree portfast switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface range fastethernet 0/20 - 24 switchport mode access switchport access vlan 140 spanning-tree portfast switchport port-securityswitchport port-security maximum 1 switchport port-security violation shutdown shutdown exit interface fastethernet 0/22 switchport port-security mac-address 0001.6473.8E80 no shutdown exit interface fastethernet 0/15 switchport port-security mac-address 00D0.58CB.4C7A no shutdown exit interface fastethernet 0/5 switchport port-security mac-address 00E0.8FB7.5BD8 no shutdown exit interface vlan 93 ip address 10.0.59.148 255.255.255.248 no shutdown exit ip default-gateway 10.0.59.145 end wr ==========EQUIPOS========== PC10 IP ADDRESS MASCARA GATEWAY SERV. DNS PC20 IP ADDRESS MASCARA GATEWAY SERV. DNS PC30 IP ADDRESS MASCARA GATEWAY SERV. DNS PC40 IP ADDRESS MASCARA GATEWAY SERV. 
DNS = = = = = = = = = = = = = = = = 10.0.59.10 255.255.255.128 10.0.59.1 10.0.59.170 10.0.58.10 255.255.255.0 10.0.58.1 10.0.59.170 10.0.56.10 255.255.254.0 10.0.56.1 10.0.59.170 10.0.54.10 255.255.254.0 10.0.54.1 10.0.59.170PC50 IP ADDRESS = 10.0.52.10 MASCARA = 255.255.254.0GATEWAY = 10.0.52.1 SERV. DNS = 10.0.59.170 PC60 IP ADDRESS MASCARA GATEWAY SERV. DNS PC77 IP ADDRESS MASCARA GATEWAY SERV. DNS PC70 IP ADDRESS MASCARA GATEWAY SERV. DNS PC80 IP ADDRESS MASCARA GATEWAY SERV. DNS PC90 IP ADDRESS MASCARA GATEWAY SERV. DNS PC100 IP ADDRESS MASCARA GATEWAY SERV. DNS PC110 IP ADDRESS MASCARA GATEWAY SERV. DNS PC127 IP ADDRESS MASCARA GATEWAY SERV. DNS PC128 IP ADDRESS MASCARA GATEWAY SERV. DNS = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 10.0.48.10 255.255.252.0 10.0.48.1 10.0.59.170 10.0.59.133 255.255.255.248 10.0.59.129 10.0.59.170 10.0.44.10 255.255.252.0 10.0.44.1 10.0.59.170 10.0.40.10 255.255.252.0 10.0.40.1 10.0.59.170 10.0.36.10 255.255.252.0 10.0.36.1 10.0.59.170 10.0.32.10 255.255.252.0 10.0.32.1 10.0.59.170 10.0.24.10 255.255.248.0 10.0.24.1 10.0.59.170 10.0.16.7 255.255.248.0 10.0.16.1 10.0.59.170 10.0.16.8 255.255.248.0 10.0.16.1 10.0.59.170PC129 IP ADDRESS = 10.0.16.9 MASCARA = 255.255.248.0GATEWAY = 10.0.16.1 SERV. DNS = 10.0.59.170 PC137 IP ADDRESS MASCARA GATEWAY SERV. DNS PC138 IP ADDRESS MASCARA GATEWAY SERV. DNS PC139 IP ADDRESS MASCARA GATEWAY SERV. DNS PC147 IP ADDRESS MASCARA GATEWAY SERV. DNS PC148 IP ADDRESS borrado accidental de la memoria flash significar que se deber volver a instalar toda la i magen de IOS para el router. Si el router indica que se borrase la memoria flash (erase flash), signi fica que existe un error. Pocas veces se querr borrar toda la memoria flash. La nica ocasin legtima en que est o suceder es cuando se actualice el IOS a una imagen de IOS grande. Si aparece al indicador e rase flash, tal como se muestra en el ejemplo, DETNGASE DE INMEDIATO. NO presione Intro. 
Pida ayu da al instructor DE INMEDIATO. Erase flash: ?[confirm] no R1#delete flash:test-server Delete filename [test-server]? Delete flash:test? [confirm] R1#delete flash:test-router Delete filename [test-router]? Delete flash:test-router? [confirm]
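
The hardening commands from the first part of this page (AAA login lists, idle timeouts, disabled global and interface services, RIP authentication) can be checked mechanically against a configuration script. The following Python audit is an added example, not part of the original lab material; the function names and the sample configuration are constructed for illustration, and it assumes a flat command script like the ones on this page, where a section ends at exit, end, ! or the next section header.

```python
import re

# Global commands (matched as line prefixes) and per-interface commands this page applies.
GLOBAL_REQUIRED = [
    "service password-encryption", "aaa new-model", "login block-for", "no service pad",
    "no service finger", "no service udp-small-servers", "no service tcp-small-servers",
    "no ip bootp server", "no ip http server", "no ip finger", "no ip source-route",
    "no ip gratuitous-arps", "no cdp run"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply", "no mop enabled"]
HEADERS = ("interface ", "int ", "line ", "router ", "key chain ")

def parse(config):
    """Split a command script into global lines and (header, body) sections."""
    global_lines, sections, current = [], [], None
    for line in (raw.strip().lower() for raw in config.splitlines()):
        if line.startswith(HEADERS):
            current = (line, [])
            sections.append(current)
        elif line in ("exit", "end", "!"):
            current = None
        elif current is not None:
            current[1].append(line)
        elif line:
            global_lines.append(line)
    return global_lines, sections

def ifname(text):  # 'serial 0/0/0' and 's0/0/0' both become 's0/0/0' (simplified matching)
    m = re.search(r"([a-z])[a-z-]*\s*(\d[\d/.]*)", text)
    return m.group(1) + m.group(2) if m else text

def audit(config):
    """Return findings in config order; an empty list means every check passed."""
    global_lines, sections = parse(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED
                if not any(g.startswith(c) for g in global_lines)]
    interfaces, rip_active = {}, []
    for header, body in sections:
        kind, _, name = header.partition(" ")
        if kind in ("interface", "int"):
            interfaces[ifname(name)] = body
            findings += [f"{header}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in body]
        elif kind == "line":
            timeout = next((l.split()[1:] for l in body if l.startswith("exec-timeout ")), None)
            if timeout is None or not any(n.isdigit() and int(n) for n in timeout):
                findings.append(f"{header}: no idle timeout (exec-timeout)")
            if not any(l.startswith("login authentication ") for l in body):
                findings.append(f"{header}: no 'login authentication' list applied")
        elif header == "router rip":
            rip_active = [ifname(l.split(None, 2)[2]) for l in body
                          if l.startswith("no passive-interface ")]
    for name in rip_active:  # interfaces that still send RIP updates must authenticate them
        body = interfaces.get(name, [])
        if "ip rip authentication mode md5" not in body or not any(
                l.startswith("ip rip authentication key-chain ") for l in body):
            findings.append(f"interface {name}: RIP updates sent without MD5 authentication")
    return findings

# Constructed sample, three gaps: HTTP server left on, vty timeout off, RIP unauthenticated.
SAMPLE = "\n".join(c for c in GLOBAL_REQUIRED if "http" not in c and "block" not in c) + """
login block-for 300 attempt 2 within 120
line vty 0 4
login authentication LOCAL_AUTH
exec-timeout 0 0
router rip
passive-interface default
no passive-interface s0/0/0
interface serial 0/0/0
""" + "\n".join(INTERFACE_REQUIRED) + "\nexit\n"
```

Calling `audit(SAMPLE)` returns one finding per gap. A `show running-config` capture can omit commands that match platform defaults, so a "missing" finding on such a capture means the default needs checking, not that the service is necessarily on.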