Cisco Summary


Chapter 1

Reliability
Reliable transport can accomplish the following:
- Ensure that delivered segments are acknowledged to the sender.
- Retransmit any segment that is not acknowledged.
- Put segments back into their correct sequence at the destination.
- Provide congestion avoidance and control.

Flow Control
Prevents a host on one side of the connection from overflowing the receive buffers of the host on the other side.

Acknowledgment
Positive acknowledgment requires the recipient to send an acknowledgment message back to the source when it receives data. The sender keeps a record of every segment it sends and expects an acknowledgment for each one; a segment that is not acknowledged in time is retransmitted.

Transmission Control Protocol (TCP)
Connection-oriented and reliable. Protocols that use TCP include:
- FTP (File Transfer Protocol)
- HTTP (Hypertext Transfer Protocol)
- SMTP (Simple Mail Transfer Protocol)
- Telnet

User Datagram Protocol (UDP)
Connectionless and best-effort: no acknowledgments, no retransmission, no sequencing. Protocols that use UDP include:
- TFTP (Trivial File Transfer Protocol)
- SNMP (Simple Network Management Protocol)
- DHCP (Dynamic Host Configuration Protocol)
- DNS (Domain Name System; DNS also uses TCP for zone transfers and for answers that do not fit in one datagram)

Security note: FTP, Telnet and SNMPv1/v2c send credentials and data in cleartext. Prefer SFTP or FTPS, SSH and SNMPv3 wherever the device supports them.

TCP and UDP Port Numbers
Both TCP and UDP use port numbers to hand data to the correct upper-layer application; the combination of an IP address and a port is a socket.
- 0 to 1023: well-known ports, assigned by IANA to standard services.
- 1024 to 49151: registered ports, registered for vendor-specific applications.
- 49152 to 65535: dynamic (ephemeral) ports, chosen by the client side for the life of a connection.
Domain Name System (DNS)
System used for translating domain names into IP addresses. There are more than 200 top-level domains on the Internet. Examples:

FTP and TFTP
- FTP is a reliable, connection-oriented service that uses TCP to transfer files between systems that support FTP.
- TFTP is a connectionless service that uses UDP.
  - TFTP is used on routers to transfer configuration files and Cisco IOS images.
  - TFTP is designed to be small and easy to implement.
  - TFTP has no authentication at all, so a TFTP server should be reachable only from the management network, and only while a transfer is needed.

SNMP
Application-layer protocol that facilitates the exchange of management information between network devices.

Telnet
Client software that lets you log in to a remote Internet host running a Telnet server and execute commands from its command line. The whole session, including the login password, travels in cleartext; SSH provides the same function over an encrypted channel.

Chapter 2

Access Control List (ACL)
A Layer 3 (and, for extended lists, Layer 4) security mechanism that controls which traffic is allowed to pass through a router from one network to another. This is packet filtering, and a router applying ACLs is acting as a packet-filtering firewall. Entries are processed top-down, the first matching entry decides, and every ACL ends with an implicit deny of everything not explicitly permitted.

Types of Access List
- Standard ACL
- Extended ACL
- Named ACL

Standard Access List
- The access-list number lies between 1 and 99 (expanded range 1300 to 1999).
- Filters on the source address only, so it can block a network, a host or a subnet.
- Two-way communication is stopped.
- All services are blocked: a standard ACL cannot match a protocol or a port.
- Guideline: implement it closest to the destination, because it cannot tell destinations apart and placed near the source it would also block traffic the source should still be allowed to send elsewhere.

Extended Access List
- The access-list number lies between 100 and 199 (expanded range 2000 to 2699).
- Filters on source, destination, protocol and port, so it can block a network, a host, a subnet and a service.
- One-way communication is stopped.
- Selected services can be blocked.
- Guideline: implement it closest to the source, so unwanted traffic is dropped before it crosses the network.

Terminology
- Deny: blocking a network, host, subnet or service.
- Permit: allowing a network, host, subnet or service.
- Source address: the address of the host where the request originates.
- Destination address: the address of the host where the request ends.
- Inbound: traffic coming into the interface.
- Outbound: traffic going out of the interface.
- Protocols: IP, TCP, UDP, ICMP.
- Operators: eq (equal to), neq (not equal to), lt (less than), gt (greater than).
- Services: HTTP, FTP, Telnet, DNS, DHCP, etc.

Wildcard Mask
- Tells the router which bits of the address in the ACL statement must match.
- It is the inverse of the subnet mask, so it is also called the inverse mask.
- A bit value of 0 means MUST MATCH (check bit).
- A bit value of 1 means IGNORE (ignore bit).
- The wildcard mask for a single host is always 0.0.0.0 (IOS also accepts the keyword host); 0.0.0.0 with wildcard 255.255.255.255 matches every address (keyword any).
- A wildcard mask can be calculated with the formula: wildcard mask = 255.255.255.255 minus the subnet mask. Example: a /24 subnet mask of 255.255.255.0 gives the wildcard 0.0.0.255.

Named Access List
- Access lists are identified by a name rather than a number.
- Names are case-sensitive.
- Not restricted to a numbered range.
- Main advantage: the ACL can be edited, that is, a specific statement can be removed without deleting and re-creating the whole list.
Named ACLs are supported from IOS release 11.2 onward.

Creation of a Standard Named Access List
  Router(config)# ip access-list standard <name>
  Router(config-std-nacl)# permit | deny <source> <source wildcard>
Implementation of a Standard Named Access List
  Router(config)# interface <type> <number>
  Router(config-if)# ip access-group <name> in | out

Creation of an Extended Named Access List
  Router(config)# ip access-list extended <name>
  Router(config-ext-nacl)# permit | deny <protocol> <source> <source wildcard> <destination> <destination wildcard> [<operator> <port>]
Implementation of an Extended Named Access List
  Router(config)# interface <type> <number>
  Router(config-if)# ip access-group <name> in | out

Creation of a Standard Access List
  Router(config)# access-list <1-99> permit | deny <source> <source wildcard>
Implementation of a Standard Access List
  Router(config)# interface <type> <number>
  Router(config-if)# ip access-group <1-99> in | out

Creation of an Extended Access List
  Router(config)# access-list <100-199> permit | deny <protocol> <source> <source wildcard> <destination> <destination wildcard> [<operator> <port>]
Implementation of an Extended Access List
  Router(config)# interface <type> <number>
  Router(config-if)# ip access-group <100-199> in | out

An ACL that is created but never applied with ip access-group filters nothing; only one ACL per protocol can be applied to an interface in each direction.

Commands used to verify access-list configuration
  show access-lists       Displays all access lists configured on the router with their entries and a counter of how many times each line permitted or denied a packet. Does not show which interface a list is applied to.
  show access-lists 110   Displays only access list 110; again without the interface it is applied to.
  show ip access-lists    Displays only the IP access lists configured on the router.
  show ip interface       Displays which interfaces have access lists applied, and in which direction.
  show running-config     Displays the access lists together with the interfaces they are applied to.
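The wildcard-mask rule and the top-down, first-match, implicit-deny evaluation described in this chapter, worked as an added Python example (illustrative code written for these notes, not Cisco code). The ACL entries, the packets and the helper names (wildcard_from_mask, evaluate_acl, ACL_110, ACL_10, make_packet) are all constructed for the example; the entries mirror the fields an IOS access-control entry has.

```python
"""Added example: wildcard-mask matching and top-down ACL evaluation."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard (inverse) mask = 255.255.255.255 - subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(subnet_mask)))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    check = 0xFFFFFFFF ^ to_int(wildcard)      # bits that must match
    return (to_int(addr) & check) == (to_int(base) & check)


def ace_matches(ace: dict, pkt: dict) -> bool:
    """Test one access-control entry against one packet.

    A standard entry carries only "src"; protocol, destination and port
    default to 'match everything', which is exactly why a standard ACL
    cannot block a single service.
    """
    proto = ace.get("proto", "ip")
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace.get("dst", ANY)):
        return False
    op = ace.get("op")
    if op is not None:
        dport, port = pkt.get("dport"), ace["port"]
        if dport is None:                      # no L4 header, port test fails
            return False
        if not {"eq": dport == port, "neq": dport != port,
                "lt": dport < port, "gt": dport > port}[op]:
            return False
    return True


def evaluate_acl(acl: list, pkt: dict) -> str:
    """Entries are tested top-down and the first match decides.

    Every IOS ACL ends with an implicit 'deny ip any any', so a packet that
    matches no entry is dropped.
    """
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed extended ACL, equivalent to:
#   access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 443
#   access-list 110 deny   tcp any host 10.0.0.5 eq 23
#   access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ACL_110 = [
    {"action": "permit", "proto": "tcp", "src": ("192.168.10.0", "0.0.0.255"),
     "dst": ("10.0.0.5", "0.0.0.0"), "op": "eq", "port": 443},
    {"action": "deny", "proto": "tcp", "src": ANY,
     "dst": ("10.0.0.5", "0.0.0.0"), "op": "eq", "port": 23},
    {"action": "permit", "proto": "ip", "src": ("192.168.10.0", "0.0.0.255")},
]

# Constructed standard ACL, equivalent to:
#   access-list 10 deny   host 192.168.10.7
#   access-list 10 permit 192.168.10.0 0.0.0.255
ACL_10 = [
    {"action": "deny", "src": ("192.168.10.7", "0.0.0.0")},
    {"action": "permit", "src": ("192.168.10.0", "0.0.0.255")},
]


def make_packet(proto: str, src: str, dst: str, dport: int = None) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                                     # 0.0.0.255
    print(evaluate_acl(ACL_110, make_packet("tcp", "192.168.10.7", "10.0.0.5", 443)))  # permit
    print(evaluate_acl(ACL_110, make_packet("tcp", "192.168.10.7", "10.0.0.5", 23)))   # deny
    print(evaluate_acl(ACL_110, make_packet("udp", "192.168.10.7", "8.8.8.8", 53)))    # permit
    print(evaluate_acl(ACL_110, make_packet("tcp", "172.16.0.9", "10.0.0.5", 443)))    # deny (implicit)
    print(evaluate_acl(ACL_10, make_packet("tcp", "192.168.10.7", "10.0.0.5", 443)))   # deny (all services)
```

The last two packets show the two rules people get wrong: a source outside every permit statement is dropped by the implicit deny even though no line names it, and the standard list denies host 192.168.10.7 for HTTPS just as it would for anything else, because a standard entry has no protocol or port to check.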
Chapter 3

VLAN Configuration
- To configure VLANs on a Cisco Catalyst switch, use the global configuration command vlan <id>.
- VLAN IDs range from 1 to 4094.
- Normal-range VLANs are 1 to 1005; VLANs 1 and 1002 to 1005 are reserved and cannot be deleted.
- VLAN 1 is the default VLAN of every port and the default native VLAN of every trunk. Security guideline: move user ports out of VLAN 1 and use a dedicated, otherwise unused VLAN as the native VLAN.
- Extended-range VLANs 1006 to 4094 can be created only in VTP transparent mode (with VTP version 1 or 2).
- Use show vlan and show vlan brief to display the VLANs.

Switchport Modes
- access: puts the interface into permanent non-trunking mode; the port still negotiates with the neighbor to convert the link into a non-trunk link.
- dynamic auto: the interface passively waits to receive a trunk negotiation (DTP) message; it becomes a trunk only if the neighbor is trunk or dynamic desirable.
- dynamic desirable: the interface actively attempts to convert the link into a trunk.
- nonegotiate: stops the interface from sending DTP frames; used only together with switchport mode access or trunk.
- trunk (on): puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk.
Security guideline: user-facing ports should be access plus nonegotiate. A port left in dynamic auto or dynamic desirable lets an attacker negotiate a trunk and reach every VLAN (VLAN hopping).

VLAN Trunking Protocol (VTP)
- VTP lets you add, delete and rename VLANs on one switch and propagates that information to the other switches in the domain.
- VLANs for the domain can be created only on a switch in VTP server mode (a transparent switch can create VLANs, but only for itself).
- All servers that share VLAN information must use the same domain name.
- A switch shares VTP information with other switches only if they are configured in the same VTP domain.
- VTP information is sent between switches only over trunk ports.

VTP Modes of Operation
- Server: the default mode for all Catalyst switches. The switch must be in server mode to create, add and delete VLANs in a VTP domain. The VLAN configuration is saved in NVRAM on the switch.
- Client: receives VLAN information from VTP servers and forwards updates to other switches; it cannot create VLANs, and VLAN information learned from a server is not stored in NVRAM.
- Transparent: does not join the domain's VLAN database but still forwards VTP advertisements over its trunks; it keeps a local VLAN database and is the mode required to create VLAN IDs 1006 to 4094.
Security caveat: a server or client that joins the domain with a higher configuration revision number overwrites the VLAN database of every other switch, deleting VLANs and the ports in them. Set a VTP password and reset the revision number (for example by changing the domain name) before connecting a switch.

Spanning-Tree Protocol (STP)
- The primary objective of STP is to prevent loops in a Layer 2 network of bridges or switches.
- STP monitors the network to track all links and shuts down (blocks) the redundant ones.
- STP uses the spanning-tree algorithm (STA) to first create a topology database and then search out and disable redundant links.
- With STP running, frames are forwarded only on the STP-chosen links.
- The default IEEE version of STP is 802.1D.

Spanning-Tree Terms
- Root bridge: the switch with the lowest bridge ID becomes the root bridge; it is the reference point of the whole topology.
- Bridge ID: identifies each switch in the network; a combination of the bridge priority (default 32768) and the MAC address. The lowest priority wins, and the lowest MAC address breaks a tie.
- Non-root bridges: exchange BPDUs with all bridges and update the STP topology database.
- Port cost: determined by the bandwidth of the link.
- Path cost: the sum of the port costs along the path to the root bridge.
- BPDU: data messages exchanged between switches carrying information about ports, costs, priorities and bridge IDs.
- Convergence: the state in which every port has transitioned to either forwarding or blocking. No data is forwarded until convergence is complete; the original 802.1D STP takes up to 50 seconds by default to move a port from blocking to forwarding (20 s max age, 15 s listening, 15 s learning).

Bridge Port Roles
1. Root port: the port with the best (lowest-cost) path to the root bridge. Every non-root bridge has exactly one root port.
   All root ports are placed in the forwarding state.
2. Designated port: the port on a given segment with the lowest cost to the root bridge; one per segment, and it forwards frames.
3. Non-designated port: the port on a segment with the higher cost; it is kept in the blocking state.
4. Forwarding port: forwards frames; it is either a root port or a designated port.
5. Blocked port: does not forward frames; it only receives BPDUs from other switches.
6. Alternate port: the 802.1w (RSTP) role corresponding to the 802.1D blocking state; an alternate path towards the root.
7. Backup port: an RSTP role for a port connected to a LAN segment on which another port of the same switch is already the designated port.

Spanning-Tree Port States
- Disabled: administratively down; non-operational.
- Blocking: does not forward frames; only listens to BPDUs.
- Listening: prepares to forward data frames but does not yet populate the MAC address table.
- Learning: populates the MAC address table but still does not forward data frames.
- Forwarding: if the port is still a designated or root port at the end of the learning state, it enters the forwarding state.

RSTP Configuration Commands
  SW(config)# spanning-tree mode rapid-pvst
  SW# show spanning-tree
  SW# show mac address-table

Spanning-Tree Failure Consequences
When STP fails (or is disabled) on a topology that contains a loop:
1. The load on all links keeps increasing as more and more frames enter the loop.
2. Traffic on the switches increases because every circling broadcast or unknown-unicast frame is duplicated at each switch (a broadcast storm).
3. The MAC address table becomes completely unstable; the same source MAC keeps flapping between ports.
4. The device becomes unresponsive.
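The root-bridge election and root-port selection described above, as an added Python example (illustrative code written for these notes, not Cisco code). The switch names, MAC addresses, port names and topology are constructed; the port costs are the classic IEEE 802.1D-1998 per-bandwidth values (10 Mbit/s = 100, 100 Mbit/s = 19, 1 Gbit/s = 4, 10 Gbit/s = 2), and the bridge ID is simplified to (priority, MAC) without the extended system ID. The second scenario adds an attacker on an access port that advertises priority 0, which is the takeover that BPDU Guard on PortFast ports exists to stop.

```python
"""Added example: STP root-bridge election and root-port selection."""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbit/s -> port cost


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as (priority, MAC): tuples compare priority first, MAC second."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(switches: dict) -> str:
    """switches: name -> (priority, mac). The lowest bridge ID becomes the root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_ports(switches: dict, links: list) -> tuple:
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps).

    Returns (root, {switch: (root_port, path_cost)}) for every non-root
    switch. A switch chooses the neighbour whose BPDU advertises the lowest
    path cost to the root; on a tie the lowest sender bridge ID wins. Path
    cost accumulates on the receiving port, so each hop adds that port's
    cost, which is the link cost here.
    """
    root = elect_root(switches)
    neighbours = {name: [] for name in switches}
    facing = {}                      # (me, neighbour) -> my port towards neighbour
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        neighbours[a].append((b, cost))
        neighbours[b].append((a, cost))
        facing[(a, b)], facing[(b, a)] = pa, pb

    # Dijkstra keyed on (path cost, sender bridge ID) so ties break like STP.
    best = {name: (float("inf"), None, None) for name in switches}   # cost, sender, port
    best[root] = (0, bridge_id(*switches[root]), None)
    heap = [(0, bridge_id(*switches[root]), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                 # stale heap entry
        for nbr, link_cost in neighbours[node]:
            offer = (cost + link_cost, bridge_id(*switches[node]))
            if offer < best[nbr][:2]:
                best[nbr] = (offer[0], offer[1], facing[(nbr, node)])
                heapq.heappush(heap, (offer[0], offer[1], nbr))
    return root, {n: (best[n][2], best[n][0]) for n in switches if n != root}


# Constructed triangle: two gigabit uplinks to SW1, a FastEthernet link SW2-SW3.
SWITCHES = {
    "SW1": (32768, "00:00:0c:aa:aa:01"),
    "SW2": (32768, "00:00:0c:aa:aa:02"),
    "SW3": (32768, "00:00:0c:aa:aa:03"),
}
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
    ("SW1", "Gi0/2", "SW3", "Gi0/2", 1000),
    ("SW2", "Fa0/3", "SW3", "Fa0/3", 100),
]


def with_rogue() -> tuple:
    """Same topology plus an attacker on SW3's access port Fa0/5 that sends
    BPDUs with priority 0, which it can do on any port without BPDU Guard."""
    switches = dict(SWITCHES, ROGUE=(0, "de:ad:be:ef:00:01"))
    links = LINKS + [("SW3", "Fa0/5", "ROGUE", "eth0", 100)]
    return root_ports(switches, links)


if __name__ == "__main__":
    print(root_ports(SWITCHES, LINKS))   # ('SW1', {'SW2': ('Gi0/1', 4), 'SW3': ('Gi0/2', 4)})
    print(with_rogue())                  # ('ROGUE', {...}) every switch now roots towards Fa0/5
```

With equal priorities SW1 wins on MAC address and both other switches root over their gigabit uplink at cost 4. Once the rogue advertises priority 0 it becomes the root, SW3's root port moves to the access port, and SW2 now reaches the root through SW1 at cost 27 rather than 38 through the FastEthernet link, so user traffic is pulled through whatever is plugged into Fa0/5.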
PortFast
- PortFast lets the ports on S1 that connect to end hosts transition to the STP forwarding state immediately when a device is plugged in, skipping the listening and learning states.
- Enable it only on ports that connect to end hosts, never on ports that lead to another switch.
  S1(config)# spanning-tree portfast default     (all non-trunking ports)
  S1(config-if)# spanning-tree portfast           (a single interface)

BPDU Guard
Used on switch ports where PortFast is enabled. A PortFast port should never receive a BPDU, so if one arrives (a switch, or a host sending crafted BPDUs, was plugged in) BPDU Guard puts the port into the err-disabled state. This stops an attacker on an access port from taking over the root-bridge role.

EtherChannel (Port Channel)
- EtherChannel bundles multiple physical links between switches into one logical link by port channelling.
- EtherChannel is Cisco's term for port channelling.
- It groups several Fast Ethernet or Gigabit Ethernet ports into one logical channel.
- There are two port-channel negotiation protocols:
  1. Port Aggregation Protocol (PAgP): Cisco proprietary.
  2. Link Aggregation Control Protocol (LACP): the IEEE 802.3ad standard.
- Cisco EtherChannel allows up to eight active Fast Ethernet or Gigabit Ethernet ports to be bundled between switches.

Chapter 4

Basic Service Set (BSS)
- A BSS makes every wireless service area a closed group of mobile devices formed around one fixed device; the 802.11 standard calls this group a BSS.
- Every BSS has one wireless access point (AP).

Access Point
- The AP offers the services necessary to form the infrastructure of a wireless network.
- The AP establishes its BSS on a single wireless channel; the AP and all BSS members must use that same channel to communicate properly.
- Membership in a BSS is called an association.
- Note: once a client is associated with a BSS, most communication to and from the client must pass through the AP. Data frames carry the BSSID as a source or destination address so that they can be relayed to or from the AP.

Extended Service Set (ESS)
To cover more area than a single AP's cell can cover, add more APs and spread them out geographically; the 802.11 standard calls the resulting group of BSSs an ESS.

Independent Basic Service Set (IBSS)
The 802.11 standard also allows two or more wireless clients to communicate directly with each other without an AP; this is known as an ad hoc wireless network, or IBSS.

Extending the Range of an AP with a Wireless Repeater
To extend wireless coverage, add an additional AP configured for repeater mode. A wireless repeater takes the signal it receives and retransmits it in a new cell area around the repeater.

Workgroup Bridges
Two types:
1. Universal workgroup bridge (uWGB): a single wired device is bridged to the wireless network.
2. Workgroup bridge (WGB): a Cisco-proprietary implementation that allows multiple wired devices to be bridged to the wireless network.

Point-to-Point Outdoor Bridge
- One AP configured in bridge mode is needed on each end of the wireless link.
- Directional antennas are used with the bridges to focus their signals towards the antenna of the AP at the other end, which maximizes the link distance.
Point-to-Multipoint Outdoor Bridge
- Allows a central site to be bridged to several other sites.
- The central site uses an omnidirectional antenna, whose signal is transmitted equally in all directions so that it reaches the other sites simultaneously.
- The bridge at each remote site is connected to a directional antenna aimed at the central site.

Traveling Electric and Magnetic Waves
A transmitter sends an alternating current into a section of wire (an antenna), which sets up moving electric and magnetic fields that propagate out and away from the antenna as traveling waves.

Frequency Unit Names

Chapter 5

Mitigating Threats at the Access Layer
- Port security: restricting a port to a specific set of MAC addresses (and a maximum number of them) is the most common way to defend the access layer; it blunts MAC flooding and stops unauthorized devices.
- DHCP snooping: a Layer 2 security feature that validates DHCP messages by acting like a firewall between untrusted hosts and trusted DHCP servers.
- Dynamic ARP inspection (DAI): used together with DHCP snooping; it checks ARP packets against the IP-to-MAC bindings learned from DHCP transactions to protect against ARP poisoning.
- Identity-based networking: ties together authentication, access control and user-policy components so that users receive network services based on who they are. The IEEE 802.1X standard is how identity-based networking is implemented on wired and wireless hosts.

External Authentication Options
Remote Authentication Dial-In User Service (RADIUS)
- Combines authentication and authorization into a single process.
- Client/server architecture; the network device is the RADIUS client. RADIUS runs over UDP and encrypts only the password field of the request, so the rest of the exchange is visible on the wire.
- The authentication process has three distinct stages:
  1. The user is prompted for a username and password.
  2. The username and the encrypted password are sent over the network to the RADIUS server.
  3. The RADIUS server replies with Accept, Reject, Challenge or Change Password.
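The DHCP snooping and DAI pair listed under "Mitigating Threats at the Access Layer", worked as an added Python example (illustrative code written for these notes, not Cisco code). Port names, MAC and IP addresses and the message sequence are constructed; the class and function names (Port, DhcpSnooping, ArpInspection, scenario) are the example's own. Like the switch feature, it builds a binding table of (VLAN, MAC) to IP from DHCP ACKs seen on trusted ports, refuses server messages from untrusted ports, and drops ARP packets on untrusted ports whose sender MAC/IP pair is not in that table.

```python
"""Added example: DHCP snooping binding table feeding Dynamic ARP Inspection."""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False     # 'ip dhcp snooping trust' / 'ip arp inspection trust'


class DhcpSnooping:
    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}    # only a DHCP server sends these

    def __init__(self, vlans: set):
        self.vlans = vlans                        # VLANs snooping is enabled on
        self.bindings = {}                        # (vlan, mac) -> ip

    def process(self, port: Port, msg: dict) -> str:
        """msg: {'type': DHCP message type, 'chaddr': client MAC, 'yiaddr': leased IP}.

        Server-originated messages are accepted only from trusted ports,
        which is what stops a rogue DHCP server on an access port. An ACK
        seen on a trusted port records the lease in the binding table.
        """
        if port.vlan not in self.vlans:
            return "forward"                      # feature not active on this VLAN
        if msg["type"] in self.SERVER_MESSAGES and not port.trusted:
            return "drop"
        if msg["type"] == "ACK":
            self.bindings[(port.vlan, msg["chaddr"].lower())] = msg["yiaddr"]
        return "forward"


class ArpInspection:
    def __init__(self, snooping: DhcpSnooping, vlans: set):
        self.snooping = snooping
        self.vlans = vlans                        # 'ip arp inspection vlan ...'

    def inspect(self, port: Port, arp: dict) -> str:
        """arp: {'op': 'request'|'reply', 'sender_mac': ..., 'sender_ip': ...}.

        Trusted ports and VLANs without DAI are not checked. Everything
        else must carry a sender MAC/IP pair that matches a snooping binding.
        """
        if port.trusted or port.vlan not in self.vlans:
            return "forward"
        key = (port.vlan, arp["sender_mac"].lower())
        if self.snooping.bindings.get(key) == arp["sender_ip"]:
            return "forward"
        return "drop"


def scenario() -> dict:
    """Constructed sequence on VLAN 12: uplink Gi1/0/23 trusted, host ports untrusted."""
    snoop = DhcpSnooping(vlans={12})
    dai = ArpInspection(snoop, vlans={12})
    uplink = Port("Gi1/0/23", 12, trusted=True)   # towards the real DHCP server and gateway
    victim = Port("Gi1/0/1", 12)
    attacker = Port("Gi1/0/2", 12)
    victim_mac, victim_ip, gateway_ip = "00:11:22:33:44:55", "10.12.0.10", "10.12.0.1"
    attacker_mac = "66:77:88:99:aa:bb"

    results = {}
    # 1. The real server's ACK arrives on the trusted uplink: binding learned.
    results["lease"] = snoop.process(
        uplink, {"type": "ACK", "chaddr": victim_mac, "yiaddr": victim_ip})
    # 2. A rogue DHCP server on an access port tries to hand out leases.
    results["rogue_dhcp"] = snoop.process(
        attacker, {"type": "OFFER", "chaddr": victim_mac, "yiaddr": "10.12.0.99"})
    # 3. The victim answers an ARP request with its real binding.
    results["arp_legit"] = dai.inspect(
        victim, {"op": "reply", "sender_mac": victim_mac, "sender_ip": victim_ip})
    # 4. ARP poisoning: the attacker claims the gateway's IP with its own MAC.
    results["arp_spoof"] = dai.inspect(
        attacker, {"op": "reply", "sender_mac": attacker_mac, "sender_ip": gateway_ip})
    # 5. The real gateway's ARP arrives on the trusted uplink and is not inspected.
    results["arp_gateway"] = dai.inspect(
        uplink, {"op": "reply", "sender_mac": "00:00:0c:9f:f0:01", "sender_ip": gateway_ip})
    results["bindings"] = dict(snoop.bindings)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(step, outcome)
```

Two practical points follow from the model. A host with a static address never appears in the binding table, so on a real switch it needs a static binding or an ARP ACL or DAI will drop its ARP traffic; and the trusted port must be only the uplink towards the DHCP server and gateway, because anything arriving on a trusted port bypasses both checks.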
Terminal Access Controller Access Control System Plus (TACACS+)
A Cisco-proprietary security server protocol that uses TCP (port 49). Unlike RADIUS it separates authentication, authorization and accounting and encrypts the entire packet body, which is why it is preferred for device administration.

Dynamic ARP Inspection (DAI)
- A security feature that rejects invalid and malicious ARP packets.
- The attack it stops: a miscreant sends ARP requests or replies that map another station's IP address (typically the default gateway) to its own MAC address, so that traffic is diverted through the attacker.
- DAI relies on DHCP snooping. DHCP snooping listens to the DHCP message exchanges and builds a binding database of valid (MAC address, IP address, VLAN, interface) tuples.
- With DAI enabled, the switch drops an ARP packet arriving on an untrusted port if the sender MAC address and sender IP address do not match an entry in the DHCP snooping binding database.

To enable DHCP snooping (the uplink to the DHCP server is the trusted port; every other port stays untrusted):
  SW(config)# ip dhcp snooping
  SW(config)# ip dhcp snooping vlan 12
  SW(config)# no ip dhcp snooping information option    (do not insert option 82, which many DHCP servers reject)
  SW(config)# interface g1/0/23
  SW(config-if)# ip dhcp snooping trust
To display the DHCP snooping configuration and state:
  SW# show ip dhcp snooping
To display the contents of the DHCP snooping binding table:
  SW# show ip dhcp snooping binding
To enable DAI (the same uplink is trusted for ARP):
  SW(config)# interface g1/0/23
  SW(config-if)# ip arp inspection trust
  SW(config)# ip arp inspection vlan 12
To display DAI status and statistics:
  SW# show ip arp inspection

Chapter 6

Quality of Service
An industry-wide set of standards and mechanisms for ensuring high-quality performance for critical applications.

Network Characteristics Managed by QoS
- Bandwidth: the rate at which traffic is carried by the network.
- Latency (delay): the time data takes to travel from source to destination.
- Jitter: the variation in latency.
- Loss (reliability): the percentage of packets discarded by a router.
Voice Traffic
- Sensitive to delay and drops.
- No retransmission if a packet is lost (UDP-based).
- Smooth: flows at an even rate, does not burst.
- Benign: not greedy; the bandwidth per call is fairly low.

Video Traffic
- Sensitive to delay and drops.
- No retransmission if a packet is lost (UDP-based).
- Bursty: only part of the picture moves while the rest stays static, so keyframes produce bursts.
- Greedy: the more bandwidth you allow, the better the picture quality.

FIFO (First In, First Out)
- Traffic leaves the interface in the order it arrived.
- No traffic priority.

WFQ (Weighted Fair Queuing)
- Flow-based queuing algorithm.
- Schedules interactive (low-volume) traffic to the front of the queue to reduce response time.
- Fairly shares the remaining bandwidth between high-bandwidth flows.

QoS Technologies (Mechanisms)
Used to provide improved network service to the applications at the edges of the network:
1. Best Effort
2. Integrated Services (IntServ)
3. Differentiated Services (DiffServ)

Best Effort
- The network provides no guarantee that data is delivered.
- Users get an unspecified, variable bit rate and delivery time, depending on the current traffic load.

Integrated Services
- Delivers the QoS that real-time applications require by explicitly managing network resources for specific user packet streams.
- Uses resource reservation (RSVP) and admission control mechanisms.

QoS Tools
QoS technologies are the set of tools and techniques for managing network resources:
1.
   Classification and marking tools
2. Congestion avoidance tools
3. Congestion management tools

Classification and Marking
- Traffic is analyzed to discover which class it belongs to, and packets are marked once classified.
- Classification is done with ACLs or class maps.
- Marking sets or modifies the QoS attributes of a class of traffic at Layer 2 (802.1p CoS in the VLAN tag) or Layer 3 (IP Precedence or DSCP in the IP header).
- Caveat: markings arriving from untrusted hosts should be reset or re-marked at the access edge (the trust boundary); otherwise any host can mark its own packets as voice and take priority over real calls.
