CCNA
Cisco Certified Network Associate Exam (200-301)
Technology Workbook
www.ipspecialist.net
Copyright © 2018 IPSpecialist LTD.
Registered in England and Wales
Company Registration No: 10883539
Registration Office at: Office 32, 19-21 Crawford Street, London
W1H 1PJ, United Kingdom
www.ipspecialist.net
All rights reserved. No part of this book may be reproduced or
transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any
information storage and retrieval system, without the written
permission from IPSpecialist LTD, except for the inclusion of brief
quotations in a review.
Feedback:
If you have any comments regarding the quality of this book, or
how we might alter it to better suit your needs, you can contact us
by email at info@ipspecialist.net.
Please make sure to include the book’s title and ISBN in your
message.
About IPSpecialist
IPSPECIALIST LTD. IS COMMITTED TO EXCELLENCE AND
DEDICATED TO YOUR SUCCESS.
Our philosophy is to treat our customers like family. We want
you to succeed, and we are willing to do everything possible to
help you make it happen. We have the proof to back up our
claims. We strive to accelerate billions of careers with great
courses, accessibility, and affordability. We believe that continuous
learning and knowledge evolution are the most important things
to keep re-skilling and up-skilling the world.
Planning and creating a specific goal is where IPSpecialist
helps. We can create a career track that suits your visions as well
as develop the competencies you need to become a professional
Network Engineer. We can also assist you with the execution and
evaluation of your proficiency level, based on the career track you
choose, as they are customized to fit your specific goals.
We help you STAND OUT from the crowd through our detailed
IP training content packages.
Course Features:
❖ Self-Paced Learning
Learn at your own pace and in your own time
❖ Covers Complete Exam Blueprint
Prep-up for the exam with confidence
❖ Case Study Based Learning
Relate the content with real-life scenarios
❖ Subscriptions that Suit You
Get more and pay less with IPS subscriptions
❖ Career Advisory Services
Let the industry experts plan your career journey
❖ Virtual Labs to Test Your Skills
With IPS vRacks, you can evaluate your exam preparations
❖ Practice Questions
Practice questions to measure your preparation standards
❖ On Request Digital Certification
On request digital certification from IPSpecialist LTD.
About the Authors:
This book has been compiled with the help of multiple
professional engineers. These engineers specialize in different fields
e.g., Networking, Security, Cloud, Big Data, IoT, etc. Each engineer
develops content in his/her own specialized field that is compiled
to form a comprehensive certification guide.
About the Technical Reviewers:
Nouman Ahmed Khan
AWS-Architect, CCDE, CCIEX5 (R&S, SP, Security, DC, Wireless),
CISSP, CISA, CISM, Nouman Ahmed Khan is a Solution Architect
working with a major telecommunication provider in Qatar. He
works with enterprises, mega-projects, and service providers to
help them select the best-fit technology solutions. He also works
as a consultant to understand customer business processes and
helps select an appropriate technology strategy to support
business goals. He has more than fourteen years of experience
working in Pakistan/Middle-East & UK. He holds a Bachelor of
Engineering Degree from NED University, Pakistan, and M.Sc. in
Computer Networks from the UK.
Abubakar Saeed
Abubakar Saeed has more than twenty-five years of experience,
managing, consulting, designing, and implementing large-scale
technology projects. He also has extensive experience heading ISP
operations, solutions integration, heading Product Development,
Pre-sales, and Solution Design. Emphasizing adherence to
project timelines and delivering as per customer expectations, he
always leads projects in the right direction with his innovative
ideas and excellent management skills.
Uzair Ahmed
Uzair Ahmed is a professional technical content writer holding
a Bachelor’s Degree in Computer Science from PAF-KIET
University. He has sound knowledge and industry experience in
SIEM implementation, .NET development, machine learning,
artificial intelligence, Python, and other programming and
development platforms such as React.JS, Angular JS, and Laravel.
Muhammad Yousuf
Muhammad Yousuf is a professional technical content writer.
He is a Certified Ethical Hacker (CEHv10) and Cisco Certified
Network Associate (CCNA) in Routing and Switching, holding a
bachelor’s degree in Telecommunication Engineering from Sir Syed
University of Engineering and Technology. He has both technical
knowledge and sound industry information, which he uses perfectly
in his career.
Afreen Moin
Afreen Moin is a professional Technical Content Developer. She
holds a degree in Bachelor of Engineering in Telecommunications
from Dawood University of Engineering and Technology. She has a
great knowledge of computer networking and attends several
training programs. She possesses a keen interest in research and
design related to computers, which reflects in her career.
Free Resources:
With each workbook purchased, IPSpecialist offers free
resources to our valuable customers.
Once you have bought this book, contact us at
support@ipspecialist.net or tweet @ipspecialistnet to get this
limited-time offer at no extra charge.
Free Resources Include:
Exam Practice Questions in Quiz Simulation: With 250+ Q/A,
IPSpecialist's Practice Questions is a concise collection of
important topics to keep in mind. The questions are especially
prepared following the exam blueprint to give you a clear
understanding of what to expect from the certification exam. It
goes further on to give answers with thorough explanations. In
short, it is a perfect resource that helps you evaluate your
preparation for the exam.
Career Report: This report is a step-by-step guide for a novice
who wants to develop his/her career in the field of computer
networks. It answers the following queries:
What are the current scenarios and future prospects?
Is this industry moving towards saturation or are new
opportunities knocking at the door?
What will the monetary benefits be?
Why get certified?
How to plan and when will I complete the certifications if I start
today?
Is there any career track that I can follow to accomplish
specialization level?
Furthermore, this guide provides a comprehensive career path
towards being a specialist in the field of networking and also
highlights the tracks needed to obtain certification.
IPS Personalized Technical Support for Customers: Good
customer service means helping customers efficiently, in a friendly
manner. It is essential to be able to handle issues for customers
and do your best to ensure they are satisfied. Providing good
service is one of the most important things that can set our
business apart from the others of its kind.
Great customer service will result in attracting more customers
and attaining maximum customer retention.
IPS is offering personalized TECH support to its customers to
provide better value for money. If you have any queries related to
technology and labs you can simply ask our technical team for
assistance via Live Chat or Email.
Our Products
Technology Workbooks
IPSpecialist Technology workbooks are the ideal guides to
developing the hands-on skills necessary to pass the exam. Our
workbooks cover the official exam blueprint and explain the
technology with real-life, case-study-based labs. The content
covered in each workbook consists of individually focused
technology topics presented in an easy-to-follow, goal-oriented,
step-by-step approach. Every scenario features detailed breakdowns
and thorough verifications to help you completely understand the
task and associated technology.
We use mind maps extensively in our workbooks to explain the
technology visually. Our workbooks have become a widely used
tool for learning and remembering information effectively.
vRacks
Our highly scalable and innovative virtualized lab platforms let
you practice the IP Specialist Technology Workbook at your own
time and place, as per your convenience.
Quick Reference Sheets
Our quick reference sheets are a concise bundling of
condensed notes of the complete exam blueprint. It is an ideal
and handy document to help you remember the most important
technology concepts related to the certification exam.
Practice Questions
IP Specialists’ Practice Questions are designed specifically from
a certification exam perspective. The collection of questions
from our technology workbooks is prepared with the exam
blueprint in mind, covering not only important but also necessary
topics. It is an ideal document for practising and revising for your
certification.
Content at a glance
Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Answers:
Acronyms:
References:
About Our Products
Table of Contents
Chapter 01: Network Fundamentals
Technology Brief
Role and Function of Network Components
Routers
L2 and L3 Switches
Next-Generation Firewalls and IPS
Access Points
Controllers (Cisco DNA Center and WLC)
Endpoints
Servers
Characteristics of Network Topology Architectures
2 Tier
3 Tier
Spine-Leaf
WAN
Small Office/Home Office (SOHO)
On-Premises and Cloud
Physical Interface and Cabling Types
Cabling Type and Implementation Requirements
Ethernet Connectivity Recommendations
Single Mode Fiber, Multimode Fiber, Copper
Connections
Concepts of PoE
Identifying Interface and Cable Issues
Collisions
Errors
Duplex
Speed
TCP vs. UDP
TCP and UDP Working
IPv4 Addressing and Subnetting
Advantages of Subnetting
The Need for Private IPv4 Addressing
Case Study
IPv6 Addressing and Prefix
Restrictions for Implementing IPv6 Addressing and Basic
Connectivity
IPv6 Address Formats
IPv6 Subnetting
IPv6 Packet Header
IPv6 Addressing and Subnetting
Mind Map
IPv6 Address Types
Global Unicast
Unique Local
Link Local
Anycast
Multicast
Modified EUI 64
IP Parameters for Client OS (Windows, Mac OS, Linux)
Windows
Linux
Mac OS
Wireless Principles
SSID
RF
Encryption
Virtualization Fundamentals
Benefits of Virtualization
Types of Virtualization
Switching Concepts
MAC Learning and Aging
Frame Switching
Frame Flooding
MAC Address Table
Mind Map
Summary
Role and Function of Network Components
Characteristics of Network Topology Architectures
Physical Interface and Cabling Types
Identify Interface and Cable Issues
TCP vs. UDP
IPv4 Addressing and Subnetting
The Need for Private IPv4 Addressing
IPv6 Addressing and Prefix
IPv6 Address Types
Wireless Principles
Virtualization Fundamentals
Switching Concepts
Practice Questions
Chapter 02: Network Access
Technology Brief
VLANs (Normal Range) Spanning Multiple Switches
Access Ports (Data and Voice)
Default VLAN
Connectivity
Interswitch Connectivity
Trunk Ports
802.1Q
Native VLAN
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP)
LLDP (Link Layer Discovery Protocol)
(Layer 2/Layer 3) EtherChannel (LACP)
EtherChannel
Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel
Case Study
Topology
Configuration
Verification
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Configuring Rapid PVST+
Root Port, Root Bridge (Primary/Secondary), and other Port Names
Rapid PVST+ Port State
PortFast
Cisco Wireless Architectures vs. AP Modes
Cisco Unified Wireless Network Architecture
AP Modes
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
Access Points
Wireless LAN Controllers
Access Ports/Trunk Ports
LAG
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
Access Point
Wireless Controllers Management Access Connections
Components of a Wireless LAN Access for Client Connectivity
using GUI
Step 1. Configure a RADIUS Server
Step 2. Create a Dynamic Interface
Step 3. Create a New WLAN
Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
Interswitch Connectivity
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
(Layer 2/Layer 3) EtherChannel (LACP)
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Cisco Wireless Architectures vs. AP Modes
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
Components of a Wireless LAN Access for Client Connectivity
using GUI
Practice Questions
Chapter 03: IP Connectivity
Technology Brief
Components of the Routing Table
Routing Protocol Code
Prefix
Network Mask
Next Hop
Administrative Distance
Metric
Gateway of Last Resort
How a Router Makes Forwarding Decision by Default?
Longest Match
Administrative Distance
Routing Protocol Metric
IPv4 and IPv6 Static Routing
IP Addresses
IPv4 Address
IPv6 Address
Difference between IPv4 and IPv6 Addresses
Default Route
Network Route
Host Route
Floating Static
Case Study: Static Routing
Topology Diagram:
Configuration
Verification
Case Study: Static Routing
Topology Diagram
Configuration
Verification
Single Area OSPFv2
Neighbor Adjacency
Point-to-Point
Broadcast (DR/BDR Selection)
Router ID
Purpose of First Hop Redundancy Protocol
Types of Redundancy Protocols
Case Study
Topology Diagram
Configuration
Verification
Mind Map
Summary
Components of the Routing Table
A Router Makes Forwarding Decision by Default
Configure and Verify IPv4 and IPv6 Static Routing
Configure and Verify Single Area OSPFv2
Purpose of First Hop Redundancy Protocol
Practice Question
Chapter 04: IP Services
Technology Brief
Configure and Verify Inside Source NAT using Static and Pools
NAT Inside and Outside Addresses
Types of Network Address Translation (NAT)
Advantages of NAT
Disadvantages of NAT
NTP Operating in a Client and Server Mode
NTP Authentication
Role of DHCP and DNS within the Network
Configuring DHCP
TFTP, DNS, and Gateway Options
The Function of SNMP in Network Operations
SNMPv2:
SNMPv3:
Management Information Base (MIB):
Use of Syslog Features Including Facilities and Levels
Syslog
Syslog Facilities and Features
DHCP Client and Relay
Router/Switch as a DHCP Server
Forwarding Per-Hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
Classification:
Congestion
Queuing
Shaping
Policing
Differentiated Services
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Trivial File Transfer Protocol (TFTP)
Differences between TFTP & FTP
Mind Map
Summary
Configure and Verify Inside Source NAT using Static and Pools
Configure and Verify NTP Operating in a Client and Server Mode
The Role of DHCP and DNS within the Network
The Function of SNMP in Network Operations
Use of Syslog Features
Configure and Verify DHCP Client and Relay
Forwarding Per-hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
Practice Question
Chapter 05: Security Fundamentals
Technology Brief
Security Concepts
Threats
Vulnerabilities
Exploits
Mitigation Techniques
Security Program Elements
User Awareness
Training
Physical Access Controls
Configure Device Access Control using Local Passwords
Configure Local User-Specific Passwords
Configure AUX Line Password
Security Password Policies Elements
Password Management
Password Complexity
Password Alternatives
Remote Access and Site-to-Site VPNs
VPN
Remote Access VPN
Site-to-Site VPN
Mind Map
Configure and Verify Access Control Lists
Inbound and Outbound ACL
Lab: NAT, DHCP, NTP, Syslog, and SSH
Case Study
Topology Diagram
Configuration
Verification
Layer 2 Security Features
DHCP Snooping
Dynamic ARP Inspection
Port Security
Authentication, Authorization, and Accounting Concepts
AAA Components
Wireless Security Protocols
WPA
WPA2
WPA3
Configure WLAN using WPA2 PSK using GUI
WPA2-PSK Configuration with GUI
Verifying WPA2 PSK
Mind Map
Summary
Security Concepts
Security Program Elements
Configure Device Access Control Using Local Passwords
Security Password Policies Elements
Remote-Access and Site-to-Site VPNs
Configure and Verify Access Control Lists
Layer 2 Security Features
Authentication, Authorization, and Accounting Concepts
Wireless Security Protocols
Configure WLAN using WPA2 PSK using GUI
Practice Question
Chapter 06: Automation and Programmability
Automation Impacts on Network Management
Why do we need to automate our network?
How automation of network can be beneficial?
Why Choose Cisco for Networking
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
SD-Access Architecture
Underlay
Overlay
Fabric
Separation of Control Plane and Data Plane
Northbound and Southbound APIs
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Characteristics of REST-based APIs
CRUD
HTTP Verbs
Capabilities of Configuration Management Mechanisms
Puppet
Chef
Ansible
Interpret JSON Encoded Data
PHP JSON Encode and Decode
Encoding and Decoding
PHP JSON Encode
Mind Map
Summary
Automation Impacts on Network Management
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Characteristics of REST-based APIs
Capabilities of Configuration Management Mechanisms
Interpret JSON Encoded Data
Practice Question
Answers:
Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Acronyms:
References:
About Our Products
About this Workbook
This workbook covers all the information you need to pass the
Cisco CCNA 200-301 exam (Latest Exam). The workbook is
designed to take a practical approach of learning with real life
examples and case studies.
➢ Covers complete CCNA updated blueprint
➢ Summarized content
➢ Case Study based approach
➢ Ready to practice labs on Virtualized Environment
➢ 100% pass guarantee
➢ Mind maps
Cisco Certifications
Cisco Systems, Inc. specializes in networking and
communications products and services. A leader in global
technology, the company is best known for its business routing
and switching products that direct data, voice, and video traffic
across networks worldwide.
Cisco also offers one of the most comprehensive vendor-specific
certification programs in the world, the Cisco Career Certification
Program. The program has six (6) levels, beginning at the
Entry level and advancing to the Associate, Professional, and
Expert levels. For some certifications, the program closes at the
Architect level.
Figure 1. Cisco Certifications Skill Matrix
How do Cisco certifications help?
Cisco certifications are a de facto standard in the networking
industry, and help you boost your career in the following ways:
Gets your foot in the door by launching your IT career
Boosts your confidence level
Proves knowledge that helps improve employment opportunities
As for companies, Cisco certifications are a way to:
Screen job applicants
Validate the technical skills of the candidate
Ensure quality, competency, and relevancy
Improve organization credibility and customers’ loyalty
Meet the requirement for maintaining organization partnership level
with OEMs
Help in job retention and promotion
Cisco Certification Tracks
Figure 2. Cisco Certifications Track
About the CCNA Exam
➢ Exam Number: 200-301 CCNA
➢ Associated Certifications: CCNA
➢ Duration: 120 minutes
➢ Exam Registration: Pearson VUE
The Cisco Certified Network Associate (CCNA) composite exam
(200-301) is a 120-minute assessment that is associated with the
CCNA certification. This exam tests a candidate's knowledge and
skills related to secure network infrastructure, understanding core
security concepts, managing secure access, VPN encryption,
firewalls, intrusion prevention, web and email content security, and
endpoint security.
The following topics are general guidelines for the content likely
to be included on the exam:
➢ Network Fundamentals 20%
➢ Network Access 20%
➢ IP Connectivity 25%
➢ IP Services 10%
➢ Security Fundamentals 15%
➢ Automation and Programmability 10%
The complete list of topics covered in the CCNA 200-301 exam can
be downloaded from here.
Chapter 01: Network Fundamentals
Technology Brief
In computing, the term network refers to the interconnection of
devices such as computers, laptops, IoT devices, servers, routers and
much more. This network of devices is capable of sharing
information among its members and offers different services over
the network. The evolution of computer networks has raised the
demand for network engineers who can install, configure, operate and
troubleshoot anything from a small personal area network to a
large-scale enterprise network. Typical Networking Fundamentals topics
include WAN technologies, basic security and wireless concepts,
routing and switching fundamentals, and configuring simple
networks.
In this chapter, we will discuss the role and function of network
components, the characteristics of network topology
architectures, the TCP and UDP network protocols, wireless principles,
virtualization fundamentals (virtual machines), and switching concepts
and their categories. This chapter also examines the limitations of
IPv4 and describes how IPv6 resolves these issues while offering
other advantages as well, covering the rationale for IPv6 and the
concerns regarding IPv4 address depletion. It presents a brief
history of both IPv4 and IPv6 addressing and address types, and
includes the representation of IPv6 addresses, along with the
IPv6 header.
Role and Function of Network Components
A network is a set of interconnected devices sharing
resources. A computer network allows different computers and devices
to connect to one another and share resources. A network
architecture consists of numerous devices, each of which performs a
definite function or set of functions in the network. It is essential to
understand the purpose of each device so that an individual
is familiar with the functionalities of the devices that are
used in the network. In this section, we will cover these
requirements.
Network Topology
Network topology describes the relationship between the various
elements of a network. Network topology can be categorized as
physical or logical. Physical topology shows the physical
network infrastructure, whereas logical topology shows the logical
overview of the network. Network topology boils down to two
basic elements: nodes and links. Nodes represent any number of
possible network devices, such as routers, switches, servers,
phones, cameras, or laptops. The topological structure of a
network consists of nodes and links that are connected physically
or logically.
Bus Topology
In a bus topology, all devices share a single
communication line or cable. Bus topologies may have issues
when multiple hosts send data at the same time. Therefore, a bus
topology either uses CSMA/CD or recognizes one host
as the Bus Master to solve this issue. It is one of the simplest
forms of networking, where the failure of a device does not affect
the other devices. Then again, failure of the shared
communication line makes all the other devices stop functioning.
Figure 1-01: Bus Topology
Ring Topology
In a ring topology, each host machine connects to exactly two
other machines, creating a circular network structure. When one
host tries to communicate or send a message to a host which is
not adjacent to it, the data travels through all the intermediate hosts.
To connect one more host to the existing structure, the
administrator may need only one extra cable.
Figure 1-02: Ring Topology
Star Topology
The advantage of the star topology is that there is a central
device that serves as the mediator for every station, so the
stations are indirectly connected to each other through it.
The disadvantage is that it is too costly and is dependent on the hub
or central device.
The following figure illustrates the layout used in a star
topology:
Figure 1-03: Star Topology
Mesh Topology
In a mesh topology, each computer is interconnected with every
other computer. That is the simplest way to explain mesh;
although there is some theoretical background that we can dig
into with mesh, such as Reed’s law, flooding and routing, it is
important for us to know that the disadvantages of mesh are
difficult installation and expensive cabling. On the other hand,
it is good when it comes to providing security, privacy, and
ease of troubleshooting.
The following figure shows the mesh topology structure:
Figure 1-04: Mesh Topology
Hybrid Topology
A hybrid topology is a mixture of more than one topology, which
may include mesh topology, star topology, ring topology, etc. The
disadvantage of one topology may be offset by the advantage of
another. Thus, the reason for building a hybrid topology is to
eliminate the shortcomings of the network.
Figure 1-05: Hybrid Topology
Routers
Routers are used to connect networks. A router receives a packet
and examines the destination IP address to determine
which network the packet needs to reach, then sends the packet
out of the corresponding interface.
Routers are network devices that accurately route information
across the network by inspecting it as it arrives: the router can
determine the destination address of the information, and
then, by using tables of defined routes, determine the
best way for the data to continue its journey. Unlike bridges and
switches, which use the hardware-configured MAC address to
determine the destination of the data, routers use the
software-configured network address to make decisions. This approach
makes routers more functional than bridges or switches, and it
also makes them more complex because they have to work harder
to determine where the information should go.
Figure 1-06: Router
Functions
● Routers work on the Internet Protocol (IP), specifically on the
logical address, also known as the IP address
● Routers perform their actions at Layer 3, i.e., the Network Layer
of the OSI model
● They route traffic from one network to the desired destination
network
● As described, a router is an intelligent device that first finds
out whether the traffic relates to its own network or to another one
● After deciding, the router forwards the traffic to the required
destination
Applications
● Routers provide interfaces for different physical network
connections such as copper cables, optical fiber, or wireless
transmission
● The network administrator can configure the routing table
manually as well as dynamically
● Routers learn their routing tables by using static and dynamic
routing protocols
● Multiple routers are used in interconnected networks
● Dynamic exchange of information about destinations is made
possible by dynamic routing protocols; the administrator has to
advertise routing paths manually for static networks
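The forwarding decision described above, as an added example that is not part of the workbook: a Python model of a router picking the egress interface by longest-prefix match over its table of defined routes, with administrative distance breaking ties between equal prefixes. The prefixes, next hops and interface names are constructed.

```python
"""Added example, not taken from the workbook: how a router chooses the egress
interface for a packet by longest-prefix match on its routing table, using
administrative distance only to break ties between equal-length prefixes.
All prefixes, next hops and interface names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination network, e.g. 10.1.0.0/16
    next_hop: Optional[str]         # None means the network is directly connected
    interface: str                  # egress interface
    admin_distance: int = 1         # Cisco defaults: connected 0, static 1, OSPF 110


class Router:
    def __init__(self, routes: List[Route]):
        # Most specific prefix first; among equal prefixes the lowest
        # administrative distance wins, so a linear scan returns the best route.
        self.table = sorted(routes, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Return the route the router would use for dst_ip, or None (drop)."""
        ip = ipaddress.IPv4Address(dst_ip)
        for route in self.table:
            if ip in route.prefix:
                return route
        return None

    def forward(self, dst_ip: str) -> str:
        """Describe the forwarding decision for a packet to dst_ip."""
        route = self.lookup(dst_ip)
        if route is None:
            return f"{dst_ip}: no matching route, packet dropped"
        via = "directly connected" if route.next_hop is None else f"via {route.next_hop}"
        return f"{dst_ip}: matched {route.prefix} ({via}) -> {route.interface}"


def build_table(with_default: bool = True) -> Router:
    """Constructed routing table: three connected LANs, a static summary, an
    OSPF-learned duplicate of that summary, and an optional default route."""
    net = ipaddress.IPv4Network
    routes = [
        Route(net("10.1.1.0/24"), None, "Gi0/0", admin_distance=0),
        Route(net("10.1.2.0/24"), None, "Gi0/1", admin_distance=0),
        Route(net("10.1.3.0/24"), None, "Gi0/3", admin_distance=0),
        Route(net("10.1.0.0/16"), "10.1.2.2", "Gi0/1", admin_distance=1),     # static summary
        Route(net("10.1.0.0/16"), "10.1.3.9", "Gi0/3", admin_distance=110),   # same prefix via OSPF
    ]
    if with_default:
        routes.append(Route(net("0.0.0.0/0"), "203.0.113.1", "Gi0/2"))        # gateway of last resort
    return Router(routes)


if __name__ == "__main__":
    r = build_table()
    for dst in ("10.1.1.77", "10.1.50.9", "198.51.100.5"):
        print(r.forward(dst))
    print(build_table(with_default=False).forward("198.51.100.5"))
```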
L2 and L3 Switches
The Open Systems Interconnection (OSI) model is a reference model for
describing and explaining network communications, and the terms Layer
2 and Layer 3 are adopted from it. The OSI model has seven layers: the
application layer, presentation layer, session layer, transport
layer, network layer, data link layer and physical layer, among which the
network layer is Layer 3 and the data link layer is Layer 2.
Figure 1-07: OSI Model
Layer 2 switches provide direct data transmission between two
devices within a LAN. A Layer 2 switch’s purpose is to keep a table of
Media Access Control (MAC) addresses. Data frames are
switched on their MAC addresses individually inside the LAN and are
not identified outside it. A Layer 2 switch can assign VLANs to
specific switch ports, which in turn sit in different Layer 3 subnets.
Communication with other VLANs or LANs therefore requires the
function of Layer 3.
Figure 1-08: Layer 2 & Layer 3 Switches
Difference between Layer 2 and Layer 3 Switches
The basic difference between Layer 2 and Layer 3 is the routing
function. A Layer 2 switch works only on MAC addresses and does not
concern itself with IP addresses or any items of the higher layers. A
Layer 3 switch can perform all the tasks that a Layer 2 switch can.
Furthermore, it can do dynamic routing and static routing. This means
that a Layer 3 switch has both a MAC address table and an IP routing
table, and handles intra-VLAN communication as well as packet routing
between distinct VLANs. A switch that adds merely static routing is
known as a Layer 2+ or Layer 3 Lite switch. Other than routing packets,
Layer 3 switches also include some functions that need the capability
to understand the IP address information of data coming to the switch,
such as tagging VLAN traffic depending on IP addresses instead of
manually configuring a port. Layer 3 switches are also more reliable
from a security and power perspective.
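The distinction just described, as an added Python example that is not part of the workbook: the `Layer2Switch` learns MAC addresses, forwards known unicasts, floods broadcasts and unknown unicasts, and keeps VLANs apart; the `Layer3Switch` adds SVIs (one subnet per VLAN) and an ARP table so it can route between VLANs. Port numbers, VLAN ids, MAC and IP addresses are constructed, and the ARP table is pre-populated rather than resolved.

```python
"""Added example, not taken from the workbook: a minimal model of a Layer 2
switch (MAC learning, known-unicast forwarding, flooding, VLANs as separate
broadcast domains) and a Layer 3 switch that adds inter-VLAN routing via SVIs.
Ports, VLAN ids, MAC/IP addresses and the ARP table are all constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B, MAC_C = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
IP_C = "10.0.20.33"
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}       # access ports 1-2 in VLAN 10, 3-4 in VLAN 20


class Layer2Switch:
    """Forwards on MAC addresses only; never looks at IP headers."""

    def __init__(self, port_vlan: Dict[int, int]):
        self.port_vlan = port_vlan
        self.mac_table: Dict[Tuple[int, str], int] = {}   # (vlan, mac) -> port learned on

    def _ports_in(self, vlan: int, exclude: Optional[int]) -> List[int]:
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != exclude)

    def _switch(self, vlan: int, in_port: Optional[int], dst: str) -> List[int]:
        """Egress ports for a frame to dst inside vlan (in_port None: switch-originated)."""
        out = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or out is None:          # broadcast / unknown unicast: flood the VLAN
            return self._ports_in(vlan, exclude=in_port)
        return [] if out == in_port else [out]       # known unicast: one port, never the ingress

    def receive(self, in_port: int, src: str, dst: str, dst_ip: Optional[str] = None) -> List[int]:
        """Learn src on in_port, then return the ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port
        return self._switch(vlan, in_port, dst)


class Layer3Switch(Layer2Switch):
    """Everything a Layer 2 switch does, plus routing between VLAN subnets."""
    GATEWAY_MAC = "00:00:5e:00:01:01"   # constructed MAC of the SVIs (the hosts' default gateway)

    def __init__(self, port_vlan: Dict[int, int], svi_subnets: Dict[int, str], arp: Dict[str, str]):
        super().__init__(port_vlan)
        self.svi = {v: ipaddress.ip_network(s) for v, s in svi_subnets.items()}  # VLAN -> subnet
        self.arp = arp                                                             # IP -> MAC

    def receive(self, in_port: int, src: str, dst: str, dst_ip: Optional[str] = None) -> List[int]:
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port
        if dst != self.GATEWAY_MAC or dst_ip is None:
            return self._switch(vlan, in_port, dst)      # ordinary intra-VLAN switching
        # Frame addressed to the gateway: route on the IP header, then re-originate
        # the frame in the destination VLAN with the next-hop MAC.
        ip = ipaddress.ip_address(dst_ip)
        for out_vlan, subnet in self.svi.items():
            if ip in subnet:
                next_mac = self.arp.get(dst_ip)
                return [] if next_mac is None else self._switch(out_vlan, None, next_mac)
        return []                                        # no route: dropped


def layer2_demo() -> Dict[str, List[int]]:
    sw = Layer2Switch(PORT_VLAN)
    return {
        "A broadcasts (ARP), flooded within VLAN 10 only": sw.receive(1, MAC_A, BROADCAST),
        "B answers A, now a known unicast": sw.receive(2, MAC_B, MAC_A),
        "A frames C directly: C is in VLAN 20, never reached": sw.receive(1, MAC_A, MAC_C),
    }


def layer3_demo() -> Dict[str, List[int]]:
    sw = Layer3Switch(PORT_VLAN, {10: "10.0.10.0/24", 20: "10.0.20.0/24"}, {IP_C: MAC_C})
    return {
        "A -> gateway for C: routed into VLAN 20, C unknown so flooded there":
            sw.receive(1, MAC_A, Layer3Switch.GATEWAY_MAC, IP_C),
        "C talks, learned on port 3": sw.receive(3, MAC_C, BROADCAST),
        "A -> gateway for C again: routed and switched to port 3 only":
            sw.receive(1, MAC_A, Layer3Switch.GATEWAY_MAC, IP_C),
    }


if __name__ == "__main__":
    for step, ports in {**layer2_demo(), **layer3_demo()}.items():
        print(f"{step}: egress ports {ports}")
```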
Which Device Do You Need?
With the emergence of Layer 3 switches, deciding when to use a
Layer 2 switch and when to use a Layer 3 switch, choosing a Layer 3
switch for routing or choosing a router, and similar predicaments are
troubling many people. Which device is the better one according to your
needs?
Figure 1-09: Layer 2 Switch, Layer 3 Switch and Router
When choosing between Layer 2 and Layer 3 switches, you should
think about where the switch will be used. If you have a pure Layer 2
domain, you can simply go for a Layer 2 switch; if you need to do
inter-VLAN routing, then you need a Layer 3 switch. A pure Layer 2
domain is where the hosts are connected, so a Layer 2 switch will work
fine there. This is usually called the access layer in a network
topology. If the switch is required to aggregate multiple access
switches and do inter-VLAN routing, then a Layer 3 switch will be
needed. This is known as the distribution layer in a network topology.
Since both the Layer 3 switch and the router have routing
functions, which one is better? Actually, it is less a question of which
is better for routing, as both are useful in particular applications. If
you want to do multiple switching and inter-VLAN routing, and need
no further routing to the Internet Service Provider (ISP)/WAN, then
you can go well with a Layer 3 switch. Otherwise, you should go for
a router with more Layer 3 features.
Table 1-01: Layer 2 & Layer 3 Switches
Next-Generation Firewalls and IPS
Firewalls have evolved beyond simple packet filtering and stateful
inspection. Most companies are deploying next-generation firewalls
to block modern threats such as advanced malware and
application-layer attacks. According to Gartner, Inc.’s definition, a
next-generation firewall must include:
● Standard firewall capabilities like stateful inspection
● Integrated intrusion prevention
● Application awareness and control to see and block risky apps
● Upgraded paths to include future information feeds
● Techniques to address evolving security threats
Figure 1-10: Firewall
Traditional Firewall Vs. Next Generation Firewalls
As their names suggest, next generation firewalls are a more
advanced version of the traditional firewall, and they offer the
same benefits. Like regular firewalls, NGFWs use both static and
dynamic packet filtering and VPN support to ensure that all
connections between the network, internet, and firewall are valid
and secure. Both firewall types should also be able to translate
network and port addresses in order to map IPs.
There are also fundamental differences between next generation firewalls and traditional firewalls. The most obvious difference between the two is an NGFW's ability to filter packets based on applications. These firewalls have extensive control and visibility of the applications that they are able to identify using analysis and signature matching. They can use whitelists or a signature-based IPS to distinguish between safe applications and unwanted ones, and SSL decryption lets them identify those applications even inside encrypted traffic. Unlike most traditional firewalls, NGFWs also include a path through which future updates will be received.
Importance of Next Generation Firewalls
Installing a firewall is essential for any business. In today's environment, having a next generation firewall is a mandatory part of the network. Threats to personal devices and larger networks are changing every day. With the flexibility of an NGFW, it protects devices and companies from a much broader spectrum of intrusions. Although these firewalls are not the right solution for every business, security professionals should carefully consider the benefits that NGFWs can provide, as they have a very large upside.
Firepower announced its Next-Generation Firewall (NGFW) that
combines IPS threat prevention, integrated application control and
firewall capabilities in a high-performance security appliance.
Functions
● NGFWs are able to block threats from entering a network
● They are better equipped to address Advanced Persistent Threats (APTs)
● NGFWs can be a low-cost option for companies looking to improve their basic security because they can incorporate the work of antivirus, firewall, and other security applications into one solution
Applications
● Because NGFWs are more intelligent and perform deeper traffic inspection, they may also be able to perform intrusion detection and prevention. Some next-gen firewalls might include enough IPS functionality that a stand-alone IPS is not needed
● NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This can check phishing, virus, and other malware sites and applications
● They can identify and filter traffic based upon the specific applications, rather than just opening ports for any and all traffic. This prevents malicious applications and activity from using nonstandard ports to evade the firewall
Access Points
An access point is a device that offers network connectivity to a large number of endpoints. A wireless access point typically connects to a wired router, switch, or WLC to provide wireless connectivity. For example, if you want to enable Wi-Fi access in your company's reception area but do not have a router within range, you can install an access point near the front desk and run an Ethernet cable through the ceiling back to the server room.
Figure 1-11: Access Point
Advantages of Using Wireless Access Points
When you have both employees and guests connecting with their laptops, mobile phones, and tablets, several devices will be connecting to and disconnecting from the network. To support these simultaneous connections, an access point gives you the scalability to connect that number of devices on your network. But that's only one of the advantages of using these network enhancers; consider these points:
● Business-grade access points can be installed anywhere you
can run an Ethernet cable. Newer models are also compatible with
Power over Ethernet Plus, or PoE+ (a combination Ethernet and
power cord), so there is no need to run a separate power line or
install an outlet near the access point
● Additional standard features include Captive Portal and Access
Control List (ACL) support, so you can limit guest access without
compromising network security, as well as easily manage users
within your Wi-Fi network
● Selected access points include a Clustering feature—a single
point from which the IT administrator can view, deploy, configure,
and secure a Wi-Fi network as a single entity rather than a series
of separate access point configurations
Controllers (Cisco DNA Center and WLC)
Cisco DNA Center is the foundational controller and analytics
platform. DNA Center is the heart of Cisco’s intent-based network
architecture. Cisco DNA Center offers centralized, intuitive
management that makes it fast and easy to design, provision, and
apply policies across your network environment. The Cisco DNA
Center UI provides end-to-end network visibility and uses network
insights to optimize network performance and deliver the best
user and application experience.
The Cisco Wireless Controller (WLC) series devices provide a
single solution to configure, manage and support corporate
wireless networks, regardless of their size and locations. Cisco
WLCs have become very popular during the last decade as
companies move from standalone Access Point (AP) deployment
designs to a centralized controller-based design, reaping
the enhanced functionality and redundancy benefits that come with
controller-based designs.
Cisco currently offers a number of different WLC models, each
targeted for different sized networks. As expected, the larger
models (WLC 8500, 7500, 5760, etc.) offer more high-speed
gigabit network interfaces, high availability and some advanced
features required in large & complex networks, for example
supporting more VLANs and WiFi networks, thousands of AP &
Clients per WLC device, and much more.
Recently, Cisco has begun offering WLC services in higher-end
Catalyst switches by embedding the WLC inside Catalyst
switches e.g., Catalyst 3850, but also as a virtual image 'Virtual
WLC' that runs under VMware ESX/ESXi 4.x/5.x. Finally, Cisco ISR
G2 routers 2900 & 3900 series can accept Cisco UCS–E server
modules, adding WLC functionality and supporting up to 200
access points and 3000 clients.
Exam Tip: WLC interfaces, their physical and logical ports, how they connect to the network, and how wireless SSIDs are mapped to VLAN interfaces are very important topics for the exam.
Endpoints
An endpoint is a remote computing device that communicates back and forth with a network to which it is connected. Examples of endpoints include:
● Desktops
● Laptops
● Smartphones
● Tablets
● Servers
● Workstations
Endpoints represent key vulnerable points of entry for cybercriminals. Endpoints are where attackers execute code and exploit vulnerabilities, and where there are assets to be encrypted, exfiltrated or leveraged. With organizational workforces becoming more mobile and users connecting to internal resources from off-premise endpoints all over the world, endpoints are increasingly susceptible to cyberattacks. Objectives for targeting endpoints include, but are not limited to:
● Take control of the device and use it to execute attacks
● Use the endpoint as an entry point into an organization to access high-value assets and information
For several decades, organizations have heavily relied on the
antivirus as a means to secure endpoints. However, traditional
antiviruses can no longer protect against today’s modern threats.
An advanced endpoint security solution should prevent known and
unknown malware and exploits; incorporate automation to alleviate
security team workloads; and protect and enable users without
impacting system performance.
Servers
A server is a computer program or a device that provides
functionality for other programs or devices. A server is a software
or hardware device that accepts and responds to requests made
over a network. The device that makes the request, and receives a
response from the server, is called a client. On the internet, the
term "server" commonly refers to the computer system that
receives a request for a web document, and sends the requested
information to the client.
Servers are used to manage network resources. For example, a
user may set up a server to control access to a network,
send/receive emails, manage print jobs, or host a website. They
are also proficient at performing intense calculations. Some servers
are committed to a specific task, often referred to as dedicated.
However, many servers today are shared servers that can take on
the responsibility of emails, DNS, FTP, and even multiple websites
in the case of a web server.
Types of Servers
Servers are frequently categorized in terms of their purpose. A few instances of the types of servers available are:
● Web server: a computer program that serves requested HTML pages or files. In this circumstance, a web browser acts as the client or user
● Application server: a program in a computer in a distributed network that offers the business logic for an application program
● Proxy server: software that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service
● Mail server: an application that receives incoming emails from local users (people within the same domain) and remote senders and forwards outgoing emails for delivery
● Virtual server: a program running on a shared server that is configured in such a way that it appears to individual users that they have complete control of a server
● Blade server: a server chassis for housing multiple thin, modular electronic circuit boards, known as server blades. Each blade is a server in its own right, often dedicated to a single application
● File server: a computer responsible for the central storage and management of data files so that other computers on the same network can access them
● Policy server: a security component of a policy-based network that provides authorization services and facilitates tracking and control of files
Characteristics of Network Topology Architectures
Network topology is defined as the graphical arrangement of computer systems, or nodes, that form a computer network.
There are two types of network topology: physical topology and logical topology. The physical topology of a network refers to the physical arrangement of computer nodes based on the configuration of computers, cables, and other peripherals. Logical topology, by contrast, is the method used to pass information between workstations.
Both topologies exist in a Local Area Network (LAN). All the nodes in a LAN are connected with each other through a valid medium; the physical arrangement based on the hardware used shows the physical topology, while the data flow through this arrangement shows the logical topology.
The characteristics of network topology architecture are as
follows:
2 Tier
The word "tier" usually refers to splitting the two software layers onto two distinct physical pieces of hardware. Multi-layer programs can run on one tier or level, but because of operational preferences, many two-tier architectures utilize a computer for the first tier and a server for the second tier.
A two-tier or level architecture is a software architecture in
which a presentation layer or interface keeps running on a client,
and a data layer or data structure gets stored on a server.
Separating these two components into different locations
represents a two-tier architecture.
Figure 1-12: Two-Tier Network Design Model
3 Tier
A three-tier or level architecture is a client-server architecture design in which the functional process logic, data access, computer data storage and UI (user interface) are created and maintained as independent modules on discrete platforms. Three-tier architecture is a software configuration design pattern and a well-established software architecture structure.
Three-tier or level architecture permits any one of the three tiers to be upgraded or replaced independently. The UI (User Interface) is implemented on a desktop PC and it utilizes a standard GUI (Graphical User Interface) supported by different modules running on the application server.
The following three layers are included in a typical three-tier architecture network design:
● Core: provides high-performance routing and the optimal transport path between the distribution blocks. Due to the criticality of the core layer, the design principles of the core should provide a suitable level of flexibility that offers the capability to recover rapidly and easily after any network or system failure experienced within the core block
● Distribution: provides policy-based connectivity and acts as the boundary between the access and core layers
● Access: provides user/workgroup access to the network. The two essential and common hierarchical design architectures of enterprise networks are the three-tier and two-tier layer models
Figure 1-13: Three-Tier Network Design Model
The design model, illustrated in the above figure is usually used
in large enterprise campus systems or networks that are
constructed by multiple functional distribution layer blocks.
The hierarchical network design model breaks the complex level
system into multiple smaller and more manageable networks. Each
tier or level in the hierarchy is focused on a specific set of roles.
This design approach offers network designers a high degree
of flexibility to optimize and select the right network hardware,
software, and features to perform specific roles for the different
network layers.
Spine-Leaf
With the increased emphasis on massive information transmissions and instantaneous information travel in the network, the aging three-tier architecture within a data center is being replaced with the Leaf-Spine architecture. A Leaf-Spine architecture is adaptable to the continuously changing requirements of companies in big data industries with evolving data centers.
Leaf-Spine Network Topology
With Leaf-Spine configurations, all devices are exactly the same number of segments away from each other, which gives a predictable and consistent amount of latency or delay for traveling data. This is only possible because of the new topology design that has two layers, the Leaf layer and the Spine layer. The Leaf layer consists of access switches that connect to devices like servers, load balancers, firewalls, and edge routers. The Spine layer (made up of switches that perform routing) is the backbone of the network, where every Leaf switch is interconnected with each and every Spine switch.
Figure 1-14: Leaf-Spine Architecture Design
WAN
A Wide Area Network helps organizations expand geographically around the globe. By using WAN services from service providers, usually called "off-sourcing" or "outsourcing", organizations just have to focus on their local connectivity while the rest of the network is taken care of by the internet service providers. The following figure shows the basic network topology seen in a Wide Area Network in use today:
Figure 1-15: WAN Network
WAN Topology Options
There are four types of basic topologies for a WAN design.
Point-to-Point
The connection between two endpoints or nodes is known as
Point-to-Point connection. Typically, point-to-point connection is
used when a dedicated link is required from customer premises to
the provider’s network. Point-to-point communication links usually
offer high service quality, if they have adequate bandwidth. The
dedicated capacity removes latency or jitter between the endpoints.
Figure 1-16: Point-to-Point Topology
Hub and Spoke
In this topology, there is a single hub (central router) that
provides access from remote networks to a core router. You can
see below the diagram for Hub and Spoke.
Figure 1-17: Hub & Spoke Topology
Communication among the networks travels through the core
router. The advantages of a star physical topology are less cost
and easier administration, but the disadvantages can be significant:
● (HUB) The central router represents a single point of failure
● (HUB) The central router limits the overall performance for
access to centralized resources. It is a single pipe that manages
all traffic intended either for the centralized resources or for the
other regional routers
Full Mesh
In Full Mesh, each routing node on the edge of a given
packet-switching network has a direct path to every other node on
the cloud. You can see its working flow in the following diagram.
Figure 1-18: Full Mesh Topology
Configuration of this topology provides a high level of redundancy,
but the costs are the highest. In conclusion, a fully meshed
topology really is not viable in large packet-switched networks.
Here are some issues you will contend with by using a fully meshed topology:
● Many virtual circuits are required, one for every connection between routers, which brings up the cost
● Configuration of this topology is more complex for routers without multicast support in non-broadcast environments
Figure 1-19: Partially Meshed Topology
Single vs Dual-Homed
On one end of a WAN link, when a single connection is implemented using a single network interface, it is called a single-homed connection. When an additional network interface is dedicated to the same WAN link, it is called a dual-homed connection. This is typically done for purposes of redundancy.
This concept is applied to the organization's connection to its ISP in many cases. Taking this concept a step further, both single-homed and dual-homed connections can be duplicated, with one set of connections to one ISP and another set of connections to a different ISP, providing both link redundancy and ISP redundancy. When this is done with a dual-homed connection to each ISP, they are called dual-multi-homed connections. If a single-homed connection is provided for each ISP, it is called a dual-single-homed connection.
WAN Access Connectivity Options
WAN can use a number of different connection types available
on the market today. The figure below shows the different WAN
connection types that can be used to connect your LANs (made
up of data terminal equipment, or DTE) together over the Data
Communication Equipment (DCE) network.
Figure 1-20: WAN Access Connect Options
Let's look at the different WAN connectivity options:
Dedicated (Leased Line): Leased lines are usually called point-to-point or dedicated connections. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, and then over to the CPE of the remote site. The CPE enables DTE networks to communicate at any time with no cumbersome setup procedures to muddle through before transmitting data.
Circuit Switching: When you see the term circuit switching, think phone call. The big advantage is cost; Plain Old Telephone Service (POTS) and ISDN dial-up connections are not flat rate, which is their advantage over dedicated lines because you pay only for what you use, and you pay only when the call is established. No data can be transferred before an end-to-end connection is established. Circuit switching uses dial-up modems or ISDN and is used for low-bandwidth data transfers.
Packet Switching: A WAN switching method that allows you to share bandwidth with other companies to save money, just like a super old party line, where homes shared the same phone number and line to save money. Packet switching can be thought of as a network that is designed to look like a leased line, yet it charges you less, like circuit switching does. As usual, you get what you pay for, and there is definitely a serious downside to this technology.
Small Office/Home Office (SOHO)
SOHO is generally a remote office or enterprise environment with a small to medium infrastructure. SOHO users are connected to the corporate headquarters by using WAN MPLS or other technology-based services provided by service providers. Normally, access switches are used to provide connectivity within the SOHO environment.
Figure 1-21: SOHO Network Topology
On-Premises and Cloud
On-premises system monitoring software has been the standard for quite a long time. Presently, some organizations are moving to cloud-based network monitoring and management. Some applications make a lot of sense in the cloud, like CRM software and marketing automation solutions. Deploying in the cloud can save your organization expenses and give you greater flexibility.
Physical Interface and Cabling Types
Physical interfaces consist of a software driver and a connector into which you connect network media, such as an Ethernet cable. Cabling, on the other hand, is the channel through which data transfers from one network device to another. There are numerous types of cable that are generally used with LANs. In some cases, a network will utilize only one type of cable; other networks will use multiple types of cable.
The type of cable selected for a network is related to the protocol,
network’s topology, and size. Understanding the features of
different types of cables and how they relate to further aspects of
a network is essential for the evolution of a successful network.
The following sections discuss the categories of cables used in
networks and other related topics.
Cabling Type and Implementation Requirements
Selecting the Appropriate Cabling Type Based on Implementation Requirements
Several types of cables and connectors can be used in a network, depending on the requirements for the network and the type of Ethernet to be implemented. These connectors also vary depending on the type of media that you have installed. Nowadays, Ethernet is considered the king when it comes to cabling. The table below shows some forms of Ethernet cabling of which you should be aware:
Table 1-02: Various Cabling Options
Ethernet Connectivity Recommendations
Table 1-03: Cabling Requirements over Different Layers
Straight and Crossover Cables: Making the right choice of cable can be tricky when troubleshooting. Just imagine, you have already checked the running configurations, all of which you thought you programmed accurately, and then all of a sudden one of the power indicators for the switch is not lighting up because you used the wrong cable.
Figure 1-22: Ethernet Cable
The straight cable wiring scheme is the same at both ends, but in the case of a crossover cable it is different; that is why crossover cables are called crossover cables, because the strands cross over. Just notice that pins 1 and 2 cross over with 3 and 6 and vice versa, or keep in mind that the orange pair wires are swapped with the green pair.
Let's figure out what type of cable we have to use based on the devices being connected:
● A crossover cable is used between similar devices
● A straight-through cable is used between dissimilar devices
All of the devices attached to a switch must use a straight-through cable
- Except: switch to switch and switch to hub
A crossover cable is used for the devices given below:
● Similar Devices
● Switch to Switch
● Router to Router
● Hub to Hub
● Switch to Hub
● PC to PC
● Router to PC
A straight-through cable is used for the devices given below:
● Switch and Hub
● Switch to Router
● Switch to PC
● Switch to Server
● Hub to PC
● Hub to Server
● Router and Hub
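To make the rule behind the two lists above concrete, here is an added example (my own code, not from the workbook) that models Ethernet pin assignments: PCs, routers and servers transmit on pins 1 and 2 (MDI), while switches and hubs transmit on pins 3 and 6 (MDI-X). A link only comes up when one end's transmit pair lands on the other end's receive pair, which is exactly what a crossover cable arranges between two like devices. The device groupings and the classify_cable, link_will_come_up and required_cable helpers are assumptions made for this example.

```python
# Added example: which Ethernet cable a device pair needs, derived from the
# pin-level rule rather than memorised from a list.
# 10BASE-T/100BASE-TX use two pairs: pins 1,2 and pins 3,6 (4,5,7,8 are idle).
# MDI devices (PC, router, server) transmit on 1,2 and receive on 3,6;
# MDI-X devices (switch, hub) are wired the opposite way.
# The device groupings below are an assumption for this example.

MDI_DEVICES = {"pc", "router", "server"}
MDI_X_DEVICES = {"switch", "hub"}

# Wire maps: pin at end A -> pin at end B.
STRAIGHT_THROUGH = {pin: pin for pin in range(1, 9)}
CROSSOVER = {1: 3, 2: 6, 3: 1, 6: 2, 4: 4, 5: 5, 7: 7, 8: 8}


def classify_cable(wire_map):
    """Name a cable from its wire map; anything else is a wiring fault."""
    if wire_map == STRAIGHT_THROUGH:
        return "straight-through"
    if wire_map == CROSSOVER:
        return "crossover"
    return "miswired"


def tx_pins(device):
    """Ordered (positive, negative) transmit pins for a device type."""
    if device in MDI_DEVICES:
        return (1, 2)
    if device in MDI_X_DEVICES:
        return (3, 6)
    raise ValueError(f"unknown device type: {device}")


def rx_pins(device):
    """The receive pair is whichever pair the device does not transmit on."""
    return (3, 6) if tx_pins(device) == (1, 2) else (1, 2)


def link_will_come_up(device_a, wire_map, device_b):
    """True when A's TX pair lands on B's RX pair and vice versa.

    Order matters: pin 1 must reach pin 3 and pin 2 must reach pin 6, so a
    cable with one pair's polarity swapped is reported as a failure too.
    """
    a_to_b = tuple(wire_map[p] for p in tx_pins(device_a))
    reverse_map = {b: a for a, b in wire_map.items()}
    b_to_a = tuple(reverse_map[p] for p in tx_pins(device_b))
    return a_to_b == rx_pins(device_b) and b_to_a == rx_pins(device_a)


def required_cable(device_a, device_b):
    """Try both standard cables and return the one that links the pair.

    Like devices (both MDI or both MDI-X) end up needing a crossover and
    unlike devices a straight-through, without that rule being hard-coded.
    """
    for wire_map in (STRAIGHT_THROUGH, CROSSOVER):
        if link_will_come_up(device_a, wire_map, device_b):
            return classify_cable(wire_map)
    return None


if __name__ == "__main__":
    for pair in [("switch", "pc"), ("switch", "switch"), ("router", "pc"),
                 ("router", "hub"), ("switch", "hub"), ("pc", "pc")]:
        print(f"{pair[0]:>7} <-> {pair[1]:<7} needs {required_cable(*pair)}")
```

On current switches and NICs, Auto-MDI-X negotiates the pair assignment and 1000BASE-T uses all four pairs, so the wrong cable will often still link; the pin-level rule above is what the exam, and older or fixed-configuration hardware, assumes.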
Single Mode Fiber, Multimode Fiber, Copper
Single Mode Cable
Single Mode Cable is a single strand (most applications use 2 fibers) of glass fiber with a diameter of 8.3 to 10 microns that has one mode of transmission. Single Mode Fiber has a relatively narrow diameter through which only one mode will propagate, usually at 1310 or 1550 nm. It carries higher bandwidth than multimode fiber, but requires a light source with a narrow spectral width.
Single Mode Fiber is used in many applications where data is sent at multiple frequencies (WDM, Wave-Division-Multiplexing) so only one cable is needed (single-mode on one single fiber).
Single-mode fiber gives you a higher transmission rate and up to 50 times more distance than multimode, but it also costs more. Single-mode fiber has a much smaller core than multimode. The small core and single light-wave virtually eliminate any distortion that could result from overlapping light pulses, providing the least signal attenuation and the highest transmission speeds of any fiber cable type.
Single-mode optical fiber is an optical fiber in which only the lowest order bound mode can propagate at the wavelength of interest, typically 1300 to 1320 nm.
Multimode Cable
Multimode Cable has a slightly bigger diameter, with common diameters in the 50-to-100 micron range for the light-carrying component (in the US, the most common size is 62.5 um). In most applications in which multimode fiber is used, 2 fibers are used (WDM is not usually used on multi-mode fiber).
Multimode fiber gives you high bandwidth at high speeds (10 to 100 Mbps, and Gigabit over 275 m to 2 km) over medium distances. Light waves are dispersed into numerous paths, or modes, as they travel through the cable's core, typically at 850 or 1300 nm. Typical multimode fiber core diameters are 50, 62.5, and 100 micrometers. However, in long cable runs (greater than 3000 feet [914.4 meters]), the multiple paths of light can cause signal distortion at the receiving end, resulting in an unclear and incomplete data transmission. So, designers now call for single mode fiber in new applications using Gigabit and beyond.
Copper Cable
Networks use copper media because it is inexpensive, easy to install, and has low resistance to electrical current. However, copper media is limited by distance and signal interference.
Data is transmitted on copper cables as electrical pulses
between networks. A detector in the network interface of a
destination device must receive a signal that can be successfully
decoded to match the signal sent. However, the longer the signal
travels, the more it deteriorates in a phenomenon referred to as
signal attenuation. For this reason, all copper media must follow
strict distance limitations as specified by the guiding standards.
Copper Media
In networking, there are three main types of copper media used:
● Unshielded Twisted-Pair (UTP)
● Shielded Twisted-Pair (STP)
● Coaxial
Unshielded Twisted Pair (UTP) Cable
Twisted pair cabling comes in two varieties: shielded and
unshielded. Unshielded Twisted Pair (UTP) is the most popular
and is generally the best option for school networks.
Figure 1-23: Unshielded Twisted Pair
The quality of UTP may vary from telephone-grade wire to
extremely high-speed cable. A cable has four pairs of wires inside
a jacket. Each pair is twisted with a different number of twists per
inch to help eliminate interference from adjacent pairs and other
electrical devices. The EIA/TIA (Electronic Industry
Association/Telecommunication Industry Association) has
established standards of UTP and rated five categories of wire.
Table 1-04: Categories of Unshielded Twisted Pair
Unshielded Twisted Pair Connector
The standard connector for unshielded twisted pair cabling is a
RJ-45 connector. This is a plastic connector that looks like a large
telephone-style connector. A slot allows the RJ-45 to be inserted
only one way. RJ stands for Registered Jack, implying that the
connector follows a standard borrowed from the telephone
industry.
This standard designates which wire goes with each pin inside
the connector.
Figure 1-24: RJ-45 Connector
A disadvantage of UTP is that it may be susceptible to radio
and electrical frequency interference. Shielded Twisted Pair (STP) is
suitable for environments with electrical interference; however, the
extra shielding can make the cables quite bulky. Shielded twisted
pair is often used on networks using Token Ring technology.
Figure 1-25: Shielded Twisted Pair (STP)
Coaxial Cable
Coaxial Cabling has a single copper conductor at its center. A plastic layer provides insulation between the center conductor and a braided metal shield. The metal shield helps to block any outside interference from fluorescent lights, motors, and other computers.
Figure 1-26: Coaxial Cable
Coaxial Cable Connectors
The most common type of connector used with coaxial cables is the Bayonet Neill-Concelman (BNC) connector. Different types of adapters are available for BNC connectors, including a T-connector, barrel connector, and terminator. Connectors on the cable are the weakest points in any network. To help avoid problems with your network, always use the BNC connectors that crimp, rather than screw, onto the cable.
Figure 1-27: BNC Connector
Fiber Optic Cable
Fiber Optic Cabling consists of a center glass core surrounded by several layers of protective materials. It transmits light rather than electronic signals, eliminating the problem of electrical interference. This makes it ideal for certain environments that contain a large amount of electrical interference. Due to its immunity to the effects of moisture and lightning, it has become the standard for connecting networks between buildings.
Fiber optic cable has the ability to transmit signals over much
longer distances than coaxial and twisted pair. It also has the
capability to carry information at vastly greater speeds. This
capacity broadens communication possibilities to include services
such as video conferencing and interactive services. The cost of
fiber optic cabling is comparable to copper cabling; however, it is
more difficult to install and modify.
Figure 1-28: Fiber Optic Cable
Fiber Optic Cable Connector
The most common connector used with fiber optic cable is a
ST (Straight Tip) connector. It is barrel shaped, similar to a BNC
connector. A newer connector, the SC (Subscriber Connector), is
becoming more popular. It has a squared face and is easier to
connect in a confined space.
Table 1-05: Ethernet Cable Summary
Connections
Point-to-Point:
● Computers are connected by communication channels that each connect exactly two computers with access to the full channel bandwidth
● Forms a mesh or point-to-point network
● Allows flexibility in communication hardware, packet formats, etc.
● Provides security and privacy because the communication channel is not shared
● The number of channels grows as the square of the number of computers; for n computers: (n² - n)/2
Shared or Broadcast:
● All computers are connected to a shared broadcast-based communication channel and share the channel bandwidth
● Security issues as a result of broadcasting to all computers
● Cost effective due to the reduced number of channels and interface hardware components
Concepts of PoE
Power over Ethernet (PoE) is a technology for wired Ethernet Local Area Networks that allows the electrical power required for the operation of each device to be carried by the data cables rather than by power cords. Doing so minimizes the number of wires that must be strung in order to install the network. PoE was originally developed in 2003 to support devices like Wi-Fi Access Points. PoE made AP installations easier and more flexible, especially on ceilings.
For PoE to work, the electrical current must go into the data
cable at the power-supply end, and come out at the device end,
in such a way that the current is kept separate from the data
signal so that neither interferes with the other. The current enters
the cable by means of a component called an injector. If the
device at the other end of the cable is PoE compatible, then that
device will function properly without modification. If the device is
not PoE compatible, then a component called a picker (or tap)
must be installed to remove the current from the cable. This
"picked-off" current is routed to the power jack.
Identifying Interface and Cable Issues
Interface and cable issues can be due to collisions, errors, a duplex
mismatch or a speed mismatch. The show interface command on a
switch displays a large set of counters for the errors and problems that
can arise from interface and cable issues.
Example 1-1: The “show interface” Output on a Cisco Switch
Switch#show interface gi 0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3eb4.b62b (bia fa16.3eb4.b62b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Unknown, Unknown, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32562
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
6783 packets input, 0 bytes, 0 no buffer
Received 14 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
108456 packets output, 7107939 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Switch#
Collisions
A collision is the mechanism used by Ethernet to control access
and allocate shared bandwidth among stations that want to
transmit at the same time on a shared medium. The mechanism by which
stations on a shared medium notice that they have transmitted at the
same time is known as collision detection. It must exist wherever two
stations can transmit data at the same time. Collision detection is
disabled in full-duplex Ethernet; half-duplex Ethernet uses CSMA/CD
(Carrier Sense Multiple Access/Collision Detection) as its collision
detection method. Here is a simplified example of Ethernet operation:
Figure 1-29: Collision Architecture
Station A wishes to send a frame. First, it checks if the medium
is available (Carrier Sense). If it is not, it waits until the current
sender on the medium has finished.
Suppose Station A believes the medium is available and attempts
to send a frame. Because the medium is shared (Multiple
Access), other senders might also attempt to send at the same
time. At this point, Station B tries to send a frame at the same
time as Station A.
Shortly after, Station A and Station B realize that another
device is attempting to send a frame (Collision Detect). Each station
waits for a random amount of time before sending again. The
time after the collision is divided into time slots; Station A and
Station B each pick a random slot for attempting a
retransmission.
Should Station A and Station B attempt to retransmit in the same
slot, they extend the number of slots. Each station then picks a
new slot, thereby decreasing the probability of retransmitting in
the same slot.
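The slotted retransmission procedure just described, written out as an added Python example (not the workbook's own code) and generalized from two stations to any number: every pending station transmits at once, the slot window doubles after each collision, and only stations that picked a unique slot get through. The 16-attempt limit and the 1024-slot cap are the IEEE 802.3 values; the function names and the seeded random choice are mine.

```python
import random

# Added example (not from the workbook): the slotted retransmission procedure from
# the collision walkthrough, generalized from two stations to any number.

MAX_ATTEMPTS = 16      # 802.3 gives up on a frame after 16 consecutive collisions

def backoff_window(collisions):
    """Slots a station may choose from after `collisions` collisions: 2, 4, 8, ...
    The window doubles every time (binary exponential backoff) and 802.3 caps it
    at 1024 slots."""
    return min(2 ** collisions, 1024)

def simulate_csma_cd(stations=2, seed=1):
    """All `stations` have a frame ready at the same instant. Returns the number of
    collisions before every frame has been sent. `seed` makes the run repeatable."""
    rng = random.Random(seed)
    pending = list(range(stations))
    collisions = 0
    while pending:
        if len(pending) == 1:
            break                        # Carrier Sense sees a free medium: send
        # Multiple Access: every pending station transmits at once and they all
        # hear the overlap (Collision Detect).
        collisions += 1
        if collisions > MAX_ATTEMPTS:
            raise RuntimeError("frame discarded after excessive collisions")
        window = backoff_window(collisions)
        chosen = {s: rng.randrange(window) for s in pending}
        occupancy = {}
        for slot in chosen.values():
            occupancy[slot] = occupancy.get(slot, 0) + 1
        # A slot held by exactly one station is a clean retransmission; stations
        # that picked the same slot will collide again on the next round.
        pending = [s for s in pending if occupancy[chosen[s]] > 1]
    return collisions

def average_collisions(stations, runs=200):
    """Mean collisions over `runs` seeded simulations, to see how contention grows."""
    return sum(simulate_csma_cd(stations, seed) for seed in range(runs)) / runs

if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        print(f"{n} stations: {average_collisions(n):.2f} collisions on average")
```

The averages make the point the text leaves implicit: contention (and therefore lost bandwidth) grows quickly with the number of stations sharing one half-duplex segment, which is why the duplex and collision counters in the show interface output deserve attention.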
Errors
Errors may occur in your network for a wide variety of reasons.
For example, there could be electrical interference somewhere, or
a bad Network Interface Card that is not able to frame
things correctly for the network. Remember, the Frame Check
Sequence (FCS) is often what catches these errors. Each time
a router forwards a packet on an Ethernet network, it replaces
and rewrites the Layer 2 Ethernet header information, along with a
new FCS.
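An added Python example (not the workbook's own code) of what the FCS does: it builds an Ethernet frame with a CRC-32 trailer, shows that a single flipped bit anywhere in the frame is caught, and models the router behaviour from the paragraph above, keeping the payload while replacing the Layer 2 addresses and generating a fresh FCS. The source MAC is the one shown in Example 1-1; the destination and router MACs, the payload and the function names are constructed for this example. Minimum-frame padding is not modelled.

```python
import struct
import zlib

# Added example (not from the workbook): Ethernet FCS generation and checking.

def ethernet_fcs(frame_body):
    """32-bit FCS for `frame_body` (header + payload). 802.3 uses CRC-32 with the
    same polynomial and conventions as zlib.crc32; the FCS goes on the wire
    least-significant byte first, hence the little-endian packing."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)

def build_frame(dst, src, ethertype, payload):
    """Assemble dst | src | EtherType | payload | FCS (minimum-size padding not modelled)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)

def fcs_ok(frame):
    """What a receiving NIC does: recompute the CRC over everything but the
    trailer and compare it with the trailer that arrived."""
    if len(frame) < 18:           # 14-byte header + 4-byte FCS is the smallest we can check
        return False
    return ethernet_fcs(frame[:-4]) == frame[-4:]

def rewrite_header(frame, new_dst, new_src):
    """Model the router behaviour from the text: keep the payload, replace the
    Layer 2 addresses and generate a fresh FCS for the new frame. A frame whose
    FCS is already bad is dropped rather than forwarded."""
    if not fcs_ok(frame):
        raise ValueError("refusing to forward a frame with a bad FCS")
    ethertype = frame[12:14]
    payload = frame[14:-4]
    body = new_dst + new_src + ethertype + payload
    return body + ethernet_fcs(body)

def flip_bit(data, bit_index):
    """Simulate electrical interference corrupting one bit of the frame."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

# Constructed sample frame; fa16.3eb4.b62b is the switch port MAC shown in Example 1-1.
SRC_MAC = bytes.fromhex("fa163eb4b62b")
DST_MAC = bytes.fromhex("001122334455")      # constructed destination
ROUTER_MAC = bytes.fromhex("0a0b0c0d0e0f")   # constructed next-hop rewrite address
SAMPLE_FRAME = build_frame(DST_MAC, SRC_MAC, 0x0800, b"constructed IPv4 payload")

if __name__ == "__main__":
    print("original frame FCS ok:", fcs_ok(SAMPLE_FRAME))
    print("after one flipped bit:", fcs_ok(flip_bit(SAMPLE_FRAME, 100)))
    forwarded = rewrite_header(SAMPLE_FRAME, ROUTER_MAC, DST_MAC)
    print("rewritten frame FCS ok:", fcs_ok(forwarded))
```

A frame that fails this check is what the show interface output counts under "CRC" and "input errors"; a rising CRC counter on a port therefore points at cabling, interference or a faulty NIC rather than at anything above Layer 2.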
Duplex
This used to be a big concern in Ethernet LANs. Because you
might have been using half-duplex due to hubs in your network,
you had to ensure that duplex mismatches did not occur
between full-duplex (switched) areas and half-duplex areas. Today,
auto-negotiation to full-duplex between devices is common. If an
older device is hard-coded to half-duplex and you configure the LAN
device connected to it for full-duplex, a duplex mismatch can still result.
These can be difficult to track down, since some packets typically
make it through the connection fine while others are dropped. In
networks that operate in half-duplex, Carrier Sense Multiple Access
with Collision Detection (CSMA/CD) is the technology that allows
devices to share the half-duplex medium.
Speed
Speed is another area where conflict can occur, but it is also
becoming a less common problem as technologies advance. For
example, 1 Gigabit per second interfaces are quite common now
and operate with each other seamlessly at 1 Gbps. The issue
again is older equipment that might default to a slower speed,
causing a speed mismatch.
There are some terms used in the above example, so we need
to explore these terms briefly:
Table 1-06: Cable Terminologies
TCP vs. UDP
There are two types of Internet Protocol (IP) traffic: TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP is connection-oriented; once a connection is established, data
can be sent bidirectionally. UDP is a simpler, connectionless internet
protocol. Multiple messages are sent as packets in chunks using UDP.
Unlike TCP, UDP adds no reliability, flow-control, or error-recovery
functions to IP packets. Because of UDP's simplicity, UDP headers
contain fewer bytes and consume less network overhead than TCP.
The following table demonstrates the comparison of TCP and
UDP protocol:
Table 1-07: Comparison of TCP and UDP Protocol
TCP and UDP Working
Figure 1-30: TCP and UDP Working
IPv4 Addressing and Subnetting
In this topic, we are going to explore IPv4 addressing and
subnetting. First of all, you should know what an IP address is.
IP Address: An IP address is the way to represent a host in a
network or, in simple words, a unique string of numbers
separated by full stops that identifies each computer using the
Internet Protocol to communicate over a network. An example is
given below:
An IPv4 address is a 32-bit number that we like to represent in
dotted decimal notation. Consider using a conversion chart for the
8 bits that exist in an octet to help you with the various
subnetting exercises you might encounter in the exam.
Table 1-08: Comparison Chart for IPV4 Addressing and Subnetting
Example: to represent 186 we turn ON these bits:
10111010 (128 + 32 + 16 + 8 + 2 = 186). Using the table above, you can
easily calculate such values.
CIDR (Classless Inter-Domain Routing) is a slash notation for the subnet
mask. CIDR tells us the number of on bits in a network address.
An IPv4 address is a 32-bit, 4-octet number written in a format such as
192.168.1.1/24
Here /24 is the CIDR notation; it defines how many bits belong to the
network and, therefore, how many are left for hosts.
Earlier on, in the development of TCP/IP, the designers created
address classes to attempt to accommodate networks of
various sizes. Notice that they did this by setting the initial bit
values.
IP addresses are broken into two components:
Network: the network segment of the device.
Host: the specific device on a particular network segment.
Table 1-09: Ipv4 Address Range
0 [Zero] is reserved and represents all IP addresses
127 is a reserved address and is used for testing, like a loop back
on an interface. For example: 127.0.0.1
255 is a reserved address and is used for broadcasting purposes
IPv4 Subnetting: Subnetting is the process of dividing a large
network into smaller networks based on the layer 3 IP address.
Every computer on a network has an IP address that represents its
location on the network. Two versions of IP addresses are
available, IPv4 and IPv6. In this workbook, we will
perform subnetting on IPv4.
Another critical memorization point here is the default subnet
masks for these address classes. Remember, it is the job of the
subnet mask to define what portion of the 32-bit address
represents the network portion versus the host portion. The table
below defines the default masks.
Table 1-10: IPV4 Subnetting
Note that subnet masks must use continuous on bits (1). This
results in the only possible values in a subnet mask octet as
shown in the table below:
Table 1-11: Subnet Mask Values
Subnet Mask: A subnet mask is a 32-bit value used to
distinguish between the network address and the host address in an IP
address. A subnet mask is always used together with an IP address. It
has only one purpose: to identify which part of an IP
address is the network address and which part is the host address.
For example, how will we figure out the network partition and host
partition of the IP address 192.168.1.4? Here, we need the subnet mask
to get details about the network address and host address.
In decimal notation, subnet mask values 1 to 255 represent the
network address and the value 0 [Zero] represents the host address.
In binary notation, a subnet mask ON bit [1] represents the network
address while an OFF bit [0] represents the host address.
In Decimal Notation
IP address 192.168.1.4
Subnet mask 255.255.255.0
Network address is 192.168.1.0 and host address is 192.168.1.4.
The binary notation for the host address will be:
In Binary Notation
IP address 11000000.10101000.00000001.00000100
Subnet mask 11111111.11111111.11111111.00000000
Network address is 11000000.10101000.00000001 and host
address is 00000100.
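The decimal and binary split shown above, as an added Python example that is not the workbook's own code. It does the arithmetic with raw bit operations so each step of the reasoning stays visible, and it generalizes the split to any address and mask: it checks that a mask is made of continuous ON bits, derives the class from the leading bits of the first octet, flags RFC 1918 private space, and applies the 2^n - 2 host formula. The function names are mine; the sample addresses 192.168.1.4 with mask 255.255.255.0 and 172.18.27.0 are the workbook's.

```python
# Added example (not from the workbook): IPv4 address and subnet mask arithmetic
# with raw bit operations, so the binary reasoning from the text is visible.

PRIVATE_RANGES = [            # RFC 1918 private address space
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]

def ip_to_int(ip):
    """'192.168.1.4' -> 0xC0A80104, rejecting anything that is not four octets 0..255."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(ip):
    """Dotted binary notation, e.g. 11000000.10101000.00000001.00000100."""
    return ".".join(f"{(ip_to_int(ip) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def is_valid_mask(mask):
    """A mask must be contiguous 1s followed by contiguous 0s (the 'continuous on bits' rule)."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF     # host bits become 1s
    return (inverted & (inverted + 1)) == 0       # true only if those 1s are one low-order run

def prefix_length(mask):
    return bin(ip_to_int(mask)).count("1")

def mask_from_prefix(prefix):
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def address_class(ip):
    """Classes come from the leading bits of the first octet: 0 A, 10 B, 110 C, 1110 D, else E."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

def is_private(ip):
    a = ip_to_int(ip)
    return any((a & ip_to_int(mask)) == ip_to_int(net) for net, mask in PRIVATE_RANGES)

def subnet_info(ip, mask):
    """Split an address into network and host portions and count usable hosts (2^n - 2)."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    a, m = ip_to_int(ip), ip_to_int(mask)
    host_bits = 32 - prefix_length(mask)
    network = a & m
    return {
        "class": address_class(ip),
        "private": is_private(ip),
        "prefix": prefix_length(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(network | (~m & 0xFFFFFFFF)),
        "host_part": int_to_ip(a & ~m & 0xFFFFFFFF),
        # the workbook's 2^n - 2 formula; /31 point-to-point links (RFC 3021)
        # and /32 host routes are special cases it does not cover
        "usable_hosts": max(2 ** host_bits - 2, 0),
    }

if __name__ == "__main__":
    print(to_binary("192.168.1.4"), "/", to_binary("255.255.255.0"))
    for key, value in subnet_info("192.168.1.4", "255.255.255.0").items():
        print(f"{key:13} {value}")
```

The mask check is the one most worth keeping: a mask such as 255.0.255.0 is numerically valid as four octets but breaks the network/host split, and the workbook's rule that ON bits must be continuous is exactly what the inverted-plus-one trick enforces.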
Advantages of Subnetting
Subnetting breaks a large network into smaller networks, and smaller
networks are easier to manage
Subnetting reduces network traffic by limiting the scope of collision and
broadcast traffic, which improves overall performance
Subnetting allows you to apply network security policies at the
interconnection between subnets
Subnetting allows you to save money by reducing the requirement
for IP address ranges
Example Class C Subnetting
Table 1-12: Subnet Mask Status
You can see clearly that 192.168.1.4 belongs to Subnet 1, so by
using this simple method, you can calculate things easily.
Example 2: Given 172.18.27.0, 123 Hosts
Table 1-13: Subnet Mask Table
The Need for Private IPv4 Addressing
The designers of IPv4 created private address space to help
alleviate the depletion of IPv4 addresses. This address space is
not routable on the public internet. The address space can be
used as needed inside corporations and would then be translated
using Network Address Translation (NAT) to allow access to and
through the public internet.
The use of private addresses and NAT means that the same
address ranges tend to be used in homes today (typically in the
192.168.1.X range). The table below shows you the private address
space:
Table 1-14: The IPv4 Private Address Ranges
Case Study
A local bank in your city has recently revamped their WAN and
LAN network. The bank has 14 branches in the city connected to
Head Office over frame relay network. All links are point to point
(unique subnet). The Head office has around 400 hosts and each
of the branches has 15 to 20 hosts. You are assigned the task of
designing the private network schema for the bank.
Solution
You have decided to use the Class A “10.0.0.0” network
segment for the bank network.
Figure 1-31: IPV4 Addressing and Subnetting
Head Office LAN
Let’s start with HO (Head Office) LAN, which has 400 hosts.
You discussed with your senior and he advised that 400 hosts in
a single segment could create a lot of broadcast traffic. You
decided to break the LAN segment into two subnets.
1. Network: 10.0.0.0 Mask: 255.0.0.0
You only need 200 hosts in your LAN segment.
Use the formula 2^n – 2 to calculate the number of hosts per
subnet, where n is the number of bits for the host portion.
2. No of Hosts: (2^8)-2=254
Branches LAN
No of branches: 14
No of hosts in each branch: 15-20
No of Hosts: (2^5)-2=30
No of Subnets: (2^5)-2=30
Note: We could have taken (2^4)-2=14 for the number of
networks but it will just be enough for the current scenario. We
should always leave some buffer for future expansion.
We will start from subnet 10.1.3.0/27, which will give us 30
hosts in each subnet.
Table 1-15: LAN Branch Status
WAN
As all the links are point-to-point, there will be 14 subnets in
total, with each subnet having 2 hosts.
No of hosts (routers) in each subnet: 2
No of point-to-point segments: 14
No of Hosts: (2^1)-2=2
No of Subnets: (2^5)-2=30
We will start from subnet 10.1.3.0/30, which will give us 2
hosts in each subnet.
Table 1-16: WAN Branch Status
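The bank case study carried through as an added Python example (not the workbook's solution): it turns each host requirement into the smallest prefix whose 2^n - 2 usable hosts suffice, then carves the subnets out of the 10.0.0.0 pool largest-first so nothing is wasted on alignment. It uses the standard-library ipaddress module; the function names and the labels are mine, and because it allocates from the start of the pool the concrete subnets differ from the 10.1.3.0 starting point in the workbook's tables while the prefix lengths (/24, /27, /30) match.

```python
import ipaddress

# Added example (not from the workbook): VLSM plan for the bank case study.

def prefix_for_hosts(hosts):
    """Smallest number of host bits n with 2^n - 2 >= hosts, returned as a prefix length."""
    n = 1
    while 2 ** n - 2 < hosts:
        n += 1
    return 32 - n

def plan(base, demands):
    """Carve one subnet per (label, hosts) demand out of `base`, largest first.
    Allocating largest-first keeps every subnet aligned to its own size, so no
    address space is lost to alignment gaps; the order within one size is kept."""
    pool = ipaddress.ip_network(base)
    cursor = int(pool.network_address)
    end = int(pool.broadcast_address) + 1
    allocations = []
    for label, hosts in sorted(demands, key=lambda d: prefix_for_hosts(d[1])):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size           # round up to a multiple of size
        if cursor + size > end:
            raise ValueError(f"{base} exhausted while allocating {label}")
        subnet = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        allocations.append((label, hosts, str(subnet), subnet.num_addresses - 2))
        cursor += size
    return allocations

def bank_plan():
    """Head office split into two 200-host subnets, 14 branch LANs of up to 20
    hosts, and 14 point-to-point WAN links, all from the Class A 10.0.0.0 pool."""
    demands = [("HO LAN subnet 1", 200), ("HO LAN subnet 2", 200)]
    demands += [(f"Branch {i} LAN", 20) for i in range(1, 15)]
    demands += [(f"WAN link to branch {i}", 2) for i in range(1, 15)]
    return plan("10.0.0.0/8", demands)

def lookup(allocations, label):
    for entry in allocations:
        if entry[0] == label:
            return entry
    return None

if __name__ == "__main__":
    for label, hosts, subnet, usable in bank_plan():
        print(f"{label:22} needs {hosts:3} hosts -> {subnet:18} ({usable} usable)")
```

Keeping the allocation in one place like this also makes the security policy boundaries explicit: each branch LAN and each WAN link is its own subnet, so filtering at the interconnections (one of the subnetting advantages listed earlier) can be written per subnet rather than per host.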
IPv6 Addressing and Prefix
IPv6, formerly named IPng (next generation), is the latest version
of the Internet Protocol (IP). IP is a packet-based protocol used
to exchange data, voice, and video traffic over digital networks.
IPv6 was proposed when it became clear that the 32-bit
addressing scheme of IP version 4 (IPv4) was inadequate to meet
the demands of internet growth. After extensive discussion, it was
decided to base IPng on IP but add a much larger address space
and improvements such as a simplified main header and
extension headers. IPv6 is described initially in RFC 2460, Internet
Protocol, Version 6 (IPv6) Specification, issued by the Internet
Engineering Task Force (IETF). Further RFCs describe the
architecture and services supported by IPv6.
Internet Protocol version 6 (IPv6) expands the number of
network address bits from 32 bits (in IPv4) to 128 bits, which
provides more than enough globally unique IP addresses for every
networked device on the planet. The unlimited address space
provided by IPv6 allows Cisco to deliver more and newer
applications and services with reliability, improved user experience,
and increased security.
Implementing basic IPv6 connectivity in the Cisco software
consists of assigning IPv6 addresses to individual device
interfaces. IPv6 traffic forwarding can be enabled globally, and
Cisco Express Forwarding switching for IPv6 can also be enabled.
The user can enhance basic connectivity functionality by
configuring support for AAAA (Authentication, Authorization,
Accounting, and Auditing) record types in the Domain Name
System (DNS) name-to-address and address-to-name lookup
processes, and by managing IPv6 neighbor discovery.
Restrictions for Implementing IPv6 Addressing and Basic
Connectivity
IPv6 packets are transparent to Layer 2 LAN switches because the
switches do not examine Layer 3 packet information before
forwarding IPv6 frames. Therefore, IPv6 hosts can be directly
attached to Layer 2 LAN switches.
Multiple IPv6 global addresses within the same prefix can be
configured on an interface.
IPv6 Address Formats
IPv6 addresses are represented as a series of 16-bit hexadecimal
fields separated by colons (:) in the format: x:x:x:x:x:x:x:x. Following
are two examples of IPv6 addresses:
2001:DB8:7654:3210:FEDC:BA98:7654:3210
2001:DB8:0:0:8:800:200C:417A
IPv6 addresses commonly contain successive hexadecimal fields
of zeros. Two colons (::) may be used to compress successive
hexadecimal fields of zeros at the beginning, middle, or end of an
IPv6 address (the colons represent successive hexadecimal fields
of zeros). The table below lists compressed IPv6 address formats.
A double colon may be used as part of an address when consecutive
16-bit values are zero. You can configure multiple IPv6
addresses per interface, but only one link-local address.
Exam Tip
Two colons (::) can be used only once in an IPv6 address to
represent the longest successive hexadecimal fields of zeros. The
hexadecimal letters in IPv6 addresses are not case-sensitive.
Table 1-17: Compressed IPv6 Address Formats
The loopback address listed in the table above may be used by a
node to send an IPv6 packet to itself. The loopback address in
IPv6 functions the same as the loopback address in IPv4
(127.0.0.1).
Exam Tip
The IPv6 unspecified address cannot be assigned to an
interface. The unspecified IPv6 addresses must not be used as
destination addresses in IPv6 packets or the IPv6 routing header.
An IPv6 address prefix, in the format ipv6-prefix/prefix-length,
can be used to represent bit-wise contiguous blocks of the entire
address space. The ipv6-prefix must be in the form documented
in RFC 2373 where the address is specified in hexadecimal using
16-bit values between colons. The prefix length is a decimal value
that indicates how many of the high-order contiguous bits of the
address comprise the prefix (the network portion of the address).
For example, 2001:DB8:8086:6502::/32 is a valid IPv6 prefix.
IPv6 Subnetting
Figure 1-32: IPv6 Subnetting
As shown in the figure, an IPv6 address can be subnetted in three ways.
You can either divide Site bits, Sub Site bits and Host bits, or
only Site and Host bits for large host support.
IPv6 Packet Header
The basic IPv4 packet header has 12 fields with a total size of 20
octets (160 bits) (see the figure below). The 12 fields may be
followed by an Options field, which is followed by a data portion
that is usually the transport-layer packet. The variable length of the
Options field adds to the total size of the IPv4 packet header. The
shaded fields of the IPv4 packet header shown in the figure below
are not included in the IPv6 packet header.
Figure 1-33: IPv4 Packet Header Format
The basic IPv6 packet header has 8 fields with a total size of 40
octets (320 bits). Fields were removed from the IPv6 header because,
in IPv6, fragmentation is not handled by devices and checksums at
the network layer are not used. Instead, fragmentation in IPv6 is
handled by the source of a packet and checksums at the data link
layer and transport layer are used. In IPv4, the UDP transport layer
uses an optional checksum. In IPv6, use of the UDP checksum is
required to check the integrity of the inner packet. Additionally, the
basic IPv6 packet header and Options field are aligned to 64 bits,
which can facilitate the processing of IPv6 packets.
Table 1-18: IPv6 Header Field
Following the eight fields of the basic IPv6 packet header are the
optional extension headers and the data portion of the packet. If
present, each extension header is aligned to 64 bits. There is no
fixed number of extension headers in an IPv6 packet. The extension
headers form a chain of headers. Each extension header is identified
by the Next Header field of the previous header. Typically, the final
extension header has a Next Header field of a transport-layer
protocol, such as TCP or UDP.
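The header chain described above, and the earlier TCP vs. UDP comparison, as one added Python example that is not the workbook's code: it decodes the 40-octet fixed header, follows Next Header through the extension headers with every length checked against the packet, and then parses the 8-octet UDP header (verifying the checksum, since IPv6 requires it) or the 20-octet TCP header. The sample packet bytes, the 2001:db8:: addresses, the payload and the function names are constructed for this example; the Next Header numbers are the IANA values.

```python
import struct

# Added example (not from the workbook): walk an IPv6 header chain and decode the
# UDP and TCP headers it ends in. Sample packet bytes are constructed inline.

NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
                     44: "Fragment", 58: "ICMPv6", 60: "Destination Options"}
EXTENSION_HEADERS = {0, 43, 44, 60}

def parse_ipv6_fixed_header(pkt):
    """Decode the 40-octet fixed header: 8 fields, no checksum, no fragmentation fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"traffic_class": (word >> 20) & 0xFF, "flow_label": word & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_hdr,
            "hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40]}

def walk_header_chain(pkt, max_headers=8):
    """Follow Next Header from the fixed header through any extension headers.
    Returns (names in order, upper-layer protocol number, offset of that header).
    Every length is checked against the packet and the chain is capped, so a
    malformed or absurdly long chain raises instead of reading off the end."""
    hdr = parse_ipv6_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    chain, nh, offset = ["IPv6"], hdr["next_header"], 40
    while nh in EXTENSION_HEADERS:
        if len(chain) > max_headers:
            raise ValueError("extension header chain too long")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(NEXT_HEADER_NAMES[nh])
        # Fragment is fixed at 8 octets; the others carry a length in 8-octet
        # units that excludes the first 8 octets.
        length = 8 if nh == 44 else (pkt[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError("extension header overruns packet")
        nh, offset = pkt[offset], offset + length
    chain.append(NEXT_HEADER_NAMES.get(nh, f"protocol {nh}"))
    return chain, nh, offset

def chain_is_well_formed(pkt):
    try:
        walk_header_chain(pkt)
        return True
    except ValueError:
        return False

def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp6_checksum(src, dst, udp):
    """UDP checksum over the IPv6 pseudo-header (src, dst, length, zeros, next
    header 17) plus the segment with its checksum field zeroed. Mandatory in IPv6."""
    pseudo = src + dst + struct.pack("!I3xB", len(udp), 17)
    csum = 0xFFFF ^ ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF        # an all-zero result is sent as 0xFFFF

def parse_udp(seg, src, dst):
    """8-octet UDP header; the checksum is verified because IPv6 requires it."""
    sport, dport, length, checksum = struct.unpack("!HHHH", seg[:8])
    if checksum == 0:
        raise ValueError("IPv6 requires a UDP checksum")
    return {"sport": sport, "dport": dport, "length": length, "header_len": 8,
            "checksum_ok": udp6_checksum(src, dst, seg[:length]) == checksum}

def parse_tcp(seg):
    """20-octet minimum TCP header: the data offset says how many option octets follow."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "header_len": (off_flags >> 12) * 4,
            "syn": bool(off_flags & 0x02), "ack_flag": bool(off_flags & 0x10)}

def build_sample_packet():
    """Constructed packet: IPv6 -> Hop-by-Hop Options -> Destination Options -> UDP/53."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    payload = b"constructed dns-like payload"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp6_checksum(src, dst, udp)) + udp[8:]
    pad6 = bytes([1, 4, 0, 0, 0, 0])                 # PadN option covering 6 octets
    hop_by_hop = bytes([60, 0]) + pad6                # next header 60, ext len 0 (= 8 octets)
    dest_opts = bytes([17, 0]) + pad6                 # next header 17 (UDP)
    ext = hop_by_hop + dest_opts
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(udp), 0, 64) + src + dst
    return fixed + ext + udp

if __name__ == "__main__":
    pkt = build_sample_packet()
    chain, proto, offset = walk_header_chain(pkt)
    print(" -> ".join(chain), f"(upper-layer header at offset {offset})")
    print(parse_udp(pkt[offset:], pkt[8:24], pkt[24:40]))
```

Two points for anyone writing packet filters or parsers: the transport header is not at a fixed offset in IPv6, so a rule that looks for "UDP at byte 40" silently misses traffic carrying extension headers, and a parser that trusts the ext-len and payload-length fields without bounds checks is the classic source of out-of-bounds reads, which is why every step above validates against the packet end before advancing.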
IPv6 Addressing and Subnetting
The IPv6 address format is eight sets of four hex digits. A colon
separates each set of four digits. For example:
2001:1111:A231:0001:2341:9AB3:1001:19C3
Remember, there are two rules for shortening these IPv6
address:
Once in the address, you can represent consecutive sections of
0000s with a double colon (::)
As many times as you can in the address, you can eliminate
leading 0s; you can even take a section of all zeros (0000) and
represent it as simply 0
Here is an example of the application of these rules to make
the address the most convenient to read and type:
2001:0000:0011:0001:0000:0000:0001:1AB1
2001:0:11:1::1:1AB1
You present the subnet mask in prefix notation only. For
example, an IPv6 address, that uses the first 64 bits to represent
the network could be shown as:
2001:0:11:1::1:1AB1/64
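The two shortening rules, implemented by hand as an added Python example (not the workbook's code) so that the rule order, the "once per address" limit on :: and the choice of which zero run to compress are explicit; it also expands a shortened address back to eight groups and extracts the network portion for a given prefix length. The worked address 2001:0000:0011:0001:0000:0000:0001:1AB1 and the examples from the address-format section are the workbook's; the function names are mine.

```python
import re

# Added example (not from the workbook): the two IPv6 shortening rules implemented
# by hand so the rule order and the "once per address" limit on '::' are explicit.

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")

def expand_ipv6(addr):
    """Return the eight 4-digit groups of `addr`, undoing both shortening rules.
    Spaces are ignored because the workbook prints some addresses with them."""
    addr = addr.replace(" ", "")
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [g.zfill(4) for g in groups]

def is_valid_ipv6(addr):
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False

def compress_ipv6(addr):
    """Apply rule 2 (drop leading zeros in every group) and then rule 1 (replace the
    single longest run of all-zero groups, leftmost on a tie, with '::')."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                 # a lone zero group is simply written as 0
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def split_prefix(text):
    """'2001:0:11:1::1:1AB1 /64' -> (compressed address, 64)."""
    addr, _, plen = text.replace(" ", "").partition("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    return compress_ipv6(addr), plen

def network_prefix(addr, plen):
    """Keep the high-order `plen` bits and zero the rest, i.e. the network portion.
    Output groups are lowercase hex (the text notes that case does not matter)."""
    bits = int("".join(expand_ipv6(addr)), 16)
    mask = ((1 << plen) - 1) << (128 - plen)
    net = f"{bits & mask:032x}"
    return compress_ipv6(":".join(net[i:i + 4] for i in range(0, 32, 4)))

if __name__ == "__main__":
    print(compress_ipv6("2001:0000:0011:0001:0000:0000:0001:1AB1"))
    print(network_prefix("2001:0:11:1::1:1AB1", 64))
```

Normalizing through expand_ipv6 before comparing addresses is the practical lesson: 2001:DB8::1, 2001:db8:0:0:0:0:0:1 and 2001:0db8::0001 are the same address, and access lists or log searches that compare the strings as typed will miss matches unless both sides are expanded first.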
This section of your exam blueprint focuses on the global
unicast address space for IPv6. These function like the public IPv4
addresses that we are accustomed to. Other types of IPv6
addresses are elaborated upon later in this chapter.
The Internet Assigned Numbers Authority (IANA) does the
management of the IPv6 address space. IANA assigns blocks of
address spaces to regional registries, who then allocate address
spaces to network service providers. Your organization may request
address spaces from a service provider. For example, a company
may be assigned an address space similar to 2001:DB8:6783::/48
and from that network address space, they can create and use
subnets.
To simplify subnetting in IPv6, companies often use a /64
mask. Remember, this means a 64-bit network portion and a 64-bit host portion.
IPv6 Stateless Address Auto Configuration
If you think the ability to have the IPv6 network device
configure its own host address (modified EUI) is pretty awesome,
what is even more exciting is having one network device assist
another in the assignment of the entire address. This is Stateless
Address Auto Configuration (SLAAC). Stateless simply means that
a device is not keeping track of the address information. For
example, in IPv4 and IPv6, you can use a DHCP server in a
“stateful” manner. A DHCP device provides the address
information that devices need, and tracks this information in a
database. Obviously, there is a fair amount of overhead involved
in this process for the DHCP server. Fortunately, in IPv6, you can
use SLAAC and stateless DHCP to provide a host with all of the
information it might need. This of course includes things like the
IPv6 address, the prefix length, the default gateway address, and
the DNS server(s) address.
With SLAAC, the IPv6 device learns its prefix information
automatically over the local link from another device (such as the
router), and then can randomly assign its own host portion of the
address. Remember, since SLAAC cannot provide additional
information such as DNS server addresses, we often combine
SLAAC with the use of stateless DHCP in IPv6.
Note
Remember, Cisco routers that support IPv6 are ready for any of
the IPv6 interface addressing methods with no special
configuration. However, if the router needs to run IPv6 routing
protocols (such as OSPF or EIGRP), you must use the ipv6
unicast-routing command as was discussed earlier in this chapter.
What’s wrong with IPv4?
Addressing
Not enough addresses:
Current addressing scheme allows for over 2 million networks, but
most are Class “C”, which are too small to be useful
Most of the Class “B” networks have already been assigned
Quality of Service
Flow control and QoS options are not available in IPv4 header
that allows better connections of high bandwidth and high
reliability applications
Security
IP packets can be easily snooped from the network
No standard for authentication of the user to a server
No standard for encryption of data in packets
Packet Size
Maximum packet size is 2^16 – 1 (65,535)
May be too small considering newer, faster networks
IPv6 Enhancements
• Expanded address space up to 128 bits
• Improved option mechanism by separating optional headers
between IPv6 header and transport layer header
• Improved speed and simplified router processing
• Dynamic assignment of addresses and auto configuration
• Increased addressing flexibility by anycast (delivered to one of a
set of nodes) and improved scalability of multicast addresses
• Support for resource allocation
– Replaces type of service
– Labeling of packets to particular traffic flow
– Allows special handling, e.g., real time video
Mind Map
Figure 1-34: Mind Map of Network Fundamentals
IPv6 Address Types
IPv6 address types are defined in the IP Version 6 Addressing
Architecture RFC. In this section, we take a brief look at the
different types of IPv6 addresses, which are as follows:
Figure 1-35: IPv6 Address Types
Note
IPv6 does not have a broadcast address. Other options exist in
IPv6, such as a solicited-node multicast address and an all-IPv6
devices multicast address.
Global Unicast
Global Unicast Addresses (GUAs) are globally routable and
reachable in the IPv6 Internet; they are equivalent to public IPv4
addresses. GUAs are also known as aggregatable global unicast
addresses. A GUA consists of a global routing prefix, a subnet ID
and an interface ID. These addresses are used on links that are
eventually aggregated upward to ISPs (Internet Service Providers).
The initial 3 bits are set from 001 to 111, so the range runs from
2000::/3 to E000::/3, with a 64-bit EUI interface ID.
Figure 1-36: Aggregatable Global Address
Unique Local
Unique Local addresses are similar in concept to the private-use
addresses (RFC 1918) in IPv4 and are not intended to be routable
in the IPv6 Internet. However, unlike RFC 1918 addresses, these
addresses are not intended to be statefully translated to a global
unicast address.
Figure 1-37: Unique Local Address
Link Local
As the name makes it clear, these addresses only function on the
local link. IPv6 devices automatically generate them in order to
perform many automated functions between devices. The Link
Local address uses the prefix FE80::/10. These addresses are
used for Stateless Auto-Configuration and Neighbor Discovery
Protocol.
Figure 1-38: Link Local Address
Anycast
An IPv6 anycast address is an address that can be assigned to
more than one interface (typically different devices). In other words,
multiple devices can have the same anycast address. A packet sent
to an anycast address is routed to the “nearest” interface having
that address, according to the router’s routing table.
There is no special prefix for an IPv6 anycast address. An IPv6
anycast address uses the same address range as global unicast
addresses. Each participating device is configured to have the same
anycast address. For example, servers A, B, and C in the below
figure could be DHCPv6 servers with a direct Layer 3 connection
into the network. These servers could advertise the same /128
address using OSPFv3. The router nearest the client request would
then forward packets to the nearest server identified in the routing
table.
Figure 1-39: Anycast Address
Multicast
Just like in an IPv4 environment, multicast traffic is beneficial in
IPv6. Remember, multicasting means a packet is sent to a group
of devices interested in receiving the information. In IPv6,
multicasting actually replaces completely the IPv4 approach of
broadcasting. In IPv6, if your device wants to reach all devices, it
sends traffic to the IPv6 multicast address of FF02::1.
Modified EUI 64
Modified Extended Unique Identifier (EUI-64) is an IPv6 feature
that allows a host to assign its own EUI-64 interface ID, which is
64 bits long. It eliminates the need for manual configuration and
DHCP, a key benefit over IPv4. The EUI-64 interface ID is formed
from the 48-bit MAC address by inserting the 16-bit value FFFE
between the OUI and NIC halves.
Figure 1-40: Modified EUI-64
IP Parameters for Client OS (Windows, Mac OS, Linux)
An operating system is considered to be the backbone of any
system. Without an operating system, users and systems cannot
interact. We mainly have three kinds of operating systems, namely
Linux, Mac OS, and Windows. To begin with, Mac OS is an OS that
focuses on the graphical user interface and was developed by Apple
Inc. for its Macintosh systems. Microsoft developed Windows to
overcome the limitations of the MS-DOS operating system. Linux is
a UNIX-like open source operating system that provides full
memory protection and multi-tasking operations.
Windows
In order to verify OS Parameters for windows operating system,
following steps are used:
Open the Command Prompt and enter the ipconfig command. It
will display the list of all the connections.
Figure 1-41: The “ipconfig” Command
Here, you can see the IP address is 192.168.100.108; we will
change this address by providing the system static IP address.
Click on Adaptor setting, you will see this window that shows the
connected media to the operating system.
Figure 1-42: Network Connections
Right click on “Wi-Fi”. Select “Properties”, you will see this
window:
Figure 1-43: Wi-Fi Properties
After selecting properties, select the “Internet Protocol Version 4
(TCP/IPv4)” option. Then assign the new IP address, DNS server
and alternate DNS server to the system.
Figure 1-44: Internet Protocol Version 4 Properties
After providing the Static IP address, verify the IP address
parameters by executing the ipconfig command on command
prompt.
Figure 1-45: Command Prompt
Linux
In order to verify OS Parameters for Linux Operating system,
follow the steps which are given below:
Open the Terminal and enter the ifconfig command. It will display
the list of all the connections.
Figure 1-46: Kali Linux
Figure 1-47: The “ifconfig” Command
Here, you can see the IP address is 192.168.100.125 netmask
255.255.255.0 and broadcast 192.168.100.255, we will change this
address by providing the system static IP address.
Click on “Settings”, then select “Network”. You will see the window
that shows the connected media to the operating system.
Figure 1-48: Kali Linux Setting
In wired, go to “Setting”, the next window will appear.
Select “IPv4” and provide the new static IP address, netmask,
gateway and DNS server.
Figure 1-49: Wired Connections
Select “Manual” and provide the fields.
Figure 1-50: Wired Settings
Mac OS
To set up a network connection on MAC OS, select “Setting”, go
to “System Preferences” and click on “Network”.
Figure 1-51: System Preferences
A new network window will open, change the location from
automatic to “Manual”.
Figure 1-52: Network Settings
Provide the appropriate IP address and subnet mask and then
click the “Advanced” button.
Figure 1-53: Ethernet Status
Select the DNS tab and then click the “+” button.
Figure 1-54: Ethernet DNS Settings
Enter the DNS server address and then click “Ok”.
Figure 1-55: Ethernet DNS Server
Now, click the button to save the changes.
Figure 1-56: Providing Static IP Address
Wireless Principles
Wireless is a popular networking technology. By using this
technology, we can exchange the information between two or more
devices. To establish a reliable system, there are some challenges
that are discussed below:
Non-overlapping Wi-Fi channels
There are channel settings in your router's settings. Most
routers have channel settings that are set to "Auto", but if you
look through the channels, there are at least a dozen of WLAN
channels. So how do you know which Wi-Fi channels are faster
than the others in that list? Choosing the suitable Wi-Fi channel
can vastly improve your Wi-Fi coverage and performance. But even
if you discover the fastest channel there, it does not always mean
you should select it right away.
Various frequency bands (2.4GHz, 3.6 GHz, 4.9 GHz, 5 GHz,
and 5.9 GHz) have their own range of channels. Usually, routers
will use the 2.4GHz band with a total of 14 channels, however in
reality, it may be 13 or even less that are used around the world.
There are five combinations of available non-overlapping
channels, which are given below:
Figure 1-57: Wi-Fi Channels
From the diagram it can be seen that Wi-Fi channels 1, 6, 11, or
2, 7, 12, or 3, 8, 13 or 4, 9, 14 (if allowed) or 5, 10 (and possibly
14 if allowed) can be used together as sets.
All Wi-Fi versions through 802.11n (a, b, g, n) work between
the channel frequencies of 2400 and 2500 MHz. These 100 MHz
in between are split in 14 channels, 20 MHz each. As a result,
each 2.4GHz channel overlaps with two to four other channels
(see diagram above). Overlapping makes wireless network
throughput quite poor. Most common channels for 2.4 GHz Wi-Fi
are 1, 6, and 11, because they do not overlap with one another.
The whole spectrum is 100 MHz wide and the channel centers
are separated by 5 MHz only. This leaves no choice to eleven
channels but to overlap.
SSID
The Service Set Identifier (SSID) is an ASCII string that is used to
establish wireless networking devices and maintain wireless connectivity.
Same SSIDs can be used by multiple access points on a network
or sub-network. They are case sensitive and can contain up to 32
alphanumeric characters.
You may configure up to 16 SSIDs on your access point and
assign different configuration settings to each SSID. All the SSIDs
may be active at the same time; that is, client devices can
associate to the access point using any of the SSIDs. Following
are some settings you can assign to each SSID:
• VLAN
• Client authentication settings
• Client authenticated key management settings
• AP-to-AP authentication parameters (when using AP-to-AP links, such as bridges)
• Management frame protection settings (Cisco MFP/802.11w)
• Maximum number of client associations using the SSID
• RADIUS accounting for traffic using the SSID
• Guest mode (defines whether the SSID string is broadcast in the beacons)
• Legacy AP-to-AP authentication method, when using PSK or LEAP security on AP-to-AP links
• Redirection of packets received from client devices
If you want the access point SSID to be visible to all wireless
clients, including clients that do not have a profile for that
particular SSID, you can set up a guest SSID. The access point
includes the guest SSID in its beacon. If guest mode is disabled,
the AP still sends beacons for this SSID, but the SSID string is
not included.
If your access point is intended to be a repeater or a non-root
bridge, you can set up credentials on the repeater or non-root
bridge side so that the root or primary AP can authenticate the
repeater or the non-root bridge. You can assign an authentication
username and password to the repeater-mode SSID to allow the
repeater to authenticate to your network like a client device.
If your network uses VLANs, you can assign each SSID to a VLAN,
and client devices using that SSID are grouped into that VLAN.
RF
RF stands for radio frequency. Wireless communication began at
the turn of the 20th century, more than 100 years ago, when
Marconi established the first successful and practical radio
system. A Radio Frequency (RF) signal is a wireless electromagnetic
signal used as a form of communication. It is an alternating
current fed into an antenna to generate an electromagnetic field
that can be used for wireless broadcasting and/or communications.
The field is referred to as an RF field or a radio wave. Radio
waves are a form of electromagnetic radiation with radio
frequencies that range from 3 kHz to 300 GHz.
Encryption
As encryption is defined at the interface (VLAN or radio) level of
the access point, and can be common to several SSIDs,
encryption is usually configured before the SSID and its
authentication mechanism. Just as someone within range of a
radio station can tune to the station's frequency and listen to the
signal, any wireless networking device within range of an access
point can receive the access point's radio transmissions. Because
encrypted communication is the initial line of defense against
attackers, Cisco recommends that you use full encryption on your
wireless network.
The original encryption mechanism described in the 802.11
standard is WEP (Wired Equivalent Privacy). WEP encryption
scrambles the communication between the access point and
client devices to keep the communication private. In this mode,
WEP keys are statically defined on the client and the AP. The
access point and client devices both use the same WEP key to
encrypt and decrypt radio signals. WEP keys encrypt both
unicast and multicast messages. Unicast messages are addressed
to just a single device on the network. Multicast messages are
addressed to multiple devices on the network.
Virtualization Fundamentals
A virtual machine is a computer software program that runs an
operating system and applications. Each virtual machine contains
its own virtual, or software-based, hardware, including a virtual
CPU, memory, hard disk, and network interface card.
Virtualization is the process of creating a software-based, or
virtual, representation of something, such as virtual applications,
servers, storage and networks. It is the single most effective way
to reduce IT expenses while boosting efficiency and agility for all
size businesses.
Benefits of Virtualization
Virtualization can increase IT agility, adaptability and versatility
while making significant cost reductions. Greater workload mobility,
increased performance and availability of resources, and automated
operations: these benefits of virtualization make IT simpler to
manage and less costly to own and operate.
Additional benefits include:
Reduced capital and operating or working expenses
Downtime is minimized or eliminated
Increased IT profitability, proficiency agility and responsiveness
Provide faster provisioning of applications and resources
Greater business coherence and disaster recovery
Simplified data center management
Availability of a genuine Software-Defined Data Center
Types of Virtualization
There are three main types of virtualization that are as follows:
Server Virtualization
Server virtualization allows multiple operating systems to run on a
single physical server as highly efficient virtual machines. Key
advantages of server virtualization include:
Greater IT efficiencies
Reduced operating or working expenses
Quicker workload deployment
Improved application performance
Higher server accessibility
Eliminated server sprawl and difficulty
Network Virtualization
Network virtualization delivers logical networking devices and
services such as logical ports, switches, routers, firewalls, load
balancers, VPNs and more to connected workloads. It allows
applications to run on a virtual network as if they were running
on a physical network, yet with greater operational advantages and
all the hardware independence of virtualization.
Desktop Virtualization
Deploying desktops as a managed service administration
empowers IT associations to respond faster to changing work
environment needs and emerging opportunities. Virtualized
desktops and applications can also be quickly and easily delivered
to branch offices, outsourced and offshore employees, and mobile
workers using iPad and Android tablets.
Switching Concepts
Layer 2 switches and bridges are faster than routers because they
do not take up time looking at the Network layer header
information. Instead, they look at the frame's hardware addresses
before deciding to either forward, flood, or drop the frame. The
next sections cover the functions a switch performs and the
components it uses to do so.
MAC Learning and Aging
To learn the MAC address of devices is the fundamental
responsibility of switches. The switch transparently observes
incoming frames. It records the source MAC address of these
frames in its MAC address table. It also records the specific port
for the source MAC address. Based on this information, it can
make intelligent frame forwarding (switching) decisions. Notice that
a network machine could be turned off or moved at any point. As
a result, the switch must also age MAC addresses and remove
them from the table after they have not been seen for some
duration.
Frame Switching
Along with building a MAC address table (learning MAC address
to port mappings), the switch also forwards (switches) frames
intelligently from port to port. Think of this as the opposite of
how a Layer 1 hub works. A hub takes in a frame and always
forwards it out all other ports. In a hub-based
network, every port is part of the same collision domain. The
switch is too smart for that. If its MAC address table is fully
populated for all ports, then it “filters” the frame from being
forward out ports unnecessarily. It forwards the frame to the
correct port based on the destination MAC address.
Frame Flooding
What happens when a frame has a destination address that is not
in the MAC address table? The frame is flooded out to all ports
(other than the port on which the frame was received). The
flooding happens when the switch in its MAC address table has
no entry for the frame’s destination. With flooding, the frame is
sent out to every port except the port it came in on. This also
happens when the destination MAC address in the frame is the
broadcast address.
MAC Address Table
The MAC address table is a critical component in the modern
switch and acts as a brain of the switch operation. It contains the
MAC address to port mappings so the switch can work its
network magic.
The below example shows how easy it is to examine the MAC
address table of a Cisco switch.
Example: Examining a Real MAC Address Table
Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    e213.5864.ab8f    DYNAMIC     Gi0/0
   1    fa16.3ee3.7d71    DYNAMIC     Gi1/0
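The following Python model is an added example (not from the workbook) of the learn, forward, filter, flood and age behaviour described in the sections above. It reuses the two MAC addresses from the show output, processes a constructed sequence of frames, and renders a table in the same layout; the 300-second aging timer is an assumption (the IOS default for dynamic entries).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"   # Cisco dotted notation, as in the show output
AGING_SECONDS = 300            # assumed: IOS default aging time for dynamic entries


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: str   # ingress port
    time: float    # constructed arrival time in seconds


class LearningSwitch:
    """A single-VLAN Layer 2 switch: learns sources, forwards by destination."""

    def __init__(self, ports: List[str], vlan: int = 1, aging: float = AGING_SECONDS):
        self.ports = list(ports)
        self.vlan = vlan
        self.aging = aging
        # MAC -> (port, last time the MAC was seen as a source)
        self.table: Dict[str, Tuple[str, float]] = {}

    def age_out(self, now: float) -> List[str]:
        """Remove dynamic entries not refreshed within the aging time."""
        expired = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for mac in expired:
            del self.table[mac]
        return expired

    def process(self, frame: Frame) -> List[str]:
        """Return the list of egress ports for one frame."""
        self.age_out(frame.time)
        # MAC learning: the source is reachable via the ingress port
        self.table[frame.src] = (frame.in_port, frame.time)
        # Flooding: broadcast or unknown destination goes to every other port
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [p for p in self.ports if p != frame.in_port]
        out_port, _ = self.table[frame.dst]
        # Filtering: destination sits on the port the frame arrived on
        if out_port == frame.in_port:
            return []
        return [out_port]

    def show_mac_address_table(self) -> str:
        """Render the table in the layout of 'show mac address-table'."""
        lines = ["Vlan    Mac Address       Type        Ports",
                 "----    -----------       --------    -----"]
        for mac, (port, _) in sorted(self.table.items()):
            lines.append(f"{self.vlan:>4}    {mac}    DYNAMIC     {port}")
        return "\n".join(lines)


def demo() -> Tuple[List[List[str]], LearningSwitch]:
    """Constructed traffic between the two hosts from the show output."""
    sw = LearningSwitch(["Gi0/0", "Gi1/0", "Gi2/0"])
    frames = [
        Frame("e213.5864.ab8f", "fa16.3ee3.7d71", "Gi0/0", 0.0),    # unknown dst: flood
        Frame("fa16.3ee3.7d71", "e213.5864.ab8f", "Gi1/0", 1.0),    # known dst: forward
        Frame("e213.5864.ab8f", BROADCAST, "Gi0/0", 2.0),           # broadcast: flood
        Frame("fa16.3ee3.7d71", "e213.5864.ab8f", "Gi1/0", 400.0),  # entry aged out: flood
    ]
    decisions = [sw.process(f) for f in frames]
    return decisions, sw


if __name__ == "__main__":
    decisions, sw = demo()
    for d in decisions:
        print(d)
    print(sw.show_mac_address_table())
```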
Mind Map
Figure 1-58: Mind Map of Network Fundamentals
Summary
Role and Function of Network Components
Network Fundamentals teaches the building blocks of modern
network design. In this chapter, we have briefly discussed the
network components, their functions and their performance
A Router receives a packet and observes the destination IP
address information to determine what network the packet needs
to reach, then sends the packet out of the corresponding interface
A Layer 2 switch works only on MAC addresses and does not worry
about IP addresses or any items of higher layers. A Layer 3 switch
can perform all the tasks that a Layer 2 switch can
Firewalls have evolved beyond simple packet filtering and stateful
inspection. Most companies are deploying next-generation firewalls
to block modern threats such as advanced malware and
application-layer attacks
An Access Point (AP) is a device that creates a Wireless Local Area
Network, or WLAN, usually in an office or large building
The Cisco Wireless Controller (WLC) series devices provide a
single solution to configure, manage and support corporate
wireless networks, regardless of their size and locations
An endpoint is a remote computing device that communicates back
and forth with a network to which it is connected, such as a
desktop, laptop, etc.
A server is a device that provides a facility to another computer
program and its client
Characteristics of Network Topology Architectures
Network topology is defined as the physical arrangement of nodes
to form a computer network. There are two types of network
topology: physical topology and logical topology
A two-tier or level architecture is a software architecture in which
a presentation layer or interface keeps running on a client, and a
data layer or data structure gets stored on a server
A three-tier or level architecture is a client-server architecture
design in which the functional procedure logic, information access,
computer information storage and UI (User Interface) are created
and maintained as independent modules on discrete platforms
A Leaf-Spine architecture is adaptable to the continuously changing
requirements of companies in big data industries with evolving
data centers
Wide-Area Networks help organizations to expand geographically
around the globe. Using WAN services from service providers is
usually called “off-sourcing” or “outsourcing”
SOHO is generally a remote office or enterprise environment with
small to medium infrastructure. SOHO users are connected to the
corporate headquarters by using WAN MPLS or other
technology-based services provided by service providers
On-premises system monitoring software has been the standard
for quite a long time. Presently, a few associations are moving to
cloud-based network monitoring and management
Physical Interface and Cabling Types
Physical interfaces consist of a software driver and a connector
into which you connect network media
The type of cable selected for a network is related to the protocol,
network’s topology, and size
Single-mode fiber is used in many applications where data is
sent at multiple frequencies (WDM, Wave-Division Multiplexing), so
only one cable is needed
Multimode fiber gives you high bandwidth at high speeds (10 to
100MBS - Gigabit to 275m to 2km) over medium distances
Networks use copper media because it is inexpensive, easy to
install, and has low resistance to electrical current. However,
copper media is limited by distance and signal interference
Computers connected by communication channels that each
connect exactly two computers with access to full channel
bandwidth is known as point-to-point connection whereas, all
computers connected to a shared broadcast-based communication
channel and share the channel bandwidth is known as shared or
broadcast connection
Power over Ethernet (PoE) is a technology for local area networks
that allows the electrical power needed to operate each device to
be carried by the data cables rather than by power cords. It made
AP installations easier and more flexible, especially on ceilings
Identify Interface and Cable Issues
A collision is the mechanism used by Ethernet to control access
and allocate shared bandwidth among stations that want to
transmit at the same time on
Errors may occur in your network for a wide variety of reasons.
For example, there could be electrical interference somewhere, or
there is a bad Network Interface Card that is not able to frame
things correctly for the network
Duplex used to be a big concern in Ethernet LANs. Because you
might be using half-duplex due to having hubs in your network,
you need to ensure that duplex mismatches do not occur between
full-duplex (switched) areas and half-duplex areas
TCP vs. UDP
There are two types of Internet Protocol (IP) traffic. They
are TCP or Transmission Control Protocol and UDP or User
Datagram Protocol
TCP is connection oriented. Once a connection is established, data
can be sent bidirectional
UDP is a simpler, connectionless Internet protocol. Multiple
messages are sent as packets in chunks using UDP
Unlike TCP, UDP adds no reliability, flow-control, or error-recovery
functions to IP packets. Because of UDP’s simplicity, UDP headers
contain fewer bytes and consume less network overhead than TCP
IPv4 Addressing and Subnetting
In this section, we have explored IPv4 addressing and subnetting.
We also configured and verified the classes and subnet masks of
IPv4 by performing a lab
The Need for Private IPv4 Addressing
The designers of IPv4 created private address space to help
alleviate the depletion of IPv4 addresses
This address space is not routable on the public internet
The address space can be used as needed inside corporations and
would then be translated using Network Address Translation (NAT)
to allow access to and through the public internet
IPv6 Addressing and Prefix
Internet Protocol version 6 (IPv6) expands the number of network
address bits from 32 bits (in IPv4) to 128 bits, which provides
more than enough globally unique IP addresses for every
networked device on the planet
The unlimited address space provided by IPv6 allows Cisco to
deliver more and newer applications and services with reliability,
improved user experience, and increased security
Implementing basic IPv6 connectivity in the Cisco software
consists of assigning IPv6 addresses to individual device
interfaces. IPv6 traffic forwarding can be enabled globally, and
Cisco Express Forwarding switching for IPv6 can also be enabled
The user can enhance basic connectivity functionality by
configuring support for AAAA (Authentication, Authorization,
Accounting, and Auditing) record types in the Domain Name
System (DNS) name-to-address and address-to-name lookup
processes, and by managing IPv6 neighbor discovery
IPv6 Address Types
Global Unicast Addresses (GUAs) are globally routable and
reachable in the IPv6 Internet, they are equivalent to public IPv4
addresses
Unique local is similar to the concept of private use only
addresses (RFC 1918) in IPv4 and not intended to be routable in
the IPv6 Internet
Link-local addresses only function on the local link. IPv6 devices
automatically generate them in order to perform many automated
functions between devices
An IPv6 anycast address is an address that can be assigned to
more than one interface
Multicasting means a packet is sent to a group of devices
interested in receiving the information. In IPv6, multicasting
actually replaces completely the IPv4 approach of broadcasting
Modified Extended Unique Identifier (EUI) is an IPv6 feature that
allows the host to assign IPv6 EUI-64 to itself. EUI is of 64 bits.
It eliminates the need of manual configuration and DHCP as a
key benefit over IPv4
Wireless Principles
There are channel settings in your router's settings. Most routers
have channel settings that are set to "Auto", but if you look
through the channels, there are at least a dozen of WLAN
channels
The SSID is an ASCII string that is used to establish wireless
networking devices and maintain wireless connectivity. Same SSIDs
can be used by multiple access points on a network. They are
case sensitive and can contain up to 32 alphanumeric characters
RF stands for Radio Frequency. It refers to
a wireless electromagnetic signal used as a form
of communication
As encryption is defined at the interface (VLAN or radio) level of
the access point, and can be common to several SSIDs,
encryption is usually configured before the SSID and its
authentication mechanism
Virtualization Fundamentals
A virtual machine is a computer software program that runs an
operating system and applications. Each virtual machine contains
its own virtual, or software-based, hardware, including a virtual
CPU, memory, hard disk, and network interface card
Virtualization is the process of creating a software-based, or
virtual, representation of something, such as virtual applications,
servers, storage and networks. It is the single most effective way
to reduce IT expenses while boosting efficiency and agility for all
size businesses
Virtualization can increase IT agility, adaptability and versatility
while making significant cost reductions. Greater workload mobility,
increased performance and availability of resources, and automated
operations: these benefits of virtualization make IT simpler to
manage and less costly to own and operate
Switching Concepts
To learn the MAC address of devices is the fundamental
responsibility of switches. The switch transparently observes
incoming frames. It records the source MAC address of frames in
its MAC address table
Along with building a MAC address table (learning MAC address
to port mappings), the switch also forwards (switches) frames
intelligently from port to port
The frame is flooded out to all ports (other than the port on
which the frame was received). The flooding happens when the
switch in its MAC address table has no entry for the frame’s
destination
The MAC address table is a critical component in the modern
switch and acts as a brain of the switch operation. It contains the
MAC address to port mappings so the switch can work its
network magic
Practice Questions
Chapter 02: Network Access
Technology Brief
This chapter defines network access in general, from both a physical and a logical perspective. Gaining access to network resources is based on identification through authentication (proving one's identity), requesting access, and being granted the requested access. The chapter first describes the different types of LAN technologies and the related technologies and protocols. It then briefly discusses the WLAN architecture introduced by Cisco and describes how access works in that architecture.
VLANs (Normal Range) Spanning Multiple Switches
A Virtual LAN (VLAN) is a switched network that is logically divided by function, project team, or application without regard to the physical location of the users or hosts. VLANs have attributes similar to physical LANs, but you can group end stations/hosts even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, multicast, and broadcast packets are forwarded and flooded only to end points in that VLAN. Every VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a switch that supports fallback bridging. VLANs can be created with ports across the stack, because a VLAN is considered a separate logical network that contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations/hosts in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. LAN port VLAN membership is assigned manually on a port-by-port basis. The switch supports VLANs in VTP client mode, server mode, and transparent mode.
Cisco IOS Release 12.2SY supports 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges, and each range is used slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device. VLANs 0 and 4095 are reserved for system use only and cannot be accessed, so usable VLAN IDs run up to 4094. VLAN IDs 1002-1005 are reserved for Token Ring and FDDI VLANs.
Figure 2-01: VLAN IDs
The following example demonstrates how to create Ethernet VLAN
2, name it test2, and add it to the VLAN database:
Switch# configure terminal
Switch(config)# vlan 2
Switch(config-vlan)# name test2
Switch(config-vlan)# end
The following example shows how to configure a port as an
access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end
Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1-1005. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database.
You configure a VLAN with the vlan global configuration command followed by a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. You can accept the default VLAN configuration or use multiple commands to configure the VLAN. When you have completed the configuration, you must exit VLAN configuration mode for the configuration to take effect. To display the VLAN configuration, enter the corresponding privileged EXEC command.
The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (the vlan.dat file). If the VTP mode is transparent, they are also saved in the running configuration file of the switch. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the start-up configuration file. In a switch stack, the entire stack uses the same vlan.dat file and running configuration. To display the VLAN configuration, enter the corresponding EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the start-up configuration file and reboot the switch, the switch configuration is selected as follows:
If the VTP mode is transparent in the start-up configuration, and the VLAN database and the VTP domain name from the VLAN database match those in the start-up configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the start-up configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
In VTP versions 1 and 2, if the VTP mode is server, the domain name and the VLAN configuration for only the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
If the VTP mode or domain name in the start-up configuration does not match the VLAN database, the VTP mode, the domain name, and the configuration for the first 1005 VLANs use the VLAN database information.
Access Ports (Data and Voice)
Traffic on an access port is both received and sent in native format, without any VLAN information (tagging). Any frame arriving on an access port simply belongs to the VLAN assigned to that port.
Data: A data VLAN is a VLAN configured to carry user-generated traffic. A VLAN carrying voice or management traffic would not be part of a data VLAN; it is common practice to separate voice and management traffic from data traffic.
Voice: Most switches allow you to add a second VLAN on a switch port for your voice traffic, called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN; it is overlaid on top of the data VLAN so that both types of traffic can travel through the same port.
Although this is technically considered a different type of link, it is simply an access port that can be configured for both a data and a voice VLAN. It allows you to connect both a phone and a PC to one switch port, each in a separate VLAN.
Default VLAN
Cisco switches always use VLAN 1 as the default VLAN; it is needed for many protocol communications between switches, such as the Spanning Tree Protocol. All control traffic is sent on VLAN 1. VLAN 1 cannot be disabled, and it poses a security risk because many Cisco services run on the default VLAN. It is recommended to assign all ports to a VLAN other than the default VLAN.
Connectivity
End-to-end connectivity is a successful connection between two endpoints, ports, or nodes. Communication between two endpoints involves a number of intermediary devices that process or forward the packet toward the destination. End-to-end connectivity means that these intermediary devices do not alter the essential data in the packets during communication. Issues related to end-to-end connectivity include the unavailability of the remote endpoint, closed ports on the application server, incorrect access control lists, and others.
Interswitch Connectivity
Cisco originally created its own way of marking traffic with a VLAN ID for transport over a link. It was named Inter-Switch Link (ISL), and it took an interesting approach: it fully re-encapsulated the frame in order to add a VLAN marking. 802.1Q takes a different approach; it inserts a tag value into the existing frame.
Trunk Ports
A trunk port is a port that is allocated to carry traffic for all the
VLANs that are accessible by a specific switch, a process known
as trunking. Trunk ports mark frames with unique identifying tags,
either 802.1Q tags or Interswitch Link (ISL) tags as they move
between switches.
Add and Remove VLANs on a Trunk
To add or remove VLANs on a trunk, perform the steps given below:
To restrict the traffic that the trunk carries, issue the corresponding configuration command; it removes specific VLANs from the allowed list.
To add a VLAN to the trunk, issue the switchport trunk allowed vlan add vlan-list command.
To configure VLANs on a Cisco switch, use the global configuration vlan command. In the following example, interface eth0/0 is configured as an 802.1Q trunk that allows three VLANs (1, 10, and 20). Remember that VLAN 1 is the native and management VLAN by default.
Switch(config)#int eth0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 1,10,20
Switch(config-if)#exit
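As an added example (not code from the workbook), the following Python models the allowed-VLAN list of a trunk port so that the effect of the explicit list, add, and remove forms of switchport trunk allowed vlan can be checked before a change is pushed. The class name, the default of all VLANs 1-4094 being allowed, and the vlan-list syntax 1,10,20-25 are assumptions of this model.

```python
"""Model of a trunk's allowed-VLAN list (added example, not code from the workbook)."""

MAX_VID = 4094  # VLAN 0 and VLAN 4095 are reserved, so 1-4094 are usable


def parse_vlan_list(text: str) -> set:
    """Parse an IOS-style vlan-list such as '1,10,20-25' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= MAX_VID:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """Render a set of VLAN IDs back into compact vlan-list syntax."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges, start, prev = [], ids[0], ids[0]
    for vid in ids[1:]:
        if vid != prev + 1:          # gap: close the current run
            ranges.append((start, prev))
            start = vid
        prev = vid
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


class TrunkAllowedVlans:
    """Tracks which VLANs a trunk carries; by default every usable VLAN is allowed (assumed)."""

    def __init__(self):
        self.allowed = set(range(1, MAX_VID + 1))

    def set(self, vlan_list: str):
        """switchport trunk allowed vlan <vlan-list>: replace the whole list."""
        self.allowed = parse_vlan_list(vlan_list)

    def add(self, vlan_list: str):
        """switchport trunk allowed vlan add <vlan-list>: extend the list."""
        self.allowed |= parse_vlan_list(vlan_list)

    def remove(self, vlan_list: str):
        """switchport trunk allowed vlan remove <vlan-list>: prune the list."""
        self.allowed -= parse_vlan_list(vlan_list)

    def allows(self, vid: int) -> bool:
        """Would a frame belonging to vid be forwarded across this trunk?"""
        return vid in self.allowed


if __name__ == "__main__":
    trunk = TrunkAllowedVlans()
    trunk.set("1,10,20")   # the allowed list from the configuration above
    trunk.add("30-32")
    trunk.remove("1")      # keep the default VLAN off the trunk
    print(format_vlan_list(trunk.allowed))  # 10,20,30-32
```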
802.1Q
802.1Q is an IEEE standard trunking protocol that supports Virtual LANs (VLANs) on an Ethernet network. Cisco switches support both Inter Switch Link (ISL) and 802.1Q. The IEEE 802.1Q standard defines the operation of VLAN bridges, which allows the definition, operation, and administration of Virtual LAN topologies within a bridged LAN infrastructure.
The key to how IEEE 802.1Q performs these functions is its tags. 802.1Q-compliant switch ports can be configured to transmit tagged or untagged frames. A tag field containing VLAN information can be inserted into an Ethernet frame.
802.1Q adds a 4-byte header to the frame indicating the VLAN (Virtual LAN) membership, in contrast to ISL, which encapsulates the frame (adds a header and a trailer).
The following figure illustrates the original and tagged Ethernet frame formats:
Figure 2-02: Ethernet Original and Tagged Frame Format
The following figure shows the sub-fields of the Tag field:
Figure 2-03: Sub-fields of the Tag Field
Field Descriptions:
Tag Protocol Identifier (TPID): A 16-bit field set to the value 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame.
Priority: A 3-bit field describing the priority of the packet (8 priority levels).
Canonical Format Indicator (CFI): A 1-bit field indicating whether the frame may be dropped in case of network congestion.
VLAN Identifier (VID): A 12-bit field specifying the VLAN to which the frame belongs.
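The tag layout just described, as an added example rather than the workbook's own material: a Python parser that splits the TPID, priority, CFI, and VID out of a constructed tagged frame, attributes an untagged frame to the native VLAN (the behaviour of an 802.1Q trunk port described in the next section), and classifies the VID into the reserved, normal, and extended ranges from this chapter. The frame bytes, the native_vlan parameter, and the builder helper are constructed assumptions.

```python
"""Parse and build 802.1Q-tagged Ethernet frames (added example, not from the workbook)."""
import struct

TPID_8021Q = 0x8100                       # Tag Protocol Identifier of an 802.1Q-tagged frame
RESERVED_VIDS = {0, 4095}                 # reserved for system use
TOKEN_RING_FDDI_VIDS = range(1002, 1006)  # 1002-1005 reserved for Token Ring and FDDI


def classify_vid(vid: int) -> str:
    """Classify a 12-bit VLAN ID into the ranges described in this chapter."""
    if vid in RESERVED_VIDS:
        return "reserved"
    if vid in TOKEN_RING_FDDI_VIDS:
        return "reserved-token-ring-fddi"
    if 1 <= vid <= 1005:
        return "normal-range"
    if 1006 <= vid <= 4094:
        return "extended-range"
    raise ValueError(f"VID {vid} does not fit in 12 bits")


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, cfi=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid   # 3-bit priority, 1-bit CFI, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    An untagged frame is attributed to native_vlan, which is how a switch
    treats untagged traffic arriving on an 802.1Q trunk.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner_type, payload=frame[18:])
    else:
        info.update(tagged=False, pcp=None, cfi=None, vid=native_vlan,
                    ethertype=ethertype, payload=frame[14:])
    info["vid_class"] = classify_vid(info["vid"])
    return info


if __name__ == "__main__":
    # constructed sample: broadcast destination, locally administered source MAC
    sample = build_tagged_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0200c0ffee01"),
                                vid=20, ethertype=0x0800, payload=b"\x45\x00", pcp=5)
    print(parse_frame(sample))
```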
Native VLAN
By default, VLAN 1 is referred to as the native VLAN. On a Cisco LAN connection, the switch usually leaves the native VLAN untagged on 802.1Q trunk ports; VLAN 1 is the only untagged VLAN in the architecture. Cisco introduced this special VLAN for management traffic, so that this crucial traffic can still flow between devices even if a link loses its trunking status.
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) is a device discovery protocol that operates at the data-link layer (Layer 2) on all Cisco-manufactured devices and allows network management applications to discover neighboring Cisco devices. By means of CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices.
CDP runs on every medium that supports the Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link layer only, two systems that support different network-layer protocols can learn about each other.
Every CDP-configured device sends periodic messages to a multicast address, advertising at least one address at which it can receive SNMP messages. The advertisements also contain Time to Live (TTL) or hold-time information, which is the length of time for which the receiving device holds CDP information before discarding it. Every device listens to the messages sent by other devices to learn about neighboring devices.
Figure 2-04: CDP Features
LLDP (Link Layer Discovery Protocol)
Cisco Discovery Protocol is a device discovery protocol that runs over Layer 2 (the data link layer) on all devices manufactured by Cisco, such as routers, bridges, access servers, and switches. CDP allows network management applications to automatically discover and learn about other Cisco devices that are connected to the network.
To support non-Cisco devices and allow for interoperability between other devices, the switch supports the IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer (Layer 2), which allows two systems running different network-layer protocols to learn about each other. LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as Type-Length-Values (TLVs). LLDP-supported devices use TLVs to send information to and receive information from their neighbors. Details such as configuration information, device identity, and device capabilities can be advertised by using this protocol.
The switch supports the following simple management TLVs,
which are optional:
Port Description TLV
System Capabilities TLV
Management Address TLV
System Name TLV
System Description TLV
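As an added example (not code from the workbook), the following Python builds a small LLDPDU carrying the mandatory TLVs plus the optional System Name, System Description, System Capabilities, and Management Address TLVs listed above, and parses it back using the IEEE 802.1AB TLV header (7-bit type, 9-bit length) and standard type numbers. The chassis MAC, port name, system name, and management address are constructed sample values; the TTL TLV carries the hold-time that neighbors keep the entry for.

```python
"""Build and parse LLDP TLVs (added example, not code from the workbook)."""
import ipaddress
import struct

# Basic TLV type numbers from IEEE 802.1AB
END_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = 4, 5, 6, 7, 8
# System Capabilities bitmap (bit -> capability)
CAP_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
            0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type followed by 9-bit length, then the value bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, sys_name, sys_desc, caps, enabled, mgmt_ipv4):
    """Assemble the mandatory TLVs, the optional ones named above, and the end marker."""
    addr = ipaddress.IPv4Address(mgmt_ipv4).packed
    mgmt = (bytes([len(addr) + 1, 1]) + addr      # address length, subtype 1 = IPv4, address
            + bytes([2]) + struct.pack("!I", 1)   # interface numbering subtype 2 = ifIndex, number
            + b"\x00")                            # OID length 0
    return b"".join([
        encode_tlv(CHASSIS_ID, b"\x04" + chassis_mac),       # subtype 4 = MAC address
        encode_tlv(PORT_ID, b"\x05" + port_name.encode()),   # subtype 5 = interface name
        encode_tlv(TTL, struct.pack("!H", ttl)),             # seconds the neighbor keeps this entry
        encode_tlv(SYS_NAME, sys_name.encode()),
        encode_tlv(SYS_DESC, sys_desc.encode()),
        encode_tlv(SYS_CAP, struct.pack("!HH", caps, enabled)),
        encode_tlv(MGMT_ADDR, mgmt),
        encode_tlv(END_LLDPDU, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV chain and return the decoded fields; reject malformed PDUs."""
    info, off = {}, 0
    while off + 2 <= len(data):
        hdr = struct.unpack("!H", data[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == END_LLDPDU:
            break
        if tlv_type == CHASSIS_ID:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == PORT_ID:
            info["port_id"] = value[1:].hex(":") if value[0] == 3 else value[1:].decode(errors="replace")
        elif tlv_type == TTL:
            if len(value) < 2:
                raise ValueError("short TTL TLV")
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == PORT_DESC:
            info["port_description"] = value.decode(errors="replace")
        elif tlv_type == SYS_NAME:
            info["system_name"] = value.decode(errors="replace")
        elif tlv_type == SYS_DESC:
            info["system_description"] = value.decode(errors="replace")
        elif tlv_type == SYS_CAP:
            if len(value) < 4:
                raise ValueError("short System Capabilities TLV")
            caps, enabled = struct.unpack("!HH", value[:4])
            info["capabilities"] = [n for b, n in CAP_BITS.items() if caps & b]
            info["enabled_capabilities"] = [n for b, n in CAP_BITS.items() if enabled & b]
        elif tlv_type == MGMT_ADDR:
            alen, subtype = value[0], value[1]
            raw = value[2:1 + alen]
            info["management_address"] = str(ipaddress.IPv4Address(raw)) if subtype == 1 else raw.hex()
    for key in ("chassis_id", "port_id", "ttl"):   # 802.1AB mandatory TLVs
        if key not in info:
            raise ValueError(f"mandatory {key} TLV missing")
    return info


if __name__ == "__main__":
    # constructed sample advertisement: a switch with routing capability not enabled
    pdu = build_lldpdu(bytes.fromhex("0011223344aa"), "Gi1/0/1", 120, "Switch",
                       "constructed sample system", caps=0x14, enabled=0x04, mgmt_ipv4="192.0.2.10")
    print(parse_lldpdu(pdu))
```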
The following example shows how to configure a hold-time of 120 seconds, a delay time of 2 seconds, and an update frequency of 20 seconds:
Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 20
Switch(config)# end
The following example shows how to transmit LLDP packets only (without receiving them):
switch# configure terminal
switch(config)# no lldp receive
switch(config)# end
If you want to receive LLDP packets again, do the following:
switch# configure terminal
switch(config)# lldp receive
switch(config)# end
The following example shows how to globally disable LLDP:
Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end
The following example shows how to globally enable LLDP:
Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end
The following example shows how to enable LLDP on an interface:
Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
To monitor and maintain LLDP and LLDP-MED on your device,
execute one or more of the following tasks, beginning in privileged
EXEC mode:
show lldp
show lldp entry entry-name
show lldp errors
show lldp interface [interface-id]
show lldp traffic
show lldp neighbors [interface-id] [detail]
(Layer 2/Layer 3) EtherChannel (LACP)
EtherChannel
An EtherChannel consists of Fast Ethernet or Gigabit Ethernet links bundled into a single logical link, as shown in the figure below.
Figure 2-05: EtherChannel
An EtherChannel offers full-duplex bandwidth of up to 800 Mb/s (Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between two switches. An EtherChannel can consist of up to eight compatibly configured Ethernet ports.
All ports in an EtherChannel must be configured as either Layer 2 or Layer 3 ports. The number of EtherChannels is limited to 48. Layer 3 EtherChannels are built from routed ports. Routed ports are physical ports that are configured to be in Layer 3 mode by entering the no switchport interface configuration command.
Link Aggregation Control Protocol
The Link Aggregation Control Protocol (LACP) is specified by IEEE as 802.3ad. It allows Cisco switches to manage Ethernet channels between switches. LACP allows the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. Using LACP, the switch learns the status of partners capable of supporting LACP and the capabilities of each port. It then dynamically groups similarly configured ports into a single logical link (channel or aggregate port). Ports are grouped based on hardware, administrative, and port parameter constraints. For example, LACP groups ports with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. When grouping the links into an EtherChannel, LACP adds the group to the spanning tree as a single switch port.
Table 2-01: LACP Mode
Both modes allow ports to negotiate with partner ports to form an EtherChannel based on defined criteria such as port speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
Ports can form an EtherChannel while they are in different LACP modes as long as the modes are compatible.
For example:
A port in can form an EtherChannel with another port that is in
A port in cannot form an EtherChannel with another port that is
also in because neither port starts LACP negotiation
Configuring Layer 2 EtherChannels
This example demonstrates how to configure an EtherChannel
on a switch. It assigns two ports as static-access ports in VLAN
11 to channel 4 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet 2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 11
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end
Configuring Layer 3 EtherChannels
Following example shows how to create the logical port channel
4 and assign 172.10.10.10 as its IP address:
Switch# configure terminal
Switch(config)# interface port-channel 4
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.10.10.10 255.255.255.0
Switch(config-if)# end
The following example demonstrates how to configure a Layer 3 EtherChannel. It assigns two ports to channel 4 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end
Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel
Case Study
Consider a company in which different departments, namely management, production, and marketing, have to be connected at all times. The company therefore hired a network engineer to deploy a network that provides seamless connectivity among the departments.
Topology
Figure 2-06: Topology Diagram
Configuration
The network engineer deployed a network that provides connectivity among the various departments by configuring VLANs, inter-VLAN routing, trunk ports, and EtherChannel.
To provide seamless connectivity, configure the Hot Standby Routing Protocol (HSRP).
Verification
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Rapid PVST+ is the IEEE 802.1w (RSTP) standard configured on a per-VLAN basis. A single instance of STP runs on each configured VLAN (unless you manually disable STP). Each Rapid PVST+ instance on a VLAN has a single root switch. You may enable and disable STP on a per-VLAN basis when you are running Rapid PVST+.
Rapid PVST+ uses point-to-point links to provide rapid convergence of the spanning tree. The spanning tree reconfiguration can occur in less than 1 second with Rapid PVST+ (in contrast to 50 seconds with the default settings in 802.1D STP).
STP convergence occurs rapidly by using Rapid PVST+. Each designated or root port in the STP sends out a Bridge Protocol Data Unit (BPDU) every 2 seconds by default. On a designated or root port in the topology, if hello messages are missed three consecutive times, or if the maximum age time expires, the port immediately flushes all protocol information in its table. A port considers that it has lost connectivity to its directly connected neighbor root or designated port if it misses three BPDUs or if the maximum age time expires. This rapid aging of the protocol information allows quick failure detection. The switch automatically checks the Port VLAN ID (PVID).
Rapid PVST+ provides rapid recovery of connectivity following the failure of a network device, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links.
Configuring Rapid PVST+
Rapid PVST+ is PVST+ with the 802.1w standard applied, and it is the default STP configuration in the software.
You enable Rapid PVST+ on a per-VLAN basis. The software
maintains a separate instance of STP for each VLAN (except on
those VLANS on which you disable STP). Rapid PVST+ is enabled
on the default VLAN and on each VLAN that you create by
default.
Enabling Rapid PVST+
Once you enable Rapid PVST+ on the switch, you must enable
Rapid PVST+ on the assigned VLANs.
Rapid PVST+ is the default STP mode. You cannot run MST
and Rapid PVST+ simultaneously.
To enable Rapid PVST+ on the switch, perform this task:
The following example shows how to enable Rapid PVST+ on the switch:
Root Port, Root Bridge (Primary/Secondary), and other Port Names
Port Roles
Rapid PVST+ provides rapid convergence of the spanning tree
by assigning port roles and learning the active topology. Rapid
PVST+ builds upon the 802.1D STP to select the switch with the
highest priority (lowest numerical priority value).
Rapid PVST+ then assigns one of these port roles to individual
ports:
Root: Provides the best path (lowest cost) when the switch forwards packets to the root bridge.
Designated: The port through which the designated switch is attached to the LAN is called the designated port.
Alternate: Provides an alternate path toward the root bridge to the path provided by the existing root port. An alternate port provides an alternative path to another switch port in the topology.
Backup: Acts as a backup for the path provided by a designated port toward the ports of the spanning tree. A backup port exists only when two ports are connected in a loopback with a point-to-point link. A backup port provides another path in the topology to the switch.
Disabled: No role within the operation of the spanning tree.
In a stable topology with persistent port roles throughout the network, Rapid PVST+ ensures that every root port and designated port rapidly transitions to the forwarding state, because all alternate and backup ports are always in the blocking state. Designated ports start in the blocking state. The port state controls the operation of the forwarding and learning processes.
Root Bridge (Primary/Secondary)
The software keeps a separate instance of STP for each active
VLAN in Rapid PVST+. For each VLAN, the switch with the lowest
bridge ID becomes the root bridge for that VLAN.
Configuring the Primary Root Bridge
To configure a VLAN instance to become the root bridge,
modify the bridge priority from the default value (32768) to a
considerably lower value.
When you type the spanning-tree vlan vlan_ID root command,
the switch checks the bridge priority of the current root bridges
for each VLAN. The switch sets the bridge priority for the
specified VLANs to 24576 if this value will cause the switch to
become the root for the specified VLANs. If any root bridge for
the specified VLANs has a bridge priority lower than 24576, the
switch sets the bridge priority for the specified VLANs to 4096
less than the lowest bridge priority.
To configure a switch to become the primary root bridge for a VLAN in Rapid PVST+, perform these steps:
Configures a software switch as the primary root bridge. The
vlan-range value can be 2 through 4094 (except reserved VLAN
values.) The diameter default is 7. The hello-time can be from 1
to 10 seconds, and the default value is 2 seconds.
The following example shows how to configure the switch as the root bridge for VLAN 5 with a network diameter of 4:
Configuring a Secondary Root Bridge
When you configure a software switch as the secondary root,
the STP bridge priority is modified from the default value (32768)
so that the switch is expected to become the root bridge for the
specified VLANs if the primary root bridge fails (assuming the
other switches in the network use the default bridge priority of
32768). STP sets the bridge priority to 28672.
Enter the diameter keyword to specify the network diameter
(that is, the maximum number of bridge hops between any two
end stations in the network). When you specify the network
diameter, the software automatically selects an optimal hello time,
forward delay time, and maximum age time for a network of that
diameter, which can significantly reduce the STP convergence time.
You can enter the hello-time keyword to override the automatically
calculated hello time.
You configure more than one switch in this manner to have
multiple backup root bridges. Enter the same network diameter
and hello time values that you used when configuring the primary
root bridge.
To configure a switch to become the secondary root bridge for a VLAN in Rapid PVST+, perform these steps:
Configures a software switch as the secondary root bridge. The
vlan-range value can be 2 through 4094 (except reserved VLAN
values.) The diameter default is 7. The hello-time can be from 1
to 10 seconds, and the default value is 2 seconds.
The following example shows how to configure the switch as the secondary root bridge for VLAN 5 with a network diameter of 4:
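As an added illustration (not the workbook's own example, nor Cisco code), the following Python model works through the priority arithmetic described above for both the primary and the secondary root procedures: a primary root gets 24576 if that already beats every current root for the listed VLANs, otherwise 4096 below the lowest current root priority; a secondary root gets 28672. It also renders the IOS `spanning-tree vlan ... root` command line and shows how the VLAN ID is folded into the priority field that bridge election compares. The per-VLAN root priorities and MAC addresses are constructed sample data, and the diameter range 2 to 7 is taken from IOS rather than from the text.

```python
"""Bridge-priority arithmetic behind `spanning-tree vlan <vlan-range> root primary|secondary`.

Added example, not from the workbook. Sample priorities and MAC addresses are constructed.
"""

DEFAULT_PRIORITY = 32768
PRIMARY_PRIORITY = 24576
SECONDARY_PRIORITY = 28672
PRIORITY_STEP = 4096          # configurable priorities are multiples of 4096
DEFAULT_DIAMETER = 7
DEFAULT_HELLO = 2


def primary_root_priority(current_root_priorities):
    """Priority the switch adopts for `root primary` across the listed VLANs.

    current_root_priorities maps VLAN id -> bridge priority of that VLAN's current root.
    """
    lowest = min(current_root_priorities.values())
    if lowest > PRIMARY_PRIORITY:
        return PRIMARY_PRIORITY
    # Some root is already at or below 24576: undercut the lowest one by one step.
    # At exactly 24576 the election would fall through to the MAC tie-break, so
    # 24576 would not guarantee root; assumption: treat that case like "lower".
    candidate = lowest - PRIORITY_STEP
    if candidate < 0:
        raise ValueError("current root is already at priority 0 and cannot be undercut")
    return candidate


def secondary_root_priority():
    """`root secondary` always uses 28672 (assumes other switches keep 32768)."""
    return SECONDARY_PRIORITY


def bridge_priority_field(priority, vlan):
    """16-bit priority field as `show spanning-tree` displays it:
    configured priority plus the VLAN id (extended system ID)."""
    if priority % PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096")
    return priority + vlan


def elect_root(bridges, vlan):
    """Bridge with the lowest bridge ID wins: priority field first, then MAC address.
    bridges is a list of (priority, mac) tuples; MACs share one text format."""
    return min(bridges, key=lambda b: (bridge_priority_field(b[0], vlan), b[1]))


def root_command(vlans, role, diameter=None, hello_time=None):
    """Render the IOS command, validating the ranges the text gives (VLAN 2-4094,
    hello-time 1-10 s) plus the IOS diameter range 2-7."""
    if role not in ("primary", "secondary"):
        raise ValueError("role must be 'primary' or 'secondary'")
    for v in vlans:
        if not 2 <= v <= 4094:
            raise ValueError(f"VLAN {v} outside 2-4094")
    cmd = f"spanning-tree vlan {','.join(str(v) for v in vlans)} root {role}"
    if diameter is not None:
        if not 2 <= diameter <= 7:
            raise ValueError("diameter must be 2-7")
        cmd += f" diameter {diameter}"
    if hello_time is not None:
        if not 1 <= hello_time <= 10:
            raise ValueError("hello-time must be 1-10 seconds")
        cmd += f" hello-time {hello_time}"
    return cmd


if __name__ == "__main__":
    # Constructed: VLAN 5's current root still runs the default priority.
    current = {5: DEFAULT_PRIORITY}
    print(root_command([5], "primary", diameter=4))
    print("resulting priority:", primary_root_priority(current))
    print("priority field shown for VLAN 5:",
          bridge_priority_field(primary_root_priority(current), 5))
    print(root_command([5], "secondary", diameter=4), "->", secondary_root_priority())
```

Because the value is computed once when the command is entered, a switch that later joins with a lower priority takes the root role away; the model makes that visible by re-running `elect_root` with the new candidate added.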
Rapid PVST+ Port State
Transmission delays occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a LAN port transitions directly from not participating in the spanning tree topology to the forwarding state, it can create temporary data loops. Ports must wait for new topology information to propagate through the switched LAN before beginning to forward frames.
Each LAN port on a switch running Rapid PVST+ or MST exists in one of the following four states:
Blocking: The LAN port does not contribute in frame
forwarding.
Learning: The LAN port prepares to contribute in frame
forwarding.
Forwarding: The LAN port forwards frames.
Disabled: The LAN port does not contribute in STP and is not
forwarding frames.
When you enable Rapid PVST+, every port on the switch, in every VLAN and across the network, goes through the blocking state and the transitory learning state at power up. If properly configured, each LAN port stabilizes to the forwarding or blocking state.
Blocking State
A LAN port in the blocking state does not contribute in frame
forwarding.
A LAN port in the blocking state performs as follows:
Discards frames received from the attached segment
Discards frames switched from another port for forwarding
Does not incorporate the end station location into its address
database
Receives BPDUs and directs them to the system module
Receives, processes, and transmits BPDUs received from the
system module
Receives and responds to network management messages
Forwarding State
A LAN port in the forwarding state forwards frames. The LAN
port enters the forwarding state from the learning state.
A LAN port in the forwarding state performs as follows:
Forwards frames received from the attached segment
Forwards frames switched from another port for forwarding
Incorporates the end station location information into its address
database
Receives BPDUs and directs them to the system module
Processes BPDUs received from the system module
Receives and responds to network management messages
PortFast
PortFast is a spanning-tree feature that moves a port immediately to the forwarding state as soon as it comes up. This is beneficial for ports connecting hosts, so that they can start communicating on the VLAN instantaneously rather than waiting on spanning tree. To prevent ports that are configured with PortFast from accepting BPDUs, which could change the spanning-tree topology, BPDU guard can be enabled. Upon receipt of a BPDU, BPDU guard disables a port configured with PortFast.
PortFast Benefits
We know the great advantage of configuring PortFast: a port configured with PortFast will immediately start transmitting data in the forwarding state, bypassing the other spanning-tree states. This is definitely a great feature to have configured on your downstream ports connecting to your end-user systems or your servers. There is also another great reason to configure PortFast on your client edge ports that is not so commonly known. Whenever a switchport goes up or down, the switch generates a Topology Change Notification (TCN) BPDU and sends it toward the root bridge; the root bridge then responds with a Topology Change Acknowledgement (TCA) simply to acknowledge the TCN. The root bridge then transmits another BPDU with the Topology Change (TC) bit set to every switch within the spanning-tree domain. When the other switches receive this TC-marked BPDU, they reset the aging time of every entry in the CAM table (also known as the MAC address table) down to 15 seconds, which can cause the switch to rebuild its CAM table if the entries start aging out. Now, depending on the size of your layer 2 network, this can waste a lot of resources on your switches. It also causes a lot of unnecessary traffic overhead, since we have a set of BPDUs transmitted with the TCN, TCA, and TC flags set individually. Also remember that if CAM table entries start expiring, this can cause unnecessary ARP traffic for information the switch already had.
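The two PortFast paragraphs above describe a pairing a practitioner should be able to verify on a live configuration: PortFast on edge ports, and BPDU guard on every port that has PortFast. The following Python audit is an added example (not the workbook's or Cisco's code) that parses an IOS-style running-config and reports PortFast ports lacking BPDU guard, as well as PortFast applied to trunk ports. It recognises the interface commands `spanning-tree portfast [trunk|disable]` and `spanning-tree bpduguard enable|disable` and the global `spanning-tree portfast default` and `spanning-tree portfast bpduguard default`; the configuration text itself is constructed for this example.

```python
"""Audit an IOS-style running-config for PortFast ports without BPDU guard.

Added example, not from the workbook. SAMPLE_CONFIG is constructed.
"""

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
!
"""


def parse_config(text):
    """Split a config into global commands and a dict of interface -> commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                 # '!' ends the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                 # any unindented line is a global command
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_edge_ports(config_text):
    """Return (interface, finding) pairs for risky PortFast configurations."""
    global_cmds, interfaces = parse_config(config_text)
    portfast_default = "spanning-tree portfast default" in global_cmds
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        is_trunk = "switchport mode trunk" in cmds
        explicit_portfast = any(
            c in ("spanning-tree portfast", "spanning-tree portfast trunk") for c in cmds)
        # The global PortFast default applies to access ports only, unless disabled per port.
        inherited_portfast = (portfast_default and not is_trunk
                              and "spanning-tree portfast disable" not in cmds)
        if not (explicit_portfast or inherited_portfast):
            continue
        # BPDU guard comes from a per-port enable, or from the global default on
        # PortFast ports unless explicitly disabled on the port.
        bpduguard = ("spanning-tree bpduguard enable" in cmds
                     or (bpduguard_default and "spanning-tree bpduguard disable" not in cmds))
        if not bpduguard:
            findings.append((name, "PortFast without BPDU guard: a BPDU arriving on this "
                                   "edge port would be accepted into the topology"))
        if is_trunk:
            findings.append((name, "PortFast on a trunk port: edge treatment on a "
                                   "switch-to-switch link"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the sample, GigabitEthernet1/0/1 passes because the global `spanning-tree portfast bpduguard default` covers it, GigabitEthernet1/0/2 is flagged because BPDU guard was switched off on the port, and GigabitEthernet1/0/3 is flagged for carrying PortFast on a trunk.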
Cisco Wireless Architectures vs. AP Modes
Cisco Unified Wireless Network Architecture
The Cisco Unified Wireless Network architecture offers a secure, scalable, cost-effective wireless LAN solution for business-critical mobility. The Cisco Unified Wireless Network is the enterprise's only unified wired and wireless solution that cost-effectively addresses Wireless LAN (WLAN) security, deployment, management, and control issues. This powerful indoor and outdoor solution combines the best elements of wired and wireless networking to deliver high-performance, manageable, and secure WLANs with a low cost of ownership.
Figure 2-07: Cisco Unified Wireless Network Architecture in the
Enterprise
The inter-linked elements that work together to deliver a unified
enterprise-class wireless solution include:
Client Devices
Access Points (APs)
Network unification through controllers
World-class network management
Mobility Services
Core Components
The Cisco Unified Wireless Network (CUWN) is designed to provide high-performance, scalable 802.11ac wireless services for service providers as well as for enterprises. A Cisco wireless solution simplifies the deployment and management of large-scale wireless LANs in centralized or distributed deployments while providing the best security, user experience, and services.
The Cisco Unified Wireless Network consists of:
Cisco Wireless LAN Controllers (WLCs)
Cisco Aironet Access Points (APs)
Cisco Prime Infrastructure (PI)
Cisco Mobility Services Engine (MSE)
Cisco Wireless LAN Controllers
Cisco Wireless LAN Controllers are enterprise-standard, high-performance wireless switching platforms that support the 802.11a/n/ac and 802.11b/g/n protocols. A WLC operates under the control of an operating system that contains Radio Resource Management (RRM), creating a CUWN solution that can automatically adjust to real-time variations in the 802.11 RF environment. Controllers include built-in high-performance network and security hardware, resulting in highly reliable 802.11 enterprise networks with exceptional security.
Cisco 2504 Wireless Controllers
The Cisco 2504 Wireless Controllers enable large-scale wireless functions for small to medium-sized enterprises and branch offices. They are designed for 802.11n and 802.11ac performance. Cisco 2504 Wireless Controllers are entry-level controllers that provide real-time communications between Cisco Aironet access points to simplify the deployment and operation of wireless networks.
Cisco 5508 Wireless Controllers
Cisco 5508 Wireless Controllers deliver reliable performance,
enhanced flexibility, and minimum service-loss for mission-critical
wireless. Interactive multimedia applications, such as voice and
video, can now perform flawlessly over the wireless network, and
clients can conveniently roam without service interruption. Flexible
licensing allows users to easily enable access point support or
premium software features.
Cisco 5520 Wireless Controllers
The Cisco 5520 Series Wireless LAN Controller is a highly scalable, service-rich, robust, and flexible platform that is ideal for medium to large enterprise and campus deployments. As part of the Cisco Unified Access solution, the 5520 is optimized for the next generation of wireless networks, such as 802.11ac Wave 2.
Cisco Flex 7500 Wireless Controllers
The Cisco Flex 7500 Wireless Controller is available in a model designed to fulfil the scaling requirements for deploying the FlexConnect solution in branch networks. FlexConnect is designed to support wireless branch networks by allowing data to be switched locally within the branch site, while the access points are controlled and managed by a centralized controller. The Cisco Flex 7500 Series Cloud Controller is intended to deliver a cost-effective FlexConnect solution on a large scale.
Cisco 8510 Wireless Controllers
The Cisco 8510 Wireless Controller is a highly scalable and
flexible platform that enables crucial wireless networking
deployments for enterprise and service provider.
Cisco 8540 Wireless Controller
Optimized for 802.11ac Wave 2 performance, the Cisco 8540 Wireless Controller is a highly scalable, service-rich, robust, and flexible platform that enables next-generation wireless network deployments for medium to large enterprises and campuses.
Cisco Wireless Services Module 2
The Cisco Wireless Services Module 2 (WiSM2) for the Catalyst 6500 Series switches is ideal for crucial wireless networking in medium to large single-site WLAN environments where an integrated solution is preferred. The WiSM2 provides lower hardware costs and flexible configuration options.
Virtual Wireless LAN Controller
The controller allows IT professionals to configure, manage, and troubleshoot up to 200 access points and 6000 clients. The Cisco Virtual Wireless Controller supports secure guest access, rogue detection for Payment Card Industry (PCI) compliance, and in-branch (locally switched) Wi-Fi voice and video.
Cisco Aironet Access Points
Cisco Aironet Series wireless access points can be deployed in
a distributed or centralized network for a branch office, campus,
or large enterprise. To achieve an exceptional end-user experience
on the wireless network, these wireless access points provide a
variety of capabilities, including:
Cisco CleanAir For a self-healing, self-optimizing network that
avoids RF interference
Cisco ClientLink 2.0 or To improve reliability and coverage for
clients
Cisco To improve 5 GHz client connections in mixed client
environments
Cisco Leverages multicast to improve multimedia applications
Indoor 802.11n Access Points
The following outlines the various models of Cisco indoor
802.11n APs and their capabilities.
Table 2-02: Indoor 802.11n Access Points
Indoor 802.11ac Access Points
The following table outlines the various models of Cisco indoor
802.11ac APs and their capabilities.
Table 2-03: Indoor 802.11ac Access Points
Cisco Prime Infrastructure
Wireless communication has introduced a new phenomenon.
Mobile device expansion, extensive voice and video collaboration,
and cloud and data center virtualization are transforming the
network like never before. However, new technologies always bring new challenges. There is a need for higher service levels, guaranteed application delivery, and simplified end-user experiences, while maintaining business continuity and controlling operating costs.
To address these challenges, Cisco Prime Infrastructure provides a comprehensive solution that enables managing the network from a single graphical interface. It provides lifecycle management and service assurance across the whole network, from the wireless user in the branch office, across the WAN, through the access layer, and now to the data center. We call it One Management.
Figure 2-08: Cisco Prime Infrastructure - One Management
Cisco Prime Infrastructure is a network management platform that connects the network to the device to the user to the application, end-to-end and all in one.
Its features allow:
Single Pane View: Delivers a single, unified platform for day-0 and day-1 provisioning and day-n assurance. It accelerates device and service deployment, helping you to quickly resolve problems that can affect the end-user experience.
Simplified Deployment of Cisco Value-Added: Makes designing and deploying the Cisco distinguished features and services fast and effective, with support for technologies such as Intelligent WAN (IWAN), Distributed Wireless with Converged Access, Application Visibility and Control (AVC), Zone-Based Firewall, and Cisco TrustSec 2.0 Identity-Based Networking Services.
Application: Configured and used as a source of performance data, embedded Cisco instrumentation and industry-standard technology deliver network-wide, application-aware visibility. These technologies include NetFlow, Network-Based Application Recognition 2 (NBAR2), Cisco Medianet technologies, Simple Network Management Protocol (SNMP), and more. The innovative coordination of application visibility and lifecycle management in Cisco Prime Infrastructure makes it easier to find and resolve problems by providing awareness of the health of applications and services in the context of the health of the underlying infrastructure.
Management for Mobile Collaboration: Solution to the who, what, when, where, and how of wireless access. It includes 802.11ac support, correlated wired-wireless client visibility, unified access infrastructure visibility, spatial maps, converged security and policy monitoring and troubleshooting with Cisco Identity Services Engine (ISE) integration, location-based tracking of interferers, rogues, and Wi-Fi clients with Cisco Mobility Services Engine (MSE) and Cisco CleanAir integration, lifecycle management, RF prediction tools, and more.
Management Across Network and: Provides powerful lifecycle management and service assurance to help you manage and maintain the many devices and services running on your branch-office, campus, and data center networks. It provides significant capabilities such as discovery, inventory, configuration, monitoring, troubleshooting, reporting, and administration.
Centralized Visibility of Distributed: Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center visualizes up to 10 Cisco Prime Infrastructure instances, scaling your network-management infrastructure while maintaining central visibility and control.
Licensing Options
Cisco Prime Infrastructure is a single installable software
package with licensing options to expand and grow functions and
coverage as needed.
Simplifies the day-to-day operational tasks related to managing the network infrastructure across all lifecycle phases (design, deploy, operate, and report) for Cisco devices, including routers, switches, access points, and more.
Provides application performance visibility using device support as a source of rich performance data to help assure consistent application delivery and an optimal end-user experience.
Cisco UCS Server: Offers lifecycle and assurance management for Cisco UCS B- and C-Series Servers.
Operations: Enables visualization of up to 10 Cisco Prime Infrastructure instances from one central management console. One license is required for each Cisco Prime Infrastructure instance supported.
High-Availability Right to Use: Allows a high-availability configuration with one primary and one secondary instance in a high-availability pair.
Increases the NetFlow processing limit on the Cisco Prime Infrastructure management node. This license is used in combination with the Assurance license.
Ready-to-Use Gateway: Enables you to configure a separate gateway for use with the ready-to-use feature, where new devices can call in to the gateway to receive their configuration and software image.
Cisco Mobility Services Engine
The Cisco Mobility Services Engine is an open platform that
provides a new approach to the delivery of mobility services in a
centralized & scalable manner. A combination of hardware and
software, the Cisco 3300 Series Mobility Services Engine (MSE) is
an appliance-based solution that supports a set of software
services. The Mobility Services Engine transforms the wireless LAN
into a mobility network by extracting the application layer from the
network layer, which effectively delivers mobile applications across
wired and wireless networks.
The Cisco MSE provides the capability to track the physical
location of Network Devices, both wired and wireless, using
Wireless LAN Controllers (WLCs) and Cisco Aironet CAPWAP APs.
This solution allows you to track any Wi-Fi device, including
clients, active RFID tags, and rogue clients and APs. It was
designed according to the following requirements:
Cisco Prime Infrastructure is used to administer and monitor
the MSE. Furthermore, the MSE integrates directly into the
wireless LAN architecture, which provides one unified network to
manage instead of multiple separated wireless networks.
The Cisco MSE series can simultaneously track 25,000 elements
in CAS and 5,000 APs in wIPS. The CPI can manage multiple
Mobility Services Engines for greater scalability. The Wireless LAN
Controller (WLC), CPI, and MSE are implemented through separate
devices to deliver greater scalability and optimum performance.
The WLC, CPI, and MSE provide robust secure interfaces and
secure protocols to access data. The MSE records past location
information that can be used for audit trails and regulatory
compliance.
Open and Standards Based: The MSE has a SOAP/XML API that can be accessed by external systems and applications that can leverage location information from the MSE.
Easy Deployment of Business Applications: The MSE can be
integrated with new business applications such as asset tracking,
inventory management, location-based security, or automated
workflow management.
AP Modes
Many Cisco APs can operate in either autonomous or lightweight mode, depending on the code image that is loaded and run. From the Wireless LAN Controller (WLC), you can also configure a lightweight AP to operate in one of the following special-purpose modes:
The default lightweight mode that offers one or more operating
Basic Service Sets (BSSs) on a specific channel. During the times
that it is not transmitting, the AP will scan the other channels to
measure the level of noise, measure interference, discover rogue
devices, and match against Intrusion Detection System (IDS)
events.
The AP does not transmit at all, but its receiver is enabled to
act as a dedicated sensor. The AP checks for IDS events, detects
rogue access points, and determines the position of stations
through location-based services.
An AP at a remote site can locally switch traffic between an SSID and a VLAN if its Control and Provisioning of Wireless Access Points (CAPWAP) tunnel to the WLC is down and if it is configured to do so.
An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device. The captured traffic is then forwarded to a PC running network analyzer software such as WildPackets OmniPeek or Wireshark, where it can be analyzed further.
Rogue: An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air. Rogue devices are those that appear on both networks.
An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to link two locations separated by a distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.
Flex+Bridge: FlexConnect operation is enabled on a mesh AP.
The AP dedicates its radios to spectrum analysis on all wireless
channels. You can remotely connect a PC running software such
as MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to
collect and analyze the spectrum analysis data to discover sources
of interference.
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
The mobile user wants the same accessibility, security, quality-of-service, and high availability enjoyed by wired users. Whether you are on-site, at home, on the road, locally or internationally, there is a need to connect. The technological challenges are obvious, but to this end, mobility plays a role in facilitating everyone. Companies are obtaining business value from mobile and wireless solutions.
Wireless LANs consist of a set of components similar to those of traditional Ethernet-wired LANs. In fact, wireless LAN protocols are similar to Ethernet and comply with the same form factors. The major difference, however, is that wireless LANs do not require wires.
Access Points
An access point has a radio card that communicates with individual user devices on the wireless LAN, as well as a wired NIC that interfaces to a distribution system, such as Ethernet. System software within the access point links together the wireless LAN and distribution sides of the access point. The system software distinguishes access points by providing varying degrees of management, installation, and security functions.
In many cases, the access point provides an HTTP interface that enables configuration changes to the access point through an end-user device that is equipped with a network interface and a web browser. Some access points also have a serial RS-232 port for configuring the access point through a serial cable and a user device running terminal emulation and Telnet software, such as HyperTerminal.
Wireless LAN Controllers
A WLAN is a wireless design that aims to meet changing network
requirements. A WLAN controller manages wireless network access
points that allow wireless devices to connect to the network. A
wireless LAN controller is used in combination with the
Lightweight Access Point Protocol (LWAPP) to manage light-weight
access points in large quantities by the network administrator or
network operations center. The wireless LAN controller is an
important part of the Cisco Unified Wireless Model. The WLAN
controller automatically handles the configuration of wireless
access-points.
Access Ports/Trunk Ports
An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native format without any VLAN information (tagging). Any traffic arriving at the access port simply belongs to the VLAN assigned to that port.
A trunk port is a port that is assigned to carry traffic for all
the VLANs that are accessible by a specific switch, a process
known as trunking. Trunk ports mark frames with unique
identifying tags, either 802.1Q tags or Interswitch Link (ISL) tags
as they move between switches.
A WLAN maps a Service Set Identifier (SSID) to an interface or an interface group. It is configured with security, Quality of Service (QoS), radio policies, and other wireless network parameters. Up to 512 WLANs can be configured per controller. Each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface to use the native VLAN on a neighboring Cisco switch, ensure that you configure the interface on the controller to be untagged. The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged, the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and must not be the native untagged VLAN.
We mentioned that tagged VLANs should be used on the
controller. You should also allow only relevant VLANs on the
neighbor switch’s 802.1Q trunk connections to controller ports. All
other VLANs should be disabled or pruned in the switch port
trunk configuration. This method is extremely important for
optimal performance of the controller.
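The tagging rules above (untagged controller interface on the native VLAN, tagged interfaces allowed on the trunk but never native, everything else pruned) can be checked mechanically. The following is an added example, not code from the workbook or from Cisco; the WLC interfaces and the IOS trunk stanzas are constructed sample input, and only plain `switchport trunk allowed vlan` lists are parsed (no `add`/`remove`/`except` forms).

```python
"""Consistency check between a WLC's interface tagging and the neighbor
switch's 802.1Q trunk, applying the rules stated above.

Added example, not from the workbook or from Cisco. The IOS interface
stanzas and controller interfaces below are constructed sample input;
only plain 'allowed vlan' lists are parsed (no add/remove/except)."""
import re
from dataclasses import dataclass, field


@dataclass
class ControllerInterface:
    name: str
    vlan: int  # 802.1Q VLAN ID; 0 means the interface is untagged on the WLC


@dataclass
class SwitchTrunk:
    native_vlan: int = 1  # Cisco default native VLAN
    allowed_vlans: set = field(default_factory=set)


def parse_vlan_list(spec: str) -> set:
    """Expand IOS VLAN list syntax: '1,100,200-202' -> {1, 100, 200, 201, 202}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_config(config: str) -> SwitchTrunk:
    """Pick native and allowed VLANs out of an IOS interface stanza."""
    trunk = SwitchTrunk()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            trunk.native_vlan = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\- ]+)$", line)
        if m:
            trunk.allowed_vlans = parse_vlan_list(m.group(1))
    if not trunk.allowed_vlans:  # IOS default when no list is set: all VLANs
        trunk.allowed_vlans = set(range(1, 4095))
    return trunk


def check_trunk(interfaces, trunk: SwitchTrunk) -> list:
    """Return findings; an empty list means the trunk matches the WLC tagging."""
    findings, needed = [], set()
    for itf in interfaces:
        if itf.vlan == 0:
            needed.add(trunk.native_vlan)  # untagged WLC traffic rides the native VLAN
            continue
        needed.add(itf.vlan)
        if itf.vlan == trunk.native_vlan:
            findings.append(f"{itf.name}: VLAN {itf.vlan} is tagged on the controller "
                            "but is the trunk's native (untagged) VLAN")
        if itf.vlan not in trunk.allowed_vlans:
            findings.append(f"{itf.name}: VLAN {itf.vlan} is not allowed on the trunk")
    unused = sorted(trunk.allowed_vlans - needed)
    if unused:
        findings.append(f"trunk allows {len(unused)} VLAN(s) the controller does not "
                        f"use, starting with {unused[:5]}; prune them")
    return findings


# Constructed WLC interfaces: management untagged, two dynamic interfaces tagged.
WLC_INTERFACES = [
    ControllerInterface("management", 0),
    ControllerInterface("employees", 100),
    ControllerInterface("guest", 200),
]

# Constructed switch-side stanza with two mistakes: the guest VLAN is missing
# from the allowed list and VLAN 300 is allowed although the WLC never uses it.
LOOSE_TRUNK = """
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,100,300
"""

# Corrected stanza: native VLAN plus exactly the controller's tagged VLANs.
TIGHT_TRUNK = LOOSE_TRUNK.replace("1,100,300", "1,100,200")


def audit(config: str) -> list:
    """Audit one switch stanza against the constructed WLC interfaces."""
    return check_trunk(WLC_INTERFACES, parse_trunk_config(config))


if __name__ == "__main__":
    print("loose:", audit(LOOSE_TRUNK) or ["OK"])
    print("tight:", audit(TIGHT_TRUNK) or ["OK"])
```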
LAG
Link Aggregation (LAG) is a partial implementation of the 802.3ad
port aggregation standard. It ties all of the controller's
distribution system ports into a single LAG port channel. LAG
reduces the number of IP addresses required to configure the ports
on the controller. When LAG is enabled, the system dynamically
manages port redundancy and load balances access points
transparently to the user.
LAG simplifies controller configuration because there is no
longer a need to configure primary and secondary ports for each
interface. If any of the controller ports fail, traffic is
automatically moved to one of the other ports. As long as at least
one controller port is functioning, the system continues to operate,
access points remain connected to the network, and wireless clients
continue to send and receive data.
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
Access Point
An access point has a radio card that communicates with
individual user devices on the wireless LAN, as well as a wired
NIC that interfaces to a distribution system, such as Ethernet.
System software within the access point links together the wireless
LAN and distribution sides of the access point. The system
software differentiates access points by providing varying degrees
of management, installation, and security functions.
Dependency on networks is higher than ever. Cisco Catalyst®
and Cisco Aironet® Access Points are the next generation of
Cisco® wireless Access Points.
Wireless Controllers Management Access Connections
A browser-based GUI is built into the controller. It allows up to
five users to concurrently browse the controller's HTTP or HTTPS
(HTTP + SSL) management pages to configure parameters and monitor
the operational status of the controller and its related access
points.
Telnet and SSH
Telnet is a network protocol used to provide remote access to the
controller. Secure Shell (SSH) is a more secure replacement for
Telnet that protects the session with encryption over a secure
channel. You can use the controller GUI or CLI to configure Telnet
and SSH sessions.
Configuring Telnet and SSH Sessions (GUI)
Procedure
HTTP and HTTPS
This section provides guidelines for enabling the distribution
system port as a web port (using HTTP) or as a secure web port
(using HTTPS). You can protect management communication by enabling
HTTPS in the GUI. HTTPS protects HTTP browser sessions by using the
Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the
controller generates its own local web administration SSL
certificate and automatically applies it to the GUI. You also have
the option of downloading an externally generated certificate.
Configuring HTTP and HTTPS (GUI)
Procedure
Console (CLI)
The Cisco wireless solution's Command Line Interface (CLI) is a
built-in feature of every controller. The CLI allows you to use a
VT-100 terminal emulation program to locally or remotely configure,
monitor, and control individual controllers and their related
lightweight access points. The CLI is a text-based, tree-structured
interface that allows up to five users with Telnet-capable terminal
emulation programs to access the controller.
Configuring CLI
Procedure
TACACS+/RADIUS
Two common AAA security protocols are used to control access in a
network: RADIUS and TACACS+. Both serve as the language of
communication between a networking device and an AAA server.
RADIUS:
Remote Authentication Dial-In User Service (RADIUS) is an AAA
protocol used by access servers; it secures remote access to the
network and network services against unauthorized users.
Transactions between the RADIUS server and client are
authenticated with a shared secret key, and all passwords are sent
encrypted, which reduces the chance of password disclosure to an
unauthorized user even on an unsecured network. RADIUS performs
authentication and authorization together. RADIUS is an open
standard, which means that any vendor can use it in its AAA
implementation.
Authentication: It is the process of verifying users when they
attempt to log into the controller. Users must enter a valid
username and password in order for the controller to authenticate
users to the RADIUS server.
Accounting: It is the process of recording user actions and
changes. Whenever a user successfully executes an action, the
RADIUS accounting server logs the changed attributes, the user ID
of the person who made the change, the remote host where the
user is logged in, the date and time when the command was
executed, the authorization level of the user, and a description of
the action performed and the values provided.
Configuring RADIUS (GUI)
Procedure
TACACS+
TACACS+ stands for Terminal Access Controller Access-Control
System Plus and is Cisco proprietary. Like RADIUS, TACACS+ is used
for communication between a networking device and an AAA server.
Unlike RADIUS, TACACS+ encrypts the entire packet body and attaches
a TACACS+ header to the message body. TACACS+ ensures reliable
delivery between clients and servers because it uses a TCP
connection, and since it is Cisco proprietary, it offers granular
control over Cisco routers and switches. TACACS+ performs
authentication, authorization, and accounting separately, so each
AAA function can be controlled by a different method. One of the
main differences between RADIUS and TACACS+ is that RADIUS encrypts
only the password and sends the rest of the RADIUS packet as clear
text over the network.
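The difference just stated, and the RADIUS description earlier in this section, as an added example (not code from the workbook or from Cisco): the RFC 2865 User-Password hiding beside the RFC 8907 TACACS+ body obfuscation, run over constructed credentials, a hypothetical NAS address and a constructed session ID, so you can see which fields each protocol leaves readable on the path between device and server.

```python
"""What each AAA protocol hides on the wire, for the RADIUS and TACACS+
paragraphs above. Added example, not from the workbook or from Cisco.

RADIUS (RFC 2865 s5.2) masks only the User-Password attribute with an MD5
keystream of (secret || Request Authenticator); TACACS+ (RFC 8907 s4.5)
masks the whole body after its 12-byte header with an MD5 keystream of
(session_id || key || version || seq_no). All credentials, addresses and
session IDs below are constructed sample values."""
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c1 = p1 ^ MD5(S+RA), ci = pi ^ MD5(S+c(i-1)), password NUL-padded to 16n."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("Request Authenticator must be 16 bytes, password 1..128")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          nas_ip: bytes = bytes([192, 168, 200, 1]),
                          request_auth: bytes = None, identifier: int = 1) -> tuple:
    """Access-Request (Code 1): User-Name (1) and NAS-IP-Address (4) are sent
    in the clear; only User-Password (2) is hidden."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(1, username)
             + _attr(2, radius_hide_password(password, secret, request_auth))
             + _attr(4, nas_ip))
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC1, seq_no: int = 1) -> bytes:
    """pad_1 = MD5(sid||key||ver||seq), pad_n = MD5(sid||key||ver||seq||pad_n-1);
    body ^= pad. XOR makes this function its own inverse."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])


def tacacs_authen_start(username: bytes, password: bytes, key: bytes,
                        session_id: int) -> bytes:
    """Cleartext header + obfuscated PAP START body (RFC 8907 5.1 layout:
    action, priv_lvl, authen_type, authen_service, four length octets, then
    user, port, rem_addr, data). Version 0xC1 = major 0xC, minor 1 (PAP)."""
    port, rem_addr = b"tty0", b"192.168.200.1"
    body = (struct.pack("!8B", 1, 1, 2, 1, len(username), len(port),
                        len(rem_addr), len(password))
            + username + port + rem_addr + password)
    header = struct.pack("!BBBBII", 0xC1, 1, 1, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, version=0xC1, seq_no=1)


SECRET, USER, PASSWORD = b"constructed-shared-secret", b"alice", b"s3cret-pw!"
RA = bytes(range(16))  # fixed Request Authenticator so the demo is repeatable


def demo() -> dict:
    """What a passive observer on the path between device and server can read."""
    radius_pkt, _ = radius_access_request(USER, PASSWORD, SECRET, request_auth=RA)
    tacacs_pkt = tacacs_authen_start(USER, PASSWORD, SECRET, session_id=0x1234ABCD)
    return {
        "radius_username_visible": USER in radius_pkt,
        "radius_password_visible": PASSWORD in radius_pkt,
        "tacacs_username_visible": USER in tacacs_pkt,
        "tacacs_password_visible": PASSWORD in tacacs_pkt,
    }
```

Both schemes are only as strong as the shared secret and the network path carrying the packets, which is why the workbook's advice to keep AAA traffic on tightly controlled VLANs matters as much as the protocol choice.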
Authentication: It is the procedure of verifying users when they
attempt to log in to the controller. Users must enter a valid
username and password in order for the controller to authenticate
users to the TACACS+ server. The authentication and authorization
services are bound to one another.
Authorization: It is the procedure of determining the actions
that users are allowed to take on the controller based on their
level of access. For TACACS+, authorization is based on privilege
rather than specific actions. The available roles correspond to the
seven menu options on the controller GUI: MONITOR, WLAN,
CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and
COMMANDS. An additional role, LOBBY, is available for users
who require only lobby ambassador privileges. The roles to which
users are assigned are configured on the TACACS+ server. Users
can be authorized for one or more roles.
Accounting: It is the procedure of recording user actions and
changes. Any time a user successfully executes an action, the
TACACS+ accounting server logs the changed action, the user ID
of the person who made the change, the remote host where the
user is logged in, the date and time when the command was
executed, the authorization level of the user, and the explanation
of the action performed and the values provided.
Configuring TACACS+ (GUI)
Procedure
Components of a Wireless LAN Access for Client Connectivity
using GUI
A wireless LAN controller and an access point work together to
provide network connectivity to wireless clients. From a wireless
standpoint, the AP advertises a Service Set Identifier (SSID) for
clients to join. From a wired standpoint, the controller connects to
a Virtual LAN (VLAN) through one of its dynamic interfaces. To
complete the path between the SSID and the VLAN, you must
first define a WLAN on the controller.
Figure 2-19: Connecting Wired and Wireless Networks with a WLAN
The above figure shows a Wireless LAN Controller (WLC) and an
Access Point (AP) that are connected to a network cloud on the
right and left respectively. The AP has a wireless connection with
a subnet 192.168.199.0/24 that represents an SSID named
Engineering. The AP and WLC are connected by a Control and
Provisioning of Wireless Access Points (CAPWAP) tunnel. This
connection presents a complete WLAN. The WLC has a wired connection
on the right with a subnet 192.168.199.199/24. VLAN 100 exists on
that connection and is presented as the VLAN (Interface
Engineering). The controller will connect the WLAN to one of its
interfaces and then, by default, push the WLAN configuration out to
all of its APs. From that point forward, wireless clients will be
able to learn about the new WLAN by receiving its beacons and will
be able to search for and join the new Basic Service Set (BSS).
Like VLANs, you can use WLANs to separate wireless users
and their traffic into logical networks. Users connected with one
WLAN cannot cross over into another one unless their traffic is
bridged or routed from one VLAN to another through the wired
network infrastructure.
Before you create new WLANs, it is usually smart to plan your
wireless network first. In a large enterprise, you might have to
support an extensive variety of wireless devices, user communities,
security policies, and so on. You might be tempted to create a new
WLAN for every case, just to keep groups of users separated from
each other or to support different types of devices. Although it is
an attractive strategy, you should be aware of two restrictions:
Cisco controllers support a maximum of 512 WLANs, but only 16
of them can be actively configured on an AP
Advertising each WLAN to potential wireless clients uses up
valuable airtime
Every AP must broadcast beacon management frames at regular
intervals to advertise the existence of a BSS. Because each
WLAN is bound to a BSS, each WLAN must be advertised with
its own beacons. Beacons are usually sent 10 times per second,
or once every 100 milliseconds, at the lowest mandatory data rate.
As a rule of thumb, always limit the number of WLANs to five
or fewer; a maximum of three WLANs is best. By default, a
controller has a limited initial configuration, so no WLANs are
defined.
Before you create a new WLAN, think about the following
parameters that will be required:
SSID string
Controller interface and VLAN number
Type of wireless security needed
As we work through this section, we will create the appropriate
dynamic controller interface to support the new WLAN; then we
will enter the necessary WLAN parameters. Each configuration step
is performed using a Graphical User Interface (GUI) that is
connected to the WLC’s management IP address.
Step 1. Configure a RADIUS Server
If your new WLAN uses a security scheme that requires a RADIUS
server, such as WPA2-Enterprise or WPA3-Enterprise, you will need
to define the server first.
Select Security > AAA > RADIUS > Authentication
Click New to create a new server.
Enter the server’s IP address, shared secret key, and port
number, as shown in Figure 2-20. Because the controller already
has two other RADIUS servers configured, the server at
192.168.200.30 will be indexed as number 3. Be sure to set the
server status to Enabled so that the controller can start using it.
At the bottom of the page, you can select the type of user that
will be authenticated with the server.
Check Network User to authenticate wireless clients or
Management to authenticate wireless administrators that will
access the controller’s management functions.
Click Apply to complete the server configuration.
Figure 2-20: Configuring a New RADIUS Server
Step 2. Create a Dynamic Interface
A dynamic interface is used to connect the controller to a VLAN on
the wired network. When you create a WLAN, you will connect the
dynamic interface and VLAN to a wireless network.
To create a new dynamic interface, navigate to Controller >; you
will see a list of all the controller interfaces that are currently
configured.
In Figure 2-21, two interfaces named “management” and “virtual”
already exist.
Click the New button to define a new interface.
Figure 2-21: Displaying a List of Dynamic Interfaces
Enter a name for the interface and the VLAN number it will be
bound to. Figure 2-22 shows the interface named Engineering
mapped to wired VLAN
Click the Apply button.
Figure 2-22: Defining a Dynamic Interface Name and VLAN ID
Next, enter the IP address, subnet mask, and gateway address for
the interface. You should also define primary and secondary DHCP
server addresses that the controller will use when it relays DHCP
requests from clients that are bound to the interface.
Figure 2-23 shows that the interface named Engineering has been
configured with IP address 192.168.100.10, subnet mask 255.255.255.0,
gateway 192.168.100.1, and DHCP servers 192.168.1.17 and
Click the Apply button to complete the interface configuration and
return to the list of interfaces.
Figure 2-23: Editing the Dynamic Interface Parameters
Step 3. Create a New WLAN
You can show a list of the currently defined WLANs by selecting
WLANs from the top menu bar.
In Figure 2-24, the controller does not have any WLANs already
defined. You can create a new WLAN by selecting Create New from
the drop-down menu and then clicking the Go button.
Figure 2-24: Displaying a List of WLANs
Next, enter a descriptive name as the profile name and the SSID
text string.
In Figure 2-25, the profile name and SSID are identical, just to
keep things clear. The ID number is used as an index into the list
of WLANs that are defined on the controller. The ID number
becomes useful when you use templates in Prime Infrastructure (PI)
to configure WLANs on multiple controllers at the same time.
Figure 2-25: Creating a New WLAN
Go to the next page that will allow you to edit four categories of
parameters, corresponding to the tabs across the top as shown in
Figure 2-26.
Figure 2-26: Configuring the General WLAN Parameters
You can control whether the WLAN is enabled or disabled with
the Status check box. Under Radio Policy, select the type of radio
that will offer the WLAN. By default, the WLAN will be offered on all
radios that are joined with the controller.
Next, select which of the controller’s dynamic interfaces will be
bound to the WLAN. By default, the management interface is
selected. The drop-down list contains all the interface names that are
available. In Figure 2-26, the new IPSpecialist WLAN will be bound
to the Engineering interface.
Finally, enable the Broadcast SSID by selecting the check box. APs
should broadcast the SSID name in the beacons they transmit.
Broadcasting SSIDs is usually more convenient for users for
connecting to the WLAN because their devices can learn and display
the SSID names automatically.
Configuring WLAN Security
Select the Security tab to configure the security settings. By
default, the Layer 2 Security tab is selected. From the Layer 2
Security drop-down menu, select the appropriate security scheme to
use.
WPA+WPA2 has been selected from the pull-down menu; then
only WPA2 and AES encryption have been selected. WPA and TKIP
have been avoided because they are outdated methods.
Under the Authentication Key Management section, you can select
the authentication methods the WLAN will use. PSK will be selected,
so the WLAN will allow only WPA2-Personal with pre-shared key
authentication as shown in Figure 2-27.
Figure 2-27: Configuring Layer 2 WLAN Security
Configuring WLAN QoS
Select the QoS tab to configure quality of service settings for the
WLAN, as shown in Figure 2-28.
By default, the controller will consider all frames in the WLAN to
be normal data and handled in a “best effort” manner.
You can set the Quality of Service (QoS) drop-down menu to
classify all frames in one of the following ways:
Platinum (voice)
Gold (video)
Silver (best effort)
Bronze (background)
Figure 2-28: Configuring QoS Settings
Configuring Advanced WLAN Settings
Finally, you can select the Advanced tab to configure a variety of
advanced WLAN settings.
You can enable functions such as coverage hole detection, peer-to-peer
blocking, client exclusion, client load limits, and so on, as
shown in Figure 2-29.
Figure 2-29: Configuring Advanced WLAN Settings
Finalizing WLAN Configuration
When you are satisfied with the settings in each of the WLAN
configuration tabs, click the Apply button in the upper-right corner of
the WLAN Edit page.
Figure 2-30: Finalizing WLAN Configuration
Finally, the WLAN will be created and added to the controller
configuration. The WLAN ‘Engineering’ has been added as WLAN ID
1 as shown in Figure 2-31 and is enabled for use.
Figure 2-31: Displaying WLANs Configured on a Controller
Mind Map of Network Access
Figure 2-32: Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
A Virtual LAN (VLAN) is a switched network that is logically
divided by function, project team or application, regardless of the
physical locations of the users or hosts
VLANs have similar attributes as physical LANs, but you can
group end stations/hosts even if they are not physically situated
on the same LAN segment
Normal-range VLANs are VLANs with VLAN IDs 1-1005
A data VLAN is a VLAN that is configured to carry user-generated
traffic
Most switches allow you to add a second VLAN on a switch port
for your voice traffic, called the voice VLAN
Interswitch Connectivity
Cisco originally created their own way of marking traffic with a
VLAN ID for transport over an interswitch link. It was named
Inter Switch Link (ISL)
Trunk ports mark frames with unique identifying tags, either
802.1Q tags or Interswitch Link (ISL) tags as they move between
switches
802.1Q adds a 4-Byte header to the frame indicating the VLAN
(Virtual LAN) membership as compared to ISL, which encapsulates
(adds header and trailer) to the frame
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP) is a device discovery protocol that
operates at the data link layer (Layer 2) on all Cisco-manufactured
devices and permits network management applications to discover
neighboring Cisco devices
To support non-Cisco devices and allow for interoperability
between other devices, the switch supports the IEEE 802.1AB
LLDP
(Layer 2/Layer 3) EtherChannel (LACP)
An EtherChannel consists of Fast Ethernet or Gigabit Ethernet
links bundled into a single logical link
An EtherChannel offers full-duplex bandwidth of up to 800 Mb/s
(Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between two
switches
LACP allows the automatic creation of EtherChannels by
exchanging the LACP packets between Ethernet ports
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Rapid PVST+ provides rapid convergence of the spanning tree by
assigning port roles and learning the active topology
To configure a VLAN instance to become the root bridge, modify
the bridge priority from the default value (32768) to a considerably
lower value
The great advantage of configuring PortFast is that a port
configured with PortFast immediately starts transmitting data in the
forwarding state, bypassing the other spanning-tree states
Cisco Wireless Architectures vs. AP Modes
The Cisco unified wireless network architecture offers secure,
scalable, cost-effective wireless LANs solution for business critical
mobility
The Cisco Unified Wireless Network is the enterprise’s only unified
wired and wireless solution that cost-effectively addresses the
Wireless LAN (WLAN) security, deployment, management, and
control issues
The core components of Cisco Unified Wireless Network are Cisco
Wireless LAN Controllers (WLCs), Cisco Aironet Access Points
(APs), Cisco Prime Infrastructure (PI), Cisco Mobility Services
Engine (MSE)
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
An access point has a radio card that communicates with
individual user devices on the wireless LAN, as well as a wired
NIC that interfaces to a distributed system, such as Ethernet
A WLAN controller manages wireless network access points that
allow wireless devices to connect to the network
LAG simplifies controller configuration because there is no longer
the need to configure primary and secondary ports for each
interface
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
A wireless LAN controller is used in combination with the
Lightweight Access Point Protocol (LWAPP) to manage light-weight
access points in large numbers by the network administrator or
network operations center
Telnet is a network protocol used to provide access to the
controller’s browser
Secure Shell (SSH) is a more secure version of Telnet for data
transfer that uses data encryption and a secure channel
The HTTP/HTTPS settings control whether the distribution system
port is enabled as a web port (using HTTP) or as a secure web port
(using HTTPS)
There are two common security protocols of AAA used to control
access in a network, which are RADIUS and TACACS+
Components of a Wireless LAN Access for Client Connectivity
using GUI
Before you create a new WLAN, think about the following
parameters that will be required:
• SSID string
• Controller interface and VLAN number
• Type of wireless security needed
A wireless LAN controller and an access point work in parallel to
provide network connectivity to wireless clients
From a wireless standpoint, the AP advertises a Service Set
Identifier (SSID) for the client to join
From a wired standpoint, the controller connects to a virtual LAN
(VLAN) through one of its dynamic interfaces
To complete the path between the SSID and the VLAN, you must
first define a WLAN on the controller
Practice Questions
Chapter 03: IP Connectivity
Technology Brief
In the previous chapter, we discussed the roles and functions of
different components, including routers, L1 and L2 switches,
firewalls, and servers. We discussed the characteristics of network
topology architectures, physical interfaces and cabling types, how
issues with these cable types can be identified, and subnetting.
We also looked at the configuration of VLANs spanning multiple
switches and the verification of their connectivity. In this
chapter, we will discuss the routing concept with the support of
static routing for both IPv4 and IPv6 and the OSPFv2 routing
protocol.
Components of the Routing Table
A routing table holds one entry per known network. Each entry
shows whether the network is directly connected, statically
configured or dynamically learned. The “show ip route” command is
used to view the routing table. Its output looks like the
following:
The IP Routing Table on a Cisco Router
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
Routing Protocol Code
The term routing refers to taking a packet from one device and
sending it through the network to another device on a different
network.
The basic operations of routing are:
Discovering far-end networks
Discovering multiple paths to far-end networks
Selecting the best path
Once you create an internetwork by connecting your WANs and
LANs to a router, you will need to configure logical network
addresses, like IP addresses, to all hosts on that internetwork for
them to communicate successfully throughout it.
The information necessary to forward a packet along the best
path towards its destination resides in the routing table. Upon
receiving a packet, a network device examines the packet’s
destination address and finds the routing table entry that best
matches it. That entry supplies the next hop to which the packet
is forwarded on its route across the network.
The following information is included in a basic routing table:
Destination: The IP address of the packet's final destination
Next Hop: The IP address to which the packet is forwarded
Interface: The outgoing network interface the device should use
when forwarding the packet to the next hop or final destination
Metric: Assigns a cost to each available route so that the most
cost-effective path can be chosen
Routes: Includes directly-attached subnets, indirect subnets that are
not attached to the device but can be accessed through one or
more hops, and default routes to use for certain types of traffic
or when information is lacking
The routing protocol code identifies which routing protocol each
route was learned from.
Routing protocol codes are located at the very beginning of a
routing table entry. Cisco is kind to us and even provides a
legend at the beginning of the show output to explain what each
value means. Here are those values for your ease of reference:
• L—local
• C—connected
• S—static
• R—RIP
• M—mobile
• B—BGP
• D—EIGRP
• EX—EIGRP external
• O—OSPF
• IA—OSPF inter area
• N1—OSPF NSSA external type 1
• N2—OSPF NSSA external type 2
• E1—OSPF external type 1
• E2—OSPF external type 2
• i—IS-IS
• su—IS-IS summary
• L1—IS-IS level-1
• L2—IS-IS level-2
• ia—IS-IS inter area
• *—candidate default
• U—per-user static route
• o—ODR
• P—periodic downloaded static route
• +—replicated route
Prefix
The network address is simply termed the prefix. The prefix is
the destination network address in the routing table. The
shorthand way to express a subnet mask using CIDR notation is a
prefix-length; for example, the subnet mask 255.255.255.0 is
written as the prefix-length /24.
Notice that the routing table lists both parent and child
prefixes. For example, in the table above, the entry “172.16.0.0/24
is subnetted, 3 subnets” lists the parent prefix, and the specific
child prefixes 172.16.1.0, 172.16.2.0, and 172.16.3.0 are listed
below it.
Network Mask
As we mentioned the prefix-length is simply a shorthand way to
express a network mask using CIDR notation. A network mask is
also called a subnet mask or net mask for short.
Notice, in the routing table list given, the parent prefix lists the
network mask in prefix notation. So for the 172.16.0.0 example
above, the network mask is /24. Remember, in non-prefix notation,
this is 255.255.255.0.
Table 3-01: Types of Route and Subnet Mask
Next Hop
The next hop identifies the IP address of the next router in line
to which the packet is forwarded. In a child prefix entry, the next
hop IP address follows the word “via”. The next hop is the IP
address of the next router in the path when forwarding packets to
a remote destination.
Administrative Distance
Administrative distance is used to select the best path when a
router has two different paths to the same destination via two
different routing protocols.
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0   (RIP AD = 120)
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnet
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnet
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0   (OSPF AD = 110)
As shown in the output above, the administrative distance for
RIP is 120 for 172.16.1.0, reached through 10.10.10.3, while the AD
for OSPF is 110 for 192.168.2.2, reached through 10.10.10.2.
The Administrative Distance for the Prefix
Note that the Administrative Distance (AD) associated with the
172.16.0.0/24 prefixes is 120. This is because these routes were
learned via RIP, and 120 is the default administrative distance for
RIP. Most of the routing protocols are not compatible with other
protocols. It is a critical task to select the best path between
multiple protocols in a network with multiple routing protocols.
The reliability of a routing protocol is defined by an administrative
distance. An administrative distance value prioritizes each routing
protocol in order of most to least reliable. IPv6 also uses the
same distances as IPv4.
The AD is used to rate the trustworthiness of routing
information received on a router from a neighbour router. An
administrative distance is an integer from 0 to 255, where 0 is
the most trusted and 255 means no traffic will be passed via this
route.
If a router receives two updates listing the same remote
network, the first thing the router checks is the AD. If one of the
advertised routes has a lower AD than the other, the route with the
lowest AD will be chosen and placed in the routing table.
Default Administrative Distances
The default administrative distances are shown in the table
given below:
Table 3-02: Values for the Administrative Distances
Metric
The metric is a value that is produced by the routing protocol's
algorithm. The best path to a destination network within a routing
protocol is determined by the metric value.
The metric varies with the dynamic routing protocol involved. It
is a measure of the “distance” to reach the prefix. For our 172
prefixes, it is a hop count, the simple metric used by RIP.
It indicates how many routers you must cross to reach the
destination prefix in question. Different protocols use different
metrics, as described in the table given below:
Table 3-03: Metrics for Different Protocols
Routes to a destination learned by the same routing protocol are
compared using their metric values; the route with the lower
metric value is preferred.
Routing Information Protocol (RIP) Metric Value
Hop count is used by the RIP (Routing Information Protocol) as
the metric
The hop count is the number of routers that data must pass
through on its way from the source network to the destination
network
Figure 3-01: Hop Count
In the topology given above, the Source Network router is R1
and the Destination Network router is R4. An IP datagram must
cross three routers to reach the Destination Network: the path
passes through R2 and R3 to reach R4.
Gateway of Last Resort
The default route configured on a router is termed the
gateway of last resort. Packets addressed to networks not
explicitly listed in the routing table are forwarded using the
default route. Default routes become invaluable when learning
every more-specific network is not desirable.
Any of the following commands can be used to configure the
gateway of last resort:
ip default-gateway a.b.c.d
ip default-network a.b.c.d
ip route 0.0.0.0 0.0.0.0 a.b.c.d
Notice again in our routing table example, it is indicated that
there is no Gateway of Last Resort set. This means that there is
no default route 0.0.0.0/0 setup that allows the router to send
traffic somewhere if it does not have a specific prefix entry for the
destination IP address. The Gateway of Last Resort can be
dynamically learned, or can be set using three different
commands: ip default-gateway, ip default-network, and ip route
0.0.0.0 0.0.0.0.
The IP Routing Table on a Cisco Router
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnet
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnet
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
How Does a Router Make Forwarding Decisions by Default?
Longest Match
The longest prefix match is an algorithm used in Internet
Protocol (IP) networking for selecting an entry from a forwarding
table. Each entry in a forwarding table specifies a sub-network.
More than one forwarding table entry may be matched with one
destination address. In the matching table entries, the one with
the longest subnet mask is called the longest prefix match. It is
the entry where the largest number of leading address bits of the
destination address match those in the table entry.
Example
Let’s look at a scenario; a router with varying prefix lengths has
four routing processes running on it, and each process has
received these routes:
EIGRP (internal): 192.168.32.0/26
RIP: 192.168.32.0/24
OSPF: 192.168.32.0/19
Because the EIGRP internal route has the best administrative
distance in this example, it is tempting to assume that only the
first route will be installed. Administrative distance, however, only
decides between routes to the same prefix; these three prefixes
differ, so all three routes are installed.
Making Forwarding Decisions
The three routes installed in the routing table can be shown by
the command:
router# show ip route
....
D 192.168.32.0/26 [90/25789217] via 10.1.1.1
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/19 [110/229840] via 10.1.1.3
....
If a packet destined for 192.168.32.1 arrives on a router interface,
the route chosen depends on the prefix length, that is, the number of
bits set in the subnet mask. Longer prefixes are always preferred over
shorter ones when forwarding a packet.
A packet destined for 192.168.32.1 is directed toward 10.1.1.1 because
192.168.32.1 falls within the 192.168.32.0/26 network. It also falls
within the other two routes, but 192.168.32.0/26 has the longest
prefix in the routing table (26 bits versus 24 or 19 bits).
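The lookup described above, written out as a small Python function. This is an added example and not code from the workbook: the routing table is constructed from the three routes in the show ip route output above, with an assumed default route (0.0.0.0/0 via 172.16.10.2, the gateway used in the Default Route section later in this chapter) added so that the gateway of last resort can be seen matching everything with a prefix length of 0.

```python
import ipaddress

# Constructed routing table modelled on the show ip route output above: (prefix, next_hop).
# The /26, /24 and /19 all cover 192.168.32.1; the default route is an assumption added so
# the gateway of last resort can be seen matching everything with a prefix length of 0.
ROUTING_TABLE = [
    ("192.168.32.0/26", "10.1.1.1"),     # D  EIGRP  [90/25789217]
    ("192.168.32.0/24", "10.1.1.2"),     # R  RIP    [120/4]
    ("192.168.32.0/19", "10.1.1.3"),     # O  OSPF   [110/229840]
    ("0.0.0.0/0",       "172.16.10.2"),  # S* assumed default route (candidate default)
]


def matching_routes(destination, table=ROUTING_TABLE):
    """Every route whose prefix covers the destination, most specific first."""
    dst = ipaddress.ip_address(destination)
    hits = []
    for prefix, next_hop in table:
        network = ipaddress.ip_network(prefix)
        if dst in network:
            hits.append((network, next_hop))
    # More matching leading bits (a longer mask) always wins; AD and metric play no part here.
    hits.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return [(str(network), next_hop) for network, next_hop in hits]


def longest_prefix_match(destination, table=ROUTING_TABLE):
    """The forwarding decision: (prefix, next_hop) of the longest matching route, or None."""
    hits = matching_routes(destination, table)
    return hits[0] if hits else None


if __name__ == "__main__":
    for dst in ("192.168.32.1", "192.168.32.100", "192.168.40.7", "10.0.0.1"):
        print(f"{dst:16} -> {longest_prefix_match(dst)}")
```

Note that 192.168.32.100 lies outside the /26 (which only covers .0 to .63) and so falls back to the RIP /24, while 192.168.40.7 matches only the OSPF /19; the administrative distance and metric in brackets never enter into the choice once the routes are installed.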
Administrative Distance
Administrative distance (AD) is how a router chooses between routing
sources when more than one of them offers a route to the same
destination network. When a Cisco router receives routing information
for the same destination network from different protocols, the route
from the source with the lower administrative distance is used.
Static routes have a lower AD than any of the dynamic routing
protocols, so a static route to a destination network is preferred
over routes to the same network learned from dynamic routing
protocols.
Multiple static routes to the same destination can be configured via
different interfaces, with a higher administrative distance on the
backup, for the purpose of failover. If the interface used by the
preferred route goes down, the router removes the route through it and
installs the other static route with the higher AD. These backup
routes are called floating static routes.
Routing Protocol Metric
Routers use a metric, a cost value, to determine the best path to a
destination network. Dynamic routing protocols determine the preferred
(shortest) path to a particular destination, and the decision is based
on the protocol's metric and algorithm. For some routing protocols the
metrics are static and cannot be changed; for others a network
administrator may assign these values. The most common metric values
are hop count, bandwidth, delay, reliability, load, and cost.
Hop
This metric measures distance by the number of networks a datagram
crosses.
Each time a router forwards a datagram onto a segment counts as one
hop.
Routing protocols that use hops as their primary metric consider the
best or preferred path to a destination to be the one with the fewest
network hops.
Routing protocols that only reference hops as their metric do not
always select the best path through a network.
Just because a path to a destination contains fewer network hops than
another does not make it the best.
The upper path may contain a slower link, such as a 56Kb dial-up link
along the second hop, whereas the lower path may consist of more hops
but faster links, such as gigabit Ethernet.
If this were the case, the lower path would undoubtedly be faster than
the upper. However, routing protocols that use hops do not consider
other metric values in their routing decisions.
Bandwidth
This metric is used by protocols that consider the capacity of a link.
Bandwidth is measured in bits per second.
Links supporting higher transfer rates, such as gigabit Ethernet, are
preferred over lower-capacity links such as 56Kb.
These protocols determine and consider the bandwidth capacity of each
link along the end-to-end path.
The path with the higher overall bandwidth is chosen as the best route.
Delay
Delay is measured in tens of microseconds.
The symbol μ is used when indicating delay values.
Delay represents the amount of time it takes for a router to process,
queue, and transmit a datagram out an interface.
Protocols that use this metric must determine the delay values for all
links along the end-to-end path, and they consider the path with the
lowest cumulative delay to be the better route.
Reliability
An administrator may configure this metric as a fixed value, or it may
be measured dynamically over a specific time frame. Routers observe
their attached links and report problems such as link failures,
interface errors, and lost datagrams. Links with more problems are
considered less reliable. The higher the reliability, the better the
path. Link reliability changes with constantly changing network
conditions. This value is generally measured as a fraction of 255,
with 255 being the most reliable and 1 being the least reliable.
Load
Load is a variable value, generally measured over a five-second
window, indicating the traffic load over a specific link.
The load measures the amount of traffic occupying the link over this
time frame as a percentage of the link's total capacity.
The value 255 is equivalent to 100% utilization or load.
The higher the value, the higher the traffic load (bandwidth
utilization) across this link.
Values approaching 255 indicate congestion, while lower values indicate
moderate traffic loads.
The less congested path is generally preferred.
Cost
Network administrators can affect the way routers make path decisions
by setting arbitrary metric values on links along the end-to-end path.
These arbitrary values are typically single integers, with lower
values indicating better paths.
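A comparison of the hop-count, bandwidth and delay metrics over the two paths described under Hop, plus the 1-255 load scale described under Load, as an added Python example that is not from the workbook. The link bandwidths and delay values are constructed to match the description: the upper path has two hops including a 56Kb dial-up link, the lower path has three gigabit Ethernet hops.

```python
# Each path is a list of links: (name, bandwidth_kbps, delay_in_tens_of_microseconds).
# Constructed values: the upper path has fewer hops but crosses a 56Kb dial-up link,
# the lower path has more hops but every link is gigabit Ethernet.
UPPER_PATH = [("R1-R2 GigE", 1_000_000, 1), ("R2-R5 56Kb dial-up", 56, 2000)]
LOWER_PATH = [("R1-R3 GigE", 1_000_000, 1), ("R3-R4 GigE", 1_000_000, 1), ("R4-R5 GigE", 1_000_000, 1)]


def hop_count(path):
    """Hop metric: one hop per link crossed; lower is better."""
    return len(path)


def path_bandwidth(path):
    """Bandwidth metric: the end-to-end path is only as fast as its slowest link; higher is better."""
    return min(bandwidth for _, bandwidth, _ in path)


def cumulative_delay(path):
    """Delay metric: the sum of per-link delays (tens of microseconds); lower is better."""
    return sum(delay for _, _, delay in path)


def best_path(paths, metric):
    """Preferred path under one metric; hop and delay are minimised, bandwidth is maximised."""
    if metric == "hop":
        return min(paths, key=hop_count)
    if metric == "bandwidth":
        return max(paths, key=path_bandwidth)
    if metric == "delay":
        return min(paths, key=cumulative_delay)
    raise ValueError(f"unknown metric {metric!r}")


def utilization_percent(load_value):
    """Convert a load reported on the 1-255 scale into percent utilisation (255 = 100%)."""
    if not 1 <= load_value <= 255:
        raise ValueError("load is reported on a 1-255 scale")
    return round(load_value / 255 * 100, 1)


def path_name(path):
    return " -> ".join(name for name, _, _ in path)


if __name__ == "__main__":
    for metric in ("hop", "bandwidth", "delay"):
        print(f"{metric:9}: {path_name(best_path([UPPER_PATH, LOWER_PATH], metric))}")
```

A hop-count protocol picks the upper path because it has two hops instead of three; a bandwidth- or delay-aware protocol picks the lower path because the 56Kb link is the bottleneck of the upper one.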
IPv4 and IPv6 Static Routing
IP Addresses
An Internet Protocol address, or IP address, is a numerical label
assigned to each device connected to a computer network that uses IP
for communication. It identifies a specific machine on a particular
network. It is also called an IP number or internet address. IP
defines the format of addresses and packets; in most networks IP is
combined with TCP, which allows a virtual connection to be established
between a source and a destination.
IPv4 Address
The first version of IP was IPv4. It was deployed in the ARPANET for
production in 1983 and is still the most widely used IP version today.
Devices on a network are identified by an addressing system. IPv4 uses
a 32-bit address scheme, which allows 2^32 addresses, more than 4
billion.
IPv6 is the successor of IPv4. With IPv6, a system can simplify address
assignments, gain additional network security features, and have far
more numerical addresses available. The IPv4 to IPv6 transition is
likely to be rough, though.
This underlying technology allows us to connect our devices to
the web. A device accessing the internet is assigned a unique,
numerical IP address such as 99.48.227.227. A data packet must
be transferred across the network containing the IP addresses of
both devices in order to send data from one computer to another
through the web. Computers would not be able to communicate
and send data to each other without IP addresses.
Features of IPv4
It is a connectionless Protocol
It allows creating a simple virtual communication layer over
expanded devices
Less memory and ease of remembering addresses are required in
this addressing scheme
Millions of devices support this protocol
Video libraries and conferences are offered in IPV4
The Reason Why We Are Running out of IPv4 Addresses
IPv4 uses 32-bit internet addresses, so the scheme supports around
4.29 billion (2^32) IP addresses in total. All of these have now been
assigned to various institutions, leading to the crisis we face today.
Many of them are unused and in the hands of institutions like MIT and
companies like Ford and IBM. More IPv4 addresses will be traded or
sold, and many are still available to be assigned, but they will
become a rarer commodity over the next two years until the shortage
causes problems for the web.
The command used to add a static route to the routing table from
global configuration mode is:
Router(config)#ip route [destination_network] [mask] [next-hop_address or exit_interface] [administrative_distance] [permanent]
This list describes each part of the command:
ip route The command used to create the static route.
destination_network The network you are placing in the routing table.
mask The subnet mask used on the network.
next-hop_address The IP address of the next-hop router that will
receive packets and forward them to the remote network. It must be the
address of a router interface on a directly connected network, and you
must be able to ping that interface before you can add the route. Note
that if you type in the wrong next-hop address, or the interface to the
correct router is down, the static route will show up in the router's
configuration but not in the routing table.
exit_interface Can be used in place of the next-hop address if you
want; the route then shows up as a directly connected route.
administrative_distance By default, static routes have an
administrative distance of 1, or 0 if you use an exit interface instead
of a next-hop address. You can change the default value by adding an
administrative weight at the end of the command.
permanent If the interface is shut down or the router cannot
communicate with the next-hop router, the route is automatically
removed from the routing table by default. Choosing the permanent
option keeps the entry in the routing table.
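A parser for the ip route command string described in the list above, as an added Python example that is not the workbook's code. It derives the default administrative distance the same way the list does (1 for a next-hop address, 0 for an exit interface), honours an explicit distance and the permanent keyword, and renders the route in the form show ip route lists it; the addresses and interface names in the sample commands are constructed.

```python
import ipaddress

# Default administrative distances the list above gives for a static route.
AD_VIA_NEXT_HOP = 1        # next-hop address: shows as "S prefix [1/0] via next-hop"
AD_VIA_EXIT_INTERFACE = 0  # exit interface: shows as "S prefix is directly connected, interface"


def parse_ip_route(command):
    """Parse 'ip route <destination> <mask> <next-hop | exit-interface> [distance] [permanent]'.

    Returns a dict describing the static route the command creates, with the administrative
    distance the router applies by default when none is given. Only the options described
    on this page are handled (no name/tag/track keywords).
    """
    tokens = command.split()
    if tokens[:2] != ["ip", "route"] or len(tokens) < 5:
        raise ValueError(f"not an ip route command: {command!r}")
    destination, mask, gateway = tokens[2], tokens[3], tokens[4]
    # strict=True rejects a destination with host bits set under the given mask.
    network = ipaddress.ip_network(f"{destination}/{mask}", strict=True)
    route = {"network": str(network), "permanent": "permanent" in tokens[5:]}
    try:
        route["next_hop"] = str(ipaddress.ip_address(gateway))
        route["exit_interface"] = None
        route["ad"] = AD_VIA_NEXT_HOP
    except ValueError:
        # Not an address, so it is an exit interface name such as Ethernet1/0.
        route["next_hop"] = None
        route["exit_interface"] = gateway
        route["ad"] = AD_VIA_EXIT_INTERFACE
    # An explicit numeric value after the gateway overrides the default distance.
    extras = [token for token in tokens[5:] if token != "permanent"]
    if extras:
        distance = int(extras[0])
        if not 1 <= distance <= 255:
            raise ValueError("administrative distance must be between 1 and 255")
        route["ad"] = distance
    return route


def show_ip_route_line(route):
    """Render the route as show ip route would list it (S* marks the candidate default)."""
    code = "S*" if route["network"] == "0.0.0.0/0" else "S"
    if route["exit_interface"]:
        return f"{code} {route['network']} is directly connected, {route['exit_interface']}"
    return f"{code} {route['network']} [{route['ad']}/0] via {route['next_hop']}"


if __name__ == "__main__":
    for cmd in ("ip route 200.100.50.0 255.255.255.0 172.16.10.2",
                "ip route 172.16.20.0 255.255.255.0 Ethernet1/0",
                "ip route 0.0.0.0 0.0.0.0 172.16.10.2"):
        print(show_ip_route_line(parse_ip_route(cmd)))
```

The strict network check mirrors a real caveat: a destination whose host bits are set under the given mask (for example 200.100.50.1 with 255.255.255.0) is rejected rather than silently stored as the wrong network.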
IPv6 Address
IPv6 is the most recent version of the Internet Protocol. Its design
was initiated in early 1994 by the Internet Engineering Task Force
(IETF), and the resulting protocol suite is now called IPv6. It is the
sixth revision of the Internet Protocol and the successor to IPv4.
Deploying this new version fulfills the need for more internet
addresses, and the issues associated with IPv4 have been resolved with
this addressing scheme. Its 128-bit address space allows about three
hundred and forty (340) undecillion unique addresses. It is also
called IPng (Internet Protocol next generation). It functions like
IPv4 and provides the unique, numerical IP addresses that
internet-enabled devices need to communicate. The one major difference
of this addressing scheme is that it uses 128-bit addresses.
Features of IPv6
It offers hierarchical addressing and routing infrastructure
It allows stateful and stateless configurations
It supports Quality of Service (QoS)
For neighboring node interaction, it is an ideal protocol
Problem Solved with IPv6
As IPv6 uses 128-bit internet addresses, 2^128 internet addresses can
be supported in this scheme. Hence it contains about
340,282,366,920,938,000,000,000,000,000,000,000,000 addresses.
That is a lot of addresses, and it takes a hexadecimal system to
display them. There are more than enough IPv6 addresses to keep the
internet operational for a very, very long time.
Difference between IPv4 and IPv6 Addresses
Both IPv4 and IPv6 addresses represent binary numbers.
An IPv4 address is a 32-bit binary number, while an IPv6 address is a
128-bit binary number.
IPv4 address fields are separated by full stops (.), while IPv6 address
fields are separated by colons (:).
Both are used to identify machines connected to a network.
In principle they are the same, but they differ in how they work.
IPv4 and IPv6 can exist together on the same network but cannot
communicate with each other directly. Running both on the same device
is known as dual stack.
Default Route
A default route is used by IP to forward any packet whose destination
is not found in the routing table, which is why it is also called the
gateway of last resort. Here is the configuration:
Router(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 172.16.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.10.2
Network Route
When a route is created to a network (as most route entries do),
it is called a network route. This simply means that the route
points to a group of hosts, as does the following entry:
Router(config)#ip route 200.100.50.0 255.255.255.0 172.16.10.2
Router(config)#do show ip route
S 200.100.50.0/24 [1/0] via 172.16.10.2
Host Route
In most cases, we create routes to networks, but you can create a
route leading to a single host. An example of a host route is
shown below. Note that the mask that goes with the route is 32
bits in length, meaning it is a route to a single IP address.
There are dynamically created host routes called local host
routes as well. One of these will be placed in the routing table
for each router interface. An example is shown below. Note that it
has an L next to it and is preceded by the network route for the
directly connected network in which the interface resides.
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 172.16.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.10.2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Ethernet1/0
L 172.16.10.1/32 is directly connected, Ethernet1/0
S 172.16.20.0/24 is directly connected, Ethernet1/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/0
L 192.168.1.1/32 is directly connected, FastEthernet0/0
S 192.168.2.0/24 is directly connected, Ethernet1/0
S 200.100.50.0/24 [1/0] via 172.16.10.2
Floating Static
A floating static route is one created as a backup to a route learned
through a routing protocol. By creating the static route with an
administrative distance larger than that of the routing protocol, we
prevent the static route from being used unless the dynamic route is
unavailable.
The following example configures a static route with a distance of
125, which keeps it out of the routing table as long as a route to the
same network with a lower distance value is present:
Router(config)#ip route 192.168.4.0 255.255.255.0 [next-hop_address] 125
A static route that the router uses to back up a dynamic route is known
as a floating static route. It must be configured with a higher
administrative distance than the dynamic route it backs up, so the
dynamic route is preferred while it is available and the floating
static route takes over when the dynamic route is lost.
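How the router chooses among several candidate routes for the same prefix, and how a floating static route takes over when the dynamic route disappears, modelled in Python. This is an added example and not the workbook's own configuration: the default administrative distances are the IOS values visible in the routing table outputs on this page (90 EIGRP, 110 OSPF, 120 RIP, 1 static, 0 connected), and the next-hop addresses 10.1.1.3 and 10.1.1.9 are assumed.

```python
from dataclasses import dataclass
from typing import Optional

# Default administrative distances: the IOS values visible in the routing table outputs
# on this page ([90/..] EIGRP, [110/..] OSPF, [120/..] RIP) plus static (1) and connected (0).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: str
    next_hop: str
    source: str                # "eigrp", "ospf", "rip", "static" or "connected"
    ad: Optional[int] = None   # explicit distance, e.g. 125 for a floating static route

    def __post_init__(self):
        if self.ad is None:
            self.ad = DEFAULT_AD[self.source]


class RoutingTable:
    """Keeps every candidate route per prefix and installs only the one with the lowest AD."""

    def __init__(self):
        self._candidates = {}

    def learn(self, route):
        self._candidates.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix, source):
        """Model a route disappearing (link down, neighbour lost) for one source."""
        self._candidates[prefix] = [r for r in self._candidates.get(prefix, []) if r.source != source]

    def installed(self, prefix):
        """The route actually placed in the table for this prefix, or None if no candidate is left."""
        candidates = self._candidates.get(prefix, [])
        return min(candidates, key=lambda r: r.ad) if candidates else None


def floating_static_demo():
    """Dynamic route preferred while present; the AD-125 static takes over when it is withdrawn."""
    table = RoutingTable()
    table.learn(Route("192.168.4.0/24", "10.1.1.3", "ospf"))            # assumed OSPF next hop
    table.learn(Route("192.168.4.0/24", "10.1.1.9", "static", ad=125))  # floating static, assumed next hop
    before = table.installed("192.168.4.0/24")
    table.withdraw("192.168.4.0/24", "ospf")
    after = table.installed("192.168.4.0/24")
    return before.source, before.ad, after.source, after.ad


if __name__ == "__main__":
    print(floating_static_demo())   # ('ospf', 110, 'static', 125)
```

Administrative distance only decides between candidates for the same prefix; a static route left at its default distance of 1 would displace the OSPF route immediately, which is exactly what the distance of 125 on the floating static avoids.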
Case Study: Static Routing
An organization has interconnected three networks. All the networks
need to be connected statically to route traffic, and all of them are
able to reach the ISP. If any route to the ISP gets disconnected, the
networks should still be able to reach the ISP through a floating
static route with a greater administrative distance. The configuration
has been implemented using IPv4.
Topology Diagram:
Figure 3-02: IPv4 Static Routing
Configuration
Verification
Case Study: Static Routing
An organization has interconnected three networks. All the networks
need to be connected statically to route traffic, and all of them are
able to reach the ISP. If any route to the ISP, say the link between
R1 and the ISP, gets disconnected, the networks should still be able
to reach the ISP through a floating static route with a greater
administrative distance. The configuration has now been implemented
using IPv6.
Topology Diagram:
Figure 3-03: IPv6 Static Routing
Configuration
Verification
Single Area OSPFv2
Configuring basic OSPF is not as simple as configuring RIP and
EIGRP, and it can get really complex once the many options that
are allowed within OSPF are factored in. But that's okay because
you really only need to focus on the basic, single-area OSPF
configuration at this point.
Next, we will show you how to configure single-area OSPF. The
two factors that are foundational to OSPF configuration are
enabling OSPF and configuring OSPF areas.
Common terminologies for OSPF are:
Router Types:
Internal Router: All interfaces reside within the same area
Backbone Router: A router with an interface in area 0 (the
backbone)
Area Border Router (ABR): Connects two or more areas
Autonomous System Boundary Router (ASBR): Connects to additional
routing domains, typically located at the backbone
Area Types:
Standard Area: Default OSPF area type
Stub Area: External link (type 5) LSAs are replaced with a default
route
Totally Stubby Area: Type 3, 4, and 5 LSAs are replaced with a
default route
Not So Stubby Area (NSSA): A stub area containing an ASBR;
type 5 LSAs are converted to type 7 within the area
Enabling Single-Area OSPF: The easiest and also least scalable way to
configure OSPF is to use a single area. Doing this requires a
minimum of two commands.
The first command used to activate the OSPF routing process
is as follows:
Process ID <1-65535>
The OSPF process ID values range from 1 to 65535.
The process ID is used to enable one or more OSPF processes
on a router. An OSPF process can be removed by using the no form
of the command.
A value in the range from 1 to 65,535 identifies the OSPF
process ID. It is a unique number on this router that groups a
series of OSPF configuration commands under a specific running
process. Different OSPF routers do not have to use the same
process ID to communicate.
The Show IP OSPF Interface Command
The show ip ospf interface command reveals all interface-related
OSPF information. Data is displayed about OSPF information for
all OSPF-enabled interfaces or for specified interfaces. Here are
some of the more important factors highlighted for you:
So this command has given us the following information:
Interface IP Address
Area Assignment
Process ID
Router ID
Network Type
Cost
Priority
DR/BDR Election Information (if applicable)
Hello and Dead Timer Intervals
Adjacent Neighbor Information
The reason the show ip ospf interface g0/0 command is used
is because there would be a designated router elected on the
GigabitEthernet broadcast multi-access network.
The show ip ospf neighbor command is super-useful because it
summarizes the pertinent OSPF information regarding neighbors
and the adjacency state. If a DR or BDR exists, that information
will also be displayed. Here is a
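Since the sample output did not survive in this copy, here is an added Python example, not from the book, that parses a constructed `show ip ospf neighbor` listing into the fields the text describes (neighbor ID, priority, state, DR/BDR role, dead time, address, interface) and flags adjacencies that are not in an expected steady state. The function names, the sample addresses and the states shown are all invented for this example:

```python
import re
from dataclasses import dataclass

# Constructed sample of `show ip ospf neighbor` output; the addresses and
# states are invented for this example, not taken from the book.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:33    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   FULL/BDR        00:00:38    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   2WAY/DROTHER    00:00:31    192.168.1.4     GigabitEthernet0/0
10.0.0.5          0   EXSTART/DROTHER 00:00:39    192.168.1.5     GigabitEthernet0/0
10.0.0.9          1   FULL/  -        00:00:35    10.1.1.2        Serial0/0/0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<nbr_id>{IPV4})\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>[A-Z]+|-)\s+"   # e.g. FULL/DR or FULL/  -
    r"(?P<dead>\d\d:\d\d:\d\d|-)\s+"
    rf"(?P<addr>{IPV4})\s+"
    r"(?P<intf>\S+)$"
)


@dataclass
class OspfNeighbor:
    neighbor_id: str   # the neighbor's router ID
    priority: int      # DR election priority the neighbor advertises
    state: str         # adjacency state: FULL, 2WAY, EXSTART, ...
    role: str          # DR, BDR, DROTHER, or "-" on point-to-point links
    dead_time: str     # Dead Time column as printed
    address: str       # interface IP address of the neighbor
    interface: str     # local interface on which the Hello was received


def parse_show_ip_ospf_neighbor(text):
    """Turn the text of `show ip ospf neighbor` into a list of OspfNeighbor."""
    neighbors = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:          # header, blank lines and anything unparseable
            continue
        neighbors.append(OspfNeighbor(
            neighbor_id=m["nbr_id"], priority=int(m["pri"]),
            state=m["state"], role=m["role"], dead_time=m["dead"],
            address=m["addr"], interface=m["intf"]))
    return neighbors


def find_stuck_adjacencies(neighbors):
    """Neighbors that are not in an expected steady state.

    FULL is expected with the DR, the BDR and on point-to-point links.
    2WAY is normal between two DROTHER routers on a broadcast segment
    (simplification: this assumes the local router is itself a DROTHER).
    INIT, EXSTART, EXCHANGE and LOADING should be transient; a neighbor
    that stays there points at an MTU, authentication or duplicate
    router-ID problem worth investigating.
    """
    return [n for n in neighbors
            if not (n.state == "FULL"
                    or (n.state == "2WAY" and n.role == "DROTHER"))]


if __name__ == "__main__":
    table = parse_show_ip_ospf_neighbor(SAMPLE_OUTPUT)
    for n in table:
        print(f"{n.neighbor_id:<12} {n.state}/{n.role:<8} via {n.interface}")
    for n in find_stuck_adjacencies(table):
        print(f"check adjacency with {n.neighbor_id} on {n.interface}: "
              f"stuck in {n.state}")
```

Run as a script it lists every neighbor and then reports the one stuck in EXSTART; the 2WAY/DROTHER entry is deliberately not reported, because on a broadcast segment two non-DR routers legitimately stop at that state.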
The Show IP Protocols Command
The show ip protocols command is also highly useful, whether
you are running OSPF, EIGRP, RIP, BGP, IS-IS, or any other
routing protocol that can be configured on your router. It provides
an excellent overview of the actual operation of all running
protocols.
Figure 3-07: Showing the IP Protocols
The table below defines OSPF verification commands:
Table 3-04: OSPF Verification Commands
Loopback interfaces are logical interfaces, which means that they are
virtual, software-only interfaces, not actual, physical router
interfaces. A big reason we use loopback interfaces with OSPF
configurations is that they ensure an interface is always active
and available for OSPF processes.
Loopback interfaces also come in very handy for diagnostic
purposes as well as for OSPF configuration. Understand that if
you do not configure a loopback interface on a router, the highest
active IP address on a router will become that router's RID during
boot-up:
City_X(config)#interf loopback 0
City_X(config-if)#ip address 172.31.1.2 255.255.255.0
City_X(config-if)#no sh
Neighbor Adjacency
An OSPFv2 interface must have a configuration compatible with the
remote interface before the two can be considered neighbors. The
following criteria must match on the two OSPFv2 interfaces:
Hello Interval
Dead Interval
Area ID
Authentication
Optional Capabilities
If a match is found, the information entered into the neighbor
table will be as follows:
Neighbor ID: The router ID of the neighbor
Priority: Priority of the neighbor
State: It indicates whether the neighbor has just been heard
from, the bidirectional communications are setup, the link-state
information is shared, or the full adjacency has been achieved
Dead Time: It indicates the time since the last Hello packet
was received from this neighbor
IP Address: The neighbor’s IP address
Designated Router: Indicates whether the neighbor is declared
as the designated router or as the backup designated router
Local Interface: The local interface that received the Hello
packet for this neighbor
Adjacency
Adjacency is not established by all the neighbors. Some of the
neighbors become fully adjacent and share LSAs with all their
neighbors depending on the network type and designated router
establishment. (For more information see the “Designated Routers”
section.)
Database Description packets, Link State Request packets, and
Link State Update packets in OSPF are used to establish the
adjacency. Only the LSA headers from the link-state database of
the neighbor are included in the Database Description packet.
The local router compares these headers with its own link-state
database and determines which LSAs are new or updated. It then
sends a Link State Request packet for each such LSA, asking for the
new or updated information. The neighbor responds with Link State
Update packets. This exchange continues until both routers have
the same link-state information.
Point-to-Point
Open Shortest Path First (OSPF) runs as a point-to-point network
type on point-to-point links such as High-Level Data Link Control
(HDLC) and Point-to-Point Protocol (PPP). The OSPF network type
is enabled by default.
OSPF supports other network types, including Point-to-Multipoint,
Broadcast, and Non-Broadcast. The show ip ospf interface command is
issued to check the network type of an interface that runs OSPF.
Broadcast (DR/BDR Selection)
The role of the Designated Router (DR) and a Backup Designated
Router (BDR) is to act as a central point to exchange the OSPF
information between multiple routers on the same, multi-access
broadcast network segment. Non-DR and Non-BDR routers exchange
routing information only with the DR and BDR instead of exchanging
updates with every other router on the segment. The amount of OSPF
routing update traffic is thereby significantly reduced.
Note
OSPF does not elect DR/BDR roles upon point-to-point links,
i.e., two directly connected routers.
Election
Each router on the segment goes through an election process to
elect a DR and BDR. The winner is determined by two rules:
Priority: Router with the highest priority wins the election. 1 is
the default priority. It is configured on a per-interface level.
Router ID: The highest router ID wins the election if there is a
tie.
2-way
A full adjacency is formed with the Designated and Backup Designated
Routers. With Non-DR and Non-BDR routers only the 2-way neighbor
state is formed: they send and receive each other's Hellos but do
not exchange any routing updates.
Router ID
The OSPF Router-ID is selected in the order given below:
1. A 32-bit Router-ID configured manually
2. If 1 is not configured, the highest IP address of a loopback
interface is selected
3. If neither 1 nor 2 is configured, the highest IP address of any
active interface is selected
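The following is an added Python example (not part of the book) that models the two selections described above: router ID selection in the order just given, and the DR/BDR election by priority and then router ID. The function names and the addresses in it are constructed. It assumes all routers on the segment start at the same time, since a real election is non-preemptive, and it treats priority 0 as ineligible, which the text above does not mention:

```python
import ipaddress


def _ip_value(ip):
    """Numeric value of a dotted-quad, so 'highest IP' is compared numerically."""
    return int(ipaddress.IPv4Address(ip))


def select_router_id(manual_id=None, loopback_ips=(), active_ips=()):
    """Router ID selection in the order given in the text: a manually
    configured ID wins, otherwise the highest loopback address, otherwise
    the highest address on any active interface."""
    if manual_id:
        return manual_id
    for pool in (loopback_ips, active_ips):
        if pool:
            return max(pool, key=_ip_value)
    raise ValueError("no IPv4 address available to derive a router ID")


def elect_dr_bdr(routers):
    """DR/BDR election on a broadcast segment when all routers start together.

    routers: iterable of (router_id, priority). Highest priority wins; on a
    tie the highest router ID wins. Priority 0 makes a router ineligible
    (standard OSPF behaviour, not covered in the text above). The runner-up
    becomes BDR. Returns (dr, bdr), with None where no candidate exists.
    Real OSPF is non-preemptive: a router joining later does not displace
    an existing DR even if it would win this comparison.
    """
    eligible = sorted(((rid, pri) for rid, pri in routers if pri > 0),
                      key=lambda r: (r[1], _ip_value(r[0])), reverse=True)
    dr = eligible[0][0] if eligible else None
    bdr = eligible[1][0] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed addresses; 172.31.1.2 is the loopback from the example above.
    print(select_router_id(None, ["172.31.1.2"], ["192.168.1.1", "10.0.0.1"]))
    print(elect_dr_bdr([("1.1.1.1", 1), ("2.2.2.2", 1),
                        ("3.3.3.3", 200), ("4.4.4.4", 0)]))
```

Comparing addresses as integers matters: a string comparison would rank 192.168.1.1 above 192.168.10.1, which is not what the router does.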
Purpose of First Hop Redundancy Protocol
First Hop Redundancy Protocol (FHRP) is used to allow gateway
redundancy. A class of redundancy protocols known as FHRPs
includes VRRP (Virtual Router Redundancy Protocol), HSRP (Hot
Standby Router Protocol), and GLBP (Gateway Load Balancing
Protocol). These protocols protect against the default gateway being
a single point of failure. They may also provide load balancing if
multiple uplinks are available at the first-hop routers.
Scenario
There are three redundant routers in the figure above. In this
case, no routing protocol runs between the gateway and the end
users. Redundancy is provided between the gateway routers, which
are multilayer switches. By sharing these gateways, a virtual
gateway is created that allows any of the gateways to be used
without dynamic protocols. In this virtual redundancy, the virtual
gateway passes traffic to the physical devices. If any of the
gateways fails, the other redundant router takes charge and starts
sending the packets to the outside world.
Both HSRP and VRRP enable two or more routers on a LAN to work
together in a group. The routers share a single group IP address,
which is configured on each host as the default gateway. One router
is elected to handle all requests sent to the group IP address; it
is called the active router in HSRP and the master router in VRRP.
There must be at least one standby router with HSRP and at least
one backup router with VRRP. Gateway Load Balancing Protocol (GLBP)
goes a step beyond VRRP and HSRP: it provides load balancing in
addition to redundancy.
The first hop for packets from a particular LAN, or more accurately
VLAN, is the default gateway used to reach a remote network. The
router can forward the packets as long as its routing table holds a
route to the intended remote network or a default route. If that
first hop ever goes down, the network becomes incapable of
communicating with the outside world; only local communication
across the switched domain remains possible.
Because First Hop Redundancy Protocols allow default gateway
redundancy, it is suggested to have more than one default gateway
enabled. A backup device then kicks in, almost transparently to
users, in the event of a router failure. Traffic to remote networks
continues to be forwarded, avoiding isolation.
Types of Redundancy Protocols
The first hop redundancy protocols that can be used for this
purpose fall into the following three categories:
HSRP (Hot Standby Router Protocol)
VRRP (Virtual Router Redundancy Protocol)
GLBP (Gateway Load Balancing Protocol)
HSRP:
It is Cisco proprietary and was the first ever first hop
redundancy protocol
HSRP is enabled in a particular interface and this interface is part
of a “standby” group
Besides the physical IP address of the defined interface, there is a
virtual IP address in the same subnet
The idea behind this is to perform a similar configuration in an
interface belonging to another router
The redundancy will be generated in this way
The interfaces on the different devices share the virtual
address
The hosts in a network are assigned a virtual IP address as a
default gateway
There will always be a consistent gateway that you can reach
regardless of which host is active
HSRP has an active/standby relationship, which means that one
device forwards packets while the other device stands by or just
listens.
VRRP:
The IETF (Internet Engineering Task Force) started working on a
standards-based FHRP and the result was VRRP
VRRP is not significantly different from HSRP; it is really just the
“open” version of it
The differences that exist between the two protocols are very
minimal
HSRP versus VRRP Comparison Table
Table 3-05: HSRP versus VRRP Comparison
GLBP
The more advanced of the three possible FHRP protocols is
GLBP. The one main goal of GLBP is to improve the resource
utilization by achieving built-in load balancing between participating
routers.
When using HSRP or VRRP for gateway redundancy, load balancing
between different VLANs can be achieved by configuring different
standby groups with different priorities in each router, giving an
“active-active” type of design that does not waste the capabilities
of a full router while it waits for the others to fail.
Although this is still common practice, it is administratively
burdensome and might not scale as desired. GLBP was created so that
the protocol would natively provide both redundancy and load
balancing.
GLBP is Cisco proprietary and takes HSRP and VRRP to the next
level: a load balancing mechanism is provided for the clients along
with first hop redundancy. Routers that are to participate in GLBP
must be members of the same group, as with HSRP and VRRP. Once all
the routers are in the same group, one router is elected the AVG
(Active Virtual Gateway). The AVG is elected based on the highest
priority, falling back to the highest IP if the priorities match.
Up to four routers in total can be in the same GLBP group: one is
the AVG, and up to three others can be AVFs (Active Virtual
Forwarders). The four-router limit applies to routers that actively
forward traffic. A fifth or later router to join becomes an SVF
(Standby Virtual Forwarder) and takes the place of an AVF in case
of failure. An SVG (Standby Virtual Gateway) also plays a role in
this.
GLBP balances traffic by having the AVG assign each AVF a virtual
MAC address. When an ARP request comes in for the virtual IP, the
AVG replies with one of the AVFs' virtual MACs.
Note
Some documentation uses the term SVF to describe a router beyond
the four-router AVF limit. Other documentation uses SVF to describe
an active AVF that is ready to take over another AVF's role in case
of failure. Router 1 is an SVF for routers 2, 3, 4 and 5.
Figure 3-04: GLBP Routers
There are five GLBP routers in this example. The bare minimum
GLBP configuration is applied to each router, and the configuration
is then used to examine what has occurred.
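An added Python example (not code from the book or from Cisco) that models the GLBP behaviour described above: AVG election by priority and then IP, virtual MAC assignment to up to four AVFs with the remainder as SVFs, and round-robin ARP replies from the AVG. The function names, the five constructed router addresses and the 0007.b400.xxyy virtual MAC layout are assumptions for illustration, and which routers become AVFs is simplified to the four highest-ranked ones:

```python
import ipaddress
from itertools import cycle

MAX_AVFS = 4   # the four-router active-forwarding limit described above


def _rank(router):
    """Sort key: higher priority first, then higher IP address."""
    ip, priority = router
    return (priority, int(ipaddress.IPv4Address(ip)))


def elect_avg(routers):
    """routers: list of (ip, priority). Highest priority wins; ties go to the highest IP."""
    return max(routers, key=_rank)[0]


def glbp_vmac(group, forwarder):
    """Virtual MAC in the 0007.b400.xxyy form (xxxx = group, yy = forwarder
    number). Assumed layout for illustration; check the platform documentation."""
    raw = f"0007b4{group:04x}{forwarder:02x}"
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


def assign_forwarders(routers, group):
    """Split the group into AVFs (each with its own virtual MAC) and SVFs.

    Simplification: the four highest-ranked routers become AVFs; real GLBP
    assigns forwarder numbers as routers join. Returns ({avf_ip: vmac}, [svf_ips]).
    """
    ranked = sorted(routers, key=_rank, reverse=True)
    avfs = {ip: glbp_vmac(group, n)
            for n, (ip, _) in enumerate(ranked[:MAX_AVFS], start=1)}
    svfs = [ip for ip, _ in ranked[MAX_AVFS:]]
    return avfs, svfs


def make_arp_responder(avfs):
    """The AVG answers every ARP request for the virtual IP with the next
    AVF's virtual MAC, cycling through them (GLBP's default round-robin method).
    The client MAC is accepted but not used by the round-robin method."""
    ring = cycle(list(avfs.values()))

    def answer(client_mac):
        return next(ring)

    return answer


if __name__ == "__main__":
    # Five routers as in the example; addresses and priorities are constructed.
    routers = [("10.1.1.1", 100), ("10.1.1.2", 100), ("10.1.1.3", 100),
               ("10.1.1.4", 100), ("10.1.1.5", 100)]
    print("AVG:", elect_avg(routers))
    avfs, svfs = assign_forwarders(routers, group=1)
    print("AVFs:", avfs)
    print("SVFs:", svfs)
    answer = make_arp_responder(avfs)
    for i in range(5):
        print(f"host {i} gets gateway MAC {answer(f'0200.0000.000{i}')}")
```

The fifth host in the run receives the same virtual MAC as the first, which is the round-robin spreading of hosts across the four forwarders; on a failure the AVG would reassign the failed AVF's virtual MAC to another forwarder so those hosts keep working without re-ARPing.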
Case Study
An organization needs to extend its business and spread its
branches across multiple countries. To fulfil this need, it opens a
new branch in a city. The organization needs to configure a network
for that branch and connect that internal network with the backbone
network of the company. The network admin of the organization
decided to implement the OSPF routing protocol to fulfil the
network requirements. Below is the network topology diagram
suggested by the network admin.
Topology Diagram
Figure 3-05: OSPF Routing
Figure 3-21: Verification Outputs
Mind Map
Figure 3-06: Mind Map of IP Connectivity
Summary
Components of the Routing Table
In this section, we learned that the networks are either directly
connected, statically configured or dynamically learned. The “show
ip route” command is used to view a routing table
The routing protocol code identifies which route was learned by
which routing protocol
The network address is simply termed a prefix, and the shorthand
way to express a subnet mask using CIDR notation is a prefix-length,
e.g., for the subnet mask 255.255.255.0 the prefix-length is /24
The prefix-length is simply a shorthand way to express a network
mask using CIDR notation. A network mask is also called a
subnet mask or net mask for short
The next hop IP address follows the “via” word for a child prefix
entry. The next hop refers to the IP address of the next router in
the path to the destination network
Administrative distance is used to select the best path when a
router has two different paths
The best path to a destination network within a routing protocol
is determined by the metric value
Packets that are addressed to networks not explicitly listed in the
routing table are directed using default routes
A Router Makes Forwarding Decision by Default
The longest prefix match is an algorithm used in Internet
Protocol (IP) networking for selecting an entry from a forwarding
table. Each entry in a forwarding table specifies a sub-network
Administrative distance decides which routing protocol is preferred
when two protocols both offer a route to the same destination
network
The metric determines the best path to a destination network. The
preferred or shortest path to a particular destination is determined
by the dynamic routing protocol
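An added Python example (not from the book) that ties the three points above together: a small routing-table emulation that keeps, per prefix, only the protocol with the lowest administrative distance and then its lowest-metric route(s), and a longest-prefix-match lookup over what was installed. The Route class, the candidate routes and their next hops are constructed for this example:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # network address with prefix-length, e.g. "10.1.0.0/16"
    next_hop: str    # the "via" address
    protocol: str    # routing protocol code as in show ip route (C, S, O, D, ...)
    ad: int          # administrative distance of the source protocol
    metric: int      # metric within that protocol


# Constructed candidate routes offered by several sources (not from the book).
CANDIDATES = [
    Route("0.0.0.0/0",   "203.0.113.1", "S*", 1,   0),      # static default route
    Route("10.1.0.0/16", "192.168.1.2", "O",  110, 20),     # learned by OSPF
    Route("10.1.0.0/16", "192.168.1.3", "D",  90,  30720),  # same prefix from EIGRP
    Route("10.1.5.0/24", "192.168.1.4", "O",  110, 30),     # two equal-cost OSPF paths
    Route("10.1.5.0/24", "192.168.1.5", "O",  110, 30),
]


def install_routes(candidates):
    """Per prefix, keep only the source with the lowest administrative
    distance, then only its lowest-metric route(s); equal-cost routes from
    the same protocol are all installed."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = []
    for routes in by_prefix.values():
        best_ad = min(r.ad for r in routes)
        same_source = [r for r in routes if r.ad == best_ad]
        best_metric = min(r.metric for r in same_source)
        table.extend(r for r in same_source if r.metric == best_metric)
    return table


def lookup(table, destination):
    """Longest-prefix match: return the installed route(s) under the most
    specific prefix containing the destination, or [] when nothing matches.
    A default route has prefix-length 0 and therefore matches everything."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is None:
        return []
    return [r for r in table if ipaddress.ip_network(r.prefix) == best]


if __name__ == "__main__":
    table = install_routes(CANDIDATES)
    for r in table:
        print(f"{r.protocol:<3}{r.prefix:<16}[{r.ad}/{r.metric}] via {r.next_hop}")
    for dst in ("10.1.5.7", "10.1.9.9", "8.8.8.8"):
        print(dst, "->", [r.next_hop for r in lookup(table, dst)])
```

Note the order of the decisions: the AD comparison happens when routes are installed (the EIGRP /16 displaces the OSPF /16), while the longest-prefix match happens per packet, so a destination inside 10.1.5.0/24 is forwarded over the more specific OSPF route even though EIGRP won the /16.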
Configure and Verify IPv4 and IPv6 Static Routing
Static routes are manually configured, in both IPv4 and IPv6.
A default route is used by IP to forward any packet whose
destination is not found in the routing table.
When a route is created to a network, it is called a network route.
A route leading to a single host can also be created.
A floating static route is simply one that has been created as a
backup to a route learned through a routing protocol.
Configure and Verify Single Area OSPFv2
An OSPFv2 interface and the remote interface it connects to must
have compatible configuration before the two routers can be
considered neighbors.
OSPF supports several network types, including Point-to-Multipoint,
Broadcast, and Non-Broadcast.
The Designated Router (DR) and the Backup Designated Router (BDR)
act as a central point for exchanging OSPF information between
multiple routers on the same multi-access broadcast network
segment.
Purpose of First Hop Redundancy Protocol
A First Hop Redundancy Protocol (FHRP) provides default-gateway
redundancy.
FHRPs are a class of redundancy protocols that includes VRRP
(Virtual Router Redundancy Protocol), HSRP (Hot Standby Router
Protocol), and GLBP (Gateway Load Balancing Protocol).
Practice Question
Chapter 04: IP Services
Technology Brief
IP Services is a professional combination of all management,
operation, and maintenance services, facilities, and territories.
Long-term contract service for corporate customers is considered
the main task. A reliable partnership and comfortable conditions
are guaranteed for effective business.
Features that can be deployed individually or in combination with
each other across a wide range of Cisco hardware include Network
Address Translation (NAT), Dynamic Host Configuration Protocol
(DHCP), and Hot Standby Router Protocol (HSRP).
Cisco's IP Services comprise many basic and advanced building
blocks. They allow customers to deploy an IP network with basic
end-to-end IP connectivity, manage their IP addressing requirements
from a central location, control the IP addressing scheme used
throughout their network, provide redundancy at major network
connection points, and much more.
Configure and Verify Inside Source NAT using Static and Pools
In Network Address Translation (NAT), a network device, typically a
firewall, allocates a public address to a computer or group of
computers inside a private network. NAT limits the number of public
IP addresses an organization or company needs to use, which
matters for both economic and security reasons. The most common
form of network translation involves a large private network that
uses addresses in a private range (10.0.0.0 to 10.255.255.255,
172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255).
Computers that only need to access resources inside the network,
such as workstations that need access to file servers and
printers, use the private addressing scheme. Routers inside the
private network can route traffic between private addresses without
any trouble. To access resources outside the network, however,
these computers need a public address so that replies to their
requests can return to them. The translation is a very quick
process rather than a complex one, and the end user rarely knows it
has occurred. A workstation inside the network makes a request to
a computer on the internet. The router within the network
recognizes that the request is not for an inside resource and
sends it to the firewall. The firewall sees the request coming
from the computer's internal IP address, makes the same request to
the internet using its own public address, and returns the
response from the internet resource to the computer inside the
private network. From the perspective of the resource on the
internet, information is sent to the address of the firewall; from
the workstation's perspective, the communication appears to happen
directly with the site on the internet. All users inside the
private network have the same public IP address while using the
internet. Hence, only one public address is needed for hundreds or
even thousands of users.
Most modern firewalls are stateful: they set up the connection
between the internal workstation and the internet resource and keep
track of the details of that connection, such as ports, packet
order, and the IP addresses involved. This is called “keeping track
of the state of the connection”. In this way the firewall tracks
the whole session, consisting of the communication between the
workstation and the firewall and between the firewall and the
internet. When the session ends, the firewall discards all of the
information about the connection.
Moreover, in large networks some servers may act as web servers
that must be reachable from the Internet. Public IP addresses are
assigned to these servers on the firewall, and the public can reach
the servers only through those IP addresses. The firewall sits
between the outside world and the protected internal network and
acts as an additional layer of security. Additional rules can be
added that specify which ports can be accessed at that IP address.
Using NAT, internal network traffic is routed more efficiently, and
more ports can be allowed for internal access while access at the
firewall is restricted. NAT also allows detailed logging of
communications between the network and the outside world. It can
also be used to allow selective access out of the network:
workstations or other computers that require special access
outside the network are assigned specific external IPs using NAT.
This allows those workstations or computers to communicate with
computers and applications that require a unique public IP
address. As an intermediary, the firewall is able to control the
session in both directions and restrict the ports and protocols
allowed.
Figure 4-01: Network Address
NAT is a very important aspect of firewall security. It conserves
the number of public addresses used inside an organization, and it
allows stricter control of access to resources on both sides of the
firewall.
Network Address Translation (NAT) inside source maps the private IP
addresses on a LAN to public IP address(es); the mapping is carried
out on the outside (external) interface of the router.
The router's interface connecting to the LAN is the inside.
The router's interface connecting to the WAN is the outside.
Depending on the preferred outcome, different methods of NAT are
used: Static, Pool, and PAT.
NAT Inside and Outside Addresses
Inside refers to the addresses that must be translated. Outside
refers to the addresses that are not under the organization's
control. NAT translates between these two sets of addresses.
Inside Local Address
The IP address assigned to a host on the inside network is called
the inside local address. This address is usually not assigned by
the service provider, i.e., it is a private IP address.
Inside Global Address
The IP address that represents one or more inside local IP
addresses to the outside world is termed the inside global
address. It is the inside host as seen from the outside network.
Outside Local Address
The IP address of the outside destination host as it appears on
the local (inside) network, i.e., after translation.
Outside Global Address
The outside host as seen from the outside network is termed the
outside global address. It is the IP address of the outside
destination host before translation.
Types of Network Address Translation (NAT)
There are three ways to configure NAT. These are:
Static NAT
Dynamic NAT
Port Address Translation (PAT)
Static NAT
A single unregistered (private) IP address is mapped to a legally
registered (public) IP address, i.e., a one-to-one mapping between
local and global addresses. Static NAT is generally used for web
hosting. Organizations with many devices that need internet access
do not use static NAT, because every device would need its own
public IP address: an organization with 3000 devices would need to
buy 3000 public addresses in order to access the internet, which
would be very costly.
Dynamic NAT
An unregistered (private) IP address is translated to a registered
(public) IP address taken from a pool of public IP addresses. Only
a fixed number of private IP addresses can be translated to public
addresses at once; if no IP address in the pool is free, the packet
is dropped.
A pool of 2 public IP addresses can translate only 2 private IP
addresses at a time. When a 3rd private IP address wants to access
the internet, its packets are dropped. In this way, many private IP
addresses are mapped to a pool of public IP addresses. Networks
with a fixed number of users usually use dynamic NAT. An
organization needs to buy many global IP addresses to build the
pool, which makes it costly.
Port Address Translation
PAT allows many local (private) IP addresses to be translated to a
single registered IP address. It is also known as NAT overload.
Port numbers are used to distinguish which traffic belongs to
which private IP address. Thousands of users can be connected to
the internet using only one real global (public) IP address. It is
cost-effective and hence the most frequently used form of NAT.
Advantages of NAT
NAT conserves legally registered IP addresses.
It offers privacy, as the IP address of the device sending and
receiving the traffic is hidden.
When a network evolves, address renumbering is eliminated.
Disadvantages of NAT
The translation introduces switching path delay.
With NAT enabled, certain applications will not function.
Tunneling protocols such as IPsec are complicated by NAT.
Further, a router, being a network layer device, should not tamper
with port numbers; because of NAT, it does.
Example:
Port Address Translation (PAT), or NAT (Network Address
Translation) overloading, is a modified form of dynamic NAT. In PAT
or NAT overloading, the number of inside local addresses is greater
than the number of inside global addresses. Often, a single inside
global IP address provides internet access to all inside hosts. NAT
overloading is actually the only flavor of NAT that conserves IP
addresses, and it is also the most popular form of NAT.
Figure 4-02: Port Address Translation (PAT)
Table 4-01: Protocol with Inside Local and Global IP
PAT allows overloading, i.e., the mapping of more than one inside
local address to the same inside global address. Packets returning
from the internet would therefore all arrive at the NAT router with
the same destination address.
How does the router know which inside local address each return
packet belongs to?
The answer is that the NAT entries in the translation table are
extended entries: besides the relevant IP addresses, the entries
also track the protocol type and the port numbers. By interpreting
both the IP address and the port number of a packet, up to 65535
inside local addresses could theoretically be mapped to one inside
global address, since the port number is a 16-bit field.
A single NAT entry uses approximately 160 bytes of router memory,
so 65535 entries would take more than 10 MB of memory and a large
amount of CPU power. This is a theoretical limit; in practice, PAT
configurations come nowhere near this number of addresses.
Static:
Allows one-to-one mapping
A specific inside IP address is translated to a specific outside IP
address
Translations are statically configured and placed in the
translation table whether there is traffic or not
Mostly used for hosts providing application services like mail,
web, FTP, etc.
Pool:
A form of dynamic NAT with many-to-many mappings
Multiple inside IP addresses are translated to multiple outside IP
addresses
A pool is most useful when there are fewer available public
addresses than actual hosts to be translated
Entries are created in the translation table as connections are
initiated. Each entry is a one-to-one mapping, but the scheme is
said to be many-to-many because the mappings can vary: at the time
of the request, they depend on the IPs available in the pool
After a specified and configurable amount of time, NAT entries are
removed from the translation table and the IP address is returned
to the NAT pool
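To make the static, pool and PAT behaviour above concrete, here is an added Python simulation of a NAT translation table. It is illustrative code written for this edition, not Cisco IOS and not the workbook's own material. It assumes a simplified router model: a static map whose entries exist before any traffic, a pool that drops the packet when no address is free and returns the address when the entry ages out, and PAT, which gives every flow its own port on one public address so that a return packet can be matched to the inside host. All IP addresses, ports and host names are constructed.

```python
"""Simulated NAT translation table: static, dynamic pool and PAT (overload) modes.

Added example, not Cisco IOS code: the router model, addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, transport port)


@dataclass
class NatRouter:
    mode: str                                   # "static", "pool" or "pat"
    static_map: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    pool: List[str] = field(default_factory=list)             # free inside global addresses
    overload_ip: str = ""                                     # the single public IP for PAT
    next_port: int = 1024                                     # next port PAT hands out
    # extended entries: inside (ip, port) -> inside global (ip, port), one per flow
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # reverse index so a return packet can be matched to its inside host
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def _install(self, inside: Endpoint, outside: Endpoint) -> Endpoint:
        self.table[inside] = outside
        self.reverse[outside] = inside
        return outside

    def translate_outbound(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Return the (inside global ip, port) used for this flow, or None if it is dropped."""
        inside = (src_ip, src_port)
        if inside in self.table:
            return self.table[inside]
        if self.mode == "static":
            pub = self.static_map.get(src_ip)
            return self._install(inside, (pub, src_port)) if pub else None
        if self.mode == "pool":
            for (ip, _), (pub, _) in self.table.items():
                if ip == src_ip:                   # host already holds a pool address
                    return self._install(inside, (pub, src_port))
            if not self.pool:
                return None                         # pool exhausted: packet is dropped
            return self._install(inside, (self.pool.pop(0), src_port))
        if self.mode == "pat":
            port, self.next_port = self.next_port, self.next_port + 1
            return self._install(inside, (self.overload_ip, port))
        raise ValueError(f"unknown NAT mode {self.mode}")

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Map a packet arriving on the outside interface back to the inside host."""
        hit = self.reverse.get((dst_ip, dst_port))
        if hit is None and self.mode == "static":
            # static entries exist whether or not there has been any traffic yet
            for local, pub in self.static_map.items():
                if pub == dst_ip:
                    return (local, dst_port)
        return hit                                  # None: no entry, packet is dropped

    def release_host(self, src_ip: str) -> None:
        """Age out every entry of a host; in pool mode its public IP returns to the pool."""
        for inside in [k for k in self.table if k[0] == src_ip]:
            outside = self.table.pop(inside)
            self.reverse.pop(outside, None)
            if self.mode == "pool" and outside[0] not in self.pool:
                self.pool.append(outside[0])


def demo_static():
    r = NatRouter(mode="static", static_map={"10.1.1.80": "203.0.113.80"})
    inbound = r.translate_inbound("203.0.113.80", 443)   # works before any outbound traffic
    outbound = r.translate_outbound("10.1.1.80", 443)
    unmapped = r.translate_outbound("10.1.1.99", 443)    # no static entry: dropped
    return inbound, outbound, unmapped


def demo_pool_exhaustion():
    r = NatRouter(mode="pool", pool=["203.0.113.10", "203.0.113.11"])
    a = r.translate_outbound("10.1.1.1", 40000)
    b = r.translate_outbound("10.1.1.2", 40000)
    c = r.translate_outbound("10.1.1.3", 40000)          # third host: pool is empty
    r.release_host("10.1.1.1")                           # entry times out
    d = r.translate_outbound("10.1.1.3", 40001)          # now gets the freed address
    return a, b, c, d


def demo_pat():
    r = NatRouter(mode="pat", overload_ip="203.0.113.5")
    x = r.translate_outbound("10.1.1.1", 50000)
    y = r.translate_outbound("10.1.1.2", 50000)          # same inside port, different host
    back_x = r.translate_inbound("203.0.113.5", x[1])    # return packets are told apart by port
    back_y = r.translate_inbound("203.0.113.5", y[1])
    unsolicited = r.translate_inbound("203.0.113.5", 9)  # no entry: dropped
    return x, y, back_x, back_y, unsolicited
```

The three demo functions correspond to the three flavours in the text: the static entry is reachable from outside before any inside traffic, the two-address pool drops the third host until an entry ages out, and PAT keys the reverse lookup on the port it assigned, which is also why an unsolicited inbound packet finds no entry and is dropped.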
Exam Tip
You must have a clear understanding of what NAT is and how
it is configured both statically and dynamically. The labs included
must be practiced to be able to have a hands-on experience.
NTP Operating in a Client and Server Mode
Network Time Protocol (NTP) provides time to all of our network
devices. In simple words, NTP synchronizes the clocks of computer
systems over packet-switched, variable-latency data networks.
Typically, there is an NTP server that connects through the
internet to an atomic clock. That time can then be distributed
through the network so that all routers, switches, servers, etc.
receive the same time information.
Precise network time within the network is important because:
Tracking of events in the network is possible only with correct time
Clock synchronization is critical for the right interpretation of
events within the syslog data
Clock synchronization is critical for digital certificates
Switches and routers issue log messages when different events take
place, for example, when an interface goes down and then comes back
up. As you already know, all messages produced by the IOS go only
to the console port by default. However, those console messages
can also be directed to a syslog server.
A syslog server saves copies of console messages and can
time-stamp them so that you can view them at a later time.
Securing a network involves many things, including security logs
with an accurate date and timestamp. When an attack is encountered
on a network, it is important to identify when the attack occurred
and the order in which its steps took place. Log messages can be
accurately time-stamped by synchronizing the clocks on hosts and
network devices, either manually or by using the Network Time
Protocol.
Typically, the date and time settings on the router can be set
using one of two methods:
Manually set the date and time
Configure the Network Time Protocol (NTP)
The figure below shows an example of manually updating the clock.
As a network grows, it becomes difficult to ensure and verify that
all infrastructure devices within the network are running with
synchronized time. Even in a small network environment, the manual
method is not ideal. For example, if a router reboots, how will it
get an accurate date and timestamp?
A better solution that avoids manual configuration of the time and
date is to configure the Network Time Protocol (NTP) on the
network. This protocol allows networking devices on the network to
synchronize their time and date with an NTP server. This is better
because a group of NTP clients obtaining time and date information
from a single source has more consistent time settings. When NTP is
configured in the network, devices can synchronize to a publicly
available NTP server or to a private master clock.
NTP uses UDP port 123 and is documented in RFC 1305. Here is an
example of manually setting the time and date on a device:
R1#clock set 04:00:00 12 nov 2019
// Sets the time to 04:00:00 and the date to 12 Nov 2019
R1#show clock
// Shows the time and date currently running on the device
NTP Authentication
NTP version 3 and later versions support a cryptographic
authentication technique between NTP peers. This authentication
can be used to mitigate attacks such as a fake NTP server taking
over from the legitimate one.
Three commands are used on the NTP master and the NTP client:
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number
Without NTP authentication configured, network time information
can still be exchanged between the server and clients, but the
difference is that the NTP clients do not authenticate the NTP
server as a trusted source. Consider what happens if the legitimate
NTP server goes down and a fake NTP server takes over the role of
the real one.
Use the show ntp associations detail command to confirm that the
server is an authenticated source.
Use the show ntp status command to confirm that the server and
client are synchronized.
Figure 4-04: Output of NTP Associations
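The following added Python example shows what the three NTP authentication commands above buy you on the wire. It is illustrative code written for this edition, not Cisco IOS and not the workbook's own material. It assumes the 48-byte NTP header layout of RFC 1305 and the classic NTPv3 symmetric-key authenticator (a 4-byte key id followed by MD5 over the key concatenated with the header), which is the scheme behind "ntp authentication-key <n> md5 <key>" and "ntp trusted-key <n>". The key, the timestamps and the packets are constructed; a client that verifies the authenticator accepts the genuine reply and rejects an unsigned reply, a reply signed with the wrong key, and a reply altered in transit.

```python
"""NTP (RFC 1305) client/server exchange with the NTPv3 symmetric-key authenticator.

Added example, not Cisco IOS code. Assumptions: the 48-byte header layout of RFC 1305,
and the classic authenticator = 4-byte key id + MD5(key || header), as used by
"ntp authentication-key <n> md5 <key>". Key and timestamps are constructed.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER = "!BBBb11I"                # LI/VN/mode, stratum, poll, precision, then 11 x 32-bit words


def to_ntp_time(unix_seconds: float):
    """Split a Unix time into the NTP 32-bit seconds / 32-bit fraction fields."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * 2**32) & 0xFFFFFFFF
    return secs, frac


def from_ntp_time(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def build_packet(mode: int, version: int = 3, stratum: int = 0, transmit: float = 0.0) -> bytes:
    """Mode 3 = client request, mode 4 = server reply; only the transmit timestamp is filled."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    tx_s, tx_f = to_ntp_time(transmit)
    # root delay, root dispersion, reference id, reference/originate/receive timestamps = 0
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, tx_s, tx_f)


def parse_packet(pkt: bytes) -> dict:
    f = struct.unpack(HEADER, pkt[:48])
    return {"version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
            "stratum": f[1], "transmit": from_ntp_time(f[13], f[14])}


def authenticate(pkt: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator a server configured with 'ntp authenticate' would add."""
    digest = hashlib.md5(key + pkt[:48]).digest()
    return pkt[:48] + struct.pack("!I", key_id) + digest


def verify(pkt: bytes, trusted_keys: dict) -> bool:
    """Client-side check: the key id must be trusted and the digest must match the header."""
    if len(pkt) != 48 + 4 + 16:
        return False                                  # no authenticator: not a trusted source
    key_id = struct.unpack("!I", pkt[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                  # key id not in the 'ntp trusted-key' list
    expected = hashlib.md5(key + pkt[:48]).digest()
    return hmac.compare_digest(expected, pkt[52:68])


TRUSTED_KEYS = {1: b"S3cretNtpKey"}                   # constructed; mirrors 'ntp trusted-key 1'


def demo_exchange() -> dict:
    """A client request, the genuine reply, and three replies the client must reject."""
    t_client = 1573531200.0                           # constructed: 12 Nov 2019 04:00:00 UTC
    request = build_packet(mode=3, transmit=t_client)
    genuine = authenticate(build_packet(mode=4, stratum=2, transmit=t_client + 0.5),
                           1, TRUSTED_KEYS[1])
    # a server that does not hold the shared key can only omit the MAC or sign with a wrong key
    unsigned = build_packet(mode=4, stratum=1, transmit=t_client + 3600)
    wrong_key = authenticate(build_packet(mode=4, stratum=1, transmit=t_client + 3600),
                             1, b"guess")
    tampered = bytearray(genuine)
    tampered[1] ^= 0xFF                               # header altered in transit: stratum changed
    return {
        "request_mode": parse_packet(request)["mode"],
        "genuine_ok": verify(genuine, TRUSTED_KEYS),
        "genuine_time": parse_packet(genuine)["transmit"],
        "unsigned_ok": verify(unsigned, TRUSTED_KEYS),
        "wrong_key_ok": verify(wrong_key, TRUSTED_KEYS),
        "tampered_ok": verify(bytes(tampered), TRUSTED_KEYS),
    }
```

Without "ntp authenticate" on the client, verify() is never called and the unsigned reply with its wrong time would be accepted, which is exactly the situation the paragraph above describes.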
Tip
To clear this exam, you must know how an NTP client is
synchronized with the server. Their use in a network should be
clear, along with the NTP master and NTP client concepts.
Role of DHCP and DNS within the Network
DHCP (Dynamic Host Configuration Protocol) provides quick,
automatic, and central management for the distribution of IP
addresses within a network. It is also used to configure the
default gateway, subnet mask, and DNS server information on the
device.
A DHCP server defines a scope, or range, of IP addresses. These
dynamic addresses are used to serve devices with an address: a
device obtains a valid network connection from this pool of
addresses. Many devices can connect to the network over a period
of time without the pool needing an address for every one of them.
Example:
If the DHCP server defines 20 addresses, 30, 50, 200, or more
devices can connect to the network over time, but no more than 20
of them can hold one of the available IP addresses simultaneously.
DHCP assigns IP addresses for a specific period of time (called
the lease period), so commands like ipconfig may show a different
IP address for a computer over time. Dynamic IP addresses are
delivered to clients using DHCP. Devices with dynamic addresses and
devices with manually assigned IP addresses can both exist on the
same network. ISPs usually assign IP addresses using DHCP.
Configuring DHCP
The following information is required to configure a DHCP server
for hosts:
Network and mask for every network ID, also termed a “scope”. All
addresses in the subnet can be hosts by default.
Reserved/excluded addresses for servers, printers, routers, etc.
These addresses will not be handed out to hosts.
Default router: the address of the router on each LAN.
DNS: a list of DNS server addresses provided to hosts so they can
resolve names.
DNS: The Domain Name System (DNS) is used to translate domain
names to IP addresses. For each domain name, a list of mail servers
that accept email for it can be provided. A domain name in DNS
nominates a set of name servers to be authoritative for its DNS
records, and all other name servers are pointed to those when
looking for information about the domain name. A name server
implements a name-service protocol and stores the zone file and
DNS records. A zone is a small set of instructions that point
domain names to IP addresses.
Configuration Steps:
Exclude the addresses you want to reserve. You do this step first
because as soon as you set a network ID, the DHCP service will
start responding to client requests
Create a pool for every LAN, using a distinctive name
Select the network ID and subnet mask for the DHCP pool that the
server will use to provide addresses to hosts
Add the address used for the default gateway of the subnet
Provide the DNS server address(es)
If you do not want to use the default lease time of 24 hours, set
the lease time in days, hours, and minutes
TFTP, DNS, and Gateway Options
A few optional but recommended commands, including the TFTP, DNS,
and default gateway IP addresses, are used to configure the Cisco
IOS DHCP feature:
TFTP option 150 identifies an external server that will be used to
store the DHCP bindings database
The DNS setting identifies the IP address of the DNS server on the
network
The gateway option defines a default gateway for the clients
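The configuration steps and options above, carried through as an added Python simulation of a DHCP pool. This is illustrative code written for this edition, not Cisco IOS and not the workbook's own material; the pool name, subnet, MAC addresses and times are constructed. It follows the order the text prescribes (exclusions first, then network, default router, DNS, option 150 and lease) and shows what a client receives, what happens when the scope is exhausted, how a renewing client keeps its address, and how an expired lease returns to the pool.

```python
"""Simulated IOS-style DHCP pool: excluded addresses, network/mask, default router,
DNS servers, option 150 (TFTP) and lease expiry.

Added example, not Cisco IOS code; the pool name, subnet, MACs and times are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DhcpPool:
    name: str                                  # ip dhcp pool <name>
    network: str                               # network <id> <mask>, e.g. "192.168.10.0/24"
    default_router: str                        # default-router
    dns_servers: List[str]                     # dns-server
    tftp_server: Optional[str] = None          # option 150 ip
    lease_seconds: int = 86400                 # lease: 24 hours by default
    excluded: Set[str] = field(default_factory=set)              # ip dhcp excluded-address
    bindings: Dict[str, dict] = field(default_factory=dict)      # ip -> {"mac", "expires"}

    def exclude(self, first: str, last: Optional[str] = None) -> None:
        """Reserve a single address or an inclusive range so it is never handed out."""
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last or first))
        for n in range(lo, hi + 1):
            self.excluded.add(str(ipaddress.IPv4Address(n)))

    def _free_addresses(self):
        net = ipaddress.IPv4Network(self.network)
        for host in net.hosts():               # network and broadcast addresses are skipped
            ip = str(host)
            if ip not in self.excluded and ip not in self.bindings:
                yield ip

    def expire(self, now: float) -> None:
        """Return addresses whose lease period has elapsed to the pool."""
        for ip in [ip for ip, b in self.bindings.items() if b["expires"] <= now]:
            del self.bindings[ip]

    def offer(self, mac: str, now: float) -> Optional[dict]:
        """Answer a DISCOVER: renew the client's existing lease or allocate the next free address."""
        self.expire(now)
        for ip, b in self.bindings.items():
            if b["mac"] == mac:
                b["expires"] = now + self.lease_seconds
                return self._options(ip)
        for ip in self._free_addresses():
            self.bindings[ip] = {"mac": mac, "expires": now + self.lease_seconds}
            return self._options(ip)
        return None                            # scope exhausted: no OFFER is sent

    def _options(self, ip: str) -> dict:
        net = ipaddress.IPv4Network(self.network)
        opts = {"yiaddr": ip, "subnet_mask": str(net.netmask), "router": self.default_router,
                "dns": list(self.dns_servers), "lease": self.lease_seconds}
        if self.tftp_server:
            opts["option150_tftp"] = self.tftp_server
        return opts


def demo():
    """Follow the configuration steps in order: exclusions first, then the pool settings."""
    pool = DhcpPool(name="LAN10", network="192.168.10.0/30", default_router="192.168.10.1",
                    dns_servers=["192.168.10.1"], tftp_server="192.168.10.1", lease_seconds=3600)
    pool.exclude("192.168.10.1")                                # the router's own address
    first = pool.offer("aa:bb:cc:00:00:01", now=0)             # only .2 is left in a /30
    second = pool.offer("aa:bb:cc:00:00:02", now=0)            # nothing free: None
    renewed = pool.offer("aa:bb:cc:00:00:01", now=100)         # same MAC keeps .2
    third = pool.offer("aa:bb:cc:00:00:03", now=4000)          # first lease has expired
    return first, second, renewed, third
```

A /30 is used deliberately so that the scope is exhausted by the second client; a real LAN pool would be a /24 or larger, but the allocation, renewal and expiry logic is the same.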
Tip
Make sure you can quickly tell the difference observed in a
network after configuring DHCP.
The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) is an Application layer
protocol. It provides a message format for agents on a variety of
devices to communicate with Network Management Stations (NMSs).
The NMS receives messages from these agents and then reads or
writes the information in the agents' database. This database is
called a Management Information Base (MIB).
The NMS periodically queries, or polls, the SNMP agent on a device
with GET messages to gather and analyze statistics. If a problem
occurs, an end device running an SNMP agent can send an SNMP trap
to the NMS.
The basic operation of the SNMP protocol is depicted in the
following figure:
Figure 4-03: Working of SNMP
Admins also use SNMP to push some configuration to agents, using
SET messages. SNMP is also used for analyzing information and
compiling the outcomes in a report or even a graph. Thresholds can
be set so that a notification process is triggered when a
threshold is exceeded. For example, the CPU utilization of Cisco
devices such as a core router is monitored using graphing tools:
the NMS watches the CPU continuously and graphs the statistics, and
notifications are sent when the threshold is exceeded. SNMP has
three versions (v1, v2, and v3), which are described below:
SNMPv2:
SNMPv2 is similar to SNMPv1 with slight modifications; SNMPv1 is
no longer in use. SNMPv2 supports plain-text authentication with
community strings and no encryption, but it offers GET BULK, which
is a way to collect many kinds of information at once and reduce
the number of GET requests. It also offers a more comprehensive
error message reporting method called INFORM, but it is not more
secure than v1. It uses UDP, although it can be configured to use
TCP.
SNMPv3:
SNMPv3 supports strong authentication with SHA or MD5, providing
confidentiality (encryption) and data integrity of messages between
agents and managers via Data Encryption Standard (DES) or DES-256
encryption. GET BULK is a retained feature of SNMPv3, and this
version also uses TCP.
Management Information Base (MIB):
When you want to access data from so many kinds of devices, a
standard way to organize this plethora of data is required. In the
SNMP protocol this is implemented with the MIB.
A Management Information Base (MIB) is a collection of information
that is organized hierarchically and can be accessed by protocols
such as SNMP. RFCs describe some common public variables, but most
organizations define their own private branches beside the basic
SNMP standards. Organizational IDs (OIDs) are laid out as a tree,
with different levels assigned by different organizations; the
top-level MIB OIDs belong to various standards organizations.
To obtain information from the MIB on an SNMP agent, you can use
several different operations:
The GET operation is used by the SNMP manager to read information
from the MIB on an SNMP agent.
The SET operation is used by the SNMP manager to write information
to the MIB on an SNMP agent.
The GETNEXT (walk) operation is used to list information from
successive MIB objects within a specified MIB.
The TRAP operation is used by the SNMP agent to send a triggered
piece of information to the SNMP manager.
The INFORM operation is the same as a trap, but it adds an
acknowledgment that a trap does not provide.
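The MIB tree and the manager-side operations above, shown as an added Python toy agent. This is illustrative code written for this edition, not a real SNMP stack and not the workbook's own material; it holds a few standard MIB-2 objects (sysDescr, sysUpTime, sysName, ifDescr) with constructed values and implements GET, GETNEXT, a walk built from repeated GETNEXTs, and SET guarded by v2c-style read-only and read-write community strings. The community strings are constructed; the point of the authorisation check is to show what "plain-text authentication with community strings" amounts to.

```python
"""Toy SNMP agent over an in-memory MIB: GET, GETNEXT (walk), SET and community strings.

Added example, not a real SNMP implementation. The OIDs are standard MIB-2 objects; the
values and the community strings are constructed.
"""
from typing import Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


def oid_str(oid: OID) -> str:
    return ".".join(map(str, oid))


class Agent:
    def __init__(self, ro_community: str, rw_community: str):
        self.ro, self.rw = ro_community, rw_community
        # MIB-2 system and interfaces groups; the values are constructed
        self.mib = {
            parse_oid("1.3.6.1.2.1.1.1.0"): "Cisco IOS Software (constructed sysDescr)",
            parse_oid("1.3.6.1.2.1.1.3.0"): 123456,                     # sysUpTime
            parse_oid("1.3.6.1.2.1.1.5.0"): "R1",                       # sysName
            parse_oid("1.3.6.1.2.1.2.2.1.2.1"): "GigabitEthernet0/0",   # ifDescr.1
            parse_oid("1.3.6.1.2.1.2.2.1.2.2"): "GigabitEthernet0/1",   # ifDescr.2
        }
        self.writable = {parse_oid("1.3.6.1.2.1.1.5.0")}              # only sysName is read-write

    def _authorised(self, community: str, write: bool) -> bool:
        # v1/v2c: the community string is the whole "authentication" and travels in clear text
        return community == self.rw or (not write and community == self.ro)

    def get(self, community: str, oid: str):
        if not self._authorised(community, write=False):
            return None                       # agent silently drops requests with a bad community
        return self.mib.get(parse_oid(oid), "noSuchObject")

    def get_next(self, community: str, oid: str) -> Optional[Tuple[str, object]]:
        """Return the first MIB object whose OID sorts lexicographically after `oid`."""
        if not self._authorised(community, write=False):
            return None
        start = parse_oid(oid)
        for key in sorted(self.mib):
            if key > start:
                return oid_str(key), self.mib[key]
        return "endOfMibView", None

    def walk(self, community: str, subtree: str) -> list:
        """An SNMP walk is just repeated GETNEXT until the returned OID leaves the subtree."""
        out, prefix, cur = [], parse_oid(subtree), subtree
        while True:
            nxt = self.get_next(community, cur)
            if nxt is None or nxt[0] == "endOfMibView":
                return out
            if parse_oid(nxt[0])[:len(prefix)] != prefix:
                return out
            out.append(nxt)
            cur = nxt[0]

    def set(self, community: str, oid: str, value) -> bool:
        if not self._authorised(community, write=True):
            return False                      # read-only community cannot SET
        key = parse_oid(oid)
        if key not in self.writable:
            return False                      # object is read-only in the MIB definition
        self.mib[key] = value
        return True


def demo():
    a = Agent(ro_community="public", rw_community="s3cretRW")
    sys_group = a.walk("public", "1.3.6.1.2.1.1")            # whole system group
    if_descrs = a.walk("public", "1.3.6.1.2.1.2.2.1.2")      # ifDescr column only
    denied_set = a.set("public", "1.3.6.1.2.1.1.5.0", "R1-changed")
    allowed_set = a.set("s3cretRW", "1.3.6.1.2.1.1.5.0", "R1-core")
    bad_community = a.get("wrong", "1.3.6.1.2.1.1.5.0")
    return sys_group, if_descrs, denied_set, allowed_set, bad_community, a.get("public", "1.3.6.1.2.1.1.5.0")
```

The walk stops at the first OID outside the requested subtree, which is how a manager enumerates one column of a table (here ifDescr) without reading the rest of the MIB; GET BULK, mentioned for SNMPv2, is an optimisation of exactly this loop.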
Exam Tip
To describe the function of SNMP, the concept of Management
Server and Agent needs a clear understanding.
Use of Syslog Features Including Facilities and Levels
Syslog
When a certain event occurs in a network, networking devices have
a trusted technique to inform or notify the network administrator
through detailed system messages. These messages may be either
non-critical or significant. Network administrators have many
options for storing, interpreting, and viewing these messages, and
for being informed about those messages that could have the
greatest impact on the network infrastructure. One of the most
common methods of accessing the system messages that devices
provide is by using a protocol called syslog. Syslog is a system
logging protocol that keeps monitoring the events occurring on the
system and stores the messages in the desired location. It was
developed for UNIX-based systems in the 1980s, but was first
documented by the IETF in 2001 as RFC 3164. Syslog uses UDP port
514 to send event notification messages over IP networks.
Figure 4-04: Syslog Messages
Many networking devices support syslog: routers, switches, servers,
firewalls, and other network appliances. Syslog allows networking
devices to send their system logging messages across the network
to syslog servers. It is possible to build a special Out-of-Band
(OOB) network for this purpose.
There are several different syslog server software packages for
Windows and UNIX. Many of them are freeware.
The syslog logging service offers three primary functions:
The ability to collect logging messages for monitoring and
troubleshooting
The ability to select the specific type of logging information that
is captured
The ability to specify the destinations to store the captured syslog
messages
Figure 4-05: Syslog
You can read system messages from a switch's or router's internal
buffer. It is the most popular and effective method of watching
what's going on in your network at a specific time. But the best
way is to log messages to a syslog server, which stores the
messages for you and can even time-stamp them and arrange them in
order, and it's easy to set up and configure.
By using syslog, you can display, sort, and even search messages,
all of which makes it a really great troubleshooting tool. The
search feature is particularly powerful because you can use
keywords and even severity levels. Plus, the server can email
admins based on a message's severity level.
Network devices can be configured to produce a syslog
message and forward it to various destinations. These four
examples are standard ways to gather messages from Cisco
devices:
● Logging Buffer (on by default)
● Console Line (on by default)
● Terminal Lines (using the terminal monitor command)
● Syslog Server
You should know that all system messages and debug output produced
by the IOS go out only through the console port by default and are
logged in buffers in RAM. You should also know that Cisco routers
are not exactly cautious about sending messages. To send messages
to the VTY lines, the terminal monitor command is used.
Note
The Cisco router would send a version of the message to the syslog
server that is formatted something like this:
Seq no: timestamp: %facility-severity-MNEMONIC: report
The system message format can be broken down this way:
Seq no: Stamps log messages with a sequence number, but not by
default. If you want this output, you have to configure it.
Timestamp: Date and time of the message or event, which again will
show up only if configured.
Facility: The facility to which the message refers.
Severity: A single-digit code from 0 to 7 that indicates the
severity of the message.
MNEMONIC: A text string that uniquely describes the message.
Report: A text string containing detailed information about the
event being reported.
The severity levels, from the most severe level to the least
severe, are mentioned in the table below:
Table 4-02: Severity Levels and their Explanation
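As an added example (not from the workbook), the following Python parses IOS system messages in the format above into their fields, maps the severity digit to the standard IOS level name (the 0 to 7 scale of Table 4-02), and filters by severity the way a syslog server's alerting rule would. The log lines are constructed samples, not captured output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS severity codes 0-7 (the Table 4-02 scale); 0 is the most severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %FACILITY-SEVERITY-MNEMONIC: description
_BODY_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<desc>.*)$"
)


@dataclass
class CiscoSyslogMessage:
    seq: Optional[int]         # present only when sequence numbering is configured
    timestamp: Optional[str]   # present only when timestamps are configured
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslogMessage]:
    """Parse one IOS system message; return None for lines that are not one."""
    line = line.strip()
    pct = line.find("%")
    if pct < 0:
        return None
    body = _BODY_RE.match(line[pct:])
    if not body:
        return None
    # Everything before '%' is the optional "seq no: timestamp: " header.
    header = line[:pct].strip().rstrip(":").strip()
    seq, timestamp = None, None
    if header:
        # A sequence number is digits followed by ": ". An uptime stamp such as
        # 00:02:45 contains ':' but no ": ", so it is kept intact as the timestamp.
        head, _, rest = header.partition(": ")
        if head.isdigit():
            seq = int(head)
            timestamp = rest.strip() or None
        else:
            timestamp = header
    return CiscoSyslogMessage(seq, timestamp, body["facility"], int(body["severity"]),
                              body["mnemonic"], body["desc"])


def parse_all(lines: List[str]) -> List[CiscoSyslogMessage]:
    """Parse a buffer dump, skipping prompts and other non-message lines."""
    return [m for m in (parse_cisco_syslog(l) for l in lines) if m is not None]


def at_or_above(messages: List[CiscoSyslogMessage], threshold: int) -> List[CiscoSyslogMessage]:
    """Keep messages at `threshold` or more severe (numerically <=), as a server alert rule would."""
    return [m for m in messages if m.severity <= threshold]


# Constructed sample lines, one per header style described in the text
# (sequence number + timestamp, timestamp only, neither, sequence number + uptime stamp).
SAMPLE_LINES = [
    "000023: *Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.0.5)",
    "*Mar  1 00:02:10.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000024: 00:02:45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.0.77]",
    "Router#show logging",
]

if __name__ == "__main__":
    for msg in at_or_above(parse_all(SAMPLE_LINES), 4):   # warnings and worse
        print(f"{msg.severity_name:>13} {msg.facility}-{msg.mnemonic}: {msg.description}")
```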
Syslog Facilities and Features
Syslog is primarily used for system management. Proactive syslog monitoring can significantly reduce the downtime of servers and of other devices in an infrastructure. Moreover, cost savings can be achieved by preventing the loss of productivity that usually accompanies reactive troubleshooting. A variety of options and severity levels can be chosen when setting up syslog alerts, including emergency, critical, warning, error, and so on.
Network Alerting: Critical network issues are identified with syslog. For example, fabric channel errors can be detected on a switch fabric module. Other forms of monitoring metrics cannot detect these warnings or errors.
Security Alerting: Syslog messages provide the detailed context of security events. The communication relationships, timing, and in some cases an attacker's motive and tools can be recognized by using syslog.
Server Alerting: Syslog is able to alert on server startups, abrupt server shutdowns, clean server shutdowns, runtime configuration impact, configuration reloads and failures, resource impact, and so on. Failed connections can also be detected with syslog. Server alerts are always valuable, especially when you supervise hundreds of servers.
Application Alerting: Logs are created in different ways by applications. Some of the logs are created through syslog. Dozens of logs are written to the log folder while a web application is running. A syslog monitoring solution is needed to get real-time monitoring; it can observe changes in the log folder. Another good use of syslog is monitoring High-Availability (HA) servers. Only the logs that are troublesome need to be monitored, but all the logs from the server are needed in case of an HA server failure. Having a dedicated syslog server for the HA cluster is the solution in this case.
A detailed analysis of errors requires digging into the historical syslog reports using a syslog analysis tool, like Kiwi or syslog-ng. Comprehensive details, like high momentary error rates, configuration changes, or a sustained abnormal condition, cannot be shown using other forms of monitoring.
The basic features of any syslog monitoring tool include a synchronous web dashboard, an alerting system, and log storage. Trouble tickets can be reduced with proactive syslog monitoring and troubleshooting. Syslog monitoring is enhanced by integrating the syslog monitoring tool with other infrastructure management tools.
DHCP Client and Relay
A framework for transferring configuration information dynamically to hosts on a TCP/IP network is provided by DHCP.
An internet host that uses DHCP to obtain configuration parameters such as an IP address is called a DHCP client.
Any host that forwards DHCP packets between clients and servers is a DHCP relay agent. Requests and replies are forwarded between clients and servers by relay agents when the two are not on the same physical subnet.
Relay agent forwarding is different from the normal forwarding of an IP router, in which IP datagrams are switched between networks.
DHCP messages are received by relay agents, and a new DHCP message is generated to send on another interface.
Figure 4-06: DHCP Request for an IP Address from a DHCP Server
a network server. IP addresses, default gateways, and other network parameters are provided automatically by the DHCP server. The Dynamic Host Configuration Protocol, or DHCP, is responsible for responding to broadcast queries by clients on a DHCP server.
The required network parameters are sent automatically so that clients can properly communicate on the network. Otherwise, the network administrator has to manually set up each client joining the network, which is not an easy task, especially in larger networks.
Each client is assigned a unique dynamic IP address by the DHCP server, which changes when the client's lease for that IP address has terminated.
Router/Switch as a DHCP Server
DHCP for IPv4 is used by many enterprise companies on their routers/switches. This is usually the approach of network administrators who need to get a DHCP capability up and running quickly but do not have access to a DHCP server.
The following DHCP server support is provided with most routers/switches:
● DHCP client: the router/switch obtains an interface IPv4 address from an upstream DHCP service
● DHCP relay: UDP DHCP messages are forwarded from clients on a LAN to and from a DHCP server
● DHCP server: the router/switch services DHCP requests directly
There are still some limitations to using a router/switch as a DHCP server:
● Running a DHCP server on a router/switch consumes resources on the network device. These DHCP packets are handled in software, not by hardware-accelerated forwarding. This practice is not suitable for a network with a large number (> 150) of DHCP clients.
● It does not support dynamic DNS. The router/switch DHCP server cannot create an entry in DNS on behalf of the client based on the IPv4 address leased to the client.
● The scope is not managed easily, and there is no view of the current DHCP bindings and leases across multiple routers. To get information about DHCP bindings, an administrator must log into each switch/router individually.
● If the router/switch fails, both the DHCP server and the default gateway fail. There is no high availability or redundancy of the DHCP bindings.
● DHCP options are more difficult to configure on a router/switch platform.
● A router/switch running the DHCP service is not integrated with IP Address Management (IPAM) for tracking address and scope utilization or security forensics.
Benefits of a Dedicated DHCP Server
Using a centralized DHCP server is a better approach than using DHCP on your router/switch. Network environments that require support of both DHCP for IPv4 and DHCP for IPv6 at the same time particularly benefit from this. All DHCP server vendors that support both protocols can offer the same management interface for IPv4 and IPv6.
Enterprises use DHCPv6 for several benefits that make it advantageous. These include:
● Visibility of the IPv6-enabled client nodes, when the DHCPv6 server is integrated into an IP Address Management (IPAM) system
● Logging and management interfaces provided by DHCP servers, which help administrators manage their IP address scopes. An organization usually wants an accounting of what is on a network regardless of the IP version being used
● Redundancy and high availability provided by DHCP servers. Clients keep their current IP addresses in case one DHCP server fails, so there is no interruption for end nodes
● A DHCPv6 server that has been tried and tested, which organizations prefer. The USGv6 certification laboratory has certified the Infoblox DHCPv6 server as "IPv6 Ready"
Organizations beginning to implement IPv6 should migrate DHCP for IPv4 off the routers/switches and onto a robust DHCP server infrastructure. A centralized dual-protocol DHCP server gives enterprise organizations the advantage of delivering IPv4 and IPv6 addresses to client devices.
Forwarding Per-Hop Behavior for QoS such as Classification, Marking, Queuing, Congestion, Policing, Shaping
In per-hop behavior (PHB), a forwarding behavior is assigned to a Differentiated Services Code Point (DSCP). The PHB defines the forwarding priority that a marked packet receives in relation to other traffic on the Diffserv-aware system. This precedence determines whether the IPQoS-enabled system or Diffserv router forwards or drops the marked packets. The same PHB is applied by each Diffserv router that the packet encounters en route to its destination, unless another Diffserv system has changed the DSCP.
A PHB provides a definite amount of network resources to a class of traffic on the contiguous network. The DSCPs defined in the QoS policy indicate the precedence levels for traffic classes when the traffic flow leaves the IPQoS-enabled system. Precedences range from high-precedence/low-drop probability to low-precedence/high-drop probability.
For example, the QoS policy can assign a DSCP to one class of traffic that guarantees a low-drop precedence PHB from any Diffserv-aware router. This low-drop precedence PHB guarantees bandwidth to packets of this class. Varying levels of precedence are assigned to other traffic classes by adding other DSCPs to the QoS policy. Diffserv systems provide bandwidth to the lower-precedence packets in agreement with the priorities that are indicated in the packets' DSCPs. Two types of forwarding behavior defined in the Diffserv architecture are supported by IPQoS: Expedited Forwarding (EF) and Assured Forwarding (AF).
Classification:
Expedited Forwarding
Any traffic class with the EF DSCP is assured the highest priority in per-hop behavior. Traffic with an EF DSCP does not wait in line. EF provides low loss, latency, and jitter. The recommended DSCP for EF is 101110. A packet that is marked with 101110 receives a guaranteed low-drop precedence as it traverses Diffserv-aware networks en route to its destination. Customers or applications with a premium SLA are assigned priority by using the EF DSCP.
Expedited Forwarding PHB
Resource Reservation Protocol (RSVP), a component of the integrated services model, provides a guaranteed bandwidth service. This kind of robust service is essential for applications such as Voice over IP (VoIP), video, and online trading programs. It is supplied by providing low loss, low latency, low jitter, and assured bandwidth.
In the Expedited Forwarding (EF) PHB the most significant 3 bits of the DSCP field are set to 101. Hence, the whole DSCP field is set to 101110, decimal value 46. The EF PHB provides a low delay service.
Figure 4-07: IP Header DS Field and DSCP PHBs
The EF PHB provides a low delay service. It should also minimize jitter and loss. The bandwidth dedicated to EF must be limited, and the queue dedicated to EF must be the highest priority queue, so that the assigned traffic gets through fast and does not experience significant delay or loss. This can be achieved when the assigned traffic is kept within its bandwidth limit/cap. The successful deployment of the EF PHB is ensured by QoS techniques such as admission control. Three important facts about the EF PHB:
● During congestion, EF polices bandwidth
● It provides a bandwidth guarantee
● It imposes minimum delay
Non-DSCP-compliant applications used to set the IP precedence bits to 101, decimal 5, which is called Critical, for delay-sensitive traffic such as voice. The most significant bits of the EF marking (101110) are 101, which makes it backward compatible with the binary 101 IP precedence (Critical) setting.
Assured Forwarding
The Assured Forwarding per-hop behavior provides four different forwarding classes that can be assigned to a packet. Every forwarding class provides three drop precedences: low-drop, medium-drop, and high-drop.
The Assured Forwarding (AF) PHB is equivalent to the Controlled Load Service available in the integrated services model. An AF PHB defines a method to give different forwarding assurances. Following are the classes for network traffic:
● Gold: 50 percent of the available bandwidth is allocated for the traffic in this category.
● Silver: 30 percent of the available bandwidth is allocated for the traffic in this category.
● Bronze: 20 percent of the available bandwidth is allocated for the traffic in this category.
The four AF classes of the AF PHB are AF1, AF2, AF3, and AF4. A specific amount of buffer space and interface bandwidth is assigned to each class, according to the SLA with the service provider or the policy map. Three drop precedence (dP) values, 1, 2, and 3, can be specified within each AF class.
With the Assured Forwarding (AF) PHB the most significant 3 bits of the DSCP field are set to 001, 010, 011, or 100. These bit patterns are also called AF1, AF2, AF3, and AF4. The AF PHB is used for guaranteed bandwidth service.
Default Per-Hop Behavior
In the Default PHB the three most significant bits of the DiffServ/DSCP field are set to 000. It is used for Best Effort (BE) service. If the DSCP value of a packet is not mapped to any other PHB, the packet is consequently assigned to the default PHB.
Packet Forwarding in a Diffserv Environment
Differentiated Services (DiffServ) is a network solution aimed at classifying IP traffic flows into traffic classes. The DiffServ Code Point (DSCP) uses six bits of the eight-bit field called Type of Service (TOS) inside the IP header. Its main goal is to determine the PHB that each node applies. The DiffServ Domain identifies the scope of this protocol.
Figure 4-08: Diffserv Environment
Part of an intranet at a company with a partially Diffserv-enabled environment is shown in the figure given below. All hosts on the IPQoS enabled and on both networks, the local routers are Diffserv aware.
Figure Forwarding Across Diffserv-Aware Network Hops
The flow of the packet begins with the progress of a packet that
originates at The steps continue through several hops to
is run access which is three hops away
The QoS policy is applied by the resulting packet flow. is then
successfully classified by ipqos1
A class for all has been created by the system administrator. The
traffic initiates on the local network 10.10.0.0. Traffic for is
assigned the AF22 per-hop behavior: class two, medium-drop
precedence. For a traffic flow rate of 2Mb/sec is configured
The flow exceeding the committed rate of 2 Mbit/sec is
determined by
The DS arenas in the is marked with the 010100 DSCP,
corresponding to the AF22 PHB by the marker
are received by and then the DSCP is checked. Packets marked
with AF22 gets dropped, found to be congested
In agreement with the per-hop behavior, is forwarded to the next
hop. This per-hop behavior is configured for AF22 files
The traversed by the The network is not Diffserv aware. The “besteffort” forwarding behavior is then received by the traffic as a
result
is passed to by genrouter receives the traffic
Diffserv aware. are then forwarded to the network in contract with
the PHB that is defined in the router policy for AF22 packets
is received by ipqos2. The user is then prompted a user name
and password
DiffServ is a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the capability of the network to deliver the service required by specific network traffic from one end of the network to the other. The three types of service model supported by Cisco IOS QoS software are Integrated Services (IntServ), Best-Effort Services, and Differentiated Services.
Congestion
To avoid tail drop, congestion avoidance techniques such as Weighted Random Early Detection (WRED) are deployed on each queue. Packet drop is performed based on the marking differences of the packets. Within each AFxy class, y specifies the drop preference (or probability) of the packet. Some packets are marked with the minimum probability/preference of being dropped, some with medium, and the rest with the maximum probability/preference of drop. The y part of AFxy is one of the 2-bit binary numbers 01, 10, and 11; this is embedded in the DSCP field of these packets and specifies low, medium, and high drop preference respectively. Note that the bigger numbers here are not better, because they imply higher drop preference. Therefore, two features are embedded in the AF PHB:
Four traffic classes (BAs) are assigned to four queues, each of which has a minimum reserved bandwidth.
Table 4-03: The AF DSCP Values
The table displays the four AF classes and the three drop preferences (probabilities) within each class; each queue has congestion avoidance deployed to avoid tail drop and to drop preferentially. Beside each AFxy within the table, its corresponding decimal and binary DSCP values are also displayed for your reference.
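The EF, AF, Class-Selector and Default PHB bit layouts described above, and the AFxy drop-preference encoding of Table 4-03, as an added Python example that is not from the workbook: it splits the ToS/DS octet into its DSCP and ECN bits, rebuilds the AF table from the class and drop-precedence bits, decodes any DSCP into its PHB name, and orders packets in one AF queue by the drop preference WRED would apply under congestion.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

EF_DSCP = 0b101110       # 46: Expedited Forwarding; top bits 101 = IP precedence 5 (Critical)
DEFAULT_DSCP = 0b000000  # Default (best effort) PHB, also the class selector CS0


@dataclass(frozen=True)
class Phb:
    name: str                              # "EF", "AF22", "CS6", "DF", or "DSCPnn" for non-standard values
    ip_precedence: int                     # the three most significant DSCP bits, kept for backward compatibility
    af_class: Optional[int] = None         # 1..4 for AF, otherwise None
    drop_precedence: Optional[int] = None  # 1 low, 2 medium, 3 high (AF only)


def split_ds_field(ds_octet: int) -> Tuple[int, int]:
    """Split the 8-bit ToS/DS octet into the 6-bit DSCP and the 2-bit CU/ECN field."""
    if not 0 <= ds_octet <= 0xFF:
        raise ValueError("the DS field is one octet")
    return ds_octet >> 2, ds_octet & 0b11


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """AFxy code point: class x in bits 5-3, drop precedence y in bits 2-1, bit 0 clear."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def af_table() -> Dict[str, Tuple[int, str]]:
    """Rebuild Table 4-03: AFxy name -> (decimal DSCP, 6-bit binary DSCP)."""
    return {f"AF{c}{d}": (af_dscp(c, d), format(af_dscp(c, d), "06b"))
            for c in (1, 2, 3, 4) for d in (1, 2, 3)}


def decode_dscp(dscp: int) -> Phb:
    """Map a 6-bit DSCP to the PHB a Diffserv node would apply."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    hi, mid, lo = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if dscp == EF_DSCP:
        return Phb("EF", hi)
    if dscp == DEFAULT_DSCP:
        return Phb("DF", 0)
    if mid == 0 and lo == 0:                 # xxx000: class selector, IP precedence compatible
        return Phb(f"CS{hi}", hi)
    if 1 <= hi <= 4 and lo == 0:             # mid is 1, 2 or 3 here, since mid == 0 was handled above
        return Phb(f"AF{hi}{mid}", hi, hi, mid)
    return Phb(f"DSCP{dscp}", hi)            # not a standard PHB code point; left to local policy


def wred_drop_order(dscps: Iterable[int]) -> List[int]:
    """Within one AF queue under congestion the higher drop precedence is discarded first:
    returns the DSCPs from first-to-drop to last-to-drop (non-AF values last)."""
    return sorted(dscps, key=lambda d: -(decode_dscp(d).drop_precedence or 0))


if __name__ == "__main__":
    for name, (dec, binary) in af_table().items():
        print(f"{name}  {dec:2d}  {binary}")
    print(decode_dscp(split_ds_field(0xB8)[0]))   # 0xB8 carries DSCP 46 = EF
```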
Queuing
Per-Hop Behavior Queue Design Principles
Voice, video, and data applications are converged in the network and must coexist seamlessly, each with appropriate QoS service expectations and guarantees.
The performance of non-real-time applications can be significantly degraded when real-time applications consume the link bandwidth. Extensive testing has shown a significant performance impact on non-real-time applications when more than one-third of the link is used by real-time applications as part of a strict-priority queue. Using more than a third of link bandwidth for strict-priority queuing is therefore not recommended. This principle prevents non-real-time applications from dropping out of their required QoS recommendations. Also, no more than 33 percent of the bandwidth should be used for the expedited forwarding queue. This 33% design principle is not a mandatory rule but a best practice design recommendation.
For the assured forwarding per-hop behavior, a minimum of one queue should be provisioned, but up to four subclasses can be defined within the AF class: AF1x, AF2x, AF3x, and AF4x. Each queue that belongs to an AF subclass must be given bandwidth corresponding to the application requirements of that traffic subclass. All the traffic not explicitly defined in other queues lies in the Default Forwarding (DF) class. It is important to leave acceptable space for those traffic types, since an enterprise uses many applications. For this service class, typically 25 percent of link bandwidth can be used. As a pre-specified bandwidth is reserved for each queue, if the amount of traffic on a particular queue exceeds the reserved bandwidth for that queue, the queue builds up and eventually incurs packet drops.
Queuing Schedulers
Priority Queueing (PRIQ)
Priority Queuing is the simplest form of traffic shaping, and it is often the most effective. Only prioritization of traffic is performed, without regard for bandwidth.
Pros
Easy to understand and configure.
Cons
Lower precedence queues can easily be completely starved of bandwidth.
Class Based Queueing (CBQ)
The next step up from priority queuing is CBQ. A tree hierarchy of classes is created, each with an allocated priority and bandwidth limit. Instead of processing all packets from a class as PRIQ does, CBQ will only process enough packets until the bandwidth limit is reached.
Shaping
Traffic shaping is used to give traffic more predictable behavior. It uses the Token Bucket model, which characterizes the traffic source.
The main parameters of the Token Bucket are:
● Token Arrival Rate - v
● Bucket Depth - Bc
● Time Interval - tc
● Link Capacity - C
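An added Python example, not from the workbook, of a Token Bucket shaper built from the four parameters above (v, Bc, tc, C): tokens are credited every tc, a burst larger than Bc is held back until later intervals, each packet is serialized at link speed C, and a check confirms that the shaped output never carries more than Bc bits in any tc interval. The packet sizes and arrival times are constructed sample input; Bc defaulting to v * tc is the usual relation and is an assumption of this code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucketShaper:
    """Traffic shaper in the notation used above: v, Bc, tc, C."""
    rate_bps: float                      # v : token arrival rate (committed rate), bits per second
    interval_s: float                    # tc: interval at which tokens are credited, seconds
    link_bps: float                      # C : physical link capacity, bits per second
    depth_bits: Optional[float] = None   # Bc: bucket depth; defaults to v * tc (assumed relation)

    def __post_init__(self) -> None:
        if self.depth_bits is None:
            self.depth_bits = self.rate_bps * self.interval_s
        if self.rate_bps > self.link_bps:
            raise ValueError("committed rate v cannot exceed link capacity C")

    def _credit(self, tokens: float, credited_until: float, now: float) -> Tuple[float, float]:
        # Every tc seconds v*tc tokens arrive; the bucket never holds more than Bc.
        boundaries = int((now - credited_until) // self.interval_s)
        if boundaries > 0:
            tokens = min(self.depth_bits, tokens + boundaries * self.rate_bps * self.interval_s)
            credited_until += boundaries * self.interval_s
        return tokens, credited_until

    def shape(self, packets: List[Tuple[float, int]]) -> List[Tuple[float, float]]:
        """packets: (arrival_s, size_bits) in FIFO order, starting at t=0 with a full bucket.
        Returns (transmit_start_s, transmit_end_s) for each packet."""
        tokens, credited_until, link_free = float(self.depth_bits), 0.0, 0.0
        schedule: List[Tuple[float, float]] = []
        for arrival, size in packets:
            if size > self.depth_bits:
                raise ValueError(f"{size}-bit packet exceeds Bc={self.depth_bits}; it can never conform")
            start = max(arrival, link_free)                  # wait for the previous packet to finish
            tokens, credited_until = self._credit(tokens, credited_until, start)
            while tokens < size:                             # too few tokens: wait for the next tc boundary
                start = credited_until + self.interval_s
                tokens, credited_until = self._credit(tokens, credited_until, start)
            tokens -= size
            finish = start + size / self.link_bps            # serialization delay at link speed C
            link_free = finish
            schedule.append((round(start, 6), round(finish, 6)))
        return schedule


def conforms(schedule: List[Tuple[float, float]], packets: List[Tuple[float, int]],
             shaper: TokenBucketShaper) -> bool:
    """True if no tc-aligned interval carries more than Bc bits, which is the shaping guarantee."""
    per_interval: Dict[int, int] = {}
    for (start, _), (_, size) in zip(schedule, packets):
        k = int(start // shaper.interval_s)
        per_interval[k] = per_interval.get(k, 0) + size
    return all(bits <= shaper.depth_bits for bits in per_interval.values())


# Constructed sample: a 20 kbit burst of five 500-byte packets arriving together on a
# 1 Mbit/s link, shaped to v = 64 kbit/s with tc = 125 ms (so Bc = 8000 bits).
BURST = [(0.0, 4000)] * 5

if __name__ == "__main__":
    shaper = TokenBucketShaper(rate_bps=64_000, interval_s=0.125, link_bps=1_000_000)
    for (start, end), (_, size) in zip(shaper.shape(BURST), BURST):
        print(f"{size} bits sent {start:.3f}s - {end:.3f}s")
```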
Configuring Traffic Shaping
Traffic shaping and queuing can be accomplished in several ways. The easiest way to implement it is ALTQ-based shaping with the Traffic Shaping Wizard.
Traffic Shaping configuration is located at Firewall > Traffic Shaping.
Limitations
An upper limit on traffic cannot be set by ALTQ shaping.
Wizards
A default set of rules is created by using the Traffic Shaping Wizard. The rules created by the wizard cope well with VoIP traffic but may need modification to accommodate other traffic not covered by the wizard. The exact choice of wizards depends on the version in use.
The queue sizes and bandwidths are sized appropriately for most configurations by the wizard. They may need to be manually adjusted in some cases, but for the majority of cases this is unnecessary.
Multiple Lan/Wan
An arbitrary number of WANs and LANs can be accommodated with this wizard.
Dedicated Links
This wizard is meant for multiple WANs and LANs when the specific LAN/WAN pairings do not mix traffic with others. Several 'virtual' links are managed by a single firewall in this way.
Other Wizards
If the descriptions of the other wizards suit the respective environment, they can be used. Because of the large amount of redundancy between the various wizards, the Multiple Lan/Wan wizard can usually be used instead.
Policing
QoS policy prevents manual policy changes in network devices. Its
Community attribute is usually used for color assignments.
Note
DiffServ, or differentiated services, is a computer networking architecture that specifies a simple and scalable mechanism for classifying and managing network traffic and for providing Quality of Service (QoS) on modern IP networks.
Differentiated Services
Differentiated Services is a multiple service model that can satisfy differing QoS requirements. With Differentiated Services, the network delivers a particular kind of service based on the QoS specified by each packet. This specification can occur in many different ways. The QoS specification is used by the network to classify, mark, shape, and police traffic and to perform intelligent queueing.
Differentiated Services is used by several mission-critical applications and for providing end-to-end QoS. It performs a relatively coarse level of traffic classification and is appropriate for aggregate flows.
DS Field Definition
Differentiated Services defines the DS field, which is a replacement header field. The DS field supersedes the existing definitions of the IP version 4 (IPv4) type of service (ToS) octet (RFC 791) and the IPv6 traffic class octet. Six bits of the DS field are used as the DSCP to select the Per-Hop Behavior (PHB) at each interface. A 2-bit currently unused (CU) field is reserved for explicit congestion notification (ECN). DS-compliant interfaces ignore the value of the CU bits when determining the PHB to apply to a received packet.
Per-Hop Behaviors
RFC 2475 defines the PHB as the externally observable forwarding behavior applied at a DiffServ-compliant node to a DiffServ Behavior Aggregate (BA), given the ability of the system to mark packets according to the DSCP setting. A collection of packets with the same DSCP setting that are sent in a particular direction can be grouped into a BA. Packets from several sources or applications can belong to the same BA.
A PHB also refers to the packet scheduling, queueing, policing, or shaping behavior of a node on any particular packet belonging to a BA, as configured by a Service Level Agreement (SLA) or a policy map.
Default PHB
A packet marked with a DSCP value of 000000 receives the traditional best-effort service from a DS-compliant node; this is essentially what the default PHB specifies. Upon arrival at a DS-compliant node, a packet whose DSCP value is not mapped to any other PHB will be mapped to the default PHB.
Class-Selector PHB
To preserve backward compatibility with any IP precedence scheme currently in use on the network, DiffServ has defined DSCP values of the form xxx000, where x is either 0 or 1. These DSCP values are called Class-Selector Code Points. The DSCP value of a packet with the default PHB, 000000, is also termed a Class-Selector Code Point. The PHB associated with a Class-Selector Code Point is a Class-Selector PHB. These Class-Selector PHBs retain most of the forwarding behavior of nodes that implement IP Precedence-based classification and forwarding.
For example, packets having a DSCP value of 110000 usually have preferential forwarding treatment. Remember that 110000 is the equivalent of the IP Precedence-based value of 110, and the preferential forwarding treatment applies to scheduling, queueing, and so on. These Class-Selector PHBs ensure that DS-compliant nodes can coexist with IP Precedence-based nodes.
Figure 4-10: Per-Hop Treatment
Benefits of Implementing DiffServ
For end-to-end quality of service, DiffServ is set to implement the Differentiated Services architecture. The benefits of implementing Differentiated Services include:
● The burden on network devices is reduced, and the network can be scaled easily as it grows
● Customers can keep any existing Layer 3 ToS prioritization scheme
● DiffServ-compliant devices can be mixed with any existing ToS-enabled equipment in use by the customers
● The load on current corporate network resources can be alleviated through efficient management
Network Devices for Remote Access using SSH
By applying a password to the line (as we explain in the section Local Authentication), access to a device can be controlled at any line (console, aux, or terminal). SSH is another method used for securing access.
Source Address: Securing by source address is done through the configuration of access-lists, as described in the section "Local Authentication".
Telnet/SSH: You should use Secure Shell (SSH) instead of Telnet because it creates a more secure session. Telnet applications use an unencrypted data stream, but SSH uses encryption keys to send data so that no one can see your username and password.
Exam Tip
When we use telnet at the end of the ssh command, only then
SSH will work on the device. SSH is more secure than Telnet.
Accessing a network using SSH is a topic that you need to
understand both for clearing the exam and making your network
secure.
Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Files are transferred between systems by using both the File Transfer Protocol (FTP) and the Trivial File Transfer Protocol (TFTP). FTP allows the remote user to navigate the server's file structure and upload and download files. TFTP is a simplified alternative to FTP that provides no authentication, and it is used to transfer configurations to and from network devices. Both FTP and TFTP are inherently insecure protocols. They do not use encryption and allow both authentication and file data to traverse the network in the clear. These protocols should be considered only when sharing non-sensitive data with the general public or operating in an inherently secure environment. A secure alternative to these protocols exists: the secure FTP protocol uses the Secure Shell (SSH) protocol to encrypt standard FTP communications and provide confidentiality in transit.
Note
The two TCP ports used by FTP are port 20 for sending data and port 21 for sending control commands. The protocol supports the use of authentication, but like Telnet, all data including the usernames and passwords are sent in clear text.
Capabilities and functions of File Transfer Protocol
File Transfer Protocol, FTP, is an application layer protocol that transfers files between local and remote file systems. It runs on top of TCP, like HTTP. To move a file, FTP uses two TCP connections in parallel: a control connection and a data connection.
Figure 4-11: File Transfer Protocol Diagram
What is the control connection?
Control information like user identification, password, commands to change the remote directory, commands to retrieve and store files, etc., is exchanged over the FTP control connection. This control connection is initiated on port number 21.
What is the data connection?
FTP makes use of the data connection for sending the actual file. The data connection is initiated from port number 20. Because FTP uses a separate control connection, its control information is said to be sent out-of-band. HTTP and SMTP, by contrast, send their control information in-band, on the same connection as the data.
FTP Session:
When an FTP session is started between a client and a server, the client opens a control TCP connection to the server side. The client sends the control information over this TCP connection. When the server receives this information, it initiates a data connection to the client side. Only one file can be sent over one data connection. The control connection remains active during the user session. As HTTP is stateless, it does not have to keep track of any user state, but state about FTP's user needs to be maintained throughout the session.
FTP allows three data structures:
File Structure: In file structure there is no internal structure, and the file is considered to be a continuous sequence of data bytes.
Record Structure: In record structure the file is made up of sequential records.
Page Structure: In page structure the file is made up of independent indexed pages.
FTP Commands:
Some of the FTP commands are given below:
USER: The user identification is sent to the server by this command.
PASS: The user password is sent to the server by this command.
CWD: This command allows the user to work with a different directory or dataset for file storage or retrieval without altering login or accounting information.
RMD: This command causes the directory specified in the pathname to be removed as a directory.
MKD: This command causes the directory specified in the pathname to be created as a directory.
PWD: This command returns the name of the current working directory in the reply.
RETR: This command causes the remote host to initiate a data connection and send the requested file over it.
STOR: This command stores a file in the current directory of the remote host.
LIST: This request causes a list of all the files present in the directory to be sent.
ABOR: This request aborts the previous FTP service command and any transfer of data associated with it.
QUIT: This command logs out the USER and, if no file transfer is in progress, the server closes the control connection.
FTP Replies:
Some of the FTP replies include:
200 Command okay.
530 Not logged in.
331 User name okay, need password.
225 Data connection open; no transfer in progress.
221 Service closing control connection.
551 Requested action aborted: page type unknown.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
Trivial File Transfer Protocol (TFTP)
TFTP is a network protocol used to transfer files between remote machines. It lacks some of the more advanced features that FTP offers, and it requires fewer resources than FTP. TFTP can be used merely to send and receive files. TFTP was developed in the 1970s. It can still be used to save and restore a router configuration or to back up an IOS image. It is a very simple protocol with limited features compared to File Transfer Protocol (FTP). TFTP provides no authentication and no security while transferring files. Boot files or configuration files are usually transferred between machines in a local setup by using this protocol. In a computer network, users utilize these protocols interactively. However, it is very dangerous to use it over the internet due to its lack of security.
Computers and devices that boot without hard disk drives or storage devices make significant use of this protocol, because a small amount of memory is enough to implement it. Due to this feature, TFTP is one of the core elements of the network boot protocol, or Pre-boot Execution Environment (PXE). Data transfer is initiated through port 69. When the connection is initialized, the data transfer ports are selected by the sender and receiver.
TFTP is used by home network administrators to upgrade router firmware and by professional administrators to distribute software across corporate networks.
Key Features of TFTP
Good for simple file transfers, such as during boot time
UDP is used as the transport layer protocol. The TFTP server must
handle errors in the transmission (checksum errors, lost packets)
Only one connection is used, through well-known port 69
TFTP uses a simple lock-step protocol, in which each data packet
must be acknowledged before the next one is sent. Thus the
throughput is limited
Capabilities of TFTP
TFTP uses client and server software to make connections between
two devices. From a TFTP client, individual files can be copied
(uploaded) to or downloaded from the server. The server hosts the
files and answers client requests, sending or receiving files.
Note
TFTP relies on UDP to transport data.
A computer can be started remotely, and network or router
configuration files can be backed up, by using TFTP.
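The lock-step exchange described above, simulated in memory as an added example (not code from the workbook): the read request goes to port 69, the server answers from a freshly chosen port, and every 512-byte block must be acknowledged before the next one is sent. The file store, port numbers and file names are constructed for the example; note that the request packet carries no credentials at all.

```python
"""Lock-step TFTP read transfer (RFC 1350 packet layout), simulated in memory."""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_NOT_FOUND = 1
BLOCK_SIZE = 512      # full-size data block; a shorter block marks the end of the file
TFTP_PORT = 69        # only the first request is sent to the well-known port


def build_rrq(filename, mode="octet"):
    # Note what is absent: no username, no password, no session token.
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Decode a TFTP packet into a tuple starting with its opcode."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        filename, mode = packet[2:].split(b"\0")[:2]
        return opcode, filename.decode(), mode.decode()
    (number,) = struct.unpack("!H", packet[2:4])   # block number or error code
    if opcode == OP_DATA:
        return opcode, number, packet[4:]
    if opcode == OP_ACK:
        return opcode, number
    if opcode == OP_ERROR:
        return opcode, number, packet[4:].split(b"\0")[0].decode()
    raise ValueError("unknown opcode %d" % opcode)


class TftpServer:
    """Read-only server over an in-memory file store (constructed for this example)."""

    def __init__(self, files, first_tid=49152):
        self.files = files
        self.next_tid = first_tid   # ephemeral port chosen per transfer
        self.session = None

    def handle_request(self, packet):
        """Serve an RRQ that arrived on port 69; returns (server port, first reply)."""
        opcode, filename, _mode = parse(packet)
        tid, self.next_tid = self.next_tid, self.next_tid + 1
        if opcode != OP_RRQ or filename not in self.files:
            return tid, build_error(ERR_NOT_FOUND, "File not found")
        self.session = (filename, 1)    # block 1 is now outstanding
        return tid, build_data(1, self.files[filename][:BLOCK_SIZE])

    def handle_ack(self, packet):
        """Lock-step: the next block goes out only after the previous one is acked."""
        opcode, acked = parse(packet)
        filename, expected = self.session
        if opcode != OP_ACK or acked != expected:
            raise ValueError("unexpected packet; a real server would retransmit")
        data = self.files[filename]
        if len(data[(acked - 1) * BLOCK_SIZE:acked * BLOCK_SIZE]) < BLOCK_SIZE:
            self.session = None
            return None                 # the short final block was acked: done
        self.session = (filename, acked + 1)
        return build_data(acked + 1, data[acked * BLOCK_SIZE:(acked + 1) * BLOCK_SIZE])


def tftp_read(server, filename, client_port=40000):
    """Run one read transfer. Returns (file bytes or None, error text or None, trace)."""
    trace = [(client_port, TFTP_PORT, "RRQ " + filename)]
    received = bytearray()
    server_port, reply = server.handle_request(build_rrq(filename))
    while True:
        parsed = parse(reply)
        if parsed[0] == OP_ERROR:
            trace.append((server_port, client_port, "ERROR %d %s" % parsed[1:]))
            return None, parsed[2], trace
        _, block, payload = parsed
        trace.append((server_port, client_port, "DATA %d (%d bytes)" % (block, len(payload))))
        received += payload
        trace.append((client_port, server_port, "ACK %d" % block))
        reply = server.handle_ack(build_ack(block))
        if reply is None:
            return bytes(received), None, trace


if __name__ == "__main__":
    # Constructed sample store: a 1280-byte "config" needs blocks of 512, 512 and 256 bytes.
    srv = TftpServer({"startup-config": bytes(range(256)) * 5})
    content, err, trace = tftp_read(srv, "startup-config")
    for src, dst, what in trace:
        print("%5d -> %5d  %s" % (src, dst, what))
```

A file whose length is an exact multiple of 512 bytes ends with an empty data block, which the code above handles in the same way.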
TFTP Client and Server Software
Current versions of Microsoft Windows, Linux, and MacOS include
command-line TFTP clients. TFTP clients with graphical interfaces
are also available; for example, one such package includes a TFTP
server. Another example of a GUI client and server for TFTP is
Windows TFTP, which is available for download. Linux and MacOS
systems also ship TFTP servers, although these may be disabled by
default.
Note
Networking experts recommend configuring TFTP servers
carefully to avoid potential security problems.
Differences between TFTP & FTP
The key aspects that differentiate the Trivial File Transfer Protocol
from FTP are:
Original versions of TFTP could transfer files up to 32 MB in
size; the latest TFTP servers have removed this restriction or may
limit the file size to 4 GB
There are no login features in TFTP, so no username and password
are prompted for
Sensitive files must not be shared using TFTP; such files should
be protected, or access to them must be audited
Listing, renaming, and deleting files over TFTP is not possible
TFTP uses UDP port 69 to establish network connections, while FTP
uses ports 20 and 21
TFTP is implemented over UDP. It generally works only on local
area networks
Exam Tip
To pass the exam, you should know the difference between FTP and
TFTP with respect to encryption, authentication and
confidentiality.
Mind Map
Figure 4-12: Mind Map of IP Services
Summary
Configure and Verify Inside Source NAT using Static and Pools
A firewall gives a public address to a computer or group of
computers within a private network in the process of Network
Address Translation (NAT)
Traffic between private addresses can be routed by the routers
inside the private network without any trouble
The firewall acts as the intermediary between the external world
and the protected internal network and provides an additional
layer of security
The inside addresses must be translated, while the outside
addresses are not under the organization's control
The three ways to configure NAT are Static NAT, Dynamic NAT, and
Port Address Translation (PAT)
NAT64 is the process of translating an IPv6 address to an IPv4
address for communication, and vice versa
Cisco IP SLA (Service Level Agreement) allows you to monitor
services in order to increase performance and productivity, lower
the frequency of network outages, etc.
PAT is an extension to NAT. On a LAN, multiple IP addresses are
mapped to a single public IP address
Configure and Verify NTP Operating in a Client and Server Mode
NTP synchronizes the clocks of computer systems over
packet-switched, variable-latency data networks
An NTP server connects through the internet to an atomic clock
The date and time settings on the router can be set using one of
two methods: manually setting the date and time, or configuring
the Network Time Protocol (NTP)
NTP allows networking devices on the network to synchronize
their time and date with an NTP server device
Syslog is one of the most common methods of accessing the system
messages that devices provide
It keeps monitoring the events occurring on the system and stores
the messages at the desired location
The Role of DHCP and DNS within the Network
The information required to configure a DHCP server for hosts
includes: the network and mask for every LAN, reserved/excluded
addresses, the default router, and the DNS address
The DNS server's IP address on a network can be identified by
using the DNS settings
A default gateway for the clients is defined by using the gateway
option
The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) provides a
message format for agents on a variety of devices to
communicate with Network Management Stations (NMSs)
The information is read from or written to a database called the
Management Information Base (MIB)
SNMP is also used to push configuration to agents; these are
called SET messages
SNMP is used for analyzing information and compiling the
outcomes in a report or even a graph
SNMP has three versions (v1, v2 and v3)
SNMPv2 supports plain-text authentication with community strings
and no encryption, but offers GET BULK, which is a way to collect
many types of information at once and minimize the number of
GET requests
SNMPv3 supports strong authentication with SHA or MD5
It provides confidentiality (encryption) and data integrity of
messages via Data Encryption Standard (DES) or DES-256
encryption between agents and managers
Use of Syslog Features
An effective way of watching what is going on in a network at a
particular time is to use the syslog features
Network devices are configured to produce syslog messages and
forward them to various destinations
The system message format can be broken down into Seq no,
Timestamp, Facility, Severity, MNEMONIC, and Description
Configure and Verify DHCP Client and Relay
Dynamic Host Configuration Protocol (DHCP) is a network
protocol
It enables a server to assign an IP address automatically to a
computer from a defined range of numbers
A DHCP server is a network server. It automatically provides and
assigns IP addresses, default gateways and other network
parameters to client devices
Without DHCP, the network administrator has to set up manually
every client that joins the network
DHCP servers offer logging and management interfaces that help
administrators manage their IP address scopes
Forwarding Per-hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
The forwarding behavior is assigned to a DSCP
The forwarding priority for a marked packet is defined by the PHB
When traffic flows leave the IPQoS-enabled system carrying the
DSCPs defined in the QoS policy, the DSCPs indicate the
precedence levels for the traffic classes
The behaviors are defined in the Diffserv architecture, which
includes Expedited Forwarding (EF) and Assured Forwarding (AF)
Network Devices for Remote Access using SSH
SSH is a method used for securing access
Access is also secured through the configuration of access-lists
The Telnet application uses an unencrypted data stream, but SSH
uses encryption keys to send data, so no one is able to see the
username and password
Capabilities and Functions of TFTP/FTP in the Network
Both the File Transfer Protocol (FTP) and the Trivial File Transfer
Protocol (TFTP) are used to send files between systems
TFTP is a simple alternative to FTP that offers no authentication
Configurations are transferred to and from network devices by
using TFTP
The Secure Shell (SSH) protocol is used by the secure FTP
protocol to encrypt standard FTP communications and provide
confidentiality in transit
FTP uses a data connection for sending the actual file, where port
number 20 is used to initiate the data connection
TFTP lacks some of the more advanced features that FTP offers
Diskless computers and devices, which have no hard disk or
storage device, make significant use of this protocol because a
small amount of memory is enough to implement it
TFTP is used by professional administrators to distribute software
across corporate networks
Practice Question
Chapter 05: Security Fundamentals
Technology Brief
As computer network technology and internet technology develop
more rapidly, people are becoming more aware of the importance of
network security. Network security is a major issue in computing
because attacks of many types are increasing day by day.
Protecting computer and network security is a critical concern,
and network security is a very important consideration when
accessing the internet and transferring data. In this chapter, we
are going to discuss security threats, observed vulnerabilities,
exploits and mitigation techniques.
Security Concepts
One of the most prominent topics nowadays is network and
information system security and the associated risks and attacks.
One after another, networks are compromised due to insufficient
network security policies. But the question is: why is network
security so important? Network security is important because of
its direct impact on the continuity of any organization's business.
Network security attacks can cause the following impacts on an
organization:
o Loss of business data
o Interruption of and intrusion on people's privacy
o Threats to and compromise of the integrity of the organization's data
o Loss of reputation
Nowadays, people are becoming more aware of securing their
devices connected to the public internet because of the events of
data leakage, alteration and misuse that have occurred in the past
few years. Network vulnerabilities and new methods of attack are
growing day by day; hence, the techniques for making networks
more secure are evolving as well.
Threats
A threat indicates the possibility of an exploit or attack with
potential risks. A threat is any weakness lying in a system that
can be exploited. The presence of a vulnerability in a system
results in a threat. The entity that uses the vulnerability to
attack a system is known as the malicious actor, and the path used
by this entity to launch the attack is known as the threat vector.
Some of the major threat classifications include:
User Identity Spoofing: This includes multiple techniques used
to misrepresent legitimate user information, such as GPS spoofing,
email-address spoofing and caller-ID spoofing, which is used in
Voice-over-IP.
Information Tampering: This includes threats related to changing
information rather than stealing it, such as altering the financial
records and transactions used in banks, criminal records, etc.
Data Leakage: This means revealing or sending data outside the
organization or to someone who is not authorized to receive it.
It also includes the disclosure of information from running
services and operational processes. Implementing DLP controls and
strict information security policies can help to prevent such
leakage.
Denial of Service (DoS): This is a type of attack in which a
service offered by a system or a network is denied. Services may
be denied outright, have their functionality reduced, or become
inaccessible even to legitimate users. There are several
techniques for performing a DoS attack, such as generating a large
number of requests to the targeted system. These large numbers of
incoming requests overload the system's capacity, which results in
denial of service. Botnets and zombies are compromised systems
that are used to generate the huge traffic volumes of a DDoS
attack.
Figure 5-01: Denial-of-Service Attack
Common symptoms of a DoS attack are:
Slow performance
High CPU and memory utilization
Unavailability of a resource
Loss of access to a service
Discontinuation of a wireless or wired internet connection
Denial of access to any internet service
Vulnerabilities
Vulnerability is defined as an inherent weakness in the design,
configuration, implementation, or management of a network or
system that can be exploited by an attacker. Vulnerability can be
present at any level of system architecture.
Classifying vulnerabilities on the basis of how threatening they
are or how they would impact the system helps in identifying
their impact on the system. The Common Vulnerabilities and
Exposures (CVE) List was launched by MITRE as a community effort
in 1999, and the U.S. National Vulnerability Database (NVD) was
launched by the National Institute of Standards and Technology
(NIST) in 2005. CVE catalogs the known vulnerabilities and is
available over the internet; it can be searched via any search
engine available today. The following are a few of the important
reasons why a vulnerability can exist in a system:
Policy flaws
Design errors
Protocol weaknesses
Misconfiguration
Software vulnerabilities
Human factors
Malicious software
Hardware vulnerabilities
Physical access to network resources
Exploits
The term "exploit" refers to the action of an attacker in which a
vulnerability is leveraged to intrude into a system. The attacker
takes advantage of the vulnerability; an unpatched system, for
example, is easily exploitable. The term may also refer to
software code or a program that bypasses a security mechanism to
provide access to the system.
Some exploits are designed to specifically attack vulnerabilities
on applications or systems to take control over servers or
computer systems. Remember that in some cases, exploits do not
need software to achieve their goals. For example, scams that
involve social engineering a person or employee into revealing
sensitive or critical information are perfect examples of exploits
that do not require software and hacking skills.
Mitigation Techniques
The word mitigation means the act of reducing the severity or
seriousness of the impact of something on a situation. IT threat
mitigation is then defined as the actions, prevention techniques,
or remedies implemented to reduce IT threats to a network,
computer, or server. 'IT threat' is actually a broad term that
covers the physical, software, and hardware threats that any IT
system may encounter.
Signature Management
A digital signature is the digital equivalent of an authentication
mechanism; it validates the integrity of a message or file.
Digital signatures can also provide non-repudiation. It is
important to be able to detect forgery or tampering in digital
information. Digital signatures are equivalent to traditional
handwritten signatures in many respects, but properly implemented
digital signatures are more difficult to forge than the
handwritten type. Digital signatures employ asymmetric
cryptography.
Digital signatures are the digital equivalent of a sealed
envelope and are intended to ensure that a file has not been
altered in transit. A file with a digital signature allows
verification not only of the publisher of the content or file,
but also of the content's integrity at the time of download. On
the network, a PKI enables the organization to issue certificates
to internal developers/contractors and allows any member to
verify the origin and integrity of downloaded applications.
Device Hardening
Device hardening is a technique that applies not only to
routers, switches and servers but also to all network devices,
including laptops, desktops and mobile devices. One of the current
goals of operations security is to ensure that all systems have
been hardened to the extent possible while still providing
functionality. Hardening can be achieved on both a physical and a
logical basis.
From a logical perspective:
Implementing least privilege rule
Changing default credentials and implementing strong password
policy
Patching OS and applications
Disabling unnecessary services and ports
Change Default Native VLAN
On switches, the native VLAN is the only VLAN that is not
tagged on a trunk. This means that native VLAN frames are
transmitted unchanged. By default, the native VLAN is VLAN 1, and
that default is a weakness in that it is information an attacker
can take advantage of. To provide security, you must take steps
to change the native VLAN to another VLAN.
Switch Port Protection
Switch port protection is a key part of network switch
security. It provides the ability to limit which addresses are
allowed to send traffic on individual switch ports within the
switched network. Switch port security starts with understanding
potential vulnerabilities and then addressing them through correct
configuration. These measures may include Spanning Tree, Flood
Guard, BPDU Guard, Root Guard, and DHCP Snooping. Unused switch
ports must be administratively shut down.
Network Segmentation
Network segmentation reduces the congestion in the network.
Apart from enhancing the network performance, network
segmentation plays an important role in strengthening the network
security by isolating the management network and critical servers
from normal traffic.
DMZ
Generally, three zones are associated with firewalls: Internal,
External, and Demilitarized (DMZ). The internal zone is the zone
inside of all firewalls, and it is considered to be the protected
area where the most critical servers, such as domain controllers
that hold sensitive information, are placed. The external zone is
the area outside the firewall, such as the internet, against which
the inside is protected. A DMZ exists where the network has more
than one firewall; it is a zone between two firewalls.
Alternatively, it is created using a device that has at least
three network connections, sometimes referred to as a
three-pronged firewall. In the DMZ, place the servers that are
used by hosts on both the internal network and the external
network, which may include web, VPN, and FTP servers.
Figure 5-02: DMZ using One Firewall
VLAN
Switches and routers have physical interfaces, commonly known
as a physical port; these ports can be configured in a variety of
ways, depending upon the topology, design, type of encapsulation,
duplex, and speed of the link.
VLANs on switches allow users to create network segmentation
by creating multiple virtual subnets while maintaining a flexible
network that is easy to modify when required. Conversely, an
improper VLAN assignment on a port will effectively place clients
in a subnet that is not controlled by the administrator. This is
not only a connectivity issue; it could also create security
issues. VLAN assignment should therefore be done with great care
as to which client computer is connected to which VLAN
interface.
Privileged User Account
The Least Privilege Principle states that,
“A subject should be given only those privileges needed for it to
complete its task”
Every program and every user of the system uses the least set of
privileges needed to complete the job. This principle limits the
damage resulting from an accident or error. The number of
potential interactions among privileged programs is reduced to
the minimum needed for correct operation, so that unintentional,
unwanted, or improper uses of privilege are less likely to occur.
The number of programs that must be audited if a question arises
about misuse of a privilege is also minimized. An example of this
principle is the military security rule of "need-to-know".
According to the principle of least privilege, only the minimum
access necessary to perform an operation should be granted, and
it should be granted only for the minimum amount of time
necessary.
File Integrity Monitoring
Integrity is the process of ensuring that the received data is
the same as what was originally sent. Integrity controls are
designed to eliminate situations where someone tampers with your
data. File integrity monitoring applies the concept of file
hashing discussed earlier, but with a software program. File
integrity monitoring observes changes to settings or access
controls, attributes and sizes, and, of course, the hashes of files.
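The baseline-and-compare loop that a file integrity monitor runs, as an added example (not code from the workbook): it records the SHA-256 hash, size and permission bits of every file under a directory and reports which attribute changed. File names and contents in the demo are constructed.

```python
"""File integrity monitoring: baseline hashes, sizes and modes, then diff against a new scan."""
import hashlib
import os
import stat
from pathlib import Path


def fingerprint(path):
    """Return the attributes we watch for one file: content hash, size and permission bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root):
    """Fingerprint every regular file under `root`, keyed by its relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report added, removed and changed files; `changed` lists which attributes differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            reasons = [key for key in ("sha256", "size", "mode")
                       if baseline[name][key] != current[name][key]]
            if reasons:
                report["changed"][name] = reasons
    return report


if __name__ == "__main__":
    import json
    import tempfile
    # Constructed demo: baseline a temporary tree, tamper with it, and print the report.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "startup-config").write_bytes(b"hostname R1\n")
        before = snapshot(tmp)
        Path(tmp, "startup-config").write_bytes(b"hostname R2\n")   # same size, new content
        Path(tmp, "extra.sh").write_bytes(b"#!/bin/sh\n")
        print(json.dumps(compare(before, snapshot(tmp)), indent=2))
```

A same-size edit such as changing one character of a hostname is caught only by the hash, which is why size and attributes alone are not enough.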
Role Separation
Role separation, also known as separation of duties, requires
one user to perform a specific task and another to perform a
related task. This reduces the possibility of fraud or errors
occurring by implementing a system of checks between different
users.
Restricting Access via ACLs
Firewalls generally contain Access Control Lists (ACLs) that
allow or deny packets based on specified criteria such as IP
addresses, ports, or the data they contain. The firewall generally
processes the list from top to bottom; when the traffic meets the
criteria of an entry, the related permit or deny action is
applied. Usually, there is an implicit deny statement at the end
of the firewall ACL that denies any packets that have not been
allowed before they reach that point. Sometimes, that statement is
not implicit but is listed explicitly as the default statement at
the end of the list.
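The top-to-bottom, first-match evaluation with an implicit deny, as an added example (not code from the workbook). The addresses, ports and the sample policy are constructed; the block also flags entries that can never match because an earlier, broader entry sits above them, which is the usual way an ordering mistake shows up.

```python
"""First-match ACL evaluation with an implicit deny, plus a shadowed-entry check."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                     # CIDR; "0.0.0.0/0" plays the role of "any"
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        """True if every packet matching `other` would already match this entry."""
        return (self.proto in ("ip", other.proto)
                and ipaddress.ip_network(other.src, strict=False).subnet_of(
                    ipaddress.ip_network(self.src, strict=False))
                and ipaddress.ip_network(other.dst, strict=False).subnet_of(
                    ipaddress.ip_network(self.dst, strict=False))
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, index); index is None when only the implicit deny applied."""
    for index, entry in enumerate(acl):
        if entry.matches(proto, src_ip, dst_ip, dport):
            return entry.action, index
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never be reached because an earlier entry covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


# Constructed policy for a management subnet in front of 10.0.0.0/24 (example values only).
MGMT_ACL = [
    AclEntry("permit", "tcp", "192.168.10.0/24", "10.0.0.0/24", 22),   # SSH from admin subnet
    AclEntry("deny",   "tcp", "0.0.0.0/0",       "10.0.0.0/24", 23),   # no Telnet from anywhere
    AclEntry("permit", "udp", "10.0.0.0/24",     "10.0.0.10/32", 69),  # TFTP only from inside
    AclEntry("deny",   "ip",  "0.0.0.0/0",       "0.0.0.0/0"),         # explicit final deny
]

# The same rules with the catch-all deny placed first: every later entry is shadowed.
MISORDERED_ACL = [MGMT_ACL[3]] + MGMT_ACL[:3]


if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "tcp", "192.168.10.5", "10.0.0.1", 22))     # ('permit', 0)
    print(evaluate(MGMT_ACL[:3], "udp", "172.16.0.9", "10.0.0.10", 69))  # ('deny', None)
    print(shadowed_entries(MISORDERED_ACL))                              # [1, 2, 3]
```

Dropping the last entry of MGMT_ACL gives the same decisions, but the index returned becomes None, which is the only visible trace of the implicit deny.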
Honeypot/Honeynet
Honeypots are security devices used as decoys, acting as a
valuable-looking server target for an attacker. They are monitored
and isolated from any truly sensitive computer data, yet they
appear vulnerable to attack and quite undefended. The idea is to
get the attacker to take the lure, making them waste their time in
the honeypot while the network's real data stays safe, and then
to gather information about the attacker and give it to the proper
authorities.
Two or more honeypots on the same network make a honeynet. It
is used in large organizations where a single honeypot server
would not be sufficient. The honeynet simulates a production
network but is closely monitored and isolated from the true
production network.
Penetration Testing
Penetration testing, also known as PT, is a methodology in
which pentesters attempt to penetrate a target. Pentesting is a
technique where the pentester examines the target with an
attacker's mindset to find weaknesses and vulnerabilities. The
purpose of pentesting is not to exploit and hack a system but to
find the loopholes in a system's security in order to counter them
before a real attacker exploits them.
Typically, pentesting professionals who are experts in in-depth
monitoring and have a hacker's mindset perform this job. There
are also several tools available that assist them in finding
vulnerabilities. Aircrack-ng is an open source tool for pentesting
pretty much every aspect of wireless networks. Metasploit, another
open source tool, gives the pentester a massive library of attacks
and allows those attacks to be adapted for unique penetrations.
Figure 5-03: Metasploit Output
Security Program Elements
Security program elements are critical to the success of a security
effort. They include awareness and training, policies, procedures,
and explaining recent threats to both users and management. A
security-awareness program can do much to support your efforts to
improve and maintain security. Such efforts need to be ongoing,
and they should be part of the organization's normal
communications practice. The following section discusses some of
the things you can do as a security professional to address the
business issues associated with training the people in your
organization to operate in a manner consistent with
organizational security goals.
User Awareness
Education and awareness help ensure that security information is
conveyed to the appropriate people in a timely manner. Most
users are not aware of modern security threats. If you establish
a process to concisely and clearly explain what is happening and
what is being done to correct current threats, you will probably
find acceptance of your efforts to be much higher.
Educational methods that have proven effective include
publishing information through internal security websites, news
servers, and emails. You might want to consider a regular
notification process to convey information about security issues
and changes. In general, the more you educate about this on a
regular basis, the more likely people are to realize that
security is everyone's responsibility.
Training
The efforts in education and training must help users clearly
understand prevention, enforcement, and threats. Along with the
IT staff, the security department will also probably be
responsible for a security-awareness program. An organization's
training and educational programs need to be tailored to at least
three different audiences:
The Organization
Its Management
The Technical Staff
These three organizational groups have different considerations
and concerns. For example, with organization-wide training,
everyone understands the policies, procedures, and resources
available to deal with security issues, which helps ensure that
all employees are on the same page. The following list classifies
the types of issues that members of an organization should be
aware of and understand.
Organization
Ideally, a security-awareness training program for the whole
organization should cover the following areas:
Importance of security
Responsibilities of people in the organization
Policies and procedures
Usage policies
Account and password-selection criteria
Social engineering prevention
You can accomplish this training either by using internal staff
or by hiring outside trainers. It is recommended to do much of
this training during new-employee orientation and staff meetings.
To keep it at the forefront of their minds, though, the training
needs to be repeated periodically (twice a year often works well).
Also, do not forget to obtain the employees' signatures as proof
that they received the training and are aware of the policies.
Management
Managers are concerned with more universal issues in the
organization, including implementing security policies and
procedures. Managers will want to know the purpose of and reasons
for a security program, how it works and why it is necessary.
They should receive additional training or exposure that describes
the issues, threats, and techniques for dealing with threats.
Management should also be concerned about productivity effects,
enforcement, and how the various departments are affected by
security policies.
Technical Staff
The technical staff requires special knowledge about the
methods, implementations, and capabilities of the systems used to
manage security. Network administrators will want to evaluate how
to manage the network, best practices, and configuration issues
related to the technologies they support. Developers and
implementers will want to evaluate the effect of these measures
on existing systems and new development projects. The training
that both administrators and developers need should be
vendor-specific; vendors have their own methods of implementing
security.
Remember that all of your efforts will be wasted if you do not
make sure to reach an appropriate audience. Spending an hour
preaching on backend database security will likely be an hour
wasted if the only members of the audience are data-entry
operators who get paid by the keystroke to make weekly changes
as quickly as possible.
Physical Access Controls
Physical access controls are mechanisms designed to minimize the
risk of harm. A simple example is a smart door lock, which will
deter many potential attackers; the installation of biometric
sensors, such as iris scanning or fingerprint recognition, can
discourage even the most determined intruder trying to gain
access to a secured place. Sometimes, all that is needed to
resolve the issue is a procedure that provides enough time to
contact the appropriate authorities.
We should consider shutting down access to laptops, desktops,
and servers. Many companies are taking the precaution of removing
all drives from individual computers and disabling USB, COM and
LPT ports to prevent theft, and establishing additional BIOS
password protection to prevent employees from installing personal
software, gaining unauthorized access, and eventually
participating in theft. One possible scenario to strengthen
security is to use a terminal server and a bootable Linux
distribution.
Configure Device Access Control using Local Passwords
Using password protection to control or restrict access to the
Command Line Interface (CLI) of a router is one of the fundamental
elements of an overall security plan.
The CTY line type is the console port. On any router, it appears in
the configuration as line con 0 and in the output of the show line
command as CTY. The console port is primarily used for local system
access from a console terminal.
The AUX line is the auxiliary port, seen in the configuration as
line aux 0. It is typically used for an out-of-band modem connection
and should be disabled if it is not needed.
The VTY lines are the virtual terminal lines of the router, used to
control inbound Telnet and SSH connections. They are virtual in the
sense that they are a function of software; there is no hardware
associated with them. They appear in the configuration as line vty
0 4 (many platforms provide more, for example line vty 0 15).
Each of these line types can be configured with password protection.
Lines can be configured to use one password for all users, or
user-specific passwords. User-specific passwords can be configured
locally on the router, or an authentication server (RADIUS or
TACACS+) can provide authentication.
Nothing prevents configuring different lines with different types of
password protection. It is, in fact, common to see routers with a
single password on the console and user-specific passwords for other
inbound connections.
Configure Local User-Specific Passwords
To establish a local username-based authentication system, use the
username command in global configuration mode. Prefer the secret
keyword over password so that the credential is stored as a hash
rather than as a reversible type 7 string. To enable username and
password checking at login, use the login local command in line
configuration mode.
Configure AUX Line Password
To configure a password on the AUX line, enter the password
command in line configuration mode. To enable password checking at
login, enter the login command in line configuration mode. If the
AUX port is not used, it is safer to disable it altogether.
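The procedure above (local usernames checked with login local on the console and VTY lines, a single line password on AUX) put together as an added example; this is not configuration from the original workbook. The hostname, domain name, usernames, secrets and the 10.10.10.0/24 management subnet are assumptions, and the VTY lines are restricted to SSH, which is the secure replacement for Telnet:

```cisco
! Added example, not from the original workbook. Hostname, domain,
! usernames, secrets and the management subnet are assumptions.
hostname R1
ip domain-name example.net
!
! Minimum length is enforced for enable, line and username secrets
security passwords min-length 12
! Obfuscates any remaining "password" lines (type 7, reversible) in the config
service password-encryption
enable secret Pr1vileged-Exec-0nly
!
! Local user database. "secret" stores a salted hash; "password" would
! store a type 7 string that any online decoder recovers instantly.
username netadmin privilege 15 secret C0rrect-Horse-Battery
username helpdesk privilege 1 secret St4ple-Only-Reads
!
! Slow down online guessing: refuse logins for 120 s after 3 failures in 60 s
login block-for 120 attempts 3 within 60
login on-failure log
!
! SSH needs an RSA key pair; 2048 bits is the smallest modulus worth using
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the management subnet may open a VTY session at all
ip access-list standard MGMT-ONLY
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Console: check the local user database, time out idle sessions
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! AUX: single line password as in the text. If the port is unused, replace
! the password/login pair with "no exec" and "transport input none".
line aux 0
 password Aux-L1ne-Only
 login
 exec-timeout 5 0
!
! VTY: local users, SSH only (Telnet sends the password in clear text),
! and only from the MGMT-ONLY subnet
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-ONLY in
 exec-timeout 5 0
!
! Verify with: show line, show ip ssh, show login, show users
```

Create the username before applying login local, and test an SSH login from the management host in a second session before closing the one you configured from; once login local is active on a line, that line's own password command is ignored, and a typo in the username or secret locks you out of every VTY.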
Security Password Policies Elements
Without a security policy, the availability of the network can be
compromised. The policy begins with assessing the risk to the
network and building a team to respond. Continuing the policy
requires implementing a security change management practice and
controlling access to the network through the authentication
mechanisms discussed in this section.
Password Management
A password is a secret string supplied by a user at an
authentication prompt. Although passwords are still the most widely
used method of authentication, they are exposed to a number of
security threats when misused. This is where password management
comes in. Password management is the set of principles and best
practices that users and organizations follow to store and manage
passwords so that they cannot be used to gain unauthorized access.
How to manage passwords?
Use strong and unique passwords for every website and application
Change passwords after a set period, and immediately if compromise is suspected
Configure two-factor authentication for all accounts that support it
Share passwords only when unavoidable, and then only through a secure
channel such as a password manager's sharing feature, never by email or chat
Store all enterprise passwords in one managed vault and enforce secure
password policies within the business environment
Periodically review violations and take the necessary actions
Password Complexity
A password policy is both a set of rules written out as part of
the organizational security policy that dictates the requirements of
user and device passwords as well as a technical enforcement tool
that enforces the password rules. The password policy typically
comprises the requirements for minimum password length,
maximum password age, minimum password age, password
history retention, and some sort of complexity requirement. This
latter setting often enforces a minimum of three out of four
standard character types (uppercase and lowercase letters,
numbers, and symbols) to be represented within the password
and disallows the username, real name, and email address from
appearing within the password. Generally, passwords over 12
characters are considered fairly secure, and those over 15
characters are considered very secure. Usually, the more characters
in a password, along with some character type–complexity, the
more resistant it is to password-cracking techniques, specifically
brute force attacks. Forbidding the reuse of previous passwords
(password history) and requiring a change whenever compromise is
suspected improve the security of a system that uses passwords as
the primary means of authentication. Many policies also force a
regular change, such as every 90 days; note that current guidance
(NIST SP 800-63B) advises against mandatory periodic rotation unless
there is evidence of compromise, because it tends to produce weaker,
predictable passwords.
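The policy elements above (minimum length, character classes, change distance, maximum age) can be enforced on an IOS device itself with the AAA Common Criteria password policy feature. The following is an added example, not configuration from the original workbook: the policy name, username and password are assumptions, the feature is not present on every IOS release, and the documented form attaches the policy with the password keyword (check whether your release also accepts secret, which stores a hash instead):

```cisco
! Added example, not from the original workbook. Policy name, username
! and password are assumptions; verify the keyword set on your IOS release.
aaa new-model
!
! Policy: at least 12 characters, at least one of each character class,
! at least 4 characters changed from the previous password, 90-day maximum age.
aaa common-criteria policy STRONG-PW
 min-length 12
 max-length 64
 upper-case 1
 lower-case 1
 numeric-count 1
 special-case 1
 char-changes 4
 lifetime day 90
 exit
!
! A user created with the policy attached is rejected if the password does
! not meet it, and is forced to change it when the lifetime expires.
username netops common-criteria-policy STRONG-PW password Lt9#Rooftop-Weather
!
! Verify with: show aaa common-criteria policy all
```

The lifetime mirrors the 90-day figure in the text; if you follow the NIST guidance mentioned above, drop the lifetime line and rely on length, history and compromise-driven changes instead.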
Password Alternatives
As password-focused attacks by cybercriminals increase, many
businesses and users need to shift to stronger means of
authentication. Several options can replace or supplement
traditional passwords. Here are some of them:
Multi-Factor Authentication
Multi-factor authentication (MFA) authenticates a user with two or
more independent factors. A system that requires a smart card, the
PIN that unlocks it, and a biometric check such as a fingerprint or
iris scan is using multi-factor authentication.
Two-Factor Authentication: Authenticating the user with exactly two
different factors, for example something they have and something
they know. A smart card that must be unlocked with a PIN is a
typical two-factor scheme. Note that two passwords, or a password
plus a security question, are both "something you know" and do not
count as two factors.
Something You Know
A user name, a password, a passphrase, or a Personal
Identification Number (PIN).
Something You Have
A physical security device that authenticates users, such as a
smart card, badge, or key fob.
Something You Are
Some distinctive, specific characteristic, such as a biometric.
Somewhere You Are
A location factor that requires the user to be in a particular place
to authenticate, typically determined by geolocation or the source
network.
Something You Do
A behavioural factor: an action the user must perform to complete
authentication, such as a characteristic typing rhythm on the keyboard.
Certificates
A certificate is a digital credential that validates users,
computers, or devices on the network. It is a digitally signed
statement that binds a public key to the identity of the person,
device, or service that holds the corresponding private key.
Biometrics
Biometric access control is one of the strongest ways to build
physical security: a unique physical characteristic of a person is
used to allow access to a controlled IT resource. These
characteristics include fingerprints, handprints, voice, retina or
iris patterns, and so on. The biometric template is stored in a
database; apply whatever measures the vendor recommends to protect
the integrity of the templates and of that database, because a
stolen biometric, unlike a password, cannot be changed.
Figure 5-05: Biometric Authentication
Remote Access and Site-to-Site VPNs
VPN
A Virtual Private Network (VPN) is an encrypted communication
channel, or tunnel, between two remote sites over the internet. The
concept of a VPN arises when an organization wants confidentiality,
integrity, and authentication for data in motion over the public
internet or some other autonomous system at minimum expense.
A VPN is a logical network that allows connectivity between two
devices. Those devices can belong to the same network or be
connected over a Wide Area Network. Breaking down the term,
"Virtual" refers to the logical link between the two devices: the
VPN link does not exist as a separate physical path but uses the
internet as its transport. "Private" refers to the security the VPN
provides for the connection, since the transport medium, the
internet, is not secure; the VPN adds confidentiality and data
integrity. It encrypts the data and prevents an unauthorized party
along the path from reading, altering, or manipulating it.
Following are the key features of VPN technology:
Confidentiality: Only the intended destination can understand the
data. Because the data is sent in encrypted form, it is meaningless
to anyone else who captures it.
Data Integrity: The VPN makes sure that the data received is exactly
what was sent and has not been altered in transit; each packet
carries a keyed hash (HMAC) that the receiver verifies.
Authentication: The VPN authenticates the peer on each side of the
tunnel, using pre-shared keys, digital certificates (public/private
key pairs), or a user authentication method.
Anti-replay Protection: Once a VPN packet has been received and
accounted for, an identical copy of that packet is no longer valid
for that session; an attacker cannot capture a legitimate exchange
and replay it later to impersonate the real peer.
Figure 5-06: Example of Using VPN for Secure Connection
Types of VPN
Remote-Access VPN
Site-to-Site VPN
Remote Access VPN
Remote-access VPNs allow remote users such as telecommuters to
securely access the corporate network wherever and whenever they
need to. The remote-access VPN feature allows an endpoint to connect
to the secure LAN of an organization. These endpoint devices include
smartphones, tablets, laptops, and so on.
For example, consider an employee of an organization who works
from various remote locations and must provide real-time data to
the organization. The organization wants a secure communication
channel that connects the remote employee to its internal network.
A remote-access VPN provides the solution by allowing the remote
employee's device to connect to the corporate headquarters or any
other branch of that organization. This is referred to as a
remote-access VPN connection.
Remote-access VPNs use IPsec or SSL/TLS to secure the communication
tunnel. Many organizations use Cisco's AnyConnect client for
remote-access SSL VPNs.
Site-to-Site VPN
Site-to-site VPNs, or intranet VPNs, allow a company to connect its
remote sites to the corporate backbone securely over a public medium
such as the internet instead of requiring more expensive dedicated
WAN connections such as Frame Relay. Site-to-site VPNs securely
connect two or more sites over the internet; for example, a branch
office connecting to the head office, or multiple branches connecting
to each other. Unlike a remote-access VPN, the tunnel is built
between two gateways, so the end hosts need no VPN client.
Site-to-site VPNs generally use IPsec.
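A site-to-site IPsec tunnel in which each of the four VPN properties listed earlier maps to a concrete setting, given here as an added example that is not configuration from the original workbook. The peer addresses (203.0.113.0/24 documentation space), the protected subnets, the interface name and the pre-shared key are assumptions, and the peer router needs the mirror-image configuration. It uses the classic IKEv1 crypto-map style, which is what most CCNA-level material shows:

```cisco
! Added example, not from the original workbook. Addresses, subnets,
! interface and key are assumptions; configure the mirror image on the peer.
!
! Phase 1 (IKE): how the two gateways authenticate each other and agree
! on keys. "authentication pre-share" is the Authentication property.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Long-Random-PSK-Change-Me address 203.0.113.2
!
! Phase 2 (IPsec): esp-aes 256 gives Confidentiality, esp-sha256-hmac gives
! Data Integrity (a keyed hash on every packet).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Anti-replay is on by default; a wider window avoids false drops when
! packets are reordered in transit (for example by QoS).
crypto ipsec security-association replay window-size 128
!
! Which traffic is "interesting" (goes through the tunnel): HQ LAN <-> branch LAN
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM-BRANCH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-BRANCH
!
! Verify: show crypto isakmp sa (state QM_IDLE = peer authenticated),
! show crypto ipsec sa (encaps/decaps counters rising, replay errors zero)
```

Two practitioner caveats: if the same interface also performs NAT, the VPN-TRAFFIC subnets must be excluded from the NAT rule or the packets will be translated before the crypto map sees them and never match; and on current IOS releases IKEv2 (crypto ikev2 ...) is preferred over IKEv1, though the mapping of properties to settings is the same.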
This figure below shows the conceptual view of two main types
of VPN connections:
Figure 5-07: Types of VPN
Mind Map
Figure 5- 08: Mind Map of Security Fundamentals
Configure and Verify Access Control Lists
An access control list (ACL) is an ordered list of conditions that
categorize packets; ACLs come in handy when you need control over
network traffic. A common use of access lists is to filter unwanted
packets when implementing security policies.
Using access lists, you can restrict traffic patterns so that, for
example, only certain hosts are allowed to reach web resources on
the internet while others are blocked. With the right combination of
access lists, network managers can enforce nearly any security policy
they can invent.
Configuring an access list is like programming a series of if-then
statements: if a condition is met, a given action is taken. If the
condition is not met, nothing happens and the next statement is
evaluated. Access-list statements are essentially packet filters
that each packet is compared against.
Three important rules that a packet follows when it is
compared with an access list:
The packet is compared with each line of the access list in
sequential order, starting with the first line, then the second,
then the third, and so on.
Lines are compared with the packet only until a match is made. The
packet is acted upon by the first line whose condition it matches;
later lines are never evaluated.
When a packet matches none of the lines in an access list, the packet
is discarded. This is the implicit deny at the end of every access
list, which also means an ACL that contains only deny statements
blocks all traffic.
Inbound and Outbound ACL
An inbound access list is more efficient than an outbound one
because a packet that matches a deny statement is dropped before the
router performs a routing lookup. With an outbound ACL, every packet
(whether it will be permitted or denied) is first routed to the
outbound interface, and only then are the denied packets dropped.
There are several types of access lists: standard, extended, and
named.
Standard
Standard IP access lists filter traffic based only on the source IP
address of a packet. Standard lists use the access-list numbers 1–99
or the expanded range 1300–1999; the router identifies the type of a
numbered list from its number. Because they cannot look at the
destination, standard lists are normally placed as close to the
destination as possible.
Extended
Extended access lists match on both source and destination addresses
as well as the protocol and port number that identify the upper-layer
protocol or application. They are normally placed as close to the
source as possible.
Range: 100–199 and the expanded range 2000–2699.
Named
Another way to create standard and extended access lists is with
named access lists. In large organizations, managing access lists can
become a real problem; the best way to overcome this is to use named
access lists instead of long numbered lists.
If you are managing dozens of access lists, remembering number series
is difficult, whereas a name such as "BusinessLAN" is far easier to
recall than one dubbed "70". Named access lists also assign a
sequence number to each entry, so a single entry can be removed or
inserted without rebuilding the whole list.
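The three list types above, with the first-match rule, the implicit deny and the inbound/outbound placement made visible, as an added example that is not configuration from the original workbook. The subnets (admin 10.1.1.0/24, users 10.1.10.0/24, servers 10.1.20.0/24, a DNS server at 10.1.20.53) and the interface names are assumptions:

```cisco
! Added example, not from the original workbook. Subnets, hosts and
! interface names are assumptions.
!
! Standard ACL (1-99): matches on source address only, so it cannot say
! "to the servers"; it is applied OUTBOUND on the server-VLAN interface,
! i.e. as close to the destination as possible.
access-list 10 remark Only admin and user subnets may reach the server VLAN
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.1.10.0 0.0.0.255
! The implicit "deny any" follows anyway; writing it out with "log" makes
! the drops visible in the match counters and in syslog.
access-list 10 deny any log
!
! Extended ACL (100-199): source, destination, protocol and port. Applied
! INBOUND on the user-facing interface so denied packets are dropped
! before the routing lookup. ORDER MATTERS: the specific deny must come
! before the broad permits, because the first matching line wins and the
! rest are never evaluated.
access-list 110 remark Block Telnet to the server VLAN, allow web and DNS
access-list 110 deny   tcp any 10.1.20.0 0.0.0.255 eq 23 log
access-list 110 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 80
access-list 110 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
access-list 110 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
! Everything else from the user VLAN (internet included) is denied here;
! add further permits above this line as the policy requires.
access-list 110 deny   ip any any log
!
! Named extended ACL: the same filter, but each entry carries a sequence
! number, so one line can be deleted ("no 10") or inserted ("15 permit ...")
! without rebuilding the whole list.
ip access-list extended BusinessLAN
 10 deny   tcp any 10.1.20.0 0.0.0.255 eq 23 log
 20 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 80
 30 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 40 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 50 deny   ip any any log
!
interface GigabitEthernet0/0
 description User VLAN (10.1.10.0/24)
 ip access-group BusinessLAN in
!
interface GigabitEthernet0/1
 description Server VLAN (10.1.20.0/24)
 ip access-group 10 out
!
! Verify: "show access-lists" shows per-line match counters, which proves
! the deny on line 10 is being hit rather than a later permit;
! "show ip interface GigabitEthernet0/0" confirms the list is applied inbound.
```

Only one IP ACL can be applied per interface per direction; applying a second one silently replaces the first. Test from a host in each subnet (a Telnet attempt to a server should fail and raise the line-10 counter, a web request should succeed) before trusting the list.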
Lab: NAT, DHCP, NTP, Syslog, and SSH
Case Study
An organization has deployed the network architecture shown below.
Routers R1 and R2 act as DHCP servers providing address pools to the
end users, and as NTP clients of R3, which is configured as the NTP
server. SSH is configured on all routers to provide secure access
from the management station. The router facing the ISP is configured
with NAT to translate private addresses to public addresses. The RIP
routing protocol provides interconnectivity between the networks.
Topology Diagram
Figure 5-09: Topology for NAT, DHCP, NTP, Syslog, and SSH
Configuration
Verification
Layer 2 Security Features
With the rapid development of IP networks in recent years, high-level
switching has played one of the most fundamental roles in moving data
reliably, efficiently, and securely across networks. Cisco Catalyst
switches are leaders in the switching market and major players in
today's networks.
The data-link layer (Layer 2) of the OSI model provides the functional
and procedural means to transfer data between network nodes, with
interoperability and interconnectivity to the other layers, but from a
security standpoint the data-link layer presents its own challenges.
Network security is only as strong as its weakest link, and that link
is often Layer 2. Applying high-level security measures to the upper
layers (Layers 3 and higher) adds no value to your network if Layer 2
is compromised. Cisco switches offer a wide variety of Layer 2 security
features to protect both the network traffic flow and the devices
themselves.
DHCP Snooping
DHCP Snooping is a security feature designed by Cisco to mitigate the
issues created by rogue DHCP servers.
It behaves like a firewall between trusted DHCP servers and untrusted
hosts. DHCP snooping validates DHCP messages, whether they are received
from a legitimate source or from an untrusted source, and filters out
the invalid messages.
It is actually very easy for someone to bring a DHCP server into a
corporate environment, accidentally or maliciously. DHCP snooping is
all about protecting against this.
Consider a scenario of a corporate network:
Figure 5-10: Rogue DHCP Server in Corporate Environment
As shown in the diagram above, a DHCP server is running with an IP
address of
Let's consider a disgruntled employee, say Bob, who has some
administrative issues at work and has decided to bring an embedded
device to the office the following day. On the embedded device, Bob has
installed BackTrack, a Linux distribution commonly used for penetration
testing and ethical hacking. Bob plugs the BackTrack-based embedded
device into his workstation's port and starts listening to the DHCP
requests from different end devices. DHCP address assignment is a
four-step process, as shown below:
D – Discover: Sent by end devices to discover a DHCP server
O – Offer: Response from the DHCP server to the corresponding Discover
message
R – Request: Sent by end devices to request the offered IP address from
the DHCP server
A – Acknowledge: Response from the DHCP server to the Request message
Because these steps are broadcast, the request is heard by both DHCP
servers. The rogue DHCP server will also advertise itself as the
default gateway and DNS server in every lease it assigns. End users who
get an IP address from the rogue DHCP server will never know about it,
as this process is automatic and most employees do not have a deep
understanding of how the different networking services work. The
disgruntled employee, after receiving the traffic, forwards it to the
correct gateway and so successfully implements the man-in-the-middle
attack.
To mitigate such attacks, the DHCP snooping feature is enabled on the
switches to identify the trusted ports; only DHCP server traffic
received on those ports is considered legitimate. Any access port that
tries to reply to DHCP requests is ignored, because the switch allows
DHCP server messages only from the trusted ports defined by the
networking team.
Dynamic ARP Inspection
Dynamic ARP Inspection is a security feature that validates ARP packets
in a network. It determines the authenticity of a packet by checking
its IP-to-MAC address binding against a trusted database, i.e., the
DHCP snooping binding database, before forwarding the packet to the
appropriate destination. Dynamic ARP Inspection drops all ARP packets
whose IP-to-MAC address bindings fail the inspection. The DHCP snooping
binding database is built when the DHCP snooping feature is enabled on
the switch and on the VLANs.
The Dynamic ARP Inspection (DAI) feature protects the network
from many of the commonly known Man-in-the-Middle (MITM)
type attacks. Dynamic ARP Inspection ensures that only valid ARP
requests and responses are forwarded.
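As an added illustration (not code from the workbook), the following Python model replays the rogue-server scenario above through a switch that applies DHCP snooping first and Dynamic ARP Inspection second; the port names, VLAN number, MAC and IP addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# DHCP message types that only a DHCP server may send.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str            # DISCOVER / OFFER / REQUEST / ACK / NAK
    client_mac: str      # chaddr: the client the lease is for
    client_ip: str = ""  # yiaddr: only meaningful in OFFER / ACK


@dataclass
class ArpMsg:
    sender_mac: str
    sender_ip: str


@dataclass
class Switch:
    trusted_ports: set
    # DHCP snooping binding database: (vlan, ip) -> mac
    bindings: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port: str, vlan: int, msg: DhcpMsg) -> bool:
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg.kind in SERVER_MSGS and port not in self.trusted_ports:
            # A server-side message on an untrusted (access) port can only
            # come from a rogue DHCP server: drop it and record the event.
            self.log.append(f"DROP DHCP {msg.kind} on untrusted port {port}")
            return False
        if msg.kind == "ACK":
            # A lease confirmed by a trusted server populates the binding
            # table that DAI later consults.
            self.bindings[(vlan, msg.client_ip)] = msg.client_mac
        return True

    def arp_inspect(self, port: str, vlan: int, msg: ArpMsg) -> bool:
        """DAI: ARP from an untrusted port must match a snooping binding."""
        if port in self.trusted_ports:
            return True
        bound_mac = self.bindings.get((vlan, msg.sender_ip))
        if bound_mac != msg.sender_mac:
            self.log.append(f"DROP ARP {msg.sender_ip} is-at {msg.sender_mac} "
                            f"on {port} (binding: {bound_mac})")
            return False
        return True


def run_scenario() -> dict:
    """Replay the rogue-server scenario from the text; return what happened."""
    sw = Switch(trusted_ports={"Gi0/24"})   # Gi0/24: uplink to the real server
    vlan = 10
    alice = "00:11:22:33:44:55"              # legitimate client on Gi0/1
    bob = "66:77:88:99:aa:bb"                # rogue device on Gi0/2
    out = {}
    # DORA: client messages from access ports are always forwarded.
    out["discover"] = sw.dhcp_snoop("Gi0/1", vlan, DhcpMsg("DISCOVER", alice))
    # Both servers hear the broadcast; only the trusted port's OFFER survives.
    out["offer_trusted"] = sw.dhcp_snoop("Gi0/24", vlan,
                                         DhcpMsg("OFFER", alice, "10.0.0.50"))
    out["offer_rogue"] = sw.dhcp_snoop("Gi0/2", vlan,
                                       DhcpMsg("OFFER", alice, "10.0.0.200"))
    out["request"] = sw.dhcp_snoop("Gi0/1", vlan, DhcpMsg("REQUEST", alice))
    out["ack"] = sw.dhcp_snoop("Gi0/24", vlan,
                               DhcpMsg("ACK", alice, "10.0.0.50"))
    # DAI: Alice's ARP matches her binding; Bob claiming the gateway address
    # 10.0.0.1 from an untrusted port has no binding and is dropped.
    out["arp_alice"] = sw.arp_inspect("Gi0/1", vlan, ArpMsg(alice, "10.0.0.50"))
    out["arp_bob"] = sw.arp_inspect("Gi0/2", vlan, ArpMsg(bob, "10.0.0.1"))
    out["bindings"] = dict(sw.bindings)
    out["log"] = list(sw.log)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```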
Port Security
Port Security is used to bind the MAC addresses of known devices to
physical ports and to define the violation action for each port. When
an attacker tries to connect a PC or an embedded device to the switch
port, the port either shuts down or restricts the attacker, preventing
the attack. In dynamic port security, you configure the total number of
allowed MAC addresses, and the switch allows only that number of
addresses concurrently, without specifying what those MAC addresses
are.
If a switch detects a MAC address on a port that is not bound to it,
Cisco IOS defines three violation actions against the configured MAC
addresses: the switch can shut down the port, restrict the port, or
protect the port.
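The three violation actions, as an added example that is not from the workbook: a Python model of one secured port receiving the same frame sequence under each mode, so the difference between shutdown, restrict and protect is visible in what is forwarded, counted and logged. The port name and MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # allowed MAC addresses on the port
    violation: str = "shutdown"   # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.err_disabled:
            return False                      # port stays down until recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Dynamic learning up to the configured maximum.
            self.secure_macs.add(src_mac)
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        """Apply the configured violation action; the frame is never forwarded."""
        if self.violation == "protect":
            return False                      # silent drop: no counter, no log
        self.violation_count += 1             # restrict and shutdown both count
        self.log.append(f"{self.name}: unauthorised MAC {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True          # port goes err-disabled
        return False


def replay(violation: str) -> dict:
    """Send the same frame sequence to a port in the given violation mode."""
    port = SecurePort("Gi0/1", maximum=1, violation=violation)
    legit = "00:11:22:33:44:55"               # the one expected device
    rogue = "de:ad:be:ef:00:01"               # a second device plugged in
    forwarded = [
        port.ingress(legit),   # learned as the single allowed MAC
        port.ingress(rogue),   # violation: dropped in every mode
        port.ingress(legit),   # does the legitimate device still work?
    ]
    return {"forwarded": forwarded, "err_disabled": port.err_disabled,
            "violations": port.violation_count, "log": port.log}


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, replay(mode))
```

Note that only shutdown takes the legitimate device offline as well; restrict and protect keep the port up and differ only in whether the violation is counted and logged.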
Authentication, Authorization, and Accounting Concepts
In the previous sections we discussed different techniques to prevent
an attacker from gaining unauthorized access to the network
infrastructure. Users who need to access networking devices for
maintenance or configuration also need authorization, as well as a
proper audit trail, so that authorized and unauthorized users can be
differentiated.
The Authentication, Authorization and Accounting (AAA) framework, as
its name suggests, is used to identify, validate and authenticate a
legitimate user on the management plane of a network device. AAA
supports both local username and password databases and centralized
directories such as Active Directory (AD). If the network administrator
wants multiple users to access the devices in a network, a centralized
directory listing the authorized users is created and used to
authenticate them.
AAA Components
AAA is a modular framework that covers all kinds of access over the
network, whether it is a network administrator trying to access a
networking device or an end user trying to send data traffic out of the
local LAN.
The three main components of AAA are:
Authentication
Authentication is the process of proving an identity to the system by
means of a login identification and a password. It also serves to
determine whether the user is who he claims to be.
It is used in every system, not just in computer networking. In a
banking system, we need it to prove our identity by entering a password
before making a transaction. Similarly, if a network administrator
needs to access a router or a switch and wants to make changes, some
kind of authentication must be defined on the device. The first, but
least practical, solution is to define the username and password
database on the device itself. The second option is to use a
centralized server such as Cisco ACS or ISE. On Cisco devices, we can
combine both options by defining a method list, which states the
preferred methods for authentication in order. If one option is not
available, the next option is used, and so on.
Authorization
Authorization determines which resources a user may access and which
operations a user may perform, according to the user's job role. After
authentication succeeds, the next step is to determine the level of
clearance the user has for the actions he is permitted to perform. A
banking example fits well here: after entering the correct password, we
are authorized to withdraw cash only up to the balance available in the
bank account. There are similar scenarios in computer networking where
we need to restrict a user's access. For example, an end user may need
network resources for eight hours a day, while a network administrator
may need the commands associated with privilege level 4. Custom as well
as default method lists are used to define authorization on Cisco
devices.
Accounting
The third element of AAA is accounting, or auditing, which keeps track
of how the network resources of an organization are being used.
Whenever users are authenticated and authorized for a specific set of
commands on Cisco devices, the commands used while accessing a specific
device at a specific time must be recorded. As with authentication and
authorization, a default or custom method list defines what should be
accounted for and where this information is sent.
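An added example (not from the workbook) that models all three AAA components on a device: a method list that falls back from a central server to the local database only when the server does not answer, privilege-level authorization of commands, and the accounting trail those decisions leave. The users, passwords, privilege levels and command levels are constructed, and the server class stands in for ACS or ISE.

```python
class CentralServer:
    """Stands in for a central AAA server such as Cisco ACS or ISE."""
    name = "tacacs+"

    def __init__(self, users: dict, reachable: bool = True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return "ERROR"          # no response: the method list moves on
        return _check(self.users, user, password)

    def privilege(self, user: str) -> int:
        return self.users.get(user, {}).get("priv", 1)


class LocalDatabase(CentralServer):
    """Usernames and passwords configured on the device itself."""
    name = "local"

    def __init__(self, users: dict):
        super().__init__(users, reachable=True)


def _check(users: dict, user: str, password: str) -> str:
    entry = users.get(user)
    return "PASS" if entry and entry["password"] == password else "FAIL"


class Aaa:
    def __init__(self, method_list: list, command_levels: dict):
        self.methods = method_list            # tried in order
        self.command_levels = command_levels  # command -> privilege required
        self.accounting = []                  # audit trail of command use

    def login(self, user: str, password: str) -> tuple:
        """Authentication with method-list fallback: the next method is tried
        only when the previous one did not answer. An explicit reject ends the
        attempt, so a reachable server cannot be bypassed via the fallback."""
        for method in self.methods:
            result = method.authenticate(user, password)
            if result == "PASS":
                return True, method.name
            if result == "FAIL":
                return False, method.name
        return False, "none"                  # every method unreachable: deny

    def run_command(self, user: str, method, command: str) -> bool:
        """Authorization by privilege level, recorded by accounting."""
        required = self.command_levels.get(command, 15)
        allowed = method.privilege(user) >= required
        self.accounting.append((user, command, "PERMIT" if allowed else "DENY"))
        return allowed


def demo() -> dict:
    central_users = {"netops": {"password": "S3cret!", "priv": 4}}
    local_users = {"admin": {"password": "LocalOnly#1", "priv": 15}}
    command_levels = {"show ip interface brief": 1,
                      "show running-config": 15, "reload": 15}
    central = CentralServer(central_users, reachable=True)
    aaa = Aaa([central, LocalDatabase(local_users)], command_levels)
    out = {}
    # Normal case: the central server answers and accepts the credentials.
    out["central_ok"] = aaa.login("netops", "S3cret!")
    # The central server answers with a reject: the local database is NOT
    # consulted, even though it knows this user.
    out["central_reject"] = aaa.login("admin", "LocalOnly#1")
    # Central server down: fallback to the local database succeeds.
    central.reachable = False
    out["fallback"] = aaa.login("admin", "LocalOnly#1")
    # No method able to answer: the login is denied (fail closed).
    out["all_down"] = Aaa([central], command_levels).login("netops", "S3cret!")
    central.reachable = True
    # Authorization: privilege level 4 is enough for the level-1 command only.
    out["show_brief"] = aaa.run_command("netops", central,
                                        "show ip interface brief")
    out["show_run"] = aaa.run_command("netops", central, "show running-config")
    out["accounting"] = list(aaa.accounting)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```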
Wireless Security Protocols
Wireless communication has become more popular with each passing year.
Therefore, it is essential to understand the protocols and procedures
that can secure wireless networks. This section discusses WPA, WPA2 and
WPA3.
WPA
Wi-Fi Protected Access (WPA) was designed to improve on WEP as a means
of securing wireless communications. WPA is an upgrade for systems that
currently use WEP.
WPA offers two distinct advantages over WEP:
- Improved data encryption through the Temporal Key Integrity Protocol
(TKIP), which scrambles the keys using a hashing algorithm
- User authentication using the Extensible Authentication Protocol
(EAP) and user certificates, which ensures that only authorized users
can gain access to the network
WPA2
Wi-Fi Protected Access version 2 (WPA2) further improves on
WPA, offering additional advantages such as the following:
- Uses Advanced Encryption Standard (AES) mode of encryption
for much stronger security and longer security keys. It is usually
installed in enterprise environments
- Implements Counter Mode Cipher Block Chaining Message
Authentication Code Protocol (CCMP), which is based on the
802.11i standard and offers an enhanced data cryptographic
encapsulation mechanism that replaces TKIP completely with a
much stronger security method.
WPA3
Wi-Fi Protected Access 3 (WPA3) is the third iteration of a security
certification program developed by the Wi-Fi Alliance. WPA3 is the
modern, updated implementation of WPA2, which has been in use since
2004. The Wi-Fi Alliance began to certify WPA3-approved products in
2018.
The WPA3 protocol provides new features for personal and enterprise
use such as 256-bit Galois/Counter Mode Protocol (GCMP-256), 384-bit
Hashed Message Authentication Code (HMAC) and 256-bit
Broadcast/Multicast Integrity Protocol (BIP-GMAC-256). The WPA3
protocol also supports security measures such as perfect forward
secrecy.
WPA3 support will not be upgraded automatically on every device. Users
who want WPA3-approved devices will have to either buy new routers that
support WPA3 or hope that the device is updated by the manufacturer to
support the new protocol.
Configure WLAN using WPA2 PSK using GUI
This section explains the configuration of Wi-Fi Protected Access 2
(WPA2) PSK on a Wireless LAN Controller (WLC).
WPA2-PSK Configuration with GUI
Complete these steps to configure WPA2 PSK in the WLC GUI:
Navigate to GUI > Wireless and go to the Basic Wireless Settings.
Create a new WLAN with the network name Cisco and leave the other
parameters at their defaults, as shown in Figure 5-10.
Figure 5-11: Basic Wireless Settings
Go to the Wireless Security tab and select WPA2 Personal from the
drop-down menu.
Select the encryption type, AES or TKIP. Here, we selected AES.
Enter a passphrase. As shown in Figure 5-11, we have set it to
“cisco123”.
Figure 5-12: Wireless Security
Click the Save button at the bottom of the GUI page to save the
configuration.
Figure 5-13: Configuring WPA2 PSK
To check the status of the WPA2 PSK, go to the Wireless Network tab.
Figure 5-14: Checking Wireless Network Status
Verifying WPA2 PSK
Use this section to confirm that your configuration works properly.
Connect a PC to the WLC and check the connection profile. The figure
below confirms that the WPA2-PSK client is connected:
Figure 5-15: Verifying WPA2 PSK
Mind Map
Figure 5-16: Mind Map of Security Fundamentals
Summary
Security Concepts
The presence of vulnerability in a system results in a threat
Vulnerability is an inherent weakness in the design, configuration,
implementation, or management of a network or system that can
be exploited by an attacker
Exploits are software programs that were specifically designed to
attack systems with vulnerabilities
IT threat mitigation is defined as the actions, prevention techniques
or remedies implemented to reduce IT threats on a network, computer, or
server
Security Program Elements
Security program elements are critical to the success of a security
effort
They include explaining awareness and training, policies,
procedures, and recent threats to both users and management
A security-awareness program can do plenty to support you in your
efforts to improve and maintain security
Configure Device Access Control Using Local Passwords
The use of password protection to control or restrict access to
the Command Line Interface (CLI) of the router is one of the
fundamental elements of an overall security plan
The CTY line-type is the Console Port
The AUX line is the Auxiliary Port
The VTY lines are the Virtual Terminal lines of the router, used
solely to control inbound Telnet connections
Security Password Policies Elements
Password management is a set of principles and best practices to be
followed by users while storing and managing passwords, so that
passwords are secured as much as possible and unauthorized access is
prevented
The password policy typically comprises the requirements for
minimum password length, maximum password age, minimum
password age, password history retention, and some sort of
complexity requirement
Remote-Access and Site-to-Site VPNs
Virtual Private Network (VPN) is an encrypted communication
channel or tunnel between two remote sites over the internet
Features of VPN technology are Confidentiality, Data Integrity,
Authentication, and Anti-Replay Protection
Remote access VPN feature allows an end point to connect to the
secure LAN network of an organization
Site-to-site VPN securely connects two or more sites that want to
connect together over the internet
Configure and Verify Access Control Lists
Standard IP access lists filter network traffic on the basis of
source IP address in a packet
Extended access-lists specify both source and destination addresses
as well as protocol and port number that identify the upper layer
protocol or an application
Another way to create standard and extended access lists is named
access-lists
Layer 2 Security Features
Applying high level security measures to the upper layers (Layers 3
and higher) does not add value to your network if Layer 2 is
compromised
DHCP Snooping is a security feature designed by Cisco, to
mitigate the issues created by rogue DHCP servers
Dynamic ARP inspection determines the authenticity of packets by
performing an IP-to-MAC address binding inspection stored in a
trusted database
Port Security is used to bind the MAC addresses of known devices to
the physical ports and also defines the violation action for that
port
Authentication, Authorization, and Accounting Concepts
Authentication, Authorization and Accounting (AAA) framework, as
its name suggests, is used to identify, validate and authenticate a
legitimate user on the management plane of a network device
Authentication is the process of proving an identity to the system
by login identification and a password
Authorization determines the access of resources and the
operations performed by users according to their role of job
Third element of AAA is accounting or auditing, which keeps the
track of how the network resources of an organization are being
used
Wireless Security Protocols
WPA is an upgrade for systems that currently use WEP
WPA2 uses Advanced Encryption Standard (AES) mode of
encryption and implements Counter Mode Cipher Block Chaining
Message Authentication Code Protocol (CCMP), offering an
enhanced data cryptographic encapsulation mechanism
WPA3 protocol provides new features for personal and enterprise use
such as 256-bit GCMP-256, 384-bit HMAC and 256-bit BIP-GMAC-256
Configure WLAN using WPA2 PSK using GUI
Configure the WPA2 PSK in the Wireless LAN controller by
selecting the WPA2 personal option in the wireless security tab on
the WLC GUI
Practice Question
Chapter 06: Automation and Programmability
The network programmability toolset is the foundation for
advanced next-generation network automation. Network automation
adds pre-built intelligence that can assist with network
deployments, operations, or troubleshooting. Like programmability,
automation reduces cost and complexity. Network automation
toolsets have been available for some time; however, due to the
complexity or cost, very few networks are automated. Network
programmability, specifically open APIs, makes automation simpler
and more accessible through standard tools.
Automation Impacts on Network Management
Nowadays, automation technology is getting more and more attention due
to its benefits in terms of flexible configuration, programmability,
and cost efficiency. Network automation is the automated procedure of
configuring, testing, managing, deploying, and operating virtual and
physical devices within a network.
Why do we need to automate our network?
Network automation can be used by any type of network.
Hardware- and software-based solutions enable service providers,
data centers, and enterprises to implement network automation to
increase efficiency, reduce human error, and lower operating
expenses. One of the major issues for network managers is the growth
of IT costs for network operations. The growth of data and devices is
beginning to outpace IT capabilities, making manual approaches almost
impossible. Yet around 95 percent of network changes are still
performed manually, resulting in operational costs up to 2 to 3 times
greater than the cost of the network or system itself. Increasing IT
automation, managed centrally and remotely, is essential for businesses
to keep pace in the digital world.
How can network automation be beneficial?
There are three core benefits of network automation, which are as
follows:
Improved Efficiency: By automating functions on network devices,
humans no longer have to perform time-consuming tasks.
Reduced Likelihood of Human Error: Manual tasks are prone to human
errors that lead to configuration errors and inconsistencies in the
network. Setting up a task for automation means that it only needs to
be entered correctly once.
Lower Operational Costs: This benefit comes as a result of the previous
two points. By eliminating certain manual tasks around network device
provisioning and network management, businesses can operate with
greater speed and agility. For example, automated provisioning may save
a network engineer from having to travel to a new branch office to
establish network connectivity, thus enabling employees at that site to
get to work faster.
Why Choose Cisco for Networking
Makes working together possible
Cisco offerings are made to work together by providing you
with all the necessary elements you need for network automation.
Provides comprehensive solutions + software + products +
services
Software outlines how our hardware, software, fabric-based digital
automation, and non-fabric-based automation work together.
Migrate at your own speed
Migrate at a pace that is easy and comfortable for you. Import your
former work on device mapping and policies.
No other vendor delivers like Cisco
Only Cisco is able to deliver IBNs (Identity-Based Networking
Services) that combine automation, intelligence, and human expertise
in a way that helps simplify complexity, optimize IT, and reduce
operational costs.
Compare Traditional Networks with Controller-based Networking
Figure 6-01: Traditional Vs. SD-WAN
Traditional networking relies on per-device management, which takes
time and creates many complexities; this approach is prone to human
error. Cisco SD-Access uses a modern controller designed to translate
business intent into the orchestration and operation of network
elements. It includes the day-0 configuration of devices and the
policies related to end users, devices and endpoints as they connect
to the network. The controller provides a network abstraction layer
that arbitrates the specifics of a number of network elements.
Furthermore, the Cisco DNA Center controller exposes northbound
Representational State Transfer (REST)-based APIs to assist third-party
or in-house development of meaningful services on the network.
Table 6-01: Traditional Vs. SD-WAN
Controller-based and Software Defined Architectures
Cisco® Software-Defined Access (SD-Access) is the development
from traditional campus LAN designs to networks that directly
implement the intent of an organization. SD-Access is supported
with an application suite that runs as part of the Cisco DNA
Center software for designing, applying policy, provisioning, and
facilitating the creation of a smart campus wired and wireless
network with assurance.
SD-Access Architecture
Cisco SD-Access is one of the most important elements of the Cisco
Digital Network Architecture (Cisco DNA). Cisco DNA is the plan for
the future of intent-based networking in Cisco Enterprise Networks.
The Cisco SD-Access solution can be divided into five basic layers,
and then divided further. This section emphasizes the relationships
between these five basic layers from an overall architectural
perspective. Figure 6-02 illustrates the layers and their relation to
one another.
Figure 6-02: SD-Access Architecture
Physical Layer: Comprises the hardware elements, such as
routers, switches and wireless devices, interfaces and clusters or
virtual switches, as well as server appliances.
Network Layer: Comprises the control plane, data plane, and
policy plane elements that make up the network underlay and
fabric overlay.
Controller Layer: Comprises the software system management
and orchestration elements and associated subsystems, such as
automation, identity, and analytics.
Management Layer: Comprises the elements that users interact
with, in particular the Graphical User Interface (GUI), as well as
APIs and Command Line Interfaces (CLIs) where appropriate.
Partner Ecosystem: Comprises all of the Cisco and third-party
partner systems that are capable of augmenting and/or leveraging
services within SD-Access.
Underlay
The underlay network is built from the physical switches and routers
that are used to deploy the SD-Access network. All network nodes of
the underlay must establish IP connectivity through a routing
protocol. Instead of using arbitrary network topologies and protocols,
the underlay implementation for SD-Access uses a well-designed Layer 3
foundation, including the campus edge switches, to guarantee
scalability, performance, and high availability of the network.
In SD-Access, the underlay switches provide the physical connectivity
for endpoints and users. However, end-user subnets and endpoints are
not part of the underlay network; they are elements of a programmable
Layer 2 or Layer 3 overlay network. The validated SD-Access solution
supports IPv4 underlay networks, and IPv4 and IPv6 overlay networks.
Overlay
An overlay network is built on top of the underlay to deploy a
virtualized network. The data plane traffic and control plane
signaling are contained within each virtualized network, maintaining
separation among the networks as well as independence from the
underlay network. The SD-Access fabric implements virtualization by
encapsulating user traffic in overlay networks using IP packets that
are sourced and terminated at the edge of the fabric. The fabric
boundaries consist of border nodes for traffic entering and leaving
the fabric, fabric edge switches for wired clients, and fabric APs for
wireless clients. Overlay networks can run across all of the underlay
network devices. Multiple overlay networks can run over the same
underlay network to support multitenancy through virtualization. Each
overlay network acts as a Virtual Routing and Forwarding (VRF)
instance for connectivity to external networks. You preserve the
overlay separation when extending the networks outside of the fabric
by using VRF-lite, maintaining the network separation within devices
connected to the fabric and on the connections between VRF-enabled
devices.
Fabric
Fabric technology is an integral part of SD-Access that provides
wired and wireless campus networks with programmable overlays
and easy-to-implement network virtualization. It permits a physical
network to host one or more logical networks as required to meet
the design goals. In addition, fabric technology in the campus
network improves control of communications, providing software-based
segmentation and policy enforcement based on user identity and
group membership.
Separation of Control Plane and Data Plane
Fabric Control Plane
The basic technology used for the fabric control plane is the
Locator/ID Separation Protocol (LISP). LISP is an IETF standard
protocol (RFC 6830) based on a simple endpoint ID (EID) to
routing locator (RLOC) mapping system that separates an endpoint's
"identity" (its address) from its current "location" (the router
it is attached to).
LISP greatly simplifies the traditional routing model by removing
the need for each router to hold a route for every possible IP
destination. Remote destination information is moved to a
centralized map database, which lets each router hold only its
local routes and query the mapping system to locate remote
endpoints. Because the mapping system becomes the source of truth
for where every endpoint is, Map-Register messages carry
authentication data computed with a key shared between the edge
node and the map server; an unauthenticated registration would
let an attacker redirect an endpoint's traffic to a locator of
their choosing.
This technology offers many advantages for Cisco SD-Access:
less CPU usage, smaller routing tables (in hardware and/or
software), address-agnostic mapping (IPv4, IPv6, and/or MAC),
dynamic host mobility (wired and wireless), built-in network
segmentation (Virtual Routing and Forwarding), and so on.
In Cisco SD-Access, several enhancements have been added to
the original LISP specification, including Virtual Network (VN)
Extranet, Fabric Wireless, and distributed Anycast Gateway, and
Cisco continues to add features.
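To make the map-and-encap model concrete, here is a small Python simulation added for this section (it is not Cisco code and does not implement the LISP wire format): a map server that stores EID-to-RLOC mappings, answers Map-Requests with a longest-prefix match, and accepts a Map-Register only when its HMAC verifies with the key shared with that site, the same idea as the authentication data in RFC 6830. The site names, keys, EIDs and RLOCs are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class MapServer:
    """Toy LISP map-server: holds the EID-to-RLOC database and accepts a
    Map-Register only if its authentication data (an HMAC, as in RFC 6830)
    verifies with the key shared with that site's ETR."""
    keys: Dict[str, bytes]                       # site name -> shared key (sample data)
    db: dict = field(default_factory=dict)       # EID prefix -> (RLOC, site)

    @staticmethod
    def auth_data(key: bytes, eid: str, rloc: str) -> bytes:
        # RFC 6830 computes the HMAC over the whole Map-Register message;
        # here the EID/RLOC pair stands in for that message.
        return hmac.new(key, f"{eid}|{rloc}".encode(), hashlib.sha256).digest()

    def map_register(self, site: str, eid: str, rloc: str, auth: bytes) -> bool:
        key = self.keys.get(site)
        if key is None or not hmac.compare_digest(auth, self.auth_data(key, eid, rloc)):
            return False                         # unauthenticated: ignore it
        self.db[ipaddress.ip_network(eid)] = (rloc, site)
        return True

    def map_request(self, addr: str) -> Optional[str]:
        """Answer a Map-Request with the RLOC of the longest matching EID prefix."""
        ip = ipaddress.ip_address(addr)
        best = None
        for prefix, (rloc, _site) in self.db.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, rloc)
        return None if best is None else best[1]


def etr_register(ms: MapServer, site: str, key: bytes, eid: str, rloc: str) -> bool:
    """What an ETR (fabric edge) does: build the Map-Register and sign it."""
    return ms.map_register(site, eid, rloc, MapServer.auth_data(key, eid, rloc))


def demo():
    keys = {"site-a": b"constructed-key-a", "site-b": b"constructed-key-b"}
    ms = MapServer(keys)
    # The edge node registers the /32 host EID behind it; other nodes never
    # need that host route, they ask the mapping system when they need it.
    etr_register(ms, "site-a", keys["site-a"], "10.1.1.10/32", "192.168.0.1")
    first = ms.map_request("10.1.1.10")
    # Host moves to the edge at 192.168.0.2: a new Map-Register replaces the
    # mapping, with no routing-table churn elsewhere in the fabric.
    etr_register(ms, "site-a", keys["site-a"], "10.1.1.10/32", "192.168.0.2")
    moved = ms.map_request("10.1.1.10")
    # Without the site key a forged registration is dropped, so the EID
    # cannot be hijacked to the attacker's RLOC.
    forged = ms.map_register("site-b", "10.1.1.10/32", "203.0.113.9", b"\x00" * 32)
    return first, moved, forged, ms.map_request("10.1.1.10")


if __name__ == "__main__":
    print(demo())
```

The real protocol exchanges Map-Register, Map-Notify, Map-Request and Map-Reply messages over UDP; what the simulation keeps is the division of labour (edges register and query, the map server resolves) and the rule that only an authenticated registration may change a mapping.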
Fabric Data Plane
The basic technology used for the fabric data plane is Virtual
Extensible LAN (VXLAN). VXLAN is an IETF standard encapsulation
(RFC 7348). VXLAN encapsulation is IP/UDP-based, meaning that it
can be forwarded by any IP-based network, which is what creates
the "overlay" of the SD-Access fabric. VXLAN encapsulation is used
for two main reasons: it carries the original Layer 2 (Ethernet)
header, and it provides fields for additional information such as
the virtual network ID and the group ID.
This technology provides several advantages for SD-Access, such
as support for both Layer 2 and Layer 3 virtual topologies
(overlays), and the ability to operate over any IP-based network
with built-in network segmentation (VRF/VN) and built-in group-based
policy. Note that VXLAN itself provides no confidentiality or
integrity: the outer headers, the VNI and the group ID travel in
the clear, so the underlay must be trusted (or the fabric links
encrypted) for the segmentation to hold against an attacker on
the wire.
In SD-Access, some enhancements to the original VXLAN
specification have been added, in particular the carrying of Security
Group Tags (SGTs) in the header. This VXLAN format is an IETF
draft known as the Group Policy Option, or VXLAN-GPO.
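The header layout described above is easy to check with code. The following Python example is added here (it is not from the workbook or from Cisco) and builds and parses the 8-byte VXLAN header with the Group Policy extension: the I bit marks the VNI as valid, the G bit marks the 16-bit Group Policy ID as carrying a tag, and the A bit records that policy was already applied. The small SGT matrix and the egress check are constructed for the example and stand in for the policy that SD-Access distributes to the fabric edges.

```python
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789        # RFC 7348 well-known destination port
FLAG_G, FLAG_I = 0x80, 0x08  # byte 0: G = Group Policy ID present, I = VNI valid
GBP_D, GBP_A = 0x40, 0x08    # byte 1: D = don't learn source, A = policy applied

# Constructed SGT policy matrix: (source SGT, destination SGT) -> permit
SGT_POLICY = {(10, 20): True, (20, 10): False}


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None, policy_applied: bool = False) -> bytes:
    """Build the 8-byte VXLAN header. With sgt given, set the G bit and carry
    the tag in the 16-bit Group Policy ID field of the VXLAN-GPO draft."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    flags, gbp_flags, group_id = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("Group Policy ID is a 16-bit field")
        flags |= FLAG_G
        group_id = sgt
        if policy_applied:
            gbp_flags |= GBP_A
    # layout: flags(8) | GBP flags(8) | group id(16) | VNI(24) | reserved(8)
    return struct.pack("!BBHI", flags, gbp_flags, group_id, vni << 8)


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode a header built above, or one read right after the UDP header."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, gbp_flags, group_id, vni_reserved = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    return {
        "vni": vni_reserved >> 8,
        "sgt": group_id if flags & FLAG_G else None,
        "policy_applied": bool(gbp_flags & GBP_A),
        "dont_learn": bool(gbp_flags & GBP_D),
    }


def egress_decision(header: bytes, dst_sgt: int, default_permit: bool = False) -> str:
    """What a fabric edge does on egress: the source SGT arrives in the VXLAN
    header, the destination SGT is known locally from the endpoint's
    authentication, and the matrix decides. Untagged traffic is denied so a
    packet that bypassed classification cannot inherit any permission."""
    fields = parse_vxlan_gpo(header)
    if fields["sgt"] is None:
        return "deny (untagged)"
    permitted = SGT_POLICY.get((fields["sgt"], dst_sgt), default_permit)
    return "permit" if permitted else "deny"


if __name__ == "__main__":
    hdr = build_vxlan_gpo(5001, sgt=10, policy_applied=True)
    print(hdr.hex(), parse_vxlan_gpo(hdr), egress_decision(hdr, 20))
```

Because the tag is a plain 16-bit field, any host that can inject UDP/4789 packets into the underlay can claim any SGT; this is why fabric edges are the only nodes that should originate VXLAN toward the fabric and why underlay access must be restricted.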
Northbound and Southbound APIs
A northbound interface allows a component of a network to
communicate with a higher-level component. Conversely, a
southbound interface allows a network component to communicate
with a lower-level component.
Figure 6-03: Northbound and Southbound APIs
As shown in the figure, northbound flow can be thought of as going
upward, while southbound flow can be thought of as going
downward. In SDN, a well-known southbound interface is the OpenFlow
protocol specification. Its main function is to allow communication
between the SDN controller and the network nodes (both physical
and virtual switches and routers), so that the controller can discover
the network topology, define network flows, and implement the
requests passed to it by northbound APIs. The northbound interface
defines the protocol-supported communication between the
controller and applications or higher-layer control programs.
In an enterprise data center, northbound APIs are used by
management solutions for automation and orchestration, and for
sharing actionable data between systems. Southbound APIs handle
communication with the switch fabric, network virtualization
protocols, or the integration of a distributed computing network.
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Cisco DNA Center is a comprehensive network management and
control system that allows your network to drive business toward
growth and innovation.
Your network is more critical to your business than ever
before. You need a network management system that can
automate the deployment, connectivity, and lifecycle of your
infrastructure and proactively sustain the quality and security of
your applications, so that your IT staff can concentrate on
networking projects that improve your core business.
With Cisco DNA Center, the age of time-consuming network
provisioning and tedious troubleshooting tasks is over. Zero-touch
device connectivity and Software Image Management (SWIM)
features reduce device installation and upgrade times from
hours to minutes and bring new remote offices online with
plug-and-play ease from an off-the-shelf Cisco device. Cisco DNA
Assurance allows every point on the network to become a sensor,
sending continuous streaming telemetry on application performance
and user connectivity in real time. This capability, coupled with
automatic path trace visibility and guided remediation, means
network issues are resolved in minutes, before they become
problems. Cisco integration also provides detection and mitigation
of threats, even when they are hidden in encrypted traffic. Cisco DNA
Center also offers an open, extensible platform with wide support
for external applications and systems to exchange data and
intelligence, building upon its built-in functions. It is the only
centralized network management system to bring all of this
functionality into one platform.
Benefits of Cisco DNA Center:
Network: Manages your enterprise network from a centralized
dashboard
Deploys networks in minutes, not days, using intuitive workflows.
Cisco DNA Center makes it easy to design, provision, and apply
policies across the network
Costs: Policy-driven provisioning and guided advice increase
network uptime and reduce the time spent managing routine
network operations
Your cloud services and applications benefit from the intelligent
network optimization delivered by Cisco DNA Center.
What makes Cisco DNA Center different?
Cisco DNA Center is a broad management and control platform
for the network, created, designed, and implemented by Cisco.
This single, expandable software platform includes integrated tools
for network automation, management analytics, virtualization, and
security, assurance, and Internet of Things (IoT) connectivity and
can also interface with your business-critical tools. Until now, this
complete functionality could be achieved only through the
purchase and operation of multiple third-party software tools. The
advantages of having all core network tools integrated into a
single software platform are significant. They include:
Multiple tools with multiple interfaces add complexity, which
raises the chance of errors in configuration and management. This
can be especially damaging when errors in security settings lead
to exposed vulnerabilities
Switching between program interfaces during network operations is
time-consuming and can make even simple changes or
troubleshooting tasks take much longer to complete
Third-party platforms will never support the same levels of device
management and control as tools that are integrated and
designed to work together
Automatic troubleshooting with guided advice is extremely complex
in today's virtualized networks. Third-party tools can often tell you
whether a problem is caused by the network or by an application,
but they cannot offer guided advice without proper integration
between the tools that control automation, analytics, and
virtualization
True intent-based networking requires extensive real-time data
flow between the operational tools that are core to the network.
The management of network configuration, security, automation,
and analytics comes together to deliver the true business purpose
of the operation. Core management tools supplied by multiple
third-party vendors cannot efficiently share or react to the
amounts of data and critical information required to deliver a real
intent-based network experience
Cisco DNA Center is an open and extendable platform that allows
third-party applications and processes to exchange data and
intelligence with the network. This improves IT operations by
automating workflow procedures based on network intelligence
coming from Cisco DNA Center
Cisco DNA Center offers a single platform for every core
function in network. With this platform, IT can become far
nimbler and respond to variations and challenges faster and more
wisely.
Cisco DNA Center is the network management system,
foundational controller, and analytics platform at the core of
Cisco’s intent-based network. Cisco DNA Center is a set of
software solutions that provide:
A management platform for all of your network
A software-defined networking controller for automation of your
virtual devices and services
An assurance engine to guarantee the best network experience for
all your users
Cisco DNA Center software exists on the Cisco DNA Center
appliance and controls all of your Cisco devices both physical and
virtual (fabric and non-fabric). From the main menu, Cisco DNA
Center has four general areas:
Design: Design your network using physical maps and logical
topologies for quick graphic reference. The direct import feature
brings in images, existing maps, and topologies directly from Cisco
and the Cisco Application Policy Infrastructure Controller Enterprise
Module (APIC-EM), making upgrades easy and fast. Device discovery
is automatic and can be done either through Cisco Discovery
Protocol or simply by entering a range of IP addresses.
Policy: Define user and device profiles that enable highly secure
access and network segmentation based on business requirements.
Cisco DNA Center takes the information collected in policy and
translates it into the network-specific and device-specific
configurations required by the different types, operating systems,
makes, models, roles, and resource restrictions of your network
devices. Using Cisco DNA Center, you can create virtual networks,
traffic copy policies, access control policies, and application
policies.
Provision: Once you have created policies in Cisco DNA Center,
provisioning is a simple drag-and-drop task. Groups of identities
(users, devices, applications, etc.) in the Cisco DNA Center inventory
list are assigned a policy, and this policy will always follow the
identity. The process is completely automated and zero-touch. New
devices added to the network are assigned a policy based on
identity, which greatly facilitates remote office setups.
Assurance: Cisco DNA Assurance provides a broad solution to help
assure better and more reliable service levels to meet growing
business demands. It addresses not just reactive network monitoring
and troubleshooting, but also the proactive and predictive aspects
of running the network and improving client, application, and
service performance. The result is a consistent experience and
proactive optimization of your network, with less time spent on
troubleshooting tasks.
Figure 6-04: Cisco DNA Center Design
Table 6-02: Cisco DNA Center Features
Cisco DNA Center allows you to run the network with high
performance, security, reliability, and open interfaces. Unlock the
power of data by starting your journey with Cisco DNA Center.
Characteristics of REST-based APIs
Nowadays, almost every application on the internet needs to
provide interoperability as a basic feature. At any given instant,
applications are collaborating with other applications (for example,
a mobile application communicating with a web application). Thus,
it is essential that applications are able to communicate with each
other without depending on the underlying operating system or
programming language. Web services are used to build such
applications.
Figure 6-05: Web Service
Web Services
A web service is a set of standards and protocols that applications
and systems use to exchange information over the internet. A web
service is OS-independent and can be written in any programming
language.
For instance, an application written in PHP running on a Linux
server can communicate with an application written in Java that
runs on the Android operating system.
What is meant by REST?
REST stands for Representational State Transfer. REST is a
stateless architectural style that defines a set of constraints
governing the behavior of clients and servers.
What is meant by REST API?
A REST API can be used by any application, no matter which
language it is written in, because the requests are based on the
universal HTTP protocol, and the data is typically returned in
JSON format so that it can be read by almost all programming
languages.
Figure 6-06: REST API Architecture
What is meant by RESTful?
An API is said to be RESTful if it has the following properties:
Client-Server Architecture: The server is the back end and the client
is the front end of the service. It is significant to note that these
two entities are independent of each other
Stateless: No client session state is stored on the server between
requests. Any session state must be kept at the client's end, and
each request carries everything the server needs to process it
Cacheable: The client is able to cache responses. This significantly
increases the performance of the API
Isolation: The client is exposed only to the request path, not to
the server's internal structure
Idempotence: Repeating an identical request has the same effect on
the server as sending it once
What is meant by RESTful API?
A RESTful API, also called a RESTful web service, is a web service
that is implemented using the HTTP protocol and the REST principles.
It is a collection of resources that are accessed through HTTP
methods (PUT, GET, POST, DELETE).
The collection of resources is then represented in a standardized
form (usually JSON or XML) that can be any valid Internet media
type, provided that it is a valid hypertext standard.
Figure 6-07: Representation of RESTful API
Why should we use RESTful API?
A RESTful API is used to make applications distributed and
independent over the internet, with the purpose of enhancing the
performance, simplicity, scalability, visibility, modifiability, reliability,
and portability of the application.
Real-World RESTful API Examples
Most popular websites and social media platforms offer a RESTful
API. Several examples include:
Twitter REST API
Cloudways REST API
Google Translate REST API
Facebook REST API
Magento REST API
CRUD
Figure 6-08: Characteristics of RESTful API
REST permits clients to perform read/write operations on data
stored on the server. REST uses HTTP to perform the set of
actions commonly known as CRUD, which stands for:
Create
Read
Update
Delete
Assuming we want to manipulate a device object on a server,
we can send a GET request and receive a response with a payload
holding the full list of known devices.
If we need to add a new device, we build a payload with the
device attributes (e.g., IP address, hostname) and send it attached
to a POST request.
To update a device, we are required to send the full updated
payload with the HTTP PUT method.
Figure 6-09: CRUD Method
Remember that both Update and Delete API calls refer to a
specific identifier in the URI that the server assigns to every new
object and returns in the response to the Create request.
HTTP Verbs
Figure 6-10: HTTP Verbs
The HTTP Protocol
If you have ever used the internet, you already have a sense of
how it works: your desktop application sends requests, and remote
servers send information back. That is the internet in a nutshell,
and it is possible because all the computers on the net speak the
same language, a protocol named HTTP.
The web is based on the HTTP protocol. It permits computers
from anywhere to send requests to remote servers and get back
responses that can be displayed in browsers.
HTTP Methods
Following are the four main HTTP methods:
HTTP GET
We use the GET method to retrieve data from a remote server.
It can be one resource or a list of resources. For any given HTTP
GET API, if the resource is found on the server, then it must
return HTTP response code 200 (OK), along with a response body,
which is usually either XML or JSON. If the resource is NOT found
on the server, then it must return HTTP response code 404 (NOT
FOUND).
Examples of Request URIs
HTTP GET http://www.appdomain.com/users
HTTP GET http://www.appdomain.com/users?size=20&page=5
HTTP GET http://www.appdomain.com/users/123
HTTP GET http://www.appdomain.com/users/123/address
HTTP POST
We use the POST method to create a new resource on the
remote server. Preferably, if a resource has been created on the
origin server, the response should be HTTP response code 201
(Created) and hold an entity that describes the status of the
request and refers to the new resource, and a location header.
Examples of Request URIs
HTTP POST http://www.appdomain.com/users
HTTP POST http://www.appdomain.com/users/123/accounts
HTTP PUT
We use the PUT method to update data on the remote server. If
a new resource has been created by the PUT API, the origin server
MUST inform the user agent via the HTTP 201 (Created) response,
and if an existing resource is modified, either the 200 (OK) or
204 (No Content) response code should be sent to indicate
successful completion of the request.
Examples of Request URIs
HTTP PUT http://www.appdomain.com/users/123
HTTP PUT http://www.appdomain.com/users/123/accounts/456
Exam Tip
The difference between both of the POST and PUT APIs can be
observed in request URIs. POST requests are made on resource
collections whereas PUT requests are made on an individual
resource.
HTTP DELETE
We use the DELETE method when we want to delete data from
the remote server. DELETE operations are idempotent. If you
DELETE a resource, it is removed from the collection. Repeatedly
calling DELETE on that resource will not change the outcome;
however, calling DELETE on a resource a second time will return
a 404 (NOT FOUND) because it was already removed. Some argue
that this makes the DELETE method non-idempotent, but
idempotence as defined in RFC 7231 concerns the effect on the
server's state, which is the same after one DELETE or several, so
the different status code does not break it.
Example of Request URIs
HTTP DELETE http://www.appdomain.com/users/123
HTTP DELETE http://www.appdomain.com/users/123/accounts/456
Exam Tip
The is used by some APIs to perform any change to the
database. The changes can be creating, updating or deleting.
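The CRUD mapping and the status-code rules above can be exercised without a network. The following Python example is added for this section (it is not from the workbook or any real API) and implements an in-memory /devices collection that answers the way a RESTful server should: POST creates and returns 201 with a Location header, GET returns 200 or 404, PUT replaces a resource (201 if it did not exist, 200 otherwise) and is safe to repeat, DELETE returns 204 and then 404. The path, field names and the rule that a client may not choose its own id are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# (status code, response body, response headers)
Response = Tuple[int, Optional[dict], Dict[str, str]]


class DeviceResource:
    """In-memory /devices collection behaving like a RESTful server."""

    ITEM = re.compile(r"^/devices/(\d+)$")

    def __init__(self) -> None:
        self._items: Dict[int, dict] = {}
        self._next_id = 1

    @staticmethod
    def _valid(body: Optional[dict]) -> bool:
        # Never trust the client payload: require an object with the two
        # mandatory string attributes before touching server state.
        return (isinstance(body, dict)
                and isinstance(body.get("hostname"), str)
                and isinstance(body.get("ip"), str))

    def handle(self, method: str, path: str, body: Optional[dict] = None) -> Response:
        if path == "/devices":                               # the collection
            if method == "GET":                              # Read (list)
                return 200, {"devices": list(self._items.values())}, {}
            if method == "POST":                             # Create
                if not self._valid(body):
                    return 400, {"error": "hostname and ip are required"}, {}
                dev_id, self._next_id = self._next_id, self._next_id + 1
                # "id" is written last so a client-supplied id cannot override it
                self._items[dev_id] = {**body, "id": dev_id}
                return 201, self._items[dev_id], {"Location": f"/devices/{dev_id}"}
            return 405, None, {"Allow": "GET, POST"}

        m = self.ITEM.match(path)                            # one resource
        if not m:
            return 404, None, {}
        dev_id = int(m.group(1))
        if method == "GET":                                  # Read (item)
            if dev_id not in self._items:
                return 404, None, {}
            return 200, self._items[dev_id], {}
        if method == "PUT":                                  # Update (full replace)
            if not self._valid(body):
                return 400, {"error": "hostname and ip are required"}, {}
            created = dev_id not in self._items
            self._items[dev_id] = {**body, "id": dev_id}
            self._next_id = max(self._next_id, dev_id + 1)   # keep ids unique
            return (201 if created else 200), self._items[dev_id], {}
        if method == "DELETE":                               # Delete
            if self._items.pop(dev_id, None) is None:
                return 404, None, {}
            return 204, None, {}
        return 405, None, {"Allow": "GET, PUT, DELETE"}


def crud_walkthrough() -> list:
    """Run Create/Read/Update/Delete on one device and return the status codes."""
    api = DeviceResource()
    codes = []
    status, _, headers = api.handle("POST", "/devices", {"hostname": "sw1", "ip": "10.0.0.1"})
    codes.append(status)
    item = headers["Location"]                               # /devices/1, server-assigned
    codes.append(api.handle("GET", item)[0])
    update = {"hostname": "sw1-core", "ip": "10.0.0.1"}
    codes.append(api.handle("PUT", item, update)[0])
    codes.append(api.handle("PUT", item, update)[0])         # repeat: same state, same code
    codes.append(api.handle("DELETE", item)[0])
    codes.append(api.handle("DELETE", item)[0])              # already gone: 404
    codes.append(api.handle("GET", item)[0])
    return codes


if __name__ == "__main__":
    print(crud_walkthrough())
```

Running crud_walkthrough() gives the sequence 201, 200, 200, 200, 204, 404, 404: the second PUT leaves the resource exactly as the first did, and the second DELETE changes nothing on the server even though it answers 404.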
Capabilities of Configuration Management Mechanisms
Cisco UCS (Unified Computing System) is an IT infrastructure that
can be programmed as code to automate system configuration
and resource allocation.
The Cisco UCS Unified API is also used by Cisco's large group of
management solution partners. Your DevOps teams can use the
tools they already know, for example Puppet, Chef, and Ansible, to
deploy, orchestrate, and manage individual Cisco UCS servers, Cisco
Nexus® switches, storage systems, and fabric interconnects,
including entire Cisco® converged and hyper-converged systems
(Figure 6-11).
Figure 6-11: The unified API provides programming tools with access
to all Cisco UCS resources
The ability to provision entire application stacks in minutes from
automating Cisco UCS policies and service profile configurations to
ongoing management and the detection and remediation of
unintended changes improves efficiency. It reduces the likelihood
of errors, and accelerates time to deployment.
Puppet
Puppet Enterprise is an important tool for DevOps configuration
management, and Puppet is quickly becoming a de facto standard
for IT automation and management. With an extensible plug-in
architecture and a powerful declarative language, Puppet offers an
adaptable, easy-to-use platform that seamlessly integrates the
unique capabilities of Cisco Nexus solutions and Cisco UCS.
You can:
• Manage your infrastructure and application deployments from
end to end
• For Cisco UCS, use Puppet modules to perform initial
infrastructure configuration and server role tasks
• Perform rapid day-one provisioning with the Puppet Razor
module, which offers a robust set of programmatic interfaces for
provisioning the operating system and workload
• Use Cisco UCS service profiles to create flexible definitions of
server roles and pass that data to Puppet Razor
• Perform day-two and later management and monitoring of
applications using open-source Puppet or Puppet Enterprise
• Deploy a wide range of managed workloads across major
operating systems, virtual machines, and containerized
environments
Chef
Chef is an open-source system and cloud infrastructure automation
framework. By using a Chef cookbook, your DevOps teams can
configure your Cisco UCS platforms and distribute policies.
Everything required to provision your deployment is defined,
including libraries, recipes, files, and more.
Each cookbook and recipe is an assortment of property
definitions for setting device states that instruct the Chef client on
how to configure each node in the system. Because the details for
checking and setting property states are abstracted, instructions
can be used for multiple operating systems and platforms. The
recipe can also be used to install software packages, copy files
and start services.
Cisco has established a cookbook for independent Cisco UCS
C-Series Rack Servers and the Cisco Integrated Management
Controller (IMC). Based on the Cisco IMC Ruby Software
Development Kit (SDK), the cookbook streamlines the distribution
of servers and applications to any virtual, physical, or cloud
location.
Ansible
By using Ansible, your DevOps teams can automate and
orchestrate your IT environment simply by defining the desired
infrastructure configuration. A human-readable markup language
(YAML) describes a series of "plays" that outline the automation
across an inventory of hosts. Each play involves multiple tasks that
target one or more hosts and call an Ansible module that
implements configuration operations.
The Cisco UCS Unified API, Cisco UCS Manager, and standalone
rack servers integrate with Ansible as shown in the figure below.
This integration permits your DevOps teams to use Ansible to
configure, deploy, and orchestrate your Cisco UCS infrastructure.
Using Ansible's open, extensible framework together with the
Cisco NX-API, you can use a single tool to manage your servers
and Cisco Nexus 3000 and 9000 Series Switches, improving
automation and simplifying daily IT tasks. The NX-API is a
REST-like API for Cisco NX-OS Software-based systems. Ansible
modules call NX-API functions to collect real-time state data and
to configure or reconfigure switches. Ansible modules for Cisco
UCS are based on the Cisco UCS Python SDK.
Figure 6-12: Ansible playbooks automate and orchestrate Cisco UCS
deployments
Table 6-03: Matrix of Common Info and Terms
Interpret JSON Encoded Data
JavaScript Object Notation (JSON) is a standard lightweight
data-interchange format which is fast and easy to parse and generate.
JSON, like XML, is a text-based format that is simple to write and
easy to understand for both humans and machines, but unlike
XML, JSON data structures occupy less bandwidth than their XML
equivalents.
Figure 6-13: JSON Object Data Format
JSON is based on two basic structures:
Object: An object is defined as a collection of key/value pairs (i.e.,
key:value). Each object starts with a left curly bracket "{" and
finishes with a right curly bracket "}". Multiple key/value pairs are
separated by a comma (,).
Example of a JSON Object
The following structure shows an example of a valid JSON object.
Array: Array is defined as an ordered list of values. An array
starts with a left bracket "[" and finishes with a right bracket "]".
Values are separated by a comma (,).
Example of a JSON Array
The following example shows a JSON array structure.
In JSON, keys are always strings, while a value can be a
string, array, object, number, true or false, or null. Strings must
be enclosed in double quotes (") and can contain escape
sequences such as \n, \t, \" and \\.
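The following Python example is added here (it is not from the workbook) to show both structures in use: a constructed device inventory combining an object, an array of objects, nested arrays, booleans, null and a string with escape sequences is parsed and then checked field by field, since a parser only guarantees that the text is JSON, not that it has the shape the application expects. The keys, types and ranges checked are assumptions made for the example.

```python
import ipaddress
import json
from typing import List

# Constructed sample document (not data from the book).
SAMPLE = r'''{
  "site": "HQ\tfloor 2 \"east\" wing",
  "devices": [
    {"hostname": "sw1", "ip": "10.0.0.1", "vlans": [10, 20], "managed": true},
    {"hostname": "sw2", "ip": "10.0.0.2", "vlans": [], "managed": false, "note": null}
  ]
}'''


def _reject_constant(name: str):
    # Python's json accepts NaN/Infinity/-Infinity, which are not valid JSON
    # (RFC 8259); refuse them so two parsers cannot disagree on one document.
    raise ValueError(f"non-standard JSON constant: {name}")


def strict_loads(text: str):
    """json.loads restricted to standard JSON."""
    return json.loads(text, parse_constant=_reject_constant)


def validate_inventory(doc) -> List[str]:
    """Return the problems found in a parsed inventory; an empty list means valid."""
    errors = []
    if not isinstance(doc, dict):
        return ["top level must be an object"]
    if not isinstance(doc.get("site"), str):
        errors.append("site must be a string")
    devices = doc.get("devices")
    if not isinstance(devices, list):
        return errors + ["devices must be an array"]
    for i, dev in enumerate(devices):
        where = f"devices[{i}]"
        if not isinstance(dev, dict):
            errors.append(f"{where} must be an object")
            continue
        if not isinstance(dev.get("hostname"), str):
            errors.append(f"{where}.hostname must be a string")
        ip = dev.get("ip")
        try:
            if not isinstance(ip, str):          # ip_address() would accept an int
                raise ValueError
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{where}.ip is not an IP address")
        vlans = dev.get("vlans")
        # bool is a subclass of int in Python, so exclude it explicitly
        if not (isinstance(vlans, list)
                and all(isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 4094
                        for v in vlans)):
            errors.append(f"{where}.vlans must be an array of VLAN IDs 1-4094")
        if not isinstance(dev.get("managed"), bool):
            errors.append(f"{where}.managed must be true or false")
    return errors


def load_inventory(text: str) -> dict:
    """Parse and validate; raise ValueError on malformed text or wrong shape."""
    doc = strict_loads(text)
    problems = validate_inventory(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return doc


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE)
    print(repr(inventory["site"]), [d["hostname"] for d in inventory["devices"]])
```

Inputs that look like JSON but are not (single-quoted strings, a trailing comma, an unquoted key) are rejected by the parser; NaN and Infinity are rejected by strict_loads even though json.loads alone would accept them.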
PHP JSON Encode and Decode
JSON encode decode is one of the most commonly required
operations. In this part, we are going to see how to encode and
decode JSON using PHP. PHP provides integrated functions to
perform these two operations. Those are:
json_encode()
json_decode()
Encoding and Decoding
Encoding and decoding are two operations used in many
applications. Encoding packages data according to a particular
format; this is needed to preserve the data's structure when it is
stored or transmitted. Decoding is the reverse process that returns
encoded data to its original form.
PHP JSON Encode
In PHP, json_encode() is used to convert a PHP-supported data
type into a JSON formatted string, which is returned as the result
of the encode operation.
This function takes the following set of arguments:
Data to be encoded
Options with JSON encode constants reflect effects on encoding
behavior
Depth limit for performing recursive encoding with nested levels
of input
Parameters
Value
The value being encoded can be of any type except a resource.
All string data must be UTF-8 (8-bit Unicode Transformation
Format) encoded.
Options
Predefined JSON Constants
For PHP JSON encodes, the following list of constants will be
used for the options parameter of json_encode() function.
Table 6-04: Predefined JSON Constants
Depth
Set the maximum depth. It must be greater than zero.
Return Values
Returns a JSON encoded string on success or FALSE on
failure.
Example: PHP json_encode()
Let's take the example of a PHP program that performs JSON
encoding. The program invokes json_encode() a few times with
some of the available JSON encode constants as its options
parameter.
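As an added example in Python rather than PHP (it is not the workbook's program and not PHP's implementation), the following code mirrors the three json_encode() arguments just described: the value, a few options (the mapping of PHP's JSON_PRETTY_PRINT, JSON_UNESCAPED_UNICODE and JSON_HEX_TAG constants onto Python's json.dumps arguments is an assumption made for the example), and a nesting depth limit, which is applied to the raw text before decoding so that an attacker-sized document is refused before any recursion happens.

```python
import json
from typing import Any


def encode(value: Any, pretty: bool = False, unescaped_unicode: bool = False,
           hex_tag: bool = False, sort_keys: bool = False) -> str:
    """json_encode()-style encoder: pretty = JSON_PRETTY_PRINT,
    unescaped_unicode = JSON_UNESCAPED_UNICODE, hex_tag = JSON_HEX_TAG."""
    out = json.dumps(value,
                     indent=4 if pretty else None,
                     separators=None if pretty else (",", ":"),
                     ensure_ascii=not unescaped_unicode,
                     sort_keys=sort_keys,
                     allow_nan=False)      # NaN/Infinity are not JSON: fail instead
    if hex_tag:
        # '<' and '>' can only occur inside string values in JSON output, so a
        # textual replacement is safe; it stops a value such as "</script>"
        # from terminating a <script> block the JSON is embedded in.
        out = out.replace("<", "\\u003C").replace(">", "\\u003E")
    return out


def max_depth(text: str) -> int:
    """Nesting depth of raw JSON text, counted without parsing it. Brackets
    inside string literals (and escaped quotes inside them) are skipped."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def decode(text: str, depth: int = 512) -> Any:
    """json_decode()-style decode with a nesting limit (512 is PHP's default
    depth argument; here depth counts nested arrays/objects)."""
    if depth <= 0:
        raise ValueError("depth must be greater than zero")
    if max_depth(text) > depth:
        raise ValueError(f"nesting exceeds depth limit of {depth}")
    return json.loads(text)


if __name__ == "__main__":
    doc = {"name": "sw1", "desc": "<core> é", "ports": [1, 2]}
    print(encode(doc))
    print(encode(doc, hex_tag=True, sort_keys=True))
    print(encode(doc, pretty=True, unescaped_unicode=True))
    print(decode(encode(doc, hex_tag=True)))
```

Two differences from PHP worth knowing: json_encode() escapes "/" as "\/" unless JSON_UNESCAPED_SLASHES is given, while Python never does, and PHP's json_decode() returns NULL on failure whereas decode() here raises, which is the safer default because a NULL result is easy to mistake for a legitimate null value.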
Mind Map
Figure 6-14: Mind Map of Automation and Programmability
Summary
Automation Impacts on Network Management
Network automation is the procedure of automating the
configuring, testing, managing, deploying, and operating of virtual
and physical devices within a network
Automation technology is getting more and more attention due to
its benefits in terms of flexible configuration, programmability, and
cost efficiency
Compare Traditional Networks with Controller-based Networking
Traditional networking works on per-device management that takes
time and creates many complexities; this approach is inclined to
human errors
Cisco SD-Access uses a modern controller design to drive
business intent into the orchestration and operation of network
elements
Controller-based and Software Defined Architectures
Cisco® Software-Defined Access (SD-Access) is the development
from traditional campus LAN designs to networks that directly
implement the intent of an organization
SD-Access is supported with an application suite that runs as part
of the Cisco DNA Center software for designing, applying policy,
provisioning, and facilitating the creation of a smart campus wired
and wireless network with assurance
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Cisco DNA Center is the network management system,
foundational controller, and analytics platform at the core of
Cisco’s intent-based network
Zero-touch device connectivity and Software Image Management (SWIM) features reduce device installation and upgrade times from hours to minutes and bring new remote offices online with plug-and-play comfort from an off-the-shelf Cisco® device
Characteristics of REST-based APIs
REST API can be used by any application no matter the language
it is written in because the requests are based on the universal
HTTP protocol, and the data is typically returned in the JSON
format so that it can be readable to almost all programming
languages
A RESTful API, also called a RESTful web service, is a web service implemented using the HTTP protocol and the REST principles
It is a collection of resources that serves HTTP methods (PUT,
GET, POST, DELETE)
Capabilities of Configuration Management Mechanisms
The ability to provision entire application stacks in minutes, from automating Cisco UCS policies and service profile configurations to ongoing management and the detection and remediation of unintended changes, improves efficiency
Puppet, Chef, and Ansible are used to deploy, orchestrate, and
manage distinct Cisco UCS servers, Cisco Nexus® switches,
storage systems, and fabric interconnects, including the entire
Cisco® converged and hyper-converged systems
Interpret JSON Encoded Data
JavaScript Object Notation (JSON) is a standard lightweight data-interchange format that is fast and easy to parse and generate
In PHP, json_encode() is used to convert a PHP-supported data type into a JSON-formatted string, which is returned as the result of the JSON encode operation
Practice Question
Answers:
Chapter 01: Network Fundamentals
1. C.
Explanation: While an ARP broadcast may initially be needed, since these systems have already communicated, the traffic can be sent unicast.
2. D.
Explanation: The destination address of FF:FF:FF:FF:FF:FF is a reserved MAC address to indicate a broadcast.
3. C.
Explanation: The Host B IP address is the subnet identifier for that subnet and it is reserved.
4. C.
Explanation: The network portion is typically 64 bits and the host portion is 64 as well.
5. A.
Explanation: The command required to enable IPv6 routing capabilities on a Cisco router is ipv6 unicast-routing.
6. C.
Explanation: The default aging time on most Cisco switches is 300 seconds.
7. A.
Explanation: Topology in networks is the structure or pattern in which each and every node in the network is connected.
8. C.
Explanation: A segment is a grouping of a number of bytes together into a packet.
9. A.
Explanation: UDP is an unreliable, connectionless transport layer protocol.
10. C.
Explanation: A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the internet.
11. A.
Explanation: In a broadcast network, information is sent to all stations in a network, whereas in a multicast network the data or information is sent to a group of stations in the network. In a unicast network, information is sent to only one specific station.
12. D.
Explanation: An IPv6 datagram has a fixed header length of 40 bytes, which results in faster processing of the datagram.
13. A.
Explanation: Broadcast has been eliminated in IPv6.
14. B.
Explanation: An IPv6 address is 128 bits long.
15. B.
Explanation: For TCP, it is 6.
16. A.
Explanation: Error reporting is handled by ICMP.
17. C.
Explanation: Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. It helps protect private information and sensitive data, and provides security of communication between client apps and servers.
18. C.
Explanation: UDP is an unreliable, connectionless transport layer protocol and uses minimum overload.
19. C.
Explanation: A Wide-Area Network helps organizations to expand geographically around the globe. By using WAN services from service providers, usually called "off-sourcing", a network can span a large physical area.
20. B.
Explanation: Switches automatically segment the network and dramatically decrease the traffic in the segments that are less used.
21. C.
Explanation: A multilayer switch can perform its function on both layer 2 and layer 3.
22. D.
Explanation: Firewalls act as a filter that filters the flow of traffic, whether inbound or outbound, of a network.
23. B.
Explanation: A Network Address Translation (NAT) server is used for the mapping of IP addresses and translating the private addresses inside the network into authorized addresses before packets are delivered to another network.
24. C.
Explanation: RJ-45 provides the communication and control factor in network devices.
25. B. and D.
Explanation: IPv4 addresses are 32 bits long and are represented in decimal format. IPv6 addresses are 128 bits long and are represented in hexadecimal format.
Chapter 02: Network Access
1. B.
Explanation: 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address. The header itself holds a 12-bit VLAN ID field, which identifies the VLAN associated with the frame.
2. B. & C.
Explanation: The show interfaces switchport command lists both the administrative and operational status of each port. The show interfaces trunk command lists a set of interfaces, the interfaces that are operating as trunks. So, both of these commands identify interfaces that are operational trunks.
3. D.
Explanation: The PortFast feature allows STP to move a port from blocking to forwarding without going through the interim listening and learning states.
4. A.
Explanation: pvst and rapid-pvst are valid options on the command. Of those, the rapid-pvst option enables Rapid Per VLAN Spanning Tree (RPVST+), which uses RSTP. The pvst option enables Per VLAN Spanning Tree (PVST), which uses STP, not RSTP. The other two options, if attempted, would cause the command to be rejected because the option does not exist.
5. D.
Explanation: IOS uses the channel-group configuration command to create an EtherChannel.
6. C.
Explanation: An AP offers a Basic Service Set (BSS).
7. A.
Explanation: The show vlan brief command allows you to easily verify the VLANs and the interface assignments.
8. D.
Explanation: The correct command is switchport access vlan 20.
9. A.
Explanation: The correct command is switchport voice vlan 10.
10. C.
Explanation: The correct command is switchport mode trunk.
11. B.
Explanation: The correct command is show interface trunk.
12. D.
Explanation: You can use HTTP and HTTPS to access the GUI of a wireless LAN controller, as well as SSH to access its CLI.
13. C.
Explanation: Controllers use a Link Aggregation Group (LAG) to tie multiple ports together.
14. C. & D.
Explanation: A WLAN binds an SSID to a controller interface so that the controller can link the wired and wireless networks.
15. D.
Explanation: Cisco controllers support a maximum of 512 WLANs, but only 16 of them can be actively configured on an AP.
16. A. & C.
Explanation: The SSID and controller interface are the only parameters from the list that are necessary.
17. A.
Explanation: Link Aggregation (LAG) is a fractional implementation of the 802.3ad port aggregation standard.
18. A.
Explanation: A lightweight AP requires connectivity to only a single VLAN, so an access mode link is used.
19. B.
Explanation: 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address.
20. D.
Explanation: The PortFast feature allows STP to move a port from blocking to forwarding without going through the interim listening and learning states.
Chapter 03: IP Connectivity
1. B.
Explanation: The information necessary to forward a packet along the best path towards its destination resides in a routing table.
2. A.
Explanation: The prefix-length is simply a shorthand way to express a network mask using CIDR notation.
3. C.
Explanation: 120 is the default administrative distance for RIP.
4. B.
Explanation: The best path to a destination network within a routing protocol is determined by the metric value.
5. B.
Explanation: By using the administrative distance, one routing protocol is preferably chosen over another when both have the same destination network.
6. C.
Explanation: Static routes have an administrative distance of 1, or 0 if you use an exit interface instead of a next-hop address.
7. C.
Explanation: A floating static route is simply one that has been created as a backup to a route learned through a routing protocol.
8. D.
Explanation: A value in the range from 1 to 65,535 identifies the OSPF process ID. It is a unique number on the router that groups a series of OSPF configuration commands under a specific running process.
9. B.
Explanation: First Hop Redundancy Protocols (FHRP) are used to allow gateway redundancy.
10. B.
Explanation: Routers will go through an election process on the segment to elect a DR and BDR.
11. B. & D.
Explanation: DHCP servers assign IP addresses to hosts. Thus, DHCP allows easier administration by providing IP information to each host automatically.
12. C.
Explanation: SNMPv2c supports plaintext authentication with MD5 or SHA with no encryption.
13. B.
Explanation: The "show ip route" command is used to view a routing table.
14. B.
Explanation: The prefix-length is /24 for the subnet mask 255.255.255.0.
15. A.
Explanation: The administrative distance for a static route is 1.
16. B.
Explanation: The value 255 is equivalent to 100% utilization or load.
17. B.
Explanation: The correct command for configuring the static route is ip route [destination_network] [mask] [nexthop_address or exit_interface] [administrative_distance] [permanent]
18. B.
Explanation: The particular network will become incapable of communicating with the outside world if that first hop ever goes down. It allows only local communication across the switched domain.
19. B.
Explanation: Except BRRP (Broadway Router Redundancy Protocol), the other three options given in the question fall into the category of first hop redundancy protocols.
20. D.
Explanation: HTTPS uses port 443 by default.
Chapter 04: IP Services
1. B.
Explanation: Simple Network Management Protocol (SNMP) provides a message format for agents on a variety of devices to communicate with Network Management Stations (NMSs). It is the most popular and efficient method of seeing what's going on with your network at a particular time.
2. C.
Explanation: Low loss, latency, and jitter are provided with the EF-related DSCP.
3. C.
Explanation: Four different forwarding classes are provided by these per-hop behaviors.
4. B.
Explanation: SSH uses encryption keys to send data so that no one can see your username and password.
5. B.
Explanation: The boot files or configuration files are usually transferred between machines in a local setup by using TFTP.
6. B.
Explanation: SNMP is also used for analyzing information and compiling the outcomes in a report or even a graph.
7. C.
Explanation: SNMPv2 supports plain-text authentication with community strings with no encryption, but provides GET BULK, which is a way to gather many types of information at once and minimize the number of GET requests.
8. B.
Explanation: Simple Network Management Protocol (SNMP) is the most popular and efficient method of seeing what's going on with your network at a particular time.
9. A.
Explanation: Computers and devices that boot without hard disk drives or storage devices use this protocol significantly, because a small amount of memory is enough to implement this protocol.
10. B.
Explanation: UDP port 69 is used by TFTP to establish network connections, while ports 20 and 21 are used by FTP.
11. B.
Explanation: The remote user is allowed to navigate the server's file structure and upload and download files with FTP.
12. C.
Explanation: The client starts a control TCP connection with the server side when the FTP session is started between a client and a server. The control information is sent over a TCP connection by the client.
13. B.
Explanation: A simple lock-step protocol is used by TFTP. In the simple lock-step protocol, each data packet needs to be acknowledged. Thus, the throughput is limited.
14. C.
Explanation: Workstations or other computers that require special access outside the network are assigned specific external IPs using NAT.
15. B.
Explanation: Outside refers to the addresses that are not in the control of any organization.
16. D.
Explanation: PAT is a translation method. It allows the user to conserve addresses in the global address pool by allowing source ports in TCP and UDP to be translated. Different local addresses are mapped to the same global address, and the necessary uniqueness is provided by the port translation.
17. C.
Explanation: NTP version 3 (NTPv3) and later versions support a cryptographic authentication technique between NTP peers. This authentication can be used to mitigate an attack.
18. C.
Explanation: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
19. A.
Explanation: Traffic with an EF DSCP does not wait in line. Low loss, latency, and jitter are provided with EF.
20. B.
Explanation: A DHCP Server is a network server. It automatically provides and assigns IP addresses, default gateways and other network parameters to client devices.
Chapter 05: Security Fundamentals
1. C, D, & E.
Explanation: There are three main components of information security:
Confidentiality: It makes sure that only authorized users can see and tamper with data. It provides encryption to encrypt and hide data.
Integrity: It makes sure that the data remains un-tampered during transit.
Availability: It makes sure that the data remains available for authorized users.
2. A.
Explanation: Cisco and other security vendors have created databases known as the Common Vulnerabilities and Exposures (CVE) that categorize the threats over the internet. It can be searched via any search engine available today.
3. A.
Explanation: A Denial-of-Service (DoS) attack is an availability attack intended to downgrade or deny the targeted service or application.
4. A.
Explanation: Denial-of-Service (DoS) is a type of attack in which services offered by a system or a network are denied. Services may either be denied, have reduced functionality, or prevent access to the resources even for legitimate users. There are several techniques to perform a DoS attack, such as generating a large number of requests to the target system for service.
5. B.
Explanation: Digital signatures rely on digital certificates to verify the identity of the originator in order to authenticate a vendor website and establish an encrypted connection to exchange confidential data.
6. B.
Explanation: Authentication is the process of proving the identity of a system by login identification and a password. It has the purpose of determining whether the user is the same person he claims to be or not.
7. A, C, & D.
Explanation: Following are the key features of VPN technology:
Confidentiality: Data is sent in an encrypted form; the data would be meaningless to any other person.
Data Integrity: VPN makes sure that the sent data is accurate, secure and remains unaltered end to end.
Authentication: VPN authenticates the peers on both sides of the tunnel through pre-shared public or private keys or by using the user's authentication method.
8. B.
Explanation: Types of VPN:
1) Remote-access VPN allows a networking device to connect from outside a corporate office.
2) Site-to-site VPN connects two or more sites that want to connect together over the internet.
9. B.
Explanation: A remote-access VPN helps a networking device to connect from outside a corporate office. These devices include smartphones, tablets, laptops etc., commonly known as end devices.
10. C.
Explanation: DHCP snooping validates the DHCP messages received from either a legitimate source or an untrusted source and filters out invalid messages. It is actually very easy for someone to bring a DHCP server into a corporate environment, accidentally or maliciously. DHCP snooping is all about protecting against it.
11. D.
Explanation: Here is the list of mitigation procedures for layer 2 attacks:
DHCP Snooping
Dynamic ARP Inspection
Port Security
BPDU Guard
Root Guard
Loop Guard
12. A.
Explanation: Port Security is used to bind the MAC address of known devices to the physical ports, and a violation action is also defined.
13. D.
Explanation: The port security feature allows a limited number of MAC addresses on a single port. So, if an attacker tries to connect his/her PC or embedded device to the switch port, then it will shut down or restrict the attacker from even generating an attack.
14. D.
Explanation: Both IPsec and SSL are supported by Cisco AnyConnect.
15. A.
Explanation: DHCP snooping is a method of controlling IP address assignments to prevent the possibility of attacks related to ARP spoofing.
16. B.
Explanation: WPA is an upgrade to a system that currently uses WEP.
17. A.
Explanation: The Dynamic ARP Inspection (DAI) feature protects the network from many of the commonly known Man-in-the-Middle (MITM) type attacks.
18. D.
Explanation: Social engineering is more likely to occur if users are not properly trained to detect and prevent it.
19. B.
Explanation: Two-factor authentication is always more secure than any single factor of authentication.
20. A.
Explanation: The Type 2 authentication factor is "something you have". This could be a smart card, ATM card, token device, or memory card.
Chapter 06: Automation and Programmability
1. D.
Explanation: The three core benefits of network automation are:
1) Improved efficiency
2) Reduced likelihood of human error
3) Lower operational expenses
2. C.
Explanation: Representational State Transfer (REST) is the full form of the acronym REST in REST-based APIs.
3. B.
Explanation: Software-Defined Access (SD-Access) is the full form for SD-Access.
4. C.
Explanation: Cisco SD-Access is one of the most important elements of the Cisco Digital Network Architecture (Cisco DNA).
5. B.
Explanation: The Cisco SD-Access solution can be divided into five basic layers, which are:
1) Physical Layer
2) Network Layer
3) Controller Layer
4) Management Layer
5) Partner Ecosystem
6. A.
Explanation: The Data-link layer is not a basic layer of the Cisco SD-Access solution, while it is an important layer of the OSI model.
7. D.
Explanation: Fabric overlay and network underlay are an integral part of the Network Layer of the Cisco SD-Access solution.
8. B.
Explanation: The basic technology used for the fabric control plane is based on the Locator ID Separation Protocol (LISP).
9. A.
Explanation: The basic technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN).
10. B.
Explanation: LISP is an IETF standard protocol, i.e., RFC 6830.
11. C.
Explanation: VXLAN is an IETF standard encapsulation, i.e., RFC 7348.
12. D.
Explanation: Cisco DNA Center has four general divisions, which are:
1) Design
2) Policy
3) Provision
4) Assurance
13. D.
Explanation: In SDN, the southbound interface is the OpenFlow protocol specification. Its main function is to allow communication between the SDN controller and the network nodes, both physical and virtual switches and routers, so that the router can discover the network topology.
14. C.
Explanation: REST-API utilizes HTTP to perform a set of actions commonly known as CRUD:
Create
Read
Update
Delete
15. B.
Explanation: We use the HTTP PUT method to update the data on a remote server.
16. A.
Explanation: We use the HTTP GET method to retrieve data from a remote server.
17. B. & C.
Explanation: Object & array are the two basic structures of JSON.
18. D.
Explanation: JavaScript Object Notation (JSON) is a standard lightweight data-interchange format, which is fast and easy to parse and generate.
19. D.
Explanation: Value, Options, Depth are the main parameters of json_encode().
20. B.
Explanation: Each object in JSON starts with a left curly bracket "{" and finishes with a right curly bracket "}".
Acronyms:
AAA Authentication, Authorization, and Accounting
ACL Access Control List
AES Advanced Encryption Standard
AP Access Point
ARP Address Resolution Protocol
BPDU Bridge Protocol Data Unit
CCMP Counter Mode Cipher Block Chaining Message Authentication Code Protocol
CCNA Cisco Certified Network Associate
Cisco DNA Cisco Digital Network Architecture
CLIs Command-Line Interfaces
CVE Common Vulnerabilities and Exposures
DAC Discretionary Access Control
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service/Domain Name Server/Domain Name System
DoS Denial-of-Service
EAP Extensible Authentication Protocol
GUI Graphical User Interface
HTTPS Hyper Text Transfer Protocol Secure
IBNS Identity-Based Networking Services
ICMP Internet Control Message Protocol
IEEE Institute of Electrical and Electronics Engineers
IT Information Technology
LISP Locator/ID Separation Protocol
MAC Mandatory Access Control
MAC Media Access Control
NAC Network Access Control
NIC Network Interface Card
OSI Open Systems Interconnect
PIN Personal Identification Number
PoLP Principle of Least Privilege
RADIUS Remote Authentication Dial In User Service
RBAC Role-Based Access Control
REST Representational State Transfer
SD-Access Software-Defined Access
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Sockets Layer
SWIM Software Image Management
TACACS Terminal Access Controller Access Control System
TCP Transmission Control Protocol
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TTLS Tunneled Transport Layer Security
UCS Unified Computing System
VLAN Virtual Local Area Network
VPN Virtual Private Networks
VRF Virtual Routing and Forwarding
VXLAN Virtual Extensible LAN
WEP Wired Equivalent Privacy
WLAN Wireless LAN
WPA Wi-Fi Protected Access
About Our Products
Other products from IPSpecialist LTD regarding Cisco technology
are:
CCNA Routing & Switching Technology Workbook
CCNA Security v2 Technology Workbook
CCNA Service Provider Technology Workbook
CCDA Technology Workbook
CCDP Technology Workbook
CCNP Route Technology Workbook
CCNP Switch Technology Workbook
CCNP Troubleshoot Technology Workbook
CCNP Security SENSS Technology Workbook
CCNP Security SIMOS Technology Workbook
CCNP Security SITCS Technology Workbook
CCNP Security SISAS Technology Workbook
CompTIA Network+ Technology Workbook
CompTIA Security+ v2 Technology Workbook
Certified Information System Security Professional (CISSP)
Technology Workbook
CCNA CyberOps SECFND Technology Workbook
Certified Block Chain Expert Technology Workbook
Certified Cloud Security Professional (CCSP) Technology Workbook
CompTIA Pentest Technology Workbook
CompTIA A+ Core I (220-1001) Technology Workbook
CompTIA A+ Core II (220-1002) Technology Workbook
CompTIA CyberSecurity Analyst CySA+ Technology Workbook
Certified Application Security Engineer | JAVA
CCNA 200-301 Technology Workbook
Note from the Author:
Reviews are gold to authors! If you have enjoyed this book and it has helped you along your certification path, would you consider rating and reviewing it?