ENCOR 350-401

1.1 Explain Different design principles
Thursday, December 5, 2019
8:40 AM
1.1a Enterprise network design principles used in an enterprise network
• A standard hierarchical LAN design has three layers: Access, Distribution, and Core
• Access layer: Gives the end devices and users direct access to the network
 Also referred to as the network edge, it provides high bandwidth connectivity for wireless or wired devices. Typical media used for connections are Gigabit Ethernet and
802.11n/802.11ac wireless.
VLANs are a common means of separating devices in the Access Layer.
Communication between Access Layer devices on different switches occurs at the Distribution Layer.
The QoS trust boundary and QoS mechanisms are usually enabled at the Access Layer.
 Port security and 802.1X are found here
 Voice VLANs, QoS functions, PoE, STP, VACLs (VLAN ACLs)
• Distribution layer: Acts as a meeting place for Access layer activity and provides a boundary between the Core and Access layers.
One of the key functions of that boundary is to bound Spanning Tree Protocol, limiting propagation of L2 faults.
On the L3 side the distribution layer provides a logical point to summarize IP routing information before it reaches the Core. This summarization shrinks the routing table
for easier troubleshooting and reduces overhead.
 Summarization, security, policy, load balancing, routing
 Ideally only uses 2 switches. Houses FHRPs
• Core layer: Provides connections between distribution layers for large environments
The Core is the backbone for large enterprises; it serves as an aggregation point for multiple networks and provides scalability, high availability and fast convergence.
The Core layer helps to reduce network complexity.
 Redundancy
• Two-tier Design (Collapsed Core)
Used mainly in smaller environments that have no need for a Core and want a cost-effective solution. Before deciding to go with this design, these things must be
considered: future scale, expansion and manageability.
 Combines the functions of the core layer with the distribution layer. Handles fast L3 switching, SVIs, and connections to the internet. Generally used when you have more distribution
blocks.
 Typical campus design
 2 Tier “Spine-Leaf”
 Function of each layer
 Spine acts like the aggregation/distribution layer handles fast L3 switching. It’s the backbone and responsible for interconnecting all leaf switches.
 Leaf is similar to access because end devices connect there, but it also pulls in internet and core services. L3 services.
 Overlay friendly and easy to scale. Low latency.
 Connectivity between layers
 vPCs (virtual port channels) are used to connect devices and overcome STP issues, allowing maximum use of bandwidth.
 A network mesh with every leaf switch connected to every spine switch. Makes devices one hop away which helps with redundancy and reliability.
 Fabric Capacity Planning
 Overlay vs Underlay
 Overlay is the application running on top. Something like NSX or SD-WAN
 Underlay is the physical network that provides your networking services.
 Layer 3 routed access vs Layer 2 access design
 Network convergence is improved
 STP can be eliminated
 FHRP is no longer required to provide a default gateway
 All links can be utilized through ECMP routing
1.1b High availability techniques such as redundancy, FHRP, and SSO
 High Availability
 Redundancy
 Having a secondary path to a default gateway in case of a link failure.
 First Hop Redundancy Protocol (FHRP)
 When there is a link failure the new active router sends out a gratuitous ARP letting devices in the network know it is the new path.
 An additional function that can be used is Object Tracking, which can monitor the status of routes, line protocol (L2 status), reachability, and IP SLA.
 For design purposes GLBP is only beneficial when you have 3-4 gateways.
 Can load balance with HSRP/VRRP by configuring a different active router for different VLANs
 STP root, HSRP/VRRP primary and vPC (virtual port channel) should all be on the same switch and timers should be close.
 HSRP
 Cisco FHRP that provides active/standby redundancy for a local subnet by creating a virtual router.
 v1 can handle 256 groups; v2 can handle 4096 groups
 Router priority (default 100); ties are broken by the higher IP address
 Standby router monitors the active router via Hello messages sent every 3 seconds.
 Preemption must be configured for the standby to become the active router
 Uses plaintext or MD5 authentication; MD5 is preferred
 v1 uses UDP packets to communicate
 vMAC: v1 0000.0C07.ACxx, v2 0000.0C9F.Fxxx
 Active/Active in data center
 States
Active – This is the state of the device that is actively forwarding traffic.
Init or Disabled – This is the state of a device that is not yet ready or able to participate in HSRP.
Learn – This is the state of a device that has not yet determined the virtual IP address and has not yet seen a hello message from an
active device.
Listen – This is the state of a device that is receiving hello messages.
Speak – This is the state of a device that is sending and receiving hello messages.
Standby – This is the state of a device that is prepared to take over the traffic forwarding duties from the active device.
 v1
 UDP port 1985, 256 groups, vMAC 0000.0C07.ACxx, 224.0.0.2
 v2
 UDP port 1985, 4096 groups, vMAC 0000.0C9F.Fxxx, 224.0.0.102
 v6
 UDP port 2029, 4096 groups, vMAC 0005.73A0.0xxx, FF02::66
 VRRP
 Open standard redundancy protocol that provides master/backup redundancy. Does not need a virtual router.
 When you don't configure a vIP address, you don't configure a priority
 vMAC 0000.5e00.01xx 256 groups
 Uses plaintext or MD5 authentication; MD5 is preferred
 Active/Active in data center
 Default priority 100
 224.0.0.18
 Pre-emption enabled by default
 VRRP v2 IPv4 VRRP v3 IPv4 & IPv6
 IP protocol number 112
 GLBP
 Cisco redundancy protocol that provides active/active load balancing. Includes a weighted parameter.
 Roles are active virtual gateway and active virtual forwarder. Configured by priority.
 4 routers can actively forward traffic
 AVG responds to ARP requests
 Uses a single virtual IP and a different MAC for each AVF
 Uses round robin, weighted and host dependent(MAC address) to balance traffic
 vMAC 0007.b40x.xxyy, where x.xx = group ID (1024 groups) and yy = AVF ID
 same timers and authentication methods as HSRP/VRRP
 All routers in a GLBP can participate in forwarding traffic
In a GLBP group only one AVG (Active Virtual Gateway) can be assigned, but multiple AVFs (Active Virtual Forwarders) can be assigned
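An added example, not part of these notes or any Cisco code: a Python script that applies the virtual-MAC patterns from the HSRP, VRRP and GLBP sections above to a switch MAC table, so you can inventory which gateway groups exist on a VLAN and flag a gateway vMAC learned on a port that is not one of the expected uplinks (a sign of a misconfigured or unexpected router answering for the group). The MAC-table lines, VLAN and port names are constructed.

```python
"""Inventory FHRP virtual MACs from a switch MAC table (added example, not Cisco code).

The patterns are the ones from the notes above: HSRPv1 0000.0C07.ACxx, HSRPv2
0000.0C9F.Fxxx, HSRP for IPv6 0005.73A0.0xxx, VRRP 0000.5E00.01xx and GLBP
0007.B40x.xxyy (x.xx = group, yy = AVF number).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed 'show mac address-table' style lines: VLAN, MAC, type, port.
SAMPLE_MAC_TABLE = """\
10    0000.0c07.ac0a    DYNAMIC    Gi1/0/48
10    0000.0c9f.f064    DYNAMIC    Gi1/0/47
10    0000.5e00.0101    DYNAMIC    Gi1/0/48
10    0007.b400.0101    DYNAMIC    Gi1/0/47
10    0000.0c07.ac0a    DYNAMIC    Gi1/0/12
10    0050.56aa.bb01    DYNAMIC    Gi1/0/12
"""


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits (accepts xxxx.xxxx.xxxx or xx:xx:...)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def classify_fhrp_mac(mac: str) -> Optional[Dict[str, object]]:
    """Identify the FHRP and group a virtual MAC belongs to, or None for a non-FHRP MAC."""
    h = normalize_mac(mac)
    if h.startswith("00000c07ac"):       # HSRPv1: last byte = group (0-255)
        return {"protocol": "HSRPv1", "group": int(h[10:], 16)}
    if h.startswith("00000c9ff"):        # HSRPv2: last 12 bits = group (0-4095)
        return {"protocol": "HSRPv2", "group": int(h[9:], 16)}
    if h.startswith("000573a00"):        # HSRP for IPv6: last 12 bits = group
        return {"protocol": "HSRPv6", "group": int(h[9:], 16)}
    if h.startswith("00005e0001"):       # VRRP: last byte = VRID (1-255)
        return {"protocol": "VRRP", "group": int(h[10:], 16)}
    if h.startswith("0007b40"):          # GLBP: x.xx = group, yy = AVF number
        return {"protocol": "GLBP", "group": int(h[7:10], 16), "avf": int(h[10:], 16)}
    return None


def audit_mac_table(table: str, gateway_ports: Set[str]) -> Dict[str, object]:
    """Group FHRP vMACs by (vlan, protocol, group) and flag any learned on a non-gateway port."""
    groups: Dict[Tuple[str, str, int], Set[str]] = {}
    unexpected: List[Tuple[str, str, str]] = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        vlan, mac, _kind, port = fields[:4]
        info = classify_fhrp_mac(mac)
        if info is None:
            continue                     # ordinary host MAC, not a gateway vMAC
        groups.setdefault((vlan, info["protocol"], info["group"]), set()).add(port)
        if port not in gateway_ports:
            # A gateway vMAC on an access port means something other than the
            # expected routers is answering for that group: worth investigating.
            unexpected.append((vlan, mac, port))
    return {"groups": groups, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_mac_table(SAMPLE_MAC_TABLE, {"Gi1/0/47", "Gi1/0/48"})
    for key in sorted(report["groups"]):
        print(key, sorted(report["groups"][key]))
    print("unexpected:", report["unexpected"])
```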
 Stateful Switchover
 Seamless transition between a “dead” path and an active path. Minimizes amount of down time. Uses non-stop forwarding to achieve this.
 Control plane handles routes and data plane handles packets. Data plane is online when SSO is in process
 Both routers must have NSF enabled to work
 SSO is focused on hardware and NSF maintains network stability. NSF prevents routing flaps.

1.2 Analyze design principles of a WLAN deployment
Saturday, January 4, 2020
5:17 PM
 Design Principles in WLAN
 Coverage and capacity are two things to take into account when planning AP deployment.
WLC placement and AP to WLC connectivity
 If you need omnidirectional antennas you can use APs with internal or external antennas
 -67 dBm is considered quality signal strength for a wireless network supporting voice and video.
Also want 35% overlap of AP signals
 Quality can be increased by increasing capacity of APs deployed
 The closer the db is to one the better
 Autonomous Design
 SSIDs act as VLANs for APs. BVI(bridged virtual interface) instead of SVI. Trunk is
the uplink for autonomous APs
 Hard to manage; WLSM/WLSE are management software that can aid configuration.
 Autonomous controllers push configs to APs using CLI
 Lightweight Design
 Needs a controller to fully function
 AP will download config and software from WLC
 Can manage a lot of devices from a single point and you don’t have to worry
about L3 roaming
 Wireless clients are logically located at the WLC
 Wireless deployment models
 CAPWAP(control and provisioning of wireless access points)
 Forms the tunnel from the AP to the WLC, makes it look like it’s
directly connected
 Utilizes DTLS (Datagram Transport Layer Security); UDP ports 5246 (control) and 5247 (data)
 Allows the AP to focus on client access
 Centralizes the authentication and policy enforcement functions
 Centralized
 Uses CAPWAP to connect AP to WLC
 Enables L2 roaming meaning IP doesn’t have to change
 Placement of WLC and licensing is important
 WLC can provide centralized bridging, forwarding and encryption of
user traffic
 Enables shifting of higher-level protocol processing from the AP
 Distributed
 Used when you have multiple sites, still enables L2 roam
 Increases devices you have to manage and license
 Distribution switches connect the WLCs to campus
 CAPWAP tunnels stay in each location
 Controller-less
 Controller software is virtualized
 Vendor lock-in is a concern: without the cloud service the APs are bricks
 Common in a distributed WLAN design
 Mobility Express and Meraki are Cisco based technologies
 Mobility express does not support L3 roaming
 Mobility express can support up to 2000 users
 Controller-based
 APs must connect to some form of a management device
 Gives variety in how you deploy
 Cloud
 Meraki handles cloud wireless, WLC is in the cloud
 APs form tunnels to cloud WLC
 Don’t need to worry about licensing
 L2 roaming isn’t as efficient
 Drops traffic onto local switch
 Remote branch (FlexConnect)
 Still uses CAPWAP but only on the control plane.
 Less than 50 APs and delay less than 100ms
 Internal traffic is dropped off to the local switch guest access can
still be sent to WLC
 Very efficient, simple design, L2 roam is no longer seamless.
 Location services
 Clients
 Realtime Location services (RTLS) track any WiFi device
 Knows where clients are connecting and can send targeted
information
 DNA Spaces, CMX, Prime Infrastructure, and DNA Center can all
provide location tracking services
 Client location can be determined by triangulating dBm from AP
 RF fingerprinting can be used to overcome issues caused by signal
blocking. Maps out area by gathering multiple RSSI
 RFID tracking
 WiFi asset tags allows for location of items and tracking inventory
 Geofencing allows for tracking items that leave a designated area
 4 channels (2.4GHz), scans on channel programmed
 Probe request forwarding
1.3 Differentiate between on-premises and cloud
infrastructure deployments
Saturday, January 4, 2020
5:17 PM
 On-prem
 Contains App data, networking, servers, storage, virtualization, and BU/DR all under one entity
 Can be harder and more costly to maintain
 Decrease in latency compared to cloud hosted
 Cloud characteristics: On-demand Self-service, broad network access, resource pooling, rapid elasticity, and metered service
 CapEx versus OpEx
 Capital expense- an expense incurred to create a future benefit
 purchase of fixed assets, such as new buildings or business equipment, upgrades to existing facilities,
and the acquisition of intangible assets, such as patents.
 Operating expense- cost of day to day operations
 such as general and administrative expenses, research and development
 Reduced procurement delays
 Rapid Elasticity allows you to increase or decrease resources as needed
 Pay as you go
 IaaS
 You maintain the operating system but not the hardware it runs on.
 PaaS
 You only manage the applications and not the OS.
 SaaS
 Most expensive model. Your application is hosted on someone else’s hardware.
 Security
 proactive prediction of network-related and security-related risks
 Security Group Access Control Lists (SGACLs) provide a much simpler and more scalable form of policy enforcement based on identity instead of IP address
– Work with SGTs
 Flexibility
 You can have On-Demand self-service with cloud
 4 different deployment models Public, Private, Hybrid, Community
 Public your services are hosted on another company’s equipment
 Private
 provides the 5 characteristics of cloud computing on locally-owned hardware.
 Chargeback enables an ORG to track individual usage of resources by a department.
 UCS director provides self-service allowing users to “order” what they need
 Hard to achieve rapid-elasticity because of cost
 Hybrid
 low cost of private but can also use the features of public.
 Allows you to secure proprietary information
 Cloud brokering software can take the place of on-demand self-service, allowing users to determine what they need on an app-by-app basis; the Cisco product is CloudCenter
 Community
 allows for sharing of resources between partner associations. Gov, Military, Academia
 Global
 Being able to access your environment/product/data anywhere any time
 API-centric
 Application Policy Infrastructure Controller (APIC)
 API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JSON or XML documents
 Standard REST methods are supported on the API, which includes POST, GET,PUT, and DELETE operations
through HTTP
1.4 Explain the working principles of the Cisco SD-WAN solution
Saturday, January 4, 2020
5:18 PM
 Traditional WAN issues
 Different connection types based on location
 Complex because of redundant WAN providers, media types, cloud connectivity, # of
locations, and cost
 SD-WAN components
 Main components
 vManage network management system
 vSmart Controller
 SD-WAN routers
 vBond Orchestrator
 Underlay and overlay networks. The overlay is the logical network we want and the underlay is the physical network that we have.
 Using tunnels helps give you the topology you want and software makes configuring and
deploying the tunnels less complex
 VXLAN helps build the tunnels and edge routers take pressure off the core
 A key component is the controller, helps configure and push policies to the entire network
 vManage (controller), vSmart (control plane; pushes policy to the edges), vEdge (usually an ISR router or a virtual router deployed at the location), vBond (orchestrator that points edges to the controller and holds everything together) OBM
 vManage can deploy 2 devices in Active/Standby
 Can be configured from the GUI or REST API
 Transport agnostic, can use any type of IP underlay including internet, satellite, dedicated
circuits, 3G/4G LTE, and MPLS
 vBond must be configured with a public IP. This allows it to be accessed by other SD-WAN
components even if they reside behind NAT devices such as firewalls or routers.
 Authenticates the vSmart controllers and the SD-WAN routers and orchestrates connectivity between them
 NETCONF
 Uses XML messages inside of SSH. Forms SSH connection and then the XML
script is pushed
 REST API Representational State Transfer
 Uses HTTP verbs Get Post Put Delete
 Used by vManage
 vManage Network Management System (NMS)—The vManage NMS is a centralized network
management system that lets you configure and manage the entire overlay network from a
simple graphical dashboard.
 vSmart Controller—The vSmart controller is the centralized brain of the Cisco SD-WAN
solution, controlling the flow of data traffic throughout the network. The vSmart controller
works with the vBond orchestrator to authenticate Cisco vEdge devices as they join the
network and to orchestrate connectivity among the vEdge routers.
 vBond Orchestrator—The vBond orchestrator automatically orchestrates connectivity
between vEdge routers and vSmart controllers. If any vEdge router or vSmart controller is
behind a NAT, the vBond orchestrator also serves as an initial NAT-traversal orchestrator.
 vEdge Routers—The vEdge routers sit at the perimeter of a site (such as remote offices,
branches, campuses, data centers) and provide connectivity among the sites. They are
either hardware devices or software, called a vEdge Cloud router, that runs as a virtual
machine. vEdge routers handle the transmission of data traffic.
 vEdge router can be a Cisco SD-WAN hardware device or software that runs as a
virtual machine, and the remaining three are software-only components
 SD-WAN Topology
 With a base license CISCO SD-WAN can only support hub and spoke
 Advanced licenses can support full/partial mesh P-to-P
 Active/Standby pinning can be used to direct specific types of traffic
 Application-Aware SLA is like object tracking and will switch to the better route path when
degradation is detected based on live data
 DPI(Deep Packet Inspection) when licensed can look at a packet to determine the
application and choose the best route.
 A 6-tuple lookup is used when you don't have the DPI license: source and destination IP address, source and destination port, QoS markings, and protocol number
 Controller Deployment Models
 Public - the most common (Cisco uses AWS): redundant deployment of vSmart and vBond in Active/Active; vManage is done in Active/Standby
 Hybrid - the controller is in private space to increase resiliency; it is on the user to maintain the VMs. Uses public IPs
 Hybrid with private IPs requires the user to NAT; vBond needs 1:1 NAT
 Control plane
 vSmart, northbound, pushes policies to vEdge/cEdge using OMP (TCP/TLS)
 vSmart distributes security information between vEdge routers to facilitate data plane
tunnel creation
 Data plane
 v/cEdge, southbound Overlay Mgmt protocol carries the control plane data that helps form
VXLANs and policies
1.5 Explain the working principles of the Cisco SD-Access
solution
Saturday, January 4, 2020
5:18 PM
 Software-defined access is taking a campus fabric and managing it via a controller called the DNA
Center.
 SD-Access fabric architecture
• Cisco switches: provide wired(LAN) access to fabric. Supports multiple types of Catalyst devices
including NX-OS
• Cisco routers: provide WAN and branch access to the fabric. ASR 1000, ISR CSR CSRv ISRv
• Cisco wireless: Cisco WLCs and AP provide wireless(WLAN) access to fabric
• Cisco controller appliances: only 2 types of appliances to consider: DNA Center and ISE
• No firewalls are part of the architecture
 Control plane
 LISP is used to map users/endpoints and their location in the network.
 LISP solves the issue of an IP address identifying both who you are and where you are; it separates the two so you get an ID independent of the IP.
 LISP uses EID to track endpoint and RLOC to ID the assigned network device. This info is sent
to a map server in CP node
 Host tracking database: the host tracking database (HTDB) is a central repository of EID-to-fabric-edge-node bindings.
 Provides dynamic host mobility for wired and wireless endpoints
 Data plane
 VXLAN: L3 VRFs, L2 headers; scaling: the VNID allows 16M VLANs
 IS-IS is used over OSPF because it supports more network protocols and uses fewer cpu
resources
 Policy plane
 ISE as a part of TrustSec(CTS) is used to control user access regardless of location
 Micro-segmentation scalable groups(SGs) and VN(virtual network)
 Macro-segmentation used for scalability uses VRFs for separation
 Roles
 A default user with SUPER-ADMIN-ROLE permissions is created when you install DNA
Center
 Administrator has full rights
 Network Administrator has full access to network-related functions but cannot access
system functions like backup and restore
 Observer has view-only access
 DNA Center
• Components: Design, Assurance, Provision (DAP)
• upgrade procedure: need SUPER-ADMIN-ROLE permissions, back up data, check for system
updates then upgrade application
 Traditional campus and SD-Access integration
 4 layers: physical, network, controller (DNA-C, ISE), and management (GUI, REST API, 4-step workflow)
 NCP (Network Control Platform): automation of underlay/overlay via CLI, SNMP, NETCONF; operates in the controller layer
 NDP (Network Data Platform): assurance and data collection via SNMP, NetFlow, telemetry; controller layer

 Campus Fabric
• An instance of a Network Fabric. A Network Fabric describes a network topology where data
traffic is passed through interconnecting switches while providing the abstraction of a single L2
and/or L3 device.
• Provides seamless connectivity regardless of underlay configuration. With policy application and
enforcement at the edges of the fabric.
• SD-Access is called the campus fabric when manually configured
 Fabric Edge Node
• Responsible for admitting, encapsulating/decapsulating and forwarding traffic to and from
endpoints connected to the fabric edge.
• Edge nodes lie at the perimeter of the fabric and are the first point for attachment of the policy
• Endpoints can be indirectly attached to a fabric edge node via an intermediate L2 network that lies outside
the fabric domain
• Provides connectivity to fabric AP's
• Does not directly connect to a fusion router
• Connects endpoint devices to the fabric
• Functions as an anycast L3 default gateway for all endpoints
• Implements LISP XTR function
 Fabric intermediate Node
• Provides L3 underlay transport service to fabric traffic
• These nodes are pure L3 forwarders that connect the Fabric Edge and Fabric Border nodes
• Capable of supporting VXLAN traffic but doesn't participate in fabric operations
• Outside the fabric along with ISE and WLC
 Fabric Border Node
• Connect traditional L3 networks or different fabric domains to the Campus Fabric domain
• If there are multiple Fabric domains the Fabric border nodes connect a fabric domain to one or
more fabric domains
• The device where the fabric control planes of two domains exchange reachability and policy
information
• Connects the fabric to external networks
• Use BGP to form peering connections with fusion routers to advertise EID prefixes
 Fusion Router
• Uses BGP for the connection between fusion routers and fabric border routers
• Fusion routers connect the SD-Access fabric to shared services (DNS, DHCP,NTP)
• Also connects the ISE and DNAC (Digital Network Architecture Controller) appliances and the WLC to the
fabric so their services are accessible to the virtual networks and their associated endpoints
• SD-Access needs a fusion router to perform VRF route leaking between user VRFs and SharedServices, which may be in the Global routing table (GRT) or another VRF
• Accesses the fabric through direct connections to fabric border nodes
 WLC Node
• Lies outside of the fabric
 Control plane node
• Manages host tracking database which is used to map EIDs to RLOC
 Extension Node
• Reside in the physical layer of the SD-Access architecture
• Access layer switches don't participate in the fabric but are included in SD-Access automation
1.6 Describe concepts of wired and wireless QoS
Saturday, January 4, 2020
5:18 PM
 Classification is the first thing that’s done when a packet is received on a QoS-enabled interface
• Factors that affect network quality
 Delay variation (Jitter) - difference in the end-to-end delay between packets
 Delay—The finite amount of time it takes a packet to reach the receiving endpoint after
being transmitted from the sending endpoint
 Loss—A relative measure of the number of packets that were not received compared to the
total number of packets transmitted
 QoS approaches
 Best Effort
 As packets come in the device will do its best to send them
 IntServ(Integrated Services)
 Provides a bandwidth guarantee. Uses RSVP from one end device to the next to
reserve bandwidth
 Reserved bandwidth not being used is wasted because no other traffic flow can
use it
 Applications are responsible for creating reservations for the network resources
required for their traffic flows
 DiffServ(Differentiated Services)
 QoS DiffServ components
 Classification and marking. Done close to the edge and part of trust boundary
 Multiple methods of classification
 QoS groups(done by app type), physical interface/sub-interface, MAC, DSCP,
TCP/UDP ports, IP Precedence, NBAR2(dependent on CEF)
 Marking Options
 Internal: QoS groups, L2: CoS bits, L2.5 MPLS EXP bits, L3: DSCP & IPP
 You can only apply policies to traffic after it has been positively classified
 Policing & Shaping
 Traffic Shaping
 Buffer & delay excess traffic
 Will queue traffic
 Designed to allow you to keep traffic instead of dropping it
 Only applied to outbound traffic
 Uses a "leaky bucket" which is waiting until you have enough
tokens before sending packets which smooths traffic
 Scheduling tools determine how a frame/packet exits a device
 Traffic Policing
 Drops or re-marks excess traffic; 3 policer types
 Marking down excessive traffic means giving it a lower priority
number
 Single rate 2 color, single rate 3 color, two rate 3 color
 Applied to inbound & outbound traffic
 Inbound should be applied at the network edge so bandwidth isn't
wasted
 Outbound should be applied at the network edge or core facing
interfaces
 A downside of policing is that it causes TCP retransmissions when it
drops traffic.
 Avoids delays due to queuing
 Token Bucket Algorithm
 The method by which policers and shapers are based
 Committed Information Rate(CIR) - the policed traffic rate agreed
upon in the traffic contract
 Committed burst Size(Bc) - max size of CIR token bucket measured
in bytes
 Committed time interval(Tc) - time in ms over which the Bc is sent
 Token - represents 1 byte
 Token bucket - takes action on what to do with a packet based on the
number of tokens in it
 Can buffer to wait on additional tokens to send packet
(shaping)
 Drop them (policing)
 Mark down (policing)
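An added example (not from these notes): a Python simulation of the token bucket using the terms above, CIR, Bc and Tc with one token per byte, showing how the same burst is handled by a single-rate two-color policer (drop or mark down) and by a shaper (buffer and delay). The CIR, Bc and packet arrival pattern are constructed values.

```python
"""Token-bucket policer vs. shaper (added example, not Cisco code).

Uses the terms from the notes: CIR (bps), Bc (bucket depth in bytes), Tc (ms),
one token = one byte. The policer drops or marks down what does not conform;
the shaper holds the packet until enough tokens have accrued.
"""
from typing import List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)

# Constructed arrival pattern: a 2500-byte burst at t=0, then two more 500-byte packets.
SAMPLE_PACKETS: List[Packet] = [(0.0, 500)] * 5 + [(0.0625, 500), (0.125, 500)]


def bc_from_cir(cir_bps: int, tc_ms: float) -> int:
    """Bc is the number of bytes CIR sends in one Tc interval: Bc = CIR * Tc / 8."""
    return int(cir_bps * tc_ms / 1000 / 8)


class TokenBucket:
    """A single bucket of depth Bc that refills at CIR/8 bytes per second."""

    def __init__(self, cir_bps: int, bc_bytes: int) -> None:
        self.rate = cir_bps / 8.0        # bytes per second
        self.depth = bc_bytes
        self.tokens = float(bc_bytes)    # the bucket starts full
        self.last = 0.0

    def refill(self, now: float) -> None:
        """Add the tokens earned since the last visit, never exceeding Bc."""
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, now: float, size: int) -> bool:
        """Consume `size` tokens if available; otherwise leave the bucket untouched."""
        self.refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets: List[Packet], cir_bps: int, bc_bytes: int,
           exceed_action: str = "drop") -> List[str]:
    """Single-rate two-color policer: each packet is 'conform' or gets the exceed action.

    exceed_action is 'drop' or 'markdown' (re-mark to a lower priority); either way
    the exceeding packet is not delayed, so the policer never adds queuing latency.
    """
    bucket = TokenBucket(cir_bps, bc_bytes)
    return ["conform" if bucket.take(t, size) else exceed_action for t, size in packets]


def shape(packets: List[Packet], cir_bps: int, bc_bytes: int) -> List[float]:
    """Shaper: nothing is dropped; returns the departure time of each packet (FIFO)."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    clock = 0.0
    departures: List[float] = []
    for arrival, size in packets:
        clock = max(clock, arrival)      # cannot leave before arrival or before the previous packet
        bucket.refill(clock)
        if size > bucket.tokens:
            # Buffer until the missing tokens have accrued at CIR.
            clock += (size - bucket.tokens) / bucket.rate
            bucket.refill(clock)
        bucket.tokens -= size
        departures.append(round(clock, 6))
    return departures


if __name__ == "__main__":
    cir, tc = 64000, 125                 # 64 kbps, Tc = 125 ms -> Bc = 1000 bytes
    bc = bc_from_cir(cir, tc)
    print("policer:", police(SAMPLE_PACKETS, cir, bc))
    print("shaper departures:", shape(SAMPLE_PACKETS, cir, bc))
```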

 Congestion Management
 FIFO - single queue, first packet in is first packet out
 Round robin - each queue is processed in order, sending a packet at a
time. No way to prioritize traffic
 WRR - adds prioritization (weights) to round robin
 CQ - Cisco version of WRR; 16 queues, each of which can be assigned a
specific bandwidth
 PQ - 4 queues (high, medium, normal, low), FIFO by priority; the higher
priority queue must be completely empty before a lower priority queue can
go
 WFQ - automatically divides interface bandwidth by the number of
flows. Weighted by IP precedence. Best for high priority real-time
flows
 CBWFQ - 256 queues for 256 traffic classes. Each queue is served
based on the bandwidth assigned to that class. The assigned bandwidth
is the minimum allotted to that queue
 LLQ - combination of CBWFQ and PQ, best for voice and video. If all the
bandwidth assigned to a class isn't being used it can be shared
 Congestion Avoidance
 RED - randomly drops packets before queue is full. Drops packets
when the queue min defined threshold is exceeded
 WRED - Cisco version can manipulate drops using IP precedence or
DSCP. Explicit Congestion Notification(ECN) bit is used to indicate
congestion which tells ECN enabled endpoints to slow their
transmission rate
 IP Precedence
 Uses no drop preference in its marking. AF code starts with CS#
 DSCP Per-Hop Behavior
 Class selector(bigger number is better) and drop preference (lower
is better)
 Expedited Forwarding (EF), used for voice, means never drop
 Trust boundary
 Should be placed close to the end devices. Moving it closer to the
core risks overloading the network
 Devices that can do marking and be trusted to do marking should be
allowed to do it
 Where are specific traffic descriptors located

 Wireless QoS policies
• The WLC is the location for the wireless QoS trust boundary because it sits between the wireless
and wired domain
• QoS policy can be uniquely defined on each WLAN
• In a newly created WLAN Silver is the default policy
• Wi-Fi Multimedia WMM
 4 Access categories 802.1P
 AC_VO (voice) 6 &7
 AC_VI (video) 4 & 5
 AC_BE (best effort) 0 & 3
 AC_BK (Background) 1 & 2
 802.1P markings map to WMM access categories
 Access category determines Interframe Space and Random Backoff Timer
1.7 Differentiate hardware and software switching
mechanisms
Saturday, January 4, 2020
5:19 PM
 Centralized
 CAM and FIB are stored on the supervisor
 Cost is lower but packets have to go back through the supervisor
 Distributed
 CAM and FIB are stored on line card
 A router that uses a distributed architecture enables each line card in the chassis to independently forward traffic
 Distributed platforms enable line cards to locally switch packets without using backplane or fabric resources.
 Traffic with a DST next hop on the same line card doesn't typically have to cross the backplane of the device
 Process switching
 Runs the IP Input process to figure out where to send a packet. Checks the RIB; runs on the CPU so it's slow.
 The first packet to a destination will always be process switched before fast switching takes over

 CEF switching
 When per-destination load balancing is enabled traffic is distributed statistically so that a given path is not overwhelmed
 Per-destination load balancing sends all packets that belong to a particular session over the same path
 A router that uses a distributed architecture enables each line card in the chassis to independently forward traffic.
 The line card CEF tables are created from the RIB stored on the primary route processor module or supervisor module,
depending on the platform in use.
 Distributed platforms enable line cards to locally switch packets without using backplane or fabric resources.
 Per-packet load balancing can affect VoIP traffic because packets could arrive out of order
 Load Sharing Algorithms
 Original
 Uses hash of SRC/DST IP address to ID traffic flow
 Can lead to distortions in traffic flow when loads are shared across multiple routers running the same algorithm
 Universal
 Default load sharing algorithm
 Addresses the weakness of the original algorithm by adding a unique hash
 Allows each router to make its own forwarding decision
 Tunnel
 Used for efficient operation in environments with a limited number of SRC/DST host pairs
 Used mainly in environments connected by tunnels such as GRE
 Include-ports
 Allows a router to include L4 information when forwarding decisions are being made
 Can be configured to consider the SRC/DST port individually or together
 Allows traffic that would not be affected normally to be load balanced even if they share the same SRC/DST IP
because they will have different SRC/DST ports
 RIB
 L3 table (connected, static, and dynamic routes)
 The AD is only used when you have the same network from different protocols. Otherwise the more specific route
is used: with EIGRP 10.0.0.0/24 vs OSPF 10.0.0.0/25, the OSPF route would be used even though it has a higher AD
 Used as a database to inform the FIB for CEF
 Once a route is in the RIB AD no longer matters
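An added example, not part of the notes: a small Python model of the RIB install decision (AD first, then metric) and the longest-prefix lookup that follows it, using the EIGRP /24 vs OSPF /25 case from the note above. The prefixes, metrics and next hops are constructed.

```python
"""RIB install (administrative distance) vs. lookup (longest prefix): added example.

Models the note above: AD only decides between sources for the *same* prefix;
once routes are in the table the most specific prefix wins regardless of AD.
EIGRP 10.0.0.0/24 (AD 90) and OSPF 10.0.0.0/25 (AD 110) are both installed and
a host inside 10.0.0.0/25 is routed via OSPF. Routes and next hops are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

Route = Tuple[str, str, int, str]   # (prefix, protocol, metric, next hop)

# Constructed candidate routes offered to the RIB by the routing protocols.
SAMPLE_CANDIDATES: List[Route] = [
    ("10.0.0.0/24", "eigrp", 3072, "10.1.1.1"),
    ("10.0.0.0/24", "ospf", 20, "10.2.2.2"),     # same prefix, higher AD: not installed
    ("10.0.0.0/25", "ospf", 20, "10.2.2.2"),     # more specific: installed next to the /24
    ("10.0.0.0/25", "ospf", 30, "10.3.3.3"),     # same prefix and protocol, worse metric
    ("0.0.0.0/0", "static", 0, "192.0.2.1"),
]


def build_rib(candidates: List[Route]) -> Dict[str, Route]:
    """Keep one route per prefix: lowest AD wins; metric only breaks ties within one protocol."""
    rib: Dict[str, Route] = {}
    for route in candidates:
        prefix, proto, metric, _next_hop = route
        best = rib.get(prefix)
        # Tuple comparison: AD is compared first, metric only when the AD is equal
        # (i.e. the same protocol, since every protocol here has a distinct AD).
        if best is None or (AD[proto], metric) < (AD[best[1]], best[2]):
            rib[prefix] = route
    return rib


def lookup(rib: Dict[str, Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over installed routes; AD plays no part here."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    best_len = -1
    for prefix, route in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


if __name__ == "__main__":
    rib = build_rib(SAMPLE_CANDIDATES)
    for prefix, route in sorted(rib.items()):
        print(prefix, route[1:])
    for host in ("10.0.0.5", "10.0.0.200", "203.0.113.7"):
        print(host, "->", lookup(rib, host))
```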
 FIB
 A hardware based copy of the RIB
 L3 table stores next-hop MAC and egress interfaces
 To verify if an entry is in the table use show ip cef x.x.x.x/x
Adjacency table
● Maintains Layer 2 next-hop addresses that are used for hardware switching.
● Incomplete adjacencies happen because the router can't use ARP successfully for the next-hop interface.
● If a static route points to a multi-access interface, an adjacency with an incorrect interface is created.
 CAM Table
 High-speed L2 lookup table
 A CAM lookup is given the content (the key) and returns whether it is present, i.e. a match or no match (true or false)
 Can only search for an exact match
 MAC address table
 Used at L2; stores all incoming source MACs. If a destination is not in the table the switch floods the frame out every port except the one it came in on
 TCAM
 Allows "don't care" bits in the search key, so non-exact (ternary) matches are possible
 Stores entries as VMR triples: Value (e.g., an IP address), Mask (e.g., a subnet mask selecting which bits to compare), and Result (e.g., permit/deny or a next hop)
 Provides a true/false/do-not-care result per bit
 Used to implement hardware-based packet forwarding for features such as ACLs and QoS because of its flexibility and speed
 Primarily used on multilayer switches
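Added example (not from these notes): a Python model of the difference between a binary CAM lookup (exact match, used by the MAC address table) and a ternary TCAM lookup (Value/Mask/Result with don't-care bits, used for ACLs). The hardware compares all entries in parallel; the sequential loop here only models "first entry in priority order wins". The ACL lines, the MAC table contents and the port names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TcamEntry:
    value: int   # bits the key must equal where the mask bit is 1
    mask: int    # 1 = compare this bit, 0 = "don't care"
    result: str  # what a hit returns, e.g. "permit"/"deny" or a next hop


def acl_entry(action: str, prefix: str) -> TcamEntry:
    """Turn an ACL-style prefix into a VMR entry: host bits become don't-care bits."""
    net = ipaddress.ip_network(prefix, strict=False)
    return TcamEntry(int(net.network_address), int(net.netmask), action)


def tcam_lookup(entries: List[TcamEntry], key: int) -> Optional[str]:
    """Ternary match. Hardware compares every entry in parallel; the first hit in
    priority order wins, which is why ACL line order matters."""
    for entry in entries:
        if (key & entry.mask) == (entry.value & entry.mask):
            return entry.result
    return None


def cam_lookup(table: Dict[int, str], key: int) -> Optional[str]:
    """Binary CAM: the key either exactly equals a stored value or nothing is returned."""
    return table.get(key)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def ip_to_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


# Constructed ACL: permit one host inside 10.0.0.0/8, deny the rest of 10/8, permit anything else.
EXAMPLE_ACL = [
    acl_entry("permit", "10.1.1.1/32"),
    acl_entry("deny", "10.0.0.0/8"),
    acl_entry("permit", "0.0.0.0/0"),   # mask 0: every bit is don't-care, so it always hits
]

# Constructed MAC address table: learned source MAC -> port.
EXAMPLE_MAC_TABLE = {
    mac_to_int("00:11:22:33:44:55"): "Gi1/0/1",
    mac_to_int("00:11:22:33:44:66"): "Gi1/0/2",
}


def acl_decision(ip: str) -> Optional[str]:
    """Look a source address up in the constructed ACL the way a TCAM would."""
    return tcam_lookup(EXAMPLE_ACL, ip_to_int(ip))


def l2_forward(dst_mac: str) -> str:
    """Unknown unicast is flooded: an exact-match miss in the CAM has no 'closest' answer."""
    return cam_lookup(EXAMPLE_MAC_TABLE, mac_to_int(dst_mac)) or "flood"
```

Note that reordering EXAMPLE_ACL so the /8 deny comes first would make the host permit unreachable: the TCAM returns the first hit, not the most specific one.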
2.1 Describe device virtualization technologies
Tuesday, January 7, 2020
9:52 PM
 A hypervisor is the virtualization software that creates VMs and performs the hardware abstraction that allows multiple VMs to run concurrently
 Type 1 hypervisor
 Bare-metal: runs on the device itself without another OS; effectively it is the OS
 Best used in a data center
 Can be embedded into firmware at the same level as the BIOS
 ESXi, Hyper-V (because it communicates directly with the hardware), Citrix XenServer
 Usually used on blade servers or rack-mounted server hardware
 Type 2 hypervisor
 Needs an OS (the host) to run on
 Used in labs because an OS is most likely already installed
 VirtualBox, VMware Workstation
 Cannot be installed on a bare-metal server
 Easier to use and maintain
 Virtual machine
 Runs its own OS on the hypervisor
 Resources are provided to it by the hypervisor
 Can migrate a live VM, or power it down and do a cold migration
 A software emulation of a physical server with an operating system
 Must make sure the hardware can support the minimum requirements needed
 Each one requires its own unique IP and MAC
 Virtual switching
 Software-based Layer 2 switch that operates like a physical Ethernet switch
 Overcomes the issue of not being able to send and receive traffic on the same L2 link
 One physical NIC can only attach to one vSwitch, but each vSwitch can connect to multiple VMs
 Uses pinning, which identifies all the MACs of the VMs
 Multiple vSwitches can be created under a virtualized server, but network traffic cannot flow directly from one vSwitch to another vSwitch within the same host
 Every vSwitch that is part of a cluster of virtualized servers needs to be configured individually in every virtual host
 Distributed virtual switching: a feature that aggregates vSwitches together from a cluster of virtualized servers and treats them as a single distributed virtual switch
 Container
• An isolated environment where containerized applications run
• Contains the application along with the dependencies that the application needs to run
• Should not be referred to as a lightweight VM
• Containers share the underlying resources of the host operating system and do not include a guest OS as VMs do; containers are therefore lightweight (small in size)
• When a container starts it leverages the kernel of the host OS, which is already running, so it typically takes a few seconds to start
• Types of containers:
 rkt
 Open Container Initiative (OCI)
 LXD
 Docker
 Linux-VServer
 Windows Containers
• Containers not on the same node can't communicate with each other until routing at the OS level or an overlay network has been configured
 Network functions virtualization
• Network functions virtualization (NFV) is an architectural framework created by the European
Telecommunications Standards Institute (ETSI) that defines standards to decouple network
functions from proprietary hardware-based appliances and have them run in software on
standard x86 servers
• defines how to manage and orchestrate the network functions
• NFV infrastructure (NFVI) is all the hardware and software components that comprise the
platform environment in which virtual network functions (VNFs) are deployed.
• Virtual network functions
 the virtual or software version of an NF, and it typically runs on a hypervisor as a VM
 commonly used for L4 through L7 functions, such as those provided by load balancers (LBs)
and application delivery controllers (ADCs), firewalls, intrusion detection systems (IDSs), and
WAN optimization appliances.
 Can still do L2/L3 functions
• NFVI Virtualized Infrastructure Manager (VIM)
 responsible for managing and controlling the NFVI hardware resources (compute, storage,
and network) and the virtualized resources
 Handles service chaining which ties all the VNFs together
• Element managers (EMs), also known as element management systems (EMSs), are responsible
for the functional management of VNFs
• PCI passthrough allows VNFs to have direct access to physical PCI devices
 The downside to PCI passthrough is that the entire pNIC is dedicated to a single VNF and
cannot be used by other VNFs, so the number of VNFs that can use this technology is limited
by the number of pNICs available in the system
• SR-IOV is an enhancement to PCI passthrough that allows multiple VNFs to share the same pNIC
 Two modes: Virtual Ethernet Bridge and Virtual Ethernet Port Aggregator
 Virtual Ethernet Bridge (VEB): Traffic between VNFs attached to the same pNIC is hardware switched directly by the pNIC.
 Virtual Ethernet Port Aggregator (VEPA): Traffic between VNFs attached to the same pNIC is switched by an external switch.
 Allows multiple VNFs to share the same pNIC by emulating multiple PCIe devices
• Cisco Enterprise Network Functions Virtualization (ENFV)
 Cisco solution based on the ETSI NFV architectural framework
 Supports Cisco SD-WAN cEdge and vEdge virtual router onboarding
 Centralizes management through Cisco DNA Center, which greatly simplifies designing,
provisioning, updating, managing, and troubleshooting network services and VNFs
• Cisco ENFV Solution Architecture
 a virtualized solution for network and application services for branch offices
Management and Orchestration (MANO): Cisco DNA Center provides the VNF management
and NFV orchestration capabilities. It allows for easy automation of the deployment of
virtualized network services, consisting of multiple VNFs.
VNFs: VNFs provide the desired virtual networking functions.
Network Functions Virtualization Infrastructure Software (NFVIS): An operating system that
provides virtualization capabilities and facilitates the deployment and operation of VNFs and
hardware components.
Hardware resources: x86-based compute resources that provide the CPU, memory, and
storage required to deploy and operate VNFs and run applications.
• Management and Orchestration
 Cisco DNA Center provides the MANO functionality to the Cisco Enterprise NFV solution
 Two of the main functions of DNA Center are to roll out new branch locations or deploy
new VNFs and virtualized services
 Plug and Play provisioning provides a way to automatically and remotely provision and
onboard new network devices
 DNA Center provides centralized policies
• Virtual Network Functions and Applications
 the Cisco Enterprise NFV solution provides an environment for the virtualization of both
network functions and applications in the enterprise branch
 Both Cisco and third-party VNFs can be onboarded onto the solution
 Can support apps running on Linux or Windows
• Network Function Virtualization Infrastructure Software (NFVIS)
 based on standard Linux packaged with additional functions for virtualization, VNF lifecycle
management, monitoring, device programmability, and hardware acceleration
2.2 Configure and verify data path virtualization technologies
Tuesday, January 7, 2020
9:54 PM
 Virtual Routing and Forwarding (VRF)
 An L3 analogue of a VLAN: separates traffic for multiple clients that exist in different routing domains on the same device
 VRFs can be used to isolate the management network
 VRF-Lite does not support IS-IS or IGRP
 BGP should be used between the CE and PE
 OSPF process IDs become relevant when separating different VRFs; keep them unique
 The management VRF is created by default, and an interface is placed in the default (global) VRF when none is specified
 When adding a VRF to an interface its L3 config is removed, so copy it before adding the VRF
 To see VRF routing you have to specify the VRF: show ip route vrf <vrf-name>, ping vrf <vrf-name> <ip-address>
 Configure routing per VRF with router <protocol> <process-id> vrf <vrf-name>
 Route targets can be applied to a VRF to control the import and export of routes between it and other VRFs
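Added example, not code from these notes or from IOS: a toy RIB in Python that serves both the RIB/FIB passage in the architecture section (AD is only compared between identical prefixes; a lookup is a longest-prefix match that ignores AD) and the VRF passage above (one table per VRF, so the same prefix can exist in two VRFs with different next hops and a lookup must name the VRF). The AD values are IOS defaults; the prefixes, next hops and the "MGMT" VRF are constructed and reproduce the notes' EIGRP 10.0.0.0/24 vs OSPF 10.0.0.0/25 case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default administrative distances from IOS (connected, static, EIGRP internal, OSPF).
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str


class Rib:
    """Toy RIB with one table per VRF ("default" models the global table).

    Within a VRF, a prefix offered by two protocols keeps the lowest-AD candidate.
    A lookup picks the longest matching prefix and never looks at AD again.
    """

    def __init__(self) -> None:
        self.tables: Dict[str, Dict[ipaddress.IPv4Network, Route]] = {}

    def install(self, vrf: str, prefix: str, next_hop: str, source: str) -> bool:
        """Offer a route to the RIB; returns True if it was installed."""
        net = ipaddress.ip_network(prefix, strict=False)
        table = self.tables.setdefault(vrf, {})
        current = table.get(net)
        if current is not None and AD[current.source] <= AD[source]:
            return False  # same prefix: the existing source has equal or better AD
        table[net] = Route(net, next_hop, source)
        return True

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match inside one VRF; other VRFs' routes are invisible."""
        addr = ipaddress.ip_address(dst)
        matches = [r for net, r in self.tables.get(vrf, {}).items() if addr in net]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def show(self, vrf: str) -> List[Tuple[str, str, int, str]]:
        """Rows like 'show ip route vrf <name>': (prefix, source, AD, next hop)."""
        routes = sorted(self.tables.get(vrf, {}).values(),
                        key=lambda r: (r.prefix.network_address, r.prefix.prefixlen))
        return [(str(r.prefix), r.source, AD[r.source], r.next_hop) for r in routes]


def build_example_rib() -> Rib:
    """Constructed routes reproducing the notes' EIGRP /24 vs OSPF /25 case, plus a VRF."""
    rib = Rib()
    rib.install("default", "10.0.0.0/24", "192.0.2.1", "eigrp")
    rib.install("default", "10.0.0.0/25", "192.0.2.2", "ospf")
    rib.install("default", "10.0.1.0/24", "192.0.2.2", "ospf")
    rib.install("default", "10.0.1.0/24", "192.0.2.1", "eigrp")   # same prefix: AD 90 beats 110
    rib.install("MGMT", "10.0.0.0/24", "198.51.100.1", "static")  # same prefix, isolated VRF
    return rib


if __name__ == "__main__":
    rib = build_example_rib()
    for row in rib.show("default"):
        print("default:", row)
    for row in rib.show("MGMT"):
        print("MGMT   :", row)
    print("10.0.0.5 via", rib.lookup("default", "10.0.0.5"))
```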
 Generic Routing Encapsulation (GRE)
 Allows for encapsulation of non-IP packets with an IP header
 Increases packet size by 24 bytes; the tunnel MTU is lowered accordingly so the encapsulated packet does not have to be fragmented
 The outer IP header carries protocol number 47 for GRE
 To avoid recursive routing, do not advertise the tunnel destination into the tunnel
 When configuring GRE or mGRE the tunnel source (IP address or interface) must be configured
 The GRE header itself adds 4 bytes
 Default MTU for a GRE tunnel is 1476
 When connecting two private IP addresses over the internet:
 The tunnel interface number is locally significant
 A route to the tunnel destination must exist on the local router
 The tunnel source must be specified as an IP address or an interface
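Added example (not from these notes): Python that builds and strips a GRE encapsulation byte for byte, so the 24-byte overhead (20-byte outer IPv4 header with protocol 47 plus the 4-byte base GRE header) and the resulting 1476-byte tunnel MTU can be checked rather than memorized. It also labels a packet by its outer IP protocol (47/50/51), which is the check a filter or flow counter makes on tunnel traffic. Addresses and the inner payload are constructed; GRE headers with the checksum/key/sequence options are rejected rather than parsed.

```python
import struct

GRE_PROTO, ESP_PROTO, AH_PROTO = 47, 50, 51   # IP protocol numbers from the notes
ETHERTYPE_IPV4 = 0x0800
OUTER_IP_HDR = 20      # IPv4 header without options
GRE_HDR = 4            # base GRE header (no checksum/key/sequence options)
GRE_OVERHEAD = OUTER_IP_HDR + GRE_HDR   # 24 bytes: 1500 - 24 = the default tunnel MTU of 1476


def _checksum(data: bytes) -> int:
    """Ones'-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IP_HDR + payload_len, 0, 0,
                      ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Wrap an inner IPv4 packet: outer IP (proto 47) + 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers, checking the fields a receiver would check."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR])
    if flags & 0xB000:   # C, K or S bit set: header is longer than 4 bytes, not modelled here
        raise ValueError("GRE options not supported in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return packet[ihl + GRE_HDR:]


def classify_outer(packet: bytes) -> str:
    """Label a packet by its outer IP protocol; the check a filter makes on tunnel traffic."""
    names = {GRE_PROTO: "GRE", ESP_PROTO: "ESP", AH_PROTO: "AH"}
    return names.get(packet[9], "proto-%d" % packet[9])


def fits_after_encapsulation(inner_len: int, tunnel_mtu: int = 1476, physical_mtu: int = 1500) -> bool:
    """True if a packet that passes the tunnel MTU still fits the link once 24 bytes are added."""
    return inner_len <= tunnel_mtu and inner_len + GRE_OVERHEAD <= physical_mtu


def build_sample_inner(payload_len: int) -> bytes:
    """Constructed inner packet: IPv4 header (protocol 17) plus a dummy payload."""
    return ipv4_header("10.1.1.10", "10.2.2.20", 17, payload_len) + b"\x00" * payload_len


if __name__ == "__main__":
    inner = build_sample_inner(1456)                 # 20 + 1456 = 1476 bytes, the tunnel MTU
    pkt = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    print(classify_outer(pkt), len(inner), "->", len(pkt), "bytes on the wire")
```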
 IPsec
 Provides authentication, integrity, and confidentiality
 Has two headers: Authentication Header (IP protocol 51) and Encapsulating Security Payload (IP protocol 50)
 AH applies authentication and integrity to the entire payload (and the immutable IP header fields) but can't encrypt it; only used when confidentiality isn't needed
 ESP can encrypt the entire payload as well as providing integrity and authentication; ESP supports NAT traversal, AH can't
 ESP has two modes: transport and tunnel
 Transport mode doesn't protect the IP header; tunnel mode does
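Added example (not from these notes or any IPsec implementation): a Python demonstration of why NAT breaks AH but not ESP. The AH integrity check value (ICV) is computed over the IP header with only the mutable fields (TTL, checksum) zeroed, so a NAT rewrite of the source address invalidates it, while a TTL decrement does not; the ESP ICV covers only the ESP body, so the packet still verifies and decrypts after NAT. The "encryption" is a toy keystream built from HMAC-SHA-256 in counter mode, standing in for AES and never to be used for real traffic; keys, addresses, SPI and the fixed IV are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Optional

ESP_PROTO, AH_PROTO = 50, 51
ICV_LEN = 12   # truncated HMAC tag, the way IPsec integrity algorithms commonly truncate


def ipv4_header(src: bytes, dst: bytes, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; only the field layout matters here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0, src, dst)


def _immutable_fields(ip_hdr: bytes) -> bytes:
    """AH rule: mutable fields (TTL, header checksum) are zeroed before computing the ICV;
    the addresses are not mutable, so they stay covered."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_protect(src: bytes, dst: bytes, payload: bytes, auth_key: bytes) -> bytes:
    """AH: integrity/authentication over IP header + payload, no encryption."""
    hdr = ipv4_header(src, dst, AH_PROTO)
    icv = hmac.new(auth_key, _immutable_fields(hdr) + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + icv + payload


def ah_verify(packet: bytes, auth_key: bytes) -> bool:
    hdr, icv, payload = packet[:20], packet[20:20 + ICV_LEN], packet[20 + ICV_LEN:]
    expected = hmac.new(auth_key, _immutable_fields(hdr) + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA-256 in counter mode. Stands in for AES; not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(src: bytes, dst: bytes, payload: bytes, enc_key: bytes, auth_key: bytes,
                spi: int = 0x1000, seq: int = 1, iv: bytes = b"\x00" * 8) -> bytes:
    """ESP transport mode: payload encrypted; ICV covers SPI + seq + IV + ciphertext only.
    The IP header is outside the ICV, which is what lets ESP survive NAT.
    (Fixed IV is for the demonstration only; real ESP uses a fresh IV per packet.)"""
    body = struct.pack("!II", spi, seq) + iv + _xor(payload, _keystream(enc_key, iv, len(payload)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO) + body + icv


def esp_open(packet: bytes, enc_key: bytes, auth_key: bytes) -> Optional[bytes]:
    """Verify the ICV first, then decrypt. Returns None on any integrity failure."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    iv, ciphertext = body[8:16], body[16:]
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT device does on the way out: overwrite the source address in the IP header."""
    return packet[:12] + new_src + packet[16:]


def decrement_ttl(packet: bytes) -> bytes:
    """What every router on the path does."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


# Constructed keys and addresses for the demonstration.
ENC_KEY, AUTH_KEY = b"example-enc-key-32-bytes-long!!!", b"example-auth-key"
INSIDE_HOST = bytes([10, 1, 1, 10])
PEER = bytes([203, 0, 113, 1])
NAT_PUBLIC = bytes([198, 51, 100, 1])
```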
 IKE Tunnels
 Phase 1 belongs to the control plane; phase 2 belongs to the data plane
 Allows for secure communication to form a tunnel
 IKEv1 uses a 5-step process in phase 1 to create the tunnel (HAGLE: Hash, Authentication, DH Group, Lifetime, Encryption). Phase 2 is the formation of the IPsec tunnel
 IKEv1 phase 1 lasts for 24H; phase 2 lasts for 12H
 IKEv2 reduces the number of messages sent in tunnel creation and also eliminates the two phases
 The same version must be used on either side of the tunnel
 crypto isakmp policy creates the phase 1 IKE tunnel
 crypto ipsec profile creates the IKE phase 2 tunnel
 IKEv1 has 3 modes to choose from: main, aggressive, and quick
 Main mode needs to exchange 9 messages to form a tunnel; aggressive only needs 6
 Main mode is more secure than aggressive
 Main mode hides the identity of the two peers during phase 1 negotiations
 IKEv2 only needs 4 messages, so fewer exchanges and less bandwidth are needed vs v1
 DMVPN
• Phase 1: hub and spoke only
• Phase 2: spoke-to-spoke tunnels
• Phase 3: the hub can summarize all spoke prefixes and uses NHRP redirects so that all spokes can talk to each other directly
2.3 Describe network virtualization concepts
Tuesday, January 7, 2020
9:55 PM
 LISP
 Separates the location of a device from its identity, which a plain IP address conflates
 Should be used when you have a high density of endpoints and mobile users
 Used as the control plane of the overlay in SD-Access
 Uses a pull model and is a mapping protocol
 The LISP tunnel router (xTR) adds the host to the LISP mapping database; every time a client moves the database is updated
 The xTR registers the host (MAC or IP) in the LISP mapping database
 Instead of an IP address an Endpoint Identifier (EID) is used
 The LISP data plane uses IP/UDP port 4341
 Map Register
 EID = IP, VNI (virtual network identifier, VXLAN info)
 RLOC = xTR IP
 LISP map caching saves the location so it's easier to look up
 What happens when you move? A new registration is made in the map database

 Routing Locator (RLOC): an RLOC is an IPv4 or IPv6 address of an egress tunnel router (ETR). An RLOC is the output of an EID-to-RLOC mapping lookup.
 Identifies the IP address of a router responsible for forwarding traffic to devices within a LISP location
 Endpoint ID (EID): an EID is an IPv4 or IPv6 address used in the source and destination address fields of the first (innermost) LISP header of a packet.
 BGP-EVPN can be used to help with VXLAN latency issues
 An ETR connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to end systems at the site.
 An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites
 VXLAN
 Enhanced version of the VLAN (802.1Q) concept
 Used to overcome VLAN shortcomings; has a 24-bit segment ID that defines the broadcast domain
 Permits ECMP
 The data plane of SD-Access
 Used as the data plane instead of LISP encapsulation because VXLAN carries the L2 Ethernet header and LISP doesn't
 Uses security group tags
 VXLAN Header (Fabric Header)
 Carries the segment ID (VNI) and user group (SGT)
 The SGT is encoded in the reserved bits of the VXLAN header
 Modified to support 64,000 SGTs using a 16-bit field (Group Policy ID)
 D bit indicates the egress VTEP should not learn the source address of the encapsulated frame
 VNI (virtual network identifier) is the broadcast domain of the VXLAN infrastructure
 Can theoretically have 16 million overlay networks in the same infrastructure
 VXLAN-GPO encapsulation
 16 bits are allocated to identify the SGT
 The Policy Applied bit (A bit) signals whether a policy has already been applied to the packet or not yet
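Added example, not from these notes or from any Cisco code: a Python packer/parser for the 8-byte VXLAN header with the Group Based Policy extension, which is the layout the fabric header above describes (G and I flags in the first byte, D and A bits in the second, 16-bit Group Policy ID carrying the SGT, 24-bit VNI). The bit positions follow the VXLAN-GBP draft as I know it rather than anything stated in the notes, the sample Ethernet frame is constructed, and the egress policy function is a toy stand-in for the fabric's SGT enforcement.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

FLAG_G = 0x80   # byte 0: Group Based Policy extension present
FLAG_I = 0x08   # byte 0: VNI field is valid (always set on a real packet)
FLAG_D = 0x40   # byte 1: Don't Learn - egress VTEP must not learn the inner source MAC
FLAG_A = 0x08   # byte 1: Policy Applied
MAX_VNI = (1 << 24) - 1        # 24-bit VNI: 16,777,216 possible segments
MAX_SGT = (1 << 16) - 1        # 16-bit Group Policy ID: 65,536 possible tags


@dataclass(frozen=True)
class VxlanGbpHeader:
    vni: int
    sgt: int = 0
    dont_learn: bool = False
    policy_applied: bool = False

    def pack(self) -> bytes:
        """Serialize: flags(2) + Group Policy ID(2) + VNI(3) + reserved(1) = 8 bytes."""
        if not 0 <= self.vni <= MAX_VNI:
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.sgt <= MAX_SGT:
            raise ValueError("SGT must fit in 16 bits")
        flags0 = FLAG_I | FLAG_G             # fabric header always carries the GBP extension
        flags1 = (FLAG_D if self.dont_learn else 0) | (FLAG_A if self.policy_applied else 0)
        return struct.pack("!BBH", flags0, flags1, self.sgt) + self.vni.to_bytes(3, "big") + b"\x00"

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGbpHeader":
        if len(data) < 8:
            raise ValueError("VXLAN header is 8 bytes")
        flags0, flags1, sgt = struct.unpack("!BBH", data[:4])
        if not flags0 & FLAG_I:
            raise ValueError("I flag not set: VNI field is not valid")
        if not flags0 & FLAG_G:
            sgt = 0    # plain VXLAN: those 16 bits are reserved, not an SGT
        return cls(vni=int.from_bytes(data[4:7], "big"), sgt=sgt,
                   dont_learn=bool(flags1 & FLAG_D), policy_applied=bool(flags1 & FLAG_A))


def encapsulate(inner_frame: bytes, hdr: VxlanGbpHeader) -> bytes:
    """The VXLAN payload is the whole original Ethernet frame (what LISP encapsulation lacks)."""
    return hdr.pack() + inner_frame


def decapsulate(packet: bytes) -> Tuple[VxlanGbpHeader, bytes]:
    return VxlanGbpHeader.unpack(packet[:8]), packet[8:]


def egress_policy(hdr: VxlanGbpHeader) -> str:
    """Toy egress decision: evaluate SGT policy only if ingress has not already applied it."""
    if hdr.policy_applied:
        return "forward (policy already applied at ingress)"
    return f"evaluate SGT {hdr.sgt} policy, then forward"


# Constructed inner frame: start of a broadcast ARP request from 00:11:22:33:44:55.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff00112233445508060001")
```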

3.1 Layer 2
Tuesday, January 7, 2020
9:57 PM
 Static 802.1Q trunks
 Configured with switchport mode trunk
 Will still advertise DTP packets to the other end to establish a trunk
 Trunk status can be verified with show interfaces trunk
 Dynamic 802.1Q trunks
 Established in one of two ways
 switchport mode dynamic desirable: this mode will actively try to form a trunk with the connected interface
 switchport mode dynamic auto: will only form a trunk if the other side is actively trying
 switchport nonegotiate: disables DTP on the port, so trunking must be set statically
 Allowed VLANs on trunks
 Controls which VLANs can use the trunk: switchport trunk allowed vlan <vlan-ids>
 VTP
 Sends VLAN information to other switches to reduce management, but can be problematic. Usually disabled or run in transparent mode
 A client with a higher revision number will replace the VLANs on a server with a lower number
 Messages are sent to the multicast destination MAC address 01:00:0C:CC:CC:CC
 Message types are: summary advertisement, subset advertisement, and advertisement request
 VTP pruning
 Disabled by default. Reduces unnecessary flooded traffic
 Conserves network bandwidth
 Static Layer 2 EtherChannel
 No health status check
 channel-group <etherchannel-id> mode on
 Sends VLAN information
 Dynamic Layer 2 EtherChannel
 Uses PAgP (Cisco proprietary) or LACP
 Static Layer 3 EtherChannel
 Must use the no switchport command to enable L3 routing
 Assigned an IP address
 Uses mode on (no negotiation protocol)
 Dynamic Layer 3 EtherChannel
 PAgP: desirable or auto; LACP: active or passive
 LACP uses multicast MAC address 01:80:C2:00:00:02 to communicate and form LACP neighbors
 EtherChannel/Link bundling 802.3ad
• 802.3AD allows multiple 802.1Q tags on a single Ethernet frame, known as Q-in-Q.
• 802.3AD can improve the stability of the spanning tree topology.
• 802.3AD provides a cost-effective way to increase bandwidth by logically combining multiple member links.
• Seen as a single interface in spanning tree
• It's best to use one of the dynamic protocols like LACP or PAgP
• Best practice is to use lacp rate fast when fast failure detection is required
• Load-Balancing Algorithms
 dst-ip
 dst-mac: uses a packet's destination MAC address to select the physical link in the EtherChannel bundle that is used to send the packet
 The number of bits in the destination MAC address used to make the path selection decision is determined by the number of links in the EtherChannel (bits are done in powers of 2: 8 links would be 2^3, so 3 bits)
 src-dst-ip
 src-dst-mac
 src-ip
 src-mac
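Added example (not from these notes): Python that applies the notes' rule that the number of address bits used to pick a member link is log2(links), and contrasts dst-mac with src-dst-ip hashing. It shows the classic gotcha: when every frame is destined for one router MAC (the default gateway), dst-mac puts all traffic on a single member no matter how many links the bundle has, while a hash that includes the source address spreads it. Only power-of-two bundles are handled, and the MAC addresses and client IPs are constructed.

```python
import ipaddress
from collections import Counter
from typing import List


def log2_links(n_links: int) -> int:
    """Notes' rule: address bits used = log2(links); 8 links -> 3 bits.
    Power-of-two bundles only in this example."""
    if n_links < 1 or n_links & (n_links - 1):
        raise ValueError("this example expects a power-of-two number of links")
    return n_links.bit_length() - 1


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def member_by_dst_mac(dst_mac: str, n_links: int) -> int:
    """dst-mac: the low-order bits of the destination MAC select the member link."""
    return mac_to_int(dst_mac) & ((1 << log2_links(n_links)) - 1)


def member_by_src_dst_ip(src: str, dst: str, n_links: int) -> int:
    """src-dst-ip: XOR the two addresses, then take the same number of low-order bits."""
    mixed = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    return mixed & ((1 << log2_links(n_links)) - 1)


def dst_mac_distribution(dst_macs: List[str], n_links: int) -> Counter:
    """How many frames each member link would carry under dst-mac hashing."""
    return Counter(member_by_dst_mac(m, n_links) for m in dst_macs)


def src_dst_ip_distribution(pairs: List[tuple], n_links: int) -> Counter:
    return Counter(member_by_src_dst_ip(s, d, n_links) for s, d in pairs)


# Constructed addresses: one gateway MAC, sixteen servers with consecutive MACs, sixteen clients.
GATEWAY_MAC = "00:00:0c:9f:f0:01"
SERVER_MACS = [f"00:50:56:aa:bb:{i:02x}" for i in range(16)]
CLIENT_IPS = [f"10.1.1.{i}" for i in range(1, 17)]
SERVER_IP = "10.2.2.2"

if __name__ == "__main__":
    print("gateway-bound, dst-mac, 4 links:", dst_mac_distribution([GATEWAY_MAC] * 50, 4))
    print("16 servers, dst-mac, 8 links    :", dst_mac_distribution(SERVER_MACS, 8))
    print("16 clients, src-dst-ip, 8 links :",
          src_dst_ip_distribution([(c, SERVER_IP) for c in CLIENT_IPS], 8))
```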
 Advanced STP (802.1D) Tuning
 The root bridge should be placed on a core switch and the secondary root placed to minimize changes to the overall STP topology
 Root bridge is achieved by assigning the lowest system priority (0 to 61440 in increments of 4096); all ports of the root bridge are designated ports
 Best way to manually set primary and secondary is assigning priorities of 0 and 4096
 A switch generating a BPDU only includes its calculated cost to the root, not the cost of the egress port. The receiving switch adds the cost of its ingress port to the total path cost.
 Changing port costs can change the forwarding path, e.g. turning an alternate port into a designated port, or a designated port into a blocking port by raising its cost
 Root guard is placed on designated ports facing other switches that should never become root bridges
 PortFast should be configured on access ports connected to end hosts to reduce convergence time; on a trunk it should only be used when the trunk is connected to a single (non-switch) device
 Convergence is typically around 50 seconds
 TCNs are not generated when an edge port changes state
 Edge ports bypass listening and learning and move straight to forwarding
 BPDU Guard needs PortFast to be enabled before it can be applied to an interface
 BPDU Guard is typically configured on all host-facing ports that are enabled with PortFast
 BPDU Filter simply blocks BPDUs from being transmitted out a port. It also ignores any received BPDU.
 Loop Guard
 The STP Loop Guard feature is used to ensure that a root port or an alternate port is always receiving BPDUs from the neighboring switch. This provides protection against a link failing to send BPDUs bidirectionally, which would allow a port to assume that no other bridge is connected.
 If BPDUs stop being received the port moves to the blocking state and shows a loop-inconsistent state until BPDUs resume
 Configured on root ports
 Loop Guard is used in conjunction with UDLD to protect against broken cables that could cause incorrect STP behavior
• The STP 802.1D forward delay timer is used to determine how long a port remains in the listening and learning states before transitioning to the next state
 Valid port types are root and designated
 Topology Change
 When a config BPDU with the TC flag is received from the root bridge, set the MAC address aging timer to the forward delay and flush out MACs that have not communicated in the past 15 seconds
 When the root bridge receives a TCN it generates a new BPDU with the topology change flag set
 Port priority: the lower value is preferred. Values range from 0 to 240 in increments of 16; 128 is the default port priority
 UDLD (Unidirectional Link Detection)
 Must be enabled on both the local and remote switches' ports to become functional
 Two modes: aggressive and normal
 Port cost
 Ethernet link, 10 Mbps = STP cost of 100
 Fast Ethernet link, 100 Mbps = STP cost of 19
 Gigabit link, 1,000 Mbps = STP cost of 4
 Root path cost is calculated as the root cost advertised by the upstream switch plus the local port cost
 Non-root bridge root port selection:
□ Lowest root path cost
□ Lowest upstream advertised bridge ID
□ Lowest upstream advertised port priority
□ Lowest upstream advertised port ID
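Added example (not from these notes or from IOS): Python that puts the STP tuning rules above together: the priority range check (0 to 61440 in steps of 4096), root bridge election as the lowest bridge ID, the receiver adding its ingress port cost to the advertised root cost, and the four-step root port tie-break in the order the notes list. The extended system ID part of a real bridge ID is omitted, and the three-port scenario (one 100 Mbps port directly to the root, two 1 Gbps ports via an intermediate switch) is constructed to show that two gigabit hops (cost 8) beat one Fast Ethernet hop (cost 19).

```python
from dataclasses import dataclass
from typing import List, Tuple

PORT_COST = {10: 100, 100: 19, 1000: 4}   # 802.1D costs listed in the notes (Mb/s -> cost)

BridgeId = Tuple[int, int]   # (priority, MAC as integer); the lower tuple wins


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Validate the notes' priority range (0..61440, steps of 4096) and build a comparable BID.
    The extended system ID (VLAN) portion of a real BID is omitted here."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority, int(mac.replace(":", "").replace(".", ""), 16)


def elect_root_bridge(bids: List[BridgeId]) -> BridgeId:
    """Lowest bridge ID (priority first, MAC as the tie-break) becomes root."""
    return min(bids)


def validate_port_priority(value: int) -> int:
    """Port priority: 0..240 in increments of 16, default 128."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    return value


@dataclass(frozen=True)
class ReceivedBpdu:
    local_port: str
    local_speed_mbps: int     # ingress port speed; its cost is added by the receiver
    advertised_cost: int      # sender's own root path cost (its egress port cost not included)
    sender_bid: BridgeId
    sender_port_priority: int = 128
    sender_port_id: int = 1


def root_path_cost(b: ReceivedBpdu) -> int:
    return b.advertised_cost + PORT_COST[b.local_speed_mbps]


def elect_root_port(bpdus: List[ReceivedBpdu]) -> ReceivedBpdu:
    """Tie-break order from the notes: lowest root path cost, then lowest upstream BID,
    then lowest upstream port priority, then lowest upstream port ID."""
    return min(bpdus, key=lambda b: (root_path_cost(b), b.sender_bid,
                                     validate_port_priority(b.sender_port_priority),
                                     b.sender_port_id))


def constructed_scenario() -> List[ReceivedBpdu]:
    """Non-root switch hearing about the root on three ports (constructed):
    - Fa0/1 (100M) directly from the root (advertised cost 0)
    - Gi0/1 and Gi0/2 (1G) via switch A, which is cost 4 from the root."""
    root = bridge_id(4096, "00:00:00:00:00:01")
    sw_a = bridge_id(32768, "00:00:00:00:00:aa")
    return [
        ReceivedBpdu("Fa0/1", 100, 0, root),
        ReceivedBpdu("Gi0/1", 1000, 4, sw_a, sender_port_priority=128, sender_port_id=2),
        ReceivedBpdu("Gi0/2", 1000, 4, sw_a, sender_port_priority=128, sender_port_id=1),
    ]


if __name__ == "__main__":
    for b in constructed_scenario():
        print(b.local_port, "root path cost", root_path_cost(b))
    print("root port:", elect_root_port(constructed_scenario()).local_port)
```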
 STP error messages and causes
 STP-2-Block_PVID_Local and STP-2-Block_PVID_Peer: an interface has received a BPDU that is tagged with the same VLAN ID as the interface's native VLAN
 STP-2-Block_BPDUGUARD: a BPDU is received and BPDU Guard is enabled
 STP-2-Block-Dispute_Detected: the switch has received an inferior BPDU that is marked designated and learning or forwarding
 STP-2-Bridge_Assurance_Block: an STP BPDU has not been received on an interface with Bridge Assurance enabled
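Added example (not from these notes): a small Python syslog parser that picks the STP block/dispute messages above out of a log stream, attaches the cause the notes give for each mnemonic, and tallies events per port, which is the first step in spotting a native-VLAN mismatch or a port being hammered by BPDUs. IOS emits these under the SPANTREE facility (for example %SPANTREE-2-BLOCK_BPDUGUARD), which is my knowledge rather than something the notes state; the regex accepts both that spelling and the notes' STP-2-... form. The sample log lines, timestamps and port names are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Causes as listed in the notes, keyed by the normalized message mnemonic.
STP_CAUSES = {
    "BLOCK_PVID_LOCAL": "BPDU tagged with the interface's native VLAN ID (native VLAN mismatch)",
    "BLOCK_PVID_PEER": "peer's BPDU tagged with this interface's native VLAN ID (native VLAN mismatch)",
    "BLOCK_BPDUGUARD": "BPDU received on a port with BPDU Guard enabled",
    "DISPUTE_DETECTED": "inferior BPDU marked designated and learning/forwarding (possible unidirectional link)",
    "BRIDGE_ASSURANCE_BLOCK": "no BPDU received on an interface with Bridge Assurance enabled",
}

LOG_RE = re.compile(
    r"%?(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Za-z_\-]+):\s*(?P<text>.*)")
PORT_RE = re.compile(r"(?:port|Blocking|on)\s+((?:Gi|Fa|Te|Po|Eth)[\w/\.]+)")
VLAN_RE = re.compile(r"VLAN0*(\d+)")


def parse_stp_event(line: str) -> Optional[Dict[str, object]]:
    """Extract facility/mnemonic/port/VLAN from one syslog line; None if it is not STP-related."""
    m = LOG_RE.search(line)
    if not m or m.group("facility") not in ("SPANTREE", "STP"):
        return None
    mnemonic = m.group("mnemonic").upper().replace("-", "_")
    # The notes write the dispute message as Block-Dispute_Detected; IOS uses DISPUTE_DETECTED.
    cause = STP_CAUSES.get(mnemonic) or STP_CAUSES.get(mnemonic.replace("BLOCK_", "", 1))
    port = PORT_RE.search(m.group("text"))
    vlan = VLAN_RE.search(m.group("text"))
    return {
        "severity": int(m.group("severity")),
        "mnemonic": mnemonic,
        "port": port.group(1) if port else None,
        "vlan": int(vlan.group(1)) if vlan else None,
        "cause": cause,
    }


def summarize(lines: List[str]) -> Dict[str, object]:
    """All STP events plus per-port and per-mnemonic counts for a quick triage view."""
    events = [e for e in (parse_stp_event(line) for line in lines) if e]
    return {
        "events": events,
        "by_port": Counter(e["port"] for e in events if e["port"]),
        "by_mnemonic": Counter(e["mnemonic"] for e in events),
    }


# Constructed syslog lines in IOS format (timestamps and ports are made up).
SAMPLE_LOG = [
    "Jan  7 21:03:11.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.",
    "Jan  7 21:03:12.001: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/7 on VLAN0020. Inconsistent peer vlan.",
    "Jan  7 21:03:12.002: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/7 on VLAN0010. Inconsistent local vlan.",
    "Jan  7 21:05:40.777: %SPANTREE-2-DISPUTE_DETECTED: Dispute detected on port GigabitEthernet1/0/9 on VLAN0001.",
    "Jan  7 21:06:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jan  7 21:07:15.450: STP-2-Bridge_Assurance_Block: BPDU not received on port Po1 with Bridge Assurance enabled.",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for event in report["events"]:
        print(event["mnemonic"], event["port"], event["vlan"], "->", event["cause"])
    print("per port:", dict(report["by_port"]))
```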
 RSTP (802.1w)
 Only has 3 states for faster recovery: discarding, learning, forwarding
 Doesn't rely on timers to determine movement to the next state; it has a negotiation mechanism
 Sync is the method it uses to recover. Sync occurs when a link comes up between two switches: all non-edge ports are blocked and each connected switch sends a proposal that its port should be the designated port
 Has alternate ports rather than blocked ports, indicating another path to the root
 Two port types: p2p (interfaces running in full duplex; half duplex is a shared port and can only use STP) and edge ports (PortFast enabled); if an edge port receives a BPDU it is demoted to a regular RSTP port
 Only when a non-edge port moves to forwarding does RSTP send a TCN to the network through all non-edge designated ports
 If connected to a switch not running RSTP it will fall back to 802.1D behavior
 During the sync process, when two switches come up each sends a proposal that its port should be the designated port
 Topology Change
 TC timer value is equal to twice the hello timer
 The MAC table entries associated with all ports are cleared except for the port that received the BPDU with the TC flag set
□ Occurs on all designated and root ports
 MSTP (802.1s)
 Creates instances that VLANs can be mapped to, like an L2 VRF
 Reduces the CPU burden compared with PVST or RPVST
 Uses the concept of regions: logically separate instances
 MST incorporates mechanisms that make an MST region appear as a single virtual switch to external switches
 MST supports the tuning of port cost and port priority
 This can be done on a per-instance basis on the interface
 Pruning of VLANs should not occur for VLANs in the same MST region on different network links
 Hello and forward timers are only configured on the IST root bridge
 Making the MST region the root bridge ensures that all region boundary ports flood the same IST instance BPDU to all the VLANs in the PVST topology
 The spanning tree port priority and cost can be configured per instance on an interface. The hello and forward delay timers are configured only on the IST root bridge.
 When an MST region connects to a switch running 802.1w (RSTP)
 The 802.1w switches will view the MST region as a single bridge and place alternate ports in the blocking state
 The root bridge for all VLANs will be in the MST region
 All VLANs are mapped to instance 0 by default; other mappings must be done manually
 Troubleshooting
• The error message STP-2-Dispute_Detected could appear because of a unidirectional link failure
3.2 Layer 3
Tuesday, January 7, 2020
9:59 PM
 EIGRP
• EIGRP OTP (Over the Top) allows you to run EIGRP between routers that are not directly connected
 Uses VXLAN as an overlay (tunneling) to connect endpoints, like DMVPN
 EIGRP OTP uses LISP encapsulation only for the data plane; EIGRP itself is the control plane
• Sends hello packets to multicast group 224.0.0.10
• When a new neighbor is formed an empty update message is sent
 Compare EIGRP and OSPF
 Algorithm
 EIGRP: advanced ("smart") distance vector protocol using the Diffusing Update Algorithm (DUAL). Uses pre-calculated loop-free backup paths for fast convergence
 OSPF: link state; uses Dijkstra's shortest path first (SPF) algorithm to construct a loop-free topology of shortest paths
 Load balancing
 EIGRP supports unequal-cost load balancing in addition to ECMP; this is done by changing the variance
 OSPF can equal-cost load balance over up to four paths by default and track up to 16 next hops to the same destination
 Path selection
 EIGRP: the successor is the path with the lowest metric to the destination. A feasible successor is a backup whose reported distance (received for that route) is less than the feasible distance calculated locally
 OSPF: the path is determined by the cumulative cost of all interfaces of the next hops to the destination
 Path operations
 EIGRP uses split horizon and poison reverse to avoid loops
 OSPF looks at the path type first, then the metric. The preferred path types, in order:
 Intra-Area (O)
 Inter-Area (O IA)
 NSSA Type 1 (N1)
 External Type 1 (E1)
 NSSA Type 2 (N2)
 External Type 2 (E2)
 Metric
 EIGRP uses cumulative delay and minimum bandwidth by default; the K values determine whether other metric components are used

 OSPF metric is determined by cost, a higher bandwidth has a lower cost. Default cost may need to be changed to account for higher speed interfaces
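Added example (not from these notes or from IOS): Python for the three metric rules in this comparison. best_ospf_route ranks candidates by the notes' path-type order before it ever looks at cost; ospf_interface_cost shows why the default 100 Mbps reference bandwidth gives every link from 100 Mbps up the same cost of 1 until the reference is raised; eigrp_classic_metric is the classic EIGRP composite formula with K values (only bandwidth and delay count with the default K1=K3=1), which the notes describe but do not write out, so the formula is my addition. The candidate routes and next hops are constructed.

```python
from dataclasses import dataclass
from typing import List

# OSPF path-type preference from the notes, best first.
OSPF_PATH_PREFERENCE = ["O", "O IA", "N1", "E1", "N2", "E2"]


@dataclass(frozen=True)
class OspfCandidate:
    prefix: str
    path_type: str
    cost: int
    next_hop: str


def best_ospf_route(candidates: List[OspfCandidate]) -> OspfCandidate:
    """Path type outranks metric: an inter-area route with cost 500 beats an E2 route with cost 20."""
    return min(candidates, key=lambda c: (OSPF_PATH_PREFERENCE.index(c.path_type), c.cost))


def ospf_interface_cost(bandwidth_mbps: int, reference_bw_mbps: int = 100) -> int:
    """cost = reference bandwidth / interface bandwidth, minimum 1. With the default
    100 Mb/s reference (10^8 b/s) every link of 100 Mb/s or faster gets cost 1."""
    return max(1, reference_bw_mbps // bandwidth_mbps)


def eigrp_classic_metric(min_bandwidth_kbps: int, total_delay_tens_of_us: int,
                         k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0,
                         load: int = 1, reliability: int = 255) -> int:
    """EIGRP classic composite metric (formula is my addition, not from the notes):
    256 * (K1*BW + K2*BW/(256-load) + K3*delay) * K5/(reliability+K4), the last factor
    applied only when K5 != 0. BW = 10^7 / minimum bandwidth in kb/s; delay in tens of us."""
    bw = 10_000_000 // min_bandwidth_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_of_us
    if k5:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


if __name__ == "__main__":
    cands = [
        OspfCandidate("10.9.9.0/24", "E2", 20, "192.0.2.1"),
        OspfCandidate("10.9.9.0/24", "O IA", 500, "192.0.2.2"),
        OspfCandidate("10.9.9.0/24", "O IA", 400, "192.0.2.3"),
    ]
    print("best OSPF path:", best_ospf_route(cands))
    for bw in (10, 100, 1000, 10000):
        print(f"{bw:>5} Mb/s: cost {ospf_interface_cost(bw)} (ref 100), "
              f"{ospf_interface_cost(bw, 10000)} (ref 10000)")
    print("EIGRP FastEthernet metric:", eigrp_classic_metric(100_000, 10))
```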

 Configure and verify OSPF
 Normal areas
 Router(config)# router ospf 100, then network <ip-address> <wildcard-mask> area <area-id>
 Filtering
 Can be done in one of three ways: area filtering, route summarization, and local OSPF filtering
 LSA filtering, which prevents type 1 LSAs from being advertised through a member router
 Area filtering, which prevents type 1 LSAs from being generated into a type 3 LSA
 Filtering by summarization: area <area-id> range <network> <subnet-mask> not-advertise under the OSPF process. This is a limited form of filtering
 Area filtering: area <area-id> filter-list prefix <prefix-list-name> {in | out} on the ABR

 A distribute list on an ABR does not prevent type 1 LSAs from becoming type 3 LSAs in a different area, because the type 3 LSA generation occurs before the distribute list is processed
 A distribute list on an ABR prevents type 3 LSAs coming from the backbone from being regenerated into non-backbone areas, because this regeneration process happens after the distribute list is processed
 A distribute list should not be used for filtering of prefixes between areas
 distribute-list {acl-number | acl-name | prefix prefix-list-name | route-map route-map-name} in

 show ip ospf database [router | network | summary] to view LSAs in the LSDB
 For a distribute list
○ In: prevents an LSA from becoming a route in the local routing table, but you cannot stop the LSA from entering the LSDB since all neighbors in the area must have the same database. The LSA is added to the LSDB, but the route is not added to the routing table.
○ Out: used on ASBRs to stop the creation of external LSAs for specific routes.
● Network Types
○ Network type, DR/BDR election, and manual neighbor configuration:
○ Broadcast: DR/BDR elected; no manual neighbor configuration
○ Non-broadcast: DR/BDR elected; neighbors need manual configuration
○ Point-to-point: no DR/BDR; neighborship forms automatically
○ Point-to-multipoint: no DR/BDR; no manual neighbors
○ Networks that don't broadcast require manual neighbor configuration
○ Automatic neighbor discovery relies on broadcasts and multicasts
○ The multicast address used to reach the DR/BDR is 224.0.0.6
○ The OSPF network type point-to-point is the default on a non-Frame Relay serial interface
◊ HDLC or PPP encapsulation will have a default of point-to-point
 Summarization
 Helps SPF calculate routes faster; occurs between areas on ABRs. Inter-area summarization reduces the number of type 3 LSAs that an ABR advertises
 Inter-area summarization on the ABR suppresses the more specific routes
 The command to summarize on an ABR (type 3) is area range; on an ASBR (type 4) you use summary-address
 Only type 1 LSAs can be summarized
 Reduces the size and volatility of the LSDB
 Passive interface
 Prevents the interface from sending hellos or processing any received OSPF packets; the interface's network is still added to the LSDB, but no adjacencies are formed
 Network types
 ip ospf network <network-type>, verified with show ip ospf interface <interface-id> | include type
 Neighbor states
 States 1-3 establish neighbor adjacencies; states 4-6 synchronize the OSPF databases
 All non-DR/BDR routers stay in the 2-way state with each other. This is normal behavior
 Load balancing
 Use the maximum-paths command
 maximum-paths only limits the number of parallel paths that can be used for load balancing
 Route advertisement
 OSPF can inject a default route into the LSDB if you use the default-information originate [always] command. If there is no default route in the RIB
already, the always keyword is required.
 Type 1, Type 2, and Type 3 LSAs are flooded within an area
 Type 5 LSAs are flooded throughout the OSPF domain, across ABRs.
 Troubleshooting
 Areas need to match
 RID can't be the same
 Timers must match neighbor's
 Mismatched MTU sizes could cause the neighbor to be stuck in the Exstart or Exchange state because the DBD packet will exceed the MTU size when
sending to the neighboring router
 Max metric is 65535; the reference bandwidth is 10^8 (100 Mbps) by default
 OSPFv3
 supports IPv4 and IPv6 address families
 RID must always be manually configured on IOS router
 To enable IPv4, IPv6 must be enabled on the interface; then you must explicitly configure the interface to enable IPv4 in OSPFv3 (ospfv3 process-id ipv4 area area-id)
 A reserved instance ID in the range 64 to 95 identifies that a neighbor adjacency is being used for IPv4
 A next-hop address is shown as a link-local address in the IPv6 routing table
 LSA Types
 Type 3 is interarea prefix for ABRs
 Type 4 interarea for ASBRs
 Type 5 AS external used to advertise redistributed routes
 Type 8 link LSAs advertise link-local IPv6 info
 Type 9 is intra-area prefix; carries IPv6 prefix info
 The LSAs only provide interface type and cost information
 Uses IPsec instead of MD5 for security
 Supports multiple instances on a single link
 The BDR is elected before the DR
 Enabling OSPFv3 on an interface enables the OSPFv3 routing process on the router
 In order to configure OSPFv3, the process configuration must be completed, and then each interface must be enabled for the process with the correct area ID,
which must match
 If passive-interface default is used, each interface needs to be specifically made non-passive in the configuration to allow OSPFv3 to form an adjacency.
• Summarization
 Summarization is performed on ABRs, just as with IPv4
 A common error is to perform address summarization in decimal, forgetting that the address is represented in hex.
• Network types
 Uses the same 4 network types as OSPFv2: point-to-point, broadcast, point-to-multipoint, non-broadcast
 Configure and verify eBGP
 eBGP Multihop
 Must be directly connected by default because the TTL is set to 1
 Can increase the TTL with neighbor ip-address ebgp-multihop number, where number is between 2 and 255
 Can be configured with link-local or global unicast addresses
 Can exchange IPv6 NLRI using IPv4 peer address by activating a neighbor configured with an IPv4 address in the IPv6 unicast address family
 BGP neighbor states
 Idle
 initial state that the BGP routing process enters when the routing process is enabled or when the device is reset
 in this state, the device waits for a start event, such as a peering configuration with a remote peer
 Active
 the BGP routing process tries to establish a TCP session with a peer device using the ConnectRetry timer
 Start events are ignored while the BGP routing process is in the Active state
If the BGP routing process is reconfigured or if an error occurs, the BGP routing process will release system resources and return to an Idle state.
 Established
 The initial keepalive is received from the remote peer
 Peering is now established with the remote neighbor and the BGP routing process starts exchanging update messages with the remote peer
 BGP best path selection algorithm
 3 tables are used to maintain network prefix and path attributes for routes:
 Adj-RIB-In - holds NLRI (Network Layer Reachability Information) before it is processed by inbound policies
 Loc-RIB - presents routes to the routing table. Contains locally generated or peer provided NLRIs
 Adj-RIB-Out - holds NLRIs after outbound policies are processed

 First three criteria used to choose a route are:
 Highest weight (applies to routes received), highest local preference (would determine always going to the same place), and locally originated
paths
○ We Love Oranges AS Oranges Mean Pure Refreshment
○ Default local preference is 100. If column is blank it means it's set at the default 100
 Then shortest AS path, lowest origin type, lowest MED, external over internal BGP, lowest IGP cost, oldest path, and lowest RID

 For MED to be used the routes must come from the same AS
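The selection order listed above, as an added Python example that is not part of the original notes: the Path fields, the sample paths and their router IDs are constructed, and only the tie-breakers the notes name are modelled, in the notes' order.

```python
"""Simplified BGP best-path comparison following the order in the notes:
weight, local preference, locally originated, AS_PATH length, origin,
MED (only compared between paths from the same neighbouring AS),
eBGP over iBGP, IGP cost to next hop, oldest path, lowest router ID.
Added example, not from the original notes; sample values are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Origin codes ranked in preference order; lower rank wins.
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    name: str                          # label for the constructed sample only
    weight: int = 0                    # Cisco-local attribute, applies to received routes
    local_pref: int = 100              # default local preference is 100
    locally_originated: bool = False
    as_path: tuple = ()                # e.g. (65001, 65100)
    origin: str = "i"
    med: int = 0
    ebgp: bool = True                  # False = learned from an iBGP peer
    igp_cost: int = 0                  # IGP metric to reach the BGP next hop
    age: int = 0                       # seconds since received; older wins
    router_id: IPv4Address = IPv4Address("0.0.0.0")

    @property
    def neighbor_as(self):
        """First AS in the AS_PATH; MED is only comparable within the same one."""
        return self.as_path[0] if self.as_path else None


def compare(a: Path, b: Path) -> Path:
    """Return the preferred of two paths, checking the criteria in order."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only compared when both paths come from the same neighbouring AS
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_cost != b.igp_cost:
        return a if a.igp_cost < b.igp_cost else b
    if a.age != b.age:
        return a if a.age > b.age else b
    return a if a.router_id < b.router_id else b


def best_path(paths):
    """Pairwise comparison of the candidate paths in the order they are listed."""
    best = paths[0]
    for p in paths[1:]:
        best = compare(best, p)
    return best


# Constructed sample: one prefix learned over four paths.
SAMPLE_PATHS = [
    Path("via-ISP-A", as_path=(65001, 65100), med=50, age=300,
         router_id=IPv4Address("10.0.0.1")),
    Path("via-ISP-A-alt", as_path=(65001, 65100), med=20, age=200,
         router_id=IPv4Address("10.0.0.2")),
    Path("via-ISP-B", as_path=(65002, 65200, 65100),
         router_id=IPv4Address("10.0.0.3")),
    Path("via-iBGP", as_path=(65002, 65100), ebgp=False, local_pref=200,
         router_id=IPv4Address("10.0.0.4")),
]

if __name__ == "__main__":
    print("best of all four:", best_path(SAMPLE_PATHS).name)        # local pref 200 wins
    print("best without iBGP path:", best_path(SAMPLE_PATHS[:3]).name)  # lower MED from same AS
```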
 Summarization
 In order to advertise the configured aggregate at least one component route must exist in the BGP table
 BGP uses an aggregate address configuration to dynamically summarize routes
 By default both the aggregate and the component routes are advertised to neighbors
 BGP also may discard some of the attributes of the component routes when building the aggregate
 The as-set option can be used to preserve some of the AS_Path information in the form of an unordered list
 A network statement is added that includes the less specific network mask
 A static null route is used to prevent forwarding loops when summarizing
 A static null route can also be used to drop traffic w/o using an ACL
 With BGP distribute lists in a neighbor statement:
○ In: prevents an update from the neighbor from entering the BGP table
○ Out: prevents a BGP route from being advertised to the neighbor
○ neighbor ip-address distribute-list {ACL} {in | out}
 Troubleshooting
 Mtu mismatch
 Incorrect subnet in neighbor statement
 show ip bgp shows the contents of the BGP table
 The community attribute is an optional transitive attribute
 Communities are not advertised by default between iBGP neighbors
 Communities are used for prefix tagging
 Communities can be matched using a standard IP community list, which is similar to an ACL matching a prefix
 Regular expression matching of community values can be done using an expanded IP community list
 In order to be RFC compliant all implementations must support the well-known communities
 Well-known communities: Internet(prefixes should be advertised to the internet), No_Advertise, No_Export(prefixes that should not be advertised to a
eBGP peer)
 A Multiprotocol BGP VPN-IPv4 address begins with an 8-byte route distinguisher (RD) and ends with a 4-byte IPv4 address
 Advertisement
 A minimum of /24 is needed to advertise on the internet or it will be filtered
 Getting an AS from ARIN or one of the other
• Source interface should be modified if you have routes to multiple carriers
• LOA, SWIP, and Whois record prove you have the rights to advertise using BGP
• Public and Private AS
 Private: 64,512-65,534
 Public: 1-64,495
 Reserved: 0 and 65,535
 IS-IS
• Only level 1 PDUs(protocol data units) use the area authentication password
• IS-IS has 3 methods of authentication: area, domain, and interface authentication
• Domain authentication is used at level 2
• Domain authentication is configured under isis router mode with domain-password password
• Interface authentication is used at levels 1/2
• To configure interface authentication issue isis password password from interface config mode
• The election process is preemptive; the highest priority becomes the new Designated Intermediate System (DIS)
• Forms a full mesh of neighbor relationships
• Doesn't require that timer values are the same throughout the network
3.3 Wireless
Tuesday, January 7, 2020
10:01 PM
 Layer 1 concepts
 RF power
 Measured in watts(W)
 Law of Zero: A value of 0 dB means that the two absolute power values are equal

 Comparing power levels


 EIRP - effective isotropic radiated power
 The actual power level radiated from an antenna


 RSSI - received signal strength indicator
 How a receiver usually measures signal power level
 Measured in dBm but can vary across vendors because there is no standard across manufacturers
 Focuses on the signal it expects to receive and not any of the others it might also receive
 SNR - signal to noise ratio
 difference between the signal and the noise
 Sources of interference
 The following sources can affect devices operating in the 2.4 GHz frequency range
 Microwaves
 Radar
 Baby monitors
 Cordless phones
 Neighbors
 Analog video camera - can cause interference on 802.11g networks because they operate in the same frequency range
and have a 100 percent duty cycle
 CCX (Cisco Compatible Extensions )
• Describes a list of functional extensions to the IEEE 802.11 Wireless LAN standard to support fast roaming (CCKM) with upgraded security,
reliability, and diagnostic performance
• CCX is typically deployed in industrial, enterprise, or institutional environments where 802.11 wireless connectivity or reliability is
extremely important
• Typical deployments include barcode scanners in a warehouse, VoIP mobile phones in an office environment, and wearable medical devices
that report patient status.
 802.11
 The IEEE standard for Wi-Fi

 An AP must support the same 802.11 standards as the clients that will connect to it
 802.11n, 802.11ac, and 802.11ax amendments offer a method to customize the transmitted signal to prefer one receiver over others
 802.11k provides assisted roaming
 802.11w helps protect against spoofed management frames
 802.11r provides fast transition roaming
 802.11v provides network assisted power savings
 AP modes
 Local
 default lightweight mode that offers one or more functioning BSSs on a specific channel
 when it is not transmitting, the AP scans the other channels to measure the level of noise, measure interference, discover
rogue devices, and match against intrusion detection system (IDS) events
 Monitor
 AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor
 checks for IDS events, detects rogue access points, and determines the position of stations through location-based services
 FlexConnect
 AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down and if it is
configured to do so
 Can be managed remotely over a WAN link
 The AP can support client connections
 Wireless solution for branch office and remote office deployments
 H-REAP mode the AP can be remotely managed over a WAN link and the AP can support clients
 Can detect rogue APs if it's enabled to
 Sniffer
 AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device
 Captured traffic is then sent to a device to be analyzed
 Rogue Detector
 AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over
the air
 A rogue device would appear in both networks
 Bridge
 AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks
 Two APs in bridge mode can be used to link two locations separated by a distance
 Flex + Bridge
 FlexConnect operation is enabled on a mesh AP
 SE-Connect
 AP dedicates its radios to spectrum analysis on all wireless channels
 Connect remotely from a PC running analyzer software such as Cisco Spectrum Expert to determine sources of interference
 AP boot process
 When a lightweight AP boots you can't control the software image it uses; the WLC sends it whatever image the WLC is running


 AP discovery of WLC
 Internal preset
 You can load up to 3 controllers in an AP to look for when coming online. This info is stored in non-volatile memory so it can be
remembered after a reboot or power failure
 If an AP was previously connected to a WLC it will store up to 8 of the 32 WLC addresses on that WLC and contact as many as
possible to build a table
 DHCP and DNS
 DHCP option 43
 Used to suggest a list of WLC addresses
 An out-of-the-box lightweight AP will attempt to obtain a DHCP lease because a static address hasn't been configured yet
 CISCO-CAPWAP-CONTROLLER.local-domain
 If a domain name is resolved the AP will attempt to contact the WLC at that address
 This will also be used if DHCP option 43 isn't configured
 If the previous steps fail the AP will reboot and start the discovery process over
 Broadcast
 If every method has been tried a CAPWAP Discovery Request broadcast message will be sent on every possible subnet
 Antenna types
 Omnidirectional
 Have a lower gain than directional antennas
 Dipole
 Composed of 2 wire segments radiating along the E and H planes
 usually have a gain of around +2 to +5 dBi

 Integrated
 Very small, placed inside a device's outer case (cell phone, laptop, tablet, some APs); generally have lower
performance compared to larger antennas
 typically have a gain of 2 dBi in the 2.4 GHz band and 5 dBi in the 5 GHz band
 Directional
 Have a higher gain than an omnidirectional antenna
 Yagi
 Made up of several parallel wire segments that tend to amplify an RF signal to each other. The outer case is shaped like
a thick cylinder
 Great for line of sight because of how tightly it can focus the beam. Best for sending to only 1 receiver

 Patch
 Flat and usually mounted on walls or ceilings

 Dish
 Highly directional and uses a passive dish shaped like a parabola to focus an RF signal into a tight beam
 Roaming
 Intra-controller
 Client roaming that occurs between two APs joined to the same controller
 Takes less than 10ms to complete
 Inter-controller
 Client roaming that occurs between two APs that are joined to two different controllers
 Layer 2
 Inter-controller roam where the WLANs of the two controllers are configured for the same Layer 2 VLAN ID; also known as a
local-to-local roam
 Layer 3
 Inter-controller roam where the WLANs of the two controllers are configured for different VLAN IDs; also known as a
local-to-foreign roam. A CAPWAP tunnel is built to allow communication between the current and former controller
 Enhancements
 CCKM
 One controller maintains a database of clients and keys on behalf of its APs and provides them to other controllers
and their APs as needed during client roams. CCKM requires Cisco Compatible Extensions (CCX) support from
clients
 Key Caching
 Each client maintains a list of keys used with prior AP associations and presents them as it roams. The destination
AP must be present in this list, which is limited to eight AP/key entries.
 802.11r
 addresses fast roaming or fast BSS transition; a client can cache a portion of the authentication server’s key and
present that to future APs as it roams. The client can also maintain its QoS parameters as it roams.
 Anchor versus Foreign
 Original controller vs the new controller in a Layer 3 inter-controller roam
 The foreign controller will tunnel clients back to the anchor so they retain connectivity to their original VLAN and subnet
 Mobility Groups
 Used to help with inter-controller roaming, allow for scaling and centralized controllers to cooperate over a large area
 Increases the speed of roaming being completed
 Each controller maintains a mobility list that contains its own MAC address and the MAC addresses of other controllers
 Must be configured with the same virtual interface IP address
 Troubleshooting the WLC, APs, Clients
 AP must have connectivity to its access layer switch
 AP must have connectivity to its WLC unless operating in FlexConnect mode
 Autonomous AP to switch
 No image in flash
 Power issue
 The number of clients on an AP would not be used in diagnosing poor RF conditions around the AP's location
 Channel noise, channel interference, and air quality are all things to consider that directly relate to RF conditions
 Lightweight AP to WLC
 easiest approach is to simply look for the AP in the list of live APs that have joined the controller
 channel utilization indicates how much of the available air time is being consumed; higher utilizations mean that wireless
devices will have less time available to claim the channel and transmit data
 Only requires one IP to support multiple WLANs and it is also used as the management IP
 Needs a single VLAN to support CAPWAP tunnels
 If running a different version of code compared to the WLC the AP will download it even if it's older
 Autonomous
 Can support multiple VLANs that are extended to the AP
 Client to AP
 In client view you'll have 5 dots showing the progress of a client connecting
 LAG(Link Aggregation)
 Similar to LACP and PAgP
 LAG enables multiple physical ports on a WLC to operate as one logical group
 LACP/PAgP negotiation doesn't work to form the EtherChannel on the connected switch. You must use the channel-group id
mode on command
 A WLC only supports one LAG group
 When you enable LAG you must reboot the WLC
3.4 IP Services
Tuesday, January 7, 2020
10:02 PM
 Network Time Protocol theory
 used to synchronize a set of network clocks in a distributed client/server architecture
 UDP port 123
 The sync process is not fast. It can synchronize a large time discrepancy to within a couple of seconds of accuracy after a
few cycles of polling an NTP server
 Uses stratum to determine time accuracy. The lower the stratum the better. An NTP server will always be stratum 1
 Root dispersion (the calculated error of the actual clock attached to the atomic clock) and peer dispersion
(the root dispersion plus the estimated time to reach the root NTP server)
 An NTP client can be configured for multiple NTP servers but only the one with the lowest stratum will be used
 NTP peers act as clients and servers to each other, in the sense that they try to blend their time to each other.
□ intended for designs where other devices can act as backup devices for each other and use different primary
reference sources
 The ntp authenticate command is used to ensure only certain devices can access the time source
 Configure and verify dynamic inside source NAT/PAT
 Dynamic NAT
 Create a static route on the remote router pointing the public addresses at the local router: router(config)# ip route x.x.x.x x.x.x.x
interface-id
 Define pool of usable public IPs on local router router(config)# ip nat pool [pool name] x.x.x.x x.x.x.x [pool
range] netmask x.x.x.x
 Create ACL to ID private addresses to translate router(config)# access-list [access-list id] permit x.x.x.x
x.x.x.x [ip address & wildcard]
 Link ACL to pool of addresses router(config)# ip nat inside source list [ACL] pool [pool name]
 Define inside interfaces router(config-if)# ip nat inside
 Verify with show ip nat translations sh ip nat statistics
 Dynamic PAT
 Create a static route on the remote router pointing the public addresses at the local router: router(config)# ip route x.x.x.x
x.x.x.x interface-id
 Define pool of usable public IPs on local router (optional) router(config)# ip nat pool [pool name] x.x.x.x
x.x.x.x [pool range] netmask x.x.x.x
 Create ACL to ID private addresses to translate router(config)# access-list [access-list id] permit x.x.x.x
x.x.x.x [ip address & wildcard]
 Link the ACL to the outside public interface: router(config)# ip nat inside source list [ACL] interface [interface-id]
overload
 Or link the ACL to the pool of addresses: router(config)# ip nat inside source list [ACL] pool [pool name] overload
 Define the inside interface: router(config-if)# ip nat inside
 Verify with show ip nat translations sh ip nat statistics
 Pooled NAT vs Static NAT
□ Pooled requires fewer lines of configuration if many translations are needed
□ Fewer inside global addresses are needed with pooled NAT because static NAT uses 1:1 translations
 NAT-PT IPv6 to IPv4 translation
□ Use the ipv6 nat prefix command; the prefix length needs to be /96
□ Must have IPv6-to-IPv4 and IPv4-to-IPv6 address mappings
□ ipv6 nat prefix ipv6-address::/96 globally, then ipv6 nat on the interface
□ For 6to4 tunneling, addresses from 2002::/16 must be used
 6to4 tunnel
◊ interface tunnel tunnel-id
◊ ipv6 address ipv6-address
◊ tunnel source interface-id
◊ tunnel mode ipv6ip 6to4
◊ ipv6 route 2002::/16 tunnel tunnel-id

 Configure and verify HSRP
 interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.254
 standby 1 priority 105
 standby 1 preempt
 show standby / show standby brief / show standby vlan [vlan-id]
 Configure and verify VRRP
 1. enable
 2. configure terminal
 3. interface type number
 4. ip address ip-address mask
 5. vrrp group description text
 6. vrrp group priority level
 7. vrrp group preempt [delay minimum seconds]
 8. vrrp group timers advertise [sec] interval
 9. vrrp group timers learn
 10. exit
 VRRP will use the IP address of the master for the virtual IP if one is not configured
 Configure and verify GLBP
 1. enable
 2. configure terminal
 3. interface type number
 4. ip address ip-address mask [secondary]
 5. glbp group ip [ip-address [secondary]]
 6. exit
 7. show glbp [interface-type interface-number] [group] [state] [brief]
○ One AVG and up to four AVFs
 PIM theory - Protocol Independent Multicast
□ Routes multicast traffic between networks. Can use any unicast routing protocol to identify path between
source and receivers.
□ The registration message is sent as a unicast packet toward the RP
□ The same packet can be forwarded to multiple different networks
□ The PIM designated router is responsible for registering the source with the PIM RP
□ PIM join messages are exchanged between 2 multicast routers
□ A (*,G) join, where G = multicast group, is sent from a client toward the RP with a request to join that multicast group and
receive its packets
□ Important Multicast IP ranges
 Local network control block (224.0.0.0/24)
◊ used for protocol control traffic that is not forwarded out a broadcast domain
 Internetwork control block (224.0.1.0/24)
◊ used for protocol control traffic that may be forwarded through the Internet (NTP, Cisco-RP
Announce and Discovery)
 Administratively scoped block (239.0.0.0/8)
◊ limited to a local group or organization. These addresses are similar to the reserved IP unicast
ranges
 GLOP block (233.0.0.0/8)
◊ globally scoped statically assigned addresses
 Source Specific Multicast (SSM) block (232.0.0.0/8)
◊ Default range for SSM. SSM forwards traffic to receivers from only those multicast sources for
which the receivers have explicitly expressed interest; it is primarily targeted to one-to-many
applications.
□ IGMP Snooping
 Implemented by default in L2 switches to optimize flooding of multicast traffic
 W/O snooping traffic for every group would be flooded on each port in the vlan, even to receivers that
don't want the traffic
 Primarily IGMP snooping uses PIM and IGMP messages to determine where the multicast router is
connected, and membership reports are used to identify where receivers are connected and which
groups they are interested in.
 To optimize forwarding of multicast traffic in L2 the switch listens for PIM or IGMP messages to identify
which port is connected to the multicast router (mrouter) port.
 IGMP membership report messages from hosts are used to identify the ports that have interested
receivers
 Multicast tree
□ Multicast routers create distribution trees that define the path that IP multicast traffic follows through the
network to reach the receivers
 RPF check
□ used to prevent loops and ensure that multicast traffic is arriving on the correct interface
□ Ensures that multicast traffic always flows downstream from the multicast source to the multicast receivers
□ Does this with the RPF interface. The RPF interface has the lowest-cost path (based on AD/metric) to the source (SPT)
or the RP. Highest IP wins ties
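The RPF interface selection described above, as an added Python example that is not part of the original notes: the routing table is constructed, and longest-prefix match is applied before the AD/metric/highest-IP rule, as the unicast lookup would.

```python
"""RPF check against a small unicast routing table. The RPF interface is the
one with the lowest-cost route (AD, then metric) to the source or RP, and the
highest next-hop IP breaks ties. Added example; the RIB below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: IPv4Address
    admin_distance: int   # AD: 1 for static, 110 for OSPF, ...
    metric: int


def rpf_route(rib, address):
    """Best unicast route toward `address` (a multicast source or the RP), or None."""
    candidates = [r for r in rib if address in r.prefix]
    if not candidates:
        return None
    longest = max(r.prefix.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.prefix.prefixlen == longest]
    # lowest AD, then lowest metric, then highest next-hop IP (hence the negation)
    return min(candidates, key=lambda r: (r.admin_distance, r.metric, -int(r.next_hop)))


def rpf_interface(rib, address):
    """Interface the router would use to reach `address`; None if unreachable."""
    route = rpf_route(rib, address)
    return route.interface if route else None


def rpf_check(rib, source, incoming_interface):
    """True only if a packet from `source` arrived on its RPF interface.

    Packets that fail the check are dropped, which is what prevents loops.
    """
    return rpf_interface(rib, source) == incoming_interface


# Constructed sample RIB: two equal-cost OSPF routes, one static, one default.
SAMPLE_RIB = [
    Route(IPv4Network("10.1.0.0/16"), "Gi0/0", IPv4Address("192.168.0.1"), 110, 20),
    Route(IPv4Network("10.1.0.0/16"), "Gi0/1", IPv4Address("192.168.1.1"), 110, 20),
    Route(IPv4Network("10.1.5.0/24"), "Gi0/2", IPv4Address("192.168.2.1"), 1, 0),
    Route(IPv4Network("0.0.0.0/0"), "Gi0/3", IPv4Address("192.168.3.1"), 1, 0),
]

if __name__ == "__main__":
    for src, iface in [("10.1.5.10", "Gi0/2"), ("10.1.5.10", "Gi0/0"), ("10.1.7.10", "Gi0/1")]:
        verdict = "pass" if rpf_check(SAMPLE_RIB, IPv4Address(src), iface) else "FAIL (drop)"
        print(f"source {src} arriving on {iface}: RPF {verdict}")
```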
 PIM-SM
□ Used when multicast routers are thinly scattered throughout the network
□ assumes that no receivers are interested in multicast traffic unless they explicitly request it
□ PIM-SM allows the LHR(last hop router) to switch from the shared tree to an SPT for a specific source
□ uses an explicit join model where the receivers send an IGMP join to their locally connected router, which is
also known as the last-hop router (LHR)
□ Requires the use of a physical RP
□ The last hop router will create and cutover to a shortest path tree
 PIM-DM
□ Used when receivers of a multicast group are on every subnet in the network
□ multicast tree is built by flooding traffic out every interface from the source to every Dense Mode router in the
network
□ prunes expire after three minutes. This must be taken into account when using PIM-DM
□ Not recommended for production environments
□ Does not require an RP.
 PIM Sparse-Dense Mode
□ Solves the issue of using Auto-RP in conjunction with sparse mode
□ Allows the Auto-RP groups 224.0.1.39 and 224.0.1.40 to be flooded, but it also floods all multicast traffic that we
don’t have an RP for
 Auto-RP - Cisco proprietary mechanism that automates distribution of group-to-RP mappings
□ use multiple RPs within a network to serve different group ranges
□ Allows load splitting and simplifies RP placement according to locations of group participants
□ prevents inconsistent manual static RP configurations that might cause connectivity problems
□ operates using two basic components, candidate RPs (C-RPs) and RP mapping agents (MAs)
□ C-RP advertises its willingness to be an RP via RP announcement messages
 BSR - Boot strap router
□ Provides a fault-tolerant automated RP discovery and distribution solution
□ Does not work well with Auto-RP
□ Discovers and announces RP set information for each group prefix to all routers in PIM domain
□ Messages originate on the BSR then are flooded hop-by-hop by intermediate routers
□ Multiple BSRs can be configured in a PIM domain for redundancy; the primary is selected by highest priority
□ BSR does not elect the active RP for a group. Instead, it leaves this task to each individual router in the network
 Static RP
□ Best used in small networks or networks that won't see many changes to the topology
□ The static RP IP address needs to be configured on every router in the multicast domain
□ If a manually configured RP fails there is no failover and this method doesn't provide any load splitting
 Bidirectional PIM
□ Uses shared tree as its main forwarding mechanism
□ A designated forwarder (DF) is used to get traffic to the RP
 SSM - Source Specific Multicast
□ IGMPv3 provides source filtering for it
□ IP block 232.0.0.0 to 232.255.255.255
□ forwards traffic to receivers from only those multicast sources for which the receivers have explicitly expressed
interest; it is primarily targeted to one-to-many applications.
□ In order to build a shortest path tree SSM needs (S,G) source, group learned from the client via IGMPv3
 From interface config: ip igmp join-group group-address source source-address
 From global config: ip pim ssm default
 IGMP theory
 Version 2
□ Most common in multicast environments. Messages are sent with a TTL of 1 so they are processed by the local router and not
forwarded.
□ When a receiver wants to receive a multicast stream, it sends an unsolicited membership report, commonly
referred to as an IGMP join, to the local router for the group it wants to join
□ IGMPv2 routers send general membership query messages with their interface address as the source IP address
and destined to the 224.0.0.1 multicast address.
 Version 3
□ Supports source filtering unlike v2. Has 2 new modes: include/exclude. Those that want traffic and those that
don't.
□ Designed to co-exist with v1 and v2
□ supports all IGMPv2’s IGMP message types and is backward compatible with IGMPv2
□ The differences between the two are that IGMPv3 added new fields to the IGMP membership query and introduced
a new IGMP message type, the Version 3 membership report, to support source filtering
□ IGMPv3 supports applications that explicitly signal sources from which they want to receive traffic
 PPPoE
○ Can use DHCP, PPP, or IPCP to automatically obtain an IP address
4.1 Diagnose network problems using tools such as debugs,
conditional debugs, trace route, ping, SNMP, and syslog
Tuesday, January 7, 2020
10:03 PM
 4.1 Tools
 Debugs
 Helps narrow down the cause of network issues by providing a deeper level of inspection
 In regards to OSPF these are commands that can be used:
□ debug ip ospf adj - will show why an adjacency isn't forming
□ debug ip ospf hello - shows if there is a network mismatch
 Conditional debugging can be used to limit the amount of output generated by a debug. An example would be debug ip
packet which in a production environment would generate a lot of output. An ACL can be used to reduce this so that only
the needed networks/addresses trigger output
□ Debugging can also be applied to a specific interface to reduce output. The only way to remove debugging from an
interface is to use the undebug command for the interface, e.g. undebug interface loopback0
□ To debug a specific interface use the command debug condition interface interface-id
 A conditional debug will show output for all conditions that have been set
 Trace
 Used to determine where traffic is failing
 traceroute shows the IP addresses or DNS names of the hops between the source and destination
 Measures the time between each hop in ms, this can be useful when there is more than one path to a destination
 The maximum TTL is 30. It can fail if there is a missing route or a mistyped destination
 Traceroute options: numeric, port, probe (probes per hop), source, timeout, ttl


 PING
 Determines reachability between points by exchanging ICMP echo request and echo reply messages. The destination must know the way back
to the sender
 Round-trip time is reported as minimum/average/maximum
 An extended ping can be used to get more detailed feedback
 SNMP
 Used as a method of getting alerts. SNMP sends unsolicited traps to an SNMP collector or network management system
(NMS). Traps are sent in response to something that happened
 Trap triggers could be tied to link status, improper user authentication, or power failures.
 There are 3 versions of SNMP. V3 is the most secure. V1 is used by default if no other version is specified.
 SNMPv1 and SNMPv2c use access lists and a community password or string to control what SNMP managers can talk to
the devices via SNMP
 Uses UDP port 162 for trap messages and UDP port 161 for everything else
 Version comparison table (columns: Version | Level | Authentication | Encryption | Result)
 SNMP Operations


4.2 Configure and verify device monitoring using syslog for
remote logging
Tuesday, January 7, 2020
10:04 PM
 Syslog
• By default all messages are sent to the console
• Date and time must be properly configured before setting up a device to send log messages
• The default transport protocol is 602
• Syslog message levels
• When setting up syslog the logging buffer is the first thing to focus on. Default buffer size is 4096 bytes
○ Enable logging to the buffer
○ Set the severity level of messages to be sent
○ Set the logging buffer to a larger size
• With the logging synchronous command on a vty line, unsolicited messages appear after solicited output in a Telnet session
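The severity-level filtering described above, as an added Python example that is not part of the original notes: it parses Cisco-style %FACILITY-SEVERITY-MNEMONIC messages and keeps what a buffer configured at a given level would retain. The sample log lines are constructed for the example.

```python
"""Parse Cisco-style syslog lines and apply the severity filter the notes
describe: on IOS, logging buffered N keeps messages whose severity number is
N or lower (lower = more urgent). Added example; sample lines are constructed.
"""
import re
from collections import Counter

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# The message body is %FACILITY-SEVERITY-MNEMONIC: text, after an optional
# sequence number and timestamp prefix.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_line(line):
    """Return the message fields, or None for lines that are not syslog messages."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    severity = int(m["severity"])
    return {
        "prefix": line[:m.start()].strip(),   # sequence number / timestamp, if any
        "facility": m["facility"],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def passes_level(msg, level):
    """IOS semantics: level N admits severities 0..N."""
    return msg["severity"] <= level


def filter_log(lines, level):
    """Parsed messages that a buffer configured at `level` would retain."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and passes_level(msg, level):
            kept.append(msg)
    return kept


def summarize(msgs):
    """Count messages per FACILITY-MNEMONIC, a quick triage of a log buffer."""
    return Counter(f"{m['facility']}-{m['mnemonic']}" for m in msgs)


# Constructed sample buffer (facility/mnemonic values are illustrative).
SAMPLE_LINES = [
    "000042: *Jan  7 22:04:01.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000043: *Jan  7 22:04:02.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000044: *Jan  7 22:04:10.450: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000045: *Jan  7 22:04:15.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22]",
    "000046: *Jan  7 22:04:20.000: %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "Building configuration...",   # not a syslog message; parse_line returns None
]

if __name__ == "__main__":
    for level in (3, 4, 7):
        kept = filter_log(SAMPLE_LINES, level)
        print(f"logging buffered {level} ({SEVERITY_NAMES[level]}): "
              f"{len(kept)} kept -> {dict(summarize(kept))}")
```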
4.3 Configure and verify NetFlow and Flexible NetFlow
Tuesday, January 7, 2020
10:04 PM
 NetFlow and Flexible NetFlow
• Gathers statistical information on traffic flows
• 2 parts must be configured: data capture and data export. Captured data is sent to a NetFlow collector like DNA Center or Prime
• NetFlow uses a lot of memory resources. The default memory size is platform specific and should be checked before configuring
NetFlow
• Netflow Versions
○ V5 most popular due to wide compatibility, uses a fixed data format
○ V9 most recent has added security and analysis, dynamic data format with templates
• Netflow Collector:
○ Exporter bundles 30-50 similar flows
○ Flow data transported over UDP
○ Real-time and historical data
• Traffic can be captured on the ingress and egress interfaces but only one direction at a time
○ Type of traffic captured by each:
○
• A flow is a unidirectional traffic stream that contains a combo of these fields: Src/Dst IP address, Src/Dst Port number, L3 protocol
type, Type of Service(ToS), input logical interface
• Sh ip flow top-talkers, sh ip flow interface, sh ip cache flow, sh ip flow export, sh ip flow monitor
• Port numbers are displayed in hexidecimal
 Flexible NetFlow
• Security was a major influence behind its adoption, due to its ability to track all parts of the IP header as well as the packet and normalize it into flows
• Can dynamically create caches for each type of flow and can also filter ingress traffic destined to a single destination
• Configuration:
○ You must have a flow exporter, a flow record, and a flow monitor. A flow sampler is optional
• The collect and match commands can be used to customize the flow record
○ To configure a custom flow record:
 Define the flow record name
 Set a useful description of the flow record
 Set match criteria for key fields
 Define non-key fields to be collected
○ To create a flow exporter:
 Define the flow exporter name
 Set a useful description of the flow exporter
 Specify the destination of the flow exporter to be used
 Specify the NetFlow version to export
 Specify the UDP port
○ To create a flow monitor:
 Define the flow monitor name
 Set a useful description of the flow monitor
 Specify the flow record to be used
 Specify a cache timeout of 60 seconds for active connections
 Assign the exporter to the monitor
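Added configuration example (not from the original notes): a custom flow record, a v9 exporter and a monitor built in the order listed above, then applied to an interface. Names, the collector address and the UDP port are placeholders.

```cisco
! Constructed example: Flexible NetFlow record -> exporter -> monitor -> interface
! 1) Flow record: key fields (match) define what a flow is; non-key fields (collect) are gathered per flow
flow record REC-SEC
 description Security-oriented record: 5-tuple, ToS, input interface, counters and TCP flags
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match ipv4 tos
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
!
! 2) Flow exporter: where, from which source address, which UDP port, and which NetFlow version
flow exporter EXP-COLLECTOR
 description Export to the NetFlow collector
 destination 10.10.10.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! 3) Flow monitor: ties record and exporter together; 60 s active timeout as in the notes
flow monitor MON-SEC
 description Security flow monitor using REC-SEC
 record REC-SEC
 exporter EXP-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! 4) Apply to the ingress side of the interface (one direction per monitor application)
interface GigabitEthernet0/0
 ip flow monitor MON-SEC input
!
! Verification: cache contents, export counters, and the record actually in use
show flow monitor MON-SEC cache
show flow exporter EXP-COLLECTOR statistics
show flow record REC-SEC
```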
4.4 Configure and verify SPAN/RSPAN/ERSPAN
Tuesday, January 7, 2020
10:05 PM
• SPAN/RSPAN/ERSPAN
○ SPAN
 Captures local network traffic on a switch and sends a copy of the traffic to a local port attached to some sort of traffic analyzer
 The source can only be:
□ One or more specific ports
□ A port channel
□ A VLAN (all the hosts associated with the specified VLAN), but not an SVI
 Most devices support at least 2 sessions; newer devices can do more
 A SPAN destination port only sends the copied traffic out and drops any ingress traffic; at times, connectivity for the analyzer is needed
□ To allow the analyzer device to send traffic into the network, configure the following from global config:
monitor session session-id destination interface interface-id ingress {dot1q vlan vlan-id | untagged vlan vlan-id}
 STP is disabled on the destination port to prevent extra BPDUs from being included in the network analysis
 SPAN monitoring
□ Monitor transmit, receive, or both
□ Source and destination can reside in separate VLANs
□ Source and destination cannot be the same port
 Configure the source port
□ monitor session session-id source {interface interface-id | vlan vlan-id} [rx | tx | both]
 Configure the destination port
□ monitor session session-id destination interface interface-id [encapsulation {dot1q | replicate}] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]
□ Verify with show monitor session session-id
 A SPAN session normally copies the packets without including any 802.1Q VLAN tags or Layer 2 protocols
○ RSPAN
 Captures network traffic on a remote switch and sends a copy of the traffic to the local switch through Layer 2 (switching), toward a local port attached to some sort of traffic analyzer
 MAC addresses are not learned on ports associated with the RSPAN VLAN. This ensures that the switch does not try to use the port associated with the RSPAN VLAN to transmit data to the end host, which in turn ensures that the normal forwarding path is maintained
 Traffic is flooded out all the ports associated with the RSPAN VLAN. The RSPAN VLAN should not be associated with ports that are not trunk ports between the source and destination switches
 The VLAN configured for RSPAN needs to be the same on all devices
□ Configured with:
 vlan vlan-id
 name RSPAN_VLAN
 remote-span
 The destination command: monitor session session-id destination remote vlan rspan-vlan-id
□ The session-id is locally significant, but should be the same on all switches for easier configuration
○ ERSPAN
 Captures network traffic on a remote device and sends the traffic to the local system through Layer 3 (routing), toward a local port attached to some sort of traffic analyzer
 Requires end-to-end IP connectivity between source and destination
 Used in large environments because it's not always easy to move a traffic analyzer
 monitor session span-session-number type erspan-source
□ Once the session is created, the source must be defined
□ The session is enabled with the no shutdown command
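Added configuration example (not from the original notes) covering the three variants above: local SPAN, RSPAN across a source and a destination switch, and an ERSPAN source session. Interface numbers, VLAN 999, session IDs and IP addresses are placeholders.

```cisco
! Constructed example: local SPAN, RSPAN on two switches, and an ERSPAN source
!
! --- Local SPAN on one switch ---
! Sources: two access ports (both directions) and VLAN 10 (received traffic only)
monitor session 1 source interface GigabitEthernet1/0/1 - 2 both
monitor session 1 source vlan 10 rx
! Destination port; "ingress untagged vlan 10" lets the analyzer itself send traffic into VLAN 10
monitor session 1 destination interface GigabitEthernet1/0/24 ingress untagged vlan 10
!
! --- RSPAN: source switch ---
! The RSPAN VLAN must exist, be marked remote-span, and be identical on every switch in the path
vlan 999
 name RSPAN_VLAN
 remote-span
monitor session 2 source interface GigabitEthernet1/0/5 both
monitor session 2 destination remote vlan 999
!
! --- RSPAN: destination switch (same VLAN; same session-id kept for easier bookkeeping) ---
vlan 999
 name RSPAN_VLAN
 remote-span
monitor session 2 source remote vlan 999
monitor session 2 destination interface GigabitEthernet1/0/24
!
! --- ERSPAN source (copies are routed to the analyzer over IP, so reachability is required) ---
monitor session 3 type erspan-source
 description Copy of Gi1/0/7 received traffic to the remote analyzer
 source interface GigabitEthernet1/0/7 rx
 destination
  erspan-id 100
  ip address 10.50.50.5
  origin ip address 10.1.1.1
 no shutdown
!
! Verification
show monitor session 1
show monitor session 2
show monitor session 3
```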
4.5 Configure and verify IPSLA
Tuesday, January 7, 2020
10:05 PM
 IP SLA
• Once it has been configured, the schedule for when it runs needs to be configured:
ip sla schedule operation-number [life {forever | seconds}] [start-time {[hh:mm:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
• Verify with show ip sla configuration
• Works by using SNMP traps triggered by events (for example, threshold violations)
• Violations can trigger other IP SLA operations
• ip sla responder is configured on the remote device to get more information about the network. This command can also add interface timestamps to packets
• For one-way delay measurements, both devices should sync to the same NTP server
• Round-trip delay uses a total of 4 timestamps
• IP SLA Responder
○ Provides more advanced response metrics
○ Used because some operations require a responder
○ ICMP and HTTP operations do not require a responder
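Added configuration example (not from the original notes): an ICMP echo probe and a UDP jitter probe with their schedules, a trap on an RTT threshold violation, and the responder on the far end. Addresses, operation numbers and thresholds are placeholders.

```cisco
! Constructed example: IP SLA operations, schedule, reaction trap, and responder
!
! --- Both devices: same NTP source, required for meaningful one-way delay values ---
ntp server 10.0.0.1
!
! --- Remote device: responder (needed for udp-jitter, not for icmp-echo or http) ---
ip sla responder
!
! --- Local device: operations ---
ip sla 10
 icmp-echo 10.20.20.1 source-interface GigabitEthernet0/0
 frequency 30
 timeout 1000
 threshold 200
ip sla 20
 udp-jitter 10.20.20.1 16384 source-ip 10.10.10.1 codec g711alaw
 frequency 60
!
! Schedule: start now and run indefinitely
ip sla schedule 10 life forever start-time now
ip sla schedule 20 life forever start-time now
!
! Send an SNMP trap immediately when RTT rises above 200 ms (clears when it falls below 100 ms)
ip sla reaction-configuration 10 react rtt threshold-type immediate threshold-value 200 100 action-type trapOnly
snmp-server enable traps ipsla
!
! Optional: let routing or an FHRP react to probe state via object tracking
track 1 ip sla 10 reachability
!
! Verification
show ip sla configuration
show ip sla statistics 10
show ip sla reaction-configuration 10
```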
4.6 Describe Cisco DNA Center workflows to apply network configuration, monitoring, and management
Tuesday, January 7, 2020
10:05 PM
 Cisco DNA Center
• Design
 Geography
 The network profile allows you to associate an SSID with a location
• Policy
 ISE, people, endpoints, access
 Define users and groups
 The access contract is used to create permit and deny actions like an ACL
• Provision
 Building underlay/overlay
 Cisco recommends using the IP subnet range for device discovery
 Only devices of the same type can be provisioned together
• Assurance
 Uses network time travel to view the history of client health
 Configuration
 Can provide templates
 Use template editor to create static configurations that you want to apply to all devices
 You would use a configuration that's already been validated
 You can copy and paste into the editor
 Can select the device type that you want the template applied to and software type
 Monitoring
 Network Time Travel is an application that acts like a DVR for the network: it records what is going on in the environment using streaming telemetry and can play back something that happened in the past
□ It also can show how the network is performing now, as well as use things such as sensors to provide predictive analytics on how the network will perform in the future
 The overall health of the network for wired and wireless devices can be viewed from a client perspective
 Integrates with many other tools, such as Active Directory, Identity Services Engine (ISE), ServiceNow, and Infoblox
□ This allows for searching of everything related to a user
 Management
 Can integrate third-party apps with Cisco into a single network operation to streamline workflows
 Prime is the main management software
 Can map location of devices and total inventory of devices in the network
□ maps wireless/wired routers, switches, AP, WLCs and non-Cisco devices
 Prime Infrastructure can control configuration changes as well
 Can view the current running config of all devices
 DNA Center Assurance
 Some information that can be gathered automatically:
□ Device type, OS version, MAC address, IPv4 address, VLAN ID, connectivity status, last on network, SSID, last location
4.7 Configure and verify NETCONF and RESTCONF
Tuesday, January 7, 2020
10:06 PM
 NETCONF and RESTCONF
• NETCONF
○ uses the YANG data models to communicate with the various devices on the network
○ runs over SSH, TLS, and (although not common), Simple Object Access Protocol (SOAP)
○ uses paths to describe resources, whereas SNMP uses object identifiers (OIDs)
○ Exchanges information called capabilities when the TCP connection has been made
○ NETCONF common uses:
 Collecting the status of specific fields
 Changing the configuration of specific fields
 Taking administrative actions
 Sending event notifications
 Backing up and restoring configurations
 Testing configurations before finalizing the transaction
○ Enabling NETCONF on IOS XE:
netconf-yang -------------------------------------> Enable NETCONF/YANG globally. It may take up to 90 seconds to initialize
username cisco1 privilege 15 password 0 cisco1 ---> Username/password used for NETCONF-SSH access
show platform software yang-management process --> Verify that the NETCONF/YANG processes are running
○ NETCONF uses SSH, whereas RESTCONF uses HTTP(S)
• RESTCONF
○ Used to programmatically interface with data defined in YANG models, while also using the datastore concepts defined in NETCONF
○ Supports HTTP methods: GET, POST, PUT, DELETE, OPTIONS
○ Can use JSON or XML data formats
○ NGINX acts as a proxy server when you configure RESTCONF to communicate by using HTTPS on a Cisco device
 NGINX is internally installed on a Cisco device
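Added configuration example (not from the original notes): enabling RESTCONF over HTTPS on IOS XE with local authentication and an access list on the HTTP server that fronts it. The username, secret and management subnet are placeholders.

```cisco
! Constructed example: RESTCONF over HTTPS with local auth and a management ACL
!
! Only the management network may reach the HTTP(S) server (NGINX) that fronts RESTCONF
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
! Account used for RESTCONF (HTTP basic auth) and NETCONF-SSH; scrypt (type 9) instead of password 0
username restuser privilege 15 algorithm-type scrypt secret SecretPlaceholder
!
! HTTPS server with local authentication; plain HTTP stays disabled
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Enable the northbound interfaces
restconf
netconf-yang
!
! Verification
show ip http server status
show platform software yang-management process
```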
5.1 Configure and verify device access control
Tuesday, January 7, 2020
10:06 PM
 Device line protection
 3 lines to protect: console, AUX, and VTY
 Not recommended to configure a password directly on a line
 Line configuration must be done on the line, or the line must be specified in the command statement
 A local username and password can be a backup to a AAA server
 From line configuration, password password followed by login enables password checking at login
 Verified by using those credentials on the line they were configured for

 Privilege Levels
 Privilege level 0: Includes the disable, enable, exit, help, and logout commands
 Privilege level 1: Also known as User EXEC mode. The command prompt in this mode includes a greater-than sign (R1>). From this mode it is not possible to make configuration changes. Read-only commands
 Privilege level 15: Also known as Privileged EXEC mode. This is the highest privilege level, where all CLI commands are available

 Verify by logging in to see what a user has access to, or with show privilege
 The following commands can not have their privilege level modified from level 0: disable, enable, exit, help, logout
 Password protections
 5 types of passwords
 Type 0: most insecure (plaintext)
 Type 5: uses a Cisco-improved MD5 hash. Applied by using enable secret. username secret also uses type 5 encryption
 Type 7: enabled by service password-encryption; a Cisco Vigenère cipher, better than type 0 but not type 5 (easily reversible)
 Type 8: specifies Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret; considered to be uncrackable
 Type 9: uses the scrypt hashing algorithm; considered to be uncrackable
 service password-encryption is primarily useful for keeping unauthorized individuals from viewing a password in a configuration file
 AAA
 Authentication, Authorization, Accounting
 Who are you, what do you have access to, and what did you do
 Managed by a RADIUS or TACACS+ server
 RADIUS: UDP port 1812 (authentication/authorization) & 1813 (accounting)
 Open standard
 Provides secure network access control
 Uses EAP (Extensible Authentication Protocol), which TACACS+ does not
 Returns all authorization parameters in a single reply
 Encrypts only the password
 aaa authentication enable default group radius enable ensures that if the RADIUS server is unavailable, the enable password will be used
 TACACS+: TCP port 49
 Cisco proprietary
 Used mainly for device access control
 Can separate authentication, authorization, and accounting into independent functions
 How to enable AAA
 From config: aaa new-model
tacacs server name
 address ipv4 { hostname | host-ip-address }
 key key-string
aaa group server tacacs+ group-name
 server name server-name
aaa authentication login { default | custom-list-name } method1 [ method2 . . . ]
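Added configuration example (not from the original notes) that fills in the outline above: TACACS+ for login, exec and command authorization and accounting with local fallback, type 9 (scrypt) local secrets, and SSH-only vty lines. Server name, addresses, keys and secrets are placeholders.

```cisco
! Constructed example: TACACS+ AAA with local fallback
aaa new-model
!
! Local credentials used only if the TACACS+ group is unreachable (scrypt, not type 0/7)
enable algorithm-type scrypt secret EnableSecretPlaceholder
username admin privilege 15 algorithm-type scrypt secret AdminSecretPlaceholder
!
! TACACS+ server definition and server group (TCP 49)
tacacs server ISE-1
 address ipv4 10.0.0.30
 key TacacsKeyPlaceholder
aaa group server tacacs+ GRP-TACACS
 server name ISE-1
!
! Authentication: who are you (server first, local fallback)
aaa authentication login default group GRP-TACACS local
aaa authentication enable default group GRP-TACACS enable
!
! Authorization: what do you have access to (exec shell and level-15 commands)
aaa authorization exec default group GRP-TACACS local
aaa authorization commands 15 default group GRP-TACACS local
!
! Accounting: what did you do (session start/stop and every level-15 command)
aaa accounting exec default start-stop group GRP-TACACS
aaa accounting commands 15 default start-stop group GRP-TACACS
!
! Apply to the lines; no password is configured directly on a line
line console 0
 login authentication default
line vty 0 4
 transport input ssh
 login authentication default
!
! Verification: privilege level after logging in, and the TACACS+ server state
show privilege
show tacacs
```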
5.2 Configure and verify infrastructure security features
Tuesday, January 7, 2020
10:07 PM
 ACLs
 Operation
 Sequential lists of access control entries (ACEs) that perform permit or deny packet classification, based on predefined conditional matching statements
 Can be used to provide packet classification for a variety of features, such as quality of service (QoS), Network Address Translation (NAT), or identifying networks within routing protocols
 No effect until applied to an interface
 Should be applied close to the source of the packets being filtered. Last hop before reaching the router that hosts the end device
 Standard
 Numbered (1-99 & 1300-1999), Named, Port, and VLAN
 access-list access-list-number { deny | permit } source [source-wildcard] [log]
□ Applied to an interface with ip access-group {acl-number} {in|out}
□ Applied close to the destination
 Extended
 Numbered (100-199 & 2000-2699), Named, Port, and VLAN
 access-list acl-number {deny|permit} protocol source source-wildcard destination destination-wildcard [protocol-options] [log | log-input]
 Applied close to the source
 Port

 VACL
 Filters traffic that is bridged within a VLAN or that is routed into or out of a VLAN
 How PACLs, VACLs, and RACLs are processed when configured together
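Added configuration example (not from the original notes): a standard ACL placed near the destination, an extended ACL placed near the source, and a VACL filtering traffic bridged within a VLAN, which a routed ACL would never see. Addresses, interfaces and names are placeholders.

```cisco
! Constructed example: standard ACL, extended ACL, and VACL
!
! --- Standard ACL (matches source only) applied outbound on the last hop toward the protected servers ---
access-list 10 remark Only the management subnet may reach the server segment
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
interface GigabitEthernet0/2
 ip access-group 10 out
!
! --- Extended ACL (matches protocol/src/dst/ports) applied inbound close to the user subnet ---
ip access-list extended ACL-USERS-IN
 remark Users reach the web server on 443 and the resolver on 53; other traffic to 10.2.2.0/24 is denied
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
 permit udp 10.1.1.0 0.0.0.255 host 10.2.2.53 eq domain
 deny   ip  10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log-input
 permit ip  any any
interface GigabitEthernet0/1
 ip access-group ACL-USERS-IN in
!
! --- VACL: drop one host's intra-VLAN traffic (bridged, so a RACL on the SVI would not see it) ---
ip access-list extended ACL-BLOCK-HOST
 permit ip host 10.1.1.50 any
vlan access-map VACL-VLAN10 10
 match ip address ACL-BLOCK-HOST
 action drop
vlan access-map VACL-VLAN10 20
 action forward
vlan filter VACL-VLAN10 vlan-list 10
!
! Verification: hit counters (the log keywords record denied packets) and where each ACL is applied
show ip access-lists
show ip interface GigabitEthernet0/1 | include access list
show vlan access-map
show vlan filter
```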

 CoPP theory and operation
• A control plane policing (CoPP) policy is a QoS policy that is applied to traffic destined to or sourced by the router's control plane CPU
• In a properly planned CoPP policy, network traffic is placed into various classes, based on the type of traffic (management, routing protocols, or known IP addresses)
• Implemented to limit traffic to the control plane CPU to a specific rate for each class
• The QoS police command uses conform, exceed, and violate actions, which can be configured to transmit or drop traffic
• ACLs are used to identify the traffic, class maps are used to match traffic, and policy maps determine what happens to the traffic
• The baseline of each traffic class is determined with the conform, exceed, and violate actions
• Applying and verifying:
control-plane
 service-policy input POLICY-CoP
show policy-map control-plane input
• Typical CoPP implementations use only an input policy, which allows traffic to the control plane to be policed to a desired rate, but a policy can also be applied to outbound traffic
• The CoPP policy map needs to be applied to the control plane with the command service-policy {input|output} policy-name under control plane configuration mode
• Modular QoS CLI is what allows for traffic filtering
 Class maps: classify network traffic based on L3, L4, and L7 information
 Policy maps: define a series of actions to be taken against traffic matching a class map
 Service policies: specify where a policy map should be implemented
• Main objectives
 Identify and rate-limit traffic that reaches the control plane
 Protect IOS process memory, buffers, and ingress packet queues
 Protection against DoS attacks
• Configuration
 Create an ACL to identify traffic
 Create a class map to classify traffic
 Create a policy map to define the action to take against matched traffic
 Create a service policy to enable policing on the control plane interface
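Added configuration example (not from the original notes) following the four steps above: ACL, class map, policy map with conform/exceed/violate actions, and the service policy on the control plane. Rates, addresses and names are placeholders to be baselined per platform.

```cisco
! Constructed example: CoPP built as ACL -> class map -> policy map -> control-plane service policy
!
! Step 1: ACLs identify the traffic headed for the control plane
ip access-list extended ACL-CoPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
 permit eigrp any any
ip access-list extended ACL-CoPP-MGMT
 remark Management only from the NOC subnet
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any
ip access-list extended ACL-CoPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
! Step 2: class maps match on those ACLs
class-map match-all CM-CoPP-ROUTING
 match access-group name ACL-CoPP-ROUTING
class-map match-all CM-CoPP-MGMT
 match access-group name ACL-CoPP-MGMT
class-map match-all CM-CoPP-ICMP
 match access-group name ACL-CoPP-ICMP
!
! Step 3: policy map polices each class; conform/exceed/violate decide transmit vs drop
! Routing protocols are never dropped here; ICMP and everything unclassified are capped hard
policy-map POLICY-CoPP
 class CM-CoPP-ROUTING
  police 512000 conform-action transmit exceed-action transmit violate-action transmit
 class CM-CoPP-MGMT
  police 256000 conform-action transmit exceed-action transmit violate-action drop
 class CM-CoPP-ICMP
  police 64000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop violate-action drop
!
! Step 4: attach the policy to the control plane as an input service policy
control-plane
 service-policy input POLICY-CoPP
!
! Verification: per-class conform/exceed/violate counters
show policy-map control-plane input
```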
 Management Plane Protection(MPP)
• When configured, only traffic that enters the designated management interface can be used to remotely manage the device
• Any management traffic from protocols that are not allowed by MPP will be dropped
• Management traffic received on another interface and destined for the device will be dropped
• Offers the ability to restrict the interface on which network management packets can enter the device. After enabling, no other interface can accept network management traffic destined to the device
• The management plane is the logical path for all traffic related to management of the routing platform, used to manage the device via its network connection. Protocols processed here are Telnet, SNMP, SSH, and HTTPS
 Device Hardening
• Disable topology discovery tools (CDP, LLDP)
• Disable TCP and UDP small services
• Disable IP redirect services, which are used to inform a device of a better path to the destination network
• Disable proxy Address Resolution Protocol (ARP), a technique that a router uses to answer ARP requests intended for a different router
• Disable service configuration
• Disable the Maintenance Operation Protocol (MOP) service
• Disable the packet assembler/disassembler (PAD) service
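Added configuration example (not from the original notes) that applies Management Plane Protection and the hardening items listed above on one device. Interface names are placeholders.

```cisco
! Constructed example: MPP plus the device hardening list
!
! --- MPP: only Gi0/0 may accept management sessions, and only these protocols ---
control-plane host
 management-interface GigabitEthernet0/0 allow ssh https snmp
!
! --- Global services to disable ---
no cdp run
no lldp run
no service tcp-small-servers
no service udp-small-servers
no service config
no service pad
!
! --- Per-interface items: apply to every interface, shown here for one ---
interface GigabitEthernet0/1
 no ip redirects
 no ip proxy-arp
 no mop enabled
 no cdp enable
!
! Verification: MPP state and which ports the control plane still listens on
show management-interface
show control-plane host open-ports
```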
 NGFW
• LINA and Snort are the two main engines used to detect and prevent attacks
 The LINA engine receives an incoming packet and performs checks that are related to routing and NAT
 If configured, the LINA engine will pass the packet to Snort
 Snort inspects the packet and returns a verdict of blacklisted or whitelisted
• Interfaces can be configured in one of the following modes:
 Routed
 Full LINA checks and full Snort checks are supported
 Switched
 Partial checks
 Passive
 Partial checks
 Passive(ERSPAN)
 Partial checks
 Inline Pair
 All Snort engine checks will be performed on flows
 Minimal LINA engine checks will be performed on flows
 Enables device to drop packet flows
 Inline Pair w/ tap
• No zero touch deployment
 Zone-based firewall
• Latest integrated stateful firewall technology in IOS
• Router interfaces are assigned to a specific zone, which can maintain a one-to-one or many-to-one relationship
• By default, interfaces in the same security zone can communicate freely with each other, but interfaces in different zones cannot communicate with each other
• When an interface that is not in a security zone sends traffic to an interface that is in a security zone, the traffic is dropped
• Self zone
 The self zone is a system-level zone and includes all of the router's IP addresses. By default, traffic to and from this zone is permitted to support management (for example, SSH, SNMP) and control plane (for example, EIGRP, BGP) functions
 After a policy is applied between the self zone and another security zone, interzone communication must be explicitly defined
• Default zone
 The default zone is a system-level zone, and any interface that is not a member of another security zone is placed in this zone automatically
• When configuring the zone pair, the order of the zones is significant: the first zone indicates the source zone, and the second zone indicates the destination zone
• The inspect policy map, which identifies the specified traffic, has 3 actions: drop, pass, inspect
 drop [log]: This default action silently discards packets that match the class map
 pass [log]: This action makes the router forward packets from the source zone to the destination zone
 Packets are forwarded in only one direction
 A policy must be applied for traffic to be forwarded in the opposite direction
 The pass action is useful for protocols like IPsec, Encapsulating Security Payload (ESP), and other inherently secure protocols with predictable behavior
 inspect: The inspect action offers state-based traffic control
 The router maintains connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy
• The inspect policy map has an implicit class-default that uses a default drop action
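Added configuration example (not from the original notes): a two-zone ZBFW showing all three actions (inspect, pass, drop), a zone pair involving the self zone, and the source/destination order in each zone pair. Interfaces, names, the ESP ACL and the management subnet are placeholders.

```cisco
! Constructed example: zone-based firewall with inspect, pass, drop and a self-zone policy
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! Traffic to inspect statefully: return traffic is allowed without a second policy
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Traffic to pass (stateless): ESP has no ports to track, so it is passed explicitly in each direction
ip access-list extended ACL-ESP
 permit esp any any
class-map type inspect match-all CM-ESP
 match access-group name ACL-ESP
!
! INSIDE -> OUTSIDE: class-default would drop implicitly; written out with log for visibility
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class type inspect CM-ESP
  pass
 class class-default
  drop log
!
! OUTSIDE -> INSIDE: only ESP passes; returns of inspected flows still succeed via the session table
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-ESP
  pass
 class class-default
  drop log
!
! Zone pairs: the first zone is the source, the second the destination
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
!
! Self zone: once this pair exists, only SSH and ICMP from the management subnet reach the router itself.
! No self -> INSIDE pair is configured, so the router's replies keep the self zone's default-permit behavior
ip access-list extended ACL-MGMT-TO-SELF
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any
class-map type inspect match-all CM-MGMT-TO-SELF
 match access-group name ACL-MGMT-TO-SELF
policy-map type inspect PM-IN-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  pass
 class class-default
  drop log
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect PM-IN-TO-SELF
!
! Verification
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```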
5.3 Describe REST API security
Tuesday, January 7, 2020
10:07 PM
 REST API Security
 Algorithms
 Password hashing algorithms: PBKDF2, bcrypt, and scrypt
 Classic HTTP
 A POST is used to authenticate with DNA Center by sending the username and password
 Token
 Needed for future API calls to the DNA Center controller
 Once you authenticate, you receive a token that contains a hashed string
 The token changes every time you authenticate
 If another user authenticates, they will get their own unique token for the database
 A token can be obtained by a malicious user through reverse engineering
 Can use basic auth with a username/password to get a token
 Tokens only last for a limited time
 OAuth
 Delegated authorization framework for REST APIs
 OAuth 2.0 authorization is used as a way for Internet users to grant websites or applications access to their information on other websites, but without giving them the passwords
 Uses a token for authorization
 Securing
 Use SSL/TLS
 Don't make the database structure obvious
 Should be stateless (meaning it doesn't save information from a session)
 Include brute-force protection
 Example request for creating a user:
Method: POST
URL: http://APIC-EMController/api/v1/user
Custom Headers:
Content-Type: application/json
'X-Auth-Token'
Request Body: JSON that creates the user
5.4 Configure and verify wireless security features
Tuesday, January 7, 2020
10:08 PM
 EAP variations
• Defines a set of common functions that actual authentication methods can use to authenticate users
• Supplicant: The client device that is requesting access
• Authenticator: The network device that provides access to the network (usually a wireless LAN controller [WLC])
• Authentication server (AS): The device that takes user or client credentials and permits or denies network access based on a user database and policies (usually a RADIUS server)
• When using EAP, always use the highest WPA mode that is supported on your WLC/APs/clients
• Validates the user's account against an internal or external source
• Uses a shared secret
• 802.1x will securely capture personal credentials but doesn't encrypt
• To use EAP 802.1x must be enabled on a WLC
 Extensible Authentication Protocol
• LEAP
 Does not require a certificate; instead uses RADIUS
 Cisco proprietary
• EAP-FAST
 Doesn't need a certificate. Uses Protected Access Credentials (PACs) to authenticate users
 3 phases
 Phase 0 (optional): provisioning the client with a PAC
 Phase 1: creating a secure tunnel between client and server
 Phase 2: authenticating the client
 Cisco proprietary
• EAP-TLS
 Requires a client and server certificate
 Used for point to point connections for wired and wireless links
 Performs mutual authentication to secure the authentication process
 Client and server must obtain their certificates from the same CA
• PEAP
 Requires a digital certificate to be installed on the server but not on the client
 Open standard
• EAP Chaining
 EAP-FAST includes the option of EAP chaining, which supports machine and user authentication inside a single outer TLS tunnel
 Enables machine and user authentication to be combined into a single overall authentication result
 Allows the assignment of greater privileges or posture assessments to users who connect to the network using corporate-managed devices
 WebAuth
• Uses open authentication
• Directs the client to a web page, which may just present an AUP if using HTTP, but if using HTTPS will ask for a username/password
• Configured at L3, predefined in the GUI, and uses a certificate
• Passthrough is what is used when you just have an AUP
• 2 modes: local web authentication (LWA) and central web authentication (CWA), which is done from a RADIUS server
• The preference for how a client is authenticated can be set:
○ LWA with an internal database on the WLC
○ LWA with an external database on a RADIUS or LDAP server
○ LWA with an external redirect after authentication
○ LWA with an external splash page redirect, using an internal database on the WLC
○ LWA with passthrough, requiring user acknowledgement
 PSK
• Matching string on endpoint & AP
• No way to track identity, because everyone has the same access credentials
• Time-consuming to change
• Configured from the GUI with the SSID and the PSK that users will use to gain access; it must be enabled or the key won't be active
 WEP, WPA, WPA2, WPA3
• All WPA methods use one of 2 methods for client authentication: PSK or 802.1X (personal mode & enterprise mode)
• Personal mode uses a PSK
• In WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP
• WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE)
• WPA3-Personal offers forward secrecy, which prevents attackers from being able to use a key to decrypt data that has already been transmitted over the air
• WPA2 supports 256 bit encryption
• WEP supports 128 bit encryption
• WPA2 uses AES-CCMP for encryption
 802.11w
• Provides management frame protection (MFP) in a WLAN. MFP prevents spoofing of the connections between an AP and a wireless client
 802.11i
• Defines AES which is fully used by WPA2
5.5 Describe the components of network security design
Tuesday, January 7, 2020
10:08 PM
 Components (theory only)
 Cisco SAFE
 Protects these places in the network (PINs): branch, campus, data center, edge, cloud, WAN
□ These areas are secured using the following concepts: management, security intelligence, compliance, segmentation, threat defense, and secure services
□ PINs not needed/used in the current network infrastructure can be removed
 Cisco SAFE is a security architectural framework that helps design secure solutions
 Provides visibility through network traffic telemetry, file reputation, and contextual information (such as device types, locations, users, identities, roles, privilege levels, login status, posture status, and so on)
 Cisco AMP
 Malware analysis and protection solution that goes beyond point-in-time detection and provides comprehensive protection for organizations across the full attack continuum: before, during, and after an attack
 The most important component of the AMP architecture is AMP Cloud, which contains the database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions
 The file disposition in the AMP Cloud can change based on data received from Talos or Threat Grid
 The architecture of AMP can be broken down into the following components:
□ AMP Cloud (private or public): the most important part. Contains the database of files and their reputations (malware, clean, unknown, and custom), also referred to as file dispositions. The file disposition in the AMP Cloud can change based on data received from Talos or Threat Grid. The AMP Cloud performs decision making in real time
□ AMP connectors: remain lightweight by sending a hash to the cloud and allowing the cloud to make the intelligent decisions and return a verdict (about reputation or file disposition) of clean, malicious, or unknown
 Supported by endpoints as well as network devices like NGFW, ISRs, email, web, and Meraki
 Cisco AnyConnect
 More than just a VPN; offers enhanced security through built-in modules like VPN Posture (HostScan) and ISE Posture
 Assesses an endpoint's compliance for things like antivirus, antispyware, and firewall software installed on the host. If an endpoint is found to be noncompliant, network access can be restricted until the endpoint is in compliance
 Includes web security through Cisco Cloud Web Security, network visibility into endpoint flows within Stealthwatch, and roaming protection with Cisco Umbrella
 Cisco Umbrella
 Provides the first line of defense against threats on the Internet by blocking requests to malicious Internet destinations (domains, IPs, URLs) using the Domain Name System (DNS) before an IP connection is established or a file is downloaded
 All devices forward their DNS requests to Umbrella's global network
 Cisco Web Security Appliance
 All-in-one web gateway to block hidden malware
 Leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid, which allows it to stay one step ahead of the evolving threat landscape to prevent the latest exploits from infiltrating the network

 Cisco Talos
 Cisco threat intelligence organization
 tracks threats across endpoints, networks, cloud environments, the web, and email
 detects, analyzes, and protects against both known and emerging threats for Cisco products
 Cisco Email Security Appliance
 Detect, block, and remediate threats across the attack continuum
 Global threat intelligence: It leverages real-time threat intelligence from Cisco Talos and Cisco AMP Threat Grid.
 Cisco Advanced Phishing Protection (CAPP): CAPP combines Cisco Talos threat intelligence with local email intelligence and advanced machine learning techniques to model trusted email behavior on the Internet, within organizations, and between individuals. It uses this intelligence to stop identity deception-based attacks such as fraudulent senders, social engineering, and BEC attacks
 Threat Grid
 Can perform static (checking filenames, MD5 checksums, file types) and dynamic (behavioral) file analysis
 Gets threat intelligence feeds from Talos to better identify threats
 Threat Grid is available as an appliance and in the cloud, and it is also integrated into existing Cisco security products and third-party solutions.
 Sandbox solution
 Firepower NGFW
 URL filtering and application layer inspection
 Stateful inspection and integrated intrusion prevention
 Advanced malware detection
 ability to leverage external security intelligence to address evolving security threats
 Available as hardware and software
 Firepower NGIPS
 Real-time contextual awareness, advanced threat protection, intelligent security automation, performance & scalability, application visibility and control (AVC), and URL filtering
 Automates protection policy updates
 Quickly identifies users affected by client-side attacks
 Can be a virtual or physical device
□ Firepower series appliances, Firepower Threat Defense (FTD) for ISR, NGIPS Virtual (NGIPSv)
 Firepower integrates with Cisco Talos for up-to-the-minute IPS signature updates and URL filtering
 can be deployed as active/standby and intra-chassis clustering
 Can integrate with ISE to quarantine, unquarantine, and shutdown(the compromised port the endpoint is connected to) hosts
 Firepower Management Center
 single pane of glass for event collection and policy management
 can use Cisco ISE to apply remediation on compromised hosts: quarantine, unquarantine, and shutdown
 Cisco StealthWatch Enterprise
 2 types: Enterprise and Cloud
 At the core of Stealthwatch Enterprise are the Flow Rate License, the Flow Collector, the Management Console, and the Flow Sensor
 Required components for Enterprise:
□ Flow Rate License: required for the collection, management, and analysis of flow telemetry data; it aggregates flows at the Stealthwatch Management Console and defines the volume of flows that can be collected
□ Flow Collector: collects and analyzes enterprise telemetry data such as NetFlow, IP Flow Information Export (IPFIX), and other types of flow data from routers, switches, firewalls, endpoints, and other network devices. The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics). It can also pinpoint malicious patterns in encrypted traffic using Encrypted Traffic Analytics (ETA) without having to decrypt it, to identify threats and accelerate response. Available as a hardware appliance and as a virtual machine
□ Stealthwatch Management Console (SMC): the control center for Stealthwatch. It aggregates, organizes, and presents analysis from up to 25 Flow Collectors, Cisco ISE, and other sources. It offers a powerful yet simple-to-use web console that provides graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis. Available as a hardware appliance or a virtual machine
 Cisco ISE
 Security policy management platform that provides highly secure network access control (NAC) to users and devices across wired, wireless, and VPN connections
 Allows for visibility into what is happening in the network, such as who is connected (endpoints, users, and devices) and which applications are installed and running on endpoints (for posture assessment)
 Cisco ISE is the central pxGrid controller (also referred to as the pxGrid server), and all Cisco and third-party security platforms (referred to as pxGrid nodes) interface with it to publish, subscribe to, and query contextual information
pxGrid 1.0: Released with ISE 1.3 and based on Extensible Messaging and Presence Protocol (XMPP)
pxGrid 2.0: Uses WebSocket and the REST API over Simple Text Oriented Message Protocol (STOMP) 1.2
 TrustSec
 Next-generation access control enforcement solution
 Performs network enforcement by using Security Group Tags (SGTs) instead of IP addresses and ports
 SGT tags represent the context of the user, device, use case, or function
Configuration done in 3 phases: ingress classification, propagation, egress enforcement
□ Ingress classification is the process of assigning SGT tags to users, endpoints, or other resources (static or dynamic)
□ Propagation is the process of communicating the mappings to the TrustSec network devices that will enforce policy based on SGT tags (inline tagging or SXP propagation)
□ After the SGT tags have been assigned (classification) and are being transmitted across the network (propagation), policies can be enforced at the egress
point of the TrustSec network.
 MACSec
Security Page 86
 802.1AE standards-based Layer 2 link encryption technology used by TrustSec to encrypt Security Group Tag (SGT) frames on Layer 2 links between switches and between switches and endpoints
 Only encrypts traffic destined to other MACsec enabled devices
Security Association Protocol (SAP): This is a proprietary Cisco keying protocol used between Cisco switches.
MACsec Key Agreement (MKA) protocol: MKA provides the required session keys and manages the required encryption keys. The 802.1AE encryption with MKA is supported between endpoints and the switch as well as between switches.
 Downlink MACsec is the term used to describe the encrypted link between an endpoint and a switch
 Uplink MACsec is the term for encrypting a link between switches with 802.1AE
 802.1X
 Port-based network access control
 L2 authentication
 MAB
 network access control technique that enables port-based access control
 typically used as a fallback mechanism to 802.1x
 MAB-authenticated endpoints should be given very restricted access and should only be allowed to communicate with the networks and services that the endpoints are required to speak to
 MAC Authentication Bypass must wait until 802.1X times out before attempting network access. By default, this timeout is 90 seconds on a Cisco Catalyst switch
□ Setting the timer interval too low can result in 802.1X being bypassed unnecessarily.
 WebAuth
 network access control technique that enables access control by presenting a guest web portal requesting a username and password
 typically used as a fallback mechanism to 802.1x and MAB
 Local and centralized web authentication with ISE
 Endpoint Security
 Talos tracks threats across endpoints
 Threat Grid can test and analyze suspicious files before they ever touch an end device
 Cisco Identity-Based Networking Services (IBNS) 2.0
 Integrated solution that offers authentication, access control, and user policy enforcement with a common end-to-end access policy that applies to both wired and wireless networks
 Combination of Enhanced FlexAuth (Access Session Manager), Cisco Common Classification Policy Language (C3PL), and ISE
6.1 Interpret basic Python components and scripts
Tuesday, January 7, 2020
10:09 PM
• Basic Python theory
○ Simple and easy for humans to read, like XML and YAML
○ Scripts are interpreted at run-time by a python interpreter
○ A string is simply one or more alphanumeric characters
○ Three quotation marks in a row (triple quotes) begin and end a multi-line string
○ To use a different Python version, run the interpreter as python x.x, where x.x is the major.minor version number (e.g. python3.8); anything more than two digits is too specific
○ Variables
 x = "value" (the variable name goes on the left of the =, the value on the right)
 Can be stored in one place and used multiple times
 Collect info from user or database and use it throughout script
○ Uses dictionaries and lists to store variables to use later or to store gathered data
○ The print() function must be used to display data
○ Data Types
 Natively recognizes string, integer, boolean (True/False), and collections (lists and dictionaries) as values
○ Lists and Dictionaries
 A list is an ordered collection of unnamed items. A dictionary is an unordered collection of named (keyed) items stored in key/value pairs
□ Items in a list are indexed from 0, where 0 is the first item and -1 is the last
 A tuple is like a list but the information in it can't be changed once it's been set
□ Dictionary example:
dnac = {"host": "sandboxdnac.cisco.com", "port": 443, "username": "devnetuser", "password": "Cisco123!"}
 A dictionary is an unordered set of name/value pairs enclosed in curly brackets
○ Python also uses if/then (conditional) statements
 If "this", then do that. If "not this", then do (or don't do) that
 A conditional statement is one where something only takes place if the right conditions are met
 Commonly used in loops, which repeat a block of statements. The loop continues as long as the condition is met; with a for statement, the block runs once for each item: for x in something (a list or dictionary): do this
○ Modules
 Modules help Python understand what it is capable of
 Modules can be imported to expand the functionality of Python or to import something from a previous script
 Some modules are used for advanced math functions and some can be used when automating networks
○ Functions
 Functions are blocks of code that are built to perform specific actions.
 Some functions are built into Python and do not have to be created. A great example of this is the print function, which can be used to print data to a terminal screen.
○ Classes
 Your own custom data type
 Describes how an object is created; a sort of blueprint
 Can represent complex objects or ideas
 The state = properties/variables of the class and the behavior = the methods/functions
○ File modes: the "r" mode opens a file in read-only mode. There is no "rw" mode. The "w" mode opens the file in write mode, which will overwrite any existing values when you write a new value. The "a" mode is the append mode, which lets you add values to a file without overwriting any existing values.
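An added example (not from the original notes) that puts the pieces listed above to work on the dnac dictionary from the page: the Controller class, the redact helper and the scratch file are my own, and the sandbox credentials are the notes' placeholder values.

```python
# Added example (not from the original notes): the Python building blocks the
# notes list, applied to the dnac dictionary from the page.
import os
import tempfile

# The dictionary from the notes (sandbox placeholder credentials; real
# passwords belong in a vault or an environment variable, not in the script).
dnac = {"host": "sandboxdnac.cisco.com", "port": 443, "username": "devnetuser",
        "password": "Cisco123!"}


class Controller:
    """A class is a blueprint: state lives in attributes, behaviour in methods."""

    def __init__(self, settings):
        self.host = settings["host"]          # dictionary lookup by key
        self.port = settings["port"]
        self.username = settings["username"]

    def base_url(self):
        return f"https://{self.host}:{self.port}"


def redact(settings):
    """Return a copy that is safe to print or log: the password is masked."""
    safe = dict(settings)                     # copy, the original is untouched
    if "password" in safe:
        safe["password"] = "********"
    return safe


def first_and_last(items):
    """Index 0 is the first item of a list, index -1 the last."""
    return items[0], items[-1]


def tuple_is_immutable(fixed):
    """A tuple cannot be changed once set; item assignment raises TypeError."""
    try:
        fixed[0] = "changed"
    except TypeError:
        return True
    return False


def file_modes_demo(lines):
    """'w' overwrites, 'a' appends, 'r' reads back; returns the lines read."""
    fd, path = tempfile.mkstemp(suffix=".log")   # hypothetical scratch file
    os.close(fd)
    try:
        with open(path, "w") as f:            # write mode starts the file empty
            f.write(lines[0] + "\n")
        for line in lines[1:]:
            with open(path, "a") as f:        # append keeps the earlier values
                f.write(line + "\n")
        with open(path, "r") as f:            # read-only
            return [l.rstrip("\n") for l in f]
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name in ["edge-sw1", "dist-sw1", "core-rtr1"]:   # for loop over a list
        print(name)
    print(Controller(dnac).base_url())
    print(redact(dnac))                       # password shows as ********
```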
6.2 Construct valid JSON encoded file
Tuesday, January 7, 2020
10:10 PM
 A JSON Object is an unordered set of name/value pairs enclosed in curly brackets
 Create JSON file
 Basic syntax
 Easy to read whether it's indented or not
 Stores data in key/value pairs like a Python dictionary
 Each object starts with a { and ends with a }
{
"user": "root",
"father": "Jason",
"mother": "Jamie",
"friend": "Luke"
}
 Array [] = Python list; Object {} = Python dictionary
 Key value pairs are separated by a colon
 Values can use all JSON data types
 A string, a number, an object (a nested JSON object), an array, a boolean, or null; multiple values are separated by commas
 Compare to XML
 An XML Attribute gives more detail about an element and must appear in quotes. A Comment provides documentation within a file. A Declaration is the optional first line in an XML document that contains version and encoding information. A Tag is a string of text inside the < and > signs.
 JSON is easier to work with
 XML uses tags to provide separation of information
 JSON Web Token(JWT)
□ The signature is computed over the Base64URL-encoded forms of the other two components (header and payload)
□ The JWT header is used to enable secure transmission of JSON-formatted information between two parties
□ The JWT payload component contains registered claims, public claims, and private claims
□ A JWT is comprised of a header, payload, and signature, separated by delimiters (periods), so the delimiters do not contain data
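As an added example (not part of the notes), the JSON-to-Python mapping and the three JWT components described above put to work: a token is built with HS256 over the Base64URL-encoded header and payload, then split, decoded and verified. The SECRET key and the sample claims are constructed for this demo.

```python
# Added example (not from the original notes): build a JSON object, then
# assemble and verify a JWT's header.payload.signature structure by hand.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; real keys come from a vault


def b64url_encode(data):
    """Base64URL without '=' padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Restore the padding Base64URL strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload, secret=SECRET):
    """header.payload.signature; the signature covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    # json.dumps turns a Python dict into a JSON object (dict -> object)
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"


def verify_jwt(token, secret=SECRET):
    """Return the payload dict if the signature checks out, else None."""
    parts = token.split(".")              # the '.' delimiters carry no data
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Only accept the algorithm we expect; never let the token choose 'alg'
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))   # object -> dict, null -> None


# Constructed sample claims: registered (sub, exp), public and private claims,
# covering string, number, boolean, array and null values
CLAIMS = {"sub": "devnetuser", "exp": 1893456000, "role": "netops",
          "mfa": True, "groups": ["noc", "automation"], "pin": None}

if __name__ == "__main__":
    token = make_jwt(CLAIMS)
    print(token)
    print(verify_jwt(token))
```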
6.3 Describe the high-level principles and benefits of a data modeling language, such as YANG
Tuesday, January 7, 2020
10:10 PM
 YANG theory (relate to NETCONF and RESTCONF)
• Uses Leaf and container structure
○ A Leaf represents an attribute of something being modeled. A Container has Read-Write or Read-Only privileges and contains one or more lists, which represent something (e.g. a router interface) that's being modeled
• YANG data models are an alternative to SNMP MIBs and are becoming the standard for data definition languages
• Uses a tree structure and the models inside it are similar to XML format
• The tree structure represents how to reach a specific element of the model, and the elements can be either configurable or not configurable.
• Every element has a defined type. For example, an interface can be configured to be on or off. However, the operational interface state cannot be changed; for example, if the options are only up or down, it is either up or down, and nothing else is possible.
• YANG models make a clear distinction between configuration data and state information.
• YANG data models are harder for humans to read compared to CLI output
• YANG doesn't scrape output from the CLI and it eliminates the need to do so
• NETCONF
○ YANG is used to communicate with different devices on the network
○ Code example
list interface {
    key "name";
    leaf name {
        type string;          // configurable; also the list key
    }
    leaf speed {
        type enumeration {    // only these values are valid for speed
            enum 10m;
            enum 100m;
            enum auto;
        }
    }
    leaf observed-speed {
        type uint32;
        config false;         // state data: read-only, not configurable
    }
}
(Figure) Dotted lines are devices talking directly back to the management apps; solid lines are the NETCONF protocol between the management apps and the devices.
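An added example (my own, not from the notes or any Cisco tool) that validates instance data against the interface list above: it enforces the string key, the speed enumeration, the uint32 range, and the configuration/state split that config false marks. The MODEL dictionary hand-encodes the YANG shown on the page; the sample payloads are constructed.

```python
# Added example (not from the original notes): check interface entries against
# a hand-encoded copy of the YANG 'list interface' from the page.
MODEL = {
    "key": "name",
    "leaves": {
        "name": {"type": "string", "config": True},
        "speed": {"type": "enumeration", "enums": {"10m", "100m", "auto"},
                  "config": True},
        "observed-speed": {"type": "uint32", "config": False},  # state only
    },
}


def check_leaf(name, value, spec):
    """Return None if value fits the leaf's YANG type, else an error string."""
    t = spec["type"]
    if t == "string" and not isinstance(value, str):
        return f"{name}: expected string"
    if t == "enumeration" and value not in spec["enums"]:
        return f"{name}: '{value}' not in {sorted(spec['enums'])}"
    if t == "uint32" and not (isinstance(value, int) and not isinstance(value, bool)
                              and 0 <= value <= 0xFFFFFFFF):
        return f"{name}: expected uint32"
    return None


def validate_interfaces(entries, config=True, model=MODEL):
    """Validate a list of interface entries. config=True means a configuration
    payload, so 'config false' leaves (operational state) are rejected."""
    errors = []
    seen = set()
    for idx, entry in enumerate(entries):
        key = entry.get(model["key"])
        if key is None:
            errors.append(f"entry {idx}: missing key '{model['key']}'")
        elif key in seen:
            errors.append(f"entry {idx}: duplicate key '{key}'")
        else:
            seen.add(key)
        for leaf, value in entry.items():
            spec = model["leaves"].get(leaf)
            if spec is None:
                errors.append(f"entry {idx}: unknown leaf '{leaf}'")
                continue
            if config and not spec["config"]:
                errors.append(f"entry {idx}: '{leaf}' is state data (config false)")
                continue
            err = check_leaf(leaf, value, spec)
            if err:
                errors.append(f"entry {idx}: {err}")
    return errors


# Constructed sample payloads, as a NETCONF/RESTCONF client might send or receive
CONFIG_OK = [{"name": "Gi1/0/1", "speed": "auto"}, {"name": "Gi1/0/2", "speed": "100m"}]
CONFIG_BAD = [{"name": "Gi1/0/1", "speed": "1g"},            # not in the enumeration
              {"name": "Gi1/0/1", "observed-speed": 100}]    # duplicate key, state leaf
STATE_OK = [{"name": "Gi1/0/1", "speed": "auto", "observed-speed": 1000}]

if __name__ == "__main__":
    print(validate_interfaces(CONFIG_OK))          # []
    for problem in validate_interfaces(CONFIG_BAD):
        print(problem)
```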
• RESTCONF
○ Programmatically interfaces with data defined in YANG models while also using the datastore concepts defined in NETCONF.
○ The goal of RESTCONF is to provide a RESTful API experience while still leveraging the device abstraction capabilities provided by NETCONF
○ Supports HTTP methods (GET, POST, PUT, DELETE, OPTIONS) and CRUD (CREATE, READ, UPDATE, DELETE)
○ RESTCONF requests and responses can use either JSON or XML structured data formats
6.4 Describe APIs for Cisco DNA Center and vManage
Tuesday, January 7, 2020
10:10 PM
APIs (Application Programming Interfaces) for DNA Center and vManage
• Northbound API
○ Northbound APIs are often used to communicate from a network controller to its management software.
○ DNA Center uses a GUI to manage the network controller
○ Should use TLS for encryption; most APIs support encryption
• Southbound API
○ Pushes changes to network devices
○ APIs interact with the components of a network through the use of a programmatic interface.
• REST API
○ RESTful APIs use HTTP methods to gather and manipulate data.
• Postman
○ Application that makes it possible to interact with APIs using a console-based approach
○ Allows various data types and formats to interact with REST-based APIs
○ In the builder portion of Postman there are 4 important sections to remember
 History
□ Shows a list of all the recent API calls made using Postman
□ The entire history can be cleared at any time, or just individual API calls
 Collections
□ Groups that APIs can be stored in
□ These groups are specific to a structure that fits the user's needs
□ Saving calls in a collection helps during testing so that APIs can be easily found and sorted
□ Collections can also be favorited by clicking the star next to them
 New Tab
□ Each tab can have its own API call and parameters that are completely independent of any other tab.
□ Each tab has its own URL bar to be able to use a specific API.
 URL Bar
□ Each API call in a RESTful API maps to an individual URL for a particular function.
□ Every configuration change or poll to retrieve data that a user makes in a REST API has a unique URL, whether it is a GET, POST, PUT, PATCH, or DELETE function
• Cisco vManage APIs
○ Use Postman to interact programmatically with the APIs
○ URL bar must have the API call to target the Authentication API
○ HTTP POST operation is used to send the username and password to Cisco vManage
6.5 Interpret REST API response codes and results in payload using Cisco DNA Center and RESTCONF
Tuesday, January 7, 2020
10:11 PM
 REST API Response Codes
 Informational responses (100–199)
 Successful responses (200–299)
 Redirects (300–399)
 Client errors (400–499)
 Server errors (500–599)

• Error code 501 (Not Implemented) indicates the server does not have the functionality to complete the request
• Error code 500 (Internal Server Error): the server encountered an unexpected condition and is unable to fulfill the request
• Error code 405 (Method Not Allowed): the request method is known by the server but is not supported by the target resource
6.6 Construct EEM applet to automate configuration, troubleshooting, or data collection
Tuesday, January 7, 2020
10:11 PM
 EEM - Embedded Event Manager
• Allows engineers to build software applets that can automate many tasks.
• Scripts can automatically execute, based on the output of an action or an event on a device.
• One of the main benefits of EEM is that it is all contained within the local device.
 Applet
 Composed of multiple building blocks; two of the primary ones are events and actions
 Can match CLI patterns (the typed command) to trigger an event
 Uses a type of if-then logic for decision making

 The enable and configure terminal commands must be included at the beginning of the CLI actions within an applet
 The applet assumes the user is in exec mode. If AAA is used, it is important to include the event manager session cli username username command; otherwise, the CLI commands in the applet will fail.
 When sync no is applied, output will appear in the syslog; with sync yes, output will appear
 Script
 An applet can be manually triggered, which will then run a Tcl script that was stored in flash
 Use the command event manager run applet-name to manually trigger the applet

6.7 Compare agent vs. agentless orchestration tools, such as Chef, Puppet, Ansible, and SaltStack
Tuesday, January 7, 2020
10:11 PM
• Automation tools
• Agent has to have software on the target device while agentless does not
• Configuration management tools function in two different types of models: push and pull.
○ Push models push configuration from a centralized tool or management server to clients
○ Pull models check in with the server to see if there is any change in the configuration, and if there is, the remote devices pull the updated
configuration files down to the end device.
○ Chef
 Does not use SSH
 Agent based; uses Ruby and a pull model
 4 types of deployment
□ Chef solo - Chef server is hosted locally on the workstation.
□ Chef client and server - typical Chef deployment with distributed components.
□ Hosted chef - Chef server is hosted in the cloud.
□ Private chef - All Chef components are within the same enterprise network.

 knife is the name of the command-line tool used to upload cookbooks to the Chef server: knife upload cookbookname
 With Chef, the kitchen is a place where all recipes and cookbooks can automatically be executed and tested prior to hitting any production nodes.
○ Puppet
 Agent based and uses Ruby
 Supported on Catalyst, Nexus, and UCS
 Puppet master(server) puppet agent(client)
 Changes and tasks are stored in the Puppet database, which can be located on the same Puppet master server or on a separate box
 Puppet allows for the management and configuration of multiple device types at the same time. From a basic operation perspective, Puppet agents communicate with the Puppet master by using different TCP connections.
 3 different installation types
□ Monolithic: supports up to 4000 nodes; the typical install
□ Monolithic with compile masters: 4000 to 20,000 nodes
□ Monolithic with compile masters and standalone PE-PostgreSQL: more than 20,000 nodes
 Puppet modules allow for the configuration of practically anything that can be configured manually. Modules contain the following:
□ Manifests
 The code that configures the clients or nodes running the Puppet agent.
 Pushed to the devices using SSL; certificates must be installed to ensure the security of the communications between the Puppet master and the Puppet agents.
□ Templates
□ Files

 Puppet Bolt is the agentless version
□ Open source and uses Ruby; connects over SSH or WinRM
□ Orchestrator-driven tasks: can leverage the Puppet architecture to use services to connect to devices. This design is meant for large-scale environments.
□ Standalone tasks: connect directly to devices or nodes to execute tasks and do not require any Puppet environment or components to be set up in order to realize the benefits and value of Puppet Bolt.
○ Saltstack
 Agent based, built on Python
 A user can program directly against SaltStack by using Python code. Most of the instructions or states that get sent out to the nodes are written in YAML or a DSL (domain-specific language).
□ Called salt formulas
□ Formulas can be modified but are designed to work out of the box
 Uses the concept of masters and minions
 Can run remote commands on systems in parallel, which allows for very fast performance
 Leverages a distributed messaging platform called 0MQ (ZeroMQ) for fast, reliable messaging throughout the networking stack
 Event-driven technology with components called reactors and beacons. A reactor lives on the master and listens for any type of change in the node or device that differs from the desired state or configuration:
□ CLI configuration
□ Disk/memory/processor utilization
□ Status of services
 Beacons live on minions
□ If a configuration changes on a node, a beacon notifies the reactor on the master. This process, called the remote execution system, helps determine whether the configuration is in the appropriate state on the minions. These actions are called jobs, and the executed jobs can be stored in an external database for future review or reuse.
 Pillars and grains
□ Grains are run on the minions to gather system information to report back to the master. This information is typically gathered by the salt-minion daemon.
□ Pillars, on the other hand, store data that a minion can retrieve from the master. Pillars can also have certain minions assigned to them, and other minions that are not assigned to a specific pillar would not have access to that data.
 SaltStack command structure contains targets, commands, and arguments.
 SaltStack SSH (Server-Only Mode)
□ Salt SSH allows users to run Salt commands without having to install a minion on the remote device or node
□ Salt SSH connects to a remote system and installs a lightweight version of SaltStack in a temporary directory; it can then optionally delete the temporary directory and all files upon completion, leaving the remote system clean
□ Can work in conjunction with the master/minion environment, or it can be used completely agentless across the environment
○ Ansible
 Agentless
 Uses SSH for most devices and can use Windows Remote Management (WinRM)
 Doesn't need an administrative account on the client. It can use built-in authorization escalation such as sudo when it needs to raise the level of administrative control.
 All requests are sent from a control station, which could be a laptop or server. The control station runs Ansible, issues changes, and sends requests to the remote hosts.
 PPDIOO (Prepare, Plan, Design, Implement, Observe, Optimize) lifecycle
 Uses playbooks to deploy configuration changes or retrieve information from hosts within a network. An Ansible playbook is a structured set of instructions
 Playbooks are written in YAML

 Commands
□ ansible - runs modules against targeted hosts
□ ansible-playbook - runs playbooks
□ ansible-doc - provides documentation on module syntax and parameters in the CLI
□ ansible-pull - changes Ansible clients from the default push model to the pull model
□ ansible-vault - encrypts YAML files that contain sensitive data
 Operates on Linux, UNIX-like systems, and Windows