1.1 Explain different design principles
Thursday, December 5, 2019 8:40 AM

1.1a Enterprise network design principles used in an enterprise network
• A standard hierarchical LAN design has three layers: Access, Distribution, and Core.
• Access layer: gives the end devices and users direct access to the network.
  - Also referred to as the network edge; it provides high-bandwidth connectivity for wireless or wired devices.
  - Typical media used for connections are Gigabit Ethernet and 802.11n/802.11ac wireless.
  - VLANs are a common means of separating devices in the Access layer. Communication between Access layer devices on different switches occurs at the Distribution layer.
  - The QoS trust boundary and QoS mechanisms are usually enabled at the Access layer.
  - Port security and 802.1X can be found here.
  - Voice VLANs, QoS functions, PoE, STP, VACLs (VLAN ACLs).
• Distribution layer: acts as a meeting place for Access layer activity and provides a boundary between the Core and Access layers.
  - One of the key functions of that boundary is to serve as a boundary for Spanning Tree Protocol, limiting propagation of L2 faults.
  - On the L3 side, the Distribution layer provides a logical point to summarize IP routing information before it reaches the Core. Summarization reduces the routing table for easier troubleshooting and reduces overhead.
  - Summarization, security, policy, load balancing, routing.
  - Ideally only uses 2 switches. Houses FHRPs.
• Core layer: provides connections between distribution layers for large environments.
  - The Core is the backbone for large enterprises; it serves as an aggregation point for multiple networks and provides scalability, high availability and fast convergence.
  - The Core layer helps to reduce network complexity. Redundancy.
• Two-tier design (Collapsed Core): used mainly in smaller environments that have no need for a Core and want a cost-effective solution.
  - Before deciding on this design, consider future scale, expansion and manageability.
  - Combines the functions of the Core layer with the Distribution layer. Handles fast L3 switching, SVIs, and connections to the internet.
  - Generally used when you have more distribution blocks.
• Typical campus design
• 2-Tier "Spine-Leaf"
  - Function of each layer: the Spine acts like the aggregation/distribution layer and handles fast L3 switching. It is the backbone and is responsible for interconnecting all leaf switches. The Leaf is similar to the Access layer because end devices connect there, but it also pulls in internet and core services. L3 services. Overlay friendly and easy to scale. Low latency.
  - Connectivity between layers: vPCs (virtual port channels) are used to connect devices and overcome STP issues. Allows for maximum use of bandwidth.
  - A network mesh with every leaf switch connected to every spine switch. Makes devices one hop away, which helps with redundancy and reliability.
Architecture Page 1
• Fabric capacity planning
• Overlay vs Underlay
  - The overlay is the application running on top, something like NSX or SD-WAN.
  - The underlay is the physical network that provides your networking services.
• Layer 3 routed access vs Layer 2 access design
  - Network convergence is improved.
  - STP can be eliminated.
  - FHRP is no longer required to provide a default gateway.
  - All links can be utilized through ECMP routing.

1.1b High availability techniques such as redundancy, FHRP, and SSO
• High Availability / Redundancy: having a secondary path to a default gateway in case of a link failure.
• First Hop Redundancy Protocol (FHRP)
  - When there is a link failure, the new active path sends out a gratuitous ARP letting devices in the network know it's the new path.
  - An additional function that can be used is Object Tracking, which can monitor the status of routes, line protocol (L2 status), reachability, and IP SLA.
  - For design purposes GLBP is only beneficial when you have 3-4 gateways.
  - Can load balance with HSRP/VRRP when you configure a different active router for different VLANs.
  - STP root, HSRP/VRRP primary and vPC (virtual port channel) should all be on the same switch, and timers should be close.
• HSRP: Cisco FHRP that provides active/standby redundancy for a local subnet by creating a virtual router.
  - v1 can handle 256 groups; v2 can handle 4096 groups.
  - Router priority (default 100); ties are broken by who has the higher IP.
  - The standby router monitors the active router by sending Hello messages every 3 seconds.
  - Preemption must be configured for the standby to become the active router.
  - Uses text or MD5 authentication; MD5 is preferred.
  - v1 uses UDP packets to communicate.
  - vMAC: v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx
  - Active/Active in the data center.
  - States:
    Active: the device that is actively forwarding traffic.
    Init or Disabled: a device that is not yet ready or able to participate in HSRP.
    Learn: a device that has not yet determined the virtual IP address and has not yet seen a hello message from an active device.
    Listen: a device that is receiving hello messages.
    Speak: a device that is sending and receiving hello messages.
    Standby: a device that is prepared to take over the traffic forwarding duties from the active device.
  - v1: UDP port 1985, 256 groups, vMAC 0000.0C07.ACxx, 224.0.0.2
  - v2: UDP port 1985, 4096 groups, vMAC 0000.0C9F.Fxxx, 224.0.0.102
  - v6: UDP port 2029, 4096 groups, vMAC 0005.73A0.0xxx, FF02::66
• VRRP: open standard redundancy protocol that provides master/backup redundancy. Does not need a virtual router.
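The HSRP election rules listed above (highest priority wins, ties broken by the higher IP, no takeover without preemption, the standby steps in when the active fails) and the group-to-vMAC derivation, worked through in code. This is an added illustration, not code from these notes or from Cisco; the router names, IPs and the `up` flag are a constructed scenario, and the gratuitous ARP that announces the new active router is not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Well-known HSRP virtual MAC prefixes from the notes: v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx
HSRP_V1_VMAC_PREFIX = "0000.0c07.ac"
HSRP_V2_VMAC_PREFIX = "0000.0c9f.f"
HSRP_DEFAULT_PRIORITY = 100


@dataclass
class HsrpRouter:
    name: str
    ip: str                                  # interface IP, used only for the tie-break
    priority: int = HSRP_DEFAULT_PRIORITY
    preempt: bool = False                    # off unless configured, as on IOS
    up: bool = True                          # constructed flag: is this router alive?


def hsrp_vmac(group: int, version: int = 1) -> str:
    """Derive the virtual MAC from the group number (v1: 256 groups, v2: 4096 groups)."""
    if version == 1 and 0 <= group <= 255:
        return f"{HSRP_V1_VMAC_PREFIX}{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"{HSRP_V2_VMAC_PREFIX}{group:03x}"
    raise ValueError(f"group {group} is out of range for HSRP v{version}")


def elect_active(routers):
    """Initial election: highest priority wins, ties broken by the higher IP address."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(IPv4Address(r.ip))))


def next_active(routers, current_active: str):
    """Who is active after a change (a router joins, priorities change, or the active fails)?

    If the incumbent is down, the standby (best remaining router) takes over. If it is
    still up, a better router only takes over when it has preemption configured and a
    strictly higher priority; otherwise the incumbent keeps the role.
    """
    alive = [r for r in routers if r.up]
    incumbent = next((r for r in alive if r.name == current_active), None)
    if incumbent is None:
        winner = elect_active(alive)
        return winner.name if winner else None
    best = elect_active(alive)
    if best.name != incumbent.name and best.preempt and best.priority > incumbent.priority:
        return best.name
    return incumbent.name


def hsrp_scenario():
    """Constructed scenario that exercises each rule; returns the active router at each step."""
    r1 = HsrpRouter("R1", "10.0.0.2")
    r2 = HsrpRouter("R2", "10.0.0.3")
    initial = elect_active([r1, r2]).name              # equal priority -> higher IP -> R2
    r3 = HsrpRouter("R3", "10.0.0.4", priority=110)    # better priority but no preempt
    no_preempt = next_active([r1, r2, r3], initial)    # R2 keeps the role
    r3.preempt = True
    with_preempt = next_active([r1, r2, r3], initial)  # R3 takes over
    r3.up = False                                      # R3 fails: standby takes over
    after_failure = next_active([r1, r2, r3], with_preempt)
    return initial, no_preempt, with_preempt, after_failure


if __name__ == "__main__":
    print(hsrp_scenario())                 # ('R2', 'R2', 'R3', 'R2')
    print(hsrp_vmac(1), hsrp_vmac(100, 2))  # 0000.0c07.ac01 0000.0c9f.f064
```

The same priority/IP ordering applies to the VRRP master election; VRRP simply has preemption on by default, so in `next_active` terms every VRRP router behaves as if `preempt=True`.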
  - When you don't configure a vIP address, you don't configure a priority.
  - vMAC 0000.5e00.01xx
  - 256 groups
  - Uses text or MD5 authentication; MD5 is preferred.
  - Active/Active in the data center.
  - Default priority 100
  - 224.0.0.18
  - Preemption enabled by default.
  - VRRP v2: IPv4; VRRP v3: IPv4 & IPv6
  - IP protocol number 112
• GLBP: Cisco redundancy protocol that provides active/active load balancing. Includes a weighting parameter.
  - Roles are Active Virtual Gateway (AVG) and Active Virtual Forwarder (AVF). Configured by priority.
  - 4 routers can actively forward traffic.
  - The AVG responds to ARP requests.
  - Uses a single virtual IP and a different MAC for each AVF.
  - Uses round robin, weighted and host-dependent (MAC address) methods to balance traffic.
  - vMAC 0007.b40x.xxyy: xxx = group ID (1024 groups), yy = AVF ID
  - Same timers and authentication methods as HSRP/VRRP.
  - All routers in a GLBP group can participate in forwarding traffic.
  - In a GLBP group only one AVG can be assigned, but multiple AVFs can be assigned.
• Stateful Switchover (SSO): seamless transition between a "dead" path and an active path. Minimizes the amount of downtime.
  - Uses Non-Stop Forwarding (NSF) to achieve this. The control plane handles routes and the data plane handles packets.
  - The data plane stays online while SSO is in process.
  - Both routers must have NSF enabled for this to work.
  - SSO is focused on hardware and NSF maintains network stability. NSF prevents routing flaps.

1.2 Analyze design principles of a WLAN deployment
Saturday, January 4, 2020 5:17 PM

Design principles in WLAN
• Coverage and capacity are the two things to take into account when planning AP deployment.
• WLC placement and AP-to-WLC connectivity.
• If you need omnidirectional antennas you can use APs with internal or external antennas.
• -67 dBm is considered quality signal strength for a wireless network supporting voice and video.
• Also want 35% overlap of AP signals.
• Quality can be increased by increasing the capacity of APs deployed.
• The closer the dB value is to one, the better.
• Autonomous design
  - SSIDs act as VLANs for APs. BVI (bridged virtual interface) instead of SVI.
  - A trunk is the uplink for autonomous APs.
  - Hard to manage; WLSM/WLSE are management software that can aid configuration.
  - Autonomous controllers push configs to APs using the CLI.
• Lightweight design
  - Needs a controller to fully function; the AP downloads its config and software from the WLC.
  - Can manage a lot of devices from a single point, and you don't have to worry about L3 roaming.
  - Wireless clients are logically located at the WLC.
• Wireless deployment models
  - CAPWAP (Control and Provisioning of Wireless Access Points): forms the tunnel from the AP to the WLC, making it look like the AP is directly connected. Utilizes DTLS (Datagram Transport Layer Security). UDP ports 5246 (control) and 5247 (data). Allows the AP to focus on client access. Centralizes the authentication and policy enforcement functions.
  - Centralized: uses CAPWAP to connect the AP to the WLC. Enables L2 roaming, meaning the IP doesn't have to change. Placement of the WLC and licensing is important. The WLC can provide centralized bridging, forwarding and encryption of user traffic. Enables shifting of higher-level protocol processing from the AP.
  - Distributed: used when you have multiple sites; still enables L2 roaming. Increases the devices you have to manage and license. Distribution switches connect the WLCs to the campus. CAPWAP tunnels stay in each location.
  - Controller-less: controller software is virtualized. Have to deal with vendor lock-in; without the cloud service the APs are bricks. Common in a distributed WLAN design. Mobility Express and Meraki are Cisco-based technologies. Mobility Express does not support L3 roaming. Mobility Express can support up to 2000 users.
  - Controller-based: APs must connect to some form of management device. Gives variety in how you deploy.
  - Cloud: Meraki handles cloud wireless; the WLC is in the cloud. APs
form tunnels to the cloud WLC. Don't need to worry about licensing. L2 roaming isn't as efficient. Drops traffic onto the local switch.
  - Remote branch (FlexConnect): still uses CAPWAP, but only on the control plane. Less than 50 APs and delay less than 100 ms. Internal traffic is dropped off to the local switch; guest access can still be sent to the WLC. Very efficient, simple design; L2 roaming is no longer seamless.
• Location services
  - Clients: Real-Time Location Services (RTLS) track any Wi-Fi device. Knows where clients are connecting and can send targeted information.
  - DNA Spaces, CMX, Prime Infrastructure, and DNA Center can all provide location tracking services.
  - Client location can be determined by triangulating dBm from APs.
  - RF fingerprinting can be used to overcome issues caused by signal blocking. Maps out the area by gathering multiple RSSI readings.
  - RFID tracking: Wi-Fi asset tags allow for locating items and tracking inventory. Geofencing allows for tracking items that leave a designated area.
  - 4 channels (2.4 GHz); scans on the programmed channel. Probe request forwarding.

1.3 Differentiate between on-premises and cloud infrastructure deployments
Saturday, January 4, 2020 5:17 PM

• On-prem: contains app data, networking, servers, storage, virtualization, and BU/DR all under one entity. Can be harder and more costly to maintain. Decrease in latency compared to cloud hosted.
• Cloud characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and metered service.
• CapEx versus OpEx
  - Capital expense: an expense incurred to create a future benefit; purchase of fixed assets, such as new buildings or business equipment, upgrades to existing facilities, and the acquisition of intangible assets, such as patents.
  - Operating expense: cost of day-to-day operations such as general and administrative expenses, research and development.
  - Reduced procurement delays.
  - Rapid elasticity allows you to increase or decrease resources as needed.
  - Pay as you go.
• IaaS: you maintain the operating system but not the hardware it runs on.
• PaaS: you only manage the applications and not the OS.
• SaaS: most expensive model. Your application is hosted on someone else's hardware.
• Security: proactive prediction of network-related and security-related risks. Security Group Access Control Lists (SGACLs) provide a much simpler and more scalable form of policy enforcement based on identity instead of an IP address; they work with SGTs.
• Flexibility: you can have on-demand self-service with cloud.
• 4 different deployment models: Public, Private, Hybrid, Community
  - Public: your services are hosted on another company's equipment.
  - Private: provides the 5 characteristics of cloud computing on locally-owned hardware. Chargeback enables an org to track individual usage of resources by a department. UCS Director provides self-service, allowing users to "order" what they need. Hard to achieve rapid elasticity because of cost.
  - Hybrid: low cost of private but can also use the features of public. Allows you to secure proprietary information. Cloud brokering software can take the place of on-demand, allowing users to determine what they need on an app-by-app basis. The Cisco product is CloudCenter.
  - Community: allows for sharing of resources between partner associations.
    Gov, Military, Academia
• Global: being able to access your environment/product/data anywhere, any time.
• API-centric: the Application Policy Infrastructure Controller (APIC) API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JSON or XML documents. Standard REST methods are supported on the API, which includes POST, GET, PUT, and DELETE operations through HTTP.

1.4 Explain the working principles of the Cisco SD-WAN solution
Saturday, January 4, 2020 5:18 PM

• Traditional WAN issues: different connection types based on location. Complex because of redundant WAN providers, media types, cloud connectivity, number of locations, and cost.
• SD-WAN components. Main components:
  - vManage network management system
  - vSmart Controller
  - SD-WAN routers
  - vBond Orchestrator
• Underlay and overlay networks. The overlay is the logical network we want and the underlay is the physical network we have. Using tunnels helps give you the topology you want, and software makes configuring and deploying the tunnels less complex. VXLAN helps build the tunnels and edge routers take pressure off the core.
• A key component is the controller, which helps configure and push policies to the entire network: vManage (controller), vSmart (control plane, pushes policy to the edge), vEdge (usually an ISR router, or virtual, deployed at the location), vBond (orchestrator that points edges to the controller and holds everything together). OBM
• vManage can deploy 2 devices in Active/Standby. Can be configured from the GUI or REST API.
• Transport agnostic: can use any type of IP underlay including internet, satellite, dedicated circuits, 3G/4G LTE, and MPLS.
• vBond must be configured with a public IP. This allows it to be accessed by other SD-WAN components even if they reside behind NAT devices such as firewalls or routers. Authenticates the vSmart controllers and the SD-WAN routers and orchestrates connectivity between them.
• NETCONF: uses XML messages inside of SSH.
  - Forms an SSH connection and then the XML script is pushed.
• REST API: Representational State Transfer. Uses the HTTP verbs GET, POST, PUT, DELETE. Used by vManage.
• vManage Network Management System (NMS): the vManage NMS is a centralized network management system that lets you configure and manage the entire overlay network from a simple graphical dashboard.
• vSmart Controller: the vSmart controller is the centralized brain of the Cisco SD-WAN solution, controlling the flow of data traffic throughout the network. The vSmart controller works with the vBond orchestrator to authenticate Cisco vEdge devices as they join the network and to orchestrate connectivity among the vEdge routers.
• vBond Orchestrator: the vBond orchestrator automatically orchestrates connectivity between vEdge routers and vSmart controllers. If any vEdge router or vSmart controller is behind a NAT, the vBond orchestrator also serves as an initial NAT-traversal orchestrator.
• vEdge Routers: the vEdge routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centers) and provide connectivity among the sites. They are either hardware devices or software, called a vEdge Cloud router, that runs as a virtual machine. vEdge routers handle the transmission of data traffic.
• A vEdge router can be a Cisco SD-WAN hardware device or software that runs as a virtual machine; the remaining three are software-only components.
• SD-WAN topology
  - With a base license Cisco SD-WAN can only support hub and spoke.
  - Advanced licenses can support full/partial mesh and point-to-point.
  - Active/Standby pinning can be used to direct specific types of traffic.
  - Application-Aware SLA is like object tracking and will switch to the better route path when degradation is detected based on live data.
  - DPI (Deep Packet Inspection), when licensed, can look at a packet to determine the application and choose the best route.
  - A 6-tuple lookup is used when you don't have the DPI license: source and destination IP address, source and destination port, QoS markings, and protocol number.
• Controller deployment models
  - Public: the most common (Cisco uses AWS). Redundant deployment of vSmart and vBond in Active/Active; vManage is done in Active/Standby.
  - Hybrid: the controller is in private space to increase resiliency; it is on the user to maintain the VMs. Uses public IPs.
  - Hybrid with private IPs requires the user to NAT; vBond needs 1:1 NAT.
• Control plane: vSmart, northbound, pushes policies to v/cEdge; uses OMP (TCP/TLS). vSmart distributes security information between vEdge routers to facilitate data plane tunnel creation.
• Data plane: v/cEdge, southbound.
• Overlay Management Protocol (OMP) carries the control plane data that helps form VXLANs and policies.

1.5 Explain the working principles of the Cisco SD-Access solution
Saturday, January 4, 2020 5:18 PM

Software-defined access is taking a campus fabric and managing it via a controller called the DNA Center.
SD-Access fabric architecture
• Cisco switches: provide wired (LAN) access to the fabric. Supports multiple types of Catalyst devices including NX-OS.
• Cisco routers: provide WAN and branch access to the fabric. ASR 1000, ISR, CSR, CSRv, ISRv.
• Cisco wireless: Cisco WLCs and APs provide wireless (WLAN) access to the fabric.
• Cisco controller appliances: only 2 types of appliances to consider: DNA Center and ISE.
• No firewalls are a part of the architecture.
Control plane
• LISP is used to map users/endpoints and their location in the network. LISP solves the issue of the IP address identifying both you and your location; it separates that connection so you get an ID separate from the IP. LISP uses the EID to track the endpoint and the RLOC to identify the assigned network device. This info is sent to a map server on the CP node.
• Host tracking database: the host tracking database (HTDB) is a central repository of EID-to-fabric-edge node bindings.
• Provides dynamic host mobility for wired and wireless endpoints.
Data plane
• VXLAN: L3 VRFs, L2 headers, scaling; VNID 16M VLANs.
• IS-IS is used over OSPF because it supports more network protocols and uses fewer CPU resources.
Policy plane
• ISE as a part of TrustSec (CTS) is used to control user access regardless of location.
• Micro-segmentation: scalable groups (SGs) and VNs (virtual networks).
• Macro-segmentation: used for scalability; uses VRFs for separation.
Roles
• A default user with SUPER-ADMIN-ROLE permissions is created when you install DNA Center.
• Administrator has full rights.
• Network Administrator has full access to network-related functions but cannot access system functions like backup and restore.
• Observer has view-only access.
DNA Center
• Components: Design, Assurance, Provision (DAP)
• Upgrade procedure: need SUPER-ADMIN-ROLE permissions; back up data, check for system updates, then upgrade the application.
• Traditional campus and SD-Access integration
• 4 layers: physical, network, controller (DNA-C, ISE), and management (GUI, REST API, 4-step workflow)
  - NCP (Network Control Platform): automation of underlay/overlay; CLI, SNMP, NETCONF; operates in the controller layer.
  - NDP (Network Data Platform): Assurance, data collection via SNMP, NetFlow, telemetry; controller layer.
Campus Fabric
• An instance of a Network Fabric. A Network Fabric describes a network topology where data traffic is passed through interconnecting switches while providing the abstraction of a single L2 and/or L3 device.
• Provides seamless connectivity regardless of underlay configuration, with policy application and enforcement at the edges of the fabric.
• SD-Access is called the campus fabric when manually configured.
Fabric Edge Node
• Responsible for admitting, encapsulating/decapsulating and forwarding traffic to and from endpoints connected to the fabric edge.
• Edge nodes lie at the perimeter of the fabric and are the first point of attachment for policy.
• Endpoints can be indirectly attached to a fabric edge node via an intermediate L2 network that lies outside the fabric domain.
• Provides connectivity to fabric APs.
• Does not directly connect to a fusion router.
• Connects endpoint devices to the fabric.
• Functions as an anycast L3 default gateway for all endpoints.
• Implements the LISP xTR function.
Fabric Intermediate Node
• Provides L3 underlay transport service to fabric traffic.
• These nodes are pure L3 forwarders that connect the Fabric Edge and Fabric Border nodes.
• Capable of supporting VXLAN traffic but doesn't participate in fabric operations.
• Outside the fabric along with ISE and the WLC.
Fabric Border Node
• Connects traditional L3 networks or different fabric domains to the Campus Fabric domain.
• If there are multiple fabric domains, the fabric border nodes connect a fabric domain to one or more other fabric domains.
• The device where the fabric control planes of two domains exchange reachability and policy information.
• Connects the fabric to external networks.
• Uses BGP to form peering connections with fusion routers to advertise EID prefixes.
Fusion Router
• Uses BGP for the connection between fusion routers and fabric border routers.
• Fusion routers connect the SD-Access fabric to shared services (DNS, DHCP, NTP).
• Also connects ISE, DNAC (Digital Network Architecture Controller) appliances and the WLC to the fabric so their services are accessible to the virtual networks and their associated endpoints.
• SD-Access needs a fusion router to perform VRF route leaking between user VRFs and shared services, which may be in the global routing table (GRT) or another VRF.
• Accesses the fabric through direct connections to fabric border nodes.
WLC Node
• Lies outside of the fabric.
Control Plane Node
• Manages the host tracking
database, which is used to map EIDs to RLOCs.
Extension Node
• Resides in the physical layer of the SD-Access architecture.
• Access layer switches that don't participate in the fabric but are included in SD-Access automation.

1.6 Describe concepts of wired and wireless QoS
Saturday, January 4, 2020 5:18 PM

Classification is the first thing that's done when a packet is received on a QoS-enabled interface.
• Factors that affect network quality
  - Delay variation (jitter): the difference in end-to-end delay between packets.
  - Delay: the finite amount of time it takes a packet to reach the receiving endpoint after being transmitted from the sending endpoint.
  - Loss: a relative measure of the number of packets that were not received compared to the total number of packets transmitted.
• QoS approaches
  - Best Effort: as packets come in, the device will do its best to send them.
  - IntServ (Integrated Services): a bandwidth guarantee. Uses RSVP from one end device to the next to reserve bandwidth. Reserved bandwidth not being used is wasted because no other traffic flow can use it. Applications are responsible for creating reservations for the network resources required for their traffic flows.
  - DiffServ (Differentiated Services) QoS
• DiffServ components
  - Classification and marking.
    Done close to the edge and part of the trust boundary. Multiple methods of classification: QoS groups (done by app type), physical interface/sub-interface, MAC, DSCP, TCP/UDP ports, IP Precedence, NBAR2 (dependent on CEF).
    Marking options: internal: QoS groups; L2: CoS bits; L2.5: MPLS EXP bits; L3: DSCP & IPP.
    You can only apply policies to traffic after it has been positively classified.
  - Policing & Shaping
    Traffic shaping: buffers and delays excess traffic. Will queue traffic. Designed to allow you to keep traffic instead of dropping it. Only applied to outbound traffic. Uses a "leaky bucket", which waits until you have enough tokens before sending packets, smoothing the traffic. Scheduling tools determine how a frame/packet exits a device.
    Traffic policing: drop or re-mark. 3 types of marking. Marking down excessive traffic means giving it a lower priority number. Single rate 2 color, single rate 3 color, two rate 3 color. Applied to inbound & outbound traffic. Inbound should be applied at the network edge so bandwidth isn't wasted. Outbound should be applied at the network edge or core-facing interfaces. A downside of policing is that it causes TCP retransmissions when it drops traffic. Avoids delays due to queuing.
    Token Bucket Algorithm: the method on which policers and shapers are based.
      Committed Information Rate (CIR): the policed traffic rate agreed upon in the traffic contract.
      Committed Burst Size (Bc): max size of the CIR token bucket, measured in bytes.
      Committed Time Interval (Tc): time in ms over which the Bc is sent.
      Token: represents 1 byte.
      Token bucket: takes action on what to do with a packet based on the number of tokens in it. Can buffer to wait on additional tokens to send the packet (shaping), drop it (policing), or mark it down (policing).
  - Congestion Management
    FIFO: single queue; first packet in, first packet out.
    Round robin: each queue is processed in order, sending one packet at a time.
    No way to prioritize traffic.
    WRR: provides prioritization to round robin.
    CQ: Cisco version of WRR. 16 queues; each one can be assigned a specific bandwidth.
    PQ: 4 queues: high, medium, normal, low. FIFO by priority; the higher priority queue must be completely done before a lower priority queue can go.
    WFQ: automatically divides interface bandwidth by the number of flows. Weighted by IP precedence. Best for high priority real-time flows.
    CBWFQ: 256 queues for 256 traffic classes. Each queue is served based on the bandwidth assigned to that class. The assigned bandwidth is the minimum allotted to that queue.
    LLQ: combination of CBWFQ & PQ; best for voice and video. If all the bandwidth assigned to a class isn't being used, it can be shared.
  - Congestion Avoidance
    RED: randomly drops packets before the queue is full. Drops packets when the queue's minimum defined threshold is exceeded.
    WRED: Cisco version; can manipulate drops using IP precedence or DSCP.
    The Explicit Congestion Notification (ECN) bit is used to indicate congestion, which tells ECN-enabled endpoints to slow their transmission rate.
  - IP Precedence: uses no drop preference in its marking. AF code starts with CS#.
  - DSCP Per-Hop Behavior: class selector (bigger number is better) and drop preference (lower is better). Expedited Forwarding (EF), used on voice, means never drop.
  - Trust boundary
    Should be placed closer to the end devices.
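The token bucket policer from the Policing & Shaping notes and the DSCP per-hop behaviour encoding just above, worked together: a single-rate three-colour policer (committed bucket Bc plus an excess bucket Be, one token per byte earned at CIR) that lets conforming packets through, marks down exceeding packets by raising the AF drop precedence, and drops violating ones. This is an added illustration, not code from these notes or from Cisco IOS; the packet trace, the CIR/Bc/Be values and the RFC 2697 overflow rule (excess tokens spill from the committed bucket into the excess bucket) are the example's own assumptions.

```python
from dataclasses import dataclass, field

EF_DSCP = 46  # Expedited Forwarding: the "never drop" voice marking from the notes


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """Encode an Assured Forwarding PHB: class in bits 5-3, drop precedence in bits 2-1."""
    if not (1 <= af_class <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def describe_dscp(dscp: int) -> str:
    """Name the PHB for a 6-bit DSCP value: EF, AFxy, CSx, or the raw number."""
    if dscp == EF_DSCP:
        return "EF"
    cls, dp, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if dp == 0 and low_bit == 0:
        return f"CS{cls}"           # class selector: IP precedence compatible
    if 1 <= cls <= 4 and low_bit == 0:
        return f"AF{cls}{dp}"
    return f"DSCP{dscp}"


def mark_down(dscp: int) -> int:
    """Policer mark-down: keep the AF class, raise the drop precedence one step (max 3)."""
    if describe_dscp(dscp).startswith("AF"):
        cls, dp = dscp >> 3, (dscp >> 1) & 0b11
        return af_dscp(cls, min(dp + 1, 3))
    return dscp                      # EF, CS and unknown markings are left alone


@dataclass
class SingleRateThreeColorPolicer:
    """Single-rate three-colour policer (assumed RFC 2697 semantics)."""
    cir_bps: int      # committed information rate in bits per second
    bc_bytes: int     # committed burst: size of the CIR token bucket
    be_bytes: int     # excess burst: size of the second bucket
    tc: float = field(init=False)
    te: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.bc_bytes)   # both buckets start full
        self.te = float(self.be_bytes)

    def _replenish(self, now: float) -> None:
        """Earn one token per byte at CIR; overflow from Bc spills into Be."""
        earned = (now - self.last_time) * self.cir_bps / 8.0
        self.last_time = now
        room = self.bc_bytes - self.tc
        if earned <= room:
            self.tc += earned
        else:
            self.tc = float(self.bc_bytes)
            self.te = min(float(self.be_bytes), self.te + (earned - room))

    def police(self, now: float, size_bytes: int, dscp: int):
        """Return (action, dscp): conform keeps the mark, exceed marks down, violate drops."""
        self._replenish(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "conform", dscp
        if size_bytes <= self.te:
            self.te -= size_bytes
            return "exceed", mark_down(dscp)
        return "violate", None


# Constructed packet trace: (arrival time in seconds, size in bytes, incoming DSCP)
CONSTRUCTED_TRACE = [
    (0.0, 1000, af_dscp(3, 1)),   # AF31, fits the committed bucket
    (0.0, 1000, af_dscp(3, 1)),   # committed bucket short, excess bucket pays: mark down
    (0.0, 1000, af_dscp(3, 1)),   # both buckets short: drop
    (1.0, 1000, af_dscp(3, 1)),   # one second later 1000 tokens were earned: conform again
]


def run_policer_demo():
    """CIR 8 kbit/s (1000 bytes/s), Bc = Be = 1500 bytes, applied to the constructed trace."""
    policer = SingleRateThreeColorPolicer(cir_bps=8000, bc_bytes=1500, be_bytes=1500)
    return [policer.police(t, size, dscp) for t, size, dscp in CONSTRUCTED_TRACE]


if __name__ == "__main__":
    for action, dscp in run_policer_demo():
        print(action, None if dscp is None else describe_dscp(dscp))
```

Shaping differs only in the last branch: instead of returning "violate" the shaper would hold the packet until `_replenish` has earned enough tokens, which is why shaping adds delay and policing adds loss (and the TCP retransmissions the notes mention).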
    Moving it closer to the core risks overloading the network.
    Devices that can do marking and can be trusted to do marking should be allowed to do it.
    Where are specific traffic descriptors located?
• Wireless QoS policies
  - The WLC is the location for the wireless QoS trust boundary because it sits between the wireless and wired domains.
  - QoS policy can be uniquely defined on each WLAN.
  - In a newly created WLAN, Silver is the default policy.
  - Wi-Fi Multimedia (WMM): 4 access categories mapped to 802.1p values:
    AC_VO (voice): 6 & 7
    AC_VI (video): 4 & 5
    AC_BE (best effort): 0 & 3
    AC_BK (background): 1 & 2
  - 802.1p markings map to WMM access categories.
  - The access category determines the Interframe Space and Random Backoff Timer.

1.7 Differentiate hardware and software switching mechanisms
Saturday, January 4, 2020 5:19 PM

• Centralized: CAM and FIB are stored on the supervisor. Cost is lower but packets have to go back through the supervisor.
• Distributed: CAM and FIB are stored on the line card. A router that uses a distributed architecture enables each line card in the chassis to independently forward traffic. Distributed platforms enable line cards to locally switch packets without using backplane or fabric resources. Traffic with a destination next hop on the same line card doesn't typically have to cross the backplane of the device.
• Process switching: runs IP input to figure out where to send a packet. Checks the RIB; runs on the CPU so it's slow. The first packet to a destination will always be process switched before fast switching takes over.
• CEF switching: when per-destination load balancing is enabled, traffic is distributed statistically so that a given path is not overwhelmed. Per-destination load balancing sends all packets that belong to a particular session over the same path. A router that uses a distributed architecture enables each line card in the chassis to independently forward traffic.
  - The line card CEF tables are created from the RIB stored on the primary route processor module or supervisor module, depending on the platform in use. Distributed platforms enable line cards to locally switch packets without using backplane or fabric resources.
  - Per-packet load balancing can affect VoIP traffic because packets could arrive out of order.
• Load sharing algorithms
  - Original: uses a hash of the SRC/DST IP address to identify the traffic flow. Can lead to distortions in traffic flow when loads are shared across multiple routers running the same algorithm.
  - Universal: default load sharing algorithm. Addresses the weakness of the original algorithm by adding a unique hash. Allows each router to make its own forwarding decision.
  - Tunnel: used for efficient operation in environments with a limited number of SRC/DST host pairs. Used mainly in environments connected by tunnels such as GRE.
  - Include-ports: allows a router to include L4 information when forwarding decisions are being made. Can be configured to consider the SRC/DST port individually or together. Allows traffic that would not normally be load balanced to be load balanced even if it shares the same SRC/DST IP, because it will have different SRC/DST ports.
• RIB: L3 table (connected, static, and dynamic routes).
  - The AD is only used when you have the same network from different protocols. Otherwise the more specific route is used: with EIGRP 10.0.0.0/24 vs OSPF 10.0.0.0/25, OSPF would be used even though it has a higher AD.
  - Used as a database to inform the FIB for CEF. Once a route is in the RIB, AD no longer matters.
• FIB: a hardware-based copy of the RIB. L3 table; stores next-hop MAC and egress interfaces. To verify if an entry is in the table use sh ip cef x.x.x.x/x.
• Adjacency table
  - Maintains Layer 2 next-hop addresses that are used for hardware switching.
  - Incomplete adjacencies happen because the router can't use ARP successfully for the next-hop interface.
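The two RIB rules above (AD decides only between identical prefixes at install time; the lookup itself is longest-prefix match, so OSPF 10.0.0.0/25 beats EIGRP 10.0.0.0/24) and the per-destination load-sharing idea from the CEF notes, worked in code. This is an added illustration, not code from these notes or from IOS; the candidate routes are constructed, the AD table holds the IOS defaults, and SHA-256 stands in for the platform's hash function, which the example does not claim to reproduce. It goes slightly beyond the notes by also showing the "original" (IP-only) key beside the "include-ports" key.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default administrative distances (lower is more trusted)
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    next_hops: tuple   # one or more next-hop IPs; more than one means ECMP


def build_rib(candidates):
    """AD is consulted only when two protocols offer the *same* prefix; the lower AD wins."""
    rib = {}
    for route in candidates:
        net = ip_network(route.prefix)
        current = rib.get(net)
        if current is None or ADMIN_DISTANCE[route.protocol] < ADMIN_DISTANCE[current.protocol]:
            rib[net] = route
    return rib


def lookup(rib, destination: str):
    """Longest-prefix match over the installed RIB; AD plays no part at this stage."""
    addr = ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


def select_next_hop(route, src, dst, sport=0, dport=0, include_ports=False):
    """Per-destination load sharing: hash the flow key onto one of the ECMP next hops.

    SHA-256 is a stand-in for the platform hash. The property that matters is that the
    same key always lands on the same path (so a session never reorders). With
    include_ports the L4 ports join the key, so flows between the same two hosts can
    spread across paths instead of all following one.
    """
    key = f"{src}|{dst}" + (f"|{sport}|{dport}" if include_ports else "")
    digest = hashlib.sha256(key.encode()).digest()
    return route.next_hops[int.from_bytes(digest[:4], "big") % len(route.next_hops)]


# Constructed candidate routes, built around the example in the notes
CONSTRUCTED_ROUTES = [
    Route("10.0.0.0/24", "ospf", ("192.0.2.9",)),
    Route("10.0.0.0/24", "eigrp", ("192.0.2.1",)),     # same prefix: EIGRP (AD 90) beats OSPF (AD 110)
    Route("10.0.0.0/25", "ospf", ("192.0.2.2",)),      # more specific: wins the lookup despite higher AD
    Route("0.0.0.0/0", "static", ("192.0.2.254", "192.0.2.253")),   # ECMP default route
]


def rib_demo():
    """Which protocol's route serves each constructed destination."""
    rib = build_rib(CONSTRUCTED_ROUTES)
    return {
        "10.0.0.5": lookup(rib, "10.0.0.5").protocol,          # /25 OSPF
        "10.0.0.200": lookup(rib, "10.0.0.200").protocol,      # /24 EIGRP
        "198.51.100.7": lookup(rib, "198.51.100.7").protocol,  # default, static
    }


def load_sharing_demo():
    """Two flows between the same hosts on different source ports, hashed both ways."""
    default = lookup(build_rib(CONSTRUCTED_ROUTES), "203.0.113.1")
    ip_only_a = select_next_hop(default, "10.0.0.5", "203.0.113.1", 40000, 443)
    ip_only_b = select_next_hop(default, "10.0.0.5", "203.0.113.1", 40001, 443)
    with_ports = select_next_hop(default, "10.0.0.5", "203.0.113.1", 40000, 443, include_ports=True)
    with_ports_again = select_next_hop(default, "10.0.0.5", "203.0.113.1", 40000, 443, include_ports=True)
    return {
        "same_path_without_ports": ip_only_a == ip_only_b,      # IP-only key cannot tell them apart
        "deterministic_with_ports": with_ports == with_ports_again,
        "path_is_a_real_next_hop": with_ports in default.next_hops,
    }


if __name__ == "__main__":
    print(rib_demo())
    print(load_sharing_demo())
```

Whether the two port-distinguished flows actually land on different paths depends on the hash, exactly as on a real platform; the guarantee is only that each flow is pinned to one path.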
  - If a static route points to a multi-access interface, an adjacency with an incorrect interface is created.
• CAM table: high-speed lookup L2 table. A CAM lookup provides the content and a value is returned (true or false). Can only search for an exact match.
• MAC address table: used at L2; stores all incoming MACs. If a destination is not in the table it will flood it out every port but the one it came in on.
• TCAM: allows for searching of non-matching characters. Stores info as V (value: IP address), M (mask: subnet mask), R (result: allow/deny, next hop). Provides a true/false/do-not-care result. Used to implement hardware-based packet forwarding of certain features, like ACLs and QoS, because of its flexibility and speed. Primarily used on multilayer switches.

2.1 Describe device virtualization technologies
Tuesday, January 7, 2020 9:52 PM

A hypervisor is the virtualization software that creates VMs and performs the hardware abstraction that allows multiple VMs to run concurrently.
• Type 1 hypervisor
  - Bare-metal: runs on the device itself without another OS. Basically it is the OS.
• Best used in a data center
• Can be embedded into firmware at the same level as the BIOS
• Examples: ESXi, Hyper-V (because it communicates directly with the hardware), Citrix XenServer
• Usually used on blade server or rack-mounted server hardware
Type 2 hypervisor
• The hypervisor needs an OS to run, also called the host
• Used in labs because an OS is most likely already installed
• Examples: VirtualBox, VMware Workstation
• Cannot be installed on a bare-metal server
• Easier to use and maintain
Virtual machine
• Runs its own OS on the hypervisor
• Resources are provided to it by the hypervisor
• Can migrate a live VM, or power down and do a cold migration
• A software emulation of a physical server with an operating system
• Must make sure the hardware can support the minimum requirements needed
• Each one requires its own unique IP and MAC
Virtual switching
• Software-based Layer 2 switch that operates like a physical Ethernet switch
• Overcomes the issue of not being able to send and receive traffic on the same L2 link
• One physical NIC can only attach to 1 vSwitch, but each vSwitch can connect to multiple VMs
• Uses pinning, which identifies all the MACs of the VMs
• Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host
• Every vSwitch that is part of a cluster of virtualized servers needs to be configured individually in every virtual host
• Distributed virtual switching: a feature that aggregates vSwitches together from a cluster of virtualized servers and treats them as a single distributed virtual switch
Container
• An isolated environment where containerized applications run
• It contains the application, along with the dependencies that the application needs to run
• Should not be referred to as a lightweight VM
• Containers share the underlying resources of the host operating system and do not include a guest OS, as VMs do; containers are therefore lightweight (small in size)
• When a container starts, it leverages the kernel of the host OS, which is already running, and it typically takes a few seconds to start.
• Types of containers: rkt, Open Container Initiative, LXD, Docker, Linux-VServer, Windows Containers
• Containers not connected to the same node can't communicate with each other until routing at the OS level or an overlay network has been configured
Network functions virtualization
• Network functions virtualization (NFV) is an architectural framework created by the European Telecommunications Standards Institute (ETSI) that defines standards to decouple network functions from proprietary hardware-based appliances and have them run in software on standard x86 servers
• Defines how to manage and orchestrate the network functions
• NFV infrastructure (NFVI) is all the hardware and software components that comprise the platform environment in which virtual network functions (VNFs) are deployed.
• Virtual network functions (VNFs)
○ The virtual or software version of an NF; it typically runs on a hypervisor as a VM
○ Commonly used for L4 through L7 functions, such as those provided by load balancers (LBs) and application delivery controllers (ADCs), firewalls, intrusion detection systems (IDSs), and WAN optimization appliances.
○ Can still do L2/L3 functions
• NFVI Virtualized Infrastructure Manager (VIM)
○ Responsible for managing and controlling the NFVI hardware resources (compute, storage, and network) and the virtualized resources
○ Handles service chaining, which ties all the VNFs together
• Element managers (EMs), also known as element management systems (EMSs), are responsible for the functional management of VNFs
• PCI passthrough allows VNFs to have direct access to physical PCI devices
○ The downside to PCI passthrough is that the entire pNIC is dedicated to a single VNF and cannot be used by other VNFs, so the number of VNFs that can use this technology is limited by the number of pNICs available in the system
• SR-IOV is an enhancement to PCI passthrough that allows multiple VNFs to share the same pNIC by emulating multiple PCIe devices
○ 2 modes: Virtual Ethernet Bridge and Virtual Ethernet Port Aggregator
○ Virtual Ethernet Bridge (VEB): traffic between VNFs attached to the same pNIC is hardware switched directly by the pNIC.
○ Virtual Ethernet Port Aggregator (VEPA): traffic between VNFs attached to the same pNIC is switched by an external switch.
• Cisco Enterprise Network Functions Virtualization (ENFV)
○ Cisco solution based on the ETSI NFV architectural framework
○ Supports Cisco SD-WAN cEdge and vEdge virtual router onboarding
○ Centralizes management through Cisco DNA Center, which greatly simplifies designing, provisioning, updating, managing, and troubleshooting network services and VNFs
• Cisco ENFV Solution Architecture: a virtualized solution for network and application services for branch offices
○ Management and Orchestration (MANO): Cisco DNA Center provides the VNF management and NFV orchestration capabilities. It allows for easy automation of the deployment of virtualized network services, consisting of multiple VNFs.
○ VNFs: VNFs provide the desired virtual networking functions.
○ Network Functions Virtualization Infrastructure Software (NFVIS): an operating system that provides virtualization capabilities and facilitates the deployment and operation of VNFs and hardware components.
○ Hardware resources: x86-based compute resources that provide the CPU, memory, and storage required to deploy and operate VNFs and run applications.
• Management and Orchestration
○ Cisco DNA Center provides the MANO functionality to the Cisco Enterprise NFV solution
○ Two of the main functions of DNA Center are to roll out new branch locations or deploy new VNFs and virtualized services
○ Plug and Play provisioning provides a way to automatically and remotely provision and onboard new network devices
○ DNA Center provides centralized policies
• Virtual Network Functions and Applications
○ The Cisco Enterprise NFV solution provides an environment for the virtualization of both network functions and applications in the enterprise branch
○ Both Cisco and third-party VNFs can be onboarded onto the solution
○ Can support apps running on Linux or Windows
• Network Function Virtualization Infrastructure Software (NFVIS)
○ Based on standard Linux, packaged with additional functions for virtualization, VNF lifecycle management, monitoring, device programmability, and hardware acceleration

2.2 Configure and verify data path virtualization technologies
Tuesday, January 7, 2020 9:54 PM
Virtual Routing and Forwarding (VRF)
• An L3 VLAN concept: can separate traffic for multiple clients existing in different routing domains
• VRFs can be used to isolate the management network
• VRF-Lite does not support IS-IS or IGRP
• BGP should be used between the CE and PE
• OSPF process IDs become relevant when separating different VRFs; help keep them unique
• The management VRF is created by default; also, the default VRF is used on an interface when one isn't specified
• When adding a VRF to an interface its L3 config will be lost, so make sure to copy it before adding the VRF
• To see VRF routing you have to specify the VRF you want to see:
○ sh ip route vrf vrf-id
○ ping vrf vrf-id ip-address
• Configure a routing protocol for a VRF with router protocol process-id vrf vrf-id
• We can apply route targets to a VRF to control the import and export of routes among it and other VRFs.
Generic Routing Encapsulation (GRE)
• Allows for encapsulation of non-IP packets with an IP header
• Increases packet size by 24 bytes (the tunnel MTU is reduced accordingly to prevent fragmentation)
• The GRE IP header is assigned protocol number 47
• To avoid recursive routing, do not advertise the tunnel destination into the tunnel
• When configuring GRE or mGRE the source IP address or source interface must be configured
• Adds 4 additional bytes to the header
• Default MTU for a GRE tunnel is 1476
• When connecting 2 private IP addresses over the internet:
○ The tunnel interface number is locally significant
○ A route to the tunnel destination must exist on the local router
○ The tunnel source must be specified as an IP address or an interface number
IPsec
• Provides authentication, integrity, and confidentiality
• Has 2 headers: Authentication Header (protocol 51) and Encapsulating Security Payload (protocol 50)
• AH can apply authentication and integrity to the entire payload but can't encrypt it. Only used when confidentiality isn't needed.
• ESP can encrypt the entire payload as well as provide integrity and authentication. ESP supports NAT traversal; AH can't.
• ESP has 2 modes: transport and tunnel. Transport doesn't protect the IP header; tunnel does.
IKE tunnels
• Phase 1 belongs to the control plane; phase 2 belongs to the data plane
• Allows for secure communication to form a tunnel
• IKEv1 uses a 5-step process in phase 1 to create the tunnel (HAGLE).
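The RIB rules from the CEF notes (AD only breaks ties between identical prefixes; otherwise the more specific route wins), the TCAM value/mask/result lookup from the CAM/TCAM notes, and the per-VRF separation described just above can be shown together in one toy model. The Python below is an added example, not code from these notes or from any vendor; the VRF names, prefixes, ADs and next hops are constructed. The RIB step keeps one route per (VRF, prefix) by lowest AD; the TCAM step programs (value, mask, result) entries with the VRF ID folded into the lookup key, ordered longest-mask-first so the first hit is the longest match.

```python
"""Added example (not from the notes or any vendor): RIB route selection, then a TCAM-style
per-VRF longest-prefix lookup. VRF names, prefixes, ADs and next hops are constructed."""
import ipaddress
from dataclasses import dataclass

AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}   # administrative distances used here


@dataclass(frozen=True)
class Route:
    vrf: str
    prefix: str        # e.g. "10.0.0.0/24"
    protocol: str
    next_hop: str


def build_rib(candidates):
    """RIB: for each (VRF, exact prefix) keep only the lowest-AD route.
    AD is compared only between identical prefixes; a /25 and a /24 both stay in the RIB."""
    rib = {}
    for r in candidates:
        key = (r.vrf, r.prefix)
        if key not in rib or AD[r.protocol] < AD[rib[key].protocol]:
            rib[key] = r
    return list(rib.values())


class Tcam:
    """Entries are (value, mask, result); a key matches when key & mask == value.
    Entries are ordered longest-mask-first so the first hit is the longest prefix match,
    which is why AD no longer matters once routes are in the RIB/FIB."""

    def __init__(self, vrf_ids):
        self.vrf_ids = vrf_ids       # VRF name -> numeric ID folded into the lookup key
        self.entries = []

    @staticmethod
    def _key(vrf_id, ip_int):
        return (vrf_id << 32) | ip_int

    def program(self, rib):
        for r in rib:
            net = ipaddress.IPv4Network(r.prefix)
            value = self._key(self.vrf_ids[r.vrf], int(net.network_address))
            mask = self._key(0xFFFFFFFF, int(net.netmask))   # VRF bits are never "don't care"
            self.entries.append((value, mask, r))
        self.entries.sort(key=lambda e: bin(e[1]).count("1"), reverse=True)

    def lookup(self, vrf, ip):
        key = self._key(self.vrf_ids[vrf], int(ipaddress.IPv4Address(ip)))
        for value, mask, route in self.entries:
            if key & mask == value:
                return route
        return None      # no entry in this VRF: the packet is dropped


def demo():
    candidates = [
        Route("CUST-A", "10.0.0.0/24", "eigrp", "192.0.2.1"),
        Route("CUST-A", "10.0.0.0/25", "ospf", "192.0.2.2"),       # more specific, higher AD: still installed
        Route("CUST-A", "10.0.1.0/24", "ospf", "192.0.2.3"),
        Route("CUST-A", "10.0.1.0/24", "eigrp", "192.0.2.4"),      # same prefix: lower AD wins
        Route("CUST-B", "10.0.0.0/24", "static", "198.51.100.1"),  # overlapping space, separate VRF
        Route("mgmt", "0.0.0.0/0", "static", "203.0.113.1"),
    ]
    tcam = Tcam({"CUST-A": 1, "CUST-B": 2, "mgmt": 3})
    tcam.program(build_rib(candidates))
    return tcam


if __name__ == "__main__":
    t = demo()
    for vrf, ip in [("CUST-A", "10.0.0.5"), ("CUST-A", "10.0.0.200"), ("CUST-B", "10.0.0.5"), ("CUST-B", "10.0.1.7")]:
        print(vrf, ip, "->", t.lookup(vrf, ip))
```

Because the VRF ID occupies the upper bits of every key and is never masked out, a destination in CUST-B can never match a CUST-A entry, which is the isolation property a management VRF relies on.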
• Phase 2 is the formation of the IPsec tunnel
• IKEv1 phase 1 lasts for 24H; phase 2 lasts for 12H
• IKEv2 reduces the number of messages sent in tunnel creation and also eliminates the 2 phases
• The same version must be used on either side of the tunnel
• crypto isakmp policy creates the phase 1 IKE tunnel
• crypto ipsec profile creates the IKE phase 2 tunnel
• IKEv1 has 3 modes to choose from: main, aggressive, quick
○ Main needs to exchange 9 messages to form a tunnel; aggressive only needs 6
○ Main mode is more secure than aggressive: main mode hides the identity of the two peers during phase 1 negotiations
• IKEv2 only needs 4 messages: fewer exchanges and less bandwidth needed vs v1
DMVPN
• Phase 1: hub and spoke
• Phase 2: spoke to spoke
• Phase 3: summarizes all spoke prefixes and uses NHRP so that all spokes can talk to the others

2.3 Describe network virtualization concepts
Tuesday, January 7, 2020 9:55 PM
LISP
• Separates the IP address from the location and identity of the device
• Should be used when you have a high density of endpoints and mobile users
• Used as the control plane of the overlay in SD-Access
• Uses a pull model and is a mapping protocol
• The LISP tunnel router (xTR) adds the host in the LISP mapping database; every time a client moves the database is updated
• The xTR registers the host (MAC or IP) in the LISP mapping database
• Instead of an IP address an Endpoint Identifier (EID) is used
• The LISP data plane uses IP/UDP port 4341
• Map Register: EID = IP, VNI (virtual network identifier, VXLAN info); RLOC = xTR IP
• LISP map caching saves the location so it's easier to look up
• What happens when you move? A new registration will be made in the map database
• Routing Locator (RLOC): an RLOC is an IPv4 or IPv6 address of an egress tunnel router (ETR). An RLOC is the output of an EID-to-RLOC mapping lookup. It identifies the IP address of a router responsible for forwarding traffic to devices within a LISP location.
• Endpoint ID (EID): an EID is an IPv4 or IPv6 address used in the source and destination address fields of the first (most inner) LISP header of a packet.
• BGP-EVPN can be used to help with VXLAN latency issues
• An ETR connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to end systems at the site.
• An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites
VXLAN
• Enhanced version of 802.1x
• Used to overcome VLAN shortcomings; has a 24-bit segment ID that defines the broadcast domain
• Permits ECMP
• The data plane of SD-Access
• Used instead of LISP because it includes the L2 Ethernet header and LISP doesn't
• Uses security group tags
VXLAN header (fabric header)
• Carries the segment ID (VNI) and user group (SGT), encoded in the reserved bits of the VXLAN header
• Modified to support 64,000 SGTs using a 16-bit field (Group Policy ID)
• The D bit indicates the egress VTEP should not learn the source address of the encapsulated frame
• VNI (virtual network identifier) is the broadcast domain of the VXLAN infrastructure
• Can theoretically have 16 million overlay networks in the same infrastructure
• VXLAN-GPO encapsulation: 16 bits are allocated to identify the SGT tag
• The policy applied bit (A bit) is used to signal whether a policy has already been applied, or has not yet been applied, to the packet
3.1 Layer 2
Tuesday, January 7, 2020 9:57 PM
Static 802.1Q trunks
• Configured with switchport mode trunk
• Will advertise DTP packets to the other end to establish a trunk
• Trunk status can be verified with show switchport trunk
Dynamic 802.1Q trunks
• Established in 1 of 2 ways:
○ switchport mode dynamic desirable: this mode will actively try to form a trunk with the connected interface
○ switchport mode dynamic auto: will only form a trunk if the other side is actively trying
• switchport nonegotiate: disables negotiation on a trunk port
Allowed VLANs on trunks
• Controls what VLANs can use the trunk: switchport trunk allowed vlan vlan-id
VTP
• Sends VLAN information to other switches to reduce management; can be problematic. Usually disabled or run in transparent mode.
• A client with a higher revision number will replace the VLANs on a server with a lower number
• Messages are sent to multicast destination MAC address 01:00:0C:CC:CC:CC
• Message types are: summary advertisement, subset advertisement, and advertisement request
VTP pruning
• Disabled by default. Reduces unnecessary flooded traffic
• Enhances network bandwidth
Static Layer 2 EtherChannel
• No health status check
• channel-group etherchannel-id mode on
• Sends VLAN information
Dynamic Layer 2 EtherChannel
• Use PAgP (Cisco) or LACP
Static Layer 3 EtherChannel
• Must use the no switchport command to enable L3 routing
• Assigned an IP address
• PAgP on command
Dynamic Layer 3 EtherChannel
• PAgP desirable or auto
• LACP active or passive
• LACP uses multicast MAC address 0180:C200:0002 to communicate and form LACP neighbors
EtherChannel/link bundling 802.3AD
• 802.3AD allows multiple 802.1Q tags on a single Ethernet frame, known as Q-in-Q.
• 802.3AD can improve the stability of the spanning tree topology.
• 802.3AD provides a cost-effective way to increase bandwidth by logically combining multiple member links.
• Seen as a single interface in spanning tree
• It's best to use one of the dynamic protocols like LACP or PAgP
• Best practice is to use LACP rate fast when fast failure detection is required
• Load-balancing algorithms
○ dst-ip
○ dst-mac: uses a packet's destination MAC address to select the physical connection in an EtherChannel bundle that is used to send a packet. The number of bits in the destination MAC address used to make the path selection decision is determined by the number of links in the EtherChannel (remember that links are counted in powers of 2: 8 links would be 2^3, so 3 bits)
○ src-dst-ip
○ src-dst-mac
○ src-ip
○ src-mac
Advanced STP (802.1D) tuning
• The root bridge should be placed on a core switch and the secondary should be placed to minimize changes to the overall STP
• Root bridge is achieved by assigning the lowest possible system priority (0 - 61440 in increments of 4096); all ports of the root bridge are designated ports
• The best way to manually set primary & secondary is assigning priorities of 0 & 4096
• A switch generating a BPDU only includes the calculated metric to the root and not the cost of the egress port. The receiving switch will add the cost for the ingress port to the total path cost.
• Changing the port costs can change the forwarding path: turning an alternate port into a designated port, or into a blocking port by raising the cost
• Root guard is placed on designated ports facing other switches that should never become root bridges
• Portfast should only be used on a trunk when it's connected to a single device; otherwise Portfast should be configured on access ports connected to end hosts to reduce convergence time
○ Convergence is typically around 50 sec
○ TCNs are not generated when an edge port changes state
○ Will bypass listening and learning to move straight to forwarding
• BPDU Guard needs Portfast to be enabled before it can be applied to an interface
• BPDU guard is typically configured on all host-facing ports that are enabled with Portfast.
• BPDU filter simply blocks BPDUs from being transmitted out a port. It also ignores any received BPDU.
• Loop Guard
○ The STP loop guard feature is used to ensure that a root port or an alternate port is always receiving BPDUs from the neighboring switch. This provides protection against a link failing to send BPDUs bidirectionally, allowing a port to assume that no other bridge is connected. If BPDUs stop being received, the port moves to blocked status until BPDUs resume, and it shows a loop-inconsistent state.
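The root bridge election and the "receiver adds the ingress port cost" rule above, together with the root port tie-break order given in the next group of notes (lowest root path cost, lowest upstream bridge ID, lowest upstream port priority, lowest upstream port ID), can be checked with a small simulator. The Python below is an added example, not from these notes or any vendor: the three-switch topology, priorities, MACs, port numbers and link speeds are constructed, the port costs are the 100/19/4 values from the notes, and the default port priority of 128 is assumed. It also shows why root guard matters: a switch that shows up with priority 0 wins the election outright.

```python
"""Added example (not from the notes): 802.1D root bridge election and root port selection
using the tie-break order in the notes. Topology, priorities, MACs and ports are constructed."""
from dataclasses import dataclass

PORT_COST = {10: 100, 100: 19, 1000: 4}       # Mbps -> STP cost (values from the notes)
DEFAULT_PORT_PRIORITY = 128


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int


def bridge_id(switches, name):
    """Bridge ID = (priority, MAC); the lowest value wins the root election."""
    priority, mac = switches[name]
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(switches):
    return min(switches, key=lambda n: bridge_id(switches, n))


def select_root_ports(switches, links, port_cost_override=None):
    """Returns {switch: (root_path_cost, root_port)} for every non-root switch.
    A BPDU carries the sender's root path cost; the receiver adds the cost of its *ingress* port.
    Ties: lowest upstream BID, lowest upstream port priority, lowest upstream port ID."""
    override = port_cost_override or {}
    root = elect_root(switches)
    cost = {root: 0}
    state = {}
    ends = []                                   # (local, local_port, peer, peer_port, speed)
    for l in links:
        ends.append((l.a, l.a_port, l.b, l.b_port, l.speed_mbps))
        ends.append((l.b, l.b_port, l.a, l.a_port, l.speed_mbps))
    for _ in range(len(switches)):              # relax until nothing changes (costs only decrease)
        changed = False
        for name in switches:
            if name == root:
                continue
            best = None
            for local, local_port, peer, peer_port, speed in ends:
                if local != name or peer not in cost:
                    continue
                ingress_cost = override.get((name, local_port), PORT_COST[speed])
                candidate = (cost[peer] + ingress_cost, bridge_id(switches, peer),
                             DEFAULT_PORT_PRIORITY, peer_port, local_port)
                if best is None or candidate < best:
                    best = candidate
            if best is not None and state.get(name) != (best[0], best[4]):
                state[name] = (best[0], best[4])
                cost[name] = best[0]
                changed = True
        if not changed:
            break
    return state


# Constructed topology: SW1 is the intended root (priority 4096); SW2/SW3 keep the default 32768.
SWITCHES = {"SW1": (4096, "0000.0000.0001"), "SW2": (32768, "0000.0000.0002"), "SW3": (32768, "0000.0000.0003")}
LINKS = [Link("SW1", 1, "SW2", 1, 1000),      # SW1 port 1 <-> SW2 port 1, gigabit
         Link("SW1", 2, "SW3", 1, 100),       # SW1 port 2 <-> SW3 port 1, fast ethernet
         Link("SW2", 2, "SW3", 2, 1000),      # two parallel gigabit links SW2 <-> SW3
         Link("SW2", 3, "SW3", 3, 1000)]


if __name__ == "__main__":
    print("root:", elect_root(SWITCHES))
    print("root ports:", select_root_ports(SWITCHES, LINKS))
    print("after raising SW3's costs toward SW2:",
          select_root_ports(SWITCHES, LINKS, {("SW3", 2): 100, ("SW3", 3): 100}))
    print("rogue priority-0 switch wins:", elect_root({**SWITCHES, "ROGUE": (0, "0000.0000.00ff")}))
```

SW3 ends up with root path cost 8 through SW2 (4 + 4) rather than 19 on its direct 100 Mbps link to the root, and between the two equal-cost parallel links it picks the one whose upstream port ID is lower; raising SW3's costs toward SW2 flips the root port back to the direct link, which is the "changing port costs changes the forwarding path" point in the notes.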
○ Configured on root ports
○ Loop guard is used in conjunction with UDLD to protect against broken cables that could cause incorrect STP behavior
• The STP 802.1D forward delay timer is used to determine how long a port remains in the listening and learning states before transitioning to a new state. Valid port types are root and designated.
• Topology change
○ When a config BPDU is received from the root bridge, set the MAC address aging timer to the forward delay and flush out MACs that have not communicated in the past 15 secs
○ When the root bridge receives one it generates a new BPDU with the change flag set
• Port priority: the lower value is preferred. Values range from 0 to 240 and increment by 16. 128 is the default.
• UDLD (unidirectional link detection)
○ Must be enabled on both the local and remote switches' ports to become functional
○ 2 modes: aggressive and normal
• Port cost
○ Ethernet link 10 Mbps = STP cost of 100
○ Fast Ethernet link 100 Mbps = STP cost of 19
○ Gigabit link 1,000 Mbps = STP cost of 4
○ Root path cost is calculated by the advertised root cost from the upstream switch plus the local port cost
• Non-root bridge root port selection:
□ Lowest root path cost
□ Lowest upstream advertised bridge ID
□ Lowest upstream advertised port priority
□ Lowest upstream advertised port ID
• STP error messages and cause
○ STP-2-Block_PVID_Local and STP-2-Block_PVID_Peer: an interface has received a BPDU that is tagged with the same VLAN ID as the interface's native VLAN
○ STP-2-Block_BPDUGUARD: a BPDU is received and BPDU guard is enabled
○ STP-2-Block-Dispute_Detected: the switch has received an inferior BPDU that is marked designated and learning or forwarding
○ STP-2-Bridge_Assurance_Block: an STP BPDU has not been received on an interface with Bridge Assurance enabled
RSTP (802.1W)
• Only has 3 states, for faster error recovery: discarding, learning, forwarding
• Doesn't use timers to determine movement to the next state; it has a negotiation mechanism
• Sync is the method which it uses to recover. Sync occurs when a link comes up between two switches: all non-edge ports are blocked and each connected switch will send a proposal that its port should be the designated port
• Has alternate ports rather than blocked ports, indicating another path to the root
• 2 port types: p2p (interfaces running in full duplex; a half-duplex interface is a shared port and can only use STP) and edge ports (Portfast enabled); if an edge port receives a BPDU it's demoted to a regular RSTP port
• Only when a non-edge port moves to forwarding does RSTP send a TCN to the network through all non-edge designated ports
• If connected to a switch not running RSTP it will default to 802.1D behavior
• During the sync process when 2 switches come up, each sends a proposal that its port should be the designated port
• Topology change
○ The TC timer value is equal to twice the hello timer
○ MAC table entries associated with all ports are cleared except for the port that received the BPDU with the TC flag set
□ Occurs on all designated and root ports
MSTP (802.1s)
• Creates instances that VLANs can be mapped to. An L2 VRF.
• Reduces the CPU burden when using PVST or R-PVST
• Uses the concept of regions: logically separate instances
• MST incorporates mechanisms that make an MST region appear as a single virtual switch to external switches
• MST supports the tuning of port cost and port priority. This can be done on a per-instance basis on the interface
• Pruning of VLANs should not occur for VLANs in the same MST region on different network links
• Hello and forward timers are only configured on the IST root bridge
• Making the MST region the root bridge ensures that all region boundary ports flood the same IST instance BPDU to all the VLANs in the PVST topology.
• The spanning tree port priority can be configured per instance on an interface.
• The spanning tree cost can be configured per instance on an interface.
• The hello and forward delay timers are configured only on the IST root bridge.
• When an MST region is connected to a switch running 802.1W (RSTP):
○ The 802.1W switches will view the MST region as a single bridge and place alternate ports in the blocking state
○ The root bridge for all VLANs will be in the MST region
• All VLANs are mapped to instance 0, and mapping must be done manually
• Troubleshooting
○ The error message "STP-2-Dispute_Detected" could appear because of a unidirectional link failure

3.2 Layer 3
Tuesday, January 7, 2020 9:59 PM
EIGRP
• EIGRP OTP (Over the Top) allows you to run EIGRP between routers that are not directly connected
○ Uses VXLAN as an overlay (tunneling) to connect endpoints, like DMVPN
○ EIGRP OTP only uses LISP for the data plane; EIGRP is used for the control plane.
• Sends hello packets to multicast group 224.0.0.10
• When a new neighbor is formed an empty update message is sent
Compare EIGRP and OSPF
• Algorithm
○ EIGRP: smart distance vector protocol using the diffusing update algorithm (DUAL). Uses pre-calculated loop-free backup paths for fast convergence
○ OSPF: link state; uses the Dijkstra shortest path first (SPF) algorithm to construct a loop-free topology of shortest paths
• Load balancing
○ EIGRP: unequal cost load balancing in addition to ECMP; this is done by changing the variance
○ OSPF: can equal cost load balance up to four paths by default and track up to 16 next hops to the same destination
• Path selection
○ EIGRP: the successor route is the path with the lowest metric to the destination. Then a feasible successor, which is determined by the reported distance received for that route being less than the feasible distance calculated locally
○ OSPF: the path is determined by the cumulative cost of all interfaces of the next hops to the destination
• Path operations
○ EIGRP uses split horizon and poison reverse to avoid loops
○ OSPF looks at path type then the metric.
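The EIGRP path selection and load balancing rows of the comparison above (successor = lowest metric, feasible successor = reported distance lower than the local feasible distance, variance to use unequal-cost paths) are worth seeing on concrete numbers. The Python below is an added example, not from these notes or from Cisco: the four paths and their metrics are constructed plain integers, and the composite metric arithmetic (bandwidth, delay, K values) is not modelled.

```python
"""Added example (not from the notes): EIGRP successor / feasible successor selection and
variance-based unequal-cost load balancing. Metrics are constructed integers, not composite metrics."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    reported_distance: int    # RD: the neighbour's own metric to the prefix
    link_metric: int          # metric of the link from this router to that neighbour

    @property
    def feasible_distance(self):
        return self.reported_distance + self.link_metric


def dual_select(paths, variance=1):
    """Successor = lowest FD. Feasible successor = any other path whose RD is lower than the
    successor's FD (feasibility condition). With variance v, feasible paths with FD <= v * FD are used."""
    successor = min(paths, key=lambda p: p.feasible_distance)
    fd = successor.feasible_distance
    feasible = [p for p in paths if p is not successor and p.reported_distance < fd]
    used = [successor] + [p for p in feasible if p.feasible_distance <= variance * fd]
    return {"successor": successor.next_hop, "fd": fd,
            "feasible_successors": [p.next_hop for p in feasible],
            "load_balanced": [p.next_hop for p in used]}


# Constructed paths to one prefix via four neighbours.
SAMPLE_PATHS = [
    Path("A", reported_distance=100, link_metric=50),    # FD 150 -> successor
    Path("B", reported_distance=120, link_metric=60),    # FD 180, RD 120 < 150 -> feasible successor
    Path("C", reported_distance=160, link_metric=10),    # FD 170 but RD 160 >= 150 -> not feasible
    Path("D", reported_distance=140, link_metric=200),   # FD 340: feasible, used only with variance >= 3
]


if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}:", dual_select(SAMPLE_PATHS, variance=v))
```

Path C is the instructive case: its feasible distance (170) is lower than B's, but its reported distance (160) is not below the successor's FD, so DUAL cannot prove the path is loop-free and refuses to keep it as a backup, no matter what variance is set.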
○ The preferred path types, from most to least preferred: Intra-Area (O), Inter-Area (O IA), NSSA Type 1 (N1), External Type 1 (E1), NSSA Type 2 (N2), External Type 2 (E2)
• Metric
○ EIGRP uses cumulative delay and minimum bandwidth by default; uses K values to determine other metrics
○ OSPF metric is determined by cost; a higher bandwidth has a lower cost. The default cost may need to be changed to account for higher speed interfaces
Configure and verify OSPF
• Normal areas
○ router ospf 100
○ network ip-address wildcard-mask area area-id
• Filtering
○ Can be done in one of 3 ways: area filtering, route summarization, and local OSPF filtering
○ LSA filtering, which prevents type 1 LSAs from being advertised through a member router
○ Area filtering, which prevents type 1 LSAs from being generated into a type 3 LSA
○ Filtering by summarization: area area-id range network subnet-mask not-advertise under the OSPF process. This is a limited form of filtering
○ Area filtering: area area-id filter-list prefix prefix-list-name {in | out} on the ABR
○ A distribute list on an ABR does not prevent type 1 LSAs from becoming type 3 LSAs in a different area because the type 3 LSA generation occurs before the distribute list is processed
○ A distribute list on an ABR prevents type 3 LSAs coming from the backbone from being regenerated into non-backbone areas because this regeneration process happens after the distribute list is processed
○ A distribute list should not be used for filtering of prefixes between areas
○ distribute-list {acl-number | acl-name | prefix prefix-list-name | route-map route-map-name} in
○ show ip ospf database [router | network | summary] to view LSAs in the LSDB
○ For a distribute list
□ In: prevents an LSA from becoming a route in the local routing table, but you cannot stop the LSA from entering the LSDB since all neighbors in the area must have the same database. The LSA is added to the LSDB, but the route is not added to the table.
□ Out: used on ASBRs to stop the creation of external LSAs for specific routes.
• Network types
○ Broadcast: DR/BDR; no manual neighbor configuration
○ Non-broadcast: DR/BDR; needs manual neighbor configuration
○ Point-to-point: no DR/BDR; neighborship automatically configured
○ Point-to-multipoint: no DR/BDR; no manual neighbors
○ Networks that don't broadcast require manual neighbor configuration
○ Automatic neighbor discovery relies on broadcasts and multicasts
○ The multicast address used by the DR/BDR is 224.0.0.6
○ An OSPF network type of point-to-point is the default OSPF network type on a non-Frame Relay serial interface.
□ HDLC or PPP will have a default of point-to-point
• Summarization
○ Helps SPF calculate routes faster; occurs between areas on ABRs
○ Interarea summarization reduces the number of type 3 LSAs that an ABR advertises
○ Interarea summarization on the ABR suppresses the more specific routes
○ The command to summarize on an ABR (type 3) is area range; on an ASBR (type 4) you use summary-address
○ Only type 1 LSAs can be summarized
○ Reduces the size and volatility of the LSDB
• Passive interface
○ Prevents the interface from sending hellos or processing any received OSPF packets, but still adds it to the LSDB; no adjacencies are formed
• Network types: ip ospf network [network-type]; verified with sh ip ospf interface [interface-id] | include type
• Neighbor states
○ 1-3 are establishing neighbor adjacencies; 4-6 synchronize OSPF databases
○ All non-DR/BDR routers will stay in the 2-way state with each other. This is normal behavior
• Load balancing
○ Use the maximum-paths command
○ maximum-paths only limits the number of parallel paths that can be used for load balancing
• Route advertisement
○ OSPF can inject a default route into the LSDB if you use the default-information originate [always] command. If there is no default route in the RIB already, the always keyword is required.
Type 1, Type 2, and Type 3 LSAs are flooded within an area Type 5 LSAs are flooded throughout the OSPF domain, across ABRs. Troubleshooting Areas need to match RID can't be the same Timers must match neighbor's Mismatched MTU sizes could cause the neighbor to be stuck in the Exstart or Exchange state because the DBD packet will exceed the MTU size when sending to the neighboring router Max metric is 65535 reference bandwidth is 10^8 by default 100mbps Infrastructure Page 39 OSPFv3 supports IPv4 and IPv6 address families RID must always be manually configured on IOS router To enable IPv4 IPv6 must be enabled on the interface, then you must explicitly configure the interface to enable IPv4 in OSPFv3 ( ospfv3 process-id ipv4 areaid) A reserved instance ID in the range 64 to 95 identifies a neighbor adjacency is being used for IPv4 A next-hop address is shown as a link-local address in the IPv6 routing table LSA Types Type 3 is interarea prefix for ABRs Type 4 interarea for ASBRs Type 5 AS external used to advertise redistributed routes Type 8 link LSAs advertise link-local IPv6 info Type 9 is intra-area prefix carry IPv6 info The LSAs only provide interface type and cost information Uses Ipsec instead of MD5 for security Supports multiple instances on a single link The BDR is elected before the DR Enabling OSPFv3 on a interface enables the OSPFv3 routing process on the router In order to configure OSPFv3, the process configuration must be completed, and then each interface must be enabled for the process and correct area ID which must match if the passive interface default is used, each interface needs to be specifically made not passive in the configuration to allow OSPFv3 to form an adjacency. • Summarization Summarization is performed on ABRs, just as with IPv4 common error is to perform address summarization in decimal, forgetting that the address is represent in hex. 
● Network types
○ Uses the same 4 network types as OSPFv2: point-to-point, broadcast, point-to-multipoint, non-broadcast
Configure and verify eBGP
● eBGP multihop
○ Peers must be directly connected because the TTL is set to 1
○ Can increase the TTL with neighbor ip-address ebgp-multihop number, where number is between 2 and 255
○ Can be configured with link-local or global unicast addresses
○ Can exchange IPv6 NLRI using an IPv4 peer address by activating a neighbor configured with an IPv4 address in the IPv6 unicast address family
● BGP neighbor states
○ Idle: initial state that the BGP routing process enters when the routing process is enabled or when the device is reset; in this state, the device waits for a start event, such as a peering configuration with a remote peer
○ Active: the BGP routing process tries to establish a TCP session with a peer device using the ConnectRetry timer; start events are ignored while the BGP routing process is in the Active state; if the BGP routing process is reconfigured or if an error occurs, the BGP routing process releases system resources and returns to the Idle state
○ Established: the initial keepalive is received from the remote peer; peering is now established with the remote neighbor and the BGP routing process starts exchanging update messages with the remote peer
● BGP best path selection algorithm
○ 3 tables are used to maintain network prefixes and path attributes for routes:
□ Adj-RIB-In: holds NLRI (Network Layer Reachability Information) for routes before they're processed by inbound policies
□ Loc-RIB: presents routes to the routing table.
□ The Loc-RIB contains locally generated or peer-provided NLRIs
□ Adj-RIB-Out: holds NLRIs after outbound policies are processed
○ The first three criteria used to choose a route are: highest weight (applies to routes received), highest local preference (would determine always going to the same place), and locally originated paths
□ We Love Oranges AS Oranges Mean Pure Refreshment
□ Default local preference is 100. If the column is blank it means it's set at the default 100
○ Then shortest AS path, lowest origin type, lowest MED, external over internal BGP, lowest IGP cost, oldest path, and lowest RID
○ For MED to be used the routes must come from the same AS
● Summarization
○ In order to advertise the configured aggregate, at least one component route must exist in the BGP table
○ BGP uses an aggregate-address configuration to dynamically summarize routes
○ By default both the aggregate and the more specific component routes are advertised to neighbors
○ BGP may also discard some of the attributes of the component routes when building the aggregate
○ The as-set option can be used to preserve some of the AS_PATH information in the form of an unordered list
○ A network statement is added that includes the less specific network mask
○ A static null route is used to prevent forwarding loops when summarizing
○ A static null route can also be used to drop traffic without using an ACL
● Filtering with a distribute-list in a BGP neighbor statement:
○ In: prevents updates from the neighbor from entering
○ Out: prevents BGP routes from being advertised to the neighbor.
● Syntax: neighbor ip-address distribute-list {ACL} {in|out}
● Troubleshooting
○ MTU mismatch
○ Incorrect subnet in the neighbor statement
○ sh ip bgp to see the contents of the BGP routing table
● Communities
○ The community attribute is an optional transitive attribute
○ Communities are not advertised by default between iBGP neighbors
○ Communities are used for prefix tagging
○ Communities can be matched using a standard IP community list, which is similar to an ACL matching a prefix
○ Regular expression matching of community values can be done using an expanded IP community list
○ In order to be RFC compliant, all implementations must support the well-known communities
○ Well-known communities: Internet (prefixes should be advertised to the internet), No_Advertise, No_Export (prefixes that should not be advertised to an eBGP peer)
● Multiprotocol BGP
○ A VPN IPv4 address begins with an 8-byte route distinguisher (RD) and ends with a 4-byte IPv4 address
● Advertisement
○ A minimum of a /24 is needed to advertise on the internet or it will be filtered
○ Getting an AS from ARIN or one of the other
○ Source interface should be modified if you have routes to multiple carriers
○ LOA, SWIP, and Whois record prove you have the rights to advertise using BGP
● Public and Private AS
○ Private 64,512-65,534; Public 1-64,495; Reserved 0 and 65,535
IS-IS
• Only level 1 PDUs (protocol data units) use the area authentication password
• IS-IS has 3 methods of authentication: area, domain, and interface authentication
• Domain authentication is used at level 2
• Domain authentication is configured under isis router mode with domain-password password
• Interface authentication is used at levels 1/2
• To configure interface authentication issue isis password password from interface config mode
• Election process is preemptive; the highest priority becomes the new Designated Intermediate System (DIS)
• Forms a full mesh of neighbor relationships
• Doesn't require that timer values are the same throughout the network
3.3 Wireless
Tuesday, January 7, 2020 10:01 PM
Layer 1 concepts
• RF power
○ Measured in watts (W)
○ Law of Zero: a value of 0 dB means that the two absolute power values are equal
• Comparing power levels
○ EIRP - effective isotropic radiated power: the actual power level radiated from an antenna
○ RSSI - received signal strength indicator: how a receiver usually measures signal power level; measured in dBm but can vary across vendors because there is no standard across manufacturers; focuses on the signal it expects to receive and not any of the others it might also receive
○ SNR - signal to noise ratio: the difference between the signal and the noise
• Sources of interference
○ The following sources can affect devices operating in the 2.4 GHz frequency range: microwaves, radar, baby monitors, cordless phones, neighbors
○ Analog video cameras can cause interference on 802.11g networks because they operate in the same frequency range and have a 100 percent duty cycle
• CCX (Cisco Compatible Extensions)
○ Describes a list of functional extensions to the IEEE 802.11 Wireless LAN standard to support fast roaming (CCKM) with upgraded security, reliability, and diagnostic performance
○ CCX is typically deployed in industrial, enterprise, or institutional environments where 802.11 wireless connectivity or reliability is extremely important
○ Typical deployments include barcode scanners in a warehouse, VoIP mobile phones in an office environment, and wearable medical devices that report patient status.
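An added worked example (not part of the notes) of the power comparisons in the Layer 1 section: the dB ratio behind the Law of Zero, dBm/mW conversion, EIRP as transmitter power plus antenna gain minus cable loss, and an SNR from an RSSI and a noise floor. It goes one step beyond the notes by using the free-space path loss formula (FSPL in dB = 20 log10(d km) + 20 log10(f MHz) + 32.44) to estimate the RSSI a receiver would see at a distance; the function names and the numeric inputs are chosen for this example.

```python
import math


def db_ratio(p1_mw: float, p2_mw: float) -> float:
    """Compare two absolute power levels: 10 * log10(P1 / P2) in dB.

    Equal powers give 0 dB (the Law of Zero); doubling gives +3 dB, x10 gives +10 dB.
    """
    return 10 * math.log10(p1_mw / p2_mw)


def mw_to_dbm(mw: float) -> float:
    """Absolute power relative to 1 mW; 1 mW is 0 dBm."""
    return 10 * math.log10(mw)


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP: what actually leaves the antenna, all terms already in dB so they add."""
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db


def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss (line of sight, no obstacles) in dB."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def expected_rssi_dbm(eirp: float, distance_km: float, freq_mhz: float, rx_gain_dbi: float = 0.0) -> float:
    """Link budget: EIRP minus path loss plus receive antenna gain."""
    return eirp - free_space_path_loss_db(distance_km, freq_mhz) + rx_gain_dbi


def snr_db(rssi_dbm: float, noise_floor_dbm: float) -> float:
    """SNR is the difference between the received signal and the noise, in dB."""
    return rssi_dbm - noise_floor_dbm


if __name__ == "__main__":
    # Constructed scenario: 20 dBm radio, 6 dBi antenna, 3 dB of cable loss,
    # client 100 m away on 2.4 GHz channel 6 (2437 MHz), -90 dBm noise floor.
    eirp = eirp_dbm(20, 6, 3)                            # 23 dBm
    rssi = expected_rssi_dbm(eirp, 0.1, 2437)            # about -57 dBm
    print(f"EIRP {eirp:.1f} dBm = {dbm_to_mw(eirp):.0f} mW")
    print(f"expected RSSI {rssi:.1f} dBm, SNR {snr_db(rssi, -90):.1f} dB")
    print(f"law of zero: {db_ratio(5, 5):.1f} dB; doubling: {db_ratio(2, 1):.1f} dB")
```

The same arithmetic is what a survey tool performs; the point of doing it by hand is seeing that RSSI and noise floor must be in the same unit (dBm) before subtracting them to get SNR.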
802.11
• The IEEE standard for Wi-Fi
• An AP must support the same 802.11 standards as the clients that will connect to it
• 802.11n, 802.11ac, and 802.11ax amendments offer a method to customize the transmitted signal to prefer one receiver over others
• 802.11k provides assisted roaming
• 802.11w helps protect against spoofed management frames
• 802.11r provides fast transition roaming
• 802.11v provides network assisted power savings
AP modes
• Local
○ Default lightweight mode that offers one or more functioning BSSs on a specific channel
○ When it is not transmitting, the AP scans the other channels to measure the level of noise, measure interference, discover rogue devices, and match against intrusion detection system (IDS) events
• Monitor
○ AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor
○ Checks for IDS events, detects rogue access points, and determines the position of stations through location-based services
• FlexConnect
○ AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down and if it is configured to do so
○ Can be managed remotely over a WAN link
○ The AP can support client connections
○ Wireless solution for branch office and remote office deployments
○ H-REAP mode: the AP can be remotely managed over a WAN link and the AP can support clients
○ Can detect rogue APs if it's enabled to
• Sniffer
○ AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device
○ Captured traffic is then sent to a device to be analyzed
• Rogue Detector
○ AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air
○ A rogue device would appear in both networks
• Bridge
○ AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks
○ Two APs in bridge mode can be used to link two locations separated by a distance
• Flex + Bridge
○ FlexConnect operation is enabled on a mesh AP
• SE-Connect
○ AP dedicates its radios to spectrum analysis on all wireless channels
○ Connect remotely to a PC running analyzer software such as Cisco Spectrum Expert to determine sources of interference
AP boot process
• When a lightweight AP boots you can't control the software image it uses; the WLC sends it whatever image it is running
AP discovery of WLC
• Internal preset
○ You can load up to 3 controllers in an AP to look for when coming online. This info is stored in non-volatile memory so it can be remembered after a reboot or power failure
○ If an AP was previously connected to a WLC it will store up to 8 of the 32 WLC addresses on that WLC and contact as many as possible to build a table
• DHCP and DNS
○ DHCP option 43 is used to suggest a list of WLC addresses
○ An out-of-the-box lightweight AP will attempt to obtain a DHCP lease because a static address hasn't been configured yet
○ CISCO-CAPWAP-CONTROLLER.local-domain: if the domain name is resolved the AP will attempt to contact the WLC at that address; this will also be used if DHCP option 43 isn't configured
○ If the previous steps fail the AP will reboot and start the discovery process over
• Broadcast
○ If every method has been tried a CAPWAP Discovery Request broadcast message will be sent on every possible subnet
Antenna types
• Omnidirectional
○ Have a lower gain than directional antennas
○ Dipole: composed of 2 wire segments radiating along the E and H planes; usually have a gain of around +2 to +5 dBi
○ Integrated: very small, put inside a device's outer case (cell phone, laptop, tablet, some APs); generally have lower performance compared to larger devices; typically have a gain of 2 dBi in the 2.4 GHz band and 5 dBi in the 5 GHz band
• Directional
○ Have a higher gain than an omnidirectional antenna
○ Yagi: made up of several parallel wire segments that tend to amplify an RF signal to each other.
○ Yagi outer case is shaped like a thick cylinder; great for line of sight because of how tightly it can focus the beam; best for sending to only 1 receiver
○ Patch: flat and usually mounted on walls or ceilings
○ Dish: highly directional and uses a passive dish shaped like a parabola to focus an RF signal into a tight beam
Roaming
• Intra-controller
○ Client roaming that occurs between two APs joined to the same controller
○ Takes less than 10 ms to complete
• Inter-controller
○ Client roaming that occurs between two APs that are joined to two different controllers
○ Layer 2: inter-controller roam where the WLANs of the two controllers are configured for the same Layer 2 VLAN ID; also known as a local-to-local roam
○ Layer 3: inter-controller roam where the WLANs of the two controllers are configured for different VLAN IDs; also known as a local-to-foreign roam. A CAPWAP tunnel is built to allow communication between the current and former controller
• Enhancements
○ CCKM: one controller maintains a database of clients and keys on behalf of its APs and provides them to other controllers and their APs as needed during client roams. CCKM requires Cisco Compatible Extensions (CCX) support from clients
○ Key Caching: each client maintains a list of keys used with prior AP associations and presents them as it roams. The destination AP must be present in this list, which is limited to eight AP/key entries.
○ 802.11r: addresses fast roaming or fast BSS transition; a client can cache a portion of the authentication server's key and present that to future APs as it roams. The client can also maintain its QoS parameters as it roams.
• Anchor versus Foreign
○ The original controller vs the new controller in a Layer 3 inter-controller roam
○ The foreign controller will tunnel clients back to the anchor so they retain connectivity to their original VLAN and subnet
• Mobility Groups
○ Used to help with inter-controller roaming; allow for scaling and for centralized controllers to cooperate over a large area
○ Increases the speed at which roaming is completed
○ Each controller maintains a mobility list that contains its own MAC address and the MAC addresses of other controllers
○ Must be configured with the same virtual interface IP address
Troubleshooting the WLC, APs, Clients
• AP must have connectivity to its access layer switch
• AP must have connectivity to its WLC unless operating in FlexConnect mode
• Autonomous AP to switch
○ No image in flash
○ Power issue
○ The number of clients on an AP would not be used in diagnosing poor RF conditions around the AP's location
○ Channel noise, channel interference, and air quality are all things to consider that directly relate to RF conditions
• Lightweight AP to WLC
○ Easiest approach is to simply look for the AP in the list of live APs that have joined the controller
○ Channel utilization indicates how much of the available air time is being consumed; higher utilization means that wireless devices will have less time available to claim the channel and transmit data
○ Only requires one IP to support multiple WLANs, and it is also used as the management IP
○ Needs a single VLAN to support CAPWAP tunnels
○ If running a different version of code compared to the WLC, the AP will download it even if it's older
• Autonomous
○ Can support multiple VLANs that are extended to the AP
• Client to AP
○ In client view you'll have 5 dots showing the progress of a client connecting
LAG (Link Aggregation)
• Similar to LACP and PAgP; LAG enables multiple physical ports on a WLC to operate as one logical group
• LACP/PAgP commands don't work to form the EtherChannel on the connected switch.
• You must use the channel-group id mode on command
• A WLC only supports one LAG group
• When you enable LAG you must reboot the WLC
3.4 IP Services
Tuesday, January 7, 2020 10:02 PM
Network Time Protocol theory
• Used to synchronize a set of network clocks in a distributed client/server architecture
• UDP port 123
• The sync process is not fast; it can synchronize a large time discrepancy to within a couple seconds of accuracy with a few cycles of polling an NTP server
• Uses stratum to determine time accuracy. The lower the stratum the better. A NTP server will always be stratum 1
• Root dispersion (that is, the calculated error of the actual clock attached to the atomic clock) and peer dispersion (that is, the root dispersion plus the estimated time to reach the root NTP server)
• An NTP client can be configured for multiple NTP servers but only the one with the lowest stratum will be used
• NTP peers act as clients and servers to each other, in the sense that they try to blend their time to each other.
□ Intended for designs where other devices can act as backup devices for each other and use different primary reference sources
• The ntp authenticate command is used to ensure only certain devices can access the time source
Configure and verify dynamic inside source NAT/PAT
• Dynamic NAT
○ Create a static route on the remote router to where the public addresses should go
□ router(config)# ip route x.x.x.x x.x.x.x interface-id
○ Define the pool of usable public IPs on the local router
□ router(config)# ip nat pool [pool name] x.x.x.x x.x.x.x [pool range] netmask x.x.x.x
○ Create an ACL to identify the private addresses to translate
□ router(config)# access-list [access-list id] permit x.x.x.x x.x.x.x [ip address & wildcard]
○ Link the ACL to the pool of addresses
□ router(config)# ip nat inside source list [ACL] pool [pool name]
○ Define inside interfaces
□ router(config-if)# ip nat inside
○ Verify with show ip nat translations and sh ip nat statistics
• Dynamic PAT
○ Create a static route on the remote router to where the public addresses should go
□ router(config)# ip route x.x.x.x x.x.x.x interface-id
○ Define the pool of usable public IPs on the local router (optional)
□ router(config)# ip nat pool [pool name] x.x.x.x x.x.x.x [pool range] netmask x.x.x.x
○ Create an ACL to identify the private addresses to translate
□ router(config)# access-list [access-list id] permit x.x.x.x x.x.x.x [ip address & wildcard]
○ Link the ACL to the outside public interface
□ router(config)# ip nat inside source list [ACL] interface [interface ID] overload
○ Or link the ACL to the pool of addresses
□ router(config)# ip nat inside source list [ACL] pool [pool name] overload
○ Define the inside interface
□ router(config-if)# ip nat inside
○ Verify with show ip nat translations and sh ip nat statistics
• Pooled NAT vs Static NAT
□ Pooled requires fewer lines of configuration if many translations are needed
□ Fewer inside global addresses are needed with pooled NAT because of Static NAT's 1:1 translations
• NAT-PT: IPv6 to IPv4 translation
□ Use the ipv6 nat prefix command; the prefix length needs to be 96
□ Must have IPv6-to-IPv4
and IPv4-to-IPv6 address mapping
□ ipv6 nat prefix ipv6-address::/96, then on the interface: ipv6 nat
□ For 6to4 tunneling, addresses from 2002::/16 must be used
□ 6to4 tunnel
◊ interface tunnel tunnel-id
◊ ipv6 address ipv6-address
◊ tunnel source interface-id
◊ tunnel mode ipv6ip 6to4
◊ ipv6 route 2002::/16 tunnel tunnel-id
Configure and verify HSRP
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.254
 standby 1 priority 105
 standby 1 preempt
• Verify with show standby, show standby brief, show standby vlan [vlan id]
Configure and verify VRRP
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. vrrp group description text
6. vrr group priority level
7. vrrp group preempt [delay minimum seconds]
8. vrrp group timers advertise [msec] interval
9. vrrp group timers learn
10. exit
• VRRP will use the IP address of the master for the virtual IP if one is not configured
Configure and verify GLBP
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group ip [ip-address [secondary]]
6. exit
7. show glbp [interface-type interface-number] [group] [state] [brief]
○ One AVG and up to four AVFs
PIM theory - Protocol Independent Multicast
□ Routes multicast traffic between networks. Can use any unicast routing protocol to identify the path between source and receivers.
□ The registration message is sent as a unicast packet toward the IP
□ The same packet can be forwarded to multiple different networks
□ The PIM designated router is responsible for registering the source with the PIM RP
□ PIM join requests can be found between 2 multicast routers
□ A (*,G) join, where G = multicast group, is sent from a client to an RP with a request to join that multicast group and receive packets
□ Important multicast IP ranges
◊ Local network control block (224.0.0.0/24): used for protocol control traffic that is not forwarded out of a broadcast domain
◊ Internetwork control block (224.0.1.0/24): used for protocol control traffic that may be forwarded through the Internet (NTP, Cisco-RP Announce and Discovery)
◊ Administratively scoped block (239.0.0.0/8): limited to a local group or organization. These addresses are similar to the reserved IP unicast ranges
◊ GLOP block (233.0.0.0/8): globally scoped statically assigned addresses
◊ Source Specific Multicast (SSM) block (232.0.0.0/8): default range for SSM. SSM forwards traffic to receivers from only those multicast sources for which the receivers have explicitly expressed interest; it is primarily targeted to one-to-many applications.
□ IGMP Snooping
◊ Implemented by default in L2 switches to optimize flooding of multicast traffic
◊ Without snooping, traffic for every group would be flooded on each port in the VLAN, even to receivers that don't want the traffic
◊ Primarily, IGMP snooping uses PIM and IGMP messages to determine where the multicast router is connected, and membership reports are used to identify where receivers are connected and which groups they are interested in.
◊ To optimize forwarding of multicast traffic in L2, the switch listens for PIM or IGMP messages to identify which port is connected to the multicast router (the mrouter port).
◊ IGMP membership report messages from hosts are used to identify the ports that have interested receivers
Multicast tree
□ Multicast routers create distribution trees that define the path that IP multicast traffic follows through the network to reach the receivers
RPF check
□ Used to prevent loops and ensure that multicast traffic is arriving on the correct interface
□ Ensures that multicast traffic always flows downstream from the multicast source to the multicast receivers
□ Does this with the RPF interface. The RPF interface has the lowest-cost path (based on AD/metric) to the source, SPT, or RP. Highest IP wins ties
PIM-SM
□ Used when multicast routers are thinly scattered throughout the network
□ Assumes that no receivers are interested in multicast traffic unless they explicitly request it
□ PIM-SM allows the LHR (last hop router) to switch from the shared tree to an SPT for a specific source
□ Uses an explicit join model where the receivers send an IGMP join to their locally connected router, which is also known as the last-hop router (LHR)
□ Requires the use of a physical RP
□ The last hop router will create and cut over to a shortest path tree
PIM-DM
□ Used when receivers of a multicast group are on every subnet in the network
□ The multicast tree is built by flooding traffic out every interface from the source to every Dense Mode router in the network
□ Prunes expire after three minutes. This must be taken into account when using PIM-DM
□ Not recommended for production environments
□ Does not require an RP.
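An added worked example, not from the notes, tying together the multicast address ranges listed earlier and the RPF check described above. classify_group() places a group address in one of the listed blocks; rpf_interface() picks the RPF interface from a constructed unicast RIB using longest match, then lowest AD, then lowest metric, with the highest next-hop IP breaking ties as the note states; rpf_check() then accepts or drops a packet based on the interface it arrived on, and refuses to forward anything in the link-local 224.0.0.0/24 block. The RIB entries, addresses and interface names are constructed; Route, rpf_interface and rpf_check are names chosen for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Multicast blocks as listed in the notes above
MULTICAST_BLOCKS = [
    ("local network control", ipaddress.ip_network("224.0.0.0/24")),
    ("internetwork control", ipaddress.ip_network("224.0.1.0/24")),
    ("source specific multicast", ipaddress.ip_network("232.0.0.0/8")),
    ("GLOP", ipaddress.ip_network("233.0.0.0/8")),
    ("administratively scoped", ipaddress.ip_network("239.0.0.0/8")),
]


def classify_group(group: str) -> str:
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    for name, block in MULTICAST_BLOCKS:
        if addr in block:
            return name
    return "other multicast"


class Route(NamedTuple):
    prefix: str
    ad: int          # administrative distance
    metric: int
    next_hop: str
    interface: str


def rpf_interface(rib: List[Route], source: str) -> Optional[str]:
    """Interface the unicast RIB says the source is reached through."""
    src = ipaddress.ip_address(source)
    matches = [r for r in rib if src in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (
        ipaddress.ip_network(r.prefix).prefixlen,   # longest match first
        -r.ad,                                       # then lowest administrative distance
        -r.metric,                                   # then lowest metric
        int(ipaddress.ip_address(r.next_hop)),       # equal cost: highest IP wins the tie
    ))
    return best.interface


def rpf_check(rib: List[Route], source: str, group: str, arrival_interface: str) -> Tuple[bool, str]:
    """Decide whether a multicast packet may be forwarded, with the reason."""
    if classify_group(group) == "local network control":
        return False, "224.0.0.0/24 is link-local control traffic: never forwarded"
    rpf_if = rpf_interface(rib, source)
    if rpf_if is None:
        return False, "no unicast route to the source: RPF fails"
    if rpf_if != arrival_interface:
        return False, f"arrived on {arrival_interface} but RPF interface is {rpf_if}: drop"
    return True, f"arrived on RPF interface {rpf_if}: forward down the tree"


# Constructed unicast RIB (prefix, AD, metric, next hop, interface)
RIB = [
    Route("10.1.0.0/16", 110, 20, "10.0.0.1", "Gi0/0"),
    Route("10.1.1.0/24", 110, 30, "10.0.1.1", "Gi0/1"),
    Route("10.1.1.0/24", 110, 30, "10.0.2.1", "Gi0/2"),   # equal-cost twin of the line above
    Route("192.0.2.0/24", 1, 0, "10.0.3.1", "Gi0/3"),
]

if __name__ == "__main__":
    for src, grp, in_if in [("10.1.1.5", "239.1.1.1", "Gi0/2"),
                            ("10.1.1.5", "239.1.1.1", "Gi0/1"),
                            ("10.1.7.5", "224.0.0.13", "Gi0/0")]:
        ok, why = rpf_check(RIB, src, grp, in_if)
        print(f"{src} -> {grp} ({classify_group(grp)}) on {in_if}: {'FORWARD' if ok else 'DROP'}; {why}")
```

The second case is the loop-prevention property in action: a copy of the same stream arriving on a non-RPF interface is silently dropped rather than re-flooded.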
PIM-S/D Mode (sparse-dense)
□ Solves the issue of using Auto-RP in conjunction with sparse mode
□ Allows us to flood the Auto-RP 224.0.1.39 and 224.0.1.40 multicast groups, but in addition it also floods all multicast traffic that we don't have an RP for
Auto-RP - Cisco proprietary mechanism that automates distribution of group-to-RP mappings
□ Can use multiple RPs within a network to serve different group ranges
□ Allows load splitting and simplifies RP placement according to the locations of group participants
□ Prevents inconsistent manual static RP configurations that might cause connectivity problems
□ Operates using two basic components: candidate RPs (C-RPs) and RP mapping agents (MAs)
□ A C-RP advertises its willingness to be an RP via RP announcement messages
BSR - Bootstrap router
□ Provides a fault-tolerant automated RP discovery and distribution solution
□ Does not work well with Auto-RP
□ Discovers and announces RP set information for each group prefix to all routers in the PIM domain
□ Messages originate on the BSR and are then flooded hop-by-hop by intermediate routers
□ Multiple BSRs can be configured in a PIM domain for redundancy; the primary is selected by highest priority
□ BSR does not elect the active RP for a group.
Instead, it leaves this task to each individual router in the network
Static RP
□ Best used in small networks or networks that won't see many changes to the topology
□ The static RP IP address needs to be configured on every router in the multicast domain
□ If a manually configured RP fails there is no failover, and this method doesn't provide any load splitting
Bidirectional PIM
□ Uses the shared tree as its main forwarding mechanism
□ A designated forwarder is used to get traffic to an RP
SSM - Source Specific Multicast
□ IGMPv3 provides source filtering for it
□ IP block 232.0.0.0 to 232.255.255.255
□ Forwards traffic to receivers from only those multicast sources for which the receivers have explicitly expressed interest; it is primarily targeted to one-to-many applications.
□ In order to build a shortest path tree SSM needs (S,G), source and group, learned from the client via IGMPv3
◊ From the interface: ip igmp join-group group-address source source-address
◊ From global config: ip pim ssm default
IGMP theory
Version 2
□ Most common in multicast environments. Sent with a TTL of 1 so it's processed by the local router and not forwarded.
□ When a receiver wants to receive a multicast stream, it sends an unsolicited membership report, commonly referred to as an IGMP join, to the local router for the group it wants to join
□ IGMPv2 routers send general membership query messages with their interface address as the source IP address, destined to the 224.0.0.1 multicast address.
Version 3
□ Supports source filtering, unlike v2. Has 2 new modes, include and exclude: those that want traffic and those that don't.
□ Designed to co-exist with v1 and v2
□ Supports all of IGMPv2's IGMP message types and is backward compatible with IGMPv2
□ The differences between the two are that IGMPv3 added new fields to the IGMP membership query and introduced a new IGMP message type called Version 3 membership report to support source filtering
□ IGMPv3 supports applications that explicitly signal sources from which they want to receive traffic
PPPoE
○ Can use DHCP, PPP, or IPCP to automatically obtain an IP address
4.1 Diagnose network problems using tools such as debugs, conditional debugs, trace route, ping, SNMP, and syslog
Tuesday, January 7, 2020 10:03 PM
4.1 Tools
Debugs
• Helps narrow down the cause when there are network issues by taking a deeper level of inspection
• In regards to OSPF these are commands that can be used:
□ debug ip ospf adj - will show why an adjacency isn't forming
□ debug ip ospf hello - shows if there is a network mismatch
• Conditional debugging can be used to limit the amount of output generated by a debug. An example would be debug ip packet, which in a production environment would generate a lot of output. An ACL can be used to reduce this so that only the needed networks/addresses trigger output
□ Debugging can also be applied to a specific interface to reduce output. The only way to remove debugging from an interface is to use the undebug command on the interface, e.g. undebug interface loopback0
□ To debug a specific interface use the command debug condition interface interface-id
□ A conditional debug will show output for all conditions that have been set
Trace
• Used to determine where traffic is failing
• traceroute shows the IP addresses or DNS names of the hops between the source and destination
• Measures the time between each hop in ms; this can be useful when there is more than one path to a destination
• TTL is 30.
• It can fail if there is a missing route or mistyped destination
• Traceroute options: numeric, port, probe (probes per hop), source, timeout, ttl
Ping
• Determines reachability between points by sending ICMP echo reply messages. The destination must know the way back to the sender
• Round trip time is measured as a minimum/average/maximum
• An extended ping can be used to get more detailed feedback
SNMP
□ Used as a method of getting alerts. SNMP sends unsolicited traps to an SNMP collector or network management system (NMS). Traps are sent in response to something that happened
□ Trap triggers could be tied to link status, improper user authentication, or power failures.
□ There are 3 versions of SNMP. v3 is the most secure. v1 is used by default if no other version is specified.
□ SNMPv1 and SNMPv2c use access lists and a community password or string to control which SNMP managers can talk to the devices via SNMP
□ Uses UDP port 162 for trap messages and UDP 161 overall
□ Version Comparison
Version | Level | Authentication | Encryption | Result
SNMP Operations
4.2 Configure and verify device monitoring using syslog for remote logging
Tuesday, January 7, 2020 10:04 PM
Syslog
• By default all messages are sent to the console
• Date and time must be properly configured before setting up a device to send log messages to
• The default transport protocol is 602
• Syslog message levels
• When setting up syslog the logging buffer is the first thing to focus on.
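An added example, not from the notes, of what a collector does with the messages the syslog section describes: it parses IOS-style lines of the form %FACILITY-SEVERITY-MNEMONIC: text, optionally prefixed by the <PRI> value (facility * 8 + severity) and the sequence number and timestamp a device adds when logging to a remote host, and then keeps only messages at or above a chosen severity (0 emergencies through 7 debugging, lower is more severe). The sample log lines are constructed for this example; SyslogMessage, parse_line and at_least_severity are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IOS severity levels, 0 (most severe) to 7 (least severe)
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"              # syslog PRI = facility * 8 + severity
    r"(?:(?P<seq>\d+): )?"                   # optional sequence number
    r"(?:\*?(?P<ts>[^%]*?): )?"              # optional timestamp (leading * = clock not authoritative)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str            # IOS facility from the %FACILITY-SEVERITY-MNEMONIC header
    severity: int
    mnemonic: str
    text: str
    pri: Optional[int] = None        # <PRI> prefix seen on messages sent to a syslog host
    seq: Optional[int] = None
    timestamp: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def syslog_facility(self) -> Optional[int]:
        # RFC 3164 PRI packs facility * 8 + severity; IOS sends local7 (23) by default
        return None if self.pri is None else self.pri // 8


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse one line; return None for anything that is not an IOS syslog message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        facility=m["facility"], severity=int(m["severity"]), mnemonic=m["mnemonic"],
        text=m["text"],
        pri=int(m["pri"]) if m["pri"] else None,
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
    )


def parse_lines(lines: Iterable[str]) -> List[SyslogMessage]:
    return [msg for msg in map(parse_line, lines) if msg is not None]


def at_least_severity(messages: Iterable[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Keep messages at severity `level` or more severe (numerically lower)."""
    return [m for m in messages if m.severity <= level]


# Constructed sample of what a syslog host receives from an IOS device
SAMPLE_LOG = """\
<187>42: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>43: *Mar  1 00:12:35.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
<188>44: *Mar  1 00:12:40.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
<189>45: *Mar  1 00:12:41.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 port 514 started - CLI initiated
this line is not a syslog message
"""

if __name__ == "__main__":
    for m in at_least_severity(parse_lines(SAMPLE_LOG.splitlines()), 4):
        print(f"{m.severity_name:<13} %{m.facility}-{m.severity}-{m.mnemonic}: {m.text}")
```

With the threshold at 4 (warnings) the run keeps the link-down error and the failed SSH login and drops the notifications and informational lines; the same severity threshold is what the logging buffer and logging trap settings enforce on the device side.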
• Logging buffer: default size is 4096 bytes
○ Enable logging to the buffer
○ Set the severity level of messages to be sent
○ Set the logging buffer to a larger size
• Using the logging synchronous command in a vty line, unsolicited messages appear after solicited output in a Telnet session
4.3 Configure and verify NetFlow and Flexible NetFlow
Tuesday, January 7, 2020 10:04 PM
NetFlow and Flexible NetFlow
• Gathers statistical information on traffic flows
• 2 parts must be configured: data capture and data export. Captured data is sent to a NetFlow collector like DNA Center or Prime
• NetFlow uses a lot of memory resources. The default memory size is platform specific and should be checked before configuring NetFlow
• NetFlow versions
○ v5: most popular due to wide compatibility; uses a fixed data format
○ v9: most recent; has added security and analysis, dynamic data format with templates
• NetFlow collector:
○ Exporter bundles 30-50 similar flows
○ Flow data transported over UDP
○ Real-time and historical data
• Traffic can be captured on the ingress and egress interfaces, but only one direction at a time
○ Type of traffic captured by each:
• A flow is a unidirectional traffic stream that contains a combination of these fields: src/dst IP address, src/dst port number, L3 protocol type, Type of Service (ToS), input logical interface
• sh ip flow top-talkers, sh ip flow interface, sh ip cache flow, sh ip flow export, sh ip flow monitor
• Port numbers are displayed in hexadecimal
Flexible NetFlow
• Security was a major influence behind its adoption due to its ability to track all parts of the IP header as well as the packet and normalize it into flows
• Can dynamically create caches for each type of flow and can also filter ingress traffic destined to a single destination
• Configuration: you must have a flow exporter, a flow record, and a flow monitor.
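An added example, not from the notes, of the flow definition above: packets are keyed on the seven fields that make up a NetFlow flow (source and destination IP, source and destination port, protocol, ToS, input interface), so the two directions of one TCP connection become two separate unidirectional flows, exactly as the note says. top_talkers() mirrors what sh ip flow top-talkers reports, and expire_flows() shows the active/inactive timeouts that decide when a cache entry is exported to the collector. The packet records, interface names and timeout values are constructed for this example; FlowKey, FlowStats, build_flow_cache, top_talkers and expire_flows are names chosen here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple, Tuple


class FlowKey(NamedTuple):
    """The fields that identify one unidirectional flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int      # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    input_if: str


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


# Constructed packet records: (time_s, src_ip, dst_ip, src_port, dst_port, proto, tos, input_if, length)
PACKETS = [
    (0.0, "10.1.1.10", "198.51.100.20", 51000, 443, 6, 0, "Gi0/0", 1500),
    (0.1, "198.51.100.20", "10.1.1.10", 443, 51000, 6, 0, "Gi0/1", 100),
    (0.2, "10.1.1.10", "198.51.100.20", 51000, 443, 6, 0, "Gi0/0", 1500),
    (0.3, "10.1.1.10", "198.51.100.20", 51000, 443, 6, 0, "Gi0/0", 200),
    (0.4, "198.51.100.20", "10.1.1.10", 443, 51000, 6, 0, "Gi0/1", 60),
    (1.0, "10.1.1.11", "10.1.1.1", 53001, 53, 17, 0, "Gi0/0", 70),
]


def build_flow_cache(packets: Iterable[tuple]) -> Dict[FlowKey, FlowStats]:
    """Aggregate packets into the flow cache a NetFlow-enabled interface maintains."""
    cache: Dict[FlowKey, FlowStats] = {}
    for ts, src, dst, sport, dport, proto, tos, inif, length in packets:
        key = FlowKey(src, dst, sport, dport, proto, tos, inif)
        st = cache.get(key)
        if st is None:
            st = cache[key] = FlowStats(first_seen=ts, last_seen=ts)
        st.packets += 1
        st.bytes += length
        st.last_seen = max(st.last_seen, ts)
    return cache


def top_talkers(cache: Dict[FlowKey, FlowStats], n: int = 3, by: str = "bytes") -> List[Tuple[FlowKey, FlowStats]]:
    """Flows sorted by bytes (or packets), like sh ip flow top-talkers."""
    return sorted(cache.items(), key=lambda kv: getattr(kv[1], by), reverse=True)[:n]


def expire_flows(cache: Dict[FlowKey, FlowStats], now: float,
                 active_timeout: float = 60.0, inactive_timeout: float = 15.0) -> List[Tuple[FlowKey, FlowStats]]:
    """Remove and return the flows the exporter would send to the collector now.

    active_timeout: a long-lived flow is exported periodically even while still active
    inactive_timeout: nothing seen for this long, so the flow is considered finished
    (timeout values here are constructed for the example, not platform defaults)
    """
    exported = []
    for key, st in list(cache.items()):
        if now - st.last_seen >= inactive_timeout or now - st.first_seen >= active_timeout:
            exported.append((key, cache.pop(key)))
    return exported


if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    for key, st in top_talkers(cache):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} proto {key.protocol} "
              f"in {key.input_if}: {st.packets} pkts, {st.bytes} bytes")
    print(len(expire_flows(cache, now=20.0)), "flows exported")
```

The client-to-server and server-to-client halves of the HTTPS session show up as two flows with very different byte counts; that asymmetry is one of the first things an analyst looks at in flow data when hunting for exfiltration or scanning.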
• Flow sampler is optional
• Collect and match commands can be used to customize the flow record
○ To configure a custom flow record:
□ Define the flow record name
□ Set a useful description of the flow record
□ Set match criteria for key fields
□ Define non-key fields to be collected
○ To create a flow exporter:
□ Define the flow exporter name
□ Set a useful description of the flow exporter
□ Specify the destination of the flow exporter to be used
□ Specify the NetFlow version to export
□ Specify the UDP port
○ To create a flow monitor:
□ Define the flow monitor name
□ Set a useful description of the flow monitor
□ Specify the flow record to be used
□ Specify a cache timeout of 60 for active connections
□ Assign the exporter to the monitor
4.4 Configure and verify SPAN/RSPAN/ERSPAN
Tuesday, January 7, 2020 10:05 PM
• SPAN/RSPAN/ERSPAN
○ SPAN: capture local network traffic on a switch and send a copy of the network traffic to a local port attached to some sort of traffic analyzer
□ Source packets can only come from:
◊ One or more specific ports
◊ A port channel
◊ A VLAN (all the hosts associated with the specified VLAN), but not an SVI interface
□ Most devices can support at least 2 sessions; newer devices can do more
□ SPAN destination ports only receive traffic and drop ingress traffic; at times connectivity to the analyzer is needed
◊ To allow connection to the analyzer device the following should be configured from global config: monitor session session-id destination interface interface-id ingress {dot1q vlan vlan-id | untagged vlan vlan-id}
□ STP is disabled on the destination port to prevent extra BPDUs from being included in the network analysis
□ SPAN monitoring
◊ Monitor transmit, receive, or both
◊ Can reside in separate VLANs
◊ Source and destination cannot be on the same port
□ Configure source port: monitor session session-id source {interface interface-id | vlan vlan-id} [rx | tx | both]
□ Configure destination port: monitor session session-id destination
interface interface-id [encapsulation {dot1q [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}| replicate [ingress {dot1q vlan vlan-id | untagged vlan vlan-id]}} | ingress] □ Verify with sh monitor session session-id A SPAN session normally copies the packets without including any 802.1Q VLAN tags or Layer 2 protocols ○ RSPAN capture network traffic on a remote switch and send a copy of the network traffic to the local switch through Layer 2 (switching) toward a local port attached to some sort of traffic analyzer MAC addresses are not learned on ports associated with the RSPAN VLAN. Ensures that the switch does not try to use the port associated with the RSPAN VLAN to transmit data to the end host, which in turn ensures that the normal forwarding path is maintained. Traffic is flooded out all the ports associated to the RSPAN VLAN. The RSPAN VLAN should not be associated with ports that are not trunk ports between the source and destination switches. The VLAN configured for RSPAN needs to be the same on all devices □ Configured: Vlan vlan-id Name RSPAN_VLAN Remote-span The destination command: monitor session session-id destination remote vlan rspanvlan-id □ The session-id is locally significant but should be the same for easier configuration ○ ERSPAN capture network traffic on a remote device and send the traffic to the local system through Layer 3 (routing) toward a local port attached to some sort of traffic analyzer Must have end to end connectivity Used in large environments because its not always easy to move a traffic analyzer monitor session span-session-number type erspan-source □ Once the session is create the source must be defined □ Session is enabled by no shutdown command Network Assurance Page 66 ○ Network Assurance Page 67 4.5 Configure and verify IPSLA Tuesday, January 7, 2020 10:05 PM IP SLA • • Once it has been configured the schedule for when it runs needs to be configured ip sla schedule operation-number [life {forever | 
seconds}] [start-time {[hh:mm:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] • Show ip sla configuration • Works by using SNMP traps triggered by events • Violations can trigger other IP SLA operations • Ip sla responder is configured on the remote device to get more information about the network. This command can also add inte rface timestamps to packets • For one way delay both devices should sync to same ntp server • Round trip delay uses a total of 4 time stamps • IP SLA Responder ○ Provides more advanced response metrics ○ Used because some operations require a responder ○ ICMP and HTTP operations do not require a responder Network Assurance Page 68 4.6 Describe Cisco DNA Center workflows to apply network configuration, monitoring, and management Tuesday, January 7, 2020 10:05 PM Cisco DNA Center • Design Geography The network profile allows you to associate an SSID with a location • Policy ISE, people, endpoints, access Define users and groups The access contract is used to create permit and deny actions like an ACL • Provision Building underlay/overlay Cisco recommends using the IP subnet range for device discovery Only devices of the same type can be provisioned together • Assurance Uses network time travel to view the history of client health Configuration Can provide templates Use template editor to create static configurations that you want to apply to all devices You would use a configuration that's already been validated You can copy and paste into the editor Can select the device type that you want the template applied to and software type Monitoring Network Time Travel is an application that acts like a DVR for the network. records what is going on in the environment using streaming telemetry and can play back something that happened in the past. 
    □ It also can show how the network is performing now, as well as use things such as sensors to provide predictive analytics on how the network will perform in the future
  ○ The overall health of the network for wired and wireless devices can be viewed from a client perspective
  ○ Integrates with many other tools, such as Active Directory, Identity Services Engine (ISE), ServiceNow, and Infoblox
    □ This allows for searching of everything related to a user
• Management
  ○ Can integrate third-party apps with Cisco into a single network operation to streamline workflows
  ○ Prime is the main management software
  ○ Can map the location of devices and the total inventory of devices in the network
    □ Maps wireless/wired routers, switches, APs, WLCs and non-Cisco devices
  ○ Prime Infrastructure can control configuration changes as well
  ○ Can view the current running config of all devices
• DNA Center Assurance
  ○ Some information that can be gathered automatically:
    □ Device type, OS version, MAC address, IPv4 address, VLAN ID, connectivity status, last on network, SSID, last location

4.7 Configure and verify NETCONF and RESTCONF
Tuesday, January 7, 2020 10:06 PM

NETCONF and RESTCONF
• NETCONF
  ○ Uses the YANG data models to communicate with the various devices on the network
  ○ Runs over SSH, TLS, and (although not common) Simple Object Access Protocol (SOAP)
  ○ Uses paths to describe resources, whereas SNMP uses object identifiers (OIDs)
  ○ Exchanges information called capabilities when the TCP connection has been made
  ○ NETCONF common uses:
    □ Collecting the status of specific fields
    □ Changing the configuration of specific fields
    □ Taking administrative actions
    □ Sending event notifications
    □ Backing up and restoring configurations
    □ Testing configurations before finalizing the transaction
  ○ Configuration:
    □ netconf-yang --> Enable NETCONF/YANG globally. It may take up to 90 seconds to initialize
    □ username cisco1 privilege 15 password 0 cisco1 --> Username/password used for NETCONF-SSH access
    □ show platform software yang-management process --> Verify
  ○ NETCONF uses SSH, whereas RESTCONF uses HTTP
• RESTCONF
  ○ Used to programmatically interface with data defined in YANG models while also using the datastore concepts defined in NETCONF
  ○ Supports HTTP methods: GET, POST, PUT, DELETE, OPTIONS
  ○ Can use JSON or XML data formats
  ○ NGINX acts as a proxy server when you configure RESTCONF to communicate by using HTTPS on a Cisco device
    □ NGINX is internally installed on a Cisco device

5.1 Configure and verify device access control
Tuesday, January 7, 2020 10:06 PM

5.1 Device access control
• Device line protections
  ○ 3 lines to protect: console, AUX, and VTY
  ○ Not recommended to configure a password directly on a line
  ○ Line configuration must be done on the line, or the line must be specified in the command statement
  ○ A local username and password can be a backup to a AAA server
  ○ From line configuration: password password, then login to enable password checking at login
  ○ Verified by using those credentials on the line they were configured for
• Privilege levels
  ○ Privilege level 0: Includes the disable, enable, exit, help, and logout commands
  ○ Privilege level 1: Also known as User EXEC mode. The command prompt in this mode includes a greater-than sign (R1>). From this mode it is not possible to make configuration changes. Read-only commands
  ○ Privilege level 15: Also known as Privileged EXEC mode. This is the highest privilege level, where all CLI commands are available
  ○ Verify by logging in to see what a user has access to, or with show privilege
  ○ The following commands cannot have their privilege level modified from level 0: disable, enable, exit, help, logout
• Password protections
  ○ 5 types of passwords
  ○ Type 0: most insecure
  ○ Type 5: uses the Cisco improved MD5 hash. Applied by using enable secret.
    □ username secret also uses type 5 encryption
  ○ Type 7: enabled by service password-encryption. Cisco Vigenere cipher; better than type 0 but not as good as type 5
  ○ Type 8: specifies Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret; considered to be uncrackable
  ○ Type 9: uses the SCRYPT hashing algorithm; considered to be uncrackable
  ○ service password-encryption is primarily useful for keeping unauthorized individuals from viewing a password in a configuration file
• AAA
  ○ Authentication, Authorization, Accounting: who are you, what do you have access to, and what did you do
  ○ Managed by a RADIUS or TACACS+ server
  ○ RADIUS
    □ UDP port 1812 (authentication/authorization) & 1813 (accounting)
    □ Open standard
    □ Provides secure network access control
    □ Uses EAP (Extensible Authentication Protocol), which TACACS+ does not
    □ Returns all authorization parameters in a single reply
    □ Encrypts only the password
    □ aaa authentication enable default group radius enable ensures that if the RADIUS server is unavailable the enable password will be used
  ○ TACACS+
    □ TCP port 49
    □ Cisco
    □ Used mainly for device access control
    □ Can separate authentication, authorization, and accounting into independent functions
  ○ How to enable AAA, from config:
    □ aaa new-model
    □ tacacs server name
    □ address ipv4 { hostname | host-ip-address }
    □ key key-string
    □ aaa group server tacacs+ group-name
    □ server name server-name
    □ aaa authentication login { default | custom-list-name } method1 [ method2 . . . ]

5.2 Configure and verify infrastructure security features
Tuesday, January 7, 2020 10:07 PM

ACLs
• Operation
  ○ Sequential lists of access control entries (ACEs) that perform permit or deny packet classification, based on predefined conditional matching statements
  ○ Can be used to provide packet classification for a variety of features, such as quality of service (QoS), Network Address Translation (NAT), or identifying networks within routing protocols
  ○ No effect until applied to an interface
  ○ Should be applied close to the source of the packets being filtered
  ○ Last hop before reaching the router that hosts the end device
• Standard
  ○ Numbered (1-99 & 1300-1999), Named, Port, and VLAN
  ○ access-list access-list-number { deny | permit } source [source-wildcard] [log]
    □ Applied to an interface with ip access-group {acl-number} {in|out}
    □ Applied close to the destination
• Extended
  ○ Numbered (100-199 & 2000-2699), Named, Port, and VLAN
  ○ access-list acl-number {deny|permit} protocol source source-wildcard destination destination-wildcard [protocol-options] [log | log-input]
  ○ Applied close to the source
• Port
• VACL
  ○ Filters traffic that is bridged within a VLAN or that is routed into or out of a VLAN
• How PACLs, VACLs, and RACLs are processed when configured on the same line

CoPP theory and operation
• A control plane policing (CoPP) policy is a QoS policy that is applied to traffic to or sourced by the router's control plane CPU
• In a properly planned CoPP policy, network traffic is placed into various classes, based on the type of traffic (management, routing protocols, or known IP addresses)
• Implemented to limit traffic to the control plane CPU to a specific rate for each class
• The QoS police command uses conform, exceed, and violate actions, which can be configured to transmit or drop traffic.
• ACLs are used to identify the traffic, class maps are used to match traffic, and policy maps determine what happens to the traffic
• The baseline of each traffic class is determined with the conform, exceed, and violate actions
• Applying and verifying:
  ○ control-plane
  ○ service-policy input POLICY-CoP
  ○ show policy-map control-plane input
• Typical CoPP implementations use only an input policy, which allows traffic to the control plane to be policed to a desired rate, but a policy can also be applied to outbound traffic
• The CoPP policy map needs to be applied to the control plane with the command service-policy {input|output} policy-name under control-plane configuration mode
• Modular QoS CLI is what allows for traffic filtering
  ○ Class maps: classify network traffic based on L3, L4, L7 information
  ○ Policy maps: define a series of actions to be taken against traffic matching a class map
  ○ Service policies: specify where a policy map should be implemented
• Main objectives
  ○ Identify and rate-limit traffic that reaches the control plane
  ○ Protect IOS process memory, buffers, and ingress packet queues
  ○ Protection against DoS attacks
• Configuration
  ○ Create an ACL to identify traffic
  ○ Create a class map to classify traffic
  ○ Create a policy map to define the action to take against matched traffic
  ○ Create a service policy to enable policing on the control plane interface

Management Plane Protection (MPP)
• When configured, only traffic that enters the management interface can be used to remotely manage the device.
• Any management traffic from protocols that are not allowed by MPP will be dropped
• Management traffic received on another interface and destined for the host will be dropped
• Offers the ability to restrict the interface on which network management packets can enter the device. After enabling, no other interface can accept network management traffic destined to the device.
• The management plane is the logical path for all traffic related to management of the routing platform. Used to manage the device via its network connection. Protocols processed here are Telnet, SNMP, SSH, HTTPS.
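An added worked example (not code from these notes or from Cisco IOS) of the ACL, class-map and policy-map chain that the ACL and CoPP sections above describe: an extended-ACL matcher with IOS wildcard-mask semantics and first-match plus implicit-deny ordering, class maps built from those ACLs, and a single-rate three-colour policer that yields the conform/exceed/violate result the police command acts on. The ACLs, addresses, rates and packets are constructed for the example, and class-default is left unpoliced, which is an assumption made here to keep the block short.

```python
import ipaddress

class Packet:
    """Minimal packet description for the example (constructed, not captured)."""
    def __init__(self, src, dst, proto, dport=0, size=64):
        self.src, self.dst, self.proto, self.dport, self.size = src, dst, proto, dport, size

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_match(aces, pkt):
    """Extended ACL semantics: ordered ACEs, first match wins, implicit deny at the end.
    ACE = (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)."""
    for action, proto, src, swc, dst, dwc, dport in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

# Constructed policy: ACLs identify traffic, class maps match it, the policy map polices it
ACL_MGMT = [   # SSH and SNMP from the management subnet to the router's own address
    ("permit", "tcp", "10.0.0.0", "0.0.0.255", "192.0.2.1", "0.0.0.0", 22),
    ("permit", "udp", "10.0.0.0", "0.0.0.255", "192.0.2.1", "0.0.0.0", 161),
]
ACL_ROUTING = [   # OSPF to the 224.0.0.x multicast range, any source
    ("permit", "ospf", "0.0.0.0", "255.255.255.255", "224.0.0.0", "0.0.0.255", None),
]
CLASS_MAPS = [("CoPP-MGMT", ACL_MGMT), ("CoPP-ROUTING", ACL_ROUTING)]

class Policer:
    """Single-rate three-colour policer. cir is bytes/s, bc/be are bucket sizes in bytes.
    A packet conforms while the committed bucket (Bc) can pay for it, exceeds when only
    the excess bucket (Be) can, and violates when neither can."""
    def __init__(self, cir, bc, be):
        self.cir, self.bc, self.be = cir, bc, be
        self.tc, self.te = bc, be      # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.cir
        self.last = now
        spill = max(0.0, self.tc + tokens - self.bc)   # what does not fit in Bc feeds Be
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)

    def police(self, size, now):
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"

# policy map: class -> (policer, action per colour); the rates are constructed for the example
POLICY = {
    "CoPP-MGMT": (Policer(cir=1000, bc=1000, be=1000),
                  {"conform": "transmit", "exceed": "transmit", "violate": "drop"}),
    "CoPP-ROUTING": (Policer(cir=5000, bc=5000, be=0),
                     {"conform": "transmit", "exceed": "drop", "violate": "drop"}),
}

def classify(pkt):
    """First class map whose ACL permits the packet wins; otherwise class-default."""
    for name, acl in CLASS_MAPS:
        if acl_match(acl, pkt) == "permit":
            return name
    return "class-default"

def control_plane_input(pkt, now):
    """Apply the input CoPP policy to one packet punted to the control plane CPU.
    Returns (class, colour, action). class-default is left unpoliced here, an assumption
    for the example; a real policy would normally police it as well."""
    cls = classify(pkt)
    if cls not in POLICY:
        return cls, "conform", "transmit"
    policer, actions = POLICY[cls]
    colour = policer.police(pkt.size, now)
    return cls, colour, actions[colour]

if __name__ == "__main__":
    ssh = Packet("10.0.0.5", "192.0.2.1", "tcp", dport=22, size=400)
    for t in (0.0, 0.0, 0.0, 0.0, 0.0, 1.0):   # a burst at t=0, then one packet a second later
        print(t, control_plane_input(ssh, t))
    print(control_plane_input(Packet("10.0.0.5", "192.0.2.1", "tcp", dport=23), 1.0))
```

With Bc and Be both 1000 bytes, a burst of five 400-byte SSH packets gives two conform, two exceed and one violate (dropped); a second later the committed bucket has refilled and its overflow has topped up the excess bucket, so the next packet conforms again. Telnet from the same host matches no class-map ACL and falls into class-default.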
Device Hardening
• Disable topology discovery tools (CDP, LLDP)
• Disable TCP and UDP small services
• Disable IP redirect services, which are used to inform a device of a better path to the destination network
• Disable proxy Address Resolution Protocol (ARP), a technique that a router uses to answer ARP requests intended for a different router
• Disable service configuration
• Disable the Maintenance Operation Protocol (MOP) service
• Disable the packet assembler/disassembler (PAD) service

NGFW
• LINA and Snort are the two main engines used to detect and prevent attacks
  ○ The LINA engine receives an incoming packet and performs checks that are related to routing and NAT
  ○ If configured, the LINA engine will pass the packet to Snort
  ○ Snort inspects the packet and returns a verdict of blacklisted or whitelisted
• Interfaces can be configured in one of the following modes:
  ○ Routed: full LINA checks and full Snort checks are supported
  ○ Switched: partial checks
  ○ Passive: partial checks
  ○ Passive (ERSPAN): partial checks
  ○ Inline Pair: all Snort engine checks will be performed on flows; minimal LINA engine checks will be performed on flows; enables the device to drop packet flows
  ○ Inline Pair with tap
• No zero-touch deployment

Zone-based firewall
• Latest integrated stateful firewall technology
• Router interfaces are assigned to a specific zone, which can maintain a one-to-one or many-to-one relationship
• By default, interfaces in the same security zone can communicate freely with each other, but interfaces in different zones cannot communicate with each other.
• When an interface that is not in a security zone sends traffic to an interface that is in a security zone, the traffic is dropped
• Self zone
  ○ The self zone is a system-level zone and includes all the router's IP addresses.
  ○ By default, traffic to and from this zone is permitted to support management (for example, SSH protocol, SNMP) and control plane (for example, EIGRP, BGP) functions. After a policy is applied to the self zone and another security zone, interzone communication must be explicitly defined.
• Default zone
  ○ The default zone is a system-level zone, and any interface that is not a member of another security zone is placed in this zone automatically.
• When configuring the zones, the order of the zone pair is significant; the first zone indicates the source zone, and the second zone indicates the destination zone
• The inspection policy map, which identifies the specified traffic, has 3 options: drop, pass, inspect
  ○ drop [log]: This default action silently discards packets that match the class map.
  ○ pass [log]: This action makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction; a policy must be applied for traffic to be forwarded in the opposite direction. The pass action is useful for protocols like IPsec, Encapsulating Security Payload (ESP), and other inherently secure protocols with predictable behavior
  ○ inspect: The inspect action offers state-based traffic control. The router maintains connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy
• The inspect policy map has an implicit class-default that uses a default drop action

5.3 Describe REST API security
Tuesday, January 7, 2020 10:07 PM

REST API Security
• Algorithms: PBKDF2, bcrypt and scrypt algorithms.
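An added example (not code from these notes, from Cisco DNA Center, or from IOS) tying together the password-hashing algorithms named here, the type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets from section 5.1, and the token-based API login that the rest of this section describes: credentials are stored as salted PBKDF2 or scrypt digests and verified with a constant-time compare, a successful login mints a short-lived HMAC-signed token in the header.payload.signature Base64URL layout that section 6.2 describes for JWTs, and a failed-attempt counter provides the brute-force protection. The iteration counts, key, usernames and passwords are constructed for the example and are not the parameters IOS or DNA Center use.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# --- credential storage: salted, slow hash (the idea behind IOS type 8 and type 9 secrets) ---
PBKDF2_ROUNDS = 20000    # iteration count chosen for the example, not an IOS parameter

def scrypt_available():
    return hasattr(hashlib, "scrypt")

def hash_password(password, scheme="pbkdf2", salt=None):
    """Return 'scheme$salt$digest'. A fresh random salt per password means two users with
    the same password do not share a hash, and precomputed tables do not apply."""
    salt = salt or os.urandom(16)
    if scheme == "pbkdf2":      # PBKDF2-HMAC-SHA256, the type 8 family
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    elif scheme == "scrypt":    # scrypt, the type 9 family (memory-hard)
        digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)
    else:
        raise ValueError("unknown scheme")
    return f"{scheme}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    scheme, salt_hex, _digest = stored.split("$")
    candidate = hash_password(password, scheme, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)    # constant-time comparison

# --- bearer token: header.payload.signature, each part Base64URL-encoded (the JWT layout) ---
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, key, ttl_seconds=3600, now=None):
    """HS256: sign base64url(header).base64url(payload) with HMAC-SHA256. Every login mints
    a new token and every token expires, so a captured one is only useful until exp."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def verify_token(token, key, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None.
    The signature is checked before anything inside the token is trusted."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    if json.loads(_unb64url(header)).get("alg") != "HS256":   # accept only the expected algorithm
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims

# --- the authentication endpoint: credentials in, token out, with brute-force protection ---
MAX_FAILURES = 5

class AuthService:
    """No session state is kept between requests; the token carries the identity.
    The only per-user state is a failed-attempt counter used for lockout."""
    def __init__(self, key):
        self.key = key
        self.users = {}       # username -> stored hash
        self.failures = {}    # username -> consecutive failed logins

    def add_user(self, username, password, scheme="pbkdf2"):
        self.users[username] = hash_password(password, scheme)

    def login(self, username, password, now=None):
        """Equivalent of POST /auth/token with basic-auth credentials."""
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return None                                   # locked out
        stored = self.users.get(username)
        if stored is None or not verify_password(password, stored):
            self.failures[username] = self.failures.get(username, 0) + 1
            return None
        self.failures[username] = 0
        return issue_token(username, self.key, now=now)

if __name__ == "__main__":
    svc = AuthService(os.urandom(32))
    svc.add_user("netops", "correct horse battery")
    token = svc.login("netops", "correct horse battery")
    print(token)
    print(verify_token(token, svc.key))
```

Every API call after login would send the token in a header (the X-Auth-Token header shown below in the DNA Center request), and the server only needs the signing key, not a session table, to validate it.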
Classic HTTP POST command is used to authenticate with DNA Center by sending the username and password Token Needed for future API calls to DNA center controller Once you authenticate you receive a token that contains a hashed string The token changes every time you authenticate If another user authenticates the will get their own unique token for the database A token can be obtained by a malicious user through reverse engineering Can use basic Auth of UN/PW to get a token Tokens only last for a limited time Oauth delegated authorization framework for REST/APIs OAuth 2.0 authorization used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords Uses a token for authorization Securing Use SSL/TLS Don’t make the database structure obvious Should be stateless (meaning it doesn't save information from a session) Include brute force protection Method: POST URL: http://APIC-EMController/api/v1/user Custom Headers: Content-Type: application/json ‘X-Auth-Token’ Request Body: JSON that created the user Security Page 80 5.4 Configure and verify wireless security features Tuesday, January 7, 2020 10:08 PM EAP variations • defines a set of common functions that actual authentication methods can use to authenticate users • Supplicant: The client device that is requesting access • Authenticator: The network device that provides access to the network (usually a wireless LAN controller [WLC]) • Authentication server (AS): The device that takes user or client credentials and permits or denies network access based on a user database and policies (usually a RADIUS server) • When using EAP always use the highest WPA mode that is supported on your WLC/Aps/Clients • Validates the user's account against an internal or external source • Uses a shared secret • 802.1x will securely capture personal credentials but doesn't encrypt • To use EAP 802.1x must be enabled on a WLC Extensible Authentication 
Protocol • LEAP Does not require a certificate instead uses RADIUS Cisco • EAP-FAST Doesn’t need a certificate. Uses Protected Access Credentials to authenticate users 3 phases Phase 0 optional provisioning client with PAC Phase 1 creating secure tunnel between client and server Phase 2 authenticating client Cisco • EAP-TLS Requires a client and server certificate Used for point to point connections for wired and wireless links Performs mutual authentication to secure the authentication process Client and server must obtain their certificates from the same CA • PEAP Requires a digital certificate be installed on server but not the client Open standard Security Page 81 Open standard • EAP Chaining EAP-FAST includes the option of EAP chaining, which supports machine and user authentication inside a single outer TLS tunnel enables machine and user authentication to be combined into a single overall authentication result allows the assignment of greater privileges or posture assessments to users who connect to the network using corporate-managed devices WebAuth • Uses open authentication • Directs client to webpage that just may give an AUP if just using HTTP but if using HTTPS will aske for UN/PW • Configured at L3 predefined in the gui and uses a certificate • Passthrough is what is used when you just have an AUP • 2 modes local web authentication (LWA) central web authentication(CWA) which is done from a RADIUS server • The preference for how a client is authenticated can be set LWA with an internal database on the WLC LWA with an external database on a RADIUS or LDAP server LWA with an external redirect after authentication LWA with an external splash page redirect, using an internal database on the WLC LWA with passthrough, requiring user acknowledgement PSK • Matching string on endpoint & AP • No way to track identity because every has same access credentials • Time consuming to change • Configured from the gui with SSID and PSK that users will use to gain access 
must enable it or the key won't be active WEP, WPA, WPA2, WPA3 • All WPA methods use one of 2 methods for client authentication. PSK or 802.1x (personal mode & enterprise mode) • Personal mode uses a PSK Security Page 82 • Personal mode uses a PSK • WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP • WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE) • WPA3-Personal offers forward secrecy, which prevents attackers from being able to use a key to unencrypt data that has already been transmitted over the air • WPA2 supports 256 bit encryption • WEP supports 128 bit encryption • WPA2 uses AES-CCMP for encryption 802.11w • Provides management frame protection in a WLAN. MFP prevents spoofing of the connections between an AP and a wireless client 802.11i • Defines AES which is fully used by WPA2 Security Page 83 5.5 Describe the components of network security design Tuesday, January 7, 2020 10:08 PM Components (theory only) Cisco Safe Protects these places in the network: branch, campus, data center, edge, cloud, WAN □ These areas are secured using the following concepts: management, security intelligence, compliance, segmentation, threat defense, and secure services □ PINS not needed/used in the current network infrastructure can be removed □ Cisco SAFE security architectural framework that helps design secure solutions provides this visibility through network traffic telemetry, file reputation, and contextual information (such as device types, locations, users, identities, roles, privileges levels, login status, posture status, and so on) Cisco AMP malware analysis and protection solution that goes beyond point-in-time detection and provides comprehensive protection for organizations across the full attack continuum: before, during, and after an attack most important component 
of the AMP architecture is AMP Cloud, which contains the database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions file disposition in the AMP Cloud can change based on data received from Talos or Threat Grid The architecture of AMP can be broken down into the following components: AMP Cloud (private or public) most important part. Contains database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions. The file disposition in the AMP Cloud can change based on data received from Talos or Threat Grid. AMP cloud performs decision making in real time AMP connectors AMP connectors remain lightweight by instead sending a hash to the cloud and allowing the cloud to make the intelligent decisions and return a verdict (about reputation or file disposition) of clean, malicious, or unknown. Supported by endpoints as well as network devices like NGFW, ISRs, email, web, and Meraki Security Page 84 Cisco AnyConnect More than just a VPN, offers enhanced security through built-in modules like VPN Posture(HostScan) and ISE Posture assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host. If an endpoint is found to be noncompliant, network access can be restricted until the endpoint is in compliance. includes web security through Cisco Cloud Web Security, network visibility into endpoint flows within Stealthwatch, and roaming protection with Cisco Umbrella Cisco Umbrella provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded. 
All devices will forward their DNS request to Umbrella's global network Cisco Web Security Appliance All in one web gateway to block hidden malware leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid that allows it to stay one step ahead of the evolving threat landscape to prevent the latest exploits from infiltrating the network Cisco Talos Cisco threat intelligence organization tracks threats across endpoints, networks, cloud environments, the web, and email detects, analyzes, and protects against both known and emerging threats for Cisco products Cisco Email Security Appliance Detect, block, and remediate threats across the attack continuum Global threat intelligence: It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid. Cisco Advanced Phishing Protection (CAPP): CAPP combines Cisco Talos threat intelligence with local email intelligence and advanced machine learning techniques to model trusted email behavior on the Internet, within organizations, and between individuals. It uses this intelligence to stop identity deception– based attacks such as fraudulent senders, social engineering, and BEC attacks. Threat Grid Can perform static(checking filenames, MD5 checksums, file types) and dynamic(behavioral) file analysis Gets threat intelligence feeds from Talos to better identify threats Threat Grid is available as an appliance and in the cloud, and it is also integrated into existing Cisco security products and third-party solutions. 
Sandbox solution Firepower NGFW URL filtering and application layer inspection Stateful inspection and integrated intrusion prevention Security Page 85 Stateful inspection and integrated intrusion prevention Advanced malware detection ability to leverage external security intelligence to address evolving security threats Available as hardware and software Firepower NGIPS Real-time contextual awareness, advanced threat protection, intelligent security automation, performance & scalability, Application visibility and control (AVC) and URL filtering Automates protection policy updates Quickly IDs users affected by client-side attacks Can be virtual or physical device Firepower series appliances, Firepower Threat Defense (FTD) for ISR, NGIPS Virtual (NGIPSv) firepower integrates with Cisco Talos for up-to-the-minute IPS signature updates and URL filtering can be deployed as active/standby and intra-chassis clustering Can integrate with ISE to quarantine, unquarantine, and shutdown(the compromised port the endpoint is connected to) hosts Firepower Management Center single pane of glass for event collection and policy management can use Cisco ISE to apply remediation on compromised hosts: quarantine, unquarantine, and shutdown Cisco StealthWatch Enterprise 2 types Enterprise and Cloud At the core of Stealthwatch Enterprise are the Flow Rate License, the Flow Collector, Management Console, and Flow Sensor Required components for Enterprise Flow Rate License: The Flow Rate License is required for the collection, management, and analysis of flow telemetry data and aggregates flows at the Stealthwatch Management Console as well as to define the volume of flows that can be collected. Flow Collector: The Flow Collector collects and analyzes enterprise telemetry data such as NetFlow, IP Flow Information Export (IPFIX), and other types of flow data from routers, switches, firewalls, endpoints, and other network devices. 
The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics). It can also pinpoint malicious patterns in encrypted traffic using Encrypted Traffic Analytics (ETA) without having to decrypt it to identify threats and accelerate response. Flow Collector is available as a hardware appliance and as a virtual machine. Stealthwatch Management Console (SMC): The SMC is the control center for Stealthwatch. It aggregates, organizes, and presents analysis from up to 25 Flow Collectors, Cisco ISE, and other sources. It offers a powerful yet simple-to-use web console that provides graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensiveanalysis. The SMC is available as a hardware appliance or a virtual machine. Cisco ISE security policy management platform that provides highly secure network access control (NAC) to users and devices across wired, wireless, and VPN connections Allows for visibility into what is happening in the network, such as who is connected (endpoints, users, and devices), which applications are installed and running on endpoints (for posture assessment) Cisco ISE is the central pxGrid controller (also referred to as pxGrid server), and all Cisco and third-party security platforms (referred to as pxGrid nodes) interface with it to publish, subscribe to, and query contextual information pxGrid 1.0: Released with ISE 1.3 and based on Extensible Messaging and Presence Protocol (XMPP) pxGrid 2.0: Uses WebSocket and the REST API over Simple Text Oriented Message Protocol (STOMP) 1.2 TrustSec next-generation access control enforcement solution performs network enforcement by using Security Group Tags (SGTs) instead of IP addresses and ports SGT tags represent the context of the user, device, use case, or function Configuration done in 3 phases: ingress 
classification, propagation, egress enforcement □ Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources (static or dynamic) □ Propagation is the process of communicating the mappings to the TrustSec network devices that will enforce policy based on SGT tags (inline tagging or SXP propagation) □ After the SGT tags have been assigned (classification) and are being transmitted across the network (propagation), policies can be enforced at the egress point of the TrustSec network. MACSec Security Page 86 802.1AE standards-based Layer 2 link encryption technology used by TrustSec to encrypt Secure Group Tag (SGT) frames on Layer 2 links between switches and between switches and endpoints Only encrypts traffic destined to other MACsec enabled devices Security Association Protocol (SAP): This is a proprietary Cisco keying protocol used between Cisco switches. MACsec Key Agreement (MKA) protocol: MKA provides the required session keys and manages the required encryption keys. The 802.1AE encryption with MKA is supported between endpoints and the switch as well as between switches. Downlink MACsec is the term used to describe the encrypted link between an endpoint and a switch Uplink MACsec is the term for encrypting a link between switches with 802.1AE 802.1X Port-based network access control L2 authentication MAB network access control technique that enables port-based access control typically used as a fallback mechanism to 802.1x MAB authenticated endpoints should be given very restricted access and should only be allowed to communicate to the networks and services that the endpoints are required to speak to MAC Authentication Bypass must wait until 802.1X times out before attempting network access. By default, this value is set to 90 seconds on a Cisco Catalyst switch □ setting the timer interval too low can result in 802.1X bypass happening unnecessarily. 
WebAuth network access control technique that enables access control by presenting a guest web portal requesting a username and password typically used as a fallback mechanism to 802.1x and MAB Local and centralized web authentication with ISE Endpoint Security Talos tracks threats across endpoints Threat Grid can test and analyze suspicious files before they ever touch an end device Cisco identity-based networking services (IBNS)2.0 integrated solution that offers authentication, access control, and user policy enforcement with a common end-to-end access policy that applies to both wired and wireless networks Combination of Enhanced FLexAuth(Access Session Manager), Cisco Common Classification Policy Language (C3PL), ISE Security Page 87 6.1 Interpret basic Python components and scripts Tuesday, January 7, 2020 10:09 PM • Basic Python theory ○ Simple and easy to read for humans like XML and YAML ○ Scripts are interpreted at run-time by a python interpreter ○ A string is simply one or more alphanumeric characters ○ You would use 3 quotation marks in a row to begin a multiple line string and to end a multiple line string ○ To install a different python version use command python x.x where x.x references the version number anything more than 2 digits is too specific ○ Variables "Variable" = x Can be stored in one place and used multiple times Collect info from user or database and use it throughout script ○ Uses dictionaries and lists to store variables to use later or to store gathered data ○ The print() command must be used to get data to show ○ Data Types Natively recognizes string, integer, boolean(true/false), and collections(list and dictionaries) as values ○ Lists and Dictionaries List is an ordered collection of unnamed items. 
    A dictionary is a collection of named (keyed) items stored as key/value pairs; treat it as unordered (look items up by key, never by position)
    □ Items in a list are indexed from 0 (the first item); negative indexes count from the end, so -1 is the last item
    □ A tuple is like a list, but its contents can't be changed once it has been set (immutable)
    □ Dictionary example: dnac = {"host": "sandboxdnac.cisco.com", "port": 443, "username": "devnetuser", "password": "Cisco123!"}
      A dictionary is a set of name/value pairs enclosed in curly brackets
  ○ Python also uses if/elif/else statements
    If "this" then do that; if "not this" then do (or don't do) something else
    A conditional statement is where something only takes place if the right conditions are met
    Conditions are commonly used in loops, which are iterative (not recursive) statements: a while loop repeats until its condition is no longer met, and a for loop runs once for each item in a collection
    for x in something (list or dictionary): do this
• Modules
  ○ Modules are files of Python code that can be imported to expand the functionality of a script, or to reuse something from a previous script
  ○ Some modules provide advanced math functions and some are used when automating networks
• Functions
  ○ Functions are blocks of code built to perform a specific action. Some functions are built into Python and do not have to be created; a great example is print(), which writes data to the terminal
• Classes
  ○ Your own custom data type
  ○ Describes how to create an object, sort of a blueprint
  ○ Can represent complex objects or ideas
  ○ The state = the properties/variables of the class; the behavior = the methods/functions
• File modes
  ○ The "r" mode opens a file read-only (the default). There is no "rw" mode; "r+" opens for reading and writing without truncating. The "w" mode opens the file for writing and truncates it, so any existing contents are overwritten. The "a" mode is append mode, which adds values to the end of a file without overwriting existing contents
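An added example for 6.1 (my code, not from the notes or from Cisco): one short script that uses each building block above together, a list of dictionaries, a for loop with a conditional, a function, a class, and the "w" versus "a" file modes. The device inventory is constructed for the example; the hostnames are made up.

```python
"""Added example (not from the original notes): exercises lists, dictionaries,
loops, conditionals, a function, a class and the 'w' / 'a' file modes.
The inventory below is constructed; the hostnames are made up."""
import os
import tempfile

# Constructed inventory: a list (ordered) of dictionaries (keyed).
INVENTORY = [
    {"host": "sw-access-01", "role": "access", "port": 443},
    {"host": "sw-dist-01", "role": "distribution", "port": 443},
    {"host": "sw-core-01", "role": "core", "port": 8443},
]


class Device:
    """State (properties) plus behavior (methods) for one inventory entry."""

    def __init__(self, host, role, port):
        self.host = host
        self.role = role
        self.port = port

    def url(self):
        # Hypothetical RESTCONF base URL built from the object's state.
        return f"https://{self.host}:{self.port}/restconf/data"


def hosts_with_role(inventory, role):
    """Return the hostnames in `inventory` whose role matches `role`, in list order."""
    matches = []
    for entry in inventory:          # for loop over a list
        if entry["role"] == role:    # conditional; the value is looked up by key
            matches.append(entry["host"])
    return matches


def write_report(path, lines, mode):
    """Write `lines` to `path` in the given mode ("w" truncates, "a" appends).
    Returns the number of lines the file holds afterwards."""
    if mode not in ("w", "a"):
        raise ValueError("use 'w' or 'a'; there is no 'rw' mode")
    with open(path, mode) as fh:
        for line in lines:
            fh.write(line + "\n")
    with open(path, "r") as fh:      # "r" is read-only
        return sum(1 for _ in fh)


def demo():
    """Show that 'w' overwrites while 'a' appends; returns (count after w, count after a)."""
    devices = [Device(**entry) for entry in INVENTORY]   # ** unpacks a dict into keyword arguments
    path = os.path.join(tempfile.mkdtemp(), "report.txt")
    first = write_report(path, [d.url() for d in devices], "w")   # 3 lines
    write_report(path, ["overwritten"], "w")                       # file truncated: 1 line
    second = write_report(path, [d.url() for d in devices], "a")  # 1 + 3 = 4 lines
    return first, second


if __name__ == "__main__":
    print(hosts_with_role(INVENTORY, "access"))   # ['sw-access-01']
    print(INVENTORY[-1]["host"])                  # negative index: last item
    print(demo())                                 # (3, 4)
```

Run it as a script to see the three prints; the point of demo() is that the second "w" write discards the three earlier lines while the following "a" write keeps the one line that was there.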
6.2 Construct valid JSON encoded file
Tuesday, January 7, 2020 10:10 PM
• A JSON object is an unordered set of name/value pairs enclosed in curly brackets
• Basic syntax
  ○ Easy to read whether it's indented or not (whitespace between tokens is not significant)
  ○ Stores data in key/value pairs like a Python dictionary; keys must be strings in double quotes
  ○ Each object starts with { and ends with }
    {
      "user": "root",
      "father": "Jason",
      "mother": "Jamie",
      "friend": "Luke"
    }
  ○ Array [] = Python list; Object {} = Python dictionary
  ○ A key and its value are separated by a colon; pairs (and array elements) are separated by commas, with no trailing comma
  ○ Values can be any of the data types: string, number, object (a nested JSON object), array, boolean (true/false), and null
• Compare to XML
  ○ An XML attribute gives more detail about an element and must appear in quotes
  ○ A comment provides documentation within a file
  ○ A declaration is the optional first line in an XML document that contains version and encoding information
  ○ A tag is a string of text inside the < and > signs; XML uses tags to provide separation of information
  ○ JSON is generally easier to work with: lighter syntax, and it maps directly onto native list/dictionary types
• JSON Web Token (JWT)
  □ A JWT is comprised of three parts, header, payload, and signature, each Base64URL-encoded and separated by "." delimiters, so the delimiters themselves carry no data
  □ The header identifies the token type and the signing algorithm (e.g. {"alg": "HS256", "typ": "JWT"}); it is the token as a whole that enables secure transmission of JSON-formatted claims between two parties
  □ The payload component contains the claims: registered claims (iss, sub, aud, exp, iat, ...), public claims, and private claims
  □ The signature is computed over the Base64URL-encoded header and payload joined with "." using the algorithm named in the header and a secret (HMAC) or private key (RSA/ECDSA); it proves integrity and origin, not confidentiality, because the payload is only encoded, not encrypted
  □ Check: the receiver must verify the signature with the algorithm it expects, never the one the token claims, and must reject "alg": "none" and expired tokens

6.3 Describe the high-level principles and benefits of a data modeling language, such as YANG
Tuesday, January 7, 2020 10:10 PM
YANG theory (relate to NETCONF and RESTCONF)
• Uses leaf and container structure
  ○ A leaf represents a single attribute of something being modeled; it has a type and no children
  ○ A container groups related nodes and can hold leaves and lists; a list represents a set of something being modeled (e.g. a router interface), each entry identified by a key. Every node is either configurable (config true, read-write) or operational (config false, read-only)
• YANG data models are an alternative to SNMP MIBs and are becoming the standard data definition language for network devices
• Uses a tree structure; instances of the model are encoded as XML (NETCONF) or JSON/XML (RESTCONF)
• The tree structure represents how to reach a specific element of the model, and the elements can be either configurable or not configurable
• Every element has a defined type. For example, an interface can be configured to be enabled or disabled (a boolean leaf). However, the operational interface state cannot be changed; for example, if the options are only up or down, it is either up or down, and nothing else is possible
• YANG models make a clear distinction between configuration data and state information
• YANG data models are harder for humans to read compared to CLI output, but they are structured and machine-readable
• YANG doesn't scrape output from the CLI, and it eliminates the need to do so
• NETCONF
  ○ Uses YANG-modeled data to communicate with different devices on the network (XML-encoded RPCs over SSH, with candidate/running/startup datastores)
  ○ Code example
    list interface {
      key "name";
      leaf name {
        type string;
      }
      leaf speed {
        type enumeration {
          enum 10m;
          enum 100m;
          enum auto;
        }
      }
      leaf observed-speed {
        type uint32;
        config false;
      }
    }
  ○ (Diagram) Dotted lines are devices talking directly back to the management apps; solid lines are the NETCONF protocol between the management apps and the devices
• RESTCONF
  ○ Programmatically interfaces with data defined in YANG models while also using the datastore concepts defined in NETCONF
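Going back to the JWT part of 6.2: an added example (my code, not from the notes or from any Cisco product) that builds and verifies an HS256 token with only the standard library, so the header.payload.signature structure and the verification checks become concrete. The secret and the claims are constructed for the example.

```python
"""Added example (not from the original notes): build and verify an HS256 JWT with
the standard library. SECRET and the claims are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret-do-not-reuse"   # assumption: shared HMAC key


def b64url_encode(raw: bytes) -> str:
    # JWT uses Base64URL without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature for the given claims, signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    # separators drop whitespace so the token is compact; sort_keys makes it reproducible.
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":"), sort_keys=True).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")      # the two encoded parts, joined by "."
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    segments.append(b64url_encode(signature))
    return ".".join(segments)


def decode_jwt(token: str, secret: bytes, now: float = None) -> dict:
    """Verify the token and return its claims; raise ValueError if it must be rejected."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. Never dispatch on header["alg"]: accepting "none" (or an RSA
    # public key reinterpreted as an HMAC secret) lets an attacker forge tokens.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):   # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def forge_alg_none(new_claims: dict) -> str:
    """The classic 'alg: none' forgery: unsigned header.payload. with an empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    token = encode_jwt({"sub": "devnetuser", "role": "viewer", "exp": 2_000_000_000}, SECRET)
    print(token)
    print(decode_jwt(token, SECRET, now=1_700_000_000))
    for bad in (forge_alg_none({"sub": "devnetuser", "role": "admin"}), token + "x"):
        try:
            decode_jwt(bad, SECRET, now=1_700_000_000)
        except ValueError as err:
            print("rejected:", err)
```

Paste the printed token into any Base64URL decoder to see that the payload is readable by anyone who holds the token; only the third segment stops it from being altered.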
  ○ The goal of RESTCONF is to provide a RESTful API experience while still leveraging the device abstraction capabilities provided by NETCONF
  ○ Supports the HTTP methods GET, POST, PUT, PATCH, DELETE, OPTIONS, and HEAD, which map onto CRUD (Create, Read, Update, Delete)
  ○ RESTCONF requests and responses can use either JSON or XML structured data formats (Accept/Content-Type application/yang-data+json or application/yang-data+xml); it runs over HTTPS

6.4 Describe APIs for Cisco DNA Center and vManage
Tuesday, January 7, 2020 10:10 PM
APIs (Application Programming Interface) for DNA Center and vManage
• Northbound API
  ○ Northbound APIs are used by management software, scripts, and other applications to talk to a network controller
  ○ DNA Center also provides a GUI for managing the controller; the GUI and the northbound REST API expose the same functions
  ○ Should use TLS for encryption; most APIs can use encryption
• Southbound API
  ○ Used by the controller to push changes to, and collect data from, network devices (NETCONF, RESTCONF, SNMP, SSH/CLI)
  ○ APIs interact with the components of a network through a programmatic interface
• REST API
  ○ RESTful APIs use HTTP methods to gather and manipulate data
• Postman
  ○ Application that makes it possible to interact with APIs from a graphical client without writing code first
  ○ Allows various data types and formats to interact with REST-based APIs
  ○ In the builder portion of Postman there are 4 important sections to remember
    History
    □ Shows a list of all the recent API calls made using Postman
    □ The entire history can be cleared at any time, or just individual API calls
    Collections
    □ Groups that API calls can be stored in
    □ These groups are specific to a structure that fits the user's needs
    □ Saving calls in a collection helps during testing so that API calls can be easily found and sorted
    □ Collections can also be favorited by clicking the star next to them
    New Tab
    □ Each tab can have its own API call and parameters that are completely independent of any other tab
    □ Each tab has its own URL bar to target a specific API
    URL Bar
    □ Each API call in a RESTful API maps to an individual URL for a particular function
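An added example for 6.3 and 6.5 (my code, not from the notes, Cisco, or any RESTCONF library): the "list interface" YANG snippet above turned into a small model description that a client checks a payload against before sending it, the RESTCONF URL for one keyed list entry, and a function that interprets the HTTP status class and the error body of a reply. The host name, the payloads and the sample replies are constructed; the sample bodies are shaped like RFC 8040 and DNA Center JSON but were not captured from a device.

```python
"""Added example (not from the original notes): validate a config payload against the
notes' YANG 'list interface', build the RESTCONF URL for a list entry, and interpret a
reply. Host, payloads and replies are constructed; nothing here contacts a device."""
import json
from urllib.parse import quote

# The notes' YANG list as plain data: leaf -> (Python type, allowed enum values, config true/false).
INTERFACE_MODEL = {
    "name":           {"type": str, "enum": None,                    "config": True},
    "speed":          {"type": str, "enum": {"10m", "100m", "auto"}, "config": True},
    "observed-speed": {"type": int, "enum": None,                    "config": False},
}


def validate_config_entry(entry: dict, model=INTERFACE_MODEL) -> list:
    """Return the problems with a config payload (an empty list means it is valid)."""
    problems = []
    for leaf, value in entry.items():
        spec = model.get(leaf)
        if spec is None:
            problems.append(f"unknown leaf {leaf!r}")
        elif not spec["config"]:
            problems.append(f"{leaf!r} is config false (operational data, read-only)")
        elif not isinstance(value, spec["type"]) or isinstance(value, bool):
            problems.append(f"{leaf!r} must be {spec['type'].__name__}")
        elif spec["enum"] and value not in spec["enum"]:
            problems.append(f"{leaf!r} must be one of {sorted(spec['enum'])}")
    if "name" not in entry:
        problems.append("missing list key 'name'")
    return problems


def restconf_url(host: str, module: str, path: str, key: str = None) -> str:
    """RESTCONF data URL; a list key follows '=' and must be percent-encoded ('/' -> %2F)."""
    url = f"https://{host}/restconf/data/{module}:{path}"
    if key is not None:
        url += "=" + quote(key, safe="")
    return url


def interpret_response(status: int, body: str) -> dict:
    """Classify an HTTP status code and pull the useful part out of the payload."""
    klass = {1: "informational", 2: "success", 3: "redirect",
             4: "client error", 5: "server error"}[status // 100]
    result = {"status": status, "class": klass, "retry": status in (429, 503),
              "data": None, "errors": []}
    if body.strip():                                    # 204 No Content has no body
        payload = json.loads(body)
        if "ietf-restconf:errors" in payload:           # RFC 8040 error container
            result["errors"] = [e.get("error-tag", "") + ": " + e.get("error-message", "")
                                for e in payload["ietf-restconf:errors"]["error"]]
        elif "response" in payload:                     # DNA Center envelope {"response": ..., "version": ...}
            result["data"] = payload["response"]
        else:                                           # RESTCONF data, e.g. ietf-interfaces:interface
            result["data"] = payload
    return result


# Constructed replies (not captured from a device).
SAMPLE_GET_OK = json.dumps({"ietf-interfaces:interface": [{"name": "GigabitEthernet1", "enabled": True}]})
SAMPLE_ERROR_404 = json.dumps({"ietf-restconf:errors": {"error": [
    {"error-type": "application", "error-tag": "invalid-value", "error-message": "uri keypath not found"}]}})
SAMPLE_DNAC_401 = json.dumps({"response": {"message": "Authentication token expired"}, "version": "1.0"})


if __name__ == "__main__":
    print(validate_config_entry({"name": "GigabitEthernet1", "speed": "1g", "observed-speed": 1000}))
    print(restconf_url("router.example.net", "ietf-interfaces", "interfaces/interface", "GigabitEthernet1/0/1"))
    print(interpret_response(404, SAMPLE_ERROR_404))
    print(interpret_response(204, ""))
```

The two rejections from validate_config_entry are exactly the distinctions 6.3 draws: a value outside the defined type (the enumeration) and a write to a config false leaf that the device will refuse; catching them client-side turns a 400 from the device into an error message before the request is sent.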
    □ Every configuration change or poll to retrieve data that a user makes through a REST API has its own URL, whether it is a GET, POST, PUT, PATCH, or DELETE operation
• Cisco vManage APIs
  ○ Use Postman (or a script) to interact programmatically with the APIs
  ○ The URL bar must target the authentication API first; the session cookie it returns is then sent with every later call to the /dataservice endpoints
  ○ An HTTP POST operation is used to send the username and password to Cisco vManage (form-encoded, to /j_security_check)

6.5 Interpret REST API response codes and results in payload using Cisco DNA Center and RESTCONF
Tuesday, January 7, 2020 10:11 PM
REST API response codes
• Informational responses (100–199)
• Successful responses (200–299), e.g. 200 OK, 201 Created, 204 No Content (the usual RESTCONF reply to a successful PUT or DELETE; the payload is empty by design)
• Redirects (300–399)
• Client errors (400–499), e.g. 400 Bad Request (malformed payload), 401 Unauthorized (missing or expired token), 403 Forbidden (authenticated but not permitted), 404 Not Found (the YANG path or DNA Center resource does not exist)
• Server errors (500–599)
• Error code 501 Not Implemented indicates the server does not have the functionality to complete the request
• Error code 500 Internal Server Error: an unexpected condition prevented the server from fulfilling the request
• Error code 405 Method Not Allowed: the request method is known by the server but is not supported by the target resource
• Results in the payload: a RESTCONF error reply carries an "ietf-restconf:errors" body (JSON or XML) with error-type, error-tag, and error-message; a DNA Center reply wraps the result (or the error description) in a "response" key alongside a "version" key

6.6 Construct EEM applet to automate configuration, troubleshooting, or data collection
Tuesday, January 7, 2020 10:11 PM
EEM - Embedded Event Manager
• Allows engineers to build software applets that can automate many tasks
• Applets execute automatically, based on the output of an action or an event on a device (a syslog message, a CLI command, a timer, an SNMP trap or counter, a tracked object, and so on)
• One of the main benefits of EEM is that it is all contained within the local device, so it keeps working when the management network or controller is unreachable
• An applet is composed of multiple building blocks; two of the primary ones are events and actions
• Can match CLI patterns (the typed command, as a regular expression) to trigger an event
• Uses a type of if-then logic for decision making
• The actions enable and configure terminal must be the first actions within an applet that issues configuration commands, because the applet's CLI session starts in exec mode
• If AAA command authorization is in use, it is important to include the event manager session cli username username command; otherwise the CLI commands in the applet will fail authorization
• For a CLI event, sync yes runs the applet before the typed command executes and the applet's action puts output appears on the user's terminal (the applet allows or blocks the command through _exit_status); with sync no the command runs immediately, the applet runs in the background, and its output is only visible through action syslog (skip yes/no decides whether the command itself is still executed)
• An applet can be manually triggered and can itself run a Tcl script stored in flash
• Use the command event manager run applet-name to manually trigger an applet that was registered with event none

6.7 Compare agent vs. agentless orchestration tools, such as Chef, Puppet, Ansible, and SaltStack
Tuesday, January 7, 2020 10:11 PM
• Automation tools
• An agent-based tool requires software installed on the target device; an agentless tool does not (it reaches the device over SSH, WinRM, or an API)
• Configuration management tools function in two different models: push and pull
  ○ Push models push configuration from a centralized tool or management server to clients
  ○ Pull models: clients check in with the server to see if there is any change in the configuration, and if there is, the remote devices pull the updated configuration files down
• Chef
  ○ Agent-based, written in Ruby (recipes are a Ruby DSL), pull model; the agent talks to the Chef server over HTTPS, not SSH
  ○ 4 types of deployment
    □ Chef Solo: no Chef server; cookbooks are run locally on the node or workstation
    □ Chef client and server: the typical Chef deployment with distributed components
    □ Hosted Chef: the Chef server is hosted in the cloud
    □ Private Chef: all Chef components are within the same enterprise network
  ○ knife is the name of the command-line tool used to upload cookbooks to the Chef server: knife upload cookbookname
  ○ With Chef, the kitchen (Test Kitchen) is a place where all recipes and cookbooks can automatically be executed and tested prior to hitting any production nodes
• Puppet
  ○ Agent-based, written in Ruby (manifests use Puppet's own declarative DSL)
  ○ Supported on Catalyst, Nexus, and UCS
  ○ Puppet master (server) and puppet agent (client)
  ○ Changes and tasks are recorded in the Puppet database (PuppetDB), which can be located on the same Puppet master server or on a separate box
  ○ Puppet allows for the management and configuration of multiple device types at the same time
  ○ From a basic operation perspective, Puppet agents communicate with the Puppet master over HTTPS, each agent using its own TCP connection
  ○ 3 different installation types (Puppet Enterprise)
    □ Monolithic: supports up to 4,000 nodes; the typical install
    □ Monolithic with compile masters: 4,000 to 20,000 nodes
    □ Monolithic with compile masters and standalone PE-PostgreSQL: more than 20,000 nodes
  ○ Puppet modules allow for the configuration of practically anything that can be configured manually. Modules contain the following:
    □ Manifests: the code that configures the clients or nodes running the Puppet agent. The catalogs compiled from them are delivered to the agents over SSL/TLS, and certificates must be installed on the master and the agents to secure (and mutually authenticate) the communication between them
    □ Templates
    □ Files
  ○ Puppet Bolt is the agentless version
    □ Open source, written in Ruby; connects over SSH or WinRM
    □ Orchestrator-driven tasks leverage the Puppet architecture (the PE orchestrator service) to connect to devices; this design is meant for large-scale environments
    □ Standalone tasks connect directly to devices or nodes to execute tasks and do not require any Puppet environment or components to be set up in order to realize the benefits and value of Puppet Bolt
• SaltStack
  ○ Agent-based (the agent is the minion), built on Python; a user can extend SaltStack directly with Python code
  ○ Most of the instructions or states that get sent out to the nodes are written in YAML or a DSL (domain-specific language)
    □ Collections of states are called Salt formulas
    □ Formulas can be modified but are designed to work out of the box
  ○ Uses the concept of masters and minions
  ○ Can run remote commands on systems in parallel, which allows for very fast performance
  ○ Leverages a distributed messaging platform called 0MQ (ZeroMQ) for fast, reliable messaging throughout the stack
  ○ Event-driven technology that has components called reactors and beacons
  ○ A reactor lives on the master and listens for events reporting that a node or device differs from its desired state or configuration, e.g. changes in:
    □ CLI configuration
    □ Disk/memory/processor utilization
    □ Status of services
  ○ Beacons live on minions
    □ If a configuration changes on a node, a beacon emits an event and the reactor on the master responds (typically by running a state). The remote execution system then runs the functions that determine whether the configuration is in the appropriate state on the minions; these executions are called jobs, and executed jobs can be stored in an external database (a returner) for future review or reuse
  ○ Pillars and grains
    □ Grains are gathered on the minions (by the salt-minion daemon) and describe the system (OS, hardware, interfaces) so the master can target on them. Because a minion sets its own grains, never use them to decide what sensitive data a minion may receive
    □ Pillars, on the other hand, store data (including secrets) on the master that a minion can retrieve. Pillars can have certain minions assigned to them, and minions that are not assigned to a specific pillar do not have access to that data
  ○ SaltStack command structure contains targets, commands (module.function), and arguments: salt '<target>' <module.function> [arguments]
  ○ Salt SSH (server-only mode)
    □ Allows users to run Salt commands without having to install a minion on the remote device or node
    □ Salt SSH connects to a remote system over SSH, installs a lightweight version of SaltStack in a temporary directory, and can then optionally delete the temporary directory and all files upon completion, leaving the remote system clean
    □ Can work in conjunction with the master/minion environment, or it can be used completely agentless across the environment
• Ansible
  ○ Agentless
  ○ Uses SSH for most devices and can use Windows Remote Management (WinRM) for Windows hosts; network devices are driven through SSH/CLI or their API via connection plugins
  ○ Doesn't need a root or administrative account on the client; it can use privilege escalation such as sudo (become) when it needs to raise the level of administrative control, so the SSH user itself can be unprivileged
  ○ All requests are sent from a control node, which could be a laptop or a server
  ○ The control node is what runs Ansible, issues changes, and sends requests to the remote hosts
  ○ PPDIOO (Prepare, Plan, Design, Implement, Operate, Optimize) is Cisco's network lifecycle model; automation tools like Ansible fit into the Implement and Operate phases
  ○ Ansible uses playbooks to deploy configuration changes or retrieve information from hosts within a network
  ○ An Ansible playbook is a structured set of instructions (plays, each naming the hosts and listing tasks); playbooks are written in YAML
  ○ Commands
    □ ansible: runs ad hoc modules against targeted hosts
    □ ansible-playbook: runs playbooks
    □ ansible-doc: provides documentation on module syntax and parameters in the CLI
    □ ansible-pull: changes Ansible clients from the default push model to a pull model (each host pulls a playbook from a repository and runs it locally)
    □ ansible-vault: encrypts YAML files, or individual values, that contain sensitive data, so credentials are not stored in plain text alongside the playbooks
  ○ The control node runs on Linux and UNIX-like systems (including macOS); managed nodes can be Linux, UNIX-like, Windows, or network devices