Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401
Illimitable Internetworking – International
Cisco ENCOR 350-401 Complete Course Slides

CHAPTER 1: ARCHITECTURE

Chapter's Agenda:
1.1 Explain the different design principles used in an enterprise network
  1.1.1 Enterprise network design such as Tier 2, Tier 3, and Fabric Capacity planning
  1.1.2 High availability techniques such as redundancy, FHRP, and SSO
1.2 Differentiate between on-premises and cloud infrastructure deployments
1.3 Explain the working principles of the Cisco SD-WAN solution
  1.3.1 SD-WAN control and data plane elements
  1.3.2 Traditional WAN and SD-WAN solutions
1.4 Explain the working principles of the Cisco SD-Access solution
  1.4.1 SD-Access control and data plane elements
  1.4.2 Traditional campus interoperating with SD-Access
1.5 Describe concepts of QoS
  1.5.1 QoS components
  1.5.2 QoS policy
1.6 Differentiate hardware and software switching mechanisms
  1.6.1 Process and CEF
  1.6.2 MAC address table and TCAM
  1.6.3 FIB vs. RIB

1.1 Enterprise Network Design Principles

1.1.1 Tier 2, Tier 3, and Fabric Capacity Planning
- Goals: simplify scaling, simplify troubleshooting
- The choice depends on your network's size and its future growth
- Tier 2 is for small/mid-size networks
  - A single-building network
  - Only 2 tiers (Access and Aggregation)
  - Access:
    - The first layer that faces/authenticates endpoint devices
    - Connects the endpoints to their gateways (aggregation)
  - Aggregation:
    - Aggregates/interconnects all the access layers
    - Runs both Layer 2 and Layer 3 technologies and protocols
    - Runs in pair-device mode (SSO)
- Tier 3 is for mid-size/large enterprises
  - Multiple buildings
  - More east-west traffic
  - Future (horizontal) scaling
  - 3 tiers (Access, Distribution, and Core)
  - Core:
    - Aggregates multiple networks
    - High speed / fast convergence
    - Runs in pair-device mode
    - Runs at Layer 3
    - Connects to the WAN/Internet
    - Connects to servers and other data centers
- Fabric capacity planning

1.1.2 High Availability
- First Hop Redundancy Protocols (FHRP)
  - HSRP, VRRP, and GLBP
  - Run at the Distribution layer
  - Provide a gateway (GW) for endpoints
  - Needed when the Access layer is using Layer 2 technologies

  Protocol                                   | Standard      | Gateways   | Load balancing
  -------------------------------------------|---------------|------------|---------------
  Hot Standby Router Protocol (HSRP)         | Cisco only    | 2 gateways | No
  Virtual Router Redundancy Protocol (VRRP)  | Open standard | 2 gateways | No
  Gateway Load Balancing Protocol (GLBP)     | Cisco only    | 4 gateways | Yes

- Stateful Switchover (SSO)
  - Switches with more than 1 CPU (supervisor)
  - When one CPU fails, the other continues (statefully)
  - Best at the Distribution layer
- Virtual Switching System (VSS)
  - A clustering technique
  - Combines multiple switches so that they act as one switch
  - At the Distribution layer
  - No FHRP is needed then
  - You may also hear "StackWise"

1.2 On-Premises vs. Cloud Infrastructure Deployments
- What is the difference? And which one is the classic, well-known network?
- On-premises: everything is in the office, the company, or its own data center
- Cloud-based: everything is at the cloud company (no headache)

1.3 Software-Defined Wide Area Networks (SD-WAN)
- What is SDN?
  - Where you have "software" that runs your network
  - So, through software you are able to run and administer an entire network, with its different types of devices
  - That needs either a "Controller" or built-in scripting (Cisco TCL, or Python)
- SD-WAN is applying SDN to the WAN part of the network
  - The part that connects multiple networks through the Internet
  - You administer the WAN through software
  - It also contains multiple layers to achieve this approach:
    - Application
    - Controller
    - Infrastructure

1.3.1 SD-WAN Planes
- Generally, the SD-WAN solution consists of 4 planes (orchestration, management, control, and data plane)
- The control plane:
  - Builds/maintains the network topology
  - Makes decisions on where traffic flows
- The data plane:
  - Responsible for forwarding packets
  - Based on decisions from the control plane
- (Diagrams on these slides are taken from the Cisco Live session BRKCRS-2112: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKCRS-2112.pdf)

1.3.2 Traditional WAN and SD-WAN Solutions

  SD-WAN                                                                  | Traditional WAN
  ------------------------------------------------------------------------|------------------------------------------------------------------------
  Centralized management                                                  | Each network device has its own control plane
  Through software you are able to run and administer an entire network   | Configuring, modifying, upgrading, and monitoring is done "box-by-box"
  Automation is easy (API)                                                | Automation is more difficult
  New devices automatically find an initial configuration (ZTP)           | A new installation requires "from scratch" efforts

1.4 Software-Defined Access (SD-Access)
- So, SDN, SD-WAN, and now SD-Access!
- Are they really that different as technologies?
- SD-Access is simply:
  - Applying the SDN solution to your access network
  - SDN controlling and automating a simple campus network
  - And thus, there will be a controller (e.g., Cisco DNA Center, Cisco APIC-EM)
- SDN implementation and its effect upon the planes:
  - Imperative approach
    - The control plane logic resides completely in the controller
    - The controller has complete control over programming the forwarding decisions of the network devices
    - Devices will then ask the controller before any forwarding or routing action
  - Declarative approach
    - The control plane resides within the network device (just like before)
    - The controller declares the requirements of all the forwarding/routing decisions to the network devices
    - The network devices then decide how to translate the controller's instructions into actions
- How the access layer will look: see the SD-Access design guide, http://cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-sdg-2019oct.pdf

1.5 Quality of Service (QoS)
- What if there is more traffic than bandwidth?
- If congestion WILL happen, can some traffic be preferred over other traffic?
- Generally, UDP will be preferred over TCP (TCP will automatically do a retransmission)
- QoS tools that do the specific desired "preferring": Classification & Marking, Policing, Shaping, Queuing, and Scheduling

1.5.1 QoS Components
- Classification & Marking
  - For the ingress traffic/interface
  - Classification first: classify this type of traffic, like "UDP = High, Mail = Low"
  - Then Marking: "marks" the classified traffic to identify it uniquely in the network
  - Classification usually happens by matching port numbers
  - If further recognition is needed: Network-Based Application Recognition (NBAR)
    - Recognizes, identifies, and classifies traffic
    - Based on a wide variety of things: a word, a phrase, a URL
- Policing & Shaping
  - The provider–client relationship
  - Policing:
    - From the provider side
    - Drops the exceeding ingress (incoming) traffic
    - Or marks down that traffic, to be dropped later in the network
  - Shaping:
    - From the client side
    - To avoid misunderstandings or unwanted behavior with the provider
    - Queues the excess egress (outgoing) traffic in the "egress queue"
    - This is called "Queuing"
- Queuing:
  - Dividing the egress queue into multiple sub-queues
  - Each is differentiated by "priority"
  - To deal with classified packets
- Scheduling:
  - How to empty the sub-queues, and by which criteria
- Congestion Management:
  - Tools for Queuing and Scheduling
  - Emptying the queued traffic in the egress queue
  - WFQ, CBWFQ, PQ, LLQ, WRR, SRR, Shaping
- Congestion Avoidance:
  - Tools to avoid congestion before it even happens
  - At the ingress interface(s) (receiving queue)
  - RED, WRED, WTD, Policing
- QoS application in a network
  - Integrated Services
    - Unified settings all the way
    - Uses the Resource Reservation Protocol (RSVP)
  - Differentiated Services
    - Each hop has its own unique settings
    - Uses "Per-Hop Behavior" (PHB)

1.5.2 QoS Policies
- Modular QoS Command-Line (MQC)
  - Applies the QoS tools globally
  - Multiple tools will be available for multiple ports/uses
  - Requires 3 components to operate:
    - Class-Maps
    - Policy-Maps
    - Service-Policies
- Class-Maps
  - Create a list that identifies/matches some characteristics of traffic
  - Classify the "matched" traffic
  - To make this list operate, we need a "Policy-Map"
- Policy-Maps
  - MATCH a Class-Map
  - To apply a specific action to its traffic (queue it, shape it, police it, ...)
  - The same Class-Map can be matched multiple times on multiple interfaces
  - Each time, a different "action" can be taken
  - To apply a "Policy-Map" to one or more interfaces, we need a "Service-Policy"
- Service-Policy
  - Applies a "Policy-Map" to an interface
  - Either "INBOUND" or "OUTBOUND"

1.6 Switching Mechanisms

1.6.1 Device Processing and Cisco Express Forwarding (CEF)
- Process switching:
  - Processing the incoming ingress traffic
  - To switch it to the desired egress (outgoing) interface
  - Done by the CPU, even if the CPU is very busy
  - Known as "IP Input"
- CEF:
  - Establishes an area to store pre-defined decisions, as a reference
  - That area = cache area
  - Done automatically whenever a new protocol is enabled
  - Creates the FIB & Adjacency Table
  - Not everything is CEF switched (a first-time ARP, CDP, encryption)

1.6.2 FIB vs. RIB
- Forwarding Information Base (FIB)
  - Extracted from the "RIB" (Routing Information Base = the routing table)
  - It is the routing table of CEF
  - Always synchronizes with the RIB (routing table)
  - Holds fewer details
  - Some operations are handled by the Adjacency Table, which holds the L2 info (ARP, VLAN, MAC)

1.6.3 CAM (MAC Table) and TCAM
- Content Addressable Memory (CAM)
  - A random-access memory
  - Stores MAC addresses
  - Used for (exact-match) lookups by the forwarding engine
  - MACs are presented as the "MAC Table"
- Ternary Content Addressable Memory (TCAM)
  - Also a random-access memory
  - Stores IP addresses and subnet masks
  - Used for longest-match lookups
  - Addresses and masks are presented as the "Routing Table"

CHAPTER 2: VIRTUALIZATION

Chapter's Agenda:
2.1 Describe device virtualization technologies
  2.1.1 Hypervisor type 1 and 2
  2.1.2 Virtual machine
  2.1.3 Virtual switching
2.2 Configure and verify data path virtualization technologies
  2.2.1 VRF
  2.2.2 GRE and IPsec tunneling
2.3 Describe network virtualization concepts
  2.3.1 LISP
  2.3.2 VXLAN

2.1 Device Virtualization
- Just networks, BUT in a virtualized environment
- Multiple devices inside one
- Ease of management
- The hypervisor: the new mediator between SW and HW
  - Load the hypervisor on the physical HW, after that install the OS on the hypervisor
  - Now the hypervisor = Host, and the OS = Virtual Machine = Guest
- Hypervisors:
  - Schedule the VMs' requests to the HW
  - Distribute the HW resources between the VMs
- Hypervisor types:
  - Type 1:
    - The native or bare-metal hypervisor
    - Runs directly on the HW resources
    - HW --- Hypervisor --- VM
  - Type 2:
    - Hosted
    - Runs as software beside the OS
    - HW --- OS --- Hypervisor --- VM
- How to connect all these?
- Virtual switches:
  - Connect all VMs together like a real switch
  - Assign a virtual Network Interface Card (vNIC) to each VM
  - Exist by default in Type 1 hypervisors
  - After creating a vSwitch & vNICs, all VMs will automatically get connected together
  - Port groups can also be created for complete isolation (like VLANs)
  - There is another vNIC for each VM (for the Internet)
  - Examples: Microsoft Hyper-V virtual switch, ESXi vSwitch

2.2 Data Path Virtualization

2.2.1 Virtual Routing & Forwarding (VRF)
- For service providers with multiple clients
  - Isolate each client in its own "routing table"
  - Allows duplicated addresses
  - Requires an ISP's network: MPLS, VPN, L3VPN, BGP
- BUT, for enterprises: VRF-Lite
  - No extra VPN protocols
  - Classic routing protocols can be used

2.2.2 Generic Routing Encapsulation (GRE)
- Virtually creates a point-to-point (P2P) path
- Virtually isolates some traffic in a path
- Across multiple hops
- Data will be "encapsulated" at L3
- Source and destination ports (tunnel endpoints) must be specified
- Virtual (tunnel) interfaces will be created on the tunnel ends
- NOT SECURED

2.2.3 Internet Protocol Security (IPsec)
- Packets travel unsecured
- Any sniffer or analyzer can read your data!
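To make the "NOT SECURED" point above concrete, here is an added Python example (not code from the course or from Cisco) that builds a GRE packet around a constructed inner payload and parses it back. It implements the RFC 2784 base header plus the optional RFC 2890 key field; the payload bytes, the key value 42 and all function names are constructed for the example. The payload survives encapsulation byte-for-byte, which is exactly what a sniffer on the path sees and what the IPsec slide that follows addresses.

```python
"""GRE encapsulation and decapsulation (added example, not course material).

A GRE packet is a 4-byte base header (flags/version, protocol type), optional
checksum/key/sequence fields, and then the tunneled packet unchanged. Nothing
in the header hides or authenticates the payload.
"""
import struct
from typing import Optional

GRE_PROTO_IPV4 = 0x0800   # protocol type (EtherType) of the inner packet
FLAG_CHECKSUM = 0x8000    # C bit
FLAG_KEY = 0x2000         # K bit (RFC 2890)
FLAG_SEQ = 0x1000         # S bit (RFC 2890)
VERSION_MASK = 0x0007     # low 3 bits of the first 16-bit word


def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4,
                    key: Optional[int] = None) -> bytes:
    """Prepend a version-0 GRE header (with a key if given) to `payload`."""
    flags = FLAG_KEY if key is not None else 0
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload


def _field(packet: bytes, offset: int, fmt: str):
    """Unpack one header field, refusing to read past the end of the packet."""
    size = struct.calcsize(fmt)
    if offset + size > len(packet):
        raise ValueError("GRE header truncated")
    return struct.unpack(fmt, packet[offset:offset + size])[0], offset + size


def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE packet into its header fields and the carried payload."""
    flags, offset = _field(packet, 0, "!H")
    proto, offset = _field(packet, offset, "!H")
    if (flags & VERSION_MASK) != 0:
        raise ValueError("only GRE version 0 is handled")
    fields = {"proto": proto, "checksum": None, "key": None, "seq": None}
    if flags & FLAG_CHECKSUM:
        fields["checksum"], offset = _field(packet, offset, "!H")
        _, offset = _field(packet, offset, "!H")      # reserved1, skipped
    if flags & FLAG_KEY:
        fields["key"], offset = _field(packet, offset, "!I")
    if flags & FLAG_SEQ:
        fields["seq"], offset = _field(packet, offset, "!I")
    fields["payload"] = packet[offset:]
    return fields


def payload_in_clear(packet: bytes, payload: bytes) -> bool:
    """What a sniffer sees: the tunneled bytes appear verbatim in the GRE packet."""
    return payload in packet


# Constructed sample inner data (an HTTP request line and headers).
INNER = b"GET /hr/payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    pkt = gre_encapsulate(INNER, key=42)
    print(gre_decapsulate(pkt))
    print("readable on the wire:", payload_in_clear(pkt, INNER))
```

Running the block shows the parsed header (`proto` 0x0800, `key` 42) and `readable on the wire: True`; the same exercise with an IPsec ESP-protected payload would show only ciphertext, which is the motivation for the next slide.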
- IPsec is a bunch of tools; pick the set you like to secure your data
  - Confidentiality: encrypts the data all the way
  - Data integrity: guarantees delivery of the original (unmodified) data
  - Authentication: only the trusted ends can communicate
  - Anti-replay: rejects regenerated or duplicated packets
- To provide and establish all of the CIA and R (anti-replay):
  - Security Associations (SAs) will be exchanged between the peers
  - Things like tools, algorithms, protocols, and keys will be negotiated
- Security Association parameters
  - Hashing: digesting data by using a one-way algorithm (MD5, SHA)
  - Encryption: locking data by using a 2-way (reversible) algorithm
  - Shared passwords (pre-shared keys)
  - All of the above is configured either statically or dynamically (IKE)
  - Static means that every parameter is defined manually
- Dynamic (Internet Key Exchange, IKE)
  - A group of SAs
  - The tunnel ends negotiate the SAs they accept
  - IKE has versions 1 and 2
  - IKEv1 creates 2 tunnels (in 2 phases):
    - Phase 1: establishes an authenticated tunnel; it requires:
      - Authentication (PSK or PKI)
      - Encryption (DES, 3DES, or AES)
      - Hash (SHA or MD5)
      - DH group
      - Lifetime (optional)
    - Phase 2: negotiates SAs between the endpoints (destination, data, and transport method)
  - PSK requires a password

2.3 Network Virtualization

2.3.1 Locator/ID Separation Protocol (LISP)
- Also a tunneling protocol (like GRE)
- Establishes a tunnel between edge routers and the WAN
- Separates location from identity
  - Identity: IP address of the host (Endpoint ID, EID)
  - Location: IP address of the host's GW (Routing Locator, RLOC)
  - RLOC = the address facing the WAN
- Useful in the case of:
  - Load sharing with the provider (multi-homed)
  - Tunneling IPv6 over an IPv4 infrastructure
  - Other VPN uses
- 2 devices are required to perform the separation and the mapping (map this EID to that RLOC):
  - A Map Server (MS) and a Map Resolver (MR)
  - They can be combined in a single device

2.3.2 Virtual Extensible Local Area Network (VXLAN)
- A tunneling protocol
- For data centers
- Replaces VLAN, as it gives 2^24 = 16,777,216 VLANs (segments)
- Transports L2 over L3
- Extends L2 connectivity over an L3 infrastructure
- Supports ECMP over a Clos (spine-and-leaf) topology
- Requires an L2 GW and an L3 GW
- The same VXLAN number can be used on multiple sites
  - Thus, the same broadcast domain will be stretched between sites

CHAPTER 3: INFRASTRUCTURE

Chapter's Agenda:
3.1 Layer 2
  3.1.1 Troubleshoot static and dynamic 802.1Q trunking protocols
  3.1.2 Troubleshoot static and dynamic EtherChannels
  3.1.3 Configure and verify common Spanning Tree Protocols (RSTP and MST)
3.2 Layer 3
  3.2.1 Compare routing concepts of EIGRP and OSPF (advanced distance vector vs. link state, load balancing, path selection, path operations, metrics)
  3.2.2 Configure and verify simple OSPF environments, including multiple normal areas, summarization, and filtering (neighbor adjacency, point-to-point and broadcast network types, and passive interface)
  3.2.3 Configure and verify eBGP between directly connected neighbors (best path selection algorithm and neighbor relationships)
3.3 IP Services
  3.3.1 Describe Network Time Protocol (NTP)
  3.3.2 Configure and verify NAT/PAT
  3.3.3 Configure first hop redundancy protocols, such as HSRP and VRRP
  3.3.4 Describe multicast protocols, such as PIM and IGMP v2/v3

3.1 Layer 2 Infrastructure Technologies

3.1.1 Static and Dynamic 802.1Q Trunking Protocols
- Static is to configure every port as either:
  - Auto (default): waits for the other side to negotiate
  - Desirable: starts negotiating trunking
- Dynamic (enabled by default)
  - Only requires one side to enable trunking
  - Negotiations will happen dynamically
  - Negotiations can be "disabled"

3.1.2 Static and Dynamic EtherChannels
- EtherChannels are supported on Cisco switches
- Supporting both the LACP and PAgP negotiation protocols
  - Those are the static negotiation EtherChannel protocols
- LACP uses:
  - Active: initiates bundling negotiations
  - Passive: waits for the other side to initiate
- PAgP uses:
  - Desirable: initiates bundling negotiations
  - Auto: waits for the other side to initiate
- Dynamic:
  - Mode ON: no negotiations, direct bundling (mostly L3)

3.1.3 Common Spanning Tree Protocols
- We need redundancy, but then there will be a broadcast message. What will happen?
- Then how can we prevent what is called a "LOOP", AKA a "broadcast storm"?
- STP requires an election to be performed first
  - The winner must have: 1. the lowest priority, 2. the lowest MAC address
- After that, port roles and states will be assigned:
  - Designated Port: Forwarding state
  - Root Port: Forwarding state
  - Alternate Port: Blocking state
- The entire election process takes 30–50 seconds:
  Max Age (20 s) + Forwarding Delay (15 s) + Learning Delay (15 s) = 50 seconds
- In order to speed things up:
  - Rapid STP: NO Listening, NO Blocking; only Discarding, Learning, and Forwarding
  - Then the delay becomes 3 + 3 = 6 seconds
- What is the BIG benefit of redundancy then, if STP is blocking ports?
  - There is Per-VLAN STP (PVST)
  - Each VLAN can have its own election, so each VLAN will have its own root
  - Things are much better now
  - Especially since there is RPVST+ (faster)!
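The election rule given above (lowest priority, then lowest MAC) run once per VLAN is short enough to model in a few lines. The following Python is an added example, not code from the course or from Cisco: the switch names, MAC addresses and priorities are constructed, and `elect_root` / `elect_all` are names chosen for this example. It encodes the bridge ID the way PVST/RPVST+ compare it (the configured priority plus the VLAN number as the extended system ID, then the MAC as the tiebreaker), which is why the priority must be a multiple of 4096.

```python
"""Per-VLAN STP root election (added example, not from the course slides)."""


def mac_to_int(mac: str) -> int:
    """Accept 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' and return a comparable integer."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as compared on the wire: priority + extended system ID (VLAN), then MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac_to_int(mac))


def elect_root(switches: dict, vlan: int) -> str:
    """Return the name of the root bridge for one VLAN.

    switches maps name -> {"mac": str, "default_priority": int,
                           "priority": {vlan: int}}   # per-VLAN override, optional
    """
    candidates = []
    for name, sw in switches.items():
        prio = sw.get("priority", {}).get(vlan, sw["default_priority"])
        candidates.append((bridge_id(prio, vlan, sw["mac"]), name))
    # Tuple comparison does the election: lowest priority first, lowest MAC breaks ties.
    return min(candidates)[1]


def elect_all(switches: dict, vlans) -> dict:
    """Run the election for every VLAN (PVST/RPVST+: one tree per VLAN)."""
    return {vlan: elect_root(switches, vlan) for vlan in vlans}


# Constructed sample: two distribution switches, each tuned to win one VLAN,
# and an access switch left at the default priority of 32768.
SWITCHES = {
    "Dist-A":   {"mac": "0011.2233.4455", "default_priority": 32768, "priority": {10: 4096}},
    "Dist-B":   {"mac": "0011.2233.4400", "default_priority": 32768, "priority": {20: 4096}},
    "Access-1": {"mac": "0011.2233.0001", "default_priority": 32768},
}

if __name__ == "__main__":
    for vlan, root in elect_all(SWITCHES, [10, 20, 30]).items():
        print(f"VLAN {vlan}: root bridge = {root}")
```

VLAN 30 has no priority override, so the election falls through to the MAC tiebreaker and the access switch wins; that is the case the slide's question about "the BIG benefit of redundancy" is really about, and the reason root bridges are pinned with an explicit priority rather than left to the default.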
- RPVST+ can be further simplified by using MST
  - Instances (groups) that require a domain name and a revision number
  - Each instance will have its own tree

3.2 Layer 3 Infrastructure Technologies

3.2.1 Enhanced Interior Gateway Routing Protocol (EIGRP)
- A hybrid protocol
  - Classified as a "distance vector" protocol
  - It combines both the D.V. and L.S. methods of measuring the metric
- IP protocol number = 88
- Diffusing Update Algorithm (DUAL)
- AD = 90
- Metric = the result of the 5 K's formula:
  Metric = 256 * [ (K1*Bandwidth + (K2*Bandwidth)/(256 - Load) + K3*Delay) * (K5/(Reliability + K4)) ]
  (when K5 = 0 the last factor is left out, i.e. treated as 1)
- The default K values: K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0
- Bandwidth is per link (the lowest on the path counts), while Delay is cumulative
- EIGRP applies the formula to elect its main path
  - For redundant paths, the Feasibility Condition (FC) is used
  - The main path is the one with the lowest metric calculated among the available paths
    - The Feasible Distance (FD) → Successor
  - The redundant path is the one with the lowest "advertised" metric from the neighbor
    - The Reported/Advertised Distance (RD) → Feasible Successor (FS)
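The formula and the successor / feasible-successor rules above can be carried through on a small topology. The Python below is an added example, not code from the course or from Cisco: it implements the 5-K formula with the IOS scaling (bandwidth term = 10^7 divided by the lowest link bandwidth in kbps, delay term = cumulative delay in tens of microseconds, K5 = 0 omits the reliability factor), then applies the feasibility condition (RD < FD) and the `variance` multiplier. The router names, link speeds and delays are constructed; `select_paths` is a name chosen for this example.

```python
"""EIGRP composite metric and feasibility condition (added example, not course material)."""
from typing import List, Tuple

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 defaults from the slides


def eigrp_metric(bandwidth_kbps: List[int], delay_usec: List[int],
                 load: int = 1, reliability: int = 255, k=DEFAULT_K) -> int:
    """Composite metric of a path made of the given links, in IOS integer arithmetic.

    bandwidth_kbps / delay_usec hold one entry per link on the path.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min(bandwidth_kbps)     # slowest link decides the bandwidth term
    dly = sum(delay_usec) // 10                 # delays add up along the path
    inner = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                                 # reliability factor only when K5 is set
        inner = inner * k5 // (reliability + k4)
    return 256 * inner


Path = Tuple[str, int, int]   # (neighbor, reported distance, local metric via that neighbor)


def select_paths(paths: List[Path], variance: int = 1):
    """Apply the slides' rules to a list of candidate paths.

    Returns (successor, feasible_successors, load_balanced):
    - successor: the path with the lowest local metric; that metric is the FD
    - feasible successor: any other path whose RD is lower than the FD
    - load_balanced: feasible successors whose metric <= variance * FD
    """
    successor = min(paths, key=lambda p: p[2])
    fd = successor[2]
    feasible = [p for p in paths if p is not successor and p[1] < fd]
    balanced = [p for p in feasible if p[2] <= variance * fd]
    return successor, feasible, balanced


# Constructed topology: R1 reaches network X through three neighbors.
# RD is what the neighbor advertises (its own metric to X); the local metric
# adds the R1-to-neighbor link in front of it.
PATHS: List[Path] = [
    ("R2", eigrp_metric([1544], [20000]),  eigrp_metric([100000, 1544], [100, 20000])),
    ("R3", eigrp_metric([10000], [1000]),  eigrp_metric([10000, 10000], [1000, 1000])),
    ("R4", eigrp_metric([10000], [1000]),  eigrp_metric([2048, 10000], [20000, 1000])),
]

if __name__ == "__main__":
    for variance in (1, 6):
        succ, feas, bal = select_paths(PATHS, variance)
        print(f"variance {variance}: successor={succ[0]} FD={succ[2]} "
              f"feasible={[p[0] for p in feas]} load-balanced={[p[0] for p in bal]}")
```

R2 is never a feasible successor: its reported distance is higher than the FD, so DUAL cannot prove the path is loop-free and it is kept out even though it exists. R4 passes the feasibility condition but only enters the routing table once `variance` is large enough (6 here) to cover its much worse metric, which is the "requires the activation of variance" point below.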
  - Only those paths can be used for unequal-cost load balancing (UCLB), which requires the activation of "variance"

3.2.2 Open Shortest Path First (OSPF)
- Link-state protocol
- Dijkstra algorithm: the SPF algorithm for route decisions
- AD = 110
- Metric = Cost (lower = better)
- Process ID for multiple instances
- Area ID for database isolation
- Link-State Advertisements: the negotiation between OSPF routers; it contains:
  - LSRequest (LSR): asks for the missing information
  - LSUpdate (LSU): reply to the LSR
  - LSAcknowledgement (LSAck): reply to the LSU
- Neighboring process: (diagram on the original slide)
- Link-State Advertisements (LSAs)
  - Multiple types, depending on the advertisement they carry
  - LSA Type 1 (Router LSA): describes the router's local OSPF links
  - LSA Type 2 (Network LSA): describes the local OSPF links of a multi-access segment, generated by the DR
  - LSA Type 3 (Network Summary LSA): from the ABR, to reach links in other areas
  - LSA Type 4 (ASBR Summary LSA): from the ABR, to reach ASBRs
  - LSA Type 5 (External LSA): for ASBR redistribution
  - LSA Type 7 (NSSA External LSA): for an ASBR in an NSSA
- OSPF neighbor types:
  - A neighboring router can be a P2P neighbor; in this case no problems
  - Or it can be connected through a "SWITCH"!
  - Broadcast will happen, so elections must take place
  - Only one router should update the topology: the DR
  - DR (Designated Router): highest router priority (0–255, default = 128)
    - Or highest Router ID
    - Router ID (RID): a 32-bit address
  - The DR needs a BDR (second best of everything)
- OSPF summarization
  - To make all the routers in all the areas able to communicate, the LSDBs must synchronize
  - Routes and advertisements must be exchanged
  - Some routers will receive "too much" information about other areas, utilizing more resources
  - This can be filtered (on ABRs)
  - Just summarize some prefixes and advertise one prefix instead
    - Done by generating a Type 3 LSA
  - Or, filter these prefixes by not generating the Type 3 LSA toward the other router

3.2.3 Border Gateway Protocol (BGP)
- The only WAN routing protocol
- Developed from EGP
- Uses TCP 179
- Isolates peering from neighbor advertising
- Needs ASNs to operate
- Can be used internally (iBGP) or externally (eBGP)
- Flexible to apply filters, maps, policies, and attributes
- AD = 20 (eBGP) / 200 (iBGP)
- Metric = attributes
- Attributes affect path selection for packets
- BGP attributes (in best-path order):
  - Next-hop
  - Weight: highest
  - Local Preference: highest
  - Locally originated
  - AS-Path: shortest
  - Origin
  - MED: lowest
  - External over internal
  - IGP metric to next-hop
  - Multipath
- BGP neighbor relationships: figure from Edgeworth B., Rios R.G., Hucaby D., Gooley J., CCNP and CCIE Enterprise Core ENCOR 350-401 (Official Cert Guide)
3.3 IP Services

3.3.1 Network Time Protocol (NTP)
- We have to stay synchronized
- Gives precise information, with the real time and date
- Either by setting an internal clock manually
- Or by asking someone to inform us about the time
- Uses UDP 123
- Each network device can be either a server or a client
- Stratum is needed:
  - How preferred and accurate this source is
  - Ranges from 0 to 15; the closer (lower), the better
  - By default, a Cisco router = 8

3.3.2 Network Address Translation (NAT)
- Private IP addresses must not go to the Internet!
- Public IP addresses should not be assigned to private devices!
- Then NAT will translate private to public and vice versa
- NAT is done "ONLY" by routers: no switches, no MLSs
- It can be:
  - Static: one-to-one translation
  - Dynamic: group-to-group translation
- Still, this did not solve everything; IP exhaustion is still there
- So here comes PAT (Port Address Translation)
  - Also called NAPT, or NAT Overload
  - PAT will do a one-to-65535 translation

3.3.3 First Hop Redundancy Protocols (FHRP)
- What if the gateway goes down?
- A redundant gateway must be there
- But how to redirect the requests from one to the other?
- How many backups can there be?
- The protocols that do this:

  Protocol                                   | Standard      | Gateways   | Load balancing
  -------------------------------------------|---------------|------------|---------------
  Hot Standby Router Protocol (HSRP)         | Cisco only    | 2 gateways | No
  Virtual Router Redundancy Protocol (VRRP)  | Open standard | 2 gateways | No
  Gateway Load Balancing Protocol (GLBP)     | Cisco only    | 4 gateways | Yes

3.3.4 Multicast
- The one-to-group transmission
- Only one sender, but multiple "specific" receivers
- Better than having multiple senders and multiple receivers
- The one sender will send only 1 packet to a multicast router
- The multicast router will "replicate" the packet to multiple destinations
- The multicast router = "Rendezvous Point" (RP)
- So, the entire operation will be done by the multicast router
- In order to assign specific receivers, create a "group" and "join" the receivers and that one sender to the group
- Uses the IPv4 block 224.0.0.0/4
- Uses the MAC range 0100.5E00.0000 – 0100.5E7F.FFFF
- Two types of protocols are needed
- A protocol that joins the receivers to the group:
  - Internet Group Management Protocol (IGMP)
    - Responsible for joining the receivers with the Rendezvous Point
    - Tells the RP that some receivers want to receive from "224.X.X.X"
    - BUT, those receivers have no idea about the sender
  - IGMP comes in 3 versions:
    - IGMPv1 (obsolete)
    - IGMPv2 (Cisco default)
      - Builds a shared tree
      - Creates (*, G)
    - IGMPv3
      - Builds a shortest-path tree (SPT)
      - Creates (S, G)
      - Uses Source-Specific Multicast (SSM)
      - SSM block = 232.0.0.0/8
      - SSM informs the receivers about the sender
      - NO need for an RP
- Also, a routing protocol is needed:
  - Protocol Independent Multicast (PIM)
    - Routes between the receivers' routers and the RP
    - Requires an IGP
    - v2 is the default
    - 2 modes:
      - Dense Mode: like broadcast (obsolete)
      - Sparse Mode: connects the receiver's router to the RP
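The MAC range quoted in the multicast slide (0100.5E00.0000 – 0100.5E7F.FFFF) comes from a fixed mapping: the prefix 01:00:5E, a zero bit, and the low 23 bits of the group address. The Python below is an added example, not code from the course or from Cisco; the group addresses are constructed samples and the function names are chosen for this example. It performs the mapping, checks membership in the SSM block mentioned above, and enumerates the 32 groups that share one MAC, since only 23 of a group address's 28 significant bits survive the mapping. That overlap is why a NIC or switch filtering on MAC alone can deliver frames for groups a host never joined, and why IGMP snooping and (S, G) state matter for containment.

```python
"""IPv4 multicast group-to-MAC mapping (added example, not from the course slides)."""
import ipaddress
from typing import List

MCAST_MAC_PREFIX = 0x01005E000000   # 01:00:5E:00:00:00 with the 24th bit fixed to 0
LOW_23_BITS = 0x7FFFFF


def group_to_mac(group: str) -> str:
    """Return the Ethernet destination MAC used for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:                    # outside 224.0.0.0/4
        raise ValueError(f"{group} is not a multicast group address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW_23_BITS)
    return ":".join(f"{b:02x}" for b in mac.to_bytes(6, "big"))


def mac_overlap_groups(group: str) -> List[str]:
    """All 32 group addresses that map to the same MAC as `group`.

    The mapping drops the 5 bits between the 1110 class-D prefix and the low 23
    bits, so every combination of those 5 bits lands on the same frame address.
    """
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    groups = []
    for dropped in range(32):
        value = (0xE << 28) | (dropped << 23) | low23
        groups.append(str(ipaddress.IPv4Address(value)))
    return groups


def is_ssm(group: str) -> bool:
    """True when the group is in the SSM block 232.0.0.0/8 used with IGMPv3 (S, G) joins."""
    return ipaddress.IPv4Address(group) in ipaddress.IPv4Network("232.0.0.0/8")


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.255.0.1", "224.128.0.1", "232.1.1.1"):   # constructed
        print(f"{g:>12} -> {group_to_mac(g)}  ssm={is_ssm(g)}")
    print("groups sharing the MAC of 224.0.0.1:", mac_overlap_groups("224.0.0.1")[:4], "...")
```

Note that 224.0.0.1 (all hosts) and 224.128.0.1 differ only in one of the dropped bits and therefore share 01:00:5e:00:00:01, so a link-layer filter alone cannot tell them apart.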
CHAPTER 4: NETWORK ASSURANCE

Chapter's Agenda:
4.1 Diagnose network problems using tools such as debugs, conditional debugs, traceroute, ping, SNMP, and syslog
4.2 Configure and verify device monitoring using syslog for remote logging
4.3 Configure and verify NetFlow and Flexible NetFlow
4.4 Configure and verify SPAN/RSPAN/ERSPAN
4.5 Configure and verify IP SLA
4.6 Describe Cisco DNA Center workflows to apply network configuration, monitoring, and management
4.7 Configure and verify NETCONF and RESTCONF

4.1 Network Problem Diagnosing Tools
- Ping & Traceroute
  - Ping uses ICMP (Echo Request & Echo Reply)
  - Traceroute uses UDP
- Debug & Conditional Debug
  - Debug
    - Detailed information about the behind-the-scenes operations
    - It supports and shows almost everything of almost every protocol
  - Conditional Debug
    - More specific
    - Detailed information about a specific operation, BUT per interface, per address, etc.
- SNMP & Syslog
  - Simple Network Management Protocol (SNMP)
    - Monitor networks from a single point of view
    - Server/agent relationship
    - Uses UDP 161
    - The server is the requester (and recorder)
    - At the agent side:
      - MIB object (the factory)
      - Agent (the messenger)
    - SNMP versions:
      - v1: obsolete
      - v2c: enhanced
      - v3: supports authentication & encryption
    (Screenshot reference: https://www.paessler.com/network_monitor_software)
  - System Logging (Syslog)
    - Stay aware of "everything"
    - Know all that is happening behind the scenes (or even in front of them)
    - Starts from the obvious information up to "Emergency"
    - Server/client relationship
      - The server can be a normal server that collects all the logs
      - The server can use the "Syslog" or "Splunk" software
      - The client is the networking device that generates the logs
    - Severity levels:

      0 = Emergency
      1 = Alert
      2 = Critical
      3 = Error
      4 = Warning
      5 = Notification
      6 = Information
      7 = Debug

    - Mnemonic: "Every Awesome Cisco Engineer Will Need Ice-Cream Daily"
    (Screenshot reference: https://www.solarwinds.com/-/media/solarwinds/swdcv2/licensed-products/log-manager/images/product-screenshots/lm-real-time-log-stream.ashx)

4.2 Syslog Logging Types
- Console logging: shows logs to the console user
- Terminal logging: shows logs to the line VTY user
- Buffered logging: stores some logs in RAM
- Remote logging:
  - Collects and sends syslog messages to a remote server
  - The remote server must be reachable via an interface
  - The remote server must have a syslog application
  - Monitoring will occur from the server side
  - Example:
    Router(config)#logging host x.x.x.x
    Router(config)#logging trap <0-7>
    Router(config)#logging source-interface Loopback0
4.3 NetFlow
- Specifically, what type of traffic is passing?
  - Not the amount, the type: like Telnet, SSH, HTTP, etc.
  - More info about every type of flow
- By Cisco
- Works with SNMP
- NetFlow client (node) = generator (exporter)
- NetFlow server = collector (application)
- Exports to UDP 2055 (can be modified)
- NetFlow data can also be shown in the CLI
- Versions:
  - v5: popular for IPv4
  - v9: template-based flow records, supports IPv6
    - Flexible: define what to collect and what to export
- Flexible NetFlow:
  - More options:
    - Multiple exporters
    - Collects more data (more fields)
    - Flexible at collecting and exporting
  - Uses Flow Monitors
    - Multiple monitors for multiple collections

4.4 Switched Port Analyzer (SPAN)
- SPAN assigns a switchport to be analyzed, called the SPAN source
  - Analyzes all types of traffic passing through this port
- It assigns a different port as the analysis exporter, called the SPAN destination
  - SPAN destination ports will only be used for monitoring
  - They no longer forward regular frames at all
  - A SPAN source can be used in multiple sessions
  - A SPAN destination can't be used in multiple sessions
- Remote SPAN (RSPAN)
  - When the destination is an interface on another switch of the same network
  - Reachable through VLANs (trunk ports)
- Encapsulated Remote SPAN (ERSPAN)
  - When the destination is an interface on another switch in a different network!
  - Reachable through L3 connectivity and routing
  - Requires tunneling to connect source and destination, like a GRE tunnel

4.5 IP Service Level Agreement (IP SLA)
- Performs a specific operation from a specific source to a specific destination
  - Like ICMP, HTTP, TCP, UDP, etc.
- Logs statistics about the successes/failures of that operation
- Enhanced Object Tracking (SLA track)
  - Monitors the statistics of IP SLA
  - Performs an action based on the statistics output

4.6 Cisco DNA Center Workflows
- All the processes that DNAC performs on the nodes are categorized under 4 main functions, the "pillars"
- Under each pillar, a procedure of steps happens to the nodes; that procedure is called a "workflow"
- The 4 pillars with their workflows:
  - Design:
    - Design and create the topology of the network
    - Assign nodes to groups and profiles
  - Policy:
    - Create and modify the network operations based on a policy
    - Policies will be processed and automatically applied to all nodes
  - Provision:
    - Add and initiate new nodes, to join the network and start operating
    - Configure/modify the config of all nodes
  - Assurance:
    - Monitor and manage the network

4.7 NETCONF & RESTCONF
- Network Configuration Protocol (NETCONF)
  - Responsible for collecting and exporting network devices' configuration
  - As well as importing and implementing network devices' configuration
  - By using SSH to connect to each device
  - Can SSH to multiple devices at the same time; thus, applying multiple functions to multiple devices at the same time is possible
  - Utilizes the YANG model
  - Uses TCP 830
  - Uses XML (and supports JSON)
- NETCONF architecture
  - NETCONF agent = node
  - NETCONF manager = server
  - NETCONF datastores (3 databases)
    - Store configuration information at the agent
    - Running datastore, startup datastore, and candidate datastore
  - The server can access a node from a Windows, macOS, or Linux terminal
- Representational State Transfer Configuration Protocol (RESTCONF)
  - Like NETCONF, but over HTTPS; so, TCP 443
  - Utilizes HTTP verbs (GET, PUT, POST, DELETE)
  - Uses JSON (and supports XML)
    (and supports XML)
  - utilizes YANG models

CHAPTER 5: NETWORK SECURITY
- Chapter's Agenda:
  5.1 Configure and verify device access control
    5.1.a Lines and password protection
    5.1.b Authentication and authorization using AAA
  5.2 Configure and verify infrastructure security features
    5.2.a ACLs
    5.2.b CoPP
  5.3 Describe REST API security
  5.4 Describe the components of network security design
    5.4.a Threat defense
    5.4.b Endpoint security
    5.4.c Next-generation firewall
    5.4.d TrustSec, MACsec
    5.4.e Network access control with 802.1X, MAB, and WebAuth

5.1 Device Access Control
5.1.a Lines and password protection
- there are multiple ways to access a device
- Line Console
  - through the console port
  - can be accessed directly, no protection
  - can be protected by:
    - assigning a login password
    - the login password can/can't be encrypted
  - a second step of protection can be applied
    - the "enable password" method
    - will not work if the password is fully privileged

- Line Aux:
  - same as Line Console
  - through the AUX port
- Line VTY
  - for remote access
  - requires a remote session to be established
    - either by Telnet or SSH
  - multiple sessions can be established at the same time
    - through multiple lines
  - protection can also be by:
    - login password
    - enable password
    - full privilege

5.1.b Authentication and authorization using AAA
- using the "3 brothers" protocol, AAA
  - Authentication, Authorization, and Accounting
- requires username, password, and a privilege level
  - for every login connection to be established
- privileges of every account will be based on the Authorization profile
- all of that can be achieved:
  - Locally:
    - by locally creating credentials and privilege levels
    - under AAA models
    - apply the
  model to the access interface (lines)

  - Remotely:
    - by an AAA server
    - uses either the RADIUS or TACACS+ protocol
    - all the profiles will be created in the server
    - for every login session, the node will ask the server
      - for all the AAA parameters
    - losing the connection to the server, with no local model
      - will lose access to the node
- Privilege Levels:
  - privilege level 0: includes the disable, enable, exit, help, and logout commands
  - privilege level 1: includes all user-level commands at the router> prompt
  - privilege level 15: includes all enable-level commands at the router> prompt
*default privilege for Line VTY = 1
*default privilege for Line Console 0 = 15

5.2 Infrastructure Security
5.2.a Access Control List
- specific permissions for users/networks
- limits reachability and access
  - by using allow/deny rules
- ACL Types
  - Standard:
    - based on source host/network
    - range of 1-99
    - NO specific permissions
  - Extended:
    - based on source & destination hosts/networks/ports/services
    - range of 100-199
    - specific, detailed permissions (L4 & L5 parameters)
  - Named: a combination, hierarchy mode, a name for each list

5.2.b Control Plane Policing (CoPP)
- some tasks are performed by the processor
  - utilizes the processor, of course
- some attackers tend to replicate thousands of tasks to the processor
  - the Denial-of-Service (DoS) attack
- protects all the processor-performed tasks
  - from any DoS attack
- limits the end users allowed to perform a task by the processor
- also limits the amount of traffic reaching the processor
*sometimes DoS can fully utilize the processor by injecting too much traffic
*sometimes by requiring the processor to generate heavy traffic

5.3 Representational State Transfer API Security (REST API Security)
- the most common type of web-service
  API
- utilizes HTTP verbs (GET, PUT, POST, DELETE)
- any person is allowed and able to use it
  - by using any type of service that is carried by HTTP/HTTPS
- securing the APIs is important
  - meaning securing the content sent and the content received
- authentication and authorization are required to limit privileges
- encryption is mandatory whenever possible (API keys)
- secure the "JSON" encoding by using JSON Web Token (JWT)
- secured certificates are needed, use HTTPS
- better to start the limitation of privileges by:
  - denying everything from everyone
  - start giving permissions based on real privileges

5.4 Network Security Design Components
- Threat Defense & Endpoint Security
  - the network mostly is designed as layers
    - layers from the edge to the core
  - multiple devices, platforms, and vendors are expected
  - each one must be protected individually:
    - Edge Router: ACLs, CoPP, and some policies can protect
    - Firewall: analyzing traffic, deep inspection, applying policies
    - Switch: ACLs, VACLs, and port-security features

- Endpoints: very important to protect as well:
  - from stealing personal data
  - from stealing confidential data
  - by using multiple types of software
    - Anti-Malware
      - any suspected element should be detected and removed
      - done by synchronizing and updating the defense database
        - contains all the types of abnormal elements
        - Malware, Viruses, Trojans, Hijacks, and others

- Next-Generation Firewalls (NGFW)
  - Firewalls protect you from the internet
    - applying some restrictions to your network
  - separate connections into zones
    - inspect based on zones
  - can perform ACLs, Routing, and NAT
  - Intrusion Prevention Systems (IPS) do deep packet inspection (DPI)
    - trying to spot attacks
  - Next-Generation Firewalls (NGFW) = FW + IPS

- TrustSec
  - multiple users mean multiple privileges
  - multiple services mean more limitations must be applied to privileges
    - it can reach a high level of complexity
  - TrustSec will create a Security Group Tag (SGT)
    - will tag each end user uniquely to a group
    - privileges will be assigned to the tag
  - done by an AAA server
    - receives the AAA request from the end user
    - tags the user with an SGT
    - and pushes a Security Group ACL (SGACL) to the switch (of the end device)

- MACsec
  - responsible for encrypting data sent through switches
    - for L2 infrastructures
  - performed hop by hop (L2 hop) !!!
    - each hop will have different encryption
    - encryption and decryption will happen for every hop
  - requires software at the end user from the beginning
  - can cooperate with TrustSec

- 802.1X, MAB, and WebAuth
  - port authentication
    - authenticates end devices connecting to a port in the network
    - by authenticating the port of the switch
    - assigning privileges based on the credentials/profiles
  - by using 802.1X
    - authentication will require:
      - an AAA server (Authentication Server)
      - a switch directly connected to the end device (Authenticator)
      - an end device (Supplicant)
    - 802.1X must be supported all the way from the Supplicant to the Authentication Server
    - authenticating the end device by its port will be achieved using credentials

  - by using MAC Authentication Bypass (MAB)
    - IF the end user (supplicant) does not support 802.1X
    - authentication will be done based on the end device's MAC address
      - the authenticator will carry the MAC address
      - authentication and authorization will be achieved based on the MAC address of every supplicant
  - by using Web Authentication
    - applied and enabled on a WLC
    - to authenticate through a web browser
      - carried by HTTP
    - also requires 802.1X to be activated on the authenticator
    - supports Pre-shared Key to
      encrypt user data

CHAPTER 6: WIRELESS LOCAL AREA NETWORKS (WLAN)
- Chapter's Agenda:
  6.1 Analyze design principles of a WLAN deployment
    6.1.a Wireless deployment models (centralized, distributed, controller-less, controller based, cloud, remote branch)
    6.1.b Location services in a WLAN design
  6.2 Wireless
    6.2.a Describe Layer 1 concepts, such as (RF power, RSSI, SNR, interference noise, band and channels, and wireless client devices capabilities)
    6.2.b Describe AP modes and antenna types
    6.2.c Describe access point discovery and join process (discovery algorithms, WLC selection process)
    6.2.d Describe the main principles and use cases for Layer 2 and Layer 3 roaming
    6.2.e Troubleshoot WLAN configuration and wireless client connectivity issues
  6.3 Configure and verify wireless security features
    6.3.a EAP
    6.3.b WebAuth
    6.3.c PSK

6.1 WLAN Design Principles
6.1.a Deployment Models
- Autonomous Architecture
  - Autonomous (Independent) Access Points
  - Independent Management (GUI)
  - one or more SSIDs (each = 1 VLAN)
*when having multiple SSIDs, and each will be 1 VLAN, the back link should be a trunk
*adding a new SSID requires logging in to each AP individually
- Split-MAC Architecture
  - there is a WLC
  - APs now will be called Lightweight APs (LAPs)
  - WLCs will manage (RF, QoS, AAA, Policies)
  - APs will do (RF TX/RX of frames, RF Collision Detection, MAC & Data Management)

- Cloud-Based Architecture
  - also a WLC
    - but remote (through public cloud, or private cloud)
  - also LAPs
  - might be a Cisco Meraki (does self-config to the LAPs)
  - or a Cisco Cat.
    9800-CL
*when having a WLC & LAP scenario, there will be a private tunnel between them; it will encapsulate and transfer all the control and data information between the WLC and LAPs; it is called "Control and Provisioning of Wireless AP" or "CAPWAP"
  - 2 tunnels (control tunnel = UDP 5246, data tunnel = UDP 5247)
    - control tunnel (encrypted and authenticated)
    - data tunnel (not encrypted by default)

- Centralized WLAN Architecture
  - a single WLC that controls all the LAPs
    - might be placed in the DC, or near the edge of the network
  - all data must pass through the CAPWAP tunnel to reach the WLC
    - even if the destination is closer than the WLC
  - this can be fixed using Cisco FlexConnect
    - which is a mode, to be enabled on the LAPs
    - especially if the LAPs are, say, in a branch, and the WLC is in the HQ
    - LAPs can now pass the traffic directly to the LAN
    - LAPs can now authenticate the clients for access
    - LAPs can now work even if the CAPWAP tunnel goes down

- Converged WLAN Architecture
  - connect a WLC and an AP, both, to the same switch
    - the access/distribution layer switch
  - now the LAPs are reaching the WLC through the switch
  - multiple WLCs will be needed in such a scenario
  - this leads to a shorter-distance CAPWAP
    - hence, faster Wi-Fi, fewer delays

6.1.b Location Services
- some Cisco services (like DNAC)
  - can visualize network topologies
    - including Access Points and their clients
  - can ask an AP to show where a client's location is!
    - by sending a signal to the client and receiving a reply from the client
    - based on the received signal strength of the client
    - a client's location might be determined!
  - can also ask multiple APs to perform the same request at the same time
    - this will show a much more accurate location of where a certain client is

6.2 Wireless
6.2.a Layer 1 Concepts
- RF power
  - the amount of power an antenna will receive
    - to convert it to electric power
  - measured in either watts or decibel-milliwatts (dBm)
  - affected by barriers in the way, and gets attenuated
  - RF power affects signal strength
    - important for "Design": to measure how many APs we need to maintain signal strength
    - important for "Troubleshooting": slow internet
- RSSI
  - received signal strength indicator
  - an indicator of the quality of all the broadcasting SSIDs nearby

- Noise Floor and Interference
  - other electromagnetic fields roaming in the space
  - conflicting signals will cause interference
- SNR
  - signal-to-noise ratio
  - the difference (-) between the received signal and the noise floor
    - Signal (-) Noise
  - higher = better
- Channels
  - a group, or a range, of Radio Frequencies (RF)
  - all are encoding and transmitting data
  - each frequency can be modulated differently (for more encoding)
  - the total RF bandwidth is then called (Channel Bandwidth)

- Channels include Frequencies
  - either from the 2.4 GHz range, or from the 5 GHz range
  - channel bandwidth: the total bandwidth of the involved frequencies
  https://en.wikipedia.org/wiki/2.4_GHz_radio_use#/media/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
- Client Devices Capabilities
  - a client device that receives a signal and data
    - should have an approximate power compared to the transmitter
  - download data will be transmitted from the AP to the client
  - acknowledgments, upload data, and other communications
    - will be transmitted from the client
  - thus, capabilities should be approximate
    - to avoid an exchange mismatch
6.2.b AP Modes and Antenna Types
- AP Modes
  - Local Mode
    - the default of a LAP
    - CAPWAP to the WLC
    - everything passes through the CAPWAP
    - if the CAPWAP fails, all clients will be disconnected
  - Bridged Mode
    - allows an Autonomous AP to connect as a client to the LAP
  - FlexConnect Mode
    - a hybrid Cisco solution for LAPs
  - Monitor Mode
    - generates reports & statistics, sends them to the WLC

  - Sniffer Mode
    - scans a specific channel
    - sends the scanning reports to the WLC
  - Sensor Mode
    - performs SSID tests
    - sends the test report to the DNA Center
  - Mesh Mode
    - a frame might travel multiple mesh nodes
      - before reaching the LAN
    - uses the Adaptive Wireless Path Protocol (AWPP)
      - to determine the best path to a root node/AP (RAP)

- Antenna Types
  - Dipole Antenna
    - ordinary in home routers
    - omnidirectional
    - low power gain
    - horizontal streaming only
  - Yagi Antenna
    - linear in shape and in transmitting
    - sends in only one direction!!
  - Patch Antenna
    - also linear
    - but wider than Yagi
  - Parabolic-Dish Antenna
    - outdoor
    - long distance
    - very high power gain
    - P2P connections
  - Hidden Antenna (inside client devices)

6.2.c Access Point Discovery and Join Process
- CAPWAP
  - Control and Provisioning of Wireless AP
  - when having a WLC & LAP scenario
    - there will be a private tunnel between them
    - it will encapsulate and transfer all the control and data information between the WLC and LAPs
  - creates 2 tunnels
    - control tunnel = UDP 5246, data tunnel = UDP 5247
    - control tunnel (encrypted and authenticated)
    - data tunnel (not encrypted by default)

- Discovery and Join Process
  - the LAP tries to find and bind a CAPWAP with a WLC
  - if the connection was a switch (same broadcast domain)
    - the broadcast CAPWAP discovery message (Dst port = 5246) will reach a WLC
  - if the connection was a router!!
    - enable port forwarding for 5246
    - assign an IP helper on the receiving interface
  - the LAP can be statically configured to join WLCs (after the CAPWAP discovery)
    - join by name and IP of the WLC
  - else, try to rejoin old known WLCs
  - or, enabling IP option 43 on the DHCP server
    - will tell the LAP about the IP of the WLC

- if multiple WLCs were available
  - the order of assignment and discovery will be:
    - statically configured WLC
    - old, previously known WLC
    - a discovered WLC that is configured as a "Master Controller"
    - a discovered WLC that is the freshest operated controller

6.2.d Roaming
- having multiple APs transmitting multiple channels
  - all under the same SSID
  - those multiple channels under the same SSID are BSSs
  - in that case it is an Extended SSID (ESSID)
- keep exchanging the MGMT frames (Beacons) while moving
  - to change the channel, while under the same SSID
  - the client does that when it sees a better
    BSS (better RSSI)
- L2 Roaming
  - roaming under the same broadcast domain
    - same subnet/VLAN
- L3 Roaming
  - roaming under a different broadcast domain
    - will change DHCP, IP, privileges, and others

6.3 Wi-Fi Security
- Unsecured WLANs are the ones with no password, free, and public
- Secured WLANs might have:
  - hidden SSID
  - Authentication
  - Encrypted Data (from the client to the AP)
- Authentication can be done by:
  - authenticating the user's credentials
  - authenticating a device's MAC address
  - captive portal

- Adding Cisco vWLC to EVE-NG
  - power up the VM
  - create a directory for the vWLC in the VM CLI
    - mkdir /opt/unetlab/addons/qemu/vwlc-8.7.102
  - log in to the VM through FTP
  - navigate to the new directory
    - /opt/unetlab/addons/qemu/vwlc-8.7.102
  - upload the extracted .qcow2 image to the new directory
  - return to root mode
  - fix the permissions
    - /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
  - power up the vWLC in EVE-NG
  - apply the UUID
    - 466028c6-3052-4895-a495-683201e576f7

6.3.a Extensible Authentication Protocol (EAP)
- transport protocol
  - carries authentication information
- cannot travel directly in the network
  - must be encapsulated before being injected into the media
    - 802.1X (Client – WLC)
    - RADIUS (WLC – AAA Server)
6.3.b Web Authentication (WebAuth)
- applied and enabled on a WLC
- to authenticate through a web browser
  - carried by HTTP
- also requires 802.1X to be activated on the authenticator
- supports Pre-shared Key to encrypt user data
6.3.c Pre-Shared Key
- used to encrypt data between client and AP
- the same PSK can be used with all the clients connecting to the same AP
- derived from the passphrase

CHAPTER 7: AUTOMATION
- Chapter's Agenda:
  7.1 Interpret basic Python components
    and scripts
  7.2 Construct valid JSON encoded file
  7.3 Describe the high-level principles and benefits of a data modeling language, such as YANG
  7.4 Describe APIs for Cisco DNA Center and vManage
  7.5 Interpret REST API response codes and results in payload using Cisco DNA Center and RESTCONF
  7.6 Construct EEM applet to automate configuration, troubleshooting, or data collection
  7.7 Compare agent vs. agentless orchestration tools, such as Chef, Puppet, Ansible, and SaltStack

7.1 Python
- programming language
- open source
- object-oriented
- simple, understandable text
- standard library
- Python Components
  - PRINT
    - to show any result of any program or process
    - Python will print whatever is inside (" ") or (' ')
      - ignoring the () and " '
  - COMMENT
    - a note for the programmer only, to read or memorize
    - Python will print nothing of the comment
    - the # sign marks a comment to its right

  - VARIABLES
    - a storage of data to refer to
    - must start with an alphabetic letter
    - case sensitive
  - INPUT
    - requires a user to enter an input
  - CONDITIONALS
    - if statement
    - controls an execution based on a condition
    - multiple conditions can occur
      - resulting in multiple executions
      - this will require using "else-if"
        - AKA "elif"
  - LOOPS
    - execute a series of code multiple times, automatically

  - LOGICAL OPERATORS
    - and, or, not
    - and (all the statements must be true)
    - or (at least one statement must be true)
    - not (one statement that must not be true)

7.2 JavaScript Object Notation (JSON)
- a programming language used to create APIs
- used by REST-based APIs
- human-readable
- lightweight
- the "Object" is about
  - a container that encloses "one-or-more" {name:value} pairs
  - also called "key-value pairs"
- JSON Values
  - always surrounded by curly brackets { }
  - name:value pairs
  - a string must be enclosed in double quotes " "
  - like: {"name":"III", "job":"channel", "location":"YouTube"}

- the pairs' value types
  - String:String
    - the name is a string, and the value is also a string
    - {"name":"III"}
  - String:Number
    - the value won't need double quotes
    - {"Count":10}
  - String:Array
    - for a range of values
    - {"Class":["A", "B", "C", "D"]}
  - String:Boolean
    - True/False case
    - the value won't need double quotes
    - {"Direct":false}
  - Null
    - {"Route":null}

7.3 Data Modeling
- creating unified and standardized models to express data
  - across multiple vendors, multiple platforms
- a software can remotely log in to a device
  - and push a model containing configuration
- the unified models should be compatible with multiple vendors, multiple platforms
  - achieving the same target on all the platforms
- YET ANOTHER NEXT GENERATION (YANG)
  - a language for building those data models
  - data models created by YANG
    - are named "YANG Modules"

- YANG components
  - containers
    - like creating an empty folder
    - that still requires to be filled with data
  - leafs
    - the data that fills a container
    - can either be configurable specs or just informational
* the YANG modules are built into the devices

7.4 Application Programming Interface
- the transformers that are transforming everything from the Application to the controllers, and vice versa
  - those will be called the "Northbound API"
- also transforms everything from the controller to the network devices, and vice versa
  - the "Southbound API"
- so, it's code
  - written in a language
  - that language encodes data into an API
- it uses the Server/Client relation
  - in the Northbound (Controller = Server, Application = Client)
  - in the Southbound (Network Device = Server, Controller = Client)
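Sections 7.2 and 7.3 above list the JSON value types and describe YANG containers and leafs. The following Python script is an added example, not part of the course slides or of any Cisco product: it builds a JSON instance of the kind a RESTCONF client would send (the tree shape follows the standard ietf-interfaces model, a container holding a list of interface entries with name/description/type/enabled leafs; the interface names and descriptions are constructed), validates it with the standard json module, classifies each leaf with the type names from section 7.2, and checks which near-JSON spellings a strict parser refuses. This goes a little beyond the slide's single-pair examples by showing the full container/list/leaf nesting.

```python
"""Build and validate a YANG-style JSON payload (added example, not course material).

Assumptions (constructed for illustration): the data tree follows the shape of the
standard ietf-interfaces model (a container "interfaces" holding a list of
"interface" entries, each with leafs name/description/type/enabled); the
interface names and descriptions are made up.
"""
import json


def build_interfaces_payload(interfaces):
    """Return a JSON string for a list of (name, description, enabled) tuples.

    Container "ietf-interfaces:interfaces" -> list "interface" -> leafs.
    Python True/False/None become JSON true/false/null when serialized.
    """
    entries = []
    for name, description, enabled in interfaces:
        entries.append({
            "name": name,                           # String:String leaf
            "description": description,             # String:String leaf
            "type": "iana-if-type:ethernetCsmacd",  # identityref leaf (constant)
            "enabled": bool(enabled),               # String:Boolean leaf
        })
    tree = {"ietf-interfaces:interfaces": {"interface": entries}}
    return json.dumps(tree, indent=2)


def classify_value(value):
    """Map a decoded JSON value to the type names used in section 7.2."""
    if value is None:
        return "Null"
    if isinstance(value, bool):   # check bool before int: bool is an int subclass
        return "Boolean"
    if isinstance(value, (int, float)):
        return "Number"
    if isinstance(value, str):
        return "String"
    if isinstance(value, list):
        return "Array"
    if isinstance(value, dict):
        return "Object"
    raise TypeError(f"unexpected JSON value: {value!r}")


def leaf_types(payload_text):
    """Decode a payload and report the JSON type of each leaf of the first interface."""
    tree = json.loads(payload_text)
    first = tree["ietf-interfaces:interfaces"]["interface"][0]
    return {key: classify_value(val) for key, val in first.items()}


def is_valid_json(text):
    """True when text is strict JSON (RFC 8259); Python-style literals are rejected."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


# Near-JSON spellings that a strict parser refuses, next to the accepted forms.
REJECTED_SAMPLES = [
    '{"Direct": False}',        # capitalised boolean
    '{"Route": Null}',          # capitalised null
    '{"Class": [A, B, C, D]}',  # unquoted strings inside the array
    "{'name': 'III'}",          # single quotes around strings
]
ACCEPTED_SAMPLES = [
    '{"Direct": false}',
    '{"Route": null}',
    '{"Class": ["A", "B", "C", "D"]}',
    '{"Count": 10}',
]

if __name__ == "__main__":
    payload = build_interfaces_payload([
        ("GigabitEthernet1", "uplink to distribution", True),  # constructed sample
        ("GigabitEthernet2", "unused", False),
    ])
    print(payload)
    print(leaf_types(payload))
    for sample in REJECTED_SAMPLES + ACCEPTED_SAMPLES:
        print(f"{sample:35} valid={is_valid_json(sample)}")
```

Running the script prints the indented payload, the per-leaf type names, and one valid/invalid line per sample; the rejected samples matter in practice because a controller that receives them answers with a 4xx code rather than applying the configuration.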
- API types
  - Internal API
    - between applications
    - like transferring data from HTML to PDF
  - Web-Service API
    - exchanging data between remote devices
    - uses IP addresses
    - like a REST-based API

- Representational State Transfer APIs (REST-based APIs)
  - the most common type of web-service API
  - mostly found in the Northbound
  - utilizes HTTP verbs (GET, PUT, POST, DELETE)
  - while a REST API is in development, a developer would use CRUD to develop the API's HTTP verbs
    - CRUD = Create, Read, Update, and Delete
  - the most common languages used to encode data in a REST-based API are (XML, and JSON)
    - encoding means standardizing a data structure between the app, controller, and nodes
** Cisco vManage is the Dashboard of Cisco DNA Center

7.5 REST-API response codes
- for every northbound REST-API being sent from an API application to a client
  - a response code will be replied back to the application
  - indicating the status of API health and whether it reached the other side properly or not
- most common response codes can be:
  (table of response codes, reproduced on the slide from the CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide; not included here)
- Postman is an API application
  - can push APIs to a client
  - and shows the response code and payload of every API
  - all of that in JSON

7.6 Embedded Event Manager (EEM)
- Cisco policy system
  - monitors and reacts
  - event part: the cause that triggers the Cisco IOS to react
  - reaction part: starts behaving immediately
- components
  - server
    - an internal Cisco IOS component
    - monitors based on a variety of supported features/protocols
    - creates its own login session and implements configuration
      - like any engineer logging in and configuring manually
      - BUT, it's automatic
  - event detectors
    - watchers, open eyes to detect a specific event
  - compatible with a range of protocols and features:
    (table of event detectors, reproduced on the slide from the CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide; not included here)

  - policy
    - policy (reaction): either an applet or a script
    - applets:
      - create a small policy application
      - an applet with event detectors will monitor for an event to occur
      - then the applet will paste a config
      - it also can pop up a message
      - or send you a notification (by e-mail)

7.7 Orchestration Tools
- Automation and Scripting Programs
  - can be installed on a server already operating an OS
  - log in and automate config on devices
  - can store the config and push it later
  - either scripts, IOS, YAML, Ruby, or GUI !!
- Master/Agent Relation
  - each component should be installed on its side
  - the agent mostly is built-in
  - some programs are agentless
    - just directly push the config to the nodes
  - push: to send immediately or on a schedule
  - pull: a client asks periodically if there is a change

- Puppet and Chef use the "Pull" model
  - utilize the Ruby language
  - Agents
  - the config file of Puppet is named a "Manifest"
  - the config file of Chef is per vendor
    - cookbooks that include recipes
- Ansible and SaltStack use the "Push" model
  - utilize the YAML language
  - Salt is agent-based, while Ansible is agentless
  - Ansible can SSH to the nodes and push the script
  - the config file of Ansible is named a "module"
  - playbooks in Ansible control and automate the modules
  - SaltStack is faster, more secure, more compatible, no plugins required, but utilizes more resources
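Section 5.3 (REST API security) says to authenticate and authorize every call, protect the JSON with a JSON Web Token, and start from "deny everything from everyone"; sections 4.7 and 7.5 cover RESTCONF over HTTPS and the response codes an API returns. The Python script below is an added example that ties those three together; it is not from the course slides, from Cisco DNA Center or from any RESTCONF implementation. It mints and verifies an HS256 JWT with the standard library (signature checked in constant time, expiry enforced, the token's own "alg" field not trusted), applies a deny-by-default permission table keyed on HTTP verb and path, and returns the response code a RESTCONF-style server would send: 401 for a missing, forged or expired token, 403 for a valid token without the needed scope, 404 for an unknown path, 200 with the yang-data payload otherwise. The API paths, the claims ("sub", "scope", "exp"), the permission table, the resource tree and the signing secret are all constructed placeholders.

```python
"""Bearer-token (JWT) authentication with deny-by-default authorization in front of a
RESTCONF-style API (added example, not from the course or any Cisco product).

Assumptions, all constructed for illustration: the API paths, the token claims
("sub", "scope", "exp") and the permission table are made up; SECRET is a
placeholder and would be a long random value kept out of source in practice.
Only the standard library is used, so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-signing-secret-not-for-real-use"


# ----- JSON Web Token (HS256) -----------------------------------------------
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Sign the JSON claims. The payload is only base64url-encoded, not encrypted;
    the HMAC signature is what stops a client from editing its own scope."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, secret, now):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None                      # never let the token choose the algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                      # constant-time comparison
        claims = json.loads(b64url_decode(payload))
    except ValueError:                       # bad base64, bad JSON, wrong part count
        return None
    if claims.get("exp", 0) <= now:
        return None                          # expired
    return claims


# ----- deny-by-default authorization --------------------------------------
# scope -> set of (HTTP verb, path) it may use; anything not listed is denied.
PERMISSIONS = {
    "interfaces:read": {("GET", "/restconf/data/ietf-interfaces:interfaces")},
    "interfaces:write": {("GET", "/restconf/data/ietf-interfaces:interfaces"),
                         ("PUT", "/restconf/data/ietf-interfaces:interfaces")},
}


def authorize(claims, method, path):
    """Permit only when a scope carried in the token explicitly lists (method, path)."""
    for scope in claims.get("scope", "").split():
        if (method, path) in PERMISSIONS.get(scope, set()):
            return True
    return False


# ----- a minimal RESTCONF-like resource tree (constructed sample data) -------
RESOURCES = {
    "/restconf/data/ietf-interfaces:interfaces": {
        "ietf-interfaces:interfaces": {
            "interface": [{"name": "GigabitEthernet1", "enabled": True}]}
    }
}


def handle_request(method, path, auth_header, now):
    """Server-side order: authenticate (401), authorize (403), locate (404), answer (200)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_jwt(auth_header[len("Bearer "):], SECRET, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if not authorize(claims, method, path):
        return 403, {"error": "scope does not permit this operation"}
    if path not in RESOURCES:
        return 404, {"error": "no such resource"}
    return 200, RESOURCES[path]              # body would be application/yang-data+json


if __name__ == "__main__":
    now = time.time()
    token = make_jwt({"sub": "netops", "scope": "interfaces:read", "exp": now + 300}, SECRET)
    path = "/restconf/data/ietf-interfaces:interfaces"
    for method, hdr in [("GET", f"Bearer {token}"), ("PUT", f"Bearer {token}"), ("GET", None)]:
        print(method, path, *handle_request(method, path, hdr, now))
```

The check order matters for what a caller learns: an unauthenticated client never gets far enough to discover whether a path exists, and a client with a read-only scope receives 403 on a PUT even though the resource is real. Note that a permission missing from PERMISSIONS is simply denied, which is the "deny everything, then grant" sequence the slide recommends.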