Now that I have made it through all of the videos, it is time to go through all the labs to force myself to remember the commands that were reviewed in the training.

As I know that I will not be able to remember all the commands, I am going to put some rules in place to make sure that I am forced to research the commands and not just read the commands and blindly enter them.

  1. I cannot use the lab answers
  2. I have to use the CLI help first
  3. Google the answer as the next step
  4. Read the notes taken from the videos on this blog

  • Lab 11 – Device Function
    • Verify interfaces
      • show ip int brief
    • Find MAC address
      • show int [interface]
    • Verify connectivity
      • ping [IP address]
        • This works for the lab, but depending on the real-life setup pings can be misleading, as ICMP is not always allowed.
    • Show dynamically learned MAC address on switch between routers
      • show mac-address-table
    • Clear mac address table
      • #clear mac-address-table
    • Do you see MAC address after clearing, why or why not?
      • If you do a show quickly the table will be clear, but it is populated again quite quickly as the devices (routers) are constantly talking, which re-populates the table.
    • Show routes
      • show ip route
    • Configure IP address on interface
      • conf t
      • int [interface]
      • ip address [ip address] [subnet]
      • no shutdown
        • I tend to forget this one; I will have to make a mental note to turn it on.
    • Configure static route
      • conf t
      • ip route [destination network] [subnet mask] [next-hop IP address]
        • Example – ip route 10.10.30.0 255.255.255.0 10.10.10.2
  • Lab 12 – Life of a Packet
    • Configure DNS server
      • conf t
      • ip name-server [IP address]
        • So after I had completed it and tested that it worked, I went through the answer guide to ensure that I hadn’t missed anything. They had the command ip domain-lookup.
          • Doing some research, I found that this is on by default, but many people use the “no ip domain-lookup” command because if you mistype a command the device will attempt to reach out to DNS to try to resolve the mistyped text.
          • Another tip given here by Peter Paluch: https://community.cisco.com/t5/switching/no-ip-domain-lookup/td-p/2705168
            • What could be considered a more proper way of doing things, however, is this: Have the DNS server configured using the ip name-server command, and at the same time, on all lines (con 0, aux 0, vty 0 15), deactivate the automatic action of telnetting into all “words” that look like hostnames
            • I am not sure if this “transport preferred” command is in Packet Tracer, but it did not show up in my tests.
    • View ARP cache
      • show arp
  • Section 13 – Troubleshooting Methodology
    • This lab didn’t have real right/wrong steps, but started with: Troubleshoot Connectivity to DNS Server
      • Steps I took
        • Ping DNS server, failed
        • Pinged gateway, success
        • Traceroute to DNS server, reached gateway but no other hops.
        • Checked the gateway router with “ip int brief” and found an interface down
        • Performed “no shut” on the interface and tested with ping, success
        • Tested ping to another device by name, failed: unrecognized host/address/protocol on IP address 10.10.10.1
          • IP address incorrect
          • Added the correct address
          • Tried again and it still went to the same 10.10.10.1
          • Removed 10.10.10.1
          • Tried ping by name and reached 10.10.10.10
          • Still did not work
          • Checked DNS server and DNS service was off
          • Turned on DNS server
          • Test and had success
    • At first it bothered me to be tested on the DNS server being off, but it is a great reminder that networks can be perfectly set up while services make it appear that it is the network that is not working correctly. I have found this many times while supporting the Symantec/Bluecoat ProxySG. You must look at all aspects of the network, not just the devices that you are responsible for.
  • Lab 14 – Router and Switch Basics
    • Router and Switch initial Configuration
      • Change hostname
        • conf t
        • hostname [name]
      • Set IP address on interface
        • conf t
        • int [interface#]
        • ip address [ip address] [subnet]
        • no shut
      • Set management IP on switch
        • After trying to assign an interface an IP address, I had to look this one up, as I was quite sure it was not the vty line…
          • So the first search took me to a Cisco for Dummies page, kind of funny: https://www.dummies.com/programming/networking/cisco/cisco-networking-switch-management-interface-configuration/
          • So the first thing it reminded me of: switch ports cannot have an IP address assigned to them; the IP address needs to be assigned to the VLAN
        • conf t
        • int vlan 1
          • VLAN 1 is the default VLAN
        • ip address [ip address] [subnet]
          • Tested ping from another device and it did not work
          • Did a “do show ip int brief” and found that I had forgotten the “no shut” command
        • no shut
          • Working
      • Default gateway
        • ip default-gateway [ip address]
      • Add description for interface
        • conf t
        • int [interface]
        • description [text]
          • I made the mistake of putting the description on the VLAN as that is what I had configured for the mgmt interface.
      • Verify the speed of the interface
        • show int [interface]
      • Manually configure interface
        • conf t
        • int [interface]
        • duplex full
          • This brought the link down; I set the duplex on the router interface it was connected to so that it matched, and everything came back online
        • speed [speed]
      • What version of IOS on switch
        • show version
    • CDP (Cisco Discovery Protocol) Configuration
      • Verify neighbors
        • show cdp neighbors
      • Disable CDP to one router on switch
        • (config-if)#no cdp enable
      • Clear CDP cache
        • This was a little bit of a cheat, since the lab exercise gave me the answer in the steps
        • (config)#no cdp run
        • (config)#cdp run
  • Lab 15 – Device Management
    • Factory Reset 
      • Display running config
        • show run
      • Factory reset router and reboot
        • erase startup-config
          • The lab had the command “write erase” which does the same thing.
        • reload
          • I had to google this one as I missed the command in help…
    • Password Recovery
      • Set enable secret password
        • (config)#enable secret [password]
      • Boot into the rommon prompt
        • Another one that I had to look up; this page talks about the TFTP server and ROMmon:
          • https://www.sysnettechsolutions.com/en/recover-cisco-router-ios-using-rommon-mode-in-cisco-packet-tracer/
          • List of all the config-register codes: https://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/50421-config-register-use.html
        • (config)#config-register 0x2100
        • #reload
          • The lab had a step doing a “copy run start”, but I did not complete this as it was not asked for; will see if it is necessary to recover the password
          • Also, they used 0x2120 as opposed to the 0x2100 that I used.
            • It appears that the 0 at the end is the important designator that causes the device to boot into ROMmon, but it also appears that 0x2120 sets the console speed to 19200, where I believe 0x2100 stays at 9600
      • Ignore the startup-config when booting
        • rommon > confreg 0x2142
        • rommon > reset
      • Exit wizard – copy start-config to running-config
        • copy start run
          • So when I was doing the lab I did “copy run start”, which copied everything over, broke the lab and basically set the device back to factory default
      • Remove password
        • (config)#no enable secret
      • Set the router to boot normally
        • (config)#config-register 0x2102
        • #copy run start
        • #reload
    • Configuration Backup
      • Backup running config to flash
        • copy run flash:
        • show flash
      • Backup startup config to tftp
        • copy start tftp:
        • Enter IP of TFTP server
    • IOS System Image Backup and Recovery
      • Backup the IOS system images
        • #copy flash: tftp
        • Enter source filename
        • Enter tftp address
        • Enter destination filename wanted
      • Delete system image and reload it.
        • del [filename]
        • confirm name
        • confirm deletion
        • copy tftp flash
          • enter tftp address
          • tftp file name
          • name that it should be called when it is copied back to device.
        • Made a mistake in reading the instructions: they didn’t want the file loaded back onto the device, they wanted the device to be restarted.
    • The lab redirects you to an article that gives you the steps to restore the device instead of asking questions that you need to know the answers to.
      • Load file from tftp
        • Set variables
          • IP_ADDRESS=[device ip]
          • IP_SUBNET_MASK=[device subnet]
          • DEFAULT_GATEWAY=[Gateway IP]
            • For our lab there was no gateway since TFTP server was on the same subnet as device, so we used the IP address of the device.
          • TFTP_SERVER=[TFTP IP]
          • TFTP_DESTINATION=flash:
          • TFTP_FILE=[file name]
      • Start Download
        • tftpdnld
          • Yes to continue.
          • Unable to complete due to Packet Tracer limitations
    • IOS Image Upgrade
      • Verify device version
        • #show version
      • Use tftp to upgrade device
        • copy tftp flash
        • (config)#boot system flash:[file name]
        • #write mem
        • reload
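The password-recovery steps above turn on four different config-register values (0x2102, 0x2100, 0x2120, 0x2142). The decoder below is an added example, not code from the course or the lab: it breaks a register value into the boot field, the ignore-NVRAM bit and the console-speed bits, using the bit layout from Cisco's config-register documentation linked in the notes. The helper names (`decode_confreg`, `needs_cleanup`, `describe`) are my own.

```python
# Added example, not part of the course or lab: decoding the IOS configuration
# register values used in the password-recovery steps (0x2102, 0x2100, 0x2120,
# 0x2142). Bit layout per Cisco's config-register documentation; helper names
# are my own.

BOOT_FIELD_MASK = 0x000F            # bits 0-3: boot field
IGNORE_NVRAM = 0x0040               # bit 6: ignore the startup-config in NVRAM
DISABLE_BOOT_MESSAGES = 0x0080      # bit 7
BREAK_DISABLED = 0x0100             # bit 8: Break key ignored once IOS is up
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: set in the default 0x2102

# Console speed is spread over bits 12, 11 and 5, in that order.
CONSOLE_BAUD = {
    (0, 0, 0): 9600,  (0, 0, 1): 19200, (0, 1, 1): 38400,
    (1, 0, 1): 57600, (1, 1, 1): 115200, (0, 1, 0): 4800,
    (1, 1, 0): 2400,  (1, 0, 0): 1200,
}


def decode_confreg(value):
    """Describe what a 16-bit config-register value makes the router do."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config-register is a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "stay in ROMmon"
    elif boot_field == 0x1:
        boot = "boot the first image in flash (boot helper on older platforms)"
    else:
        boot = "normal boot (boot system commands, else first image in flash)"
    speed_bits = ((value >> 12) & 1, (value >> 11) & 1, (value >> 5) & 1)
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "console_baud": CONSOLE_BAUD[speed_bits],
    }


def needs_cleanup(value):
    """True if a register value should not be left on a production router:
    it either bypasses the saved configuration (0x2142) or parks the box in
    ROMmon (0x2100 / 0x2120). The recovery procedure ends by setting 0x2102."""
    d = decode_confreg(value)
    return d["ignore_startup_config"] or d["boot_field"] == 0


def describe(value):
    """One-line summary, e.g. for a post-change check of 'show version'."""
    d = decode_confreg(value)
    return (f"0x{value:04X}: {d['boot']}; startup-config "
            f"{'ignored' if d['ignore_startup_config'] else 'loaded'}; "
            f"console {d['console_baud']} baud")


if __name__ == "__main__":
    for v in (0x2102, 0x2100, 0x2120, 0x2142):
        print(describe(v))
```

Running it prints one line per value, which makes the difference between 0x2100 and 0x2120 (console speed only) and between 0x2102 and 0x2142 (the ignore-NVRAM bit only) visible at a glance; `needs_cleanup` is the check worth running after any recovery so a router is not left booting without its saved configuration.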

The final day of videos! Time to get this done and start with the review of the material for the test.

Section 38 continued…

  • APIs (Application Programming Interfaces) – CRUD, REST and SOAP
    • NETCONF and RESTCONF are APIs specifically designed to work with network devices.
    • CRUD – Create – Read – Update – Delete
    • SOAP – Simple Object Access Protocol
      • Standardized communication protocol that permits processes running on different operating systems, like Linux and Windows, to talk to each other.
      • Typically uses HTTP(S) as transport; data is always formatted as XML
      • It has a strict standard to adhere to
    • REST – Representational State Transfer
      • Is an architecture, not a protocol
        • Gives guidelines for structure and organization of an API
      • Supports any transport and data format
      • Commonly uses HTTP(S) as transport and commonly uses JSON (or XML) data formats
      • Typically performs faster and is easier to use than SOAP
      • Constraints
        • Client-server architecture
          • Request and response model
        • Uniform interface
        • Statelessness
          • No client context is stored on the server between requests
        • Cacheability
          • Responses must define themselves as cacheable or non-cacheable
        • Layered system
          • Devices between client and server must be transparent
        • Optional – Code on demand
          • Server can temporarily extend or customize the functionality of a client by transferring executable code.
      • REST Response Codes
        • Success 
          • 1xx: Informational
          • 2xx: Success
            • 200: OK
            • 201: Created
            • 204: No Content/Deleted
          • 3xx: Redirection
        • Errors
          • 4xx
            • 400: Bad request/malformed syntax
            • 401: Unauthorized
            • 403: Forbidden
            • 404: Not Found
          • 5xx: Server Error
            • 500: Internal Server Error
          • Responses to GET requests include data in the body
          • Headers can also be included in the response
  • Configuration Management Tools
    • Systems that make managing a large number of devices easy
    • Automate many different systems from one location
    • Popular free options (Enterprise paid options)
      • Ansible
        • Runs from any machine with Python 2 or 3
        • Agentless
        • Push Model
        • Uses SSH by default
        • Simpler than other tools
        • Modules are pre-built python scripts
        • Inventory files define all hosts to be managed
        • Playbooks are YAML files that outline the instructions it needs to run
      • Puppet
        • Uses agent on the target
        • Runs on Linux
        • Pull model so agent checks in every 30 minutes by default
        • Programmed in Ruby
        • Proprietary DSL rather than YAML
        • ‘Manifest’ defines the device’s properties
        • Can check config consistency
      • Chef
        • Uses agent on the target
        • Pull model
        • Programmed in Ruby
        • Terminology is Cook Book > Recipe
    • Automate provisioning and deployment of servers and network devices
    • Require little programming knowledge
    • Development practices
      • version control
      • testing
  • SDN – Software Defined Networking
    • Router and Switch Planes
      • Data (Forwarding) Plane: Traffic which is forwarded through the device
      • Control Plane: Makes decisions about how to forward traffic.
        • Control plane packets, such as routing protocol or spanning tree updates, are destined to or locally originated on the device itself.
      • Management Plane
        • The device is configured and monitored in this plane.
    • SDN – Data and Control Plane Separation
      • Traditionally network infrastructure devices are responsible for their own control and data planes
      • SDN decouples the data and control planes
      • Network devices are still responsible for forwarding traffic, but the control plane moves to a centralised SDN controller.
    • Data and control plane separation
      • Rules for packet handling are sent to the network devices from the controller
      • The network devices query the controller for guidance as needed and provide the controller with info about traffic being handled.
    • Pure SDN vs Hybrid SDN
      • Pure SDN
        • The control plane runs purely on the SDN controller
        • Data plane runs purely on the network device
      • Hybrid SDN
        • The majority of the control plane intelligence is provided by an SDN controller
        • Network Devices retain some control plane intelligence as well as the data plane operations
        • Most implementations use a hybrid SDN
    • SDN Architecture
    • Cisco SDN Controllers
      • APIC – Application Policy Infrastructure Controller
        • Main component of the Cisco ACI (Application Centric Infrastructure) solution
        • made to manage data center environments with Nexus Switches
      • DNA Center – Digital Network Architecture
        • Made to manage enterprise environments
          • Campus
          • Branch
          • WAN
        • Upgrade to APIC-EM (Application Policy Infrastructure Controller – Enterprise Module)
  • DNA Center
    • One part of three building blocks of Cisco DNA and Software Defined Architecture 
    • “Cisco DNA enables you to streamline operation and facilitate IT and business innovation.”
    • Intent-based networking (IBN) built on Cisco DNA takes a software-delivered approach to automating and assuring services across your WAN, campus, and branch networks
    • A Cisco SDN controller which is designed to manage enterprise environments (campus, branch and WAN)
      • Opposed to APIC which manages data center environments with Nexus Switches
    • DNA Center Appliance
      • Runs on Cisco UCS server hardware
      • Built on a Linux OS
      • Can cluster for redundancy
    • IBN – Intent Based Networking
      • Controller led network that translates the business needs into policies that can be automated and applied consistently 
      • Goal is to continuously monitor and adjust network performance to help assure desired business
      • Example 1
        • a QoS policy roll-out
          • The intent: the network policy is defined first, guaranteed service for voice and video across network locations
          • Traditional method
            • Network team researches and plans the implementation, then configures each network device individually
            • Different network device models require different commands
            • Very time consuming and prone to mistakes
          • IBN
            • Network team creates an application policy in DNA Center specifying voice and video as business-relevant apps.
            • DNA Center auto-configures the best-practice QoS settings on devices
            • Reduces time from potentially months to minutes
      • Example 2
        • Security traffic flows in the campus
          • The intent: Users in DeptA and DeptB must have connectivity to other users in their own department and to the company servers
          • They must not have connectivity to the users in the other department.
          • Traditional
            • Plan VLAN, IP subnet and ACL implementation, then configure each switch individually
            • Users will stay on the same access port, and they are assigned a VLAN and IP address based on their physical location
            • Time consuming, liable to mistakes and does not support mobility
          • IBN
            • Create a group-based access control policy in DNA Center which specifies the allowed traffic flows
            • Users can log in from, and move to, any physical location on campus
            • Users are authenticated by Cisco ISE (Identity Services Engine) and assigned a Security Group Tag controlling their access
    • Network Plug and Play
      • Allows routers, switches and WAPs to be deployed in remote offices with zero-touch configuration
      • Device is physically installed at location and connected to the network.
      • It discovers DNA Center through various methods
        • DHCP option 43
        • DNS ‘pnpserver.domain-name.com’
      • Device registers with and downloads its configuration from DNA Center
      • This ensures correct configuration on remote devices and avoids needing an engineer onsite.
    • Assurance
      • Guarantees that the infrastructure is doing what was intended
      • Receives info from all devices and ISE
      • Correlation engine can identify 150+ different types of network and client issues
        • Reports problems and provides recommended remediation actions
      • Admins can drill down into the health status of devices and clients
      • See current and historical status info
      • Useful for troubleshooting intermittent problems and/or issues which occurred in the past.
    • Path Trace
      • Used to query DNA Center for the path that traffic takes over the network
      • This aids troubleshooting
    • API Support
      • Provides a Northbound REST API
      • Supports East and West bound APIs for integration for items like reporting and analytics
  • Software Defined Architecture – SD Access
    • Traditional Access Control
      • Access to, and traffic flows within, the network are controlled with fixed VLANs, IP addresses and ACLs
      • Users are expected to connect to the same physical port, with an assigned VLAN and IP subnet
      • ACL controls traffic flows
      • More complex with each device
      • Does not support mobility for the user
    • SD-Access – Software Defined Access
      • Newer method of network access control which solves the limitations of the traditional implementation
      • Traffic flow security is based on user identity, not physical location and IP address
      • Users can log in from, and move to, any physical location in the network.
      • Two components required
        • ISE (Identity Service Engine) for user authentication
        • Security Policy configured on DNA Center
          • Permit and deny communication between groups
      • Underlay and overlay Network
        • Underlay network is the underlying physical network. Provides the underlying physical connection which the overlay network is built on top of.
        • Overlay network is a logical topology used to virtually connect devices. It is built over the physical underlay network.
        • The combination of underlay and overlay forms the SD-Access ‘network fabric’
      • Underlay Network
        • Any existing (‘brownfield’) underlying physical network can be deployed. 
          • Links between devices can be layer 2 or layer 3 and any routing protocol can be used
          • DNA center can be used to auto provision the underlay network in new (‘greenfield’) sites. Layer 3 links are used between devices and IS-IS is used as the routing protocol
      • Overlay Network
        • LISP is used for Control Plane
        • VXLAN is used for the Data Plane
        • Cisco TrustSec CTS is used for the policy
          • Each technology has been optimized for SD-Access
      • Policy Plane – Cisco TrustSec CTS
        • Users are authed by ISE
        • Policy configured on DNA Center
        • Users are allocated an SGT – Scalable Group Tag
        • Cisco TrustSec secures traffic flows based on the security policy and SGTs
        • Standard TrustSec needs TrustSec-capable devices end to end; SD-Access uses overlay tunnels, so it can work with other devices.
  • SD-WAN
    • Traditional WAN Deployment
      • Individual device configuration
      • Configuration is not standardized
      • Focus on link connectivity, not the required performance for apps
      • Typically difficult to migrate to another WAN service
    • It provides automated setup of WAN connectivity between sites
    • Monitoring and failover are automated
    • Traffic flow control is application aware
    • SD-WAN Benefits
      • Auto, standardized setup of connectivity between sites
      • Transport independent
      • Simplified, integrated operations
      • More flexibility and easier to migrate WAN services
      • The required, predictable performance for important applications
      • Integration with the latest cloud and network tech
      • Lower Cost
    • Data Plane – vEdge Routers
      • vEdge routers run the data plane
      • They are physical or virtual routers
      • They form an IPsec encrypted data plane between each other
      • A site can have 2 vEdge routers for redundancy
    • Control Plane – vSmart Controllers
      • vSmart controllers run the control plane
      • They are the centralized brain of the solution
      • They run as virtual machines
      • They distribute policy and forwarding info to the vEdge routers inside TLS tunnels
      • Each vEdge router connects to two vSmart controllers for redundancy
    • Management Plane – vManage NMS
      • The vManage NMS provides the management plane GUI
      • It enables centralized configuration and simplifies changes
      • It provides real time alerting
      • It runs as a virtual machine
      • Multiple vManage NMSs are clustered for redundancy
    • Orchestration – vBond orchestrator
      • The vBond orchestrator authenticates all vSmart controllers, vManage NMSs and vEdge routers that join the SD-WAN network
      • It enables vEdge routers to discover each other, vManage and vSmart
      • It has a public IP address and is deployed in the DMZ
      • It runs as a virtual machine (can run on a router in smaller deployments)
      • Multiple vBond orchestrators can be deployed with round robin DNS
    • ZTP Zero Touch Provisioning service
      • Cloud based shared service hosted by Cisco
      • Utilized on first boot of vEdge router only
      • Directs it to vBond to orchestrate joining it to the network.
      • On Premises and Cloud
        • vBond, vSmart and vManage can be deployed
          • On premises
          • Hosted in Cisco (or partner) cloud
        • Most deployments are in the cloud
      • Building the Data Plane
        • The vSmart controller directs the vEdge routers to build a full mesh (default) of IPsec VPN tunnels between themselves
        • vSmart propagates policy and routing info to the vEdge routers with the Overlay Management Protocol (OMP)
      • BFD (Bidirectional Forwarding Detection) VPN Tunnel Monitoring
        • BFD packets are sent over all VPN tunnels
        • This detects if a tunnel goes down, and also provides latency, jitter and loss statistics
      • Traffic Forwarding Options
        • If multiple tunnels are available (MPLS and Internet) traffic can be load balanced over the tunnels
          • Active/Active
          • Weighted Active/Active
          • Application pinning Active/Standby
          • Application Aware Routing
      • App Aware Routing
        • BFD monitors the latency, jitter and loss across the VPN tunnels
        • You can set minimum requirements for an app with SLA classes
        • SD-WAN ensures the app is sent over a link which meets its SLA
        • By default traffic will fall back to another link if no suitable link is available.
  • Further Learning Resources
    • Network programmability Basics video course: https://developer.cisco.com/video/net-prog-basics/
    • DevNet Sandbox: https://devnetsandbox.cisco.com
    • DevNet Learning Labs: https://developer.cisco.com/learning/
    • Further Cert: Cisco Certified DevNet Associate
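The API notes above list CRUD operations, the REST constraints and the response codes separately. The code below is an added example, not from the course, that ties them together: a minimal in-memory REST service for a constructed `/devices` collection whose single `handle()` method maps each CRUD operation to an HTTP method and picks the response code from the list in the notes. `API_TOKEN`, the `/devices` path and the `hostname` field are assumptions made up for the demo; a real API would answer an unsupported method with 405, which the notes do not list, so this example uses 400 there.

```python
import json

# Added example, not from the course: a minimal REST-style CRUD service kept
# in memory. The server holds resource state only, never per-client session
# state, which is what the statelessness constraint requires. API_TOKEN,
# the /devices path and the 'hostname' field are constructed for the demo.

API_TOKEN = "constructed-example-token"   # demo credential only


class DeviceStore:
    def __init__(self):
        self._devices = {}
        self._next_id = 1

    @staticmethod
    def _parse(body):
        """Return the JSON object in body, or None if it is missing/malformed."""
        try:
            data = json.loads(body) if body else None
        except json.JSONDecodeError:
            return None
        return data if isinstance(data, dict) else None

    def handle(self, method, path, headers=None, body=None):
        """Handle one request; returns (status_code, response_body_or_None)."""
        headers = headers or {}
        # 401: the client did not authenticate
        if headers.get("Authorization") != f"Bearer {API_TOKEN}":
            return 401, {"error": "Unauthorized"}

        parts = [p for p in path.split("/") if p]
        if not parts or parts[0] != "devices" or len(parts) > 2:
            return 404, {"error": "Not Found"}
        device_id = parts[1] if len(parts) == 2 else None

        if method == "POST" and device_id is None:            # Create
            data = self._parse(body)
            if data is None or "hostname" not in data:
                return 400, {"error": "Bad request: JSON body with 'hostname' required"}
            new_id = str(self._next_id)
            self._next_id += 1
            self._devices[new_id] = {"id": new_id, "hostname": data["hostname"]}
            return 201, self._devices[new_id]                  # 201 Created

        if method == "GET":                                     # Read
            if device_id is None:
                return 200, {"devices": list(self._devices.values())}
            if device_id in self._devices:
                return 200, self._devices[device_id]
            return 404, {"error": "Not Found"}

        if method == "PUT" and device_id is not None:           # Update
            if device_id not in self._devices:
                return 404, {"error": "Not Found"}
            data = self._parse(body)
            if data is None or "hostname" not in data:
                return 400, {"error": "Bad request: JSON body with 'hostname' required"}
            self._devices[device_id]["hostname"] = data["hostname"]
            return 200, self._devices[device_id]

        if method == "DELETE" and device_id is not None:        # Delete
            if self._devices.pop(device_id, None) is None:
                return 404, {"error": "Not Found"}
            return 204, None                                    # 204 No Content

        # A production API would use 405 Method Not Allowed here.
        return 400, {"error": "Bad request: unsupported method for this path"}


if __name__ == "__main__":
    store = DeviceStore()
    auth = {"Authorization": f"Bearer {API_TOKEN}"}
    print(store.handle("POST", "/devices", auth, '{"hostname": "R1"}'))   # (201, {...})
    print(store.handle("GET", "/devices/1", auth))                         # (200, {...})
    print(store.handle("DELETE", "/devices/1", auth))                      # (204, None)
    print(store.handle("GET", "/devices/1"))                               # (401, {...})
```

Note that the authorization check runs before the path is even looked at, so an unauthenticated caller cannot use 404-versus-200 differences to learn which device IDs exist.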
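The App Aware Routing notes above describe the selection logic in three sentences: BFD measures each tunnel, an SLA class states an app's minimum requirements, and traffic falls back to another link when none meets the SLA. The following is an added example, not code from the course or from Cisco's SD-WAN, that implements that logic so the fall-back and the "tunnel down" edge case can be seen working. `TunnelStats`, `SlaClass`, `select_tunnel` and all tunnel names and measurements are constructed; the `VOICE` class uses the voice thresholds from the QoS section of these notes.

```python
from dataclasses import dataclass

# Added example, not from the course: application-aware tunnel selection.
# Per-tunnel numbers stand in for what BFD reports; an SLA class holds an
# application's minimum requirements. All names and values are constructed.


@dataclass(frozen=True)
class TunnelStats:
    name: str           # transport the tunnel rides on, e.g. "mpls", "inet"
    latency_ms: float
    jitter_ms: float
    loss_pct: float     # 100.0 means BFD has declared the tunnel down


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def sla_violations(sla, t):
    """Names of the metrics on which tunnel t misses the SLA (empty = compliant)."""
    failed = []
    if t.latency_ms > sla.max_latency_ms:
        failed.append("latency")
    if t.jitter_ms > sla.max_jitter_ms:
        failed.append("jitter")
    if t.loss_pct > sla.max_loss_pct:
        failed.append("loss")
    return failed


def _ratio_over(value, limit):
    """Fraction by which value exceeds limit; inf if the limit is zero and exceeded."""
    if value <= limit:
        return 0.0
    return value / limit - 1 if limit > 0 else float("inf")


def _excess(sla, t):
    """How far outside the SLA a tunnel is, summed over the three metrics."""
    return (_ratio_over(t.latency_ms, sla.max_latency_ms)
            + _ratio_over(t.jitter_ms, sla.max_jitter_ms)
            + _ratio_over(t.loss_pct, sla.max_loss_pct))


def select_tunnel(tunnels, sla, preferred=None, fallback=True):
    """Pick the tunnel for an application in SLA class `sla`.

    Returns (tunnel, sla_met). Tunnels BFD has declared down are never used.
    A compliant tunnel wins first (the preferred transport if it complies,
    otherwise the lowest-latency one). If none complies and fallback is True,
    the least-violating tunnel is returned with sla_met=False, which is the
    default fall-back behaviour the notes describe.
    """
    up = [t for t in tunnels if t.loss_pct < 100.0]
    compliant = [t for t in up if not sla_violations(sla, t)]
    if preferred is not None:
        for t in compliant:
            if t.name == preferred:
                return t, True
    if compliant:
        return min(compliant, key=lambda t: (t.latency_ms, t.loss_pct)), True
    if not fallback or not up:
        return None, False
    return min(up, key=lambda t: _excess(sla, t)), False


# Constructed SLA class using the voice thresholds from the QoS section.
VOICE = SlaClass("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1)

if __name__ == "__main__":
    tunnels = [TunnelStats("mpls", 40, 5, 0.1), TunnelStats("inet", 90, 45, 0.5)]
    chosen, met = select_tunnel(tunnels, VOICE)
    print(chosen.name, met, sla_violations(VOICE, tunnels[1]))   # mpls True ['jitter']
```

Setting `fallback=False` is the "drop rather than degrade" choice: the function then returns `(None, False)` when no tunnel meets the SLA, which is also the answer whenever every tunnel is down.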

That was a rough section and there was a lot of new stuff that I had to learn… Now time for practice tests and lots of review.

And then there were 5… Only 5 sections left in Cisco CCNA 200-301 – The Complete Guide to Getting Certified. I have really enjoyed Neil Anderson’s course and I am feeling very confident about the test coming up at the end of the month.

Check the course out on Udemy: https://www.udemy.com/course/ccna-complete/

Neil Anderson’s Youtube Channel Flackbox: https://www.youtube.com/channel/UCVOdgH0-GrxtAFSZjHVEB0A

Website flackbox.com

Section 35: QoS – Quality of Service

  • Overview
    • The first need for QoS was VoIP
    • Traditionally each service would have its own network
      • The phone would use a PBX and go over the Public Switched Telephone Network
      • Video chat would use an ISDN
      • Computer over an IP WAN
    • Modern networks will go over the same IP infrastructure
      • This still requires a connection to the Public Switched Telephone Network
      • Enables cost savings
      • Increased features
      • Data, voice, and video are all fighting for the same shared bandwidth
    • Voice and standard video packets must meet these recommended requirements for acceptable quality
      • Latency (delay) less than or equal to 150 ms
      • Jitter (variation in delay) less than or equal to 30 ms
        • VoIP systems attempt to smooth out the incoming packets to make the call sound natural, so jitter needs to be low for the jitter buffer to work correctly
      • Loss less than or equal to 1%
    • HD video has stricter requirements; with any loss at all you will start to notice issues
    • FIFO – First In First Out
      • When congestion occurs on a router or switch, packets are sent out in a FIFO manner by default
      • Congestion is when more traffic is coming in than what is being sent out.
        • Effect of Congestion
          • Delays of packets while they wait in the queue
          • Queue size can affect jitter
          • Packets can be dropped if the queue is full
          • Lower quality to an unacceptable level for voice and video
        • Dealing with Congestion
          • Add more bandwidth (costs more money)
          • Use QoS to deliver better service to specified traffic
            • QoS will deliver packets quicker and override the default FIFO behavior based on QoS classification
        • Effects of QoS queuing
          • Reduces delivery time (latency), jitter and loss for specified traffic
          • Can be used for more than voice and video, for any specified traffic
          • Other traffic that is not part of the QoS policy may receive worse service, as QoS traffic is delivered first
          • QoS is used to mitigate temporary periods of congestion, and more bandwidth is recommended on lines that have consistent congestion
  • Classification and Marking
    • Identifying Traffic
      • COS (Class of Service) marking
        • 3-bit field in the Layer 2 802.1Q frame header
        • Values 0-7 can be set, default is zero (designated as Best Effort)
          • The higher the number, the higher the priority
        • Values 6-7 are reserved for network use
        • IP phones mark their call signaling traffic as CoS 3 and voice payload CoS 5
      • DSCP (Differentiated Service Code Point) marking
        • The preferred classification method, as it can be identified easily, whereas ACLs and NBAR take more processor cycles to identify traffic
        • Layer 3 ToS (Type of Service) byte
        • 6 bits, so 64 possible values, default is zero (designated as Best Effort)
        • IP phones mark the call signaling traffic as 23 (CS3) and voice payload 46 (EF)
        • Standard 26 (AF31) for mission-critical data and 24 (AF41) for SD video.
      • Access Control List
        • Phones set their own DSCP and CoS, but if other traffic needs to be set for QoS it is unlikely that the application will be able to mark its own traffic.
        • Use ACLs to designate traffic
      • NBAR (Network-Based Application Recognition)
        • Uses Layer 3-7 information to identify traffic
        • Can download signatures from Cisco to be loaded on routers to recognize well-known applications
    • Trust Boundary
      • The switch or router should not trust a PC that might be behind the phone
      • Trust sources
        • Phone can set both the COS (Layer 2) and DSCP (Layer 3)
        • Layer 4 uses UDP Port
    • If NBAR or ACL is used it should be done as close to the source as possible (First switch if possible).
    • The classification does not change the service itself and only identifies the traffic
  • Congestion Management
    • Can manage switch and router congestion using queuing
    • Bandwidth guarantees to specified traffic using CBWFQ (Class-Based Weighted Fair Queuing)
    • LLQ (Low Latency Queuing) is CBWFQ with a priority queue
      • Traffic in the priority queue is sent before other traffic
    • MQC – Modular QoS CLI
      • Has 3 main sections
        • Class Maps define the traffic to take action on
        • Policy Maps take the action on that traffic
        • Service Policies apply the policy to an interface
      • MQC was first used for QoS, but it is now used in other places, like firewall rules
    • Command Example
      • Configure the same LLQ policy on the routers in both locations (internal call)
      • Apply to WAN interfaces
      • Policy-map will not be applied unless there is congestion detected
      • Create Class map
        • class-map VOICE-PAYLOAD
        • match ip dscp ef
        • class-map CALL-SIGNALING
        • match ip dscp cs3
      • Apply Class Map to Policy-map
        • policy-map WAN-EDGE
        • class VOICE-PAYLOAD
        • priority percent 33
        • class CALL-SIGNALING
        • bandwidth percent 5
        • class class-default
        • fair-queue
          • class class-default is all other traffic
          • fair-queue is a better queuing system than FIFO, as FIFO tends to penalize smaller packets
      • Apply Policy-map to interface
        • int serial0/0/0
        • bandwidth 768
        • service-policy out WAN-EDGE
    • For the test, you do not need to know the configuration, but you need to know and understand the theory behind the mappings and “Policing and Shaping”
  • Policing and Shaping
    • Can be used to control the traffic rate
    • Measure the rate of traffic through an interface and take action if it is above the configured limits
    • Traffic shaping buffers excess traffic so the overall traffic stays within the desired rate limit
    • Policing drops or re-marks traffic to enforce rate limits
    • Classification can be used in policing and shaping to allow different rates for different types of traffic
    • Policing
      • Examples
        • ISP
          • Sets a policing policy to enforce the bandwidth sold to the customer
        • Worm/junk traffic
          • Mark worms and junk traffic such as P2P as ‘Scavenger’ traffic
          • Recommended DSCP value is DSCP 8 (CS1)
          • Used to limit junk traffic so it cannot take bandwidth from business applications
    • Shaping Scenario
      • As the ISP has a policing policy that drops packets when the rate goes over the limit, the internal side can set a shaping policy so that all traffic is sent within the ISP limits
      • After setting the shaping policy a congestion (queuing) policy also needs to be put in place
        • As only one policy map can be applied to an interface, the other policy needs to be nested inside the shaping policy
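The difference between a policer and a shaper can be seen in a few lines of code. The following Python is an added example and is not part of the course or these notes: it simulates a single-rate token bucket (the bucket depth plays the role of the burst allowance) and feeds the same packet burst to a policer, which drops or re-marks whatever exceeds the contract, and to a shaper, which holds the excess back until the rate allows it. The rates, burst sizes and packets are constructed sample values.

```python
"""Policing vs shaping with a single-rate token bucket.

Added example (not from the course notes): a small simulation that shows
why a policer drops or re-marks a burst while a shaper delays it.  Rates,
burst sizes and packets below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    arrival: float      # arrival time in seconds
    size: int           # bytes
    dscp: int = 0       # DSCP marking; 0 = default (best effort)


@dataclass
class TokenBucket:
    """Tokens are bytes; they refill at `rate` bytes/s up to `burst` bytes."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # the bucket starts full

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


SCAVENGER_DSCP = 8   # CS1, the value the notes recommend for junk traffic


def police(packets, rate, burst, exceed_action="drop"):
    """Policer: a packet either conforms (enough tokens) or exceeds.

    Exceeding packets are dropped or, with exceed_action="remark", re-marked
    to the scavenger class and still forwarded.  Nothing is ever delayed.
    Returns a list of (action, packet); a dropped packet is recorded as None.
    """
    bucket = TokenBucket(rate, burst)
    results = []
    for pkt in packets:
        bucket.refill(pkt.arrival)
        if bucket.tokens >= pkt.size:
            bucket.tokens -= pkt.size
            results.append(("conform", pkt))
        elif exceed_action == "remark":
            results.append(("exceed", Packet(pkt.arrival, pkt.size, SCAVENGER_DSCP)))
        else:
            results.append(("exceed", None))   # dropped
    return results


def shape(packets, rate, burst):
    """Shaper: a packet that finds too few tokens is queued until enough
    have accrued, so the output rate never exceeds `rate` for long.
    Returns the departure time of each packet, in input order.
    """
    bucket = TokenBucket(rate, burst)
    departures = []
    last_departure = 0.0
    for pkt in packets:
        now = max(pkt.arrival, last_departure)   # FIFO: wait for the packet ahead
        bucket.refill(now)
        if bucket.tokens < pkt.size:
            now += (pkt.size - bucket.tokens) / bucket.rate   # time to earn the shortfall
            bucket.refill(now)
        bucket.tokens = max(0.0, bucket.tokens - pkt.size)
        departures.append(now)
        last_departure = now
    return departures


# Constructed samples: four 1000-byte packets, once arriving all at t=0 and
# once paced one per second, against a 1000 B/s contract with a 1500-byte burst.
BURST_OF_FOUR = [Packet(0.0, 1000) for _ in range(4)]
PACED_FOUR = [Packet(float(t), 1000) for t in range(4)]

if __name__ == "__main__":
    for action, pkt in police(BURST_OF_FOUR, rate=1000, burst=1500, exceed_action="remark"):
        print(action, pkt)
    print(shape(BURST_OF_FOUR, rate=1000, burst=1500))
```

Running `police(BURST_OF_FOUR, 1000, 1500)` returns one conforming packet and three exceeding ones, while `shape` on the same burst returns departure times of 0, 0.5, 1.5 and 2.5 seconds: nothing is dropped, but the queue adds delay. The paced input passes both unchanged because it never exceeds the contracted rate.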

Section 36: Cloud Computing

  • Test Notes
    • Will not test on configuration
    • Will test on the theory of cloud computing
      • Service Modules
      • Deploy Models
  • Traditional Deployment Models
    • On Prem
      • All equipment located in the building
      • Owned by you
      • A clear line of who owns what
      • Equipment is CapEx (Capital Expenditure)
      • Can take over a week to receive and deploy
      • Need a planned refresh of equipment
      • Plan redundancy
    • Colo
      • Owned Equipment located in a rented space/data center
      • The datacenter provides services like power, cooling, physical security, networking, and internet connections
      • Service provided through an SLA
      • The connections between corporate buildings and the colo are the responsibility of ISPs
  • Defining Cloud Computing
    • NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
    • NIST Characteristics
      • On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
      • Rapid Elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
      • Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.
      • Resource Pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
      • Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service.
  • Cloud Service Models
    • Models define where the customer and providers areas of responsibility are and what level the customer gains access
    • The models build on top of one another
    • Models 
      • IaaS – Infrastructure as a Service
        • Provides: Facility->Network->Storage->Compute->Hypervisor
      • PaaS – Platform as a Service
        • Provides: Facility->Network->Storage->Compute->Hypervisor->Operating System
      • SaaS – Software as a Service
        • Provides: Facility->Network->Storage->Compute->Hypervisor->Operating System->Application->Data
  • Cloud Deployment Models
    • Public Cloud
      • The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
      • Well known providers
        • AWS
        • Azure
        • IBM Bluemix
        • Salesforce
      • Most common deployment
    • Private Cloud
      • The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off-premises.
      • Private Cloud works the same way as Public Cloud, but the services are provided to internal business units instead of to external public enterprises.
      • Fulfills the cloud ‘Essential Characteristics’
        • On-Demand Self-Service
        • Rapid Elasticity
        • Broad Network Access
        • Resource Pooling
        • Measured Service
      • The company will use automation software such as Cisco UCS Director
      • DNA Center can be used as an SDN controller
    • Community Cloud
      • The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns.
      • This is the least common deployment model. It is sometimes used in government environments.
    • Hybrid Cloud
      • The cloud infrastructure is a composition of two or more distinct cloud infrastructures that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
  • Cloud Computing Advantages
    • Scalability
      • Ability to regulate the service in accordance with current requirements:
        • Scale capacity up and down
        • Infinite computing capacity on demand
        • Flexibility through cloud bursting
    • Agility
      • Ability to handle expected or unexpected changes in load
      • Reduced time to deploy
    • Cost Efficiency
      • Pay for what you need
      • Avoid provisioning for peak load and paying for it as a permanent fixture
      • Move from a large upfront CapEx cost to a comparatively small monthly OpEx cost
      • ICT costs are more transparent
      • No depreciable hardware assets
      • The provider is responsible for tech refresh
      • Predictable monthly fee
    • Competitive Advantage
      • Traditional CapEx can be directed to other investments
      • Can respond quickly to evolving markets and focus on growing the core business
    • Productivity
      • IT staff can focus on strategic decisions and on developing and improving core applications rather than maintaining or troubleshooting hardware infrastructure
      • This does not mean that in-house IT is not needed. Deploying in the public cloud is just like deploying in-house; IT is able to focus on the design, security, and support of the applications and data as opposed to the hardware
    • Availability and Reliability
      • Facilities are located in hardened data centers
        • Redundant power
        • Onsite security
        • No single point of failure
      • Certified against standards such as ISO 9001 and 27001
      • Data centers follow best practices for facilities, servers, networking and storage
      • Provide an SLA
    • Cost
      • The advantages of cloud computing usually come down to the overall long-term cost
      • Compare the TCO of on-premises vs the cloud equivalent
      • Most companies use a mix of on-premises and cloud solutions

Section 37: Wireless Network Fundamentals

  • Wireless Network Types
    • 802.11 WiFi Standard
    • WPAN – Wireless Personal Area Network
      • Devices are within 10 meters of each other
      • Bluetooth is often used
    • WLAN: Wireless Local Area Network
      • CCNA focuses on WLAN
      • Provides access to a campus network without the need for a cable
      • Devices within 100m of a WAP (Wireless Access Point)
    • WMAN: Wireless Metropolitan Area Network
      • Covers a large area such as a city
    • Modes
      • Ad Hoc Networks
        • Two or more wireless stations communicate directly with each other
          • IBSS – Independent Basic Service Set
      • Infrastructure Mode
        • Stations communicate via a Wireless Access Point (AP)
        • This can provide access to a wired network
        • Multiple APs can be deployed for coverage
      • WiFi Direct
        • Allows the device to be connected to an AP and also be part of a peer-to-peer wireless network
        • Does not operate in Ad-Hoc IBSS mode, it is an extension to Infrastructure Mode
        • WPS WiFi Protected Setup enables connection setup by pushing a button
          • GARBAGE… DO NOT USE, NOT SECURE (This comment is not part of CCNA)
        • It is a WPAN
        • Services
          • Miracast
          • DLNA – Digital Living Network Alliance – allows devices to stream music and video
          • Direct Print
    • Wireless Bridge
      • Used to connect areas which are not reachable via cable 
    • Mesh Networks
      • Spread the coverage area
      • One AP radio is used to serve the client
      • Other radios connect to the backhaul network
  • Infrastructure Mode and Wireless Access Points (WAP)
    • WAP provides connectivity between wireless stations and between the wireless and wired network
    • Wireless is half-duplex
      • One device can communicate at a time
    • BSS – Basic Service Set
      • Access Point centralizes access and control over a group of wireless devices
      • The devices and their wireless settings make up a BSS
    • DS – Distribution System
      • A distribution system connects the WAP to the wired network
    • BSSID – Basic Service Set Identifier
      • Devices within a BSS are identified by the BSSID, which is based on their MAC address
    • BSA – Basic Service Area
      • The BSA is the wireless coverage area of an Access Point
      • AKA wireless cell
    • SSID – Service Set Identifier
      • A unique identifier that names the wireless network
    • Multiple SSID Service Set Identifiers
      • A single AP can support multiple SSIDs
      • Different SSIDs can have different security settings and be mapped to different VLANs
    • Beacons
      • WAPs broadcast information about their WLANs in beacon frames
      • This can be disabled
    • ESS – Extended Service Set
      • The same SSID across multiple APs to increase the coverage area
    • Roaming
      • Clients can roam across APs supporting the same WLAN
  • WLC – Wireless LAN Controllers and CAPWAP
    • Configuring a large number of APs one by one becomes unmanageable
    • WLC is a centralized device to manage all APs
    • Virtual WLC is available
    • Redundancy is supported
    • Autonomous vs Lightweight Access Point
      • Autonomous APs are standalone APs
      • Lightweight APs are WLC controlled
      • The installed software image determines whether an AP is autonomous or lightweight
    • ZTP – Zero Touch Provisioning
      • Lightweight APs support Zero Touch Provisioning
      • They discover their wireless LAN Controller via these options:
        • DHCP – option 43 gives the IP address of the WLC
        • DNS – ‘cisco-capwap-controller’ resolves the IP address of the WLC
        • Local subnet broadcast
      • Wireless Access Points
        • The AP downloads its configuration from the WLC
        • Includes what WLANs it should support and their settings
        • The WLC also monitors the wireless quality and controls the channels and power of the Access Points
        • Can detect rogue APs
    • Roaming with WLC
      • Stations can roam between AP cells that have the same WLANs
      • Infrastructure can be configured to make this seamless
    • CAPWAP – Control and Provisioning of Wireless Access Points
      • Communications are encrypted in a DTLS CAPWAP tunnel
      • Uses UDP ports 5246 and 5247
      • Management traffic between the AP and WLC passes through the CAPWAP tunnel
      • LAG (Link Aggregation) is often used on the WLC-to-switch link
    • Split MAC
      • Work is moved from the AP to the WLC
      • Real-time traffic is handled by the AP to provide suitable performance, the rest is handled by the WLC
      • Work is split between the AP and WLC hence the name ‘Split MAC’
      • AP Operations
        • Client handshake when connecting
        • Beacons
        • Performance monitoring
        • Encryption and decryption
        • Clients in power save
      • WLC operations
        • Auth
        • Roaming control
        • 802.11 to 802.3 communication
        • Radio Frequency mgmt
        • Security mgmt
        • QoS mgmt
    • FlexConnect
      • Traffic is forwarded locally when FlexConnect is configured, keeping it from being sent to a WLC in another location. Example: AP in Los Angeles and WLC in NYC
      • This is useful for small branch offices without a Wireless LAN Controller
  • Switch Configuration for Wireless Networks
    • Autonomous AP
      • Switch Commands
        • Create VLANs that each SSID will exist on
          • (config)#vlan 21
          • (config-vlan)#name [VLAN1 Name]
          • (config)#vlan 22
          • (config-vlan)#name [VLAN2 Name]
        • Configure the Switch the AP is plugged into
          • (config)#interface gig1/0/1
          • (config-if)#switchport trunk encap dot1q
          • (config-if)#switchport mode trunk
          • (config-if)#switchport trunk allowed vlan 21,22
    • CAPWAP
      • AP sends traffic to the WLC over the CAPWAP tunnel and does not tag the traffic for the specified VLAN
      • The WLC will tag traffic and send it to the correct VLAN and send it to the switch for final delivery
      • Link between the WLC and switch needs to be a trunk but the link between the AP and the switch should remain an access port on the management vlan that the CAPWAP uses.
      • Commands
        • Create VLANs that each SSID will exist on
          • (config)#vlan 21
          • (config-vlan)#name [VLAN1 Name]
          • (config)#vlan 22
          • (config-vlan)#name [VLAN2 Name]
        • Create WLC management and AP management VLANs
          • (config)#vlan 10
          • (config-vlan)#name [WLC MGMT name]
          • (config)#vlan 11
          • (config-vlan)#name [AP MGMT name]
        • Configure Switch ports for WLC
          • (config)#int gig1/0/2
          • (config-if)#switchport trunk encap dot1q
          • (config-if)#switchport mode trunk
          • (config-if)#switchport trunk allowed vlan 10,11,21,22
        • Configure Switch port for AP
          • (config)#int gig1/0/1
          • (config-if)#switchport mode access
          • (config-if)#switchport access vlan 11
  • Wireless Channels and RF (Radio Frequencies)
    • Operate in the 2.4 and 5 GHz frequency spectrum
    • Allocated for ISM (industrial, scientific and medical) use
    • No radio operator’s license is needed
    • No regulatory protection against interference from other users of the band.
    • IEEE 802.11 Standards
      • Standard – Year – Frequency – Data rates (Mbps) – Backward compatibility
        • 802.11 – 1997 – 2.4 GHz – 1, 2
        • 802.11a – 1999 – 5 GHz – 6, 9, 12, 18, 24, 36, 48, 54
        • 802.11b – 1999 – 2.4 GHz – 1, 2, 5.5, 11
        • 802.11g – 2003 – 2.4 GHz – 6, 9, 12, 18, 24, 36, 48, 54 – 802.11b (1, 2, 5.5, 11)
        • 802.11n – 2009 – 2.4 & 5 GHz – up to 600 – a, b, g
        • 802.11ac – 2013 – 5 GHz – up to 3500 – a, n
      • Cisco AP support all standards
    • 2.4 GHz Spectrum
      • Ranges from 2.4 to 2.4835 GHz
        • Japan: 2.4 to 2.497 GHz
      • Channels are 22 MHz wide
        • 14 channels
          • Standard non-overlapping channels: 1, 6, 11
      • Each AP operates in one channel
      • Overlapping channels cause interference with each other
      • Access Points with overlapping service areas should use non-overlapping channels
    • 5 GHz Spectrum
      • Channels are 20 MHz
      • Less overlapping
      • Neighboring APs should be separated by at least one channel
      • Channels can be bonded to multiply data rates by 2, 4 or 8x
        • 40, 80 or 160 MHz wide
    • Interference
      • 2.4 – there are many devices in this range
        • Microwave
        • Wireless Video Cameras
        • Fluorescent Lights
        • Baby Monitors
      • 2.4 vs 5 GHZ
        • 2.4 GHz has greater range and propagates through obstacles better
        • 2.4 is more crowded
        • 5 GHz 802.11ac has higher throughput than is available with 2.4 GHz
    • Site Surveys
      • Used to design layout of AP
        • Maximum coverage of the required area
        • Minimum leakage
        • Discover potential sources of interference
        • WLC can manage channel allocation and power levels of APs
      • inSSIDer – Free software to see SSIDs in the area
  • Wireless Security
    • Leakage is when a signal goes outside of the wanted area
    • No physical connection is needed to join the network
    • More vulnerable to attack
    • Strong auth and encryption should be used
    • Security Standards
      • WEP – Wired Equivalent Privacy (1999) – RC4 encryption
      • WPA WiFi Protected Access (2003) – RC4 Encryption, TKIP (Temporal Key Integrity Protocol)
      • WPA2 (2004) – AES encryption, CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
      • WPA3 (2018) – AES encryption, CCMP, protection against the KRACK attack
    • WPA Personal/Enterprise
      • Personal uses pre-shared keys (PSKs)
      • Enterprise uses an AAA server
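Channel overlap in the 2.4 GHz band, as described in the "2.4 GHz Spectrum" notes above, can be checked with simple arithmetic. The following Python is an added example and not part of the course or these notes: it uses the 22 MHz channel width and the band limits given above together with the 802.11 channel centre frequencies (channels 1-13 are spaced 5 MHz apart starting at 2412 MHz; channel 14, Japan only, sits at 2484 MHz) and reports which channels interfere with each other and why 1, 6 and 11 are the usual non-overlapping choice.

```python
"""2.4 GHz Wi-Fi channel overlap calculator.

Added example (not from the course notes).  Uses the figures in the notes
(22 MHz channel width, band 2.4-2.4835 GHz, 2.497 GHz in Japan) and the
802.11 centre-frequency layout for channels 1-14.
"""

CHANNEL_WIDTH_MHZ = 22
BAND_TOP_MHZ = 2483.5          # top of the 2.4 GHz ISM band in most countries
BAND_TOP_JAPAN_MHZ = 2497.0    # Japan allows channel 14 below this edge


def center_frequency(channel: int) -> int:
    """Centre frequency in MHz for 2.4 GHz channels 1-14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channel_edges(channel: int, width: int = CHANNEL_WIDTH_MHZ) -> tuple:
    """(lower, upper) edge of the channel in MHz."""
    centre = center_frequency(channel)
    return centre - width / 2, centre + width / 2


def channels_overlap(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < width


def non_overlapping_set(channels, width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Greedy pick: walk the channels in order and keep each one that does
    not overlap anything already kept.  For channels 1-11 this yields 1, 6, 11."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, kept, width) for kept in chosen):
            chosen.append(ch)
    return chosen


def within_band(channel: int, band_top: float = BAND_TOP_MHZ) -> bool:
    """True if the whole channel fits below the regulatory band edge."""
    return channel_edges(channel)[1] <= band_top


def overlap_report(channels) -> dict:
    """Map each channel to the other channels it interferes with."""
    channels = list(channels)
    return {ch: [o for o in channels if o != ch and channels_overlap(ch, o)]
            for ch in channels}


if __name__ == "__main__":
    for ch, others in overlap_report(range(1, 12)).items():
        print(f"channel {ch:2d} ({center_frequency(ch)} MHz) overlaps {others}")
    print("non-overlapping:", non_overlapping_set(range(1, 12)))
```

With the 22 MHz width from the notes, adjacent channels overlap until they are five channel numbers (25 MHz) apart, which is exactly why neighbouring APs are put on 1, 6 and 11; channel 14 is the only one whose upper edge (2495 MHz) falls outside the 2.4835 GHz band limit, matching the Japan-only note.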

Section 38: Network Automation and Programmability

  • Traditional network management
    • Manage a single device at a time over SSH or with GUI tools
    • Copying and pasting from a text file
    • NMS – Network Management Systems
      • Use protocols such as SNMP and NetFlow to gather info on the state of the network
      • SNMP can be used to push configuration, but this can be complex
      • SNMP has security concerns
    • Issues
      • Time consuming to configure one device at a time
      • Likelihood of typos and other mistakes
      • Having many admins leads to difficult change control
      • Easy to end up with non-standard configurations which are difficult to troubleshoot
  • Network Automation
    • Use for
      • Device configuration
      • Initial device provisioning
      • Software Version Control
      • Collecting Statistics from devices
      • Compliance verification
      • Reports and troubleshooting
    • Automation Benefits
      • Network programmability enables automation, reducing human-to-machine interaction
      • Reduces human error such as typos
      • Modern tools have been built with monitoring, configuration and troubleshooting in mind
      • More scalable than configuring one device at a time
      • Provides configuration version control
      • Provides software version control
    • Assurance
      • Ensure standardized configuration
      • Report on and correct any exceptions
      • Provide correlation between events on different devices
      • Automatically take corrective action on events and error codes
    • Method to Use
      • Network Management
        • Python Scripts
        • NETCONF
        • RESTCONF
        • Ansible
        • Puppet
        • SDN
        • Cisco DNA Center
      • Not all methods are supported by all devices
      • Choose the method(s) most suitable for your environment and skills
  • Python, Git, GitHub and CI-CD
    • Python for network programmability
      • Relatively easy to learn, with many training resources
      • Human readable
      • Open source
      • Can be installed on all popular operating systems
      • Easy to find network automation code samples
    • Git
      • Version control system for tracking changes in source code and files
      • Used mainly for software development, but can provide version control for any type of file
      • Git is a distributed version control system
      • Every Git directory on each computer has a full copy of the repository with history and full version-tracking abilities
        • This allows multiple developers to work on it at the same time
        • Typically there is a designated repository/master copy
    • GitHub
      • A Git repository hosting service
      • Repositories can be public or private
      • Can be copied between users
      • Management tools are available
      • Provides security and conflict resolution
    • CI/CD
      • CI – Continuous Integration
      • CD – Continuous Delivery or Continuous Deployment
      • CI/CD is a set of operating principles and practices that enable application development teams to deliver code changes more frequently and reliably
      • Frequent changes are more efficient than rolling them up into large change windows
      • Automation of building, testing and deployment allows this
      • The implementation is known as the CI/CD pipeline
      • Tools such as Jenkins and Travis CI aid management of the pipeline
  • Data Serialization Formats: XML, JSON and YAML
    • Data serialization is the process of converting structured data to a standardized format that allows sharing or storage of the data in a form that allows recovery of its original structure
      • Allows transfer of data between different systems, applications and programming languages
      • Data formats are mostly interchangeable
    • JSON – JavaScript Object notation
      • Easier for humans to read and work with than XML
      • Can be imported directly into JavaScript
      • RESTful APIs often use JSON
      • JSON Data Types
        • Object
          • Unordered collection of key/value pairs
          • Surrounded by curly braces {}
          • Keys are strings and values must be valid JSON data types
          • Keys and values are separated by a colon
          • Each key/value pair is separated by a comma
        • Array
          • An ordered list of values
          • Surrounded by square brackets []
          • Values must be valid JSON data types
        • String
          • text in quotes
        • Number
          • a number
          • No quotes (putting it in quotes will change it to a string)
        • Boolean
          • true/false
        • Null
          • represents a blank entry
          • Can be typed out as null, or the field can be left blank (as long as the application supports blank)
    • XML – eXtensible Markup Language
      • Designed to describe and transfer data
      • <key>value</key> contained within object tags
    • YAML – YAML Ain’t Markup Language
      • Often used with Python, Perl and Ansible
      • Easily read by humans
      • White space (indentation) is significant
      • Items at the same indentation level are treated as being at the same level
      • A document starts with ---
      • Key: value representation
      • - (a hyphen) indicates a list item
      • Ansible playbooks use YAML
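To see the three formats side by side, the following Python is an added example and not part of the course or these notes. It serializes one constructed device record to JSON and XML with the standard library, and to YAML with a deliberately minimal writer that implements only the rules listed above (document start `---`, `key: value`, `- ` list items, indentation for nesting); a real project would use the PyYAML library instead. It also shows the typing difference the notes point out: JSON distinguishes the number 21 from the string "21", while every XML value comes back as text.

```python
"""The same device data in JSON, XML and YAML.

Added example, not from the course notes.  Only the Python standard
library is used; the YAML writer below is a teaching-sized subset, not a
YAML library.  SAMPLE is constructed data.
"""
import json
import xml.etree.ElementTree as ET

SAMPLE = {
    "hostname": "R1",
    "interfaces": [
        {"name": "GigabitEthernet0/1", "vlan": 21, "enabled": True, "description": None},
        {"name": "GigabitEthernet0/2", "vlan": 22, "enabled": False, "description": "AP uplink"},
    ],
}


# ---------- JSON ----------
def json_roundtrip(data):
    """Serialize and parse back; JSON keeps the types (int, bool, null)."""
    return json.loads(json.dumps(data))


def json_value_types(text: str) -> dict:
    """Return {key: type name} so the number-vs-string difference is visible."""
    return {k: type(v).__name__ for k, v in json.loads(text).items()}


# ---------- XML ----------
def _scalar(value) -> str:
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _fill(parent: ET.Element, data) -> None:
    if isinstance(data, dict):
        for key, value in data.items():
            _fill(ET.SubElement(parent, key), value)   # <key>value</key>
    elif isinstance(data, list):
        for item in data:                               # XML has no list type: repeat a tag
            _fill(ET.SubElement(parent, "item"), item)
    elif data is not None:
        parent.text = _scalar(data)                     # every XML value is plain text


def to_xml(data, root_tag: str = "device") -> str:
    root = ET.Element(root_tag)
    _fill(root, data)
    return ET.tostring(root, encoding="unicode")


def xml_find_text(xml_text: str, path: str):
    """Look a value up by path; it comes back as a str, never as an int."""
    node = ET.fromstring(xml_text).find(path)
    return None if node is None else node.text


# ---------- YAML (minimal writer) ----------
_AMBIGUOUS = {"", "true", "false", "null", "yes", "no", "on", "off", "~"}


def _yaml_scalar(value) -> str:
    """Quote strings that a YAML parser would otherwise read as another type."""
    if isinstance(value, str):
        looks_numeric = value.replace(".", "", 1).lstrip("-").isdigit()
        if value.lower() in _AMBIGUOUS or looks_numeric or ": " in value or value[0] in "-#":
            return json.dumps(value)        # a double-quoted YAML string
        return value
    return _scalar(value)


def _yaml_lines(data, indent: int = 0) -> list:
    pad = "  " * indent
    lines = []
    if isinstance(data, dict):
        for key, value in data.items():
            if isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(_yaml_lines(value, indent + 1))   # nesting by indentation
            else:
                lines.append(f"{pad}{key}: {_yaml_scalar(value)}")
    elif isinstance(data, list):
        for item in data:
            if isinstance(item, dict):
                sub = _yaml_lines(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")   # first key shares the "- " line
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_yaml_scalar(item)}")
    return lines


def to_yaml(data) -> str:
    return "---\n" + "\n".join(_yaml_lines(data)) + "\n"


if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print(to_xml(SAMPLE))
    print(to_yaml(SAMPLE))
```

`json_value_types('{"vlan": 21, "name": "21"}')` reports `int` for the first value and `str` for the second, which is the quoting rule the notes describe; the same VLAN read back from the XML is always the string "21", so an application consuming XML has to convert types itself.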

Time flies when you are having fun… and sometimes when you are not.

It has been 9 days since I have been able to study, as house prep for the sale of our house is taking longer than we had expected and the search for a new position continues on.  Now I just have to make sure that I don’t get distracted by all the goings-on and try to meet my target date of August 30th for this test.

Section 33: Cisco Device Security

  • Line Level Security
    • No security on the device when received from the factory
    • Access through a console cable, no password required
    • The first task should be to set security for only authorized admins
    • IOS Command Hierarchy
      • hostname> – User Exec mode
      • hostname# – privileged Exec mode (Enable mode)
      • hostname(config)# – Global Config mode (Configure Terminal)
      • hostname(config-if)# – Interface Config mode 
    • Basic Line Level Security
      • Console line – console cable access to User Exec mode
        • Access to only one person at a time
        • Command
          • (config)#line console 0
          • (config-line)#password [password]
          • (config-line)#login
      • Virtual terminal VTY line – Telnet or SSH (Secure Shell) access to User Exec mode
        • Connections are not accepted by default
        • IP address and VTY line access must be configured
        • Used to connect to the device over an IP connection
        • Command
          • Setup 
            • (config)#line vty 0 15
            • (config-line)#password [password]
            • (config-line)#login
        • Note:
          • Multiple connections allowed at once
          • First come, first served
    • Privileged Exec Mode – Accessed through the User Exec mode
      • Notes:
        • Passwords can be different for each level
    • Exec Timeout
      • The default time is 10 minutes
      • Command
        • Turn-off
          • no exec-timeout
          • exec-timeout 0
        • Set time-out
          • (config)#line con 0
          • (config-line)#exec-timeout 15
          • (config)#line vty 0 15
          • (config-line)#exec-timeout 5 30
            • The first number is minutes, the second number is seconds
        • Restrict access based on an access-list
          • (config)#line vty 0 15
          • (config-line)#login
          • (config-line)#password [password]
          • (config-line)#access-class 1 in
  • Privileged Exec and Password Encryption
    • Enter ‘enable’ at User Exec mode to enter Privileged Exec mode
    • Password is stored in plain text by default
      • Should use the ‘enable secret’ command and not ‘enable password’
      • If both ‘enable password’ and ‘enable secret’ are configured, only ‘enable secret’ is used
      • You can use the same password for both, but the system will ask for the password to be entered twice
      • Use the service password-encryption command to encrypt all passwords including the vty passwords
    • Command
      • Set enable password
        • (config)#enable password [password]
      • Set encrypted password
        • (config)#enable secret [password]
      • Set all passwords in the config to be encrypted
        • (config)#service password-encryption
  • Usernames and Privilege Levels
    • With line level security all admins log in with the same password
    • Username Level Security
      • Command
        • (config)#username admin1 secret [password]
        • (config)#username admin2 secret [password]
        • (config)#line console 0
        • (config-line)#login local
        • (config)#line vty 0 15
        • (config-line)#login local
    • Privilege Levels
      • There are 16 privilege levels (0-15), the default level is level 1.
      • Usernames can be assigned privilege level but will default to level 1 if not specified.
      • Each command in IOS can be assigned a privilege level
      • Three levels of privilege are used by default
        • Zero (level 0)
          • Allows logout, enable, disable, help and exit
        • User (level 1)
          • Limited read-only access
        • Privileged (level 15)
          • Complete control over the device
          • When entering enable mode you are at level 15 by default
      • Configure command to have a privilege level
        • (config)#privilege exec level [level #] [command]
    • Set a password to open with a specified privilege level
      • If no level is set it will default to level 15
      • Command
        • (config)#enable secret level [level # to be set] [password]
  • SSH Secure Shell
    • Telnet crosses the network in plain text, SSH is encrypted
    • It is best practice to disable Telnet
    • SSH requires an RSA key pair of at least 768 bits, which must be generated before SSH can be enabled
    • Command
      • Domain name needs to be set first before generating an encryption key
        • (config)#ip domain-name [domain]
      • Generate key
        • (config)#crypto key generate rsa
      • Name of key will be device hostname dot domain name
      • Choose the length of the key
        • How many bits in the modulus [512]: [key length]
    • SSH only uses usernames and will not accept line-level passwords.
    • Command
      • (config)#line vty 0 15
      • (config-line)#transport input ssh
      • (config-line)#login local
      • (config-line)#exit
      • (config)#ip ssh version 2
        • This command is optional but it is recommended as it will only allow version 2
      • KNOW this command as it could be on the test
        • >ssh -l [username] [IP Address]
  • AAA – Authentication, Authorization and Accounting
    • Limitations of Local Security Configuration
      • Setting line level security and/or local usernames on each device has serious scalability limitations
        • Adding, removing or changing a password has to be done on each box
    • AAA servers allow
      • Centralized passwords
      • Multiple servers can be used for redundancy
    • Authorization and Accounting are optional.  Authentication is mandatory when Authorization and/or Accounting are used.
    • AAA Protocols
      • RADIUS and TACACS+
      • Both are open standards, but vendors may have proprietary extensions
      • RADIUS is also used commonly for other services (example VPN)
      • TACACS+ Commonly used for admin access as it provides more granular authorization abilities
    • Cisco AAA
      • Current version is ISE (Identity Services Engine)
      • End of Life version is ACS (Access Control Server)
    • Commands
      • Old RADIUS Config
        • (config)#username [username] secret [password]
          • Backup username and password to be used in an emergency if the AAA server is unreachable
          • This username/password will not work while the AAA server is reachable by the device; it is only usable when the AAA server cannot be reached
        • (config)#aaa new-model
          • This enables AAA on the device
        • (config)#radius-server host [primary AAA server ip address] key [password]
        • (config)#radius-server host [secondary AAA server ip address] key [password]
          • Sets the location of the RADIUS server; adding more than one provides redundancy
        • (config)#aaa group server radius FB-RG
        • (config-sg-radius)#server 10.10.10.10
        • (config-sg-radius)#server 10.10.10.11
          • Sets an AAA server group; this is optional and lets you authenticate against only the specified AAA servers
        • (config)#aaa authentication login default group radius local
          • Use all RADIUS servers, or
        • (config)#aaa authentication login default group FB-RG local
          • Use the servers in the specified group; details of the other aaa commands are not covered in CCNA
      • New RADIUS Config – New config gives AAA servers a name for each server and sub-commands for those servers.
        • (config)#aaa new-model
        • (config)#radius server Server1
        • (config-radius-server)# address ipv4 10.10.10.10
        • (config-radius-server)# key [password]
        • (config)#radius server Server2
        • (config-radius-server)# address ipv4 10.10.10.11
        • (config-radius-server)#key [password]
        • (config)#aaa group server radius [groupname]
        • (config-sg-radius)#server name Server1
        • (config-sg-radius)#server name Server2
        • (config)#aaa authentication login default group [groupname] local
      • Old & New TACACS+ commands
        • Same as RADIUS, but you use ‘tacacs+’ as opposed to ‘radius’
  • Global Security Best Practices
    • Login Banner – this message will be seen before the user logs in
      • Command
        • (config)#banner login " [hit enter]
          Enter TEXT message. End with the character '"'.
          Authorized users only"
    • Exec banner – this message will be seen after the user logs in to the device
      • Command
        • (config)#banner exec "
          Enter TEXT message. End with the character '"'.
          Please log out immediately if you are not an authorized administrator"
    • Disable unused services
      • Reduces attack surface
      • Disable HTTP always and CDP in highly secure environments
      • Command
        • (config)#no ip HTTP server
        • (config)#no cdp run
    • All network devices should have time synchronized
      • Aids troubleshooting
      • Required for features such as Kerberos and digital certs
      • Use NTP as time can drift over time
      • Command
        • (config)#clock timezone [timezone]
        • (config)#ntp server [server IP]
        • (config)#ntp master
          • Configures the router to act as an NTP server
      • Verification Commands
        • #show clock
          • It can take up to 5 minutes for the device to sync its time.
        • #show ntp status
  • Network Device Management
    • Syslog
      • Generated when something happens on the device
      • Format
        • seq no
        • Timestamp
        • %facility
        • severity
          • Levels – 8 levels
            • 0 – Emergency – System is unusable
            • 1 – Alert – A condition that should be corrected immediately
            • 2 – Critical – Critical conditions
            • 3 – Error – Error conditions
            • 4 – Warning – Warning conditions
            • 5 – Notice – Normal but significant conditions
            • 6 – Informational – Informational messages
            • 7 – Debug – messages that contain information normally of use only when debugging a program.
        • mnemonic
          • Short desc
        • description
      • Logging locations
        • Console line
          • All events logged by default
        • VTY Terminal lines
          • Not enabled by default
        • Logging buffer
          • Events saved in RAM; can be viewed with the show logging command
          • All events logged by default
        • External Syslog servers
      • You can specify different logging levels to each location
      • When a severity level is set, all events at that level or more severe (a lower number) will be logged to that location.
      • Command
        • Disable console logging
          • (config)#no logging console
        • VTY lines logging
          • (config)#logging monitor [severity level]
        • Log all events at severity level 7 (debugging) and more severe, i.e. every level, to the buffer
          • (config)#logging buffered debugging
        • Set external syslog server
          • (config)#logging [syslog ip address]
          • (config)#logging trap debugging
      • Systems used to collect logs
        • Syslog server
        • SIEM (Security Information and Event Management), which will typically also provide analysis and correlation of events.
      • Verification Command
        • #show logging
      • To stop log messages from appearing in the middle of what you are typing, use the ‘logging synchronous’ command on the line; it displays the message and then reprints what you have typed on a new line.
      • Notes about logging
        • Debug output goes to the console line; for it to be displayed on a vty line the #terminal monitor command needs to be used.
        • Debug commands can produce large amounts of output and can overwhelm a device so use very carefully in a production environment.
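The severity numbering is the part of this that catches people out (0 is the most severe, so a destination set to ‘warnings’ receives levels 0-4, not 4-7). As an added example that is not part of the original post or the course material, here is a small Python parser for the IOS message format described above, run over constructed sample lines, that applies a configured level keyword the way the logging buffered / logging trap commands do. The message names are common IOS ones, but the sequence numbers, timestamps, addresses and the level-0 line are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords as used by 'logging buffered|monitor|trap <level>'; the number is the IOS level
LEVEL_KEYWORDS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample output in the IOS layout:  seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: description
# (the sequence number and timestamp only appear when 'service sequence-numbers' / 'service timestamps' are on)
SAMPLE_LOG = """\
000015: *Mar  1 00:02:11.123: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
000016: *Mar  1 00:02:12.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
000017: *Mar  1 00:03:40.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.50)
000018: *Mar  1 00:04:02.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.10.99] [localport: 22]
000019: *Mar  1 00:05:00.000: %SYS-0-EMERGENCY: constructed level-0 message for this example
"""

_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                # optional sequence number
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s+)?"   # optional timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS log line; return None for lines that are not in the message format."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def parse_log(text: str) -> List[SyslogMessage]:
    return [msg for msg in map(parse_line, text.splitlines()) if msg is not None]


def delivered_at_level(msgs: List[SyslogMessage], level_keyword: str) -> List[SyslogMessage]:
    """Messages a destination configured with 'logging ... <level_keyword>' receives.

    IOS logs the configured level and everything more severe. Because 0 is the most
    severe level, that is severity <= threshold, not >=.
    """
    threshold = LEVEL_KEYWORDS[level_keyword]
    return [m for m in msgs if m.severity <= threshold]


if __name__ == "__main__":
    # What a syslog server configured with 'logging trap warnings' would be sent
    for m in delivered_at_level(parse_log(SAMPLE_LOG), "warnings"):
        print(f"{m.seq:06d} %{m.facility}-{m.severity}-{m.mnemonic}: {m.description}")
```

Running it with ‘warnings’ delivers the LINK (3), LOGIN_FAILED (4) and level-0 lines and drops the two level-5 lines; ‘debugging’ delivers all five.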
  • SNMP – Simple Network Management Protocol
    • An open standard used on most network devices
    • SNMP Terms
      • SNMP Manager
        • Collects and organizes information from SNMP Agents
        • AKA SNMP Server or NMS (Network Management System)
        • Can pull info from SNMP devices ‘get’ or device can push ‘Trap’ information to the SNMP Server
        • Devices can also support changes being made over SNMP by an SNMP Server
        • MIB (Management Information Base) – organizes the data being delivered to or retrieved from the device.
        • SNMP server and SNMP device use the same MIB so they both know what data is, and can be, passed.
    • SNMP Versions
      • SNMPv1 plain text between server and agent, using matching Community strings
      • SNMPv2c same as v1 but supports bulk retrieval of data
      • SNMPv3 supports strong Auth and encryption, recommended but is not supported on all devices 
    • Commands
      • Sets SNMP Information
        • (config)#snmp-server contact [email]
        • (config)#snmp-server location [text description]
      • Set Community Strings
        • (config)#snmp-server community [string] ro
        • (config)#snmp-server community [string] rw
      • Set SNMP server and traps
        • (config)#snmp-server host [IP address] [communitystring]
        • (config)#snmp-server enable traps [traptype]
    • Best Practice
      • SNMP should be disabled if not being used.
      • Should change the default SNMP community strings if SNMP is going to be used
      • Use SNMPv3 with secure passwords
  • SNMPv3 Configuration
    • Supports authentication and encryption
    • Works with users and groups
    • Matching user account is set up on the NMS server and network device
    • Settings are made up from the groups the user is a member of
    • Security Levels
      • noAuthnoPriv
        • No Auth password is exchanged
        • Communications between the agent and server are not encrypted
        • username replaces the community string
      • AuthNoPriv
        • Uses Auth password
        • No encryption is used for communication
      • AuthPriv
        • Uses Auth password
        • Communication is encrypted
    • Configuration Action
      • access – specify an access-list associated with this group
        • limits the device to communicate with access list specified NMS server
      • context – specify a context to associate these views for the group
        • specify which VLANs are accessible via SNMP
      • match – context name match criteria
      • notify – specify a notify view for the group
      • read – specify a read view for the group
      • write – specify a write view for the group
        • Views
          • limit what information is accessible to the NMS server
          • If read view is not specified all MIB objects are accessible
          • If write view is not specified no MIB objects are accessible
          • NMS gets read-only access to all MIBs by default
          • Notify is disabled by default if not specified, it is used to send a notification to group members
    • Command
      • Group config 
        • (config)#snmp-server group [groupName] v3 [Security Level] [action]
      • User config
        • (config)#snmp-server user [user] [groupname] v3 auth [auth algorithm] [password] priv [encryption] [bit size] [priv password]
          • Auth algorithm
            • md5
            • sha – most secure but slower
          • Encryption type
            • des
            • 3des
            • aes – most secure but slower
              • 128 – Use 128 bits
              • 192 – Use 192 bits
              • 256 – Use 256 bits
    • Syslog vs SNMP
      • Both provide logging functionality
      • Syslog often provides more detailed information
      • SNMP supports pushing data
      • NMS servers typically support both syslog and SNMP
    • NMS vs SIEM
      • Both pull reports to help with early warning and troubleshooting but differ in focus:
        • NMS focuses on network information 
        • SIEM focuses on security info 
What not to do if you are trying to study for a certification, work a full-time job, interview for new positions, prepare to sell a house, and look for a new house in a new state…  It is really not the best way to focus on learning, but

“Control what you can control”

So on with a short day 11 of studying.
Section 32: The Security Threat Landscape

  • Most of this Section is a review since I have passed both my CompTIA Security+ and CySA+ certifications; it is not until the site-to-site VPN that we start focusing on setup and configuration.
  • Site-to-site VPN Virtual Private Networks – This
    • Phase 1 – Initial Setup of the tunnel 
      • Command to setup site-to-site VPN
        • (config)#crypto isakmp policy 1
        • (config-isakmp)#encryption aes
        • (config-isakmp)#hash sha
        • (config-isakmp)#authentication pre-share
        • (config-isakmp)#group 2
        • (config-isakmp)#lifetime 86400
        • (config)#crypto isakmp key [pre-shared key] address [address connecting to]
      • Command to set up the ACL that defines the interesting traffic, i.e. the traffic that will traverse the VPN
        • (config)#ip access-list extended [text name]
        • (config-ext-nacl)#permit ip [source IP range] [source wildcard mask] [destination IP range] [destination wildcard mask]
    • Phase 2 – encryption of the data that will traverse the tunnel
      • Command for IPsec
        • (config)#crypto ipsec transform-set [textname] esp-aes esp-sha-hmac
      • Command for defining the traffic
        • (config)#crypto map [textname] 10 ipsec-isakmp
        • (config-crypto-map)#set peer [destination ip]
        • (config-crypto-map)#set transform-set [textname]
        • (config-crypto-map)#match address [accesslistName]
      • Command to assign encryption to the interface
        • (config)#interface [interface]
        • (config-if)#crypto map [cryptoMapName]
  • Remote Access VPN Virtual Private networks
    • Cisco AnyConnect is used on the ASA firewall for remote access
      • uses TLS
    • Split Tunneling
      • Corporate traffic will go over the VPN, internet traffic will go direct to the internet
    • Full Tunneling
      • All traffic goes through the VPN; internet traffic is then sent out to the internet from the corporate side.
  • Threat Defense Solutions
    • malware, phishing and data exfiltration
      • Cisco ESA – Email Security Appliance
        • Scans links and attachments in incoming emails for malware, phishing attacks, and spam.
      • Cisco WSA – Web Security Appliance
        • Prevents users from accessing dangerous websites
      • Policies can be implemented on both systems to prevent sensitive information from being sent out of the org.
    • DDoS – Distributed Denial of Service
      • Advanced firewalls can offload incoming connection attempts from servers when the traffic rate reaches a threshold and respond with quicker connection timeouts and/or cookies
I found studying really interesting; I feel like I have covered so much data, but there always seems to be so much more to learn.  There are a total of 309 lectures in the course and I have completed 223 of them, and at 72% it is hard not to focus on how much more there is to learn, and for me it is stressful.  Then I look at my daughter and I can see that I have passed that on to her also.

This is where I have to remember that I will never know everything. I am learning the information to build my base of knowledge, and while it increases that base, the base that I have built to this point in my career is pretty fantastic and there is little if anything that I can’t grasp, so what I continue to learn is just supporting my ability to support others.
Section 31: WAN – Wide Area networks

  • VPN – Virtual Private Network
    • A virtual tunnel between private networks across a shared public network
    • Traffic is encrypted while traveling over the VPN
    • VPNs run over public internet connections, which are cheaper than dedicated physical links, so they tend to be cheaper.
    • Type
      • Site to site
        • Terminated between routers/firewalls
        • Invisible to nodes
        • Typically uses IPsec for encryption
      • Remote access
        • Client uses software to connect remotely to a location
        • Can access anywhere there is internet connectivity
        • Usually uses SSL and sometimes IPsec
    • Configuration Options
      • IPsec Tunnel
        • Open standard IP tunnel
        • Does not support multicast
      • GRE (Generic Routing Encapsulation) over IPsec tunnel
        • adds support for multicast
      • IPsec VTI (Virtual Tunnel Interface)
        • Cisco proprietary Simplified Configuration
        • Support multicast
      • DMVPN (Dynamic Multipoint VPN)
        • Cisco proprietary
        • Scalable simple hub and spoke config
        • Enables direct full mesh connectivity between all devices
      • FlexVPN
        • Cisco proprietary
        • Similar to DMVPN
        • Newer technology
      • GETVPN (Group Encrypted Transport VPN)
        • Cisco proprietary
        • Scalable centralized policy for VPN over non-public infrastructure (like MPLS)
  • WAN Connectivity Options
    • Service provider will typically provide an SLA (Service Level Agreement)
      • Guarantees for uptime
      • Traffic delay
      • Loss on the link
    • Leased Lines/Satellite
      • Connectivity to the internet
      • Direct Connectivity between offices
      • Connectivity between offices over VPN
      • Dedicated physical connection
      • Reserved bandwidth, not shared with anyone else
      • Bandwidth is available in both directions
      • Commonly leased from a service provider for a monthly fee
      • Common uses
        • point to point connectivity between two offices
        • data center providing multipoint connectivity between offices
        • Data center connected to the internet, providing Internet connectivity and optional connectivity over Internet VPN
      • Leased line uses a serial connection
      • Common bandwidth options
        • North America
          • T1 – 1.544 Mbps
          • T2 – 6 Mbps
          • T3 – 45 Mbps
          • T4 – 275 Mbps
        • Europe
          • E1 – 2 Mbps
          • E2 – 8 Mbps
          • E3 – 34 Mbps
          • E4 – 140 Mbps
      • Typically provide an SLA for uptime, traffic delay and loss on the link.
      • typically more expensive
      • usually a longer lead time for installation
      • Satellite
        • Typically more expensive and lower bandwidth, but may be the only option in hard to reach areas.
    • MPLS – Multi Protocol Label Switching
      • Shared core infrastructure at the service provider
      • Connectivity to the internet
      • Connectivity between the office over VPN
      • MPLS VPN
        • usually operated by a service provider
        • Can travel over the provider’s shared MPLS network
        • Different levels of SLA for uptime, traffic delay and loss are often available at different price points
        • Typically Ethernet connections to customer router
        • Provides full mesh topology by default
      • Layer 3 MPLS VPN
        • runs across the provider’s core
        • Customer routers do not run MPLS
        • Static routes or a routing protocol runs between the customer Edge and Provider Edge routers
        • Customer sites are in different IP subnets
      • Layer 2 MPLS VPN
        • Customer and provider routers do not peer with each other
        • provider network acts like a giant switch
        • Customer sites are in the same  IP subnet
        • Reason to use
          • required for clustering an app over WAN
          • useful for migrating hosts during Disaster Recovery
        • Terminology
          • VPLS – Virtual Private LAN service 
            • Multipoint Layer 2 VPN
          • VPWS – Virtual PseudoWire Service
            • Point to point Layer 2 vpn
    • Optical Fiber
      • More suitable than copper for long distances
      • Commonly used for backhaul connections for service providers 
      • Types of FTTx Services
        • Fiber to the Home
        • Fiber to the Premises
        • Fiber to the Building
        • Fiber to the Neighborhood
    • SONET (North America)/SDH (rest of the world)
      • Standards used in service provider optical fiber networks
        • SONET STS – SONET OC – SDH STM – Bit Rate (Mbps)
          • STS-1 – OC-1 –  – 51.84
          • STS-3 – OC-3 – STM-1 – 155.52
          • STS-12 – OC-12 – STM-4 – 155.52
          • STS-48 – OC-48 – STM-16 – 2488.32
          • STS-192 – OC-192 – STM-64 – 9953.28
    • DWDM – Dense Wavelength Division Multiplexing
      • Combines multiple optical signals into one optical signal transmitted over a single fiber strand
      • Allows more capacity to be added to existing infrastructure
      • Used in all modern long haul optical connections
    • Dark Fiber
      • Unused fiber that was not needed by a service provider.
    • WAN Backup and small Office Solutions
      • Options often aimed at home user Internet access
      • Typically do not carry an SLA that meets corporate levels
      • Can be used in smaller offices to connect to corporate network
        • DSL – Digital Subscriber Line
        • Cable
        • Wireless – Example 4G
    • Legacy WAN Connectivity Options
      • PSTN – Public Switched Telephone Network
      • ISDN – Integrated Services Digital Network
      • Frame Relay
      • ATM – Asynchronous Transfer Mode
      • X.25
  • PPPoE – Point to Point Protocol over Ethernet
    • Commonly used in DSL deployments
    • Can be configured on either the DSL modem or the router
  • WAN Topology Options
    • Hub and spoke (Star)
      • Advantages
        • Simplicity
        • Centralized security policy
      • Disadvantages
        • Single point of failure
        • Suboptimal traffic flow
    • Redundant Hub and Spoke
      • Advantages
        • Removes single point of failure
        • centralized security policy
      • Disadvantages
        • Higher cost
        • suboptimal traffic flow
    • Full Mesh
      • Advantages
        • Optimal Traffic flow
      • Disadvantages
        • Higher complexity and cost
    • Partial Mesh
      • Advantages
        • Partially optimal traffic flow
      • Disadvantages
        • Higher cost

10 Sections left and then it is a week of labbing, Cert Prep video, and prep tests!!  Let’s just keep it going!
Section 29: NAT – Network Address Translation

  • NAT was developed to deal with the exhaustion of the IPv4 network range, this allows the Private address ranges to be used while using a single or a few public IP addresses.
  • NAT Types 
    • Static Nat
      • One-to-one mapping
      • Usually used for server hosting
      • A single static NAT rule translates both incoming and outgoing traffic.
      • Commands
        • Route 
          • Outside 
            • (config)#int [interface1]
            • (config-if)#ip nat outside
          • Inside
            • (config)#int [interface2]
            • (config-if)#ip nat inside
          • Route
            • (config)#ip nat inside source static [inside local IP] [inside global IP]
        • Verification
          • show ip nat translation
      • For one-way NAT, the Outside Local and Outside Global addresses will be reported as being the same.
    • Dynamic NAT
      • IP address that is given out on a first come first served basis
      • Usually for users connecting to the Internet but do not accept incoming connections
      • You need a public IP address for each host that will be communicating out of the router on standard Dynamic NAT
      • If no IP address is available, the device wanting to communicate has to wait for a connection to be torn down and its address released back into the pool
      • Commands
        • Route 
          • Outside 
            • (config)#int [interface1]
            • (config-if)#ip nat outside
          • Inside
            • (config)#int [interface2]
            • (config-if)#ip nat inside
          • Config pool of global address
            • (config)#ip nat pool [pool name] [start ip of range] [End ip of range] netmask [subnet mask]
          • Create an Access list example
            • (config)#access-list 1 permit 10.0.2.0 0.0.0.255
          • Associate the access list with the NAT pool
            • (config)#ip nat inside source list 1 pool [pool name]
        • Verification
          • #show ip nat translation
          • #show ip nat statistics
        • Clear NAT translations
          • #clear ip nat translation
        • Clear all dynamic translations
          • #clear ip nat translation *
    • Port Address Translation
      • Allows the same IP address to be reused
        • Different ports being directed to different locations
      • The device keeps track of the client’s port number
        • Tracks translations by IP and Layer 4 port
      • Commands
        • Configuration with static IP address(es)
          • Use the same configuration as Standard Dynamic NAT, except when associating the access list with the NAT pool use the “overload” keyword
            • (config)#ip nat inside source list [list number] pool [name] overload
        • Configuration with the dynamic outside IP address
          • Interfaces
            • (config)#int [interface1 outside]
            • (config-if)#ip address dhcp
            • (config-if)#ip nat outside
            • (config)#int [interface2 inside]
            • (config-if)#ip nat inside
          • Access list
            • (config)#access-list 1 permit 10.0.2.0 0.0.0.255
          • Associate access list to an interface
            • (config)#ip nat inside source list 1 interface [interface1 outside] overload
        • Verification
          • #show ip nat translation
  • NAT Translation
    • Inside Local Address
      • IP address actually configured on the inside host’s OS
        • Example: Internal IP address on the server hosting website.
    • Inside Global Address
      • NAT’d address of an inside host that outside sources will use to reach inside the host.
        • Example: External IP address that an external DNS would point to for a web server.
    • Outside Local Address
      • The address that outside would see if the internal server sent traffic to an outside destination.
    • Outside Global
      • The ip address assigned to the host outside the network by the host’s owner
      • This becomes important if the router is hosting the same IP address as the one that it is routing to.  It has to present a different address to the other router that is hosting the same IP.
        • For example, if two routers are hosting 10.10.10.0, the first router local address could be presenting the IP address range as 10.10.20.0 and the second router as 10.10.30.0, and those ranges would be translated to the Outside local address of 10.10.10.0.
          • Router 1 would know routers 2’s 10.10.10.0 range as 10.10.30.0
          • Router 2 would know routers 1’s 10.10.10.0 range as 10.10.20.0
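The PAT behaviour above (“tracks translations by IP and Layer 4 port”) and the inside local / inside global terminology are easiest to see by walking a few flows through a translation table. The following Python model is an added example, not code from the course or the post; the addresses (203.0.113.1 as the router’s outside address, 198.51.100.80 as an outside server, 10.0.2.0/24 as the inside list) are constructed, and the port-selection rule (keep the host’s own source port if free, otherwise the next free port from 1024) is an assumption of the model, not a statement about IOS internals. It also keeps one entry per inside ip:port rather than one per outside destination, which is a simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Translation:
    proto: str
    inside_local: Tuple[str, int]    # real address of the inside host
    inside_global: Tuple[str, int]   # what the outside sees: router's public IP plus chosen port
    outside_global: Tuple[str, int]  # the outside host; outside local is the same for this one-way NAT


class PatRouter:
    """Model of 'ip nat inside source list <n> interface <outside> overload' (constructed example)."""

    def __init__(self, inside_global_ip: str, inside_source_list: List[str]):
        self.inside_global_ip = inside_global_ip
        # the access list that selects which inside sources get translated
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_source_list]
        self.by_local: Dict[Tuple[str, str, int], Translation] = {}   # (proto, local ip, local port)
        self.by_global: Dict[Tuple[str, int], Translation] = {}        # (proto, global port)

    def _matches_list(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in self.inside_nets)

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        # Assumption for this model: keep the host's own source port when it is free,
        # otherwise hand out the next free port from 1024 upward.
        if (proto, wanted) not in self.by_global:
            return wanted
        port = 1024
        while (proto, port) in self.by_global:
            port += 1
        return port

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside: rewrite the source ip:port, creating an entry on first use."""
        if not self._matches_list(f.src_ip):
            return f                                   # not in the list: forwarded untranslated
        key = (f.proto, f.src_ip, f.src_port)
        t = self.by_local.get(key)
        if t is None:
            gport = self._pick_global_port(f.proto, f.src_port)
            t = Translation(f.proto, (f.src_ip, f.src_port),
                            (self.inside_global_ip, gport), (f.dst_ip, f.dst_port))
            self.by_local[key] = t
            self.by_global[(f.proto, gport)] = t
        return Flow(f.proto, *t.inside_global, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: only packets matching an existing entry get through; others are dropped."""
        t = self.by_global.get((f.proto, f.dst_port))
        if t is None or f.dst_ip != self.inside_global_ip:
            return None
        return Flow(f.proto, f.src_ip, f.src_port, *t.inside_local)

    def show_translations(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations'."""
        rows = ["Pro Inside global        Inside local         Outside local        Outside global"]
        for t in self.by_local.values():
            ig = "%s:%d" % t.inside_global
            il = "%s:%d" % t.inside_local
            og = "%s:%d" % t.outside_global
            rows.append(f"{t.proto:<3} {ig:<20} {il:<20} {og:<20} {og}")
        return rows


if __name__ == "__main__":
    r = PatRouter("203.0.113.1", ["10.0.2.0/24"])
    r.outbound(Flow("tcp", "10.0.2.10", 50000, "198.51.100.80", 443))
    r.outbound(Flow("tcp", "10.0.2.11", 50000, "198.51.100.80", 443))   # same source port, gets a new global port
    print("\n".join(r.show_translations()))
```

Two inside hosts that happen to use the same source port both leave as 203.0.113.1 but with different global ports, which is what lets the router map the replies back; an inbound packet with no matching entry is dropped, which is why the notes say dynamic NAT hosts “do not accept incoming connections”.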
Section 30: IPv6

  • IPv4 and IPv6 do not have to be an ‘either-or’ decision when using a ‘dual-stack’ solution
    • ‘dual-stack’ implementation can have both IPv4 and IPv6 addresses assigned to interfaces.
      • Communication can use either protocol
      • Long term support for both protocols, and a good transition strategy
  • IPv6 Addressing Format
    • 128-bit address
    • Uses 8 16-bit hexadecimal fields to specify the address; each segment is known as a hexadectet, AKA hextet, piece, or quartet.
      • example: fe80:0000:0000:0000:d60a:a9ff:fee1:bc51
    • Addressing shortening
      • When a hextet contains all zeros it can be replaced by a single zero
        • fe80:0:0:0:d60a:a9ff:fee1:bc51
      • Leading zeros can be removed from a hextet, and if it is all zeros it can be replaced with a single zero
        • Full address example: 2001:0DB9:0000:0001:0000:0000:0000:0001
        • Zero shortening: 2001:DB9:0:1:0:0:0:1
      • If there are several hextets that contain all zeros they can be replaced by two colons,
        • fe80::d60a:a9ff:fee1:bc51
        • This can only be done once in an address; if it were done twice the system translating it would not know how many hextets are represented by each double colon.
          • Example of bad address:
            • Full address /w Zero shorting: 2001:DB9:0:1:0:0:0:1
            • Incorrect format: 0DB9::0001::0001
              • Only 3 hextets are represented and the system needs to place 5 additional hextets but does not know where to place them
            • Correct format: 2001:DB9:0:1::1
              • 5 hextets are present and since there is only a single place where the all-zero hextets can go, the translating system will populate zeros in hextets 5-7.
            • Also correct 2001:DB9::1:0:0:0:1
              • Not as efficient as we are only replacing a single hextet.
  • IPv6 Global Unicast Address
    • IPv6 does not support broadcast traffic but does support multicast using ff02::1
    • Global Unicast
      • Assigned to an individual host and have global reachability
      • Range 2000::/3
        • Internet authorities assign blocks from this range to orgs
        • The common assignment is a /48 block
          • Example 2001:10:10::/48
        • The size can be adjusted larger or smaller based on the size of a company
      • IPv6 standards state that addresses assigned to individual hosts should use a /64 mask
        • Network X:X:X:X:|X:X:X:X Host
      • Commands
        • Enable IPv6 routing
          • (config)#ipv6 unicast-routing
          • (config)#int f0/0
          • (config-if)#ipv6 add [ipv6 address]
          • (config-if)#int f2/0
          • (config-if)#ipv6 add [ipv6 address]
    • Unique Local
      • Similar to IPv4 Private addresses RFC 1918 (Example 10.0.0.0)
      • Not Publicly reachable
      • Range FC00::/7
      • Should use the /64 addressing schema
    • Link Local
      • Valid for communication on that link only; will not be forwarded by a router
      • Used for things like routing protocol hello packets
      • Mandatory on IPv6-enabled Cisco router interfaces
      • range FE80::/10-FEB0::/10
      • Should use the /64 addressing schema
      • Addresses are auto-generated with EUI-64 on IPv6-enabled Cisco router interfaces
        • Addresses can be overridden with manual conf
      • Command
        • Manual link local config
          • (config)#int f0/0
          • (config-if)#ipv6 address [link local address] link-local
    • EUI-64 Addresses
      • A Cisco router can auto-generate a full IPv6 address for itself when given the interface and the /64 network to use
      • Host portion of the address is derived from the interface’s MAC address
        • MAC is only 48 bits, compared to the 64-bit host portion of the IPv6 address
        • FF:FE is inserted in the middle of the 48-bit MAC address to make 64 bits, and the 7th bit is inverted.
          • inverting the 7th (universal/local) bit flips it from local/global to global/local, making the address non-internet routable.
      • Router will borrow the MAC address from the first Ethernet port for non-Ethernet interfaces such as serial ports
      • Not recommended to use EUI-64 on router interfaces.
      • Command
        • Assign eui-64
          • (config)#int [interface]
          • (config-if)#ipv6 address 2001:db8:0:0::/64 eui-64
        • Verification
          • Check MAC
            • #show int [interface]
              • You will see “Hardware is [type], address is [MAC address]
            • #show ipv6 interface brief
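The EUI-64 steps (split the MAC, insert FF:FE, invert the 7th bit of the first octet) are mechanical enough to check by hand, so here is an added Python example, not from the post or the course, that does the derivation and the reverse. The MAC d40a.a9e1.bc51 is a constructed value chosen so the result equals the link-local address used as the example earlier in these notes, fe80::d60a:a9ff:fee1:bc51 (d4 with its 7th bit flipped is d6).

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Derive the 64-bit interface ID (four hextets) from a 48-bit MAC address.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco's aabb.ccdd.eeff notation.
    """
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                        # invert the 7th bit (universal/local bit) of the first octet
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])   # insert FF:FE between the OUI and device halves
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix, as given to 'ipv6 address <prefix>/64 eui-64', with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    network_part = ":".join(net.network_address.exploded.split(":")[:4])
    return ipaddress.IPv6Address(f"{network_part}:{eui64_interface_id(mac)}").compressed


def mac_from_eui64(addr: str) -> str:
    """Reverse the derivation: recover the MAC (Cisco dotted form) from an EUI-64 based address."""
    iid = bytes.fromhex(ipaddress.IPv6Address(addr).exploded.replace(":", "")[16:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID was not derived with EUI-64")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                        # flipping the same bit again restores the original
    h = octets.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    mac = "d40a.a9e1.bc51"                   # constructed sample MAC
    print("link-local :", eui64_address("fe80::/64", mac))
    print("global     :", eui64_address("2001:db8:0:0::/64", mac))
    print("MAC back   :", mac_from_eui64(eui64_address("2001:db8::/64", mac)))
```

Because the interface ID comes straight from the MAC, the same host gets the same last four hextets on every /64 it joins, which is the privacy concern the SLAAC notes mention when they say modern operating systems randomize the host portion instead.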
    • Multiple IP Addresses
      • IPv4 (not sure why this was not covered in the IPv4 section)
        • You can only have a max of two IPv4 addresses on an interface. 
        • If you enter an IPv4 without the secondary command it will over-write the previous address
        • Command using the “secondary” command
          • (config-if)#ip address [ipv4 address] [subnet] secondary
      • IPv6
        • You can have multiple IPv6 addresses on an interface, so you use the same command for adding a secondary IPv6 address; unlike IPv4, which overwrites the previous IP address, it appends the requested address.
    • SLAAC – Stateless Address Autoconfiguration
      • Clients can be assigned IPv6 address through static, DHCPv6 or SLAAC
        • DHCP uses MAC address to IP address assignment, which is stateful addressing
      • Clients with SLAAC
        • Learn the /64 subnet from their local router to generate their own IPv6 EUI-64 address
          • Modern OS randomize the host portion of the address for privacy reasons
        • The router does not track ip to host address so this is stateless
      • When IPv6 addresses are configured the router advertises the network prefix by default
        • ICMP messages are sent from the router’s link-local address to the all-nodes multicast address.
        • Hosts can also send a ‘Router Solicitation’ message to request subnet info.
        • Router will also tell the host to use itself as the default gateway
      • Current SLAAC does not pass other information such as DNS
        • If you have DHCP pass DNS only and not an IP address it is still considered “stateless”
    • Unknown address
      • ::/0 in IPv6 is equivalent to IPv4 0.0.0.0 0.0.0.0 when routing
        • :: is used as the source when interface is trying to get an address.
    • Neighbor Discovery
      • IPv6 ARP 
      • Uses ICMP Neighbor Solicitations and Neighbor Advertisements instead of ARP requests
      • Uses a Solicited-Node multicast address to reach all hosts
      • Verification command
        • #show ipv6 neighbors
          • Returns link-layer addresses
    • IPv6 Static Routes
      • IPv4 and IPv6 use separate routing tables
        • These routing tables are created the same way
      • IPv6 routing has to be enabled with ‘(config)#ipv6 unicast-routing’
        • IPv6 can be assigned without enabling routing but traffic will not be passed to other segments

Week 4 day 2 and a scheduled 70 minutes of videos.  I find that study of the information and the taking of notes this should take about 2 to 2.5 hours.  I have less than two weeks of study but some of those days are 150 minutes of videos in a day which could be a good 3.5 hours of study time for the way that I learn.  So let’s get started.
Section 28: ACLs – Access Control Lists

  • Identifies traffic based on packet info such as IP address (source/destination), port, protocol, etc
  • ACL work on both routers and switches
  • ACLs were originally used as a security feature to allow or deny passage through the device and by default, the device will allow traffic
  • ACLs also are used for identifying traffic for QoS (Quality of Service) and the translation of addresses in NAT (Network Address Translation) policy
  • ACLs are made up of ACEs (Access Control Entries)
  • ACL Syntax
    • Example ACE
      • access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23
        • Standard vs Extended ACL
          • access-list “100”
            • Standard ACL 1-99, 1300-1999
              • Reference the source address only
            • Extended ACL Range: 100-199, 2000-2699
              • Check based on the protocol, source address, destination address and port#
        • Access statement
          • access-list 100 “deny | permit | remark”
        • Protocol
          • ahp – Authentication Header Protocol
          • eigrp – Cisco’s EIGRP routing protocol
          • esp – Encapsulation Security Payload
          • gre – Cisco’s GRE tunneling
          • icmp – Internet Control Message Protocol
          • ip – Any Internet Protocol
          • ospf – OSPF routing protocol
          • tcp – Transmission Control Protocol
          • udp – User Datagram protocol
        • Source IP address/IP address range
          • access-list 100 permit “10.10.10.0” 0.0.0.255
        • Wildcard mask
          • access-list 100 permit 10.10.10.0 “0.0.0.255”
          • The default wildcard mask is 0.0.0.0
            • If you don’t enter a wildcard mask it will attempt to use the default
          • You must enter a wildcard mask when specifying an IP subnet
            • The system will allow you to enter an IP subnet without a wildcard mask
          • If you 
        • Network Port
          • Port Designator
            • any = Any destination host
            • eq = equal to
            • gt = greater than
            • host = A single destination host
            • lt = less than
            • neq = Match only packets not on a given port number
            • range = Match only packets in the range of port numbers
        • Destination IP address/IP address range
        • Destination Subnet Mask
          • The destination subnet mask does not have a default subnet mask so if not entered an error message will be returned.
        • Additional options
          • ack = Match on the ACK bit
          • eq = Match only packets on a given port number
          • established = Match established connections (ACK or RST bit set)
          • fin = Match on the Fin bit
          • gt = Match only packets with a greater port number
          • log = Log matches against this entry
          • log-input = Log matches against the entry, including input interface
          • lt = Match only packets with a lower port number
          • neq = Match only packets not on a given port number
          • range = Match only packets in the range of port numbers
          • rst = Match on the RST bit
          • syn = Match on the SYN bit
          • urg = Match on the URG bit
          • Others not listed here
      • Named ACLs
        • You can refer to ACLs by number or by a name
        • Named ACLs begin with the command 'ip access-list' instead of just 'access-list'
        • Command Example for Named ACL syntax
          • (config)#ip access-list standard [name]
          • (config-std-nacl)#deny 10.10.10.10 0.0.0.0
          • (config-std-nacl)#permit 10.10.10.0 0.0.0.255
        • Verification commands
          • show access-lists [acl# | name]
    • ACL Operations
      • Access Groups
        • ACLs are applied at the interface level with the 'ip access-group' command
        • You can have a max of 1 ACL per interface per direction
      • Command example
        • (config)#int gigabitEthernet0/1
        • (config-if)#ip access-group 100 out
        • (config-if)#ip access-group 101 in
      • Verification Command
        • #show ip interface [interface] | include access list
      • Access Control Entry Order
        • ACL is read by the router from top to bottom
        • When a rule is matched by the packet, the permit or deny action is applied and no more rules are evaluated.
      • Injecting ACE in an Existing ACL
        • ACEs are automatically numbered in increments of 10
        • This allows rules to be placed between pre-existing rules.
        • Command example
          • (config)#ip access-list extended 110
          • (config-ext-nacl)#[ACE#] [deny|permit] [protocol] host [source IP] host [destination IP] eq [port]
      • Implicit Deny All
        • If there is no ACL applied to an interface, 'any' traffic will be able to pass.
        • If there is an ACL, an implicit deny all rule is applied at the end, so a permit rule is needed for any traffic that should be allowed through the interface.
      • Outbound ACLs do not apply to traffic generated by the router itself.
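The three behaviours in the notes above (wildcard-mask matching with 0.0.0.0 assumed when no mask is typed, top-to-bottom first-match evaluation, and the implicit deny at the end) are easiest to see by running them. The following is an added example, not code from the course or from the original notes: a small Python model of how a router parses and evaluates a numbered extended ACL. The ACL it is fed is constructed for the example and uses the ACE from the syntax section above; ports must be numeric (there is no `eq telnet` keyword lookup).

```python
"""Added example (not from the course or the original notes): a model of how
an IOS router parses and evaluates a numbered extended ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str = "0.0.0.0") -> bool:
    """Wildcard bit 1 = ignore this bit, 0 = bit must match.
    IOS assumes 0.0.0.0 (exact host) when no wildcard mask is typed."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def port_match(port: int, op: Optional[str], args: Tuple[int, ...]) -> bool:
    """Apply the eq/neq/gt/lt/range designators; no designator matches any port."""
    if op is None:
        return True
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port designator {op}")


@dataclass
class ACE:
    action: str              # "permit" or "deny"
    protocol: str            # "ip" (any), "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_op: Optional[str] = None
    src_ports: Tuple[int, ...] = ()
    dst_op: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()


def _parse_addr(t: List[str], i: int):
    """Consume 'any', 'host A', or 'A WILDCARD' (wildcard defaults to 0.0.0.0)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1


def _parse_port(t: List[str], i: int):
    """Consume an optional port designator that follows an address."""
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt"):
        return t[i], (int(t[i + 1]),), i + 2
    if i < len(t) and t[i] == "range":
        return "range", (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, (), i


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list N permit|deny PROTO SRC [port] DST [port]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    src, src_wc, i = _parse_addr(t, 4)
    src_op, src_ports, i = _parse_port(t, i)
    dst, dst_wc, i = _parse_addr(t, i)
    dst_op, dst_ports, i = _parse_port(t, i)
    return ACE(t[2], t[3], src, src_wc, dst, dst_wc, src_op, src_ports, dst_op, dst_ports)


def parse_acl(text: str) -> List[ACE]:
    """Parse the non-blank, non-remark lines of an ACL in the order written."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.split() and l.split()[2] != "remark"]


def evaluate(acl: List[ACE], proto: str, src: str, sport: int, dst: str, dport: int):
    """Top to bottom, first match wins. Returns (action, line); line 0 = implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if not port_match(sport, ace.src_op, ace.src_ports):
            continue
        if not port_match(dport, ace.dst_op, ace.dst_ports):
            continue
        return ace.action, n
    return "deny", 0


# Constructed ACL: the ACE from the notes, then a permit for the rest of the subnet.
ACL_100 = parse_acl("""
access-list 100 remark block telnet from the 10.10.30.0/24 user subnet
access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 host 10.10.20.1 eq 23
access-list 100 permit ip 10.10.30.0 0.0.0.255 any
""")

if __name__ == "__main__":
    print(evaluate(ACL_100, "tcp", "10.10.30.5", 50000, "10.10.20.1", 23))  # ('deny', 1)
    print(evaluate(ACL_100, "tcp", "10.10.30.5", 1024, "10.10.20.1", 23))   # ('permit', 2)
    print(evaluate(ACL_100, "tcp", "10.10.40.5", 50000, "10.10.20.1", 80))  # ('deny', 0)
```

The second call is the instructive one: because the deny line only matches source ports above 49151, a telnet connection from a low source port falls through to the permit line, which is exactly the kind of ordering mistake `show access-lists` hit counters help you find. The third call shows the implicit deny: a source outside 10.10.30.0/24 matches nothing and is dropped.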

The first day back at work, so not much time to focus on learning CCNA commands. The goal this week is to follow the study plan for week four, which is 1 to 2 hours a night. It will be a little tough, but anything worthwhile is worth spending time on completing.

Section 27: Switch Security

  • DHCP Snooping
    • Drops DHCP server responses (offer/ack) if they don't arrive on a trusted port.
    • Command Example
      • (config)#ip dhcp snooping
      • (config)#ip dhcp snooping vlan 10
      • (config)#int f0/1
      • (config-if)#ip dhcp snooping trust
  • DAI: Dynamic ARP Inspection
    • Protects against man-in-the-middle ARP spoofing
    • Requires DHCP snooping
      • The switch inspects the DHCP traffic and keeps track of which IP addresses were assigned to which MAC addresses (the binding table)
    • If ARP traffic that does not match the binding table tries to pass through the switch on an untrusted port, the switch drops it.
    • Command example:
      • Trust ports whose hosts do not get their addresses through DHCP (otherwise their ARP traffic has no binding and is dropped)
        • (config)#int f0/1
        • (config-if)#ip arp inspection trust
      • Enable ARP inspection at the VLAN level
        • (config)#ip arp inspection vlan 10
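To make the dependency between the two features concrete, here is an added example (not course material or the notes' own commands): a Python model of a switch with DHCP snooping and DAI enabled on VLAN 10 and f0/1 as the only trusted port, matching the commands above. It shows a server reply being dropped on an untrusted port, the binding table being built from the real server's ACK, a spoofed ARP reply being dropped for lack of a binding, and why a statically addressed host needs its port trusted. Port names, VLAN numbers, MAC and IP addresses are all constructed for the example.

```python
"""Added example (not from the course or the original notes): a toy switch
running DHCP snooping and Dynamic ARP Inspection."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Message types that only a DHCP server should send; snooping blocks them on untrusted ports.
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Switch:
    snooping_vlans: Set[int]                # ip dhcp snooping vlan N
    dai_vlans: Set[int]                     # ip arp inspection vlan N
    trusted: Set[str]                       # ports with 'ip dhcp snooping trust' / 'ip arp inspection trust'
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (vlan, mac) -> ip
    dropped: List[str] = field(default_factory=list)                     # what got dropped and why

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> str:
        """DHCP snooping: server replies are accepted only on trusted ports,
        and each ACK records which IP was handed to which client MAC."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if msg in DHCP_SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append(f"{port}: DHCP {msg} from untrusted port")
            return "drop"
        if msg == "ACK" and yiaddr:
            self.bindings[(vlan, client_mac)] = yiaddr
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI: on untrusted ports the sender MAC/IP pair must match a snooping binding."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return "forward"
        self.dropped.append(f"{port}: ARP {sender_ip} is-at {sender_mac} has no binding")
        return "drop"


def demo() -> Switch:
    """Run a constructed scenario through the switch and return it for inspection."""
    sw = Switch(snooping_vlans={10}, dai_vlans={10}, trusted={"f0/1"})
    pc, rogue, real_ip = "aaaa.aaaa.0001", "bbbb.bbbb.0002", "10.10.10.50"
    sw.dhcp("f0/2", 10, "DISCOVER", pc)              # client request: fine on any port
    sw.dhcp("f0/3", 10, "OFFER", pc, "10.10.10.99")  # rogue server on an access port: dropped
    sw.dhcp("f0/1", 10, "OFFER", pc, real_ip)        # real server via the trusted uplink
    sw.dhcp("f0/1", 10, "ACK", pc, real_ip)          # binding (10, pc) -> 10.10.10.50
    sw.arp("f0/2", 10, pc, real_ip)                  # matches the binding: forwarded
    sw.arp("f0/3", 10, rogue, "10.10.10.1")          # claims the gateway IP: dropped
    return sw


if __name__ == "__main__":
    for line in demo().dropped:
        print(line)
```

The last assertion pattern worth trying yourself is the static host: an ARP reply from a host that never used DHCP is dropped on an untrusted port even though it is legitimate, which is the reason the notes say to trust ports for hosts not assigned through DHCP.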
  • 802.1X Identity Based Networking
    • Only authentication traffic is allowed on the port until the host and user are authenticated
    • After a valid username and password are entered, the switch port switches to a normal access port in the correct VLAN.
    • Steps taken in 802.1X
      • Supplicant (end user) sends username and password to the authenticator switch
      • Authenticator switch confirms the username and password with the authentication server
      • The switch then transitions the port to a regular switch port and allows the supplicant to traverse the network.
  • Preventing Unauthorised Devices with Port Security
    • Shut down unused interfaces when not in use
      • (config)#int f0/2
      • (config-if)#shutdown
    • Port Security
      • Enables an admin to specify which MAC address or addresses can send traffic on an individual switch port.
      • This can be used to lock a port down to specific host(s)
      • You can specify a certain number of MACs that are allowed to connect to a port
      • You can set the port to learn MAC addresses automatically
      • MAC addresses can easily be spoofed, so this is used more to keep wireless access points or other shared devices from being added to the network on these protected ports
    • Command Example, this is set at the interface level
      • This allows a single MAC address at a time but doesn't specify or care what the MAC address is, so devices can be swapped out, allowing only one device at a time. If two MACs are seen the port will shut down.
      • Must be set on access ports (port-security cannot be enabled on a port in dynamic trunking mode)
        • (config)#int f0/2
        • (config-if)#switchport mode access
        • (config-if)#switchport port-security
    • Verification Commands
      • show port-security interface [interface]
    • Security Violation Actions – 3 options
      • Shutdown (Default):
        • Interface is placed into an error-disabled state
        • Will block traffic
        • Command – Restore an error-disabled interface back to service
          • Remove offending MAC address
          • Perform a shutdown and no shutdown command.
        • Command – Auto-Recovery, set at global level
          • (config)#errdisable recovery cause psecurity-violation
          • (config)#errdisable recovery interval 600
      • Protect:
        • Traffic from unauthorised address(es) will be dropped.
        • Only authorised traffic will be forwarded
      • Restrict:
        • Same as Protect
        • Also, unauthorised addresses will be logged and the violation counter is incremented.
      • Command set at the interface level
        • (config)#int f0/2
        • (config-if)#switchport port-security violation [protect | restrict | shutdown]
    • Locking Ports to Hosts with Port Security
      • Maximum MAC Address
        • Default to 1 MAC address per port, this can be changed to whatever number needed
      • Example Command at interface level
        • (config)# interface f0/2
        • (config-if)#switchport port-security maximum 2
      • Verification command
        • #show port-security int f0/2
    • Manually adding MAC Addresses
      • Statically added MAC addresses to a specified port
      • Example Command – Set at the interface level
        • (config)#int f0/10
        • (config-if)#switchport port-security
        • (config-if)#switchport port-security mac-address [MAC address]
        • (config-if)#switchport port-security maximum 1
    • MAC Address Learning
      • Used when you have a large number of ports that need to be locked down and manually configuring each port is not a scalable solution
      • Sticky MAC addresses: learned MAC addresses are added to the running-config (save to startup-config to make them permanent)
      • Example Command – Set at the interface level
        • (config)#interface f0/2
        • (config-if)#switchport port-security
        • (config-if)#switchport port-security mac-address sticky
      • Verification command
        • #show port-security address
          • Shows how each MAC address was assigned to the port [SecureDynamic | SecureSticky | SecureConfigured]
          • Also shows how many MAC addresses have been assigned and the maximum it can have.
        • #show port-security
          • Shows a summary per port of the maximum secured addresses, current addresses, security violation count, and security action.
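The port-security material above (maximum addresses, static and sticky entries, the three violation modes and err-disable recovery) fits in one runnable model. The following is an added example, not code from the course or from the original notes: a Python class for a single secured port whose behaviour follows the rules described in the notes, plus a helper that renders the interface lines a `show running-config` would contain for it. Interface names and MAC addresses are constructed; the syslog strings are only in the style of IOS messages, not verbatim output.

```python
"""Added example (not from the course or the original notes): a model of one
switch port running port-security."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # switchport port-security violation shutdown|restrict|protect
    sticky: bool = False           # switchport port-security mac-address sticky
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> SecureConfigured|SecureDynamic|SecureSticky
    err_disabled: bool = False
    violations: int = 0            # the SecurityViolation count in 'show port-security'
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure[mac] = "SecureConfigured"

    def frame(self, src_mac: str) -> str:
        """Process a frame arriving on the port; returns 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # nothing passes an err-disabled port
        if src_mac in self.secure:
            return "forward"                    # already a secure address on this port
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"                    # learned within the limit
        # Limit reached and the address is unknown: a security violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(f"err-disable: psecure-violation on {self.name} by {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.syslog.append(f"psecure-violation on {self.name} by {src_mac}")
        # protect: drop silently, nothing logged or counted
        return "drop"

    def recover(self) -> None:
        """shutdown / no shutdown (or errdisable recovery) brings the port back.
        Dynamically learned addresses are flushed; static and sticky ones remain."""
        self.err_disabled = False
        self.secure = {m: t for m, t in self.secure.items() if t != "SecureDynamic"}

    def running_config(self) -> List[str]:
        """The interface lines 'show running-config' would contain for this port."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    port = SecurePort("f0/2", maximum=2, sticky=True)
    for mac in ("0011.2233.0001", "0011.2233.0002", "0011.2233.0003"):
        print(mac, port.frame(mac))     # third address violates: port goes err-disabled
    print("\n".join(port.running_config()))
```

Running the block with the default (shutdown) mode shows why the notes say a single extra device takes the port down, and why recovery flushes the dynamic address so the "offending" one can be removed; switching `violation` to `restrict` keeps the port up while still counting and logging, and `protect` only drops.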