Cisco CCNA Network Training
Yavuz BULUT, Network Consultant and Instructor

Chapter-1 Introduction
Introduction, About the Instructor, Educational Content, Cisco Certifications

Welcome to CCNA Training

In this training I will cover the basics of wired and wireless networks, how Cisco routers and switches are configured, how to design a wired and wireless network, and how to secure the networks we set up.

Cisco is one of the leading companies in the world in the field of networking, and it sells not only network products but end-to-end IT products. By obtaining this certificate you can easily find a job in the IT sector. When you look at job postings, Cisco certificates are requested even by companies that have no Cisco devices in their infrastructure, because in this training you learn not only Cisco products but general network technologies, and other vendors' products are often structured much like Cisco's.

About the Instructor

I founded the company Ses Telekom in Malatya in 2001 and carried out sales and installation of telephone exchanges in Malatya until 2009, and in Istanbul from 2009 to 2011. After I closed Ses Telekom at the end of 2011, my work became network-based, so I entered the world of networking by taking Cisco training. I received my first Cisco certification, CCNA, in 2013, then CCNA Security in 2014, CCNA Voice in 2015, CCNP Routing and Switching in 2016, CCNA Collaboration in 2018, Cisco Video Network Specialist in 2018, and CCNP Enterprise in 2020. Between 2013 and 2016 I worked as a project manager at a company that is a Cisco Gold Partner in Istanbul. After 2016 I started giving networking lessons and sharing free training videos on YouTube. In 2017 I founded ICT Academy and continued training there. As training gradually shifted towards online education, I decided to publish all of the courses I had given through ICT Academy on Udemy as of 2020.
Currently I continue to provide training and consultancy services to corporate companies through Udemy.

Training Content

The training content follows the curriculum of the official Cisco book for the CCNA 200-301 course and covers all CCNA 200-301 exam topics. It consists of 14 chapters and nearly 50 main topics and sub-topics. You can download the Turkish document I prepared for each chapter under the chapter's first lesson.

Chapter-1 Introduction: Introduction, About the Instructor, Training Content, Cisco Certifications
Chapter-2 Network Communication: Introduction to TCP/IP, Ethernet Fundamentals, WAN and IP Routing
Chapter-3 Switch Applications in the Network: CLI Usage, Switches Overview, Basic Switch Configuration
Chapter-4 VLAN and STP Applications: VLANs, Spanning Tree Protocol, RSTP and EtherChannel Configuration
Chapter-5 IPv4 Addressing and Subnetting: Looking at Subnetting, Analyzing Classful IPv4 Networks, Analyzing Subnet Masks, Analyzing Existing Subnets
Chapter-6 IPv4 Routing: Router Management, Static Routes, IPv4 Routing and Troubleshooting
Chapter-7 OSPF: OSPF Concepts, OSPF Applications, OSPF Network Types
Chapter-8 IP Version 6: IPv6 Fundamentals, IPv6 Addresses and Subnets, IPv6 Applications
Chapter-9 Wireless LANs: Wireless Fundamentals, Wireless Architecture, Wireless Security
Chapter-10 Access Control Lists: TCP/IP Transport and Applications, Basic ACLs, Advanced ACLs
Chapter-11 Network Security: Security Architecture, Securing Network Devices, Switch Port Security, DHCP, DHCP Snooping and ARP Inspection
Chapter-12 IP Services: Device Management Protocols, NAT, QoS and Various IP Services
Chapter-13 Network Architecture: LAN Architecture, WAN Architecture, Cloud Architecture
Chapter-14 Network Automation: Controller-Based Networking, SDA, REST/JSON, Ansible, Puppet, Chef

About Cisco Certifications and the Exam
[Figure: Cisco certification paths before 2020 and after 2020.]

Chapter-2 Network Fundamentals
Network Communication,
Introduction to TCP/IP, Ethernet Basics, WAN and IP Routing

Network Communication

This first chapter will help you understand how networks are interconnected and how networks are connected to each other using Cisco routers and switches. When we connect two or more LANs or WANs together through a router and create a logical network addressing plan with a protocol such as IP, we create an internetwork (a community of networks).

There have been rapid developments in our networks in order to meet many new demands such as video sharing and film streaming platforms. Considering that the people who need to share network resources are increasingly not in the same office, what needs to be done is to connect many networks together so that all users can reach those resources.

Fundamentals of Network Communication

Networking has been growing very rapidly for the last 30-35 years. Although it started with basic, indispensable user needs such as data and printer sharing, networks are now also used for video conferencing. In some cases we may have to split a large network into several smaller ones to reduce user response time, because as a network grows its load grows with it. With all this growth, congestion on the LAN rises to very high levels. The solution is to divide really large networks into smaller networks, which is called network segmentation. We can do this using devices such as routers and switches.

[Figure: Network connection example for home users.]

The main causes of traffic congestion in a LAN are:
• Too many users in one broadcast domain
• Broadcast storms
• Multicasting
• Low bandwidth
• Adding hubs to connect devices to the network
• Heavy ARP traffic

Today, routers are used to interconnect networks and forward packets from one network to another. Routers use logical addressing (IPv4 or IPv6) when they connect two or more networks; we call the result an internetwork. There are two advantages to using a router in our network:
• By default, routers do not forward broadcasts, so each router interface bounds a broadcast domain.
• They can filter packets using Layer 3 information such as the IP address.

The four router functions in your network are as follows:
• Packet switching
• Packet filtering
• Internetwork communication
• Path selection

Layer 2 switches perform switching using frames. Routers, unlike Layer 2 switches, switch packets using logical addressing at Layer 3. Routers can also filter packets using access lists. Finally, routers use a routing table (a map of the internetwork) for path selection and for routing packets to remote networks.

Switches, in contrast, are not used to create an internetwork (they do not create broadcast domains by default); they are used to add functionality to a network. The main task of a switch is to make a LAN work better by providing more bandwidth to LAN users and increasing their performance. Switches do not forward packets to other networks as routers do. Instead, they forward frames by switching them from one port to another.

[Figure: Enterprise network connection example.]

Introduction to TCP/IP
TCP/IP Networking Model, History of TCP/IP, Overview of the TCP/IP Networking Model, TCP/IP and the DoD Model, TCP/IP Layers, Data Encapsulation, OSI Reference Model

TCP/IP Networking Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) family was developed by the Department of Defense (DoD) both to ensure data integrity and to keep communication working in the event of a war. Therefore, if designed and implemented correctly, a TCP/IP network can be truly reliable and flexible.

History of TCP/IP

Today the TCP/IP networking model is what networks use. Earlier there were many networking protocols, TCP/IP among them: manufacturers created their own network protocols, and those protocols only supported the computers they produced. For example, IBM, the computer company with the largest market share in the 1970s and 1980s, released its Systems Network Architecture (SNA) network model in 1974. Other vendors also created their own network models. If your company bought computers from three suppliers, communication was achieved by building three different networks and then connecting those networks together.

In the late 1970s, the Open Systems Interconnection (OSI) reference model was created by the International Organization for Standardization (ISO) to remove this limitation. The OSI model was developed so that networks from different vendors could work together. The OSI model is the primary architectural model for networks: it describes how data and network information are transferred from an application on one computer, across the network medium, to an application on another computer.

Overview of the TCP/IP Networking Model

The TCP/IP model is a broad protocol model that allows computers to communicate; it uses Requests For Comments (RFC) documents to describe its protocols. (You can find these RFCs using any online search engine.) The other important body is the Institute of Electrical and Electronics Engineers (IEEE), which sets the Ethernet standards: RFCs specify the TCP/IP protocols, the IEEE specifies Ethernet.

Many protocols come together in the Process/Application layer of the DoD model to carry out the various activities and tasks that OSI's top three layers (Application, Presentation and Session) describe.

Process/Application layer: defines protocols for node-to-node application communication and also controls the user interface specifications.

Host-to-Host layer: parallels the functions of OSI's Transport layer; it deals with establishing reliable end-to-end communication and error-free delivery of data. (Reliable here means protection against segments lost or corrupted in transit, not protection against an attacker: neither TCP nor UDP provides confidentiality or authentication.)

Internet layer: corresponds to the OSI Network layer. It defines the protocols for the logical transmission of packets across the entire internetwork, handles the IP addressing of hosts, and routes packets across multiple networks.

Network Access layer: monitors the data exchanged between the host and the network. It corresponds to the Data Link and Physical layers of the OSI model; it controls hardware addressing and defines the protocols for the physical transmission of data.

TCP/IP and the DoD Model

The DoD model is basically a condensed version of the OSI model. It consists of four layers instead of seven:
• Process/Application layer
• Host-to-Host layer
• Internet layer
• Network Access layer

[Figure: Comparison of the DoD model and the OSI reference model.]

TCP/IP Application Layer (OSI layers 5-6-7)

The Application layer is where users actually communicate with the computer. This layer comes into play only when access to the network is required. Think of TCP/IP as being like a NIC: you can remove all the network card components from the system and still use a web browser to view local HTML pages. But if you try to open an HTML page that must be retrieved with HTTP, or download a file with FTP or TFTP, the web browser will turn to the Application layer to serve those requests.

HTTP Protocol Mechanisms

Looking more closely at the example below, we can see how the applications on the computer (in particular the web browser and the web server) use the TCP/IP Application layer. Applications use the Hypertext Transfer Protocol (HTTP) to request a web page and retrieve its content.
The Application layer is also responsible for identifying the appropriate communication partner and determining whether it has sufficient resources. These tasks matter because some applications require more than just desktop resources; file transfer and e-mail are examples. Such applications require remote access, network management activities, and client/server operations.

[Figure: A simple web page request at the Application layer.]

TCP/IP Transport Layer (4)

The services in the Transport layer segment the data coming from the Application layer and, at the receiver, reassemble the segments into the same data stream. It provides end-to-end data transfer services and can establish a logical connection between the sender and the destination in an internetwork. The following sections describe the two protocols in this layer:
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

TCP and UDP both work at the Transport layer; we can say that TCP is a reliable service and UDP is an unreliable service. That is, application developers have a choice between the two protocols when working with TCP/IP.

[Figure: Port examples for TCP and UDP.]

The Transport layer is responsible for providing mechanisms for multiplexing upper-layer applications, establishing sessions, and tearing down virtual circuits. It also hides the details of network-related information from the upper layers by providing transparent data transfer.

An Example for TCP and UDP

To help you understand how TCP works, consider a telephone conversation. Before we can talk to someone on the phone, we must first establish a connection with the person at the other end. This is similar to the virtual circuit set up with TCP. If you are giving someone important information during the call, you might say "You know what?" or ask "You got that, right?". Saying such things is like the many TCP acknowledgments designed to verify delivery. Sometimes (especially in a phone call) people also ask "Are you still there?". They end the call by saying "Bye" at the end of the conversation. Similar functions are at work in TCP.

Using UDP is similar to sending a postcard. You do not need to contact the other party first; you simply write your message, address the postcard, and mail it. This is similar to the connectionless orientation of UDP. Since the message on the postcard is not a matter of life and death, you do not need confirmation from the receiver. Therefore UDP does not require acknowledgments.

TCP/IP Network Layer (3)

The Network layer (layer 3) manages device addressing, tracks the location of devices on the network, and determines the best path for data to be transported. In other words, the Network layer is responsible for transferring traffic between devices that are not locally connected to each other. Routers (layer 3 devices) work at the Network layer and provide routing services in an internetwork.

When a router receives a packet on an interface, it first checks the destination IP address and looks for a route to that address in its routing table. If there is a matching route, it frames the packet for the outgoing interface and forwards it (when several routes match, the most specific one, the longest prefix, is used). If there is no entry in the routing table for the packet's destination address, the router discards the packet.

Two types of packets are used at the Network layer:

1. Data packets: used to transfer user data across the internetwork. The protocols used to support data traffic are called routed protocols; IPv4 and IPv6 are examples of routed protocols.

2. Route update packets: used to tell neighboring routers about the networks connected to all the routers in the internetwork. The protocols that send route update packets are called routing protocols; commonly used routing protocols are RIP, RIPv2, EIGRP and OSPF. Route update packets are used to build and maintain the routing tables on each router.

[Figure: A simple IP routing example.]

TCP/IP Data Link Layer (2)

The Data Link layer provides the physical transmission of data and handles functions such as error notification, network topology, and flow control. It is responsible for delivering packets to a device using hardware addresses on the local network, and for converting messages from the Network layer into bits for the Physical layer. At the Data Link layer, devices use MAC addresses to send frames to other devices on the local network and to carry packets between routers.

TCP/IP Physical Layer (1)

Finally, at the bottom, the Physical layer has two tasks: it sends bits and it receives bits. Bits come and go as 1s and 0s, a kind of numeric Morse code.

[Figure: Sending an IP packet by placing it inside an Ethernet frame at Layer 2.]

Step 1: Larry creates an Ethernet frame by encapsulating the IP packet between an Ethernet header and an Ethernet trailer.
Step 2: Larry physically transmits the bits of that Ethernet frame as electrical signals flowing over the Ethernet cable.
Step 3: R1 physically receives the electrical signal over the wire, interprets it, and recreates the same bits.
Step 4: R1 removes the Ethernet header and trailer and extracts the IP packet from the Ethernet frame.

Data Encapsulation

As you can see from how the layers do their jobs, when sending data each layer adds its own header to the data handed down by the layer above; this process is called data encapsulation. In TCP/IP, a host sends data in a five-step process. The first four steps are encapsulation by the TCP/IP layers; the final step is the physical transmission of the data by the host.

Step 1: Create the application data and encapsulate it with any required Application layer headers. For example, an HTTP OK message might be returned in an HTTP header followed by some of the content of a web page.
Step 2: Encapsulate the data provided by the Application layer inside a Transport layer header. A TCP or UDP header is typically used for end-user applications.
Step 3: Encapsulate the data provided by the Transport layer inside a Network layer (IP) header. IP defines the IP addresses that uniquely identify each computer.
Step 4: Encapsulate the data provided by the Network layer inside a Data Link layer header and trailer. This is the only layer that uses both a header and a trailer.
Step 5: Transmit the bits. The Physical layer encodes a signal onto the medium to transmit the frame.

[Figure: Data encapsulation in TCP/IP in five steps.]

OSI Reference Model

One of the best features of the OSI specification is that it helps transfer data between completely different hosts; for example, it lets us transfer data between a Unix host, a PC and a Mac. However, OSI is not a physical model. Rather, it is a set of guidelines that application developers can use to build and implement applications that run on a network. It also provides a framework for creating and implementing networking standards, devices, and internetworking schemes.

None of the upper layers (layers 7, 6 and 5) know anything about networking or network addresses, and the same is true in TCP/IP. These are the responsibility of the lower four layers. When you look at the figure below, you can see the operation of the four lower layers, which define how data is transferred with the help of switches and routers or over a physical cable. These lower layers also determine how a data stream from the source host is rebuilt in the destination host's application.

OSI has seven layers, divided into two groups.
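To make the five encapsulation steps and the router's routing-table check concrete, here is an added Python example; it is not part of the course material. It builds a real IPv4 header (with the RFC 791 checksum) and a TCP header around some HTTP data, wraps them in an Ethernet II frame with a CRC-32 FCS, and then plays the role of R1: it verifies the FCS and the IP header checksum, strips the frame, and looks the destination up in a small routing table using longest-prefix match, dropping the packet when no route exists. The IP addresses, MAC addresses and routing table are constructed for the example, and the TCP checksum is left at zero (it needs a pseudo-header, which this chapter does not cover).

```python
"""Five-step TCP/IP encapsulation, then a router's routing-table lookup.

Added example for this chapter (not course material). The IP addresses, MAC
addresses and the routing table are constructed; the TCP checksum is left at
zero because it needs a pseudo-header that is outside this chapter's scope.
"""
import ipaddress
import struct
import zlib


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words.
    Recomputed over an intact header (checksum field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(app_data: bytes, src_ip: str, dst_ip: str,
                src_mac: bytes, dst_mac: bytes,
                src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Steps 1-4 on the sending host: data -> TCP segment -> IP packet -> frame."""
    # Step 2: 20-byte TCP header: ports, seq=1, ack=0, data offset 5 words,
    # flags PSH+ACK (0x18), window, checksum (0 here), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0)
    segment = tcp + app_data
    # Step 3: 20-byte IPv4 header; the checksum is computed with its field zeroed.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                     0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Step 4: Ethernet II header (dst, src, EtherType 0x0800) plus the FCS
    # trailer, a CRC-32 over everything before it (stored little-endian).
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + segment
    return frame + struct.pack("<I", zlib.crc32(frame))


def decapsulate(frame: bytes) -> dict:
    """Receiving router: check the FCS, strip the frame, parse the IP header."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted on the wire")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 packet")
    ip = body[14:34]
    if ip_checksum(ip) != 0:
        raise ValueError("IP header checksum failed")
    ihl = (ip[0] & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "payload": body[14 + ihl:],   # the transport segment (TCP header + data)
    }


# Constructed routing table: (prefix, next hop, outgoing interface).
ROUTES = [
    ("10.1.1.0/24", "directly connected", "G0/0"),
    ("10.1.2.0/24", "directly connected", "G0/1"),
    ("10.0.0.0/8", "10.1.2.254", "G0/1"),
]


def lookup(routes, dst_ip: str):
    """Longest-prefix match: the most specific matching route wins.
    Returns (network, next_hop, interface), or None when nothing matches."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def route_packet(routes, frame: bytes) -> str:
    """What R1 does with a received frame: decapsulate, look up, forward or drop."""
    pkt = decapsulate(frame)
    route = lookup(routes, pkt["dst"])
    if route is None:
        return "dropped: no route to %s" % pkt["dst"]
    if pkt["ttl"] <= 1:
        return "dropped: TTL expired for %s" % pkt["dst"]
    return "forward %s -> %s via %s (matched %s)" % (
        pkt["dst"], route[1], route[2], route[0])


if __name__ == "__main__":
    pc1, r1 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    for dst in ("10.1.2.20", "10.9.9.9", "192.0.2.1"):
        f = encapsulate(b"GET / HTTP/1.1\r\n", "10.1.1.10", dst, pc1, r1)
        print(len(f), "bytes:", route_packet(ROUTES, f))
```

The order of the two drops in route_packet matters: a router consults the routing table first, so a packet with no route is discarded regardless of its TTL, and flipping any single byte of the frame makes decapsulate raise on the FCS before the IP header is even parsed.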
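As an added illustration of the telephone-call versus postcard comparison in the TCP and UDP example above (not course material), the following Python simulation sends the same four messages over a channel that deliberately drops two transmissions. The UDP-style sender just mails each datagram; the TCP-style sender numbers each segment, waits for an acknowledgment and resends on timeout, and the receiver discards duplicates by sequence number. Real TCP uses a sliding window rather than stop-and-wait, but the acknowledge-and-retransmit idea is the same. The channel and its loss pattern are constructed.

```python
"""Reliable versus unreliable delivery: TCP-style stop-and-wait vs UDP-style.

Added example for this chapter (not course material). The channel, its loss
pattern and the messages are constructed. Real TCP uses a sliding window and
richer timers; the acknowledge-and-retransmit logic is the same idea.
"""


class LossyChannel:
    """Counts every transmission (data or ACK) and drops the ones whose
    number is in `drop_at`, so a run is deterministic and checkable."""

    def __init__(self, drop_at):
        self.drop_at = set(drop_at)
        self.sent = 0
        self.log = []

    def send(self, label: str, msg):
        self.sent += 1
        lost = self.sent in self.drop_at
        self.log.append("%s %s" % (label, "LOST" if lost else "ok"))
        return None if lost else msg


def udp_send(channel: LossyChannel, datagrams):
    """Postcard model: write, address, mail. No acknowledgment, so a dropped
    datagram is simply gone and the sender never learns about it."""
    received = []
    for d in datagrams:
        got = channel.send("udp %r" % (d,), d)
        if got is not None:
            received.append(got)
    return received


def tcp_send(channel: LossyChannel, segments, max_retries: int = 5):
    """Phone-call model: every segment carries a sequence number and is
    resent until the receiver's ACK arrives. The receiver accepts only the
    next expected number, so a retransmitted duplicate is not delivered twice
    (but is acknowledged again, in case the earlier ACK was what got lost)."""
    received = []        # receiver's in-order data
    expected = 0         # receiver: next sequence number it will accept
    retransmissions = 0
    for seq, data in enumerate(segments):
        for _ in range(max_retries + 1):
            got = channel.send("seg %d" % seq, (seq, data))
            ack = None
            if got is not None:               # receiver side
                s, d = got
                if s == expected:
                    received.append(d)
                    expected += 1
                ack = channel.send("ack %d" % expected, expected)
            if ack == seq + 1:
                break                         # sender: acknowledged, next segment
            retransmissions += 1              # sender: timeout, resend same seq
        else:
            raise TimeoutError("gave up on seq %d" % seq)
    return received, retransmissions


if __name__ == "__main__":
    messages = ["hello", "data 1", "data 2", "bye"]
    ch = LossyChannel(drop_at={2, 5})
    print("UDP received:", udp_send(ch, messages))
    ch = LossyChannel(drop_at={2, 5})
    print("TCP received:", tcp_send(ch, messages))
    print("\n".join(ch.log))
```

Transmission 2 is the first ACK and transmission 5 is the second data segment: UDP loses its second message outright, while TCP recovers both, once by resending a segment whose ACK was lost (the receiver sees the duplicate and only re-acknowledges it) and once by resending a segment that never arrived.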
The top three layers describe how applications on the end stations communicate with each other and with users. The bottom four layers describe how data is transferred end to end. The upper layers, starting with the Application layer, are responsible for communication between the applications on the end machines and for the user interfaces.

[Figure: OSI Reference Model, layers 4-3-2-1.]
[Figure: OSI Reference Model vs. TCP/IP Model.]
[Figure: OSI Reference Model layers.]

Ethernet Fundamentals
Overview of LANs, SOHO and Enterprise LANs, Ethernet Standards at Layer 1, Ethernet Cabling, Copper Cable Types, Fiber Cable Types, Sending Data on Ethernet, Ethernet Addressing, Half and Full Duplex Ethernet

Overview of LANs

Simple SOHO LANs: Small Office / Home Office (SOHO) networks use a device called a switch, which provides physical ports to which many cables can be connected. The switch uses Ethernet cables to connect the various Ethernet devices, one to each Ethernet port. The figure on the left shows a single switch and its connected devices: three PCs, a printer, and a router. (The router connects the LAN to the WAN, in this case the Internet.)

Simple Enterprise LANs: Corporate networks have similar aspects to a SOHO network. For example, a corporate network starts with a LAN switch in a cable closet behind a locked door on each floor of a building. Electricians install Ethernet cables from this closet to the cubicles and conference rooms where devices may need to be connected to the LAN. At the same time, most businesses also support wireless LANs in the same area, allowing people to move around and still work, and supporting the increasing number of devices that have no Ethernet LAN interface.

[Figure: A simple SOHO LAN; a simple Enterprise LAN.]

Ethernet Standards at the Physical Layer

Ethernet was first standardized by a group known as DIX (Digital, Intel and Xerox).
The IEEE later took this work over and published the first Ethernet standard, IEEE 802.3: a 10 Mbps Ethernet running over coaxial cable, and later over twisted-pair and fiber media. As technology developed, the newer IEEE Ethernet standards listed below were created.

[Figure: Example of sending data between different Ethernet standards.]

Although Ethernet includes many Physical layer standards, Ethernet acts as a single LAN technology because it uses the same Data Link layer standard over all types of Ethernet physical links. That standard defines a common Ethernet header. Regardless of whether the data flows over a UTP cable or any kind of fiber cable, the Data Link layer uses the same Ethernet frame format. While the Physical layer standards focus on sending bits over a cable, the Ethernet Data Link standard focuses on sending the frame.

[Figure: Ethernet types.]

The IEEE 802.3 Ethernet standards we use most often today are:

1000BASE-T (IEEE 802.3ab): Category 5 or better (5e, 6, 7) four-pair UTP cabling, up to 100 meters.

1000BASE-SX (IEEE 802.3z): multimode fiber with 62.5 or 50 micron cores and an 850 nanometer laser; it reaches up to 220 meters on 62.5 micron fiber and 550 meters on 50 micron fiber.

1000BASE-LX (IEEE 802.3z): 9 micron core single-mode fiber with a 1300 nanometer laser; it can cover 3 km to 10 km.

Ethernet Cabling

Ethernet cabling is an important topic, especially if you plan to take the Cisco exams. There are three types of Ethernet cables:
- Straight-through cable
- Crossover cable
- Rollover cable (used for the console port)

Straight-Through Cable: a straight-through cable is used to connect:
- Host to switch or hub
- Router to switch or hub

[Figure: Example of a 10 Mbps and 100 Mbps straight-through cable pinout.]

Crossover Cable: a crossover cable is used to connect:
- Switch to switch
- Hub to hub
- Host to host
- Hub to switch

[Figure: Example of a 10 Mbps and 100 Mbps crossover cable pinout.]

Note: Normally switches are connected to each other with a crossover cable, but in the field straight-through cables are generally used: thanks to the Auto-MDIX feature on the switches, we can connect them with a straight-through cable without any problem.

Copper Cable Types

The cable is one of the most important components of horizontal cabling for the performance of the whole link, both in terms of product quality and ease of installation. Cable installation errors seriously compromise the performance of the installation. For structured cabling systems, the Cat 5e, Cat 6 and Cat 6A standards (100 MHz, 250 MHz and 500 MHz respectively) require balanced twisted four-pair cables with 100 Ω impedance. The cable can be one of the following types:
✓ Unshielded U/UTP (Unshielded Twisted Pairs)
✓ Shielded F/UTP (Foiled Twisted Pairs)
✓ Double-screened SF/UTP or S/FTP

Data transmission cables consist of four pairs arranged inside a sheath in a specific arrangement needed to reduce signal loss and crosstalk. This arrangement consists of twisting each pair of conductors separately; the pairs are identified by standard colors. Each pair has a different twist length and is twisted differently from the others inside the outer sheath. The conductor sizes allowed by the standards are 22 to 26 AWG; 23 AWG is the most commonly used.

NOTE: Category 7 has not been widely used to date, despite being standardized and offering a high level of performance, because of its form factor, the installation difficulties it brings, and its cost.

[Figure: Cable examples: Cat 5e U/UTP, Cat 6 U/UTP, Cat 6 F/UTP, Cat 6 U/FTP, Cat 6 F/FTP, Cat 6A S/FTP.]

UTP Cable 1000BASE-T (IEEE 802.3ab) Pinouts

Category 5 or better, four-pair UTP cabling, up to 100 meters. 1000BASE-T (Gigabit Ethernet) differs from 10BASE-T and 100BASE-T in its cabling and pinouts: all four wire pairs are required for 1000BASE-T, and the pins must match at both ends.

[Figure: Example of a 1000 Mbps straight-through and crossover cable pinout.]

Multi Mode Fiber Cable

Multimode fiber (MMF) is a type of fiber optic cable used over short distances, for example inside a building or a campus. Multimode fiber has a 50 or 62.5 micron core in which several modes of light propagate at once; the large core is easy and cheap to couple light into, which is why it is used with LED and VCSEL light sources. The maximum transmission distance for multimode cable is about 550 m at 10 Gbit/s and 2 km at 100 Mbit/s, and it can go further at lower data rates. The multimode fibers defined by the ISO 11801 standard are classified as OM1, OM2, OM3, OM4 and OM5.

[Figure: Multimode fiber cable example.]

MM OM1 Fiber: OM1 cables have an orange sheath and a core size of 62.5 µm. They support 10 Gigabit Ethernet up to 33 meters and are mostly used for 100 Megabit Ethernet applications. OM1 usually uses an LED light source.

MM OM2 Fiber: OM2 also comes with an orange jacket and uses an LED light source, but with a smaller core size of 50 µm. It supports 10 Gigabit Ethernet up to 82 meters, but is more commonly used for 1 Gigabit Ethernet applications.

MM OM3 Fiber: OM3 comes in aqua (turquoise). Like OM2 the core size is 50 µm, but the cable is optimized for laser-based equipment. OM3 supports 10 Gigabit Ethernet up to 300 meters and 40 and 100 Gigabit Ethernet up to 100 meters; it is commonly used for 1 and 10 Gigabit Ethernet.

MM OM4 Fiber: OM4 is fully backward compatible with OM3 and uses the same aqua outer sheath. OM4 was developed specifically for VCSEL laser transmission. It can carry a 10 Gbit/s link up to 550 m, and 40/100 Gbit/s up to 150 meters using an MPO connector.
MM OM5 Fiber: OM5, also known as WBMMF (wideband multimode fiber), is the newest type of multimode fiber and is backward compatible with OM4. It has the same 50 µm core size as OM2, OM3 and OM4. The color chosen for the OM5 sheath is lime green. It is designed and specified to support at least four WDM channels at a rate of at least 28 Gbps per channel across the 850-953 nm window.

[Figure: Multimode fiber cable types, history chart.]

Single Mode Fiber Cable

In fiber optic technology, single-mode fiber (SMF), or mono-mode fiber, is an optical fiber designed to carry a single mode of light. Single-mode cable generally has a narrow core diameter of 8 to 10 µm (micrometers) and is used at wavelengths of 1310 nm and 1550 nm. The small single-mode core virtually eliminates the distortion caused by overlapping light pulses (modal dispersion). Therefore single-mode fiber has the lowest signal attenuation and the highest transmission rates, and for these reasons it is the best choice for long-distance data transmission.

SMF types are categorized as OS1 and OS2. OS1 is a tight-buffered cable designed for indoor use (such as campuses or data centers) where the maximum distance is 10 km. OS2 is a loose-tube cable designed for outdoor use (such as street, underground and direct-burial installation) where the maximum distance is up to 200 km. Both OS1 and OS2 cable support 10G Ethernet; OS2 can additionally support 40G and 100G Ethernet. OS1 and OS2 are standard single-mode optical cables used at the 1310 nm and 1550 nm wavelengths with a maximum attenuation of 1 dB/km and 0.4 dB/km respectively.

Single Mode Advantages
✓ Longer transmission distance
✓ Larger bandwidth capacity
✓ Higher transmission speed
✓ Limited dispersion and external noise
✓ Low signal attenuation

[Figure: Single-mode fiber cable core.]

Sending Data on Ethernet

Ethernet Frames: The Data Link layer is responsible for combining bits into bytes and bytes into frames. Frames are used at the Data Link layer to encapsulate packets from the Network layer for transmission over a given type of media access. The function of Ethernet stations is to pass data frames between each other using a group of bits known as the MAC frame format. This provides error detection with a CRC (cyclic redundancy check). But remember that this is error detection, not error correction. Note also that a CRC only catches accidental corruption: anyone who can modify a frame on the wire can simply recompute the CRC, so it is not an integrity protection against an attacker.

Ethernet Frame Format

Preamble: an alternating 1,0 pattern that provides a 5 MHz clock at the start of each packet, allowing the receiving devices to lock onto the incoming bit stream.

Start Frame Delimiter (SFD)/Synch: the SFD is 10101011, where the last pair of 1s lets a receiver that joined the alternating 1,0 pattern somewhere in the middle stay in sync and still find the start of the data.

Destination Address (DA): used by the receiving devices to determine whether an incoming frame is addressed to a particular node. The destination address can be an individual address or a broadcast or multicast MAC address.

Source Address (SA): a 48-bit MAC address used to identify the transmitting device. Broadcast and multicast address formats are invalid in the SA field.

Length or Type: 802.3 uses a Length field, while the Ethernet_II frame uses a Type field to identify the Network layer protocol. 802.3 cannot identify the upper-layer protocol and must be used with a proprietary LAN protocol (such as IPX).

Data: the packet handed down from the Network layer to the Data Link layer. Its size can vary from 46 to 1,500 bytes.

Frame Check Sequence (FCS): the field at the end of the frame that carries the CRC.

Ethernet Addressing

Ethernet addressing uses the Media Access Control (MAC) address burned into the network interface card (NIC).
A MAC, or hardware, address is a 48-bit (6-byte) address written in hexadecimal. Below is the 48-bit MAC address and how its bits are divided.

[Figure: Unicast Ethernet address format.]

The Organizationally Unique Identifier (OUI) is assigned to an organization by the IEEE. It consists of 24 bits, or 3 bytes. The organization, in turn, assigns the remaining 24-bit (3-byte) value, which is unique by default (but not guaranteed) for each NIC it manufactures. Keep in mind that the address a NIC presents is set by the vendor and can be changed in software, so a MAC address on its own is not a credential; switch port security, covered in Chapter-11, is one way of limiting what a port accepts.

Sending data in a full-duplex Ethernet LAN:
1. PC1 creates and sends the original Ethernet frame, using its own MAC address as the source address and PC2's MAC address as the destination address.
2. SW1 receives the Ethernet frame and forwards it out of its G0/1 interface to SW2.
3. SW2 receives the Ethernet frame and forwards it out of its F0/2 interface to PC2.
4. PC2 sees that the destination MAC address is its own, so it receives and processes the frame.

Half and Full Duplex Ethernet

When the IEEE first introduced 10BASE-T in 1990, switches did not exist yet; instead, devices called hubs were used. Like a switch, a hub used ports with RJ-45 connectors to interconnect PCs; however, hubs used different rules to transmit data. Hubs transmit data using Physical layer standards rather than Data Link standards and are therefore considered Layer 1 devices. When a hub receives an electrical signal, it repeats that electrical signal out of all its other ports (except the one it arrived on). Thus the data reaches every other host connected to the hub, which also means every host on a hub can read every other host's traffic.

The disadvantage of using hubs is that if two or more devices transmit a signal at the same time, the electrical signals collide and become corrupted. The hub repeats all received electrical signals, even when it receives several signals at once. For example, in the figure, Archie and Bob send an electrical signal simultaneously (steps 1A and 1B) and the hub repeats both signals to Larry on the left (step 2).

[Figure: Collision caused by the hub's way of working.]

If you replace the hub with a switch in the figure above, the switch avoids the collision on the left. The switch operates as a Layer 2 device, meaning it looks at the Data Link header of the frames. A switch looks up MAC addresses, and even if it has to forward both frames to Larry on the left, it sends the first frame and queues the other until the first has been sent.

[Figure: Half and full duplex Ethernet working together in a simple LAN.]

WAN and IP Routing Fundamentals
Wide Area Network (WAN), Leased-Line WANs, Using Ethernet in the WAN, IP Routing, How to Use IP Routing at Layer 3, Other Layer 3 Features, DNS, ARP, Ping

WAN Fundamentals

Wide Area Network (WAN): Cisco IOS supports many different wide area network (WAN) protocols to help you extend your local networks to other remote networks. Doing your own structured cabling between different regions and trying to connect all of your company's remote locations using your own infrastructure may not be cost effective, or even possible. A much better solution is to lease the existing infrastructure that service providers already have. In this section we continue with the different connection types, technologies and devices commonly used in WANs.

Leased-Line WANs: To connect your local networks to the local networks in your remote offices over a WAN, each local network uses a router with a WAN connection. First you obtain a WAN connection suited to your business from an ISP (Internet Service Provider) and start using it. Routers connect to both the WAN and the LAN, as shown in the figure below. Note that a curved line between routers is a common way to represent a leased line when the drawing does not need to show the physical details of the line.
In this chapter, I will talk about High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP) and leased-line WAN connections. Other WAN services such as Metro Ethernet, DSL, MPLS and VPN will be covered in Chapter-13 on WAN Architecture.

Example of a Leased-Line on a simple Enterprise network.

WAN Fundamentals
The leased-line service receives and sends bits in both directions at a predetermined rate using full duplex logic. In fact, it logically behaves as if you had a bidirectional crossover full duplex Ethernet connection between the two routers, as shown in the figure. A leased line uses two pairs of wires to send data, allowing bidirectional operation.

Logical View of Leased-Line Service

Leased lines provide a Layer 1 service. In other words, the line receives and sends bits between the devices connected to it. However, the leased line itself does not define a data link layer protocol to be used on it.

Since leased lines define only a Layer 1 transmission service, many companies and standards organizations have created data link protocols to control and use leased lines. Today, the two most popular data-link layer protocols used for leased lines between two routers are High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP).

All data-link protocols follow a similar approach to control the correct delivery of data over a physical link of a certain type. For example, the Ethernet data-link protocol uses a destination address field to identify the correct device that should receive the data, and an FCS field in the Ethernet frame so the receiving device can check that it received the data correctly. HDLC provides similar functionality.

HDLC Data-Link Details of Leased-Lines

Note: The default data-link protocol on leased lines is HDLC.

WAN Fundamentals: How Routers Use the WAN Data Link
Leased lines connect to routers, and routers focus on delivering packets to the destination computer. However, because routers are physically connected to both LANs and WANs, the router needs to send this data inside frames. First, the TCP/IP network layer focuses on forwarding IP packets from the source device to the destination device. Basically, LANs and WANs act as a way to carry packets to the next router or end-user device. The figure shows the point of view of the Network Layer.

IP Routing Logic over LANs and WANs

General Concept of Routers De-encapsulating and Re-encapsulating IP Packets

WAN Fundamentals: Using Ethernet on WAN
When Ethernet first came out, it was only suitable for LANs. Due to the limitations in cable lengths and devices, we were able to set up a LAN that extended up to a kilometer or two. As time went on, the IEEE improved its Ethernet standards, making it a good WAN technology. For example, the 1000BASE-LX standard uses single-mode fiber cable that supports a cable length of 5 km; the 1000BASE-ZX standard supports a cable length of 70 km. As the IEEE improved the cabling distances for fiber Ethernet connections, Ethernet became a good WAN technology. Many WAN service providers (SPs) today offer WAN services that leverage Ethernet, and SPs offer various Ethernet WAN services to their customers.

Example of a Fiber Ethernet Connection for Connecting a CPE Router to the Service Provider's WAN.

IP Routing Fundamentals: IP Routing
Internet Protocol (IP)
Internet Protocol (IP) is essentially the Network layer. The other protocols found here exist just to support it. IP has the big picture: it can be said to see everything, and it is aware of all interconnected networks. IP looks at the address of each packet. It then chooses the best route using a routing table and decides where to send the packet.

Network Layer Routing (Forwarding) Logic
Routers and end-user computers (called hosts in a TCP/IP network) work together to perform IP routing. The host operating system (OS) has TCP/IP software, including software that implements the network layer.
The host uses this software to choose where to send IP packets, usually to a nearby router. The routers then choose where to send the IP packet. Together, the host and the routers transmit the IP packet to the correct destination, as shown in the example in the figure.

CPE PC-1 to PC-2 Routing Logic

IP Routing Fundamentals: How Does IP Routing Work in Layer 3 (Network Layer)?
Although the network layer routing logic ignores the physical transmission details, the bits still need to be transmitted. To do this, the network layer logic in a host or router must hand the packet to the data link layer protocols, which in turn ask the physical layer to actually send the data. Before sending the frames over each physical network, the data link layer creates a frame and adds the appropriate header and trailer to the packet.

The following list summarizes how a router forwards a packet from one interface to another at the network layer, starting with the incoming frame:
Step 1: To ensure that there is no error in the frame, the data link layer uses the Frame Check Sequence (FCS) field and discards the frame if an error is found.
Step 2: Assuming the frame was not discarded in Step 1, it discards the old data link header and trailer, leaving the IP packet.
Step 3: It compares the destination IP address in the IP packet with the routing table and finds the most suitable route to the destination. This route identifies the next router's IP address and the router's outgoing interface.
Step 4: It encapsulates the IP packet in a new data-link header and trailer suitable for the outgoing interface and transmits the frame.

CPE PC-1 to PC-2 Routing Logic

IP Routing Fundamentals
In the figure, we will look at what stages the packet sent from PC-1 to PC-2 goes through in the Network Layer and the Data Link Layer.

Step A: The network layer of PC1 addresses the packet to PC2's IP address (150.150.4.10). PC1 checks whether this IP address is local; since it is not, it must send the packet to its default router. PC1 encapsulates the IP packet (destined for PC2) in an Ethernet frame addressed to R1 and sends the frame onto the Ethernet.
Step B: R1 checks the FCS of the incoming Ethernet frame for errors, and if there is no error, it discards the Ethernet header and trailer. Next, R1 compares the destination address of the packet (150.150.4.10) with its routing table and finds the outbound route to subnet 150.150.4.0. On this matching route, R1 forwards the packet out its Serial0 interface to R2 (150.150.2.7). To do so, R1 first encapsulates the IP packet in an HDLC frame and sends it.
Step C: When R2 receives the HDLC frame, it repeats the same process as R1. R2 checks the FCS field and detects no errors, and then discards the HDLC header and trailer. Then R2 compares the destination address of the packet (150.150.4.10) with its routing table, finds the route to subnet 150.150.4.0 and sends the packet out Fast Ethernet 0/0 to 150.150.3.1. To do so, R2 re-encapsulates the packet taken out of the HDLC frame into an Ethernet frame.

R2 Network Layer and Data-Link Layer Encapsulation

Step D: Like R1 and R2, R3 checks the FCS, discards the old data-link header and trailer, and looks in its own routing table for the 150.150.4.0 subnet; but because R3 is directly connected to the 150.150.4.0 subnet, there is no next router. All R3 has to do is encapsulate the packet in a new Ethernet frame with PC2's MAC address as the destination address.

Note: At the bottom of the figure, R3 will use ARP once to learn PC2's MAC address before sending any packets to PC2.

IP Routing Fundamentals: IP Header
The routing process uses the IPv4 header as shown in the figure below. The 32-bit source IP address and the 32-bit destination IP address are carried in the header. Of course, the header has more information fields. But we will cover only as much as the CCNA training covers. For now, we will focus on the source and destination IP fields.
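Steps A through D above, as an added simulation (my code, not the course material): each node does a longest-prefix lookup, then wraps the same, unmodified IP packet in a fresh data-link header (HDLC on the serial link, Ethernet with an ARP-learned MAC on the LANs). The addresses the slides give (PC2 150.150.4.10, R2 150.150.2.7, R3 150.150.3.1, subnet 150.150.4.0) are kept; PC1's address, R1's LAN address, the /24 masks and all MAC addresses are constructed assumptions.

```python
"""Hop-by-hop IP routing for the PC1 -> R1 -> R2 -> R3 -> PC2 example.

Added example for this section (not course material). Addresses that the
slides state are kept: PC2 150.150.4.10, R2's serial 150.150.2.7, R3's
LAN address 150.150.3.1, destination subnet 150.150.4.0. PC1's address,
R1's LAN address, the /24 masks and every MAC address are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None = directly connected subnet
    out_if: str
    link: str                    # "ethernet" or "hdlc": which header Step 4 builds


@dataclass
class Node:
    name: str
    routes: list
    macs: dict = field(default_factory=dict)   # own interface -> MAC
    arp: dict = field(default_factory=dict)    # IP -> MAC learned by ARP


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Step 3: longest-prefix match of the destination IP against the table."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def encapsulate(node: Node, route: Route, packet: dict, arp_replies: dict) -> dict:
    """Step 4: wrap the unchanged IP packet in a new data-link header.

    `arp_replies` stands in for what an ARP broadcast on that link would
    answer; the reply is cached so ARP runs only once per neighbour.
    """
    if route.link == "hdlc":
        # Point-to-point leased line: HDLC needs no MAC addresses.
        return {"link": "hdlc", "packet": packet}
    next_ip = route.next_hop or packet["dst"]     # connected subnet: ARP for the host itself
    if next_ip not in node.arp:
        node.arp[next_ip] = arp_replies[next_ip]
    return {"link": "ethernet", "dst_mac": node.arp[next_ip],
            "src_mac": node.macs[route.out_if], "type": 0x0800, "packet": packet}


def deliver(path: list, packet: dict, arp_replies: dict):
    """Steps 2-4 at each node in turn (Step 1, the FCS check, is assumed to pass).

    Returns the per-hop trace of (node, outgoing interface, link type) and
    the last frame. The `packet` object is never copied or modified (TTL
    decrement is not modelled): only the data-link headers change per hop.
    """
    trace, frame = [], None
    for node in path:
        route = lookup(node.routes, packet["dst"])
        if route is None:
            raise LookupError(f"{node.name}: no route to {packet['dst']}")
        frame = encapsulate(node, route, packet, arp_replies)   # old header already stripped
        trace.append((node.name, route.out_if, frame["link"]))
    return trace, frame


def build_example():
    """Topology of the figure; constructed values are marked."""
    net = ipaddress.IPv4Network
    pc1 = Node("PC1", [Route(net("150.150.1.0/24"), None, "eth0", "ethernet"),
                       Route(net("0.0.0.0/0"), "150.150.1.4", "eth0", "ethernet")],  # default router R1 (constructed)
               macs={"eth0": "0200.1111.1111"})
    r1 = Node("R1", [Route(net("150.150.1.0/24"), None, "F0/0", "ethernet"),
                     Route(net("150.150.2.0/24"), None, "Serial0", "hdlc"),
                     Route(net("150.150.3.0/24"), "150.150.2.7", "Serial0", "hdlc"),
                     Route(net("150.150.4.0/24"), "150.150.2.7", "Serial0", "hdlc")],
              macs={"F0/0": "0200.aaaa.0001"})
    r2 = Node("R2", [Route(net("150.150.2.0/24"), None, "Serial0", "hdlc"),
                     Route(net("150.150.3.0/24"), None, "F0/0", "ethernet"),
                     Route(net("150.150.4.0/24"), "150.150.3.1", "F0/0", "ethernet")],
              macs={"F0/0": "0200.bbbb.0001"})
    r3 = Node("R3", [Route(net("150.150.3.0/24"), None, "F0/0", "ethernet"),
                     Route(net("150.150.4.0/24"), None, "F0/1", "ethernet")],
              macs={"F0/0": "0200.cccc.0001", "F0/1": "0200.cccc.0002"})
    arp_replies = {"150.150.1.4": "0200.aaaa.0001",     # R1's LAN MAC (constructed)
                   "150.150.3.1": "0200.cccc.0001",     # R3's LAN MAC (constructed)
                   "150.150.4.10": "0200.2222.2222"}    # PC2 (constructed)
    return [pc1, r1, r2, r3], arp_replies


def run_example():
    path, arp_replies = build_example()
    packet = {"src": "150.150.1.10", "dst": "150.150.4.10", "ttl": 64}   # PC1 address constructed
    trace, last_frame = deliver(path, packet, arp_replies)
    return trace, last_frame, packet, path


if __name__ == "__main__":
    for hop in run_example()[0]:
        print(hop)
```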
Note that in the examples in this section, the IP header information remains unchanged by the IP routing process, while routers remove and add data-link headers each time they forward a packet.

The IP Header is 20 bytes in total

Ethernet Frame Format

IP Routing Fundamentals: Layer 3 (Network Layer) Other Features
TCP/IP defines many functions at the Network Layer beyond IP. Of course, IP plays a huge role in networking today by defining IP addressing and IP routing. However, other standards and protocols defined by RFCs are also very important at the network layer. In the last part of this section, I will talk about 3 network layer features that will help you a lot in the future:
✓ Domain Name System (DNS)
✓ Address Resolution Protocol (ARP)
✓ Internet Control Message Protocol (ICMP)

Domain Name System (DNS)
Domain Name Service (DNS) resolves computer names, especially internet names such as www.routersim.com. You don't have to use DNS; you can just type the IP address of the device you want to connect to. An IP address identifies user machines on both the network and the internet. However, DNS is designed to make our lives easier.

Consider: What if you wanted to move your web page to another service provider? Your IP address would change and no one would know your new IP. DNS lets you use a domain name to specify an IP address. You can change your IP address as often as you want and no one will notice the change. DNS is used to resolve an FQDN (fully qualified domain name) such as www.yavuzbulut.com or ccna.yavuzbulut.com. An FQDN is a hierarchy that can logically locate a system based on its domain identifier.

A simple DNS Request

IP Routing Fundamentals: Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) finds the hardware address of a user machine from a known IP address.
When IP has a datagram to send, it must tell a network access protocol such as Ethernet or Token Ring the hardware address of the destination on the local network (the destination's IP address has already been supplied by the upper-layer protocols). If IP cannot find the hardware address of the target machine in the ARP cache, it uses ARP to find this information. Like the detective of IP, ARP queries the local network by sending a broadcast asking the machine with a specific IP address for its hardware address. Essentially, ARP translates the software (IP) address into a hardware address (for example, the Ethernet board address of the target machine) and from that infers its location on the LAN by broadcasting for the address. Figure 3-11 shows how ARP looks at the local network.

A simple ARP Query

IP Routing Fundamentals: Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP) runs at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams. RFC 1256 is an addition to ICMP that provides expanded host capability for routing gateways.

ICMP packets have the following features:
- They provide user machines with information about network problems.
- They are encapsulated in IP datagrams.

The following are some common ICMP-related events and messages:
Destination Unreachable: If a router can no longer forward an IP packet, it uses ICMP to send a message to the sender stating the situation. For example, let's take a look at Figure 3-12, which shows that the Lab_B router's E0 interface is down. When HostA sends a packet destined for HostB, the Lab_B router sends an ICMP destination unreachable message to the sending device (HostA in this example).
Buffer Full: If the router's buffer for incoming packets is full, it uses ICMP to send this message until the congestion is cleared.
Hops: Each IP packet is allowed to pass through a certain number of routers, known as hops. If it reaches the hop limit before reaching its destination, the last router that received the packet deletes it. That router then uses ICMP to send an obituary message, notifying the sending machine that the packet is dead.
Ping: Packet Internet Groper (Ping) uses ICMP echo request and reply messages to check the physical and logical connectivity of machines in a network.
Traceroute: Using ICMP time-outs, Traceroute finds the path a packet travels through the network.

A Simple ICMP Example

Note: Both the Ping and Traceroute commands (also used as Trace; Microsoft Windows uses tracert) allow you to verify your address settings in your network.

Chapter-3 Switch Applications in Network
04 - Using Command-Line Interface
05 - Switches Overview
06 - Basic Switch Configuration
07 - Configuring Switch Interfaces

Accessing Cisco Switch with CLI
• Connecting to Cisco Switch Using CLI
• Connecting to Console with Cable
• Connecting with Telnet
• Connecting via SSH
• Reviewing Router Modes
• Cisco IOS Configuration

Using the Command-Line Interface: Accessing Cisco Switch with CLI
IOS User Interface
The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and many switches. In case you didn't know, a kernel is the essential core part of an operating system, providing administrative capabilities and resources such as low-level hardware interfaces and security.

Connecting to Cisco Switch
You can connect to a Cisco switch to configure it, verify the configuration, and check statistics.

Figure 4-1 CLI Connection Options
There are different ways to do this, but the most common is to first connect via the console port. The console port is an RJ-45 (8-pin modular) connection, which is usually located on the back of the switch, or on the front on newer models. Newer models also have a mini-USB B console port. By default, a password may or may not be set. By default it uses Cisco as username and password.

The second way to connect to a Cisco switch is with the Telnet program over the network. Telnet is a terminal emulation program that acts as a dumb terminal. Another way is to connect via SSH, which is the most secure way to connect to devices over the network.

Figure 4-2 USB or Serial Console Cable Connection Options

Using the Command-Line Interface: Connecting to Console with Cable
Figure 4-3 shows the Cisco 2960-XR Switch Console Port Inputs. The switch console port settings must be configured to match the computer's serial port settings. The default console port settings on a switch are as follows:
✓ 9600 bits/second
✓ No hardware flow control
✓ 8-bit ASCII
✓ No parity bits
✓ 1 stop bit

Figure 4-4 Terminal settings for console access.

As a terminal program, the simplest choice is a program such as PuTTY or SecureCRT. With these programs, you can make serial, Telnet and SSH connections.

Using the Command-Line Interface: Connecting with Telnet
Telnet, part of the TCP/IP protocol stack, is a virtual terminal that allows you to connect to remote devices to gather information and run programs. After your routers and switches are configured, you can use the Telnet program to reconfigure and/or control your switches and routers without using a console cable.

Connecting via SSH
Instead of Telnet, you can use Secure Shell. SSH creates a more secure session than Telnet applications, which use unencrypted data streams. Secure Shell (SSH) uses encrypted keys to send data so your username and password are not sent in the clear.
For Telnet to work, you need to have VTY passwords on switches and routers.

line vty 0 ?
line vty 0 4
 password telnet
 login

Reviewing Switch Modes
For configuration from the CLI, you can make general changes to the switch by typing configure terminal (or config t for short). This will take you to global configuration mode and change the settings known as the running-config. A global command (run from global config) is set only once and affects the entire switch. You can type config from the command line in privileged mode and then just press Enter to accept the default (terminal), as shown below:

Bulut-R1#config
Configuring from terminal, memory, or network [terminal]? [press enter]
Enter configuration commands, one per line.  End with CNTL/Z.
Bulut-R1(config)#

Figure 4-5 User and Privileged Mode.

Using the Command-Line Interface: Cisco IOS Configuration
Some Basic Commands We Will Use:
enable
disable
configure terminal
hostname
line console 0
password xxxxxxxx
login
interface GigabitEthernet
show running-config
show startup-config
write erase
erase startup-config
erase nvram:

The user mode example below gives the following warning when you try to run the reload command in user mode; this command works in privileged mode.

Press RETURN to get started.

User Access Verification

Password:
Bulut-SW1>
Bulut-SW1> reload
Translating "reload"
% Unknown command or computer name, or unable to find computer address
Bulut-SW1> enable
Password:
Bulut-SW1#
Bulut-SW1# reload
Proceed with reload? [confirm] y
00:08:42: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

Figure 4-6 Switching between modes.

LAN Switching Concepts: Overview of Switches
• Overview of Switch Operation Logic
• Mac Address Learning
• Loop Avoidance
• Analyzing and Verifying Switch

Switches Overview: LAN Switching Concepts
Overview of Switch Operation Logic
Two LAN examples are given in Figure 5-1; the first is a Campus LAN and the other is a Data Center LAN. At first glance, it seems that there is no difference, but end user devices are connected to the access switches in the Campus LAN, and servers are connected to the access switches on the data center side. Although the topology is the same here, we choose and design our switches according to where they will be used; what we need to pay attention to when designing the network is what type of devices will be connected and how much traffic there will be.

Consequently, the role of a switch is to forward Ethernet frames. Switches are connected to each other, connecting user devices, servers and other devices. The primary job of the switches is to forward the frames to the correct destination (MAC) address. To achieve this goal, the switches use logic based on the source and destination MAC addresses in the Ethernet frame header.

Figure 5-1 Example of Campus LAN and Data Center LAN.
Figure 5-2 Example of Switch Forwarding and Filtering Decision.

Switches Overview
Figure 5-3 Example of Two Switch Forwarding and Filtering Decisions. First Switch.

A Layer 2 switch has three main functions:
✓ Address learning
✓ Forward and filter decisions
✓ Loop avoidance

Address Learning: Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called the forward/filter table.
Forward/filter Decisions: When a frame is received on an interface, the switch looks at the destination hardware address and finds the outgoing interface in the MAC database. The frame is sent out only the specific destination port.
Loop Avoidance: Network loops can occur if multiple connections between switches are created for redundancy. Spanning Tree Protocol (STP) is used to stop network loops while still allowing redundancy.

Let's take a look at how forwarding and filtering is done in a two-switch network in Figures 5-3 and 5-4.

Figure 5-4 Example of Two Switch Forwarding and Filtering Decisions. Second Switch.

Switches Overview: Mac Address Learning
Fortunately, network staff do not need to know all these MAC addresses. Instead, each switch performs one of its main functions, MAC address learning. The switch builds the address table by listening to the incoming frames and examining the source MAC address in each frame. A frame enters the switch, and if the source MAC address is not in the MAC address table, the switch adds that MAC address to the table. This table entry lists the interface on which the frame arrived. The learning logic of the switch is that simple.

Figure 5-5 Switch Learning: Starting with an Empty Table and Adding Two Entries.

Avoiding the Loop
Redundant links between switches are good, as they protect the entire network from becoming unusable if one link fails. But backup links, although very useful, can cause more problems than they solve. Because frames are sent simultaneously over all redundant links, they cause network loops and other problems. If there is no loop prevention mechanism, the switches will forward broadcasts nonstop across the network. This is sometimes described as a broadcast storm. Figure 5-6 shows how a broadcast spreads across the network. Observe how a frame circulates endlessly through the physical network medium.

Figure 5-6 Formation of a loop and its transformation into a broadcast storm.
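The three switch functions above (learning, forward/filter, and the flooding that happens before an address is learned) as an added simulation in my own code, not the course material. It walks two switches through the frames of Figures 5-3/5-4: the first frame to an unknown destination is flooded, later frames are forwarded port-to-port, and a frame whose destination sits on the ingress port is filtered. The port names and MAC addresses are constructed (0200.1111.1111 is the address the slides use with show mac address-table).

```python
"""Layer 2 switch simulation: MAC learning, forward/filter decisions, flooding.

Added example for this section (not course material). The two-switch
topology mirrors Figures 5-3/5-4; all MAC addresses and port names are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def is_group(mac: str) -> bool:
    """Broadcast/multicast: low-order bit of the first byte is set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Frame:
    dst: str
    src: str
    vlan: int = 1


@dataclass
class Switch:
    name: str
    ports: list
    links: dict = field(default_factory=dict)   # port -> (neighbour switch, neighbour port)
    table: dict = field(default_factory=dict)   # (vlan, mac) -> port: the forward/filter table

    def learn(self, frame: Frame, in_port: str) -> None:
        """Address learning: record the source MAC against the ingress port."""
        self.table[(frame.vlan, frame.src)] = in_port

    def decide(self, frame: Frame, in_port: str) -> list:
        """Forward/filter decision: which ports the frame leaves on."""
        out = self.table.get((frame.vlan, frame.dst))
        if is_group(frame.dst) or out is None:
            # Broadcast, multicast or unknown unicast: flood out every port
            # except the one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            # Filter: the destination is reachable via the ingress port (e.g. a
            # hub shared by sender and receiver), so forwarding is pointless.
            return []
        return [out]

    def receive(self, frame: Frame, in_port: str, log: list) -> None:
        """Process one frame; pass it on over any switch-to-switch link it exits.
        The topology has no loop, which is what STP guarantees in a real LAN."""
        self.learn(frame, in_port)
        egress = self.decide(frame, in_port)
        log.append((self.name, in_port, tuple(egress)))
        for port in egress:
            if port in self.links:
                neighbour, far_port = self.links[port]
                neighbour.receive(frame, far_port, log)


def mac_table(sw: Switch) -> list:
    """Rows like 'show mac address-table dynamic': (vlan, mac, port)."""
    return sorted((vlan, mac, port) for (vlan, mac), port in sw.table.items())


def run_scenario():
    """Host A on SW1 F0/1, host C on SW1 F0/3, host B on SW2 F0/2, link G0/1-G0/1."""
    sw1 = Switch("SW1", ["F0/1", "F0/3", "G0/1"])
    sw2 = Switch("SW2", ["F0/2", "G0/1"])
    sw1.links["G0/1"] = (sw2, "G0/1")
    sw2.links["G0/1"] = (sw1, "G0/1")
    a, b, c = "0200.1111.1111", "0200.2222.2222", "0200.3333.3333"
    log = []
    sw1.receive(Frame(dst=b, src=a), "F0/1", log)   # B unknown: flooded by both switches
    sw2.receive(Frame(dst=a, src=b), "F0/2", log)   # A known: forwarded port-to-port
    sw1.receive(Frame(dst=b, src=a), "F0/1", log)   # B now known on both switches
    sw1.receive(Frame(dst=a, src=c), "F0/3", log)   # local traffic: SW2 never sees it
    return log, sw1, sw2


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```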
Switches Overview: Analyzing and Verifying the Switch
Cisco Catalyst switches come from the factory ready to forward Ethernet frames. All you have to do is connect the power cable and plug in the Ethernet cables, and the switch starts forwarding incoming frames. When you connect multiple switches together, frames are forwarded between the switches as well. Let's take a look at the default settings:
✓ Interfaces are enabled by default, ready to work once the cable is connected.
✓ All interfaces are assigned to VLAN 1.
✓ 10/100 or 10/100/1000 Mbps speeds are in Auto mode.
✓ MAC learning, forwarding and filtering logic works by default.
✓ STP is enabled.

Some Commands We Can Use for Analysis and Verification:
show mac address-table dynamic
  We can see the MAC addresses that the switch learns dynamically.
show interfaces status
  We can see whether a switch interface (port) is down or up.
show interfaces f0/1 counters
  We can see the outgoing packets of FastEthernet 0/1.
show mac address-table dynamic address 0200.1111.1111
  We can see which interface this MAC address is on.
show mac address-table dynamic interface fastEthernet 0/1
  We can see the MAC address of the device connected to this interface.
show mac address-table dynamic vlan 1
  It shows us the MAC addresses in VLAN 1.
show mac address-table count
  We can see how many entries are in the switch's MAC table and how many more it can hold.

Basic Switch Configuration
• CLI Security on Switch
• Local Usernames
• AAA Server
• Configuring SSH
• Giving IP to Switch

Basic Switch Configuration: CLI Security on Switch
In this section, I will show you how we can secure our passwords when we connect to the switch via the console port or via Telnet or SSH:
• Protecting user mode and privileged mode with simple passwords.
• Securing user mode access with local usernames.
• Securing user mode access with external authentication servers.
• Providing remote access with Secure Shell (SSH).

Figure 6-2 Simple password configuration.
Switch# configure terminal
Switch(config)# enable secret love
Switch(config)# line console 0
Switch(config-line)# password faith
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# line vty 0 15
Switch(config-line)# password hope
Switch(config-line)# login
Switch(config-line)# end
Switch#

Figure 6-1 Security concept with simple passwords.

Basic Switch Configuration
Switch# show running-config
!
Building configuration...
Current configuration: 1333 bytes
!
version 12.2
!
enable secret 5 $1$OwtI$A58c2XgqWyDNeDnv51mNR.
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
! Several lines have been omitted here - in particular, lines for
! FastEthernet interfaces 0/3 through 0/23.
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
line con 0
 password faith
 login
!
line vty 0 4
 password hope
 login
!
line vty 5 15
 password hope
 login

Protecting User Mode Access with Local Usernames and Passwords
When we look at the show running-config output on the side, our passwords are in the clear. Someone sitting next to us or someone listening on our network can see these passwords. Now we will remove these passwords, add users to the local database and log in with them.

Figure 6-3 Login with Local User.

Basic Switch Configuration: Protecting User Mode with External Authentication Servers
In this option, our usernames and passwords are stored on a remote AAA server. When we try to connect to the switch, the switch verifies the username and password we entered against the AAA server, and if the information is correct, it allows us to log in.

Figure 6-4 Basic Authentication Process with External AAA Server.

Maintaining a Remote Connection with SSH
Instead of Telnet, you can use Secure Shell. SSH creates a more secure session than Telnet applications, which use unencrypted data streams. Secure Shell (SSH) uses encrypted keys to send data so your username and password are not sent in the clear.

Configuring SSH
SW1# configure terminal
!
SW1(config)# hostname SW1
SW1(config)# ip domain-name example.com
SW1(config)# crypto key generate rsa
The name for the keys will be: SW1.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)

SW1(config)#
!
! Optionally, set the SSH version to version 2 (only) - preferred
!
SW1(config)# ip ssh version 2
!
! Next, configure the vty lines for local username support, just like
! with Telnet
!
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# exit
!
! Define the local usernames, just like with Telnet
!
SW1(config)# username yavuz password cisco
SW1(config)# username bulut password cisco
SW1(config)# ^Z
SW1#

Basic Switch Configuration: Giving the Switch an IP Address for Remote Access
We need to give the switch an IP address so that we can access it remotely and make our settings via Telnet or SSH. Let's not forget to set the default gateway IP so the switch can be reached from different subnets and VLANs.

Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface vlan 1
Bulut-Sw1(config-if)# ip address 192.168.1.200 255.255.255.0
Bulut-Sw1(config-if)# no shutdown
00:25:07: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:25:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# ip default-gateway 192.168.1.1

Figure 6-5 Giving IP for Remote Access to the Switch.
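The weaknesses this section walks through (shared line passwords readable in show running-config, usernames stored with password rather than secret, SSH version not pinned, Telnet still accepted on the vty lines) can be checked mechanically. The following audit script is an added example in my own code, not the course material; the two configs it scans are constructed to mirror the before/after state of the slides, the hashes are placeholders, and 'username ... secret' and 'transport input ssh' are standard IOS commands the slides do not show, used here as the hardened form.

```python
"""Audit a Cisco IOS running-config for the credential weaknesses this
section discusses: plaintext line passwords, 'username ... password',
Telnet still permitted on vty lines, SSH version not pinned.

Added example (not course material). The two configs below are constructed
to mirror the slides' before/after state; the hashes are placeholders.
'username ... secret' and 'transport input ssh' are standard IOS commands
that the slides do not show, included here as the hardened form.
"""
import re
from typing import List, Tuple

BEFORE = """\
version 12.2
!
enable secret 5 $1$PLACEHOLDER
!
line con 0
 password faith
 login
!
line vty 0 4
 password hope
 login
!
line vty 5 15
 password hope
 login
"""

AFTER = """\
version 12.2
!
enable secret 5 $1$PLACEHOLDER
username yavuz secret 5 $1$PLACEHOLDER
ip domain-name example.com
ip ssh version 2
!
line con 0
 login local
!
line vty 0 15
 login local
 transport input ssh
"""


def parse_ios(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (section header, child commands).

    IOS indents the commands belonging to a section by one space;
    '!' lines are separators. Top-level commands become sections
    with no children.
    """
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> List[str]:
    """Return one 'CODE: explanation' finding per weakness found."""
    findings: List[str] = []
    sections = parse_ios(config)
    global_cmds = [header for header, _ in sections]

    if not any(h.startswith("enable secret") for h in global_cmds):
        findings.append("NO-ENABLE-SECRET: privileged mode is not protected by enable secret")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH-VERSION: 'ip ssh version 2' is not set, so SSHv1 may be negotiated")
    for h in global_cmds:
        m = re.match(r"username (\S+) password ", h)
        if m:
            findings.append(f"USER-PLAINTEXT: username {m.group(1)} uses 'password'; "
                            "store it with 'username ... secret' instead")
    has_users = any(h.startswith("username ") for h in global_cmds)

    for header, children in sections:
        if not header.startswith("line "):
            continue
        if any(c.startswith("password ") for c in children):
            findings.append(f"LINE-PASSWORD: '{header}' uses a shared line password that "
                            "show running-config reveals in the clear")
        if "login local" in children and not has_users:
            findings.append(f"LOGIN-LOCAL-NO-USERS: '{header}' uses login local but no "
                            "username is defined, so nobody can log in")
        if header.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"TELNET-ALLOWED: '{header}' still accepts Telnet; add "
                            "'transport input ssh'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or ["no findings"])
```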
Configuring Switch Interfaces
• Configuring Speed, Duplex, and Description
• Checking Interface Status
• Auto-negotiation

Configuring Switch Interfaces: Configuring Speed, Duplex, and Description
Here, we will manually set the speed under the interface, manually select whether our connection will be half duplex or full duplex, and add descriptions that will inform and help us later about that interface.

Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface FastEthernet 0/1
Bulut-Sw1(config-if)# duplex full
Bulut-Sw1(config-if)# speed 100
Bulut-Sw1(config-if)# description "3.Kat yazıcı bagli-full 100 mb ayarli"
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
Bulut-Sw1(config-if-range)# description "Bu portlarda son kullanıcılar var"
Bulut-Sw1(config-if-range)# ^Z
Bulut-Sw1#
Bulut-Sw1# show interfaces status

Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
With interface range, we can apply the same settings to FastEthernet 0/11 through 0/20 with a single set of commands.

Interface Shutdown and Checking Its Administrative Status
Bulut-Sw1(config)# interface fastEthernet 0/1
Bulut-Sw1(config-if)# shutdown
Bulut-Sw1(config-if)#
*Mar 2 03:02:19.701: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

Bulut-Sw1# show interfaces f0/1 status
We can get information about the interface status. We can shut down an interface that we do not use, or we can shut down and bring up a port remotely.

SW1(config)# interface fastethernet 0/2
SW1(config-if)# no speed
SW1(config-if)# no duplex
SW1(config-if)# no description
SW1(config-if)# no shutdown
We can remove a configuration that we entered before by putting the no command at the beginning.

Configuring Switch Interfaces: Auto-negotiation
By default, interfaces are in autonegotiation mode.
That is, when a device is connected to an interface, it negotiates with it and asks for information such as speed status, connection type (half/full) and configures itself accordingly. Figure 7-3 Example of Switch and Hub Connection Let's look at a few examples: Checking and Analyzing Interface Status Bulut-SW1# show interfaces status Bulut-SW1# show interfaces fa0/13 Bulut-SW1# show interfaces gi0/1 status Figure 7-1 Example 1 Figure 7-2 Example 2 Chapter - 4 VLAN and STP APPLICATIONS I Virtual LANs ( VLAN ) I Spanning Tree Protocol ( STP ) I Configuring RSTP and EtherChannel I VLANs Concepts I VLAN Trunking VLANs Virtual LANs I VLAN Tagging I Inter-Vlan Data Forwarding I VLAN Configuration and Authentication I VLAN Trunking Configuration I Data and Voice VLAN I Virtual LANs ( VLANs ) Virtual LANs Concepts In a network of switches, we can create a Virtual local area network (VLAN) to separate broadcast domains. A VLAN is a logical grouping of resources and network users connected to administratively defined ports on a switch. When you create VLANs, you have the ability to create smaller broadcast domains in Figure 8-1 Using different subnets with two physical switches without VLAN. a Layer 2 switch network community by assigning different ports on the switch to different subnets. Each VLAN acts as its own subnet or broadcast In Figure 8-2 below, we can see the example of dividing our network into two domain. In other words, frames broadcast to the network are only switched subnets with VLANs on the switch using a single physical switch. between logically grouped ports in the same VLAN. Does this mean we won't need routers anymore? Maybe yes, maybe no. It all depends on what you want and what your needs are. By default, hosts in a particular VLAN cannot communicate with hosts that are members of another VLAN. If you want inter-VLAN communication, the answer is that you still need a router. 
In Figure 8-1 on the side, we can see that we have divided our network into two subnets and two broadcast domains using two switches without VLANs.

Figure 8-2 Using two subnets in one switch using VLAN.

Virtual LANs (VLANs)

Using VLAN Trunking on Multiple Switches

We can interconnect two or more switches and connect hosts that are in the same VLAN on these switches. As seen in the example given in Figure 8-3, there are two switches, and two different subnets are used by creating vlan 10 and vlan 20 on each switch. A separate cable is connected between the two switches for each VLAN.

Figure 8-3 Using VLAN on multiple switches without using VLAN Trunk

It would not be practical to use such a setup in our network: for example, if there were 5 VLANs on each switch, we would have to connect a cable for each VLAN between each pair of switches, and such a setup may make it impossible to use VLANs in large networks. So, when we use multiple switches and multiple VLANs, we need to configure the ports that connect the two switches as VLAN trunks. In Figure 8-4, we can see an example of using a VLAN trunk.

Figure 8-4 Using VLAN Trunking on multiple switches
Figure 8-5 Example of VLAN Tagging between two Switches.

Virtual LANs (VLANs)

Frame Tagging

Every switch that the frame reaches must first detect its VLAN ID from the frame tag. It then determines what to do with the frame by looking at the information in the filter table. If the frame reaches a switch with another trunk link, the frame will be forwarded to the trunk link port. When the frame reaches an output determined by the forward/filter table to be an access link matching the frame's VLAN ID, the switch removes the VLAN identifier. Thus, the target device will be able to receive the frames without having to understand VLAN IDs.

Inter-Switch Link (ISL)

Inter-Switch Link (ISL) is a way to explicitly label VLAN information in an Ethernet frame. This tagging information allows VLANs to be multiplexed across a trunk link with an external encapsulation method (ISL). ISL allows the switch to detect the VLAN membership of a frame along the trunk link. By running ISL, you can interconnect many switches, and on trunk links you can still carry VLAN information while traffic flows between switches. ISL operates at Layer 2 by encapsulating a data frame with a new header and cyclic redundancy check (CRC). ISL is specific to Cisco switches and is used only for FastEthernet and Gigabit Ethernet links. ISL routing is versatile and can be used on a switch port, router interfaces, and server interface cards that are trunked to a server.

IEEE 802.1Q

Created by IEEE as a standard frame tagging method, IEEE 802.1Q adds a field to the frame to identify the VLAN. If you are trunking between a Cisco switch and a switch of a different brand, you should use 802.1Q for trunking. It works like this: first, define each port to be trunked with 802.1Q encapsulation. Ports must be assigned a specific VLAN ID for their communication, which makes them native VLANs. Ports placed on the same trunk form a group with this native VLAN, and each port is tagged with an ID number, with VLAN 1 as the default. The native VLAN allows trunks to carry received frames that have no VLAN ID or frame tag.

Figure 8-6 802.1Q Trunking

Virtual LANs (VLANs)

Inter-VLAN Data Forwarding

We have logically divided the switches with VLANs; inter-VLAN broadcasts and traffic no longer go to other VLANs. But what should we do if we need to access hosts in other VLANs, and they need to reach us too? Then we need a router or a switch that can do Layer 3 routing. To access a different VLAN, we need to enter the default router (gateway) IP information on our hosts; otherwise you cannot go out of your own VLAN.

Figure 8-7 There is no route between Layer 2 switch VLANs.
Figure 8-8 Routing between two physical interfaces and two VLANs.

VLAN Configuration and Verification

Let's create three VLANs on a switch.

Figure 8-9 Example of three VLANs on the Switch.

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# name Muhasebe-Vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/11 - 12
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# end
SW1# show vlan brief
SW1# show running-config
SW1# show vlan id 10

Virtual LANs (VLANs)

VLAN Trunk Configuration

Let's make an example with two switches and three VLANs, with a VLAN trunk between the two switches.

SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1(config)# interface gigabit 0/1
SW1(config-if)# switchport mode dynamic desirable
SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1# show vlan id 2

Figure 8-10 Example of VLAN trunk between three VLANs and two switches.
Figure 8-11 Example of VLAN trunk between three VLANs and two switches.

Virtual LANs (VLANs)

Data and Voice VLAN

The voice VLAN feature lets an access port carry IP voice traffic from an IP phone. On a port connected to a Cisco IP phone you can configure two VLANs: a VLAN for voice traffic from the phone, and another VLAN for data traffic from a PC attached to the phone.

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# vlan 11
SW1(config-vlan)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport voice vlan 11
SW1# show interfaces FastEthernet 0/4 switchport
SW1# show interfaces trunk
SW1# show interfaces F0/4 trunk

Figure 8-12 Before the IP Phone
Figure 8-13 After the IP Phone
Figure 8-14 Using Voice and Data VLAN on the LAN

STP/RSTP Spanning Tree Protocol
STP Concepts
How STP Works
Root Switch Selection
RSTP Concepts
EtherChannel

Spanning Tree Protocol STP

STP Concepts

Routing protocols have processes that stop network loops at the Network layer. However, if there are physical redundant links between your switches, the routing protocols will not do anything to stop loops at the Data Link layer. The Spanning Tree Protocol was developed to stop loops in the Layer 2 switched network. The basis of this very important protocol and how it works in a switched network are important topics that we will cover throughout this chapter.

Figure 9-1 Broadcast Storm.

Why Do We Need STP?

Redundant links between switches are good, as they prevent the entire network from becoming unusable if one link fails. Sounds good, but redundant links, while very useful, cause more problems than they solve. Because frames are sent simultaneously over all backup links, they cause loops in the network; the Spanning Tree Protocol was developed to prevent this problem.

Figure 9-2 STP Blocks Loop in Network.

Spanning Tree Protocol STP

How STP Works

STP constantly monitors the network to find all links and closes redundant links to make sure there is no loop. STP uses a spanning-tree algorithm (STA) to first create a topology database and then search for and eliminate redundant links. With STP, frames will only be sent over the preferred links selected by STP.

Spanning Tree Terms

Root bridge: The root bridge is the bridge with the best bridge ID. Choosing a root bridge that is the central point in the network is important for all switches in the network. All decisions in the network, such as which port to block and which to put in forwarding mode, are made from the perspective of this root bridge.

Bridge ID: The bridge ID is the record that STP keeps for all switches in the network. It is determined by a combination of bridge priority (32,768 by default on Cisco switches) and MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network.

BPDU: All switches exchange their information for use both in root switch selection and in subsequent network configuration. Each switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that it receives from one neighbor and sends to the other.

Non-root bridges: These are all bridges other than the root bridge. Non-root bridges exchange their BPDUs with all bridges and update the STP topology database on all switches. They prevent loops and provide a defensive measure against link failures.

Port cost: Port cost determines the best path when multiple links are used between switches and none of the links has a root port. The cost of a link is determined by the bandwidth of the link.

Root port: The root port is always the direct link to the root bridge, or the shortest path to the root bridge. If more than one link is connected to the root bridge, the port cost is determined by checking the bandwidth of each link. The lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower bridge ID will be used. Since multiple links can come from the same device, the lowest port number will be used.

Designated port: A designated port is one that has the best (lowest) cost. A designated port will be marked as a forwarding port.

Nondesignated port: A nondesignated port is a higher-cost port than a designated port. Nondesignated ports are put in blocking mode. They are not forwarding ports.

Forwarding port: A forwarding port forwards frames.

Blocked port: A blocked port will not forward frames, to avoid loops. However, a blocked port will always listen for frames.

Spanning Tree Protocol STP

Root Switch Selection

The switch ID is used to select the root switch in the STP domain and to determine the root port for each of the other devices in the STP domain. This ID is 8 bytes in size and contains the priority and the MAC address of the device. The default priority on all devices running IEEE STP is 32,768. You use each switch's priority, along with its MAC address, to determine the root switch. If two switches have the same priority value, the MAC address will be decisive in determining which one has the lowest (best) ID.

Here's how: if two switches named A and B use the default priority of 32768, their MAC addresses will be used. If Switch A's MAC address is 0000.0c00.1111 and Switch B's MAC address is 0000.0c00.2222, Switch A will be the root switch. Remember that the lower value is best when choosing the root switch. By default, BPDUs will be sent every two seconds from all active ports on the switch. (The switch with the lowest (best) switch ID is the root switch.) You can change the ID of a switch by changing its priority, so that it automatically becomes the root switch. Being able to do this is important in large networks.

Figure 9-3 Root Switch Selection Process

Spanning Tree Protocol STP

Why is Root Switch Selection Important?

Convergence happens when all ports on the switches have moved to forwarding or blocking mode. No data will be transmitted until convergence is complete, and before data can start flowing again, all devices need to be updated. Yes, you read that right: while STP converges, all host data transfer stops!
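As an added example, not code from the original training material: the root switch election and root port selection rules described above, run on a small constructed topology with the IEEE 802.1D default port costs (the values behind Figure 9-5: 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps). The switch names, MAC addresses, port numbers and link speeds are assumptions made for the illustration.

```python
# Added example, not part of the original training material: STP root switch
# election and root port selection as described in the text. The topology,
# MAC addresses and port numbers below are constructed for illustration.
from dataclasses import dataclass

# IEEE 802.1D default port costs by link speed in Mbps (the values behind Figure 9-5)
IEEE_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class BridgeID:
    priority: int  # 32768 by default on Cisco switches
    mac: str       # Cisco dotted-hex format, e.g. "0000.0c00.1111"

    def as_int(self) -> int:
        """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC address."""
        return (self.priority << 48) | int(self.mac.replace(".", ""), 16)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int


def elect_root(bridges: dict) -> str:
    """The switch with the numerically lowest bridge ID becomes the root."""
    return min(bridges, key=lambda name: bridges[name].as_int())


def root_ports(bridges: dict, links: list) -> tuple:
    """Return (root, {switch: (root path cost, root port)}) for every non-root switch.

    A port's root path cost is the neighbour's cost to the root plus the cost of
    the link; ties are broken by the lower neighbour bridge ID, then by the lower
    local port number, matching the rules stated in the text.
    """
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}  # name -> [(neighbour, my port, link cost)]
    for ln in links:
        cost = IEEE_COST[ln.speed_mbps]
        adj[ln.a].append((ln.b, ln.a_port, cost))
        adj[ln.b].append((ln.a, ln.b_port, cost))
    best = {root: (0, None)}
    # Relax every switch |V| times; the topology is tiny, so this converges.
    for _ in range(len(bridges)):
        for name in bridges:
            if name == root:
                continue
            candidates = [
                (best[nbr][0] + cost, bridges[nbr].as_int(), port)
                for nbr, port, cost in adj[name]
                if nbr in best
            ]
            if candidates:
                cost, _, port = min(candidates)
                best[name] = (cost, port)
    return root, {n: v for n, v in best.items() if n != root}


# Constructed three-switch triangle: two Gigabit links to SW1 and a FastEthernet
# link between SW2 and SW3. Port numbers stand for the interface index on each switch.
DEFAULT_BRIDGES = {
    "SW1": BridgeID(32768, "0000.0c00.1111"),
    "SW2": BridgeID(32768, "0000.0c00.2222"),
    "SW3": BridgeID(32768, "0000.0c00.3333"),
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),
    Link("SW1", 2, "SW3", 2, 1000),
    Link("SW2", 3, "SW3", 3, 100),
]


def lowered_priority(bridges: dict, name: str, priority: int) -> dict:
    """Copy of the bridge table with one switch's priority changed (e.g. to 4096)."""
    new = dict(bridges)
    new[name] = BridgeID(priority, bridges[name].mac)
    return new


if __name__ == "__main__":
    # With equal priorities the lowest MAC (SW1) wins; both others use their Gigabit link.
    print(root_ports(DEFAULT_BRIDGES, LINKS))
    # Lowering SW3's priority makes it root; SW2 then prefers the two-hop Gigabit path
    # through SW1 (cost 8) over its direct FastEthernet link (cost 19).
    print(root_ports(lowered_priority(DEFAULT_BRIDGES, "SW3", 4096), LINKS))
```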
If you want to stay connected with your network users (or always running), you should make sure that your switch network is physically well designed so that STP converges quickly. Convergence is really important, as it ensures that all devices have the same database. But as I specifically mentioned, it will cost you. Usually, it takes 50 seconds to go from blocking to forwarding, and I do not recommend changing the STP timers (but you can change these timers if necessary). By building your physical switch design in a hierarchical fashion, as shown in Figure 9-3, you can make your core switch the STP root. This will speed up the STP convergence time.

Figure 9-3 An optimal hierarchical switch design.
Figure 9-4 Using Cost on non-root ports
Figure 9-5 IEEE Default Cost Values

Note: Cost determines the best path when none of the links has a root port. The cost of a link is determined by the bandwidth of the link.

Spanning Tree Protocol STP

Rapid Spanning Tree Protocol RSTP Concepts 802.1w

Would you like to have an STP configuration that works well in your switch network and has all the features working effectively on each switch, regardless of the switch brand? Definitely yes! Good, then welcome to the world of Rapid Spanning Tree Protocol (RSTP).

Cisco developed PortFast, UplinkFast, and BackboneFast to correct the loopholes and disadvantages of the IEEE 802.1d standard. The disadvantage of these is that they are Cisco proprietary and require additional configuration. The new 802.1w standard (RSTP) addresses all these issues in one package. Just enable RSTP and go.

✓ RSTP adds a mechanism by which a switch can change the root port without going into forwarding mode.
✓ RSTP adds a mechanism to the designated port before a switch goes into forwarding mode.
✓ RSTP reduces wait times in some cases.

STP and RSTP Comparison

✓ RSTP and STP use the same rules when choosing root switches.
✓ RSTP and STP use the same rules when choosing root ports.
✓ RSTP and STP use the same rules when choosing designated ports.
✓ RSTP and STP make each port forwarding or blocking, but RSTP uses the discarding state instead of blocking.

Figure 9-6 Comparison of STP and RSTP Port States

Spanning Tree Protocol STP

PortFast

If we use the portfast command on our switches, we avoid the problem of our hosts not getting a DHCP address, because STP takes a long time to converge and exceeds the hosts' DHCP request time.

BPDU Guard

If you enable PortFast, it's a really good idea to enable BPDU Guard. If a switch port with PortFast enabled receives a BPDU on that port, BPDU Guard puts the port into the error-disabled state. This prevents an administrator from accidentally connecting another switch or hub port to a PortFast-configured switch port. In fact, you are preventing this from happening and causing your network to crash, or at least be seriously damaged. You can only configure this command on your Access layer switches, to which users are directly connected. Therefore, we will not configure this on our Core switch.

EtherChannel

In STP, a port is blocked, so we actually use a single connection even though we have two connections. With EtherChannel you can combine the links and create a logical aggregation, so that many of our links will appear as one. If doing this provides the same redundancy as STP, why not merge our backup links? It provides both redundancy like STP and allows us to use the ports actively, plus we can connect up to eight ports between two switches (it may vary according to the switch brand and model). As usual, EtherChannel has a Cisco version and an IEEE version. The Cisco version is defined as Port Aggregation Protocol (PAgP) and the IEEE 802.3ad standard is called Link Aggregation Control Protocol (LACP). Both work equally well, but the configuration of the two is different.

Figure 9-7 Example of EtherChannel Connection.
Multiple Spanning Trees MST and EtherChannel
STP Modes and Standards
RSTP Configuration
EtherChannel Configuration

MST and EtherChannel

Multiple Spanning Trees: STP Modes and Standards

In the mid-1990s, VLANs appeared along with switches. The emergence of VLANs posed a challenge for STP, which was the only type of STP available at the time, because STP defined a single Common Spanning Tree (CST) topology for the entire LAN. IEEE needed to create a Multiple Spanning Tree to balance traffic between existing links, as shown in Figure 10-1. In two different STP instances, SW3 can block on a different interface in each VLAN, as shown in the figure.

PVST+ Per-VLAN Spanning Tree: Since there was only one 802.1D Spanning Tree standard in the 1990s, Cisco developed the PVST+ protocol to provide a spanning tree for every VLAN.

RPVST+ Rapid Per-VLAN Spanning Tree: When IEEE created RSTP in 2001, Cisco created RPVST+. This standard provides a spanning tree per VLAN, with more features than RSTP.

MSTP: IEEE did not fully adopt Cisco's PVST+ and RPVST+ and created a different protocol, MSTP, initially defined as 802.1Q but later changed to 802.1S.

Figure 10-1 Load Balancing between STP VLAN 1 and VLAN 2
Figure 10-2 Timeline of Per-VLAN and Multiple STP Features
Figure 10-3 STP Standards and Configuration Options.

MST and EtherChannel

Layer 2 EtherChannel Configuration

Let's simply configure a Layer 2 EtherChannel between two switches.

interface Port-channel 1
 switchport mode trunk
 no shut
interface range FastEthernet0/1-2
 switchport mode trunk
 channel-group 1 mode desirable
 no shut

sh int trunk
sh etherchannel summary
SW2#show etherchannel load-balance

Figure 10-4 Simple EtherChannel Example.

We do the same configuration on both switches. On the second switch, we can set the channel-group mode as auto or desirable. If you are not using multiple VLANs on the switches, you do not need switchport mode trunk.

SW2(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

Chapter - 5 IPv4 ADDRESSING and SUBNETTING
Introduction to IPv4 Subnetting
IPv4 Addressing
Analyzing Subnet Masks
Analyzing Existing Subnets

IPv4 Introduction to Subnetting
Subnetting Basics
Subnet Design
Subnet Mask Selection
Using Host Bits
Plan and Implementation

Introduction to IPv4 Subnetting

Subnetting Basics

How to Create Subnets?

If you want to take a single network address and create six networks from it, you will need to use subnetting, because it allows you to take a large network and divide it into smaller network segments. To create subnets, you take bits from the host portion of the IP address and reserve them to define subnet addresses. This means fewer bits for the host, so the more subnets there are, the fewer bits there will be to identify the host.

But before you actually subnet, you have to define your plan based on both your current needs and your future situation:

1. Which hosts do we need to group in a subnet?
2. How many subnets are needed for this network?
3. How many host IP addresses are required for each subnet?
4. For simplicity, will we use a single subnet size or not?

There are many reasons to use subnetting, including the following benefits:

Low network traffic: We welcome any type of low traffic. Networks are no different. Without reliable routers, packet traffic on the switches brings the entire network to a standstill. With routers, most traffic will remain in the local network, and only packets destined for other networks will be passed through the router. Routers create broadcast domains. The more broadcast domains you create, the less network traffic there is, and the smaller the broadcast domain in each network segment.

Optimized network performance: This is the result of low network traffic.
Simplified management: Identifying and isolating network problems is easier in smaller network groups than in a large network.

Streamlined distribution over wide geographic distances: Because WAN links are slower and more expensive than LAN links, connecting many small networks will make the system more efficient if we have a large network spread over a wide area.

Figure 11-1 Subnet Planning, Design, and Implementation Tasks

Introduction to IPv4 Subnetting

One Size Subnet Fits All

Figure 11-2 Using Single-Size Subnets

Multiple Subnet Sizes (Variable-Length Subnet Masks)

Figure 11-3 Using Three Subnets and Three Masks

Designing Public IP Networks

The IPs used on the internet had to be unique, so these IPs were divided into classes and allocated to ISPs and companies. RFC 1918 reserved a certain part of the Class A, B and C address space as private IPs for use in the LAN; let's take a look at them below.

Figure 11-4 Two Companies' Public IP Usage
Figure 11-5 Two Companies Using Private IP

Private IP Networks

The private IP list reserved for use in our local network:

Figure 11-6 RFC 1918 Private IP Addresses

Introduction to IPv4 Subnetting

Mask Selection

How many subnets do we need? How many hosts do we need?
Number of subnets required
Number of hosts per subnet required
It was preferred to use only one mask, as all subnets are the same size (same number of hosts per subnet).
Choosing the IP block we will use for the subnets.

Figure 11-9 Host and Subnet bit selection

Selecting Host Bits for Subnets

If you have followed the topics in order so far, you can answer the following questions according to the example in Figure 11-3:

✓ Let's use a single mask for each subnet.
✓ Let's have 200 subnets.
✓ Have 200 hosts in each subnet.
✓ Let's use the Class B 172.16.0.0 network.
Figure 11-7 Class A, B and C Networks without Subnets
Figure 11-8 Class A, B and C Networks Using Subnets

Class A: 2^24 - 2 = 16,777,214
Class B: 2^16 - 2 = 65,534
Class C: 2^8 - 2 = 254

Figure 11-10 Mask selection
Figure 11-11 Creating the Subnet Mask

Binary, Class B Network: N = 16, S = 8, H = 8

Introduction to IPv4 Subnetting

Plan and Implementation

Before starting the plan and implementation, we must choose which subnets we will use for the devices and locations we have. We can use the subnets in the table above for our locations. If there are devices that will use static IPs, we can identify them and reserve those IPs on the DHCP server, or adjust the DHCP server's IP distribution range accordingly.

Figure 11-12 Subnets we can use for our example.
Figure 11-13 Plan and implementation steps.
Figure 11-14 Applying subnets to different locations.
Figure 11-14 Static IP usage and IP distribution from the DHCP Server

IPv4 Addresses
IPv4 Address Classes and Related Information
Number and Size of Class A, B, and C Networks
Default Mask
Practicing IPv4

IPv4 Addressing

IP Terminology

Bit: A bit is a number that is either 1 or 0.

Byte: A byte is 7 or 8 bits, depending on the parity used. For the remainder of this module, we will think of a byte as 8 bits.

Octet: An 8-bit octet is an ordinary 8-bit binary number. The terms byte and octet are completely interchangeable in this module.

Network address: This is the address used in routing to send packets to a remote network. For example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.

Broadcast address: This address, which is used by applications and user machines to send information to all hosts on the network, is defined as the broadcast address.

IPv4 Network Classes and Related Information

There are five classes in IPv4: Classes A, B and C are unicast addresses, Class D is multicast addresses, and Class E is used for scientific research.

Figure 12-1 IPv4 Address Classes Based on First Octet Values
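As an added example, not code from the original training material: the subnet and host bit selection above (single mask, 200 subnets, 200 hosts per subnet, Class B 172.16.0.0) worked through in code, giving N, S and H, the resulting mask and the first subnets; it also reports when a plan does not fit in 32 bits. The function names are assumptions made here.

```python
# Added example, not part of the original training material: choosing the
# subnet (S) and host (H) bits for a single-mask design, as in the text's
# example (Class B 172.16.0.0, 200 subnets, 200 hosts per subnet), and listing
# the resulting subnets.
import ipaddress
import itertools

# Network bits of each classful address class (N in the text)
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(network: str) -> str:
    """Classify by the first octet: A below 128, B below 192, C below 224."""
    first = int(network.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    raise ValueError("only Class A, B and C networks are subnetted here")


def bits_needed(count: int) -> int:
    """Smallest number of bits b such that 2**b >= count."""
    return (count - 1).bit_length()


def design_single_mask(network: str, subnets: int, hosts_per_subnet: int) -> dict:
    """Return N, S, H, the prefix length and dotted mask for a single-mask design.

    H must cover the hosts plus the two unusable addresses of each subnet
    (subnet ID and broadcast). Raises ValueError when N + S + H exceeds 32.
    """
    n = CLASS_NETWORK_BITS[address_class(network)]
    s = bits_needed(subnets)
    h = bits_needed(hosts_per_subnet + 2)
    if n + s + h > 32:
        raise ValueError(
            f"{network}: N={n} S={s} H={h} needs {n + s + h} bits, only 32 available"
        )
    prefix = n + s
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    return {
        "N": n, "S": s, "H": h, "prefix": prefix, "mask": mask,
        "subnets_available": 2 ** s,      # 2^S subnets of equal size
        "hosts_per_subnet": 2 ** h - 2,   # minus subnet ID and broadcast
    }


def first_subnets(network: str, prefix: int, count: int) -> list:
    """The first `count` subnets of the classful network with the chosen prefix."""
    n = CLASS_NETWORK_BITS[address_class(network)]
    base = ipaddress.ip_network(f"{network}/{n}")
    return [str(sn) for sn in itertools.islice(base.subnets(new_prefix=prefix), count)]


if __name__ == "__main__":
    plan = design_single_mask("172.16.0.0", 200, 200)
    print(plan)  # N=16, S=8, H=8, /24, 255.255.255.0, 256 subnets of 254 hosts
    print(first_subnets("172.16.0.0", plan["prefix"], 4))
```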
For example, 255.255.255.255 includes all networks and hosts, 172.16.255.255 specifies all networks on the 172.16.0.0 network, and 10.255.255.255 is the broadcast address for all subnets and hosts on the 10.0.0.0 network.

Figure 12-2 Basic Information for Classes A, B and C

IPv4 Addressing

Number and Size of Class A, B, and C Networks

In Class A, the first octet is the network address and the remaining three octets are host addresses. In Class B, the first two octets are the network address and the last two octets are the host addresses. In Class C, the first three octets are the network address and the last octet is reserved for hosts.

Figure 12-3 Classes A, B and C Network and Host Numbers
Figure 12-4 Network and Host Bits

Default Mask

Default masks are as in the list below.

Figure 12-5 Classes A, B and C Default Mask Addresses

IPv4 Addressing
Practicing IPv4

IPv4 Addressing
IPv4 Practice Answers

Analyzing Subnet Masks
Subnet Mask Conversion
Understanding the Powers of 2
Prefix (CIDR)
Prefix Conversion
Subnet Mask Conversion Practice
Classless and Classful Addressing

Analyzing Subnet Masks

Subnet Mask Conversion

Converting from Binary to Decimal

What interests us in binary numbering is a value represented in the typical decimal format, with the base-10 number arrangement we have used since kindergarten. Binary numbers are placed in value fields: it starts from the right and continues to the left. Each field has a value equal to twice the previous field's value.

Byte values: 128 64 32 16 8 4 2 1

Understanding the Powers of 2

The powers of the number 2 are important to understand and keep in mind for IP subnetting. To compute a power of 2, when you see a number with its exponent, you multiply the number by itself as many times as the exponent specifies. For example, 2^3 is 2x2x2 = 8. Here is a list of powers of 2 that you should memorize:

Since all the bits are used, we sum all the bit fields.
The maximum value of a byte is seen as:

11111111 = 128+64+32+16+8+4+2+1 = 255

Figure 13-1 Powers of two memorization chart

There are many decimal values that a binary number can equal. Let's look at some examples:

10010110: Which bits are used? Bits 128, 16, 4 and 2 are used, so we just add them.
10010110 = 128+16+4+2 = 150

01101100: Which bits are used? Bits 64, 32, 8 and 4 are used, so we just add them.
01101100 = 64+32+8+4 = 108

Prefix: Classless Inter-Domain Routing (CIDR)

Another term you should know well is the prefix, from Classless Inter-Domain Routing (CIDR). It is actually the method that ISPs (internet service providers) use to allocate an address block to a business or home user. When a block address is received from the ISP, it will look like 192.168.10.32/28. This tells you what your subnet mask is. The slash notation (/) means how many bits of the mask will be 1. Obviously, the maximum can be /32, since a byte has 8 bits and an IP address has 4 bytes (4x8=32). But keep in mind that since you have to reserve at least 2 bits for the host bits, the largest usable subnet mask (regardless of the class of the address) is /30.

Analyzing Subnet Masks

Converting Subnet Prefixes (CIDR) to Binary

Let's look at examples of binary to prefix and prefix to binary conversions.
Figure 13-2 Example of Conversion from Prefix to Binary
Figure 13-3 Example of Binary to Prefix Conversion
Figure 13-4 Example of Conversion from Prefix to Binary and from Binary to Decimal
Figure 13-5 Example of Decimal to Binary, Binary to Prefix

Subnet Mask Conversion Practice

Analyzing Subnet Masks

Classless and Classful Addressing

Figure 13-6 Classful Network Example
Figure 13-7 Example of Classless Network

Analyzing Subnet Masks
Subnet Mask Conversion Practice Answers

Analyzing Existing Subnets
Subnet Determination
Easy Mask Calculation
Finding the Subnet ID: Different Masks
Finding Broadcast Addresses: Different Masks
Practicing

Analyzing Existing Subnets

Subnet Determination

We use blocks such as 4-8-16-32-64-128-256 when specifying subnets. We can determine the size of the subnet according to the number of hosts that will be in that subnet. Two addresses in a subnet cannot be used for hosts: the subnet ID and the broadcast address.

172.16.0.0 Network and Four Subnet Examples

For example, let's take IP 172.16.150.41 with subnet mask 255.255.192.0 and find these subnets.

Figure 14-1 Class B Network and /18 Mask
Figure 14-2 Network 172.16.0.0, Divided into Four Equal Subnets
Figure 14-3 Resident Subnet for 172.16.150.41, 255.255.192.0

Analyzing an Existing Subnet: Easy Mask Calculation

Subnet ID:
Step 1: If the mask octet is 255, write the decimal IP address octet as it is.
Step 2: If the mask octet is 0, write 0.

Broadcast Address:
Step 1: If the mask octet is 255, write the decimal IP address octet as it is.
Step 2: If the mask octet is 0, write 255.

Table 14-4 Subnet ID and Broadcast Address Practice

Analyzing Existing Subnets

Finding the Subnet ID: Different Masks

Step 1: If the mask octet is 255, write the decimal IP address octet as it is.
Step 2: If the mask octet is 0, write 0.
Step 3: If the mask octet is neither 255 nor 0, we use our magic number: subtract the mask octet from 256 to find the block size of the subnet. The subnet ID octet is the multiple of the magic number that is closest to, but not above, the IP address octet.
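As an added example, not code from the original training material: the octet-by-octet subnet ID method above, with the magic number (256 minus the mask octet) for octets that are neither 255 nor 0, together with the prefix and mask conversions of the previous section. It goes one step beyond the text by also computing the broadcast address with the magic number (subnet ID octet plus block size minus 1) and by rejecting masks whose 1 bits are not contiguous. The sample addresses are the ones used in this chapter; the function names are assumptions made here.

```python
# Added example, not part of the original training material: the octet-by-octet
# subnet ID and broadcast method from the text, with the "magic number"
# (256 - mask octet) for an octet that is neither 255 nor 0, plus the prefix
# and mask conversions. Sample addresses are the ones used in the text.

def prefix_to_mask(prefix: int) -> str:
    """/18 -> 255.255.192.0: the first `prefix` bits of the mask are 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """255.255.192.0 -> 18; rejects masks whose 1 bits are not contiguous."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad mask {mask}")
    binary = "".join(f"{o:08b}" for o in octets)
    if "01" in binary:  # a 0 followed by a 1 means the mask is not contiguous
        raise ValueError(f"non-contiguous mask {mask}")
    return binary.count("1")


def subnet_id(ip: str, mask: str) -> str:
    """Steps 1-3 of 'Finding the Subnet ID: Different Masks'."""
    mask_to_prefix(mask)  # validate the mask first
    out = []
    for ip_o, m_o in zip(map(int, ip.split(".")), map(int, mask.split("."))):
        if m_o == 255:
            out.append(ip_o)                  # Step 1: copy the IP octet
        elif m_o == 0:
            out.append(0)                     # Step 2: write 0
        else:
            magic = 256 - m_o                 # Step 3: block size of the subnet
            out.append(ip_o - ip_o % magic)   # largest multiple of magic <= IP octet
    return ".".join(map(str, out))


def broadcast_address(ip: str, mask: str) -> str:
    """Same three steps applied to the subnet ID, writing 255 for a 0 mask octet."""
    out = []
    sid = map(int, subnet_id(ip, mask).split("."))
    for s_o, m_o in zip(sid, map(int, mask.split("."))):
        if m_o == 255:
            out.append(s_o)                   # Step 1: copy the subnet ID octet
        elif m_o == 0:
            out.append(255)                   # Step 2: write 255
        else:
            out.append(s_o + (256 - m_o) - 1) # Step 3: subnet ID + magic - 1
    return ".".join(map(str, out))


def analyze_subnet(ip: str, mask: str) -> dict:
    """Subnet ID, broadcast, first/last usable host and host count for ip/mask."""
    prefix = mask_to_prefix(mask)
    sid = subnet_id(ip, mask)
    bcast = broadcast_address(ip, mask)
    sid_o = [int(o) for o in sid.split(".")]
    bc_o = [int(o) for o in bcast.split(".")]
    first = ".".join(map(str, sid_o[:3] + [sid_o[3] + 1]))
    last = ".".join(map(str, bc_o[:3] + [bc_o[3] - 1]))
    usable = 2 ** (32 - prefix) - 2 if prefix <= 30 else 0
    return {"prefix": prefix, "subnet_id": sid, "broadcast": bcast,
            "first_host": first, "last_host": last, "usable_hosts": usable}


if __name__ == "__main__":
    # 172.16.150.41 / 255.255.192.0: magic number 64, 150 lies in the 128 block
    print(analyze_subnet("172.16.150.41", "255.255.192.0"))
    # 192.168.5.77 / 255.255.255.224: magic number 32, 77 lies in the 64 block
    print(analyze_subnet("192.168.5.77", "255.255.255.224"))
```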
Figure 14-5 Calculating octets block by block
Figure 14-6 Finding Subnet ID: 130.4.102.1, 255.255.240.0
Figure 14-7 Finding Subnet ID: 192.168.5.77, 255.255.255.224

Subnet ID Practice

Figure 14-8 Finding Subnet ID: 192.168.5.77, 255.255.255.224

Analyzing Existing Subnets

Finding a Broadcast Address: Different Masks

Step 1: If the mask octet is 255, write the decimal IP address octet as it is.
Step 2: If the mask octet is 0, write 255.
Step 3: If the mask octet is neither 255 nor 0, we subtract the mask octet from 256 to find the block size of the subnet. Let the example be 16: 16-1 = 15. When we add 15 to the subnet ID octet, we find the broadcast address.

Figure 14-9 Find the Subnet Broadcast: 130.4.96.0, 255.255.240.0
Figure 14-10 Find the Subnet Broadcast: 192.168.5.64, 255.255.255.224

Broadcast Address Practice

Figure 14-11 Finding Broadcast Address from Shortcut

Analyzing Existing Subnets

Figure 14-4 Subnet ID and Broadcast Address Answers
Figure 14-8 Finding Subnet ID Shortcut Answers
Figure 14-11 Shortcut Broadcast Address Answers

Chapter - 6 IPv4 ROUTING
Cisco Router Management
IPv4 Static Routes
IPv4 Routing on the LAN
IPv4 Routing Troubleshooting

Cisco Router Management
Running the Router
Cisco ISR Router
Cisco Router Interfaces
Router Interface IP Address
Router Auxiliary Port

Cisco Router Management

Running a Router

The first time you turn on a Cisco router, it runs a power-on self-test (POST). If it passes, it searches for the Cisco IOS in flash memory and loads it (if an IOS file exists). (By the way, if you don't know, flash memory is an electronically erasable programmable read-only memory, EEPROM.) After that, IOS loads and looks for a valid configuration (startup-config).

This is the first part of the router boot process output. It is the information about the bootstrap program that runs when the POST runs first. Then it tells the router how to load (the default is to find IOS in flash memory). It also lists the RAM size in the router.
The startup-config is stored in non-volatile RAM (NVRAM). The following messages are the ones that appear when you first boot or reload a router.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

The next output shows us how IOS is decompressed into RAM:

program load complete, entry point: 0x8000f000, size: 0x14b45f8
Self decompressing the image :
################################################################################ [OK]

The pound signs tell us that IOS is being loaded into RAM. After IOS has been decompressed into RAM, IOS is loaded and the router starts working, as seen below. Note that the IOS version is the enhanced security version 12.4(12):

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x41AA0000

Cisco Router Management

One of the nice new features of ISR routers is that the IOS name is not encrypted. The filename actually tells you what the IOS can do, as in Advanced Security. When IOS is loaded, the information learned from POST will be displayed. You can see it below.

[some output cut]
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

There are two FastEthernet interfaces, four serial interfaces and a VPN module. The sizes of RAM, NVRAM and flash are also displayed. The router output above shows us 256MB of RAM, 239K of NVRAM and 64MB of flash.

Note: When IOS is loaded and running, a pre-configuration (called startup-config) is copied from NVRAM to RAM. A copy of this file is placed in RAM and designated as running-config.

Figure 15-1 A General Enterprise Network Diagram

Cisco Integrated Services Routers (ISR)

Other brands, including Cisco, often have several different types of router models. Routers today often do a lot more than just forward packets; they actually act as a device or platform to provide many network services. Cisco even branded its enterprise routers not only as routers, but as "Integrated Services Routers (ISRs)", emphasizing the multi-purpose nature of the products.

Cisco Router Management

As an example, let's take the network functions needed in a typical branch office. A typical corporate branch office needs a router for WAN/LAN connectivity and a LAN switch to provide LAN connections. Many branches also need Voice over IP (VoIP) services to support IP phones, and various security services. In addition, it is difficult to imagine a company today whose users have no Wi-Fi access. Therefore, Cisco has single router models that act as both routers and switches and provide other functions, rather than requiring multiple separate devices in a company, as shown in Figure 15-2.

Figure 15-3 Cisco 4321 Integrated Services Router (ISR) Model Router Photograph

Figure 15-3 shows a photo of the Cisco 4321 ISR and some of its more important features. The figure shows a complete view of the back of the router. This model comes with two built-in Gigabit Ethernet interfaces and two modular slots that allow you to add small cards called Network Interface Modules (NIMs). An example NIM (a NIM providing two serial interfaces) is shown on the right of the figure.
It has other inputs as well, including a router RJ-45 and a USB console port. Figure 15-2 A more detailed Enterprise Network Diagram Note : Cisco has covered Serial connection issues ( Bandwidth and Clock Rate on Serial Interfaces ) in CCNA curves since 1998, but since this technology is not used much anymore, CCNA 200-301 has removed it from the training content. I Cisco Router Management Cisco Router Interfaces Router Interfaces IP Address Accessing the Cisco router CLI is the same as in sitches. We can connect via Console, Telnet and SSH. If you forgot these connection methods, you can refer to Chapter-2 topic 4 CLI usage again. Below we can see some types of interfaces used in the router.interface ethernet 0 interface fastethernet 0/1 interface gigabitethernet 0/0 interface gigabitethernet 0/1/0 interface serial 1/0/1 Figure 15-4 IPv4 Address Example Diagram R1# configure terminal Enter configuration commands, one per line. End with CNTL/ Z. R1config)# interface G0/0 R1(config-if)# ip address 172.16.1.1 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# interface S0/0/0 R1(config-if)# ip address 172.16.4.1 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# interface G0/1/0 R1(config-if)# ip address 172.16.5.1 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# ^Z R1# IPv4 Static Routes I IP Routing I IP Routing Process I IP Routing Example I Configuration I IPv4 Static Routes IP Routing This is an important topic to understand, as all routes and configurations are IP related. IP routing is the process of moving packets from one network to another using routers. Before you start explaining this section, you have to know the difference between a routing protocol and a routed protocol. A routing protocol is used by Figure 16-1 Host Routing Logic Summary routers to dynamically find all networks in the network community and ensure that all routers are in the same routing table. 
Essentially, a routing protocol determines the path a packet will follow through the network community. Examples of routing protocols are RIP, RIPv2, EIGRP and OSPF. When the routers learn all the networks, the routed protocol can be used to send user data (packets) on the installed structure. Examples of routed protocols are IPv4 and IPv6. IP Routing Process We've seen the basics of IP Routing in Chapter 1, chapter 3, and in this chapter, we'll use the IP addressing terms we covered in chapters 2, 3, and 4. Figure 16-2 Routing Logic Summary of Router I IPv4 Static Routes IP Routing Example Our IP address is 172.16.1.9 / 24 Destination IP 172.16.2.9 / 24 Our Default Gateway Address is 172.16.1.1 Figure 16-4 Host A sends the packet to Host B. We add our Mac address to the Ethernet Frame and send the packet to our Step :1 Router 1 checks the Target Mac and FCS in the incoming packet, if there is no error, it goes to step 2. default gateway. Step :2 Router 1 de-encapsulates the incoming packet. Figure 16-3 Example of routing in five steps I IPv4 Static Routes Step :3 Router 1 looks at the route table for the destination ip in the incoming packet If the packet were to go to 172.16.3.9, it would send it from the G0/1/0 LAN and selects the interface to send if there is a route in the table. interface, then it would send the packet by encapsulating by adding an ethernet frame, not hdlc. Step :5 Router 1 sends the ready frame packet. Step :4 Router 1 encapsulates the packet again. I IPv4 Static Routes Configuring IP Addresses I am writing the Router 1 Ip configuration as an example, let's configure the other routers together. 
R1# interface GigabitEthernet0/0 ip address 172.16.1.1 255.255.255.0 interface Serial0/0/0 ip address 172.16.4.1 255.255.255.0 interface GigabitEthernet0/1/0 ip address 172.16.5.1 255.255.255.0 R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP Gateway of last resort is not set Figure 16-5 Simple network diagram configuration. 172.16.0.0/16 is variably subnetted, 6 C 172.16.1.0/24 is directly connected, L 172.16.1.1/32 is directly connected, C 172.16.4.0/24 is directly connected, L 172.16.4.1/32 is directly connected, C 172.16.5.0/24 is directly connected, subnets, 2 masks GigabitEthernet0/0 GigabitEthernet0/0 Serial0/0/0 Serial0/0/0 GigabitEthernet0/1/0 L 172.16.5.1/32 is directly connected, GigabitEthernet0/1/0 R1# show ip arp Protocol Address Age (min) Hardware Addr Type Interface Internet 172.16.1.1 - 0200.2222.2222 ARPA GigabitEthernet0/0 Internet 172.16.1.9 35 0200.3333.3333 ARPA GigabitEthernet0/0 I IPv4 Static Routes Configuring Static Routes Floating Static Routes R1# If you pay attention to the command line below, you will see the number 130 ip route 172.16.2.0 255.255.255.0 S0/0/0 ip route 172.16.3.0 255.255.255.0 172.16.5.3 R1# show ip route static at the end of the line, now you will say what is this, this is administrative distance. administrative distance; The priority order in the route table is 110 in OSPF AD default, it is static route 1 but here it is changed to 130 so OSPF has first priority. ip route 172.16.2.0 255.255.255.0 172.16.5.3 130 Figure 16-6 Static Routes Concept Static Host Routes The first line sends 10.2.2.2 as the next-hop router for the 10.1.1.0 subnet, the second line sends the incoming route requests to the 10.1.1.9 host on the same subnet to 10.9.9.9. ip route 10.1.1.0 255.255.255.0 10.2.2.2 ip route 10.1.1.9 255.255.255.255 10.9.9.9 Figure 16-7 Using Floating Static Route for Subnet 172.16.2.0 Static Default Routes R2# configure terminal Enter configuration commands, one per line. 
End with CNTL/Z. R2(config)# ip route 0.0.0.0 0.0.0.0 s0/0/1 R2(config)# ^Z R2# show ip route Gateway of last resort is 0.0.0.0 to network 0.0.0.0 S* 0.0.0.0/0 is directly connected, Serial0/0/1 LAN IPv4 Routing I VLAN Routing with I Router 802.1Q Trunk I Configuring ROAS ( Router On A Stick ) I Configuring VLAN Routing with SVI I Configuring VLAN Routing with Route Port I Layer 3 EtherChannel I IPv4 Routing (LAN) VLAN Routing with Router 802.1Q Trunk ROAS ( Router On A Stick ) Configuration Routing by connecting a cable to the router for each vlan on the switch will not In the example below, there are two vlans on the switch and it is connected to the be very useful. There are more functional ways of doing this, I'll teach you router with a single cable, in this case, we will make Sub-interfaces and allow about them. What are our options, let's take a look at them; different vlans to pass through with a single connection. Router-On-A-Stick (ROAS) Switched Virtual Interfaces (SVI) with Layer 3 Sw VLAN Routing with Route Port on Layer 3 Switch Ether Channel on Layer 3 Switch Figure 17-2 Example of ROAS with Subinterfaces on Router B1 B1# show running-config ! Only pertinent lines shown interface gigabitethernet 0/0 ! No IP address up here! No encapsulation up here! ! interface gigabitethernet 0/0.10 encapsulation dot1q 10 ip address 10.1.10.1 255.255.255.0 ! Figure 17-1 Example of Using Layer 3 Switch in Central Location interface gigabitethernet 0/0.20 encapsulation dot1q 20 ip address 10.1.20.1 255.255.255.0 I IPv4 Routing (LAN) Configuring Vlan Routing with Layer 3 SVI Configuring Vlan Routing with Route Port on Layer 3 Switch Using a router with ROAS to route packets makes sense in some situations, When we use SVI in Layer 3 switches, the physical interfaces work as Layer 2 especially in small networks. 
In networks with larger LANs, we prefer to use as usual, that is, the ethernet receives the frame souce the mac learns and the Layer 3 switches for Inter VLAN Routing. switch transmits the frame by adding the target mac address of the frame. Instead, we can routing the Layer 3 switch physical port with the Layer 3 mode as the route mode. Figure 17-3 Example of Routing Using Vlan Interfaces on Layer 3 Switch ip routing ! interface vlan 10 ip address 10.1.10.1 255.255.255.0 ! interface vlan 20 ip address 10.1.20.1 255.255.255.0 ! interface vlan 30 ip address 10.1.30.1 255.255.255.0 SW1# show ip route Figure 17-4 Example of Routing Using Route Port on Layer 3 Switch ip routing ! interface vlan 10 ip address 10.1.10.1 255.255.255.0 ! interface vlan 20 ip address 10.1.20.1 255.255.255.0 ! interface gigabitethernet 0/1 no switchport ip address 10.1.30.1 255.255.255.0 SW1# show ip route I IPv4 Routing (LAN) EtherChannel on Layer 3 Switch If you prefer multiple and redundant connections rather than a single connection, you can use the Layer 3 EtherChannel application. Figure 17-5 Example of Layer 3 EtherChannel interface GigabitEthernet1/0/13 no switchport no ip address channel-group 12 mode desirable ! interface GigabitEthernet1/0/14 no switchport no ip address channel-group 12 mode desirable ! interface Port-channel12 no switchport ip address 10.1.12.1 255.255.255.0 IPv4 Routing Troubleshooting I Troubleshooting Using the Ping Command I Using Extended Ping I Using the TraceRoute Command I Using Extended TraceRoute I Telnet and SSH Troubleshooting I IPv4 Routing Troubleshooting Troubleshooting Using the Ping Command Step 1: Open a command (cmd) window and ping 127.0.0.1. This is the Debugging IP addressing is clearly a very important skill. That's why this is system diagnostic or loopback address, and your TCP/IP stack is considered to where I'm going to show you the Cisco method of debugging IP addressing. Let's be working if you can ping it. 
If you can't, then you have an IP stack problem look at Figure 18-1 for an example of your simple IP problem. Poor Sally cannot and need to reinstall TCP/IP on the host. connect to the Windows server. Can you handle this by calling the Microsoft C:\Users\Yavuz>ping 127.0.0.1 team and mentioning that their server is a pile of garbage and is causing all your problems? Probably not such a good idea. Let's revisit our network instead. Let's get started by following Cisco's troubleshooting steps. They are quite simple, but equally important. Imagine you are at the client's machine and cannot communicate with the server that is on a remote network. Below are four Cisco recommended troubleshooting steps: Pinging 127.0.0.1 with 32 bytes of data: Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Step 2: Ping the IP address of the local host from the command window. If this is successful, your network interface card (NIC) is working. If you can't, then there is a problem with the NIC. Success here does not mean that the cable is plugged into the NIC. Only the IP protocol stack on the host can communicate with the NIC (with the help of the LAN driver). Figure 18-1 Example of Simple Troubleshooting C:\>ping 172.16.10.2 Pinging 172.16.10.2 with 32 bytes of data: Reply from 172.16.10.2: bytes=32 time<1ms TTL=128 Reply from 172.16.10.2: bytes=32 time<1ms TTL=128 Reply from 172.16.10.2: bytes=32 time<1ms TTL=128 Reply from 172.16.10.2: bytes=32 time<1ms TTL=128 Ping statistics for 172.16.10.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), I IPv4 Routing Troubleshooting Step 3: From the command window, ping the default gateway. 
If ping is If the user is still not able to communicate with the server after steps 1 to 4 are working, it means that the NIC is connected to the network and can successful, you probably have some name resolution problems and you should communicate with the local network. If it doesn't, you have a physical network problem somewhere between the NIC and the router. C:\>ping 172.16.10.1 Pinging 172.16.10.1 with 32 bytes of data: Reply from 172.16.10.1: bytes=32 time<1ms TTL=128 Reply from 172.16.10.1: bytes=32 time<1ms TTL=128 Reply from 172.16.10.1: bytes=32 time<1ms TTL=128 Reply from 172.16.10.1: bytes=32 time<1ms TTL=128 Ping statistics for 172.16.10.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Step 4: If steps 1 to 3 are successful, try to ping the remote server. If this works, there is IP communication between the local host and the remote server. Also, you know it's running on its remote physical network. check your Domain Name System (DNS) settings. But if there is a problem pinging the remote server, you know you have some physical network problems, you need to go to the server machine and do steps 1 to 3 until you find the problem. Before we discuss IP address problems and how to fix them, I want to describe some basic DOS commands you can use to help troubleshoot your network from both a PC and a Cisco router (the commands may do the same thing, but they work differently): Packet InterNet Groper (ping): On a network, Ping uses ICMP echo request and reply to test if the IP stack has started and is active. traceroute: Displays a list of routers in the path to a destination network, using TTL time-outs and ICMP error messages. This command will not work from a DOS command system. 
tracert: Same command as traceroute, but a Microsoft Window command and will C:\>ping 172.16.20.2 Pinging 172.16.20.2 with 32 bytes of data: Reply from 172.16.20.2: bytes=32 time<1ms TTL=128 Reply from 172.16.20.2: bytes=32 time<1ms TTL=128 Reply from 172.16.20.2: bytes=32 time<1ms TTL=128 Reply from 172.16.20.2: bytes=32 time<1ms TTL=128 Ping statistics for 172.16.20.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms not work on a Cisco router. arp -a: Used for IP-to-MAC address mapping on a Windows PC. show ip arp: Same command as arp -a, but displays the ARP table on a Cisco router. Like the traceroute and tracert commands, they are not interchangeable in DOS and Cisco. ipconfig /all: Only available from the DOS command line, it will show you the PC network configuration. I IPv4 Routing Troubleshooting Using Extended Ping Test the Reverse Route Troubleshooting Using the TraceRoute Command Like ping, the traceroute command helps network engineers isolate problems. Here is a comparison of the two: Both send messages on the network to test the connection. Both send a reply back to the incoming message. Figure 18-2 Extended Ping Both have broad support for many different operating systems. Both can use a hotname or IP address to identify the target. R1# ping Protocol [ip]: Target IP address: 172.16.2.101 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 172.16.1.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.101, timeout is 2 seconds: Packet sent with a source address of 172.16.1.1 !!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Routers have a standard and extended version of both, allowing better testing of the reverse route. Figure 18-3 Simple traceroute example. traceroute 172.16.2.101 traceroute to 172.16.2.101, 64 hops max, 52 byte packets 1 172.16.1.1 (172.16.1.1) 0.870 ms 0.520 ms 0.496 ms 2 172.16.4.2 (172.16.4.2) 8.263 ms 7.518 ms 9.319 ms 3 172.16.2.101 (172.16.2.101) 16.770 ms 9.819 ms 9.830 ms I IPv4 Routing Troubleshooting Standard and Extended Traceroute Telnet and SSH Troubleshooting Telnet and ssh work from PC1 to R1 but not from PC1 to R2 and R3. R1# traceroute 172.16.2.101 Type escape sequence to abort. Tracing the route to 172.16.2.101 VRF info: (vrf in name/id, vrf out name/id) 1 172.16.4.2 0 msec 0 msec 0 msec 2 172.16.2.101 0 msec 0 msec * R1# traceroute Protocol [ip]: Target IP address: 172.16.2.101 Source address: 172.16.1.1 Numeric display [n]: Timeout in seconds [3]: Probe count [3]: Minimum Time to Live [1]: Maximum Time to Live [30]: Port Number [33434]: Loose, Strict, Record, Timestamp, Verbose[none]: Type escape sequence to abort. Tracing the route to 172.16.2.101 VRF info: (vrf in name/id, vrf out name/id) Figure 18-4 Telnet and SSH Error Example. Telnet and ssh from PC1 to R1, R1 to R2 and R2 to R3 are working, but if PC1 still cannot reach other devices other than R1, there is probably a route problem. 1 172.16.4.2 0 msec 0 msec 0 msec 2 172.16.2.101 0 msec 0 msec * Figure 18-5 Example of Telnet and SSH. Chapter - 7 OSPF I OSPF Concepts I OSPF Applications I OSPF Network Types and Neighbors I OSPF Fundamentals OSPF Concepts I Interior and Exterior Routing Protocols I Administrative Distance I Neighbors I OSPF Areas and LSAs I OSPF Concepts Open Shortest Path First (OSPF) Fundamentals Open Shortest Path First (OSPF) is an open standard routing protocol Routing Protocol: It consists of a set of messages, rules and algorithms used implemented by many manufacturers, including Cisco. 
If you have multiple by routers to learn routes. This process includes the exchange and analysis of routers and they are not all Cisco, you cannot use EIGRP. Your remaining options are basically RIP, RIPv2, and OSPF. If it's a large network then your really only options are OSPF and route redistribution. Redistribution is a conversion service between routing protocols. routing information. Each router chooses the best route for each subnet (route selection) and finally places these best routes in the IP routing table. Examples include RIP, EIGRP, OSPF, and BGP. OSPF works using the Dijkstra algorithm. First, a shortest path tree (SPF) is Routed Protocol and Routable Protocol: Both terms refer to a protocol that configured and the resulting best paths are placed in the routing table. Although defines packet structure and logical addressing, allowing routers to route or not as fast as EIGRP, OSPF converges quickly and supports multiple, equal- forward packets. Routers forward packets defined by routed and routable cost routes to the same destination. It supports both IPv4 and IPv6 routed protocols. Examples are IP Version 4 (IPv4) and IP Version 6 (IPv6). protocols such as EIGRP. OSPF provides the following features: It consists of Areas and autonomous systems. It minimizes routing update traffic. It provides scalability. Supports Subnet / Prefixes. It has unlimited number of hops. Many manufacturers allow its deployment (open standard). OSPF is a link-state routing protocol most people are familiar with. Interior and Exterior Routing Protocols IGP: A routing protocol designed for use within a single autonomous system (AS). For example RipV2, EIGRP and OSPF EGP: It is a routing protocol designed to be used between different autonomous systems. For example BGP (Border Gateway Protocols) I OSPF Concepts IGP Routing Protocol Algorithms The basic algorithm of a routing protocol determines how it will do the routing work. 
The term routing protocol algorithm refers to the logic and processes of learning all routes, choosing the good path for each subnet, and using different methods to solve the converging problem in response to changes in the network. It uses three different algorithms of IGP routing protocols. Distance vector (sometimes called Bellman-Ford after its creators) Advanced distance vector (sometimes called “balanced hybrid”) link state Figure 19 -1 Example of IGP and EGP Routing Protocols Metrics It is used to choose the best route and compare routes. Comparing Interior Gateway Protocols Companies have several IGP options for their corporate networks, but most companies nowadays use OSPF or EIGRP. We will learn OSPFv2 protocol, EIGRP is in the training content of CCNP Enterprise certification. Figure 19 -2 IGP Metrics I OSPF Concepts If a router receives two updates listing the same remote network, the first thing the router checks is AD. If one of the advertised routes has a lower AD than the other, the route with the lowest AD will be put in the routing table. If two advertised routes for the same network have the same AD, routing protocol metrics (hop count or line bandwidth) will be used to find the best route to the remote network. The advertised route with the lowest metric will Figure 19 -3 Comparison of RIP and OSPF Metrics be put in the routing table. If two advertised routes have both the same AD and the same metrics, then the routing protocol will load-balance the remote network. (packages will be sent from both links). Table 19 -4 Comparison of IGP Protocols Administrative Distance It is used to rate the reliability of a routing information from a neighboring router. An administrative distance is a number between 0 and 255. 0 is most reliable, 255 is untrusted, if AD 255 means no traffic will be passed through this route. 
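To make the selection rules concrete (longest prefix first, then administrative distance, then the protocol's metric, with ties kept for load balancing), here is a small Python model of the routing table decisions described in the static route and administrative distance topics above. It is an added illustration, not Cisco code or course material: the candidate routes reuse the addresses from the Chapter 16 diagrams, the OSPF and RIP metrics are constructed for the example, and the floating static route is the 172.16.2.0/24 route with AD 130.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Default administrative distances from the Administrative Distance topic above.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                # destination network, e.g. "172.16.2.0/24"
    source: str                # how the route was learned: connected, static, ospf, ...
    next_hop: str              # next-hop address or outgoing interface
    metric: int = 0            # the protocol's own metric (OSPF cost, RIP hop count)
    ad: Optional[int] = None   # explicit AD, e.g. 130 on a floating static route

    def distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def install(candidates: List[Route]) -> Dict[IPv4Network, List[Route]]:
    """Build the routing table from everything the protocols offer.

    For each prefix only the lowest-AD routes survive; among those only the
    lowest-metric ones.  More than one survivor means equal-cost load balancing.
    A floating static route (AD 130) therefore sits behind OSPF (AD 110) and is
    only installed once the OSPF route disappears.
    """
    by_prefix: Dict[IPv4Network, List[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(IPv4Network(r.prefix), []).append(r)
    table: Dict[IPv4Network, List[Route]] = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(r.distance() for r in routes)
        routes = [r for r in routes if r.distance() == best_ad]
        best_metric = min(r.metric for r in routes)
        table[prefix] = [r for r in routes if r.metric == best_metric]
    return table


def lookup(table: Dict[IPv4Network, List[Route]], dest: str) -> List[Route]:
    """Longest-prefix match, the rule the router applies in step 3 of the
    routing example: a /32 host route beats its /24 subnet, and 0.0.0.0/0 is
    the gateway of last resort that only matches when nothing else does."""
    addr = IPv4Address(dest)
    matches = [p for p in table if addr in p]
    if not matches:
        return []                       # no route at all: the packet is dropped
    return table[max(matches, key=lambda p: p.prefixlen)]


def next_hops(candidates: List[Route], dest: str) -> List[str]:
    """Sorted list of next hops a packet to dest would be forwarded to."""
    return sorted(r.next_hop for r in lookup(install(candidates), dest))


# Constructed candidate routes built from the addresses used in Chapters 16 and
# 19; the OSPF and RIP metrics are invented for the illustration.
CANDIDATES = [
    Route("172.16.1.0/24", "connected", "GigabitEthernet0/0"),
    Route("172.16.2.0/24", "ospf", "172.16.4.2", metric=65),
    Route("172.16.2.0/24", "static", "172.16.5.3", ad=130),   # floating static
    Route("172.16.3.0/24", "ospf", "172.16.4.2", metric=20),   # two equal-cost
    Route("172.16.3.0/24", "ospf", "172.16.5.3", metric=20),   # OSPF paths
    Route("172.16.3.0/24", "rip", "172.16.5.3", metric=1),     # loses on AD, not metric
    Route("10.1.1.0/24", "static", "10.2.2.2"),
    Route("10.1.1.9/32", "static", "10.9.9.9"),                # static host route
    Route("0.0.0.0/0", "static", "Serial0/0/1"),               # static default route
]

if __name__ == "__main__":
    for dest in ("172.16.2.9", "172.16.3.9", "10.1.1.9", "10.1.1.20", "8.8.8.8"):
        print(dest, "->", next_hops(CANDIDATES, dest))
    # Withdraw the OSPF route to 172.16.2.0/24: the floating static now takes over.
    without_ospf = [r for r in CANDIDATES
                    if not (r.prefix == "172.16.2.0/24" and r.source == "ospf")]
    print("172.16.2.9 without the OSPF route ->", next_hops(without_ospf, "172.16.2.9"))
```

Running it shows 172.16.2.9 going to the OSPF next hop 172.16.4.2 while the OSPF route exists and to 172.16.5.3 once it is withdrawn, 172.16.3.9 being shared over both equal-cost OSPF paths, 10.1.1.9 following the host route while 10.1.1.20 follows the subnet route, and 8.8.8.8 falling through to the default route.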
Table 19-5 Default Administrative Distances

OSPF Terminology

Link: A link is a network or router interface assigned to a particular network. When an interface is added to the OSPF process, it is considered a link on the OSPF side. This link or interface will have status information (up or down) and one or more IP addresses.

Neighbor: Neighbors are two or more routers that each have an interface on a common network, such as two routers connected by a point-to-point serial link.

Router ID: While OSPF has many optional features, most enterprise companies using OSPF choose to configure an OSPF Router ID on each router. OSPF-speaking routers must have a Router ID (RID) to function properly. By default, routers choose an interface IP address to use as the RID. However, many network engineers prefer to specify the Router ID of each router, so that the output of commands like show ip ospf neighbor lists more recognizable Router IDs. The router uses the following methods to select the Router ID:
If a Router ID is entered while configuring OSPF, it uses this ID.
Otherwise, if any loopback address is configured and the loopback interface is up, the loopback interface with the highest IP is used as the Router ID.
If neither of the above is available, the Router ID is the highest IP among the up interfaces.

Adjacency: An adjacency is a relationship between two OSPF routers that allows them to exchange route updates directly. OSPF is very selective in sharing routing information, unlike EIGRP, which shares routes directly with all its neighbors. OSPF only shares routes with neighbors with which it has established an adjacency. Not all neighbors will be adjacent; this depends on both the network type and the configuration of the routers.

Hello protocol: The OSPF Hello protocol provides dynamic neighbor discovery and maintains neighbor relationships. Hello packets and Link State Advertisements (LSAs) create and maintain the topological database. Hello packets are sent to 224.0.0.5.

Figure 19-6 OSPF Hello Packet

Designated Router: A designated router (DR) is elected when OSPF routers are connected to the same multi-access network. Try not to confuse multi-access with multipoint; the two are easily confused. Multi-access networks are, in reality, networks with a large number of receivers; the prime example is an Ethernet LAN. To minimize the number of adjacencies that must be built, a DR is elected to distribute routing information to, and receive it from, the other routers on the broadcast network or link. This ensures that the topology tables are synchronized. All routers on the shared network will be adjacent to the DR and to the backup designated router (BDR). The election is won by the router with the highest priority; if the priority is the same across multiple routers, the Router ID is used to decide the DR.

Backup Designated Router: A backup designated router (BDR) is the standby for the DR on multi-access links (remember that Cisco sometimes refers to these as broadcast networks). The BDR receives all routing updates from the OSPF neighbor routers, but does not send LSA updates.

Figure 19-7 DR and BDR selection and Database Exchange over Ethernet

Calculating the Best Route

OSPF LSAs contain useful information, but not the specific information that must be added to the router's IPv4 routing table. So, to know which routes to add to the routing table, each router needs to do some SPF math to choose the best routes. It then selects the next-hop router and the interface it will go out of, and adds these to the table.

Figure 19-8 Path selection for the best route.

Note: We will look at the cost values in detail while doing the application.

OSPF Areas and LSAs

A single-area design can be used in some networks that are not very wide, where not much design work was done. You just turn on OSPF on all routers, put all interfaces in the same area (usually area 0) and it works! Figure 19-9 shows 11 routers configured with Area 0.

Figure 19-9 Single Area OSPF

Larger OSPFv2 networks may also have a single-area design. For example, now imagine a corporate network with 900 routers and several thousand subnets instead of just 11. As it turns out, it takes a lot of CPU time to run the SPF algorithm on all this topology data. As a result, the OSPFv2 convergence time may be too slow to react to changes in the network. Routers may also run short of RAM. We can list the problems of a single-area design as follows:
A larger topology requires more memory for the router database.
The larger the database, the longer it takes the router to process the SPF algorithm, and the more CPU power it requires.
A single interface status change (up or down) anywhere on the network causes the SPF (Shortest Path First) algorithm to run again on every router.

OSPF Areas

OSPF area design can follow a few basic rules. To apply the rules, after you have properly drawn the networks and determined the router interfaces, select the areas for each router and interface as follows:
Place all interfaces connected to the same subnet in the same area.
Areas must be contiguous (adjacent).
Some routers may have all interfaces in a single area.
Some routers will be Area Border Routers (ABRs), because some of their interfaces are connected to the backbone area and some to a non-backbone area.
All non-backbone areas must have a way to reach the backbone area (area 0) by connecting through at least one ABR that is in both the backbone area and the non-backbone area.

Figure 19-9 Three-Area OSPF with D1 and D2 as ABRs

Figure 19-10 Three OSPFv2 LSA Types Seen by Multi-Area OSPF Design

LSA (Link State Advertisement)

A Link State Advertisement (LSA) is an OSPF data packet containing link-state and routing information that is shared between OSPF routers. An OSPF router will only exchange LSA packets with routers with which it has established an adjacency. When we look at it with the show ip ospf database command, it will seem like a lot of complex output, but you will become familiar with it over time.

OSPF Applications
Topics: Single-Area OSPF Applications, Wildcard Mask, Verify OSPF, Configuring the OSPF Router ID, Multi-Area OSPF Configuration, Configuring OSPF Under Interface, OSPF Additional Features

Single-Area OSPF Applications

The way to understand the OSPFv2 configuration shown in this example is to understand the OSPF network command. The OSPF network command compares the first parameter of the command with the IP address of each interface on the local router, trying to find a match. However, instead of comparing the entire number in the network command with the entire IP address on the interface, the router uses the wildcard mask to decide which octets to compare, as follows:

Wildcard Matching with the network Command
Wildcard 0.0.0.0: Compare all four octets. In other words, the numbers must match exactly.
Wildcard 0.0.0.255: Compare only the first three octets. Ignore the last octet when comparing the numbers.
Wildcard 0.0.255.255: Compare only the first two octets. Ignore the last two octets when comparing the numbers.
Wildcard 0.255.255.255: Compare only the first octet. Ignore the last three octets when comparing the numbers.
Wildcard 255.255.255.255: Do not compare anything. This wildcard mask means all addresses will match the network command.

Figure 20-1 Example OSPFv2 configuration.

interface GigabitEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 10.1.12.1 255.255.255.0
!
interface GigabitEthernet0/1/0
 ip address 10.1.13.1 255.255.255.0
!
interface GigabitEthernet0/2/0
 ip address 10.1.14.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

Let's understand the working logic by doing the configurations on the other routers together, using different wildcard masks on those routers.

Verifying OSPF

We can check the configurations we have made using these commands.

OSPF Router ID Configuration

While OSPF has many optional features, most enterprise companies using OSPF choose to configure an OSPF Router ID on each router. OSPF-speaking routers must have a Router ID (RID) to function properly. By default, routers choose an interface IP address to use as the RID. However, many network engineers prefer to specify the Router ID of each router, so that the output of commands like show ip ospf neighbor lists more recognizable Router IDs. The router uses the following methods to select the Router ID:
If a Router ID is entered while configuring OSPF, it uses this ID.
Otherwise, if any loopback address is configured and the loopback interface is up, it uses the highest loopback IP as the Router ID.
If neither of the above is available, the Router ID is the highest IP among the up interfaces.

Figure 20-2 OSPFv2 authentication commands.
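The wildcard rules and the Router ID rules above, worked in Python as an added example (not Cisco's code or the course's). The interfaces are R1's from Figure 20-1; the Loopback0 address and the per-subnet set of network statements are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: str
    up: bool = True


def network_matches(interface_ip: str, network: str, wildcard: str) -> bool:
    """Apply one 'network <address> <wildcard>' statement to one interface IP.

    A 0 bit in the wildcard means "this bit must match", a 1 bit means "ignore
    this bit".  0.0.0.0 therefore demands that all four octets match, 0.0.0.255
    compares only the first three, and 255.255.255.255 matches any address.
    """
    ip, net, wc = (int(IPv4Address(x)) for x in (interface_ip, network, wildcard))
    care_bits = ~wc & 0xFFFFFFFF
    return (ip & care_bits) == (net & care_bits)


def ospf_enabled_interfaces(interfaces: List[Interface],
                            network_cmds: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return {interface name: area} for every interface that some network
    command matches.  The statements used here do not overlap, so the first
    match is enough."""
    enabled: Dict[str, str] = {}
    for itf in interfaces:
        for network, wildcard, area in network_cmds:
            if network_matches(itf.ip, network, wildcard):
                enabled[itf.name] = area
                break
    return enabled


def select_router_id(interfaces: List[Interface], configured: Optional[str] = None) -> str:
    """The three-step rule from the Router ID topic: an explicit router-id wins;
    otherwise the highest IP on an up loopback; otherwise the highest IP on any
    other up interface."""
    if configured:
        return configured

    def up_addresses(loopback: bool) -> List[IPv4Address]:
        return [IPv4Address(i.ip) for i in interfaces
                if i.up and i.name.lower().startswith("loopback") == loopback]

    loopbacks = up_addresses(loopback=True)
    if loopbacks:
        return str(max(loopbacks))
    physical = up_addresses(loopback=False)
    if not physical:
        raise ValueError("no up interface with an IP address; OSPF cannot choose a Router ID")
    return str(max(physical))


# R1's interfaces from Figure 20-1.
R1_INTERFACES = [
    Interface("GigabitEthernet0/0.1", "10.1.1.1"),
    Interface("GigabitEthernet0/0.2", "10.1.2.1"),
    Interface("GigabitEthernet0/0/0", "10.1.12.1"),
    Interface("GigabitEthernet0/1/0", "10.1.13.1"),
    Interface("GigabitEthernet0/2/0", "10.1.14.1"),
]

# The single statement from Figure 20-1: one octet compared, the rest ignored.
SINGLE_AREA = [("10.0.0.0", "0.255.255.255", "0")]

# A constructed per-subnet variant: wildcard 0.0.0.255 compares three octets,
# so each statement can place its subnet in a different area.
PER_SUBNET = [
    ("10.1.1.0", "0.0.0.255", "0"),
    ("10.1.2.0", "0.0.0.255", "0"),
    ("10.1.12.0", "0.0.0.255", "23"),
    ("10.1.13.0", "0.0.0.255", "23"),
    ("10.1.14.0", "0.0.0.255", "4"),
]

if __name__ == "__main__":
    print(ospf_enabled_interfaces(R1_INTERFACES, SINGLE_AREA))
    print(ospf_enabled_interfaces(R1_INTERFACES, PER_SUBNET))
    print("RID without loopback:", select_router_id(R1_INTERFACES))
    # A constructed loopback with a lower address still beats every physical IP.
    print("RID with Loopback0 1.1.1.1:",
          select_router_id(R1_INTERFACES + [Interface("Loopback0", "1.1.1.1")]))
```

With no router-id and no loopback, R1 picks 10.1.14.1 (the highest up interface address), which is exactly the kind of hard-to-recognise RID the text recommends avoiding by configuring one explicitly.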
I OSPF Applications Multi-Area OSPF Configuration Configuring OSPF Under Interface R1(config)# router ospf 1 router ospf 1 R1(config-router)# no network 10.0.0.0 0.255.255.255 area 0 network 10.1.1.0 0.0.0.255 area 0 R1(config-router)# interface g0/0.1 network 10.1.2.0 0.0.0.255 area 0 R1(config-subif)# ip ospf 1 area 0 network 10.1.12.0 0.0.0.255 area 23 R1(config-subif)# interface g0/0.2 network 10.1.13.0 0.0.0.255 area 23 R1(config-subif)# ip ospf 1 area 0 network 10.1.14.0 0.0.0.255 area 4 R1(config-subif)# interface g0/0/0 R1(config-if)# ip ospf 1 area 0 R1(config-if)# interface g0/2/0 R1(config-if)# ip ospf 1 area 0 I OSPF Applications Default Routes: OSPF Additional Features Passive interfaces Default routes Metrics Load balancing Passive Interface: After OSPF is enabled on an Interface, the router tries to find neighboring OSPF routers and establish a neighbor relationship. To do this, the router periodically sends OSPF Hello messages (called Hello Interval). The router also listens for Hello messages from potential neighbors. In some cases, some Interfaces do not need to be neighbors. There is no other example, or there may be an Interface facing the WAN side, in this case we can make this Interface a passive interface. The interface continues to send the connected Subnet information, but stops receiving and sending hello packets. router ospf 1 passive-interface GigabitEthernet0/0.1 R1# show ip route static Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP ! 
Rest of the legend omitted for brevity Gateway of last resort is 192.0.2.1 to network 0.0.0.0 S* 0.0.0.0/0 [254/0] via 192.0.2.1 B1# show ip route ospf O*E2 0.0.0.0/0 [110/1] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks passive-interface GigabitEthernet0/0.2 O 10.1.3.0/24 [110/3] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0 O 10.1.13.0/24 [110/2] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0 I OSPF Applications Interface Default Cost Values OSPF Metrics (Cost): In Topic 19 OSPF Concepts, we talked about finding the best route in SPF, now let's manually change the cost values here. We can do it directly under Interface using ip ospf cost x command. There are interface default cost values, we can change the cost settings by changing these values, bandwidth settings. We can change OSPF cost references. Cost Value Change: R1(config)# interface g0/0/0 R1(config-if)# ip ospf cost 4 R1(config-if)# interface g0/1/0 R1(config-if)# ip ospf cost 5 OSPF Cost Reference Replacement Default 100 Mb 100 000 000 R1# show ip ospf interface brief Interface Gi0/0/0 Gi0/1/0 Gi0/2/0 PID Are Ip Address/Mask Cost State Nbrs 1 1 1 0 0 0 10.1.12.1/24 10.1.13.1/24 10.1.14.1/24 4 5 1 DR BDR DR 1/1 1/1 1/1 F/C ospf auto-cost reference-bandwidth value no ospf auto-cost reference-bandwidth value OSPF Load Balancing For example, if a network has six possible routes between parts of the network, if you want all routes to be used, the router can be configured under the ospf x command with the maximum-paths 6 subcommand. OSPF Network Types and Neighbors I OSPF Broadcast Network Type I DR/BDR Manual Selection I OSPF Point-to-Point Network Type I OSPF Neighbor Relationships I OSPF Network Types and Neighbors OSPF Network Types router ospf 1 OSPF Broadcast Network Type By default, OSPF uses a broadcast type on all Ethernet Interface types. Note that all Ethernet Interfaces in the examples in Chapter 20 depend on this default setting. 
   router-id 1.1.1.1
  !
  interface gigabitEthernet0/0
   ip ospf 1 area 0
  !
  interface gigabitEthernet0/1
   ip ospf 1 area 0

Let's look at the following example to better understand the OSPF broadcast network type.

Figure 21-1 Single Area Design
Figure 21-2 R1's List of Neighbors

Let's verify the broadcast network type:
✓ OSPF sends Hello packets to 224.0.0.5, the address reserved for all OSPF routers, to detect neighbors. Let's take a look with the commands below.

  show ip ospf interface brief
  show ip ospf interface g0/0

✓ It tries to elect a DR and a BDR in each subnet.
✓ It becomes the DR because there is no other router in the G0/1 subnet.
✓ When there are 3 other routers in the G0/0 subnet, it will be DR, BDR or DROther.
✓ It sends to 224.0.0.6 when electing DR, BDR and DROther.

Figure 21-3 OSPF DR/BDR/DROther Roles in the Network

I OSPF Network Types and Neighbors

DR/BDR Manual Selection: Let's give this router's interface priority by entering the ip ospf priority 99 command under the interface. When we look with the show ip ospf interface brief command, we will see that there is still no change. This is because there is no reason to start the election again, so the configuration we made waits for the next election. If the interface of one of the routers in the subnet goes down, the process starts again. Let's turn one of the interfaces off and on, test it, and observe the results.

I OSPF Network Types and Neighbors

OSPF Point-to-Point Network Type: By nature, this OSPF network type works well for data links between two routers. These connections generally do not support data-link broadcasts. Also, having only two devices on the link adds a bit more convergence time. For example, let's take a look at the topology in Figure 21-4, which shows R1 with three WAN links: two Ethernet WAN links and one serial link. Since we are using the point-to-point network type, it tells the router not to use a DR/BDR.

  R1# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  R1(config)# interface g0/0/0
  R1(config-if)# ip ospf network point-to-point
  R1(config-if)#

Figure 21-4 Sample OSPF Design with Serial and Ethernet WAN

First, let's look at the serial connection. Since R1 and R4 are directly connected, we cannot add a third router. As you can imagine, the data link protocols used to control a link with at most two devices may work differently from Ethernet. For example, the most commonly used serial data link protocols (HDLC and PPP) do not support broadcast.

  R1# show ip ospf interface g0/0/0
  GigabitEthernet0/0/0 is up, line protocol is up
    Internet Address 10.1.12.1/24, Area 0, Attached via Interface Enable
    Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
    Topology-MTID    Cost    Disabled    Shutdown      Topology Name
          0           4         no          no            Base
    Enabled by interface config, including secondary ip addresses
    Transmit Delay is 1 sec, State POINT_TO_POINT
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Neighbor Count is 1, Adjacent neighbor count is 1
      Adjacent with neighbor 2.2.2.2

  R1# show ip ospf interface brief
  Interface    PID   Area   IP Address/Mask   Cost   State   Nbrs F/C
  Gi0/0/0      1     0      10.1.12.1/24      4      P2P     1/1

I OSPF Network Types and Neighbors

OSPF Neighbor Relationships: When we enable OSPF on a router and its interfaces, IOS tries to discover other neighbors connected to each interface by sending and listening for OSPF Hello messages. However, two routers do not become neighbors every time. They must have compatible values in the Hello packets exchanged between them and in various other settings. The parameters in this Hello packet must match; let's have a look at the list below.
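Going back to the OSPF cost and reference-bandwidth discussion earlier in this section, here is an added example (not from the course slides) that derives interface costs the way IOS does and runs SPF over a constructed four-router topology; it shows why, with the default 100 Mbps reference, a Fast Ethernet path and a Gigabit path come out with the same cost until the reference bandwidth is raised.

```python
import heapq

# OSPF interface cost = reference bandwidth / interface bandwidth (truncated, minimum 1).
# The default reference bandwidth on the slide is 100 Mb = 100,000,000 bps.
DEFAULT_REFERENCE_MBPS = 100


def ospf_cost(bandwidth_bps: int, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> int:
    """Cost IOS derives for an interface when no 'ip ospf cost' override is set."""
    return max(1, (reference_mbps * 1_000_000) // bandwidth_bps)


def spf(links, source, reference_mbps=DEFAULT_REFERENCE_MBPS):
    """Shortest Path First (Dijkstra) from `source` over bidirectional links.

    links: list of (router_a, router_b, bandwidth_bps); both ends get the same
    derived cost. Returns {router: (total_cost, [every equal-cost path])}; a
    destination with more than one path is where OSPF load-balances
    (maximum-paths), as the slide describes.
    """
    adjacency = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth, reference_mbps)
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))

    distance = {source: 0}
    predecessors = {source: []}
    heap = [(0, source)]
    while heap:
        dist_u, u = heapq.heappop(heap)
        if dist_u > distance[u]:
            continue                      # stale heap entry
        for v, cost in adjacency.get(u, []):
            candidate = dist_u + cost
            if candidate < distance.get(v, float("inf")):
                distance[v] = candidate
                predecessors[v] = [u]
                heapq.heappush(heap, (candidate, v))
            elif candidate == distance[v] and u not in predecessors[v]:
                predecessors[v].append(u)  # equal-cost path

    def paths_to(router):
        if router == source:
            return [[source]]
        return [p + [router] for u in predecessors[router] for p in paths_to(u)]

    return {r: (distance[r], sorted(paths_to(r))) for r in distance}


# Constructed topology (not from the slides): R1 reaches R4 over a Gigabit
# path via R2 and a Fast Ethernet path via R3.
SAMPLE_LINKS = [
    ("R1", "R2", 1_000_000_000),
    ("R2", "R4", 1_000_000_000),
    ("R1", "R3", 100_000_000),
    ("R3", "R4", 100_000_000),
]

if __name__ == "__main__":
    for ref in (DEFAULT_REFERENCE_MBPS, 1000):
        cost, paths = spf(SAMPLE_LINKS, "R1", ref)["R4"]
        print("reference-bandwidth %d: R1->R4 cost %d via %s" % (ref, cost, paths))
```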
Requirements for OSPF Neighbor Establishment: listed below are also some commands with which we can check for problems.

Chapter - 8 IP Version 6
I IPv6 Basics
I IPv6 Addressing and Subnetting
I IPv6 Address Applications
I IPv6 Routing Applications

IPv6 Fundamentals
I Internet Protocol Version 6 (IPv6)
I IPv6 Routing
I IPv6 Addressing Formats and Conversion
I IPv6 Prefix (Subnet ID)
I Practicing IPv6

I IPv6 Fundamentals

Internet Protocol Version 6 (IPv6): People refer to IPv6 as the next-generation Internet Protocol; it was developed as the solution to IPv4's inevitable address exhaustion. You've probably heard about IPv6 before. The capacity of its ancestor, IPv4, is insignificant compared to it. That is why IPv4 will eventually be completely buried in history. IPv6 addresses are 128 bits, or 16 bytes.

Figure 22-1 Exhaustion of IPv4 addresses, short- and long-term solutions.

  2345:1111:2222:3333:4444:5555:6666:AAAA
  2000:1:2:3:4:5:6:A

Why Do We Need IPv6? It is a fact that the number of people and devices connected to the network is increasing day by day. This is not entirely a bad thing. We're always finding new and exciting ways to bring more people together, which is nice; in fact, this is a basic human need. But it is not always blue skies and sunny weather. Because, as I implied in the introduction of this section, the IPv4 addresses on which our ability to communicate depends will be exhausted. IPv4 has 4.3 billion addresses in theory, and we know we can't use all of them. The use of Classless Inter-Domain Routing (CIDR) and Network Address Translation (NAT) helps prolong the inevitable dwindling of addresses. But we will consume them, and that will be within a few years.

IPv6 Routing: Like many functions of IPv6, IPv6 routing is similar to IPv4 routing from an overview; let's take a look. To create and send IPv6 packets over an interface, end-user devices need an IPv6 address on those interfaces.
If the host needs to reach a different subnet, it needs to know the default router's IP address. The router de-encapsulates and re-encapsulates the IPv6 packet when forwarding it: it looks at the destination IP in the IPv6 packet and sends the packet according to the matching entry in the routing table.

I IPv6 Fundamentals

Figure 22-2 IPv6 Header
Figure 22-3 IPv6 Host Building and Sending an IPv6 Packet
Figure 22-4 IPv6 Router Performing Routine Encapsulation Tasks When Routing IPv6
Figure 22-5 Comparing an IPv6 Packet to R1's IPv6 Routing Table

I IPv6 Fundamentals

IPv6 Routing Protocols: IPv6 routers need to learn routes for all possible IPv6 prefixes (subnets). As with IPv4, IPv6 routers use the routing protocols we already know, in their IPv6 versions. We can see them in the table below.

Figure 22-6 IPv6 Routing Protocols

IPv6 Address Full Spelling: IPv6 addresses use the hexadecimal (hex) format. An address consists of eight blocks, each block has four hex digits, and the blocks are separated by colons. Let's look at the example.

IPv6 Addressing Formats and Conversion: I will briefly talk about these issues here, but we will deal with them in detail in Topic 23.
- Interpret and convert IPv6 addresses consisting of 32 hex digits.
- How to shorten and interpret IPv6 addresses.
- Interpreting IPv6 prefixes.
- How to find the IPv6 prefix (subnet ID).

Figure 22-7 Hexadecimal/Binary Conversion Chart

I IPv6 Fundamentals

IPv6 Shortening and Extending: There are some subtleties that will help us when we write this long address. One is that you can skip parts of the address to shorten it. But to do this, you have to follow some rules. First, you can discard the leading zeros in each block. After doing that, the address in the previous example looks like this:

  2001:db8:3c4d:12:0:0:1234:56ab

This is a good development. At least we don't have to write those extra zeros. But what about a whole block with nothing but zeros in it? We can get rid of at least some of them. If we look at our example again, we can omit the two blocks of zeros by replacing them with two colons. The address will now be:

  2001:db8:3c4d:12::1234:56ab

Very nice! We wrote two colons in place of all the zero blocks. The rule you have to follow is that you can only replace one contiguous run of zero blocks in an address. So if your address has four zero blocks and they are split into two separate runs, you can't replace all of them. Remember the rule: you can put a double colon in place of just one adjacent run of blocks. Check out this example:

  2001:0000:0000:0012:0000:0000:1234:56ab

And know that you cannot write:

  2001::12::1234:56ab

Instead, the best you can do is:

  2001::12:0:0:1234:56ab

The reason why the above example is the best: in the other example, if we discard both runs of zero blocks, the device looking at the address has no way of knowing where to put the zeros back. In fact, the router would look at the ambiguous address and ask, "Shall I place two blocks in the first pair of colons and two in the second, or should I place three blocks in the first set and one block in the second set?" And since the information the router needs is not there, it cannot resolve the address.

Figure 22-8 IPv6 Shortening and Extension Practice

I IPv6 Fundamentals

Prefix (Subnet ID): As in IPv4, IPv6 uses subnet masks, but here we call it a prefix. The logic is the same: we specify how many bits identify the subnet and how many bits are left for the host. We can write it in two ways, as in the example below: you can leave a space if you want, or write the length adjacent to the address.
  2222:1111:0:1:A:B:C:D/64
  2222:1111:0:1:A:B:C:D /64

Figure 22-9 Creating the IPv6 Prefix from an Address/Length

Finding the IPv6 Prefix. Let's look at the example:

  2000:1234:5678:9ABC:1234:5678:9ABC:1111/64
  2000:1234:5678:9ABC:0000:0000:0000:0000/64    (copy the first bits, put zeros for the remaining bits)
  2000:1234:5678:9ABC::/64

This is calculated for prefix lengths that are multiples of 4. To find the prefix length in hex digits, divide the prefix bits by 4; that gives how many hex digits to copy. Copy the prefix hex digits as in the example and substitute zeros for the other hex digits.

Figure 22-10 Finding Prefix Practice

I IPv6 Fundamentals

Finding Different IPv6 Prefixes:

  2000:1234:5678:9ABC:1234:5678:9ABC:1111/56
  2000:1234:5678:9A00:0000:0000:0000:0000/56
  2000:1234:5678:9A00::/56
  2000:1234:5678:9A::/56

Figure 22-10 Finding Different Prefixes

I IPv6 Fundamentals

Answers:
Figure 22-8 IPv6 Shortening and Extending Practice Answers
Figure 22-10 Finding Prefix Practice Answers
Figure 22-10 Finding Different Prefixes Answers

IPv6 Addressing and Subnetting
I Global Unicast Addressing Concepts
I Public and Private IPv6 Addresses
I IPv6 Global Routing Prefix
I Global Unicast IPv6 Address Range
I Unique Local Unicast Addresses

I IPv6 Addressing and Subnetting

Global Unicast Addressing Concepts: In this section, we will focus on Global Unicast addresses; as the name suggests, they are the addresses used on the real Internet, like public IPs in IPv4. In this section we will also cover how a block of Global Unicast addresses is created and subnetted for assignment to companies.

IPv6 Global Routing Prefix: Companies that want to use these addresses should obtain a Global Routing Prefix and then distribute it to their end users.
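The shortening rules and the prefix-finding method described above, as an added example that is not part of the course slides: expand_ipv6 restores the full 32-digit form and rejects an ambiguous double "::", compress_ipv6 applies the two rules (it picks the first run when two zero runs tie, which gives the 2001::12:0:0:1234:56ab form the slide calls "the best"), and ipv6_prefix copies prefix_length/4 hex digits and zero-fills the rest, cross-checking the result against Python's standard ipaddress module. Output is lowercase, as the ipaddress module prints it.

```python
import ipaddress


def expand_ipv6(addr: str) -> str:
    """Undo both shortening rules: put back the leading zeros of every block and
    expand a single '::' into the missing all-zero blocks. Raises ValueError for
    an ambiguous address such as 2001::12::1234:56ab."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: " + addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block: " + addr)
        blocks = left + ["0"] * missing + right
    else:
        blocks = addr.split(":")
    if len(blocks) != 8 or any(not 1 <= len(b) <= 4 for b in blocks):
        raise ValueError("not an IPv6 address: " + addr)
    return ":".join("%04x" % int(b, 16) for b in blocks)   # int() rejects non-hex digits


def is_valid_shortening(addr: str) -> bool:
    """True when the shortened form can be expanded back without ambiguity."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compress_ipv6(addr: str) -> str:
    """Apply the two rules: drop leading zeros in each block, then replace the
    longest run of at least two zero blocks with '::'. When two runs tie, the
    first one is used, giving 2001::12:0:0:1234:56ab for the slide's example."""
    blocks = [b.lstrip("0") or "0" for b in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def ipv6_prefix(addr_with_len: str) -> str:
    """Find the prefix (subnet ID) the way the slide does: copy prefix_len / 4
    hex digits of the full address and write zeros for the rest. Accepts both
    '.../64' and '... /64'."""
    addr, length = addr_with_len.replace(" ", "").split("/")
    length = int(length)
    if not 0 <= length <= 128 or length % 4:
        raise ValueError("this method needs a prefix length that is a multiple of 4")
    digits = expand_ipv6(addr).replace(":", "")
    keep = length // 4
    prefix_digits = digits[:keep] + "0" * (32 - keep)
    full = ":".join(prefix_digits[k:k + 4] for k in range(0, 32, 4))
    # Cross-check against the standard library's own prefix calculation.
    network = ipaddress.ip_network(addr + "/%d" % length, strict=False)
    assert network.network_address.exploded == full
    return "%s/%d" % (compress_ipv6(full), length)


if __name__ == "__main__":
    # The addresses from the slides above.
    print(expand_ipv6("2001:db8:3c4d:12::1234:56ab"))
    print(compress_ipv6("2001:0000:0000:0012:0000:0000:1234:56ab"))
    print(is_valid_shortening("2001::12::1234:56ab"))
    print(ipv6_prefix("2000:1234:5678:9ABC:1234:5678:9ABC:1111/64"))
    print(ipv6_prefix("2000:1234:5678:9ABC:1234:5678:9ABC:1111 /56"))
```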
The term Global Routing Prefix actually refers to the idea that Internet routers can have a way to express all the addresses in an address block without needing routes for smaller sections of that block. For example, Figure 23-1 shows three companies with three different IPv6 global routing prefixes; the router on the right (R4) has one IPv6 route for each global routing prefix.

Figure 23-1 Three Global Routing Prefixes, with One Route per Prefix

Public and Private IPv6 Addresses: IPv4 addresses were first distributed to each company for use in the public environment, but as it was understood that these addresses would run out in time, after 1990 an RFC reserved some addresses for use in private networks. We saw these addresses before in Chapter-5. Thus, by giving companies a public IP and letting them use private IPs inside, the exhaustion of IPv4 was postponed. Of course, while going from LAN to WAN, we translate these private IPs to the public IP given to us using NAT, and so we reach the Internet. I will cover NAT in Chapter-12. There is a similar structure in IPv6 too, so we can use both private and public addresses.

Global Unicast: Addresses that work like IPv4 public addresses. Companies that need IPv6 addresses allocate address blocks to their end users from the Global Prefixes assigned to them by ISPs. From then on, these companies only use IPv6 blocks starting with this prefix.

Unique Local: Addresses used like IPv4 private addresses. Multiple companies can use the same addresses; they don't need to obtain them from anywhere.

I IPv6 Addressing and Subnetting

Using Global Unicast IPv6 Address Subnetting: Imagine an ISP has received a Global Routing Prefix and needs to distribute it by dividing it into subnets, as in IPv4. Where, and how many, IPv6 subnets do we need? In the example below we need 4 subnets, the same as in the IPv4 example.
Figure 23-2 Prefix Assignment with IANA, RIRs, and ISPs

Global Unicast IPv6 Address Range: In fact, in IPv6, Global Unicast addresses use most of the address space. In IPv4, the space was divided into classes such as A, B, C, D and E that determined how the addresses are used. Which IPv6 range is used for what purpose is categorized in the list below.

Figure 23-3 IPv6 Address Types
Figure 23-4 Locations for IPv6 Subnets

I IPv6 Addressing and Subnetting

Assigning IPs to Hosts in a Subnet: After deciding which subnet to use at which location, we can configure IP addresses for the hosts. We can either configure the addresses manually or by using a DHCP server. In the example, 2001:0DB8:1111 with a /48 prefix is assigned. The company uses /64 for the interface ID, so 16 bits are left for the subnet (we can use 65,536 subnets).

Figure 23-5 First Available 16 Subnets
Figure 23-6 We Select the Subnets to Apply
Figure 23-7 Implementing IPv6 Addresses

I IPv6 Addressing and Subnetting

Unique Local Unicast Addresses: Unique Local Unicast addresses act as private IPv6 addresses. Dividing these addresses into subnets has similar aspects to Global Unicast addresses. The biggest difference is related to the Unique Local addresses themselves (they start with hex FD) and the management process: Unique Local prefixes are not registered with any authority or company and can be used by multiple companies. Although Unique Local addresses can be used without any registration or assignment, we still have to follow some rules:
• In the first two hex digits we use FD.
• We must choose a unique 40-bit global ID.
• For the /48 prefix, we prepend FD to the global ID.
• Use the next 16 bits as the subnet field.
• Note that 64 bits remain for the interface ID.

Using Unique Local Address IPv6 Subnetting: It's the same as with Global Unicast addresses, except that we don't choose the first two hex digits (8 bits) of the prefix; we choose the next 40 bits.

  FD00:0001:0001::/48, or FD00:1:1::/48
Figure 23-8 IPv6 Unique Local Unicast Address Format
Figure 23-9 Using Unique Local Address Subnetting

IPv6 Address Applications
I Configuring Static Unicast Address
I Full 128-Bit Address Configuration
I EUI-64 IPv6 Address Format
I Configuring Dynamic Unicast Address
I Using Private Address on Router
I Link-Local Addresses

I IPv6 Address Applications

Configuring Static Unicast Address: We have two options in IPv6 address configuration. With the first option we specify all 128 bits; with the second we specify only the /64 prefix, and the rest, the 64-bit interface ID, is derived from the interface's 48-bit MAC address (48 bits + 16 bits). I will explain this in the upcoming topics.

Full 128-Bit Address Configuration:

Figure 24-1 Full 128-Bit IPv6 Configuration

  ipv6 unicast-routing
  !
  interface GigabitEthernet0/0
   ipv6 address 2001:DB8:1111:1::1/64
  !
  interface GigabitEthernet0/0/0
   ipv6 address 2001:0db8:1111:0004:0000:0000:0000:0001/64

  R1# show ipv6 route connected
  IPv6 Routing Table - default - 5 entries
  Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
  C   2001:DB8:1111:1::/64 [0/0]
       via GigabitEthernet0/0, directly connected
  C   2001:DB8:1111:4::/64 [0/0]
       via GigabitEthernet0/0/0, directly connected

  R1# show ipv6 interface GigabitEthernet 0/0
  GigabitEthernet0/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::1:AAFF:FE00:1
    No Virtual link-local address(es):
    Global unicast address(es):
      2001:DB8:1111:1::1, subnet is 2001:DB8:1111:1::/64

  R1# show ipv6 interface brief
  GigabitEthernet0/0         [up/up]
      FE80::1:AAFF:FE00:1
      2001:DB8:1111:1::1
  GigabitEthernet0/1         [administratively down/down]
      unassigned
  GigabitEthernet0/0/0       [up/up]
      FE80::32F7:DFF:FE29:8568
      2001:DB8:1111:4::1

I IPv6 Address Applications

EUI-64 IPv6 Address Format: With our second option in IPv6 address configuration, EUI-64, the 64 bits after the prefix, the interface ID, are assigned automatically. For this we can use a DHCPv6 server, as with IPv4, or Stateless Address Auto Configuration (SLAAC).

Figure 24-2 IPv6 Address EUI-64 Format

How does EUI-64 generate the interface ID?
1- First, the interface takes the MAC address and splits it in two. The MAC address is 48 bits, 12 hex digits, so each half is 6 hex digits.
2- The interface ID should be 64 bits, 16 hex digits, so it inserts the 16-bit (4 hex digit) value FFFE between the two halves of the MAC address, completing it to 64 bits.
3- The seventh bit of the resulting interface ID is inverted: if the seventh bit is 0 it becomes 1, and if it is 1 it becomes 0.

Figure 24-3 EUI-64 Interface ID Creation Process, Two Examples
Figure 24-4 Seventh Bit Change in the EUI-64 Interface ID Generation Process
Figure 24-5 Creating EUI-64 Interface ID Practice

I IPv6 Address Applications

Configuring Dynamic Unicast Address: Normally we prefer dynamic IP configuration on end-user devices, and we usually set the address ourselves when configuring the interfaces of devices such as routers. But in some cases, for example when a DSL or cable modem is connected to the interface, we can use the DHCP or SLAAC method on that interface. Cisco routers support both methods.

  interface GigabitEthernet0/0/0
   ipv6 address 2001:DB8:1111:1::/64 eui-64
  !
  interface GigabitEthernet0/0/1
   ipv6 address 2001:DB8:1111:4::/64 eui-64

  R1# show ipv6 interface brief
  GigabitEthernet0/0         [up/up]
      FE80::1:AAFF:FE00:1
      2001:DB8:1111:1:1:AAFF:FE00:1
  GigabitEthernet0/0/1       [up/up]
      FE80::32F7:DFF:FE29:8568
      2001:DB8:1111:4:32F7:DFF:FE29:8568

  ! This interface uses DHCP to learn its IPv6 address
  interface FastEthernet0/1
   ipv6 address dhcp
  ! This interface uses SLAAC to learn its IPv6 address
  interface FastEthernet0/0
   ipv6 address autoconfig

I IPv6 Address Applications

Using Private Address on Router: Routers also use link-local addresses as next-hop IP addresses between IPv6 routers, as shown in Figure 24-6. When the ipv6 unicast-routing command is enabled on the router, the router performs the following steps to route IPv6:
• Gives the interface an IPv6 unicast address.
• Allows inbound and outbound IPv6 routing on the interface.
• Defines the prefix found on this interface.
• If the interface is up/up, adds it to the routing table.

In IPv6, hosts use the default router (default gateway) concept as in IPv4, but while IPv4 hosts use a gateway address from the same subnet, IPv6 hosts use the router's link-local address. In the show ipv6 route output, the link-local address of the neighboring router is listed instead of its global unicast or unique local unicast address.

Link-Local Addresses: IPv6 link-local addresses are used as private IPv6 unicast addresses. These addresses are not used to carry data in IPv6 packets. Instead, they are used by some common protocols and for routing.

Link-Local Address Concepts: IPv6 link-local addresses follow the rule that packets sent from them are not forwarded by any router to another subnet. As a result, protocol messages that must remain within the local LAN use IPv6 link-local addresses. For example, Neighbor Discovery Protocol (NDP), which replaces the ARP function of IPv4, uses link-local addresses.

Figure 24-6 IPv6 Using Link-Local Addresses as the Next-Hop Address

I IPv6 Address Applications

Link-Local Address Configuration: If you use the EUI-64 format on the interface, the link-local address is created with the same method. If you configure the IPv6 address statically on the interface, you can configure the link-local address as well.

Anycast: Like multicast addresses, an anycast address identifies multiple interfaces. But there is one big difference: an anycast packet is delivered to a single address (actually, to the first address it finds, determined by routing distance). This address is special because you can assign a single address to more than one interface. You could describe them as one-to-one-of-many addresses, but they are simply called anycast for convenience.
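An added example (not part of the course slides) that carries out the three EUI-64 steps above and the link-local derivation described under Link-Local Address Configuration. The MAC addresses 0201.AA00.0001 and 30F7.0D29.8568 are constructed so that they reproduce the interface IDs in the show ipv6 interface brief output above; the last function runs the steps backwards, which shows why an EUI-64 interface ID reveals the host's hardware MAC wherever the host connects.

```python
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (30f7.0d29.8568), colon or dash notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError("a MAC address is 12 hex digits: " + mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> str:
    """The three steps from the slide: split the 48-bit MAC in two, insert FFFE
    between the halves, then invert the seventh bit (the U/L bit of the first byte)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])   # step 1 and step 2
    iid[0] ^= 0x02                                  # step 3: flip bit 7 counted from the left
    hexs = iid.hex()
    return ":".join(hexs[k:k + 4] for k in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """/64 prefix + EUI-64 interface ID, returned in compressed (lowercase) form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 fills exactly the 64 bits after a /64 prefix")
    prefix_digits = net.network_address.exploded.replace(":", "")[:16]
    full = prefix_digits + eui64_interface_id(mac).replace(":", "")
    return ipaddress.IPv6Address(int(full, 16)).compressed


def link_local_address(mac: str) -> str:
    """A link-local address built with EUI-64 uses the same interface ID under FE80::/64."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> str:
    """The reverse: recover the MAC from an EUI-64 derived address (Cisco dotted form)."""
    iid = bytearray.fromhex(ipaddress.IPv6Address(addr).exploded.replace(":", "")[16:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID of %s is not EUI-64 derived" % addr)
    iid[0] ^= 0x02
    mac = (iid[:3] + iid[5:]).hex()
    return "%s.%s.%s" % (mac[0:4], mac[4:8], mac[8:12])


if __name__ == "__main__":
    # Constructed MACs (assumptions) that reproduce the addresses shown on the slide.
    for prefix, mac in (("2001:DB8:1111:1::/64", "0201.aa00.0001"),
                        ("2001:DB8:1111:4::/64", "30f7.0d29.8568")):
        print(mac, "->", eui64_interface_id(mac), eui64_address(prefix, mac),
              link_local_address(mac))
    print(mac_from_eui64_address("FE80::32F7:DFF:FE29:8568"))
```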
Figure 24-7 Link-Local Address Format

Some Special Addresses:
0:0:0:0:0:0:0:0, equals ::. Equivalent to 0.0.0.0 in IPv4; typically a host's source address when you use a stateful configuration.
0:0:0:0:0:0:0:1, equals ::1. Equivalent to 127.0.0.1 in IPv4.
0:0:0:0:0:0:192.168.100.1. This is the way an IPv4 address is written in a mixed IPv6/IPv4 network environment.
2000::/3. Global unicast address range.
FE80::/10. Link-local unicast range.
FF00::/8. Multicast range.
3FFF:FFFF::/32. Reserved for examples and documentation.
2001:0DB8::/32. Also reserved for examples and documentation.
2002::/16. Used with 6to4, a transition mechanism that carries IPv6 packets across an IPv4 network without the need for explicitly configured tunnels.

Multicast: As in IPv4, packets sent to a multicast address are delivered to all interfaces identified by the multicast address. Sometimes people refer to them as one-to-many addresses. Multicast addresses in IPv6 are really easy to spot, since they always start with FF.

I IPv6 Address Applications

IPv6 Routing Applications
I IPv6 Routes
I Static IPv6 Routes
I Static Default Routes
I Floating Static IPv6 Routes
I Neighbor Discovery Protocol NDP

I IPv6 Routing Applications

IPv6 Routes: Cisco routers follow a similar path to IPv4 when adding IPv6 routes to the routing table. The router adds the IPv6 addresses on up interfaces to the routing table as local and connected routes. It adds statically entered routes to the routing table. If OSPFv3 is configured, it adds the routes learned from OSPFv3.

  R1# show ipv6 route static
  ! Legend omitted for brevity
  S   2001:DB8:1111:2::/64 [1/0]
       via Serial0/0/0, directly connected

  R1# show ipv6 route 2001:db8:1111:2::22
  Routing entry for 2001:DB8:1111:2::/64
    Known via "static", distance 1, metric 0
    Route count is 1/1, share count 0
    Routing paths:
      directly connected via Serial0/0/0
Static IPv6 Routes

Static Routes Using the Outgoing Interface:

  R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0
  R2(config)# ipv6 route 2001:db8:1111:1::/64 s0/0/1

Static Routes Using the Next-Hop Address: on R1 the next hop is R2's IPv6 address, and on R2 it is R1's IPv6 address.

  R1(config)# ipv6 route 2001:db8:1111:2::/64 2001:DB8:1111:4::2
  R2(config)# ipv6 route 2001:db8:1111:1::/64 2001:db8:1111:4::1

  R1# show ipv6 route static
  ! Legend omitted for brevity
  S   2001:DB8:1111:2::/64 [1/0]
       via 2001:DB8:1111:4::2

  R1# show ipv6 route 2001:db8:1111:2::22/64
  Routing entry for 2001:DB8:1111:2::/64
    Known via "static", distance 1, metric 0
    Backup from "ospf 1 [110]"
    Route count is 1/1, share count 0
    Routing paths:
      2001:DB8:1111:4::2

Figure 25-1 IPv6 Static Route Example

I IPv6 Routing Applications

Static Routes Using a Link-Local Address:

  ! The first command is on router R1, listing R2's link-local address
  R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0 FE80::FF:FE00:2
  ! The next command is on router R2, listing R1's link-local address
  R2(config)# ipv6 route 2001:db8:1111:1::/64 S0/0/1 FE80::FF:FE00:1

  R1# show ipv6 route static
  ! Legend omitted for brevity
  S   2001:DB8:1111:2::/64 [1/0]
       via FE80::FF:FE00:2, Serial0/0/0

  R1# show ipv6 route 2001:db8:1111:2::22
  Routing entry for 2001:DB8:1111:2::/64
    Known via "static", distance 1, metric 0
    Backup from "ospf 1 [110]"
    Route count is 1/1, share count 0
    Routing paths:
      FE80::FF:FE00:2, Serial0/0/0
        Last updated 00:08:10 ago

Static Default Routes:

  ! Forward out B1's S0/0/1 local interface...
  B1(config)# ipv6 route ::/0 S0/0/1

  B1# show ipv6 route static
  S   ::/0 [1/0]
       via Serial0/0/1, directly connected

Figure 25-2 Using Default Route in B1

Static IPv6 Host Routes:

  R1(config)#
  ! The next command also lists host B's address, prefix length /128,
  ! but with R2's global unicast address as next-hop, and no outgoing interface.
  R1(config)# ipv6 route 2001:db8:1111:2::22/128 2001:DB8:1111:4::2

I IPv6 Routing Applications

Floating Static IPv6 Routes:

  R1# show ipv6 route static
  ! Legend omitted for brevity
  S   2001:db8:1111:7::/64 [130/0]
       via 2001:db8:1111:9::3

  R1# show ipv6 route 2001:db8:1111:7::/64
  Routing entry for 2001:db8:1111:7::/64
    Known via "static", distance 130, metric 0
    Route count is 1/1, share count 0
    Routing paths:
      2001:db8:1111:9::3
        Last updated 00:00:58 ago

Table 25-3 Default Administrative Distance
Figure 25-4 Using the Floating Static Route

I IPv6 Routing Applications

Neighbor Discovery Protocol: Neighbor Discovery Protocol is a protocol that works like ARP in IPv4, and it plays an important role on routers. Let's look at some important functions of NDP.
Neighbor MAC Discovery: Replaces ARP in IPv4. It learns a MAC address from a known IPv6 address.
Router Discovery: Allows hosts in the same subnet to learn the IPv6 router information.
SLAAC: When using Stateless Address Auto Configuration (SLAAC), the host uses NDP messages to learn the prefix information used in the subnet.
DAD: Before a host uses an IPv6 address, it uses Duplicate Address Detection (DAD) to check whether another host is already using that address.

Figure 25-5 IPv6 Neighbor Table
Figure 25-6 Finding the Default Router

Chapter - 9 Wireless LAN
I Wireless Networks Fundamentals
I Cisco Wireless Architecture
I Wireless Networks Security
I Creating a Wireless LAN

Wireless Networks Fundamentals
I Introduction to Wireless Technology
I Wireless LAN Topologies
I Other Wireless Topologies
I RF Overview
I Wireless Bands and Channels
I AP and Wireless Standards

I Wireless Networks Fundamentals

Introduction to Wireless Technology: Transferring a signal using the typical 802.11 arrangement works quite similarly to a simple Ethernet hub: both are two-way communication models. They use the same frequency to send and receive, and this is referred to as half-duplex, as described in the previous sections.
Wireless LANs (WLANs) use radio frequencies (RF) radiated into the air from an antenna, creating radio waves. These waves can be absorbed, refracted or reflected by water, walls and metal surfaces, reducing the signal strength. Because of this inherent sensitivity to environmental factors, it is clear that wireless will never be able to deliver quite the same service that wired networks can. But this does not mean that we will not use wireless. Believe me, we will definitely use it! Various organizations have long worked to manage the use of wireless devices, frequencies, standards, and the frequency spectrum. Table 26-1 shows the institutions around the world that have helped create, provide, and even enforce wireless standards.

Table 26-1 Wireless Standard Organizations

I Wireless Networks Fundamentals

Wireless LAN Topologies: Wireless communication takes place over free space using radio frequency (RF) signals. The theory behind RF signals can be complex, which I'll explain in more detail in the following sections. Assume for now that the transmitter of one device is sending RF signals to the receiver of another device. As shown in Figure 26-2, the transmitter can always reach the receiver as long as both devices are tuned to the same frequency and use that frequency to carry data between them. Everything seems simple, though not very practical.

Figure 26-2 Unidirectional Communication

To take full advantage of wireless communication, data must travel in both directions, as shown in Figure 26-3. Sometimes Device A needs to send data to Device B, while sometimes Device B wants to send data to Device A.

Figure 26-3 Bidirectional Communication

Since the two devices use the same channel, one device sends data while the other receives, and the second device waits to send its own data, so at any moment the communication is one-way. If more than one signal is received at the same time in wireless communication, they can interfere with each other. The greater the number of wireless devices, the greater the likelihood of interference. For example, Figure 26-4 shows four devices tuned to the same channel and what can happen if some or all of them transmit data simultaneously.

Figure 26-4 Several Devices Sending Data on the Same Channel

In order to avoid interference and retransmissions, devices need to work in half duplex. If they do not send and receive in turn, interference and waiting times increase; even so, more than one device can share the same channel and access that channel in wireless networks. For this reason, only one device should transmit at any time, and the 802.11 standards were created to ensure this. Wireless devices are produced according to these standards.

I Wireless Networks Fundamentals

Basic Service Set: As a solution, things can be organized around an AP (Access Point) that every wireless device can connect to. In order for the devices to connect to the AP, the AP advertises a BSS and the devices use the 802.11 standards to register. The AP's BSS operates on a single channel, so that the devices can communicate correctly. In addition, the AP identifies the wireless network with the Service Set Identifier (SSID), a text string containing a logical name. The AP broadcasts the SSID name to the devices that will connect to the network, and in the background advertises its MAC address as the BSSID for this SSID.

Since the operation of a BSS depends on the AP, the BSS is limited to the area where the AP's signal is available. This is known as the Basic Service Area (BSA) or cell. In Figure 26-5 the cell is shown as a simple shaded circular area centered on the AP. Depending on the antenna attached to the AP and the physical environment that may affect the AP's signals, cells may have other shapes.
Figure 26-5 802.11 Basic Service Set
Figure 26-6 Traffic Flow with BSS

I Wireless Networks Fundamentals

Distribution System: We gathered the BSS and the wireless devices around an AP, but so far they can only communicate with each other. The AP's task does not end with the BSS: it also needs to connect the devices on the wireless network with the devices on the wired network. Fortunately, the AP has a wired Ethernet connection, and it can carry its hosts' traffic to other networks over that connection. The figure below shows an example of how this happens.

Figure 26-7 Distribution System Supporting a BSS

Figure 26-8 shows an example of using more than one SSID on an AP. In this example, the connection between the AP and the switch is configured as a trunk, and we can connect users to different networks by creating different SSIDs on the AP.

Figure 26-8 Using Multiple SSIDs on an AP

I Wireless Networks Fundamentals

Extended Service Set: Normally, one AP does not cover the entire area where clients can be found. For example, you may need wireless coverage on all floors of a hotel, hospital, or other large building. Simply add and configure more APs to cover more area. You must configure your network so that the APs communicate with each other over the switch. As in the example given in Figure 26-9, when you leave the coverage area of one AP and enter the coverage area of another AP, the host automatically switches to the other AP without you needing to take any action.

Figure 26-9 Extended Service Set Example

I Wireless Networks Fundamentals

Other Wireless Topologies

Repeater: This is the transfer or extension of the existing AP's signal by a repeater AP into a region where the signal is weak. Normally, the problem should be solved by pulling a network cable to the area where the signal is weak and installing a new AP. But if you do not have the possibility to pull a cable and you need an urgent solution, you can use this method.

Figure 26-10 Example of Repeater Usage

Work Group Bridge: Let's say you have a device that supports a wired Ethernet connection but does not have a wireless connection. For example, some mobile medical devices are designed with a wired connection only. While it is possible to plug the device into an Ethernet connection when needed, a wireless connection would be much more practical. You can use a workgroup bridge (WGB) to connect the device's wired network adapter to a wireless network.

Figure 26-11 Using WGB for Non-Wireless Device

I Wireless Networks Fundamentals

Outdoor Bridge: An AP can be configured to act as a bridge to create a single wireless connection from one network to another over a long distance. Outdoor bridged connections are often used to connect buildings or cities.

Figure 26-12 Point-to-Point Outdoor Bridge
Figure 26-13 Point-to-Multipoint Outdoor Bridge

Mesh Network: You may not be able to run Ethernet cables to every AP to provide wireless coverage over a very large area. Instead, you can use APs configured in mesh mode. In a mesh topology, wireless traffic is bridged from AP to AP in a daisy chain, using another wireless channel.

Figure 26-14 Typical Wireless Mesh Network

I Wireless Networks Fundamentals

RF Overview: To send data over a wired connection, an electrical signal is applied at one end and carried to the other. The wire of the cable is continuous and conductive, so the signal is transmitted quite easily. But a wireless connection does not have any physical path to carry the signal. In RF, the sender (a transmitter) applies an alternating current to a section of wire (the antenna), which creates moving electric and magnetic fields that propagate out and away as moving waves. The electric and magnetic fields move together and are always at right angles to each other, as shown in Figure 26-15. The signal must be constantly switched, or flipped up and down, to make the electric and magnetic field waves overlap and push outward.

Electromagnetic waves do not travel in a straight line. Instead, they are transmitted away from the antenna, expanding in all directions. The resulting waves start small and expand outward, only to be replaced by new waves. In empty space, electromagnetic waves expand outward in all three dimensions. Figure 26-16 shows a simple antenna. The waves produced expand outward circularly. The waves will eventually reach the receiver, in addition to many other locations in other directions.

Figure 26-15 Moving Electric and Magnetic Waves
Figure 26-16 Wave Propagation with a Simple Antenna

I Wireless Networks Fundamentals

At the receiving end of the wireless connection, the process is reversed. As the electromagnetic waves reach the receiver's antenna, they create an electrical signal. If all goes well, the received signal will be a reasonable copy of the original signal that was sent.

The electromagnetic waves involved in a wireless connection can be measured and described in several ways. One of the key features is the frequency of the wave, or the number of times the signal cycles fully up and down in 1 second. Figure 26-17 shows how a wave cycle can be defined. A cycle begins when the signal rises from the centerline, falls, and rises again. The interval from one peak to the next peak can also be measured as a cycle. Wherever you start measuring a cycle, the signal should make a full swing back to its starting position, ready to repeat the same cyclic pattern.

Figure 26-17 Cycles in a Wave
Figure 26-18 Frequency Unit Names
Figure 26-19 Frequency Spectrum

I Wireless Networks Fundamentals

Wireless Bands and Channels: One of the two main frequency ranges used for wireless LAN communication is between 2.400 and 2.4835 GHz. It is often referred to as the 2.4 GHz band, although it does not cover the entire range between 2.4 and 2.5 GHz.
The other wireless LAN range is usually called the 5 GHz band because it lies between 5.150 and 5.825 GHz. The 5 GHz band actually consists of the following four separate bands:

• 5.150 to 5.250 GHz
• 5.250 to 5.350 GHz
• 5.470 to 5.725 GHz
• 5.725 to 5.825 GHz

A frequency band contains a continuous range of frequencies. If a single frequency is needed for a wireless connection between two devices, which frequency can they use? How many unique frequencies can be used in a band? To keep everything organized and interoperable, bands are split into a number of channels. Each channel is known by a channel number and is assigned a specific center frequency. As long as the channels are defined by a national or international standards body, they can be used consistently in all locations. Figure 26-20 shows the channel layout for the 2.4 GHz band and Figure 26-21 the layout for the 5 GHz bands.

Figure 26-20 2.4 GHz Band Channels
Figure 26-21 5 GHz Band Channels

Wireless Networks Fundamentals: APs and Wireless Standards

Wireless client devices and APs must all be able to operate in the same band. For example, a wireless phone that supports only the 5 GHz band can communicate only with an AP that offers Wi-Fi service on 5 GHz channels. In addition, devices and APs must implement the same 802.11 standards. As the IEEE 802.11 Wi-Fi standard develops and adds innovations, each amendment is given its own name under the 802.11 umbrella, as listed in Figure 26-22.

Figure 26-22 IEEE 802.11 Standards

Cisco Wireless Architecture
• Autonomous AP Architecture
• Split-MAC AP Architecture
• Cloud-Based AP Architecture
• Comparing WLC Types
• Cisco AP Modes

Cisco Wireless Architecture: Autonomous AP Architecture

The primary task of an access point is to carry data from wireless devices to a regular wired network. It acts as a bridge between the wired network and the wireless clients so that the clients can reach the wired network. An autonomous AP works independently. It offers one or more BSSs, and by creating different SSIDs we can map them to different VLANs. Figure 27-1 shows the basic architecture.

An autonomous AP must also be configured with a management IP address before you can manage it remotely (10.10.10.10 in Figure 27-1). Ultimately you will want to configure SSIDs, VLANs and many RF parameters such as the channel to use and the transmit power. The management address is not normally part of a data VLAN, so a dedicated management VLAN (VLAN 10 in the figure) should be created to reach the AP. Unless you use a management platform such as Cisco Prime Infrastructure or Cisco DNA Center, each AP must be configured individually.

Figure 27-1 Wireless Network Architecture with an Autonomous AP
Figure 27-2 Data VLAN Coverage with Autonomous APs

Cisco Wireless Architecture: Split-MAC AP Architecture

Because autonomous APs work alone, managing RF operation across many of them is quite challenging. As the network administrator you are responsible for selecting and configuring the channel used by each AP, and for identifying and dealing with any rogue APs that may interfere. These management functions are not tied to the real-time processing of frames on the RF channel; they are things that are better handled centrally. Therefore these functions can be moved away from the AP to a central platform.

When the functions of an autonomous AP are split this way, the AP is known as a lightweight AP and performs only the real-time 802.11 processing. The management functions of lightweight APs are handled by the Wireless LAN Controller (WLC) that controls them; this is shown in Figure 27-3. The APs continue to handle Layer 1 and Layer 2 duties; all other WLAN functions, such as authenticating users, managing security policies and even selecting RF channels and output power, are handled by the WLC.

Note: Lightweight APs cannot operate on their own without a WLC.

Figure 27-3 Comparison of an Autonomous AP and a Lightweight AP

Cisco Wireless Architecture: CAPWAP

The lightweight AP and the WLC communicate through the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, which uses two tunnels:

CAPWAP Control Messages: Carry the control messages used to configure the AP and manage its operation. Control messages are authenticated and encrypted, so that the AP can only be controlled by the appropriate WLC, and are transported over the control tunnel.

CAPWAP Data: Carries the packets travelling to and from wireless clients. Data packets are carried over the data tunnel but are not encrypted by default. When data encryption is enabled for an AP, the packets are protected with Datagram Transport Layer Security (DTLS).

Figure 27-4 Linking a Lightweight AP and a WLC with CAPWAP
Figure 27-5 CAPWAP Tunneling with a WLC

When connecting lightweight APs to switches, the switch port is configured in access mode, not trunk mode: the AP builds CAPWAP tunnels to the WLC, and the client VLANs travel inside these tunnels rather than on the AP's switch port.

Cisco Wireless Architecture: Cloud-Based AP Architecture

Autonomous APs work standalone, so we have to configure and maintain them one by one or use Cisco Prime Infrastructure. As the network grows, it becomes increasingly difficult to manage autonomous APs individually. Cloud-based Cisco Meraki APs, on the other hand, are managed from a single management portal in the cloud, which makes it very easy to push configurations to the APs and to produce reports on user performance and activity.

Figure 27-6 Cisco Meraki Cloud-Based Wireless Network Architecture

Cisco Wireless Architecture: Comparing WLC Types

Figure 27-7 Unified WLC
Figure 27-8 Cloud WLC
Figure 27-9 Mobility Express WLC
Figure 27-10 Embedded WLC

Cisco Wireless Architecture: Cisco AP Modes

Local: The default mode of a lightweight AP. When it is not transmitting, the AP scans the other channels to measure the noise level, measure interference, discover rogue devices and match intrusion detection system (IDS) events.

Bridge: The AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to connect two locations separated by distance.
Monitor: The AP does not transmit at all; its receiver is used as a dedicated sensor. The AP checks for IDS events, detects rogue APs and determines the position of stations through location-based services.

FlexConnect: An AP at a remote site can switch traffic between an SSID and a VLAN locally when the WLC is unreachable and the CAPWAP tunnel cannot be established, provided it has been configured to do so.

Sniffer: The AP is set to receive 802.11 traffic from other sources, such as other wireless devices. The captured traffic is forwarded to network analysis software running on a PC, such as Wildpackets OmniPeek or Wireshark, where it can be analyzed further.

Rogue Detector: The AP is set to detect rogue devices by comparing the MAC addresses it sees on the wired network with those advertised on the wireless network. Rogue devices are those that appear on both.

SE-Connect: The AP is dedicated to spectrum analysis with its radios on all wireless channels. It sends the spectrum analysis data to a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert, where it is collected and analyzed to discover sources of interference.

Flex+Bridge: FlexConnect operation is enabled on a mesh AP.

Wireless Network Security
• Secure Connection Anatomy
• Wireless Client Authentication Methods
• Wireless Privacy and Integrity Methods
• WPA, WPA2 and WPA3

Wireless Network Security: Secure Connection Anatomy

In a wired network a client is connected directly to the switch and what it sends goes directly to the switch port. In a wireless network the clients are not directly connected, and anyone within range can receive what they send. Consider the scenario in Figure 28-1. A wireless user logs on to a remote server and sends a secret password. Since both trusted and untrusted users are in range of the client's signal, an untrusted user can also learn the password by capturing the frames sent over the channel. Wireless makes it much easier for a malicious user to eavesdrop on, and use, the signals that come and go in the network.

Figure 28-1 Unsecured Wireless Connection Traffic

Authentication: Before users start using the wireless network, they must be authenticated by some authentication method. Suppose your company's confidential information and documents can be reached through your wireless network. In that case only trusted, known people and devices should be given access. If guest users are allowed, they should join a separate guest WLAN from which they can reach only public, non-private resources.

Wireless authentication can take many forms. The simplest method requires only that all trusted users know a common pre-shared password configured on the APs. The password is stored on the user device and presented to the AP when needed. What happens if the device is stolen or lost? Most likely, whoever holds the device can still authenticate to the network. Other authentication methods rely on an enterprise user database. In those cases the end user must enter a valid username and password, something a malicious person holding the device will not know.

Message Privacy: Suppose you authenticate before joining the wireless network. The data passing to and from your client is still available to eavesdroppers on the same channel. To maintain data privacy on a wireless network, the data must be encrypted while it travels over the air: wireless data frames are encrypted when sent and decrypted when received, using an encryption method and key that the transmitter and receiver share so that the data can be encrypted and decrypted successfully.

Figure 28-2 Encrypting Wireless Data to Protect Data Privacy

Message Integrity: Encryption hides our data from other users of the same channel, but it does not by itself prove that the data has not been altered. A message integrity check (MIC) is a security tool that protects against tampering. The sender adds a secret stamp, the MIC, inside the encrypted data frame; the stamp is computed from the content of the data bits being transmitted. When the receiver decrypts the frame, it recomputes what the stamp should be from the data bits it received and compares that with the stamp carried in the frame. If the two stamps are the same, the receiver can safely assume that the data has not been tampered with. Figure 28-3 shows the MIC operation.

Figure 28-3 Checking Message Integrity over a Wireless Network

Wireless Network Security: Wireless Client Authentication Methods

Many authentication methods can be used to connect wireless users to the network. Methods have become obsolete over time and new ones have evolved as security vulnerabilities emerged and wireless hardware developed. In this chapter I describe the most common authentication methods you may encounter.

Open Authentication: The original 802.11 standard offered only two options for authenticating a user: Open Authentication and WEP. Open Authentication offers open access to a wireless network; the only check is whether the client supports the 802.11 standard. This method is common in cafes, shopping malls and other public places, where any further authentication is done through a web page after association. Most operating systems warn you when joining such a network that your wireless data will not be protected at all.

WEP (Wired Equivalent Privacy): As you can imagine, Open Authentication offers nothing to hide or encrypt the data sent between a user and an AP. As an alternative, the 802.11 standard traditionally defined Wired Equivalent Privacy (WEP) as a way of making a wireless connection more like, or equivalent to, a wired connection. WEP uses the RC4 cipher to hide the contents of each wireless data frame; the same algorithm encrypts the data at the sender and decrypts it at the receiver. The algorithm uses a string of bits, called the WEP key, as a key from which other encryption keys are derived, one per wireless frame. As long as the sender and receiver have the same key, each can decrypt what the other encrypts.

WEP keys can be 40 or 104 bits long, written as a string of 10 or 26 hex digits. As a general rule, longer keys provide more unique bits for the algorithm and therefore stronger encryption. WEP was defined in the 802.11 standard in 1999, but in 2001 a number of weaknesses were discovered and published, so work began on better wireless security methods. WEP was officially deprecated in 2004 and is considered an inadequate method for securing a wireless LAN.

Wireless Network Security: 802.1x/EAP

A more secure authentication method than Open Authentication and WEP was needed. Instead of adding more authentication methods to the 802.11 standard, the Extensible Authentication Protocol (EAP), a more flexible and scalable authentication framework, was chosen. EAP defines a set of common functions that actual authentication methods can use to authenticate users. EAP integrates with the IEEE 802.1x port-based access control standard. When 802.1x is enabled, access to the network is blocked until the client authenticates; the wireless client cannot send data to any other part of the network until authentication succeeds.

802.1x does not itself rely on Open or WEP authentication: the client uses Open Authentication to associate with the AP, and the AP/WLC then relays its credentials to a dedicated authentication server for the actual client authentication. Figure 28-4 shows the three-party 802.1x arrangement: the client (supplicant), the WLC (authenticator) and the authentication server (AS). The WLC acts as the middleman in the client authentication process; it controls user access with 802.1x and communicates with the authentication server using the EAP framework.

Figure 28-4 802.1x Client Authentication Roles

LEAP: To close the weaknesses in WEP, Cisco developed a proprietary wireless authentication method called Lightweight EAP (LEAP). For authentication the client must provide username and password credentials.
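The weakness that ended WEP is visible in a few lines of code. The following Python is an added example written for this page (it is not from the training or from Cisco): it implements RC4 as WEP uses it, with the per-frame key formed from the 24-bit IV sent in the clear plus the shared WEP key, and shows that two frames encrypted under the same IV share a keystream. XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, so an eavesdropper who can guess one frame (a predictable ARP body, for instance) recovers the other without ever learning the key. The key, IV and frame contents are constructed sample data; the real WEP frame also carries a CRC-32 ICV, which is omitted here.

```python
"""Added example: why WEP's RC4 keystream reuse is fatal.

Illustrative code written for this page, not Cisco's or the IEEE's.
RC4 is keyed exactly as WEP does it (24-bit IV || secret key), and the
demo shows that two frames sent under the same IV leak the XOR of their
plaintexts. All keys, IVs and frame bodies below are constructed samples.
"""
from __future__ import annotations


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body encryption: RC4 keyed with IV || secret key.

    The 3-byte (24-bit) IV travels in the clear in front of the ciphertext.
    Returns iv || ciphertext; the real WEP CRC-32 ICV is left out.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Receiver side: same keystream, same XOR."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret_key, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Eavesdropper's view: two captured frames with the SAME IV, no key.

    ct_a XOR ct_b == pt_a XOR pt_b because the shared keystream cancels,
    so a guessed pt_a (e.g. a predictable ARP body) yields pt_b directly.
    """
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("attack needs two frames under the same IV")
    n = min(len(ct_a), len(ct_b), len(known_a))
    return bytes(ct_a[i] ^ ct_b[i] ^ known_a[i] for i in range(n))


# Constructed sample data: a 40-bit key (10 hex digits) and one reused IV.
SECRET_KEY = bytes.fromhex("0A1B2C3D4E")
IV = bytes.fromhex("00000a")                  # 2^24 IVs wrap quickly on a busy AP
FRAME_A_PT = b"ARP who-has 10.1.1.1 "         # predictable, attacker guesses it
FRAME_B_PT = b"password=Secret123!!"          # what the attacker is after


def demo() -> bytes:
    """Encrypt two frames under one IV and recover the second from the first."""
    frame_a = wep_encrypt(SECRET_KEY, IV, FRAME_A_PT)
    frame_b = wep_encrypt(SECRET_KEY, IV, FRAME_B_PT)   # IV reused
    return recover_with_known_plaintext(frame_a, frame_b, FRAME_A_PT)


if __name__ == "__main__":
    print(demo())
```

With only 2^24 IVs the same IV recurs within hours on a busy network, and RC4 has further key-scheduling weaknesses beyond keystream reuse; a longer WEP key fixes neither, which is why the "longer keys are stronger" rule above did not rescue WEP.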
The authentication server (AS) and the client then exchange challenge messages, which each side encrypts and returns; as long as the messages can be decrypted successfully, the client and the AS have authenticated each other, giving mutual authentication. LEAP has since been shown to be vulnerable to offline dictionary attacks on the user's password and is considered obsolete.

Wireless Network Security: EAP-FAST

Cisco developed a more secure method called EAP Flexible Authentication by Secure Tunneling (EAP-FAST). Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant. The PAC is a shared secret generated by the AS and used for mutual authentication. EAP-FAST is a sequence of three phases:

Phase 1: The PAC is generated (provisioned) and installed on the client.
Phase 2: After the supplicant and the AS authenticate each other, they negotiate a Transport Layer Security (TLS) tunnel.
Phase 3: The end user is authenticated through the TLS tunnel for added security.

Note that there are two separate authentication processes in EAP-FAST, one between the AS and the supplicant and one involving the end user. They happen in a nested fashion, as an outer authentication (outside the TLS tunnel) and an inner authentication (inside the TLS tunnel).

Like other EAP-based methods, a RADIUS server is required. However, for the RADIUS server to generate one PAC per user, it must also function as an EAP-FAST server.

Wireless Network Security: PEAP

Like EAP-FAST, the Protected EAP (PEAP) method uses inner and outer authentication, but in the outer authentication the AS presents a digital certificate to authenticate itself to the supplicant. The AS's digital certificate consists of data in a standard format that has been "signed", or certified, by a trusted third party. This third party is a Certificate Authority (CA) known to and trusted by both the AS and the supplicants. The supplicant must also hold the CA's certificate so that it can verify the certificate it receives from the AS. The certificate also carries the AS's public key in the clear, which the supplicant uses to set up the TLS tunnel with the AS.

Note that only the AS has a certificate in PEAP. This means that the supplicant can easily verify the AS, but the client has no certificate of its own, so it must be authenticated inside the TLS tunnel using one of the following two methods:

MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol version 2.
GTC: Generic Token Card, a hardware token that generates one-time passwords, or a manually entered password.

Wireless Network Security: EAP-TLS

PEAP uses the digital certificate on the AS as a strong way to authenticate the RADIUS server. Obtaining and installing a certificate on a single server is easy, but EAP Transport Layer Security (EAP-TLS) requires certificates on the AS and on every client device. With EAP-TLS the AS and the client exchange certificates and authenticate each other. A TLS tunnel is then built so that encryption key material can be exchanged securely.

EAP-TLS is considered the most secure wireless authentication method available; however, it can be difficult to implement. Every wireless client, as well as the AS, must obtain and install a certificate. Manually installing certificates on hundreds or thousands of clients is not practical. Instead you need a Public Key Infrastructure (PKI) that can securely and efficiently issue certificates, and revoke them when a client or user no longer needs access to the network. This usually means setting up your own CA or establishing a trust relationship with a third-party CA that can issue certificates to your clients.

Note: EAP-TLS is only usable if the wireless clients can accept and use digital certificates. Many wireless devices, such as handheld communicators, medical devices and RFID tags, have a base operating system that cannot interact with a CA or use certificates.

Wireless Network Security: Wireless Privacy and Integrity Methods

TKIP: After WEP was found to be vulnerable, and while deployed clients and APs still had WEP-only hardware, the Temporal Key Integrity Protocol (TKIP) was developed. TKIP adds the following security features on top of the legacy hardware and the basic WEP encryption:

MIC: An efficient algorithm adds a hash value to every frame as a message integrity check to detect tampering; it is often referred to as "Michael" in informal references to the MIC.
Time Stamp: A timestamp is added to the MIC to prevent attacks that try to reuse or reconstruct previously sent frames.
TKIP sequence counter: A per-frame counter, tracked for each sender MAC address, prevents previously sent frames from being replayed.
Key mixing algorithm: Computes a unique 128-bit WEP key for each frame.

CCMP: The Counter/CBC-MAC Protocol (CCMP) is considered more secure than TKIP. CCMP consists of two algorithms:

• AES in counter mode for encryption
• Cipher Block Chaining Message Authentication Code (CBC-MAC) as the message integrity check (MIC)

The Advanced Encryption Standard (AES) is the current encryption algorithm adopted by the US National Institute of Standards and Technology (NIST) and the US government, and it is widely used all over the world. AES is open and public, and it offers the strongest encryption commonly available today. For CCMP to be used on a wireless network, client devices and APs must support AES counter mode and CBC-MAC in hardware; CCMP is not available on devices that support only WEP or TKIP. CCMP is the required cipher for WPA2 and can also be used with WPA.

GCMP: The Galois/Counter Mode Protocol (GCMP) is a robust authenticated encryption suite that is more secure and more efficient than CCMP. GCMP consists of two algorithms:

• AES in counter mode for encryption
• Galois Message Authentication Code (GMAC) as the message integrity check (MIC)

GCMP is used with WPA3.
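To make the MIC described under Message Integrity and the TKIP sequence counter above concrete, here is an added Python example written for this page; it is not Cisco's code and not TKIP's Michael or CCMP's CBC-MAC, but HMAC-SHA256 from the standard library standing in for the integrity algorithm. It shows the two receiver-side checks the text describes: a keyed integrity stamp over header and payload that fails on any modified bit, and a per-sender frame counter that rejects a replayed frame even though its MIC is valid. The frame layout, key and frames are constructed for the example.

```python
"""Added example: what a MIC and a sequence counter buy the receiver.

Written for this page, not Cisco's code. HMAC-SHA256 replaces TKIP's
Michael / CCMP's CBC-MAC so the example runs with the standard library;
the checks are the same ones the text describes. Key and frames are
constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac

MIC_LEN = 8          # CCMP also carries an 8-byte MIC
HDR_LEN = 6 + 6      # src MAC (6) || sequence counter (6)


def build_frame(mic_key: bytes, src_mac: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = src_mac || seq (6-byte big-endian) || payload || MIC.

    The MIC covers address, counter and payload, so none of them can be
    altered in flight without the stamp failing at the receiver.
    """
    header = src_mac + seq.to_bytes(6, "big")
    tag = hmac.new(mic_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + tag


class Receiver:
    """Tracks the last accepted counter per sender, like a TKIP/CCMP replay check."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = {}          # sender MAC -> highest counter accepted

    def accept(self, frame: bytes) -> tuple[bool, str]:
        if len(frame) < HDR_LEN + MIC_LEN:
            return False, "runt frame"
        header, payload, tag = frame[:HDR_LEN], frame[HDR_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.mic_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return False, "MIC failure: frame tampered"
        src, seq = header[:6], int.from_bytes(header[6:], "big")
        if seq <= self.last_seq.get(src, -1):
            return False, "replay: counter not increasing"
        self.last_seq[src] = seq
        return True, "ok"


# Constructed sample key and station address.
MIC_KEY = bytes(range(16))
STA = bytes.fromhex("001122334455")


def demo() -> list[str]:
    """Good frame, tampered copy, replayed original, then the next good frame."""
    rx = Receiver(MIC_KEY)
    good = build_frame(MIC_KEY, STA, 1, b"GET /index.html")
    results = [rx.accept(good)[1]]
    tampered = bytearray(good)
    tampered[HDR_LEN] ^= 0x01                          # flip one payload bit
    results.append(rx.accept(bytes(tampered))[1])
    results.append(rx.accept(good)[1])                 # replay of a valid frame
    results.append(rx.accept(build_frame(MIC_KEY, STA, 2, b"GET /logo.png"))[1])
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the counter and the sender address sit under the MIC, an attacker cannot take a captured frame and simply bump its counter to get past the replay check; that combination is the point of pairing the two mechanisms.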
Wireless Network Security: WPA, WPA2 and WPA3

In the previous sections we covered various authentication methods, encryption algorithms and message integrity algorithms. When it is time to configure a WLAN with wireless security, how do we know which is best, or which ones work well together? Which authentication methods are compatible with which encryption algorithms?

The Wi-Fi Alliance (http://wi-fi.org), a nonprofit wireless industry association, has made this simple through its Wi-Fi Protected Access (WPA) industry certifications. There are three versions to date: WPA, WPA2 and WPA3. Wireless products are tested in authorized testing laboratories against strict criteria that represent the correct implementation of a standard. As long as the Wi-Fi Alliance has certified a wireless client device, and an AP and its associated WLC, for the same version of WPA, they should be compatible and offer the same security components.

The Wi-Fi Alliance introduced WPA version 3 (WPA3) in 2018 as the future replacement for WPA2 and added several important security mechanisms. WPA3 benefits from stronger encryption with AES in the Galois/Counter Mode Protocol (GCMP). It also uses Protected Management Frames (PMF) to secure critical 802.11 management frames between APs and clients, preventing attacks that could spoof or tamper with a BSS's operation.

Figure 28-5 Comparison of WPA, WPA2 and WPA3

Also note that WPA, WPA2 and WPA3 simplify wireless configuration and compatibility because each restricts which authentication and privacy/integrity methods may be used.

Figure 28-6 Overview of Wireless Security Mechanisms and Options

Wireless LAN Creation
• Connecting a Cisco AP
• Connecting the Cisco WLC to the Network
• Accessing the Cisco WLC
• WLAN Configuration

Creating a Wireless LAN: Connecting a Cisco AP

A Cisco wireless network may consist of lightweight APs working with one or more Wireless LAN Controllers, or of autonomous APs. You must know how to connect each AP type to the switch so that the APs can forward traffic between the appropriate VLANs and WLANs.

Figure 29-1 Connection Methods for APs

Creating a Wireless LAN: Connecting the Cisco WLC to the Network

Let's get to know the ports on a WLC:

Service Port: Used for out-of-band management, system recovery and initial boot functions; always connected to a switch port in access mode.
Distribution System Port: Used for all normal AP and management traffic; usually connected to an 802.1Q trunk switch port.
Console Port: Used for out-of-band management, system recovery and initial boot through a terminal emulator (9600 baud, 8 data bits, 1 stop bit by default).
Redundancy Port: Used to connect a second WLC for high availability.

Figure 29-5 Cisco Wireless LAN Controller Ports
Figure 29-6 Cisco 5508 Wireless LAN Controller

Creating a Wireless LAN: Accessing the Cisco WLC

To connect to and configure a WLC, open a web browser and enter the WLC's management IP address (over HTTP or, preferably, HTTPS). This is only possible after the WLC has received its initial configuration and a management IP address has been assigned to its management interface. The web-based GUI provides an efficient way to monitor, configure and troubleshoot a wireless network. You can also connect to the WLC over SSH and use its CLI to monitor, configure and debug activity. When you open the management IP in the browser you see the initial login screen; click the Login button as shown in Figure 29-2 and enter your credentials when prompted.

Figure 29-2 WLC Initial Login Screen
Figure 29-3 Switching to the Advanced Configuration Interface
Figure 29-4 WLC Advanced Configuration GUI

Creating a Wireless LAN: WLAN Configuration

A WLAN works together with a Wireless LAN Controller and its APs to provide network connectivity to wireless clients. The AP broadcasts the SSID so that clients can join. The WLC connects to the switch through one of its dynamic interfaces. To complete the path between the SSID and a VLAN, as shown in Figure 29-7, we first need to create a WLAN on the WLC.

Figure 29-7 Connecting the Wired and Wireless Networks

Step 1: Configure the RADIUS Server. If you are going to perform 802.1x authentication on your network, you must first define the authentication server. If you do not have an authentication server, you can skip this step.

Figure 29-8 Displaying the List of RADIUS Authentication Servers
Figure 29-9 Configuring a New RADIUS Server

Step 2: Configure the Interface.

Figure 29-10 Displaying the List of Dynamic Interfaces
Figure 29-11 Defining a Dynamic Interface Name and VLAN ID
Figure 29-12 Editing the Dynamic Interface Parameters

Step 3: Configure the WLAN.

Figure 29-13 Displaying the List of WLANs
Figure 29-14 Creating a New WLAN
Figure 29-15 Configuring the General WLAN Parameters

WLAN Security Configuration

Figure 29-16 Configuring Layer 2 WLAN Security
Figure 29-17 Selecting RADIUS Servers for WLAN Authentication

QoS Configuration

Figure 29-18 Configuring QoS Settings
Figure 29-19 Displaying the WLANs Configured on a Controller
Figure 29-20 Configuring Management Access from Wireless Networks

This completes the WLAN configuration.

Chapter 10: Access Control Lists
• TCP/IP Transport and Applications
• Basic ACLs (Standard Access Control Lists)
• Extended ACLs (Extended Access Control Lists)

TCP/IP Transport and Applications
• TCP - Transmission Control Protocol
• UDP - User Datagram Protocol
• TCP/IP Applications
• URI - Uniform Resource Identifiers
• Using DNS
• File Transfer via HTTP

TCP/IP Transport and Applications: TCP/IP Layer 4 Transport Protocols, TCP and UDP

TCP - Transmission Control Protocol: The main difference between TCP and UDP is that TCP provides a wide variety of services to applications and UDP does not. For example, routers drop packets for many reasons, including bit errors, congestion and the lack of a route to the destination. Most data-link protocols detect errors but simply discard the frames that have them; TCP provides retransmission (error recovery) and helps prevent congestion (flow control), whereas UDP does not retransmit. As a result, many application protocols choose TCP.

Figure 30-1 shows the TCP header fields. You do not need to memorize the names or positions of the fields; we cover the important ones in the remainder of this section.

Figure 30-1 TCP Header

But do not think UDP is worse than TCP because of what it lacks. By providing fewer services, UDP needs a smaller header than TCP, which means less byte overhead on the network, and UDP does not slow down the data transfer the way TCP's error recovery and flow control can. Also, some applications, especially Voice over IP (VoIP) and video over IP, do not need error recovery, so they use UDP. UDP therefore still has an important place in TCP/IP networks today.

Figure 30-2 Example of Adding a TCP Header

Port numbers fall into three ranges:

Well-Known (System) Ports: Ports 0 to 1023, assigned by IANA for use by well-known system services.
User (Registered) Ports: Ports 1024 to 49151; IANA applies fewer rules to the assignment of these ports than to the system ports.
Ephemeral (Dynamic, Private) Ports: Ports 49152 to 65535, which are unassigned and intended to be allocated dynamically and temporarily to a client application while it runs.

Figure 30-3 shows an example using three ephemeral port numbers on the user device on the left; the server on the right uses two well-known ports and one registered port. The computer runs three applications at the same time, so three connections are open. Because a port number on a single computer must be unique, the pair of port numbers on the two computers identifies a unique connection between them. This uniqueness lets you use multiple applications at the same time, talking to applications running on the same or different computers. Port-based multiplexing ensures that data is delivered to the right application.

Figure 30-3 Example of Port Usage between a User and a Server
Figure 30-4 Some Commonly Used Well-Known System Ports

UDP - User Datagram Protocol: UDP provides some of TCP's functions, such as data transfer and multiplexing with port numbers, while requiring less byte overhead and less processing than TCP. Applications that use UDP either tolerate lost data or have an application-specific mechanism to recover it. For example, VoIP uses UDP because, if a voice packet is lost, by the time the loss is detected and the packet retransmitted the delay is too large and the voice becomes unintelligible; UDP delivers the remaining packets with less delay than TCP would. DNS requests also use UDP, because the user simply retries the operation if a request fails. As another example, the Network File System (NFS), a remote file system implementation, performs recovery in application-layer code, so it can use UDP.

Figure 30-5 UDP Header

TCP/IP Applications: The point of building a corporate network, or connecting a small home or office network to the Internet, is to use applications such as web browsing, text messaging, email, file downloads, audio and video. In this chapter we examine one specific application: web browsing using the Hypertext Transfer Protocol (HTTP). The World Wide Web (WWW) consists of all the Internet-connected web servers in the world and all the Internet-connected users with web browsers.
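The header fields and port ranges described above are easiest to see on real bytes. The following Python is an added example written for this page, not code from the training: it parses a TCP header (the Figure 30-1 fields) and a UDP header (the Figure 30-5 fields) with struct, classifies ports into the three IANA ranges listed, and builds the protocol/address/port tuple that port-based multiplexing uses to keep simultaneous connections apart. The two segments are constructed byte strings, not captured traffic; field layout and flag bits follow RFC 793 and RFC 768.

```python
"""Added example: reading the Layer 4 header fields the text describes.

Illustrative code written for this page (not from Cisco or the CCNA
book). Parses TCP (RFC 793) and UDP (RFC 768) headers from raw bytes,
classifies ports into the IANA ranges given in the text, and forms the
connection identifier used for multiplexing. Sample segments are
constructed inline, not captured traffic.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# TCP fixed header, 20 bytes (options follow if data offset > 5 words):
#   src port(2) dst port(2) seq(4) ack(4) offset+flags(2) window(2) csum(2) urgent(2)
TCP_FMT = "!HHIIHHHH"
# UDP header, 8 bytes: src port(2) dst port(2) length(2) checksum(2)
UDP_FMT = "!HHHH"

FLAG_NAMES = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
              (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def port_class(port: int) -> str:
    """Classify a port into the three IANA ranges listed in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


@dataclass
class Segment:
    proto: str
    src_port: int
    dst_port: int
    flags: tuple[str, ...]
    payload: bytes

    def connection_id(self, src_ip: str, dst_ip: str) -> tuple:
        """The 5-tuple that keeps simultaneous connections apart."""
        return (self.proto, src_ip, self.src_port, dst_ip, self.dst_port)


def parse_tcp(data: bytes) -> Segment:
    """Decode a TCP segment; validates the data offset before trusting it."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_FMT, data[:20])
    header_len = (off_flags >> 12) * 4            # data offset is in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError(f"bad TCP data offset: {header_len}")
    flags = tuple(name for bit, name in FLAG_NAMES if off_flags & bit)
    return Segment("tcp", src, dst, flags, data[header_len:])


def parse_udp(data: bytes) -> Segment:
    """Decode a UDP datagram; the length field counts header plus data."""
    if len(data) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, _csum = struct.unpack(UDP_FMT, data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"UDP length {length} inconsistent with datagram size")
    return Segment("udp", src, dst, (), data[8:length])


# Constructed samples: a client SYN toward HTTP, and a DNS query datagram.
SYN_TO_HTTP = struct.pack(TCP_FMT, 49200, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
DNS_QUERY = struct.pack(UDP_FMT, 51000, 53, 8 + 4, 0) + b"\x12\x34\x01\x00"


if __name__ == "__main__":
    for seg in (parse_tcp(SYN_TO_HTTP), parse_udp(DNS_QUERY)):
        print(seg.proto, seg.src_port, port_class(seg.src_port),
              "->", seg.dst_port, port_class(seg.dst_port), seg.flags)
```

Note the two sanity checks: a data offset smaller than 5 words or larger than the segment, or a UDP length that does not fit the datagram, is rejected rather than used as a slice index, which is the first thing a packet parser exposed to untrusted input must get right.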
Web servers store information (in the form of web pages) that can be useful to different people. A web browser installed on the end user's computer wants to connect to a web server and view the web pages stored on the web server. Several specific application processes must occur for this process to work. The user must somehow define the server, the particular web page, and the protocol used to retrieve data from the server. The client usually finds the web server's IP Figure 30-5 UDP Header address using DNS. The client must request the web page consisting of multiple individual files and the server must send the files to the web browser. I TCP/IP Transport and Applications URI - Uniform Resource Identifiers Using DNS In order for the browser to display a web page, we need to type the web page A host can use DNS to find the IP address of a particular web server. URIs address to which we will connect to the browser, for example www.cisco.com. usually list the name of the server. The web browser cannot send an IP packet The browser user can identify a web page when you click something on a web on behalf of the target web server, but the target web server can send a packet to page or enter Uniform Resource Identifiers (URI) in the browser's address field. the IP address. So, before the browser sends a packet to the web server, the browser Both options (clicking a link and typing a URI) point to a URI because when usually needs to resolve the name in the URI and the corresponding IP address you click a link on a web page that link actually points to a URI. of that name. When we examine the example below, we can see how the process URIs used to connect to a web server include three basic components as outlined takes place. in Figure 30-6. The figure shows the official names of the URI fields. 
More importantly, remember that the text before // identifies the protocol used to connect to the server, the text between // and / identifies the server by its name, and the text after the / identifies the web page.

http://www.yavuzbulut.com/blog

Figure 30-6 Web page URI example
Figure 30-7 DNS Resolution and Web Page Request

TCP/IP Transport and Applications

File Transfer with HTTP
To retrieve a file from the web server, the client sends an HTTP GET request to the server listing the filename. If the server decides to send the file, the server sends an HTTP GET response with a return code of 200 (meaning OK) and the file's contents.

Web pages often consist of multiple files. Most web pages contain text as well as various graphic images, animated advertisements, and possibly audio or video. Each of these components is stored as a different file on the web server. To get them all, the web browser first retrieves the first file. This file may (and often does) contain references to other URIs, so the browser requests the other files as well. Figure 30-8 shows the browser receiving the first file and then the other two files.

Figure 30-8 Multiple HTTP GET Requests/Responses

Basic Access Control List
Basic ACL - Access Control List
ACL Location and Direction
Types of ACLs
Subnet Matching with Wildcard
Standard Numbered ACL
Configuring Standard Numbered ACLs

Basic ACL - Access Control List

Basic Access Control List
IPv4 ACLs are most commonly used for packet filtering in Cisco routers. An ACL provides filtering by checking the packets passing through the router. Once enabled, the router decides whether to block or allow each IP packet. However, ACLs can also be used for many other IOS features. As an example, ACLs can be used to match packets to implement Quality of Service (QoS) features. By prioritizing some packets we can forward packets according to the priority we want. For example, voice packets need very low latency, so ACLs can match the voice packets and the QoS logic transmits voice packets ahead of data packets.

The arrows in Figure 31-1 indicate locations in the topology where you can filter packets flowing from left to right. For example, suppose you want to allow packets sent by user A to server S1 but block packets sent by user B to server S1. Each arrowed line represents a location and direction in which a router can filter the packets it forwards.

ACL Location and Direction
Cisco routers can apply ACLs to packets at the point where IP packets enter or exit an interface. In other words, an ACL is associated with an interface and a packet flow direction (In or Out). The router checks an ACL applied in the In direction of an interface before making the routing decision, and an ACL applied in the Out direction after the routing decision, and then forwards or discards the packet accordingly.

Figure 31-1 Packet traffic from users A and B to server S1

Basic ACL - Access Control List

Matching Packets
When you think about the location and direction of an ACL, you should already be thinking about which packets you want to allow or block. You must configure the router with an IP ACL that matches those packets. ACL commands are lists that tell the router how to look at each packet, and which packets should be discarded and which should be allowed.

For example, imagine that you allow the traffic from Host A to the S1 server and block the outgoing traffic from the Host B user, as in Figure 31-2. We already know the IP addresses of Host A and Host B and where they want to go; accordingly, we write an ACL on R2. We must apply this ACL in the right direction, In or Out, under the S0/0/1 interface. The correct direction here is the In direction.

ACL Types
✓ Standard numbered ACLs (1–99)
✓ Extended numbered ACLs (100–199)
✓ Additional ACL numbers (1300–1999 standard, 2000–2699 extended)
✓ Named ACLs
✓ Improved editing with sequence numbers

Figure 31-2 ACL Command Logic
Figure 31-3 ACL Types

Basic ACL - Access Control List

Subnet Matching with Wildcard Address
Typically, when you apply an ACL you want to match not a single IP address but a range of IP addresses, or all the IP addresses in a subnet. If you want to check multiple IP addresses in one address range, you can match subnets using wildcard (WC) masks. There is a short way to calculate wildcards: subtract the subnet mask from 255.255.255.255.

Subnet 10.1.1.0, Subnet Mask 255.255.255.0
Subnet 172.16.8.0, Subnet Mask 255.255.252.0

Finding the Wildcard from the Subnet Mask the Easy Way

Let's practice by finding the IP ranges that the access-lists in the list below will check.

access-list 1 permit 172.16.8.0 0.0.3.255

When you type the access-list line as above, the access list allows all IPs in the range from 172.16.8.0 to 172.16.11.255.

  172.16.8.0
+   0.0.3.255
-------------
 172.16.11.255

Figure 31-4 Using Wildcard
Note: When we add the subnet and the wildcard, we find the end of the IP range that the ACL will check, in an easy way.

Basic ACL - Access Control List

Standard Numbered ACL Scripting
Standard ACLs are a type of Cisco IPv4 packet filter that is configured to match only the source IP address of the packet. Standard numbered IP ACLs use the following generic command:

access-list {1-99 | 1300-1999} {permit | deny} matching-parameters

Let's examine the example below; the two lines below match the same single host:

access-list 1 permit 10.1.1.1
access-list 1 permit host 10.1.1.1

Figure 31-5 Example of Standard ACL

Basic ACL - Access Control List

Configuring Standard Numbered ACLs

Lab - 1
1- S1 Server can access the subnet of Host A and B.
2- S1 Server cannot access Host C's subnet.
3- Allow S2 Server to access Host C's subnet.
4- S2 Server cannot access Host A and B's subnet.

Lab - 2
1- Host A can access the S1 server.
2- Subnet 10.1.1.0/24 cannot access the S1 server.
3- All remaining 10.0.0.0/8 subnets can access it.

Figure 31-6 Standard ACL Lab - 1

Lab - 1 configuration on R1:
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# access-list 1 remark Bu ACL S1 Sunucusunun Host A Subnetine Erisimine Izin Verir
R1(config)# access-list 1 permit 10.2.2.1
R1(config)# access-list 2 remark Bu ACL S2 Sunucusunun Host C Subnetine Erisimine Izin Verir
R1(config)# access-list 2 permit 10.2.2.2
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 1 out
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 2 out

Lab - 2 configuration on R2:
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 1 permit 10.1.1.1
R2(config)# access-list 1 deny 10.1.1.0 0.0.0.255
R2(config)# access-list 1 permit 10.0.0.0 0.255.255.255
R2(config)# interface S0/0/1
R2(config-if)# ip access-group 1 in

Extended ACL - Access Control List
Extended Numbered ACLs
Configuring Extended Numbered ACLs
Named ACLs
Editing Named ACLs
Named ACL Configuration

Extended ACL

Extended Numbered ACL - Matching Packets
Extended ACLs are a type of Cisco filter that looks at IPv4 packets and is configured to check the source address, the destination address and the Layer 4 protocol. They use the number ranges 100-199 or 2000-2699.

Like standard numbered ACLs, extended IP ACLs use the access-list global command. The syntax starts the same way, with the permit or deny keyword. After that point the command lists the matching parameters, and these are of course different. Specifically, the extended ACL access-list command requires three matching parameters: IP protocol type, source IP address, and destination IP address.

Figure 32-1 ACL Types
Figure 32-2 IP Header, Focusing on the Fields Required in Extended ACLs
Figure 32-3 Extended ACL Scripting

Extended ACL

Matching by TCP and UDP Port Numbers
Extended ACLs can also inspect the TCP and UDP headers, specifically the source and destination port number fields. Port numbers identify the application sending or receiving the data. In the first example below, packet filtering is done by destination port, and in the second example by source port.

Figure 32-4 TCP Header and Port Number Fields After the IP Header
Figure 32-5 Extended ACL Scripting for TCP and UDP
Figure 32-6 Packet Filtering by Destination Port Number
Figure 32-7 Packet Filtering by Source Port Number

Extended ACL

Popular Port Numbers
Example Extended ACL

Extended ACL

Configuring Extended Numbered ACLs

Lab - 1
1- Larry cannot access the web server on Server1.
2- Bob cannot access FTP services.
3- Do not block the remaining traffic.

Application example on R1:

interface Serial0
 ip address 172.16.12.1 255.255.255.0
 ip access-group 101 in
!
interface Serial1
 ip address 172.16.13.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any

Or, configuring on R2 and R3:

interface Ethernet0
 ip address 172.16.3.1 255.255.255.0
 ip access-group 103 in
!
access-list 103 remark deny Bob to FTP servers in subnet 172.16.1.0/24
access-list 103 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 103 permit ip any any

Figure 32-8 Extended ACL Lab - 1

Extended ACL

Lab - 2
1- Sam cannot access the subnet where Bugs and Daffy are located.
2- Users on the Yosemite subnet cannot access the Seville subnet.
3- Do not block the remaining traffic.

We are making our configuration on the Yosemite router:

interface ethernet 0
 ip access-group 110 in
!
access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 110 permit ip any any

Figure 32-9 Extended ACL Lab - 2

Extended ACL

Named ACL and Editing
We did the filtering with standard and extended ACLs, but since we identified them only by numbers, if you did not write a remark (a reminder note), after a while it may be difficult to remember why we wrote this ACL. With named ACLs you can give the ACL a name that says what it is for, so we remember why we typed it in, and named ACLs are easier to edit later.

Although they do the same things as standard and extended ACLs, named ACLs have some differences:
• Using names instead of numbers to identify the ACL makes it easy to remember what we wrote the ACL for.
• Using ACL subcommands instead of global commands to define the matching parameters.
• Using ACL editing features that allow the CLI user to delete individual lines from the ACL and add new lines.

Named ACL configuration:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface serial1
Router(config-if)# ip access-group barney out

Router# show running-config
ip access-list extended barney
 permit tcp host 10.1.1.2 eq www any
 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
 permit ip any any

Figure 32-10 Numbered and Named ACL Syntax

To delete a line, we enter the ACL and write the edit as follows:

Router(config)# ip access-list extended barney
Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router# show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 permit ip any any

Chapter - 11 Network Security
Security Architecture
Securing Network Devices
Switch Port Security Applications
DHCP Applications
DHCP Snooping and ARP Inspection

Security Architecture
Security Terminology
Security Threats
Types of Attacks
Controlling User Access

Security Architecture

Security Terminology
Assuming that in a perfect world every user has access to everything on the network and every user makes full use of the available resources, you can create a network open to every user in a company. The network shown in Figure 33-1 may represent such a scenario. Even this ideal closed system is not completely secure, as a user may want to annoy a co-worker or view information on a company server that should be restricted or confidential.

Figure 33-1 An Example of a Closed Company Network

Now consider that almost no company uses such a limited and closed environment. Ultimately, the company will want to connect to the Internet and to some of its dealers. They will also want their employees to be mobile, using laptops, tablets, and smartphones inside and outside the organization. The organization may also want guest users to connect to the wireless network. If the business offers a wireless connection to its employees (and guests), these signals can be picked up by unauthorized malicious people. And the list goes on. As the network and its connectivity expand, the business will have more difficulty maintaining the secure, closed boundary around itself, as seen in Figure 33-2.
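The wildcard arithmetic of Figure 31-4, the standard ACL of Lab - 2 (Figure 31-6), the extended ACL 101 of Figure 32-8 and the sequence-number edit of the named ACL barney can all be reproduced by one small evaluator. The Python below is an added example written for this page; it is not Cisco IOS code and not part of the course. It uses only the addresses and ACL lines that appear above plus constructed test packets, and models the IOS behaviour of first match wins with an implicit deny at the end. The sequence numbers (10, 20, ...) and the gap left at 40 after the deletion follow the show access-list output above.

```python
"""Added example (not from the course): wildcard-mask arithmetic plus a
first-match evaluator for Cisco-style standard and extended IPv4 ACLs, with
the sequence numbers IOS shows for named ACLs. Test packets are constructed;
the ACL lines and addresses are the ones used in the labs above."""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}   # keywords accepted after 'eq'


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_from_mask(mask):
    """Shortcut from Figure 31-4: wildcard = 255.255.255.255 - subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - ip_to_int(mask)))


def wildcard_range(subnet, wildcard):
    """First and last address covered by 'subnet wildcard' (subnet + wildcard = last)."""
    lo = ip_to_int(subnet) & (~ip_to_int(wildcard) & 0xFFFFFFFF)
    hi = lo | ip_to_int(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def matches(addr, subnet, wildcard):
    """Wildcard bit 1 = don't care, 0 = must equal the subnet bit."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(subnet) & care)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' (no wildcard = single host)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return t, wc


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


class Acl:
    """Ordered entries numbered 10, 20, ... the way 'show access-list' displays them."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line):
        tokens = line.split()
        e = {"line": line, "action": tokens.pop(0)}
        e["proto"] = tokens.pop(0) if tokens[0] in ("ip", "tcp", "udp") else None
        e["src"] = _parse_addr(tokens)
        e["sport"] = _parse_port(tokens)
        e["dst"] = _parse_addr(tokens) if e["proto"] else None   # standard ACL: source only
        e["dport"] = _parse_port(tokens) if e["proto"] else None
        e["seq"] = self.entries[-1]["seq"] + 10 if self.entries else 10
        self.entries.append(e)

    def remove(self, seq):
        """Like 'no <line>' inside a named ACL: the other entries keep their numbers."""
        self.entries = [e for e in self.entries if e["seq"] != seq]

    def show(self):
        return [f'{e["seq"]} {e["line"]}' for e in self.entries]

    def evaluate(self, pkt):
        """First matching entry decides; no match at all is the implicit deny."""
        for e in self.entries:
            if e["proto"] not in (None, "ip", pkt["proto"]):
                continue
            if not matches(pkt["src"], *e["src"]):
                continue
            if e["dst"] and not matches(pkt["dst"], *e["dst"]):
                continue
            if e["sport"] is not None and pkt.get("sport") != e["sport"]:
                continue
            if e["dport"] is not None and pkt.get("dport") != e["dport"]:
                continue
            return e["action"]
        return "deny"


def lab_results():
    """Lab - 2 standard ACL on R2 (Figure 31-6) and extended ACL 101 on R1 (Figure 32-8)."""
    std = Acl("1")
    for line in ("permit 10.1.1.1", "deny 10.1.1.0 0.0.0.255", "permit 10.0.0.0 0.255.255.255"):
        std.add(line)
    ext = Acl("101")
    for line in ("deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
                 "deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
                 "permit ip any any"):
        ext.add(line)
    # constructed packets: Host A 10.1.1.1, Bob 172.16.3.10, Larry 172.16.2.10, Server1 172.16.1.100
    return {
        "hostA_to_S1": std.evaluate({"proto": "ip", "src": "10.1.1.1", "dst": "10.2.2.1"}),
        "hostA_subnet": std.evaluate({"proto": "ip", "src": "10.1.1.20", "dst": "10.2.2.1"}),
        "other_10_net": std.evaluate({"proto": "ip", "src": "10.5.5.5", "dst": "10.2.2.1"}),
        "implicit_deny": std.evaluate({"proto": "ip", "src": "192.168.1.1", "dst": "10.2.2.1"}),
        "bob_ftp": ext.evaluate({"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.7", "dport": 21}),
        "bob_web": ext.evaluate({"proto": "tcp", "src": "172.16.3.10", "dst": "172.16.1.100", "dport": 80}),
        "larry_web": ext.evaluate({"proto": "tcp", "src": "172.16.2.10", "dst": "172.16.1.100", "dport": 80}),
    }


def barney_after_edit():
    """Named ACL barney (Figure 32-10) after 'no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255'."""
    acl = Acl("barney")
    for line in ("permit tcp host 10.1.1.2 eq www any",
                 "deny udp host 10.1.1.1 10.1.2.0 0.0.0.255",
                 "deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255",
                 "deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255",
                 "permit ip any any"):
        acl.add(line)
    acl.remove(40)
    return acl.show()
```

The implicit deny is the part of the behaviour most often forgotten when writing ACLs: the 192.168.1.1 packet in lab_results matches no line of ACL 1 and is dropped even though no deny mentions it, which is exactly why the labs end with a permit for the remaining traffic when the intent is to block only a few flows.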
Figure 33-2 Example of a Versatile Company Network

Security Architecture

Security Threats
Because modern enterprise networks often consist of many parts working together, securing them can become a very complex task. You can't attempt to secure a network until you identify and assess most of its vulnerabilities and understand where the threats might come from. Appropriate measures and mitigations can be taken after making these determinations.

Attacks That Spoof Addresses
Parameters and services can be relied on when systems operate normally. For example, when a device sends you an IP packet, you expect the destination IP address in that packet to be your IP address. You expect the source MAC address in the Ethernet frame to be the sender's MAC address. Services like DHCP and DNS should also work properly. If a device sends a DHCP or DNS request, it expects the DHCP or DNS response to come from a legitimate and trusted server.

Spoofing attacks focus on this trust. The attack usually works by replacing the expected information with fake information. Address spoofing attacks can be simple and straightforward: one address value is replaced by another. For example, an attacker could send packets from a fake IP address instead of his own IP address, as shown in Figure 4-4. When the target receives the packets, it sends the return traffic to the fake address the packets came from instead of to the attacker's real address. If some device actually has that fake address, that device will receive the packet. If no device has it, the packet is forwarded first and then eventually dropped.

Figure 33-3 Simple Spoofing Attack

An attacker can also send fake MAC addresses to add false information to the MAC tables or ARP tables used by the switch. Fake MAC addresses can also be sent to the DHCP server to fill up the address pool, leaving no free IP addresses for normal use.

Security Architecture

Denial-of-Service (DoS) Attacks
Suppose a malicious user found an abnormal way to connect to the company server. The TCP connection starts with the malicious user sending the SYN flag, but the source IP address is replaced with a fake one. The server adds the TCP connection to its client connections table and responds to the bogus address with a SYN-ACK. Because the spoofed address is not taking part in the TCP connection, no ACK comes back to complete the TCP three-way handshake. The incomplete connection remains in the server's table until it times out and is removed. During this time, the attacker can try to open so many connections that the server's connection table fills up. At this point, the server is no longer able to respond to TCP connections from real users, so the server is effectively out of service. Figure 33-4 illustrates this process.

Figure 33-4 Denial-of-Service (DoS) Attack

Security Architecture

Man-in-the-Middle Attack
The man-in-the-middle attack exploits the ARP table. Normally, if one host needs to send data to another, it looks up the destination host in its ARP table. If it is found in the ARP table, the Ethernet frame can be sent directly to the destination MAC address; if it cannot find it in the ARP table, it issues an ARP request containing the IP address of the target and waits for the target to respond with an ARP reply containing its own MAC address.

Step 1: The client sends an ARP request asking which MAC address 198.51.100.10 is using.
Step 2: The ARP request goes to everyone on the network. The attacker listens to the network and prepares.
Step 3: The attacker replies with his own MAC address.

Now the attacker has come between the server and the client, and the traffic passes through the attacker.

Figure 33-5 A Man-in-the-Middle Attack Begins
Figure 33-6 A Man-in-the-Middle Attack Occurs

Security Architecture

Buffer Overflow Attacks
Operating systems and applications normally read and write data using buffers and volatile memory space. Buffers are also important when one system communicates with another, as IP packets and Ethernet frames come and go. As long as memory space is properly protected and data is placed within the correct buffer limits, everything should work as expected. However, some systems and applications have vulnerabilities that allow buffers to overflow. An attacker can exploit this by sending larger-than-expected data.

Human Vulnerabilities
An attacker can pose as IT staff and attempt to communicate with real end users via phone calls, emails and social media. The end goal may be to persuade users to reveal their credentials, or to set their passwords to a "temporary" value because of some fictitious IT overhaul, allowing the attacker to gain easy access to secure systems. Attackers may also be physically present and spy on users as they enter their credentials.

Password Vulnerabilities
When users access a system, they usually enter a username and password. It can be pretty easy to guess someone's username based on the person's real name. An attacker can also easily gain access to the system if the user's password is set to a default value or to an easy-to-guess word or text string. Think like an attacker for a moment and see if you can make some guesses about the passwords you would try if you wanted to log into a random system. You have probably thought of passwords like password123, 123456, and so on. Maybe you would try the username admin and the password admin.

Malware
Some security threats come in the form of malware, or malicious software. For example, a trojan is malicious software that is hidden and packaged inside other seemingly legitimate software. The trojan software is installed silently when a bona fide user decides to install that software. Later, the malware can carry out its own attacks on the local system or against other systems. Trojan malware can only spread from one computer to another through user interaction, such as opening email attachments, downloading software from the Internet, and plugging a USB drive into a computer.
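The half-open connection table from the DoS description above (Figure 33-4) is easy to model, and doing so shows what a monitor on the server side can actually observe. The Python below is an added example for this page, not course material: it replays a constructed packet trace against a model of the server's connection table and reports how full the table is with handshakes that never completed. The server address, the client addresses and the 30-second timeout are all constructed values.

```python
"""Added example (not from the course): replaying a constructed packet trace
against a model of the server's TCP connection table from Figure 33-4, to show
how spoofed SYNs accumulate as half-open entries and how a monitor can flag it."""

SERVER = ("203.0.113.10", 80)            # constructed server address

# Constructed trace: (time_s, client_ip, client_port, flag seen by the server)
TRACE = [
    (0.0, "198.51.100.5", 40001, "SYN"),   # a real client: SYN ...
    (0.1, "198.51.100.5", 40001, "ACK"),   # ... and the ACK that completes the handshake
    (0.5, "198.51.100.6", 40002, "SYN"),
    (0.6, "198.51.100.6", 40002, "ACK"),
]
# 50 SYNs from spoofed sources within half a second; no ACK ever follows them
TRACE += [(1.0 + i / 100, f"192.0.2.{i}", 30000 + i, "SYN") for i in range(1, 51)]
TRACE += [
    (2.0, "198.51.100.7", 40003, "SYN"),   # a real client arriving during the flood
    (2.1, "198.51.100.7", 40003, "ACK"),
]


def replay(trace, timeout=30.0):
    """Model of the server: SYN -> half-open entry (SYN-ACK sent), ACK -> established.
    Half-open entries older than `timeout` seconds are removed, as the text describes.
    Returns (completed_handshakes, half_open_table)."""
    half_open = {}                         # (ip, port) -> time the SYN arrived
    completed = 0
    for now, ip, port, flag in trace:
        for key in [k for k, t in half_open.items() if now - t >= timeout]:
            del half_open[key]             # the server's own cleanup of stale entries
        key = (ip, port)
        if flag == "SYN":
            half_open[key] = now
        elif flag == "ACK" and key in half_open:
            del half_open[key]             # handshake finished; it leaves the half-open table
            completed += 1
    return completed, half_open


def assess(trace, capacity=64, timeout=30.0, alert_ratio=0.5):
    """Monitor view: how full the table is with unfinished handshakes and how many
    distinct sources left them. A flood shows many sources and no ACKs at all."""
    completed, half_open = replay(trace, timeout)
    ratio = len(half_open) / capacity
    return {
        "completed": completed,
        "half_open": len(half_open),
        "distinct_sources": len({ip for ip, _ in half_open}),
        "fill_ratio": ratio,
        "alert": ratio >= alert_ratio,
    }
```

Two things in the model are worth noticing. Until the timeout expires, every spoofed SYN occupies a slot that a real client cannot use, which is the denial of service; and the trace with the flood still contains three completed handshakes, so a monitor that counts only successful connections sees nothing wrong. The ratio of half-open entries to table capacity, together with the spread of source addresses, is the signal to alert on.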
Security Architecture

Controlling and Monitoring User Access
You can manage user activity to and from systems with Authentication, Authorization, and Accounting (AAA) mechanisms. AAA uses standard methods to check a user's credentials before access is granted or authorized. Accounting protocols can also log user activity on enterprise systems. AAA is widely used to control and monitor access to network devices such as routers, switches, firewalls and so on.

Authentication: Who is the user?
Authorization: What is the user allowed to do?
Accounting: What did the user do?

Figure 33-7 Example AAA

AAA servers typically support the following two protocols to communicate with corporate resources:
TACACS+: A Cisco proprietary protocol that separates each of the AAA functions. Communication is secure and encrypted over TCP port 49.
RADIUS: A standards-based protocol that combines Authentication and Authorization into a single resource. Communication uses UDP ports 1812 and 1813, but is not fully encrypted.

Developing a Security Program to Educate Users
An effective approach a business can take to improve information security is to educate users through a corporate security program. Many users may not have IT knowledge, so they may not recognize vulnerabilities or realize the consequences of their own actions. For example, if a corporate user receives an email message threatening to expose some illegal behavior, they may be tempted to click a link to a malicious site. Such an action could introduce malware or worms to the user's computer that could affect business operations.

Securing Network Devices
Securing IOS Passwords
Firewall
IPS (Intrusion Prevention Systems)
Next Generation Firewalls

Securing Network Devices

Securing IOS Passwords
The best way to protect passwords on Cisco IOS devices is to not store passwords on the IOS devices at all, so use an AAA server. However, it is common for some passwords to be stored in a router or switch configuration, and here I will describe some ways to protect these passwords.

Hiding IOS Passwords
When we look at the passwords on Cisco IOS devices with show running-config, you will see that these passwords are not hidden; we can protect these passwords with the service password-encryption command. We can tell that the service password-encryption command is in use from the "7" that is automatically added after the password keyword.

Switch3# show running-config | section line con 0
line con 0
 password cisco
 login
Switch3(config)# service password-encryption
Switch3(config)# ^Z
Switch3# show running-config | section line con 0
line con 0
 password 7 070C285F4D06
 login

Figure 34-1 Example Login Security Configuration

Securing Network Devices

Enable Password Protection / Local Username and Password Protection
Switch3(config)# enable secret fred
Switch3# show running-config | include enable secret
enable secret 5 $1$ZGMA$e8cmvkz4UjiJhVp7.maLE1

R1(config)# enable algorithm-type scrypt secret mypass1
R1# show running-config | include enable
enable secret 9 $9$II/EeKiRW91uxE$fwYuOE5EHoii16AWv2wSywkLJ/KNeGj8uK/24B0TVU6

Telnet-SSH Protection - ACL
We must protect the routers or switches with an ACL; we can restrict access to the hosts we want, or to a particular subnet.

line vty 0 4
 login local
 access-class 3 in
!
! Next command is a global command that matches IPv4 packets with
! a source address that begins with 10.1.1.
access-list 3 permit 10.1.1.0 0.0.0.255

Securing Network Devices

Firewall
A firewall examines all packets so that it can choose which packets to discard and which to allow. A firewall protects the network from problems by allowing only permitted types of traffic to flow in and out of the network. In its most basic form, a firewall actually does the same job as routers do with ACLs, but the firewall can perform this packet filtering function with more options and perform other security tasks.

Cisco Adaptive Security Appliance (ASA) Firewall
The figure shows a firewall connected to the Internet and to a Cisco router. All corporate traffic to and from the Internet is sent through the firewall. The firewall considers its own rules and decides whether to allow each packet.

Figure 34-2 Traditional Firewall Usage

Security Zones
Most companies have an inside zone and an outside zone and a special zone called the Demilitarized Zone (DMZ). While the name DMZ comes from the real world, it has been used in IT for decades to refer to a firewall security zone used to place servers that should be available to users on the public Internet. For example, Figure 5-8 shows a typical Internet design with several web servers connected to the DMZ through the firewall.

Figure 34-3 Firewall Zone Usage Example

Securing Network Devices

IPS (Intrusion Prevention Systems)
A traditional intrusion prevention system (IPS) may sit in the path that packets travel through the network and filter packets, but it makes its decisions with different logic. The IPS first downloads a database of exploit signatures. Each signature identifies different header field values found in the packet sequences used by different exploits. The IPS can then examine packets, compare them with the known exploit signatures, and recognize when packets might be malicious. Once identified, the IPS can log the event, discard the packets, and even forward the packets to another security application for further inspection. A traditional IPS differs from a firewall in that we create the rules on the firewall, based on the port numbers of the applications, whereas the IPS implements logic based on signatures provided by the manufacturer.
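The password and vty protections described above (service password-encryption, enable secret with algorithm-type scrypt, login local, access-class on the vty lines) are simple to check for after the fact by reading the running configuration. The Python below is an added example written for this page, not Cisco code and not part of the course: it audits a saved running-config offline for the weaknesses the text warns about. Both configurations are constructed; the password 7 string and the type 9 enable secret are the ones shown above, and the username secret is an obvious placeholder. The finding that a type 7 string is reversible is a generally known property of that encoding and is stated here as a fact, not something the page says.

```python
"""Added example (not from the course): an offline audit of a Cisco IOS
running-config for the password and vty weaknesses discussed above. Both
configurations are constructed; the hashes are the ones shown on the page
except the username secret, which is a placeholder."""
import re

# Constructed: a configuration that still has every weakness the text warns about
WEAK_CONFIG = """\
hostname Switch3
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password 7 070C285F4D06
 login
 transport input telnet
"""

# Constructed: the same device after applying the protections from the text
HARDENED_CONFIG = """\
hostname Switch3
service password-encryption
enable secret 9 $9$II/EeKiRW91uxE$fwYuOE5EHoii16AWv2wSywkLJ/KNeGj8uK/24B0TVU6
username admin secret 9 $9$PLACEHOLDER_HASH
access-list 3 permit 10.1.1.0 0.0.0.255
!
line con 0
 login local
line vty 0 4
 login local
 access-class 3 in
 transport input ssh
"""


def parse_sections(config):
    """Split a config into global lines and 'line ...' sections (name -> sub-commands)."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            if raw and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, sections


def audit(config):
    """Return (finding, location) tuples; an empty list means nothing was flagged."""
    global_lines, sections = parse_sections(config)
    findings = []
    if any(l.startswith("enable password ") for l in global_lines):
        findings.append(("enable password is recoverable; use enable secret", "global"))
    for l in global_lines:
        m = re.match(r"enable secret (\d) ", l)
        if m and m.group(1) != "9":
            findings.append((f"enable secret type {m.group(1)}; prefer type 9 (algorithm-type scrypt)", "global"))
    has_spe = "service password-encryption" in global_lines
    for name, sub in sections.items():
        for l in sub:
            if l.startswith("password 7 "):
                findings.append(("type 7 password is reversible; prefer login local with secrets", name))
            elif l.startswith("password ") and not has_spe:
                findings.append(("cleartext line password; enable service password-encryption", name))
        if name.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in sub):
                findings.append(("vty has no access-class; restrict management sources", name))
            if any(l.startswith("transport input") and ("telnet" in l or l.endswith(" all")) for l in sub):
                findings.append(("vty accepts Telnet; allow only transport input ssh", name))
    return findings
```

Running audit over a fleet's saved configurations turns the advice on this page into a repeatable check; the hardened configuration returns no findings, the weak one returns five.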
These signatures look for attacks such as:
• DoS
• DDoS
• Worms
• Viruses

Figure 34-4 IPS and Signature Database

Securing Network Devices

Next Generation Firewalls
In the mid-2010s, Cisco and some of its competitors began using the term Next Generation to highlight new security products. In short, Next Generation Firewalls (NGFW) and Next Generation IPS (NGIPS) are Cisco's current firewall and IPS products. Next Generation products have useful features not found in previous products.

As for Cisco products, Cisco for many years called its firewalls the Cisco Adaptive Security Appliance (ASA). Cisco acquired Sourcefire, a security product company, around 2013. Most of the next-generation firewall (and IPS) features come from software obtained through this purchase. As of 2019, all Cisco firewalls currently sold are referred to as Cisco Firepower firewalls.

Some features of an NGFW:
Traditional Firewall: Performs traditional firewall features such as packet filtering, NAT/PAT and VPN termination.
Application Visibility and Control (AVC): This feature looks deep into application layer data to identify the application. For example, it can identify the application by its data rather than by port number, to defend against attacks that use arbitrary port numbers.
Advanced Malware Protection (AMP): A network-based anti-malware function that can run on the firewall, block file transfers that would install malware, and save copies of files for later analysis.
URL Filtering: This feature inspects the URLs in each web request, categorizes the URLs and filters traffic according to rules or rate limits. The Cisco Talos security group monitors and generates trust scores for every known domain on the Internet; URL filtering can use these scores to decide on categorization, filtering, or rate limiting.
NGIPS: Cisco NGFW products can run NGIPS features along with the firewall.

Figure 34-5 NGIPS and NGFW

Switch Port Security
Switch Port Security Concepts
Configuring Switch Port Security
Switch Port Security Violation Modes

Switch Port Security

Switch Port Security Concepts
If the network engineer knows which devices should be connected to which ports on the switch, the engineer can use switch port security so that only those devices can use those ports. In the figure below, when PC1 is connected to port F0/1 on SW1, if switch port security is enabled on that port, the MAC address of the connected device will be checked.

Figure 35-1 Switch Port Security Concepts

Configuring Switch Port Security
There are four different methods of implementing switch port security, shown in the figure below.

Figure 35-2 Switch Port Security Methods

Switch Port Security

Switch Port Security Violation Modes
We saw the switch port security configuration in the previous topic, but if there is a security violation, what will the port do and what precautions will it take? In this section we will see the commands we need to configure so that the switch decides what to do in case of a violation. The port has three violation modes to apply.

Shutdown Mode
The default violation mode is shutdown: the port goes into the errdisable state in case of a violation, and we can see the status with the show interfaces Fa0/13 status command. We then have to go to the port and bring it up manually, but we can also do this automatically by entering the following commands:

errdisable recovery cause psecure-violation
errdisable recovery interval seconds

Protect and Restrict Modes
These modes block traffic from unknown MAC addresses, but the port is not shut down. As a result, the port continues to forward the secure traffic but blocks the insecure traffic. Restrict mode additionally sends an SNMP message.

switchport port-security violation protect
switchport port-security violation restrict

Dynamic Host Configuration Protocol - DHCP
DHCP Concepts
DHCP Relay
DHCP Configuration

DHCP

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) provides one of the most commonly used services in a TCP/IP network. The majority of hosts in a TCP/IP network are user devices, and the majority of user devices learn their IPv4 settings using DHCP. It has many advantages over manually configuring IP settings. Hosts make requests to the DHCP server using DHCP messages to configure their IP settings. As a result, the host IP configuration is controlled by IT personnel, resulting in fewer user errors. DHCP allows hosts to be assigned permanent IP addresses, but more commonly DHCP assigns a host a temporary IP address to use for a specified period of time.

DHCP uses the following four messages between client and server:
Discover: The host sends a discover message to find a DHCP server.
Offer: The DHCP server sends an offer to that client, proposing a specific IP address.
Request: The host asks to accept the offer of this DHCP server.
Acknowledgment: The DHCP server sends the settings to the client with an acknowledgment message.

DHCP Concepts
The host acts as a DHCP client. As a DHCP client, the host starts without IP settings: no IPv4 address, no subnet mask, no default gateway and no DNS server IP address. However, a DHCP client knows the DHCP protocol, so the client can use this protocol to find a DHCP server and request the lease of an IPv4 address.

Figure 36-1 DHCP Discover and Offer

DHCP

DHCP Relay
DHCP packets are sent within the same subnet and VLAN. Setting up a DHCP server in every VLAN and subnet would not be very practical.
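The three violation modes and the errdisable recovery timer from the port security section above behave differently enough that it helps to see them side by side. The Python below is an added example for this page (a model, not switch code and not part of the course): a port learns up to a maximum number of MAC addresses, and a frame from any further address is handled according to the configured mode, with shutdown mode putting the port into err-disabled until the recovery interval passes or the port is brought up manually. Port names, MAC addresses and the 30-second interval are constructed.

```python
"""Added example (not from the course): a model of switch port security with the
three violation modes described above (protect, restrict, shutdown) and the
errdisable recovery timer. Port names and MAC addresses are constructed."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", recovery_interval=None):
        self.name, self.maximum, self.violation = name, maximum, violation
        self.recovery_interval = recovery_interval   # seconds, or None for manual recovery only
        self.secure_macs = []                        # MACs learned on the port, up to `maximum`
        self.violations = 0                          # counted in restrict and shutdown modes
        self.snmp_traps = []                         # restrict mode also sends an SNMP trap
        self.errdisabled_since = None

    def status(self, now=0.0):
        """'connected' or 'err-disabled', applying errdisable recovery once the interval has passed."""
        if self.errdisabled_since is None:
            return "connected"
        if self.recovery_interval is not None and now - self.errdisabled_since >= self.recovery_interval:
            self.errdisabled_since = None            # what 'errdisable recovery cause psecure-violation' does
            return "connected"
        return "err-disabled"

    def no_shutdown(self):
        """Manual recovery: 'shutdown' followed by 'no shutdown' on the interface."""
        self.errdisabled_since = None

    def receive(self, src_mac, now=0.0):
        """Decide what happens to one frame arriving with the given source MAC."""
        if self.status(now) == "err-disabled":
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)         # first `maximum` addresses become secure MACs
            return "forwarded (learned)"
        if self.violation == "protect":              # silent drop: no counter, no log
            return "dropped"
        self.violations += 1
        if self.violation == "restrict":
            self.snmp_traps.append(f"{self.name}: violation by {src_mac}")
            return "dropped (logged)"
        self.errdisabled_since = now                 # shutdown mode: the whole port goes err-disabled
        return "dropped (port err-disabled)"


def demo():
    """One port per mode, each with maximum 1; returns what each frame did."""
    pc1, other = "0200.1111.1111", "0200.2222.2222"   # constructed MACs
    out = {}
    p = SecurePort("Fa0/1", maximum=1, violation="protect")
    out["protect"] = [p.receive(pc1), p.receive(other), p.receive(pc1), p.violations]
    r = SecurePort("Fa0/2", maximum=1, violation="restrict")
    out["restrict"] = [r.receive(pc1), r.receive(other), r.receive(pc1), r.violations, len(r.snmp_traps)]
    s = SecurePort("Fa0/13", maximum=1, violation="shutdown", recovery_interval=30)
    out["shutdown"] = [s.receive(pc1, now=0), s.receive(other, now=10), s.status(now=20),
                       s.receive(pc1, now=20), s.receive(pc1, now=41)]
    return out
```

The practical difference shows in the shutdown row: after the violation at second 10 even PC1's own frames are dropped until the recovery interval expires at second 40, which is why the text recommends configuring errdisable recovery rather than relying on someone noticing the err-disabled port.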
For this, you need to forward your requests from the subnet you are on to the subnet where DHCP is located, for this we use a DHCP relay IP helper address, as in the example below. Figure 36-2 IP Helper Address Effect I DHCP Snooping DHCP Snooping Arp Inspection I DHCP Snooping Logic I Configuring DHCP Snooping I DAI - Dynamic ARP Inspection I DAI - Dynamic ARP Logic I DAI Configuration I DHCP Snooping ve Arp Inspection DHCP Snooping DHCP Snooping is to observe and block unwanted DHCP packets on our network. For example, a malicious user connected to the switch can install a DHCP server program on his computer and try to distribute IP by responding to DHCP requests from the network, we can use DHCP snooping to prevent this. Figure 37-2 DHCP Attack Distributes correct IP but shows itself as GW. Figure 37-1 Secure and insecure ports. As in Figure 37-2, the attacker listens to DHCP requests coming from the network with the DHCP server software she installed on her own computer and tries to attack by giving false information. Figure 37-3 DHCP Attack Man in the Middle I DHCP Snooping ve Arp Inspection DHCP Snooping Logic DHCP Snooping Configuration DHCP Snooping prevents such attacks by making our desired ports untrusted. Figure 37-5 Example of DHCP Snooping Configuration ip dhcp snooping ip dhcp snooping vlan 10,20,30 no ip dhcp snooping information option ip dhcp snopping database flash:/snoopy.db ! interface GigabitEthernet1/0/2 ip dhcp snooping trust Figure 37-4 DHCP Snooping Operating Rules Step 1: Examines all incoming DHCP messages. Step 2: Blocks DHCP server messages. Step 3: Filters if user requests. For DISCOVER and REQUEST messages, it checks for MAC address consistency between Ethernet frames and DHCP message. Checks the IP address in the DHCP Snooping binding table for RELEASE or DECLINE messages from the port. Step 4: Create a new entry in the DHCP Snooping binding table for unfiltered messages whose DHCP process is successful. 
Limiting DHCP Messages
We can limit the number of DHCP messages that users can send on a port.
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery interval 30
    !
    interface GigabitEthernet1/0/2
     ip dhcp snooping limit rate 10
    !
    interface GigabitEthernet1/0/3
     ip dhcp snooping limit rate 2

DAI - Dynamic ARP Inspection
The Dynamic ARP Inspection (DAI) feature on a switch examines ARP messages from untrusted ports to filter out those it believes to be part of an attack. The key feature of DAI compares incoming ARP messages with two data sources: the DHCP Snooping binding table and any configured ARP ACLs. If the incoming ARP message does not match the tables in the switch, the switch discards the ARP message.

Normally, a host uses ARP when it knows the IP address of another host and wants to know the MAC address of that host. However, for certain reasons, a host may want to inform all hosts in the subnet about its MAC address. This can be useful, for example, when a host changes its MAC address.

For example, PC A sends an ARP Reply in place of PC1, claiming that "my MAC address has changed", and R2 updates its ARP table accordingly. From this point on, when R2 forwards IP packets to the IP address of PC1 (172.16.2.101), it places PC A's MAC address in the Ethernet frame instead of PC1's MAC address. Let's take a look at what's going on in Figure 37-8.
Figure 37-6 Normal ARP Request
Figure 37-7 Incorrect Use of an ARP Reply Causes Incorrect ARP Data on R2

1- PC1 sends a message to some server on the left side of R2.
2- The server replies to PC1's IP address, but R2 sends PC1's packet to PC A's MAC address.
3- PC A copies the packet for later viewing.
4- PC A forwards the packet in a new frame to PC1, so PC1 continues to work.
Figure 37-8 Man-in-the-Middle Attack Result

Dynamic ARP Inspection Logic
If a host does not yet have an IP address, that is, the DHCP process has not been completed, it does not need to use ARP. After the host learns an IP address and subnet mask, it needs ARP to learn the MAC addresses of other hosts or of the default router in the subnet, so it sends some ARP messages. In short, DHCP comes first, then ARP. DAI compares the sender IP and sender MAC address fields of the ARP message with the DHCP Snooping binding table for all untrusted ports. DAI allows the ARP message if the pair is found in the table, but discards it if not.
Figure 37-9 DAI Filtering ARP Based on the DHCP Snooping Binding Table

Note that although DAI can use DHCP Snooping binding data as shown here, it can also use similar statically configured data that lists the correct IP and MAC address pairs through a tool called an ARP ACL. Using ARP ACLs with DAI is useful for ports connected to devices using static IP addresses rather than DHCP. Note that DAI looks at both the DHCP Snooping binding data and the ARP ACLs.

Figure 37-10 DAI Configuration
DAI - Dynamic ARP Inspection Configuration
    ip arp inspection vlan 11
    ip dhcp snooping
    ip dhcp snooping vlan 11
    no ip dhcp snooping information option
    !
    interface GigabitEthernet1/0/2
     ip dhcp snooping trust
     ip arp inspection trust

Limiting DAI Messages
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause arp-inspection
    errdisable recovery interval 30
    !
    interface GigabitEthernet1/0/2
     ip dhcp snooping limit rate 10
     ip arp inspection limit rate 8

    SW2# show ip arp inspection
    SW2# show ip arp inspection interfaces
    SW2# show ip arp inspection statistics

Chapter 12 - IP Services
• Device Management Protocols
• Network Address Translation (NAT)
• Quality of Service (QoS)
• Various IP Services

Device Management Protocols
• System Message Logging (Syslog)
• Network Time Protocol (NTP)
• Cisco Discovery Protocol (CDP)
• Link Layer Discovery Protocol (LLDP)

System Message Logging (Syslog)
Cisco devices can send detailed system messages or notification messages. It is important to record these messages, both to keep them and to be warned in advance of problems that may occur on the network; there are several ways to do this. When you log on to a Cisco IOS device, you can look at the messages instantly as real-time status information, or they can be saved for future viewing.

Real-Time Messages to Current Users
By default IOS shows log messages to all users. In fact, if you're using a console port, you've probably noticed a lot of syslog messages like interfaces going up or down.

Saving Log Messages for Later Review
When the device is logged on to via the console, Telnet or SSH, IOS sends messages to the console and terminal sessions, and then IOS discards the message. It's helpful to keep a copy of the log messages for later review, so IOS provides two basic ways to keep a copy. If we enter the logging buffered command in global configuration mode, IOS will store these messages in RAM; we can see them later with the show logging command. Our other option is to send messages to a syslog server and store them there. We can send them to the server by entering the logging host {address | hostname} command.
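The check from the Dynamic ARP Inspection section above (sender IP/MAC compared against the DHCP Snooping binding table and the ARP ACL on untrusted ports), as an added example; it is not the instructor's code or IOS internals, 172.16.2.101 is PC1's address from Figure 37-7 and every other value is constructed:

```python
"""Dynamic ARP Inspection check, written as an added example of the DAI logic
in the section above (not the instructor's code or IOS internals).

The binding table stands in for what DHCP snooping learned; the ARP ACL holds
the static IP/MAC pairs the text mentions for hosts that do not use DHCP.
PC1's address 172.16.2.101 comes from Figure 37-7; all other values are
constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpMsg:
    port: str
    vlan: int
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    opcode: str       # "request" or "reply" (both are inspected the same way)


class ArpInspector:
    def __init__(self, trusted, bindings, arp_acl=None):
        self.trusted = set(trusted)                                        # "ip arp inspection trust" ports
        self.bindings = {k: v.lower() for k, v in bindings.items()}        # (vlan, ip) -> mac
        self.arp_acl = {k: v.lower() for k, v in (arp_acl or {}).items()}  # ip -> mac (static hosts)
        self.stats = {"forwarded": 0, "dropped": 0}

    def inspect(self, m: ArpMsg) -> str:
        if m.port in self.trusted:
            verdict = "forward"  # trusted (uplink) ports are not inspected
        else:
            # The static ARP ACL is consulted first, then the snooping binding
            # table (assumed order); the sender IP/MAC pair must match one of them.
            expected = self.arp_acl.get(m.sender_ip) or self.bindings.get((m.vlan, m.sender_ip))
            if expected is None:
                verdict = "drop: sender IP has no binding or ARP ACL entry"
            elif expected != m.sender_mac.lower():
                verdict = "drop: sender MAC does not match the binding for the sender IP"
            else:
                verdict = "forward"
        self.stats["forwarded" if verdict == "forward" else "dropped"] += 1
        return verdict


def demo():
    """Replay the Figure 37-7 scenario: PC A answers ARP on behalf of PC1."""
    pc1_mac, pca_mac, printer_mac = "0200.1111.1111", "0200.aaaa.aaaa", "0200.9999.9999"
    dai = ArpInspector(
        trusted={"Gi1/0/2"},  # uplink towards R2
        bindings={(11, "172.16.2.101"): pc1_mac, (11, "172.16.2.102"): pca_mac},
        arp_acl={"172.16.2.250": printer_mac},  # static-IP printer, no DHCP lease
    )
    r = []
    r.append(dai.inspect(ArpMsg("Gi1/0/5", 11, pc1_mac, "172.16.2.101", "reply")))     # PC1, genuine
    r.append(dai.inspect(ArpMsg("Gi1/0/7", 11, pca_mac, "172.16.2.101", "reply")))     # PC A claiming PC1's IP
    r.append(dai.inspect(ArpMsg("Gi1/0/7", 11, pca_mac, "172.16.2.102", "request")))   # PC A, its own address
    r.append(dai.inspect(ArpMsg("Gi1/0/8", 11, "0200.5555.5555", "172.16.2.200", "request")))  # unknown host
    r.append(dai.inspect(ArpMsg("Gi1/0/9", 11, printer_mac, "172.16.2.250", "reply")))  # matches the ARP ACL
    r.append(dai.inspect(ArpMsg("Gi1/0/2", 11, "0200.7777.7777", "172.16.2.1", "reply")))  # router, trusted port
    return r, dai.stats


if __name__ == "__main__":
    verdicts, stats = demo()
    for v in verdicts:
        print(v)
    print(stats)  # the counters "show ip arp inspection statistics" would report
```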
The logging monitor command must be active in global configuration mode in order for users connecting via Telnet and SSH to see these messages instantly, and if the user wants to see these messages when connected, he or she must also use the terminal monitor command in EXEC (enable) mode.
Figure 38-1 IOS Actions for Log Messages to Current Users
Figure 38-2 Storing Logs in RAM and on a Server

Log Message Severity Level
We can ensure that the log messages are transmitted and stored at the level we choose, between 0 and 7.
Figure 38-3 Log Message Levels
Figure 38-4 Logging command options

Syslog Configuration
In the example below, we see the four logging destinations configured on a device, sending logs to the syslog server and storing them in RAM.
Figure 38-5 Simple syslog example
    logging console 7
    logging monitor debug
    logging buffered 4
    logging host 172.16.3.9
    logging trap warning
    show logging

Network Time Protocol (NTP)
Setting the Clock and Time Zone
It is very important that the time information is correct when recording system log messages. Let's take another example: there are problems on the serial connection between R1 and R2, the OSPF neighbor relationships are constantly having problems, and you look at the system messages and see the results below. Since the time information of the two routers is not correct, it will be very difficult to solve the problem by looking at the logs, so time information is very important in systems. We use NTP so that the clocks on the devices are synchronized and show the correct time.
    R1# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# clock timezone UTC 3 0
    R1(config)# clock summer-time utc recurring last Sun Mar 1:00 last Sun Oct 1:00
    R1(config)# ^Z
    R1#
    R1# clock set 20:52:49 21 October 2015
    R1# show clock
    20:52:55.051 EDT Wed Oct 21 2015
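The severity filtering of the syslog section above, with the four destination levels of Figure 38-5, as an added Python model (not the instructor's code or IOS internals; the log lines are constructed but follow the usual %FACILITY-SEVERITY-MNEMONIC format):

```python
"""Syslog severity routing, added as an example of the logging levels above.

Not the instructor's code or IOS internals: a Python model of how the four
logging destinations in Figure 38-5 filter messages by severity. The sample
log lines are constructed; their format follows the usual IOS
%FACILITY-SEVERITY-MNEMONIC pattern.
"""
import re

# IOS severity keywords, 0 (most severe) to 7 (least severe)
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def level_number(value: str) -> int:
    """Accept a digit or any unambiguous prefix of a keyword (e.g. 'debug', 'warning')."""
    if value.isdigit():
        return int(value)
    matches = [n for name, n in LEVELS.items() if name.startswith(value.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown logging level {value!r}")
    return matches[0]


def parse_logging_config(lines):
    """Turn 'logging <destination> <level>' lines into a destination -> level map."""
    config = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "logging" and parts[1] in ("console", "monitor", "buffered", "trap"):
            config[parts[1]] = level_number(parts[2])
    return config


def parse_message(line: str):
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "text": m["text"]}


def route(line: str, config) -> list:
    """Destinations that receive the message: those whose level is >= the message severity."""
    msg = parse_message(line)
    if msg is None:
        return []
    return [dest for dest, level in config.items() if msg["severity"] <= level]


# Constructed configuration (the page's Figure 38-5 values) and sample messages
CONFIG = parse_logging_config([
    "logging console 7", "logging monitor debug", "logging buffered 4",
    "logging host 172.16.3.9", "logging trap warning",
])
SAMPLE_LOG = [
    "*Oct 21 20:52:58.101: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "*Oct 21 20:52:59.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down",
    "*Oct 21 20:53:01.123: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "*Oct 21 20:53:02.500: %SYS-7-USERLOG_DEBUG: constructed debug-level line",
]


def routing_table(lines=SAMPLE_LOG, config=CONFIG):
    """Map each message (facility-mnemonic) to the destinations that would keep it."""
    table = {}
    for line in lines:
        msg = parse_message(line)
        table[f"{msg['facility']}-{msg['mnemonic']}"] = route(line, config)
    return table


if __name__ == "__main__":
    for key, dests in routing_table().items():
        print(f"{key:<20} -> {', '.join(dests) or '(nowhere)'}")
```

With these levels, the level-3 LINK message reaches the buffer and the syslog server (and so survives for later review), while the level-5 OSPF adjacency change is only shown to connected users.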
Simple NTP Configuration
Cisco provides two NTP configuration commands that determine how NTP works in a router or switch:
ntp master {stratum-level}: NTP server mode. The device acts only as an NTP server, not as an NTP client. The device gets the time information from its internal clock.
ntp server {address | hostname}: NTP client/server mode. The device acts as both client and server. First, it acts as an NTP client to synchronize its time with a server. Once synchronized, the device can act as an NTP server to provide time to other NTP clients.

    ! Configuration on R1:
    ntp server 172.16.2.2
    ! Configuration on R2:
    ntp server 172.16.3.3
    ! Configuration on R3:
    ntp master 2

    R1# show ntp status
    Clock is synchronized, stratum 4, reference is 172.16.2.2
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
    ntp uptime is 1553800 (1/100 of seconds), resolution is 4000
    reference time is DA5E7147.56CADEA7 (19:54:31.339 EST Thu Feb 4 2016)
Figure 38-6 Simple NTP Configuration

Redundant NTP Configuration
To set our clock, we can refer to better sources on the Internet or purchase a purpose-built NTP server with better clock hardware. For example, we can enter ntp.ulakbim.gov.tr, tr.pool.ntp.org, or the NTP server IP addresses directly. On the other routers, we enter the IP addresses of R1 and R2 as the NTP servers. R1 and R2 cannot reach the Internet NTP servers when the Internet connection is gone, so we use the ntp master command so that they continue the NTP server role for the other devices. By setting stratum 7 for R1 and R2, we place them at a worse level than the NTP servers on the Internet.
    ! Configuration on R1 and R2:
    ntp server 193.140.100.40
    ntp server 178.79.155.116
    ntp master 7
Figure 38-7 Configuring Redundant NTP

CDP and LLDP
Examining Information Learned by CDP
CDP discovers basic information about neighboring routers and switches without having to know the passwords of the neighboring devices. Devices send CDP messages out each of their interfaces so that neighbors can discover information. The messages essentially provide information about the device that sent the CDP message. Devices that support CDP learn about other devices by listening to the messages sent by those devices. CDP discovers some useful details from neighboring Cisco devices:
• Device identifier: host name
• Address list: IP addresses
• Port identifier: port and interface information
• Capabilities list: information about the type of device (router, switch, IP phone)
• Platform: model and software version of the device
Figure 38-8 Using CDP

Examining Information Learned by LLDP
Link Layer Discovery Protocol (LLDP), defined in IEEE standard 802.1AB, is a standardized protocol that provides the same general features as CDP. LLDP has a similar configuration and practically the same show commands as CDP.

LLDP Configuration
    lldp run
    !
    interface gigabitEthernet1/0/17
     no lldp transmit
     no lldp receive
    !
    interface gigabitEthernet1/0/18
     no lldp receive
    !
    interface gigabitEthernet1/0/19
     lldp transmit
     lldp receive
    !
    interface gigabitEthernet1/0/20
     lldp receive

    show lldp
    show lldp interface g1/0/2
    show lldp traffic
    SW2# show lldp entry R1

Network Address Translation (NAT)
• NAT Concepts
• Static NAT
• Dynamic NAT
• Overload NAT (PAT)
• NAT Configuration

Availability of IPv4 Addresses
Initially, IPv4 addresses were given out to each company and companies were provided with access to the Internet, but in the 1990s, with the spread of the Internet, it was understood that IPv4 addresses would not be enough and it could not continue like this.
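The LLDP (IEEE 802.1AB) advertisement discussed in the CDP/LLDP section above, decoded TLV by TLV, as an added example of exactly which of the listed details (identifier, port, capabilities, hold time) a neighbor learns from a device that has lldp transmit enabled; this is not the instructor's code or an IOS feature, and the LLDPDU bytes are constructed here:

```python
"""LLDP TLV decoder, added as an example of what a neighbor learns from the
LLDP (IEEE 802.1AB) advertisements discussed above. This is not the
instructor's code or an IOS feature; the sample LLDPDU is constructed here.

Each TLV has a 16-bit header: 7-bit type, 9-bit length. Chassis ID, Port ID,
TTL, System Name and System Capabilities are the fields that map onto the
CDP details listed in the text.
"""
import struct

TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_CAPS = range(8)
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5

# System capability bits from 802.1AB
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
                   0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def tlv(tlv_type: int, payload: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_sample_lldpdu() -> bytes:
    """A constructed advertisement like one SW2 might send out Gi1/0/19."""
    return b"".join([
        tlv(TLV_CHASSIS, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("0200aabbcc01")),
        tlv(TLV_PORT, bytes([PORT_SUBTYPE_IFNAME]) + b"Gi1/0/19"),
        tlv(TLV_TTL, struct.pack("!H", 120)),                     # hold time in seconds
        tlv(TLV_SYS_NAME, b"SW2"),
        tlv(TLV_SYS_DESC, b"constructed IOS system description"),
        tlv(TLV_CAPS, struct.pack("!HH", 0x0014, 0x0004)),        # bridge+router supported, bridge enabled
        tlv(TLV_END, b""),
    ])


def _caps(mask: int):
    return [name for bit, name in CAPABILITY_BITS.items() if mask & bit]


def decode_id(payload: bytes, mac_subtype: int) -> str:
    """Chassis/Port ID: first byte is the subtype; the MAC subtype is rendered as hex."""
    subtype, value = payload[0], payload[1:]
    if subtype == mac_subtype and len(value) == 6:
        return ":".join(f"{b:02x}" for b in value)
    return value.decode("ascii", errors="replace")


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV list until the End TLV; raise on a truncated frame."""
    info, offset = {}, 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("truncated LLDPDU: no End TLV")
        header = struct.unpack_from("!H", data, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        payload = data[offset + 2: offset + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated LLDPDU: TLV length exceeds frame")
        offset += 2 + length
        if tlv_type == TLV_END:
            return info
        if tlv_type == TLV_CHASSIS:
            info["chassis_id"] = decode_id(payload, CHASSIS_SUBTYPE_MAC)
        elif tlv_type == TLV_PORT:
            info["port_id"] = decode_id(payload, PORT_SUBTYPE_MAC)
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", payload)[0]
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = payload.decode("ascii", errors="replace")
        elif tlv_type == TLV_SYS_DESC:
            info["system_description"] = payload.decode("ascii", errors="replace")
        elif tlv_type == TLV_CAPS:
            supported, enabled = struct.unpack("!HH", payload)
            info["capabilities"] = _caps(supported)
            info["enabled_capabilities"] = _caps(enabled)
        # other TLV types (management address, organisation-specific) are skipped


if __name__ == "__main__":
    for k, v in parse_lldpdu(build_sample_lldpdu()).items():
        print(f"{k:<22} {v}")
```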
Many short-term solutions to the addressing problem were proposed, but three standards were focused on to solve the problem. Two of the standards work together: Network Address Translation (NAT) and private addresses. Together, these features allow many organizations to use the same IPv4 network numbers internally and still communicate well with the Internet. The third standard, Classless Inter-Domain Routing (CIDR), allows a company to reduce the waste of IPv4 addresses by being assigned a subnet of a network address instead of the entire network.
Figure 39-1 Example of CIDR Usage

Private Addressing
All IP addresses must be unique in the Internet environment, and since the IPv4 addresses will run out one day, some IP ranges have been reserved for use in the corporate environment. Every company can use these addresses within the company without the approval of any institution, but they cannot use them on the Internet. We call these addresses private IPs.

CIDR
A rule that defines how ISPs should assign globally unique IPv4 addresses to each organization. The Internet Assigned Numbers Authority (IANA) does this IP allocation.
Figure 39-2 Private IP Ranges

Network Address Translation Concepts
NAT, defined in RFC 3022, allows a host without a globally unique IP address to communicate with another host on the Internet. Hosts may be using the same private IP addresses used by other companies. In both cases, NAT allows these addresses, which cannot be used on the Internet, to continue to be used.
Figure 39-3 NAT: Exchange of a Private IP address for a Public IP

Static NAT
Static NAT works like the example shown in Figure 39-4, but the IP addresses are statically mapped to each other.
Figure 39-4 Static NAT Example

Dynamic NAT
In Dynamic NAT, imagine we have five public IPs available as in the example, and we have five users on the inside.
We create a pool for these five public IPs, and when an inside user accesses the Internet, we dynamically give that user one of the IPs in this pool.
Figure 39-5 Example of Dynamic NAT

Overloading NAT with Port Address Translation (PAT)
We use NAT Overload, or Port Address Translation (PAT), when we have only one public IP. It is the most commonly used method. In this example, we have three users and all of them want to connect to a web server using port 80; the NAT device takes the IP addresses and port numbers, translates them to the public IP and a port number, and forwards the packets to the target.
Figure 39-6 NAT Overload (PAT) Example

Static NAT Configuration
Figure 39-7 Static NAT Configuration
Dynamic NAT Configuration
NAT Overload (PAT) Configuration

QoS - Quality of Service
• QoS Introduction
• Bandwidth, Delay, Jitter, and Loss Management
• Traffic Types
• Classification and Marking
• Queuing
• Shaping and Policing

QoS Introduction: Bandwidth, Delay, Jitter, and Loss Management
Routers work with both WAN and LAN interfaces. While the LAN interfaces operate at higher speeds, WAN interfaces operate at slower speeds. While the router is busy sending the packets waiting on this WAN interface, hundreds or even thousands of IP packets may arrive from the LAN interface, and it has to transmit all of them from the same WAN interface. What should the router do? Send them all in the order they came in? Prioritize some packets to send earlier than others, preferring one type of traffic over another? Discard some packets when the number of packets waiting to exit the router is too large?

In the paragraph above, we talked about some of the many classic Quality of Service (QoS) questions on the network. For example, WAN router interfaces queue pending packets. The router may use a queue scheduling algorithm to determine which packets will be sent first or later, and may prioritize some packets and hold back other packets.

There is a wide variety of QoS features in both routers and switches. These features help us manage the traffic on our network. They manage the following:
• Bandwidth
• Delay
• Jitter
• Loss
Bandwidth: Expresses the speed of a connection in bits per second (bps). The QoS feature determines which packet is sent over the next link, and controls how much bandwidth each traffic type can use over time.
Delay: Can be defined as the round-trip delay of outgoing and incoming packets.
Jitter: Refers to the variation in one-way delay between consecutive packets sent by the same application.
Loss: Usually refers to the number of lost messages as a percentage of the packets sent. The calculation is simple: for some application, if the sender sent 100 packets and only 98 reached the destination, that application's stream lost 2 percent.

Traffic Types
Voice and Video Applications
A phone call between two IP phones creates a flow in each direction. For video, it can be security camera or video conference call traffic. VoIP takes the sound of a conversation made on one phone and puts it in IP packets so that it can be heard on the other phone. Figure 40-2 illustrates the general idea. The steps in the figure include:
1- The phone user makes a phone call and starts talking.
2- A chip called a codec processes (digitizes) the audio to generate binary code for a given time period (usually 20 ms). Usually the G.711 codec is used, producing 160 bytes per period.

Data Applications
First, consider a basic web application on a user PC or tablet. The user enters an address to open a web page. This request may require a single packet to be sent to the web server, but may result in hundreds or thousands of packets being returned to the web client, as shown in Figure 40-1.
Figure 40-1 HTTP Traffic
So what is the impact of bandwidth, delay, jitter and loss on an interactive web-based application?
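The PAT behaviour from the NAT section above (three inside users sharing one public IP towards port 80, with replies mapped back by port), as an added example; this is not the instructor's code or IOS internals, and the addresses are constructed from the RFC 5737 documentation ranges:

```python
"""Port Address Translation table, added as an example of the NAT overload
behaviour described in the NAT section above. Not the instructor's code or
IOS internals; addresses are from the RFC 5737 documentation ranges and are
constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """One public ("inside global") address shared by every inside host."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.first_port = first_port
        self.table = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the original source port when it is free; otherwise pick the next free one.
        if (proto, wanted) not in self.table:
            return wanted
        port = self.first_port
        while (proto, port) in self.table:
            port += 1
        return port

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite source IP/port, remembering the mapping."""
        for (proto, pub_port), inside in self.table.items():
            if proto == p.proto and inside == (p.src_ip, p.src_port):
                break   # existing flow reuses its entry
        else:
            pub_port = self._allocate_port(p.proto, p.src_port)
            self.table[(p.proto, pub_port)] = (p.src_ip, p.src_port)
        return Packet(p.proto, self.public_ip, pub_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        """Outside -> inside: only traffic matching an existing entry gets through."""
        inside = self.table.get((p.proto, p.dst_port))
        if p.dst_ip != self.public_ip or inside is None:
            return None   # unsolicited inbound traffic has no entry and is dropped
        return Packet(p.proto, p.src_ip, p.src_port, inside[0], inside[1])


def demo():
    """Three inside users reach the same web server on port 80 through one public IP."""
    pat = PatTranslator("192.0.2.1")
    server = "203.0.113.80"
    users = [Packet("tcp", "10.1.1.1", 50000, server, 80),
             Packet("tcp", "10.1.1.2", 50000, server, 80),   # same source port as user 1
             Packet("tcp", "10.1.1.3", 51234, server, 80)]
    outgoing = [pat.outbound(u) for u in users]
    # The server's replies come back to the public IP and the translated port
    replies = [pat.inbound(Packet("tcp", server, 80, o.src_ip, o.src_port)) for o in outgoing]
    stray = pat.inbound(Packet("tcp", "198.51.100.9", 4444, "192.0.2.1", 22))
    return outgoing, replies, stray


if __name__ == "__main__":
    out, back, stray = demo()
    for o, b in zip(out, back):
        print(f"{o.src_ip}:{o.src_port} -> {b.dst_ip}:{b.dst_port}")
    print("unsolicited inbound:", stray)
```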
First, the packets require a certain amount of bandwidth capacity. As for delay, each of these packets experiences some one-way delay from server to client, and there is some jitter as well.

3- The phone encapsulates the data in an IP packet.
4- The phone sends the packet to the target IP phone.
Figure 40-2 VoIP Packet with the G.711 Codec

With the G.711 codec, this single call requires approximately 80 Kbps of bandwidth (with the data-link header and trailer added). If we include the headers and the VoIP payload as in the figure, each of the IP packets is 200 bytes. Each holds 20 ms of digital audio, so the phone sends 50 packets per second. 50 packets of 200 bytes each is equivalent to 10,000 bytes per second, or 80,000 bits per second, or 80 Kbps. Other audio codecs require less bandwidth; the widely used G.729 takes about 24 Kbps (with the data-link header and trailer added).

You can get quality voice traffic over an IP network, but you must implement QoS to do so. QoS tools are tuned to respond to the behavior required by different types of traffic. Cisco recommends the following guidelines for quality voice traffic:
• Delay (one-way): 150 ms or less
• Jitter: 30 ms or less
• Loss: 1% or less
For video calls:
• Bandwidth: 384 Kbps to 20+ Mbps
• Delay (one-way): 200–400 ms
• Jitter: 30–50 ms
• Loss: 0.1%–1%

Classification and Marking
QoS tools, like ACLs, sit on the path that packets take as they are transmitted through a router or switch and check the passing traffic. Like ACLs, QoS tools are enabled for one direction on an interface.

The term classification refers to the process of matching fields in a message to select the traffic that a QoS action applies to. So, if we compare QoS tools again with ACLs, they classify and filter like ACLs; i.e. ACLs match (classify) packet headers, and ACLs help us decide which packets to discard or which packets to select. For example, if we enable QoS on the output interface of the router as in Figure 40-3, it will classify the outgoing traffic according to the rules we set and put it in a queue.

Figure 40-3 Classifying and Queuing Traffic on a Router
Step 1: The router makes a forwarding decision.
Step 2: The router uses classification logic to determine the type of packet.
Step 3: The output interface of the router keeps the waiting packets in the output queue.
Step 4: The scheduling logic of the queuing tool selects which packet to send next and puts the packets in order.

Figure 40-4 shows an example of a PC on the left sending an IP packet to hosts (not shown) on the right of the figure. The first switch to forward the packet, SW1, does some complex matching and marks the Differentiated Services Code Point (DSCP) field of the packet, a 6-bit field that serves as the QoS marking in the IP header. The next three devices that process this message (SW2, R1, and R2) use simpler matching to classify the packet, comparing the packet's DSCP value: packets with one DSCP value are mapped to Class 1 and packets with the other DSCP value to Class 2. Sometimes we can apply QoS on both the input and output interfaces of the devices, which may cause the performance of the devices to decrease. The recommendation, from both Cisco and the RFCs, is to match on the packet headers and then mark the packet.
Figure 40-4 Systematically marking and classifying

Classification on a Router with ACLs and NBAR
This section delves a little deeper into classification on routers, and we'll take a closer look at the marking function. Figure 40-5 shows the IP and TCP headers. All of these fields can be matched for QoS classification.

NBAR2 looks at more in a message than an ACL can examine. Many applications cannot be identified by well-known port numbers alone. NBAR solves these problems. For example, the Cisco WebEx application provides audio and video conferencing on the web.
In a QoS plan, you may want to classify WebEx differently from other video traffic and differently from voice calls between IP phones. That is, you can classify WebEx traffic and give it a unique DSCP mark. NBAR provides easy built-in matching capability for WebEx and more than 1000 different application subcategories.
Figure 40-5 Five classification fields used by the Extended ACL

For example, if all IP phones use a subnet in the address range 10.3.0.0/16, we can configure an extended ACL to match all packets from the 10.3.0.0/16 subnet and use this ACL for the QoS operations suitable for voice traffic. However, not every classification can be done easily by matching with an ACL. In more demanding situations, Cisco Network-Based Application Recognition (NBAR) can be used. In short, NBAR2 matches packets for classification in a wide variety of ways, which is very useful for QoS.

IP Header Marking
Marking a QoS field in the IP header works well because the IP header goes from the source host to the destination host. When a host sends data, it sends a data-link frame that contains the IP packet. Each router that forwards the IP packet discards the old data-link header and adds a new one. Because routers do not discard and replace IP headers, the marking fields in the IP header remain unchanged until they reach the destination host. IP defines a Type of Service (ToS) byte in the IP header, as shown in Figure 40-6. The original RFC defined a 3-bit IP Precedence (IPP) field for the QoS marking. This field gives us eight separate binary values (000, 001, 010, and so on up to 111); converting them to decimal, we mark with a number between 0 and 7.

IPP only gave us eight (0-7) different values to mark, so later RFCs redefined the ToS byte with the DSCP field. DSCP increased the number of marking bits to 6 and allowed 64 unique values to be marked. DSCP was considered the most common method to use when doing QoS in the late 1990s, and it has become quite common to use the DSCP field for marking.
Figure 40-6 DSCP and IPP fields in the IP Header

Marking the Ethernet 802.1Q Header
Another useful marking field is in the 802.1Q header. In the third byte of the 802.1Q header there is a 3-bit field that provides eight possible values to mark (see Figure 40-7). It goes by two different names: Class of Service (CoS) and Priority Code Point (PCP).
Figure 40-7 Class of Service Field in the 802.1Q/p Header
The 802.1Q header is not included in all Ethernet frames. The 802.1Q header is only present when an 802.1Q trunk is used on a link. As a result, QoS tools can only use the CoS field for QoS features enabled on interfaces using trunks, as shown in Figure 40-8.
Figure 40-8 CoS Marking on a Trunk Port

Defining Trust Boundaries
The end-user device can mark the DSCP field, or even the CoS field if a trunk is used for the connection. Would you trust these devices and allow their DSCP and CoS markings? Most of us wouldn't, because anything the end user controls can be used inappropriately at times. For example, a PC user might know that voice traffic is marked with the DSCP value called Expedited Forwarding (EF), 46. Since voice traffic is prioritized by QoS, the PC user marks all of the PC's traffic as DSCP 46.
Figure 40-9 Trust Boundary at the Switch

QoS plan creators must choose where to place the trust boundary of the network. The trust boundary refers to the point in a packet's path through the network at which the network devices can trust the QoS markings. This boundary is typically located on a device under the control of IT personnel.
Figure 40-10 Trust Boundary at the IP Phone

DiffServ Recommended Marking Values
DiffServ is intended to make the use of DSCP values consistent across all networks by recommending specific markings for certain types of traffic. Thus, manufacturers can use these default settings for their QoS features, so that QoS works better between different brands and devices. There are three families of DSCP values used for marking in DiffServ: EF, AF and CS.

Expedited Forwarding (EF)
DiffServ defines the recommended Expedited Forwarding (EF) DSCP value (a single value) for packets that require low latency (delay), low jitter, and low loss. It defines DSCP 46 and an equivalent text name (EF). QoS configuration commands allow the use of either the decimal value or the text name, but one purpose of using the text abbreviation is to make the value more memorable, so many QoS configurations refer to the text names. Many QoS plans use EF to mark voice payload packets. By default, Cisco IP Phones mark voice packets with EF and send signaling (SIP, SCCP) packets with CS3.

Assured Forwarding (AF)
The Assured Forwarding (AF) DiffServ RFC (2597) defines a set of 12 DSCP values that are intended to be used in concert with each other. Assured Forwarding defines specific AF DSCP text names and equivalent decimal values, as listed in Figure 40-11. Text names follow an AFXY format: X corresponds to the queue (1 to 4) and Y corresponds to the drop priority (1 to 3).
Figure 40-11 Differentiated Services Assured Forwarding Values and Meaning
For example, if you marked a packet with AF12: AF11, AF12, and AF13 all enter a single queue; those with AF21, AF22 and AF23 enter another queue; and so on. Within the same queue, AF21 takes priority and AF23 comes last.

Class Selector (CS)
Initially, the ToS field was defined by the 3-bit IPP field.
When DiffServ redefined the ToS field, eight DSCP values were created so that DSCP was backwards compatible with the IPP values. The Class Selector (CS) DSCP values are these settings.
Figure 40-12 Class Selector

Guidelines for DSCP Marking Values
With so many different values, different uses of different DSCP values by different devices in the same enterprise will complicate the deployment of QoS. Without going into the depth of any QoS plan, the plans all set some variation on how all devices should mark data:
✓ DSCP EF: Voice payload
✓ AF4x: Interactive video (for example, videoconferencing)
✓ AF3x: Streaming video
✓ AF2x: High priority (low latency) data
✓ CS0: Standard data

Queuing
The term queuing refers to the QoS toolset used to manage the queues that hold packets while they wait for their turn to exit an interface. In Figure 40-13, the output interface sends whatever arrived first from a single queue, in the order of the queued traffic. Since no QoS tools are used here, the interface simply sends the traffic in the order it arrived.
Figure 40-13 Queued traffic without QoS
In Figure 40-14, there is more than one queue, and traffic exits the interface in order of priority.

Round-Robin Scheduling (Prioritization)
Routers use a popular tool called Class-Based Weighted Fair Queuing (CBWFQ) to provide a minimum bandwidth for each class. That is, each class receives at least the amount of bandwidth configured, but perhaps more based on availability later on. CBWFQ allows us to define weights as a percentage of the link bandwidth while using a weighted round-robin scheduling algorithm. Figure 40-15 shows an example where three queues in the system are given 20, 30 and 50 percent of the bandwidth, respectively.
Figure 40-15 CBWFQ Round-Robin Scheduling
With the queuing system shown in the figure, if the outbound link is congested, the scheduler guarantees the percentage of bandwidth shown in the figure for each queue.
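The marking fields and DiffServ names from the sections above (DSCP, IPP, ToS byte, 802.1Q CoS, the EF/AFxy/CSx encodings and the trust-boundary decision), as an added example; this is not the instructor's code or IOS behaviour, the port names and packets are constructed, and resetting untrusted markings to CS0 is one common policy assumed here:

```python
"""DSCP / IPP / CoS marking helpers and a trust-boundary check, added as an
example of the marking fields and DiffServ names described above. Not the
instructor's code; port names and sample packets are constructed.

DiffServ encodings used: EF = 46, CSx = 8*x, AFxy = 8*x + 2*y (x = queue 1-4,
y = drop priority 1-3). IPP is the top 3 bits of the 6-bit DSCP.
"""
import re

AF_RE = re.compile(r"^AF([1-4])([1-3])$")
CS_RE = re.compile(r"^CS([0-7])$")


def dscp_from_name(name: str) -> int:
    """'EF' -> 46, 'AF41' -> 34, 'CS3' -> 24, 'default' -> 0."""
    name = name.upper()
    if name == "EF":
        return 46
    if name == "DEFAULT":
        return 0
    if m := AF_RE.match(name):
        return 8 * int(m[1]) + 2 * int(m[2])
    if m := CS_RE.match(name):
        return 8 * int(m[1])
    raise ValueError(f"unknown DSCP name {name!r}")


def name_from_dscp(dscp: int) -> str:
    """Reverse mapping; values with no DiffServ name come back as their number."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    queue, low = dscp >> 3, dscp & 0b111
    if 1 <= queue <= 4 and low in (2, 4, 6):
        return f"AF{queue}{low // 2}"
    return str(dscp)


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """ToS byte layout after DiffServ: DSCP in the upper 6 bits, ECN in the lower 2."""
    return (dscp << 2) | (ecn & 0b11)


def ipp_from_dscp(dscp: int) -> int:
    """IP Precedence is the first 3 bits of the ToS byte, i.e. DSCP >> 3 (why CS values stay compatible)."""
    return dscp >> 3


def cos_from_tci(tci_value: int) -> int:
    """802.1Q Tag Control Information: PCP/CoS is the top 3 bits of the 16-bit TCI."""
    return (tci_value >> 13) & 0b111


def tci(cos: int, vlan: int, dei: int = 0) -> int:
    """Build a TCI from CoS (3 bits), DEI (1 bit) and VLAN ID (12 bits)."""
    return ((cos & 0b111) << 13) | ((dei & 1) << 12) | (vlan & 0xFFF)


# Marking guideline from the text: traffic class -> DSCP name
GUIDELINE = {"voice": "EF", "interactive-video": "AF41", "streaming-video": "AF31",
             "priority-data": "AF21", "standard-data": "CS0"}


def ingress_mark(port_trusted: bool, incoming_dscp: int) -> int:
    """Trust boundary: keep the marking from a trusted port (e.g. an IP phone),
    reset anything from an untrusted port to the standard-data value.
    (Resetting to CS0 is one common policy, assumed here.)"""
    return incoming_dscp if port_trusted else dscp_from_name(GUIDELINE["standard-data"])


def demo():
    """A PC on an untrusted port marks everything EF (the example in the text);
    the IP phone on a trusted port keeps its EF voice and CS3 signalling."""
    trusted_ports = {"Gi1/0/6"}   # phone port; Gi1/0/5 is a PC
    packets = [("Gi1/0/5", "EF"), ("Gi1/0/5", "AF21"), ("Gi1/0/6", "EF"), ("Gi1/0/6", "CS3")]
    return [(port, name, name_from_dscp(ingress_mark(port in trusted_ports, dscp_from_name(name))))
            for port, name in packets]


if __name__ == "__main__":
    for port, before, after in demo():
        print(f"{port} {before:>4} -> {after}")
    for n in ("EF", "AF41", "AF31", "AF21", "CS3"):
        d = dscp_from_name(n)
        print(f"{n:<4} dscp={d:2d} tos=0x{tos_byte(d):02x} ipp={ipp_from_dscp(d)}")
```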
That is, queue 1 takes 20 percent of the link even at peak times. In this method, the bandwidth is guaranteed, but the order of output is determined by the round-robin algorithm.
Figure 40-14 Queued traffic with QoS applied

Low Latency Queuing (LLQ)
Unfortunately, a round-robin scheduler does not provide low enough latency, jitter or loss. Solution: add Low Latency Queuing (LLQ) to the scheduler. LLQ tells the scheduler to treat one or more queues as special priority queues. The LLQ scheduler always takes the next message from one of these special priority queues whenever they hold a packet. Problem solved: very little delay for the packets in this queue results in very little jitter. Figure 40-16 shows the addition of LLQ logic for the voice queue.
Figure 40-16 Using LLQ with CBWFQ
In LLQ, we guarantee bandwidth with priority; if voice traffic arrives in the output queue, it goes to the front of the queue.

Shaping and Policing
Both policing and shaping monitor the bit rate of the aggregate messages flowing through a device. When enabled, they note each packet that passes through policing or shaping and measure the bits per second over time. Both try to keep the bit rate at or below the configured rate, but use two different methods: policing discards packets, while shaping keeps packets in a queue to delay them.

Where to Use Policing
Policing monitors messages, measures the rate and discards some messages. How does this help us with QoS? At first glance, it seems to harm the network by throwing out the messages sent by the transport or application layer. How does this improve bandwidth, delay, jitter or loss? Policing only makes sense in certain situations and is generally used on routers between two networks. For example, consider a typical point-to-point metro Ethernet WAN connection between R1 and R2.

Policing
Traffic reaches network devices at a varying rate, with spikes. In other words, if you graph the bit rate of the aggregate bits entering or leaving any interface, the graph will look like the left side of Figure 40-17. Policing measures this rate; the horizontal dashed line on the left represents the rate configured for policing. Therefore, policing has information about the measured bit rate over time, which can be compared to the configured rate. The right side of the figure shows the excess traffic cut off at the rate set for policing.
Figure 40-17 Policing and Shaping Impact on the Delivered Traffic Load

Figure 40-18 Ethernet WAN: Link Speed Versus CIR
Now imagine you have a 200 Mbps metro Ethernet service as shown in the figure. But keep in mind that the connection speed between the router and the switch is 1 Gbps. Since the traffic can leave us at 1 Gbps but our contracted rate is 200 Mbps, the packets leaving us would be dropped by the ISP; instead, we can limit the traffic to 200 Mbps before it leaves us.

Shaping
You have a 1 Gbps connection between the ISP's metro Ethernet switch and your router, but the rate you get from the ISP is 200 Mbps; the ISP will not always allow traffic exceeding 200 Mbps. Solution: we can bring our rate down to 200 Mbps by slowing the traffic with shaping. Shaping slows down messages by queuing them and scheduling them out of the queues. Following the left-to-right flow in Figure 40-19, the packet is forwarded to the router's interface in such a way that the sending rate, through shaping, does not exceed the configured rate.
Figure 40-20 One Second (1000 ms) Shaping Time Interval, Shaping at 20 percent of Line Speed
The solution to this problem: configure a short time interval.
Figure 40-19 Shaping Queues: Scheduling with LLQ and CBWFQ

Setting a Good Shaping Interval for Voice and Video
Consider the following time intervals (abbreviated Tc) and their effects, with shorter time intervals for the same example:
Tc = 1 second (1000 ms): Send at 1 Gbps for 200 ms, rest for 800 ms
Tc = .1 second (100 ms): Send at 1 Gbps for 20 ms, rest for 80 ms
Tc = .01 second (10 ms): Send at 1 Gbps for 2 ms, rest for 8 ms

We tried to solve a QoS problem with a QoS tool, but the side effect of shaping is that it slows packets down, which creates more latency and possibly more jitter. Fortunately, you can (and should) configure a setting of shaping that changes its internal operation, reducing the latency and jitter that hurt voice and video traffic. Use a short time interval when shaping. As a recommendation, use a 10 ms interval to support voice and video.

Various IP Services
• First Hop Redundancy Protocol (FHRP)
• HSRP Concepts
• HSRP Load Balancing
• Simple Network Management Protocol (SNMP)
• FTP / TFTP
• IOS Image Update

First Hop Redundancy Protocol (FHRP)
When we use a design that includes redundant routers, switches, LAN connections, and WAN connections in networks, in some cases other protocols are required to avoid the problems this redundancy causes. For example, imagine a WAN with many remote branches. If each remote branch has two WAN links connecting it to the rest of the network, these routers can use the IP routing protocol to choose the best routes. The routing protocol learns routes over both WAN links, adding the best route to the routing table.

In Figure 41-2, there are two routers and two WAN connections on the main site; whichever route has priority when going to the remote site is used, and if one of the lines breaks, the other one is used. There is only one router but two WAN connections on the remote side.
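The shaping interval arithmetic (the Tc table in the shaping section above, for a 200 Mbps CIR on a 1 Gbps link) together with the LLQ plus CBWFQ scheduling of Figures 40-15, 40-16 and 40-19, as one added example; this is not the instructor's code or IOS internals, and the byte quantum, packet sizes and the per-round cap on the priority queue are constructed:

```python
"""Shaping interval arithmetic and an LLQ + CBWFQ scheduler, added as an
example of the queuing and shaping sections above. Not the instructor's code
or IOS internals: a deficit-round-robin model of the CBWFQ percentages with
an LLQ priority queue in front of it, and the Tc/Bc arithmetic behind the
"send for 200 ms, rest for 800 ms" figures. All packet sizes are constructed.
"""
from collections import deque


def shaping_interval(cir_bps: float, line_rate_bps: float, tc_seconds: float):
    """Per interval Tc the shaper releases Bc = CIR * Tc bits at line rate, then waits.
    Returns (send_ms, rest_ms)."""
    bc_bits = cir_bps * tc_seconds
    send_s = bc_bits / line_rate_bps
    return round(send_s * 1000, 3), round((tc_seconds - send_s) * 1000, 3)


class LlqCbwfqScheduler:
    """CBWFQ classes get a byte quantum proportional to their percentage each
    round (deficit round robin); the LLQ class is served first whenever it has
    packets, but is policed to a byte cap per round so it cannot starve the rest
    (real LLQ also polices the priority queue during congestion)."""

    QUANTUM_PER_PERCENT = 10   # bytes of credit per percent per round (constructed scale)

    def __init__(self, class_percent: dict, priority_class: str, priority_cap_bytes: int):
        self.percent = dict(class_percent)
        self.priority = priority_class
        self.priority_cap = priority_cap_bytes
        self.queues = {c: deque() for c in list(class_percent) + [priority_class]}
        self.deficit = {c: 0 for c in class_percent}
        self.sent = []      # (class, size) in transmission order
        self.dropped = []   # priority packets beyond the LLQ policer
        self._pq_budget = 0

    def enqueue(self, cls: str, size: int):
        self.queues[cls].append(size)

    def _serve_priority(self):
        # Voice goes to the front of the line, within this round's policed budget
        q = self.queues[self.priority]
        while q:
            size = q.popleft()
            if size > self._pq_budget:
                self.dropped.append((self.priority, size))
                continue
            self._pq_budget -= size
            self.sent.append((self.priority, size))

    def run_round(self):
        self._pq_budget = self.priority_cap
        self._serve_priority()
        for cls, pct in self.percent.items():
            q = self.queues[cls]
            self.deficit[cls] += pct * self.QUANTUM_PER_PERCENT
            while q and q[0] <= self.deficit[cls]:
                size = q.popleft()
                self.deficit[cls] -= size
                self.sent.append((cls, size))
                self._serve_priority()      # voice that arrived meanwhile still goes next
            if not q:
                self.deficit[cls] = 0       # DRR: an empty queue keeps no credit

    def counts(self):
        out = {c: 0 for c in self.queues}
        for cls, _ in self.sent:
            out[cls] += 1
        return out


def demo(rounds: int = 10):
    """Figure 40-15 percentages 20/30/50 plus a voice LLQ class, link congested."""
    s = LlqCbwfqScheduler({"class1": 20, "class2": 30, "class3": 50}, "voice", priority_cap_bytes=1000)
    for cls in ("class1", "class2", "class3"):
        for _ in range(50):
            s.enqueue(cls, 1000)          # 1000-byte data packets, more than the link can carry
    for _ in range(3):
        s.enqueue("voice", 200)           # 200-byte G.711 packets (160 B payload plus headers)
    for _ in range(rounds):
        s.run_round()
    return s


if __name__ == "__main__":
    for tc in (1.0, 0.1, 0.01):
        send_ms, rest_ms = shaping_interval(200e6, 1e9, tc)
        print(f"Tc={tc:<5} -> send {send_ms} ms, rest {rest_ms} ms")
    s = demo()
    print("first packets sent:", s.sent[:4])
    print("packets per class after 10 rounds:", s.counts())
```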
When the better WAN link fails, the routing protocol takes advantage of the redundant link and adds the alternate route to the IP routing table.

Figure 41-2 R1 with Two WAN Connections

Redundancy
Let's give a few examples. In Figure 41-1, we see a network with a single WAN connection and a single router. In Figure 41-3, redundancy is provided with two routers, but only one gateway IP is given to the hosts.

Figure 41-1 Router with Single WAN Connection
Figure 41-3 Using Two Routers

Why FHRP is Necessary
Of the designs shown so far, only the design in Figure 41-3 has two routers in the network on the left side of the figure. Having redundant routers on the same subnet gives us redundancy, but manual intervention is required to make use of it; in such cases the network should use an FHRP. To see the necessity and benefit of using an FHRP, first consider how these redundant routers can be used as default routers by the hosts in VLAN 10 / subnet 10.1.1.0/24, as shown in Figure 41-4. Host IPs remain unchanged, so each host has a single default router IP. Therefore, we have some design options for the default router settings:
■ All hosts in the subnet use R1 (10.1.1.9) as the default router, and if R1 has a problem, we statically reconfigure the default router setting to R2's IP, 10.1.1.129.
■ Half the hosts use R1 and half use R2 as the default router, and if one of the routers fails, we statically reconfigure the default router settings of half the users.

Figure 41-4 Using Different Default Routers for Different Users

There are three types of FHRP solutions, but we will only cover HSRP in the CCNA training curriculum.

Figure 41-5 FHRP Solutions

HSRP Concepts
HSRP works with an active/standby model. HSRP allows two (or more) routers to work together, all acting as default routers. However, only one router actively supports end-user traffic at any given time.
Packets sent to the default gateway (router) by the hosts are forwarded to this active router. The other routers, which are in the HSRP standby state, wait in case the active HSRP router has a problem. The HSRP active router implements a virtual IP address and a virtual MAC address. This virtual IP address exists as part of an additional configuration, the HSRP configuration. Under the interface, this virtual IP address is configured in the same subnet as the interface IP address, but as a different address. The router then automatically generates a virtual MAC address. All cooperating HSRP routers know these virtual addresses, but only the active HSRP router uses them. In Figure 41-6, R1 is active and traffic flows through R1 while R2 is in standby. If a problem occurs on R1, R2 becomes active, as we see in the figure below.

Figure 41-6 Traffic Exiting R1, R2 in Standby
Figure 41-7 R1 Cannot Be Reached and R2 Has Taken Over

HSRP Load Balancing
Because HSRP works with the active/standby model, the hosts in a subnet all exit through the active router. As in Figure 41-6, all traffic leaves via R1 and R2 waits in standby. But when configuring HSRP, we can choose a different active router for different subnets, which allows us to use both devices by distributing the traffic. Let's examine the example in Figure 41-8.

HSRP Configuration
R1# show running-config
! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.9 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 name HSRP-Group
 standby 1 preempt

R2# show running-config
! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.129 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 preempt
 standby 1 name HSRP-Group

sh standby brief

The default priority is 100. When R1 is given priority 110, R1 becomes the active router.
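The election behind that configuration, as an added example (not the course's code): the highest priority wins, a tie goes to the highest interface IP, and a router that comes back only takes the active role if it has standby preempt. The R1/R2 names, IPs and priority 110 are the ones from the configuration above; the virtual MAC formats are the standard HSRP version 1 and 2 ones.

```python
"""HSRP election and virtual MAC, as an added example (not the course's code).

Replays the active/standby election from the configuration above and derives
the virtual MAC that the active router answers ARP for (HSRPv1 0000.0c07.acXX,
HSRPv2 0000.0c9f.fXXX, where X is the group number in hex).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # interface IP address, unique per router
    priority: int = 100      # IOS default when 'standby N priority' is not set
    preempt: bool = False    # 'standby N preempt' configured?
    up: bool = True


def hsrp_virtual_mac(version: int, group: int) -> str:
    """Virtual MAC for an HSRP group, derived from the version and group number."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"invalid HSRP version/group: v{version} group {group}")


def _rank(router: HsrpRouter) -> Tuple[int, int]:
    # Election key: priority first, then the numerically highest interface IP.
    return (router.priority, int(IPv4Address(router.ip)))


def elect(routers: Iterable[HsrpRouter],
          current_active: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (active, standby) names among the reachable routers in the group."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None, None
    best = max(alive, key=_rank)
    active = best
    if current_active is not None:
        current = next((r for r in alive if r.name == current_active), None)
        # Without preempt, a better router waits and the current active keeps the role.
        if current is not None and not (best.preempt and _rank(best) > _rank(current)):
            active = current
    others = [r for r in alive if r is not active]
    standby = max(others, key=_rank) if others else None
    return active.name, (standby.name if standby else None)


def failover_walkthrough(r1_preempt: bool = True):
    """Replay the R1/R2 scenario from the configuration above; returns the states."""
    r1 = HsrpRouter("R1", "10.1.1.9", priority=110, preempt=r1_preempt)
    r2 = HsrpRouter("R2", "10.1.1.129", priority=100, preempt=True)
    group = [r1, r2]
    states = [elect(group)]                             # initial election (Figure 41-6)
    r1.up = False
    states.append(elect(group, current_active="R1"))    # R1 fails (Figure 41-7)
    r1.up = True
    states.append(elect(group, current_active="R2"))    # R1 comes back
    return states


if __name__ == "__main__":
    print("HSRPv2 group 1 virtual MAC:", hsrp_virtual_mac(2, 1))
    print("with preempt on R1:   ", failover_walkthrough(True))
    print("without preempt on R1:", failover_walkthrough(False))
```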
Figure 41-8 Load Balancing with HSRP Using Different Active Routers in Different Subnets

Simple Network Management Protocol (SNMP)
NMS (Network Management System): software that provides simultaneous monitoring and management of the information of all devices in the network. The NMS typically polls the SNMP agent on each device. The NMS can report the status of devices on the network by sending e-mails or messages to a user. You can also configure devices via SNMP if you have allowed configuration changes through SNMP. The NMS uses an SNMP Get message to request information from a device and sends an SNMP Set message to change the device's configuration. Figure 41-9 shows this SNMP Get and Set traffic.

Figure 41-9 SNMP Get Request and Get Response Message Flow

Most commonly, a network administrator collects and stores statistics over time using the NMS, and various statistical analyses can be performed on the stored data. To be proactive, administrators can set limits for certain switch variables and tell the NMS to send a notification when a limit is passed.

SNMP Notifications
In addition to the Get and Set messages, the SNMP agent can initiate communication with the NMS. These messages, often referred to as notifications, use two special SNMP messages: Trap and Inform. The agent tracks changes on the device and sends a Trap or Inform SNMP message to the NMS to report the new status. As an example of a Trap, let's assume that Router 1's G0/0 interface fails, as shown in step 1 of Figure 41-10. When Traps are configured, the router sends an SNMP Trap message to the NMS, and this Trap message reports that the G0/0 interface is down. The NMS software can then send a text message to the network support personnel, open a window on the NMS screen, change the color of the affected router icon to red in the graphical interface, and so on.
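The NMS side of both interactions, as an added example that is not part of the course: polled Get results for ifInOctets are turned into a bit rate and checked against an administrator-set limit (allowing for the 32-bit counter wrap), and a decoded linkDown Trap is turned into an alert. The poll samples, the ifIndex 3 for G0/0 and the trap varbinds are all constructed here, not captured from a device.

```python
"""Added example (not from the course): threshold alerts from SNMP Get polls and
alerting on a linkDown Trap. All samples and varbinds below are constructed.
"""
from typing import Dict, List, Optional, Tuple

SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"       # snmpTrapOID.0: which notification this is
LINK_DOWN_OID = "1.3.6.1.6.3.1.1.5.3"           # SNMPv2-MIB linkDown notification
IF_INDEX_PREFIX = "1.3.6.1.2.1.2.2.1.1."        # ifIndex.<n>
IF_OPER_STATUS_PREFIX = "1.3.6.1.2.1.2.2.1.8."  # ifOperStatus.<n> (1 = up, 2 = down)
COUNTER32_MODULUS = 2 ** 32


def octet_rate_bps(prev: Tuple[float, int], cur: Tuple[float, int]) -> float:
    """Bits per second between two (poll_time_s, ifInOctets) Get results.
    Counter32 objects wrap at 2^32, so a negative delta means one wrap occurred."""
    (t0, c0), (t1, c1) = prev, cur
    delta = c1 - c0
    if delta < 0:
        delta += COUNTER32_MODULUS
    return delta * 8 / (t1 - t0)


def threshold_alerts(samples: List[Tuple[float, int]],
                     limit_bps: float) -> List[Tuple[float, float]]:
    """Return (poll_time_s, rate_bps) for every poll where the rate exceeded the limit."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        rate = octet_rate_bps(prev, cur)
        if rate > limit_bps:
            alerts.append((cur[0], rate))
    return alerts


def handle_trap(varbinds: Dict[str, object]) -> Optional[str]:
    """Turn a decoded Trap PDU ({oid: value}) into alert text, or None when the
    notification is not one this handler acts on."""
    if varbinds.get(SNMP_TRAP_OID_0) != LINK_DOWN_OID:
        return None
    ifindex = next((oid[len(IF_INDEX_PREFIX):] for oid in varbinds
                    if oid.startswith(IF_INDEX_PREFIX)), "?")
    oper = varbinds.get(IF_OPER_STATUS_PREFIX + ifindex)
    status = {1: "up", 2: "down"}.get(oper, "unknown")
    return f"linkDown trap: ifIndex {ifindex} is {status}"


# Constructed ifInOctets polls: (seconds, counter). The last counter is small
# because the 32-bit counter wrapped between the two polls.
SAMPLES = [(0.0, 0), (10.0, 125_000_000), (20.0, 1_375_000_000),
           (30.0, 4_294_960_000), (40.0, 5_000)]

# Constructed linkDown trap for ifIndex 3 (standing in for G0/0 in the example).
LINK_DOWN_TRAP = {
    SNMP_TRAP_OID_0: LINK_DOWN_OID,
    IF_INDEX_PREFIX + "3": 3,
    "1.3.6.1.2.1.2.2.1.7.3": 1,        # ifAdminStatus.3 = up (not shut down by an admin)
    IF_OPER_STATUS_PREFIX + "3": 2,    # ifOperStatus.3 = down
}

if __name__ == "__main__":
    print(threshold_alerts(SAMPLES, limit_bps=500_000_000))
    print(handle_trap(LINK_DOWN_TRAP))
```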
Figure 41-10 SNMP Trap Notification Process

FTP and TFTP
File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both use a client and server model: a client connects to a server, and then the client can copy files to or from the server.

IOS Image Upgrade
Step 1: First, the IOS image is downloaded from the Cisco support page.
Step 2: Place the downloaded file on an FTP/TFTP server or a USB stick.
Step 3: Copy it to the router's Compact Flash memory using the copy command.

Managing Cisco IOS with FTP / TFTP
IOS exists as a single file that routers load into RAM to use as the operating system. Cisco routers usually use flash memory instead of a hard disk drive. Flash memory is rewritable permanent storage, ideal for storing files that must be kept when the router loses power. Flash memory has no moving parts, so it is less likely to fail. Some routers have flash memory on the motherboard. Others have flash memory slots that allow easy removal and replacement of the flash card, but the card remains in the device most of the time. Also, many devices have USB ports that support USB flash drives. The IOS operating system is stored compressed in this flash memory. Flash also stores other files, not only IOS, such as the startup-config and system files.
Figure 41-11 IOS Image Update

IOS Image Verification
We can verify that the IOS image file we downloaded from Cisco's site has not been tampered with by comparing it against the MD5 hash we obtain from the same site.

FTP Upload
There are many file transfer options in the network world; many of them are supported by the IOS file system found in routers. TFTP and FTP have been supported for the longest time, but newer protocols such as SFTP and SCP are starting to be supported.

Sw-1(config)#ip ftp username cisco
Sw-1(config)#ip ftp password cisco
Sw-1#copy ftp: flash:
Address or name of remote host []? 192.168.1.10
Source filename []? c2960-lanbase-mz.122-25.SEE1.bin
Destination filename [c2960-lanbase-mz.122-25.SEE1.bin]?
Accessing ftp://192.168.1.10/c2960-lanbase-mz.122-25.SEE1.bin...
[OK - 4670455 bytes]
64016384 bytes total (54929883 bytes free)
Sw-1(config)#boot system flash:c2960-lanbase-mz.122-25.SEE1.bin

Chapter 13 Network Architecture
LAN Architecture, WAN Architecture, Cloud Computing Architecture

LAN Architecture
Two-Tier Campus Design (Collapsed Core), Three-Tier Campus Design (Core), Small Office/Home Office, Power over Ethernet (PoE)

Two-Tier Campus Design (Collapsed Core)
Cisco uses some common terms to refer to Cisco-oriented LAN designs, first to determine all the requirements of a campus LAN and then to talk about it. You should know some important campus design terminology. Cisco uses three terms to describe the role of each switch in a campus design: Access, Distribution and Core.
Access: the switches that end devices connect to form the Access layer.
Distribution: the layer to which the Access switches are connected.
Core: the layer to which the Distribution switches are connected.

The Two-Tier Campus Design
Figure 42-1 shows a typical design of a large campus LAN. This LAN has about 1000 PCs connected to 40 switches, each supporting about 25 ports. The figure shows a two-tier design; the layers are the Access Tier (or Layer) and the Distribution Tier (or Layer). A two-tier design meets the main need.

Figure 42-1 Campus LAN with Design Terminology Listed

Two-Tier Design Terminology
Star: a design in which a central device is connected to the other devices, so that when you draw the connections in every direction the design looks like a star shining light in all directions.
Full Mesh: a design in which all the switches are connected to each other.
Hybrid: a design that combines topology design concepts into a wider (typically more complex) design.

Figure 42-2 The Star Topology Design Concept in Networking
Figure 42-3 Using a Full Mesh at the Distribution Layer, 6 Switches, 15 Links

Three-Tier Campus Design (Core)
The two-tier design in Figure 42-1 is the most common campus design. It goes by two common names: two-tier and collapsed core. Collapsed core means that the two-tier design does not have a third layer, the core layer. Imagine that your campus has only two or three buildings. Each building has a two-tier design inside it: a pair of distribution switches, and access switches spread around the building as needed. How do you tie together the LANs in every building? With only a few buildings, as shown in Figure 42-4, it makes sense to simply cable the distribution switches together.

However, the three-tier design (with a core layer) is for larger LAN designs; it saves switch ports and cables. For the connections between buildings, remember that the cables run outside, underground, and that the installation is usually more expensive. Therefore, a core layer can help reduce costs by not increasing the number of cables used between buildings.
Figure 42-4 Three Buildings, Non-Core Two-Tier Design
Figure 42-5 Three Buildings, Three-Tier Design

Small Office/Home Office
A Small Office/Home Office (SOHO) LAN differs significantly from the campus LAN design: a small number of switches, a few APs, a router or two, and a WAN connection, along with their designs and applications. The term SOHO refers to a small office where one user or a small number of people work from home. At home, you probably use a single device called a mini router. One side of the device is connected to the Internet and the other side is connected to the devices in the house. At home, the devices can be connected either with Wi-Fi or with an Ethernet cable, as in Figure 42-6. Figure 42-7 shows how the single device used in the home or small office does the work of several devices.

Figure 42-6 Typical SOHO Network Usage
Figure 42-7 Distribution of Tasks of a Single Device

Power over Ethernet (PoE)
PoE was developed for devices that can be powered through the Ethernet cable: the switch must supply this power to the device connected by the cable. Companies can save cabling costs by using PoE. PoE usually provides a great advantage for devices that are installed in positions without an existing electrical cable or socket. For example, if you need to mount an AP on the ceiling and there is no electrical cable there, PoE is very advantageous. IP cameras can likewise be placed in ceiling corners or various outdoor locations.

Figure 42-8 Power over Ethernet Example
Figure 42-9 Power over Ethernet Standards
Instead of pulling new power and network cables for each device, you can power the device by pulling a single Ethernet cable and communicate with normal Ethernet over the same cable.

WAN Architecture
Metro Ethernet, Multiprotocol Label Switching (MPLS), Internet, VPN Fundamentals, Site-to-Site VPN

Metro Ethernet
Metro Ethernet (MetroE) includes various WAN services with some common features. Ethernet uses physical connections to connect the customer device to the device of the service provider. The service is the WAN provider's layer that transmits the Ethernet frames from one customer device to another. Figure 43-1 shows Metro Ethernet used by four branches.

From the SP's perspective, the SP must build a network to create the Metro Ethernet service. To keep costs lower, the SP physically places a device as close to as many customers as possible. These SP switches need to be close to many customer locations, so that the Ethernet standards support the distance from the SP's point of presence (PoP) to each customer. Figure 43-2 brings together some of these terms and ideas.

Figure 43-1 Metro Ethernet Concept as a Large Ethernet Switch

Metro Ethernet Design and Topology
In order to use the Metro Ethernet service, each branch must be connected to the service with an Ethernet connection.

Figure 43-2 Ethernet Access Links into a Metro Ethernet Service
Figure 43-3 Metro Ethernet Standards

Multiprotocol Label Switching (MPLS)
In Figure 43-4, you have learned a lot about Layer 3 routing, as represented by the packet flowing from left to right. Each router makes a separate forwarding decision to transmit the packet, as shown in steps 1, 2 and 3. Each router compares the destination IP address of the packet with the router's IP routing table; the matching IP routing table entry tells the router where to send the packet next. To learn these routes, routers typically run routing protocols.

MPLS creates a WAN service that forwards IP packets among customer locations. The customer deploys its routers and switches as usual. The SP then forms its own IP network covering a wide geographical region. The customer connects to the MPLS network with a connection from each location, and the customer sends IP packets from one location to another, with the SP forwarding them. For example, Figure 43-5 represents the MPLS network: the four routers in the middle are the SP's, and the routers on the edges are the company's routers.

Figure 43-4 Basic IP Routing of IP Packets
Figure 43-5 MPLS SP Topology Example

Internet
To build the Internet, Internet service providers (ISPs) need connections to other ISPs and to their own customers. The ISPs connect to each other using various high-speed technologies in the Internet infrastructure, and they connect their customers to the Internet using various access technologies. The combination of customer networks connected to ISP networks, and ISPs connected to each other, creates the worldwide Internet. Some WAN technologies work especially well as Internet access technologies. For example, many telephone companies use the existing phone line to the home, so that the ISPs do not have to install additional cables. Some use TV cables, while some use wireless.

Figure 43-6 Internet Access Examples

Consumers usually connect to the Internet simply to reach things on the Internet. Companies can also use the Internet as a WAN service. First, the company obtains an Internet connection at each location. Then, using virtual private network (VPN) technology, the company can create a VPN over the Internet.

DSL - Digital Subscriber Line
DSL technology is widely used in Turkey. The ISPs provide their Internet connection to homes or companies using the existing telephone cables. There are varieties of DSL connection, such as ADSL, VDSL and G.SHDSL, and these models can reach up to 100 Mbps.
When sending VPN data over the Internet, the packets can be kept confidential by encrypting them.

Access to the Internet
In addition to the traditional services shown in the figure, businesses can use the Internet access technologies more often used by consumers, including DSL, cable, 4G/5G and fiber Ethernet. In this section, we will talk about Internet access technologies before moving on to Internet VPN topics.

Figure 43-7 DSL Internet Access Example

Cable TV Internet
Cable TV Internet is a very low-cost connection for a SOHO (small office). Even for larger companies, cable (or DSL) can be a very good backup link. They use DOCSIS technology. DOCSIS (Data Over Cable Service Interface Specification): all cable modems and similar devices must comply with this standard.

Figure 43-8 Cable TV Internet Access Example

Wireless WAN (3G, 4G, LTE, 5G)
Most of you have a mobile phone with Internet access, so you can check your e-mail, browse the web, download apps, and watch videos. Today, most of us rely on our mobile phones and their Internet access. In this section, we will examine mobile Internet access technology. Mobile phones use radio waves to communicate through a nearby base station. The phone has a small radio antenna, but the base station has a much larger antenna. Telephones, tablets, laptops and even routers (with wireless WAN cards) can communicate over the Internet using this technology, as shown in Figure 43-9.

Figure 43-9 Mobile Internet Access Example

Fiber (Ethernet) Internet
Copper wires are used in the cables used by DSL and cable Internet, but comparing the different types of physical media, fiber optic cable usually supports higher speeds over longer distances.
That is, comparing physical network technologies by the reach of the network, fiber optic cabling supports longer connections, and these connections usually operate at equivalent or higher speeds. Some ISPs now offer fiber Internet access, often called simply fiber. To do this, a local company with the right to run cables underground (usually a telephone company) installs new fiber optic cables. After the cable plant is installed (usually a large budget and years of work), the fiber ISP connects customers to the Internet over the fiber optic cable. Fiber usually carries Ethernet protocols over the fiber. Conclusion: high-speed Internet usually uses Ethernet technology.

VPN Fundamentals
VPNs (Virtual Private Networks) can provide significant security features, such as the following, when sending data through an open network like the Internet:
• Confidentiality (Privacy)
• Authentication
• Data Integrity
• Anti-Replay
Let's examine the traffic in Figure 43-10.

Figure 43-10 VPN Tunnel Concepts for a Site-to-Site Intranet VPN

Site-to-Site VPN
A site-to-site VPN provides VPN services with a single VPN tunnel for the devices at two locations. For example, if there are dozens of devices at each location that need to communicate between the locations, not every device should form its own VPN. Instead, devices such as routers or firewalls (as shown in Figure 43-10) are configured to form one VPN tunnel. The tunnel endpoints keep the tunnel permanently in working condition, so that the VPN is available whenever any device at either site decides to send data.

Remote Access VPNs with TLS
To support multiple devices at each location, a site-to-site VPN connection is created by IT personnel. In contrast, a user can dynamically start their own VPN connection in cases where there is no site-to-site VPN. For example, a user can go into a cafe and connect to the free Wi-Fi, but from this cafe there is no site-to-site VPN that reaches the user's corporate network. Instead, the user can connect to the company network via a previously installed remote access VPN program.
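Of the four VPN features listed above, anti-replay is the one most often left vague, so here is an added example (not from the course) of the sliding-window check an IPsec ESP receiver performs on sequence numbers, in the style of RFC 4303. The window size, the packet sequence and the integrity-check (ICV) results in the walkthrough are constructed.

```python
"""Added example (not from the course): ESP anti-replay sliding window.

A receiver accepts each sequence number at most once, drops numbers that fall
below the window, and advances the window only for packets whose integrity
check value (ICV) verified. The 8-entry window and packet sequence are constructed.
"""


class AntiReplayWindow:
    """Tracks accepted ESP sequence numbers.

    Bit i of `bitmap` is set when sequence number (highest - i) has been
    accepted, so bit 0 always represents the highest accepted number.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest accepted sequence number (ESP numbering starts at 1)
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Preliminary check done before the ICV is verified: would seq be accepted?"""
        if seq == 0:
            return False                             # 0 is never a valid ESP sequence number
        if seq > self.highest:
            return True                              # newer than anything seen so far
        offset = self.highest - seq
        if offset >= self.size:
            return False                             # older than the window: drop
        return not (self.bitmap & (1 << offset))     # already seen means replay: drop

    def update(self, seq: int) -> None:
        """Record seq as accepted; called only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Receiver decision for one packet. The window moves only for packets that
        pass both the replay check and the integrity check, so a packet with a
        bad ICV cannot push the window forward and invalidate genuine traffic."""
        if not self.check(seq):
            return "dropped: replay or too old"
        if not icv_ok:
            return "dropped: bad ICV"
        self.update(seq)
        return "accepted"


def walkthrough():
    """Constructed sequence: in-order, reordered, replayed, bad-ICV, too-old and
    late-but-in-window packets against an 8-entry window."""
    window = AntiReplayWindow(size=8)
    events = [(1, True), (3, True), (2, True), (2, True), (1, True),
              (20, False), (20, True), (12, True), (13, True)]
    return [(seq, window.receive(seq, icv_ok)) for seq, icv_ok in events]


if __name__ == "__main__":
    for seq, decision in walkthrough():
        print(f"seq {seq:>2}: {decision}")
```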
All devices at each location can reach the devices at the other location through the VPN via the firewall and router, without having to create their own VPN. The data encryption for an IPsec VPN usually works as shown in Figure 43-11.

Remote access VPNs usually use the Transport Layer Security (TLS) protocol to create a secure VPN session.

Figure 43-11 Basic IPsec Encryption Process
Figure 43-12 Remote Access VPN Options (TLS)

Cloud Computing Architecture
Server Virtualization, Creating a Virtual Switch, Physical Data Center Network, Cloud Computing Services

Server Virtualization
Traditionally, when you think of a server, that server runs one operating system. Inside, the hardware contains a CPU, some RAM, some kind of permanent storage (such as disk drives) and one or more NICs. The operating system can use all the hardware on the server and then run one or more applications. Figure 44-1 shows these main ideas. With the physical server model shown in Figure 44-1, each physical server runs one operating system, and the operating system uses all the hardware on that server. This was how servers worked in the days before server virtualization.

Figure 44-1 An OS and Applications Running on a Classic Physical Server

Today, most companies instead use a virtualized data center. Each OS is separated from the hardware and is therefore virtual (as opposed to physical). Any piece of hardware that we would previously have considered a physical server can run more than one operating system at the same time, with each virtual OS called a virtual machine. Although a virtual server is separated from the hardware, an OS still needs hardware. Each virtual machine has a configuration for a minimum number of vCPUs, a minimum amount of RAM and similar. The virtualization system then starts the virtual machine only if there is sufficient physical hardware capacity to support all the virtual machines running on that physical server. Therefore, virtual servers use a subset of the CPU, RAM, storage and NICs on the physical server. Figure 44-2 shows this concept graphically, with four different VMs running on one physical server.

Figure 44-2 Four Virtual Servers and Applications Running Under the Management of a Hypervisor on a Physical Server

Creating a Virtual Switch on the Virtualized Server
Generally, there are two NICs on servers today; of course, additional cards can be added, and these NIC cards support speeds of 1 Gbps, 10 Gbps or even 40 Gbps. Normally, an operating system may have one NIC, maybe more. For normal operation the operating system has (at least) one NIC, but for a VM it is a virtual NIC. (For example, in VMware's virtualization systems, the VM's virtual NIC is called a vNIC.) The server must connect the physical NICs to the vNICs used by the VMs through a switch. Often, each server uses a kind of internal Ethernet switch concept called a virtual switch or vSwitch. Figure 44-3 shows an example with four VMs, each with one vNIC. The physical server has two physical NICs. The vNICs and physical NICs are connected to a virtual switch.

Figure 44-3 Basic Networking in a Virtualized Host with a Virtual Switch

Ports connected to VMs: the vSwitch can configure a port in its own VLAN, share the same VLAN with other VMs, or even use VLAN trunking to the VM itself.
Ports connected to physical NICs: the vSwitch uses the physical NICs in the server hardware so that the switch works with the external physical switch. The vSwitch can use VLAN trunking (and typically does).
Automated configuration: configuration can be done easily from the same virtualization software that controls the VMs. This programmability allows the virtualization software to move VMs between servers and re-program the vSwitch, so that the VM has the same network capabilities no matter where it runs.
Physical Data Center Network
In a virtualized data center, each physical server must have a physical connection to the network. Figure 44-4 shows the traditional cabling for a data center LAN. Each long rectangle represents a rack in the data center; the small squares represent NIC ports, and the lines represent cables.

Figure 44-4 Traditional Physical Data Center Network

Workflow with a Virtualized Data Center
Virtualization engineers also install and customize the virtualization tools. Beyond the hypervisor on each server, many other useful tools help manage and control a virtualized data center. For example, with data center management programs, all the physical servers, the hypervisors and the virtual servers loaded on them can be managed together. Now a customer wants a "server". In fact, the developer requires a VM (or many) with specific requirements: a certain number of vCPUs, a certain amount of RAM, etc. The developer asks the virtualization engineer to set up the VMs, as shown in Figure 44-5.

Figure 44-5 Customer's Virtual Server Request and Creation Example

Cloud Computing Services
Cloud computing is a different model of providing IT services. Cloud computing usually uses virtualization products, but also uses products made specifically for cloud computing. Cloud computing is not only a group of products to be deployed; instead, it is a way to provide IT services.

Private Cloud (On-Premise)
To create a private cloud, an organization usually expands its IT tools (such as virtualization tools) and changes its internal workflow processes. For example, imagine that an application developer in a company needs VMs to use to develop an application. The application developer may want these VMs to start automatically and be available in minutes. Many cloud computing services use a catalog to achieve this. This catalog is presented to the user as a web application that lists everything that can be requested through the company's cloud infrastructure.
As shown in step 2 of Figure 44-6, the requested VM appears in minutes without human interaction and is ready for use.

Figure 44-6 Basic Private Cloud Workflow to Create One VM

For this process to work, the cloud team must add some tools and processes to the virtualized data center. For example, it installs software that creates the cloud services catalog interface, with APIs toward both the user interface and the virtualization systems. This interface software can react to user requests by using the virtualization software's APIs to add, move or create virtual machines. In addition, a cloud team consisting of server, virtualization and network engineers can collect user statistics and update the user interface accordingly to test and add new services.

Public Cloud
In a private cloud, the cloud provider and the cloud user are part of the same company. In a public cloud, the opposite applies: the public cloud provider sells its services to all users and all companies. The following figure shows the public cloud workflow.

Figure 44-7 Public Cloud Provider in the Internet

Cloud and the "as a service" Model
In cloud computing, three models are the most common in the market today:
✓ Infrastructure as a Service
✓ Software as a Service
✓ (Development) Platform as a Service

Figure 44-8 IaaS Concept
Figure 44-9 SaaS Concept
Figure 44-10 PaaS Concept

Chapter 14 Network Automation
Controller-Based Networks, Cisco Software-Defined Access (SDA), Understanding REST and JSON, Understanding Ansible, Puppet, and Chef

Controller-Based Networks
SDN and Controller-Based Networks, Controllers and Software-Defined Architecture, Network Programmability and SDN Examples

SDN and Controller-Based Networks
Software-Defined Networking (SDN)
In this chapter we will cover the most basic concepts of SDN and network programmability. We will start by separating some of the functions found in traditional network devices, and then I will talk about how we can easily manage a network using central management software called a controller.

Data, Control, and Management Planes
First, let's talk about some functions in network devices. Routers and switches, for example, are connected to each other physically by cable and wirelessly to form a network. Switches forward Ethernet frames; routers forward IP packets. They use many different protocols, such as routing protocols, to learn network layer routes. Each function a network device performs can be categorized into a particular plane. These categories are divided into three: the Data Plane, the Control Plane and the Management Plane.

Data Plane
The term Data Plane refers to the tasks that a network device performs to forward a message. In other words, everything it does about receiving, processing and forwarding that data is part of the Data Plane. As an example, consider how routers forward IP packets, as shown in the figure below, when you think of the Layer 3 logic:
Step 1: The host sends the packet to its default router, R1.
Step 2: R1 does some processing on the received packet, makes a forwarding decision and forwards the packet.
Steps 3 and 4: Routers R2 and R3 also receive, process and forward the packet.
This example takes place in the Data Plane of the routers.

Figure 45-1 Data Plane Operations on a Router,  Simplified

Traditional networks use both a distributed Data Plane and a distributed Control Plane. In other words, every device has a Data Plane and a Control Plane. Figure 45-2 shows the Data Plane and Control Plane in routers.

Let's look at the details of some of the functions commonly performed in the Data Plane on network devices, from the list below:
■ De-encapsulating and re-encapsulating a packet in an Ethernet frame (routers and Layer 3 switches)
■ Adding or removing 802.1Q Trunk Headers (Routers and Switches) ■ Matching the destination MAC address on an Ethernet Framin with the MAC address table (Layer 2 Switches) ■ Matching the destination IP address of an IP packet with the IP routing table (Routers and Layer 3 Switches) Figure 45-2 Working Logic of Control and Data Plane Stages in Router ■ Encrypting data and adding a new IP Header (for VPN] operations) ■ Changing the Source or Destination IP address (for NAT operation) In the figure above, OSPF, the Control Plane protocol, works on all Routers. Adds, Deleting a message due to a filter (ACLs and Port Security operations) removes and changes routes in the OSPF IP Routing table on each Router. Once valid All the actions in the list make up the Data Plane phase, because the Data Plane contains all the actions per message. Control Plane The term Control Plane refers to any action that controls the Data Plane. You already know many Control Plane protocols, for example all IP routing protocols work in Control Plane phase. routes are determined, Data Plane can forward incoming packets. The following list includes most of the common Control Plane protocols: ■ Routing protocols OSPF, EIGRP, RIP, BGP ■ IPv4 ARP ■ IPv6 Neighbor Discovery Protocol (NDP) ■ MAC Address learning of switches. ■ STP I Controller Based Networks Management Plane Control Plane directly affects the behavior of the Data Plane. However, Management Plane does not directly affect Data Plane. Instead, the Management Plane includes protocols that allow us to manage network devices. Telnet and SSH are Management Plane protocols. The figure below shows some of the Management Plane Protocols. Figure 45-3 Working Logic of Control and Data Plane Stages in Router I Controller Based Networks Controllers and Software-Defined Architecture A Controller centralizes control of software-based (SDN) network devices. 
The degree of control and the type of control vary greatly. For example, the Controller can perform all Control Plane functions by replacing the distributed Control Plane of the devices. Alternatively, the Controller can manage the ongoing operation of the distributed Data, Control and Management Planes without changing the way the devices operate. And the list goes on with many variations.

New approaches to networking emerged in the 2010s, most of them moving Control Plane functionality into a piece of software called a Controller that runs as a central application.

Central Management with Controllers

Most traditional Control Plane operations use a distributed architecture. For example, each Router runs its own OSPF Routing protocol process. To perform their work, these distributed Control Plane processes use messages, such as OSPF protocol messages, to communicate between Routers. As a result, traditional networks are said to use a distributed Control Plane.

There are pros and cons to using distributed or centralized architectures to perform any function in a network. Many Control Plane functions have a long history of working well with a distributed architecture. However, a centralized application may be easier to write than a distributed application, because the centralized application collects all the data in one place.

To better understand the idea of a Controller, consider a special case as shown in Figure 45-4, where an SDN Controller centralizes all important Control Plane functions. First, the Controller connects to the network so that it can access the devices on the network. Each of the network devices still has a Data Plane; however, the Control Plane functions of the devices are now performed by the Controller. The Controller programs the Data Plane entries directly. The network devices do not populate their routing tables with traditional distributed Control Plane operations.
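The following Python example is added here to make the plane split concrete; it is my illustration, not code from the course or from Cisco. Control Plane methods install and withdraw routes (what OSPF or a static route would do), the Data Plane method looks up each packet with a longest-prefix match and applies a filter, and controller_program shows the centralized alternative just described, where a Controller writes the same entries into the device directly. Router names, prefixes and addresses are constructed sample data.

```python
# Added example (not from the course slides): a minimal model of the split
# between the Control Plane, which learns and installs routes, and the Data
# Plane, which handles each packet by looking its destination up in that table.
# Routers, routes and packets below are constructed sample data.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # next-hop address, or "connected"
    source: str        # which Control Plane process installed the route


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)
    deny_list: set = field(default_factory=set)  # ACL-style filter, a Data Plane action

    # --- Control Plane: runs per route change (OSPF update, static config, ...)
    def install_route(self, prefix, next_hop, source):
        net = ipaddress.ip_network(prefix)
        # An update for the same prefix replaces the old entry.
        self.routes = [r for r in self.routes if r.prefix != net]
        self.routes.append(Route(net, next_hop, source))

    def withdraw_route(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    # --- Data Plane: runs once per packet and only reads the table
    def lookup(self, dst_ip):
        """Longest-prefix match: of all routes containing dst_ip, the most specific wins."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, dst_ip):
        """Per-packet decision, returned as a string so it can be checked."""
        if dst_ip in self.deny_list:          # filter action (ACL / port security)
            return "drop (filtered)"
        route = self.lookup(dst_ip)
        if route is None:
            return "drop (no route)"
        return f"forward via {route.next_hop}"


def build_traditional_router():
    """Distributed Control Plane: R1 itself learns the routes (constructed data)."""
    r1 = Router("R1")
    r1.install_route("192.168.10.0/24", "connected", "connected")
    r1.install_route("10.0.0.0/8", "10.1.1.2", "ospf")
    r1.install_route("10.20.0.0/16", "10.1.1.3", "ospf")   # more specific than 10.0.0.0/8
    r1.install_route("0.0.0.0/0", "203.0.113.1", "static")
    r1.deny_list.add("10.20.5.5")
    return r1


def controller_program(routers, table):
    """SDN-style alternative: a central Controller pushes the same kind of entries
    into every device's Data Plane (over an SBI) instead of each router running OSPF."""
    for rtr in routers:
        for prefix, next_hop in table.get(rtr.name, []):
            rtr.install_route(prefix, next_hop, "controller")


if __name__ == "__main__":
    r1 = build_traditional_router()
    for dst in ("10.20.1.1", "10.30.1.1", "8.8.8.8", "10.20.5.5"):
        print(dst, "->", r1.forward(dst))
    r2 = Router("R2")
    controller_program([r2], {"R2": [("10.0.0.0/8", "10.1.1.1")]})
    print("R2 10.5.5.5 ->", r2.forward("10.5.5.5"))
```

Note that forward never modifies the table: the per-packet path only reads what the Control Plane (or the Controller) installed, which is exactly the separation the slides describe.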
This emerging world of software-defined architectures (SDA) uses a centralized architecture with a central Control Plane, called the Controller, at its foundation.

Figure 45-4 Centralized Control Plane and a Distributed Data Plane

Southbound Interface

In a Controller-based network architecture, the Controller must communicate with the network devices. In most network drawings and architectural drawings, these network devices are typically located below the Controller, as shown in Figure 45-4. There is an Interface between the Controller and these devices, and because the devices sit at the bottom of the drawings, this Interface came to be known as the Southbound Interface, or SBI.

An SBI usually contains a protocol so that the Controller and devices can communicate, and usually also includes an application programming interface (API). An API is a method for an application (program) to exchange data with another application. Programs process data, so an API allows two programs to exchange data. While a protocol usually exists as a document from a standards body, an API exists as generally usable code (functions, variables, and data structures) that a program can use to transmit and copy structured data between programs on a network. The SBI is the interface between the Controller and the network devices; it allows the two programs to communicate, and its main purpose is to allow the Controller to program the Data Plane routing tables of the network devices.

Northbound Interface

In a central control model, the Controller does most of the work required for the Control Plane and gathers all sorts of useful information about the Network. To see where the NBI is, first consider the Controller itself. A Controller is software that runs on a VM or on physical servers.
An application can run on the same server as the Controller and use an API, an NBI, so that the two programs can communicate. The Controller can create a central repository for all this useful information about the network. The following list shows the information that the Controller collects about the network:

■ List of all devices on the network
■ Capabilities of each device
■ Interfaces / ports on each device
■ Current status of each Port
■ Topology: which devices are connected to which interface
■ Device configuration: IP addresses, VLANs, etc.

A Controller opens the Northbound Interface (NBI) so that its data and functions can be used by other programs, enabling much faster network programmability. Programs can retrieve information using the Controller's APIs. NBIs also enable programs to use the Controller's capabilities to program flow entries into devices through the Controller's SBIs.

The Figure below shows just such an example. The big box in the figure represents the system where the Controller software is located. This Controller is Java-based software and has a Java-based native API. The Controller manufacturer, another company, or anyone else can write an application that runs on the same operating system and uses the Controller's Java API. Using this API to exchange data with the Controller, the application can learn the information about the network.

Figure 45-5 Java API: Java Applications Communicate with the Controller

Network Programmability and SDN Examples

In this Chapter, we will talk about three different SDN and network programmability solutions Cisco offers:

• OpenDaylight Controller
• Cisco Application Centric Infrastructure (ACI)
• Cisco APIC Enterprise Module (APIC-EM)

OpenDaylight and OpenFlow

The Open SDN model centralizes most Control Plane functions, with network control by the Controller and all applications using the Controller's NBIs. The Figure below, which shows network devices without Control Plane functions, represents this centralized OpenFlow model of SDN. In the OpenFlow model, applications can use any of the APIs (NBIs) their Controller supports to dictate what routing table entries to add to devices, but the network devices must support OpenFlow.

This model comes from the Open Networking Foundation (ONF), a common SDN model, and is called Open SDN. ONF (www.opennetworking.org) acts as a consortium of users (operators) and vendors to help establish SDN in the marketplace. Its purpose is to help people implement their SDN vision using SBIs and NBIs. The ONF model of SDN features OpenFlow. OpenFlow defines the concept of a Controller with an IP-based SBI between the Controller and the network devices. OpenFlow also defines a standard idea of what a switch's capabilities are, based on the ASICs and TCAMs commonly used in switches today.

OpenDaylight Controller

OpenDaylight is one of the most successful SDN Controller platforms to emerge from the consolidation process of the 2010s as an open source SDN Controller. All manufacturers can use the open source Controller as the basis for their products, and each manufacturer can focus on product differentiation rather than core features. As a result, the OpenDaylight SDN Controller (www.opendaylight.org) was born in the mid-2010s. OpenDaylight (ODL) started as a separate project, but is now maintained as a project managed by the Linux Foundation. Figure 45-6 shows a generalized version of the ODL architecture.

Cisco Open SDN Controller (OSC)

In the 2010s, Cisco released a commercial version of its OpenDaylight Controller model called the Cisco Open SDN Controller (OSC). This Controller was inspired by the model developed for the ODL project. Cisco no longer manufactures and sells Cisco OSC; I wanted to briefly mention this past product for your knowledge.
Figure 45-6 Architecture of NBI, Controller Internals, and SBI to Network Devices

Cisco Application Centric Infrastructure (ACI)

As Cisco redesigned networking for the data center, the ACI designers focused on the applications running in a data center and what they needed. As a result, they created networking concepts around application architectures. Cisco made its network infrastructure application-centric; hence Cisco's SDN data center solution is called Application Centric Infrastructure (ACI).

ACI Physical Design: Spine and Leaf

Cisco ACI uses a special physical switch topology called Spine and Leaf. With ACI, the physical network contains a set of Spine Switches and a set of Leaf Switches, as shown in the Figure on the right.

Figure 45-7 Spine-Leaf Network Design

■ Each Leaf Switch must be connected to each Spine Switch.
■ Each Spine Switch must be connected to each Leaf Switch.
■ Leaf Switches cannot be interconnected.
■ Spine Switches cannot be interconnected.
■ Endpoints connect to Leaf Switches only.

Cisco APIC Enterprise Module

When Cisco started implementing new network designs in companies, they faced a major hurdle. Most of the existing devices in the customers' networks did not have any enterprise SDN solution; since only some of the existing devices supported SBIs, SDN solutions could not be implemented centrally. The APIC-EM product was developed for this.

APIC-EM Basics

When Cisco introduced its first SDN (network programmability) solution, it rejected the idea that customers should replace all their hardware and buy products compatible with SDN solutions. Instead, it looked for ways to add the benefits of SDN to networks with a central Controller, without replacing the existing devices. The Cisco APIC-EM product offered enterprise SDN solutions without changing the devices in existing networks. What advantages can a Controller-based architecture offer if the devices on the network do not have new SDN features?
It can provide the advantages in Figure 45-8. Cisco announced the end of sales for its APIC-EM product in 2019. Many of the functions of the APIC-EM product have become key features of Cisco DNA Center (DNAC).

Figure 45-8 APIC-EM Controller Model

■ Topology Map: The application discovers and displays the topology of the network.
■ Path Tracking: The user provides a source and a target device and the app shows the route through the network, with routing details at each step.
■ Plug and Play: This app provides plug-and-play support, so you can take a new device out of the box and make it IP-accessible through automation in the Controller.
■ Easy QoS: With a few simple steps in the Controller, you can configure complex QoS features on each device.

Software Defined Access
SDA Fabric, Underlay, and Overlay
DNA Center as Network Management Platform
DNA Center and SDA Operation

Software-Defined Access: SDA Fabric, Underlay, and Overlay

Cisco Software Defined Access (SDA) is a completely new way to create Campus LANs compared to traditional networking methods. Cisco began redesigning Campus LANs with SDA in the mid-2010s. SDA uses a software-based architecture model with a Controller and various APIs. In this architecture, a physical network is still used, which includes Switches, Routers, cables and various endpoints. As shown in the figure on the right, Digital Network Architecture (DNA) software becomes the central Controller, and automation is provided using a graphical user interface (GUI) and APIs. In short, DNA Center becomes the Controller of SDA networks. Architecturally, the SBI side of the Controller includes the Fabric, the Underlay and the Overlay:

Underlay: Uses the wired and wireless connections to dynamically find all SDA-supported devices and to provide IP connectivity for those devices, as part of the process of creating VXLAN tunnels.

Fabric: The combination of the overlay and the underlay, which together offer all the features needed to transmit data over the network.
Overlay: VXLAN tunnel mechanisms are created between the SDA Switches, then the SDA fabric is used to move traffic from one device to another.

Figure 46-1 DNA-Centered SDA Architecture Model

SDA Underlay

The SDA Underlay provides connectivity between the Switches in the SDA environment to support the VXLAN tunnels of the Overlay network. The Underlay uses the wired and wireless connections that make up the physical network to do this.

Using Existing Devices for SDA Underlay

Companies have two basic options for building an SDA underlay network. They can use their existing campus networks, or alternatively purchase new Switches, set up the SDA network without worrying about disrupting existing traffic, and migrate endpoints to the new SDA network over time.

Using New Devices for SDA Underlay

Buying new devices for the SDA fabric eliminates many of the difficulties that can be encountered when using existing devices. You can easily order compatible hardware and software and automatically configure all underlay features with DNA Center. For this to work, the Underlay will first configure all switches with IP addresses from the 172.16.0.0/16 IPv4 address space. The figure below shows a small SDA design with four switches, each with the underlay IP address shown (from the 172.16.0.0/16 address space).

SDA Overlay

First, an endpoint sends a frame to be delivered over the SDA network. The first SDA Switch to receive the frame encapsulates the frame using a tunneling feature called VXLAN and forwards it. The other SDA Switches forward the frames according to the VXLAN tunnel details. The final SDA Switch removes the VXLAN details and forwards the original frame to the target endpoint.

Figure 46-3 Basics of VXLAN Encapsulation in SDA

DNA Center and SDA Operation

Cisco DNA Center (www.cisco.com/go/dnacenter) has two important roles in our networks:

• Working as a Controller in a network using Cisco SDA.
• Working as a network management platform for traditional (non-SDA) network devices.

Cisco DNA Center

Cisco DNA Center supports several Southbound APIs so it can communicate with the devices it manages. You can think of them as two categories:

• Protocols supporting traditional network devices / software versions: Telnet, SSH, SNMP
• Protocols supporting newer network devices / software versions: NETCONF, RESTCONF

Cisco DNA Center requires the legacy protocols to support many legacy Cisco devices and operating system versions. Over time, Cisco is adding support for NETCONF and RESTCONF to its more current hardware and software.

Figure 46-4 Cisco DNA Center with Northbound and Southbound Interfaces

DNA Center as Network Management Platform

The Cisco Prime Infrastructure (PI) (www.cisco.com/go/primeinfrastructure) product is used to manage traditional corporate networks. Cisco Prime Infrastructure has been used for network management in companies for many years. PI itself runs as an application on a server platform with GUI access via a web browser. The PI server can be purchased from Cisco as a software package to install and run on your own servers, or as a physical appliance. It includes the following features:

■ Discovers network devices, creates an inventory, and creates a topology map of them.
■ Uses SNMP, SSH, and Telnet, as well as CDP and LLDP, to view and learn information about devices on the network.
■ Simplifies QoS configuration on each device.
■ Manages software on network devices and automates updates.
■ Performs initial setups for new network devices after the new device has been physically installed, connected to a network cable and powered up.
■ All PI functions and features are available through a single GUI.
■ Provides support for traditional enterprise LAN, WAN, and data center management functions.
■ Allows you to manage both wired and wireless networks from the same management platform.

Similarities of DNA Center to Traditional Management

All features of DNA Center are similar to traditional management software. For example, both can discover network devices and create a network topology map. As an example, the next page shows a network topology map in DNA Center in Figure 46-5. Both PI and DNA Center can perform a discovery process to find all devices on the network and then create topology maps to show the devices. (Interestingly, DNA Center can work with PI, using the data discovered by PI instead of performing the discovery work again.)

Figure 46-5 DNA Center Topology Map

Figure 46-6 Details About a Cisco 9300 Switch from DNA Center

The GUI mechanisms are relatively intuitive, with the ability to click for more or less detail. Figure 46-6 shows a little more detail after pointing and clicking on one of the switches in the topology in Figure 46-5. I recommend you take some time to use Cisco DNA Center and watch some videos about it. You can find Cisco DNA Center virtual labs to practice with at https://developer.cisco.com.

Differences between Traditional Management and DNA Center

Broadly speaking, there are a few key differences between Cisco DNA Center and traditional network management platforms such as Cisco PI. The biggest difference: Cisco DNA Center supports SDA while other management applications do not. Cisco PI still has some traditional management features not found in Cisco DNA Center. So while Cisco DNA Center focuses on future features such as SDA support and already has many of these management features, consider PI for traditional device management.

By improving Cisco DNA Center's features, Cisco aims to simplify the work done by businesses and to make changes much faster and at lower cost. Cisco DNA Center helps make initial setups easier, simplifies the job of implementing features with demanding configurations, and helps you spot problems faster. Some of the Cisco DNA Center-specific features include:

■ EasyQoS: You can apply QoS, which is complicated to configure manually, with just a few simple options from Cisco DNA Center.
■ Encrypted traffic analysis: Cisco DNA Center enables the use of different algorithms to recognize security threats even in encrypted traffic.
■ Provides comprehensive information about the health status of devices.
■ Network time travel: Shows historical client performance on a timeline to compare with current behavior.

Note: Cisco hopes to continue updating the DNA Center traditional network management features, compared to Cisco PI, to the point where DNA Center can replace PI.

Understanding REST and JSON
REST Based APIs
REST APIs and HTTP
Data Modeling and JSON
Interpreting JSON

Understanding REST and JSON: REST Based APIs

REST Based (RESTful) APIs

Applications use application programming interfaces (APIs) to communicate. To do this, a program can learn the variables and data structures used by another program, make logical choices based on these values, change the values of these variables, create new variables, and delete variables. APIs allow programs running on different computers to work together and exchange data to achieve a goal.

In the API software world, some applications provide an API, along with many other applications that use the API. Software developers add APIs to their software so that other applications can take advantage of the first application's features. A developer writes some code when writing an application, but by using APIs that provide data and functions, the developer can do more by writing less code, reducing the amount of new code that needs to be written.

REST APIs follow a set of ground rules for what does and does not constitute a REST API. There are six properties, defined by Roy Fielding, the creator of REST APIs. (You can find a good summary at https://restfulapi.net.) These six features are:

■ Client/server architecture
■ Stateless Operation
■ Clear statement of cacheable/uncacheable
■ Uniform Interface
■ Layered
■ Code-on-Demand

The first three of these features form the basis of how a REST API works. You can see these first three features more easily when working with networking REST APIs, so let's look at these first three features now.

Client/Server Architecture

Like many applications, REST applications use a client/server architectural model. First, an application developer creates a REST API, which acts as a REST server while the application runs. Any other application can make a REST API call (as a REST client) by running some code that causes a request to flow from the client to the server. For example, in Figure 47-1:

1- The REST client on the left sends a REST API call message to the REST server.
2- The REST server on the right has the API code that considers the request and decides how to respond.
3- The REST server returns the reply message, with the appropriate data variables in the reply message.

Stateless Operation

The stateless nature of REST APIs means that the server does not save and reuse information from one API exchange to handle later ones. For comparison, the TCP protocol uses a stateful approach while UDP uses stateless processing. A TCP connection requires the endpoints to initialize variables at each end, update these variables over time, and use these variables for subsequent TCP messages. For example, TCP uses sequence numbers and acknowledgment numbers to manage data flow in a TCP connection.

Cacheable (or Not)

To understand what the word cacheable means, consider what happens when you browse a website. When your browser loads a new web page, the page contains various objects (text, images, videos, audio).
Some objects rarely change, so you'd better download the object once and not download it again; in this case, the server marks this object as cacheable. For example, a logo or other image displayed on many pages of a website hardly ever changes and can possibly be cached. However, the product list returned by your most recent website search cannot be cached, because the server will want to update and provide a new list each time you request the page.

Figure 47-1 Client / Server Operation with REST

REST APIs and HTTP

APIs are used to allow two programs to exchange data. Some APIs can be designed as an interface between programs running on the same computer, so that communication between the programs takes place within a single operating system. Many APIs must be available to programs running on other computers, so the API must define the type of network protocols supported by the API, and many REST-based APIs use the HTTP protocol.

Developers of REST-based APIs often choose HTTP because the logic of HTTP matches some of the concepts that define REST APIs more generally. HTTP uses the same principles as REST: it works with a client/server model, it uses the stateless operation model, and it includes headers that mark objects as cacheable or non-cacheable.

Software CRUD Actions and HTTP Verbs

The software industry uses CRUD, a catchy acronym for the four main actions performed by an application. These actions are:

Create: Allows the client to create some new variables and data structures on the server and initialize the values held on the server.
Read: Retrieves a copy of the variable structures and values into the client, allowing it to read the current value of the variables on the server.
Update: Allows the client to change (update) the value of variables located on the server.
Delete: Allows the client to delete different instances of data variables from the server.

For example, if you're using a DNA Controller's Northbound REST API, you might want to create something new, like a new security policy. From a programming perspective, the security policy exists as a set of configuration settings in the DNA Controller, represented internally by variables. To do this, a REST client application uses a create action through the DNA Center RESTful API, which creates the variables on the DNA Controller. Creating new configuration in the Controller is done via the API using CRUD actions.

HTTP works well with REST in part because HTTP has Verbs that match the common program actions in the CRUD paradigm. Table 47-1 lists the HTTP Verbs and the CRUD terms.

Table 47-1 Comparing CRUD Actions to REST Verbs

Data Modeling and JSON

Data modeling languages provide methods for using text to define variables so that the text can be sent over a network or stored in a file. Data modeling languages give us a way to represent variables with text rather than the internal representations used by any particular programming language. Every data modeling language enables API servers to return data so that the API client can replicate the same variable names as well as the data structures available on the API server. To describe data structures, data modeling languages contain special characters and rules that convey ideas about list variables, dictionary variables, and other more complex data structures.

XML

Extensible Markup Language (XML) was developed later to make some improvements to older markup languages. A markup language was needed that could define variables for use on a web page. XML defines a markup language with many features for describing variables, values, and data structures. Comparing XML to JSON, both try to be human readable, but XML is a bit harder to read. For example, like HTML, XML uses start and end tags for each variable, as shown in the figure below.
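Before going further into data modeling, here is an added Python example that ties together the three REST properties and the CRUD-to-verb pairing of Table 47-1; it is my illustration, not code from the course, from Cisco or from DNA Center's real API. It runs a toy REST server and client in memory: the server keeps resources but no per-client session state (stateless), marks a rarely changing object cacheable and API responses non-cacheable, and the client maps each CRUD action onto an HTTP verb. The /api/policies paths, the "security policy" resource and the logo object are constructed.

```python
import json

# Added example (not from the course): a toy REST server and client, in memory,
# showing client/server operation, stateless handling, cache headers and the
# CRUD-to-HTTP-verb pairing. Paths, the policy resource and the logo are constructed.
CRUD_TO_VERB = {"create": "POST", "read": "GET", "update": "PUT", "delete": "DELETE"}
JSON_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store"}


class RestServer:
    """Keeps resources, never per-client session state: each request is handled
    from its own method, path and body alone (stateless operation)."""

    def __init__(self):
        self.policies = {}      # resource id -> policy dict
        self.next_id = 1
        self.static = {"/logo.png": b"<constructed png bytes>"}

    def handle(self, method, path, body=None):
        """Return (status, headers, body) for one request."""
        if path in self.static:                       # rarely changes: cacheable
            if method != "GET":
                return 405, {}, None
            return 200, {"Cache-Control": "max-age=86400"}, self.static[path]
        if path == "/api/policies":                   # collection: list or create
            if method == "GET":
                return 200, JSON_HEADERS, json.dumps(list(self.policies.values()))
            if method == "POST":
                pid, self.next_id = self.next_id, self.next_id + 1
                self.policies[pid] = {**json.loads(body), "id": pid}
                return 201, JSON_HEADERS, json.dumps(self.policies[pid])
            return 405, {}, None
        if path.startswith("/api/policies/"):         # one resource: read/update/delete
            try:
                pid = int(path.rsplit("/", 1)[1])
            except ValueError:
                return 404, {}, None
            if pid not in self.policies:
                return 404, {}, None
            if method == "GET":
                return 200, JSON_HEADERS, json.dumps(self.policies[pid])
            if method == "PUT":
                self.policies[pid] = {**json.loads(body), "id": pid}
                return 200, JSON_HEADERS, json.dumps(self.policies[pid])
            if method == "DELETE":
                del self.policies[pid]
                return 204, {}, None
            return 405, {}, None
        return 404, {}, None


class RestClient:
    """Maps CRUD actions onto HTTP verbs and carries everything the server needs
    in each request, so no earlier request has to be remembered by either side."""

    def __init__(self, server):
        self.server = server

    def _call(self, action, path, data=None):
        verb = CRUD_TO_VERB[action]
        body = None if data is None else json.dumps(data)
        status, headers, raw = self.server.handle(verb, path, body)
        if raw is not None and headers.get("Content-Type") == "application/json":
            raw = json.loads(raw)
        return status, headers, raw

    def create_policy(self, data):
        return self._call("create", "/api/policies", data)

    def read_policy(self, pid):
        return self._call("read", f"/api/policies/{pid}")

    def update_policy(self, pid, data):
        return self._call("update", f"/api/policies/{pid}", data)

    def delete_policy(self, pid):
        return self._call("delete", f"/api/policies/{pid}")
```

The id the server assigns on create is returned in the reply and must be sent back by the client on every later read, update or delete; that is what stateless operation looks like from the client's side.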
In the XML figure, the highlighted line specifies a variable name, with the value located between the <macAddress> and </macAddress> tags.

Data Modeling Languages: JSON

JavaScript Object Notation (JSON) tries to strike a balance between human and machine readability. At the same time, JSON data makes it easy for programs to convert JSON text into variables, making it very useful for exchanging data between applications that use APIs. You can find details of JSON in IETF RFC 8259 and through a number of Internet searches, including www.json.org.

Example 47-1 JSON Output from a REST API Call

YAML (Ain't Markup Language)

XML tries to define markup details, but YAML doesn't try to define markup details. Instead, YAML focuses on the data model (structure) details. YAML also tries to be clean and simple. YAML data is the easiest to read of the data modeling languages.

Table 47-2 Comparing Data Modeling Languages

Example 47-2 YAML File Used by Ansible

Interpreting JSON

Even without knowing anything about JSON syntax, you can probably understand it from your previous knowledge of Cisco Routers and Switches. You can probably understand that the example below shows a list of Interfaces on two devices, written in JSON.

Example 47-3 Simple JSON Listing Router Interfaces

Interpreting JSON Key: Value Pairs

Let's review these rules about Key: Value Pairs in JSON, which you can think of as argument names and values:

■ Key: Value Pair: Defines a Key: Value Pair, with the key before and the value after the colon.
■ Key: Text used as a name that refers to a value, in double quotes, before a colon.
■ Value: The element that represents the key's value, after the colon:
■ Text: Listed in double quotes.
■ Numeric: Listed without quotation marks.
■ Array: A special value enclosed in [ ].
■ Object: A special value enclosed in { }.
■ Multiple Pairs: When listing multiple Key: Value Pairs, separate the pairs with a comma at the end of each pair (except the last pair).

To work with some of these rules, consider the JSON data of Example 47-4 and focus on the three Key: Value Pairs. The text after the example analyzes the example.

Example 47-4 One JSON Object (Dictionary) with Three Key: Value Pairs

As for the other special characters, watch out for commas and curly braces. The first two Key: Value Pairs end with a comma, so each must be followed by another Key: Value Pair. The curly braces that start and end the JSON data indicate a single JSON Object.

Interpreting JSON Objects and Arrays

JSON uses Objects and Arrays to pass data structures beyond Key: Value Pairs with a simple value. Objects can be somewhat flexible, but in most uses they act like a dictionary. Arrays list a series of values. Let's look at how to interpret the syntax for JSON Objects and Arrays:

{ } - Object: A set of Key: Value Pairs (which may themselves contain arrays) enclosed in a pair of curly braces.
[ ] - Array: A series of values (not Key: Value Pairs) enclosed in a pair of square brackets.

Example 47-5 A JSON Snippet Showing a Single JSON Array (List)

Now consider the entire structure of the JSON data in Figure 47-4. It has a matching pair of curly braces to start and end the text, enclosing an Object. This Object contains two colons, so there are two Key: Value Pairs inside the Object.

Keys: All Key: Value Pairs inside an Object follow the rules of the previous Key: Value Pairs section.
Values inside Arrays: Follow the same rules (for example, double quotes around text, no quotes around numbers).

Example 47-5 shows a single Array in JSON format. Notice that the JSON data begins with a square bracket [ followed by a list of three text values. It then ends with a square bracket ].

Figure 47-4 Accurate/Complete JSON Data with One Object, Two Keys, Two JSON List Values

Shortened and Smooth JSON

JSON allows whitespace between elements, so you can include or omit it depending on your needs.
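The following added Python example applies the Interpreting JSON rules above with the standard json module and also produces the compact and indented forms discussed in this section; it is my illustration, not code from the course. The SAMPLE text is constructed to resemble the router interface listing of Example 47-3 but is not that example; the describe function labels every element with its JSON kind, count_pairs counts colons inside objects at every depth, and is_valid_json shows that a trailing comma after the last pair is rejected.

```python
import json

# Added example (not from the course): walking JSON text with Python's json module
# and naming each piece with the terms from the Interpreting JSON rules.
# SAMPLE is constructed to resemble a "router interfaces" listing; it is not the
# slide's Example 47-3.
SAMPLE = """
{
  "response": [
    {"hostname": "R1",
     "interfaces": [
        {"name": "GigabitEthernet0/1", "ip": "192.168.2.1", "mask": 24, "up": true},
        {"name": "GigabitEthernet0/2", "ip": null, "mask": null, "up": false}
     ]},
    {"hostname": "D-Sw", "interfaces": []}
  ],
  "version": "1.0"
}
"""


def parse(text):
    """Text -> Python objects (dict for Object, list for Array, str/int/float/bool/None)."""
    return json.loads(text)


def kind(value):
    """JSON kind of a parsed value. bool is tested before number because in
    Python bool is a subclass of int."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    if isinstance(value, bool):
        return "boolean"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return "number"
    return "text"


def describe(value, path="$"):
    """One line per element: its path and kind. Objects recurse by key, arrays by index."""
    lines = [f"{path}: {kind(value)}"]
    if isinstance(value, dict):
        for key, child in value.items():
            lines.extend(describe(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            lines.extend(describe(child, f"{path}[{index}]"))
    return lines


def count_pairs(value):
    """Number of Key: Value Pairs: one per colon inside an object, at every depth."""
    if isinstance(value, dict):
        return len(value) + sum(count_pairs(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_pairs(v) for v in value)
    return 0


def is_valid_json(text):
    """A comma after the last pair, or an unmatched brace or bracket, is rejected."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def compact(text):
    """Minified form: no whitespace between elements."""
    return json.dumps(json.loads(text), separators=(",", ":"))


def pretty(text):
    """Indented form, easier for a human to match braces and brackets."""
    return json.dumps(json.loads(text), indent=2)


if __name__ == "__main__":
    print("\n".join(describe(parse(SAMPLE))))
    print("pairs:", count_pairs(parse(SAMPLE)))
    print(compact(SAMPLE))
```

Running describe on SAMPLE prints the outer Object, the response Array, each interface Object and every Key: Value Pair inside them, which is the same walk the slides ask you to do by eye.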
For humans, JSON can be much easier to read when the text is organized and aligned with whitespace. For example, having matching opening and closing braces on the same line makes it much easier to find which closing brace belongs to which opening brace.

{"1stbest": "Messi", "2ndbest": "Ronaldo", "3rdbest": "Pele"}

Understanding Ansible, Puppet, and Chef
Ansible, Puppet and Chef Basics
Summary of Configuration Management Tools

Ansible, Puppet, and Chef: Ansible, Puppet and Chef Basics

Ansible, Puppet, and Chef are configuration management software packages. There are paid and free versions of these tools, but you may need to run them on Linux, as some of the tools do not work on the Windows operating system. All three software packages emerged as part of the transition from hardware-based servers to virtualized servers. As the number of virtual servers began to increase, automation software was needed to create, configure and remove VMs.

Ansible

You can install Ansible (www.ansible.com) on Linux or Mac, or on a Linux VM on Windows. You can use the free open source version or the paid Ansible Tower server version. Ansible uses the push model (Puppet and Chef use the pull model), as shown in Figure 48-1. After installing Ansible, you need to create and edit Playbooks and other Ansible files. Once installed, several kinds of files are created, such as:

Templates: Using the Jinja2 language, templates represent a device's configuration with variables.
Variables: Using YAML, a file can list variables that Ansible will substitute into templates.

Ansible uses an agent-less architecture to manage network devices. This means that Ansible does not rely on any code (an agent) running on the network device. Instead, Ansible uses SSH or NETCONF features to make changes and get information on network devices. When using SSH, Ansible makes changes on the device as its users would, but does the job with Ansible code instead of a human.
Playbooks: These files provide actions and logic for what Ansible should do. Inventory: These files provide device names along with information about each device so Ansible can perform functions for subsets of the inventory. Figure 48-1 Ansible Push Model I Ansible, Puppet, and Chef Puppet To use Puppet (www.puppet.com), you can start by installing it on a Linux Puppet typically uses an agent-based architecture for network devices support. operating system. You can install it on your own Linux server for testing, but Some network devices enable Puppet support via an on-device tool. However, for normal use you need to install it on a Linux server called Puppet master. As not every Cisco operating system supports Puppet agents, so Puppet solves this with Ansible, you can use the paid or free versions. You can start learning problem by using a proxy agent running on some external computer (called Puppet without a separate server to learn and test. Agent-less process). The external agent then uses SSH to communicate with Once installed, Puppet also uses several important text files with different the network device, as shown in Figure 48-2. components such as: Manifest: A text file that makes the configuration status of a device human readable in the Puppet master. Resource, Class, Module: These terms refer to the components of the manifest. Templates: Using a Puppet-specific language, these files allow Puppet to create declarations (and modules, classes, and resources) by manipulating variables in templates. Figure 48-2 Agent Based and Agent-less Puppet Operation I Ansible, Puppet, and Chef Puppet agent (Agent) must be enabled earlier on the device, it uses a Pull model Chef to make this configuration appear on the device as shown in the figure below. Chef (www.chef.io) is a software package that you install and run, like Ansible Once installed these steps happen and Puppet. 
Step 1: You create and edit all the files on the Puppet server.
Step 2: You configure and enable the agent or a proxy agent on each device.
Step 3: The agent pulls the manifest details from the server, which tell the agent what its configuration should be.
Step 4: If the device configuration needs to be updated, Puppet performs additional exchanges with the agent, which updates the device configuration with all the necessary details.

Figure 48-3 Pull Model with Puppet

Chef

Chef (www.chef.io) is a software package that you install and run, like Ansible and Puppet. The Chef company has many products; the Chef Automate software is what most people simply refer to as Chef. As with Puppet, you run Chef by installing it on a server. After installing the Chef software, you create several text files with different components, such as:

Resource: The configuration objects managed by Chef.
Recipe: Chef logic applied to determine when and how to act on resources.
Cookbooks: A set of recipes for the same type of work, grouped for easier management and sharing.
Runlist: An ordered list of recipes that should be run on a particular device.

Chef uses an architecture similar to Puppet's and runs an agent on network devices. Ansible and Puppet are used more for Cisco devices, because Cisco devices do not support a Chef client.

I Ansible, Puppet, and Chef
Summary of Configuration Management Tools

All three configuration management tools listed here have a good user base and different strengths. Ansible is the most commonly used for managing the configuration of network devices, followed by Puppet and Chef. Ansible's agent-less architecture and use of SSH support many Cisco devices, and Puppet's agent-less model also provides broad support for Cisco devices.

Table 48-1 Comparison of Ansible, Puppet and Chef

Final
I Course Summary with Physical Devices | lab
I Exam Question Examples
I Exam Lab Examples
I How to enter the exam?
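As an added example (not from the course, and not Ansible's own documentation), here are the four kinds of Ansible files described in the Ansible section above, bundled into one block with a comment header per file: an inventory, a variables file, a Jinja2 template, and a playbook that pushes the rendered configuration to the devices over SSH (the push model in Figure 48-1). The `.j2` section is Jinja2 text, not YAML, and lives in its own file. Device names, the 192.0.2.x addresses (documentation range), the VLAN numbers and names, the domain name and the `netops` account are all constructed for the example; the module and connection names (`cisco.ios.ios_config`, `ansible.netcommon.network_cli`, `cisco.ios.ios`) are the real ones from the Cisco IOS collection. The template also carries the SSH-only vty access and VLAN creation that the course summary repeats later.

```yaml
# ---- inventory.yml : which devices Ansible manages and how it reaches them ----
all:
  children:
    switches:
      hosts:
        sw1:
          ansible_host: 192.0.2.11      # constructed address (documentation range)
        sw2:
          ansible_host: 192.0.2.12      # constructed address
      vars:
        ansible_connection: ansible.netcommon.network_cli   # agent-less: an ordinary SSH CLI session
        ansible_network_os: cisco.ios.ios
        ansible_user: netops            # dedicated automation account (assumed to exist on the devices)
        # The SSH password or key comes from an Ansible Vault file or --ask-pass, never from this file.

# ---- group_vars/switches.yml : variables Ansible substitutes into the template ----
domain_name: lab.example              # constructed
vlans:
  - { id: 10, name: USERS }           # constructed VLAN plan
  - { id: 20, name: SERVERS }
  - { id: 30, name: MGMT }

# ---- templates/baseline.j2 : Jinja2 template of the desired IOS configuration ----
# (this section is Jinja2 text; copy it into templates/baseline.j2 without the leading "# ")
# hostname {{ inventory_hostname }}
# ip domain-name {{ domain_name }}
# {% for vlan in vlans %}
# vlan {{ vlan.id }}
#  name {{ vlan.name }}
# {% endfor %}
# line vty 0 4
#  transport input ssh
#  login local

# ---- baseline.yml : the playbook ----
# Run first as: ansible-playbook -i inventory.yml baseline.yml --check --diff
# (shows what would change on each switch without pushing anything), then without --check.
- name: Push baseline configuration to all switches
  hosts: switches
  gather_facts: false
  tasks:
    - name: Render the template with this host's variables and push the result over SSH
      cisco.ios.ios_config:
        src: templates/baseline.j2    # templated per host, then compared with the running-config
        backup: true                  # saves a copy of the running-config before any change
        save_when: modified           # write memory only when something actually changed
```

Because Ansible logs in exactly as a human administrator would (as the section notes), the `netops` account should be a separate, least-privilege account whose SSH logins you can recognise in the device's AAA and syslog records; the `backup: true` copies give you a known-good configuration to compare against or restore if a push produces an unexpected diff.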
I Final
Course Summary with Physical Devices

Let's repeat some of the configurations that we have handled and used frequently on physical devices. Configurations that we will repeat:
1- CLI Access and CLI Security, Telnet and SSH
2- Switch Interface Configuration
3- VLAN creation and VLAN Trunking
4- Static Route, Default Route
5- Routing Between VLANs
6- Switchport Security
7- DHCP configuration, DHCP Snooping and ARP Inspection
8- NAT Overload (PAT)
9- Cisco IOS Config Backup and Deletion

Our Lab Topology (addressing shown in the figure):
Device   Interface   IP Address
R1       Gi0/1       192.168.2.1
D-Sw     Fa0/1       192.168.2.2
D-Sw     Vlan 10     192.168.10.1
D-Sw     Vlan 20     192.168.20.1
D-Sw     Vlan 30     192.168.30.1
Sw-1     Vlan 10     192.168.10.101
Sw-POE   Vlan 10     192.168.10.102
WLC      Mngmt       192.168.20.254
ESXi     Mngmt       192.168.10.120
(Figure: R1 Gi0/1 links to D-Sw Fa0/1; D-Sw Fa0/2-Fa0/5 link to Sw-1 and Sw-POE (Vlan 10 and Vlan 20); Admin-YB, AP-1602 and AP-1240 are the remaining devices in the figure.)

I Final
Exam Question Examples
https://learningnetwork.cisco.com/s/certification-exam-tutorials
1- Multiple-Choice Single Answer
2- Multiple-Choice Multiple Answer
3- Drag and Drop
4- Fill-in-the-Blank
5- Testlet
6- Simlet
7- Simulation
(Figures: Multiple-Choice Single Answer; Drag and Drop Answer; Multiple-Choice Multiple Answer)

I Final
How to enter the exam?
https://home.pearsonvue.com/cisco.aspx
You can take the test at Pearson VUE Test Centers or at home. The exam has an average of 55-65 questions. Exam duration is 120 minutes. Exam Fee: 350 USD.

Thank You. For questions about the training, you can contact me in the Udemy question and answer section.
www.udemy.com
www.yavuzbulut.com
