Introduction

If you are preparing for the Cisco Certified Network Associate (CCNA) exam or have been involved with Cisco networking, then you have probably heard about Cisco Packet Tracer. In this article, we will discuss what Packet Tracer is and how to get it, highlight some useful Packet Tracer resources and look at how it compares to other tools.

What Is Cisco Packet Tracer?

One of my regrets early in my career was not taking enough time to build the right foundation for my understanding of networking. I paid the price for this as I moved on from CCNA to CCSP (now known as CCNP Security), because I had to go back and learn a lot of things that I should have been better grounded in. This is one of the reasons I am a firm believer in practical skills rather than plain theoretical knowledge. Cisco Packet Tracer is one of those tools that can help build practical skills in the networking and security field.

Cisco Packet Tracer is a simulation tool for network, security and other related technologies. Basically, it provides a platform for students to build, configure, troubleshoot and experiment with network topologies using simulated devices such as routers, switches, firewalls, access points and laptops. While Cisco does not intend Packet Tracer to be a replacement for real devices, this tool, even when used alone, can give you enough hands-on experience to prepare for certification exams such as CCNA Routing and Switching, CCNA Security and, if used properly, CompTIA Network+.

How to Get Packet Tracer

In the past, someone preparing for the CCNA exam had limited options for getting practical networking skills.
You either used real hardware, which could be very expensive, or you used simulation tools like Boson NetSim. Then Cisco released Packet Tracer but made it available only to Cisco Networking Academy students. Unfortunately, Cisco Networking Academy was not an option for many people who either preferred the self-study route or just couldn't afford to enroll in the academy.

As with any software, illegal copies of Cisco Packet Tracer became available for free download on the Internet. All of a sudden, people could practice for the exam without enrolling with a Cisco Networking Academy institution. I'm not certain what caused Cisco to finally decide to release Packet Tracer for free, but they did. Now, all you have to do to download Packet Tracer is:

1. Go to the site.
2. Sign up for free.
3. Enroll in the free Introduction to Packet Tracer course. While this course will be helpful in understanding how to use Packet Tracer, you do not have to complete it.
4. Once signed up, access the Packet Tracer download area from Resources > Download Packet Tracer.

Cisco Packet Tracer is available for Windows, Linux, iOS and Android operating systems.

Cisco Packet Tracer Resources

Now that we understand what Packet Tracer is and how to get it, let's look at some resources that will help you get started and improve your skills with this tool.

First, to learn how to use Packet Tracer, here are some useful resources:

- Cisco Networking Academy's course. Enroll, download and start learning valuable tips and best practices for using Cisco's innovative simulation tool, Packet Tracer. This self-paced course is designed for beginners with no prior networking knowledge.
- Cisco Packet Tracer 7.2.1 by Cisco Systems is available for download and installation. If you have already installed the software, you may need to download and install the new version in order to update. The latest version is not a major update but a bug-fix release fixing only one bug in the earlier version.
- Packet Tracer for Beginners video: and

Secondly, since Packet Tracer is all about developing your practical networking skills, you need to build and configure labs using Packet Tracer. Useful resources for this include:

- Study guides and official certification guides. When you are reading through these books, always build the labs used in those books.
- YouTube channels such as and.
- Networking blogs such as and.
- Personal labs. One of the best ways to learn is to think about different scenarios and "lab it up" to see how it works (or doesn't work).

How Can You Make the Most of Packet Tracer?

Cisco Packet Tracer is a really useful study tool even when used as-is. However, here are some things to try with Packet Tracer that will help you make the most of the tool:

- Always download and use the latest version. This should go without saying, but new versions usually come with updated features. For example, the latest Packet Tracer version (7.2.1 as of this writing) supports the ASA 5506-X, 802.1X and PPPoE.
- Use different types/models of the same device. For example, there are several router models in Cisco Packet Tracer, including the 4321, 2901 and 2911. Apart from these models having different physical attributes (e.g., interfaces), some models support more commands than others.
- The "Automatically Choose Connection Type" option is very useful when connecting devices together. However, don't always rely on this option, so that you build your knowledge of the different cable types used to connect various devices. This will come in handy in the real world.
- "Simulation Mode" is one of the best features to try in Cisco Packet Tracer because it allows you to see how things actually work in slow motion. You can even apply filters to see only relevant packet types. Try it!

Packet Tracer versus GNS3 and Others

One question those just entering the Cisco networking field ask is how Packet Tracer differs from GNS3 and other simulation tools. Let's start by establishing that Packet Tracer is a simulation tool, which means it is not the real thing but behaves similarly to the real thing. When you use Packet Tracer, you will discover that it does not support all the commands that are available on a real Cisco device. In some cases, it even behaves slightly differently from a real device. For these reasons, Packet Tracer is useful for specific cases such as the CCNA exam, but it cannot be used to effectively prepare for higher-level exams such as CCNP.

On the other hand, GNS3 is an emulation tool. This means that GNS3 uses real Cisco software files (called IOS images) and runs them on your PC as if your PC were a real Cisco device. Therefore, GNS3 is as close to the real thing as possible, just as a virtual machine running Windows 8 and a physical laptop running Windows 8 are the "same". As such, GNS3 can be used to prepare for all levels of the Cisco certification hierarchy, from CCNA to CCIE (although it is better suited to some specializations, like Routing and Switching, than others). Moreover, GNS3 can be used to emulate devices from other vendors, especially when coupled with a virtual machine application.

However, while Packet Tracer is self-contained, you need to obtain the images to use on GNS3. This can be problematic, since Cisco does not legally provide free copies of its IOS images. Also, GNS3 can be very processor-intensive compared to Packet Tracer when running the same number of devices.

Other simulation/emulation tools include Cisco Virtual Internet Routing Lab ( ) and , both of which are paid.

In summary, if you are preparing for the CCNA Routing and Switching or CCNA Security certification exams, then Cisco Packet Tracer is enough to prepare with. However, if you are going for higher-level certifications, then you will need to consider other options like GNS3 and Cisco VIRL.

Conclusion

This brings us to the end of this article. We have looked at what Cisco Packet Tracer is and how it can be downloaded free from the Cisco Networking Academy website. We have also highlighted some Cisco Packet Tracer resources and tips to make the most of this tool. Finally, we saw how this tool compares to other simulation/emulation tools like GNS3 and Cisco VIRL.
From my experience as a Network Security Engineer, I have worked on many Cisco projects involving AAA on routers but not so many that involve AAA on the Cisco ASA. I find that a bit odd, considering that the Cisco ASA is the real security device. I wonder if the slightly different configuration on the Cisco ASA is responsible for this.

Note: AAA stands for Authentication (who a user is), Authorization (what a user can do) and Accounting (what a user did).

When speaking about AAA, there are generally two areas in which AAA is applied: device administration and network access. Device administration has to do with the management of devices (e.g. access to a device), while network access deals with granting users access to network resources (e.g. a VPN user accessing a local server).

Note: Sometimes Cisco differentiates network access from VPN access, but we can use the broad phrase "network access" here to mean both.

The statement I made above about AAA on the Cisco ASA not being as common as AAA on other devices like Cisco routers is actually only true for AAA used for device administration. When it comes to network access, AAA on the Cisco ASA is as common as (or even more common than) AAA on other Cisco IOS devices. Therefore, what we will do in this article is explore AAA on the Cisco ASA as used for device administration. We will discuss the different AAA components as relevant to the Cisco ASA, identify the AAA servers that can be used with the Cisco ASA, and then look at a lab of how these features can be applied on the Cisco ASA, especially in comparison to other Cisco IOS devices.

AAA on the Cisco ASA

Generally speaking, AAA provides an extra level of protection compared with a blanket security policy for everyone.
For example, you can filter access to a device using an access list. However, if different groups of users will be accessing that device to perform different functions, then your ACL cannot provide that level of protection. Using AAA, you can turn on user-level security functions such that, for example, network managers have full access to the device while support staff can only perform monitoring.

Let's now explore the three AAA functions as applicable to the Cisco ASA.

Authentication

In terms of authentication, the ASA can be configured to authenticate the following:

- Management access, e.g. SSH, Telnet, ASDM (HTTPS), Enable.
- Network access, e.g. configuring the ASA to authenticate users that need to access an FTP server.
- VPN access, e.g. AnyConnect VPN.

Authorization

For authorization to be configured on the ASA, authentication must also be configured. The ASA can be configured to authorize the following:

- Command authorization, e.g. a user can perform show commands but cannot use the configure command.
- Network access, e.g. user-specific downloadable ACLs.
- VPN access, e.g. what time of day a user can log in to a VPN.

Accounting

Accounting is more about logging information about traffic passing through the ASA: information such as service used, duration of session, username, etc. Accounting information can be tracked per user (if authentication is also configured) or per IP address (if authentication is not configured).

AAA Server Support on the Cisco ASA

Like other Cisco devices, the Cisco ASA supports a variety of AAA servers, which can be divided into internal and external AAA servers. The only internal AAA server is the ASA's local database. External AAA servers supported by the ASA include RADIUS, TACACS+, LDAP, RSA SecurID, Kerberos, etc.

To give a typical example: many organizations use Microsoft Active Directory (AD), which is a type of LDAP server, to authenticate users and also to enforce organization-wide policies for devices. The ASA can also be configured to use this AD to authenticate/authorize users for the various functions already described above.

It is also important to note that there are some AAA functions that certain AAA servers do not support. For example, only RADIUS and TACACS+ servers support the accounting function. You can check the features supported by the various AAA servers.

Lab: Authentication for Device Administration

In this section of the article, we will configure a lab on the Cisco ASA where we will focus on AAA for device administration, i.e.
management access. As we go along, we will point out differences between this configuration and how it is done on Cisco IOS routers.

The lab setup in GNS3 is as shown below. I am using ASAv version 9.8(1).

Scenario #1: Telnet

By default, you can open a telnet connection to a Cisco IOS router as long as a password is configured on the VTY lines using the password command. The Cisco ASA behaves similarly, except that the command is different (passwd) and it is a global configuration command rather than a line configuration command as on Cisco IOS routers.

So let's test this. We will open a telnet connection from our host to the ASA.

Tip: The ASA does not allow Telnet to the lowest-security interface unless the telnet connection is over a VPN tunnel.

As you can see, the telnet connection failed. This is because we did not specify the IP addresses that can connect to the ASA using Telnet. We do this using the telnet command, along with the interface from which those addresses can connect. This is another difference between the Cisco ASA and Cisco IOS routers: the Cisco ASA takes a deny-all approach to security and you must explicitly allow what you want.

Also, we need to configure a Telnet login password using the passwd command. There used to be a default password of "cisco" on Cisco ASAs, but this was removed in ASA version 9.0(2).

    passwd cisco
    telnet 192.168.105.0 255.255.255.0 inside

Let's test again. As you can see, we are connected to the ASA and placed at user EXEC mode (privilege level 1).

However, what we have done has nothing to do with AAA (as we are familiar with it from Cisco IOS routers). This is just basic telnet access authentication and it cannot be used to differentiate between users. To configure the ASA to authenticate based on username/password, we have to configure AAA Telnet authentication:

    aaa authentication telnet console LOCAL

Note: Cisco's terminology for this is quite confusing. They consider using the passwd command "no authentication" but using AAA "authentication".

With this configuration, the ASA will check the LOCAL database to perform user authentication. We can also create an AAA server group (e.g. RADIUS) and use it for authentication. In the same way, you can also use the ASA's local database as a fallback AAA server, just as we do on Cisco IOS routers.

Notice that, unlike on the Cisco IOS router, we do not need to turn on AAA on the Cisco ASA using the aaa new-model command. In fact, there is no aaa new-model command on the ASA. However, just like on the Cisco IOS router, if you will be using the local database for authentication, you should populate the database with usernames/passwords.

For our example, let's create three users with different privilege levels. If you don't specify a privilege level for a user, the default is 2.

    username cisco1 password cisco1 privilege 1
    username cisco2 password cisco2
    username cisco15 password cisco15 privilege 15

Note: If you want to configure a privilege level for a user on the Cisco IOS router, you must configure it before the password/secret option, because the router interprets the entire string after password/secret as the password. On the ASA, you can do it in any order.

Let's test again. Notice that it now asks for a username and password, and that the user (cisco1) is placed at user EXEC mode with a privilege level of 1. Let's test the other usernames. Notice that irrespective of the user's privilege level, they are all placed at privilege level 1.
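As an added example (not code from the original article), here is a small Python audit of the management-access lines this scenario produces: it flags a Telnet rule open to any host, Telnet left on the shared passwd with no aaa authentication telnet console line, the old default passwd "cisco", and users with no explicit privilege (which the ASA defaults to 2). The configuration text inside it is constructed from the lab commands, not captured from a device.

```python
import re

# Constructed sample modelled on the lab's commands (not a capture from a real ASA).
SAMPLE_CONFIG = """\
passwd cisco
telnet 192.168.105.0 255.255.255.0 inside
aaa authentication telnet console LOCAL
username cisco1 password cisco1 privilege 1
username cisco2 password cisco2
username cisco15 password cisco15 privilege 15
"""

# "telnet <addr> <mask> <interface>" lines only; "telnet timeout N" does not match.
TELNET_RE = re.compile(r"^telnet (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)(?: privilege (\d+))?$")


def audit_asa_mgmt(config: str) -> list[str]:
    """Return plain-text findings about Telnet/AAA management access in an ASA config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    telnet_rules = [m for ln in lines if (m := TELNET_RE.match(ln))]
    aaa_telnet = any(ln.startswith("aaa authentication telnet console ") for ln in lines)
    passwd = next((ln.split(None, 1)[1] for ln in lines if ln.startswith("passwd ")), None)

    for rule in telnet_rules:
        _addr, mask, iface = rule.groups()
        if mask == "0.0.0.0":  # a zero mask matches every source address
            findings.append(f"telnet permitted from any host on {iface}")
    if telnet_rules and not aaa_telnet:
        # Without AAA the ASA only checks the shared passwd, so logins are not per-user.
        findings.append("telnet relies on the shared passwd only; users cannot be told apart")
    if passwd == "cisco":
        findings.append("passwd is the old well-known default 'cisco'")

    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        user, pwd, priv = m.groups()
        if pwd == user:
            findings.append(f"user {user}: password equals username")
        if priv is None:  # the ASA assigns privilege 2 when none is given
            findings.append(f"user {user}: no privilege given, defaults to 2")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_mgmt(SAMPLE_CONFIG):
        print(finding)
```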
We will talk about how to change this behavior later on in this article.

Note: On Cisco IOS routers, we could use the login local command to ensure that users are placed at their configured privilege level upon login. This feature is not available on the Cisco ASA without using AAA.

Scenario #2: SSH

SSH requires a username and password to successfully open a connection.