CCNA Cisco Certified Network Associate Exam (200-301)
Technology Workbook
www.ipspecialist.net

Document Control

Copyright © 2018 IPSpecialist LTD.
Registered in England and Wales
Company Registration No: 10883539
Registration Office at: Office 32, 19-21 Crawford Street, London W1H 1PJ, United Kingdom
www.ipspecialist.net

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without the written permission from IPSpecialist LTD, except for the inclusion of brief quotations in a review.

Feedback: If you have any comments regarding the quality of this book, or suggestions on how to alter it to better suit your needs, you can contact us through email at info@ipspecialist.net. Please make sure to include the book’s title and ISBN in your message.

About IPSpecialist

IPSPECIALIST LTD. IS COMMITTED TO EXCELLENCE AND DEDICATED TO YOUR SUCCESS.

Our philosophy is to treat our customers like family. We want you to succeed, and we are willing to do everything possible to help you make it happen. We have the proof to back up our claims. We strive to accelerate billions of careers with great courses, accessibility, and affordability. We believe that continuous learning and knowledge evolution are the most important things to keep re-skilling and up-skilling the world.

Planning and creating a specific goal is where IPSpecialist helps. We can create a career track that suits your vision as well as develop the competencies you need to become a professional Network Engineer. We can also assist you with the execution and evaluation of your proficiency level, based on the career track you choose, as they are customized to fit your specific goals. We help you STAND OUT from the crowd through our detailed IP training content packages.
Course Features:
❖ Self-Paced Learning: Learn at your own pace and in your own time
❖ Covers Complete Exam Blueprint: Prepare for the exam with confidence
❖ Case Study Based Learning: Relate the content to real-life scenarios
❖ Subscriptions that Suit You: Get more and pay less with IPS subscriptions
❖ Career Advisory Services: Let the industry experts plan your career journey
❖ Virtual Labs to Test Your Skills: With IPS vRacks, you can evaluate your exam preparation
❖ Practice Questions: Practice questions to measure your preparation standards
❖ On Request Digital Certification: On request digital certification from IPSpecialist LTD.

About the Authors:

This book has been compiled with the help of multiple professional engineers. These engineers specialize in different fields, e.g., Networking, Security, Cloud, Big Data, IoT, etc. Each engineer develops content in his/her own specialized field, and the content is compiled to form a comprehensive certification guide.

About the Technical Reviewers:

Nouman Ahmed Khan
AWS-Architect, CCDE, CCIEX5 (R&S, SP, Security, DC, Wireless), CISSP, CISA, CISM

Nouman Ahmed Khan is a Solution Architect working with a major telecommunication provider in Qatar. He works with enterprises, mega-projects, and service providers to help them select the best-fit technology solutions. He also works as a consultant to understand customer business processes and helps select an appropriate technology strategy to support business goals. He has more than fourteen years of experience working in Pakistan, the Middle East, and the UK. He holds a Bachelor of Engineering Degree from NED University, Pakistan, and an M.Sc. in Computer Networks from the UK.

Abubakar Saeed

Abubakar Saeed has more than twenty-five years of experience managing, consulting, designing, and implementing large-scale technology projects. He also has extensive experience heading ISP operations, solutions integration, Product Development, Pre-sales, and Solution Design.
Emphasizing adherence to project timelines and delivering as per customer expectations, he always leads projects in the right direction with his innovative ideas and excellent management skills.

Uzair Ahmed

Uzair Ahmed is a professional technical content writer holding a Bachelor’s Degree in Computer Science from PAF-KIET University. He has sound knowledge and industry experience in SIEM implementation, .NET development, machine learning, artificial intelligence, Python, and other programming and development platforms such as React.JS, Angular JS, and Laravel.

Muhammad Yousuf

Muhammad Yousuf is a professional technical content writer. He is a Certified Ethical Hacker (CEHv10) and Cisco Certified Network Associate (CCNA) in Routing and Switching, holding a bachelor’s degree in Telecommunication Engineering from Sir Syed University of Engineering and Technology. He has both technical knowledge and sound industry information, which he uses perfectly in his career.

Afreen Moin

Afreen Moin is a professional Technical Content Developer. She holds a Bachelor of Engineering degree in Telecommunications from Dawood University of Engineering and Technology. She has great knowledge of computer networking and has attended several training programs. She possesses a keen interest in research and design related to computers, which is reflected in her career.

Free Resources:

With each workbook purchased, IPSpecialist offers free resources to our valuable customers. Once you buy this book, contact us at support@ipspecialist.net or tweet @ipspecialistnet to get this limited-time offer without any extra charges.

Free Resources Include:

Exam Practice Questions in Quiz Simulation: With 250+ Q/A, IPSpecialist's Practice Questions is a concise collection of important topics to keep in mind. The questions are specially prepared following the exam blueprint to give you a clear understanding of what to expect from the certification exam.
It goes further to give answers with thorough explanations. In short, it is a perfect resource that helps you evaluate your preparation for the exam.

Career Report: This report is a step-by-step guide for a novice who wants to develop his/her career in the field of computer networks. It answers the following queries:
What are the current scenarios and future prospects?
Is this industry moving towards saturation, or are new opportunities knocking at the door?
What will the monetary benefits be?
Why get certified?
How do I plan, and when will I complete the certifications if I start today?
Is there any career track that I can follow to accomplish specialization level?

Furthermore, this guide provides a comprehensive career path towards being a specialist in the field of networking and also highlights the tracks needed to obtain certification.

IPS Personalized Technical Support for Customers: Good customer service means helping customers efficiently, in a friendly manner. It is essential to be able to handle issues for customers and do your best to ensure they are satisfied. Providing good service is one of the most important things that can set our business apart from others of its kind. Great customer service will result in attracting more customers and attaining maximum customer retention. IPS is offering personalized TECH support to its customers to provide better value for money. If you have any queries related to technology and labs, you can simply ask our technical team for assistance via Live Chat or Email.

Our Products

Technology Workbooks: IPSpecialist Technology Workbooks are the ideal guides to developing the hands-on skills necessary to pass the exam. Our workbook covers the official exam blueprint and explains the technology with real-life, case-study-based labs. The content covered in each workbook consists of individually focused technology topics presented in an easy-to-follow, goal-oriented, step-by-step approach.
Every scenario features detailed breakdowns and thorough verifications to help you completely understand the task and associated technology. We extensively use mind maps in our workbooks to visually explain the technology. Our workbooks have become a widely used tool to learn and remember the information effectively.

vRacks: Our highly scalable and innovative virtualized lab platforms let you practice the IP Specialist Technology Workbook at your own time and place, as per your convenience.

Quick Reference Sheets: Our quick reference sheets are a concise bundling of condensed notes on the complete exam blueprint. They are an ideal and handy document to help you remember the most important technology concepts related to the certification exam.

Practice Questions: IP Specialists’ Practice Questions are designed from a certification exam perspective. The collection of questions from our technology workbooks is prepared keeping the exam blueprint in mind, covering not only important but also necessary topics. It is an ideal document to practice and revise for your certification.
Content at a glance

Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Answers
Acronyms
References
About Our Products

Table of Contents

Chapter 01: Network Fundamentals
Technology Brief
Role and Function of Network Components
Routers
L2 and L3 Switches
Next-Generation Firewalls and IPS
Access Points
Controllers (Cisco DNA Center and WLC)
Endpoints
Servers
Characteristics of Network Topology Architectures
2 Tier
3 Tier
Spine-Leaf
WAN
Small Office/Home Office (SOHO)
On-Premises and Cloud
Physical Interface and Cabling Types
Cabling Type and Implementation Requirements
Ethernet Connectivity Recommendations
Single Mode Fiber, Multimode Fiber, Copper Connections
Concepts of PoE
Identifying Interface and Cable Issues
Collisions
Errors
Duplex
Speed
TCP vs. UDP
TCP and UDP Working
IPv4 Addressing and Subnetting
Advantages of Subnetting
The Need for Private IPv4 Addressing
Case Study
IPv6 Addressing and Prefix
Restrictions for Implementing IPv6 Addressing and Basic Connectivity
IPv6 Address Formats
IPv6 Subnetting
IPv6 Packet Header
IPv6 Addressing and Subnetting Mind Map
IPv6 Address Types
Global Unicast
Unique Local
Link Local
Anycast
Multicast
Modified EUI 64
IP Parameters for Client OS (Windows, Mac OS, Linux)
Windows
Linux
Mac OS
Wireless Principles
SSID
RF
Encryption
Virtualization Fundamentals
Benefits of Virtualization
Types of Virtualization
Switching Concepts
MAC Learning and Aging
Frame Switching
Frame Flooding
MAC Address Table
Mind Map
Summary
Role and Function of Network Components
Characteristics of Network Topology Architectures
Physical Interface and Cabling Types
Identify Interface and Cable Issues
TCP vs. UDP
IPv4 Addressing and Subnetting
The Need for Private IPv4 Addressing
IPv6 Addressing and Prefix
IPv6 Address Types
Wireless Principles
Virtualization Fundamentals
Switching Concepts
Practice Questions

Chapter 02: Network Access
Technology Brief
VLANs (Normal Range) Spanning Multiple Switches
Access Ports (Data and Voice)
Default VLAN
Connectivity
Interswitch Connectivity
Trunk Ports
802.1Q
Native VLAN
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP)
LLDP (Link Layer Discovery Protocol)
(Layer 2/Layer 3) EtherChannel (LACP)
EtherChannel
Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel
Case Study
Topology
Configuration
Verification
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Configuring Rapid PVST+
Root Port, Root Bridge (Primary/Secondary), and other Port Names
Rapid PVST+ Port State
PortFast
Cisco Wireless Architectures vs. AP Modes
Cisco Unified Wireless Network Architecture
AP Modes
Physical Infrastructure Connections of WLAN Components (AP, WLC, Access/Trunk Ports, and LAG)
Access Points
Wireless LAN Controllers
Access Ports/Trunk Ports
LAG
AP and WLC Management Access Connections (Telnet, SSH, HTTP, HTTPS, Console, and TACACS+/RADIUS)
Access Point
Wireless Controllers
Management Access Connections
Components of a Wireless LAN Access for Client Connectivity using GUI
Step 1. Configure a RADIUS Server
Step 2. Create a Dynamic Interface
Step 3. Create a New WLAN
Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
Interswitch Connectivity
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
(Layer 2/Layer 3) EtherChannel (LACP)
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Cisco Wireless Architectures vs. AP Modes
Physical Infrastructure Connections of WLAN Components (AP, WLC, Access/Trunk Ports, and LAG)
AP and WLC Management Access Connections (Telnet, SSH, HTTP, HTTPS, Console, and TACACS+/RADIUS)
Components of a Wireless LAN Access for Client Connectivity using GUI
Practice Questions

Chapter 03: IP Connectivity
Technology Brief
Components of the Routing Table
Routing Protocol Code
Prefix
Network Mask
Next Hop
Administrative Distance
Metric
Gateway of Last Resort
How a Router Makes Forwarding Decision by Default?
Longest Match
Administrative Distance
Routing Protocol Metric
IPv4 and IPv6 Static Routing
IP Addresses
IPv4 Address
IPv6 Address
Difference between IPv4 and IPv6 Addresses
Default Route
Network Route
Host Route
Floating Static
Case Study: Static Routing
Topology Diagram
Configuration
Verification
Case Study: Static Routing
Topology Diagram
Configuration
Verification
Single Area OSPFv2
Neighbor Adjacency
Point-to-Point
Broadcast (DR/BDR Selection)
Router ID
Purpose of First Hop Redundancy Protocol
Types of Redundancy Protocols
Case Study
Topology Diagram
Configuration
Verification
Mind Map
Summary
Components of the Routing Table
A Router Makes Forwarding Decision by Default
Configure and Verify IPv4 and IPv6 Static Routing
Configure and Verify Single Area OSPFv2
Purpose of First Hop Redundancy Protocol
Practice Question

Chapter 04: IP Services
Technology Brief
Configure and Verify Inside Source NAT using Static and Pools
NAT Inside and Outside Addresses
Types of Network Address Translation (NAT)
Advantages of NAT
Disadvantages of NAT
NTP Operating in a Client and Server Mode
NTP Authentication
Role of DHCP and DNS within the Network
Configuring DHCP TFTP, DNS, and Gateway Options
The Function of SNMP in Network Operations
SNMPv2
SNMPv3
Management Information Base (MIB)
Use of Syslog Features Including Facilities and Levels
Syslog
Syslog Facilities and Features
DHCP Client and Relay
Router/Switch as a DHCP Server
Forwarding Per-Hop Behavior for QoS such as Classification, Marking, Queuing, Congestion, Policing, Shaping
Classification
Congestion
Queuing
Shaping
Policing
Differentiated Services
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Trivial File Transfer Protocol (TFTP)
Differences between TFTP & FTP
Mind Map
Summary
Configure and Verify Inside Source NAT using Static and Pools
Configure and Verify NTP Operating in a Client and Server Mode
The Role of DHCP and DNS within the Network
The Function of SNMP in Network Operations
Use of Syslog Features
Configure and Verify DHCP Client and Relay
Forwarding Per-hop Behavior for QoS such as Classification, Marking, Queuing, Congestion, Policing, Shaping
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
Practice Question

Chapter 05: Security Fundamentals
Technology Brief
Security Concepts
Threats
Vulnerabilities
Exploits
Mitigation Techniques
Security Program Elements
User Awareness Training
Physical Access Controls
Configure Device Access Control using Local Passwords
Configure Local User-Specific Passwords
Configure AUX Line Password
Security Password Policies Elements
Password Management
Password Complexity
Password Alternatives
Remote Access and Site-to-Site VPNs
VPN
Remote Access VPN
Site-to-Site VPN
Mind Map
Configure and Verify Access Control Lists
Inbound and Outbound ACL
Lab: NAT, DHCP, NTP, Syslog, and SSH
Case Study
Topology Diagram
Configuration
Verification
Layer 2 Security Features
DHCP Snooping
Dynamic ARP Inspection
Port Security
Authentication, Authorization, and Accounting Concepts
AAA Components
Wireless Security Protocols
WPA
WPA2
WPA3
Configure WLAN using WPA2 PSK using GUI
WPA2-PSK Configuration with GUI
Verifying WPA2 PSK
Mind Map
Summary
Security Concepts
Security Program Elements
Configure Device Access Control Using Local Passwords
Security Password Policies Elements
Remote-Access and Site-to-Site VPNs
Configure and Verify Access Control Lists
Layer 2 Security Features
Authentication, Authorization, and Accounting Concepts
Wireless Security Protocols
Configure WLAN using WPA2 PSK using GUI
Practice Question

Chapter 06: Automation and Programmability
Automation Impacts on Network Management
Why do we need to automate our network?
How can automation of the network be beneficial?
Why Choose Cisco for Networking
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
SD-Access Architecture
Underlay
Overlay
Fabric
Separation of Control Plane and Data Plane
Northbound and Southbound APIs
Traditional Campus Device Management vs. Cisco DNA Center Enabled Device Management
Characteristics of REST-based APIs
CRUD
HTTP Verbs
Capabilities of Configuration Management Mechanisms
Puppet
Chef
Ansible
Interpret JSON Encoded Data
PHP JSON Encode and Decode
Encoding and Decoding
PHP JSON Encode
Mind Map
Summary
Automation Impacts on Network Management
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
Traditional Campus Device Management vs. Cisco DNA Center Enabled Device Management
Characteristics of REST-based APIs
Capabilities of Configuration Management Mechanisms
Interpret JSON Encoded Data
Practice Question

Answers:
Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Acronyms:
References:
About Our Products

About this Workbook

This workbook covers all the information you need to pass the Cisco CCNA 200-301 exam (Latest Exam). The workbook is designed to take a practical approach to learning, with real-life examples and case studies.
➢ Covers complete CCNA updated blueprint
➢ Summarized content
➢ Case Study based approach
➢ Ready to practice labs on Virtualized Environment
➢ 100% pass guarantee
➢ Mind maps

Cisco Certifications

Cisco Systems, Inc. specializes in networking and communications products and services. A leader in global technology, the company is best known for its business routing and switching products that direct data, voice, and video traffic across networks worldwide. Cisco also offers one of the most comprehensive vendor-specific certification programs in the world, the Cisco Career Certification Program. The program has six (6) levels, which begin at the Entry level and then advance to the Associate, Professional, and Expert levels. For some certifications, the program closes at the Architect level.

Figure 1. Cisco Certifications Skill Matrix

How do Cisco certifications help?

Cisco certifications are a de facto standard in the networking industry, and they help you boost your career in the following ways:
Get your foot in the door by launching your IT career
Boost your confidence level
Prove knowledge that helps improve employment opportunities

For companies, Cisco certifications are a way to:
Screen job applicants
Validate the technical skills of the candidate
Ensure quality, competency, and relevancy
Improve organization credibility and customers’ loyalty
Meet the requirement for maintaining the organization’s partnership level with OEMs
Help in job retention and promotion

Cisco Certification Tracks

Figure 2. Cisco Certifications Track

About the CCNA Exam
➢ Exam Number: 200-301 CCNA
➢ Associated Certifications: CCNA
➢ Duration: 120 minutes
➢ Exam Registration: Pearson VUE

The Cisco Certified Network Associate (CCNA) composite exam (200-301) is a 120-minute assessment that is associated with the CCNA certification.
This exam tests a candidate's knowledge and skills related to secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security. The following topics are general guidelines for the content likely to be included on the exam:
➢ Network Fundamentals 20%
➢ Network Access 20%
➢ IP Connectivity 25%
➢ IP Services 10%
➢ Security Fundamentals 15%
➢ Automation and Programmability 10%

The complete list of topics covered in the CCNA 200-301 exam can be downloaded from here.

Chapter 01: Network Fundamentals

Technology Brief

In computing, the term network refers to the interconnection of devices such as computers, laptops, IoT devices, servers, routers, and much more. This network of devices is capable of sharing information among its members and offers different services over the network. The evolution of computer networks has raised the demand for network engineers who can install, configure, operate, and troubleshoot everything from small personal area networks to large-scale enterprise networks. Typical Networking Fundamentals topics include WAN technologies, basic security and wireless concepts, routing and switching fundamentals, and configuring simple networks.

In this chapter, we will discuss the role and function of network components, the characteristics of network topology architectures, the TCP and UDP network protocols, wireless principles, virtualization fundamentals (virtual machines), and switching concepts and their categories. This chapter also examines the limitations of IPv4 and describes how IPv6 resolves these issues while offering other advantages as well, covering the rationale for IPv6 and the concerns regarding IPv4 address depletion. It presents a brief history of both IPv4 and IPv6 addressing and address types, and it also includes the representation of IPv6 addresses, along with the IPv6 header.
Role and Function of Network Components

A network is a set of interconnected devices sharing resources. A computer network allows different computers and devices to connect to one another and share resources. A network architecture consists of numerous devices, each of which performs a definite function or set of functions in the network. It is essential to understand the purpose of each device so that you are familiar with the functionality of every device used in the network. In this section, we will cover these devices.

Network Topology

Network topology describes the relationship between the various elements of a network. It can be categorized as physical or logical topology: physical topology shows the physical network infrastructure, whereas logical topology shows the logical overview of the network. Network topology boils down to two basic elements: nodes and links. Nodes represent any number of possible network devices, such as routers, switches, servers, phones, cameras, or laptops. The topological structure of a network consists of nodes and links that are connected physically or logically.

Bus Topology

In a bus topology, all devices share a single communication line or cable. Bus topologies may have issues when multiple hosts send data at the same time; therefore, a bus topology either uses CSMA/CD or recognizes one host as the Bus Master to solve this issue. It is one of the simplest forms of networking, where the failure of a device does not affect the other devices. However, failure of the shared communication line stops all the other devices from communicating.

Figure 1-01: Bus Topology

Ring Topology

In a ring topology, each host machine connects to exactly two other machines, creating a circular network structure. When one host tries to communicate with a host that is not adjacent to it, the data travels through all the intermediate hosts.
To connect one more host to the existing structure, the administrator may need only one extra cable.

Figure 1-02: Ring Topology

Star Topology

The advantage of the star topology is that a central device serves as the mediator for every station; the stations are connected to each other only indirectly, through that device. The disadvantage is that it is costly and depends entirely on the hub or central device. The following figure illustrates a star topology:

Figure 1-03: Star Topology

Mesh Topology

In a mesh topology, each computer is interconnected with every other computer. That is the simplest way to explain mesh; there is deeper theoretical background (Reed’s law, flooding and routing) that could be explored, but what matters here is that the disadvantages of mesh are difficult installation and expensive cabling. On the other hand, it is good when it comes to providing security and privacy, and troubleshooting is easy. The following figure shows a mesh topology structure:

Figure 1-04: Mesh Topology

Hybrid Topology

A hybrid topology is a mixture of more than one topology, which may include mesh topology, star topology, ring topology, etc. The disadvantage of one topology may be offset by the advantage of another; thus, the reason for building a hybrid topology is to eliminate the shortcomings of the individual topologies.

Figure 1-05: Hybrid Topology

Routers

Routers are used to connect networks. A router receives a packet, examines the destination IP address to determine which network the packet needs to reach, and then sends the packet out of the corresponding interface. Routers forward information by inspecting each packet as it arrives: the router reads the destination address and then, using tables of defined routes, determines the best way for the data to continue its journey.
Unlike bridges and switches, which use the hardware-configured MAC address to determine the destination of the data, routers use the software-configured network address to make decisions. This approach makes routers more functional than bridges or switches, and it also makes them more complex because they have to work harder to determine that information.

Figure 1-06: Router

Functions
● Routers work on the Internet Protocol (IP), specifically on the logical address, also known as the IP address
● Routers perform their actions at Layer 3, i.e., the Network Layer of the OSI model
● They route traffic from one network to the desired destination network
● As described, a router is an intelligent device that first determines the network to which the traffic belongs
● After deciding, the router forwards the traffic to the required destination

Applications
● Routers provide interfaces for different physical network connections such as copper cables, optical fiber, or wireless transmission
● The Network Administrator can configure the routing table manually as well as dynamically
● Routers build their routing tables using static routes and dynamic routing protocols
● Multiple routers are used in interconnected networks
● Dynamic exchange of information about destinations is made possible by dynamic routing protocols; for static routes, the administrator has to configure the routing path manually

L2 and L3 Switches

The Open Systems Interconnection (OSI) model is a reference model for describing and explaining network communications; the terms Layer 2 and Layer 3 are adopted from it. The OSI model has seven layers: application, presentation, session, transport, network, data link, and physical. The network layer is Layer 3 and the data link layer is Layer 2.

Figure 1-07: OSI Model

Layer 2 switches provide direct data transmission between two devices within a LAN.
A Layer 2 switch’s purpose is to maintain a table of Media Access Control (MAC) addresses. Data frames are switched by MAC address individually inside the LAN; those MAC addresses are not visible outside it. A Layer 2 switch can assign VLANs to specific switch ports, and those VLANs in turn belong to different Layer 3 subnets, so communication with other VLANs or LANs requires a Layer 3 function.

Figure 1-08: Layer 2 & Layer 3 Switches

Difference between Layer 2 and Layer 3 Switches

The basic difference between Layer 2 and Layer 3 is the routing function. Layer 2 works only on MAC addresses and does not concern itself with IP addresses or any items of higher layers. A Layer 3 switch can perform all the tasks that a Layer 2 switch can; furthermore, it can do dynamic routing and static routing. This means a Layer 3 switch has both a MAC address table and an IP routing table, and handles intra-VLAN communication as well as packet routing between distinct VLANs. A switch that adds merely static routing is known as a Layer 2+ or Layer 3 Lite switch. Other than routing packets, Layer 3 switches also include functions that need the capability to understand the IP address information of data arriving at the switch, such as tagging VLAN traffic depending on IP addresses instead of manually configuring a port. Layer 3 switches are also considered more reliable from a security and power perspective.

Which Device Do You Need?

With the emergence of Layer 3 switches, deciding when to use a Layer 2 switch and when to use a Layer 3 switch, whether to choose a Layer 3 switch or a router for routing, and similar predicaments are troubling many people. Which device is the better one according to your needs?

Figure 1-09: Layer 2 Switch, Layer 3 Switch and Router

When choosing between Layer 2 and Layer 3 switches, you should think about where the switch will be used. If you have a pure Layer 2 domain, you can simply go for a Layer 2 switch; if you need to do inter-VLAN routing, then you need a Layer 3 switch.
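The forwarding behaviour described above for routers (destination IP looked up in a table of routes) and for Layer 2 and Layer 3 switches (a VLAN-scoped MAC table, plus an IP routing table on the Layer 3 switch) can be modelled in a few lines. The following is an added example written for this section; it is not code from the workbook or from any Cisco product. The port names, MAC addresses, prefixes, and next hops are constructed for the illustration, and the lookup uses longest prefix match, which is what the "Longest Match" section of Chapter 03 describes.

```python
"""Toy model of Layer 2 switching and Layer 3 routing (constructed example)."""
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Switch:
    """Forwards frames by destination MAC; the MAC table is scoped per VLAN."""

    def __init__(self, port_vlans):
        # port -> access VLAN, e.g. {"Gi0/1": 10}; names are constructed
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port, learned from the source MAC of received frames
        self.mac_table = {}

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        vlan = self.port_vlans[in_port]
        # MAC learning: the source MAC is reachable behind the ingress port
        self.mac_table[(vlan, src_mac)] = in_port
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac == BROADCAST or known is None:
            # Broadcast or unknown unicast: flood to every other port in the VLAN,
            # never to ports in other VLANs (that needs the Layer 3 function)
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        return [known]


class Layer3Forwarder:
    """Routing table with longest-prefix-match lookup (router or L3 switch)."""

    def __init__(self):
        self.routes = []  # (network, exit interface, next hop or None if connected)

    def add_route(self, prefix, interface, next_hop=None):
        self.routes.append((ip_network(prefix), interface, next_hop))

    def lookup(self, dst_ip):
        """Return (prefix, interface, next_hop) of the most specific matching route."""
        addr = ip_address(dst_ip)
        best = None
        for net, iface, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        if best is None:
            return None  # no route and no default route: the packet is dropped
        return (str(best[0]), best[1], best[2])


def needs_routing(src_with_prefix, dst_ip):
    """True when the destination lies outside the sender's own subnet, so the
    host hands the packet to its gateway (a router or Layer 3 switch)."""
    return ip_address(dst_ip) not in ip_network(src_with_prefix, strict=False)


def demo():
    """Walk through both devices on a constructed two-VLAN topology."""
    results = {}
    sw = Layer2Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20})
    # Host A (Gi0/1) sends to host B before the switch has learned B: flooded in VLAN 10 only
    results["unknown_unicast"] = sw.receive("Gi0/1", "00:00:00:00:00:0a", "00:00:00:00:00:0b")
    # B replies; A was learned on Gi0/1, so the frame goes to that single port
    results["known_unicast"] = sw.receive("Gi0/2", "00:00:00:00:00:0b", "00:00:00:00:00:0a")

    l3 = Layer3Forwarder()
    l3.add_route("10.1.10.0/24", "Vlan10")             # connected (VLAN 10 SVI)
    l3.add_route("10.1.20.0/24", "Vlan20")             # connected (VLAN 20 SVI)
    l3.add_route("10.0.0.0/8", "Gi0/0", "192.0.2.1")   # summary towards the core
    l3.add_route("0.0.0.0/0", "Gi0/1", "198.51.100.1") # default route to the ISP
    results["inter_vlan"] = l3.lookup("10.1.20.7")     # /24 beats the /8 summary
    results["summary"] = l3.lookup("10.9.9.9")         # only the /8 (and default) match
    results["default"] = l3.lookup("203.0.113.5")      # falls through to the default
    results["needs_routing"] = needs_routing("10.1.10.5/24", "10.1.20.7")
    results["same_subnet"] = needs_routing("10.1.10.5/24", "10.1.10.9")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the switch floods the unknown destination only within VLAN 10, so a host in VLAN 20 never sees it, which is exactly why inter-VLAN traffic has to pass through the Layer 3 table; and that the /24 connected route wins over the /8 summary even though both contain the address.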
A pure Layer 2 domain is where the hosts are connected, so a Layer 2 switch will work fine there. This is usually called the access layer in a network topology. If the switch is required to aggregate multiple access switches and do inter-VLAN routing, then a Layer 3 switch will be needed. This is known as the distribution layer in a network topology. Since both the Layer 3 switch and the router have routing functions, which one is better? Actually, it is less a question of which is better for routing, as both are useful in particular applications. If you want to do multiple switching and inter-VLAN routing, and need no further routing to the Internet Service Provider (ISP)/WAN, then you can go well with a Layer 3 switch. Otherwise, you should go for a router with more Layer 3 features.

Table 1-01: Layer 2 & Layer 3 Switches

Next-Generation Firewalls and IPS

Firewalls have evolved beyond simple packet filtering and stateful inspection.
Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. According to Gartner, Inc.’s definition, a next-generation firewall must include:
● Standard firewall capabilities like stateful inspection
● Integrated intrusion prevention
● Application awareness and control to see and block risky apps
● Upgrade paths to include future information feeds
● Techniques to address evolving security threats

Figure 1-10: Firewall

Traditional Firewall vs. Next Generation Firewalls

As their name suggests, next generation firewalls are a more advanced version of the traditional firewall, and they offer the same benefits. Like regular firewalls, NGFWs use both static and dynamic packet filtering and VPN support to ensure that all connections between the network, the internet, and the firewall are valid and secure. Both firewall types should also be able to translate network and port addresses in order to map IPs. There are also fundamental differences between traditional and next generation firewalls. The most obvious difference between the two is an NGFW’s ability to filter packets based on applications. These firewalls have extensive control and visibility of the applications that they are able to identify using analysis and signature matching. They can use whitelists or a signature-based IPS to distinguish between safe applications and unwanted ones, which are then identified using SSL decryption. Unlike most traditional firewalls, NGFWs also include a path through which future updates will be received.

Importance of Next Generation Firewalls

Installing a firewall is essential for any business. In today’s environment, having a next generation firewall is a mandatory part of the network. Threats to personal devices and larger networks are changing every day. With the flexibility of an NGFW, it protects devices and companies from a much broader spectrum of intrusions.
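The difference between port-based filtering and application-aware filtering is easier to see in code than in prose. The following is an added example for this section, not code from the workbook or from any firewall vendor: a traditional rule set keyed on protocol and port sits beside an NGFW-style policy that first identifies the application from a payload signature and then checks that the application is the one expected on that port. The signatures, rules, and sample flows are all constructed and simplified (a real product identifies applications from far more than the first bytes of a flow).

```python
"""Port-based vs application-aware firewall policy (constructed example)."""
from dataclasses import dataclass

# Hypothetical first-bytes signatures used to identify the application layer
# protocol regardless of the port the flow arrives on.
APP_SIGNATURES = (
    (b"SSH-", "ssh"),      # SSH banner
    (b"\x16\x03", "tls"),  # TLS handshake record header
    (b"GET ", "http"),     # plaintext HTTP request
    (b"POST ", "http"),
)


def identify_app(payload):
    """Classify a flow by payload signature; 'unknown' when nothing matches."""
    for prefix, app in APP_SIGNATURES:
        if payload.startswith(prefix):
            return app
    return "unknown"


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # first bytes seen from the client


# Traditional rule set: decisions keyed on protocol and destination port only.
PORT_RULES = {("tcp", 80), ("tcp", 443)}

# NGFW-style rule set: for each open port, which applications are expected there.
APP_RULES = {("tcp", 80): {"http"}, ("tcp", 443): {"tls"}}


def port_based_decision(flow):
    """Stateful packet filter: allow if the port is open, whatever runs over it."""
    return "allow" if (flow.proto, flow.dst_port) in PORT_RULES else "deny"


def app_aware_decision(flow):
    """NGFW: the port must be open AND the identified application must be one
    the policy expects on that port. Unknown applications are denied."""
    allowed_apps = APP_RULES.get((flow.proto, flow.dst_port))
    if not allowed_apps:
        return "deny"
    return "allow" if identify_app(flow.payload) in allowed_apps else "deny"


def evaluate(flows):
    """Return (port-based decision, application-aware decision) per flow."""
    return [(port_based_decision(f), app_aware_decision(f)) for f in flows]


# Constructed sample flows; the SSH banner string is illustrative only.
SAMPLE_FLOWS = [
    Flow("tcp", 443, b"\x16\x03\x01\x00\xa5"),      # TLS on 443: expected
    Flow("tcp", 443, b"SSH-2.0-Example\r\n"),       # SSH riding on port 443
    Flow("tcp", 22, b"SSH-2.0-Example\r\n"),        # SSH on its own, closed port
    Flow("tcp", 80, b"GET / HTTP/1.1\r\n"),         # plaintext HTTP: expected
]


if __name__ == "__main__":
    for flow, (port_verdict, app_verdict) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow.proto}/{flow.dst_port} {identify_app(flow.payload):7s} "
              f"port-based={port_verdict:5s} app-aware={app_verdict}")
```

The second sample flow is the case the text calls out: a port-only filter allows it because 443 is open, while the application-aware policy denies it because the traffic on that port is not TLS. Logging the identified application alongside the verdict, as the print loop does, is also what makes such mismatches visible to the operations team.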
Although these firewalls are not the right solution for every business, security professionals should carefully consider the benefits that NGFWs can provide, as they have a very large upside. Cisco's Firepower Next-Generation Firewall (NGFW) combines IPS threat prevention, integrated application control and firewall capabilities in a high-performance security appliance.

Functions
● NGFWs are able to block malware from entering a network
● They are better equipped to address Advanced Persistent Threats (APTs)
● NGFWs can be a low-cost option for companies looking to improve their basic security, because they can incorporate the work of antiviruses, firewalls, and other security applications into one solution

Applications
● NGFWs, being more intelligent and with deeper traffic inspection, may also be able to perform intrusion detection and prevention. Some next-gen firewalls might include enough IPS functionality that a stand-alone IPS is not needed
● NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This can possibly check phishing, virus, and other malware sites and applications
● They can identify and filter traffic based upon the specific applications, rather than just opening ports for any and all traffic. This prevents malicious applications and activity from using nonstandard ports to evade the firewall

Access Points

An access point is a device that offers network connectivity to a large number of endpoints. A wireless access point typically connects to a wired router, switch, or WLC to provide wireless connectivity. For example, if you want to enable Wi-Fi access in your company's reception area but do not have a router within range, you can install an access point near the front desk and run an Ethernet cable through the ceiling back to the server room.
Figure 1-11: Access Point

Advantages of Using Wireless Access Points

When you have both employees and guests connecting with their laptops, mobile phones, and tablets, many devices will be connecting to and disconnecting from the network. To support these simultaneous connections, an access point gives you the scalability to connect that number of devices to your network. But that is only one of the advantages of using these network enhancers; consider these points:

● Business-grade access points can be installed anywhere you can run an Ethernet cable. Newer models are also compatible with Power over Ethernet Plus, or PoE+ (a combination Ethernet and power cord), so there is no need to run a separate power line or install an outlet near the access point
● Additional standard features include Captive Portal and Access Control List (ACL) support, so you can limit guest access without compromising network security, as well as easily manage users within your Wi-Fi network
● Selected access points include a Clustering feature: a single point from which the IT administrator can view, deploy, configure, and secure a Wi-Fi network as a single entity rather than as a series of separate access point configurations

Controllers (Cisco DNA Center and WLC)

Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco's intent-based network architecture. It offers centralized, intuitive management that makes it fast and easy to design, provision, and apply policies across your network environment. The Cisco DNA Center UI provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience.

The Cisco Wireless Controller (WLC) series devices provide a single solution to configure, manage and support corporate wireless networks, regardless of their size and location.
Cisco WLCs have become very popular during the last decade as companies move from standalone Access Point (AP) deployment designs to a centralized controller-based design, reaping the enhanced functionality and redundancy benefits that come with controller-based designs. Cisco currently offers a number of different WLC models, each targeted at a different network size. As expected, the larger models (WLC 8500, 7500, 5760, etc.) offer more high-speed gigabit network interfaces, high availability and some advanced features required in large and complex networks, for example support for more VLANs and Wi-Fi networks, thousands of APs and clients per WLC device, and much more. Recently, Cisco has begun offering WLC services in higher-end Catalyst switches by embedding the WLC inside the switch (e.g., Catalyst 3850), and also as a virtual image, the 'Virtual WLC', that runs under VMware ESX/ESXi 4.x/5.x. Finally, Cisco ISR G2 2900 and 3900 series routers can accept Cisco UCS-E server modules, adding WLC functionality and supporting up to 200 access points and 3000 clients.

Exam Tip: WLC interfaces, their physical and logical ports, how they connect to the network, and how wireless SSIDs are mapped to VLAN interfaces are very important topics for the exam.

Endpoints

An endpoint is a remote computing device that communicates back and forth with the network to which it is connected. Examples of endpoints include:

● Desktops
● Laptops
● Smartphones
● Tablets
● Servers
● Workstations

Endpoints represent key vulnerable points of entry for cybercriminals. Endpoints are where attackers execute code and exploit vulnerabilities, and where there are assets to be encrypted, exfiltrated or leveraged. With organizational workforces becoming more mobile and users connecting to internal resources from off-premise endpoints all over the world, endpoints are increasingly susceptible to cyberattacks.
Objectives for targeting endpoints include, but are not limited to:

› Take control of the device and use it to execute an attack
› Use the endpoint as an entry point into an organization to access high-value assets and information

For several decades, organizations have relied heavily on antivirus software as the means to secure endpoints. However, traditional antivirus can no longer protect against today's modern threats. An advanced endpoint security solution should prevent known and unknown malware and exploits; incorporate automation to alleviate security team workloads; and protect and enable users without impacting system performance.

Servers

A server is a computer program or a device that provides functionality for other programs or devices. In other words, a server is a software or hardware device that accepts and responds to requests made over a network. The device that makes the request, and receives a response from the server, is called a client. On the internet, the term "server" commonly refers to the computer system that receives a request for a web document and sends the requested information to the client.

Servers are used to manage network resources. For example, a user may set up a server to control access to a network, send/receive emails, manage print jobs, or host a website. They are also proficient at performing intense calculations. Some servers are committed to a specific task and are often referred to as dedicated. However, many servers today are shared servers that can take on the responsibility of email, DNS, FTP, and even multiple websites in the case of a web server.

Types of Servers

Servers are frequently categorized in terms of their purpose. A few examples of the types of servers available are:

● Web server: a computer program that serves web pages or files.
● Application server: a program in a computer that provides the business logic for an application program
● Proxy server: software that acts as an intermediary between a client, such as a computer, and another server from which the user or client is requesting a service
● Mail server: an application that receives incoming emails from local users (people within the organization) and remote senders, and forwards outgoing emails for delivery
● Virtual server: a program running on a shared server that is configured in such a way that it appears to individual users that they have complete control of a server
● Blade server: a server chassis for housing multiple thin, modular electronic circuit boards, known as blades. Each blade is a server in its own right, often dedicated to a single application
● File server: a computer responsible for the central storage and management of data files so that other computers on the same network can access them
● Policy server: a security component of a network that facilitates the tracking and control of files

Characteristics of Network Topology Architectures

Network topology is defined as the arrangement of computer systems, or nodes, to form a computer network. There are two types of network topology: physical topology and logical topology. The physical topology of a network refers to the physical arrangement of the computer nodes based on the configuration of computers, cables, and other peripherals, whereas the logical topology is the method used to pass information between workstations. Both topologies exist in a Local Area Network (LAN). All the nodes in a LAN are connected with each other through a physical medium; the arrangement of that hardware is the physical topology, while the way data flows through this arrangement is the logical topology. The characteristics of the network topology architectures are as follows:

2 Tier

The word "tier" usually refers to splitting the two software layers onto two distinct physical pieces of hardware.
Multi-layer programs can be based on one tier or level, but because of operational preferences, many two-tier architectures use a computer for the first tier and a server for the second tier. A two-tier or two-level architecture is a software architecture in which a presentation layer or interface runs on a client, and a data layer or data structure is stored on a server. Separating these two components into different locations represents a two-tier architecture.

Figure 1-12: Two-Tier Network Design Model

3 Tier

A three-tier or three-level architecture is a client-server architecture design in which the functional process logic, data access, computer data storage and UI (user interface) are developed and maintained as independent modules on separate platforms. Three-tier architecture is a software configuration design pattern and a well-established software architecture structure. Three-tier architecture permits any one of the three tiers to be upgraded or replaced independently. The UI (User Interface) is implemented on a desktop PC and it uses a standard GUI (Graphical User Interface) served by different modules running on the application server.
The three layers included in a typical three-tier network design are:

● Core: the ideal channel for high-performance routing. Due to the criticality of the core layer, the design principles of the core should provide a suitable level of flexibility that offers the capability to recover rapidly and easily after any network or system failure experienced within the core block
● Distribution: policy-based connectivity and the boundary between the access and core layers
● Access: user/workgroup access to the system or network

The two essential and common hierarchical design architectures of enterprise networks are the three-tier and two-tier layer models.

Figure 1-13: Three-Tier Network Design Model

The design model illustrated in the above figure is usually used in large enterprise campus networks that are constructed from multiple functional distribution layer blocks. The hierarchical network design model breaks the complex system into multiple smaller and more manageable networks. Each tier or level in the hierarchy is focused on a specific set of roles. This design approach offers network designers a high degree of flexibility to optimize and select the right network hardware, software, and features to perform specific roles for the different network layers.

Spine-Leaf

With the increased emphasis on massive information transmissions and instantaneous information travel in the network, the aging three-tier architecture within a data center is being replaced by the Leaf-Spine architecture. A Leaf-Spine architecture is adaptable to the continuously changing requirements of companies in big data industries with evolving data centers.

Leaf-Spine Network Topology

With Leaf-Spine configurations, all devices are exactly the same number of segments away from each other, so there is a predictable and consistent amount of latency or delay for data traveling through the network. This is possible because the new topology design has only two layers, the Leaf layer and the Spine layer.
The Leaf layer consists of access switches that connect to devices like servers, load balancers, firewalls, and edge routers. The Spine layer (made up of switches that perform routing) is the backbone of the network, where every Leaf switch is interconnected with each and every Spine switch.

Figure 1-14: Leaf-Spine Architecture Design

WAN

A Wide Area Network helps organizations expand geographically around the globe. By using WAN services from service providers, usually called "off-sourcing" or "outsourcing", organizations only have to focus on their local connectivity while the rest of the network is taken care of by the service providers. The following figure shows the basic network topology seen under a Wide Area Network in use today:

Figure 1-15: WAN Network

WAN Topology Options

There are four basic topologies for a WAN design.

Point-to-Point

The connection between two endpoints or nodes is known as a Point-to-Point connection. Typically, a point-to-point connection is used when a dedicated link is required from the customer premises to the provider's network. Point-to-point communication links usually offer high service quality, if they have adequate bandwidth. The dedicated capacity removes latency or jitter between the endpoints.

Figure 1-16: Point-to-Point Topology

Hub and Spoke

In this topology, there is a single hub (central router) that provides access from remote networks to a core router. You can see the diagram for Hub and Spoke below.

Figure 1-17: Hub & Spoke Topology

Communication among the networks travels through the core router. The advantages of a star physical topology are lower cost and easier administration, but the disadvantages can be significant:

● (HUB) The central router represents a single point of failure
● (HUB) The central router limits the overall performance for access to centralized resources.
It is a single pipe that manages all traffic intended either for the centralized resources or for the other regional routers

Full Mesh

In a Full Mesh, each routing node on the edge of a given packet-switching network has a direct path to every other node on the cloud. You can see how it works in the following diagram.

Figure 1-18: Full Mesh Topology

This topology provides a high level of redundancy, but its costs are the highest. In practice, a fully meshed topology is not viable in large packet-switched networks. Here are some issues you will contend with when using a fully meshed topology:

● Many virtual circuits are required, one for every connection between routers, which drives up the cost
● Configuration of this topology is more complex for routers without multicast support in non-broadcast environments

Figure 1-19: Partially Meshed Topology

Single vs Dual-Homed

On one end of a WAN link, when a single connection is implemented using a single network interface, it is called a single-homed connection. When an additional network interface is dedicated to the same WAN link, it is called a dual-homed connection. This is typically done for purposes of redundancy. In many cases this concept is applied to the organization's connection to its ISP. Taking this concept a step further, both single-homed and dual-homed connections can be duplicated, with one set of connections to one ISP and another set of connections to a different ISP, providing both link redundancy and ISP redundancy. When this is done with a dual-homed connection to each ISP, they are called dual-multi-homed connections. If a single-homed connection is provided for each ISP, it is called a dual-single-homed connection.

WAN Access Connectivity Options

A WAN can use a number of different connection types available on the market today.
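The claims made above about the Leaf-Spine design (every leaf the same number of segments from every other leaf) and about the WAN topologies (the hub as a single point of failure, one virtual circuit per router pair in a full mesh) can be checked by modelling each topology as a set of links. The following is an added example, not code from the workbook or from Cisco; the device names and sizes are constructed, and the "single point of failure" test removes one transit device at a time and looks for endpoint pairs that lose connectivity.

```python
"""Model the WAN topologies above (hub-and-spoke, full mesh) and the
data-center leaf-spine design as link sets, then check the properties the
text claims: link count, hop count between endpoints, and whether any
single device is a single point of failure. Added example, not from the
workbook; device names and sizes are constructed."""
from collections import deque
from itertools import combinations


def build_hub_and_spoke(spokes, hub="hub"):
    """Hub-and-spoke: every remote router has exactly one link, to the hub."""
    return {(hub, spoke) for spoke in spokes}


def build_full_mesh(routers):
    """Full mesh: a direct link (virtual circuit) between every pair."""
    return set(combinations(sorted(routers), 2))


def build_leaf_spine(leaves, spines):
    """Leaf-spine: every leaf connects to every spine; no leaf-to-leaf or
    spine-to-spine links."""
    return {(leaf, spine) for leaf in leaves for spine in spines}


def adjacency(links, failed=None):
    """Adjacency map for the link set, optionally with one device removed
    to simulate its failure."""
    adj = {}
    for a, b in links:
        if failed in (a, b):
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hops(links, src, dst, failed=None):
    """Number of links on the shortest path from src to dst (BFS), or None
    if dst is unreachable."""
    adj = adjacency(links, failed)
    if src not in adj or dst not in adj:
        return None
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def single_points_of_failure(links, endpoints):
    """Transit devices whose loss would disconnect at least one pair of
    endpoints (the spokes, the mesh routers, or the leaf switches)."""
    transit = {n for link in links for n in link} - set(endpoints)
    spofs = set()
    for device in transit:
        for a, b in combinations(endpoints, 2):
            if hops(links, a, b, failed=device) is None:
                spofs.add(device)
                break
    return spofs


def summarize(links, endpoints):
    """Link count, the longest endpoint-to-endpoint path, and the SPOF set."""
    longest = max(hops(links, a, b) for a, b in combinations(endpoints, 2))
    return {"links": len(links), "max_hops": longest,
            "spofs": sorted(single_points_of_failure(links, endpoints))}


if __name__ == "__main__":
    branches = ["branch1", "branch2", "branch3", "branch4"]
    leaves = ["leaf1", "leaf2", "leaf3", "leaf4"]
    print("hub-and-spoke:", summarize(build_hub_and_spoke(branches), branches))
    print("full mesh:    ", summarize(build_full_mesh(branches), branches))
    print("leaf-spine:   ", summarize(build_leaf_spine(leaves, ["spine1", "spine2"]), leaves))
```

Running it shows the trade-off in numbers: four branches need 4 links in a hub-and-spoke (with the hub as the only single point of failure), 6 links in a full mesh (no single point of failure, one hop everywhere), and a four-leaf, two-spine fabric needs 8 links with every leaf-to-leaf path exactly two hops long even after one spine fails.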
The figure below shows the different WAN connection types that can be used to connect your LANs (made up of Data Terminal Equipment, or DTE) together over the Data Communication Equipment (DCE) network.

Figure 1-20: WAN Access Connect Options

Let's look at the different WAN connectivity options:

Dedicated (Leased Lines): These are usually called point-to-point or dedicated connections. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, and then over to the CPE of the remote site. The CPE enables DTE networks to communicate at any time with no cumbersome setup procedures to muddle through before transmitting data.

Circuit Switching: When you see the term circuit switching, think phone call. The big advantage is cost; Plain Old Telephone Service (POTS) and ISDN dial-up connections are not flat rate, which is their advantage over dedicated lines because you pay only for what you use, and you pay only when the call is established. No data can be transferred before an end-to-end connection is established. Circuit switching uses dial-up modems or ISDN and is used for low-bandwidth data transfers.

Packet Switching: This is a WAN switching method that allows you to share bandwidth with other companies to save money, just like an old party line, where homes shared the same phone number and line to save money. Packet switching can be thought of as a network that is designed to look like a leased line, yet charges you less, as circuit switching does. As usual, you get what you pay for, and there is definitely a serious downside to this technology.

Small Office/Home Office (SOHO)

A SOHO is generally a remote office or enterprise environment with a small to medium infrastructure. SOHO users are connected to the corporate headquarters by using WAN MPLS or other technology-based services provided by service providers. Normally, access switches are used to provide connectivity within a SOHO environment.
Figure 1-21: SOHO Network Topology

On-Premises and Cloud

On-premises system monitoring software has been the standard for quite a long time. Presently, some organizations are moving to cloud-based network monitoring and management. Some applications make a lot of sense in the cloud, like CRM software and marketing automation solutions. Deploying in the cloud can save your organization money and give you greater flexibility.

Physical Interface and Cabling Types

Physical interfaces consist of a software driver and a connector into which you plug network media, such as an Ethernet cable, whereas cabling is the channel through which data transfers from one network device to another. There are numerous types of cable that are generally used with LANs. In some cases, a network will use only one type of cable; other networks will use multiple types of cable. The type of cable selected for a network is related to the protocol, the network's topology, and its size. Understanding the features of the different types of cables and how they relate to other aspects of a network is essential for the development of a successful network. The following sections discuss the categories of cables used in networks and other related topics.

Cabling Type and Implementation Requirements

Selecting the Appropriate Cabling Type Based on Implementation Requirements

Several types of cables and connectors can be used in a network, depending on the requirements for the network and the type of Ethernet to be implemented. These connectors also vary depending on the type of media that you have installed. Nowadays, Ethernet is considered the king when it comes to cabling.
The table below shows some forms of Ethernet cabling of which you should be aware:

Table 1-02: Various Cabling Options

Ethernet Connectivity Recommendations

Table 1-03: Cabling Requirements over Different Layers

Straight and Crossover Cables

Making the right choice of cable can be tricky when troubleshooting. Just imagine: you have already checked the running configurations, all of which you thought you programmed accurately, and then all of a sudden one of the indicator lights on the switch is not lighting up because you used the wrong cable.

Figure 1-22: Ethernet Cable

A straight-through cable uses the same wiring scheme at both ends, but a crossover cable does not; that is why crossover cables are called crossover cables: the strands cross over. Notice that pins 1 and 2 cross over to pins 3 and 6 and vice versa, or simply keep in mind that the orange pair is swapped with the green pair.
Let's figure out what type of cable to use based on the devices being connected:

● A crossover cable is used between similar devices
● A straight-through cable is used between dissimilar devices

All of the devices attached to a switch must use a straight-through cable, except switch to switch and switch to hub.

A crossover cable is used for the device pairs given below:

● Similar devices
● Switch to Switch
● Router to Router
● Hub to Hub
● Switch to Hub
● PC to PC
● Router to PC

A straight-through cable is used for the device pairs given below:

● Switch and Hub
● Switch to Router
● Switch to PC
● Switch to Server
● Hub to PC
● Hub to Server
● Router and Hub

Single Mode Fiber, Multimode Fiber, Copper

Single Mode Cable

Single Mode Cable is a single strand (most applications use 2 fibers) of glass fiber with a diameter of 8.3 to 10 microns that has one mode of communication. Single-mode fiber has a relatively narrow diameter through which only one mode will propagate, typically at 1310 or 1550 nm. It carries higher bandwidth than multimode fiber, but requires a light source with a narrow spectral width. Single-mode fiber is used in many applications where data is sent at multiple frequencies (WDM, Wave-Division Multiplexing), so only one cable is needed (single mode on one single fiber). Single-mode fiber gives you a higher transmission rate and up to 50 times more distance than multimode, but it also costs more. Single-mode fiber has a much smaller core than multimode. The small core and single light wave virtually eliminate any distortion that could result from overlapping light pulses, providing the least signal attenuation and the highest transmission speeds of any fiber cable type. Single-mode optical fiber is an optical fiber in which only the lowest-order bound mode can propagate at the wavelength of interest, typically 1300 to 1320 nm.
Multimode Cable

Multimode cable has a slightly bigger diameter, with common diameters in the 50-to-100 micron range for the light-carrying component (in the US, the most common size is 62.5 µm). In most applications in which multimode fiber is used, 2 fibers are used (WDM is not usually used on multimode fiber). Multimode fiber gives you high bandwidth at high speeds (10 to 100 Mb/s; Gigabit to 275 m to 2 km) over medium distances. Light waves are dispersed into numerous paths, or modes, as they travel through the cable's core, typically at 850 or 1300 nm. Typical multimode fiber core diameters are 50, 62.5, and 100 micrometers. However, in long cable runs (greater than 3000 feet [914.4 meters]), multiple paths of light can cause signal distortion at the receiving end, resulting in unclear and incomplete data transmission. So, designers now call for single mode fiber in new applications using Gigabit and beyond.

Copper Cable

Networks use copper media because it is inexpensive, easy to install, and has low resistance to electrical current. However, copper media is limited by distance and signal interference. Data is transmitted on copper cables as electrical pulses between networks. A detector in the network interface of the destination device must receive a signal that can be successfully decoded to match the signal sent. However, the farther the signal travels, the more it deteriorates, in a phenomenon referred to as signal attenuation. For this reason, all copper media must follow strict distance limitations as specified by the guiding standards.

Copper Media

In networking, there are three main types of copper media used:

● Unshielded Twisted-Pair (UTP)
● Shielded Twisted-Pair (STP)
● Coaxial

Unshielded Twisted Pair (UTP) Cable

Twisted pair cabling comes in two varieties: shielded and unshielded. Unshielded Twisted Pair (UTP) is the most popular and is generally the best option for school networks.
Figure 1-23: Unshielded Twisted Pair

The quality of UTP may vary from telephone-grade wire to extremely high-speed cable. The cable has four pairs of wires inside the jacket. Each pair is twisted with a different number of twists per inch to help eliminate interference from adjacent pairs and other electrical devices. The EIA/TIA (Electronic Industry Association/Telecommunication Industry Association) has established standards for UTP and rated five categories of wire.

Table 1-04: Categories of Unshielded Twisted Pair

Unshielded Twisted Pair Connector

The standard connector for unshielded twisted pair cabling is an RJ-45 connector. This is a plastic connector that looks like a large telephone-style connector. A slot allows the RJ-45 to be inserted only one way. RJ stands for Registered Jack, implying that the connector follows a standard borrowed from the telephone industry. This standard designates which wire goes with each pin inside the connector.

Figure 1-24: RJ-45 Connector

A disadvantage of UTP is that it may be susceptible to radio and electrical frequency interference. Shielded Twisted Pair (STP) is suitable for environments with electrical interference; however, the extra shielding can make the cables quite bulky. Shielded twisted pair is often used on networks using Token Ring technology.

Figure 1-25: Shielded Twisted Pair (STP)

Coaxial Cable

Coaxial cabling has a single copper conductor at its center. A plastic layer provides insulation between the center conductor and a braided metal shield. The metal shield helps to block any outside interference from fluorescent lights, motors, and other computers.
Figure 1-26: Coaxial Cable

Coaxial Cable Connectors

The most common type of connector used with coaxial cables is the Bayonet Neill-Concelman (BNC) connector. Different types of adapters are available for BNC connectors, including a T-connector, barrel connector, and terminator. Connectors on the cable are the weakest points in any network. To help avoid problems with your network, always use the BNC connectors that crimp, rather than screw, onto the cable.

Figure 1-27: BNC Connector

Fiber Optic Cable

Fiber optic cabling consists of a center glass core surrounded by several layers of protective material. It transmits light rather than electronic signals, eliminating the problem of electrical interference. This makes it ideal for certain environments that contain a large amount of electrical interference. Due to its immunity to the effects of moisture and lighting, it has become the standard for connecting networks between buildings. Fiber optic cable has the ability to transmit signals over much longer distances than coaxial and twisted pair. It also has the capability to carry information at vastly greater speeds. This capacity broadens communication possibilities to include services such as video conferencing and interactive services. The cost of fiber optic cabling is comparable to copper cabling; however, it is more difficult to install and modify.

Figure 1-28: Fiber Optic Cable

Fiber Optic Cable Connector

The most common connector used with fiber optic cable is the ST (Straight Tip) connector. It is barrel shaped, similar to a BNC connector. A newer connector, the SC (Subscriber Connector), is becoming more popular. It has a squared face and is easier to connect in a confined space.
Table 1-05: Ethernet Cable Summary

Connections

Point-to-Point:
● Computers are connected by communication channels that each connect exactly two computers, with access to the full channel bandwidth
● Forms a mesh or point-to-point network
● Allows flexibility in communication hardware, packet formats, etc.
● Provides security and privacy because the communication channel is not shared
● The number of channels grows as the square of the number of computers: for n computers, (n² - n)/2 channels

Shared or Broadcast:
● All computers are connected to a shared broadcast-based communication channel and share the channel bandwidth
● Security issues arise as a result of broadcasting to all computers
● Cost effective due to the reduced number of channels and interface hardware components

Concepts of PoE

Power over Ethernet (PoE) is a technology for wired Ethernet Local Area Networks that allows the electrical current needed to operate each device to be carried by the data cables rather than by power cords. Doing so minimizes the number of wires that must be strung in order to install the network. PoE was originally developed in 2003 to support devices like Wi-Fi Access Points. PoE made AP installations easier and more flexible, especially on ceilings.

For PoE to work, the electrical current must go into the data cable at the power-supply end and come out at the device end, in such a way that the current is kept separate from the data signal so that neither interferes with the other. The current enters the cable by means of a component called an injector. If the device at the other end of the cable is PoE compatible, then that device will function properly without modification. If the device is not PoE compatible, then a component called a picker (or tap) must be installed to remove the current from the cable. This "picked-off" current is routed to the power jack.

Identifying Interface and Cable Issues

Interface and cable issues can be due to collisions, errors, duplex mismatch or speed mismatch.
The show interface command on a switch displays a ton of potential errors and problems that might occur due to interface and cable issues.

Example 1-1: The "show interface" Output on a Cisco Switch

    Switch#show interface gi 0/1
    GigabitEthernet0/1 is up, line protocol is up (connected)
      Hardware is iGbE, address is fa16.3eb4.b62b (bia fa16.3eb4.b62b)
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Unknown, Unknown, link type is auto, media type is unknown media type
      output flow-control is unsupported, input flow-control is unsupported
      Auto-duplex, Auto-speed, link type is auto, media type is unknown
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32562
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         6783 packets input, 0 bytes, 0 no buffer
         Received 14 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         108456 packets output, 7107939 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Switch#

Collisions

A collision is the mechanism used by Ethernet to control access and allocate shared bandwidth among stations that want to transmit at the same time on a shared medium. The mechanism used where the medium is shared is known as collision detection. It must exist where two stations can detect that they want to transmit data at the same time.
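Reading those counters by eye is error-prone on a switch with dozens of ports, so it helps to pull the fields that matter out of the text and map them to the four issue categories this section names (collisions, errors, duplex mismatch, speed mismatch). The following is an added example, not code from the workbook or from Cisco: it parses a constructed sample built from the lines of Example 1-1 above, plus a second constructed port that shows what a duplex mismatch looks like. Which counters are treated as a problem, and the explanations attached to them, are the author's assumptions, not Cisco documentation.

```python
"""Parse 'show interface' output and flag the counters that point to the
interface and cable issues discussed in this section. Added example, not
from the workbook or Cisco; the sample text is constructed to match the
lines of Example 1-1 above, plus a second, constructed port that shows a
duplex mismatch. Which counters count as a problem is an assumption."""
import re

# Constructed sample: the lines from Example 1-1 that matter here.
SAMPLE_GI0_1 = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is iGbE, address is fa16.3eb4.b62b (bia fa16.3eb4.b62b)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  Auto-duplex, Auto-speed, link type is auto, media type is unknown
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32562
     6783 packets input, 0 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     108456 packets output, 7107939 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample of a port hard-coded to half duplex against a
# full-duplex neighbour: CRC errors and late collisions pile up.
SAMPLE_FA0_3 = """\
FastEthernet0/3 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     0 runts, 0 giants, 0 throttles
     57 input errors, 57 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 340 collisions, 0 interface resets
     0 babbles, 12 late collision, 0 deferred
"""

STATUS_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
DUPLEX_RE = re.compile(r"^(Auto|Full|Half)-duplex, (Auto-speed|\d+Mb/s)")
DROPS_RE = re.compile(r"Total output drops: (\d+)")
# "<number> <counter name>" pairs such as "0 CRC" or "2 interface resets".
COUNTER_RE = re.compile(
    r"(\d+) (runts|giants|input errors|CRC|frame|collisions|late collision|"
    r"interface resets|output errors)\b")


def parse_show_interface(text):
    """Extract status, duplex/speed, output drops and the error counters."""
    info = {"name": None, "status": None, "protocol": None,
            "duplex": None, "speed": None, "output_drops": 0, "counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            info["name"], info["status"], info["protocol"] = m.groups()
        m = DUPLEX_RE.match(line)
        if m:
            info["duplex"], info["speed"] = m.groups()
        m = DROPS_RE.search(line)
        if m:
            info["output_drops"] = int(m.group(1))
        for value, name in COUNTER_RE.findall(line):
            info["counters"][name] = int(value)
    return info


def diagnose(info):
    """Return (code, explanation) pairs for each symptom found, mapped to
    the categories above: collisions, errors, duplex and speed."""
    c = info["counters"]
    findings = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append(("link_down", "interface or line protocol is not up: check the cable, the transceiver and the far-end port"))
    if info["duplex"] == "Half":
        findings.append(("half_duplex", "port is running half duplex: confirm the neighbour is not hard-coded to full duplex"))
    if c.get("late collision", 0):
        findings.append(("late_collisions", "late collisions: classic sign of a duplex mismatch or an over-length cable segment"))
    if c.get("CRC", 0) or c.get("input errors", 0):
        findings.append(("input_errors", "CRC/input errors: damaged cable, interference, bad NIC or duplex mismatch; the FCS is what caught them"))
    if c.get("runts", 0) or c.get("giants", 0):
        findings.append(("framing", "runts/giants: malformed frames, often a faulty NIC or collisions"))
    if info["output_drops"] > 0:
        findings.append(("output_drops", "output drops: the port is oversubscribed (congestion), not a cable fault"))
    if c.get("interface resets", 0):
        findings.append(("interface_resets", "interface resets: the link has gone down and up; check for a loose or marginal cable"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GI0_1, SAMPLE_FA0_3):
        parsed = parse_show_interface(sample)
        print(parsed["name"], parsed["duplex"], parsed["speed"])
        for code, why in diagnose(parsed):
            print("  ", code, "-", why)
```

For the Gi0/1 output the only findings are the 32562 output drops (a congestion symptom rather than a cabling one) and the two interface resets; the constructed Fa0/3 port is flagged for half duplex, late collisions and CRC errors together, which is the signature to look for when a duplex mismatch is suspected.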
Collision detection is disabled in full-duplex Ethernet; half-duplex Ethernet uses CSMA/CD (Carrier Sense Multiple Access/Collision Detection) as its collision detection method. Here is a simplified example of Ethernet operation:

Figure 1-29: Collision Architecture

1. Station A wishes to send a frame. First, it checks whether the medium is available (Carrier Sense). If it is not, it waits until the current sender on the medium has finished.
2. Suppose Station A believes the medium is available and attempts to send a frame. Because the medium is shared (Multiple Access), other senders might also attempt to send at the same time.
3. At this point, Station B tries to send a frame at the same time as Station A.
4. Shortly after, Station A and Station B realize that another device is attempting to send a frame (Collision Detect). Each station waits for a random amount of time before sending again.
5. The time after the collision is divided into time slots; Station A and Station B each pick a random slot for attempting a retransmission.
6. Should Station A and Station B attempt to retransmit in the same slot, they extend the number of slots. Each station then picks a new slot, thereby decreasing the probability of retransmitting in the same slot.

Errors

Errors may occur in your network for a wide variety of reasons. For example, there could be electrical interference somewhere, or a bad Network Interface Card that is not able to frame things correctly for the network. Remember, the Frame Check Sequence (FCS) is often what catches these errors. Each time a router forwards a packet on an Ethernet network, it replaces and rewrites the Layer 2 Ethernet header information, along with a new FCS.

Duplex

This used to be a big concern in Ethernet LANs. Because parts of the network might run half-duplex due to hubs, you needed to ensure that duplex mismatches did not occur between full-duplex (switched) areas and half-duplex areas. Today, auto-negotiation to full-duplex between devices is common.
If an older device is hard-coded to half-duplex and the LAN device connected to it is configured for full-duplex, a duplex mismatch can still result. These can be difficult to track down, since some packets typically make it through the connection fine while others are dropped. In networks that operate in half-duplex, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is the technology that allows devices to operate on the half-duplex network.

Speed

Speed is another area where conflict can occur, but it is also becoming a less common problem as technologies advance. For example, 1 Gigabit per second interfaces are quite common now and operate with each other seamlessly at 1 Gbps. The issue again is older equipment that might default to a slower speed, causing a speed mismatch.

There are some terms used in the above example, so we need to explore these terms briefly:

Table 1-06: Cable Terminologies

TCP vs. UDP

There are two types of Internet Protocol (IP) traffic: TCP, or Transmission Control Protocol, and UDP, or User Datagram Protocol. TCP is connection-oriented; once a connection is established, data can be sent bidirectionally. UDP is a simpler, connectionless Internet protocol. Multiple messages are sent as packets in chunks using UDP. Unlike TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP packets. Because of UDP's simplicity, UDP headers contain fewer bytes and consume less network overhead than TCP.
The following table demonstrates the comparison of the TCP and UDP protocols:

Table 1-07: Comparison of TCP and UDP Protocol

TCP and UDP Working

Figure 1-30: TCP and UDP Working

IPv4 Addressing and Subnetting

In this topic, we are going to explore IPv4 addressing and subnetting. First of all, you should know what an IP address is.

IP Address: An IP address is the way to represent a host in a network or, in simple words, a unique string of numbers separated by full stops that identifies each computer using the Internet Protocol to communicate over a network. An example is given below:

An IPv4 address is a 32-bit number that we like to represent in dotted decimal notation. Consider using a conversion chart for the 8 bits that exist in an octet to help you with the various subnetting exercises you might encounter in the exam.

Table 1-08: Comparison Chart for IPv4 Addressing and Subnetting

Example: To represent 186, we turn ON these bits: 10111010. So from the above table, you can easily calculate these values.

CIDR

CIDR (Classless Inter-Domain Routing) is a slash notation for the subnet mask. CIDR tells us the number of ON bits in a network address.
An IPv4 address is a 32-bit, 4-octet number written in a format such as 192.168.1.1/24. The /24 is CIDR notation; it defines the network and host portions of the address. Earlier on, in the development of TCP/IP, the designers created address classes in an attempt to accommodate networks of various sizes. Notice that they did this by setting the initial bit values. IP addresses are broken into two components:
• Network: the network segment of the device
• Host: the specific device on a particular network segment

Table 1-09: IPv4 Address Range
• 0 [Zero] is reserved and represents all IP addresses
• 127 is a reserved address and is used for testing, like a loopback on an interface. For example: 127.0.0.1
• 255 is a reserved address and is used for broadcasting purposes

IPv4 Subnetting:

Subnetting is the process of dividing a large network into smaller networks based on the Layer 3 IP address. Every computer on a network has an IP address that represents its location on the network. Two versions of IP addresses are available, IPv4 and IPv6. In this workbook, we will perform subnetting on IPv4.

Another critical memorization point here is the default subnet masks for these address classes. Remember, it is the job of the subnet mask to define what portion of the 32-bit address represents the network portion versus the host portion. The table below defines the default masks.

Table 1-10: IPv4 Subnetting

Note that subnet masks must use contiguous ON bits (1).
This results in the only possible values in a subnet mask octet, as shown in the table below:

Table 1-11: Subnet Mask Values

Subnet

A Subnet Mask is a 32-bit address used to distinguish between the network address and the host address in an IP address. A subnet mask is always used with an IP address. The subnet mask has only one purpose: to identify which part of an IP address is the network address and which part is the host address. For example, how will we figure out the network partition and host partition of the IP address 192.168.1.4? Here, we need the subnet mask to get details about the network address and host address. In decimal notation, subnet mask values 1 to 255 represent the network address and the value 0 [Zero] represents the host address. In binary notation, an ON bit [1] in the subnet mask represents the network address while an OFF bit [0] represents the host address.

In Decimal Notation
IP address: 192.168.1.4
Subnet mask: 255.255.255.0
Network address is 192.168.1.0 and host address is 192.168.1.4.

The binary notation for the host address will be:

In Binary Notation
IP address: 11000000.10101000.00000001.00000100
Subnet mask: 11111111.11111111.11111111.00000000
Network address is 11000000.10101000.00000001 and host address is 00000100.
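The decimal and binary calculation above, done with bitwise operations; this is an added Python example, not workbook material. It also recreates the Table 1-11 octet values from the contiguous-bits rule and converts the Table 1-08 example (10111010 = 186). Note that the workbook calls the whole address 192.168.1.4 the host address; the code additionally reports the host portion on its own (0.0.0.4).

```python
def to_int(dotted):
    """Dotted-decimal string -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted-decimal value: {dotted}")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_binary(dotted):
    """Dotted-binary notation as used in the example above."""
    return ".".join(f"{b:08b}" for b in to_int(dotted).to_bytes(4, "big"))


def octet_from_bits(bits):
    """Table 1-08 in reverse: the ON bits 10111010 give the decimal value 186."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected eight binary digits: {bits}")
    return int(bits, 2)


def is_valid_mask(mask):
    """True only if the ON bits are contiguous from the left (the rule stated above)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    # Leading ones in the mask mean the inverted mask is 2^k - 1,
    # which shares no bit with 2^k; any gap in the ones breaks this.
    return inverted & (inverted + 1) == 0


def prefix_length(mask):
    """CIDR prefix length: the number of ON bits in a valid mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(to_int(mask)).count("1")


def mask_from_prefix(prefix):
    """/24 -> 255.255.255.0"""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return to_dotted((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def split_address(ip, mask):
    """Apply the mask: AND gives the network address, the OFF bits select the host part."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    i, m = to_int(ip), to_int(mask)
    network = i & m
    host = i & ~m & 0xFFFFFFFF
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "network": to_dotted(network),
        "host": to_dotted(host),
        "broadcast": to_dotted(broadcast),
        "prefix": prefix_length(mask),
    }


def valid_mask_octets():
    """Recreate Table 1-11: every octet value that can appear in a subnet mask."""
    return [v for v in range(256) if is_valid_mask(f"255.255.255.{v}")]


if __name__ == "__main__":
    print(split_address("192.168.1.4", "255.255.255.0"))
    print(to_binary("192.168.1.4"), to_binary("255.255.255.0"))
    print(valid_mask_octets())
```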
Advantages of Subnetting
• Subnetting breaks a large network into smaller networks, and smaller networks are easier to manage
• Subnetting reduces network traffic by removing collision and broadcast traffic, which improves overall performance
• Subnetting allows you to apply network security policies at the interconnection between subnets
• Subnetting allows you to save money by reducing the requirement for IP ranges

Example: Class C Subnetting

Table 1-12: Subnet Mask Status

You can see clearly that 192.168.1.4 belongs to Subnet 1, so by using this simple method, you can calculate things easily.
Example 2: Given 172.18.27.0, 123 Hosts

Table 1-13: Subnet Mask Table

The Need for Private IPv4 Addressing

The designers of IPv4 created private address space to help alleviate the depletion of IPv4 addresses. This address space is not routable on the public Internet. The address space can be used as needed inside corporations and is then translated using Network Address Translation (NAT) to allow access to and through the public Internet. Because of private addresses and NAT, the same address ranges tend to be used in homes today (typically in the 192.168.1.X range). The table below shows the private address space:

Table 1-14: The IPv4 Private Address Ranges

Case Study

A local bank in your city has recently revamped their WAN and LAN network. The bank has 14 branches in the city connected to the Head Office over a Frame Relay network. All links are point-to-point (unique subnet). The Head Office has around 400 hosts and each of the branches has 15 to 20 hosts.
You are assigned the task of designing the private network schema for the bank.

Solution

You have decided to use the Class A “10.0.0.0” network segment for the bank network.

Figure 1-31: IPv4 Addressing and Subnetting

Head Office LAN

Let's start with the HO (Head Office) LAN, which has 400 hosts. You discussed this with your senior and he advised that 400 hosts in a single segment could create a lot of broadcast traffic. You decided to break the LAN segment into two subnets.

1. Network: 10.0.0.0, Mask: 255.0.0.0. You only need 200 hosts in your LAN segment. Use the formula 2^n - 2 to calculate the number of hosts per subnet, where n is the number of bits in the host portion.
2. No. of Hosts: (2^8) - 2 = 254

Branches LAN
No. of branches: 14
No. of hosts in each branch: 15-20
No. of Hosts: (2^5) - 2 = 30
No. of Subnets: (2^5) - 2 = 30
Note: We could have taken (2^4) - 2 = 14 for the number of networks, but that would be just enough for the current scenario. We should always leave some buffer for future expansion. We will start from subnet 10.1.3.0/27, which will give us 30 hosts in each subnet.

Table 1-15: LAN Branch Status

WAN

As all the links are point-to-point, there will be 14 subnets in total, with each subnet having 2 hosts.
No. of hosts (routers) in each subnet: 2
No. of point-to-point segments: 14
No. of Hosts: (2^2) - 2 = 2
No. of Subnets: (2^5) - 2 = 30
We will start from subnet 10.1.3.0/30, which will give us 2 hosts in each subnet.
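The case study as a small subnet allocator, added here as an example (it is not the workbook's solution and does not reproduce Tables 1-15 and 1-16): it applies the 2^n - 2 formula to each requirement, carves the subnets sequentially out of an assumed 10.1.0.0/16 pool, and verifies that no two allocations overlap. The 123-host requirement of Example 2 can be fed to host_bits_for in the same way.

```python
import ipaddress


def host_bits_for(hosts):
    """Smallest n with 2^n - 2 >= hosts (the formula used above); n >= 2 makes /30 the floor."""
    n = 2
    while (2 ** n) - 2 < hosts:
        n += 1
    return n


def usable_hosts(prefix):
    """2^n - 2: the network and broadcast addresses are not assignable."""
    return 2 ** (32 - prefix) - 2


def allocate(pool, requirements):
    """Carve subnets sequentially out of pool without overlap.

    requirements: list of (label, hosts_per_subnet, number_of_subnets).
    The largest blocks are placed first so every block starts on its own boundary.
    Returns {label: [IPv4Network, ...]}; raises ValueError when the pool runs out."""
    pool = ipaddress.ip_network(pool)
    cursor = int(pool.network_address)
    limit = int(pool.broadcast_address) + 1
    plan = {}
    for label, hosts, count in sorted(requirements, key=lambda r: -host_bits_for(r[1])):
        prefix = 32 - host_bits_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # align to the block size
        nets = []
        for _ in range(count):
            if cursor + size > limit:
                raise ValueError(f"pool {pool} exhausted while allocating {label}")
            nets.append(ipaddress.IPv4Network((cursor, prefix)))
            cursor += size
        plan[label] = nets
    return plan


def no_overlaps(plan):
    """Sanity check: no two allocated subnets share any address."""
    nets = [n for group in plan.values() for n in group]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# The bank case study. The 10.1.0.0/16 pool below is our assumption, not the workbook's.
CASE_STUDY = [
    ("head-office", 200, 2),   # two LAN segments of up to 254 hosts each
    ("branch", 20, 14),        # 14 branch LANs, 15-20 hosts each
    ("wan", 2, 14),            # 14 point-to-point links, 2 router addresses each
]


if __name__ == "__main__":
    plan = allocate("10.1.0.0/16", CASE_STUDY)
    for label, nets in plan.items():
        print(label, usable_hosts(nets[0].prefixlen), "hosts each:", ", ".join(map(str, nets)))
    print("overlap-free:", no_overlaps(plan))
```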
Table 1-16: WAN Branch Status

IPv6 Addressing and Prefix

IPv6, formerly named IPng (next generation), is the latest version of the Internet Protocol (IP). IP is a packet-based protocol used to exchange data, voice, and video traffic over digital networks. IPv6 was proposed when it became clear that the 32-bit addressing scheme of IP version 4 (IPv4) was inadequate to meet the demands of Internet growth. After extensive discussion, it was decided to base IPng on IP but add a much larger address space and improvements such as a simplified main header and extension headers. IPv6 is described initially in RFC 2460, Internet Protocol, Version 6 (IPv6) Specification, issued by the Internet Engineering Task Force (IETF). Further RFCs describe the architecture and services supported by IPv6.

Internet Protocol version 6 (IPv6) expands the number of network address bits from 32 bits (in IPv4) to 128 bits, which provides more than enough globally unique IP addresses for every networked device on the planet. The unlimited address space provided by IPv6 allows Cisco to deliver more and newer applications and services with reliability, improved user experience, and increased security.

Implementing basic IPv6 connectivity in Cisco software consists of assigning IPv6 addresses to individual device interfaces. IPv6 traffic forwarding can be enabled globally, and Cisco Express Forwarding switching for IPv6 can also be enabled. The user can enhance basic connectivity functionality by configuring support for AAAA (Authentication, Authorization, Accounting, and Auditing) record types in the Domain Name System (DNS) name-to-address and address-to-name lookup processes, and by managing IPv6 neighbor discovery.
Restrictions for Implementing IPv6 Addressing and Basic Connectivity

IPv6 packets are transparent to Layer 2 LAN switches because the switches do not examine Layer 3 packet information before forwarding IPv6 frames. Therefore, IPv6 hosts can be directly attached to Layer 2 LAN switches. Multiple IPv6 global addresses within the same prefix can be configured on an interface.

IPv6 Address Formats

IPv6 addresses are represented as a series of 16-bit hexadecimal fields separated by colons (:) in the format x:x:x:x:x:x:x:x. Following are two examples of IPv6 addresses:
2001:DB8:7654:3210:FEDC:BA98:7654:3210
2001:DB8:0:0:8:800:200C:417A

IPv6 addresses commonly contain successive hexadecimal fields of zeros. Two colons (::) may be used to compress successive hexadecimal fields of zeros at the beginning, middle, or end of an IPv6 address (the colons represent successive hexadecimal fields of zeros). The table below lists compressed IPv6 address formats. A double colon may be used as part of an address when consecutive 16-bit values are zero. You can configure multiple IPv6 addresses per interface, but only one link-local address.

Exam Tip: Two colons (::) can be used only once in an IPv6 address, to represent the longest run of successive hexadecimal fields of zeros. The hexadecimal letters in IPv6 addresses are not case-sensitive.

Table 1-17: Compressed IPv6 Address Formats

The loopback address listed in the table above may be used by a node to send an IPv6 packet to itself. The loopback address in IPv6 functions the same as the loopback address in IPv4 (127.0.0.1).

Exam Tip: The IPv6 unspecified address cannot be assigned to an interface. The unspecified IPv6 address must not be used as the destination address in IPv6 packets or in the IPv6 routing header.
An IPv6 address prefix, in the format ipv6-prefix/prefix-length, can be used to represent bit-wise contiguous blocks of the entire address space. The ipv6-prefix must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons. The prefix length is a decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). For example, 2001:DB8:8086:6502::/32 is a valid IPv6 prefix.

IPv6 Subnetting

Figure 1-32: IPv6 Subnetting

As shown in the figure, an IPv6 address can be subnetted in three ways: you can either divide it into Site bits, Sub Site bits and Host bits, or only into Site bits and Host bits for large host support.

IPv6 Packet Header

The basic IPv4 packet header has 12 fields with a total size of 20 octets (160 bits) (see the figure below). The 12 fields may be followed by an Options field, which is followed by a data portion that is usually the transport-layer packet. The variable length of the Options field adds to the total size of the IPv4 packet header. The shaded fields of the IPv4 packet header shown in the figure below are not included in the IPv6 packet header.

Figure 1-33: IPv4 Packet Header Format

The basic IPv6 packet header has 8 fields with a total size of 40 octets (320 bits). Fields were removed from the IPv6 header because, in IPv6, fragmentation is not handled by intermediate devices and checksums at the network layer are not used. Instead, fragmentation in IPv6 is handled by the source of a packet, and checksums at the data link layer and transport layer are used. In IPv4, the UDP transport layer uses an optional checksum. In IPv6, use of the UDP checksum is required to check the integrity of the inner packet. Additionally, the basic IPv6 packet header and Options field are aligned to 64 bits, which can facilitate the processing of IPv6 packets.
Table 1-18: IPv6 Header Fields

Following the eight fields of the basic IPv6 packet header are optional extension headers and the data portion of the packet. If present, each extension header is aligned to 64 bits. There is no fixed number of extension headers in an IPv6 packet. The extension headers form a chain of headers. Each extension header is identified by the Next Header field of the previous header. Typically, the final extension header has a Next Header field of a transport-layer protocol, such as TCP or UDP.

IPv6 Addressing and Subnetting

The IPv6 address format is eight sets of four hex digits, with a colon separating each set. For example: 2001:1111:A231:0001:2341:9AB3:1001:19C3

Remember, there are two rules for shortening these IPv6 addresses:
• Once in the address, you can represent consecutive sections of 0000s with a double colon (::)
• As many times as you can in the address, you can eliminate leading 0s; you can even take a section of all zeros (0000) and represent it as simply 0

Here is an example of the application of these rules to make the address the most convenient to read and type:
2001:0000:0011:0001:0000:0000:0001:1AB1
2001:0:11:1::1:1AB1

You present the subnet mask in prefix notation only.
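The two shortening rules and their inverse, as an added Python example (not from the workbook); it also produces the ipv6-prefix/prefix-length form by zeroing the host bits. Output uses uppercase hex since the letters are not case-sensitive, and a lone zero field is written as 0 rather than compressed, as in the worked example above and as RFC 5952 recommends.

```python
import re

GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr):
    """Undo both shortening rules: eight groups of four hex digits, uppercase.

    Rejects a second '::', a '::' that stands for nothing, and malformed groups."""
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero group: {addr}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return ":".join(f"{int(g, 16):04X}" for g in groups)


def compress(addr):
    """Rule 2 (drop leading zeros in every group), then rule 1 (a single '::' for the
    longest run of zero groups; ties go to the leftmost run; a run of one group stays '0')."""
    groups = [f"{int(g, 16):X}" for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def network_prefix(addr, prefix_len):
    """Zero the host bits and return the prefix in ipv6-prefix/prefix-length form."""
    if not 0 <= prefix_len <= 128:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    value = int(expand(addr).replace(":", ""), 16)
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    network = f"{value & mask:032X}"
    grouped = ":".join(network[k:k + 4] for k in range(0, 32, 4))
    return f"{compress(grouped)}/{prefix_len}"


if __name__ == "__main__":
    for a in ("2001:DB8:0:0:8:800:200C:417A", "2001:0000:0011:0001:0000:0000:0001:1AB1"):
        print(a, "->", compress(a), "->", expand(compress(a)))
    print(network_prefix("2001:0:11:1::1:1AB1", 64))
```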
For example, an IPv6 address that uses the first 64 bits to represent the network could be shown as: 2001:0:11:1::1:1AB1/64

This section of your exam blueprint focuses on the global unicast address space for IPv6. These function like the public IPv4 addresses that we are accustomed to. Other types of IPv6 addresses are elaborated upon later in this chapter. The Internet Assigned Numbers Authority (IANA) manages the IPv6 address space. IANA assigns blocks of address space to regional registries, which then allocate address space to network service providers. Your organization may request address space from a service provider. For example, a company may be assigned an address space similar to 2001:DB8:6783::/48, and from that network address space they can create and use subnets. To simplify subnetting in IPv6, companies often use a /64 mask. Remember, this means a 64-bit network portion and a 64-bit host portion.

IPv6 Stateless Address Auto Configuration

If you think the ability to have the IPv6 network device configure its own host address (modified EUI) is pretty awesome, what is even more exciting is having one network device assist another in the assignment of the entire address. This is Stateless Address Auto Configuration (SLAAC). Stateless simply means that a device is not keeping track of the address information. For example, in IPv4 and IPv6, you can use a DHCP server in a “stateful” manner. A DHCP device provides the address information that devices need, and tracks this information in a database. Obviously, there is a fair amount of overhead involved in this process for the DHCP server. Fortunately, in IPv6, you can use SLAAC and stateless DHCP to provide a host with all of the information it might need. This of course includes things like the IPv6 address, the prefix length, the default gateway address, and the DNS server(s) address.
With SLAAC, the IPv6 device learns its prefix information automatically over the local link from another device (such as the router), and then can randomly assign its own host portion of the address. Remember, since SLAAC cannot provide additional information such as DNS server addresses, we often combine SLAAC with the use of stateless DHCP in IPv6.

Note: Remember, Cisco routers that support IPv6 are ready for any of the IPv6 interface addressing methods with no special configuration. However, if the router needs to run IPv6 routing protocols (such as OSPF or EIGRP), you must use the ipv6 unicast-routing command, as was discussed earlier in this chapter.

What's wrong with IPv4?

Addressing
• Not enough addresses: the current addressing scheme allows for over 2 million networks, but most are Class “C”, which are too small to be useful
• Most of the Class “B” networks have already been assigned

Quality of Service
• Flow control and QoS options that would allow better connections for high-bandwidth and high-reliability applications are not available in the IPv4 header

Security
• IP packets can be easily snooped from the network
• No standard for authentication of the user to a server
• No standard for encryption of data in packets

Packet Size
• Maximum packet size is 2^16 - 1 (65,535)
• May be too small considering newer, faster networks

IPv6 Enhancements
• Expanded address space, up to 128 bits
• Improved option mechanism by separating optional headers between the IPv6 header and the transport layer header
• Improved speed and simplified router processing
• Dynamic assignment of addresses and auto configuration
• Increased addressing flexibility through anycast (delivered to one of a set of nodes) and improved scalability of multicast addresses
• Support for resource allocation
  – Replaces type of service
  – Labeling of packets to a particular traffic flow
  – Allows special handling, e.g., real-time video

Mind Map

Figure 1-34: Mind Map of Network Fundamentals

IPv6 Address Types

IPv6 address types are defined
in the IP Version 6 Addressing RFC. In this section, we take a brief look at the different types of IPv6 addresses, which are as follows:

Figure 1-35: IPv6 Address Types

Note: IPv6 does not have a broadcast address. Other options exist in IPv6, such as a solicited-node multicast address and an all-IPv6-devices multicast address.

Global Unicast

Global Unicast Addresses (GUAs) are globally routable and reachable on the IPv6 Internet; they are equivalent to public IPv4 addresses. GUAs are also known as aggregatable global unicast addresses. A GUA contains a global routing prefix, a subnet ID and an interface ID, and carries the global unicast prefix. These addresses are used on links that are aggregated upward, eventually to ISPs (Internet Service Providers). The initial 3 bits are set from 001 to 111, hence the range runs from 2000::/3 to E000::/3, with a 64-bit EUI interface identifier.

Figure 1-36: Aggregatable Global Address

Unique Local

Unique Local addresses are similar in concept to the private-use-only addresses (RFC 1918) in IPv4 and are not intended to be routable on the IPv6 Internet. However, unlike RFC 1918 addresses, these addresses are not intended to be statefully translated to a global unicast address.

Figure 1-37: Unique Local Address

Link Local

As the name makes clear, these addresses only function on the local link. IPv6 devices automatically generate them in order to perform many automated functions between devices. The Link Local address uses the prefix FE80::/10. These addresses are used for Stateless Auto-Configuration and the Neighbor Discovery Protocol.

Figure 1-38: Link Local Address

Anycast

An IPv6 anycast address is an address that can be assigned to more than one interface (typically on different devices). In other words, multiple devices can have the same anycast address. A packet sent to an anycast address is routed to the “nearest” interface having that address, according to the router's routing table. There is no special prefix for an IPv6 anycast address.
An IPv6 anycast address uses the same address range as global unicast addresses. Each participating device is configured to have the same anycast address. For example, servers A, B, and C in the figure below could be DHCPv6 servers with a direct Layer 3 connection into the network. These servers could advertise the same /128 address using OSPFv3. The router nearest the client request would then forward packets to the nearest server identified in the routing table.

Figure 1-39: Anycast Address

Multicast

Just like in an IPv4 environment, multicast traffic is beneficial in IPv6. Remember, multicasting means a packet is sent to a group of devices interested in receiving the information. In IPv6, multicasting completely replaces the IPv4 approach of broadcasting. In IPv6, if your device wants to reach all devices, it sends traffic to the IPv6 multicast address FF02::1.

Modified EUI-64

Modified Extended Unique Identifier (EUI) is an IPv6 feature that allows the host to assign an IPv6 EUI-64 interface identifier to itself. The EUI is 64 bits long. It eliminates the need for manual configuration and DHCP, a key benefit over IPv4. EUI-64 is formed from the 48-bit MAC address by inserting the 16-bit value FFFE between the OUI and the NIC portions.

Figure 1-40: Modified EUI-64

IP Parameters for Client OS (Windows, Mac OS, Linux)

An operating system is considered to be the backbone of any system. Without an operating system, users and systems cannot interact. We mainly have three kinds of operating systems, namely Linux, Mac, and Windows. To begin with, Mac is an OS which focuses on the graphical user interface and was developed by Apple Inc. for their Macintosh systems. Microsoft developed the Windows operating system to overcome the limitations of the MS-DOS operating system. Linux is a UNIX-like open source operating system that provides full memory protection and multi-tasking.
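Modified EUI-64 as an added Python example (not from the workbook), applied to the MAC address fa16.3eb4.b62b from Example 1-1: it inserts FFFE, flips the U/L bit, builds the FE80::/10 link-local address, forms the address a host would derive under SLAAC from an assumed /64 (2001:db8:6783:1::/64, a subnet of the /48 quoted earlier), and recovers the MAC again, which shows why such addresses expose hardware identity.

```python
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept Cisco fa16.3eb4.b62b, fa:16:3e:b4:b6:2b or fa-16-3e-b4-b6-2b."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes.fromhex(digits)


def modified_eui64(mac):
    """Insert FFFE between the OUI and NIC halves, then flip the U/L bit (0x02 of byte 0)."""
    m = mac_to_bytes(mac)
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def link_local_from_mac(mac):
    """FE80::/10 link-local address built from the Modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac)).compressed


def slaac_address(prefix, mac):
    """The address a host forms from an advertised /64 prefix plus its EUI-64 interface ID."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)).compressed


def mac_from_address(addr):
    """Reverse the procedure: recover the MAC (Cisco notation) embedded in an EUI-64 address.

    This reversibility is why EUI-64 addresses reveal the hardware identity of a host
    and why the temporary (privacy) addresses of RFC 4941 exist."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError(f"{addr} does not carry a Modified EUI-64 interface ID")
    iid[0] ^= 0x02
    mac = bytes(iid[:3] + iid[5:]).hex()
    return ".".join(mac[k:k + 4] for k in range(0, 12, 4))


if __name__ == "__main__":
    mac = "fa16.3eb4.b62b"                  # MAC address from Example 1-1
    print("interface ID:", modified_eui64(mac).hex())
    print("link-local:  ", link_local_from_mac(mac))
    print("SLAAC:       ", slaac_address("2001:db8:6783:1::/64", mac))  # assumed /64
    print("recovered:   ", mac_from_address(link_local_from_mac(mac)))
```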
Windows

In order to verify the OS parameters for the Windows operating system, the following steps are used:

Open the Command Prompt and enter the ipconfig command. It will display the list of all the connections.

Figure 1-41: The "ipconfig" Command

Here, you can see the IP address is 192.168.100.108; we will change this address by providing the system with a static IP address. Click on "Adapter settings"; you will see the window that shows the media connected to the operating system.

Figure 1-42: Network Connections

Right-click on "Wi-Fi" and select "Properties"; you will see this window:

Figure 1-43: Wi-Fi Properties

After selecting Properties, select the "Internet Protocol Version 4 (TCP/IPv4)" option. Then assign the new IP address, DNS server and alternate DNS server to the system.

Figure 1-44: Internet Protocol Version 4 Properties

After providing the static IP address, verify the IP address parameters by executing the ipconfig command at the command prompt.

Figure 1-45: Command Prompt

Linux

In order to verify the OS parameters for the Linux operating system, follow the steps given below:

Open the Terminal and enter the ifconfig command. It will display the list of all the connections.

Figure 1-46: Kali Linux

Figure 1-47: The "ifconfig" Command

Here, you can see the IP address is 192.168.100.125, the netmask is 255.255.255.0 and the broadcast address is 192.168.100.255; we will change this address by providing the system with a static IP address. Click on "Settings", then select "Network". You will see the window that shows the media connected to the operating system.

Figure 1-48: Kali Linux Settings

Under Wired, go to "Settings"; the next window will appear. Select "IPv4" and provide the new static IP address, netmask, gateway and DNS server.

Figure 1-49: Wired Connections

Select "Manual" and fill in the fields.

Figure 1-50: Wired Settings

Mac OS

To set up a network connection on Mac OS, select "Settings", go to "System Preferences" and click on "Network".
Figure 1-51: System Preferences

A new network window will open; change the location from "Automatic" to "Manual".

Figure 1-52: Network Settings

Provide the appropriate IP address and subnet mask and then click the "Advanced" button.

Figure 1-53: Ethernet Status

Select the DNS tab and then click the "+" button.

Figure 1-54: Ethernet DNS Settings

Enter the DNS server address and then click "OK".

Figure 1-55: Ethernet DNS Server

Now, click the button to save the changes.

Figure 1-56: Providing Static IP Address

Wireless Principles

Wireless is a popular networking technology. By using this technology, we can exchange information between two or more devices. To establish a reliable system, there are some challenges, which are discussed below.

Non-overlapping Wi-Fi Channels

There are channel settings in your router's settings. Most routers have the channel setting set to "Auto", but if you look through the channels, there are at least a dozen WLAN channels. So how do you know which Wi-Fi channels in that list are faster than the others? Choosing a suitable Wi-Fi channel can vastly improve your Wi-Fi coverage and performance. But even if you discover the fastest channel there, it does not always mean you should select it right away.

Various frequency bands (2.4 GHz, 3.6 GHz, 4.9 GHz, 5 GHz, and 5.9 GHz) have their own range of channels. Usually, routers use the 2.4 GHz band with a total of 14 channels; however, in reality, it may be 13 or even fewer that are used around the world. There are five combinations of available non-overlapping channels, which are given below:

Figure 1-57: Wi-Fi Channels

From the diagram it can be seen that Wi-Fi channels 1, 6, 11, or 2, 7, 12, or 3, 8, 13, or 4, 9, 14 (if allowed), or 5, 10 (and possibly 14, if allowed) can be used together as sets. All Wi-Fi versions through 802.11n (a, b, g, n) work between the channel frequencies of 2400 and 2500 MHz. These 100 MHz in between are split into 14 channels of 20 MHz each.
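The five channel sets above can be checked arithmetically from the two figures the text gives: 20 MHz per channel and channel centers 5 MHz apart (channels 1-13 start at 2412 MHz; channel 14 sits at 2484 MHz). The following Python is an added example, not code from the workbook: two channels are treated as overlapping when their 20 MHz bands cross or touch, and each of the five textbook sets is tested for pairwise non-overlap. The 2412 MHz and 2484 MHz center frequencies are standard 802.11 values, not taken from the page.

```python
"""Checking which 2.4 GHz Wi-Fi channels can be used together.

Constructed example built on the figures the text gives: 20 MHz channel
width and 5 MHz spacing between channel centers.
"""

CHANNEL_WIDTH_MHZ = 20
CHANNEL_STEP_MHZ = 5
# The five combinations the text names as usable non-overlapping sets.
TEXTBOOK_SETS = [(1, 6, 11), (2, 7, 12), (3, 8, 13), (4, 9, 14), (5, 10, 14)]


def channel_center(channel: int) -> int:
    """Center frequency in MHz. Channels 1-13 start at 2412 MHz in 5 MHz steps;
    channel 14 sits apart at 2484 MHz and is only permitted in some countries."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + CHANNEL_STEP_MHZ * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two distinct channels interfere when their 20 MHz bands cross or touch,
    i.e. the centers are at most one channel width apart."""
    if a == b:
        return False
    return abs(channel_center(a) - channel_center(b)) <= CHANNEL_WIDTH_MHZ


def overlapping_channels(channel: int) -> list:
    """Every channel that interferes with the given one."""
    return [c for c in range(1, 15) if channels_overlap(channel, c)]


def is_non_overlapping_set(channels) -> bool:
    """True when no pair in the set overlaps, so all of them can be used together."""
    chans = list(channels)
    return all(not channels_overlap(x, y)
               for i, x in enumerate(chans) for y in chans[i + 1:])


def check_textbook_sets() -> dict:
    """Evaluate each of the five sets named in the text."""
    return {s: is_non_overlapping_set(s) for s in TEXTBOOK_SETS}


if __name__ == "__main__":
    for chan_set, ok in check_textbook_sets().items():
        print(chan_set, "non-overlapping" if ok else "OVERLAP")
    print("channels interfering with channel 1:", overlapping_channels(1))
    print("channels interfering with channel 6:", overlapping_channels(6))
```

Running it confirms all five textbook sets are pairwise clear, while a set such as 1, 5, 9 fails because channels 1 and 5 (2412 and 2432 MHz) have bands that meet edge to edge.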
As a result, each 2.4 GHz channel overlaps with two to four other channels (see the diagram above). Overlapping makes wireless network throughput quite poor. The most common channels for 2.4 GHz Wi-Fi are 1, 6, and 11, because they do not overlap with one another. The whole spectrum is 100 MHz wide and the channel centers are separated by only 5 MHz. This leaves eleven channels no choice but to overlap.

SSID

The Service Set Identifier (SSID) is an ASCII string that is used to establish wireless networking devices and maintain wireless connectivity. The same SSID can be used by multiple access points on a network or sub-network. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. You may configure up to 16 SSIDs on your access point and assign different configuration settings to each SSID. All the SSIDs may be active at the same time; that is, client devices can associate to the access point using any of the SSIDs. The following are some settings you can assign to each SSID:

- VLAN
- Client authentication settings
- Client authenticated key management settings
- Insert AP or Authentication Parameter (while using AP-to-AP links, such as bridges)
- Insert Management frame protection settings (Cisco MFP/802.11w)
- Maximum number of client associations using the SSID
- RADIUS accounting for traffic using the SSID
- Guest mode (defines whether the SSID string is broadcast in the beacons)
- Legacy AP-to-AP authentication method, when using PSK or LEAP security on AP-to-AP links
- Redirection of packets received from client devices

If you want the access point SSID to be visible to all wireless clients, including clients that do not have a profile for that particular SSID, you can set up a guest SSID. The access point includes the guest SSID in its beacon. If guest mode is disabled, the AP will still send beacons for this SSID, but the SSID string will not be included.
If your access point is intended to be a repeater or a non-root bridge, you can set up credentials on the repeater or non-root bridge side so that the root or primary AP can authenticate the repeater or non-root bridge. You can assign an authentication username and password to the repeater-mode SSID to allow the repeater to authenticate to your network like a client device. If your network uses VLANs, you can assign a VLAN to each individual SSID, and the client devices using those SSIDs are grouped into the VLANs.

RF

RF stands for Radio Frequency. It is a form of wireless communication that began at the turn of the 20th century, more than 100 years ago, when Marconi established the first successful and practical radio system. A Radio Frequency (RF) signal refers to a wireless electromagnetic signal used as a form of communication. It is an alternating current that is fed to an antenna to generate an electromagnetic field that can be used for wireless broadcasting and/or communications. The field is referred to as an RF field or a radio wave. Radio waves are a form of electromagnetic radiation with identified radio frequencies that range from 3 kHz to 300 GHz.

Encryption

As encryption is defined at the interface (VLAN or radio) level of the access point, and can be common to several SSIDs, encryption is usually configured before the SSID and its authentication mechanism. Just as someone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because encrypted communication is the first line of defense against attackers, Cisco recommends that you use full encryption on your wireless network. The original encryption mechanism described in the 802.11 standard is WEP (Wired Equivalent Privacy).
WEP encryption scrambles the communication between the access point and client devices to keep the communication private. In this mode, WEP keys are statically defined on the client and the AP. The access point and client devices both use the same WEP key to encrypt and decrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just a single device on the network. Multicast messages are addressed to multiple devices on the network.

Virtualization Fundamentals

A virtual machine is a software program that runs an operating system and applications. Each virtual machine contains its own virtual, or software-based, hardware, including a virtual CPU, memory, hard disk, and network interface card. Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses while boosting efficiency and agility for businesses of all sizes.

Benefits of Virtualization

Virtualization can increase IT agility, adaptability and versatility while making significant cost reductions. Greater workload mobility, increased performance and availability of resources, and automated operations: these benefits of virtualization make IT simpler to manage and less costly to own and operate. Additional benefits include:

- Reduced capital and operating expenses
- Minimized or eliminated downtime
- Increased IT profitability, proficiency, agility and responsiveness
- Faster provisioning of applications and resources
- Greater business coherence and disaster recovery
- Simplified data center management
- Availability of a genuine Software-Defined Data Center

Types of Virtualization

There are three main types of virtualization, which are as follows:

Server Virtualization

Server virtualization allows multiple operating systems to run on a single physical server as highly efficient virtual machines.
Key advantages of server virtualization include:

- Greater IT efficiencies
- Reduced operating expenses
- Quicker workload deployment
- Improved application performance
- Higher server accessibility
- Eliminated server sprawl and complexity

Network Virtualization

Network virtualization provides logical networking devices and services, such as logical ports, switches, routers, firewalls, load balancers, VPNs and more, to connected workloads. It allows applications to run on a virtual network as if they were running on a physical network, but with greater operational advantages and all the hardware independence of virtualization.

Desktop Virtualization

Deploying desktops as a managed service enables IT organizations to respond faster to changing workplace needs and emerging opportunities. Virtualized desktops and applications can also be quickly and easily delivered to branch offices, outsourced and offshore employees, and mobile workers using iPad and Android tablets.

Switching Concepts

Layer 2 switches and bridges are faster than routers because they do not spend time looking at the Network layer header information. Instead, they look at the frame's hardware addresses before deciding to either forward, flood, or drop the frame. The next sections cover the functions a switch performs and the components it uses to do so.

MAC Learning and Aging

Learning the MAC addresses of devices is the fundamental responsibility of a switch. The switch transparently observes incoming frames and records the source MAC address of each frame in its MAC address table, together with the port on which that source MAC address was seen. Based on this information, it can make intelligent frame forwarding (switching) decisions. Note that a network device could be turned off or moved at any point. As a result, the switch must also age MAC addresses and remove them from the table after they have not been seen for some duration.
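The learning and aging described here, together with the filtering and flooding decisions covered in the Frame Switching and Frame Flooding sections that follow, can be seen in a small simulation. The following Python is an added example, not code from the workbook: the port names, the two host MAC addresses and the 300-second aging timer are constructed assumptions (300 seconds is the common Cisco default, but the text only says "some duration").

```python
"""Simulation of a Layer 2 switch: MAC learning, aging, filtering and flooding.

Constructed example, not workbook code. Port names, MAC addresses and the
300-second aging time are illustrative assumptions.
"""
from dataclasses import dataclass

BROADCAST_MAC = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC in Cisco dotted notation, e.g. "e213.5864.ab8f"
    dst: str  # destination MAC


class Switch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds  # assumed aging time
        # MAC address table: mac -> (port learned on, time last seen)
        self.mac_table = {}

    def learn(self, mac, port, now):
        """Record (or refresh) the source MAC against the ingress port."""
        self.mac_table[mac] = (port, now)

    def age(self, now):
        """Drop entries not seen within the aging time; return the removed MACs."""
        expired = [mac for mac, (_, seen) in self.mac_table.items()
                   if now - seen > self.aging_seconds]
        for mac in expired:
            del self.mac_table[mac]
        return expired

    def receive(self, frame, in_port, now):
        """Process one frame and return the list of ports it is sent out of."""
        self.age(now)
        self.learn(frame.src, in_port, now)
        entry = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST_MAC and entry is not None:
            out_port = entry[0]
            # Filtering: the destination lives on the ingress port, so nothing is forwarded.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood out every port except the ingress port.
        return [p for p in self.ports if p != in_port]

    def show_mac_address_table(self):
        """Render the table in the style of 'show mac address-table' (VLAN 1 only)."""
        lines = ["Vlan    Mac Address       Type        Ports",
                 "----    -----------       --------    -----"]
        for mac, (port, _) in sorted(self.mac_table.items()):
            lines.append(f"{1:>4}    {mac:<14}    DYNAMIC     {port}")
        return "\n".join(lines)


def run_scenario():
    """Walk two hosts through discovery, learning, filtering and aging."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"])
    host_a, host_b = "aaaa.aaaa.0001", "bbbb.bbbb.0002"  # constructed MACs
    result = {}
    # 1. A talks to B before B has been learned: the unknown unicast is flooded.
    result["unknown_unicast"] = sw.receive(Frame(host_a, host_b), "Gi0/1", now=0)
    # 2. B replies: A is already in the table, so the frame goes to Gi0/1 only.
    result["reply"] = sw.receive(Frame(host_b, host_a), "Gi0/2", now=1)
    # 3. A sends again: both ends are known, no flooding.
    result["known_unicast"] = sw.receive(Frame(host_a, host_b), "Gi0/1", now=2)
    # 4. A broadcast from A is flooded even though the table is populated.
    result["broadcast"] = sw.receive(Frame(host_a, BROADCAST_MAC), "Gi0/1", now=3)
    result["table_size_before_aging"] = len(sw.mac_table)
    # 5. Nothing heard from either host for longer than the aging time.
    result["aged_out"] = sorted(sw.age(now=3 + 301))
    result["table_size_after_aging"] = len(sw.mac_table)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Step 1 is the flooding case, step 2 shows why learning from the source address alone is enough to stop flooding in the reverse direction, and step 5 shows the table emptying once both hosts have been silent past the aging time.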
Frame Switching

Along with building a MAC address table (learning MAC address to port mappings), the switch also forwards (switches) frames intelligently from port to port. Think of this as the opposite of how a Layer 1 hub works. A hub takes in a frame and always forwards it out all other ports. In a hub-based network, every port is part of the same collision domain. The switch is too smart for that. If its MAC address table is fully populated for all ports, then it "filters" the frame, preventing it from being forwarded out ports unnecessarily. It forwards the frame to the correct port based on the destination MAC address.

Frame Flooding

What happens when a frame has a destination address that is not in the MAC address table? The frame is flooded out all ports other than the port on which the frame was received. Flooding happens when the switch has no entry in its MAC address table for the frame's destination. With flooding, the frame is sent out every port except the one it came in on. This also happens when the destination MAC address in the frame is the broadcast address.

MAC Address Table

The MAC address table is a critical component in the modern switch and acts as the brain of the switch operation. It contains the MAC address to port mappings so the switch can work its network magic. The example below shows how easy it is to examine the MAC address table of a Cisco switch.

Example: Examining a Real MAC Address Table

Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    e213.5864.ab8f    DYNAMIC     Gi0/0
   1    fa16.3ee3.7d71    DYNAMIC     Gi1/0

Mind Map

Figure 1-58: Mind Map of Network Fundamentals

Summary

Role and Function of Network Components

Network Fundamentals teaches the building blocks of modern network design.
In this session, we have briefly discussed the network components, their functions and their performance:

- A Router receives a packet and examines the destination IP address to determine which network the packet needs to reach, then sends the packet out of the corresponding interface
- A Layer 2 switch works only on MAC addresses and does not worry about IP addresses or any items of higher layers. A Layer 3 switch can perform all the tasks that a Layer 2 switch can
- Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks
- An access point is a device that creates a Wireless Local Area Network, or WLAN, usually in an office or large building
- The Cisco Wireless Controller (WLC) series devices provide a single solution to configure, manage and support corporate wireless networks, regardless of their size and location
- An endpoint is a remote computing device that communicates back and forth with a network to which it is connected, such as a desktop, laptop, etc.
- A server is a device that provides a facility to another computer program and its client

Characteristics of Network Topology Architectures

Network topology is defined as the physical arrangement of nodes to form a computer network.
- There are two types of network topology: physical topology and logical topology
- A two-tier architecture is a software architecture in which a presentation layer or interface runs on a client, and a data layer or data structure is stored on a server
- A three-tier architecture is a client-server architecture in which the functional process logic, data access, computer data storage and UI (User Interface) are developed and maintained as independent modules on separate platforms
- A Leaf-Spine architecture is adaptable to the continuously changing requirements of companies in big data industries with evolving data centers
- Wide-Area Networks help organizations expand geographically around the globe. Using WAN services from service providers is usually called "off-sourcing" or "outsourcing"
- SOHO is generally a remote office or enterprise environment with small to medium infrastructure. SOHO users are connected to the corporate headquarters by using WAN MPLS or other technology-based services provided by service providers
- On-premises system monitoring software has been the standard for quite a long time. Presently, a few organizations are moving to cloud-based network monitoring and management

Physical Interface and Cabling Types

- Physical interfaces consist of a software driver and a connector into which you connect network media
- The type of cable selected for a network is related to the protocol, the network's topology, and its size
- Single-mode fiber is used in many applications where data is sent at multiple frequencies (WDM, Wave-Division Multiplexing), so only one cable is needed
- Multimode fiber gives you high bandwidth at high speeds (10 to 100 MBS; Gigabit to 275 m to 2 km) over medium distances
- Networks use copper media because it is inexpensive, easy to install, and has low resistance to electrical current.
However, copper media is limited by distance and signal interference
- Computers connected by communication channels that each connect exactly two computers, with access to the full channel bandwidth, form a point-to-point connection, whereas computers all connected to a shared, broadcast-based communication channel and sharing its bandwidth form a shared or broadcast connection
- Power over Ethernet (PoE) is a technology for local area networks that allows the power for the operation of each device to be carried by the data cables rather than by power cords. It has made AP installations easier and more flexible, especially on ceilings

Identify Interface and Cable Issues

- A collision is the mechanism used by Ethernet to control access and allocate shared bandwidth among stations that want to transmit at the same time on
- Errors may occur in your network for a wide variety of reasons. For example, there could be electrical interference somewhere, or a bad Network Interface Card that is not able to frame things correctly for the network
- Duplex used to be a big concern in Ethernet LANs. Because you might be using half-duplex due to having hubs in your network, you need to ensure that duplex mismatches do not occur between full-duplex (switched) areas and half-duplex areas

TCP vs. UDP

- There are two types of Internet Protocol (IP) traffic: TCP, or Transmission Control Protocol, and UDP, or User Datagram Protocol
- TCP is connection-oriented. Once a connection is established, data can be sent bidirectionally
- UDP is a simpler, connectionless Internet protocol. Multiple messages are sent as packets in chunks using UDP
- Unlike TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP packets. Because of UDP's simplicity, UDP headers contain fewer bytes and consume less network overhead than TCP

IPv4 Addressing and Subnetting

In this section, we have explored IPv4 addressing and subnetting.
We also configured and verified the classes and subnet masks of IPv4 by performing a lab

The Need for Private IPv4 Addressing

- The designers of IPv4 created private address space to help alleviate the depletion of IPv4 addresses
- This address space is not routable on the public Internet
- The address space can be used as needed inside corporations and is then translated using Network Address Translation (NAT) to allow access to and through the public Internet

IPv6 Addressing and Prefix

- Internet Protocol version 6 (IPv6) expands the number of network address bits from 32 bits (in IPv4) to 128 bits, which provides more than enough globally unique IP addresses for every networked device on the planet
- The unlimited address space provided by IPv6 allows Cisco to deliver more and newer applications and services with reliability, improved user experience, and increased security
- Implementing basic IPv6 connectivity in Cisco software consists of assigning IPv6 addresses to individual device interfaces. IPv6 traffic forwarding can be enabled globally, and Cisco Express Forwarding switching for IPv6 can also be enabled
- The user can enhance basic connectivity functionality by configuring support for AAAA (Authentication, Authorization, Accounting, and Auditing) record types in the Domain Name System (DNS) name-to-address and address-to-name lookup processes, and by managing IPv6 neighbor discovery

IPv6 Address Types

- Global Unicast Addresses (GUAs) are globally routable and reachable on the IPv6 Internet; they are equivalent to public IPv4 addresses
- Unique local is similar to the concept of private-use-only addresses (RFC 1918) in IPv4 and is not intended to be routable on the IPv6 Internet
- Link-local addresses only function on the local link.
IPv6 devices automatically generate them in order to perform many automated functions between devices
- An IPv6 anycast address is an address that can be assigned to more than one interface
- Multicasting means a packet is sent to a group of devices interested in receiving the information. In IPv6, multicasting completely replaces the IPv4 approach of broadcasting
- Modified Extended Unique Identifier (EUI) is an IPv6 feature that allows a host to assign an IPv6 EUI-64 address to itself. The EUI is 64 bits long. It eliminates the need for manual configuration and DHCP, a key benefit over IPv4

Wireless Principles

- There are channel settings in your router's settings. Most routers have the channel setting set to "Auto", but if you look through the channels, there are at least a dozen WLAN channels
- The SSID is an ASCII string that is used to establish wireless networking devices and maintain wireless connectivity. The same SSID can be used by multiple access points on a network. SSIDs are case sensitive and can contain up to 32 alphanumeric characters
- RF stands for Radio Frequency. It refers to a wireless electromagnetic signal used as a form of communication
- As encryption is defined at the interface (VLAN or radio) level of the access point, and can be common to several SSIDs, encryption is usually configured before the SSID and its authentication mechanism

Virtualization Fundamentals

- A virtual machine is a software program that runs an operating system and applications. Each virtual machine contains its own virtual, or software-based, hardware, including a virtual CPU, memory, hard disk, and network interface card
- Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage and networks.
It is the single most effective way to reduce IT expenses while boosting efficiency and agility for businesses of all sizes
- Virtualization can increase IT agility, adaptability and versatility while making significant cost reductions. Greater workload mobility, increased performance and availability of resources, and automated operations: these benefits of virtualization make IT simpler to manage and less costly to own and operate

Switching Concepts

- Learning the MAC addresses of devices is the fundamental responsibility of a switch. The switch transparently observes incoming frames and records the source MAC address of each frame in its MAC address table
- Along with building a MAC address table (learning MAC address to port mappings), the switch also forwards (switches) frames intelligently from port to port
- The frame is flooded out all ports other than the port on which the frame was received. Flooding happens when the switch has no entry in its MAC address table for the frame's destination
- The MAC address table is a critical component in the modern switch and acts as the brain of the switch operation. It contains the MAC address to port mappings so the switch can work its network magic

Practice Questions
Chapter 02: Network Access

Technology Brief

This chapter defines network access in general, from both the physical and the logical perspective. Gaining access to network resources is based on identification through authentication: proving the identity, requesting access, and being granted the requested access. This chapter first describes the different types of LAN technologies and other related technologies and protocols. We will briefly discuss the WLAN architecture introduced by Cisco, where we will describe the access mechanism of the WLAN architecture.

VLANs (Normal Range) Spanning Multiple Switches

A Virtual LAN is a switched network that is logically divided by function, project team or application, without regard to the physical location of the users or hosts. VLANs have attributes similar to physical LANs, but you can group end stations/hosts even if they are not physically situated on the same LAN segment. Any switch port can belong to a VLAN, and unicast, multicast, and broadcast packets are forwarded and flooded only to end points in the VLAN. Every VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded via a router or a switch supporting fallback bridging. VLANs can be created with ports across the stack, because a VLAN is considered a separate logical network that contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree. VLANs are often linked with an IP subnetwork. For example, all the end stations/hosts in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed.
LAN port VLAN membership is assigned manually on a port-by-port basis. The switch supports VLANs in VTP client mode, server mode, and transparent mode. Cisco IOS Release 12.2SY supports 4096 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges; you use each range slightly differently. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP). The extended-range VLANs are not propagated, so you must configure extended-range VLANs manually on each network device. VLANs 0 and 4095 are reserved for system use only; we cannot access these VLANs. The port-channel range, which is a number to 4094. VLAN IDs 1002-1005 are reserved for Token Ring and FDDI VLANs.

Figure 2-01: VLAN IDs

The following example demonstrates how to create Ethernet VLAN 2, name it test2, and add it to the VLAN database:

Switch# configure terminal
Switch(config)# vlan 2
Switch(config-vlan)# name test2
Switch(config-vlan)# end

The following example shows how to configure a port as an access port in VLAN 2:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end

Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1-1005. If the switch is in VTP server or VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. You configure VLANs with the vlan global configuration command by typing a VLAN ID. Type a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify the VLAN. You can use the default VLAN configuration or use multiple commands to create the VLAN. When you have completed the configuration, you must exit VLAN configuration mode for the configuration to take effect.
To show the VLAN configuration, enter the privileged EXEC command. The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If the VTP mode is transparent, they are also saved in the running configuration file of the switch. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. In a switch stack, the entire stack uses the same vlan.dat file and running configuration. To display the VLAN configuration, enter the EXEC command.

When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:

❖ If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database match those in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
❖ In VTP versions 1 and 2, if the VTP mode is server, the domain name and VLAN configuration for only the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
❖ If the VTP mode or domain name in the startup configuration does not match the VLAN database, the VTP mode, domain name and configuration for the first 1005 VLANs use the VLAN database information.

Access Ports (Data and Voice)

Traffic is both received and sent in native format, without any VLAN information (tagging) whatsoever. Any frame arriving on an access port simply belongs to the VLAN assigned to that port.

Data: A data VLAN is a VLAN that is configured to carry user-generated traffic. A VLAN carrying voice or management traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic.
Voice: Most switches allow you to add a second VLAN on a switch port for your voice traffic, called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN; it allowed the voice VLAN to be overlaid on top of the data VLAN so that both types of traffic could travel through the same port. Although it is technically considered a different type of link, this works because an access port can be configured for both a data and a voice VLAN. It allows you to connect both a phone and a PC to one switch port, each in a separate VLAN.

Default VLAN

Cisco switches always have VLAN 1 as the default VLAN, which is needed for many protocol communications between switches, such as the spanning-tree protocol. All control traffic is sent on VLAN 1. It cannot be disabled and poses a security risk, as a lot of Cisco services run on the default VLAN. It is recommended to set all ports to a VLAN other than the default VLAN.

Connectivity

End-to-end connectivity is a successful connection between two endpoints, ports or nodes. Communication between two endpoints involves a number of intermediary devices that process or forward the packet toward the destination. End-to-end connectivity means that these intermediary devices do not alter the essential data in the packets during communication. Issues related to end-to-end connectivity include the unavailability of the remote endpoint, closed ports on the application server, incorrect access control lists, and others.

Interswitch Connectivity

Cisco originally created its own way of marking traffic with a VLAN ID for transport over a link. It was named Inter-Switch Link (ISL), and it took an interesting approach: it fully re-encapsulated the frame in order to add a VLAN marking. 802.1Q takes a different approach. It inserts a tag value into the existing frame.

Trunk Ports

A trunk port is a port that is allocated to carry traffic for all the VLANs that are accessible by a specific switch, a process known as trunking.
Trunk ports mark frames with unique identifying tags, either 802.1Q tags or Inter-Switch Link (ISL) tags, as they move between switches.

Add and Remove VLANs on a Trunk

To add and remove VLANs on a trunk, we have to perform a few steps, which are given below:

❖ To restrict the traffic that the trunk carries, issue the interface configuration command that removes specific VLANs from the allowed list.
❖ To add a VLAN to the trunk, issue the switchport trunk allowed vlan add vlan-list command.

––––––––

To configure VLANs on a Cisco switch, use the global configuration vlan command. In the following example, we demonstrate how to configure VLANs on the switch by allowing three VLANs on the trunk. Remember that VLAN 1 is the native and management VLAN by default.

Switch(config)#int eth0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 1,10,20
Switch(config-if)#exit

802.1Q is an IEEE standard trunking protocol that supports Virtual LANs (VLANs) on an Ethernet network. Cisco switches support both Inter-Switch Link (ISL) and 802.1Q. The IEEE 802.1Q standard defines the operation of VLAN bridges, which allows the definition, operation and administration of Virtual LAN topologies within a bridged LAN infrastructure. The mechanism by which IEEE 802.1Q performs the above functions is its tags. 802.1Q-compliant switch ports can be configured to transmit tagged or untagged frames. A tag field containing VLAN information can be inserted into an Ethernet frame.
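The VLAN ID ranges described at the start of this section and the add/remove handling of a trunk's allowed-VLAN list can be modelled in a few lines. The following Python is an added example written for this chapter; it is not code from the workbook or from Cisco. The vlan-list syntax it accepts (comma-separated IDs and hyphenated ranges, plus the all and none keywords of the IOS command) follows the command's documented forms, and the TrunkPort class is a hypothetical stand-in for a switch interface.

```python
"""Added example: VLAN ID ranges and the trunk allowed-VLAN list.

Not from the workbook. The ranges follow the chapter: 0 and 4095 reserved,
1-1005 normal range (1002-1005 reserved for Token Ring/FDDI),
1006-4094 extended range.
"""


def vlan_range(vid: int) -> str:
    """Classify a VLAN ID into the ranges named in the chapter."""
    if vid in (0, 4095):
        return "reserved (system use)"
    if 1002 <= vid <= 1005:
        return "normal (reserved for Token Ring/FDDI)"
    if 1 <= vid <= 1001:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    raise ValueError(f"not a VLAN ID: {vid}")


def parse_vlan_list(text: str) -> set:
    """Parse a vlan-list such as '1,10,20' or '10-12,30' into a set of IDs.

    The 'all' and 'none' keywords of the IOS command are accepted as well.
    Only 1-4094 can be listed on a trunk; anything else raises ValueError.
    """
    text = text.strip().lower()
    if text == "all":
        return set(range(1, 4095))
    if text == "none":
        return set()
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    for vid in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} cannot be carried on a trunk")
    return vlans


def format_vlan_list(vlans) -> str:
    """Render a set of IDs back into compact vlan-list form (1,10,30-32)."""
    ids = sorted(vlans)
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


class TrunkPort:
    """Hypothetical model of an 802.1Q trunk's allowed-VLAN list.

    A new trunk allows every VLAN; pruning the list so the trunk carries
    only the VLANs the far side needs is the least-privilege setting.
    """

    def __init__(self, allowed: str = "all"):
        self.allowed = parse_vlan_list(allowed)

    def allowed_vlan(self, spec: str):          # switchport trunk allowed vlan <list>
        self.allowed = parse_vlan_list(spec)

    def allowed_vlan_add(self, spec: str):      # switchport trunk allowed vlan add <list>
        self.allowed |= parse_vlan_list(spec)

    def allowed_vlan_remove(self, spec: str):   # switchport trunk allowed vlan remove <list>
        self.allowed -= parse_vlan_list(spec)

    def carries(self, vid: int) -> bool:
        return vid in self.allowed


if __name__ == "__main__":
    trunk = TrunkPort()
    trunk.allowed_vlan("1,10,20")       # the workbook's trunk example
    trunk.allowed_vlan_add("30-32")
    trunk.allowed_vlan_remove("10")
    print(format_vlan_list(trunk.allowed))   # 1,20,30-32
```

The parser rejects VLAN 0 and 4095 because the chapter reserves them for system use; a trunk that has been pruned with remove only ever carries the VLANs left in the set, which is the behaviour an operator expects when checking `show interfaces trunk`.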
802.1Q adds a 4-byte header to the frame indicating the VLAN (Virtual LAN) membership, as compared to ISL, which encapsulates the frame (adds a header and a trailer).

––––––––

The following figure illustrates the original and tagged Ethernet frame formats:

Figure 2-02: Ethernet Original and Tagged Frame Format

The following figure represents the sub-fields of the Tag field:

Figure 2-03: Sub-fields of the Tag Field

Field Descriptions:

❖ Tag Protocol Identifier: A 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame.
❖ Priority: A 3-bit field describing the priority of the packet (8 priority levels).
❖ Canonical Format Indicator: A 1-bit field; the CFI indicates that frames may be dropped in case of network congestion.
❖ VLAN Identifier (VID): A 12-bit field specifying the VLAN to which the frame belongs.

Native VLAN

By default, VLAN 1 is referred to as the native VLAN. Usually, in a Cisco LAN, the switch leaves the native VLAN untagged on 802.1Q trunk ports. VLAN 1 is the only untagged VLAN in the architecture. Cisco introduced this special VLAN feature for management traffic, so that this crucial traffic can still flow between devices even if a link loses its trunking status.

Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)

Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol (CDP) is a device discovery protocol that operates at the data-link layer (Layer 2) on all Cisco-manufactured devices and allows network management applications to discover neighboring Cisco devices. By means of CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
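The tag layout in the field descriptions above is small enough to build and decode by hand. The following Python is an added example, not code from the workbook: it inserts the 4-byte 802.1Q tag after the source address, packs the priority, CFI and VID into the 16-bit tag control field, and when parsing treats an untagged frame the way a trunk does, as belonging to the native VLAN. The sample addresses and payload are constructed for the example.

```python
"""Added example: building and parsing an 802.1Q-tagged Ethernet frame.

Not from the workbook. The tag layout follows the field descriptions in the
chapter: TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VID, inserted
after the source MAC address, 4 bytes in total.
"""
import struct

TPID_8021Q = 0x8100


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Return an Ethernet frame; tagged with 802.1Q when vid is given."""
    header = _mac(dst) + _mac(src)
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved; only 1-4094 may be used")
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | (vid & 0xFFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the tag if present; an untagged frame on a trunk belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, 14)
        info.update(tagged=True, vlan=tci & 0xFFF, pcp=tci >> 13,
                    cfi=(tci >> 12) & 1, ethertype=etype, payload=frame[18:])
    else:
        info.update(tagged=False, vlan=native_vlan, pcp=None, cfi=None,
                    ethertype=etype, payload=frame[14:])
    return info


# Constructed sample frames (not captured traffic).
SAMPLE_DST = "ff:ff:ff:ff:ff:ff"
SAMPLE_SRC = "00:11:22:33:44:55"
ETH_P_IP = 0x0800
SAMPLE_PAYLOAD = b"constructed payload"

if __name__ == "__main__":
    tagged = build_frame(SAMPLE_DST, SAMPLE_SRC, ETH_P_IP, SAMPLE_PAYLOAD, vid=10, pcp=5)
    plain = build_frame(SAMPLE_DST, SAMPLE_SRC, ETH_P_IP, SAMPLE_PAYLOAD)
    print(len(tagged) - len(plain), "bytes added by the tag")        # 4
    print(parse_frame(tagged)["vlan"], parse_frame(plain)["vlan"])    # 10 1
```

The `native_vlan` parameter of `parse_frame` makes the native-VLAN rule explicit: the receiving trunk, not the frame, decides which VLAN an untagged frame lands in, which is why the native VLAN of both ends of a trunk must agree.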
This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support the Subnetwork Access Protocol (SNAP). As CDP runs over the data-link layer only, two systems that support different network-layer protocols can learn about each other. Every CDP-configured device sends periodic messages to a multicast address, advertising at least one address at which it can receive SNMP messages. The advertisements also contain Time to Live (TTL) or hold-time information, which is the length of time for which the receiving device holds CDP information before discarding it. Every device listens to the messages forwarded by other devices to learn about neighboring devices.

Figure 2-04: CDP Features

LLDP (Link Layer Discovery Protocol)

Cisco Discovery Protocol is a device discovery protocol that runs over Layer 2 (the data link layer) on all devices manufactured by Cisco, such as routers, bridges, access servers, and switches. CDP permits network management applications to automatically discover and learn about other Cisco devices that are connected to the network. To support non-Cisco devices and allow for interoperability between other devices, the switch supports the IEEE 802.1AB LLDP. LLDP is a neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer (Layer 2), which permits two systems running different network layer protocols to learn about each other. LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length and value descriptions and are referred to as Type-Length-Values (TLVs). LLDP-supported devices may use TLVs to receive and send information to their neighbors.
Details like configuration information, device identity, and device capabilities can be advertised by using this protocol. The switch supports the following basic management TLVs, which are optional:

❖ Port Description TLV
❖ System Capabilities TLV
❖ Management Address TLV
❖ System Name TLV
❖ System Description TLV

The following example shows how to configure a hold time of 120 seconds, a reinitialization delay of 2 seconds and an update frequency of 20 seconds:

Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 20
Switch(config)# end

The following example shows how to transmit only LLDP packets:

switch# configure terminal
switch(config)# no lldp receive
switch(config)# end

If you want to receive LLDP packets again, do the following:

switch# configure terminal
switch(config)# lldp receive
switch(config)# end

The following example shows how to globally disable LLDP:

Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end

The following example shows how to globally enable LLDP:

Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end

The following example shows how to enable LLDP on an interface:

Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end

To monitor and maintain LLDP and LLDP-MED on your device, execute one or more of the following tasks, beginning in privileged EXEC mode:

❖ show lldp
❖ show lldp entry entry-name
❖ show lldp errors
❖ show lldp interface [interface-id]
❖ show lldp traffic
❖ show lldp neighbors [interface-id] [detail]

(Layer 2/Layer 3) EtherChannel (LACP)

EtherChannel

An EtherChannel consists of Fast Ethernet or Gigabit Ethernet links bundled into a single logical link, as shown in the figure below.

Figure 2-05: EtherChannel

EtherChannel offers full-duplex bandwidth of up to 800 Mb/s (Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between two switches.
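The TLV structure that the LLDP section describes is simple enough to encode and decode directly, which is useful when you want to check what a neighbor is actually advertising rather than trusting a summary. The following Python is an added example, not code from the workbook or from Cisco: it assembles an LLDPDU from the mandatory Chassis ID, Port ID and TTL TLVs plus the optional Port Description and System Name TLVs named above, then parses it back the way a receiving switch would, refusing truncated TLVs and checking that the mandatory TLVs come first. The neighbor values are constructed; the 2-byte TLV header (7-bit type, 9-bit length) and the type numbers follow IEEE 802.1AB.

```python
"""Added example: encoding and decoding LLDP TLVs (IEEE 802.1AB).

Not from the workbook. The TLV header is 2 bytes: a 7-bit type and a
9-bit length, followed by the value. The mandatory TLVs are Chassis ID (1),
Port ID (2) and TTL (3), in that order, and the LLDPDU ends with
End of LLDPDU (0); the optional ones named in the chapter are Port
Description (4), System Name (5), System Description (6), System
Capabilities (7) and Management Address (8).
"""
import struct

LLDP_MULTICAST = "01:80:c2:00:00:0e"   # destination of every LLDP frame
ETH_P_LLDP = 0x88CC

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCRIPTION, TLV_SYSTEM_NAME, TLV_SYSTEM_DESCRIPTION = 4, 5, 6
CHASSIS_SUBTYPE_MAC = 4        # Chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5        # Port ID carried as an interface name


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type is 7 bits and length is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: str, port_name: str, ttl: int,
                 system_name: str = None, port_description: str = None) -> bytes:
    """Assemble an LLDPDU with the mandatory TLVs plus selected optional ones."""
    tlvs = [
        encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex(chassis_mac.replace(":", ""))),
        encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        encode_tlv(TLV_TTL, struct.pack("!H", ttl)),
    ]
    if port_description is not None:
        tlvs.append(encode_tlv(TLV_PORT_DESCRIPTION, port_description.encode()))
    if system_name is not None:
        tlvs.append(encode_tlv(TLV_SYSTEM_NAME, system_name.encode()))
    tlvs.append(encode_tlv(TLV_END, b""))
    return b"".join(tlvs)


def parse_tlvs(data: bytes) -> list:
    """Split an LLDPDU into (type, value) pairs; refuses truncated TLVs."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        value = data[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} truncated")
        offset += length
        tlvs.append((tlv_type, value))
        if tlv_type == TLV_END:
            break
    return tlvs


def decode_neighbor(data: bytes) -> dict:
    """Turn an LLDPDU into the fields 'show lldp neighbors' would display."""
    tlvs = parse_tlvs(data)
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            if value[0] == CHASSIS_SUBTYPE_MAC:
                info["chassis_id"] = value[1:].hex(":")
            else:
                info["chassis_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == TLV_PORT_DESCRIPTION:
            info["port_description"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYSTEM_DESCRIPTION:
            info["system_description"] = value.decode(errors="replace")
    return info


# Constructed neighbor advertisement (not a capture); the TTL matches the
# chapter's 'lldp holdtime 120' example.
SAMPLE_LLDPDU = build_lldpdu("00:11:22:33:44:55", "Gi1/0/1", ttl=120,
                             system_name="sw-lab-constructed", port_description="uplink")

if __name__ == "__main__":
    print(decode_neighbor(SAMPLE_LLDPDU))
```

The TTL TLV is what the receiving side uses as the hold time: when it expires without a fresh advertisement the neighbor entry is dropped, which is the same ageing behaviour the CDP section describes for its hold-time field.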
An EtherChannel can consist of up to eight compatibly configured Ethernet ports. All ports in every EtherChannel must be configured as either Layer 2 or Layer 3 ports. The number of EtherChannels is limited to 48. Layer 3 EtherChannel ports are built from routed ports. Routed ports are physical ports that are configured to be in Layer 3 mode by entering the no switchport interface configuration command.

Link Aggregation Control Protocol

The Link Aggregation Control Protocol (LACP) is specified in IEEE 802.3ad. It allows Cisco switches to manage Ethernet channels between switches. LACP allows the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. The switch learns the status of partners capable of supporting LACP and the capabilities of each port by using LACP. It then dynamically groups similarly configured ports into a single logical link (channel or aggregate port). Ports that are configured similarly are grouped based on hardware, administrative and port parameter constraints. For example, LACP groups the ports with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. When grouping the links into an EtherChannel, LACP adds the group to the spanning tree as a single switch port.

Table 2-01: LACP Modes

Both active: allows ports to negotiate with partner ports to form an EtherChannel based on defined criteria such as port speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.

Ports can form an EtherChannel while they are in different LACP modes, as long as the modes are compatible.
For example:

❖ A port in can form an EtherChannel with another port that is in.
❖ A port in cannot form an EtherChannel with another port that is also in, because neither port starts LACP negotiation.

Configuring Layer 2 EtherChannels

This example demonstrates how to configure an EtherChannel on a switch. It assigns two ports as static-access ports in VLAN 11 to channel 4 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet 2/0/1 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 11
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end

Configuring Layer 3 EtherChannels

The following example shows how to create the logical port channel 4 and assign 172.10.10.10 as its IP address:

Switch# configure terminal
Switch(config)# interface port-channel 4
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.10.10.10 255.255.255.0
Switch(config-if)# end

The following example demonstrates how to configure an EtherChannel. It assigns two ports to channel 4 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet 2/0/1 - 2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end

Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel

Case Study

Consider a company in which different departments, namely management, production, and marketing, have to be connected all the time. Therefore, the company hired a network engineer to deploy a network that provides seamless connectivity among the departments.

Topology

Figure 2-06: Topology Diagram

Configuration

The network engineer deployed a network to provide connectivity among the various departments by configuring VLANs, inter-VLAN routing, trunk ports, and EtherChannel. To provide seamless connectivity, configure the Hot Standby Router Protocol (HSRP).
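The grouping rules from the LACP section (same speed, duplex, native VLAN, VLAN range, trunking status and type; at most eight members; at least one end of each link must start LACP negotiation) decide which of the lab's links end up in the EtherChannel. The following Python is an added example, not code from the workbook or from Cisco, that applies those rules to a constructed set of links and reports why each excluded link stayed out of the bundle; it assumes the two standard LACP modes, active and passive, and the PortConfig record is hypothetical.

```python
"""Added example: which links can bundle into one LACP EtherChannel.

Not from the workbook. It applies the grouping rules the chapter lists
(same speed, duplex, native VLAN, VLAN range, trunking status and type,
at most eight members) and the negotiation rule that at least one side of
each link must be in the active mode; the port and link records are
constructed for the example.
"""
from dataclasses import dataclass

MAX_MEMBERS = 8


@dataclass(frozen=True)
class PortConfig:
    name: str
    speed_mbps: int
    duplex: str            # "full" or "half"
    trunk: bool            # trunking status
    encapsulation: str     # trunking type: "dot1q" or "isl"
    native_vlan: int
    allowed_vlans: frozenset
    lacp_mode: str         # "active" or "passive"

    def bundle_key(self):
        """Everything LACP requires to match before ports share a channel."""
        return (self.speed_mbps, self.duplex, self.trunk, self.encapsulation,
                self.native_vlan, self.allowed_vlans)


def can_negotiate(local: PortConfig, partner: PortConfig) -> bool:
    """LACP negotiation only starts when at least one side sends actively."""
    return "active" in (local.lacp_mode, partner.lacp_mode)


def form_channel(links) -> tuple:
    """links: (local_port, partner_port) pairs on the same channel-group.

    Returns (bundled_local_ports, {port_name: reason}) so an operator can see
    why a member stayed out of the bundle.
    """
    bundled, excluded = [], {}
    reference = None
    for local, partner in links:
        if not can_negotiate(local, partner):
            excluded[local.name] = "both ends passive, no LACP negotiation"
            continue
        if local.bundle_key() != partner.bundle_key():
            excluded[local.name] = "local and partner port parameters differ"
            continue
        if reference is None:
            reference = local.bundle_key()
        if local.bundle_key() != reference:
            excluded[local.name] = "parameters differ from the first bundled member"
            continue
        if len(bundled) >= MAX_MEMBERS:
            excluded[local.name] = "channel already has eight members"
            continue
        bundled.append(local)
    return bundled, excluded


def _port(name, mode="active", speed=1000, native=1):
    """Constructed trunk port with the chapter's VLANs 1, 10 and 20 allowed."""
    return PortConfig(name, speed, "full", True, "dot1q", native,
                      frozenset({1, 10, 20}), mode)


# Constructed lab-style scenario: four links between two switches.
SAMPLE_LINKS = [
    (_port("Gi2/0/1"), _port("Gi1/0/1")),
    (_port("Gi2/0/2"), _port("Gi1/0/2", mode="passive")),
    (_port("Gi2/0/3", mode="passive"), _port("Gi1/0/3", mode="passive")),
    (_port("Gi2/0/4"), _port("Gi1/0/4", native=99)),
]

if __name__ == "__main__":
    members, reasons = form_channel(SAMPLE_LINKS)
    print([p.name for p in members], reasons)
```

A native VLAN mismatch on one member, as on the fourth link, is a common reason a port shows up as suspended in `show etherchannel summary`; the check here mirrors the comparison the switch performs before adding the port to the bundle.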
Verification

Basic Operations of Rapid PVST+ Spanning Tree Protocol

Rapid PVST+ is the IEEE 802.1w (RSTP) standard configured per VLAN. A single instance of STP runs on each configured VLAN (if you do not manually disable STP). Each Rapid PVST+ instance on a VLAN has a single root switch. You may enable and disable STP on a per-VLAN basis when you are running Rapid PVST+.
Rapid PVST+ uses point-to-point links to provide rapid convergence of the spanning tree. The spanning tree reconfiguration can occur in less than 1 second with Rapid PVST+ (in contrast to 50 seconds with the default settings in 802.1D STP). STP convergence occurs rapidly with Rapid PVST+. Each designated or root port in the STP sends out a Bridge Protocol Data Unit (BPDU) every 2 seconds by default. On a designated or root port in the topology, if hello messages are missed three consecutive times, or if the maximum age timer expires, the port immediately clears all protocol information in the table. A port considers that it has lost connectivity to its directly connected neighboring root or designated port if it misses three BPDUs or if the maximum age timer expires. This rapid aging of the protocol information allows quick failure detection. The switch automatically checks the Port VLAN ID (PVID). Rapid PVST+ provides for rapid recovery of connectivity following the failure of a network device, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links.

Configuring Rapid PVST+

Rapid PVST+ has the 802.1w standard applied to the PVST+ protocol; it is the default STP configuration in the software. You enable Rapid PVST+ on a per-VLAN basis. The software maintains a separate instance of STP for each VLAN (except on those VLANs on which you disable STP). Rapid PVST+ is enabled on the default VLAN and on each VLAN that you create by default.

Enabling Rapid PVST+

Once you enable Rapid PVST+ on the switch, you must enable Rapid PVST+ on the assigned VLANs. Rapid PVST+ is the default STP mode. You cannot run MST and Rapid PVST+ simultaneously.
To enable Rapid PVST+ on the switch, perform this task:

The following example shows how to enable Rapid PVST+ on the switch:

Root Port, Root Bridge (Primary/Secondary), and Other Port Names

Port Roles

Rapid PVST+ provides rapid convergence of the spanning tree by assigning port roles and learning the active topology. Rapid PVST+ builds upon the 802.1D STP to select the switch with the highest priority (lowest numerical priority value) as the root bridge. Rapid PVST+ then assigns one of these port roles to individual ports:

❖ Root: Provides the best path (lowest cost) when the switch forwards packets to the root bridge.
❖ Designated: The port through which the designated switch is attached to the LAN is called the designated port.
❖ Alternate: Provides an alternate path toward the root bridge to the path provided by the existing root port. An alternate port provides an alternative path to another switch port in the topology.
❖ Backup: Acts as a backup for the path provided by a designated port toward the ports of the spanning tree. A backup port exists only when two ports are connected in a loopback with a point-to-point link. A backup port provides another path in the topology to the switch.
❖ Disabled: No role within the operation of the spanning tree.

In a stable topology with consistent port roles throughout the network, Rapid PVST+ ensures that every root port and designated port rapidly transitions to the forwarding state, because all alternate and backup ports are always in the blocking state. Designated ports start in the blocking state. The port state controls the operation of the forwarding and learning processes.

Root Bridge (Primary/Secondary)

The software keeps a separate instance of STP for each active VLAN in Rapid PVST+. For each VLAN, the switch with the lowest bridge ID becomes the root bridge for that VLAN.
Configuring the Primary Root Bridge

To configure a VLAN instance to become the root bridge, modify the bridge priority from the default value (32768) to a considerably lower value. When you enter the spanning-tree vlan vlan_ID root command, the switch checks the bridge priority of the current root bridges for each VLAN. The switch sets the bridge priority for the specified VLANs to 24576 if this value will cause the switch to become the root for the specified VLANs. If any root bridge for the specified VLANs has a bridge priority lower than 24576, the switch sets the bridge priority for the specified VLANs to 4096 less than the lowest bridge priority.

To configure a switch to become the primary root bridge for a VLAN in Rapid PVST+, perform these steps:

Configures a software switch as the primary root bridge. The vlan-range value can be 2 through 4094 (except reserved VLAN values). The diameter default is 7. The hello-time can be from 1 to 10 seconds, and the default value is 2 seconds.

The following example shows how to configure the switch as the root bridge for VLAN 5 with a network diameter of 4:

Configuring a Secondary Root Bridge

When you configure a software switch as the secondary root, the STP bridge priority is modified from the default value (32768) so that the switch is expected to become the root bridge for the specified VLANs if the primary root bridge fails (assuming the other switches in the network use the default bridge priority of 32768). STP sets the bridge priority to 28672.
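The election rule (lowest bridge ID wins) and the priority arithmetic of the root primary and root secondary commands described above can be checked with a short model. The following Python is an added example, not code from the workbook or from Cisco: it elects the root of one VLAN instance from constructed bridge records, computes the priority the primary macro would choose (24576, or 4096 below the current root when that root is already at or below 24576 and would still win), and uses 28672 for the secondary. The function names and the behaviour when the current root is already at priority 0 are assumptions, not anything the chapter states.

```python
"""Added example: root bridge election and the priority the
'spanning-tree vlan <id> root primary|secondary' macro chooses.

Not from the workbook. The values follow the chapter: default priority
32768, primary root 24576 (or 4096 below the current root when that is
already lower), secondary root 28672; the lowest bridge ID wins, with the
MAC address as tie-breaker. Bridge records are constructed for the example.
"""
DEFAULT_PRIORITY = 32768
PRIMARY_ROOT_PRIORITY = 24576
SECONDARY_ROOT_PRIORITY = 28672
PRIORITY_STEP = 4096


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable bridge ID: priority first, MAC address breaks ties."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges: {name: (priority, mac)}; returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_primary_priority(my_mac: str, bridges: dict) -> int:
    """Priority a switch sets on itself to become root of one VLAN instance."""
    root = elect_root(bridges)
    root_priority, root_mac = bridges[root]
    if bridge_id(PRIMARY_ROOT_PRIORITY, my_mac) < bridge_id(root_priority, root_mac):
        return PRIMARY_ROOT_PRIORITY
    new_priority = root_priority - PRIORITY_STEP
    if new_priority < 0:
        # The chapter does not cover this case; treating it as an error is an assumption.
        raise ValueError("current root already uses the lowest possible priority")
    return new_priority


def root_secondary_priority() -> int:
    """The secondary macro always uses 28672, below the 32768 default."""
    return SECONDARY_ROOT_PRIORITY


# Constructed VLAN 5 instance: every switch still at the default priority,
# so the lowest MAC address (SW2) is currently the root.
SAMPLE_BRIDGES = {
    "SW1": (DEFAULT_PRIORITY, "00:00:00:00:00:0a"),
    "SW2": (DEFAULT_PRIORITY, "00:00:00:00:00:05"),
    "SW3": (DEFAULT_PRIORITY, "00:00:00:00:00:0c"),
}

if __name__ == "__main__":
    print(elect_root(SAMPLE_BRIDGES))                                # SW2
    p = root_primary_priority("00:00:00:00:00:0a", SAMPLE_BRIDGES)    # 24576
    after = dict(SAMPLE_BRIDGES, SW1=(p, "00:00:00:00:00:0a"))
    print(elect_root(after))                                         # SW1
```

The constructed data shows why the default leaves root placement to chance: with every switch at 32768, whichever has the lowest MAC address becomes root, which is rarely the switch you would choose. Setting the primary and secondary priorities deliberately, as the chapter recommends, makes the topology predictable.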
Enter the diameter keyword to specify the network diameter (that is, the maximum number of bridge hops between any two end stations in the network). When you specify the network diameter, the software automatically selects an optimal hello time, forward delay time, and maximum age time for a network of that diameter, which can significantly reduce the STP convergence time. You can enter the hello-time keyword to override the automatically calculated hello time. You can configure more than one switch in this manner to have multiple backup root bridges. Enter the same network diameter and hello time values that you used when configuring the primary root bridge.

To configure a switch to become the secondary root bridge for a VLAN in Rapid PVST+, perform these steps:
[Configuration steps table not reproduced]
The command configures the switch as the secondary root bridge. The vlan-range value can be 2 through 4094 (except reserved VLAN values). The diameter default is 7. The hello-time can be from 1 to 10 seconds, and the default value is 2 seconds.

The following example shows how to configure the switch as the secondary root bridge for VLAN 5 with a network diameter of 4:
[Example not reproduced]

Rapid PVST+ Port State
Transmission delays occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a LAN port transitions directly from not participating in the spanning tree topology to the forwarding state, it can create temporary data loops. Ports must wait for new topology information to propagate through the switched LAN before beginning to forward frames. Each LAN port on a switch using Rapid PVST+ or MST exists in one of the following four states:
- Blocking: The LAN port does not participate in frame forwarding.
- Learning: The LAN port prepares to participate in frame forwarding.
- Forwarding: The LAN port forwards frames.
- Disabled: The LAN port does not participate in STP and is not forwarding frames.

When you enable Rapid PVST+, every port in the switch, VLAN, and network goes through the blocking state and the transitory learning state at power-up. If properly configured, each LAN port stabilizes in the forwarding or blocking state.

Blocking State
A LAN port in the blocking state does not participate in frame forwarding. A LAN port in the blocking state performs as follows:
- Discards frames received from the attached segment
- Discards frames switched from another port for forwarding
- Does not incorporate the end station location into its address database
- Receives BPDUs and directs them to the system module
- Receives, processes, and transmits BPDUs received from the system module
- Receives and responds to network management messages

Forwarding State
A LAN port in the forwarding state forwards frames. The LAN port enters the forwarding state from the learning state. A LAN port in the forwarding state performs as follows:
- Forwards frames received from the attached segment
- Forwards frames switched from another port for forwarding
- Incorporates the end station location information into its address database
- Receives BPDUs and directs them to the system module
- Processes BPDUs received from the system module
- Receives and responds to network management messages

PortFast
PortFast is a spanning tree feature that moves a port immediately to the forwarding state as soon as it comes up. This is beneficial for connected hosts, which can start communicating on the VLAN immediately rather than waiting on spanning tree. To prevent ports configured with PortFast from forwarding BPDUs, which could change the spanning tree topology, BPDU guard can be enabled. On receipt of a BPDU, BPDU guard disables a port configured with PortFast.
PortFast Benefits
The great advantage of configuring PortFast is well known: a port configured with PortFast immediately starts transmitting data in the forwarding state, bypassing the other spanning-tree states. This is definitely a great feature to have configured on the downstream ports connecting to your end-user systems or your servers. There is also another good reason to configure PortFast on your client edge ports that is not so commonly known. Whenever a switch port goes up or down, the switch generates a Topology Change Notification (TCN) packet and sends it to the root bridge; the root bridge then responds with a Topology Change Acknowledgement (TCA) packet simply to acknowledge the TCN. The root bridge then transmits another BPDU with the Topology Change (TC) bit set to every switch within the spanning-tree domain. When the other switches receive this TC-marked packet, each resets the aging time of every entry in its CAM table (also known as the MAC address table) down to 15 seconds, which can cause the switch to rebuild its CAM table if the entries start aging out. Depending on the size of your layer 2 network, this can waste a lot of resources on your switches. It also causes unnecessary traffic overhead, since a set of BPDUs is transmitted with the TCN, TCA, and TC flags set individually. Also remember that if CAM table entries start expiring, this can cause unnecessary ARP traffic to relearn information the switch already had.

Cisco Wireless Architectures vs. AP Modes

Cisco Unified Wireless Network Architecture
The Cisco Unified Wireless Network architecture offers a secure, scalable, cost-effective wireless LAN solution for business-critical mobility. The Cisco Unified Wireless Network is the enterprise's only unified wired and wireless solution that cost-effectively addresses Wireless LAN (WLAN) security, deployment, management, and control issues.
This powerful indoor and outdoor solution combines the best elements of wired and wireless networking to deliver high-performance, manageable, and secure WLANs with a low cost of ownership.

Figure 2-07: Cisco Unified Wireless Network Architecture in the Enterprise

The interlinked elements that work together to deliver a unified enterprise-class wireless solution include:
- Client devices
- Access Points (APs)
- Network unification through controllers
- World-class network management
- Mobility services

Core Components
The Cisco Unified Wireless Network (CUWN) is designed to provide high-performance, scalable 802.11ac wireless services for service providers as well as enterprises. A Cisco wireless solution simplifies the deployment and management of large-scale wireless LANs in centralized or distributed deployments while providing the best security, user experience, and services. The Cisco Unified Wireless Network consists of:
- Cisco Wireless LAN Controllers (WLCs)
- Cisco Aironet Access Points (APs)
- Cisco Prime Infrastructure (PI)
- Cisco Mobility Services Engine (MSE)

Cisco Wireless LAN Controllers
Cisco Wireless LAN Controllers are enterprise-standard, high-performance wireless switching platforms that support the 802.11a/n/ac and 802.11b/g/n protocols. The WLC runs under the control of an operating system that includes Radio Resource Management (RRM), creating a CUWN solution that can automatically adjust to real-time variations in the 802.11 RF environment. Controllers are built on high-performance network and security hardware, resulting in highly reliable 802.11 enterprise networks with exceptional security.

Cisco 2504 Wireless Controllers
The Cisco 2504 Wireless Controllers enable large-scale wireless functions for small to medium-sized enterprises and branch offices. They are designed for 802.11n and 802.11ac performance.
Cisco 2504 Wireless Controllers are entry-level controllers that provide real-time communication between Cisco Aironet access points to simplify the deployment and operation of wireless networks.

Cisco 5508 Wireless Controllers
Cisco 5508 Wireless Controllers deliver reliable performance, enhanced flexibility, and minimal service loss for mission-critical wireless. Interactive multimedia applications, such as voice and video, can now perform flawlessly over the wireless network, and clients can conveniently roam without service interruption. Flexible licensing allows users to easily enable access point support or premium software features.

Cisco 5520 Wireless Controllers
The Cisco 5520 Series Wireless LAN Controller is a highly scalable, service-rich, robust, and flexible platform that is ideal for medium to large enterprise and campus deployments. As part of the Cisco Unified Access solution, the 5520 is optimized for the next generation of wireless networks, such as 802.11ac Wave 2.

Cisco Flex 7500 Wireless Controllers
The Cisco Flex 7500 Wireless Controller is available in a model designed to fulfil the scaling requirements of deploying the FlexConnect solution in branch networks. FlexConnect is designed to support wireless branch networks by allowing data to be switched locally within the branch site while the access points are controlled and managed by a centralized controller. The Cisco Flex 7500 Series Cloud Controller is designed to deliver a cost-effective FlexConnect solution at large scale.

Cisco 8510 Wireless Controllers
The Cisco 8510 Wireless Controller is a highly scalable and flexible platform that enables crucial wireless networking deployments for enterprises and service providers.
Cisco 8540 Wireless Controller
The Cisco 8540 Wireless Controller is optimized for 802.11ac Wave 2 performance. It is a highly scalable, service-rich, robust, and flexible platform that enables next-generation wireless network deployment for medium to large enterprises and campuses.

Cisco Wireless Services Module 2
The Cisco Wireless Services Module 2 (WiSM2) for the Catalyst 6500 Series switches is ideal for crucial wireless networking in medium to large single-site WLAN environments where an integrated solution is preferred. The WiSM2 provides lower hardware costs and flexible configuration options.

Virtual Wireless LAN Controller
The virtual controller allows IT professionals to configure, manage, and troubleshoot up to 200 access points and 6000 clients. The Cisco Virtual Wireless Controller supports secure guest access, rogue detection for Payment Card Industry (PCI) compliance, and in-branch (locally switched) Wi-Fi voice and video.

Cisco Aironet Access Points
Cisco Aironet Series wireless access points can be deployed in a distributed or centralized network for a branch office, campus, or large enterprise. To achieve an exceptional end-user experience on the wireless network, these access points provide a variety of capabilities, including:
- Cisco CleanAir: for a self-healing, self-optimizing network that avoids RF interference
- Cisco ClientLink 2.0 or [name not reproduced]: to improve reliability and coverage for clients
- Cisco [name not reproduced]: to improve 5 GHz client connections in mixed client environments
- Cisco [name not reproduced]: leverages multicast to improve multimedia applications

Indoor 802.11n Access Points
The following table outlines the various models of Cisco indoor 802.11n APs and their capabilities.
Table 2-02: Indoor 802.11n Access Points [table not reproduced]

Indoor 802.11ac Access Points
The following table outlines the various models of Cisco indoor 802.11ac APs and their capabilities.
Table 2-03: Indoor 802.11ac Access Points [table not reproduced]

Cisco Prime Infrastructure
Wireless communication has introduced a new phenomenon. Mobile device expansion, extensive voice and video collaboration, and cloud and data center virtualization are transforming the network like never before. However, new technologies always bring new challenges.
There is a need for higher service levels, guaranteed application delivery, and simplified end-user experiences, while maintaining business continuity and controlling operating costs. To address these challenges, Cisco Prime Infrastructure provides a comprehensive solution that enables managing the network from a single graphical interface. It provides lifecycle management and service assurance across the whole network, from the wireless user in the branch office, across the WAN, through the access layer, and now to the data center. This is called One Management.

Figure 2-08: Cisco Prime Infrastructure - One Management

Cisco Prime Infrastructure is a network management platform that connects the network to the device to the user to the application, end to end and all in one. Its features include:
- Single Pane View: Delivers a single, unified platform for day-0 and day-1 provisioning and day-n assurance. It accelerates device and service deployment, helping you quickly resolve problems that can affect the end-user experience.
- Simplified Deployment of Cisco Value-Added: Makes designing around Cisco's distinguished features and services fast and effective, with support for technologies such as Intelligent WAN (IWAN), Distributed Wireless with Converged Access, Application Visibility and Control (AVC), Zone-Based Firewall, and Cisco TrustSec 2.0 Identity-Based Networking Services.
- Application: Uses embedded Cisco instrumentation and industry-standard technology as a source of performance data to deliver network-wide, application-aware visibility. These technologies include NetFlow, Network-Based Application Recognition 2 (NBAR2), Cisco Medianet technologies, Simple Network Management Protocol (SNMP), and more.
The innovative coordination of application visibility and lifecycle management in Cisco Prime Infrastructure makes it easier to find and resolve problems by providing awareness of the health of applications and services in the context of the health of the underlying infrastructure.
- Management for Mobile Collaboration: Solves the who, what, when, where, and how of wireless access. It includes 802.11ac support, correlated wired-wireless client visibility, unified access infrastructure visibility, spatial maps, converged security and policy monitoring and troubleshooting with Cisco Identity Services Engine (ISE) integration, location-based tracking of interferers, rogues, and Wi-Fi clients with Cisco Mobility Services Engine (MSE) and Cisco CleanAir integration, lifecycle management, RF prediction tools, and more.
- Management Across Network and: Provides powerful lifecycle management and service assurance to help you manage and maintain the many devices and services running on your branch-office, campus, and data center networks. It provides significant capabilities such as discovery, inventory, configuration, monitoring, troubleshooting, reporting, and administration.
- Centralized Visibility of Distributed: Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center visualizes up to 10 Cisco Prime Infrastructure instances, scaling your network-management infrastructure while maintaining central visibility and control.

Licensing Options
Cisco Prime Infrastructure is a single installable software package with licensing options to expand and grow functions and coverage as needed.
- [License name not reproduced]: Simplifies the day-to-day operational tasks related to managing the network infrastructure across all lifecycle phases (design, deploy, operate, and report) for Cisco devices including routers, switches, access points, and more.
- [License name not reproduced]: Provides application performance visibility using device support as a source of rich performance data to help assure consistent application delivery and an optimal end-user experience.
- Cisco UCS Server: Offers lifecycle and assurance management for Cisco UCS B- and C-Series Servers.
- Operations: Enables visualization of up to 10 Cisco Prime Infrastructure instances from one central management console. One license is required for each supported Cisco Prime Infrastructure instance.
- High-Availability Right to Use: Allows high-availability configuration with one primary and one secondary instance in a high-availability pair.
- [License name not reproduced]: Increases the NetFlow processing limit on the Cisco Prime Infrastructure management node. This license is used in combination with the Assurance license.
- Ready-to-Use Gateway: Enables you to configure a separate gateway for use with the ready-to-use feature, where new devices can call in to the gateway to receive their configuration and software image.

Cisco Mobility Services Engine
The Cisco Mobility Services Engine is an open platform that provides a new approach to the delivery of mobility services in a centralized and scalable manner. A combination of hardware and software, the Cisco 3300 Series Mobility Services Engine (MSE) is an appliance-based solution that supports a set of software services. The Mobility Services Engine transforms the wireless LAN into a mobility network by extracting the application layer from the network layer, which effectively delivers mobile applications across wired and wireless networks. The Cisco MSE provides the capability to track the physical location of network devices, both wired and wireless, using Wireless LAN Controllers (WLCs) and Cisco Aironet CAPWAP APs. This solution allows you to track any Wi-Fi device, including clients, active RFID tags, and rogue clients and APs. It was designed according to the following requirements:
- Cisco Prime Infrastructure is used to administer and monitor the MSE.
- Furthermore, the MSE integrates directly into the wireless LAN architecture, which provides one unified network to manage instead of multiple separate wireless networks.
- The Cisco MSE series can simultaneously track 25,000 elements in CAS and 5,000 APs in wIPS. CPI can manage multiple Mobility Services Engines for greater scalability.
- The Wireless LAN Controller (WLC), CPI, and MSE are implemented as separate devices to deliver greater scalability and optimum performance.
- The WLC, CPI, and MSE provide robust secure interfaces and secure protocols to access data.
- The MSE records past location information that can be used for audit trails and regulatory compliance.
- Open and Standards Based: The MSE has a SOAP/XML API that can be accessed by external systems and applications that can use location information from the MSE.
- Easy Deployment of Business Applications: The MSE can be integrated with new business applications such as asset tracking, inventory management, location-based security, or automated workflow management.

AP Modes
Many Cisco APs can operate in either autonomous or lightweight mode, depending on the code image that is loaded and run. From the Wireless LAN Controller (WLC), you can also configure a lightweight AP to operate in one of the following special-purpose modes:
- [Mode name not reproduced]: The default lightweight mode, which offers one or more operating Basic Service Sets (BSSs) on a specific channel. During the times that it is not transmitting, the AP scans the other channels to measure the level of noise, measure interference, discover rogue devices, and match against Intrusion Detection System (IDS) events.
- [Mode name not reproduced]: The AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor. The AP checks for IDS events, detects rogue access points, and determines the position of stations through location-based services.
- [Mode name not reproduced]: An AP at a remote site can locally switch traffic between an SSID and a VLAN if its Control and Provisioning of Wireless Access Points (CAPWAP) tunnel to the WLC is down and if it is configured to do so.
- [Mode name not reproduced]: An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device. The captured traffic is then forwarded to a PC running network analyzer software such as WildPackets OmniPeek or Wireshark, where it can be analyzed further.
- Rogue: An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air. Rogue devices are those that appear on both networks.
- [Mode name not reproduced]: An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to link two locations separated by a distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.
- Flex+Bridge: FlexConnect operation is enabled on a mesh AP.
- [Mode name not reproduced]: The AP dedicates its radios to spectrum analysis on all wireless channels. You can remotely connect a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to collect and analyze the spectrum analysis data to discover sources of interference.

Physical Infrastructure Connections of WLAN Components (AP, WLC, Access/Trunk Ports, and LAG)
Mobile users want the same accessibility, security, quality of service, and high availability enjoyed by wired users. Whether you are on-site, at home, on the road, locally or internationally, there is a need to connect. The technological challenges are obvious, but to this end, mobility plays a role in facilitating everyone. Companies are obtaining business value from mobile and wireless solutions. Wireless LANs consist of a set of components similar to traditional Ethernet-wired LANs. In fact, wireless LAN protocols are similar to Ethernet and comply with the same form factors.
The major difference, however, is that wireless LANs do not require wires.

Access Points
An access point has a radio card that communicates with individual user devices on the wireless LAN, as well as a wired NIC that interfaces to a distribution system, such as Ethernet. System software within the access point links together the wireless LAN and distribution sides of the access point. The system software distinguishes access points by providing varying degrees of management, installation, and security functions. In many cases, the access point provides an HTTP interface that enables configuration changes to the access point through an end-user device that is equipped with a network interface and a web browser. Some access points also have a serial RS-232 port for configuring the access point through a serial cable and a user device running terminal emulation and Telnet software, such as HyperTerminal.

Wireless LAN Controllers
A WLAN is a wireless design that aims to meet changing network requirements. A WLAN controller manages the wireless network access points that allow wireless devices to connect to the network. A wireless LAN controller is used in combination with the Lightweight Access Point Protocol (LWAPP) to manage lightweight access points in large quantities by the network administrator or network operations center. The wireless LAN controller is an important part of the Cisco Unified Wireless Model. The WLAN controller automatically handles the configuration of wireless access points.

Access Ports/Trunk Ports
An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native format without any VLAN information (tagging) whatsoever. Any frame arriving at the access port simply belongs to the VLAN assigned to that port. A trunk port is a port that is assigned to carry traffic for all the VLANs that are accessible by a specific switch, a process known as trunking.
Trunk ports mark frames with unique identifying tags, either 802.1Q tags or Inter-Switch Link (ISL) tags, as they move between switches. A WLAN maps a Service Set Identifier (SSID) to an interface or an interface group. It is configured with security, Quality of Service (QoS), radio policies, and other wireless network parameters. Up to 512 WLANs can be configured per controller. Each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface to use the native VLAN on a neighboring Cisco switch, ensure that you configure the interface on the controller to be untagged. The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged, the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and must not be the native untagged VLAN. As mentioned, tagged VLANs should be used on the controller. You should also allow only the relevant VLANs on the neighbor switch's 802.1Q trunk connections to controller ports. All other VLANs should be disabled or pruned in the switch port trunk configuration. This is extremely important for optimal performance of the controller.

LAG
Link Aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single LAG port channel. LAG reduces the number of IP addresses required to configure the ports on the controller. When LAG is enabled, the system dynamically manages port redundancy and load-balances access points transparently to the user. LAG simplifies controller configuration because there is no longer a need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically moved to one of the other ports.
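As an added example (not code from the book), the following Python audits a constructed switch trunk configuration against the controller-port rules above: every controller VLAN tag must be allowed on the trunk, none may be the native VLAN, and VLANs the controller does not use should be pruned. The interface names, VLAN numbers and the IOS snippet are constructed sample values.

```python
"""Audit a WLC-facing 802.1Q trunk against the rules in the text: controller
interfaces should be tagged, never on the native VLAN, every tag must be allowed
on the trunk, and VLANs the controller does not use should be pruned.
Added example; not code from the book.  Both inputs are constructed samples."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed IOS configuration for the switch port that faces a controller port.
SWITCH_TRUNK_CONFIG = """
interface GigabitEthernet1/0/1
 description Link to WLC distribution system port 1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30,99
"""

# Constructed controller interfaces: interface name -> VLAN tag (0 = untagged).
WLC_INTERFACES = {"management": 10, "employees": 20, "guest": 30, "voice": 40, "iot": 0}

Finding = Tuple[str, str, str]   # (severity, subject, message)


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,99' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunk(config: str) -> Tuple[int, Optional[Set[int]]]:
    """Return (native VLAN, allowed VLAN set).  Allowed is None when the port is
    left at the IOS default of carrying every VLAN.  Only the plain list and the
    'add' form of 'switchport trunk allowed vlan' are handled here."""
    native, allowed = 1, None            # Cisco defaults: native VLAN 1, all VLANs allowed
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)", line)
        if m:
            allowed = (allowed or set()) | expand_vlan_list(m.group(1))
    return native, allowed


def audit_trunk(wlc_interfaces: Dict[str, int], native: int,
                allowed: Optional[Set[int]]) -> List[Finding]:
    findings: List[Finding] = []
    for name, tag in wlc_interfaces.items():
        if tag == 0:
            findings.append(("warning", name,
                             f"untagged on the controller, so it rides the trunk's native "
                             f"VLAN {native}; tagged VLANs are recommended for controller interfaces"))
        elif tag == native:
            findings.append(("error", name,
                             f"tagged with VLAN {tag}, which is the trunk's native VLAN; the switch "
                             "sends that VLAN untagged, so the tagged frames do not match"))
        elif allowed is not None and tag not in allowed:
            findings.append(("error", name,
                             f"VLAN {tag} is not allowed on the trunk; its traffic is dropped"))
    used = {tag for tag in wlc_interfaces.values() if tag}
    if allowed is None:
        findings.append(("warning", "trunk",
                         "all VLANs allowed; prune to the VLANs the controller uses"))
    else:
        for vlan in sorted(allowed - used - {native}):
            findings.append(("warning", "trunk",
                             f"VLAN {vlan} is allowed but unused by the controller; prune it"))
    return findings


def run_audit(config: str = SWITCH_TRUNK_CONFIG,
              wlc_interfaces: Dict[str, int] = WLC_INTERFACES) -> List[Finding]:
    native, allowed = parse_trunk(config)
    return audit_trunk(wlc_interfaces, native, allowed)


if __name__ == "__main__":
    for severity, subject, message in run_audit():
        print(f"{severity.upper():7} {subject}: {message}")
```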
As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.

AP and WLC Management Access Connections (Telnet, SSH, HTTP, HTTPS, Console, and TACACS+/RADIUS)

Access Point
Dependency on networks is higher than ever. Cisco Catalyst® and Cisco Aironet® Access Points are the next generation of Cisco® wireless access points.

Wireless Controllers Management Access Connections
A browser-based GUI is built into the controller. It allows up to five users to concurrently browse the controller's HTTP or HTTPS (HTTP + SSL) management pages to configure parameters and monitor the operational status of the controller and its associated access points.

Telnet and SSH
Telnet is a network protocol used to provide access to the controller's browser. Secure Shell (SSH) is a more secure version of Telnet for data transfer that uses data encryption and a secure channel. You can use the controller GUI or CLI to configure Telnet and SSH sessions.
Configuring Telnet and SSH Sessions (GUI)
Procedure
[Procedure table not reproduced]
HTTP and HTTPS
This section provides guidelines for enabling the distribution system port as a web port (using HTTP) or as a secure web port (using HTTPS). You can protect communication by enabling HTTPS for the GUI. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the controller generates its own local web administration SSL certificate and automatically applies it to the GUI. You also have the option of downloading an externally generated certificate.

Configuring HTTP and HTTPS (GUI)
Procedure
[Procedure table not reproduced]
Console (CLI)

The Command Line Interface (CLI) is a built-in feature of every controller in the Cisco wireless solution. The CLI allows you to use a VT-100 terminal emulation program to locally or remotely configure, monitor, and control individual controllers and their associated lightweight access points.
The CLI is a text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulation programs to access the controller.

Configuring CLI

TACACS+/RADIUS

There are two common AAA security protocols used to control access to a network: RADIUS and TACACS+. These protocols serve as the language of communication between a networking device and an AAA server.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol used by access servers to protect remote access to the network and its services from unauthorized users. Transactions between the RADIUS server and the client are authenticated by means of a shared secret key, and passwords are sent encrypted, which reduces the chance of password disclosure to an unauthorized user even on an unsecured network.
RADIUS performs authentication and authorization together in a single exchange. RADIUS is an open standard, which means that any vendor can use it in its AAA implementation.

Authentication: The process of verifying users when they attempt to log in to the controller. Users must enter a valid username and password for the controller to authenticate them against the RADIUS server.

Accounting: The process of recording user actions and changes. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host from which the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided.

Configuring RADIUS (GUI)
TACACS+

TACACS+ stands for Terminal Access Controller Access-Control System Plus and is Cisco proprietary. Like RADIUS, TACACS+ is used for communication between a networking device and an AAA server. Unlike RADIUS, TACACS+ encrypts the entire packet body and attaches a TACACS+ header to the message body. TACACS+ ensures reliable delivery between clients and servers because it uses a TCP connection, and since it is Cisco proprietary, it offers granular control over Cisco routers and switches. TACACS+ performs authentication, authorization, and accounting as separate functions, so each AAA function can be controlled by a different method. One of the main differences between RADIUS and TACACS+ is that RADIUS encrypts only the password and transmits the rest of the RADIUS packet as clear text over the network.

Authentication: The procedure of verifying users when they attempt to log in to the controller. Users must enter a valid username and password for the controller to authenticate them against the TACACS+ server. The authentication and authorization services are bound to one another.

Authorization: The procedure of determining the actions that users are allowed to take on the controller based on their level of access. For TACACS+, authorization is based on privilege rather than on specific actions. The available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to which users are assigned are configured on the TACACS+ server. Users can be authorized for one or more roles.

Accounting: The procedure of recording user actions and changes. Any time a user successfully executes an action, the TACACS+ accounting server logs the changed action, the user ID of the person who made the change, the remote host from which the user is logged in, the date and time when the command was executed, the authorization level of the user, and an explanation of the action performed and the values provided.

Configuring TACACS+ (GUI)
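The wire-level difference drawn above between RADIUS (only the password attribute is hidden) and TACACS+ (the whole packet body is obfuscated behind a cleartext header), shown as an added Python example that is not part of the workbook or of any Cisco code. The shared secret, usernames, password, session ID and RADIUS identifier are constructed sample values; the algorithms follow RFC 2865 section 5.2 and RFC 8907 section 4.5.

```python
"""Added example, not from the workbook or from Cisco: how much of an AAA
packet a passive observer can read. RADIUS (RFC 2865 sec. 5.2) hides only the
User-Password attribute; TACACS+ (RFC 8907 sec. 4.5) obfuscates the whole body
behind a cleartext 12-byte header. Both derive their keystream from MD5 over the
shared secret, so neither replaces IPsec or TLS transport. All usernames,
passwords, secrets, session and identifier values here are constructed."""
import hashlib
import os
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: NUL-pad to 16-byte blocks, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), cN = pN XOR MD5(secret + cN-1)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (the server side). Strips the NUL padding,
    so a password that itself ends in NUL bytes would lose them."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (Type 1) and User-Password (Type 2).
    Header, Request Authenticator and User-Name all travel in cleartext."""
    identifier = 0x2A  # constructed sample value
    user_name = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    user_password = bytes([2, 2 + len(hidden)]) + hidden
    attrs = user_name + user_password
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated to cover the body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. The same call reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_authen_start(username: bytes, password: bytes, key: bytes, session_id: int) -> bytes:
    """Minimal TACACS+ Authentication START (RFC 8907 sec. 5.1) using PAP, so the
    password rides in the data field. The 12-byte header is cleartext; the body is not."""
    version, packet_type, seq_no, flags = 0xC1, 1, 1, 0  # minor version 1 is required for PAP
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1),
    # user_len, port_len=0, rem_addr_len=0, data_len, followed by user and data
    body = bytes([1, 1, 2, 1, len(username), 0, 0, len(password)]) + username + password
    header = struct.pack("!BBBBII", version, packet_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def compare_on_the_wire(username: bytes = b"alice", password: bytes = b"Sup3rSecr3t!",
                        secret: bytes = b"sharedkey", authenticator: bytes = None) -> dict:
    """Build one packet of each kind and report which fields a capture would expose.
    Only the RADIUS username is expected to be readable."""
    authenticator = authenticator or os.urandom(16)
    rad = radius_access_request(username, password, secret, authenticator)
    tac = tacacs_authen_start(username, password, secret, 0x1A2B3C4D)  # constructed session id
    return {
        "radius_username_visible": username in rad,
        "radius_password_visible": password in rad,
        "tacacs_username_visible": username in tac,
        "tacacs_password_visible": password in tac,
    }


if __name__ == "__main__":
    for field, visible in compare_on_the_wire().items():
        print(f"{field}: {visible}")
```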
Components of Wireless LAN Access for Client Connectivity Using the GUI

A wireless LAN controller and an access point work together to provide network connectivity to wireless clients. From a wireless standpoint, the AP advertises a Service Set Identifier (SSID) for clients to join.
From a wired standpoint, the controller connects to a Virtual LAN (VLAN) through one of its dynamic interfaces. To complete the path between the SSID and the VLAN, you must first define a WLAN on the controller.

Figure 2-19: Connecting Wired and Wireless Networks with a WLAN

The above figure shows a Wireless LAN Controller (WLC) and an Access Point (AP) connected to a network cloud on the right and left, respectively. The AP has a wireless connection to the subnet 192.168.199.0/24, which represents the SSID Engineering. The AP and WLC are connected by a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. Together, this path forms a complete WLAN. The WLC has a wired connection on the right with the subnet 192.168.199.199/24. VLAN 100 exists on that connection and is presented as VLAN Interface Engineering.

The controller connects the WLAN to one of its interfaces and then, by default, pushes the WLAN configuration out to all of its APs. From that point forward, wireless clients can learn about the new WLAN by receiving its beacons and can search for and join the new Basic Service Set (BSS).

Like VLANs, you can use WLANs to separate wireless users and their traffic into logical networks. Users connected to one WLAN cannot cross over into another unless their traffic is bridged or routed from one VLAN to another through the wired network infrastructure.

Before you create new WLANs, it is usually wise to plan your wireless network first. In a large enterprise, you might have to support an extensive variety of wireless devices, user communities, security policies, and so on. You might be tempted to create a new WLAN for every occasion, just to keep groups of users separated from each other or to support different types of devices.
Although this is an attractive strategy, you should be aware of two restrictions:

- Cisco controllers support a maximum of 512 WLANs, but only 16 of them can be actively configured on an AP.
- Advertising each WLAN to potential wireless clients uses up valuable airtime.

Every AP must broadcast beacon management frames at regular intervals to advertise the existence of a BSS. Because each WLAN is bound to a BSS, each WLAN must be advertised with its own beacons. Beacons are usually sent 10 times per second, or once every 100 ms, at the lowest mandatory data rate. As a rule of thumb, always limit the number of WLANs to five or fewer; a maximum of three WLANs is best.

By default, a controller has a limited initial configuration, so no WLANs are defined. Before you create a new WLAN, think about the following parameters that will be required:

- SSID string
- Controller interface and VLAN number
- Type of wireless security needed

As we work through this section, we will create the appropriate dynamic controller interface to support the new WLAN; then we will enter the necessary WLAN parameters. Each configuration step is performed using a Graphical User Interface (GUI) connected to the WLC's management IP address.

Step 1. Configure a RADIUS Server

If your new WLAN uses a security scheme that requires a RADIUS server, such as WPA2-Enterprise or WPA3-Enterprise, you will need to define the server first. Select Security > AAA > RADIUS > Authentication and click New to create a new server. Enter the server's IP address, shared secret key, and port number, as shown in Figure 2-20. Because the controller already has two other RADIUS servers configured, the server at 192.168.200.30 will be indexed as number 3. Be sure to set the server status to Enabled so that the controller can start using it. At the bottom of the page, you can select the type of user that will be authenticated with the server.
Check Network User to authenticate wireless clients, or Management to authenticate wireless administrators who will access the controller's management functions. Click Apply to complete the server configuration.

Figure 2-20: Configuring a New RADIUS Server

Step 2. Create a Dynamic Interface

A dynamic interface is used to connect the controller to a VLAN on the wired network. When you create a WLAN, you will bind the dynamic interface and its VLAN to a wireless network. To create a new dynamic interface, navigate to Controller > and you will see a list of all the controller interfaces that are currently configured. In Figure 2-21, two interfaces named "management" and "virtual" already exist. Click the New button to define a new interface.

Figure 2-21: Displaying a List of Dynamic Interfaces

Enter a name for the interface and the VLAN number it will be bound to. Figure 2-22 shows the interface named Engineering mapped to its wired VLAN. Click the Apply button.

Figure 2-22: Defining a Dynamic Interface Name and VLAN ID

Next, enter the IP address, subnet mask, and gateway address for the interface. You should also define primary and secondary DHCP server addresses that the controller will use when it relays DHCP requests from clients that are bound to the interface. Figure 2-23 shows the interface named Engineering configured with IP address 192.168.100.10, subnet mask 255.255.255.0, gateway 192.168.100.1, and DHCP servers 192.168.1.17 and a second address shown in the figure. Click the Apply button to complete the interface configuration and return to the list of interfaces.

Figure 2-23: Editing the Dynamic Interface Parameters

Step 3. Create a New WLAN

You can show a list of the currently defined WLANs by selecting WLANs from the top menu bar. In Figure 2-24, the controller does not have any WLANs defined yet. You can create a new WLAN by selecting Create New from the drop-down menu and then clicking the Go button.
Figure 2-24: Displaying a List of WLANs

Next, enter a descriptive name as the profile name and the SSID text string. In Figure 2-25, the profile name and SSID are identical, just to keep things clear. The ID number is used as an index into the list of WLANs defined on the controller. The ID number becomes useful when you use templates in Prime Infrastructure (PI) to configure WLANs on multiple controllers at the same time.

Figure 2-25: Creating a New WLAN

The next page allows you to edit four categories of parameters, corresponding to the tabs across the top as shown in Figure 2-26.

Figure 2-26: Configuring the General WLAN Parameters

You can control whether the WLAN is enabled or disabled with the Status check box. Under Radio Policy, select the type of radio that will offer the WLAN. By default, the WLAN will be offered on all radios that are joined to the controller. Next, select which of the controller's dynamic interfaces will be bound to the WLAN. By default, the management interface is selected. The drop-down list contains all the interface names that are available. In Figure 2-26, the new IPSpecialist WLAN will be bound to the Engineering interface. Finally, enable Broadcast SSID by selecting the check box so that APs broadcast the SSID name in the beacons they transmit. Broadcasting SSIDs is usually more convenient for users connecting to the WLAN because their devices can learn and display the SSID names automatically.

Configuring WLAN Security

Select the Security tab to configure the security settings. By default, the Layer 2 Security tab is selected. From the Layer 2 Security drop-down menu, select the appropriate security scheme to use. Here WPA+WPA2 has been selected from the pull-down menu; then only WPA2 and AES encryption have been selected. WPA and TKIP have been avoided because they are outdated methods. Under the Authentication Key Management section, you can select the authentication methods the WLAN will use.
PSK will be selected, so the WLAN will allow only WPA2-Personal with pre-shared key authentication, as shown in Figure 2-27.

Figure 2-27: Configuring Layer 2 WLAN Security

Configuring WLAN QoS

Select the QoS tab to configure quality of service settings for the WLAN, as shown in Figure 2-28. By default, the controller considers all frames in the WLAN to be normal data and handles them in a "best effort" manner. You can set the Quality of Service (QoS) drop-down menu to classify all frames in one of the following ways:

- Platinum (voice)
- Gold (video)
- Silver (best effort)
- Bronze (background)

Figure 2-28: Configuring QoS Settings

Configuring Advanced WLAN Settings

Finally, you can select the Advanced tab to configure a variety of advanced WLAN settings. You can enable functions such as coverage hole detection, peer-to-peer blocking, client exclusion, client load limits, and so on, as shown in Figure 2-29.

Figure 2-29: Configuring Advanced WLAN Settings

Finalizing WLAN Configuration

When you are satisfied with the settings in each of the WLAN configuration tabs, click the Apply button in the upper-right corner of the WLAN Edit page.

Figure 2-30: Finalizing WLAN Configuration

Finally, the WLAN is created and added to the controller configuration. The WLAN 'Engineering' has been added as WLAN ID 1, as shown in Figure 2-31, and is enabled for use.
Figure 2-31: Displaying WLANs Configured on a Controller
Mind Map of Network Access
Figure 2-32: Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
• A Virtual LAN (VLAN) is a switched network that is logically divided by function, project team or application, without regard to the physical location of the users or hosts
• VLANs have the same attributes as physical LANs, but you can group end stations/hosts even if they are not physically located on the same LAN segment
• Normal-range VLANs are VLANs with VLAN IDs 1-1005
• A data VLAN is a VLAN configured to carry user-generated traffic
• Most switches allow you to add a second VLAN on a switch port for your voice traffic, called the voice VLAN
Interswitch Connectivity
• Cisco originally created its own way of marking traffic with a VLAN ID for transport over an interswitch link, named Inter-Switch Link (ISL)
• Trunk ports mark frames with identifying tags, either 802.1Q tags or ISL tags, as they move between switches
• 802.1Q inserts a 4-byte tag into the Ethernet header to indicate VLAN membership, whereas ISL encapsulates the whole frame with its own header and trailer
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
• Cisco Discovery Protocol (CDP) is a device discovery protocol that operates at the data link layer (Layer 2) on Cisco-manufactured devices and lets network management applications discover neighboring Cisco devices
• To support non-Cisco devices and allow interoperability, the switch also supports IEEE 802.1AB LLDP
• Both protocols advertise device details (platform, software version, addresses) in clear text, so disable them on ports facing untrusted networks
EtherChannel (LACP)
• An EtherChannel consists of Fast Ethernet or Gigabit Ethernet links bundled into a single logical link
• An EtherChannel offers full-duplex bandwidth of up to 800 Mb/s (Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between two switches
• LACP allows the automatic creation of EtherChannels by exchanging LACP
packets between Ethernet ports
Basic Operations of Rapid PVST+ Spanning Tree Protocol
• Rapid PVST+ provides rapid convergence of the spanning tree by assigning port roles and learning the active topology
• To make a switch the root bridge for a VLAN instance, lower its bridge priority from the default value (32768) to a considerably smaller value
• The advantage of PortFast is that a port configured with it moves immediately to the forwarding state, bypassing the listening and learning states; use it only on ports connected to end hosts, and pair it with BPDU Guard so that a switch plugged into such a port cannot alter the topology
Cisco Wireless Architectures vs. AP Modes
• The Cisco Unified Wireless Network architecture offers a secure, scalable, cost-effective wireless LAN solution for business-critical mobility
• The Cisco Unified Wireless Network is the enterprise's only unified wired and wireless solution that cost-effectively addresses wireless LAN (WLAN) security, deployment, management, and control issues
• The core components of the Cisco Unified Wireless Network are Cisco Wireless LAN Controllers (WLCs), Cisco Aironet Access Points (APs), Cisco Prime Infrastructure (PI), and Cisco Mobility Services Engine (MSE)
Physical Infrastructure Connections of WLAN Components (AP, WLC, Access/Trunk Ports, and LAG)
• An access point has a radio card that communicates with individual user devices on the wireless LAN, as well as a wired NIC that connects to a distribution system such as Ethernet
• A WLAN controller manages the wireless access points that allow wireless devices to connect to the network
• LAG simplifies controller configuration because there is no longer a need to configure primary and secondary ports for each interface
AP and WLC Management Access Connections (Telnet, SSH, HTTP, HTTPS, Console, and TACACS+/RADIUS)
• A wireless LAN controller is used together with the Lightweight Access Point Protocol (LWAPP), superseded by CAPWAP on current controllers, so that a network administrator or network operations center can manage lightweight access points in large numbers
• Telnet is a network protocol that provides command-line access to the controller; it sends credentials and session data in clear text and should be disabled in favor of SSH
• Secure Shell (SSH) is a secure replacement for Telnet that encrypts the management session over a secure channel
• The HTTP/HTTPS settings determine whether the distribution system port is enabled as a web port (using HTTP) or as a secure web port (using HTTPS); only HTTPS should be used for management
• There are two common AAA security protocols used to control access to a network: RADIUS and TACACS+
Components of a Wireless LAN Access for Client Connectivity using GUI
• Before you create a new WLAN, think about the parameters that will be required: the SSID text string, the controller interface and VLAN number, and the type of wireless security needed
• A wireless LAN controller and an access point work together to provide network connectivity to wireless clients
• From a wireless standpoint, the AP advertises a Service Set Identifier (SSID) for the client to join
• From a wired standpoint, the controller connects to a virtual LAN (VLAN) through one of its dynamic interfaces
• To complete the path between the SSID and the VLAN, you must first define a WLAN on the controller
Practice Questions
Chapter 03: IP Connectivity
Technology Brief
In the previous chapter, we discussed the roles and functions of different network components, including routers, Layer 2 and Layer 3 switches, firewalls, and servers. We discussed the characteristics of network topology architectures, physical interfaces and cabling types, how issues with these cable types can be identified, and subnetting. We also looked at the configuration of VLANs spanning multiple switches and the verification of their connectivity. In this chapter, we will discuss the routing concept, static routing for both IPv4 and IPv6, and the OSPFv2 routing protocol.
Components of the Routing Table
A routing table is made up of entries for networks. Each entry shows that the network is either directly connected, statically configured or dynamically learned.
The “show ip route” command is used to view a routing table. Using this command will present you with something like the following:
The IP Routing Table on a Cisco Router
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
L       10.10.10.1/32 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 3 subnets
R       172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R       172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R       172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
     192.168.1.0/32 is subnetted, 1 subnets
O       192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
Routing Protocol Code
The term routing refers to taking a packet from one device and sending it through the network to another device on a different network. The basic operations of routing are:
• Routing is the process of discovering remote networks
• Routing discovers the multiple paths that may exist to a remote network
• Routing selects the best path among them
Once you create an internetwork by connecting your WANs and LANs to a router, you need to configure logical network addresses, such as IP addresses, on all hosts in that internetwork so that they can communicate successfully throughout it.
The information necessary to forward a packet along the best path toward its destination resides in the routing table. It contains the destination networks the router knows about and how each of them is reached. Upon receiving a packet, the router examines the destination address, matches it against the routing table entries and chooses the best match for that destination. The packet is then forwarded according to that entry to the next hop on its route across the network. The following information is included in a basic routing table:
Destination: The network address of the packet's final destination
Next Hop: The IP address to which the packet is forwarded
Interface: The outgoing network interface the device should use when forwarding the packet to the next hop or final destination
Metric: Assigns a cost to each available route so that the most cost-effective path can be chosen
Routes: Include directly attached subnets, indirect subnets that are not attached to the device but can be reached through one or more hops, and default routes used for certain types of traffic or when more specific information is lacking
The routing protocol code identifies which routing protocol each route was learned by. Routing protocol codes are located at the very beginning of a routing table entry. Cisco is kind to us and even provides a legend at the beginning of the show output to explain what each value means. Here are those values for your ease of reference:
• L—local
• C—connected
• S—static
• R—RIP
• M—mobile
• B—BGP
• D—EIGRP
• EX—EIGRP external
• O—OSPF
• IA—OSPF inter area
• N1—OSPF NSSA external type 1
• N2—OSPF NSSA external type 2
• E1—OSPF external type 1
• E2—OSPF external type 2
• i—IS-IS
• su—IS-IS summary
• L1—IS-IS level-1
• L2—IS-IS level-2
• ia—IS-IS inter area
• *—candidate default
• U—per-user static route
• o—ODR
• P—periodic downloaded static route
• +—replicated route
Prefix
The network address is simply termed the prefix.
The prefix is the destination network address in the routing table. The shorthand way to express a subnet mask using CIDR notation is a prefix length; for the subnet mask 255.255.255.0, the prefix length is /24. Notice that the routing table lists both parent and child prefixes. For example, in the table above, the entry "172.16.0.0/24 is subnetted, 3 subnets" is the parent prefix, and the specific child prefixes listed below it are 172.16.1.0, 172.16.2.0, and 172.16.3.0.
Network Mask
As mentioned, the prefix length is simply a shorthand way to express a network mask using CIDR notation. A network mask is also called a subnet mask, or netmask for short. Notice in the routing table listing that the parent prefix carries the network mask in prefix notation and the child prefixes beneath it inherit that mask. So for the 172.16.0.0 example above, the network mask is /24; in dotted-decimal notation, this is 255.255.255.0.
Table 3-01: Types of Route and Subnet Mask
Next Hop
The next hop identifies the IP address of the next router in line to which the packet is forwarded on its way to a remote destination. For a child prefix entry, the next-hop IP address follows the word "via".
Administrative Distance
Administrative distance is used to select the best path when a router has learned routes to the same destination from two different routing protocols.
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
L       10.10.10.1/32 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 3 subnets
R       172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R       172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0      <- RIP AD (120)
R       172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
     192.168.1.0/32 is subnetted, 1 subnets
O       192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
     192.168.2.0/32 is subnetted, 1 subnets
O       192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0      <- OSPF AD (110)
As shown in the output above, the administrative distance for RIP is 120 for 172.16.1.0, reached through 10.10.10.3, while the AD for OSPF is 110 for 192.168.2.2, reached through 10.10.10.2. The AD is the first number inside the square brackets; the second is the metric.
The Administrative Distance for the Prefix
Note that the Administrative Distance (AD) associated with the 172.16.0.0/24 prefixes is 120. This is because these routes were learned via RIP, and 120 is the default administrative distance for RIP. Most routing protocols are not compatible with one another, so selecting the best path is a critical task in a network that runs multiple routing protocols. The trustworthiness of a routing protocol is expressed by its administrative distance. The administrative distance value ranks each routing protocol from most to least reliable. IPv6 uses the same distances as IPv4. The AD is used to rate the trustworthiness of routing information a router receives from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most trusted and 255 means the route is not trusted at all and will not be installed in the routing table. If a router receives two updates listing the same remote network, the first thing it checks is the AD. If one of the advertised routes has a lower AD than the other, the route with the lowest AD is chosen and placed in the routing table.
Default Administrative Distances
The default administrative distances are shown in the table given below (for reference: connected 0, static 1, external BGP 20, EIGRP internal 90, OSPF 110, IS-IS 115, RIP 120, EIGRP external 170, internal BGP 200, unknown or untrusted 255):
Table 3-02: Values for the Administrative Distances
Metric
The metric is a value produced by the routing protocol's algorithm. The best path to a destination network within a routing protocol is determined by the metric value. The metric varies with the dynamic routing protocol involved. It is a measure of the "distance" to reach the prefix. For our 172.16.0.0 prefixes, it is a hop count, the simple metric used by RIP. It indicates how many routers you must cross to reach the destination prefix in question. Different protocols use different metrics, as described in the table given below:
Table 3-03: Metrics for Different Protocols
Routes to the same destination learned by the same routing protocol are compared using the metric value, and the route with the lower metric is preferred.
Routing Information Protocol (RIP) Metric Value
• Hop count is used by the Routing Information Protocol (RIP) as its metric
• The hop count is the number of routers that data must pass through from the source network to reach the destination
Figure 3-01: Hop Count
In the topology given above, the Source Network router is R1 and the Destination Network router is R4. An IP datagram must hop three routers to reach the Destination Network: it passes through R2 and R3 in the middle and then reaches R4.
Gateway of Last Resort
The default route configured on the router is termed the gateway of last resort. Packets addressed to networks not explicitly listed in the routing table are forwarded using the default route.
Default routes become invaluable when it is undesirable for a router to learn every more specific network in the topology. Any of the following commands can be used to configure the gateway of last resort:
ip default-gateway a.b.c.d
ip default-network a.b.c.d
ip route 0.0.0.0 0.0.0.0 a.b.c.d
Note that ip default-gateway takes effect only when IP routing is disabled on the device (for example, on a Layer 2 switch), ip default-network is a legacy classful mechanism, and ip route 0.0.0.0 0.0.0.0 is the usual way to configure a default route on a router. Notice again in our routing table example (the show ip route output earlier in this chapter) that the output indicates no Gateway of Last Resort is set. This means there is no default route 0.0.0.0/0 that allows the router to send traffic somewhere when it has no specific prefix entry for the destination IP address; such packets are dropped. The Gateway of Last Resort can be learned dynamically or set using the three commands above: ip default-gateway, ip default-network, and ip route 0.0.0.0 0.0.0.0.
How Does a Router Make a Forwarding Decision by Default?
Longest Match
The longest prefix match is the algorithm used in Internet Protocol (IP) networking to select an entry from a forwarding table. Each entry in a forwarding table specifies a subnetwork, and more than one entry may match a given destination address. Among the matching entries, the one with the longest subnet mask is the longest prefix match: it is the entry where the largest number of leading address bits of the destination address match those in the table entry.
Example
Consider a router running three routing processes, each of which has learned a route to the same address range but with a different prefix length:
EIGRP (internal): 192.168.32.0/26
RIP: 192.168.32.0/24
OSPF: 192.168.32.0/19
Because EIGRP internal routes have the best administrative distance, it is tempting to assume that only the first one will be installed. Administrative distance, however, is compared only between routes to exactly the same prefix; these three prefixes are different, so all three are installed in the routing table.
Making Forwarding Decisions
The three routes installed in the routing table can be seen with the command:
router# show ip route
....
D    192.168.32.0/26 [90/25789217] via 10.1.1.1
R    192.168.32.0/24 [120/4] via 10.1.1.2
O    192.168.32.0/19 [110/229840] via 10.1.1.3
....
If a packet destined for 192.168.32.1 arrives on a router interface, the route chosen depends on the prefix length, that is, the number of bits set in the subnet mask. Longer prefixes are always preferred over shorter ones when forwarding a packet. A packet destined for 192.168.32.1 is forwarded toward 10.1.1.1, because 192.168.32.1 falls within the 192.168.32.0/26 network. It also falls within the other two routes, but 192.168.32.0/26 has the longest prefix in the routing table (26 bits versus 24 or 19 bits).
Administrative Distance
By using the administrative distance, one routing protocol is preferred over another when both have learned a route to the same destination network.
When a Cisco router receives routing information for the same destination network from different protocols, the route from the routing protocol with the lower administrative distance is used. Static routes have a lower AD than any dynamic routing protocol, so a static route to a destination is preferred over a route to the same destination learned dynamically. Multiple static routes to the same destination can be configured via different interfaces, with the backup route given a higher administrative distance for the purpose of failover. If the interface used by the primary static route goes down, the router removes that route and installs the other static route with the higher AD. These backup routes are called floating static routes.
Routing Protocol Metric
Routers use the metric as a cost value. The metric determines the best path to a destination network. Dynamic routing protocols determine the preferred or shortest path to a particular destination, and the main factors in that decision are the metrics and the algorithm. The metrics decide which path packets will follow. For some routing protocols these values are fixed and cannot be changed; for others, a network administrator may assign them. Hop count, bandwidth, delay, reliability, load, and cost are the most common metric values.
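The following is an added example (not code from the workbook) that puts the preceding sections together in Python: it parses the show ip route output used in this chapter into entries with a code, prefix, administrative distance, metric and next hop, installs per prefix only the entry with the lowest AD (and then the lowest metric), and then makes the forwarding decision by longest prefix match. The sample output is constructed from the R1 table shown earlier plus the three overlapping 192.168.32.0 routes from the longest-match example; the static route added at the end (via 10.1.1.9) is an assumed value used to show AD winning over RIP for an identical prefix.

```python
"""Parse `show ip route` output and reproduce the router's decision: longest
prefix match first; for identical prefixes the lowest administrative distance
(then the lowest metric) is the one installed. Added example, not workbook code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the R1 output from this chapter plus the three overlapping
# 192.168.32.0 routes from the longest-match example.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
L       10.10.10.1/32 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 3 subnets
R       172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R       172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R       172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
     192.168.1.0/32 is subnetted, 1 subnets
O       192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
D       192.168.32.0/26 [90/25789217] via 10.1.1.1
R       192.168.32.0/24 [120/4] via 10.1.1.2
O       192.168.32.0/19 [110/229840] via 10.1.1.3
"""


@dataclass(frozen=True)
class RouteEntry:
    code: str                       # routing protocol code (C, L, S, R, O, D, ...)
    network: ipaddress.IPv4Network  # prefix with its mask
    ad: int                         # administrative distance ([AD/metric])
    metric: int
    next_hop: Optional[str]         # address after "via", None if directly connected
    interface: Optional[str]        # exit interface, if the line names one


PARENT_RE = re.compile(r"^\s+\S+/(\d+) is (variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*+]{1,2}(?: [A-Z0-9]{2})?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected)"
)


def parse_show_ip_route(text: str) -> list[RouteEntry]:
    """Child prefixes under a classful parent ('172.16.0.0/24 is subnetted') are
    printed without a mask, so the parent's prefix length is carried down to
    them; under 'variably subnetted' every child prints its own mask."""
    routes, parent_plen = [], None
    for line in text.splitlines():
        p = PARENT_RE.match(line)
        if p:
            parent_plen = None if p.group(2) else int(p.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = m.group("plen") or parent_plen
        if plen is None:
            continue  # mask unknown: skip rather than guess
        routes.append(RouteEntry(
            code=m.group("code"),
            network=ipaddress.ip_network(f"{m.group('prefix')}/{plen}", strict=False),
            ad=int(m.group("ad") or 0),        # connected/local routes carry AD 0
            metric=int(m.group("metric") or 0),
            next_hop=m.group("nexthop"),
            interface=line.rsplit(", ", 1)[1].strip() if ", " in line else None,
        ))
    return routes


class RoutingTable:
    """Per prefix only the candidate with the lowest AD (then metric) is installed;
    forwarding then picks the longest matching installed prefix."""

    def __init__(self) -> None:
        self._routes: dict[ipaddress.IPv4Network, RouteEntry] = {}

    def install(self, route: RouteEntry) -> bool:
        current = self._routes.get(route.network)
        if current is None or (route.ad, route.metric) < (current.ad, current.metric):
            self._routes[route.network] = route
            return True
        return False

    def lookup(self, destination: str) -> Optional[RouteEntry]:
        dest = ipaddress.ip_address(destination)
        matches = [r for r in self._routes.values() if dest in r.network]
        if not matches:
            return None  # no entry and no gateway of last resort: packet dropped
        return max(matches, key=lambda r: r.network.prefixlen)


def build_rib(text: str = SHOW_IP_ROUTE) -> RoutingTable:
    rib = RoutingTable()
    for route in parse_show_ip_route(text):
        rib.install(route)
    return rib


if __name__ == "__main__":
    rib = build_rib()
    for dest in ("192.168.32.1", "192.168.32.100", "192.168.40.1", "8.8.8.8"):
        r = rib.lookup(dest)
        print(dest, "->", "dropped (no default route)" if r is None
              else f"{r.code} {r.network} via {r.next_hop}")
```

192.168.32.1 matches all three 192.168.32.0 prefixes and is sent to 10.1.1.1 because /26 is the longest; 192.168.32.100 lies outside the /26 and falls through to the RIP /24; 192.168.40.1 is covered only by the OSPF /19; 8.8.8.8 matches nothing and, with no gateway of last resort, is dropped. Installing a static route for 192.168.32.0/24 replaces the RIP entry for that exact prefix because AD 1 beats AD 120, which is the comparison the Administrative Distance section describes.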
Hop
• This metric measures distance by the number of networks a datagram crosses
• One hop is counted each time a router forwards a datagram onto a segment
• Routing protocols that use hops as their primary metric consider the best or preferred path to a destination to be the one with the fewest network hops
• Routing protocols that reference only hops as their metric do not always select the best path through a network: a path with fewer hops is not necessarily the fastest
• The upper path may contain a slower link, such as a 56 Kb dial-up link along the second hop, whereas the lower path may consist of more hops but faster links, such as Gigabit Ethernet
• If this were the case, the lower path would undoubtedly be faster than the upper one; however, routing protocols that use hops do not consider other metric values in their routing decisions
Bandwidth
• This metric is used by protocols that consider the capacity of a link
• Bandwidth is measured in bits per second
• Links supporting higher transfer rates, such as Gigabit, are preferred over lower-capacity links, such as 56 Kb
• These protocols determine and consider the bandwidth of each link along the end-to-end path
• The path with the higher overall bandwidth is chosen as the best route
Delay
• Delay is measured in tens of microseconds (μs)
• Delay represents the amount of time it takes for a router to process, queue, and transmit a datagram out an interface
• Protocols that use this metric must determine the delay values for all links along the end-to-end path, considering the path with the lowest cumulative delay to be the better route
Reliability
An administrator may configure this metric as a fixed value, or it may be measured dynamically over a specific time frame. Routers observe the attached links and record problems such as link failures, interface errors and lost datagrams.
Links with more problems are considered less reliable. The higher the reliability, the better the path. Link reliability changes as network conditions change. This value is generally expressed as a fraction of 255, with 255 being the most reliable and 1 being the least reliable.
Load
• Load is a variable value, generally measured over a five-second window, that indicates the traffic load on a specific link
• It measures the amount of traffic occupying the link over this time frame as a percentage of the link's total capacity
• The value 255 is equivalent to 100% utilization or load
• The higher the value, the higher the traffic load (bandwidth utilization) across the link; as traffic increases, this value increases
• Values approaching 255 indicate congestion, while lower values indicate moderate traffic loads
• The less congested path is generally preferred
Cost
• Network administrators can influence the way routers make path decisions by setting arbitrary metric values on links along the end-to-end path
• These arbitrary values are typically single integers, with lower values indicating better paths
IPv4 and IPv6 Static Routing
IP Addresses
An Internet Protocol address, or IP address, is a numerical label assigned to each device connected to a computer network that uses IP for communication. The IP address identifies a specific machine on a particular network. It is also called an IP number or internet address. The Internet Protocol specifies the technical format of the addressing and packet scheme. On most networks IP is combined with TCP, which allows a virtual connection to be established between a source and a destination.
IPv4 Address
The first widely deployed version of IP was IPv4. It was put into production on the ARPANET in 1983.
It is the most widely used IP version nowadays. Devices on a network are identified by using an addressing system. A 32-bit address scheme is used in IPv4 that allows to store 2^32 addresses, which is more than 4 billion addresses. IPv6 is a successor of IPv4. With IPv4, a system will be able to simplify address assignments and additional network security features and will also offer far more numerical addresses. The IPv4 to IPv6 transition is likely to be rough, though. This underlying technology allows us to connect our devices to the web. A device accessing the internet is assigned a unique, numerical IP address such as 99.48.227.227. A data packet must be transferred across the network containing the IP addresses of both devices in order to send data from one computer to another through the web. Computers would not be able to communicate and send data to each other without IP addresses. Features of IPv4 It is a connectionless Protocol It allows creating a simple virtual communication layer over expanded devices Less memory and ease of remembering addresses are required in this addressing scheme Millions of devices support this protocol Video libraries and conferences are offered in IPV4 The Reason Why We Are Running out of IPv4 Addresses 32-bits internet addresses are used in IPv4. Around 4.29 billion, i.e., 2^32 IP addresses in total can be supported in this scheme. All these 4.29 billion IP addresses have now been assigned to various institutions, leading to the crisis we face today. Many of them are unused and in the hands of institutions like MIT and companies like Ford and IBM. More IPv4 addresses will be traded or sold and many are available to be assigned but they will become a rarer product over the next two years until it produces problem for the web. Commands used to add a static route to a routing table from global config are given below: This list describes each command in the string: ip The command used to create the static route. 
destination_network The network you are placing in the routing table.
mask The subnet mask used on the network.
next-hop_address The IP address of the next-hop router that will receive packets and forward them to the remote network. It must be a router interface on a directly connected network. You must be able to successfully ping the router interface before you can add the route. Note that if you type in the wrong next-hop address, or the interface to the correct router is down, the static route will show up in the router's configuration but not in the routing table.
exit_interface Can be used in place of the next-hop address if you want, and the route then shows up as a directly connected route.
administrative_distance By default, static routes have an administrative distance of 1, or 0 if you use an exit interface instead of a next-hop address. You can change the default value by adding an administrative distance at the end of the command.
permanent If the interface is shut down or the router cannot communicate with the next-hop router, the route is automatically discarded from the routing table by default. Choosing the permanent option keeps the entry in the routing table regardless.

IPv6 Address
The most recent version of the Internet Protocol is IPv6. Its design was initiated in early 1994 by the Internet Engineering Task Force (IETF), and the resulting protocol suite is now called IPv6. It is the sixth revision of the Internet Protocol and the successor to IPv4. Deploying this new IP version fulfills the need for more internet addresses, and the issues associated with IPv4 have been resolved with this addressing scheme. Its 128-bit address space allows three hundred and forty (340) undecillion unique addresses. It is also called IPng (Internet Protocol next generation). It functions much like IPv4 and provides the unique numerical IP addresses that internet-enabled devices need to communicate. The one major difference of this addressing scheme is that it uses 128-bit addresses.
Features of IPv6
It offers hierarchical addressing and routing infrastructure
It allows stateful and stateless configuration
It supports Quality of Service (QoS)
It is an ideal protocol for neighboring node interaction

Problem Solved with IPv6
Because IPv6 uses 128-bit internet addresses, it can support 2^128 addresses, i.e., 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses. That is a lot of addresses, and displaying them requires the hexadecimal system. There are more than enough IPv6 addresses to keep the internet operational for a very, very long time.

Difference between IPv4 and IPv6 Addresses
Both IPv4 and IPv6 addresses represent binary numbers
An IPv4 address is a 32-bit binary number, while an IPv6 address is a 128-bit binary number
IPv4 address groups are separated by full stops (.), while IPv6 address groups are separated by colons (:)
Both are used to identify machines connected to a network
In principle they are the same, but they differ in how they work
IPv4 and IPv6 can exist together on the same network but cannot communicate with each other. Running both is also known as Dual Stack.

Default Route
A default route is used by IP to forward any packet whose destination is not found in the routing table, which is why it is also called the gateway of last resort.
Here is the configuration:

Router(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.10.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.10.2

Network Route
When a route is created to a network (as most route entries are), it is called a network route. This simply means that the route points to a group of hosts, as does the following entry:

Router(config)#ip route 200.100.50.0 255.255.255.0 172.16.10.2
Router(config)#do show ip route
S     200.100.50.0/24 [1/0] via 172.16.10.2

Host Route
In most cases we create routes to networks, but you can create a route leading to a single host. An example of a host route is shown below. Note that the mask that goes with the route is 32 bits in length, meaning it is a route to a single IP address. There are also dynamically created host routes called local host routes. One of these is placed in the routing table for each router interface. An example is shown below. Note that it has an L next to it and is preceded by the network route for the directly connected network in which the interface resides.
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.10.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.10.2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.10.0/24 is directly connected, Ethernet1/0
L        172.16.10.1/32 is directly connected, Ethernet1/0
S        172.16.20.0/24 is directly connected, Ethernet1/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, FastEthernet0/0
L        192.168.1.1/32 is directly connected, FastEthernet0/0
S     192.168.2.0/24 is directly connected, Ethernet1/0
S     200.100.50.0/24 [1/0] via 172.16.10.2

Floating Static Route
A floating static route is simply one that has been created as a backup to a route learned through a routing protocol. By creating the static route with an administrative distance larger than that of the routing protocol, we prevent the use of the static route unless the dynamic route is unavailable. The following example configures a static route with a distance of 125, which would prevent it from being placed in the routing table as long as a route to the same network with a lower distance value is present.

Router(config)#ip route 192.168.4.0 255.255.255.0 125

A static route that the router uses to back up a dynamic route is known as a floating static route. It must be configured with a higher administrative distance than the dynamic route it backs up, so the dynamic route is preferred while it is available.
A floating static route could be used as a replacement on losing a dynamic route.

Case Study: Static Routing
An organization has interconnected three networks. All the networks need to be connected statically to route traffic. The networks are able to access the ISP. If any route to the ISP gets disconnected, it should still be able to access the ISP through a floating static route with a greater administrative distance. The configuration has been implemented using IPv4.

Topology Diagram: Figure 3-02: IPv4 Static Routing

Configuration
[The router configuration screenshots from the original are not reproduced in this text.]

Verification
[The verification output screenshots from the original are not reproduced in this text.]
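The behavior described in the static routing sections above (network, host and default routes, administrative distance, and floating static routes) and in this case study (and equally the IPv6 case study that follows) can be checked with a small routing-table model. The Python below is an added example, not code from this workbook or from Cisco IOS. The prefixes and next hop 172.16.10.2 mirror the chapter's show ip route output; the backup next hop 172.16.20.2, the 2001:db8: IPv6 addresses and the OSPF-learned 192.168.4.0/24 route are constructed for the example, and the administrative distances are the IOS defaults (connected 0, static 1, OSPF 110).

```python
"""Routing-table model: administrative distance, longest-prefix match,
the default route (gateway of last resort) and floating static routes.

Added example; not code from the workbook or from Cisco IOS. Prefixes,
next hops and interface names are constructed to mirror the chapter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default administrative distances as IOS assigns them
AD_CONNECTED, AD_STATIC, AD_OSPF = 0, 1, 110


@dataclass(frozen=True)
class Route:
    prefix: str                       # "200.100.50.0/24", "2001:db8:1::/64", "0.0.0.0/0"
    code: str                         # show ip route code: C, L, S, S*, O ...
    ad: int                           # administrative distance
    next_hop: Optional[str] = None    # next-hop address, or None when an exit interface is given
    interface: Optional[str] = None   # exit interface


class RoutingTable:
    """Keeps every candidate route; only the lowest-AD candidate per prefix is installed."""

    def __init__(self):
        self._candidates = {}         # ip_network -> [Route, ...]

    def add(self, route: Route):
        net = ip_network(route.prefix, strict=False)
        self._candidates.setdefault(net, []).append(route)

    def remove(self, route: Route):
        """Withdraw a route, e.g. when its next hop becomes unreachable."""
        net = ip_network(route.prefix, strict=False)
        self._candidates[net].remove(route)
        if not self._candidates[net]:
            del self._candidates[net]

    def installed(self):
        """One route per prefix: the lowest administrative distance wins."""
        return {net: min(rs, key=lambda r: r.ad) for net, rs in self._candidates.items()}

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match. 0.0.0.0/0 (or ::/0) matches everything, so it is
        chosen only when no more specific route exists: the gateway of last resort."""
        addr = ip_address(dst)
        best_net, best_route = None, None
        for net, route in self.installed().items():
            if net.version == addr.version and addr in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_route = net, route
        return best_route


# Routes from the chapter's show ip route output plus constructed backups
PRIMARY_DEFAULT = Route("0.0.0.0/0", "S*", AD_STATIC, next_hop="172.16.10.2")   # ISP via R1
BACKUP_DEFAULT = Route("0.0.0.0/0", "S*", 5, next_hop="172.16.20.2")            # floating static
DYNAMIC_BRANCH = Route("192.168.4.0/24", "O", AD_OSPF, next_hop="172.16.10.2")  # learned by OSPF
FLOATING_BRANCH = Route("192.168.4.0/24", "S", 125, next_hop="172.16.20.2")     # AD 125 > 110


def build_table() -> RoutingTable:
    t = RoutingTable()
    t.add(Route("172.16.10.0/24", "C", AD_CONNECTED, interface="Ethernet1/0"))
    t.add(Route("172.16.10.1/32", "L", AD_CONNECTED, interface="Ethernet1/0"))  # local host route
    t.add(Route("200.100.50.0/24", "S", AD_STATIC, next_hop="172.16.10.2"))     # network route
    t.add(Route("2001:db8:1::/64", "S", AD_STATIC, next_hop="2001:db8:ffff::2"))  # IPv6 (constructed)
    t.add(Route("::/0", "S*", AD_STATIC, next_hop="2001:db8:ffff::2"))           # IPv6 default
    for r in (PRIMARY_DEFAULT, BACKUP_DEFAULT, DYNAMIC_BRANCH, FLOATING_BRANCH):
        t.add(r)
    return t


def next_hop_for(table: RoutingTable, dst: str):
    """(code, next hop or exit interface) for a destination, or None if unroutable."""
    r = table.lookup(dst)
    return None if r is None else (r.code, r.next_hop or r.interface)


def failover_demo():
    """Before/after view of the floating static routes when the R1-ISP link fails:
    IOS withdraws the static default whose next hop is gone and the OSPF route
    across that link ages out, so the higher-AD backups get installed."""
    t = build_table()
    before = {"internet": next_hop_for(t, "8.8.8.8"), "branch": next_hop_for(t, "192.168.4.10")}
    t.remove(PRIMARY_DEFAULT)
    t.remove(DYNAMIC_BRANCH)
    after = {"internet": next_hop_for(t, "8.8.8.8"), "branch": next_hop_for(t, "192.168.4.10")}
    return before, after


if __name__ == "__main__":
    tbl = build_table()
    for dst in ("172.16.10.1", "172.16.10.77", "200.100.50.7", "8.8.8.8", "2001:db8:1::10"):
        print(dst, "->", next_hop_for(tbl, dst))
    print(failover_demo())
```

Running failover_demo() shows the floating routes only taking over once the primary routes are withdrawn; the /32 local route beating its /24 connected network, and the 0/0 entry catching only what nothing else matches, are both consequences of longest-prefix matching rather than of administrative distance.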
Case Study: Static Routing
An organization has interconnected three networks. All the networks need to be connected statically to route traffic. The networks are able to access the ISP. If any route to the ISP, let's say the link between R1 and the ISP, gets disconnected, it should still be able to access the ISP through a floating static route with a greater administrative distance. The configuration has now been implemented using IPv6.

Topology Diagram: Figure 3-03: IPv6 Static Routing

Configuration
[The router configuration screenshots from the original are not reproduced in this text.]

Verification
[The verification output screenshots from the original are not reproduced in this text.]

Single Area OSPFv2
Configuring basic OSPF is not as simple as configuring RIP and EIGRP, and it can get really complex once the many options allowed within OSPF are factored in. But that's okay, because you really only need to focus on basic single-area OSPF configuration at this point. Next, we will show you how to configure single-area OSPF. The two factors that are foundational to OSPF configuration are enabling OSPF and configuring OSPF areas.

Common OSPF terminology:

Router Types:
Internal Router: All interfaces reside within the same area
Backbone Router: A router with an interface in area 0 (the backbone)
Area Border Router (ABR): Connects two or more areas
Autonomous System Boundary Router (ASBR): Connects to additional routing domains, typically located at the backbone

Area Types:
Standard Area: Default OSPF area type
Stub Area: External link (type 5) LSAs are replaced with a default route
Totally Stubby Area: Type 3, 4, and 5 LSAs are replaced with a default route
Not So Stubby Area (NSSA): A stub area containing an ASBR; type 5 LSAs are converted to type 7 within the area

Enabling Single-Area OSPF:
The easiest, and also least scalable, way to configure OSPF is to use a single area. Doing this requires a minimum of two commands.
The first command used to activate the OSPF routing process is as follows:

Router(config)#router ospf <process-id>

Process ID <1-65535>
The OSPF process ID values range from 1 to 65535. The process ID is used to enable one or more OSPF processes on a router. An OSPF process can be removed by using the no form of the command. A value in the range from 1 to 65,535 identifies the OSPF process ID. It is a unique number on this router that groups a series of OSPF configuration commands under a specific running process. Different OSPF routers do not have to use the same process ID to communicate.

The Show IP OSPF Interface Command
The show ip ospf interface command reveals all interface-related OSPF information. Data is displayed for all OSPF-enabled interfaces or for the specified interface. Here are some of the more important factors highlighted for you:

[The command output screenshot from the original is not reproduced in this text.]

So this command has given us the following information:
Interface IP Address
Area Assignment
Process ID
Router ID
Network Type
Cost
Priority
DR/BDR Election Information (if applicable)
Hello and Dead Timer Intervals
Adjacent Neighbor Information

The show ip ospf interface g0/0 command is used here because a designated router would be elected on the GigabitEthernet broadcast multi-access
network.

The show ip ospf neighbor command is super-useful because it summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information will also be displayed. Here is a sample:

[The sample output screenshot from the original is not reproduced in this text.]

The Show IP Protocols Command
The show ip protocols command is also highly useful, whether you are running OSPF, EIGRP, RIP, BGP, IS-IS, or any other routing protocol that can be configured on your router. It provides an excellent overview of the actual operation of all running protocols.

[The command output screenshot from the original is not reproduced in this text.]
Figure 3-07: Showing the IP Protocols

The table below defines OSPF verification commands:

[The contents of Table 3-04 are not reproduced in this text.]
Table 3-04: OSPF Verification Commands

Loopback Interfaces
Loopback interfaces are logical interfaces, which means they are virtual, software-only interfaces, not actual physical router interfaces. A big reason we use loopback interfaces with OSPF configurations is that they ensure an interface is always active and available for OSPF processes. Loopback interfaces also come in very handy for diagnostic purposes as well as for OSPF configuration. Understand that if you do not configure a loopback interface on a router, the highest active IP address on the router will become that router's RID during boot-up:

City_X(config)#interf loopback 0
City_X(config-if)#ip address 172.31.1.2 255.255.255.0
City_X(config-if)#no sh

Neighbor Adjacency
An OSPFv2 interface must have a configuration compatible with the remote interface before the two can be considered neighbors.
The following criteria must match on the two OSPFv2 interfaces:
Hello Interval
Dead Interval
Area ID
Authentication
Optional Capabilities

If a match is found, the information entered into the neighbor table is as follows:
Neighbor ID: The router ID of the neighbor
Priority: The priority of the neighbor
State: Indicates whether the neighbor has just been heard from, bidirectional communication has been set up, link-state information is being shared, or full adjacency has been achieved
Dead Time: Indicates the time since the last Hello packet was received from this neighbor
IP Address: The neighbor's IP address
Designated Router: Indicates whether the neighbor has been declared the designated router or the backup designated router
Local Interface: The local interface that received the Hello packet for this neighbor

Adjacency
Not all neighbors establish an adjacency. Depending on the network type and designated router establishment, some neighbors become fully adjacent and share LSAs with all their neighbors. (For more information, see the "Designated Routers" section.) In OSPF, Database Description packets, Link State Request packets, and Link State Update packets are used to establish the adjacency. The Database Description packet includes only the LSA headers from the neighbor's link-state database. The local router compares these headers with its own link-state database and determines which LSAs are new or updated. The local router then sends a Link State Request packet for each such LSA, indicating that it needs the new or updated information. The neighbor responds with Link State Update packets. This exchange continues until both routers have the same link-state information.

Point-to-Point
Open Shortest Path First (OSPF) runs as a point-to-point network type on point-to-point links such as High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP).
This OSPF network type is enabled by default on such links. OSPF also supports other network types, including Point-to-Multipoint, Broadcast, and Non-Broadcast. The show ip ospf interface command is used to check the network type of an interface that runs OSPF.

Broadcast (DR/BDR Selection)
The role of the Designated Router (DR) and Backup Designated Router (BDR) is to act as a central point for exchanging OSPF information between multiple routers on the same multi-access broadcast network segment. Non-DR and non-BDR routers exchange routing information only with the DR and BDR instead of exchanging updates with every other router on the segment, which significantly reduces the amount of OSPF routing updates.

Note: OSPF does not elect DR/BDR roles on point-to-point links, i.e., between two directly connected routers.

Election
Each router on the segment goes through an election process to elect a DR and BDR. The winner is determined by two rules:
Priority: The router with the highest priority wins the election. The default priority is 1. It is configured per interface.
Router ID: If there is a tie, the highest router ID wins the election.

2-way
A full relationship is formed with the Designated and Backup Designated Routers. Non-DR and non-BDR routers form only the 2-way neighbor state with each other: they send and receive each other's Hellos, but do not exchange any routing updates.

Router ID
The OSPF Router-ID is selected in the order given below:
1. A 32-bit Router-ID configured manually
2. If 1 is not configured, the highest IP address of a loopback interface is selected
3. If neither 1 nor 2 is configured, the highest IP address of any active interface is selected

Purpose of First Hop Redundancy Protocol
First Hop Redundancy Protocols (FHRPs) are used to provide gateway redundancy.
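Before turning to first hop redundancy, the OSPF neighbor mechanics covered above (the parameters that must match for two interfaces to become neighbors, the fields of the neighbor table shown by show ip ospf neighbor, the Router-ID selection order and the DR/BDR election rules) as one added Python example. This is not the workbook's code; the OspfInterface and Router classes, the router names, priorities and addresses, and the sample show ip ospf neighbor output are all constructed for the example. One rule it uses that the text does not state: an interface priority of 0 makes a router ineligible to become DR or BDR.

```python
"""OSPF neighbor and DR/BDR checks: interface-parameter match, reading a
'show ip ospf neighbor' table, Router-ID selection and DR/BDR election.
Added example, not the workbook's code; all names, addresses and the
sample command output are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class OspfInterface:
    hello: int      # Hello interval, seconds
    dead: int       # Dead interval, seconds
    area: str       # area ID
    auth: str       # "none", "simple" or "md5"


def neighbor_mismatches(local: OspfInterface, remote: OspfInterface) -> List[str]:
    """Parameters from the neighbor criteria that differ; an empty list means the
    two interfaces can become neighbors."""
    return [f"{f}: local={getattr(local, f)} remote={getattr(remote, f)}"
            for f in ("hello", "dead", "area", "auth")
            if getattr(local, f) != getattr(remote, f)]


@dataclass
class Router:
    name: str
    priority: int = 1                         # interface priority; default 1; 0 = never DR/BDR
    manual_rid: Optional[str] = None          # Router-ID configured by hand
    loopbacks: List[str] = field(default_factory=list)      # loopback IPv4 addresses
    active_ifaces: List[str] = field(default_factory=list)  # other active interface addresses


def select_router_id(r: Router) -> IPv4Address:
    """Order from the Router ID section: manual, highest loopback, highest active interface."""
    if r.manual_rid:
        return IPv4Address(r.manual_rid)
    if r.loopbacks:
        return max(IPv4Address(a) for a in r.loopbacks)
    if r.active_ifaces:
        return max(IPv4Address(a) for a in r.active_ifaces)
    raise ValueError(f"{r.name}: no IPv4 address to derive a Router-ID from")


def elect_dr_bdr(routers: List[Router]):
    """Highest priority wins, highest Router-ID breaks ties; the runner-up is BDR.
    Returns (dr, bdr, drothers) as router names for a fresh election."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, select_router_id(r)), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr, [r.name for r in routers if r.name not in (dr, bdr)]


# Constructed sample of 'show ip ospf neighbor' output (not captured from a device)
SAMPLE_NEIGHBOR_TABLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.31.1.2        1   FULL/DR         00:00:33    172.16.10.2     GigabitEthernet0/0
10.0.0.5          1   FULL/BDR        00:00:35    172.16.10.5     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:38    172.16.10.3     GigabitEthernet0/0
10.0.0.9          0   EXSTART/-       00:00:36    10.10.10.9      Serial0/0/0
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$")


def parse_neighbors(text: str) -> list:
    """One dict per neighbor row, with the state and DR/BDR role split apart."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            state, _, role = m["state"].partition("/")
            rows.append({"id": m["nid"], "priority": int(m["pri"]), "state": state,
                         "role": role, "dead_time": m["dead"], "address": m["addr"],
                         "interface": m["intf"]})
    return rows


def unhealthy_neighbors(rows: list) -> list:
    """FULL is the normal adjacency; 2WAY is also normal between two DROTHERs.
    Anything else (e.g. stuck in EXSTART) deserves investigation."""
    return [r for r in rows
            if not (r["state"] == "FULL" or (r["state"] == "2WAY" and r["role"] == "DROTHER"))]


if __name__ == "__main__":
    print(neighbor_mismatches(OspfInterface(10, 40, "0", "none"), OspfInterface(10, 30, "0", "md5")))
    print(elect_dr_bdr([Router("R1", loopbacks=["10.0.0.1"]), Router("R2", manual_rid="10.0.0.200"),
                        Router("R3", priority=5, active_ifaces=["172.16.10.3"]), Router("R4", priority=0)]))
    for row in unhealthy_neighbors(parse_neighbors(SAMPLE_NEIGHBOR_TABLE)):
        print("check neighbor", row["id"], "on", row["interface"], "state", row["state"])
```

The neighbor-table parser is the part a practitioner would keep: run over real show ip ospf neighbor output, it flags adjacencies that never reach FULL, which is the first thing to look at when the interface parameters above do not match.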
The class of redundancy protocols known as FHRPs includes VRRP (Virtual Router Redundancy Protocol), HSRP (Hot Standby Router Protocol), and GLBP (Gateway Load Balancing Protocol). These protocols protect against a single point of failure at the default gateway. They may also provide load balancing if multiple uplinks are available at the first-hop routers.

Scenario

Three redundant routers are shown in the figure above. In this case no routing protocol runs between the gateways and the end users; redundancy is provided between the gateway routers, which are multilayer switches. By sharing all these gateways, a virtual gateway is created that allows any of the gateways to be used without running a dynamic routing protocol. In this virtual redundancy, the virtual gateway forwards traffic to the physical devices. If any of the gateways fails, another redundant router takes charge and starts sending the packets to the outside world.

Both HSRP and VRRP enable two or more routers on a LAN to work together in a group. The routers share a single group IP address, which is configured on each host as the default gateway. In an HSRP or VRRP group, one router is elected to handle all requests sent to the group IP address; it is called the active router in HSRP and the master router in VRRP. There must be at least one standby router in HSRP and at least one backup router in VRRP.

Gateway Load Balancing Protocol (GLBP) goes a step beyond VRRP and HSRP: it provides load balancing in addition to redundancy.

The first hop for packets from a particular LAN (more accurately, a particular VLAN) is the default gateway used to reach a remote network. A router can forward the packets as long as its routing table holds a route to the intended remote network or a default route is present.
If that first hop ever goes down, the network becomes incapable of communicating with the outside world; only local communication across the switched domain remains possible. Since First Hop Redundancy Protocols provide default gateway redundancy, it is recommended to have more than one default gateway enabled. In the event of a router failure, a backup device takes over almost transparently to users, and traffic to remote networks continues to be forwarded so that the network is never isolated.

Types of Redundancy Protocols

The first hop redundancy protocols that can be used for this purpose fall into the following three categories:

- HSRP (Hot Standby Router Protocol)
- VRRP (Virtual Router Redundancy Protocol)
- GLBP (Gateway Load Balancing Protocol)

HSRP:

- It is Cisco proprietary and was the first first-hop redundancy protocol ever created
- HSRP is enabled on a particular interface, and this interface becomes part of a "standby" group
- Besides the physical IP address of the interface, there is a virtual IP address in the same subnet
- The idea is to perform a similar configuration on an interface belonging to another router; this is how the redundancy is generated
- Interfaces on different devices share the virtual address
- The hosts in the network are assigned the virtual IP address as their default gateway
- There is always a consistent gateway to reach, regardless of which device is active
- HSRP has an active/standby relationship: one device forwards packets while the other stands by and just listens
VRRP:

- The IETF (Internet Engineering Task Force) started working on a standards-based FHRP, and the result was VRRP
- VRRP is not significantly different from HSRP; it is really just the "open" version of it
- The differences between the two protocols are minimal

HSRP versus VRRP Comparison

Table 3-05: HSRP versus VRRP Comparison

GLBP

GLBP is the most advanced of the three FHRP protocols. Its main goal is to improve resource utilization by providing built-in load balancing between the participating routers. When HSRP or VRRP is used for gateway redundancy, load balancing between different VLANs can be achieved by configuring different standby groups with different priorities on each router to obtain an "active-active" design, so that a whole router is not left idle while waiting for the others to fail. Although this is still a common practice, it is administratively burdensome and may not scale as desired. GLBP was created to natively provide both redundancy and load balancing. GLBP is Cisco proprietary; it takes HSRP and VRRP to the next level by providing a load balancing mechanism for the clients together with first hop redundancy. As with HSRP and VRRP, routers that participate in GLBP must be members of the same group.
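The GLBP group behaviour that the following paragraphs describe (an AVG elected by priority and IP, at most four routers forwarding, each AVF answering for its own virtual MAC, later members waiting as SVFs) as an added Python simulation. This is not Cisco's code and not the workbook's configuration; router names, priorities and addresses are constructed, and the virtual MAC pattern is modelled on the 0007.b400.XXYY format Cisco documents for GLBP, treated here as an assumption.

```python
# Added example (not Cisco's code and not the workbook's configuration): a small
# simulation of one GLBP group, showing the AVG election, the four-forwarder limit,
# round-robin ARP replies with per-AVF virtual MACs, and an SVF taking over a failed
# AVF's virtual MAC. Router names, priorities and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

MAX_FORWARDERS = 4   # AVG plus up to three further AVFs may forward traffic


@dataclass
class GlbpRouter:
    name: str
    ip: str
    priority: int = 100


@dataclass
class GlbpGroup:
    group_id: int
    virtual_ip: str
    members: list = field(default_factory=list)   # GlbpRouter objects in the group
    avfs: dict = field(default_factory=dict)      # router name -> virtual MAC it answers for
    svfs: list = field(default_factory=list)      # names waiting for a forwarder slot
    next_forwarder: int = 1                       # next forwarder number to hand out
    arp_round_robin: int = 0                      # index of the next vMAC used in an ARP reply

    def virtual_mac(self, forwarder: int) -> str:
        # Modelled on the pattern Cisco documents for GLBP, 0007.b400.XXYY with
        # XX = group number and YY = forwarder number (assumption for this example).
        group = f"{self.group_id:04x}"
        return f"0007.b4{group[:2]}.{group[2:]}{forwarder:02x}"

    def join(self, router: GlbpRouter) -> str:
        """Add a router to the group; returns the role it receives."""
        self.members.append(router)
        if len(self.avfs) < MAX_FORWARDERS:
            self.avfs[router.name] = self.virtual_mac(self.next_forwarder)
            self.next_forwarder += 1
            return "AVF"
        self.svfs.append(router.name)   # fifth and later routers wait as SVFs
        return "SVF"

    def elect_avg(self) -> Optional[str]:
        """The AVG is the member with the highest priority; ties go to the highest IP."""
        if not self.members:
            return None
        return max(self.members, key=lambda r: (r.priority, int(IPv4Address(r.ip)))).name

    def answer_arp(self) -> str:
        """The AVG answers every ARP request for the virtual IP with the next AVF's
        virtual MAC, so hosts are spread across the forwarders."""
        macs = list(self.avfs.values())
        if not macs:
            raise RuntimeError("no active forwarder left in the group")
        mac = macs[self.arp_round_robin % len(macs)]
        self.arp_round_robin += 1
        return mac

    def fail(self, name: str) -> Optional[str]:
        """Remove a failed router. If it was an AVF, the first waiting SVF takes over
        its virtual MAC, so hosts that cached that MAC keep a working gateway.
        Returns the name of the router that took over, if any."""
        self.members = [m for m in self.members if m.name != name]
        if name in self.svfs:
            self.svfs.remove(name)
            return None
        mac = self.avfs.pop(name, None)
        if mac is None or not self.svfs:
            return None
        successor = self.svfs.pop(0)
        self.avfs[successor] = mac
        return successor


if __name__ == "__main__":
    group = GlbpGroup(group_id=1, virtual_ip="192.0.2.1")
    for n in range(1, 6):
        print(f"R{n}:", group.join(GlbpRouter(f"R{n}", f"192.0.2.{10 + n}")))
    print("AVG:", group.elect_avg())
    print("ARP replies:", [group.answer_arp() for _ in range(5)])
    print("R3 failed, taken over by:", group.fail("R3"))
```

Running the block with five routers shows the fifth joining as SVF, ARP replies cycling through four different virtual MACs, and the SVF inheriting the failed AVF's MAC rather than a new one, which is why hosts do not need to refresh their ARP cache after the failure.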
Once all the routers are in the same group, one router is elected to be the AVG (Active Virtual Gateway). The AVG is elected based on the highest priority, falling back to the highest IP address if the priorities match. Up to four routers in a GLBP group can actively forward traffic: one is the AVG, and up to three others can be AVFs (Active Virtual Forwarders). This four-router limit applies to routers that actively forward traffic. A fifth or later router joining the group becomes an SVF (Standby Virtual Forwarder) and takes the place of an AVF in case of failure. An SVG (Standby Virtual Gateway) also plays a role. GLBP balances traffic by having the AVG assign a virtual MAC address to each AVF; when an ARP request for the virtual IP comes in, the AVG responds with one of the AVFs' virtual MACs.

Note: Some documentation uses the term SVF to describe a router that is beyond the four-router AVF limit. Other documentation uses SVF to describe an active AVF that is ready to take over another AVF's role in case of failure. Router 1 is an SVF for routers 2, 3, 4 and 5.

Figure 3-04: GLBP Routers

There are five GLBP routers in this example. The bare minimum GLBP configuration is applied to each router, and that configuration is used to examine what has occurred.

Case Study

An organization needs to extend its business by opening branches in multiple countries. To fulfil this need, it opens a new branch in a city. The organization needs to configure the network for that branch and connect that internal network to the company's backbone network. The network admin decided to implement the OSPF routing protocol to fulfil the network requirements. Below is the network topology diagram suggested by the network admin to be implemented.
Topology Diagram

Figure 3-05: OSPF Routing Configuration

Configuration

Verification

Figure 3-21: Verification Outputs

Mind Map

Figure 3-06: Mind Map of IP Connectivity

Summary

Components of the Routing Table

In this section, we learned that networks are either directly connected, statically configured, or dynamically learned.
- The "show ip route" command is used to view the routing table
- The routing protocol code identifies which routing protocol learned each route
- The network address is simply termed the prefix, and the prefix-length is the shorthand way to express a subnet mask using CIDR notation, e.g., for the subnet mask 255.255.255.0 the prefix-length is /24. A network mask is also called a subnet mask or netmask for short
- The next-hop IP address follows the word "via" in a child prefix entry. The next hop is the IP address of the next router in the path to the destination network
- Administrative distance is used to select the best path when a router has two different paths to the same destination
- Within a routing protocol, the best path to a destination network is determined by the metric value
- Packets addressed to networks not explicitly listed in the routing table are directed using the default route

How a Router Makes a Forwarding Decision by Default

- The longest prefix match is the algorithm used in Internet Protocol (IP) networking to select an entry from a forwarding table. Each entry in a forwarding table specifies a sub-network
- When two routing protocols learn the same destination network, administrative distance decides which routing protocol's route is preferred
- Metric determines the best path to a destination network
- The preferred or shortest path to a particular destination is determined by the dynamic routing protocols

Configure and Verify IPv4 and IPv6 Static Routing

- Static routes are manually assigned in both IPv4 and IPv6
- The default route is used by IP to forward any packet whose destination is not found in the routing table
- When a route is created to a network, it is called a network route
- A route leading to a single host can also be created
- A floating static route is simply one that has been created as a backup to a route learned through a routing protocol

Configure and Verify Single Area OSPFv2

- An OSPFv2 interface and a remote interface must have a compatible configuration before the two can be considered neighbors
- OSPF supports the other network types including Point-to-Multipoint, Broadcast, and Non-Broadcast
- The Designated Router (DR) and the Backup Designated Router (BDR) act as a central point for exchanging OSPF information between multiple routers on the same multi-access broadcast network segment

Purpose of First Hop Redundancy Protocol

- Gateway redundancy is provided by the First Hop Redundancy Protocol (FHRP)
- The class of redundancy protocols known as FHRPs includes VRRP (Virtual Router Redundancy Protocol), HSRP (Hot Standby Router Protocol), and GLBP (Gateway Load Balancing Protocol)
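The forwarding decision summarized above (longest prefix match, administrative distance, metric, default route) together with the floating static route from the static-routing summary, as an added Python example. It is not the workbook's code; the route-source codes and their administrative distances are the Cisco IOS defaults, and every prefix and next hop is a constructed value from the documentation address ranges.

```python
# Added example (not the workbook's code): how a router chooses a forwarding entry.
# Per prefix, the route with the lowest administrative distance (then lowest metric)
# is installed; a lookup then takes the longest prefix match among installed routes,
# with the default route as the last resort. A floating static route (higher AD than
# the dynamic route) only takes over once the dynamic route is gone. All prefixes and
# next hops are constructed values from the documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default administrative distances for the route-source codes used below (Cisco IOS values)
ADMIN_DISTANCE = {"C": 0, "S": 1, "O": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    code: str                       # routing-protocol code as printed by "show ip route"
    prefix: str                     # network/prefix-length, IPv4 or IPv6
    next_hop: str
    metric: int = 0
    distance: Optional[int] = None  # explicit AD, e.g. 200 for a floating static route

    @property
    def ad(self) -> int:
        return self.distance if self.distance is not None else ADMIN_DISTANCE[self.code]


class RoutingTable:
    def __init__(self) -> None:
        self.candidates: list = []   # every route offered by every source

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def remove(self, route: Route) -> None:
        self.candidates.remove(route)

    def installed(self) -> list:
        """For each prefix keep the best source: lowest AD, then lowest metric.
        (Equal-cost multipath is ignored to keep the example short.)"""
        best = {}
        for r in self.candidates:
            current = best.get(r.prefix)
            if current is None or (r.ad, r.metric) < (current.ad, current.metric):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix match over the installed routes. 0.0.0.0/0 (or ::/0) matches
        everything, so the default route is used only when nothing longer matches."""
        dst = ip_address(destination)
        matches = [r for r in self.installed() if dst in ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)


def build_sample_table() -> RoutingTable:
    """Constructed routing table used by the demo below."""
    t = RoutingTable()
    t.add(Route("O", "10.0.0.0/8", "192.0.2.1", metric=20))
    t.add(Route("R", "10.1.0.0/16", "192.0.2.2", metric=3))      # RIP, AD 120
    t.add(Route("O", "10.1.0.0/16", "192.0.2.3", metric=30))     # OSPF, AD 110: wins the /16
    t.add(Route("O", "10.3.0.0/24", "192.0.2.5", metric=50))
    t.add(Route("O", "10.3.0.0/24", "192.0.2.6", metric=10))     # same source: lower metric wins
    t.add(Route("O", "10.2.0.0/16", "192.0.2.4", metric=30))
    t.add(Route("S", "10.2.0.0/16", "192.0.2.9", distance=200))  # floating static backup
    t.add(Route("S", "2001:db8::/32", "2001:db8:ffff::1"))
    t.add(Route("S", "0.0.0.0/0", "192.0.2.254"))               # default route
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.1.5.5", "10.9.9.9", "10.3.0.7", "10.2.7.7", "198.51.100.1", "2001:db8:1::5"):
        route = table.lookup(dst)
        print(f"{dst:>16} -> {route.code} {route.prefix} via {route.next_hop}")
```

Note the order of the two decisions: administrative distance and metric only compete between routes to the same prefix, so a RIP /24 would still beat an OSPF /16 for a destination inside the /24. Removing the OSPF 10.2.0.0/16 route from the sample table makes the lookup for 10.2.7.7 fall through to the floating static (AD 200) next hop.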
Chapter 04: IP Services

Technology Brief

IP Services is a professional combination of all management, operation and maintenance services, facilities and territories. Long-term contract services for corporate customers are considered the main task. A reliable partnership and comfortable conditions are guaranteed for effective business. Features that can be deployed individually or in combination with each other across a wide range of Cisco hardware include Network Address Translation (NAT), Dynamic Host Configuration Protocol (DHCP), and Hot Standby Router Protocol (HSRP). Cisco's IP Services comprise many basic and advanced building blocks. They allow customers to deploy an IP network with basic end-to-end IP connectivity, manage their IP addressing requirements from a central location, control the IP addressing scheme used throughout their network, provide redundancy at major network connection points, and much more.

Configure and Verify Inside Source NAT using Static and Pools

In Network Address Translation (NAT), a network device, typically a firewall, allocates a public address to a computer or group of computers within a private network. NAT limits the number of public IP addresses an organization or company needs to use, which is essential for both economy and security purposes. The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). Computers that only need to access resources inside the network, like workstations needing access to file servers and printers, use the private addressing scheme. Routers inside the private network can route traffic between private addresses without any trouble.
To access resources outside the network, these computers need a public address so that replies to their requests can return to them. The process is quick rather than complex, and the end user rarely knows it has occurred. A workstation inside the network makes a request to a computer on the internet. The router within the network recognizes that the request is not for an inside resource and sends it to the firewall. The firewall sees the request coming from the computer with the internal IP address. It then makes the same request to the internet using its own public address, and relays the response from the internet resource back to the computer inside the private network. From the perspective of the resource on the internet, information is sent to the address of the firewall; from the workstation's perspective, the communication appears to be happening directly with the site on the internet. All users inside the private network accessing the internet share the same public IP address, so only one public address is needed for hundreds or even thousands of users.

Most modern firewalls are stateful: they set up the connection between the internal workstation and the internet resource and keep track of the details of the connection, such as ports, packet order, and the IP addresses involved. This is called "keeping track of the state of the connection". In this way the firewall tracks the session consisting of the communication between the workstation and the firewall and between the firewall and the internet. When the session ends, the firewall discards all of the information about the connection.

Moreover, in large networks some servers may act as web servers and must be accessible from the Internet. These servers are assigned public IP addresses on the firewall, and the public can access the servers only through that IP address.
The firewall sits between the outside world and the protected internal network and acts as an additional layer of security. Additional rules can be added that specify which ports may be accessed at that IP address. NAT lets internal network traffic be routed more efficiently and lets more ports be used internally while access is restricted at the firewall. NAT also allows detailed logging of communication between the network and the outside world. It can be used to allow selective access to the outside of the network too: workstations or other computers that need special access outside the network are assigned specific external IPs with NAT, which lets them communicate with computers and applications that require a unique public IP address. As an intermediary, the firewall controls the session in both directions and restricts port access and protocols.

Figure 4-01: Network Address

NAT is a very important aspect of firewall security. It conserves the number of public addresses used inside an organization and allows stricter control of access to resources on both sides of the firewall.

NAT inside source maps the private IP addresses on a LAN to the public IP address(es) on the router's outside interface:
● Network Address Translation (NAT) is used to map private IP addresses on a LAN to public IP address(es) on the external interface of the router
● The router's interface connecting to the LAN network is the inside
● The router's interface connecting to the WAN is the outside
● Depending on the preferred outcome, different methods of NAT are used: Static, Pool and PAT

NAT Inside and Outside Addresses
Inside refers to the addresses that must be translated. Outside refers to the addresses that are not under the organization's control.
These address roles are what let the translation take place.

Inside Local Address: The IP address assigned to a host on the inside network. It is usually not assigned by the service provider, i.e., it is a private IP address.

Inside Global Address: The IP address that represents one or more inside local IP addresses to the outside world. It is the inside host as seen from the outside network.

Outside Local Address: The IP address of the destination host as it appears on the local network after translation.

Outside Global Address: The outside host as seen from the outside network. It is the IP address of the outside destination host before translation.

Types of Network Address Translation (NAT)
There are three ways to configure NAT:
● Static NAT
● Dynamic NAT
● Port Address Translation (PAT)

Static NAT
A single unregistered (private) IP address is mapped to a legally registered (public) IP address, i.e., a one-to-one mapping between local and global address. Web hosting generally uses static NAT. Organizations with many devices that need internet access do not use static NAT, because a public IP address is needed for every device: an organization with 3000 devices would need to buy 3000 public addresses in order to access the internet, which would be very costly.

Dynamic NAT
An unregistered IP address is translated to a registered (public) IP address taken from a pool of public IP addresses. Only a fixed number of private IP addresses can be translated at a time, so if no address in the pool is free, the packet is dropped. A pool of 2 public IP addresses can translate only 2 private IP addresses; a 3rd private IP address wanting to access the internet has its packet dropped. In this way many private IP addresses are mapped to a pool of public IP addresses.
Networks with a fixed number of users usually use dynamic NAT. An organization must buy many global IP addresses to build the pool, which makes it costly.

Port Address Translation
PAT allows many local (private) IP addresses to be translated to a single registered IP address. It is also known as NAT overload. Port numbers distinguish which traffic belongs to which IP address. Thousands of users can be connected to the internet using only one real global (public) IP address. It is cost-effective and therefore used most frequently.

Advantages of NAT
● NAT conserves legally registered IP addresses
● It offers privacy, because the IP address of the device sending and receiving the traffic is hidden
● Address renumbering is eliminated when a network evolves

Disadvantages of NAT
● The translation introduces switching path delay
● Certain applications will not function with NAT enabled
● Tunneling protocols such as IPsec are complicated by it
● Further, a router, being a network layer device, should not tamper with port numbers, but NAT makes it tamper with them

Example:
Port Address Translation (PAT), or NAT (Network Address Translation) overloading, is a modified form of dynamic NAT in which the number of inside local addresses is greater than the number of inside global addresses. Mostly, a single inside global IP address provides internet access to all inside hosts. NAT overloading is the only flavor of NAT that actually conserves IP addresses, and it is also the most popular form of NAT.

Figure 4-02: Port Address Translation (PAT)

Table 4-01: Protocol with Inside Local and Global IP

PAT allows overloading, the mapping of more than one inside local address to the same inside global address. Return packets arriving at the NAT router would therefore all carry the same destination address.
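The three translation types described above, static one-to-one, a pool that drops packets once exhausted, and PAT with extended entries keyed on protocol and port, as an added simulation that is not the workbook's own code; all addresses and ports are constructed samples.

```python
"""Added simulation of a NAT translation table (not the workbook's own code).

It models inside-source translation in the three forms the chapter describes:
static one-to-one, dynamic pool (the packet is dropped when the pool is empty)
and PAT/overload (one inside global address shared by tracking protocol and port).
Addresses are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A translation entry is keyed on (protocol, inside local ip, inside local port)
FlowKey = Tuple[str, str, int]


@dataclass
class NatRouter:
    mode: str                                        # "static", "pool" or "pat"
    static_map: Dict[str, str] = field(default_factory=dict)
    pool: List[str] = field(default_factory=list)    # free inside global addresses
    overload_ip: str = ""                            # the single inside global for PAT
    table: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024                            # next free port on the overload address

    def translate_out(self, proto: str, inside_local: str, sport: int) -> Optional[Tuple[str, int]]:
        """Translate an outbound packet. Returns (inside global ip, port), or None if dropped."""
        key = (proto, inside_local, sport)
        if key in self.table:
            return self.table[key]
        if self.mode == "static":
            # Static translations exist whether or not there is traffic; the port is unchanged
            if inside_local not in self.static_map:
                return None
            entry = (self.static_map[inside_local], sport)
        elif self.mode == "pool":
            # One-to-one at request time; reuse the address already leased to this host
            leased = {k[1]: v[0] for k, v in self.table.items()}
            if inside_local in leased:
                entry = (leased[inside_local], sport)
            elif self.pool:
                entry = (self.pool.pop(0), sport)
            else:
                return None  # pool exhausted: the packet is dropped
        elif self.mode == "pat":
            # Many-to-one: the extended entry also records the protocol and a unique port
            if self.next_port > 65535:
                return None  # the 16-bit port space of the overload address is used up
            entry = (self.overload_ip, self.next_port)
            self.next_port += 1
        else:
            raise ValueError(f"unknown NAT mode {self.mode}")
        self.table[key] = entry
        return entry

    def translate_in(self, proto: str, dst_ip: str, dport: int) -> Optional[Tuple[str, int]]:
        """Match a return packet to the inside host using protocol, global ip and port."""
        for (p, local_ip, local_port), (gip, gport) in self.table.items():
            if p == proto and gip == dst_ip and gport == dport:
                return (local_ip, local_port)
        return None  # no entry: an unsolicited inbound packet is not forwarded

    def age_out(self, inside_local: str) -> None:
        """Remove a host's entries after the timeout; a pool address returns to the pool."""
        for key in [k for k in self.table if k[1] == inside_local]:
            gip, _ = self.table.pop(key)
            if self.mode == "pool" and gip not in self.pool:
                self.pool.append(gip)
```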
How does the router know which inside local address each return packet belongs to? The answer is that the NAT entries in the translation table are extended entries: besides the relevant IP addresses, each entry also tracks the protocol type and the ports. By interpreting both the IP address and the port number of a packet, up to 65535 inside local addresses could theoretically be mapped to one inside global address, based on the 16-bit port number. A single NAT entry uses approximately 160 bytes of router memory, so 65535 entries would take more than 10 MB of memory and a large amount of CPU power. This is a theoretical limit; practical PAT configurations come nowhere near this number of addresses.

Static:
● Allows one-to-one mapping
● A specific inside IP address is translated to a specific outside IP address
● Translations are statically configured and placed in the translation table whether there is traffic or not
● Mostly used for hosts that provide application services like mail, web, FTP, etc.

Pool:
● A form of dynamic NAT with many-to-many mappings
● Multiple inside IP addresses are translated to multiple outside IP addresses
● The pool is useful when fewer addresses are available than there are hosts to be translated
● Entries are created in the translation table as connections are initiated. Each entry is a one-to-one mapping, but the method is called many-to-many because the mappings can vary and depend on the IPs available in the pool at the time of the request
● NAT entries are removed from the translation table after a specified, configurable amount of time, and the IP address is returned to the NAT pool

Exam Tip
You must have a clear understanding of what NAT is and how it is configured both statically and dynamically. Practice the included labs to gain hands-on experience.

NTP Operating in a Client and Server Mode
Network Time Protocol provides time to all our network devices.
In simple words, NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks. Typically there is an NTP server that connects through the internet to an atomic clock. That time can then be distributed across the network so that all routers, switches, servers, etc. receive the same time information. Precise network time is important because:
● Correct time makes it possible to track events in the network
● Clock synchronization is critical for the correct interpretation of events in syslog data
● Clock synchronization is critical for digital certificates

Switches and routers issue log messages when different events take place, for example when an interface goes down and then comes back up. As you already know, all messages produced by the IOS go only to the console port by default. However, those console messages can be directed to a syslog server, which saves copies of the console messages and can time-stamp them so you can view them later. Securing a network involves many things, among them security logs with an accurate date and timestamp. When an attack is encountered on a network, it is important to identify when the attack occurred and the order in which its events took place. Log messages can be accurately time stamped by synchronizing the clocks on hosts and network devices, either manually or with Network Time Protocol. Typically, the date and time settings on a router can be set using one of two methods:
● Manually set the date and time
● Configure the Network Time Protocol (NTP)

The figure below shows an example of manually updating the clock. As a network grows, it becomes difficult to ensure and verify that all infrastructure devices within it are running with synchronized time. Even in a small network environment, the manual method is not ideal.
For example, if a router reboots, how will it get an accurate date and timestamp? A better solution than manually configuring time and date is to configure Network Time Protocol (NTP) on the network. This protocol lets networking devices synchronize their time and date with an NTP server. It is better because a group of NTP clients obtaining time and date information from a single source has more consistent time settings. NTP can synchronize to a publicly available NTP server or to a private master clock. NTP uses UDP port 123 and is documented in RFC 1305. Here is an example of manually setting the time and date on a device:

R1#clock set 04:00:00 12 nov 2019 // To set time 04 hr 00 min 00 sec and date 12 nov 2019
R1#show clock // To check the time and date running on the device

NTP Authentication
NTP version 3 and later support a cryptographic authentication technique between NTP peers. This authentication can be used to mitigate an attack. Three commands are used on the NTP master and the NTP client:
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number

Without NTP authentication configured, network time information can still be exchanged between server and clients, but the clients do not authenticate the NTP server as a trusted source; if the legitimate NTP server goes down, a fake NTP server could take over the role of the real one. Use the show ntp associations detail command to confirm that the server is an authenticated source. Use the show ntp status command to confirm that the server and client are synchronized.

Figure 4-04: Output of NTP Associations

Tip
To clear this exam, you must know how the NTP client is synchronized with the server. Their use in a network should be clear, along with the NTP master and NTP client concepts.
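The keyed-MD5 check that the ntp authentication-key ... md5 and ntp trusted-key commands set up, as an added example that is not the workbook's code, modelled on the NTPv3 scheme of appending a key id and MD5(key || header); the key id, key and header contents are constructed samples.

```python
"""Added example (not the workbook's code) modelled on the NTPv3 keyed-MD5
authenticator: a 4-byte key id plus MD5(key || 48-byte header) appended to the
packet. A client holding the trusted-key list rejects packets from a server that
does not know the key. Key id, key and header contents are constructed samples."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header; the MAC (4-byte key id + 16-byte digest) follows it
MAC_LEN = 4 + 16


def build_header(stratum: int = 2, transmit_ts: int = 0) -> bytes:
    """Construct a minimal NTPv3 server reply header (LI=0, VN=3, mode=4)."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = (0 << 6) | (3 << 3) | 4              # leap indicator, version, mode
    hdr[1] = stratum
    hdr[2] = 10                                   # poll interval exponent
    struct.pack_into(">Q", hdr, 40, transmit_ts)  # 64-bit transmit timestamp
    return bytes(hdr)


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append key id and MD5 over key || header (the 'md5' key type on IOS)."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack(">I", key_id) + digest


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Client side: accept only a packet whose key id is trusted and whose digest matches.

    trusted_keys maps key id -> key bytes and plays the role of the ntp trusted-key list.
    Unauthenticated packets, unknown key ids and tampered headers are all rejected.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    key_id = struct.unpack(">I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])
```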
Role of DHCP and DNS within the Network
DHCP (Dynamic Host Configuration Protocol) provides quick, automatic, and central management of the distribution of IP addresses within a network. It is also used to configure the default gateway, subnet mask, and DNS server information on the device. A DHCP server defines a scope, or range, of IP addresses; these dynamic addresses are used to serve devices. A device obtains a valid network connection from this pool of addresses, and many devices can connect to a network over a period of time without each needing its own permanent address.

Example: If the DHCP server defines 20 addresses, then 30, 50, 200, or more devices can connect to the network over time, but no more than 20 devices can use one of the available IP addresses simultaneously. DHCP assigns IP addresses for a specific period of time, called a lease period. Commands like ipconfig that find a computer's IP address may therefore show different results over time. DHCP delivers dynamic IP addresses to clients; devices with dynamic addresses and devices with manually assigned IP addresses can both exist on the same network. ISPs usually assign IP addresses using DHCP.

Configuring DHCP
The following information is required to configure a DHCP server for hosts:
● Network and mask for every network ID, also termed a "scope". By default all addresses in a subnet can be handed to hosts
● Reserved/excluded addresses for servers, printers, routers, etc. These addresses will not be handed out to hosts
● Default router: the address of the router for every LAN
● DNS: the list of DNS server addresses provided to hosts so they can resolve names

DNS: The Domain Name System (DNS) is used to translate names to IP addresses. A list of mail servers can be provided to accept emails for each domain name. A domain name in DNS nominates a set of name servers to be authoritative for its DNS records.
When looking for information about the domain name, all other name servers are pointed to these authoritative servers. The name server implements a name-service protocol and stores the zone file and DNS records. A zone is a small set of instructions that points domain names to IP addresses.

Configuration Steps:
● Exclude the addresses you want to reserve. This step is done first because as soon as you set a network ID, the DHCP service starts responding to client requests
● Create a pool for every LAN using a distinctive name
● Select the network ID and subnet mask of the DHCP pool that the server will use to provide addresses to hosts
● Add the address used as the default gateway of the subnet
● Provide the DNS server address(es)
● If you do not want to use the default lease time of 24 hours, set the lease time in days, hours, and minutes

TFTP, DNS, and Gateway Options
A few optional but recommended commands, including TFTP, DNS and default gateway IP address, are used to configure the Cisco IOS DHCP feature:
● The TFTP option 150 identifies an external server used to store the DHCP bindings database
● The DNS setting identifies the IP address of the DNS server on the network
● The gateway option defines a default gateway for the clients

Tip
Make sure you can quickly tell the difference observed in a network after configuring DHCP.

The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) is an Application layer protocol. It provides a message format for agents on a variety of devices to communicate with Network Management Stations (NMSs). The NMS receives messages from these agents and then either reads or writes the information in the database, which is called a Management Information Base (MIB). The NMS periodically queries, or polls, the SNMP agent on a device with GET messages to gather and analyze statistics.
If a problem occurs, end devices running SNMP agents send an SNMP trap to the NMS. The basic operation of SNMP is depicted in the following figure:

Figure 4-03: Working of SNMP

Admins also use SNMP to push configuration to agents; these are called SET messages. SNMP is also used to analyze information and compile the results in a report or even a graph. Thresholds trigger a notification process when they are exceeded. For example, the CPU figures of a Cisco device such as a core router are monitored with graphing tools: the CPU is watched continuously, the NMS graphs the statistics, and a notification is sent when the threshold is exceeded. SNMP has three versions (v1, v2 and v3):

SNMPv2: SNMPv2 is similar to SNMPv1 with slight modifications; SNMPv1 is no longer in use. SNMPv2 supports plain-text authentication with community strings and no encryption, but offers GET BULK, which collects many kinds of information at once and reduces the number of GET requests. It offers a more comprehensive error message reporting method called INFORM, but it is not more secure than v1. It uses UDP, though it can be configured to use TCP.

SNMPv3: SNMPv3 supports strong authentication with SHA or MD5, providing confidentiality (encryption) and data integrity of messages between agents and managers via Data Encryption Standard (DES) or DES-256 encryption. GET BULK is retained in SNMPv3, and this version also uses TCP.

Management Information Base (MIB): When you want to access data from so many kinds of devices, a standard way to organize this plethora of data is required; in SNMP this is done with the MIB. A Management Information Base (MIB) is a collection of information that is organized hierarchically and can be accessed by protocols like SNMP.
RFCs describe some common public variables, but most organizations define their own private branches alongside the basic SNMP standards. Object Identifiers (OIDs) are laid out as a tree whose levels are assigned by different organizations, with the top-level MIB OIDs belonging to various standards organizations. To obtain information from the MIB on the SNMP agent, you can use several different operations:
● operation is used to get information from the MIB to an SNMP agent
● operation is used to get information to the MIB from an SNMP manager
● operation is used to list information from successive MIB objects within a specified MIB
● operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager
● operation is the same as a trap, but it adds an acknowledgment that a trap does not provide

Exam Tip
To describe the function of SNMP, you need a clear understanding of the management server and agent concepts.

Use of Syslog Features Including Facilities and Levels

Syslog
When a certain event occurs in a network, networking devices have a trusted technique to inform or notify the network administrator through detailed system messages. These messages may be either non-critical or significant. Network administrators have many options for storing, interpreting, and viewing these messages, and for being notified of those messages that could have the greatest impact on the network infrastructure. One of the most common methods of accessing the system messages that devices provide is the protocol called syslog. Syslog is a system logging protocol that monitors the events running on a system and stores the messages at the desired location. It was developed for UNIX based systems in the 1980s, but was first documented in 2001 as RFC 3164 by the IETF. Syslog uses UDP port 514 to send event notification messages over IP networks.
Figure 4-04: Syslog Messages

Many networking devices support syslog: routers, switches, servers, firewalls, and other network appliances. Syslog allows networking devices to send their system logging messages across the network to syslog servers. It is even possible to build a dedicated Out-of-Band (OOB) network for this purpose. There are several syslog server software packages for Windows and UNIX, many of them freeware. The syslog logging service offers three primary functions:
● The ability to collect logging messages for monitoring and troubleshooting
● The ability to select the specific type of logging information that is captured
● The ability to specify the destinations where captured syslog messages are stored

Figure 4-05: Syslog

You can read system messages from a switch's or router's internal buffer. It is the most popular and effective method of watching what is going on in your network at a specific time. But the best way is to log messages to a syslog server, which stores the messages for you, can time-stamp them and arrange them in order, and is easy to set up and configure. With syslog you can display, sort, and even search messages, which makes it a really great troubleshooting tool. The search feature is particularly powerful because you can use keywords and even severity levels. Plus, the server can email admins based on a message's severity level. Network devices can be configured to produce a syslog message and forward it to various destinations. These four are the standard ways to gather messages from Cisco devices:
● Logging buffer (on by default)
● Console line (on by default)
● Terminal lines (using the terminal monitor command)
● Syslog server

You should know that all system messages and debug output produced by the IOS go out only through the console port by default and are logged in buffers in RAM. You should also know that Cisco routers are not exactly cautious about sending messages.
To send messages to the VTY lines, the terminal monitor command is used.

Note
The Cisco router sends a version of the message to the syslog server that is formatted something like this:
Seq no: timestamp: %facility-severity-MNEMONIC: report

The system message format can be broken down as follows:
● Seq no: stamps log messages with a sequence number, but not by default. If you want this output, you have to configure it
● Timestamp: the date and time of the message or event, which again shows up only if configured
● Facility: the facility to which the message refers
● Severity: a single-digit code from 0 to 7 that indicates the severity of the message
● MNEMONIC: a text string that uniquely describes the message
● Report: a text string containing detailed information about the event being reported

The severity levels, from the most severe level to the least severe, are listed in the table below:

Table 4-02: Severity Levels and their Explanation

Syslog Facilities and Features
Syslog is primarily used for system management. Proactive syslog monitoring can significantly reduce the downtime of servers and of the other devices in an infrastructure, and cost savings follow from preventing the loss of productivity that usually accompanies reactive troubleshooting. A variety of options and severity levels can be chosen when setting up syslog alerts, including emergency, critical, warning, error, and so on.

Network Alerting: Syslog identifies critical network issues. For example, fabric channel errors on a switch fabric module can be detected. These warnings or errors cannot be detected with other forms of monitoring metrics.

Security Alerting: Syslog messages provide the detailed context of security events. Communication relationships, timing, and in some cases an attacker's motive and tools can be recognized from syslog.
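The message format and severity levels just described, applied to a handful of IOS messages, as an added example that is not the workbook's own code: it splits each message into its fields, flags timestamps from an unsynchronized clock, and selects the messages a security alert would be raised on; the log lines are constructed samples.

```python
"""Added example (not from the workbook): parse Cisco IOS system messages in the
Seq no: timestamp: %facility-severity-MNEMONIC: description format and select the
ones worth alerting on by severity. The log lines below are constructed samples."""
import re
from typing import List, Optional

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                                   # sequence number, only if configured
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? "      # timestamp, only if configured
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)

# Constructed sample messages in the shapes IOS produces
SAMPLE_LOGS = [
    "000123: *Nov 12 04:00:05.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "*Nov 12 04:01:10.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Nov 12 2019 04:02:00.512 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22]",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Nov 12 04:05:00: this line is not a system message",
]


def parse_message(line: str) -> Optional[dict]:
    """Split one IOS message into its fields; None when the line is not in the format."""
    m = MESSAGE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["severity"])
    ts = m["ts"]
    return {
        "seq": m["seq"],
        "timestamp": ts,
        # IOS prefixes '*' when the clock is not authoritative and '.' when NTP sync was lost;
        # such timestamps cannot be trusted for ordering events across devices
        "clock_authoritative": ts is not None and ts[0] not in "*.",
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "description": m["description"],
    }


def alerts(lines: List[str], max_severity: int = 4) -> List[dict]:
    """Return parsed messages at or above the given severity (a lower number is more severe)."""
    out = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= max_severity:
            out.append(msg)
    return out
```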
Server Alerting: Syslog can alert on server startups, abrupt server shutdowns, clean server shutdowns, runtime configuration impact, configuration reloads and failures, resource impact, and so on. Failed connections can also be detected with syslog. Server alerts are always valuable, especially when you supervise hundreds of servers.

Application Alerting: Applications create logs in different ways, and some of them are created through syslog. A running web application writes dozens of logs in its log folder. A syslog monitoring solution is needed for real-time monitoring, and it can observe changes in the log folder.

Another good use of syslog is monitoring High-Availability (HA) servers. Normally only the logs that are troublesome need to be monitored, but in the case of an HA server failure all the logs from the server are needed. The solution is a dedicated syslog server for the HA cluster. Detailed analysis of an error requires digging into the historical syslog reports with a syslog analysis tool such as Kiwi or syslog-ng. Comprehensive details like high momentary error rates, configuration changes, or a sustained abnormal condition cannot be shown by other forms of monitoring. The basic features of any syslog monitoring tool include a synchronous web dashboard, an alerting system, and log storage. Proactive syslog monitoring and troubleshooting reduce trouble tickets, and syslog monitoring is enhanced by integrating the syslog monitoring tool with other infrastructure management tools.

DHCP Client and Relay
● DHCP provides a framework for passing configuration information dynamically to hosts on a TCP/IP network
● An internet host that uses DHCP to obtain configuration parameters such as an IP address is called a DHCP client
● Any host that forwards DHCP packets between clients and servers is a DHCP relay agent
● Relay agents forward requests and replies between clients and servers when the two are not on the same physical subnet
● Relay agent forwarding is different from the normal forwarding of an IP router, which switches IP datagrams between networks; relay agents receive DHCP messages and generate a new DHCP message to send on another interface

Figure 4-06: DHCP Request for an IP Address from a DHCP Server

A DHCP server is a network server. It automatically provides IP addresses, default gateways and other network parameters. Dynamic Host Configuration Protocol, or DHCP, is responsible for responding on a DHCP server to the broadcast queries sent by clients. The required network parameters are sent automatically so that clients can communicate properly on the network. Otherwise the network administrator has to set up each client joining the network manually, which is not an easy task, especially in larger networks. DHCP servers assign each client a unique dynamic IP address, which changes when the client's lease for that IP address has ended.

Router/Switch as a DHCP Server
Many enterprise companies use DHCP for IPv4 on their routers/switches. This is usually handled by network administrators who need to get DHCP capability up and running quickly but do not have access to a DHCP server. Most routers/switches provide the following DHCP support:
● A DHCP client, where an interface's IPv4 address is obtained from an upstream DHCP service
● A DHCP relay, where UDP DHCP messages from clients on a LAN are forwarded to and from a DHCP server
● A DHCP server, where the router/switch services DHCP requests directly

There are still some limitations to using a router/switch as a DHCP server:
● Running a DHCP server on a router/switch consumes resources on the network device. These DHCP packets are handled in software, not by hardware-accelerated forwarding
● This practice is not suitable for a network with a large number (> 150) of DHCP clients
● It does not support dynamic DNS: the router/switch DHCP server cannot create an entry in DNS on behalf of the client based on the IPv4 address leased to the client
● The scope is not managed easily, and the current DHCP bindings and leases across multiple routers cannot be observed in one place. To get information about DHCP bindings, an administrator must log into each switch/router individually
● If the device fails, both the current DHCP server and the default gateway fail with it; there is no high availability or redundancy of the DHCP bindings
● DHCP options are more difficult to configure on a router/switch platform
● A router/switch running the DHCP service is not integrated with IP Address Management (IPAM) for tracking address and scope utilization or for security forensics

Benefits of a Dedicated DHCP Server
Using a centralized DHCP server is a better approach than running DHCP on your router/switch. It is particularly useful in network environments that must support both DHCP for IPv4 and DHCP for IPv6 at the same time, since DHCP server vendors that support both protocols offer the same management interface for IPv4 and IPv6. Enterprises use DHCPv6 for several benefits that make it advantageous. These include:
● A DHCPv6 server integrated into an IP Address Management (IPAM) system gives visibility of the IPv6-enabled client nodes
● DHCP servers provide logging and management interfaces that help administrators manage their IP address scopes. An organization usually wants an accounting of what is on the network regardless of the IP version being used
● DHCP servers can provide redundancy and high availability. If one DHCP server fails, clients keep their current IP addresses and end nodes experience no interruption
● Organizations will prefer a DHCPv6 server that has been tried and tested.
The USGv6 certification laboratory has certified the Infoblox DHCPv6 server as "IPv6 Ready". Organizations beginning to implement IPv6 should migrate DHCP for IPv4 off the routers/switches and onto a robust DHCP server infrastructure. A centralized dual-protocol DHCP server gives enterprise organizations the advantage of delivering IPv4 and IPv6 addresses to client devices from one place.

Forwarding Per-Hop Behavior for QoS such as Classification, Marking, Queuing, Congestion, Policing, Shaping
A Per-Hop Behavior (PHB) is the forwarding behavior assigned to a Differentiated Services Code Point (DSCP). The PHB defines the forwarding priority a marked packet receives relative to other traffic on the Diffserv-aware system. This precedence determines how an IPQoS-enabled system or Diffserv router forwards and drops the marked packets. Each Diffserv router the packet encounters en route to its destination applies the same PHB, unless another Diffserv system has changed the DSCP. A PHB provides a definite amount of network resources to a class of traffic on the contiguous network. The DSCPs defined in the QoS policy indicate the precedence levels for traffic classes when the traffic flow leaves the IPQoS-enabled system. Precedences range from high precedence/low drop probability to low precedence/high drop probability. For example, the QoS policy can assign to one class of traffic a DSCP that guarantees a low-drop precedence PHB from any Diffserv-aware router; this low-drop precedence PHB guarantees bandwidth to packets of this class. Adding other DSCPs to the QoS policy assigns varying levels of precedence to other traffic classes. Diffserv systems provide bandwidth to the lower-precedence packets in agreement with the priorities indicated in the packets' DSCPs. IPQoS supports two types of forwarding behavior.
The behaviors defined in the Diffserv architecture are Expedited Forwarding (EF) and Assured Forwarding (AF).

Classification: Expedited Forwarding
Any traffic class whose DSCP is associated with EF is assured the highest priority per-hop behavior. Traffic with an EF DSCP does not wait in line. EF provides low loss, latency, and jitter. The recommended DSCP for EF is 101110. A packet marked with 101110 receives a guaranteed low-drop precedence as it traverses Diffserv-aware networks en route to its destination. The EF DSCP is used to assign priority to customers or applications with a premium SLA.

Expedited Forwarding PHB
The Resource Reservation Protocol (RSVP), a component of the integrated services model, provides a guaranteed bandwidth service. This kind of robust service is essential for applications such as Voice over IP (VoIP), video, and online trading programs, and it is delivered by providing low loss, low latency, low jitter, and assured bandwidth. In the Expedited Forwarding (EF) PHB the most significant 3 bits of the DSCP field are set to 101; the whole DSCP field is set to 101110, decimal value 46. The EF PHB provides a low delay service.

Figure 4-07: IP Header DS Field and DSCP PHBs

The EF PHB should also minimize jitter and loss. The bandwidth dedicated to EF must be limited, and the queue dedicated to EF must be the highest priority queue, so that the assigned traffic gets through fast without significant delay or loss. This can be achieved when the assigned traffic is kept within its bandwidth limit/cap. QoS techniques such as admission control ensure the successful deployment of the EF PHB.
Three important facts about the EF PHB:
During congestion, EF polices bandwidth
It provides a bandwidth guarantee
It imposes minimum delay
Non-DSCP-compliant applications set the IP precedence bits to 101 (decimal 5, called Critical) for delay-sensitive traffic such as voice. The most significant bits of the EF marking (101110) are 101, which makes it backward compatible with the binary 101 IP precedence (Critical) setting.

Assured Forwarding
The AF per-hop behavior provides four different forwarding classes that can be assigned to a packet. Every forwarding class provides three drop precedences: low-drop, medium-drop, and high-drop. The Assured Forwarding (AF) PHB is equivalent to the Controlled Load Service available in the integrated services model. An AF PHB defines a method to give different forwarding assurances. Following are the classes for network traffic:
Gold: 50 percent of the available bandwidth is allocated for the traffic in this category.
Silver: 30 percent of the available bandwidth is allocated for the traffic in this category.
Bronze: 20 percent of the available bandwidth is allocated for the traffic in this category.
The four AF classes of the AF PHB are AF1, AF2, AF3, and AF4. Each class is assigned a specific amount of buffer space and interface bandwidth, according to the SLA with the service provider or the policy map. Three drop precedence (dP) values, 1, 2, and 3, can be specified within each AF class. With the Assured Forwarding (AF) PHB, the most significant 3 bits of the DSCP field are set to 001, 010, 011, or 100; these bit patterns are also called AF1, AF2, AF3, and AF4. The AF PHB is used for guaranteed bandwidth service.

Default Per-Hop Behavior
In the Default PHB, the three most significant bits of the DiffServ/DSCP field are set to 000. It is used for Best Effort (BE) service.
The DSCP value of a packet is consequently assigned to the default PHB if it is not mapped to any PHB.

Packet Forwarding in a Diffserv Environment
Differentiated Services (DiffServ) is a network solution aimed at classifying IP traffic flows into traffic classes. The DiffServ Code Point (DSCP) uses six bits of the eight-bit field called Type of Service (ToS) inside the IP header. Its main goal is to determine the PHB that each node applies. The DiffServ domain identifies the scope of this protocol.

Figure 4-08: Diffserv Environment

The figure shows part of an intranet at a company with a partially Diffserv-enabled environment. The hosts on the IPQoS-enabled network and the local routers on both networks are Diffserv aware.

Figure: Forwarding Across Diffserv-Aware Network Hops

The packet flow begins with a packet that originates at one host and continues through several hops to a destination host that is three hops away. The QoS policy is applied to the resulting packet flow, which is then classified by ipqos1; the system administrator has created a class for all of this traffic. The traffic originates on the local network 10.10.0.0 and is assigned the AF22 per-hop behavior: class two, medium-drop precedence. A traffic flow rate of 2 Mbit/sec is configured, and any flow exceeding the committed rate of 2 Mbit/sec is identified. The marker marks the DS field of the packets with the 010100 DSCP, corresponding to the AF22 PHB. The packets are received by the next router, which checks the DSCP; if the router is found to be congested, packets marked with AF22 can be dropped. Otherwise the traffic is forwarded to the next hop in agreement with the per-hop behavior configured for AF22 packets. The next network traversed is not Diffserv aware, so the traffic receives best-effort forwarding there and is then passed to genrouter, which is Diffserv aware. The packets
are then forwarded to the destination network in accordance with the PHB defined in the router policy for AF22 packets, and are received by ipqos2. The user is then prompted for a user name and password.

DiffServ is a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the capability of the network to deliver the service required by specific network traffic from one end of the network to the other. Cisco IOS QoS software supports three types of service model: Integrated Services (IntServ), Best-Effort Services, and Differentiated Services.

Congestion
To avoid tail drop, congestion avoidance techniques such as Weighted Random Early Detection (WRED) are deployed on each queue. Packets are dropped based on the marking differences between them. Within each AFxy class, y specifies the drop preference (or probability) of the packet. Some packets are marked with the minimum probability/preference of being dropped, some with medium, and the rest with the maximum probability/preference of drop. The y part of AFxy is one of the 2-bit binary numbers 01, 10, and 11; this is embedded in the DSCP field of these packets and specifies high, medium, and low drop preference. Note that bigger numbers here are not better, because they imply a higher drop preference. Therefore, two features are embedded in the AF PHB:
Four traffic classes (BAs) are assigned to four queues, each of which has a minimum reserved bandwidth.
Each queue has congestion avoidance deployed to avoid tail drop and to provide preferential drops.

Table 4-03: The AF DSCP Values

Table 4-03 displays the four AF classes and the three drop preferences (probabilities) within each class. Beside each AFxy within the table, its corresponding decimal and binary DSCP values are also displayed for your reference.
Queuing Per-Hop Behavior
Queue Design Principles
Voice, video, and data applications are converged on the network and must co-exist seamlessly, each with appropriate QoS service expectations and guarantees. The performance of non-real-time applications can be significantly degraded when real-time applications consume all of the link bandwidth. Extensive testing has shown a significant performance impact on non-real-time applications when more than one-third of the link is used by real-time applications in a strict-priority queue. Using more than a third of the link bandwidth for strict-priority queuing is therefore not recommended. This principle prevents non-real-time applications from dropping out of their required QoS recommendations. Also, no more than 33 percent of the bandwidth should be used for the expedited forwarding queue. This 33% design principle is not a mandatory rule but a best-practice design recommendation. For an assured forwarding per-hop behavior, a minimum of one queue should be provisioned, but up to four subclasses can be defined within the AF class: AF1x, AF2x, AF3x, and AF4x. Each queue that belongs to a specified AF subclass must have bandwidth corresponding to the application requirements of that traffic subclass. All traffic not explicitly defined in other queues lies in the Default Forwarding (DF) class. It is important to have adequate space for those traffic types, since an enterprise uses many applications. Typically 25 percent of the link bandwidth can be used for this service class. Because a pre-specified bandwidth is reserved for each queue, if the amount of traffic on a particular queue exceeds the bandwidth reserved for that queue, the queue builds up and eventually incurs packet drops.

Queuing Schedulers
Priority Queueing (PRIQ)
Priority Queuing is the simplest form of traffic shaping, and it is often the most effective.
It performs only the prioritization of traffic, without regard for bandwidth.
Pros: Easy to understand and configure.
Cons: Lower-precedence queues can easily be completely starved of bandwidth.

Class Based Queueing (CBQ)
CBQ is the next step up from priority queuing. A tree hierarchy of classes is created, each with an allocated priority and bandwidth limit. Instead of processing all packets from a class as PRIQ does, CBQ processes only enough packets until the bandwidth limit is reached.

Shaping
Traffic shaping is used to give traffic more predictable behavior. It uses the Token Bucket model, which characterizes a traffic source. The main parameters of the Token Bucket are:
Token Arrival Rate - v
Bucket Depth - Bc
Time Interval - tc
Link Capacity - C

Configuring Traffic Shaping
Traffic shaping and queuing can be accomplished in several ways. The easiest way to implement ALTQ-based shaping is with the Traffic Shaping Wizard. Traffic Shaping configuration is located at Firewall > Traffic Shaping.
Limitations: An upper limit on traffic cannot be set by ALTQ shaping.
Wizards: The Traffic Shaping Wizard creates a default set of rules. The rules created by the wizard cope well with VoIP traffic but may need modification to accommodate other traffic not covered by the wizard. The exact choice of wizards depends on the version in use. The wizard sizes the queues and bandwidths appropriately for most configurations; they may need to be adjusted manually in some cases, but for the majority of cases this is unnecessary.
Multiple Lan/Wan: This wizard can accommodate an arbitrary number of WANs and LANs.
Dedicated Links: This wizard is meant for multiple WANs and LANs when the specific LAN/WAN pairings do not mix traffic with others. In this way a single firewall manages several ‘virtual’ links.
Other Wizards: The other wizards can be used if their descriptions suit the respective environment.
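The token bucket parameters named above (v, Bc, tc, C), worked through as an added example that is not code from the workbook: the same bucket is run once as a policer (exceeding packets are dropped) and once as a shaper (exceeding packets are delayed until tokens accrue), over a constructed burst of ten 1500-byte packets. The rates, depths and packet timings are assumed values chosen for the illustration.

```python
"""Token-bucket policer and shaper (added example, constructed input).

v  = token arrival rate, bits per second
Bc = bucket depth, bits (largest burst that passes unshaped)
tc = interval, derived here as Bc / v
C  = link capacity, bits per second (serialization delay only)
"""


class TokenBucket:
    def __init__(self, v: float, Bc: float, C: float):
        self.v, self.Bc, self.C = v, Bc, C
        self.tokens = Bc          # bucket starts full
        self.last = 0.0           # time of the last refill
        self.busy_until = 0.0     # link finishes serializing the previous packet

    def refill(self, now: float) -> None:
        """Tokens accrue at rate v since the last refill, capped at Bc."""
        self.tokens = min(self.Bc, self.tokens + (now - self.last) * self.v)
        self.last = now

    def police(self, arrival: float, bits: int) -> str:
        """Policer: conform if the bucket holds enough tokens now,
        otherwise exceed (dropped, no tokens consumed)."""
        self.refill(arrival)
        if bits <= self.tokens:
            self.tokens -= bits
            return "conform"
        return "exceed"

    def shape(self, arrival: float, bits: int) -> float:
        """Shaper: nothing is dropped; the packet queues until the token
        deficit is replenished. Returns the time it has fully left the link."""
        now = max(arrival, self.last)            # FIFO: cannot overtake earlier packets
        self.refill(now)
        if bits > self.tokens:
            now += (bits - self.tokens) / self.v  # wait for the missing tokens
            self.refill(now)
        self.tokens -= bits
        start = max(now, self.busy_until)
        self.busy_until = start + bits / self.C   # serialization on a link of capacity C
        return self.busy_until


def interval_tc(v: float, Bc: float) -> float:
    """tc: the time needed to accumulate one full bucket at rate v."""
    return Bc / v


def burst(count: int, bits: int, gap: float):
    """Constructed burst: `count` packets of `bits` bits, one every `gap` seconds."""
    return [(i * gap, bits) for i in range(count)]


def simulate(packets, v: float, Bc: float, C: float):
    """Run the same burst through a policer and a shaper with identical parameters.
    Returns (policer verdicts, shaper departure times)."""
    policer, shaper = TokenBucket(v, Bc, C), TokenBucket(v, Bc, C)
    verdicts = [policer.police(t, b) for t, b in packets]
    departures = [shaper.shape(t, b) for t, b in packets]
    return verdicts, departures


if __name__ == "__main__":
    # 1 Mbit/s committed rate, 24 kbit bucket, 10 Mbit/s link; ten 1500-byte packets 1 ms apart
    pkts = burst(10, 12000, 0.001)
    verdicts, departures = simulate(pkts, v=1e6, Bc=24000, C=10e6)
    print("tc =", interval_tc(1e6, 24000), "s")
    for (t, b), verdict, dep in zip(pkts, verdicts, departures):
        print(f"arrive {t:.3f}s  policer={verdict:8s}  shaper departs {dep:.4f}s")
```

With these numbers the policer passes only the first two packets (the bucket held two packets' worth of burst), while the shaper delivers all ten, spreading them out to roughly one packet every 12 ms, i.e. the 1 Mbit/s committed rate.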
Because there is a large amount of unnecessary redundancy between the various wizards, the Multiple Lan/Wan wizard can be used.

Policing
A QoS policy prevents manual policy changes in network devices. Its Community attribute is usually used for color assignments.

Note: DiffServ, or differentiated services, is a computer networking architecture. It specifies a simple and scalable mechanism for classifying and managing network traffic and providing Quality of Service (QoS) on modern IP networks.

Differentiated Services
Differentiated Services is a multiple-service model that can satisfy differing QoS requirements. With Differentiated Services, the network delivers a specific kind of service based on the QoS specified by each packet. This specification can be made in many different ways. The QoS specification is used in a network to classify, mark, shape, and police traffic and to perform intelligent queueing. Differentiated Services is used by several mission-critical applications and for providing end-to-end QoS. It performs a relatively coarse level of traffic classification and is appropriate for aggregate flows.

DS Field Definition
Differentiated Services defines the DS field, a replacement header field. The DS field supersedes the current definitions of the IP version 4 (IPv4) type of service (ToS) octet (RFC 791) and the IPv6 traffic class octet. Six bits of the DS field are used as the DSCP to select the Per-Hop Behavior (PHB) on each interface. A 2-bit currently unused (CU) field is kept for explicit congestion notification (ECN). DS-compliant interfaces usually ignore the value of the CU bits when determining the PHB to apply to a received packet.

Per-Hop Behaviors
RFC 2475 defines the PHB as the externally observable forwarding behavior
applied at a DiffServ-compliant node to a DiffServ Behavior Aggregate (BA), with the ability of the system to mark packets according to the DSCP setting. A BA is a collection of packets with the same DSCP setting that are sent in a particular direction. Packets from several sources or applications can belong to the same BA. A PHB is also referred to as the packet scheduling, queueing, policing, or shaping behavior of a node on any particular packet belonging to a BA, as configured by a Service Level Agreement (SLA) or a policy map.

Default PHB
A packet marked with a DSCP value of 000000 receives the traditional best-effort service from a DS-compliant node; this is essentially what the default PHB specifies. When packets arrive at a DS-compliant node with a DSCP value that is not mapped to any other PHB, they are mapped to the default PHB.

Class-Selector PHB
To preserve backward compatibility with any IP precedence scheme currently in use on the network, DiffServ defines DSCP values of the form xxx000, where x is either 0 or 1. These DSCP values are called Class-Selector Code Points. The DSCP value 000000 of the default PHB is also a Class-Selector Code Point. A Class-Selector PHB is the PHB associated with a Class-Selector Code Point. These Class-Selector PHBs retain most of the forwarding behavior of nodes that implement IP Precedence-based classification and forwarding. For example, packets having a DSCP value of 11000 usually have preferential forwarding treatment. Remember that 11000 is the equivalent of the IP Precedence-based value of 110, and the preferential forwarding treatment is followed for scheduling, queueing, and so on. These Class-Selector PHBs ensure that DS-compliant nodes can coexist with IP Precedence-based nodes.
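The DS field layout and PHB code points described in this section and in the EF/AF section above, as an added example that is not code from the workbook: it splits the ToS/traffic-class octet into DSCP and CU/ECN bits, builds AFxy code points from a class and drop precedence, names the PHB a DS-compliant node would select (EF, AFxy, CSx, DF), and shows the IP precedence a legacy node sees in the top three bits. The WRED ordering helper at the end assumes the "higher y is dropped first" rule stated in the Congestion section.

```python
"""DS field encoding and PHB selection (added example).

EF   = 101110 (decimal 46)
AFxy = class x (1-4) in the top three bits, drop precedence y (1-3) in bits 2-1, low bit 0
CSx  = xxx000 (class selector; compatible with IP precedence x)
DF   = 000000 (default / best effort)
"""

EF_DSCP = 0b101110  # decimal 46


def split_ds_byte(ds_byte: int):
    """Return (dscp, cu_ecn) from the 8-bit DS field; nodes pick the PHB from dscp only."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError("DS field is one octet")
    return ds_byte >> 2, ds_byte & 0b11


def af_dscp(cls: int, drop: int) -> int:
    """Build an AFxy code point, e.g. af_dscp(2, 2) -> 0b010100 = 20 (AF22)."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


def ip_precedence(dscp: int) -> int:
    """Top three DSCP bits: what an IP Precedence-based node reads (EF -> 5, Critical)."""
    return dscp >> 3


def phb_name(dscp: int) -> str:
    """Name the PHB a DS-compliant node selects for this DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    if dscp == EF_DSCP:
        return "EF"
    if dscp & 0b111 == 0:                       # xxx000: class selector (000000 is DF)
        return "DF" if dscp == 0 else f"CS{dscp >> 3}"
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return f"AF{cls}{drop}"
    return "unassigned"                         # not mapped: node falls back to the default PHB


def wred_drop_order(dscps):
    """Within one AF queue, order packets so those WRED discards first
    (highest drop precedence y) come first; ties keep arrival order."""
    return sorted(dscps, key=lambda d: -((d >> 1) & 0b11))


if __name__ == "__main__":
    # constructed DS octets: EF (0xB8), AF22 (0x50), CS6 (0xC0), default (0x00)
    for octet in (0xB8, 0x50, 0xC0, 0x00):
        dscp, ecn = split_ds_byte(octet)
        print(f"0x{octet:02X} -> dscp {dscp:06b} ({dscp:2d}) {phb_name(dscp):4s} "
              f"precedence {ip_precedence(dscp)} ecn {ecn:02b}")
```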
Figure 4-10: Per-Hop Treatment

Benefits of Implementing DiffServ
DiffServ implements the Differentiated Services architecture for end-to-end quality of service. The benefits of implementing Differentiated Services include:
The burden on network devices is reduced, and the network can be scaled easily as it grows
Customers can keep any existing Layer 3 ToS prioritization scheme
DiffServ-compliant devices can be mixed with any existing ToS-enabled equipment in use by the customers
Current corporate network resources can be relieved through efficient management

Network Devices for Remote Access using SSH
By applying an access list to the line (as explained in the section Local Authentication), access to a device can be controlled at any line (console, aux, or terminal). SSH is another method used for securing access.
Source Address: Securing by source address is done through the configuration of access lists, as described in the section “Local Authentication”.
Telnet/SSH: You should use Secure Shell (SSH) instead of Telnet because it creates a more secure session. Telnet applications use an unencrypted data stream, but SSH uses encryption keys to send data so that no one can see your username and password.
Exam Tip: Only when we use telnet at the end of the ssh command will SSH work on the device. SSH is more secure than Telnet. Accessing a network using SSH is a topic that you need to understand, both to clear the exam and to make your network secure.

Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Both the File Transfer Protocol (FTP) and the Trivial File Transfer Protocol (TFTP) are used to transfer files between systems. FTP allows a remote user to navigate the server's file structure and upload and download files. TFTP is a simplified alternative to FTP that provides no authentication; it is used to transfer configurations to and from network devices.
Both FTP and TFTP are inherently insecure protocols. They do not use encryption, and both authentication and file data are allowed to traverse the network in the clear. These protocols are suitable when sharing nonsensitive data with the general public or when operating in an inherently secure environment. A secure alternative to these protocols exists: the secure FTP protocol uses the Secure Shell (SSH) protocol to encrypt standard FTP communications and provide confidentiality in transit.
Note: FTP uses two TCP ports: port 20 for sending data and port 21 for sending control commands. The protocol supports authentication, but like Telnet, all data, including usernames and passwords, is sent in clear text.

Capabilities and functions of File Transfer Protocol
File Transfer Protocol (FTP) is an application-layer protocol that transfers files between local and remote file systems. Like HTTP, it runs on top of TCP. To move a file, FTP uses two TCP connections in parallel: a control connection and a data connection.

Figure 4-11: File Transfer Protocol Diagram

What is the control connection? Control information such as user identification, password, commands to change the remote directory, and commands to retrieve and store files is sent over the FTP control connection. This control connection is initiated on port number 21.
What is the data connection? FTP uses the data connection to send the actual file. The data connection is initiated from port number 20. Because FTP uses a separate control connection, its control information is said to be sent out-of-band. Protocols such as HTTP and SMTP, by contrast, carry their control information on the same connection as the data and are therefore said to send it in-band.
FTP Session: When an FTP session is started between a client and a server, the client opens a control TCP connection to the server side. The client sends its control information over this TCP connection.
When the server receives this information, it initiates a data connection to the client side. Only one file can be sent over a data connection. The control connection remains active during the user session. Because HTTP is stateless, it does not have to keep track of any user state, but FTP must maintain state about its user throughout the session.
FTP allows three types of data structure:
File Structure: In file-structure there is no internal structure, and the file is considered to be a continuous sequence of data bytes.
Record Structure: In record-structure the file is made up of sequential records.
Page Structure: In page-structure the file is made up of independent indexed pages.
FTP Commands: Some of the FTP commands are given below:
USER: This command sends the user identification to the server.
PASS: This command sends the user password to the server.
CWD: This command allows the user to work with a different directory or dataset for file storage or retrieval without altering login or accounting information.
RMD: This command causes the directory specified in the pathname to be removed.
MKD: This command causes the directory specified in the pathname to be created.
PWD: This command returns the name of the current working directory in the reply.
RETR: This command causes the remote host to initiate a data connection and send the requested files over it.
STOR: This command stores a file in the current directory of the remote host.
LIST: This request displays the list of all the files present in the directory.
ABOR: This command aborts the previous FTP service command and any data transfer associated with it.
QUIT: This command terminates a USER and, if a file transfer is not in progress, closes the server's control connection.
FTP Replies: The FTP replies include:
200 Command okay.
530 Not logged in.
331 User name okay; a password is needed.
225 Data connection open; no transfer in progress.
221 Service closing control connection.
551 Requested action aborted: page type unknown.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.

Trivial File Transfer Protocol (TFTP)
TFTP is a network protocol used to transfer files between remote machines. It lacks some of the more advanced features that FTP offers and requires fewer resources than FTP. TFTP can be used only to send and receive files. TFTP was developed in the 1970s. It can still be used to save and restore a router configuration or to back up an IOS image. It is a very simple protocol with limited features compared to File Transfer Protocol (FTP). TFTP provides no authentication or security while transferring files. It is usually used to transfer boot files or configuration files between machines in a local setup. Users utilize these protocols interactively in a computer network; however, using TFTP over the internet is very dangerous because of its lack of security. This protocol is used significantly to boot computers and devices that have no hard disk drives or storage devices, because a small amount of memory is enough to implement it. Due to this feature, TFTP is one of the core elements of network boot protocols such as the Pre-boot Execution Environment (PXE). Data transfer is initiated through port 69. When the connection is initialized, the sender and receiver select the data transfer ports. Home network administrators use TFTP to upgrade router firmware, and professional administrators use TFTP to distribute software across corporate networks.
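Because the FTP control connection on port 21 carries commands and replies in the clear, a capture of it can be read line by line; the analyzer below, an added example that is not code from the workbook, walks a constructed control-channel transcript, pairs each command with its reply using the reply-code classes of RFC 959, and reports what a network monitor would see: which usernames and passwords crossed the wire, failed and successful logins, files retrieved or stored, and rejected commands. The transcript, host names and file names are constructed.

```python
"""FTP control-channel transcript analyzer (added example, constructed input)."""

from dataclasses import dataclass, field

# Constructed transcript: "C:" lines are client commands, "S:" lines server replies.
TRANSCRIPT = """\
S: 220 Service ready
C: USER alice
S: 331 User name okay; need password.
C: PASS hunter2
S: 530 Not logged in.
C: USER alice
S: 331 User name okay; need password.
C: PASS correct-horse
S: 230 User logged in.
C: CWD /configs
S: 200 Command okay.
C: RETR router1.cfg
S: 150 Opening data connection.
S: 226 Transfer complete.
C: DELE router1.cfg
S: 502 Command not implemented.
C: QUIT
S: 221 Service closing control connection.
"""

REPLY_CLASS = {            # meaning of the first digit of an FTP reply code (RFC 959)
    "1": "positive preliminary",   # e.g. 150: transfer starting, final reply follows
    "2": "positive completion",    # e.g. 200, 221, 226, 230
    "3": "positive intermediate",  # e.g. 331: need password
    "4": "transient negative",
    "5": "permanent negative",     # e.g. 502, 530
}


@dataclass
class SessionReport:
    usernames: list = field(default_factory=list)
    passwords_seen: int = 0          # PASS commands observed in clear text
    failed_logins: int = 0
    logged_in: bool = False
    retrieved: list = field(default_factory=list)
    stored: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (command, reply code)


def reply_class(code: str) -> str:
    return REPLY_CLASS.get(code[:1], "invalid")


def analyze(transcript: str) -> SessionReport:
    rep = SessionReport()
    pending = None                   # last client command still awaiting its final reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1:3] != ": ":
            continue
        side, text = line[0], line[3:]
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            pending = (verb, arg)
            if verb == "USER" and arg not in rep.usernames:
                rep.usernames.append(arg)
            elif verb == "PASS":
                rep.passwords_seen += 1    # the credential itself was visible on the wire
        elif side == "S" and pending:
            code = text.split(" ", 1)[0]
            cls = reply_class(code)
            verb, arg = pending
            if verb == "PASS":
                if cls == "positive completion":
                    rep.logged_in = True
                elif cls.endswith("negative"):
                    rep.failed_logins += 1
            elif verb == "RETR" and cls == "positive completion":
                rep.retrieved.append(arg)  # recorded once, on the final 2xx reply
            elif verb == "STOR" and cls == "positive completion":
                rep.stored.append(arg)
            if cls.endswith("negative") and verb != "PASS":
                rep.rejected.append((verb, code))
            if cls != "positive preliminary":
                pending = None             # a 1xx reply keeps the command open
    return rep


if __name__ == "__main__":
    print(analyze(TRANSCRIPT))
```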
Key Features of TFTP
Good for simple file transfers, such as during boot time
UDP is used as the transport-layer protocol
The TFTP server must handle errors in the transmission (checksum errors, lost packets)
Only one connection is used, through well-known port 69
TFTP uses a simple lock-step protocol in which each data packet must be acknowledged; thus the throughput is limited

Capabilities of TFTP
TFTP uses client and server software to make connections between two devices. From a TFTP client, individual files can be copied (uploaded) to or downloaded from the server. The server hosts the files and serves the client requests.
Note: TFTP relies on UDP to transport data.
A computer can be booted remotely, and network or router configuration files can be backed up, by using TFTP.

TFTP Client and Server Software
Current versions of Microsoft Windows, Linux, and MacOS include command-line TFTP clients. TFTP clients with graphical interfaces are also available. For example, includes a TFTP server. Another example of a GUI client and server for TFTP is Windows TFTP, available for download. Linux and MacOS systems include TFTP servers, although they may be disabled by default.
Note: Networking experts recommend configuring TFTP servers carefully to avoid potential security problems.
Differences between TFTP & FTP
The key aspects that differentiate the Trivial File Transfer Protocol from FTP are:
Original versions of TFTP were able to transfer files up to 32 MB in size; the latest TFTP servers have removed this restriction or may limit the file size to 4 GB
There are no login features available in TFTP, so a username and password are not prompted for
Sensitive files must not be shared by using TFTP; such files must be protected, or access to them must be audited
Listing, renaming, and deleting files are not allowed over TFTP
TFTP uses UDP port 69 to establish network connections, while FTP uses ports 20 and 21
TFTP is implemented over UDP; it generally works only on local area networks
Exam Tip: To pass the exam, you should know the difference between FTP and TFTP with respect to encryption, authentication, and confidentiality.

Mind Map
Figure 4-12: Mind Map of IP Services

Summary
Configure and Verify Inside Source NAT using Static and Pools
In the process of Network Address Translation, a firewall gives a public address to a computer or group of computers within a private network
Traffic between private addresses can be routed by the routers inside the private network without any trouble
The firewall acts as the intermediary between the external world and the protected internal network and provides an additional layer of security
The inside addresses must be translated, while the outside addresses are not under the control of the organization
The 3 ways to configure NAT are Static NAT, Dynamic NAT, and Port Address Translation (PAT)
NAT64 is the process of translating an IPv6 address to an IPv4 address for communication, and vice versa
Cisco IP SLA (Service Level Agreement) allows you to monitor services in order to increase performance and productivity, lower the network outage frequency, etc.
PAT is an extension to NAT.
On a LAN, multiple IP addresses are mapped to a single public IP address
Configure and Verify NTP Operating in a Client and Server Mode
NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks
An NTP server connects through the internet to an atomic clock
The date and time settings on the router can be set using one of two methods: manually setting the date and time, or configuring the Network Time Protocol (NTP)
NTP allows networking devices on the network to synchronize their time and date with an NTP server device
Syslog is one of the most common methods to access the system messages that devices provide
It keeps monitoring the events running on the system and stores the messages to the desired location
The Role of DHCP and DNS within the Network
The information required to configure a DHCP server for hosts includes: network and mask for every LAN, reserved/excluded addresses, default router, and DNS address
The DNS server's IP address on a network is identified by using the DNS settings
A default gateway for the clients is defined by using the gateway option
The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) provides a message format for agents on a variety of devices to communicate with Network Management Stations (NMSs)
The information in the database, the Management Information Base (MIB), is either read or written
SNMP is used to provide some configurations to agents; these are called SET messages
SNMP is used for analyzing information and compiling the outcomes in a report or even a graph
SNMP has three versions (v1, v2, and v3)
SNMPv2 supports plain-text authentication with community strings and no encryption, but offers GET BULK, which is a way to collect many types of information at once and minimize the number of GET requests
SNMPv3 supports strong authentication with SHA or MD5
It provides confidentiality (encryption) and data integrity of messages via Data Encryption Standard
(DES) or DES-256 encryption between agents and managers
Use of Syslog Features
An effective method of watching what's going on with a network at a particular time is by using the syslog features
Network devices are configured to produce syslog messages and forward them to various destinations
The system message format can be broken down into Seq no, Timestamp, Facility, Severity, MNEMONIC, and Description
Configure and Verify DHCP Client and Relay
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to assign an IP address automatically to a computer from a defined range of numbers
A DHCP server is a network server that automatically provides and assigns IP addresses, default gateways, and other network parameters to client devices
Without DHCP, the network administrator has to set up manually every client that joins the network
DHCP servers offer logging and management interfaces that aid administrators in managing their IP address scopes
Forwarding Per-hop Behavior for QoS such as Classification, Marking, Queuing, Congestion, Policing, Shaping
The forwarding behavior is assigned to a DSCP
The forwarding priority for a marked packet is defined by the PHB
When the traffic flows leave the IPQoS-enabled system, the DSCPs defined in the QoS policy indicate the precedence levels for traffic classes
The behaviors defined in the Diffserv architecture include Expedited Forwarding (EF) and Assured Forwarding (AF)
Network Devices for Remote Access using SSH
SSH is a method used for securing access
Securing by address is done through the configuration of access lists
Telnet applications use an unencrypted data stream, but SSH uses encryption keys to send data so that no one is able to see the username and password
Capabilities and Functions of TFTP/FTP in the Network
Both the File Transfer Protocol (FTP) and the Trivial File Transfer Protocol (TFTP) are used to send files among systems
TFTP is a simple alternative to FTP
that offers no authentication
Configurations are transferred to and from network devices by using TFTP
The Secure Shell (SSH) protocol is used by the secure FTP protocol to encrypt standard FTP communications and provide confidentiality in transit
FTP uses the data connection for sending the actual file; port number 20 allows the initiation of the data connection
TFTP lacks some of the more advanced features that FTP offers
Computers and devices that boot without hard disk drives or storage devices make significant use of this protocol because a small amount of memory is enough to implement it
TFTP is used by professional administrators to distribute software across corporate networks
Chapter 05: Security Fundamentals

Technology Brief
As computer networking and internet technology develop ever more rapidly, people are becoming more aware of the importance of network security. Network security is a central issue in computing because many types of attacks are increasing day by day, and protecting computers and networks is critical. Network security is an important consideration both for accessing the internet and for transferring data. In this chapter, we discuss security threats, observed vulnerabilities, exploits and mitigation techniques.

Security Concepts
Among the most prominent topics nowadays is the security of networks and information systems and their associated risks and attacks. One after another, networks are compromised because of insufficient network security policies. But why is network security so important? Network security is important because of its direct impact on the continuity of any organization's business.
Network security attacks can have the following impacts on an organization:
o Loss of business data
o Interruption and misuse of people's privacy
o Threats to, and compromise of, the integrity of the organization's data
o Loss of reputation
Nowadays, people are becoming more aware of securing their devices connected to the public internet because of the data leakage, alteration and misuse incidents of the past few years. Network vulnerabilities and new attack methods are growing day by day; hence the techniques for making networks more secure keep evolving as well.

Threats
A threat indicates the possibility of an exploit or attack with potential risks. A threat is any insecurity in a system that can be exploited. The presence of a vulnerability in a system results in a threat. The entity that uses the vulnerability to attack a system is known as a malicious actor, and the path this entity uses to launch the attack is known as the threat vector. Some of the major threat classifications include:
User Identity Spoofing: This includes multiple techniques used to impersonate a legitimate user's information, such as GPS spoofing, email-address spoofing and caller-ID spoofing, which is used in Voice over IP.
Information Tampering: This includes threats related to changing information rather than stealing it, such as altering the financial records and transactions used in banks, criminal records, etc.
Data Leakage: This means revealing or sending data either outside the organization or to someone who is not authorized to receive it. It also includes the disclosure of information from running services and operational processes. Implementing Data Loss Prevention (DLP) controls and strict information security policies can help to counter this leakage.
Denial of Service (DoS): This is a type of attack in which a service offered by a system or network is denied. Services may be denied outright, reduced in functionality, or access to resources may be prevented even for legitimate users.
There are several techniques for performing a DoS attack, such as generating a large number of requests to the targeted system for a service. These large numbers of incoming requests overload the system's capacity, which results in denial of service. Botnets and zombies are compromised systems that are used to generate the huge volume of traffic in a Distributed DoS (DDoS) attack.
Figure 5-01: Denial-of-Service Attack
Common symptoms of a DoS attack are:
o Slow performance
o High CPU and memory utilization
o Unavailability of a resource
o Loss of access to a service
o Discontinuation of a wireless or wired internet connection
o Denial of access to any internet service

Vulnerabilities
A vulnerability is defined as an inherent weakness in the design, configuration, implementation, or management of a network or system that can be exploited by an attacker. A vulnerability can be present at any level of the system architecture. Classifying vulnerabilities on the basis of how threatening they are, or how they would affect the system, helps in identifying their impact on the system. The Common Vulnerabilities and Exposures (CVE) List was launched by MITRE as a community effort in 1999, and the U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST) in 2005. CVE catalogues the publicly known vulnerabilities, and it can be searched via any search engine available today. The following are a few of the important reasons why a vulnerability can exist in a system:
o Policy flaws
o Design errors
o Protocol weaknesses
o Misconfiguration
o Software vulnerabilities
o Human factors
o Malicious software
o Hardware vulnerabilities
o Physical access to network resources

Exploits
The term "exploit" refers to the action of an attacker in which a vulnerability is leveraged to intrude into a system. The attacker takes advantage of the vulnerability; an unpatched system, for example, is easily exploitable.
It may also refer to software code or a program that bypasses a security mechanism to gain access to a system. Some exploits are designed specifically to attack vulnerabilities in applications or systems in order to take control of servers or computers. Remember that in some cases exploits do not need software to achieve their goals. For example, scams that socially engineer a person or employee into revealing sensitive or critical information are perfect examples of exploits that require neither software nor hacking skills.

Mitigation Techniques
The word mitigation denotes the act of reducing the severity or seriousness of the impact of something on a situation. IT threat mitigation is then defined as the actions, prevention techniques, or remedies implemented to reduce IT threats to a network, computer, or server. "IT threat" is actually a broad term that covers the physical, software, and hardware threats that any IT system may encounter.

Signature Management
A digital signature is a digital authentication mechanism that validates the integrity of a message or file. Digital signatures can also provide non-repudiation, and they are important for detecting forgery or tampering in digital information. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are far more difficult to forge than the handwritten kind. Digital signatures employ asymmetric cryptography. They are the digital equivalent of a sealed envelope and are intended to ensure that a file has not been altered in transit. Any file with a digital signature allows the recipient to verify not only the publisher of the content or file, but also the integrity of the content at the time of download. On the network, a PKI enables an organization to issue certificates to internal developers and contractors and allows any member to verify the origin and integrity of downloaded applications.
Device Hardening
Device hardening is a technique that applies not only to routers, switches and servers but to all network devices, including laptops, desktops and mobile devices. One of the core goals of operations security is to ensure that all systems have been hardened as far as possible while still providing their required functionality. Hardening can be carried out on both a physical and a logical basis. From a logical perspective, this means:
o Implementing the least privilege rule
o Changing default credentials and implementing a strong password policy
o Patching the OS and applications
o Disabling unnecessary services and ports

Change Default Native VLAN
On switches, the native VLAN is the only VLAN that is not tagged on a trunk. This means that native VLAN frames are transmitted unchanged. By default, the native VLAN is VLAN 1, and that default represents a weakness, because it is information an attacker can take advantage of. To provide security, you must change the native VLAN to another VLAN.

Switch Port Protection
The switch port protection feature is a key implementation of network switch security. It provides the ability to limit which addresses are allowed to send traffic on individual switch ports within the switched network. Switch port security starts with understanding the potential vulnerabilities and then addressing them through correct configuration. The relevant features include Spanning Tree, Flood Guard, BPDU Guard, Root Guard, and DHCP Snooping. Unused switch ports must be administratively shut down.

Network Segmentation
Network segmentation reduces congestion in the network. Apart from enhancing network performance, network segmentation plays an important role in strengthening network security by isolating the management network and critical servers from normal traffic.

DMZ
Generally, three zones are associated with firewalls: Internal, External, and Demilitarized (DMZ).
The internal zone is the zone inside all firewalls; it is considered the protected area where the most critical servers, such as domain controllers holding sensitive information, are placed. The external zone is the area outside the firewall, such as the internet, against which the inside is protected. The DMZ is placed where the network has more than one firewall: it is the zone between two firewalls. It can also be created using a single device that has at least three network connections, sometimes referred to as a three-pronged firewall. In the DMZ, place the servers that are used by hosts on both the internal and the external network; these may include web, VPN, and FTP servers.
Figure 5-02: DMZ using One Firewall

VLAN
Switches and routers have physical interfaces, commonly known as physical ports; these ports can be configured in a variety of ways depending upon the topology, design, type of encapsulation, duplex, and speed of the link. VLANs on switches allow users to segment the network by creating multiple virtual subnets while maintaining a flexible network that is easy to modify when required. Conversely, an improper VLAN assignment on a port will effectively place clients in a subnet that is not controlled by the administrator. This is not only a connectivity issue; it can also create security issues. VLANs must therefore be assigned with great care as to which client computer is connected to which VLAN interface.

Privileged User Account
The Least Privilege Principle states that "a subject should be given only those privileges needed for it to complete its task." Every program and every user of the system should operate with the smallest set of privileges needed to complete the job. This principle limits the damage that can result from an accident or error.
It reduces the number of potential interactions among privileged programs to the minimum needed for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. It also minimizes the number of programs that must be audited if a question arises about misuse of a privilege. An example of this principle is the military security rule of "need-to-know". According to the principle of least privilege, only the minimum access necessary to perform an operation should be granted, and it should be granted only for the minimum amount of time necessary.

File Integrity Monitoring
Integrity is the process of ensuring that the data received is the same as the data originally sent. Integrity controls are designed to eliminate situations in which someone tampers with your data. File integrity monitoring applies the concept of file hashing discussed earlier, but automated by a software program. File integrity monitoring observes changes to settings or access controls, file attributes and sizes, and, of course, the hashes of files.

Role Separation
Role separation, also known as separation of duties, requires one user to perform a specific task and another user to perform a related task. This reduces the possibility of fraud or error by establishing a system of checks and balances between different users.

Restricting Access via ACLs
Firewalls generally contain Access Control Lists (ACLs) that allow or deny packets based on specified criteria such as IP addresses, ports, or the data they contain. The firewall generally processes the list from top to bottom; when the traffic meets the criteria of an entry, the corresponding permit or deny action is applied. Usually, there is an implicit deny statement at the end of the firewall ACL that denies any packet that has not been allowed before it reaches that point. Sometimes that statement is not implicit but is listed explicitly as the default statement at the end of the list.
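The file integrity monitoring described above, shown as an added Python example (this is not code from the workbook). It records a baseline of size, permission bits and SHA-256 hash for every regular file under a directory, then reports files whose content or permissions changed and files that were added or removed. The directory, file names and contents in demo() are constructed for the illustration; a real deployment would persist the baseline on separate, write-protected storage and run the comparison on a schedule.

```python
"""File integrity monitoring: build a baseline, then detect drift.

Added example (not from the workbook). The sample tree created in demo()
is constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, int, str]]  # relative path -> (size, mode bits, sha256)


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record size, permission bits and hash for every regular file under root."""
    baseline: Baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, etc.
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (st.st_size, stat.S_IMODE(st.st_mode), sha256_of(full))
    return baseline


def compare(old: Baseline, new: Baseline) -> List[Tuple[str, str]]:
    """Return (path, change) pairs; an empty list means nothing changed."""
    findings: List[Tuple[str, str]] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            findings.append((rel, "removed"))
        elif rel not in old:
            findings.append((rel, "added"))
        else:
            _, o_mode, o_hash = old[rel]
            _, n_mode, n_hash = new[rel]
            if o_hash != n_hash:
                findings.append((rel, "content changed"))
            elif o_mode != n_mode:
                findings.append((rel, "permissions changed"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline, then tamper with one file, loosen another, add a third."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        passwd = os.path.join(root, "etc", "passwd")
        sshd = os.path.join(root, "etc", "sshd_config")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o600)  # fix the mode explicitly so the demo does not depend on umask
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("unchanged\n")
        before = build_baseline(root)

        with open(sshd, "w") as f:          # content tampered
            f.write("PermitRootLogin yes\n")
        os.chmod(passwd, 0o666)              # permissions loosened
        with open(os.path.join(root, "etc", "evil.sh"), "w") as f:  # new file appears
            f.write("#!/bin/sh\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change:20s} {path}")
```

Hash comparison is checked before the permission comparison so that a file whose content and mode both changed is reported once, as a content change, which is the more serious finding.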
Honeypot/Honeynet
Honeypots are security devices used as decoys: they act as a valuable-looking server target for an attacker. They are monitored and are isolated from any truly sensitive computer data, while appearing to be vulnerable to attack and quite undefended. The idea is to get the attacker to take the lure, making them waste their time in the honeypot while the network's real data stays safe, and then to gather information about the attacker and hand it to the proper authorities. Two or more honeypots on the same network make a honeynet. It is used in a large organization where a single honeypot server would not be sufficient. The honeynet simulates a production network but is closely monitored and isolated from the true production network.

Penetration Testing
Penetration testing, also known as pentesting, is a methodology in which pentesters attempt to penetrate a target. In pentesting, the pentester examines the target with an attacker's mindset to find weaknesses and vulnerabilities in it. The purpose of pentesting is not to exploit and hack a system, but to find the loopholes in its security in order to close them before a real attacker exploits them. Typically, pentesting professionals who are expert in in-depth examination and have a hacker's mindset perform this job. There are also several tools available that assist them in finding vulnerabilities. Aircrack-ng is an open source tool for pentesting pretty much every aspect of wireless networks. Metasploit, another well-known open source tool, gives the pentester a massive library of attacks and lets them adapt those attacks for specific penetrations.
Figure 5-03: Metasploit Output

Security Program Elements
Security program elements are critical to the success of a security effort.
They include awareness and training, policies, procedures, and explaining recent threats to both users and management. A security-awareness program can do much to support your efforts to improve and maintain security. Such efforts need to be continuous, and they should be part of the organization's normal communications practice. The following section discusses some of the things you can do as a security professional to address the business issues associated with training the people in your organization to operate in a manner consistent with organizational security goals.

User Awareness
Education and awareness help ensure that security information is conveyed to the appropriate people in a timely manner. Most users are not aware of modern security threats. If you establish a process to concisely and clearly explain what is happening and what is being done to correct current threats, you will probably find acceptance of your efforts to be much higher. Educational methods that have proven effective include publishing information through internal security websites, news servers, and emails. You might want to consider a regular notification process to convey information about security issues and changes. In general, the more regularly you educate people about this, the more likely they are to realize that security is everyone's responsibility.
Training
The efforts in education and training must help users clearly understand prevention, enforcement, and threats. Integrating its efforts with those of the IT staff, the security department will also probably be responsible for a security-awareness program. An organization's training and educational programs need to be tailored to at least three different audiences:
o The Organization
o Its Management
o The Technical Staff
These three organizational parts have different considerations and concerns. For example, with organization-wide training, everyone understands the policies, procedures, and resources available to deal with security issues, so it helps ensure that all employees are on the same page. The following list classifies the types of issues that members of an organization should be aware of and understand.

Organization
Ideally, a security-awareness training program for the whole organization should cover the following areas:
o Importance of security
o Responsibilities of people in the organization
o Policies and procedures
o Usage policies
o Account and password-selection criteria
o Social engineering prevention
You can accomplish this training either by using internal staff or by hiring outside trainers. It is recommended to do much of this training during new-employee orientation and staff meetings. To keep it at the forefront of people's minds, though, the training needs to be repeated periodically (twice a year often works well). Also, do not forget to have the employees sign as proof that they received the training and are aware of the policies.

Management
Managers are concerned with broader issues in the organization, including implementing security policies and procedures. Managers will want to know the purpose and reasons for a security program: how it works and why it is necessary.
They should receive additional training or exposure that describes the issues, the threats, and the techniques for dealing with threats. Management should also be concerned about productivity effects, enforcement, and how the various departments are affected by security policies.

Technical Staff
The technical staff requires special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues related to the technologies they support. Developers and implementers will want to evaluate the effect of these measures on existing systems and new development projects. The training that both administrators and developers need should be vendor specific; vendors have their own methods of implementing security. Remember that all of your efforts will be wasted if you do not make sure to reach the appropriate audience. Spending an hour preaching about backend database security will likely be an hour wasted if the only members of the audience are data-entry operators who get paid by the keystroke to make weekly changes as quickly as possible.

Physical Access Controls
Physical access controls are mechanisms designed to minimize the risk of harm. A simple example is a smart door lock, which will stop many potential attackers; the installation of biometric sensors, such as iris scanning or fingerprint recognition, can make even the most determined intruder falter while trying to gain access to a secured place. Sometimes, all that is needed to resolve the issue is a procedure that provides enough time to contact the appropriate authorities. We should also consider locking down access to laptops, desktops, and servers.
Many companies are taking the precaution of removing all drives from individual computers to prevent theft via USB, COM and LPT ports, and adding BIOS password protection to prevent employees from installing personal software, gaining unauthorized access, and eventually participating in theft. One possible scenario for strengthening security is to use a terminal server together with a bootable Linux distribution.

Configure Device Access Control using Local Passwords
The use of password protection to control or restrict access to the Command Line Interface (CLI) of the router is one of the fundamental elements of an overall security plan. The CTY line type is the console port. On any router, it appears in the router configuration as line con 0 and in the output of the show line command as CTY. The console port is primarily used for local system access using a console terminal. The AUX line is the auxiliary port, seen in the configuration as line aux 0. The VTY lines are the virtual terminal lines of the router, used to control inbound Telnet connections. They are virtual in the sense that they are a function of software; there is no hardware associated with them. They appear in the configuration as line vty 0 4. Each of these line types can be configured with password protection. Lines can be configured to use one password for all users, or to use user-specific passwords. User-specific passwords can be configured locally on the router, or you can use an authentication server to provide authentication. Nothing prevents you from configuring different lines with different types of password protection. It is, in fact, common to see routers with a single password for the console and user-specific passwords for other inbound connections.

Configure Local User-Specific Passwords
To establish a username-based authentication system, use the username command in global configuration mode.
To enable password checking at login, use the login local command in line configuration mode.

Configure AUX Line Password
To configure a password on the AUX line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode.

Security Password Policy Elements
Without a security policy, the availability of the network can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a security change management practice and controlling access to the network by using several authentication mechanisms, which are discussed in this section.

Password Management
Passwords are strings provided by users at the authentication prompts of their accounts. Although passwords are still considered one of the most secure methods of authentication available to date, they are exposed to a number of security threats when misused. This is where password management comes in. Password management is a set of principles and best practices to be followed by users while storing and managing passwords, so that the passwords are kept as secure as possible and unauthorized access is prevented.
How to manage passwords?
o Use strong and unique passwords for all websites and applications
o Reset passwords after a set period
o Configure two-factor authentication for all accounts
o Share passwords securely with friends, family, and colleagues
o Store all enterprise passwords in one place and enforce secure password policies within the business environment
o Periodically review violations and take the necessary actions

Password Complexity
A password policy is both a set of rules, written out as part of the organizational security policy, that dictates the requirements for user and device passwords, and a technical enforcement tool that enforces those password rules. The password policy typically comprises requirements for minimum password length, maximum password age, minimum password age, password history retention, and some sort of complexity requirement. This last setting often requires a minimum of three out of four standard character types (uppercase letters, lowercase letters, numbers, and symbols) to be represented within the password, and disallows the username, real name, and email address from appearing within the password. Generally, passwords over 12 characters are considered fairly secure, and those over 15 characters are considered very secure. Usually, the more characters in a password, along with some character-type complexity, the more resistant it is to password-cracking techniques, specifically brute force attacks. Requiring regular password changes, such as every 90 days, and forbidding the reuse of previous passwords (password history) will improve the security of a system that uses passwords as the primary means of authentication.
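The complexity rules just described, turned into an enforcement check as an added Python example (not code from the workbook). It enforces a minimum length, at least three of the four character classes, no username, real-name or email fragment inside the password, and no reuse of a password kept in the user's history. The user record, the per-user salt and the candidate passwords in demo() are constructed for the illustration; the history is compared through a key-derivation hash so that old passwords are never stored in clear, and a production system should reuse whatever slow, salted hash its credential store already uses.

```python
"""Password-policy enforcement check (added example, not from the workbook)."""
import hashlib
import re
from typing import Dict, Iterable, List

# The four standard character classes the policy text names.
CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def history_hash(password: str, salt: bytes) -> str:
    """Hash used for the password-history list; a per-user salt is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def violations(password: str, username: str = "", real_name: str = "", email: str = "",
               history: Iterable[str] = (), salt: bytes = b"",
               min_length: int = 12, min_classes: int = 3) -> List[str]:
    """Return every policy rule the password breaks; an empty list means it is acceptable."""
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    present = [name for name, pat in CLASS_PATTERNS.items() if re.search(pat, password)]
    if len(present) < min_classes:
        problems.append(f"only {len(present)} of 4 character classes ({', '.join(present) or 'none'})")

    # Identity fragments: the username, each word of the real name, the e-mail and its local part.
    lowered = password.lower()
    fragments = [username] + real_name.split() + [email, email.split("@")[0]]
    for frag in fragments:
        frag = frag.strip().lower()
        if len(frag) >= 3 and frag in lowered:
            problems.append(f"contains identity fragment '{frag}'")
            break

    if salt and history_hash(password, salt) in set(history):
        problems.append("reused from password history")

    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed user record; returns the violations found for several candidate passwords."""
    salt = b"constructed-per-user-salt"
    previous = [history_hash(p, salt) for p in ("Winter2023!!", "Spring2024!!")]
    user = dict(username="jsmith", real_name="John Smith", email="jsmith@example.com",
                history=previous, salt=salt)
    candidates = ["Winter2023!!", "johnsmith123", "Tr0ub4dor&3", "correct-Horse-battery-9"]
    return {pw: violations(pw, **user) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r:28s} {'OK' if not problems else '; '.join(problems)}")
```

The identity check only fires on fragments of three or more characters, so short initials do not cause spurious rejections, and it stops at the first fragment found so the user gets one clear reason rather than a list of overlapping ones.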
Password Alternatives
As cybercrime and password-focused attacks increase, many businesses and users need to shift to more advanced means of secure authentication. The future is full of choices that could replace traditional passwords. Here are some of the alternatives to passwords:

Multi-Factor Authentication
Multi-factor authentication means authenticating the user by two or more methods. A system that authenticates users by a smart card with a PIN along with biometric verification such as a thumb scan or iris scan is an example of multi-factor authentication.
Two-Factor Authentication: Authenticating the user by something they have and something they know. For example, authentication by a smart card that also requires a PIN is usually two-factor authentication.
Something You Know: A user name, a password, a passphrase, or a Personal Identification Number (PIN).
Something You Have: A physical security device that authenticates users, such as a smart card, badge, or key fob.
Something You Are: Some distinctive, specific characteristic, such as a biometric.
Somewhere You Are: A location factor that requires users to be in a particular place to authenticate. It is somewhat based on geolocation.
Something You Do: Some action that users must take to complete authentication, such as typing on the keyboard.

Certificates
A certificate is a form of digital credential that validates users, computers, or devices on the network. It is a digitally signed statement that binds a public key to the identity of the person, device, or service that holds the corresponding private key.

Biometrics
Biometric access is the best way to build physical security by using a unique physical characteristic of a person to allow access to a controlled IT resource.
These physical characteristics include fingerprints, handprints, voice recognition, retina scans, and so on. The biometric data is stored in a database, and any security measures that the vendor recommends should be implemented to protect the integrity of the metrics and the associated database.
Figure 5-05: Biometric Authentication

Remote Access and Site-to-Site VPNs

VPN
A Virtual Private Network (VPN) is an encrypted communication channel or tunnel between two remote sites over the internet. The concept of a VPN arises where an organization wants to provide confidentiality, integrity and authorization for data in motion over the public internet, or some other autonomous system, at minimum expense. A VPN is a logical network that allows connectivity between two devices. Those devices can either belong to the same network or be connected over a Wide Area Network. Looking more closely at the term VPN, "Virtual" refers to the logical link between the two devices: the VPN link does not exist separately, it uses the internet as its transport mechanism. "Private" refers to the security the VPN provides to the connection between the two devices: since the transport medium is the internet, which is not secure, the VPN adds confidentiality and data integrity. It encrypts the data and prevents alteration or manipulation of the data by unauthorized persons along the path. The following are the key features of VPN technology:
Confidentiality: Only the intended destination's user can understand the data, as the data is sent in encrypted form; to anyone else the data is meaningless.
Data Integrity: The VPN makes sure that the sent data is accurate, secured and remains unaltered end to end.
Authentication: The VPN authenticates the peer on both sides of the tunnel through pre-shared keys, public or private keys, or a user authentication method.
Anti-replay Protection: VPN technology makes sure that once a VPN packet has been sent and accounted for, the exact same packet is not valid a second time within the VPN session; no one can fool a VPN peer into believing that a peer replaying old traffic is the real one.
Figure 5-06: Example of Using VPN for Secure Connection

Types of VPN
o Remote-Access VPN
o Site-to-Site VPN

Remote Access VPN
Remote access VPNs allow remote users such as telecommuters to securely access the corporate network wherever and whenever they need to. The remote access VPN feature allows an endpoint to connect to the secure LAN of an organization. These endpoint devices include smartphones, tablets, laptops, etc. For example, consider an employee who works from different remote locations to provide real-time data to the organization. The organization wants to provide a secure communication channel that connects the remote employee to the organization's internal network. Remote-access VPNs provide the solution by allowing the remote employee's device to connect to the corporate headquarters or any other branch of the organization. This is referred to as a remote-access VPN connection. Remote-access VPNs use IPsec or Secure Sockets Layer (SSL) technologies to secure the communication tunnel. Many organizations use Cisco's AnyConnect client for remote access SSL VPNs.

Site-to-Site VPN
Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the internet instead of requiring more expensive WAN connections like Frame Relay. Site-to-site VPNs securely connect two or more sites over the internet; for example, a corporate office wants to connect to its head office, or multiple branches want to connect with each other. This is referred to as a site-to-site VPN. Site-to-site VPNs generally use IPsec as the VPN technology.
This figure below shows the conceptual view of two main types of VPN connections: Figure 5-07: Types of VPN Mind Map Figure 5- 08: Mind Map of Security Fundamentals Configure and Verify Access Control Lists A list of conditions that categorize packets, and they really come in handy when you need to control over network traffic is known as an access control list. Common use of access lists is to filter unwanted packets when implementing security policies. By using access lists, you can restrict traffic patterns so that access list will allow only certain hosts to access web resources on the internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce nearly any security policy they can invent. Configuring an access list is just like programming a series of if-then statements; If a condition is met, then a given action is taken. If a condition is not met, nothing happens and the next statement is evaluated. Access-list configuration steps or statements are basically packet filters that are compared. Three important rules that a packet follows when it is compared with an access list: Packet is compared in sequential order with each line of the access-list. It will start comparing from the first line of the accesslist, then move to the second, then to the third and so on Lines of access-list are compared with the packet until a match is made. Packet is acted upon when it matches the condition on a line of the access-list When a packet does not match the condition on any of the lines in an access-list, the packet will be discarded. This is an implicit deny at the end of each access-list Inbound and Outbound ACL Inbound Access-List is more efficient than outbound access-list because any matched “deny” packet is dropped before packet routed to the destination or broadcast to all. 
By using Outbound ACL, the packets (both deny and permit) get routed to the outbound interface and then denied packets will be drop. There are several types of access lists: standard, extended, and named. Standard Standard IP access lists filter network traffic on the base of source IP address in a packet. You can create IP access using the access-list numbers 1–99 or numbers in the expanded range of 1300–1999. Router follows traffic permit and deny rules on the base of access-list numbers. Extended In extended access-lists, we specify both source and destination addresses as well as protocol and port number that identify the upper layer protocol or an application. Range – 100 to 199 and 2000 – 2699. Named Another way to create standard and extended access lists are named access-lists. In large organizations, managing access-lists can become a real problem, the best way to overcome this is to use named access-lists instead of using large lines of access-lists with numbers. Suppose you are using access-lists 70 lines long, it will be difficult for you to remember access-list number series, then comes a named access-list that is easy to remember like an access list with a name like “BusinessLAN” rather than one dubbed “70”. Lab: NAT, DHCP, NTP, Syslog, and SSH Case Study An organization has deployed a network architecture. The two routers R1 and R2 are made DHCP server to provide an address pool for the end users. Also the routers are served as NTP Client for R3 that is made an NTP server. SSH is being configured on all the routers so as to provide secure access from the management station. The router to ISP is configured with NAT protocol for providing private to public address translation. The routing protocol RIP is configured to provide the interconnectivity for networks. 
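The ACL matching rules described earlier (sequential comparison, first match wins, implicit deny) worked through in code. This is an added Python simulation, not the workbook's own material; the list numbers, addresses and entries are constructed, and it also shows why line order matters: a broad permit placed before a host-specific deny makes the deny unreachable.

```python
"""Simulation of how a Cisco IOS numbered access list evaluates a packet:
top-down in sequential order, first match wins, and an implicit deny
when no line matches.  Added example, not the workbook's own material;
the list numbers, addresses and entries below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str = "any"             # only consulted by extended lists
    proto: str = "ip"            # only consulted by extended lists
    dport: Optional[int] = None  # "eq <port>" in IOS syntax


def matches_addr(spec: str, addr: str) -> bool:
    """IOS-style address match.  In a wildcard mask a 0 bit means 'must
    match' and a 1 bit means 'do not care'."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    care_bits = ~wildcard & 0xFFFFFFFF
    return (a ^ base) & care_bits == 0


@dataclass
class AccessList:
    number: int
    entries: List[Entry] = field(default_factory=list)

    @property
    def kind(self) -> str:
        """Standard or extended, decided by the list number ranges."""
        if 1 <= self.number <= 99 or 1300 <= self.number <= 1999:
            return "standard"
        if 100 <= self.number <= 199 or 2000 <= self.number <= 2699:
            return "extended"
        raise ValueError(f"{self.number} is not a numbered IP ACL")

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching line).  ('deny', None)
        means the implicit deny at the end of the list applied."""
        for i, e in enumerate(self.entries):
            if not matches_addr(e.src, pkt.src):
                continue
            if self.kind == "extended":
                if not matches_addr(e.dst, pkt.dst):
                    continue
                if e.proto != "ip" and e.proto != pkt.proto:
                    continue
                if e.dport is not None and e.dport != pkt.dport:
                    continue
            return e.action, i        # first match wins; stop here
        return "deny", None           # implicit deny


def example_lists() -> Tuple[AccessList, AccessList]:
    """Constructed lists: a standard list that blocks one host out of a
    permitted subnet, and an extended list allowing only web and ping."""
    std = AccessList(10, [
        Entry("deny", "host 192.168.1.50"),
        Entry("permit", "192.168.1.0 0.0.0.255"),
    ])
    ext = AccessList(110, [
        Entry("permit", "192.168.1.0 0.0.0.255", "any", "tcp", 80),
        Entry("permit", "192.168.1.0 0.0.0.255", "host 10.0.0.5", "icmp"),
    ])
    return std, ext


def misordered_list() -> AccessList:
    """Same statements as list 10 with the lines swapped: the broad
    permit now matches first, so the host-specific deny never fires."""
    return AccessList(20, [
        Entry("permit", "192.168.1.0 0.0.0.255"),
        Entry("deny", "host 192.168.1.50"),
    ])


if __name__ == "__main__":
    std, ext = example_lists()
    for pkt in (Packet("192.168.1.50", "8.8.8.8"),
                Packet("192.168.1.7", "8.8.8.8"),
                Packet("10.1.1.1", "8.8.8.8")):
        print("list 10", pkt.src, "->", std.evaluate(pkt))
    print("list 110 web", ext.evaluate(Packet("192.168.1.7", "8.8.8.8", "tcp", 80)))
    print("list 110 ssh", ext.evaluate(Packet("192.168.1.7", "8.8.8.8", "tcp", 22)))
    print("list 20", misordered_list().evaluate(Packet("192.168.1.50", "8.8.8.8")))
```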
Topology Diagram

Figure 5-09: Topology for NAT, DHCP, NTP, Syslog, and SSH

Configuration

(The configuration screenshots for this lab are not reproduced in the text.)

Verification

(The verification screenshots for this lab are not reproduced in the text.)

Layer 2 Security Features

With the rapid development of IP networks in recent years, high-level switching has played one of the most fundamental roles in moving data reliably, efficiently, and securely across networks. Cisco Catalyst switches are leaders in the switching market and major players in today's networks.
The data-link layer (Layer 2) of the OSI model provides the functional and procedural means to transfer data between network nodes, with interoperability and interconnectivity to the other layers, but from a security standpoint the data-link layer presents its own challenges. A network's security is only as strong as its weakest link. Applying high-level security measures to the upper layers (Layers 3 and higher) does not add value to your network if Layer 2 is compromised. Cisco switches offer a wide variety of security features at Layer 2 to protect both the network traffic flow and the devices themselves.

DHCP Snooping

DHCP snooping is a security feature designed by Cisco to mitigate the issues created by rogue DHCP servers. It behaves like a firewall between trusted DHCP servers and untrusted hosts. DHCP snooping validates DHCP messages, distinguishing those received from a legitimate source from those received from an untrusted source, and filters out the invalid messages. It is actually very easy for someone to bring a DHCP server into a corporate environment, accidentally or maliciously, and DHCP snooping is all about protecting against this. Consider the following corporate network scenario:

Figure 5-10: Rogue DHCP Server in Corporate Environment

As shown in the diagram above, a legitimate DHCP server is already running on the network. Let's consider a disgruntled employee, say Bob, who has some administrative issues at work and has decided to bring an embedded device to the office the following day. On the embedded device, Bob has installed BackTrack, a Linux distribution commonly used for penetration testing and ethical hacking. Bob plugs the BackTrack-based embedded device into his workstation's port and starts listening to the DHCP requests from the different end devices.

DHCP is a four-step process, as shown below:

- D – Discover: sent by end devices to discover a DHCP server
- O – Offer: response from the DHCP server to the corresponding Discover message
- R – Request: sent by the end device to the DHCP server to request the offered IP address
- A – Acknowledge: response of the DHCP server to the Request message

Due to the broadcast nature of these steps, the request is heard by both DHCP servers. Along with any IP address it assigns, the rogue DHCP server will advertise itself as the default gateway and DNS server as well. End users who get an IP address from the rogue DHCP server will never know about it, as the process is automatic and most employees do not have a deep understanding of how the different networking services work. The disgruntled employee, after receiving the traffic, forwards it on to the correct gateway and has thereby implemented a man-in-the-middle attack.

To mitigate such attacks, the DHCP snooping feature is enabled on networking devices to identify the trusted ports: only DHCP server traffic arriving on a trusted port is considered legitimate. Any access port that tries to reply to DHCP requests will be ignored, because the device only allows DHCP server responses from the trusted ports defined by the networking team.

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI determines the authenticity of packets by checking their IP-to-MAC address binding against a trusted database, i.e., the DHCP snooping binding database, before forwarding the packet to the appropriate destination. DAI drops all ARP packets with invalid IP-to-MAC address bindings that fail the inspection. The DHCP snooping binding database is built when the DHCP snooping feature is enabled on the switch and on the VLANs. The DAI feature protects the network from many of the commonly known Man-in-the-Middle (MITM) attacks.
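The rogue-server scenario and the DAI check described above, modelled in code. This is an added Python example, not from the workbook; the port names, MAC and IP addresses are constructed, and the MAC-verification step (the client MAC inside the DHCP payload must equal the frame's source MAC on an untrusted port) is an assumption about switch behaviour beyond what the text states.

```python
"""Model of DHCP snooping and Dynamic ARP Inspection (DAI) on an access
switch: DHCP server messages are accepted only from trusted ports, leases
confirmed by those messages build the binding table, and ARP packets on
untrusted ports must match that table.  Added example, not from the
workbook; port names, MAC and IP addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass
class Frame:
    port: str                         # ingress switch port
    src_mac: str                      # Ethernet source address
    kind: str                         # "DHCP" or "ARP"
    dhcp_type: Optional[str] = None   # DISCOVER / OFFER / REQUEST / ACK
    chaddr: Optional[str] = None      # client MAC carried in the DHCP payload
    yiaddr: Optional[str] = None      # address offered or assigned by the server
    sender_ip: Optional[str] = None   # ARP sender protocol address
    sender_mac: Optional[str] = None  # ARP sender hardware address


@dataclass
class Switch:
    trusted_ports: Set[str]
    # binding table: client MAC -> (leased IP, port the client sits on)
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    client_ports: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def dhcp_snoop(self, f: Frame) -> str:
        """Return 'forward' or 'drop' for a DHCP message."""
        if f.port in self.trusted_ports:
            if f.dhcp_type == "ACK" and f.chaddr and f.yiaddr:
                # lease confirmed by a trusted server: record the binding
                port = self.client_ports.get(f.chaddr, "unknown")
                self.bindings[f.chaddr] = (f.yiaddr, port)
            return "forward"
        # untrusted (access) port: clients only, never servers
        if f.dhcp_type in SERVER_MESSAGES:
            self.log.append(f"DHCP_SNOOPING: {f.dhcp_type} from untrusted port {f.port} dropped")
            return "drop"
        if f.chaddr != f.src_mac:
            # assumed MAC verification: payload client MAC must match frame source
            self.log.append(f"DHCP_SNOOPING: chaddr/source MAC mismatch on {f.port} dropped")
            return "drop"
        self.client_ports[f.chaddr] = f.port   # remember where the client lives
        return "forward"

    def arp_inspect(self, f: Frame) -> str:
        """DAI: on untrusted ports the ARP sender IP/MAC pair must be bound
        to that same port in the binding table; trusted ports are not checked."""
        if f.port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get(f.sender_mac)
        if bound is None or bound != (f.sender_ip, f.port):
            self.log.append(f"DAI: invalid ARP {f.sender_ip}/{f.sender_mac} on {f.port} dropped")
            return "drop"
        return "forward"


def run_scenario() -> Tuple[Switch, Dict[str, str]]:
    """Constructed replay of the scenario: a legitimate server behind the
    uplink Gi0/1, a client on Fa0/5, and a second host on Fa0/9 that answers
    DHCP and sends ARP on its own initiative."""
    sw = Switch(trusted_ports={"Gi0/1"})
    server, client, other = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    r: Dict[str, str] = {}
    r["discover"] = sw.dhcp_snoop(Frame("Fa0/5", client, "DHCP", "DISCOVER", chaddr=client))
    r["offer_ok"] = sw.dhcp_snoop(Frame("Gi0/1", server, "DHCP", "OFFER", chaddr=client, yiaddr="10.1.1.20"))
    r["offer_rogue"] = sw.dhcp_snoop(Frame("Fa0/9", other, "DHCP", "OFFER", chaddr=client, yiaddr="10.1.1.99"))
    r["request"] = sw.dhcp_snoop(Frame("Fa0/5", client, "DHCP", "REQUEST", chaddr=client))
    r["ack_ok"] = sw.dhcp_snoop(Frame("Gi0/1", server, "DHCP", "ACK", chaddr=client, yiaddr="10.1.1.20"))
    # ARP from the client using its leased address on its own port
    r["arp_ok"] = sw.arp_inspect(Frame("Fa0/5", client, "ARP", sender_ip="10.1.1.20", sender_mac=client))
    # ARP from the other host claiming the gateway address: no binding exists
    r["arp_bad"] = sw.arp_inspect(Frame("Fa0/9", other, "ARP", sender_ip="10.1.1.1", sender_mac=other))
    return sw, r


if __name__ == "__main__":
    sw, results = run_scenario()
    print(results)
    print(sw.bindings)
    print("\n".join(sw.log))
```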
Dynamic ARP Inspection ensures that only valid ARP requests and responses are forwarded.

Port Security

Port security is used to bind the MAC addresses of known devices to physical ports and also to define the violation action for each port. When an attacker tries to connect a PC or embedded device to the switch port, the port is shut down or restricted, stopping the attacker from generating the attack. In dynamic port security, you configure the total number of allowed MAC addresses, and the switch allows only that number of addresses concurrently, without defining what those MAC addresses are. If a switch detects a MAC address on a port that is not allowed by the configured limit or list, Cisco IOS defines three violation actions: the switch can shut down the port, restrict the port, or protect the port.

Authentication, Authorization, and Accounting Concepts

In the previous sections we discussed different techniques to prevent an attacker from gaining unauthorized access to the network infrastructure. Users who are required to access networking devices for maintenance or configuration also need to be authorized, and a proper audit trail is needed so that authorized and unauthorized users can be differentiated. The Authentication, Authorization and Accounting (AAA) framework, as its name suggests, is used to identify, validate and authenticate a legitimate user on the management plane of a network device. AAA supports both a local database of usernames and passwords and an external directory such as Active Directory (AD). If the network administrator wants multiple users to access the devices in a network, a centralized directory listing the authorized users is created and used to authenticate them.

AAA Components

AAA is a modular framework that aims to cover all kinds of access to the network, whether it is a network administrator trying to access a networking device or an end user trying to send data traffic out of the local LAN.

The three main components of AAA are:

Authentication

Authentication is the process of proving an identity to the system, typically with a login identifier and a password. It also serves the purpose of determining whether the user is the person he or she claims to be. It is used in every system, not just in computer networking. In a banking system, we prove our identity by entering a password before making a transaction. Similarly, if a network administrator needs to access a router or a switch to make changes, some kind of authentication must be defined on the device. The first, but least practical, solution is to define the username and password database inside the device itself. The second option is to use a centralized server such as Cisco ACS or ISE. On Cisco devices, we can combine both options by defining a method list, which states the preferred authentication methods in order. If one method is not available, the next one is used, and so on.

Authorization

Authorization determines which resources a user may access and which operations the user may perform, according to the user's job role. After authentication succeeds, the next step is to determine the level of clearance the user needs in order to perform his legitimate actions. A banking example fits well here: after entering the correct password, we are authorized to withdraw cash up to the maximum allowed by the balance in the account. There are similar scenarios in computer networking where we need to restrict a user's access. For example, an end user may need network resources for only eight hours a day, or a network administrator may need the commands associated with privilege level 4. Custom as well as default method lists are used to define authorization on Cisco devices.
Accounting Third element of AAA is accounting or auditing, which keeps the track of how the network resources of an organization are being used. Whenever users are authenticated and authorized to specific set of commands of Cisco devices, the set of commands used while accessing the specific device at the specific time must be recorded. Like authentication and authorization, we also use methods like default or custom method list to define what should be accounted for and where to send this information. Wireless Security Protocols Wireless communication has become popular with each passing year. Therefore, it is essential to understand such protocols and procedures that can secure wireless networks. This section will discuss WPA, WPA2, WPA3. WPA Wi-Fi Protected Access (WPA) was designed to improve on WEP as a means of securing wireless communications. WPA is an upgradation on the system that currently uses WEP. WPA offers two distinct advantages over WEP: - Improved data encryption through the Temporal Key Integrity Protocol (TKIP), which scrambles the keys using a hashing algorithm - User authentication using the Extensible Authentication Protocol (EAP) and user certificates. It ensures that only authorized users can gain access to the network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network network WPA2 Wi-Fi Protected Access version 2 (WPA2) further improves on WPA, offering additional advantages such as the following: - Uses Advanced Encryption Standard (AES) mode of encryption for much stronger security and longer security keys. 
It is usually installed in enterprise environments - Implements Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on the 802.11i standard and offers an enhanced data cryptographic encapsulation mechanism that replaces TKIP completely with a much stronger security method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. method. WPA3 Wi-Fi Protected Access 3 (WPA3) is the third iteration of a security certification program developed by the Wi-Fi Alliance. WPA3 is the modern, updated implementation of WPA2, which has been in use since 2004. The Wi-Fi Alliance began to certify WPA3approved products in 2018. The WPA3 protocol provides new features for personal and enterprise use such as 256-bit Galois/Counter Mode Protocol (GCMP-256), 384-bit Hashed Message Authentication Mode (HMAC) and 256-bit Broadcast/Multicast Integrity Protocol (BIPGMAC-256). The WPA3 protocol also supports security measures such as perfect forward privacy. WPA3 support will not be automatically upgraded to every device. Users that want to use WPA3-approved devices will have to either buy new routers that support WPA3 or hope the device is updated by the manufacturer to support the new protocol Configure WLAN using WPA2 PSK using GUI This section explains the configuration of Wi-Fi Protected Access2 (WPA2) PSK in a Wireless LAN (WLAN) controller. WPA2-PSK Configuration with GUI Complete these steps in order to configure a WPA2 PSK in the WLC GUI: Navigate to GUI > Wireless > and go to the Basic Wireless Create a new WLAN with network name Cisco and leave the other parameters by default as shown in Figure 5-10. Figure 5-11: Basic Wireless Settings Go to the Wireless Security tab and select the WPA2 Personal from the drop-down menu. 
- Select the Encryption type, AES or TKIP. Here, we selected AES.
- Enter a passphrase. As shown in Figure 5-11, we have set it as “cisco123”.

Figure 5-12: Wireless Security

- Click the Save button at the bottom of the GUI page to save the configuration.

Figure 5-13: Configuring WPA2 PSK

- To check the status of the WPA2 PSK, go to the Wireless Network tab.

Figure 5-14: Checking Wireless Network Status

Verifying WPA2 PSK

Use this section to confirm that your configuration works properly. Connect one PC to the WLC and check the connection profile. The figure below confirms that the WPA2-PSK client is connected:

Figure 5-15: Verifying WPA2 PSK

Mind Map

Figure 5-16: Mind Map of Security Fundamentals

Summary

Security Concepts

- The presence of a vulnerability in a system results in a threat
- A vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that can be exploited by an attacker
- Exploits are software programs that were specifically designed to attack systems with vulnerabilities
- IT threat mitigation is therefore defined as the addressing actions, prevention techniques, or remedies implemented to reduce IT threats on a network, computer, or server

Security Program Elements

- Security program elements are critical to the success of a security effort
- They include explaining awareness and training, policies, procedures, and recent threats to both users and management
- A security-awareness program can do plenty to support you in your efforts to improve and maintain security

Configure Device Access Control Using Local Passwords

- The use of password protection to control or restrict access to the Command Line Interface (CLI) of the router is one of the fundamental elements of an overall security plan
- The CTY line type is the Console Port
- The AUX line is the Auxiliary Port
- The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections

Security Password Policies Elements

- Password management is a set of principles and best practices to be followed by users while storing and managing passwords in an efficient manner, to secure passwords as much as possible and prevent unauthorized access
- The password policy typically comprises the requirements for minimum password length, maximum password age, minimum password age, password history retention, and some sort of complexity requirement

Remote-Access and Site-to-Site VPNs

- A Virtual Private Network (VPN) is an encrypted communication channel or tunnel between two remote sites over the internet
- Features of VPN technology are Confidentiality, Data Integrity, Authentication, and Anti-Replay Protection
- The remote access VPN feature allows an endpoint to connect to the secure LAN of an organization
- A site-to-site VPN securely connects two or more sites that want to connect together over the internet

Configure and Verify Access Control Lists

- Standard IP access lists filter network traffic on the basis of the source IP address in a packet
- Extended access lists specify both source and destination addresses as well as the protocol and port number that identify the upper layer protocol or an application
- Another way to create standard and extended access lists is named access lists

Layer 2 Security Features

- Applying high-level security measures to the upper layers (Layers 3 and higher) does not add value to your network if Layer 2 is compromised
- DHCP Snooping is a security feature designed by Cisco to mitigate the issues created by rogue DHCP servers
- Dynamic ARP Inspection determines the authenticity of packets by performing an IP-to-MAC address binding inspection against a trusted database
- Port Security is used to bind the MAC addresses of known devices to physical ports and also defines the violation action for that port

Authentication, Authorization, and Accounting Concepts

- The Authentication, Authorization, and Accounting (AAA) framework, as its name suggests, is used to identify, validate, and authenticate a legitimate user on the management plane of a network device
- Authentication is the process of proving an identity to the system by login identification and a password
- Authorization determines the access to resources and the operations performed by users according to their job role
- The third element of AAA is accounting or auditing, which keeps track of how the network resources of an organization are being used

Wireless Security Protocols

- WPA is an upgrade for systems that currently use WEP
- WPA2 uses the Advanced Encryption Standard (AES) mode of encryption and implements the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), offering an enhanced data cryptographic encapsulation mechanism
- The WPA3 protocol provides new features for personal and enterprise use such as 256-bit GCMP-256, 384-bit HMAC, and 256-bit BIP-GMAC-256

Configure WLAN using WPA2 PSK using GUI

- Configure the WPA2 PSK in the Wireless LAN controller by selecting the WPA2 Personal option in the Wireless Security tab of the WLC GUI

Practice Questions
Chapter 06: Automation and Programmability

The network programmability toolset is the foundation for advanced next-generation network automation. Network automation adds pre-built intelligence that can assist with network deployments, operations, or troubleshooting. Like programmability, automation reduces cost and complexity. Network automation toolsets have been available for some time; however, due to their complexity or cost, very few networks are automated. Network programmability, specifically open APIs, makes automation simpler and more accessible through standard tools.

Automation Impacts on Network Management

Nowadays, automation technology is getting more and more attention due to its benefits in terms of flexible configuration, programmability, and cost efficiency. Network automation is the process of automating the configuration, testing, management, deployment, and operation of virtual and physical devices within a network.

Why do we need to automate our network?

Network automation can be used by any type of network. Hardware- and software-based solutions enable service providers, data centers, and enterprises to implement network automation to increase efficiency, reduce human error, and lower operating expenses. One of the major issues for network managers is the evolution of IT costs for network operations. The growth of data and devices is beginning to overtake IT capabilities, making manual approaches almost impossible. However, around 95 percent of network changes are still performed manually, resulting in operational costs of up to 2 to 3 times greater than the cost of the network or system. An increase in IT automation, centrally and remotely managed, is essential for businesses to keep pace in the digital world.

How can automation of the network be beneficial?
There are three core benefits of network automation, as follows:

- Improved Efficiency: Humans no longer have to perform time-consuming tasks, because functions on network devices are automated.
- Reduced Likelihood of Human Error: Manual tasks or responsibilities are prone to manual changes and human errors that lead to configuration errors and inconsistencies in the network. Setting up a task for automation means that it only needs to be entered correctly once.
- Lower Operational Costs: This benefit comes as a result of the previous two points. By eliminating certain manual tasks around network device provisioning and network management, businesses can operate with greater speed and agility. For example, automated provisioning may save a network engineer from having to travel to a new branch office to establish network connectivity, thus enabling employees at that site to get to work faster.

Why Choose Cisco for Networking

Makes working together possible: Cisco offerings are made to work together by providing you with all the necessary elements you need for network automation.

Provides comprehensive solutions + software + products + services: Software outlines how our hardware, software, fabric digital automation, and non-fabric base automation work together.

Migrate at your own speed: Migrate at a pace that is easy and comfortable for you. Import your former work or tasks on device mapping and policies.

No other vendor delivers like Cisco: Only Cisco is able to deliver IBNs (Identity-Based Networking Services) that combine automation, intelligence, and human expertise in such a way that helps to simplify complexity, optimize IT, and reduce operational costs.

Compare Traditional Networks with Controller-based Networking

Figure 6-01: Traditional Vs. SD-WAN

Traditional networking works on per-device management, which takes time and creates many complexities. This approach is prone to human error. Cisco SD-Access uses a modern controller designed to drive business intent into the orchestration and operation of network elements. It includes the day-0 configuration of devices and policies related to end users, devices, and endpoints as they are connected to the network. The controller is responsible for a network abstraction layer that arbitrates the specifics of a number of network elements. Furthermore, the Cisco DNA Center controller exposes northbound Representational State Transfer (REST)-based APIs to assist third-party or in-house development of meaningful services on the network.

Table 6-01: Traditional Vs. SD-WAN

Controller-based and Software Defined Architectures

Cisco® Software-Defined Access (SD-Access) is the evolution from traditional campus LAN designs to networks that directly implement the intent of an organization. SD-Access is supported with an application suite that runs as part of the Cisco DNA Center software for designing, applying policy, provisioning, and facilitating the creation of a smart campus wired and wireless network with assurance.

SD-Access Architecture

Cisco SD-Access is one of the most important elements of the Cisco Digital Network Architecture (Cisco DNA). Cisco DNA is the plan for the future of intent-based networking in Cisco Enterprise Networks. The Cisco SD-Access solution can be divided into five basic layers, and then divided further. This section emphasizes the relationships between these five basic layers from an overall architectural perspective. Figure 6-02 illustrates the layers and their relation to one another.

Figure 6-02: SD-Access Architecture

- Physical Layer: Comprises the hardware elements, such as routers, switches, and wireless devices, interfaces and clusters or virtual switches, as well as server appliances.
- Network Layer: Comprises the control plane, data plane, and policy plane elements that make up the network underlay and fabric overlay.
- Controller Layer: Comprises the software system management and orchestration elements and associated subsystems, such as automation, identity, and analytics.
- Management Layer: Comprises the elements that users interact with, in particular the Graphical User Interface (GUI), as well as APIs and Command Line Interfaces (CLIs) where appropriate.
- Partner Ecosystem: Comprises all of the Cisco and third-party partner systems that are capable of augmenting and/or leveraging services within SD-Access.

Underlay

The underlay network is formed by the physical switches and routers that are used to deploy the SD-Access network. All network nodes of the underlay must establish IP connectivity through the use of a routing protocol. Instead of using arbitrary network topologies and protocols, the underlay implementation for SD-Access uses a well-designed Layer 3 foundation including the campus edge switches, to guarantee scalability, performance, and high availability of the network. In SD-Access, the underlay switches provide the physical connectivity of endpoints for users. However, end-user subnets and endpoints are not part of the underlay network; they are elements of a programmable Layer 2 or Layer 3 overlay network. The validated SD-Access solution supports IPv4 underlay networks, and IPv4 and IPv6 overlay networks.

Overlay

An overlay network is built on top of the underlay to deploy a virtualized network. The data plane traffic and control plane signaling are contained within each virtualized network, maintaining separation among the networks as well as independence from the underlay network. The SD-Access fabric implements virtualization by encapsulating user traffic in overlay networks using IP packets that are sourced and terminated at the edge of the fabric. The fabric boundaries contain borders for traffic entering and leaving a fabric, fabric edge switches for wired clients, and fabric APs for wireless clients. Overlay networks can run across all parts of the underlay network devices. Multiple overlay networks can run through the same underlay network to support multitenancy via virtualization.
Each overlay network acts as a Virtual Routing and Forwarding (VRF) instance for connectivity to external networks. You preserve the overlay separation when extending the networks outside of the fabric by using VRF-lite, maintaining the network separation within devices connected to the fabric and on the connections between VRF-enabled devices.

Fabric

Fabric technology is an integral part of SD-Access that provides wired and wireless campus networks with programmable overlays and easy-to-implement network virtualization. It permits a physical network to host one or more logical networks as required to meet the design aim. In addition, fabric technology in the campus network extends control of communications, providing software-based segmentation and policy enforcement based on user identity and group membership.

Separation of Control Plane and Data Plane

Fabric Control Plane

The basic technology used for the fabric control plane is based on the Locator/ID Separation Protocol (LISP). LISP is an IETF standard protocol (RFC 6830) based on a simple endpoint ID (EID) to routing locator mapping system that separates the “identity” (address) from its current “location” (attached router). LISP dramatically simplifies the traditional routing system by removing the need for each router to process every possible IP destination address and route. This is done by moving remote destination information to a centralized map database. It allows each router to manage only its local routes and query the map system to locate destination endpoints.
This technology offers many advantages for Cisco SD-Access, such as less CPU usage, smaller routing tables (hardware and/or software), address-agnostic mapping (IPv4, IPv6, and/or MAC), dynamic host mobility (wired and wireless), built-in network segmentation (Virtual Routing and Forwarding), etc. In Cisco SD-Access, several enhancements have been added to the original LISP specification, including Virtual Network (VN) Extranet, Fabric Wireless, and distributed Anycast Gateway, and more features will continue to be added in the future.

Fabric Data Plane

The basic technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN is an IETF standard encapsulation (RFC 7348). VXLAN encapsulation is IP/UDP-based, meaning that it can be forwarded by any IP-based network and effectively creates the “overlay” feature of the SD-Access fabric. VXLAN encapsulation is used for two main reasons: VXLAN preserves the original Layer 2 (Ethernet) header, and it also provides special fields for additional information such as the virtual network ID and group ID. This technology provides some advantages for SD-Access, such as support for both Layer 2 and Layer 3 virtual topologies (overlays), and the ability to operate over any IP-based network with built-in network segmentation (VRF/VN) and built-in group-based policy. In SD-Access, some enhancements to the original VXLAN specification have been added, particularly the use of Security Group Tags (SGTs). This new VXLAN format is currently an IETF draft known as Group Policy Option or VXLAN-GPO.

Northbound and Southbound APIs

A northbound interface allows a specific component of a network to communicate with an upper-level component. On the other hand, a southbound interface allows a specific network component to communicate with a lower-level component.
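The VXLAN-GPO encapsulation described under Fabric Data Plane, shown in an added Python example that is not from the workbook or from Cisco: it builds and parses the 8-byte VXLAN header, extracts the VNI and the SGT carried in the Group Policy ID field, and applies a hypothetical per-VN allow-list of SGTs as a segmentation check. The header bytes, the policy table, and all function names are constructed for illustration.

```python
# Added example (not from the workbook): build and parse the VXLAN header
# (RFC 7348) and its Group Policy Option extension (VXLAN-GPO draft), which is
# how the SD-Access fabric data plane carries the VN ID (VNI) and the SGT.
# The sample header bytes and the policy table are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN UDP destination port

# Byte 0 of the header: G = Group Policy Option present, I = VNI valid.
FLAG_G = 0x80
FLAG_I = 0x08
# Byte 1 of the header (only meaningful when G is set):
# D = don't learn the source address, A = policy already applied upstream.
FLAG_D = 0x40
FLAG_A = 0x08


@dataclass
class VxlanHeader:
    vni: int                                  # 24-bit VXLAN Network Identifier (VN)
    group_policy_id: Optional[int] = None     # 16-bit SGT when VXLAN-GPO is used
    dont_learn: bool = False
    policy_applied: bool = False


def build_vxlan_header(h: VxlanHeader) -> bytes:
    """Serialize the 8-byte header; plain VXLAN if no group policy ID is given."""
    if not 0 <= h.vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    flags0, flags1, gpid = FLAG_I, 0, 0
    if h.group_policy_id is not None:
        if not 0 <= h.group_policy_id < 2 ** 16:
            raise ValueError("group policy ID must fit in 16 bits")
        flags0 |= FLAG_G
        gpid = h.group_policy_id
        if h.dont_learn:
            flags1 |= FLAG_D
        if h.policy_applied:
            flags1 |= FLAG_A
    # Layout: flags0 | flags1 | 16-bit Group Policy ID | 24-bit VNI | 8-bit reserved
    return struct.pack("!BBH", flags0, flags1, gpid) + h.vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(data: bytes) -> VxlanHeader:
    """Decode the header; reject truncated input and headers without the I flag."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid = struct.unpack("!BBH", data[:4])
    if not flags0 & FLAG_I:
        raise ValueError("I flag not set: not a valid VXLAN header")
    vni = int.from_bytes(data[4:7], "big")
    if flags0 & FLAG_G:
        return VxlanHeader(vni, gpid, bool(flags1 & FLAG_D), bool(flags1 & FLAG_A))
    # Without G, bytes 1-3 are reserved and are ignored on receipt (RFC 7348).
    return VxlanHeader(vni)


def segmentation_allowed(h: VxlanHeader, policy: dict) -> bool:
    """Defender-side check: is this (VN, SGT) pair one the fabric is expected to
    carry?  `policy` maps VNI -> set of permitted SGTs (None = untagged allowed);
    an untagged packet on a VN that expects group-based policy is rejected."""
    allowed = policy.get(h.vni)
    if allowed is None:
        return False
    return h.group_policy_id in allowed


# Constructed sample: VN 4097 carrying SGT 16 with the A bit set, and a plain
# VXLAN header for VN 100 with no group policy option.
SAMPLE_GPO_HEADER = bytes.fromhex("8808001000100100")
SAMPLE_PLAIN_HEADER = bytes.fromhex("0800000000006400")
# Hypothetical fabric policy: VN 4097 may carry SGTs 16 and 17, VN 100 carries
# untagged traffic only.
SAMPLE_POLICY = {4097: {16, 17}, 100: {None}}

if __name__ == "__main__":
    for raw in (SAMPLE_GPO_HEADER, SAMPLE_PLAIN_HEADER):
        hdr = parse_vxlan_header(raw)
        verdict = "allowed" if segmentation_allowed(hdr, SAMPLE_POLICY) else "denied"
        print(hdr, verdict)
```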
Figure 6-03: Northbound and Southbound APIs

As shown in the figure, northbound flow can be thought of as going upward, while southbound flow can be thought of as going downward. In SDN, the southbound interface is the OpenFlow protocol specification. Its main function is to allow communication between the SDN controller and the network nodes, both physical and virtual switches and routers, so that the controller can discover the network topology. It defines network flows and implements requests transmitted to it by northbound APIs. The northbound interface defines the area of protocol-supported communication between the controller and applications or higher-layer control programs. In an enterprise data center, the functions of northbound APIs involve management solutions for automation and orchestration, and the sharing of actionable data between systems. The functions of southbound APIs involve communication with the switch fabric, network virtualization protocols, or the integration of a distributed computing network.

Traditional Campus Device Management vs. Cisco DNA Center Enabled Device Management

Cisco DNA Center is a comprehensive network management and control system that allows your network to drive business toward growth and innovation. Your network is more important to your business than ever before. You require a network management system that can automate the deployment, connectivity, and lifecycle of your infrastructure and proactively sustain the quality and security of your applications so that your IT staff can concentrate on networking projects that improve your core business. With Cisco DNA Center, the age of time-consuming network provisioning and painful troubleshooting tasks is over.
Zero-touch device connectivity and Software Image Management (SWIM) features reduce device installation and upgrade times from hours to minutes and bring new remote offices online with plug-and-play comfort from an off-the-shelf

Cisco DNA Assurance allows every point on the network to become a sensor, sending continuous, streaming telemetry on application performance and user connectivity in real time. This capability, coupled with automatic path trace visibility and guided remediation, means network issues are resolved in minutes, before they become problems. Integration with Cisco provides detection and mitigation of threats, even when they are hidden in encrypted traffic. Cisco DNA Center also offers an open, extensible platform with wide support for external applications and systems to exchange data and intelligence, building upon its built-in functions. It is the only centralized network management system to bring all of this functionality into one platform.

Benefits of Cisco DNA Center:

- Network: Over a centralized dashboard, it manages your enterprise network. It deploys networks in minutes, not days, by using intuitive workflows. Cisco DNA Center makes it easy to design, provision, and apply policies across the network.
- Costs: Policy-driven provisioning and guided advice increase network uptime and reduce the time spent managing simple network operations.
- Your cloud services and applications take advantage of the intelligent network optimization delivered by Cisco DNA Center.

What makes Cisco DNA Center different?

Cisco DNA Center is a broad management and control platform for the network, created, designed, and implemented by Cisco. This single, expandable software platform includes integrated tools for network automation, management, analytics, virtualization, security, assurance, and Internet of Things (IoT) connectivity, and can also interface with your business-critical tools.
Until now, this complete functionality could be achieved only through the purchase and operation of multiple third-party software tools. The advantages of having all core network tools integrated into a single software platform are significant. These are:

- Multiple tools with multiple interfaces add complexity, which raises the chance of errors in configuration and management. This can be especially damaging when errors in security settings lead to exposed vulnerabilities
- Switching between program interfaces during network operations is time-consuming and can make even simple changes or troubleshooting tasks take much longer to complete
- Third-party platforms will never support the same levels of device management and control as tools that are integrated and designed to work together
- Automatic troubleshooting with guided advice is extremely complex in modern virtualized networks. Third-party tools can often tell you if a problem is due to the network or to an application, but they cannot offer guided advice without proper integration between the tools that control automation, analytics, and virtualization
- True intent-based networking requires extensive real-time data flow between the operational tools that are core to the network. The management of network configuration, security, automation, and analytics comes together to deliver the true business purpose of the operation. Core management tools supplied by multiple third-party vendors cannot efficiently share or react to the amounts of data and critical information required to deliver a real intent-based network experience
- Cisco DNA Center is an open and extensible platform that allows third-party applications and processes to exchange data and intelligence with the network. This improves IT operations by automating workflow procedures based on network intelligence coming from Cisco DNA Center
- Cisco DNA Center offers a single platform for every core function in the network.
With this platform, IT can become far more agile and respond to changes and challenges faster and more wisely.

Cisco DNA Center is the network management system, foundational controller, and analytics platform at the core of Cisco’s intent-based network. Cisco DNA Center is a set of software solutions that provide:

- A management platform for all of your network
- A software-defined networking controller for automation of your virtual devices and services
- An assurance engine to guarantee the best network experience for all your users

Cisco DNA Center software runs on the Cisco DNA Center appliance and controls all of your Cisco devices, both physical and virtual (fabric and non-fabric). From the main menu, Cisco DNA Center has four general divisions:

- your network using physical maps and logical topologies for quick graphic reference. The direct import feature brings in images, existing maps, and topologies directly from Cisco and the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), making upgrades easy and fast. Device discovery is automatic and can be done either through Cisco Discovery Protocol or simply by entering a range of IP addresses.
- user and device profiles that enable highly secure access and network segmentation based on business requirements. Cisco DNA Center takes the information collected in policy and translates it into the network-specific and device-specific configurations required by the different types, operating systems, makes, models, roles, and resource restrictions of your network devices. Using Cisco DNA Center, you can create virtual networks, traffic copy policies, access control policies, and application
- you have created policies in Cisco DNA Center, provisioning is a simple drag-and-drop task. Groups of identities (users, devices, applications, etc.) in the Cisco DNA Center inventory list are assigned a policy, and this policy will always follow the identity. The process is completely automated and zero-touch.
New devices added to the network are assigned a policy based on identity, which greatly facilitates remote office setups.

DNA Assurance provides a broad solution to help assure better and more reliable service levels to meet growing business demands. It addresses not just reactive network monitoring and troubleshooting, but also the proactive and predictive aspects of running the network and improving client, application, and service performance. The result is a consistent experience and proactive optimization of your network, with less time spent on troubleshooting tasks.

Figure 6-04: Cisco DNA Center Design
Table 6-02: Cisco DNA Center Features

Cisco DNA Center allows you to run the network with high performance, security, reliability, and open interfaces. Unlock the power of data by starting your journey with Cisco DNA Center.

Characteristics of REST-based APIs

Nowadays, almost every application on the internet is required to provide interoperability as an elementary feature. At any given instant, applications are collaborating with other applications (for example, a mobile application communicating with a web application). Thus, it is essential that all applications are able to communicate with other applications without depending on the underlying operating system or programming language. Web services are used to build such applications.
Figure 6-05: Web Service

Web Services

A web service is a group of standards and protocols used by applications and systems for exchanging information over the internet. A web service is OS-independent and can be written in any programming language. For instance, an application built in PHP running on a Linux server can communicate with an Android application written in Java running on the Android operating system.

What is meant by REST?

REST stands for Representational State Transfer. REST is a stateless software architecture that provides various underlying characteristics and protocols governing the behavior of clients and servers.

What is meant by REST API?

A REST API can be used by any application no matter which language it is written in, because the requests are based on the universal HTTP protocol and the data is typically returned in JSON format, which can be read by almost all programming languages.

Figure 6-06: REST API Architecture

What is meant by RESTful?

An API is said to be RESTful if it has the following features:
• Server-Client Architecture: The server is the back-end and the client is the front-end of the service. It is significant to note that these two entities are independent of each other
• Stateless: No data or information may be stored on the server during the processing of the requested transmission. The state of the session must be saved at the client's end
• Cacheable: The client has the capability to store responses in a cache. This significantly increases the performance of the API
• Isolation: The client is isolated to the request path
• Idempotence: Identical requests do not have any additional side effect

What is meant by RESTful API?

A RESTful API, also called a RESTful web service, is a web service implemented using the HTTP protocol and the REST principles. It is a collection of resources that serves HTTP methods (PUT, GET, POST, DELETE).
The collection of resources is then represented in a standardized form (usually XML) that can be any valid Internet media type, provided that it is a valid hypertext standard.

Figure 6-07: Representation of RESTful API

Why should we use RESTful API?

A RESTful API is used to make applications distributed and independent over the internet, with the purpose of enhancing the performance, simplicity, scalability, visibility, modifiability, reliability, and portability of the

Real-World RESTful API Examples

Every popular website and social media platform offers a RESTful API. Several examples include:
• Twitter REST API
• Cloudways REST API
• Google Translate REST API
• Facebook REST API
• Magento REST API

CRUD

Figure 6-08: Characteristics of RESTful API

REST is an API style that permits clients to perform read/write operations on data or information stored on the server. REST utilizes HTTP to perform a set of actions commonly known as CRUD, which stands for:
• Create
• Read
• Update
• Delete

Assuming we want to manipulate a device object on a server, we can send a GET request and receive a response with a payload holding a full list of known devices. If we need to add a new device, we build a payload with the device attributes (e.g., IP Address, Hostname) and send it attached to a POST request. To update a device, we are required to send the full updated payload with the HTTP PUT method.

Figure 6-09: CRUD Method

Remember that both the Update and Delete API calls refer to a specific ID in the request URI. That ID is one the server assigns to every new object, and it is returned in the response to the Create request.

HTTP Verbs

Figure 6-10: HTTP Verbs

The HTTP Protocol

If you have ever used the internet, you already have a sense of how it works. It sends requests from your desktop application and receives back information from remote servers. That is the internet in a nutshell, and it is feasible because all the computers that use the net speak the same language and the same protocol, named HTTP. The internet is based on the HTTP protocol.
It permits computers from anywhere to send requests to remote servers and get back responses that can be displayed in browsers.

HTTP Methods

Following are the four main HTTP methods:

HTTP GET

We use the GET method to retrieve data from a remote server. It can be one resource or a list of resources. For any given HTTP GET API, if the resource is found on the server, then it must return HTTP response code 200 (OK) along with a response body, which is usually either XML or JSON. In case the resource is NOT found on the server, then it must return HTTP response code 404 (NOT FOUND).

Examples of Request URIs
HTTP GET http://www.appdomain.com/users
HTTP GET http://www.appdomain.com/users?size=20&page=5
HTTP GET http://www.appdomain.com/users/123
HTTP GET http://www.appdomain.com/users/123/address

HTTP POST

We use the POST method to create a new resource on the remote server. Ideally, if a resource has been created on the origin server, the response should be HTTP response code 201 (Created), hold an entity that describes the status of the request and refers to the new resource, and include a Location header.

Examples of Request URIs
HTTP POST http://www.appdomain.com/users
HTTP POST http://www.appdomain.com/users/123/accounts

HTTP PUT

We use the PUT method to update data on the remote server. If a new resource has been created by the PUT API, the origin server MUST inform the user agent through the HTTP 201 (Created) response, and if an existing resource is modified, either the 200 (OK) or 204 (No Content) response code should be sent to indicate successful completion of the request.

Examples of Request URIs
HTTP PUT http://www.appdomain.com/users/123
HTTP PUT http://www.appdomain.com/users/123/accounts/456

Exam Tip: The difference between the POST and PUT APIs can be observed in their request URIs. POST requests are made on resource collections, whereas PUT requests are made on an individual resource.

HTTP DELETE

We use the DELETE method when we want to delete data from the remote server.
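As an added example (not code from the workbook), the following Python script models the CRUD mapping, the HTTP methods and the status codes described in the sections above, together with the RESTful idempotence property: an in-memory collection at the hypothetical path /devices whose handle() method answers GET, POST, PUT and DELETE with 200, 201, 204, 400, 404 or 405, assigns IDs on the server side and returns them in a Location header, validates payloads before storing them, and lets PUT and DELETE be repeated without further side effects. The path, the required fields and the sample device are assumptions made for this example.

```python
"""Minimal in-memory model of the CRUD / HTTP-method behaviour described above.

Added example (not code from the workbook): a tiny resource collection at the
hypothetical path /devices, answering with the status codes the text describes:
GET 200/404, POST 201 + Location, PUT 200 (or 201 when it creates), DELETE 204
on the first call and 404 on the second.
"""
import json
import re

# Attributes a device payload must carry (an assumption for this example; the
# workbook only names IP Address and Hostname as sample attributes).
REQUIRED_FIELDS = ("hostname", "ip_address")
ITEM_RE = re.compile(r"^/devices/(\d+)$")


class DeviceCollection:
    """A server-side collection of device objects keyed by server-assigned ID."""

    def __init__(self):
        self._devices = {}   # id -> dict
        self._next_id = 1    # the server, not the client, picks IDs

    @staticmethod
    def _validate(body):
        """Reject payloads that are not JSON objects carrying the required fields."""
        if not isinstance(body, dict):
            return False
        return all(isinstance(body.get(f), str) and body[f] for f in REQUIRED_FIELDS)

    def handle(self, method, path, body=None):
        """Dispatch one request; returns (status_code, headers, response_body)."""
        if path == "/devices":
            if method == "GET":                      # Read the whole collection
                return 200, {}, list(self._devices.values())
            if method == "POST":                     # Create: server assigns the ID
                if not self._validate(body):
                    return 400, {}, {"error": "hostname and ip_address required"}
                new_id = self._next_id
                self._next_id += 1
                self._devices[new_id] = {"id": new_id, **body}
                return 201, {"Location": f"/devices/{new_id}"}, self._devices[new_id]
            return 405, {"Allow": "GET, POST"}, None

        match = ITEM_RE.match(path)
        if not match:
            return 404, {}, None
        dev_id = int(match.group(1))
        exists = dev_id in self._devices

        if method == "GET":                          # Read one resource
            return (200, {}, self._devices[dev_id]) if exists else (404, {}, None)
        if method == "PUT":                          # Update with the full representation
            if not self._validate(body):
                return 400, {}, {"error": "full representation required"}
            self._devices[dev_id] = {"id": dev_id, **body}
            if exists:
                return 200, {}, self._devices[dev_id]
            return 201, {"Location": path}, self._devices[dev_id]
        if method == "DELETE":                       # Idempotent removal; a second call sees 404
            if not exists:
                return 404, {}, None
            del self._devices[dev_id]
            return 204, {}, None
        return 405, {"Allow": "GET, PUT, DELETE"}, None


def crud_walkthrough():
    """Run the Create/Read/Update/Delete sequence from the text; return the status codes seen."""
    api = DeviceCollection()
    seen = []
    payload = {"hostname": "sw1", "ip_address": "192.0.2.10"}   # constructed sample device
    status, headers, _created = api.handle("POST", "/devices", payload)
    seen.append(status)                                          # 201
    location = headers["Location"]                               # server-assigned ID lives in the URI
    seen.append(api.handle("GET", location)[0])                  # 200
    updated = {**payload, "ip_address": "192.0.2.11"}
    seen.append(api.handle("PUT", location, updated)[0])         # 200
    seen.append(api.handle("PUT", location, updated)[0])         # 200 again: no new side effect
    seen.append(api.handle("DELETE", location)[0])               # 204
    seen.append(api.handle("DELETE", location)[0])               # 404: already removed
    seen.append(api.handle("POST", "/devices", {"hostname": "x"})[0])  # 400: incomplete payload rejected
    return seen


if __name__ == "__main__":
    print(json.dumps(crud_walkthrough()))   # [201, 200, 200, 200, 204, 404, 400]
```

The validation step in _validate() is the part worth copying into a real service: a client-supplied ID or a partial PUT body is refused rather than silently stored, which is what keeps PUT and DELETE repeatable and the server's own ID assignment authoritative.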
DELETE operations are idempotent. If you DELETE a resource, it is removed from the resource collection. Repeatedly calling the DELETE API on that resource will not change the outcome; however, calling DELETE on a resource a second time will return a 404 (NOT FOUND) because it was already removed. Some may argue that this makes the DELETE method non-idempotent. It is a matter of discussion and personal opinion.

Examples of Request URIs
HTTP DELETE http://www.appdomain.com/users/123
HTTP DELETE http://www.appdomain.com/users/123/accounts/456

Exam Tip: The POST method is used by some APIs to perform any change to the database. The change can be creating, updating, or deleting.

Capabilities of Configuration Management Mechanisms

Cisco UCS (Unified Computing System) is an IT infrastructure that can be programmed as code to automate system configuration and resource allocation. The Cisco UCS Unified API is likewise used by Cisco's large group of management solution partners. Your DevOps teams can use the tools with which they are already familiar, for example, Puppet, Chef, and Ansible, to deploy, orchestrate, and manage individual Cisco UCS servers, Cisco Nexus® switches, storage systems, and fabric interconnects, including entire Cisco® converged and hyper-converged systems (Figure 6-11).

Figure 6-11: The unified API provides programming tools with access to all Cisco UCS resources

The ability to provision entire application stacks in minutes, from automating Cisco UCS policies and service profile configurations to ongoing management and the detection and remediation of unintended changes, improves efficiency. It reduces the likelihood of errors and accelerates time to deployment.

Puppet

Puppet Enterprise is an important tool for DevOps configuration management. Puppet is quickly becoming an essential standard for IT automation and management.
With an extensible plug-in architecture and a powerful declarative language, Puppet offers an adaptable, simple-to-use platform that seamlessly incorporates the exclusive capabilities of Cisco Nexus solutions and Cisco UCS. You can:
• Manage your infrastructure and application deployments from end to end
• For Cisco UCS, use Puppet modules to perform initial infrastructure configuration and server role tasks
• Perform speedy day-one provisioning with the Puppet Razor module, which offers a robust set of programmatic interfaces used for provisioning the workload and operating system
• Use Cisco UCS administration profiles to create adaptable definitions of server roles and pass that data to Puppet Razor
• Perform day-two and beyond management and monitoring of applications using open-source Puppet or Puppet Enterprise
• Deploy a wide scope of managed workloads across major operating systems, virtual machines, and containerized environments

Chef

Chef is an open-source system and cloud infrastructure automation framework. By utilizing a Chef cookbook, your DevOps groups can configure your Cisco UCS platforms and distribute policies. Everything required to provision your deployment is defined, including libraries, recipes, files, and more. Each cookbook and recipe is a collection of property definitions for setting device states that instruct the Chef client on how to configure each node in the system. Because the details for checking and setting property states are abstracted, the instructions can be used for multiple operating systems and platforms. A recipe can also be used to install software packages, copy files, and start services. Cisco has established a cookbook for standalone Cisco UCS C-Series Rack Servers and the Cisco Integrated Management Controller (IMC). Based on the Cisco IMC Ruby Software Development Kit (SDK), the cookbook streamlines the distribution of servers and applications to any virtual, physical, or cloud location.
Ansible

By using Ansible, your DevOps teams can automate and orchestrate your IT environment simply by defining the desired infrastructure configuration. A human-readable markup language (YAML) describes a series of "plays" that outline the automation across an inventory of hosts. Each play involves multiple tasks that target one or more hosts and call an Ansible module that implements configuration operations. The Cisco UCS Unified API, Cisco UCS Manager, and standalone rack servers integrate with Ansible as shown in the figure below. This integration permits your DevOps teams to use Ansible to configure, deploy, and orchestrate your Cisco UCS infrastructure. Using Ansible's extensible, open framework along with the Cisco NX-API, you can use a single tool to manage your servers and Cisco Nexus 3000 and 9000 Series Switches, improving automation and simplifying daily IT tasks. The NX-API is a REST-like API for Cisco NX-OS Software-based systems. Ansible modules call NX-API functions to collect real-time state data and configure or reconfigure switches. Ansible modules for Cisco UCS are based on the Cisco UCS Python SDK.

Figure 6-12: Ansible playbooks automate and orchestrate Cisco UCS deployments

Table 6-03: Matrix of Common Info and Terms

Interpret JSON Encoded Data

JavaScript Object Notation (JSON) is a standard lightweight data-interchange format that is fast and easy to parse and generate. JSON, like XML, is a text-based format that is simple to write and easy to understand for both humans and machines, but unlike XML, JSON data structures occupy less bandwidth than their XML equivalents.

Figure 6-13: JSON Object Data Format

JSON is based on two basic structures:

Object: An object is defined as a collection of key/value pairs (i.e., key:value).
Each object starts with a left curly bracket ({) and finishes with a right curly bracket (}). Multiple key/value pairs are separated by a comma (,).

Example of a JSON Object

The following structure shows an example of a valid JSON object structure.

Array: An array is defined as an ordered list of values. An array starts with a left bracket "[" and finishes with a right bracket "]". Values are separated by a comma (,).

Example of a JSON Array

The following example shows a JSON array structure.

In JSON, keys are always strings, though a value can be a string, array, object, number, true or false, or null. Strings must be enclosed in double quotes (") and can contain escape characters such as \n, \t, and \\.

PHP JSON Encode and Decode

JSON encode and decode are among the most commonly required operations. In this part, we are going to see how to encode and decode JSON using PHP. PHP provides built-in functions to perform these two operations:
• json_encode()
• json_decode()

Encoding and Decoding

Encoding and decoding are a pair of operations used in many application programs. Encoding is used to bundle data according to a particular format. This process is required to preserve data integrity. Decoding is the reverse process that returns encoded data to its original form.

PHP JSON Encode

In PHP, json_encode() is used to convert a PHP-supported data type into a JSON-formatted string, which is returned as the result of the JSON encode operation.
This function takes the following set of arguments:
• Data to be encoded
• Options with JSON encode constants that affect encoding behavior
• Depth limit for performing recursive encoding with nested levels of input

Parameters

Value: The value being encoded can be of any type except a resource. All string data must be UTF-8 (8-bit Unicode Transformation Format) encoded.

Options: Predefined JSON constants. For PHP JSON encoding, the following list of constants is used for the options parameter of the json_encode() function.

Table 6-04: Predefined JSON Constants

Depth: Sets the maximum depth. It must be greater than zero.

Return Values: Returns a JSON-encoded string on success or FALSE on failure.

Example: PHP json_encode()

Let's take the example of a PHP program to perform JSON encoding.
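As an added example in Python rather than the workbook's own PHP program, the following script performs the encode and decode operations described above: a nested object holding an array (the two JSON structures from the text) is turned into a JSON string, two options that change the output (pretty printing and unicode escaping, standing in for the PHP constants JSON_PRETTY_PRINT and JSON_UNESCAPED_UNICODE) are shown, a depth limit like json_encode()'s third argument is enforced (Python's json module has none, so nesting_depth() supplies it), and failure returns None the way json_encode() returns FALSE. The sample device structure and the function names are constructed for this example.

```python
"""JSON encode and decode with the checks discussed above.

Added example (not the workbook's PHP program). It mirrors in Python what the
text describes for PHP: encoding a native structure to a JSON string, options
that change the output, a depth limit like json_encode()'s third argument
(implemented here because Python's json module has none), and decoding that
returns a failure value instead of raising, as json_encode() returns FALSE.
"""
import json

# Constructed sample: one object holding a nested object and an array,
# the two JSON structures described in the text.
SAMPLE_DEVICE = {
    "hostname": "sw1",
    "mgmt": {"ip": "192.0.2.10", "vlan": 99},
    "ports": ["Gi1/0/1", "Gi1/0/2"],
    "uplink": None,          # becomes JSON null
    "trunk": True,           # becomes JSON true
}


def nesting_depth(value):
    """Return how many object/array levels a value contains (scalars count as 0)."""
    if isinstance(value, dict):
        return 1 + max((nesting_depth(v) for v in value.values()), default=0)
    if isinstance(value, (list, tuple)):
        return 1 + max((nesting_depth(v) for v in value), default=0)
    return 0


def encode(value, depth=512, pretty=False, ascii_only=True):
    """Encode like json_encode(): a JSON string on success, or None on failure.

    depth mirrors json_encode()'s third argument: the structure is refused when
    it nests deeper than the limit, and the limit must be greater than zero.
    pretty and ascii_only stand in for PHP's JSON_PRETTY_PRINT and
    JSON_UNESCAPED_UNICODE options (the parameter names are assumptions here).
    """
    if depth <= 0 or nesting_depth(value) > depth:
        return None
    try:
        return json.dumps(value,
                          indent=2 if pretty else None,
                          ensure_ascii=ascii_only,
                          separators=None if pretty else (",", ":"))
    except (TypeError, ValueError):
        # e.g. a set or a bytes object: not representable in JSON
        return None


def decode(text, depth=512):
    """Decode text to native data, or None if it is not valid JSON or nests too deep."""
    try:
        value = json.loads(text)
    except (json.JSONDecodeError, TypeError):
        return None
    if nesting_depth(value) > depth:
        # Bound what a caller will recurse into before handing the data on
        return None
    return value


def round_trip(value):
    """Encode then decode; True when the original structure survives intact."""
    encoded = encode(value)
    return encoded is not None and decode(encoded) == value


if __name__ == "__main__":
    print(encode(SAMPLE_DEVICE, pretty=True))
    print("depth 1 accepted:", encode(SAMPLE_DEVICE, depth=1) is not None)   # False
    print("round trip ok:", round_trip(SAMPLE_DEVICE))                        # True
```

The depth check is the security-relevant part: applying the same limit on decode as on encode keeps a deeply nested document received from a client from driving recursive handling in the application.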
The following program invokes json_encode() several times with some of the available JSON encode constants as its option parameter.

The output of the above example will be:

Mind Map

Figure 6-14: Mind Map of Automation and Programmability

Summary

Automation Impacts on Network Management
• Network automation is the procedure of automating the configuring, testing, managing, deploying, and operating of virtual and physical devices within a network
• Automation technology is getting more and more attention due to its benefits in terms of flexible configuration, programmability, and cost efficiency

Compare Traditional Networks with Controller-based Networking
• Traditional networking works on per-device management, which takes time and creates many complexities; this approach is prone to human error
• Cisco SD-Access uses a modern controller design to drive business intent into the orchestration and operation of network elements

Controller-based and Software Defined Architectures
• Cisco® Software-Defined Access (SD-Access) is the evolution from traditional campus LAN designs to networks that directly implement the intent of an organization
• SD-Access is supported by an application suite that runs as part of the Cisco DNA Center software for designing, applying policy, provisioning, and facilitating the creation of a smart campus wired and wireless network with assurance

Traditional Campus Device Management vs. Cisco DNA Center Enabled Device Management
• Cisco DNA Center is the network management system, foundational controller, and analytics platform at the core of Cisco's intent-based network
• Zero-touch device connectivity and Software Image Management (SWIM) features reduce device installation and upgrade times from hours to minutes and bring new remote offices online with plug-and-play ease from an off-the-shelf Cisco® device

Characteristics of REST-based APIs
• A REST API can be used by any application no matter the language it is written in, because the requests are based on the universal HTTP protocol and the data is typically returned in JSON format, which can be read by almost all programming languages
• A RESTful API, also called a RESTful web service, is a web service implemented using the HTTP protocol and the REST principles. It is a collection of resources that serves HTTP methods (PUT, GET, POST, DELETE)

Capabilities of Configuration Management Mechanisms
• The ability to provision entire application stacks in minutes, from automating Cisco UCS policies and service profile configurations to ongoing management and the detection and remediation of unintended changes, improves efficiency
• Puppet, Chef, and Ansible are used to deploy, orchestrate, and manage individual Cisco UCS servers, Cisco Nexus® switches, storage systems, and fabric interconnects, including entire Cisco® converged and hyper-converged systems

Interpret JSON Encoded Data
• JavaScript Object Notation (JSON) is a standard lightweight data-interchange format that is fast and easy to parse and generate
• In PHP, json_encode() is used to convert a PHP-supported data type into a JSON-formatted string, which is returned as the result of the JSON encode operation

Practice Questions
Answers:

Chapter 01: Network Fundamentals

1. C. Explanation: While an ARP broadcast may initially be needed, since these systems have already communicated, the traffic can be sent unicast.
2. D. Explanation: The destination address FF:FF:FF:FF:FF:FF is a reserved MAC address that indicates a broadcast.
3. C. Explanation: The Host B IP address is the subnet identifier for that subnet and it is reserved.
4. C. Explanation: The network portion is typically 64 bits and the host portion is 64 bits as well.
5. A. Explanation: The command required to enable IPv6 routing capabilities on a Cisco router is ipv6 unicast-routing.
6. C. Explanation: The default aging time on most Cisco switches is 300 seconds.
7. A. Explanation: Topology in networks is the structure or pattern in which each and every node in the network is connected.
8. C. Explanation: A segment is a grouping of a number of bytes together into a packet.
9. A. Explanation: UDP is an unreliable, connectionless transport layer protocol.
10. C.
Explanation: A router is a networking device that forwards data packets between computer networks. Routers perform the traffic-directing functions on the internet.
11. A. Explanation: In a broadcast network, information is sent to all stations in the network, whereas in a multicast network the data or information is sent to a group of stations in the network. In a unicast network, information is sent to only one specific station.
12. D. Explanation: An IPv6 datagram has a fixed header length of 40 bytes, which results in faster processing of the datagram.
13. A. Explanation: Broadcast has been eliminated in IPv6.
14. B. Explanation: An IPv6 address is 128 bits long.
15. B. Explanation: For TCP, it is 6.
16. A. Explanation: Error reporting is handled by ICMP.
17. C. Explanation: Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. It helps protect private information and sensitive data, and provides security of communication between client apps and servers.
18. C. Explanation: UDP is an unreliable, connectionless transport layer protocol and uses minimal overhead.
19. C. Explanation: A Wide-Area Network helps organizations expand geographically around the globe. By using a WAN, services from service providers, usually called "off-sourcing", can span a large physical area.
20. B. Explanation: Switches automatically segment the network and dramatically decrease the traffic in the segments that are less used.
21. C. Explanation: A multilayer switch can perform its function on both layer 2 and layer 3.
22. D. Explanation: Firewalls act as a filter that controls the flow of traffic, whether it is inbound or outbound traffic of a network.
23. B. Explanation: A Network Address Translation (NAT) server is used for the mapping of IP addresses, translating the private addresses inside the network into authorized addresses before packets are delivered to another network.
24. C.
Explanation: RJ-45 provides the communication and control factor in network devices.
25. B and D. Explanation: IPv4 addresses are 32 bits long and are represented in decimal format. IPv6 addresses are 128 bits long and are represented in hexadecimal format.

Chapter 02: Network Access

1. B. Explanation: 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address. The header itself holds a 12-bit VLAN ID field, which identifies the VLAN associated with the frame.
2. B and C. Explanation: The show interfaces switchport command lists both the administrative and operational status of each port. The show interfaces trunk command lists a set of interfaces: the interfaces that are operating as trunks. So, both of these commands identify interfaces that are operational trunks.
3. D. Explanation: The PortFast feature allows STP to move a port from blocking to forwarding without going through the interim listening and learning states.
4. A. Explanation: pvst and rapid-pvst are valid options on the command. Of those, the rapid-pvst option enables Rapid Per VLAN Spanning Tree (RPVST+), which uses RSTP. The pvst option enables Per VLAN Spanning Tree (PVST), which uses STP, not RSTP. The other two options, if attempted, would cause the command to be rejected because the option does not exist.
5. D. Explanation: IOS uses the channel-group configuration command to create an EtherChannel.
6. C. Explanation: An AP offers a Basic Service Set (BSS).
7. A. Explanation: The show vlan brief command allows you to easily verify the VLANs and the interface assignments.
8. D. Explanation: The correct command is switchport access vlan 20.
9. A. Explanation: The correct command is switchport voice vlan 10.
10. C. Explanation: The correct command is switchport mode trunk.
11. B. Explanation: The correct command is show interface trunk.
12. D.
Explanation: You can use HTTP and HTTPS to access the GUI of a wireless LAN controller, as well as SSH to access its CLI.
13. C. Explanation: Controllers use a Link Aggregation Group (LAG) to tie multiple ports together.
14. C and D. Explanation: A WLAN binds an SSID to a controller interface so that the controller can link the wired and wireless networks.
15. D. Explanation: Cisco controllers support a maximum of 512 WLANs, but only 16 of them can be actively configured on an AP.
16. A and C. Explanation: The SSID and controller interface are the only parameters from the list that are necessary.
17. A. Explanation: Link Aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard.
18. A. Explanation: A lightweight AP requires connectivity to only a single VLAN, so an access-mode link is used.
19. B. Explanation: 802.1Q defines a 4-byte header, inserted after the original frame's destination and source MAC address fields. The insertion of this header does not change the original frame's source or destination address.
20. D. Explanation: The PortFast feature allows STP to move a port from blocking to forwarding without going through the interim listening and learning states.

Chapter 03: IP Connectivity

1. B. Explanation: The information necessary to forward a packet along the best path towards its destination resides in a routing table.
2. A. Explanation: The prefix length is simply a shorthand way to express a network mask using CIDR notation.
3. C. Explanation: 120 is the default administrative distance for RIP.
4. B. Explanation: The best path to a destination network within a routing protocol is determined by the metric value.
5. B. Explanation: By using the administrative distance, one routing protocol is preferred over another when both have a route to the same destination network.
6. C. Explanation: Static routes have an administrative distance of 1, or 0 if you use an exit interface instead of a next-hop address.
7. C.
Explanation: A floating static route is simply one that has been created as a backup to a route learned through a routing protocol.
8. D. Explanation: A value in the range from 1 to 65,535 identifies the OSPF process ID. It is a unique number on the router that groups a series of OSPF configuration commands under a specific running process.
9. B. Explanation: First Hop Redundancy Protocols (FHRP) are used to allow gateway redundancy.
10. B. Explanation: Routers will go through an election process on the segment to elect a DR and BDR.
11. B and D. Explanation: DHCP servers assign IP addresses to hosts. Thus, DHCP allows easier administration by providing IP information to each host automatically.
12. C. Explanation: SNMPv2c supports plaintext authentication with MD5 or SHA with no encryption.
13. B. Explanation: The "show ip route" command is used to view a routing table.
14. B. Explanation: The prefix length is /24 for the subnet mask 255.255.255.0.
15. A. Explanation: The administrative distance for a static route is 1.
16. B. Explanation: The value 255 is equivalent to 100% utilization or load.
17. B. Explanation: The correct command for configuring a static route is ip route [destination_network] [mask] [nexthop_address or exit_interface] [administrative_distance] [permanent]
18. B. Explanation: The particular network will become incapable of communicating with the outside world if that first hop ever goes down. It allows only local communication across the switched domain.
19. B. Explanation: Except for BRRP (Broadway Router Redundancy Protocol), the other three options given in the question fall into the category of first hop redundancy protocols.
20. D. Explanation: HTTPS uses port 443 by default.

Chapter 04: IP Services

1. B. Explanation: Simple Network Management Protocol (SNMP) provides a message format for agents on a variety of devices to communicate with Network Management Stations (NMSs).
It is the most popular and efficient method of seeing what's going on with your network at a particular time. 1. C. Explanation: A low loss, latency, and jitter is provided with EFs related DSCP. 1. C. Explanation: Four different forwarding classes are provided by these per-hop behaviors. 1. B. Explanation: SSH uses encryption keys to send data so that no one can see your username and password. 1. B. Explanation: The boot files or configuration files are usually transferred between machines in a local setup by using TFTP. 1. B. Explanation: SNMP is also used for analyzing information and compiling the outcomes in a report or even a graph. 1. C. Explanation: SNMPv2 supports plain-text authentication with community strings with no encryption but provides GET BULK that is a way to gather many types of information at once and minimize the number of GET requests. 1. B. Explanation: Simple Network Management Protocol (SNMP) is the most popular and efficient method of seeing what's going on with your network at a particular time. 1. A. Explanation: The boot computers and devices not having hard disk drives or storage devices significantly use this protocol because a small amount of memory is enough to implement this protocol. 1. B. Explanation: UDP port 69 is used by TFTP to establish network connections while ports 20 and 21 are used by FTP. 1. B. Explanation: The remote user is allowed to navigate the server's file structure and upload and download files with FTP. 1. C. Explanation: The client starts a controlled TCP connection with the server side when the FTP session is started between a client and a server. The control information is sent over a TCP connection by the client. 1. B. Explanation: A simple lock-step protocol is used by TFTP. In the simple lock-step protocol, each data packet needs to be acknowledged. Thus, the throughput is limited. 1. C. 
Explanation: Workstations or other computers that requires special access outside the network are assigned specific external IPs using NAT. 1. B. Explanation: Outside refers to the addresses that are not in control of any organization. 1. D. Explanation: PAT is a translation method. It allows the user to conserve addresses in the global address pool by allowing source ports in TCP and UDP to be translated. To the same global address, different local addresses are mapped and the necessary uniqueness is provided with the port translation. 1. C. Explanation: NTP version 3 (NTPv3) and later versions support a cryptographic authentication technique between NTP peers. This authentication can be used to mitigate an attack. 1. C. Explanation: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager. 1. A. Explanation: Traffic with an EF DSCP does not wait in line. A low loss, latency, and jitter is provided with EF. 1. B. Explanation: A DHCP Server is a network server. It automatically provides and assigns IP addresses, default gateways and other network parameters to client devices . Chapter 05: Security Fundamentals 1. C, D, & E. Explanation: There are three main components of information security: Confidentiality: It makes sure that only authorized users can see and tamper data. It provides encryption to encrypt and hide data. Integrity: It makes sure that the data remains un-tampered during transit. Availability: It makes sure that the data remains available for authorized users. 1. A. Explanation: Cisco and other security vendors have created databases known as the Common Vulnerabilities and Exposures (CVE) that categorizes the threats over the internet. It can be searched via any search engine available today. 1. A. Explanation: Denial-of-Service (DoS) Attack is an availability attack intended to downgrade or deny the targeted service or application. 1. A. 
Explanation: Denial-of-Service (DoS) is a type of attack in which services offered by a system or a network is denied. Services may either be denied, reduce the functionality or prevent the access to the resources even to the legitimate users. There are several techniques to perform DoS attack such as generating a large number of requests to the target system for service. 1. B. Explanation: Digital signatures rely on digital certificates to verify the identity of the originator in order to authenticate a vendor website and establish an encrypted connection to exchange confidential data. 1. B. Explanation: Authentication is the process of proving an identity of a system by login identification and a password. It has the purpose of determining whether the user is the same person he claims to be or not. 1. A, C, & D. Explanation: Following are the key features of VPN technology: Confidentiality: Data is sent in an encrypted form, data for any other person would be meaningless. Data Integrity: VPN makes sure that the sent data is accurate, secure and remains unaltered end to end. Authentication: VPN authenticate the peer on both side of the tunnel through pre-shared public or private keys or by using user’s authentication method. 1. B. Explanation: Types of VPN: 1) Remote-access VPN makes a networking device to connect outside a corporate office. 2) Site-to-site VPN connects two or more sites that want to connect together over the internet. 1. B. Explanation: A remote-access VPN helps a networking device to connect outside a corporate office. These devices include smartphones, tablets, laptops etc. commonly known as end devices. 1. C. Explanation: DHCP snooping validates the DHCP messages received from either the legitimate source or from an untrusted source and filters out invalid messages. It is actually very easy for someone to bring accidentally or maliciously a DHCP server in a corporate environment. DHCP snooping is all about protecting against it. 1. D. 
Explanation: Here is the list of mitigation procedures of layer 2 attacks: DHCP Snooping Dynamic ARP Inspection Port Security BPDU Guard Root Guard Loop Guard 1. A. Explanation: Port Security is used to bind the MAC address of known devices to the physical ports and violation action is also defined. 1. D. Explanation: Port security feature allows limited number of MAC addresses on a single port. So, if an attacker tries to connect his/her PC or embedded device to the switch port, then it will shut down or restrict the attacker from even generating an attack. 1. D. Explanation: Both IPsec and SSL are supported by Cisco AnyConnect. 1. A. Explanation: DHCP snooping is a method of controlling IP address assignments to prevent the possibility of attacks related to ARP spoofing. 1. B. Explanation: WPA is an upgradation on the system that currently uses WEP. 1. A. Explanation: The Dynamic ARP Inspection (DAI) feature protects the network from many of the commonly known Man-in-the-Middle (MITM) type attacks. 1. D. Explanation: Social engineering is more likely to occur if users are not properly trained to detect and prevent it. 1. B. Explanation: Two-factor authentication is always more secure than any single factor of authentication. 1. A. Explanation: Type 2 authentication factor is “something you have”. This could be a smart card, ATM card, token device, or memory card. Chapter 06: Automation and Programmability 1. D. Explanation: There are three core benefits of network automation are as: 1) Improved efficiency 2) Reduced likelihood of human error 3) Lower operational expenses 1. C. Explanation: Representational State Transfer (REST is the full form of the acronym REST in REST-based APIs. 1. B. Explanation: Software-Defined Access (SD-Access) is the full form for SD-Access. 1. C. Explanation: Cisco SD-Access is one of the most important elements of the Cisco Digital Network Architecture (Cisco DNA). 1. B. 
Explanation: Cisco SD-Access solution can be divided into five basic layers, which are: 1) Physical Layer 2) Network Layer 3) Controller Layer 4) Management Layer 5) Partner Ecosystem 1. A. Explanation: Data-link layer is not the basic layer of Cisco SD-Access solution while it is an important layer of the OSI model. 1. D. Explanation: Fabric overlay and network underlay is an integral part of the Network Layer of the Cisco SD-Access solution. 1. B. Explanation: The basic technology used for the fabric control plane is based on the Locator ID Separation Protocol (LISP). 1. A. Explanation: The basic technology used for the fabric data plane is based on Virtual Extensible LAN (VXLAN). 1. B. Explanation: LISP is an IETF standard protocol, i.e., RFC-6830. 1. C. Explanation: VXLAN is an IETF standard encapsulation, i.e., RFC7348. 1. D. Explanation: Cisco DNA Center has four general divisions, which are: 1) Design 2) Policy 3) Provision 4) Assurance 1. D. Explanation: In SDN, the southbound interface is the OpenFlow protocol specification. Its main function is to allow communication between the SDN controller and the network nodes; both physical and virtual switches and routers, so that the router can discover network topology. 1. C. Explanation: REST-API utilizes HTTP to perform a set of actions commonly known as CRUD: Create Read Update Delete 1. B. Explanation: We use the HTTP PUT method to update the data on a remote server. 1. A. Explanation: We use the HTTP GET method to retrieve data from a remote server. 1. B. & C. Explanation: Object & array are the two basic structures of JSON. 1. D. Explanation: JavaScript Object Notation (JSON) is a standard lightweight data-interchange format, which is fast and easy to parse and generate. 1. D. Explanation: Value, Options, Depth are the main parameters of json_encode(). 1. B. Explanation: Each object in JSON starts with a left curly bracket “{“ and finishes with a right curly bracket “}”. 
Acronyms:
AAA - Authentication, Authorization, and Accounting
ACL - Access Control List
AES - Advanced Encryption Standard
AP - Access Point
ARP - Address Resolution Protocol
BPDU - Bridge Protocol Data Unit
CCMP - Counter Mode Cipher Block Chaining Message Authentication Code Protocol
CCNA - Cisco Certified Network Associate
Cisco DNA - Cisco Digital Network Architecture
CLIs - Command-Line Interfaces
CVE - Common Vulnerabilities and Exposures
DAC - Discretionary Access Control
DDoS - Distributed Denial of Service
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name Service / Domain Name Server / Domain Name System
DoS - Denial-of-Service
EAP - Extensible Authentication Protocol
GUI - Graphical User Interface
HTTPS - Hyper Text Transfer Protocol Secure
IBNS - Identity-Based Networking Services
ICMP - Internet Control Message Protocol
IEEE - Institute of Electrical and Electronics Engineers
IT - Information Technology
LISP - Locator/ID Separation Protocol
MAC - Mandatory Access Control
MAC - Media Access Control
NAC - Network Access Control
NIC - Network Interface Card
OSI - Open Systems Interconnect
PIN - Personal Identification Number
PoLP - Principle of Least Privilege
RADIUS - Remote Authentication Dial In User Service
RBAC - Role-Based Access Control
REST - Representational State Transfer
SD-Access - Software-Defined Access
SSH - Secure Shell
SSID - Service Set Identifier
SSL - Secure Sockets Layer
SWIM - Software Image Management
TACACS - Terminal Access Controller Access Control System
TCP - Transmission Control Protocol
TKIP - Temporal Key Integrity Protocol
TLS - Transport Layer Security
TTLS - Tunneled Transport Layer Security
UCS - Unified Computing System
VLAN - Virtual Local Area Network
VPN - Virtual Private Network
VRF - Virtual Routing and Forwarding
VXLAN - Virtual Extensible LAN
WEP - Wired Equivalent Privacy
WLAN - Wireless LAN
WPA - Wi-Fi Protected Access
Note from the Author: Reviews are gold to authors! If you have enjoyed this book and it has helped you with your certification, would you consider rating and reviewing it?