CCNA v1.1 200-301 Slides PDF
Document Details
Uploaded by GorgeousDanburite
Sajjad Ghaffoori
Tags
Summary
These slides provide an overview of Cisco Certified Network Associate (CCNA) concepts, covering topics such as networking fundamentals, network components, enterprise networks design, cloud-based networks, and network architecture models. It includes information about exam topics, questions and modules.
Full Transcript
III-Networking introduces Cisco Certified Network Associate By: Sajjad Ghaffoori iiinetworking.com Our Website YouTube.com/@iiinetworking Arabic IT Courses/Content Page: Facebook.com/iiinetworking Group: Facebook.com/groups/iiinetworking Technical Dis...
III-Networking introduces Cisco Certified Network Associate By: Sajjad Ghaffoori iiinetworking.com Our Website YouTube.com/@iiinetworking Arabic IT Courses/Content Page: Facebook.com/iiinetworking Group: Facebook.com/groups/iiinetworking Technical Discussion and Sharing @III_Networking Entertaining IT Content Linkedin.com/in/ sajjad-ghaffoori-6b4674134 Linkedin.com/company/iii-networking Direct Connection https://t.me/+yDIoeSbd-3EwYzA0 Courses Channel - Cisco Exams Roadmap https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - CCNA Exam Topics https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - CCNA Exam Information - Cisco Certified Network Associate 200-301 - Exam questions: 93-103 - Questions Types: MCQ, DnD, and LAB Sims - Exam duration: 120 minutes - Exam Engine: PearsonVue - Exam Passing Score: 825/1000 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] Module-1 Network Fundamentals https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-1: Network Fundamentals 1.1 Explain the role and function of network components 1.1.a Routers 1.1.b Layer 2 and Layer 3 switches 1.1.c Next-generation firewalls and IPS 1.1.d Access points 1.1.e Controllers (Cisco DNA Center and WLC) 1.1.f Endpoints 1.1.g Servers 1.1.h PoE 1.2 Describe characteristics of network topology architectures 1.2.a Two-tier 1.2.b Three-tier 1.2.c Spine-leaf 1.2.d WAN 1.2.e Small office/home office (SOHO) 1.2.f On-premise and cloud 1.3 Compare physical interface and cabling types 1.3.a Single-mode fiber, multimode fiber, copper 1.3.b Connections (Ethernet shared media and point-to-point) 1.4 Identify interface and cable issues (collisions, errors, mismatch duplex, and/or speed) 1.5 Compare TCP to UDP https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-1: Network Fundamentals 1.6 Configure and verify IPv4 addressing and subnetting 1.7 Describe private IPv4 addressing 1.8 Configure and verify IPv6 addressing and prefix 1.9 Describe IPv6 address types 1.9.a Unicast (global, unique local, and link local) 1.9.b Anycast 1.9.c Multicast 1.9.d Modified EUI 64 1.10 Verify IP parameters for Client OS (Windows, Mac OS, Linux) 1.11 Describe wireless principles 1.11.a Nonoverlapping Wi-Fi channels 1.11.b SSID 1.11.c RF 1.11.d Encryption 1.12 Explain virtualization fundamentals (server virtualization, containers, and VRFs) 1.13 Describe switching concepts 1.13.a MAC learning and aging 1.13.b Frame switching 1.13.c Frame flooding 1.13.d MAC address table https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - What is a Network? - Also called (Computer Network), it is 2 or more devices needs to share information between them. - To do that, they will need a common media between them to share that information. - Network Types (sizes): Local - some users in the same room/department connected using a switch device Area Network - Or: some users in different rooms/department connected using a router and some switches. - LAN - - Users connected globally through the Internet, Wide - Service Providers will be needed Area Network - A group of devices (Routers, Switches, & other devices) will be needed -WAN - https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Components - Routers: Network devices that connect different network domains and routes the IP packets to its correct destinations. - Each interface is a broadcast domain - Switches: Network devices that connects 2 or more devices in one network domain. - Then what is a Multi-Layer Switch? , MLS, L3Switch? - Firewalls and Intrusion Prevention Systems - Firewalls protects you from the internet - Apply some restrictions to your local network - Intrusion Prevention Systems (IPS) performs deep packet inspection (DPI) - Try to spot attacks *There is a 2 in 1 solution - Next-Generation Firewalls (NGFW) = FW + IPS https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Components – Access Points: like switches, APs are the (wireless) destination for a host to communicate with other hosts - Controllers: A - Wireless Controllers: a central management point for multiple APs, B - Cisco DNA Center: the super powerful, super capable central point of management for?? - Analytics - Automation - Using GUI to Design, Display, and Configure – Servers: a device, storing common data for users (clients) to make use of: - As a hardware matter, it is a computer! but with ________________ - While clients, are the end devices that consumes OR generates new data. https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Enterprise Networks Design - Simplify Scaling & Troubleshooting - Technologies should be distributed well, based on layers/tiers - Depends on your networks size, and future growing - Tier 2 will be for Small/Mid networks - One building network - only 2 Tiers (Access and Aggregation) - Access: - The first layer facies/authenticates endpoint devices - Connects the endpoints to their gateways (aggregation) - Aggregation: - Aggregates/Communicates all the access layers - Runs both Layer2 and Layer3 Techs. and Protocols - Run in pair-devices mode (SSO) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Enterprise Networks Design - Tier 3 for Mid/Large Enterprises - Multiple Buildings - More East-West traffic - Future scaling (Horizontally) - 3 Tiers (Access, Distribution, and CORE) - Core: - Aggregate multiple networks - High speed/convergence - Runs in pair-devices mode - Runs at Layer 3 - Connects to the WAN/Internet - Connects to servers and other Data Centers https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Enterprise Networks Design - On-Premise vs. Cloud-Based Networks - The purpose of a network is to connect - connect the customer to a service - connect the customer to another customer - connect a service to another service - Thus, networking and architecting all the components of a network happens - to engineer the routers, switches, firewalls, servers, and many other components TO DELIVER - all of which, under the naming “Infrastructure” - the cloud concept is to provide a ready-to-use infrastructure - already managed and automated - bring and connect whoever can benefit from it https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - The Cloud Approach - everything will be automatically approached - by doing no deep configuration - and worrying about no operation procedures - including - Reliability: you request a node, there will be a node, regardless of its location or circumstances - High Availability: if it fails, another will take place in seconds, just another identical node - Elasticity: if it wasn’t sufficient for the peak hours, it will enlarge for that period, and shrink later - Security: only you, and the account you authorize can access and manage - and only what you decide to protect and unprotect, will take place (elaborate!!) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - The Cloud Economics - with on-premise networks - everything, from getting the nodes (servers and appliances) (CapEX) - till the smallest terminal that connects to the power cable on the power boards (OpEX) - all the safety, electricity, fire fighting, air cooling, and operation costs are yours - not just to pay, but to consider, design, think of, consider redundancy - hire the right teams for it, and elect the best provider for each service of these - tears might come at some point - monitoring and health checks as well are your responsibility - so, equipment costs, operation costs, labor costs, and locale costs - are yours to consider, monitor, and optimize https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - The Cloud Economics - and when it comes to software - after all the headaches of the hardware part - operating systems should be provided - for Servers, DNS, load balancers, monitors, counters, logging systems - AND, their licenses - for each of the mentioned operating systems - and services https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Architecture Models A – The Open Systems Interconnection model (OSI model): - 1st model out - 7 specified layers of tech. - carries the Ethernet 802.3 - many old/ & legacy protocols - were and still using it https://www.geeksforgeeks.org/open-systems-interconnection-model-osi/ https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Architecture Models B – The Transmission Communication Protocol/Internet Protocol Model (TCP/IP Model) - 2nd model announced - less specific - deals with Ethernet II - many modern and current protocol depends on it within the networks https://www.geeksforgeeks.org/tcp-ip-model/ https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Layer 1 Technologies - Physical Links/Connections A – Copper (Ethernet): the oldest, variety in speeds, developed through time - 4 pairs of “Copper” - Functions in a matter of Electric Circuit - 2 pairs for 100 Mbps - 4 pairs for the 1000 Mbps - Shielded and Unshielded - Connecter: RJ45 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Layer 1 Technologies B – Optical Fibers: New. Already in High Speeds, even more Speed! - Single fiber is enough - Starts with 1 Gbps, up to Tens of Gbps - Either light or laser - 2 Types of Transmission media is used, either light or laser - Multimode (MM): light is used in the case of short distances - Single Mode (SM): laser is used in the case of long distances - How do the devices understand light signals?!?! - How do light become limited to a certain speed?!?! - Connectors: on the end of each Fiber Optic cable, LC, SC, FC, ST, MTP/MPO https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Layer 1 Technologies - Point to Point & Shared Media - Point to Point (P2P): directly connected, nothing in the way - Shared Media: Broadcast, a layer 2 device in the way - Power over Ethernet (PoE): - Carrying Power over 2 pairs of Copper Cables (enough to power up some network devices) - Can replace an AC adapter - PoE Terms: - PSE: Power Sourcing Equipment (Switches, Power Injectors) - PD: Powered Device (PCs, IP Phones, IP Cameras) - Negotiation happens between the PSE & PD before/after starting Suppling - Power Suppling over PoE can be from 15 – 95 Watts (Total) - UPoE+: Universal PoE make use of all the 4pair to carry both Data & Power https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Layer 1 Technologies - PoE Modes - Auto - The device automatically detects if the connected device requires power - If the device discovers a powered device connected to the port - and if the device has enough power, it grants power. - Static - The device pre-allocates power to the port - even when no powered device is connected - and guarantees that power will be available for the port - never - The device disables powered-device detection - and never powers the PoE port - even if an unpowered device is connected https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Layer 1 Technologies - Collisions - more than one device (PC) transmitting at a single time, in a shared media - causes collisions and data loss - to avoid collisions: - Carrier sense multiple access/collision detection, CSMA/CD - listen for TX and wait for your turn - the Half-Duplex - Bidirectional Transmission by buffering and transmitting - the Full-Duplex - Errors: Cabling Issue, Unsupported SFP - Duplex Mismatch: Half or Full? MUST MATCH - Speed: 10/100/1000? MUST MATCH https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Networking Languages A – The Binary Language - Only 2 digits: 0 & 1 - Everything is Binary - Each digit = 1 bit - Zeros are low Electric pulse, low frequency light wave, Once are the opposite B – The Decimal Language - 10 digits: 0 – 9 - Value: 0 – 255 - NO Number “10” - For humans, ease C - The Hexa-Decimal Language - 16 digit: 0 – 9, A – F - 0 = smallest value, F = biggest value https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Media Access Control Address - The MAC Address - Layer 2 Technology - Hexa-Decimal Language - Physical Address - Constant and Unique - 48 Bit length - Half for the Organization, half for the product https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 4 (IPv4) - Layer 3 Technology - Decimal Language (and Binary) - Logical Address - Variable, based on the need - 32 Bit length - Part for the Network, Part for the Hosts - 4 Octets, each =? - Addressing: - convert from binary to decimal, and vice versa - What defines network octets from hosts octets? - Total Hosts = 𝟐𝟑𝟐 = 4,294,967,296 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 4 (IPv4) - Subnetting - form 8 – 32 - The smallest, the bigger - /XX or XXX.XXX.XXX.XXX like the IP address - Variable-Length Subnet Mask (VLSM) - The opposite of Subnetting - Much more economic for the use of subnetting - Can obtain - Network ID - Network Addresses Range Network - Broadcast ID https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 4 (IPv4) - IPv4 Classes: - What defines the class? - Class A: /8 1.0.0.0 --- 126.255.255.255 - Class B: /16 128.0.0.0 --- 191.255.255.255 - Class C: /24 192.0.0.0 --- 223.255.255.255 - Class D: /8 224.0.0.0 --- 239.255.255.255 - Class E: /8 240.0.0.0 --- 255.255.255.255 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 4 (IPv4) - Private vs. Public IPv4 Addresses - Avoid duplication - Private: available and free - Public: reserved (costs money) - Private Addresses: - 10.0.0.0 – 10.255.255.255 /XX - 172.16.0.0 – 172.31.255.255 /XX - 192.168.0.0 – 192.168.255.255 /XX https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 4 (IPv4) - Classless Inter-Domain Routing (CIDR) - design a “subnet mask” - based on the need - need for amount of address space - factor of safety (future growth) - appropriate isolation - careful with summarization - based on the number of the hosts - get ID’s - amount of useable addresses - which mask will identify this subnet - extract 4 subnets based on the needs of 4 different design (50, 150, 300, 600) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - relevant to IPv4 - based on 128 bits in total length - leads to 340 undecillion address - an IPv6 packet has a header of 40 bytes - many new field added, others removed instead - version: 6 (0110) - traffic class & flow label: QoS - payload length: just the length of the payload - next header: replaces protocol number - hop limit: replaces TTL - Src. & Dst. Addresses https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - And thus, it can be written as - 2001:db80:0000:0000:0000:0000:0000:0001 - 8 total parts - 16 each / 4 digits - it can be simpler - 2001:db80:0000:0000:0000:0000:0000:0001 - 2001:db80:0:0:0:0:0:0001 - 2001:db80:0:0:0:0:0:1 - 2001:db80::0001 - 2001:db8::1 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - Different types are supported - to help with the private/public addressing - ::1/8 loopback address - 2000::/3 global unicast address - FC00::/7 unique local unicast address - FE80::/10 link-local unicast address - FF00::/8 multicast address - IPv6 supports - Unicast (one-to-one) - Multicast (one-to-many) - Anycast (one-to-nearest) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - IPv6 Unicast Addresses - Global Unicast - for public connection - can be reached from the internet - can be assigned per hosts - the address structure represents many details - the company - the subnet - the specific interface assigned with this address - interface ID is derived from the MAC - from the modified EUI-64 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - IPv6 Unicast Addresses - Link-Local - internal used only - within the domain/segment - between the interfaces - starts with FE80 - 24 bits of the MAC - FFFE - 24 bits of the MAC - requires the modified EUI-64 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - IPv6 Unicast Addresses - Unique Local - for internal use - within the network - not routed to the internet - starts with FC00 - global ID - subnet ID - interface ID - which is of the modified EUI-64 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Version 6 (IPv6) - IPv6 Anycast Address - a global address - that will be used multiple times - on multiple distributed nodes - at the same time - each one will serve the nearest - IPv6 Multicast Address - to many destinations - how many? - from 2 to all (all?) - which makes it a broadcast - it will be achieved (multi-destinations) - by assigning a group ID instead of an interface ID https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Transmission at Layer 4 - Transmission Communication Protocol & User Datagram Protocol TCP - Multiplexing at layer 4 HTTP = TCP80 HTTPS = TCP443 - for multi-transmission of different techs. At the same time FTP = TCP20, 21 - protocols can be SSH = TCP22 - Reliable, connection-oriented, perform the 3-way handshake Telnet = TCP23 - TCP SMTP = TCP25 - Unreliable, connection-less, direct transmission BGP = TCP179 - UDP - some technologies considers the same port of both the protocols UDP SNMP = UDP161 - which by most, are taken from the well-known domain (0-1023) TFTP = UDP69 DNS = UDP53 SYSLOG = UDP514 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - IP Parameters for Client/End Device OS - Useful Tools: - Ping: Availability Check - Traceroute: IP’s in the Way - FTP: Data Transporting - SCP: Secure Data Transporting - Telnet: Remote Access - SSH: Secure Remote Access - Ipconfig: End Device IP Assignment - PING: - Windows: Terminal --- Ping X.X.X.X - Mac OS: Terminal --- Ping X.X.X.X - Linux: Terminal --- Ping X.X.X.X https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - IP Parameters for Client/End Device OS - Traceroute: - Windows: Terminal (CMD) --- Tracert/Tracert –d X.X.X.X - Mac OS: Network Utility --- X.X.X.X --- Trace - Linux: Terminal --- Traceroute X.X.X.X - Telnet & SSH: - Windows: Telnet: Terminal --- Telnet X.X.X.X SSH: Software (SecureCRT, PuTTY) - Mac OS: Telnet: install Homebrew --- Terminal --- Telnet X.X.X.X SSH: Terminal --- ssh X.X.X.X - Linux: Telnet/SSH: Terminal --- Telnet/SSH X.X.X.X https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Principles - Mimic the Signaling in Wired-Medium - Electro-Magnetic field to encode data (0,1) - Encoding will be done by changing the frequency of a wave - that is measured by Hertz - and Hertz: the change in frequency/second - then, Modulation will express the Zeros and Ones - there are Wi-Fi generations (like Ethernet Categories) - starts from 802.11a (2 Mbps) – 802.11ax (14 Gbps) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Principles - The Encoder that turns the Zeros and Ones to that “Electro-Magnetic” field - is called a Trans/ceiver - The more transceivers available, the more data encoded - Then, a transceiver, will push the field, through an Antenna *also, the more antennas, the more data - To generate and push data through the air, there must a power source - to do so, a power source is needed - this power source might be a battery or an AC adapter - measuring the power of a frequency is called “Amplitude” https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Network Components - Wi-Fi Client (End Point): also called a “Station” - Generates/Consumes Data - Have Transceivers (to encode data) - Have Antennas (to push the data) - It will need Power - Wi-Fi Access Points (AP) - GW for the stations - Stations talks through the AP - also have Transceivers - also have Antennas - Wi-Fi Controllers - Controls APs (central point of management) - Controls Access for clients (AAA) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Modes/Terms - Ad-Hoc: Point to Point (NO APs) - Infrastructure: AP between stations - Mesh: APs talking together (Wirelessly) - Basic Service Set (BSS): A single AP and it’s coverage area - Basic Service Set Identifier (BSSID): The MAC address of that AP - Service Set Identifier (SSID): Name of the WLAN - Distribution System (DS): The Wired Net. that connects the AP to the LAN - Extended Service Set (ESS): A collection of APs connected to the same - DS, offering the same WLAN & SSID (like hotels, hotspot) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Modes/Terms - Radio Frequency power - the amount of power an antenna will receive - to convert it to electric power - measured in either watts, or deciBills x MilliWatts (dBm) - affected by barriers in the way, and get attenuated - decremented by cable length (transceiver to antenna), incremented by antenna gain - RF power affects signal strength - important for “Design”, to measure, how many AP we need to maintain signal strength - important for “Troubleshooting, slow internet - RSSI - received signal strength indicator - an indicator for the quality of all the broadcasting SSID's nearby - Noise Floor and Interference - other electro-magnetic fields roaming in the space - conflict signals will cause interference https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Modes/Terms - SNR - signal to noise ratio - the difference (-) between received signal and noise floor - Signal (-) Noise - higher = better - Client Devices Capabilities - a client device that receives a signal and data - should have an approximate power compared to the transmitter - download data will be transmitted from the AP to the client - acknowledgments, upload data, and other communications - will be transmitted from the client - thus, capabilities should be approximate - to avoid exchanging mismatch https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Frequency - Starting a wireless signal from a point - and meeting back that point - equals a frequency! - the opportunity of having a frequency or more - happening in 1 second (period of time) - is measured in Hertz - frequencies can be grouped in bonds - like 2.4 and 5 GHz bonds - their levels are of different uses - and designed to be on international standards https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Channels - A set, or a range of Radio Frequencies (RF) - established together, all encoding and transmitting data - each frequency can be modulated differently (for more encoding) - the total RF bandwidth is then called (Channel Bandwidth) - channels include Frequencies, either from the 2.4 GHz range, or the 5 GHz range *channel bandwidth: the total bandwidth of the involved frequencies https://en.wikipedia.org/wiki/2.4_GHz_radio_use#/media/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wireless Channels - if 2 channels were close enough - streaming some common frequencies, overlapping will happen - unless, they were far enough - this is with 2.4 GHz channels only (which comes in 20 MHz width) - with 5 GHz channels, a new channel, start with a frequency - right after the last channel’s frequency ended - so, overlap won’t happen - the 5 GHz channels support from 20 MHz width, up to 160 MHz! *more channel width, means more frequencies included, thus, more data can be encoded https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Device Virtualization - Just Networks, BUT in Virtualized Environment - Multiple Devices inside One - Ease of Management - The Hypervisor: The new Mediator between SW/HW - Load the Hypervisor on the Physical HW, after that install OS on the Hypervisor - Now the Hypervisor = Host, and the OS = Virtual Machines = Guest - Hypervisors: - Schedules the VMs requests to the HW - Distributes the HW resources between the VMs https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Hypervisors Types - Type-1 Hypervisors - The Native or Bare Metal - Runs directly on the HW resources - HW ---Hypervisor --- VM - Oracle VM, MS Hyper-V, WMWare ESXI - Type-2 Hypervisors - Hosted - Runs as a SW besides the OS - HW --- OS --- Hypervisor - Virtual Box, VMWare Workstation https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Virtual Switches - Connects all VMs Together like a Real Switch - Assigns a Virtual Network Interface Card (V.NIC) for each VM - Exists by default in Hypervisors Type1 - After Creating a vSwitch & vNIC, all VMs will automatically get connected together *also, can create Port Group for Complete Isolating (like VLANs) *there is another V.NIC for each VM (for Internet) - Microsoft Hyper-V - ESXi VSwitch https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Data Path Virtualization - Virtual Routing & Forwarding (VRF) - For Service Providers - With multiple clients - isolate each client in a “Routing Table” - for duplicated addresses - requires ISP’s network - MPLS, VPN, L3VPN, BGP - for Enterprises: - VRF-Lite - No Extra VPN protocols - classic routing protocols can be used https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Containers - virtualization requires an OS per VM - a docker engine will replace the hypervisor - a container will include all the code, settings, and dependencies to run an application - each container is isolated from other containers - containers start up very quickly - containers are very resource efficient https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Docker Containers - docker utilizes containerization to package an app and its dependencies into a single container image - docker provides docker hub - a cloud-based registry service for sharing container images and automating workflows - containers are lightweight because they share the host system's kernel - docker is ideal for microservice architectures ad building cloud-native applications - best for loosely coupled applications - updating an app component won't affect the other components - communication between components will be API based - all is cloud friendly https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Switching Concepts - First were called “Bridges” and had Bridge Tables - Bridges had low port Density Then Switches came: - Have MAC Learning based on the Device port - Have MAC Tables - Forwards Frames based on the MAC Table - Have a Look-up Engine - Look-up one frame only at a time (How fast?) - Do Schedule Frame forwarding https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - MAC Table - Filled (learned) based on the Source MAC (The Dynamic Entry) - Decision is taken, based on the Destination MAC - Aging Time! What for? How often? - Number of Entries per table - What will happen if Destination MAC is unknown - “FLOODING https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - ARP Table - Since it is all about destination MAC’s - and since it is always local (elaborate!) - then a mechanism should help to cooperate with IP Addresses - ARP will bind a destination IP (local or remote) with a - Destination MAC (local) - for local switching to happen and deliver the frame with its packet https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] Module-2 Network Access https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-2: Network Access 2.1 Configure and verify VLANs (normal range) spanning multiple switches 2.1.a Access ports (data and voice) 2.1.b Default VLAN 2.1.c InterVLAN connectivity 2.2 Configure and verify interswitch connectivity 2.2.a Trunk ports 2.2.b 802.1Q 2.2.c Native VLAN 2.3 Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP) 2.4 Configure and verify (Layer 2/Layer 3) EtherChannel (LACP) 2.5 Interpret basic operations of Rapid PVST+ Spanning Tree Protocol 2.5.a Root port, root bridge (primary/secondary), and other port names 2.5.b Port states and roles 2.5.c PortFast 2.5.d Root guard, loop guard, BPDU filter, and BPDU guard 2.6 Describe Cisco Wireless Architectures and AP modes 2.7 Describe physical infrastructure connections of WLAN components (AP, WLC, access/trunk ports, and LAG) 2.8 Describe network device management access (Telnet, SSH, HTTP, HTTPS, console, TACACS+/RADIUS, and cloud managed) 2.9 Interpret the wireless LAN GUI configuration for client connectivity, such as WLAN creation, security settings, QoS profiles, and advanced settings https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Virtual Local Area Networks - Can I separate hosts! - What will each group of them become? - Every single switch port must become either ________ or ________ - Access Ports - every switch port that is connected to an End device - NO Tags will be sent to the endpoints - tags will start from the access ports towards the switch internally - double tags can happen (Q-in-Q) - an access port can have 2 VLANs at the same time - one tagged (voice traffic) - one untagged (data traffic) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - VLAN Types - Data VLAN: Ordinary - standard range: 1-1001 - reserved range: 1002-1005 - extended range: 1006-4096 - Voice VLAN: Voice data only (higher priority) - tagged and passed over access ports - one port for 2 VLANs (physically towards an IP Phone) - Default VLAN: out-of-box operation - all the ports will be accessed to that VLAN (by default) - Tag ID = 1 (by default) - Native VLAN: passes with no Tags - carries switches BPDU’s even through pruning - VLAN reserved = 1 (by default) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Static and Dynamic 802.1Q Trunking - Trunk Ports: for switch ports that must carry more than one ________ - Done by using encapsulation (802.1Q) - Dynamic (enabled by default) - only requires one side to start negotiations - to cooperate and form Trunking between 2 opposite ports - negotiations can be “Disabled” - port roles are either “Dynamic Desirable” or “Dynamic Auto” - SLOW AND TAKES TIME ! - Static is to configure one or both ports - to become statically trunks using 802.1Q - no negotiations, no port roles https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - VLAN’s Workorder - VLAN Creation - (config)#vlan - (config-vlan)#name - Access Ports - (config-if)#switchport mode access - (config-if)#switchport access vlan - Trunk Ports (Static Trunking) - (config-if)#switchport mode trunk || modern switches - (config-if)#switchport trunk encapsulation dot1q || legacy switches - Native VLAN - (config-if)#switchport trunk native vlan - Voice VLAN - (config-if)#switchport mode access - (config-if)#switchport voice vlan https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Spanning Tree Protocol - We need redundancy and high availability - but there will be a broadcast message, What will happen? - a “LOOP”, AKA “Broadcast Storm” - STP / 802.1D operates at the control plane level - requires election to be performed first - The Winner must have the - Lowest Bridge ID - Lowest Bridge Priority.Lowest MAC Address - After that port roles and states will happen - Designated Port: Forwarding state D/F - Root Port: Forwarding State R/F - Alternative Port: Blocking State A/B https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Spanning Tree Protocol - The entire process of election takes (30 – 50) Seconds Max Age = 20 + (Forwarding Delay = 15) + (Learning Delay = 15) = 50 Seconds - when it is an indirect link failure - Process = 30 Seconds (NO MAX AGE) - when it is a direct link failure! - The matter is to keep eliminating the ports that should stay - until the least needed port is determined - then, Alternative/Blocking - in cases of >= 2 links between 2 adjacent switches - lowest port ID of the designated devise wins *Designated devices (Root Bridges) sends superior BPDU’s *others will have an inferior BPDU’s *going through a pause or a cutout of receiving S.BPDU’s will start generating them https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - STP Workorder - STP Root Bridge Setting - (config-)#spanning-tree vlan priority - STP Port Cost Setting - (config-if)#spanning-tree vlan cost https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Rapid Spanning Tree Protocol - In order to speed things up: - Rapid STP / 802.1W: NO Listening, NO Blocking - only (Discard, Forwarding, Learning) - delay will become = 3 + 3 = 6 Seconds - proposal and agreement is a series of - superior and inferior BPDUs - starting from 1st to assume itself as a root bridge - until reaching an edge port ***Make it Deterministic*** - STP Loop Guard is absent here - S.BPDU’s are automatically ignored on D/F ports of a Root Bridge https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Rapid Per-VLAN STP - What’s the BIG benefit of Redundancy If STP is blocking ports - in cases of many VLANs all consuming the same D/F - There will be a Per-VLAN STP (PVST) / (RPVST+) - Each VLAN can have an ELECTION - Each VLAN will have its own root - Multiple different logical topologies https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - STP Design - STP Port-Fast - enabled on access switches only - if facing an endpoint – use port-fast (edge port) - if facing a router – use port-fast trunk - it will transition edge ports to forwarding directly - avoid including them in the elections - avoid transition delays - STP Root Guard - enabled on distribution switches only - on downstream ports - upon receiving a S.BPDU !! - the port will transition to “root-inconsistent” - that is in the listening state only https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - STP Design - STP Loop Guard - enabled on access switches only - globally enabled - upon a pause in receiving BPDU’s on A/B port - the port will transition to “loop-inconsistent” https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - STP Design - STP BPDU Guard - enabled on access switches - for access ports only - upon receiving a BPDU from an edge port! - the port will become “err-disable” - STP BPDU Filter - enabled on access switched - for unused ports - stops sending and receiving BPDU’s (BiDi) - to avoid undetermined design! (surprises) *if the same port had BPDU Guard enabled as well - BPDU Filter will overcome the BPDU Guard existence https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Neighbor Discovery - Cisco Discovery Protocol & Link Layer Discovery Protocol - Who am I connected to - can depend on the protocol and the version - CDP and LLDP do Discovery negotiations between devices - Detailed information about the neighbor - My port that is connected to it - Its port that is connected to me - The IP Address of the neighbor device - The MAC Address of the neighbor device - Port description of the neighbor - LLDP-MED is the highest flexible and useful one, carrying TLV’s https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Link Aggregation (LAG) - load balancing (distributing) the traffic flow - among more than one link (if available) - flow will be reordered and sent over multiple paths (per packet) - LAG does not split a packet and consumes the bundle as a total - Flow can be distributed per: - Basic Flow: MAC-to-MAC IP-to-IP - Micro Flow: L4-to-L4 port/protocol https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Static and Dynamic EtherChannels - EtherChannels are supported on Cisco switches - supporting both LACP and PAgP negotiations protocols - it can be negotiation based (for L2) - it can be static and fast (for L2 and L3) - LACP uses: - Active: initiates bundling negotiations - Passive: waits for other side to initiate - Static: - Mode ON: no negotiations, direct bundling https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - PO Workorder - Members bundling - (config-if)#channel-group mode Active || LACP Negotiator - (config-if)#channel-group mode Passive || LACP Listener - (config-if)#channel-group mode on || Static https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - AP Modes - AP Modes - Local Mode - the default of a LAP - CAPWAP to the WLC - everything passes through the CAPWAP - if the CAPWAP fails, all clients will be disconnected - Bridged Mode - allows an Autonomous AP to connect as a client to the LAP - Flex Connect Mode - a hybrid Cisco solution for LAP’s - Monitor Mode - generates reports & statistics, send them to the WLC - Sniffer Mode - scan a specific channel - send the scanning reports to the WLC https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - AP Modes - Sensor Mode - perform SSID tests - send test report to the DNA Center - Mesh Mode - a frame might travel multiple mesh nodes - before reaching the LAN - uses adaptive wireless path protocol (AWPP) - to determine the best path to a root node/AP (RAP) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Deployment Models - Autonomous Architecture - Autonomous (Independent) Access Points - Independent Management (GUI) - one or more SSIDs (each = 1 VLAN) *when having multiple SSIDs, and each will be 1 VLAN, the back link should be a trunk *adding a new SSID, requires to login to each AP individually - Split-MAC Architecture - there is a WLC - APs now will be called Lightweight APs (LAPs) - WLCs will manage (RF, QoS, AAA, Policies) - APs will (RF TX/RX of frames, RF Collision Detection, MAC & Data Management) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Deployment Models - Cloud-Based Architecture - also, a WLC - but remotely (through public cloud, or private cloud) - also, LAPs - might be a Cisco Meraki (does self-config to the LAPs) - or Cisco Cat. 9800-CL - Converged WLAN Architecture - connect a WLC and an AP both, to the same switch - the access/distribution layer switch - now the LAPs are reaching the WLC through the switch - multiple WLCs will be needed in such scenario - this leads to a shorter distance CAPWAP - hence, faster Wi-Fi, less delays https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Deployment Models - Centralized WLAN Architecture - single WLC that controls all the LAPs - might be placed in the DC, or near the edge of the network - all data must pass through the CAPWAP tunnel to reach the WLC - even if the destination is closer than the WLC - this can be fixed, using Cisco Flex Connect - which is a mode, to be enabled on the LAPs - especially if the LAPs like in a branch, and the WLC is in the HQ - LAPs can now pass the traffic directly to the LAN - LAPs can now authenticate the clients for access - LAPs can now work even if the CAPWAP tunnel goes down https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - AP Management - some APs have a PoE & AUX ports in the back - these 2 can be bundled/aggregated to form a higher bandwidth data interface - WLCs have a Service/Management port, can have an IP address assigned to, for GUI access - to bundle/aggregate ports: - WLC: use “channel-group mode on” on the switch, as it doesn’t support LACP/PAgP - AP: either using “ON” or “LACP”, BUT, only with “local” APs, not the “Autonomous” APs - APs and WLCs are just like other networking devices - they can be managed by CLI (console, telnet, ssh) and GUI (http and https) - Authorization access can also be done using AAA https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] Module-3 IP Connectivity https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-3: IP Connectivity 3.1 Interpret the components of routing table 3.3 Configure and verify IPv4 and IPv6 static routing 3.1.a Routing protocol code 3.3.a Default route 3.3.b Network route 3.1.b Prefix 3.3.c Host route 3.1.c Network mask 3.3.d Floating static 3.1.d Next hop 3.4 Configure and verify single area OSPFv2 3.1.e Administrative distance 3.4.a Neighbor adjacencies 3.1.f Metric 3.4.b Point-to-point 3.1.g Gateway of last resort 3.4.c Broadcast (DR/BDR selection) 3.2 Determine how a router makes a forwarding decision by default 3.4.d Router ID 3.2.a Longest match 3.5 Describe the purpose, functions, and concepts of first hop redundancy protocols 3.2.b Administrative distance 3.2.c Routing protocol metric https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - The Forwarding Decision - Routers separates broadcast domains - each within an interface only - though the support of sub-interfaces - receiving a packet on an interface will lead to - inspecting the destination IP address - and comparing it to the Route Table - based on the outcomes of the RT - the forwarding decision will be taken - The Route Table is CPU consuming - can be cloned to the Data-Plane with the use of Cisco CEF - multiple Route Tables can be created using VRF https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Static Route - the only method of manually routing a specific packet to a specific route - the first next-hop can either be the egress interface Port ID - Or, the next reachable IP Address - Available for IPv4 & IPv6 - can route a host or an entire network - Static Route Flavors: - Default Route: every un-mentioned subnet to be routed here also, can be a default Gateway - Floating Static: a hidden back-up plan https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Static Route Workorder - Static Route - Router(config)#ip router - Static Host Route - Router(config)#ip router 255.255.255.255 - Static Default Route - Router(config)#ip router 0.0.0.0 0.0.0.0 - Floating Static Route - Router(config)#ip router - IPv6 Static Route - Router(config)# ipv6 route - Router(config)# ipv6 route - Router(config)# ipv6 route https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Open Shortest-Path First (OSPF) - Link State Protocol - Dijkstra algorithm - SPF algorithm for route decision - AD = 110 - Metric = Cost (lesser = Better) - Process ID for multiple instances - Area ID for Data Base isolation - Link-State Advertisements: negotiation between OSPF Routers - it contains: LSRequest: provide the missing Information LSUpdate: reply for the LSR LSAcknowledgement: reply for the LSU https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - OSPF Neighboring Process https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - OSPF LSA’s - Link State Advertisements (LSA’s) - multiple types - depends on the advertisement they are doing - LSA Type.1 (Router LSA): investigates local OSPF connections - LSA Type.2 (Network LSA): investigates local OSPF connections for a DR - LSA Type.3 (Network Summary LSA): for ABR to reach links in Areas - LSA Type.4 (ASBR Summary LSA): for ABR to reach ASBR’s - LSA Type.5 (External LSA): for ASBR redistribution - LSA Type.7 (NSSA External LSA): for ASBR NSSA https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - OSPF Neighbor Types - A Neighboring router can be a P2P neighbor - in this case no problems - or can be connected through a “SWITCH”!! - broadcast will happen - elections must take place - only One router should update the topology (DR) - a DR (Designated Router): Highest Router Priority (0-255), Def=128 - Or Highest Router ID - Router ID (R.ID): 32-bit Address - DR needs BDR (second best of everything) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - OSPF Routers Types - Internal - participate only in a non-backbone area - generates Type-1 & Type-2 LSA’s - Backbone - participate only in a backbone area || area 0 - generates Type-1 & Type-2 LSA’s - ABR - connects Backbone Area with any other Area - regenerates Type-1 LSA’s into Type-3 LSA’s and floods them - ASBR - connects an OSPF to a non-OSPF network - floods Type-4 LSA’s https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - OSPF Workorder - Router(config)#router ospf - Router(config-router)#router-id - Router(config-router)#network OR - Router(config)#interface - Router(config-if)#ip ospf - Verification - Router#show ip ospf database - Router#show ip ospf neighbors - Router#show ip ospf interfaces brief - Router#show ip ospf border-routers - Router#show ip route ospf - Router#show ip protocols https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Route Matching - in the matter of: - first let us check the longest match for this prefix - then decide which routing protocol should handle this task (AD) - finally, the desired protocol will submit its own “Rules” (Metrics) to route the packet https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - First Hop Redundancy Protocol - Establishes a virtual gateway between a router and its redundancies - Virtual IP and Virtual MAC will be assigned - one vMAC means one GW at a time (Active/Standby) - multiple vMACs means multiple GWs at the same time (Active/Active) - can be tracked and manipulated upon events - protocols including “HSRP, VRRP, and GLBP” HSRP VRRP GLBP - Cisco Proprietary - Open Standard - Cisco Proprietary - One vMAC - One vMAC - up to 4 vMACs - MAC address range - MAC Address - MAC Addresses 0000.0C9F.F000 - 00-00-5E-00-01-{VRID} 0007.b400.XXYY 0000.0C9F.FFFF - in hex in internet standard bit- - where X = GLBP group number - last 3 digits for group No. order - and Y = AVF number - preemption is enabled by default https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - FHRP Workorders - HSRP - Router(config-if)#standby ip - Router(config-if)#standby priority - Router(config-if)#standby - Router(config-if)#standby track decrement - Router(config-if)#standby authentication md5 key-string - VRRP - Router(config-if)#vrrp ip - Router(config-if)#vrrp priority - Router(config-if)#vrrp track decrement - Router(config-if)#vrrp authentication md5 key-string https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] Module-4 IP Services https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-4: IP Services 4.1 Configure and verify inside source NAT using static and pools 4.2 Configure and verify NTP operating in a client and server mode 4.3 Explain the role of DHCP and DNS within the network 4.4 Explain the function of SNMP in network operations 4.5 Describe the use of syslog features including facilities and levels 4.6 Configure and verify DHCP client and relay 4.7 Explain the forwarding per-hop behavior (PHB) for QoS such as classification, marking, queuing, congestion, policing, shaping 4.8 Configure network devices for remote access using SSH 4.9 Describe the capabilities and function of TFTP/FTP in the network https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Address Translation - Maintain the privacy of the RFC1819 block - Avoid address duplication possibility - by translating private addresses to public ones - also supports private to private translation (Carrier-Grade NAT) - used to exhaust efforts and public address with - Static (one-to-one) and Dynamic (range-to-pool) NATs - till the NAT Overload suggested to consider ports with translating - allowed for a public address to be consumed in thousands of operations - using different port numbers for each packet flow - up to 65,536 port - also known as the NAPT, and PAT https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - NAT Workorder - Static NAT - Router(config)# interface - Router(config-if)# ip nat outside - Router(config)# interface - Router(config-if)# ip nat inside - Router(config)# ip nat inside source static - Dynamic NAT - Router(config)# ip access-list standard - Router(config-std-nacl)# permit - Router(config)# interface - Router(config-if)# ip nat outside - Router(config)# interface - Router(config-if)# ip nat inside - Router(config)# ip nat pool prefix-length - Router(config)# ip nat inside source list pool https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - NAT Workorder - PAT - Router(config)# ip access-list standard - Router(config-std-nacl)# permit - Router(config)# interface - Router(config-if)# ip nat outside - Router(config)# interface - Router(config-if)# ip nat inside - Router(config)# ip nat source list interface overload https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Network Time Protocol - synchronizes nodes time with a timing source (NTP Server) - based on UDP 123 - in Cisco systems, a node can be an: NTP Server, NTP Client - it can have an internal clock (not recommended) - time is synchronized in a server/client relation - a server should be directly attached to a timing source (Atomic Clock) - to guarantee proper synchronization of communication between them - stratum count should be in consideration - number of L3 hops to the NTP Server (Cisco Node attached to a clock) - if multiple were available, the lowest wins - max. of 16 supported - counted cumulatively (elaborate) *NTP clients can behave as NTP servers to other nodes, after the synchronize with a server first *this will cumulatively increase the stratum number https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - NTP Workorders - NTP Server - Router(config)#clock timezone - Router#clock set - Router(config)#ntp master - Router(config)#ntp source - NTP Client - Router(config)#ntp server - Router(config)#ntp server source - Router#show ntp status - Router#show ntp associations https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Dynamic Host Configuration Protocols - Dynamically (Automatically) check for who’s asking for an IP address - and assign based on the available pool (IPv6 supported) - assignment can include - IP address - Subnet mask - Gateway - DNS server (main and backup) - predefined features (leased time) - considers the DORA process - Discover (broadcast message to whomever might reply - Offer (unicast message back to the requester) - Request message (broadcast again to acquire the pack) - Acknowledge (unicast message to the server after installing the pack) *IP Forwarding can translate a broadcast request to unicast and push it to a remote server (DHCP Relay) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - DHCP Workorder - DHCP Server - Router(config)#ip dhcp excluded-address - Router(config)#ip dhcp excluded-address - Router(config)#ip dhcp pool - Router(dhcp-config)#network - Router(dhcp-config)#default-router - Router(dhcp-config)#dns-server - DHCP Relay - Router(config-if)#ip helper-address https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Domain Name Server - DNS ease the process of accessing services - memorize the name of the domain instead of the IP address! - solving and translating a request to a domain before pushing to the network - maintaining the communication to always be per IP technology - reverse DNS can resolve an IP address to its registered domain! - DNS did reserve both TCP and UDP port number 53 - you would see UDP at most - DNS server can have a private or a public address - private is inside the network - public is on the internet https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Simple Network Management Protocol - Formally, a configuration transportation protocol - currently, traps and notification (status) transportation protocol - operates in the Server/Agent way - a server would first request an agent to provide the latest updates on its status - it can include - device reachability - system and health status - interfaces status and current bandwidth - environmental parameters (depends on the agent) - and agent has 2 components to reply to the server - MIB Object (generator of elements) - Agent (contact the server - SNMP uses UDP 161/162 and it is recommended to deploy only SNMPv3 https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - System Loggings - all what the system is recording about its operations - classified and categorized per - level of severity - type of message - normally it would show by default on the screen (Cisco Systems) 0 = Emergency - from the Level 6 (information) up to Level 0 (emergency) 1 = Alert - except for the debug to be manually enabled 2 = Critical 3 = Error - as it is resources consuming 4 = Warning - Syslog has a server/client relation 5 = Notification - and uses UDP port number 514 6 = Information 7 = Debug - reporting can be to a remote server as well https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Syslog Logging Types - Console Logging: show logs to the console user - Terminal Logging: show logs to Line VTY user - Buffered Logging: store some logs in the RAM - Remote Logging: - collect and send Syslog messages to a remote server - remote server must be reachable via an interface - remote server must have a Syslog Application - monitoring will occur from the server side https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - SNMP & Syslog Workorders - SNMP - Router(config)#snmp-server community - Router(config)#snmp-server community - Router(config)#snmp-server community - Router(config)#snmp-server host - Syslog - Router(config)#logging - Router(config)#logging on - Router(config)#logging trap - Router(config)#logging trap transport port - Router(config)#logging source-interface https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Quality of Service - if traffic was more than bandwidth! - if congestion WILL happen, can some traffic be more preferred than another!? - Generally, UDP will be preferred over TCP (TCP will automatically do A retransmission) - QoS Tools that will do the specific desired “Preferring”: (Classification & Marking, Policing, Shaping, Queuing, and Scheduling) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - QoS Components - Classification & Marking - for the Ingress traffic/interface - Classification first, please classify this type of traffic, like: “UDP=High, Mail=Low” - Then, Marking, “Marks” the classified traffics to identify them uniquely in the network *Classification usually happens by matching port numbers - if further recognizing is needed - Network-Based Application Recognition (NBAR) - recognized, identifies, and classifies a traffic - based on multiple variety of things - Word, Phrase, URL!! https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - QoS Components - Policing & Shaping - The Provider – Client Relation - Policing: - From the Provider side - Drop the exceeding ingress (Coming) traffic - or mark-down that traffic, to be dropped later in the network - Shaping: - From the Client side - To avoid misunderstanding, or unwanted behavior with the provide - Queues the excess egress (Outgoing) traffic in the “Egress Queue” - This is called “Queuing” https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - QoS Components - Queuing: - Dividing the Egress Queue, to multiple sub-queues - Each, is differentiated by “Priority” - To deal with classified packets - Scheduling: - How to empty the sub-queues, by which criteria - Congestion Management: - Tools for Queuing and Scheduling - Emptying the Queued traffic in the egress queue - WFQ, CBWFQ, PQ, LLQ, WRR, SRR, Shaping https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - QoS Components - Congestion Avoidance: - Tools to avoid congestion - Before even happening - At the ingress interface/s (receiving queue) - RED, WRED, WTD, Policing - QoS Application in a Network - Integrated Services - unified settings all the way - uses The Resource Reservation Protocol (RSVP) - Differentiated Services - each hop has its unique settings - uses “Per-Hop Behavior” (PHB) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Secure SHell - An out-of-band (OOB) management protocol - should target the management plane, and can target the data plane as well - access a node remotely through Line VTY - recommended after Telnet - to use reliable transport protocol (TCP 22) - alongside with encryption to protect the transported data - requires hostname, domain-name, RSA keypair, and credentials to access - recommended to use version 2 - and can support access-lists to match who’s allowed to access https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - SSH Workorder - Router(config)#hostname - Router(config)#ip domain name - Router(config)#username password - Router(config)#crypto key generate rsa - Router(config)#ip ssh version 2 - Router(config)#line vty 0 4 - Router(config-line)#transport input ssh - Router(config-line)#login local https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Data Transfer Protocols - Volumes of data to be transferred remotely - requires internal and/or external connection - a server can host files for reference - a transfer protocol can import and export files from and to the server - File Transfer Protocol (FTP) - Reliable on TCP 20/21 - supports authentication - no encryption (no security!) - Trivial FTP (TFTP) - Unreliable on UDP 69 - no authentication - no encryption! https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - FTP/TFTP Workorder - FTP/TFTP Import - Router(config)#ip ftp username - Router(config)#ip ftp password - Router(config)#copy ftp:// : - FTP/TFTP Export - Router(config)#ip ftp username - Router(config)#ip ftp password - Router(config)#copy : ftp:// https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] Module-5 Security Fundamentals https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Module-5: Security Fundamentals 5.1 Define key security concepts (threats, vulnerabilities, exploits, and mitigation techniques) 5.2 Describe security program elements (user awareness, training, and physical access control) 5.3 Configure and verify device access control using local passwords 5.4 Describe security password policy elements, such as management, complexity, and password alternatives (multifactor authentication, certificates, and biometrics) 5.5 Describe IPsec remote access and site-to-site VPNs 5.6 Configure and verify access control lists 5.7 Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security) 5.8 Compare authentication, authorization, and accounting concepts 5.9 Describe wireless security protocols (WPA, WPA2, and WPA3) 5.10 Configure and verify WLAN within the GUI using WPA2 PSK https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Security Concepts & Programs - What do I have? And should I care about? - Asset: everything valuable (Docs, Info’s, etc.) - Threat: Danger to Asset (Hacker, SW BUG, Environmental Disaster) - Vulnerability: Weakness (old Bug, missing Patch) - Then we should consider Mitigation: - it has 3 types - Type 1: Technical/Logical Mitigation - Choosing the Correct Firewall - Choosing the Correct IPS - Choosing the Correct Design! https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Security Concepts & Programs - Type 2: Administrative - Things that you (The Network Admin.) decides and consider - Like Policies & Procedures (The company agreed policies & procedures) - Written documents - Background check for new employees - Security awareness/periodically (remind them from time to time) - And Password of course - Length (characters) - Complexity (Upper/Lower case, Numbers, Symbols) - Age (Minimum/Maximum Age for changing the Password) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Security Concepts & Programs - there are some Alternatives - 2 Factor/Multi-Factor Authentication - Done by using some biometrics and certificates - Besides passwords - Can be Physical Card (Identity Card) - One-Time Password (Mobile phone App) - Iris Scan, Fingerprints, Face recognition - Type 3: Physical - This is an in-reality protection - like securing the devices inside racks - racks should have licked metal/glass door - all racks should be installed in a secured DC - Racks and DCs can be secured using Keys, Cards, Fingerprints https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Lines and password protection - there are multiple ways to access a device - Line Console - through console port - can be accessed directly, no protection - can be protected by - assigning a login password - login password can/can’t be encrypted - a second step of protection can be applied - the “enable password” method - will not work if the password is fully privileged - Line Aux - same as Line Console - through AUX port https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Lines and password protection - Line VTY - for remote access - requires a remote session to be established - either by Telnet or SSH - multiple session can be established at the same time - through multiple lines - protection can also be by - login password - enable password - full privilege https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Lines Workorders - Lines Password Protection - Router(config)#line con - Router(config-line)#password - Router(config-line)#login - Router(config)#line aux - Router(config-line)#password - Router(config-line)#login - Router(config)#line vty - Router(config-line)#password - Router(config-line)#login https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Lines Workorders - Lines Credentials Protection - Router(config)#username privilege password - Router(config)#line con - Router(config-line)#login local - Router(config)#line aux - Router(config-line)#login local - Router(config)#line vty - Router(config-line)#transport input - Router(config-line)#login local - Router(config-line)#access-class https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Internet Protocol Security - packets travels unsecured - any sniffer, analyzer, can read your data! - IPSec is a set of tools - pick the set you like to secure your data - Confidentiality: Encrypt the data all the way - Data Integrity: Guarantees delivering original data - Authentication: only the trusted ends can communicate - Anti-Replay: only regenerated or duplicated packets - To provide and establish all the CIA and R - Security Associations (SA) will be exchanged between the peers - things like (tools, algorithms, protocols, and keys) will be discussed https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Security Associations Parameters - hashing: redistributing data by using an algorithm (MD5, SHA) - encryption: locking data by using a 2-way algorithm - shared passwords - all of the above is either statically configured, or dynamically (IKE) - Dynamic (Internet Key Exchange, IKE) - a group of SA’s - end tunnels will negotiate their accepted SA’s - IKE has versions 1 and 2 - IKEv1 creates 2 Tunnels (in 2 phases): https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - IKE Phases - Phase1: establish an authenticated tunnel, it requires: - authentication (PSK or PKI) - PSK easier, PKI requires official certificate authorizer - encryption (DES, 3DES, or AES) - Cisco recommends ONLY AES - hash (SHA or MD5) - Cisco recommends ONLY SHA - DH group - Cisco recommends Group 19 - lifetime (optional) - Phase2: negotiates SA’s between end points - (Destination, Data, and Transport Method) *PSK requires Password https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Access Control List - specific permissions for users/ networks - limits reachability and access - by using allow/deny rules - ACL Types - Standard - based on source host/network - range of 1-99 - NO specific permissions - Extended - based on source & destination hosts/networks/ports/services - range of 100-199 - specific in detail permissions (L4 & L5 perimeters) - Named: A Combination, Hierarchy Mode, Name for each list https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - ACL Workorders - Standard Numbered ACL - Router(config)# access-list - Router(config)# access-list host - Router(config)# access-list any - Router(config)# interface - Router(config-if)# ip access-group - Extended Numbered ACL - Router(config)# access-list any any eq - Router(config)# access-list any any - Router(config)# access-list - Router(config)# access-list host host - Router(config)# access-list any - Router(config)# interface - Router(config-if)# ip access-group https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - ACL Workorders - Named Standard/Extended ACL - Router(config)#ip access-list extended - Router(config-ext-nacl)# any any - Router(config-ext-nacl)# - Router(config-ext-nacl)# any - Router(config)# interface - Router(config-if)# ip access-group https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Port Security - Switch Ports connects you immediately - A limitation is needed to the switch ports - This limitation includes - The No. of learned MAC Addresses - Only “Statically” assigned MAC Addresses are allowed to connect - A combination of the 2 above *All Cisco Switch Ports are “Dynamic” by Default, Make them Access *Static Ports DON’T have timers, assign timers *Those “Statically” assigned MACs are called “Sticky” - What will be the reaction when an unallowed MAC/s hits? - Violation - Shutdown the port (Default) - Protect (Silently) - Strict (log it) https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Port Security Workorder - Switch(config)#interface - Switch(config-if)#switchport port-security - Switch(config-if)#switchport port-security maximum - Switch(config-if)#switchport port-security mac-address https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - DHCP Snooping - Rouge DHCP Servers will respond to your “Discovery” message - Computers will take/accept the first offer they receive - Snooping will trust an interface to make it the - Only interface allowed to receive Broadcast Messages - Applied on a specific VLAN *Rouge Servers will Act as a “Man in the Middle”, which is an attack https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Dynamic ARP Inspection - First, what is ARP - Address Resolution Protocol: Binds an IP Address to Its Source MAC Address - so, if a binding is missing, an ARP will handle it - but ARP is a Broadcast, thus, everyone will know about you trying to Reach your GW for any purpose - Someone might manipulate you and claim that he is the GW! *Man in the Middle detected - DAI will allow only trusted interfaces to receive and forward Broadcast - It will cooperate with the DHCP Snooping DB to perform - After inspecting, it will either Forward the ARP, or Drop it (LOG) *Static IPs don’t use DHCP - Drop the ARP - or, Trust the Port - Create ARP ACL https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - DHCP Snooping & DAI Workorders - DHCP Snooping - Switch(config)#ip dhcp snooping - Switch(config)#interface - Switch(config-if-range)#ip dhcp snooping trust - Switch (config)#ip dhcp snooping vlan - Switch(config)#no ip dhcp snooping information option * After DHCP Snooping - Dynamic ARP Inspection - Switch(config)#ip arp inspection vlan - Static ARP Inspection - Switch(config)#arp access-list - Switch(config-arp-nacl)#permit ip host mac host - Switch(config)#ip arp inspection filter vlan https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Authentication, Authorization, and Accounting - a standard-based framework that provides a set of security services - Which a device or a computer is permitted to use the network resources - Authentication - verifying a request identity by comparing the credentials to a certain database - upon a successful verification, the requester is granted access to a certain system - upon a failed verification, the login process if declined and ended - Authorization - happens if and only if Authentication was successful in the first place - grants privilege levels to the authenticated identity - specifying all the permitted and denied action related to that identity - Accounting - monitors and logs the user activity, collects connections/session parameters *deployment of AAA can be local or remote using a AAA server https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - AAA Deployment - Remote deployment using AAA Server (RADIUS or TACACS+) https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wi-Fi Security - Unsecured WLANs are the once with no password, free, and public - Secured WLANs might have: - hidden SSID - Authentication - Encrypt Data (from the client to the AP) - Authentication can be done by: - authenticating the user’s credentials - authenticating a device’s MAC Address - captive portal https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Wi-Fi Security - Extensible Authentication Protocol (EAP) - transport protocol - carries authentication information - can not travel directly in the network - must be encapsulated before injected in the media - 802.1x (Client – WLC) - RADIUS (WLC – AAA Server) - Web Authentication (WebAuth) - applied and enabled on a WLC - to authenticate through a Web Browser - carried by HTTP - also requires 802.1X to be activated on the authenticator - supports Pre-shared Key to encrypt user data - Pre-Shared Key - used to encrypt data between client and AP - same PSK can be used with all the clients connecting to the same AP - derived from the Passphrase https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Encryption in Wireless Networks - for data frames only - Management frames won’t get encrypted - happens between client and AP only - what’s beyond AP (the LAN) is not encrypted - to have an end to end encryption: - use HTTPS - that will send a digital certificate between the src and dst - thus, the entire path will be encrypted https://iiinetworking.com || https://youtube.com/@iiinetworking || https://linkedin.com/company/iii-networking || [email protected] - Encryption in Wireless Networks - Wi-Fi Protected Access (WPA) - has 2 types (Personal and Enterprise)